From eb0fd25a19c2384bffd7eb31a70986506a093d97 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jan 02 2013 14:50:45 +0000
Subject: renamed: policy-rawhide.patch -> policy-rawhide-base.patch
renamed: policy_contrib-rawhide.patch -> policy-rawhide-contrib.patch
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
new file mode 100644
index 0000000..d9a6df5
--- /dev/null
+++ b/policy-rawhide-base.patch
@@ -0,0 +1,148643 @@
+diff --git a/Makefile b/Makefile
+index 39a3d40..f69289d 100644
+--- a/Makefile
++++ b/Makefile
+@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
+ SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
+ SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
+ SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
++SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen
+ LOADPOLICY ?= $(tc_usrsbindir)/load_policy
+ SETFILES ?= $(tc_sbindir)/setfiles
+ XMLLINT ?= $(BINDIR)/xmllint
+@@ -249,7 +250,7 @@ seusers := $(appconf)/seusers
+ appdir := $(contextpath)
+ user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
+ user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
+-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts) $(contextpath)/files/media $(user_default_contexts_names)
+ net_contexts := $(builddir)net_contexts
+
+ all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+@@ -608,15 +609,17 @@ resetlabels:
+ # Clean everything
+ #
+ bare: clean
+- rm -f $(polxml)
+- rm -f $(layerxml)
+- rm -f $(modxml)
+- rm -f $(tunxml)
+- rm -f $(boolxml)
+- rm -f $(mod_conf)
+- rm -f $(booleans)
+- rm -fR $(htmldir)
+- rm -f $(tags)
++ echo "hehe kde jsem asi tak"
++ pwd
++ #rm -f $(polxml)
++ #rm -f $(layerxml)
++ #rm -f $(modxml)
++ #rm -f $(tunxml)
++ #rm -f $(boolxml)
++ #rm -f $(mod_conf)
++ #rm -f $(booleans)
++ #rm -fR $(htmldir)
++ #rm -f $(tags)
+ # don't remove these files if we're given a local root
+ ifndef LOCAL_ROOT
+ rm -f $(fcsort)
+diff --git a/Rules.modular b/Rules.modular
+index 313d837..ef3c532 100644
+--- a/Rules.modular
++++ b/Rules.modular
+@@ -201,6 +201,7 @@ validate: $(base_pkg) $(mod_pkgs)
+ @echo "Validating policy linking."
+ $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
+ $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
++ $(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output
+ @echo "Success."
+
+ ########################################
+diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
+index d387b42..150f281 100644
+--- a/config/appconfig-mcs/virtual_domain_context
++++ b/config/appconfig-mcs/virtual_domain_context
+@@ -1 +1,2 @@
+ system_u:system_r:svirt_t:s0
++system_u:system_r:svirt_tcg_t:s0
+diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
+index c049e10..150f281 100644
+--- a/config/appconfig-standard/virtual_domain_context
++++ b/config/appconfig-standard/virtual_domain_context
+@@ -1 +1,2 @@
+-system_u:system_r:svirt_t
++system_u:system_r:svirt_t:s0
++system_u:system_r:svirt_tcg_t:s0
+diff --git a/man/man8/NetworkManager_selinux.8 b/man/man8/NetworkManager_selinux.8
+new file mode 100644
+index 0000000..62a48d7
+--- /dev/null
++++ b/man/man8/NetworkManager_selinux.8
+@@ -0,0 +1,292 @@
++.TH "NetworkManager_selinux" "8" "12-11-01" "NetworkManager" "SELinux Policy documentation for NetworkManager"
++.SH "NAME"
++NetworkManager_selinux \- Security Enhanced Linux Policy for the NetworkManager processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the NetworkManager processes via flexible mandatory access control.
++
++The NetworkManager processes execute with the NetworkManager_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep NetworkManager_t
++
++
++.SH "ENTRYPOINTS"
++
++The NetworkManager_t SELinux type can be entered via the "NetworkManager_exec_t" file type. The default entrypoint paths for the NetworkManager_t domain are the following:"
++
++/usr/s?bin/NetworkManager, /usr/s?bin/wpa_supplicant, /usr/sbin/wicd, /sbin/wpa_supplicant, /usr/sbin/wpa_supplicant, /usr/sbin/nm-system-settings, /usr/sbin/NetworkManagerDispatcher
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux NetworkManager policy is very flexible allowing users to setup their NetworkManager processes in as secure a method as possible.
++.PP
++The following process types are defined for NetworkManager:
++
++.EX
++.B NetworkManager_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux NetworkManager policy is very flexible allowing users to setup their NetworkManager processes in as secure a method as possible.
++.PP
++The following file types are defined for NetworkManager:
++
++
++.EX
++.PP
++.B NetworkManager_etc_rw_t
++.EE
++
++- Set files with the NetworkManager_etc_rw_t type, if you want to treat the files as NetworkManager etc read/write content.
++
++
++.EX
++.PP
++.B NetworkManager_etc_t
++.EE
++
++- Set files with the NetworkManager_etc_t type, if you want to store NetworkManager files in the /etc directories.
++
++
++.EX
++.PP
++.B NetworkManager_exec_t
++.EE
++
++- Set files with the NetworkManager_exec_t type, if you want to transition an executable to the NetworkManager_t domain.
++
++
++.EX
++.PP
++.B NetworkManager_initrc_exec_t
++.EE
++
++- Set files with the NetworkManager_initrc_exec_t type, if you want to transition an executable to the NetworkManager_initrc_t domain.
++
++
++.EX
++.PP
++.B NetworkManager_log_t
++.EE
++
++- Set files with the NetworkManager_log_t type, if you want to treat the data as NetworkManager log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B NetworkManager_tmp_t
++.EE
++
++- Set files with the NetworkManager_tmp_t type, if you want to store NetworkManager temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B NetworkManager_unit_file_t
++.EE
++
++- Set files with the NetworkManager_unit_file_t type, if you want to treat the files as NetworkManager unit content.
++
++
++.EX
++.PP
++.B NetworkManager_var_lib_t
++.EE
++
++- Set files with the NetworkManager_var_lib_t type, if you want to store the NetworkManager files under the /var/lib directory.
++
++
++.EX
++.PP
++.B NetworkManager_var_run_t
++.EE
++
++- Set files with the NetworkManager_var_run_t type, if you want to store the NetworkManager files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type NetworkManager_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B NetworkManager_etc_rw_t
++
++ /etc/NetworkManager/system-connections(/.*)?
++.br
++ /etc/NetworkManager/NetworkManager\.conf
++.br
++
++.br
++.B NetworkManager_log_t
++
++ /var/log/wicd.*
++.br
++ /var/log/wpa_supplicant.*
++.br
++
++.br
++.B NetworkManager_tmp_t
++
++
++.br
++.B NetworkManager_var_lib_t
++
++ /var/lib/wicd(/.*)?
++.br
++ /var/lib/NetworkManager(/.*)?
++.br
++ /etc/dhcp/wired-settings.conf
++.br
++ /etc/wicd/wired-settings.conf
++.br
++ /etc/dhcp/manager-settings.conf
++.br
++ /etc/wicd/manager-settings.conf
++.br
++ /etc/dhcp/wireless-settings.conf
++.br
++ /etc/wicd/wireless-settings.conf
++.br
++
++.br
++.B NetworkManager_var_run_t
++
++ /var/run/nm-dhclient.*
++.br
++ /var/run/NetworkManager(/.*)?
++.br
++ /var/run/wpa_supplicant(/.*)?
++.br
++ /var/run/NetworkManager\.pid
++.br
++ /var/run/nm-dns-dnsmasq\.conf
++.br
++ /var/run/wpa_supplicant-global
++.br
++
++.br
++.B named_cache_t
++
++ /var/named/data(/.*)?
++.br
++ /var/named/slaves(/.*)?
++.br
++ /var/named/dynamic(/.*)?
++.br
++ /var/named/chroot/var/tmp(/.*)?
++.br
++ /var/named/chroot/var/named/data(/.*)?
++.br
++ /var/named/chroot/var/named/slaves(/.*)?
++.br
++ /var/named/chroot/var/named/dynamic(/.*)?
++.br
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.br
++.B pppd_var_run_t
++
++ /var/run/(i)?ppp.*pid[^/]*
++.br
++ /var/run/ppp(/.*)?
++.br
++ /var/run/pppd[0-9]*\.tdb
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the NetworkManager_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the NetworkManager_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), NetworkManager(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/abrt_dump_oops_selinux.8 b/man/man8/abrt_dump_oops_selinux.8
+new file mode 100644
+index 0000000..c365bc5
+--- /dev/null
++++ b/man/man8/abrt_dump_oops_selinux.8
+@@ -0,0 +1,101 @@
++.TH "abrt_dump_oops_selinux" "8" "12-11-01" "abrt_dump_oops" "SELinux Policy documentation for abrt_dump_oops"
++.SH "NAME"
++abrt_dump_oops_selinux \- Security Enhanced Linux Policy for the abrt_dump_oops processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the abrt_dump_oops processes via flexible mandatory access control.
++
++The abrt_dump_oops processes execute with the abrt_dump_oops_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep abrt_dump_oops_t
++
++
++.SH "ENTRYPOINTS"
++
++The abrt_dump_oops_t SELinux type can be entered via the "abrt_dump_oops_exec_t" file type. The default entrypoint paths for the abrt_dump_oops_t domain are the following:"
++
++/usr/bin/abrt-dump-oops
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux abrt_dump_oops policy is very flexible allowing users to setup their abrt_dump_oops processes in as secure a method as possible.
++.PP
++The following process types are defined for abrt_dump_oops:
++
++.EX
++.B abrt_dump_oops_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux abrt_dump_oops policy is very flexible allowing users to setup their abrt_dump_oops processes in as secure a method as possible.
++.PP
++The following file types are defined for abrt_dump_oops:
++
++
++.EX
++.PP
++.B abrt_dump_oops_exec_t
++.EE
++
++- Set files with the abrt_dump_oops_exec_t type, if you want to transition an executable to the abrt_dump_oops_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type abrt_dump_oops_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B abrt_var_cache_t
++
++ /var/cache/abrt(/.*)?
++.br
++ /var/spool/abrt(/.*)?
++.br
++ /var/cache/abrt-di(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), abrt_dump_oops(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, abrt_selinux(8), abrt_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/abrt_handle_event_selinux.8 b/man/man8/abrt_handle_event_selinux.8
+new file mode 100644
+index 0000000..9cd4e4f
+--- /dev/null
++++ b/man/man8/abrt_handle_event_selinux.8
+@@ -0,0 +1,108 @@
++.TH "abrt_handle_event_selinux" "8" "12-11-01" "abrt_handle_event" "SELinux Policy documentation for abrt_handle_event"
++.SH "NAME"
++abrt_handle_event_selinux \- Security Enhanced Linux Policy for the abrt_handle_event processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the abrt_handle_event processes via flexible mandatory access control.
++
++The abrt_handle_event processes execute with the abrt_handle_event_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep abrt_handle_event_t
++
++
++.SH "ENTRYPOINTS"
++
++The abrt_handle_event_t SELinux type can be entered via the "abrt_handle_event_exec_t" file type. The default entrypoint paths for the abrt_handle_event_t domain are the following:"
++
++/usr/libexec/abrt-handle-event
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux abrt_handle_event policy is very flexible allowing users to setup their abrt_handle_event processes in as secure a method as possible.
++.PP
++The following process types are defined for abrt_handle_event:
++
++.EX
++.B abrt_handle_event_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. abrt_handle_event policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt_handle_event with the tightest access possible.
++
++
++.PP
++If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean.
++
++.EX
++.B setsebool -P abrt_handle_event 1
++.EE
++
++.PP
++If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean.
++
++.EX
++.B setsebool -P abrt_handle_event 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux abrt_handle_event policy is very flexible allowing users to setup their abrt_handle_event processes in as secure a method as possible.
++.PP
++The following file types are defined for abrt_handle_event:
++
++
++.EX
++.PP
++.B abrt_handle_event_exec_t
++.EE
++
++- Set files with the abrt_handle_event_exec_t type, if you want to transition an executable to the abrt_handle_event_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), abrt_handle_event(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/abrt_helper_selinux.8 b/man/man8/abrt_helper_selinux.8
+new file mode 100644
+index 0000000..ffc4a82
+--- /dev/null
++++ b/man/man8/abrt_helper_selinux.8
+@@ -0,0 +1,115 @@
++.TH "abrt_helper_selinux" "8" "12-11-01" "abrt_helper" "SELinux Policy documentation for abrt_helper"
++.SH "NAME"
++abrt_helper_selinux \- Security Enhanced Linux Policy for the abrt_helper processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the abrt_helper processes via flexible mandatory access control.
++
++The abrt_helper processes execute with the abrt_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep abrt_helper_t
++
++
++.SH "ENTRYPOINTS"
++
++The abrt_helper_t SELinux type can be entered via the "abrt_helper_exec_t" file type. The default entrypoint paths for the abrt_helper_t domain are the following:"
++
++/usr/bin/abrt-pyhook-helper
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux abrt_helper policy is very flexible allowing users to setup their abrt_helper processes in as secure a method as possible.
++.PP
++The following process types are defined for abrt_helper:
++
++.EX
++.B abrt_helper_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux abrt_helper policy is very flexible allowing users to setup their abrt_helper processes in as secure a method as possible.
++.PP
++The following file types are defined for abrt_helper:
++
++
++.EX
++.PP
++.B abrt_helper_exec_t
++.EE
++
++- Set files with the abrt_helper_exec_t type, if you want to transition an executable to the abrt_helper_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type abrt_helper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B abrt_var_cache_t
++
++ /var/cache/abrt(/.*)?
++.br
++ /var/spool/abrt(/.*)?
++.br
++ /var/cache/abrt-di(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the abrt_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the abrt_helper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), abrt_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/abrt_retrace_coredump_selinux.8 b/man/man8/abrt_retrace_coredump_selinux.8
+new file mode 100644
+index 0000000..95c7f7f
+--- /dev/null
++++ b/man/man8/abrt_retrace_coredump_selinux.8
+@@ -0,0 +1,115 @@
++.TH "abrt_retrace_coredump_selinux" "8" "12-11-01" "abrt_retrace_coredump" "SELinux Policy documentation for abrt_retrace_coredump"
++.SH "NAME"
++abrt_retrace_coredump_selinux \- Security Enhanced Linux Policy for the abrt_retrace_coredump processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the abrt_retrace_coredump processes via flexible mandatory access control.
++
++The abrt_retrace_coredump processes execute with the abrt_retrace_coredump_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep abrt_retrace_coredump_t
++
++
++.SH "ENTRYPOINTS"
++
++The abrt_retrace_coredump_t SELinux type can be entered via the "abrt_retrace_coredump_exec_t" file type. The default entrypoint paths for the abrt_retrace_coredump_t domain are the following:"
++
++/usr/bin/coredump2packages
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux abrt_retrace_coredump policy is very flexible allowing users to setup their abrt_retrace_coredump processes in as secure a method as possible.
++.PP
++The following process types are defined for abrt_retrace_coredump:
++
++.EX
++.B abrt_retrace_coredump_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux abrt_retrace_coredump policy is very flexible allowing users to setup their abrt_retrace_coredump processes in as secure a method as possible.
++.PP
++The following file types are defined for abrt_retrace_coredump:
++
++
++.EX
++.PP
++.B abrt_retrace_coredump_exec_t
++.EE
++
++- Set files with the abrt_retrace_coredump_exec_t type, if you want to transition an executable to the abrt_retrace_coredump_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type abrt_retrace_coredump_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B rpm_log_t
++
++ /var/log/yum\.log.*
++.br
++
++.br
++.B rpm_var_cache_t
++
++ /var/cache/yum(/.*)?
++.br
++ /var/spool/up2date(/.*)?
++.br
++ /var/cache/PackageKit(/.*)?
++.br
++
++.br
++.B rpm_var_run_t
++
++ /var/run/yum.*
++.br
++ /var/run/PackageKit(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), abrt_retrace_coredump(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/abrt_retrace_worker_selinux.8 b/man/man8/abrt_retrace_worker_selinux.8
+new file mode 100644
+index 0000000..c0c182f
+--- /dev/null
++++ b/man/man8/abrt_retrace_worker_selinux.8
+@@ -0,0 +1,99 @@
++.TH "abrt_retrace_worker_selinux" "8" "12-11-01" "abrt_retrace_worker" "SELinux Policy documentation for abrt_retrace_worker"
++.SH "NAME"
++abrt_retrace_worker_selinux \- Security Enhanced Linux Policy for the abrt_retrace_worker processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the abrt_retrace_worker processes via flexible mandatory access control.
++
++The abrt_retrace_worker processes execute with the abrt_retrace_worker_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep abrt_retrace_worker_t
++
++
++.SH "ENTRYPOINTS"
++
++The abrt_retrace_worker_t SELinux type can be entered via the "abrt_retrace_worker_exec_t" file type. The default entrypoint paths for the abrt_retrace_worker_t domain are the following:"
++
++/usr/bin/abrt-retrace-worker, /usr/bin/retrace-server-worker
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux abrt_retrace_worker policy is very flexible allowing users to setup their abrt_retrace_worker processes in as secure a method as possible.
++.PP
++The following process types are defined for abrt_retrace_worker:
++
++.EX
++.B abrt_retrace_worker_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux abrt_retrace_worker policy is very flexible allowing users to setup their abrt_retrace_worker processes in as secure a method as possible.
++.PP
++The following file types are defined for abrt_retrace_worker:
++
++
++.EX
++.PP
++.B abrt_retrace_worker_exec_t
++.EE
++
++- Set files with the abrt_retrace_worker_exec_t type, if you want to transition an executable to the abrt_retrace_worker_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type abrt_retrace_worker_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B abrt_retrace_spool_t
++
++ /var/spool/abrt-retrace(/.*)?
++.br
++ /var/spool/retrace-server(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), abrt_retrace_worker(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_watch_log_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/abrt_selinux.8 b/man/man8/abrt_selinux.8
+new file mode 100644
+index 0000000..25121c1
+--- /dev/null
++++ b/man/man8/abrt_selinux.8
+@@ -0,0 +1,347 @@
++.TH "abrt_selinux" "8" "12-11-01" "abrt" "SELinux Policy documentation for abrt"
++.SH "NAME"
++abrt_selinux \- Security Enhanced Linux Policy for the abrt processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the abrt processes via flexible mandatory access control.
++
++The abrt processes execute with the abrt_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep abrt_t
++
++
++.SH "ENTRYPOINTS"
++
++The abrt_t SELinux type can be entered via the "abrt_exec_t" file type. The default entrypoint paths for the abrt_t domain are the following:"
++
++/usr/sbin/abrtd, /usr/sbin/abrt-dbus
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux abrt policy is very flexible allowing users to setup their abrt processes in as secure a method as possible.
++.PP
++The following process types are defined for abrt:
++
++.EX
++.B abrt_handle_event_t, abrt_helper_t, abrt_retrace_coredump_t, abrt_t, abrt_retrace_worker_t, abrt_dump_oops_t, abrt_watch_log_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. abrt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt with the tightest access possible.
++
++
++.PP
++If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean.
++
++.EX
++.B setsebool -P abrt_handle_event 1
++.EE
++
++.PP
++If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean.
++
++.EX
++.B setsebool -P abrt_handle_event 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow abrt servers to read the /var/abrt directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/abrt(/.*)?"
++.br
++.B restorecon -F -R -v /var/abrt
++.pp
++.TP
++Allow abrt servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_abrtd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/abrt/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/abrt/incoming
++
++
++.PP
++If you want to allow ABRT to modify public files used for public file transfer services., you must turn on the abrt_anon_write boolean.
++
++.EX
++.B setsebool -P abrt_anon_write 1
++.EE
++
++.PP
++If you want to allow ABRT to modify public files used for public file transfer services., you must turn on the abrt_anon_write boolean.
++
++.EX
++.B setsebool -P abrt_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux abrt policy is very flexible allowing users to setup their abrt processes in as secure a method as possible.
++.PP
++The following file types are defined for abrt:
++
++
++.EX
++.PP
++.B abrt_dump_oops_exec_t
++.EE
++
++- Set files with the abrt_dump_oops_exec_t type, if you want to transition an executable to the abrt_dump_oops_t domain.
++
++
++.EX
++.PP
++.B abrt_etc_t
++.EE
++
++- Set files with the abrt_etc_t type, if you want to store abrt files in the /etc directories.
++
++
++.EX
++.PP
++.B abrt_exec_t
++.EE
++
++- Set files with the abrt_exec_t type, if you want to transition an executable to the abrt_t domain.
++
++
++.EX
++.PP
++.B abrt_handle_event_exec_t
++.EE
++
++- Set files with the abrt_handle_event_exec_t type, if you want to transition an executable to the abrt_handle_event_t domain.
++
++
++.EX
++.PP
++.B abrt_helper_exec_t
++.EE
++
++- Set files with the abrt_helper_exec_t type, if you want to transition an executable to the abrt_helper_t domain.
++
++
++.EX
++.PP
++.B abrt_initrc_exec_t
++.EE
++
++- Set files with the abrt_initrc_exec_t type, if you want to transition an executable to the abrt_initrc_t domain.
++
++
++.EX
++.PP
++.B abrt_retrace_cache_t
++.EE
++
++- Set files with the abrt_retrace_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B abrt_retrace_coredump_exec_t
++.EE
++
++- Set files with the abrt_retrace_coredump_exec_t type, if you want to transition an executable to the abrt_retrace_coredump_t domain.
++
++
++.EX
++.PP
++.B abrt_retrace_spool_t
++.EE
++
++- Set files with the abrt_retrace_spool_t type, if you want to store the abrt retrace files under the /var/spool directory.
++
++
++.EX
++.PP
++.B abrt_retrace_worker_exec_t
++.EE
++
++- Set files with the abrt_retrace_worker_exec_t type, if you want to transition an executable to the abrt_retrace_worker_t domain.
++
++
++.EX
++.PP
++.B abrt_tmp_t
++.EE
++
++- Set files with the abrt_tmp_t type, if you want to store abrt temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B abrt_unit_file_t
++.EE
++
++- Set files with the abrt_unit_file_t type, if you want to treat the files as abrt unit content.
++
++
++.EX
++.PP
++.B abrt_var_cache_t
++.EE
++
++- Set files with the abrt_var_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B abrt_var_log_t
++.EE
++
++- Set files with the abrt_var_log_t type, if you want to treat the data as abrt var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B abrt_var_run_t
++.EE
++
++- Set files with the abrt_var_run_t type, if you want to store the abrt files under the /run directory.
++
++
++.EX
++.PP
++.B abrt_watch_log_exec_t
++.EE
++
++- Set files with the abrt_watch_log_exec_t type, if you want to transition an executable to the abrt_watch_log_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type abrt_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B abrt_etc_t
++
++ /etc/abrt(/.*)?
++.br
++
++.br
++.B abrt_tmp_t
++
++
++.br
++.B abrt_var_cache_t
++
++ /var/cache/abrt(/.*)?
++.br
++ /var/spool/abrt(/.*)?
++.br
++ /var/cache/abrt-di(/.*)?
++.br
++
++.br
++.B abrt_var_log_t
++
++ /var/log/abrt-logger
++.br
++
++.br
++.B abrt_var_run_t
++
++ /var/run/abrt(/.*)?
++.br
++ /var/run/abrtd?\.lock
++.br
++ /var/run/abrtd?\.socket
++.br
++ /var/run/abrt\.pid
++.br
++
++.br
++.B rpm_log_t
++
++ /var/log/yum\.log.*
++.br
++
++.br
++.B rpm_var_cache_t
++
++ /var/cache/yum(/.*)?
++.br
++ /var/spool/up2date(/.*)?
++.br
++ /var/cache/PackageKit(/.*)?
++.br
++
++.br
++.B rpm_var_run_t
++
++ /var/run/yum.*
++.br
++ /var/run/PackageKit(/.*)?
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the abrt_helper_t, abrt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the abrt_helper_t, abrt_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), abrt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/abrt_watch_log_selinux.8 b/man/man8/abrt_watch_log_selinux.8
+new file mode 100644
+index 0000000..e8ab68b
+--- /dev/null
++++ b/man/man8/abrt_watch_log_selinux.8
+@@ -0,0 +1,87 @@
++.TH "abrt_watch_log_selinux" "8" "12-11-01" "abrt_watch_log" "SELinux Policy documentation for abrt_watch_log"
++.SH "NAME"
++abrt_watch_log_selinux \- Security Enhanced Linux Policy for the abrt_watch_log processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the abrt_watch_log processes via flexible mandatory access control.
++
++The abrt_watch_log processes execute with the abrt_watch_log_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep abrt_watch_log_t
++
++
++.SH "ENTRYPOINTS"
++
++The abrt_watch_log_t SELinux type can be entered via the "abrt_watch_log_exec_t" file type. The default entrypoint paths for the abrt_watch_log_t domain are the following:"
++
++/usr/bin/abrt-watch-log
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux abrt_watch_log policy is very flexible allowing users to setup their abrt_watch_log processes in as secure a method as possible.
++.PP
++The following process types are defined for abrt_watch_log:
++
++.EX
++.B abrt_watch_log_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux abrt_watch_log policy is very flexible allowing users to setup their abrt_watch_log processes in as secure a method as possible.
++.PP
++The following file types are defined for abrt_watch_log:
++
++
++.EX
++.PP
++.B abrt_watch_log_exec_t
++.EE
++
++- Set files with the abrt_watch_log_exec_t type, if you want to transition an executable to the abrt_watch_log_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), abrt_watch_log(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/accountsd_selinux.8 b/man/man8/accountsd_selinux.8
+new file mode 100644
+index 0000000..0471351
+--- /dev/null
++++ b/man/man8/accountsd_selinux.8
+@@ -0,0 +1,132 @@
++.TH "accountsd_selinux" "8" "12-11-01" "accountsd" "SELinux Policy documentation for accountsd"
++.SH "NAME"
++accountsd_selinux \- Security Enhanced Linux Policy for the accountsd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the accountsd processes via flexible mandatory access control.
++
++The accountsd processes execute with the accountsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep accountsd_t
++
++
++.SH "ENTRYPOINTS"
++
++The accountsd_t SELinux type can be entered via the "accountsd_exec_t" file type. The default entrypoint paths for the accountsd_t domain are the following:"
++
++/usr/libexec/accounts-daemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux accountsd policy is very flexible allowing users to setup their accountsd processes in as secure a method as possible.
++.PP
++The following process types are defined for accountsd:
++
++.EX
++.B accountsd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux accountsd policy is very flexible allowing users to setup their accountsd processes in as secure a method as possible.
++.PP
++The following file types are defined for accountsd:
++
++
++.EX
++.PP
++.B accountsd_exec_t
++.EE
++
++- Set files with the accountsd_exec_t type, if you want to transition an executable to the accountsd_t domain.
++
++
++.EX
++.PP
++.B accountsd_unit_file_t
++.EE
++
++- Set files with the accountsd_unit_file_t type, if you want to treat the files as accountsd unit content.
++
++
++.EX
++.PP
++.B accountsd_var_lib_t
++.EE
++
++- Set files with the accountsd_var_lib_t type, if you want to store the accountsd files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type accountsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B accountsd_var_lib_t
++
++ /var/lib/AccountsService(/.*)?
++.br
++
++.br
++.B xdm_etc_t
++
++ /etc/[mg]dm(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the accountsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the accountsd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), accountsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/acct_selinux.8 b/man/man8/acct_selinux.8
+new file mode 100644
+index 0000000..88dbb11
+--- /dev/null
++++ b/man/man8/acct_selinux.8
+@@ -0,0 +1,126 @@
++.TH "acct_selinux" "8" "12-11-01" "acct" "SELinux Policy documentation for acct"
++.SH "NAME"
++acct_selinux \- Security Enhanced Linux Policy for the acct processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the acct processes via flexible mandatory access control.
++
++The acct processes execute with the acct_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep acct_t
++
++
++.SH "ENTRYPOINTS"
++
++The acct_t SELinux type can be entered via the "acct_exec_t" file type. The default entrypoint paths for the acct_t domain are the following:"
++
++/etc/cron\.(daily|monthly)/acct, /sbin/accton, /usr/sbin/accton
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux acct policy is very flexible allowing users to setup their acct processes in as secure a method as possible.
++.PP
++The following process types are defined for acct:
++
++.EX
++.B acct_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux acct policy is very flexible allowing users to setup their acct processes in as secure a method as possible.
++.PP
++The following file types are defined for acct:
++
++
++.EX
++.PP
++.B acct_data_t
++.EE
++
++- Set files with the acct_data_t type, if you want to treat the files as acct content.
++
++
++.EX
++.PP
++.B acct_exec_t
++.EE
++
++- Set files with the acct_exec_t type, if you want to transition an executable to the acct_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type acct_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B acct_data_t
++
++ /var/account(/.*)?
++.br
++ /var/log/account(/.*)?
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the acct_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the acct_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), acct(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/afs_bosserver_selinux.8 b/man/man8/afs_bosserver_selinux.8
+new file mode 100644
+index 0000000..4502080
+--- /dev/null
++++ b/man/man8/afs_bosserver_selinux.8
+@@ -0,0 +1,105 @@
++.TH "afs_bosserver_selinux" "8" "12-11-01" "afs_bosserver" "SELinux Policy documentation for afs_bosserver"
++.SH "NAME"
++afs_bosserver_selinux \- Security Enhanced Linux Policy for the afs_bosserver processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the afs_bosserver processes via flexible mandatory access control.
++
++The afs_bosserver processes execute with the afs_bosserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep afs_bosserver_t
++
++
++.SH "ENTRYPOINTS"
++
++The afs_bosserver_t SELinux type can be entered via the "afs_bosserver_exec_t" file type. The default entrypoint paths for the afs_bosserver_t domain are the following:"
++
++/usr/afs/bin/bosserver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux afs_bosserver policy is very flexible allowing users to setup their afs_bosserver processes in as secure a method as possible.
++.PP
++The following process types are defined for afs_bosserver:
++
++.EX
++.B afs_bosserver_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux afs_bosserver policy is very flexible allowing users to setup their afs_bosserver processes in as secure a method as possible.
++.PP
++The following file types are defined for afs_bosserver:
++
++
++.EX
++.PP
++.B afs_bosserver_exec_t
++.EE
++
++- Set files with the afs_bosserver_exec_t type, if you want to transition an executable to the afs_bosserver_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type afs_bosserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B afs_config_t
++
++ /usr/afs/etc(/.*)?
++.br
++ /usr/afs/local(/.*)?
++.br
++
++.br
++.B afs_logfile_t
++
++ /usr/afs/logs(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), afs_bosserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, afs_selinux(8), afs_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/afs_fsserver_selinux.8 b/man/man8/afs_fsserver_selinux.8
+new file mode 100644
+index 0000000..3881562
+--- /dev/null
++++ b/man/man8/afs_fsserver_selinux.8
+@@ -0,0 +1,115 @@
++.TH "afs_fsserver_selinux" "8" "12-11-01" "afs_fsserver" "SELinux Policy documentation for afs_fsserver"
++.SH "NAME"
++afs_fsserver_selinux \- Security Enhanced Linux Policy for the afs_fsserver processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the afs_fsserver processes via flexible mandatory access control.
++
++The afs_fsserver processes execute with the afs_fsserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep afs_fsserver_t
++
++
++.SH "ENTRYPOINTS"
++
++The afs_fsserver_t SELinux type can be entered via the "afs_fsserver_exec_t" file type. The default entrypoint paths for the afs_fsserver_t domain are the following:"
++
++/usr/afs/bin/salvager, /usr/afs/bin/volserver, /usr/afs/bin/fileserver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux afs_fsserver policy is very flexible allowing users to setup their afs_fsserver processes in as secure a method as possible.
++.PP
++The following process types are defined for afs_fsserver:
++
++.EX
++.B afs_fsserver_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux afs_fsserver policy is very flexible allowing users to setup their afs_fsserver processes in as secure a method as possible.
++.PP
++The following file types are defined for afs_fsserver:
++
++
++.EX
++.PP
++.B afs_fsserver_exec_t
++.EE
++
++- Set files with the afs_fsserver_exec_t type, if you want to transition an executable to the afs_fsserver_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type afs_fsserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B afs_config_t
++
++ /usr/afs/etc(/.*)?
++.br
++ /usr/afs/local(/.*)?
++.br
++
++.br
++.B afs_files_t
++
++ /vicepa
++.br
++ /vicepb
++.br
++ /vicepc
++.br
++
++.br
++.B afs_logfile_t
++
++ /usr/afs/logs(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), afs_fsserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/afs_kaserver_selinux.8 b/man/man8/afs_kaserver_selinux.8
+new file mode 100644
+index 0000000..248aaef
+--- /dev/null
++++ b/man/man8/afs_kaserver_selinux.8
+@@ -0,0 +1,111 @@
++.TH "afs_kaserver_selinux" "8" "12-11-01" "afs_kaserver" "SELinux Policy documentation for afs_kaserver"
++.SH "NAME"
++afs_kaserver_selinux \- Security Enhanced Linux Policy for the afs_kaserver processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the afs_kaserver processes via flexible mandatory access control.
++
++The afs_kaserver processes execute with the afs_kaserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep afs_kaserver_t
++
++
++.SH "ENTRYPOINTS"
++
++The afs_kaserver_t SELinux type can be entered via the "afs_kaserver_exec_t" file type. The default entrypoint paths for the afs_kaserver_t domain are the following:"
++
++/usr/afs/bin/kaserver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux afs_kaserver policy is very flexible allowing users to setup their afs_kaserver processes in as secure a method as possible.
++.PP
++The following process types are defined for afs_kaserver:
++
++.EX
++.B afs_kaserver_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux afs_kaserver policy is very flexible allowing users to setup their afs_kaserver processes in as secure a method as possible.
++.PP
++The following file types are defined for afs_kaserver:
++
++
++.EX
++.PP
++.B afs_kaserver_exec_t
++.EE
++
++- Set files with the afs_kaserver_exec_t type, if you want to transition an executable to the afs_kaserver_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type afs_kaserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B afs_config_t
++
++ /usr/afs/etc(/.*)?
++.br
++ /usr/afs/local(/.*)?
++.br
++
++.br
++.B afs_ka_db_t
++
++ /usr/afs/db/ka.*
++.br
++
++.br
++.B afs_logfile_t
++
++ /usr/afs/logs(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), afs_kaserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/afs_ptserver_selinux.8 b/man/man8/afs_ptserver_selinux.8
+new file mode 100644
+index 0000000..dfd8d86
+--- /dev/null
++++ b/man/man8/afs_ptserver_selinux.8
+@@ -0,0 +1,103 @@
++.TH "afs_ptserver_selinux" "8" "12-11-01" "afs_ptserver" "SELinux Policy documentation for afs_ptserver"
++.SH "NAME"
++afs_ptserver_selinux \- Security Enhanced Linux Policy for the afs_ptserver processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the afs_ptserver processes via flexible mandatory access control.
++
++The afs_ptserver processes execute with the afs_ptserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep afs_ptserver_t
++
++
++.SH "ENTRYPOINTS"
++
++The afs_ptserver_t SELinux type can be entered via the "afs_ptserver_exec_t" file type. The default entrypoint paths for the afs_ptserver_t domain are the following:"
++
++/usr/afs/bin/ptserver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux afs_ptserver policy is very flexible allowing users to setup their afs_ptserver processes in as secure a method as possible.
++.PP
++The following process types are defined for afs_ptserver:
++
++.EX
++.B afs_ptserver_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux afs_ptserver policy is very flexible allowing users to setup their afs_ptserver processes in as secure a method as possible.
++.PP
++The following file types are defined for afs_ptserver:
++
++
++.EX
++.PP
++.B afs_ptserver_exec_t
++.EE
++
++- Set files with the afs_ptserver_exec_t type, if you want to transition an executable to the afs_ptserver_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type afs_ptserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B afs_logfile_t
++
++ /usr/afs/logs(/.*)?
++.br
++
++.br
++.B afs_pt_db_t
++
++ /usr/afs/db/pr.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), afs_ptserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_vlserver_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/afs_selinux.8 b/man/man8/afs_selinux.8
+new file mode 100644
+index 0000000..3d27b08
+--- /dev/null
++++ b/man/man8/afs_selinux.8
+@@ -0,0 +1,352 @@
++.TH "afs_selinux" "8" "12-11-01" "afs" "SELinux Policy documentation for afs"
++.SH "NAME"
++afs_selinux \- Security Enhanced Linux Policy for the afs processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the afs processes via flexible mandatory access control.
++
++The afs processes execute with the afs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep afs_t
++
++
++.SH "ENTRYPOINTS"
++
++The afs_t SELinux type can be entered via the "afs_exec_t" file type. The default entrypoint paths for the afs_t domain are the following:"
++
++/usr/sbin/afsd, /usr/vice/etc/afsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux afs policy is very flexible allowing users to setup their afs processes in as secure a method as possible.
++.PP
++The following process types are defined for afs:
++
++.EX
++.B afs_kaserver_t, afs_t, afs_fsserver_t, afs_bosserver_t, afs_vlserver_t, afs_ptserver_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux afs policy is very flexible allowing users to setup their afs processes in as secure a method as possible.
++.PP
++The following file types are defined for afs:
++
++
++.EX
++.PP
++.B afs_bosserver_exec_t
++.EE
++
++- Set files with the afs_bosserver_exec_t type, if you want to transition an executable to the afs_bosserver_t domain.
++
++
++.EX
++.PP
++.B afs_cache_t
++.EE
++
++- Set files with the afs_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B afs_config_t
++.EE
++
++- Set files with the afs_config_t type, if you want to treat the files as afs configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B afs_dbdir_t
++.EE
++
++- Set files with the afs_dbdir_t type, if you want to treat the files as afs dbdir data.
++
++
++.EX
++.PP
++.B afs_exec_t
++.EE
++
++- Set files with the afs_exec_t type, if you want to transition an executable to the afs_t domain.
++
++
++.EX
++.PP
++.B afs_files_t
++.EE
++
++- Set files with the afs_files_t type, if you want to treat the files as afs content.
++
++
++.EX
++.PP
++.B afs_fsserver_exec_t
++.EE
++
++- Set files with the afs_fsserver_exec_t type, if you want to transition an executable to the afs_fsserver_t domain.
++
++
++.EX
++.PP
++.B afs_initrc_exec_t
++.EE
++
++- Set files with the afs_initrc_exec_t type, if you want to transition an executable to the afs_initrc_t domain.
++
++
++.EX
++.PP
++.B afs_ka_db_t
++.EE
++
++- Set files with the afs_ka_db_t type, if you want to treat the files as afs ka database content.
++
++
++.EX
++.PP
++.B afs_kaserver_exec_t
++.EE
++
++- Set files with the afs_kaserver_exec_t type, if you want to transition an executable to the afs_kaserver_t domain.
++
++
++.EX
++.PP
++.B afs_logfile_t
++.EE
++
++- Set files with the afs_logfile_t type, if you want to treat the files as afs logfile data.
++
++
++.EX
++.PP
++.B afs_pt_db_t
++.EE
++
++- Set files with the afs_pt_db_t type, if you want to treat the files as afs pt database content.
++
++
++.EX
++.PP
++.B afs_ptserver_exec_t
++.EE
++
++- Set files with the afs_ptserver_exec_t type, if you want to transition an executable to the afs_ptserver_t domain.
++
++
++.EX
++.PP
++.B afs_vl_db_t
++.EE
++
++- Set files with the afs_vl_db_t type, if you want to treat the files as afs vl database content.
++
++
++.EX
++.PP
++.B afs_vlserver_exec_t
++.EE
++
++- Set files with the afs_vlserver_exec_t type, if you want to transition an executable to the afs_vlserver_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux afs policy is very flexible allowing users to setup their afs processes in as secure a method as possible.
++.PP
++The following port types are defined for afs:
++
++.EX
++.TP 5
++.B afs_bos_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 7007
++.EE
++
++.EX
++.TP 5
++.B afs_client_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 7001
++.EE
++
++.EX
++.TP 5
++.B afs_fs_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 2040
++.EE
++udp 7000,7005
++.EE
++
++.EX
++.TP 5
++.B afs_ka_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 7004
++.EE
++
++.EX
++.TP 5
++.B afs_pt_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 7002
++.EE
++
++.EX
++.TP 5
++.B afs_vl_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 7003
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type afs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B afs_cache_t
++
++ /var/cache/afs(/.*)?
++.br
++ /usr/vice/cache(/.*)?
++.br
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B unlabeled_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), afs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/afs_vlserver_selinux.8 b/man/man8/afs_vlserver_selinux.8
+new file mode 100644
+index 0000000..fae8285
+--- /dev/null
++++ b/man/man8/afs_vlserver_selinux.8
+@@ -0,0 +1,103 @@
++.TH "afs_vlserver_selinux" "8" "12-11-01" "afs_vlserver" "SELinux Policy documentation for afs_vlserver"
++.SH "NAME"
++afs_vlserver_selinux \- Security Enhanced Linux Policy for the afs_vlserver processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the afs_vlserver processes via flexible mandatory access control.
++
++The afs_vlserver processes execute with the afs_vlserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep afs_vlserver_t
++
++
++.SH "ENTRYPOINTS"
++
++The afs_vlserver_t SELinux type can be entered via the "afs_vlserver_exec_t" file type. The default entrypoint paths for the afs_vlserver_t domain are the following:"
++
++/usr/afs/bin/vlserver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux afs_vlserver policy is very flexible allowing users to setup their afs_vlserver processes in as secure a method as possible.
++.PP
++The following process types are defined for afs_vlserver:
++
++.EX
++.B afs_vlserver_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux afs_vlserver policy is very flexible allowing users to setup their afs_vlserver processes in as secure a method as possible.
++.PP
++The following file types are defined for afs_vlserver:
++
++
++.EX
++.PP
++.B afs_vlserver_exec_t
++.EE
++
++- Set files with the afs_vlserver_exec_t type, if you want to transition an executable to the afs_vlserver_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type afs_vlserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B afs_logfile_t
++
++ /usr/afs/logs(/.*)?
++.br
++
++.br
++.B afs_vl_db_t
++
++ /usr/afs/db/vl.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), afs_vlserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/aiccu_selinux.8 b/man/man8/aiccu_selinux.8
+new file mode 100644
+index 0000000..1c447a0
+--- /dev/null
++++ b/man/man8/aiccu_selinux.8
+@@ -0,0 +1,120 @@
++.TH "aiccu_selinux" "8" "12-11-01" "aiccu" "SELinux Policy documentation for aiccu"
++.SH "NAME"
++aiccu_selinux \- Security Enhanced Linux Policy for the aiccu processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the aiccu processes via flexible mandatory access control.
++
++The aiccu processes execute with the aiccu_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep aiccu_t
++
++
++.SH "ENTRYPOINTS"
++
++The aiccu_t SELinux type can be entered via the "aiccu_exec_t" file type. The default entrypoint paths for the aiccu_t domain are the following:"
++
++/usr/sbin/aiccu
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux aiccu policy is very flexible allowing users to setup their aiccu processes in as secure a method as possible.
++.PP
++The following process types are defined for aiccu:
++
++.EX
++.B aiccu_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux aiccu policy is very flexible allowing users to setup their aiccu processes in as secure a method as possible.
++.PP
++The following file types are defined for aiccu:
++
++
++.EX
++.PP
++.B aiccu_etc_t
++.EE
++
++- Set files with the aiccu_etc_t type, if you want to store aiccu files in the /etc directories.
++
++
++.EX
++.PP
++.B aiccu_exec_t
++.EE
++
++- Set files with the aiccu_exec_t type, if you want to transition an executable to the aiccu_t domain.
++
++
++.EX
++.PP
++.B aiccu_initrc_exec_t
++.EE
++
++- Set files with the aiccu_initrc_exec_t type, if you want to transition an executable to the aiccu_initrc_t domain.
++
++
++.EX
++.PP
++.B aiccu_var_run_t
++.EE
++
++- Set files with the aiccu_var_run_t type, if you want to store the aiccu files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type aiccu_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B aiccu_var_run_t
++
++ /var/run/aiccu\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), aiccu(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/aide_selinux.8 b/man/man8/aide_selinux.8
+new file mode 100644
+index 0000000..183ad6a
+--- /dev/null
++++ b/man/man8/aide_selinux.8
+@@ -0,0 +1,120 @@
++.TH "aide_selinux" "8" "12-11-01" "aide" "SELinux Policy documentation for aide"
++.SH "NAME"
++aide_selinux \- Security Enhanced Linux Policy for the aide processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the aide processes via flexible mandatory access control.
++
++The aide processes execute with the aide_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep aide_t
++
++
++.SH "ENTRYPOINTS"
++
++The aide_t SELinux type can be entered via the "aide_exec_t" file type. The default entrypoint paths for the aide_t domain are the following:"
++
++/usr/sbin/aide
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux aide policy is very flexible allowing users to setup their aide processes in as secure a method as possible.
++.PP
++The following process types are defined for aide:
++
++.EX
++.B aide_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux aide policy is very flexible allowing users to setup their aide processes in as secure a method as possible.
++.PP
++The following file types are defined for aide:
++
++
++.EX
++.PP
++.B aide_db_t
++.EE
++
++- Set files with the aide_db_t type, if you want to treat the files as aide database content.
++
++
++.EX
++.PP
++.B aide_exec_t
++.EE
++
++- Set files with the aide_exec_t type, if you want to transition an executable to the aide_t domain.
++
++
++.EX
++.PP
++.B aide_log_t
++.EE
++
++- Set files with the aide_log_t type, if you want to treat the data as aide log data, usually stored under the /var/log directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type aide_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B aide_db_t
++
++ /var/lib/aide(/.*)
++.br
++
++.br
++.B aide_log_t
++
++ /var/log/aide(/.*)?
++.br
++ /var/log/aide\.log.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), aide(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/aisexec_selinux.8 b/man/man8/aisexec_selinux.8
+new file mode 100644
+index 0000000..ced319f
+--- /dev/null
++++ b/man/man8/aisexec_selinux.8
+@@ -0,0 +1,206 @@
++.TH "aisexec_selinux" "8" "12-11-01" "aisexec" "SELinux Policy documentation for aisexec"
++.SH "NAME"
++aisexec_selinux \- Security Enhanced Linux Policy for the aisexec processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the aisexec processes via flexible mandatory access control.
++
++The aisexec processes execute with the aisexec_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep aisexec_t
++
++
++.SH "ENTRYPOINTS"
++
++The aisexec_t SELinux type can be entered via the "aisexec_exec_t" file type. The default entrypoint paths for the aisexec_t domain are the following:"
++
++/usr/sbin/aisexec
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux aisexec policy is very flexible allowing users to setup their aisexec processes in as secure a method as possible.
++.PP
++The following process types are defined for aisexec:
++
++.EX
++.B aisexec_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux aisexec policy is very flexible allowing users to setup their aisexec processes in as secure a method as possible.
++.PP
++The following file types are defined for aisexec:
++
++
++.EX
++.PP
++.B aisexec_exec_t
++.EE
++
++- Set files with the aisexec_exec_t type, if you want to transition an executable to the aisexec_t domain.
++
++
++.EX
++.PP
++.B aisexec_initrc_exec_t
++.EE
++
++- Set files with the aisexec_initrc_exec_t type, if you want to transition an executable to the aisexec_initrc_t domain.
++
++
++.EX
++.PP
++.B aisexec_tmp_t
++.EE
++
++- Set files with the aisexec_tmp_t type, if you want to store aisexec temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B aisexec_tmpfs_t
++.EE
++
++- Set files with the aisexec_tmpfs_t type, if you want to store aisexec files on a tmpfs file system.
++
++
++.EX
++.PP
++.B aisexec_var_lib_t
++.EE
++
++- Set files with the aisexec_var_lib_t type, if you want to store the aisexec files under the /var/lib directory.
++
++
++.EX
++.PP
++.B aisexec_var_log_t
++.EE
++
++- Set files with the aisexec_var_log_t type, if you want to treat the data as aisexec var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B aisexec_var_run_t
++.EE
++
++- Set files with the aisexec_var_run_t type, if you want to store the aisexec files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type aisexec_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B aisexec_tmp_t
++
++
++.br
++.B aisexec_tmpfs_t
++
++
++.br
++.B aisexec_var_lib_t
++
++ /var/lib/openais(/.*)?
++.br
++
++.br
++.B aisexec_var_log_t
++
++ /var/log/cluster/aisexec\.log.*
++.br
++
++.br
++.B aisexec_var_run_t
++
++ /var/run/aisexec\.pid
++.br
++
++.br
++.B dlm_controld_tmpfs_t
++
++
++.br
++.B fenced_tmpfs_t
++
++
++.br
++.B gfs_controld_tmpfs_t
++
++
++.br
++.B groupd_tmpfs_t
++
++
++.br
++.B initrc_tmp_t
++
++
++.br
++.B var_lib_t
++
++ /opt/(.*/)?var/lib(/.*)?
++.br
++ /var/lib(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the aisexec_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the aisexec_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), aisexec(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ajaxterm_selinux.8 b/man/man8/ajaxterm_selinux.8
+new file mode 100644
+index 0000000..2423a73
+--- /dev/null
++++ b/man/man8/ajaxterm_selinux.8
+@@ -0,0 +1,184 @@
++.TH "ajaxterm_selinux" "8" "12-11-01" "ajaxterm" "SELinux Policy documentation for ajaxterm"
++.SH "NAME"
++ajaxterm_selinux \- Security Enhanced Linux Policy for the ajaxterm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ajaxterm processes via flexible mandatory access control.
++
++The ajaxterm processes execute with the ajaxterm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ajaxterm_t
++
++
++.SH "ENTRYPOINTS"
++
++The ajaxterm_t SELinux type can be entered via the "ajaxterm_exec_t" file type. The default entrypoint paths for the ajaxterm_t domain are the following:"
++
++/usr/share/ajaxterm/ajaxterm\.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ajaxterm policy is very flexible allowing users to setup their ajaxterm processes in as secure a method as possible.
++.PP
++The following process types are defined for ajaxterm:
++
++.EX
++.B ajaxterm_ssh_t, ajaxterm_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ajaxterm policy is very flexible allowing users to setup their ajaxterm processes in as secure a method as possible.
++.PP
++The following file types are defined for ajaxterm:
++
++
++.EX
++.PP
++.B ajaxterm_exec_t
++.EE
++
++- Set files with the ajaxterm_exec_t type, if you want to transition an executable to the ajaxterm_t domain.
++
++
++.EX
++.PP
++.B ajaxterm_initrc_exec_t
++.EE
++
++- Set files with the ajaxterm_initrc_exec_t type, if you want to transition an executable to the ajaxterm_initrc_t domain.
++
++
++.EX
++.PP
++.B ajaxterm_var_run_t
++.EE
++
++- Set files with the ajaxterm_var_run_t type, if you want to store the ajaxterm files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux ajaxterm policy is very flexible allowing users to setup their ajaxterm processes in as secure a method as possible.
++.PP
++The following port types are defined for ajaxterm:
++
++.EX
++.TP 5
++.B ajaxterm_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8022
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type ajaxterm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ajaxterm_var_run_t
++
++ /var/run/ajaxterm\.pid
++.br
++
++.br
++.B ssh_home_t
++
++ /root/\.ssh(/.*)?
++.br
++ /var/lib/openshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/amanda/\.ssh(/.*)?
++.br
++ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/gitolite/\.ssh(/.*)?
++.br
++ /var/lib/nocpulse/\.ssh(/.*)?
++.br
++ /var/lib/gitolite3/\.ssh(/.*)?
++.br
++ /root/\.shosts
++.br
++ /home/[^/]*/\.ssh(/.*)?
++.br
++ /home/[^/]*/\.shosts
++.br
++ /home/dwalsh/\.ssh(/.*)?
++.br
++ /home/dwalsh/\.shosts
++.br
++ /var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.shosts
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ajaxterm_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ajaxterm_ssh_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ajaxterm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/alsa_selinux.8 b/man/man8/alsa_selinux.8
+new file mode 100644
+index 0000000..75888ee
+--- /dev/null
++++ b/man/man8/alsa_selinux.8
+@@ -0,0 +1,170 @@
++.TH "alsa_selinux" "8" "12-11-01" "alsa" "SELinux Policy documentation for alsa"
++.SH "NAME"
++alsa_selinux \- Security Enhanced Linux Policy for the alsa processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the alsa processes via flexible mandatory access control.
++
++The alsa processes execute with the alsa_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep alsa_t
++
++
++.SH "ENTRYPOINTS"
++
++The alsa_t SELinux type can be entered via the "alsa_exec_t" file type. The default entrypoint paths for the alsa_t domain are the following:"
++
++/sbin/salsa, /sbin/alsactl, /usr/bin/ainit, /bin/alsaunmute, /usr/sbin/salsa, /usr/sbin/alsactl, /usr/bin/alsaunmute
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux alsa policy is very flexible allowing users to setup their alsa processes in as secure a method as possible.
++.PP
++The following process types are defined for alsa:
++
++.EX
++.B alsa_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux alsa policy is very flexible allowing users to setup their alsa processes in as secure a method as possible.
++.PP
++The following file types are defined for alsa:
++
++
++.EX
++.PP
++.B alsa_etc_rw_t
++.EE
++
++- Set files with the alsa_etc_rw_t type, if you want to treat the files as alsa etc read/write content.
++
++
++.EX
++.PP
++.B alsa_exec_t
++.EE
++
++- Set files with the alsa_exec_t type, if you want to transition an executable to the alsa_t domain.
++
++
++.EX
++.PP
++.B alsa_home_t
++.EE
++
++- Set files with the alsa_home_t type, if you want to store alsa files in the users home directory.
++
++
++.EX
++.PP
++.B alsa_tmp_t
++.EE
++
++- Set files with the alsa_tmp_t type, if you want to store alsa temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B alsa_unit_file_t
++.EE
++
++- Set files with the alsa_unit_file_t type, if you want to treat the files as alsa unit content.
++
++
++.EX
++.PP
++.B alsa_var_lib_t
++.EE
++
++- Set files with the alsa_var_lib_t type, if you want to store the alsa files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type alsa_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B alsa_etc_rw_t
++
++ /etc/asound(/.*)?
++.br
++ /etc/alsa/pcm(/.*)?
++.br
++ /usr/share/alsa/pcm(/.*)?
++.br
++ /etc/asound\.state
++.br
++ /etc/alsa/asound\.state
++.br
++ /usr/share/alsa/alsa\.conf
++.br
++
++.br
++.B alsa_tmp_t
++
++
++.br
++.B alsa_var_lib_t
++
++ /var/lib/alsa(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the alsa_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the alsa_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), alsa(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/amanda_recover_selinux.8 b/man/man8/amanda_recover_selinux.8
+new file mode 100644
+index 0000000..680559a
+--- /dev/null
++++ b/man/man8/amanda_recover_selinux.8
+@@ -0,0 +1,131 @@
++.TH "amanda_recover_selinux" "8" "12-11-01" "amanda_recover" "SELinux Policy documentation for amanda_recover"
++.SH "NAME"
++amanda_recover_selinux \- Security Enhanced Linux Policy for the amanda_recover processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the amanda_recover processes via flexible mandatory access control.
++
++The amanda_recover processes execute with the amanda_recover_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep amanda_recover_t
++
++
++.SH "ENTRYPOINTS"
++
++The amanda_recover_t SELinux type can be entered via the "amanda_recover_exec_t" file type. The default entrypoint paths for the amanda_recover_t domain are the following:"
++
++/usr/sbin/amrecover
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux amanda_recover policy is very flexible allowing users to setup their amanda_recover processes in as secure a method as possible.
++.PP
++The following process types are defined for amanda_recover:
++
++.EX
++.B amanda_recover_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux amanda_recover policy is very flexible allowing users to setup their amanda_recover processes in as secure a method as possible.
++.PP
++The following file types are defined for amanda_recover:
++
++
++.EX
++.PP
++.B amanda_recover_dir_t
++.EE
++
++- Set files with the amanda_recover_dir_t type, if you want to treat the files as amanda recover dir data.
++
++
++.EX
++.PP
++.B amanda_recover_exec_t
++.EE
++
++- Set files with the amanda_recover_exec_t type, if you want to transition an executable to the amanda_recover_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type amanda_recover_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B amanda_log_t
++
++ /var/log/amanda(/.*)?
++.br
++ /var/lib/amanda/[^/]*/log(/.*)?
++.br
++
++.br
++.B amanda_recover_dir_t
++
++ /root/restore
++.br
++
++.br
++.B amanda_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amanda_recover_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the amanda_recover_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), amanda_recover(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, amanda_selinux(8), amanda_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/amanda_selinux.8 b/man/man8/amanda_selinux.8
+new file mode 100644
+index 0000000..6bdbec5
+--- /dev/null
++++ b/man/man8/amanda_selinux.8
+@@ -0,0 +1,277 @@
++.TH "amanda_selinux" "8" "12-11-01" "amanda" "SELinux Policy documentation for amanda"
++.SH "NAME"
++amanda_selinux \- Security Enhanced Linux Policy for the amanda processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the amanda processes via flexible mandatory access control.
++
++The amanda processes execute with the amanda_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep amanda_t
++
++
++.SH "ENTRYPOINTS"
++
++The amanda_t SELinux type can be entered via the "amanda_exec_t,amanda_inetd_exec_t" file types. The default entrypoint paths for the amanda_t domain are the following:"
++
++/usr/lib/amanda/.+, /usr/lib/amanda/amandad, /usr/lib/amanda/amindexd, /usr/lib/amanda/amidxtaped
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible.
++.PP
++The following process types are defined for amanda:
++
++.EX
++.B amanda_t, amanda_recover_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible.
++.PP
++The following file types are defined for amanda:
++
++
++.EX
++.PP
++.B amanda_amandates_t
++.EE
++
++- Set files with the amanda_amandates_t type, if you want to treat the files as amanda amandates data.
++
++
++.EX
++.PP
++.B amanda_config_t
++.EE
++
++- Set files with the amanda_config_t type, if you want to treat the files as amanda configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B amanda_data_t
++.EE
++
++- Set files with the amanda_data_t type, if you want to treat the files as amanda content.
++
++
++.EX
++.PP
++.B amanda_dumpdates_t
++.EE
++
++- Set files with the amanda_dumpdates_t type, if you want to treat the files as amanda dumpdates data.
++
++
++.EX
++.PP
++.B amanda_exec_t
++.EE
++
++- Set files with the amanda_exec_t type, if you want to transition an executable to the amanda_t domain.
++
++
++.EX
++.PP
++.B amanda_gnutarlists_t
++.EE
++
++- Set files with the amanda_gnutarlists_t type, if you want to treat the files as amanda gnutarlists data.
++
++
++.EX
++.PP
++.B amanda_inetd_exec_t
++.EE
++
++- Set files with the amanda_inetd_exec_t type, if you want to transition an executable to the amanda_inetd_t domain.
++
++
++.EX
++.PP
++.B amanda_log_t
++.EE
++
++- Set files with the amanda_log_t type, if you want to treat the data as amanda log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B amanda_recover_dir_t
++.EE
++
++- Set files with the amanda_recover_dir_t type, if you want to treat the files as amanda recover dir data.
++
++
++.EX
++.PP
++.B amanda_recover_exec_t
++.EE
++
++- Set files with the amanda_recover_exec_t type, if you want to transition an executable to the amanda_recover_t domain.
++
++
++.EX
++.PP
++.B amanda_tmp_t
++.EE
++
++- Set files with the amanda_tmp_t type, if you want to store amanda temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B amanda_usr_lib_t
++.EE
++
++- Set files with the amanda_usr_lib_t type, if you want to treat the files as amanda usr lib data.
++
++
++.EX
++.PP
++.B amanda_var_lib_t
++.EE
++
++- Set files with the amanda_var_lib_t type, if you want to store the amanda files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible.
++.PP
++The following port types are defined for amanda:
++
++.EX
++.TP 5
++.B amanda_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 10080-10083
++.EE
++udp 10080-10082
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type amanda_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B amanda_amandates_t
++
++ /etc/amandates
++.br
++
++.br
++.B amanda_data_t
++
++ /etc/amanda/.*/index(/.*)?
++.br
++ /etc/amanda/.*/tapelist(/.*)?
++.br
++ /var/lib/amanda/[^/]+(/.*)?
++.br
++
++.br
++.B amanda_dumpdates_t
++
++ /etc/dumpdates
++.br
++
++.br
++.B amanda_gnutarlists_t
++
++ /var/lib/amanda/gnutar-lists(/.*)?
++.br
++
++.br
++.B amanda_log_t
++
++ /var/log/amanda(/.*)?
++.br
++ /var/lib/amanda/[^/]*/log(/.*)?
++.br
++
++.br
++.B amanda_tmp_t
++
++
++.br
++.B amanda_var_lib_t
++
++ /var/lib/amanda/[^/]+/index(/.*)?
++.br
++ /var/lib/amanda
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amanda_recover_t, amanda_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the amanda_recover_t, amanda_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), amanda(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, amanda_recover_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/amavis_selinux.8 b/man/man8/amavis_selinux.8
+new file mode 100644
+index 0000000..28b1547
+--- /dev/null
++++ b/man/man8/amavis_selinux.8
+@@ -0,0 +1,283 @@
++.TH "amavis_selinux" "8" "12-11-01" "amavis" "SELinux Policy documentation for amavis"
++.SH "NAME"
++amavis_selinux \- Security Enhanced Linux Policy for the amavis processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the amavis processes via flexible mandatory access control.
++
++The amavis processes execute with the amavis_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep amavis_t
++
++
++.SH "ENTRYPOINTS"
++
++The amavis_t SELinux type can be entered via the "amavis_exec_t" file type. The default entrypoint paths for the amavis_t domain are the following:"
++
++/usr/sbin/amavisd.*, /usr/lib/AntiVir/antivir
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux amavis policy is very flexible allowing users to setup their amavis processes in as secure a method as possible.
++.PP
++The following process types are defined for amavis:
++
++.EX
++.B amavis_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. amavis policy is extremely flexible and has several booleans that allow you to manipulate the policy and run amavis with the tightest access possible.
++
++
++.PP
++If you want to allow amavis to use JIT compiler, you must turn on the amavis_use_jit boolean.
++
++.EX
++.B setsebool -P amavis_use_jit 1
++.EE
++
++.PP
++If you want to allow amavis to use JIT compiler, you must turn on the amavis_use_jit boolean.
++
++.EX
++.B setsebool -P amavis_use_jit 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux amavis policy is very flexible allowing users to setup their amavis processes in as secure a method as possible.
++.PP
++The following file types are defined for amavis:
++
++
++.EX
++.PP
++.B amavis_etc_t
++.EE
++
++- Set files with the amavis_etc_t type, if you want to store amavis files in the /etc directories.
++
++
++.EX
++.PP
++.B amavis_exec_t
++.EE
++
++- Set files with the amavis_exec_t type, if you want to transition an executable to the amavis_t domain.
++
++
++.EX
++.PP
++.B amavis_initrc_exec_t
++.EE
++
++- Set files with the amavis_initrc_exec_t type, if you want to transition an executable to the amavis_initrc_t domain.
++
++
++.EX
++.PP
++.B amavis_quarantine_t
++.EE
++
++- Set files with the amavis_quarantine_t type, if you want to treat the files as amavis quarantine data.
++
++
++.EX
++.PP
++.B amavis_spool_t
++.EE
++
++- Set files with the amavis_spool_t type, if you want to store the amavis files under the /var/spool directory.
++
++
++.EX
++.PP
++.B amavis_tmp_t
++.EE
++
++- Set files with the amavis_tmp_t type, if you want to store amavis temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B amavis_var_lib_t
++.EE
++
++- Set files with the amavis_var_lib_t type, if you want to store the amavis files under the /var/lib directory.
++
++
++.EX
++.PP
++.B amavis_var_log_t
++.EE
++
++- Set files with the amavis_var_log_t type, if you want to treat the data as amavis var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B amavis_var_run_t
++.EE
++
++- Set files with the amavis_var_run_t type, if you want to store the amavis files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux amavis policy is very flexible allowing users to setup their amavis processes in as secure a method as possible.
++.PP
++The following port types are defined for amavis:
++
++.EX
++.TP 5
++.B amavisd_recv_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 10024
++.EE
++
++.EX
++.TP 5
++.B amavisd_send_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 10025
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type amavis_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B amavis_quarantine_t
++
++ /var/virusmails(/.*)?
++.br
++
++.br
++.B amavis_spool_t
++
++ /var/spool/amavisd(/.*)?
++.br
++
++.br
++.B amavis_tmp_t
++
++
++.br
++.B amavis_var_lib_t
++
++ /var/amavis(/.*)?
++.br
++ /var/lib/amavis(/.*)?
++.br
++
++.br
++.B amavis_var_log_t
++
++ /var/log/amavisd\.log.*
++.br
++
++.br
++.B amavis_var_run_t
++
++ /var/run/amavis(d)?(/.*)?
++.br
++
++.br
++.B antivirus_db_t
++
++ /var/opt/f-secure(/.*)?
++.br
++
++.br
++.B snmpd_var_lib_t
++
++ /var/agentx(/.*)?
++.br
++ /var/lib/snmp(/.*)?
++.br
++ /var/net-snmp(/.*)?
++.br
++ /var/lib/net-snmp(/.*)?
++.br
++ /usr/share/snmp/mibs/\.index
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amavis_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the amavis_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), amavis(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/amtu_selinux.8 b/man/man8/amtu_selinux.8
+new file mode 100644
+index 0000000..96416ac
+--- /dev/null
++++ b/man/man8/amtu_selinux.8
+@@ -0,0 +1,102 @@
++.TH "amtu_selinux" "8" "12-11-01" "amtu" "SELinux Policy documentation for amtu"
++.SH "NAME"
++amtu_selinux \- Security Enhanced Linux Policy for the amtu processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the amtu processes via flexible mandatory access control.
++
++The amtu processes execute with the amtu_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep amtu_t
++
++
++.SH "ENTRYPOINTS"
++
++The amtu_t SELinux type can be entered via the "amtu_exec_t" file type. The default entrypoint paths for the amtu_t domain are the following:"
++
++/usr/bin/amtu
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux amtu policy is very flexible allowing users to setup their amtu processes in as secure a method as possible.
++.PP
++The following process types are defined for amtu:
++
++.EX
++.B amtu_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux amtu policy is very flexible allowing users to setup their amtu processes in as secure a method as possible.
++.PP
++The following file types are defined for amtu:
++
++
++.EX
++.PP
++.B amtu_exec_t
++.EE
++
++- Set files with the amtu_exec_t type, if you want to transition an executable to the amtu_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type amtu_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B boot_t
++
++ /boot/.*
++.br
++ /vmlinuz.*
++.br
++ /initrd\.img.*
++.br
++ /boot
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), amtu(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/apache_selinux.8 b/man/man8/apache_selinux.8
+new file mode 100644
+index 0000000..1ff959f
+--- /dev/null
++++ b/man/man8/apache_selinux.8
+@@ -0,0 +1 @@
++.so man8/httpd_selinux.8
+\ No newline at end of file
+diff --git a/man/man8/apcupsd_selinux.8 b/man/man8/apcupsd_selinux.8
+new file mode 100644
+index 0000000..5c83a01
+--- /dev/null
++++ b/man/man8/apcupsd_selinux.8
+@@ -0,0 +1,264 @@
++.TH "apcupsd_selinux" "8" "12-11-01" "apcupsd" "SELinux Policy documentation for apcupsd"
++.SH "NAME"
++apcupsd_selinux \- Security Enhanced Linux Policy for the apcupsd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the apcupsd processes via flexible mandatory access control.
++
++The apcupsd processes execute with the apcupsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep apcupsd_t
++
++
++.SH "ENTRYPOINTS"
++
++The apcupsd_t SELinux type can be entered via the "apcupsd_exec_t" file type. The default entrypoint paths for the apcupsd_t domain are the following:"
++
++/sbin/apcupsd, /usr/sbin/apcupsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux apcupsd policy is very flexible allowing users to setup their apcupsd processes in as secure a method as possible.
++.PP
++The following process types are defined for apcupsd:
++
++.EX
++.B apcupsd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux apcupsd policy is very flexible allowing users to setup their apcupsd processes in as secure a method as possible.
++.PP
++The following file types are defined for apcupsd:
++
++
++.EX
++.PP
++.B apcupsd_exec_t
++.EE
++
++- Set files with the apcupsd_exec_t type, if you want to transition an executable to the apcupsd_t domain.
++
++
++.EX
++.PP
++.B apcupsd_initrc_exec_t
++.EE
++
++- Set files with the apcupsd_initrc_exec_t type, if you want to transition an executable to the apcupsd_initrc_t domain.
++
++
++.EX
++.PP
++.B apcupsd_lock_t
++.EE
++
++- Set files with the apcupsd_lock_t type, if you want to treat the files as apcupsd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B apcupsd_log_t
++.EE
++
++- Set files with the apcupsd_log_t type, if you want to treat the data as apcupsd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B apcupsd_tmp_t
++.EE
++
++- Set files with the apcupsd_tmp_t type, if you want to store apcupsd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B apcupsd_unit_file_t
++.EE
++
++- Set files with the apcupsd_unit_file_t type, if you want to treat the files as apcupsd unit content.
++
++
++.EX
++.PP
++.B apcupsd_var_run_t
++.EE
++
++- Set files with the apcupsd_var_run_t type, if you want to store the apcupsd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux apcupsd policy is very flexible allowing users to setup their apcupsd processes in as secure a method as possible.
++.PP
++The following port types are defined for apcupsd:
++
++.EX
++.TP 5
++.B apcupsd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 3551
++.EE
++udp 3551
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type apcupsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B apcupsd_lock_t
++
++ /var/lock/subsys/apcupsd
++.br
++
++.br
++.B apcupsd_log_t
++
++ /var/log/apcupsd\.events.*
++.br
++ /var/log/apcupsd\.status.*
++.br
++
++.br
++.B apcupsd_tmp_t
++
++
++.br
++.B apcupsd_var_run_t
++
++ /var/run/apcupsd\.pid
++.br
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), apcupsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/apm_selinux.8 b/man/man8/apm_selinux.8
+new file mode 100644
+index 0000000..2791aca
+--- /dev/null
++++ b/man/man8/apm_selinux.8
+@@ -0,0 +1,149 @@
++.TH "apm_selinux" "8" "12-11-01" "apm" "SELinux Policy documentation for apm"
++.SH "NAME"
++apm_selinux \- Security Enhanced Linux Policy for the apm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the apm processes via flexible mandatory access control.
++
++The apm processes execute with the apm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep apm_t
++
++
++.SH "ENTRYPOINTS"
++
++The apm_t SELinux type can be entered via the "apm_exec_t" file type. The default entrypoint paths for the apm_t domain are the following:"
++
++/usr/bin/apm
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux apm policy is very flexible allowing users to setup their apm processes in as secure a method as possible.
++.PP
++The following process types are defined for apm:
++
++.EX
++.B apm_t, apmd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux apm policy is very flexible allowing users to setup their apm processes in as secure a method as possible.
++.PP
++The following file types are defined for apm:
++
++
++.EX
++.PP
++.B apm_exec_t
++.EE
++
++- Set files with the apm_exec_t type, if you want to transition an executable to the apm_t domain.
++
++
++.EX
++.PP
++.B apmd_exec_t
++.EE
++
++- Set files with the apmd_exec_t type, if you want to transition an executable to the apmd_t domain.
++
++
++.EX
++.PP
++.B apmd_lock_t
++.EE
++
++- Set files with the apmd_lock_t type, if you want to treat the files as apmd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B apmd_log_t
++.EE
++
++- Set files with the apmd_log_t type, if you want to treat the data as apmd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B apmd_tmp_t
++.EE
++
++- Set files with the apmd_tmp_t type, if you want to store apmd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B apmd_unit_file_t
++.EE
++
++- Set files with the apmd_unit_file_t type, if you want to treat the files as apmd unit content.
++
++
++.EX
++.PP
++.B apmd_var_run_t
++.EE
++
++- Set files with the apmd_var_run_t type, if you want to store the apmd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), apm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, apmd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/apmd_selinux.8 b/man/man8/apmd_selinux.8
+new file mode 100644
+index 0000000..071cf38
+--- /dev/null
++++ b/man/man8/apmd_selinux.8
+@@ -0,0 +1,229 @@
++.TH "apmd_selinux" "8" "12-11-01" "apmd" "SELinux Policy documentation for apmd"
++.SH "NAME"
++apmd_selinux \- Security Enhanced Linux Policy for the apmd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the apmd processes via flexible mandatory access control.
++
++The apmd processes execute with the apmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep apmd_t
++
++
++.SH "ENTRYPOINTS"
++
++The apmd_t SELinux type can be entered via the "apmd_exec_t" file type. The default entrypoint paths for the apmd_t domain are the following:"
++
++/usr/sbin/apmd, /usr/sbin/acpid, /usr/sbin/powersaved
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux apmd policy is very flexible allowing users to setup their apmd processes in as secure a method as possible.
++.PP
++The following process types are defined for apmd:
++
++.EX
++.B apm_t, apmd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux apmd policy is very flexible allowing users to setup their apmd processes in as secure a method as possible.
++.PP
++The following file types are defined for apmd:
++
++
++.EX
++.PP
++.B apmd_exec_t
++.EE
++
++- Set files with the apmd_exec_t type, if you want to transition an executable to the apmd_t domain.
++
++
++.EX
++.PP
++.B apmd_lock_t
++.EE
++
++- Set files with the apmd_lock_t type, if you want to treat the files as apmd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B apmd_log_t
++.EE
++
++- Set files with the apmd_log_t type, if you want to treat the data as apmd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B apmd_tmp_t
++.EE
++
++- Set files with the apmd_tmp_t type, if you want to store apmd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B apmd_unit_file_t
++.EE
++
++- Set files with the apmd_unit_file_t type, if you want to treat the files as apmd unit content.
++
++
++.EX
++.PP
++.B apmd_var_run_t
++.EE
++
++- Set files with the apmd_var_run_t type, if you want to store the apmd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type apmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B adjtime_t
++
++ /etc/adjtime
++.br
++
++.br
++.B apmd_lock_t
++
++
++.br
++.B apmd_log_t
++
++ /var/log/acpid.*
++.br
++
++.br
++.B apmd_tmp_t
++
++
++.br
++.B apmd_var_run_t
++
++ /var/run/\.?acpid\.socket
++.br
++ /var/run/apmd\.pid
++.br
++ /var/run/powersaved\.pid
++.br
++ /var/run/powersave_socket
++.br
++
++.br
++.B devicekit_var_log_t
++
++ /var/log/pm-suspend\.log.*
++.br
++ /var/log/pm-powersave\.log.*
++.br
++
++.br
++.B devicekit_var_run_t
++
++ /var/run/udisks.*
++.br
++ /var/run/devkit(/.*)?
++.br
++ /var/run/upower(/.*)?
++.br
++ /var/run/pm-utils(/.*)?
++.br
++ /var/run/DeviceKit-disks(/.*)?
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B sysctl_type
++
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), apmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, apm_selinux(8), apm_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/arpwatch_selinux.8 b/man/man8/arpwatch_selinux.8
+new file mode 100644
+index 0000000..d869564
+--- /dev/null
++++ b/man/man8/arpwatch_selinux.8
+@@ -0,0 +1,160 @@
++.TH "arpwatch_selinux" "8" "12-11-01" "arpwatch" "SELinux Policy documentation for arpwatch"
++.SH "NAME"
++arpwatch_selinux \- Security Enhanced Linux Policy for the arpwatch processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the arpwatch processes via flexible mandatory access control.
++
++The arpwatch processes execute with the arpwatch_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep arpwatch_t
++
++
++.SH "ENTRYPOINTS"
++
++The arpwatch_t SELinux type can be entered via the "arpwatch_exec_t" file type. The default entrypoint paths for the arpwatch_t domain are the following:"
++
++/usr/sbin/arpwatch
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux arpwatch policy is very flexible allowing users to setup their arpwatch processes in as secure a method as possible.
++.PP
++The following process types are defined for arpwatch:
++
++.EX
++.B arpwatch_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux arpwatch policy is very flexible allowing users to setup their arpwatch processes in as secure a method as possible.
++.PP
++The following file types are defined for arpwatch:
++
++
++.EX
++.PP
++.B arpwatch_data_t
++.EE
++
++- Set files with the arpwatch_data_t type, if you want to treat the files as arpwatch content.
++
++
++.EX
++.PP
++.B arpwatch_exec_t
++.EE
++
++- Set files with the arpwatch_exec_t type, if you want to transition an executable to the arpwatch_t domain.
++
++
++.EX
++.PP
++.B arpwatch_initrc_exec_t
++.EE
++
++- Set files with the arpwatch_initrc_exec_t type, if you want to transition an executable to the arpwatch_initrc_t domain.
++
++
++.EX
++.PP
++.B arpwatch_tmp_t
++.EE
++
++- Set files with the arpwatch_tmp_t type, if you want to store arpwatch temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B arpwatch_unit_file_t
++.EE
++
++- Set files with the arpwatch_unit_file_t type, if you want to treat the files as arpwatch unit content.
++
++
++.EX
++.PP
++.B arpwatch_var_run_t
++.EE
++
++- Set files with the arpwatch_var_run_t type, if you want to store the arpwatch files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type arpwatch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B arpwatch_data_t
++
++ /var/arpwatch(/.*)?
++.br
++ /var/lib/arpwatch(/.*)?
++.br
++
++.br
++.B arpwatch_tmp_t
++
++
++.br
++.B arpwatch_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the arpwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the arpwatch_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), arpwatch(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/asterisk_selinux.8 b/man/man8/asterisk_selinux.8
+new file mode 100644
+index 0000000..070e49b
+--- /dev/null
++++ b/man/man8/asterisk_selinux.8
+@@ -0,0 +1,228 @@
++.TH "asterisk_selinux" "8" "12-11-01" "asterisk" "SELinux Policy documentation for asterisk"
++.SH "NAME"
++asterisk_selinux \- Security Enhanced Linux Policy for the asterisk processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the asterisk processes via flexible mandatory access control.
++
++The asterisk processes execute with the asterisk_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep asterisk_t
++
++
++.SH "ENTRYPOINTS"
++
++The asterisk_t SELinux type can be entered via the "asterisk_exec_t" file type. The default entrypoint paths for the asterisk_t domain are the following:"
++
++/usr/sbin/asterisk
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux asterisk policy is very flexible allowing users to setup their asterisk processes in as secure a method as possible.
++.PP
++The following process types are defined for asterisk:
++
++.EX
++.B asterisk_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux asterisk policy is very flexible allowing users to setup their asterisk processes in as secure a method as possible.
++.PP
++The following file types are defined for asterisk:
++
++
++.EX
++.PP
++.B asterisk_etc_t
++.EE
++
++- Set files with the asterisk_etc_t type, if you want to store asterisk files in the /etc directories.
++
++
++.EX
++.PP
++.B asterisk_exec_t
++.EE
++
++- Set files with the asterisk_exec_t type, if you want to transition an executable to the asterisk_t domain.
++
++
++.EX
++.PP
++.B asterisk_initrc_exec_t
++.EE
++
++- Set files with the asterisk_initrc_exec_t type, if you want to transition an executable to the asterisk_initrc_t domain.
++
++
++.EX
++.PP
++.B asterisk_log_t
++.EE
++
++- Set files with the asterisk_log_t type, if you want to treat the data as asterisk log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B asterisk_spool_t
++.EE
++
++- Set files with the asterisk_spool_t type, if you want to store the asterisk files under the /var/spool directory.
++
++
++.EX
++.PP
++.B asterisk_tmp_t
++.EE
++
++- Set files with the asterisk_tmp_t type, if you want to store asterisk temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B asterisk_tmpfs_t
++.EE
++
++- Set files with the asterisk_tmpfs_t type, if you want to store asterisk files on a tmpfs file system.
++
++
++.EX
++.PP
++.B asterisk_var_lib_t
++.EE
++
++- Set files with the asterisk_var_lib_t type, if you want to store the asterisk files under the /var/lib directory.
++
++
++.EX
++.PP
++.B asterisk_var_run_t
++.EE
++
++- Set files with the asterisk_var_run_t type, if you want to store the asterisk files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux asterisk policy is very flexible allowing users to setup their asterisk processes in as secure a method as possible.
++.PP
++The following port types are defined for asterisk:
++
++.EX
++.TP 5
++.B asterisk_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 1720
++.EE
++udp 2427,2727,4569
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type asterisk_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B asterisk_log_t
++
++ /var/log/asterisk(/.*)?
++.br
++
++.br
++.B asterisk_spool_t
++
++ /var/spool/asterisk(/.*)?
++.br
++
++.br
++.B asterisk_tmp_t
++
++
++.br
++.B asterisk_tmpfs_t
++
++
++.br
++.B asterisk_var_lib_t
++
++ /var/lib/asterisk(/.*)?
++.br
++
++.br
++.B asterisk_var_run_t
++
++ /var/run/asterisk(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the asterisk_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the asterisk_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), asterisk(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/audisp_remote_selinux.8 b/man/man8/audisp_remote_selinux.8
+new file mode 100644
+index 0000000..e4c6d66
+--- /dev/null
++++ b/man/man8/audisp_remote_selinux.8
+@@ -0,0 +1,119 @@
++.TH "audisp_remote_selinux" "8" "12-11-01" "audisp_remote" "SELinux Policy documentation for audisp_remote"
++.SH "NAME"
++audisp_remote_selinux \- Security Enhanced Linux Policy for the audisp_remote processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the audisp_remote processes via flexible mandatory access control.
++
++The audisp_remote processes execute with the audisp_remote_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep audisp_remote_t
++
++
++.SH "ENTRYPOINTS"
++
++The audisp_remote_t SELinux type can be entered via the "audisp_remote_exec_t" file type. The default entrypoint paths for the audisp_remote_t domain are the following:"
++
++/sbin/audisp-remote, /usr/sbin/audisp-remote
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux audisp_remote policy is very flexible allowing users to setup their audisp_remote processes in as secure a method as possible.
++.PP
++The following process types are defined for audisp_remote:
++
++.EX
++.B audisp_remote_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux audisp_remote policy is very flexible allowing users to setup their audisp_remote processes in as secure a method as possible.
++.PP
++The following file types are defined for audisp_remote:
++
++
++.EX
++.PP
++.B audisp_remote_exec_t
++.EE
++
++- Set files with the audisp_remote_exec_t type, if you want to transition an executable to the audisp_remote_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type audisp_remote_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B audit_spool_t
++
++ /var/spool/audit(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the audisp_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the audisp_remote_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), audisp_remote(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, audisp_selinux(8), audisp_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/audisp_selinux.8 b/man/man8/audisp_selinux.8
+new file mode 100644
+index 0000000..b50bbfe
+--- /dev/null
++++ b/man/man8/audisp_selinux.8
+@@ -0,0 +1,117 @@
++.TH "audisp_selinux" "8" "12-11-01" "audisp" "SELinux Policy documentation for audisp"
++.SH "NAME"
++audisp_selinux \- Security Enhanced Linux Policy for the audisp processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the audisp processes via flexible mandatory access control.
++
++The audisp processes execute with the audisp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep audisp_t
++
++
++.SH "ENTRYPOINTS"
++
++The audisp_t SELinux type can be entered via the "audisp_exec_t" file type. The default entrypoint paths for the audisp_t domain are the following:"
++
++/sbin/audispd, /usr/sbin/audispd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux audisp policy is very flexible allowing users to setup their audisp processes in as secure a method as possible.
++.PP
++The following process types are defined for audisp:
++
++.EX
++.B audisp_remote_t, audisp_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux audisp policy is very flexible allowing users to setup their audisp processes in as secure a method as possible.
++.PP
++The following file types are defined for audisp:
++
++
++.EX
++.PP
++.B audisp_exec_t
++.EE
++
++- Set files with the audisp_exec_t type, if you want to transition an executable to the audisp_t domain.
++
++
++.EX
++.PP
++.B audisp_remote_exec_t
++.EE
++
++- Set files with the audisp_remote_exec_t type, if you want to transition an executable to the audisp_remote_t domain.
++
++
++.EX
++.PP
++.B audisp_var_run_t
++.EE
++
++- Set files with the audisp_var_run_t type, if you want to store the audisp files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the audisp_t, audisp_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the audisp_t, audisp_remote_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), audisp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, audisp_remote_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/auditadm_selinux.8 b/man/man8/auditadm_selinux.8
+new file mode 100644
+index 0000000..42e7075
+--- /dev/null
++++ b/man/man8/auditadm_selinux.8
+@@ -0,0 +1,242 @@
++.TH "auditadm_selinux" "8" "auditadm" "mgrepl@redhat.com" "auditadm SELinux Policy documentation"
++.SH "NAME"
++auditadm_r \- \fBAudit administrator role\fP - Security Enhanced Linux Policy
++
++.SH DESCRIPTION
++
++SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into.
++
++.I Note:
++Examples in this man page will use the
++.B staff_u
++SELinux user.
++
++Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them.
++
++The default type for the auditadm_r role is auditadm_t.
++
++The
++.B newrole
++program to transition directly to this role.
++
++.B newrole -r auditadm_r -t auditadm_t
++
++.B sudo
++is the preferred method to do transition from one role to another. You setup sudo to transition to auditadm_r by adding a similar line to the /etc/sudoers file.
++
++USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
++
++.br
++sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL
++
++When using a a non login role, you need to setup SELinux so that your SELinux user can reach auditadm_r role.
++
++Execute the following to see all of the assigned SELinux roles:
++
++.B semanage user -l
++
++You need to add auditadm_r to the staff_u user. You could setup the staff_u user to be able to use the auditadm_r role with a command like:
++
++.B $ semanage user -m -R 'staff_r system_r auditadm_r' staff_u
++
++
++
++SELinux policy also controls which roles can transition to a different role.
++You can list these rules using the following command.
++
++.B search --role_allow
++
++SELinux policy allows the sysadm_r, secadm_r, staff_r roles can transition to the auditadm_r role.
++
++
++.SH "MANAGED FILES"
++
++The SELinux process type auditadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B auditd_etc_t
++
++ /etc/audit(/.*)?
++.br
++
++.br
++.B auditd_log_t
++
++ /var/log/audit(/.*)?
++.br
++ /var/log/audit\.log
++.br
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B chrome_sandbox_tmpfs_t
++
++
++.br
++.B games_data_t
++
++ /var/games(/.*)?
++.br
++ /var/lib/games(/.*)?
++.br
++
++.br
++.B gpg_agent_tmp_t
++
++ /home/[^/]*/\.gnupg/log-socket
++.br
++ /home/dwalsh/\.gnupg/log-socket
++.br
++ /var/lib/xguest/home/xguest/\.gnupg/log-socket
++.br
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.br
++.B mqueue_spool_t
++
++ /var/spool/(client)?mqueue(/.*)?
++.br
++ /var/spool/mqueue\.in(/.*)?
++.br
++
++.br
++.B nfsd_rw_t
++
++
++.br
++.B noxattrfs
++
++ all files on file systems which do not support extended attributes
++.br
++
++.br
++.B screen_home_t
++
++ /root/\.screen(/.*)?
++.br
++ /home/[^/]*/\.screen(/.*)?
++.br
++ /home/[^/]*/\.screenrc
++.br
++ /home/dwalsh/\.screen(/.*)?
++.br
++ /home/dwalsh/\.screenrc
++.br
++ /var/lib/xguest/home/xguest/\.screen(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.screenrc
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B usbfs_t
++
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B user_home_type
++
++ all user home files
++.br
++
++.br
++.B user_tmp_type
++
++ all user tmp files
++.br
++
++.br
++.B user_tmpfs_type
++
++ all user content in tmpfs file systems
++.br
++
++.br
++.B xdm_tmp_t
++
++ /tmp/\.X11-unix(/.*)?
++.br
++ /tmp/\.ICE-unix(/.*)?
++.br
++ /tmp/\.X0-lock
++.br
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), auditadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/auditctl_selinux.8 b/man/man8/auditctl_selinux.8
+new file mode 100644
+index 0000000..5fea87e
+--- /dev/null
++++ b/man/man8/auditctl_selinux.8
+@@ -0,0 +1,86 @@
++.TH "auditctl_selinux" "8" "12-11-01" "auditctl" "SELinux Policy documentation for auditctl"
++.SH "NAME"
++auditctl_selinux \- Security Enhanced Linux Policy for the auditctl processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the auditctl processes via flexible mandatory access control.
++
++The auditctl processes execute with the auditctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep auditctl_t
++
++
++.SH "ENTRYPOINTS"
++
++The auditctl_t SELinux type can be entered via the "auditctl_exec_t" file type. The default entrypoint paths for the auditctl_t domain are the following:"
++
++/sbin/auditctl, /usr/sbin/auditctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux auditctl policy is very flexible allowing users to setup their auditctl processes in as secure a method as possible.
++.PP
++The following process types are defined for auditctl:
++
++.EX
++.B auditctl_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux auditctl policy is very flexible allowing users to setup their auditctl processes in as secure a method as possible.
++.PP
++The following file types are defined for auditctl:
++
++
++.EX
++.PP
++.B auditctl_exec_t
++.EE
++
++- Set files with the auditctl_exec_t type, if you want to transition an executable to the auditctl_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), auditctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/auditd_selinux.8 b/man/man8/auditd_selinux.8
+new file mode 100644
+index 0000000..d1a4a01
+--- /dev/null
++++ b/man/man8/auditd_selinux.8
+@@ -0,0 +1,201 @@
++.TH "auditd_selinux" "8" "12-11-01" "auditd" "SELinux Policy documentation for auditd"
++.SH "NAME"
++auditd_selinux \- Security Enhanced Linux Policy for the auditd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the auditd processes via flexible mandatory access control.
++
++The auditd processes execute with the auditd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep auditd_t
++
++
++.SH "ENTRYPOINTS"
++
++The auditd_t SELinux type can be entered via the "auditd_exec_t" file type. The default entrypoint paths for the auditd_t domain are the following:"
++
++/sbin/auditd, /usr/sbin/auditd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux auditd policy is very flexible allowing users to setup their auditd processes in as secure a method as possible.
++.PP
++The following process types are defined for auditd:
++
++.EX
++.B auditadm_su_t, auditadm_seunshare_t, auditadm_dbusd_t, auditadm_t, auditadm_sudo_t, auditadm_wine_t, auditadm_screen_t, auditadm_gkeyringd_t, auditd_t, auditctl_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux auditd policy is very flexible allowing users to setup their auditd processes in as secure a method as possible.
++.PP
++The following file types are defined for auditd:
++
++
++.EX
++.PP
++.B auditd_etc_t
++.EE
++
++- Set files with the auditd_etc_t type, if you want to store auditd files in the /etc directories.
++
++
++.EX
++.PP
++.B auditd_exec_t
++.EE
++
++- Set files with the auditd_exec_t type, if you want to transition an executable to the auditd_t domain.
++
++
++.EX
++.PP
++.B auditd_initrc_exec_t
++.EE
++
++- Set files with the auditd_initrc_exec_t type, if you want to transition an executable to the auditd_initrc_t domain.
++
++
++.EX
++.PP
++.B auditd_log_t
++.EE
++
++- Set files with the auditd_log_t type, if you want to treat the data as auditd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B auditd_unit_file_t
++.EE
++
++- Set files with the auditd_unit_file_t type, if you want to treat the files as auditd unit content.
++
++
++.EX
++.PP
++.B auditd_var_run_t
++.EE
++
++- Set files with the auditd_var_run_t type, if you want to store the auditd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux auditd policy is very flexible allowing users to setup their auditd processes in as secure a method as possible.
++.PP
++The following port types are defined for auditd:
++
++.EX
++.TP 5
++.B audit_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 60
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type auditd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B auditd_log_t
++
++ /var/log/audit(/.*)?
++.br
++ /var/log/audit\.log
++.br
++
++.br
++.B auditd_var_run_t
++
++ /var/run/auditd\.pid
++.br
++ /var/run/auditd_sock
++.br
++ /var/run/audit_events
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), auditd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, auditadm_selinux(8), auditctl_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/authconfig_selinux.8 b/man/man8/authconfig_selinux.8
+new file mode 100644
+index 0000000..18ad01b
+--- /dev/null
++++ b/man/man8/authconfig_selinux.8
+@@ -0,0 +1,104 @@
++.TH "authconfig_selinux" "8" "12-11-01" "authconfig" "SELinux Policy documentation for authconfig"
++.SH "NAME"
++authconfig_selinux \- Security Enhanced Linux Policy for the authconfig processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the authconfig processes via flexible mandatory access control.
++
++The authconfig processes execute with the authconfig_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep authconfig_t
++
++
++.SH "ENTRYPOINTS"
++
++The authconfig_t SELinux type can be entered via the "filesystem_type,authconfig_exec_t,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type" file types. The default entrypoint paths for the authconfig_t domain are the following:"
++
++/usr/share/authconfig/authconfig.py, /dev/cpu/mtrr, all files on the system
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux authconfig policy is very flexible allowing users to setup their authconfig processes in as secure a method as possible.
++.PP
++The following process types are defined for authconfig:
++
++.EX
++.B authconfig_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux authconfig policy is very flexible allowing users to setup their authconfig processes in as secure a method as possible.
++.PP
++The following file types are defined for authconfig:
++
++
++.EX
++.PP
++.B authconfig_exec_t
++.EE
++
++- Set files with the authconfig_exec_t type, if you want to transition an executable to the authconfig_t domain.
++
++
++.EX
++.PP
++.B authconfig_var_lib_t
++.EE
++
++- Set files with the authconfig_var_lib_t type, if you want to store the authconfig files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type authconfig_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B file_type
++
++ all files on the system
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), authconfig(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/automount_selinux.8 b/man/man8/automount_selinux.8
+new file mode 100644
+index 0000000..c7bbc5a
+--- /dev/null
++++ b/man/man8/automount_selinux.8
+@@ -0,0 +1,176 @@
++.TH "automount_selinux" "8" "12-11-01" "automount" "SELinux Policy documentation for automount"
++.SH "NAME"
++automount_selinux \- Security Enhanced Linux Policy for the automount processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the automount processes via flexible mandatory access control.
++
++The automount processes execute with the automount_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep automount_t
++
++
++.SH "ENTRYPOINTS"
++
++The automount_t SELinux type can be entered via the "automount_exec_t" file type. The default entrypoint paths for the automount_t domain are the following:"
++
++/usr/sbin/automount, /etc/apm/event\.d/autofs
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux automount policy is very flexible allowing users to setup their automount processes in as secure a method as possible.
++.PP
++The following process types are defined for automount:
++
++.EX
++.B automount_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux automount policy is very flexible allowing users to setup their automount processes in as secure a method as possible.
++.PP
++The following file types are defined for automount:
++
++
++.EX
++.PP
++.B automount_exec_t
++.EE
++
++- Set files with the automount_exec_t type, if you want to transition an executable to the automount_t domain.
++
++
++.EX
++.PP
++.B automount_initrc_exec_t
++.EE
++
++- Set files with the automount_initrc_exec_t type, if you want to transition an executable to the automount_initrc_t domain.
++
++
++.EX
++.PP
++.B automount_keytab_t
++.EE
++
++- Set files with the automount_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B automount_lock_t
++.EE
++
++- Set files with the automount_lock_t type, if you want to treat the files as automount lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B automount_tmp_t
++.EE
++
++- Set files with the automount_tmp_t type, if you want to store automount temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B automount_unit_file_t
++.EE
++
++- Set files with the automount_unit_file_t type, if you want to treat the files as automount unit content.
++
++
++.EX
++.PP
++.B automount_var_run_t
++.EE
++
++- Set files with the automount_var_run_t type, if you want to store the automount files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type automount_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B automount_lock_t
++
++
++.br
++.B automount_tmp_t
++
++
++.br
++.B automount_var_run_t
++
++ /var/run/autofs.*
++.br
++
++.br
++.B samba_var_t
++
++ /var/lib/samba(/.*)?
++.br
++ /var/cache/samba(/.*)?
++.br
++ /var/spool/samba(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the automount_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the automount_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), automount(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/avahi_selinux.8 b/man/man8/avahi_selinux.8
+new file mode 100644
+index 0000000..e4baa1f
+--- /dev/null
++++ b/man/man8/avahi_selinux.8
+@@ -0,0 +1,196 @@
++.TH "avahi_selinux" "8" "12-11-01" "avahi" "SELinux Policy documentation for avahi"
++.SH "NAME"
++avahi_selinux \- Security Enhanced Linux Policy for the avahi processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the avahi processes via flexible mandatory access control.
++
++The avahi processes execute with the avahi_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep avahi_t
++
++
++.SH "ENTRYPOINTS"
++
++The avahi_t SELinux type can be entered via the "avahi_exec_t" file type. The default entrypoint paths for the avahi_t domain are the following:"
++
++/usr/sbin/avahi-daemon, /usr/sbin/avahi-autoipd, /usr/sbin/avahi-dnsconfd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux avahi policy is very flexible allowing users to setup their avahi processes in as secure a method as possible.
++.PP
++The following process types are defined for avahi:
++
++.EX
++.B avahi_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. avahi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run avahi with the tightest access possible.
++
++
++.PP
++If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean.
++
++.EX
++.B setsebool -P httpd_dbus_avahi 1
++.EE
++
++.PP
++If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean.
++
++.EX
++.B setsebool -P httpd_dbus_avahi 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux avahi policy is very flexible allowing users to setup their avahi processes in as secure a method as possible.
++.PP
++The following file types are defined for avahi:
++
++
++.EX
++.PP
++.B avahi_exec_t
++.EE
++
++- Set files with the avahi_exec_t type, if you want to transition an executable to the avahi_t domain.
++
++
++.EX
++.PP
++.B avahi_initrc_exec_t
++.EE
++
++- Set files with the avahi_initrc_exec_t type, if you want to transition an executable to the avahi_initrc_t domain.
++
++
++.EX
++.PP
++.B avahi_unit_file_t
++.EE
++
++- Set files with the avahi_unit_file_t type, if you want to treat the files as avahi unit content.
++
++
++.EX
++.PP
++.B avahi_var_lib_t
++.EE
++
++- Set files with the avahi_var_lib_t type, if you want to store the avahi files under the /var/lib directory.
++
++
++.EX
++.PP
++.B avahi_var_run_t
++.EE
++
++- Set files with the avahi_var_run_t type, if you want to store the avahi files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type avahi_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B avahi_var_lib_t
++
++ /var/lib/avahi-autoipd(/.*)?
++.br
++
++.br
++.B avahi_var_run_t
++
++ /var/run/avahi-daemon(/.*)?
++.br
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the avahi_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the avahi_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), avahi(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/awstats_selinux.8 b/man/man8/awstats_selinux.8
+new file mode 100644
+index 0000000..cffff58
+--- /dev/null
++++ b/man/man8/awstats_selinux.8
+@@ -0,0 +1,116 @@
++.TH "awstats_selinux" "8" "12-11-01" "awstats" "SELinux Policy documentation for awstats"
++.SH "NAME"
++awstats_selinux \- Security Enhanced Linux Policy for the awstats processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the awstats processes via flexible mandatory access control.
++
++The awstats processes execute with the awstats_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep awstats_t
++
++
++.SH "ENTRYPOINTS"
++
++The awstats_t SELinux type can be entered via the "awstats_exec_t" file type. The default entrypoint paths for the awstats_t domain are the following:"
++
++/usr/share/awstats/tools/.+\.pl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux awstats policy is very flexible allowing users to setup their awstats processes in as secure a method as possible.
++.PP
++The following process types are defined for awstats:
++
++.EX
++.B awstats_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux awstats policy is very flexible allowing users to setup their awstats processes in as secure a method as possible.
++.PP
++The following file types are defined for awstats:
++
++
++.EX
++.PP
++.B awstats_exec_t
++.EE
++
++- Set files with the awstats_exec_t type, if you want to transition an executable to the awstats_t domain.
++
++
++.EX
++.PP
++.B awstats_tmp_t
++.EE
++
++- Set files with the awstats_tmp_t type, if you want to store awstats temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B awstats_var_lib_t
++.EE
++
++- Set files with the awstats_var_lib_t type, if you want to store the awstats files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type awstats_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B awstats_tmp_t
++
++
++.br
++.B awstats_var_lib_t
++
++ /var/lib/awstats(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), awstats(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/bcfg2_selinux.8 b/man/man8/bcfg2_selinux.8
+new file mode 100644
+index 0000000..792558d
+--- /dev/null
++++ b/man/man8/bcfg2_selinux.8
+@@ -0,0 +1,148 @@
++.TH "bcfg2_selinux" "8" "12-11-01" "bcfg2" "SELinux Policy documentation for bcfg2"
++.SH "NAME"
++bcfg2_selinux \- Security Enhanced Linux Policy for the bcfg2 processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the bcfg2 processes via flexible mandatory access control.
++
++The bcfg2 processes execute with the bcfg2_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep bcfg2_t
++
++
++.SH "ENTRYPOINTS"
++
++The bcfg2_t SELinux type can be entered via the "bcfg2_exec_t" file type. The default entrypoint paths for the bcfg2_t domain are the following:"
++
++/usr/sbin/bcfg2-server
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux bcfg2 policy is very flexible allowing users to setup their bcfg2 processes in as secure a method as possible.
++.PP
++The following process types are defined for bcfg2:
++
++.EX
++.B bcfg2_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux bcfg2 policy is very flexible allowing users to setup their bcfg2 processes in as secure a method as possible.
++.PP
++The following file types are defined for bcfg2:
++
++
++.EX
++.PP
++.B bcfg2_exec_t
++.EE
++
++- Set files with the bcfg2_exec_t type, if you want to transition an executable to the bcfg2_t domain.
++
++
++.EX
++.PP
++.B bcfg2_initrc_exec_t
++.EE
++
++- Set files with the bcfg2_initrc_exec_t type, if you want to transition an executable to the bcfg2_initrc_t domain.
++
++
++.EX
++.PP
++.B bcfg2_unit_file_t
++.EE
++
++- Set files with the bcfg2_unit_file_t type, if you want to treat the files as bcfg2 unit content.
++
++
++.EX
++.PP
++.B bcfg2_var_lib_t
++.EE
++
++- Set files with the bcfg2_var_lib_t type, if you want to store the bcfg2 files under the /var/lib directory.
++
++
++.EX
++.PP
++.B bcfg2_var_run_t
++.EE
++
++- Set files with the bcfg2_var_run_t type, if you want to store the bcfg2 files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type bcfg2_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B bcfg2_var_lib_t
++
++ /var/lib/bcfg2(/.*)?
++.br
++
++.br
++.B bcfg2_var_run_t
++
++ /var/run/bcfg2-server\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bcfg2_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the bcfg2_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), bcfg2(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/bitlbee_selinux.8 b/man/man8/bitlbee_selinux.8
+new file mode 100644
+index 0000000..26fda6e
+--- /dev/null
++++ b/man/man8/bitlbee_selinux.8
+@@ -0,0 +1,178 @@
++.TH "bitlbee_selinux" "8" "12-11-01" "bitlbee" "SELinux Policy documentation for bitlbee"
++.SH "NAME"
++bitlbee_selinux \- Security Enhanced Linux Policy for the bitlbee processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the bitlbee processes via flexible mandatory access control.
++
++The bitlbee processes execute with the bitlbee_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep bitlbee_t
++
++
++.SH "ENTRYPOINTS"
++
++The bitlbee_t SELinux type can be entered via the "bitlbee_exec_t" file type. The default entrypoint paths for the bitlbee_t domain are the following:"
++
++/usr/bin/bip, /usr/sbin/bitlbee
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux bitlbee policy is very flexible allowing users to setup their bitlbee processes in as secure a method as possible.
++.PP
++The following process types are defined for bitlbee:
++
++.EX
++.B bitlbee_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux bitlbee policy is very flexible allowing users to setup their bitlbee processes in as secure a method as possible.
++.PP
++The following file types are defined for bitlbee:
++
++
++.EX
++.PP
++.B bitlbee_conf_t
++.EE
++
++- Set files with the bitlbee_conf_t type, if you want to treat the files as bitlbee configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B bitlbee_exec_t
++.EE
++
++- Set files with the bitlbee_exec_t type, if you want to transition an executable to the bitlbee_t domain.
++
++
++.EX
++.PP
++.B bitlbee_initrc_exec_t
++.EE
++
++- Set files with the bitlbee_initrc_exec_t type, if you want to transition an executable to the bitlbee_initrc_t domain.
++
++
++.EX
++.PP
++.B bitlbee_log_t
++.EE
++
++- Set files with the bitlbee_log_t type, if you want to treat the data as bitlbee log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B bitlbee_tmp_t
++.EE
++
++- Set files with the bitlbee_tmp_t type, if you want to store bitlbee temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B bitlbee_var_run_t
++.EE
++
++- Set files with the bitlbee_var_run_t type, if you want to store the bitlbee files under the /run directory.
++
++
++.EX
++.PP
++.B bitlbee_var_t
++.EE
++
++- Set files with the bitlbee_var_t type, if you want to store the bit files under the /var directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type bitlbee_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B bitlbee_log_t
++
++ /var/log/bip(/.*)?
++.br
++
++.br
++.B bitlbee_tmp_t
++
++
++.br
++.B bitlbee_var_run_t
++
++ /var/run/bip(/.*)?
++.br
++ /var/run/bitlbee\.pid
++.br
++ /var/run/bitlbee\.sock
++.br
++
++.br
++.B bitlbee_var_t
++
++ /var/lib/bitlbee(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bitlbee_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the bitlbee_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), bitlbee(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/blktap_selinux.8 b/man/man8/blktap_selinux.8
+new file mode 100644
+index 0000000..8a96343
+--- /dev/null
++++ b/man/man8/blktap_selinux.8
+@@ -0,0 +1,116 @@
++.TH "blktap_selinux" "8" "12-11-01" "blktap" "SELinux Policy documentation for blktap"
++.SH "NAME"
++blktap_selinux \- Security Enhanced Linux Policy for the blktap processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the blktap processes via flexible mandatory access control.
++
++The blktap processes execute with the blktap_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep blktap_t
++
++
++.SH "ENTRYPOINTS"
++
++The blktap_t SELinux type can be entered via the "blktap_exec_t" file type. The default entrypoint paths for the blktap_t domain are the following:"
++
++/usr/sbin/tapdisk, /usr/sbin/blktapctrl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux blktap policy is very flexible allowing users to setup their blktap processes in as secure a method as possible.
++.PP
++The following process types are defined for blktap:
++
++.EX
++.B blktap_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. blktap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run blktap with the tightest access possible.
++
++
++.PP
++If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean.
++
++.EX
++.B setsebool -P xend_run_blktap 1
++.EE
++
++.PP
++If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean.
++
++.EX
++.B setsebool -P xend_run_blktap 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux blktap policy is very flexible allowing users to setup their blktap processes in as secure a method as possible.
++.PP
++The following file types are defined for blktap:
++
++
++.EX
++.PP
++.B blktap_exec_t
++.EE
++
++- Set files with the blktap_exec_t type, if you want to transition an executable to the blktap_t domain.
++
++
++.EX
++.PP
++.B blktap_var_run_t
++.EE
++
++- Set files with the blktap_var_run_t type, if you want to store the blktap files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), blktap(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/blueman_selinux.8 b/man/man8/blueman_selinux.8
+new file mode 100644
+index 0000000..4098061
+--- /dev/null
++++ b/man/man8/blueman_selinux.8
+@@ -0,0 +1,118 @@
++.TH "blueman_selinux" "8" "12-11-01" "blueman" "SELinux Policy documentation for blueman"
++.SH "NAME"
++blueman_selinux \- Security Enhanced Linux Policy for the blueman processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the blueman processes via flexible mandatory access control.
++
++The blueman processes execute with the blueman_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep blueman_t
++
++
++.SH "ENTRYPOINTS"
++
++The blueman_t SELinux type can be entered via the "blueman_exec_t" file type. The default entrypoint paths for the blueman_t domain are the following:"
++
++/usr/libexec/blueman-mechanism
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux blueman policy is very flexible allowing users to setup their blueman processes in as secure a method as possible.
++.PP
++The following process types are defined for blueman:
++
++.EX
++.B blueman_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux blueman policy is very flexible allowing users to setup their blueman processes in as secure a method as possible.
++.PP
++The following file types are defined for blueman:
++
++
++.EX
++.PP
++.B blueman_exec_t
++.EE
++
++- Set files with the blueman_exec_t type, if you want to transition an executable to the blueman_t domain.
++
++
++.EX
++.PP
++.B blueman_var_lib_t
++.EE
++
++- Set files with the blueman_var_lib_t type, if you want to store the blueman files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type blueman_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B blueman_var_lib_t
++
++ /var/lib/blueman(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the blueman_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the blueman_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), blueman(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/bluetooth_helper_selinux.8 b/man/man8/bluetooth_helper_selinux.8
+new file mode 100644
+index 0000000..2fa6a79
+--- /dev/null
++++ b/man/man8/bluetooth_helper_selinux.8
+@@ -0,0 +1,157 @@
++.TH "bluetooth_helper_selinux" "8" "12-11-01" "bluetooth_helper" "SELinux Policy documentation for bluetooth_helper"
++.SH "NAME"
++bluetooth_helper_selinux \- Security Enhanced Linux Policy for the bluetooth_helper processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the bluetooth_helper processes via flexible mandatory access control.
++
++The bluetooth_helper processes execute with the bluetooth_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep bluetooth_helper_t
++
++
++.SH "ENTRYPOINTS"
++
++The bluetooth_helper_t SELinux type can be entered via the "bluetooth_helper_exec_t" file type. The default entrypoint paths for the bluetooth_helper_t domain are the following:"
++
++/usr/bin/blue.*pin
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux bluetooth_helper policy is very flexible allowing users to setup their bluetooth_helper processes in as secure a method as possible.
++.PP
++The following process types are defined for bluetooth_helper:
++
++.EX
++.B bluetooth_helper_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux bluetooth_helper policy is very flexible allowing users to setup their bluetooth_helper processes in as secure a method as possible.
++.PP
++The following file types are defined for bluetooth_helper:
++
++
++.EX
++.PP
++.B bluetooth_helper_exec_t
++.EE
++
++- Set files with the bluetooth_helper_exec_t type, if you want to transition an executable to the bluetooth_helper_t domain.
++
++
++.EX
++.PP
++.B bluetooth_helper_tmp_t
++.EE
++
++- Set files with the bluetooth_helper_tmp_t type, if you want to store bluetooth helper temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B bluetooth_helper_tmpfs_t
++.EE
++
++- Set files with the bluetooth_helper_tmpfs_t type, if you want to store bluetooth helper files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type bluetooth_helper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B bluetooth_helper_tmp_t
++
++
++.br
++.B bluetooth_helper_tmpfs_t
++
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bluetooth_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the bluetooth_helper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), bluetooth_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, bluetooth_selinux(8), bluetooth_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/bluetooth_selinux.8 b/man/man8/bluetooth_selinux.8
+new file mode 100644
+index 0000000..3432420
+--- /dev/null
++++ b/man/man8/bluetooth_selinux.8
+@@ -0,0 +1,246 @@
++.TH "bluetooth_selinux" "8" "12-11-01" "bluetooth" "SELinux Policy documentation for bluetooth"
++.SH "NAME"
++bluetooth_selinux \- Security Enhanced Linux Policy for the bluetooth processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the bluetooth processes via flexible mandatory access control.
++
++The bluetooth processes execute with the bluetooth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep bluetooth_t
++
++
++.SH "ENTRYPOINTS"
++
++The bluetooth_t SELinux type can be entered via the "bluetooth_exec_t" file type. The default entrypoint paths for the bluetooth_t domain are the following:"
++
++/usr/bin/dund, /usr/bin/hidd, /usr/sbin/hcid, /usr/sbin/sdpd, /usr/bin/rfcomm, /usr/sbin/hid2hci, /usr/sbin/hciattach, /usr/sbin/bluetoothd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux bluetooth policy is very flexible allowing users to setup their bluetooth processes in as secure a method as possible.
++.PP
++The following process types are defined for bluetooth:
++
++.EX
++.B bluetooth_helper_t, bluetooth_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. bluetooth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bluetooth with the tightest access possible.
++
++
++.PP
++If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
++
++.EX
++.B setsebool -P xguest_use_bluetooth 1
++.EE
++
++.PP
++If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
++
++.EX
++.B setsebool -P xguest_use_bluetooth 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux bluetooth policy is very flexible allowing users to setup their bluetooth processes in as secure a method as possible.
++.PP
++The following file types are defined for bluetooth:
++
++
++.EX
++.PP
++.B bluetooth_conf_rw_t
++.EE
++
++- Set files with the bluetooth_conf_rw_t type, if you want to treat the files as bluetooth conf read/write content.
++
++
++.EX
++.PP
++.B bluetooth_conf_t
++.EE
++
++- Set files with the bluetooth_conf_t type, if you want to treat the files as bluetooth configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B bluetooth_exec_t
++.EE
++
++- Set files with the bluetooth_exec_t type, if you want to transition an executable to the bluetooth_t domain.
++
++
++.EX
++.PP
++.B bluetooth_helper_exec_t
++.EE
++
++- Set files with the bluetooth_helper_exec_t type, if you want to transition an executable to the bluetooth_helper_t domain.
++
++
++.EX
++.PP
++.B bluetooth_helper_tmp_t
++.EE
++
++- Set files with the bluetooth_helper_tmp_t type, if you want to store bluetooth helper temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B bluetooth_helper_tmpfs_t
++.EE
++
++- Set files with the bluetooth_helper_tmpfs_t type, if you want to store bluetooth helper files on a tmpfs file system.
++
++
++.EX
++.PP
++.B bluetooth_initrc_exec_t
++.EE
++
++- Set files with the bluetooth_initrc_exec_t type, if you want to transition an executable to the bluetooth_initrc_t domain.
++
++
++.EX
++.PP
++.B bluetooth_lock_t
++.EE
++
++- Set files with the bluetooth_lock_t type, if you want to treat the files as bluetooth lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B bluetooth_tmp_t
++.EE
++
++- Set files with the bluetooth_tmp_t type, if you want to store bluetooth temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B bluetooth_unit_file_t
++.EE
++
++- Set files with the bluetooth_unit_file_t type, if you want to treat the files as bluetooth unit content.
++
++
++.EX
++.PP
++.B bluetooth_var_lib_t
++.EE
++
++- Set files with the bluetooth_var_lib_t type, if you want to store the bluetooth files under the /var/lib directory.
++
++
++.EX
++.PP
++.B bluetooth_var_run_t
++.EE
++
++- Set files with the bluetooth_var_run_t type, if you want to store the bluetooth files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type bluetooth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B bluetooth_conf_rw_t
++
++ /etc/bluetooth/link_key
++.br
++
++.br
++.B bluetooth_lock_t
++
++
++.br
++.B bluetooth_tmp_t
++
++
++.br
++.B bluetooth_var_lib_t
++
++ /var/lib/bluetooth(/.*)?
++.br
++
++.br
++.B bluetooth_var_run_t
++
++ /var/run/sdp
++.br
++ /var/run/bluetoothd_address
++.br
++
++.br
++.B usbfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bluetooth_t, bluetooth_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the bluetooth_t, bluetooth_helper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), bluetooth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), bluetooth_helper_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/boinc_selinux.8 b/man/man8/boinc_selinux.8
+new file mode 100644
+index 0000000..138247a
+--- /dev/null
++++ b/man/man8/boinc_selinux.8
+@@ -0,0 +1,219 @@
++.TH "boinc_selinux" "8" "12-11-01" "boinc" "SELinux Policy documentation for boinc"
++.SH "NAME"
++boinc_selinux \- Security Enhanced Linux Policy for the boinc processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the boinc processes via flexible mandatory access control.
++
++The boinc processes execute with the boinc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep boinc_t
++
++
++.SH "ENTRYPOINTS"
++
++The boinc_t SELinux type can be entered via the "boinc_exec_t" file type. The default entrypoint paths for the boinc_t domain are the following:"
++
++/usr/bin/boinc_client
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible.
++.PP
++The following process types are defined for boinc:
++
++.EX
++.B boinc_t, boinc_project_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible.
++.PP
++The following file types are defined for boinc:
++
++
++.EX
++.PP
++.B boinc_exec_t
++.EE
++
++- Set files with the boinc_exec_t type, if you want to transition an executable to the boinc_t domain.
++
++
++.EX
++.PP
++.B boinc_initrc_exec_t
++.EE
++
++- Set files with the boinc_initrc_exec_t type, if you want to transition an executable to the boinc_initrc_t domain.
++
++
++.EX
++.PP
++.B boinc_log_t
++.EE
++
++- Set files with the boinc_log_t type, if you want to treat the data as boinc log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B boinc_project_tmp_t
++.EE
++
++- Set files with the boinc_project_tmp_t type, if you want to store boinc project temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B boinc_project_var_lib_t
++.EE
++
++- Set files with the boinc_project_var_lib_t type, if you want to store the boinc project files under the /var/lib directory.
++
++
++.EX
++.PP
++.B boinc_tmp_t
++.EE
++
++- Set files with the boinc_tmp_t type, if you want to store boinc temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B boinc_tmpfs_t
++.EE
++
++- Set files with the boinc_tmpfs_t type, if you want to store boinc files on a tmpfs file system.
++
++
++.EX
++.PP
++.B boinc_unit_file_t
++.EE
++
++- Set files with the boinc_unit_file_t type, if you want to treat the files as boinc unit content.
++
++
++.EX
++.PP
++.B boinc_var_lib_t
++.EE
++
++- Set files with the boinc_var_lib_t type, if you want to store the boinc files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible.
++.PP
++The following port types are defined for boinc:
++
++.EX
++.TP 5
++.B boinc_client_ctrl_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 1043
++.EE
++
++.EX
++.TP 5
++.B boinc_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 31416
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type boinc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B boinc_log_t
++
++ /var/log/boinc\.log.*
++.br
++
++.br
++.B boinc_project_var_lib_t
++
++ /var/lib/boinc/slots(/.*)?
++.br
++ /var/lib/boinc/projects(/.*)?
++.br
++
++.br
++.B boinc_tmp_t
++
++
++.br
++.B boinc_tmpfs_t
++
++
++.br
++.B boinc_var_lib_t
++
++ /var/lib/boinc(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), boinc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/bootloader_selinux.8 b/man/man8/bootloader_selinux.8
+new file mode 100644
+index 0000000..0e127fd
+--- /dev/null
++++ b/man/man8/bootloader_selinux.8
+@@ -0,0 +1,306 @@
++.TH "bootloader_selinux" "8" "12-11-01" "bootloader" "SELinux Policy documentation for bootloader"
++.SH "NAME"
++bootloader_selinux \- Security Enhanced Linux Policy for the bootloader processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the bootloader processes via flexible mandatory access control.
++
++The bootloader processes execute with the bootloader_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep bootloader_t
++
++
++.SH "ENTRYPOINTS"
++
++The bootloader_t SELinux type can be entered via the "bootloader_exec_t" file type. The default entrypoint paths for the bootloader_t domain are the following:"
++
++/sbin/grub.*, /sbin/lilo.*, /sbin/ybin.*, /usr/sbin/grub.*, /usr/sbin/lilo.*, /usr/sbin/ybin.*, /sbin/zipl, /usr/sbin/zipl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux bootloader policy is very flexible allowing users to setup their bootloader processes in as secure a method as possible.
++.PP
++The following process types are defined for bootloader:
++
++.EX
++.B bootloader_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. bootloader policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bootloader with the tightest access possible.
++
++
++.PP
++If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean.
++
++.EX
++.B setsebool -P xdm_exec_bootloader 1
++.EE
++
++.PP
++If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean.
++
++.EX
++.B setsebool -P xdm_exec_bootloader 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux bootloader policy is very flexible allowing users to setup their bootloader processes in as secure a method as possible.
++.PP
++The following file types are defined for bootloader:
++
++
++.EX
++.PP
++.B bootloader_etc_t
++.EE
++
++- Set files with the bootloader_etc_t type, if you want to store bootloader files in the /etc directories.
++
++
++.EX
++.PP
++.B bootloader_exec_t
++.EE
++
++- Set files with the bootloader_exec_t type, if you want to transition an executable to the bootloader_t domain.
++
++
++.EX
++.PP
++.B bootloader_tmp_t
++.EE
++
++- Set files with the bootloader_tmp_t type, if you want to store bootloader temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B bootloader_var_lib_t
++.EE
++
++- Set files with the bootloader_var_lib_t type, if you want to store the bootloader files under the /var/lib directory.
++
++
++.EX
++.PP
++.B bootloader_var_run_t
++.EE
++
++- Set files with the bootloader_var_run_t type, if you want to store the bootloader files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type bootloader_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B boot_t
++
++ /boot/.*
++.br
++ /vmlinuz.*
++.br
++ /initrd\.img.*
++.br
++ /boot
++.br
++
++.br
++.B bootloader_tmp_t
++
++
++.br
++.B bootloader_var_lib_t
++
++ /var/lib/os-prober(/.*)?
++.br
++
++.br
++.B bootloader_var_run_t
++
++
++.br
++.B dosfs_t
++
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B file_t
++
++
++.br
++.B fsadm_var_run_t
++
++ /var/run/blkid(/.*)?
++.br
++
++.br
++.B modules_object_t
++
++ /lib/modules(/.*)?
++.br
++ /usr/lib/modules(/.*)?
++.br
++
++.br
++.B var_log_t
++
++ /var/log/.*
++.br
++ /nsr/logs(/.*)?
++.br
++ /var/webmin(/.*)?
++.br
++ /var/log/cron[^/]*
++.br
++ /var/log/secure[^/]*
++.br
++ /opt/zimbra/log(/.*)?
++.br
++ /var/log/maillog[^/]*
++.br
++ /var/log/spooler[^/]*
++.br
++ /var/log/messages[^/]*
++.br
++ /usr/centreon/log(/.*)?
++.br
++ /var/spool/rsyslog(/.*)?
++.br
++ /var/axfrdns/log/main(/.*)?
++.br
++ /var/spool/bacula/log(/.*)?
++.br
++ /var/tinydns/log/main(/.*)?
++.br
++ /var/dnscache/log/main(/.*)?
++.br
++ /var/stockmaniac/templates_cache(/.*)?
++.br
++ /opt/Symantec/scspagent/IDS/system(/.*)?
++.br
++ /var/log
++.br
++ /var/log/dmesg
++.br
++ /var/log/syslog
++.br
++ /var/named/chroot/var/log
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bootloader_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the bootloader_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), bootloader(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/brctl_selinux.8 b/man/man8/brctl_selinux.8
+new file mode 100644
+index 0000000..454e06c
+--- /dev/null
++++ b/man/man8/brctl_selinux.8
+@@ -0,0 +1,96 @@
++.TH "brctl_selinux" "8" "12-11-01" "brctl" "SELinux Policy documentation for brctl"
++.SH "NAME"
++brctl_selinux \- Security Enhanced Linux Policy for the brctl processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the brctl processes via flexible mandatory access control.
++
++The brctl processes execute with the brctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep brctl_t
++
++
++.SH "ENTRYPOINTS"
++
++The brctl_t SELinux type can be entered via the "brctl_exec_t" file type. The default entrypoint paths for the brctl_t domain are the following:"
++
++/usr/sbin/brctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux brctl policy is very flexible allowing users to setup their brctl processes in as secure a method as possible.
++.PP
++The following process types are defined for brctl:
++
++.EX
++.B brctl_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux brctl policy is very flexible allowing users to setup their brctl processes in as secure a method as possible.
++.PP
++The following file types are defined for brctl:
++
++
++.EX
++.PP
++.B brctl_exec_t
++.EE
++
++- Set files with the brctl_exec_t type, if you want to transition an executable to the brctl_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type brctl_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), brctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/cachefilesd_selinux.8 b/man/man8/cachefilesd_selinux.8
+new file mode 100644
+index 0000000..f337f15
+--- /dev/null
++++ b/man/man8/cachefilesd_selinux.8
+@@ -0,0 +1,112 @@
++.TH "cachefilesd_selinux" "8" "12-11-01" "cachefilesd" "SELinux Policy documentation for cachefilesd"
++.SH "NAME"
++cachefilesd_selinux \- Security Enhanced Linux Policy for the cachefilesd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cachefilesd processes via flexible mandatory access control.
++
++The cachefilesd processes execute with the cachefilesd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cachefilesd_t
++
++
++.SH "ENTRYPOINTS"
++
++The cachefilesd_t SELinux type can be entered via the "cachefilesd_exec_t" file type. The default entrypoint paths for the cachefilesd_t domain are the following:"
++
++/sbin/cachefilesd, /usr/sbin/cachefilesd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cachefilesd policy is very flexible allowing users to setup their cachefilesd processes in as secure a method as possible.
++.PP
++The following process types are defined for cachefilesd:
++
++.EX
++.B cachefilesd_t, cachefiles_kernel_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cachefilesd policy is very flexible allowing users to setup their cachefilesd processes in as secure a method as possible.
++.PP
++The following file types are defined for cachefilesd:
++
++
++.EX
++.PP
++.B cachefilesd_exec_t
++.EE
++
++- Set files with the cachefilesd_exec_t type, if you want to transition an executable to the cachefilesd_t domain.
++
++
++.EX
++.PP
++.B cachefilesd_var_run_t
++.EE
++
++- Set files with the cachefilesd_var_run_t type, if you want to store the cachefilesd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cachefilesd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cachefiles_var_t
++
++ /var/fscache(/.*)?
++.br
++ /var/cache/fscache(/.*)?
++.br
++
++.br
++.B cachefilesd_var_run_t
++
++ /var/run/cachefilesd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cachefilesd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/calamaris_selinux.8 b/man/man8/calamaris_selinux.8
+new file mode 100644
+index 0000000..e3eb81f
+--- /dev/null
++++ b/man/man8/calamaris_selinux.8
+@@ -0,0 +1,132 @@
++.TH "calamaris_selinux" "8" "12-11-01" "calamaris" "SELinux Policy documentation for calamaris"
++.SH "NAME"
++calamaris_selinux \- Security Enhanced Linux Policy for the calamaris processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the calamaris processes via flexible mandatory access control.
++
++The calamaris processes execute with the calamaris_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep calamaris_t
++
++
++.SH "ENTRYPOINTS"
++
++The calamaris_t SELinux type can be entered via the "calamaris_exec_t" file type. The default entrypoint paths for the calamaris_t domain are the following:"
++
++/etc/cron\.daily/calamaris
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux calamaris policy is very flexible allowing users to setup their calamaris processes in as secure a method as possible.
++.PP
++The following process types are defined for calamaris:
++
++.EX
++.B calamaris_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux calamaris policy is very flexible allowing users to setup their calamaris processes in as secure a method as possible.
++.PP
++The following file types are defined for calamaris:
++
++
++.EX
++.PP
++.B calamaris_exec_t
++.EE
++
++- Set files with the calamaris_exec_t type, if you want to transition an executable to the calamaris_t domain.
++
++
++.EX
++.PP
++.B calamaris_log_t
++.EE
++
++- Set files with the calamaris_log_t type, if you want to treat the data as calamaris log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B calamaris_www_t
++.EE
++
++- Set files with the calamaris_www_t type, if you want to treat the files as calamaris www data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type calamaris_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B calamaris_log_t
++
++ /var/log/calamaris(/.*)?
++.br
++
++.br
++.B calamaris_www_t
++
++ /var/www/calamaris(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the calamaris_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the calamaris_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), calamaris(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/callweaver_selinux.8 b/man/man8/callweaver_selinux.8
+new file mode 100644
+index 0000000..b1ebf14
+--- /dev/null
++++ b/man/man8/callweaver_selinux.8
+@@ -0,0 +1,168 @@
++.TH "callweaver_selinux" "8" "12-11-01" "callweaver" "SELinux Policy documentation for callweaver"
++.SH "NAME"
++callweaver_selinux \- Security Enhanced Linux Policy for the callweaver processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the callweaver processes via flexible mandatory access control.
++
++The callweaver processes execute with the callweaver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep callweaver_t
++
++
++.SH "ENTRYPOINTS"
++
++The callweaver_t SELinux type can be entered via the "callweaver_exec_t" file type. The default entrypoint paths for the callweaver_t domain are the following:"
++
++/usr/sbin/callweaver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux callweaver policy is very flexible allowing users to setup their callweaver processes in as secure a method as possible.
++.PP
++The following process types are defined for callweaver:
++
++.EX
++.B callweaver_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux callweaver policy is very flexible allowing users to setup their callweaver processes in as secure a method as possible.
++.PP
++The following file types are defined for callweaver:
++
++
++.EX
++.PP
++.B callweaver_exec_t
++.EE
++
++- Set files with the callweaver_exec_t type, if you want to transition an executable to the callweaver_t domain.
++
++
++.EX
++.PP
++.B callweaver_initrc_exec_t
++.EE
++
++- Set files with the callweaver_initrc_exec_t type, if you want to transition an executable to the callweaver_initrc_t domain.
++
++
++.EX
++.PP
++.B callweaver_log_t
++.EE
++
++- Set files with the callweaver_log_t type, if you want to treat the data as callweaver log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B callweaver_spool_t
++.EE
++
++- Set files with the callweaver_spool_t type, if you want to store the callweaver files under the /var/spool directory.
++
++
++.EX
++.PP
++.B callweaver_var_lib_t
++.EE
++
++- Set files with the callweaver_var_lib_t type, if you want to store the callweaver files under the /var/lib directory.
++
++
++.EX
++.PP
++.B callweaver_var_run_t
++.EE
++
++- Set files with the callweaver_var_run_t type, if you want to store the callweaver files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type callweaver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B callweaver_log_t
++
++ /var/log/callweaver(/.*)?
++.br
++
++.br
++.B callweaver_spool_t
++
++ /var/spool/callweaver(/.*)?
++.br
++
++.br
++.B callweaver_var_lib_t
++
++ /var/lib/callweaver(/.*)?
++.br
++
++.br
++.B callweaver_var_run_t
++
++ /var/run/callweaver(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the callweaver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the callweaver_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), callweaver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/canna_selinux.8 b/man/man8/canna_selinux.8
+new file mode 100644
+index 0000000..73d7f2a
+--- /dev/null
++++ b/man/man8/canna_selinux.8
+@@ -0,0 +1,148 @@
++.TH "canna_selinux" "8" "12-11-01" "canna" "SELinux Policy documentation for canna"
++.SH "NAME"
++canna_selinux \- Security Enhanced Linux Policy for the canna processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the canna processes via flexible mandatory access control.
++
++The canna processes execute with the canna_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep canna_t
++
++
++.SH "ENTRYPOINTS"
++
++The canna_t SELinux type can be entered via the "canna_exec_t" file type. The default entrypoint paths for the canna_t domain are the following:"
++
++/usr/bin/catdic, /usr/sbin/jserver, /usr/bin/cannaping, /usr/sbin/cannaserver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux canna policy is very flexible allowing users to setup their canna processes in as secure a method as possible.
++.PP
++The following process types are defined for canna:
++
++.EX
++.B canna_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux canna policy is very flexible allowing users to setup their canna processes in as secure a method as possible.
++.PP
++The following file types are defined for canna:
++
++
++.EX
++.PP
++.B canna_exec_t
++.EE
++
++- Set files with the canna_exec_t type, if you want to transition an executable to the canna_t domain.
++
++
++.EX
++.PP
++.B canna_initrc_exec_t
++.EE
++
++- Set files with the canna_initrc_exec_t type, if you want to transition an executable to the canna_initrc_t domain.
++
++
++.EX
++.PP
++.B canna_log_t
++.EE
++
++- Set files with the canna_log_t type, if you want to treat the data as canna log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B canna_var_lib_t
++.EE
++
++- Set files with the canna_var_lib_t type, if you want to store the canna files under the /var/lib directory.
++
++
++.EX
++.PP
++.B canna_var_run_t
++.EE
++
++- Set files with the canna_var_run_t type, if you want to store the canna files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type canna_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B canna_log_t
++
++ /var/log/wnn(/.*)?
++.br
++ /var/log/canna(/.*)?
++.br
++
++.br
++.B canna_var_lib_t
++
++ /var/lib/wnn/dic(/.*)?
++.br
++ /var/lib/canna/dic(/.*)?
++.br
++
++.br
++.B canna_var_run_t
++
++ /var/run/wnn-unix(/.*)?
++.br
++ /var/run/\.iroha_unix/.*
++.br
++ /var/run/\.iroha_unix
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), canna(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/cardmgr_selinux.8 b/man/man8/cardmgr_selinux.8
+new file mode 100644
+index 0000000..8fccf2f
+--- /dev/null
++++ b/man/man8/cardmgr_selinux.8
+@@ -0,0 +1,162 @@
++.TH "cardmgr_selinux" "8" "12-11-01" "cardmgr" "SELinux Policy documentation for cardmgr"
++.SH "NAME"
++cardmgr_selinux \- Security Enhanced Linux Policy for the cardmgr processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cardmgr processes via flexible mandatory access control.
++
++The cardmgr processes execute with the cardmgr_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cardmgr_t
++
++
++.SH "ENTRYPOINTS"
++
++The cardmgr_t SELinux type can be entered via the "cardctl_exec_t,cardmgr_exec_t" file types. The default entrypoint paths for the cardmgr_t domain are the following:"
++
++/sbin/cardctl, /usr/sbin/cardctl, /sbin/cardmgr, /usr/sbin/cardmgr, /etc/apm/event\.d/pcmcia
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cardmgr policy is very flexible allowing users to setup their cardmgr processes in as secure a method as possible.
++.PP
++The following process types are defined for cardmgr:
++
++.EX
++.B cardmgr_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cardmgr policy is very flexible allowing users to setup their cardmgr processes in as secure a method as possible.
++.PP
++The following file types are defined for cardmgr:
++
++
++.EX
++.PP
++.B cardmgr_dev_t
++.EE
++
++- Set files with the cardmgr_dev_t type, if you want to treat the files as cardmgr dev data.
++
++
++.EX
++.PP
++.B cardmgr_exec_t
++.EE
++
++- Set files with the cardmgr_exec_t type, if you want to transition an executable to the cardmgr_t domain.
++
++
++.EX
++.PP
++.B cardmgr_lnk_t
++.EE
++
++- Set files with the cardmgr_lnk_t type, if you want to treat the files as cardmgr lnk data.
++
++
++.EX
++.PP
++.B cardmgr_var_lib_t
++.EE
++
++- Set files with the cardmgr_var_lib_t type, if you want to store the cardmgr files under the /var/lib directory.
++
++
++.EX
++.PP
++.B cardmgr_var_run_t
++.EE
++
++- Set files with the cardmgr_var_run_t type, if you want to store the cardmgr files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cardmgr_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cardmgr_var_lib_t
++
++
++.br
++.B cardmgr_var_run_t
++
++ /var/lib/pcmcia(/.*)?
++.br
++ /var/run/stab
++.br
++ /var/run/cardmgr\.pid
++.br
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cardmgr(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ccs_selinux.8 b/man/man8/ccs_selinux.8
+new file mode 100644
+index 0000000..4859e26
+--- /dev/null
++++ b/man/man8/ccs_selinux.8
+@@ -0,0 +1,172 @@
++.TH "ccs_selinux" "8" "12-11-01" "ccs" "SELinux Policy documentation for ccs"
++.SH "NAME"
++ccs_selinux \- Security Enhanced Linux Policy for the ccs processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ccs processes via flexible mandatory access control.
++
++The ccs processes execute with the ccs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ccs_t
++
++
++.SH "ENTRYPOINTS"
++
++The ccs_t SELinux type can be entered via the "ccs_exec_t" file type. The default entrypoint paths for the ccs_t domain are the following:"
++
++/sbin/ccsd, /usr/sbin/ccsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ccs policy is very flexible allowing users to setup their ccs processes in as secure a method as possible.
++.PP
++The following process types are defined for ccs:
++
++.EX
++.B ccs_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ccs policy is very flexible allowing users to setup their ccs processes in as secure a method as possible.
++.PP
++The following file types are defined for ccs:
++
++
++.EX
++.PP
++.B ccs_exec_t
++.EE
++
++- Set files with the ccs_exec_t type, if you want to transition an executable to the ccs_t domain.
++
++
++.EX
++.PP
++.B ccs_tmp_t
++.EE
++
++- Set files with the ccs_tmp_t type, if you want to store ccs temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ccs_tmpfs_t
++.EE
++
++- Set files with the ccs_tmpfs_t type, if you want to store ccs files on a tmpfs file system.
++
++
++.EX
++.PP
++.B ccs_var_lib_t
++.EE
++
++- Set files with the ccs_var_lib_t type, if you want to store the ccs files under the /var/lib directory.
++
++
++.EX
++.PP
++.B ccs_var_log_t
++.EE
++
++- Set files with the ccs_var_log_t type, if you want to treat the data as ccs var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ccs_var_run_t
++.EE
++
++- Set files with the ccs_var_run_t type, if you want to store the ccs files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type ccs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ccs_tmp_t
++
++
++.br
++.B ccs_tmpfs_t
++
++
++.br
++.B ccs_var_lib_t
++
++
++.br
++.B ccs_var_log_t
++
++
++.br
++.B ccs_var_run_t
++
++ /var/run/cluster/ccsd\.pid
++.br
++ /var/run/cluster/ccsd\.sock
++.br
++
++.br
++.B cluster_conf_t
++
++ /etc/cluster(/.*)?
++.br
++
++.br
++.B file_t
++
++
++.br
++.B initrc_tmp_t
++
++
++.br
++.B qpidd_tmpfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ccs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/cdcc_selinux.8 b/man/man8/cdcc_selinux.8
+new file mode 100644
+index 0000000..06454f9
+--- /dev/null
++++ b/man/man8/cdcc_selinux.8
+@@ -0,0 +1,128 @@
++.TH "cdcc_selinux" "8" "12-11-01" "cdcc" "SELinux Policy documentation for cdcc"
++.SH "NAME"
++cdcc_selinux \- Security Enhanced Linux Policy for the cdcc processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cdcc processes via flexible mandatory access control.
++
++The cdcc processes execute with the cdcc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cdcc_t
++
++
++.SH "ENTRYPOINTS"
++
++The cdcc_t SELinux type can be entered via the "cdcc_exec_t" file type. The default entrypoint paths for the cdcc_t domain are the following:"
++
++/usr/bin/cdcc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cdcc policy is very flexible allowing users to setup their cdcc processes in as secure a method as possible.
++.PP
++The following process types are defined for cdcc:
++
++.EX
++.B cdcc_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cdcc policy is very flexible allowing users to setup their cdcc processes in as secure a method as possible.
++.PP
++The following file types are defined for cdcc:
++
++
++.EX
++.PP
++.B cdcc_exec_t
++.EE
++
++- Set files with the cdcc_exec_t type, if you want to transition an executable to the cdcc_t domain.
++
++
++.EX
++.PP
++.B cdcc_tmp_t
++.EE
++
++- Set files with the cdcc_tmp_t type, if you want to store cdcc temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cdcc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cdcc_tmp_t
++
++
++.br
++.B dcc_client_map_t
++
++ /etc/dcc/map
++.br
++ /var/dcc/map
++.br
++ /var/lib/dcc/map
++.br
++ /var/run/dcc/map
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cdcc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cdcc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cdcc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/cdrecord_selinux.8 b/man/man8/cdrecord_selinux.8
+new file mode 100644
+index 0000000..f808c03
+--- /dev/null
++++ b/man/man8/cdrecord_selinux.8
+@@ -0,0 +1,108 @@
++.TH "cdrecord_selinux" "8" "12-11-01" "cdrecord" "SELinux Policy documentation for cdrecord"
++.SH "NAME"
++cdrecord_selinux \- Security Enhanced Linux Policy for the cdrecord processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cdrecord processes via flexible mandatory access control.
++
++The cdrecord processes execute with the cdrecord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cdrecord_t
++
++
++.SH "ENTRYPOINTS"
++
++The cdrecord_t SELinux type can be entered via the "cdrecord_exec_t" file type. The default entrypoint paths for the cdrecord_t domain are the following:"
++
++/usr/bin/wodim, /usr/bin/cdrecord, /usr/bin/growisofs
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cdrecord policy is very flexible allowing users to setup their cdrecord processes in as secure a method as possible.
++.PP
++The following process types are defined for cdrecord:
++
++.EX
++.B cdrecord_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. cdrecord policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cdrecord with the tightest access possible.
++
++
++.PP
++If you want to allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files, you must turn on the cdrecord_read_content boolean.
++
++.EX
++.B setsebool -P cdrecord_read_content 1
++.EE
++
++.PP
++If you want to allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files, you must turn on the cdrecord_read_content boolean.
++
++.EX
++.B setsebool -P cdrecord_read_content 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cdrecord policy is very flexible allowing users to setup their cdrecord processes in as secure a method as possible.
++.PP
++The following file types are defined for cdrecord:
++
++
++.EX
++.PP
++.B cdrecord_exec_t
++.EE
++
++- Set files with the cdrecord_exec_t type, if you want to transition an executable to the cdrecord_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cdrecord(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/certmaster_selinux.8 b/man/man8/certmaster_selinux.8
+new file mode 100644
+index 0000000..90729bf
+--- /dev/null
++++ b/man/man8/certmaster_selinux.8
+@@ -0,0 +1,208 @@
++.TH "certmaster_selinux" "8" "12-11-01" "certmaster" "SELinux Policy documentation for certmaster"
++.SH "NAME"
++certmaster_selinux \- Security Enhanced Linux Policy for the certmaster processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the certmaster processes via flexible mandatory access control.
++
++The certmaster processes execute with the certmaster_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep certmaster_t
++
++
++.SH "ENTRYPOINTS"
++
++The certmaster_t SELinux type can be entered via the "certmaster_exec_t" file type. The default entrypoint paths for the certmaster_t domain are the following:"
++
++/usr/bin/certmaster
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux certmaster policy is very flexible allowing users to setup their certmaster processes in as secure a method as possible.
++.PP
++The following process types are defined for certmaster:
++
++.EX
++.B certmaster_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux certmaster policy is very flexible allowing users to setup their certmaster processes in as secure a method as possible.
++.PP
++The following file types are defined for certmaster:
++
++
++.EX
++.PP
++.B certmaster_etc_rw_t
++.EE
++
++- Set files with the certmaster_etc_rw_t type, if you want to treat the files as certmaster etc read/write content.
++
++
++.EX
++.PP
++.B certmaster_exec_t
++.EE
++
++- Set files with the certmaster_exec_t type, if you want to transition an executable to the certmaster_t domain.
++
++
++.EX
++.PP
++.B certmaster_initrc_exec_t
++.EE
++
++- Set files with the certmaster_initrc_exec_t type, if you want to transition an executable to the certmaster_initrc_t domain.
++
++
++.EX
++.PP
++.B certmaster_var_lib_t
++.EE
++
++- Set files with the certmaster_var_lib_t type, if you want to store the certmaster files under the /var/lib directory.
++
++
++.EX
++.PP
++.B certmaster_var_log_t
++.EE
++
++- Set files with the certmaster_var_log_t type, if you want to treat the data as certmaster var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B certmaster_var_run_t
++.EE
++
++- Set files with the certmaster_var_run_t type, if you want to store the certmaster files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux certmaster policy is very flexible allowing users to setup their certmaster processes in as secure a method as possible.
++.PP
++The following port types are defined for certmaster:
++
++.EX
++.TP 5
++.B certmaster_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 51235
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type certmaster_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cert_t
++
++ /etc/pki(/.*)?
++.br
++ /etc/httpd/alias(/.*)?
++.br
++ /usr/share/ssl/certs(/.*)?
++.br
++ /usr/share/ssl/private(/.*)?
++.br
++ /var/named/chroot/etc/pki(/.*)?
++.br
++
++.br
++.B certmaster_etc_rw_t
++
++ /etc/certmaster(/.*)?
++.br
++
++.br
++.B certmaster_var_lib_t
++
++ /var/lib/certmaster(/.*)?
++.br
++
++.br
++.B certmaster_var_log_t
++
++ /var/log/certmaster(/.*)?
++.br
++
++.br
++.B certmaster_var_run_t
++
++ /var/run/certmaster.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the certmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the certmaster_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), certmaster(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/certmonger_selinux.8 b/man/man8/certmonger_selinux.8
+new file mode 100644
+index 0000000..17c7336
+--- /dev/null
++++ b/man/man8/certmonger_selinux.8
+@@ -0,0 +1,196 @@
++.TH "certmonger_selinux" "8" "12-11-01" "certmonger" "SELinux Policy documentation for certmonger"
++.SH "NAME"
++certmonger_selinux \- Security Enhanced Linux Policy for the certmonger processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the certmonger processes via flexible mandatory access control.
++
++The certmonger processes execute with the certmonger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep certmonger_t
++
++
++.SH "ENTRYPOINTS"
++
++The certmonger_t SELinux type can be entered via the "certmonger_exec_t" file type. The default entrypoint paths for the certmonger_t domain are the following:"
++
++/usr/sbin/certmonger
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux certmonger policy is very flexible allowing users to setup their certmonger processes in as secure a method as possible.
++.PP
++The following process types are defined for certmonger:
++
++.EX
++.B certmonger_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux certmonger policy is very flexible allowing users to setup their certmonger processes in as secure a method as possible.
++.PP
++The following file types are defined for certmonger:
++
++
++.EX
++.PP
++.B certmonger_exec_t
++.EE
++
++- Set files with the certmonger_exec_t type, if you want to transition an executable to the certmonger_t domain.
++
++
++.EX
++.PP
++.B certmonger_initrc_exec_t
++.EE
++
++- Set files with the certmonger_initrc_exec_t type, if you want to transition an executable to the certmonger_initrc_t domain.
++
++
++.EX
++.PP
++.B certmonger_unconfined_exec_t
++.EE
++
++- Set files with the certmonger_unconfined_exec_t type, if you want to transition an executable to the certmonger_unconfined_t domain.
++
++
++.EX
++.PP
++.B certmonger_var_lib_t
++.EE
++
++- Set files with the certmonger_var_lib_t type, if you want to store the certmonger files under the /var/lib directory.
++
++
++.EX
++.PP
++.B certmonger_var_run_t
++.EE
++
++- Set files with the certmonger_var_run_t type, if you want to store the certmonger files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type certmonger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B cert_t
++
++ /etc/pki(/.*)?
++.br
++ /etc/httpd/alias(/.*)?
++.br
++ /usr/share/ssl/certs(/.*)?
++.br
++ /usr/share/ssl/private(/.*)?
++.br
++ /var/named/chroot/etc/pki(/.*)?
++.br
++
++.br
++.B certmonger_var_lib_t
++
++ /var/lib/certmonger(/.*)?
++.br
++
++.br
++.B certmonger_var_run_t
++
++ /var/run/certmonger.pid
++.br
++
++.br
++.B dirsrv_config_t
++
++ /etc/dirsrv(/.*)?
++.br
++
++.br
++.B pki_tomcat_cert_t
++
++ /var/lib/pki-ca/alias(/.*)?
++.br
++ /var/lib/pki-kra/alias(/.*)?
++.br
++ /var/lib/pki-tks/alias(/.*)?
++.br
++ /var/lib/pki-ocsp/alias(/.*)?
++.br
++ /etc/pki/pki-tomcat/alias(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the certmonger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the certmonger_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), certmonger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/certwatch_selinux.8 b/man/man8/certwatch_selinux.8
+new file mode 100644
+index 0000000..7655104
+--- /dev/null
++++ b/man/man8/certwatch_selinux.8
+@@ -0,0 +1,96 @@
++.TH "certwatch_selinux" "8" "12-11-01" "certwatch" "SELinux Policy documentation for certwatch"
++.SH "NAME"
++certwatch_selinux \- Security Enhanced Linux Policy for the certwatch processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the certwatch processes via flexible mandatory access control.
++
++The certwatch processes execute with the certwatch_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep certwatch_t
++
++
++.SH "ENTRYPOINTS"
++
++The certwatch_t SELinux type can be entered via the "certwatch_exec_t" file type. The default entrypoint paths for the certwatch_t domain are the following:"
++
++/usr/bin/certwatch
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux certwatch policy is very flexible allowing users to setup their certwatch processes in as secure a method as possible.
++.PP
++The following process types are defined for certwatch:
++
++.EX
++.B certwatch_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux certwatch policy is very flexible allowing users to setup their certwatch processes in as secure a method as possible.
++.PP
++The following file types are defined for certwatch:
++
++
++.EX
++.PP
++.B certwatch_exec_t
++.EE
++
++- Set files with the certwatch_exec_t type, if you want to transition an executable to the certwatch_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type certwatch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), certwatch(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/cfengine_execd_selinux.8 b/man/man8/cfengine_execd_selinux.8
+new file mode 100644
+index 0000000..12fcf8b
+--- /dev/null
++++ b/man/man8/cfengine_execd_selinux.8
+@@ -0,0 +1,117 @@
++.TH "cfengine_execd_selinux" "8" "12-11-01" "cfengine_execd" "SELinux Policy documentation for cfengine_execd"
++.SH "NAME"
++cfengine_execd_selinux \- Security Enhanced Linux Policy for the cfengine_execd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cfengine_execd processes via flexible mandatory access control.
++
++The cfengine_execd processes execute with the cfengine_execd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cfengine_execd_t
++
++
++.SH "ENTRYPOINTS"
++
++The cfengine_execd_t SELinux type can be entered via the "cfengine_execd_exec_t" file type. The default entrypoint paths for the cfengine_execd_t domain are the following:"
++
++/usr/sbin/cf-execd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cfengine_execd policy is very flexible allowing users to setup their cfengine_execd processes in as secure a method as possible.
++.PP
++The following process types are defined for cfengine_execd:
++
++.EX
++.B cfengine_execd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cfengine_execd policy is very flexible allowing users to setup their cfengine_execd processes in as secure a method as possible.
++.PP
++The following file types are defined for cfengine_execd:
++
++
++.EX
++.PP
++.B cfengine_execd_exec_t
++.EE
++
++- Set files with the cfengine_execd_exec_t type, if you want to transition an executable to the cfengine_execd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cfengine_execd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cfengine_var_lib_t
++
++ /var/cfengine(/.*)?
++.br
++
++.br
++.B cfengine_var_log_t
++
++ /var/cfengine/outputs(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_execd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cfengine_execd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cfengine_execd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, cfengine_monitord_selinux(8), cfengine_serverd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/cfengine_monitord_selinux.8 b/man/man8/cfengine_monitord_selinux.8
+new file mode 100644
+index 0000000..e4289e1
+--- /dev/null
++++ b/man/man8/cfengine_monitord_selinux.8
+@@ -0,0 +1,117 @@
++.TH "cfengine_monitord_selinux" "8" "12-11-01" "cfengine_monitord" "SELinux Policy documentation for cfengine_monitord"
++.SH "NAME"
++cfengine_monitord_selinux \- Security Enhanced Linux Policy for the cfengine_monitord processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cfengine_monitord processes via flexible mandatory access control.
++
++The cfengine_monitord processes execute with the cfengine_monitord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cfengine_monitord_t
++
++
++.SH "ENTRYPOINTS"
++
++The cfengine_monitord_t SELinux type can be entered via the "cfengine_monitord_exec_t" file type. The default entrypoint paths for the cfengine_monitord_t domain are the following:"
++
++/usr/sbin/cf-monitord
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cfengine_monitord policy is very flexible allowing users to setup their cfengine_monitord processes in as secure a method as possible.
++.PP
++The following process types are defined for cfengine_monitord:
++
++.EX
++.B cfengine_monitord_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cfengine_monitord policy is very flexible allowing users to setup their cfengine_monitord processes in as secure a method as possible.
++.PP
++The following file types are defined for cfengine_monitord:
++
++
++.EX
++.PP
++.B cfengine_monitord_exec_t
++.EE
++
++- Set files with the cfengine_monitord_exec_t type, if you want to transition an executable to the cfengine_monitord_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cfengine_monitord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cfengine_var_lib_t
++
++ /var/cfengine(/.*)?
++.br
++
++.br
++.B cfengine_var_log_t
++
++ /var/cfengine/outputs(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_monitord_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cfengine_monitord_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cfengine_monitord(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, cfengine_execd_selinux(8), cfengine_serverd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/cfengine_serverd_selinux.8 b/man/man8/cfengine_serverd_selinux.8
+new file mode 100644
+index 0000000..55e7b52
+--- /dev/null
++++ b/man/man8/cfengine_serverd_selinux.8
+@@ -0,0 +1,117 @@
++.TH "cfengine_serverd_selinux" "8" "12-11-01" "cfengine_serverd" "SELinux Policy documentation for cfengine_serverd"
++.SH "NAME"
++cfengine_serverd_selinux \- Security Enhanced Linux Policy for the cfengine_serverd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cfengine_serverd processes via flexible mandatory access control.
++
++The cfengine_serverd processes execute with the cfengine_serverd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cfengine_serverd_t
++
++
++.SH "ENTRYPOINTS"
++
++The cfengine_serverd_t SELinux type can be entered via the "cfengine_serverd_exec_t" file type. The default entrypoint paths for the cfengine_serverd_t domain are the following:"
++
++/usr/sbin/cf-serverd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cfengine_serverd policy is very flexible allowing users to setup their cfengine_serverd processes in as secure a method as possible.
++.PP
++The following process types are defined for cfengine_serverd:
++
++.EX
++.B cfengine_serverd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cfengine_serverd policy is very flexible allowing users to setup their cfengine_serverd processes in as secure a method as possible.
++.PP
++The following file types are defined for cfengine_serverd:
++
++
++.EX
++.PP
++.B cfengine_serverd_exec_t
++.EE
++
++- Set files with the cfengine_serverd_exec_t type, if you want to transition an executable to the cfengine_serverd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cfengine_serverd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cfengine_var_lib_t
++
++ /var/cfengine(/.*)?
++.br
++
++.br
++.B cfengine_var_log_t
++
++ /var/cfengine/outputs(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_serverd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cfengine_serverd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cfengine_serverd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, cfengine_execd_selinux(8), cfengine_monitord_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/cgclear_selinux.8 b/man/man8/cgclear_selinux.8
+new file mode 100644
+index 0000000..e92daea
+--- /dev/null
++++ b/man/man8/cgclear_selinux.8
+@@ -0,0 +1,112 @@
++.TH "cgclear_selinux" "8" "12-11-01" "cgclear" "SELinux Policy documentation for cgclear"
++.SH "NAME"
++cgclear_selinux \- Security Enhanced Linux Policy for the cgclear processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cgclear processes via flexible mandatory access control.
++
++The cgclear processes execute with the cgclear_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cgclear_t
++
++
++.SH "ENTRYPOINTS"
++
++The cgclear_t SELinux type can be entered via the "cgclear_exec_t" file type. The default entrypoint paths for the cgclear_t domain are the following:"
++
++/sbin/cgclear, /usr/sbin/cgclear
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cgclear policy is very flexible allowing users to setup their cgclear processes in as secure a method as possible.
++.PP
++The following process types are defined for cgclear:
++
++.EX
++.B cgclear_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cgclear policy is very flexible allowing users to setup their cgclear processes in as secure a method as possible.
++.PP
++The following file types are defined for cgclear:
++
++
++.EX
++.PP
++.B cgclear_exec_t
++.EE
++
++- Set files with the cgclear_exec_t type, if you want to transition an executable to the cgclear_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cgclear_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgclear_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cgclear_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cgclear(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/cgconfig_selinux.8 b/man/man8/cgconfig_selinux.8
+new file mode 100644
+index 0000000..8e5f96c
+--- /dev/null
++++ b/man/man8/cgconfig_selinux.8
+@@ -0,0 +1,128 @@
++.TH "cgconfig_selinux" "8" "12-11-01" "cgconfig" "SELinux Policy documentation for cgconfig"
++.SH "NAME"
++cgconfig_selinux \- Security Enhanced Linux Policy for the cgconfig processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cgconfig processes via flexible mandatory access control.
++
++The cgconfig processes execute with the cgconfig_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cgconfig_t
++
++
++.SH "ENTRYPOINTS"
++
++The cgconfig_t SELinux type can be entered via the "cgconfig_exec_t" file type. The default entrypoint paths for the cgconfig_t domain are the following:"
++
++/sbin/cgconfigparser, /usr/sbin/cgconfigparser
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cgconfig policy is very flexible allowing users to setup their cgconfig processes in as secure a method as possible.
++.PP
++The following process types are defined for cgconfig:
++
++.EX
++.B cgconfig_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cgconfig policy is very flexible allowing users to setup their cgconfig processes in as secure a method as possible.
++.PP
++The following file types are defined for cgconfig:
++
++
++.EX
++.PP
++.B cgconfig_etc_t
++.EE
++
++- Set files with the cgconfig_etc_t type, if you want to store cgconfig files in the /etc directories.
++
++
++.EX
++.PP
++.B cgconfig_exec_t
++.EE
++
++- Set files with the cgconfig_exec_t type, if you want to transition an executable to the cgconfig_t domain.
++
++
++.EX
++.PP
++.B cgconfig_initrc_exec_t
++.EE
++
++- Set files with the cgconfig_initrc_exec_t type, if you want to transition an executable to the cgconfig_initrc_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cgconfig_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cgconfig_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cgconfig(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/cgred_selinux.8 b/man/man8/cgred_selinux.8
+new file mode 100644
+index 0000000..dfaff3f
+--- /dev/null
++++ b/man/man8/cgred_selinux.8
+@@ -0,0 +1,148 @@
++.TH "cgred_selinux" "8" "12-11-01" "cgred" "SELinux Policy documentation for cgred"
++.SH "NAME"
++cgred_selinux \- Security Enhanced Linux Policy for the cgred processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cgred processes via flexible mandatory access control.
++
++The cgred processes execute with the cgred_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cgred_t
++
++
++.SH "ENTRYPOINTS"
++
++The cgred_t SELinux type can be entered via the "cgred_exec_t" file type. The default entrypoint paths for the cgred_t domain are the following:"
++
++/sbin/cgrulesengd, /usr/sbin/cgrulesengd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cgred policy is very flexible allowing users to setup their cgred processes in as secure a method as possible.
++.PP
++The following process types are defined for cgred:
++
++.EX
++.B cgred_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cgred policy is very flexible allowing users to setup their cgred processes in as secure a method as possible.
++.PP
++The following file types are defined for cgred:
++
++
++.EX
++.PP
++.B cgred_exec_t
++.EE
++
++- Set files with the cgred_exec_t type, if you want to transition an executable to the cgred_t domain.
++
++
++.EX
++.PP
++.B cgred_initrc_exec_t
++.EE
++
++- Set files with the cgred_initrc_exec_t type, if you want to transition an executable to the cgred_initrc_t domain.
++
++
++.EX
++.PP
++.B cgred_log_t
++.EE
++
++- Set files with the cgred_log_t type, if you want to treat the data as cgred log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B cgred_var_run_t
++.EE
++
++- Set files with the cgred_var_run_t type, if you want to store the cgred files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cgred_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cgred_log_t
++
++ /var/log/cgrulesengd\.log.*
++.br
++
++.br
++.B cgred_var_run_t
++
++ /var/run/cgred.*
++.br
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgred_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cgred_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cgred(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/checkpc_selinux.8 b/man/man8/checkpc_selinux.8
+new file mode 100644
+index 0000000..72abe95
+--- /dev/null
++++ b/man/man8/checkpc_selinux.8
+@@ -0,0 +1,112 @@
++.TH "checkpc_selinux" "8" "12-11-01" "checkpc" "SELinux Policy documentation for checkpc"
++.SH "NAME"
++checkpc_selinux \- Security Enhanced Linux Policy for the checkpc processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the checkpc processes via flexible mandatory access control.
++
++The checkpc processes execute with the checkpc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep checkpc_t
++
++
++.SH "ENTRYPOINTS"
++
++The checkpc_t SELinux type can be entered via the "checkpc_exec_t" file type. The default entrypoint paths for the checkpc_t domain are the following:"
++
++/usr/sbin/checkpc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux checkpc policy is very flexible allowing users to setup their checkpc processes in as secure a method as possible.
++.PP
++The following process types are defined for checkpc:
++
++.EX
++.B checkpc_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux checkpc policy is very flexible allowing users to setup their checkpc processes in as secure a method as possible.
++.PP
++The following file types are defined for checkpc:
++
++
++.EX
++.PP
++.B checkpc_exec_t
++.EE
++
++- Set files with the checkpc_exec_t type, if you want to transition an executable to the checkpc_t domain.
++
++
++.EX
++.PP
++.B checkpc_log_t
++.EE
++
++- Set files with the checkpc_log_t type, if you want to treat the data as checkpc log data, usually stored under the /var/log directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type checkpc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B checkpc_log_t
++
++
++.br
++.B print_spool_t
++
++ /var/spool/lpd(/.*)?
++.br
++ /var/spool/cups(/.*)?
++.br
++ /var/spool/cups-pdf(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), checkpc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/checkpolicy_selinux.8 b/man/man8/checkpolicy_selinux.8
+new file mode 100644
+index 0000000..b3bbf2c
+--- /dev/null
++++ b/man/man8/checkpolicy_selinux.8
+@@ -0,0 +1,102 @@
++.TH "checkpolicy_selinux" "8" "12-11-01" "checkpolicy" "SELinux Policy documentation for checkpolicy"
++.SH "NAME"
++checkpolicy_selinux \- Security Enhanced Linux Policy for the checkpolicy processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the checkpolicy processes via flexible mandatory access control.
++
++The checkpolicy processes execute with the checkpolicy_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep checkpolicy_t
++
++
++.SH "ENTRYPOINTS"
++
++The checkpolicy_t SELinux type can be entered via the "checkpolicy_exec_t" file type. The default entrypoint paths for the checkpolicy_t domain are the following:"
++
++/usr/bin/checkpolicy
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux checkpolicy policy is very flexible allowing users to setup their checkpolicy processes in as secure a method as possible.
++.PP
++The following process types are defined for checkpolicy:
++
++.EX
++.B checkpolicy_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux checkpolicy policy is very flexible allowing users to setup their checkpolicy processes in as secure a method as possible.
++.PP
++The following file types are defined for checkpolicy:
++
++
++.EX
++.PP
++.B checkpolicy_exec_t
++.EE
++
++- Set files with the checkpolicy_exec_t type, if you want to transition an executable to the checkpolicy_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type checkpolicy_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B semanage_store_t
++
++ /etc/selinux/([^/]*/)?policy(/.*)?
++.br
++ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
++.br
++ /etc/share/selinux/mls(/.*)?
++.br
++ /etc/share/selinux/targeted(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), checkpolicy(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/chfn_selinux.8 b/man/man8/chfn_selinux.8
+new file mode 100644
+index 0000000..9a08bac
+--- /dev/null
++++ b/man/man8/chfn_selinux.8
+@@ -0,0 +1,198 @@
++.TH "chfn_selinux" "8" "12-11-01" "chfn" "SELinux Policy documentation for chfn"
++.SH "NAME"
++chfn_selinux \- Security Enhanced Linux Policy for the chfn processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the chfn processes via flexible mandatory access control.
++
++The chfn processes execute with the chfn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep chfn_t
++
++
++.SH "ENTRYPOINTS"
++
++The chfn_t SELinux type can be entered via the "chfn_exec_t" file type. The default entrypoint paths for the chfn_t domain are the following:"
++
++/usr/bin/chfn, /usr/bin/chsh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux chfn policy is very flexible allowing users to setup their chfn processes in as secure a method as possible.
++.PP
++The following process types are defined for chfn:
++
++.EX
++.B chfn_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux chfn policy is very flexible allowing users to setup their chfn processes in as secure a method as possible.
++.PP
++The following file types are defined for chfn:
++
++
++.EX
++.PP
++.B chfn_exec_t
++.EE
++
++- Set files with the chfn_exec_t type, if you want to transition an executable to the chfn_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type chfn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B passwd_file_t
++
++ /etc/group[-\+]?
++.br
++ /etc/passwd[-\+]?
++.br
++ /etc/passwd\.adjunct.*
++.br
++ /etc/ptmptmp
++.br
++ /etc/\.pwd\.lock
++.br
++ /etc/group\.lock
++.br
++ /etc/passwd\.OLD
++.br
++ /etc/passwd\.lock
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chfn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the chfn_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), chfn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/chkpwd_selinux.8 b/man/man8/chkpwd_selinux.8
+new file mode 100644
+index 0000000..fa2035e
+--- /dev/null
++++ b/man/man8/chkpwd_selinux.8
+@@ -0,0 +1,100 @@
++.TH "chkpwd_selinux" "8" "12-11-01" "chkpwd" "SELinux Policy documentation for chkpwd"
++.SH "NAME"
++chkpwd_selinux \- Security Enhanced Linux Policy for the chkpwd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the chkpwd processes via flexible mandatory access control.
++
++The chkpwd processes execute with the chkpwd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep chkpwd_t
++
++
++.SH "ENTRYPOINTS"
++
++The chkpwd_t SELinux type can be entered via the "chkpwd_exec_t" file type. The default entrypoint paths for the chkpwd_t domain are the following:"
++
++/sbin/unix_chkpwd, /sbin/unix_verify, /usr/sbin/validate, /usr/sbin/unix_chkpwd, /usr/sbin/unix_verify
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux chkpwd policy is very flexible allowing users to setup their chkpwd processes in as secure a method as possible.
++.PP
++The following process types are defined for chkpwd:
++
++.EX
++.B chkpwd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux chkpwd policy is very flexible allowing users to setup their chkpwd processes in as secure a method as possible.
++.PP
++The following file types are defined for chkpwd:
++
++
++.EX
++.PP
++.B chkpwd_exec_t
++.EE
++
++- Set files with the chkpwd_exec_t type, if you want to transition an executable to the chkpwd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chkpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the chkpwd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), chkpwd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/chrome_sandbox_nacl_selinux.8 b/man/man8/chrome_sandbox_nacl_selinux.8
+new file mode 100644
+index 0000000..9f1594b
+--- /dev/null
++++ b/man/man8/chrome_sandbox_nacl_selinux.8
+@@ -0,0 +1,95 @@
++.TH "chrome_sandbox_nacl_selinux" "8" "12-11-01" "chrome_sandbox_nacl" "SELinux Policy documentation for chrome_sandbox_nacl"
++.SH "NAME"
++chrome_sandbox_nacl_selinux \- Security Enhanced Linux Policy for the chrome_sandbox_nacl processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the chrome_sandbox_nacl processes via flexible mandatory access control.
++
++The chrome_sandbox_nacl processes execute with the chrome_sandbox_nacl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep chrome_sandbox_nacl_t
++
++
++.SH "ENTRYPOINTS"
++
++The chrome_sandbox_nacl_t SELinux type can be entered via the "bin_t,chrome_sandbox_nacl_exec_t" file types. The default entrypoint paths for the chrome_sandbox_nacl_t domain are the following:"
++
++/bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, /usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, /usr/lib/xen/bin(/.*)?, /usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, /usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, /etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/share/shorewall-perl(/.*)?, /usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, /usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, /etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, /etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, /usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, /usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, /usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/share/system-config-securitylevel/system-config-securitylevel\.py, /opt/google/chrome/nacl_helper_bootstrap, /usr/lib/chromium-browser/nacl_helper_bootstrap
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux chrome_sandbox_nacl policy is very flexible allowing users to setup their chrome_sandbox_nacl processes in as secure a method as possible.
++.PP
++The following process types are defined for chrome_sandbox_nacl:
++
++.EX
++.B chrome_sandbox_nacl_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux chrome_sandbox_nacl policy is very flexible allowing users to setup their chrome_sandbox_nacl processes in as secure a method as possible.
++.PP
++The following file types are defined for chrome_sandbox_nacl:
++
++
++.EX
++.PP
++.B chrome_sandbox_nacl_exec_t
++.EE
++
++- Set files with the chrome_sandbox_nacl_exec_t type, if you want to transition an executable to the chrome_sandbox_nacl_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type chrome_sandbox_nacl_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B chrome_sandbox_tmpfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), chrome_sandbox_nacl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, chrome_sandbox_selinux(8), chrome_sandbox_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/chrome_sandbox_selinux.8 b/man/man8/chrome_sandbox_selinux.8
+new file mode 100644
+index 0000000..42c38de
+--- /dev/null
++++ b/man/man8/chrome_sandbox_selinux.8
+@@ -0,0 +1,206 @@
++.TH "chrome_sandbox_selinux" "8" "12-11-01" "chrome_sandbox" "SELinux Policy documentation for chrome_sandbox"
++.SH "NAME"
++chrome_sandbox_selinux \- Security Enhanced Linux Policy for the chrome_sandbox processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the chrome_sandbox processes via flexible mandatory access control.
++
++The chrome_sandbox processes execute with the chrome_sandbox_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep chrome_sandbox_t
++
++
++.SH "ENTRYPOINTS"
++
++The chrome_sandbox_t SELinux type can be entered via the "chrome_sandbox_exec_t" file type. The default entrypoint paths for the chrome_sandbox_t domain are the following:"
++
++/opt/google/chrome/chrome-sandbox, /usr/lib/chromium-browser/chrome-sandbox
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux chrome_sandbox policy is very flexible allowing users to setup their chrome_sandbox processes in as secure a method as possible.
++.PP
++The following process types are defined for chrome_sandbox:
++
++.EX
++.B chrome_sandbox_t, chrome_sandbox_nacl_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. chrome_sandbox policy is extremely flexible and has several booleans that allow you to manipulate the policy and run chrome_sandbox with the tightest access possible.
++
++
++.PP
++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean.
++
++.EX
++.B setsebool -P unconfined_chrome_sandbox_transition 1
++.EE
++
++.PP
++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean.
++
++.EX
++.B setsebool -P unconfined_chrome_sandbox_transition 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux chrome_sandbox policy is very flexible allowing users to setup their chrome_sandbox processes in as secure a method as possible.
++.PP
++The following file types are defined for chrome_sandbox:
++
++
++.EX
++.PP
++.B chrome_sandbox_exec_t
++.EE
++
++- Set files with the chrome_sandbox_exec_t type, if you want to transition an executable to the chrome_sandbox_t domain.
++
++
++.EX
++.PP
++.B chrome_sandbox_nacl_exec_t
++.EE
++
++- Set files with the chrome_sandbox_nacl_exec_t type, if you want to transition an executable to the chrome_sandbox_nacl_t domain.
++
++
++.EX
++.PP
++.B chrome_sandbox_tmp_t
++.EE
++
++- Set files with the chrome_sandbox_tmp_t type, if you want to store chrome sandbox temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B chrome_sandbox_tmpfs_t
++.EE
++
++- Set files with the chrome_sandbox_tmpfs_t type, if you want to store chrome sandbox files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type chrome_sandbox_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B chrome_sandbox_tmp_t
++
++
++.br
++.B chrome_sandbox_tmpfs_t
++
++
++.br
++.B home_cert_t
++
++ /root/\.pki(/.*)?
++.br
++ /root/\.cert(/.*)?
++.br
++ /home/[^/]*/.kde/share/apps/networkmanagement/certificates(/.*)?
++.br
++ /home/[^/]*/\.pki(/.*)?
++.br
++ /home/[^/]*/\.cert(/.*)?
++.br
++ /home/dwalsh/.kde/share/apps/networkmanagement/certificates(/.*)?
++.br
++ /home/dwalsh/\.pki(/.*)?
++.br
++ /home/dwalsh/\.cert(/.*)?
++.br
++ /var/lib/xguest/home/xguest/.kde/share/apps/networkmanagement/certificates(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.pki(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cert(/.*)?
++.br
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), chrome_sandbox(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), chrome_sandbox_nacl_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/chronyd_selinux.8 b/man/man8/chronyd_selinux.8
+new file mode 100644
+index 0000000..2e165b5
+--- /dev/null
++++ b/man/man8/chronyd_selinux.8
+@@ -0,0 +1,216 @@
++.TH "chronyd_selinux" "8" "12-11-01" "chronyd" "SELinux Policy documentation for chronyd"
++.SH "NAME"
++chronyd_selinux \- Security Enhanced Linux Policy for the chronyd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the chronyd processes via flexible mandatory access control.
++
++The chronyd processes execute with the chronyd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep chronyd_t
++
++
++.SH "ENTRYPOINTS"
++
++The chronyd_t SELinux type can be entered via the "chronyd_exec_t" file type. The default entrypoint paths for the chronyd_t domain are the following:"
++
++/usr/sbin/chronyd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux chronyd policy is very flexible allowing users to setup their chronyd processes in as secure a method as possible.
++.PP
++The following process types are defined for chronyd:
++
++.EX
++.B chronyd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux chronyd policy is very flexible allowing users to setup their chronyd processes in as secure a method as possible.
++.PP
++The following file types are defined for chronyd:
++
++
++.EX
++.PP
++.B chronyd_exec_t
++.EE
++
++- Set files with the chronyd_exec_t type, if you want to transition an executable to the chronyd_t domain.
++
++
++.EX
++.PP
++.B chronyd_initrc_exec_t
++.EE
++
++- Set files with the chronyd_initrc_exec_t type, if you want to transition an executable to the chronyd_initrc_t domain.
++
++
++.EX
++.PP
++.B chronyd_keys_t
++.EE
++
++- Set files with the chronyd_keys_t type, if you want to treat the files as chronyd keys data.
++
++
++.EX
++.PP
++.B chronyd_tmpfs_t
++.EE
++
++- Set files with the chronyd_tmpfs_t type, if you want to store chronyd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B chronyd_unit_file_t
++.EE
++
++- Set files with the chronyd_unit_file_t type, if you want to treat the files as chronyd unit content.
++
++
++.EX
++.PP
++.B chronyd_var_lib_t
++.EE
++
++- Set files with the chronyd_var_lib_t type, if you want to store the chronyd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B chronyd_var_log_t
++.EE
++
++- Set files with the chronyd_var_log_t type, if you want to treat the data as chronyd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B chronyd_var_run_t
++.EE
++
++- Set files with the chronyd_var_run_t type, if you want to store the chronyd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux chronyd policy is very flexible allowing users to setup their chronyd processes in as secure a method as possible.
++.PP
++The following port types are defined for chronyd:
++
++.EX
++.TP 5
++.B chronyd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 323
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type chronyd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B chronyd_tmpfs_t
++
++
++.br
++.B chronyd_var_lib_t
++
++ /var/lib/chrony(/.*)?
++.br
++
++.br
++.B chronyd_var_log_t
++
++ /var/log/chrony(/.*)?
++.br
++
++.br
++.B chronyd_var_run_t
++
++ /var/run/chronyd(/.*)
++.br
++ /var/run/chronyd\.pid
++.br
++ /var/run/chronyd\.sock
++.br
++
++.br
++.B gpsd_tmpfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chronyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the chronyd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), chronyd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ciped_selinux.8 b/man/man8/ciped_selinux.8
+new file mode 100644
+index 0000000..7e19c9b
+--- /dev/null
++++ b/man/man8/ciped_selinux.8
+@@ -0,0 +1,86 @@
++.TH "ciped_selinux" "8" "12-11-01" "ciped" "SELinux Policy documentation for ciped"
++.SH "NAME"
++ciped_selinux \- Security Enhanced Linux Policy for the ciped processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ciped processes via flexible mandatory access control.
++
++The ciped processes execute with the ciped_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ciped_t
++
++
++.SH "ENTRYPOINTS"
++
++The ciped_t SELinux type can be entered via the "ciped_exec_t" file type. The default entrypoint paths for the ciped_t domain are the following:"
++
++/usr/sbin/ciped.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ciped policy is very flexible allowing users to setup their ciped processes in as secure a method as possible.
++.PP
++The following process types are defined for ciped:
++
++.EX
++.B ciped_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ciped policy is very flexible allowing users to setup their ciped processes in as secure a method as possible.
++.PP
++The following file types are defined for ciped:
++
++
++.EX
++.PP
++.B ciped_exec_t
++.EE
++
++- Set files with the ciped_exec_t type, if you want to transition an executable to the ciped_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ciped(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/clamd_selinux.8 b/man/man8/clamd_selinux.8
+new file mode 100644
+index 0000000..26f026b
+--- /dev/null
++++ b/man/man8/clamd_selinux.8
+@@ -0,0 +1,284 @@
++.TH "clamd_selinux" "8" "12-11-01" "clamd" "SELinux Policy documentation for clamd"
++.SH "NAME"
++clamd_selinux \- Security Enhanced Linux Policy for the clamd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the clamd processes via flexible mandatory access control.
++
++The clamd processes execute with the clamd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep clamd_t
++
++
++.SH "ENTRYPOINTS"
++
++The clamd_t SELinux type can be entered via the "clamd_exec_t" file type. The default entrypoint paths for the clamd_t domain are the following:"
++
++/usr/sbin/clamd, /usr/sbin/clamav-milter
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux clamd policy is very flexible allowing users to setup their clamd processes in as secure a method as possible.
++.PP
++The following process types are defined for clamd:
++
++.EX
++.B clamd_t, clamscan_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. clamd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clamd with the tightest access possible.
++
++
++.PP
++If you want to allow clamd to use JIT compiler, you must turn on the clamd_use_jit boolean.
++
++.EX
++.B setsebool -P clamd_use_jit 1
++.EE
++
++.PP
++If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean.
++
++.EX
++.B setsebool -P clamscan_can_scan_system 1
++.EE
++
++.PP
++If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
++
++.EX
++.B setsebool -P clamscan_read_user_content 1
++.EE
++
++.PP
++If you want to allow clamd to use JIT compiler, you must turn on the clamd_use_jit boolean.
++
++.EX
++.B setsebool -P clamd_use_jit 1
++.EE
++
++.PP
++If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean.
++
++.EX
++.B setsebool -P clamscan_can_scan_system 1
++.EE
++
++.PP
++If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
++
++.EX
++.B setsebool -P clamscan_read_user_content 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux clamd policy is very flexible allowing users to setup their clamd processes in as secure a method as possible.
++.PP
++The following file types are defined for clamd:
++
++
++.EX
++.PP
++.B clamd_etc_t
++.EE
++
++- Set files with the clamd_etc_t type, if you want to store clamd files in the /etc directories.
++
++
++.EX
++.PP
++.B clamd_exec_t
++.EE
++
++- Set files with the clamd_exec_t type, if you want to transition an executable to the clamd_t domain.
++
++
++.EX
++.PP
++.B clamd_initrc_exec_t
++.EE
++
++- Set files with the clamd_initrc_exec_t type, if you want to transition an executable to the clamd_initrc_t domain.
++
++
++.EX
++.PP
++.B clamd_tmp_t
++.EE
++
++- Set files with the clamd_tmp_t type, if you want to store clamd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B clamd_unit_file_t
++.EE
++
++- Set files with the clamd_unit_file_t type, if you want to treat the files as clamd unit content.
++
++
++.EX
++.PP
++.B clamd_var_lib_t
++.EE
++
++- Set files with the clamd_var_lib_t type, if you want to store the clamd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B clamd_var_log_t
++.EE
++
++- Set files with the clamd_var_log_t type, if you want to treat the data as clamd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B clamd_var_run_t
++.EE
++
++- Set files with the clamd_var_run_t type, if you want to store the clamd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux clamd policy is very flexible allowing users to setup their clamd processes in as secure a method as possible.
++.PP
++The following port types are defined for clamd:
++
++.EX
++.TP 5
++.B clamd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 3310
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type clamd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B amavis_spool_t
++
++ /var/spool/amavisd(/.*)?
++.br
++
++.br
++.B antivirus_db_t
++
++ /var/opt/f-secure(/.*)?
++.br
++
++.br
++.B clamd_tmp_t
++
++
++.br
++.B clamd_var_lib_t
++
++ /var/clamav(/.*)?
++.br
++ /var/lib/clamd.*
++.br
++ /var/lib/clamav(/.*)?
++.br
++
++.br
++.B clamd_var_log_t
++
++ /var/log/clamd.*
++.br
++ /var/log/clamav.*
++.br
++
++.br
++.B clamd_var_run_t
++
++ /var/run/clamd.*
++.br
++ /var/run/clamav.*
++.br
++ /var/run/amavis(d)?/clamd\.pid
++.br
++ /var/spool/MailScanner(/.*)?
++.br
++ /var/spool/amavisd/clamd\.sock
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the clamd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the clamd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), clamd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), clamscan_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/clamscan_selinux.8 b/man/man8/clamscan_selinux.8
+new file mode 100644
+index 0000000..d29a7f2
+--- /dev/null
++++ b/man/man8/clamscan_selinux.8
+@@ -0,0 +1,160 @@
++.TH "clamscan_selinux" "8" "12-11-01" "clamscan" "SELinux Policy documentation for clamscan"
++.SH "NAME"
++clamscan_selinux \- Security Enhanced Linux Policy for the clamscan processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the clamscan processes via flexible mandatory access control.
++
++The clamscan processes execute with the clamscan_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep clamscan_t
++
++
++.SH "ENTRYPOINTS"
++
++The clamscan_t SELinux type can be entered via the "clamscan_exec_t" file type. The default entrypoint paths for the clamscan_t domain are the following:"
++
++/usr/bin/clamscan, /usr/bin/clamdscan
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux clamscan policy is very flexible allowing users to setup their clamscan processes in as secure a method as possible.
++.PP
++The following process types are defined for clamscan:
++
++.EX
++.B clamscan_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. clamscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clamscan with the tightest access possible.
++
++
++.PP
++If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean.
++
++.EX
++.B setsebool -P clamscan_can_scan_system 1
++.EE
++
++.PP
++If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
++
++.EX
++.B setsebool -P clamscan_read_user_content 1
++.EE
++
++.PP
++If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean.
++
++.EX
++.B setsebool -P clamscan_can_scan_system 1
++.EE
++
++.PP
++If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
++
++.EX
++.B setsebool -P clamscan_read_user_content 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux clamscan policy is very flexible allowing users to setup their clamscan processes in as secure a method as possible.
++.PP
++The following file types are defined for clamscan:
++
++
++.EX
++.PP
++.B clamscan_exec_t
++.EE
++
++- Set files with the clamscan_exec_t type, if you want to transition an executable to the clamscan_t domain.
++
++
++.EX
++.PP
++.B clamscan_tmp_t
++.EE
++
++- Set files with the clamscan_tmp_t type, if you want to store clamscan temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type clamscan_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B amavis_spool_t
++
++ /var/spool/amavisd(/.*)?
++.br
++
++.br
++.B antivirus_db_t
++
++ /var/opt/f-secure(/.*)?
++.br
++
++.br
++.B clamd_var_lib_t
++
++ /var/clamav(/.*)?
++.br
++ /var/lib/clamd.*
++.br
++ /var/lib/clamav(/.*)?
++.br
++
++.br
++.B clamscan_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), clamscan(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/clogd_selinux.8 b/man/man8/clogd_selinux.8
+new file mode 100644
+index 0000000..376c775
+--- /dev/null
++++ b/man/man8/clogd_selinux.8
+@@ -0,0 +1,116 @@
++.TH "clogd_selinux" "8" "12-11-01" "clogd" "SELinux Policy documentation for clogd"
++.SH "NAME"
++clogd_selinux \- Security Enhanced Linux Policy for the clogd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the clogd processes via flexible mandatory access control.
++
++The clogd processes execute with the clogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep clogd_t
++
++
++.SH "ENTRYPOINTS"
++
++The clogd_t SELinux type can be entered via the "clogd_exec_t" file type. The default entrypoint paths for the clogd_t domain are the following:"
++
++/usr/sbin/clogd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux clogd policy is very flexible allowing users to setup their clogd processes in as secure a method as possible.
++.PP
++The following process types are defined for clogd:
++
++.EX
++.B clogd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux clogd policy is very flexible allowing users to setup their clogd processes in as secure a method as possible.
++.PP
++The following file types are defined for clogd:
++
++
++.EX
++.PP
++.B clogd_exec_t
++.EE
++
++- Set files with the clogd_exec_t type, if you want to transition an executable to the clogd_t domain.
++
++
++.EX
++.PP
++.B clogd_tmpfs_t
++.EE
++
++- Set files with the clogd_tmpfs_t type, if you want to store clogd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B clogd_var_run_t
++.EE
++
++- Set files with the clogd_var_run_t type, if you want to store the clogd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type clogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B clogd_tmpfs_t
++
++
++.br
++.B clogd_var_run_t
++
++ /var/run/clogd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), clogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/clvmd_selinux.8 b/man/man8/clvmd_selinux.8
+new file mode 100644
+index 0000000..6c83943
+--- /dev/null
++++ b/man/man8/clvmd_selinux.8
+@@ -0,0 +1,142 @@
++.TH "clvmd_selinux" "8" "12-11-01" "clvmd" "SELinux Policy documentation for clvmd"
++.SH "NAME"
++clvmd_selinux \- Security Enhanced Linux Policy for the clvmd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the clvmd processes via flexible mandatory access control.
++
++The clvmd processes execute with the clvmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep clvmd_t
++
++
++.SH "ENTRYPOINTS"
++
++The clvmd_t SELinux type can be entered via the "clvmd_exec_t" file type. The default entrypoint paths for the clvmd_t domain are the following:"
++
++/usr/sbin/clvmd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux clvmd policy is very flexible allowing users to setup their clvmd processes in as secure a method as possible.
++.PP
++The following process types are defined for clvmd:
++
++.EX
++.B clvmd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux clvmd policy is very flexible allowing users to setup their clvmd processes in as secure a method as possible.
++.PP
++The following file types are defined for clvmd:
++
++
++.EX
++.PP
++.B clvmd_exec_t
++.EE
++
++- Set files with the clvmd_exec_t type, if you want to transition an executable to the clvmd_t domain.
++
++
++.EX
++.PP
++.B clvmd_initrc_exec_t
++.EE
++
++- Set files with the clvmd_initrc_exec_t type, if you want to transition an executable to the clvmd_initrc_t domain.
++
++
++.EX
++.PP
++.B clvmd_tmpfs_t
++.EE
++
++- Set files with the clvmd_tmpfs_t type, if you want to store clvmd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B clvmd_var_run_t
++.EE
++
++- Set files with the clvmd_var_run_t type, if you want to store the clvmd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type clvmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B clvmd_tmpfs_t
++
++
++.br
++.B clvmd_var_run_t
++
++ /var/run/clvmd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the clvmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the clvmd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), clvmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/cmirrord_selinux.8 b/man/man8/cmirrord_selinux.8
+new file mode 100644
+index 0000000..529b7f4
+--- /dev/null
++++ b/man/man8/cmirrord_selinux.8
+@@ -0,0 +1,124 @@
++.TH "cmirrord_selinux" "8" "12-11-01" "cmirrord" "SELinux Policy documentation for cmirrord"
++.SH "NAME"
++cmirrord_selinux \- Security Enhanced Linux Policy for the cmirrord processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cmirrord processes via flexible mandatory access control.
++
++The cmirrord processes execute with the cmirrord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cmirrord_t
++
++
++.SH "ENTRYPOINTS"
++
++The cmirrord_t SELinux type can be entered via the "cmirrord_exec_t" file type. The default entrypoint paths for the cmirrord_t domain are the following:"
++
++/usr/sbin/cmirrord
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cmirrord policy is very flexible allowing users to setup their cmirrord processes in as secure a method as possible.
++.PP
++The following process types are defined for cmirrord:
++
++.EX
++.B cmirrord_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cmirrord policy is very flexible allowing users to setup their cmirrord processes in as secure a method as possible.
++.PP
++The following file types are defined for cmirrord:
++
++
++.EX
++.PP
++.B cmirrord_exec_t
++.EE
++
++- Set files with the cmirrord_exec_t type, if you want to transition an executable to the cmirrord_t domain.
++
++
++.EX
++.PP
++.B cmirrord_initrc_exec_t
++.EE
++
++- Set files with the cmirrord_initrc_exec_t type, if you want to transition an executable to the cmirrord_initrc_t domain.
++
++
++.EX
++.PP
++.B cmirrord_tmpfs_t
++.EE
++
++- Set files with the cmirrord_tmpfs_t type, if you want to store cmirrord files on a tmpfs file system.
++
++
++.EX
++.PP
++.B cmirrord_var_run_t
++.EE
++
++- Set files with the cmirrord_var_run_t type, if you want to store the cmirrord files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cmirrord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cmirrord_tmpfs_t
++
++
++.br
++.B cmirrord_var_run_t
++
++ /var/run/cmirrord\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cmirrord(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/cobblerd_selinux.8 b/man/man8/cobblerd_selinux.8
+new file mode 100644
+index 0000000..d1680db
+--- /dev/null
++++ b/man/man8/cobblerd_selinux.8
+@@ -0,0 +1,391 @@
++.TH "cobblerd_selinux" "8" "12-11-01" "cobblerd" "SELinux Policy documentation for cobblerd"
++.SH "NAME"
++cobblerd_selinux \- Security Enhanced Linux Policy for the cobblerd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cobblerd processes via flexible mandatory access control.
++
++The cobblerd processes execute with the cobblerd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cobblerd_t
++
++
++.SH "ENTRYPOINTS"
++
++The cobblerd_t SELinux type can be entered via the "cobblerd_exec_t" file type. The default entrypoint paths for the cobblerd_t domain are the following:"
++
++/usr/bin/cobblerd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cobblerd policy is very flexible allowing users to setup their cobblerd processes in as secure a method as possible.
++.PP
++The following process types are defined for cobblerd:
++
++.EX
++.B cobblerd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. cobblerd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cobblerd with the tightest access possible.
++
++
++.PP
++If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean.
++
++.EX
++.B setsebool -P cobbler_use_nfs 1
++.EE
++
++.PP
++If you want to allow Cobbler to connect to the network using TCP, you must turn on the cobbler_can_network_connect boolean.
++
++.EX
++.B setsebool -P cobbler_can_network_connect 1
++.EE
++
++.PP
++If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean.
++
++.EX
++.B setsebool -P httpd_can_network_connect_cobbler 1
++.EE
++
++.PP
++If you want to allow Cobbler to access cifs file systems, you must turn on the cobbler_use_cifs boolean.
++
++.EX
++.B setsebool -P cobbler_use_cifs 1
++.EE
++
++.PP
++If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean.
++
++.EX
++.B setsebool -P cobbler_use_nfs 1
++.EE
++
++.PP
++If you want to allow Cobbler to connect to the network using TCP, you must turn on the cobbler_can_network_connect boolean.
++
++.EX
++.B setsebool -P cobbler_can_network_connect 1
++.EE
++
++.PP
++If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean.
++
++.EX
++.B setsebool -P httpd_can_network_connect_cobbler 1
++.EE
++
++.PP
++If you want to allow Cobbler to access cifs file systems, you must turn on the cobbler_use_cifs boolean.
++
++.EX
++.B setsebool -P cobbler_use_cifs 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow cobblerd servers to read the /var/cobblerd directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/cobblerd(/.*)?"
++.br
++.B restorecon -F -R -v /var/cobblerd
++.pp
++.TP
++Allow cobblerd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_cobblerdd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/cobblerd/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/cobblerd/incoming
++
++
++.PP
++If you want to allow Cobbler to modify public files used for public file transfer services., you must turn on the cobbler_anon_write boolean.
++
++.EX
++.B setsebool -P cobbler_anon_write 1
++.EE
++
++.PP
++If you want to allow Cobbler to modify public files used for public file transfer services., you must turn on the cobbler_anon_write boolean.
++
++.EX
++.B setsebool -P cobbler_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cobblerd policy is very flexible allowing users to setup their cobblerd processes in as secure a method as possible.
++.PP
++The following file types are defined for cobblerd:
++
++
++.EX
++.PP
++.B cobblerd_exec_t
++.EE
++
++- Set files with the cobblerd_exec_t type, if you want to transition an executable to the cobblerd_t domain.
++
++
++.EX
++.PP
++.B cobblerd_initrc_exec_t
++.EE
++
++- Set files with the cobblerd_initrc_exec_t type, if you want to transition an executable to the cobblerd_initrc_t domain.
++
++
++.EX
++.PP
++.B cobblerd_unit_file_t
++.EE
++
++- Set files with the cobblerd_unit_file_t type, if you want to treat the files as cobblerd unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux cobblerd policy is very flexible allowing users to setup their cobblerd processes in as secure a method as possible.
++.PP
++The following port types are defined for cobblerd:
++
++.EX
++.TP 5
++.B cobbler_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 25151
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type cobblerd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cobbler_tmp_t
++
++
++.br
++.B cobbler_var_lib_t
++
++ /var/lib/cobbler(/.*)?
++.br
++ /var/www/cobbler/pub(/.*)?
++.br
++ /var/lib/tftpboot/etc(/.*)?
++.br
++ /var/lib/tftpboot/ppc(/.*)?
++.br
++ /var/lib/tftpboot/grub(/.*)?
++.br
++ /var/www/cobbler/links(/.*)?
++.br
++ /var/lib/tftpboot/s390x(/.*)?
++.br
++ /var/www/cobbler/images(/.*)?
++.br
++ /var/lib/tftpboot/images(/.*)?
++.br
++ /var/www/cobbler/rendered(/.*)?
++.br
++ /var/www/cobbler/ks_mirror(/.*)?
++.br
++ /var/www/cobbler/localmirror(/.*)?
++.br
++ /var/www/cobbler/repo_mirror(/.*)?
++.br
++ /var/lib/tftpboot/pxelinux\.cfg(/.*)?
++.br
++ /var/lib/tftpboot/yaboot
++.br
++ /var/lib/tftpboot/memdisk
++.br
++ /var/lib/tftpboot/menu\.c32
++.br
++ /var/lib/tftpboot/pxelinux\.0
++.br
++
++.br
++.B cobbler_var_log_t
++
++ /var/log/cobbler(/.*)?
++.br
++
++.br
++.B dhcp_etc_t
++
++ /etc/dhcpc.*
++.br
++ /etc/dhcp3(/.*)?
++.br
++ /etc/dhcpd(6)?\.conf
++.br
++ /etc/dhcp3?/dhclient.*
++.br
++ /etc/dhclient.*conf
++.br
++ /etc/dhcp/dhcpd(6)?\.conf
++.br
++ /etc/dhclient-script
++.br
++
++.br
++.B dnsmasq_etc_t
++
++ /etc/dnsmasq\.conf
++.br
++
++.br
++.B httpd_cobbler_rw_content_t
++
++
++.br
++.B named_conf_t
++
++ /etc/rndc.*
++.br
++ /etc/unbound(/.*)?
++.br
++ /var/named/chroot(/.*)?
++.br
++ /etc/named\.rfc1912.zones
++.br
++ /var/named/chroot/etc/named\.rfc1912.zones
++.br
++ /etc/named\.conf
++.br
++ /var/named/named\.ca
++.br
++ /etc/named\.root\.hints
++.br
++ /var/named/chroot/etc/named\.conf
++.br
++ /etc/named\.caching-nameserver\.conf
++.br
++ /var/named/chroot/var/named/named\.ca
++.br
++ /var/named/chroot/etc/named\.root\.hints
++.br
++ /var/named/chroot/etc/named\.caching-nameserver\.conf
++.br
++
++.br
++.B named_zone_t
++
++ /var/named(/.*)?
++.br
++ /var/named/chroot/var/named(/.*)?
++.br
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.br
++.B rsync_etc_t
++
++ /etc/rsyncd\.conf
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B tftpd_etc_t
++
++ /etc/xinetd\.d/tftp
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cobblerd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/collectd_selinux.8 b/man/man8/collectd_selinux.8
+new file mode 100644
+index 0000000..8593a45
+--- /dev/null
++++ b/man/man8/collectd_selinux.8
+@@ -0,0 +1,156 @@
++.TH "collectd_selinux" "8" "12-11-01" "collectd" "SELinux Policy documentation for collectd"
++.SH "NAME"
++collectd_selinux \- Security Enhanced Linux Policy for the collectd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the collectd processes via flexible mandatory access control.
++
++The collectd processes execute with the collectd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep collectd_t
++
++
++.SH "ENTRYPOINTS"
++
++The collectd_t SELinux type can be entered via the "collectd_exec_t" file type. The default entrypoint paths for the collectd_t domain are the following:"
++
++/usr/sbin/collectd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux collectd policy is very flexible allowing users to setup their collectd processes in as secure a method as possible.
++.PP
++The following process types are defined for collectd:
++
++.EX
++.B collectd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. collectd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run collectd with the tightest access possible.
++
++
++.PP
++If you want to allow collectd to connect to the network using TCP, you must turn on the collectd_can_network_connect boolean.
++
++.EX
++.B setsebool -P collectd_can_network_connect 1
++.EE
++
++.PP
++If you want to allow collectd to connect to the network using TCP, you must turn on the collectd_can_network_connect boolean.
++
++.EX
++.B setsebool -P collectd_can_network_connect 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux collectd policy is very flexible allowing users to setup their collectd processes in as secure a method as possible.
++.PP
++The following file types are defined for collectd:
++
++
++.EX
++.PP
++.B collectd_exec_t
++.EE
++
++- Set files with the collectd_exec_t type, if you want to transition an executable to the collectd_t domain.
++
++
++.EX
++.PP
++.B collectd_initrc_exec_t
++.EE
++
++- Set files with the collectd_initrc_exec_t type, if you want to transition an executable to the collectd_initrc_t domain.
++
++
++.EX
++.PP
++.B collectd_unit_file_t
++.EE
++
++- Set files with the collectd_unit_file_t type, if you want to treat the files as collectd unit content.
++
++
++.EX
++.PP
++.B collectd_var_lib_t
++.EE
++
++- Set files with the collectd_var_lib_t type, if you want to store the collectd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B collectd_var_run_t
++.EE
++
++- Set files with the collectd_var_run_t type, if you want to store the collectd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type collectd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B collectd_var_lib_t
++
++ /var/lib/collectd(/.*)?
++.br
++
++.br
++.B collectd_var_run_t
++
++ /var/run/collectd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), collectd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/colord_selinux.8 b/man/man8/colord_selinux.8
+new file mode 100644
+index 0000000..5f598b7
+--- /dev/null
++++ b/man/man8/colord_selinux.8
+@@ -0,0 +1,164 @@
++.TH "colord_selinux" "8" "12-11-01" "colord" "SELinux Policy documentation for colord"
++.SH "NAME"
++colord_selinux \- Security Enhanced Linux Policy for the colord processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the colord processes via flexible mandatory access control.
++
++The colord processes execute with the colord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep colord_t
++
++
++.SH "ENTRYPOINTS"
++
++The colord_t SELinux type can be entered via the "colord_exec_t" file type. The default entrypoint paths for the colord_t domain are the following:"
++
++/usr/libexec/colord, /usr/libexec/colord-sane
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux colord policy is very flexible allowing users to setup their colord processes in as secure a method as possible.
++.PP
++The following process types are defined for colord:
++
++.EX
++.B colord_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux colord policy is very flexible allowing users to setup their colord processes in as secure a method as possible.
++.PP
++The following file types are defined for colord:
++
++
++.EX
++.PP
++.B colord_exec_t
++.EE
++
++- Set files with the colord_exec_t type, if you want to transition an executable to the colord_t domain.
++
++
++.EX
++.PP
++.B colord_tmp_t
++.EE
++
++- Set files with the colord_tmp_t type, if you want to store colord temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B colord_tmpfs_t
++.EE
++
++- Set files with the colord_tmpfs_t type, if you want to store colord files on a tmpfs file system.
++
++
++.EX
++.PP
++.B colord_unit_file_t
++.EE
++
++- Set files with the colord_unit_file_t type, if you want to treat the files as colord unit content.
++
++
++.EX
++.PP
++.B colord_var_lib_t
++.EE
++
++- Set files with the colord_var_lib_t type, if you want to store the colord files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type colord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B colord_tmp_t
++
++
++.br
++.B colord_tmpfs_t
++
++
++.br
++.B colord_var_lib_t
++
++ /var/lib/color(/.*)?
++.br
++ /var/lib/colord(/.*)?
++.br
++
++.br
++.B user_tmpfs_t
++
++ /dev/shm/mono.*
++.br
++ /dev/shm/pulse-shm.*
++.br
++
++.br
++.B zoneminder_tmpfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the colord_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the colord_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), colord(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/comsat_selinux.8 b/man/man8/comsat_selinux.8
+new file mode 100644
+index 0000000..1301fea
+--- /dev/null
++++ b/man/man8/comsat_selinux.8
+@@ -0,0 +1,154 @@
++.TH "comsat_selinux" "8" "12-11-01" "comsat" "SELinux Policy documentation for comsat"
++.SH "NAME"
++comsat_selinux \- Security Enhanced Linux Policy for the comsat processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the comsat processes via flexible mandatory access control.
++
++The comsat processes execute with the comsat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep comsat_t
++
++
++.SH "ENTRYPOINTS"
++
++The comsat_t SELinux type can be entered via the "comsat_exec_t" file type. The default entrypoint paths for the comsat_t domain are the following:"
++
++/usr/sbin/in\.comsat
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux comsat policy is very flexible allowing users to setup their comsat processes in as secure a method as possible.
++.PP
++The following process types are defined for comsat:
++
++.EX
++.B comsat_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux comsat policy is very flexible allowing users to setup their comsat processes in as secure a method as possible.
++.PP
++The following file types are defined for comsat:
++
++
++.EX
++.PP
++.B comsat_exec_t
++.EE
++
++- Set files with the comsat_exec_t type, if you want to transition an executable to the comsat_t domain.
++
++
++.EX
++.PP
++.B comsat_tmp_t
++.EE
++
++- Set files with the comsat_tmp_t type, if you want to store comsat temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B comsat_var_run_t
++.EE
++
++- Set files with the comsat_var_run_t type, if you want to store the comsat files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux comsat policy is very flexible allowing users to setup their comsat processes in as secure a method as possible.
++.PP
++The following port types are defined for comsat:
++
++.EX
++.TP 5
++.B comsat_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 512
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type comsat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B comsat_tmp_t
++
++
++.br
++.B comsat_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the comsat_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the comsat_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), comsat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/condor_collector_selinux.8 b/man/man8/condor_collector_selinux.8
+new file mode 100644
+index 0000000..7b32989
+--- /dev/null
++++ b/man/man8/condor_collector_selinux.8
+@@ -0,0 +1,133 @@
++.TH "condor_collector_selinux" "8" "12-11-01" "condor_collector" "SELinux Policy documentation for condor_collector"
++.SH "NAME"
++condor_collector_selinux \- Security Enhanced Linux Policy for the condor_collector processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the condor_collector processes via flexible mandatory access control.
++
++The condor_collector processes execute with the condor_collector_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep condor_collector_t
++
++
++.SH "ENTRYPOINTS"
++
++The condor_collector_t SELinux type can be entered via the "condor_collector_exec_t" file type. The default entrypoint paths for the condor_collector_t domain are the following:"
++
++/usr/sbin/condor_collector
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux condor_collector policy is very flexible allowing users to setup their condor_collector processes in as secure a method as possible.
++.PP
++The following process types are defined for condor_collector:
++
++.EX
++.B condor_collector_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux condor_collector policy is very flexible allowing users to setup their condor_collector processes in as secure a method as possible.
++.PP
++The following file types are defined for condor_collector:
++
++
++.EX
++.PP
++.B condor_collector_exec_t
++.EE
++
++- Set files with the condor_collector_exec_t type, if you want to transition an executable to the condor_collector_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type condor_collector_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B condor_log_t
++
++ /var/log/condor(/.*)?
++.br
++
++.br
++.B condor_var_lib_t
++
++ /var/lib/condor(/.*)?
++.br
++ /var/lib/condor/spool(/.*)?
++.br
++ /var/lib/condor/execute(/.*)?
++.br
++
++.br
++.B condor_var_lock_t
++
++ /var/lock/condor(/.*)?
++.br
++
++.br
++.B condor_var_run_t
++
++ /var/run/condor(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_collector_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the condor_collector_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), condor_collector(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/condor_master_selinux.8 b/man/man8/condor_master_selinux.8
+new file mode 100644
+index 0000000..fa4e2d5
+--- /dev/null
++++ b/man/man8/condor_master_selinux.8
+@@ -0,0 +1,119 @@
++.TH "condor_master_selinux" "8" "12-11-01" "condor_master" "SELinux Policy documentation for condor_master"
++.SH "NAME"
++condor_master_selinux \- Security Enhanced Linux Policy for the condor_master processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the condor_master processes via flexible mandatory access control.
++
++The condor_master processes execute with the condor_master_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep condor_master_t
++
++
++.SH "ENTRYPOINTS"
++
++The condor_master_t SELinux type can be entered via the "condor_master_exec_t" file type. The default entrypoint paths for the condor_master_t domain are the following:"
++
++/usr/sbin/condor_master
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux condor_master policy is very flexible allowing users to setup their condor_master processes in as secure a method as possible.
++.PP
++The following process types are defined for condor_master:
++
++.EX
++.B condor_master_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux condor_master policy is very flexible allowing users to setup their condor_master processes in as secure a method as possible.
++.PP
++The following file types are defined for condor_master:
++
++
++.EX
++.PP
++.B condor_master_exec_t
++.EE
++
++- Set files with the condor_master_exec_t type, if you want to transition an executable to the condor_master_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type condor_master_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B condor_log_t
++
++ /var/log/condor(/.*)?
++.br
++
++.br
++.B condor_var_lib_t
++
++ /var/lib/condor(/.*)?
++.br
++ /var/lib/condor/spool(/.*)?
++.br
++ /var/lib/condor/execute(/.*)?
++.br
++
++.br
++.B condor_var_lock_t
++
++ /var/lock/condor(/.*)?
++.br
++
++.br
++.B condor_var_run_t
++
++ /var/run/condor(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), condor_master(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, condor_collector_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/condor_negotiator_selinux.8 b/man/man8/condor_negotiator_selinux.8
+new file mode 100644
+index 0000000..9116018
+--- /dev/null
++++ b/man/man8/condor_negotiator_selinux.8
+@@ -0,0 +1,133 @@
++.TH "condor_negotiator_selinux" "8" "12-11-01" "condor_negotiator" "SELinux Policy documentation for condor_negotiator"
++.SH "NAME"
++condor_negotiator_selinux \- Security Enhanced Linux Policy for the condor_negotiator processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the condor_negotiator processes via flexible mandatory access control.
++
++The condor_negotiator processes execute with the condor_negotiator_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep condor_negotiator_t
++
++
++.SH "ENTRYPOINTS"
++
++The condor_negotiator_t SELinux type can be entered via the "condor_negotiator_exec_t" file type. The default entrypoint paths for the condor_negotiator_t domain are the following:"
++
++/usr/sbin/condor_negotiator
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux condor_negotiator policy is very flexible allowing users to setup their condor_negotiator processes in as secure a method as possible.
++.PP
++The following process types are defined for condor_negotiator:
++
++.EX
++.B condor_negotiator_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux condor_negotiator policy is very flexible allowing users to setup their condor_negotiator processes in as secure a method as possible.
++.PP
++The following file types are defined for condor_negotiator:
++
++
++.EX
++.PP
++.B condor_negotiator_exec_t
++.EE
++
++- Set files with the condor_negotiator_exec_t type, if you want to transition an executable to the condor_negotiator_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type condor_negotiator_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B condor_log_t
++
++ /var/log/condor(/.*)?
++.br
++
++.br
++.B condor_var_lib_t
++
++ /var/lib/condor(/.*)?
++.br
++ /var/lib/condor/spool(/.*)?
++.br
++ /var/lib/condor/execute(/.*)?
++.br
++
++.br
++.B condor_var_lock_t
++
++ /var/lock/condor(/.*)?
++.br
++
++.br
++.B condor_var_run_t
++
++ /var/run/condor(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_negotiator_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the condor_negotiator_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), condor_negotiator(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, condor_collector_selinux(8), condor_master_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/condor_procd_selinux.8 b/man/man8/condor_procd_selinux.8
+new file mode 100644
+index 0000000..d3e5176
+--- /dev/null
++++ b/man/man8/condor_procd_selinux.8
+@@ -0,0 +1,133 @@
++.TH "condor_procd_selinux" "8" "12-11-01" "condor_procd" "SELinux Policy documentation for condor_procd"
++.SH "NAME"
++condor_procd_selinux \- Security Enhanced Linux Policy for the condor_procd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the condor_procd processes via flexible mandatory access control.
++
++The condor_procd processes execute with the condor_procd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep condor_procd_t
++
++
++.SH "ENTRYPOINTS"
++
++The condor_procd_t SELinux type can be entered via the "condor_procd_exec_t" file type. The default entrypoint paths for the condor_procd_t domain are the following:"
++
++/usr/sbin/condor_procd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux condor_procd policy is very flexible allowing users to setup their condor_procd processes in as secure a method as possible.
++.PP
++The following process types are defined for condor_procd:
++
++.EX
++.B condor_procd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux condor_procd policy is very flexible allowing users to setup their condor_procd processes in as secure a method as possible.
++.PP
++The following file types are defined for condor_procd:
++
++
++.EX
++.PP
++.B condor_procd_exec_t
++.EE
++
++- Set files with the condor_procd_exec_t type, if you want to transition an executable to the condor_procd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type condor_procd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B condor_log_t
++
++ /var/log/condor(/.*)?
++.br
++
++.br
++.B condor_var_lib_t
++
++ /var/lib/condor(/.*)?
++.br
++ /var/lib/condor/spool(/.*)?
++.br
++ /var/lib/condor/execute(/.*)?
++.br
++
++.br
++.B condor_var_lock_t
++
++ /var/lock/condor(/.*)?
++.br
++
++.br
++.B condor_var_run_t
++
++ /var/run/condor(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_procd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the condor_procd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), condor_procd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/condor_schedd_selinux.8 b/man/man8/condor_schedd_selinux.8
+new file mode 100644
+index 0000000..4b28875
+--- /dev/null
++++ b/man/man8/condor_schedd_selinux.8
+@@ -0,0 +1,145 @@
++.TH "condor_schedd_selinux" "8" "12-11-01" "condor_schedd" "SELinux Policy documentation for condor_schedd"
++.SH "NAME"
++condor_schedd_selinux \- Security Enhanced Linux Policy for the condor_schedd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the condor_schedd processes via flexible mandatory access control.
++
++The condor_schedd processes execute with the condor_schedd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep condor_schedd_t
++
++
++.SH "ENTRYPOINTS"
++
++The condor_schedd_t SELinux type can be entered via the "condor_schedd_exec_t" file type. The default entrypoint paths for the condor_schedd_t domain are the following:"
++
++/usr/sbin/condor_schedd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux condor_schedd policy is very flexible allowing users to setup their condor_schedd processes in as secure a method as possible.
++.PP
++The following process types are defined for condor_schedd:
++
++.EX
++.B condor_schedd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux condor_schedd policy is very flexible allowing users to setup their condor_schedd processes in as secure a method as possible.
++.PP
++The following file types are defined for condor_schedd:
++
++
++.EX
++.PP
++.B condor_schedd_exec_t
++.EE
++
++- Set files with the condor_schedd_exec_t type, if you want to transition an executable to the condor_schedd_t domain.
++
++
++.EX
++.PP
++.B condor_schedd_tmp_t
++.EE
++
++- Set files with the condor_schedd_tmp_t type, if you want to store condor schedd temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type condor_schedd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B condor_log_t
++
++ /var/log/condor(/.*)?
++.br
++
++.br
++.B condor_schedd_tmp_t
++
++
++.br
++.B condor_var_lib_t
++
++ /var/lib/condor(/.*)?
++.br
++ /var/lib/condor/spool(/.*)?
++.br
++ /var/lib/condor/execute(/.*)?
++.br
++
++.br
++.B condor_var_lock_t
++
++ /var/lock/condor(/.*)?
++.br
++
++.br
++.B condor_var_run_t
++
++ /var/run/condor(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_schedd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the condor_schedd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), condor_schedd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_startd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/condor_startd_selinux.8 b/man/man8/condor_startd_selinux.8
+new file mode 100644
+index 0000000..0413677
+--- /dev/null
++++ b/man/man8/condor_startd_selinux.8
+@@ -0,0 +1,189 @@
++.TH "condor_startd_selinux" "8" "12-11-01" "condor_startd" "SELinux Policy documentation for condor_startd"
++.SH "NAME"
++condor_startd_selinux \- Security Enhanced Linux Policy for the condor_startd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the condor_startd processes via flexible mandatory access control.
++
++The condor_startd processes execute with the condor_startd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep condor_startd_t
++
++
++.SH "ENTRYPOINTS"
++
++The condor_startd_t SELinux type can be entered via the "condor_startd_exec_t" file type. The default entrypoint paths for the condor_startd_t domain are the following:"
++
++/usr/sbin/condor_startd, /usr/sbin/condor_starter
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux condor_startd policy is very flexible allowing users to setup their condor_startd processes in as secure a method as possible.
++.PP
++The following process types are defined for condor_startd:
++
++.EX
++.B condor_startd_ssh_t, condor_startd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux condor_startd policy is very flexible allowing users to setup their condor_startd processes in as secure a method as possible.
++.PP
++The following file types are defined for condor_startd:
++
++
++.EX
++.PP
++.B condor_startd_exec_t
++.EE
++
++- Set files with the condor_startd_exec_t type, if you want to transition an executable to the condor_startd_t domain.
++
++
++.EX
++.PP
++.B condor_startd_tmp_t
++.EE
++
++- Set files with the condor_startd_tmp_t type, if you want to store condor startd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B condor_startd_tmpfs_t
++.EE
++
++- Set files with the condor_startd_tmpfs_t type, if you want to store condor startd files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type condor_startd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B condor_log_t
++
++ /var/log/condor(/.*)?
++.br
++
++.br
++.B condor_startd_tmp_t
++
++
++.br
++.B condor_startd_tmpfs_t
++
++
++.br
++.B condor_var_lib_t
++
++ /var/lib/condor(/.*)?
++.br
++ /var/lib/condor/spool(/.*)?
++.br
++ /var/lib/condor/execute(/.*)?
++.br
++
++.br
++.B condor_var_lock_t
++
++ /var/lock/condor(/.*)?
++.br
++
++.br
++.B condor_var_run_t
++
++ /var/run/condor(/.*)?
++.br
++
++.br
++.B ssh_home_t
++
++ /root/\.ssh(/.*)?
++.br
++ /var/lib/openshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/amanda/\.ssh(/.*)?
++.br
++ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/gitolite/\.ssh(/.*)?
++.br
++ /var/lib/nocpulse/\.ssh(/.*)?
++.br
++ /var/lib/gitolite3/\.ssh(/.*)?
++.br
++ /root/\.shosts
++.br
++ /home/[^/]*/\.ssh(/.*)?
++.br
++ /home/[^/]*/\.shosts
++.br
++ /home/dwalsh/\.ssh(/.*)?
++.br
++ /home/dwalsh/\.shosts
++.br
++ /var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.shosts
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_startd_t, condor_startd_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the condor_startd_t, condor_startd_ssh_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), condor_startd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/consolekit_selinux.8 b/man/man8/consolekit_selinux.8
+new file mode 100644
+index 0000000..5721e3a
+--- /dev/null
++++ b/man/man8/consolekit_selinux.8
+@@ -0,0 +1,212 @@
++.TH "consolekit_selinux" "8" "12-11-01" "consolekit" "SELinux Policy documentation for consolekit"
++.SH "NAME"
++consolekit_selinux \- Security Enhanced Linux Policy for the consolekit processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the consolekit processes via flexible mandatory access control.
++
++The consolekit processes execute with the consolekit_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep consolekit_t
++
++
++.SH "ENTRYPOINTS"
++
++The consolekit_t SELinux type can be entered via the "consolekit_exec_t" file type. The default entrypoint paths for the consolekit_t domain are the following:"
++
++/usr/sbin/console-kit-daemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux consolekit policy is very flexible allowing users to setup their consolekit processes in as secure a method as possible.
++.PP
++The following process types are defined for consolekit:
++
++.EX
++.B consolekit_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux consolekit policy is very flexible allowing users to setup their consolekit processes in as secure a method as possible.
++.PP
++The following file types are defined for consolekit:
++
++
++.EX
++.PP
++.B consolekit_exec_t
++.EE
++
++- Set files with the consolekit_exec_t type, if you want to transition an executable to the consolekit_t domain.
++
++
++.EX
++.PP
++.B consolekit_log_t
++.EE
++
++- Set files with the consolekit_log_t type, if you want to treat the data as consolekit log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B consolekit_tmpfs_t
++.EE
++
++- Set files with the consolekit_tmpfs_t type, if you want to store consolekit files on a tmpfs file system.
++
++
++.EX
++.PP
++.B consolekit_unit_file_t
++.EE
++
++- Set files with the consolekit_unit_file_t type, if you want to treat the files as consolekit unit content.
++
++
++.EX
++.PP
++.B consolekit_var_run_t
++.EE
++
++- Set files with the consolekit_var_run_t type, if you want to store the consolekit files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type consolekit_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B consolekit_log_t
++
++ /var/log/ConsoleKit(/.*)?
++.br
++
++.br
++.B consolekit_var_run_t
++
++ /var/run/ConsoleKit(/.*)?
++.br
++ /var/run/consolekit\.pid
++.br
++ /var/run/console-kit-daemon\.pid
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B pam_var_console_t
++
++ /var/run/console(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the consolekit_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the consolekit_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), consolekit(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/consoletype_selinux.8 b/man/man8/consoletype_selinux.8
+new file mode 100644
+index 0000000..aa2a4e4
+--- /dev/null
++++ b/man/man8/consoletype_selinux.8
+@@ -0,0 +1,94 @@
++.TH "consoletype_selinux" "8" "12-11-01" "consoletype" "SELinux Policy documentation for consoletype"
++.SH "NAME"
++consoletype_selinux \- Security Enhanced Linux Policy for the consoletype processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the consoletype processes via flexible mandatory access control.
++
++The consoletype processes execute with the consoletype_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep consoletype_t
++
++
++.SH "ENTRYPOINTS"
++
++The consoletype_t SELinux type can be entered via the "consoletype_exec_t" file type. The default entrypoint paths for the consoletype_t domain are the following:"
++
++/sbin/consoletype, /usr/sbin/consoletype
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux consoletype policy is very flexible allowing users to setup their consoletype processes in as secure a method as possible.
++.PP
++The following process types are defined for consoletype:
++
++.EX
++.B consoletype_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux consoletype policy is very flexible allowing users to setup their consoletype processes in as secure a method as possible.
++.PP
++The following file types are defined for consoletype:
++
++
++.EX
++.PP
++.B consoletype_exec_t
++.EE
++
++- Set files with the consoletype_exec_t type, if you want to transition an executable to the consoletype_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type consoletype_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), consoletype(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/corosync_selinux.8 b/man/man8/corosync_selinux.8
+new file mode 100644
+index 0000000..9f327ae
+--- /dev/null
++++ b/man/man8/corosync_selinux.8
+@@ -0,0 +1,270 @@
++.TH "corosync_selinux" "8" "12-11-01" "corosync" "SELinux Policy documentation for corosync"
++.SH "NAME"
++corosync_selinux \- Security Enhanced Linux Policy for the corosync processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the corosync processes via flexible mandatory access control.
++
++The corosync processes execute with the corosync_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep corosync_t
++
++
++.SH "ENTRYPOINTS"
++
++The corosync_t SELinux type can be entered via the "corosync_exec_t" file type. The default entrypoint paths for the corosync_t domain are the following:"
++
++/usr/sbin/corosync, /usr/sbin/ccs_tool, /usr/sbin/cman_tool, /usr/sbin/corosync-notifyd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux corosync policy is very flexible allowing users to setup their corosync processes in as secure a method as possible.
++.PP
++The following process types are defined for corosync:
++
++.EX
++.B corosync_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux corosync policy is very flexible allowing users to setup their corosync processes in as secure a method as possible.
++.PP
++The following file types are defined for corosync:
++
++
++.EX
++.PP
++.B corosync_exec_t
++.EE
++
++- Set files with the corosync_exec_t type, if you want to transition an executable to the corosync_t domain.
++
++
++.EX
++.PP
++.B corosync_initrc_exec_t
++.EE
++
++- Set files with the corosync_initrc_exec_t type, if you want to transition an executable to the corosync_initrc_t domain.
++
++
++.EX
++.PP
++.B corosync_tmp_t
++.EE
++
++- Set files with the corosync_tmp_t type, if you want to store corosync temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B corosync_tmpfs_t
++.EE
++
++- Set files with the corosync_tmpfs_t type, if you want to store corosync files on a tmpfs file system.
++
++
++.EX
++.PP
++.B corosync_unit_file_t
++.EE
++
++- Set files with the corosync_unit_file_t type, if you want to treat the files as corosync unit content.
++
++
++.EX
++.PP
++.B corosync_var_lib_t
++.EE
++
++- Set files with the corosync_var_lib_t type, if you want to store the corosync files under the /var/lib directory.
++
++
++.EX
++.PP
++.B corosync_var_log_t
++.EE
++
++- Set files with the corosync_var_log_t type, if you want to treat the data as corosync var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B corosync_var_run_t
++.EE
++
++- Set files with the corosync_var_run_t type, if you want to store the corosync files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type corosync_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cluster_tmpfs
++
++
++.br
++.B cluster_var_lib_t
++
++ /var/lib/cluster(/.*)?
++.br
++
++.br
++.B clvmd_tmpfs_t
++
++
++.br
++.B cmirrord_tmpfs_t
++
++
++.br
++.B corosync_tmp_t
++
++
++.br
++.B corosync_tmpfs_t
++
++
++.br
++.B corosync_var_lib_t
++
++ /var/lib/corosync(/.*)?
++.br
++
++.br
++.B corosync_var_log_t
++
++ /var/log/cluster/corosync\.log.*
++.br
++
++.br
++.B corosync_var_run_t
++
++ /var/run/cman_.*
++.br
++ /var/run/rsctmp(/.*)?
++.br
++ /var/run/corosync\.pid
++.br
++
++.br
++.B initrc_state_t
++
++
++.br
++.B initrc_tmp_t
++
++
++.br
++.B qpidd_tmpfs_t
++
++
++.br
++.B rgmanager_tmpfs_t
++
++
++.br
++.B rgmanager_var_lib_t
++
++ /usr/lib(64)?/heartbeat(/.*)?
++.br
++ /var/lib/heartbeat(/.*)?
++.br
++
++.br
++.B rgmanager_var_run_t
++
++ /var/run/heartbeat(/.*)?
++.br
++ /var/run/cpglockd\.pid
++.br
++ /var/run/rgmanager\.pid
++.br
++ /var/run/cluster/rgmanager\.sk
++.br
++
++.br
++.B tmpfs_t
++
++ /dev/shm
++.br
++ /lib/udev/devices/shm
++.br
++ /usr/lib/udev/devices/shm
++.br
++
++.br
++.B user_tmpfs_t
++
++ /dev/shm/mono.*
++.br
++ /dev/shm/pulse-shm.*
++.br
++
++.br
++.B var_lib_t
++
++ /opt/(.*/)?var/lib(/.*)?
++.br
++ /var/lib(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the corosync_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the corosync_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), corosync(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/couchdb_selinux.8 b/man/man8/couchdb_selinux.8
+new file mode 100644
+index 0000000..c703391
+--- /dev/null
++++ b/man/man8/couchdb_selinux.8
+@@ -0,0 +1,202 @@
++.TH "couchdb_selinux" "8" "12-11-01" "couchdb" "SELinux Policy documentation for couchdb"
++.SH "NAME"
++couchdb_selinux \- Security Enhanced Linux Policy for the couchdb processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the couchdb processes via flexible mandatory access control.
++
++The couchdb processes execute with the couchdb_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep couchdb_t
++
++
++.SH "ENTRYPOINTS"
++
++The couchdb_t SELinux type can be entered via the "couchdb_exec_t" file type. The default entrypoint paths for the couchdb_t domain are the following:"
++
++/usr/bin/couchdb
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible.
++.PP
++The following process types are defined for couchdb:
++
++.EX
++.B couchdb_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible.
++.PP
++The following file types are defined for couchdb:
++
++
++.EX
++.PP
++.B couchdb_etc_t
++.EE
++
++- Set files with the couchdb_etc_t type, if you want to store couchdb files in the /etc directories.
++
++
++.EX
++.PP
++.B couchdb_exec_t
++.EE
++
++- Set files with the couchdb_exec_t type, if you want to transition an executable to the couchdb_t domain.
++
++
++.EX
++.PP
++.B couchdb_log_t
++.EE
++
++- Set files with the couchdb_log_t type, if you want to treat the data as couchdb log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B couchdb_tmp_t
++.EE
++
++- Set files with the couchdb_tmp_t type, if you want to store couchdb temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B couchdb_unit_file_t
++.EE
++
++- Set files with the couchdb_unit_file_t type, if you want to treat the files as couchdb unit content.
++
++
++.EX
++.PP
++.B couchdb_var_lib_t
++.EE
++
++- Set files with the couchdb_var_lib_t type, if you want to store the couchdb files under the /var/lib directory.
++
++
++.EX
++.PP
++.B couchdb_var_run_t
++.EE
++
++- Set files with the couchdb_var_run_t type, if you want to store the couchdb files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible.
++.PP
++The following port types are defined for couchdb:
++
++.EX
++.TP 5
++.B couchdb_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 5984
++.EE
++udp 5984
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type couchdb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B couchdb_log_t
++
++ /var/log/couchdb(/.*)?
++.br
++
++.br
++.B couchdb_tmp_t
++
++
++.br
++.B couchdb_var_lib_t
++
++ /var/lib/couchdb(/.*)?
++.br
++
++.br
++.B couchdb_var_run_t
++
++ /var/run/couchdb(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the couchdb_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the couchdb_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), couchdb(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/courier_authdaemon_selinux.8 b/man/man8/courier_authdaemon_selinux.8
+new file mode 100644
+index 0000000..f5cc833
+--- /dev/null
++++ b/man/man8/courier_authdaemon_selinux.8
+@@ -0,0 +1,137 @@
++.TH "courier_authdaemon_selinux" "8" "12-11-01" "courier_authdaemon" "SELinux Policy documentation for courier_authdaemon"
++.SH "NAME"
++courier_authdaemon_selinux \- Security Enhanced Linux Policy for the courier_authdaemon processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the courier_authdaemon processes via flexible mandatory access control.
++
++The courier_authdaemon processes execute with the courier_authdaemon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep courier_authdaemon_t
++
++
++.SH "ENTRYPOINTS"
++
++The courier_authdaemon_t SELinux type can be entered via the "courier_authdaemon_exec_t" file type. The default entrypoint paths for the courier_authdaemon_t domain are the following:"
++
++/usr/lib/courier/authlib/.*, /usr/sbin/authdaemond
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux courier_authdaemon policy is very flexible allowing users to setup their courier_authdaemon processes in as secure a method as possible.
++.PP
++The following process types are defined for courier_authdaemon:
++
++.EX
++.B courier_authdaemon_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux courier_authdaemon policy is very flexible allowing users to setup their courier_authdaemon processes in as secure a method as possible.
++.PP
++The following file types are defined for courier_authdaemon:
++
++
++.EX
++.PP
++.B courier_authdaemon_exec_t
++.EE
++
++- Set files with the courier_authdaemon_exec_t type, if you want to transition an executable to the courier_authdaemon_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type courier_authdaemon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B courier_var_run_t
++
++ /var/run/courier(/.*)?
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the courier_authdaemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the courier_authdaemon_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), courier_authdaemon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, courier_pcp_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/courier_pcp_selinux.8 b/man/man8/courier_pcp_selinux.8
+new file mode 100644
+index 0000000..526d096
+--- /dev/null
++++ b/man/man8/courier_pcp_selinux.8
+@@ -0,0 +1,97 @@
++.TH "courier_pcp_selinux" "8" "12-11-01" "courier_pcp" "SELinux Policy documentation for courier_pcp"
++.SH "NAME"
++courier_pcp_selinux \- Security Enhanced Linux Policy for the courier_pcp processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the courier_pcp processes via flexible mandatory access control.
++
++The courier_pcp processes execute with the courier_pcp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep courier_pcp_t
++
++
++.SH "ENTRYPOINTS"
++
++The courier_pcp_t SELinux type can be entered via the "courier_pcp_exec_t" file type. The default entrypoint paths for the courier_pcp_t domain are the following:"
++
++/usr/lib/courier/courier/pcpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux courier_pcp policy is very flexible allowing users to setup their courier_pcp processes in as secure a method as possible.
++.PP
++The following process types are defined for courier_pcp:
++
++.EX
++.B courier_pcp_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux courier_pcp policy is very flexible allowing users to setup their courier_pcp processes in as secure a method as possible.
++.PP
++The following file types are defined for courier_pcp:
++
++
++.EX
++.PP
++.B courier_pcp_exec_t
++.EE
++
++- Set files with the courier_pcp_exec_t type, if you want to transition an executable to the courier_pcp_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type courier_pcp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B courier_var_run_t
++
++ /var/run/courier(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), courier_pcp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, courier_authdaemon_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/courier_pop_selinux.8 b/man/man8/courier_pop_selinux.8
+new file mode 100644
+index 0000000..5652da7
+--- /dev/null
++++ b/man/man8/courier_pop_selinux.8
+@@ -0,0 +1,107 @@
++.TH "courier_pop_selinux" "8" "12-11-01" "courier_pop" "SELinux Policy documentation for courier_pop"
++.SH "NAME"
++courier_pop_selinux \- Security Enhanced Linux Policy for the courier_pop processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the courier_pop processes via flexible mandatory access control.
++
++The courier_pop processes execute with the courier_pop_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep courier_pop_t
++
++
++.SH "ENTRYPOINTS"
++
++The courier_pop_t SELinux type can be entered via the "courier_pop_exec_t" file type. The default entrypoint paths for the courier_pop_t domain are the following:"
++
++/usr/lib/courier/courier/courierpop.*, /usr/bin/imapd, /usr/lib/courier/imapd, /usr/lib/courier/pop3d, /usr/lib/courier/courier/imaplogin
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux courier_pop policy is very flexible allowing users to setup their courier_pop processes in as secure a method as possible.
++.PP
++The following process types are defined for courier_pop:
++
++.EX
++.B courier_pop_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux courier_pop policy is very flexible allowing users to setup their courier_pop processes in as secure a method as possible.
++.PP
++The following file types are defined for courier_pop:
++
++
++.EX
++.PP
++.B courier_pop_exec_t
++.EE
++
++- Set files with the courier_pop_exec_t type, if you want to transition an executable to the courier_pop_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type courier_pop_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B courier_var_run_t
++
++ /var/run/courier(/.*)?
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), courier_pop(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/courier_sqwebmail_selinux.8 b/man/man8/courier_sqwebmail_selinux.8
+new file mode 100644
+index 0000000..6151335
+--- /dev/null
++++ b/man/man8/courier_sqwebmail_selinux.8
+@@ -0,0 +1,97 @@
++.TH "courier_sqwebmail_selinux" "8" "12-11-01" "courier_sqwebmail" "SELinux Policy documentation for courier_sqwebmail"
++.SH "NAME"
++courier_sqwebmail_selinux \- Security Enhanced Linux Policy for the courier_sqwebmail processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the courier_sqwebmail processes via flexible mandatory access control.
++
++The courier_sqwebmail processes execute with the courier_sqwebmail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep courier_sqwebmail_t
++
++
++.SH "ENTRYPOINTS"
++
++The courier_sqwebmail_t SELinux type can be entered via the "courier_sqwebmail_exec_t" file type. The default entrypoint paths for the courier_sqwebmail_t domain are the following:"
++
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux courier_sqwebmail policy is very flexible allowing users to setup their courier_sqwebmail processes in as secure a method as possible.
++.PP
++The following process types are defined for courier_sqwebmail:
++
++.EX
++.B courier_sqwebmail_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux courier_sqwebmail policy is very flexible allowing users to setup their courier_sqwebmail processes in as secure a method as possible.
++.PP
++The following file types are defined for courier_sqwebmail:
++
++
++.EX
++.PP
++.B courier_sqwebmail_exec_t
++.EE
++
++- Set files with the courier_sqwebmail_exec_t type, if you want to transition an executable to the courier_sqwebmail_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type courier_sqwebmail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B courier_var_run_t
++
++ /var/run/courier(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), courier_sqwebmail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_pop_selinux(8), courier_tcpd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/courier_tcpd_selinux.8 b/man/man8/courier_tcpd_selinux.8
+new file mode 100644
+index 0000000..6794aff
+--- /dev/null
++++ b/man/man8/courier_tcpd_selinux.8
+@@ -0,0 +1,105 @@
++.TH "courier_tcpd_selinux" "8" "12-11-01" "courier_tcpd" "SELinux Policy documentation for courier_tcpd"
++.SH "NAME"
++courier_tcpd_selinux \- Security Enhanced Linux Policy for the courier_tcpd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the courier_tcpd processes via flexible mandatory access control.
++
++The courier_tcpd processes execute with the courier_tcpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep courier_tcpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The courier_tcpd_t SELinux type can be entered via the "courier_tcpd_exec_t" file type. The default entrypoint paths for the courier_tcpd_t domain are the following:"
++
++/usr/sbin/couriertcpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux courier_tcpd policy is very flexible allowing users to setup their courier_tcpd processes in as secure a method as possible.
++.PP
++The following process types are defined for courier_tcpd:
++
++.EX
++.B courier_tcpd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux courier_tcpd policy is very flexible allowing users to setup their courier_tcpd processes in as secure a method as possible.
++.PP
++The following file types are defined for courier_tcpd:
++
++
++.EX
++.PP
++.B courier_tcpd_exec_t
++.EE
++
++- Set files with the courier_tcpd_exec_t type, if you want to transition an executable to the courier_tcpd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type courier_tcpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B courier_var_lib_t
++
++ /var/lib/courier(/.*)?
++.br
++ /var/lib/courier-imap(/.*)?
++.br
++
++.br
++.B courier_var_run_t
++
++ /var/run/courier(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), courier_tcpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/cpucontrol_selinux.8 b/man/man8/cpucontrol_selinux.8
+new file mode 100644
+index 0000000..f81f173
+--- /dev/null
++++ b/man/man8/cpucontrol_selinux.8
+@@ -0,0 +1,94 @@
++.TH "cpucontrol_selinux" "8" "12-11-01" "cpucontrol" "SELinux Policy documentation for cpucontrol"
++.SH "NAME"
++cpucontrol_selinux \- Security Enhanced Linux Policy for the cpucontrol processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cpucontrol processes via flexible mandatory access control.
++
++The cpucontrol processes execute with the cpucontrol_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cpucontrol_t
++
++
++.SH "ENTRYPOINTS"
++
++The cpucontrol_t SELinux type can be entered via the "cpucontrol_exec_t" file type. The default entrypoint paths for the cpucontrol_t domain are the following:"
++
++/sbin/microcode_ctl, /usr/sbin/microcode_ctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cpucontrol policy is very flexible allowing users to setup their cpucontrol processes in as secure a method as possible.
++.PP
++The following process types are defined for cpucontrol:
++
++.EX
++.B cpucontrol_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cpucontrol policy is very flexible allowing users to setup their cpucontrol processes in as secure a method as possible.
++.PP
++The following file types are defined for cpucontrol:
++
++
++.EX
++.PP
++.B cpucontrol_conf_t
++.EE
++
++- Set files with the cpucontrol_conf_t type, if you want to treat the files as cpucontrol configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B cpucontrol_exec_t
++.EE
++
++- Set files with the cpucontrol_exec_t type, if you want to transition an executable to the cpucontrol_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cpucontrol(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/cpufreqselector_selinux.8 b/man/man8/cpufreqselector_selinux.8
+new file mode 100644
+index 0000000..764592d
+--- /dev/null
++++ b/man/man8/cpufreqselector_selinux.8
+@@ -0,0 +1,96 @@
++.TH "cpufreqselector_selinux" "8" "12-11-01" "cpufreqselector" "SELinux Policy documentation for cpufreqselector"
++.SH "NAME"
++cpufreqselector_selinux \- Security Enhanced Linux Policy for the cpufreqselector processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cpufreqselector processes via flexible mandatory access control.
++
++The cpufreqselector processes execute with the cpufreqselector_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cpufreqselector_t
++
++
++.SH "ENTRYPOINTS"
++
++The cpufreqselector_t SELinux type can be entered via the "cpufreqselector_exec_t" file type. The default entrypoint paths for the cpufreqselector_t domain are the following:"
++
++/usr/bin/cpufreq-selector
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cpufreqselector policy is very flexible allowing users to setup their cpufreqselector processes in as secure a method as possible.
++.PP
++The following process types are defined for cpufreqselector:
++
++.EX
++.B cpufreqselector_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cpufreqselector policy is very flexible allowing users to setup their cpufreqselector processes in as secure a method as possible.
++.PP
++The following file types are defined for cpufreqselector:
++
++
++.EX
++.PP
++.B cpufreqselector_exec_t
++.EE
++
++- Set files with the cpufreqselector_exec_t type, if you want to transition an executable to the cpufreqselector_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cpufreqselector_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cpufreqselector(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/cpuspeed_selinux.8 b/man/man8/cpuspeed_selinux.8
+new file mode 100644
+index 0000000..ec9dfce
+--- /dev/null
++++ b/man/man8/cpuspeed_selinux.8
+@@ -0,0 +1,110 @@
++.TH "cpuspeed_selinux" "8" "12-11-01" "cpuspeed" "SELinux Policy documentation for cpuspeed"
++.SH "NAME"
++cpuspeed_selinux \- Security Enhanced Linux Policy for the cpuspeed processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cpuspeed processes via flexible mandatory access control.
++
++The cpuspeed processes execute with the cpuspeed_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cpuspeed_t
++
++
++.SH "ENTRYPOINTS"
++
++The cpuspeed_t SELinux type can be entered via the "cpuspeed_exec_t" file type. The default entrypoint paths for the cpuspeed_t domain are the following:"
++
++/usr/sbin/cpufreqd, /usr/sbin/cpuspeed, /usr/sbin/powernowd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cpuspeed policy is very flexible allowing users to setup their cpuspeed processes in as secure a method as possible.
++.PP
++The following process types are defined for cpuspeed:
++
++.EX
++.B cpuspeed_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cpuspeed policy is very flexible allowing users to setup their cpuspeed processes in as secure a method as possible.
++.PP
++The following file types are defined for cpuspeed:
++
++
++.EX
++.PP
++.B cpuspeed_exec_t
++.EE
++
++- Set files with the cpuspeed_exec_t type, if you want to transition an executable to the cpuspeed_t domain.
++
++
++.EX
++.PP
++.B cpuspeed_var_run_t
++.EE
++
++- Set files with the cpuspeed_var_run_t type, if you want to store the cpuspeed files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cpuspeed_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cpuspeed_var_run_t
++
++ /var/run/cpufreqd\.pid
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cpuspeed(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/crack_selinux.8 b/man/man8/crack_selinux.8
+new file mode 100644
+index 0000000..49919a6
+--- /dev/null
++++ b/man/man8/crack_selinux.8
+@@ -0,0 +1,120 @@
++.TH "crack_selinux" "8" "12-11-01" "crack" "SELinux Policy documentation for crack"
++.SH "NAME"
++crack_selinux \- Security Enhanced Linux Policy for the crack processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the crack processes via flexible mandatory access control.
++
++The crack processes execute with the crack_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep crack_t
++
++
++.SH "ENTRYPOINTS"
++
++The crack_t SELinux type can be entered via the "crack_exec_t" file type. The default entrypoint paths for the crack_t domain are the following:"
++
++/usr/sbin/crack_[a-z]*, /usr/sbin/cracklib-[a-z]*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux crack policy is very flexible allowing users to setup their crack processes in as secure a method as possible.
++.PP
++The following process types are defined for crack:
++
++.EX
++.B crack_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux crack policy is very flexible allowing users to setup their crack processes in as secure a method as possible.
++.PP
++The following file types are defined for crack:
++
++
++.EX
++.PP
++.B crack_db_t
++.EE
++
++- Set files with the crack_db_t type, if you want to treat the files as crack database content.
++
++
++.EX
++.PP
++.B crack_exec_t
++.EE
++
++- Set files with the crack_exec_t type, if you want to transition an executable to the crack_t domain.
++
++
++.EX
++.PP
++.B crack_tmp_t
++.EE
++
++- Set files with the crack_tmp_t type, if you want to store crack temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type crack_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B crack_db_t
++
++ /usr/share/cracklib(/.*)?
++.br
++ /var/cache/cracklib(/.*)?
++.br
++ /usr/lib/cracklib_dict.*
++.br
++
++.br
++.B crack_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), crack(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/crond_selinux.8 b/man/man8/crond_selinux.8
+new file mode 100644
+index 0000000..0f4955a
+--- /dev/null
++++ b/man/man8/crond_selinux.8
+@@ -0,0 +1,310 @@
++.TH "crond_selinux" "8" "12-11-01" "crond" "SELinux Policy documentation for crond"
++.SH "NAME"
++crond_selinux \- Security Enhanced Linux Policy for the crond processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the crond processes via flexible mandatory access control.
++
++The crond processes execute with the crond_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep crond_t
++
++
++.SH "ENTRYPOINTS"
++
++The crond_t SELinux type can be entered via the "crond_exec_t" file type. The default entrypoint paths for the crond_t domain are the following:"
++
++/usr/sbin/cron(d)?, /usr/sbin/atd, /usr/sbin/fcron
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux crond policy is very flexible allowing users to setup their crond processes in as secure a method as possible.
++.PP
++The following process types are defined for crond:
++
++.EX
++.B crond_t, cronjob_t, crontab_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. crond policy is extremely flexible and has several booleans that allow you to manipulate the policy and run crond with the tightest access possible.
++
++
++.PP
++If you want to enable extra rules in the cron domain to support fcron, you must turn on the fcron_crond boolean.
++
++.EX
++.B setsebool -P fcron_crond 1
++.EE
++
++.PP
++If you want to allow system cron jobs to relabel filesystem for restoring file contexts, you must turn on the cron_can_relabel boolean.
++
++.EX
++.B setsebool -P cron_can_relabel 1
++.EE
++
++.PP
++If you want to enable extra rules in the cron domain to support fcron, you must turn on the fcron_crond boolean.
++
++.EX
++.B setsebool -P fcron_crond 1
++.EE
++
++.PP
++If you want to allow system cron jobs to relabel filesystem for restoring file contexts, you must turn on the cron_can_relabel boolean.
++
++.EX
++.B setsebool -P cron_can_relabel 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux crond policy is very flexible allowing users to setup their crond processes in as secure a method as possible.
++.PP
++The following file types are defined for crond:
++
++
++.EX
++.PP
++.B crond_exec_t
++.EE
++
++- Set files with the crond_exec_t type, if you want to transition an executable to the crond_t domain.
++
++
++.EX
++.PP
++.B crond_initrc_exec_t
++.EE
++
++- Set files with the crond_initrc_exec_t type, if you want to transition an executable to the crond_initrc_t domain.
++
++
++.EX
++.PP
++.B crond_tmp_t
++.EE
++
++- Set files with the crond_tmp_t type, if you want to store crond temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B crond_unit_file_t
++.EE
++
++- Set files with the crond_unit_file_t type, if you want to treat the files as crond unit content.
++
++
++.EX
++.PP
++.B crond_var_run_t
++.EE
++
++- Set files with the crond_var_run_t type, if you want to store the crond files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type crond_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B cron_log_t
++
++ /var/log/rpmpkgs.*
++.br
++
++.br
++.B cron_spool_t
++
++ /var/spool/fcron
++.br
++ /var/spool/cron/crontabs
++.br
++
++.br
++.B crond_tmp_t
++
++
++.br
++.B crond_var_run_t
++
++ /var/run/.*cron.*
++.br
++ /var/run/crond?\.pid
++.br
++ /var/run/crond?\.reboot
++.br
++ /var/run/atd\.pid
++.br
++ /var/run/fcron\.pid
++.br
++ /var/run/fcron\.fifo
++.br
++ /var/run/anacron\.pid
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B rpm_log_t
++
++ /var/log/yum\.log.*
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B system_cron_spool_t
++
++ /etc/cron\.d(/.*)?
++.br
++ /var/spool/anacron(/.*)?
++.br
++ /etc/crontab
++.br
++ /var/spool/fcron/systab
++.br
++ /var/spool/fcron/new\.systab
++.br
++ /var/spool/fcron/systab\.orig
++.br
++
++.br
++.B user_cron_spool_t
++
++ /var/spool/at(/.*)?
++.br
++ /var/spool/cron
++.br
++
++.br
++.B var_auth_t
++
++ /var/ace(/.*)?
++.br
++ /var/rsa(/.*)?
++.br
++ /var/lib/abl(/.*)?
++.br
++ /var/lib/rsa(/.*)?
++.br
++ /var/lib/pam_ssh(/.*)?
++.br
++ /var/run/pam_ssh(/.*)?
++.br
++ /var/lib/pam_shield(/.*)?
++.br
++ /var/lib/google-authenticator(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the crontab_t, crond_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the crontab_t, crond_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), crond(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), crontab_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/crontab_selinux.8 b/man/man8/crontab_selinux.8
+new file mode 100644
+index 0000000..8d67b77
+--- /dev/null
++++ b/man/man8/crontab_selinux.8
+@@ -0,0 +1,190 @@
++.TH "crontab_selinux" "8" "12-11-01" "crontab" "SELinux Policy documentation for crontab"
++.SH "NAME"
++crontab_selinux \- Security Enhanced Linux Policy for the crontab processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the crontab processes via flexible mandatory access control.
++
++The crontab processes execute with the crontab_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep crontab_t
++
++
++.SH "ENTRYPOINTS"
++
++The crontab_t SELinux type can be entered via the "crontab_exec_t" file type. The default entrypoint paths for the crontab_t domain are the following:"
++
++/usr/bin/(f)?crontab, /usr/bin/at, /usr/sbin/fcronsighup
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux crontab policy is very flexible allowing users to setup their crontab processes in as secure a method as possible.
++.PP
++The following process types are defined for crontab:
++
++.EX
++.B crontab_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux crontab policy is very flexible allowing users to setup their crontab processes in as secure a method as possible.
++.PP
++The following file types are defined for crontab:
++
++
++.EX
++.PP
++.B crontab_exec_t
++.EE
++
++- Set files with the crontab_exec_t type, if you want to transition an executable to the crontab_t domain.
++
++
++.EX
++.PP
++.B crontab_tmp_t
++.EE
++
++- Set files with the crontab_tmp_t type, if you want to store crontab temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type crontab_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B crontab_tmp_t
++
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B user_cron_spool_t
++
++ /var/spool/at(/.*)?
++.br
++ /var/spool/cron
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.br
++.B var_auth_t
++
++ /var/ace(/.*)?
++.br
++ /var/rsa(/.*)?
++.br
++ /var/lib/abl(/.*)?
++.br
++ /var/lib/rsa(/.*)?
++.br
++ /var/lib/pam_ssh(/.*)?
++.br
++ /var/run/pam_ssh(/.*)?
++.br
++ /var/lib/pam_shield(/.*)?
++.br
++ /var/lib/google-authenticator(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the crontab_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the crontab_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), crontab(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ctdbd_selinux.8 b/man/man8/ctdbd_selinux.8
+new file mode 100644
+index 0000000..33d0469
+--- /dev/null
++++ b/man/man8/ctdbd_selinux.8
+@@ -0,0 +1,232 @@
++.TH "ctdbd_selinux" "8" "12-11-01" "ctdbd" "SELinux Policy documentation for ctdbd"
++.SH "NAME"
++ctdbd_selinux \- Security Enhanced Linux Policy for the ctdbd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ctdbd processes via flexible mandatory access control.
++
++The ctdbd processes execute with the ctdbd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ctdbd_t
++
++
++.SH "ENTRYPOINTS"
++
++The ctdbd_t SELinux type can be entered via the "ctdbd_exec_t" file type. The default entrypoint paths for the ctdbd_t domain are the following:"
++
++/usr/sbin/ctdbd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ctdbd policy is very flexible allowing users to setup their ctdbd processes in as secure a method as possible.
++.PP
++The following process types are defined for ctdbd:
++
++.EX
++.B ctdbd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ctdbd policy is very flexible allowing users to setup their ctdbd processes in as secure a method as possible.
++.PP
++The following file types are defined for ctdbd:
++
++
++.EX
++.PP
++.B ctdbd_exec_t
++.EE
++
++- Set files with the ctdbd_exec_t type, if you want to transition an executable to the ctdbd_t domain.
++
++
++.EX
++.PP
++.B ctdbd_initrc_exec_t
++.EE
++
++- Set files with the ctdbd_initrc_exec_t type, if you want to transition an executable to the ctdbd_initrc_t domain.
++
++
++.EX
++.PP
++.B ctdbd_log_t
++.EE
++
++- Set files with the ctdbd_log_t type, if you want to treat the data as ctdbd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ctdbd_spool_t
++.EE
++
++- Set files with the ctdbd_spool_t type, if you want to store the ctdbd files under the /var/spool directory.
++
++
++.EX
++.PP
++.B ctdbd_tmp_t
++.EE
++
++- Set files with the ctdbd_tmp_t type, if you want to store ctdbd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ctdbd_var_lib_t
++.EE
++
++- Set files with the ctdbd_var_lib_t type, if you want to store the ctdbd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B ctdbd_var_run_t
++.EE
++
++- Set files with the ctdbd_var_run_t type, if you want to store the ctdbd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux ctdbd policy is very flexible allowing users to setup their ctdbd processes in as secure a method as possible.
++.PP
++The following port types are defined for ctdbd:
++
++.EX
++.TP 5
++.B ctdb_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 4379
++.EE
++udp 4379
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type ctdbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ctdbd_log_t
++
++ /var/log/log\.ctdb
++.br
++
++.br
++.B ctdbd_spool_t
++
++ /var/spool/ctdb(/.*)?
++.br
++
++.br
++.B ctdbd_tmp_t
++
++
++.br
++.B ctdbd_var_lib_t
++
++ /etc/ctdb(/.*)?
++.br
++ /var/ctdb(/.*)?
++.br
++ /var/ctdbd(/.*)?
++.br
++ /var/lib/ctdbd(/.*)?
++.br
++
++.br
++.B ctdbd_var_run_t
++
++ /var/run/ctdbd(/.*)?
++.br
++
++.br
++.B samba_var_t
++
++ /var/lib/samba(/.*)?
++.br
++ /var/cache/samba(/.*)?
++.br
++ /var/spool/samba(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ctdbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ctdbd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ctdbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/cups_pdf_selinux.8 b/man/man8/cups_pdf_selinux.8
+new file mode 100644
+index 0000000..da4a09b
+--- /dev/null
++++ b/man/man8/cups_pdf_selinux.8
+@@ -0,0 +1,151 @@
++.TH "cups_pdf_selinux" "8" "12-11-01" "cups_pdf" "SELinux Policy documentation for cups_pdf"
++.SH "NAME"
++cups_pdf_selinux \- Security Enhanced Linux Policy for the cups_pdf processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cups_pdf processes via flexible mandatory access control.
++
++The cups_pdf processes execute with the cups_pdf_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cups_pdf_t
++
++
++.SH "ENTRYPOINTS"
++
++The cups_pdf_t SELinux type can be entered via the "cups_pdf_exec_t" file type. The default entrypoint paths for the cups_pdf_t domain are the following:"
++
++/usr/lib/cups/backend/cups-pdf
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cups_pdf policy is very flexible allowing users to setup their cups_pdf processes in as secure a method as possible.
++.PP
++The following process types are defined for cups_pdf:
++
++.EX
++.B cups_pdf_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cups_pdf policy is very flexible allowing users to setup their cups_pdf processes in as secure a method as possible.
++.PP
++The following file types are defined for cups_pdf:
++
++
++.EX
++.PP
++.B cups_pdf_exec_t
++.EE
++
++- Set files with the cups_pdf_exec_t type, if you want to transition an executable to the cups_pdf_t domain.
++
++
++.EX
++.PP
++.B cups_pdf_tmp_t
++.EE
++
++- Set files with the cups_pdf_tmp_t type, if you want to store cups pdf temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cups_pdf_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B cups_pdf_tmp_t
++
++
++.br
++.B cupsd_log_t
++
++ /var/log/cups(/.*)?
++.br
++ /usr/Brother/fax/.*\.log.*
++.br
++ /var/log/turboprint.*
++.br
++
++.br
++.B print_spool_t
++
++ /var/spool/lpd(/.*)?
++.br
++ /var/spool/cups(/.*)?
++.br
++ /var/spool/cups-pdf(/.*)?
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cups_pdf_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cups_pdf_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cups_pdf(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, cupsd_selinux(8), cupsd_config_selinux(8), cupsd_lpd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/cupsd_config_selinux.8 b/man/man8/cupsd_config_selinux.8
+new file mode 100644
+index 0000000..a3e48d3
+--- /dev/null
++++ b/man/man8/cupsd_config_selinux.8
+@@ -0,0 +1,207 @@
++.TH "cupsd_config_selinux" "8" "12-11-01" "cupsd_config" "SELinux Policy documentation for cupsd_config"
++.SH "NAME"
++cupsd_config_selinux \- Security Enhanced Linux Policy for the cupsd_config processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cupsd_config processes via flexible mandatory access control.
++
++The cupsd_config processes execute with the cupsd_config_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cupsd_config_t
++
++
++.SH "ENTRYPOINTS"
++
++The cupsd_config_t SELinux type can be entered via the "cupsd_config_exec_t" file type. The default entrypoint paths for the cupsd_config_t domain are the following:"
++
++/usr/sbin/hal_lpadmin, /usr/libexec/hal_lpadmin, /usr/bin/cups-config-daemon, /usr/sbin/printconf-backend, /lib/udev/udev-configure-printer, /usr/lib/udev/udev-configure-printer, /usr/libexec/cups-pk-helper-mechanism
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cupsd_config policy is very flexible allowing users to setup their cupsd_config processes in as secure a method as possible.
++.PP
++The following process types are defined for cupsd_config:
++
++.EX
++.B cupsd_config_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cupsd_config policy is very flexible allowing users to setup their cupsd_config processes in as secure a method as possible.
++.PP
++The following file types are defined for cupsd_config:
++
++
++.EX
++.PP
++.B cupsd_config_exec_t
++.EE
++
++- Set files with the cupsd_config_exec_t type, if you want to transition an executable to the cupsd_config_t domain.
++
++
++.EX
++.PP
++.B cupsd_config_var_run_t
++.EE
++
++- Set files with the cupsd_config_var_run_t type, if you want to store the cupsd config files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cupsd_config_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cupsd_config_var_run_t
++
++ /var/run/udev-configure-printer(/.*)?
++.br
++
++.br
++.B cupsd_etc_t
++
++ /etc/cups(/.*)?
++.br
++ /usr/share/cups(/.*)?
++.br
++
++.br
++.B cupsd_log_t
++
++ /var/log/cups(/.*)?
++.br
++ /usr/Brother/fax/.*\.log.*
++.br
++ /var/log/turboprint.*
++.br
++
++.br
++.B cupsd_rw_etc_t
++
++ /etc/printcap.*
++.br
++ /etc/cups/ppd(/.*)?
++.br
++ /usr/Brother/(.*/)?inf(/.*)?
++.br
++ /usr/Printer/(.*/)?inf(/.*)?
++.br
++ /usr/lib/bjlib(/.*)?
++.br
++ /var/lib/iscan(/.*)?
++.br
++ /var/cache/cups(/.*)?
++.br
++ /etc/cups/certs/.*
++.br
++ /etc/opt/Brother/(.*/)?inf(/.*)?
++.br
++ /etc/cups/lpoptions.*
++.br
++ /var/cache/foomatic(/.*)?
++.br
++ /etc/cups/cupsd\.conf.*
++.br
++ /var/lib/cups/certs/.*
++.br
++ /opt/gutenprint/ppds(/.*)?
++.br
++ /opt/brother/Printers(.*/)?inf(/.*)?
++.br
++ /etc/cups/classes\.conf.*
++.br
++ /etc/cups/printers\.conf.*
++.br
++ /etc/cups/subscriptions.*
++.br
++ /usr/local/linuxprinter/ppd(/.*)?
++.br
++ /var/cache/alchemist/printconf.*
++.br
++ /etc/alchemist/namespace/printconf(/.*)?
++.br
++ /etc/cups/certs
++.br
++ /etc/cups/ppds\.dat
++.br
++ /var/lib/cups/certs
++.br
++ /usr/share/foomatic/db/oldprinterids
++.br
++
++.br
++.B cupsd_tmp_t
++
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cupsd_config_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cupsd_config_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cupsd_config(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, cupsd_selinux(8), cupsd_selinux(8), cupsd_lpd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/cupsd_lpd_selinux.8 b/man/man8/cupsd_lpd_selinux.8
+new file mode 100644
+index 0000000..73ded99
+--- /dev/null
++++ b/man/man8/cupsd_lpd_selinux.8
+@@ -0,0 +1,129 @@
++.TH "cupsd_lpd_selinux" "8" "12-11-01" "cupsd_lpd" "SELinux Policy documentation for cupsd_lpd"
++.SH "NAME"
++cupsd_lpd_selinux \- Security Enhanced Linux Policy for the cupsd_lpd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cupsd_lpd processes via flexible mandatory access control.
++
++The cupsd_lpd processes execute with the cupsd_lpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cupsd_lpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The cupsd_lpd_t SELinux type can be entered via the "cupsd_lpd_exec_t" file type. The default entrypoint paths for the cupsd_lpd_t domain are the following:"
++
++/usr/lib/cups/daemon/cups-lpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cupsd_lpd policy is very flexible allowing users to setup their cupsd_lpd processes in as secure a method as possible.
++.PP
++The following process types are defined for cupsd_lpd:
++
++.EX
++.B cupsd_lpd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cupsd_lpd policy is very flexible allowing users to setup their cupsd_lpd processes in as secure a method as possible.
++.PP
++The following file types are defined for cupsd_lpd:
++
++
++.EX
++.PP
++.B cupsd_lpd_exec_t
++.EE
++
++- Set files with the cupsd_lpd_exec_t type, if you want to transition an executable to the cupsd_lpd_t domain.
++
++
++.EX
++.PP
++.B cupsd_lpd_tmp_t
++.EE
++
++- Set files with the cupsd_lpd_tmp_t type, if you want to store cupsd lpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cupsd_lpd_var_run_t
++.EE
++
++- Set files with the cupsd_lpd_var_run_t type, if you want to store the cupsd lpd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cupsd_lpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cupsd_lpd_tmp_t
++
++
++.br
++.B cupsd_lpd_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cupsd_lpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cupsd_lpd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cupsd_lpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, cupsd_selinux(8), cupsd_selinux(8), cupsd_config_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/cupsd_selinux.8 b/man/man8/cupsd_selinux.8
+new file mode 100644
+index 0000000..89d22a6
+--- /dev/null
++++ b/man/man8/cupsd_selinux.8
+@@ -0,0 +1,387 @@
++.TH "cupsd_selinux" "8" "12-11-01" "cupsd" "SELinux Policy documentation for cupsd"
++.SH "NAME"
++cupsd_selinux \- Security Enhanced Linux Policy for the cupsd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cupsd processes via flexible mandatory access control.
++
++The cupsd processes execute with the cupsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cupsd_t
++
++
++.SH "ENTRYPOINTS"
++
++The cupsd_t SELinux type can be entered via the "cupsd_exec_t" file type. The default entrypoint paths for the cupsd_t domain are the following:"
++
++/usr/sbin/cupsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cupsd policy is very flexible allowing users to setup their cupsd processes in as secure a method as possible.
++.PP
++The following process types are defined for cupsd:
++
++.EX
++.B cupsd_t, cupsd_config_t, cupsd_lpd_t, cups_pdf_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cupsd policy is very flexible allowing users to setup their cupsd processes in as secure a method as possible.
++.PP
++The following file types are defined for cupsd:
++
++
++.EX
++.PP
++.B cupsd_config_exec_t
++.EE
++
++- Set files with the cupsd_config_exec_t type, if you want to transition an executable to the cupsd_config_t domain.
++
++
++.EX
++.PP
++.B cupsd_config_var_run_t
++.EE
++
++- Set files with the cupsd_config_var_run_t type, if you want to store the cupsd config files under the /run directory.
++
++
++.EX
++.PP
++.B cupsd_etc_t
++.EE
++
++- Set files with the cupsd_etc_t type, if you want to store cupsd files in the /etc directories.
++
++
++.EX
++.PP
++.B cupsd_exec_t
++.EE
++
++- Set files with the cupsd_exec_t type, if you want to transition an executable to the cupsd_t domain.
++
++
++.EX
++.PP
++.B cupsd_initrc_exec_t
++.EE
++
++- Set files with the cupsd_initrc_exec_t type, if you want to transition an executable to the cupsd_initrc_t domain.
++
++
++.EX
++.PP
++.B cupsd_interface_t
++.EE
++
++- Set files with the cupsd_interface_t type, if you want to treat the files as cupsd interface data.
++
++
++.EX
++.PP
++.B cupsd_lock_t
++.EE
++
++- Set files with the cupsd_lock_t type, if you want to treat the files as cupsd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B cupsd_log_t
++.EE
++
++- Set files with the cupsd_log_t type, if you want to treat the data as cupsd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B cupsd_lpd_exec_t
++.EE
++
++- Set files with the cupsd_lpd_exec_t type, if you want to transition an executable to the cupsd_lpd_t domain.
++
++
++.EX
++.PP
++.B cupsd_lpd_tmp_t
++.EE
++
++- Set files with the cupsd_lpd_tmp_t type, if you want to store cupsd lpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cupsd_lpd_var_run_t
++.EE
++
++- Set files with the cupsd_lpd_var_run_t type, if you want to store the cupsd lpd files under the /run directory.
++
++
++.EX
++.PP
++.B cupsd_rw_etc_t
++.EE
++
++- Set files with the cupsd_rw_etc_t type, if you want to store cupsd rw files in the /etc directories.
++
++
++.EX
++.PP
++.B cupsd_tmp_t
++.EE
++
++- Set files with the cupsd_tmp_t type, if you want to store cupsd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cupsd_unit_file_t
++.EE
++
++- Set files with the cupsd_unit_file_t type, if you want to treat the files as cupsd unit content.
++
++
++.EX
++.PP
++.B cupsd_var_run_t
++.EE
++
++- Set files with the cupsd_var_run_t type, if you want to store the cupsd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cupsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cupsd_interface_t
++
++ /etc/cups/interfaces(/.*)?
++.br
++
++.br
++.B cupsd_lock_t
++
++
++.br
++.B cupsd_log_t
++
++ /var/log/cups(/.*)?
++.br
++ /usr/Brother/fax/.*\.log.*
++.br
++ /var/log/turboprint.*
++.br
++
++.br
++.B cupsd_rw_etc_t
++
++ /etc/printcap.*
++.br
++ /etc/cups/ppd(/.*)?
++.br
++ /usr/Brother/(.*/)?inf(/.*)?
++.br
++ /usr/Printer/(.*/)?inf(/.*)?
++.br
++ /usr/lib/bjlib(/.*)?
++.br
++ /var/lib/iscan(/.*)?
++.br
++ /var/cache/cups(/.*)?
++.br
++ /etc/cups/certs/.*
++.br
++ /etc/opt/Brother/(.*/)?inf(/.*)?
++.br
++ /etc/cups/lpoptions.*
++.br
++ /var/cache/foomatic(/.*)?
++.br
++ /etc/cups/cupsd\.conf.*
++.br
++ /var/lib/cups/certs/.*
++.br
++ /opt/gutenprint/ppds(/.*)?
++.br
++ /opt/brother/Printers(.*/)?inf(/.*)?
++.br
++ /etc/cups/classes\.conf.*
++.br
++ /etc/cups/printers\.conf.*
++.br
++ /etc/cups/subscriptions.*
++.br
++ /usr/local/linuxprinter/ppd(/.*)?
++.br
++ /var/cache/alchemist/printconf.*
++.br
++ /etc/alchemist/namespace/printconf(/.*)?
++.br
++ /etc/cups/certs
++.br
++ /etc/cups/ppds\.dat
++.br
++ /var/lib/cups/certs
++.br
++ /usr/share/foomatic/db/oldprinterids
++.br
++
++.br
++.B cupsd_tmp_t
++
++
++.br
++.B cupsd_var_run_t
++
++ /var/ccpd(/.*)?
++.br
++ /var/ekpd(/.*)?
++.br
++ /var/run/cups(/.*)?
++.br
++ /var/turboprint(/.*)?
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B print_spool_t
++
++ /var/spool/lpd(/.*)?
++.br
++ /var/spool/cups(/.*)?
++.br
++ /var/spool/cups-pdf(/.*)?
++.br
++
++.br
++.B samba_var_t
++
++ /var/lib/samba(/.*)?
++.br
++ /var/cache/samba(/.*)?
++.br
++ /var/spool/samba(/.*)?
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B usbfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cupsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, cups_pdf_selinux(8), cupsd_config_selinux(8), cupsd_lpd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/cvs_selinux.8 b/man/man8/cvs_selinux.8
+new file mode 100644
+index 0000000..c477853
+--- /dev/null
++++ b/man/man8/cvs_selinux.8
+@@ -0,0 +1,236 @@
++.TH "cvs_selinux" "8" "12-11-01" "cvs" "SELinux Policy documentation for cvs"
++.SH "NAME"
++cvs_selinux \- Security Enhanced Linux Policy for the cvs processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cvs processes via flexible mandatory access control.
++
++The cvs processes execute with the cvs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cvs_t
++
++
++.SH "ENTRYPOINTS"
++
++The cvs_t SELinux type can be entered via the "cvs_exec_t" file type. The default entrypoint paths for the cvs_t domain are the following:"
++
++/usr/bin/cvs
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cvs policy is very flexible allowing users to setup their cvs processes in as secure a method as possible.
++.PP
++The following process types are defined for cvs:
++
++.EX
++.B cvs_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. cvs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cvs with the tightest access possible.
++
++
++.PP
++If you want to allow cvs daemon to read shadow, you must turn on the cvs_read_shadow boolean.
++
++.EX
++.B setsebool -P cvs_read_shadow 1
++.EE
++
++.PP
++If you want to allow cvs daemon to read shadow, you must turn on the cvs_read_shadow boolean.
++
++.EX
++.B setsebool -P cvs_read_shadow 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cvs policy is very flexible allowing users to setup their cvs processes in as secure a method as possible.
++.PP
++The following file types are defined for cvs:
++
++
++.EX
++.PP
++.B cvs_data_t
++.EE
++
++- Set files with the cvs_data_t type, if you want to treat the files as cvs content.
++
++
++.EX
++.PP
++.B cvs_exec_t
++.EE
++
++- Set files with the cvs_exec_t type, if you want to transition an executable to the cvs_t domain.
++
++
++.EX
++.PP
++.B cvs_initrc_exec_t
++.EE
++
++- Set files with the cvs_initrc_exec_t type, if you want to transition an executable to the cvs_initrc_t domain.
++
++
++.EX
++.PP
++.B cvs_keytab_t
++.EE
++
++- Set files with the cvs_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B cvs_tmp_t
++.EE
++
++- Set files with the cvs_tmp_t type, if you want to store cvs temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cvs_var_run_t
++.EE
++
++- Set files with the cvs_var_run_t type, if you want to store the cvs files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux cvs policy is very flexible allowing users to setup their cvs processes in as secure a method as possible.
++.PP
++The following port types are defined for cvs:
++
++.EX
++.TP 5
++.B cvs_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 2401
++.EE
++udp 2401
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type cvs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cvs_data_t
++
++ /opt/cvs(/.*)?
++.br
++ /var/cvs(/.*)?
++.br
++
++.br
++.B cvs_tmp_t
++
++
++.br
++.B cvs_var_run_t
++
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cvs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cvs_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cvs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/cyphesis_selinux.8 b/man/man8/cyphesis_selinux.8
+new file mode 100644
+index 0000000..247c016
+--- /dev/null
++++ b/man/man8/cyphesis_selinux.8
+@@ -0,0 +1,154 @@
++.TH "cyphesis_selinux" "8" "12-11-01" "cyphesis" "SELinux Policy documentation for cyphesis"
++.SH "NAME"
++cyphesis_selinux \- Security Enhanced Linux Policy for the cyphesis processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cyphesis processes via flexible mandatory access control.
++
++The cyphesis processes execute with the cyphesis_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cyphesis_t
++
++
++.SH "ENTRYPOINTS"
++
++The cyphesis_t SELinux type can be entered via the "cyphesis_exec_t" file type. The default entrypoint paths for the cyphesis_t domain are the following:"
++
++/usr/bin/cyphesis
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cyphesis policy is very flexible allowing users to setup their cyphesis processes in as secure a method as possible.
++.PP
++The following process types are defined for cyphesis:
++
++.EX
++.B cyphesis_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cyphesis policy is very flexible allowing users to setup their cyphesis processes in as secure a method as possible.
++.PP
++The following file types are defined for cyphesis:
++
++
++.EX
++.PP
++.B cyphesis_exec_t
++.EE
++
++- Set files with the cyphesis_exec_t type, if you want to transition an executable to the cyphesis_t domain.
++
++
++.EX
++.PP
++.B cyphesis_log_t
++.EE
++
++- Set files with the cyphesis_log_t type, if you want to treat the data as cyphesis log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B cyphesis_tmp_t
++.EE
++
++- Set files with the cyphesis_tmp_t type, if you want to store cyphesis temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cyphesis_var_run_t
++.EE
++
++- Set files with the cyphesis_var_run_t type, if you want to store the cyphesis files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux cyphesis policy is very flexible allowing users to setup their cyphesis processes in as secure a method as possible.
++.PP
++The following port types are defined for cyphesis:
++
++.EX
++.TP 5
++.B cyphesis_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 6767,6769,6780-6799
++.EE
++udp 32771
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type cyphesis_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cyphesis_log_t
++
++ /var/log/cyphesis(/.*)?
++.br
++
++.br
++.B cyphesis_var_run_t
++
++ /var/run/cyphesis(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cyphesis(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/cyrus_selinux.8 b/man/man8/cyrus_selinux.8
+new file mode 100644
+index 0000000..96f6359
+--- /dev/null
++++ b/man/man8/cyrus_selinux.8
+@@ -0,0 +1,170 @@
++.TH "cyrus_selinux" "8" "12-11-01" "cyrus" "SELinux Policy documentation for cyrus"
++.SH "NAME"
++cyrus_selinux \- Security Enhanced Linux Policy for the cyrus processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the cyrus processes via flexible mandatory access control.
++
++The cyrus processes execute with the cyrus_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep cyrus_t
++
++
++.SH "ENTRYPOINTS"
++
++The cyrus_t SELinux type can be entered via the "cyrus_exec_t" file type. The default entrypoint paths for the cyrus_t domain are the following:"
++
++/usr/lib/cyrus/master, /usr/lib/cyrus-imapd/cyrus-master
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux cyrus policy is very flexible allowing users to setup their cyrus processes in as secure a method as possible.
++.PP
++The following process types are defined for cyrus:
++
++.EX
++.B cyrus_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux cyrus policy is very flexible allowing users to setup their cyrus processes in as secure a method as possible.
++.PP
++The following file types are defined for cyrus:
++
++
++.EX
++.PP
++.B cyrus_exec_t
++.EE
++
++- Set files with the cyrus_exec_t type, if you want to transition an executable to the cyrus_t domain.
++
++
++.EX
++.PP
++.B cyrus_initrc_exec_t
++.EE
++
++- Set files with the cyrus_initrc_exec_t type, if you want to transition an executable to the cyrus_initrc_t domain.
++
++
++.EX
++.PP
++.B cyrus_keytab_t
++.EE
++
++- Set files with the cyrus_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B cyrus_tmp_t
++.EE
++
++- Set files with the cyrus_tmp_t type, if you want to store cyrus temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cyrus_var_lib_t
++.EE
++
++- Set files with the cyrus_var_lib_t type, if you want to store the cyrus files under the /var/lib directory.
++
++
++.EX
++.PP
++.B cyrus_var_run_t
++.EE
++
++- Set files with the cyrus_var_run_t type, if you want to store the cyrus files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type cyrus_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cyrus_tmp_t
++
++
++.br
++.B cyrus_var_lib_t
++
++ /var/imap(/.*)?
++.br
++ /var/lib/imap(/.*)?
++.br
++
++.br
++.B cyrus_var_run_t
++
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cyrus_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cyrus_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), cyrus(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/dbadm_selinux.8 b/man/man8/dbadm_selinux.8
+new file mode 100644
+index 0000000..db93ad7
+--- /dev/null
++++ b/man/man8/dbadm_selinux.8
+@@ -0,0 +1,225 @@
++.TH "dbadm_selinux" "8" "dbadm" "mgrepl@redhat.com" "dbadm SELinux Policy documentation"
++.SH "NAME"
++dbadm_r \- \fBDatabase administrator role\fP - Security Enhanced Linux Policy
++
++.SH DESCRIPTION
++
++SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into.
++
++.I Note:
++Examples in this man page will use the
++.B staff_u
++SELinux user.
++
++Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them.
++
++The default type for the dbadm_r role is dbadm_t.
++
++The
++.B newrole
++program to transition directly to this role.
++
++.B newrole -r dbadm_r -t dbadm_t
++
++.B sudo
++is the preferred method to do transition from one role to another. You setup sudo to transition to dbadm_r by adding a similar line to the /etc/sudoers file.
++
++USERNAME ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t COMMAND
++
++.br
++sudo will run COMMAND as staff_u:dbadm_r:dbadm_t:LEVEL
++
++When using a a non login role, you need to setup SELinux so that your SELinux user can reach dbadm_r role.
++
++Execute the following to see all of the assigned SELinux roles:
++
++.B semanage user -l
++
++You need to add dbadm_r to the staff_u user. You could setup the staff_u user to be able to use the dbadm_r role with a command like:
++
++.B $ semanage user -m -R 'staff_r system_r dbadm_r' staff_u
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. dbadm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dbadm with the tightest access possible.
++
++
++.PP
++If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_unconfined_dbadm 1
++.EE
++
++.PP
++If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean.
++
++.EX
++.B setsebool -P dbadm_manage_user_files 1
++.EE
++
++.PP
++If you want to allow dbadm to read files in users home directories, you must turn on the dbadm_read_user_files boolean.
++
++.EX
++.B setsebool -P dbadm_read_user_files 1
++.EE
++
++.PP
++If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_unconfined_dbadm 1
++.EE
++
++.PP
++If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean.
++
++.EX
++.B setsebool -P dbadm_manage_user_files 1
++.EE
++
++.PP
++If you want to allow dbadm to read files in users home directories, you must turn on the dbadm_read_user_files boolean.
++
++.EX
++.B setsebool -P dbadm_read_user_files 1
++.EE
++
++.SH "MANAGED FILES"
++
++The SELinux process type dbadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mysqld_db_t
++
++ /var/lib/mysql(/.*)?
++.br
++
++.br
++.B mysqld_etc_t
++
++ /etc/mysql(/.*)?
++.br
++ /etc/my\.cnf
++.br
++
++.br
++.B mysqld_home_t
++
++ /root/\.my\.cnf
++.br
++ /home/[^/]*/\.my\.cnf
++.br
++ /home/dwalsh/\.my\.cnf
++.br
++ /var/lib/xguest/home/xguest/\.my\.cnf
++.br
++
++.br
++.B mysqld_log_t
++
++ /var/log/mysql.*
++.br
++
++.br
++.B mysqld_tmp_t
++
++
++.br
++.B mysqld_unit_file_t
++
++ /usr/lib/systemd/system/mysqld.*
++.br
++
++.br
++.B mysqld_var_run_t
++
++ /var/run/mysqld(/.*)?
++.br
++ /var/lib/mysql/mysql\.sock
++.br
++
++.br
++.B postgresql_db_t
++
++ /var/lib/pgsql(/.*)?
++.br
++ /var/lib/sepgsql(/.*)?
++.br
++ /var/lib/postgres(ql)?(/.*)?
++.br
++ /usr/share/jonas/pgsql(/.*)?
++.br
++ /usr/lib/pgsql/test/regress(/.*)?
++.br
++
++.br
++.B postgresql_etc_t
++
++ /etc/postgresql(/.*)?
++.br
++ /etc/sysconfig/pgsql(/.*)?
++.br
++
++.br
++.B postgresql_log_t
++
++ /var/lib/pgsql/.*\.log
++.br
++ /var/log/rhdb/rhdb(/.*)?
++.br
++ /var/log/postgresql(/.*)?
++.br
++ /var/log/postgres\.log.*
++.br
++ /var/lib/pgsql/logfile(/.*)?
++.br
++ /var/log/sepostgresql\.log.*
++.br
++ /var/lib/sepgsql/pgstartup\.log
++.br
++
++.br
++.B postgresql_tmp_t
++
++
++.br
++.B postgresql_var_run_t
++
++ /var/run/postgresql(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dbadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/dbskkd_selinux.8 b/man/man8/dbskkd_selinux.8
+new file mode 100644
+index 0000000..be5dff8
+--- /dev/null
++++ b/man/man8/dbskkd_selinux.8
+@@ -0,0 +1,154 @@
++.TH "dbskkd_selinux" "8" "12-11-01" "dbskkd" "SELinux Policy documentation for dbskkd"
++.SH "NAME"
++dbskkd_selinux \- Security Enhanced Linux Policy for the dbskkd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dbskkd processes via flexible mandatory access control.
++
++The dbskkd processes execute with the dbskkd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dbskkd_t
++
++
++.SH "ENTRYPOINTS"
++
++The dbskkd_t SELinux type can be entered via the "dbskkd_exec_t" file type. The default entrypoint paths for the dbskkd_t domain are the following:"
++
++/usr/sbin/dbskkd-cdb
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dbskkd policy is very flexible allowing users to setup their dbskkd processes in as secure a method as possible.
++.PP
++The following process types are defined for dbskkd:
++
++.EX
++.B dbskkd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dbskkd policy is very flexible allowing users to setup their dbskkd processes in as secure a method as possible.
++.PP
++The following file types are defined for dbskkd:
++
++
++.EX
++.PP
++.B dbskkd_exec_t
++.EE
++
++- Set files with the dbskkd_exec_t type, if you want to transition an executable to the dbskkd_t domain.
++
++
++.EX
++.PP
++.B dbskkd_tmp_t
++.EE
++
++- Set files with the dbskkd_tmp_t type, if you want to store dbskkd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dbskkd_var_run_t
++.EE
++
++- Set files with the dbskkd_var_run_t type, if you want to store the dbskkd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux dbskkd policy is very flexible allowing users to setup their dbskkd processes in as secure a method as possible.
++.PP
++The following port types are defined for dbskkd:
++
++.EX
++.TP 5
++.B dbskkd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 1178
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type dbskkd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dbskkd_tmp_t
++
++
++.br
++.B dbskkd_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dbskkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dbskkd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dbskkd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/dcc_client_selinux.8 b/man/man8/dcc_client_selinux.8
+new file mode 100644
+index 0000000..bba5677
+--- /dev/null
++++ b/man/man8/dcc_client_selinux.8
+@@ -0,0 +1,147 @@
++.TH "dcc_client_selinux" "8" "12-11-01" "dcc_client" "SELinux Policy documentation for dcc_client"
++.SH "NAME"
++dcc_client_selinux \- Security Enhanced Linux Policy for the dcc_client processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dcc_client processes via flexible mandatory access control.
++
++The dcc_client processes execute with the dcc_client_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dcc_client_t
++
++
++.SH "ENTRYPOINTS"
++
++The dcc_client_t SELinux type can be entered via the "dcc_client_exec_t" file type. The default entrypoint paths for the dcc_client_t domain are the following:"
++
++/usr/bin/dccproc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dcc_client policy is very flexible allowing users to setup their dcc_client processes in as secure a method as possible.
++.PP
++The following process types are defined for dcc_client:
++
++.EX
++.B dcc_client_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dcc_client policy is very flexible allowing users to setup their dcc_client processes in as secure a method as possible.
++.PP
++The following file types are defined for dcc_client:
++
++
++.EX
++.PP
++.B dcc_client_exec_t
++.EE
++
++- Set files with the dcc_client_exec_t type, if you want to transition an executable to the dcc_client_t domain.
++
++
++.EX
++.PP
++.B dcc_client_map_t
++.EE
++
++- Set files with the dcc_client_map_t type, if you want to treat the files as dcc client map data.
++
++
++.EX
++.PP
++.B dcc_client_tmp_t
++.EE
++
++- Set files with the dcc_client_tmp_t type, if you want to store dcc client temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dcc_client_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dcc_client_map_t
++
++ /etc/dcc/map
++.br
++ /var/dcc/map
++.br
++ /var/lib/dcc/map
++.br
++ /var/run/dcc/map
++.br
++
++.br
++.B dcc_client_tmp_t
++
++
++.br
++.B dcc_var_t
++
++ /etc/dcc(/.*)?
++.br
++ /var/dcc(/.*)?
++.br
++ /var/lib/dcc(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dcc_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dcc_client_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dcc_client(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, dcc_dbclean_selinux(8), dccd_selinux(8), dccifd_selinux(8), dccm_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/dcc_dbclean_selinux.8 b/man/man8/dcc_dbclean_selinux.8
+new file mode 100644
+index 0000000..e4168aa
+--- /dev/null
++++ b/man/man8/dcc_dbclean_selinux.8
+@@ -0,0 +1,139 @@
++.TH "dcc_dbclean_selinux" "8" "12-11-01" "dcc_dbclean" "SELinux Policy documentation for dcc_dbclean"
++.SH "NAME"
++dcc_dbclean_selinux \- Security Enhanced Linux Policy for the dcc_dbclean processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dcc_dbclean processes via flexible mandatory access control.
++
++The dcc_dbclean processes execute with the dcc_dbclean_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dcc_dbclean_t
++
++
++.SH "ENTRYPOINTS"
++
++The dcc_dbclean_t SELinux type can be entered via the "dcc_dbclean_exec_t" file type. The default entrypoint paths for the dcc_dbclean_t domain are the following:"
++
++/usr/libexec/dcc/dbclean
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dcc_dbclean policy is very flexible allowing users to setup their dcc_dbclean processes in as secure a method as possible.
++.PP
++The following process types are defined for dcc_dbclean:
++
++.EX
++.B dcc_dbclean_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dcc_dbclean policy is very flexible allowing users to setup their dcc_dbclean processes in as secure a method as possible.
++.PP
++The following file types are defined for dcc_dbclean:
++
++
++.EX
++.PP
++.B dcc_dbclean_exec_t
++.EE
++
++- Set files with the dcc_dbclean_exec_t type, if you want to transition an executable to the dcc_dbclean_t domain.
++
++
++.EX
++.PP
++.B dcc_dbclean_tmp_t
++.EE
++
++- Set files with the dcc_dbclean_tmp_t type, if you want to store dcc dbclean temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dcc_dbclean_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dcc_client_map_t
++
++ /etc/dcc/map
++.br
++ /var/dcc/map
++.br
++ /var/lib/dcc/map
++.br
++ /var/run/dcc/map
++.br
++
++.br
++.B dcc_dbclean_tmp_t
++
++
++.br
++.B dcc_var_t
++
++ /etc/dcc(/.*)?
++.br
++ /var/dcc(/.*)?
++.br
++ /var/lib/dcc(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dcc_dbclean_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dcc_dbclean_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dcc_dbclean(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, dcc_client_selinux(8), dccd_selinux(8), dccifd_selinux(8), dccm_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/dccd_selinux.8 b/man/man8/dccd_selinux.8
+new file mode 100644
+index 0000000..ea14c8d
+--- /dev/null
++++ b/man/man8/dccd_selinux.8
+@@ -0,0 +1,190 @@
++.TH "dccd_selinux" "8" "12-11-01" "dccd" "SELinux Policy documentation for dccd"
++.SH "NAME"
++dccd_selinux \- Security Enhanced Linux Policy for the dccd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dccd processes via flexible mandatory access control.
++
++The dccd processes execute with the dccd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dccd_t
++
++
++.SH "ENTRYPOINTS"
++
++The dccd_t SELinux type can be entered via the "dccd_exec_t" file type. The default entrypoint paths for the dccd_t domain are the following:"
++
++/usr/libexec/dcc/dccd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible.
++.PP
++The following process types are defined for dccd:
++
++.EX
++.B dccm_t, dcc_client_t, dcc_dbclean_t, dccifd_t, dccd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible.
++.PP
++The following file types are defined for dccd:
++
++
++.EX
++.PP
++.B dccd_exec_t
++.EE
++
++- Set files with the dccd_exec_t type, if you want to transition an executable to the dccd_t domain.
++
++
++.EX
++.PP
++.B dccd_tmp_t
++.EE
++
++- Set files with the dccd_tmp_t type, if you want to store dccd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dccd_var_run_t
++.EE
++
++- Set files with the dccd_var_run_t type, if you want to store the dccd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible.
++.PP
++The following port types are defined for dccd:
++
++.EX
++.TP 5
++.B dcc_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 6276,6277
++.EE
++
++.EX
++.TP 5
++.B dccm_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 5679
++.EE
++udp 5679
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type dccd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dcc_client_map_t
++
++ /etc/dcc/map
++.br
++ /var/dcc/map
++.br
++ /var/lib/dcc/map
++.br
++ /var/run/dcc/map
++.br
++
++.br
++.B dcc_var_t
++
++ /etc/dcc(/.*)?
++.br
++ /var/dcc(/.*)?
++.br
++ /var/lib/dcc(/.*)?
++.br
++
++.br
++.B dccd_tmp_t
++
++
++.br
++.B dccd_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dccd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, dcc_client_selinux(8), dcc_dbclean_selinux(8), dccifd_selinux(8), dccm_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/dccifd_selinux.8 b/man/man8/dccifd_selinux.8
+new file mode 100644
+index 0000000..3c8baf4
+--- /dev/null
++++ b/man/man8/dccifd_selinux.8
+@@ -0,0 +1,154 @@
++.TH "dccifd_selinux" "8" "12-11-01" "dccifd" "SELinux Policy documentation for dccifd"
++.SH "NAME"
++dccifd_selinux \- Security Enhanced Linux Policy for the dccifd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dccifd processes via flexible mandatory access control.
++
++The dccifd processes execute with the dccifd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dccifd_t
++
++
++.SH "ENTRYPOINTS"
++
++The dccifd_t SELinux type can be entered via the "dccifd_exec_t" file type. The default entrypoint paths for the dccifd_t domain are the following:"
++
++/usr/libexec/dcc/dccifd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dccifd policy is very flexible allowing users to setup their dccifd processes in as secure a method as possible.
++.PP
++The following process types are defined for dccifd:
++
++.EX
++.B dccifd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dccifd policy is very flexible allowing users to setup their dccifd processes in as secure a method as possible.
++.PP
++The following file types are defined for dccifd:
++
++
++.EX
++.PP
++.B dccifd_exec_t
++.EE
++
++- Set files with the dccifd_exec_t type, if you want to transition an executable to the dccifd_t domain.
++
++
++.EX
++.PP
++.B dccifd_tmp_t
++.EE
++
++- Set files with the dccifd_tmp_t type, if you want to store dccifd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dccifd_var_run_t
++.EE
++
++- Set files with the dccifd_var_run_t type, if you want to store the dccifd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dccifd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dcc_client_map_t
++
++ /etc/dcc/map
++.br
++ /var/dcc/map
++.br
++ /var/lib/dcc/map
++.br
++ /var/run/dcc/map
++.br
++
++.br
++.B dcc_var_t
++
++ /etc/dcc(/.*)?
++.br
++ /var/dcc(/.*)?
++.br
++ /var/lib/dcc(/.*)?
++.br
++
++.br
++.B dccifd_tmp_t
++
++
++.br
++.B dccifd_var_run_t
++
++ /etc/dcc/dccifd
++.br
++ /var/run/dcc/dccifd
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccifd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dccifd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dccifd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/dccm_selinux.8 b/man/man8/dccm_selinux.8
+new file mode 100644
+index 0000000..58a004a
+--- /dev/null
++++ b/man/man8/dccm_selinux.8
+@@ -0,0 +1,178 @@
++.TH "dccm_selinux" "8" "12-11-01" "dccm" "SELinux Policy documentation for dccm"
++.SH "NAME"
++dccm_selinux \- Security Enhanced Linux Policy for the dccm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dccm processes via flexible mandatory access control.
++
++The dccm processes execute with the dccm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dccm_t
++
++
++.SH "ENTRYPOINTS"
++
++The dccm_t SELinux type can be entered via the "dccm_exec_t" file type. The default entrypoint paths for the dccm_t domain are the following:"
++
++/usr/libexec/dcc/dccm
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dccm policy is very flexible allowing users to setup their dccm processes in as secure a method as possible.
++.PP
++The following process types are defined for dccm:
++
++.EX
++.B dccm_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dccm policy is very flexible allowing users to setup their dccm processes in as secure a method as possible.
++.PP
++The following file types are defined for dccm:
++
++
++.EX
++.PP
++.B dccm_exec_t
++.EE
++
++- Set files with the dccm_exec_t type, if you want to transition an executable to the dccm_t domain.
++
++
++.EX
++.PP
++.B dccm_tmp_t
++.EE
++
++- Set files with the dccm_tmp_t type, if you want to store dccm temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dccm_var_run_t
++.EE
++
++- Set files with the dccm_var_run_t type, if you want to store the dccm files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux dccm policy is very flexible allowing users to setup their dccm processes in as secure a method as possible.
++.PP
++The following port types are defined for dccm:
++
++.EX
++.TP 5
++.B dccm_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 5679
++.EE
++udp 5679
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type dccm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dcc_client_map_t
++
++ /etc/dcc/map
++.br
++ /var/dcc/map
++.br
++ /var/lib/dcc/map
++.br
++ /var/run/dcc/map
++.br
++
++.br
++.B dcc_var_t
++
++ /etc/dcc(/.*)?
++.br
++ /var/dcc(/.*)?
++.br
++ /var/lib/dcc(/.*)?
++.br
++
++.br
++.B dccm_tmp_t
++
++
++.br
++.B dccm_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dccm_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dccm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/dcerpcd_selinux.8 b/man/man8/dcerpcd_selinux.8
+new file mode 100644
+index 0000000..857f141
+--- /dev/null
++++ b/man/man8/dcerpcd_selinux.8
+@@ -0,0 +1,124 @@
++.TH "dcerpcd_selinux" "8" "12-11-01" "dcerpcd" "SELinux Policy documentation for dcerpcd"
++.SH "NAME"
++dcerpcd_selinux \- Security Enhanced Linux Policy for the dcerpcd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dcerpcd processes via flexible mandatory access control.
++
++The dcerpcd processes execute with the dcerpcd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dcerpcd_t
++
++
++.SH "ENTRYPOINTS"
++
++The dcerpcd_t SELinux type can be entered via the "dcerpcd_exec_t" file type. The default entrypoint paths for the dcerpcd_t domain are the following:"
++
++/usr/sbin/dcerpcd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dcerpcd policy is very flexible allowing users to setup their dcerpcd processes in as secure a method as possible.
++.PP
++The following process types are defined for dcerpcd:
++
++.EX
++.B dcerpcd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dcerpcd policy is very flexible allowing users to setup their dcerpcd processes in as secure a method as possible.
++.PP
++The following file types are defined for dcerpcd:
++
++
++.EX
++.PP
++.B dcerpcd_exec_t
++.EE
++
++- Set files with the dcerpcd_exec_t type, if you want to transition an executable to the dcerpcd_t domain.
++
++
++.EX
++.PP
++.B dcerpcd_var_lib_t
++.EE
++
++- Set files with the dcerpcd_var_lib_t type, if you want to store the dcerpcd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B dcerpcd_var_run_t
++.EE
++
++- Set files with the dcerpcd_var_run_t type, if you want to store the dcerpcd files under the /run directory.
++
++
++.EX
++.PP
++.B dcerpcd_var_socket_t
++.EE
++
++- Set files with the dcerpcd_var_socket_t type, if you want to treat the files as dcerpcd var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dcerpcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dcerpcd_var_lib_t
++
++ /var/lib/likewise-open/run/rpcdep.dat
++.br
++
++.br
++.B dcerpcd_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dcerpcd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ddclient_selinux.8 b/man/man8/ddclient_selinux.8
+new file mode 100644
+index 0000000..43a6aa0
+--- /dev/null
++++ b/man/man8/ddclient_selinux.8
+@@ -0,0 +1,176 @@
++.TH "ddclient_selinux" "8" "12-11-01" "ddclient" "SELinux Policy documentation for ddclient"
++.SH "NAME"
++ddclient_selinux \- Security Enhanced Linux Policy for the ddclient processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ddclient processes via flexible mandatory access control.
++
++The ddclient processes execute with the ddclient_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ddclient_t
++
++
++.SH "ENTRYPOINTS"
++
++The ddclient_t SELinux type can be entered via the "ddclient_exec_t" file type. The default entrypoint paths for the ddclient_t domain are the following:"
++
++/usr/sbin/ddtcd, /usr/sbin/ddclient
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ddclient policy is very flexible allowing users to setup their ddclient processes in as secure a method as possible.
++.PP
++The following process types are defined for ddclient:
++
++.EX
++.B ddclient_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ddclient policy is very flexible allowing users to setup their ddclient processes in as secure a method as possible.
++.PP
++The following file types are defined for ddclient:
++
++
++.EX
++.PP
++.B ddclient_etc_t
++.EE
++
++- Set files with the ddclient_etc_t type, if you want to store ddclient files in the /etc directories.
++
++
++.EX
++.PP
++.B ddclient_exec_t
++.EE
++
++- Set files with the ddclient_exec_t type, if you want to transition an executable to the ddclient_t domain.
++
++
++.EX
++.PP
++.B ddclient_initrc_exec_t
++.EE
++
++- Set files with the ddclient_initrc_exec_t type, if you want to transition an executable to the ddclient_initrc_t domain.
++
++
++.EX
++.PP
++.B ddclient_log_t
++.EE
++
++- Set files with the ddclient_log_t type, if you want to treat the data as ddclient log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ddclient_tmp_t
++.EE
++
++- Set files with the ddclient_tmp_t type, if you want to store ddclient temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ddclient_var_lib_t
++.EE
++
++- Set files with the ddclient_var_lib_t type, if you want to store the ddclient files under the /var/lib directory.
++
++
++.EX
++.PP
++.B ddclient_var_run_t
++.EE
++
++- Set files with the ddclient_var_run_t type, if you want to store the ddclient files under the /run directory.
++
++
++.EX
++.PP
++.B ddclient_var_t
++.EE
++
++- Set files with the ddclient_var_t type, if you want to store the ddcl files under the /var directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type ddclient_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ddclient_log_t
++
++ /var/log/ddtcd\.log.*
++.br
++
++.br
++.B ddclient_tmp_t
++
++
++.br
++.B ddclient_var_lib_t
++
++ /var/lib/ddt-client(/.*)?
++.br
++
++.br
++.B ddclient_var_run_t
++
++ /var/run/ddtcd\.pid
++.br
++ /var/run/ddclient\.pid
++.br
++
++.br
++.B ddclient_var_t
++
++ /var/cache/ddclient(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ddclient(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/deltacloudd_selinux.8 b/man/man8/deltacloudd_selinux.8
+new file mode 100644
+index 0000000..c0b2b2f
+--- /dev/null
++++ b/man/man8/deltacloudd_selinux.8
+@@ -0,0 +1,142 @@
++.TH "deltacloudd_selinux" "8" "12-11-01" "deltacloudd" "SELinux Policy documentation for deltacloudd"
++.SH "NAME"
++deltacloudd_selinux \- Security Enhanced Linux Policy for the deltacloudd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the deltacloudd processes via flexible mandatory access control.
++
++The deltacloudd processes execute with the deltacloudd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep deltacloudd_t
++
++
++.SH "ENTRYPOINTS"
++
++The deltacloudd_t SELinux type can be entered via the "deltacloudd_exec_t" file type. The default entrypoint paths for the deltacloudd_t domain are the following:"
++
++/usr/bin/deltacloudd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux deltacloudd policy is very flexible allowing users to setup their deltacloudd processes in as secure a method as possible.
++.PP
++The following process types are defined for deltacloudd:
++
++.EX
++.B deltacloudd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux deltacloudd policy is very flexible allowing users to setup their deltacloudd processes in as secure a method as possible.
++.PP
++The following file types are defined for deltacloudd:
++
++
++.EX
++.PP
++.B deltacloudd_exec_t
++.EE
++
++- Set files with the deltacloudd_exec_t type, if you want to transition an executable to the deltacloudd_t domain.
++
++
++.EX
++.PP
++.B deltacloudd_log_t
++.EE
++
++- Set files with the deltacloudd_log_t type, if you want to treat the data as deltacloudd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B deltacloudd_tmp_t
++.EE
++
++- Set files with the deltacloudd_tmp_t type, if you want to store deltacloudd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B deltacloudd_var_run_t
++.EE
++
++- Set files with the deltacloudd_var_run_t type, if you want to store the deltacloudd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type deltacloudd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B deltacloudd_log_t
++
++ /var/log/deltacloud-core(/.*)?
++.br
++
++.br
++.B deltacloudd_tmp_t
++
++
++.br
++.B deltacloudd_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the deltacloudd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the deltacloudd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), deltacloudd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/denyhosts_selinux.8 b/man/man8/denyhosts_selinux.8
+new file mode 100644
+index 0000000..ec75026
+--- /dev/null
++++ b/man/man8/denyhosts_selinux.8
+@@ -0,0 +1,174 @@
++.TH "denyhosts_selinux" "8" "12-11-01" "denyhosts" "SELinux Policy documentation for denyhosts"
++.SH "NAME"
++denyhosts_selinux \- Security Enhanced Linux Policy for the denyhosts processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the denyhosts processes via flexible mandatory access control.
++
++The denyhosts processes execute with the denyhosts_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep denyhosts_t
++
++
++.SH "ENTRYPOINTS"
++
++The denyhosts_t SELinux type can be entered via the "denyhosts_exec_t" file type. The default entrypoint paths for the denyhosts_t domain are the following:"
++
++/usr/bin/denyhosts\.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux denyhosts policy is very flexible allowing users to setup their denyhosts processes in as secure a method as possible.
++.PP
++The following process types are defined for denyhosts:
++
++.EX
++.B denyhosts_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux denyhosts policy is very flexible allowing users to setup their denyhosts processes in as secure a method as possible.
++.PP
++The following file types are defined for denyhosts:
++
++
++.EX
++.PP
++.B denyhosts_exec_t
++.EE
++
++- Set files with the denyhosts_exec_t type, if you want to transition an executable to the denyhosts_t domain.
++
++
++.EX
++.PP
++.B denyhosts_initrc_exec_t
++.EE
++
++- Set files with the denyhosts_initrc_exec_t type, if you want to transition an executable to the denyhosts_initrc_t domain.
++
++
++.EX
++.PP
++.B denyhosts_var_lib_t
++.EE
++
++- Set files with the denyhosts_var_lib_t type, if you want to store the denyhosts files under the /var/lib directory.
++
++
++.EX
++.PP
++.B denyhosts_var_lock_t
++.EE
++
++- Set files with the denyhosts_var_lock_t type, if you want to treat the files as denyhosts var lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B denyhosts_var_log_t
++.EE
++
++- Set files with the denyhosts_var_log_t type, if you want to treat the data as denyhosts var log data, usually stored under the /var/log directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type denyhosts_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B denyhosts_var_lib_t
++
++ /var/lib/denyhosts(/.*)?
++.br
++
++.br
++.B denyhosts_var_lock_t
++
++ /var/lock/subsys/denyhosts
++.br
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the denyhosts_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the denyhosts_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), denyhosts(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/depmod_selinux.8 b/man/man8/depmod_selinux.8
+new file mode 100644
+index 0000000..86e670e
+--- /dev/null
++++ b/man/man8/depmod_selinux.8
+@@ -0,0 +1,112 @@
++.TH "depmod_selinux" "8" "12-11-01" "depmod" "SELinux Policy documentation for depmod"
++.SH "NAME"
++depmod_selinux \- Security Enhanced Linux Policy for the depmod processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the depmod processes via flexible mandatory access control.
++
++The depmod processes execute with the depmod_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep depmod_t
++
++
++.SH "ENTRYPOINTS"
++
++The depmod_t SELinux type can be entered via the "depmod_exec_t" file type. The default entrypoint paths for the depmod_t domain are the following:"
++
++/sbin/depmod.*, /usr/sbin/depmod.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux depmod policy is very flexible allowing users to setup their depmod processes in as secure a method as possible.
++.PP
++The following process types are defined for depmod:
++
++.EX
++.B depmod_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux depmod policy is very flexible allowing users to setup their depmod processes in as secure a method as possible.
++.PP
++The following file types are defined for depmod:
++
++
++.EX
++.PP
++.B depmod_exec_t
++.EE
++
++- Set files with the depmod_exec_t type, if you want to transition an executable to the depmod_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type depmod_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B modules_dep_t
++
++ /lib/modules/[^/]+/modules\..+
++.br
++
++.br
++.B rpm_script_tmp_t
++
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), depmod(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/devicekit_disk_selinux.8 b/man/man8/devicekit_disk_selinux.8
+new file mode 100644
+index 0000000..cbce236
+--- /dev/null
++++ b/man/man8/devicekit_disk_selinux.8
+@@ -0,0 +1,163 @@
++.TH "devicekit_disk_selinux" "8" "12-11-01" "devicekit_disk" "SELinux Policy documentation for devicekit_disk"
++.SH "NAME"
++devicekit_disk_selinux \- Security Enhanced Linux Policy for the devicekit_disk processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the devicekit_disk processes via flexible mandatory access control.
++
++The devicekit_disk processes execute with the devicekit_disk_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep devicekit_disk_t
++
++
++.SH "ENTRYPOINTS"
++
++The devicekit_disk_t SELinux type can be entered via the "devicekit_disk_exec_t" file type. The default entrypoint paths for the devicekit_disk_t domain are the following:"
++
++/lib/udisks2/udisksd, /lib/udev/udisks-part-id, /usr/lib/udisks2/udisksd, /usr/libexec/udisks-daemon, /usr/lib/udev/udisks-part-id, /usr/lib/udisks/udisks-daemon, /usr/libexec/devkit-disks-daemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux devicekit_disk policy is very flexible allowing users to setup their devicekit_disk processes in as secure a method as possible.
++.PP
++The following process types are defined for devicekit_disk:
++
++.EX
++.B devicekit_disk_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux devicekit_disk policy is very flexible allowing users to setup their devicekit_disk processes in as secure a method as possible.
++.PP
++The following file types are defined for devicekit_disk:
++
++
++.EX
++.PP
++.B devicekit_disk_exec_t
++.EE
++
++- Set files with the devicekit_disk_exec_t type, if you want to transition an executable to the devicekit_disk_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type devicekit_disk_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B device_t
++
++ /dev/.*
++.br
++ /lib/udev/devices(/.*)?
++.br
++ /usr/lib/udev/devices(/.*)?
++.br
++ /dev
++.br
++ /etc/udev/devices
++.br
++ /var/named/chroot/dev
++.br
++ /var/spool/postfix/dev
++.br
++
++.br
++.B devicekit_tmp_t
++
++
++.br
++.B devicekit_var_lib_t
++
++ /var/lib/udisks.*
++.br
++ /var/lib/upower(/.*)?
++.br
++ /var/lib/DeviceKit-.*
++.br
++
++.br
++.B devicekit_var_run_t
++
++ /var/run/udisks.*
++.br
++ /var/run/devkit(/.*)?
++.br
++ /var/run/upower(/.*)?
++.br
++ /var/run/pm-utils(/.*)?
++.br
++ /var/run/DeviceKit-disks(/.*)?
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B virt_image_type
++
++ all virtual image files
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_disk_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the devicekit_disk_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), devicekit_disk(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, devicekit_selinux(8), devicekit_selinux(8), devicekit_power_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/devicekit_power_selinux.8 b/man/man8/devicekit_power_selinux.8
+new file mode 100644
+index 0000000..ef9c4c3
+--- /dev/null
++++ b/man/man8/devicekit_power_selinux.8
+@@ -0,0 +1,193 @@
++.TH "devicekit_power_selinux" "8" "12-11-01" "devicekit_power" "SELinux Policy documentation for devicekit_power"
++.SH "NAME"
++devicekit_power_selinux \- Security Enhanced Linux Policy for the devicekit_power processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the devicekit_power processes via flexible mandatory access control.
++
++The devicekit_power processes execute with the devicekit_power_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep devicekit_power_t
++
++
++.SH "ENTRYPOINTS"
++
++The devicekit_power_t SELinux type can be entered via the "devicekit_power_exec_t" file type. The default entrypoint paths for the devicekit_power_t domain are the following:"
++
++/usr/libexec/upowerd, /usr/libexec/devkit-power-daemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux devicekit_power policy is very flexible allowing users to setup their devicekit_power processes in as secure a method as possible.
++.PP
++The following process types are defined for devicekit_power:
++
++.EX
++.B devicekit_power_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux devicekit_power policy is very flexible allowing users to setup their devicekit_power processes in as secure a method as possible.
++.PP
++The following file types are defined for devicekit_power:
++
++
++.EX
++.PP
++.B devicekit_power_exec_t
++.EE
++
++- Set files with the devicekit_power_exec_t type, if you want to transition an executable to the devicekit_power_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type devicekit_power_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B config_home_t
++
++ /root/\.kde(/.*)?
++.br
++ /root/\.xine(/.*)?
++.br
++ /root/\.config(/.*)?
++.br
++ /var/run/user/[^/]*/dconf(/.*)?
++.br
++ /root/\.Xdefaults
++.br
++ /home/[^/]*/\.kde(/.*)?
++.br
++ /home/[^/]*/\.xine(/.*)?
++.br
++ /home/[^/]*/\.config(/.*)?
++.br
++ /home/[^/]*/\.Xdefaults
++.br
++ /home/dwalsh/\.kde(/.*)?
++.br
++ /home/dwalsh/\.xine(/.*)?
++.br
++ /home/dwalsh/\.config(/.*)?
++.br
++ /home/dwalsh/\.Xdefaults
++.br
++ /var/lib/xguest/home/xguest/\.kde(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.xine(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.config(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.Xdefaults
++.br
++
++.br
++.B devicekit_tmp_t
++
++
++.br
++.B devicekit_var_lib_t
++
++ /var/lib/udisks.*
++.br
++ /var/lib/upower(/.*)?
++.br
++ /var/lib/DeviceKit-.*
++.br
++
++.br
++.B devicekit_var_log_t
++
++ /var/log/pm-suspend\.log.*
++.br
++ /var/log/pm-powersave\.log.*
++.br
++
++.br
++.B devicekit_var_run_t
++
++ /var/run/udisks.*
++.br
++ /var/run/devkit(/.*)?
++.br
++ /var/run/upower(/.*)?
++.br
++ /var/run/pm-utils(/.*)?
++.br
++ /var/run/DeviceKit-disks(/.*)?
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_power_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the devicekit_power_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), devicekit_power(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, devicekit_selinux(8), devicekit_selinux(8), devicekit_disk_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/devicekit_selinux.8 b/man/man8/devicekit_selinux.8
+new file mode 100644
+index 0000000..94f8331
+--- /dev/null
++++ b/man/man8/devicekit_selinux.8
+@@ -0,0 +1,167 @@
++.TH "devicekit_selinux" "8" "12-11-01" "devicekit" "SELinux Policy documentation for devicekit"
++.SH "NAME"
++devicekit_selinux \- Security Enhanced Linux Policy for the devicekit processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the devicekit processes via flexible mandatory access control.
++
++The devicekit processes execute with the devicekit_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep devicekit_t
++
++
++.SH "ENTRYPOINTS"
++
++The devicekit_t SELinux type can be entered via the "devicekit_exec_t" file type. The default entrypoint paths for the devicekit_t domain are the following:"
++
++/usr/libexec/devkit-daemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux devicekit policy is very flexible allowing users to setup their devicekit processes in as secure a method as possible.
++.PP
++The following process types are defined for devicekit:
++
++.EX
++.B devicekit_power_t, devicekit_disk_t, devicekit_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux devicekit policy is very flexible allowing users to setup their devicekit processes in as secure a method as possible.
++.PP
++The following file types are defined for devicekit:
++
++
++.EX
++.PP
++.B devicekit_disk_exec_t
++.EE
++
++- Set files with the devicekit_disk_exec_t type, if you want to transition an executable to the devicekit_disk_t domain.
++
++
++.EX
++.PP
++.B devicekit_exec_t
++.EE
++
++- Set files with the devicekit_exec_t type, if you want to transition an executable to the devicekit_t domain.
++
++
++.EX
++.PP
++.B devicekit_power_exec_t
++.EE
++
++- Set files with the devicekit_power_exec_t type, if you want to transition an executable to the devicekit_power_t domain.
++
++
++.EX
++.PP
++.B devicekit_tmp_t
++.EE
++
++- Set files with the devicekit_tmp_t type, if you want to store devicekit temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B devicekit_var_lib_t
++.EE
++
++- Set files with the devicekit_var_lib_t type, if you want to store the devicekit files under the /var/lib directory.
++
++
++.EX
++.PP
++.B devicekit_var_log_t
++.EE
++
++- Set files with the devicekit_var_log_t type, if you want to treat the data as devicekit var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B devicekit_var_run_t
++.EE
++
++- Set files with the devicekit_var_run_t type, if you want to store the devicekit files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type devicekit_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B devicekit_var_run_t
++
++ /var/run/udisks.*
++.br
++ /var/run/devkit(/.*)?
++.br
++ /var/run/upower(/.*)?
++.br
++ /var/run/pm-utils(/.*)?
++.br
++ /var/run/DeviceKit-disks(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_disk_t, devicekit_power_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the devicekit_disk_t, devicekit_power_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), devicekit(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, devicekit_disk_selinux(8), devicekit_power_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/dhcpc_selinux.8 b/man/man8/dhcpc_selinux.8
+new file mode 100644
+index 0000000..b0c446f
+--- /dev/null
++++ b/man/man8/dhcpc_selinux.8
+@@ -0,0 +1,256 @@
++.TH "dhcpc_selinux" "8" "12-11-01" "dhcpc" "SELinux Policy documentation for dhcpc"
++.SH "NAME"
++dhcpc_selinux \- Security Enhanced Linux Policy for the dhcpc processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dhcpc processes via flexible mandatory access control.
++
++The dhcpc processes execute with the dhcpc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dhcpc_t
++
++
++.SH "ENTRYPOINTS"
++
++The dhcpc_t SELinux type can be entered via the "dhcpc_exec_t" file type. The default entrypoint paths for the dhcpc_t domain are the following:"
++
++/sbin/dhclient.*, /usr/sbin/dhclient.*, /sbin/pump, /sbin/dhcdbd, /sbin/dhcpcd, /usr/sbin/pump, /usr/sbin/dhcdbd, /usr/sbin/dhcpcd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dhcpc policy is very flexible allowing users to setup their dhcpc processes in as secure a method as possible.
++.PP
++The following process types are defined for dhcpc:
++
++.EX
++.B dhcpc_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. dhcpc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpc with the tightest access possible.
++
++
++.PP
++If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
++
++.EX
++.B setsebool -P dhcpc_exec_iptables 1
++.EE
++
++.PP
++If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
++
++.EX
++.B setsebool -P dhcpc_exec_iptables 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dhcpc policy is very flexible allowing users to setup their dhcpc processes in as secure a method as possible.
++.PP
++The following file types are defined for dhcpc:
++
++
++.EX
++.PP
++.B dhcpc_exec_t
++.EE
++
++- Set files with the dhcpc_exec_t type, if you want to transition an executable to the dhcpc_t domain.
++
++
++.EX
++.PP
++.B dhcpc_helper_exec_t
++.EE
++
++- Set files with the dhcpc_helper_exec_t type, if you want to transition an executable to the dhcpc_helper_t domain.
++
++
++.EX
++.PP
++.B dhcpc_state_t
++.EE
++
++- Set files with the dhcpc_state_t type, if you want to treat the files as dhcpc state data.
++
++
++.EX
++.PP
++.B dhcpc_tmp_t
++.EE
++
++- Set files with the dhcpc_tmp_t type, if you want to store dhcpc temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dhcpc_var_run_t
++.EE
++
++- Set files with the dhcpc_var_run_t type, if you want to store the dhcpc files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux dhcpc policy is very flexible allowing users to setup their dhcpc processes in as secure a method as possible.
++.PP
++The following port types are defined for dhcpc:
++
++.EX
++.TP 5
++.B dhcpc_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 68,546
++.EE
++udp 68,546
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type dhcpc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dhcpc_state_t
++
++ /var/lib/dhcp3?/dhclient.*
++.br
++ /var/lib/dhcpcd(/.*)?
++.br
++ /var/lib/dhclient(/.*)?
++.br
++ /var/lib/wifiroamd(/.*)?
++.br
++
++.br
++.B dhcpc_tmp_t
++
++
++.br
++.B dhcpc_var_run_t
++
++ /var/run/dhcpcd(/.*)?
++.br
++ /var/run/dhclient.*
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dhcpc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dhcpc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/dhcpd_selinux.8 b/man/man8/dhcpd_selinux.8
+new file mode 100644
+index 0000000..73cc04d
+--- /dev/null
++++ b/man/man8/dhcpd_selinux.8
+@@ -0,0 +1,239 @@
++.TH "dhcpd_selinux" "8" "12-11-01" "dhcpd" "SELinux Policy documentation for dhcpd"
++.SH "NAME"
++dhcpd_selinux \- Security Enhanced Linux Policy for the dhcpd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dhcpd processes via flexible mandatory access control.
++
++The dhcpd processes execute with the dhcpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dhcpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The dhcpd_t SELinux type can be entered via the "dhcpd_exec_t" file type. The default entrypoint paths for the dhcpd_t domain are the following:"
++
++/usr/sbin/dhcpd.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible.
++.PP
++The following process types are defined for dhcpd:
++
++.EX
++.B dhcpc_t, dhcpd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. dhcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpd with the tightest access possible.
++
++
++.PP
++If you want to allow DHCP daemon to use LDAP backends, you must turn on the dhcpd_use_ldap boolean.
++
++.EX
++.B setsebool -P dhcpd_use_ldap 1
++.EE
++
++.PP
++If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
++
++.EX
++.B setsebool -P dhcpc_exec_iptables 1
++.EE
++
++.PP
++If you want to allow DHCP daemon to use LDAP backends, you must turn on the dhcpd_use_ldap boolean.
++
++.EX
++.B setsebool -P dhcpd_use_ldap 1
++.EE
++
++.PP
++If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
++
++.EX
++.B setsebool -P dhcpc_exec_iptables 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible.
++.PP
++The following file types are defined for dhcpd:
++
++
++.EX
++.PP
++.B dhcpd_exec_t
++.EE
++
++- Set files with the dhcpd_exec_t type, if you want to transition an executable to the dhcpd_t domain.
++
++
++.EX
++.PP
++.B dhcpd_initrc_exec_t
++.EE
++
++- Set files with the dhcpd_initrc_exec_t type, if you want to transition an executable to the dhcpd_initrc_t domain.
++
++
++.EX
++.PP
++.B dhcpd_state_t
++.EE
++
++- Set files with the dhcpd_state_t type, if you want to treat the files as dhcpd state data.
++
++
++.EX
++.PP
++.B dhcpd_tmp_t
++.EE
++
++- Set files with the dhcpd_tmp_t type, if you want to store dhcpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dhcpd_unit_file_t
++.EE
++
++- Set files with the dhcpd_unit_file_t type, if you want to treat the files as dhcpd unit content.
++
++
++.EX
++.PP
++.B dhcpd_var_run_t
++.EE
++
++- Set files with the dhcpd_var_run_t type, if you want to store the dhcpd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible.
++.PP
++The following port types are defined for dhcpd:
++
++.EX
++.TP 5
++.B dhcpc_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 68,546
++.EE
++udp 68,546
++.EE
++
++.EX
++.TP 5
++.B dhcpd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 547,548,647,847,7911
++.EE
++udp 67,547,548,647,847
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type dhcpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dhcpd_state_t
++
++ /var/lib/dhcp(3)?/dhcpd\.leases.*
++.br
++ /var/lib/dhcpd(/.*)?
++.br
++
++.br
++.B dhcpd_tmp_t
++
++
++.br
++.B dhcpd_var_run_t
++
++ /var/run/dhcpd(6)?\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dhcpd_t, dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dhcpd_t, dhcpc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dhcpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), dhcpc_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/dictd_selinux.8 b/man/man8/dictd_selinux.8
+new file mode 100644
+index 0000000..cb1309a
+--- /dev/null
++++ b/man/man8/dictd_selinux.8
+@@ -0,0 +1,168 @@
++.TH "dictd_selinux" "8" "12-11-01" "dictd" "SELinux Policy documentation for dictd"
++.SH "NAME"
++dictd_selinux \- Security Enhanced Linux Policy for the dictd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dictd processes via flexible mandatory access control.
++
++The dictd processes execute with the dictd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dictd_t
++
++
++.SH "ENTRYPOINTS"
++
++The dictd_t SELinux type can be entered via the "dictd_exec_t" file type. The default entrypoint paths for the dictd_t domain are the following:"
++
++/usr/sbin/dictd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dictd policy is very flexible allowing users to setup their dictd processes in as secure a method as possible.
++.PP
++The following process types are defined for dictd:
++
++.EX
++.B dictd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dictd policy is very flexible allowing users to setup their dictd processes in as secure a method as possible.
++.PP
++The following file types are defined for dictd:
++
++
++.EX
++.PP
++.B dictd_etc_t
++.EE
++
++- Set files with the dictd_etc_t type, if you want to store dictd files in the /etc directories.
++
++
++.EX
++.PP
++.B dictd_exec_t
++.EE
++
++- Set files with the dictd_exec_t type, if you want to transition an executable to the dictd_t domain.
++
++
++.EX
++.PP
++.B dictd_initrc_exec_t
++.EE
++
++- Set files with the dictd_initrc_exec_t type, if you want to transition an executable to the dictd_initrc_t domain.
++
++
++.EX
++.PP
++.B dictd_var_lib_t
++.EE
++
++- Set files with the dictd_var_lib_t type, if you want to store the dictd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B dictd_var_run_t
++.EE
++
++- Set files with the dictd_var_run_t type, if you want to store the dictd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux dictd policy is very flexible allowing users to setup their dictd processes in as secure a method as possible.
++.PP
++The following port types are defined for dictd:
++
++.EX
++.TP 5
++.B dict_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 2628
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type dictd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dictd_var_run_t
++
++ /var/run/dictd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dictd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dictd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dictd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/dirsrv_selinux.8 b/man/man8/dirsrv_selinux.8
+new file mode 100644
+index 0000000..301dd74
+--- /dev/null
++++ b/man/man8/dirsrv_selinux.8
+@@ -0,0 +1,333 @@
++.TH "dirsrv_selinux" "8" "12-11-01" "dirsrv" "SELinux Policy documentation for dirsrv"
++.SH "NAME"
++dirsrv_selinux \- Security Enhanced Linux Policy for the dirsrv processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dirsrv processes via flexible mandatory access control.
++
++The dirsrv processes execute with the dirsrv_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dirsrv_t
++
++
++.SH "ENTRYPOINTS"
++
++The dirsrv_t SELinux type can be entered via the "dirsrv_exec_t" file type. The default entrypoint paths for the dirsrv_t domain are the following:"
++
++/usr/sbin/ns-slapd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dirsrv policy is very flexible allowing users to setup their dirsrv processes in as secure a method as possible.
++.PP
++The following process types are defined for dirsrv:
++
++.EX
++.B dirsrvadmin_unconfined_script_t, dirsrv_snmp_t, dirsrvadmin_t, dirsrv_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dirsrv policy is very flexible allowing users to setup their dirsrv processes in as secure a method as possible.
++.PP
++The following file types are defined for dirsrv:
++
++
++.EX
++.PP
++.B dirsrv_config_t
++.EE
++
++- Set files with the dirsrv_config_t type, if you want to treat the files as dirsrv configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B dirsrv_exec_t
++.EE
++
++- Set files with the dirsrv_exec_t type, if you want to transition an executable to the dirsrv_t domain.
++
++
++.EX
++.PP
++.B dirsrv_share_t
++.EE
++
++- Set files with the dirsrv_share_t type, if you want to treat the files as dirsrv share data.
++
++
++.EX
++.PP
++.B dirsrv_snmp_exec_t
++.EE
++
++- Set files with the dirsrv_snmp_exec_t type, if you want to transition an executable to the dirsrv_snmp_t domain.
++
++
++.EX
++.PP
++.B dirsrv_snmp_var_log_t
++.EE
++
++- Set files with the dirsrv_snmp_var_log_t type, if you want to treat the data as dirsrv snmp var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B dirsrv_snmp_var_run_t
++.EE
++
++- Set files with the dirsrv_snmp_var_run_t type, if you want to store the dirsrv snmp files under the /run directory.
++
++
++.EX
++.PP
++.B dirsrv_tmp_t
++.EE
++
++- Set files with the dirsrv_tmp_t type, if you want to store dirsrv temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dirsrv_tmpfs_t
++.EE
++
++- Set files with the dirsrv_tmpfs_t type, if you want to store dirsrv files on a tmpfs file system.
++
++
++.EX
++.PP
++.B dirsrv_var_lib_t
++.EE
++
++- Set files with the dirsrv_var_lib_t type, if you want to store the dirsrv files under the /var/lib directory.
++
++
++.EX
++.PP
++.B dirsrv_var_lock_t
++.EE
++
++- Set files with the dirsrv_var_lock_t type, if you want to treat the files as dirsrv var lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B dirsrv_var_log_t
++.EE
++
++- Set files with the dirsrv_var_log_t type, if you want to treat the data as dirsrv var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B dirsrv_var_run_t
++.EE
++
++- Set files with the dirsrv_var_run_t type, if you want to store the dirsrv files under the /run directory.
++
++
++.EX
++.PP
++.B dirsrvadmin_config_t
++.EE
++
++- Set files with the dirsrvadmin_config_t type, if you want to treat the files as dirsrvadmin configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B dirsrvadmin_exec_t
++.EE
++
++- Set files with the dirsrvadmin_exec_t type, if you want to transition an executable to the dirsrvadmin_t domain.
++
++
++.EX
++.PP
++.B dirsrvadmin_lock_t
++.EE
++
++- Set files with the dirsrvadmin_lock_t type, if you want to treat the files as dirsrvadmin lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B dirsrvadmin_tmp_t
++.EE
++
++- Set files with the dirsrvadmin_tmp_t type, if you want to store dirsrvadmin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dirsrvadmin_unconfined_script_exec_t
++.EE
++
++- Set files with the dirsrvadmin_unconfined_script_exec_t type, if you want to transition an executable to the dirsrvadmin_unconfined_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dirsrv_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dirsrv_config_t
++
++ /etc/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrv_tmp_t
++
++
++.br
++.B dirsrv_tmpfs_t
++
++
++.br
++.B dirsrv_var_lib_t
++
++ /var/lib/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrv_var_lock_t
++
++ /var/lock/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrv_var_log_t
++
++ /var/log/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrv_var_run_t
++
++ /var/run/dirsrv(/.*)?
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dirsrv_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dirsrv_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dirsrv(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, dirsrv_snmp_selinux(8), dirsrvadmin_selinux(8), dirsrvadmin_unconfined_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/dirsrv_snmp_selinux.8 b/man/man8/dirsrv_snmp_selinux.8
+new file mode 100644
+index 0000000..658d718
+--- /dev/null
++++ b/man/man8/dirsrv_snmp_selinux.8
+@@ -0,0 +1,137 @@
++.TH "dirsrv_snmp_selinux" "8" "12-11-01" "dirsrv_snmp" "SELinux Policy documentation for dirsrv_snmp"
++.SH "NAME"
++dirsrv_snmp_selinux \- Security Enhanced Linux Policy for the dirsrv_snmp processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dirsrv_snmp processes via flexible mandatory access control.
++
++The dirsrv_snmp processes execute with the dirsrv_snmp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dirsrv_snmp_t
++
++
++.SH "ENTRYPOINTS"
++
++The dirsrv_snmp_t SELinux type can be entered via the "dirsrv_snmp_exec_t" file type. The default entrypoint paths for the dirsrv_snmp_t domain are the following:"
++
++/usr/sbin/ldap-agent-bin
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dirsrv_snmp policy is very flexible allowing users to setup their dirsrv_snmp processes in as secure a method as possible.
++.PP
++The following process types are defined for dirsrv_snmp:
++
++.EX
++.B dirsrv_snmp_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dirsrv_snmp policy is very flexible allowing users to setup their dirsrv_snmp processes in as secure a method as possible.
++.PP
++The following file types are defined for dirsrv_snmp:
++
++
++.EX
++.PP
++.B dirsrv_snmp_exec_t
++.EE
++
++- Set files with the dirsrv_snmp_exec_t type, if you want to transition an executable to the dirsrv_snmp_t domain.
++
++
++.EX
++.PP
++.B dirsrv_snmp_var_log_t
++.EE
++
++- Set files with the dirsrv_snmp_var_log_t type, if you want to treat the data as dirsrv snmp var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B dirsrv_snmp_var_run_t
++.EE
++
++- Set files with the dirsrv_snmp_var_run_t type, if you want to store the dirsrv snmp files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dirsrv_snmp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dirsrv_snmp_var_log_t
++
++ /var/log/dirsrv/ldap-agent.log.*
++.br
++
++.br
++.B dirsrv_snmp_var_run_t
++
++ /var/run/ldap-agent\.pid
++.br
++
++.br
++.B dirsrv_tmpfs_t
++
++
++.br
++.B snmpd_var_lib_t
++
++ /var/agentx(/.*)?
++.br
++ /var/lib/snmp(/.*)?
++.br
++ /var/net-snmp(/.*)?
++.br
++ /var/lib/net-snmp(/.*)?
++.br
++ /usr/share/snmp/mibs/\.index
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dirsrv_snmp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, dirsrv_selinux(8), dirsrv_selinux(8), dirsrvadmin_selinux(8), dirsrvadmin_unconfined_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/dirsrvadmin_selinux.8 b/man/man8/dirsrvadmin_selinux.8
+new file mode 100644
+index 0000000..02df63f
+--- /dev/null
++++ b/man/man8/dirsrvadmin_selinux.8
+@@ -0,0 +1,127 @@
++.TH "dirsrvadmin_selinux" "8" "12-11-01" "dirsrvadmin" "SELinux Policy documentation for dirsrvadmin"
++.SH "NAME"
++dirsrvadmin_selinux \- Security Enhanced Linux Policy for the dirsrvadmin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dirsrvadmin processes via flexible mandatory access control.
++
++The dirsrvadmin processes execute with the dirsrvadmin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dirsrvadmin_t
++
++
++.SH "ENTRYPOINTS"
++
++The dirsrvadmin_t SELinux type can be entered via the "shell_exec_t,dirsrvadmin_exec_t" file types. The default entrypoint paths for the dirsrvadmin_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/sbin/stop-ds-admin, /usr/sbin/start-ds-admin, /usr/sbin/restart-ds-admin
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dirsrvadmin policy is very flexible allowing users to setup their dirsrvadmin processes in as secure a method as possible.
++.PP
++The following process types are defined for dirsrvadmin:
++
++.EX
++.B dirsrvadmin_unconfined_script_t, dirsrvadmin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dirsrvadmin policy is very flexible allowing users to setup their dirsrvadmin processes in as secure a method as possible.
++.PP
++The following file types are defined for dirsrvadmin:
++
++
++.EX
++.PP
++.B dirsrvadmin_config_t
++.EE
++
++- Set files with the dirsrvadmin_config_t type, if you want to treat the files as dirsrvadmin configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B dirsrvadmin_exec_t
++.EE
++
++- Set files with the dirsrvadmin_exec_t type, if you want to transition an executable to the dirsrvadmin_t domain.
++
++
++.EX
++.PP
++.B dirsrvadmin_lock_t
++.EE
++
++- Set files with the dirsrvadmin_lock_t type, if you want to treat the files as dirsrvadmin lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B dirsrvadmin_tmp_t
++.EE
++
++- Set files with the dirsrvadmin_tmp_t type, if you want to store dirsrvadmin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dirsrvadmin_unconfined_script_exec_t
++.EE
++
++- Set files with the dirsrvadmin_unconfined_script_exec_t type, if you want to transition an executable to the dirsrvadmin_unconfined_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dirsrvadmin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dirsrvadmin_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dirsrvadmin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, dirsrv_selinux(8), dirsrvadmin_unconfined_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/dirsrvadmin_unconfined_script_selinux.8 b/man/man8/dirsrvadmin_unconfined_script_selinux.8
+new file mode 100644
+index 0000000..bd60dd5
+--- /dev/null
++++ b/man/man8/dirsrvadmin_unconfined_script_selinux.8
+@@ -0,0 +1,127 @@
++.TH "dirsrvadmin_unconfined_script_selinux" "8" "12-11-01" "dirsrvadmin_unconfined_script" "SELinux Policy documentation for dirsrvadmin_unconfined_script"
++.SH "NAME"
++dirsrvadmin_unconfined_script_selinux \- Security Enhanced Linux Policy for the dirsrvadmin_unconfined_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dirsrvadmin_unconfined_script processes via flexible mandatory access control.
++
++The dirsrvadmin_unconfined_script processes execute with the dirsrvadmin_unconfined_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dirsrvadmin_unconfined_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The dirsrvadmin_unconfined_script_t SELinux type can be entered via the "dirsrvadmin_unconfined_script_exec_t,shell_exec_t" file types. The default entrypoint paths for the dirsrvadmin_unconfined_script_t domain are the following:"
++
++/usr/lib/dirsrv/cgi-bin/ds_create, /usr/lib/dirsrv/cgi-bin/ds_remove, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dirsrvadmin_unconfined_script policy is very flexible allowing users to setup their dirsrvadmin_unconfined_script processes in as secure a method as possible.
++.PP
++The following process types are defined for dirsrvadmin_unconfined_script:
++
++.EX
++.B dirsrvadmin_unconfined_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dirsrvadmin_unconfined_script policy is very flexible allowing users to setup their dirsrvadmin_unconfined_script processes in as secure a method as possible.
++.PP
++The following file types are defined for dirsrvadmin_unconfined_script:
++
++
++.EX
++.PP
++.B dirsrvadmin_unconfined_script_exec_t
++.EE
++
++- Set files with the dirsrvadmin_unconfined_script_exec_t type, if you want to transition an executable to the dirsrvadmin_unconfined_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dirsrvadmin_unconfined_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dirsrv_config_t
++
++ /etc/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrv_var_lib_t
++
++ /var/lib/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrv_var_log_t
++
++ /var/log/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrv_var_run_t
++
++ /var/run/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrvadmin_config_t
++
++ /etc/dirsrv/dsgw(/.*)?
++.br
++ /etc/dirsrv/admin-serv(/.*)?
++.br
++
++.br
++.B dirsrvadmin_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dirsrvadmin_unconfined_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, dirsrv_selinux(8), dirsrvadmin_selinux(8), dirsrvadmin_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/disk_munin_plugin_selinux.8 b/man/man8/disk_munin_plugin_selinux.8
+new file mode 100644
+index 0000000..1679709
+--- /dev/null
++++ b/man/man8/disk_munin_plugin_selinux.8
+@@ -0,0 +1,114 @@
++.TH "disk_munin_plugin_selinux" "8" "12-11-01" "disk_munin_plugin" "SELinux Policy documentation for disk_munin_plugin"
++.SH "NAME"
++disk_munin_plugin_selinux \- Security Enhanced Linux Policy for the disk_munin_plugin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the disk_munin_plugin processes via flexible mandatory access control.
++
++The disk_munin_plugin processes execute with the disk_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep disk_munin_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The disk_munin_plugin_t SELinux type can be entered via the "disk_munin_plugin_exec_t" file type. The default entrypoint paths for the disk_munin_plugin_t domain are the following:"
++
++/usr/share/munin/plugins/df.*, /usr/share/munin/plugins/smart_.*, /usr/share/munin/plugins/hddtemp.*, /usr/share/munin/plugins/diskstat.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux disk_munin_plugin policy is very flexible allowing users to setup their disk_munin_plugin processes in as secure a method as possible.
++.PP
++The following process types are defined for disk_munin_plugin:
++
++.EX
++.B disk_munin_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux disk_munin_plugin policy is very flexible allowing users to setup their disk_munin_plugin processes in as secure a method as possible.
++.PP
++The following file types are defined for disk_munin_plugin:
++
++
++.EX
++.PP
++.B disk_munin_plugin_exec_t
++.EE
++
++- Set files with the disk_munin_plugin_exec_t type, if you want to transition an executable to the disk_munin_plugin_t domain.
++
++
++.EX
++.PP
++.B disk_munin_plugin_tmp_t
++.EE
++
++- Set files with the disk_munin_plugin_tmp_t type, if you want to store disk munin plugin temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type disk_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B disk_munin_plugin_tmp_t
++
++
++.br
++.B munin_plugin_state_t
++
++ /var/lib/munin/plugin-state(/.*)?
++.br
++
++.br
++.B munin_var_lib_t
++
++ /var/lib/munin(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), disk_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/dkim_milter_selinux.8 b/man/man8/dkim_milter_selinux.8
+new file mode 100644
+index 0000000..813e538
+--- /dev/null
++++ b/man/man8/dkim_milter_selinux.8
+@@ -0,0 +1,132 @@
++.TH "dkim_milter_selinux" "8" "12-11-01" "dkim_milter" "SELinux Policy documentation for dkim_milter"
++.SH "NAME"
++dkim_milter_selinux \- Security Enhanced Linux Policy for the dkim_milter processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dkim_milter processes via flexible mandatory access control.
++
++The dkim_milter processes execute with the dkim_milter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dkim_milter_t
++
++
++.SH "ENTRYPOINTS"
++
++The dkim_milter_t SELinux type can be entered via the "dkim_milter_exec_t" file type. The default entrypoint paths for the dkim_milter_t domain are the following:"
++
++/usr/sbin/opendkim, /usr/sbin/dkim-filter
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dkim_milter policy is very flexible allowing users to setup their dkim_milter processes in as secure a method as possible.
++.PP
++The following process types are defined for dkim_milter:
++
++.EX
++.B dkim_milter_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dkim_milter policy is very flexible allowing users to setup their dkim_milter processes in as secure a method as possible.
++.PP
++The following file types are defined for dkim_milter:
++
++
++.EX
++.PP
++.B dkim_milter_data_t
++.EE
++
++- Set files with the dkim_milter_data_t type, if you want to treat the files as dkim milter content.
++
++
++.EX
++.PP
++.B dkim_milter_exec_t
++.EE
++
++- Set files with the dkim_milter_exec_t type, if you want to transition an executable to the dkim_milter_t domain.
++
++
++.EX
++.PP
++.B dkim_milter_private_key_t
++.EE
++
++- Set files with the dkim_milter_private_key_t type, if you want to treat the files as dkim milter private key data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dkim_milter_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dkim_milter_data_t
++
++ /var/run/opendkim(/.*)?
++.br
++ /var/spool/opendkim(/.*)?
++.br
++ /var/lib/dkim-milter(/.*)?
++.br
++ /var/run/dkim-milter(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dkim_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dkim_milter_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dkim_milter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/dlm_controld_selinux.8 b/man/man8/dlm_controld_selinux.8
+new file mode 100644
+index 0000000..25e4869
+--- /dev/null
++++ b/man/man8/dlm_controld_selinux.8
+@@ -0,0 +1,168 @@
++.TH "dlm_controld_selinux" "8" "12-11-01" "dlm_controld" "SELinux Policy documentation for dlm_controld"
++.SH "NAME"
++dlm_controld_selinux \- Security Enhanced Linux Policy for the dlm_controld processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dlm_controld processes via flexible mandatory access control.
++
++The dlm_controld processes execute with the dlm_controld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dlm_controld_t
++
++
++.SH "ENTRYPOINTS"
++
++The dlm_controld_t SELinux type can be entered via the "dlm_controld_exec_t" file type. The default entrypoint paths for the dlm_controld_t domain are the following:"
++
++/usr/sbin/dlm_controld
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dlm_controld policy is very flexible allowing users to setup their dlm_controld processes in as secure a method as possible.
++.PP
++The following process types are defined for dlm_controld:
++
++.EX
++.B dlm_controld_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dlm_controld policy is very flexible allowing users to setup their dlm_controld processes in as secure a method as possible.
++.PP
++The following file types are defined for dlm_controld:
++
++
++.EX
++.PP
++.B dlm_controld_exec_t
++.EE
++
++- Set files with the dlm_controld_exec_t type, if you want to transition an executable to the dlm_controld_t domain.
++
++
++.EX
++.PP
++.B dlm_controld_tmpfs_t
++.EE
++
++- Set files with the dlm_controld_tmpfs_t type, if you want to store dlm controld files on a tmpfs file system.
++
++
++.EX
++.PP
++.B dlm_controld_var_log_t
++.EE
++
++- Set files with the dlm_controld_var_log_t type, if you want to treat the data as dlm controld var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B dlm_controld_var_run_t
++.EE
++
++- Set files with the dlm_controld_var_run_t type, if you want to store the dlm controld files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dlm_controld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cluster_var_lib_t
++
++ /var/lib/cluster(/.*)?
++.br
++
++.br
++.B configfs_t
++
++
++.br
++.B corosync_tmpfs_t
++
++
++.br
++.B dlm_controld_tmpfs_t
++
++
++.br
++.B dlm_controld_var_log_t
++
++ /var/log/cluster/dlm_controld\.log.*
++.br
++
++.br
++.B dlm_controld_var_run_t
++
++ /var/run/dlm_controld\.pid
++.br
++
++.br
++.B initrc_tmp_t
++
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dlm_controld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dlm_controld_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dlm_controld(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/dmesg_selinux.8 b/man/man8/dmesg_selinux.8
+new file mode 100644
+index 0000000..c7d7b6d
+--- /dev/null
++++ b/man/man8/dmesg_selinux.8
+@@ -0,0 +1,136 @@
++.TH "dmesg_selinux" "8" "12-11-01" "dmesg" "SELinux Policy documentation for dmesg"
++.SH "NAME"
++dmesg_selinux \- Security Enhanced Linux Policy for the dmesg processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dmesg processes via flexible mandatory access control.
++
++The dmesg processes execute with the dmesg_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dmesg_t
++
++
++.SH "ENTRYPOINTS"
++
++The dmesg_t SELinux type can be entered via the "dmesg_exec_t" file type. The default entrypoint paths for the dmesg_t domain are the following:"
++
++/bin/dmesg, /usr/bin/dmesg
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dmesg policy is very flexible allowing users to setup their dmesg processes in as secure a method as possible.
++.PP
++The following process types are defined for dmesg:
++
++.EX
++.B dmesg_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dmesg policy is very flexible allowing users to setup their dmesg processes in as secure a method as possible.
++.PP
++The following file types are defined for dmesg:
++
++
++.EX
++.PP
++.B dmesg_exec_t
++.EE
++
++- Set files with the dmesg_exec_t type, if you want to transition an executable to the dmesg_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dmesg_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B var_log_t
++
++ /var/log/.*
++.br
++ /nsr/logs(/.*)?
++.br
++ /var/webmin(/.*)?
++.br
++ /var/log/cron[^/]*
++.br
++ /var/log/secure[^/]*
++.br
++ /opt/zimbra/log(/.*)?
++.br
++ /var/log/maillog[^/]*
++.br
++ /var/log/spooler[^/]*
++.br
++ /var/log/messages[^/]*
++.br
++ /usr/centreon/log(/.*)?
++.br
++ /var/spool/rsyslog(/.*)?
++.br
++ /var/axfrdns/log/main(/.*)?
++.br
++ /var/spool/bacula/log(/.*)?
++.br
++ /var/tinydns/log/main(/.*)?
++.br
++ /var/dnscache/log/main(/.*)?
++.br
++ /var/stockmaniac/templates_cache(/.*)?
++.br
++ /opt/Symantec/scspagent/IDS/system(/.*)?
++.br
++ /var/log
++.br
++ /var/log/dmesg
++.br
++ /var/log/syslog
++.br
++ /var/named/chroot/var/log
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dmesg(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/dmidecode_selinux.8 b/man/man8/dmidecode_selinux.8
+new file mode 100644
+index 0000000..e29cd1c
+--- /dev/null
++++ b/man/man8/dmidecode_selinux.8
+@@ -0,0 +1,86 @@
++.TH "dmidecode_selinux" "8" "12-11-01" "dmidecode" "SELinux Policy documentation for dmidecode"
++.SH "NAME"
++dmidecode_selinux \- Security Enhanced Linux Policy for the dmidecode processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dmidecode processes via flexible mandatory access control.
++
++The dmidecode processes execute with the dmidecode_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dmidecode_t
++
++
++.SH "ENTRYPOINTS"
++
++The dmidecode_t SELinux type can be entered via the "dmidecode_exec_t" file type. The default entrypoint paths for the dmidecode_t domain are the following:"
++
++/usr/sbin/dmidecode, /usr/sbin/ownership, /usr/sbin/vpddecode
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dmidecode policy is very flexible allowing users to setup their dmidecode processes in as secure a method as possible.
++.PP
++The following process types are defined for dmidecode:
++
++.EX
++.B dmidecode_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dmidecode policy is very flexible allowing users to setup their dmidecode processes in as secure a method as possible.
++.PP
++The following file types are defined for dmidecode:
++
++
++.EX
++.PP
++.B dmidecode_exec_t
++.EE
++
++- Set files with the dmidecode_exec_t type, if you want to transition an executable to the dmidecode_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dmidecode(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/dnsmasq_selinux.8 b/man/man8/dnsmasq_selinux.8
+new file mode 100644
+index 0000000..5a65f36
+--- /dev/null
++++ b/man/man8/dnsmasq_selinux.8
+@@ -0,0 +1,200 @@
++.TH "dnsmasq_selinux" "8" "12-11-01" "dnsmasq" "SELinux Policy documentation for dnsmasq"
++.SH "NAME"
++dnsmasq_selinux \- Security Enhanced Linux Policy for the dnsmasq processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dnsmasq processes via flexible mandatory access control.
++
++The dnsmasq processes execute with the dnsmasq_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dnsmasq_t
++
++
++.SH "ENTRYPOINTS"
++
++The dnsmasq_t SELinux type can be entered via the "dnsmasq_exec_t" file type. The default entrypoint paths for the dnsmasq_t domain are the following:"
++
++/usr/sbin/dnsmasq
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dnsmasq policy is very flexible allowing users to setup their dnsmasq processes in as secure a method as possible.
++.PP
++The following process types are defined for dnsmasq:
++
++.EX
++.B dnsmasq_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dnsmasq policy is very flexible allowing users to setup their dnsmasq processes in as secure a method as possible.
++.PP
++The following file types are defined for dnsmasq:
++
++
++.EX
++.PP
++.B dnsmasq_etc_t
++.EE
++
++- Set files with the dnsmasq_etc_t type, if you want to store dnsmasq files in the /etc directories.
++
++
++.EX
++.PP
++.B dnsmasq_exec_t
++.EE
++
++- Set files with the dnsmasq_exec_t type, if you want to transition an executable to the dnsmasq_t domain.
++
++
++.EX
++.PP
++.B dnsmasq_initrc_exec_t
++.EE
++
++- Set files with the dnsmasq_initrc_exec_t type, if you want to transition an executable to the dnsmasq_initrc_t domain.
++
++
++.EX
++.PP
++.B dnsmasq_lease_t
++.EE
++
++- Set files with the dnsmasq_lease_t type, if you want to treat the files as dnsmasq lease data.
++
++
++.EX
++.PP
++.B dnsmasq_unit_file_t
++.EE
++
++- Set files with the dnsmasq_unit_file_t type, if you want to treat the files as dnsmasq unit content.
++
++
++.EX
++.PP
++.B dnsmasq_var_log_t
++.EE
++
++- Set files with the dnsmasq_var_log_t type, if you want to treat the data as dnsmasq var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B dnsmasq_var_run_t
++.EE
++
++- Set files with the dnsmasq_var_run_t type, if you want to store the dnsmasq files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dnsmasq_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B crond_var_run_t
++
++ /var/run/.*cron.*
++.br
++ /var/run/crond?\.pid
++.br
++ /var/run/crond?\.reboot
++.br
++ /var/run/atd\.pid
++.br
++ /var/run/fcron\.pid
++.br
++ /var/run/fcron\.fifo
++.br
++ /var/run/anacron\.pid
++.br
++
++.br
++.B dnsmasq_lease_t
++
++ /var/lib/dnsmasq(/.*)?
++.br
++ /var/lib/misc/dnsmasq\.leases
++.br
++
++.br
++.B dnsmasq_var_log_t
++
++ /var/log/dnsmasq.*
++.br
++
++.br
++.B dnsmasq_var_run_t
++
++ /var/run/libvirt/network(/.*)?
++.br
++ /var/run/dnsmasq\.pid
++.br
++
++.br
++.B virt_var_lib_t
++
++ /var/lib/oz(/.*)?
++.br
++ /var/lib/libvirt(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dnsmasq_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dnsmasq_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dnsmasq(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/dnssec_trigger_selinux.8 b/man/man8/dnssec_trigger_selinux.8
+new file mode 100644
+index 0000000..d5478bf
+--- /dev/null
++++ b/man/man8/dnssec_trigger_selinux.8
+@@ -0,0 +1,130 @@
++.TH "dnssec_trigger_selinux" "8" "12-11-01" "dnssec_trigger" "SELinux Policy documentation for dnssec_trigger"
++.SH "NAME"
++dnssec_trigger_selinux \- Security Enhanced Linux Policy for the dnssec_trigger processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dnssec_trigger processes via flexible mandatory access control.
++
++The dnssec_trigger processes execute with the dnssec_trigger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dnssec_trigger_t
++
++
++.SH "ENTRYPOINTS"
++
++The dnssec_trigger_t SELinux type can be entered via the "dnssec_trigger_exec_t" file type. The default entrypoint paths for the dnssec_trigger_t domain are the following:"
++
++/usr/sbin/dnssec-triggerd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dnssec_trigger policy is very flexible allowing users to setup their dnssec_trigger processes in as secure a method as possible.
++.PP
++The following process types are defined for dnssec_trigger:
++
++.EX
++.B dnssec_trigger_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dnssec_trigger policy is very flexible allowing users to setup their dnssec_trigger processes in as secure a method as possible.
++.PP
++The following file types are defined for dnssec_trigger:
++
++
++.EX
++.PP
++.B dnssec_trigger_exec_t
++.EE
++
++- Set files with the dnssec_trigger_exec_t type, if you want to transition an executable to the dnssec_trigger_t domain.
++
++
++.EX
++.PP
++.B dnssec_trigger_var_run_t
++.EE
++
++- Set files with the dnssec_trigger_var_run_t type, if you want to store the dnssec trigger files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dnssec_trigger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dnssec_trigger_var_run_t
++
++ /var/run/dnssec.*
++.br
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dnssec_trigger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/dovecot_auth_selinux.8 b/man/man8/dovecot_auth_selinux.8
+new file mode 100644
+index 0000000..6411b0a
+--- /dev/null
++++ b/man/man8/dovecot_auth_selinux.8
+@@ -0,0 +1,155 @@
++.TH "dovecot_auth_selinux" "8" "12-11-01" "dovecot_auth" "SELinux Policy documentation for dovecot_auth"
++.SH "NAME"
++dovecot_auth_selinux \- Security Enhanced Linux Policy for the dovecot_auth processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dovecot_auth processes via flexible mandatory access control.
++
++The dovecot_auth processes execute with the dovecot_auth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dovecot_auth_t
++
++
++.SH "ENTRYPOINTS"
++
++The dovecot_auth_t SELinux type can be entered via the "dovecot_auth_exec_t" file type. The default entrypoint paths for the dovecot_auth_t domain are the following:"
++
++/usr/libexec/dovecot/auth, /usr/libexec/dovecot/dovecot-auth
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dovecot_auth policy is very flexible allowing users to setup their dovecot_auth processes in as secure a method as possible.
++.PP
++The following process types are defined for dovecot_auth:
++
++.EX
++.B dovecot_auth_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dovecot_auth policy is very flexible allowing users to setup their dovecot_auth processes in as secure a method as possible.
++.PP
++The following file types are defined for dovecot_auth:
++
++
++.EX
++.PP
++.B dovecot_auth_exec_t
++.EE
++
++- Set files with the dovecot_auth_exec_t type, if you want to transition an executable to the dovecot_auth_t domain.
++
++
++.EX
++.PP
++.B dovecot_auth_tmp_t
++.EE
++
++- Set files with the dovecot_auth_tmp_t type, if you want to store dovecot auth temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dovecot_auth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dovecot_auth_tmp_t
++
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_auth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dovecot_auth_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dovecot_auth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, dovecot_selinux(8), dovecot_selinux(8), dovecot_deliver_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/dovecot_deliver_selinux.8 b/man/man8/dovecot_deliver_selinux.8
+new file mode 100644
+index 0000000..fa12a80
+--- /dev/null
++++ b/man/man8/dovecot_deliver_selinux.8
+@@ -0,0 +1,157 @@
++.TH "dovecot_deliver_selinux" "8" "12-11-01" "dovecot_deliver" "SELinux Policy documentation for dovecot_deliver"
++.SH "NAME"
++dovecot_deliver_selinux \- Security Enhanced Linux Policy for the dovecot_deliver processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dovecot_deliver processes via flexible mandatory access control.
++
++The dovecot_deliver processes execute with the dovecot_deliver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dovecot_deliver_t
++
++
++.SH "ENTRYPOINTS"
++
++The dovecot_deliver_t SELinux type can be entered via the "dovecot_deliver_exec_t" file type. The default entrypoint paths for the dovecot_deliver_t domain are the following:"
++
++/usr/libexec/dovecot/deliver, /usr/libexec/dovecot/dovecot-lda
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dovecot_deliver policy is very flexible allowing users to setup their dovecot_deliver processes in as secure a method as possible.
++.PP
++The following process types are defined for dovecot_deliver:
++
++.EX
++.B dovecot_deliver_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dovecot_deliver policy is very flexible allowing users to setup their dovecot_deliver processes in as secure a method as possible.
++.PP
++The following file types are defined for dovecot_deliver:
++
++
++.EX
++.PP
++.B dovecot_deliver_exec_t
++.EE
++
++- Set files with the dovecot_deliver_exec_t type, if you want to transition an executable to the dovecot_deliver_t domain.
++
++
++.EX
++.PP
++.B dovecot_deliver_tmp_t
++.EE
++
++- Set files with the dovecot_deliver_tmp_t type, if you want to store dovecot deliver temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dovecot_deliver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B data_home_t
++
++ /root/\.local/share(/.*)?
++.br
++ /home/[^/]*/\.local/share(/.*)?
++.br
++ /home/dwalsh/\.local/share(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.local/share(/.*)?
++.br
++
++.br
++.B dovecot_deliver_tmp_t
++
++
++.br
++.B dovecot_spool_t
++
++ /var/spool/dovecot(/.*)?
++.br
++
++.br
++.B mail_home_rw_t
++
++ /root/Maildir(/.*)?
++.br
++ /home/[^/]*/Maildir(/.*)?
++.br
++ /home/dwalsh/Maildir(/.*)?
++.br
++ /var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dovecot_deliver_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dovecot_deliver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, dovecot_selinux(8), dovecot_selinux(8), dovecot_auth_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/dovecot_selinux.8 b/man/man8/dovecot_selinux.8
+new file mode 100644
+index 0000000..d61a836
+--- /dev/null
++++ b/man/man8/dovecot_selinux.8
+@@ -0,0 +1,317 @@
++.TH "dovecot_selinux" "8" "12-11-01" "dovecot" "SELinux Policy documentation for dovecot"
++.SH "NAME"
++dovecot_selinux \- Security Enhanced Linux Policy for the dovecot processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dovecot processes via flexible mandatory access control.
++
++The dovecot processes execute with the dovecot_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dovecot_t
++
++
++.SH "ENTRYPOINTS"
++
++The dovecot_t SELinux type can be entered via the "dovecot_exec_t" file type. The default entrypoint paths for the dovecot_t domain are the following:"
++
++/usr/sbin/dovecot
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dovecot policy is very flexible allowing users to setup their dovecot processes in as secure a method as possible.
++.PP
++The following process types are defined for dovecot:
++
++.EX
++.B dovecot_deliver_t, dovecot_auth_t, dovecot_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dovecot policy is very flexible allowing users to setup their dovecot processes in as secure a method as possible.
++.PP
++The following file types are defined for dovecot:
++
++
++.EX
++.PP
++.B dovecot_auth_exec_t
++.EE
++
++- Set files with the dovecot_auth_exec_t type, if you want to transition an executable to the dovecot_auth_t domain.
++
++
++.EX
++.PP
++.B dovecot_auth_tmp_t
++.EE
++
++- Set files with the dovecot_auth_tmp_t type, if you want to store dovecot auth temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dovecot_cert_t
++.EE
++
++- Set files with the dovecot_cert_t type, if you want to treat the files as dovecot certificate data.
++
++
++.EX
++.PP
++.B dovecot_deliver_exec_t
++.EE
++
++- Set files with the dovecot_deliver_exec_t type, if you want to transition an executable to the dovecot_deliver_t domain.
++
++
++.EX
++.PP
++.B dovecot_deliver_tmp_t
++.EE
++
++- Set files with the dovecot_deliver_tmp_t type, if you want to store dovecot deliver temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dovecot_etc_t
++.EE
++
++- Set files with the dovecot_etc_t type, if you want to store dovecot files in the /etc directories.
++
++
++.EX
++.PP
++.B dovecot_exec_t
++.EE
++
++- Set files with the dovecot_exec_t type, if you want to transition an executable to the dovecot_t domain.
++
++
++.EX
++.PP
++.B dovecot_initrc_exec_t
++.EE
++
++- Set files with the dovecot_initrc_exec_t type, if you want to transition an executable to the dovecot_initrc_t domain.
++
++
++.EX
++.PP
++.B dovecot_passwd_t
++.EE
++
++- Set files with the dovecot_passwd_t type, if you want to treat the files as dovecot passwd data.
++
++
++.EX
++.PP
++.B dovecot_spool_t
++.EE
++
++- Set files with the dovecot_spool_t type, if you want to store the dovecot files under the /var/spool directory.
++
++
++.EX
++.PP
++.B dovecot_t_keytab_t
++.EE
++
++- Set files with the dovecot_t_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B dovecot_tmp_t
++.EE
++
++- Set files with the dovecot_tmp_t type, if you want to store dovecot temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dovecot_var_lib_t
++.EE
++
++- Set files with the dovecot_var_lib_t type, if you want to store the dovecot files under the /var/lib directory.
++
++
++.EX
++.PP
++.B dovecot_var_log_t
++.EE
++
++- Set files with the dovecot_var_log_t type, if you want to treat the data as dovecot var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B dovecot_var_run_t
++.EE
++
++- Set files with the dovecot_var_run_t type, if you want to store the dovecot files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dovecot_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B data_home_t
++
++ /root/\.local/share(/.*)?
++.br
++ /home/[^/]*/\.local/share(/.*)?
++.br
++ /home/dwalsh/\.local/share(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.local/share(/.*)?
++.br
++
++.br
++.B dovecot_spool_t
++
++ /var/spool/dovecot(/.*)?
++.br
++
++.br
++.B dovecot_tmp_t
++
++
++.br
++.B dovecot_var_lib_t
++
++ /var/lib/dovecot(/.*)?
++.br
++ /var/run/dovecot/login/ssl-parameters.dat
++.br
++
++.br
++.B dovecot_var_log_t
++
++ /var/log/dovecot(/.*)?
++.br
++ /var/log/dovecot\.log.*
++.br
++
++.br
++.B dovecot_var_run_t
++
++ /var/run/dovecot(-login)?(/.*)?
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B mail_home_rw_t
++
++ /root/Maildir(/.*)?
++.br
++ /home/[^/]*/Maildir(/.*)?
++.br
++ /home/dwalsh/Maildir(/.*)?
++.br
++ /var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dovecot(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, dovecot_auth_selinux(8), dovecot_deliver_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/drbd_selinux.8 b/man/man8/drbd_selinux.8
+new file mode 100644
+index 0000000..0306d2e
+--- /dev/null
++++ b/man/man8/drbd_selinux.8
+@@ -0,0 +1,116 @@
++.TH "drbd_selinux" "8" "12-11-01" "drbd" "SELinux Policy documentation for drbd"
++.SH "NAME"
++drbd_selinux \- Security Enhanced Linux Policy for the drbd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the drbd processes via flexible mandatory access control.
++
++The drbd processes execute with the drbd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep drbd_t
++
++
++.SH "ENTRYPOINTS"
++
++The drbd_t SELinux type can be entered via the "drbd_exec_t" file type. The default entrypoint paths for the drbd_t domain are the following:"
++
++/usr/lib/ocf/resource.\d/linbit/drbd, /sbin/drbdadm, /sbin/drbdsetup, /usr/sbin/drbdadm, /usr/sbin/drbdsetup
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux drbd policy is very flexible allowing users to setup their drbd processes in as secure a method as possible.
++.PP
++The following process types are defined for drbd:
++
++.EX
++.B drbd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux drbd policy is very flexible allowing users to setup their drbd processes in as secure a method as possible.
++.PP
++The following file types are defined for drbd:
++
++
++.EX
++.PP
++.B drbd_exec_t
++.EE
++
++- Set files with the drbd_exec_t type, if you want to transition an executable to the drbd_t domain.
++
++
++.EX
++.PP
++.B drbd_lock_t
++.EE
++
++- Set files with the drbd_lock_t type, if you want to treat the files as drbd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B drbd_var_lib_t
++.EE
++
++- Set files with the drbd_var_lib_t type, if you want to store the drbd files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type drbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B drbd_lock_t
++
++
++.br
++.B drbd_var_lib_t
++
++ /var/lib/drbd(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), drbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/dspam_selinux.8 b/man/man8/dspam_selinux.8
+new file mode 100644
+index 0000000..64cf453
+--- /dev/null
++++ b/man/man8/dspam_selinux.8
+@@ -0,0 +1,166 @@
++.TH "dspam_selinux" "8" "12-11-01" "dspam" "SELinux Policy documentation for dspam"
++.SH "NAME"
++dspam_selinux \- Security Enhanced Linux Policy for the dspam processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the dspam processes via flexible mandatory access control.
++
++The dspam processes execute with the dspam_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep dspam_t
++
++
++.SH "ENTRYPOINTS"
++
++The dspam_t SELinux type can be entered via the "dspam_exec_t" file type. The default entrypoint paths for the dspam_t domain are the following:"
++
++/usr/bin/dspam
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux dspam policy is very flexible allowing users to setup their dspam processes in as secure a method as possible.
++.PP
++The following process types are defined for dspam:
++
++.EX
++.B dspam_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux dspam policy is very flexible allowing users to setup their dspam processes in as secure a method as possible.
++.PP
++The following file types are defined for dspam:
++
++
++.EX
++.PP
++.B dspam_exec_t
++.EE
++
++- Set files with the dspam_exec_t type, if you want to transition an executable to the dspam_t domain.
++
++
++.EX
++.PP
++.B dspam_initrc_exec_t
++.EE
++
++- Set files with the dspam_initrc_exec_t type, if you want to transition an executable to the dspam_initrc_t domain.
++
++
++.EX
++.PP
++.B dspam_log_t
++.EE
++
++- Set files with the dspam_log_t type, if you want to treat the data as dspam log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B dspam_tmp_t
++.EE
++
++- Set files with the dspam_tmp_t type, if you want to store dspam temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dspam_var_lib_t
++.EE
++
++- Set files with the dspam_var_lib_t type, if you want to store the dspam files under the /var/lib directory.
++
++
++.EX
++.PP
++.B dspam_var_run_t
++.EE
++
++- Set files with the dspam_var_run_t type, if you want to store the dspam files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type dspam_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dspam_log_t
++
++ /var/log/dspam(/.*)?
++.br
++
++.br
++.B dspam_var_lib_t
++
++ /var/lib/dspam(/.*)?
++.br
++
++.br
++.B dspam_var_run_t
++
++ /var/run/dspam(/.*)?
++.br
++
++.br
++.B httpd_dspam_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dspam_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dspam_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), dspam(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/entropyd_selinux.8 b/man/man8/entropyd_selinux.8
+new file mode 100644
+index 0000000..0035e75
+--- /dev/null
++++ b/man/man8/entropyd_selinux.8
+@@ -0,0 +1,142 @@
++.TH "entropyd_selinux" "8" "12-11-01" "entropyd" "SELinux Policy documentation for entropyd"
++.SH "NAME"
++entropyd_selinux \- Security Enhanced Linux Policy for the entropyd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the entropyd processes via flexible mandatory access control.
++
++The entropyd processes execute with the entropyd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep entropyd_t
++
++
++.SH "ENTRYPOINTS"
++
++The entropyd_t SELinux type can be entered via the "entropyd_exec_t" file type. The default entrypoint paths for the entropyd_t domain are the following:"
++
++/usr/sbin/haveged, /usr/sbin/audio-entropyd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux entropyd policy is very flexible allowing users to setup their entropyd processes in as secure a method as possible.
++.PP
++The following process types are defined for entropyd:
++
++.EX
++.B entropyd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. entropyd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run entropyd with the tightest access possible.
++
++
++.PP
++If you want to allow the use of the audio devices as the source for the entropy feeds, you must turn on the entropyd_use_audio boolean.
++
++.EX
++.B setsebool -P entropyd_use_audio 1
++.EE
++
++.PP
++If you want to allow the use of the audio devices as the source for the entropy feeds, you must turn on the entropyd_use_audio boolean.
++
++.EX
++.B setsebool -P entropyd_use_audio 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux entropyd policy is very flexible allowing users to setup their entropyd processes in as secure a method as possible.
++.PP
++The following file types are defined for entropyd:
++
++
++.EX
++.PP
++.B entropyd_exec_t
++.EE
++
++- Set files with the entropyd_exec_t type, if you want to transition an executable to the entropyd_t domain.
++
++
++.EX
++.PP
++.B entropyd_var_run_t
++.EE
++
++- Set files with the entropyd_var_run_t type, if you want to store the entropyd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type entropyd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B entropyd_var_run_t
++
++ /var/run/haveged\.pid
++.br
++ /var/run/audio-entropyd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the entropyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the entropyd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), entropyd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/eventlogd_selinux.8 b/man/man8/eventlogd_selinux.8
+new file mode 100644
+index 0000000..755e81c
+--- /dev/null
++++ b/man/man8/eventlogd_selinux.8
+@@ -0,0 +1,126 @@
++.TH "eventlogd_selinux" "8" "12-11-01" "eventlogd" "SELinux Policy documentation for eventlogd"
++.SH "NAME"
++eventlogd_selinux \- Security Enhanced Linux Policy for the eventlogd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the eventlogd processes via flexible mandatory access control.
++
++The eventlogd processes execute with the eventlogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep eventlogd_t
++
++
++.SH "ENTRYPOINTS"
++
++The eventlogd_t SELinux type can be entered via the "eventlogd_exec_t" file type. The default entrypoint paths for the eventlogd_t domain are the following:"
++
++/usr/sbin/eventlogd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux eventlogd policy is very flexible allowing users to setup their eventlogd processes in as secure a method as possible.
++.PP
++The following process types are defined for eventlogd:
++
++.EX
++.B eventlogd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux eventlogd policy is very flexible allowing users to setup their eventlogd processes in as secure a method as possible.
++.PP
++The following file types are defined for eventlogd:
++
++
++.EX
++.PP
++.B eventlogd_exec_t
++.EE
++
++- Set files with the eventlogd_exec_t type, if you want to transition an executable to the eventlogd_t domain.
++
++
++.EX
++.PP
++.B eventlogd_var_lib_t
++.EE
++
++- Set files with the eventlogd_var_lib_t type, if you want to store the eventlogd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B eventlogd_var_run_t
++.EE
++
++- Set files with the eventlogd_var_run_t type, if you want to store the eventlogd files under the /run directory.
++
++
++.EX
++.PP
++.B eventlogd_var_socket_t
++.EE
++
++- Set files with the eventlogd_var_socket_t type, if you want to treat the files as eventlogd var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type eventlogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B eventlogd_var_lib_t
++
++ /var/lib/likewise-open/db/lwi_events.db
++.br
++
++.br
++.B eventlogd_var_run_t
++
++ /var/run/eventlogd.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), eventlogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/evtchnd_selinux.8 b/man/man8/evtchnd_selinux.8
+new file mode 100644
+index 0000000..85b3690
+--- /dev/null
++++ b/man/man8/evtchnd_selinux.8
+@@ -0,0 +1,120 @@
++.TH "evtchnd_selinux" "8" "12-11-01" "evtchnd" "SELinux Policy documentation for evtchnd"
++.SH "NAME"
++evtchnd_selinux \- Security Enhanced Linux Policy for the evtchnd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the evtchnd processes via flexible mandatory access control.
++
++The evtchnd processes execute with the evtchnd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep evtchnd_t
++
++
++.SH "ENTRYPOINTS"
++
++The evtchnd_t SELinux type can be entered via the "evtchnd_exec_t" file type. The default entrypoint paths for the evtchnd_t domain are the following:"
++
++/usr/sbin/evtchnd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux evtchnd policy is very flexible allowing users to setup their evtchnd processes in as secure a method as possible.
++.PP
++The following process types are defined for evtchnd:
++
++.EX
++.B evtchnd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux evtchnd policy is very flexible allowing users to setup their evtchnd processes in as secure a method as possible.
++.PP
++The following file types are defined for evtchnd:
++
++
++.EX
++.PP
++.B evtchnd_exec_t
++.EE
++
++- Set files with the evtchnd_exec_t type, if you want to transition an executable to the evtchnd_t domain.
++
++
++.EX
++.PP
++.B evtchnd_var_log_t
++.EE
++
++- Set files with the evtchnd_var_log_t type, if you want to treat the data as evtchnd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B evtchnd_var_run_t
++.EE
++
++- Set files with the evtchnd_var_run_t type, if you want to store the evtchnd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type evtchnd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B evtchnd_var_log_t
++
++ /var/log/evtchnd\.log.*
++.br
++
++.br
++.B evtchnd_var_run_t
++
++ /var/run/evtchnd
++.br
++ /var/run/evtchnd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), evtchnd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/exim_selinux.8 b/man/man8/exim_selinux.8
+new file mode 100644
+index 0000000..f156767
+--- /dev/null
++++ b/man/man8/exim_selinux.8
+@@ -0,0 +1,270 @@
++.TH "exim_selinux" "8" "12-11-01" "exim" "SELinux Policy documentation for exim"
++.SH "NAME"
++exim_selinux \- Security Enhanced Linux Policy for the exim processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the exim processes via flexible mandatory access control.
++
++The exim processes execute with the exim_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep exim_t
++
++
++.SH "ENTRYPOINTS"
++
++The exim_t SELinux type can be entered via the "exim_exec_t" file type. The default entrypoint paths for the exim_t domain are the following:"
++
++/usr/sbin/exim[0-9]?, /usr/sbin/exim_tidydb
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux exim policy is very flexible allowing users to setup their exim processes in as secure a method as possible.
++.PP
++The following process types are defined for exim:
++
++.EX
++.B exim_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. exim policy is extremely flexible and has several booleans that allow you to manipulate the policy and run exim with the tightest access possible.
++
++
++.PP
++If you want to allow exim to connect to databases (postgres, mysql), you must turn on the exim_can_connect_db boolean.
++
++.EX
++.B setsebool -P exim_can_connect_db 1
++.EE
++
++.PP
++If you want to allow exim to create, read, write, and delete unprivileged user files, you must turn on the exim_manage_user_files boolean.
++
++.EX
++.B setsebool -P exim_manage_user_files 1
++.EE
++
++.PP
++If you want to allow exim to read unprivileged user files, you must turn on the exim_read_user_files boolean.
++
++.EX
++.B setsebool -P exim_read_user_files 1
++.EE
++
++.PP
++If you want to allow exim to connect to databases (postgres, mysql), you must turn on the exim_can_connect_db boolean.
++
++.EX
++.B setsebool -P exim_can_connect_db 1
++.EE
++
++.PP
++If you want to allow exim to create, read, write, and delete unprivileged user files, you must turn on the exim_manage_user_files boolean.
++
++.EX
++.B setsebool -P exim_manage_user_files 1
++.EE
++
++.PP
++If you want to allow exim to read unprivileged user files, you must turn on the exim_read_user_files boolean.
++
++.EX
++.B setsebool -P exim_read_user_files 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux exim policy is very flexible allowing users to setup their exim processes in as secure a method as possible.
++.PP
++The following file types are defined for exim:
++
++
++.EX
++.PP
++.B exim_exec_t
++.EE
++
++- Set files with the exim_exec_t type, if you want to transition an executable to the exim_t domain.
++
++
++.EX
++.PP
++.B exim_initrc_exec_t
++.EE
++
++- Set files with the exim_initrc_exec_t type, if you want to transition an executable to the exim_initrc_t domain.
++
++
++.EX
++.PP
++.B exim_keytab_t
++.EE
++
++- Set files with the exim_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B exim_log_t
++.EE
++
++- Set files with the exim_log_t type, if you want to treat the data as exim log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B exim_spool_t
++.EE
++
++- Set files with the exim_spool_t type, if you want to store the exim files under the /var/spool directory.
++
++
++.EX
++.PP
++.B exim_tmp_t
++.EE
++
++- Set files with the exim_tmp_t type, if you want to store exim temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B exim_var_run_t
++.EE
++
++- Set files with the exim_var_run_t type, if you want to store the exim files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type exim_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B arpwatch_tmp_t
++
++
++.br
++.B dovecot_spool_t
++
++ /var/spool/dovecot(/.*)?
++.br
++
++.br
++.B exim_log_t
++
++ /var/log/exim[0-9]?(/.*)?
++.br
++
++.br
++.B exim_spool_t
++
++ /var/spool/exim[0-9]?(/.*)?
++.br
++
++.br
++.B exim_tmp_t
++
++
++.br
++.B exim_var_run_t
++
++ /var/run/exim[0-9]?\.pid
++.br
++
++.br
++.B mail_home_rw_t
++
++ /root/Maildir(/.*)?
++.br
++ /home/[^/]*/Maildir(/.*)?
++.br
++ /home/dwalsh/Maildir(/.*)?
++.br
++ /var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.br
++.B sendmail_tmp_t
++
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the exim_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the exim_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), exim(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/fail2ban_client_selinux.8 b/man/man8/fail2ban_client_selinux.8
+new file mode 100644
+index 0000000..965514d
+--- /dev/null
++++ b/man/man8/fail2ban_client_selinux.8
+@@ -0,0 +1,87 @@
++.TH "fail2ban_client_selinux" "8" "12-11-01" "fail2ban_client" "SELinux Policy documentation for fail2ban_client"
++.SH "NAME"
++fail2ban_client_selinux \- Security Enhanced Linux Policy for the fail2ban_client processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the fail2ban_client processes via flexible mandatory access control.
++
++The fail2ban_client processes execute with the fail2ban_client_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep fail2ban_client_t
++
++
++.SH "ENTRYPOINTS"
++
++The fail2ban_client_t SELinux type can be entered via the "fail2ban_client_exec_t" file type. The default entrypoint paths for the fail2ban_client_t domain are the following:"
++
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux fail2ban_client policy is very flexible allowing users to setup their fail2ban_client processes in as secure a method as possible.
++.PP
++The following process types are defined for fail2ban_client:
++
++.EX
++.B fail2ban_client_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux fail2ban_client policy is very flexible allowing users to setup their fail2ban_client processes in as secure a method as possible.
++.PP
++The following file types are defined for fail2ban_client:
++
++
++.EX
++.PP
++.B fail2ban_client_exec_t
++.EE
++
++- Set files with the fail2ban_client_exec_t type, if you want to transition an executable to the fail2ban_client_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), fail2ban_client(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, fail2ban_selinux(8), fail2ban_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/fail2ban_selinux.8 b/man/man8/fail2ban_selinux.8
+new file mode 100644
+index 0000000..d71d700
+--- /dev/null
++++ b/man/man8/fail2ban_selinux.8
+@@ -0,0 +1,201 @@
++.TH "fail2ban_selinux" "8" "12-11-01" "fail2ban" "SELinux Policy documentation for fail2ban"
++.SH "NAME"
++fail2ban_selinux \- Security Enhanced Linux Policy for the fail2ban processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the fail2ban processes via flexible mandatory access control.
++
++The fail2ban processes execute with the fail2ban_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep fail2ban_t
++
++
++.SH "ENTRYPOINTS"
++
++The fail2ban_t SELinux type can be entered via the "fail2ban_exec_t" file type. The default entrypoint paths for the fail2ban_t domain are the following:"
++
++/usr/bin/fail2ban, /usr/bin/fail2ban-server
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux fail2ban policy is very flexible allowing users to setup their fail2ban processes in as secure a method as possible.
++.PP
++The following process types are defined for fail2ban:
++
++.EX
++.B fail2ban_client_t, fail2ban_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux fail2ban policy is very flexible allowing users to setup their fail2ban processes in as secure a method as possible.
++.PP
++The following file types are defined for fail2ban:
++
++
++.EX
++.PP
++.B fail2ban_client_exec_t
++.EE
++
++- Set files with the fail2ban_client_exec_t type, if you want to transition an executable to the fail2ban_client_t domain.
++
++
++.EX
++.PP
++.B fail2ban_exec_t
++.EE
++
++- Set files with the fail2ban_exec_t type, if you want to transition an executable to the fail2ban_t domain.
++
++
++.EX
++.PP
++.B fail2ban_initrc_exec_t
++.EE
++
++- Set files with the fail2ban_initrc_exec_t type, if you want to transition an executable to the fail2ban_initrc_t domain.
++
++
++.EX
++.PP
++.B fail2ban_log_t
++.EE
++
++- Set files with the fail2ban_log_t type, if you want to treat the data as fail2ban log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B fail2ban_tmp_t
++.EE
++
++- Set files with the fail2ban_tmp_t type, if you want to store fail2ban temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B fail2ban_var_lib_t
++.EE
++
++- Set files with the fail2ban_var_lib_t type, if you want to store the fail2ban files under the /var/lib directory.
++
++
++.EX
++.PP
++.B fail2ban_var_run_t
++.EE
++
++- Set files with the fail2ban_var_run_t type, if you want to store the fail2ban files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type fail2ban_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B fail2ban_log_t
++
++ /var/log/fail2ban\.log.*
++.br
++
++.br
++.B fail2ban_tmp_t
++
++
++.br
++.B fail2ban_var_lib_t
++
++ /var/lib/fail2ban(/.*)?
++.br
++
++.br
++.B fail2ban_var_run_t
++
++ /var/run/fail2ban.*
++.br
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fail2ban_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the fail2ban_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), fail2ban(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, fail2ban_client_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/fcoemon_selinux.8 b/man/man8/fcoemon_selinux.8
+new file mode 100644
+index 0000000..f5a355c
+--- /dev/null
++++ b/man/man8/fcoemon_selinux.8
+@@ -0,0 +1,106 @@
++.TH "fcoemon_selinux" "8" "12-11-01" "fcoemon" "SELinux Policy documentation for fcoemon"
++.SH "NAME"
++fcoemon_selinux \- Security Enhanced Linux Policy for the fcoemon processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the fcoemon processes via flexible mandatory access control.
++
++The fcoemon processes execute with the fcoemon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep fcoemon_t
++
++
++.SH "ENTRYPOINTS"
++
++The fcoemon_t SELinux type can be entered via the "fcoemon_exec_t" file type. The default entrypoint paths for the fcoemon_t domain are the following:"
++
++/usr/sbin/fcoemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux fcoemon policy is very flexible allowing users to setup their fcoemon processes in as secure a method as possible.
++.PP
++The following process types are defined for fcoemon:
++
++.EX
++.B fcoemon_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux fcoemon policy is very flexible allowing users to setup their fcoemon processes in as secure a method as possible.
++.PP
++The following file types are defined for fcoemon:
++
++
++.EX
++.PP
++.B fcoemon_exec_t
++.EE
++
++- Set files with the fcoemon_exec_t type, if you want to transition an executable to the fcoemon_t domain.
++
++
++.EX
++.PP
++.B fcoemon_var_run_t
++.EE
++
++- Set files with the fcoemon_var_run_t type, if you want to store the fcoemon files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type fcoemon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B fcoemon_var_run_t
++
++ /var/run/fcm(/.*)?
++.br
++ /var/run/fcoemon\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), fcoemon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/fenced_selinux.8 b/man/man8/fenced_selinux.8
+new file mode 100644
+index 0000000..fa89bb1
+--- /dev/null
++++ b/man/man8/fenced_selinux.8
+@@ -0,0 +1,230 @@
++.TH "fenced_selinux" "8" "12-11-01" "fenced" "SELinux Policy documentation for fenced"
++.SH "NAME"
++fenced_selinux \- Security Enhanced Linux Policy for the fenced processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the fenced processes via flexible mandatory access control.
++
++The fenced processes execute with the fenced_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep fenced_t
++
++
++.SH "ENTRYPOINTS"
++
++The fenced_t SELinux type can be entered via the "fenced_exec_t" file type. The default entrypoint paths for the fenced_t domain are the following:"
++
++/usr/sbin/fenced, /usr/sbin/fence_node, /usr/sbin/fence_tool, /usr/sbin/fence_virtd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux fenced policy is very flexible allowing users to setup their fenced processes in as secure a method as possible.
++.PP
++The following process types are defined for fenced:
++
++.EX
++.B fenced_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. fenced policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fenced with the tightest access possible.
++
++
++.PP
++If you want to allow fenced domain to connect to the network using TCP, you must turn on the fenced_can_network_connect boolean.
++
++.EX
++.B setsebool -P fenced_can_network_connect 1
++.EE
++
++.PP
++If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
++
++.EX
++.B setsebool -P fenced_can_ssh 1
++.EE
++
++.PP
++If you want to allow fenced domain to connect to the network using TCP, you must turn on the fenced_can_network_connect boolean.
++
++.EX
++.B setsebool -P fenced_can_network_connect 1
++.EE
++
++.PP
++If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
++
++.EX
++.B setsebool -P fenced_can_ssh 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux fenced policy is very flexible allowing users to setup their fenced processes in as secure a method as possible.
++.PP
++The following file types are defined for fenced:
++
++
++.EX
++.PP
++.B fenced_exec_t
++.EE
++
++- Set files with the fenced_exec_t type, if you want to transition an executable to the fenced_t domain.
++
++
++.EX
++.PP
++.B fenced_lock_t
++.EE
++
++- Set files with the fenced_lock_t type, if you want to treat the files as fenced lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B fenced_tmp_t
++.EE
++
++- Set files with the fenced_tmp_t type, if you want to store fenced temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B fenced_tmpfs_t
++.EE
++
++- Set files with the fenced_tmpfs_t type, if you want to store fenced files on a tmpfs file system.
++
++
++.EX
++.PP
++.B fenced_var_log_t
++.EE
++
++- Set files with the fenced_var_log_t type, if you want to treat the data as fenced var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B fenced_var_run_t
++.EE
++
++- Set files with the fenced_var_run_t type, if you want to store the fenced files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type fenced_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cluster_var_lib_t
++
++ /var/lib/cluster(/.*)?
++.br
++
++.br
++.B fenced_lock_t
++
++ /var/lock/fence_manual\.lock
++.br
++
++.br
++.B fenced_tmp_t
++
++
++.br
++.B fenced_tmpfs_t
++
++
++.br
++.B fenced_var_log_t
++
++ /var/log/cluster/fenced\.log.*
++.br
++
++.br
++.B fenced_var_run_t
++
++ /var/run/fence.*
++.br
++ /var/run/cluster/fence_scsi.*
++.br
++ /var/run/cluster/fenced_override
++.br
++
++.br
++.B snmpd_var_lib_t
++
++ /var/agentx(/.*)?
++.br
++ /var/lib/snmp(/.*)?
++.br
++ /var/net-snmp(/.*)?
++.br
++ /var/lib/net-snmp(/.*)?
++.br
++ /usr/share/snmp/mibs/\.index
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fenced_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the fenced_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), fenced(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/fetchmail_selinux.8 b/man/man8/fetchmail_selinux.8
+new file mode 100644
+index 0000000..ae8394b
+--- /dev/null
++++ b/man/man8/fetchmail_selinux.8
+@@ -0,0 +1,144 @@
++.TH "fetchmail_selinux" "8" "12-11-01" "fetchmail" "SELinux Policy documentation for fetchmail"
++.SH "NAME"
++fetchmail_selinux \- Security Enhanced Linux Policy for the fetchmail processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the fetchmail processes via flexible mandatory access control.
++
++The fetchmail processes execute with the fetchmail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep fetchmail_t
++
++
++.SH "ENTRYPOINTS"
++
++The fetchmail_t SELinux type can be entered via the "fetchmail_exec_t" file type. The default entrypoint paths for the fetchmail_t domain are the following:"
++
++/usr/bin/fetchmail
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux fetchmail policy is very flexible allowing users to setup their fetchmail processes in as secure a method as possible.
++.PP
++The following process types are defined for fetchmail:
++
++.EX
++.B fetchmail_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux fetchmail policy is very flexible allowing users to setup their fetchmail processes in as secure a method as possible.
++.PP
++The following file types are defined for fetchmail:
++
++
++.EX
++.PP
++.B fetchmail_etc_t
++.EE
++
++- Set files with the fetchmail_etc_t type, if you want to store fetchmail files in the /etc directories.
++
++
++.EX
++.PP
++.B fetchmail_exec_t
++.EE
++
++- Set files with the fetchmail_exec_t type, if you want to transition an executable to the fetchmail_t domain.
++
++
++.EX
++.PP
++.B fetchmail_home_t
++.EE
++
++- Set files with the fetchmail_home_t type, if you want to store fetchmail files in the users home directory.
++
++
++.EX
++.PP
++.B fetchmail_uidl_cache_t
++.EE
++
++- Set files with the fetchmail_uidl_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B fetchmail_var_run_t
++.EE
++
++- Set files with the fetchmail_var_run_t type, if you want to store the fetchmail files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type fetchmail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B fetchmail_uidl_cache_t
++
++ /var/lib/fetchmail(/.*)?
++.br
++ /var/mail/\.fetchmail-UIDL-cache
++.br
++
++.br
++.B fetchmail_var_run_t
++
++ /var/run/fetchmail/.*
++.br
++
++.br
++.B sendmail_log_t
++
++ /var/log/mail(/.*)?
++.br
++ /var/log/sendmail\.st
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), fetchmail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/fingerd_selinux.8 b/man/man8/fingerd_selinux.8
+new file mode 100644
+index 0000000..5dedb48
+--- /dev/null
++++ b/man/man8/fingerd_selinux.8
+@@ -0,0 +1,164 @@
++.TH "fingerd_selinux" "8" "12-11-01" "fingerd" "SELinux Policy documentation for fingerd"
++.SH "NAME"
++fingerd_selinux \- Security Enhanced Linux Policy for the fingerd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the fingerd processes via flexible mandatory access control.
++
++The fingerd processes execute with the fingerd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep fingerd_t
++
++
++.SH "ENTRYPOINTS"
++
++The fingerd_t SELinux type can be entered via the "fingerd_exec_t" file type. The default entrypoint paths for the fingerd_t domain are the following:"
++
++/usr/sbin/[cef]fingerd, /etc/cron\.weekly/(c)?fingerd, /usr/sbin/in\.fingerd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux fingerd policy is very flexible allowing users to setup their fingerd processes in as secure a method as possible.
++.PP
++The following process types are defined for fingerd:
++
++.EX
++.B fingerd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux fingerd policy is very flexible allowing users to setup their fingerd processes in as secure a method as possible.
++.PP
++The following file types are defined for fingerd:
++
++
++.EX
++.PP
++.B fingerd_etc_t
++.EE
++
++- Set files with the fingerd_etc_t type, if you want to store fingerd files in the /etc directories.
++
++
++.EX
++.PP
++.B fingerd_exec_t
++.EE
++
++- Set files with the fingerd_exec_t type, if you want to transition an executable to the fingerd_t domain.
++
++
++.EX
++.PP
++.B fingerd_log_t
++.EE
++
++- Set files with the fingerd_log_t type, if you want to treat the data as fingerd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B fingerd_var_run_t
++.EE
++
++- Set files with the fingerd_var_run_t type, if you want to store the fingerd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux fingerd policy is very flexible allowing users to setup their fingerd processes in as secure a method as possible.
++.PP
++The following port types are defined for fingerd:
++
++.EX
++.TP 5
++.B fingerd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 79
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type fingerd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B fingerd_log_t
++
++ /var/log/cfingerd\.log.*
++.br
++
++.br
++.B fingerd_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fingerd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the fingerd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), fingerd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/firewalld_selinux.8 b/man/man8/firewalld_selinux.8
+new file mode 100644
+index 0000000..fc13038
+--- /dev/null
++++ b/man/man8/firewalld_selinux.8
+@@ -0,0 +1,159 @@
++.TH "firewalld_selinux" "8" "12-11-01" "firewalld" "SELinux Policy documentation for firewalld"
++.SH "NAME"
++firewalld_selinux \- Security Enhanced Linux Policy for the firewalld processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the firewalld processes via flexible mandatory access control.
++
++The firewalld processes execute with the firewalld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep firewalld_t
++
++
++.SH "ENTRYPOINTS"
++
++The firewalld_t SELinux type can be entered via the "firewalld_exec_t" file type. The default entrypoint paths for the firewalld_t domain are the following:"
++
++/usr/sbin/firewalld
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux firewalld policy is very flexible allowing users to setup their firewalld processes in as secure a method as possible.
++.PP
++The following process types are defined for firewalld:
++
++.EX
++.B firewallgui_t, firewalld_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux firewalld policy is very flexible allowing users to setup their firewalld processes in as secure a method as possible.
++.PP
++The following file types are defined for firewalld:
++
++
++.EX
++.PP
++.B firewalld_etc_rw_t
++.EE
++
++- Set files with the firewalld_etc_rw_t type, if you want to treat the files as firewalld etc read/write content.
++
++
++.EX
++.PP
++.B firewalld_exec_t
++.EE
++
++- Set files with the firewalld_exec_t type, if you want to transition an executable to the firewalld_t domain.
++
++
++.EX
++.PP
++.B firewalld_initrc_exec_t
++.EE
++
++- Set files with the firewalld_initrc_exec_t type, if you want to transition an executable to the firewalld_initrc_t domain.
++
++
++.EX
++.PP
++.B firewalld_unit_file_t
++.EE
++
++- Set files with the firewalld_unit_file_t type, if you want to treat the files as firewalld unit content.
++
++
++.EX
++.PP
++.B firewalld_var_log_t
++.EE
++
++- Set files with the firewalld_var_log_t type, if you want to treat the data as firewalld var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B firewalld_var_run_t
++.EE
++
++- Set files with the firewalld_var_run_t type, if you want to store the firewalld files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type firewalld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B firewalld_etc_rw_t
++
++ /etc/firewalld(/.*)?
++.br
++
++.br
++.B firewalld_var_run_t
++
++ /var/run/firewalld(/.*)?
++.br
++ /var/run/firewalld\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), firewalld(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, firewallgui_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/firewallgui_selinux.8 b/man/man8/firewallgui_selinux.8
+new file mode 100644
+index 0000000..ab4f40b
+--- /dev/null
++++ b/man/man8/firewallgui_selinux.8
+@@ -0,0 +1,138 @@
++.TH "firewallgui_selinux" "8" "12-11-01" "firewallgui" "SELinux Policy documentation for firewallgui"
++.SH "NAME"
++firewallgui_selinux \- Security Enhanced Linux Policy for the firewallgui processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the firewallgui processes via flexible mandatory access control.
++
++The firewallgui processes execute with the firewallgui_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep firewallgui_t
++
++
++.SH "ENTRYPOINTS"
++
++The firewallgui_t SELinux type can be entered via the "firewallgui_exec_t" file type. The default entrypoint paths for the firewallgui_t domain are the following:"
++
++/usr/share/system-config-firewall/system-config-firewall-mechanism.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux firewallgui policy is very flexible allowing users to setup their firewallgui processes in as secure a method as possible.
++.PP
++The following process types are defined for firewallgui:
++
++.EX
++.B firewallgui_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux firewallgui policy is very flexible allowing users to setup their firewallgui processes in as secure a method as possible.
++.PP
++The following file types are defined for firewallgui:
++
++
++.EX
++.PP
++.B firewallgui_exec_t
++.EE
++
++- Set files with the firewallgui_exec_t type, if you want to transition an executable to the firewallgui_t domain.
++
++
++.EX
++.PP
++.B firewallgui_tmp_t
++.EE
++
++- Set files with the firewallgui_tmp_t type, if you want to store firewallgui temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type firewallgui_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B firewallgui_tmp_t
++
++
++.br
++.B system_conf_t
++
++ /etc/sysctl\.conf(\.old)?
++.br
++ /etc/sysconfig/ip6?tables.*
++.br
++ /etc/sysconfig/ipvsadm.*
++.br
++ /etc/sysconfig/ebtables.*
++.br
++ /etc/sysconfig/system-config-firewall.*
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), firewallgui(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/firstboot_selinux.8 b/man/man8/firstboot_selinux.8
+new file mode 100644
+index 0000000..53e6593
+--- /dev/null
++++ b/man/man8/firstboot_selinux.8
+@@ -0,0 +1,104 @@
++.TH "firstboot_selinux" "8" "12-11-01" "firstboot" "SELinux Policy documentation for firstboot"
++.SH "NAME"
++firstboot_selinux \- Security Enhanced Linux Policy for the firstboot processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the firstboot processes via flexible mandatory access control.
++
++The firstboot processes execute with the firstboot_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep firstboot_t
++
++
++.SH "ENTRYPOINTS"
++
++The firstboot_t SELinux type can be entered via the "firstboot_exec_t,filesystem_type,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type" file types. The default entrypoint paths for the firstboot_t domain are the following:"
++
++/usr/sbin/firstboot, /usr/share/firstboot/firstboot\.py, /dev/cpu/mtrr, all files on the system
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux firstboot policy is very flexible allowing users to setup their firstboot processes in as secure a method as possible.
++.PP
++The following process types are defined for firstboot:
++
++.EX
++.B firstboot_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux firstboot policy is very flexible allowing users to setup their firstboot processes in as secure a method as possible.
++.PP
++The following file types are defined for firstboot:
++
++
++.EX
++.PP
++.B firstboot_etc_t
++.EE
++
++- Set files with the firstboot_etc_t type, if you want to store firstboot files in the /etc directories.
++
++
++.EX
++.PP
++.B firstboot_exec_t
++.EE
++
++- Set files with the firstboot_exec_t type, if you want to transition an executable to the firstboot_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type firstboot_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B file_type
++
++ all files on the system
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), firstboot(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/foghorn_selinux.8 b/man/man8/foghorn_selinux.8
+new file mode 100644
+index 0000000..f17a60b
+--- /dev/null
++++ b/man/man8/foghorn_selinux.8
+@@ -0,0 +1,146 @@
++.TH "foghorn_selinux" "8" "12-11-01" "foghorn" "SELinux Policy documentation for foghorn"
++.SH "NAME"
++foghorn_selinux \- Security Enhanced Linux Policy for the foghorn processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the foghorn processes via flexible mandatory access control.
++
++The foghorn processes execute with the foghorn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep foghorn_t
++
++
++.SH "ENTRYPOINTS"
++
++The foghorn_t SELinux type can be entered via the "foghorn_exec_t" file type. The default entrypoint paths for the foghorn_t domain are the following:"
++
++/usr/sbin/foghorn
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux foghorn policy is very flexible allowing users to setup their foghorn processes in as secure a method as possible.
++.PP
++The following process types are defined for foghorn:
++
++.EX
++.B foghorn_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux foghorn policy is very flexible allowing users to setup their foghorn processes in as secure a method as possible.
++.PP
++The following file types are defined for foghorn:
++
++
++.EX
++.PP
++.B foghorn_exec_t
++.EE
++
++- Set files with the foghorn_exec_t type, if you want to transition an executable to the foghorn_t domain.
++
++
++.EX
++.PP
++.B foghorn_tmpfs_t
++.EE
++
++- Set files with the foghorn_tmpfs_t type, if you want to store foghorn files on a tmpfs file system.
++
++
++.EX
++.PP
++.B foghorn_var_log_t
++.EE
++
++- Set files with the foghorn_var_log_t type, if you want to treat the data as foghorn var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B foghorn_var_run_t
++.EE
++
++- Set files with the foghorn_var_run_t type, if you want to store the foghorn files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type foghorn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cluster_var_lib_t
++
++ /var/lib/cluster(/.*)?
++.br
++
++.br
++.B foghorn_tmpfs_t
++
++
++.br
++.B foghorn_var_log_t
++
++
++.br
++.B foghorn_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the foghorn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the foghorn_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), foghorn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/fprintd_selinux.8 b/man/man8/fprintd_selinux.8
+new file mode 100644
+index 0000000..68cee10
+--- /dev/null
++++ b/man/man8/fprintd_selinux.8
+@@ -0,0 +1,118 @@
++.TH "fprintd_selinux" "8" "12-11-01" "fprintd" "SELinux Policy documentation for fprintd"
++.SH "NAME"
++fprintd_selinux \- Security Enhanced Linux Policy for the fprintd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the fprintd processes via flexible mandatory access control.
++
++The fprintd processes execute with the fprintd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep fprintd_t
++
++
++.SH "ENTRYPOINTS"
++
++The fprintd_t SELinux type can be entered via the "fprintd_exec_t" file type. The default entrypoint paths for the fprintd_t domain are the following:"
++
++/usr/libexec/fprintd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux fprintd policy is very flexible allowing users to setup their fprintd processes in as secure a method as possible.
++.PP
++The following process types are defined for fprintd:
++
++.EX
++.B fprintd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux fprintd policy is very flexible allowing users to setup their fprintd processes in as secure a method as possible.
++.PP
++The following file types are defined for fprintd:
++
++
++.EX
++.PP
++.B fprintd_exec_t
++.EE
++
++- Set files with the fprintd_exec_t type, if you want to transition an executable to the fprintd_t domain.
++
++
++.EX
++.PP
++.B fprintd_var_lib_t
++.EE
++
++- Set files with the fprintd_var_lib_t type, if you want to store the fprintd files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type fprintd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B fprintd_var_lib_t
++
++ /var/lib/fprint(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fprintd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the fprintd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), fprintd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/freshclam_selinux.8 b/man/man8/freshclam_selinux.8
+new file mode 100644
+index 0000000..9ccf034
+--- /dev/null
++++ b/man/man8/freshclam_selinux.8
+@@ -0,0 +1,164 @@
++.TH "freshclam_selinux" "8" "12-11-01" "freshclam" "SELinux Policy documentation for freshclam"
++.SH "NAME"
++freshclam_selinux \- Security Enhanced Linux Policy for the freshclam processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the freshclam processes via flexible mandatory access control.
++
++The freshclam processes execute with the freshclam_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep freshclam_t
++
++
++.SH "ENTRYPOINTS"
++
++The freshclam_t SELinux type can be entered via the "freshclam_exec_t" file type. The default entrypoint paths for the freshclam_t domain are the following:"
++
++/usr/bin/freshclam
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux freshclam policy is very flexible allowing users to setup their freshclam processes in as secure a method as possible.
++.PP
++The following process types are defined for freshclam:
++
++.EX
++.B freshclam_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux freshclam policy is very flexible allowing users to setup their freshclam processes in as secure a method as possible.
++.PP
++The following file types are defined for freshclam:
++
++
++.EX
++.PP
++.B freshclam_exec_t
++.EE
++
++- Set files with the freshclam_exec_t type, if you want to transition an executable to the freshclam_t domain.
++
++
++.EX
++.PP
++.B freshclam_var_log_t
++.EE
++
++- Set files with the freshclam_var_log_t type, if you want to treat the data as freshclam var log data, usually stored under the /var/log directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type freshclam_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B amavis_spool_t
++
++ /var/spool/amavisd(/.*)?
++.br
++
++.br
++.B antivirus_db_t
++
++ /var/opt/f-secure(/.*)?
++.br
++
++.br
++.B clamd_var_lib_t
++
++ /var/clamav(/.*)?
++.br
++ /var/lib/clamd.*
++.br
++ /var/lib/clamav(/.*)?
++.br
++
++.br
++.B clamd_var_run_t
++
++ /var/run/clamd.*
++.br
++ /var/run/clamav.*
++.br
++ /var/run/amavis(d)?/clamd\.pid
++.br
++ /var/spool/MailScanner(/.*)?
++.br
++ /var/spool/amavisd/clamd\.sock
++.br
++
++.br
++.B freshclam_var_log_t
++
++ /var/log/freshclam.*
++.br
++ /var/log/clamav/freshclam.*
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the freshclam_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the freshclam_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), freshclam(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/fsadm_selinux.8 b/man/man8/fsadm_selinux.8
+new file mode 100644
+index 0000000..7bcfdaf
+--- /dev/null
++++ b/man/man8/fsadm_selinux.8
+@@ -0,0 +1,258 @@
++.TH "fsadm_selinux" "8" "12-11-01" "fsadm" "SELinux Policy documentation for fsadm"
++.SH "NAME"
++fsadm_selinux \- Security Enhanced Linux Policy for the fsadm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the fsadm processes via flexible mandatory access control.
++
++The fsadm processes execute with the fsadm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep fsadm_t
++
++
++.SH "ENTRYPOINTS"
++
++The fsadm_t SELinux type can be entered via the "fsadm_exec_t" file type. The default entrypoint paths for the fsadm_t domain are the following:"
++
++/sbin/fsck.*, /sbin/jfs_.*, /sbin/mkfs.*, /sbin/swapon.*, /sbin/resize.*fs, /sbin/losetup.*, /usr/sbin/fsck.*, /usr/sbin/jfs_.*, /usr/sbin/mkfs.*, /sbin/reiserfs(ck|tune), /usr/sbin/swapon.*, /usr/sbin/resize.*fs, /usr/sbin/losetup.*, /usr/sbin/reiserfs(ck|tune), /sbin/dump, /sbin/blkid, /sbin/fdisk, /sbin/partx, /sbin/cfdisk, /sbin/e2fsck, /sbin/e4fsck, /sbin/findfs, /sbin/hdparm, /sbin/lsraid, /sbin/mke2fs, /sbin/mke4fs, /sbin/mkraid, /sbin/parted, /sbin/sfdisk, /usr/bin/raw, /sbin/dosfsck, /sbin/e2label, /sbin/mkdosfs, /sbin/tune2fs, /sbin/blockdev, /sbin/dumpe2fs, /usr/sbin/dump, /sbin/partprobe, /sbin/raidstart, /sbin/scsi_info, /usr/sbin/blkid, /usr/sbin/fdisk, /usr/sbin/partx, /sbin/mkreiserfs, /usr/sbin/cfdisk, /usr/sbin/e2fsck, /usr/sbin/e4fsck, /usr/sbin/findfs, /usr/sbin/hdparm, /usr/sbin/lsraid, /usr/sbin/mke2fs, /usr/sbin/mke4fs, /usr/sbin/mkraid, /usr/sbin/parted, /usr/sbin/sfdisk, /sbin/install-mbr, /sbin/raidautorun, /usr/bin/syslinux, /usr/sbin/dosfsck, /usr/sbin/e2label, /usr/sbin/mkdosfs, /usr/sbin/tune2fs, /sbin/make_reiser4, /usr/sbin/blockdev, /usr/sbin/dumpe2fs, /usr/sbin/smartctl, /usr/sbin/partprobe, /usr/sbin/raidstart, /usr/sbin/scsi_info, /usr/sbin/mkreiserfs, /usr/sbin/clubufflush, /usr/sbin/install-mbr, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/bin/partition_uuid, /usr/bin/scsi_unique_id, /usr/lib/systemd/systemd-fsck
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux fsadm policy is very flexible allowing users to setup their fsadm processes in as secure a method as possible.
++.PP
++The following process types are defined for fsadm:
++
++.EX
++.B fsadm_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux fsadm policy is very flexible allowing users to setup their fsadm processes in as secure a method as possible.
++.PP
++The following file types are defined for fsadm:
++
++
++.EX
++.PP
++.B fsadm_exec_t
++.EE
++
++- Set files with the fsadm_exec_t type, if you want to transition an executable to the fsadm_t domain.
++
++
++.EX
++.PP
++.B fsadm_log_t
++.EE
++
++- Set files with the fsadm_log_t type, if you want to treat the data as fsadm log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B fsadm_tmp_t
++.EE
++
++- Set files with the fsadm_tmp_t type, if you want to store fsadm temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B fsadm_var_run_t
++.EE
++
++- Set files with the fsadm_var_run_t type, if you want to store the fsadm files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type fsadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B amanda_dumpdates_t
++
++ /etc/dumpdates
++.br
++
++.br
++.B cifs_t
++
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B fsadm_log_t
++
++ /var/log/fsck(/.*)?
++.br
++
++.br
++.B fsadm_tmp_t
++
++
++.br
++.B fsadm_var_run_t
++
++ /var/run/blkid(/.*)?
++.br
++
++.br
++.B hugetlbfs_t
++
++ /dev/hugepages
++.br
++ /lib/udev/devices/hugepages
++.br
++ /usr/lib/udev/devices/hugepages
++.br
++
++.br
++.B livecd_tmp_t
++
++
++.br
++.B lost_found_t
++
++ /lost\+found
++.br
++ /var/lost\+found
++.br
++ /usr/lost\+found
++.br
++ /tmp/lost\+found
++.br
++ /boot/lost\+found
++.br
++ /var/tmp/lost\+found
++.br
++ /home/lost\+found
++.br
++
++.br
++.B nfs_t
++
++
++.br
++.B swapfile_t
++
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B tmpfs_t
++
++ /dev/shm
++.br
++ /lib/udev/devices/shm
++.br
++ /usr/lib/udev/devices/shm
++.br
++
++.br
++.B xen_image_t
++
++ /xen(/.*)?
++.br
++ /var/lib/xen/images(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), fsadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/fsdaemon_selinux.8 b/man/man8/fsdaemon_selinux.8
+new file mode 100644
+index 0000000..d181d7d
+--- /dev/null
++++ b/man/man8/fsdaemon_selinux.8
+@@ -0,0 +1,124 @@
++.TH "fsdaemon_selinux" "8" "12-11-01" "fsdaemon" "SELinux Policy documentation for fsdaemon"
++.SH "NAME"
++fsdaemon_selinux \- Security Enhanced Linux Policy for the fsdaemon processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the fsdaemon processes via flexible mandatory access control.
++
++The fsdaemon processes execute with the fsdaemon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep fsdaemon_t
++
++
++.SH "ENTRYPOINTS"
++
++The fsdaemon_t SELinux type can be entered via the "fsdaemon_exec_t" file type. The default entrypoint paths for the fsdaemon_t domain are the following:"
++
++/usr/sbin/smartd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux fsdaemon policy is very flexible allowing users to setup their fsdaemon processes in as secure a method as possible.
++.PP
++The following process types are defined for fsdaemon:
++
++.EX
++.B fsdaemon_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux fsdaemon policy is very flexible allowing users to setup their fsdaemon processes in as secure a method as possible.
++.PP
++The following file types are defined for fsdaemon:
++
++
++.EX
++.PP
++.B fsdaemon_exec_t
++.EE
++
++- Set files with the fsdaemon_exec_t type, if you want to transition an executable to the fsdaemon_t domain.
++
++
++.EX
++.PP
++.B fsdaemon_initrc_exec_t
++.EE
++
++- Set files with the fsdaemon_initrc_exec_t type, if you want to transition an executable to the fsdaemon_initrc_t domain.
++
++
++.EX
++.PP
++.B fsdaemon_tmp_t
++.EE
++
++- Set files with the fsdaemon_tmp_t type, if you want to store fsdaemon temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B fsdaemon_var_run_t
++.EE
++
++- Set files with the fsdaemon_var_run_t type, if you want to store the fsdaemon files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type fsdaemon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B fsdaemon_tmp_t
++
++
++.br
++.B fsdaemon_var_run_t
++
++ /var/run/smartd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), fsdaemon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
+index 5bebd82..8460714 100644
+--- a/man/man8/ftpd_selinux.8
++++ b/man/man8/ftpd_selinux.8
+@@ -1,65 +1,608 @@
+-.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation"
++.TH "ftpd_selinux" "8" "12-11-01" "ftpd" "SELinux Policy documentation for ftpd"
+ .SH "NAME"
+-.PP
+-ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons.
++ftpd_selinux \- Security Enhanced Linux Policy for the ftpd processes
+ .SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ftpd processes via flexible mandatory access control.
++
++The ftpd processes execute with the ftpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ftpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The ftpd_t SELinux type can be entered via the "ftpd_exec_t" file type. The default entrypoint paths for the ftpd_t domain are the following:"
++
++/usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in\.ftpd, /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd, /etc/cron\.monthly/proftpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
+ .PP
+-Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control.
+-.SH FILE_CONTEXTS
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
+ .PP
+-SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files.
+-.TP
+-Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type.
++Policy governs the access confined processes have to files.
++SELinux ftpd policy is very flexible allowing users to setup their ftpd processes in as secure a method as possible.
+ .PP
+-.B
+-semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
+-.TP
+-.B
+-restorecon -F -R -v /var/ftp
+-.TP
+-Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set.
++The following process types are defined for ftpd:
++
++.EX
++.B ftpd_t, ftpdctl_t
++.EE
+ .PP
+-.B
+-semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
+-.TP
+-.B
+-restorecon -F -R -v /var/ftp/incoming
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
+
+ .SH BOOLEANS
++SELinux policy is customizable based on least access required. ftpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ftpd with the tightest access possible.
++
++
+ .PP
+-SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool.
+-.TP
+-Allow ftp servers to read and write files with the public_content_rw_t file type.
++If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean.
++
++.EX
++.B setsebool -P ftpd_use_nfs 1
++.EE
++
+ .PP
+-.B
+-setsebool -P allow_ftpd_anon_write on
+-.TP
+-Allow ftp servers to read or write files in the user home directories.
++If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
++
++.EX
++.B setsebool -P httpd_enable_ftp_server 1
++.EE
++
+ .PP
+-.B
+-setsebool -P ftp_home_dir on
+-.TP
+-Allow ftp servers to read or write all files on the system.
++If you want to allow ftp servers to use bind to all unreserved ports for passive mode, you must turn on the ftpd_use_passive_mode boolean.
++
++.EX
++.B setsebool -P ftpd_use_passive_mode 1
++.EE
++
+ .PP
+-.B
+-setsebool -P allow_ftpd_full_access on
++If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_ftp 1
++.EE
++
++.PP
++If you want to allow ftp to read and write files in the user home directories, you must turn on the ftp_home_dir boolean.
++
++.EX
++.B setsebool -P ftp_home_dir 1
++.EE
++
++.PP
++If you want to allow ftp servers to connect to mysql database ports, you must turn on the ftpd_connect_db boolean.
++
++.EX
++.B setsebool -P ftpd_connect_db 1
++.EE
++
++.PP
++If you want to allow ftp servers to use cifs used for public file transfer services, you must turn on the ftpd_use_cifs boolean.
++
++.EX
++.B setsebool -P ftpd_use_cifs 1
++.EE
++
++.PP
++If you want to allow sftp-internal to read and write files in the user home directories, you must turn on the sftpd_enable_homedirs boolean.
++
++.EX
++.B setsebool -P sftpd_enable_homedirs 1
++.EE
++
++.PP
++If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
++
++.EX
++.B setsebool -P sftpd_write_ssh_home 1
++.EE
++
++.PP
++If you want to allow tftp to read and write files in the user home directories, you must turn on the tftp_home_dir boolean.
++
++.EX
++.B setsebool -P tftp_home_dir 1
++.EE
++
++.PP
++If you want to allow sftp-internal to login to local users and read/write all files on the system, governed by DAC, you must turn on the sftpd_full_access boolean.
++
++.EX
++.B setsebool -P sftpd_full_access 1
++.EE
++
++.PP
++If you want to allow ftp servers to connect to all ports > 1023, you must turn on the ftpd_connect_all_unreserved boolean.
++
++.EX
++.B setsebool -P ftpd_connect_all_unreserved 1
++.EE
++
++.PP
++If you want to allow ftp servers to login to local users and read/write all files on the system, governed by DAC, you must turn on the ftpd_full_access boolean.
++
++.EX
++.B setsebool -P ftpd_full_access 1
++.EE
++
++.PP
++If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean.
++
++.EX
++.B setsebool -P ftpd_use_nfs 1
++.EE
++
++.PP
++If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
++
++.EX
++.B setsebool -P httpd_enable_ftp_server 1
++.EE
++
++.PP
++If you want to allow ftp servers to use bind to all unreserved ports for passive mode, you must turn on the ftpd_use_passive_mode boolean.
++
++.EX
++.B setsebool -P ftpd_use_passive_mode 1
++.EE
++
++.PP
++If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_ftp 1
++.EE
++
++.PP
++If you want to allow ftp to read and write files in the user home directories, you must turn on the ftp_home_dir boolean.
++
++.EX
++.B setsebool -P ftp_home_dir 1
++.EE
++
++.PP
++If you want to allow ftp servers to connect to mysql database ports, you must turn on the ftpd_connect_db boolean.
++
++.EX
++.B setsebool -P ftpd_connect_db 1
++.EE
++
++.PP
++If you want to allow ftp servers to use cifs used for public file transfer services, you must turn on the ftpd_use_cifs boolean.
++
++.EX
++.B setsebool -P ftpd_use_cifs 1
++.EE
++
++.PP
++If you want to allow sftp-internal to read and write files in the user home directories, you must turn on the sftpd_enable_homedirs boolean.
++
++.EX
++.B setsebool -P sftpd_enable_homedirs 1
++.EE
++
++.PP
++If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
++
++.EX
++.B setsebool -P sftpd_write_ssh_home 1
++.EE
++
++.PP
++If you want to allow tftp to read and write files in the user home directories, you must turn on the tftp_home_dir boolean.
++
++.EX
++.B setsebool -P tftp_home_dir 1
++.EE
++
++.PP
++If you want to allow sftp-internal to login to local users and read/write all files on the system, governed by DAC, you must turn on the sftpd_full_access boolean.
++
++.EX
++.B setsebool -P sftpd_full_access 1
++.EE
++
++.PP
++If you want to allow ftp servers to connect to all ports > 1023, you must turn on the ftpd_connect_all_unreserved boolean.
++
++.EX
++.B setsebool -P ftpd_connect_all_unreserved 1
++.EE
++
++.PP
++If you want to allow ftp servers to login to local users and read/write all files on the system, governed by DAC, you must turn on the ftpd_full_access boolean.
++
++.EX
++.B setsebool -P ftpd_full_access 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
+ .TP
+-Allow ftp servers to use cifs for public file transfer services.
++Allow ftpd servers to read the /var/ftpd directory by adding the public_content_t file type to the directory and by restoring the file type.
+ .PP
+ .B
+-setsebool -P allow_ftpd_use_cifs on
++semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?"
++.br
++.B restorecon -F -R -v /var/ftpd
++.pp
+ .TP
+-Allow ftp servers to use nfs for public file transfer services.
++Allow ftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpdd_anon_write boolean to be set.
+ .PP
+ .B
+-setsebool -P allow_ftpd_use_nfs on
+-.TP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
+-.SH AUTHOR
++semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/ftpd/incoming
++
++
+ .PP
+-This manual page was written by Dan Walsh .
++If you want to allow anon internal-sftp to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the sftpd_anon_write boolean.
+
+-.SH "SEE ALSO"
++.EX
++.B setsebool -P sftpd_anon_write 1
++.EE
++
++.PP
++If you want to allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the ftpd_anon_write boolean.
++
++.EX
++.B setsebool -P ftpd_anon_write 1
++.EE
++
++.PP
++If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean.
++
++.EX
++.B setsebool -P tftp_anon_write 1
++.EE
++
++.PP
++If you want to allow anon internal-sftp to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the sftpd_anon_write boolean.
++
++.EX
++.B setsebool -P sftpd_anon_write 1
++.EE
++
++.PP
++If you want to allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the ftpd_anon_write boolean.
++
++.EX
++.B setsebool -P ftpd_anon_write 1
++.EE
++
++.PP
++If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean.
++
++.EX
++.B setsebool -P tftp_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ftpd policy is very flexible allowing users to setup their ftpd processes in as secure a method as possible.
++.PP
++The following file types are defined for ftpd:
++
++
++.EX
++.PP
++.B ftpd_etc_t
++.EE
++
++- Set files with the ftpd_etc_t type, if you want to store ftpd files in the /etc directories.
++
++
++.EX
++.PP
++.B ftpd_exec_t
++.EE
++
++- Set files with the ftpd_exec_t type, if you want to transition an executable to the ftpd_t domain.
++
++
++.EX
++.PP
++.B ftpd_initrc_exec_t
++.EE
++
++- Set files with the ftpd_initrc_exec_t type, if you want to transition an executable to the ftpd_initrc_t domain.
++
++
++.EX
++.PP
++.B ftpd_keytab_t
++.EE
++
++- Set files with the ftpd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B ftpd_lock_t
++.EE
++
++- Set files with the ftpd_lock_t type, if you want to treat the files as ftpd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B ftpd_tmp_t
++.EE
++
++- Set files with the ftpd_tmp_t type, if you want to store ftpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ftpd_tmpfs_t
++.EE
++
++- Set files with the ftpd_tmpfs_t type, if you want to store ftpd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B ftpd_unit_file_t
++.EE
++
++- Set files with the ftpd_unit_file_t type, if you want to treat the files as ftpd unit content.
++
++
++.EX
++.PP
++.B ftpd_var_run_t
++.EE
++
++- Set files with the ftpd_var_run_t type, if you want to store the ftpd files under the /run directory.
++
++
++.EX
++.PP
++.B ftpdctl_exec_t
++.EE
++
++- Set files with the ftpdctl_exec_t type, if you want to transition an executable to the ftpdctl_t domain.
++
++
++.EX
++.PP
++.B ftpdctl_tmp_t
++.EE
++
++- Set files with the ftpdctl_tmp_t type, if you want to store ftpdctl temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux ftpd policy is very flexible allowing users to setup their ftpd processes in as secure a method as possible.
++.PP
++The following port types are defined for ftpd:
++
++.EX
++.TP 5
++.B ftp_data_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 20
++.EE
++
++.EX
++.TP 5
++.B ftp_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 21,990
++.EE
++udp 990
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type ftpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B ftpd_lock_t
++
++
++.br
++.B ftpd_tmp_t
++
++
++.br
++.B ftpd_tmpfs_t
++
++
++.br
++.B ftpd_var_run_t
++
++ /var/run/proftpd.*
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B var_auth_t
++
++ /var/ace(/.*)?
++.br
++ /var/rsa(/.*)?
++.br
++ /var/lib/abl(/.*)?
++.br
++ /var/lib/rsa(/.*)?
++.br
++ /var/lib/pam_ssh(/.*)?
++.br
++ /var/run/pam_ssh(/.*)?
++.br
++ /var/lib/pam_shield(/.*)?
++.br
++ /var/lib/google-authenticator(/.*)?
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.br
++.B xferlog_t
++
++ /var/log/vsftpd.*
++.br
++ /var/log/xferlog.*
++.br
++ /var/log/proftpd(/.*)?
++.br
++ /var/log/xferreport.*
++.br
++ /var/log/muddleftpd\.log.*
++.br
++ /usr/libexec/webmin/vsftpd/webalizer/xfer_log
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ftpd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
+ .PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
+
+-selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8)
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), ftpdctl_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/ftpdctl_selinux.8 b/man/man8/ftpdctl_selinux.8
+new file mode 100644
+index 0000000..c926027
+--- /dev/null
++++ b/man/man8/ftpdctl_selinux.8
+@@ -0,0 +1,95 @@
++.TH "ftpdctl_selinux" "8" "12-11-01" "ftpdctl" "SELinux Policy documentation for ftpdctl"
++.SH "NAME"
++ftpdctl_selinux \- Security Enhanced Linux Policy for the ftpdctl processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ftpdctl processes via flexible mandatory access control.
++
++The ftpdctl processes execute with the ftpdctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ftpdctl_t
++
++
++.SH "ENTRYPOINTS"
++
++The ftpdctl_t SELinux type can be entered via the "ftpdctl_exec_t" file type. The default entrypoint paths for the ftpdctl_t domain are the following:"
++
++/usr/bin/ftpdctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ftpdctl policy is very flexible allowing users to setup their ftpdctl processes in as secure a method as possible.
++.PP
++The following process types are defined for ftpdctl:
++
++.EX
++.B ftpdctl_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ftpdctl policy is very flexible allowing users to setup their ftpdctl processes in as secure a method as possible.
++.PP
++The following file types are defined for ftpdctl:
++
++
++.EX
++.PP
++.B ftpdctl_exec_t
++.EE
++
++- Set files with the ftpdctl_exec_t type, if you want to transition an executable to the ftpdctl_t domain.
++
++
++.EX
++.PP
++.B ftpdctl_tmp_t
++.EE
++
++- Set files with the ftpdctl_tmp_t type, if you want to store ftpdctl temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ftpdctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, ftpd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/games_selinux.8 b/man/man8/games_selinux.8
+new file mode 100644
+index 0000000..3e88bfa
+--- /dev/null
++++ b/man/man8/games_selinux.8
+@@ -0,0 +1,178 @@
++.TH "games_selinux" "8" "12-11-01" "games" "SELinux Policy documentation for games"
++.SH "NAME"
++games_selinux \- Security Enhanced Linux Policy for the games processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the games processes via flexible mandatory access control.
++
++The games processes execute with the games_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep games_t
++
++
++.SH "ENTRYPOINTS"
++
++The games_t SELinux type can be entered via the "games_exec_t" file type. The default entrypoint paths for the games_t domain are the following:"
++
++/usr/games/.*, /usr/lib/games(/.*)?, /usr/bin/civclient.*, /usr/bin/civserver.*, /usr/bin/sol, /usr/bin/micq, /usr/bin/kolf, /usr/bin/kpat, /usr/bin/gnect, /usr/bin/gtali, /usr/bin/iagno, /usr/bin/ksame, /usr/bin/ktron, /usr/bin/kwin4, /usr/bin/lskat, /usr/bin/gataxx, /usr/bin/glines, /usr/bin/klines, /usr/bin/kmines, /usr/bin/kpoker, /usr/bin/ksnake, /usr/bin/gnomine, /usr/bin/gnotski, /usr/bin/katomic, /usr/bin/kbounce, /usr/bin/kshisen, /usr/bin/ksirtet, /usr/bin/gnibbles, /usr/bin/gnobots2, /usr/bin/mahjongg, /usr/bin/atlantik, /usr/bin/kenolaba, /usr/bin/klickety, /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/ksokoban, /usr/bin/blackjack, /usr/bin/gnotravex, /usr/bin/kblackbox, /usr/bin/kfouleggs, /usr/bin/kmahjongg, /usr/bin/kwin4proc, /usr/bin/lskatproc, /usr/bin/Maelstrom, /usr/bin/same-gnome, /usr/bin/kasteroids, /usr/bin/ksmiletris, /usr/bin/kspaceduel, /usr/bin/ktuberling, /usr/bin/kbackgammon, /usr/bin/kbattleship, /usr/bin/kgoldrunner, /usr/bin/gnome-stones, /usr/bin/kjumpingcube
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux games policy is very flexible allowing users to setup their games processes in as secure a method as possible.
++.PP
++The following process types are defined for games:
++
++.EX
++.B games_t, games_srv_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux games policy is very flexible allowing users to setup their games processes in as secure a method as possible.
++.PP
++The following file types are defined for games:
++
++
++.EX
++.PP
++.B games_data_t
++.EE
++
++- Set files with the games_data_t type, if you want to treat the files as games content.
++
++
++.EX
++.PP
++.B games_exec_t
++.EE
++
++- Set files with the games_exec_t type, if you want to transition an executable to the games_t domain.
++
++
++.EX
++.PP
++.B games_srv_var_run_t
++.EE
++
++- Set files with the games_srv_var_run_t type, if you want to store the games srv files under the /run directory.
++
++
++.EX
++.PP
++.B games_tmp_t
++.EE
++
++- Set files with the games_tmp_t type, if you want to store games temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B games_tmpfs_t
++.EE
++
++- Set files with the games_tmpfs_t type, if you want to store games files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type games_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B games_data_t
++
++ /var/games(/.*)?
++.br
++ /var/lib/games(/.*)?
++.br
++
++.br
++.B games_tmp_t
++
++
++.br
++.B games_tmpfs_t
++
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), games(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/gconfd_selinux.8 b/man/man8/gconfd_selinux.8
+new file mode 100644
+index 0000000..18de510
+--- /dev/null
++++ b/man/man8/gconfd_selinux.8
+@@ -0,0 +1,129 @@
++.TH "gconfd_selinux" "8" "12-11-01" "gconfd" "SELinux Policy documentation for gconfd"
++.SH "NAME"
++gconfd_selinux \- Security Enhanced Linux Policy for the gconfd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the gconfd processes via flexible mandatory access control.
++
++The gconfd processes execute with the gconfd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep gconfd_t
++
++
++.SH "ENTRYPOINTS"
++
++The gconfd_t SELinux type can be entered via the "gconfd_exec_t" file type. The default entrypoint paths for the gconfd_t domain are the following:"
++
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux gconfd policy is very flexible allowing users to setup their gconfd processes in as secure a method as possible.
++.PP
++The following process types are defined for gconfd:
++
++.EX
++.B gconfdefaultsm_t, gconfd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux gconfd policy is very flexible allowing users to setup their gconfd processes in as secure a method as possible.
++.PP
++The following file types are defined for gconfd:
++
++
++.EX
++.PP
++.B gconfd_exec_t
++.EE
++
++- Set files with the gconfd_exec_t type, if you want to transition an executable to the gconfd_t domain.
++
++
++.EX
++.PP
++.B gconfdefaultsm_exec_t
++.EE
++
++- Set files with the gconfdefaultsm_exec_t type, if you want to transition an executable to the gconfdefaultsm_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type gconfd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B gconf_home_t
++
++ /root/\.local.*
++.br
++ /root/\.gconf(d)?(/.*)?
++.br
++ /home/[^/]*/\.local.*
++.br
++ /home/[^/]*/\.gconf(d)?(/.*)?
++.br
++ /home/dwalsh/\.local.*
++.br
++ /home/dwalsh/\.gconf(d)?(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.local.*
++.br
++ /var/lib/xguest/home/xguest/\.gconf(d)?(/.*)?
++.br
++
++.br
++.B gconf_tmp_t
++
++ /tmp/gconfd-.*/.*
++.br
++ /tmp/gconfd-dwalsh/.*
++.br
++ /tmp/gconfd-xguest/.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), gconfd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, gconfdefaultsm_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/gconfdefaultsm_selinux.8 b/man/man8/gconfdefaultsm_selinux.8
+new file mode 100644
+index 0000000..a13ef31
+--- /dev/null
++++ b/man/man8/gconfdefaultsm_selinux.8
+@@ -0,0 +1,117 @@
++.TH "gconfdefaultsm_selinux" "8" "12-11-01" "gconfdefaultsm" "SELinux Policy documentation for gconfdefaultsm"
++.SH "NAME"
++gconfdefaultsm_selinux \- Security Enhanced Linux Policy for the gconfdefaultsm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the gconfdefaultsm processes via flexible mandatory access control.
++
++The gconfdefaultsm processes execute with the gconfdefaultsm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep gconfdefaultsm_t
++
++
++.SH "ENTRYPOINTS"
++
++The gconfdefaultsm_t SELinux type can be entered via the "gconfdefaultsm_exec_t" file type. The default entrypoint paths for the gconfdefaultsm_t domain are the following:"
++
++/usr/libexec/gconf-defaults-mechanism
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux gconfdefaultsm policy is very flexible allowing users to setup their gconfdefaultsm processes in as secure a method as possible.
++.PP
++The following process types are defined for gconfdefaultsm:
++
++.EX
++.B gconfdefaultsm_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux gconfdefaultsm policy is very flexible allowing users to setup their gconfdefaultsm processes in as secure a method as possible.
++.PP
++The following file types are defined for gconfdefaultsm:
++
++
++.EX
++.PP
++.B gconfdefaultsm_exec_t
++.EE
++
++- Set files with the gconfdefaultsm_exec_t type, if you want to transition an executable to the gconfdefaultsm_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type gconfdefaultsm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B gconf_etc_t
++
++ /etc/gconf(/.*)?
++.br
++
++.br
++.B gconf_home_t
++
++ /root/\.local.*
++.br
++ /root/\.gconf(d)?(/.*)?
++.br
++ /home/[^/]*/\.local.*
++.br
++ /home/[^/]*/\.gconf(d)?(/.*)?
++.br
++ /home/dwalsh/\.local.*
++.br
++ /home/dwalsh/\.gconf(d)?(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.local.*
++.br
++ /var/lib/xguest/home/xguest/\.gconf(d)?(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), gconfdefaultsm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, gconfd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/getty_selinux.8 b/man/man8/getty_selinux.8
+new file mode 100644
+index 0000000..d3c311a
+--- /dev/null
++++ b/man/man8/getty_selinux.8
+@@ -0,0 +1,212 @@
++.TH "getty_selinux" "8" "12-11-01" "getty" "SELinux Policy documentation for getty"
++.SH "NAME"
++getty_selinux \- Security Enhanced Linux Policy for the getty processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the getty processes via flexible mandatory access control.
++
++The getty processes execute with the getty_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep getty_t
++
++
++.SH "ENTRYPOINTS"
++
++The getty_t SELinux type can be entered via the "getty_exec_t" file type. The default entrypoint paths for the getty_t domain are the following:"
++
++/sbin/.*getty, /usr/sbin/.*getty
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux getty policy is very flexible allowing users to setup their getty processes in as secure a method as possible.
++.PP
++The following process types are defined for getty:
++
++.EX
++.B getty_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux getty policy is very flexible allowing users to setup their getty processes in as secure a method as possible.
++.PP
++The following file types are defined for getty:
++
++
++.EX
++.PP
++.B getty_etc_t
++.EE
++
++- Set files with the getty_etc_t type, if you want to store getty files in the /etc directories.
++
++
++.EX
++.PP
++.B getty_exec_t
++.EE
++
++- Set files with the getty_exec_t type, if you want to transition an executable to the getty_t domain.
++
++
++.EX
++.PP
++.B getty_lock_t
++.EE
++
++- Set files with the getty_lock_t type, if you want to treat the files as getty lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B getty_log_t
++.EE
++
++- Set files with the getty_log_t type, if you want to treat the data as getty log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B getty_tmp_t
++.EE
++
++- Set files with the getty_tmp_t type, if you want to store getty temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B getty_unit_file_t
++.EE
++
++- Set files with the getty_unit_file_t type, if you want to treat the files as getty unit content.
++
++
++.EX
++.PP
++.B getty_var_run_t
++.EE
++
++- Set files with the getty_var_run_t type, if you want to store the getty files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type getty_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B getty_lock_t
++
++
++.br
++.B getty_log_t
++
++ /var/log/mgetty\.log.*
++.br
++ /var/log/vgetty\.log\..*
++.br
++
++.br
++.B getty_tmp_t
++
++
++.br
++.B getty_var_run_t
++
++ /var/spool/fax(/.*)?
++.br
++ /var/spool/voice(/.*)?
++.br
++ /var/run/mgetty\.pid.*
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B var_run_t
++
++ /run/.*
++.br
++ /var/run/.*
++.br
++ /run
++.br
++ /var/run
++.br
++ /var/run
++.br
++ /var/spool/postfix/pid
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the getty_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the getty_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), getty(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/gfs_controld_selinux.8 b/man/man8/gfs_controld_selinux.8
+new file mode 100644
+index 0000000..d464731
+--- /dev/null
++++ b/man/man8/gfs_controld_selinux.8
+@@ -0,0 +1,160 @@
++.TH "gfs_controld_selinux" "8" "12-11-01" "gfs_controld" "SELinux Policy documentation for gfs_controld"
++.SH "NAME"
++gfs_controld_selinux \- Security Enhanced Linux Policy for the gfs_controld processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the gfs_controld processes via flexible mandatory access control.
++
++The gfs_controld processes execute with the gfs_controld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep gfs_controld_t
++
++
++.SH "ENTRYPOINTS"
++
++The gfs_controld_t SELinux type can be entered via the "gfs_controld_exec_t" file type. The default entrypoint paths for the gfs_controld_t domain are the following:"
++
++/usr/sbin/gfs_controld
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux gfs_controld policy is very flexible allowing users to setup their gfs_controld processes in as secure a method as possible.
++.PP
++The following process types are defined for gfs_controld:
++
++.EX
++.B gfs_controld_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux gfs_controld policy is very flexible allowing users to setup their gfs_controld processes in as secure a method as possible.
++.PP
++The following file types are defined for gfs_controld:
++
++
++.EX
++.PP
++.B gfs_controld_exec_t
++.EE
++
++- Set files with the gfs_controld_exec_t type, if you want to transition an executable to the gfs_controld_t domain.
++
++
++.EX
++.PP
++.B gfs_controld_tmpfs_t
++.EE
++
++- Set files with the gfs_controld_tmpfs_t type, if you want to store gfs controld files on a tmpfs file system.
++
++
++.EX
++.PP
++.B gfs_controld_var_log_t
++.EE
++
++- Set files with the gfs_controld_var_log_t type, if you want to treat the data as gfs controld var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B gfs_controld_var_run_t
++.EE
++
++- Set files with the gfs_controld_var_run_t type, if you want to store the gfs controld files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type gfs_controld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cluster_var_lib_t
++
++ /var/lib/cluster(/.*)?
++.br
++
++.br
++.B gfs_controld_tmpfs_t
++
++
++.br
++.B gfs_controld_var_log_t
++
++ /var/log/cluster/gfs_controld\.log.*
++.br
++
++.br
++.B gfs_controld_var_run_t
++
++ /var/run/gfs_controld\.pid
++.br
++
++.br
++.B initrc_tmp_t
++
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gfs_controld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the gfs_controld_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), gfs_controld(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8
+deleted file mode 100644
+index e9c43b1..0000000
+--- a/man/man8/git_selinux.8
++++ /dev/null
+@@ -1,109 +0,0 @@
+-.TH "git_selinux" "8" "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation"
+-.de EX
+-.nf
+-.ft CW
+-..
+-.de EE
+-.ft R
+-.fi
+-..
+-.SH "NAME"
+-git_selinux \- Security Enhanced Linux Policy for the Git daemon.
+-.SH "DESCRIPTION"
+-Security-Enhanced Linux secures the Git server via flexible mandatory access
+-control.
+-.SH FILE_CONTEXTS
+-SELinux requires files to have an extended attribute to define the file type.
+-Policy governs the access daemons have to these files.
+-SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible.
+-.PP
+-The following file contexts types are by default defined for Git:
+-.EX
+-git_system_content_t
+-.EE
+-- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
+-.EX
+-git_session_content_t
+-.EE
+-- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
+-.SH BOOLEANS
+-SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
+-.PP
+-Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories.
+-.EX
+-sudo setsebool -P git_system_enable_homedirs 1
+-.EE
+-.PP
+-Allow the Git system daemon to read system shared repositories on NFS shares.
+-.EX
+-sudo setsebool -P git_system_use_nfs 1
+-.EE
+-.PP
+-Allow the Git system daemon to read system shared repositories on Samba shares.
+-.EX
+-sudo setsebool -P git_system_use_cifs 1
+-.EE
+-.PP
+-Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
+-.EX
+-sudo setsebool -P use_nfs_home_dirs 1
+-.EE
+-.PP
+-Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
+-.EX
+-sudo setsebool -P use_samba_home_dirs 1
+-.EE
+-.PP
+-To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories.
+-.EX
+-sudo setsebool -P git_system_enable_homedirs 1
+-.EE
+-.PP
+-To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
+-.EX
+-sudo setsebool -P git_session_bind_all_unreserved_ports 1
+-.EE
+-.SH GIT_SHELL
+-The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
+-.PP
+-To add a new Linux user and map him to this Git shell user domain automatically:
+-.EX
+-sudo useradd -Z git_shell_u joe
+-.EE
+-.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
+-Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content.
+-.PP
+-To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
+-.EX
+-policy_module(project1, 1.0.0)
+-git_content_template(project1)
+-.EE
+-Next create a file named project1.fc and add a file context specification for the new repository type to it:
+-.EX
+-/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
+-.EE
+-Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
+-.EX
+-make -f /usr/share/selinux/devel/Makefile project.pp
+-sudo semodule -i project1.pp
+-sudo restorecon -R -v /srv/git/project1
+-.EE
+-To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
+-.EX
+-policy_module(project1user, 1.0.0)
+-git_role_template(project1user)
+-git_content_delegation(project1user_t, git_project1_content_t)
+-gen_user(project1user_u, user, project1user_r, s0, s0)
+-.EE
+-Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user:
+-.EX
+-make -f /usr/share/selinux/devel/Makefile project1user.pp
+-sudo semodule -i project1user.pp
+-sudo useradd -Z project1user_u jane
+-.EE
+-.PP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
+-.SH AUTHOR
+-This manual page was written by Dominick Grift .
+-.SH "SEE ALSO"
+-selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
+diff --git a/man/man8/git_shell_selinux.8 b/man/man8/git_shell_selinux.8
+new file mode 100644
+index 0000000..f991f0f
+--- /dev/null
++++ b/man/man8/git_shell_selinux.8
+@@ -0,0 +1,133 @@
++.TH "git_shell_selinux" "8" "git_shell" "mgrepl@redhat.com" "git_shell SELinux Policy documentation"
++.SH "NAME"
++git_shell_u \- \fBgit_shell user role\fP - Security Enhanced Linux Policy
++
++.SH DESCRIPTION
++
++\fBgit_shell_u\fP is an SELinux User defined in the SELinux
++policy. SELinux users have default roles, \fBgit_shell_r\fP. The
++default role has a default type, \fBgit_shell_t\fP, associated with it.
++
++The SELinux user will usually login to a system with a context that looks like:
++
++.B git_shell_u:git_shell_r:git_shell_t:s0-s0:c0.c1023
++
++Linux users are automatically assigned an SELinux users at login.
++Login programs use the SELinux User to assign initial context to the user's shell.
++
++SELinux policy uses the context to control the user's access.
++
++By default all users are assigned to the SELinux user via the \fB__default__\fP flag
++
++On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
++
++You can list all Linux User to SELinux user mapping using:
++
++.B semanage login -l
++
++If you wanted to change the default user mapping to use the git_shell_u user, you would execute:
++
++.B semanage login -m -s git_shell_u __default__
++
++
++.SH USER DESCRIPTION
++
++The SELinux user git_shell_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
++
++.SH SUDO
++
++.SH X WINDOWS LOGIN
++
++The SELinux user git_shell_u is not able to X Windows login.
++
++.SH NETWORK
++
++.TP
++The SELinux user git_shell_u is able to connect to the following tcp ports.
++
++.B dns_port_t: 53
++
++.B ocsp_port_t: 9080
++
++.B kerberos_port_t: 88,750,4444
++
++.TP
++The SELinux user git_shell_u is able to connect to the following tcp ports.
++
++.B dns_port_t: 53
++
++.B ocsp_port_t: 9080
++
++.B kerberos_port_t: 88,750,4444
++
++.SH HOME_EXEC
++
++The SELinux user git_shell_u is able execute home content files.
++
++.SH TRANSITIONS
++
++Three things can happen when git_shell_t attempts to execute a program.
++
++\fB1.\fP SELinux Policy can deny git_shell_t from executing the program.
++
++.TP
++
++\fB2.\fP SELinux Policy can allow git_shell_t to execute the program in the current user type.
++
++Execute the following to see the types that the SELinux user git_shell_t can execute without transitioning:
++
++.B search -A -s git_shell_t -c file -p execute_no_trans
++
++.TP
++
++\fB3.\fP SELinux can allow git_shell_t to execute the program and transition to a new type.
++
++Execute the following to see the types that the SELinux user git_shell_t can execute and transition:
++
++.B $ search -A -s git_shell_t -c process -p transition
++
++
++.SH "MANAGED FILES"
++
++The SELinux process type git_shell_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B alsa_home_t
++
++ /home/[^/]*/\.asoundrc
++.br
++ /home/dwalsh/\.asoundrc
++.br
++ /var/lib/xguest/home/xguest/\.asoundrc
++.br
++
++.br
++.B git_sys_content_t
++
++ /srv/git(/.*)?
++.br
++ /var/lib/git(/.*)?
++.br
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), git_shell(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, gitosis_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/gitosis_selinux.8 b/man/man8/gitosis_selinux.8
+new file mode 100644
+index 0000000..56b4bdf
+--- /dev/null
++++ b/man/man8/gitosis_selinux.8
+@@ -0,0 +1,128 @@
++.TH "gitosis_selinux" "8" "12-11-01" "gitosis" "SELinux Policy documentation for gitosis"
++.SH "NAME"
++gitosis_selinux \- Security Enhanced Linux Policy for the gitosis processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the gitosis processes via flexible mandatory access control.
++
++The gitosis processes execute with the gitosis_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep gitosis_t
++
++
++.SH "ENTRYPOINTS"
++
++The gitosis_t SELinux type can be entered via the "gitosis_exec_t" file type. The default entrypoint paths for the gitosis_t domain are the following:"
++
++/usr/bin/gitosis-serve, /usr/bin/gl-auth-command
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux gitosis policy is very flexible allowing users to setup their gitosis processes in as secure a method as possible.
++.PP
++The following process types are defined for gitosis:
++
++.EX
++.B gitosis_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. gitosis policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gitosis with the tightest access possible.
++
++
++.PP
++If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean.
++
++.EX
++.B setsebool -P gitosis_can_sendmail 1
++.EE
++
++.PP
++If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean.
++
++.EX
++.B setsebool -P gitosis_can_sendmail 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux gitosis policy is very flexible allowing users to setup their gitosis processes in as secure a method as possible.
++.PP
++The following file types are defined for gitosis:
++
++
++.EX
++.PP
++.B gitosis_exec_t
++.EE
++
++- Set files with the gitosis_exec_t type, if you want to transition an executable to the gitosis_t domain.
++
++
++.EX
++.PP
++.B gitosis_var_lib_t
++.EE
++
++- Set files with the gitosis_var_lib_t type, if you want to store the gitosis files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type gitosis_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B gitosis_var_lib_t
++
++ /var/lib/gitosis(/.*)?
++.br
++ /var/lib/gitolite(3)?(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), gitosis(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/glance_api_selinux.8 b/man/man8/glance_api_selinux.8
+new file mode 100644
+index 0000000..f7a5295
+--- /dev/null
++++ b/man/man8/glance_api_selinux.8
+@@ -0,0 +1,121 @@
++.TH "glance_api_selinux" "8" "12-11-01" "glance_api" "SELinux Policy documentation for glance_api"
++.SH "NAME"
++glance_api_selinux \- Security Enhanced Linux Policy for the glance_api processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the glance_api processes via flexible mandatory access control.
++
++The glance_api processes execute with the glance_api_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep glance_api_t
++
++
++.SH "ENTRYPOINTS"
++
++The glance_api_t SELinux type can be entered via the "glance_api_exec_t" file type. The default entrypoint paths for the glance_api_t domain are the following:"
++
++/usr/bin/glance-api
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux glance_api policy is very flexible allowing users to setup their glance_api processes in as secure a method as possible.
++.PP
++The following process types are defined for glance_api:
++
++.EX
++.B glance_api_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux glance_api policy is very flexible allowing users to setup their glance_api processes in as secure a method as possible.
++.PP
++The following file types are defined for glance_api:
++
++
++.EX
++.PP
++.B glance_api_exec_t
++.EE
++
++- Set files with the glance_api_exec_t type, if you want to transition an executable to the glance_api_t domain.
++
++
++.EX
++.PP
++.B glance_api_initrc_exec_t
++.EE
++
++- Set files with the glance_api_initrc_exec_t type, if you want to transition an executable to the glance_api_initrc_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type glance_api_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B glance_log_t
++
++ /var/log/glance(/.*)?
++.br
++
++.br
++.B glance_tmp_t
++
++
++.br
++.B glance_var_lib_t
++
++ /var/lib/glance(/.*)?
++.br
++
++.br
++.B glance_var_run_t
++
++ /var/run/glance(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), glance_api(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, glance_registry_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/glance_registry_selinux.8 b/man/man8/glance_registry_selinux.8
+new file mode 100644
+index 0000000..1846d51
+--- /dev/null
++++ b/man/man8/glance_registry_selinux.8
+@@ -0,0 +1,157 @@
++.TH "glance_registry_selinux" "8" "12-11-01" "glance_registry" "SELinux Policy documentation for glance_registry"
++.SH "NAME"
++glance_registry_selinux \- Security Enhanced Linux Policy for the glance_registry processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the glance_registry processes via flexible mandatory access control.
++
++The glance_registry processes execute with the glance_registry_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep glance_registry_t
++
++
++.SH "ENTRYPOINTS"
++
++The glance_registry_t SELinux type can be entered via the "glance_registry_exec_t" file type. The default entrypoint paths for the glance_registry_t domain are the following:"
++
++/usr/bin/glance-registry
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux glance_registry policy is very flexible allowing users to setup their glance_registry processes in as secure a method as possible.
++.PP
++The following process types are defined for glance_registry:
++
++.EX
++.B glance_registry_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux glance_registry policy is very flexible allowing users to setup their glance_registry processes in as secure a method as possible.
++.PP
++The following file types are defined for glance_registry:
++
++
++.EX
++.PP
++.B glance_registry_exec_t
++.EE
++
++- Set files with the glance_registry_exec_t type, if you want to transition an executable to the glance_registry_t domain.
++
++
++.EX
++.PP
++.B glance_registry_initrc_exec_t
++.EE
++
++- Set files with the glance_registry_initrc_exec_t type, if you want to transition an executable to the glance_registry_initrc_t domain.
++
++
++.EX
++.PP
++.B glance_registry_tmp_t
++.EE
++
++- Set files with the glance_registry_tmp_t type, if you want to store glance registry temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux glance_registry policy is very flexible allowing users to setup their glance_registry processes in as secure a method as possible.
++.PP
++The following port types are defined for glance_registry:
++
++.EX
++.TP 5
++.B glance_registry_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 9191
++.EE
++udp 9191
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type glance_registry_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B glance_log_t
++
++ /var/log/glance(/.*)?
++.br
++
++.br
++.B glance_registry_tmp_t
++
++
++.br
++.B glance_var_lib_t
++
++ /var/lib/glance(/.*)?
++.br
++
++.br
++.B glance_var_run_t
++
++ /var/run/glance(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), glance_registry(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, glance_api_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/glusterd_selinux.8 b/man/man8/glusterd_selinux.8
+new file mode 100644
+index 0000000..b54fc9a
+--- /dev/null
++++ b/man/man8/glusterd_selinux.8
+@@ -0,0 +1,182 @@
++.TH "glusterd_selinux" "8" "12-11-01" "glusterd" "SELinux Policy documentation for glusterd"
++.SH "NAME"
++glusterd_selinux \- Security Enhanced Linux Policy for the glusterd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the glusterd processes via flexible mandatory access control.
++
++The glusterd processes execute with the glusterd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep glusterd_t
++
++
++.SH "ENTRYPOINTS"
++
++The glusterd_t SELinux type can be entered via the "glusterd_exec_t" file type. The default entrypoint paths for the glusterd_t domain are the following:"
++
++/opt/glusterfs/[^/]+/sbin/glusterfsd, /usr/sbin/glusterfsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux glusterd policy is very flexible allowing users to setup their glusterd processes in as secure a method as possible.
++.PP
++The following process types are defined for glusterd:
++
++.EX
++.B glusterd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux glusterd policy is very flexible allowing users to setup their glusterd processes in as secure a method as possible.
++.PP
++The following file types are defined for glusterd:
++
++
++.EX
++.PP
++.B glusterd_etc_t
++.EE
++
++- Set files with the glusterd_etc_t type, if you want to store glusterd files in the /etc directories.
++
++
++.EX
++.PP
++.B glusterd_exec_t
++.EE
++
++- Set files with the glusterd_exec_t type, if you want to transition an executable to the glusterd_t domain.
++
++
++.EX
++.PP
++.B glusterd_initrc_exec_t
++.EE
++
++- Set files with the glusterd_initrc_exec_t type, if you want to transition an executable to the glusterd_initrc_t domain.
++
++
++.EX
++.PP
++.B glusterd_log_t
++.EE
++
++- Set files with the glusterd_log_t type, if you want to treat the data as glusterd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B glusterd_tmp_t
++.EE
++
++- Set files with the glusterd_tmp_t type, if you want to store glusterd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B glusterd_var_lib_t
++.EE
++
++- Set files with the glusterd_var_lib_t type, if you want to store the glusterd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B glusterd_var_run_t
++.EE
++
++- Set files with the glusterd_var_run_t type, if you want to store the glusterd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type glusterd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B glusterd_etc_t
++
++ /etc/glusterd(/.*)?
++.br
++ /etc/glusterfs(/.*)?
++.br
++
++.br
++.B glusterd_log_t
++
++ /var/log/glusterfs(/.*)?
++.br
++
++.br
++.B glusterd_tmp_t
++
++
++.br
++.B glusterd_var_lib_t
++
++
++.br
++.B glusterd_var_run_t
++
++ /var/run/glusterd(/.*)?
++.br
++ /var/run/glusterd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the glusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the glusterd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), glusterd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/gnomeclock_selinux.8 b/man/man8/gnomeclock_selinux.8
+new file mode 100644
+index 0000000..3f491fb
+--- /dev/null
++++ b/man/man8/gnomeclock_selinux.8
+@@ -0,0 +1,144 @@
++.TH "gnomeclock_selinux" "8" "12-11-01" "gnomeclock" "SELinux Policy documentation for gnomeclock"
++.SH "NAME"
++gnomeclock_selinux \- Security Enhanced Linux Policy for the gnomeclock processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the gnomeclock processes via flexible mandatory access control.
++
++The gnomeclock processes execute with the gnomeclock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep gnomeclock_t
++
++
++.SH "ENTRYPOINTS"
++
++The gnomeclock_t SELinux type can be entered via the "gnomeclock_exec_t" file type. The default entrypoint paths for the gnomeclock_t domain are the following:"
++
++/usr/libexec/kde(3|4)/kcmdatetimehelper, /usr/lib/systemd/systemd-timedated, /usr/libexec/gsd-datetime-mechanism, /usr/libexec/gnome-clock-applet-mechanism
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux gnomeclock policy is very flexible allowing users to setup their gnomeclock processes in as secure a method as possible.
++.PP
++The following process types are defined for gnomeclock:
++
++.EX
++.B gnomeclock_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux gnomeclock policy is very flexible allowing users to setup their gnomeclock processes in as secure a method as possible.
++.PP
++The following file types are defined for gnomeclock:
++
++
++.EX
++.PP
++.B gnomeclock_exec_t
++.EE
++
++- Set files with the gnomeclock_exec_t type, if you want to transition an executable to the gnomeclock_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type gnomeclock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B config_usr_t
++
++ /usr/share/config(/.*)?
++.br
++
++.br
++.B locale_t
++
++ /etc/locale.conf
++.br
++ /usr/lib/locale(/.*)?
++.br
++ /usr/share/locale(/.*)?
++.br
++ /usr/share/zoneinfo(/.*)?
++.br
++ /usr/share/X11/locale(/.*)?
++.br
++ /etc/timezone
++.br
++ /etc/localtime
++.br
++ /etc/sysconfig/clock
++.br
++ /etc/avahi/etc/localtime
++.br
++ /var/empty/sshd/etc/localtime
++.br
++ /var/spool/postfix/etc/localtime
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gnomeclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the gnomeclock_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), gnomeclock(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/gnomesystemmm_selinux.8 b/man/man8/gnomesystemmm_selinux.8
+new file mode 100644
+index 0000000..a1956e7
+--- /dev/null
++++ b/man/man8/gnomesystemmm_selinux.8
+@@ -0,0 +1,96 @@
++.TH "gnomesystemmm_selinux" "8" "12-11-01" "gnomesystemmm" "SELinux Policy documentation for gnomesystemmm"
++.SH "NAME"
++gnomesystemmm_selinux \- Security Enhanced Linux Policy for the gnomesystemmm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the gnomesystemmm processes via flexible mandatory access control.
++
++The gnomesystemmm processes execute with the gnomesystemmm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep gnomesystemmm_t
++
++
++.SH "ENTRYPOINTS"
++
++The gnomesystemmm_t SELinux type can be entered via the "gnomesystemmm_exec_t" file type. The default entrypoint paths for the gnomesystemmm_t domain are the following:"
++
++/usr/libexec/kde(3|4)/ksysguardprocesslist_helper, /usr/libexec/gnome-system-monitor-mechanism
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux gnomesystemmm policy is very flexible allowing users to setup their gnomesystemmm processes in as secure a method as possible.
++.PP
++The following process types are defined for gnomesystemmm:
++
++.EX
++.B gnomesystemmm_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux gnomesystemmm policy is very flexible allowing users to setup their gnomesystemmm processes in as secure a method as possible.
++.PP
++The following file types are defined for gnomesystemmm:
++
++
++.EX
++.PP
++.B gnomesystemmm_exec_t
++.EE
++
++- Set files with the gnomesystemmm_exec_t type, if you want to transition an executable to the gnomesystemmm_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type gnomesystemmm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B config_usr_t
++
++ /usr/share/config(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), gnomesystemmm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/gpg_agent_selinux.8 b/man/man8/gpg_agent_selinux.8
+new file mode 100644
+index 0000000..c5861f9
+--- /dev/null
++++ b/man/man8/gpg_agent_selinux.8
+@@ -0,0 +1,144 @@
++.TH "gpg_agent_selinux" "8" "12-11-01" "gpg_agent" "SELinux Policy documentation for gpg_agent"
++.SH "NAME"
++gpg_agent_selinux \- Security Enhanced Linux Policy for the gpg_agent processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the gpg_agent processes via flexible mandatory access control.
++
++The gpg_agent processes execute with the gpg_agent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep gpg_agent_t
++
++
++.SH "ENTRYPOINTS"
++
++The gpg_agent_t SELinux type can be entered via the "gpg_agent_exec_t" file type. The default entrypoint paths for the gpg_agent_t domain are the following:"
++
++/usr/bin/gpg-agent
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux gpg_agent policy is very flexible allowing users to setup their gpg_agent processes in as secure a method as possible.
++.PP
++The following process types are defined for gpg_agent:
++
++.EX
++.B gpg_agent_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. gpg_agent policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg_agent with the tightest access possible.
++
++
++.PP
++If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean.
++
++.EX
++.B setsebool -P gpg_agent_env_file 1
++.EE
++
++.PP
++If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean.
++
++.EX
++.B setsebool -P gpg_agent_env_file 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux gpg_agent policy is very flexible allowing users to setup their gpg_agent processes in as secure a method as possible.
++.PP
++The following file types are defined for gpg_agent:
++
++
++.EX
++.PP
++.B gpg_agent_exec_t
++.EE
++
++- Set files with the gpg_agent_exec_t type, if you want to transition an executable to the gpg_agent_t domain.
++
++
++.EX
++.PP
++.B gpg_agent_tmp_t
++.EE
++
++- Set files with the gpg_agent_tmp_t type, if you want to store gpg agent temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type gpg_agent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B gpg_agent_tmp_t
++
++ /home/[^/]*/\.gnupg/log-socket
++.br
++ /home/dwalsh/\.gnupg/log-socket
++.br
++ /var/lib/xguest/home/xguest/\.gnupg/log-socket
++.br
++
++.br
++.B gpg_secret_t
++
++ /root/\.gnupg(/.+)?
++.br
++ /etc/mail/spamassassin/sa-update-keys(/.*)?
++.br
++ /home/[^/]*/\.gnupg(/.+)?
++.br
++ /home/dwalsh/\.gnupg(/.+)?
++.br
++ /var/lib/xguest/home/xguest/\.gnupg(/.+)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), gpg_agent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), gpg_selinux(8), gpg_selinux(8), gpg_helper_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/gpg_helper_selinux.8 b/man/man8/gpg_helper_selinux.8
+new file mode 100644
+index 0000000..b331e87
+--- /dev/null
++++ b/man/man8/gpg_helper_selinux.8
+@@ -0,0 +1,101 @@
++.TH "gpg_helper_selinux" "8" "12-11-01" "gpg_helper" "SELinux Policy documentation for gpg_helper"
++.SH "NAME"
++gpg_helper_selinux \- Security Enhanced Linux Policy for the gpg_helper processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the gpg_helper processes via flexible mandatory access control.
++
++The gpg_helper processes execute with the gpg_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep gpg_helper_t
++
++
++.SH "ENTRYPOINTS"
++
++The gpg_helper_t SELinux type can be entered via the "gpg_helper_exec_t" file type. The default entrypoint paths for the gpg_helper_t domain are the following:"
++
++/usr/lib/gnupg/gpgkeys.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux gpg_helper policy is very flexible allowing users to setup their gpg_helper processes in as secure a method as possible.
++.PP
++The following process types are defined for gpg_helper:
++
++.EX
++.B gpg_helper_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux gpg_helper policy is very flexible allowing users to setup their gpg_helper processes in as secure a method as possible.
++.PP
++The following file types are defined for gpg_helper:
++
++
++.EX
++.PP
++.B gpg_helper_exec_t
++.EE
++
++- Set files with the gpg_helper_exec_t type, if you want to transition an executable to the gpg_helper_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpg_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the gpg_helper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), gpg_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, gpg_selinux(8), gpg_selinux(8), gpg_agent_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/gpg_selinux.8 b/man/man8/gpg_selinux.8
+new file mode 100644
+index 0000000..4748f85
+--- /dev/null
++++ b/man/man8/gpg_selinux.8
+@@ -0,0 +1,361 @@
++.TH "gpg_selinux" "8" "12-11-01" "gpg" "SELinux Policy documentation for gpg"
++.SH "NAME"
++gpg_selinux \- Security Enhanced Linux Policy for the gpg processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the gpg processes via flexible mandatory access control.
++
++The gpg processes execute with the gpg_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep gpg_t
++
++
++.SH "ENTRYPOINTS"
++
++The gpg_t SELinux type can be entered via the "gpg_exec_t" file type. The default entrypoint paths for the gpg_t domain are the following:"
++
++/usr/bin/gpg(2)?, /usr/lib/gnupg/.*, /usr/bin/gpgsm
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux gpg policy is very flexible allowing users to setup their gpg processes in as secure a method as possible.
++.PP
++The following process types are defined for gpg:
++
++.EX
++.B gpg_t, gpg_pinentry_t, gpg_helper_t, gpg_web_t, gpg_agent_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. gpg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg with the tightest access possible.
++
++
++.PP
++If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean.
++
++.EX
++.B setsebool -P httpd_use_gpg 1
++.EE
++
++.PP
++If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean.
++
++.EX
++.B setsebool -P gpg_agent_env_file 1
++.EE
++
++.PP
++If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean.
++
++.EX
++.B setsebool -P httpd_use_gpg 1
++.EE
++
++.PP
++If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean.
++
++.EX
++.B setsebool -P gpg_agent_env_file 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow gpg servers to read the /var/gpg directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/gpg(/.*)?"
++.br
++.B restorecon -F -R -v /var/gpg
++.pp
++.TP
++Allow gpg servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_gpgd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/gpg/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/gpg/incoming
++
++
++.PP
++If you want to allow gpg web domain to modify public files used for public file transfer services., you must turn on the gpg_web_anon_write boolean.
++
++.EX
++.B setsebool -P gpg_web_anon_write 1
++.EE
++
++.PP
++If you want to allow gpg web domain to modify public files used for public file transfer services., you must turn on the gpg_web_anon_write boolean.
++
++.EX
++.B setsebool -P gpg_web_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux gpg policy is very flexible allowing users to setup their gpg processes in as secure a method as possible.
++.PP
++The following file types are defined for gpg:
++
++
++.EX
++.PP
++.B gpg_agent_exec_t
++.EE
++
++- Set files with the gpg_agent_exec_t type, if you want to transition an executable to the gpg_agent_t domain.
++
++
++.EX
++.PP
++.B gpg_agent_tmp_t
++.EE
++
++- Set files with the gpg_agent_tmp_t type, if you want to store gpg agent temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B gpg_exec_t
++.EE
++
++- Set files with the gpg_exec_t type, if you want to transition an executable to the gpg_t domain.
++
++
++.EX
++.PP
++.B gpg_helper_exec_t
++.EE
++
++- Set files with the gpg_helper_exec_t type, if you want to transition an executable to the gpg_helper_t domain.
++
++
++.EX
++.PP
++.B gpg_pinentry_tmp_t
++.EE
++
++- Set files with the gpg_pinentry_tmp_t type, if you want to store gpg pinentry temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B gpg_pinentry_tmpfs_t
++.EE
++
++- Set files with the gpg_pinentry_tmpfs_t type, if you want to store gpg pinentry files on a tmpfs file system.
++
++
++.EX
++.PP
++.B gpg_secret_t
++.EE
++
++- Set files with the gpg_secret_t type, if you want to treat the files as gpg se secret data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type gpg_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B etc_mail_t
++
++ /etc/mail(/.*)?
++.br
++
++.br
++.B gpg_agent_tmp_t
++
++ /home/[^/]*/\.gnupg/log-socket
++.br
++ /home/dwalsh/\.gnupg/log-socket
++.br
++ /var/lib/xguest/home/xguest/\.gnupg/log-socket
++.br
++
++.br
++.B gpg_secret_t
++
++ /root/\.gnupg(/.+)?
++.br
++ /etc/mail/spamassassin/sa-update-keys(/.*)?
++.br
++ /home/[^/]*/\.gnupg(/.+)?
++.br
++ /home/dwalsh/\.gnupg(/.+)?
++.br
++ /var/lib/xguest/home/xguest/\.gnupg(/.+)?
++.br
++
++.br
++.B mozilla_home_t
++
++ /home/[^/]*/\.java(/.*)?
++.br
++ /home/[^/]*/\.adobe(/.*)?
++.br
++ /home/[^/]*/\.gnash(/.*)?
++.br
++ /home/[^/]*/\.galeon(/.*)?
++.br
++ /home/[^/]*/\.spicec(/.*)?
++.br
++ /home/[^/]*/\.mozilla(/.*)?
++.br
++ /home/[^/]*/\.phoenix(/.*)?
++.br
++ /home/[^/]*/\.netscape(/.*)?
++.br
++ /home/[^/]*/\.ICAClient(/.*)?
++.br
++ /home/[^/]*/\.macromedia(/.*)?
++.br
++ /home/[^/]*/\.thunderbird(/.*)?
++.br
++ /home/[^/]*/\.gcjwebplugin(/.*)?
++.br
++ /home/[^/]*/\.icedteaplugin(/.*)?
++.br
++ /home/[^/]*/zimbrauserdata(/.*)?
++.br
++ /home/[^/]*/\.config/chromium(/.*)?
++.br
++ /home/dwalsh/\.java(/.*)?
++.br
++ /home/dwalsh/\.adobe(/.*)?
++.br
++ /home/dwalsh/\.gnash(/.*)?
++.br
++ /home/dwalsh/\.galeon(/.*)?
++.br
++ /home/dwalsh/\.spicec(/.*)?
++.br
++ /home/dwalsh/\.mozilla(/.*)?
++.br
++ /home/dwalsh/\.phoenix(/.*)?
++.br
++ /home/dwalsh/\.netscape(/.*)?
++.br
++ /home/dwalsh/\.ICAClient(/.*)?
++.br
++ /home/dwalsh/\.macromedia(/.*)?
++.br
++ /home/dwalsh/\.thunderbird(/.*)?
++.br
++ /home/dwalsh/\.gcjwebplugin(/.*)?
++.br
++ /home/dwalsh/\.icedteaplugin(/.*)?
++.br
++ /home/dwalsh/zimbrauserdata(/.*)?
++.br
++ /home/dwalsh/\.config/chromium(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.java(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.adobe(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.gnash(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.galeon(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.spicec(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.mozilla(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.phoenix(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.netscape(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.ICAClient(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.macromedia(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.thunderbird(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.icedteaplugin(/.*)?
++.br
++ /var/lib/xguest/home/xguest/zimbrauserdata(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.config/chromium(/.*)?
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.br
++.B user_tmp_type
++
++ all user tmp files
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), gpg(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), gpg_agent_selinux(8), gpg_helper_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/gpm_selinux.8 b/man/man8/gpm_selinux.8
+new file mode 100644
+index 0000000..6c04bf7
+--- /dev/null
++++ b/man/man8/gpm_selinux.8
+@@ -0,0 +1,130 @@
++.TH "gpm_selinux" "8" "12-11-01" "gpm" "SELinux Policy documentation for gpm"
++.SH "NAME"
++gpm_selinux \- Security Enhanced Linux Policy for the gpm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the gpm processes via flexible mandatory access control.
++
++The gpm processes execute with the gpm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep gpm_t
++
++
++.SH "ENTRYPOINTS"
++
++The gpm_t SELinux type can be entered via the "gpm_exec_t" file type. The default entrypoint paths for the gpm_t domain are the following:"
++
++/usr/sbin/gpm
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux gpm policy is very flexible allowing users to setup their gpm processes in as secure a method as possible.
++.PP
++The following process types are defined for gpm:
++
++.EX
++.B gpm_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux gpm policy is very flexible allowing users to setup their gpm processes in as secure a method as possible.
++.PP
++The following file types are defined for gpm:
++
++
++.EX
++.PP
++.B gpm_conf_t
++.EE
++
++- Set files with the gpm_conf_t type, if you want to treat the files as gpm configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B gpm_exec_t
++.EE
++
++- Set files with the gpm_exec_t type, if you want to transition an executable to the gpm_t domain.
++
++
++.EX
++.PP
++.B gpm_tmp_t
++.EE
++
++- Set files with the gpm_tmp_t type, if you want to store gpm temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B gpm_var_run_t
++.EE
++
++- Set files with the gpm_var_run_t type, if you want to store the gpm files under the /run directory.
++
++
++.EX
++.PP
++.B gpmctl_t
++.EE
++
++- Set files with the gpmctl_t type, if you want to treat the files as gpmctl data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type gpm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B gpm_tmp_t
++
++
++.br
++.B gpm_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), gpm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/gpsd_selinux.8 b/man/man8/gpsd_selinux.8
+new file mode 100644
+index 0000000..9c4572e
+--- /dev/null
++++ b/man/man8/gpsd_selinux.8
+@@ -0,0 +1,174 @@
++.TH "gpsd_selinux" "8" "12-11-01" "gpsd" "SELinux Policy documentation for gpsd"
++.SH "NAME"
++gpsd_selinux \- Security Enhanced Linux Policy for the gpsd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the gpsd processes via flexible mandatory access control.
++
++The gpsd processes execute with the gpsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep gpsd_t
++
++
++.SH "ENTRYPOINTS"
++
++The gpsd_t SELinux type can be entered via the "gpsd_exec_t" file type. The default entrypoint paths for the gpsd_t domain are the following:"
++
++/usr/sbin/gpsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux gpsd policy is very flexible allowing users to setup their gpsd processes in as secure a method as possible.
++.PP
++The following process types are defined for gpsd:
++
++.EX
++.B gpsd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux gpsd policy is very flexible allowing users to setup their gpsd processes in as secure a method as possible.
++.PP
++The following file types are defined for gpsd:
++
++
++.EX
++.PP
++.B gpsd_exec_t
++.EE
++
++- Set files with the gpsd_exec_t type, if you want to transition an executable to the gpsd_t domain.
++
++
++.EX
++.PP
++.B gpsd_initrc_exec_t
++.EE
++
++- Set files with the gpsd_initrc_exec_t type, if you want to transition an executable to the gpsd_initrc_t domain.
++
++
++.EX
++.PP
++.B gpsd_tmpfs_t
++.EE
++
++- Set files with the gpsd_tmpfs_t type, if you want to store gpsd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B gpsd_var_run_t
++.EE
++
++- Set files with the gpsd_var_run_t type, if you want to store the gpsd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux gpsd policy is very flexible allowing users to setup their gpsd processes in as secure a method as possible.
++.PP
++The following port types are defined for gpsd:
++
++.EX
++.TP 5
++.B gpsd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 2947
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type gpsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B chronyd_tmpfs_t
++
++
++.br
++.B gpsd_tmpfs_t
++
++
++.br
++.B gpsd_var_run_t
++
++ /var/run/gpsd\.pid
++.br
++ /var/run/gpsd\.sock
++.br
++
++.br
++.B ntpd_tmpfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the gpsd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), gpsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/greylist_milter_selinux.8 b/man/man8/greylist_milter_selinux.8
+new file mode 100644
+index 0000000..848aace
+--- /dev/null
++++ b/man/man8/greylist_milter_selinux.8
+@@ -0,0 +1,126 @@
++.TH "greylist_milter_selinux" "8" "12-11-01" "greylist_milter" "SELinux Policy documentation for greylist_milter"
++.SH "NAME"
++greylist_milter_selinux \- Security Enhanced Linux Policy for the greylist_milter processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the greylist_milter processes via flexible mandatory access control.
++
++The greylist_milter processes execute with the greylist_milter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep greylist_milter_t
++
++
++.SH "ENTRYPOINTS"
++
++The greylist_milter_t SELinux type can be entered via the "greylist_milter_exec_t" file type. The default entrypoint paths for the greylist_milter_t domain are the following:"
++
++/usr/sbin/sqlgrey, /usr/sbin/milter-greylist
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux greylist_milter policy is very flexible allowing users to setup their greylist_milter processes in as secure a method as possible.
++.PP
++The following process types are defined for greylist_milter:
++
++.EX
++.B greylist_milter_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux greylist_milter policy is very flexible allowing users to setup their greylist_milter processes in as secure a method as possible.
++.PP
++The following file types are defined for greylist_milter:
++
++
++.EX
++.PP
++.B greylist_milter_data_t
++.EE
++
++- Set files with the greylist_milter_data_t type, if you want to treat the files as greylist milter content.
++
++
++.EX
++.PP
++.B greylist_milter_exec_t
++.EE
++
++- Set files with the greylist_milter_exec_t type, if you want to transition an executable to the greylist_milter_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type greylist_milter_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B greylist_milter_data_t
++
++ /var/lib/sqlgrey(/.*)?
++.br
++ /var/lib/milter-greylist(/.*)?
++.br
++ /var/run/milter-greylist(/.*)?
++.br
++ /var/run/sqlgrey\.pid
++.br
++ /var/run/milter-greylist\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the greylist_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the greylist_milter_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), greylist_milter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/groupadd_selinux.8 b/man/man8/groupadd_selinux.8
+new file mode 100644
+index 0000000..929fc9a
+--- /dev/null
++++ b/man/man8/groupadd_selinux.8
+@@ -0,0 +1,176 @@
++.TH "groupadd_selinux" "8" "12-11-01" "groupadd" "SELinux Policy documentation for groupadd"
++.SH "NAME"
++groupadd_selinux \- Security Enhanced Linux Policy for the groupadd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the groupadd processes via flexible mandatory access control.
++
++The groupadd processes execute with the groupadd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep groupadd_t
++
++
++.SH "ENTRYPOINTS"
++
++The groupadd_t SELinux type can be entered via the "groupadd_exec_t" file type. The default entrypoint paths for the groupadd_t domain are the following:"
++
++/usr/bin/gpasswd, /usr/sbin/gpasswd, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/sbin/groupmod
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux groupadd policy is very flexible allowing users to setup their groupadd processes in as secure a method as possible.
++.PP
++The following process types are defined for groupadd:
++
++.EX
++.B groupadd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux groupadd policy is very flexible allowing users to setup their groupadd processes in as secure a method as possible.
++.PP
++The following file types are defined for groupadd:
++
++
++.EX
++.PP
++.B groupadd_exec_t
++.EE
++
++- Set files with the groupadd_exec_t type, if you want to transition an executable to the groupadd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type groupadd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B passwd_file_t
++
++ /etc/group[-\+]?
++.br
++ /etc/passwd[-\+]?
++.br
++ /etc/passwd\.adjunct.*
++.br
++ /etc/ptmptmp
++.br
++ /etc/\.pwd\.lock
++.br
++ /etc/group\.lock
++.br
++ /etc/passwd\.OLD
++.br
++ /etc/passwd\.lock
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B shadow_t
++
++ /etc/shadow.*
++.br
++ /etc/gshadow.*
++.br
++ /var/db/shadow.*
++.br
++ /etc/security/opasswd
++.br
++ /etc/security/opasswd\.old
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the groupadd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), groupadd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/groupd_selinux.8 b/man/man8/groupd_selinux.8
+new file mode 100644
+index 0000000..88f7928
+--- /dev/null
++++ b/man/man8/groupd_selinux.8
+@@ -0,0 +1,153 @@
++.TH "groupd_selinux" "8" "12-11-01" "groupd" "SELinux Policy documentation for groupd"
++.SH "NAME"
++groupd_selinux \- Security Enhanced Linux Policy for the groupd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the groupd processes via flexible mandatory access control.
++
++The groupd processes execute with the groupd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep groupd_t
++
++
++.SH "ENTRYPOINTS"
++
++The groupd_t SELinux type can be entered via the "groupd_exec_t" file type. The default entrypoint paths for the groupd_t domain are the following:"
++
++/usr/sbin/groupd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux groupd policy is very flexible allowing users to setup their groupd processes in as secure a method as possible.
++.PP
++The following process types are defined for groupd:
++
++.EX
++.B groupadd_t, groupd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux groupd policy is very flexible allowing users to setup their groupd processes in as secure a method as possible.
++.PP
++The following file types are defined for groupd:
++
++
++.EX
++.PP
++.B groupd_exec_t
++.EE
++
++- Set files with the groupd_exec_t type, if you want to transition an executable to the groupd_t domain.
++
++
++.EX
++.PP
++.B groupd_tmpfs_t
++.EE
++
++- Set files with the groupd_tmpfs_t type, if you want to store groupd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B groupd_var_log_t
++.EE
++
++- Set files with the groupd_var_log_t type, if you want to treat the data as groupd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B groupd_var_run_t
++.EE
++
++- Set files with the groupd_var_run_t type, if you want to store the groupd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type groupd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cluster_var_lib_t
++
++ /var/lib/cluster(/.*)?
++.br
++
++.br
++.B groupd_tmpfs_t
++
++
++.br
++.B groupd_var_log_t
++
++
++.br
++.B groupd_var_run_t
++
++ /var/run/groupd\.pid
++.br
++
++.br
++.B initrc_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the groupd_t, groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the groupd_t, groupadd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), groupd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, groupadd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/gssd_selinux.8 b/man/man8/gssd_selinux.8
+new file mode 100644
+index 0000000..071e84c
+--- /dev/null
++++ b/man/man8/gssd_selinux.8
+@@ -0,0 +1,204 @@
++.TH "gssd_selinux" "8" "12-11-01" "gssd" "SELinux Policy documentation for gssd"
++.SH "NAME"
++gssd_selinux \- Security Enhanced Linux Policy for the gssd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the gssd processes via flexible mandatory access control.
++
++The gssd processes execute with the gssd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep gssd_t
++
++
++.SH "ENTRYPOINTS"
++
++The gssd_t SELinux type can be entered via the "gssd_exec_t" file type. The default entrypoint paths for the gssd_t domain are the following:"
++
++/usr/sbin/rpc\.gssd, /usr/sbin/rpc\.svcgssd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux gssd policy is very flexible allowing users to setup their gssd processes in as secure a method as possible.
++.PP
++The following process types are defined for gssd:
++
++.EX
++.B gssd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. gssd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gssd with the tightest access possible.
++
++
++.PP
++If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean.
++
++.EX
++.B setsebool -P gssd_read_tmp 1
++.EE
++
++.PP
++If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean.
++
++.EX
++.B setsebool -P gssd_read_tmp 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux gssd policy is very flexible allowing users to setup their gssd processes in as secure a method as possible.
++.PP
++The following file types are defined for gssd:
++
++
++.EX
++.PP
++.B gssd_exec_t
++.EE
++
++- Set files with the gssd_exec_t type, if you want to transition an executable to the gssd_t domain.
++
++
++.EX
++.PP
++.B gssd_keytab_t
++.EE
++
++- Set files with the gssd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B gssd_tmp_t
++.EE
++
++- Set files with the gssd_tmp_t type, if you want to store gssd temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type gssd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B gssd_tmp_t
++
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.br
++.B var_lib_nfs_t
++
++ /var/lib/nfs(/.*)?
++.br
++
++.br
++.B xdm_tmp_t
++
++ /tmp/\.X11-unix(/.*)?
++.br
++ /tmp/\.ICE-unix(/.*)?
++.br
++ /tmp/\.X0-lock
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the gssd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), gssd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/guest_selinux.8 b/man/man8/guest_selinux.8
+new file mode 100644
+index 0000000..dc5e824
+--- /dev/null
++++ b/man/man8/guest_selinux.8
+@@ -0,0 +1,241 @@
++.TH "guest_selinux" "8" "guest" "mgrepl@redhat.com" "guest SELinux Policy documentation"
++.SH "NAME"
++guest_u \- \fBLeast privledge terminal user role\fP - Security Enhanced Linux Policy
++
++.SH DESCRIPTION
++
++\fBguest_u\fP is an SELinux User defined in the SELinux
++policy. SELinux users have default roles, \fBguest_r\fP. The
++default role has a default type, \fBguest_t\fP, associated with it.
++
++The SELinux user will usually login to a system with a context that looks like:
++
++.B guest_u:guest_r:guest_t:s0-s0:c0.c1023
++
++Linux users are automatically assigned an SELinux users at login.
++Login programs use the SELinux User to assign initial context to the user's shell.
++
++SELinux policy uses the context to control the user's access.
++
++By default all users are assigned to the SELinux user via the \fB__default__\fP flag
++
++On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
++
++You can list all Linux User to SELinux user mapping using:
++
++.B semanage login -l
++
++If you wanted to change the default user mapping to use the guest_u user, you would execute:
++
++.B semanage login -m -s guest_u __default__
++
++
++If you want to map the one Linux user (joe) to the SELinux user guest, you would execute:
++
++.B $ semanage login -a -s guest_u joe
++
++
++.SH USER DESCRIPTION
++
++The SELinux user guest_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
++
++.SH SUDO
++
++.SH X WINDOWS LOGIN
++
++The SELinux user guest_u is not able to X Windows login.
++
++.SH NETWORK
++
++.TP
++The SELinux user guest_u is able to connect to the following tcp ports.
++
++.B dns_port_t: 53
++
++.B ocsp_port_t: 9080
++
++.B kerberos_port_t: 88,750,4444
++
++.TP
++The SELinux user guest_u is able to connect to the following tcp ports.
++
++.B dns_port_t: 53
++
++.B ocsp_port_t: 9080
++
++.B kerberos_port_t: 88,750,4444
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. guest policy is extremely flexible and has several booleans that allow you to manipulate the policy and run guest with the tightest access possible.
++
++
++.PP
++If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
++
++.EX
++.B setsebool -P xguest_mount_media 1
++.EE
++
++.PP
++If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean.
++
++.EX
++.B setsebool -P xguest_connect_network 1
++.EE
++
++.PP
++If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
++
++.EX
++.B setsebool -P xguest_use_bluetooth 1
++.EE
++
++.PP
++If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
++
++.EX
++.B setsebool -P xguest_mount_media 1
++.EE
++
++.PP
++If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean.
++
++.EX
++.B setsebool -P xguest_connect_network 1
++.EE
++
++.PP
++If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
++
++.EX
++.B setsebool -P xguest_use_bluetooth 1
++.EE
++
++.SH HOME_EXEC
++
++The SELinux user guest_u is able execute home content files.
++
++.SH TRANSITIONS
++
++Three things can happen when guest_t attempts to execute a program.
++
++\fB1.\fP SELinux Policy can deny guest_t from executing the program.
++
++.TP
++
++\fB2.\fP SELinux Policy can allow guest_t to execute the program in the current user type.
++
++Execute the following to see the types that the SELinux user guest_t can execute without transitioning:
++
++.B search -A -s guest_t -c file -p execute_no_trans
++
++.TP
++
++\fB3.\fP SELinux can allow guest_t to execute the program and transition to a new type.
++
++Execute the following to see the types that the SELinux user guest_t can execute and transition:
++
++.B $ search -A -s guest_t -c process -p transition
++
++
++.SH "MANAGED FILES"
++
++The SELinux process type guest_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B httpd_user_content_t
++
++ /home/[^/]*/((www)|(web)|(public_html))(/.+)?
++.br
++ /home/dwalsh/((www)|(web)|(public_html))(/.+)?
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)?
++.br
++
++.br
++.B httpd_user_htaccess_t
++
++ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++
++.br
++.B httpd_user_ra_content_t
++
++ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++
++.br
++.B httpd_user_rw_content_t
++
++
++.br
++.B httpd_user_script_exec_t
++
++ /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++ /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++
++.br
++.B user_home_type
++
++ all user home files
++.br
++
++.br
++.B user_tmp_type
++
++ all user tmp files
++.br
++
++.br
++.B user_tmpfs_type
++
++ all user content in tmpfs file systems
++.br
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), guest(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/hddtemp_selinux.8 b/man/man8/hddtemp_selinux.8
+new file mode 100644
+index 0000000..3f4d9a5
+--- /dev/null
++++ b/man/man8/hddtemp_selinux.8
+@@ -0,0 +1,128 @@
++.TH "hddtemp_selinux" "8" "12-11-01" "hddtemp" "SELinux Policy documentation for hddtemp"
++.SH "NAME"
++hddtemp_selinux \- Security Enhanced Linux Policy for the hddtemp processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the hddtemp processes via flexible mandatory access control.
++
++The hddtemp processes execute with the hddtemp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep hddtemp_t
++
++
++.SH "ENTRYPOINTS"
++
++The hddtemp_t SELinux type can be entered via the "hddtemp_exec_t" file type. The default entrypoint paths for the hddtemp_t domain are the following:"
++
++/usr/sbin/hddtemp
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux hddtemp policy is very flexible allowing users to setup their hddtemp processes in as secure a method as possible.
++.PP
++The following process types are defined for hddtemp:
++
++.EX
++.B hddtemp_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux hddtemp policy is very flexible allowing users to setup their hddtemp processes in as secure a method as possible.
++.PP
++The following file types are defined for hddtemp:
++
++
++.EX
++.PP
++.B hddtemp_etc_t
++.EE
++
++- Set files with the hddtemp_etc_t type, if you want to store hddtemp files in the /etc directories.
++
++
++.EX
++.PP
++.B hddtemp_exec_t
++.EE
++
++- Set files with the hddtemp_exec_t type, if you want to transition an executable to the hddtemp_t domain.
++
++
++.EX
++.PP
++.B hddtemp_initrc_exec_t
++.EE
++
++- Set files with the hddtemp_initrc_exec_t type, if you want to transition an executable to the hddtemp_initrc_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux hddtemp policy is very flexible allowing users to setup their hddtemp processes in as secure a method as possible.
++.PP
++The following port types are defined for hddtemp:
++
++.EX
++.TP 5
++.B hddtemp_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 7634
++.EE
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), hddtemp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/hostname_selinux.8 b/man/man8/hostname_selinux.8
+new file mode 100644
+index 0000000..5de0695
+--- /dev/null
++++ b/man/man8/hostname_selinux.8
+@@ -0,0 +1,86 @@
++.TH "hostname_selinux" "8" "12-11-01" "hostname" "SELinux Policy documentation for hostname"
++.SH "NAME"
++hostname_selinux \- Security Enhanced Linux Policy for the hostname processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the hostname processes via flexible mandatory access control.
++
++The hostname processes execute with the hostname_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep hostname_t
++
++
++.SH "ENTRYPOINTS"
++
++The hostname_t SELinux type can be entered via the "hostname_exec_t" file type. The default entrypoint paths for the hostname_t domain are the following:"
++
++/bin/hostname, /usr/bin/hostname
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux hostname policy is very flexible allowing users to setup their hostname processes in as secure a method as possible.
++.PP
++The following process types are defined for hostname:
++
++.EX
++.B hostname_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux hostname policy is very flexible allowing users to setup their hostname processes in as secure a method as possible.
++.PP
++The following file types are defined for hostname:
++
++
++.EX
++.PP
++.B hostname_exec_t
++.EE
++
++- Set files with the hostname_exec_t type, if you want to transition an executable to the hostname_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), hostname(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/hplip_selinux.8 b/man/man8/hplip_selinux.8
+new file mode 100644
+index 0000000..d23889a
+--- /dev/null
++++ b/man/man8/hplip_selinux.8
+@@ -0,0 +1,198 @@
++.TH "hplip_selinux" "8" "12-11-01" "hplip" "SELinux Policy documentation for hplip"
++.SH "NAME"
++hplip_selinux \- Security Enhanced Linux Policy for the hplip processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the hplip processes via flexible mandatory access control.
++
++The hplip processes execute with the hplip_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep hplip_t
++
++
++.SH "ENTRYPOINTS"
++
++The hplip_t SELinux type can be entered via the "hplip_exec_t" file type. The default entrypoint paths for the hplip_t domain are the following:"
++
++/usr/sbin/hp-[^/]+, /usr/share/hplip/.*\.py, /usr/lib/cups/backend/hp.*, /usr/bin/hpijs, /usr/sbin/hpiod
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux hplip policy is very flexible allowing users to setup their hplip processes in as secure a method as possible.
++.PP
++The following process types are defined for hplip:
++
++.EX
++.B hplip_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux hplip policy is very flexible allowing users to setup their hplip processes in as secure a method as possible.
++.PP
++The following file types are defined for hplip:
++
++
++.EX
++.PP
++.B hplip_etc_t
++.EE
++
++- Set files with the hplip_etc_t type, if you want to store hplip files in the /etc directories.
++
++
++.EX
++.PP
++.B hplip_exec_t
++.EE
++
++- Set files with the hplip_exec_t type, if you want to transition an executable to the hplip_t domain.
++
++
++.EX
++.PP
++.B hplip_tmp_t
++.EE
++
++- Set files with the hplip_tmp_t type, if you want to store hplip temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B hplip_var_lib_t
++.EE
++
++- Set files with the hplip_var_lib_t type, if you want to store the hplip files under the /var/lib directory.
++
++
++.EX
++.PP
++.B hplip_var_log_t
++.EE
++
++- Set files with the hplip_var_log_t type, if you want to treat the data as hplip var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B hplip_var_run_t
++.EE
++
++- Set files with the hplip_var_run_t type, if you want to store the hplip files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux hplip policy is very flexible allowing users to setup their hplip processes in as secure a method as possible.
++.PP
++The following port types are defined for hplip:
++
++.EX
++.TP 5
++.B hplip_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 1782,2207,2208,8290,50000,50002,8292,9100,9101,9102,9220,9221,9222,9280,9281,9282,9290,9291
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type hplip_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B cupsd_tmp_t
++
++
++.br
++.B hplip_var_lib_t
++
++ /var/lib/hp(/.*)?
++.br
++
++.br
++.B hplip_var_log_t
++
++ /var/log/hp(/.*)?
++.br
++
++.br
++.B hplip_var_run_t
++
++ /var/run/hp.*\.pid
++.br
++ /var/run/hp.*\.port
++.br
++
++.br
++.B print_spool_t
++
++ /var/spool/lpd(/.*)?
++.br
++ /var/spool/cups(/.*)?
++.br
++ /var/spool/cups-pdf(/.*)?
++.br
++
++.br
++.B usbfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), hplip(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/httpd_apcupsd_cgi_script_selinux.8 b/man/man8/httpd_apcupsd_cgi_script_selinux.8
+new file mode 100644
+index 0000000..b70ebe0
+--- /dev/null
++++ b/man/man8/httpd_apcupsd_cgi_script_selinux.8
+@@ -0,0 +1,95 @@
++.TH "httpd_apcupsd_cgi_script_selinux" "8" "12-11-01" "httpd_apcupsd_cgi_script" "SELinux Policy documentation for httpd_apcupsd_cgi_script"
++.SH "NAME"
++httpd_apcupsd_cgi_script_selinux \- Security Enhanced Linux Policy for the httpd_apcupsd_cgi_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_apcupsd_cgi_script processes via flexible mandatory access control.
++
++The httpd_apcupsd_cgi_script processes execute with the httpd_apcupsd_cgi_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_apcupsd_cgi_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_apcupsd_cgi_script_t SELinux type can be entered via the "shell_exec_t,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_exec_t" file types. The default entrypoint paths for the httpd_apcupsd_cgi_script_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/cgi-bin/apcgui(/.*)?, /var/www/apcupsd/multimon\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsfstats\.cgi, /var/www/cgi-bin/apcgui(/.*)?, /var/www/apcupsd/multimon\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsfstats\.cgi
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_apcupsd_cgi_script policy is very flexible allowing users to setup their httpd_apcupsd_cgi_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_apcupsd_cgi_script:
++
++.EX
++.B httpd_apcupsd_cgi_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_apcupsd_cgi_script policy is very flexible allowing users to setup their httpd_apcupsd_cgi_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_apcupsd_cgi_script:
++
++
++.EX
++.PP
++.B httpd_apcupsd_cgi_script_exec_t
++.EE
++
++- Set files with the httpd_apcupsd_cgi_script_exec_t type, if you want to transition an executable to the httpd_apcupsd_cgi_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_apcupsd_cgi_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_apcupsd_cgi_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_apcupsd_cgi_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_awstats_script_selinux.8 b/man/man8/httpd_awstats_script_selinux.8
+new file mode 100644
+index 0000000..d03827d
+--- /dev/null
++++ b/man/man8/httpd_awstats_script_selinux.8
+@@ -0,0 +1,99 @@
++.TH "httpd_awstats_script_selinux" "8" "12-11-01" "httpd_awstats_script" "SELinux Policy documentation for httpd_awstats_script"
++.SH "NAME"
++httpd_awstats_script_selinux \- Security Enhanced Linux Policy for the httpd_awstats_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_awstats_script processes via flexible mandatory access control.
++
++The httpd_awstats_script processes execute with the httpd_awstats_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_awstats_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_awstats_script_t SELinux type can be entered via the "shell_exec_t,httpd_awstats_script_exec_t,httpd_awstats_script_exec_t" file types. The default entrypoint paths for the httpd_awstats_script_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/awstats/wwwroot/cgi-bin(/.*)?, /usr/share/awstats/wwwroot/cgi-bin(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_awstats_script policy is very flexible allowing users to setup their httpd_awstats_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_awstats_script:
++
++.EX
++.B httpd_awstats_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_awstats_script policy is very flexible allowing users to setup their httpd_awstats_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_awstats_script:
++
++
++.EX
++.PP
++.B httpd_awstats_script_exec_t
++.EE
++
++- Set files with the httpd_awstats_script_exec_t type, if you want to transition an executable to the httpd_awstats_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_awstats_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B awstats_tmp_t
++
++
++.br
++.B httpd_awstats_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_awstats_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_bugzilla_script_selinux.8 b/man/man8/httpd_bugzilla_script_selinux.8
+new file mode 100644
+index 0000000..84e7a1b
+--- /dev/null
++++ b/man/man8/httpd_bugzilla_script_selinux.8
+@@ -0,0 +1,101 @@
++.TH "httpd_bugzilla_script_selinux" "8" "12-11-01" "httpd_bugzilla_script" "SELinux Policy documentation for httpd_bugzilla_script"
++.SH "NAME"
++httpd_bugzilla_script_selinux \- Security Enhanced Linux Policy for the httpd_bugzilla_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_bugzilla_script processes via flexible mandatory access control.
++
++The httpd_bugzilla_script processes execute with the httpd_bugzilla_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_bugzilla_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_bugzilla_script_t SELinux type can be entered via the "httpd_bugzilla_script_exec_t,shell_exec_t,httpd_bugzilla_script_exec_t" file types. The default entrypoint paths for the httpd_bugzilla_script_t domain are the following:"
++
++/usr/share/bugzilla(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/bugzilla(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_bugzilla_script policy is very flexible allowing users to setup their httpd_bugzilla_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_bugzilla_script:
++
++.EX
++.B httpd_bugzilla_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_bugzilla_script policy is very flexible allowing users to setup their httpd_bugzilla_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_bugzilla_script:
++
++
++.EX
++.PP
++.B httpd_bugzilla_script_exec_t
++.EE
++
++- Set files with the httpd_bugzilla_script_exec_t type, if you want to transition an executable to the httpd_bugzilla_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_bugzilla_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_bugzilla_rw_content_t
++
++ /var/lib/bugzilla(/.*)?
++.br
++
++.br
++.B httpd_bugzilla_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_bugzilla_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_cobbler_script_selinux.8 b/man/man8/httpd_cobbler_script_selinux.8
+new file mode 100644
+index 0000000..9a182d6
+--- /dev/null
++++ b/man/man8/httpd_cobbler_script_selinux.8
+@@ -0,0 +1,95 @@
++.TH "httpd_cobbler_script_selinux" "8" "12-11-01" "httpd_cobbler_script" "SELinux Policy documentation for httpd_cobbler_script"
++.SH "NAME"
++httpd_cobbler_script_selinux \- Security Enhanced Linux Policy for the httpd_cobbler_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_cobbler_script processes via flexible mandatory access control.
++
++The httpd_cobbler_script processes execute with the httpd_cobbler_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_cobbler_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_cobbler_script_t SELinux type can be entered via the "httpd_cobbler_script_exec_t,shell_exec_t,httpd_cobbler_script_exec_t" file types. The default entrypoint paths for the httpd_cobbler_script_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_cobbler_script policy is very flexible allowing users to setup their httpd_cobbler_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_cobbler_script:
++
++.EX
++.B httpd_cobbler_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_cobbler_script policy is very flexible allowing users to setup their httpd_cobbler_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_cobbler_script:
++
++
++.EX
++.PP
++.B httpd_cobbler_script_exec_t
++.EE
++
++- Set files with the httpd_cobbler_script_exec_t type, if you want to transition an executable to the httpd_cobbler_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_cobbler_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_cobbler_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_cobbler_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_collectd_script_selinux.8 b/man/man8/httpd_collectd_script_selinux.8
+new file mode 100644
+index 0000000..8b345d1
+--- /dev/null
++++ b/man/man8/httpd_collectd_script_selinux.8
+@@ -0,0 +1,95 @@
++.TH "httpd_collectd_script_selinux" "8" "12-11-01" "httpd_collectd_script" "SELinux Policy documentation for httpd_collectd_script"
++.SH "NAME"
++httpd_collectd_script_selinux \- Security Enhanced Linux Policy for the httpd_collectd_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_collectd_script processes via flexible mandatory access control.
++
++The httpd_collectd_script processes execute with the httpd_collectd_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_collectd_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_collectd_script_t SELinux type can be entered via the "shell_exec_t,httpd_collectd_script_exec_t,httpd_collectd_script_exec_t" file types. The default entrypoint paths for the httpd_collectd_script_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/collectd/collection3/bin/.*\.cgi, /usr/share/collectd/collection3/bin/.*\.cgi
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_collectd_script policy is very flexible allowing users to setup their httpd_collectd_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_collectd_script:
++
++.EX
++.B httpd_collectd_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_collectd_script policy is very flexible allowing users to setup their httpd_collectd_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_collectd_script:
++
++
++.EX
++.PP
++.B httpd_collectd_script_exec_t
++.EE
++
++- Set files with the httpd_collectd_script_exec_t type, if you want to transition an executable to the httpd_collectd_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_collectd_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_collectd_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_collectd_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_cvs_script_selinux.8 b/man/man8/httpd_cvs_script_selinux.8
+new file mode 100644
+index 0000000..4c09121
+--- /dev/null
++++ b/man/man8/httpd_cvs_script_selinux.8
+@@ -0,0 +1,99 @@
++.TH "httpd_cvs_script_selinux" "8" "12-11-01" "httpd_cvs_script" "SELinux Policy documentation for httpd_cvs_script"
++.SH "NAME"
++httpd_cvs_script_selinux \- Security Enhanced Linux Policy for the httpd_cvs_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_cvs_script processes via flexible mandatory access control.
++
++The httpd_cvs_script processes execute with the httpd_cvs_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_cvs_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_cvs_script_t SELinux type can be entered via the "shell_exec_t,httpd_cvs_script_exec_t,httpd_cvs_script_exec_t" file types. The default entrypoint paths for the httpd_cvs_script_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/cgi-bin/cvsweb\.cgi, /usr/share/cvsweb/cvsweb\.cgi, /var/www/cgi-bin/cvsweb\.cgi, /usr/share/cvsweb/cvsweb\.cgi
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_cvs_script policy is very flexible allowing users to setup their httpd_cvs_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_cvs_script:
++
++.EX
++.B httpd_cvs_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_cvs_script policy is very flexible allowing users to setup their httpd_cvs_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_cvs_script:
++
++
++.EX
++.PP
++.B httpd_cvs_script_exec_t
++.EE
++
++- Set files with the httpd_cvs_script_exec_t type, if you want to transition an executable to the httpd_cvs_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_cvs_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cvs_tmp_t
++
++
++.br
++.B httpd_cvs_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_cvs_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_dirsrvadmin_script_selinux.8 b/man/man8/httpd_dirsrvadmin_script_selinux.8
+new file mode 100644
+index 0000000..8523dac
+--- /dev/null
++++ b/man/man8/httpd_dirsrvadmin_script_selinux.8
+@@ -0,0 +1,137 @@
++.TH "httpd_dirsrvadmin_script_selinux" "8" "12-11-01" "httpd_dirsrvadmin_script" "SELinux Policy documentation for httpd_dirsrvadmin_script"
++.SH "NAME"
++httpd_dirsrvadmin_script_selinux \- Security Enhanced Linux Policy for the httpd_dirsrvadmin_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_dirsrvadmin_script processes via flexible mandatory access control.
++
++The httpd_dirsrvadmin_script processes execute with the httpd_dirsrvadmin_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_dirsrvadmin_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_dirsrvadmin_script_t SELinux type can be entered via the "httpd_dirsrvadmin_script_exec_t,shell_exec_t,httpd_dirsrvadmin_script_exec_t" file types. The default entrypoint paths for the httpd_dirsrvadmin_script_t domain are the following:"
++
++/usr/lib/dirsrv/cgi-bin(/.*)?, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/dirsrv/cgi-bin(/.*)?, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_dirsrvadmin_script policy is very flexible allowing users to setup their httpd_dirsrvadmin_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_dirsrvadmin_script:
++
++.EX
++.B httpd_dirsrvadmin_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_dirsrvadmin_script policy is very flexible allowing users to setup their httpd_dirsrvadmin_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_dirsrvadmin_script:
++
++
++.EX
++.PP
++.B httpd_dirsrvadmin_script_exec_t
++.EE
++
++- Set files with the httpd_dirsrvadmin_script_exec_t type, if you want to transition an executable to the httpd_dirsrvadmin_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_dirsrvadmin_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dirsrv_config_t
++
++ /etc/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrv_var_lib_t
++
++ /var/lib/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrv_var_log_t
++
++ /var/log/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrv_var_run_t
++
++ /var/run/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrvadmin_config_t
++
++ /etc/dirsrv/dsgw(/.*)?
++.br
++ /etc/dirsrv/admin-serv(/.*)?
++.br
++
++.br
++.B dirsrvadmin_lock_t
++
++ /var/lock/subsys/dirsrv
++.br
++
++.br
++.B dirsrvadmin_tmp_t
++
++
++.br
++.B httpd_dirsrvadmin_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_dirsrvadmin_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_dspam_script_selinux.8 b/man/man8/httpd_dspam_script_selinux.8
+new file mode 100644
+index 0000000..09ee1ed
+--- /dev/null
++++ b/man/man8/httpd_dspam_script_selinux.8
+@@ -0,0 +1,95 @@
++.TH "httpd_dspam_script_selinux" "8" "12-11-01" "httpd_dspam_script" "SELinux Policy documentation for httpd_dspam_script"
++.SH "NAME"
++httpd_dspam_script_selinux \- Security Enhanced Linux Policy for the httpd_dspam_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_dspam_script processes via flexible mandatory access control.
++
++The httpd_dspam_script processes execute with the httpd_dspam_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_dspam_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_dspam_script_t SELinux type can be entered via the "httpd_dspam_script_exec_t,shell_exec_t,httpd_dspam_script_exec_t" file types. The default entrypoint paths for the httpd_dspam_script_t domain are the following:"
++
++/usr/share/dspam-web/dspam\.cgi, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/dspam-web/dspam\.cgi
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_dspam_script policy is very flexible allowing users to setup their httpd_dspam_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_dspam_script:
++
++.EX
++.B httpd_dspam_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_dspam_script policy is very flexible allowing users to setup their httpd_dspam_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_dspam_script:
++
++
++.EX
++.PP
++.B httpd_dspam_script_exec_t
++.EE
++
++- Set files with the httpd_dspam_script_exec_t type, if you want to transition an executable to the httpd_dspam_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_dspam_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_dspam_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_dspam_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_git_script_selinux.8 b/man/man8/httpd_git_script_selinux.8
+new file mode 100644
+index 0000000..3518b85
+--- /dev/null
++++ b/man/man8/httpd_git_script_selinux.8
+@@ -0,0 +1,113 @@
++.TH "httpd_git_script_selinux" "8" "12-11-01" "httpd_git_script" "SELinux Policy documentation for httpd_git_script"
++.SH "NAME"
++httpd_git_script_selinux \- Security Enhanced Linux Policy for the httpd_git_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_git_script processes via flexible mandatory access control.
++
++The httpd_git_script processes execute with the httpd_git_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_git_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_git_script_t SELinux type can be entered via the "shell_exec_t,httpd_git_script_exec_t,httpd_git_script_exec_t" file types. The default entrypoint paths for the httpd_git_script_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/cgi-bin/cgit, /var/www/git/gitweb\.cgi, /var/www/gitweb-caching/gitweb\.cgi, /var/www/cgi-bin/cgit, /var/www/git/gitweb\.cgi, /var/www/gitweb-caching/gitweb\.cgi
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_git_script policy is very flexible allowing users to setup their httpd_git_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_git_script:
++
++.EX
++.B httpd_git_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_git_script policy is very flexible allowing users to setup their httpd_git_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_git_script:
++
++
++.EX
++.PP
++.B httpd_git_script_exec_t
++.EE
++
++- Set files with the httpd_git_script_exec_t type, if you want to transition an executable to the httpd_git_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_git_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_git_rw_content_t
++
++ /var/cache/cgit(/.*)?
++.br
++ /var/cache/gitweb-caching(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_git_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the httpd_git_script_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_git_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_helper_selinux.8 b/man/man8/httpd_helper_selinux.8
+new file mode 100644
+index 0000000..3f124b1
+--- /dev/null
++++ b/man/man8/httpd_helper_selinux.8
+@@ -0,0 +1,87 @@
++.TH "httpd_helper_selinux" "8" "12-11-01" "httpd_helper" "SELinux Policy documentation for httpd_helper"
++.SH "NAME"
++httpd_helper_selinux \- Security Enhanced Linux Policy for the httpd_helper processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_helper processes via flexible mandatory access control.
++
++The httpd_helper processes execute with the httpd_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_helper_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_helper_t SELinux type can be entered via the "httpd_helper_exec_t" file type. The default entrypoint paths for the httpd_helper_t domain are the following:"
++
++/usr/bin/htsslpass
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_helper policy is very flexible allowing users to setup their httpd_helper processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_helper:
++
++.EX
++.B httpd_helper_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_helper policy is very flexible allowing users to setup their httpd_helper processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_helper:
++
++
++.EX
++.PP
++.B httpd_helper_exec_t
++.EE
++
++- Set files with the httpd_helper_exec_t type, if you want to transition an executable to the httpd_helper_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_man2html_script_selinux.8 b/man/man8/httpd_man2html_script_selinux.8
+new file mode 100644
+index 0000000..e3292a9
+--- /dev/null
++++ b/man/man8/httpd_man2html_script_selinux.8
+@@ -0,0 +1,109 @@
++.TH "httpd_man2html_script_selinux" "8" "12-11-01" "httpd_man2html_script" "SELinux Policy documentation for httpd_man2html_script"
++.SH "NAME"
++httpd_man2html_script_selinux \- Security Enhanced Linux Policy for the httpd_man2html_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_man2html_script processes via flexible mandatory access control.
++
++The httpd_man2html_script processes execute with the httpd_man2html_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_man2html_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_man2html_script_t SELinux type can be entered via the "shell_exec_t,httpd_man2html_script_exec_t,httpd_man2html_script_exec_t" file types. The default entrypoint paths for the httpd_man2html_script_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/man2html/cgi-bin/man/mansec, /usr/lib/man2html/cgi-bin/man/man2html, /usr/lib/man2html/cgi-bin/man/manwhatis, /usr/lib/man2html/cgi-bin/man/mansec, /usr/lib/man2html/cgi-bin/man/man2html, /usr/lib/man2html/cgi-bin/man/manwhatis
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_man2html_script policy is very flexible allowing users to setup their httpd_man2html_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_man2html_script:
++
++.EX
++.B httpd_man2html_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_man2html_script policy is very flexible allowing users to setup their httpd_man2html_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_man2html_script:
++
++
++.EX
++.PP
++.B httpd_man2html_script_cache_t
++.EE
++
++- Set files with the httpd_man2html_script_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B httpd_man2html_script_exec_t
++.EE
++
++- Set files with the httpd_man2html_script_exec_t type, if you want to transition an executable to the httpd_man2html_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_man2html_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_man2html_rw_content_t
++
++
++.br
++.B httpd_man2html_script_cache_t
++
++ /var/cache/man2html(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_man2html_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_mediawiki_script_selinux.8 b/man/man8/httpd_mediawiki_script_selinux.8
+new file mode 100644
+index 0000000..eaf2b98
+--- /dev/null
++++ b/man/man8/httpd_mediawiki_script_selinux.8
+@@ -0,0 +1,97 @@
++.TH "httpd_mediawiki_script_selinux" "8" "12-11-01" "httpd_mediawiki_script" "SELinux Policy documentation for httpd_mediawiki_script"
++.SH "NAME"
++httpd_mediawiki_script_selinux \- Security Enhanced Linux Policy for the httpd_mediawiki_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_mediawiki_script processes via flexible mandatory access control.
++
++The httpd_mediawiki_script processes execute with the httpd_mediawiki_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_mediawiki_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_mediawiki_script_t SELinux type can be entered via the "httpd_mediawiki_script_exec_t,shell_exec_t,httpd_mediawiki_script_exec_t" file types. The default entrypoint paths for the httpd_mediawiki_script_t domain are the following:"
++
++/usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc_tes, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc_tes
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_mediawiki_script policy is very flexible allowing users to setup their httpd_mediawiki_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_mediawiki_script:
++
++.EX
++.B httpd_mediawiki_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_mediawiki_script policy is very flexible allowing users to setup their httpd_mediawiki_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_mediawiki_script:
++
++
++.EX
++.PP
++.B httpd_mediawiki_script_exec_t
++.EE
++
++- Set files with the httpd_mediawiki_script_exec_t type, if you want to transition an executable to the httpd_mediawiki_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_mediawiki_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_mediawiki_rw_content_t
++
++ /var/www/wiki(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_mediawiki_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_mojomojo_script_selinux.8 b/man/man8/httpd_mojomojo_script_selinux.8
+new file mode 100644
+index 0000000..8ff95bf
+--- /dev/null
++++ b/man/man8/httpd_mojomojo_script_selinux.8
+@@ -0,0 +1,101 @@
++.TH "httpd_mojomojo_script_selinux" "8" "12-11-01" "httpd_mojomojo_script" "SELinux Policy documentation for httpd_mojomojo_script"
++.SH "NAME"
++httpd_mojomojo_script_selinux \- Security Enhanced Linux Policy for the httpd_mojomojo_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_mojomojo_script processes via flexible mandatory access control.
++
++The httpd_mojomojo_script processes execute with the httpd_mojomojo_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_mojomojo_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_mojomojo_script_t SELinux type can be entered via the "httpd_mojomojo_script_exec_t,shell_exec_t,httpd_mojomojo_script_exec_t" file types. The default entrypoint paths for the httpd_mojomojo_script_t domain are the following:"
++
++/usr/bin/mojomojo_fastcgi\.pl, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/bin/mojomojo_fastcgi\.pl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_mojomojo_script policy is very flexible allowing users to setup their httpd_mojomojo_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_mojomojo_script:
++
++.EX
++.B httpd_mojomojo_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_mojomojo_script policy is very flexible allowing users to setup their httpd_mojomojo_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_mojomojo_script:
++
++
++.EX
++.PP
++.B httpd_mojomojo_script_exec_t
++.EE
++
++- Set files with the httpd_mojomojo_script_exec_t type, if you want to transition an executable to the httpd_mojomojo_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_mojomojo_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_mojomojo_rw_content_t
++
++ /var/lib/mojomojo(/.*)?
++.br
++
++.br
++.B httpd_mojomojo_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_mojomojo_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_munin_script_selinux.8 b/man/man8/httpd_munin_script_selinux.8
+new file mode 100644
+index 0000000..df7ae1a
+--- /dev/null
++++ b/man/man8/httpd_munin_script_selinux.8
+@@ -0,0 +1,95 @@
++.TH "httpd_munin_script_selinux" "8" "12-11-01" "httpd_munin_script" "SELinux Policy documentation for httpd_munin_script"
++.SH "NAME"
++httpd_munin_script_selinux \- Security Enhanced Linux Policy for the httpd_munin_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_munin_script processes via flexible mandatory access control.
++
++The httpd_munin_script processes execute with the httpd_munin_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_munin_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_munin_script_t SELinux type can be entered via the "httpd_munin_script_exec_t,shell_exec_t,httpd_munin_script_exec_t" file types. The default entrypoint paths for the httpd_munin_script_t domain are the following:"
++
++/var/www/html/munin/cgi(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/html/munin/cgi(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_munin_script policy is very flexible allowing users to setup their httpd_munin_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_munin_script:
++
++.EX
++.B httpd_munin_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_munin_script policy is very flexible allowing users to setup their httpd_munin_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_munin_script:
++
++
++.EX
++.PP
++.B httpd_munin_script_exec_t
++.EE
++
++- Set files with the httpd_munin_script_exec_t type, if you want to transition an executable to the httpd_munin_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_munin_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_munin_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_munin_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_nagios_script_selinux.8 b/man/man8/httpd_nagios_script_selinux.8
+new file mode 100644
+index 0000000..8bdd9ee
+--- /dev/null
++++ b/man/man8/httpd_nagios_script_selinux.8
+@@ -0,0 +1,95 @@
++.TH "httpd_nagios_script_selinux" "8" "12-11-01" "httpd_nagios_script" "SELinux Policy documentation for httpd_nagios_script"
++.SH "NAME"
++httpd_nagios_script_selinux \- Security Enhanced Linux Policy for the httpd_nagios_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_nagios_script processes via flexible mandatory access control.
++
++The httpd_nagios_script processes execute with the httpd_nagios_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_nagios_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_nagios_script_t SELinux type can be entered via the "httpd_nagios_script_exec_t,shell_exec_t,httpd_nagios_script_exec_t" file types. The default entrypoint paths for the httpd_nagios_script_t domain are the following:"
++
++/usr/lib/nagios/cgi(/.*)?, /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?, /usr/lib/cgi-bin/netsaint(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/nagios/cgi(/.*)?, /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?, /usr/lib/cgi-bin/netsaint(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_nagios_script policy is very flexible allowing users to setup their httpd_nagios_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_nagios_script:
++
++.EX
++.B httpd_nagios_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_nagios_script policy is very flexible allowing users to setup their httpd_nagios_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_nagios_script:
++
++
++.EX
++.PP
++.B httpd_nagios_script_exec_t
++.EE
++
++- Set files with the httpd_nagios_script_exec_t type, if you want to transition an executable to the httpd_nagios_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_nagios_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_nagios_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_nagios_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_nutups_cgi_script_selinux.8 b/man/man8/httpd_nutups_cgi_script_selinux.8
+new file mode 100644
+index 0000000..6f120e5
+--- /dev/null
++++ b/man/man8/httpd_nutups_cgi_script_selinux.8
+@@ -0,0 +1,95 @@
++.TH "httpd_nutups_cgi_script_selinux" "8" "12-11-01" "httpd_nutups_cgi_script" "SELinux Policy documentation for httpd_nutups_cgi_script"
++.SH "NAME"
++httpd_nutups_cgi_script_selinux \- Security Enhanced Linux Policy for the httpd_nutups_cgi_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_nutups_cgi_script processes via flexible mandatory access control.
++
++The httpd_nutups_cgi_script processes execute with the httpd_nutups_cgi_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_nutups_cgi_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_nutups_cgi_script_t SELinux type can be entered via the "shell_exec_t,httpd_nutups_cgi_script_exec_t,httpd_nutups_cgi_script_exec_t" file types. The default entrypoint paths for the httpd_nutups_cgi_script_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/nut-cgi-bin/upsset\.cgi, /var/www/nut-cgi-bin/upsimage\.cgi, /var/www/nut-cgi-bin/upsstats\.cgi, /var/www/nut-cgi-bin/upsset\.cgi, /var/www/nut-cgi-bin/upsimage\.cgi, /var/www/nut-cgi-bin/upsstats\.cgi
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_nutups_cgi_script policy is very flexible allowing users to setup their httpd_nutups_cgi_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_nutups_cgi_script:
++
++.EX
++.B httpd_nutups_cgi_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_nutups_cgi_script policy is very flexible allowing users to setup their httpd_nutups_cgi_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_nutups_cgi_script:
++
++
++.EX
++.PP
++.B httpd_nutups_cgi_script_exec_t
++.EE
++
++- Set files with the httpd_nutups_cgi_script_exec_t type, if you want to transition an executable to the httpd_nutups_cgi_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_nutups_cgi_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_nutups_cgi_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_nutups_cgi_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_openshift_script_selinux.8 b/man/man8/httpd_openshift_script_selinux.8
+new file mode 100644
+index 0000000..e19d72d
+--- /dev/null
++++ b/man/man8/httpd_openshift_script_selinux.8
+@@ -0,0 +1,95 @@
++.TH "httpd_openshift_script_selinux" "8" "12-11-01" "httpd_openshift_script" "SELinux Policy documentation for httpd_openshift_script"
++.SH "NAME"
++httpd_openshift_script_selinux \- Security Enhanced Linux Policy for the httpd_openshift_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_openshift_script processes via flexible mandatory access control.
++
++The httpd_openshift_script processes execute with the httpd_openshift_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_openshift_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_openshift_script_t SELinux type can be entered via the "httpd_openshift_script_exec_t,shell_exec_t,httpd_openshift_script_exec_t" file types. The default entrypoint paths for the httpd_openshift_script_t domain are the following:"
++
++/usr/bin/(oo|rhc)-restorer-wrapper.sh, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/bin/(oo|rhc)-restorer-wrapper.sh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_openshift_script policy is very flexible allowing users to setup their httpd_openshift_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_openshift_script:
++
++.EX
++.B httpd_openshift_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_openshift_script policy is very flexible allowing users to setup their httpd_openshift_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_openshift_script:
++
++
++.EX
++.PP
++.B httpd_openshift_script_exec_t
++.EE
++
++- Set files with the httpd_openshift_script_exec_t type, if you want to transition an executable to the httpd_openshift_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_openshift_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_openshift_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_openshift_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_passwd_selinux.8 b/man/man8/httpd_passwd_selinux.8
+new file mode 100644
+index 0000000..11ff56f
+--- /dev/null
++++ b/man/man8/httpd_passwd_selinux.8
+@@ -0,0 +1,113 @@
++.TH "httpd_passwd_selinux" "8" "12-11-01" "httpd_passwd" "SELinux Policy documentation for httpd_passwd"
++.SH "NAME"
++httpd_passwd_selinux \- Security Enhanced Linux Policy for the httpd_passwd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_passwd processes via flexible mandatory access control.
++
++The httpd_passwd processes execute with the httpd_passwd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_passwd_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_passwd_t SELinux type can be entered via the "httpd_passwd_exec_t" file type. The default entrypoint paths for the httpd_passwd_t domain are the following:"
++
++/usr/libexec/httpd-ssl-pass-dialog
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_passwd policy is very flexible allowing users to setup their httpd_passwd processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_passwd:
++
++.EX
++.B httpd_passwd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_passwd policy is very flexible allowing users to setup their httpd_passwd processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_passwd:
++
++
++.EX
++.PP
++.B httpd_passwd_exec_t
++.EE
++
++- Set files with the httpd_passwd_exec_t type, if you want to transition an executable to the httpd_passwd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_passwd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the httpd_passwd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_passwd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_php_selinux.8 b/man/man8/httpd_php_selinux.8
+new file mode 100644
+index 0000000..6690ac0
+--- /dev/null
++++ b/man/man8/httpd_php_selinux.8
+@@ -0,0 +1,117 @@
++.TH "httpd_php_selinux" "8" "12-11-01" "httpd_php" "SELinux Policy documentation for httpd_php"
++.SH "NAME"
++httpd_php_selinux \- Security Enhanced Linux Policy for the httpd_php processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_php processes via flexible mandatory access control.
++
++The httpd_php processes execute with the httpd_php_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_php_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_php_t SELinux type can be entered via the "httpd_php_exec_t" file type. The default entrypoint paths for the httpd_php_t domain are the following:"
++
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_php policy is very flexible allowing users to setup their httpd_php processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_php:
++
++.EX
++.B httpd_php_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_php policy is very flexible allowing users to setup their httpd_php processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_php:
++
++
++.EX
++.PP
++.B httpd_php_exec_t
++.EE
++
++- Set files with the httpd_php_exec_t type, if you want to transition an executable to the httpd_php_t domain.
++
++
++.EX
++.PP
++.B httpd_php_tmp_t
++.EE
++
++- Set files with the httpd_php_tmp_t type, if you want to store httpd php temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_php_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_php_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_php_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the httpd_php_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_php(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_prewikka_script_selinux.8 b/man/man8/httpd_prewikka_script_selinux.8
+new file mode 100644
+index 0000000..8b729f1
+--- /dev/null
++++ b/man/man8/httpd_prewikka_script_selinux.8
+@@ -0,0 +1,109 @@
++.TH "httpd_prewikka_script_selinux" "8" "12-11-01" "httpd_prewikka_script" "SELinux Policy documentation for httpd_prewikka_script"
++.SH "NAME"
++httpd_prewikka_script_selinux \- Security Enhanced Linux Policy for the httpd_prewikka_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_prewikka_script processes via flexible mandatory access control.
++
++The httpd_prewikka_script processes execute with the httpd_prewikka_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_prewikka_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_prewikka_script_t SELinux type can be entered via the "shell_exec_t,httpd_prewikka_script_exec_t,httpd_prewikka_script_exec_t" file types. The default entrypoint paths for the httpd_prewikka_script_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/prewikka/cgi-bin(/.*)?, /usr/share/prewikka/cgi-bin(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_prewikka_script policy is very flexible allowing users to setup their httpd_prewikka_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_prewikka_script:
++
++.EX
++.B httpd_prewikka_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_prewikka_script policy is very flexible allowing users to setup their httpd_prewikka_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_prewikka_script:
++
++
++.EX
++.PP
++.B httpd_prewikka_script_exec_t
++.EE
++
++- Set files with the httpd_prewikka_script_exec_t type, if you want to transition an executable to the httpd_prewikka_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_prewikka_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_prewikka_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_prewikka_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the httpd_prewikka_script_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_prewikka_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_rotatelogs_selinux.8 b/man/man8/httpd_rotatelogs_selinux.8
+new file mode 100644
+index 0000000..bbe80c8
+--- /dev/null
++++ b/man/man8/httpd_rotatelogs_selinux.8
+@@ -0,0 +1,121 @@
++.TH "httpd_rotatelogs_selinux" "8" "12-11-01" "httpd_rotatelogs" "SELinux Policy documentation for httpd_rotatelogs"
++.SH "NAME"
++httpd_rotatelogs_selinux \- Security Enhanced Linux Policy for the httpd_rotatelogs processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_rotatelogs processes via flexible mandatory access control.
++
++The httpd_rotatelogs processes execute with the httpd_rotatelogs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_rotatelogs_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_rotatelogs_t SELinux type can be entered via the "httpd_rotatelogs_exec_t" file type. The default entrypoint paths for the httpd_rotatelogs_t domain are the following:"
++
++/usr/sbin/rotatelogs
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_rotatelogs policy is very flexible allowing users to setup their httpd_rotatelogs processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_rotatelogs:
++
++.EX
++.B httpd_rotatelogs_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_rotatelogs policy is very flexible allowing users to setup their httpd_rotatelogs processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_rotatelogs:
++
++
++.EX
++.PP
++.B httpd_rotatelogs_exec_t
++.EE
++
++- Set files with the httpd_rotatelogs_exec_t type, if you want to transition an executable to the httpd_rotatelogs_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_rotatelogs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_log_t
++
++ /var/www(/.*)?/logs(/.*)?
++.br
++ /var/log/cacti(/.*)?
++.br
++ /var/log/httpd(/.*)?
++.br
++ /var/log/apache(2)?(/.*)?
++.br
++ /var/log/cherokee(/.*)?
++.br
++ /var/log/lighttpd(/.*)?
++.br
++ /var/log/suphp\.log.*
++.br
++ /var/log/apache-ssl(2)?(/.*)?
++.br
++ /var/log/cgiwrap\.log.*
++.br
++ /var/www/stickshift/[^/]*/log(/.*)?
++.br
++ /var/log/roundcubemail(/.*)?
++.br
++ /var/log/dirsrv/admin-serv(/.*)?
++.br
++ /etc/httpd/logs
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_rotatelogs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
+index 16e8b13..d05f08b 100644
+--- a/man/man8/httpd_selinux.8
++++ b/man/man8/httpd_selinux.8
+@@ -1,120 +1,2164 @@
+-.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
+-.de EX
+-.nf
+-.ft CW
+-..
+-.de EE
+-.ft R
+-.fi
+-..
++.TH "httpd_selinux" "8" "12-11-01" "httpd" "SELinux Policy documentation for httpd"
+ .SH "NAME"
+-httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
++httpd_selinux \- Security Enhanced Linux Policy for the httpd processes
+ .SH "DESCRIPTION"
+
+-Security-Enhanced Linux secures the httpd server via flexible mandatory access
+-control.
+-.SH FILE_CONTEXTS
+-SELinux requires files to have an extended attribute to define the file type.
+-Policy governs the access daemons have to these files.
+-SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
+-.PP
+-The following file contexts types are defined for httpd:
++Security-Enhanced Linux secures the httpd processes via flexible mandatory access control.
++
++The httpd processes execute with the httpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_t SELinux type can be entered via the "httpd_exec_t" file type. The default entrypoint paths for the httpd_t domain are the following:"
++
++/usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd:
++
++.EX
++.B httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t, httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t, httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t, httpd_mojomojo_script_t, httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t, httpd_awstats_script_t, httpd_apcupsd_cgi_script_t, httpd_nutups_cgi_script_t, httpd_munin_script_t, httpd_zoneminder_script_t, httpd_openshift_script_t, httpd_sys_script_t, httpd_dspam_script_t, httpd_prewikka_script_t, httpd_git_script_t, httpd_t, httpd_man2html_script_t, httpd_passwd_t, httpd_helper_t, httpd_squid_script_t, httpd_cobbler_script_t, httpd_mediawiki_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
++
++
++.PP
++If you want to allow httpd processes to manage IPA content, you must turn on the httpd_manage_ipa boolean.
++
++.EX
++.B setsebool -P httpd_manage_ipa 1
++.EE
++
++.PP
++If you want to allow Apache to run in stickshift mode, not transition to passenger, you must turn on the httpd_run_stickshift boolean.
++
++.EX
++.B setsebool -P httpd_run_stickshift 1
++.EE
++
++.PP
++If you want to allow httpd to access FUSE file systems, you must turn on the httpd_use_fusefs boolean.
++
++.EX
++.B setsebool -P httpd_use_fusefs 1
++.EE
++
++.PP
++If you want to allow httpd to access openstack ports, you must turn on the httpd_use_openstack boolean.
++
++.EX
++.B setsebool -P httpd_use_openstack 1
++.EE
++
++.PP
++If you want to allow httpd to connect to the ldap port, you must turn on the httpd_can_connect_ldap boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_ldap 1
++.EE
++
++.PP
++If you want to allow httpd daemon to change its resource limits, you must turn on the httpd_setrlimit boolean.
++
++.EX
++.B setsebool -P httpd_setrlimit 1
++.EE
++
++.PP
++If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean.
++
++.EX
++.B setsebool -P httpd_use_oddjob 1
++.EE
++
++.PP
++If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
++
++.EX
++.B setsebool -P httpd_enable_ftp_server 1
++.EE
++
++.PP
++If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean.
++
++.EX
++.B setsebool -P httpd_use_nfs 1
++.EE
++
++.PP
++If you want to allow httpd to act as a relay, you must turn on the httpd_can_network_relay boolean.
++
++.EX
++.B setsebool -P httpd_can_network_relay 1
++.EE
++
++.PP
++If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean.
++
++.EX
++.B setsebool -P httpd_can_check_spam 1
++.EE
++
++.PP
++If you want to unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal, you must turn on the httpd_tty_comm boolean.
++
++.EX
++.B setsebool -P httpd_tty_comm 1
++.EE
++
++.PP
++If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean.
++
++.EX
++.B setsebool -P httpd_unified 1
++.EE
++
++.PP
++If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean.
++
++.EX
++.B setsebool -P httpd_can_network_memcache 1
++.EE
++
++.PP
++If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean.
++
++.EX
++.B setsebool -P httpd_graceful_shutdown 1
++.EE
++
++.PP
++If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean.
++
++.EX
++.B setsebool -P httpd_use_gpg 1
++.EE
++
++.PP
++If you want to allow httpd to use built in scripting (usually php), you must turn on the httpd_builtin_scripting boolean.
++
++.EX
++.B setsebool -P httpd_builtin_scripting 1
++.EE
++
++.PP
++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean.
++
++.EX
++.B setsebool -P httpd_can_sendmail 1
++.EE
++
++.PP
++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean.
++
++.EX
++.B setsebool -P httpd_enable_cgi 1
++.EE
++
++.PP
++If you want to allow Apache to use mod_auth_pam, you must turn on the httpd_mod_auth_pam boolean.
++
++.EX
++.B setsebool -P httpd_mod_auth_pam 1
++.EE
++
++.PP
++If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean.
++
++.EX
++.B setsebool -P httpd_read_user_content 1
++.EE
++
++.PP
++If you want to allow Apache to query NS records, you must turn on the httpd_verify_dns boolean.
++
++.EX
++.B setsebool -P httpd_verify_dns 1
++.EE
++
++.PP
++If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean.
++
++.EX
++.B setsebool -P named_bind_http_port 1
++.EE
++
++.PP
++If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_ftp 1
++.EE
++
++.PP
++If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean.
++
++.EX
++.B setsebool -P httpd_can_network_connect_cobbler 1
++.EE
++
++.PP
++If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean.
++
++.EX
++.B setsebool -P httpd_mod_auth_ntlm_winbind 1
++.EE
++
++.PP
++If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean.
++
++.EX
++.B setsebool -P httpd_dbus_avahi 1
++.EE
++
++.PP
++If you want to allow httpd to read home directories, you must turn on the httpd_enable_homedirs boolean.
++
++.EX
++.B setsebool -P httpd_enable_homedirs 1
++.EE
++
++.PP
++If you want to allow HTTPD to run SSI executables in the same domain as system CGI scripts, you must turn on the httpd_ssi_exec boolean.
++
++.EX
++.B setsebool -P httpd_ssi_exec 1
++.EE
++
++.PP
++If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean.
++
++.EX
++.B setsebool -P httpd_tmp_exec 1
++.EE
++
++.PP
++If you want to allow httpd to access cifs file systems, you must turn on the httpd_use_cifs boolean.
++
++.EX
++.B setsebool -P httpd_use_cifs 1
++.EE
++
++.PP
++If you want to allow httpd scripts and modules execmem/execstack, you must turn on the httpd_execmem boolean.
++
++.EX
++.B setsebool -P httpd_execmem 1
++.EE
++
++.PP
++If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_zabbix 1
++.EE
++
++.PP
++If you want to allow HTTPD scripts and modules to connect to the network using TCP, you must turn on the httpd_can_network_connect boolean.
++
++.EX
++.B setsebool -P httpd_can_network_connect 1
++.EE
++
++.PP
++If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean.
++
++.EX
++.B setsebool -P httpd_can_network_connect_db 1
++.EE
++
++.PP
++If you want to allow httpd processes to manage IPA content, you must turn on the httpd_manage_ipa boolean.
++
++.EX
++.B setsebool -P httpd_manage_ipa 1
++.EE
++
++.PP
++If you want to allow Apache to run in stickshift mode, not transition to passenger, you must turn on the httpd_run_stickshift boolean.
++
++.EX
++.B setsebool -P httpd_run_stickshift 1
++.EE
++
++.PP
++If you want to allow httpd to access FUSE file systems, you must turn on the httpd_use_fusefs boolean.
++
++.EX
++.B setsebool -P httpd_use_fusefs 1
++.EE
++
++.PP
++If you want to allow httpd to access openstack ports, you must turn on the httpd_use_openstack boolean.
++
++.EX
++.B setsebool -P httpd_use_openstack 1
++.EE
++
++.PP
++If you want to allow httpd to connect to the ldap port, you must turn on the httpd_can_connect_ldap boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_ldap 1
++.EE
++
++.PP
++If you want to allow httpd daemon to change its resource limits, you must turn on the httpd_setrlimit boolean.
++
++.EX
++.B setsebool -P httpd_setrlimit 1
++.EE
++
++.PP
++If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean.
++
++.EX
++.B setsebool -P httpd_use_oddjob 1
++.EE
++
++.PP
++If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
++
++.EX
++.B setsebool -P httpd_enable_ftp_server 1
++.EE
++
++.PP
++If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean.
++
++.EX
++.B setsebool -P httpd_use_nfs 1
++.EE
++
++.PP
++If you want to allow httpd to act as a relay, you must turn on the httpd_can_network_relay boolean.
++
++.EX
++.B setsebool -P httpd_can_network_relay 1
++.EE
++
++.PP
++If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean.
++
++.EX
++.B setsebool -P httpd_can_check_spam 1
++.EE
++
++.PP
++If you want to unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal, you must turn on the httpd_tty_comm boolean.
++
++.EX
++.B setsebool -P httpd_tty_comm 1
++.EE
++
++.PP
++If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean.
++
++.EX
++.B setsebool -P httpd_unified 1
++.EE
++
++.PP
++If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean.
++
++.EX
++.B setsebool -P httpd_can_network_memcache 1
++.EE
++
++.PP
++If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean.
++
++.EX
++.B setsebool -P httpd_graceful_shutdown 1
++.EE
++
++.PP
++If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean.
++
++.EX
++.B setsebool -P httpd_use_gpg 1
++.EE
++
++.PP
++If you want to allow httpd to use built in scripting (usually php), you must turn on the httpd_builtin_scripting boolean.
++
++.EX
++.B setsebool -P httpd_builtin_scripting 1
++.EE
++
++.PP
++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean.
++
++.EX
++.B setsebool -P httpd_can_sendmail 1
++.EE
++
++.PP
++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean.
++
++.EX
++.B setsebool -P httpd_enable_cgi 1
++.EE
++
++.PP
++If you want to allow Apache to use mod_auth_pam, you must turn on the httpd_mod_auth_pam boolean.
++
++.EX
++.B setsebool -P httpd_mod_auth_pam 1
++.EE
++
++.PP
++If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean.
++
++.EX
++.B setsebool -P httpd_read_user_content 1
++.EE
++
++.PP
++If you want to allow Apache to query NS records, you must turn on the httpd_verify_dns boolean.
++
++.EX
++.B setsebool -P httpd_verify_dns 1
++.EE
++
++.PP
++If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean.
++
++.EX
++.B setsebool -P named_bind_http_port 1
++.EE
++
++.PP
++If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_ftp 1
++.EE
++
++.PP
++If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean.
++
++.EX
++.B setsebool -P httpd_can_network_connect_cobbler 1
++.EE
++
++.PP
++If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean.
++
++.EX
++.B setsebool -P httpd_mod_auth_ntlm_winbind 1
++.EE
++
++.PP
++If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean.
++
++.EX
++.B setsebool -P httpd_dbus_avahi 1
++.EE
++
++.PP
++If you want to allow httpd to read home directories, you must turn on the httpd_enable_homedirs boolean.
++
++.EX
++.B setsebool -P httpd_enable_homedirs 1
++.EE
++
++.PP
++If you want to allow HTTPD to run SSI executables in the same domain as system CGI scripts, you must turn on the httpd_ssi_exec boolean.
++
++.EX
++.B setsebool -P httpd_ssi_exec 1
++.EE
++
++.PP
++If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean.
++
++.EX
++.B setsebool -P httpd_tmp_exec 1
++.EE
++
++.PP
++If you want to allow httpd to access cifs file systems, you must turn on the httpd_use_cifs boolean.
++
++.EX
++.B setsebool -P httpd_use_cifs 1
++.EE
++
++.PP
++If you want to allow httpd scripts and modules execmem/execstack, you must turn on the httpd_execmem boolean.
++
++.EX
++.B setsebool -P httpd_execmem 1
++.EE
++
++.PP
++If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_zabbix 1
++.EE
++
++.PP
++If you want to allow HTTPD scripts and modules to connect to the network using TCP, you must turn on the httpd_can_network_connect boolean.
++
++.EX
++.B setsebool -P httpd_can_network_connect 1
++.EE
++
++.PP
++If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean.
++
++.EX
++.B setsebool -P httpd_can_network_connect_db 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow httpd servers to read the /var/httpd directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
++.br
++.B restorecon -F -R -v /var/httpd
++.pp
++.TP
++Allow httpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_httpdd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/httpd/incoming
++
++
++.PP
++If you want to allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t., you must turn on the httpd_anon_write boolean.
++
++.EX
++.B setsebool -P httpd_anon_write 1
++.EE
++
++.PP
++If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the httpd_sys_script_anon_write boolean.
++
++.EX
++.B setsebool -P httpd_sys_script_anon_write 1
++.EE
++
++.PP
++If you want to allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t., you must turn on the httpd_anon_write boolean.
++
++.EX
++.B setsebool -P httpd_anon_write 1
++.EE
++
++.PP
++If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the httpd_sys_script_anon_write boolean.
++
++.EX
++.B setsebool -P httpd_sys_script_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd:
++
++
++.EX
++.PP
++.B httpd_apcupsd_cgi_content_t
++.EE
++
++- Set files with the httpd_apcupsd_cgi_content_t type, if you want to treat the files as httpd apcupsd cgi content.
++
++
++.EX
++.PP
++.B httpd_apcupsd_cgi_htaccess_t
++.EE
++
++- Set files with the httpd_apcupsd_cgi_htaccess_t type, if you want to treat the file as a httpd apcupsd cgi access file.
++
++
++.EX
++.PP
++.B httpd_apcupsd_cgi_ra_content_t
++.EE
++
++- Set files with the httpd_apcupsd_cgi_ra_content_t type, if you want to treat the files as httpd apcupsd cgi read/append content.
++
++
++.EX
++.PP
++.B httpd_apcupsd_cgi_rw_content_t
++.EE
++
++- Set files with the httpd_apcupsd_cgi_rw_content_t type, if you want to treat the files as httpd apcupsd cgi read/write content.
++
++
++.EX
++.PP
++.B httpd_apcupsd_cgi_script_exec_t
++.EE
++
++- Set files with the httpd_apcupsd_cgi_script_exec_t type, if you want to transition an executable to the httpd_apcupsd_cgi_script_t domain.
++
++
++.EX
++.PP
++.B httpd_awstats_content_t
++.EE
++
++- Set files with the httpd_awstats_content_t type, if you want to treat the files as httpd awstats content.
++
++
++.EX
++.PP
++.B httpd_awstats_htaccess_t
++.EE
++
++- Set files with the httpd_awstats_htaccess_t type, if you want to treat the file as a httpd awstats access file.
++
++
++.EX
++.PP
++.B httpd_awstats_ra_content_t
++.EE
++
++- Set files with the httpd_awstats_ra_content_t type, if you want to treat the files as httpd awstats read/append content.
++
++
++.EX
++.PP
++.B httpd_awstats_rw_content_t
++.EE
++
++- Set files with the httpd_awstats_rw_content_t type, if you want to treat the files as httpd awstats read/write content.
++
++
++.EX
++.PP
++.B httpd_awstats_script_exec_t
++.EE
++
++- Set files with the httpd_awstats_script_exec_t type, if you want to transition an executable to the httpd_awstats_script_t domain.
++
++
++.EX
++.PP
++.B httpd_bugzilla_content_t
++.EE
++
++- Set files with the httpd_bugzilla_content_t type, if you want to treat the files as httpd bugzilla content.
++
++
++.EX
++.PP
++.B httpd_bugzilla_htaccess_t
++.EE
++
++- Set files with the httpd_bugzilla_htaccess_t type, if you want to treat the file as a httpd bugzilla access file.
++
++
++.EX
++.PP
++.B httpd_bugzilla_ra_content_t
++.EE
++
++- Set files with the httpd_bugzilla_ra_content_t type, if you want to treat the files as httpd bugzilla read/append content.
++
++
++.EX
++.PP
++.B httpd_bugzilla_rw_content_t
++.EE
++
++- Set files with the httpd_bugzilla_rw_content_t type, if you want to treat the files as httpd bugzilla read/write content.
++
++
++.EX
++.PP
++.B httpd_bugzilla_script_exec_t
++.EE
++
++- Set files with the httpd_bugzilla_script_exec_t type, if you want to transition an executable to the httpd_bugzilla_script_t domain.
++
++
++.EX
++.PP
++.B httpd_bugzilla_tmp_t
++.EE
++
++- Set files with the httpd_bugzilla_tmp_t type, if you want to store httpd bugzilla temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B httpd_cache_t
++.EE
++
++- Set files with the httpd_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B httpd_cobbler_content_t
++.EE
++
++- Set files with the httpd_cobbler_content_t type, if you want to treat the files as httpd cobbler content.
++
++
++.EX
++.PP
++.B httpd_cobbler_htaccess_t
++.EE
++
++- Set files with the httpd_cobbler_htaccess_t type, if you want to treat the file as a httpd cobbler access file.
++
++
++.EX
++.PP
++.B httpd_cobbler_ra_content_t
++.EE
++
++- Set files with the httpd_cobbler_ra_content_t type, if you want to treat the files as httpd cobbler read/append content.
++
++
++.EX
++.PP
++.B httpd_cobbler_rw_content_t
++.EE
++
++- Set files with the httpd_cobbler_rw_content_t type, if you want to treat the files as httpd cobbler read/write content.
++
++
++.EX
++.PP
++.B httpd_cobbler_script_exec_t
++.EE
++
++- Set files with the httpd_cobbler_script_exec_t type, if you want to transition an executable to the httpd_cobbler_script_t domain.
++
++
++.EX
++.PP
++.B httpd_collectd_content_t
++.EE
++
++- Set files with the httpd_collectd_content_t type, if you want to treat the files as httpd collectd content.
++
++
++.EX
++.PP
++.B httpd_collectd_htaccess_t
++.EE
++
++- Set files with the httpd_collectd_htaccess_t type, if you want to treat the file as a httpd collectd access file.
++
++
++.EX
++.PP
++.B httpd_collectd_ra_content_t
++.EE
++
++- Set files with the httpd_collectd_ra_content_t type, if you want to treat the files as httpd collectd read/append content.
++
++
++.EX
++.PP
++.B httpd_collectd_rw_content_t
++.EE
++
++- Set files with the httpd_collectd_rw_content_t type, if you want to treat the files as httpd collectd read/write content.
++
++
++.EX
++.PP
++.B httpd_collectd_script_exec_t
++.EE
++
++- Set files with the httpd_collectd_script_exec_t type, if you want to transition an executable to the httpd_collectd_script_t domain.
++
++
++.EX
++.PP
++.B httpd_config_t
++.EE
++
++- Set files with the httpd_config_t type, if you want to treat the files as httpd configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B httpd_cvs_content_t
++.EE
++
++- Set files with the httpd_cvs_content_t type, if you want to treat the files as httpd cvs content.
++
++
++.EX
++.PP
++.B httpd_cvs_htaccess_t
++.EE
++
++- Set files with the httpd_cvs_htaccess_t type, if you want to treat the file as a httpd cvs access file.
++
++
++.EX
++.PP
++.B httpd_cvs_ra_content_t
++.EE
++
++- Set files with the httpd_cvs_ra_content_t type, if you want to treat the files as httpd cvs read/append content.
++
++
++.EX
++.PP
++.B httpd_cvs_rw_content_t
++.EE
++
++- Set files with the httpd_cvs_rw_content_t type, if you want to treat the files as httpd cvs read/write content.
++
++
++.EX
++.PP
++.B httpd_cvs_script_exec_t
++.EE
++
++- Set files with the httpd_cvs_script_exec_t type, if you want to transition an executable to the httpd_cvs_script_t domain.
++
++
++.EX
++.PP
++.B httpd_dirsrvadmin_content_t
++.EE
++
++- Set files with the httpd_dirsrvadmin_content_t type, if you want to treat the files as httpd dirsrvadmin content.
++
++
++.EX
++.PP
++.B httpd_dirsrvadmin_htaccess_t
++.EE
++
++- Set files with the httpd_dirsrvadmin_htaccess_t type, if you want to treat the file as a httpd dirsrvadmin access file.
++
++
++.EX
++.PP
++.B httpd_dirsrvadmin_ra_content_t
++.EE
++
++- Set files with the httpd_dirsrvadmin_ra_content_t type, if you want to treat the files as httpd dirsrvadmin read/append content.
++
++
++.EX
++.PP
++.B httpd_dirsrvadmin_rw_content_t
++.EE
++
++- Set files with the httpd_dirsrvadmin_rw_content_t type, if you want to treat the files as httpd dirsrvadmin read/write content.
++
++
++.EX
++.PP
++.B httpd_dirsrvadmin_script_exec_t
++.EE
++
++- Set files with the httpd_dirsrvadmin_script_exec_t type, if you want to transition an executable to the httpd_dirsrvadmin_script_t domain.
++
++
++.EX
++.PP
++.B httpd_dspam_content_t
++.EE
++
++- Set files with the httpd_dspam_content_t type, if you want to treat the files as httpd dspam content.
++
++
++.EX
++.PP
++.B httpd_dspam_htaccess_t
++.EE
++
++- Set files with the httpd_dspam_htaccess_t type, if you want to treat the file as a httpd dspam access file.
++
++
++.EX
++.PP
++.B httpd_dspam_ra_content_t
++.EE
++
++- Set files with the httpd_dspam_ra_content_t type, if you want to treat the files as httpd dspam read/append content.
++
++
++.EX
++.PP
++.B httpd_dspam_rw_content_t
++.EE
++
++- Set files with the httpd_dspam_rw_content_t type, if you want to treat the files as httpd dspam read/write content.
++
++
++.EX
++.PP
++.B httpd_dspam_script_exec_t
++.EE
++
++- Set files with the httpd_dspam_script_exec_t type, if you want to transition an executable to the httpd_dspam_script_t domain.
++
++
++.EX
++.PP
++.B httpd_exec_t
++.EE
++
++- Set files with the httpd_exec_t type, if you want to transition an executable to the httpd_t domain.
++
++
++.EX
++.PP
++.B httpd_git_content_t
++.EE
++
++- Set files with the httpd_git_content_t type, if you want to treat the files as httpd git content.
++
++
++.EX
++.PP
++.B httpd_git_htaccess_t
++.EE
++
++- Set files with the httpd_git_htaccess_t type, if you want to treat the file as a httpd git access file.
++
++
++.EX
++.PP
++.B httpd_git_ra_content_t
++.EE
++
++- Set files with the httpd_git_ra_content_t type, if you want to treat the files as httpd git read/append content.
++
++
++.EX
++.PP
++.B httpd_git_rw_content_t
++.EE
++
++- Set files with the httpd_git_rw_content_t type, if you want to treat the files as httpd git read/write content.
++
++
++.EX
++.PP
++.B httpd_git_script_exec_t
++.EE
++
++- Set files with the httpd_git_script_exec_t type, if you want to transition an executable to the httpd_git_script_t domain.
++
++
++.EX
++.PP
++.B httpd_helper_exec_t
++.EE
++
++- Set files with the httpd_helper_exec_t type, if you want to transition an executable to the httpd_helper_t domain.
++
++
++.EX
++.PP
++.B httpd_initrc_exec_t
++.EE
++
++- Set files with the httpd_initrc_exec_t type, if you want to transition an executable to the httpd_initrc_t domain.
++
++
++.EX
++.PP
++.B httpd_keytab_t
++.EE
++
++- Set files with the httpd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B httpd_lock_t
++.EE
++
++- Set files with the httpd_lock_t type, if you want to treat the files as httpd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B httpd_log_t
++.EE
++
++- Set files with the httpd_log_t type, if you want to treat the data as httpd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B httpd_man2html_content_t
++.EE
++
++- Set files with the httpd_man2html_content_t type, if you want to treat the files as httpd man2html content.
++
++
++.EX
++.PP
++.B httpd_man2html_htaccess_t
++.EE
++
++- Set files with the httpd_man2html_htaccess_t type, if you want to treat the file as a httpd man2html access file.
++
++
++.EX
++.PP
++.B httpd_man2html_ra_content_t
++.EE
++
++- Set files with the httpd_man2html_ra_content_t type, if you want to treat the files as httpd man2html read/append content.
++
++
++.EX
++.PP
++.B httpd_man2html_rw_content_t
++.EE
++
++- Set files with the httpd_man2html_rw_content_t type, if you want to treat the files as httpd man2html read/write content.
++
++
++.EX
++.PP
++.B httpd_man2html_script_cache_t
++.EE
++
++- Set files with the httpd_man2html_script_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B httpd_man2html_script_exec_t
++.EE
++
++- Set files with the httpd_man2html_script_exec_t type, if you want to transition an executable to the httpd_man2html_script_t domain.
++
++
++.EX
++.PP
++.B httpd_mediawiki_content_t
++.EE
++
++- Set files with the httpd_mediawiki_content_t type, if you want to treat the files as httpd mediawiki content.
++
++
++.EX
++.PP
++.B httpd_mediawiki_htaccess_t
++.EE
++
++- Set files with the httpd_mediawiki_htaccess_t type, if you want to treat the file as a httpd mediawiki access file.
++
++
++.EX
++.PP
++.B httpd_mediawiki_ra_content_t
++.EE
++
++- Set files with the httpd_mediawiki_ra_content_t type, if you want to treat the files as httpd mediawiki read/append content.
++
++
++.EX
++.PP
++.B httpd_mediawiki_rw_content_t
++.EE
++
++- Set files with the httpd_mediawiki_rw_content_t type, if you want to treat the files as httpd mediawiki read/write content.
++
++
++.EX
++.PP
++.B httpd_mediawiki_script_exec_t
++.EE
++
++- Set files with the httpd_mediawiki_script_exec_t type, if you want to transition an executable to the httpd_mediawiki_script_t domain.
++
++
++.EX
++.PP
++.B httpd_modules_t
++.EE
++
++- Set files with the httpd_modules_t type, if you want to treat the files as httpd modules.
++
++
++.EX
++.PP
++.B httpd_mojomojo_content_t
++.EE
++
++- Set files with the httpd_mojomojo_content_t type, if you want to treat the files as httpd mojomojo content.
++
++
++.EX
++.PP
++.B httpd_mojomojo_htaccess_t
++.EE
++
++- Set files with the httpd_mojomojo_htaccess_t type, if you want to treat the file as a httpd mojomojo access file.
++
++
++.EX
++.PP
++.B httpd_mojomojo_ra_content_t
++.EE
++
++- Set files with the httpd_mojomojo_ra_content_t type, if you want to treat the files as httpd mojomojo read/append content.
++
++
++.EX
++.PP
++.B httpd_mojomojo_rw_content_t
++.EE
++
++- Set files with the httpd_mojomojo_rw_content_t type, if you want to treat the files as httpd mojomojo read/write content.
++
++
++.EX
++.PP
++.B httpd_mojomojo_script_exec_t
++.EE
++
++- Set files with the httpd_mojomojo_script_exec_t type, if you want to transition an executable to the httpd_mojomojo_script_t domain.
++
++
++.EX
++.PP
++.B httpd_mojomojo_tmp_t
++.EE
++
++- Set files with the httpd_mojomojo_tmp_t type, if you want to store httpd mojomojo temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B httpd_munin_content_t
++.EE
++
++- Set files with the httpd_munin_content_t type, if you want to treat the files as httpd munin content.
++
++
++.EX
++.PP
++.B httpd_munin_htaccess_t
++.EE
++
++- Set files with the httpd_munin_htaccess_t type, if you want to treat the file as a httpd munin access file.
++
++
++.EX
++.PP
++.B httpd_munin_ra_content_t
++.EE
++
++- Set files with the httpd_munin_ra_content_t type, if you want to treat the files as httpd munin read/append content.
++
++
++.EX
++.PP
++.B httpd_munin_rw_content_t
++.EE
++
++- Set files with the httpd_munin_rw_content_t type, if you want to treat the files as httpd munin read/write content.
++
++
++.EX
++.PP
++.B httpd_munin_script_exec_t
++.EE
++
++- Set files with the httpd_munin_script_exec_t type, if you want to transition an executable to the httpd_munin_script_t domain.
++
++
++.EX
++.PP
++.B httpd_nagios_content_t
++.EE
++
++- Set files with the httpd_nagios_content_t type, if you want to treat the files as httpd nagios content.
++
++
++.EX
++.PP
++.B httpd_nagios_htaccess_t
++.EE
++
++- Set files with the httpd_nagios_htaccess_t type, if you want to treat the file as a httpd nagios access file.
++
++
++.EX
++.PP
++.B httpd_nagios_ra_content_t
++.EE
++
++- Set files with the httpd_nagios_ra_content_t type, if you want to treat the files as httpd nagios read/append content.
++
++
++.EX
++.PP
++.B httpd_nagios_rw_content_t
++.EE
++
++- Set files with the httpd_nagios_rw_content_t type, if you want to treat the files as httpd nagios read/write content.
++
++
++.EX
++.PP
++.B httpd_nagios_script_exec_t
++.EE
++
++- Set files with the httpd_nagios_script_exec_t type, if you want to transition an executable to the httpd_nagios_script_t domain.
++
++
++.EX
++.PP
++.B httpd_nutups_cgi_content_t
++.EE
++
++- Set files with the httpd_nutups_cgi_content_t type, if you want to treat the files as httpd nutups cgi content.
++
++
++.EX
++.PP
++.B httpd_nutups_cgi_htaccess_t
++.EE
++
++- Set files with the httpd_nutups_cgi_htaccess_t type, if you want to treat the file as a httpd nutups cgi access file.
++
++
++.EX
++.PP
++.B httpd_nutups_cgi_ra_content_t
++.EE
++
++- Set files with the httpd_nutups_cgi_ra_content_t type, if you want to treat the files as httpd nutups cgi read/append content.
++
++
++.EX
++.PP
++.B httpd_nutups_cgi_rw_content_t
++.EE
++
++- Set files with the httpd_nutups_cgi_rw_content_t type, if you want to treat the files as httpd nutups cgi read/write content.
++
++
++.EX
++.PP
++.B httpd_nutups_cgi_script_exec_t
++.EE
++
++- Set files with the httpd_nutups_cgi_script_exec_t type, if you want to transition an executable to the httpd_nutups_cgi_script_t domain.
++
++
++.EX
++.PP
++.B httpd_openshift_content_t
++.EE
++
++- Set files with the httpd_openshift_content_t type, if you want to treat the files as httpd openshift content.
++
++
++.EX
++.PP
++.B httpd_openshift_htaccess_t
++.EE
++
++- Set files with the httpd_openshift_htaccess_t type, if you want to treat the file as a httpd openshift access file.
++
++
++.EX
++.PP
++.B httpd_openshift_ra_content_t
++.EE
++
++- Set files with the httpd_openshift_ra_content_t type, if you want to treat the files as httpd openshift read/append content.
++
++
++.EX
++.PP
++.B httpd_openshift_rw_content_t
++.EE
++
++- Set files with the httpd_openshift_rw_content_t type, if you want to treat the files as httpd openshift read/write content.
++
++
++.EX
++.PP
++.B httpd_openshift_script_exec_t
++.EE
++
++- Set files with the httpd_openshift_script_exec_t type, if you want to transition an executable to the httpd_openshift_script_t domain.
++
++
++.EX
++.PP
++.B httpd_passwd_exec_t
++.EE
++
++- Set files with the httpd_passwd_exec_t type, if you want to transition an executable to the httpd_passwd_t domain.
++
++
++.EX
++.PP
++.B httpd_php_exec_t
++.EE
++
++- Set files with the httpd_php_exec_t type, if you want to transition an executable to the httpd_php_t domain.
++
++
++.EX
++.PP
++.B httpd_php_tmp_t
++.EE
++
++- Set files with the httpd_php_tmp_t type, if you want to store httpd php temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B httpd_prewikka_content_t
++.EE
++
++- Set files with the httpd_prewikka_content_t type, if you want to treat the files as httpd prewikka content.
++
++
++.EX
++.PP
++.B httpd_prewikka_htaccess_t
++.EE
++
++- Set files with the httpd_prewikka_htaccess_t type, if you want to treat the file as a httpd prewikka access file.
++
++
++.EX
++.PP
++.B httpd_prewikka_ra_content_t
++.EE
++
++- Set files with the httpd_prewikka_ra_content_t type, if you want to treat the files as httpd prewikka read/append content.
++
++
++.EX
++.PP
++.B httpd_prewikka_rw_content_t
++.EE
++
++- Set files with the httpd_prewikka_rw_content_t type, if you want to treat the files as httpd prewikka read/write content.
++
++
++.EX
++.PP
++.B httpd_prewikka_script_exec_t
++.EE
++
++- Set files with the httpd_prewikka_script_exec_t type, if you want to transition an executable to the httpd_prewikka_script_t domain.
++
++
++.EX
++.PP
++.B httpd_rotatelogs_exec_t
++.EE
++
++- Set files with the httpd_rotatelogs_exec_t type, if you want to transition an executable to the httpd_rotatelogs_t domain.
++
++
++.EX
++.PP
++.B httpd_smokeping_cgi_content_t
++.EE
++
++- Set files with the httpd_smokeping_cgi_content_t type, if you want to treat the files as httpd smokeping cgi content.
++
++
++.EX
++.PP
++.B httpd_smokeping_cgi_htaccess_t
++.EE
++
++- Set files with the httpd_smokeping_cgi_htaccess_t type, if you want to treat the file as a httpd smokeping cgi access file.
++
++
++.EX
++.PP
++.B httpd_smokeping_cgi_ra_content_t
++.EE
++
++- Set files with the httpd_smokeping_cgi_ra_content_t type, if you want to treat the files as httpd smokeping cgi read/append content.
++
++
++.EX
++.PP
++.B httpd_smokeping_cgi_rw_content_t
++.EE
++
++- Set files with the httpd_smokeping_cgi_rw_content_t type, if you want to treat the files as httpd smokeping cgi read/write content.
++
++
++.EX
++.PP
++.B httpd_smokeping_cgi_script_exec_t
++.EE
++
++- Set files with the httpd_smokeping_cgi_script_exec_t type, if you want to transition an executable to the httpd_smokeping_cgi_script_t domain.
++
++
++.EX
++.PP
++.B httpd_squid_content_t
++.EE
++
++- Set files with the httpd_squid_content_t type, if you want to treat the files as httpd squid content.
++
++
++.EX
++.PP
++.B httpd_squid_htaccess_t
++.EE
++
++- Set files with the httpd_squid_htaccess_t type, if you want to treat the file as a httpd squid access file.
++
++
++.EX
++.PP
++.B httpd_squid_ra_content_t
++.EE
++
++- Set files with the httpd_squid_ra_content_t type, if you want to treat the files as httpd squid read/append content.
++
++
++.EX
++.PP
++.B httpd_squid_rw_content_t
++.EE
++
++- Set files with the httpd_squid_rw_content_t type, if you want to treat the files as httpd squid read/write content.
++
++
++.EX
++.PP
++.B httpd_squid_script_exec_t
++.EE
++
++- Set files with the httpd_squid_script_exec_t type, if you want to transition an executable to the httpd_squid_script_t domain.
++
++
++.EX
++.PP
++.B httpd_squirrelmail_t
++.EE
++
++- Set files with the httpd_squirrelmail_t type, if you want to treat the files as httpd squirrelmail data.
++
++
++.EX
++.PP
++.B httpd_suexec_exec_t
++.EE
++
++- Set files with the httpd_suexec_exec_t type, if you want to transition an executable to the httpd_suexec_t domain.
++
++
+ .EX
+-httpd_sys_content_t
+-.EE
+-- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
++.PP
++.B httpd_suexec_tmp_t
++.EE
++
++- Set files with the httpd_suexec_tmp_t type, if you want to store httpd suexec temporary files in the /tmp directories.
++
++
+ .EX
+-httpd_sys_script_exec_t
+-.EE
+-- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
++.PP
++.B httpd_sys_content_t
++.EE
++
++- Set files with the httpd_sys_content_t type, if you want to treat the files as httpd sys content.
++
++
+ .EX
+-httpd_sys_content_rw_t
++.PP
++.B httpd_sys_htaccess_t
+ .EE
+-- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
++
++- Set files with the httpd_sys_htaccess_t type, if you want to treat the file as a httpd sys access file.
++
++
+ .EX
+-httpd_sys_content_ra_t
++.PP
++.B httpd_sys_ra_content_t
+ .EE
+-- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access.
++
++- Set files with the httpd_sys_ra_content_t type, if you want to treat the files as httpd sys read/append content.
++
++
+ .EX
+-httpd_unconfined_script_exec_t
+-.EE
+-- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd.
++.PP
++.B httpd_sys_rw_content_t
++.EE
+
+-.SH NOTE
+-With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
++- Set files with the httpd_sys_rw_content_t type, if you want to treat the files as httpd sys read/write content.
+
+-.SH SHARING FILES
+-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute:
+
+ .EX
+-setsebool -P allow_httpd_anon_write=1
++.PP
++.B httpd_sys_script_exec_t
+ .EE
+
+-or
++- Set files with the httpd_sys_script_exec_t type, if you want to transition an executable to the httpd_sys_script_t domain.
++
+
+ .EX
+-setsebool -P allow_httpd_sys_script_anon_write=1
++.PP
++.B httpd_tmp_t
+ .EE
+
+-.SH BOOLEANS
+-SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
++- Set files with the httpd_tmp_t type, if you want to store httpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B httpd_tmpfs_t
++.EE
++
++- Set files with the httpd_tmpfs_t type, if you want to store httpd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B httpd_unit_file_t
++.EE
++
++- Set files with the httpd_unit_file_t type, if you want to treat the files as httpd unit content.
++
++
++.EX
++.PP
++.B httpd_user_content_t
++.EE
++
++- Set files with the httpd_user_content_t type, if you want to treat the files as httpd user content.
++
++
++.EX
++.PP
++.B httpd_user_htaccess_t
++.EE
++
++- Set files with the httpd_user_htaccess_t type, if you want to treat the file as a httpd user access file.
++
++
++.EX
++.PP
++.B httpd_user_ra_content_t
++.EE
++
++- Set files with the httpd_user_ra_content_t type, if you want to treat the files as httpd user read/append content.
++
++
++.EX
++.PP
++.B httpd_user_rw_content_t
++.EE
++
++- Set files with the httpd_user_rw_content_t type, if you want to treat the files as httpd user read/write content.
++
++
++.EX
++.PP
++.B httpd_user_script_exec_t
++.EE
++
++- Set files with the httpd_user_script_exec_t type, if you want to transition an executable to the httpd_user_script_t domain.
++
++
++.EX
+ .PP
+-httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
++.B httpd_var_lib_t
++.EE
++
++- Set files with the httpd_var_lib_t type, if you want to store the httpd files under the /var/lib directory.
++
+
+ .EX
+-setsebool -P httpd_enable_cgi 1
++.PP
++.B httpd_var_run_t
+ .EE
+
++- Set files with the httpd_var_run_t type, if you want to store the httpd files under the /run directory.
++
++
++.EX
+ .PP
+-SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
++.B httpd_w3c_validator_content_t
++.EE
++
++- Set files with the httpd_w3c_validator_content_t type, if you want to treat the files as httpd w3c validator content.
++
+
+ .EX
+-setsebool -P httpd_enable_homedirs 1
+-chcon -R -t httpd_sys_content_t ~user/public_html
++.PP
++.B httpd_w3c_validator_htaccess_t
+ .EE
+
++- Set files with the httpd_w3c_validator_htaccess_t type, if you want to treat the file as a httpd w3c validator access file.
++
++
++.EX
+ .PP
+-SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
++.B httpd_w3c_validator_ra_content_t
++.EE
++
++- Set files with the httpd_w3c_validator_ra_content_t type, if you want to treat the files as httpd w3c validator read/append content.
++
+
+ .EX
+-setsebool -P httpd_tty_comm 1
++.PP
++.B httpd_w3c_validator_rw_content_t
+ .EE
+
++- Set files with the httpd_w3c_validator_rw_content_t type, if you want to treat the files as httpd w3c validator read/write content.
++
++
++.EX
+ .PP
+-httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another.
++.B httpd_w3c_validator_script_exec_t
++.EE
++
++- Set files with the httpd_w3c_validator_script_exec_t type, if you want to transition an executable to the httpd_w3c_validator_script_t domain.
++
+
+ .EX
+-setsebool -P httpd_unified 0
++.PP
++.B httpd_w3c_validator_tmp_t
+ .EE
+
++- Set files with the httpd_w3c_validator_tmp_t type, if you want to store httpd w3c validator temporary files in the /tmp directories.
++
++
++.EX
+ .PP
+-SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
++.B httpd_zoneminder_content_t
++.EE
++
++- Set files with the httpd_zoneminder_content_t type, if you want to treat the files as httpd zoneminder content.
++
+
+ .EX
+-setsebool -P httpd_can_sendmail 1
+ .PP
+-httpd can be configured to turn off internal scripting (PHP). PHP and other
+-loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
++.B httpd_zoneminder_htaccess_t
++.EE
++
++- Set files with the httpd_zoneminder_htaccess_t type, if you want to treat the file as a httpd zoneminder access file.
++
+
+ .EX
+-setsebool -P httpd_builtin_scripting 0
++.PP
++.B httpd_zoneminder_ra_content_t
+ .EE
+
++- Set files with the httpd_zoneminder_ra_content_t type, if you want to treat the files as httpd zoneminder read/append content.
++
++
++.EX
+ .PP
+-SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.
+-This would prevent a hacker from breaking into you httpd server and attacking
+-other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
++.B httpd_zoneminder_rw_content_t
++.EE
++
++- Set files with the httpd_zoneminder_rw_content_t type, if you want to treat the files as httpd zoneminder read/write content.
++
+
+ .EX
+-setsebool -P httpd_can_network_connect 1
++.PP
++.B httpd_zoneminder_script_exec_t
+ .EE
+
++- Set files with the httpd_zoneminder_script_exec_t type, if you want to transition an executable to the httpd_zoneminder_script_t domain.
++
++
+ .PP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
+-.SH AUTHOR
+-This manual page was written by Dan Walsh .
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
+
+-.SH "SEE ALSO"
+-selinux(8), httpd(8), chcon(1), setsebool(8)
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible.
++.PP
++The following port types are defined for httpd:
++
++.EX
++.TP 5
++.B http_cache_port_t
++.TP 10
++.EE
+
+
++Default Defined Ports:
++tcp 8080,8118,10001-10010
++.EE
++udp 3130
++.EE
++
++.EX
++.TP 5
++.B http_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 80,81,443,488,8008,8009,8443
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B abrt_retrace_spool_t
++
++ /var/spool/abrt-retrace(/.*)?
++.br
++ /var/spool/retrace-server(/.*)?
++.br
++
++.br
++.B dirsrv_config_t
++
++ /etc/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrv_var_log_t
++
++ /var/log/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrv_var_run_t
++
++ /var/run/dirsrv(/.*)?
++.br
++
++.br
++.B dirsrvadmin_config_t
++
++ /etc/dirsrv/dsgw(/.*)?
++.br
++ /etc/dirsrv/admin-serv(/.*)?
++.br
++
++.br
++.B dirsrvadmin_tmp_t
++
++
++.br
++.B httpd_apcupsd_cgi_rw_content_t
++
++
++.br
++.B httpd_awstats_rw_content_t
++
++
++.br
++.B httpd_bugzilla_rw_content_t
++
++ /var/lib/bugzilla(/.*)?
++.br
++
++.br
++.B httpd_cache_t
++
++ /var/cache/rt3(/.*)?
++.br
++ /var/cache/ssl.*\.sem
++.br
++ /var/cache/mod_.*
++.br
++ /var/cache/php-.*
++.br
++ /var/cache/httpd(/.*)?
++.br
++ /var/cache/mason(/.*)?
++.br
++ /var/cache/mod_ssl(/.*)?
++.br
++ /var/cache/lighttpd(/.*)?
++.br
++ /var/cache/mediawiki(/.*)?
++.br
++ /var/cache/mod_proxy(/.*)?
++.br
++ /var/cache/mod_gnutls(/.*)?
++.br
++ /var/cache/php-mmcache(/.*)?
++.br
++ /var/cache/php-eaccelerator(/.*)?
++.br
++
++.br
++.B httpd_cobbler_rw_content_t
++
++
++.br
++.B httpd_collectd_rw_content_t
++
++
++.br
++.B httpd_cvs_rw_content_t
++
++
++.br
++.B httpd_dirsrvadmin_rw_content_t
++
++
++.br
++.B httpd_dspam_rw_content_t
++
++
++.br
++.B httpd_git_rw_content_t
++
++ /var/cache/cgit(/.*)?
++.br
++ /var/cache/gitweb-caching(/.*)?
++.br
++
++.br
++.B httpd_lock_t
++
++
++.br
++.B httpd_man2html_rw_content_t
++
++
++.br
++.B httpd_mediawiki_rw_content_t
++
++ /var/www/wiki(/.*)?
++.br
++
++.br
++.B httpd_mojomojo_rw_content_t
++
++ /var/lib/mojomojo(/.*)?
++.br
++
++.br
++.B httpd_munin_rw_content_t
++
++
++.br
++.B httpd_nagios_rw_content_t
++
++
++.br
++.B httpd_nutups_cgi_rw_content_t
++
++
++.br
++.B httpd_openshift_rw_content_t
++
++
++.br
++.B httpd_prewikka_rw_content_t
++
++
++.br
++.B httpd_smokeping_cgi_rw_content_t
++
++
++.br
++.B httpd_squid_rw_content_t
++
++
++.br
++.B httpd_squirrelmail_t
++
++ /var/lib/squirrelmail/prefs(/.*)?
++.br
++
++.br
++.B httpd_sys_rw_content_t
++
++ /etc/drupal.*
++.br
++ /var/lib/svn(/.*)?
++.br
++ /var/www/svn(/.*)?
++.br
++ /etc/mock/koji(/.*)?
++.br
++ /var/www/html/[^/]*/sites/default/files(/.*)?
++.br
++ /var/www/html/[^/]*/sites/default/settings\.php
++.br
++ /var/lib/drupal.*
++.br
++ /etc/zabbix/web(/.*)?
++.br
++ /var/spool/gosa(/.*)?
++.br
++ /etc/WebCalendar(/.*)?
++.br
++ /var/lib/dokuwiki(/.*)?
++.br
++ /var/spool/viewvc(/.*)?
++.br
++ /var/lib/pootle/po(/.*)?
++.br
++ /var/www/moodledata(/.*)?
++.br
++ /var/www/gallery/albums(/.*)?
++.br
++ /var/www/html/wp-content(/.*)?
++.br
++ /usr/share/wordpress-mu/wp-content(/.*)?
++.br
++ /usr/share/wordpress/wp-content/uploads(/.*)?
++.br
++ /usr/share/wordpress/wp-content/upgrade(/.*)?
++.br
++ /etc/owncloud/config\.php
++.br
++ /var/www/html/configuration\.php
++.br
++
++.br
++.B httpd_tmp_t
++
++ /var/run/user/apache(/.*)?
++.br
++
++.br
++.B httpd_tmpfs_t
++
++
++.br
++.B httpd_user_rw_content_t
++
++
++.br
++.B httpd_var_lib_t
++
++ /var/lib/dav(/.*)?
++.br
++ /var/lib/php(/.*)?
++.br
++ /var/lib/httpd(/.*)?
++.br
++ /var/lib/cherokee(/.*)?
++.br
++ /var/lib/lighttpd(/.*)?
++.br
++ /var/lib/rt3/data/RT-Shredder(/.*)?
++.br
++
++.br
++.B httpd_var_run_t
++
++ /var/run/mod_.*
++.br
++ /var/run/wsgi.*
++.br
++ /var/run/httpd.*
++.br
++ /var/run/apache.*
++.br
++ /var/run/lighttpd(/.*)?
++.br
++ /var/lib/php/session(/.*)?
++.br
++ /var/run/dirsrv/admin-serv.*
++.br
++ /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
++.br
++ /var/run/gcache_port
++.br
++ /var/run/cherokee\.pid
++.br
++
++.br
++.B httpd_w3c_validator_rw_content_t
++
++
++.br
++.B httpd_zoneminder_rw_content_t
++
++
++.br
++.B jetty_cache_t
++
++ /var/cache/jetty(/.*)?
++.br
++
++.br
++.B jetty_log_t
++
++ /var/log/jetty(/.*)?
++.br
++
++.br
++.B jetty_var_lib_t
++
++ /var/lib/jetty(/.*)?
++.br
++
++.br
++.B jetty_var_run_t
++
++ /var/run/jetty(/.*)?
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B passenger_tmp_t
++
++
++.br
++.B passenger_var_run_t
++
++ /var/run/passenger(/.*)?
++.br
++
++.br
++.B pki_apache_config
++
++
++.br
++.B pki_apache_var_lib
++
++
++.br
++.B pki_apache_var_log
++
++
++.br
++.B squirrelmail_spool_t
++
++ /var/spool/squirrelmail(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B zarafa_var_lib_t
++
++ /var/lib/zarafa(/.*)?
++.br
++ /var/lib/zarafa-webaccess(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_smokeping_cgi_script_selinux.8 b/man/man8/httpd_smokeping_cgi_script_selinux.8
+new file mode 100644
+index 0000000..d4560e5
+--- /dev/null
++++ b/man/man8/httpd_smokeping_cgi_script_selinux.8
+@@ -0,0 +1,101 @@
++.TH "httpd_smokeping_cgi_script_selinux" "8" "12-11-01" "httpd_smokeping_cgi_script" "SELinux Policy documentation for httpd_smokeping_cgi_script"
++.SH "NAME"
++httpd_smokeping_cgi_script_selinux \- Security Enhanced Linux Policy for the httpd_smokeping_cgi_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_smokeping_cgi_script processes via flexible mandatory access control.
++
++The httpd_smokeping_cgi_script processes execute with the httpd_smokeping_cgi_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_smokeping_cgi_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_smokeping_cgi_script_t SELinux type can be entered via the "shell_exec_t,httpd_smokeping_cgi_script_exec_t,httpd_smokeping_cgi_script_exec_t" file types. The default entrypoint paths for the httpd_smokeping_cgi_script_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/smokeping/cgi(/.*)?, /usr/share/smokeping/cgi(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_smokeping_cgi_script policy is very flexible allowing users to setup their httpd_smokeping_cgi_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_smokeping_cgi_script:
++
++.EX
++.B httpd_smokeping_cgi_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_smokeping_cgi_script policy is very flexible allowing users to setup their httpd_smokeping_cgi_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_smokeping_cgi_script:
++
++
++.EX
++.PP
++.B httpd_smokeping_cgi_script_exec_t
++.EE
++
++- Set files with the httpd_smokeping_cgi_script_exec_t type, if you want to transition an executable to the httpd_smokeping_cgi_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_smokeping_cgi_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_smokeping_cgi_rw_content_t
++
++
++.br
++.B smokeping_var_lib_t
++
++ /var/lib/smokeping(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_smokeping_cgi_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_squid_script_selinux.8 b/man/man8/httpd_squid_script_selinux.8
+new file mode 100644
+index 0000000..fa0892f
+--- /dev/null
++++ b/man/man8/httpd_squid_script_selinux.8
+@@ -0,0 +1,95 @@
++.TH "httpd_squid_script_selinux" "8" "12-11-01" "httpd_squid_script" "SELinux Policy documentation for httpd_squid_script"
++.SH "NAME"
++httpd_squid_script_selinux \- Security Enhanced Linux Policy for the httpd_squid_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_squid_script processes via flexible mandatory access control.
++
++The httpd_squid_script processes execute with the httpd_squid_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_squid_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_squid_script_t SELinux type can be entered via the "httpd_squid_script_exec_t,shell_exec_t,httpd_squid_script_exec_t" file types. The default entrypoint paths for the httpd_squid_script_t domain are the following:"
++
++/usr/share/lightsquid/cgi(/.*)?, /usr/lib/squid/cachemgr\.cgi, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/lightsquid/cgi(/.*)?, /usr/lib/squid/cachemgr\.cgi
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_squid_script policy is very flexible allowing users to setup their httpd_squid_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_squid_script:
++
++.EX
++.B httpd_squid_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_squid_script policy is very flexible allowing users to setup their httpd_squid_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_squid_script:
++
++
++.EX
++.PP
++.B httpd_squid_script_exec_t
++.EE
++
++- Set files with the httpd_squid_script_exec_t type, if you want to transition an executable to the httpd_squid_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_squid_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_squid_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_squid_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_suexec_selinux.8 b/man/man8/httpd_suexec_selinux.8
+new file mode 100644
+index 0000000..2f8bbb0
+--- /dev/null
++++ b/man/man8/httpd_suexec_selinux.8
+@@ -0,0 +1,117 @@
++.TH "httpd_suexec_selinux" "8" "12-11-01" "httpd_suexec" "SELinux Policy documentation for httpd_suexec"
++.SH "NAME"
++httpd_suexec_selinux \- Security Enhanced Linux Policy for the httpd_suexec processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_suexec processes via flexible mandatory access control.
++
++The httpd_suexec processes execute with the httpd_suexec_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_suexec_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_suexec_t SELinux type can be entered via the "httpd_suexec_exec_t" file type. The default entrypoint paths for the httpd_suexec_t domain are the following:"
++
++/usr/lib/apache(2)?/suexec(2)?, /usr/lib/cgi-bin/(nph-)?cgiwrap(d)?, /usr/sbin/suexec
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_suexec policy is very flexible allowing users to setup their httpd_suexec processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_suexec:
++
++.EX
++.B httpd_suexec_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_suexec policy is very flexible allowing users to setup their httpd_suexec processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_suexec:
++
++
++.EX
++.PP
++.B httpd_suexec_exec_t
++.EE
++
++- Set files with the httpd_suexec_exec_t type, if you want to transition an executable to the httpd_suexec_t domain.
++
++
++.EX
++.PP
++.B httpd_suexec_tmp_t
++.EE
++
++- Set files with the httpd_suexec_tmp_t type, if you want to store httpd suexec temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_suexec_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_suexec_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_suexec_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the httpd_suexec_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_suexec(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_sys_script_selinux.8 b/man/man8/httpd_sys_script_selinux.8
+new file mode 100644
+index 0000000..566f6fa
+--- /dev/null
++++ b/man/man8/httpd_sys_script_selinux.8
+@@ -0,0 +1,190 @@
++.TH "httpd_sys_script_selinux" "8" "12-11-01" "httpd_sys_script" "SELinux Policy documentation for httpd_sys_script"
++.SH "NAME"
++httpd_sys_script_selinux \- Security Enhanced Linux Policy for the httpd_sys_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_sys_script processes via flexible mandatory access control.
++
++The httpd_sys_script processes execute with the httpd_sys_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_sys_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_sys_script_t SELinux type can be entered via the "httpd_sys_script_exec_t,httpd_sys_content_t,cifs_t,shell_exec_t,nfs_t,httpd_sys_script_exec_t" file types. The default entrypoint paths for the httpd_sys_script_t domain are the following:"
++
++/usr/.*\.cgi, /opt/.*\.cgi, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*\.php, /usr/share/wordpress/wp-includes/.*\.php, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress-mu/wp-config\.php, /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?, /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?, /var/www/icons(/.*)?, /usr/share/htdig(/.*)?, /usr/share/drupal.*, /var/www/svn/conf(/.*)?, /usr/share/icecast(/.*)?, /usr/share/mythweb(/.*)?, /var/lib/cacti/rra(/.*)?, /usr/share/ntop/html(/.*)?, /usr/share/mythtv/data(/.*)?, /usr/share/doc/ghc/html(/.*)?, /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-policy[^/]*/html(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/.*\.cgi, /opt/.*\.cgi, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*\.php, /usr/share/wordpress/wp-includes/.*\.php, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress-mu/wp-config\.php
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_sys_script policy is very flexible allowing users to setup their httpd_sys_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_sys_script:
++
++.EX
++.B httpd_sys_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow httpd_sys_script servers to read the /var/httpd_sys_script directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/httpd_sys_script(/.*)?"
++.br
++.B restorecon -F -R -v /var/httpd_sys_script
++.pp
++.TP
++Allow httpd_sys_script servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_httpd_sys_scriptd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/httpd_sys_script/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/httpd_sys_script/incoming
++
++
++.PP
++If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the httpd_sys_script_anon_write boolean.
++
++.EX
++.B setsebool -P httpd_sys_script_anon_write 1
++.EE
++
++.PP
++If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the httpd_sys_script_anon_write boolean.
++
++.EX
++.B setsebool -P httpd_sys_script_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_sys_script policy is very flexible allowing users to setup their httpd_sys_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_sys_script:
++
++
++.EX
++.PP
++.B httpd_sys_script_exec_t
++.EE
++
++- Set files with the httpd_sys_script_exec_t type, if you want to transition an executable to the httpd_sys_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_sys_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_sys_rw_content_t
++
++ /etc/drupal.*
++.br
++ /var/lib/svn(/.*)?
++.br
++ /var/www/svn(/.*)?
++.br
++ /etc/mock/koji(/.*)?
++.br
++ /var/www/html/[^/]*/sites/default/files(/.*)?
++.br
++ /var/www/html/[^/]*/sites/default/settings\.php
++.br
++ /var/lib/drupal.*
++.br
++ /etc/zabbix/web(/.*)?
++.br
++ /var/spool/gosa(/.*)?
++.br
++ /etc/WebCalendar(/.*)?
++.br
++ /var/lib/dokuwiki(/.*)?
++.br
++ /var/spool/viewvc(/.*)?
++.br
++ /var/lib/pootle/po(/.*)?
++.br
++ /var/www/moodledata(/.*)?
++.br
++ /var/www/gallery/albums(/.*)?
++.br
++ /var/www/html/wp-content(/.*)?
++.br
++ /usr/share/wordpress-mu/wp-content(/.*)?
++.br
++ /usr/share/wordpress/wp-content/uploads(/.*)?
++.br
++ /usr/share/wordpress/wp-content/upgrade(/.*)?
++.br
++ /etc/owncloud/config\.php
++.br
++ /var/www/html/configuration\.php
++.br
++
++.br
++.B httpd_tmp_t
++
++ /var/run/user/apache(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_sys_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the httpd_sys_script_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_sys_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_user_script_selinux.8 b/man/man8/httpd_user_script_selinux.8
+new file mode 100644
+index 0000000..4764520
+--- /dev/null
++++ b/man/man8/httpd_user_script_selinux.8
+@@ -0,0 +1,95 @@
++.TH "httpd_user_script_selinux" "8" "12-11-01" "httpd_user_script" "SELinux Policy documentation for httpd_user_script"
++.SH "NAME"
++httpd_user_script_selinux \- Security Enhanced Linux Policy for the httpd_user_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_user_script processes via flexible mandatory access control.
++
++The httpd_user_script processes execute with the httpd_user_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_user_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_user_script_t SELinux type can be entered via the "shell_exec_t,httpd_user_script_exec_t,httpd_user_script_exec_t" file types. The default entrypoint paths for the httpd_user_script_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?, /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?, /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_user_script policy is very flexible allowing users to setup their httpd_user_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_user_script:
++
++.EX
++.B httpd_user_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_user_script policy is very flexible allowing users to setup their httpd_user_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_user_script:
++
++
++.EX
++.PP
++.B httpd_user_script_exec_t
++.EE
++
++- Set files with the httpd_user_script_exec_t type, if you want to transition an executable to the httpd_user_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_user_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_user_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_user_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_w3c_validator_script_selinux.8 b/man/man8/httpd_w3c_validator_script_selinux.8
+new file mode 100644
+index 0000000..1191c99
+--- /dev/null
++++ b/man/man8/httpd_w3c_validator_script_selinux.8
+@@ -0,0 +1,99 @@
++.TH "httpd_w3c_validator_script_selinux" "8" "12-11-01" "httpd_w3c_validator_script" "SELinux Policy documentation for httpd_w3c_validator_script"
++.SH "NAME"
++httpd_w3c_validator_script_selinux \- Security Enhanced Linux Policy for the httpd_w3c_validator_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_w3c_validator_script processes via flexible mandatory access control.
++
++The httpd_w3c_validator_script processes execute with the httpd_w3c_validator_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_w3c_validator_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_w3c_validator_script_t SELinux type can be entered via the "shell_exec_t,httpd_w3c_validator_script_exec_t,httpd_w3c_validator_script_exec_t" file types. The default entrypoint paths for the httpd_w3c_validator_script_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check, /usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_w3c_validator_script policy is very flexible allowing users to setup their httpd_w3c_validator_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_w3c_validator_script:
++
++.EX
++.B httpd_w3c_validator_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_w3c_validator_script policy is very flexible allowing users to setup their httpd_w3c_validator_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_w3c_validator_script:
++
++
++.EX
++.PP
++.B httpd_w3c_validator_script_exec_t
++.EE
++
++- Set files with the httpd_w3c_validator_script_exec_t type, if you want to transition an executable to the httpd_w3c_validator_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_w3c_validator_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_w3c_validator_rw_content_t
++
++
++.br
++.B httpd_w3c_validator_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_w3c_validator_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_zoneminder_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/httpd_zoneminder_script_selinux.8 b/man/man8/httpd_zoneminder_script_selinux.8
+new file mode 100644
+index 0000000..9666a60
+--- /dev/null
++++ b/man/man8/httpd_zoneminder_script_selinux.8
+@@ -0,0 +1,95 @@
++.TH "httpd_zoneminder_script_selinux" "8" "12-11-01" "httpd_zoneminder_script" "SELinux Policy documentation for httpd_zoneminder_script"
++.SH "NAME"
++httpd_zoneminder_script_selinux \- Security Enhanced Linux Policy for the httpd_zoneminder_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the httpd_zoneminder_script processes via flexible mandatory access control.
++
++The httpd_zoneminder_script processes execute with the httpd_zoneminder_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep httpd_zoneminder_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_zoneminder_script_t SELinux type can be entered via the "httpd_zoneminder_script_exec_t,shell_exec_t,httpd_zoneminder_script_exec_t" file types. The default entrypoint paths for the httpd_zoneminder_script_t domain are the following:"
++
++/usr/libexec/zoneminder/cgi-bin(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/libexec/zoneminder/cgi-bin(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux httpd_zoneminder_script policy is very flexible allowing users to setup their httpd_zoneminder_script processes in as secure a method as possible.
++.PP
++The following process types are defined for httpd_zoneminder_script:
++
++.EX
++.B httpd_zoneminder_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux httpd_zoneminder_script policy is very flexible allowing users to setup their httpd_zoneminder_script processes in as secure a method as possible.
++.PP
++The following file types are defined for httpd_zoneminder_script:
++
++
++.EX
++.PP
++.B httpd_zoneminder_script_exec_t
++.EE
++
++- Set files with the httpd_zoneminder_script_exec_t type, if you want to transition an executable to the httpd_zoneminder_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type httpd_zoneminder_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_zoneminder_rw_content_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), httpd_zoneminder_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/hwclock_selinux.8 b/man/man8/hwclock_selinux.8
+new file mode 100644
+index 0000000..5f81eee
+--- /dev/null
++++ b/man/man8/hwclock_selinux.8
+@@ -0,0 +1,110 @@
++.TH "hwclock_selinux" "8" "12-11-01" "hwclock" "SELinux Policy documentation for hwclock"
++.SH "NAME"
++hwclock_selinux \- Security Enhanced Linux Policy for the hwclock processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the hwclock processes via flexible mandatory access control.
++
++The hwclock processes execute with the hwclock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep hwclock_t
++
++
++.SH "ENTRYPOINTS"
++
++The hwclock_t SELinux type can be entered via the "hwclock_exec_t" file type. The default entrypoint paths for the hwclock_t domain are the following:"
++
++/sbin/hwclock, /usr/sbin/hwclock
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux hwclock policy is very flexible allowing users to setup their hwclock processes in as secure a method as possible.
++.PP
++The following process types are defined for hwclock:
++
++.EX
++.B hwclock_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux hwclock policy is very flexible allowing users to setup their hwclock processes in as secure a method as possible.
++.PP
++The following file types are defined for hwclock:
++
++
++.EX
++.PP
++.B hwclock_exec_t
++.EE
++
++- Set files with the hwclock_exec_t type, if you want to transition an executable to the hwclock_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type hwclock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B adjtime_t
++
++ /etc/adjtime
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the hwclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the hwclock_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), hwclock(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/iceauth_selinux.8 b/man/man8/iceauth_selinux.8
+new file mode 100644
+index 0000000..2459ffa
+--- /dev/null
++++ b/man/man8/iceauth_selinux.8
+@@ -0,0 +1,118 @@
++.TH "iceauth_selinux" "8" "12-11-01" "iceauth" "SELinux Policy documentation for iceauth"
++.SH "NAME"
++iceauth_selinux \- Security Enhanced Linux Policy for the iceauth processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the iceauth processes via flexible mandatory access control.
++
++The iceauth processes execute with the iceauth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep iceauth_t
++
++
++.SH "ENTRYPOINTS"
++
++The iceauth_t SELinux type can be entered via the "iceauth_exec_t" file type. The default entrypoint paths for the iceauth_t domain are the following:"
++
++/usr/bin/iceauth, /usr/X11R6/bin/iceauth
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux iceauth policy is very flexible allowing users to setup their iceauth processes in as secure a method as possible.
++.PP
++The following process types are defined for iceauth:
++
++.EX
++.B iceauth_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux iceauth policy is very flexible allowing users to setup their iceauth processes in as secure a method as possible.
++.PP
++The following file types are defined for iceauth:
++
++
++.EX
++.PP
++.B iceauth_exec_t
++.EE
++
++- Set files with the iceauth_exec_t type, if you want to transition an executable to the iceauth_t domain.
++
++
++.EX
++.PP
++.B iceauth_home_t
++.EE
++
++- Set files with the iceauth_home_t type, if you want to store iceauth files in the users home directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type iceauth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B iceauth_home_t
++
++ /root/\.DCOP.*
++.br
++ /root/\.ICEauthority.*
++.br
++ /home/[^/]*/\.DCOP.*
++.br
++ /home/[^/]*/\.ICEauthority.*
++.br
++ /home/dwalsh/\.DCOP.*
++.br
++ /home/dwalsh/\.ICEauthority.*
++.br
++ /var/lib/xguest/home/xguest/\.DCOP.*
++.br
++ /var/lib/xguest/home/xguest/\.ICEauthority.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), iceauth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/icecast_selinux.8 b/man/man8/icecast_selinux.8
+new file mode 100644
+index 0000000..f0455d7
+--- /dev/null
++++ b/man/man8/icecast_selinux.8
+@@ -0,0 +1,162 @@
++.TH "icecast_selinux" "8" "12-11-01" "icecast" "SELinux Policy documentation for icecast"
++.SH "NAME"
++icecast_selinux \- Security Enhanced Linux Policy for the icecast processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the icecast processes via flexible mandatory access control.
++
++The icecast processes execute with the icecast_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep icecast_t
++
++
++.SH "ENTRYPOINTS"
++
++The icecast_t SELinux type can be entered via the "icecast_exec_t" file type. The default entrypoint paths for the icecast_t domain are the following:"
++
++/usr/bin/icecast
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux icecast policy is very flexible allowing users to setup their icecast processes in as secure a method as possible.
++.PP
++The following process types are defined for icecast:
++
++.EX
++.B icecast_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. icecast policy is extremely flexible and has several booleans that allow you to manipulate the policy and run icecast with the tightest access possible.
++
++
++.PP
++If you want to allow icecast to connect to all ports, not just sound ports, you must turn on the icecast_connect_any boolean.
++
++.EX
++.B setsebool -P icecast_connect_any 1
++.EE
++
++.PP
++If you want to allow icecast to connect to all ports, not just sound ports, you must turn on the icecast_connect_any boolean.
++
++.EX
++.B setsebool -P icecast_connect_any 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux icecast policy is very flexible allowing users to setup their icecast processes in as secure a method as possible.
++.PP
++The following file types are defined for icecast:
++
++
++.EX
++.PP
++.B icecast_exec_t
++.EE
++
++- Set files with the icecast_exec_t type, if you want to transition an executable to the icecast_t domain.
++
++
++.EX
++.PP
++.B icecast_initrc_exec_t
++.EE
++
++- Set files with the icecast_initrc_exec_t type, if you want to transition an executable to the icecast_initrc_t domain.
++
++
++.EX
++.PP
++.B icecast_log_t
++.EE
++
++- Set files with the icecast_log_t type, if you want to treat the data as icecast log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B icecast_var_run_t
++.EE
++
++- Set files with the icecast_var_run_t type, if you want to store the icecast files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type icecast_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B icecast_log_t
++
++ /var/log/icecast(/.*)?
++.br
++
++.br
++.B icecast_var_run_t
++
++ /var/run/icecast(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the icecast_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the icecast_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), icecast(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/ifconfig_selinux.8 b/man/man8/ifconfig_selinux.8
+new file mode 100644
+index 0000000..955a7ad
+--- /dev/null
++++ b/man/man8/ifconfig_selinux.8
+@@ -0,0 +1,114 @@
++.TH "ifconfig_selinux" "8" "12-11-01" "ifconfig" "SELinux Policy documentation for ifconfig"
++.SH "NAME"
++ifconfig_selinux \- Security Enhanced Linux Policy for the ifconfig processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ifconfig processes via flexible mandatory access control.
++
++The ifconfig processes execute with the ifconfig_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ifconfig_t
++
++
++.SH "ENTRYPOINTS"
++
++The ifconfig_t SELinux type can be entered via the "ifconfig_exec_t" file type. The default entrypoint paths for the ifconfig_t domain are the following:"
++
++/bin/ip, /sbin/ip, /sbin/tc, /usr/bin/ip, /usr/sbin/ip, /usr/sbin/tc, /sbin/ethtool, /sbin/ifconfig, /sbin/iwconfig, /sbin/mii-tool, /usr/sbin/ethtool, /usr/sbin/ifconfig, /usr/sbin/iwconfig, /usr/sbin/mii-tool, /sbin/ipx_configure, /sbin/ipx_interface, /sbin/ipx_internal_net, /usr/sbin/ipx_configure, /usr/sbin/ipx_interface, /usr/sbin/ipx_internal_net
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ifconfig policy is very flexible allowing users to setup their ifconfig processes in as secure a method as possible.
++.PP
++The following process types are defined for ifconfig:
++
++.EX
++.B ifconfig_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ifconfig policy is very flexible allowing users to setup their ifconfig processes in as secure a method as possible.
++.PP
++The following file types are defined for ifconfig:
++
++
++.EX
++.PP
++.B ifconfig_exec_t
++.EE
++
++- Set files with the ifconfig_exec_t type, if you want to transition an executable to the ifconfig_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type ifconfig_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ipsec_var_run_t
++
++ /var/racoon(/.*)?
++.br
++ /var/run/pluto(/.*)?
++.br
++ /var/run/racoon\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ifconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ifconfig_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ifconfig(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/inetd_child_selinux.8 b/man/man8/inetd_child_selinux.8
+new file mode 100644
+index 0000000..8239b51
+--- /dev/null
++++ b/man/man8/inetd_child_selinux.8
+@@ -0,0 +1,157 @@
++.TH "inetd_child_selinux" "8" "12-11-01" "inetd_child" "SELinux Policy documentation for inetd_child"
++.SH "NAME"
++inetd_child_selinux \- Security Enhanced Linux Policy for the inetd_child processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the inetd_child processes via flexible mandatory access control.
++
++The inetd_child processes execute with the inetd_child_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep inetd_child_t
++
++
++.SH "ENTRYPOINTS"
++
++The inetd_child_t SELinux type can be entered via the "inetd_child_exec_t" file type. The default entrypoint paths for the inetd_child_t domain are the following:"
++
++/usr/sbin/in\..*d, /usr/local/lib/pysieved/pysieved.*\.py, /usr/sbin/identd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux inetd_child policy is very flexible allowing users to setup their inetd_child processes in as secure a method as possible.
++.PP
++The following process types are defined for inetd_child:
++
++.EX
++.B inetd_child_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux inetd_child policy is very flexible allowing users to setup their inetd_child processes in as secure a method as possible.
++.PP
++The following file types are defined for inetd_child:
++
++
++.EX
++.PP
++.B inetd_child_exec_t
++.EE
++
++- Set files with the inetd_child_exec_t type, if you want to transition an executable to the inetd_child_t domain.
++
++
++.EX
++.PP
++.B inetd_child_tmp_t
++.EE
++
++- Set files with the inetd_child_tmp_t type, if you want to store inetd child temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B inetd_child_var_run_t
++.EE
++
++- Set files with the inetd_child_var_run_t type, if you want to store the inetd child files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux inetd_child policy is very flexible allowing users to setup their inetd_child processes in as secure a method as possible.
++.PP
++The following port types are defined for inetd_child:
++
++.EX
++.TP 5
++.B inetd_child_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 1,9,13,19,512,543,544,891,892,2105,5666
++.EE
++udp 1,9,13,19,891,892
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type inetd_child_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B inetd_child_tmp_t
++
++
++.br
++.B inetd_child_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the inetd_child_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the inetd_child_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), inetd_child(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, inetd_selinux(8), inetd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/inetd_selinux.8 b/man/man8/inetd_selinux.8
+new file mode 100644
+index 0000000..3f605ab
+--- /dev/null
++++ b/man/man8/inetd_selinux.8
+@@ -0,0 +1,203 @@
++.TH "inetd_selinux" "8" "12-11-01" "inetd" "SELinux Policy documentation for inetd"
++.SH "NAME"
++inetd_selinux \- Security Enhanced Linux Policy for the inetd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the inetd processes via flexible mandatory access control.
++
++The inetd processes execute with the inetd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep inetd_t
++
++
++.SH "ENTRYPOINTS"
++
++The inetd_t SELinux type can be entered via the "inetd_exec_t" file type. The default entrypoint paths for the inetd_t domain are the following:"
++
++/usr/sbin/inetd, /usr/sbin/xinetd, /usr/sbin/rlinetd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux inetd policy is very flexible allowing users to setup their inetd processes in as secure a method as possible.
++.PP
++The following process types are defined for inetd:
++
++.EX
++.B inetd_t, inetd_child_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux inetd policy is very flexible allowing users to setup their inetd processes in as secure a method as possible.
++.PP
++The following file types are defined for inetd:
++
++
++.EX
++.PP
++.B inetd_child_exec_t
++.EE
++
++- Set files with the inetd_child_exec_t type, if you want to transition an executable to the inetd_child_t domain.
++
++
++.EX
++.PP
++.B inetd_child_tmp_t
++.EE
++
++- Set files with the inetd_child_tmp_t type, if you want to store inetd child temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B inetd_child_var_run_t
++.EE
++
++- Set files with the inetd_child_var_run_t type, if you want to store the inetd child files under the /run directory.
++
++
++.EX
++.PP
++.B inetd_exec_t
++.EE
++
++- Set files with the inetd_exec_t type, if you want to transition an executable to the inetd_t domain.
++
++
++.EX
++.PP
++.B inetd_log_t
++.EE
++
++- Set files with the inetd_log_t type, if you want to treat the data as inetd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B inetd_tmp_t
++.EE
++
++- Set files with the inetd_tmp_t type, if you want to store inetd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B inetd_var_run_t
++.EE
++
++- Set files with the inetd_var_run_t type, if you want to store the inetd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux inetd policy is very flexible allowing users to setup their inetd processes in as secure a method as possible.
++.PP
++The following port types are defined for inetd:
++
++.EX
++.TP 5
++.B inetd_child_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 1,9,13,19,512,543,544,891,892,2105,5666
++.EE
++udp 1,9,13,19,891,892
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type inetd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B inetd_log_t
++
++ /var/log/(x)?inetd\.log.*
++.br
++
++.br
++.B inetd_tmp_t
++
++
++.br
++.B inetd_var_run_t
++
++ /var/run/(x)?inetd\.pid
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the inetd_t, inetd_child_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the inetd_t, inetd_child_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), inetd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, inetd_child_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/init_selinux.8 b/man/man8/init_selinux.8
+new file mode 100644
+index 0000000..d772d9a
+--- /dev/null
++++ b/man/man8/init_selinux.8
+@@ -0,0 +1,465 @@
++.TH "init_selinux" "8" "12-11-01" "init" "SELinux Policy documentation for init"
++.SH "NAME"
++init_selinux \- Security Enhanced Linux Policy for the init processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the init processes via flexible mandatory access control.
++
++The init processes execute with the init_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep init_t
++
++
++.SH "ENTRYPOINTS"
++
++The init_t SELinux type can be entered via the "init_exec_t" file type. The default entrypoint paths for the init_t domain are the following:"
++
++/sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*, /usr/lib/systemd/system-generators/[^/]*, /bin/systemd, /sbin/upstart, /usr/bin/systemd, /usr/sbin/upstart
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux init policy is very flexible allowing users to setup their init processes in as secure a method as possible.
++.PP
++The following process types are defined for init:
++
++.EX
++.B initrc_t, init_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux init policy is very flexible allowing users to setup their init processes in as secure a method as possible.
++.PP
++The following file types are defined for init:
++
++
++.EX
++.PP
++.B init_exec_t
++.EE
++
++- Set files with the init_exec_t type, if you want to transition an executable to the init_t domain.
++
++
++.EX
++.PP
++.B init_var_lib_t
++.EE
++
++- Set files with the init_var_lib_t type, if you want to store the init files under the /var/lib directory.
++
++
++.EX
++.PP
++.B init_var_run_t
++.EE
++
++- Set files with the init_var_run_t type, if you want to store the init files under the /run directory.
++
++
++.EX
++.PP
++.B initctl_t
++.EE
++
++- Set files with the initctl_t type, if you want to treat the files as initctl data.
++
++
++.EX
++.PP
++.B initrc_devpts_t
++.EE
++
++- Set files with the initrc_devpts_t type, if you want to treat the files as initrc devpts data.
++
++
++.EX
++.PP
++.B initrc_exec_t
++.EE
++
++- Set files with the initrc_exec_t type, if you want to transition an executable to the initrc_t domain.
++
++
++.EX
++.PP
++.B initrc_state_t
++.EE
++
++- Set files with the initrc_state_t type, if you want to treat the files as initrc state data.
++
++
++.EX
++.PP
++.B initrc_tmp_t
++.EE
++
++- Set files with the initrc_tmp_t type, if you want to store initrc temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B initrc_var_log_t
++.EE
++
++- Set files with the initrc_var_log_t type, if you want to treat the data as initrc var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B initrc_var_run_t
++.EE
++
++- Set files with the initrc_var_run_t type, if you want to store the initrc files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type init_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B binfmt_misc_fs_t
++
++
++.br
++.B boolean_type
++
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B consolekit_log_t
++
++ /var/log/ConsoleKit(/.*)?
++.br
++
++.br
++.B device_t
++
++ /dev/.*
++.br
++ /lib/udev/devices(/.*)?
++.br
++ /usr/lib/udev/devices(/.*)?
++.br
++ /dev
++.br
++ /etc/udev/devices
++.br
++ /var/named/chroot/dev
++.br
++ /var/spool/postfix/dev
++.br
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B init_var_lib_t
++
++
++.br
++.B init_var_run_t
++
++ /var/run/systemd(/.*)?
++.br
++
++.br
++.B initrc_state_t
++
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B ld_so_cache_t
++
++ /etc/ld\.so\.cache
++.br
++ /etc/ld\.so\.cache~
++.br
++ /etc/ld\.so\.preload
++.br
++ /etc/ld\.so\.preload~
++.br
++
++.br
++.B locale_t
++
++ /etc/locale.conf
++.br
++ /usr/lib/locale(/.*)?
++.br
++ /usr/share/locale(/.*)?
++.br
++ /usr/share/zoneinfo(/.*)?
++.br
++ /usr/share/X11/locale(/.*)?
++.br
++ /etc/timezone
++.br
++ /etc/localtime
++.br
++ /etc/sysconfig/clock
++.br
++ /etc/avahi/etc/localtime
++.br
++ /var/empty/sshd/etc/localtime
++.br
++ /var/spool/postfix/etc/localtime
++.br
++
++.br
++.B machineid_t
++
++ /etc/machine-id
++.br
++ /var/run/systemd/machine-id
++.br
++
++.br
++.B print_spool_t
++
++ /var/spool/lpd(/.*)?
++.br
++ /var/spool/cups(/.*)?
++.br
++ /var/spool/cups-pdf(/.*)?
++.br
++
++.br
++.B random_seed_t
++
++ /var/lib/random-seed
++.br
++ /usr/var/lib/random-seed
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B systemd_unit_file_type
++
++
++.br
++.B tmpfs_t
++
++ /dev/shm
++.br
++ /lib/udev/devices/shm
++.br
++ /usr/lib/udev/devices/shm
++.br
++
++.br
++.B var_lib_t
++
++ /opt/(.*/)?var/lib(/.*)?
++.br
++ /var/lib(/.*)?
++.br
++
++.br
++.B var_log_t
++
++ /var/log/.*
++.br
++ /nsr/logs(/.*)?
++.br
++ /var/webmin(/.*)?
++.br
++ /var/log/cron[^/]*
++.br
++ /var/log/secure[^/]*
++.br
++ /opt/zimbra/log(/.*)?
++.br
++ /var/log/maillog[^/]*
++.br
++ /var/log/spooler[^/]*
++.br
++ /var/log/messages[^/]*
++.br
++ /usr/centreon/log(/.*)?
++.br
++ /var/spool/rsyslog(/.*)?
++.br
++ /var/axfrdns/log/main(/.*)?
++.br
++ /var/spool/bacula/log(/.*)?
++.br
++ /var/tinydns/log/main(/.*)?
++.br
++ /var/dnscache/log/main(/.*)?
++.br
++ /var/stockmaniac/templates_cache(/.*)?
++.br
++ /opt/Symantec/scspagent/IDS/system(/.*)?
++.br
++ /var/log
++.br
++ /var/log/dmesg
++.br
++ /var/log/syslog
++.br
++ /var/named/chroot/var/log
++.br
++
++.br
++.B var_run_t
++
++ /run/.*
++.br
++ /var/run/.*
++.br
++ /run
++.br
++ /var/run
++.br
++ /var/run
++.br
++ /var/spool/postfix/pid
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the init_t, initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the init_t, initrc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, initrc_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/initrc_selinux.8 b/man/man8/initrc_selinux.8
+new file mode 100644
+index 0000000..6dc8740
+--- /dev/null
++++ b/man/man8/initrc_selinux.8
+@@ -0,0 +1,815 @@
++.TH "initrc_selinux" "8" "12-11-01" "initrc" "SELinux Policy documentation for initrc"
++.SH "NAME"
++initrc_selinux \- Security Enhanced Linux Policy for the initrc processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the initrc processes via flexible mandatory access control.
++
++The initrc processes execute with the initrc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep initrc_t
++
++
++.SH "ENTRYPOINTS"
++
++The initrc_t SELinux type can be entered via the "glance_api_initrc_exec_t,slapd_initrc_exec_t,clamd_initrc_exec_t,ntop_initrc_exec_t,ntpd_initrc_exec_t,syslogd_initrc_exec_t,ulogd_initrc_exec_t,nscd_initrc_exec_t,bluetooth_initrc_exec_t,chronyd_initrc_exec_t,polipo_initrc_exec_t,boinc_initrc_exec_t,openvpn_initrc_exec_t,nfsd_initrc_exec_t,denyhosts_initrc_exec_t,cgconfig_initrc_exec_t,ddclient_initrc_exec_t,dictd_initrc_exec_t,mongod_initrc_exec_t,ricci_initrc_exec_t,automount_initrc_exec_t,innd_initrc_exec_t,pingd_initrc_exec_t,roundup_initrc_exec_t,zoneminder_initrc_exec_t,certmonger_initrc_exec_t,snort_initrc_exec_t,iwhd_initrc_exec_t,snmpd_initrc_exec_t,radiusd_initrc_exec_t,dhcpd_initrc_exec_t,lircd_initrc_exec_t,cyrus_initrc_exec_t,varnishd_initrc_exec_t,virtd_initrc_exec_t,aiccu_initrc_exec_t,mysqlmanagerd_initrc_exec_t,zabbix_agent_initrc_exec_t,varnishlog_initrc_exec_t,piranha_pulse_initrc_exec_t,glance_registry_initrc_exec_t,collectd_initrc_exec_t,puppetmaster_initrc_exec_t,dovecot_initrc_exec_t,zebra_initrc_exec_t,lldpad_initrc_exec_t,httpd_initrc_exec_t,kdump_initrc_exec_t,munin_initrc_exec_t,soundd_initrc_exec_t,bin_t,uuidd_initrc_exec_t,postfix_initrc_exec_t,ctdbd_initrc_exec_t,glusterd_initrc_exec_t,saslauthd_initrc_exec_t,postgresql_initrc_exec_t,kerberos_initrc_exec_t,apcupsd_initrc_exec_t,cupsd_initrc_exec_t,ksmtuned_initrc_exec_t,tuned_initrc_exec_t,exim_initrc_exec_t,fsdaemon_initrc_exec_t,tgtd_initrc_exec_t,ftpd_initrc_exec_t,ajaxterm_initrc_exec_t,hddtemp_initrc_exec_t,tcsd_initrc_exec_t,rhsmcertd_initrc_exec_t,svnserve_initrc_exec_t,shorewall_initrc_exec_t,aisexec_initrc_exec_t,auditd_initrc_exec_t,likewise_initrc_exec_t,cfengine_initrc_exec_t,initrc_exec_t,wdmd_initrc_exec_t,postgrey_initrc_exec_t,avahi_initrc_exec_t,gpsd_initrc_exec_t,privoxy_initrc_exec_t,pki_ra_script_exec_t,shell_exec_t,nagios_initrc_exec_t,rgmanager_initrc_exec_t,tor_initrc_exec_t,radvd_initrc_exec_t,cgred_initrc_exec_t,abrt_initrc_exec_t,ipsec_initrc_exec_t,puppet_initrc_exec_t,named_initrc_exec_t,squid_initrc_exec_t,cvs_initrc_exec_t,psad_initrc_exec_t,pppd_initrc_exec_t,afs_initrc_exec_t,canna_initrc_exec_t,firewalld_initrc_exec_t,spamd_initrc_exec_t,nis_initrc_exec_t,samba_initrc_exec_t,pacemaker_initrc_exec_t,mpd_initrc_exec_t,amavis_initrc_exec_t,arpwatch_initrc_exec_t,qpidd_initrc_exec_t,smokeping_initrc_exec_t,bcfg2_initrc_exec_t,callweaver_initrc_exec_t,pki_tps_script_exec_t,pads_initrc_exec_t,mscan_initrc_exec_t,isnsd_initrc_exec_t,rwho_initrc_exec_t,l2tpd_initrc_exec_t,portreserve_initrc_exec_t,NetworkManager_initrc_exec_t,icecast_initrc_exec_t,jabberd_initrc_exec_t,rpcd_initrc_exec_t,vhostmd_initrc_exec_t,nslcd_initrc_exec_t,certmaster_initrc_exec_t,slpd_initrc_exec_t,mysqld_initrc_exec_t,memcached_initrc_exec_t,crond_initrc_exec_t,asterisk_initrc_exec_t,fail2ban_initrc_exec_t,corosync_initrc_exec_t,sssd_initrc_exec_t,zabbix_initrc_exec_t,ypbind_initrc_exec_t,sshd_initrc_exec_t,clvmd_initrc_exec_t,dspam_initrc_exec_t,dhcpc_helper_exec_t,setrans_initrc_exec_t,cmirrord_initrc_exec_t,rngd_initrc_exec_t,prelude_initrc_exec_t,iptables_initrc_exec_t,sendmail_initrc_exec_t,rpcbind_initrc_exec_t,cobblerd_initrc_exec_t,dnsmasq_initrc_exec_t,bitlbee_initrc_exec_t,sanlock_initrc_exec_t" file types. The default entrypoint paths for the initrc_t domain are the following:"
++
++/etc/rc\.d/init\.d/openstack-glance-api, /etc/rc\.d/init\.d/slapd, /etc/rc\.d/init\.d/clamd-wrapper, /etc/rc\.d/init\.d/ntpd, /etc/rc\.d/init\.d/rsyslog, /etc/rc\.d/init\.d/ulogd, /etc/rc\.d/init\.d/nscd, /etc/rc\.d/init\.d/dund, /etc/rc\.d/init\.d/pand, /etc/rc\.d/init\.d/bluetooth, /etc/rc\.d/init\.d/chronyd, /etc/rc\.d/init\.d/polipo, /etc/rc\.d/init\.d/boinc-client, /etc/rc\.d/init\.d/openvpn, /etc/rc\.d/init\.d/nfs, /etc/rc\.d/init\.d/denyhosts, /etc/rc\.d/init\.d/cgconfig, /etc/rc\.d/init\.d/ddclient, /etc/rc\.d/init\.d/dictd, /etc/rc\.d/init\.d/mongod, /etc/rc\.d/init\.d/ricci, /etc/rc\.d/init\.d/autofs, /etc/rc\.d/init\.d/innd, /etc/rc\.d/init\.d/whatsup-pingd, /etc/rc\.d/init\.d/roundup, /etc/rc\.d/init\.d/motion, /etc/rc\.d/init\.d/zoneminder, /etc/rc\.d/init\.d/certmonger, /etc/rc\.d/init\.d/snortd, /etc/rc\.d/init\.d/iwhd, /etc/rc\.d/init\.d/snmpd, /etc/rc\.d/init\.d/snmptrapd, /etc/rc\.d/init\.d/radiusd, /etc/rc\.d/init\.d/dhcpd(6)?, /etc/rc\.d/init\.d/lirc, /etc/rc\.d/init\.d/cyrus, /etc/rc\.d/init\.d/varnish, /etc/rc\.d/init\.d/libvirtd, /etc/rc\.d/init\.d/aiccu, /etc/rc\.d/init\.d/mysqlmanager, /etc/rc\.d/init\.d/zabbix-agentd, /etc/rc\.d/init\.d/varnishlog, /etc/rc\.d/init\.d/varnishncsa, /etc/rc\.d/init\.d/pulse, /etc/rc\.d/init\.d/openstack-glance-registry, /etc/rc\.d/init\.d/collectd, /etc/rc\.d/init\.d/puppetmaster, /etc/rc\.d/init\.d/dovecot, /etc/rc\.d/init\.d/bgpd, /etc/rc\.d/init\.d/ripd, /etc/rc\.d/init\.d/ospfd, /etc/rc\.d/init\.d/zebra, /etc/rc\.d/init\.d/ospf6d, /etc/rc\.d/init\.d/ripngd, /etc/rc\.d/init\.d/lldpad, /etc/init\.d/cherokee, /etc/rc\.d/init\.d/httpd, /etc/rc\.d/init\.d/lighttpd, /etc/rc\.d/init\.d/kdump, /etc/rc\.d/init\.d/munin-node, /etc/rc\.d/init\.d/nasd, /bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, /usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, /usr/lib/xen/bin(/.*)?, /usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, /usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, /etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/share/shorewall-perl(/.*)?, /usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, /usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, /etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, /etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, /usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, /usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, /usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/share/system-config-securitylevel/system-config-securitylevel\.py, /etc/rc\.d/init\.d/uuidd, /etc/rc\.d/init\.d/postfix, /etc/rc\.d/init\.d/ctdb, /usr/sbin/glusterd, /etc/rc\.d/init\.d/glusterd, /etc/rc\.d/init\.d/sasl, /etc/rc\.d/init\.d/(se)?postgresql, /etc/rc\.d/init\.d/kprop, /etc/rc\.d/init\.d/kadmind, /etc/rc\.d/init\.d/krb524d, /etc/rc\.d/init\.d/krb5kdc, /etc/rc\.d/init\.d/apcupsd, /etc/rc\.d/init\.d/cups, /etc/rc\.d/init\.d/ksmtuned, /etc/rc\.d/init\.d/tuned, /etc/rc\.d/init\.d/exim, /etc/rc\.d/init\.d/smartd, /etc/rc\.d/init\.d/tgtd, /etc/rc\.d/init\.d/vsftpd, /etc/rc\.d/init\.d/proftpd, /etc/rc\.d/init\.d/ajaxterm, /etc/rc\.d/init\.d/hddtemp, /etc/rc\.d/init\.d/tcsd, /etc/rc\.d/init\.d/rhsmcertd, /etc/rc.d/init.d/svnserve, /etc/rc\.d/init\.d/shorewall, /etc/rc\.d/init\.d/shorewall-lite, /etc/rc\.d/init\.d/openais, /etc/rc\.d/init\.d/auditd, /etc/rc\.d/init\.d/lwiod, /etc/rc\.d/init\.d/lwsmd, /etc/rc\.d/init\.d/lsassd, /etc/rc\.d/init\.d/lwregd, /etc/rc\.d/init\.d/dcerpcd, /etc/rc\.d/init\.d/srvsvcd, /etc/rc\.d/init\.d/eventlogd, /etc/rc\.d/init\.d/netlogond, /etc/rc\.d/init\.d/cf-execd, /etc/rc\.d/init\.d/cf-serverd, /etc/rc\.d/init\.d/cf-monitord, /etc/init\.d/.*, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*, /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*, /opt/nfast/scripts/init.d/(.*), /etc/rc\.d/rc, /etc/X11/prefdm, /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/apachectl, /usr/sbin/ldap-agent, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/share/system-config-services/system-config-services-mechanism\.py, /etc/rc\.d/init\.d/wdmd, /etc/rc\.d/init\.d/postgrey, /etc/rc\.d/init\.d/avahi.*, /etc/rc\.d/init\.d/gpsd, /etc/rc\.d/init\.d/privoxy, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /etc/rc\.d/init\.d/nrpe, /etc/rc\.d/init\.d/nagios, /etc/rc\.d/init\.d/cpglockd, /etc/rc\.d/init\.d/rgmanager, /etc/rc\.d/init\.d/heartbeat, /etc/rc\.d/init\.d/tor, /etc/rc\.d/init\.d/radvd, /etc/rc\.d/init\.d/cgred, /etc/rc\.d/init\.d/abrt, /etc/rc\.d/init\.d/ipsec, /etc/rc\.d/init\.d/racoon, /etc/rc\.d/init\.d/puppet, /etc/rc\.d/init\.d/named, /etc/rc\.d/init\.d/unbound, /etc/rc\.d/init\.d/squid, /etc/rc\.d/init\.d/psad, /etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc\.d/init\.d/ppp, /etc/rc\.d/init\.d/afs, /etc/rc\.d/init\.d/openafs-client, /etc/rc\.d/init\.d/canna, /etc/rc\.d/init\.d/firewalld, /etc/rc\.d/init\.d/mimedefang.*, /etc/rc\.d/init\.d/spamd, /etc/rc\.d/init\.d/spampd, /etc/rc\.d/init\.d/pyzord, /etc/rc\.d/init\.d/ypserv, /etc/rc\.d/init\.d/ypxfrd, /etc/rc\.d/init\.d/yppasswd, /etc/rc\.d/init\.d/nmb, /etc/rc\.d/init\.d/smb, /etc/rc\.d/init\.d/winbind, /etc/rc\.d/init\.d/pacemaker, /etc/rc\.d/init\.d/mpd, /etc/rc\.d/init\.d/amavis, /etc/rc\.d/init\.d/amavisd-snmp, /etc/rc\.d/init\.d/arpwatch, /etc/rc\.d/init\.d/qpidd, /etc/rc\.d/init\.d/smokeping, /etc/rc\.d/init\.d/bcfg2, /etc/rc\.d/init\.d/callweaver, /etc/rc\.d/init\.d/pads, /etc/rc\.d/init\.d/MailScanner, /etc/rc\.d/init\.d/isnsd, /etc/rc\.d/init\.d/rwhod, /etc/rc\.d/init\.d/xl2tpd, /etc/rc\.d/init\.d/prol2tpd, /etc/rc\.d/init\.d/openl2tpd, /etc/rc\.d/init\.d/portreserve, /usr/libexec/nm-dispatcher.action, /etc/NetworkManager/dispatcher\.d(/.*)?, /etc/rc\.d/init\.d/wicd, /etc/rc\.d/init\.d/icecast, /etc/rc\.d/init\.d/jabberd, /etc/rc\.d/init\.d/nfslock, /etc/rc\.d/init\.d/rpcidmapd, /etc/rc.d/init.d/vhostmd, /etc/rc\.d/init\.d/nslcd, /etc/rc\.d/init\.d/certmaster, /etc/rc\.d/init\.d/slpd, /etc/rc\.d/init\.d/mysqld, /etc/rc\.d/init\.d/memcached, /etc/rc\.d/init\.d/atd, /etc/rc\.d/init\.d/asterisk, /etc/rc\.d/init\.d/fail2ban, /etc/rc\.d/init\.d/corosync, /etc/rc\.d/init\.d/sssd, /etc/rc\.d/init\.d/zabbix, /etc/rc\.d/init\.d/zabbix-server, /etc/rc\.d/init\.d/ypbind, /etc/rc\.d/init\.d/sshd, /etc/rc\.d/init\.d/dspam, /etc/firestarter/firestarter\.sh, /etc/rc\.d/init\.d/mcstrans, /etc/rc\.d/init\.d/cmirrord, /etc/rc\.d/init\.d/rngd, /etc/rc\.d/init\.d/prelude-lml, /etc/rc\.d/init\.d/prelude-manager, /etc/rc\.d/init\.d/prelude-correlator, /etc/rc\.d/init\.d/ip6?tables, /etc/rc\.d/init\.d/ebtables, /etc/rc\.d/init\.d/sendmail, /etc/rc\.d/init\.d/rpcbind, /etc/rc\.d/init\.d/cobblerd, /etc/rc\.d/init\.d/dnsmasq, /etc/rc\.d/init\.d/bitlbee, /etc/rc\.d/init\.d/sanlock
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux initrc policy is very flexible allowing users to setup their initrc processes in as secure a method as possible.
++.PP
++The following process types are defined for initrc:
++
++.EX
++.B initrc_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux initrc policy is very flexible allowing users to setup their initrc processes in as secure a method as possible.
++.PP
++The following file types are defined for initrc:
++
++
++.EX
++.PP
++.B initrc_devpts_t
++.EE
++
++- Set files with the initrc_devpts_t type, if you want to treat the files as initrc devpts data.
++
++
++.EX
++.PP
++.B initrc_exec_t
++.EE
++
++- Set files with the initrc_exec_t type, if you want to transition an executable to the initrc_t domain.
++
++
++.EX
++.PP
++.B initrc_state_t
++.EE
++
++- Set files with the initrc_state_t type, if you want to treat the files as initrc state data.
++
++
++.EX
++.PP
++.B initrc_tmp_t
++.EE
++
++- Set files with the initrc_tmp_t type, if you want to store initrc temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B initrc_var_log_t
++.EE
++
++- Set files with the initrc_var_log_t type, if you want to treat the data as initrc var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B initrc_var_run_t
++.EE
++
++- Set files with the initrc_var_run_t type, if you want to store the initrc files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type initrc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B abrt_var_run_t
++
++ /var/run/abrt(/.*)?
++.br
++ /var/run/abrtd?\.lock
++.br
++ /var/run/abrtd?\.socket
++.br
++ /var/run/abrt\.pid
++.br
++
++.br
++.B alsa_etc_rw_t
++
++ /etc/asound(/.*)?
++.br
++ /etc/alsa/pcm(/.*)?
++.br
++ /usr/share/alsa/pcm(/.*)?
++.br
++ /etc/asound\.state
++.br
++ /etc/alsa/asound\.state
++.br
++ /usr/share/alsa/alsa\.conf
++.br
++
++.br
++.B binfmt_misc_fs_t
++
++
++.br
++.B boot_t
++
++ /boot/.*
++.br
++ /vmlinuz.*
++.br
++ /initrd\.img.*
++.br
++ /boot
++.br
++
++.br
++.B cert_t
++
++ /etc/pki(/.*)?
++.br
++ /etc/httpd/alias(/.*)?
++.br
++ /usr/share/ssl/certs(/.*)?
++.br
++ /usr/share/ssl/private(/.*)?
++.br
++ /var/named/chroot/etc/pki(/.*)?
++.br
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B consolekit_log_t
++
++ /var/log/ConsoleKit(/.*)?
++.br
++
++.br
++.B cupsd_log_t
++
++ /var/log/cups(/.*)?
++.br
++ /usr/Brother/fax/.*\.log.*
++.br
++ /var/log/turboprint.*
++.br
++
++.br
++.B cyrus_var_lib_t
++
++ /var/imap(/.*)?
++.br
++ /var/lib/imap(/.*)?
++.br
++
++.br
++.B device_t
++
++ /dev/.*
++.br
++ /lib/udev/devices(/.*)?
++.br
++ /usr/lib/udev/devices(/.*)?
++.br
++ /dev
++.br
++ /etc/udev/devices
++.br
++ /var/named/chroot/dev
++.br
++ /var/spool/postfix/dev
++.br
++
++.br
++.B dhcp_etc_t
++
++ /etc/dhcpc.*
++.br
++ /etc/dhcp3(/.*)?
++.br
++ /etc/dhcpd(6)?\.conf
++.br
++ /etc/dhcp3?/dhclient.*
++.br
++ /etc/dhclient.*conf
++.br
++ /etc/dhcp/dhcpd(6)?\.conf
++.br
++ /etc/dhclient-script
++.br
++
++.br
++.B dhcpc_state_t
++
++ /var/lib/dhcp3?/dhclient.*
++.br
++ /var/lib/dhcpcd(/.*)?
++.br
++ /var/lib/dhclient(/.*)?
++.br
++ /var/lib/wifiroamd(/.*)?
++.br
++
++.br
++.B dirsrv_var_run_t
++
++ /var/run/dirsrv(/.*)?
++.br
++
++.br
++.B etc_aliases_t
++
++ /etc/mail/aliases.*
++.br
++ /etc/postfix/aliases.*
++.br
++ /etc/aliases
++.br
++ /etc/aliases\.db
++.br
++
++.br
++.B etc_mail_t
++
++ /etc/mail(/.*)?
++.br
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B exports_t
++
++ /etc/exports
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B fonts_t
++
++ /usr/share/fonts(/.*)?
++.br
++ /usr/share/X11/fonts(/.*)?
++.br
++ /usr/X11R6/lib/X11/fonts(/.*)?
++.br
++ /usr/share/ghostscript/fonts(/.*)?
++.br
++
++.br
++.B gconf_etc_t
++
++ /etc/gconf(/.*)?
++.br
++
++.br
++.B glance_var_run_t
++
++ /var/run/glance(/.*)?
++.br
++
++.br
++.B initrc_state_t
++
++
++.br
++.B initrc_tmp_t
++
++
++.br
++.B initrc_var_log_t
++
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B ipsec_var_run_t
++
++ /var/racoon(/.*)?
++.br
++ /var/run/pluto(/.*)?
++.br
++ /var/run/racoon\.pid
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B ld_so_cache_t
++
++ /etc/ld\.so\.cache
++.br
++ /etc/ld\.so\.cache~
++.br
++ /etc/ld\.so\.preload
++.br
++ /etc/ld\.so\.preload~
++.br
++
++.br
++.B locale_t
++
++ /etc/locale.conf
++.br
++ /usr/lib/locale(/.*)?
++.br
++ /usr/share/locale(/.*)?
++.br
++ /usr/share/zoneinfo(/.*)?
++.br
++ /usr/share/X11/locale(/.*)?
++.br
++ /etc/timezone
++.br
++ /etc/localtime
++.br
++ /etc/sysconfig/clock
++.br
++ /etc/avahi/etc/localtime
++.br
++ /var/empty/sshd/etc/localtime
++.br
++ /var/spool/postfix/etc/localtime
++.br
++
++.br
++.B lockfile
++
++
++.br
++.B mdadm_var_run_t
++
++ /dev/.mdadm\.map
++.br
++ /dev/md/.*
++.br
++ /var/run/mdadm(/.*)?
++.br
++
++.br
++.B mnt_t
++
++ /mnt(/[^/]*)
++.br
++ /mnt(/[^/]*)?
++.br
++ /rhev(/[^/]*)?
++.br
++ /media(/[^/]*)
++.br
++ /media(/[^/]*)?
++.br
++ /media/\.hal-.*
++.br
++ /var/run/media(/[^/]*)?
++.br
++ /net
++.br
++ /afs
++.br
++ /rhev
++.br
++ /misc
++.br
++
++.br
++.B mysqld_log_t
++
++ /var/log/mysql.*
++.br
++
++.br
++.B named_conf_t
++
++ /etc/rndc.*
++.br
++ /etc/unbound(/.*)?
++.br
++ /var/named/chroot(/.*)?
++.br
++ /etc/named\.rfc1912.zones
++.br
++ /var/named/chroot/etc/named\.rfc1912.zones
++.br
++ /etc/named\.conf
++.br
++ /var/named/named\.ca
++.br
++ /etc/named\.root\.hints
++.br
++ /var/named/chroot/etc/named\.conf
++.br
++ /etc/named\.caching-nameserver\.conf
++.br
++ /var/named/chroot/var/named/named\.ca
++.br
++ /var/named/chroot/etc/named\.root\.hints
++.br
++ /var/named/chroot/etc/named\.caching-nameserver\.conf
++.br
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.br
++.B postgresql_db_t
++
++ /var/lib/pgsql(/.*)?
++.br
++ /var/lib/sepgsql(/.*)?
++.br
++ /var/lib/postgres(ql)?(/.*)?
++.br
++ /usr/share/jonas/pgsql(/.*)?
++.br
++ /usr/lib/pgsql/test/regress(/.*)?
++.br
++
++.br
++.B psad_var_log_t
++
++ /var/log/psad(/.*)?
++.br
++
++.br
++.B qpidd_var_run_t
++
++ /var/run/qpidd(/.*)?
++.br
++ /var/run/qpidd\.pid
++.br
++
++.br
++.B quota_flag_t
++
++ /var/lib/quota(/.*)?
++.br
++
++.br
++.B ricci_var_lib_t
++
++ /var/lib/ricci(/.*)?
++.br
++
++.br
++.B samba_etc_t
++
++ /etc/samba(/.*)?
++.br
++
++.br
++.B sanlock_var_run_t
++
++ /var/run/sanlock(/.*)?
++.br
++
++.br
++.B squid_log_t
++
++ /var/log/squid(/.*)?
++.br
++ /var/log/squidGuard(/.*)?
++.br
++
++.br
++.B svc_svc_t
++
++ /service/.*
++.br
++ /var/axfrdns(/.*)?
++.br
++ /var/tinydns(/.*)?
++.br
++ /var/service/.*
++.br
++ /var/dnscache(/.*)?
++.br
++ /var/qmail/supervise(/.*)?
++.br
++ /service
++.br
++
++.br
++.B sysctl_type
++
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B system_conf_t
++
++ /etc/sysctl\.conf(\.old)?
++.br
++ /etc/sysconfig/ip6?tables.*
++.br
++ /etc/sysconfig/ipvsadm.*
++.br
++ /etc/sysconfig/ebtables.*
++.br
++ /etc/sysconfig/system-config-firewall.*
++.br
++
++.br
++.B system_dbusd_var_lib_t
++
++ /var/lib/dbus(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B udev_rules_t
++
++ /etc/udev/rules.d(/.*)?
++.br
++
++.br
++.B udev_var_run_t
++
++ /dev/\.udev(/.*)?
++.br
++ /var/run/udev(/.*)?
++.br
++ /var/run/libgpod(/.*)?
++.br
++ /var/run/PackageKit/udev(/.*)?
++.br
++ /dev/\.udevdb
++.br
++ /dev/udev\.tbl
++.br
++
++.br
++.B var_lib_nfs_t
++
++ /var/lib/nfs(/.*)?
++.br
++
++.br
++.B var_lib_t
++
++ /opt/(.*/)?var/lib(/.*)?
++.br
++ /var/lib(/.*)?
++.br
++
++.br
++.B var_log_t
++
++ /var/log/.*
++.br
++ /nsr/logs(/.*)?
++.br
++ /var/webmin(/.*)?
++.br
++ /var/log/cron[^/]*
++.br
++ /var/log/secure[^/]*
++.br
++ /opt/zimbra/log(/.*)?
++.br
++ /var/log/maillog[^/]*
++.br
++ /var/log/spooler[^/]*
++.br
++ /var/log/messages[^/]*
++.br
++ /usr/centreon/log(/.*)?
++.br
++ /var/spool/rsyslog(/.*)?
++.br
++ /var/axfrdns/log/main(/.*)?
++.br
++ /var/spool/bacula/log(/.*)?
++.br
++ /var/tinydns/log/main(/.*)?
++.br
++ /var/dnscache/log/main(/.*)?
++.br
++ /var/stockmaniac/templates_cache(/.*)?
++.br
++ /opt/Symantec/scspagent/IDS/system(/.*)?
++.br
++ /var/log
++.br
++ /var/log/dmesg
++.br
++ /var/log/syslog
++.br
++ /var/named/chroot/var/log
++.br
++
++.br
++.B var_spool_t
++
++ /var/spool(/.*)?
++.br
++
++.br
++.B virt_cache_t
++
++ /var/cache/oz(/.*)?
++.br
++ /var/cache/libvirt(/.*)?
++.br
++
++.br
++.B virt_var_lib_t
++
++ /var/lib/oz(/.*)?
++.br
++ /var/lib/libvirt(/.*)?
++.br
++
++.br
++.B wdmd_var_run_t
++
++ /var/run/wdmd(/.*)?
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the initrc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, init_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/innd_selinux.8 b/man/man8/innd_selinux.8
+new file mode 100644
+index 0000000..e89f4a3
+--- /dev/null
++++ b/man/man8/innd_selinux.8
+@@ -0,0 +1,182 @@
++.TH "innd_selinux" "8" "12-11-01" "innd" "SELinux Policy documentation for innd"
++.SH "NAME"
++innd_selinux \- Security Enhanced Linux Policy for the innd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the innd processes via flexible mandatory access control.
++
++The innd processes execute with the innd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep innd_t
++
++
++.SH "ENTRYPOINTS"
++
++The innd_t SELinux type can be entered via the "innd_exec_t" file type. The default entrypoint paths for the innd_t domain are the following:"
++
++/usr/sbin/innd.*, /usr/bin/suck, /etc/news/boot, /usr/bin/inews, /usr/bin/rnews, /usr/bin/rpost, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/sm, /usr/lib/news/bin/innd, /usr/lib/news/bin/inews, /usr/lib/news/bin/inndf, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/rnews, /usr/lib/news/bin/expire, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/shlock, /usr/lib/news/bin/actsync, /usr/lib/news/bin/archive, /usr/lib/news/bin/batcher, /usr/lib/news/bin/ctlinnd, /usr/lib/news/bin/getlist, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/makedbz, /usr/lib/news/bin/nntpget, /usr/lib/news/bin/buffchan, /usr/lib/news/bin/convdate, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/filechan, /usr/lib/news/bin/overchan, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/innxbatch, /usr/lib/news/bin/expireover, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/shrinkfile, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/newsrequeue, /usr/lib/news/bin/ovdb_recover, /usr/lib/news/bin/prunehistory, /usr/lib/news/bin/startinnfeed
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux innd policy is very flexible allowing users to setup their innd processes in as secure a method as possible.
++.PP
++The following process types are defined for innd:
++
++.EX
++.B innd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux innd policy is very flexible allowing users to setup their innd processes in as secure a method as possible.
++.PP
++The following file types are defined for innd:
++
++
++.EX
++.PP
++.B innd_etc_t
++.EE
++
++- Set files with the innd_etc_t type, if you want to store innd files in the /etc directories.
++
++
++.EX
++.PP
++.B innd_exec_t
++.EE
++
++- Set files with the innd_exec_t type, if you want to transition an executable to the innd_t domain.
++
++
++.EX
++.PP
++.B innd_initrc_exec_t
++.EE
++
++- Set files with the innd_initrc_exec_t type, if you want to transition an executable to the innd_initrc_t domain.
++
++
++.EX
++.PP
++.B innd_log_t
++.EE
++
++- Set files with the innd_log_t type, if you want to treat the data as innd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B innd_var_lib_t
++.EE
++
++- Set files with the innd_var_lib_t type, if you want to store the innd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B innd_var_run_t
++.EE
++
++- Set files with the innd_var_run_t type, if you want to store the innd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux innd policy is very flexible allowing users to setup their innd processes in as secure a method as possible.
++.PP
++The following port types are defined for innd:
++
++.EX
++.TP 5
++.B innd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 119
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type innd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B innd_log_t
++
++ /var/log/news(/.*)?
++.br
++
++.br
++.B innd_var_lib_t
++
++ /var/lib/news(/.*)?
++.br
++
++.br
++.B innd_var_run_t
++
++ /var/run/innd(/.*)?
++.br
++ /var/run/news(/.*)?
++.br
++
++.br
++.B news_spool_t
++
++ /var/spool/news(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), innd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/insmod_selinux.8 b/man/man8/insmod_selinux.8
+new file mode 100644
+index 0000000..58787ca
+--- /dev/null
++++ b/man/man8/insmod_selinux.8
+@@ -0,0 +1,194 @@
++.TH "insmod_selinux" "8" "12-11-01" "insmod" "SELinux Policy documentation for insmod"
++.SH "NAME"
++insmod_selinux \- Security Enhanced Linux Policy for the insmod processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the insmod processes via flexible mandatory access control.
++
++The insmod processes execute with the insmod_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep insmod_t
++
++
++.SH "ENTRYPOINTS"
++
++The insmod_t SELinux type can be entered via the "insmod_exec_t" file type. The default entrypoint paths for the insmod_t domain are the following:"
++
++/sbin/rmmod.*, /sbin/insmod.*, /sbin/modprobe.*, /usr/sbin/rmmod.*, /usr/sbin/insmod.*, /usr/sbin/modprobe.*, /usr/bin/kmod
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux insmod policy is very flexible allowing users to setup their insmod processes in as secure a method as possible.
++.PP
++The following process types are defined for insmod:
++
++.EX
++.B insmod_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. insmod policy is extremely flexible and has several booleans that allow you to manipulate the policy and run insmod with the tightest access possible.
++
++
++.PP
++If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean.
++
++.EX
++.B setsebool -P pppd_can_insmod 1
++.EE
++
++.PP
++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean.
++
++.EX
++.B setsebool -P secure_mode_insmod 1
++.EE
++
++.PP
++If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean.
++
++.EX
++.B setsebool -P pppd_can_insmod 1
++.EE
++
++.PP
++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean.
++
++.EX
++.B setsebool -P secure_mode_insmod 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux insmod policy is very flexible allowing users to setup their insmod processes in as secure a method as possible.
++.PP
++The following file types are defined for insmod:
++
++
++.EX
++.PP
++.B insmod_exec_t
++.EE
++
++- Set files with the insmod_exec_t type, if you want to transition an executable to the insmod_t domain.
++
++
++.EX
++.PP
++.B insmod_tmpfs_t
++.EE
++
++- Set files with the insmod_tmpfs_t type, if you want to store insmod files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type insmod_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B initrc_tmp_t
++
++
++.br
++.B insmod_tmpfs_t
++
++
++.br
++.B kdumpctl_tmp_t
++
++
++.br
++.B modules_dep_t
++
++ /lib/modules/[^/]+/modules\..+
++.br
++
++.br
++.B modules_object_t
++
++ /lib/modules(/.*)?
++.br
++ /usr/lib/modules(/.*)?
++.br
++
++.br
++.B mtrr_device_t
++
++ /dev/cpu/mtrr
++.br
++
++.br
++.B ramfs_t
++
++
++.br
++.B rpm_script_tmp_t
++
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the insmod_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the insmod_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), insmod(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/ipsec_mgmt_selinux.8 b/man/man8/ipsec_mgmt_selinux.8
+new file mode 100644
+index 0000000..d3feccd
+--- /dev/null
++++ b/man/man8/ipsec_mgmt_selinux.8
+@@ -0,0 +1,189 @@
++.TH "ipsec_mgmt_selinux" "8" "12-11-01" "ipsec_mgmt" "SELinux Policy documentation for ipsec_mgmt"
++.SH "NAME"
++ipsec_mgmt_selinux \- Security Enhanced Linux Policy for the ipsec_mgmt processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ipsec_mgmt processes via flexible mandatory access control.
++
++The ipsec_mgmt processes execute with the ipsec_mgmt_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ipsec_mgmt_t
++
++
++.SH "ENTRYPOINTS"
++
++The ipsec_mgmt_t SELinux type can be entered via the "shell_exec_t,ipsec_mgmt_exec_t" file types. The default entrypoint paths for the ipsec_mgmt_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/sbin/ipsec, /usr/lib/ipsec/_plutorun, /usr/lib/ipsec/_plutoload, /usr/libexec/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ipsec_mgmt policy is very flexible allowing users to setup their ipsec_mgmt processes in as secure a method as possible.
++.PP
++The following process types are defined for ipsec_mgmt:
++
++.EX
++.B ipsec_mgmt_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ipsec_mgmt policy is very flexible allowing users to setup their ipsec_mgmt processes in as secure a method as possible.
++.PP
++The following file types are defined for ipsec_mgmt:
++
++
++.EX
++.PP
++.B ipsec_mgmt_exec_t
++.EE
++
++- Set files with the ipsec_mgmt_exec_t type, if you want to transition an executable to the ipsec_mgmt_t domain.
++
++
++.EX
++.PP
++.B ipsec_mgmt_lock_t
++.EE
++
++- Set files with the ipsec_mgmt_lock_t type, if you want to treat the files as ipsec mgmt lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B ipsec_mgmt_var_run_t
++.EE
++
++- Set files with the ipsec_mgmt_var_run_t type, if you want to store the ipsec mgmt files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type ipsec_mgmt_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ipsec_key_file_t
++
++ /etc/ipsec\.d(/.*)?
++.br
++ /etc/racoon/certs(/.*)?
++.br
++ /etc/ipsec\.secrets
++.br
++ /etc/racoon/psk\.txt
++.br
++
++.br
++.B ipsec_log_t
++
++ /var/log/pluto\.log
++.br
++
++.br
++.B ipsec_mgmt_lock_t
++
++ /var/lock/subsys/ipsec
++.br
++
++.br
++.B ipsec_mgmt_var_run_t
++
++
++.br
++.B ipsec_tmp_t
++
++
++.br
++.B ipsec_var_run_t
++
++ /var/racoon(/.*)?
++.br
++ /var/run/pluto(/.*)?
++.br
++ /var/run/racoon\.pid
++.br
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ipsec_mgmt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ipsec_mgmt_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ipsec_mgmt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, ipsec_selinux(8), ipsec_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/ipsec_selinux.8 b/man/man8/ipsec_selinux.8
+new file mode 100644
+index 0000000..2c1a0c0
+--- /dev/null
++++ b/man/man8/ipsec_selinux.8
+@@ -0,0 +1,263 @@
++.TH "ipsec_selinux" "8" "12-11-01" "ipsec" "SELinux Policy documentation for ipsec"
++.SH "NAME"
++ipsec_selinux \- Security Enhanced Linux Policy for the ipsec processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ipsec processes via flexible mandatory access control.
++
++The ipsec processes execute with the ipsec_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ipsec_t
++
++
++.SH "ENTRYPOINTS"
++
++The ipsec_t SELinux type can be entered via the "ipsec_exec_t" file type. The default entrypoint paths for the ipsec_t domain are the following:"
++
++/usr/lib/ipsec/spi, /usr/lib/ipsec/pluto, /usr/lib/ipsec/eroute, /usr/libexec/ipsec/spi, /usr/libexec/ipsec/pluto, /usr/lib/ipsec/klipsdebug, /usr/libexec/ipsec/eroute, /usr/libexec/ipsec/klipsdebug
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ipsec policy is very flexible allowing users to setup their ipsec processes in as secure a method as possible.
++.PP
++The following process types are defined for ipsec:
++
++.EX
++.B ipsec_t, ipsec_mgmt_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ipsec policy is very flexible allowing users to setup their ipsec processes in as secure a method as possible.
++.PP
++The following file types are defined for ipsec:
++
++
++.EX
++.PP
++.B ipsec_conf_file_t
++.EE
++
++- Set files with the ipsec_conf_file_t type, if you want to treat the files as ipsec conf content.
++
++
++.EX
++.PP
++.B ipsec_exec_t
++.EE
++
++- Set files with the ipsec_exec_t type, if you want to transition an executable to the ipsec_t domain.
++
++
++.EX
++.PP
++.B ipsec_initrc_exec_t
++.EE
++
++- Set files with the ipsec_initrc_exec_t type, if you want to transition an executable to the ipsec_initrc_t domain.
++
++
++.EX
++.PP
++.B ipsec_key_file_t
++.EE
++
++- Set files with the ipsec_key_file_t type, if you want to treat the files as ipsec key content.
++
++
++.EX
++.PP
++.B ipsec_log_t
++.EE
++
++- Set files with the ipsec_log_t type, if you want to treat the data as ipsec log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ipsec_mgmt_exec_t
++.EE
++
++- Set files with the ipsec_mgmt_exec_t type, if you want to transition an executable to the ipsec_mgmt_t domain.
++
++
++.EX
++.PP
++.B ipsec_mgmt_lock_t
++.EE
++
++- Set files with the ipsec_mgmt_lock_t type, if you want to treat the files as ipsec mgmt lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B ipsec_mgmt_var_run_t
++.EE
++
++- Set files with the ipsec_mgmt_var_run_t type, if you want to store the ipsec mgmt files under the /run directory.
++
++
++.EX
++.PP
++.B ipsec_tmp_t
++.EE
++
++- Set files with the ipsec_tmp_t type, if you want to store ipsec temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ipsec_var_run_t
++.EE
++
++- Set files with the ipsec_var_run_t type, if you want to store the ipsec files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux ipsec policy is very flexible allowing users to setup their ipsec processes in as secure a method as possible.
++.PP
++The following port types are defined for ipsec:
++
++.EX
++.TP 5
++.B ipsecnat_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 4500
++.EE
++udp 4500
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type ipsec_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ipsec_key_file_t
++
++ /etc/ipsec\.d(/.*)?
++.br
++ /etc/racoon/certs(/.*)?
++.br
++ /etc/ipsec\.secrets
++.br
++ /etc/racoon/psk\.txt
++.br
++
++.br
++.B ipsec_tmp_t
++
++
++.br
++.B ipsec_var_run_t
++
++ /var/racoon(/.*)?
++.br
++ /var/run/pluto(/.*)?
++.br
++ /var/run/racoon\.pid
++.br
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ipsec_t, ipsec_mgmt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ipsec_t, ipsec_mgmt_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ipsec(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, ipsec_mgmt_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/iptables_selinux.8 b/man/man8/iptables_selinux.8
+new file mode 100644
+index 0000000..66ccd4a
+--- /dev/null
++++ b/man/man8/iptables_selinux.8
+@@ -0,0 +1,258 @@
++.TH "iptables_selinux" "8" "12-11-01" "iptables" "SELinux Policy documentation for iptables"
++.SH "NAME"
++iptables_selinux \- Security Enhanced Linux Policy for the iptables processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the iptables processes via flexible mandatory access control.
++
++The iptables processes execute with the iptables_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep iptables_t
++
++
++.SH "ENTRYPOINTS"
++
++The iptables_t SELinux type can be entered via the "iptables_exec_t" file type. The default entrypoint paths for the iptables_t domain are the following:"
++
++/sbin/ip6?tables, /sbin/ip6?tables-multi, /sbin/ip6?tables-restore, /usr/sbin/ip6?tables, /usr/sbin/ip6?tables-multi, /usr/sbin/ip6?tables-restore, /sbin/ipchains.*, /usr/sbin/ipchains.*, /sbin/ipvsadm, /sbin/ebtables, /usr/sbin/ipvsadm, /sbin/ipvsadm-save, /usr/sbin/ebtables, /sbin/xtables-multi, /sbin/ipvsadm-restore, /sbin/ebtables-restore, /usr/sbin/ipvsadm-save, /usr/sbin/xtables-multi, /usr/sbin/ipvsadm-restore, /usr/sbin/ebtables-restore
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux iptables policy is very flexible allowing users to setup their iptables processes in as secure a method as possible.
++.PP
++The following process types are defined for iptables:
++
++.EX
++.B iptables_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. iptables policy is extremely flexible and has several booleans that allow you to manipulate the policy and run iptables with the tightest access possible.
++
++
++.PP
++If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
++
++.EX
++.B setsebool -P dhcpc_exec_iptables 1
++.EE
++
++.PP
++If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
++
++.EX
++.B setsebool -P dhcpc_exec_iptables 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux iptables policy is very flexible allowing users to setup their iptables processes in as secure a method as possible.
++.PP
++The following file types are defined for iptables:
++
++
++.EX
++.PP
++.B iptables_exec_t
++.EE
++
++- Set files with the iptables_exec_t type, if you want to transition an executable to the iptables_t domain.
++
++
++.EX
++.PP
++.B iptables_initrc_exec_t
++.EE
++
++- Set files with the iptables_initrc_exec_t type, if you want to transition an executable to the iptables_initrc_t domain.
++
++
++.EX
++.PP
++.B iptables_tmp_t
++.EE
++
++- Set files with the iptables_tmp_t type, if you want to store iptables temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B iptables_unit_file_t
++.EE
++
++- Set files with the iptables_unit_file_t type, if you want to treat the files as iptables unit content.
++
++
++.EX
++.PP
++.B iptables_var_run_t
++.EE
++
++- Set files with the iptables_var_run_t type, if you want to store the iptables files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type iptables_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B initrc_tmp_t
++
++
++.br
++.B iptables_tmp_t
++
++
++.br
++.B iptables_var_run_t
++
++
++.br
++.B psad_tmp_t
++
++
++.br
++.B psad_var_log_t
++
++ /var/log/psad(/.*)?
++.br
++
++.br
++.B shorewall_var_lib_t
++
++ /var/lib/shorewall(/.*)?
++.br
++ /var/lib/shorewall6(/.*)?
++.br
++ /var/lib/shorewall-lite(/.*)?
++.br
++
++.br
++.B system_conf_t
++
++ /etc/sysctl\.conf(\.old)?
++.br
++ /etc/sysconfig/ip6?tables.*
++.br
++ /etc/sysconfig/ipvsadm.*
++.br
++ /etc/sysconfig/ebtables.*
++.br
++ /etc/sysconfig/system-config-firewall.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the iptables_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the iptables_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), iptables(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/irc_selinux.8 b/man/man8/irc_selinux.8
+new file mode 100644
+index 0000000..8ca561c
+--- /dev/null
++++ b/man/man8/irc_selinux.8
+@@ -0,0 +1,146 @@
++.TH "irc_selinux" "8" "12-11-01" "irc" "SELinux Policy documentation for irc"
++.SH "NAME"
++irc_selinux \- Security Enhanced Linux Policy for the irc processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the irc processes via flexible mandatory access control.
++
++The irc processes execute with the irc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep irc_t
++
++
++.SH "ENTRYPOINTS"
++
++The irc_t SELinux type can be entered via the "irc_exec_t" file type. The default entrypoint paths for the irc_t domain are the following:"
++
++/usr/bin/[st]irc, /usr/bin/ircII, /usr/bin/tinyirc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux irc policy is very flexible allowing users to setup their irc processes in as secure a method as possible.
++.PP
++The following process types are defined for irc:
++
++.EX
++.B irc_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux irc policy is very flexible allowing users to setup their irc processes in as secure a method as possible.
++.PP
++The following file types are defined for irc:
++
++
++.EX
++.PP
++.B irc_exec_t
++.EE
++
++- Set files with the irc_exec_t type, if you want to transition an executable to the irc_t domain.
++
++
++.EX
++.PP
++.B irc_home_t
++.EE
++
++- Set files with the irc_home_t type, if you want to store irc files in the users home directory.
++
++
++.EX
++.PP
++.B irc_tmp_t
++.EE
++
++- Set files with the irc_tmp_t type, if you want to store irc temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux irc policy is very flexible allowing users to setup their irc processes in as secure a method as possible.
++.PP
++The following port types are defined for irc:
++
++.EX
++.TP 5
++.B ircd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 6667,6697
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type irc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B irc_home_t
++
++ /home/[^/]*/\.ircmotd
++.br
++ /home/dwalsh/\.ircmotd
++.br
++ /var/lib/xguest/home/xguest/\.ircmotd
++.br
++
++.br
++.B irc_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), irc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/irqbalance_selinux.8 b/man/man8/irqbalance_selinux.8
+new file mode 100644
+index 0000000..e967562
+--- /dev/null
++++ b/man/man8/irqbalance_selinux.8
+@@ -0,0 +1,102 @@
++.TH "irqbalance_selinux" "8" "12-11-01" "irqbalance" "SELinux Policy documentation for irqbalance"
++.SH "NAME"
++irqbalance_selinux \- Security Enhanced Linux Policy for the irqbalance processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the irqbalance processes via flexible mandatory access control.
++
++The irqbalance processes execute with the irqbalance_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep irqbalance_t
++
++
++.SH "ENTRYPOINTS"
++
++The irqbalance_t SELinux type can be entered via the "irqbalance_exec_t" file type. The default entrypoint paths for the irqbalance_t domain are the following:"
++
++/usr/sbin/irqbalance
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux irqbalance policy is very flexible allowing users to setup their irqbalance processes in as secure a method as possible.
++.PP
++The following process types are defined for irqbalance:
++
++.EX
++.B irqbalance_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux irqbalance policy is very flexible allowing users to setup their irqbalance processes in as secure a method as possible.
++.PP
++The following file types are defined for irqbalance:
++
++
++.EX
++.PP
++.B irqbalance_exec_t
++.EE
++
++- Set files with the irqbalance_exec_t type, if you want to transition an executable to the irqbalance_t domain.
++
++
++.EX
++.PP
++.B irqbalance_var_run_t
++.EE
++
++- Set files with the irqbalance_var_run_t type, if you want to store the irqbalance files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type irqbalance_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B irqbalance_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), irqbalance(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/irssi_selinux.8 b/man/man8/irssi_selinux.8
+new file mode 100644
+index 0000000..36617d8
+--- /dev/null
++++ b/man/man8/irssi_selinux.8
+@@ -0,0 +1,158 @@
++.TH "irssi_selinux" "8" "12-11-01" "irssi" "SELinux Policy documentation for irssi"
++.SH "NAME"
++irssi_selinux \- Security Enhanced Linux Policy for the irssi processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the irssi processes via flexible mandatory access control.
++
++The irssi processes execute with the irssi_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep irssi_t
++
++
++.SH "ENTRYPOINTS"
++
++The irssi_t SELinux type can be entered via the "irssi_exec_t" file type. The default entrypoint paths for the irssi_t domain are the following:"
++
++/usr/bin/irssi
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux irssi policy is very flexible allowing users to setup their irssi processes in as secure a method as possible.
++.PP
++The following process types are defined for irssi:
++
++.EX
++.B irssi_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. irssi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run irssi with the tightest access possible.
++
++
++.PP
++If you want to allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port, you must turn on the irssi_use_full_network boolean.
++
++.EX
++.B setsebool -P irssi_use_full_network 1
++.EE
++
++.PP
++If you want to allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port, you must turn on the irssi_use_full_network boolean.
++
++.EX
++.B setsebool -P irssi_use_full_network 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux irssi policy is very flexible allowing users to setup their irssi processes in as secure a method as possible.
++.PP
++The following file types are defined for irssi:
++
++
++.EX
++.PP
++.B irssi_etc_t
++.EE
++
++- Set files with the irssi_etc_t type, if you want to store irssi files in the /etc directories.
++
++
++.EX
++.PP
++.B irssi_exec_t
++.EE
++
++- Set files with the irssi_exec_t type, if you want to transition an executable to the irssi_t domain.
++
++
++.EX
++.PP
++.B irssi_home_t
++.EE
++
++- Set files with the irssi_home_t type, if you want to store irssi files in the users home directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type irssi_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B irssi_home_t
++
++ /home/[^/]*/\.irssi(/.*)?
++.br
++ /home/[^/]*/irclogs(/.*)?
++.br
++ /home/dwalsh/\.irssi(/.*)?
++.br
++ /home/dwalsh/irclogs(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.irssi(/.*)?
++.br
++ /var/lib/xguest/home/xguest/irclogs(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the irssi_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the irssi_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), irssi(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/iscsid_selinux.8 b/man/man8/iscsid_selinux.8
+new file mode 100644
+index 0000000..4e63ee8
+--- /dev/null
++++ b/man/man8/iscsid_selinux.8
+@@ -0,0 +1,160 @@
++.TH "iscsid_selinux" "8" "12-11-01" "iscsid" "SELinux Policy documentation for iscsid"
++.SH "NAME"
++iscsid_selinux \- Security Enhanced Linux Policy for the iscsid processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the iscsid processes via flexible mandatory access control.
++
++The iscsid processes execute with the iscsid_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep iscsid_t
++
++
++.SH "ENTRYPOINTS"
++
++The iscsid_t SELinux type can be entered via the "iscsid_exec_t" file type. The default entrypoint paths for the iscsid_t domain are the following:"
++
++/sbin/iscsid, /sbin/iscsiuio, /usr/sbin/iscsid, /usr/sbin/iscsiuio, /sbin/brcm_iscsiuio, /usr/sbin/brcm_iscsiuio
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible.
++.PP
++The following process types are defined for iscsid:
++
++.EX
++.B iscsid_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible.
++.PP
++The following file types are defined for iscsid:
++
++
++.EX
++.PP
++.B iscsid_exec_t
++.EE
++
++- Set files with the iscsid_exec_t type, if you want to transition an executable to the iscsid_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible.
++.PP
++The following port types are defined for iscsid:
++
++.EX
++.TP 5
++.B iscsi_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 3260
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type iscsid_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B iscsi_lock_t
++
++ /var/lock/iscsi(/.*)?
++.br
++
++.br
++.B iscsi_log_t
++
++ /var/log/iscsiuio\.log.*
++.br
++ /var/log/brcm-iscsi\.log.*
++.br
++
++.br
++.B iscsi_tmp_t
++
++
++.br
++.B iscsi_var_run_t
++
++ /var/run/iscsid\.pid
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the iscsid_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the iscsid_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), iscsid(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/isnsd_selinux.8 b/man/man8/isnsd_selinux.8
+new file mode 100644
+index 0000000..9811117
+--- /dev/null
++++ b/man/man8/isnsd_selinux.8
+@@ -0,0 +1,156 @@
++.TH "isnsd_selinux" "8" "12-11-01" "isnsd" "SELinux Policy documentation for isnsd"
++.SH "NAME"
++isnsd_selinux \- Security Enhanced Linux Policy for the isnsd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the isnsd processes via flexible mandatory access control.
++
++The isnsd processes execute with the isnsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep isnsd_t
++
++
++.SH "ENTRYPOINTS"
++
++The isnsd_t SELinux type can be entered via the "isnsd_exec_t" file type. The default entrypoint paths for the isnsd_t domain are the following:"
++
++/usr/sbin/isnsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux isnsd policy is very flexible allowing users to setup their isnsd processes in as secure a method as possible.
++.PP
++The following process types are defined for isnsd:
++
++.EX
++.B isnsd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux isnsd policy is very flexible allowing users to setup their isnsd processes in as secure a method as possible.
++.PP
++The following file types are defined for isnsd:
++
++
++.EX
++.PP
++.B isnsd_exec_t
++.EE
++
++- Set files with the isnsd_exec_t type, if you want to transition an executable to the isnsd_t domain.
++
++
++.EX
++.PP
++.B isnsd_initrc_exec_t
++.EE
++
++- Set files with the isnsd_initrc_exec_t type, if you want to transition an executable to the isnsd_initrc_t domain.
++
++
++.EX
++.PP
++.B isnsd_var_lib_t
++.EE
++
++- Set files with the isnsd_var_lib_t type, if you want to store the isnsd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B isnsd_var_run_t
++.EE
++
++- Set files with the isnsd_var_run_t type, if you want to store the isnsd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux isnsd policy is very flexible allowing users to setup their isnsd processes in as secure a method as possible.
++.PP
++The following port types are defined for isnsd:
++
++.EX
++.TP 5
++.B isns_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 3205
++.EE
++udp 3205
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type isnsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B isnsd_var_lib_t
++
++ /var/lib/isns(/.*)?
++.br
++
++.br
++.B isnsd_var_run_t
++
++ /var/run/isnsctl
++.br
++ /var/run/isnsd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), isnsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/iwhd_selinux.8 b/man/man8/iwhd_selinux.8
+new file mode 100644
+index 0000000..cea1bb7
+--- /dev/null
++++ b/man/man8/iwhd_selinux.8
+@@ -0,0 +1,140 @@
++.TH "iwhd_selinux" "8" "12-11-01" "iwhd" "SELinux Policy documentation for iwhd"
++.SH "NAME"
++iwhd_selinux \- Security Enhanced Linux Policy for the iwhd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the iwhd processes via flexible mandatory access control.
++
++The iwhd processes execute with the iwhd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep iwhd_t
++
++
++.SH "ENTRYPOINTS"
++
++The iwhd_t SELinux type can be entered via the "iwhd_exec_t" file type. The default entrypoint paths for the iwhd_t domain are the following:"
++
++/usr/bin/iwhd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux iwhd policy is very flexible allowing users to setup their iwhd processes in as secure a method as possible.
++.PP
++The following process types are defined for iwhd:
++
++.EX
++.B iwhd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux iwhd policy is very flexible allowing users to setup their iwhd processes in as secure a method as possible.
++.PP
++The following file types are defined for iwhd:
++
++
++.EX
++.PP
++.B iwhd_exec_t
++.EE
++
++- Set files with the iwhd_exec_t type, if you want to transition an executable to the iwhd_t domain.
++
++
++.EX
++.PP
++.B iwhd_initrc_exec_t
++.EE
++
++- Set files with the iwhd_initrc_exec_t type, if you want to transition an executable to the iwhd_initrc_t domain.
++
++
++.EX
++.PP
++.B iwhd_log_t
++.EE
++
++- Set files with the iwhd_log_t type, if you want to treat the data as iwhd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B iwhd_var_lib_t
++.EE
++
++- Set files with the iwhd_var_lib_t type, if you want to store the iwhd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B iwhd_var_run_t
++.EE
++
++- Set files with the iwhd_var_run_t type, if you want to store the iwhd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type iwhd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B iwhd_log_t
++
++ /var/log/iwhd\.log.*
++.br
++
++.br
++.B iwhd_var_lib_t
++
++ /var/lib/iwhd(/.*)?
++.br
++
++.br
++.B iwhd_var_run_t
++
++ /var/run/iwhd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), iwhd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/jabberd_router_selinux.8 b/man/man8/jabberd_router_selinux.8
+new file mode 100644
+index 0000000..6c57f11
+--- /dev/null
++++ b/man/man8/jabberd_router_selinux.8
+@@ -0,0 +1,97 @@
++.TH "jabberd_router_selinux" "8" "12-11-01" "jabberd_router" "SELinux Policy documentation for jabberd_router"
++.SH "NAME"
++jabberd_router_selinux \- Security Enhanced Linux Policy for the jabberd_router processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the jabberd_router processes via flexible mandatory access control.
++
++The jabberd_router processes execute with the jabberd_router_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep jabberd_router_t
++
++
++.SH "ENTRYPOINTS"
++
++The jabberd_router_t SELinux type can be entered via the "jabberd_router_exec_t" file type. The default entrypoint paths for the jabberd_router_t domain are the following:"
++
++/usr/bin/c2s, /usr/bin/router
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux jabberd_router policy is very flexible allowing users to setup their jabberd_router processes in as secure a method as possible.
++.PP
++The following process types are defined for jabberd_router:
++
++.EX
++.B jabberd_router_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux jabberd_router policy is very flexible allowing users to setup their jabberd_router processes in as secure a method as possible.
++.PP
++The following file types are defined for jabberd_router:
++
++
++.EX
++.PP
++.B jabberd_router_exec_t
++.EE
++
++- Set files with the jabberd_router_exec_t type, if you want to transition an executable to the jabberd_router_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type jabberd_router_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B jabberd_var_lib_t
++
++ /var/lib/jabberd(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), jabberd_router(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, jabberd_selinux(8), jabberd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/jabberd_selinux.8 b/man/man8/jabberd_selinux.8
+new file mode 100644
+index 0000000..520a42b
+--- /dev/null
++++ b/man/man8/jabberd_selinux.8
+@@ -0,0 +1,169 @@
++.TH "jabberd_selinux" "8" "12-11-01" "jabberd" "SELinux Policy documentation for jabberd"
++.SH "NAME"
++jabberd_selinux \- Security Enhanced Linux Policy for the jabberd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the jabberd processes via flexible mandatory access control.
++
++The jabberd processes execute with the jabberd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep jabberd_t
++
++
++.SH "ENTRYPOINTS"
++
++The jabberd_t SELinux type can be entered via the "jabberd_exec_t" file type. The default entrypoint paths for the jabberd_t domain are the following:"
++
++/usr/bin/sm, /usr/bin/s2s
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux jabberd policy is very flexible allowing users to setup their jabberd processes in as secure a method as possible.
++.PP
++The following process types are defined for jabberd:
++
++.EX
++.B jabberd_router_t, jabberd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux jabberd policy is very flexible allowing users to setup their jabberd processes in as secure a method as possible.
++.PP
++The following file types are defined for jabberd:
++
++
++.EX
++.PP
++.B jabberd_exec_t
++.EE
++
++- Set files with the jabberd_exec_t type, if you want to transition an executable to the jabberd_t domain.
++
++
++.EX
++.PP
++.B jabberd_initrc_exec_t
++.EE
++
++- Set files with the jabberd_initrc_exec_t type, if you want to transition an executable to the jabberd_initrc_t domain.
++
++
++.EX
++.PP
++.B jabberd_router_exec_t
++.EE
++
++- Set files with the jabberd_router_exec_t type, if you want to transition an executable to the jabberd_router_t domain.
++
++
++.EX
++.PP
++.B jabberd_var_lib_t
++.EE
++
++- Set files with the jabberd_var_lib_t type, if you want to store the jabberd files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux jabberd policy is very flexible allowing users to setup their jabberd processes in as secure a method as possible.
++.PP
++The following port types are defined for jabberd:
++
++.EX
++.TP 5
++.B jabber_client_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 5222,5223
++.EE
++
++.EX
++.TP 5
++.B jabber_interserver_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 5269
++.EE
++
++.EX
++.TP 5
++.B jabber_router_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 5347
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type jabberd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B jabberd_var_lib_t
++
++ /var/lib/jabberd(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), jabberd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, jabberd_router_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/jockey_selinux.8 b/man/man8/jockey_selinux.8
+new file mode 100644
+index 0000000..2615dc1
+--- /dev/null
++++ b/man/man8/jockey_selinux.8
+@@ -0,0 +1,120 @@
++.TH "jockey_selinux" "8" "12-11-01" "jockey" "SELinux Policy documentation for jockey"
++.SH "NAME"
++jockey_selinux \- Security Enhanced Linux Policy for the jockey processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the jockey processes via flexible mandatory access control.
++
++The jockey processes execute with the jockey_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep jockey_t
++
++
++.SH "ENTRYPOINTS"
++
++The jockey_t SELinux type can be entered via the "jockey_exec_t" file type. The default entrypoint paths for the jockey_t domain are the following:"
++
++/usr/share/jockey/jockey-backend
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux jockey policy is very flexible allowing users to setup their jockey processes in as secure a method as possible.
++.PP
++The following process types are defined for jockey:
++
++.EX
++.B jockey_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux jockey policy is very flexible allowing users to setup their jockey processes in as secure a method as possible.
++.PP
++The following file types are defined for jockey:
++
++
++.EX
++.PP
++.B jockey_cache_t
++.EE
++
++- Set files with the jockey_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B jockey_exec_t
++.EE
++
++- Set files with the jockey_exec_t type, if you want to transition an executable to the jockey_t domain.
++
++
++.EX
++.PP
++.B jockey_var_log_t
++.EE
++
++- Set files with the jockey_var_log_t type, if you want to treat the data as jockey var log data, usually stored under the /var/log directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type jockey_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B jockey_cache_t
++
++ /var/cache/jockey(/.*)?
++.br
++
++.br
++.B jockey_var_log_t
++
++ /var/log/jockey(/.*)?
++.br
++ /var/log/jockey\.log.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), jockey(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/kadmind_selinux.8 b/man/man8/kadmind_selinux.8
+new file mode 100644
+index 0000000..f4e852a
+--- /dev/null
++++ b/man/man8/kadmind_selinux.8
+@@ -0,0 +1,162 @@
++.TH "kadmind_selinux" "8" "12-11-01" "kadmind" "SELinux Policy documentation for kadmind"
++.SH "NAME"
++kadmind_selinux \- Security Enhanced Linux Policy for the kadmind processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the kadmind processes via flexible mandatory access control.
++
++The kadmind processes execute with the kadmind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep kadmind_t
++
++
++.SH "ENTRYPOINTS"
++
++The kadmind_t SELinux type can be entered via the "kadmind_exec_t" file type. The default entrypoint paths for the kadmind_t domain are the following:"
++
++/usr/(kerberos/)?sbin/kadmind, /usr/kerberos/sbin/kadmin\.local
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux kadmind policy is very flexible allowing users to setup their kadmind processes in as secure a method as possible.
++.PP
++The following process types are defined for kadmind:
++
++.EX
++.B kadmind_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux kadmind policy is very flexible allowing users to setup their kadmind processes in as secure a method as possible.
++.PP
++The following file types are defined for kadmind:
++
++
++.EX
++.PP
++.B kadmind_exec_t
++.EE
++
++- Set files with the kadmind_exec_t type, if you want to transition an executable to the kadmind_t domain.
++
++
++.EX
++.PP
++.B kadmind_log_t
++.EE
++
++- Set files with the kadmind_log_t type, if you want to treat the data as kadmind log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B kadmind_tmp_t
++.EE
++
++- Set files with the kadmind_tmp_t type, if you want to store kadmind temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B kadmind_var_run_t
++.EE
++
++- Set files with the kadmind_var_run_t type, if you want to store the kadmind files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type kadmind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B kadmind_log_t
++
++ /var/log/kadmin(d)?\.log.*
++.br
++
++.br
++.B kadmind_tmp_t
++
++
++.br
++.B kadmind_var_run_t
++
++
++.br
++.B krb5kdc_conf_t
++
++ /etc/krb5kdc(/.*)?
++.br
++ /usr/var/krb5kdc(/.*)?
++.br
++ /var/kerberos/krb5kdc(/.*)?
++.br
++
++.br
++.B krb5kdc_lock_t
++
++ /var/kerberos/krb5kdc/principal.*\.ok
++.br
++ /var/kerberos/krb5kdc/from_master.*
++.br
++
++.br
++.B krb5kdc_principal_t
++
++ /etc/krb5kdc/principal.*
++.br
++ /usr/var/krb5kdc/principal.*
++.br
++ /var/kerberos/krb5kdc/principal.*
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), kadmind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/kdump_selinux.8 b/man/man8/kdump_selinux.8
+new file mode 100644
+index 0000000..5b31590
+--- /dev/null
++++ b/man/man8/kdump_selinux.8
+@@ -0,0 +1,157 @@
++.TH "kdump_selinux" "8" "12-11-01" "kdump" "SELinux Policy documentation for kdump"
++.SH "NAME"
++kdump_selinux \- Security Enhanced Linux Policy for the kdump processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the kdump processes via flexible mandatory access control.
++
++The kdump processes execute with the kdump_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep kdump_t
++
++
++.SH "ENTRYPOINTS"
++
++The kdump_t SELinux type can be entered via the "kdump_exec_t" file type. The default entrypoint paths for the kdump_t domain are the following:"
++
++/sbin/kdump, /sbin/kexec, /usr/sbin/kdump, /usr/sbin/kexec
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux kdump policy is very flexible allowing users to setup their kdump processes in as secure a method as possible.
++.PP
++The following process types are defined for kdump:
++
++.EX
++.B kdumpgui_t, kdumpctl_t, kdump_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux kdump policy is very flexible allowing users to setup their kdump processes in as secure a method as possible.
++.PP
++The following file types are defined for kdump:
++
++
++.EX
++.PP
++.B kdump_etc_t
++.EE
++
++- Set files with the kdump_etc_t type, if you want to store kdump files in the /etc directories.
++
++
++.EX
++.PP
++.B kdump_exec_t
++.EE
++
++- Set files with the kdump_exec_t type, if you want to transition an executable to the kdump_t domain.
++
++
++.EX
++.PP
++.B kdump_initrc_exec_t
++.EE
++
++- Set files with the kdump_initrc_exec_t type, if you want to transition an executable to the kdump_initrc_t domain.
++
++
++.EX
++.PP
++.B kdump_unit_file_t
++.EE
++
++- Set files with the kdump_unit_file_t type, if you want to treat the files as kdump unit content.
++
++
++.EX
++.PP
++.B kdumpctl_exec_t
++.EE
++
++- Set files with the kdumpctl_exec_t type, if you want to transition an executable to the kdumpctl_t domain.
++
++
++.EX
++.PP
++.B kdumpctl_tmp_t
++.EE
++
++- Set files with the kdumpctl_tmp_t type, if you want to store kdumpctl temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B kdumpgui_exec_t
++.EE
++
++- Set files with the kdumpgui_exec_t type, if you want to transition an executable to the kdumpgui_t domain.
++
++
++.EX
++.PP
++.B kdumpgui_tmp_t
++.EE
++
++- Set files with the kdumpgui_tmp_t type, if you want to store kdumpgui temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), kdump(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, kdumpctl_selinux(8), kdumpgui_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/kdumpctl_selinux.8 b/man/man8/kdumpctl_selinux.8
+new file mode 100644
+index 0000000..64c0c6f
+--- /dev/null
++++ b/man/man8/kdumpctl_selinux.8
+@@ -0,0 +1,169 @@
++.TH "kdumpctl_selinux" "8" "12-11-01" "kdumpctl" "SELinux Policy documentation for kdumpctl"
++.SH "NAME"
++kdumpctl_selinux \- Security Enhanced Linux Policy for the kdumpctl processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the kdumpctl processes via flexible mandatory access control.
++
++The kdumpctl processes execute with the kdumpctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep kdumpctl_t
++
++
++.SH "ENTRYPOINTS"
++
++The kdumpctl_t SELinux type can be entered via the "kdumpctl_exec_t" file type. The default entrypoint paths for the kdumpctl_t domain are the following:"
++
++/usr/bin/kdumpctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux kdumpctl policy is very flexible allowing users to setup their kdumpctl processes in as secure a method as possible.
++.PP
++The following process types are defined for kdumpctl:
++
++.EX
++.B kdumpctl_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux kdumpctl policy is very flexible allowing users to setup their kdumpctl processes in as secure a method as possible.
++.PP
++The following file types are defined for kdumpctl:
++
++
++.EX
++.PP
++.B kdumpctl_exec_t
++.EE
++
++- Set files with the kdumpctl_exec_t type, if you want to transition an executable to the kdumpctl_t domain.
++
++
++.EX
++.PP
++.B kdumpctl_tmp_t
++.EE
++
++- Set files with the kdumpctl_tmp_t type, if you want to store kdumpctl temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type kdumpctl_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B boot_t
++
++ /boot/.*
++.br
++ /vmlinuz.*
++.br
++ /initrd\.img.*
++.br
++ /boot
++.br
++
++.br
++.B kdumpctl_tmp_t
++
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B var_log_t
++
++ /var/log/.*
++.br
++ /nsr/logs(/.*)?
++.br
++ /var/webmin(/.*)?
++.br
++ /var/log/cron[^/]*
++.br
++ /var/log/secure[^/]*
++.br
++ /opt/zimbra/log(/.*)?
++.br
++ /var/log/maillog[^/]*
++.br
++ /var/log/spooler[^/]*
++.br
++ /var/log/messages[^/]*
++.br
++ /usr/centreon/log(/.*)?
++.br
++ /var/spool/rsyslog(/.*)?
++.br
++ /var/axfrdns/log/main(/.*)?
++.br
++ /var/spool/bacula/log(/.*)?
++.br
++ /var/tinydns/log/main(/.*)?
++.br
++ /var/dnscache/log/main(/.*)?
++.br
++ /var/stockmaniac/templates_cache(/.*)?
++.br
++ /opt/Symantec/scspagent/IDS/system(/.*)?
++.br
++ /var/log
++.br
++ /var/log/dmesg
++.br
++ /var/log/syslog
++.br
++ /var/named/chroot/var/log
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), kdumpctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, kdump_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/kdumpgui_selinux.8 b/man/man8/kdumpgui_selinux.8
+new file mode 100644
+index 0000000..cdb1f42
+--- /dev/null
++++ b/man/man8/kdumpgui_selinux.8
+@@ -0,0 +1,197 @@
++.TH "kdumpgui_selinux" "8" "12-11-01" "kdumpgui" "SELinux Policy documentation for kdumpgui"
++.SH "NAME"
++kdumpgui_selinux \- Security Enhanced Linux Policy for the kdumpgui processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the kdumpgui processes via flexible mandatory access control.
++
++The kdumpgui processes execute with the kdumpgui_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep kdumpgui_t
++
++
++.SH "ENTRYPOINTS"
++
++The kdumpgui_t SELinux type can be entered via the "kdumpgui_exec_t" file type. The default entrypoint paths for the kdumpgui_t domain are the following:"
++
++/usr/share/system-config-kdump/system-config-kdump-backend\.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux kdumpgui policy is very flexible allowing users to setup their kdumpgui processes in as secure a method as possible.
++.PP
++The following process types are defined for kdumpgui:
++
++.EX
++.B kdumpgui_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux kdumpgui policy is very flexible allowing users to setup their kdumpgui processes in as secure a method as possible.
++.PP
++The following file types are defined for kdumpgui:
++
++
++.EX
++.PP
++.B kdumpgui_exec_t
++.EE
++
++- Set files with the kdumpgui_exec_t type, if you want to transition an executable to the kdumpgui_t domain.
++
++
++.EX
++.PP
++.B kdumpgui_tmp_t
++.EE
++
++- Set files with the kdumpgui_tmp_t type, if you want to store kdumpgui temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type kdumpgui_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B boot_t
++
++ /boot/.*
++.br
++ /vmlinuz.*
++.br
++ /initrd\.img.*
++.br
++ /boot
++.br
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B kdump_etc_t
++
++ /etc/kdump\.conf
++.br
++
++.br
++.B kdumpgui_tmp_t
++
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), kdumpgui(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, kdump_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8
+deleted file mode 100644
+index a8f81c8..0000000
+--- a/man/man8/kerberos_selinux.8
++++ /dev/null
+@@ -1,28 +0,0 @@
+-.TH "kerberos_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
+-.de EX
+-.nf
+-.ft CW
+-..
+-.de EE
+-.ft R
+-.fi
+-..
+-.SH "NAME"
+-kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
+-.SH "DESCRIPTION"
+-
+-Security-Enhanced Linux secures the system via flexible mandatory access
+-control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
+-.SH BOOLEANS
+-.PP
+-You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
+-.EX
+-setsebool -P allow_kerberos 1
+-.EE
+-.PP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
+-.SH AUTHOR
+-This manual page was written by Dan Walsh .
+-
+-.SH "SEE ALSO"
+-selinux(8), kerberos(1), chcon(1), setsebool(8)
+diff --git a/man/man8/keyboardd_selinux.8 b/man/man8/keyboardd_selinux.8
+new file mode 100644
+index 0000000..d16fc27
+--- /dev/null
++++ b/man/man8/keyboardd_selinux.8
+@@ -0,0 +1,144 @@
++.TH "keyboardd_selinux" "8" "12-11-01" "keyboardd" "SELinux Policy documentation for keyboardd"
++.SH "NAME"
++keyboardd_selinux \- Security Enhanced Linux Policy for the keyboardd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the keyboardd processes via flexible mandatory access control.
++
++The keyboardd processes execute with the keyboardd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep keyboardd_t
++
++
++.SH "ENTRYPOINTS"
++
++The keyboardd_t SELinux type can be entered via the "keyboardd_exec_t" file type. The default entrypoint paths for the keyboardd_t domain are the following:"
++
++/usr/bin/system-setup-keyboard
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux keyboardd policy is very flexible allowing users to setup their keyboardd processes in as secure a method as possible.
++.PP
++The following process types are defined for keyboardd:
++
++.EX
++.B keyboardd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux keyboardd policy is very flexible allowing users to setup their keyboardd processes in as secure a method as possible.
++.PP
++The following file types are defined for keyboardd:
++
++
++.EX
++.PP
++.B keyboardd_exec_t
++.EE
++
++- Set files with the keyboardd_exec_t type, if you want to transition an executable to the keyboardd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type keyboardd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), keyboardd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/keystone_selinux.8 b/man/man8/keystone_selinux.8
+new file mode 100644
+index 0000000..92a2ad3
+--- /dev/null
++++ b/man/man8/keystone_selinux.8
+@@ -0,0 +1,242 @@
++.TH "keystone_selinux" "8" "12-11-01" "keystone" "SELinux Policy documentation for keystone"
++.SH "NAME"
++keystone_selinux \- Security Enhanced Linux Policy for the keystone processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the keystone processes via flexible mandatory access control.
++
++The keystone processes execute with the keystone_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep keystone_t
++
++
++.SH "ENTRYPOINTS"
++
++The keystone_t SELinux type can be entered via the "keystone_exec_t" file type. The default entrypoint paths for the keystone_t domain are the following:"
++
++/usr/bin/keystone-all
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible.
++.PP
++The following process types are defined for keystone:
++
++.EX
++.B keystone_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible.
++.PP
++The following file types are defined for keystone:
++
++
++.EX
++.PP
++.B keystone_exec_t
++.EE
++
++- Set files with the keystone_exec_t type, if you want to transition an executable to the keystone_t domain.
++
++
++.EX
++.PP
++.B keystone_log_t
++.EE
++
++- Set files with the keystone_log_t type, if you want to treat the data as keystone log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B keystone_tmp_t
++.EE
++
++- Set files with the keystone_tmp_t type, if you want to store keystone temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B keystone_unit_file_t
++.EE
++
++- Set files with the keystone_unit_file_t type, if you want to treat the files as keystone unit content.
++
++
++.EX
++.PP
++.B keystone_var_lib_t
++.EE
++
++- Set files with the keystone_var_lib_t type, if you want to store the keystone files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible.
++.PP
++The following port types are defined for keystone:
++
++.EX
++.TP 5
++.B keystone_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 5000
++.EE
++udp 5000
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type keystone_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B keystone_log_t
++
++ /var/log/keystone(/.*)?
++.br
++
++.br
++.B keystone_tmp_t
++
++
++.br
++.B keystone_var_lib_t
++
++ /var/lib/keystone(/.*)?
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the keystone_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the keystone_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), keystone(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/kismet_selinux.8 b/man/man8/kismet_selinux.8
+new file mode 100644
+index 0000000..74f62b3
+--- /dev/null
++++ b/man/man8/kismet_selinux.8
+@@ -0,0 +1,188 @@
++.TH "kismet_selinux" "8" "12-11-01" "kismet" "SELinux Policy documentation for kismet"
++.SH "NAME"
++kismet_selinux \- Security Enhanced Linux Policy for the kismet processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the kismet processes via flexible mandatory access control.
++
++The kismet processes execute with the kismet_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep kismet_t
++
++
++.SH "ENTRYPOINTS"
++
++The kismet_t SELinux type can be entered via the "kismet_exec_t" file type. The default entrypoint paths for the kismet_t domain are the following:"
++
++/usr/bin/kismet
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux kismet policy is very flexible allowing users to setup their kismet processes in as secure a method as possible.
++.PP
++The following process types are defined for kismet:
++
++.EX
++.B kismet_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux kismet policy is very flexible allowing users to setup their kismet processes in as secure a method as possible.
++.PP
++The following file types are defined for kismet:
++
++
++.EX
++.PP
++.B kismet_exec_t
++.EE
++
++- Set files with the kismet_exec_t type, if you want to transition an executable to the kismet_t domain.
++
++
++.EX
++.PP
++.B kismet_home_t
++.EE
++
++- Set files with the kismet_home_t type, if you want to store kismet files in the users home directory.
++
++
++.EX
++.PP
++.B kismet_log_t
++.EE
++
++- Set files with the kismet_log_t type, if you want to treat the data as kismet log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B kismet_tmp_t
++.EE
++
++- Set files with the kismet_tmp_t type, if you want to store kismet temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B kismet_tmpfs_t
++.EE
++
++- Set files with the kismet_tmpfs_t type, if you want to store kismet files on a tmpfs file system.
++
++
++.EX
++.PP
++.B kismet_var_lib_t
++.EE
++
++- Set files with the kismet_var_lib_t type, if you want to store the kismet files under the /var/lib directory.
++
++
++.EX
++.PP
++.B kismet_var_run_t
++.EE
++
++- Set files with the kismet_var_run_t type, if you want to store the kismet files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type kismet_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B kismet_home_t
++
++ /home/[^/]*/\.kismet(/.*)?
++.br
++ /home/dwalsh/\.kismet(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.kismet(/.*)?
++.br
++
++.br
++.B kismet_log_t
++
++ /var/log/kismet(/.*)?
++.br
++
++.br
++.B kismet_tmp_t
++
++
++.br
++.B kismet_tmpfs_t
++
++
++.br
++.B kismet_var_lib_t
++
++ /var/lib/kismet(/.*)?
++.br
++
++.br
++.B kismet_var_run_t
++
++ /var/run/kismet_server.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kismet_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the kismet_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), kismet(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/klogd_selinux.8 b/man/man8/klogd_selinux.8
+new file mode 100644
+index 0000000..729c100
+--- /dev/null
++++ b/man/man8/klogd_selinux.8
+@@ -0,0 +1,116 @@
++.TH "klogd_selinux" "8" "12-11-01" "klogd" "SELinux Policy documentation for klogd"
++.SH "NAME"
++klogd_selinux \- Security Enhanced Linux Policy for the klogd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the klogd processes via flexible mandatory access control.
++
++The klogd processes execute with the klogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep klogd_t
++
++
++.SH "ENTRYPOINTS"
++
++The klogd_t SELinux type can be entered via the "klogd_exec_t" file type. The default entrypoint paths for the klogd_t domain are the following:"
++
++/sbin/klogd, /sbin/rklogd, /usr/sbin/klogd, /usr/sbin/rklogd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux klogd policy is very flexible allowing users to setup their klogd processes in as secure a method as possible.
++.PP
++The following process types are defined for klogd:
++
++.EX
++.B klogd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux klogd policy is very flexible allowing users to setup their klogd processes in as secure a method as possible.
++.PP
++The following file types are defined for klogd:
++
++
++.EX
++.PP
++.B klogd_exec_t
++.EE
++
++- Set files with the klogd_exec_t type, if you want to transition an executable to the klogd_t domain.
++
++
++.EX
++.PP
++.B klogd_tmp_t
++.EE
++
++- Set files with the klogd_tmp_t type, if you want to store klogd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B klogd_var_run_t
++.EE
++
++- Set files with the klogd_var_run_t type, if you want to store the klogd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type klogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B klogd_tmp_t
++
++
++.br
++.B klogd_var_run_t
++
++ /var/run/klogd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), klogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/kpropd_selinux.8 b/man/man8/kpropd_selinux.8
+new file mode 100644
+index 0000000..37b1a4f
+--- /dev/null
++++ b/man/man8/kpropd_selinux.8
+@@ -0,0 +1,168 @@
++.TH "kpropd_selinux" "8" "12-11-01" "kpropd" "SELinux Policy documentation for kpropd"
++.SH "NAME"
++kpropd_selinux \- Security Enhanced Linux Policy for the kpropd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the kpropd processes via flexible mandatory access control.
++
++The kpropd processes execute with the kpropd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep kpropd_t
++
++
++.SH "ENTRYPOINTS"
++
++The kpropd_t SELinux type can be entered via the "kpropd_exec_t" file type. The default entrypoint paths for the kpropd_t domain are the following:"
++
++/usr/sbin/kpropd, /usr/kerberos/sbin/kpropd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux kpropd policy is very flexible allowing users to setup their kpropd processes in as secure a method as possible.
++.PP
++The following process types are defined for kpropd:
++
++.EX
++.B kpropd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux kpropd policy is very flexible allowing users to setup their kpropd processes in as secure a method as possible.
++.PP
++The following file types are defined for kpropd:
++
++
++.EX
++.PP
++.B kpropd_exec_t
++.EE
++
++- Set files with the kpropd_exec_t type, if you want to transition an executable to the kpropd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux kpropd policy is very flexible allowing users to setup their kpropd processes in as secure a method as possible.
++.PP
++The following port types are defined for kpropd:
++
++.EX
++.TP 5
++.B kprop_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 754
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type kpropd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B krb5kdc_lock_t
++
++ /var/kerberos/krb5kdc/principal.*\.ok
++.br
++ /var/kerberos/krb5kdc/from_master.*
++.br
++
++.br
++.B krb5kdc_principal_t
++
++ /etc/krb5kdc/principal.*
++.br
++ /usr/var/krb5kdc/principal.*
++.br
++ /var/kerberos/krb5kdc/principal.*
++.br
++
++.br
++.B krb5kdc_tmp_t
++
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), kpropd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/krb5kdc_selinux.8 b/man/man8/krb5kdc_selinux.8
+new file mode 100644
+index 0000000..5b1f8f4
+--- /dev/null
++++ b/man/man8/krb5kdc_selinux.8
+@@ -0,0 +1,176 @@
++.TH "krb5kdc_selinux" "8" "12-11-01" "krb5kdc" "SELinux Policy documentation for krb5kdc"
++.SH "NAME"
++krb5kdc_selinux \- Security Enhanced Linux Policy for the krb5kdc processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the krb5kdc processes via flexible mandatory access control.
++
++The krb5kdc processes execute with the krb5kdc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep krb5kdc_t
++
++
++.SH "ENTRYPOINTS"
++
++The krb5kdc_t SELinux type can be entered via the "krb5kdc_exec_t" file type. The default entrypoint paths for the krb5kdc_t domain are the following:"
++
++/usr/(kerberos/)?sbin/krb5kdc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux krb5kdc policy is very flexible allowing users to setup their krb5kdc processes in as secure a method as possible.
++.PP
++The following process types are defined for krb5kdc:
++
++.EX
++.B krb5kdc_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux krb5kdc policy is very flexible allowing users to setup their krb5kdc processes in as secure a method as possible.
++.PP
++The following file types are defined for krb5kdc:
++
++
++.EX
++.PP
++.B krb5kdc_conf_t
++.EE
++
++- Set files with the krb5kdc_conf_t type, if you want to treat the files as krb5kdc configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B krb5kdc_exec_t
++.EE
++
++- Set files with the krb5kdc_exec_t type, if you want to transition an executable to the krb5kdc_t domain.
++
++
++.EX
++.PP
++.B krb5kdc_lock_t
++.EE
++
++- Set files with the krb5kdc_lock_t type, if you want to treat the files as krb5kdc lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B krb5kdc_log_t
++.EE
++
++- Set files with the krb5kdc_log_t type, if you want to treat the data as krb5kdc log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B krb5kdc_principal_t
++.EE
++
++- Set files with the krb5kdc_principal_t type, if you want to treat the files as krb5kdc principal data.
++
++
++.EX
++.PP
++.B krb5kdc_tmp_t
++.EE
++
++- Set files with the krb5kdc_tmp_t type, if you want to store krb5kdc temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B krb5kdc_var_run_t
++.EE
++
++- Set files with the krb5kdc_var_run_t type, if you want to store the krb5kdc files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type krb5kdc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B krb5kdc_lock_t
++
++ /var/kerberos/krb5kdc/principal.*\.ok
++.br
++ /var/kerberos/krb5kdc/from_master.*
++.br
++
++.br
++.B krb5kdc_log_t
++
++ /var/log/krb5kdc\.log.*
++.br
++
++.br
++.B krb5kdc_principal_t
++
++ /etc/krb5kdc/principal.*
++.br
++ /usr/var/krb5kdc/principal.*
++.br
++ /var/kerberos/krb5kdc/principal.*
++.br
++
++.br
++.B krb5kdc_tmp_t
++
++
++.br
++.B krb5kdc_var_run_t
++
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), krb5kdc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ksmtuned_selinux.8 b/man/man8/ksmtuned_selinux.8
+new file mode 100644
+index 0000000..dba373c
+--- /dev/null
++++ b/man/man8/ksmtuned_selinux.8
+@@ -0,0 +1,146 @@
++.TH "ksmtuned_selinux" "8" "12-11-01" "ksmtuned" "SELinux Policy documentation for ksmtuned"
++.SH "NAME"
++ksmtuned_selinux \- Security Enhanced Linux Policy for the ksmtuned processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ksmtuned processes via flexible mandatory access control.
++
++The ksmtuned processes execute with the ksmtuned_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ksmtuned_t
++
++
++.SH "ENTRYPOINTS"
++
++The ksmtuned_t SELinux type can be entered via the "ksmtuned_exec_t" file type. The default entrypoint paths for the ksmtuned_t domain are the following:"
++
++/usr/sbin/ksmtuned
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ksmtuned policy is very flexible allowing users to setup their ksmtuned processes in as secure a method as possible.
++.PP
++The following process types are defined for ksmtuned:
++
++.EX
++.B ksmtuned_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ksmtuned policy is very flexible allowing users to setup their ksmtuned processes in as secure a method as possible.
++.PP
++The following file types are defined for ksmtuned:
++
++
++.EX
++.PP
++.B ksmtuned_exec_t
++.EE
++
++- Set files with the ksmtuned_exec_t type, if you want to transition an executable to the ksmtuned_t domain.
++
++
++.EX
++.PP
++.B ksmtuned_initrc_exec_t
++.EE
++
++- Set files with the ksmtuned_initrc_exec_t type, if you want to transition an executable to the ksmtuned_initrc_t domain.
++
++
++.EX
++.PP
++.B ksmtuned_log_t
++.EE
++
++- Set files with the ksmtuned_log_t type, if you want to treat the data as ksmtuned log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ksmtuned_var_run_t
++.EE
++
++- Set files with the ksmtuned_var_run_t type, if you want to store the ksmtuned files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type ksmtuned_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ksmtuned_log_t
++
++ /var/log/ksmtuned.*
++.br
++
++.br
++.B ksmtuned_var_run_t
++
++ /var/run/ksmtune\.pid
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ksmtuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ksmtuned_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ksmtuned(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ktalkd_selinux.8 b/man/man8/ktalkd_selinux.8
+new file mode 100644
+index 0000000..090a1a6
+--- /dev/null
++++ b/man/man8/ktalkd_selinux.8
+@@ -0,0 +1,168 @@
++.TH "ktalkd_selinux" "8" "12-11-01" "ktalkd" "SELinux Policy documentation for ktalkd"
++.SH "NAME"
++ktalkd_selinux \- Security Enhanced Linux Policy for the ktalkd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ktalkd processes via flexible mandatory access control.
++
++The ktalkd processes execute with the ktalkd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ktalkd_t
++
++
++.SH "ENTRYPOINTS"
++
++The ktalkd_t SELinux type can be entered via the "ktalkd_exec_t" file type. The default entrypoint paths for the ktalkd_t domain are the following:"
++
++/usr/bin/ktalkd, /usr/sbin/in\.talkd, /usr/sbin/in\.ntalkd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ktalkd policy is very flexible allowing users to setup their ktalkd processes in as secure a method as possible.
++.PP
++The following process types are defined for ktalkd:
++
++.EX
++.B ktalkd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ktalkd policy is very flexible allowing users to setup their ktalkd processes in as secure a method as possible.
++.PP
++The following file types are defined for ktalkd:
++
++
++.EX
++.PP
++.B ktalkd_exec_t
++.EE
++
++- Set files with the ktalkd_exec_t type, if you want to transition an executable to the ktalkd_t domain.
++
++
++.EX
++.PP
++.B ktalkd_log_t
++.EE
++
++- Set files with the ktalkd_log_t type, if you want to treat the data as ktalkd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ktalkd_tmp_t
++.EE
++
++- Set files with the ktalkd_tmp_t type, if you want to store ktalkd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ktalkd_var_run_t
++.EE
++
++- Set files with the ktalkd_var_run_t type, if you want to store the ktalkd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux ktalkd policy is very flexible allowing users to setup their ktalkd processes in as secure a method as possible.
++.PP
++The following port types are defined for ktalkd:
++
++.EX
++.TP 5
++.B ktalkd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 517,518
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type ktalkd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ktalkd_log_t
++
++ /var/log/talkd.*
++.br
++
++.br
++.B ktalkd_tmp_t
++
++
++.br
++.B ktalkd_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ktalkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ktalkd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ktalkd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/l2tpd_selinux.8 b/man/man8/l2tpd_selinux.8
+new file mode 100644
+index 0000000..d28edaa
+--- /dev/null
++++ b/man/man8/l2tpd_selinux.8
+@@ -0,0 +1,158 @@
++.TH "l2tpd_selinux" "8" "12-11-01" "l2tpd" "SELinux Policy documentation for l2tpd"
++.SH "NAME"
++l2tpd_selinux \- Security Enhanced Linux Policy for the l2tpd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the l2tpd processes via flexible mandatory access control.
++
++The l2tpd processes execute with the l2tpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep l2tpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The l2tpd_t SELinux type can be entered via the "l2tpd_exec_t" file type. The default entrypoint paths for the l2tpd_t domain are the following:"
++
++/usr/sbin/xl2tpd, /usr/sbin/prol2tpd, /usr/sbin/openl2tpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible.
++.PP
++The following process types are defined for l2tpd:
++
++.EX
++.B l2tpd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible.
++.PP
++The following file types are defined for l2tpd:
++
++
++.EX
++.PP
++.B l2tpd_exec_t
++.EE
++
++- Set files with the l2tpd_exec_t type, if you want to transition an executable to the l2tpd_t domain.
++
++
++.EX
++.PP
++.B l2tpd_initrc_exec_t
++.EE
++
++- Set files with the l2tpd_initrc_exec_t type, if you want to transition an executable to the l2tpd_initrc_t domain.
++
++
++.EX
++.PP
++.B l2tpd_tmp_t
++.EE
++
++- Set files with the l2tpd_tmp_t type, if you want to store l2tpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B l2tpd_var_run_t
++.EE
++
++- Set files with the l2tpd_var_run_t type, if you want to store the l2tpd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible.
++.PP
++The following port types are defined for l2tpd:
++
++.EX
++.TP 5
++.B l2tp_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 1701
++.EE
++udp 1701
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type l2tpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B l2tpd_var_run_t
++
++ /var/run/xl2tpd(/.*)?
++.br
++ /var/run/prol2tpd(/.*)?
++.br
++ /var/run/xl2tpd\.pid
++.br
++ /var/run/prol2tpd\.ctl
++.br
++ /var/run/prol2tpd\.pid
++.br
++ /var/run/openl2tpd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), l2tpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ldconfig_selinux.8 b/man/man8/ldconfig_selinux.8
+new file mode 100644
+index 0000000..ff3b691
+--- /dev/null
++++ b/man/man8/ldconfig_selinux.8
+@@ -0,0 +1,158 @@
++.TH "ldconfig_selinux" "8" "12-11-01" "ldconfig" "SELinux Policy documentation for ldconfig"
++.SH "NAME"
++ldconfig_selinux \- Security Enhanced Linux Policy for the ldconfig processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ldconfig processes via flexible mandatory access control.
++
++The ldconfig processes execute with the ldconfig_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ldconfig_t
++
++
++.SH "ENTRYPOINTS"
++
++The ldconfig_t SELinux type can be entered via the "ldconfig_exec_t" file type. The default entrypoint paths for the ldconfig_t domain are the following:"
++
++/sbin/ldconfig, /usr/sbin/ldconfig
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ldconfig policy is very flexible allowing users to setup their ldconfig processes in as secure a method as possible.
++.PP
++The following process types are defined for ldconfig:
++
++.EX
++.B ldconfig_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ldconfig policy is very flexible allowing users to setup their ldconfig processes in as secure a method as possible.
++.PP
++The following file types are defined for ldconfig:
++
++
++.EX
++.PP
++.B ldconfig_cache_t
++.EE
++
++- Set files with the ldconfig_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B ldconfig_exec_t
++.EE
++
++- Set files with the ldconfig_exec_t type, if you want to transition an executable to the ldconfig_t domain.
++
++
++.EX
++.PP
++.B ldconfig_tmp_t
++.EE
++
++- Set files with the ldconfig_tmp_t type, if you want to store ldconfig temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type ldconfig_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B kdumpctl_tmp_t
++
++
++.br
++.B ld_so_cache_t
++
++ /etc/ld\.so\.cache
++.br
++ /etc/ld\.so\.cache~
++.br
++ /etc/ld\.so\.preload
++.br
++ /etc/ld\.so\.preload~
++.br
++
++.br
++.B ldconfig_cache_t
++
++ /var/cache/ldconfig(/.*)?
++.br
++
++.br
++.B ldconfig_tmp_t
++
++
++.br
++.B rpm_script_tmp_t
++
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ldconfig(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/libvirt_selinux.8 b/man/man8/libvirt_selinux.8
+new file mode 100644
+index 0000000..ee560da
+--- /dev/null
++++ b/man/man8/libvirt_selinux.8
+@@ -0,0 +1 @@
++.so man8/virtd_selinux.8
+\ No newline at end of file
+diff --git a/man/man8/lircd_selinux.8 b/man/man8/lircd_selinux.8
+new file mode 100644
+index 0000000..4f9932c
+--- /dev/null
++++ b/man/man8/lircd_selinux.8
+@@ -0,0 +1,160 @@
++.TH "lircd_selinux" "8" "12-11-01" "lircd" "SELinux Policy documentation for lircd"
++.SH "NAME"
++lircd_selinux \- Security Enhanced Linux Policy for the lircd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the lircd processes via flexible mandatory access control.
++
++The lircd processes execute with the lircd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep lircd_t
++
++
++.SH "ENTRYPOINTS"
++
++The lircd_t SELinux type can be entered via the "lircd_exec_t" file type. The default entrypoint paths for the lircd_t domain are the following:"
++
++/usr/sbin/lircd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux lircd policy is very flexible allowing users to setup their lircd processes in as secure a method as possible.
++.PP
++The following process types are defined for lircd:
++
++.EX
++.B lircd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux lircd policy is very flexible allowing users to setup their lircd processes in as secure a method as possible.
++.PP
++The following file types are defined for lircd:
++
++
++.EX
++.PP
++.B lircd_etc_t
++.EE
++
++- Set files with the lircd_etc_t type, if you want to store lircd files in the /etc directories.
++
++
++.EX
++.PP
++.B lircd_exec_t
++.EE
++
++- Set files with the lircd_exec_t type, if you want to transition an executable to the lircd_t domain.
++
++
++.EX
++.PP
++.B lircd_initrc_exec_t
++.EE
++
++- Set files with the lircd_initrc_exec_t type, if you want to transition an executable to the lircd_initrc_t domain.
++
++
++.EX
++.PP
++.B lircd_var_run_t
++.EE
++
++- Set files with the lircd_var_run_t type, if you want to store the lircd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux lircd policy is very flexible allowing users to setup their lircd processes in as secure a method as possible.
++.PP
++The following port types are defined for lircd:
++
++.EX
++.TP 5
++.B lirc_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8765
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type lircd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B lircd_var_run_t
++
++ /var/run/lirc(/.*)?
++.br
++ /var/run/lircd(/.*)?
++.br
++ /var/run/lircd\.pid
++.br
++
++.br
++.B var_lock_t
++
++ /var/lock(/.*)?
++.br
++ /run/lock(/.*)?
++.br
++ /var/lock
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), lircd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/livecd_selinux.8 b/man/man8/livecd_selinux.8
+new file mode 100644
+index 0000000..d7d48dd
+--- /dev/null
++++ b/man/man8/livecd_selinux.8
+@@ -0,0 +1,104 @@
++.TH "livecd_selinux" "8" "12-11-01" "livecd" "SELinux Policy documentation for livecd"
++.SH "NAME"
++livecd_selinux \- Security Enhanced Linux Policy for the livecd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the livecd processes via flexible mandatory access control.
++
++The livecd processes execute with the livecd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep livecd_t
++
++
++.SH "ENTRYPOINTS"
++
++The livecd_t SELinux type can be entered via the "filesystem_type,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type,livecd_exec_t" file types. The default entrypoint paths for the livecd_t domain are the following:"
++
++/dev/cpu/mtrr, all files on the system, /usr/bin/livecd-creator
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux livecd policy is very flexible allowing users to setup their livecd processes in as secure a method as possible.
++.PP
++The following process types are defined for livecd:
++
++.EX
++.B livecd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux livecd policy is very flexible allowing users to setup their livecd processes in as secure a method as possible.
++.PP
++The following file types are defined for livecd:
++
++
++.EX
++.PP
++.B livecd_exec_t
++.EE
++
++- Set files with the livecd_exec_t type, if you want to transition an executable to the livecd_t domain.
++
++
++.EX
++.PP
++.B livecd_tmp_t
++.EE
++
++- Set files with the livecd_tmp_t type, if you want to store livecd temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type livecd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B file_type
++
++ all files on the system
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), livecd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/lldpad_selinux.8 b/man/man8/lldpad_selinux.8
+new file mode 100644
+index 0000000..3cbeec5
+--- /dev/null
++++ b/man/man8/lldpad_selinux.8
+@@ -0,0 +1,138 @@
++.TH "lldpad_selinux" "8" "12-11-01" "lldpad" "SELinux Policy documentation for lldpad"
++.SH "NAME"
++lldpad_selinux \- Security Enhanced Linux Policy for the lldpad processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the lldpad processes via flexible mandatory access control.
++
++The lldpad processes execute with the lldpad_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep lldpad_t
++
++
++.SH "ENTRYPOINTS"
++
++The lldpad_t SELinux type can be entered via the "lldpad_exec_t" file type. The default entrypoint paths for the lldpad_t domain are the following:"
++
++/usr/sbin/lldpad
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux lldpad policy is very flexible allowing users to setup their lldpad processes in as secure a method as possible.
++.PP
++The following process types are defined for lldpad:
++
++.EX
++.B lldpad_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux lldpad policy is very flexible allowing users to setup their lldpad processes in as secure a method as possible.
++.PP
++The following file types are defined for lldpad:
++
++
++.EX
++.PP
++.B lldpad_exec_t
++.EE
++
++- Set files with the lldpad_exec_t type, if you want to transition an executable to the lldpad_t domain.
++
++
++.EX
++.PP
++.B lldpad_initrc_exec_t
++.EE
++
++- Set files with the lldpad_initrc_exec_t type, if you want to transition an executable to the lldpad_initrc_t domain.
++
++
++.EX
++.PP
++.B lldpad_tmpfs_t
++.EE
++
++- Set files with the lldpad_tmpfs_t type, if you want to store lldpad files on a tmpfs file system.
++
++
++.EX
++.PP
++.B lldpad_var_lib_t
++.EE
++
++- Set files with the lldpad_var_lib_t type, if you want to store the lldpad files under the /var/lib directory.
++
++
++.EX
++.PP
++.B lldpad_var_run_t
++.EE
++
++- Set files with the lldpad_var_run_t type, if you want to store the lldpad files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type lldpad_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B lldpad_tmpfs_t
++
++
++.br
++.B lldpad_var_lib_t
++
++ /var/lib/lldpad(/.*)?
++.br
++
++.br
++.B lldpad_var_run_t
++
++ /var/run/lldpad\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), lldpad(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/load_policy_selinux.8 b/man/man8/load_policy_selinux.8
+new file mode 100644
+index 0000000..30c76e6
+--- /dev/null
++++ b/man/man8/load_policy_selinux.8
+@@ -0,0 +1,95 @@
++.TH "load_policy_selinux" "8" "12-11-01" "load_policy" "SELinux Policy documentation for load_policy"
++.SH "NAME"
++load_policy_selinux \- Security Enhanced Linux Policy for the load_policy processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the load_policy processes via flexible mandatory access control.
++
++The load_policy processes execute with the load_policy_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep load_policy_t
++
++
++.SH "ENTRYPOINTS"
++
++The load_policy_t SELinux type can be entered via the "load_policy_exec_t" file type. The default entrypoint paths for the load_policy_t domain are the following:"
++
++/sbin/load_policy, /usr/sbin/load_policy
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux load_policy policy is very flexible allowing users to setup their load_policy processes in as secure a method as possible.
++.PP
++The following process types are defined for load_policy:
++
++.EX
++.B load_policy_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux load_policy policy is very flexible allowing users to setup their load_policy processes in as secure a method as possible.
++.PP
++The following file types are defined for load_policy:
++
++
++.EX
++.PP
++.B load_policy_exec_t
++.EE
++
++- Set files with the load_policy_exec_t type, if you want to transition an executable to the load_policy_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type load_policy_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B boolean_type
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), load_policy(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, loadkeys_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/loadkeys_selinux.8 b/man/man8/loadkeys_selinux.8
+new file mode 100644
+index 0000000..3c43c48
+--- /dev/null
++++ b/man/man8/loadkeys_selinux.8
+@@ -0,0 +1,86 @@
++.TH "loadkeys_selinux" "8" "12-11-01" "loadkeys" "SELinux Policy documentation for loadkeys"
++.SH "NAME"
++loadkeys_selinux \- Security Enhanced Linux Policy for the loadkeys processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the loadkeys processes via flexible mandatory access control.
++
++The loadkeys processes execute with the loadkeys_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep loadkeys_t
++
++
++.SH "ENTRYPOINTS"
++
++The loadkeys_t SELinux type can be entered via the "loadkeys_exec_t" file type. The default entrypoint paths for the loadkeys_t domain are the following:"
++
++/usr/bin/unikeys, /usr/bin/loadkeys
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux loadkeys policy is very flexible allowing users to setup their loadkeys processes in as secure a method as possible.
++.PP
++The following process types are defined for loadkeys:
++
++.EX
++.B loadkeys_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux loadkeys policy is very flexible allowing users to setup their loadkeys processes in as secure a method as possible.
++.PP
++The following file types are defined for loadkeys:
++
++
++.EX
++.PP
++.B loadkeys_exec_t
++.EE
++
++- Set files with the loadkeys_exec_t type, if you want to transition an executable to the loadkeys_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), loadkeys(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/locate_selinux.8 b/man/man8/locate_selinux.8
+new file mode 100644
+index 0000000..1ab1c6b
+--- /dev/null
++++ b/man/man8/locate_selinux.8
+@@ -0,0 +1,126 @@
++.TH "locate_selinux" "8" "12-11-01" "locate" "SELinux Policy documentation for locate"
++.SH "NAME"
++locate_selinux \- Security Enhanced Linux Policy for the locate processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the locate processes via flexible mandatory access control.
++
++The locate processes execute with the locate_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep locate_t
++
++
++.SH "ENTRYPOINTS"
++
++The locate_t SELinux type can be entered via the "locate_exec_t" file type. The default entrypoint paths for the locate_t domain are the following:"
++
++/usr/bin/updatedb
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux locate policy is very flexible allowing users to setup their locate processes in as secure a method as possible.
++.PP
++The following process types are defined for locate:
++
++.EX
++.B locate_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux locate policy is very flexible allowing users to setup their locate processes in as secure a method as possible.
++.PP
++The following file types are defined for locate:
++
++
++.EX
++.PP
++.B locate_exec_t
++.EE
++
++- Set files with the locate_exec_t type, if you want to transition an executable to the locate_t domain.
++
++
++.EX
++.PP
++.B locate_log_t
++.EE
++
++- Set files with the locate_log_t type, if you want to treat the data as locate log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B locate_var_lib_t
++.EE
++
++- Set files with the locate_var_lib_t type, if you want to store the locate files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type locate_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B locate_var_lib_t
++
++ /var/lib/[sm]locate(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the locate_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the locate_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), locate(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/lockdev_selinux.8 b/man/man8/lockdev_selinux.8
+new file mode 100644
+index 0000000..8c5a3fe
+--- /dev/null
++++ b/man/man8/lockdev_selinux.8
+@@ -0,0 +1,102 @@
++.TH "lockdev_selinux" "8" "12-11-01" "lockdev" "SELinux Policy documentation for lockdev"
++.SH "NAME"
++lockdev_selinux \- Security Enhanced Linux Policy for the lockdev processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the lockdev processes via flexible mandatory access control.
++
++The lockdev processes execute with the lockdev_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep lockdev_t
++
++
++.SH "ENTRYPOINTS"
++
++The lockdev_t SELinux type can be entered via the "lockdev_exec_t" file type. The default entrypoint paths for the lockdev_t domain are the following:"
++
++/usr/sbin/lockdev
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux lockdev policy is very flexible allowing users to setup their lockdev processes in as secure a method as possible.
++.PP
++The following process types are defined for lockdev:
++
++.EX
++.B lockdev_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux lockdev policy is very flexible allowing users to setup their lockdev processes in as secure a method as possible.
++.PP
++The following file types are defined for lockdev:
++
++
++.EX
++.PP
++.B lockdev_exec_t
++.EE
++
++- Set files with the lockdev_exec_t type, if you want to transition an executable to the lockdev_t domain.
++
++
++.EX
++.PP
++.B lockdev_lock_t
++.EE
++
++- Set files with the lockdev_lock_t type, if you want to treat the files as lockdev lock data, stored under the /var/lock directory
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type lockdev_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B lockdev_lock_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), lockdev(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/logadm_selinux.8 b/man/man8/logadm_selinux.8
+new file mode 100644
+index 0000000..9e18695
+--- /dev/null
++++ b/man/man8/logadm_selinux.8
+@@ -0,0 +1,161 @@
++.TH "logadm_selinux" "8" "logadm" "mgrepl@redhat.com" "logadm SELinux Policy documentation"
++.SH "NAME"
++logadm_r \- \fBLog administrator role\fP - Security Enhanced Linux Policy
++
++.SH DESCRIPTION
++
++SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into.
++
++.I Note:
++Examples in this man page will use the
++.B staff_u
++SELinux user.
++
++Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them.
++
++The default type for the logadm_r role is logadm_t.
++
++The
++.B newrole
++program to transition directly to this role.
++
++.B newrole -r logadm_r -t logadm_t
++
++.B sudo
++is the preferred method to do transition from one role to another. You setup sudo to transition to logadm_r by adding a similar line to the /etc/sudoers file.
++
++USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
++
++.br
++sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL
++
++When using a a non login role, you need to setup SELinux so that your SELinux user can reach logadm_r role.
++
++Execute the following to see all of the assigned SELinux roles:
++
++.B semanage user -l
++
++You need to add logadm_r to the staff_u user. You could setup the staff_u user to be able to use the logadm_r role with a command like:
++
++.B $ semanage user -m -R 'staff_r system_r logadm_r' staff_u
++
++
++.SH "MANAGED FILES"
++
++The SELinux process type logadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B auditd_etc_t
++
++ /etc/audit(/.*)?
++.br
++
++.br
++.B auditd_log_t
++
++ /var/log/audit(/.*)?
++.br
++ /var/log/audit\.log
++.br
++
++.br
++.B auditd_unit_file_t
++
++ /usr/lib/systemd/system/auditd.*
++.br
++
++.br
++.B auditd_var_run_t
++
++ /var/run/auditd\.pid
++.br
++ /var/run/auditd_sock
++.br
++ /var/run/audit_events
++.br
++
++.br
++.B klogd_tmp_t
++
++
++.br
++.B klogd_var_run_t
++
++ /var/run/klogd\.pid
++.br
++
++.br
++.B logfile
++
++ all log files
++.br
++
++.br
++.B syslog_conf_t
++
++ /etc/syslog.conf
++.br
++ /etc/rsyslog.conf
++.br
++
++.br
++.B syslogd_tmp_t
++
++
++.br
++.B syslogd_var_lib_t
++
++ /var/lib/r?syslog(/.*)?
++.br
++ /var/lib/syslog-ng(/.*)?
++.br
++ /var/lib/syslog-ng.persist
++.br
++
++.br
++.B syslogd_var_run_t
++
++ /var/run/log(/.*)?
++.br
++ /var/run/syslog-ng.ctl
++.br
++ /var/log/syslog-ng(/.*)?
++.br
++ /var/run/syslog-ng(/.*)?
++.br
++ /var/run/systemd/journal(/.*)?
++.br
++ /var/run/metalog\.pid
++.br
++ /var/run/syslogd\.pid
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), logadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/logrotate_selinux.8 b/man/man8/logrotate_selinux.8
+new file mode 100644
+index 0000000..b7cec54
+--- /dev/null
++++ b/man/man8/logrotate_selinux.8
+@@ -0,0 +1,198 @@
++.TH "logrotate_selinux" "8" "12-11-01" "logrotate" "SELinux Policy documentation for logrotate"
++.SH "NAME"
++logrotate_selinux \- Security Enhanced Linux Policy for the logrotate processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the logrotate processes via flexible mandatory access control.
++
++The logrotate processes execute with the logrotate_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep logrotate_t
++
++
++.SH "ENTRYPOINTS"
++
++The logrotate_t SELinux type can be entered via the "logrotate_exec_t" file type. The default entrypoint paths for the logrotate_t domain are the following:"
++
++/etc/cron\.(daily|weekly)/sysklogd, /usr/sbin/logrotate
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux logrotate policy is very flexible allowing users to setup their logrotate processes in as secure a method as possible.
++.PP
++The following process types are defined for logrotate:
++
++.EX
++.B logrotate_t, logrotate_mail_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux logrotate policy is very flexible allowing users to setup their logrotate processes in as secure a method as possible.
++.PP
++The following file types are defined for logrotate:
++
++
++.EX
++.PP
++.B logrotate_exec_t
++.EE
++
++- Set files with the logrotate_exec_t type, if you want to transition an executable to the logrotate_t domain.
++
++
++.EX
++.PP
++.B logrotate_lock_t
++.EE
++
++- Set files with the logrotate_lock_t type, if you want to treat the files as logrotate lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B logrotate_mail_tmp_t
++.EE
++
++- Set files with the logrotate_mail_tmp_t type, if you want to store logrotate mail temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B logrotate_tmp_t
++.EE
++
++- Set files with the logrotate_tmp_t type, if you want to store logrotate temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B logrotate_var_lib_t
++.EE
++
++- Set files with the logrotate_var_lib_t type, if you want to store the logrotate files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type logrotate_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B abrt_var_cache_t
++
++ /var/cache/abrt(/.*)?
++.br
++ /var/spool/abrt(/.*)?
++.br
++ /var/cache/abrt-di(/.*)?
++.br
++
++.br
++.B logfile
++
++ all log files
++.br
++
++.br
++.B logrotate_lock_t
++
++
++.br
++.B logrotate_tmp_t
++
++
++.br
++.B logrotate_var_lib_t
++
++ /var/lib/logrotate\.status
++.br
++
++.br
++.B named_cache_t
++
++ /var/named/data(/.*)?
++.br
++ /var/named/slaves(/.*)?
++.br
++ /var/named/dynamic(/.*)?
++.br
++ /var/named/chroot/var/tmp(/.*)?
++.br
++ /var/named/chroot/var/named/data(/.*)?
++.br
++ /var/named/chroot/var/named/slaves(/.*)?
++.br
++ /var/named/chroot/var/named/dynamic(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B var_spool_t
++
++ /var/spool(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the logrotate_t, logrotate_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the logrotate_t, logrotate_mail_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), logrotate(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/logwatch_selinux.8 b/man/man8/logwatch_selinux.8
+new file mode 100644
+index 0000000..bc7bf81
+--- /dev/null
++++ b/man/man8/logwatch_selinux.8
+@@ -0,0 +1,170 @@
++.TH "logwatch_selinux" "8" "12-11-01" "logwatch" "SELinux Policy documentation for logwatch"
++.SH "NAME"
++logwatch_selinux \- Security Enhanced Linux Policy for the logwatch processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the logwatch processes via flexible mandatory access control.
++
++The logwatch processes execute with the logwatch_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep logwatch_t
++
++
++.SH "ENTRYPOINTS"
++
++The logwatch_t SELinux type can be entered via the "logwatch_exec_t" file type. The default entrypoint paths for the logwatch_t domain are the following:"
++
++/usr/sbin/epylog, /usr/sbin/logcheck, /usr/share/logwatch/scripts/logwatch\.pl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux logwatch policy is very flexible allowing users to setup their logwatch processes in as secure a method as possible.
++.PP
++The following process types are defined for logwatch:
++
++.EX
++.B logwatch_t, logwatch_mail_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux logwatch policy is very flexible allowing users to setup their logwatch processes in as secure a method as possible.
++.PP
++The following file types are defined for logwatch:
++
++
++.EX
++.PP
++.B logwatch_cache_t
++.EE
++
++- Set files with the logwatch_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B logwatch_exec_t
++.EE
++
++- Set files with the logwatch_exec_t type, if you want to transition an executable to the logwatch_t domain.
++
++
++.EX
++.PP
++.B logwatch_lock_t
++.EE
++
++- Set files with the logwatch_lock_t type, if you want to treat the files as logwatch lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B logwatch_mail_tmp_t
++.EE
++
++- Set files with the logwatch_mail_tmp_t type, if you want to store logwatch mail temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B logwatch_tmp_t
++.EE
++
++- Set files with the logwatch_tmp_t type, if you want to store logwatch temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B logwatch_var_run_t
++.EE
++
++- Set files with the logwatch_var_run_t type, if you want to store the logwatch files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type logwatch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B logwatch_cache_t
++
++ /var/lib/epylog(/.*)?
++.br
++ /var/lib/logcheck(/.*)?
++.br
++ /var/cache/logwatch(/.*)?
++.br
++
++.br
++.B logwatch_lock_t
++
++ /var/log/logcheck/.+
++.br
++
++.br
++.B logwatch_tmp_t
++
++
++.br
++.B logwatch_var_run_t
++
++ /var/run/epylog\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the logwatch_mail_t, logwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the logwatch_mail_t, logwatch_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), logwatch(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/lpd_selinux.8 b/man/man8/lpd_selinux.8
+new file mode 100644
+index 0000000..0b08fa7
+--- /dev/null
++++ b/man/man8/lpd_selinux.8
+@@ -0,0 +1,164 @@
++.TH "lpd_selinux" "8" "12-11-01" "lpd" "SELinux Policy documentation for lpd"
++.SH "NAME"
++lpd_selinux \- Security Enhanced Linux Policy for the lpd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the lpd processes via flexible mandatory access control.
++
++The lpd processes execute with the lpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep lpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The lpd_t SELinux type can be entered via the "lpd_exec_t" file type. The default entrypoint paths for the lpd_t domain are the following:"
++
++/usr/sbin/lpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux lpd policy is very flexible allowing users to setup their lpd processes in as secure a method as possible.
++.PP
++The following process types are defined for lpd:
++
++.EX
++.B lpd_t, lpr_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. lpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lpd with the tightest access possible.
++
++
++.PP
++If you want to use lpd server instead of cups, you must turn on the use_lpd_server boolean.
++
++.EX
++.B setsebool -P use_lpd_server 1
++.EE
++
++.PP
++If you want to use lpd server instead of cups, you must turn on the use_lpd_server boolean.
++
++.EX
++.B setsebool -P use_lpd_server 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux lpd policy is very flexible allowing users to setup their lpd processes in as secure a method as possible.
++.PP
++The following file types are defined for lpd:
++
++
++.EX
++.PP
++.B lpd_exec_t
++.EE
++
++- Set files with the lpd_exec_t type, if you want to transition an executable to the lpd_t domain.
++
++
++.EX
++.PP
++.B lpd_tmp_t
++.EE
++
++- Set files with the lpd_tmp_t type, if you want to store lpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B lpd_var_run_t
++.EE
++
++- Set files with the lpd_var_run_t type, if you want to store the lpd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type lpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B lpd_tmp_t
++
++
++.br
++.B lpd_var_run_t
++
++ /var/run/lprng(/.*)?
++.br
++ /var/spool/turboprint(/.*)?
++.br
++
++.br
++.B print_spool_t
++
++ /var/spool/lpd(/.*)?
++.br
++ /var/spool/cups(/.*)?
++.br
++ /var/spool/cups-pdf(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), lpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), lpr_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/lpr_selinux.8 b/man/man8/lpr_selinux.8
+new file mode 100644
+index 0000000..2aa3249
+--- /dev/null
++++ b/man/man8/lpr_selinux.8
+@@ -0,0 +1,108 @@
++.TH "lpr_selinux" "8" "12-11-01" "lpr" "SELinux Policy documentation for lpr"
++.SH "NAME"
++lpr_selinux \- Security Enhanced Linux Policy for the lpr processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the lpr processes via flexible mandatory access control.
++
++The lpr processes execute with the lpr_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep lpr_t
++
++
++.SH "ENTRYPOINTS"
++
++The lpr_t SELinux type can be entered via the "lpr_exec_t" file type. The default entrypoint paths for the lpr_t domain are the following:"
++
++/usr/bin/lp(\.cups)?, /usr/bin/lpq(\.cups)?, /usr/bin/lpr(\.cups)?, /usr/bin/lprm(\.cups)?, /usr/sbin/lpc(\.cups)?, /usr/bin/cancel(\.cups)?, /usr/bin/lpstat(\.cups)?, /opt/gutenprint/s?bin(/.*)?, /usr/linuxprinter/bin/l?lpr, /usr/sbin/accept, /usr/sbin/lpinfo, /usr/sbin/lpmove, /usr/sbin/lpadmin, /usr/bin/lpoptions
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux lpr policy is very flexible allowing users to setup their lpr processes in as secure a method as possible.
++.PP
++The following process types are defined for lpr:
++
++.EX
++.B lpr_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux lpr policy is very flexible allowing users to setup their lpr processes in as secure a method as possible.
++.PP
++The following file types are defined for lpr:
++
++
++.EX
++.PP
++.B lpr_exec_t
++.EE
++
++- Set files with the lpr_exec_t type, if you want to transition an executable to the lpr_t domain.
++
++
++.EX
++.PP
++.B lpr_tmp_t
++.EE
++
++- Set files with the lpr_tmp_t type, if you want to store lpr temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), lpr(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/lsassd_selinux.8 b/man/man8/lsassd_selinux.8
+new file mode 100644
+index 0000000..9b130b2
+--- /dev/null
++++ b/man/man8/lsassd_selinux.8
+@@ -0,0 +1,264 @@
++.TH "lsassd_selinux" "8" "12-11-01" "lsassd" "SELinux Policy documentation for lsassd"
++.SH "NAME"
++lsassd_selinux \- Security Enhanced Linux Policy for the lsassd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the lsassd processes via flexible mandatory access control.
++
++The lsassd processes execute with the lsassd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep lsassd_t
++
++
++.SH "ENTRYPOINTS"
++
++The lsassd_t SELinux type can be entered via the "lsassd_exec_t" file type. The default entrypoint paths for the lsassd_t domain are the following:"
++
++/usr/sbin/lsassd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux lsassd policy is very flexible allowing users to setup their lsassd processes in as secure a method as possible.
++.PP
++The following process types are defined for lsassd:
++
++.EX
++.B lsassd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux lsassd policy is very flexible allowing users to setup their lsassd processes in as secure a method as possible.
++.PP
++The following file types are defined for lsassd:
++
++
++.EX
++.PP
++.B lsassd_exec_t
++.EE
++
++- Set files with the lsassd_exec_t type, if you want to transition an executable to the lsassd_t domain.
++
++
++.EX
++.PP
++.B lsassd_tmp_t
++.EE
++
++- Set files with the lsassd_tmp_t type, if you want to store lsassd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B lsassd_var_lib_t
++.EE
++
++- Set files with the lsassd_var_lib_t type, if you want to store the lsassd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B lsassd_var_run_t
++.EE
++
++- Set files with the lsassd_var_run_t type, if you want to store the lsassd files under the /run directory.
++
++
++.EX
++.PP
++.B lsassd_var_socket_t
++.EE
++
++- Set files with the lsassd_var_socket_t type, if you want to treat the files as lsassd var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type lsassd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B etc_t
++
++ /etc/.*
++.br
++ /var/db/.*\.db
++.br
++ /usr/etc(/.*)?
++.br
++ /var/ftp/etc(/.*)?
++.br
++ /var/lib/openshift/.limits.d(/.*)?
++.br
++ /var/lib/openshift/.openshift-proxy.d(/.*)?
++.br
++ /var/lib/openshift/.stickshift-proxy.d(/.*)?
++.br
++ /var/lib/stickshift/.limits.d(/.*)?
++.br
++ /var/lib/stickshift/.stickshift-proxy.d(/.*)?
++.br
++ /var/named/chroot/etc(/.*)?
++.br
++ /etc/ipsec\.d/examples(/.*)?
++.br
++ /var/spool/postfix/etc(/.*)?
++.br
++ /etc
++.br
++ /etc/cups/client\.conf
++.br
++
++.br
++.B krb5_keytab_t
++
++ /etc/krb5\.keytab
++.br
++ /etc/krb5kdc/kadm5\.keytab
++.br
++ /var/kerberos/krb5kdc/kadm5\.keytab
++.br
++
++.br
++.B likewise_etc_t
++
++ /etc/likewise-open(/.*)?
++.br
++
++.br
++.B lsassd_tmp_t
++
++
++.br
++.B lsassd_var_lib_t
++
++ /var/lib/likewise-open/lsasd\.err
++.br
++ /var/lib/likewise-open/db/sam\.db
++.br
++ /var/lib/likewise-open/krb5ccr_lsass
++.br
++ /var/lib/likewise-open/db/lsass-adcache\.db
++.br
++ /var/lib/likewise-open/db/lsass-adstate\.filedb
++.br
++
++.br
++.B lsassd_var_run_t
++
++ /var/run/lsassd.pid
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), lsassd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/lvm_selinux.8 b/man/man8/lvm_selinux.8
+new file mode 100644
+index 0000000..9793bb8
+--- /dev/null
++++ b/man/man8/lvm_selinux.8
+@@ -0,0 +1,236 @@
++.TH "lvm_selinux" "8" "12-11-01" "lvm" "SELinux Policy documentation for lvm"
++.SH "NAME"
++lvm_selinux \- Security Enhanced Linux Policy for the lvm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the lvm processes via flexible mandatory access control.
++
++The lvm processes execute with the lvm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep lvm_t
++
++
++.SH "ENTRYPOINTS"
++
++The lvm_t SELinux type can be entered via the "lvm_exec_t" file type. The default entrypoint paths for the lvm_t domain are the following:"
++
++/lib/lvm-10/.*, /lib/lvm-200/.*, /usr/lib/lvm-10/.*, /usr/lib/lvm-200/.*, /sbin/lvm, /sbin/lvs, /sbin/pvs, /sbin/vgs, /sbin/vgck, /sbin/dmraid, /sbin/kpartx, /sbin/lvmsar, /sbin/lvscan, /sbin/pvdata, /sbin/pvmove, /sbin/pvscan, /sbin/vgscan, /sbin/dmsetup, /sbin/e2fsadm, /sbin/lvmetad, /sbin/lvmsadc, /sbin/vgmerge, /sbin/vgsplit, /usr/sbin/lvm, /usr/sbin/lvs, /usr/sbin/pvs, /usr/sbin/vgs, /sbin/lvchange, /sbin/lvcreate, /sbin/lvextend, /sbin/lvreduce, /sbin/lvremove, /sbin/lvrename, /sbin/lvresize, /sbin/pvchange, /sbin/pvcreate, /sbin/pvremove, /sbin/vgchange, /sbin/vgcreate, /sbin/vgexport, /sbin/vgextend, /sbin/vgimport, /sbin/vgreduce, /sbin/vgremove, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /sbin/lvmchange, /sbin/pvdisplay, /sbin/vgdisplay, /sbin/vgmknodes, /sbin/vgwrapper, /sbin/cryptsetup, /sbin/lvm\.static, /sbin/multipathd, /usr/sbin/dmraid, /usr/sbin/kpartx, /usr/sbin/lvmsar, /usr/sbin/lvscan, /usr/sbin/pvdata, /usr/sbin/pvmove, /usr/sbin/pvscan, /usr/sbin/vgscan, /sbin/mount\.crypt, /sbin/lvmdiskscan, /sbin/vgcfgbackup, /usr/sbin/dmsetup, /usr/sbin/e2fsadm, /usr/sbin/lvmetad, /usr/sbin/lvmsadc, /usr/sbin/vgmerge, /usr/sbin/vgsplit, /sbin/vgcfgrestore, /usr/sbin/dmeventd, /usr/sbin/lvchange, /usr/sbin/lvcreate, /usr/sbin/lvextend, /usr/sbin/lvreduce, /usr/sbin/lvremove, /usr/sbin/lvrename, /usr/sbin/lvresize, /usr/sbin/pvchange, /usr/sbin/pvcreate, /usr/sbin/pvremove, /usr/sbin/vgchange, /usr/sbin/vgcreate, /usr/sbin/vgexport, /usr/sbin/vgextend, /usr/sbin/vgimport, /usr/sbin/vgreduce, /usr/sbin/vgremove, /usr/sbin/vgrename, /sbin/lvmiopversion, /sbin/vgscan\.static, /usr/sbin/lvdisplay, /usr/sbin/lvmchange, /usr/sbin/pvdisplay, /usr/sbin/vgdisplay, /usr/sbin/vgmknodes, /usr/sbin/vgwrapper, /sbin/dmsetup\.static, /usr/sbin/cryptsetup, /usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/vgchange\.static, /usr/sbin/lvmdiskscan, /usr/sbin/mount\.crypt, /usr/sbin/vgcfgbackup, /sbin/multipath\.static, /usr/sbin/vgcfgrestore, /usr/sbin/lvmiopversion, /usr/sbin/vgscan\.static, /usr/sbin/dmsetup\.static, /usr/sbin/vgchange\.static, /usr/sbin/multipath\.static, /lib/udev/udisks-lvm-pv-export, /usr/lib/udev/udisks-lvm-pv-export, /usr/lib/systemd/systemd-cryptsetup
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux lvm policy is very flexible allowing users to setup their lvm processes in as secure a method as possible.
++.PP
++The following process types are defined for lvm:
++
++.EX
++.B lvm_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux lvm policy is very flexible allowing users to setup their lvm processes in as secure a method as possible.
++.PP
++The following file types are defined for lvm:
++
++
++.EX
++.PP
++.B lvm_etc_t
++.EE
++
++- Set files with the lvm_etc_t type, if you want to store lvm files in the /etc directories.
++
++
++.EX
++.PP
++.B lvm_exec_t
++.EE
++
++- Set files with the lvm_exec_t type, if you want to transition an executable to the lvm_t domain.
++
++
++.EX
++.PP
++.B lvm_lock_t
++.EE
++
++- Set files with the lvm_lock_t type, if you want to treat the files as lvm lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B lvm_metadata_t
++.EE
++
++- Set files with the lvm_metadata_t type, if you want to treat the files as lvm metadata data.
++
++
++.EX
++.PP
++.B lvm_tmp_t
++.EE
++
++- Set files with the lvm_tmp_t type, if you want to store lvm temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B lvm_var_lib_t
++.EE
++
++- Set files with the lvm_var_lib_t type, if you want to store the lvm files under the /var/lib directory.
++
++
++.EX
++.PP
++.B lvm_var_run_t
++.EE
++
++- Set files with the lvm_var_run_t type, if you want to store the lvm files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type lvm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B device_t
++
++ /dev/.*
++.br
++ /lib/udev/devices(/.*)?
++.br
++ /usr/lib/udev/devices(/.*)?
++.br
++ /dev
++.br
++ /etc/udev/devices
++.br
++ /var/named/chroot/dev
++.br
++ /var/spool/postfix/dev
++.br
++
++.br
++.B lvm_lock_t
++
++ /etc/lvm/lock(/.*)?
++.br
++ /var/lock/lvm(/.*)?
++.br
++
++.br
++.B lvm_metadata_t
++
++ /etc/lvmtab(/.*)?
++.br
++ /etc/lvmtab\.d(/.*)?
++.br
++ /etc/lvm/cache(/.*)?
++.br
++ /etc/lvm/backup(/.*)?
++.br
++ /etc/lvm/archive(/.*)?
++.br
++ /var/cache/multipathd(/.*)?
++.br
++ /etc/lvm/\.cache
++.br
++
++.br
++.B lvm_tmp_t
++
++
++.br
++.B lvm_var_lib_t
++
++ /var/lib/multipath(/.*)?
++.br
++
++.br
++.B lvm_var_run_t
++
++ /var/run/lvm(/.*)?
++.br
++ /var/run/dmevent.*
++.br
++ /var/run/multipathd\.sock
++.br
++
++.br
++.B rpm_script_tmp_t
++
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B virt_image_type
++
++ all virtual image files
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), lvm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/lwiod_selinux.8 b/man/man8/lwiod_selinux.8
+new file mode 100644
+index 0000000..249014f
+--- /dev/null
++++ b/man/man8/lwiod_selinux.8
+@@ -0,0 +1,130 @@
++.TH "lwiod_selinux" "8" "12-11-01" "lwiod" "SELinux Policy documentation for lwiod"
++.SH "NAME"
++lwiod_selinux \- Security Enhanced Linux Policy for the lwiod processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the lwiod processes via flexible mandatory access control.
++
++The lwiod processes execute with the lwiod_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep lwiod_t
++
++
++.SH "ENTRYPOINTS"
++
++The lwiod_t SELinux type can be entered via the "lwiod_exec_t" file type. The default entrypoint paths for the lwiod_t domain are the following:"
++
++/usr/sbin/lwiod
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux lwiod policy is very flexible allowing users to setup their lwiod processes in as secure a method as possible.
++.PP
++The following process types are defined for lwiod:
++
++.EX
++.B lwiod_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux lwiod policy is very flexible allowing users to setup their lwiod processes in as secure a method as possible.
++.PP
++The following file types are defined for lwiod:
++
++
++.EX
++.PP
++.B lwiod_exec_t
++.EE
++
++- Set files with the lwiod_exec_t type, if you want to transition an executable to the lwiod_t domain.
++
++
++.EX
++.PP
++.B lwiod_var_lib_t
++.EE
++
++- Set files with the lwiod_var_lib_t type, if you want to store the lwiod files under the /var/lib directory.
++
++
++.EX
++.PP
++.B lwiod_var_run_t
++.EE
++
++- Set files with the lwiod_var_run_t type, if you want to store the lwiod files under the /run directory.
++
++
++.EX
++.PP
++.B lwiod_var_socket_t
++.EE
++
++- Set files with the lwiod_var_socket_t type, if you want to treat the files as lwiod var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type lwiod_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B krb5_conf_t
++
++ /etc/krb5\.conf
++.br
++
++.br
++.B lwiod_var_lib_t
++
++
++.br
++.B lwiod_var_run_t
++
++ /var/run/lwiod.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), lwiod(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/lwregd_selinux.8 b/man/man8/lwregd_selinux.8
+new file mode 100644
+index 0000000..9bc985a
+--- /dev/null
++++ b/man/man8/lwregd_selinux.8
+@@ -0,0 +1,128 @@
++.TH "lwregd_selinux" "8" "12-11-01" "lwregd" "SELinux Policy documentation for lwregd"
++.SH "NAME"
++lwregd_selinux \- Security Enhanced Linux Policy for the lwregd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the lwregd processes via flexible mandatory access control.
++
++The lwregd processes execute with the lwregd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep lwregd_t
++
++
++.SH "ENTRYPOINTS"
++
++The lwregd_t SELinux type can be entered via the "lwregd_exec_t" file type. The default entrypoint paths for the lwregd_t domain are the following:"
++
++/usr/sbin/lwregd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux lwregd policy is very flexible allowing users to setup their lwregd processes in as secure a method as possible.
++.PP
++The following process types are defined for lwregd:
++
++.EX
++.B lwregd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux lwregd policy is very flexible allowing users to setup their lwregd processes in as secure a method as possible.
++.PP
++The following file types are defined for lwregd:
++
++
++.EX
++.PP
++.B lwregd_exec_t
++.EE
++
++- Set files with the lwregd_exec_t type, if you want to transition an executable to the lwregd_t domain.
++
++
++.EX
++.PP
++.B lwregd_var_lib_t
++.EE
++
++- Set files with the lwregd_var_lib_t type, if you want to store the lwregd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B lwregd_var_run_t
++.EE
++
++- Set files with the lwregd_var_run_t type, if you want to store the lwregd files under the /run directory.
++
++
++.EX
++.PP
++.B lwregd_var_socket_t
++.EE
++
++- Set files with the lwregd_var_socket_t type, if you want to treat the files as lwregd var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type lwregd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B lwregd_var_lib_t
++
++ /var/lib/likewise-open/regsd\.err
++.br
++ /var/lib/likewise-open/db/registry\.db
++.br
++
++.br
++.B lwregd_var_run_t
++
++ /var/run/lwregd.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), lwregd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/lwsmd_selinux.8 b/man/man8/lwsmd_selinux.8
+new file mode 100644
+index 0000000..82a32da
+--- /dev/null
++++ b/man/man8/lwsmd_selinux.8
+@@ -0,0 +1,122 @@
++.TH "lwsmd_selinux" "8" "12-11-01" "lwsmd" "SELinux Policy documentation for lwsmd"
++.SH "NAME"
++lwsmd_selinux \- Security Enhanced Linux Policy for the lwsmd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the lwsmd processes via flexible mandatory access control.
++
++The lwsmd processes execute with the lwsmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep lwsmd_t
++
++
++.SH "ENTRYPOINTS"
++
++The lwsmd_t SELinux type can be entered via the "lwsmd_exec_t" file type. The default entrypoint paths for the lwsmd_t domain are the following:"
++
++/usr/sbin/lwsmd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux lwsmd policy is very flexible allowing users to setup their lwsmd processes in as secure a method as possible.
++.PP
++The following process types are defined for lwsmd:
++
++.EX
++.B lwsmd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux lwsmd policy is very flexible allowing users to setup their lwsmd processes in as secure a method as possible.
++.PP
++The following file types are defined for lwsmd:
++
++
++.EX
++.PP
++.B lwsmd_exec_t
++.EE
++
++- Set files with the lwsmd_exec_t type, if you want to transition an executable to the lwsmd_t domain.
++
++
++.EX
++.PP
++.B lwsmd_var_lib_t
++.EE
++
++- Set files with the lwsmd_var_lib_t type, if you want to store the lwsmd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B lwsmd_var_run_t
++.EE
++
++- Set files with the lwsmd_var_run_t type, if you want to store the lwsmd files under the /run directory.
++
++
++.EX
++.PP
++.B lwsmd_var_socket_t
++.EE
++
++- Set files with the lwsmd_var_socket_t type, if you want to treat the files as lwsmd var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type lwsmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B lwsmd_var_lib_t
++
++
++.br
++.B lwsmd_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), lwsmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/mail_munin_plugin_selinux.8 b/man/man8/mail_munin_plugin_selinux.8
+new file mode 100644
+index 0000000..fc8cf0a
+--- /dev/null
++++ b/man/man8/mail_munin_plugin_selinux.8
+@@ -0,0 +1,115 @@
++.TH "mail_munin_plugin_selinux" "8" "12-11-01" "mail_munin_plugin" "SELinux Policy documentation for mail_munin_plugin"
++.SH "NAME"
++mail_munin_plugin_selinux \- Security Enhanced Linux Policy for the mail_munin_plugin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mail_munin_plugin processes via flexible mandatory access control.
++
++The mail_munin_plugin processes execute with the mail_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mail_munin_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The mail_munin_plugin_t SELinux type can be entered via the "mail_munin_plugin_exec_t" file type. The default entrypoint paths for the mail_munin_plugin_t domain are the following:"
++
++/usr/share/munin/plugins/qmail.*, /usr/share/munin/plugins/exim_mail.*, /usr/share/munin/plugins/sendmail_.*, /usr/share/munin/plugins/courier_mta_.*, /usr/share/munin/plugins/postfix_mail.*, /usr/share/munin/plugins/mailman, /usr/share/munin/plugins/mailscanner
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mail_munin_plugin policy is very flexible allowing users to setup their mail_munin_plugin processes in as secure a method as possible.
++.PP
++The following process types are defined for mail_munin_plugin:
++
++.EX
++.B mail_munin_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mail_munin_plugin policy is very flexible allowing users to setup their mail_munin_plugin processes in as secure a method as possible.
++.PP
++The following file types are defined for mail_munin_plugin:
++
++
++.EX
++.PP
++.B mail_munin_plugin_exec_t
++.EE
++
++- Set files with the mail_munin_plugin_exec_t type, if you want to transition an executable to the mail_munin_plugin_t domain.
++
++
++.EX
++.PP
++.B mail_munin_plugin_tmp_t
++.EE
++
++- Set files with the mail_munin_plugin_tmp_t type, if you want to store mail munin plugin temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mail_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mail_munin_plugin_tmp_t
++
++
++.br
++.B munin_plugin_state_t
++
++ /var/lib/munin/plugin-state(/.*)?
++.br
++
++.br
++.B munin_var_lib_t
++
++ /var/lib/munin(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mail_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, mailman_cgi_selinux(8), mailman_mail_selinux(8), mailman_queue_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/mailman_cgi_selinux.8 b/man/man8/mailman_cgi_selinux.8
+new file mode 100644
+index 0000000..3314d81
+--- /dev/null
++++ b/man/man8/mailman_cgi_selinux.8
+@@ -0,0 +1,145 @@
++.TH "mailman_cgi_selinux" "8" "12-11-01" "mailman_cgi" "SELinux Policy documentation for mailman_cgi"
++.SH "NAME"
++mailman_cgi_selinux \- Security Enhanced Linux Policy for the mailman_cgi processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mailman_cgi processes via flexible mandatory access control.
++
++The mailman_cgi processes execute with the mailman_cgi_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mailman_cgi_t
++
++
++.SH "ENTRYPOINTS"
++
++The mailman_cgi_t SELinux type can be entered via the "mailman_cgi_exec_t" file type. The default entrypoint paths for the mailman_cgi_t domain are the following:"
++
++/usr/lib/mailman.*/cgi-bin/.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mailman_cgi policy is very flexible allowing users to setup their mailman_cgi processes in as secure a method as possible.
++.PP
++The following process types are defined for mailman_cgi:
++
++.EX
++.B mailman_cgi_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mailman_cgi policy is very flexible allowing users to setup their mailman_cgi processes in as secure a method as possible.
++.PP
++The following file types are defined for mailman_cgi:
++
++
++.EX
++.PP
++.B mailman_cgi_exec_t
++.EE
++
++- Set files with the mailman_cgi_exec_t type, if you want to transition an executable to the mailman_cgi_t domain.
++
++
++.EX
++.PP
++.B mailman_cgi_tmp_t
++.EE
++
++- Set files with the mailman_cgi_tmp_t type, if you want to store mailman cgi temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mailman_cgi_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mailman_archive_t
++
++ /var/lib/mailman.*/archives(/.*)?
++.br
++
++.br
++.B mailman_cgi_tmp_t
++
++
++.br
++.B mailman_data_t
++
++ /etc/mailman.*
++.br
++ /var/lib/mailman.*
++.br
++ /var/spool/mailman.*
++.br
++
++.br
++.B mailman_lock_t
++
++ /var/lock/mailman.*
++.br
++
++.br
++.B mailman_log_t
++
++ /var/log/mailman.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_cgi_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mailman_cgi_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mailman_cgi(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, mailman_mail_selinux(8), mailman_queue_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/mailman_mail_selinux.8 b/man/man8/mailman_mail_selinux.8
+new file mode 100644
+index 0000000..e86936f
+--- /dev/null
++++ b/man/man8/mailman_mail_selinux.8
+@@ -0,0 +1,155 @@
++.TH "mailman_mail_selinux" "8" "12-11-01" "mailman_mail" "SELinux Policy documentation for mailman_mail"
++.SH "NAME"
++mailman_mail_selinux \- Security Enhanced Linux Policy for the mailman_mail processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mailman_mail processes via flexible mandatory access control.
++
++The mailman_mail processes execute with the mailman_mail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mailman_mail_t
++
++
++.SH "ENTRYPOINTS"
++
++The mailman_mail_t SELinux type can be entered via the "mailman_mail_exec_t" file type. The default entrypoint paths for the mailman_mail_t domain are the following:"
++
++/usr/lib/mailman.*/mail/mailman, /usr/lib/mailman.*/bin/mailmanctl, /usr/lib/mailman.*/scripts/mailman, /usr/lib/mailman.*/bin/mm-handler.*, /usr/share/doc/mailman.*/mm-handler.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mailman_mail policy is very flexible allowing users to setup their mailman_mail processes in as secure a method as possible.
++.PP
++The following process types are defined for mailman_mail:
++
++.EX
++.B mailman_mail_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mailman_mail policy is very flexible allowing users to setup their mailman_mail processes in as secure a method as possible.
++.PP
++The following file types are defined for mailman_mail:
++
++
++.EX
++.PP
++.B mailman_mail_exec_t
++.EE
++
++- Set files with the mailman_mail_exec_t type, if you want to transition an executable to the mailman_mail_t domain.
++
++
++.EX
++.PP
++.B mailman_mail_tmp_t
++.EE
++
++- Set files with the mailman_mail_tmp_t type, if you want to store mailman mail temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mailman_mail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B mailman_archive_t
++
++ /var/lib/mailman.*/archives(/.*)?
++.br
++
++.br
++.B mailman_data_t
++
++ /etc/mailman.*
++.br
++ /var/lib/mailman.*
++.br
++ /var/spool/mailman.*
++.br
++
++.br
++.B mailman_lock_t
++
++ /var/lock/mailman.*
++.br
++
++.br
++.B mailman_log_t
++
++ /var/log/mailman.*
++.br
++
++.br
++.B mailman_mail_tmp_t
++
++
++.br
++.B mailman_var_run_t
++
++ /var/run/mailman.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mailman_mail_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mailman_mail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, mailman_cgi_selinux(8), mailman_queue_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/mailman_queue_selinux.8 b/man/man8/mailman_queue_selinux.8
+new file mode 100644
+index 0000000..b1d3963
+--- /dev/null
++++ b/man/man8/mailman_queue_selinux.8
+@@ -0,0 +1,171 @@
++.TH "mailman_queue_selinux" "8" "12-11-01" "mailman_queue" "SELinux Policy documentation for mailman_queue"
++.SH "NAME"
++mailman_queue_selinux \- Security Enhanced Linux Policy for the mailman_queue processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mailman_queue processes via flexible mandatory access control.
++
++The mailman_queue processes execute with the mailman_queue_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mailman_queue_t
++
++
++.SH "ENTRYPOINTS"
++
++The mailman_queue_t SELinux type can be entered via the "mailman_queue_exec_t" file type. The default entrypoint paths for the mailman_queue_t domain are the following:"
++
++/usr/lib/mailman.*/cron/.*, /usr/lib/mailman.*/bin/qrunner
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mailman_queue policy is very flexible allowing users to setup their mailman_queue processes in as secure a method as possible.
++.PP
++The following process types are defined for mailman_queue:
++
++.EX
++.B mailman_queue_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mailman_queue policy is very flexible allowing users to setup their mailman_queue processes in as secure a method as possible.
++.PP
++The following file types are defined for mailman_queue:
++
++
++.EX
++.PP
++.B mailman_queue_exec_t
++.EE
++
++- Set files with the mailman_queue_exec_t type, if you want to transition an executable to the mailman_queue_t domain.
++
++
++.EX
++.PP
++.B mailman_queue_tmp_t
++.EE
++
++- Set files with the mailman_queue_tmp_t type, if you want to store mailman queue temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mailman_queue_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B mailman_archive_t
++
++ /var/lib/mailman.*/archives(/.*)?
++.br
++
++.br
++.B mailman_data_t
++
++ /etc/mailman.*
++.br
++ /var/lib/mailman.*
++.br
++ /var/spool/mailman.*
++.br
++
++.br
++.B mailman_lock_t
++
++ /var/lock/mailman.*
++.br
++
++.br
++.B mailman_log_t
++
++ /var/log/mailman.*
++.br
++
++.br
++.B mailman_queue_tmp_t
++
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_queue_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mailman_queue_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mailman_queue(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, mailman_cgi_selinux(8), mailman_mail_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/mandb_selinux.8 b/man/man8/mandb_selinux.8
+new file mode 100644
+index 0000000..962bcc4
+--- /dev/null
++++ b/man/man8/mandb_selinux.8
+@@ -0,0 +1,104 @@
++.TH "mandb_selinux" "8" "12-11-01" "mandb" "SELinux Policy documentation for mandb"
++.SH "NAME"
++mandb_selinux \- Security Enhanced Linux Policy for the mandb processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mandb processes via flexible mandatory access control.
++
++The mandb processes execute with the mandb_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mandb_t
++
++
++.SH "ENTRYPOINTS"
++
++The mandb_t SELinux type can be entered via the "mandb_exec_t" file type. The default entrypoint paths for the mandb_t domain are the following:"
++
++/usr/bin/mandb
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mandb policy is very flexible allowing users to setup their mandb processes in as secure a method as possible.
++.PP
++The following process types are defined for mandb:
++
++.EX
++.B mandb_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mandb policy is very flexible allowing users to setup their mandb processes in as secure a method as possible.
++.PP
++The following file types are defined for mandb:
++
++
++.EX
++.PP
++.B mandb_cache_t
++.EE
++
++- Set files with the mandb_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B mandb_exec_t
++.EE
++
++- Set files with the mandb_exec_t type, if you want to transition an executable to the mandb_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mandb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mandb_cache_t
++
++ /var/cache/man(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mandb(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/mcelog_selinux.8 b/man/man8/mcelog_selinux.8
+new file mode 100644
+index 0000000..5259ce7
+--- /dev/null
++++ b/man/man8/mcelog_selinux.8
+@@ -0,0 +1,124 @@
++.TH "mcelog_selinux" "8" "12-11-01" "mcelog" "SELinux Policy documentation for mcelog"
++.SH "NAME"
++mcelog_selinux \- Security Enhanced Linux Policy for the mcelog processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mcelog processes via flexible mandatory access control.
++
++The mcelog processes execute with the mcelog_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mcelog_t
++
++
++.SH "ENTRYPOINTS"
++
++The mcelog_t SELinux type can be entered via the "mcelog_exec_t" file type. The default entrypoint paths for the mcelog_t domain are the following:"
++
++/usr/sbin/mcelog
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mcelog policy is very flexible allowing users to setup their mcelog processes in as secure a method as possible.
++.PP
++The following process types are defined for mcelog:
++
++.EX
++.B mcelog_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mcelog policy is very flexible allowing users to setup their mcelog processes in as secure a method as possible.
++.PP
++The following file types are defined for mcelog:
++
++
++.EX
++.PP
++.B mcelog_exec_t
++.EE
++
++- Set files with the mcelog_exec_t type, if you want to transition an executable to the mcelog_t domain.
++
++
++.EX
++.PP
++.B mcelog_log_t
++.EE
++
++- Set files with the mcelog_log_t type, if you want to treat the data as mcelog log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B mcelog_var_run_t
++.EE
++
++- Set files with the mcelog_var_run_t type, if you want to store the mcelog files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mcelog_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mcelog_log_t
++
++ /var/log/mcelog.*
++.br
++
++.br
++.B mcelog_var_run_t
++
++ /var/run/mcelog.*
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mcelog(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/mdadm_selinux.8 b/man/man8/mdadm_selinux.8
+new file mode 100644
+index 0000000..e023488
+--- /dev/null
++++ b/man/man8/mdadm_selinux.8
+@@ -0,0 +1,128 @@
++.TH "mdadm_selinux" "8" "12-11-01" "mdadm" "SELinux Policy documentation for mdadm"
++.SH "NAME"
++mdadm_selinux \- Security Enhanced Linux Policy for the mdadm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mdadm processes via flexible mandatory access control.
++
++The mdadm processes execute with the mdadm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mdadm_t
++
++
++.SH "ENTRYPOINTS"
++
++The mdadm_t SELinux type can be entered via the "mdadm_exec_t" file type. The default entrypoint paths for the mdadm_t domain are the following:"
++
++/sbin/mdadm, /sbin/mdmpd, /usr/sbin/mdadm, /usr/sbin/mdmpd, /usr/sbin/iprdump, /usr/sbin/iprinit, /usr/sbin/iprupdate, /usr/sbin/raid-check
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mdadm policy is very flexible allowing users to setup their mdadm processes in as secure a method as possible.
++.PP
++The following process types are defined for mdadm:
++
++.EX
++.B mdadm_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mdadm policy is very flexible allowing users to setup their mdadm processes in as secure a method as possible.
++.PP
++The following file types are defined for mdadm:
++
++
++.EX
++.PP
++.B mdadm_exec_t
++.EE
++
++- Set files with the mdadm_exec_t type, if you want to transition an executable to the mdadm_t domain.
++
++
++.EX
++.PP
++.B mdadm_var_run_t
++.EE
++
++- Set files with the mdadm_var_run_t type, if you want to store the mdadm files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mdadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mdadm_var_run_t
++
++ /dev/.mdadm\.map
++.br
++ /dev/md/.*
++.br
++ /var/run/mdadm(/.*)?
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mdadm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mdadm_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mdadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/memcached_selinux.8 b/man/man8/memcached_selinux.8
+new file mode 100644
+index 0000000..f286679
+--- /dev/null
++++ b/man/man8/memcached_selinux.8
+@@ -0,0 +1,178 @@
++.TH "memcached_selinux" "8" "12-11-01" "memcached" "SELinux Policy documentation for memcached"
++.SH "NAME"
++memcached_selinux \- Security Enhanced Linux Policy for the memcached processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the memcached processes via flexible mandatory access control.
++
++The memcached processes execute with the memcached_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep memcached_t
++
++
++.SH "ENTRYPOINTS"
++
++The memcached_t SELinux type can be entered via the "memcached_exec_t" file type. The default entrypoint paths for the memcached_t domain are the following:"
++
++/usr/bin/memcached
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux memcached policy is very flexible allowing users to setup their memcached processes in as secure a method as possible.
++.PP
++The following process types are defined for memcached:
++
++.EX
++.B memcached_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. memcached policy is extremely flexible and has several booleans that allow you to manipulate the policy and run memcached with the tightest access possible.
++
++
++.PP
++If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean.
++
++.EX
++.B setsebool -P httpd_can_network_memcache 1
++.EE
++
++.PP
++If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean.
++
++.EX
++.B setsebool -P httpd_can_network_memcache 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux memcached policy is very flexible allowing users to setup their memcached processes in as secure a method as possible.
++.PP
++The following file types are defined for memcached:
++
++
++.EX
++.PP
++.B memcached_exec_t
++.EE
++
++- Set files with the memcached_exec_t type, if you want to transition an executable to the memcached_t domain.
++
++
++.EX
++.PP
++.B memcached_initrc_exec_t
++.EE
++
++- Set files with the memcached_initrc_exec_t type, if you want to transition an executable to the memcached_initrc_t domain.
++
++
++.EX
++.PP
++.B memcached_var_run_t
++.EE
++
++- Set files with the memcached_var_run_t type, if you want to store the memcached files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux memcached policy is very flexible allowing users to setup their memcached processes in as secure a method as possible.
++.PP
++The following port types are defined for memcached:
++
++.EX
++.TP 5
++.B memcache_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 11211
++.EE
++udp 11211
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type memcached_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B memcached_var_run_t
++
++ /var/run/memcached(/.*)?
++.br
++ /var/run/ipa_memcached(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the memcached_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the memcached_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), memcached(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/mencoder_selinux.8 b/man/man8/mencoder_selinux.8
+new file mode 100644
+index 0000000..70bc6e1
+--- /dev/null
++++ b/man/man8/mencoder_selinux.8
+@@ -0,0 +1,100 @@
++.TH "mencoder_selinux" "8" "12-11-01" "mencoder" "SELinux Policy documentation for mencoder"
++.SH "NAME"
++mencoder_selinux \- Security Enhanced Linux Policy for the mencoder processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mencoder processes via flexible mandatory access control.
++
++The mencoder processes execute with the mencoder_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mencoder_t
++
++
++.SH "ENTRYPOINTS"
++
++The mencoder_t SELinux type can be entered via the "mencoder_exec_t" file type. The default entrypoint paths for the mencoder_t domain are the following:"
++
++/usr/bin/mencoder
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mencoder policy is very flexible allowing users to setup their mencoder processes in as secure a method as possible.
++.PP
++The following process types are defined for mencoder:
++
++.EX
++.B mencoder_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mencoder policy is very flexible allowing users to setup their mencoder processes in as secure a method as possible.
++.PP
++The following file types are defined for mencoder:
++
++
++.EX
++.PP
++.B mencoder_exec_t
++.EE
++
++- Set files with the mencoder_exec_t type, if you want to transition an executable to the mencoder_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mencoder_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mplayer_home_t
++
++ /home/[^/]*/\.mplayer(/.*)?
++.br
++ /home/dwalsh/\.mplayer(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.mplayer(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mencoder(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/mock_build_selinux.8 b/man/man8/mock_build_selinux.8
+new file mode 100644
+index 0000000..82e2f70
+--- /dev/null
++++ b/man/man8/mock_build_selinux.8
+@@ -0,0 +1,129 @@
++.TH "mock_build_selinux" "8" "12-11-01" "mock_build" "SELinux Policy documentation for mock_build"
++.SH "NAME"
++mock_build_selinux \- Security Enhanced Linux Policy for the mock_build processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mock_build processes via flexible mandatory access control.
++
++The mock_build processes execute with the mock_build_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mock_build_t
++
++
++.SH "ENTRYPOINTS"
++
++The mock_build_t SELinux type can be entered via the "mock_var_lib_t,mock_build_exec_t,mock_tmp_t" file types. The default entrypoint paths for the mock_build_t domain are the following:"
++
++/var/lib/mock(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mock_build policy is very flexible allowing users to setup their mock_build processes in as secure a method as possible.
++.PP
++The following process types are defined for mock_build:
++
++.EX
++.B mock_build_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mock_build policy is very flexible allowing users to setup their mock_build processes in as secure a method as possible.
++.PP
++The following file types are defined for mock_build:
++
++
++.EX
++.PP
++.B mock_build_exec_t
++.EE
++
++- Set files with the mock_build_exec_t type, if you want to transition an executable to the mock_build_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mock_build_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mock_cache_t
++
++ /var/cache/mock(/.*)?
++.br
++
++.br
++.B mock_tmp_t
++
++
++.br
++.B mock_var_lib_t
++
++ /var/lib/mock(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mock_build_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mock_build_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mock_build(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, mock_selinux(8), mock_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/mock_selinux.8 b/man/man8/mock_selinux.8
+new file mode 100644
+index 0000000..d8f798e
+--- /dev/null
++++ b/man/man8/mock_selinux.8
+@@ -0,0 +1,190 @@
++.TH "mock_selinux" "8" "12-11-01" "mock" "SELinux Policy documentation for mock"
++.SH "NAME"
++mock_selinux \- Security Enhanced Linux Policy for the mock processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mock processes via flexible mandatory access control.
++
++The mock processes execute with the mock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mock_t
++
++
++.SH "ENTRYPOINTS"
++
++The mock_t SELinux type can be entered via the "mock_exec_t" file type. The default entrypoint paths for the mock_t domain are the following:"
++
++/usr/sbin/mock
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mock policy is very flexible allowing users to setup their mock processes in as secure a method as possible.
++.PP
++The following process types are defined for mock:
++
++.EX
++.B mock_t, mock_build_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. mock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mock with the tightest access possible.
++
++
++.PP
++If you want to allow mock to read files in home directories, you must turn on the mock_enable_homedirs boolean.
++
++.EX
++.B setsebool -P mock_enable_homedirs 1
++.EE
++
++.PP
++If you want to allow mock to read files in home directories, you must turn on the mock_enable_homedirs boolean.
++
++.EX
++.B setsebool -P mock_enable_homedirs 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mock policy is very flexible allowing users to setup their mock processes in as secure a method as possible.
++.PP
++The following file types are defined for mock:
++
++
++.EX
++.PP
++.B mock_build_exec_t
++.EE
++
++- Set files with the mock_build_exec_t type, if you want to transition an executable to the mock_build_t domain.
++
++
++.EX
++.PP
++.B mock_cache_t
++.EE
++
++- Set files with the mock_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B mock_etc_t
++.EE
++
++- Set files with the mock_etc_t type, if you want to store mock files in the /etc directories.
++
++
++.EX
++.PP
++.B mock_exec_t
++.EE
++
++- Set files with the mock_exec_t type, if you want to transition an executable to the mock_t domain.
++
++
++.EX
++.PP
++.B mock_tmp_t
++.EE
++
++- Set files with the mock_tmp_t type, if you want to store mock temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mock_var_lib_t
++.EE
++
++- Set files with the mock_var_lib_t type, if you want to store the mock files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mock_cache_t
++
++ /var/cache/mock(/.*)?
++.br
++
++.br
++.B mock_tmp_t
++
++
++.br
++.B mock_var_lib_t
++
++ /var/lib/mock(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mock_t, mock_build_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mock_t, mock_build_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mock(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), mock_build_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/modemmanager_selinux.8 b/man/man8/modemmanager_selinux.8
+new file mode 100644
+index 0000000..97ff255
+--- /dev/null
++++ b/man/man8/modemmanager_selinux.8
+@@ -0,0 +1,86 @@
++.TH "modemmanager_selinux" "8" "12-11-01" "modemmanager" "SELinux Policy documentation for modemmanager"
++.SH "NAME"
++modemmanager_selinux \- Security Enhanced Linux Policy for the modemmanager processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the modemmanager processes via flexible mandatory access control.
++
++The modemmanager processes execute with the modemmanager_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep modemmanager_t
++
++
++.SH "ENTRYPOINTS"
++
++The modemmanager_t SELinux type can be entered via the "modemmanager_exec_t" file type. The default entrypoint paths for the modemmanager_t domain are the following:"
++
++/usr/sbin/modem-manager
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux modemmanager policy is very flexible allowing users to setup their modemmanager processes in as secure a method as possible.
++.PP
++The following process types are defined for modemmanager:
++
++.EX
++.B modemmanager_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux modemmanager policy is very flexible allowing users to setup their modemmanager processes in as secure a method as possible.
++.PP
++The following file types are defined for modemmanager:
++
++
++.EX
++.PP
++.B modemmanager_exec_t
++.EE
++
++- Set files with the modemmanager_exec_t type, if you want to transition an executable to the modemmanager_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), modemmanager(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/mongod_selinux.8 b/man/man8/mongod_selinux.8
+new file mode 100644
+index 0000000..a9bc3c3
+--- /dev/null
++++ b/man/man8/mongod_selinux.8
+@@ -0,0 +1,186 @@
++.TH "mongod_selinux" "8" "12-11-01" "mongod" "SELinux Policy documentation for mongod"
++.SH "NAME"
++mongod_selinux \- Security Enhanced Linux Policy for the mongod processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mongod processes via flexible mandatory access control.
++
++The mongod processes execute with the mongod_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mongod_t
++
++
++.SH "ENTRYPOINTS"
++
++The mongod_t SELinux type can be entered via the "mongod_exec_t" file type. The default entrypoint paths for the mongod_t domain are the following:"
++
++/usr/bin/mongod, /usr/share/aeolus-conductor/dbomatic/dbomatic
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mongod policy is very flexible allowing users to setup their mongod processes in as secure a method as possible.
++.PP
++The following process types are defined for mongod:
++
++.EX
++.B mongod_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mongod policy is very flexible allowing users to setup their mongod processes in as secure a method as possible.
++.PP
++The following file types are defined for mongod:
++
++
++.EX
++.PP
++.B mongod_exec_t
++.EE
++
++- Set files with the mongod_exec_t type, if you want to transition an executable to the mongod_t domain.
++
++
++.EX
++.PP
++.B mongod_initrc_exec_t
++.EE
++
++- Set files with the mongod_initrc_exec_t type, if you want to transition an executable to the mongod_initrc_t domain.
++
++
++.EX
++.PP
++.B mongod_log_t
++.EE
++
++- Set files with the mongod_log_t type, if you want to treat the data as mongod log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B mongod_tmp_t
++.EE
++
++- Set files with the mongod_tmp_t type, if you want to store mongod temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mongod_var_lib_t
++.EE
++
++- Set files with the mongod_var_lib_t type, if you want to store the mongod files under the /var/lib directory.
++
++
++.EX
++.PP
++.B mongod_var_run_t
++.EE
++
++- Set files with the mongod_var_run_t type, if you want to store the mongod files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux mongod policy is very flexible allowing users to setup their mongod processes in as secure a method as possible.
++.PP
++The following port types are defined for mongod:
++
++.EX
++.TP 5
++.B mongod_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 27017
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type mongod_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mongod_log_t
++
++ /var/log/mongo(/.*)?
++.br
++ /var/log/mongodb(/.*)?
++.br
++ /var/log/mongo/mongod\.log.*
++.br
++ /var/log/aeolus-conductor/dbomatic\.log.*
++.br
++
++.br
++.B mongod_tmp_t
++
++
++.br
++.B mongod_var_lib_t
++
++ /var/lib/mongodb(/.*)?
++.br
++
++.br
++.B mongod_var_run_t
++
++ /var/run/mongodb(/.*)?
++.br
++ /var/run/aeolus/dbomatic\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mongod(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/mount_ecryptfs_selinux.8 b/man/man8/mount_ecryptfs_selinux.8
+new file mode 100644
+index 0000000..47e1952
+--- /dev/null
++++ b/man/man8/mount_ecryptfs_selinux.8
+@@ -0,0 +1,125 @@
++.TH "mount_ecryptfs_selinux" "8" "12-11-01" "mount_ecryptfs" "SELinux Policy documentation for mount_ecryptfs"
++.SH "NAME"
++mount_ecryptfs_selinux \- Security Enhanced Linux Policy for the mount_ecryptfs processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mount_ecryptfs processes via flexible mandatory access control.
++
++The mount_ecryptfs processes execute with the mount_ecryptfs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mount_ecryptfs_t
++
++
++.SH "ENTRYPOINTS"
++
++The mount_ecryptfs_t SELinux type can be entered via the "mount_ecryptfs_exec_t" file type. The default entrypoint paths for the mount_ecryptfs_t domain are the following:"
++
++/usr/sbin/mount\.ecryptfs, /usr/sbin/umount\.ecryptfs, /usr/sbin/mount\.ecryptfs_private, /usr/sbin/umount\.ecryptfs_private
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mount_ecryptfs policy is very flexible allowing users to setup their mount_ecryptfs processes in as secure a method as possible.
++.PP
++The following process types are defined for mount_ecryptfs:
++
++.EX
++.B mount_ecryptfs_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mount_ecryptfs policy is very flexible allowing users to setup their mount_ecryptfs processes in as secure a method as possible.
++.PP
++The following file types are defined for mount_ecryptfs:
++
++
++.EX
++.PP
++.B mount_ecryptfs_exec_t
++.EE
++
++- Set files with the mount_ecryptfs_exec_t type, if you want to transition an executable to the mount_ecryptfs_t domain.
++
++
++.EX
++.PP
++.B mount_ecryptfs_tmpfs_t
++.EE
++
++- Set files with the mount_ecryptfs_tmpfs_t type, if you want to store mount ecryptfs files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mount_ecryptfs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mount_ecryptfs_tmpfs_t
++
++
++.br
++.B user_tmpfs_t
++
++ /dev/shm/mono.*
++.br
++ /dev/shm/pulse-shm.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mount_ecryptfs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mount_ecryptfs_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mount_ecryptfs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, mount_selinux(8), mount_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/mount_selinux.8 b/man/man8/mount_selinux.8
+new file mode 100644
+index 0000000..1f6de58
+--- /dev/null
++++ b/man/man8/mount_selinux.8
+@@ -0,0 +1,242 @@
++.TH "mount_selinux" "8" "12-11-01" "mount" "SELinux Policy documentation for mount"
++.SH "NAME"
++mount_selinux \- Security Enhanced Linux Policy for the mount processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mount processes via flexible mandatory access control.
++
++The mount processes execute with the mount_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mount_t
++
++
++.SH "ENTRYPOINTS"
++
++The mount_t SELinux type can be entered via the "mount_exec_t,fusermount_exec_t" file types. The default entrypoint paths for the mount_t domain are the following:"
++
++/bin/mount.*, /bin/umount.*, /sbin/mount.*, /sbin/umount.*, /usr/bin/mount.*, /usr/bin/umount.*, /usr/sbin/mount.*, /usr/sbin/umount.*, /bin/fusermount, /usr/bin/fusermount
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mount policy is very flexible allowing users to setup their mount processes in as secure a method as possible.
++.PP
++The following process types are defined for mount:
++
++.EX
++.B mount_t, mount_ecryptfs_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. mount policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mount with the tightest access possible.
++
++
++.PP
++If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
++
++.EX
++.B setsebool -P xguest_mount_media 1
++.EE
++
++.PP
++If you want to allow the mount command to mount any directory or file, you must turn on the mount_anyfile boolean.
++
++.EX
++.B setsebool -P mount_anyfile 1
++.EE
++
++.PP
++If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
++
++.EX
++.B setsebool -P xguest_mount_media 1
++.EE
++
++.PP
++If you want to allow the mount command to mount any directory or file, you must turn on the mount_anyfile boolean.
++
++.EX
++.B setsebool -P mount_anyfile 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mount policy is very flexible allowing users to setup their mount processes in as secure a method as possible.
++.PP
++The following file types are defined for mount:
++
++
++.EX
++.PP
++.B mount_ecryptfs_exec_t
++.EE
++
++- Set files with the mount_ecryptfs_exec_t type, if you want to transition an executable to the mount_ecryptfs_t domain.
++
++
++.EX
++.PP
++.B mount_ecryptfs_tmpfs_t
++.EE
++
++- Set files with the mount_ecryptfs_tmpfs_t type, if you want to store mount ecryptfs files on a tmpfs file system.
++
++
++.EX
++.PP
++.B mount_exec_t
++.EE
++
++- Set files with the mount_exec_t type, if you want to transition an executable to the mount_t domain.
++
++
++.EX
++.PP
++.B mount_loopback_t
++.EE
++
++- Set files with the mount_loopback_t type, if you want to treat the files as mount loopback data.
++
++
++.EX
++.PP
++.B mount_tmp_t
++.EE
++
++- Set files with the mount_tmp_t type, if you want to store mount temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mount_var_run_t
++.EE
++
++- Set files with the mount_var_run_t type, if you want to store the mount files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mount_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B nfsd_fs_t
++
++
++.br
++.B non_security_file_type
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mount_t, mount_ecryptfs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mount_t, mount_ecryptfs_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mount(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), mount_ecryptfs_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/mozilla_plugin_config_selinux.8 b/man/man8/mozilla_plugin_config_selinux.8
+new file mode 100644
+index 0000000..ad663f1
+--- /dev/null
++++ b/man/man8/mozilla_plugin_config_selinux.8
+@@ -0,0 +1,233 @@
++.TH "mozilla_plugin_config_selinux" "8" "12-11-01" "mozilla_plugin_config" "SELinux Policy documentation for mozilla_plugin_config"
++.SH "NAME"
++mozilla_plugin_config_selinux \- Security Enhanced Linux Policy for the mozilla_plugin_config processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mozilla_plugin_config processes via flexible mandatory access control.
++
++The mozilla_plugin_config processes execute with the mozilla_plugin_config_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mozilla_plugin_config_t
++
++
++.SH "ENTRYPOINTS"
++
++The mozilla_plugin_config_t SELinux type can be entered via the "mozilla_plugin_config_exec_t" file type. The default entrypoint paths for the mozilla_plugin_config_t domain are the following:"
++
++/usr/lib/nspluginwrapper/plugin-config
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mozilla_plugin_config policy is very flexible allowing users to setup their mozilla_plugin_config processes in as secure a method as possible.
++.PP
++The following process types are defined for mozilla_plugin_config:
++
++.EX
++.B mozilla_plugin_config_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mozilla_plugin_config policy is very flexible allowing users to setup their mozilla_plugin_config processes in as secure a method as possible.
++.PP
++The following file types are defined for mozilla_plugin_config:
++
++
++.EX
++.PP
++.B mozilla_plugin_config_exec_t
++.EE
++
++- Set files with the mozilla_plugin_config_exec_t type, if you want to transition an executable to the mozilla_plugin_config_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mozilla_plugin_config_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mozilla_home_t
++
++ /home/[^/]*/\.java(/.*)?
++.br
++ /home/[^/]*/\.adobe(/.*)?
++.br
++ /home/[^/]*/\.gnash(/.*)?
++.br
++ /home/[^/]*/\.galeon(/.*)?
++.br
++ /home/[^/]*/\.spicec(/.*)?
++.br
++ /home/[^/]*/\.mozilla(/.*)?
++.br
++ /home/[^/]*/\.phoenix(/.*)?
++.br
++ /home/[^/]*/\.netscape(/.*)?
++.br
++ /home/[^/]*/\.ICAClient(/.*)?
++.br
++ /home/[^/]*/\.macromedia(/.*)?
++.br
++ /home/[^/]*/\.thunderbird(/.*)?
++.br
++ /home/[^/]*/\.gcjwebplugin(/.*)?
++.br
++ /home/[^/]*/\.icedteaplugin(/.*)?
++.br
++ /home/[^/]*/zimbrauserdata(/.*)?
++.br
++ /home/[^/]*/\.config/chromium(/.*)?
++.br
++ /home/dwalsh/\.java(/.*)?
++.br
++ /home/dwalsh/\.adobe(/.*)?
++.br
++ /home/dwalsh/\.gnash(/.*)?
++.br
++ /home/dwalsh/\.galeon(/.*)?
++.br
++ /home/dwalsh/\.spicec(/.*)?
++.br
++ /home/dwalsh/\.mozilla(/.*)?
++.br
++ /home/dwalsh/\.phoenix(/.*)?
++.br
++ /home/dwalsh/\.netscape(/.*)?
++.br
++ /home/dwalsh/\.ICAClient(/.*)?
++.br
++ /home/dwalsh/\.macromedia(/.*)?
++.br
++ /home/dwalsh/\.thunderbird(/.*)?
++.br
++ /home/dwalsh/\.gcjwebplugin(/.*)?
++.br
++ /home/dwalsh/\.icedteaplugin(/.*)?
++.br
++ /home/dwalsh/zimbrauserdata(/.*)?
++.br
++ /home/dwalsh/\.config/chromium(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.java(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.adobe(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.gnash(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.galeon(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.spicec(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.mozilla(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.phoenix(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.netscape(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.ICAClient(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.macromedia(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.thunderbird(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.icedteaplugin(/.*)?
++.br
++ /var/lib/xguest/home/xguest/zimbrauserdata(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.config/chromium(/.*)?
++.br
++
++.br
++.B mozilla_plugin_rw_t
++
++ /usr/lib/mozilla/plugins-wrapped(/.*)?
++.br
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mozilla_plugin_config(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, mozilla_selinux(8), mozilla_selinux(8), mozilla_plugin_selinux(8), mozilla_plugin_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/mozilla_plugin_selinux.8 b/man/man8/mozilla_plugin_selinux.8
+new file mode 100644
+index 0000000..a873bb4
+--- /dev/null
++++ b/man/man8/mozilla_plugin_selinux.8
+@@ -0,0 +1,392 @@
++.TH "mozilla_plugin_selinux" "8" "12-11-01" "mozilla_plugin" "SELinux Policy documentation for mozilla_plugin"
++.SH "NAME"
++mozilla_plugin_selinux \- Security Enhanced Linux Policy for the mozilla_plugin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mozilla_plugin processes via flexible mandatory access control.
++
++The mozilla_plugin processes execute with the mozilla_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mozilla_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The mozilla_plugin_t SELinux type can be entered via the "mozilla_plugin_exec_t" file type. The default entrypoint paths for the mozilla_plugin_t domain are the following:"
++
++/usr/lib/xulrunner[^/]*/plugin-container, /usr/lib/nspluginwrapper/npviewer.bin, /usr/bin/nspluginscan, /usr/bin/nspluginviewer
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mozilla_plugin policy is very flexible allowing users to setup their mozilla_plugin processes in as secure a method as possible.
++.PP
++The following process types are defined for mozilla_plugin:
++
++.EX
++.B mozilla_plugin_config_t, mozilla_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. mozilla_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mozilla_plugin with the tightest access possible.
++
++
++.PP
++If you want to allow mozilla plugin domain to connect to the network using TCP, you must turn on the mozilla_plugin_can_network_connect boolean.
++
++.EX
++.B setsebool -P mozilla_plugin_can_network_connect 1
++.EE
++
++.PP
++If you want to allow mozilla_plugins to create random content in the users home directory, you must turn on the mozilla_plugin_enable_homedirs boolean.
++
++.EX
++.B setsebool -P mozilla_plugin_enable_homedirs 1
++.EE
++
++.PP
++If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
++
++.EX
++.B setsebool -P unconfined_mozilla_plugin_transition 1
++.EE
++
++.PP
++If you want to allow mozilla plugin domain to connect to the network using TCP, you must turn on the mozilla_plugin_can_network_connect boolean.
++
++.EX
++.B setsebool -P mozilla_plugin_can_network_connect 1
++.EE
++
++.PP
++If you want to allow mozilla_plugins to create random content in the users home directory, you must turn on the mozilla_plugin_enable_homedirs boolean.
++
++.EX
++.B setsebool -P mozilla_plugin_enable_homedirs 1
++.EE
++
++.PP
++If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
++
++.EX
++.B setsebool -P unconfined_mozilla_plugin_transition 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mozilla_plugin policy is very flexible allowing users to setup their mozilla_plugin processes in as secure a method as possible.
++.PP
++The following file types are defined for mozilla_plugin:
++
++
++.EX
++.PP
++.B mozilla_plugin_config_exec_t
++.EE
++
++- Set files with the mozilla_plugin_config_exec_t type, if you want to transition an executable to the mozilla_plugin_config_t domain.
++
++
++.EX
++.PP
++.B mozilla_plugin_exec_t
++.EE
++
++- Set files with the mozilla_plugin_exec_t type, if you want to transition an executable to the mozilla_plugin_t domain.
++
++
++.EX
++.PP
++.B mozilla_plugin_rw_t
++.EE
++
++- Set files with the mozilla_plugin_rw_t type, if you want to treat the files as mozilla plugin read/write content.
++
++
++.EX
++.PP
++.B mozilla_plugin_tmp_t
++.EE
++
++- Set files with the mozilla_plugin_tmp_t type, if you want to store mozilla plugin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mozilla_plugin_tmpfs_t
++.EE
++
++- Set files with the mozilla_plugin_tmpfs_t type, if you want to store mozilla plugin files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mozilla_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B gnome_home_type
++
++
++.br
++.B home_cert_t
++
++ /root/\.pki(/.*)?
++.br
++ /root/\.cert(/.*)?
++.br
++ /home/[^/]*/.kde/share/apps/networkmanagement/certificates(/.*)?
++.br
++ /home/[^/]*/\.pki(/.*)?
++.br
++ /home/[^/]*/\.cert(/.*)?
++.br
++ /home/dwalsh/.kde/share/apps/networkmanagement/certificates(/.*)?
++.br
++ /home/dwalsh/\.pki(/.*)?
++.br
++ /home/dwalsh/\.cert(/.*)?
++.br
++ /var/lib/xguest/home/xguest/.kde/share/apps/networkmanagement/certificates(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.pki(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cert(/.*)?
++.br
++
++.br
++.B mozilla_home_t
++
++ /home/[^/]*/\.java(/.*)?
++.br
++ /home/[^/]*/\.adobe(/.*)?
++.br
++ /home/[^/]*/\.gnash(/.*)?
++.br
++ /home/[^/]*/\.galeon(/.*)?
++.br
++ /home/[^/]*/\.spicec(/.*)?
++.br
++ /home/[^/]*/\.mozilla(/.*)?
++.br
++ /home/[^/]*/\.phoenix(/.*)?
++.br
++ /home/[^/]*/\.netscape(/.*)?
++.br
++ /home/[^/]*/\.ICAClient(/.*)?
++.br
++ /home/[^/]*/\.macromedia(/.*)?
++.br
++ /home/[^/]*/\.thunderbird(/.*)?
++.br
++ /home/[^/]*/\.gcjwebplugin(/.*)?
++.br
++ /home/[^/]*/\.icedteaplugin(/.*)?
++.br
++ /home/[^/]*/zimbrauserdata(/.*)?
++.br
++ /home/[^/]*/\.config/chromium(/.*)?
++.br
++ /home/dwalsh/\.java(/.*)?
++.br
++ /home/dwalsh/\.adobe(/.*)?
++.br
++ /home/dwalsh/\.gnash(/.*)?
++.br
++ /home/dwalsh/\.galeon(/.*)?
++.br
++ /home/dwalsh/\.spicec(/.*)?
++.br
++ /home/dwalsh/\.mozilla(/.*)?
++.br
++ /home/dwalsh/\.phoenix(/.*)?
++.br
++ /home/dwalsh/\.netscape(/.*)?
++.br
++ /home/dwalsh/\.ICAClient(/.*)?
++.br
++ /home/dwalsh/\.macromedia(/.*)?
++.br
++ /home/dwalsh/\.thunderbird(/.*)?
++.br
++ /home/dwalsh/\.gcjwebplugin(/.*)?
++.br
++ /home/dwalsh/\.icedteaplugin(/.*)?
++.br
++ /home/dwalsh/zimbrauserdata(/.*)?
++.br
++ /home/dwalsh/\.config/chromium(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.java(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.adobe(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.gnash(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.galeon(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.spicec(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.mozilla(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.phoenix(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.netscape(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.ICAClient(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.macromedia(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.thunderbird(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.icedteaplugin(/.*)?
++.br
++ /var/lib/xguest/home/xguest/zimbrauserdata(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.config/chromium(/.*)?
++.br
++
++.br
++.B mozilla_plugin_tmp_t
++
++
++.br
++.B mozilla_plugin_tmpfs_t
++
++
++.br
++.B mplayer_home_t
++
++ /home/[^/]*/\.mplayer(/.*)?
++.br
++ /home/dwalsh/\.mplayer(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.mplayer(/.*)?
++.br
++
++.br
++.B pulseaudio_home_t
++
++ /root/\.pulse(/.*)?
++.br
++ /root/\.esd_auth
++.br
++ /root/\.pulse-cookie
++.br
++ /home/[^/]*/\.pulse(/.*)?
++.br
++ /home/[^/]*/\.esd_auth
++.br
++ /home/[^/]*/\.pulse-cookie
++.br
++ /home/dwalsh/\.pulse(/.*)?
++.br
++ /home/dwalsh/\.esd_auth
++.br
++ /home/dwalsh/\.pulse-cookie
++.br
++ /var/lib/xguest/home/xguest/\.pulse(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.esd_auth
++.br
++ /var/lib/xguest/home/xguest/\.pulse-cookie
++.br
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B user_tmpfs_t
++
++ /dev/shm/mono.*
++.br
++ /dev/shm/pulse-shm.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, mozilla_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, mozilla_plugin_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mozilla_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), mozilla_selinux(8), mozilla_selinux(8), mozilla_plugin_config_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/mozilla_selinux.8 b/man/man8/mozilla_selinux.8
+new file mode 100644
+index 0000000..5c7618a
+--- /dev/null
++++ b/man/man8/mozilla_selinux.8
+@@ -0,0 +1,422 @@
++.TH "mozilla_selinux" "8" "12-11-01" "mozilla" "SELinux Policy documentation for mozilla"
++.SH "NAME"
++mozilla_selinux \- Security Enhanced Linux Policy for the mozilla processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mozilla processes via flexible mandatory access control.
++
++The mozilla processes execute with the mozilla_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mozilla_t
++
++
++.SH "ENTRYPOINTS"
++
++The mozilla_t SELinux type can be entered via the "mozilla_exec_t" file type. The default entrypoint paths for the mozilla_t domain are the following:"
++
++/usr/lib/[^/]*firefox[^/]*/firefox, /usr/lib/[^/]*firefox[^/]*/firefox-bin, /usr/lib/mozilla[^/]*/reg.+, /usr/lib/mozilla[^/]*/mozilla-.*, /usr/lib/firefox[^/]*/mozilla-.*, /usr/bin/mozilla-[0-9].*, /usr/lib/netscape/.+/communicator/communicator-smotif\.real, /usr/bin/mozilla-bin-[0-9].*, /usr/bin/mozilla, /usr/bin/netscape, /usr/bin/epiphany, /usr/bin/epiphany-bin, /usr/lib/galeon/galeon, /usr/bin/mozilla-snapshot, /usr/lib/netscape/base-4/wrapper
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mozilla policy is very flexible allowing users to setup their mozilla processes in as secure a method as possible.
++.PP
++The following process types are defined for mozilla:
++
++.EX
++.B mozilla_t, mozilla_plugin_config_t, mozilla_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. mozilla policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mozilla with the tightest access possible.
++
++
++.PP
++If you want to allow mozilla plugin domain to connect to the network using TCP, you must turn on the mozilla_plugin_can_network_connect boolean.
++
++.EX
++.B setsebool -P mozilla_plugin_can_network_connect 1
++.EE
++
++.PP
++If you want to allow confined web browsers to read home directory content, you must turn on the mozilla_read_content boolean.
++
++.EX
++.B setsebool -P mozilla_read_content 1
++.EE
++
++.PP
++If you want to allow mozilla_plugins to create random content in the users home directory, you must turn on the mozilla_plugin_enable_homedirs boolean.
++
++.EX
++.B setsebool -P mozilla_plugin_enable_homedirs 1
++.EE
++
++.PP
++If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
++
++.EX
++.B setsebool -P unconfined_mozilla_plugin_transition 1
++.EE
++
++.PP
++If you want to allow mozilla plugin domain to connect to the network using TCP, you must turn on the mozilla_plugin_can_network_connect boolean.
++
++.EX
++.B setsebool -P mozilla_plugin_can_network_connect 1
++.EE
++
++.PP
++If you want to allow confined web browsers to read home directory content, you must turn on the mozilla_read_content boolean.
++
++.EX
++.B setsebool -P mozilla_read_content 1
++.EE
++
++.PP
++If you want to allow mozilla_plugins to create random content in the users home directory, you must turn on the mozilla_plugin_enable_homedirs boolean.
++
++.EX
++.B setsebool -P mozilla_plugin_enable_homedirs 1
++.EE
++
++.PP
++If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
++
++.EX
++.B setsebool -P unconfined_mozilla_plugin_transition 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mozilla policy is very flexible allowing users to setup their mozilla processes in as secure a method as possible.
++.PP
++The following file types are defined for mozilla:
++
++
++.EX
++.PP
++.B mozilla_conf_t
++.EE
++
++- Set files with the mozilla_conf_t type, if you want to treat the files as mozilla configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B mozilla_exec_t
++.EE
++
++- Set files with the mozilla_exec_t type, if you want to transition an executable to the mozilla_t domain.
++
++
++.EX
++.PP
++.B mozilla_home_t
++.EE
++
++- Set files with the mozilla_home_t type, if you want to store mozilla files in the users home directory.
++
++
++.EX
++.PP
++.B mozilla_plugin_config_exec_t
++.EE
++
++- Set files with the mozilla_plugin_config_exec_t type, if you want to transition an executable to the mozilla_plugin_config_t domain.
++
++
++.EX
++.PP
++.B mozilla_plugin_exec_t
++.EE
++
++- Set files with the mozilla_plugin_exec_t type, if you want to transition an executable to the mozilla_plugin_t domain.
++
++
++.EX
++.PP
++.B mozilla_plugin_rw_t
++.EE
++
++- Set files with the mozilla_plugin_rw_t type, if you want to treat the files as mozilla plugin read/write content.
++
++
++.EX
++.PP
++.B mozilla_plugin_tmp_t
++.EE
++
++- Set files with the mozilla_plugin_tmp_t type, if you want to store mozilla plugin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mozilla_plugin_tmpfs_t
++.EE
++
++- Set files with the mozilla_plugin_tmpfs_t type, if you want to store mozilla plugin files on a tmpfs file system.
++
++
++.EX
++.PP
++.B mozilla_tmp_t
++.EE
++
++- Set files with the mozilla_tmp_t type, if you want to store mozilla temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mozilla_tmpfs_t
++.EE
++
++- Set files with the mozilla_tmpfs_t type, if you want to store mozilla files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mozilla_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B gconf_home_t
++
++ /root/\.local.*
++.br
++ /root/\.gconf(d)?(/.*)?
++.br
++ /home/[^/]*/\.local.*
++.br
++ /home/[^/]*/\.gconf(d)?(/.*)?
++.br
++ /home/dwalsh/\.local.*
++.br
++ /home/dwalsh/\.gconf(d)?(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.local.*
++.br
++ /var/lib/xguest/home/xguest/\.gconf(d)?(/.*)?
++.br
++
++.br
++.B gnome_home_type
++
++
++.br
++.B mozilla_home_t
++
++ /home/[^/]*/\.java(/.*)?
++.br
++ /home/[^/]*/\.adobe(/.*)?
++.br
++ /home/[^/]*/\.gnash(/.*)?
++.br
++ /home/[^/]*/\.galeon(/.*)?
++.br
++ /home/[^/]*/\.spicec(/.*)?
++.br
++ /home/[^/]*/\.mozilla(/.*)?
++.br
++ /home/[^/]*/\.phoenix(/.*)?
++.br
++ /home/[^/]*/\.netscape(/.*)?
++.br
++ /home/[^/]*/\.ICAClient(/.*)?
++.br
++ /home/[^/]*/\.macromedia(/.*)?
++.br
++ /home/[^/]*/\.thunderbird(/.*)?
++.br
++ /home/[^/]*/\.gcjwebplugin(/.*)?
++.br
++ /home/[^/]*/\.icedteaplugin(/.*)?
++.br
++ /home/[^/]*/zimbrauserdata(/.*)?
++.br
++ /home/[^/]*/\.config/chromium(/.*)?
++.br
++ /home/dwalsh/\.java(/.*)?
++.br
++ /home/dwalsh/\.adobe(/.*)?
++.br
++ /home/dwalsh/\.gnash(/.*)?
++.br
++ /home/dwalsh/\.galeon(/.*)?
++.br
++ /home/dwalsh/\.spicec(/.*)?
++.br
++ /home/dwalsh/\.mozilla(/.*)?
++.br
++ /home/dwalsh/\.phoenix(/.*)?
++.br
++ /home/dwalsh/\.netscape(/.*)?
++.br
++ /home/dwalsh/\.ICAClient(/.*)?
++.br
++ /home/dwalsh/\.macromedia(/.*)?
++.br
++ /home/dwalsh/\.thunderbird(/.*)?
++.br
++ /home/dwalsh/\.gcjwebplugin(/.*)?
++.br
++ /home/dwalsh/\.icedteaplugin(/.*)?
++.br
++ /home/dwalsh/zimbrauserdata(/.*)?
++.br
++ /home/dwalsh/\.config/chromium(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.java(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.adobe(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.gnash(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.galeon(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.spicec(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.mozilla(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.phoenix(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.netscape(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.ICAClient(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.macromedia(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.thunderbird(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.icedteaplugin(/.*)?
++.br
++ /var/lib/xguest/home/xguest/zimbrauserdata(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.config/chromium(/.*)?
++.br
++
++.br
++.B mozilla_tmp_t
++
++
++.br
++.B mozilla_tmpfs_t
++
++
++.br
++.B pulseaudio_home_t
++
++ /root/\.pulse(/.*)?
++.br
++ /root/\.esd_auth
++.br
++ /root/\.pulse-cookie
++.br
++ /home/[^/]*/\.pulse(/.*)?
++.br
++ /home/[^/]*/\.esd_auth
++.br
++ /home/[^/]*/\.pulse-cookie
++.br
++ /home/dwalsh/\.pulse(/.*)?
++.br
++ /home/dwalsh/\.esd_auth
++.br
++ /home/dwalsh/\.pulse-cookie
++.br
++ /var/lib/xguest/home/xguest/\.pulse(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.esd_auth
++.br
++ /var/lib/xguest/home/xguest/\.pulse-cookie
++.br
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mozilla(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), mozilla_plugin_selinux(8), mozilla_plugin_config_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/mpd_selinux.8 b/man/man8/mpd_selinux.8
+new file mode 100644
+index 0000000..ee3fb08
+--- /dev/null
++++ b/man/man8/mpd_selinux.8
+@@ -0,0 +1,296 @@
++.TH "mpd_selinux" "8" "12-11-01" "mpd" "SELinux Policy documentation for mpd"
++.SH "NAME"
++mpd_selinux \- Security Enhanced Linux Policy for the mpd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mpd processes via flexible mandatory access control.
++
++The mpd processes execute with the mpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The mpd_t SELinux type can be entered via the "mpd_exec_t" file type. The default entrypoint paths for the mpd_t domain are the following:"
++
++/usr/bin/mpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mpd policy is very flexible allowing users to setup their mpd processes in as secure a method as possible.
++.PP
++The following process types are defined for mpd:
++
++.EX
++.B mpd_t, mplayer_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. mpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mpd with the tightest access possible.
++
++
++.PP
++If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean.
++
++.EX
++.B setsebool -P mplayer_execstack 1
++.EE
++
++.PP
++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean.
++
++.EX
++.B setsebool -P daemons_dump_core 1
++.EE
++
++.PP
++If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean.
++
++.EX
++.B setsebool -P gssd_read_tmp 1
++.EE
++
++.PP
++If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean.
++
++.EX
++.B setsebool -P httpd_tmp_exec 1
++.EE
++
++.PP
++If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean.
++
++.EX
++.B setsebool -P unconfined_mplayer 1
++.EE
++
++.PP
++If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean.
++
++.EX
++.B setsebool -P mplayer_execstack 1
++.EE
++
++.PP
++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean.
++
++.EX
++.B setsebool -P daemons_dump_core 1
++.EE
++
++.PP
++If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean.
++
++.EX
++.B setsebool -P gssd_read_tmp 1
++.EE
++
++.PP
++If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean.
++
++.EX
++.B setsebool -P httpd_tmp_exec 1
++.EE
++
++.PP
++If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean.
++
++.EX
++.B setsebool -P unconfined_mplayer 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mpd policy is very flexible allowing users to setup their mpd processes in as secure a method as possible.
++.PP
++The following file types are defined for mpd:
++
++
++.EX
++.PP
++.B mpd_data_t
++.EE
++
++- Set files with the mpd_data_t type, if you want to treat the files as mpd content.
++
++
++.EX
++.PP
++.B mpd_etc_t
++.EE
++
++- Set files with the mpd_etc_t type, if you want to store mpd files in the /etc directories.
++
++
++.EX
++.PP
++.B mpd_exec_t
++.EE
++
++- Set files with the mpd_exec_t type, if you want to transition an executable to the mpd_t domain.
++
++
++.EX
++.PP
++.B mpd_initrc_exec_t
++.EE
++
++- Set files with the mpd_initrc_exec_t type, if you want to transition an executable to the mpd_initrc_t domain.
++
++
++.EX
++.PP
++.B mpd_log_t
++.EE
++
++- Set files with the mpd_log_t type, if you want to treat the data as mpd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B mpd_tmp_t
++.EE
++
++- Set files with the mpd_tmp_t type, if you want to store mpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mpd_tmpfs_t
++.EE
++
++- Set files with the mpd_tmpfs_t type, if you want to store mpd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B mpd_var_lib_t
++.EE
++
++- Set files with the mpd_var_lib_t type, if you want to store the mpd files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux mpd policy is very flexible allowing users to setup their mpd processes in as secure a method as possible.
++.PP
++The following port types are defined for mpd:
++
++.EX
++.TP 5
++.B mpd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 6600
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type mpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B mpd_data_t
++
++ /var/lib/mpd/music(/.*)?
++.br
++ /var/lib/mpd/playlists(/.*)?
++.br
++
++.br
++.B mpd_log_t
++
++ /var/log/mpd(/.*)?
++.br
++
++.br
++.B mpd_tmp_t
++
++
++.br
++.B mpd_tmpfs_t
++
++
++.br
++.B mpd_var_lib_t
++
++ /var/lib/mpd(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mpd_t, mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mpd_t, mplayer_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), mplayer_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/mplayer_selinux.8 b/man/man8/mplayer_selinux.8
+new file mode 100644
+index 0000000..5be39fe
+--- /dev/null
++++ b/man/man8/mplayer_selinux.8
+@@ -0,0 +1,206 @@
++.TH "mplayer_selinux" "8" "12-11-01" "mplayer" "SELinux Policy documentation for mplayer"
++.SH "NAME"
++mplayer_selinux \- Security Enhanced Linux Policy for the mplayer processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mplayer processes via flexible mandatory access control.
++
++The mplayer processes execute with the mplayer_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mplayer_t
++
++
++.SH "ENTRYPOINTS"
++
++The mplayer_t SELinux type can be entered via the "mplayer_exec_t" file type. The default entrypoint paths for the mplayer_t domain are the following:"
++
++/usr/bin/vlc, /usr/bin/xine, /usr/bin/mplayer
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mplayer policy is very flexible allowing users to setup their mplayer processes in as secure a method as possible.
++.PP
++The following process types are defined for mplayer:
++
++.EX
++.B mplayer_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. mplayer policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mplayer with the tightest access possible.
++
++
++.PP
++If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean.
++
++.EX
++.B setsebool -P mplayer_execstack 1
++.EE
++
++.PP
++If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean.
++
++.EX
++.B setsebool -P unconfined_mplayer 1
++.EE
++
++.PP
++If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean.
++
++.EX
++.B setsebool -P mplayer_execstack 1
++.EE
++
++.PP
++If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean.
++
++.EX
++.B setsebool -P unconfined_mplayer 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mplayer policy is very flexible allowing users to setup their mplayer processes in as secure a method as possible.
++.PP
++The following file types are defined for mplayer:
++
++
++.EX
++.PP
++.B mplayer_etc_t
++.EE
++
++- Set files with the mplayer_etc_t type, if you want to store mplayer files in the /etc directories.
++
++
++.EX
++.PP
++.B mplayer_exec_t
++.EE
++
++- Set files with the mplayer_exec_t type, if you want to transition an executable to the mplayer_t domain.
++
++
++.EX
++.PP
++.B mplayer_home_t
++.EE
++
++- Set files with the mplayer_home_t type, if you want to store mplayer files in the users home directory.
++
++
++.EX
++.PP
++.B mplayer_tmpfs_t
++.EE
++
++- Set files with the mplayer_tmpfs_t type, if you want to store mplayer files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mplayer_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mplayer_home_t
++
++ /home/[^/]*/\.mplayer(/.*)?
++.br
++ /home/dwalsh/\.mplayer(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.mplayer(/.*)?
++.br
++
++.br
++.B mplayer_tmpfs_t
++
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mplayer_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mplayer(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/mrtg_selinux.8 b/man/man8/mrtg_selinux.8
+new file mode 100644
+index 0000000..f49743b
+--- /dev/null
++++ b/man/man8/mrtg_selinux.8
+@@ -0,0 +1,210 @@
++.TH "mrtg_selinux" "8" "12-11-01" "mrtg" "SELinux Policy documentation for mrtg"
++.SH "NAME"
++mrtg_selinux \- Security Enhanced Linux Policy for the mrtg processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mrtg processes via flexible mandatory access control.
++
++The mrtg processes execute with the mrtg_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mrtg_t
++
++
++.SH "ENTRYPOINTS"
++
++The mrtg_t SELinux type can be entered via the "mrtg_exec_t" file type. The default entrypoint paths for the mrtg_t domain are the following:"
++
++/usr/bin/mrtg
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mrtg policy is very flexible allowing users to setup their mrtg processes in as secure a method as possible.
++.PP
++The following process types are defined for mrtg:
++
++.EX
++.B mrtg_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mrtg policy is very flexible allowing users to setup their mrtg processes in as secure a method as possible.
++.PP
++The following file types are defined for mrtg:
++
++
++.EX
++.PP
++.B mrtg_etc_t
++.EE
++
++- Set files with the mrtg_etc_t type, if you want to store mrtg files in the /etc directories.
++
++
++.EX
++.PP
++.B mrtg_exec_t
++.EE
++
++- Set files with the mrtg_exec_t type, if you want to transition an executable to the mrtg_t domain.
++
++
++.EX
++.PP
++.B mrtg_lock_t
++.EE
++
++- Set files with the mrtg_lock_t type, if you want to treat the files as mrtg lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B mrtg_log_t
++.EE
++
++- Set files with the mrtg_log_t type, if you want to treat the data as mrtg log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B mrtg_var_lib_t
++.EE
++
++- Set files with the mrtg_var_lib_t type, if you want to store the mrtg files under the /var/lib directory.
++
++
++.EX
++.PP
++.B mrtg_var_run_t
++.EE
++
++- Set files with the mrtg_var_run_t type, if you want to store the mrtg files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mrtg_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_sys_content_t
++
++ /srv/([^/]*/)?www(/.*)?
++.br
++ /var/www(/.*)?
++.br
++ /etc/htdig(/.*)?
++.br
++ /srv/gallery2(/.*)?
++.br
++ /var/lib/trac(/.*)?
++.br
++ /var/lib/htdig(/.*)?
++.br
++ /var/www/icons(/.*)?
++.br
++ /usr/share/htdig(/.*)?
++.br
++ /usr/share/drupal.*
++.br
++ /var/www/svn/conf(/.*)?
++.br
++ /usr/share/icecast(/.*)?
++.br
++ /usr/share/mythweb(/.*)?
++.br
++ /var/lib/cacti/rra(/.*)?
++.br
++ /usr/share/ntop/html(/.*)?
++.br
++ /usr/share/mythtv/data(/.*)?
++.br
++ /usr/share/doc/ghc/html(/.*)?
++.br
++ /usr/share/openca/htdocs(/.*)?
++.br
++ /usr/share/selinux-policy[^/]*/html(/.*)?
++.br
++
++.br
++.B mrtg_lock_t
++
++ /var/lock/mrtg(/.*)?
++.br
++ /etc/mrtg/mrtg\.ok
++.br
++
++.br
++.B mrtg_log_t
++
++ /var/log/mrtg(/.*)?
++.br
++
++.br
++.B mrtg_var_lib_t
++
++ /var/lib/mrtg(/.*)?
++.br
++
++.br
++.B mrtg_var_run_t
++
++ /var/run/mrtg\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mrtg_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mrtg_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mrtg(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/mscan_selinux.8 b/man/man8/mscan_selinux.8
+new file mode 100644
+index 0000000..3349daa
+--- /dev/null
++++ b/man/man8/mscan_selinux.8
+@@ -0,0 +1,204 @@
++.TH "mscan_selinux" "8" "12-11-01" "mscan" "SELinux Policy documentation for mscan"
++.SH "NAME"
++mscan_selinux \- Security Enhanced Linux Policy for the mscan processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mscan processes via flexible mandatory access control.
++
++The mscan processes execute with the mscan_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mscan_t
++
++
++.SH "ENTRYPOINTS"
++
++The mscan_t SELinux type can be entered via the "mscan_exec_t" file type. The default entrypoint paths for the mscan_t domain are the following:"
++
++/usr/sbin/MailScanner
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mscan policy is very flexible allowing users to setup their mscan processes in as secure a method as possible.
++.PP
++The following process types are defined for mscan:
++
++.EX
++.B mscan_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. mscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mscan with the tightest access possible.
++
++
++.PP
++If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean.
++
++.EX
++.B setsebool -P clamscan_can_scan_system 1
++.EE
++
++.PP
++If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
++
++.EX
++.B setsebool -P clamscan_read_user_content 1
++.EE
++
++.PP
++If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean.
++
++.EX
++.B setsebool -P clamscan_can_scan_system 1
++.EE
++
++.PP
++If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
++
++.EX
++.B setsebool -P clamscan_read_user_content 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mscan policy is very flexible allowing users to setup their mscan processes in as secure a method as possible.
++.PP
++The following file types are defined for mscan:
++
++
++.EX
++.PP
++.B mscan_etc_t
++.EE
++
++- Set files with the mscan_etc_t type, if you want to store mscan files in the /etc directories.
++
++
++.EX
++.PP
++.B mscan_exec_t
++.EE
++
++- Set files with the mscan_exec_t type, if you want to transition an executable to the mscan_t domain.
++
++
++.EX
++.PP
++.B mscan_initrc_exec_t
++.EE
++
++- Set files with the mscan_initrc_exec_t type, if you want to transition an executable to the mscan_initrc_t domain.
++
++
++.EX
++.PP
++.B mscan_tmp_t
++.EE
++
++- Set files with the mscan_tmp_t type, if you want to store mscan temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mscan_var_run_t
++.EE
++
++- Set files with the mscan_var_run_t type, if you want to store the mscan files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mscan_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B clamd_var_run_t
++
++ /var/run/clamd.*
++.br
++ /var/run/clamav.*
++.br
++ /var/run/amavis(d)?/clamd\.pid
++.br
++ /var/spool/MailScanner(/.*)?
++.br
++ /var/spool/amavisd/clamd\.sock
++.br
++
++.br
++.B mqueue_spool_t
++
++ /var/spool/(client)?mqueue(/.*)?
++.br
++ /var/spool/mqueue\.in(/.*)?
++.br
++
++.br
++.B mscan_tmp_t
++
++
++.br
++.B mscan_var_run_t
++
++ /var/run/MailScanner\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mscan_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mscan_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mscan(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/munin_selinux.8 b/man/man8/munin_selinux.8
+new file mode 100644
+index 0000000..4e6e830
+--- /dev/null
++++ b/man/man8/munin_selinux.8
+@@ -0,0 +1,222 @@
++.TH "munin_selinux" "8" "12-11-01" "munin" "SELinux Policy documentation for munin"
++.SH "NAME"
++munin_selinux \- Security Enhanced Linux Policy for the munin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the munin processes via flexible mandatory access control.
++
++The munin processes execute with the munin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep munin_t
++
++
++.SH "ENTRYPOINTS"
++
++The munin_t SELinux type can be entered via the "munin_exec_t" file type. The default entrypoint paths for the munin_t domain are the following:"
++
++/usr/bin/munin-.*, /usr/sbin/munin-.*, /usr/share/munin/munin-.*, /usr/share/munin/plugins/.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux munin policy is very flexible allowing users to setup their munin processes in as secure a method as possible.
++.PP
++The following process types are defined for munin:
++
++.EX
++.B munin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux munin policy is very flexible allowing users to setup their munin processes in as secure a method as possible.
++.PP
++The following file types are defined for munin:
++
++
++.EX
++.PP
++.B munin_etc_t
++.EE
++
++- Set files with the munin_etc_t type, if you want to store munin files in the /etc directories.
++
++
++.EX
++.PP
++.B munin_exec_t
++.EE
++
++- Set files with the munin_exec_t type, if you want to transition an executable to the munin_t domain.
++
++
++.EX
++.PP
++.B munin_initrc_exec_t
++.EE
++
++- Set files with the munin_initrc_exec_t type, if you want to transition an executable to the munin_initrc_t domain.
++
++
++.EX
++.PP
++.B munin_log_t
++.EE
++
++- Set files with the munin_log_t type, if you want to treat the data as munin log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B munin_plugin_state_t
++.EE
++
++- Set files with the munin_plugin_state_t type, if you want to treat the files as munin plugin state data.
++
++
++.EX
++.PP
++.B munin_tmp_t
++.EE
++
++- Set files with the munin_tmp_t type, if you want to store munin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B munin_var_lib_t
++.EE
++
++- Set files with the munin_var_lib_t type, if you want to store the munin files under the /var/lib directory.
++
++
++.EX
++.PP
++.B munin_var_run_t
++.EE
++
++- Set files with the munin_var_run_t type, if you want to store the munin files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux munin policy is very flexible allowing users to setup their munin processes in as secure a method as possible.
++.PP
++The following port types are defined for munin:
++
++.EX
++.TP 5
++.B munin_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 4949
++.EE
++udp 4949
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type munin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_munin_content_t
++
++ /var/www/html/munin(/.*)?
++.br
++
++.br
++.B munin_log_t
++
++ /var/log/munin.*
++.br
++
++.br
++.B munin_plugin_state_t
++
++ /var/lib/munin/plugin-state(/.*)?
++.br
++
++.br
++.B munin_tmp_t
++
++
++.br
++.B munin_var_lib_t
++
++ /var/lib/munin(/.*)?
++.br
++
++.br
++.B munin_var_run_t
++
++ /var/run/munin(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the munin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the munin_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), munin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/mysqld_safe_selinux.8 b/man/man8/mysqld_safe_selinux.8
+new file mode 100644
+index 0000000..33c4086
+--- /dev/null
++++ b/man/man8/mysqld_safe_selinux.8
+@@ -0,0 +1,111 @@
++.TH "mysqld_safe_selinux" "8" "12-11-01" "mysqld_safe" "SELinux Policy documentation for mysqld_safe"
++.SH "NAME"
++mysqld_safe_selinux \- Security Enhanced Linux Policy for the mysqld_safe processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mysqld_safe processes via flexible mandatory access control.
++
++The mysqld_safe processes execute with the mysqld_safe_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mysqld_safe_t
++
++
++.SH "ENTRYPOINTS"
++
++The mysqld_safe_t SELinux type can be entered via the "mysqld_safe_exec_t" file type. The default entrypoint paths for the mysqld_safe_t domain are the following:"
++
++/usr/bin/mysqld_safe
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mysqld_safe policy is very flexible allowing users to setup their mysqld_safe processes in as secure a method as possible.
++.PP
++The following process types are defined for mysqld_safe:
++
++.EX
++.B mysqld_safe_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mysqld_safe policy is very flexible allowing users to setup their mysqld_safe processes in as secure a method as possible.
++.PP
++The following file types are defined for mysqld_safe:
++
++
++.EX
++.PP
++.B mysqld_safe_exec_t
++.EE
++
++- Set files with the mysqld_safe_exec_t type, if you want to transition an executable to the mysqld_safe_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type mysqld_safe_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mysqld_db_t
++
++ /var/lib/mysql(/.*)?
++.br
++
++.br
++.B mysqld_log_t
++
++ /var/log/mysql.*
++.br
++
++.br
++.B mysqld_var_run_t
++
++ /var/run/mysqld(/.*)?
++.br
++ /var/lib/mysql/mysql\.sock
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mysqld_safe(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, mysqld_selinux(8), mysqld_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/mysqld_selinux.8 b/man/man8/mysqld_selinux.8
+new file mode 100644
+index 0000000..4a21c03
+--- /dev/null
++++ b/man/man8/mysqld_selinux.8
+@@ -0,0 +1,283 @@
++.TH "mysqld_selinux" "8" "12-11-01" "mysqld" "SELinux Policy documentation for mysqld"
++.SH "NAME"
++mysqld_selinux \- Security Enhanced Linux Policy for the mysqld processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mysqld processes via flexible mandatory access control.
++
++The mysqld processes execute with the mysqld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mysqld_t
++
++
++.SH "ENTRYPOINTS"
++
++The mysqld_t SELinux type can be entered via the "mysqld_exec_t" file type. The default entrypoint paths for the mysqld_t domain are the following:"
++
++/usr/sbin/mysqld(-max)?, /usr/sbin/ndbd, /usr/libexec/mysqld, /usr/bin/mysql_upgrade
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mysqld policy is very flexible allowing users to setup their mysqld processes in as secure a method as possible.
++.PP
++The following process types are defined for mysqld:
++
++.EX
++.B mysqld_safe_t, mysqlmanagerd_t, mysqld_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. mysqld policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mysqld with the tightest access possible.
++
++
++.PP
++If you want to allow mysqld to connect to all ports, you must turn on the mysql_connect_any boolean.
++
++.EX
++.B setsebool -P mysql_connect_any 1
++.EE
++
++.PP
++If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean.
++
++.EX
++.B setsebool -P selinuxuser_mysql_connect_enabled 1
++.EE
++
++.PP
++If you want to allow mysqld to connect to all ports, you must turn on the mysql_connect_any boolean.
++
++.EX
++.B setsebool -P mysql_connect_any 1
++.EE
++
++.PP
++If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean.
++
++.EX
++.B setsebool -P selinuxuser_mysql_connect_enabled 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mysqld policy is very flexible allowing users to setup their mysqld processes in as secure a method as possible.
++.PP
++The following file types are defined for mysqld:
++
++
++.EX
++.PP
++.B mysqld_db_t
++.EE
++
++- Set files with the mysqld_db_t type, if you want to treat the files as mysqld database content.
++
++
++.EX
++.PP
++.B mysqld_etc_t
++.EE
++
++- Set files with the mysqld_etc_t type, if you want to store mysqld files in the /etc directories.
++
++
++.EX
++.PP
++.B mysqld_exec_t
++.EE
++
++- Set files with the mysqld_exec_t type, if you want to transition an executable to the mysqld_t domain.
++
++
++.EX
++.PP
++.B mysqld_home_t
++.EE
++
++- Set files with the mysqld_home_t type, if you want to store mysqld files in the users home directory.
++
++
++.EX
++.PP
++.B mysqld_initrc_exec_t
++.EE
++
++- Set files with the mysqld_initrc_exec_t type, if you want to transition an executable to the mysqld_initrc_t domain.
++
++
++.EX
++.PP
++.B mysqld_log_t
++.EE
++
++- Set files with the mysqld_log_t type, if you want to treat the data as mysqld log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B mysqld_safe_exec_t
++.EE
++
++- Set files with the mysqld_safe_exec_t type, if you want to transition an executable to the mysqld_safe_t domain.
++
++
++.EX
++.PP
++.B mysqld_tmp_t
++.EE
++
++- Set files with the mysqld_tmp_t type, if you want to store mysqld temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mysqld_unit_file_t
++.EE
++
++- Set files with the mysqld_unit_file_t type, if you want to treat the files as mysqld unit content.
++
++
++.EX
++.PP
++.B mysqld_var_run_t
++.EE
++
++- Set files with the mysqld_var_run_t type, if you want to store the mysqld files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux mysqld policy is very flexible allowing users to setup their mysqld processes in as secure a method as possible.
++.PP
++The following port types are defined for mysqld:
++
++.EX
++.TP 5
++.B mysqld_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 1186,3306,63132-63164
++.EE
++
++.EX
++.TP 5
++.B mysqlmanagerd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 2273
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type mysqld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B hugetlbfs_t
++
++ /dev/hugepages
++.br
++ /lib/udev/devices/hugepages
++.br
++ /usr/lib/udev/devices/hugepages
++.br
++
++.br
++.B mysqld_db_t
++
++ /var/lib/mysql(/.*)?
++.br
++
++.br
++.B mysqld_log_t
++
++ /var/log/mysql.*
++.br
++
++.br
++.B mysqld_tmp_t
++
++
++.br
++.B mysqld_var_run_t
++
++ /var/run/mysqld(/.*)?
++.br
++ /var/lib/mysql/mysql\.sock
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mysqld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mysqld_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mysqld(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), mysqld_safe_selinux(8), mysqlmanagerd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/mysqlmanagerd_selinux.8 b/man/man8/mysqlmanagerd_selinux.8
+new file mode 100644
+index 0000000..1634a0c
+--- /dev/null
++++ b/man/man8/mysqlmanagerd_selinux.8
+@@ -0,0 +1,138 @@
++.TH "mysqlmanagerd_selinux" "8" "12-11-01" "mysqlmanagerd" "SELinux Policy documentation for mysqlmanagerd"
++.SH "NAME"
++mysqlmanagerd_selinux \- Security Enhanced Linux Policy for the mysqlmanagerd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the mysqlmanagerd processes via flexible mandatory access control.
++
++The mysqlmanagerd processes execute with the mysqlmanagerd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep mysqlmanagerd_t
++
++
++.SH "ENTRYPOINTS"
++
++The mysqlmanagerd_t SELinux type can be entered via the "mysqlmanagerd_exec_t" file type. The default entrypoint paths for the mysqlmanagerd_t domain are the following:"
++
++/usr/sbin/mysqlmanager
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux mysqlmanagerd policy is very flexible allowing users to setup their mysqlmanagerd processes in as secure a method as possible.
++.PP
++The following process types are defined for mysqlmanagerd:
++
++.EX
++.B mysqlmanagerd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux mysqlmanagerd policy is very flexible allowing users to setup their mysqlmanagerd processes in as secure a method as possible.
++.PP
++The following file types are defined for mysqlmanagerd:
++
++
++.EX
++.PP
++.B mysqlmanagerd_exec_t
++.EE
++
++- Set files with the mysqlmanagerd_exec_t type, if you want to transition an executable to the mysqlmanagerd_t domain.
++
++
++.EX
++.PP
++.B mysqlmanagerd_initrc_exec_t
++.EE
++
++- Set files with the mysqlmanagerd_initrc_exec_t type, if you want to transition an executable to the mysqlmanagerd_initrc_t domain.
++
++
++.EX
++.PP
++.B mysqlmanagerd_var_run_t
++.EE
++
++- Set files with the mysqlmanagerd_var_run_t type, if you want to store the mysqlmanagerd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux mysqlmanagerd policy is very flexible allowing users to setup their mysqlmanagerd processes in as secure a method as possible.
++.PP
++The following port types are defined for mysqlmanagerd:
++
++.EX
++.TP 5
++.B mysqlmanagerd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 2273
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type mysqlmanagerd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mysqlmanagerd_var_run_t
++
++ /var/run/mysqld/mysqlmanager.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), mysqlmanagerd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/nagios_admin_plugin_selinux.8 b/man/man8/nagios_admin_plugin_selinux.8
+new file mode 100644
+index 0000000..505d3a1
+--- /dev/null
++++ b/man/man8/nagios_admin_plugin_selinux.8
+@@ -0,0 +1,87 @@
++.TH "nagios_admin_plugin_selinux" "8" "12-11-01" "nagios_admin_plugin" "SELinux Policy documentation for nagios_admin_plugin"
++.SH "NAME"
++nagios_admin_plugin_selinux \- Security Enhanced Linux Policy for the nagios_admin_plugin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nagios_admin_plugin processes via flexible mandatory access control.
++
++The nagios_admin_plugin processes execute with the nagios_admin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nagios_admin_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The nagios_admin_plugin_t SELinux type can be entered via the "nagios_admin_plugin_exec_t" file type. The default entrypoint paths for the nagios_admin_plugin_t domain are the following:"
++
++/usr/lib/nagios/plugins/check_file_age
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nagios_admin_plugin policy is very flexible allowing users to setup their nagios_admin_plugin processes in as secure a method as possible.
++.PP
++The following process types are defined for nagios_admin_plugin:
++
++.EX
++.B nagios_admin_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nagios_admin_plugin policy is very flexible allowing users to setup their nagios_admin_plugin processes in as secure a method as possible.
++.PP
++The following file types are defined for nagios_admin_plugin:
++
++
++.EX
++.PP
++.B nagios_admin_plugin_exec_t
++.EE
++
++- Set files with the nagios_admin_plugin_exec_t type, if you want to transition an executable to the nagios_admin_plugin_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nagios_admin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nagios_selinux(8), nagios_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nagios_checkdisk_plugin_selinux.8 b/man/man8/nagios_checkdisk_plugin_selinux.8
+new file mode 100644
+index 0000000..9ccef93
+--- /dev/null
++++ b/man/man8/nagios_checkdisk_plugin_selinux.8
+@@ -0,0 +1,87 @@
++.TH "nagios_checkdisk_plugin_selinux" "8" "12-11-01" "nagios_checkdisk_plugin" "SELinux Policy documentation for nagios_checkdisk_plugin"
++.SH "NAME"
++nagios_checkdisk_plugin_selinux \- Security Enhanced Linux Policy for the nagios_checkdisk_plugin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nagios_checkdisk_plugin processes via flexible mandatory access control.
++
++The nagios_checkdisk_plugin processes execute with the nagios_checkdisk_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nagios_checkdisk_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The nagios_checkdisk_plugin_t SELinux type can be entered via the "nagios_checkdisk_plugin_exec_t" file type. The default entrypoint paths for the nagios_checkdisk_plugin_t domain are the following:"
++
++/usr/lib/nagios/plugins/check_disk, /usr/lib/nagios/plugins/check_disk_smb, /usr/lib/nagios/plugins/check_ide_smart, /usr/lib/nagios/plugins/check_linux_raid
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nagios_checkdisk_plugin policy is very flexible allowing users to setup their nagios_checkdisk_plugin processes in as secure a method as possible.
++.PP
++The following process types are defined for nagios_checkdisk_plugin:
++
++.EX
++.B nagios_checkdisk_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nagios_checkdisk_plugin policy is very flexible allowing users to setup their nagios_checkdisk_plugin processes in as secure a method as possible.
++.PP
++The following file types are defined for nagios_checkdisk_plugin:
++
++
++.EX
++.PP
++.B nagios_checkdisk_plugin_exec_t
++.EE
++
++- Set files with the nagios_checkdisk_plugin_exec_t type, if you want to transition an executable to the nagios_checkdisk_plugin_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nagios_checkdisk_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nagios_eventhandler_plugin_selinux.8 b/man/man8/nagios_eventhandler_plugin_selinux.8
+new file mode 100644
+index 0000000..507c175
+--- /dev/null
++++ b/man/man8/nagios_eventhandler_plugin_selinux.8
+@@ -0,0 +1,111 @@
++.TH "nagios_eventhandler_plugin_selinux" "8" "12-11-01" "nagios_eventhandler_plugin" "SELinux Policy documentation for nagios_eventhandler_plugin"
++.SH "NAME"
++nagios_eventhandler_plugin_selinux \- Security Enhanced Linux Policy for the nagios_eventhandler_plugin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nagios_eventhandler_plugin processes via flexible mandatory access control.
++
++The nagios_eventhandler_plugin processes execute with the nagios_eventhandler_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nagios_eventhandler_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The nagios_eventhandler_plugin_t SELinux type can be entered via the "nagios_eventhandler_plugin_exec_t" file type. The default entrypoint paths for the nagios_eventhandler_plugin_t domain are the following:"
++
++/usr/lib/nagios/plugins/eventhandlers(/.*)
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nagios_eventhandler_plugin policy is very flexible allowing users to setup their nagios_eventhandler_plugin processes in as secure a method as possible.
++.PP
++The following process types are defined for nagios_eventhandler_plugin:
++
++.EX
++.B nagios_eventhandler_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nagios_eventhandler_plugin policy is very flexible allowing users to setup their nagios_eventhandler_plugin processes in as secure a method as possible.
++.PP
++The following file types are defined for nagios_eventhandler_plugin:
++
++
++.EX
++.PP
++.B nagios_eventhandler_plugin_exec_t
++.EE
++
++- Set files with the nagios_eventhandler_plugin_exec_t type, if you want to transition an executable to the nagios_eventhandler_plugin_t domain.
++
++
++.EX
++.PP
++.B nagios_eventhandler_plugin_tmp_t
++.EE
++
++- Set files with the nagios_eventhandler_plugin_tmp_t type, if you want to store nagios eventhandler plugin temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nagios_eventhandler_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nagios_eventhandler_plugin_tmp_t
++
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nagios_eventhandler_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nagios_mail_plugin_selinux.8 b/man/man8/nagios_mail_plugin_selinux.8
+new file mode 100644
+index 0000000..0140264
+--- /dev/null
++++ b/man/man8/nagios_mail_plugin_selinux.8
+@@ -0,0 +1,87 @@
++.TH "nagios_mail_plugin_selinux" "8" "12-11-01" "nagios_mail_plugin" "SELinux Policy documentation for nagios_mail_plugin"
++.SH "NAME"
++nagios_mail_plugin_selinux \- Security Enhanced Linux Policy for the nagios_mail_plugin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nagios_mail_plugin processes via flexible mandatory access control.
++
++The nagios_mail_plugin processes execute with the nagios_mail_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nagios_mail_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The nagios_mail_plugin_t SELinux type can be entered via the "nagios_mail_plugin_exec_t" file type. The default entrypoint paths for the nagios_mail_plugin_t domain are the following:"
++
++/usr/lib/nagios/plugins/check_mailq
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nagios_mail_plugin policy is very flexible allowing users to setup their nagios_mail_plugin processes in as secure a method as possible.
++.PP
++The following process types are defined for nagios_mail_plugin:
++
++.EX
++.B nagios_mail_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nagios_mail_plugin policy is very flexible allowing users to setup their nagios_mail_plugin processes in as secure a method as possible.
++.PP
++The following file types are defined for nagios_mail_plugin:
++
++
++.EX
++.PP
++.B nagios_mail_plugin_exec_t
++.EE
++
++- Set files with the nagios_mail_plugin_exec_t type, if you want to transition an executable to the nagios_mail_plugin_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nagios_mail_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nagios_selinux.8 b/man/man8/nagios_selinux.8
+new file mode 100644
+index 0000000..2208671
+--- /dev/null
++++ b/man/man8/nagios_selinux.8
+@@ -0,0 +1,257 @@
++.TH "nagios_selinux" "8" "12-11-01" "nagios" "SELinux Policy documentation for nagios"
++.SH "NAME"
++nagios_selinux \- Security Enhanced Linux Policy for the nagios processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nagios processes via flexible mandatory access control.
++
++The nagios processes execute with the nagios_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nagios_t
++
++
++.SH "ENTRYPOINTS"
++
++The nagios_t SELinux type can be entered via the "nagios_exec_t" file type. The default entrypoint paths for the nagios_t domain are the following:"
++
++/usr/s?bin/nagios
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nagios policy is very flexible allowing users to setup their nagios processes in as secure a method as possible.
++.PP
++The following process types are defined for nagios:
++
++.EX
++.B nagios_t, nagios_mail_plugin_t, nagios_checkdisk_plugin_t, nagios_services_plugin_t, nagios_eventhandler_plugin_t, nagios_system_plugin_t, nagios_unconfined_plugin_t, nagios_admin_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nagios policy is very flexible allowing users to setup their nagios processes in as secure a method as possible.
++.PP
++The following file types are defined for nagios:
++
++
++.EX
++.PP
++.B nagios_admin_plugin_exec_t
++.EE
++
++- Set files with the nagios_admin_plugin_exec_t type, if you want to transition an executable to the nagios_admin_plugin_t domain.
++
++
++.EX
++.PP
++.B nagios_checkdisk_plugin_exec_t
++.EE
++
++- Set files with the nagios_checkdisk_plugin_exec_t type, if you want to transition an executable to the nagios_checkdisk_plugin_t domain.
++
++
++.EX
++.PP
++.B nagios_etc_t
++.EE
++
++- Set files with the nagios_etc_t type, if you want to store nagios files in the /etc directories.
++
++
++.EX
++.PP
++.B nagios_eventhandler_plugin_exec_t
++.EE
++
++- Set files with the nagios_eventhandler_plugin_exec_t type, if you want to transition an executable to the nagios_eventhandler_plugin_t domain.
++
++
++.EX
++.PP
++.B nagios_eventhandler_plugin_tmp_t
++.EE
++
++- Set files with the nagios_eventhandler_plugin_tmp_t type, if you want to store nagios eventhandler plugin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nagios_exec_t
++.EE
++
++- Set files with the nagios_exec_t type, if you want to transition an executable to the nagios_t domain.
++
++
++.EX
++.PP
++.B nagios_initrc_exec_t
++.EE
++
++- Set files with the nagios_initrc_exec_t type, if you want to transition an executable to the nagios_initrc_t domain.
++
++
++.EX
++.PP
++.B nagios_log_t
++.EE
++
++- Set files with the nagios_log_t type, if you want to treat the data as nagios log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B nagios_mail_plugin_exec_t
++.EE
++
++- Set files with the nagios_mail_plugin_exec_t type, if you want to transition an executable to the nagios_mail_plugin_t domain.
++
++
++.EX
++.PP
++.B nagios_services_plugin_exec_t
++.EE
++
++- Set files with the nagios_services_plugin_exec_t type, if you want to transition an executable to the nagios_services_plugin_t domain.
++
++
++.EX
++.PP
++.B nagios_spool_t
++.EE
++
++- Set files with the nagios_spool_t type, if you want to store the nagios files under the /var/spool directory.
++
++
++.EX
++.PP
++.B nagios_system_plugin_exec_t
++.EE
++
++- Set files with the nagios_system_plugin_exec_t type, if you want to transition an executable to the nagios_system_plugin_t domain.
++
++
++.EX
++.PP
++.B nagios_system_plugin_tmp_t
++.EE
++
++- Set files with the nagios_system_plugin_tmp_t type, if you want to store nagios system plugin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nagios_tmp_t
++.EE
++
++- Set files with the nagios_tmp_t type, if you want to store nagios temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nagios_unconfined_plugin_exec_t
++.EE
++
++- Set files with the nagios_unconfined_plugin_exec_t type, if you want to transition an executable to the nagios_unconfined_plugin_t domain.
++
++
++.EX
++.PP
++.B nagios_var_lib_t
++.EE
++
++- Set files with the nagios_var_lib_t type, if you want to store the nagios files under the /var/lib directory.
++
++
++.EX
++.PP
++.B nagios_var_run_t
++.EE
++
++- Set files with the nagios_var_run_t type, if you want to store the nagios files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nagios_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nagios_log_t
++
++ /var/log/nagios(/.*)?
++.br
++ /var/log/netsaint(/.*)?
++.br
++
++.br
++.B nagios_tmp_t
++
++
++.br
++.B nagios_var_lib_t
++
++ /usr/lib/pnp4nagios(/.*)?
++.br
++
++.br
++.B nagios_var_run_t
++
++ /var/run/nagios.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nagios_services_plugin_t, nagios_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nagios_services_plugin_t, nagios_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nagios_services_plugin_selinux.8 b/man/man8/nagios_services_plugin_selinux.8
+new file mode 100644
+index 0000000..4b2f93e
+--- /dev/null
++++ b/man/man8/nagios_services_plugin_selinux.8
+@@ -0,0 +1,101 @@
++.TH "nagios_services_plugin_selinux" "8" "12-11-01" "nagios_services_plugin" "SELinux Policy documentation for nagios_services_plugin"
++.SH "NAME"
++nagios_services_plugin_selinux \- Security Enhanced Linux Policy for the nagios_services_plugin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nagios_services_plugin processes via flexible mandatory access control.
++
++The nagios_services_plugin processes execute with the nagios_services_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nagios_services_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The nagios_services_plugin_t SELinux type can be entered via the "nagios_services_plugin_exec_t" file type. The default entrypoint paths for the nagios_services_plugin_t domain are the following:"
++
++/usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_dns, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_http, /usr/lib/nagios/plugins/check_icmp, /usr/lib/nagios/plugins/check_ircd, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_fping, /usr/lib/nagios/plugins/check_mysql, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_mysql_query
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nagios_services_plugin policy is very flexible allowing users to setup their nagios_services_plugin processes in as secure a method as possible.
++.PP
++The following process types are defined for nagios_services_plugin:
++
++.EX
++.B nagios_services_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nagios_services_plugin policy is very flexible allowing users to setup their nagios_services_plugin processes in as secure a method as possible.
++.PP
++The following file types are defined for nagios_services_plugin:
++
++
++.EX
++.PP
++.B nagios_services_plugin_exec_t
++.EE
++
++- Set files with the nagios_services_plugin_exec_t type, if you want to transition an executable to the nagios_services_plugin_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nagios_services_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nagios_services_plugin_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nagios_services_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nagios_system_plugin_selinux.8 b/man/man8/nagios_system_plugin_selinux.8
+new file mode 100644
+index 0000000..0005f14
+--- /dev/null
++++ b/man/man8/nagios_system_plugin_selinux.8
+@@ -0,0 +1,103 @@
++.TH "nagios_system_plugin_selinux" "8" "12-11-01" "nagios_system_plugin" "SELinux Policy documentation for nagios_system_plugin"
++.SH "NAME"
++nagios_system_plugin_selinux \- Security Enhanced Linux Policy for the nagios_system_plugin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nagios_system_plugin processes via flexible mandatory access control.
++
++The nagios_system_plugin processes execute with the nagios_system_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nagios_system_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The nagios_system_plugin_t SELinux type can be entered via the "nagios_system_plugin_exec_t" file type. The default entrypoint paths for the nagios_system_plugin_t domain are the following:"
++
++/usr/lib/nagios/plugins/check_log, /usr/lib/nagios/plugins/check_load, /usr/lib/nagios/plugins/check_mrtg, /usr/lib/nagios/plugins/check_swap, /usr/lib/nagios/plugins/check_wave, /usr/lib/nagios/plugins/check_procs, /usr/lib/nagios/plugins/check_users, /usr/lib/nagios/plugins/check_flexlm, /usr/lib/nagios/plugins/check_nagios, /usr/lib/nagios/plugins/check_nwstat, /usr/lib/nagios/plugins/check_overcr, /usr/lib/nagios/plugins/check_sensors, /usr/lib/nagios/plugins/check_ifstatus, /usr/lib/nagios/plugins/check_mrtgtraf, /usr/lib/nagios/plugins/check_ifoperstatus
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nagios_system_plugin policy is very flexible allowing users to setup their nagios_system_plugin processes in as secure a method as possible.
++.PP
++The following process types are defined for nagios_system_plugin:
++
++.EX
++.B nagios_system_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nagios_system_plugin policy is very flexible allowing users to setup their nagios_system_plugin processes in as secure a method as possible.
++.PP
++The following file types are defined for nagios_system_plugin:
++
++
++.EX
++.PP
++.B nagios_system_plugin_exec_t
++.EE
++
++- Set files with the nagios_system_plugin_exec_t type, if you want to transition an executable to the nagios_system_plugin_t domain.
++
++
++.EX
++.PP
++.B nagios_system_plugin_tmp_t
++.EE
++
++- Set files with the nagios_system_plugin_tmp_t type, if you want to store nagios system plugin temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nagios_system_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nagios_system_plugin_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nagios_system_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nagios_unconfined_plugin_selinux.8 b/man/man8/nagios_unconfined_plugin_selinux.8
+new file mode 100644
+index 0000000..ccf2eed
+--- /dev/null
++++ b/man/man8/nagios_unconfined_plugin_selinux.8
+@@ -0,0 +1,87 @@
++.TH "nagios_unconfined_plugin_selinux" "8" "12-11-01" "nagios_unconfined_plugin" "SELinux Policy documentation for nagios_unconfined_plugin"
++.SH "NAME"
++nagios_unconfined_plugin_selinux \- Security Enhanced Linux Policy for the nagios_unconfined_plugin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nagios_unconfined_plugin processes via flexible mandatory access control.
++
++The nagios_unconfined_plugin processes execute with the nagios_unconfined_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nagios_unconfined_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The nagios_unconfined_plugin_t SELinux type can be entered via the "nagios_unconfined_plugin_exec_t" file type. The default entrypoint paths for the nagios_unconfined_plugin_t domain are the following:"
++
++/usr/lib/nagios/plugins/check_by_ssh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nagios_unconfined_plugin policy is very flexible allowing users to setup their nagios_unconfined_plugin processes in as secure a method as possible.
++.PP
++The following process types are defined for nagios_unconfined_plugin:
++
++.EX
++.B nagios_unconfined_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nagios_unconfined_plugin policy is very flexible allowing users to setup their nagios_unconfined_plugin processes in as secure a method as possible.
++.PP
++The following file types are defined for nagios_unconfined_plugin:
++
++
++.EX
++.PP
++.B nagios_unconfined_plugin_exec_t
++.EE
++
++- Set files with the nagios_unconfined_plugin_exec_t type, if you want to transition an executable to the nagios_unconfined_plugin_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nagios_unconfined_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8
+index fce0b48..8d2debb 100644
+--- a/man/man8/named_selinux.8
++++ b/man/man8/named_selinux.8
+@@ -1,30 +1,288 @@
+-.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
+-.de EX
+-.nf
+-.ft CW
+-..
+-.de EE
+-.ft R
+-.fi
+-..
++.TH "named_selinux" "8" "12-11-01" "named" "SELinux Policy documentation for named"
+ .SH "NAME"
+-named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon
++named_selinux \- Security Enhanced Linux Policy for the named processes
+ .SH "DESCRIPTION"
+
+-Security-Enhanced Linux secures the named server via flexible mandatory access
+-control.
++Security-Enhanced Linux secures the named processes via flexible mandatory access control.
++
++The named processes execute with the named_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep named_t
++
++
++.SH "ENTRYPOINTS"
++
++The named_t SELinux type can be entered via the "named_exec_t,named_checkconf_exec_t" file types. The default entrypoint paths for the named_t domain are the following:"
++
++/usr/sbin/named, /usr/sbin/lwresd, /usr/sbin/unbound, /usr/sbin/named-checkconf
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux named policy is very flexible allowing users to setup their named processes in as secure a method as possible.
++.PP
++The following process types are defined for named:
++
++.EX
++.B named_t, namespace_init_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
+ .SH BOOLEANS
+-SELinux policy is customizable based on least access required. So by
+-default SELinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean.
++SELinux policy is customizable based on least access required. named policy is extremely flexible and has several booleans that allow you to manipulate the policy and run named with the tightest access possible.
++
++
++.PP
++If you want to allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers, you must turn on the named_write_master_zones boolean.
++
+ .EX
+-setsebool -P named_write_master_zones 1
++.B setsebool -P named_write_master_zones 1
+ .EE
++
+ .PP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
+-.SH AUTHOR
+-This manual page was written by Dan Walsh .
++If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean.
++
++.EX
++.B setsebool -P named_bind_http_port 1
++.EE
++
++.PP
++If you want to allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers, you must turn on the named_write_master_zones boolean.
++
++.EX
++.B setsebool -P named_write_master_zones 1
++.EE
++
++.PP
++If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean.
++
++.EX
++.B setsebool -P named_bind_http_port 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux named policy is very flexible allowing users to setup their named processes in as secure a method as possible.
++.PP
++The following file types are defined for named:
++
++
++.EX
++.PP
++.B named_cache_t
++.EE
++
++- Set files with the named_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B named_checkconf_exec_t
++.EE
++
++- Set files with the named_checkconf_exec_t type, if you want to transition an executable to the named_checkconf_t domain.
++
++
++.EX
++.PP
++.B named_conf_t
++.EE
++
++- Set files with the named_conf_t type, if you want to treat the files as named configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B named_exec_t
++.EE
++
++- Set files with the named_exec_t type, if you want to transition an executable to the named_t domain.
++
++
++.EX
++.PP
++.B named_initrc_exec_t
++.EE
++
++- Set files with the named_initrc_exec_t type, if you want to transition an executable to the named_initrc_t domain.
+
+-.SH "SEE ALSO"
+-selinux(8), named(8), chcon(1), setsebool(8)
+
++.EX
++.PP
++.B named_keytab_t
++.EE
++
++- Set files with the named_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B named_log_t
++.EE
++
++- Set files with the named_log_t type, if you want to treat the data as named log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B named_tmp_t
++.EE
++
++- Set files with the named_tmp_t type, if you want to store named temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B named_unit_file_t
++.EE
++
++- Set files with the named_unit_file_t type, if you want to treat the files as named unit content.
++
++
++.EX
++.PP
++.B named_var_run_t
++.EE
++
++- Set files with the named_var_run_t type, if you want to store the named files under the /run directory.
++
++
++.EX
++.PP
++.B named_zone_t
++.EE
++
++- Set files with the named_zone_t type, if you want to treat the files as named zone data.
+
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type named_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B named_cache_t
++
++ /var/named/data(/.*)?
++.br
++ /var/named/slaves(/.*)?
++.br
++ /var/named/dynamic(/.*)?
++.br
++ /var/named/chroot/var/tmp(/.*)?
++.br
++ /var/named/chroot/var/named/data(/.*)?
++.br
++ /var/named/chroot/var/named/slaves(/.*)?
++.br
++ /var/named/chroot/var/named/dynamic(/.*)?
++.br
++
++.br
++.B named_log_t
++
++ /var/log/named.*
++.br
++ /var/named/chroot/var/log/named.*
++.br
++
++.br
++.B named_tmp_t
++
++
++.br
++.B named_var_run_t
++
++ /var/run/bind(/.*)?
++.br
++ /var/run/named(/.*)?
++.br
++ /var/run/unbound(/.*)?
++.br
++ /var/named/chroot/var/run/named.*
++.br
++ /var/run/ndc
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the namespace_init_t, named_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the namespace_init_t, named_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), named(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), namespace_init_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/namespace_init_selinux.8 b/man/man8/namespace_init_selinux.8
+new file mode 100644
+index 0000000..9d3197d
+--- /dev/null
++++ b/man/man8/namespace_init_selinux.8
+@@ -0,0 +1,120 @@
++.TH "namespace_init_selinux" "8" "12-11-01" "namespace_init" "SELinux Policy documentation for namespace_init"
++.SH "NAME"
++namespace_init_selinux \- Security Enhanced Linux Policy for the namespace_init processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the namespace_init processes via flexible mandatory access control.
++
++The namespace_init processes execute with the namespace_init_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep namespace_init_t
++
++
++.SH "ENTRYPOINTS"
++
++The namespace_init_t SELinux type can be entered via the "namespace_init_exec_t" file type. The default entrypoint paths for the namespace_init_t domain are the following:"
++
++/etc/security/namespace.init
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux namespace_init policy is very flexible allowing users to setup their namespace_init processes in as secure a method as possible.
++.PP
++The following process types are defined for namespace_init:
++
++.EX
++.B namespace_init_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux namespace_init policy is very flexible allowing users to setup their namespace_init processes in as secure a method as possible.
++.PP
++The following file types are defined for namespace_init:
++
++
++.EX
++.PP
++.B namespace_init_exec_t
++.EE
++
++- Set files with the namespace_init_exec_t type, if you want to transition an executable to the namespace_init_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type namespace_init_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the namespace_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the namespace_init_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), namespace_init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ncftool_selinux.8 b/man/man8/ncftool_selinux.8
+new file mode 100644
+index 0000000..2b164c1
+--- /dev/null
++++ b/man/man8/ncftool_selinux.8
+@@ -0,0 +1,138 @@
++.TH "ncftool_selinux" "8" "12-11-01" "ncftool" "SELinux Policy documentation for ncftool"
++.SH "NAME"
++ncftool_selinux \- Security Enhanced Linux Policy for the ncftool processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ncftool processes via flexible mandatory access control.
++
++The ncftool processes execute with the ncftool_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ncftool_t
++
++
++.SH "ENTRYPOINTS"
++
++The ncftool_t SELinux type can be entered via the "ncftool_exec_t" file type. The default entrypoint paths for the ncftool_t domain are the following:"
++
++/usr/bin/ncftool
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ncftool policy is very flexible allowing users to setup their ncftool processes in as secure a method as possible.
++.PP
++The following process types are defined for ncftool:
++
++.EX
++.B ncftool_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ncftool policy is very flexible allowing users to setup their ncftool processes in as secure a method as possible.
++.PP
++The following file types are defined for ncftool:
++
++
++.EX
++.PP
++.B ncftool_exec_t
++.EE
++
++- Set files with the ncftool_exec_t type, if you want to transition an executable to the ncftool_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type ncftool_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.br
++.B system_conf_t
++
++ /etc/sysctl\.conf(\.old)?
++.br
++ /etc/sysconfig/ip6?tables.*
++.br
++ /etc/sysconfig/ipvsadm.*
++.br
++ /etc/sysconfig/ebtables.*
++.br
++ /etc/sysconfig/system-config-firewall.*
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ncftool(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ndc_selinux.8 b/man/man8/ndc_selinux.8
+new file mode 100644
+index 0000000..3fbc319
+--- /dev/null
++++ b/man/man8/ndc_selinux.8
+@@ -0,0 +1,100 @@
++.TH "ndc_selinux" "8" "12-11-01" "ndc" "SELinux Policy documentation for ndc"
++.SH "NAME"
++ndc_selinux \- Security Enhanced Linux Policy for the ndc processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ndc processes via flexible mandatory access control.
++
++The ndc processes execute with the ndc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ndc_t
++
++
++.SH "ENTRYPOINTS"
++
++The ndc_t SELinux type can be entered via the "ndc_exec_t" file type. The default entrypoint paths for the ndc_t domain are the following:"
++
++/usr/sbin/r?ndc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ndc policy is very flexible allowing users to setup their ndc processes in as secure a method as possible.
++.PP
++The following process types are defined for ndc:
++
++.EX
++.B ndc_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ndc policy is very flexible allowing users to setup their ndc processes in as secure a method as possible.
++.PP
++The following file types are defined for ndc:
++
++
++.EX
++.PP
++.B ndc_exec_t
++.EE
++
++- Set files with the ndc_exec_t type, if you want to transition an executable to the ndc_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ndc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ndc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ndc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/netlabel_mgmt_selinux.8 b/man/man8/netlabel_mgmt_selinux.8
+new file mode 100644
+index 0000000..9ee6f73
+--- /dev/null
++++ b/man/man8/netlabel_mgmt_selinux.8
+@@ -0,0 +1,86 @@
++.TH "netlabel_mgmt_selinux" "8" "12-11-01" "netlabel_mgmt" "SELinux Policy documentation for netlabel_mgmt"
++.SH "NAME"
++netlabel_mgmt_selinux \- Security Enhanced Linux Policy for the netlabel_mgmt processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the netlabel_mgmt processes via flexible mandatory access control.
++
++The netlabel_mgmt processes execute with the netlabel_mgmt_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep netlabel_mgmt_t
++
++
++.SH "ENTRYPOINTS"
++
++The netlabel_mgmt_t SELinux type can be entered via the "netlabel_mgmt_exec_t" file type. The default entrypoint paths for the netlabel_mgmt_t domain are the following:"
++
++/sbin/netlabelctl, /usr/sbin/netlabelctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux netlabel_mgmt policy is very flexible allowing users to setup their netlabel_mgmt processes in as secure a method as possible.
++.PP
++The following process types are defined for netlabel_mgmt:
++
++.EX
++.B netlabel_mgmt_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux netlabel_mgmt policy is very flexible allowing users to setup their netlabel_mgmt processes in as secure a method as possible.
++.PP
++The following file types are defined for netlabel_mgmt:
++
++
++.EX
++.PP
++.B netlabel_mgmt_exec_t
++.EE
++
++- Set files with the netlabel_mgmt_exec_t type, if you want to transition an executable to the netlabel_mgmt_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), netlabel_mgmt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/netlogond_selinux.8 b/man/man8/netlogond_selinux.8
+new file mode 100644
+index 0000000..56dbd55
+--- /dev/null
++++ b/man/man8/netlogond_selinux.8
+@@ -0,0 +1,134 @@
++.TH "netlogond_selinux" "8" "12-11-01" "netlogond" "SELinux Policy documentation for netlogond"
++.SH "NAME"
++netlogond_selinux \- Security Enhanced Linux Policy for the netlogond processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the netlogond processes via flexible mandatory access control.
++
++The netlogond processes execute with the netlogond_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep netlogond_t
++
++
++.SH "ENTRYPOINTS"
++
++The netlogond_t SELinux type can be entered via the "netlogond_exec_t" file type. The default entrypoint paths for the netlogond_t domain are the following:"
++
++/usr/sbin/netlogond
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux netlogond policy is very flexible allowing users to setup their netlogond processes in as secure a method as possible.
++.PP
++The following process types are defined for netlogond:
++
++.EX
++.B netlogond_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux netlogond policy is very flexible allowing users to setup their netlogond processes in as secure a method as possible.
++.PP
++The following file types are defined for netlogond:
++
++
++.EX
++.PP
++.B netlogond_exec_t
++.EE
++
++- Set files with the netlogond_exec_t type, if you want to transition an executable to the netlogond_t domain.
++
++
++.EX
++.PP
++.B netlogond_var_lib_t
++.EE
++
++- Set files with the netlogond_var_lib_t type, if you want to store the netlogond files under the /var/lib directory.
++
++
++.EX
++.PP
++.B netlogond_var_run_t
++.EE
++
++- Set files with the netlogond_var_run_t type, if you want to store the netlogond files under the /run directory.
++
++
++.EX
++.PP
++.B netlogond_var_socket_t
++.EE
++
++- Set files with the netlogond_var_socket_t type, if you want to treat the files as netlogond var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type netlogond_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B likewise_etc_t
++
++ /etc/likewise-open(/.*)?
++.br
++
++.br
++.B netlogond_var_lib_t
++
++ /var/lib/likewise-open/krb5-affinity.conf
++.br
++ /var/lib/likewise-open/LWNetsd\.err
++.br
++
++.br
++.B netlogond_var_run_t
++
++ /var/run/netlogond.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), netlogond(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/netutils_selinux.8 b/man/man8/netutils_selinux.8
+new file mode 100644
+index 0000000..0c0688f
+--- /dev/null
++++ b/man/man8/netutils_selinux.8
+@@ -0,0 +1,116 @@
++.TH "netutils_selinux" "8" "12-11-01" "netutils" "SELinux Policy documentation for netutils"
++.SH "NAME"
++netutils_selinux \- Security Enhanced Linux Policy for the netutils processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the netutils processes via flexible mandatory access control.
++
++The netutils processes execute with the netutils_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep netutils_t
++
++
++.SH "ENTRYPOINTS"
++
++The netutils_t SELinux type can be entered via the "netutils_exec_t" file type. The default entrypoint paths for the netutils_t domain are the following:"
++
++/sbin/arping, /usr/sbin/arping, /usr/sbin/tcpdump
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux netutils policy is very flexible allowing users to setup their netutils processes in as secure a method as possible.
++.PP
++The following process types are defined for netutils:
++
++.EX
++.B netutils_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux netutils policy is very flexible allowing users to setup their netutils processes in as secure a method as possible.
++.PP
++The following file types are defined for netutils:
++
++
++.EX
++.PP
++.B netutils_exec_t
++.EE
++
++- Set files with the netutils_exec_t type, if you want to transition an executable to the netutils_t domain.
++
++
++.EX
++.PP
++.B netutils_tmp_t
++.EE
++
++- Set files with the netutils_tmp_t type, if you want to store netutils temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type netutils_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B netutils_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the netutils_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the netutils_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), netutils(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/newrole_selinux.8 b/man/man8/newrole_selinux.8
+new file mode 100644
+index 0000000..fc68433
+--- /dev/null
++++ b/man/man8/newrole_selinux.8
+@@ -0,0 +1,178 @@
++.TH "newrole_selinux" "8" "12-11-01" "newrole" "SELinux Policy documentation for newrole"
++.SH "NAME"
++newrole_selinux \- Security Enhanced Linux Policy for the newrole processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the newrole processes via flexible mandatory access control.
++
++The newrole processes execute with the newrole_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep newrole_t
++
++
++.SH "ENTRYPOINTS"
++
++The newrole_t SELinux type can be entered via the "newrole_exec_t" file type. The default entrypoint paths for the newrole_t domain are the following:"
++
++/usr/bin/newrole
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux newrole policy is very flexible allowing users to setup their newrole processes in as secure a method as possible.
++.PP
++The following process types are defined for newrole:
++
++.EX
++.B newrole_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux newrole policy is very flexible allowing users to setup their newrole processes in as secure a method as possible.
++.PP
++The following file types are defined for newrole:
++
++
++.EX
++.PP
++.B newrole_exec_t
++.EE
++
++- Set files with the newrole_exec_t type, if you want to transition an executable to the newrole_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type newrole_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the newrole_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the newrole_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), newrole(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/nfs_selinux.8 b/man/man8/nfs_selinux.8
+deleted file mode 100644
+index 8e30c4c..0000000
+--- a/man/man8/nfs_selinux.8
++++ /dev/null
+@@ -1,31 +0,0 @@
+-.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
+-.SH "NAME"
+-nfs_selinux \- Security Enhanced Linux Policy for NFS
+-.SH "DESCRIPTION"
+-
+-Security Enhanced Linux secures the NFS server via flexible mandatory access
+-control.
+-.SH BOOLEANS
+-SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
+-
+-.TP
+-setsebool -P nfs_export_all_ro 1
+-.TP
+-If you want to share files read/write you must set the nfs_export_all_rw boolean.
+-.TP
+-setsebool -P nfs_export_all_rw 1
+-
+-.TP
+-These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
+-
+-.TP
+-If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
+-.TP
+-setsebool -P use_nfs_home_dirs 1
+-.TP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
+-.SH AUTHOR
+-This manual page was written by Dan Walsh .
+-
+-.SH "SEE ALSO"
+-selinux(8), chcon(1), setsebool(8)
+diff --git a/man/man8/nfsd_selinux.8 b/man/man8/nfsd_selinux.8
+new file mode 100644
+index 0000000..72cf8db
+--- /dev/null
++++ b/man/man8/nfsd_selinux.8
+@@ -0,0 +1,447 @@
++.TH "nfsd_selinux" "8" "12-11-01" "nfsd" "SELinux Policy documentation for nfsd"
++.SH "NAME"
++nfsd_selinux \- Security Enhanced Linux Policy for the nfsd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nfsd processes via flexible mandatory access control.
++
++The nfsd processes execute with the nfsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nfsd_t
++
++
++.SH "ENTRYPOINTS"
++
++The nfsd_t SELinux type can be entered via the "nfsd_exec_t" file type. The default entrypoint paths for the nfsd_t domain are the following:"
++
++/usr/sbin/rpc\.nfsd, /usr/sbin/rpc\.mountd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nfsd policy is very flexible allowing users to setup their nfsd processes in as secure a method as possible.
++.PP
++The following process types are defined for nfsd:
++
++.EX
++.B nfsd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. nfsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nfsd with the tightest access possible.
++
++
++.PP
++If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean.
++
++.EX
++.B setsebool -P ftpd_use_nfs 1
++.EE
++
++.PP
++If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean.
++
++.EX
++.B setsebool -P httpd_use_nfs 1
++.EE
++
++.PP
++If you want to allow any files/directories to be exported read/only via NFS, you must turn on the nfs_export_all_ro boolean.
++
++.EX
++.B setsebool -P nfs_export_all_ro 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean.
++
++.EX
++.B setsebool -P virt_use_nfs 1
++.EE
++
++.PP
++If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean.
++
++.EX
++.B setsebool -P sge_use_nfs 1
++.EE
++
++.PP
++If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean.
++
++.EX
++.B setsebool -P cobbler_use_nfs 1
++.EE
++
++.PP
++If you want to determine whether Git system daemon can access nfs file systems, you must turn on the git_system_use_nfs boolean.
++
++.EX
++.B setsebool -P git_system_use_nfs 1
++.EE
++
++.PP
++If you want to allow rsync servers to share nfs files systems, you must turn on the rsync_use_nfs boolean.
++
++.EX
++.B setsebool -P rsync_use_nfs 1
++.EE
++
++.PP
++If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean.
++
++.EX
++.B setsebool -P samba_share_nfs 1
++.EE
++
++.PP
++If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean.
++
++.EX
++.B setsebool -P xen_use_nfs 1
++.EE
++
++.PP
++If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean.
++
++.EX
++.B setsebool -P polipo_use_nfs 1
++.EE
++
++.PP
++If you want to allow any files/directories to be exported read/write via NFS, you must turn on the nfs_export_all_rw boolean.
++
++.EX
++.B setsebool -P nfs_export_all_rw 1
++.EE
++
++.PP
++If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean.
++
++.EX
++.B setsebool -P sanlock_use_nfs 1
++.EE
++
++.PP
++If you want to determine whether Git CGI can access nfs file systems, you must turn on the git_cgi_use_nfs boolean.
++
++.EX
++.B setsebool -P git_cgi_use_nfs 1
++.EE
++
++.PP
++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean.
++
++.EX
++.B setsebool -P use_nfs_home_dirs 1
++.EE
++
++.PP
++If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean.
++
++.EX
++.B setsebool -P ftpd_use_nfs 1
++.EE
++
++.PP
++If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean.
++
++.EX
++.B setsebool -P httpd_use_nfs 1
++.EE
++
++.PP
++If you want to allow any files/directories to be exported read/only via NFS, you must turn on the nfs_export_all_ro boolean.
++
++.EX
++.B setsebool -P nfs_export_all_ro 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean.
++
++.EX
++.B setsebool -P virt_use_nfs 1
++.EE
++
++.PP
++If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean.
++
++.EX
++.B setsebool -P sge_use_nfs 1
++.EE
++
++.PP
++If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean.
++
++.EX
++.B setsebool -P cobbler_use_nfs 1
++.EE
++
++.PP
++If you want to determine whether Git system daemon can access nfs file systems, you must turn on the git_system_use_nfs boolean.
++
++.EX
++.B setsebool -P git_system_use_nfs 1
++.EE
++
++.PP
++If you want to allow rsync servers to share nfs files systems, you must turn on the rsync_use_nfs boolean.
++
++.EX
++.B setsebool -P rsync_use_nfs 1
++.EE
++
++.PP
++If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean.
++
++.EX
++.B setsebool -P samba_share_nfs 1
++.EE
++
++.PP
++If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean.
++
++.EX
++.B setsebool -P xen_use_nfs 1
++.EE
++
++.PP
++If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean.
++
++.EX
++.B setsebool -P polipo_use_nfs 1
++.EE
++
++.PP
++If you want to allow any files/directories to be exported read/write via NFS, you must turn on the nfs_export_all_rw boolean.
++
++.EX
++.B setsebool -P nfs_export_all_rw 1
++.EE
++
++.PP
++If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean.
++
++.EX
++.B setsebool -P sanlock_use_nfs 1
++.EE
++
++.PP
++If you want to determine whether Git CGI can access nfs file systems, you must turn on the git_cgi_use_nfs boolean.
++
++.EX
++.B setsebool -P git_cgi_use_nfs 1
++.EE
++
++.PP
++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean.
++
++.EX
++.B setsebool -P use_nfs_home_dirs 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow nfsd servers to read the /var/nfsd directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/nfsd(/.*)?"
++.br
++.B restorecon -F -R -v /var/nfsd
++.pp
++.TP
++Allow nfsd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_nfsdd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/nfsd/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/nfsd/incoming
++
++
++.PP
++If you want to allow nfs servers to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the nfsd_anon_write boolean.
++
++.EX
++.B setsebool -P nfsd_anon_write 1
++.EE
++
++.PP
++If you want to allow nfs servers to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the nfsd_anon_write boolean.
++
++.EX
++.B setsebool -P nfsd_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nfsd policy is very flexible allowing users to setup their nfsd processes in as secure a method as possible.
++.PP
++The following file types are defined for nfsd:
++
++
++.EX
++.PP
++.B nfsd_exec_t
++.EE
++
++- Set files with the nfsd_exec_t type, if you want to transition an executable to the nfsd_t domain.
++
++
++.EX
++.PP
++.B nfsd_initrc_exec_t
++.EE
++
++- Set files with the nfsd_initrc_exec_t type, if you want to transition an executable to the nfsd_initrc_t domain.
++
++
++.EX
++.PP
++.B nfsd_ro_t
++.EE
++
++- Set files with the nfsd_ro_t type, if you want to treat the files as nfsd read/only content.
++
++
++.EX
++.PP
++.B nfsd_rw_t
++.EE
++
++- Set files with the nfsd_rw_t type, if you want to treat the files as nfsd read/write content.
++
++
++.EX
++.PP
++.B nfsd_unit_file_t
++.EE
++
++- Set files with the nfsd_unit_file_t type, if you want to treat the files as nfsd unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux nfsd policy is very flexible allowing users to setup their nfsd processes in as secure a method as possible.
++.PP
++The following port types are defined for nfsd:
++
++.EX
++.TP 5
++.B nfs_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 2049,20048-20049
++.EE
++udp 2049,20048-20049
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type nfsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mount_var_run_t
++
++ /run/mount(/.*)?
++.br
++ /dev/\.mount(/.*)?
++.br
++ /var/run/mount(/.*)?
++.br
++ /var/run/davfs2(/.*)?
++.br
++ /var/cache/davfs2(/.*)?
++.br
++
++.br
++.B nfsd_fs_t
++
++
++.br
++.B var_lib_nfs_t
++
++ /var/lib/nfs(/.*)?
++.br
++
++.br
++.B var_lib_t
++
++ /opt/(.*/)?var/lib(/.*)?
++.br
++ /var/lib(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nfsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nfsd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nfsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/nis_selinux.8 b/man/man8/nis_selinux.8
+deleted file mode 100644
+index 6271c95..0000000
+--- a/man/man8/nis_selinux.8
++++ /dev/null
+@@ -1 +0,0 @@
+-.so man8/ypbind_selinux.8
+diff --git a/man/man8/nmbd_selinux.8 b/man/man8/nmbd_selinux.8
+new file mode 100644
+index 0000000..d15f44d
+--- /dev/null
++++ b/man/man8/nmbd_selinux.8
+@@ -0,0 +1,170 @@
++.TH "nmbd_selinux" "8" "12-11-01" "nmbd" "SELinux Policy documentation for nmbd"
++.SH "NAME"
++nmbd_selinux \- Security Enhanced Linux Policy for the nmbd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nmbd processes via flexible mandatory access control.
++
++The nmbd processes execute with the nmbd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nmbd_t
++
++
++.SH "ENTRYPOINTS"
++
++The nmbd_t SELinux type can be entered via the "nmbd_exec_t" file type. The default entrypoint paths for the nmbd_t domain are the following:"
++
++/usr/sbin/nmbd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nmbd policy is very flexible allowing users to setup their nmbd processes in as secure a method as possible.
++.PP
++The following process types are defined for nmbd:
++
++.EX
++.B nmbd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nmbd policy is very flexible allowing users to setup their nmbd processes in as secure a method as possible.
++.PP
++The following file types are defined for nmbd:
++
++
++.EX
++.PP
++.B nmbd_exec_t
++.EE
++
++- Set files with the nmbd_exec_t type, if you want to transition an executable to the nmbd_t domain.
++
++
++.EX
++.PP
++.B nmbd_var_run_t
++.EE
++
++- Set files with the nmbd_var_run_t type, if you want to store the nmbd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux nmbd policy is very flexible allowing users to setup their nmbd processes in as secure a method as possible.
++.PP
++The following port types are defined for nmbd:
++
++.EX
++.TP 5
++.B nmbd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 137,138
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type nmbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nmbd_var_run_t
++
++ /var/run/nmbd(/.*)?
++.br
++ /var/run/samba/nmbd(/.*)?
++.br
++ /var/run/samba/nmbd\.pid
++.br
++ /var/run/samba/messages\.tdb
++.br
++ /var/run/samba/namelist\.debug
++.br
++ /var/run/samba/unexpected\.tdb
++.br
++
++.br
++.B samba_log_t
++
++ /var/log/samba(/.*)?
++.br
++
++.br
++.B samba_var_t
++
++ /var/lib/samba(/.*)?
++.br
++ /var/cache/samba(/.*)?
++.br
++ /var/spool/samba(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nmbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nmbd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nmbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/nova_ajax_selinux.8 b/man/man8/nova_ajax_selinux.8
+new file mode 100644
+index 0000000..f57b656
+--- /dev/null
++++ b/man/man8/nova_ajax_selinux.8
+@@ -0,0 +1,129 @@
++.TH "nova_ajax_selinux" "8" "12-11-01" "nova_ajax" "SELinux Policy documentation for nova_ajax"
++.SH "NAME"
++nova_ajax_selinux \- Security Enhanced Linux Policy for the nova_ajax processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nova_ajax processes via flexible mandatory access control.
++
++The nova_ajax processes execute with the nova_ajax_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nova_ajax_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_ajax_t SELinux type can be entered via the "nova_ajax_exec_t" file type. The default entrypoint paths for the nova_ajax_t domain are the following:"
++
++/usr/bin/nova-ajax-console-proxy
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nova_ajax policy is very flexible allowing users to setup their nova_ajax processes in as secure a method as possible.
++.PP
++The following process types are defined for nova_ajax:
++
++.EX
++.B nova_ajax_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nova_ajax policy is very flexible allowing users to setup their nova_ajax processes in as secure a method as possible.
++.PP
++The following file types are defined for nova_ajax:
++
++
++.EX
++.PP
++.B nova_ajax_exec_t
++.EE
++
++- Set files with the nova_ajax_exec_t type, if you want to transition an executable to the nova_ajax_t domain.
++
++
++.EX
++.PP
++.B nova_ajax_tmp_t
++.EE
++
++- Set files with the nova_ajax_tmp_t type, if you want to store nova ajax temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_ajax_unit_file_t
++.EE
++
++- Set files with the nova_ajax_unit_file_t type, if you want to treat the files as nova ajax unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nova_ajax_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nova_ajax_tmp_t
++
++
++.br
++.B nova_log_t
++
++ /var/log/nova(/.*)?
++.br
++
++.br
++.B nova_var_lib_t
++
++ /var/lib/nova(/.*)?
++.br
++
++.br
++.B nova_var_run_t
++
++ /var/run/nova(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nova_ajax(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nova_api_selinux.8 b/man/man8/nova_api_selinux.8
+new file mode 100644
+index 0000000..094a9ae
+--- /dev/null
++++ b/man/man8/nova_api_selinux.8
+@@ -0,0 +1,129 @@
++.TH "nova_api_selinux" "8" "12-11-01" "nova_api" "SELinux Policy documentation for nova_api"
++.SH "NAME"
++nova_api_selinux \- Security Enhanced Linux Policy for the nova_api processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nova_api processes via flexible mandatory access control.
++
++The nova_api processes execute with the nova_api_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nova_api_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_api_t SELinux type can be entered via the "nova_api_exec_t" file type. The default entrypoint paths for the nova_api_t domain are the following:"
++
++/usr/bin/nova-api, /usr//bin/nova-api-metadata
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nova_api policy is very flexible allowing users to setup their nova_api processes in as secure a method as possible.
++.PP
++The following process types are defined for nova_api:
++
++.EX
++.B nova_api_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nova_api policy is very flexible allowing users to setup their nova_api processes in as secure a method as possible.
++.PP
++The following file types are defined for nova_api:
++
++
++.EX
++.PP
++.B nova_api_exec_t
++.EE
++
++- Set files with the nova_api_exec_t type, if you want to transition an executable to the nova_api_t domain.
++
++
++.EX
++.PP
++.B nova_api_tmp_t
++.EE
++
++- Set files with the nova_api_tmp_t type, if you want to store nova api temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_api_unit_file_t
++.EE
++
++- Set files with the nova_api_unit_file_t type, if you want to treat the files as nova api unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nova_api_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nova_api_tmp_t
++
++
++.br
++.B nova_log_t
++
++ /var/log/nova(/.*)?
++.br
++
++.br
++.B nova_var_lib_t
++
++ /var/lib/nova(/.*)?
++.br
++
++.br
++.B nova_var_run_t
++
++ /var/run/nova(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nova_api(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nova_ajax_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nova_cert_selinux.8 b/man/man8/nova_cert_selinux.8
+new file mode 100644
+index 0000000..252fa7f
+--- /dev/null
++++ b/man/man8/nova_cert_selinux.8
+@@ -0,0 +1,143 @@
++.TH "nova_cert_selinux" "8" "12-11-01" "nova_cert" "SELinux Policy documentation for nova_cert"
++.SH "NAME"
++nova_cert_selinux \- Security Enhanced Linux Policy for the nova_cert processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nova_cert processes via flexible mandatory access control.
++
++The nova_cert processes execute with the nova_cert_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nova_cert_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_cert_t SELinux type can be entered via the "nova_cert_exec_t" file type. The default entrypoint paths for the nova_cert_t domain are the following:"
++
++/usr/bin/nova-cert
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nova_cert policy is very flexible allowing users to setup their nova_cert processes in as secure a method as possible.
++.PP
++The following process types are defined for nova_cert:
++
++.EX
++.B nova_cert_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nova_cert policy is very flexible allowing users to setup their nova_cert processes in as secure a method as possible.
++.PP
++The following file types are defined for nova_cert:
++
++
++.EX
++.PP
++.B nova_cert_exec_t
++.EE
++
++- Set files with the nova_cert_exec_t type, if you want to transition an executable to the nova_cert_t domain.
++
++
++.EX
++.PP
++.B nova_cert_tmp_t
++.EE
++
++- Set files with the nova_cert_tmp_t type, if you want to store nova cert temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_cert_unit_file_t
++.EE
++
++- Set files with the nova_cert_unit_file_t type, if you want to treat the files as nova cert unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nova_cert_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nova_cert_tmp_t
++
++
++.br
++.B nova_log_t
++
++ /var/log/nova(/.*)?
++.br
++
++.br
++.B nova_var_lib_t
++
++ /var/lib/nova(/.*)?
++.br
++
++.br
++.B nova_var_run_t
++
++ /var/run/nova(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nova_cert_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nova_cert_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nova_cert(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nova_compute_selinux.8 b/man/man8/nova_compute_selinux.8
+new file mode 100644
+index 0000000..cd73723
+--- /dev/null
++++ b/man/man8/nova_compute_selinux.8
+@@ -0,0 +1,129 @@
++.TH "nova_compute_selinux" "8" "12-11-01" "nova_compute" "SELinux Policy documentation for nova_compute"
++.SH "NAME"
++nova_compute_selinux \- Security Enhanced Linux Policy for the nova_compute processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nova_compute processes via flexible mandatory access control.
++
++The nova_compute processes execute with the nova_compute_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nova_compute_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_compute_t SELinux type can be entered via the "nova_compute_exec_t" file type. The default entrypoint paths for the nova_compute_t domain are the following:"
++
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nova_compute policy is very flexible allowing users to setup their nova_compute processes in as secure a method as possible.
++.PP
++The following process types are defined for nova_compute:
++
++.EX
++.B nova_compute_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nova_compute policy is very flexible allowing users to setup their nova_compute processes in as secure a method as possible.
++.PP
++The following file types are defined for nova_compute:
++
++
++.EX
++.PP
++.B nova_compute_exec_t
++.EE
++
++- Set files with the nova_compute_exec_t type, if you want to transition an executable to the nova_compute_t domain.
++
++
++.EX
++.PP
++.B nova_compute_tmp_t
++.EE
++
++- Set files with the nova_compute_tmp_t type, if you want to store nova compute temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_compute_unit_file_t
++.EE
++
++- Set files with the nova_compute_unit_file_t type, if you want to treat the files as nova compute unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nova_compute_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nova_compute_tmp_t
++
++
++.br
++.B nova_log_t
++
++ /var/log/nova(/.*)?
++.br
++
++.br
++.B nova_var_lib_t
++
++ /var/lib/nova(/.*)?
++.br
++
++.br
++.B nova_var_run_t
++
++ /var/run/nova(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nova_compute(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nova_console_selinux.8 b/man/man8/nova_console_selinux.8
+new file mode 100644
+index 0000000..3ac720b
+--- /dev/null
++++ b/man/man8/nova_console_selinux.8
+@@ -0,0 +1,143 @@
++.TH "nova_console_selinux" "8" "12-11-01" "nova_console" "SELinux Policy documentation for nova_console"
++.SH "NAME"
++nova_console_selinux \- Security Enhanced Linux Policy for the nova_console processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nova_console processes via flexible mandatory access control.
++
++The nova_console processes execute with the nova_console_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nova_console_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_console_t SELinux type can be entered via the "nova_console_exec_t" file type. The default entrypoint paths for the nova_console_t domain are the following:"
++
++/usr/bin/nova-console.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nova_console policy is very flexible allowing users to setup their nova_console processes in as secure a method as possible.
++.PP
++The following process types are defined for nova_console:
++
++.EX
++.B nova_console_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nova_console policy is very flexible allowing users to setup their nova_console processes in as secure a method as possible.
++.PP
++The following file types are defined for nova_console:
++
++
++.EX
++.PP
++.B nova_console_exec_t
++.EE
++
++- Set files with the nova_console_exec_t type, if you want to transition an executable to the nova_console_t domain.
++
++
++.EX
++.PP
++.B nova_console_tmp_t
++.EE
++
++- Set files with the nova_console_tmp_t type, if you want to store nova console temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_console_unit_file_t
++.EE
++
++- Set files with the nova_console_unit_file_t type, if you want to treat the files as nova console unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nova_console_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nova_console_tmp_t
++
++
++.br
++.B nova_log_t
++
++ /var/log/nova(/.*)?
++.br
++
++.br
++.B nova_var_lib_t
++
++ /var/lib/nova(/.*)?
++.br
++
++.br
++.B nova_var_run_t
++
++ /var/run/nova(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nova_console_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nova_console_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nova_console(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nova_direct_selinux.8 b/man/man8/nova_direct_selinux.8
+new file mode 100644
+index 0000000..7739204
+--- /dev/null
++++ b/man/man8/nova_direct_selinux.8
+@@ -0,0 +1,129 @@
++.TH "nova_direct_selinux" "8" "12-11-01" "nova_direct" "SELinux Policy documentation for nova_direct"
++.SH "NAME"
++nova_direct_selinux \- Security Enhanced Linux Policy for the nova_direct processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nova_direct processes via flexible mandatory access control.
++
++The nova_direct processes execute with the nova_direct_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nova_direct_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_direct_t SELinux type can be entered via the "nova_direct_exec_t" file type. The default entrypoint paths for the nova_direct_t domain are the following:"
++
++/usr/bin/nova-direct-api
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nova_direct policy is very flexible allowing users to setup their nova_direct processes in as secure a method as possible.
++.PP
++The following process types are defined for nova_direct:
++
++.EX
++.B nova_direct_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nova_direct policy is very flexible allowing users to setup their nova_direct processes in as secure a method as possible.
++.PP
++The following file types are defined for nova_direct:
++
++
++.EX
++.PP
++.B nova_direct_exec_t
++.EE
++
++- Set files with the nova_direct_exec_t type, if you want to transition an executable to the nova_direct_t domain.
++
++
++.EX
++.PP
++.B nova_direct_tmp_t
++.EE
++
++- Set files with the nova_direct_tmp_t type, if you want to store nova direct temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_direct_unit_file_t
++.EE
++
++- Set files with the nova_direct_unit_file_t type, if you want to treat the files as nova direct unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nova_direct_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nova_direct_tmp_t
++
++
++.br
++.B nova_log_t
++
++ /var/log/nova(/.*)?
++.br
++
++.br
++.B nova_var_lib_t
++
++ /var/lib/nova(/.*)?
++.br
++
++.br
++.B nova_var_run_t
++
++ /var/run/nova(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nova_direct(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nova_network_selinux.8 b/man/man8/nova_network_selinux.8
+new file mode 100644
+index 0000000..953274d
+--- /dev/null
++++ b/man/man8/nova_network_selinux.8
+@@ -0,0 +1,129 @@
++.TH "nova_network_selinux" "8" "12-11-01" "nova_network" "SELinux Policy documentation for nova_network"
++.SH "NAME"
++nova_network_selinux \- Security Enhanced Linux Policy for the nova_network processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nova_network processes via flexible mandatory access control.
++
++The nova_network processes execute with the nova_network_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nova_network_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_network_t SELinux type can be entered via the "nova_network_exec_t" file type. The default entrypoint paths for the nova_network_t domain are the following:"
++
++/usr/bin/nova-network
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nova_network policy is very flexible allowing users to setup their nova_network processes in as secure a method as possible.
++.PP
++The following process types are defined for nova_network:
++
++.EX
++.B nova_network_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nova_network policy is very flexible allowing users to setup their nova_network processes in as secure a method as possible.
++.PP
++The following file types are defined for nova_network:
++
++
++.EX
++.PP
++.B nova_network_exec_t
++.EE
++
++- Set files with the nova_network_exec_t type, if you want to transition an executable to the nova_network_t domain.
++
++
++.EX
++.PP
++.B nova_network_tmp_t
++.EE
++
++- Set files with the nova_network_tmp_t type, if you want to store nova network temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_network_unit_file_t
++.EE
++
++- Set files with the nova_network_unit_file_t type, if you want to treat the files as nova network unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nova_network_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nova_log_t
++
++ /var/log/nova(/.*)?
++.br
++
++.br
++.B nova_network_tmp_t
++
++
++.br
++.B nova_var_lib_t
++
++ /var/lib/nova(/.*)?
++.br
++
++.br
++.B nova_var_run_t
++
++ /var/run/nova(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nova_network(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nova_objectstore_selinux.8 b/man/man8/nova_objectstore_selinux.8
+new file mode 100644
+index 0000000..449bba7
+--- /dev/null
++++ b/man/man8/nova_objectstore_selinux.8
+@@ -0,0 +1,129 @@
++.TH "nova_objectstore_selinux" "8" "12-11-01" "nova_objectstore" "SELinux Policy documentation for nova_objectstore"
++.SH "NAME"
++nova_objectstore_selinux \- Security Enhanced Linux Policy for the nova_objectstore processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nova_objectstore processes via flexible mandatory access control.
++
++The nova_objectstore processes execute with the nova_objectstore_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nova_objectstore_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_objectstore_t SELinux type can be entered via the "nova_objectstore_exec_t" file type. The default entrypoint paths for the nova_objectstore_t domain are the following:"
++
++/usr/bin/nova-objectstore
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nova_objectstore policy is very flexible allowing users to setup their nova_objectstore processes in as secure a method as possible.
++.PP
++The following process types are defined for nova_objectstore:
++
++.EX
++.B nova_objectstore_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nova_objectstore policy is very flexible allowing users to setup their nova_objectstore processes in as secure a method as possible.
++.PP
++The following file types are defined for nova_objectstore:
++
++
++.EX
++.PP
++.B nova_objectstore_exec_t
++.EE
++
++- Set files with the nova_objectstore_exec_t type, if you want to transition an executable to the nova_objectstore_t domain.
++
++
++.EX
++.PP
++.B nova_objectstore_tmp_t
++.EE
++
++- Set files with the nova_objectstore_tmp_t type, if you want to store nova objectstore temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_objectstore_unit_file_t
++.EE
++
++- Set files with the nova_objectstore_unit_file_t type, if you want to treat the files as nova objectstore unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nova_objectstore_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nova_log_t
++
++ /var/log/nova(/.*)?
++.br
++
++.br
++.B nova_objectstore_tmp_t
++
++
++.br
++.B nova_var_lib_t
++
++ /var/lib/nova(/.*)?
++.br
++
++.br
++.B nova_var_run_t
++
++ /var/run/nova(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nova_objectstore(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nova_scheduler_selinux.8 b/man/man8/nova_scheduler_selinux.8
+new file mode 100644
+index 0000000..ef40436
+--- /dev/null
++++ b/man/man8/nova_scheduler_selinux.8
+@@ -0,0 +1,129 @@
++.TH "nova_scheduler_selinux" "8" "12-11-01" "nova_scheduler" "SELinux Policy documentation for nova_scheduler"
++.SH "NAME"
++nova_scheduler_selinux \- Security Enhanced Linux Policy for the nova_scheduler processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nova_scheduler processes via flexible mandatory access control.
++
++The nova_scheduler processes execute with the nova_scheduler_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nova_scheduler_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_scheduler_t SELinux type can be entered via the "nova_scheduler_exec_t" file type. The default entrypoint paths for the nova_scheduler_t domain are the following:"
++
++/usr/bin/nova-scheduler
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nova_scheduler policy is very flexible allowing users to setup their nova_scheduler processes in as secure a method as possible.
++.PP
++The following process types are defined for nova_scheduler:
++
++.EX
++.B nova_scheduler_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nova_scheduler policy is very flexible allowing users to setup their nova_scheduler processes in as secure a method as possible.
++.PP
++The following file types are defined for nova_scheduler:
++
++
++.EX
++.PP
++.B nova_scheduler_exec_t
++.EE
++
++- Set files with the nova_scheduler_exec_t type, if you want to transition an executable to the nova_scheduler_t domain.
++
++
++.EX
++.PP
++.B nova_scheduler_tmp_t
++.EE
++
++- Set files with the nova_scheduler_tmp_t type, if you want to store nova scheduler temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_scheduler_unit_file_t
++.EE
++
++- Set files with the nova_scheduler_unit_file_t type, if you want to treat the files as nova scheduler unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nova_scheduler_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nova_log_t
++
++ /var/log/nova(/.*)?
++.br
++
++.br
++.B nova_scheduler_tmp_t
++
++
++.br
++.B nova_var_lib_t
++
++ /var/lib/nova(/.*)?
++.br
++
++.br
++.B nova_var_run_t
++
++ /var/run/nova(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nova_scheduler(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nova_vncproxy_selinux.8 b/man/man8/nova_vncproxy_selinux.8
+new file mode 100644
+index 0000000..452fe26
+--- /dev/null
++++ b/man/man8/nova_vncproxy_selinux.8
+@@ -0,0 +1,129 @@
++.TH "nova_vncproxy_selinux" "8" "12-11-01" "nova_vncproxy" "SELinux Policy documentation for nova_vncproxy"
++.SH "NAME"
++nova_vncproxy_selinux \- Security Enhanced Linux Policy for the nova_vncproxy processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nova_vncproxy processes via flexible mandatory access control.
++
++The nova_vncproxy processes execute with the nova_vncproxy_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nova_vncproxy_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_vncproxy_t SELinux type can be entered via the "nova_vncproxy_exec_t" file type. The default entrypoint paths for the nova_vncproxy_t domain are the following:"
++
++/usr/bin/nova-vncproxy, /usr/bin/nova-xvpvncproxy
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nova_vncproxy policy is very flexible allowing users to setup their nova_vncproxy processes in as secure a method as possible.
++.PP
++The following process types are defined for nova_vncproxy:
++
++.EX
++.B nova_vncproxy_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nova_vncproxy policy is very flexible allowing users to setup their nova_vncproxy processes in as secure a method as possible.
++.PP
++The following file types are defined for nova_vncproxy:
++
++
++.EX
++.PP
++.B nova_vncproxy_exec_t
++.EE
++
++- Set files with the nova_vncproxy_exec_t type, if you want to transition an executable to the nova_vncproxy_t domain.
++
++
++.EX
++.PP
++.B nova_vncproxy_tmp_t
++.EE
++
++- Set files with the nova_vncproxy_tmp_t type, if you want to store nova vncproxy temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_vncproxy_unit_file_t
++.EE
++
++- Set files with the nova_vncproxy_unit_file_t type, if you want to treat the files as nova vncproxy unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nova_vncproxy_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nova_log_t
++
++ /var/log/nova(/.*)?
++.br
++
++.br
++.B nova_var_lib_t
++
++ /var/lib/nova(/.*)?
++.br
++
++.br
++.B nova_var_run_t
++
++ /var/run/nova(/.*)?
++.br
++
++.br
++.B nova_vncproxy_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nova_vncproxy(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nova_volume_selinux.8 b/man/man8/nova_volume_selinux.8
+new file mode 100644
+index 0000000..b39d068
+--- /dev/null
++++ b/man/man8/nova_volume_selinux.8
+@@ -0,0 +1,129 @@
++.TH "nova_volume_selinux" "8" "12-11-01" "nova_volume" "SELinux Policy documentation for nova_volume"
++.SH "NAME"
++nova_volume_selinux \- Security Enhanced Linux Policy for the nova_volume processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nova_volume processes via flexible mandatory access control.
++
++The nova_volume processes execute with the nova_volume_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nova_volume_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_volume_t SELinux type can be entered via the "nova_volume_exec_t" file type. The default entrypoint paths for the nova_volume_t domain are the following:"
++
++/usr/bin/nova-volume
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nova_volume policy is very flexible allowing users to setup their nova_volume processes in as secure a method as possible.
++.PP
++The following process types are defined for nova_volume:
++
++.EX
++.B nova_volume_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nova_volume policy is very flexible allowing users to setup their nova_volume processes in as secure a method as possible.
++.PP
++The following file types are defined for nova_volume:
++
++
++.EX
++.PP
++.B nova_volume_exec_t
++.EE
++
++- Set files with the nova_volume_exec_t type, if you want to transition an executable to the nova_volume_t domain.
++
++
++.EX
++.PP
++.B nova_volume_tmp_t
++.EE
++
++- Set files with the nova_volume_tmp_t type, if you want to store nova volume temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_volume_unit_file_t
++.EE
++
++- Set files with the nova_volume_unit_file_t type, if you want to treat the files as nova volume unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nova_volume_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nova_log_t
++
++ /var/log/nova(/.*)?
++.br
++
++.br
++.B nova_var_lib_t
++
++ /var/lib/nova(/.*)?
++.br
++
++.br
++.B nova_var_run_t
++
++ /var/run/nova(/.*)?
++.br
++
++.br
++.B nova_volume_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nova_volume(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nrpe_selinux.8 b/man/man8/nrpe_selinux.8
+new file mode 100644
+index 0000000..f91aa56
+--- /dev/null
++++ b/man/man8/nrpe_selinux.8
+@@ -0,0 +1,124 @@
++.TH "nrpe_selinux" "8" "12-11-01" "nrpe" "SELinux Policy documentation for nrpe"
++.SH "NAME"
++nrpe_selinux \- Security Enhanced Linux Policy for the nrpe processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nrpe processes via flexible mandatory access control.
++
++The nrpe processes execute with the nrpe_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nrpe_t
++
++
++.SH "ENTRYPOINTS"
++
++The nrpe_t SELinux type can be entered via the "nrpe_exec_t" file type. The default entrypoint paths for the nrpe_t domain are the following:"
++
++/usr/s?bin/nrpe
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nrpe policy is very flexible allowing users to setup their nrpe processes in as secure a method as possible.
++.PP
++The following process types are defined for nrpe:
++
++.EX
++.B nrpe_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nrpe policy is very flexible allowing users to setup their nrpe processes in as secure a method as possible.
++.PP
++The following file types are defined for nrpe:
++
++
++.EX
++.PP
++.B nrpe_etc_t
++.EE
++
++- Set files with the nrpe_etc_t type, if you want to store nrpe files in the /etc directories.
++
++
++.EX
++.PP
++.B nrpe_exec_t
++.EE
++
++- Set files with the nrpe_exec_t type, if you want to transition an executable to the nrpe_t domain.
++
++
++.EX
++.PP
++.B nrpe_var_run_t
++.EE
++
++- Set files with the nrpe_var_run_t type, if you want to store the nrpe files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nrpe_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nrpe_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nrpe_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nrpe_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nrpe(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/nscd_selinux.8 b/man/man8/nscd_selinux.8
+new file mode 100644
+index 0000000..2d79417
+--- /dev/null
++++ b/man/man8/nscd_selinux.8
+@@ -0,0 +1,184 @@
++.TH "nscd_selinux" "8" "12-11-01" "nscd" "SELinux Policy documentation for nscd"
++.SH "NAME"
++nscd_selinux \- Security Enhanced Linux Policy for the nscd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nscd processes via flexible mandatory access control.
++
++The nscd processes execute with the nscd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nscd_t
++
++
++.SH "ENTRYPOINTS"
++
++The nscd_t SELinux type can be entered via the "nscd_exec_t" file type. The default entrypoint paths for the nscd_t domain are the following:"
++
++/usr/sbin/nscd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nscd policy is very flexible allowing users to setup their nscd processes in as secure a method as possible.
++.PP
++The following process types are defined for nscd:
++
++.EX
++.B nscd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. nscd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nscd with the tightest access possible.
++
++
++.PP
++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean.
++
++.EX
++.B setsebool -P nscd_use_shm 1
++.EE
++
++.PP
++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean.
++
++.EX
++.B setsebool -P nscd_use_shm 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nscd policy is very flexible allowing users to setup their nscd processes in as secure a method as possible.
++.PP
++The following file types are defined for nscd:
++
++
++.EX
++.PP
++.B nscd_exec_t
++.EE
++
++- Set files with the nscd_exec_t type, if you want to transition an executable to the nscd_t domain.
++
++
++.EX
++.PP
++.B nscd_initrc_exec_t
++.EE
++
++- Set files with the nscd_initrc_exec_t type, if you want to transition an executable to the nscd_initrc_t domain.
++
++
++.EX
++.PP
++.B nscd_log_t
++.EE
++
++- Set files with the nscd_log_t type, if you want to treat the data as nscd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B nscd_unit_file_t
++.EE
++
++- Set files with the nscd_unit_file_t type, if you want to treat the files as nscd unit content.
++
++
++.EX
++.PP
++.B nscd_var_run_t
++.EE
++
++- Set files with the nscd_var_run_t type, if you want to store the nscd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nscd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nscd_log_t
++
++ /var/log/nscd\.log.*
++.br
++
++.br
++.B nscd_var_run_t
++
++ /var/db/nscd(/.*)?
++.br
++ /var/run/nscd(/.*)?
++.br
++ /var/cache/nscd(/.*)?
++.br
++ /var/run/nscd\.pid
++.br
++ /var/run/\.nscd_socket
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nscd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nscd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nscd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/nslcd_selinux.8 b/man/man8/nslcd_selinux.8
+new file mode 100644
+index 0000000..a01b48c
+--- /dev/null
++++ b/man/man8/nslcd_selinux.8
+@@ -0,0 +1,134 @@
++.TH "nslcd_selinux" "8" "12-11-01" "nslcd" "SELinux Policy documentation for nslcd"
++.SH "NAME"
++nslcd_selinux \- Security Enhanced Linux Policy for the nslcd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nslcd processes via flexible mandatory access control.
++
++The nslcd processes execute with the nslcd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nslcd_t
++
++
++.SH "ENTRYPOINTS"
++
++The nslcd_t SELinux type can be entered via the "nslcd_exec_t" file type. The default entrypoint paths for the nslcd_t domain are the following:"
++
++/usr/sbin/nslcd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nslcd policy is very flexible allowing users to setup their nslcd processes in as secure a method as possible.
++.PP
++The following process types are defined for nslcd:
++
++.EX
++.B nslcd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nslcd policy is very flexible allowing users to setup their nslcd processes in as secure a method as possible.
++.PP
++The following file types are defined for nslcd:
++
++
++.EX
++.PP
++.B nslcd_conf_t
++.EE
++
++- Set files with the nslcd_conf_t type, if you want to treat the files as nslcd configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B nslcd_exec_t
++.EE
++
++- Set files with the nslcd_exec_t type, if you want to transition an executable to the nslcd_t domain.
++
++
++.EX
++.PP
++.B nslcd_initrc_exec_t
++.EE
++
++- Set files with the nslcd_initrc_exec_t type, if you want to transition an executable to the nslcd_initrc_t domain.
++
++
++.EX
++.PP
++.B nslcd_var_run_t
++.EE
++
++- Set files with the nslcd_var_run_t type, if you want to store the nslcd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nslcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nslcd_var_run_t
++
++ /var/run/nslcd(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nslcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nslcd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nslcd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ntop_selinux.8 b/man/man8/ntop_selinux.8
+new file mode 100644
+index 0000000..ea60031
+--- /dev/null
++++ b/man/man8/ntop_selinux.8
+@@ -0,0 +1,188 @@
++.TH "ntop_selinux" "8" "12-11-01" "ntop" "SELinux Policy documentation for ntop"
++.SH "NAME"
++ntop_selinux \- Security Enhanced Linux Policy for the ntop processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ntop processes via flexible mandatory access control.
++
++The ntop processes execute with the ntop_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ntop_t
++
++
++.SH "ENTRYPOINTS"
++
++The ntop_t SELinux type can be entered via the "ntop_exec_t" file type. The default entrypoint paths for the ntop_t domain are the following:"
++
++/usr/bin/ntop
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ntop policy is very flexible allowing users to setup their ntop processes in as secure a method as possible.
++.PP
++The following process types are defined for ntop:
++
++.EX
++.B ntop_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ntop policy is very flexible allowing users to setup their ntop processes in as secure a method as possible.
++.PP
++The following file types are defined for ntop:
++
++
++.EX
++.PP
++.B ntop_etc_t
++.EE
++
++- Set files with the ntop_etc_t type, if you want to store ntop files in the /etc directories.
++
++
++.EX
++.PP
++.B ntop_exec_t
++.EE
++
++- Set files with the ntop_exec_t type, if you want to transition an executable to the ntop_t domain.
++
++
++.EX
++.PP
++.B ntop_initrc_exec_t
++.EE
++
++- Set files with the ntop_initrc_exec_t type, if you want to transition an executable to the ntop_initrc_t domain.
++
++
++.EX
++.PP
++.B ntop_tmp_t
++.EE
++
++- Set files with the ntop_tmp_t type, if you want to store ntop temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ntop_var_lib_t
++.EE
++
++- Set files with the ntop_var_lib_t type, if you want to store the ntop files under the /var/lib directory.
++
++
++.EX
++.PP
++.B ntop_var_run_t
++.EE
++
++- Set files with the ntop_var_run_t type, if you want to store the ntop files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux ntop policy is very flexible allowing users to setup their ntop processes in as secure a method as possible.
++.PP
++The following port types are defined for ntop:
++
++.EX
++.TP 5
++.B ntop_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 3000-3001
++.EE
++udp 3000-3001
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type ntop_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ntop_tmp_t
++
++
++.br
++.B ntop_var_lib_t
++
++ /var/lib/ntop(/.*)?
++.br
++
++.br
++.B ntop_var_run_t
++
++ /var/run/ntop\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ntop_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ntop_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ntop(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ntpd_selinux.8 b/man/man8/ntpd_selinux.8
+new file mode 100644
+index 0000000..d93b729
+--- /dev/null
++++ b/man/man8/ntpd_selinux.8
+@@ -0,0 +1,240 @@
++.TH "ntpd_selinux" "8" "12-11-01" "ntpd" "SELinux Policy documentation for ntpd"
++.SH "NAME"
++ntpd_selinux \- Security Enhanced Linux Policy for the ntpd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ntpd processes via flexible mandatory access control.
++
++The ntpd processes execute with the ntpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ntpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The ntpd_t SELinux type can be entered via the "ntpd_exec_t,ntpdate_exec_t" file types. The default entrypoint paths for the ntpd_t domain are the following:"
++
++/etc/cron\.(daily|weekly)/ntp-simple, /etc/cron\.(daily|weekly)/ntp-server, /usr/sbin/ntpd, /usr/sbin/ntpdate
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ntpd policy is very flexible allowing users to setup their ntpd processes in as secure a method as possible.
++.PP
++The following process types are defined for ntpd:
++
++.EX
++.B ntpd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ntpd policy is very flexible allowing users to setup their ntpd processes in as secure a method as possible.
++.PP
++The following file types are defined for ntpd:
++
++
++.EX
++.PP
++.B ntpd_exec_t
++.EE
++
++- Set files with the ntpd_exec_t type, if you want to transition an executable to the ntpd_t domain.
++
++
++.EX
++.PP
++.B ntpd_initrc_exec_t
++.EE
++
++- Set files with the ntpd_initrc_exec_t type, if you want to transition an executable to the ntpd_initrc_t domain.
++
++
++.EX
++.PP
++.B ntpd_key_t
++.EE
++
++- Set files with the ntpd_key_t type, if you want to treat the files as ntpd key data.
++
++
++.EX
++.PP
++.B ntpd_log_t
++.EE
++
++- Set files with the ntpd_log_t type, if you want to treat the data as ntpd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ntpd_tmp_t
++.EE
++
++- Set files with the ntpd_tmp_t type, if you want to store ntpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ntpd_tmpfs_t
++.EE
++
++- Set files with the ntpd_tmpfs_t type, if you want to store ntpd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B ntpd_unit_file_t
++.EE
++
++- Set files with the ntpd_unit_file_t type, if you want to treat the files as ntpd unit content.
++
++
++.EX
++.PP
++.B ntpd_var_run_t
++.EE
++
++- Set files with the ntpd_var_run_t type, if you want to store the ntpd files under the /run directory.
++
++
++.EX
++.PP
++.B ntpdate_exec_t
++.EE
++
++- Set files with the ntpdate_exec_t type, if you want to transition an executable to the ntpdate_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux ntpd policy is very flexible allowing users to setup their ntpd processes in as secure a method as possible.
++.PP
++The following port types are defined for ntpd:
++
++.EX
++.TP 5
++.B ntp_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 123
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type ntpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B gpsd_tmpfs_t
++
++
++.br
++.B ntp_drift_t
++
++ /var/lib/ntp(/.*)?
++.br
++ /etc/ntp/data(/.*)?
++.br
++
++.br
++.B ntpd_log_t
++
++ /var/log/ntp.*
++.br
++ /var/log/xntpd.*
++.br
++ /var/log/ntpstats(/.*)?
++.br
++
++.br
++.B ntpd_tmp_t
++
++
++.br
++.B ntpd_tmpfs_t
++
++
++.br
++.B ntpd_var_run_t
++
++ /var/run/ntpd\.pid
++.br
++
++.br
++.B tmpfs_t
++
++ /dev/shm
++.br
++ /lib/udev/devices/shm
++.br
++ /usr/lib/udev/devices/shm
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ntpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ntpd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ntpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/numad_selinux.8 b/man/man8/numad_selinux.8
+new file mode 100644
+index 0000000..4602514
+--- /dev/null
++++ b/man/man8/numad_selinux.8
+@@ -0,0 +1,126 @@
++.TH "numad_selinux" "8" "12-11-01" "numad" "SELinux Policy documentation for numad"
++.SH "NAME"
++numad_selinux \- Security Enhanced Linux Policy for the numad processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the numad processes via flexible mandatory access control.
++
++The numad processes execute with the numad_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep numad_t
++
++
++.SH "ENTRYPOINTS"
++
++The numad_t SELinux type can be entered via the "numad_exec_t" file type. The default entrypoint paths for the numad_t domain are the following:"
++
++/usr/bin/numad
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux numad policy is very flexible allowing users to setup their numad processes in as secure a method as possible.
++.PP
++The following process types are defined for numad:
++
++.EX
++.B numad_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux numad policy is very flexible allowing users to setup their numad processes in as secure a method as possible.
++.PP
++The following file types are defined for numad:
++
++
++.EX
++.PP
++.B numad_exec_t
++.EE
++
++- Set files with the numad_exec_t type, if you want to transition an executable to the numad_t domain.
++
++
++.EX
++.PP
++.B numad_unit_file_t
++.EE
++
++- Set files with the numad_unit_file_t type, if you want to treat the files as numad unit content.
++
++
++.EX
++.PP
++.B numad_var_log_t
++.EE
++
++- Set files with the numad_var_log_t type, if you want to treat the data as numad var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B numad_var_run_t
++.EE
++
++- Set files with the numad_var_run_t type, if you want to store the numad files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type numad_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B numad_var_log_t
++
++ /var/log/numad\.log.*
++.br
++
++.br
++.B numad_var_run_t
++
++ /var/run/numad\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), numad(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/nut_upsd_selinux.8 b/man/man8/nut_upsd_selinux.8
+new file mode 100644
+index 0000000..f9abfb2
+--- /dev/null
++++ b/man/man8/nut_upsd_selinux.8
+@@ -0,0 +1,119 @@
++.TH "nut_upsd_selinux" "8" "12-11-01" "nut_upsd" "SELinux Policy documentation for nut_upsd"
++.SH "NAME"
++nut_upsd_selinux \- Security Enhanced Linux Policy for the nut_upsd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nut_upsd processes via flexible mandatory access control.
++
++The nut_upsd processes execute with the nut_upsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nut_upsd_t
++
++
++.SH "ENTRYPOINTS"
++
++The nut_upsd_t SELinux type can be entered via the "nut_upsd_exec_t" file type. The default entrypoint paths for the nut_upsd_t domain are the following:"
++
++/usr/sbin/upsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nut_upsd policy is very flexible allowing users to setup their nut_upsd processes in as secure a method as possible.
++.PP
++The following process types are defined for nut_upsd:
++
++.EX
++.B nut_upsd_t, nut_upsmon_t, nut_upsdrvctl_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nut_upsd policy is very flexible allowing users to setup their nut_upsd processes in as secure a method as possible.
++.PP
++The following file types are defined for nut_upsd:
++
++
++.EX
++.PP
++.B nut_upsd_exec_t
++.EE
++
++- Set files with the nut_upsd_exec_t type, if you want to transition an executable to the nut_upsd_t domain.
++
++
++.EX
++.PP
++.B nut_upsdrvctl_exec_t
++.EE
++
++- Set files with the nut_upsdrvctl_exec_t type, if you want to transition an executable to the nut_upsdrvctl_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nut_upsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nut_var_run_t
++
++ /var/run/nut(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nut_upsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nut_upsdrvctl_selinux(8), nut_upsmon_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nut_upsdrvctl_selinux.8 b/man/man8/nut_upsdrvctl_selinux.8
+new file mode 100644
+index 0000000..fbe671e
+--- /dev/null
++++ b/man/man8/nut_upsdrvctl_selinux.8
+@@ -0,0 +1,111 @@
++.TH "nut_upsdrvctl_selinux" "8" "12-11-01" "nut_upsdrvctl" "SELinux Policy documentation for nut_upsdrvctl"
++.SH "NAME"
++nut_upsdrvctl_selinux \- Security Enhanced Linux Policy for the nut_upsdrvctl processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nut_upsdrvctl processes via flexible mandatory access control.
++
++The nut_upsdrvctl processes execute with the nut_upsdrvctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nut_upsdrvctl_t
++
++
++.SH "ENTRYPOINTS"
++
++The nut_upsdrvctl_t SELinux type can be entered via the "nut_upsdrvctl_exec_t" file type. The default entrypoint paths for the nut_upsdrvctl_t domain are the following:"
++
++/sbin/upsdrvctl, /usr/sbin/upsdrvctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nut_upsdrvctl policy is very flexible allowing users to setup their nut_upsdrvctl processes in as secure a method as possible.
++.PP
++The following process types are defined for nut_upsdrvctl:
++
++.EX
++.B nut_upsdrvctl_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nut_upsdrvctl policy is very flexible allowing users to setup their nut_upsdrvctl processes in as secure a method as possible.
++.PP
++The following file types are defined for nut_upsdrvctl:
++
++
++.EX
++.PP
++.B nut_upsdrvctl_exec_t
++.EE
++
++- Set files with the nut_upsdrvctl_exec_t type, if you want to transition an executable to the nut_upsdrvctl_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nut_upsdrvctl_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nut_var_run_t
++
++ /var/run/nut(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsdrvctl_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nut_upsdrvctl_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nut_upsdrvctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nut_upsd_selinux(8), nut_upsd_selinux(8), nut_upsmon_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nut_upsmon_selinux.8 b/man/man8/nut_upsmon_selinux.8
+new file mode 100644
+index 0000000..8abe28c
+--- /dev/null
++++ b/man/man8/nut_upsmon_selinux.8
+@@ -0,0 +1,185 @@
++.TH "nut_upsmon_selinux" "8" "12-11-01" "nut_upsmon" "SELinux Policy documentation for nut_upsmon"
++.SH "NAME"
++nut_upsmon_selinux \- Security Enhanced Linux Policy for the nut_upsmon processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the nut_upsmon processes via flexible mandatory access control.
++
++The nut_upsmon processes execute with the nut_upsmon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep nut_upsmon_t
++
++
++.SH "ENTRYPOINTS"
++
++The nut_upsmon_t SELinux type can be entered via the "nut_upsmon_exec_t" file type. The default entrypoint paths for the nut_upsmon_t domain are the following:"
++
++/usr/sbin/upsmon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux nut_upsmon policy is very flexible allowing users to setup their nut_upsmon processes in as secure a method as possible.
++.PP
++The following process types are defined for nut_upsmon:
++
++.EX
++.B nut_upsmon_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux nut_upsmon policy is very flexible allowing users to setup their nut_upsmon processes in as secure a method as possible.
++.PP
++The following file types are defined for nut_upsmon:
++
++
++.EX
++.PP
++.B nut_upsmon_exec_t
++.EE
++
++- Set files with the nut_upsmon_exec_t type, if you want to transition an executable to the nut_upsmon_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type nut_upsmon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B nut_var_run_t
++
++ /var/run/nut(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsmon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nut_upsmon_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nut_upsmon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, nut_upsd_selinux(8), nut_upsdrvctl_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/nx_server_selinux.8 b/man/man8/nx_server_selinux.8
+new file mode 100644
+index 0000000..e551b42
+--- /dev/null
++++ b/man/man8/nx_server_selinux.8
+@@ -0,0 +1,129 @@
++.TH "nx_server_selinux" "8" "nx_server" "mgrepl@redhat.com" "nx_server SELinux Policy documentation"
++.SH "NAME"
++nx_server_r \- \fBnx_server user role\fP - Security Enhanced Linux Policy
++
++.SH DESCRIPTION
++
++SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into.
++
++.I Note:
++Examples in this man page will use the
++.B staff_u
++SELinux user.
++
++Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them.
++
++The default type for the nx_server_r role is nx_server_t.
++
++The
++.B newrole
++program to transition directly to this role.
++
++.B newrole -r nx_server_r -t nx_server_t
++
++.B sudo
++is the preferred method to do transition from one role to another. You setup sudo to transition to nx_server_r by adding a similar line to the /etc/sudoers file.
++
++USERNAME ALL=(ALL) ROLE=nx_server_r TYPE=nx_server_t COMMAND
++
++.br
++sudo will run COMMAND as staff_u:nx_server_r:nx_server_t:LEVEL
++
++When using a a non login role, you need to setup SELinux so that your SELinux user can reach nx_server_r role.
++
++Execute the following to see all of the assigned SELinux roles:
++
++.B semanage user -l
++
++You need to add nx_server_r to the staff_u user. You could setup the staff_u user to be able to use the nx_server_r role with a command like:
++
++.B $ semanage user -m -R 'staff_r system_r nx_server_r' staff_u
++
++
++.SH "MANAGED FILES"
++
++The SELinux process type nx_server_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B nx_server_home_ssh_t
++
++ /opt/NX/home/nx/\.ssh(/.*)?
++.br
++ /usr/NX/home/nx/\.ssh(/.*)?
++.br
++ /var/lib/nxserver/home/.ssh(/.*)?
++.br
++
++.br
++.B nx_server_tmp_t
++
++
++.br
++.B nx_server_var_lib_t
++
++ /opt/NX/home(/.*)?
++.br
++ /usr/NX/home(/.*)?
++.br
++ /var/lib/nxserver(/.*)?
++.br
++
++.br
++.B nx_server_var_run_t
++
++ /opt/NX/var(/.*)?
++.br
++
++.br
++.B ssh_home_t
++
++ /root/\.ssh(/.*)?
++.br
++ /var/lib/openshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/amanda/\.ssh(/.*)?
++.br
++ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/gitolite/\.ssh(/.*)?
++.br
++ /var/lib/nocpulse/\.ssh(/.*)?
++.br
++ /var/lib/gitolite3/\.ssh(/.*)?
++.br
++ /root/\.shosts
++.br
++ /home/[^/]*/\.ssh(/.*)?
++.br
++ /home/[^/]*/\.shosts
++.br
++ /home/dwalsh/\.ssh(/.*)?
++.br
++ /home/dwalsh/\.shosts
++.br
++ /var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.shosts
++.br
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), nx_server(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/obex_selinux.8 b/man/man8/obex_selinux.8
+new file mode 100644
+index 0000000..516eea1
+--- /dev/null
++++ b/man/man8/obex_selinux.8
+@@ -0,0 +1,86 @@
++.TH "obex_selinux" "8" "12-11-01" "obex" "SELinux Policy documentation for obex"
++.SH "NAME"
++obex_selinux \- Security Enhanced Linux Policy for the obex processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the obex processes via flexible mandatory access control.
++
++The obex processes execute with the obex_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep obex_t
++
++
++.SH "ENTRYPOINTS"
++
++The obex_t SELinux type can be entered via the "obex_exec_t" file type. The default entrypoint paths for the obex_t domain are the following:"
++
++/usr/bin/obex-data-server
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux obex policy is very flexible allowing users to setup their obex processes in as secure a method as possible.
++.PP
++The following process types are defined for obex:
++
++.EX
++.B obex_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux obex policy is very flexible allowing users to setup their obex processes in as secure a method as possible.
++.PP
++The following file types are defined for obex:
++
++
++.EX
++.PP
++.B obex_exec_t
++.EE
++
++- Set files with the obex_exec_t type, if you want to transition an executable to the obex_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), obex(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/oddjob_mkhomedir_selinux.8 b/man/man8/oddjob_mkhomedir_selinux.8
+new file mode 100644
+index 0000000..a049201
+--- /dev/null
++++ b/man/man8/oddjob_mkhomedir_selinux.8
+@@ -0,0 +1,117 @@
++.TH "oddjob_mkhomedir_selinux" "8" "12-11-01" "oddjob_mkhomedir" "SELinux Policy documentation for oddjob_mkhomedir"
++.SH "NAME"
++oddjob_mkhomedir_selinux \- Security Enhanced Linux Policy for the oddjob_mkhomedir processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the oddjob_mkhomedir processes via flexible mandatory access control.
++
++The oddjob_mkhomedir processes execute with the oddjob_mkhomedir_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep oddjob_mkhomedir_t
++
++
++.SH "ENTRYPOINTS"
++
++The oddjob_mkhomedir_t SELinux type can be entered via the "oddjob_mkhomedir_exec_t" file type. The default entrypoint paths for the oddjob_mkhomedir_t domain are the following:"
++
++/usr/lib/oddjob/mkhomedir, /usr/sbin/mkhomedir_helper, /usr/libexec/oddjob/mkhomedir
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux oddjob_mkhomedir policy is very flexible allowing users to setup their oddjob_mkhomedir processes in as secure a method as possible.
++.PP
++The following process types are defined for oddjob_mkhomedir:
++
++.EX
++.B oddjob_mkhomedir_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux oddjob_mkhomedir policy is very flexible allowing users to setup their oddjob_mkhomedir processes in as secure a method as possible.
++.PP
++The following file types are defined for oddjob_mkhomedir:
++
++
++.EX
++.PP
++.B oddjob_mkhomedir_exec_t
++.EE
++
++- Set files with the oddjob_mkhomedir_exec_t type, if you want to transition an executable to the oddjob_mkhomedir_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type oddjob_mkhomedir_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B user_home_type
++
++ all user home files
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the oddjob_mkhomedir_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the oddjob_mkhomedir_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), oddjob_mkhomedir(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, oddjob_selinux(8), oddjob_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/oddjob_selinux.8 b/man/man8/oddjob_selinux.8
+new file mode 100644
+index 0000000..da2bce8
+--- /dev/null
++++ b/man/man8/oddjob_selinux.8
+@@ -0,0 +1,154 @@
++.TH "oddjob_selinux" "8" "12-11-01" "oddjob" "SELinux Policy documentation for oddjob"
++.SH "NAME"
++oddjob_selinux \- Security Enhanced Linux Policy for the oddjob processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the oddjob processes via flexible mandatory access control.
++
++The oddjob processes execute with the oddjob_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep oddjob_t
++
++
++.SH "ENTRYPOINTS"
++
++The oddjob_t SELinux type can be entered via the "oddjob_exec_t" file type. The default entrypoint paths for the oddjob_t domain are the following:"
++
++/usr/sbin/oddjobd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux oddjob policy is very flexible allowing users to setup their oddjob processes in as secure a method as possible.
++.PP
++The following process types are defined for oddjob:
++
++.EX
++.B oddjob_mkhomedir_t, oddjob_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. oddjob policy is extremely flexible and has several booleans that allow you to manipulate the policy and run oddjob with the tightest access possible.
++
++
++.PP
++If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean.
++
++.EX
++.B setsebool -P httpd_use_oddjob 1
++.EE
++
++.PP
++If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean.
++
++.EX
++.B setsebool -P httpd_use_oddjob 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux oddjob policy is very flexible allowing users to setup their oddjob processes in as secure a method as possible.
++.PP
++The following file types are defined for oddjob:
++
++
++.EX
++.PP
++.B oddjob_exec_t
++.EE
++
++- Set files with the oddjob_exec_t type, if you want to transition an executable to the oddjob_t domain.
++
++
++.EX
++.PP
++.B oddjob_mkhomedir_exec_t
++.EE
++
++- Set files with the oddjob_mkhomedir_exec_t type, if you want to transition an executable to the oddjob_mkhomedir_t domain.
++
++
++.EX
++.PP
++.B oddjob_var_run_t
++.EE
++
++- Set files with the oddjob_var_run_t type, if you want to store the oddjob files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type oddjob_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B oddjob_var_run_t
++
++ /var/run/oddjobd\.pid
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the oddjob_mkhomedir_t, oddjob_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the oddjob_mkhomedir_t, oddjob_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), oddjob(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), oddjob_mkhomedir_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/openct_selinux.8 b/man/man8/openct_selinux.8
+new file mode 100644
+index 0000000..7a5ded1
+--- /dev/null
++++ b/man/man8/openct_selinux.8
+@@ -0,0 +1,108 @@
++.TH "openct_selinux" "8" "12-11-01" "openct" "SELinux Policy documentation for openct"
++.SH "NAME"
++openct_selinux \- Security Enhanced Linux Policy for the openct processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the openct processes via flexible mandatory access control.
++
++The openct processes execute with the openct_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep openct_t
++
++
++.SH "ENTRYPOINTS"
++
++The openct_t SELinux type can be entered via the "openct_exec_t" file type. The default entrypoint paths for the openct_t domain are the following:"
++
++/usr/sbin/ifdhandler, /usr/sbin/openct-control
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux openct policy is very flexible allowing users to setup their openct processes in as secure a method as possible.
++.PP
++The following process types are defined for openct:
++
++.EX
++.B openct_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux openct policy is very flexible allowing users to setup their openct processes in as secure a method as possible.
++.PP
++The following file types are defined for openct:
++
++
++.EX
++.PP
++.B openct_exec_t
++.EE
++
++- Set files with the openct_exec_t type, if you want to transition an executable to the openct_t domain.
++
++
++.EX
++.PP
++.B openct_var_run_t
++.EE
++
++- Set files with the openct_var_run_t type, if you want to store the openct files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type openct_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B openct_var_run_t
++
++ /var/run/openct(/.*)?
++.br
++
++.br
++.B usbfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), openct(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/openshift_cgroup_read_selinux.8 b/man/man8/openshift_cgroup_read_selinux.8
+new file mode 100644
+index 0000000..535b556
+--- /dev/null
++++ b/man/man8/openshift_cgroup_read_selinux.8
+@@ -0,0 +1,87 @@
++.TH "openshift_cgroup_read_selinux" "8" "12-11-01" "openshift_cgroup_read" "SELinux Policy documentation for openshift_cgroup_read"
++.SH "NAME"
++openshift_cgroup_read_selinux \- Security Enhanced Linux Policy for the openshift_cgroup_read processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the openshift_cgroup_read processes via flexible mandatory access control.
++
++The openshift_cgroup_read processes execute with the openshift_cgroup_read_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep openshift_cgroup_read_t
++
++
++.SH "ENTRYPOINTS"
++
++The openshift_cgroup_read_t SELinux type can be entered via the "openshift_cgroup_read_exec_t" file type. The default entrypoint paths for the openshift_cgroup_read_t domain are the following:"
++
++/usr/bin/(oo|rhc)-cgroup-read
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux openshift_cgroup_read policy is very flexible allowing users to setup their openshift_cgroup_read processes in as secure a method as possible.
++.PP
++The following process types are defined for openshift_cgroup_read:
++
++.EX
++.B openshift_cgroup_read_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux openshift_cgroup_read policy is very flexible allowing users to setup their openshift_cgroup_read processes in as secure a method as possible.
++.PP
++The following file types are defined for openshift_cgroup_read:
++
++
++.EX
++.PP
++.B openshift_cgroup_read_exec_t
++.EE
++
++- Set files with the openshift_cgroup_read_exec_t type, if you want to transition an executable to the openshift_cgroup_read_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), openshift_cgroup_read(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, openshift_initrc_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/openshift_initrc_selinux.8 b/man/man8/openshift_initrc_selinux.8
+new file mode 100644
+index 0000000..43101f1
+--- /dev/null
++++ b/man/man8/openshift_initrc_selinux.8
+@@ -0,0 +1,105 @@
++.TH "openshift_initrc_selinux" "8" "12-11-01" "openshift_initrc" "SELinux Policy documentation for openshift_initrc"
++.SH "NAME"
++openshift_initrc_selinux \- Security Enhanced Linux Policy for the openshift_initrc processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the openshift_initrc processes via flexible mandatory access control.
++
++The openshift_initrc processes execute with the openshift_initrc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep openshift_initrc_t
++
++
++.SH "ENTRYPOINTS"
++
++The openshift_initrc_t SELinux type can be entered via the "filesystem_type,openshift_initrc_exec_t,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type" file types. The default entrypoint paths for the openshift_initrc_t domain are the following:"
++
++/usr/bin/(oo|rhc)-restorer, /etc/rc\.d/init\.d/libra, /usr/sbin/mcollectived, /usr/bin/oo-admin-ctl-gears, /etc/rc\.d/init\.d/mcollective, /dev/cpu/mtrr, all files on the system
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux openshift_initrc policy is very flexible allowing users to setup their openshift_initrc processes in as secure a method as possible.
++.PP
++The following process types are defined for openshift_initrc:
++
++.EX
++.B openshift_initrc_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux openshift_initrc policy is very flexible allowing users to setup their openshift_initrc processes in as secure a method as possible.
++.PP
++The following file types are defined for openshift_initrc:
++
++
++.EX
++.PP
++.B openshift_initrc_exec_t
++.EE
++
++- Set files with the openshift_initrc_exec_t type, if you want to transition an executable to the openshift_initrc_t domain.
++
++
++.EX
++.PP
++.B openshift_initrc_tmp_t
++.EE
++
++- Set files with the openshift_initrc_tmp_t type, if you want to store openshift initrc temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type openshift_initrc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B file_type
++
++ all files on the system
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), openshift_initrc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, openshift_cgroup_read_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/openvpn_selinux.8 b/man/man8/openvpn_selinux.8
+new file mode 100644
+index 0000000..266266d
+--- /dev/null
++++ b/man/man8/openvpn_selinux.8
+@@ -0,0 +1,314 @@
++.TH "openvpn_selinux" "8" "12-11-01" "openvpn" "SELinux Policy documentation for openvpn"
++.SH "NAME"
++openvpn_selinux \- Security Enhanced Linux Policy for the openvpn processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the openvpn processes via flexible mandatory access control.
++
++The openvpn processes execute with the openvpn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep openvpn_t
++
++
++.SH "ENTRYPOINTS"
++
++The openvpn_t SELinux type can be entered via the "openvpn_exec_t" file type. The default entrypoint paths for the openvpn_t domain are the following:"
++
++/usr/sbin/openvpn
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux openvpn policy is very flexible allowing users to setup their openvpn processes in as secure a method as possible.
++.PP
++The following process types are defined for openvpn:
++
++.EX
++.B openvpn_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. openvpn policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openvpn with the tightest access possible.
++
++
++.PP
++If you want to allow openvpn to read home directories, you must turn on the openvpn_enable_homedirs boolean.
++
++.EX
++.B setsebool -P openvpn_enable_homedirs 1
++.EE
++
++.PP
++If you want to allow openvpn to read home directories, you must turn on the openvpn_enable_homedirs boolean.
++
++.EX
++.B setsebool -P openvpn_enable_homedirs 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux openvpn policy is very flexible allowing users to setup their openvpn processes in as secure a method as possible.
++.PP
++The following file types are defined for openvpn:
++
++
++.EX
++.PP
++.B openvpn_etc_rw_t
++.EE
++
++- Set files with the openvpn_etc_rw_t type, if you want to treat the files as openvpn etc read/write content.
++
++
++.EX
++.PP
++.B openvpn_etc_t
++.EE
++
++- Set files with the openvpn_etc_t type, if you want to store openvpn files in the /etc directories.
++
++
++.EX
++.PP
++.B openvpn_exec_t
++.EE
++
++- Set files with the openvpn_exec_t type, if you want to transition an executable to the openvpn_t domain.
++
++
++.EX
++.PP
++.B openvpn_initrc_exec_t
++.EE
++
++- Set files with the openvpn_initrc_exec_t type, if you want to transition an executable to the openvpn_initrc_t domain.
++
++
++.EX
++.PP
++.B openvpn_tmp_t
++.EE
++
++- Set files with the openvpn_tmp_t type, if you want to store openvpn temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B openvpn_var_log_t
++.EE
++
++- Set files with the openvpn_var_log_t type, if you want to treat the data as openvpn var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B openvpn_var_run_t
++.EE
++
++- Set files with the openvpn_var_run_t type, if you want to store the openvpn files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux openvpn policy is very flexible allowing users to setup their openvpn processes in as secure a method as possible.
++.PP
++The following port types are defined for openvpn:
++
++.EX
++.TP 5
++.B openvpn_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 1194
++.EE
++udp 1194
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type openvpn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.br
++.B openvpn_etc_rw_t
++
++ /etc/openvpn/ipp.txt
++.br
++
++.br
++.B openvpn_tmp_t
++
++
++.br
++.B openvpn_var_log_t
++
++ /var/log/openvpn.*
++.br
++
++.br
++.B openvpn_var_run_t
++
++ /var/run/openvpn(/.*)?
++.br
++ /var/run/openvpn\.client.*
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the openvpn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the openvpn_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), openvpn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/pacemaker_selinux.8 b/man/man8/pacemaker_selinux.8
+new file mode 100644
+index 0000000..30da0ee
+--- /dev/null
++++ b/man/man8/pacemaker_selinux.8
+@@ -0,0 +1,150 @@
++.TH "pacemaker_selinux" "8" "12-11-01" "pacemaker" "SELinux Policy documentation for pacemaker"
++.SH "NAME"
++pacemaker_selinux \- Security Enhanced Linux Policy for the pacemaker processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pacemaker processes via flexible mandatory access control.
++
++The pacemaker processes execute with the pacemaker_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pacemaker_t
++
++
++.SH "ENTRYPOINTS"
++
++The pacemaker_t SELinux type can be entered via the "pacemaker_exec_t" file type. The default entrypoint paths for the pacemaker_t domain are the following:"
++
++/usr/sbin/pacemakerd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pacemaker policy is very flexible allowing users to setup their pacemaker processes in as secure a method as possible.
++.PP
++The following process types are defined for pacemaker:
++
++.EX
++.B pacemaker_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pacemaker policy is very flexible allowing users to setup their pacemaker processes in as secure a method as possible.
++.PP
++The following file types are defined for pacemaker:
++
++
++.EX
++.PP
++.B pacemaker_exec_t
++.EE
++
++- Set files with the pacemaker_exec_t type, if you want to transition an executable to the pacemaker_t domain.
++
++
++.EX
++.PP
++.B pacemaker_initrc_exec_t
++.EE
++
++- Set files with the pacemaker_initrc_exec_t type, if you want to transition an executable to the pacemaker_initrc_t domain.
++
++
++.EX
++.PP
++.B pacemaker_unit_file_t
++.EE
++
++- Set files with the pacemaker_unit_file_t type, if you want to treat the files as pacemaker unit content.
++
++
++.EX
++.PP
++.B pacemaker_var_lib_t
++.EE
++
++- Set files with the pacemaker_var_lib_t type, if you want to store the pacemaker files under the /var/lib directory.
++
++
++.EX
++.PP
++.B pacemaker_var_run_t
++.EE
++
++- Set files with the pacemaker_var_run_t type, if you want to store the pacemaker files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type pacemaker_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B pacemaker_var_lib_t
++
++ /var/lib/pengine(/.*)?
++.br
++ /var/lib/heartbeat/crm(/.*)?
++.br
++
++.br
++.B pacemaker_var_run_t
++
++ /var/run/crm(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pacemaker_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pacemaker_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pacemaker(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/pads_selinux.8 b/man/man8/pads_selinux.8
+new file mode 100644
+index 0000000..4402702
+--- /dev/null
++++ b/man/man8/pads_selinux.8
+@@ -0,0 +1,140 @@
++.TH "pads_selinux" "8" "12-11-01" "pads" "SELinux Policy documentation for pads"
++.SH "NAME"
++pads_selinux \- Security Enhanced Linux Policy for the pads processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pads processes via flexible mandatory access control.
++
++The pads processes execute with the pads_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pads_t
++
++
++.SH "ENTRYPOINTS"
++
++The pads_t SELinux type can be entered via the "pads_exec_t" file type. The default entrypoint paths for the pads_t domain are the following:"
++
++/usr/bin/pads
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pads policy is very flexible allowing users to setup their pads processes in as secure a method as possible.
++.PP
++The following process types are defined for pads:
++
++.EX
++.B pads_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pads policy is very flexible allowing users to setup their pads processes in as secure a method as possible.
++.PP
++The following file types are defined for pads:
++
++
++.EX
++.PP
++.B pads_config_t
++.EE
++
++- Set files with the pads_config_t type, if you want to treat the files as pads configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B pads_exec_t
++.EE
++
++- Set files with the pads_exec_t type, if you want to transition an executable to the pads_t domain.
++
++
++.EX
++.PP
++.B pads_initrc_exec_t
++.EE
++
++- Set files with the pads_initrc_exec_t type, if you want to transition an executable to the pads_initrc_t domain.
++
++
++.EX
++.PP
++.B pads_var_run_t
++.EE
++
++- Set files with the pads_var_run_t type, if you want to store the pads files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type pads_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B pads_config_t
++
++ /etc/pads-assets.csv
++.br
++ /etc/pads\.conf
++.br
++ /etc/pads-ether-codes
++.br
++ /etc/pads-signature-list
++.br
++
++.br
++.B pads_var_run_t
++
++ /var/run/pads\.pid
++.br
++
++.br
++.B prelude_spool_t
++
++ /var/spool/prelude(/.*)?
++.br
++ /var/spool/prelude-manager(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pads(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/pam_console_selinux.8 b/man/man8/pam_console_selinux.8
+new file mode 100644
+index 0000000..efb2cc6
+--- /dev/null
++++ b/man/man8/pam_console_selinux.8
+@@ -0,0 +1,101 @@
++.TH "pam_console_selinux" "8" "12-11-01" "pam_console" "SELinux Policy documentation for pam_console"
++.SH "NAME"
++pam_console_selinux \- Security Enhanced Linux Policy for the pam_console processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pam_console processes via flexible mandatory access control.
++
++The pam_console processes execute with the pam_console_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pam_console_t
++
++
++.SH "ENTRYPOINTS"
++
++The pam_console_t SELinux type can be entered via the "pam_console_exec_t" file type. The default entrypoint paths for the pam_console_t domain are the following:"
++
++/sbin/pam_console_apply, /usr/sbin/pam_console_apply
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pam_console policy is very flexible allowing users to setup their pam_console processes in as secure a method as possible.
++.PP
++The following process types are defined for pam_console:
++
++.EX
++.B pam_console_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pam_console policy is very flexible allowing users to setup their pam_console processes in as secure a method as possible.
++.PP
++The following file types are defined for pam_console:
++
++
++.EX
++.PP
++.B pam_console_exec_t
++.EE
++
++- Set files with the pam_console_exec_t type, if you want to transition an executable to the pam_console_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pam_console_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pam_console_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pam_console(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, pam_timestamp_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/pam_timestamp_selinux.8 b/man/man8/pam_timestamp_selinux.8
+new file mode 100644
+index 0000000..b2e35ab
+--- /dev/null
++++ b/man/man8/pam_timestamp_selinux.8
+@@ -0,0 +1,117 @@
++.TH "pam_timestamp_selinux" "8" "12-11-01" "pam_timestamp" "SELinux Policy documentation for pam_timestamp"
++.SH "NAME"
++pam_timestamp_selinux \- Security Enhanced Linux Policy for the pam_timestamp processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pam_timestamp processes via flexible mandatory access control.
++
++The pam_timestamp processes execute with the pam_timestamp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pam_timestamp_t
++
++
++.SH "ENTRYPOINTS"
++
++The pam_timestamp_t SELinux type can be entered via the "pam_timestamp_exec_t" file type. The default entrypoint paths for the pam_timestamp_t domain are the following:"
++
++/sbin/pam_timestamp_check, /usr/sbin/pam_timestamp_check
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pam_timestamp policy is very flexible allowing users to setup their pam_timestamp processes in as secure a method as possible.
++.PP
++The following process types are defined for pam_timestamp:
++
++.EX
++.B pam_timestamp_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pam_timestamp policy is very flexible allowing users to setup their pam_timestamp processes in as secure a method as possible.
++.PP
++The following file types are defined for pam_timestamp:
++
++
++.EX
++.PP
++.B pam_timestamp_exec_t
++.EE
++
++- Set files with the pam_timestamp_exec_t type, if you want to transition an executable to the pam_timestamp_t domain.
++
++
++.EX
++.PP
++.B pam_timestamp_tmp_t
++.EE
++
++- Set files with the pam_timestamp_tmp_t type, if you want to store pam timestamp temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type pam_timestamp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B pam_timestamp_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pam_timestamp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pam_timestamp_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pam_timestamp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, pam_console_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/passenger_selinux.8 b/man/man8/passenger_selinux.8
+new file mode 100644
+index 0000000..c07e89a
+--- /dev/null
++++ b/man/man8/passenger_selinux.8
+@@ -0,0 +1,166 @@
++.TH "passenger_selinux" "8" "12-11-01" "passenger" "SELinux Policy documentation for passenger"
++.SH "NAME"
++passenger_selinux \- Security Enhanced Linux Policy for the passenger processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the passenger processes via flexible mandatory access control.
++
++The passenger processes execute with the passenger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep passenger_t
++
++
++.SH "ENTRYPOINTS"
++
++The passenger_t SELinux type can be entered via the "passenger_exec_t" file type. The default entrypoint paths for the passenger_t domain are the following:"
++
++/usr/lib/gems/.*/Passenger.*, /usr/lib/gems/.*/ApplicationPoolServerExecutable, /usr/share/gems/.*/Passenger.*, /usr/share/gems/.*/ApplicationPoolServerExecutable
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux passenger policy is very flexible allowing users to setup their passenger processes in as secure a method as possible.
++.PP
++The following process types are defined for passenger:
++
++.EX
++.B passenger_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux passenger policy is very flexible allowing users to setup their passenger processes in as secure a method as possible.
++.PP
++The following file types are defined for passenger:
++
++
++.EX
++.PP
++.B passenger_exec_t
++.EE
++
++- Set files with the passenger_exec_t type, if you want to transition an executable to the passenger_t domain.
++
++
++.EX
++.PP
++.B passenger_log_t
++.EE
++
++- Set files with the passenger_log_t type, if you want to treat the data as passenger log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B passenger_tmp_t
++.EE
++
++- Set files with the passenger_tmp_t type, if you want to store passenger temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B passenger_var_lib_t
++.EE
++
++- Set files with the passenger_var_lib_t type, if you want to store the passenger files under the /var/lib directory.
++
++
++.EX
++.PP
++.B passenger_var_run_t
++.EE
++
++- Set files with the passenger_var_run_t type, if you want to store the passenger files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type passenger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B passenger_log_t
++
++ /var/log/passenger.*
++.br
++ /var/log/passenger(/.*)?
++.br
++
++.br
++.B passenger_tmp_t
++
++
++.br
++.B passenger_var_lib_t
++
++ /var/lib/passenger(/.*)?
++.br
++
++.br
++.B passenger_var_run_t
++
++ /var/run/passenger(/.*)?
++.br
++
++.br
++.B puppet_var_lib_t
++
++ /var/lib/puppet(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the passenger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the passenger_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), passenger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/passwd_selinux.8 b/man/man8/passwd_selinux.8
+new file mode 100644
+index 0000000..af4b9b1
+--- /dev/null
++++ b/man/man8/passwd_selinux.8
+@@ -0,0 +1,208 @@
++.TH "passwd_selinux" "8" "12-11-01" "passwd" "SELinux Policy documentation for passwd"
++.SH "NAME"
++passwd_selinux \- Security Enhanced Linux Policy for the passwd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the passwd processes via flexible mandatory access control.
++
++The passwd processes execute with the passwd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep passwd_t
++
++
++.SH "ENTRYPOINTS"
++
++The passwd_t SELinux type can be entered via the "passwd_exec_t" file type. The default entrypoint paths for the passwd_t domain are the following:"
++
++/usr/bin/chage, /usr/bin/passwd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux passwd policy is very flexible allowing users to setup their passwd processes in as secure a method as possible.
++.PP
++The following process types are defined for passwd:
++
++.EX
++.B passwd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux passwd policy is very flexible allowing users to setup their passwd processes in as secure a method as possible.
++.PP
++The following file types are defined for passwd:
++
++
++.EX
++.PP
++.B passwd_exec_t
++.EE
++
++- Set files with the passwd_exec_t type, if you want to transition an executable to the passwd_t domain.
++
++
++.EX
++.PP
++.B passwd_file_t
++.EE
++
++- Set files with the passwd_file_t type, if you want to treat the files as passwd content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type passwd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B passwd_file_t
++
++ /etc/group[-\+]?
++.br
++ /etc/passwd[-\+]?
++.br
++ /etc/passwd\.adjunct.*
++.br
++ /etc/ptmptmp
++.br
++ /etc/\.pwd\.lock
++.br
++ /etc/group\.lock
++.br
++ /etc/passwd\.OLD
++.br
++ /etc/passwd\.lock
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B shadow_t
++
++ /etc/shadow.*
++.br
++ /etc/gshadow.*
++.br
++ /var/db/shadow.*
++.br
++ /etc/security/opasswd
++.br
++ /etc/security/opasswd\.old
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the passwd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), passwd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/pcscd_selinux.8 b/man/man8/pcscd_selinux.8
+new file mode 100644
+index 0000000..41e4f5f
+--- /dev/null
++++ b/man/man8/pcscd_selinux.8
+@@ -0,0 +1,116 @@
++.TH "pcscd_selinux" "8" "12-11-01" "pcscd" "SELinux Policy documentation for pcscd"
++.SH "NAME"
++pcscd_selinux \- Security Enhanced Linux Policy for the pcscd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pcscd processes via flexible mandatory access control.
++
++The pcscd processes execute with the pcscd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pcscd_t
++
++
++.SH "ENTRYPOINTS"
++
++The pcscd_t SELinux type can be entered via the "pcscd_exec_t" file type. The default entrypoint paths for the pcscd_t domain are the following:"
++
++/usr/sbin/pcscd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pcscd policy is very flexible allowing users to setup their pcscd processes in as secure a method as possible.
++.PP
++The following process types are defined for pcscd:
++
++.EX
++.B pcscd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pcscd policy is very flexible allowing users to setup their pcscd processes in as secure a method as possible.
++.PP
++The following file types are defined for pcscd:
++
++
++.EX
++.PP
++.B pcscd_exec_t
++.EE
++
++- Set files with the pcscd_exec_t type, if you want to transition an executable to the pcscd_t domain.
++
++
++.EX
++.PP
++.B pcscd_var_run_t
++.EE
++
++- Set files with the pcscd_var_run_t type, if you want to store the pcscd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type pcscd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B usbfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pcscd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/pegasus_selinux.8 b/man/man8/pegasus_selinux.8
+new file mode 100644
+index 0000000..39479f4
+--- /dev/null
++++ b/man/man8/pegasus_selinux.8
+@@ -0,0 +1,279 @@
++.TH "pegasus_selinux" "8" "12-11-01" "pegasus" "SELinux Policy documentation for pegasus"
++.SH "NAME"
++pegasus_selinux \- Security Enhanced Linux Policy for the pegasus processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pegasus processes via flexible mandatory access control.
++
++The pegasus processes execute with the pegasus_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pegasus_t
++
++
++.SH "ENTRYPOINTS"
++
++The pegasus_t SELinux type can be entered via the "pegasus_exec_t" file type. The default entrypoint paths for the pegasus_t domain are the following:"
++
++/usr/sbin/cimserver, /usr/sbin/init_repository
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pegasus policy is very flexible allowing users to setup their pegasus processes in as secure a method as possible.
++.PP
++The following process types are defined for pegasus:
++
++.EX
++.B pegasus_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pegasus policy is very flexible allowing users to setup their pegasus processes in as secure a method as possible.
++.PP
++The following file types are defined for pegasus:
++
++
++.EX
++.PP
++.B pegasus_cache_t
++.EE
++
++- Set files with the pegasus_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B pegasus_conf_t
++.EE
++
++- Set files with the pegasus_conf_t type, if you want to treat the files as pegasus configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B pegasus_data_t
++.EE
++
++- Set files with the pegasus_data_t type, if you want to treat the files as pegasus content.
++
++
++.EX
++.PP
++.B pegasus_exec_t
++.EE
++
++- Set files with the pegasus_exec_t type, if you want to transition an executable to the pegasus_t domain.
++
++
++.EX
++.PP
++.B pegasus_mof_t
++.EE
++
++- Set files with the pegasus_mof_t type, if you want to treat the files as pegasus mof data.
++
++
++.EX
++.PP
++.B pegasus_tmp_t
++.EE
++
++- Set files with the pegasus_tmp_t type, if you want to store pegasus temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B pegasus_var_run_t
++.EE
++
++- Set files with the pegasus_var_run_t type, if you want to store the pegasus files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux pegasus policy is very flexible allowing users to setup their pegasus processes in as secure a method as possible.
++.PP
++The following port types are defined for pegasus:
++
++.EX
++.TP 5
++.B pegasus_http_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 5988
++.EE
++
++.EX
++.TP 5
++.B pegasus_https_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 5989
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type pegasus_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B pegasus_cache_t
++
++
++.br
++.B pegasus_data_t
++
++ /var/lib/Pegasus(/.*)?
++.br
++ /etc/Pegasus/pegasus_current\.conf
++.br
++
++.br
++.B pegasus_tmp_t
++
++
++.br
++.B pegasus_var_run_t
++
++ /var/run/tog-pegasus(/.*)?
++.br
++
++.br
++.B samba_etc_t
++
++ /etc/samba(/.*)?
++.br
++
++.br
++.B virt_etc_rw_t
++
++ /etc/xen/.*/.*
++.br
++ /etc/xen/[^/]*
++.br
++ /etc/libvirt/.*/.*
++.br
++ /etc/libvirt/[^/]*
++.br
++
++.br
++.B virt_etc_t
++
++ /etc/xen/[^/]*
++.br
++ /etc/libvirt/[^/]*
++.br
++ /etc/xen
++.br
++ /etc/libvirt
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pegasus_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pegasus_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pegasus(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/phpfpm_selinux.8 b/man/man8/phpfpm_selinux.8
+new file mode 100644
+index 0000000..ae94dbd
+--- /dev/null
++++ b/man/man8/phpfpm_selinux.8
+@@ -0,0 +1,140 @@
++.TH "phpfpm_selinux" "8" "12-11-01" "phpfpm" "SELinux Policy documentation for phpfpm"
++.SH "NAME"
++phpfpm_selinux \- Security Enhanced Linux Policy for the phpfpm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the phpfpm processes via flexible mandatory access control.
++
++The phpfpm processes execute with the phpfpm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep phpfpm_t
++
++
++.SH "ENTRYPOINTS"
++
++The phpfpm_t SELinux type can be entered via the "phpfpm_exec_t" file type. The default entrypoint paths for the phpfpm_t domain are the following:"
++
++/usr/sbin/php-fpm
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux phpfpm policy is very flexible allowing users to setup their phpfpm processes in as secure a method as possible.
++.PP
++The following process types are defined for phpfpm:
++
++.EX
++.B phpfpm_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux phpfpm policy is very flexible allowing users to setup their phpfpm processes in as secure a method as possible.
++.PP
++The following file types are defined for phpfpm:
++
++
++.EX
++.PP
++.B phpfpm_exec_t
++.EE
++
++- Set files with the phpfpm_exec_t type, if you want to transition an executable to the phpfpm_t domain.
++
++
++.EX
++.PP
++.B phpfpm_log_t
++.EE
++
++- Set files with the phpfpm_log_t type, if you want to treat the data as phpfpm log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B phpfpm_unit_file_t
++.EE
++
++- Set files with the phpfpm_unit_file_t type, if you want to treat the files as phpfpm unit content.
++
++
++.EX
++.PP
++.B phpfpm_var_run_t
++.EE
++
++- Set files with the phpfpm_var_run_t type, if you want to store the phpfpm files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type phpfpm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B phpfpm_log_t
++
++ /var/log/php-fpm(/.*)?
++.br
++
++.br
++.B phpfpm_var_run_t
++
++ /var/run/php-fpm(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the phpfpm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the phpfpm_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), phpfpm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ping_selinux.8 b/man/man8/ping_selinux.8
+new file mode 100644
+index 0000000..7210530
+--- /dev/null
++++ b/man/man8/ping_selinux.8
+@@ -0,0 +1,180 @@
++.TH "ping_selinux" "8" "12-11-01" "ping" "SELinux Policy documentation for ping"
++.SH "NAME"
++ping_selinux \- Security Enhanced Linux Policy for the ping processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ping processes via flexible mandatory access control.
++
++The ping processes execute with the ping_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ping_t
++
++
++.SH "ENTRYPOINTS"
++
++The ping_t SELinux type can be entered via the "ping_exec_t" file type. The default entrypoint paths for the ping_t domain are the following:"
++
++/bin/ping.*, /usr/bin/ping.*, /usr/sbin/fping.*, /usr/sbin/hping2, /usr/sbin/send_arp
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible.
++.PP
++The following process types are defined for ping:
++
++.EX
++.B ping_t, pingd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. ping policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ping with the tightest access possible.
++
++
++.PP
++If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
++
++.EX
++.B setsebool -P selinuxuser_ping 1
++.EE
++
++.PP
++If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
++
++.EX
++.B setsebool -P selinuxuser_ping 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible.
++.PP
++The following file types are defined for ping:
++
++
++.EX
++.PP
++.B ping_exec_t
++.EE
++
++- Set files with the ping_exec_t type, if you want to transition an executable to the ping_t domain.
++
++
++.EX
++.PP
++.B pingd_etc_t
++.EE
++
++- Set files with the pingd_etc_t type, if you want to store pingd files in the /etc directories.
++
++
++.EX
++.PP
++.B pingd_exec_t
++.EE
++
++- Set files with the pingd_exec_t type, if you want to transition an executable to the pingd_t domain.
++
++
++.EX
++.PP
++.B pingd_initrc_exec_t
++.EE
++
++- Set files with the pingd_initrc_exec_t type, if you want to transition an executable to the pingd_initrc_t domain.
++
++
++.EX
++.PP
++.B pingd_modules_t
++.EE
++
++- Set files with the pingd_modules_t type, if you want to treat the files as pingd modules.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible.
++.PP
++The following port types are defined for ping:
++
++.EX
++.TP 5
++.B pingd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 9125
++.EE
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ping(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), pingd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/pingd_selinux.8 b/man/man8/pingd_selinux.8
+new file mode 100644
+index 0000000..4fc7233
+--- /dev/null
++++ b/man/man8/pingd_selinux.8
+@@ -0,0 +1,172 @@
++.TH "pingd_selinux" "8" "12-11-01" "pingd" "SELinux Policy documentation for pingd"
++.SH "NAME"
++pingd_selinux \- Security Enhanced Linux Policy for the pingd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pingd processes via flexible mandatory access control.
++
++The pingd processes execute with the pingd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pingd_t
++
++
++.SH "ENTRYPOINTS"
++
++The pingd_t SELinux type can be entered via the "pingd_exec_t" file type. The default entrypoint paths for the pingd_t domain are the following:"
++
++/usr/sbin/pingd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pingd policy is very flexible allowing users to setup their pingd processes in as secure a method as possible.
++.PP
++The following process types are defined for pingd:
++
++.EX
++.B ping_t, pingd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. pingd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pingd with the tightest access possible.
++
++
++.PP
++If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
++
++.EX
++.B setsebool -P selinuxuser_ping 1
++.EE
++
++.PP
++If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
++
++.EX
++.B setsebool -P selinuxuser_ping 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pingd policy is very flexible allowing users to setup their pingd processes in as secure a method as possible.
++.PP
++The following file types are defined for pingd:
++
++
++.EX
++.PP
++.B pingd_etc_t
++.EE
++
++- Set files with the pingd_etc_t type, if you want to store pingd files in the /etc directories.
++
++
++.EX
++.PP
++.B pingd_exec_t
++.EE
++
++- Set files with the pingd_exec_t type, if you want to transition an executable to the pingd_t domain.
++
++
++.EX
++.PP
++.B pingd_initrc_exec_t
++.EE
++
++- Set files with the pingd_initrc_exec_t type, if you want to transition an executable to the pingd_initrc_t domain.
++
++
++.EX
++.PP
++.B pingd_modules_t
++.EE
++
++- Set files with the pingd_modules_t type, if you want to treat the files as pingd modules.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux pingd policy is very flexible allowing users to setup their pingd processes in as secure a method as possible.
++.PP
++The following port types are defined for pingd:
++
++.EX
++.TP 5
++.B pingd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 9125
++.EE
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pingd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), ping_selinux(8), ping_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/piranha_fos_selinux.8 b/man/man8/piranha_fos_selinux.8
+new file mode 100644
+index 0000000..99093e6
+--- /dev/null
++++ b/man/man8/piranha_fos_selinux.8
+@@ -0,0 +1,119 @@
++.TH "piranha_fos_selinux" "8" "12-11-01" "piranha_fos" "SELinux Policy documentation for piranha_fos"
++.SH "NAME"
++piranha_fos_selinux \- Security Enhanced Linux Policy for the piranha_fos processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the piranha_fos processes via flexible mandatory access control.
++
++The piranha_fos processes execute with the piranha_fos_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep piranha_fos_t
++
++
++.SH "ENTRYPOINTS"
++
++The piranha_fos_t SELinux type can be entered via the "piranha_fos_exec_t" file type. The default entrypoint paths for the piranha_fos_t domain are the following:"
++
++/usr/sbin/fos
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux piranha_fos policy is very flexible allowing users to setup their piranha_fos processes in as secure a method as possible.
++.PP
++The following process types are defined for piranha_fos:
++
++.EX
++.B piranha_fos_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux piranha_fos policy is very flexible allowing users to setup their piranha_fos processes in as secure a method as possible.
++.PP
++The following file types are defined for piranha_fos:
++
++
++.EX
++.PP
++.B piranha_fos_exec_t
++.EE
++
++- Set files with the piranha_fos_exec_t type, if you want to transition an executable to the piranha_fos_t domain.
++
++
++.EX
++.PP
++.B piranha_fos_var_run_t
++.EE
++
++- Set files with the piranha_fos_var_run_t type, if you want to store the piranha fos files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type piranha_fos_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B piranha_fos_var_run_t
++
++ /var/run/fos\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_fos_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the piranha_fos_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), piranha_fos(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, piranha_lvs_selinux(8), piranha_pulse_selinux(8), piranha_web_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/piranha_lvs_selinux.8 b/man/man8/piranha_lvs_selinux.8
+new file mode 100644
+index 0000000..4792eec
+--- /dev/null
++++ b/man/man8/piranha_lvs_selinux.8
+@@ -0,0 +1,140 @@
++.TH "piranha_lvs_selinux" "8" "12-11-01" "piranha_lvs" "SELinux Policy documentation for piranha_lvs"
++.SH "NAME"
++piranha_lvs_selinux \- Security Enhanced Linux Policy for the piranha_lvs processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the piranha_lvs processes via flexible mandatory access control.
++
++The piranha_lvs processes execute with the piranha_lvs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep piranha_lvs_t
++
++
++.SH "ENTRYPOINTS"
++
++The piranha_lvs_t SELinux type can be entered via the "piranha_lvs_exec_t" file type. The default entrypoint paths for the piranha_lvs_t domain are the following:"
++
++/usr/sbin/lvsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux piranha_lvs policy is very flexible allowing users to setup their piranha_lvs processes in as secure a method as possible.
++.PP
++The following process types are defined for piranha_lvs:
++
++.EX
++.B piranha_lvs_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. piranha_lvs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run piranha_lvs with the tightest access possible.
++
++
++.PP
++If you want to allow piranha-lvs domain to connect to the network using TCP, you must turn on the piranha_lvs_can_network_connect boolean.
++
++.EX
++.B setsebool -P piranha_lvs_can_network_connect 1
++.EE
++
++.PP
++If you want to allow piranha-lvs domain to connect to the network using TCP, you must turn on the piranha_lvs_can_network_connect boolean.
++
++.EX
++.B setsebool -P piranha_lvs_can_network_connect 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux piranha_lvs policy is very flexible allowing users to setup their piranha_lvs processes in as secure a method as possible.
++.PP
++The following file types are defined for piranha_lvs:
++
++
++.EX
++.PP
++.B piranha_lvs_exec_t
++.EE
++
++- Set files with the piranha_lvs_exec_t type, if you want to transition an executable to the piranha_lvs_t domain.
++
++
++.EX
++.PP
++.B piranha_lvs_var_run_t
++.EE
++
++- Set files with the piranha_lvs_var_run_t type, if you want to store the piranha lvs files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type piranha_lvs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B piranha_lvs_var_run_t
++
++ /var/run/lvs\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_lvs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the piranha_lvs_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), piranha_lvs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), piranha_fos_selinux(8), piranha_pulse_selinux(8), piranha_web_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/piranha_pulse_selinux.8 b/man/man8/piranha_pulse_selinux.8
+new file mode 100644
+index 0000000..2c470f5
+--- /dev/null
++++ b/man/man8/piranha_pulse_selinux.8
+@@ -0,0 +1,151 @@
++.TH "piranha_pulse_selinux" "8" "12-11-01" "piranha_pulse" "SELinux Policy documentation for piranha_pulse"
++.SH "NAME"
++piranha_pulse_selinux \- Security Enhanced Linux Policy for the piranha_pulse processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the piranha_pulse processes via flexible mandatory access control.
++
++The piranha_pulse processes execute with the piranha_pulse_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep piranha_pulse_t
++
++
++.SH "ENTRYPOINTS"
++
++The piranha_pulse_t SELinux type can be entered via the "piranha_pulse_exec_t" file type. The default entrypoint paths for the piranha_pulse_t domain are the following:"
++
++/usr/sbin/pulse
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux piranha_pulse policy is very flexible allowing users to setup their piranha_pulse processes in as secure a method as possible.
++.PP
++The following process types are defined for piranha_pulse:
++
++.EX
++.B piranha_pulse_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux piranha_pulse policy is very flexible allowing users to setup their piranha_pulse processes in as secure a method as possible.
++.PP
++The following file types are defined for piranha_pulse:
++
++
++.EX
++.PP
++.B piranha_pulse_exec_t
++.EE
++
++- Set files with the piranha_pulse_exec_t type, if you want to transition an executable to the piranha_pulse_t domain.
++
++
++.EX
++.PP
++.B piranha_pulse_initrc_exec_t
++.EE
++
++- Set files with the piranha_pulse_initrc_exec_t type, if you want to transition an executable to the piranha_pulse_initrc_t domain.
++
++
++.EX
++.PP
++.B piranha_pulse_var_run_t
++.EE
++
++- Set files with the piranha_pulse_var_run_t type, if you want to store the piranha pulse files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type piranha_pulse_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B piranha_pulse_var_run_t
++
++ /var/run/pulse\.pid
++.br
++
++.br
++.B samba_etc_t
++
++ /etc/samba(/.*)?
++.br
++
++.br
++.B samba_var_t
++
++ /var/lib/samba(/.*)?
++.br
++ /var/cache/samba(/.*)?
++.br
++ /var/spool/samba(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_pulse_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the piranha_pulse_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), piranha_pulse(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, piranha_fos_selinux(8), piranha_lvs_selinux(8), piranha_web_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/piranha_web_selinux.8 b/man/man8/piranha_web_selinux.8
+new file mode 100644
+index 0000000..c0ce2c7
+--- /dev/null
++++ b/man/man8/piranha_web_selinux.8
+@@ -0,0 +1,177 @@
++.TH "piranha_web_selinux" "8" "12-11-01" "piranha_web" "SELinux Policy documentation for piranha_web"
++.SH "NAME"
++piranha_web_selinux \- Security Enhanced Linux Policy for the piranha_web processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the piranha_web processes via flexible mandatory access control.
++
++The piranha_web processes execute with the piranha_web_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep piranha_web_t
++
++
++.SH "ENTRYPOINTS"
++
++The piranha_web_t SELinux type can be entered via the "piranha_web_exec_t" file type. The default entrypoint paths for the piranha_web_t domain are the following:"
++
++/usr/sbin/piranha_gui
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux piranha_web policy is very flexible allowing users to setup their piranha_web processes in as secure a method as possible.
++.PP
++The following process types are defined for piranha_web:
++
++.EX
++.B piranha_web_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux piranha_web policy is very flexible allowing users to setup their piranha_web processes in as secure a method as possible.
++.PP
++The following file types are defined for piranha_web:
++
++
++.EX
++.PP
++.B piranha_web_conf_t
++.EE
++
++- Set files with the piranha_web_conf_t type, if you want to treat the files as piranha web configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B piranha_web_data_t
++.EE
++
++- Set files with the piranha_web_data_t type, if you want to treat the files as piranha web content.
++
++
++.EX
++.PP
++.B piranha_web_exec_t
++.EE
++
++- Set files with the piranha_web_exec_t type, if you want to transition an executable to the piranha_web_t domain.
++
++
++.EX
++.PP
++.B piranha_web_tmp_t
++.EE
++
++- Set files with the piranha_web_tmp_t type, if you want to store piranha web temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B piranha_web_tmpfs_t
++.EE
++
++- Set files with the piranha_web_tmpfs_t type, if you want to store piranha web files on a tmpfs file system.
++
++
++.EX
++.PP
++.B piranha_web_var_run_t
++.EE
++
++- Set files with the piranha_web_var_run_t type, if you want to store the piranha web files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type piranha_web_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B piranha_etc_rw_t
++
++ /etc/piranha/lvs\.cf
++.br
++
++.br
++.B piranha_log_t
++
++ /var/log/piranha(/.*)?
++.br
++
++.br
++.B piranha_web_data_t
++
++ /var/lib/luci(/.*)?
++.br
++
++.br
++.B piranha_web_tmp_t
++
++
++.br
++.B piranha_web_tmpfs_t
++
++
++.br
++.B piranha_web_var_run_t
++
++ /var/run/piranha-httpd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_web_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the piranha_web_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), piranha_web(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, piranha_fos_selinux(8), piranha_lvs_selinux(8), piranha_pulse_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/pkcsslotd_selinux.8 b/man/man8/pkcsslotd_selinux.8
+new file mode 100644
+index 0000000..a7bf1c6
+--- /dev/null
++++ b/man/man8/pkcsslotd_selinux.8
+@@ -0,0 +1,148 @@
++.TH "pkcsslotd_selinux" "8" "12-11-01" "pkcsslotd" "SELinux Policy documentation for pkcsslotd"
++.SH "NAME"
++pkcsslotd_selinux \- Security Enhanced Linux Policy for the pkcsslotd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pkcsslotd processes via flexible mandatory access control.
++
++The pkcsslotd processes execute with the pkcsslotd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pkcsslotd_t
++
++
++.SH "ENTRYPOINTS"
++
++The pkcsslotd_t SELinux type can be entered via the "pkcsslotd_exec_t" file type. The default entrypoint paths for the pkcsslotd_t domain are the following:"
++
++/usr/sbin/pkcsslotd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pkcsslotd policy is very flexible allowing users to setup their pkcsslotd processes in as secure a method as possible.
++.PP
++The following process types are defined for pkcsslotd:
++
++.EX
++.B pkcsslotd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pkcsslotd policy is very flexible allowing users to setup their pkcsslotd processes in as secure a method as possible.
++.PP
++The following file types are defined for pkcsslotd:
++
++
++.EX
++.PP
++.B pkcsslotd_exec_t
++.EE
++
++- Set files with the pkcsslotd_exec_t type, if you want to transition an executable to the pkcsslotd_t domain.
++
++
++.EX
++.PP
++.B pkcsslotd_tmp_t
++.EE
++
++- Set files with the pkcsslotd_tmp_t type, if you want to store pkcsslotd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B pkcsslotd_tmpfs_t
++.EE
++
++- Set files with the pkcsslotd_tmpfs_t type, if you want to store pkcsslotd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B pkcsslotd_unit_file_t
++.EE
++
++- Set files with the pkcsslotd_unit_file_t type, if you want to treat the files as pkcsslotd unit content.
++
++
++.EX
++.PP
++.B pkcsslotd_var_lib_t
++.EE
++
++- Set files with the pkcsslotd_var_lib_t type, if you want to store the pkcsslotd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B pkcsslotd_var_run_t
++.EE
++
++- Set files with the pkcsslotd_var_run_t type, if you want to store the pkcsslotd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type pkcsslotd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B pkcsslotd_tmp_t
++
++
++.br
++.B pkcsslotd_tmpfs_t
++
++
++.br
++.B pkcsslotd_var_lib_t
++
++ /var/lib/opencryptoki(/.*)?
++.br
++
++.br
++.B pkcsslotd_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pkcsslotd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/pki_ra_selinux.8 b/man/man8/pki_ra_selinux.8
+new file mode 100644
+index 0000000..565c3d5
+--- /dev/null
++++ b/man/man8/pki_ra_selinux.8
+@@ -0,0 +1,241 @@
++.TH "pki_ra_selinux" "8" "12-11-01" "pki_ra" "SELinux Policy documentation for pki_ra"
++.SH "NAME"
++pki_ra_selinux \- Security Enhanced Linux Policy for the pki_ra processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pki_ra processes via flexible mandatory access control.
++
++The pki_ra processes execute with the pki_ra_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pki_ra_t
++
++
++.SH "ENTRYPOINTS"
++
++The pki_ra_t SELinux type can be entered via the "httpd_exec_t,pki_ra_exec_t" file types. The default entrypoint paths for the pki_ra_t domain are the following:"
++
++/usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails, /var/lib/pki-ra/pki-ra
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pki_ra policy is very flexible allowing users to setup their pki_ra processes in as secure a method as possible.
++.PP
++The following process types are defined for pki_ra:
++
++.EX
++.B pki_ra_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pki_ra policy is very flexible allowing users to setup their pki_ra processes in as secure a method as possible.
++.PP
++The following file types are defined for pki_ra:
++
++
++.EX
++.PP
++.B pki_ra_etc_rw_t
++.EE
++
++- Set files with the pki_ra_etc_rw_t type, if you want to treat the files as pki ra etc read/write content.
++
++
++.EX
++.PP
++.B pki_ra_exec_t
++.EE
++
++- Set files with the pki_ra_exec_t type, if you want to transition an executable to the pki_ra_t domain.
++
++
++.EX
++.PP
++.B pki_ra_lock_t
++.EE
++
++- Set files with the pki_ra_lock_t type, if you want to treat the files as pki ra lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B pki_ra_log_t
++.EE
++
++- Set files with the pki_ra_log_t type, if you want to treat the data as pki ra log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B pki_ra_script_exec_t
++.EE
++
++- Set files with the pki_ra_script_exec_t type, if you want to transition an executable to the pki_ra_script_t domain.
++
++
++.EX
++.PP
++.B pki_ra_tomcat_exec_t
++.EE
++
++- Set files with the pki_ra_tomcat_exec_t type, if you want to transition an executable to the pki_ra_tomcat_t domain.
++
++
++.EX
++.PP
++.B pki_ra_var_lib_t
++.EE
++
++- Set files with the pki_ra_var_lib_t type, if you want to store the pki ra files under the /var/lib directory.
++
++
++.EX
++.PP
++.B pki_ra_var_run_t
++.EE
++
++- Set files with the pki_ra_var_run_t type, if you want to store the pki ra files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux pki_ra policy is very flexible allowing users to setup their pki_ra processes in as secure a method as possible.
++.PP
++The following port types are defined for pki_ra:
++
++.EX
++.TP 5
++.B pki_ra_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 12888-12889
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type pki_ra_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.br
++.B mqueue_spool_t
++
++ /var/spool/(client)?mqueue(/.*)?
++.br
++ /var/spool/mqueue\.in(/.*)?
++.br
++
++.br
++.B pki_common_t
++
++ /opt/nfast(/.*)?
++.br
++
++.br
++.B pki_ra_etc_rw_t
++
++ /etc/pki-ra(/.*)?
++.br
++ /etc/sysconfig/pki/ra(/.*)?
++.br
++
++.br
++.B pki_ra_lock_t
++
++
++.br
++.B pki_ra_log_t
++
++ /var/log/pki-ra(/.*)?
++.br
++
++.br
++.B pki_ra_var_lib_t
++
++ /var/lib/pki-ra(/.*)?
++.br
++
++.br
++.B pki_ra_var_run_t
++
++ /var/run/pki/ra(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pki_ra_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pki_ra_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pki_ra(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, pki_tomcat_selinux(8), pki_tps_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/pki_tomcat_selinux.8 b/man/man8/pki_tomcat_selinux.8
+new file mode 100644
+index 0000000..47e7c89
+--- /dev/null
++++ b/man/man8/pki_tomcat_selinux.8
+@@ -0,0 +1,273 @@
++.TH "pki_tomcat_selinux" "8" "12-11-01" "pki_tomcat" "SELinux Policy documentation for pki_tomcat"
++.SH "NAME"
++pki_tomcat_selinux \- Security Enhanced Linux Policy for the pki_tomcat processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pki_tomcat processes via flexible mandatory access control.
++
++The pki_tomcat processes execute with the pki_tomcat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pki_tomcat_t
++
++
++.SH "ENTRYPOINTS"
++
++The pki_tomcat_t SELinux type can be entered via the "pki_tomcat_exec_t" file type. The default entrypoint paths for the pki_tomcat_t domain are the following:"
++
++/usr/bin/pkidaemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pki_tomcat policy is very flexible allowing users to setup their pki_tomcat processes in as secure a method as possible.
++.PP
++The following process types are defined for pki_tomcat:
++
++.EX
++.B pki_tomcat_t, pki_tomcat_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pki_tomcat policy is very flexible allowing users to setup their pki_tomcat processes in as secure a method as possible.
++.PP
++The following file types are defined for pki_tomcat:
++
++
++.EX
++.PP
++.B pki_tomcat_cache_t
++.EE
++
++- Set files with the pki_tomcat_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B pki_tomcat_cert_t
++.EE
++
++- Set files with the pki_tomcat_cert_t type, if you want to treat the files as pki tomcat certificate data.
++
++
++.EX
++.PP
++.B pki_tomcat_etc_rw_t
++.EE
++
++- Set files with the pki_tomcat_etc_rw_t type, if you want to treat the files as pki tomcat etc read/write content.
++
++
++.EX
++.PP
++.B pki_tomcat_exec_t
++.EE
++
++- Set files with the pki_tomcat_exec_t type, if you want to transition an executable to the pki_tomcat_t domain.
++
++
++.EX
++.PP
++.B pki_tomcat_lock_t
++.EE
++
++- Set files with the pki_tomcat_lock_t type, if you want to treat the files as pki tomcat lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B pki_tomcat_log_t
++.EE
++
++- Set files with the pki_tomcat_log_t type, if you want to treat the data as pki tomcat log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B pki_tomcat_tmp_t
++.EE
++
++- Set files with the pki_tomcat_tmp_t type, if you want to store pki tomcat temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B pki_tomcat_unit_file_t
++.EE
++
++- Set files with the pki_tomcat_unit_file_t type, if you want to treat the files as pki tomcat unit content.
++
++
++.EX
++.PP
++.B pki_tomcat_var_lib_t
++.EE
++
++- Set files with the pki_tomcat_var_lib_t type, if you want to store the pki tomcat files under the /var/lib directory.
++
++
++.EX
++.PP
++.B pki_tomcat_var_run_t
++.EE
++
++- Set files with the pki_tomcat_var_run_t type, if you want to store the pki tomcat files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type pki_tomcat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dirsrv_var_lib_t
++
++ /var/lib/dirsrv(/.*)?
++.br
++
++.br
++.B pki_common_t
++
++ /opt/nfast(/.*)?
++.br
++
++.br
++.B pki_tomcat_cache_t
++
++
++.br
++.B pki_tomcat_cert_t
++
++ /var/lib/pki-ca/alias(/.*)?
++.br
++ /var/lib/pki-kra/alias(/.*)?
++.br
++ /var/lib/pki-tks/alias(/.*)?
++.br
++ /var/lib/pki-ocsp/alias(/.*)?
++.br
++ /etc/pki/pki-tomcat/alias(/.*)?
++.br
++
++.br
++.B pki_tomcat_etc_rw_t
++
++ /etc/pki-ca(/.*)?
++.br
++ /etc/pki-kra(/.*)?
++.br
++ /etc/pki-tks(/.*)?
++.br
++ /etc/pki-ocsp(/.*)?
++.br
++ /etc/pki/pki-tomcat(/.*)?
++.br
++ /etc/sysconfig/pki/tomcat(/.*)?
++.br
++
++.br
++.B pki_tomcat_lock_t
++
++ /var/lock/subsys/pkidaemon
++.br
++
++.br
++.B pki_tomcat_log_t
++
++ /var/log/pki-ca(/.*)?
++.br
++ /var/log/pki-kra(/.*)?
++.br
++ /var/log/pki-tks(/.*)?
++.br
++ /var/log/pki-ocsp(/.*)?
++.br
++ /var/log/pki/pki-tomcat(/.*)?
++.br
++
++.br
++.B pki_tomcat_tmp_t
++
++
++.br
++.B pki_tomcat_var_lib_t
++
++ /var/lib/pki-ca(/.*)?
++.br
++ /var/lib/pki-kra(/.*)?
++.br
++ /var/lib/pki-tks(/.*)?
++.br
++ /var/lib/pki-ocsp(/.*)?
++.br
++ /var/lib/pki/pki-tomcat(/.*)?
++.br
++
++.br
++.B pki_tomcat_var_run_t
++
++ /var/run/pki-ca.pid
++.br
++ /var/run/pki-kra.pid
++.br
++ /var/run/pki-tks.pid
++.br
++ /var/run/pki-ocsp.pid
++.br
++ /var/run/pki/tomcat(/.*)?
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pki_tomcat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, pki_ra_selinux(8), pki_tps_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/pki_tps_selinux.8 b/man/man8/pki_tps_selinux.8
+new file mode 100644
+index 0000000..8fecac8
+--- /dev/null
++++ b/man/man8/pki_tps_selinux.8
+@@ -0,0 +1,223 @@
++.TH "pki_tps_selinux" "8" "12-11-01" "pki_tps" "SELinux Policy documentation for pki_tps"
++.SH "NAME"
++pki_tps_selinux \- Security Enhanced Linux Policy for the pki_tps processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pki_tps processes via flexible mandatory access control.
++
++The pki_tps processes execute with the pki_tps_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pki_tps_t
++
++
++.SH "ENTRYPOINTS"
++
++The pki_tps_t SELinux type can be entered via the "httpd_exec_t,pki_tps_exec_t" file types. The default entrypoint paths for the pki_tps_t domain are the following:"
++
++/usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails, /var/lib/pki-tps/pki-tps
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pki_tps policy is very flexible allowing users to setup their pki_tps processes in as secure a method as possible.
++.PP
++The following process types are defined for pki_tps:
++
++.EX
++.B pki_tps_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pki_tps policy is very flexible allowing users to setup their pki_tps processes in as secure a method as possible.
++.PP
++The following file types are defined for pki_tps:
++
++
++.EX
++.PP
++.B pki_tps_etc_rw_t
++.EE
++
++- Set files with the pki_tps_etc_rw_t type, if you want to treat the files as pki tps etc read/write content.
++
++
++.EX
++.PP
++.B pki_tps_exec_t
++.EE
++
++- Set files with the pki_tps_exec_t type, if you want to transition an executable to the pki_tps_t domain.
++
++
++.EX
++.PP
++.B pki_tps_lock_t
++.EE
++
++- Set files with the pki_tps_lock_t type, if you want to treat the files as pki tps lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B pki_tps_log_t
++.EE
++
++- Set files with the pki_tps_log_t type, if you want to treat the data as pki tps log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B pki_tps_script_exec_t
++.EE
++
++- Set files with the pki_tps_script_exec_t type, if you want to transition an executable to the pki_tps_script_t domain.
++
++
++.EX
++.PP
++.B pki_tps_tomcat_exec_t
++.EE
++
++- Set files with the pki_tps_tomcat_exec_t type, if you want to transition an executable to the pki_tps_tomcat_t domain.
++
++
++.EX
++.PP
++.B pki_tps_var_lib_t
++.EE
++
++- Set files with the pki_tps_var_lib_t type, if you want to store the pki tps files under the /var/lib directory.
++
++
++.EX
++.PP
++.B pki_tps_var_run_t
++.EE
++
++- Set files with the pki_tps_var_run_t type, if you want to store the pki tps files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux pki_tps policy is very flexible allowing users to setup their pki_tps processes in as secure a method as possible.
++.PP
++The following port types are defined for pki_tps:
++
++.EX
++.TP 5
++.B pki_tps_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 7888-7889
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type pki_tps_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B pki_common_t
++
++ /opt/nfast(/.*)?
++.br
++
++.br
++.B pki_tps_etc_rw_t
++
++ /etc/pki-tps(/.*)?
++.br
++ /etc/sysconfig/pki/tps(/.*)?
++.br
++
++.br
++.B pki_tps_lock_t
++
++
++.br
++.B pki_tps_log_t
++
++ /var/log/pki-tps(/.*)?
++.br
++
++.br
++.B pki_tps_var_lib_t
++
++ /var/lib/pki-tps(/.*)?
++.br
++
++.br
++.B pki_tps_var_run_t
++
++ /var/run/pki/tps(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pki_tps_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pki_tps_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pki_tps(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, pki_ra_selinux(8), pki_tomcat_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/plymouth_selinux.8 b/man/man8/plymouth_selinux.8
+new file mode 100644
+index 0000000..fd43c97
+--- /dev/null
++++ b/man/man8/plymouth_selinux.8
+@@ -0,0 +1,127 @@
++.TH "plymouth_selinux" "8" "12-11-01" "plymouth" "SELinux Policy documentation for plymouth"
++.SH "NAME"
++plymouth_selinux \- Security Enhanced Linux Policy for the plymouth processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the plymouth processes via flexible mandatory access control.
++
++The plymouth processes execute with the plymouth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep plymouth_t
++
++
++.SH "ENTRYPOINTS"
++
++The plymouth_t SELinux type can be entered via the "plymouth_exec_t" file type. The default entrypoint paths for the plymouth_t domain are the following:"
++
++/bin/plymouth, /usr/bin/plymouth
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux plymouth policy is very flexible allowing users to setup their plymouth processes in as secure a method as possible.
++.PP
++The following process types are defined for plymouth:
++
++.EX
++.B plymouth_t, plymouthd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux plymouth policy is very flexible allowing users to setup their plymouth processes in as secure a method as possible.
++.PP
++The following file types are defined for plymouth:
++
++
++.EX
++.PP
++.B plymouth_exec_t
++.EE
++
++- Set files with the plymouth_exec_t type, if you want to transition an executable to the plymouth_t domain.
++
++
++.EX
++.PP
++.B plymouthd_exec_t
++.EE
++
++- Set files with the plymouthd_exec_t type, if you want to transition an executable to the plymouthd_t domain.
++
++
++.EX
++.PP
++.B plymouthd_spool_t
++.EE
++
++- Set files with the plymouthd_spool_t type, if you want to store the plymouthd files under the /var/spool directory.
++
++
++.EX
++.PP
++.B plymouthd_var_lib_t
++.EE
++
++- Set files with the plymouthd_var_lib_t type, if you want to store the plymouthd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B plymouthd_var_log_t
++.EE
++
++- Set files with the plymouthd_var_log_t type, if you want to treat the data as plymouthd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B plymouthd_var_run_t
++.EE
++
++- Set files with the plymouthd_var_run_t type, if you want to store the plymouthd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), plymouth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, plymouthd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/plymouthd_selinux.8 b/man/man8/plymouthd_selinux.8
+new file mode 100644
+index 0000000..8ddb343
+--- /dev/null
++++ b/man/man8/plymouthd_selinux.8
+@@ -0,0 +1,159 @@
++.TH "plymouthd_selinux" "8" "12-11-01" "plymouthd" "SELinux Policy documentation for plymouthd"
++.SH "NAME"
++plymouthd_selinux \- Security Enhanced Linux Policy for the plymouthd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the plymouthd processes via flexible mandatory access control.
++
++The plymouthd processes execute with the plymouthd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep plymouthd_t
++
++
++.SH "ENTRYPOINTS"
++
++The plymouthd_t SELinux type can be entered via the "plymouthd_exec_t" file type. The default entrypoint paths for the plymouthd_t domain are the following:"
++
++/sbin/plymouthd, /usr/sbin/plymouthd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux plymouthd policy is very flexible allowing users to setup their plymouthd processes in as secure a method as possible.
++.PP
++The following process types are defined for plymouthd:
++
++.EX
++.B plymouth_t, plymouthd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux plymouthd policy is very flexible allowing users to setup their plymouthd processes in as secure a method as possible.
++.PP
++The following file types are defined for plymouthd:
++
++
++.EX
++.PP
++.B plymouthd_exec_t
++.EE
++
++- Set files with the plymouthd_exec_t type, if you want to transition an executable to the plymouthd_t domain.
++
++
++.EX
++.PP
++.B plymouthd_spool_t
++.EE
++
++- Set files with the plymouthd_spool_t type, if you want to store the plymouthd files under the /var/spool directory.
++
++
++.EX
++.PP
++.B plymouthd_var_lib_t
++.EE
++
++- Set files with the plymouthd_var_lib_t type, if you want to store the plymouthd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B plymouthd_var_log_t
++.EE
++
++- Set files with the plymouthd_var_log_t type, if you want to treat the data as plymouthd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B plymouthd_var_run_t
++.EE
++
++- Set files with the plymouthd_var_run_t type, if you want to store the plymouthd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type plymouthd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B fonts_cache_t
++
++ /var/cache/fontconfig(/.*)?
++.br
++
++.br
++.B plymouthd_spool_t
++
++ /var/spool/plymouth(/.*)?
++.br
++
++.br
++.B plymouthd_var_lib_t
++
++ /var/lib/plymouth(/.*)?
++.br
++
++.br
++.B plymouthd_var_log_t
++
++ /var/log/boot\.log
++.br
++
++.br
++.B plymouthd_var_run_t
++
++ /var/run/plymouth(/.*)?
++.br
++
++.br
++.B xdm_spool_t
++
++ /var/spool/[mg]dm(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), plymouthd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, plymouth_selinux(8), plymouth_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/podsleuth_selinux.8 b/man/man8/podsleuth_selinux.8
+new file mode 100644
+index 0000000..5da1a9f
+--- /dev/null
++++ b/man/man8/podsleuth_selinux.8
+@@ -0,0 +1,128 @@
++.TH "podsleuth_selinux" "8" "12-11-01" "podsleuth" "SELinux Policy documentation for podsleuth"
++.SH "NAME"
++podsleuth_selinux \- Security Enhanced Linux Policy for the podsleuth processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the podsleuth processes via flexible mandatory access control.
++
++The podsleuth processes execute with the podsleuth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep podsleuth_t
++
++
++.SH "ENTRYPOINTS"
++
++The podsleuth_t SELinux type can be entered via the "podsleuth_exec_t" file type. The default entrypoint paths for the podsleuth_t domain are the following:"
++
++/usr/bin/podsleuth, /usr/libexec/hal-podsleuth
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux podsleuth policy is very flexible allowing users to setup their podsleuth processes in as secure a method as possible.
++.PP
++The following process types are defined for podsleuth:
++
++.EX
++.B podsleuth_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux podsleuth policy is very flexible allowing users to setup their podsleuth processes in as secure a method as possible.
++.PP
++The following file types are defined for podsleuth:
++
++
++.EX
++.PP
++.B podsleuth_cache_t
++.EE
++
++- Set files with the podsleuth_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B podsleuth_exec_t
++.EE
++
++- Set files with the podsleuth_exec_t type, if you want to transition an executable to the podsleuth_t domain.
++
++
++.EX
++.PP
++.B podsleuth_tmp_t
++.EE
++
++- Set files with the podsleuth_tmp_t type, if you want to store podsleuth temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B podsleuth_tmpfs_t
++.EE
++
++- Set files with the podsleuth_tmpfs_t type, if you want to store podsleuth files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type podsleuth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B podsleuth_cache_t
++
++ /var/cache/podsleuth(/.*)?
++.br
++
++.br
++.B podsleuth_tmp_t
++
++
++.br
++.B podsleuth_tmpfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), podsleuth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/policykit_auth_selinux.8 b/man/man8/policykit_auth_selinux.8
+new file mode 100644
+index 0000000..8e1e635
+--- /dev/null
++++ b/man/man8/policykit_auth_selinux.8
+@@ -0,0 +1,207 @@
++.TH "policykit_auth_selinux" "8" "12-11-01" "policykit_auth" "SELinux Policy documentation for policykit_auth"
++.SH "NAME"
++policykit_auth_selinux \- Security Enhanced Linux Policy for the policykit_auth processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the policykit_auth processes via flexible mandatory access control.
++
++The policykit_auth processes execute with the policykit_auth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep policykit_auth_t
++
++
++.SH "ENTRYPOINTS"
++
++The policykit_auth_t SELinux type can be entered via the "policykit_auth_exec_t" file type. The default entrypoint paths for the policykit_auth_t domain are the following:"
++
++/usr/libexec/polkit-read-auth-helper, /usr/lib/polkit-1/polkit-agent-helper-1, /usr/lib/policykit/polkit-read-auth-helper, /usr/libexec/polkit-1/polkit-agent-helper-1
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux policykit_auth policy is very flexible allowing users to setup their policykit_auth processes in as secure a method as possible.
++.PP
++The following process types are defined for policykit_auth:
++
++.EX
++.B policykit_auth_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux policykit_auth policy is very flexible allowing users to setup their policykit_auth processes in as secure a method as possible.
++.PP
++The following file types are defined for policykit_auth:
++
++
++.EX
++.PP
++.B policykit_auth_exec_t
++.EE
++
++- Set files with the policykit_auth_exec_t type, if you want to transition an executable to the policykit_auth_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type policykit_auth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B policykit_reload_t
++
++ /var/lib/misc/PolicyKit.reload
++.br
++
++.br
++.B policykit_tmp_t
++
++
++.br
++.B policykit_var_lib_t
++
++ /var/lib/polkit-1(/.*)?
++.br
++ /var/lib/PolicyKit(/.*)?
++.br
++ /var/lib/PolicyKit-public(/.*)?
++.br
++
++.br
++.B policykit_var_run_t
++
++ /var/run/PolicyKit(/.*)?
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B var_auth_t
++
++ /var/ace(/.*)?
++.br
++ /var/rsa(/.*)?
++.br
++ /var/lib/abl(/.*)?
++.br
++ /var/lib/rsa(/.*)?
++.br
++ /var/lib/pam_ssh(/.*)?
++.br
++ /var/run/pam_ssh(/.*)?
++.br
++ /var/lib/pam_shield(/.*)?
++.br
++ /var/lib/google-authenticator(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_auth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the policykit_auth_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), policykit_auth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, policykit_selinux(8), policykit_selinux(8), policykit_grant_selinux(8), policykit_resolve_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/policykit_grant_selinux.8 b/man/man8/policykit_grant_selinux.8
+new file mode 100644
+index 0000000..236cec7
+--- /dev/null
++++ b/man/man8/policykit_grant_selinux.8
+@@ -0,0 +1,157 @@
++.TH "policykit_grant_selinux" "8" "12-11-01" "policykit_grant" "SELinux Policy documentation for policykit_grant"
++.SH "NAME"
++policykit_grant_selinux \- Security Enhanced Linux Policy for the policykit_grant processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the policykit_grant processes via flexible mandatory access control.
++
++The policykit_grant processes execute with the policykit_grant_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep policykit_grant_t
++
++
++.SH "ENTRYPOINTS"
++
++The policykit_grant_t SELinux type can be entered via the "policykit_grant_exec_t" file type. The default entrypoint paths for the policykit_grant_t domain are the following:"
++
++/usr/libexec/polkit-grant-helper.*, /usr/lib/policykit/polkit-grant-helper.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux policykit_grant policy is very flexible allowing users to setup their policykit_grant processes in as secure a method as possible.
++.PP
++The following process types are defined for policykit_grant:
++
++.EX
++.B policykit_grant_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux policykit_grant policy is very flexible allowing users to setup their policykit_grant processes in as secure a method as possible.
++.PP
++The following file types are defined for policykit_grant:
++
++
++.EX
++.PP
++.B policykit_grant_exec_t
++.EE
++
++- Set files with the policykit_grant_exec_t type, if you want to transition an executable to the policykit_grant_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type policykit_grant_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B policykit_reload_t
++
++ /var/lib/misc/PolicyKit.reload
++.br
++
++.br
++.B policykit_var_lib_t
++
++ /var/lib/polkit-1(/.*)?
++.br
++ /var/lib/PolicyKit(/.*)?
++.br
++ /var/lib/PolicyKit-public(/.*)?
++.br
++
++.br
++.B policykit_var_run_t
++
++ /var/run/PolicyKit(/.*)?
++.br
++
++.br
++.B system_cronjob_var_lib_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_grant_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the policykit_grant_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), policykit_grant(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, policykit_selinux(8), policykit_selinux(8), policykit_auth_selinux(8), policykit_resolve_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/policykit_resolve_selinux.8 b/man/man8/policykit_resolve_selinux.8
+new file mode 100644
+index 0000000..103c687
+--- /dev/null
++++ b/man/man8/policykit_resolve_selinux.8
+@@ -0,0 +1,101 @@
++.TH "policykit_resolve_selinux" "8" "12-11-01" "policykit_resolve" "SELinux Policy documentation for policykit_resolve"
++.SH "NAME"
++policykit_resolve_selinux \- Security Enhanced Linux Policy for the policykit_resolve processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the policykit_resolve processes via flexible mandatory access control.
++
++The policykit_resolve processes execute with the policykit_resolve_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep policykit_resolve_t
++
++
++.SH "ENTRYPOINTS"
++
++The policykit_resolve_t SELinux type can be entered via the "policykit_resolve_exec_t" file type. The default entrypoint paths for the policykit_resolve_t domain are the following:"
++
++/usr/libexec/polkit-resolve-exe-helper.*, /usr/lib/policykit/polkit-resolve-exe-helper.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux policykit_resolve policy is very flexible allowing users to setup their policykit_resolve processes in as secure a method as possible.
++.PP
++The following process types are defined for policykit_resolve:
++
++.EX
++.B policykit_resolve_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux policykit_resolve policy is very flexible allowing users to setup their policykit_resolve processes in as secure a method as possible.
++.PP
++The following file types are defined for policykit_resolve:
++
++
++.EX
++.PP
++.B policykit_resolve_exec_t
++.EE
++
++- Set files with the policykit_resolve_exec_t type, if you want to transition an executable to the policykit_resolve_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_resolve_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the policykit_resolve_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), policykit_resolve(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, policykit_selinux(8), policykit_selinux(8), policykit_auth_selinux(8), policykit_grant_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/policykit_selinux.8 b/man/man8/policykit_selinux.8
+new file mode 100644
+index 0000000..62bd2e6
+--- /dev/null
++++ b/man/man8/policykit_selinux.8
+@@ -0,0 +1,213 @@
++.TH "policykit_selinux" "8" "12-11-01" "policykit" "SELinux Policy documentation for policykit"
++.SH "NAME"
++policykit_selinux \- Security Enhanced Linux Policy for the policykit processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the policykit processes via flexible mandatory access control.
++
++The policykit processes execute with the policykit_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep policykit_t
++
++
++.SH "ENTRYPOINTS"
++
++The policykit_t SELinux type can be entered via the "policykit_exec_t" file type. The default entrypoint paths for the policykit_t domain are the following:"
++
++/usr/libexec/polkitd.*, /usr/libexec/polkit-1/polkitd.*, /usr/lib/polkit-1/polkitd, /usr/lib/policykit/polkitd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux policykit policy is very flexible allowing users to setup their policykit processes in as secure a method as possible.
++.PP
++The following process types are defined for policykit:
++
++.EX
++.B policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux policykit policy is very flexible allowing users to setup their policykit processes in as secure a method as possible.
++.PP
++The following file types are defined for policykit:
++
++
++.EX
++.PP
++.B policykit_auth_exec_t
++.EE
++
++- Set files with the policykit_auth_exec_t type, if you want to transition an executable to the policykit_auth_t domain.
++
++
++.EX
++.PP
++.B policykit_exec_t
++.EE
++
++- Set files with the policykit_exec_t type, if you want to transition an executable to the policykit_t domain.
++
++
++.EX
++.PP
++.B policykit_grant_exec_t
++.EE
++
++- Set files with the policykit_grant_exec_t type, if you want to transition an executable to the policykit_grant_t domain.
++
++
++.EX
++.PP
++.B policykit_reload_t
++.EE
++
++- Set files with the policykit_reload_t type, if you want to treat the files as policykit reload data.
++
++
++.EX
++.PP
++.B policykit_resolve_exec_t
++.EE
++
++- Set files with the policykit_resolve_exec_t type, if you want to transition an executable to the policykit_resolve_t domain.
++
++
++.EX
++.PP
++.B policykit_tmp_t
++.EE
++
++- Set files with the policykit_tmp_t type, if you want to store policykit temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B policykit_var_lib_t
++.EE
++
++- Set files with the policykit_var_lib_t type, if you want to store the policykit files under the /var/lib directory.
++
++
++.EX
++.PP
++.B policykit_var_run_t
++.EE
++
++- Set files with the policykit_var_run_t type, if you want to store the policykit files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type policykit_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B policykit_reload_t
++
++ /var/lib/misc/PolicyKit.reload
++.br
++
++.br
++.B policykit_var_lib_t
++
++ /var/lib/polkit-1(/.*)?
++.br
++ /var/lib/PolicyKit(/.*)?
++.br
++ /var/lib/PolicyKit-public(/.*)?
++.br
++
++.br
++.B policykit_var_run_t
++
++ /var/run/PolicyKit(/.*)?
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), policykit(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, policykit_auth_selinux(8), policykit_grant_selinux(8), policykit_resolve_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/polipo_selinux.8 b/man/man8/polipo_selinux.8
+new file mode 100644
+index 0000000..47a11ed
+--- /dev/null
++++ b/man/man8/polipo_selinux.8
+@@ -0,0 +1,264 @@
++.TH "polipo_selinux" "8" "12-11-01" "polipo" "SELinux Policy documentation for polipo"
++.SH "NAME"
++polipo_selinux \- Security Enhanced Linux Policy for the polipo processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the polipo processes via flexible mandatory access control.
++
++The polipo processes execute with the polipo_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep polipo_t
++
++
++.SH "ENTRYPOINTS"
++
++The polipo_t SELinux type can be entered via the "polipo_exec_t" file type. The default entrypoint paths for the polipo_t domain are the following:"
++
++/usr/bin/polipo
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux polipo policy is very flexible allowing users to setup their polipo processes in as secure a method as possible.
++.PP
++The following process types are defined for polipo:
++
++.EX
++.B polipo_t, polipo_session_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. polipo policy is extremely flexible and has several booleans that allow you to manipulate the policy and run polipo with the tightest access possible.
++
++
++.PP
++If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean.
++
++.EX
++.B setsebool -P polipo_session_users 1
++.EE
++
++.PP
++If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean.
++
++.EX
++.B setsebool -P polipo_use_nfs 1
++.EE
++
++.PP
++If you want to determine whether polipo can access cifs file systems, you must turn on the polipo_use_cifs boolean.
++
++.EX
++.B setsebool -P polipo_use_cifs 1
++.EE
++
++.PP
++If you want to determine whether Polipo session daemon can bind tcp sockets to all unreserved ports, you must turn on the polipo_session_bind_all_unreserved_ports boolean.
++
++.EX
++.B setsebool -P polipo_session_bind_all_unreserved_ports 1
++.EE
++
++.PP
++If you want to allow polipo to connect to all ports > 1023, you must turn on the polipo_connect_all_unreserved boolean.
++
++.EX
++.B setsebool -P polipo_connect_all_unreserved 1
++.EE
++
++.PP
++If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean.
++
++.EX
++.B setsebool -P polipo_session_users 1
++.EE
++
++.PP
++If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean.
++
++.EX
++.B setsebool -P polipo_use_nfs 1
++.EE
++
++.PP
++If you want to determine whether polipo can access cifs file systems, you must turn on the polipo_use_cifs boolean.
++
++.EX
++.B setsebool -P polipo_use_cifs 1
++.EE
++
++.PP
++If you want to determine whether Polipo session daemon can bind tcp sockets to all unreserved ports, you must turn on the polipo_session_bind_all_unreserved_ports boolean.
++
++.EX
++.B setsebool -P polipo_session_bind_all_unreserved_ports 1
++.EE
++
++.PP
++If you want to allow polipo to connect to all ports > 1023, you must turn on the polipo_connect_all_unreserved boolean.
++
++.EX
++.B setsebool -P polipo_connect_all_unreserved 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux polipo policy is very flexible allowing users to setup their polipo processes in as secure a method as possible.
++.PP
++The following file types are defined for polipo:
++
++
++.EX
++.PP
++.B polipo_cache_home_t
++.EE
++
++- Set files with the polipo_cache_home_t type, if you want to store polipo cache files in the users home directory.
++
++
++.EX
++.PP
++.B polipo_cache_t
++.EE
++
++- Set files with the polipo_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B polipo_config_home_t
++.EE
++
++- Set files with the polipo_config_home_t type, if you want to store polipo config files in the users home directory.
++
++
++.EX
++.PP
++.B polipo_etc_t
++.EE
++
++- Set files with the polipo_etc_t type, if you want to store polipo files in the /etc directories.
++
++
++.EX
++.PP
++.B polipo_exec_t
++.EE
++
++- Set files with the polipo_exec_t type, if you want to transition an executable to the polipo_t domain.
++
++
++.EX
++.PP
++.B polipo_initrc_exec_t
++.EE
++
++- Set files with the polipo_initrc_exec_t type, if you want to transition an executable to the polipo_initrc_t domain.
++
++
++.EX
++.PP
++.B polipo_log_t
++.EE
++
++- Set files with the polipo_log_t type, if you want to treat the data as polipo log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B polipo_pid_t
++.EE
++
++- Set files with the polipo_pid_t type, if you want to store the polipo files under the /run directory.
++
++
++.EX
++.PP
++.B polipo_unit_file_t
++.EE
++
++- Set files with the polipo_unit_file_t type, if you want to treat the files as polipo unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type polipo_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B polipo_cache_t
++
++ /var/cache/polipo(/.*)?
++.br
++
++.br
++.B polipo_log_t
++
++ /var/log/polipo.*
++.br
++
++.br
++.B polipo_pid_t
++
++ /var/run/polipo(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the polipo_t, polipo_session_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the polipo_t, polipo_session_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), polipo(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/portmap_helper_selinux.8 b/man/man8/portmap_helper_selinux.8
+new file mode 100644
+index 0000000..8e59c47
+--- /dev/null
++++ b/man/man8/portmap_helper_selinux.8
+@@ -0,0 +1,125 @@
++.TH "portmap_helper_selinux" "8" "12-11-01" "portmap_helper" "SELinux Policy documentation for portmap_helper"
++.SH "NAME"
++portmap_helper_selinux \- Security Enhanced Linux Policy for the portmap_helper processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the portmap_helper processes via flexible mandatory access control.
++
++The portmap_helper processes execute with the portmap_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep portmap_helper_t
++
++
++.SH "ENTRYPOINTS"
++
++The portmap_helper_t SELinux type can be entered via the "portmap_helper_exec_t" file type. The default entrypoint paths for the portmap_helper_t domain are the following:"
++
++/usr/sbin/pmap_set, /usr/sbin/pmap_dump
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux portmap_helper policy is very flexible allowing users to setup their portmap_helper processes in as secure a method as possible.
++.PP
++The following process types are defined for portmap_helper:
++
++.EX
++.B portmap_helper_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux portmap_helper policy is very flexible allowing users to setup their portmap_helper processes in as secure a method as possible.
++.PP
++The following file types are defined for portmap_helper:
++
++
++.EX
++.PP
++.B portmap_helper_exec_t
++.EE
++
++- Set files with the portmap_helper_exec_t type, if you want to transition an executable to the portmap_helper_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type portmap_helper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B portmap_var_run_t
++
++ /var/run/portmap\.upgrade-state
++.br
++
++.br
++.B var_run_t
++
++ /run/.*
++.br
++ /var/run/.*
++.br
++ /run
++.br
++ /var/run
++.br
++ /var/run
++.br
++ /var/spool/postfix/pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), portmap_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, portmap_selinux(8), portmap_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/portmap_selinux.8 b/man/man8/portmap_selinux.8
+new file mode 100644
+index 0000000..6c4bbc4
+--- /dev/null
++++ b/man/man8/portmap_selinux.8
+@@ -0,0 +1,188 @@
++.TH "portmap_selinux" "8" "12-11-01" "portmap" "SELinux Policy documentation for portmap"
++.SH "NAME"
++portmap_selinux \- Security Enhanced Linux Policy for the portmap processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the portmap processes via flexible mandatory access control.
++
++The portmap processes execute with the portmap_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep portmap_t
++
++
++.SH "ENTRYPOINTS"
++
++The portmap_t SELinux type can be entered via the "portmap_exec_t" file type. The default entrypoint paths for the portmap_t domain are the following:"
++
++/sbin/portmap, /usr/sbin/portmap
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux portmap policy is very flexible allowing users to setup their portmap processes in as secure a method as possible.
++.PP
++The following process types are defined for portmap:
++
++.EX
++.B portmap_helper_t, portmap_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. portmap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run portmap with the tightest access possible.
++
++
++.PP
++If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean.
++
++.EX
++.B setsebool -P samba_portmapper 1
++.EE
++
++.PP
++If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean.
++
++.EX
++.B setsebool -P samba_portmapper 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux portmap policy is very flexible allowing users to setup their portmap processes in as secure a method as possible.
++.PP
++The following file types are defined for portmap:
++
++
++.EX
++.PP
++.B portmap_exec_t
++.EE
++
++- Set files with the portmap_exec_t type, if you want to transition an executable to the portmap_t domain.
++
++
++.EX
++.PP
++.B portmap_helper_exec_t
++.EE
++
++- Set files with the portmap_helper_exec_t type, if you want to transition an executable to the portmap_helper_t domain.
++
++
++.EX
++.PP
++.B portmap_tmp_t
++.EE
++
++- Set files with the portmap_tmp_t type, if you want to store portmap temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B portmap_var_run_t
++.EE
++
++- Set files with the portmap_var_run_t type, if you want to store the portmap files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux portmap policy is very flexible allowing users to setup their portmap processes in as secure a method as possible.
++.PP
++The following port types are defined for portmap:
++
++.EX
++.TP 5
++.B portmap_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 111
++.EE
++udp 111
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type portmap_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B portmap_tmp_t
++
++
++.br
++.B portmap_var_run_t
++
++ /var/run/portmap\.upgrade-state
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the portmap_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the portmap_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), portmap(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), portmap_helper_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/portreserve_selinux.8 b/man/man8/portreserve_selinux.8
+new file mode 100644
+index 0000000..af478cb
+--- /dev/null
++++ b/man/man8/portreserve_selinux.8
+@@ -0,0 +1,120 @@
++.TH "portreserve_selinux" "8" "12-11-01" "portreserve" "SELinux Policy documentation for portreserve"
++.SH "NAME"
++portreserve_selinux \- Security Enhanced Linux Policy for the portreserve processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the portreserve processes via flexible mandatory access control.
++
++The portreserve processes execute with the portreserve_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep portreserve_t
++
++
++.SH "ENTRYPOINTS"
++
++The portreserve_t SELinux type can be entered via the "portreserve_exec_t" file type. The default entrypoint paths for the portreserve_t domain are the following:"
++
++/sbin/portreserve, /usr/sbin/portreserve
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux portreserve policy is very flexible allowing users to setup their portreserve processes in as secure a method as possible.
++.PP
++The following process types are defined for portreserve:
++
++.EX
++.B portreserve_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux portreserve policy is very flexible allowing users to setup their portreserve processes in as secure a method as possible.
++.PP
++The following file types are defined for portreserve:
++
++
++.EX
++.PP
++.B portreserve_etc_t
++.EE
++
++- Set files with the portreserve_etc_t type, if you want to store portreserve files in the /etc directories.
++
++
++.EX
++.PP
++.B portreserve_exec_t
++.EE
++
++- Set files with the portreserve_exec_t type, if you want to transition an executable to the portreserve_t domain.
++
++
++.EX
++.PP
++.B portreserve_initrc_exec_t
++.EE
++
++- Set files with the portreserve_initrc_exec_t type, if you want to transition an executable to the portreserve_initrc_t domain.
++
++
++.EX
++.PP
++.B portreserve_var_run_t
++.EE
++
++- Set files with the portreserve_var_run_t type, if you want to store the portreserve files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type portreserve_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B portreserve_var_run_t
++
++ /var/run/portreserve(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), portreserve(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/postfix_bounce_selinux.8 b/man/man8/postfix_bounce_selinux.8
+new file mode 100644
+index 0000000..c0a0f25
+--- /dev/null
++++ b/man/man8/postfix_bounce_selinux.8
+@@ -0,0 +1,149 @@
++.TH "postfix_bounce_selinux" "8" "12-11-01" "postfix_bounce" "SELinux Policy documentation for postfix_bounce"
++.SH "NAME"
++postfix_bounce_selinux \- Security Enhanced Linux Policy for the postfix_bounce processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postfix_bounce processes via flexible mandatory access control.
++
++The postfix_bounce processes execute with the postfix_bounce_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postfix_bounce_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_bounce_t SELinux type can be entered via the "postfix_bounce_exec_t" file type. The default entrypoint paths for the postfix_bounce_t domain are the following:"
++
++/usr/libexec/postfix/bounce
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postfix_bounce policy is very flexible allowing users to setup their postfix_bounce processes in as secure a method as possible.
++.PP
++The following process types are defined for postfix_bounce:
++
++.EX
++.B postfix_bounce_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postfix_bounce policy is very flexible allowing users to setup their postfix_bounce processes in as secure a method as possible.
++.PP
++The following file types are defined for postfix_bounce:
++
++
++.EX
++.PP
++.B postfix_bounce_exec_t
++.EE
++
++- Set files with the postfix_bounce_exec_t type, if you want to transition an executable to the postfix_bounce_t domain.
++
++
++.EX
++.PP
++.B postfix_bounce_tmp_t
++.EE
++
++- Set files with the postfix_bounce_tmp_t type, if you want to store postfix bounce temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type postfix_bounce_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B postfix_bounce_tmp_t
++
++
++.br
++.B postfix_spool_bounce_t
++
++ /var/spool/postfix/bounce(/.*)?
++.br
++
++.br
++.B postfix_spool_maildrop_t
++
++ /var/spool/postfix/defer(/.*)?
++.br
++ /var/spool/postfix/deferred(/.*)?
++.br
++ /var/spool/postfix/maildrop(/.*)?
++.br
++
++.br
++.B postfix_spool_t
++
++ /var/spool/postfix.*
++.br
++
++.br
++.B postfix_var_run_t
++
++ /var/spool/postfix/pid/.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_bounce_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_bounce_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postfix_bounce(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/postfix_cleanup_selinux.8 b/man/man8/postfix_cleanup_selinux.8
+new file mode 100644
+index 0000000..615ab43
+--- /dev/null
++++ b/man/man8/postfix_cleanup_selinux.8
+@@ -0,0 +1,133 @@
++.TH "postfix_cleanup_selinux" "8" "12-11-01" "postfix_cleanup" "SELinux Policy documentation for postfix_cleanup"
++.SH "NAME"
++postfix_cleanup_selinux \- Security Enhanced Linux Policy for the postfix_cleanup processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postfix_cleanup processes via flexible mandatory access control.
++
++The postfix_cleanup processes execute with the postfix_cleanup_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postfix_cleanup_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_cleanup_t SELinux type can be entered via the "postfix_cleanup_exec_t" file type. The default entrypoint paths for the postfix_cleanup_t domain are the following:"
++
++/usr/libexec/postfix/cleanup
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postfix_cleanup policy is very flexible allowing users to setup their postfix_cleanup processes in as secure a method as possible.
++.PP
++The following process types are defined for postfix_cleanup:
++
++.EX
++.B postfix_cleanup_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postfix_cleanup policy is very flexible allowing users to setup their postfix_cleanup processes in as secure a method as possible.
++.PP
++The following file types are defined for postfix_cleanup:
++
++
++.EX
++.PP
++.B postfix_cleanup_exec_t
++.EE
++
++- Set files with the postfix_cleanup_exec_t type, if you want to transition an executable to the postfix_cleanup_t domain.
++
++
++.EX
++.PP
++.B postfix_cleanup_tmp_t
++.EE
++
++- Set files with the postfix_cleanup_tmp_t type, if you want to store postfix cleanup temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type postfix_cleanup_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B postfix_cleanup_tmp_t
++
++
++.br
++.B postfix_spool_t
++
++ /var/spool/postfix.*
++.br
++
++.br
++.B postfix_var_run_t
++
++ /var/spool/postfix/pid/.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_cleanup_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_cleanup_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postfix_cleanup(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, postfix_bounce_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/postfix_local_selinux.8 b/man/man8/postfix_local_selinux.8
+new file mode 100644
+index 0000000..6e24730
+--- /dev/null
++++ b/man/man8/postfix_local_selinux.8
+@@ -0,0 +1,212 @@
++.TH "postfix_local_selinux" "8" "12-11-01" "postfix_local" "SELinux Policy documentation for postfix_local"
++.SH "NAME"
++postfix_local_selinux \- Security Enhanced Linux Policy for the postfix_local processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postfix_local processes via flexible mandatory access control.
++
++The postfix_local processes execute with the postfix_local_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postfix_local_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_local_t SELinux type can be entered via the "postfix_local_exec_t" file type. The default entrypoint paths for the postfix_local_t domain are the following:"
++
++/usr/libexec/postfix/local
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postfix_local policy is very flexible allowing users to setup their postfix_local processes in as secure a method as possible.
++.PP
++The following process types are defined for postfix_local:
++
++.EX
++.B postfix_local_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. postfix_local policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_local with the tightest access possible.
++
++
++.PP
++If you want to allow postfix_local domain full write access to mail_spool directories, you must turn on the postfix_local_write_mail_spool boolean.
++
++.EX
++.B setsebool -P postfix_local_write_mail_spool 1
++.EE
++
++.PP
++If you want to allow postfix_local domain full write access to mail_spool directories, you must turn on the postfix_local_write_mail_spool boolean.
++
++.EX
++.B setsebool -P postfix_local_write_mail_spool 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postfix_local policy is very flexible allowing users to setup their postfix_local processes in as secure a method as possible.
++.PP
++The following file types are defined for postfix_local:
++
++
++.EX
++.PP
++.B postfix_local_exec_t
++.EE
++
++- Set files with the postfix_local_exec_t type, if you want to transition an executable to the postfix_local_t domain.
++
++
++.EX
++.PP
++.B postfix_local_tmp_t
++.EE
++
++- Set files with the postfix_local_tmp_t type, if you want to store postfix local temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type postfix_local_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B dovecot_spool_t
++
++ /var/spool/dovecot(/.*)?
++.br
++
++.br
++.B mail_home_rw_t
++
++ /root/Maildir(/.*)?
++.br
++ /home/[^/]*/Maildir(/.*)?
++.br
++ /home/dwalsh/Maildir(/.*)?
++.br
++ /var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.br
++.B mailman_data_t
++
++ /etc/mailman.*
++.br
++ /var/lib/mailman.*
++.br
++ /var/spool/mailman.*
++.br
++
++.br
++.B postfix_local_tmp_t
++
++
++.br
++.B postfix_spool_maildrop_t
++
++ /var/spool/postfix/defer(/.*)?
++.br
++ /var/spool/postfix/deferred(/.*)?
++.br
++ /var/spool/postfix/maildrop(/.*)?
++.br
++
++.br
++.B postfix_spool_t
++
++ /var/spool/postfix.*
++.br
++
++.br
++.B postfix_var_run_t
++
++ /var/spool/postfix/pid/.*
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_local_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_local_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postfix_local(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/postfix_map_selinux.8 b/man/man8/postfix_map_selinux.8
+new file mode 100644
+index 0000000..f1b2f03
+--- /dev/null
++++ b/man/man8/postfix_map_selinux.8
+@@ -0,0 +1,133 @@
++.TH "postfix_map_selinux" "8" "12-11-01" "postfix_map" "SELinux Policy documentation for postfix_map"
++.SH "NAME"
++postfix_map_selinux \- Security Enhanced Linux Policy for the postfix_map processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postfix_map processes via flexible mandatory access control.
++
++The postfix_map processes execute with the postfix_map_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postfix_map_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_map_t SELinux type can be entered via the "postfix_map_exec_t" file type. The default entrypoint paths for the postfix_map_t domain are the following:"
++
++/usr/sbin/postmap
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postfix_map policy is very flexible allowing users to setup their postfix_map processes in as secure a method as possible.
++.PP
++The following process types are defined for postfix_map:
++
++.EX
++.B postfix_map_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postfix_map policy is very flexible allowing users to setup their postfix_map processes in as secure a method as possible.
++.PP
++The following file types are defined for postfix_map:
++
++
++.EX
++.PP
++.B postfix_map_exec_t
++.EE
++
++- Set files with the postfix_map_exec_t type, if you want to transition an executable to the postfix_map_t domain.
++
++
++.EX
++.PP
++.B postfix_map_tmp_t
++.EE
++
++- Set files with the postfix_map_tmp_t type, if you want to store postfix map temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type postfix_map_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mailman_data_t
++
++ /etc/mailman.*
++.br
++ /var/lib/mailman.*
++.br
++ /var/spool/mailman.*
++.br
++
++.br
++.B postfix_etc_t
++
++ /etc/postfix.*
++.br
++
++.br
++.B postfix_map_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_map_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_map_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postfix_map(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/postfix_master_selinux.8 b/man/man8/postfix_master_selinux.8
+new file mode 100644
+index 0000000..feb9a1e
+--- /dev/null
++++ b/man/man8/postfix_master_selinux.8
+@@ -0,0 +1,177 @@
++.TH "postfix_master_selinux" "8" "12-11-01" "postfix_master" "SELinux Policy documentation for postfix_master"
++.SH "NAME"
++postfix_master_selinux \- Security Enhanced Linux Policy for the postfix_master processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postfix_master processes via flexible mandatory access control.
++
++The postfix_master processes execute with the postfix_master_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postfix_master_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_master_t SELinux type can be entered via the "postfix_master_exec_t" file type. The default entrypoint paths for the postfix_master_t domain are the following:"
++
++/usr/sbin/postcat, /usr/sbin/postfix, /usr/sbin/postlog, /usr/sbin/postkick, /usr/sbin/postlock, /usr/sbin/postalias, /usr/sbin/postsuper, /usr/libexec/postfix/master
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postfix_master policy is very flexible allowing users to setup their postfix_master processes in as secure a method as possible.
++.PP
++The following process types are defined for postfix_master:
++
++.EX
++.B postfix_master_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postfix_master policy is very flexible allowing users to setup their postfix_master processes in as secure a method as possible.
++.PP
++The following file types are defined for postfix_master:
++
++
++.EX
++.PP
++.B postfix_master_exec_t
++.EE
++
++- Set files with the postfix_master_exec_t type, if you want to transition an executable to the postfix_master_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type postfix_master_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B etc_aliases_t
++
++ /etc/mail/aliases.*
++.br
++ /etc/postfix/aliases.*
++.br
++ /etc/aliases
++.br
++ /etc/aliases\.db
++.br
++
++.br
++.B mailman_data_t
++
++ /etc/mailman.*
++.br
++ /var/lib/mailman.*
++.br
++ /var/spool/mailman.*
++.br
++
++.br
++.B postfix_data_t
++
++ /var/lib/postfix.*
++.br
++
++.br
++.B postfix_etc_t
++
++ /etc/postfix.*
++.br
++
++.br
++.B postfix_prng_t
++
++ /etc/postfix/prng_exch
++.br
++
++.br
++.B postfix_spool_flush_t
++
++ /var/spool/postfix/flush(/.*)?
++.br
++
++.br
++.B postfix_spool_maildrop_t
++
++ /var/spool/postfix/defer(/.*)?
++.br
++ /var/spool/postfix/deferred(/.*)?
++.br
++ /var/spool/postfix/maildrop(/.*)?
++.br
++
++.br
++.B postfix_spool_t
++
++ /var/spool/postfix.*
++.br
++
++.br
++.B postfix_var_run_t
++
++ /var/spool/postfix/pid/.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_master_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_master_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postfix_master(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/postfix_pickup_selinux.8 b/man/man8/postfix_pickup_selinux.8
+new file mode 100644
+index 0000000..4db315f
+--- /dev/null
++++ b/man/man8/postfix_pickup_selinux.8
+@@ -0,0 +1,127 @@
++.TH "postfix_pickup_selinux" "8" "12-11-01" "postfix_pickup" "SELinux Policy documentation for postfix_pickup"
++.SH "NAME"
++postfix_pickup_selinux \- Security Enhanced Linux Policy for the postfix_pickup processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postfix_pickup processes via flexible mandatory access control.
++
++The postfix_pickup processes execute with the postfix_pickup_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postfix_pickup_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_pickup_t SELinux type can be entered via the "postfix_pickup_exec_t" file type. The default entrypoint paths for the postfix_pickup_t domain are the following:"
++
++/usr/libexec/postfix/pickup
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postfix_pickup policy is very flexible allowing users to setup their postfix_pickup processes in as secure a method as possible.
++.PP
++The following process types are defined for postfix_pickup:
++
++.EX
++.B postfix_pickup_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postfix_pickup policy is very flexible allowing users to setup their postfix_pickup processes in as secure a method as possible.
++.PP
++The following file types are defined for postfix_pickup:
++
++
++.EX
++.PP
++.B postfix_pickup_exec_t
++.EE
++
++- Set files with the postfix_pickup_exec_t type, if you want to transition an executable to the postfix_pickup_t domain.
++
++
++.EX
++.PP
++.B postfix_pickup_tmp_t
++.EE
++
++- Set files with the postfix_pickup_tmp_t type, if you want to store postfix pickup temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type postfix_pickup_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B postfix_pickup_tmp_t
++
++
++.br
++.B postfix_var_run_t
++
++ /var/spool/postfix/pid/.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_pickup_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_pickup_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postfix_pickup(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/postfix_pipe_selinux.8 b/man/man8/postfix_pipe_selinux.8
+new file mode 100644
+index 0000000..0fc0351
+--- /dev/null
++++ b/man/man8/postfix_pipe_selinux.8
+@@ -0,0 +1,143 @@
++.TH "postfix_pipe_selinux" "8" "12-11-01" "postfix_pipe" "SELinux Policy documentation for postfix_pipe"
++.SH "NAME"
++postfix_pipe_selinux \- Security Enhanced Linux Policy for the postfix_pipe processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postfix_pipe processes via flexible mandatory access control.
++
++The postfix_pipe processes execute with the postfix_pipe_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postfix_pipe_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_pipe_t SELinux type can be entered via the "postfix_pipe_exec_t" file type. The default entrypoint paths for the postfix_pipe_t domain are the following:"
++
++/usr/libexec/postfix/pipe
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postfix_pipe policy is very flexible allowing users to setup their postfix_pipe processes in as secure a method as possible.
++.PP
++The following process types are defined for postfix_pipe:
++
++.EX
++.B postfix_pipe_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postfix_pipe policy is very flexible allowing users to setup their postfix_pipe processes in as secure a method as possible.
++.PP
++The following file types are defined for postfix_pipe:
++
++
++.EX
++.PP
++.B postfix_pipe_exec_t
++.EE
++
++- Set files with the postfix_pipe_exec_t type, if you want to transition an executable to the postfix_pipe_t domain.
++
++
++.EX
++.PP
++.B postfix_pipe_tmp_t
++.EE
++
++- Set files with the postfix_pipe_tmp_t type, if you want to store postfix pipe temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type postfix_pipe_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.br
++.B postfix_pipe_tmp_t
++
++
++.br
++.B postfix_spool_t
++
++ /var/spool/postfix.*
++.br
++
++.br
++.B postfix_var_run_t
++
++ /var/spool/postfix/pid/.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_pipe_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_pipe_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postfix_pipe(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/postfix_postdrop_selinux.8 b/man/man8/postfix_postdrop_selinux.8
+new file mode 100644
+index 0000000..e6877f7
+--- /dev/null
++++ b/man/man8/postfix_postdrop_selinux.8
+@@ -0,0 +1,137 @@
++.TH "postfix_postdrop_selinux" "8" "12-11-01" "postfix_postdrop" "SELinux Policy documentation for postfix_postdrop"
++.SH "NAME"
++postfix_postdrop_selinux \- Security Enhanced Linux Policy for the postfix_postdrop processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postfix_postdrop processes via flexible mandatory access control.
++
++The postfix_postdrop processes execute with the postfix_postdrop_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postfix_postdrop_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_postdrop_t SELinux type can be entered via the "postfix_postdrop_exec_t" file type. The default entrypoint paths for the postfix_postdrop_t domain are the following:"
++
++/usr/sbin/postdrop
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postfix_postdrop policy is very flexible allowing users to setup their postfix_postdrop processes in as secure a method as possible.
++.PP
++The following process types are defined for postfix_postdrop:
++
++.EX
++.B postfix_postdrop_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postfix_postdrop policy is very flexible allowing users to setup their postfix_postdrop processes in as secure a method as possible.
++.PP
++The following file types are defined for postfix_postdrop:
++
++
++.EX
++.PP
++.B postfix_postdrop_exec_t
++.EE
++
++- Set files with the postfix_postdrop_exec_t type, if you want to transition an executable to the postfix_postdrop_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type postfix_postdrop_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B arpwatch_tmp_t
++
++
++.br
++.B postfix_spool_maildrop_t
++
++ /var/spool/postfix/defer(/.*)?
++.br
++ /var/spool/postfix/deferred(/.*)?
++.br
++ /var/spool/postfix/maildrop(/.*)?
++.br
++
++.br
++.B postfix_var_run_t
++
++ /var/spool/postfix/pid/.*
++.br
++
++.br
++.B uucpd_spool_t
++
++ /var/spool/uucp(/.*)?
++.br
++ /var/spool/uucppublic(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_postdrop_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_postdrop_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postfix_postdrop(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/postfix_postqueue_selinux.8 b/man/man8/postfix_postqueue_selinux.8
+new file mode 100644
+index 0000000..7b40ff1
+--- /dev/null
++++ b/man/man8/postfix_postqueue_selinux.8
+@@ -0,0 +1,119 @@
++.TH "postfix_postqueue_selinux" "8" "12-11-01" "postfix_postqueue" "SELinux Policy documentation for postfix_postqueue"
++.SH "NAME"
++postfix_postqueue_selinux \- Security Enhanced Linux Policy for the postfix_postqueue processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postfix_postqueue processes via flexible mandatory access control.
++
++The postfix_postqueue processes execute with the postfix_postqueue_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postfix_postqueue_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_postqueue_t SELinux type can be entered via the "postfix_postqueue_exec_t" file type. The default entrypoint paths for the postfix_postqueue_t domain are the following:"
++
++/usr/sbin/postqueue
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postfix_postqueue policy is very flexible allowing users to setup their postfix_postqueue processes in as secure a method as possible.
++.PP
++The following process types are defined for postfix_postqueue:
++
++.EX
++.B postfix_postqueue_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postfix_postqueue policy is very flexible allowing users to setup their postfix_postqueue processes in as secure a method as possible.
++.PP
++The following file types are defined for postfix_postqueue:
++
++
++.EX
++.PP
++.B postfix_postqueue_exec_t
++.EE
++
++- Set files with the postfix_postqueue_exec_t type, if you want to transition an executable to the postfix_postqueue_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type postfix_postqueue_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B arpwatch_tmp_t
++
++
++.br
++.B postfix_var_run_t
++
++ /var/spool/postfix/pid/.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_postqueue_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_postqueue_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postfix_postqueue(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/postfix_qmgr_selinux.8 b/man/man8/postfix_qmgr_selinux.8
+new file mode 100644
+index 0000000..0cdebf4
+--- /dev/null
++++ b/man/man8/postfix_qmgr_selinux.8
+@@ -0,0 +1,143 @@
++.TH "postfix_qmgr_selinux" "8" "12-11-01" "postfix_qmgr" "SELinux Policy documentation for postfix_qmgr"
++.SH "NAME"
++postfix_qmgr_selinux \- Security Enhanced Linux Policy for the postfix_qmgr processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postfix_qmgr processes via flexible mandatory access control.
++
++The postfix_qmgr processes execute with the postfix_qmgr_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postfix_qmgr_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_qmgr_t SELinux type can be entered via the "postfix_qmgr_exec_t" file type. The default entrypoint paths for the postfix_qmgr_t domain are the following:"
++
++/usr/libexec/postfix/(n)?qmgr
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postfix_qmgr policy is very flexible allowing users to setup their postfix_qmgr processes in as secure a method as possible.
++.PP
++The following process types are defined for postfix_qmgr:
++
++.EX
++.B postfix_qmgr_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postfix_qmgr policy is very flexible allowing users to setup their postfix_qmgr processes in as secure a method as possible.
++.PP
++The following file types are defined for postfix_qmgr:
++
++
++.EX
++.PP
++.B postfix_qmgr_exec_t
++.EE
++
++- Set files with the postfix_qmgr_exec_t type, if you want to transition an executable to the postfix_qmgr_t domain.
++
++
++.EX
++.PP
++.B postfix_qmgr_tmp_t
++.EE
++
++- Set files with the postfix_qmgr_tmp_t type, if you want to store postfix qmgr temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type postfix_qmgr_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B postfix_qmgr_tmp_t
++
++
++.br
++.B postfix_spool_maildrop_t
++
++ /var/spool/postfix/defer(/.*)?
++.br
++ /var/spool/postfix/deferred(/.*)?
++.br
++ /var/spool/postfix/maildrop(/.*)?
++.br
++
++.br
++.B postfix_spool_t
++
++ /var/spool/postfix.*
++.br
++
++.br
++.B postfix_var_run_t
++
++ /var/spool/postfix/pid/.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_qmgr_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_qmgr_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postfix_qmgr(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/postfix_showq_selinux.8 b/man/man8/postfix_showq_selinux.8
+new file mode 100644
+index 0000000..06cde29
+--- /dev/null
++++ b/man/man8/postfix_showq_selinux.8
+@@ -0,0 +1,115 @@
++.TH "postfix_showq_selinux" "8" "12-11-01" "postfix_showq" "SELinux Policy documentation for postfix_showq"
++.SH "NAME"
++postfix_showq_selinux \- Security Enhanced Linux Policy for the postfix_showq processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postfix_showq processes via flexible mandatory access control.
++
++The postfix_showq processes execute with the postfix_showq_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postfix_showq_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_showq_t SELinux type can be entered via the "postfix_showq_exec_t" file type. The default entrypoint paths for the postfix_showq_t domain are the following:"
++
++/usr/libexec/postfix/showq
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postfix_showq policy is very flexible allowing users to setup their postfix_showq processes in as secure a method as possible.
++.PP
++The following process types are defined for postfix_showq:
++
++.EX
++.B postfix_showq_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postfix_showq policy is very flexible allowing users to setup their postfix_showq processes in as secure a method as possible.
++.PP
++The following file types are defined for postfix_showq:
++
++
++.EX
++.PP
++.B postfix_showq_exec_t
++.EE
++
++- Set files with the postfix_showq_exec_t type, if you want to transition an executable to the postfix_showq_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type postfix_showq_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B postfix_var_run_t
++
++ /var/spool/postfix/pid/.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_showq_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_showq_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postfix_showq(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/postfix_smtp_selinux.8 b/man/man8/postfix_smtp_selinux.8
+new file mode 100644
+index 0000000..d10b079
+--- /dev/null
++++ b/man/man8/postfix_smtp_selinux.8
+@@ -0,0 +1,165 @@
++.TH "postfix_smtp_selinux" "8" "12-11-01" "postfix_smtp" "SELinux Policy documentation for postfix_smtp"
++.SH "NAME"
++postfix_smtp_selinux \- Security Enhanced Linux Policy for the postfix_smtp processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postfix_smtp processes via flexible mandatory access control.
++
++The postfix_smtp processes execute with the postfix_smtp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postfix_smtp_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_smtp_t SELinux type can be entered via the "postfix_smtp_exec_t" file type. The default entrypoint paths for the postfix_smtp_t domain are the following:"
++
++/usr/libexec/postfix/lmtp, /usr/libexec/postfix/smtp, /usr/libexec/postfix/scache
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postfix_smtp policy is very flexible allowing users to setup their postfix_smtp processes in as secure a method as possible.
++.PP
++The following process types are defined for postfix_smtp:
++
++.EX
++.B postfix_smtpd_t, postfix_smtp_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postfix_smtp policy is very flexible allowing users to setup their postfix_smtp processes in as secure a method as possible.
++.PP
++The following file types are defined for postfix_smtp:
++
++
++.EX
++.PP
++.B postfix_smtp_exec_t
++.EE
++
++- Set files with the postfix_smtp_exec_t type, if you want to transition an executable to the postfix_smtp_t domain.
++
++
++.EX
++.PP
++.B postfix_smtp_tmp_t
++.EE
++
++- Set files with the postfix_smtp_tmp_t type, if you want to store postfix smtp temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B postfix_smtpd_exec_t
++.EE
++
++- Set files with the postfix_smtpd_exec_t type, if you want to transition an executable to the postfix_smtpd_t domain.
++
++
++.EX
++.PP
++.B postfix_smtpd_tmp_t
++.EE
++
++- Set files with the postfix_smtpd_tmp_t type, if you want to store postfix smtpd temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type postfix_smtp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B postfix_prng_t
++
++ /etc/postfix/prng_exch
++.br
++
++.br
++.B postfix_smtp_tmp_t
++
++
++.br
++.B postfix_spool_maildrop_t
++
++ /var/spool/postfix/defer(/.*)?
++.br
++ /var/spool/postfix/deferred(/.*)?
++.br
++ /var/spool/postfix/maildrop(/.*)?
++.br
++
++.br
++.B postfix_spool_t
++
++ /var/spool/postfix.*
++.br
++
++.br
++.B postfix_var_run_t
++
++ /var/spool/postfix/pid/.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_smtpd_t, postfix_smtp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_smtpd_t, postfix_smtp_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postfix_smtp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/postfix_smtpd_selinux.8 b/man/man8/postfix_smtpd_selinux.8
+new file mode 100644
+index 0000000..45ad26e
+--- /dev/null
++++ b/man/man8/postfix_smtpd_selinux.8
+@@ -0,0 +1,139 @@
++.TH "postfix_smtpd_selinux" "8" "12-11-01" "postfix_smtpd" "SELinux Policy documentation for postfix_smtpd"
++.SH "NAME"
++postfix_smtpd_selinux \- Security Enhanced Linux Policy for the postfix_smtpd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postfix_smtpd processes via flexible mandatory access control.
++
++The postfix_smtpd processes execute with the postfix_smtpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postfix_smtpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_smtpd_t SELinux type can be entered via the "postfix_smtpd_exec_t" file type. The default entrypoint paths for the postfix_smtpd_t domain are the following:"
++
++/usr/libexec/postfix/smtpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postfix_smtpd policy is very flexible allowing users to setup their postfix_smtpd processes in as secure a method as possible.
++.PP
++The following process types are defined for postfix_smtpd:
++
++.EX
++.B postfix_smtpd_t, postfix_smtp_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postfix_smtpd policy is very flexible allowing users to setup their postfix_smtpd processes in as secure a method as possible.
++.PP
++The following file types are defined for postfix_smtpd:
++
++
++.EX
++.PP
++.B postfix_smtpd_exec_t
++.EE
++
++- Set files with the postfix_smtpd_exec_t type, if you want to transition an executable to the postfix_smtpd_t domain.
++
++
++.EX
++.PP
++.B postfix_smtpd_tmp_t
++.EE
++
++- Set files with the postfix_smtpd_tmp_t type, if you want to store postfix smtpd temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type postfix_smtpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B postfix_prng_t
++
++ /etc/postfix/prng_exch
++.br
++
++.br
++.B postfix_smtpd_tmp_t
++
++
++.br
++.B postfix_spool_t
++
++ /var/spool/postfix.*
++.br
++
++.br
++.B postfix_var_run_t
++
++ /var/spool/postfix/pid/.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_smtpd_t, postfix_smtp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_smtpd_t, postfix_smtp_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postfix_smtpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtp_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/postfix_virtual_selinux.8 b/man/man8/postfix_virtual_selinux.8
+new file mode 100644
+index 0000000..c58fbd2
+--- /dev/null
++++ b/man/man8/postfix_virtual_selinux.8
+@@ -0,0 +1,165 @@
++.TH "postfix_virtual_selinux" "8" "12-11-01" "postfix_virtual" "SELinux Policy documentation for postfix_virtual"
++.SH "NAME"
++postfix_virtual_selinux \- Security Enhanced Linux Policy for the postfix_virtual processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postfix_virtual processes via flexible mandatory access control.
++
++The postfix_virtual processes execute with the postfix_virtual_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postfix_virtual_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_virtual_t SELinux type can be entered via the "postfix_virtual_exec_t" file type. The default entrypoint paths for the postfix_virtual_t domain are the following:"
++
++/usr/libexec/postfix/virtual
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postfix_virtual policy is very flexible allowing users to setup their postfix_virtual processes in as secure a method as possible.
++.PP
++The following process types are defined for postfix_virtual:
++
++.EX
++.B postfix_virtual_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postfix_virtual policy is very flexible allowing users to setup their postfix_virtual processes in as secure a method as possible.
++.PP
++The following file types are defined for postfix_virtual:
++
++
++.EX
++.PP
++.B postfix_virtual_exec_t
++.EE
++
++- Set files with the postfix_virtual_exec_t type, if you want to transition an executable to the postfix_virtual_t domain.
++
++
++.EX
++.PP
++.B postfix_virtual_tmp_t
++.EE
++
++- Set files with the postfix_virtual_tmp_t type, if you want to store postfix virtual temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type postfix_virtual_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B dovecot_spool_t
++
++ /var/spool/dovecot(/.*)?
++.br
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.br
++.B postfix_spool_t
++
++ /var/spool/postfix.*
++.br
++
++.br
++.B postfix_var_run_t
++
++ /var/spool/postfix/pid/.*
++.br
++
++.br
++.B postfix_virtual_tmp_t
++
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.br
++.B user_home_type
++
++ all user home files
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_virtual_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_virtual_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postfix_virtual(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/postgresql_selinux.8 b/man/man8/postgresql_selinux.8
+new file mode 100644
+index 0000000..375c37b
+--- /dev/null
++++ b/man/man8/postgresql_selinux.8
+@@ -0,0 +1,382 @@
++.TH "postgresql_selinux" "8" "12-11-01" "postgresql" "SELinux Policy documentation for postgresql"
++.SH "NAME"
++postgresql_selinux \- Security Enhanced Linux Policy for the postgresql processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postgresql processes via flexible mandatory access control.
++
++The postgresql processes execute with the postgresql_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postgresql_t
++
++
++.SH "ENTRYPOINTS"
++
++The postgresql_t SELinux type can be entered via the "postgresql_exec_t" file type. The default entrypoint paths for the postgresql_t domain are the following:"
++
++/usr/bin/(se)?postgres, /usr/bin/initdb(\.sepgsql)?, /usr/lib/postgresql/bin/.*, /usr/lib/pgsql/test/regress/pg_regress
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postgresql policy is very flexible allowing users to setup their postgresql processes in as secure a method as possible.
++.PP
++The following process types are defined for postgresql:
++
++.EX
++.B postgresql_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. postgresql policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postgresql with the tightest access possible.
++
++
++.PP
++If you want to allow transmit client label to foreign database, you must turn on the postgresql_selinux_transmit_client_label boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_transmit_client_label 1
++.EE
++
++.PP
++If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_unconfined_dbadm 1
++.EE
++
++.PP
++If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean.
++
++.EX
++.B setsebool -P postgresql_can_rsync 1
++.EE
++
++.PP
++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean.
++
++.EX
++.B setsebool -P selinuxuser_postgresql_connect_enabled 1
++.EE
++
++.PP
++If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_users_ddl 1
++.EE
++
++.PP
++If you want to allow transmit client label to foreign database, you must turn on the postgresql_selinux_transmit_client_label boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_transmit_client_label 1
++.EE
++
++.PP
++If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_unconfined_dbadm 1
++.EE
++
++.PP
++If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean.
++
++.EX
++.B setsebool -P postgresql_can_rsync 1
++.EE
++
++.PP
++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean.
++
++.EX
++.B setsebool -P selinuxuser_postgresql_connect_enabled 1
++.EE
++
++.PP
++If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_users_ddl 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postgresql policy is very flexible allowing users to setup their postgresql processes in as secure a method as possible.
++.PP
++The following file types are defined for postgresql:
++
++
++.EX
++.PP
++.B postgresql_db_t
++.EE
++
++- Set files with the postgresql_db_t type, if you want to treat the files as postgresql database content.
++
++
++.EX
++.PP
++.B postgresql_etc_t
++.EE
++
++- Set files with the postgresql_etc_t type, if you want to store postgresql files in the /etc directories.
++
++
++.EX
++.PP
++.B postgresql_exec_t
++.EE
++
++- Set files with the postgresql_exec_t type, if you want to transition an executable to the postgresql_t domain.
++
++
++.EX
++.PP
++.B postgresql_initrc_exec_t
++.EE
++
++- Set files with the postgresql_initrc_exec_t type, if you want to transition an executable to the postgresql_initrc_t domain.
++
++
++.EX
++.PP
++.B postgresql_lock_t
++.EE
++
++- Set files with the postgresql_lock_t type, if you want to treat the files as postgresql lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B postgresql_log_t
++.EE
++
++- Set files with the postgresql_log_t type, if you want to treat the data as postgresql log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B postgresql_tmp_t
++.EE
++
++- Set files with the postgresql_tmp_t type, if you want to store postgresql temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B postgresql_var_run_t
++.EE
++
++- Set files with the postgresql_var_run_t type, if you want to store the postgresql files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux postgresql policy is very flexible allowing users to setup their postgresql processes in as secure a method as possible.
++.PP
++The following port types are defined for postgresql:
++
++.EX
++.TP 5
++.B postgresql_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 5432
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type postgresql_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B hugetlbfs_t
++
++ /dev/hugepages
++.br
++ /lib/udev/devices/hugepages
++.br
++ /usr/lib/udev/devices/hugepages
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B postgresql_db_t
++
++ /var/lib/pgsql(/.*)?
++.br
++ /var/lib/sepgsql(/.*)?
++.br
++ /var/lib/postgres(ql)?(/.*)?
++.br
++ /usr/share/jonas/pgsql(/.*)?
++.br
++ /usr/lib/pgsql/test/regress(/.*)?
++.br
++
++.br
++.B postgresql_lock_t
++
++
++.br
++.B postgresql_log_t
++
++ /var/lib/pgsql/.*\.log
++.br
++ /var/log/rhdb/rhdb(/.*)?
++.br
++ /var/log/postgresql(/.*)?
++.br
++ /var/log/postgres\.log.*
++.br
++ /var/lib/pgsql/logfile(/.*)?
++.br
++ /var/log/sepostgresql\.log.*
++.br
++ /var/lib/sepgsql/pgstartup\.log
++.br
++
++.br
++.B postgresql_tmp_t
++
++
++.br
++.B postgresql_var_run_t
++
++ /var/run/postgresql(/.*)?
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postgresql_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postgresql_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postgresql(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/postgrey_selinux.8 b/man/man8/postgrey_selinux.8
+new file mode 100644
+index 0000000..0959a17
+--- /dev/null
++++ b/man/man8/postgrey_selinux.8
+@@ -0,0 +1,180 @@
++.TH "postgrey_selinux" "8" "12-11-01" "postgrey" "SELinux Policy documentation for postgrey"
++.SH "NAME"
++postgrey_selinux \- Security Enhanced Linux Policy for the postgrey processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the postgrey processes via flexible mandatory access control.
++
++The postgrey processes execute with the postgrey_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep postgrey_t
++
++
++.SH "ENTRYPOINTS"
++
++The postgrey_t SELinux type can be entered via the "postgrey_exec_t" file type. The default entrypoint paths for the postgrey_t domain are the following:"
++
++/usr/sbin/postgrey
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux postgrey policy is very flexible allowing users to setup their postgrey processes in as secure a method as possible.
++.PP
++The following process types are defined for postgrey:
++
++.EX
++.B postgrey_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux postgrey policy is very flexible allowing users to setup their postgrey processes in as secure a method as possible.
++.PP
++The following file types are defined for postgrey:
++
++
++.EX
++.PP
++.B postgrey_etc_t
++.EE
++
++- Set files with the postgrey_etc_t type, if you want to store postgrey files in the /etc directories.
++
++
++.EX
++.PP
++.B postgrey_exec_t
++.EE
++
++- Set files with the postgrey_exec_t type, if you want to transition an executable to the postgrey_t domain.
++
++
++.EX
++.PP
++.B postgrey_initrc_exec_t
++.EE
++
++- Set files with the postgrey_initrc_exec_t type, if you want to transition an executable to the postgrey_initrc_t domain.
++
++
++.EX
++.PP
++.B postgrey_spool_t
++.EE
++
++- Set files with the postgrey_spool_t type, if you want to store the postgrey files under the /var/spool directory.
++
++
++.EX
++.PP
++.B postgrey_var_lib_t
++.EE
++
++- Set files with the postgrey_var_lib_t type, if you want to store the postgrey files under the /var/lib directory.
++
++
++.EX
++.PP
++.B postgrey_var_run_t
++.EE
++
++- Set files with the postgrey_var_run_t type, if you want to store the postgrey files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux postgrey policy is very flexible allowing users to setup their postgrey processes in as secure a method as possible.
++.PP
++The following port types are defined for postgrey:
++
++.EX
++.TP 5
++.B postgrey_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 60000
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type postgrey_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B postfix_spool_type
++
++
++.br
++.B postgrey_spool_t
++
++ /var/spool/postfix/postgrey(/.*)?
++.br
++
++.br
++.B postgrey_var_lib_t
++
++ /var/lib/postgrey(/.*)?
++.br
++
++.br
++.B postgrey_var_run_t
++
++ /var/run/postgrey(/.*)?
++.br
++ /var/run/postgrey\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), postgrey(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/pppd_selinux.8 b/man/man8/pppd_selinux.8
+new file mode 100644
+index 0000000..be38983
+--- /dev/null
++++ b/man/man8/pppd_selinux.8
+@@ -0,0 +1,362 @@
++.TH "pppd_selinux" "8" "12-11-01" "pppd" "SELinux Policy documentation for pppd"
++.SH "NAME"
++pppd_selinux \- Security Enhanced Linux Policy for the pppd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pppd processes via flexible mandatory access control.
++
++The pppd processes execute with the pppd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pppd_t
++
++
++.SH "ENTRYPOINTS"
++
++The pppd_t SELinux type can be entered via the "pppd_exec_t" file type. The default entrypoint paths for the pppd_t domain are the following:"
++
++/usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd, /sbin/pppoe-server, /usr/sbin/ppp-watch, /usr/sbin/pppoe-server
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pppd policy is very flexible allowing users to setup their pppd processes in as secure a method as possible.
++.PP
++The following process types are defined for pppd:
++
++.EX
++.B pppd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. pppd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pppd with the tightest access possible.
++
++
++.PP
++If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean.
++
++.EX
++.B setsebool -P pppd_can_insmod 1
++.EE
++
++.PP
++If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean.
++
++.EX
++.B setsebool -P pppd_for_user 1
++.EE
++
++.PP
++If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean.
++
++.EX
++.B setsebool -P pppd_can_insmod 1
++.EE
++
++.PP
++If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean.
++
++.EX
++.B setsebool -P pppd_for_user 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pppd policy is very flexible allowing users to setup their pppd processes in as secure a method as possible.
++.PP
++The following file types are defined for pppd:
++
++
++.EX
++.PP
++.B pppd_etc_rw_t
++.EE
++
++- Set files with the pppd_etc_rw_t type, if you want to treat the files as pppd etc read/write content.
++
++
++.EX
++.PP
++.B pppd_etc_t
++.EE
++
++- Set files with the pppd_etc_t type, if you want to store pppd files in the /etc directories.
++
++
++.EX
++.PP
++.B pppd_exec_t
++.EE
++
++- Set files with the pppd_exec_t type, if you want to transition an executable to the pppd_t domain.
++
++
++.EX
++.PP
++.B pppd_initrc_exec_t
++.EE
++
++- Set files with the pppd_initrc_exec_t type, if you want to transition an executable to the pppd_initrc_t domain.
++
++
++.EX
++.PP
++.B pppd_lock_t
++.EE
++
++- Set files with the pppd_lock_t type, if you want to treat the files as pppd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B pppd_log_t
++.EE
++
++- Set files with the pppd_log_t type, if you want to treat the data as pppd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B pppd_secret_t
++.EE
++
++- Set files with the pppd_secret_t type, if you want to treat the files as pppd se secret data.
++
++
++.EX
++.PP
++.B pppd_tmp_t
++.EE
++
++- Set files with the pppd_tmp_t type, if you want to store pppd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B pppd_unit_file_t
++.EE
++
++- Set files with the pppd_unit_file_t type, if you want to treat the files as pppd unit content.
++
++
++.EX
++.PP
++.B pppd_var_run_t
++.EE
++
++- Set files with the pppd_var_run_t type, if you want to store the pppd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type pppd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B pppd_etc_rw_t
++
++ /etc/ppp(/.*)?
++.br
++ /etc/ppp/peers(/.*)?
++.br
++ /etc/ppp/resolv\.conf
++.br
++
++.br
++.B pppd_lock_t
++
++ /var/lock/ppp(/.*)?
++.br
++
++.br
++.B pppd_log_t
++
++ /var/log/ppp(/.*)?
++.br
++ /var/log/ppp-connect-errors.*
++.br
++
++.br
++.B pppd_tmp_t
++
++
++.br
++.B pppd_var_run_t
++
++ /var/run/(i)?ppp.*pid[^/]*
++.br
++ /var/run/ppp(/.*)?
++.br
++ /var/run/pppd[0-9]*\.tdb
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pppd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pppd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pppd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/pptp_selinux.8 b/man/man8/pptp_selinux.8
+new file mode 100644
+index 0000000..ff95294
+--- /dev/null
++++ b/man/man8/pptp_selinux.8
+@@ -0,0 +1,158 @@
++.TH "pptp_selinux" "8" "12-11-01" "pptp" "SELinux Policy documentation for pptp"
++.SH "NAME"
++pptp_selinux \- Security Enhanced Linux Policy for the pptp processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pptp processes via flexible mandatory access control.
++
++The pptp processes execute with the pptp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pptp_t
++
++
++.SH "ENTRYPOINTS"
++
++The pptp_t SELinux type can be entered via the "pptp_exec_t" file type. The default entrypoint paths for the pptp_t domain are the following:"
++
++/usr/sbin/pptp
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pptp policy is very flexible allowing users to setup their pptp processes in as secure a method as possible.
++.PP
++The following process types are defined for pptp:
++
++.EX
++.B pptp_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pptp policy is very flexible allowing users to setup their pptp processes in as secure a method as possible.
++.PP
++The following file types are defined for pptp:
++
++
++.EX
++.PP
++.B pptp_exec_t
++.EE
++
++- Set files with the pptp_exec_t type, if you want to transition an executable to the pptp_t domain.
++
++
++.EX
++.PP
++.B pptp_log_t
++.EE
++
++- Set files with the pptp_log_t type, if you want to treat the data as pptp log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B pptp_var_run_t
++.EE
++
++- Set files with the pptp_var_run_t type, if you want to store the pptp files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux pptp policy is very flexible allowing users to setup their pptp processes in as secure a method as possible.
++.PP
++The following port types are defined for pptp:
++
++.EX
++.TP 5
++.B pptp_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 1723
++.EE
++udp 1723
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type pptp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B pptp_log_t
++
++
++.br
++.B pptp_var_run_t
++
++ /var/run/pptp(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pptp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pptp_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pptp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/prelink_cron_system_selinux.8 b/man/man8/prelink_cron_system_selinux.8
+new file mode 100644
+index 0000000..b622f23
+--- /dev/null
++++ b/man/man8/prelink_cron_system_selinux.8
+@@ -0,0 +1,129 @@
++.TH "prelink_cron_system_selinux" "8" "12-11-01" "prelink_cron_system" "SELinux Policy documentation for prelink_cron_system"
++.SH "NAME"
++prelink_cron_system_selinux \- Security Enhanced Linux Policy for the prelink_cron_system processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the prelink_cron_system processes via flexible mandatory access control.
++
++The prelink_cron_system processes execute with the prelink_cron_system_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep prelink_cron_system_t
++
++
++.SH "ENTRYPOINTS"
++
++The prelink_cron_system_t SELinux type can be entered via the "prelink_cron_system_exec_t" file type. The default entrypoint paths for the prelink_cron_system_t domain are the following:"
++
++/etc/cron\.daily/prelink
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux prelink_cron_system policy is very flexible allowing users to setup their prelink_cron_system processes in as secure a method as possible.
++.PP
++The following process types are defined for prelink_cron_system:
++
++.EX
++.B prelink_cron_system_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux prelink_cron_system policy is very flexible allowing users to setup their prelink_cron_system processes in as secure a method as possible.
++.PP
++The following file types are defined for prelink_cron_system:
++
++
++.EX
++.PP
++.B prelink_cron_system_exec_t
++.EE
++
++- Set files with the prelink_cron_system_exec_t type, if you want to transition an executable to the prelink_cron_system_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type prelink_cron_system_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B prelink_log_t
++
++ /var/log/prelink(/.*)?
++.br
++ /var/log/prelink\.log.*
++.br
++
++.br
++.B prelink_var_lib_t
++
++ /var/lib/prelink(/.*)?
++.br
++ /var/lib/misc/prelink.*
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelink_cron_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the prelink_cron_system_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), prelink_cron_system(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, prelink_selinux(8), prelink_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/prelink_selinux.8 b/man/man8/prelink_selinux.8
+new file mode 100644
+index 0000000..9c74265
+--- /dev/null
++++ b/man/man8/prelink_selinux.8
+@@ -0,0 +1,765 @@
++.TH "prelink_selinux" "8" "12-11-01" "prelink" "SELinux Policy documentation for prelink"
++.SH "NAME"
++prelink_selinux \- Security Enhanced Linux Policy for the prelink processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the prelink processes via flexible mandatory access control.
++
++The prelink processes execute with the prelink_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep prelink_t
++
++
++.SH "ENTRYPOINTS"
++
++The prelink_t SELinux type can be entered via the "prelink_exec_t" file type. The default entrypoint paths for the prelink_t domain are the following:"
++
++/usr/sbin/prelink(\.bin)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux prelink policy is very flexible allowing users to setup their prelink processes in as secure a method as possible.
++.PP
++The following process types are defined for prelink:
++
++.EX
++.B prelink_cron_system_t, prelink_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux prelink policy is very flexible allowing users to setup their prelink processes in as secure a method as possible.
++.PP
++The following file types are defined for prelink:
++
++
++.EX
++.PP
++.B prelink_cache_t
++.EE
++
++- Set files with the prelink_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B prelink_cron_system_exec_t
++.EE
++
++- Set files with the prelink_cron_system_exec_t type, if you want to transition an executable to the prelink_cron_system_t domain.
++
++
++.EX
++.PP
++.B prelink_exec_t
++.EE
++
++- Set files with the prelink_exec_t type, if you want to transition an executable to the prelink_t domain.
++
++
++.EX
++.PP
++.B prelink_log_t
++.EE
++
++- Set files with the prelink_log_t type, if you want to treat the data as prelink log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B prelink_tmp_t
++.EE
++
++- Set files with the prelink_tmp_t type, if you want to store prelink temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B prelink_tmpfs_t
++.EE
++
++- Set files with the prelink_tmpfs_t type, if you want to store prelink files on a tmpfs file system.
++
++
++.EX
++.PP
++.B prelink_var_lib_t
++.EE
++
++- Set files with the prelink_var_lib_t type, if you want to store the prelink files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type prelink_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B exec_type
++
++
++.br
++.B ld_so_t
++
++ /usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*
++.br
++ /lib/ld-[^/]*\.so(\.[^/]*)*
++.br
++ /usr/lib/ld-[^/]*\.so(\.[^/]*)*
++.br
++ /var/ftp/lib/ld[^/]*\.so(\.[^/]*)*
++.br
++ /emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*
++.br
++ /emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*
++.br
++ /var/spool/postfix/lib/ld.*\.so.*
++.br
++
++.br
++.B lib_t
++
++ /lib/.*
++.br
++ /opt/.*\.so(\.[^/]*)*
++.br
++ /usr/.*\.so(\.[^/]*)*
++.br
++ /opt/(.*/)?lib(/.*)?
++.br
++ /usr/(.*/)?lib(/.*)?
++.br
++ /opt/(.*/)?jre/.+\.jar
++.br
++ /opt/(.*/)?java/.+\.jar
++.br
++ /usr/(.*/)?java/.+\.jar
++.br
++ /usr/(.*/)?java/.+\.jsa
++.br
++ /usr/lib/.*
++.br
++ /usr/lib/.*/program(/.*)?\.so
++.br
++ /var/ftp/lib(/.*)?
++.br
++ /opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api
++.br
++ /opt/ibm/java.*/jre/.+\.jar
++.br
++ /usr/lib/pgsql/.*\.so.*
++.br
++ /usr/lib/xfce4/.*\.so.*
++.br
++ /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il]
++.br
++ /emul/ia32-linux/lib(/.*)?
++.br
++ /emul/ia32-linux/usr(/.*)?/lib(/.*)?
++.br
++ /emul/ia32-linux/usr(/.*)?/java/.*\.jar
++.br
++ /emul/ia32-linux/usr(/.*)?/java/.*\.jsa
++.br
++ /emul/ia32-linux/usr(/.*)?/java/.+\.so(\.[^/]*)*
++.br
++ /var/spool/postfix/lib(/.*)?
++.br
++ /var/spool/postfix/usr(/.*)?
++.br
++ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)?
++.br
++ /var/spool/postfix/lib64(/.*)?
++.br
++ /usr/lib/nspluginwrapper/np.*\.so
++.br
++ /usr/lib/pgsql/test/regress/.*\.so.*
++.br
++ /usr/share/hplip/prnt/plugins(/.*)?
++.br
++ /var/lib/spamassassin/compiled/.*\.so.*
++.br
++ /lib
++.br
++ /lib64
++.br
++ /usr/lib
++.br
++ /etc/ppp/plugins/rp-pppoe\.so
++.br
++ /usr/share/rhn/rhn_applet/eggtrayiconmodule\.so
++.br
++
++.br
++.B mozilla_plugin_rw_t
++
++ /usr/lib/mozilla/plugins-wrapped(/.*)?
++.br
++
++.br
++.B prelink_cache_t
++
++ /etc/prelink\.cache
++.br
++
++.br
++.B prelink_object
++
++
++.br
++.B prelink_tmp_t
++
++
++.br
++.B prelink_tmpfs_t
++
++
++.br
++.B prelink_var_lib_t
++
++ /var/lib/prelink(/.*)?
++.br
++ /var/lib/misc/prelink.*
++.br
++
++.br
++.B rpm_tmp_t
++
++
++.br
++.B textrel_shlib_t
++
++ /usr/(.*/)?nprhapengine\.so.*
++.br
++ /usr/(.*/)?nvidia/.+\.so(\..*)?
++.br
++ /usr/(.*/)?java/.+\.so(\.[^/]*)*
++.br
++ /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*
++.br
++ /usr/(.*/)?jre.*/.*\.so(\.[^/]*)*
++.br
++ /opt/(.*/)?oracle/(.*/)?libnnz.*\.so
++.br
++ /opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)*
++.br
++ /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)*
++.br
++ /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)*
++.br
++ /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)?
++.br
++ /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl
++.br
++ /usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)*
++.br
++ /opt/cx.*/lib/wine/.+\.so
++.br
++ /usr/lib.*/libmpg123\.so(\.[^/]*)*
++.br
++ /usr/lib(/.*)?/nvidia/.+\.so(\..*)?
++.br
++ /usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)*
++.br
++ /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)*
++.br
++ /usr/lib/.*/nprhapengine\.so.*
++.br
++ /usr/lib/.*/libflashplayer\.so.*
++.br
++ /usr/lib/(sse2/)?libfame-.*\.so.*
++.br
++ /usr/lib/.*/program/libsoffice\.so
++.br
++ /usr/lib/.*/program/libsts645li\.so
++.br
++ /usr/lib/.*/program/libwrp645li\.so
++.br
++ /usr/lib/.*/program/libswd680li\.so
++.br
++ /usr/lib/.*/program/libsvx680li\.so
++.br
++ /usr/lib/.*/program/libicudata\.so.*
++.br
++ /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)*
++.br
++ /usr/lib/.*/program/librecentfile\.so
++.br
++ /usr/lib/.*/program/libcomphelp4gcc3\.so
++.br
++ /usr/lib/.*/program/libvclplug_gen645li\.so
++.br
++ /usr/lib/(virtualbox(-ose)?/)?(components/)?VBox.*\.so
++.br
++ /opt/Adobe.*/libcurl\.so
++.br
++ /opt/Adobe(/.*?)/nppdf\.so
++.br
++ /usr/Adobe/.*\.api
++.br
++ /opt/matlab.*\.so(\.[^/]*)*
++.br
++ /usr/matlab.*\.so(\.[^/]*)*
++.br
++ /usr/Adobe/(.*/)?intellinux/nppdf\.so
++.br
++ /usr/Adobe/(.*/)?intellinux/sidecars/*
++.br
++ /usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*
++.br
++ /usr/matlab.*/bin/glnx86/libmwlapack\.so
++.br
++ /usr/matlab.*/sys/os/glnx86/libtermcap\.so
++.br
++ /usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so
++.br
++ /opt/google/.*\.so.*
++.br
++ /opt/altera9.1/quartus/linux/libccl_err\.so
++.br
++ /usr/lib/dri/.+\.so
++.br
++ /usr/lib/nsr/(.*/)?.*\.so
++.br
++ /opt/ibm/java.*/jre/.+\.so(\.[^/]*)*
++.br
++ /opt/ibm/java.*/jre/bin/.+\.so(\.[^/]*)*
++.br
++ /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)*
++.br
++ /usr/lib/wine/.+\.so
++.br
++ /usr/lib/sse2/.*\.so.*
++.br
++ /usr/lib/i686/.*\.so.*
++.br
++ /usr/lib/libav.*\.so(\.[^/]*)*
++.br
++ /usr/acroread/(.*/)?intellinux/nppdf\.so
++.br
++ /usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)*
++.br
++ /usr/lib/libADM.*\.so.*
++.br
++ /opt/lampp/lib/.*\.so.*
++.br
++ /usr/lib/libGTL.*\.so.*
++.br
++ /usr/lib/win32/.*\.so(\.[^/]*)*
++.br
++ /usr/lib/fglrx/.*\.so(\.[^/]*)*
++.br
++ /usr/lib/nvidia.*\.so(\.[^/]*)*
++.br
++ /opt/VirtualBox(/.*)?/VBox.*\.so
++.br
++ /usr/lib/python.*/site-packages/pymedia/muxer\.so
++.br
++ /usr/lib/libmyth[^/]+\.so.*
++.br
++ /usr/lib/midori/.*\.so(\.[^/]*)*
++.br
++ /usr/lib/cedega/.+\.so(\.[^/]*)*
++.br
++ /usr/lib/libADM5.*\.so(\.[^/]*)*
++.br
++ /usr/lib/vmware/(.*/)?VmPerl\.so
++.br
++ /usr/lib/oracle/.*/lib/libnnz10\.so
++.br
++ /usr/lib/oracle/.*/lib/libnnz.*\.so
++.br
++ /usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)*
++.br
++ /usr/lib/python2.4/site-packages/M2Crypto/__m2crypto\.so
++.br
++ /usr/lib/libjs\.so.*
++.br
++ /usr/lib/libGL\.so(\.[^/]*)*
++.br
++ /usr/libmpg123\.so(\.[^/]*)*
++.br
++ /usr/lib/libnnz11.so(\.[^/]*)*
++.br
++ /opt/local/matlab.*\.so(\.[^/]*)*
++.br
++ /opt/lgtonmc/bin/.*\.so(\.[0-9])?
++.br
++ /usr/lib/allegro/(.*/)?alleg-vga\.so
++.br
++ /usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so
++.br
++ /usr/lib/firefox-[^/]*/plugins/nppdf.so
++.br
++ /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api
++.br
++ /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so
++.br
++ /usr/lib/acroread/.+\.api
++.br
++ /usr/google-earth/.*\.so.*
++.br
++ /opt/google-earth/.*\.so.*
++.br
++ /usr/lib/acroread/(.*/)?nppdf\.so
++.br
++ /usr/lib/acroread/(.*/)?sidecars/*
++.br
++ /usr/lib/acroread/(.*/)?ADMPlugin\.apl
++.br
++ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)*
++.br
++ /usr/lib/libFLAC\.so.*
++.br
++ /usr/lib/libgpac\.so.*
++.br
++ /opt/google/picasa/.*\.dll
++.br
++ /opt/google/picasa/.*\.yti
++.br
++ /opt/google/chrome/.*\.so.*
++.br
++ /usr/lib/libzvbi\.so(\.[^/]*)*
++.br
++ /usr/lib/libx264\.so(\.[^/]*)*
++.br
++ /usr/lib/ati-fglrx/.+\.so(\..*)?
++.br
++ /usr/lib/gstreamer-.*/[^/]*\.so.*
++.br
++ /usr/lib/ICAClient/.*\.so(\.[^/]*)*
++.br
++ /usr/lib/vmware/lib(/.*)?/HConfig\.so
++.br
++ /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)*
++.br
++ /usr/lib/vmware/lib(/.*)?/libgdk-x11-.*\.so.*
++.br
++ /usr/lib/vmware/lib(/.*)?/libvmware-gksu.*\.so.*
++.br
++ /usr/lib/libmpeg2\.so.*
++.br
++ /usr/lib/valgrind/vg.*\.so
++.br
++ /usr/lib/virtualbox/.*\.so
++.br
++ /usr/lib/libglide3-v[0-9]*\.so.*
++.br
++ /usr/lib/libglide3\.so.*
++.br
++ /usr/lib/libHermes\.so.*
++.br
++ /usr/lib/libdvdcss\.so.*
++.br
++ /usr/lib/libGLcore\.so.*
++.br
++ /usr/lib/googleearth/.*\.so.*
++.br
++ /usr/NX/lib/libjpeg\.so.*
++.br
++ /usr/lib/nx/libjpeg\.so.*
++.br
++ /usr/lib/libswscale\.so.*
++.br
++ /usr/lib/libmp3lame\.so.*
++.br
++ /usr/lib/nmm/liba52\.so.*
++.br
++ /usr/lib/dri/fglrx_dri.so.*
++.br
++ /usr/lib/xine/plugins/.+\.so
++.br
++ /usr/lib/google-earth/.*\.so.*
++.br
++ /usr/lib/helix/codecs/[^/]*\.so
++.br
++ /usr/lib/xorg/libGL\.so(\.[^/]*)*
++.br
++ /usr/X11R6/lib/libGL\.so.*
++.br
++ /usr/NX/lib/libXcomp\.so.*
++.br
++ /usr/lib/nx/libXcomp\.so.*
++.br
++ /usr/lib/libxvidcore\.so.*
++.br
++ /usr/lib/libpostproc\.so.*
++.br
++ /opt/lampp/lib/libct\.so.*
++.br
++ /opt/google/talkplugin/.*\.so.*
++.br
++ /usr/lib/helix/plugins/[^/]*\.so
++.br
++ /usr/lib/libatiadlxx\.so(\.[^/]*)*
++.br
++ /opt/VBoxGuestAdditions.*/lib/VBox.*\.so
++.br
++ /usr/lib/mythtv/filters/.*\.so.*
++.br
++ /usr/lib/libtfmessbsp\.so(\.[^/]*)*
++.br
++ /usr/lib/sse2/libx264\.so(\.[^/]*)*
++.br
++ /usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*
++.br
++ /usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*
++.br
++ /usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)*
++.br
++ /usr/lib/libsipphoneapi\.so.*
++.br
++ /usr/lib/libfglrx_gamma\.so.*
++.br
++ /usr/lib/xorg/modules/dri/.+\.so
++.br
++ /usr/lib/chromium-browser/.*\.so
++.br
++ /usr/lib/catalyst/libGL\.so(\.[^/]*)*
++.br
++ /usr/lib/yafaray/libDarkSky.so
++.br
++ /usr/X11R6/lib/modules/dri/.+\.so
++.br
++ /opt/real/RealPlayer/codecs(/.*)?
++.br
++ /usr/lib/libcncpmslld328\.so(\.[^/]*)*
++.br
++ /opt/real/RealPlayer/plugins(/.*)?
++.br
++ /usr/lib/libkmplayercommon\.so.*
++.br
++ /usr/lib/libjavascriptcoregtk[^/]*\.so.*
++.br
++ /usr/games/darwinia/lib/libSDL.*\.so.*
++.br
++ /usr/lib/altivec/libavcodec\.so(\.[^/]*)*
++.br
++ /usr/lib/xorg/modules/glesx\.so(\.[^/]*)*
++.br
++ /usr/X11R6/lib/libXvMCNVIDIA\.so.*
++.br
++ /usr/lib/sane/libsane-epkowa\.so.*
++.br
++ /opt/AutoScan/usr/lib/libvte\.so.*
++.br
++ /usr/X11R6/lib/libfglrx_gamma\.so.*
++.br
++ /usr/lib/nero/plug-ins/libMP3\.so(\.[^/]*)*
++.br
++ /usr/lib/vdpau/libvdpau_nvidia\.so.*
++.br
++ /usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)*
++.br
++ /opt/Unify/SQLBase/libgptsblmsui11\.so.*
++.br
++ /usr/share/squeezeboxserver/CPAN/arch/.+\.so
++.br
++ /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)*
++.br
++ /usr/lib/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)*
++.br
++ /opt/Komodo-Edit-5/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)*
++.br
++ /usr/lib/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)*
++.br
++ /usr/lib/xorg/modules/extensions/libglx\.so(\.[^/]*)*
++.br
++ /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)*
++.br
++ /usr/bin/bsnes
++.br
++ /usr/lib/VBoxVMM\.so
++.br
++ /usr/lib/valgrind/hp2ps
++.br
++ /usr/lib/libmlib_jai\.so
++.br
++ /usr/lib/valgrind/stage2
++.br
++ /lib/security/pam_poldi\.so
++.br
++ /usr/lib/libg\+\+\.so\.2\.7\.2\.8
++.br
++ /usr/lib/ladspa/gsm_1215\.so
++.br
++ /usr/lib/ladspa/sc1_1425\.so
++.br
++ /usr/lib/ladspa/sc2_1426\.so
++.br
++ /usr/lib/ladspa/sc3_1427\.so
++.br
++ /usr/lib/ladspa/sc4_1882\.so
++.br
++ /usr/lib/ladspa/se4_1883\.so
++.br
++ /usr/lib/libdivxdecore\.so\.0
++.br
++ /usr/lib/libdivxencore\.so\.0
++.br
++ /usr/lib/libstdc\+\+\.so\.2\.7\.2\.8
++.br
++ /usr/lib/ladspa/gverb_1216\.so
++.br
++ /usr/lib/security/pam_poldi\.so
++.br
++ /usr/lib/ladspa/fm_osc_1415\.so
++.br
++ /usr/zend/lib/apache2/libphp5\.so
++.br
++ /usr/lib/mozilla/plugins/nppdf\.so
++.br
++ /usr/lib/ladspa/notch_iir_1894\.so
++.br
++ /usr/lib/xchat/plugins/systray\.so
++.br
++ /usr/lib/ocaml/stublibs/dllnums\.so
++.br
++ /usr/lib/vlc/codec/libdmo_plugin\.so
++.br
++ /usr/lib/ladspa/butterworth_1902\.so
++.br
++ /usr/lib/ladspa/lowpass_iir_1891\.so
++.br
++ /usr/lib/ladspa/pitch_scale_1193\.so
++.br
++ /usr/lib/ladspa/pitch_scale_1194\.so
++.br
++ /usr/lib/ladspa/analogue_osc_1416\.so
++.br
++ /usr/lib/ladspa/bandpass_iir_1892\.so
++.br
++ /usr/lib/ladspa/highpass_iir_1890\.so
++.br
++ /usr/Zend/lib/ZendExtensionManager\.so
++.br
++ /opt/cisco-vpnclient/lib/libvpnapi\.so
++.br
++ /usr/lib/firefox/plugins/libractrl\.so
++.br
++ /usr/lib/ladspa/hermes_filter_1200\.so
++.br
++ /usr/lib/ladspa/bandpass_a_iir_1893\.so
++.br
++ /usr/lib/octagaplayer/libapplication\.so
++.br
++ /usr/lib/mozilla/plugins/libvlcplugin\.so
++.br
++ /usr/lib/vlc/codec/librealvideo_plugin\.so
++.br
++ /usr/lib/vlc/codec/librealaudio_plugin\.so
++.br
++ /usr/lib/xorg/modules/drivers/nvidia_drv\.o
++.br
++ /opt/novell/groupwise/client/lib/libgwapijni\.so\.1
++.br
++ /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so
++.br
++ /home/[^/]*/.*/plugins/nppdf\.so.*
++.br
++ /home/dwalsh/.*/plugins/nppdf\.so.*
++.br
++ /var/lib/xguest/home/xguest/.*/plugins/nppdf\.so.*
++.br
++
++.br
++.B user_home_type
++
++ all user home files
++.br
++
++.br
++.B usr_t
++
++ /usr/.*
++.br
++ /opt/.*
++.br
++ /emul/.*
++.br
++ /export(/.*)?
++.br
++ /usr/doc(/.*)?/lib(/.*)?
++.br
++ /usr/inclu.e(/.*)?
++.br
++ /usr/share/doc(/.*)?/README.*
++.br
++ /usr
++.br
++ /opt
++.br
++ /emul
++.br
++
++.br
++.B var_t
++
++ /nsr(/.*)?
++.br
++ /var/.*
++.br
++ /srv/.*
++.br
++ /var
++.br
++ /srv
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelink_cron_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the prelink_cron_system_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), prelink(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, prelink_cron_system_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/prelude_audisp_selinux.8 b/man/man8/prelude_audisp_selinux.8
+new file mode 100644
+index 0000000..18ba823
+--- /dev/null
++++ b/man/man8/prelude_audisp_selinux.8
+@@ -0,0 +1,107 @@
++.TH "prelude_audisp_selinux" "8" "12-11-01" "prelude_audisp" "SELinux Policy documentation for prelude_audisp"
++.SH "NAME"
++prelude_audisp_selinux \- Security Enhanced Linux Policy for the prelude_audisp processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the prelude_audisp processes via flexible mandatory access control.
++
++The prelude_audisp processes execute with the prelude_audisp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep prelude_audisp_t
++
++
++.SH "ENTRYPOINTS"
++
++The prelude_audisp_t SELinux type can be entered via the "prelude_audisp_exec_t" file type. The default entrypoint paths for the prelude_audisp_t domain are the following:"
++
++/sbin/audisp-prelude, /usr/sbin/audisp-prelude
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux prelude_audisp policy is very flexible allowing users to setup their prelude_audisp processes in as secure a method as possible.
++.PP
++The following process types are defined for prelude_audisp:
++
++.EX
++.B prelude_audisp_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux prelude_audisp policy is very flexible allowing users to setup their prelude_audisp processes in as secure a method as possible.
++.PP
++The following file types are defined for prelude_audisp:
++
++
++.EX
++.PP
++.B prelude_audisp_exec_t
++.EE
++
++- Set files with the prelude_audisp_exec_t type, if you want to transition an executable to the prelude_audisp_t domain.
++
++
++.EX
++.PP
++.B prelude_audisp_var_run_t
++.EE
++
++- Set files with the prelude_audisp_var_run_t type, if you want to store the prelude audisp files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type prelude_audisp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B prelude_spool_t
++
++ /var/spool/prelude(/.*)?
++.br
++ /var/spool/prelude-manager(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), prelude_audisp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, prelude_selinux(8), prelude_selinux(8), prelude_correlator_selinux(8), prelude_lml_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/prelude_correlator_selinux.8 b/man/man8/prelude_correlator_selinux.8
+new file mode 100644
+index 0000000..54cfb46
+--- /dev/null
++++ b/man/man8/prelude_correlator_selinux.8
+@@ -0,0 +1,107 @@
++.TH "prelude_correlator_selinux" "8" "12-11-01" "prelude_correlator" "SELinux Policy documentation for prelude_correlator"
++.SH "NAME"
++prelude_correlator_selinux \- Security Enhanced Linux Policy for the prelude_correlator processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the prelude_correlator processes via flexible mandatory access control.
++
++The prelude_correlator processes execute with the prelude_correlator_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep prelude_correlator_t
++
++
++.SH "ENTRYPOINTS"
++
++The prelude_correlator_t SELinux type can be entered via the "prelude_correlator_exec_t" file type. The default entrypoint paths for the prelude_correlator_t domain are the following:"
++
++/usr/bin/prelude-correlator
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux prelude_correlator policy is very flexible allowing users to setup their prelude_correlator processes in as secure a method as possible.
++.PP
++The following process types are defined for prelude_correlator:
++
++.EX
++.B prelude_correlator_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux prelude_correlator policy is very flexible allowing users to setup their prelude_correlator processes in as secure a method as possible.
++.PP
++The following file types are defined for prelude_correlator:
++
++
++.EX
++.PP
++.B prelude_correlator_config_t
++.EE
++
++- Set files with the prelude_correlator_config_t type, if you want to treat the files as prelude correlator configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B prelude_correlator_exec_t
++.EE
++
++- Set files with the prelude_correlator_exec_t type, if you want to transition an executable to the prelude_correlator_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type prelude_correlator_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B prelude_spool_t
++
++ /var/spool/prelude(/.*)?
++.br
++ /var/spool/prelude-manager(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), prelude_correlator(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, prelude_selinux(8), prelude_selinux(8), prelude_audisp_selinux(8), prelude_lml_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/prelude_lml_selinux.8 b/man/man8/prelude_lml_selinux.8
+new file mode 100644
+index 0000000..9d345c5
+--- /dev/null
++++ b/man/man8/prelude_lml_selinux.8
+@@ -0,0 +1,149 @@
++.TH "prelude_lml_selinux" "8" "12-11-01" "prelude_lml" "SELinux Policy documentation for prelude_lml"
++.SH "NAME"
++prelude_lml_selinux \- Security Enhanced Linux Policy for the prelude_lml processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the prelude_lml processes via flexible mandatory access control.
++
++The prelude_lml processes execute with the prelude_lml_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep prelude_lml_t
++
++
++.SH "ENTRYPOINTS"
++
++The prelude_lml_t SELinux type can be entered via the "prelude_lml_exec_t" file type. The default entrypoint paths for the prelude_lml_t domain are the following:"
++
++/usr/bin/prelude-lml
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux prelude_lml policy is very flexible allowing users to setup their prelude_lml processes in as secure a method as possible.
++.PP
++The following process types are defined for prelude_lml:
++
++.EX
++.B prelude_lml_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux prelude_lml policy is very flexible allowing users to setup their prelude_lml processes in as secure a method as possible.
++.PP
++The following file types are defined for prelude_lml:
++
++
++.EX
++.PP
++.B prelude_lml_exec_t
++.EE
++
++- Set files with the prelude_lml_exec_t type, if you want to transition an executable to the prelude_lml_t domain.
++
++
++.EX
++.PP
++.B prelude_lml_tmp_t
++.EE
++
++- Set files with the prelude_lml_tmp_t type, if you want to store prelude lml temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B prelude_lml_var_run_t
++.EE
++
++- Set files with the prelude_lml_var_run_t type, if you want to store the prelude lml files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type prelude_lml_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B prelude_lml_tmp_t
++
++
++.br
++.B prelude_lml_var_run_t
++
++ /var/run/prelude-lml.pid
++.br
++
++.br
++.B prelude_spool_t
++
++ /var/spool/prelude(/.*)?
++.br
++ /var/spool/prelude-manager(/.*)?
++.br
++
++.br
++.B prelude_var_lib_t
++
++ /var/lib/prelude-lml(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelude_lml_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the prelude_lml_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), prelude_lml(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, prelude_selinux(8), prelude_selinux(8), prelude_audisp_selinux(8), prelude_correlator_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/prelude_selinux.8 b/man/man8/prelude_selinux.8
+new file mode 100644
+index 0000000..8ad755d
+--- /dev/null
++++ b/man/man8/prelude_selinux.8
+@@ -0,0 +1,259 @@
++.TH "prelude_selinux" "8" "12-11-01" "prelude" "SELinux Policy documentation for prelude"
++.SH "NAME"
++prelude_selinux \- Security Enhanced Linux Policy for the prelude processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the prelude processes via flexible mandatory access control.
++
++The prelude processes execute with the prelude_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep prelude_t
++
++
++.SH "ENTRYPOINTS"
++
++The prelude_t SELinux type can be entered via the "prelude_exec_t" file type. The default entrypoint paths for the prelude_t domain are the following:"
++
++/usr/bin/prelude-manager
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux prelude policy is very flexible allowing users to setup their prelude processes in as secure a method as possible.
++.PP
++The following process types are defined for prelude:
++
++.EX
++.B prelude_lml_t, prelude_t, prelude_audisp_t, prelude_correlator_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux prelude policy is very flexible allowing users to setup their prelude processes in as secure a method as possible.
++.PP
++The following file types are defined for prelude:
++
++
++.EX
++.PP
++.B prelude_audisp_exec_t
++.EE
++
++- Set files with the prelude_audisp_exec_t type, if you want to transition an executable to the prelude_audisp_t domain.
++
++
++.EX
++.PP
++.B prelude_audisp_var_run_t
++.EE
++
++- Set files with the prelude_audisp_var_run_t type, if you want to store the prelude audisp files under the /run directory.
++
++
++.EX
++.PP
++.B prelude_correlator_config_t
++.EE
++
++- Set files with the prelude_correlator_config_t type, if you want to treat the files as prelude correlator configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B prelude_correlator_exec_t
++.EE
++
++- Set files with the prelude_correlator_exec_t type, if you want to transition an executable to the prelude_correlator_t domain.
++
++
++.EX
++.PP
++.B prelude_exec_t
++.EE
++
++- Set files with the prelude_exec_t type, if you want to transition an executable to the prelude_t domain.
++
++
++.EX
++.PP
++.B prelude_initrc_exec_t
++.EE
++
++- Set files with the prelude_initrc_exec_t type, if you want to transition an executable to the prelude_initrc_t domain.
++
++
++.EX
++.PP
++.B prelude_lml_exec_t
++.EE
++
++- Set files with the prelude_lml_exec_t type, if you want to transition an executable to the prelude_lml_t domain.
++
++
++.EX
++.PP
++.B prelude_lml_tmp_t
++.EE
++
++- Set files with the prelude_lml_tmp_t type, if you want to store prelude lml temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B prelude_lml_var_run_t
++.EE
++
++- Set files with the prelude_lml_var_run_t type, if you want to store the prelude lml files under the /run directory.
++
++
++.EX
++.PP
++.B prelude_log_t
++.EE
++
++- Set files with the prelude_log_t type, if you want to treat the data as prelude log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B prelude_spool_t
++.EE
++
++- Set files with the prelude_spool_t type, if you want to store the prelude files under the /var/spool directory.
++
++
++.EX
++.PP
++.B prelude_var_lib_t
++.EE
++
++- Set files with the prelude_var_lib_t type, if you want to store the prelude files under the /var/lib directory.
++
++
++.EX
++.PP
++.B prelude_var_run_t
++.EE
++
++- Set files with the prelude_var_run_t type, if you want to store the prelude files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux prelude policy is very flexible allowing users to setup their prelude processes in as secure a method as possible.
++.PP
++The following port types are defined for prelude:
++
++.EX
++.TP 5
++.B prelude_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 4690
++.EE
++udp 4690
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type prelude_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B prelude_log_t
++
++ /var/log/prelude.*
++.br
++
++.br
++.B prelude_spool_t
++
++ /var/spool/prelude(/.*)?
++.br
++ /var/spool/prelude-manager(/.*)?
++.br
++
++.br
++.B prelude_var_lib_t
++
++ /var/lib/prelude-lml(/.*)?
++.br
++
++.br
++.B prelude_var_run_t
++
++ /var/run/prelude-manager(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelude_lml_t, prelude_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the prelude_lml_t, prelude_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), prelude(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, prelude_audisp_selinux(8), prelude_correlator_selinux(8), prelude_lml_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/privoxy_selinux.8 b/man/man8/privoxy_selinux.8
+new file mode 100644
+index 0000000..f7a88d0
+--- /dev/null
++++ b/man/man8/privoxy_selinux.8
+@@ -0,0 +1,174 @@
++.TH "privoxy_selinux" "8" "12-11-01" "privoxy" "SELinux Policy documentation for privoxy"
++.SH "NAME"
++privoxy_selinux \- Security Enhanced Linux Policy for the privoxy processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the privoxy processes via flexible mandatory access control.
++
++The privoxy processes execute with the privoxy_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep privoxy_t
++
++
++.SH "ENTRYPOINTS"
++
++The privoxy_t SELinux type can be entered via the "privoxy_exec_t" file type. The default entrypoint paths for the privoxy_t domain are the following:"
++
++/usr/sbin/privoxy
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux privoxy policy is very flexible allowing users to setup their privoxy processes in as secure a method as possible.
++.PP
++The following process types are defined for privoxy:
++
++.EX
++.B privoxy_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. privoxy policy is extremely flexible and has several booleans that allow you to manipulate the policy and run privoxy with the tightest access possible.
++
++
++.PP
++If you want to allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the privoxy_connect_any boolean.
++
++.EX
++.B setsebool -P privoxy_connect_any 1
++.EE
++
++.PP
++If you want to allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the privoxy_connect_any boolean.
++
++.EX
++.B setsebool -P privoxy_connect_any 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux privoxy policy is very flexible allowing users to setup their privoxy processes in as secure a method as possible.
++.PP
++The following file types are defined for privoxy:
++
++
++.EX
++.PP
++.B privoxy_etc_rw_t
++.EE
++
++- Set files with the privoxy_etc_rw_t type, if you want to treat the files as privoxy etc read/write content.
++
++
++.EX
++.PP
++.B privoxy_exec_t
++.EE
++
++- Set files with the privoxy_exec_t type, if you want to transition an executable to the privoxy_t domain.
++
++
++.EX
++.PP
++.B privoxy_initrc_exec_t
++.EE
++
++- Set files with the privoxy_initrc_exec_t type, if you want to transition an executable to the privoxy_initrc_t domain.
++
++
++.EX
++.PP
++.B privoxy_log_t
++.EE
++
++- Set files with the privoxy_log_t type, if you want to treat the data as privoxy log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B privoxy_var_run_t
++.EE
++
++- Set files with the privoxy_var_run_t type, if you want to store the privoxy files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type privoxy_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B privoxy_etc_rw_t
++
++ /etc/privoxy/[^/]*\.action
++.br
++
++.br
++.B privoxy_log_t
++
++ /var/log/privoxy(/.*)?
++.br
++
++.br
++.B privoxy_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the privoxy_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the privoxy_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), privoxy(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/procmail_selinux.8 b/man/man8/procmail_selinux.8
+new file mode 100644
+index 0000000..12bd0d0
+--- /dev/null
++++ b/man/man8/procmail_selinux.8
+@@ -0,0 +1,180 @@
++.TH "procmail_selinux" "8" "12-11-01" "procmail" "SELinux Policy documentation for procmail"
++.SH "NAME"
++procmail_selinux \- Security Enhanced Linux Policy for the procmail processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the procmail processes via flexible mandatory access control.
++
++The procmail processes execute with the procmail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep procmail_t
++
++
++.SH "ENTRYPOINTS"
++
++The procmail_t SELinux type can be entered via the "procmail_exec_t" file type. The default entrypoint paths for the procmail_t domain are the following:"
++
++/usr/bin/procmail
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux procmail policy is very flexible allowing users to setup their procmail processes in as secure a method as possible.
++.PP
++The following process types are defined for procmail:
++
++.EX
++.B procmail_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux procmail policy is very flexible allowing users to setup their procmail processes in as secure a method as possible.
++.PP
++The following file types are defined for procmail:
++
++
++.EX
++.PP
++.B procmail_exec_t
++.EE
++
++- Set files with the procmail_exec_t type, if you want to transition an executable to the procmail_t domain.
++
++
++.EX
++.PP
++.B procmail_home_t
++.EE
++
++- Set files with the procmail_home_t type, if you want to store procmail files in the users home directory.
++
++
++.EX
++.PP
++.B procmail_log_t
++.EE
++
++- Set files with the procmail_log_t type, if you want to treat the data as procmail log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B procmail_tmp_t
++.EE
++
++- Set files with the procmail_tmp_t type, if you want to store procmail temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type procmail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B data_home_t
++
++ /root/\.local/share(/.*)?
++.br
++ /home/[^/]*/\.local/share(/.*)?
++.br
++ /home/dwalsh/\.local/share(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.local/share(/.*)?
++.br
++
++.br
++.B mail_home_rw_t
++
++ /root/Maildir(/.*)?
++.br
++ /home/[^/]*/Maildir(/.*)?
++.br
++ /home/dwalsh/Maildir(/.*)?
++.br
++ /var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.br
++.B procmail_tmp_t
++
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the procmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the procmail_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), procmail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/psad_selinux.8 b/man/man8/psad_selinux.8
+new file mode 100644
+index 0000000..ce2de13
+--- /dev/null
++++ b/man/man8/psad_selinux.8
+@@ -0,0 +1,168 @@
++.TH "psad_selinux" "8" "12-11-01" "psad" "SELinux Policy documentation for psad"
++.SH "NAME"
++psad_selinux \- Security Enhanced Linux Policy for the psad processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the psad processes via flexible mandatory access control.
++
++The psad processes execute with the psad_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep psad_t
++
++
++.SH "ENTRYPOINTS"
++
++The psad_t SELinux type can be entered via the "psad_exec_t" file type. The default entrypoint paths for the psad_t domain are the following:"
++
++/usr/sbin/psad
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux psad policy is very flexible allowing users to setup their psad processes in as secure a method as possible.
++.PP
++The following process types are defined for psad:
++
++.EX
++.B psad_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux psad policy is very flexible allowing users to setup their psad processes in as secure a method as possible.
++.PP
++The following file types are defined for psad:
++
++
++.EX
++.PP
++.B psad_etc_t
++.EE
++
++- Set files with the psad_etc_t type, if you want to store psad files in the /etc directories.
++
++
++.EX
++.PP
++.B psad_exec_t
++.EE
++
++- Set files with the psad_exec_t type, if you want to transition an executable to the psad_t domain.
++
++
++.EX
++.PP
++.B psad_initrc_exec_t
++.EE
++
++- Set files with the psad_initrc_exec_t type, if you want to transition an executable to the psad_initrc_t domain.
++
++
++.EX
++.PP
++.B psad_tmp_t
++.EE
++
++- Set files with the psad_tmp_t type, if you want to store psad temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B psad_var_lib_t
++.EE
++
++- Set files with the psad_var_lib_t type, if you want to store the psad files under the /var/lib directory.
++
++
++.EX
++.PP
++.B psad_var_log_t
++.EE
++
++- Set files with the psad_var_log_t type, if you want to treat the data as psad var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B psad_var_run_t
++.EE
++
++- Set files with the psad_var_run_t type, if you want to store the psad files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type psad_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B psad_tmp_t
++
++
++.br
++.B psad_var_log_t
++
++ /var/log/psad(/.*)?
++.br
++
++.br
++.B psad_var_run_t
++
++ /var/run/psad(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the psad_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the psad_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), psad(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ptal_selinux.8 b/man/man8/ptal_selinux.8
+new file mode 100644
+index 0000000..aa2365a
+--- /dev/null
++++ b/man/man8/ptal_selinux.8
+@@ -0,0 +1,140 @@
++.TH "ptal_selinux" "8" "12-11-01" "ptal" "SELinux Policy documentation for ptal"
++.SH "NAME"
++ptal_selinux \- Security Enhanced Linux Policy for the ptal processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ptal processes via flexible mandatory access control.
++
++The ptal processes execute with the ptal_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ptal_t
++
++
++.SH "ENTRYPOINTS"
++
++The ptal_t SELinux type can be entered via the "ptal_exec_t" file type. The default entrypoint paths for the ptal_t domain are the following:"
++
++/usr/sbin/ptal-mlcd, /usr/sbin/ptal-printd, /usr/sbin/ptal-photod
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ptal policy is very flexible allowing users to setup their ptal processes in as secure a method as possible.
++.PP
++The following process types are defined for ptal:
++
++.EX
++.B ptal_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ptal policy is very flexible allowing users to setup their ptal processes in as secure a method as possible.
++.PP
++The following file types are defined for ptal:
++
++
++.EX
++.PP
++.B ptal_etc_t
++.EE
++
++- Set files with the ptal_etc_t type, if you want to store ptal files in the /etc directories.
++
++
++.EX
++.PP
++.B ptal_exec_t
++.EE
++
++- Set files with the ptal_exec_t type, if you want to transition an executable to the ptal_t domain.
++
++
++.EX
++.PP
++.B ptal_var_run_t
++.EE
++
++- Set files with the ptal_var_run_t type, if you want to store the ptal files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux ptal policy is very flexible allowing users to setup their ptal processes in as secure a method as possible.
++.PP
++The following port types are defined for ptal:
++
++.EX
++.TP 5
++.B ptal_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 5703
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type ptal_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ptal_var_run_t
++
++ /var/run/ptal-mlcd(/.*)?
++.br
++ /var/run/ptal-printd(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ptal(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ptchown_selinux.8 b/man/man8/ptchown_selinux.8
+new file mode 100644
+index 0000000..31e96e1
+--- /dev/null
++++ b/man/man8/ptchown_selinux.8
+@@ -0,0 +1,94 @@
++.TH "ptchown_selinux" "8" "12-11-01" "ptchown" "SELinux Policy documentation for ptchown"
++.SH "NAME"
++ptchown_selinux \- Security Enhanced Linux Policy for the ptchown processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ptchown processes via flexible mandatory access control.
++
++The ptchown processes execute with the ptchown_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ptchown_t
++
++
++.SH "ENTRYPOINTS"
++
++The ptchown_t SELinux type can be entered via the "ptchown_exec_t" file type. The default entrypoint paths for the ptchown_t domain are the following:"
++
++/usr/libexec/pt_chown
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ptchown policy is very flexible allowing users to setup their ptchown processes in as secure a method as possible.
++.PP
++The following process types are defined for ptchown:
++
++.EX
++.B ptchown_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ptchown policy is very flexible allowing users to setup their ptchown processes in as secure a method as possible.
++.PP
++The following file types are defined for ptchown:
++
++
++.EX
++.PP
++.B ptchown_exec_t
++.EE
++
++- Set files with the ptchown_exec_t type, if you want to transition an executable to the ptchown_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type ptchown_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ptchown(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/publicfile_selinux.8 b/man/man8/publicfile_selinux.8
+new file mode 100644
+index 0000000..6021aa7
+--- /dev/null
++++ b/man/man8/publicfile_selinux.8
+@@ -0,0 +1,94 @@
++.TH "publicfile_selinux" "8" "12-11-01" "publicfile" "SELinux Policy documentation for publicfile"
++.SH "NAME"
++publicfile_selinux \- Security Enhanced Linux Policy for the publicfile processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the publicfile processes via flexible mandatory access control.
++
++The publicfile processes execute with the publicfile_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep publicfile_t
++
++
++.SH "ENTRYPOINTS"
++
++The publicfile_t SELinux type can be entered via the "publicfile_exec_t" file type. The default entrypoint paths for the publicfile_t domain are the following:"
++
++/usr/bin/ftpd, /usr/bin/httpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux publicfile policy is very flexible allowing users to setup their publicfile processes in as secure a method as possible.
++.PP
++The following process types are defined for publicfile:
++
++.EX
++.B publicfile_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux publicfile policy is very flexible allowing users to setup their publicfile processes in as secure a method as possible.
++.PP
++The following file types are defined for publicfile:
++
++
++.EX
++.PP
++.B publicfile_content_t
++.EE
++
++- Set files with the publicfile_content_t type, if you want to treat the files as publicfile content.
++
++
++.EX
++.PP
++.B publicfile_exec_t
++.EE
++
++- Set files with the publicfile_exec_t type, if you want to transition an executable to the publicfile_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), publicfile(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/pulseaudio_selinux.8 b/man/man8/pulseaudio_selinux.8
+new file mode 100644
+index 0000000..f889102
+--- /dev/null
++++ b/man/man8/pulseaudio_selinux.8
+@@ -0,0 +1,300 @@
++.TH "pulseaudio_selinux" "8" "12-11-01" "pulseaudio" "SELinux Policy documentation for pulseaudio"
++.SH "NAME"
++pulseaudio_selinux \- Security Enhanced Linux Policy for the pulseaudio processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pulseaudio processes via flexible mandatory access control.
++
++The pulseaudio processes execute with the pulseaudio_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pulseaudio_t
++
++
++.SH "ENTRYPOINTS"
++
++The pulseaudio_t SELinux type can be entered via the "pulseaudio_exec_t" file type. The default entrypoint paths for the pulseaudio_t domain are the following:"
++
++/usr/bin/pulseaudio
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pulseaudio policy is very flexible allowing users to setup their pulseaudio processes in as secure a method as possible.
++.PP
++The following process types are defined for pulseaudio:
++
++.EX
++.B pulseaudio_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pulseaudio policy is very flexible allowing users to setup their pulseaudio processes in as secure a method as possible.
++.PP
++The following file types are defined for pulseaudio:
++
++
++.EX
++.PP
++.B pulseaudio_exec_t
++.EE
++
++- Set files with the pulseaudio_exec_t type, if you want to transition an executable to the pulseaudio_t domain.
++
++
++.EX
++.PP
++.B pulseaudio_home_t
++.EE
++
++- Set files with the pulseaudio_home_t type, if you want to store pulseaudio files in the users home directory.
++
++
++.EX
++.PP
++.B pulseaudio_tmpfs_t
++.EE
++
++- Set files with the pulseaudio_tmpfs_t type, if you want to store pulseaudio files on a tmpfs file system.
++
++
++.EX
++.PP
++.B pulseaudio_var_lib_t
++.EE
++
++- Set files with the pulseaudio_var_lib_t type, if you want to store the pulseaudio files under the /var/lib directory.
++
++
++.EX
++.PP
++.B pulseaudio_var_run_t
++.EE
++
++- Set files with the pulseaudio_var_run_t type, if you want to store the pulseaudio files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux pulseaudio policy is very flexible allowing users to setup their pulseaudio processes in as secure a method as possible.
++.PP
++The following port types are defined for pulseaudio:
++
++.EX
++.TP 5
++.B pulseaudio_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 4713
++.EE
++udp 4713
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type pulseaudio_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B gstreamer_home_t
++
++ /var/run/user/[^/]*/\.orc(/.*)?
++.br
++ /root/\.gstreamer-.*
++.br
++ /home/[^/]*/\.orc(/.*)?
++.br
++ /home/[^/]*/\.gstreamer-.*
++.br
++ /home/[^/]*/\.grl-bookmarks
++.br
++ /home/[^/]*/\.grl-bookmarks
++.br
++ /home/[^/]*/\.grl-metadata-store
++.br
++ /home/dwalsh/\.orc(/.*)?
++.br
++ /home/dwalsh/\.gstreamer-.*
++.br
++ /home/dwalsh/\.grl-bookmarks
++.br
++ /home/dwalsh/\.grl-bookmarks
++.br
++ /home/dwalsh/\.grl-metadata-store
++.br
++ /var/lib/xguest/home/xguest/\.orc(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.gstreamer-.*
++.br
++ /var/lib/xguest/home/xguest/\.grl-bookmarks
++.br
++ /var/lib/xguest/home/xguest/\.grl-bookmarks
++.br
++ /var/lib/xguest/home/xguest/\.grl-metadata-store
++.br
++
++.br
++.B pulseaudio_home_t
++
++ /root/\.pulse(/.*)?
++.br
++ /root/\.esd_auth
++.br
++ /root/\.pulse-cookie
++.br
++ /home/[^/]*/\.pulse(/.*)?
++.br
++ /home/[^/]*/\.esd_auth
++.br
++ /home/[^/]*/\.pulse-cookie
++.br
++ /home/dwalsh/\.pulse(/.*)?
++.br
++ /home/dwalsh/\.esd_auth
++.br
++ /home/dwalsh/\.pulse-cookie
++.br
++ /var/lib/xguest/home/xguest/\.pulse(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.esd_auth
++.br
++ /var/lib/xguest/home/xguest/\.pulse-cookie
++.br
++
++.br
++.B pulseaudio_var_lib_t
++
++ /var/lib/pulse(/.*)?
++.br
++
++.br
++.B pulseaudio_var_run_t
++
++ /var/run/pulse(/.*)?
++.br
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B user_tmp_type
++
++ all user tmp files
++.br
++
++.br
++.B user_tmpfs_type
++
++ all user content in tmpfs file systems
++.br
++
++.br
++.B virt_tmpfs_type
++
++
++.br
++.B xdm_tmp_t
++
++ /tmp/\.X11-unix(/.*)?
++.br
++ /tmp/\.ICE-unix(/.*)?
++.br
++ /tmp/\.X0-lock
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pulseaudio_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pulseaudio_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pulseaudio(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/puppet_selinux.8 b/man/man8/puppet_selinux.8
+new file mode 100644
+index 0000000..1e449cb
+--- /dev/null
++++ b/man/man8/puppet_selinux.8
+@@ -0,0 +1,368 @@
++.TH "puppet_selinux" "8" "12-11-01" "puppet" "SELinux Policy documentation for puppet"
++.SH "NAME"
++puppet_selinux \- Security Enhanced Linux Policy for the puppet processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the puppet processes via flexible mandatory access control.
++
++The puppet processes execute with the puppet_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep puppet_t
++
++
++.SH "ENTRYPOINTS"
++
++The puppet_t SELinux type can be entered via the "puppet_exec_t" file type. The default entrypoint paths for the puppet_t domain are the following:"
++
++/usr/sbin/puppetd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux puppet policy is very flexible allowing users to setup their puppet processes in as secure a method as possible.
++.PP
++The following process types are defined for puppet:
++
++.EX
++.B puppet_t, puppetmaster_t, puppetca_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. puppet policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppet with the tightest access possible.
++
++
++.PP
++If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean.
++
++.EX
++.B setsebool -P puppetmaster_use_db 1
++.EE
++
++.PP
++If you want to allow Puppet client to manage all file types, you must turn on the puppet_manage_all_files boolean.
++
++.EX
++.B setsebool -P puppet_manage_all_files 1
++.EE
++
++.PP
++If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean.
++
++.EX
++.B setsebool -P puppetmaster_use_db 1
++.EE
++
++.PP
++If you want to allow Puppet client to manage all file types, you must turn on the puppet_manage_all_files boolean.
++
++.EX
++.B setsebool -P puppet_manage_all_files 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux puppet policy is very flexible allowing users to setup their puppet processes in as secure a method as possible.
++.PP
++The following file types are defined for puppet:
++
++
++.EX
++.PP
++.B puppet_etc_t
++.EE
++
++- Set files with the puppet_etc_t type, if you want to store puppet files in the /etc directories.
++
++
++.EX
++.PP
++.B puppet_exec_t
++.EE
++
++- Set files with the puppet_exec_t type, if you want to transition an executable to the puppet_t domain.
++
++
++.EX
++.PP
++.B puppet_initrc_exec_t
++.EE
++
++- Set files with the puppet_initrc_exec_t type, if you want to transition an executable to the puppet_initrc_t domain.
++
++
++.EX
++.PP
++.B puppet_log_t
++.EE
++
++- Set files with the puppet_log_t type, if you want to treat the data as puppet log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B puppet_tmp_t
++.EE
++
++- Set files with the puppet_tmp_t type, if you want to store puppet temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B puppet_var_lib_t
++.EE
++
++- Set files with the puppet_var_lib_t type, if you want to store the puppet files under the /var/lib directory.
++
++
++.EX
++.PP
++.B puppet_var_run_t
++.EE
++
++- Set files with the puppet_var_run_t type, if you want to store the puppet files under the /run directory.
++
++
++.EX
++.PP
++.B puppetca_exec_t
++.EE
++
++- Set files with the puppetca_exec_t type, if you want to transition an executable to the puppetca_t domain.
++
++
++.EX
++.PP
++.B puppetmaster_exec_t
++.EE
++
++- Set files with the puppetmaster_exec_t type, if you want to transition an executable to the puppetmaster_t domain.
++
++
++.EX
++.PP
++.B puppetmaster_initrc_exec_t
++.EE
++
++- Set files with the puppetmaster_initrc_exec_t type, if you want to transition an executable to the puppetmaster_initrc_t domain.
++
++
++.EX
++.PP
++.B puppetmaster_tmp_t
++.EE
++
++- Set files with the puppetmaster_tmp_t type, if you want to store puppetmaster temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux puppet policy is very flexible allowing users to setup their puppet processes in as secure a method as possible.
++.PP
++The following port types are defined for puppet:
++
++.EX
++.TP 5
++.B puppet_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8140
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type puppet_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B boolean_type
++
++
++.br
++.B configfile
++
++
++.br
++.B etc_t
++
++ /etc/.*
++.br
++ /var/db/.*\.db
++.br
++ /usr/etc(/.*)?
++.br
++ /var/ftp/etc(/.*)?
++.br
++ /var/lib/openshift/.limits.d(/.*)?
++.br
++ /var/lib/openshift/.openshift-proxy.d(/.*)?
++.br
++ /var/lib/openshift/.stickshift-proxy.d(/.*)?
++.br
++ /var/lib/stickshift/.limits.d(/.*)?
++.br
++ /var/lib/stickshift/.stickshift-proxy.d(/.*)?
++.br
++ /var/named/chroot/etc(/.*)?
++.br
++ /etc/ipsec\.d/examples(/.*)?
++.br
++ /var/spool/postfix/etc(/.*)?
++.br
++ /etc
++.br
++ /etc/cups/client\.conf
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B krb5_keytab_t
++
++ /etc/krb5\.keytab
++.br
++ /etc/krb5kdc/kadm5\.keytab
++.br
++ /var/kerberos/krb5kdc/kadm5\.keytab
++.br
++
++.br
++.B puppet_tmp_t
++
++
++.br
++.B puppet_var_lib_t
++
++ /var/lib/puppet(/.*)?
++.br
++
++.br
++.B puppet_var_run_t
++
++ /var/run/puppet(/.*)?
++.br
++
++.br
++.B rpm_log_t
++
++ /var/log/yum\.log.*
++.br
++
++.br
++.B rpm_var_lib_t
++
++ /var/lib/rpm(/.*)?
++.br
++ /var/lib/yum(/.*)?
++.br
++ /var/lib/PackageKit(/.*)?
++.br
++ /var/lib/alternatives(/.*)?
++.br
++
++.br
++.B var_t
++
++ /nsr(/.*)?
++.br
++ /var/.*
++.br
++ /srv/.*
++.br
++ /var
++.br
++ /srv
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the puppetmaster_t, puppet_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the puppetmaster_t, puppet_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), puppet(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), puppetca_selinux(8), puppetmaster_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/puppetca_selinux.8 b/man/man8/puppetca_selinux.8
+new file mode 100644
+index 0000000..b0b4381
+--- /dev/null
++++ b/man/man8/puppetca_selinux.8
+@@ -0,0 +1,103 @@
++.TH "puppetca_selinux" "8" "12-11-01" "puppetca" "SELinux Policy documentation for puppetca"
++.SH "NAME"
++puppetca_selinux \- Security Enhanced Linux Policy for the puppetca processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the puppetca processes via flexible mandatory access control.
++
++The puppetca processes execute with the puppetca_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep puppetca_t
++
++
++.SH "ENTRYPOINTS"
++
++The puppetca_t SELinux type can be entered via the "puppetca_exec_t" file type. The default entrypoint paths for the puppetca_t domain are the following:"
++
++/usr/sbin/puppetca
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux puppetca policy is very flexible allowing users to setup their puppetca processes in as secure a method as possible.
++.PP
++The following process types are defined for puppetca:
++
++.EX
++.B puppetca_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux puppetca policy is very flexible allowing users to setup their puppetca processes in as secure a method as possible.
++.PP
++The following file types are defined for puppetca:
++
++
++.EX
++.PP
++.B puppetca_exec_t
++.EE
++
++- Set files with the puppetca_exec_t type, if you want to transition an executable to the puppetca_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type puppetca_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B puppet_var_lib_t
++
++ /var/lib/puppet(/.*)?
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), puppetca(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, puppet_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/puppetmaster_selinux.8 b/man/man8/puppetmaster_selinux.8
+new file mode 100644
+index 0000000..83d8f60
+--- /dev/null
++++ b/man/man8/puppetmaster_selinux.8
+@@ -0,0 +1,170 @@
++.TH "puppetmaster_selinux" "8" "12-11-01" "puppetmaster" "SELinux Policy documentation for puppetmaster"
++.SH "NAME"
++puppetmaster_selinux \- Security Enhanced Linux Policy for the puppetmaster processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the puppetmaster processes via flexible mandatory access control.
++
++The puppetmaster processes execute with the puppetmaster_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep puppetmaster_t
++
++
++.SH "ENTRYPOINTS"
++
++The puppetmaster_t SELinux type can be entered via the "puppetmaster_exec_t" file type. The default entrypoint paths for the puppetmaster_t domain are the following:"
++
++/usr/sbin/puppetmasterd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux puppetmaster policy is very flexible allowing users to setup their puppetmaster processes in as secure a method as possible.
++.PP
++The following process types are defined for puppetmaster:
++
++.EX
++.B puppetmaster_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. puppetmaster policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppetmaster with the tightest access possible.
++
++
++.PP
++If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean.
++
++.EX
++.B setsebool -P puppetmaster_use_db 1
++.EE
++
++.PP
++If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean.
++
++.EX
++.B setsebool -P puppetmaster_use_db 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux puppetmaster policy is very flexible allowing users to setup their puppetmaster processes in as secure a method as possible.
++.PP
++The following file types are defined for puppetmaster:
++
++
++.EX
++.PP
++.B puppetmaster_exec_t
++.EE
++
++- Set files with the puppetmaster_exec_t type, if you want to transition an executable to the puppetmaster_t domain.
++
++
++.EX
++.PP
++.B puppetmaster_initrc_exec_t
++.EE
++
++- Set files with the puppetmaster_initrc_exec_t type, if you want to transition an executable to the puppetmaster_initrc_t domain.
++
++
++.EX
++.PP
++.B puppetmaster_tmp_t
++.EE
++
++- Set files with the puppetmaster_tmp_t type, if you want to store puppetmaster temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type puppetmaster_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B puppet_log_t
++
++ /var/log/puppet(/.*)?
++.br
++
++.br
++.B puppet_var_lib_t
++
++ /var/lib/puppet(/.*)?
++.br
++
++.br
++.B puppet_var_run_t
++
++ /var/run/puppet(/.*)?
++.br
++
++.br
++.B puppetmaster_tmp_t
++
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the puppetmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the puppetmaster_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), puppetmaster(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), puppet_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/pwauth_selinux.8 b/man/man8/pwauth_selinux.8
+new file mode 100644
+index 0000000..ce82d8a
+--- /dev/null
++++ b/man/man8/pwauth_selinux.8
+@@ -0,0 +1,118 @@
++.TH "pwauth_selinux" "8" "12-11-01" "pwauth" "SELinux Policy documentation for pwauth"
++.SH "NAME"
++pwauth_selinux \- Security Enhanced Linux Policy for the pwauth processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pwauth processes via flexible mandatory access control.
++
++The pwauth processes execute with the pwauth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pwauth_t
++
++
++.SH "ENTRYPOINTS"
++
++The pwauth_t SELinux type can be entered via the "pwauth_exec_t" file type. The default entrypoint paths for the pwauth_t domain are the following:"
++
++/usr/bin/pwauth
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pwauth policy is very flexible allowing users to setup their pwauth processes in as secure a method as possible.
++.PP
++The following process types are defined for pwauth:
++
++.EX
++.B pwauth_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pwauth policy is very flexible allowing users to setup their pwauth processes in as secure a method as possible.
++.PP
++The following file types are defined for pwauth:
++
++
++.EX
++.PP
++.B pwauth_exec_t
++.EE
++
++- Set files with the pwauth_exec_t type, if you want to transition an executable to the pwauth_t domain.
++
++
++.EX
++.PP
++.B pwauth_var_run_t
++.EE
++
++- Set files with the pwauth_var_run_t type, if you want to store the pwauth files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type pwauth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B pwauth_var_run_t
++
++ /var/run/pwauth.lock
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pwauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pwauth_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pwauth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/pyicqt_selinux.8 b/man/man8/pyicqt_selinux.8
+new file mode 100644
+index 0000000..d92e759
+--- /dev/null
++++ b/man/man8/pyicqt_selinux.8
+@@ -0,0 +1,146 @@
++.TH "pyicqt_selinux" "8" "12-11-01" "pyicqt" "SELinux Policy documentation for pyicqt"
++.SH "NAME"
++pyicqt_selinux \- Security Enhanced Linux Policy for the pyicqt processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the pyicqt processes via flexible mandatory access control.
++
++The pyicqt processes execute with the pyicqt_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep pyicqt_t
++
++
++.SH "ENTRYPOINTS"
++
++The pyicqt_t SELinux type can be entered via the "pyicqt_exec_t" file type. The default entrypoint paths for the pyicqt_t domain are the following:"
++
++/usr/share/pyicq-t/PyICQt\.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux pyicqt policy is very flexible allowing users to setup their pyicqt processes in as secure a method as possible.
++.PP
++The following process types are defined for pyicqt:
++
++.EX
++.B pyicqt_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux pyicqt policy is very flexible allowing users to setup their pyicqt processes in as secure a method as possible.
++.PP
++The following file types are defined for pyicqt:
++
++
++.EX
++.PP
++.B pyicqt_exec_t
++.EE
++
++- Set files with the pyicqt_exec_t type, if you want to transition an executable to the pyicqt_t domain.
++
++
++.EX
++.PP
++.B pyicqt_log_t
++.EE
++
++- Set files with the pyicqt_log_t type, if you want to treat the data as pyicqt log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B pyicqt_var_run_t
++.EE
++
++- Set files with the pyicqt_var_run_t type, if you want to store the pyicqt files under the /run directory.
++
++
++.EX
++.PP
++.B pyicqt_var_spool_t
++.EE
++
++- Set files with the pyicqt_var_spool_t type, if you want to store the pyicqt var files under the /var/spool directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type pyicqt_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B pyicqt_log_t
++
++ /var/log/pyicq-t\.log.*
++.br
++
++.br
++.B pyicqt_var_run_t
++
++ /var/run/pyicq-t(/.*)?
++.br
++
++.br
++.B pyicqt_var_spool_t
++
++ /var/spool/pyicq-t(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pyicqt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pyicqt_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), pyicqt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/qdiskd_selinux.8 b/man/man8/qdiskd_selinux.8
+new file mode 100644
+index 0000000..e6e2867
+--- /dev/null
++++ b/man/man8/qdiskd_selinux.8
+@@ -0,0 +1,164 @@
++.TH "qdiskd_selinux" "8" "12-11-01" "qdiskd" "SELinux Policy documentation for qdiskd"
++.SH "NAME"
++qdiskd_selinux \- Security Enhanced Linux Policy for the qdiskd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qdiskd processes via flexible mandatory access control.
++
++The qdiskd processes execute with the qdiskd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qdiskd_t
++
++
++.SH "ENTRYPOINTS"
++
++The qdiskd_t SELinux type can be entered via the "qdiskd_exec_t" file type. The default entrypoint paths for the qdiskd_t domain are the following:"
++
++/usr/sbin/qdiskd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qdiskd policy is very flexible allowing users to setup their qdiskd processes in as secure a method as possible.
++.PP
++The following process types are defined for qdiskd:
++
++.EX
++.B qdiskd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qdiskd policy is very flexible allowing users to setup their qdiskd processes in as secure a method as possible.
++.PP
++The following file types are defined for qdiskd:
++
++
++.EX
++.PP
++.B qdiskd_exec_t
++.EE
++
++- Set files with the qdiskd_exec_t type, if you want to transition an executable to the qdiskd_t domain.
++
++
++.EX
++.PP
++.B qdiskd_tmpfs_t
++.EE
++
++- Set files with the qdiskd_tmpfs_t type, if you want to store qdiskd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B qdiskd_var_lib_t
++.EE
++
++- Set files with the qdiskd_var_lib_t type, if you want to store the qdiskd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B qdiskd_var_log_t
++.EE
++
++- Set files with the qdiskd_var_log_t type, if you want to treat the data as qdiskd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B qdiskd_var_run_t
++.EE
++
++- Set files with the qdiskd_var_run_t type, if you want to store the qdiskd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type qdiskd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cluster_var_lib_t
++
++ /var/lib/cluster(/.*)?
++.br
++
++.br
++.B qdiskd_tmpfs_t
++
++
++.br
++.B qdiskd_var_lib_t
++
++ /var/lib/qdiskd(/.*)?
++.br
++
++.br
++.B qdiskd_var_log_t
++
++ /var/log/cluster/qdiskd\.log.*
++.br
++
++.br
++.B qdiskd_var_run_t
++
++ /var/run/qdiskd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the qdiskd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the qdiskd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qdiskd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/qemu_dm_selinux.8 b/man/man8/qemu_dm_selinux.8
+new file mode 100644
+index 0000000..a367e12
+--- /dev/null
++++ b/man/man8/qemu_dm_selinux.8
+@@ -0,0 +1,94 @@
++.TH "qemu_dm_selinux" "8" "12-11-01" "qemu_dm" "SELinux Policy documentation for qemu_dm"
++.SH "NAME"
++qemu_dm_selinux \- Security Enhanced Linux Policy for the qemu_dm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qemu_dm processes via flexible mandatory access control.
++
++The qemu_dm processes execute with the qemu_dm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qemu_dm_t
++
++
++.SH "ENTRYPOINTS"
++
++The qemu_dm_t SELinux type can be entered via the "qemu_dm_exec_t" file type. The default entrypoint paths for the qemu_dm_t domain are the following:"
++
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qemu_dm policy is very flexible allowing users to setup their qemu_dm processes in as secure a method as possible.
++.PP
++The following process types are defined for qemu_dm:
++
++.EX
++.B qemu_dm_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qemu_dm policy is very flexible allowing users to setup their qemu_dm processes in as secure a method as possible.
++.PP
++The following file types are defined for qemu_dm:
++
++
++.EX
++.PP
++.B qemu_dm_exec_t
++.EE
++
++- Set files with the qemu_dm_exec_t type, if you want to transition an executable to the qemu_dm_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type qemu_dm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B xenfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qemu_dm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/qmail_clean_selinux.8 b/man/man8/qmail_clean_selinux.8
+new file mode 100644
+index 0000000..4688dbf
+--- /dev/null
++++ b/man/man8/qmail_clean_selinux.8
+@@ -0,0 +1,87 @@
++.TH "qmail_clean_selinux" "8" "12-11-01" "qmail_clean" "SELinux Policy documentation for qmail_clean"
++.SH "NAME"
++qmail_clean_selinux \- Security Enhanced Linux Policy for the qmail_clean processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qmail_clean processes via flexible mandatory access control.
++
++The qmail_clean processes execute with the qmail_clean_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qmail_clean_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_clean_t SELinux type can be entered via the "qmail_clean_exec_t" file type. The default entrypoint paths for the qmail_clean_t domain are the following:"
++
++/var/qmail/bin/qmail-clean
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qmail_clean policy is very flexible allowing users to setup their qmail_clean processes in as secure a method as possible.
++.PP
++The following process types are defined for qmail_clean:
++
++.EX
++.B qmail_clean_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qmail_clean policy is very flexible allowing users to setup their qmail_clean processes in as secure a method as possible.
++.PP
++The following file types are defined for qmail_clean:
++
++
++.EX
++.PP
++.B qmail_clean_exec_t
++.EE
++
++- Set files with the qmail_clean_exec_t type, if you want to transition an executable to the qmail_clean_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qmail_clean(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/qmail_inject_selinux.8 b/man/man8/qmail_inject_selinux.8
+new file mode 100644
+index 0000000..b61fe99
+--- /dev/null
++++ b/man/man8/qmail_inject_selinux.8
+@@ -0,0 +1,95 @@
++.TH "qmail_inject_selinux" "8" "12-11-01" "qmail_inject" "SELinux Policy documentation for qmail_inject"
++.SH "NAME"
++qmail_inject_selinux \- Security Enhanced Linux Policy for the qmail_inject processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qmail_inject processes via flexible mandatory access control.
++
++The qmail_inject processes execute with the qmail_inject_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qmail_inject_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_inject_t SELinux type can be entered via the "qmail_inject_exec_t" file type. The default entrypoint paths for the qmail_inject_t domain are the following:"
++
++/var/qmail/bin/qmail-inject
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qmail_inject policy is very flexible allowing users to setup their qmail_inject processes in as secure a method as possible.
++.PP
++The following process types are defined for qmail_inject:
++
++.EX
++.B qmail_inject_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qmail_inject policy is very flexible allowing users to setup their qmail_inject processes in as secure a method as possible.
++.PP
++The following file types are defined for qmail_inject:
++
++
++.EX
++.PP
++.B qmail_inject_exec_t
++.EE
++
++- Set files with the qmail_inject_exec_t type, if you want to transition an executable to the qmail_inject_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type qmail_inject_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B arpwatch_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qmail_inject(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, qmail_clean_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/qmail_local_selinux.8 b/man/man8/qmail_local_selinux.8
+new file mode 100644
+index 0000000..923074e
+--- /dev/null
++++ b/man/man8/qmail_local_selinux.8
+@@ -0,0 +1,151 @@
++.TH "qmail_local_selinux" "8" "12-11-01" "qmail_local" "SELinux Policy documentation for qmail_local"
++.SH "NAME"
++qmail_local_selinux \- Security Enhanced Linux Policy for the qmail_local processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qmail_local processes via flexible mandatory access control.
++
++The qmail_local processes execute with the qmail_local_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qmail_local_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_local_t SELinux type can be entered via the "qmail_local_exec_t" file type. The default entrypoint paths for the qmail_local_t domain are the following:"
++
++/var/qmail/bin/qmail-local
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qmail_local policy is very flexible allowing users to setup their qmail_local processes in as secure a method as possible.
++.PP
++The following process types are defined for qmail_local:
++
++.EX
++.B qmail_local_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qmail_local policy is very flexible allowing users to setup their qmail_local processes in as secure a method as possible.
++.PP
++The following file types are defined for qmail_local:
++
++
++.EX
++.PP
++.B qmail_local_exec_t
++.EE
++
++- Set files with the qmail_local_exec_t type, if you want to transition an executable to the qmail_local_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type qmail_local_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dovecot_spool_t
++
++ /var/spool/dovecot(/.*)?
++.br
++
++.br
++.B mail_home_rw_t
++
++ /root/Maildir(/.*)?
++.br
++ /home/[^/]*/Maildir(/.*)?
++.br
++ /home/dwalsh/Maildir(/.*)?
++.br
++ /var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.br
++.B qmail_alias_home_t
++
++ /var/qmail/alias(/.*)?
++.br
++ /var/qmail/alias
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the qmail_local_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the qmail_local_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qmail_local(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/qmail_lspawn_selinux.8 b/man/man8/qmail_lspawn_selinux.8
+new file mode 100644
+index 0000000..7ac2a16
+--- /dev/null
++++ b/man/man8/qmail_lspawn_selinux.8
+@@ -0,0 +1,119 @@
++.TH "qmail_lspawn_selinux" "8" "12-11-01" "qmail_lspawn" "SELinux Policy documentation for qmail_lspawn"
++.SH "NAME"
++qmail_lspawn_selinux \- Security Enhanced Linux Policy for the qmail_lspawn processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qmail_lspawn processes via flexible mandatory access control.
++
++The qmail_lspawn processes execute with the qmail_lspawn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qmail_lspawn_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_lspawn_t SELinux type can be entered via the "qmail_lspawn_exec_t" file type. The default entrypoint paths for the qmail_lspawn_t domain are the following:"
++
++/var/qmail/bin/qmail-lspawn
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qmail_lspawn policy is very flexible allowing users to setup their qmail_lspawn processes in as secure a method as possible.
++.PP
++The following process types are defined for qmail_lspawn:
++
++.EX
++.B qmail_lspawn_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qmail_lspawn policy is very flexible allowing users to setup their qmail_lspawn processes in as secure a method as possible.
++.PP
++The following file types are defined for qmail_lspawn:
++
++
++.EX
++.PP
++.B qmail_lspawn_exec_t
++.EE
++
++- Set files with the qmail_lspawn_exec_t type, if you want to transition an executable to the qmail_lspawn_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type qmail_lspawn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dovecot_spool_t
++
++ /var/spool/dovecot(/.*)?
++.br
++
++.br
++.B mail_home_rw_t
++
++ /root/Maildir(/.*)?
++.br
++ /home/[^/]*/Maildir(/.*)?
++.br
++ /home/dwalsh/Maildir(/.*)?
++.br
++ /var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qmail_lspawn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/qmail_queue_selinux.8 b/man/man8/qmail_queue_selinux.8
+new file mode 100644
+index 0000000..473dcd0
+--- /dev/null
++++ b/man/man8/qmail_queue_selinux.8
+@@ -0,0 +1,101 @@
++.TH "qmail_queue_selinux" "8" "12-11-01" "qmail_queue" "SELinux Policy documentation for qmail_queue"
++.SH "NAME"
++qmail_queue_selinux \- Security Enhanced Linux Policy for the qmail_queue processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qmail_queue processes via flexible mandatory access control.
++
++The qmail_queue processes execute with the qmail_queue_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qmail_queue_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_queue_t SELinux type can be entered via the "qmail_queue_exec_t" file type. The default entrypoint paths for the qmail_queue_t domain are the following:"
++
++/var/qmail/bin/qmail-queue
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qmail_queue policy is very flexible allowing users to setup their qmail_queue processes in as secure a method as possible.
++.PP
++The following process types are defined for qmail_queue:
++
++.EX
++.B qmail_queue_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qmail_queue policy is very flexible allowing users to setup their qmail_queue processes in as secure a method as possible.
++.PP
++The following file types are defined for qmail_queue:
++
++
++.EX
++.PP
++.B qmail_queue_exec_t
++.EE
++
++- Set files with the qmail_queue_exec_t type, if you want to transition an executable to the qmail_queue_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type qmail_queue_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B arpwatch_tmp_t
++
++
++.br
++.B qmail_spool_t
++
++ /var/qmail/queue(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qmail_queue(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/qmail_remote_selinux.8 b/man/man8/qmail_remote_selinux.8
+new file mode 100644
+index 0000000..0760c51
+--- /dev/null
++++ b/man/man8/qmail_remote_selinux.8
+@@ -0,0 +1,97 @@
++.TH "qmail_remote_selinux" "8" "12-11-01" "qmail_remote" "SELinux Policy documentation for qmail_remote"
++.SH "NAME"
++qmail_remote_selinux \- Security Enhanced Linux Policy for the qmail_remote processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qmail_remote processes via flexible mandatory access control.
++
++The qmail_remote processes execute with the qmail_remote_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qmail_remote_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_remote_t SELinux type can be entered via the "qmail_remote_exec_t" file type. The default entrypoint paths for the qmail_remote_t domain are the following:"
++
++/var/qmail/bin/qmail-remote
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qmail_remote policy is very flexible allowing users to setup their qmail_remote processes in as secure a method as possible.
++.PP
++The following process types are defined for qmail_remote:
++
++.EX
++.B qmail_remote_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qmail_remote policy is very flexible allowing users to setup their qmail_remote processes in as secure a method as possible.
++.PP
++The following file types are defined for qmail_remote:
++
++
++.EX
++.PP
++.B qmail_remote_exec_t
++.EE
++
++- Set files with the qmail_remote_exec_t type, if you want to transition an executable to the qmail_remote_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type qmail_remote_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B qmail_spool_t
++
++ /var/qmail/queue(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qmail_remote(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/qmail_rspawn_selinux.8 b/man/man8/qmail_rspawn_selinux.8
+new file mode 100644
+index 0000000..5c8ef31
+--- /dev/null
++++ b/man/man8/qmail_rspawn_selinux.8
+@@ -0,0 +1,97 @@
++.TH "qmail_rspawn_selinux" "8" "12-11-01" "qmail_rspawn" "SELinux Policy documentation for qmail_rspawn"
++.SH "NAME"
++qmail_rspawn_selinux \- Security Enhanced Linux Policy for the qmail_rspawn processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qmail_rspawn processes via flexible mandatory access control.
++
++The qmail_rspawn processes execute with the qmail_rspawn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qmail_rspawn_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_rspawn_t SELinux type can be entered via the "qmail_rspawn_exec_t" file type. The default entrypoint paths for the qmail_rspawn_t domain are the following:"
++
++/var/qmail/bin/qmail-rspawn
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qmail_rspawn policy is very flexible allowing users to setup their qmail_rspawn processes in as secure a method as possible.
++.PP
++The following process types are defined for qmail_rspawn:
++
++.EX
++.B qmail_rspawn_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qmail_rspawn policy is very flexible allowing users to setup their qmail_rspawn processes in as secure a method as possible.
++.PP
++The following file types are defined for qmail_rspawn:
++
++
++.EX
++.PP
++.B qmail_rspawn_exec_t
++.EE
++
++- Set files with the qmail_rspawn_exec_t type, if you want to transition an executable to the qmail_rspawn_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type qmail_rspawn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B qmail_spool_t
++
++ /var/qmail/queue(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qmail_rspawn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/qmail_send_selinux.8 b/man/man8/qmail_send_selinux.8
+new file mode 100644
+index 0000000..2dd46dd
+--- /dev/null
++++ b/man/man8/qmail_send_selinux.8
+@@ -0,0 +1,97 @@
++.TH "qmail_send_selinux" "8" "12-11-01" "qmail_send" "SELinux Policy documentation for qmail_send"
++.SH "NAME"
++qmail_send_selinux \- Security Enhanced Linux Policy for the qmail_send processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qmail_send processes via flexible mandatory access control.
++
++The qmail_send processes execute with the qmail_send_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qmail_send_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_send_t SELinux type can be entered via the "qmail_send_exec_t" file type. The default entrypoint paths for the qmail_send_t domain are the following:"
++
++/var/qmail/bin/qmail-send
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qmail_send policy is very flexible allowing users to setup their qmail_send processes in as secure a method as possible.
++.PP
++The following process types are defined for qmail_send:
++
++.EX
++.B qmail_send_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qmail_send policy is very flexible allowing users to setup their qmail_send processes in as secure a method as possible.
++.PP
++The following file types are defined for qmail_send:
++
++
++.EX
++.PP
++.B qmail_send_exec_t
++.EE
++
++- Set files with the qmail_send_exec_t type, if you want to transition an executable to the qmail_send_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type qmail_send_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B qmail_spool_t
++
++ /var/qmail/queue(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qmail_send(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/qmail_smtpd_selinux.8 b/man/man8/qmail_smtpd_selinux.8
+new file mode 100644
+index 0000000..9e7c3d8
+--- /dev/null
++++ b/man/man8/qmail_smtpd_selinux.8
+@@ -0,0 +1,87 @@
++.TH "qmail_smtpd_selinux" "8" "12-11-01" "qmail_smtpd" "SELinux Policy documentation for qmail_smtpd"
++.SH "NAME"
++qmail_smtpd_selinux \- Security Enhanced Linux Policy for the qmail_smtpd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qmail_smtpd processes via flexible mandatory access control.
++
++The qmail_smtpd processes execute with the qmail_smtpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qmail_smtpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_smtpd_t SELinux type can be entered via the "qmail_smtpd_exec_t" file type. The default entrypoint paths for the qmail_smtpd_t domain are the following:"
++
++/var/qmail/bin/qmail-smtpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qmail_smtpd policy is very flexible allowing users to setup their qmail_smtpd processes in as secure a method as possible.
++.PP
++The following process types are defined for qmail_smtpd:
++
++.EX
++.B qmail_smtpd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qmail_smtpd policy is very flexible allowing users to setup their qmail_smtpd processes in as secure a method as possible.
++.PP
++The following file types are defined for qmail_smtpd:
++
++
++.EX
++.PP
++.B qmail_smtpd_exec_t
++.EE
++
++- Set files with the qmail_smtpd_exec_t type, if you want to transition an executable to the qmail_smtpd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qmail_smtpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/qmail_splogger_selinux.8 b/man/man8/qmail_splogger_selinux.8
+new file mode 100644
+index 0000000..4598efb
+--- /dev/null
++++ b/man/man8/qmail_splogger_selinux.8
+@@ -0,0 +1,87 @@
++.TH "qmail_splogger_selinux" "8" "12-11-01" "qmail_splogger" "SELinux Policy documentation for qmail_splogger"
++.SH "NAME"
++qmail_splogger_selinux \- Security Enhanced Linux Policy for the qmail_splogger processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qmail_splogger processes via flexible mandatory access control.
++
++The qmail_splogger processes execute with the qmail_splogger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qmail_splogger_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_splogger_t SELinux type can be entered via the "qmail_splogger_exec_t" file type. The default entrypoint paths for the qmail_splogger_t domain are the following:"
++
++/var/qmail/bin/splogger
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qmail_splogger policy is very flexible allowing users to setup their qmail_splogger processes in as secure a method as possible.
++.PP
++The following process types are defined for qmail_splogger:
++
++.EX
++.B qmail_splogger_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qmail_splogger policy is very flexible allowing users to setup their qmail_splogger processes in as secure a method as possible.
++.PP
++The following file types are defined for qmail_splogger:
++
++
++.EX
++.PP
++.B qmail_splogger_exec_t
++.EE
++
++- Set files with the qmail_splogger_exec_t type, if you want to transition an executable to the qmail_splogger_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qmail_splogger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/qmail_start_selinux.8 b/man/man8/qmail_start_selinux.8
+new file mode 100644
+index 0000000..ff8236b
+--- /dev/null
++++ b/man/man8/qmail_start_selinux.8
+@@ -0,0 +1,87 @@
++.TH "qmail_start_selinux" "8" "12-11-01" "qmail_start" "SELinux Policy documentation for qmail_start"
++.SH "NAME"
++qmail_start_selinux \- Security Enhanced Linux Policy for the qmail_start processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qmail_start processes via flexible mandatory access control.
++
++The qmail_start processes execute with the qmail_start_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qmail_start_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_start_t SELinux type can be entered via the "qmail_start_exec_t" file type. The default entrypoint paths for the qmail_start_t domain are the following:"
++
++/var/qmail/bin/qmail-start
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qmail_start policy is very flexible allowing users to setup their qmail_start processes in as secure a method as possible.
++.PP
++The following process types are defined for qmail_start:
++
++.EX
++.B qmail_start_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qmail_start policy is very flexible allowing users to setup their qmail_start processes in as secure a method as possible.
++.PP
++The following file types are defined for qmail_start:
++
++
++.EX
++.PP
++.B qmail_start_exec_t
++.EE
++
++- Set files with the qmail_start_exec_t type, if you want to transition an executable to the qmail_start_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qmail_start(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/qmail_tcp_env_selinux.8 b/man/man8/qmail_tcp_env_selinux.8
+new file mode 100644
+index 0000000..86b82a0
+--- /dev/null
++++ b/man/man8/qmail_tcp_env_selinux.8
+@@ -0,0 +1,87 @@
++.TH "qmail_tcp_env_selinux" "8" "12-11-01" "qmail_tcp_env" "SELinux Policy documentation for qmail_tcp_env"
++.SH "NAME"
++qmail_tcp_env_selinux \- Security Enhanced Linux Policy for the qmail_tcp_env processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qmail_tcp_env processes via flexible mandatory access control.
++
++The qmail_tcp_env processes execute with the qmail_tcp_env_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qmail_tcp_env_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_tcp_env_t SELinux type can be entered via the "qmail_tcp_env_exec_t" file type. The default entrypoint paths for the qmail_tcp_env_t domain are the following:"
++
++/var/qmail/bin/tcp-env
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qmail_tcp_env policy is very flexible allowing users to setup their qmail_tcp_env processes in as secure a method as possible.
++.PP
++The following process types are defined for qmail_tcp_env:
++
++.EX
++.B qmail_tcp_env_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qmail_tcp_env policy is very flexible allowing users to setup their qmail_tcp_env processes in as secure a method as possible.
++.PP
++The following file types are defined for qmail_tcp_env:
++
++
++.EX
++.PP
++.B qmail_tcp_env_exec_t
++.EE
++
++- Set files with the qmail_tcp_env_exec_t type, if you want to transition an executable to the qmail_tcp_env_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qmail_tcp_env(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/qpidd_selinux.8 b/man/man8/qpidd_selinux.8
+new file mode 100644
+index 0000000..0d185be
+--- /dev/null
++++ b/man/man8/qpidd_selinux.8
+@@ -0,0 +1,140 @@
++.TH "qpidd_selinux" "8" "12-11-01" "qpidd" "SELinux Policy documentation for qpidd"
++.SH "NAME"
++qpidd_selinux \- Security Enhanced Linux Policy for the qpidd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the qpidd processes via flexible mandatory access control.
++
++The qpidd processes execute with the qpidd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep qpidd_t
++
++
++.SH "ENTRYPOINTS"
++
++The qpidd_t SELinux type can be entered via the "qpidd_exec_t" file type. The default entrypoint paths for the qpidd_t domain are the following:"
++
++/usr/sbin/qpidd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux qpidd policy is very flexible allowing users to setup their qpidd processes in as secure a method as possible.
++.PP
++The following process types are defined for qpidd:
++
++.EX
++.B qpidd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux qpidd policy is very flexible allowing users to setup their qpidd processes in as secure a method as possible.
++.PP
++The following file types are defined for qpidd:
++
++
++.EX
++.PP
++.B qpidd_exec_t
++.EE
++
++- Set files with the qpidd_exec_t type, if you want to transition an executable to the qpidd_t domain.
++
++
++.EX
++.PP
++.B qpidd_initrc_exec_t
++.EE
++
++- Set files with the qpidd_initrc_exec_t type, if you want to transition an executable to the qpidd_initrc_t domain.
++
++
++.EX
++.PP
++.B qpidd_tmpfs_t
++.EE
++
++- Set files with the qpidd_tmpfs_t type, if you want to store qpidd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B qpidd_var_lib_t
++.EE
++
++- Set files with the qpidd_var_lib_t type, if you want to store the qpidd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B qpidd_var_run_t
++.EE
++
++- Set files with the qpidd_var_run_t type, if you want to store the qpidd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type qpidd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B qpidd_tmpfs_t
++
++
++.br
++.B qpidd_var_lib_t
++
++ /var/lib/qpidd(/.*)?
++.br
++
++.br
++.B qpidd_var_run_t
++
++ /var/run/qpidd(/.*)?
++.br
++ /var/run/qpidd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), qpidd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/quantum_selinux.8 b/man/man8/quantum_selinux.8
+new file mode 100644
+index 0000000..7ccd16b
+--- /dev/null
++++ b/man/man8/quantum_selinux.8
+@@ -0,0 +1,178 @@
++.TH "quantum_selinux" "8" "12-11-01" "quantum" "SELinux Policy documentation for quantum"
++.SH "NAME"
++quantum_selinux \- Security Enhanced Linux Policy for the quantum processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the quantum processes via flexible mandatory access control.
++
++The quantum processes execute with the quantum_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep quantum_t
++
++
++.SH "ENTRYPOINTS"
++
++The quantum_t SELinux type can be entered via the "quantum_exec_t" file type. The default entrypoint paths for the quantum_t domain are the following:"
++
++/usr/bin/quantum-server, /usr/bin/quantum-ryu-agent, /usr/bin/quantum-openvswitch-agent, /usr/bin/quantum-linuxbridge-agent
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible.
++.PP
++The following process types are defined for quantum:
++
++.EX
++.B quantum_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible.
++.PP
++The following file types are defined for quantum:
++
++
++.EX
++.PP
++.B quantum_exec_t
++.EE
++
++- Set files with the quantum_exec_t type, if you want to transition an executable to the quantum_t domain.
++
++
++.EX
++.PP
++.B quantum_log_t
++.EE
++
++- Set files with the quantum_log_t type, if you want to treat the data as quantum log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B quantum_tmp_t
++.EE
++
++- Set files with the quantum_tmp_t type, if you want to store quantum temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B quantum_unit_file_t
++.EE
++
++- Set files with the quantum_unit_file_t type, if you want to treat the files as quantum unit content.
++
++
++.EX
++.PP
++.B quantum_var_lib_t
++.EE
++
++- Set files with the quantum_var_lib_t type, if you want to store the quantum files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible.
++.PP
++The following port types are defined for quantum:
++
++.EX
++.TP 5
++.B quantum_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 9696
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type quantum_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B quantum_log_t
++
++ /var/log/quantum(/.*)?
++.br
++
++.br
++.B quantum_tmp_t
++
++
++.br
++.B quantum_var_lib_t
++
++ /var/lib/quantum(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quantum_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the quantum_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), quantum(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/quota_nld_selinux.8 b/man/man8/quota_nld_selinux.8
+new file mode 100644
+index 0000000..e8c53e4
+--- /dev/null
++++ b/man/man8/quota_nld_selinux.8
+@@ -0,0 +1,119 @@
++.TH "quota_nld_selinux" "8" "12-11-01" "quota_nld" "SELinux Policy documentation for quota_nld"
++.SH "NAME"
++quota_nld_selinux \- Security Enhanced Linux Policy for the quota_nld processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the quota_nld processes via flexible mandatory access control.
++
++The quota_nld processes execute with the quota_nld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep quota_nld_t
++
++
++.SH "ENTRYPOINTS"
++
++The quota_nld_t SELinux type can be entered via the "quota_nld_exec_t" file type. The default entrypoint paths for the quota_nld_t domain are the following:"
++
++/usr/sbin/quota_nld
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux quota_nld policy is very flexible allowing users to setup their quota_nld processes in as secure a method as possible.
++.PP
++The following process types are defined for quota_nld:
++
++.EX
++.B quota_nld_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux quota_nld policy is very flexible allowing users to setup their quota_nld processes in as secure a method as possible.
++.PP
++The following file types are defined for quota_nld:
++
++
++.EX
++.PP
++.B quota_nld_exec_t
++.EE
++
++- Set files with the quota_nld_exec_t type, if you want to transition an executable to the quota_nld_t domain.
++
++
++.EX
++.PP
++.B quota_nld_var_run_t
++.EE
++
++- Set files with the quota_nld_var_run_t type, if you want to store the quota nld files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type quota_nld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B quota_nld_var_run_t
++
++ /var/run/quota_nld\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quota_nld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the quota_nld_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), quota_nld(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, quota_selinux(8), quota_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/quota_selinux.8 b/man/man8/quota_selinux.8
+new file mode 100644
+index 0000000..f6b1bff
+--- /dev/null
++++ b/man/man8/quota_selinux.8
+@@ -0,0 +1,163 @@
++.TH "quota_selinux" "8" "12-11-01" "quota" "SELinux Policy documentation for quota"
++.SH "NAME"
++quota_selinux \- Security Enhanced Linux Policy for the quota processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the quota processes via flexible mandatory access control.
++
++The quota processes execute with the quota_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep quota_t
++
++
++.SH "ENTRYPOINTS"
++
++The quota_t SELinux type can be entered via the "quota_exec_t" file type. The default entrypoint paths for the quota_t domain are the following:"
++
++/sbin/quota(check|on), /usr/sbin/quota(check|on), /usr/sbin/convertquota
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux quota policy is very flexible allowing users to setup their quota processes in as secure a method as possible.
++.PP
++The following process types are defined for quota:
++
++.EX
++.B quota_t, quota_nld_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux quota policy is very flexible allowing users to setup their quota processes in as secure a method as possible.
++.PP
++The following file types are defined for quota:
++
++
++.EX
++.PP
++.B quota_db_t
++.EE
++
++- Set files with the quota_db_t type, if you want to treat the files as quota database content.
++
++
++.EX
++.PP
++.B quota_exec_t
++.EE
++
++- Set files with the quota_exec_t type, if you want to transition an executable to the quota_t domain.
++
++
++.EX
++.PP
++.B quota_flag_t
++.EE
++
++- Set files with the quota_flag_t type, if you want to treat the files as quota flag data.
++
++
++.EX
++.PP
++.B quota_nld_exec_t
++.EE
++
++- Set files with the quota_nld_exec_t type, if you want to transition an executable to the quota_nld_t domain.
++
++
++.EX
++.PP
++.B quota_nld_var_run_t
++.EE
++
++- Set files with the quota_nld_var_run_t type, if you want to store the quota nld files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type quota_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B quota_db_t
++
++ /a?quota\.(user|group)
++.br
++ /etc/a?quota\.(user|group)
++.br
++ /var/a?quota\.(user|group)
++.br
++ /boot/a?quota\.(user|group)
++.br
++ /var/spool/(.*/)?a?quota\.(user|group)
++.br
++ /var/lib/openshift/a?quota\.(user|group)
++.br
++ /var/lib/stickshift/a?quota\.(user|group)
++.br
++ /home/[^/]*/a?quota\.(user|group)
++.br
++ /home/a?quota\.(user|group)
++.br
++ /home/dwalsh/a?quota\.(user|group)
++.br
++ /var/lib/xguest/home/xguest/a?quota\.(user|group)
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quota_nld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the quota_nld_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), quota(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, quota_nld_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/rabbitmq_beam_selinux.8 b/man/man8/rabbitmq_beam_selinux.8
+new file mode 100644
+index 0000000..01bdf1a
+--- /dev/null
++++ b/man/man8/rabbitmq_beam_selinux.8
+@@ -0,0 +1,103 @@
++.TH "rabbitmq_beam_selinux" "8" "12-11-01" "rabbitmq_beam" "SELinux Policy documentation for rabbitmq_beam"
++.SH "NAME"
++rabbitmq_beam_selinux \- Security Enhanced Linux Policy for the rabbitmq_beam processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rabbitmq_beam processes via flexible mandatory access control.
++
++The rabbitmq_beam processes execute with the rabbitmq_beam_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rabbitmq_beam_t
++
++
++.SH "ENTRYPOINTS"
++
++The rabbitmq_beam_t SELinux type can be entered via the "rabbitmq_beam_exec_t" file type. The default entrypoint paths for the rabbitmq_beam_t domain are the following:"
++
++/usr/lib64/erlang/erts-5.8.5/bin/beam.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rabbitmq_beam policy is very flexible allowing users to setup their rabbitmq_beam processes in as secure a method as possible.
++.PP
++The following process types are defined for rabbitmq_beam:
++
++.EX
++.B rabbitmq_beam_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rabbitmq_beam policy is very flexible allowing users to setup their rabbitmq_beam processes in as secure a method as possible.
++.PP
++The following file types are defined for rabbitmq_beam:
++
++
++.EX
++.PP
++.B rabbitmq_beam_exec_t
++.EE
++
++- Set files with the rabbitmq_beam_exec_t type, if you want to transition an executable to the rabbitmq_beam_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type rabbitmq_beam_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B rabbitmq_var_lib_t
++
++ /var/lib/rabbitmq(/.*)?
++.br
++
++.br
++.B rabbitmq_var_log_t
++
++ /var/log/rabbitmq(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rabbitmq_beam(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, rabbitmq_epmd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/rabbitmq_epmd_selinux.8 b/man/man8/rabbitmq_epmd_selinux.8
+new file mode 100644
+index 0000000..5151b32
+--- /dev/null
++++ b/man/man8/rabbitmq_epmd_selinux.8
+@@ -0,0 +1,97 @@
++.TH "rabbitmq_epmd_selinux" "8" "12-11-01" "rabbitmq_epmd" "SELinux Policy documentation for rabbitmq_epmd"
++.SH "NAME"
++rabbitmq_epmd_selinux \- Security Enhanced Linux Policy for the rabbitmq_epmd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rabbitmq_epmd processes via flexible mandatory access control.
++
++The rabbitmq_epmd processes execute with the rabbitmq_epmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rabbitmq_epmd_t
++
++
++.SH "ENTRYPOINTS"
++
++The rabbitmq_epmd_t SELinux type can be entered via the "rabbitmq_epmd_exec_t" file type. The default entrypoint paths for the rabbitmq_epmd_t domain are the following:"
++
++/usr/lib64/erlang/erts-5.8.5/bin/epmd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rabbitmq_epmd policy is very flexible allowing users to setup their rabbitmq_epmd processes in as secure a method as possible.
++.PP
++The following process types are defined for rabbitmq_epmd:
++
++.EX
++.B rabbitmq_epmd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rabbitmq_epmd policy is very flexible allowing users to setup their rabbitmq_epmd processes in as secure a method as possible.
++.PP
++The following file types are defined for rabbitmq_epmd:
++
++
++.EX
++.PP
++.B rabbitmq_epmd_exec_t
++.EE
++
++- Set files with the rabbitmq_epmd_exec_t type, if you want to transition an executable to the rabbitmq_epmd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type rabbitmq_epmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B rabbitmq_var_log_t
++
++ /var/log/rabbitmq(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rabbitmq_epmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, rabbitmq_beam_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/racoon_selinux.8 b/man/man8/racoon_selinux.8
+new file mode 100644
+index 0000000..58f53af
+--- /dev/null
++++ b/man/man8/racoon_selinux.8
+@@ -0,0 +1,210 @@
++.TH "racoon_selinux" "8" "12-11-01" "racoon" "SELinux Policy documentation for racoon"
++.SH "NAME"
++racoon_selinux \- Security Enhanced Linux Policy for the racoon processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the racoon processes via flexible mandatory access control.
++
++The racoon processes execute with the racoon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep racoon_t
++
++
++.SH "ENTRYPOINTS"
++
++The racoon_t SELinux type can be entered via the "racoon_exec_t" file type. The default entrypoint paths for the racoon_t domain are the following:"
++
++/usr/sbin/racoon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux racoon policy is very flexible allowing users to setup their racoon processes in as secure a method as possible.
++.PP
++The following process types are defined for racoon:
++
++.EX
++.B racoon_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. racoon policy is extremely flexible and has several booleans that allow you to manipulate the policy and run racoon with the tightest access possible.
++
++
++.PP
++If you want to allow racoon to read shadow, you must turn on the racoon_read_shadow boolean.
++
++.EX
++.B setsebool -P racoon_read_shadow 1
++.EE
++
++.PP
++If you want to allow racoon to read shadow, you must turn on the racoon_read_shadow boolean.
++
++.EX
++.B setsebool -P racoon_read_shadow 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux racoon policy is very flexible allowing users to setup their racoon processes in as secure a method as possible.
++.PP
++The following file types are defined for racoon:
++
++
++.EX
++.PP
++.B racoon_exec_t
++.EE
++
++- Set files with the racoon_exec_t type, if you want to transition an executable to the racoon_t domain.
++
++
++.EX
++.PP
++.B racoon_tmp_t
++.EE
++
++- Set files with the racoon_tmp_t type, if you want to store racoon temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type racoon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B ipsec_var_run_t
++
++ /var/racoon(/.*)?
++.br
++ /var/run/pluto(/.*)?
++.br
++ /var/run/racoon\.pid
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B racoon_tmp_t
++
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the racoon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the racoon_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), racoon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/radiusd_selinux.8 b/man/man8/radiusd_selinux.8
+new file mode 100644
+index 0000000..2a14d47
+--- /dev/null
++++ b/man/man8/radiusd_selinux.8
+@@ -0,0 +1,264 @@
++.TH "radiusd_selinux" "8" "12-11-01" "radiusd" "SELinux Policy documentation for radiusd"
++.SH "NAME"
++radiusd_selinux \- Security Enhanced Linux Policy for the radiusd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the radiusd processes via flexible mandatory access control.
++
++The radiusd processes execute with the radiusd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep radiusd_t
++
++
++.SH "ENTRYPOINTS"
++
++The radiusd_t SELinux type can be entered via the "radiusd_exec_t" file type. The default entrypoint paths for the radiusd_t domain are the following:"
++
++/etc/cron\.(daily|monthly)/radiusd, /etc/cron\.(daily|weekly|monthly)/freeradius, /usr/sbin/radiusd, /usr/sbin/freeradius
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux radiusd policy is very flexible allowing users to setup their radiusd processes in as secure a method as possible.
++.PP
++The following process types are defined for radiusd:
++
++.EX
++.B radiusd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. radiusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run radiusd with the tightest access possible.
++
++
++.PP
++If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean.
++
++.EX
++.B setsebool -P authlogin_radius 1
++.EE
++
++.PP
++If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean.
++
++.EX
++.B setsebool -P authlogin_radius 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux radiusd policy is very flexible allowing users to setup their radiusd processes in as secure a method as possible.
++.PP
++The following file types are defined for radiusd:
++
++
++.EX
++.PP
++.B radiusd_etc_rw_t
++.EE
++
++- Set files with the radiusd_etc_rw_t type, if you want to treat the files as radiusd etc read/write content.
++
++
++.EX
++.PP
++.B radiusd_etc_t
++.EE
++
++- Set files with the radiusd_etc_t type, if you want to store radiusd files in the /etc directories.
++
++
++.EX
++.PP
++.B radiusd_exec_t
++.EE
++
++- Set files with the radiusd_exec_t type, if you want to transition an executable to the radiusd_t domain.
++
++
++.EX
++.PP
++.B radiusd_initrc_exec_t
++.EE
++
++- Set files with the radiusd_initrc_exec_t type, if you want to transition an executable to the radiusd_initrc_t domain.
++
++
++.EX
++.PP
++.B radiusd_log_t
++.EE
++
++- Set files with the radiusd_log_t type, if you want to treat the data as radiusd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B radiusd_var_lib_t
++.EE
++
++- Set files with the radiusd_var_lib_t type, if you want to store the radiusd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B radiusd_var_run_t
++.EE
++
++- Set files with the radiusd_var_run_t type, if you want to store the radiusd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux radiusd policy is very flexible allowing users to setup their radiusd processes in as secure a method as possible.
++.PP
++The following port types are defined for radiusd:
++
++.EX
++.TP 5
++.B radius_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 1645,1812
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type radiusd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B radiusd_etc_rw_t
++
++ /etc/raddb/db\.daily
++.br
++
++.br
++.B radiusd_log_t
++
++ /var/log/radius(/.*)?
++.br
++ /var/log/radwtmp.*
++.br
++ /var/log/radacct(/.*)?
++.br
++ /var/log/radius\.log.*
++.br
++ /var/log/freeradius(/.*)?
++.br
++ /var/log/radiusd-freeradius(/.*)?
++.br
++ /var/log/radutmp
++.br
++
++.br
++.B radiusd_var_lib_t
++
++ /var/lib/radiousd(/.*)?
++.br
++
++.br
++.B radiusd_var_run_t
++
++ /var/run/radiusd(/.*)?
++.br
++ /var/run/radiusd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the radiusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the radiusd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), radiusd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/radvd_selinux.8 b/man/man8/radvd_selinux.8
+new file mode 100644
+index 0000000..1fba22f
+--- /dev/null
++++ b/man/man8/radvd_selinux.8
+@@ -0,0 +1,136 @@
++.TH "radvd_selinux" "8" "12-11-01" "radvd" "SELinux Policy documentation for radvd"
++.SH "NAME"
++radvd_selinux \- Security Enhanced Linux Policy for the radvd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the radvd processes via flexible mandatory access control.
++
++The radvd processes execute with the radvd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep radvd_t
++
++
++.SH "ENTRYPOINTS"
++
++The radvd_t SELinux type can be entered via the "radvd_exec_t" file type. The default entrypoint paths for the radvd_t domain are the following:"
++
++/usr/sbin/radvd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux radvd policy is very flexible allowing users to setup their radvd processes in as secure a method as possible.
++.PP
++The following process types are defined for radvd:
++
++.EX
++.B radvd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux radvd policy is very flexible allowing users to setup their radvd processes in as secure a method as possible.
++.PP
++The following file types are defined for radvd:
++
++
++.EX
++.PP
++.B radvd_etc_t
++.EE
++
++- Set files with the radvd_etc_t type, if you want to store radvd files in the /etc directories.
++
++
++.EX
++.PP
++.B radvd_exec_t
++.EE
++
++- Set files with the radvd_exec_t type, if you want to transition an executable to the radvd_t domain.
++
++
++.EX
++.PP
++.B radvd_initrc_exec_t
++.EE
++
++- Set files with the radvd_initrc_exec_t type, if you want to transition an executable to the radvd_initrc_t domain.
++
++
++.EX
++.PP
++.B radvd_var_run_t
++.EE
++
++- Set files with the radvd_var_run_t type, if you want to store the radvd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type radvd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B radvd_var_run_t
++
++ /var/run/radvd(/.*)?
++.br
++ /var/run/radvd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the radvd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the radvd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), radvd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/rdisc_selinux.8 b/man/man8/rdisc_selinux.8
+new file mode 100644
+index 0000000..436b9f8
+--- /dev/null
++++ b/man/man8/rdisc_selinux.8
+@@ -0,0 +1,86 @@
++.TH "rdisc_selinux" "8" "12-11-01" "rdisc" "SELinux Policy documentation for rdisc"
++.SH "NAME"
++rdisc_selinux \- Security Enhanced Linux Policy for the rdisc processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rdisc processes via flexible mandatory access control.
++
++The rdisc processes execute with the rdisc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rdisc_t
++
++
++.SH "ENTRYPOINTS"
++
++The rdisc_t SELinux type can be entered via the "rdisc_exec_t" file type. The default entrypoint paths for the rdisc_t domain are the following:"
++
++/sbin/rdisc, /usr/sbin/rdisc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rdisc policy is very flexible allowing users to setup their rdisc processes in as secure a method as possible.
++.PP
++The following process types are defined for rdisc:
++
++.EX
++.B rdisc_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rdisc policy is very flexible allowing users to setup their rdisc processes in as secure a method as possible.
++.PP
++The following file types are defined for rdisc:
++
++
++.EX
++.PP
++.B rdisc_exec_t
++.EE
++
++- Set files with the rdisc_exec_t type, if you want to transition an executable to the rdisc_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rdisc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/readahead_selinux.8 b/man/man8/readahead_selinux.8
+new file mode 100644
+index 0000000..56587b5
+--- /dev/null
++++ b/man/man8/readahead_selinux.8
+@@ -0,0 +1,180 @@
++.TH "readahead_selinux" "8" "12-11-01" "readahead" "SELinux Policy documentation for readahead"
++.SH "NAME"
++readahead_selinux \- Security Enhanced Linux Policy for the readahead processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the readahead processes via flexible mandatory access control.
++
++The readahead processes execute with the readahead_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep readahead_t
++
++
++.SH "ENTRYPOINTS"
++
++The readahead_t SELinux type can be entered via the "readahead_exec_t" file type. The default entrypoint paths for the readahead_t domain are the following:"
++
++/sbin/readahead.*, /usr/sbin/readahead.*, /usr/lib/systemd/systemd-readahead.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux readahead policy is very flexible allowing users to setup their readahead processes in as secure a method as possible.
++.PP
++The following process types are defined for readahead:
++
++.EX
++.B readahead_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux readahead policy is very flexible allowing users to setup their readahead processes in as secure a method as possible.
++.PP
++The following file types are defined for readahead:
++
++
++.EX
++.PP
++.B readahead_exec_t
++.EE
++
++- Set files with the readahead_exec_t type, if you want to transition an executable to the readahead_t domain.
++
++
++.EX
++.PP
++.B readahead_var_lib_t
++.EE
++
++- Set files with the readahead_var_lib_t type, if you want to store the readahead files under the /var/lib directory.
++
++
++.EX
++.PP
++.B readahead_var_run_t
++.EE
++
++- Set files with the readahead_var_run_t type, if you want to store the readahead files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type readahead_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B readahead_var_lib_t
++
++ /var/lib/readahead(/.*)?
++.br
++
++.br
++.B readahead_var_run_t
++
++ /dev/\.systemd/readahead(/.*)?
++.br
++ /var/run/systemd/readahead(/.*)?
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), readahead(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/realmd_selinux.8 b/man/man8/realmd_selinux.8
+new file mode 100644
+index 0000000..926344d
+--- /dev/null
++++ b/man/man8/realmd_selinux.8
+@@ -0,0 +1,166 @@
++.TH "realmd_selinux" "8" "12-11-01" "realmd" "SELinux Policy documentation for realmd"
++.SH "NAME"
++realmd_selinux \- Security Enhanced Linux Policy for the realmd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the realmd processes via flexible mandatory access control.
++
++The realmd processes execute with the realmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep realmd_t
++
++
++.SH "ENTRYPOINTS"
++
++The realmd_t SELinux type can be entered via the "realmd_exec_t" file type. The default entrypoint paths for the realmd_t domain are the following:"
++
++/usr/lib/realmd/realmd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux realmd policy is very flexible allowing users to setup their realmd processes in as secure a method as possible.
++.PP
++The following process types are defined for realmd:
++
++.EX
++.B realmd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux realmd policy is very flexible allowing users to setup their realmd processes in as secure a method as possible.
++.PP
++The following file types are defined for realmd:
++
++
++.EX
++.PP
++.B realmd_exec_t
++.EE
++
++- Set files with the realmd_exec_t type, if you want to transition an executable to the realmd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type realmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cache_home_t
++
++ /root/\.cache(/.*)?
++.br
++ /home/[^/]*/\.nv(/.*)?
++.br
++ /home/[^/]*/\.cache(/.*)?
++.br
++ /home/dwalsh/\.nv(/.*)?
++.br
++ /home/dwalsh/\.cache(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.br
++.B krb5_keytab_t
++
++ /etc/krb5\.keytab
++.br
++ /etc/krb5kdc/kadm5\.keytab
++.br
++ /var/kerberos/krb5kdc/kadm5\.keytab
++.br
++
++.br
++.B samba_etc_t
++
++ /etc/samba(/.*)?
++.br
++
++.br
++.B sssd_conf_t
++
++ /etc/sssd(/.*)?
++.br
++
++.br
++.B sssd_public_t
++
++ /var/lib/sss/mc(/.*)?
++.br
++ /var/lib/sss/pubconf(/.*)?
++.br
++
++.br
++.B sssd_var_lib_t
++
++ /var/lib/sss(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the realmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the realmd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), realmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/regex_milter_selinux.8 b/man/man8/regex_milter_selinux.8
+new file mode 100644
+index 0000000..6b0d3db
+--- /dev/null
++++ b/man/man8/regex_milter_selinux.8
+@@ -0,0 +1,118 @@
++.TH "regex_milter_selinux" "8" "12-11-01" "regex_milter" "SELinux Policy documentation for regex_milter"
++.SH "NAME"
++regex_milter_selinux \- Security Enhanced Linux Policy for the regex_milter processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the regex_milter processes via flexible mandatory access control.
++
++The regex_milter processes execute with the regex_milter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep regex_milter_t
++
++
++.SH "ENTRYPOINTS"
++
++The regex_milter_t SELinux type can be entered via the "regex_milter_exec_t" file type. The default entrypoint paths for the regex_milter_t domain are the following:"
++
++/usr/sbin/milter-regex
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux regex_milter policy is very flexible allowing users to setup their regex_milter processes in as secure a method as possible.
++.PP
++The following process types are defined for regex_milter:
++
++.EX
++.B regex_milter_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux regex_milter policy is very flexible allowing users to setup their regex_milter processes in as secure a method as possible.
++.PP
++The following file types are defined for regex_milter:
++
++
++.EX
++.PP
++.B regex_milter_data_t
++.EE
++
++- Set files with the regex_milter_data_t type, if you want to treat the files as regex milter content.
++
++
++.EX
++.PP
++.B regex_milter_exec_t
++.EE
++
++- Set files with the regex_milter_exec_t type, if you want to transition an executable to the regex_milter_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type regex_milter_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B regex_milter_data_t
++
++ /var/spool/milter-regex(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the regex_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the regex_milter_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), regex_milter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/restorecond_selinux.8 b/man/man8/restorecond_selinux.8
+new file mode 100644
+index 0000000..0810458
+--- /dev/null
++++ b/man/man8/restorecond_selinux.8
+@@ -0,0 +1,124 @@
++.TH "restorecond_selinux" "8" "12-11-01" "restorecond" "SELinux Policy documentation for restorecond"
++.SH "NAME"
++restorecond_selinux \- Security Enhanced Linux Policy for the restorecond processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the restorecond processes via flexible mandatory access control.
++
++The restorecond processes execute with the restorecond_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep restorecond_t
++
++
++.SH "ENTRYPOINTS"
++
++The restorecond_t SELinux type can be entered via the "restorecond_exec_t" file type. The default entrypoint paths for the restorecond_t domain are the following:"
++
++/usr/sbin/restorecond
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux restorecond policy is very flexible allowing users to setup their restorecond processes in as secure a method as possible.
++.PP
++The following process types are defined for restorecond:
++
++.EX
++.B restorecond_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux restorecond policy is very flexible allowing users to setup their restorecond processes in as secure a method as possible.
++.PP
++The following file types are defined for restorecond:
++
++
++.EX
++.PP
++.B restorecond_exec_t
++.EE
++
++- Set files with the restorecond_exec_t type, if you want to transition an executable to the restorecond_t domain.
++
++
++.EX
++.PP
++.B restorecond_var_run_t
++.EE
++
++- Set files with the restorecond_var_run_t type, if you want to store the restorecond files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type restorecond_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B restorecond_var_run_t
++
++ /var/run/restorecond\.pid
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the restorecond_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the restorecond_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), restorecond(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/rgmanager_selinux.8 b/man/man8/rgmanager_selinux.8
+new file mode 100644
+index 0000000..feb0254
+--- /dev/null
++++ b/man/man8/rgmanager_selinux.8
+@@ -0,0 +1,276 @@
++.TH "rgmanager_selinux" "8" "12-11-01" "rgmanager" "SELinux Policy documentation for rgmanager"
++.SH "NAME"
++rgmanager_selinux \- Security Enhanced Linux Policy for the rgmanager processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rgmanager processes via flexible mandatory access control.
++
++The rgmanager processes execute with the rgmanager_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rgmanager_t
++
++
++.SH "ENTRYPOINTS"
++
++The rgmanager_t SELinux type can be entered via the "rgmanager_exec_t" file type. The default entrypoint paths for the rgmanager_t domain are the following:"
++
++/usr/lib(64)?/heartbeat/heartbeat, /usr/sbin/cpglockd, /usr/sbin/rgmanager
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rgmanager policy is very flexible allowing users to setup their rgmanager processes in as secure a method as possible.
++.PP
++The following process types are defined for rgmanager:
++
++.EX
++.B rgmanager_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. rgmanager policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rgmanager with the tightest access possible.
++
++
++.PP
++If you want to allow rgmanager domain to connect to the network using TCP, you must turn on the rgmanager_can_network_connect boolean.
++
++.EX
++.B setsebool -P rgmanager_can_network_connect 1
++.EE
++
++.PP
++If you want to allow rgmanager domain to connect to the network using TCP, you must turn on the rgmanager_can_network_connect boolean.
++
++.EX
++.B setsebool -P rgmanager_can_network_connect 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rgmanager policy is very flexible allowing users to setup their rgmanager processes in as secure a method as possible.
++.PP
++The following file types are defined for rgmanager:
++
++
++.EX
++.PP
++.B rgmanager_exec_t
++.EE
++
++- Set files with the rgmanager_exec_t type, if you want to transition an executable to the rgmanager_t domain.
++
++
++.EX
++.PP
++.B rgmanager_initrc_exec_t
++.EE
++
++- Set files with the rgmanager_initrc_exec_t type, if you want to transition an executable to the rgmanager_initrc_t domain.
++
++
++.EX
++.PP
++.B rgmanager_tmp_t
++.EE
++
++- Set files with the rgmanager_tmp_t type, if you want to store rgmanager temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B rgmanager_tmpfs_t
++.EE
++
++- Set files with the rgmanager_tmpfs_t type, if you want to store rgmanager files on a tmpfs file system.
++
++
++.EX
++.PP
++.B rgmanager_var_lib_t
++.EE
++
++- Set files with the rgmanager_var_lib_t type, if you want to store the rgmanager files under the /var/lib directory.
++
++
++.EX
++.PP
++.B rgmanager_var_log_t
++.EE
++
++- Set files with the rgmanager_var_log_t type, if you want to treat the data as rgmanager var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B rgmanager_var_run_t
++.EE
++
++- Set files with the rgmanager_var_run_t type, if you want to store the rgmanager files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type rgmanager_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cluster_conf_t
++
++ /etc/cluster(/.*)?
++.br
++
++.br
++.B file_t
++
++
++.br
++.B mnt_t
++
++ /mnt(/[^/]*)
++.br
++ /mnt(/[^/]*)?
++.br
++ /rhev(/[^/]*)?
++.br
++ /media(/[^/]*)
++.br
++ /media(/[^/]*)?
++.br
++ /media/\.hal-.*
++.br
++ /var/run/media(/[^/]*)?
++.br
++ /net
++.br
++ /afs
++.br
++ /rhev
++.br
++ /misc
++.br
++
++.br
++.B rgmanager_tmp_t
++
++
++.br
++.B rgmanager_tmpfs_t
++
++
++.br
++.B rgmanager_var_lib_t
++
++ /usr/lib(64)?/heartbeat(/.*)?
++.br
++ /var/lib/heartbeat(/.*)?
++.br
++
++.br
++.B rgmanager_var_log_t
++
++ /var/log/cluster/cpglockd\.log.*
++.br
++ /var/log/cluster/rgmanager\.log.*
++.br
++
++.br
++.B rgmanager_var_run_t
++
++ /var/run/heartbeat(/.*)?
++.br
++ /var/run/cpglockd\.pid
++.br
++ /var/run/rgmanager\.pid
++.br
++ /var/run/cluster/rgmanager\.sk
++.br
++
++.br
++.B samba_etc_t
++
++ /etc/samba(/.*)?
++.br
++
++.br
++.B samba_var_t
++
++ /var/lib/samba(/.*)?
++.br
++ /var/cache/samba(/.*)?
++.br
++ /var/spool/samba(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B var_lib_nfs_t
++
++ /var/lib/nfs(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rgmanager_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rgmanager_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rgmanager(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/rhev_agentd_selinux.8 b/man/man8/rhev_agentd_selinux.8
+new file mode 100644
+index 0000000..5550bd3
+--- /dev/null
++++ b/man/man8/rhev_agentd_selinux.8
+@@ -0,0 +1,152 @@
++.TH "rhev_agentd_selinux" "8" "12-11-01" "rhev_agentd" "SELinux Policy documentation for rhev_agentd"
++.SH "NAME"
++rhev_agentd_selinux \- Security Enhanced Linux Policy for the rhev_agentd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rhev_agentd processes via flexible mandatory access control.
++
++The rhev_agentd processes execute with the rhev_agentd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rhev_agentd_t
++
++
++.SH "ENTRYPOINTS"
++
++The rhev_agentd_t SELinux type can be entered via the "rhev_agentd_exec_t" file type. The default entrypoint paths for the rhev_agentd_t domain are the following:"
++
++/usr/share/ovirt-guest-agent, /usr/share/rhev-agent/rhev-agentd\.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rhev_agentd policy is very flexible allowing users to setup their rhev_agentd processes in as secure a method as possible.
++.PP
++The following process types are defined for rhev_agentd:
++
++.EX
++.B rhev_agentd_t, rhev_agentd_consolehelper_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rhev_agentd policy is very flexible allowing users to setup their rhev_agentd processes in as secure a method as possible.
++.PP
++The following file types are defined for rhev_agentd:
++
++
++.EX
++.PP
++.B rhev_agentd_exec_t
++.EE
++
++- Set files with the rhev_agentd_exec_t type, if you want to transition an executable to the rhev_agentd_t domain.
++
++
++.EX
++.PP
++.B rhev_agentd_log_t
++.EE
++
++- Set files with the rhev_agentd_log_t type, if you want to treat the data as rhev agentd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B rhev_agentd_tmp_t
++.EE
++
++- Set files with the rhev_agentd_tmp_t type, if you want to store rhev agentd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B rhev_agentd_unit_file_t
++.EE
++
++- Set files with the rhev_agentd_unit_file_t type, if you want to treat the files as rhev agentd unit content.
++
++
++.EX
++.PP
++.B rhev_agentd_var_run_t
++.EE
++
++- Set files with the rhev_agentd_var_run_t type, if you want to store the rhev agentd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type rhev_agentd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B rhev_agentd_log_t
++
++ /var/log/rhev-agent(/.*)?
++.br
++
++.br
++.B rhev_agentd_tmp_t
++
++
++.br
++.B rhev_agentd_var_run_t
++
++ /var/run/rhev-agentd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rhev_agentd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/rhgb_selinux.8 b/man/man8/rhgb_selinux.8
+new file mode 100644
+index 0000000..a384089
+--- /dev/null
++++ b/man/man8/rhgb_selinux.8
+@@ -0,0 +1,106 @@
++.TH "rhgb_selinux" "8" "12-11-01" "rhgb" "SELinux Policy documentation for rhgb"
++.SH "NAME"
++rhgb_selinux \- Security Enhanced Linux Policy for the rhgb processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rhgb processes via flexible mandatory access control.
++
++The rhgb processes execute with the rhgb_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rhgb_t
++
++
++.SH "ENTRYPOINTS"
++
++The rhgb_t SELinux type can be entered via the "rhgb_exec_t" file type. The default entrypoint paths for the rhgb_t domain are the following:"
++
++/usr/bin/rhgb
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rhgb policy is very flexible allowing users to setup their rhgb processes in as secure a method as possible.
++.PP
++The following process types are defined for rhgb:
++
++.EX
++.B rhgb_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rhgb policy is very flexible allowing users to setup their rhgb processes in as secure a method as possible.
++.PP
++The following file types are defined for rhgb:
++
++
++.EX
++.PP
++.B rhgb_exec_t
++.EE
++
++- Set files with the rhgb_exec_t type, if you want to transition an executable to the rhgb_t domain.
++
++
++.EX
++.PP
++.B rhgb_tmpfs_t
++.EE
++
++- Set files with the rhgb_tmpfs_t type, if you want to store rhgb files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type rhgb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ramfs_t
++
++
++.br
++.B rhgb_tmpfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rhgb(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/rhsmcertd_selinux.8 b/man/man8/rhsmcertd_selinux.8
+new file mode 100644
+index 0000000..7350aa2
+--- /dev/null
++++ b/man/man8/rhsmcertd_selinux.8
+@@ -0,0 +1,164 @@
++.TH "rhsmcertd_selinux" "8" "12-11-01" "rhsmcertd" "SELinux Policy documentation for rhsmcertd"
++.SH "NAME"
++rhsmcertd_selinux \- Security Enhanced Linux Policy for the rhsmcertd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rhsmcertd processes via flexible mandatory access control.
++
++The rhsmcertd processes execute with the rhsmcertd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rhsmcertd_t
++
++
++.SH "ENTRYPOINTS"
++
++The rhsmcertd_t SELinux type can be entered via the "rhsmcertd_exec_t" file type. The default entrypoint paths for the rhsmcertd_t domain are the following:"
++
++/usr/bin/rhsmcertd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rhsmcertd policy is very flexible allowing users to setup their rhsmcertd processes in as secure a method as possible.
++.PP
++The following process types are defined for rhsmcertd:
++
++.EX
++.B rhsmcertd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rhsmcertd policy is very flexible allowing users to setup their rhsmcertd processes in as secure a method as possible.
++.PP
++The following file types are defined for rhsmcertd:
++
++
++.EX
++.PP
++.B rhsmcertd_exec_t
++.EE
++
++- Set files with the rhsmcertd_exec_t type, if you want to transition an executable to the rhsmcertd_t domain.
++
++
++.EX
++.PP
++.B rhsmcertd_initrc_exec_t
++.EE
++
++- Set files with the rhsmcertd_initrc_exec_t type, if you want to transition an executable to the rhsmcertd_initrc_t domain.
++
++
++.EX
++.PP
++.B rhsmcertd_lock_t
++.EE
++
++- Set files with the rhsmcertd_lock_t type, if you want to treat the files as rhsmcertd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B rhsmcertd_log_t
++.EE
++
++- Set files with the rhsmcertd_log_t type, if you want to treat the data as rhsmcertd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B rhsmcertd_var_lib_t
++.EE
++
++- Set files with the rhsmcertd_var_lib_t type, if you want to store the rhsmcertd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B rhsmcertd_var_run_t
++.EE
++
++- Set files with the rhsmcertd_var_run_t type, if you want to store the rhsmcertd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type rhsmcertd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B rhsmcertd_lock_t
++
++ /var/lock/subsys/rhsmcertd
++.br
++
++.br
++.B rhsmcertd_log_t
++
++ /var/log/rhsm(/.*)?
++.br
++
++.br
++.B rhsmcertd_var_lib_t
++
++ /var/lib/rhsm(/.*)?
++.br
++
++.br
++.B rhsmcertd_var_run_t
++
++ /var/run/rhsm(/.*)?
++.br
++
++.br
++.B var_lock_t
++
++ /var/lock(/.*)?
++.br
++ /run/lock(/.*)?
++.br
++ /var/lock
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rhsmcertd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ricci_modcluster_selinux.8 b/man/man8/ricci_modcluster_selinux.8
+new file mode 100644
+index 0000000..bbe6e5e
+--- /dev/null
++++ b/man/man8/ricci_modcluster_selinux.8
+@@ -0,0 +1,187 @@
++.TH "ricci_modcluster_selinux" "8" "12-11-01" "ricci_modcluster" "SELinux Policy documentation for ricci_modcluster"
++.SH "NAME"
++ricci_modcluster_selinux \- Security Enhanced Linux Policy for the ricci_modcluster processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ricci_modcluster processes via flexible mandatory access control.
++
++The ricci_modcluster processes execute with the ricci_modcluster_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ricci_modcluster_t
++
++
++.SH "ENTRYPOINTS"
++
++The ricci_modcluster_t SELinux type can be entered via the "ricci_modcluster_exec_t" file type. The default entrypoint paths for the ricci_modcluster_t domain are the following:"
++
++/usr/libexec/modcluster
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ricci_modcluster policy is very flexible allowing users to setup their ricci_modcluster processes in as secure a method as possible.
++.PP
++The following process types are defined for ricci_modcluster:
++
++.EX
++.B ricci_modclusterd_t, ricci_modcluster_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ricci_modcluster policy is very flexible allowing users to setup their ricci_modcluster processes in as secure a method as possible.
++.PP
++The following file types are defined for ricci_modcluster:
++
++
++.EX
++.PP
++.B ricci_modcluster_exec_t
++.EE
++
++- Set files with the ricci_modcluster_exec_t type, if you want to transition an executable to the ricci_modcluster_t domain.
++
++
++.EX
++.PP
++.B ricci_modcluster_var_lib_t
++.EE
++
++- Set files with the ricci_modcluster_var_lib_t type, if you want to store the ricci modcluster files under the /var/lib directory.
++
++
++.EX
++.PP
++.B ricci_modcluster_var_log_t
++.EE
++
++- Set files with the ricci_modcluster_var_log_t type, if you want to treat the data as ricci modcluster var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ricci_modcluster_var_run_t
++.EE
++
++- Set files with the ricci_modcluster_var_run_t type, if you want to store the ricci modcluster files under the /run directory.
++
++
++.EX
++.PP
++.B ricci_modclusterd_exec_t
++.EE
++
++- Set files with the ricci_modclusterd_exec_t type, if you want to transition an executable to the ricci_modclusterd_t domain.
++
++
++.EX
++.PP
++.B ricci_modclusterd_tmpfs_t
++.EE
++
++- Set files with the ricci_modclusterd_tmpfs_t type, if you want to store ricci modclusterd files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux ricci_modcluster policy is very flexible allowing users to setup their ricci_modcluster processes in as secure a method as possible.
++.PP
++The following port types are defined for ricci_modcluster:
++
++.EX
++.TP 5
++.B ricci_modcluster_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 16851
++.EE
++udp 16851
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type ricci_modcluster_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cluster_conf_t
++
++ /etc/cluster(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ricci_modcluster(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, ricci_selinux(8), ricci_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/ricci_modclusterd_selinux.8 b/man/man8/ricci_modclusterd_selinux.8
+new file mode 100644
+index 0000000..7d43326
+--- /dev/null
++++ b/man/man8/ricci_modclusterd_selinux.8
+@@ -0,0 +1,159 @@
++.TH "ricci_modclusterd_selinux" "8" "12-11-01" "ricci_modclusterd" "SELinux Policy documentation for ricci_modclusterd"
++.SH "NAME"
++ricci_modclusterd_selinux \- Security Enhanced Linux Policy for the ricci_modclusterd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ricci_modclusterd processes via flexible mandatory access control.
++
++The ricci_modclusterd processes execute with the ricci_modclusterd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ricci_modclusterd_t
++
++
++.SH "ENTRYPOINTS"
++
++The ricci_modclusterd_t SELinux type can be entered via the "ricci_modclusterd_exec_t" file type. The default entrypoint paths for the ricci_modclusterd_t domain are the following:"
++
++/usr/sbin/modclusterd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ricci_modclusterd policy is very flexible allowing users to setup their ricci_modclusterd processes in as secure a method as possible.
++.PP
++The following process types are defined for ricci_modclusterd:
++
++.EX
++.B ricci_modclusterd_t, ricci_modcluster_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ricci_modclusterd policy is very flexible allowing users to setup their ricci_modclusterd processes in as secure a method as possible.
++.PP
++The following file types are defined for ricci_modclusterd:
++
++
++.EX
++.PP
++.B ricci_modclusterd_exec_t
++.EE
++
++- Set files with the ricci_modclusterd_exec_t type, if you want to transition an executable to the ricci_modclusterd_t domain.
++
++
++.EX
++.PP
++.B ricci_modclusterd_tmpfs_t
++.EE
++
++- Set files with the ricci_modclusterd_tmpfs_t type, if you want to store ricci modclusterd files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux ricci_modclusterd policy is very flexible allowing users to setup their ricci_modclusterd processes in as secure a method as possible.
++.PP
++The following port types are defined for ricci_modclusterd:
++
++.EX
++.TP 5
++.B ricci_modcluster_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 16851
++.EE
++udp 16851
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type ricci_modclusterd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ricci_modcluster_var_log_t
++
++ /var/log/clumond\.log.*
++.br
++
++.br
++.B ricci_modcluster_var_run_t
++
++ /var/run/clumond\.sock
++.br
++ /var/run/modclusterd\.pid
++.br
++
++.br
++.B ricci_modclusterd_tmpfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ricci_modclusterd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modcluster_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/ricci_modlog_selinux.8 b/man/man8/ricci_modlog_selinux.8
+new file mode 100644
+index 0000000..f0ca4e5
+--- /dev/null
++++ b/man/man8/ricci_modlog_selinux.8
+@@ -0,0 +1,87 @@
++.TH "ricci_modlog_selinux" "8" "12-11-01" "ricci_modlog" "SELinux Policy documentation for ricci_modlog"
++.SH "NAME"
++ricci_modlog_selinux \- Security Enhanced Linux Policy for the ricci_modlog processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ricci_modlog processes via flexible mandatory access control.
++
++The ricci_modlog processes execute with the ricci_modlog_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ricci_modlog_t
++
++
++.SH "ENTRYPOINTS"
++
++The ricci_modlog_t SELinux type can be entered via the "ricci_modlog_exec_t" file type. The default entrypoint paths for the ricci_modlog_t domain are the following:"
++
++/usr/libexec/ricci-modlog
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ricci_modlog policy is very flexible allowing users to setup their ricci_modlog processes in as secure a method as possible.
++.PP
++The following process types are defined for ricci_modlog:
++
++.EX
++.B ricci_modlog_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ricci_modlog policy is very flexible allowing users to setup their ricci_modlog processes in as secure a method as possible.
++.PP
++The following file types are defined for ricci_modlog:
++
++
++.EX
++.PP
++.B ricci_modlog_exec_t
++.EE
++
++- Set files with the ricci_modlog_exec_t type, if you want to transition an executable to the ricci_modlog_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ricci_modlog(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/ricci_modrpm_selinux.8 b/man/man8/ricci_modrpm_selinux.8
+new file mode 100644
+index 0000000..123f519
+--- /dev/null
++++ b/man/man8/ricci_modrpm_selinux.8
+@@ -0,0 +1,87 @@
++.TH "ricci_modrpm_selinux" "8" "12-11-01" "ricci_modrpm" "SELinux Policy documentation for ricci_modrpm"
++.SH "NAME"
++ricci_modrpm_selinux \- Security Enhanced Linux Policy for the ricci_modrpm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ricci_modrpm processes via flexible mandatory access control.
++
++The ricci_modrpm processes execute with the ricci_modrpm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ricci_modrpm_t
++
++
++.SH "ENTRYPOINTS"
++
++The ricci_modrpm_t SELinux type can be entered via the "ricci_modrpm_exec_t" file type. The default entrypoint paths for the ricci_modrpm_t domain are the following:"
++
++/usr/libexec/ricci-modrpm
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ricci_modrpm policy is very flexible allowing users to setup their ricci_modrpm processes in as secure a method as possible.
++.PP
++The following process types are defined for ricci_modrpm:
++
++.EX
++.B ricci_modrpm_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ricci_modrpm policy is very flexible allowing users to setup their ricci_modrpm processes in as secure a method as possible.
++.PP
++The following file types are defined for ricci_modrpm:
++
++
++.EX
++.PP
++.B ricci_modrpm_exec_t
++.EE
++
++- Set files with the ricci_modrpm_exec_t type, if you want to transition an executable to the ricci_modrpm_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ricci_modrpm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/ricci_modservice_selinux.8 b/man/man8/ricci_modservice_selinux.8
+new file mode 100644
+index 0000000..4c964e3
+--- /dev/null
++++ b/man/man8/ricci_modservice_selinux.8
+@@ -0,0 +1,87 @@
++.TH "ricci_modservice_selinux" "8" "12-11-01" "ricci_modservice" "SELinux Policy documentation for ricci_modservice"
++.SH "NAME"
++ricci_modservice_selinux \- Security Enhanced Linux Policy for the ricci_modservice processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ricci_modservice processes via flexible mandatory access control.
++
++The ricci_modservice processes execute with the ricci_modservice_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ricci_modservice_t
++
++
++.SH "ENTRYPOINTS"
++
++The ricci_modservice_t SELinux type can be entered via the "ricci_modservice_exec_t" file type. The default entrypoint paths for the ricci_modservice_t domain are the following:"
++
++/usr/libexec/ricci-modservice
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ricci_modservice policy is very flexible allowing users to setup their ricci_modservice processes in as secure a method as possible.
++.PP
++The following process types are defined for ricci_modservice:
++
++.EX
++.B ricci_modservice_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ricci_modservice policy is very flexible allowing users to setup their ricci_modservice processes in as secure a method as possible.
++.PP
++The following file types are defined for ricci_modservice:
++
++
++.EX
++.PP
++.B ricci_modservice_exec_t
++.EE
++
++- Set files with the ricci_modservice_exec_t type, if you want to transition an executable to the ricci_modservice_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ricci_modservice(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modstorage_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/ricci_modstorage_selinux.8 b/man/man8/ricci_modstorage_selinux.8
+new file mode 100644
+index 0000000..d9a4baa
+--- /dev/null
++++ b/man/man8/ricci_modstorage_selinux.8
+@@ -0,0 +1,157 @@
++.TH "ricci_modstorage_selinux" "8" "12-11-01" "ricci_modstorage" "SELinux Policy documentation for ricci_modstorage"
++.SH "NAME"
++ricci_modstorage_selinux \- Security Enhanced Linux Policy for the ricci_modstorage processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ricci_modstorage processes via flexible mandatory access control.
++
++The ricci_modstorage processes execute with the ricci_modstorage_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ricci_modstorage_t
++
++
++.SH "ENTRYPOINTS"
++
++The ricci_modstorage_t SELinux type can be entered via the "ricci_modstorage_exec_t" file type. The default entrypoint paths for the ricci_modstorage_t domain are the following:"
++
++/usr/libexec/ricci-modstorage
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ricci_modstorage policy is very flexible allowing users to setup their ricci_modstorage processes in as secure a method as possible.
++.PP
++The following process types are defined for ricci_modstorage:
++
++.EX
++.B ricci_modstorage_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ricci_modstorage policy is very flexible allowing users to setup their ricci_modstorage processes in as secure a method as possible.
++.PP
++The following file types are defined for ricci_modstorage:
++
++
++.EX
++.PP
++.B ricci_modstorage_exec_t
++.EE
++
++- Set files with the ricci_modstorage_exec_t type, if you want to transition an executable to the ricci_modstorage_t domain.
++
++
++.EX
++.PP
++.B ricci_modstorage_lock_t
++.EE
++
++- Set files with the ricci_modstorage_lock_t type, if you want to treat the files as ricci modstorage lock data, stored under the /var/lock directory
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type ricci_modstorage_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B default_t
++
++ /.*
++.br
++
++.br
++.B etc_t
++
++ /etc/.*
++.br
++ /var/db/.*\.db
++.br
++ /usr/etc(/.*)?
++.br
++ /var/ftp/etc(/.*)?
++.br
++ /var/lib/openshift/.limits.d(/.*)?
++.br
++ /var/lib/openshift/.openshift-proxy.d(/.*)?
++.br
++ /var/lib/openshift/.stickshift-proxy.d(/.*)?
++.br
++ /var/lib/stickshift/.limits.d(/.*)?
++.br
++ /var/lib/stickshift/.stickshift-proxy.d(/.*)?
++.br
++ /var/named/chroot/etc(/.*)?
++.br
++ /etc/ipsec\.d/examples(/.*)?
++.br
++ /var/spool/postfix/etc(/.*)?
++.br
++ /etc
++.br
++ /etc/cups/client\.conf
++.br
++
++.br
++.B lvm_etc_t
++
++ /etc/lvm(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modstorage_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ricci_modstorage_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ricci_modstorage(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/ricci_selinux.8 b/man/man8/ricci_selinux.8
+new file mode 100644
+index 0000000..77e1008
+--- /dev/null
++++ b/man/man8/ricci_selinux.8
+@@ -0,0 +1,394 @@
++.TH "ricci_selinux" "8" "12-11-01" "ricci" "SELinux Policy documentation for ricci"
++.SH "NAME"
++ricci_selinux \- Security Enhanced Linux Policy for the ricci processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ricci processes via flexible mandatory access control.
++
++The ricci processes execute with the ricci_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ricci_t
++
++
++.SH "ENTRYPOINTS"
++
++The ricci_t SELinux type can be entered via the "ricci_exec_t,bin_t" file types. The default entrypoint paths for the ricci_t domain are the following:"
++
++/usr/sbin/ricci, /bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, /usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, /usr/lib/xen/bin(/.*)?, /usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, /usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, /etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/share/shorewall-perl(/.*)?, /usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, /usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, /etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, /etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, /usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, /usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, /usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/share/system-config-securitylevel/system-config-securitylevel\.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ricci policy is very flexible allowing users to setup their ricci processes in as secure a method as possible.
++.PP
++The following process types are defined for ricci:
++
++.EX
++.B ricci_t, ricci_modservice_t, ricci_modstorage_t, ricci_modclusterd_t, ricci_modlog_t, ricci_modrpm_t, ricci_modcluster_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ricci policy is very flexible allowing users to setup their ricci processes in as secure a method as possible.
++.PP
++The following file types are defined for ricci:
++
++
++.EX
++.PP
++.B ricci_exec_t
++.EE
++
++- Set files with the ricci_exec_t type, if you want to transition an executable to the ricci_t domain.
++
++
++.EX
++.PP
++.B ricci_initrc_exec_t
++.EE
++
++- Set files with the ricci_initrc_exec_t type, if you want to transition an executable to the ricci_initrc_t domain.
++
++
++.EX
++.PP
++.B ricci_modcluster_exec_t
++.EE
++
++- Set files with the ricci_modcluster_exec_t type, if you want to transition an executable to the ricci_modcluster_t domain.
++
++
++.EX
++.PP
++.B ricci_modcluster_var_lib_t
++.EE
++
++- Set files with the ricci_modcluster_var_lib_t type, if you want to store the ricci modcluster files under the /var/lib directory.
++
++
++.EX
++.PP
++.B ricci_modcluster_var_log_t
++.EE
++
++- Set files with the ricci_modcluster_var_log_t type, if you want to treat the data as ricci modcluster var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ricci_modcluster_var_run_t
++.EE
++
++- Set files with the ricci_modcluster_var_run_t type, if you want to store the ricci modcluster files under the /run directory.
++
++
++.EX
++.PP
++.B ricci_modclusterd_exec_t
++.EE
++
++- Set files with the ricci_modclusterd_exec_t type, if you want to transition an executable to the ricci_modclusterd_t domain.
++
++
++.EX
++.PP
++.B ricci_modclusterd_tmpfs_t
++.EE
++
++- Set files with the ricci_modclusterd_tmpfs_t type, if you want to store ricci modclusterd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B ricci_modlog_exec_t
++.EE
++
++- Set files with the ricci_modlog_exec_t type, if you want to transition an executable to the ricci_modlog_t domain.
++
++
++.EX
++.PP
++.B ricci_modrpm_exec_t
++.EE
++
++- Set files with the ricci_modrpm_exec_t type, if you want to transition an executable to the ricci_modrpm_t domain.
++
++
++.EX
++.PP
++.B ricci_modservice_exec_t
++.EE
++
++- Set files with the ricci_modservice_exec_t type, if you want to transition an executable to the ricci_modservice_t domain.
++
++
++.EX
++.PP
++.B ricci_modstorage_exec_t
++.EE
++
++- Set files with the ricci_modstorage_exec_t type, if you want to transition an executable to the ricci_modstorage_t domain.
++
++
++.EX
++.PP
++.B ricci_modstorage_lock_t
++.EE
++
++- Set files with the ricci_modstorage_lock_t type, if you want to treat the files as ricci modstorage lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B ricci_tmp_t
++.EE
++
++- Set files with the ricci_tmp_t type, if you want to store ricci temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ricci_var_lib_t
++.EE
++
++- Set files with the ricci_var_lib_t type, if you want to store the ricci files under the /var/lib directory.
++
++
++.EX
++.PP
++.B ricci_var_log_t
++.EE
++
++- Set files with the ricci_var_log_t type, if you want to treat the data as ricci var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ricci_var_run_t
++.EE
++
++- Set files with the ricci_var_run_t type, if you want to store the ricci files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux ricci policy is very flexible allowing users to setup their ricci processes in as secure a method as possible.
++.PP
++The following port types are defined for ricci:
++
++.EX
++.TP 5
++.B ricci_modcluster_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 16851
++.EE
++udp 16851
++.EE
++
++.EX
++.TP 5
++.B ricci_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 11111
++.EE
++udp 11111
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type ricci_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B ricci_tmp_t
++
++
++.br
++.B ricci_var_lib_t
++
++ /var/lib/ricci(/.*)?
++.br
++
++.br
++.B ricci_var_log_t
++
++
++.br
++.B ricci_var_run_t
++
++ /var/run/ricci\.pid
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ricci(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/rlogind_selinux.8 b/man/man8/rlogind_selinux.8
+new file mode 100644
+index 0000000..436ab6e
+--- /dev/null
++++ b/man/man8/rlogind_selinux.8
+@@ -0,0 +1,328 @@
++.TH "rlogind_selinux" "8" "12-11-01" "rlogind" "SELinux Policy documentation for rlogind"
++.SH "NAME"
++rlogind_selinux \- Security Enhanced Linux Policy for the rlogind processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rlogind processes via flexible mandatory access control.
++
++The rlogind processes execute with the rlogind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rlogind_t
++
++
++.SH "ENTRYPOINTS"
++
++The rlogind_t SELinux type can be entered via the "rlogind_exec_t" file type. The default entrypoint paths for the rlogind_t domain are the following:"
++
++/usr/lib/telnetlogin, /usr/sbin/in\.rlogind, /usr/kerberos/sbin/klogind
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rlogind policy is very flexible allowing users to setup their rlogind processes in as secure a method as possible.
++.PP
++The following process types are defined for rlogind:
++
++.EX
++.B rlogind_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rlogind policy is very flexible allowing users to setup their rlogind processes in as secure a method as possible.
++.PP
++The following file types are defined for rlogind:
++
++
++.EX
++.PP
++.B rlogind_exec_t
++.EE
++
++- Set files with the rlogind_exec_t type, if you want to transition an executable to the rlogind_t domain.
++
++
++.EX
++.PP
++.B rlogind_home_t
++.EE
++
++- Set files with the rlogind_home_t type, if you want to store rlogind files in the users home directory.
++
++
++.EX
++.PP
++.B rlogind_keytab_t
++.EE
++
++- Set files with the rlogind_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B rlogind_tmp_t
++.EE
++
++- Set files with the rlogind_tmp_t type, if you want to store rlogind temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B rlogind_var_run_t
++.EE
++
++- Set files with the rlogind_var_run_t type, if you want to store the rlogind files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux rlogind policy is very flexible allowing users to setup their rlogind processes in as secure a method as possible.
++.PP
++The following port types are defined for rlogind:
++
++.EX
++.TP 5
++.B rlogind_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 513
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type rlogind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B auth_home_t
++
++ /root/\.google_authenticator
++.br
++ /root/\.google_authenticator~
++.br
++ /home/[^/]*/\.google_authenticator
++.br
++ /home/[^/]*/\.google_authenticator~
++.br
++ /home/dwalsh/\.google_authenticator
++.br
++ /home/dwalsh/\.google_authenticator~
++.br
++ /var/lib/xguest/home/xguest/\.google_authenticator
++.br
++ /var/lib/xguest/home/xguest/\.google_authenticator~
++.br
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B pam_var_run_t
++
++ /var/(db|lib|adm)/sudo(/.*)?
++.br
++ /var/run/sudo(/.*)?
++.br
++ /var/run/sepermit(/.*)?
++.br
++ /var/run/pam_mount(/.*)?
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B rlogind_tmp_t
++
++
++.br
++.B rlogind_var_run_t
++
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.br
++.B var_auth_t
++
++ /var/ace(/.*)?
++.br
++ /var/rsa(/.*)?
++.br
++ /var/lib/abl(/.*)?
++.br
++ /var/lib/rsa(/.*)?
++.br
++ /var/lib/pam_ssh(/.*)?
++.br
++ /var/run/pam_ssh(/.*)?
++.br
++ /var/lib/pam_shield(/.*)?
++.br
++ /var/lib/google-authenticator(/.*)?
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rlogind_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rlogind_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rlogind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/rngd_selinux.8 b/man/man8/rngd_selinux.8
+new file mode 100644
+index 0000000..bd28b6f
+--- /dev/null
++++ b/man/man8/rngd_selinux.8
+@@ -0,0 +1,102 @@
++.TH "rngd_selinux" "8" "12-11-01" "rngd" "SELinux Policy documentation for rngd"
++.SH "NAME"
++rngd_selinux \- Security Enhanced Linux Policy for the rngd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rngd processes via flexible mandatory access control.
++
++The rngd processes execute with the rngd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rngd_t
++
++
++.SH "ENTRYPOINTS"
++
++The rngd_t SELinux type can be entered via the "rngd_exec_t" file type. The default entrypoint paths for the rngd_t domain are the following:"
++
++/usr/sbin/rngd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rngd policy is very flexible allowing users to setup their rngd processes in as secure a method as possible.
++.PP
++The following process types are defined for rngd:
++
++.EX
++.B rngd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rngd policy is very flexible allowing users to setup their rngd processes in as secure a method as possible.
++.PP
++The following file types are defined for rngd:
++
++
++.EX
++.PP
++.B rngd_exec_t
++.EE
++
++- Set files with the rngd_exec_t type, if you want to transition an executable to the rngd_t domain.
++
++
++.EX
++.PP
++.B rngd_initrc_exec_t
++.EE
++
++- Set files with the rngd_initrc_exec_t type, if you want to transition an executable to the rngd_initrc_t domain.
++
++
++.EX
++.PP
++.B rngd_unit_file_t
++.EE
++
++- Set files with the rngd_unit_file_t type, if you want to treat the files as rngd unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rngd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/roundup_selinux.8 b/man/man8/roundup_selinux.8
+new file mode 100644
+index 0000000..22ad9ee
+--- /dev/null
++++ b/man/man8/roundup_selinux.8
+@@ -0,0 +1,124 @@
++.TH "roundup_selinux" "8" "12-11-01" "roundup" "SELinux Policy documentation for roundup"
++.SH "NAME"
++roundup_selinux \- Security Enhanced Linux Policy for the roundup processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the roundup processes via flexible mandatory access control.
++
++The roundup processes execute with the roundup_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep roundup_t
++
++
++.SH "ENTRYPOINTS"
++
++The roundup_t SELinux type can be entered via the "roundup_exec_t" file type. The default entrypoint paths for the roundup_t domain are the following:"
++
++/usr/bin/roundup-server
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux roundup policy is very flexible allowing users to setup their roundup processes in as secure a method as possible.
++.PP
++The following process types are defined for roundup:
++
++.EX
++.B roundup_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux roundup policy is very flexible allowing users to setup their roundup processes in as secure a method as possible.
++.PP
++The following file types are defined for roundup:
++
++
++.EX
++.PP
++.B roundup_exec_t
++.EE
++
++- Set files with the roundup_exec_t type, if you want to transition an executable to the roundup_t domain.
++
++
++.EX
++.PP
++.B roundup_initrc_exec_t
++.EE
++
++- Set files with the roundup_initrc_exec_t type, if you want to transition an executable to the roundup_initrc_t domain.
++
++
++.EX
++.PP
++.B roundup_var_lib_t
++.EE
++
++- Set files with the roundup_var_lib_t type, if you want to store the roundup files under the /var/lib directory.
++
++
++.EX
++.PP
++.B roundup_var_run_t
++.EE
++
++- Set files with the roundup_var_run_t type, if you want to store the roundup files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type roundup_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B roundup_var_lib_t
++
++ /var/lib/roundup(/.*)?
++.br
++
++.br
++.B roundup_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), roundup(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/rpcbind_selinux.8 b/man/man8/rpcbind_selinux.8
+new file mode 100644
+index 0000000..9f38f73
+--- /dev/null
++++ b/man/man8/rpcbind_selinux.8
+@@ -0,0 +1,130 @@
++.TH "rpcbind_selinux" "8" "12-11-01" "rpcbind" "SELinux Policy documentation for rpcbind"
++.SH "NAME"
++rpcbind_selinux \- Security Enhanced Linux Policy for the rpcbind processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rpcbind processes via flexible mandatory access control.
++
++The rpcbind processes execute with the rpcbind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rpcbind_t
++
++
++.SH "ENTRYPOINTS"
++
++The rpcbind_t SELinux type can be entered via the "rpcbind_exec_t" file type. The default entrypoint paths for the rpcbind_t domain are the following:"
++
++/sbin/rpcbind, /usr/sbin/rpcbind
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rpcbind policy is very flexible allowing users to setup their rpcbind processes in as secure a method as possible.
++.PP
++The following process types are defined for rpcbind:
++
++.EX
++.B rpcbind_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rpcbind policy is very flexible allowing users to setup their rpcbind processes in as secure a method as possible.
++.PP
++The following file types are defined for rpcbind:
++
++
++.EX
++.PP
++.B rpcbind_exec_t
++.EE
++
++- Set files with the rpcbind_exec_t type, if you want to transition an executable to the rpcbind_t domain.
++
++
++.EX
++.PP
++.B rpcbind_initrc_exec_t
++.EE
++
++- Set files with the rpcbind_initrc_exec_t type, if you want to transition an executable to the rpcbind_initrc_t domain.
++
++
++.EX
++.PP
++.B rpcbind_var_lib_t
++.EE
++
++- Set files with the rpcbind_var_lib_t type, if you want to store the rpcbind files under the /var/lib directory.
++
++
++.EX
++.PP
++.B rpcbind_var_run_t
++.EE
++
++- Set files with the rpcbind_var_run_t type, if you want to store the rpcbind files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type rpcbind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B rpcbind_var_lib_t
++
++ /var/lib/rpcbind(/.*)?
++.br
++ /var/cache/rpcbind(/.*)?
++.br
++
++.br
++.B rpcbind_var_run_t
++
++ /var/run/rpc.statd\.pid
++.br
++ /var/run/rpcbind.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rpcbind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/rpcd_selinux.8 b/man/man8/rpcd_selinux.8
+new file mode 100644
+index 0000000..054ef5a
+--- /dev/null
++++ b/man/man8/rpcd_selinux.8
+@@ -0,0 +1,181 @@
++.TH "rpcd_selinux" "8" "12-11-01" "rpcd" "SELinux Policy documentation for rpcd"
++.SH "NAME"
++rpcd_selinux \- Security Enhanced Linux Policy for the rpcd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rpcd processes via flexible mandatory access control.
++
++The rpcd processes execute with the rpcd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rpcd_t
++
++
++.SH "ENTRYPOINTS"
++
++The rpcd_t SELinux type can be entered via the "rpcd_exec_t" file type. The default entrypoint paths for the rpcd_t domain are the following:"
++
++/sbin/rpc\..*, /usr/sbin/rpc\..*, /sbin/sm-notify, /usr/sbin/sm-notify, /usr/sbin/rpc\.idmapd, /usr/sbin/rpc\.rquotad
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rpcd policy is very flexible allowing users to setup their rpcd processes in as secure a method as possible.
++.PP
++The following process types are defined for rpcd:
++
++.EX
++.B rpcd_t, rpcbind_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rpcd policy is very flexible allowing users to setup their rpcd processes in as secure a method as possible.
++.PP
++The following file types are defined for rpcd:
++
++
++.EX
++.PP
++.B rpcd_exec_t
++.EE
++
++- Set files with the rpcd_exec_t type, if you want to transition an executable to the rpcd_t domain.
++
++
++.EX
++.PP
++.B rpcd_initrc_exec_t
++.EE
++
++- Set files with the rpcd_initrc_exec_t type, if you want to transition an executable to the rpcd_initrc_t domain.
++
++
++.EX
++.PP
++.B rpcd_unit_file_t
++.EE
++
++- Set files with the rpcd_unit_file_t type, if you want to treat the files as rpcd unit content.
++
++
++.EX
++.PP
++.B rpcd_var_run_t
++.EE
++
++- Set files with the rpcd_var_run_t type, if you want to store the rpcd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type rpcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B quota_db_t
++
++ /a?quota\.(user|group)
++.br
++ /etc/a?quota\.(user|group)
++.br
++ /var/a?quota\.(user|group)
++.br
++ /boot/a?quota\.(user|group)
++.br
++ /var/spool/(.*/)?a?quota\.(user|group)
++.br
++ /var/lib/openshift/a?quota\.(user|group)
++.br
++ /var/lib/stickshift/a?quota\.(user|group)
++.br
++ /home/[^/]*/a?quota\.(user|group)
++.br
++ /home/a?quota\.(user|group)
++.br
++ /home/dwalsh/a?quota\.(user|group)
++.br
++ /var/lib/xguest/home/xguest/a?quota\.(user|group)
++.br
++
++.br
++.B rgmanager_tmp_t
++
++
++.br
++.B rpcd_var_run_t
++
++ /var/run/rpc\.statd(/.*)?
++.br
++ /var/run/rpc\.statd\.pid
++.br
++
++.br
++.B var_lib_nfs_t
++
++ /var/lib/nfs(/.*)?
++.br
++
++.br
++.B var_lib_t
++
++ /opt/(.*/)?var/lib(/.*)?
++.br
++ /var/lib(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rpcd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rpcd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, rpcbind_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/rpm_script_selinux.8 b/man/man8/rpm_script_selinux.8
+new file mode 100644
+index 0000000..3a3d1db
+--- /dev/null
++++ b/man/man8/rpm_script_selinux.8
+@@ -0,0 +1,127 @@
++.TH "rpm_script_selinux" "8" "12-11-01" "rpm_script" "SELinux Policy documentation for rpm_script"
++.SH "NAME"
++rpm_script_selinux \- Security Enhanced Linux Policy for the rpm_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rpm_script processes via flexible mandatory access control.
++
++The rpm_script processes execute with the rpm_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rpm_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The rpm_script_t SELinux type can be entered via the "filesystem_type,unlabeled_t,proc_type,bin_t,ldconfig_exec_t,mtrr_device_t,shell_exec_t,sysctl_type,file_type" file types. The default entrypoint paths for the rpm_script_t domain are the following:"
++
++/bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, /usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, /usr/lib/xen/bin(/.*)?, /usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, /usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, /etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/share/shorewall-perl(/.*)?, /usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, /usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, /etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, /etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, /usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, /usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, /usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/share/system-config-securitylevel/system-config-securitylevel\.py, /sbin/ldconfig, /usr/sbin/ldconfig, /dev/cpu/mtrr, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, all files on the system
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rpm_script policy is very flexible allowing users to setup their rpm_script processes in as secure a method as possible.
++.PP
++The following process types are defined for rpm_script:
++
++.EX
++.B rpm_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rpm_script policy is very flexible allowing users to setup their rpm_script processes in as secure a method as possible.
++.PP
++The following file types are defined for rpm_script:
++
++
++.EX
++.PP
++.B rpm_script_exec_t
++.EE
++
++- Set files with the rpm_script_exec_t type, if you want to transition an executable to the rpm_script_t domain.
++
++
++.EX
++.PP
++.B rpm_script_tmp_t
++.EE
++
++- Set files with the rpm_script_tmp_t type, if you want to store rpm script temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B rpm_script_tmpfs_t
++.EE
++
++- Set files with the rpm_script_tmpfs_t type, if you want to store rpm script files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type rpm_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B file_type
++
++ all files on the system
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpm_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rpm_script_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rpm_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, rpm_selinux(8), rpm_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/rpm_selinux.8 b/man/man8/rpm_selinux.8
+new file mode 100644
+index 0000000..0b6f8e2
+--- /dev/null
++++ b/man/man8/rpm_selinux.8
+@@ -0,0 +1,191 @@
++.TH "rpm_selinux" "8" "12-11-01" "rpm" "SELinux Policy documentation for rpm"
++.SH "NAME"
++rpm_selinux \- Security Enhanced Linux Policy for the rpm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rpm processes via flexible mandatory access control.
++
++The rpm processes execute with the rpm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rpm_t
++
++
++.SH "ENTRYPOINTS"
++
++The rpm_t SELinux type can be entered via the "rpm_exec_t,debuginfo_exec_t,filesystem_type,rpm_script_exec_t,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type" file types. The default entrypoint paths for the rpm_t domain are the following:"
++
++/usr/libexec/yumDBUSBackend.py, /bin/rpm, /usr/bin/dnf, /usr/bin/rpm, /usr/bin/yum, /usr/bin/zif, /usr/sbin/pup, /usr/bin/smart, /usr/sbin/bcfg2, /usr/sbin/pirut, /usr/bin/apt-get, /usr/sbin/up2date, /usr/sbin/synaptic, /usr/bin/apt-shell, /usr/sbin/rhn_check, /usr/sbin/rhnreg_ks, /usr/sbin/packagekitd, /usr/sbin/yum-updatesd, /usr/libexec/packagekitd, /usr/bin/package-cleanup, /usr/bin/fedora-rmdevelrpms, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/system-install-packages, /usr/share/yumex/yum_childtask\.py, /usr/sbin/yum-complete-transaction, /usr/share/yumex/yumex-yum-backend, /usr/bin/debuginfo-install, /dev/cpu/mtrr, all files on the system
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rpm policy is very flexible allowing users to setup their rpm processes in as secure a method as possible.
++.PP
++The following process types are defined for rpm:
++
++.EX
++.B rpm_t, rpm_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rpm policy is very flexible allowing users to setup their rpm processes in as secure a method as possible.
++.PP
++The following file types are defined for rpm:
++
++
++.EX
++.PP
++.B rpm_exec_t
++.EE
++
++- Set files with the rpm_exec_t type, if you want to transition an executable to the rpm_t domain.
++
++
++.EX
++.PP
++.B rpm_file_t
++.EE
++
++- Set files with the rpm_file_t type, if you want to treat the files as rpm content.
++
++
++.EX
++.PP
++.B rpm_log_t
++.EE
++
++- Set files with the rpm_log_t type, if you want to treat the data as rpm log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B rpm_script_exec_t
++.EE
++
++- Set files with the rpm_script_exec_t type, if you want to transition an executable to the rpm_script_t domain.
++
++
++.EX
++.PP
++.B rpm_script_tmp_t
++.EE
++
++- Set files with the rpm_script_tmp_t type, if you want to store rpm script temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B rpm_script_tmpfs_t
++.EE
++
++- Set files with the rpm_script_tmpfs_t type, if you want to store rpm script files on a tmpfs file system.
++
++
++.EX
++.PP
++.B rpm_tmp_t
++.EE
++
++- Set files with the rpm_tmp_t type, if you want to store rpm temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B rpm_tmpfs_t
++.EE
++
++- Set files with the rpm_tmpfs_t type, if you want to store rpm files on a tmpfs file system.
++
++
++.EX
++.PP
++.B rpm_var_cache_t
++.EE
++
++- Set files with the rpm_var_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B rpm_var_lib_t
++.EE
++
++- Set files with the rpm_var_lib_t type, if you want to store the rpm files under the /var/lib directory.
++
++
++.EX
++.PP
++.B rpm_var_run_t
++.EE
++
++- Set files with the rpm_var_run_t type, if you want to store the rpm files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type rpm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B file_type
++
++ all files on the system
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpm_script_t, rpm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rpm_script_t, rpm_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rpm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, rpm_script_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/rshd_selinux.8 b/man/man8/rshd_selinux.8
+new file mode 100644
+index 0000000..8958739
+--- /dev/null
++++ b/man/man8/rshd_selinux.8
+@@ -0,0 +1,302 @@
++.TH "rshd_selinux" "8" "12-11-01" "rshd" "SELinux Policy documentation for rshd"
++.SH "NAME"
++rshd_selinux \- Security Enhanced Linux Policy for the rshd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rshd processes via flexible mandatory access control.
++
++The rshd processes execute with the rshd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rshd_t
++
++
++.SH "ENTRYPOINTS"
++
++The rshd_t SELinux type can be entered via the "rshd_exec_t" file type. The default entrypoint paths for the rshd_t domain are the following:"
++
++/usr/sbin/in\.rshd, /usr/sbin/in\.rexecd, /usr/kerberos/sbin/kshd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rshd policy is very flexible allowing users to setup their rshd processes in as secure a method as possible.
++.PP
++The following process types are defined for rshd:
++
++.EX
++.B rshd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rshd policy is very flexible allowing users to setup their rshd processes in as secure a method as possible.
++.PP
++The following file types are defined for rshd:
++
++
++.EX
++.PP
++.B rshd_exec_t
++.EE
++
++- Set files with the rshd_exec_t type, if you want to transition an executable to the rshd_t domain.
++
++
++.EX
++.PP
++.B rshd_keytab_t
++.EE
++
++- Set files with the rshd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux rshd policy is very flexible allowing users to setup their rshd processes in as secure a method as possible.
++.PP
++The following port types are defined for rshd:
++
++.EX
++.TP 5
++.B rsh_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 514
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type rshd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B auth_home_t
++
++ /root/\.google_authenticator
++.br
++ /root/\.google_authenticator~
++.br
++ /home/[^/]*/\.google_authenticator
++.br
++ /home/[^/]*/\.google_authenticator~
++.br
++ /home/dwalsh/\.google_authenticator
++.br
++ /home/dwalsh/\.google_authenticator~
++.br
++ /var/lib/xguest/home/xguest/\.google_authenticator
++.br
++ /var/lib/xguest/home/xguest/\.google_authenticator~
++.br
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B pam_var_run_t
++
++ /var/(db|lib|adm)/sudo(/.*)?
++.br
++ /var/run/sudo(/.*)?
++.br
++ /var/run/sepermit(/.*)?
++.br
++ /var/run/pam_mount(/.*)?
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.br
++.B user_tmp_type
++
++ all user tmp files
++.br
++
++.br
++.B var_auth_t
++
++ /var/ace(/.*)?
++.br
++ /var/rsa(/.*)?
++.br
++ /var/lib/abl(/.*)?
++.br
++ /var/lib/rsa(/.*)?
++.br
++ /var/lib/pam_ssh(/.*)?
++.br
++ /var/run/pam_ssh(/.*)?
++.br
++ /var/lib/pam_shield(/.*)?
++.br
++ /var/lib/google-authenticator(/.*)?
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rshd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rshd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rshd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/rssh_chroot_helper_selinux.8 b/man/man8/rssh_chroot_helper_selinux.8
+new file mode 100644
+index 0000000..42e38a6
+--- /dev/null
++++ b/man/man8/rssh_chroot_helper_selinux.8
+@@ -0,0 +1,101 @@
++.TH "rssh_chroot_helper_selinux" "8" "12-11-01" "rssh_chroot_helper" "SELinux Policy documentation for rssh_chroot_helper"
++.SH "NAME"
++rssh_chroot_helper_selinux \- Security Enhanced Linux Policy for the rssh_chroot_helper processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rssh_chroot_helper processes via flexible mandatory access control.
++
++The rssh_chroot_helper processes execute with the rssh_chroot_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rssh_chroot_helper_t
++
++
++.SH "ENTRYPOINTS"
++
++The rssh_chroot_helper_t SELinux type can be entered via the "rssh_chroot_helper_exec_t" file type. The default entrypoint paths for the rssh_chroot_helper_t domain are the following:"
++
++/usr/libexec/rssh_chroot_helper
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rssh_chroot_helper policy is very flexible allowing users to setup their rssh_chroot_helper processes in as secure a method as possible.
++.PP
++The following process types are defined for rssh_chroot_helper:
++
++.EX
++.B rssh_chroot_helper_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rssh_chroot_helper policy is very flexible allowing users to setup their rssh_chroot_helper processes in as secure a method as possible.
++.PP
++The following file types are defined for rssh_chroot_helper:
++
++
++.EX
++.PP
++.B rssh_chroot_helper_exec_t
++.EE
++
++- Set files with the rssh_chroot_helper_exec_t type, if you want to transition an executable to the rssh_chroot_helper_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rssh_chroot_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rssh_chroot_helper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rssh_chroot_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, rssh_selinux(8), rssh_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/rssh_selinux.8 b/man/man8/rssh_selinux.8
+new file mode 100644
+index 0000000..f418ac6
+--- /dev/null
++++ b/man/man8/rssh_selinux.8
+@@ -0,0 +1,133 @@
++.TH "rssh_selinux" "8" "12-11-01" "rssh" "SELinux Policy documentation for rssh"
++.SH "NAME"
++rssh_selinux \- Security Enhanced Linux Policy for the rssh processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rssh processes via flexible mandatory access control.
++
++The rssh processes execute with the rssh_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rssh_t
++
++
++.SH "ENTRYPOINTS"
++
++The rssh_t SELinux type can be entered via the "rssh_exec_t" file type. The default entrypoint paths for the rssh_t domain are the following:"
++
++/usr/bin/rssh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rssh policy is very flexible allowing users to setup their rssh processes in as secure a method as possible.
++.PP
++The following process types are defined for rssh:
++
++.EX
++.B rssh_t, rssh_chroot_helper_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rssh policy is very flexible allowing users to setup their rssh processes in as secure a method as possible.
++.PP
++The following file types are defined for rssh:
++
++
++.EX
++.PP
++.B rssh_chroot_helper_exec_t
++.EE
++
++- Set files with the rssh_chroot_helper_exec_t type, if you want to transition an executable to the rssh_chroot_helper_t domain.
++
++
++.EX
++.PP
++.B rssh_exec_t
++.EE
++
++- Set files with the rssh_exec_t type, if you want to transition an executable to the rssh_t domain.
++
++
++.EX
++.PP
++.B rssh_ro_t
++.EE
++
++- Set files with the rssh_ro_t type, if you want to treat the files as rssh read/only content.
++
++
++.EX
++.PP
++.B rssh_rw_t
++.EE
++
++- Set files with the rssh_rw_t type, if you want to treat the files as rssh read/write content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type rssh_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B rssh_rw_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rssh_chroot_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rssh_chroot_helper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, rssh_chroot_helper_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8
+index ad9ccf5..bf0928c 100644
+--- a/man/man8/rsync_selinux.8
++++ b/man/man8/rsync_selinux.8
+@@ -1,52 +1,299 @@
+-.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
+-.de EX
+-.nf
+-.ft CW
+-..
+-.de EE
+-.ft R
+-.fi
+-..
++.TH "rsync_selinux" "8" "12-11-01" "rsync" "SELinux Policy documentation for rsync"
+ .SH "NAME"
+-rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
++rsync_selinux \- Security Enhanced Linux Policy for the rsync processes
+ .SH "DESCRIPTION"
+
+-Security-Enhanced Linux secures the rsync server via flexible mandatory access
+-control.
+-.SH FILE_CONTEXTS
+-SELinux requires files to have an extended attribute to define the file type.
+-Policy governs the access daemons have to these files.
+-If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you
+-would need to label the directory with the chcon tool.
+-.TP
+-chcon -t public_content_t /var/rsync
+-.TP
+-.TP
+-To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
++Security-Enhanced Linux secures the rsync processes via flexible mandatory access control.
++
++The rsync processes execute with the rsync_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rsync_t
++
++
++.SH "ENTRYPOINTS"
++
++The rsync_t SELinux type can be entered via the "rsync_exec_t" file type. The default entrypoint paths for the rsync_t domain are the following:"
++
++/usr/bin/rsync
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rsync policy is very flexible allowing users to setup their rsync processes in as secure a method as possible.
++.PP
++The following process types are defined for rsync:
++
++.EX
++.B rsync_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. rsync policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rsync with the tightest access possible.
++
++
++.PP
++If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean.
++
++.EX
++.B setsebool -P postgresql_can_rsync 1
++.EE
++
++.PP
++If you want to allow rsync to export any files/directories read only, you must turn on the rsync_export_all_ro boolean.
++
++.EX
++.B setsebool -P rsync_export_all_ro 1
++.EE
++
++.PP
++If you want to allow rsync servers to share nfs files systems, you must turn on the rsync_use_nfs boolean.
++
++.EX
++.B setsebool -P rsync_use_nfs 1
++.EE
++
++.PP
++If you want to allow rsync servers to share cifs files systems, you must turn on the rsync_use_cifs boolean.
++
++.EX
++.B setsebool -P rsync_use_cifs 1
++.EE
++
++.PP
++If you want to allow rsync to run as a client, you must turn on the rsync_client boolean.
++
++.EX
++.B setsebool -P rsync_client 1
++.EE
++
++.PP
++If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean.
++
++.EX
++.B setsebool -P postgresql_can_rsync 1
++.EE
++
++.PP
++If you want to allow rsync to export any files/directories read only, you must turn on the rsync_export_all_ro boolean.
++
++.EX
++.B setsebool -P rsync_export_all_ro 1
++.EE
++
++.PP
++If you want to allow rsync servers to share nfs files systems, you must turn on the rsync_use_nfs boolean.
++
++.EX
++.B setsebool -P rsync_use_nfs 1
++.EE
++
++.PP
++If you want to allow rsync servers to share cifs files systems, you must turn on the rsync_use_cifs boolean.
++
++.EX
++.B setsebool -P rsync_use_cifs 1
++.EE
++
++.PP
++If you want to allow rsync to run as a client, you must turn on the rsync_client boolean.
++
++.EX
++.B setsebool -P rsync_client 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
+ .TP
++Allow rsync servers to read the /var/rsync directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
+ semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"
++.br
++.B restorecon -F -R -v /var/rsync
++.pp
+ .TP
+-This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
+-.TP
+-/var/rsync(/.*)? system_u:object_r:publix_content_t:s0
+-.TP
+-Run the restorecon command to apply the changes:
+-.TP
+-restorecon -R -v /var/rsync/
++Allow rsync servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_rsyncd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/rsync/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/rsync/incoming
++
++
++.PP
++If you want to allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the rsync_anon_write boolean.
++
++.EX
++.B setsebool -P rsync_anon_write 1
+ .EE
+
+-.SH SHARING FILES
+-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for rsync you would execute:
++.PP
++If you want to allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the rsync_anon_write boolean.
+
+ .EX
+-setsebool -P allow_rsync_anon_write=1
++.B setsebool -P rsync_anon_write 1
+ .EE
+
+-.SH BOOLEANS
+-.TP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
+-.SH AUTHOR
+-This manual page was written by Dan Walsh .
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rsync policy is very flexible allowing users to setup their rsync processes in as secure a method as possible.
++.PP
++The following file types are defined for rsync:
++
++
++.EX
++.PP
++.B rsync_data_t
++.EE
++
++- Set files with the rsync_data_t type, if you want to treat the files as rsync content.
++
++
++.EX
++.PP
++.B rsync_etc_t
++.EE
++
++- Set files with the rsync_etc_t type, if you want to store rsync files in the /etc directories.
++
++
++.EX
++.PP
++.B rsync_exec_t
++.EE
++
++- Set files with the rsync_exec_t type, if you want to transition an executable to the rsync_t domain.
++
++
++.EX
++.PP
++.B rsync_log_t
++.EE
++
++- Set files with the rsync_log_t type, if you want to treat the data as rsync log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B rsync_tmp_t
++.EE
++
++- Set files with the rsync_tmp_t type, if you want to store rsync temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B rsync_var_run_t
++.EE
++
++- Set files with the rsync_var_run_t type, if you want to store the rsync files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux rsync policy is very flexible allowing users to setup their rsync processes in as secure a method as possible.
++.PP
++The following port types are defined for rsync:
++
++.EX
++.TP 5
++.B rsync_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 873
++.EE
++udp 873
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type rsync_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B rsync_log_t
++
++ /var/log/rsync\.log.*
++.br
++
++.br
++.B rsync_tmp_t
++
++
++.br
++.B rsync_var_run_t
++
++ /var/run/rsyncd\.lock
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rsync_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rsync_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
+
+ .SH "SEE ALSO"
+-selinux(8), rsync(1), chcon(1), setsebool(8), semanage(8)
++selinux(8), rsync(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/rtkit_daemon_selinux.8 b/man/man8/rtkit_daemon_selinux.8
+new file mode 100644
+index 0000000..0e3bbbc
+--- /dev/null
++++ b/man/man8/rtkit_daemon_selinux.8
+@@ -0,0 +1,108 @@
++.TH "rtkit_daemon_selinux" "8" "12-11-01" "rtkit_daemon" "SELinux Policy documentation for rtkit_daemon"
++.SH "NAME"
++rtkit_daemon_selinux \- Security Enhanced Linux Policy for the rtkit_daemon processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rtkit_daemon processes via flexible mandatory access control.
++
++The rtkit_daemon processes execute with the rtkit_daemon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rtkit_daemon_t
++
++
++.SH "ENTRYPOINTS"
++
++The rtkit_daemon_t SELinux type can be entered via the "rtkit_daemon_exec_t" file type. The default entrypoint paths for the rtkit_daemon_t domain are the following:"
++
++/usr/libexec/rtkit-daemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rtkit_daemon policy is very flexible allowing users to setup their rtkit_daemon processes in as secure a method as possible.
++.PP
++The following process types are defined for rtkit_daemon:
++
++.EX
++.B rtkit_daemon_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rtkit_daemon policy is very flexible allowing users to setup their rtkit_daemon processes in as secure a method as possible.
++.PP
++The following file types are defined for rtkit_daemon:
++
++
++.EX
++.PP
++.B rtkit_daemon_exec_t
++.EE
++
++- Set files with the rtkit_daemon_exec_t type, if you want to transition an executable to the rtkit_daemon_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type rtkit_daemon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rtkit_daemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rtkit_daemon_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rtkit_daemon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/run_init_selinux.8 b/man/man8/run_init_selinux.8
+new file mode 100644
+index 0000000..69e4288
+--- /dev/null
++++ b/man/man8/run_init_selinux.8
+@@ -0,0 +1,148 @@
++.TH "run_init_selinux" "8" "12-11-01" "run_init" "SELinux Policy documentation for run_init"
++.SH "NAME"
++run_init_selinux \- Security Enhanced Linux Policy for the run_init processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the run_init processes via flexible mandatory access control.
++
++The run_init processes execute with the run_init_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep run_init_t
++
++
++.SH "ENTRYPOINTS"
++
++The run_init_t SELinux type can be entered via the "run_init_exec_t" file type. The default entrypoint paths for the run_init_t domain are the following:"
++
++/usr/sbin/run_init
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux run_init policy is very flexible allowing users to setup their run_init processes in as secure a method as possible.
++.PP
++The following process types are defined for run_init:
++
++.EX
++.B run_init_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux run_init policy is very flexible allowing users to setup their run_init processes in as secure a method as possible.
++.PP
++The following file types are defined for run_init:
++
++
++.EX
++.PP
++.B run_init_exec_t
++.EE
++
++- Set files with the run_init_exec_t type, if you want to transition an executable to the run_init_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type run_init_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the run_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the run_init_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), run_init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/rwho_selinux.8 b/man/man8/rwho_selinux.8
+new file mode 100644
+index 0000000..6044f11
+--- /dev/null
++++ b/man/man8/rwho_selinux.8
+@@ -0,0 +1,152 @@
++.TH "rwho_selinux" "8" "12-11-01" "rwho" "SELinux Policy documentation for rwho"
++.SH "NAME"
++rwho_selinux \- Security Enhanced Linux Policy for the rwho processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the rwho processes via flexible mandatory access control.
++
++The rwho processes execute with the rwho_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep rwho_t
++
++
++.SH "ENTRYPOINTS"
++
++The rwho_t SELinux type can be entered via the "rwho_exec_t" file type. The default entrypoint paths for the rwho_t domain are the following:"
++
++/usr/sbin/rwhod
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible.
++.PP
++The following process types are defined for rwho:
++
++.EX
++.B rwho_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible.
++.PP
++The following file types are defined for rwho:
++
++
++.EX
++.PP
++.B rwho_exec_t
++.EE
++
++- Set files with the rwho_exec_t type, if you want to transition an executable to the rwho_t domain.
++
++
++.EX
++.PP
++.B rwho_initrc_exec_t
++.EE
++
++- Set files with the rwho_initrc_exec_t type, if you want to transition an executable to the rwho_initrc_t domain.
++
++
++.EX
++.PP
++.B rwho_log_t
++.EE
++
++- Set files with the rwho_log_t type, if you want to treat the data as rwho log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B rwho_spool_t
++.EE
++
++- Set files with the rwho_spool_t type, if you want to store the rwho files under the /var/spool directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible.
++.PP
++The following port types are defined for rwho:
++
++.EX
++.TP 5
++.B rwho_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 513
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type rwho_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B rwho_log_t
++
++ /var/log/rwhod(/.*)?
++.br
++
++.br
++.B rwho_spool_t
++
++ /var/spool/rwho(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), rwho(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/samba_net_selinux.8 b/man/man8/samba_net_selinux.8
+new file mode 100644
+index 0000000..2b5c346
+--- /dev/null
++++ b/man/man8/samba_net_selinux.8
+@@ -0,0 +1,155 @@
++.TH "samba_net_selinux" "8" "12-11-01" "samba_net" "SELinux Policy documentation for samba_net"
++.SH "NAME"
++samba_net_selinux \- Security Enhanced Linux Policy for the samba_net processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the samba_net processes via flexible mandatory access control.
++
++The samba_net processes execute with the samba_net_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep samba_net_t
++
++
++.SH "ENTRYPOINTS"
++
++The samba_net_t SELinux type can be entered via the "samba_net_exec_t" file type. The default entrypoint paths for the samba_net_t domain are the following:"
++
++/usr/bin/net
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux samba_net policy is very flexible allowing users to setup their samba_net processes in as secure a method as possible.
++.PP
++The following process types are defined for samba_net:
++
++.EX
++.B samba_net_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux samba_net policy is very flexible allowing users to setup their samba_net processes in as secure a method as possible.
++.PP
++The following file types are defined for samba_net:
++
++
++.EX
++.PP
++.B samba_net_exec_t
++.EE
++
++- Set files with the samba_net_exec_t type, if you want to transition an executable to the samba_net_t domain.
++
++
++.EX
++.PP
++.B samba_net_tmp_t
++.EE
++
++- Set files with the samba_net_tmp_t type, if you want to store samba net temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type samba_net_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B krb5_keytab_t
++
++ /etc/krb5\.keytab
++.br
++ /etc/krb5kdc/kadm5\.keytab
++.br
++ /var/kerberos/krb5kdc/kadm5\.keytab
++.br
++
++.br
++.B samba_net_tmp_t
++
++
++.br
++.B samba_secrets_t
++
++ /etc/samba/smbpasswd
++.br
++ /etc/samba/passdb\.tdb
++.br
++ /etc/samba/MACHINE\.SID
++.br
++ /etc/samba/secrets\.tdb
++.br
++
++.br
++.B samba_var_t
++
++ /var/lib/samba(/.*)?
++.br
++ /var/cache/samba(/.*)?
++.br
++ /var/spool/samba(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the samba_net_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the samba_net_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), samba_net(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, samba_unconfined_script_selinux(8), sambagui_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8
+index ca702c7..234a9c7 100644
+--- a/man/man8/samba_selinux.8
++++ b/man/man8/samba_selinux.8
+@@ -1,56 +1 @@
+-.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
+-.SH "NAME"
+-samba_selinux \- Security Enhanced Linux Policy for Samba
+-.SH "DESCRIPTION"
+-
+-Security-Enhanced Linux secures the Samba server via flexible mandatory access
+-control.
+-.SH FILE_CONTEXTS
+-SELinux requires files to have an extended attribute to define the file type.
+-Policy governs the access daemons have to these files.
+-If you want to share files other than home directories, those files must be
+-labeled samba_share_t. So if you created a special directory /var/eng, you
+-would need to label the directory with the chcon tool.
+-.TP
+-chcon -t samba_share_t /var/eng
+-.TP
+-To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
+-.TP
+-semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"
+-.TP
+-This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
+-.TP
+-/var/eng(/.*)? system_u:object_r:samba_share_t:s0
+-.TP
+-Run the restorecon command to apply the changes:
+-.TP
+-restorecon -R -v /var/eng/
+-
+-.SH SHARING FILES
+-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute:
+-
+-setsebool -P allow_smbd_anon_write=1
+-
+-.SH BOOLEANS
+-.br
+-SELinux policy is customizable based on least access required. So by
+-default SELinux policy turns off SELinux sharing of home directories and
+-the use of Samba shares from a remote machine as a home directory.
+-.TP
+-If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean.
+-.br
+-
+-setsebool -P samba_enable_home_dirs 1
+-.TP
+-If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
+-.br
+-
+-setsebool -P use_samba_home_dirs 1
+-.TP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
+-
+-.SH AUTHOR
+-This manual page was written by Dan Walsh .
+-
+-.SH "SEE ALSO"
+-selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
++.so man8/smbd_selinux.8
+\ No newline at end of file
+diff --git a/man/man8/samba_unconfined_script_selinux.8 b/man/man8/samba_unconfined_script_selinux.8
+new file mode 100644
+index 0000000..293e93e
+--- /dev/null
++++ b/man/man8/samba_unconfined_script_selinux.8
+@@ -0,0 +1,87 @@
++.TH "samba_unconfined_script_selinux" "8" "12-11-01" "samba_unconfined_script" "SELinux Policy documentation for samba_unconfined_script"
++.SH "NAME"
++samba_unconfined_script_selinux \- Security Enhanced Linux Policy for the samba_unconfined_script processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the samba_unconfined_script processes via flexible mandatory access control.
++
++The samba_unconfined_script processes execute with the samba_unconfined_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep samba_unconfined_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The samba_unconfined_script_t SELinux type can be entered via the "shell_exec_t,samba_unconfined_script_exec_t" file types. The default entrypoint paths for the samba_unconfined_script_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/lib/samba/scripts(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux samba_unconfined_script policy is very flexible allowing users to setup their samba_unconfined_script processes in as secure a method as possible.
++.PP
++The following process types are defined for samba_unconfined_script:
++
++.EX
++.B samba_unconfined_script_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux samba_unconfined_script policy is very flexible allowing users to setup their samba_unconfined_script processes in as secure a method as possible.
++.PP
++The following file types are defined for samba_unconfined_script:
++
++
++.EX
++.PP
++.B samba_unconfined_script_exec_t
++.EE
++
++- Set files with the samba_unconfined_script_exec_t type, if you want to transition an executable to the samba_unconfined_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), samba_unconfined_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, samba_net_selinux(8), sambagui_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/sambagui_selinux.8 b/man/man8/sambagui_selinux.8
+new file mode 100644
+index 0000000..3c17297
+--- /dev/null
++++ b/man/man8/sambagui_selinux.8
+@@ -0,0 +1,128 @@
++.TH "sambagui_selinux" "8" "12-11-01" "sambagui" "SELinux Policy documentation for sambagui"
++.SH "NAME"
++sambagui_selinux \- Security Enhanced Linux Policy for the sambagui processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sambagui processes via flexible mandatory access control.
++
++The sambagui processes execute with the sambagui_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sambagui_t
++
++
++.SH "ENTRYPOINTS"
++
++The sambagui_t SELinux type can be entered via the "sambagui_exec_t" file type. The default entrypoint paths for the sambagui_t domain are the following:"
++
++/usr/share/system-config-samba/system-config-samba-mechanism.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sambagui policy is very flexible allowing users to setup their sambagui processes in as secure a method as possible.
++.PP
++The following process types are defined for sambagui:
++
++.EX
++.B sambagui_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sambagui policy is very flexible allowing users to setup their sambagui processes in as secure a method as possible.
++.PP
++The following file types are defined for sambagui:
++
++
++.EX
++.PP
++.B sambagui_exec_t
++.EE
++
++- Set files with the sambagui_exec_t type, if you want to transition an executable to the sambagui_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sambagui_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B samba_etc_t
++
++ /etc/samba(/.*)?
++.br
++
++.br
++.B samba_var_t
++
++ /var/lib/samba(/.*)?
++.br
++ /var/cache/samba(/.*)?
++.br
++ /var/spool/samba(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sambagui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sambagui_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sambagui(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/sandbox_selinux.8 b/man/man8/sandbox_selinux.8
+new file mode 100644
+index 0000000..ee32f27
+--- /dev/null
++++ b/man/man8/sandbox_selinux.8
+@@ -0,0 +1,192 @@
++.TH "sandbox_selinux" "8" "12-11-01" "sandbox" "SELinux Policy documentation for sandbox"
++.SH "NAME"
++sandbox_selinux \- Security Enhanced Linux Policy for the sandbox processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sandbox processes via flexible mandatory access control.
++
++The sandbox processes execute with the sandbox_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sandbox_t
++
++
++.SH "ENTRYPOINTS"
++
++The sandbox_t SELinux type can be entered via the "file_type" file type. The default entrypoint paths for the sandbox_t domain are the following:"
++
++all files on the system
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sandbox policy is very flexible allowing users to setup their sandbox processes in as secure a method as possible.
++.PP
++The following process types are defined for sandbox:
++
++.EX
++.B sandbox_x_client_t, sandbox_net_client_t, sandbox_xserver_t, sandbox_x_t, sandbox_web_client_t, sandbox_min_t, sandbox_net_t, sandbox_web_t, sandbox_min_client_t, sandbox_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. sandbox policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox with the tightest access possible.
++
++
++.PP
++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean.
++
++.EX
++.B setsebool -P unconfined_chrome_sandbox_transition 1
++.EE
++
++.PP
++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean.
++
++.EX
++.B setsebool -P unconfined_chrome_sandbox_transition 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sandbox policy is very flexible allowing users to setup their sandbox processes in as secure a method as possible.
++.PP
++The following file types are defined for sandbox:
++
++
++.EX
++.PP
++.B sandbox_devpts_t
++.EE
++
++- Set files with the sandbox_devpts_t type, if you want to treat the files as sandbox devpts data.
++
++
++.EX
++.PP
++.B sandbox_exec_t
++.EE
++
++- Set files with the sandbox_exec_t type, if you want to transition an executable to the sandbox_t domain.
++
++
++.EX
++.PP
++.B sandbox_file_t
++.EE
++
++- Set files with the sandbox_file_t type, if you want to treat the files as sandbox content.
++
++
++.EX
++.PP
++.B sandbox_min_client_tmpfs_t
++.EE
++
++- Set files with the sandbox_min_client_tmpfs_t type, if you want to store sandbox min client files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sandbox_net_client_tmpfs_t
++.EE
++
++- Set files with the sandbox_net_client_tmpfs_t type, if you want to store sandbox net client files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sandbox_web_client_tmpfs_t
++.EE
++
++- Set files with the sandbox_web_client_tmpfs_t type, if you want to store sandbox web client files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sandbox_x_client_tmpfs_t
++.EE
++
++- Set files with the sandbox_x_client_tmpfs_t type, if you want to store sandbox x client files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sandbox_xserver_tmpfs_t
++.EE
++
++- Set files with the sandbox_xserver_tmpfs_t type, if you want to store sandbox xserver files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sandbox_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B sandbox_file_t
++
++
++.br
++.B sandbox_tmpfs_type
++
++ all sandbox content in tmpfs file systems
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sandbox_min_t, sandbox_net_t, sandbox_web_client_t, sandbox_xserver_t, sandbox_web_t, sandbox_x_client_t, sandbox_x_t, sandbox_net_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sandbox_min_t, sandbox_net_t, sandbox_web_client_t, sandbox_xserver_t, sandbox_web_t, sandbox_x_client_t, sandbox_x_t, sandbox_net_client_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sandbox(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/sanlock_selinux.8 b/man/man8/sanlock_selinux.8
+new file mode 100644
+index 0000000..91bbc31
+--- /dev/null
++++ b/man/man8/sanlock_selinux.8
+@@ -0,0 +1,220 @@
++.TH "sanlock_selinux" "8" "12-11-01" "sanlock" "SELinux Policy documentation for sanlock"
++.SH "NAME"
++sanlock_selinux \- Security Enhanced Linux Policy for the sanlock processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sanlock processes via flexible mandatory access control.
++
++The sanlock processes execute with the sanlock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sanlock_t
++
++
++.SH "ENTRYPOINTS"
++
++The sanlock_t SELinux type can be entered via the "sanlock_exec_t" file type. The default entrypoint paths for the sanlock_t domain are the following:"
++
++/usr/sbin/sanlock
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sanlock policy is very flexible allowing users to setup their sanlock processes in as secure a method as possible.
++.PP
++The following process types are defined for sanlock:
++
++.EX
++.B sanlock_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. sanlock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sanlock with the tightest access possible.
++
++
++.PP
++If you want to allow sanlock to read/write fuse files, you must turn on the sanlock_use_fusefs boolean.
++
++.EX
++.B setsebool -P sanlock_use_fusefs 1
++.EE
++
++.PP
++If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean.
++
++.EX
++.B setsebool -P sanlock_use_samba 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean.
++
++.EX
++.B setsebool -P virt_use_sanlock 1
++.EE
++
++.PP
++If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean.
++
++.EX
++.B setsebool -P sanlock_use_nfs 1
++.EE
++
++.PP
++If you want to allow sanlock to read/write fuse files, you must turn on the sanlock_use_fusefs boolean.
++
++.EX
++.B setsebool -P sanlock_use_fusefs 1
++.EE
++
++.PP
++If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean.
++
++.EX
++.B setsebool -P sanlock_use_samba 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean.
++
++.EX
++.B setsebool -P virt_use_sanlock 1
++.EE
++
++.PP
++If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean.
++
++.EX
++.B setsebool -P sanlock_use_nfs 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sanlock policy is very flexible allowing users to setup their sanlock processes in as secure a method as possible.
++.PP
++The following file types are defined for sanlock:
++
++
++.EX
++.PP
++.B sanlock_exec_t
++.EE
++
++- Set files with the sanlock_exec_t type, if you want to transition an executable to the sanlock_t domain.
++
++
++.EX
++.PP
++.B sanlock_initrc_exec_t
++.EE
++
++- Set files with the sanlock_initrc_exec_t type, if you want to transition an executable to the sanlock_initrc_t domain.
++
++
++.EX
++.PP
++.B sanlock_log_t
++.EE
++
++- Set files with the sanlock_log_t type, if you want to treat the data as sanlock log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B sanlock_unit_file_t
++.EE
++
++- Set files with the sanlock_unit_file_t type, if you want to treat the files as sanlock unit content.
++
++
++.EX
++.PP
++.B sanlock_var_run_t
++.EE
++
++- Set files with the sanlock_var_run_t type, if you want to store the sanlock files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sanlock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B sanlock_log_t
++
++ /var/log/sanlock\.log.*
++.br
++
++.br
++.B sanlock_var_run_t
++
++ /var/run/sanlock(/.*)?
++.br
++
++.br
++.B virt_var_lib_t
++
++ /var/lib/oz(/.*)?
++.br
++ /var/lib/libvirt(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sanlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sanlock_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sanlock(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/saslauthd_selinux.8 b/man/man8/saslauthd_selinux.8
+new file mode 100644
+index 0000000..da990ec
+--- /dev/null
++++ b/man/man8/saslauthd_selinux.8
+@@ -0,0 +1,220 @@
++.TH "saslauthd_selinux" "8" "12-11-01" "saslauthd" "SELinux Policy documentation for saslauthd"
++.SH "NAME"
++saslauthd_selinux \- Security Enhanced Linux Policy for the saslauthd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the saslauthd processes via flexible mandatory access control.
++
++The saslauthd processes execute with the saslauthd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep saslauthd_t
++
++
++.SH "ENTRYPOINTS"
++
++The saslauthd_t SELinux type can be entered via the "saslauthd_exec_t" file type. The default entrypoint paths for the saslauthd_t domain are the following:"
++
++/usr/sbin/saslauthd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux saslauthd policy is very flexible allowing users to setup their saslauthd processes in as secure a method as possible.
++.PP
++The following process types are defined for saslauthd:
++
++.EX
++.B saslauthd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. saslauthd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run saslauthd with the tightest access possible.
++
++
++.PP
++If you want to allow sasl to read shadow, you must turn on the saslauthd_read_shadow boolean.
++
++.EX
++.B setsebool -P saslauthd_read_shadow 1
++.EE
++
++.PP
++If you want to allow sasl to read shadow, you must turn on the saslauthd_read_shadow boolean.
++
++.EX
++.B setsebool -P saslauthd_read_shadow 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux saslauthd policy is very flexible allowing users to setup their saslauthd processes in as secure a method as possible.
++.PP
++The following file types are defined for saslauthd:
++
++
++.EX
++.PP
++.B saslauthd_exec_t
++.EE
++
++- Set files with the saslauthd_exec_t type, if you want to transition an executable to the saslauthd_t domain.
++
++
++.EX
++.PP
++.B saslauthd_initrc_exec_t
++.EE
++
++- Set files with the saslauthd_initrc_exec_t type, if you want to transition an executable to the saslauthd_initrc_t domain.
++
++
++.EX
++.PP
++.B saslauthd_keytab_t
++.EE
++
++- Set files with the saslauthd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B saslauthd_var_run_t
++.EE
++
++- Set files with the saslauthd_var_run_t type, if you want to store the saslauthd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type saslauthd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B saslauthd_var_run_t
++
++ /var/lib/sasl2(/.*)?
++.br
++ /var/run/saslauthd(/.*)?
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the saslauthd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the saslauthd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), saslauthd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/sblim_gatherd_selinux.8 b/man/man8/sblim_gatherd_selinux.8
+new file mode 100644
+index 0000000..85b84c9
+--- /dev/null
++++ b/man/man8/sblim_gatherd_selinux.8
+@@ -0,0 +1,97 @@
++.TH "sblim_gatherd_selinux" "8" "12-11-01" "sblim_gatherd" "SELinux Policy documentation for sblim_gatherd"
++.SH "NAME"
++sblim_gatherd_selinux \- Security Enhanced Linux Policy for the sblim_gatherd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sblim_gatherd processes via flexible mandatory access control.
++
++The sblim_gatherd processes execute with the sblim_gatherd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sblim_gatherd_t
++
++
++.SH "ENTRYPOINTS"
++
++The sblim_gatherd_t SELinux type can be entered via the "sblim_gatherd_exec_t" file type. The default entrypoint paths for the sblim_gatherd_t domain are the following:"
++
++/usr/sbin/gatherd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sblim_gatherd policy is very flexible allowing users to setup their sblim_gatherd processes in as secure a method as possible.
++.PP
++The following process types are defined for sblim_gatherd:
++
++.EX
++.B sblim_gatherd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sblim_gatherd policy is very flexible allowing users to setup their sblim_gatherd processes in as secure a method as possible.
++.PP
++The following file types are defined for sblim_gatherd:
++
++
++.EX
++.PP
++.B sblim_gatherd_exec_t
++.EE
++
++- Set files with the sblim_gatherd_exec_t type, if you want to transition an executable to the sblim_gatherd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sblim_gatherd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B sblim_var_run_t
++
++ /var/run/gather(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sblim_gatherd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, sblim_reposd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/sblim_reposd_selinux.8 b/man/man8/sblim_reposd_selinux.8
+new file mode 100644
+index 0000000..10407e3
+--- /dev/null
++++ b/man/man8/sblim_reposd_selinux.8
+@@ -0,0 +1,97 @@
++.TH "sblim_reposd_selinux" "8" "12-11-01" "sblim_reposd" "SELinux Policy documentation for sblim_reposd"
++.SH "NAME"
++sblim_reposd_selinux \- Security Enhanced Linux Policy for the sblim_reposd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sblim_reposd processes via flexible mandatory access control.
++
++The sblim_reposd processes execute with the sblim_reposd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sblim_reposd_t
++
++
++.SH "ENTRYPOINTS"
++
++The sblim_reposd_t SELinux type can be entered via the "sblim_reposd_exec_t" file type. The default entrypoint paths for the sblim_reposd_t domain are the following:"
++
++/usr/sbin/reposd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sblim_reposd policy is very flexible allowing users to setup their sblim_reposd processes in as secure a method as possible.
++.PP
++The following process types are defined for sblim_reposd:
++
++.EX
++.B sblim_reposd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sblim_reposd policy is very flexible allowing users to setup their sblim_reposd processes in as secure a method as possible.
++.PP
++The following file types are defined for sblim_reposd:
++
++
++.EX
++.PP
++.B sblim_reposd_exec_t
++.EE
++
++- Set files with the sblim_reposd_exec_t type, if you want to transition an executable to the sblim_reposd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sblim_reposd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B sblim_var_run_t
++
++ /var/run/gather(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sblim_reposd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, sblim_gatherd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/secadm_selinux.8 b/man/man8/secadm_selinux.8
+new file mode 100644
+index 0000000..bb8258d
+--- /dev/null
++++ b/man/man8/secadm_selinux.8
+@@ -0,0 +1,332 @@
++.TH "secadm_selinux" "8" "secadm" "mgrepl@redhat.com" "secadm SELinux Policy documentation"
++.SH "NAME"
++secadm_r \- \fBSecurity administrator role\fP - Security Enhanced Linux Policy
++
++.SH DESCRIPTION
++
++SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into.
++
++.I Note:
++Examples in this man page will use the
++.B staff_u
++SELinux user.
++
++Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them.
++
++The default type for the secadm_r role is secadm_t.
++
++The
++.B newrole
++program to transition directly to this role.
++
++.B newrole -r secadm_r -t secadm_t
++
++.B sudo
++is the preferred method to do transition from one role to another. You setup sudo to transition to secadm_r by adding a similar line to the /etc/sudoers file.
++
++USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
++
++.br
++sudo will run COMMAND as staff_u:secadm_r:secadm_t:LEVEL
++
++When using a a non login role, you need to setup SELinux so that your SELinux user can reach secadm_r role.
++
++Execute the following to see all of the assigned SELinux roles:
++
++.B semanage user -l
++
++You need to add secadm_r to the staff_u user. You could setup the staff_u user to be able to use the secadm_r role with a command like:
++
++.B $ semanage user -m -R 'staff_r system_r secadm_r' staff_u
++
++
++
++SELinux policy also controls which roles can transition to a different role.
++You can list these rules using the following command.
++
++.B search --role_allow
++
++SELinux policy allows the sysadm_r, staff_r, auditadm_r roles can transition to the secadm_r role.
++
++
++.SH "MANAGED FILES"
++
++The SELinux process type secadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B boolean_type
++
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B chrome_sandbox_tmpfs_t
++
++
++.br
++.B default_context_t
++
++ /etc/selinux/([^/]*/)?contexts(/.*)?
++.br
++ /root/\.default_contexts
++.br
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B file_context_t
++
++ /etc/selinux/([^/]*/)?contexts/files(/.*)?
++.br
++
++.br
++.B games_data_t
++
++ /var/games(/.*)?
++.br
++ /var/lib/games(/.*)?
++.br
++
++.br
++.B gpg_agent_tmp_t
++
++ /home/[^/]*/\.gnupg/log-socket
++.br
++ /home/dwalsh/\.gnupg/log-socket
++.br
++ /var/lib/xguest/home/xguest/\.gnupg/log-socket
++.br
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.br
++.B mqueue_spool_t
++
++ /var/spool/(client)?mqueue(/.*)?
++.br
++ /var/spool/mqueue\.in(/.*)?
++.br
++
++.br
++.B nfsd_rw_t
++
++
++.br
++.B noxattrfs
++
++ all files on file systems which do not support extended attributes
++.br
++
++.br
++.B screen_home_t
++
++ /root/\.screen(/.*)?
++.br
++ /home/[^/]*/\.screen(/.*)?
++.br
++ /home/[^/]*/\.screenrc
++.br
++ /home/dwalsh/\.screen(/.*)?
++.br
++ /home/dwalsh/\.screenrc
++.br
++ /var/lib/xguest/home/xguest/\.screen(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.screenrc
++.br
++
++.br
++.B selinux_config_t
++
++ /etc/selinux(/.*)?
++.br
++ /etc/selinux/([^/]*/)?seusers
++.br
++ /etc/selinux/([^/]*/)?users(/.*)?
++.br
++ /etc/selinux/([^/]*/)?setrans\.conf
++.br
++
++.br
++.B selinux_login_config_t
++
++ /etc/selinux/([^/]*/)?logins(/.*)?
++.br
++
++.br
++.B semanage_store_t
++
++ /etc/selinux/([^/]*/)?policy(/.*)?
++.br
++ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
++.br
++ /etc/share/selinux/mls(/.*)?
++.br
++ /etc/share/selinux/targeted(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B usbfs_t
++
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B user_home_type
++
++ all user home files
++.br
++
++.br
++.B user_tmp_type
++
++ all user tmp files
++.br
++
++.br
++.B user_tmpfs_type
++
++ all user content in tmpfs file systems
++.br
++
++.br
++.B xdm_tmp_t
++
++ /tmp/\.X11-unix(/.*)?
++.br
++ /tmp/\.ICE-unix(/.*)?
++.br
++ /tmp/\.X0-lock
++.br
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), secadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/sectoolm_selinux.8 b/man/man8/sectoolm_selinux.8
+new file mode 100644
+index 0000000..145e360
+--- /dev/null
++++ b/man/man8/sectoolm_selinux.8
+@@ -0,0 +1,126 @@
++.TH "sectoolm_selinux" "8" "12-11-01" "sectoolm" "SELinux Policy documentation for sectoolm"
++.SH "NAME"
++sectoolm_selinux \- Security Enhanced Linux Policy for the sectoolm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sectoolm processes via flexible mandatory access control.
++
++The sectoolm processes execute with the sectoolm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sectoolm_t
++
++
++.SH "ENTRYPOINTS"
++
++The sectoolm_t SELinux type can be entered via the "sectoolm_exec_t" file type. The default entrypoint paths for the sectoolm_t domain are the following:"
++
++/usr/libexec/sectool-mechanism\.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sectoolm policy is very flexible allowing users to setup their sectoolm processes in as secure a method as possible.
++.PP
++The following process types are defined for sectoolm:
++
++.EX
++.B sectoolm_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sectoolm policy is very flexible allowing users to setup their sectoolm processes in as secure a method as possible.
++.PP
++The following file types are defined for sectoolm:
++
++
++.EX
++.PP
++.B sectoolm_exec_t
++.EE
++
++- Set files with the sectoolm_exec_t type, if you want to transition an executable to the sectoolm_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sectoolm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B sectool_tmp_t
++
++
++.br
++.B sectool_var_lib_t
++
++ /var/lib/sectool(/.*)?
++.br
++
++.br
++.B sectool_var_log_t
++
++ /var/log/sectool\.log.*
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sectoolm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sectoolm_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sectoolm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/selinux_munin_plugin_selinux.8 b/man/man8/selinux_munin_plugin_selinux.8
+new file mode 100644
+index 0000000..d4bbce9
+--- /dev/null
++++ b/man/man8/selinux_munin_plugin_selinux.8
+@@ -0,0 +1,108 @@
++.TH "selinux_munin_plugin_selinux" "8" "12-11-01" "selinux_munin_plugin" "SELinux Policy documentation for selinux_munin_plugin"
++.SH "NAME"
++selinux_munin_plugin_selinux \- Security Enhanced Linux Policy for the selinux_munin_plugin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the selinux_munin_plugin processes via flexible mandatory access control.
++
++The selinux_munin_plugin processes execute with the selinux_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep selinux_munin_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The selinux_munin_plugin_t SELinux type can be entered via the "selinux_munin_plugin_exec_t" file type. The default entrypoint paths for the selinux_munin_plugin_t domain are the following:"
++
++/usr/share/munin/plugins/selinux_avcstat
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux selinux_munin_plugin policy is very flexible allowing users to setup their selinux_munin_plugin processes in as secure a method as possible.
++.PP
++The following process types are defined for selinux_munin_plugin:
++
++.EX
++.B selinux_munin_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux selinux_munin_plugin policy is very flexible allowing users to setup their selinux_munin_plugin processes in as secure a method as possible.
++.PP
++The following file types are defined for selinux_munin_plugin:
++
++
++.EX
++.PP
++.B selinux_munin_plugin_exec_t
++.EE
++
++- Set files with the selinux_munin_plugin_exec_t type, if you want to transition an executable to the selinux_munin_plugin_t domain.
++
++
++.EX
++.PP
++.B selinux_munin_plugin_tmp_t
++.EE
++
++- Set files with the selinux_munin_plugin_tmp_t type, if you want to store selinux munin plugin temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type selinux_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B munin_plugin_state_t
++
++ /var/lib/munin/plugin-state(/.*)?
++.br
++
++.br
++.B selinux_munin_plugin_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), selinux_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/semanage_selinux.8 b/man/man8/semanage_selinux.8
+new file mode 100644
+index 0000000..d6f6031
+--- /dev/null
++++ b/man/man8/semanage_selinux.8
+@@ -0,0 +1,214 @@
++.TH "semanage_selinux" "8" "12-11-01" "semanage" "SELinux Policy documentation for semanage"
++.SH "NAME"
++semanage_selinux \- Security Enhanced Linux Policy for the semanage processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the semanage processes via flexible mandatory access control.
++
++The semanage processes execute with the semanage_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep semanage_t
++
++
++.SH "ENTRYPOINTS"
++
++The semanage_t SELinux type can be entered via the "semanage_exec_t" file type. The default entrypoint paths for the semanage_t domain are the following:"
++
++/usr/sbin/semanage, /usr/sbin/semodule, /usr/share/system-config-selinux/system-config-selinux-dbus\.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux semanage policy is very flexible allowing users to setup their semanage processes in as secure a method as possible.
++.PP
++The following process types are defined for semanage:
++
++.EX
++.B semanage_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux semanage policy is very flexible allowing users to setup their semanage processes in as secure a method as possible.
++.PP
++The following file types are defined for semanage:
++
++
++.EX
++.PP
++.B semanage_exec_t
++.EE
++
++- Set files with the semanage_exec_t type, if you want to transition an executable to the semanage_t domain.
++
++
++.EX
++.PP
++.B semanage_read_lock_t
++.EE
++
++- Set files with the semanage_read_lock_t type, if you want to treat the files as semanage read lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B semanage_store_t
++.EE
++
++- Set files with the semanage_store_t type, if you want to treat the files as semanage store data.
++
++
++.EX
++.PP
++.B semanage_tmp_t
++.EE
++
++- Set files with the semanage_tmp_t type, if you want to store semanage temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B semanage_trans_lock_t
++.EE
++
++- Set files with the semanage_trans_lock_t type, if you want to treat the files as semanage trans lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B semanage_var_lib_t
++.EE
++
++- Set files with the semanage_var_lib_t type, if you want to store the semanage files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type semanage_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B boolean_type
++
++
++.br
++.B default_context_t
++
++ /etc/selinux/([^/]*/)?contexts(/.*)?
++.br
++ /root/\.default_contexts
++.br
++
++.br
++.B file_context_t
++
++ /etc/selinux/([^/]*/)?contexts/files(/.*)?
++.br
++
++.br
++.B mock_var_lib_t
++
++ /var/lib/mock(/.*)?
++.br
++
++.br
++.B selinux_config_t
++
++ /etc/selinux(/.*)?
++.br
++ /etc/selinux/([^/]*/)?seusers
++.br
++ /etc/selinux/([^/]*/)?users(/.*)?
++.br
++ /etc/selinux/([^/]*/)?setrans\.conf
++.br
++
++.br
++.B semanage_read_lock_t
++
++ /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK
++.br
++
++.br
++.B semanage_store_t
++
++ /etc/selinux/([^/]*/)?policy(/.*)?
++.br
++ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
++.br
++ /etc/share/selinux/mls(/.*)?
++.br
++ /etc/share/selinux/targeted(/.*)?
++.br
++
++.br
++.B semanage_tmp_t
++
++
++.br
++.B semanage_trans_lock_t
++
++ /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK
++.br
++
++.br
++.B semanage_var_lib_t
++
++ /var/lib/selinux(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the semanage_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the semanage_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), semanage(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/sendmail_selinux.8 b/man/man8/sendmail_selinux.8
+new file mode 100644
+index 0000000..b44a2e8
+--- /dev/null
++++ b/man/man8/sendmail_selinux.8
+@@ -0,0 +1,290 @@
++.TH "sendmail_selinux" "8" "12-11-01" "sendmail" "SELinux Policy documentation for sendmail"
++.SH "NAME"
++sendmail_selinux \- Security Enhanced Linux Policy for the sendmail processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sendmail processes via flexible mandatory access control.
++
++The sendmail processes execute with the sendmail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sendmail_t
++
++
++.SH "ENTRYPOINTS"
++
++The sendmail_t SELinux type can be entered via the "mta_exec_type,sendmail_exec_t" file types. The default entrypoint paths for the sendmail_t domain are the following:"
++
++/bin/mail(x)?, /usr/bin/mail(x)?, /usr/sbin/sendmail(\.sendmail)?, /usr/bin/esmtp, /usr/sbin/rmail, /usr/sbin/ssmtp, /usr/lib/sendmail, /var/qmail/bin/sendmail, /usr/sbin/sendmail\.postfix, /usr/lib/courier/bin/sendmail
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sendmail policy is very flexible allowing users to setup their sendmail processes in as secure a method as possible.
++.PP
++The following process types are defined for sendmail:
++
++.EX
++.B sendmail_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. sendmail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sendmail with the tightest access possible.
++
++
++.PP
++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean.
++
++.EX
++.B setsebool -P httpd_can_sendmail 1
++.EE
++
++.PP
++If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean.
++
++.EX
++.B setsebool -P gitosis_can_sendmail 1
++.EE
++
++.PP
++If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean.
++
++.EX
++.B setsebool -P logging_syslogd_can_sendmail 1
++.EE
++
++.PP
++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean.
++
++.EX
++.B setsebool -P httpd_can_sendmail 1
++.EE
++
++.PP
++If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean.
++
++.EX
++.B setsebool -P gitosis_can_sendmail 1
++.EE
++
++.PP
++If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean.
++
++.EX
++.B setsebool -P logging_syslogd_can_sendmail 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sendmail policy is very flexible allowing users to setup their sendmail processes in as secure a method as possible.
++.PP
++The following file types are defined for sendmail:
++
++
++.EX
++.PP
++.B sendmail_exec_t
++.EE
++
++- Set files with the sendmail_exec_t type, if you want to transition an executable to the sendmail_t domain.
++
++
++.EX
++.PP
++.B sendmail_initrc_exec_t
++.EE
++
++- Set files with the sendmail_initrc_exec_t type, if you want to transition an executable to the sendmail_initrc_t domain.
++
++
++.EX
++.PP
++.B sendmail_keytab_t
++.EE
++
++- Set files with the sendmail_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B sendmail_log_t
++.EE
++
++- Set files with the sendmail_log_t type, if you want to treat the data as sendmail log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B sendmail_tmp_t
++.EE
++
++- Set files with the sendmail_tmp_t type, if you want to store sendmail temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B sendmail_var_run_t
++.EE
++
++- Set files with the sendmail_var_run_t type, if you want to store the sendmail files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sendmail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B dovecot_spool_t
++
++ /var/spool/dovecot(/.*)?
++.br
++
++.br
++.B etc_aliases_t
++
++ /etc/mail/aliases.*
++.br
++ /etc/postfix/aliases.*
++.br
++ /etc/aliases
++.br
++ /etc/aliases\.db
++.br
++
++.br
++.B exim_spool_t
++
++ /var/spool/exim[0-9]?(/.*)?
++.br
++
++.br
++.B initrc_tmp_t
++
++
++.br
++.B mail_home_rw_t
++
++ /root/Maildir(/.*)?
++.br
++ /home/[^/]*/Maildir(/.*)?
++.br
++ /home/dwalsh/Maildir(/.*)?
++.br
++ /var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.br
++.B mqueue_spool_t
++
++ /var/spool/(client)?mqueue(/.*)?
++.br
++ /var/spool/mqueue\.in(/.*)?
++.br
++
++.br
++.B procmail_tmp_t
++
++
++.br
++.B sendmail_log_t
++
++ /var/log/mail(/.*)?
++.br
++ /var/log/sendmail\.st
++.br
++
++.br
++.B sendmail_tmp_t
++
++
++.br
++.B sendmail_var_run_t
++
++ /var/run/sendmail\.pid
++.br
++ /var/run/sm-client\.pid
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sendmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sendmail_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sendmail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/sensord_selinux.8 b/man/man8/sensord_selinux.8
+new file mode 100644
+index 0000000..8969289
+--- /dev/null
++++ b/man/man8/sensord_selinux.8
+@@ -0,0 +1,112 @@
++.TH "sensord_selinux" "8" "12-11-01" "sensord" "SELinux Policy documentation for sensord"
++.SH "NAME"
++sensord_selinux \- Security Enhanced Linux Policy for the sensord processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sensord processes via flexible mandatory access control.
++
++The sensord processes execute with the sensord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sensord_t
++
++
++.SH "ENTRYPOINTS"
++
++The sensord_t SELinux type can be entered via the "sensord_exec_t" file type. The default entrypoint paths for the sensord_t domain are the following:"
++
++/usr/sbin/sensord
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sensord policy is very flexible allowing users to setup their sensord processes in as secure a method as possible.
++.PP
++The following process types are defined for sensord:
++
++.EX
++.B sensord_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sensord policy is very flexible allowing users to setup their sensord processes in as secure a method as possible.
++.PP
++The following file types are defined for sensord:
++
++
++.EX
++.PP
++.B sensord_exec_t
++.EE
++
++- Set files with the sensord_exec_t type, if you want to transition an executable to the sensord_t domain.
++
++
++.EX
++.PP
++.B sensord_unit_file_t
++.EE
++
++- Set files with the sensord_unit_file_t type, if you want to treat the files as sensord unit content.
++
++
++.EX
++.PP
++.B sensord_var_run_t
++.EE
++
++- Set files with the sensord_var_run_t type, if you want to store the sensord files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sensord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B sensord_var_run_t
++
++ /var/run/sensord\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sensord(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/services_munin_plugin_selinux.8 b/man/man8/services_munin_plugin_selinux.8
+new file mode 100644
+index 0000000..6e5c075
+--- /dev/null
++++ b/man/man8/services_munin_plugin_selinux.8
+@@ -0,0 +1,108 @@
++.TH "services_munin_plugin_selinux" "8" "12-11-01" "services_munin_plugin" "SELinux Policy documentation for services_munin_plugin"
++.SH "NAME"
++services_munin_plugin_selinux \- Security Enhanced Linux Policy for the services_munin_plugin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the services_munin_plugin processes via flexible mandatory access control.
++
++The services_munin_plugin processes execute with the services_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep services_munin_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The services_munin_plugin_t SELinux type can be entered via the "services_munin_plugin_exec_t" file type. The default entrypoint paths for the services_munin_plugin_t domain are the following:"
++
++/usr/share/munin/plugins/nut.*, /usr/share/munin/plugins/ntp_.*, /usr/share/munin/plugins/snmp_.*, /usr/share/munin/plugins/mysql_.*, /usr/share/munin/plugins/slapd_.*, /usr/share/munin/plugins/squid_.*, /usr/share/munin/plugins/apache_.*, /usr/share/munin/plugins/tomcat_.*, /usr/share/munin/plugins/varnish_.*, /usr/share/munin/plugins/asterisk_.*, /usr/share/munin/plugins/postgres_.*, /usr/share/munin/plugins/named, /usr/share/munin/plugins/ping_, /usr/share/munin/plugins/samba, /usr/share/munin/plugins/lpstat, /usr/share/munin/plugins/openvpn, /usr/share/munin/plugins/fail2ban, /usr/share/munin/plugins/http_loadtime
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux services_munin_plugin policy is very flexible allowing users to setup their services_munin_plugin processes in as secure a method as possible.
++.PP
++The following process types are defined for services_munin_plugin:
++
++.EX
++.B services_munin_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux services_munin_plugin policy is very flexible allowing users to setup their services_munin_plugin processes in as secure a method as possible.
++.PP
++The following file types are defined for services_munin_plugin:
++
++
++.EX
++.PP
++.B services_munin_plugin_exec_t
++.EE
++
++- Set files with the services_munin_plugin_exec_t type, if you want to transition an executable to the services_munin_plugin_t domain.
++
++
++.EX
++.PP
++.B services_munin_plugin_tmp_t
++.EE
++
++- Set files with the services_munin_plugin_tmp_t type, if you want to store services munin plugin temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type services_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B munin_plugin_state_t
++
++ /var/lib/munin/plugin-state(/.*)?
++.br
++
++.br
++.B services_munin_plugin_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), services_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/setfiles_selinux.8 b/man/man8/setfiles_selinux.8
+new file mode 100644
+index 0000000..19b8e3f
+--- /dev/null
++++ b/man/man8/setfiles_selinux.8
+@@ -0,0 +1,102 @@
++.TH "setfiles_selinux" "8" "12-11-01" "setfiles" "SELinux Policy documentation for setfiles"
++.SH "NAME"
++setfiles_selinux \- Security Enhanced Linux Policy for the setfiles processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the setfiles processes via flexible mandatory access control.
++
++The setfiles processes execute with the setfiles_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep setfiles_t
++
++
++.SH "ENTRYPOINTS"
++
++The setfiles_t SELinux type can be entered via the "setfiles_exec_t" file type. The default entrypoint paths for the setfiles_t domain are the following:"
++
++/sbin/setfiles.*, /usr/sbin/setfiles.*, /sbin/restorecon, /usr/sbin/restorecon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux setfiles policy is very flexible allowing users to setup their setfiles processes in as secure a method as possible.
++.PP
++The following process types are defined for setfiles:
++
++.EX
++.B setfiles_mac_t, setfiles_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux setfiles policy is very flexible allowing users to setup their setfiles processes in as secure a method as possible.
++.PP
++The following file types are defined for setfiles:
++
++
++.EX
++.PP
++.B setfiles_exec_t
++.EE
++
++- Set files with the setfiles_exec_t type, if you want to transition an executable to the setfiles_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type setfiles_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B user_home_type
++
++ all user home files
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), setfiles(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/setkey_selinux.8 b/man/man8/setkey_selinux.8
+new file mode 100644
+index 0000000..d2623ac
+--- /dev/null
++++ b/man/man8/setkey_selinux.8
+@@ -0,0 +1,86 @@
++.TH "setkey_selinux" "8" "12-11-01" "setkey" "SELinux Policy documentation for setkey"
++.SH "NAME"
++setkey_selinux \- Security Enhanced Linux Policy for the setkey processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the setkey processes via flexible mandatory access control.
++
++The setkey processes execute with the setkey_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep setkey_t
++
++
++.SH "ENTRYPOINTS"
++
++The setkey_t SELinux type can be entered via the "setkey_exec_t" file type. The default entrypoint paths for the setkey_t domain are the following:"
++
++/sbin/setkey, /usr/sbin/setkey
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux setkey policy is very flexible allowing users to setup their setkey processes in as secure a method as possible.
++.PP
++The following process types are defined for setkey:
++
++.EX
++.B setkey_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux setkey policy is very flexible allowing users to setup their setkey processes in as secure a method as possible.
++.PP
++The following file types are defined for setkey:
++
++
++.EX
++.PP
++.B setkey_exec_t
++.EE
++
++- Set files with the setkey_exec_t type, if you want to transition an executable to the setkey_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), setkey(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/setrans_selinux.8 b/man/man8/setrans_selinux.8
+new file mode 100644
+index 0000000..e0a6cbb
+--- /dev/null
++++ b/man/man8/setrans_selinux.8
+@@ -0,0 +1,120 @@
++.TH "setrans_selinux" "8" "12-11-01" "setrans" "SELinux Policy documentation for setrans"
++.SH "NAME"
++setrans_selinux \- Security Enhanced Linux Policy for the setrans processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the setrans processes via flexible mandatory access control.
++
++The setrans processes execute with the setrans_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep setrans_t
++
++
++.SH "ENTRYPOINTS"
++
++The setrans_t SELinux type can be entered via the "setrans_exec_t" file type. The default entrypoint paths for the setrans_t domain are the following:"
++
++/sbin/mcstransd, /usr/sbin/mcstransd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux setrans policy is very flexible allowing users to setup their setrans processes in as secure a method as possible.
++.PP
++The following process types are defined for setrans:
++
++.EX
++.B setrans_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux setrans policy is very flexible allowing users to setup their setrans processes in as secure a method as possible.
++.PP
++The following file types are defined for setrans:
++
++
++.EX
++.PP
++.B setrans_exec_t
++.EE
++
++- Set files with the setrans_exec_t type, if you want to transition an executable to the setrans_t domain.
++
++
++.EX
++.PP
++.B setrans_initrc_exec_t
++.EE
++
++- Set files with the setrans_initrc_exec_t type, if you want to transition an executable to the setrans_initrc_t domain.
++
++
++.EX
++.PP
++.B setrans_var_run_t
++.EE
++
++- Set files with the setrans_var_run_t type, if you want to store the setrans files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type setrans_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B setrans_var_run_t
++
++ /var/run/setrans(/.*)?
++.br
++ /var/run/mcstransd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), setrans(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/setroubleshoot_fixit_selinux.8 b/man/man8/setroubleshoot_fixit_selinux.8
+new file mode 100644
+index 0000000..a0089bb
+--- /dev/null
++++ b/man/man8/setroubleshoot_fixit_selinux.8
+@@ -0,0 +1,101 @@
++.TH "setroubleshoot_fixit_selinux" "8" "12-11-01" "setroubleshoot_fixit" "SELinux Policy documentation for setroubleshoot_fixit"
++.SH "NAME"
++setroubleshoot_fixit_selinux \- Security Enhanced Linux Policy for the setroubleshoot_fixit processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the setroubleshoot_fixit processes via flexible mandatory access control.
++
++The setroubleshoot_fixit processes execute with the setroubleshoot_fixit_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep setroubleshoot_fixit_t
++
++
++.SH "ENTRYPOINTS"
++
++The setroubleshoot_fixit_t SELinux type can be entered via the "setroubleshoot_fixit_exec_t" file type. The default entrypoint paths for the setroubleshoot_fixit_t domain are the following:"
++
++/usr/share/setroubleshoot/SetroubleshootFixit\.py*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux setroubleshoot_fixit policy is very flexible allowing users to setup their setroubleshoot_fixit processes in as secure a method as possible.
++.PP
++The following process types are defined for setroubleshoot_fixit:
++
++.EX
++.B setroubleshoot_fixit_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux setroubleshoot_fixit policy is very flexible allowing users to setup their setroubleshoot_fixit processes in as secure a method as possible.
++.PP
++The following file types are defined for setroubleshoot_fixit:
++
++
++.EX
++.PP
++.B setroubleshoot_fixit_exec_t
++.EE
++
++- Set files with the setroubleshoot_fixit_exec_t type, if you want to transition an executable to the setroubleshoot_fixit_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the setroubleshoot_fixit_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), setroubleshoot_fixit(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setroubleshootd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/setroubleshootd_selinux.8 b/man/man8/setroubleshootd_selinux.8
+new file mode 100644
+index 0000000..66279d7
+--- /dev/null
++++ b/man/man8/setroubleshootd_selinux.8
+@@ -0,0 +1,129 @@
++.TH "setroubleshootd_selinux" "8" "12-11-01" "setroubleshootd" "SELinux Policy documentation for setroubleshootd"
++.SH "NAME"
++setroubleshootd_selinux \- Security Enhanced Linux Policy for the setroubleshootd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the setroubleshootd processes via flexible mandatory access control.
++
++The setroubleshootd processes execute with the setroubleshootd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep setroubleshootd_t
++
++
++.SH "ENTRYPOINTS"
++
++The setroubleshootd_t SELinux type can be entered via the "setroubleshootd_exec_t" file type. The default entrypoint paths for the setroubleshootd_t domain are the following:"
++
++/usr/sbin/setroubleshootd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux setroubleshootd policy is very flexible allowing users to setup their setroubleshootd processes in as secure a method as possible.
++.PP
++The following process types are defined for setroubleshootd:
++
++.EX
++.B setroubleshoot_fixit_t, setroubleshootd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux setroubleshootd policy is very flexible allowing users to setup their setroubleshootd processes in as secure a method as possible.
++.PP
++The following file types are defined for setroubleshootd:
++
++
++.EX
++.PP
++.B setroubleshootd_exec_t
++.EE
++
++- Set files with the setroubleshootd_exec_t type, if you want to transition an executable to the setroubleshootd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type setroubleshootd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B setroubleshoot_var_lib_t
++
++ /var/lib/setroubleshoot(/.*)?
++.br
++
++.br
++.B setroubleshoot_var_log_t
++
++ /var/log/setroubleshoot(/.*)?
++.br
++
++.br
++.B setroubleshoot_var_run_t
++
++ /var/run/setroubleshoot(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), setroubleshootd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setroubleshoot_fixit_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/setsebool_selinux.8 b/man/man8/setsebool_selinux.8
+new file mode 100644
+index 0000000..f7ac281
+--- /dev/null
++++ b/man/man8/setsebool_selinux.8
+@@ -0,0 +1,162 @@
++.TH "setsebool_selinux" "8" "12-11-01" "setsebool" "SELinux Policy documentation for setsebool"
++.SH "NAME"
++setsebool_selinux \- Security Enhanced Linux Policy for the setsebool processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the setsebool processes via flexible mandatory access control.
++
++The setsebool processes execute with the setsebool_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep setsebool_t
++
++
++.SH "ENTRYPOINTS"
++
++The setsebool_t SELinux type can be entered via the "setsebool_exec_t" file type. The default entrypoint paths for the setsebool_t domain are the following:"
++
++/usr/sbin/setsebool
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux setsebool policy is very flexible allowing users to setup their setsebool processes in as secure a method as possible.
++.PP
++The following process types are defined for setsebool:
++
++.EX
++.B setsebool_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux setsebool policy is very flexible allowing users to setup their setsebool processes in as secure a method as possible.
++.PP
++The following file types are defined for setsebool:
++
++
++.EX
++.PP
++.B setsebool_exec_t
++.EE
++
++- Set files with the setsebool_exec_t type, if you want to transition an executable to the setsebool_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type setsebool_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B boolean_type
++
++
++.br
++.B default_context_t
++
++ /etc/selinux/([^/]*/)?contexts(/.*)?
++.br
++ /root/\.default_contexts
++.br
++
++.br
++.B file_context_t
++
++ /etc/selinux/([^/]*/)?contexts/files(/.*)?
++.br
++
++.br
++.B selinux_config_t
++
++ /etc/selinux(/.*)?
++.br
++ /etc/selinux/([^/]*/)?seusers
++.br
++ /etc/selinux/([^/]*/)?users(/.*)?
++.br
++ /etc/selinux/([^/]*/)?setrans\.conf
++.br
++
++.br
++.B semanage_read_lock_t
++
++ /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK
++.br
++
++.br
++.B semanage_store_t
++
++ /etc/selinux/([^/]*/)?policy(/.*)?
++.br
++ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
++.br
++ /etc/share/selinux/mls(/.*)?
++.br
++ /etc/share/selinux/targeted(/.*)?
++.br
++
++.br
++.B semanage_tmp_t
++
++
++.br
++.B semanage_trans_lock_t
++
++ /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setsebool_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the setsebool_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), setsebool(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/sge_execd_selinux.8 b/man/man8/sge_execd_selinux.8
+new file mode 100644
+index 0000000..169d466
+--- /dev/null
++++ b/man/man8/sge_execd_selinux.8
+@@ -0,0 +1,115 @@
++.TH "sge_execd_selinux" "8" "12-11-01" "sge_execd" "SELinux Policy documentation for sge_execd"
++.SH "NAME"
++sge_execd_selinux \- Security Enhanced Linux Policy for the sge_execd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sge_execd processes via flexible mandatory access control.
++
++The sge_execd processes execute with the sge_execd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sge_execd_t
++
++
++.SH "ENTRYPOINTS"
++
++The sge_execd_t SELinux type can be entered via the "sge_execd_exec_t" file type. The default entrypoint paths for the sge_execd_t domain are the following:"
++
++/usr/bin/sge_execd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sge_execd policy is very flexible allowing users to setup their sge_execd processes in as secure a method as possible.
++.PP
++The following process types are defined for sge_execd:
++
++.EX
++.B sge_execd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sge_execd policy is very flexible allowing users to setup their sge_execd processes in as secure a method as possible.
++.PP
++The following file types are defined for sge_execd:
++
++
++.EX
++.PP
++.B sge_execd_exec_t
++.EE
++
++- Set files with the sge_execd_exec_t type, if you want to transition an executable to the sge_execd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sge_execd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B sge_spool_t
++
++ /var/spool/gridengine(/.*)?
++.br
++
++.br
++.B sge_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sge_execd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sge_execd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sge_execd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, sge_job_selinux(8), sge_shepherd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/sge_job_selinux.8 b/man/man8/sge_job_selinux.8
+new file mode 100644
+index 0000000..e017c54
+--- /dev/null
++++ b/man/man8/sge_job_selinux.8
+@@ -0,0 +1,147 @@
++.TH "sge_job_selinux" "8" "12-11-01" "sge_job" "SELinux Policy documentation for sge_job"
++.SH "NAME"
++sge_job_selinux \- Security Enhanced Linux Policy for the sge_job processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sge_job processes via flexible mandatory access control.
++
++The sge_job processes execute with the sge_job_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sge_job_t
++
++
++.SH "ENTRYPOINTS"
++
++The sge_job_t SELinux type can be entered via the "shell_exec_t,sge_job_exec_t" file types. The default entrypoint paths for the sge_job_t domain are the following:"
++
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sge_job policy is very flexible allowing users to setup their sge_job processes in as secure a method as possible.
++.PP
++The following process types are defined for sge_job:
++
++.EX
++.B sge_job_ssh_t, sge_job_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sge_job policy is very flexible allowing users to setup their sge_job processes in as secure a method as possible.
++.PP
++The following file types are defined for sge_job:
++
++
++.EX
++.PP
++.B sge_job_exec_t
++.EE
++
++- Set files with the sge_job_exec_t type, if you want to transition an executable to the sge_job_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sge_job_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B sge_spool_t
++
++ /var/spool/gridengine(/.*)?
++.br
++
++.br
++.B sge_tmp_t
++
++
++.br
++.B ssh_home_t
++
++ /root/\.ssh(/.*)?
++.br
++ /var/lib/openshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/amanda/\.ssh(/.*)?
++.br
++ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/gitolite/\.ssh(/.*)?
++.br
++ /var/lib/nocpulse/\.ssh(/.*)?
++.br
++ /var/lib/gitolite3/\.ssh(/.*)?
++.br
++ /root/\.shosts
++.br
++ /home/[^/]*/\.ssh(/.*)?
++.br
++ /home/[^/]*/\.shosts
++.br
++ /home/dwalsh/\.ssh(/.*)?
++.br
++ /home/dwalsh/\.shosts
++.br
++ /var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.shosts
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sge_job_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sge_job_ssh_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sge_job(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, sge_execd_selinux(8), sge_shepherd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/sge_shepherd_selinux.8 b/man/man8/sge_shepherd_selinux.8
+new file mode 100644
+index 0000000..9a14e7d
+--- /dev/null
++++ b/man/man8/sge_shepherd_selinux.8
+@@ -0,0 +1,101 @@
++.TH "sge_shepherd_selinux" "8" "12-11-01" "sge_shepherd" "SELinux Policy documentation for sge_shepherd"
++.SH "NAME"
++sge_shepherd_selinux \- Security Enhanced Linux Policy for the sge_shepherd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sge_shepherd processes via flexible mandatory access control.
++
++The sge_shepherd processes execute with the sge_shepherd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sge_shepherd_t
++
++
++.SH "ENTRYPOINTS"
++
++The sge_shepherd_t SELinux type can be entered via the "sge_shepherd_exec_t" file type. The default entrypoint paths for the sge_shepherd_t domain are the following:"
++
++/usr/bin/sge_shepherd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sge_shepherd policy is very flexible allowing users to setup their sge_shepherd processes in as secure a method as possible.
++.PP
++The following process types are defined for sge_shepherd:
++
++.EX
++.B sge_shepherd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sge_shepherd policy is very flexible allowing users to setup their sge_shepherd processes in as secure a method as possible.
++.PP
++The following file types are defined for sge_shepherd:
++
++
++.EX
++.PP
++.B sge_shepherd_exec_t
++.EE
++
++- Set files with the sge_shepherd_exec_t type, if you want to transition an executable to the sge_shepherd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sge_shepherd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B sge_spool_t
++
++ /var/spool/gridengine(/.*)?
++.br
++
++.br
++.B sge_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sge_shepherd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, sge_execd_selinux(8), sge_job_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/shorewall_selinux.8 b/man/man8/shorewall_selinux.8
+new file mode 100644
+index 0000000..ef276fc
+--- /dev/null
++++ b/man/man8/shorewall_selinux.8
+@@ -0,0 +1,190 @@
++.TH "shorewall_selinux" "8" "12-11-01" "shorewall" "SELinux Policy documentation for shorewall"
++.SH "NAME"
++shorewall_selinux \- Security Enhanced Linux Policy for the shorewall processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the shorewall processes via flexible mandatory access control.
++
++The shorewall processes execute with the shorewall_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep shorewall_t
++
++
++.SH "ENTRYPOINTS"
++
++The shorewall_t SELinux type can be entered via the "shorewall_var_lib_t,shorewall_exec_t" file types. The default entrypoint paths for the shorewall_t domain are the following:"
++
++/var/lib/shorewall(/.*)?, /var/lib/shorewall6(/.*)?, /var/lib/shorewall-lite(/.*)?, /sbin/shorewall6?, /usr/sbin/shorewall6?, /sbin/shorewall-lite, /usr/sbin/shorewall-lite
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux shorewall policy is very flexible allowing users to setup their shorewall processes in as secure a method as possible.
++.PP
++The following process types are defined for shorewall:
++
++.EX
++.B shorewall_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux shorewall policy is very flexible allowing users to setup their shorewall processes in as secure a method as possible.
++.PP
++The following file types are defined for shorewall:
++
++
++.EX
++.PP
++.B shorewall_etc_t
++.EE
++
++- Set files with the shorewall_etc_t type, if you want to store shorewall files in the /etc directories.
++
++
++.EX
++.PP
++.B shorewall_exec_t
++.EE
++
++- Set files with the shorewall_exec_t type, if you want to transition an executable to the shorewall_t domain.
++
++
++.EX
++.PP
++.B shorewall_initrc_exec_t
++.EE
++
++- Set files with the shorewall_initrc_exec_t type, if you want to transition an executable to the shorewall_initrc_t domain.
++
++
++.EX
++.PP
++.B shorewall_lock_t
++.EE
++
++- Set files with the shorewall_lock_t type, if you want to treat the files as shorewall lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B shorewall_log_t
++.EE
++
++- Set files with the shorewall_log_t type, if you want to treat the data as shorewall log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B shorewall_tmp_t
++.EE
++
++- Set files with the shorewall_tmp_t type, if you want to store shorewall temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B shorewall_var_lib_t
++.EE
++
++- Set files with the shorewall_var_lib_t type, if you want to store the shorewall files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type shorewall_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B shorewall_lock_t
++
++ /var/lock/subsys/shorewall
++.br
++
++.br
++.B shorewall_log_t
++
++ /var/log/shorewall.*
++.br
++
++.br
++.B shorewall_tmp_t
++
++
++.br
++.B shorewall_var_lib_t
++
++ /var/lib/shorewall(/.*)?
++.br
++ /var/lib/shorewall6(/.*)?
++.br
++ /var/lib/shorewall-lite(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the shorewall_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the shorewall_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), shorewall(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/showmount_selinux.8 b/man/man8/showmount_selinux.8
+new file mode 100644
+index 0000000..906e450
+--- /dev/null
++++ b/man/man8/showmount_selinux.8
+@@ -0,0 +1,86 @@
++.TH "showmount_selinux" "8" "12-11-01" "showmount" "SELinux Policy documentation for showmount"
++.SH "NAME"
++showmount_selinux \- Security Enhanced Linux Policy for the showmount processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the showmount processes via flexible mandatory access control.
++
++The showmount processes execute with the showmount_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep showmount_t
++
++
++.SH "ENTRYPOINTS"
++
++The showmount_t SELinux type can be entered via the "showmount_exec_t" file type. The default entrypoint paths for the showmount_t domain are the following:"
++
++/usr/sbin/showmount
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux showmount policy is very flexible allowing users to setup their showmount processes in as secure a method as possible.
++.PP
++The following process types are defined for showmount:
++
++.EX
++.B showmount_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux showmount policy is very flexible allowing users to setup their showmount processes in as secure a method as possible.
++.PP
++The following file types are defined for showmount:
++
++
++.EX
++.PP
++.B showmount_exec_t
++.EE
++
++- Set files with the showmount_exec_t type, if you want to transition an executable to the showmount_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), showmount(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/shutdown_selinux.8 b/man/man8/shutdown_selinux.8
+new file mode 100644
+index 0000000..f54ff0c
+--- /dev/null
++++ b/man/man8/shutdown_selinux.8
+@@ -0,0 +1,180 @@
++.TH "shutdown_selinux" "8" "12-11-01" "shutdown" "SELinux Policy documentation for shutdown"
++.SH "NAME"
++shutdown_selinux \- Security Enhanced Linux Policy for the shutdown processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the shutdown processes via flexible mandatory access control.
++
++The shutdown processes execute with the shutdown_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep shutdown_t
++
++
++.SH "ENTRYPOINTS"
++
++The shutdown_t SELinux type can be entered via the "shutdown_exec_t" file type. The default entrypoint paths for the shutdown_t domain are the following:"
++
++/sbin/shutdown, /usr/sbin/shutdown, /lib/upstart/shutdown, /usr/lib/upstart/shutdown
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux shutdown policy is very flexible allowing users to setup their shutdown processes in as secure a method as possible.
++.PP
++The following process types are defined for shutdown:
++
++.EX
++.B shutdown_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. shutdown policy is extremely flexible and has several booleans that allow you to manipulate the policy and run shutdown with the tightest access possible.
++
++
++.PP
++If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean.
++
++.EX
++.B setsebool -P httpd_graceful_shutdown 1
++.EE
++
++.PP
++If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean.
++
++.EX
++.B setsebool -P httpd_graceful_shutdown 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux shutdown policy is very flexible allowing users to setup their shutdown processes in as secure a method as possible.
++.PP
++The following file types are defined for shutdown:
++
++
++.EX
++.PP
++.B shutdown_etc_t
++.EE
++
++- Set files with the shutdown_etc_t type, if you want to store shutdown files in the /etc directories.
++
++
++.EX
++.PP
++.B shutdown_exec_t
++.EE
++
++- Set files with the shutdown_exec_t type, if you want to transition an executable to the shutdown_t domain.
++
++
++.EX
++.PP
++.B shutdown_var_run_t
++.EE
++
++- Set files with the shutdown_var_run_t type, if you want to store the shutdown files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type shutdown_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B shutdown_etc_t
++
++ /etc/nologin
++.br
++
++.br
++.B shutdown_var_run_t
++
++ /var/run/shutdown\.pid
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the shutdown_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the shutdown_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), shutdown(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/slapd_selinux.8 b/man/man8/slapd_selinux.8
+new file mode 100644
+index 0000000..b4a9ee2
+--- /dev/null
++++ b/man/man8/slapd_selinux.8
+@@ -0,0 +1,274 @@
++.TH "slapd_selinux" "8" "12-11-01" "slapd" "SELinux Policy documentation for slapd"
++.SH "NAME"
++slapd_selinux \- Security Enhanced Linux Policy for the slapd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the slapd processes via flexible mandatory access control.
++
++The slapd processes execute with the slapd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep slapd_t
++
++
++.SH "ENTRYPOINTS"
++
++The slapd_t SELinux type can be entered via the "slapd_exec_t" file type. The default entrypoint paths for the slapd_t domain are the following:"
++
++/usr/sbin/slapd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux slapd policy is very flexible allowing users to setup their slapd processes in as secure a method as possible.
++.PP
++The following process types are defined for slapd:
++
++.EX
++.B slapd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux slapd policy is very flexible allowing users to setup their slapd processes in as secure a method as possible.
++.PP
++The following file types are defined for slapd:
++
++
++.EX
++.PP
++.B slapd_cert_t
++.EE
++
++- Set files with the slapd_cert_t type, if you want to treat the files as slapd certificate data.
++
++
++.EX
++.PP
++.B slapd_db_t
++.EE
++
++- Set files with the slapd_db_t type, if you want to treat the files as slapd database content.
++
++
++.EX
++.PP
++.B slapd_etc_t
++.EE
++
++- Set files with the slapd_etc_t type, if you want to store slapd files in the /etc directories.
++
++
++.EX
++.PP
++.B slapd_exec_t
++.EE
++
++- Set files with the slapd_exec_t type, if you want to transition an executable to the slapd_t domain.
++
++
++.EX
++.PP
++.B slapd_initrc_exec_t
++.EE
++
++- Set files with the slapd_initrc_exec_t type, if you want to transition an executable to the slapd_initrc_t domain.
++
++
++.EX
++.PP
++.B slapd_keytab_t
++.EE
++
++- Set files with the slapd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B slapd_lock_t
++.EE
++
++- Set files with the slapd_lock_t type, if you want to treat the files as slapd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B slapd_log_t
++.EE
++
++- Set files with the slapd_log_t type, if you want to treat the data as slapd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B slapd_replog_t
++.EE
++
++- Set files with the slapd_replog_t type, if you want to treat the files as slapd replog data.
++
++
++.EX
++.PP
++.B slapd_tmp_t
++.EE
++
++- Set files with the slapd_tmp_t type, if you want to store slapd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B slapd_tmpfs_t
++.EE
++
++- Set files with the slapd_tmpfs_t type, if you want to store slapd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B slapd_unit_file_t
++.EE
++
++- Set files with the slapd_unit_file_t type, if you want to treat the files as slapd unit content.
++
++
++.EX
++.PP
++.B slapd_var_run_t
++.EE
++
++- Set files with the slapd_var_run_t type, if you want to store the slapd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type slapd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B slapd_db_t
++
++ /var/lib/ldap(/.*)?
++.br
++ /etc/openldap/slapd\.d(/.*)?
++.br
++
++.br
++.B slapd_lock_t
++
++
++.br
++.B slapd_log_t
++
++
++.br
++.B slapd_replog_t
++
++ /var/lib/ldap/replog(/.*)?
++.br
++
++.br
++.B slapd_tmp_t
++
++
++.br
++.B slapd_tmpfs_t
++
++
++.br
++.B slapd_var_run_t
++
++ /var/run/slapd.*
++.br
++ /var/run/openldap(/.*)?
++.br
++ /var/run/ldapi
++.br
++ /var/run/slapd\.pid
++.br
++ /var/run/slapd\.args
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the slapd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the slapd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), slapd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/slpd_selinux.8 b/man/man8/slpd_selinux.8
+new file mode 100644
+index 0000000..0387935
+--- /dev/null
++++ b/man/man8/slpd_selinux.8
+@@ -0,0 +1,140 @@
++.TH "slpd_selinux" "8" "12-11-01" "slpd" "SELinux Policy documentation for slpd"
++.SH "NAME"
++slpd_selinux \- Security Enhanced Linux Policy for the slpd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the slpd processes via flexible mandatory access control.
++
++The slpd processes execute with the slpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep slpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The slpd_t SELinux type can be entered via the "slpd_exec_t" file type. The default entrypoint paths for the slpd_t domain are the following:"
++
++/usr/sbin/slpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux slpd policy is very flexible allowing users to setup their slpd processes in as secure a method as possible.
++.PP
++The following process types are defined for slpd:
++
++.EX
++.B slpd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux slpd policy is very flexible allowing users to setup their slpd processes in as secure a method as possible.
++.PP
++The following file types are defined for slpd:
++
++
++.EX
++.PP
++.B slpd_exec_t
++.EE
++
++- Set files with the slpd_exec_t type, if you want to transition an executable to the slpd_t domain.
++
++
++.EX
++.PP
++.B slpd_initrc_exec_t
++.EE
++
++- Set files with the slpd_initrc_exec_t type, if you want to transition an executable to the slpd_initrc_t domain.
++
++
++.EX
++.PP
++.B slpd_var_log_t
++.EE
++
++- Set files with the slpd_var_log_t type, if you want to treat the data as slpd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B slpd_var_run_t
++.EE
++
++- Set files with the slpd_var_run_t type, if you want to store the slpd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type slpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B slpd_var_log_t
++
++ /var/log/slpd\.log
++.br
++
++.br
++.B slpd_var_run_t
++
++ /var/run/slpd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the slpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the slpd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), slpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/smbcontrol_selinux.8 b/man/man8/smbcontrol_selinux.8
+new file mode 100644
+index 0000000..1b75541
+--- /dev/null
++++ b/man/man8/smbcontrol_selinux.8
+@@ -0,0 +1,100 @@
++.TH "smbcontrol_selinux" "8" "12-11-01" "smbcontrol" "SELinux Policy documentation for smbcontrol"
++.SH "NAME"
++smbcontrol_selinux \- Security Enhanced Linux Policy for the smbcontrol processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the smbcontrol processes via flexible mandatory access control.
++
++The smbcontrol processes execute with the smbcontrol_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep smbcontrol_t
++
++
++.SH "ENTRYPOINTS"
++
++The smbcontrol_t SELinux type can be entered via the "smbcontrol_exec_t" file type. The default entrypoint paths for the smbcontrol_t domain are the following:"
++
++/usr/bin/smbcontrol
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux smbcontrol policy is very flexible allowing users to setup their smbcontrol processes in as secure a method as possible.
++.PP
++The following process types are defined for smbcontrol:
++
++.EX
++.B smbcontrol_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux smbcontrol policy is very flexible allowing users to setup their smbcontrol processes in as secure a method as possible.
++.PP
++The following file types are defined for smbcontrol:
++
++
++.EX
++.PP
++.B smbcontrol_exec_t
++.EE
++
++- Set files with the smbcontrol_exec_t type, if you want to transition an executable to the smbcontrol_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type smbcontrol_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B samba_var_t
++
++ /var/lib/samba(/.*)?
++.br
++ /var/cache/samba(/.*)?
++.br
++ /var/spool/samba(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), smbcontrol(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/smbd_selinux.8 b/man/man8/smbd_selinux.8
+new file mode 100644
+index 0000000..9794fdc
+--- /dev/null
++++ b/man/man8/smbd_selinux.8
+@@ -0,0 +1,421 @@
++.TH "smbd_selinux" "8" "12-11-01" "smbd" "SELinux Policy documentation for smbd"
++.SH "NAME"
++smbd_selinux \- Security Enhanced Linux Policy for the smbd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the smbd processes via flexible mandatory access control.
++
++The smbd processes execute with the smbd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep smbd_t
++
++
++.SH "ENTRYPOINTS"
++
++The smbd_t SELinux type can be entered via the "smbd_exec_t" file type. The default entrypoint paths for the smbd_t domain are the following:"
++
++/usr/sbin/smbd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux smbd policy is very flexible allowing users to setup their smbd processes in as secure a method as possible.
++.PP
++The following process types are defined for smbd:
++
++.EX
++.B smbcontrol_t, smbmount_t, smbd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. smbd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run smbd with the tightest access possible.
++
++
++.PP
++If you want to allow samba to export ntfs/fusefs volumes, you must turn on the samba_share_fusefs boolean.
++
++.EX
++.B setsebool -P samba_share_fusefs 1
++.EE
++
++.PP
++If you want to allow samba to share any file/directory read only, you must turn on the samba_export_all_ro boolean.
++
++.EX
++.B setsebool -P samba_export_all_ro 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean.
++
++.EX
++.B setsebool -P virt_use_samba 1
++.EE
++
++.PP
++If you want to allow samba to create new home directories (e.g. via PAM), you must turn on the samba_create_home_dirs boolean.
++
++.EX
++.B setsebool -P samba_create_home_dirs 1
++.EE
++
++.PP
++If you want to allow samba to share users home directories, you must turn on the samba_enable_home_dirs boolean.
++
++.EX
++.B setsebool -P samba_enable_home_dirs 1
++.EE
++
++.PP
++If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean.
++
++.EX
++.B setsebool -P samba_share_nfs 1
++.EE
++
++.PP
++If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean.
++
++.EX
++.B setsebool -P sanlock_use_samba 1
++.EE
++
++.PP
++If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean.
++
++.EX
++.B setsebool -P samba_run_unconfined 1
++.EE
++
++.PP
++If you want to allow samba to act as the domain controller, add users, groups and change passwords, you must turn on the samba_domain_controller boolean.
++
++.EX
++.B setsebool -P samba_domain_controller 1
++.EE
++
++.PP
++If you want to allow samba to share any file/directory read/write, you must turn on the samba_export_all_rw boolean.
++
++.EX
++.B setsebool -P samba_export_all_rw 1
++.EE
++
++.PP
++If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean.
++
++.EX
++.B setsebool -P samba_portmapper 1
++.EE
++
++.PP
++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean.
++
++.EX
++.B setsebool -P use_samba_home_dirs 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow smbd servers to read the /var/smbd directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/smbd(/.*)?"
++.br
++.B restorecon -F -R -v /var/smbd
++.pp
++.TP
++Allow smbd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_smbdd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/smbd/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/smbd/incoming
++
++
++.PP
++If you want to allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the smbd_anon_write boolean.
++
++.EX
++.B setsebool -P smbd_anon_write 1
++.EE
++
++.PP
++If you want to allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the smbd_anon_write boolean.
++
++.EX
++.B setsebool -P smbd_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux smbd policy is very flexible allowing users to setup their smbd processes in as secure a method as possible.
++.PP
++The following file types are defined for smbd:
++
++
++.EX
++.PP
++.B smbd_exec_t
++.EE
++
++- Set files with the smbd_exec_t type, if you want to transition an executable to the smbd_t domain.
++
++
++.EX
++.PP
++.B smbd_keytab_t
++.EE
++
++- Set files with the smbd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B smbd_tmp_t
++.EE
++
++- Set files with the smbd_tmp_t type, if you want to store smbd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B smbd_var_run_t
++.EE
++
++- Set files with the smbd_var_run_t type, if you want to store the smbd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux smbd policy is very flexible allowing users to setup their smbd processes in as secure a method as possible.
++.PP
++The following port types are defined for smbd:
++
++.EX
++.TP 5
++.B smbd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 137-139,445
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type smbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B ctdbd_var_lib_t
++
++ /etc/ctdb(/.*)?
++.br
++ /var/ctdb(/.*)?
++.br
++ /var/ctdbd(/.*)?
++.br
++ /var/lib/ctdbd(/.*)?
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B nmbd_var_run_t
++
++ /var/run/nmbd(/.*)?
++.br
++ /var/run/samba/nmbd(/.*)?
++.br
++ /var/run/samba/nmbd\.pid
++.br
++ /var/run/samba/messages\.tdb
++.br
++ /var/run/samba/namelist\.debug
++.br
++ /var/run/samba/unexpected\.tdb
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B samba_etc_t
++
++ /etc/samba(/.*)?
++.br
++
++.br
++.B samba_log_t
++
++ /var/log/samba(/.*)?
++.br
++
++.br
++.B samba_secrets_t
++
++ /etc/samba/smbpasswd
++.br
++ /etc/samba/passdb\.tdb
++.br
++ /etc/samba/MACHINE\.SID
++.br
++ /etc/samba/secrets\.tdb
++.br
++
++.br
++.B samba_share_t
++
++ use this label for random content that will be shared using samba
++.br
++
++.br
++.B samba_var_t
++
++ /var/lib/samba(/.*)?
++.br
++ /var/cache/samba(/.*)?
++.br
++ /var/spool/samba(/.*)?
++.br
++
++.br
++.B smbd_tmp_t
++
++
++.br
++.B smbd_var_run_t
++
++ /var/run/samba(/.*)?
++.br
++ /var/run/samba/smbd\.pid
++.br
++ /var/run/samba/brlock\.tdb
++.br
++ /var/run/samba/locking\.tdb
++.br
++ /var/run/samba/gencache\.tdb
++.br
++ /var/run/samba/sessionid\.tdb
++.br
++ /var/run/samba/share_info\.tdb
++.br
++ /var/run/samba/connections\.tdb
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smbmount_t, smbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the smbmount_t, smbd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), smbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), smbcontrol_selinux(8), smbmount_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/smbmount_selinux.8 b/man/man8/smbmount_selinux.8
+new file mode 100644
+index 0000000..33aaac3
+--- /dev/null
++++ b/man/man8/smbmount_selinux.8
+@@ -0,0 +1,186 @@
++.TH "smbmount_selinux" "8" "12-11-01" "smbmount" "SELinux Policy documentation for smbmount"
++.SH "NAME"
++smbmount_selinux \- Security Enhanced Linux Policy for the smbmount processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the smbmount processes via flexible mandatory access control.
++
++The smbmount processes execute with the smbmount_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep smbmount_t
++
++
++.SH "ENTRYPOINTS"
++
++The smbmount_t SELinux type can be entered via the "smbmount_exec_t" file type. The default entrypoint paths for the smbmount_t domain are the following:"
++
++/usr/bin/smbmnt, /usr/bin/smbmount
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux smbmount policy is very flexible allowing users to setup their smbmount processes in as secure a method as possible.
++.PP
++The following process types are defined for smbmount:
++
++.EX
++.B smbmount_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux smbmount policy is very flexible allowing users to setup their smbmount processes in as secure a method as possible.
++.PP
++The following file types are defined for smbmount:
++
++
++.EX
++.PP
++.B smbmount_exec_t
++.EE
++
++- Set files with the smbmount_exec_t type, if you want to transition an executable to the smbmount_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type smbmount_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B samba_log_t
++
++ /var/log/samba(/.*)?
++.br
++
++.br
++.B samba_secrets_t
++
++ /etc/samba/smbpasswd
++.br
++ /etc/samba/passdb\.tdb
++.br
++ /etc/samba/MACHINE\.SID
++.br
++ /etc/samba/secrets\.tdb
++.br
++
++.br
++.B samba_var_t
++
++ /var/lib/samba(/.*)?
++.br
++ /var/cache/samba(/.*)?
++.br
++ /var/spool/samba(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smbmount_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the smbmount_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), smbmount(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/smokeping_selinux.8 b/man/man8/smokeping_selinux.8
+new file mode 100644
+index 0000000..63d78f7
+--- /dev/null
++++ b/man/man8/smokeping_selinux.8
+@@ -0,0 +1,140 @@
++.TH "smokeping_selinux" "8" "12-11-01" "smokeping" "SELinux Policy documentation for smokeping"
++.SH "NAME"
++smokeping_selinux \- Security Enhanced Linux Policy for the smokeping processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the smokeping processes via flexible mandatory access control.
++
++The smokeping processes execute with the smokeping_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep smokeping_t
++
++
++.SH "ENTRYPOINTS"
++
++The smokeping_t SELinux type can be entered via the "smokeping_exec_t" file type. The default entrypoint paths for the smokeping_t domain are the following:"
++
++/usr/sbin/smokeping
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux smokeping policy is very flexible allowing users to setup their smokeping processes in as secure a method as possible.
++.PP
++The following process types are defined for smokeping:
++
++.EX
++.B smokeping_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux smokeping policy is very flexible allowing users to setup their smokeping processes in as secure a method as possible.
++.PP
++The following file types are defined for smokeping:
++
++
++.EX
++.PP
++.B smokeping_exec_t
++.EE
++
++- Set files with the smokeping_exec_t type, if you want to transition an executable to the smokeping_t domain.
++
++
++.EX
++.PP
++.B smokeping_initrc_exec_t
++.EE
++
++- Set files with the smokeping_initrc_exec_t type, if you want to transition an executable to the smokeping_initrc_t domain.
++
++
++.EX
++.PP
++.B smokeping_var_lib_t
++.EE
++
++- Set files with the smokeping_var_lib_t type, if you want to store the smokeping files under the /var/lib directory.
++
++
++.EX
++.PP
++.B smokeping_var_run_t
++.EE
++
++- Set files with the smokeping_var_run_t type, if you want to store the smokeping files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type smokeping_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B smokeping_var_lib_t
++
++ /var/lib/smokeping(/.*)?
++.br
++
++.br
++.B smokeping_var_run_t
++
++ /var/run/smokeping(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smokeping_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the smokeping_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), smokeping(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/smoltclient_selinux.8 b/man/man8/smoltclient_selinux.8
+new file mode 100644
+index 0000000..088e814
+--- /dev/null
++++ b/man/man8/smoltclient_selinux.8
+@@ -0,0 +1,116 @@
++.TH "smoltclient_selinux" "8" "12-11-01" "smoltclient" "SELinux Policy documentation for smoltclient"
++.SH "NAME"
++smoltclient_selinux \- Security Enhanced Linux Policy for the smoltclient processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the smoltclient processes via flexible mandatory access control.
++
++The smoltclient processes execute with the smoltclient_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep smoltclient_t
++
++
++.SH "ENTRYPOINTS"
++
++The smoltclient_t SELinux type can be entered via the "smoltclient_exec_t" file type. The default entrypoint paths for the smoltclient_t domain are the following:"
++
++/usr/share/smolt/client/sendProfile.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux smoltclient policy is very flexible allowing users to setup their smoltclient processes in as secure a method as possible.
++.PP
++The following process types are defined for smoltclient:
++
++.EX
++.B smoltclient_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux smoltclient policy is very flexible allowing users to setup their smoltclient processes in as secure a method as possible.
++.PP
++The following file types are defined for smoltclient:
++
++
++.EX
++.PP
++.B smoltclient_exec_t
++.EE
++
++- Set files with the smoltclient_exec_t type, if you want to transition an executable to the smoltclient_t domain.
++
++
++.EX
++.PP
++.B smoltclient_tmp_t
++.EE
++
++- Set files with the smoltclient_tmp_t type, if you want to store smoltclient temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type smoltclient_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B smoltclient_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smoltclient_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the smoltclient_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), smoltclient(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/snmpd_selinux.8 b/man/man8/snmpd_selinux.8
+new file mode 100644
+index 0000000..2987987
+--- /dev/null
++++ b/man/man8/snmpd_selinux.8
+@@ -0,0 +1,194 @@
++.TH "snmpd_selinux" "8" "12-11-01" "snmpd" "SELinux Policy documentation for snmpd"
++.SH "NAME"
++snmpd_selinux \- Security Enhanced Linux Policy for the snmpd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the snmpd processes via flexible mandatory access control.
++
++The snmpd processes execute with the snmpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep snmpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The snmpd_t SELinux type can be entered via the "snmpd_exec_t" file type. The default entrypoint paths for the snmpd_t domain are the following:"
++
++/usr/sbin/snmp(trap)?d
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible.
++.PP
++The following process types are defined for snmpd:
++
++.EX
++.B snmpd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible.
++.PP
++The following file types are defined for snmpd:
++
++
++.EX
++.PP
++.B snmpd_exec_t
++.EE
++
++- Set files with the snmpd_exec_t type, if you want to transition an executable to the snmpd_t domain.
++
++
++.EX
++.PP
++.B snmpd_initrc_exec_t
++.EE
++
++- Set files with the snmpd_initrc_exec_t type, if you want to transition an executable to the snmpd_initrc_t domain.
++
++
++.EX
++.PP
++.B snmpd_log_t
++.EE
++
++- Set files with the snmpd_log_t type, if you want to treat the data as snmpd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B snmpd_var_lib_t
++.EE
++
++- Set files with the snmpd_var_lib_t type, if you want to store the snmpd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B snmpd_var_run_t
++.EE
++
++- Set files with the snmpd_var_run_t type, if you want to store the snmpd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible.
++.PP
++The following port types are defined for snmpd:
++
++.EX
++.TP 5
++.B snmp_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 161-162,199,1161
++.EE
++udp 161-162
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type snmpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B snmpd_log_t
++
++ /var/log/snmpd\.log.*
++.br
++
++.br
++.B snmpd_var_lib_t
++
++ /var/agentx(/.*)?
++.br
++ /var/lib/snmp(/.*)?
++.br
++ /var/net-snmp(/.*)?
++.br
++ /var/lib/net-snmp(/.*)?
++.br
++ /usr/share/snmp/mibs/\.index
++.br
++
++.br
++.B snmpd_var_run_t
++
++ /var/run/snmpd(/.*)?
++.br
++ /var/run/net-snmpd(/.*)?
++.br
++ /var/run/snmpd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the snmpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the snmpd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), snmpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/snort_selinux.8 b/man/man8/snort_selinux.8
+new file mode 100644
+index 0000000..6c1bac3
+--- /dev/null
++++ b/man/man8/snort_selinux.8
+@@ -0,0 +1,154 @@
++.TH "snort_selinux" "8" "12-11-01" "snort" "SELinux Policy documentation for snort"
++.SH "NAME"
++snort_selinux \- Security Enhanced Linux Policy for the snort processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the snort processes via flexible mandatory access control.
++
++The snort processes execute with the snort_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep snort_t
++
++
++.SH "ENTRYPOINTS"
++
++The snort_t SELinux type can be entered via the "snort_exec_t" file type. The default entrypoint paths for the snort_t domain are the following:"
++
++/usr/s?bin/snort, /usr/sbin/snort-plain
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux snort policy is very flexible allowing users to setup their snort processes in as secure a method as possible.
++.PP
++The following process types are defined for snort:
++
++.EX
++.B snort_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux snort policy is very flexible allowing users to setup their snort processes in as secure a method as possible.
++.PP
++The following file types are defined for snort:
++
++
++.EX
++.PP
++.B snort_etc_t
++.EE
++
++- Set files with the snort_etc_t type, if you want to store snort files in the /etc directories.
++
++
++.EX
++.PP
++.B snort_exec_t
++.EE
++
++- Set files with the snort_exec_t type, if you want to transition an executable to the snort_t domain.
++
++
++.EX
++.PP
++.B snort_initrc_exec_t
++.EE
++
++- Set files with the snort_initrc_exec_t type, if you want to transition an executable to the snort_initrc_t domain.
++
++
++.EX
++.PP
++.B snort_log_t
++.EE
++
++- Set files with the snort_log_t type, if you want to treat the data as snort log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B snort_tmp_t
++.EE
++
++- Set files with the snort_tmp_t type, if you want to store snort temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B snort_var_run_t
++.EE
++
++- Set files with the snort_var_run_t type, if you want to store the snort files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type snort_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B prelude_spool_t
++
++ /var/spool/prelude(/.*)?
++.br
++ /var/spool/prelude-manager(/.*)?
++.br
++
++.br
++.B snort_log_t
++
++ /var/log/snort(/.*)?
++.br
++
++.br
++.B snort_tmp_t
++
++
++.br
++.B snort_var_run_t
++
++ /var/run/snort.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), snort(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/sosreport_selinux.8 b/man/man8/sosreport_selinux.8
+new file mode 100644
+index 0000000..b4723c2
+--- /dev/null
++++ b/man/man8/sosreport_selinux.8
+@@ -0,0 +1,206 @@
++.TH "sosreport_selinux" "8" "12-11-01" "sosreport" "SELinux Policy documentation for sosreport"
++.SH "NAME"
++sosreport_selinux \- Security Enhanced Linux Policy for the sosreport processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sosreport processes via flexible mandatory access control.
++
++The sosreport processes execute with the sosreport_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sosreport_t
++
++
++.SH "ENTRYPOINTS"
++
++The sosreport_t SELinux type can be entered via the "sosreport_exec_t" file type. The default entrypoint paths for the sosreport_t domain are the following:"
++
++/usr/sbin/sosreport
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sosreport policy is very flexible allowing users to setup their sosreport processes in as secure a method as possible.
++.PP
++The following process types are defined for sosreport:
++
++.EX
++.B sosreport_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sosreport policy is very flexible allowing users to setup their sosreport processes in as secure a method as possible.
++.PP
++The following file types are defined for sosreport:
++
++
++.EX
++.PP
++.B sosreport_exec_t
++.EE
++
++- Set files with the sosreport_exec_t type, if you want to transition an executable to the sosreport_t domain.
++
++
++.EX
++.PP
++.B sosreport_tmp_t
++.EE
++
++- Set files with the sosreport_tmp_t type, if you want to store sosreport temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B sosreport_tmpfs_t
++.EE
++
++- Set files with the sosreport_tmpfs_t type, if you want to store sosreport files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sosreport_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B abrt_var_cache_t
++
++ /var/cache/abrt(/.*)?
++.br
++ /var/spool/abrt(/.*)?
++.br
++ /var/cache/abrt-di(/.*)?
++.br
++
++.br
++.B abrt_var_run_t
++
++ /var/run/abrt(/.*)?
++.br
++ /var/run/abrtd?\.lock
++.br
++ /var/run/abrtd?\.socket
++.br
++ /var/run/abrt\.pid
++.br
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B sosreport_tmp_t
++
++ /.ismount-test-file
++.br
++
++.br
++.B sosreport_tmpfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sosreport_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sosreport_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sosreport(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/soundd_selinux.8 b/man/man8/soundd_selinux.8
+new file mode 100644
+index 0000000..4f05705
+--- /dev/null
++++ b/man/man8/soundd_selinux.8
+@@ -0,0 +1,186 @@
++.TH "soundd_selinux" "8" "12-11-01" "soundd" "SELinux Policy documentation for soundd"
++.SH "NAME"
++soundd_selinux \- Security Enhanced Linux Policy for the soundd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the soundd processes via flexible mandatory access control.
++
++The soundd processes execute with the soundd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep soundd_t
++
++
++.SH "ENTRYPOINTS"
++
++The soundd_t SELinux type can be entered via the "soundd_exec_t" file type. The default entrypoint paths for the soundd_t domain are the following:"
++
++/usr/bin/nasd, /usr/sbin/yiff, /usr/bin/gpe-soundserver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux soundd policy is very flexible allowing users to setup their soundd processes in as secure a method as possible.
++.PP
++The following process types are defined for soundd:
++
++.EX
++.B soundd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux soundd policy is very flexible allowing users to setup their soundd processes in as secure a method as possible.
++.PP
++The following file types are defined for soundd:
++
++
++.EX
++.PP
++.B soundd_etc_t
++.EE
++
++- Set files with the soundd_etc_t type, if you want to store soundd files in the /etc directories.
++
++
++.EX
++.PP
++.B soundd_exec_t
++.EE
++
++- Set files with the soundd_exec_t type, if you want to transition an executable to the soundd_t domain.
++
++
++.EX
++.PP
++.B soundd_initrc_exec_t
++.EE
++
++- Set files with the soundd_initrc_exec_t type, if you want to transition an executable to the soundd_initrc_t domain.
++
++
++.EX
++.PP
++.B soundd_state_t
++.EE
++
++- Set files with the soundd_state_t type, if you want to treat the files as soundd state data.
++
++
++.EX
++.PP
++.B soundd_tmp_t
++.EE
++
++- Set files with the soundd_tmp_t type, if you want to store soundd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B soundd_tmpfs_t
++.EE
++
++- Set files with the soundd_tmpfs_t type, if you want to store soundd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B soundd_var_run_t
++.EE
++
++- Set files with the soundd_var_run_t type, if you want to store the soundd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux soundd policy is very flexible allowing users to setup their soundd processes in as secure a method as possible.
++.PP
++The following port types are defined for soundd:
++
++.EX
++.TP 5
++.B soundd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8000,9433,16001
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type soundd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B soundd_state_t
++
++ /var/state/yiff(/.*)?
++.br
++
++.br
++.B soundd_tmp_t
++
++
++.br
++.B soundd_tmpfs_t
++
++
++.br
++.B soundd_var_run_t
++
++ /var/run/nasd(/.*)?
++.br
++ /var/run/yiff-[0-9]+\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), soundd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/spamass_milter_selinux.8 b/man/man8/spamass_milter_selinux.8
+new file mode 100644
+index 0000000..8dd4096
+--- /dev/null
++++ b/man/man8/spamass_milter_selinux.8
+@@ -0,0 +1,132 @@
++.TH "spamass_milter_selinux" "8" "12-11-01" "spamass_milter" "SELinux Policy documentation for spamass_milter"
++.SH "NAME"
++spamass_milter_selinux \- Security Enhanced Linux Policy for the spamass_milter processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the spamass_milter processes via flexible mandatory access control.
++
++The spamass_milter processes execute with the spamass_milter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep spamass_milter_t
++
++
++.SH "ENTRYPOINTS"
++
++The spamass_milter_t SELinux type can be entered via the "spamass_milter_exec_t" file type. The default entrypoint paths for the spamass_milter_t domain are the following:"
++
++/usr/sbin/spamass-milter
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux spamass_milter policy is very flexible allowing users to setup their spamass_milter processes in as secure a method as possible.
++.PP
++The following process types are defined for spamass_milter:
++
++.EX
++.B spamass_milter_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux spamass_milter policy is very flexible allowing users to setup their spamass_milter processes in as secure a method as possible.
++.PP
++The following file types are defined for spamass_milter:
++
++
++.EX
++.PP
++.B spamass_milter_data_t
++.EE
++
++- Set files with the spamass_milter_data_t type, if you want to treat the files as spamass milter content.
++
++
++.EX
++.PP
++.B spamass_milter_exec_t
++.EE
++
++- Set files with the spamass_milter_exec_t type, if you want to transition an executable to the spamass_milter_t domain.
++
++
++.EX
++.PP
++.B spamass_milter_state_t
++.EE
++
++- Set files with the spamass_milter_state_t type, if you want to treat the files as spamass milter state data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type spamass_milter_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B spamass_milter_data_t
++
++ /var/run/spamass(/.*)?
++.br
++ /var/run/spamass-milter(/.*)?
++.br
++ /var/spool/postfix/spamass(/.*)?
++.br
++ /var/run/spamass-milter\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamass_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the spamass_milter_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), spamass_milter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/spamc_selinux.8 b/man/man8/spamc_selinux.8
+new file mode 100644
+index 0000000..ee04299
+--- /dev/null
++++ b/man/man8/spamc_selinux.8
+@@ -0,0 +1,172 @@
++.TH "spamc_selinux" "8" "12-11-01" "spamc" "SELinux Policy documentation for spamc"
++.SH "NAME"
++spamc_selinux \- Security Enhanced Linux Policy for the spamc processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the spamc processes via flexible mandatory access control.
++
++The spamc processes execute with the spamc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep spamc_t
++
++
++.SH "ENTRYPOINTS"
++
++The spamc_t SELinux type can be entered via the "spamc_exec_t" file type. The default entrypoint paths for the spamc_t domain are the following:"
++
++/usr/bin/razor.*, /usr/bin/spamc, /usr/bin/pyzor, /usr/bin/sa-learn, /usr/bin/spamassassin
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux spamc policy is very flexible allowing users to setup their spamc processes in as secure a method as possible.
++.PP
++The following process types are defined for spamc:
++
++.EX
++.B spamc_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux spamc policy is very flexible allowing users to setup their spamc processes in as secure a method as possible.
++.PP
++The following file types are defined for spamc:
++
++
++.EX
++.PP
++.B spamc_exec_t
++.EE
++
++- Set files with the spamc_exec_t type, if you want to transition an executable to the spamc_t domain.
++
++
++.EX
++.PP
++.B spamc_home_t
++.EE
++
++- Set files with the spamc_home_t type, if you want to store spamc files in the users home directory.
++
++
++.EX
++.PP
++.B spamc_tmp_t
++.EE
++
++- Set files with the spamc_tmp_t type, if you want to store spamc temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type spamc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B amavis_spool_t
++
++ /var/spool/amavisd(/.*)?
++.br
++
++.br
++.B spamass_milter_state_t
++
++ /var/lib/spamass-milter(/.*)?
++.br
++
++.br
++.B spamc_home_t
++
++ /root/\.pyzor(/.*)?
++.br
++ /root/\.spamd(/.*)?
++.br
++ /root/\.razor(/.*)?
++.br
++ /root/\.spamassassin(/.*)?
++.br
++ /home/[^/]*/\.pyzor(/.*)?
++.br
++ /home/[^/]*/\.spamd(/.*)?
++.br
++ /home/[^/]*/\.razor(/.*)?
++.br
++ /home/[^/]*/\.spamassassin(/.*)?
++.br
++ /home/dwalsh/\.pyzor(/.*)?
++.br
++ /home/dwalsh/\.spamd(/.*)?
++.br
++ /home/dwalsh/\.razor(/.*)?
++.br
++ /home/dwalsh/\.spamassassin(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.pyzor(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.spamd(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.razor(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.spamassassin(/.*)?
++.br
++
++.br
++.B spamc_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the spamc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), spamc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/spamd_selinux.8 b/man/man8/spamd_selinux.8
+new file mode 100644
+index 0000000..11a86c5
+--- /dev/null
++++ b/man/man8/spamd_selinux.8
+@@ -0,0 +1,378 @@
++.TH "spamd_selinux" "8" "12-11-01" "spamd" "SELinux Policy documentation for spamd"
++.SH "NAME"
++spamd_selinux \- Security Enhanced Linux Policy for the spamd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the spamd processes via flexible mandatory access control.
++
++The spamd processes execute with the spamd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep spamd_t
++
++
++.SH "ENTRYPOINTS"
++
++The spamd_t SELinux type can be entered via the "spamd_exec_t" file type. The default entrypoint paths for the spamd_t domain are the following:"
++
++/usr/bin/spamd, /usr/sbin/spamd, /usr/bin/pyzord, /usr/sbin/spampd, /usr/bin/mimedefang, /usr/bin/mimedefang-multiplexor
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux spamd policy is very flexible allowing users to setup their spamd processes in as secure a method as possible.
++.PP
++The following process types are defined for spamd:
++
++.EX
++.B spamc_t, spamd_t, spamd_update_t, spamass_milter_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. spamd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run spamd with the tightest access possible.
++
++
++.PP
++If you want to allow user spamassassin clients to use the network, you must turn on the spamassassin_can_network boolean.
++
++.EX
++.B setsebool -P spamassassin_can_network 1
++.EE
++
++.PP
++If you want to allow spamd to read/write user home directories, you must turn on the spamd_enable_home_dirs boolean.
++
++.EX
++.B setsebool -P spamd_enable_home_dirs 1
++.EE
++
++.PP
++If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean.
++
++.EX
++.B setsebool -P httpd_can_check_spam 1
++.EE
++
++.PP
++If you want to allow user spamassassin clients to use the network, you must turn on the spamassassin_can_network boolean.
++
++.EX
++.B setsebool -P spamassassin_can_network 1
++.EE
++
++.PP
++If you want to allow spamd to read/write user home directories, you must turn on the spamd_enable_home_dirs boolean.
++
++.EX
++.B setsebool -P spamd_enable_home_dirs 1
++.EE
++
++.PP
++If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean.
++
++.EX
++.B setsebool -P httpd_can_check_spam 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux spamd policy is very flexible allowing users to setup their spamd processes in as secure a method as possible.
++.PP
++The following file types are defined for spamd:
++
++
++.EX
++.PP
++.B spamd_compiled_t
++.EE
++
++- Set files with the spamd_compiled_t type, if you want to treat the files as spamd compiled data.
++
++
++.EX
++.PP
++.B spamd_etc_t
++.EE
++
++- Set files with the spamd_etc_t type, if you want to store spamd files in the /etc directories.
++
++
++.EX
++.PP
++.B spamd_exec_t
++.EE
++
++- Set files with the spamd_exec_t type, if you want to transition an executable to the spamd_t domain.
++
++
++.EX
++.PP
++.B spamd_initrc_exec_t
++.EE
++
++- Set files with the spamd_initrc_exec_t type, if you want to transition an executable to the spamd_initrc_t domain.
++
++
++.EX
++.PP
++.B spamd_log_t
++.EE
++
++- Set files with the spamd_log_t type, if you want to treat the data as spamd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B spamd_spool_t
++.EE
++
++- Set files with the spamd_spool_t type, if you want to store the spamd files under the /var/spool directory.
++
++
++.EX
++.PP
++.B spamd_tmp_t
++.EE
++
++- Set files with the spamd_tmp_t type, if you want to store spamd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B spamd_update_exec_t
++.EE
++
++- Set files with the spamd_update_exec_t type, if you want to transition an executable to the spamd_update_t domain.
++
++
++.EX
++.PP
++.B spamd_var_lib_t
++.EE
++
++- Set files with the spamd_var_lib_t type, if you want to store the spamd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B spamd_var_run_t
++.EE
++
++- Set files with the spamd_var_run_t type, if you want to store the spamd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux spamd policy is very flexible allowing users to setup their spamd processes in as secure a method as possible.
++.PP
++The following port types are defined for spamd:
++
++.EX
++.TP 5
++.B spamd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 783,10026,10027
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type spamd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B amavis_var_lib_t
++
++ /var/amavis(/.*)?
++.br
++ /var/lib/amavis(/.*)?
++.br
++
++.br
++.B exim_spool_t
++
++ /var/spool/exim[0-9]?(/.*)?
++.br
++
++.br
++.B spamass_milter_state_t
++
++ /var/lib/spamass-milter(/.*)?
++.br
++
++.br
++.B spamc_home_t
++
++ /root/\.pyzor(/.*)?
++.br
++ /root/\.spamd(/.*)?
++.br
++ /root/\.razor(/.*)?
++.br
++ /root/\.spamassassin(/.*)?
++.br
++ /home/[^/]*/\.pyzor(/.*)?
++.br
++ /home/[^/]*/\.spamd(/.*)?
++.br
++ /home/[^/]*/\.razor(/.*)?
++.br
++ /home/[^/]*/\.spamassassin(/.*)?
++.br
++ /home/dwalsh/\.pyzor(/.*)?
++.br
++ /home/dwalsh/\.spamd(/.*)?
++.br
++ /home/dwalsh/\.razor(/.*)?
++.br
++ /home/dwalsh/\.spamassassin(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.pyzor(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.spamd(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.razor(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.spamassassin(/.*)?
++.br
++
++.br
++.B spamd_compiled_t
++
++ /var/lib/spamassassin/compiled(/.*)?
++.br
++
++.br
++.B spamd_etc_t
++
++ /etc/pyzor(/.*)?
++.br
++ /etc/razor(/.*)?
++.br
++
++.br
++.B spamd_log_t
++
++ /var/log/spamd\.log.*
++.br
++ /var/log/pyzord\.log.*
++.br
++ /var/log/razor-agent\.log.*
++.br
++ /var/log/mimedefang
++.br
++
++.br
++.B spamd_spool_t
++
++ /var/spool/spamd(/.*)?
++.br
++ /var/spool/spampd(/.*)?
++.br
++ /var/spool/spamassassin(/.*)?
++.br
++
++.br
++.B spamd_tmp_t
++
++
++.br
++.B spamd_var_lib_t
++
++ /var/lib/razor(/.*)?
++.br
++ /var/lib/pyzord(/.*)?
++.br
++ /var/lib/spamassassin(/.*)?
++.br
++
++.br
++.B spamd_var_run_t
++
++ /var/run/spamassassin(/.*)?
++.br
++ /var/spool/MIMEDefang(/.*)?
++.br
++ /var/spool/MD-Quarantine(/.*)?
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamc_t, spamd_update_t, spamd_t, spamass_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the spamc_t, spamd_update_t, spamd_t, spamass_milter_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), spamd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), spamass_milter_selinux(8), spamc_selinux(8), spamd_update_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/spamd_update_selinux.8 b/man/man8/spamd_update_selinux.8
+new file mode 100644
+index 0000000..099d75a
+--- /dev/null
++++ b/man/man8/spamd_update_selinux.8
+@@ -0,0 +1,119 @@
++.TH "spamd_update_selinux" "8" "12-11-01" "spamd_update" "SELinux Policy documentation for spamd_update"
++.SH "NAME"
++spamd_update_selinux \- Security Enhanced Linux Policy for the spamd_update processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the spamd_update processes via flexible mandatory access control.
++
++The spamd_update processes execute with the spamd_update_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep spamd_update_t
++
++
++.SH "ENTRYPOINTS"
++
++The spamd_update_t SELinux type can be entered via the "spamd_update_exec_t" file type. The default entrypoint paths for the spamd_update_t domain are the following:"
++
++/usr/bin/sa-update
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux spamd_update policy is very flexible allowing users to setup their spamd_update processes in as secure a method as possible.
++.PP
++The following process types are defined for spamd_update:
++
++.EX
++.B spamd_update_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux spamd_update policy is very flexible allowing users to setup their spamd_update processes in as secure a method as possible.
++.PP
++The following file types are defined for spamd_update:
++
++
++.EX
++.PP
++.B spamd_update_exec_t
++.EE
++
++- Set files with the spamd_update_exec_t type, if you want to transition an executable to the spamd_update_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type spamd_update_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B spamd_tmp_t
++
++
++.br
++.B spamd_var_lib_t
++
++ /var/lib/razor(/.*)?
++.br
++ /var/lib/pyzord(/.*)?
++.br
++ /var/lib/spamassassin(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamd_update_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the spamd_update_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), spamd_update(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, spamd_selinux(8), spamd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/squid_cron_selinux.8 b/man/man8/squid_cron_selinux.8
+new file mode 100644
+index 0000000..cf792c9
+--- /dev/null
++++ b/man/man8/squid_cron_selinux.8
+@@ -0,0 +1,103 @@
++.TH "squid_cron_selinux" "8" "12-11-01" "squid_cron" "SELinux Policy documentation for squid_cron"
++.SH "NAME"
++squid_cron_selinux \- Security Enhanced Linux Policy for the squid_cron processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the squid_cron processes via flexible mandatory access control.
++
++The squid_cron processes execute with the squid_cron_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep squid_cron_t
++
++
++.SH "ENTRYPOINTS"
++
++The squid_cron_t SELinux type can be entered via the "squid_cron_exec_t" file type. The default entrypoint paths for the squid_cron_t domain are the following:"
++
++/usr/sbin/lightparser.pl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux squid_cron policy is very flexible allowing users to setup their squid_cron processes in as secure a method as possible.
++.PP
++The following process types are defined for squid_cron:
++
++.EX
++.B squid_cron_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux squid_cron policy is very flexible allowing users to setup their squid_cron processes in as secure a method as possible.
++.PP
++The following file types are defined for squid_cron:
++
++
++.EX
++.PP
++.B squid_cron_exec_t
++.EE
++
++- Set files with the squid_cron_exec_t type, if you want to transition an executable to the squid_cron_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type squid_cron_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B squid_cache_t
++
++ /var/squidGuard(/.*)?
++.br
++ /var/lightsquid(/.*)?
++.br
++ /var/cache/squid(/.*)?
++.br
++ /var/spool/squid(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), squid_cron(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, squid_selinux(8), squid_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/squid_selinux.8 b/man/man8/squid_selinux.8
+new file mode 100644
+index 0000000..be4c9e5
+--- /dev/null
++++ b/man/man8/squid_selinux.8
+@@ -0,0 +1,316 @@
++.TH "squid_selinux" "8" "12-11-01" "squid" "SELinux Policy documentation for squid"
++.SH "NAME"
++squid_selinux \- Security Enhanced Linux Policy for the squid processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the squid processes via flexible mandatory access control.
++
++The squid processes execute with the squid_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep squid_t
++
++
++.SH "ENTRYPOINTS"
++
++The squid_t SELinux type can be entered via the "squid_exec_t" file type. The default entrypoint paths for the squid_t domain are the following:"
++
++/usr/sbin/squid
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux squid policy is very flexible allowing users to setup their squid processes in as secure a method as possible.
++.PP
++The following process types are defined for squid:
++
++.EX
++.B squid_t, squid_cron_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. squid policy is extremely flexible and has several booleans that allow you to manipulate the policy and run squid with the tightest access possible.
++
++
++.PP
++If you want to allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the squid_connect_any boolean.
++
++.EX
++.B setsebool -P squid_connect_any 1
++.EE
++
++.PP
++If you want to allow squid to run as a transparent proxy (TPROXY), you must turn on the squid_use_tproxy boolean.
++
++.EX
++.B setsebool -P squid_use_tproxy 1
++.EE
++
++.PP
++If you want to allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the squid_connect_any boolean.
++
++.EX
++.B setsebool -P squid_connect_any 1
++.EE
++
++.PP
++If you want to allow squid to run as a transparent proxy (TPROXY), you must turn on the squid_use_tproxy boolean.
++
++.EX
++.B setsebool -P squid_use_tproxy 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux squid policy is very flexible allowing users to setup their squid processes in as secure a method as possible.
++.PP
++The following file types are defined for squid:
++
++
++.EX
++.PP
++.B squid_cache_t
++.EE
++
++- Set files with the squid_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B squid_conf_t
++.EE
++
++- Set files with the squid_conf_t type, if you want to treat the files as squid configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B squid_cron_exec_t
++.EE
++
++- Set files with the squid_cron_exec_t type, if you want to transition an executable to the squid_cron_t domain.
++
++
++.EX
++.PP
++.B squid_exec_t
++.EE
++
++- Set files with the squid_exec_t type, if you want to transition an executable to the squid_t domain.
++
++
++.EX
++.PP
++.B squid_initrc_exec_t
++.EE
++
++- Set files with the squid_initrc_exec_t type, if you want to transition an executable to the squid_initrc_t domain.
++
++
++.EX
++.PP
++.B squid_log_t
++.EE
++
++- Set files with the squid_log_t type, if you want to treat the data as squid log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B squid_tmp_t
++.EE
++
++- Set files with the squid_tmp_t type, if you want to store squid temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B squid_tmpfs_t
++.EE
++
++- Set files with the squid_tmpfs_t type, if you want to store squid files on a tmpfs file system.
++
++
++.EX
++.PP
++.B squid_var_run_t
++.EE
++
++- Set files with the squid_var_run_t type, if you want to store the squid files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux squid policy is very flexible allowing users to setup their squid processes in as secure a method as possible.
++.PP
++The following port types are defined for squid:
++
++.EX
++.TP 5
++.B squid_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 3128,3401,4827
++.EE
++udp 3401,4827
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type squid_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B squid_cache_t
++
++ /var/squidGuard(/.*)?
++.br
++ /var/lightsquid(/.*)?
++.br
++ /var/cache/squid(/.*)?
++.br
++ /var/spool/squid(/.*)?
++.br
++
++.br
++.B squid_log_t
++
++ /var/log/squid(/.*)?
++.br
++ /var/log/squidGuard(/.*)?
++.br
++
++.br
++.B squid_tmp_t
++
++
++.br
++.B squid_tmpfs_t
++
++
++.br
++.B squid_var_run_t
++
++ /var/run/squid\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the squid_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the squid_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), squid(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), squid_cron_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/srvsvcd_selinux.8 b/man/man8/srvsvcd_selinux.8
+new file mode 100644
+index 0000000..4699f35
+--- /dev/null
++++ b/man/man8/srvsvcd_selinux.8
+@@ -0,0 +1,124 @@
++.TH "srvsvcd_selinux" "8" "12-11-01" "srvsvcd" "SELinux Policy documentation for srvsvcd"
++.SH "NAME"
++srvsvcd_selinux \- Security Enhanced Linux Policy for the srvsvcd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the srvsvcd processes via flexible mandatory access control.
++
++The srvsvcd processes execute with the srvsvcd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep srvsvcd_t
++
++
++.SH "ENTRYPOINTS"
++
++The srvsvcd_t SELinux type can be entered via the "srvsvcd_exec_t" file type. The default entrypoint paths for the srvsvcd_t domain are the following:"
++
++/usr/sbin/srvsvcd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux srvsvcd policy is very flexible allowing users to setup their srvsvcd processes in as secure a method as possible.
++.PP
++The following process types are defined for srvsvcd:
++
++.EX
++.B srvsvcd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux srvsvcd policy is very flexible allowing users to setup their srvsvcd processes in as secure a method as possible.
++.PP
++The following file types are defined for srvsvcd:
++
++
++.EX
++.PP
++.B srvsvcd_exec_t
++.EE
++
++- Set files with the srvsvcd_exec_t type, if you want to transition an executable to the srvsvcd_t domain.
++
++
++.EX
++.PP
++.B srvsvcd_var_lib_t
++.EE
++
++- Set files with the srvsvcd_var_lib_t type, if you want to store the srvsvcd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B srvsvcd_var_run_t
++.EE
++
++- Set files with the srvsvcd_var_run_t type, if you want to store the srvsvcd files under the /run directory.
++
++
++.EX
++.PP
++.B srvsvcd_var_socket_t
++.EE
++
++- Set files with the srvsvcd_var_socket_t type, if you want to treat the files as srvsvcd var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type srvsvcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B srvsvcd_var_lib_t
++
++
++.br
++.B srvsvcd_var_run_t
++
++ /var/run/srvsvcd.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), srvsvcd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ssh_keygen_selinux.8 b/man/man8/ssh_keygen_selinux.8
+new file mode 100644
+index 0000000..33a275f
+--- /dev/null
++++ b/man/man8/ssh_keygen_selinux.8
+@@ -0,0 +1,155 @@
++.TH "ssh_keygen_selinux" "8" "12-11-01" "ssh_keygen" "SELinux Policy documentation for ssh_keygen"
++.SH "NAME"
++ssh_keygen_selinux \- Security Enhanced Linux Policy for the ssh_keygen processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ssh_keygen processes via flexible mandatory access control.
++
++The ssh_keygen processes execute with the ssh_keygen_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ssh_keygen_t
++
++
++.SH "ENTRYPOINTS"
++
++The ssh_keygen_t SELinux type can be entered via the "ssh_keygen_exec_t" file type. The default entrypoint paths for the ssh_keygen_t domain are the following:"
++
++/usr/bin/ssh-keygen
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ssh_keygen policy is very flexible allowing users to setup their ssh_keygen processes in as secure a method as possible.
++.PP
++The following process types are defined for ssh_keygen:
++
++.EX
++.B ssh_keygen_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ssh_keygen policy is very flexible allowing users to setup their ssh_keygen processes in as secure a method as possible.
++.PP
++The following file types are defined for ssh_keygen:
++
++
++.EX
++.PP
++.B ssh_keygen_exec_t
++.EE
++
++- Set files with the ssh_keygen_exec_t type, if you want to transition an executable to the ssh_keygen_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type ssh_keygen_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ssh_home_t
++
++ /root/\.ssh(/.*)?
++.br
++ /var/lib/openshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/amanda/\.ssh(/.*)?
++.br
++ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/gitolite/\.ssh(/.*)?
++.br
++ /var/lib/nocpulse/\.ssh(/.*)?
++.br
++ /var/lib/gitolite3/\.ssh(/.*)?
++.br
++ /root/\.shosts
++.br
++ /home/[^/]*/\.ssh(/.*)?
++.br
++ /home/[^/]*/\.shosts
++.br
++ /home/dwalsh/\.ssh(/.*)?
++.br
++ /home/dwalsh/\.shosts
++.br
++ /var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.shosts
++.br
++
++.br
++.B sshd_key_t
++
++ /etc/ssh/ssh_host_key.pub
++.br
++ /etc/ssh/ssh_host_dsa_key.pub
++.br
++ /etc/ssh/ssh_host_rsa_key.pub
++.br
++ /etc/ssh/primes
++.br
++ /etc/ssh/ssh_host_key
++.br
++ /etc/ssh/ssh_host_dsa_key
++.br
++ /etc/ssh/ssh_host_rsa_key
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ssh_keygen_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ssh_keygen(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, ssh_selinux(8), ssh_selinux(8), ssh_keysign_selinux(8), sshd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/ssh_keysign_selinux.8 b/man/man8/ssh_keysign_selinux.8
+new file mode 100644
+index 0000000..1a657dc
+--- /dev/null
++++ b/man/man8/ssh_keysign_selinux.8
+@@ -0,0 +1,108 @@
++.TH "ssh_keysign_selinux" "8" "12-11-01" "ssh_keysign" "SELinux Policy documentation for ssh_keysign"
++.SH "NAME"
++ssh_keysign_selinux \- Security Enhanced Linux Policy for the ssh_keysign processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ssh_keysign processes via flexible mandatory access control.
++
++The ssh_keysign processes execute with the ssh_keysign_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ssh_keysign_t
++
++
++.SH "ENTRYPOINTS"
++
++The ssh_keysign_t SELinux type can be entered via the "ssh_keysign_exec_t" file type. The default entrypoint paths for the ssh_keysign_t domain are the following:"
++
++/usr/libexec/openssh/ssh-keysign
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ssh_keysign policy is very flexible allowing users to setup their ssh_keysign processes in as secure a method as possible.
++.PP
++The following process types are defined for ssh_keysign:
++
++.EX
++.B ssh_keysign_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. ssh_keysign policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ssh_keysign with the tightest access possible.
++
++
++.PP
++If you want to allow host key based authentication, you must turn on the ssh_keysign boolean.
++
++.EX
++.B setsebool -P ssh_keysign 1
++.EE
++
++.PP
++If you want to allow host key based authentication, you must turn on the ssh_keysign boolean.
++
++.EX
++.B setsebool -P ssh_keysign 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ssh_keysign policy is very flexible allowing users to setup their ssh_keysign processes in as secure a method as possible.
++.PP
++The following file types are defined for ssh_keysign:
++
++
++.EX
++.PP
++.B ssh_keysign_exec_t
++.EE
++
++- Set files with the ssh_keysign_exec_t type, if you want to transition an executable to the ssh_keysign_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ssh_keysign(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), ssh_selinux(8), ssh_selinux(8), ssh_keygen_selinux(8), sshd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/ssh_selinux.8 b/man/man8/ssh_selinux.8
+new file mode 100644
+index 0000000..4f02c5d
+--- /dev/null
++++ b/man/man8/ssh_selinux.8
+@@ -0,0 +1,400 @@
++.TH "ssh_selinux" "8" "12-11-01" "ssh" "SELinux Policy documentation for ssh"
++.SH "NAME"
++ssh_selinux \- Security Enhanced Linux Policy for the ssh processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ssh processes via flexible mandatory access control.
++
++The ssh processes execute with the ssh_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ssh_t
++
++
++.SH "ENTRYPOINTS"
++
++The ssh_t SELinux type can be entered via the "ssh_exec_t" file type. The default entrypoint paths for the ssh_t domain are the following:"
++
++/usr/bin/ssh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ssh policy is very flexible allowing users to setup their ssh processes in as secure a method as possible.
++.PP
++The following process types are defined for ssh:
++
++.EX
++.B sshd_sandbox_t, ssh_keysign_t, ssh_keygen_t, ssh_t, sshd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. ssh policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ssh with the tightest access possible.
++
++
++.PP
++If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean.
++
++.EX
++.B setsebool -P selinuxuser_use_ssh_chroot 1
++.EE
++
++.PP
++If you want to allow host key based authentication, you must turn on the ssh_keysign boolean.
++
++.EX
++.B setsebool -P ssh_keysign 1
++.EE
++
++.PP
++If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean.
++
++.EX
++.B setsebool -P ssh_chroot_rw_homedirs 1
++.EE
++
++.PP
++If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
++
++.EX
++.B setsebool -P fenced_can_ssh 1
++.EE
++
++.PP
++If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
++
++.EX
++.B setsebool -P sftpd_write_ssh_home 1
++.EE
++
++.PP
++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean.
++
++.EX
++.B setsebool -P ssh_sysadm_login 1
++.EE
++
++.PP
++If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean.
++
++.EX
++.B setsebool -P selinuxuser_use_ssh_chroot 1
++.EE
++
++.PP
++If you want to allow host key based authentication, you must turn on the ssh_keysign boolean.
++
++.EX
++.B setsebool -P ssh_keysign 1
++.EE
++
++.PP
++If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean.
++
++.EX
++.B setsebool -P ssh_chroot_rw_homedirs 1
++.EE
++
++.PP
++If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
++
++.EX
++.B setsebool -P fenced_can_ssh 1
++.EE
++
++.PP
++If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
++
++.EX
++.B setsebool -P sftpd_write_ssh_home 1
++.EE
++
++.PP
++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean.
++
++.EX
++.B setsebool -P ssh_sysadm_login 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ssh policy is very flexible allowing users to setup their ssh processes in as secure a method as possible.
++.PP
++The following file types are defined for ssh:
++
++
++.EX
++.PP
++.B ssh_agent_exec_t
++.EE
++
++- Set files with the ssh_agent_exec_t type, if you want to transition an executable to the ssh_agent_t domain.
++
++
++.EX
++.PP
++.B ssh_agent_tmp_t
++.EE
++
++- Set files with the ssh_agent_tmp_t type, if you want to store ssh agent temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ssh_exec_t
++.EE
++
++- Set files with the ssh_exec_t type, if you want to transition an executable to the ssh_t domain.
++
++
++.EX
++.PP
++.B ssh_home_t
++.EE
++
++- Set files with the ssh_home_t type, if you want to store ssh files in the users home directory.
++
++
++.EX
++.PP
++.B ssh_keygen_exec_t
++.EE
++
++- Set files with the ssh_keygen_exec_t type, if you want to transition an executable to the ssh_keygen_t domain.
++
++
++.EX
++.PP
++.B ssh_keysign_exec_t
++.EE
++
++- Set files with the ssh_keysign_exec_t type, if you want to transition an executable to the ssh_keysign_t domain.
++
++
++.EX
++.PP
++.B ssh_tmpfs_t
++.EE
++
++- Set files with the ssh_tmpfs_t type, if you want to store ssh files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sshd_exec_t
++.EE
++
++- Set files with the sshd_exec_t type, if you want to transition an executable to the sshd_t domain.
++
++
++.EX
++.PP
++.B sshd_initrc_exec_t
++.EE
++
++- Set files with the sshd_initrc_exec_t type, if you want to transition an executable to the sshd_initrc_t domain.
++
++
++.EX
++.PP
++.B sshd_key_t
++.EE
++
++- Set files with the sshd_key_t type, if you want to treat the files as sshd key data.
++
++
++.EX
++.PP
++.B sshd_keytab_t
++.EE
++
++- Set files with the sshd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B sshd_tmpfs_t
++.EE
++
++- Set files with the sshd_tmpfs_t type, if you want to store sshd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sshd_var_run_t
++.EE
++
++- Set files with the sshd_var_run_t type, if you want to store the sshd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux ssh policy is very flexible allowing users to setup their ssh processes in as secure a method as possible.
++.PP
++The following port types are defined for ssh:
++
++.EX
++.TP 5
++.B ssh_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 22
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type ssh_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ssh_home_t
++
++ /root/\.ssh(/.*)?
++.br
++ /var/lib/openshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/amanda/\.ssh(/.*)?
++.br
++ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/gitolite/\.ssh(/.*)?
++.br
++ /var/lib/nocpulse/\.ssh(/.*)?
++.br
++ /var/lib/gitolite3/\.ssh(/.*)?
++.br
++ /root/\.shosts
++.br
++ /home/[^/]*/\.ssh(/.*)?
++.br
++ /home/[^/]*/\.shosts
++.br
++ /home/dwalsh/\.ssh(/.*)?
++.br
++ /home/dwalsh/\.shosts
++.br
++ /var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.shosts
++.br
++
++.br
++.B ssh_tmpfs_t
++
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.br
++.B user_tmp_type
++
++ all user tmp files
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), ssh_keygen_selinux(8), ssh_keysign_selinux(8), sshd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/sshd_selinux.8 b/man/man8/sshd_selinux.8
+new file mode 100644
+index 0000000..887086e
+--- /dev/null
++++ b/man/man8/sshd_selinux.8
+@@ -0,0 +1,508 @@
++.TH "sshd_selinux" "8" "12-11-01" "sshd" "SELinux Policy documentation for sshd"
++.SH "NAME"
++sshd_selinux \- Security Enhanced Linux Policy for the sshd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sshd processes via flexible mandatory access control.
++
++The sshd processes execute with the sshd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sshd_t
++
++
++.SH "ENTRYPOINTS"
++
++The sshd_t SELinux type can be entered via the "sshd_exec_t" file type. The default entrypoint paths for the sshd_t domain are the following:"
++
++/usr/sbin/sshd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible.
++.PP
++The following process types are defined for sshd:
++
++.EX
++.B sshd_sandbox_t, ssh_keysign_t, ssh_keygen_t, ssh_t, sshd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. sshd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sshd with the tightest access possible.
++
++
++.PP
++If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean.
++
++.EX
++.B setsebool -P selinuxuser_use_ssh_chroot 1
++.EE
++
++.PP
++If you want to allow host key based authentication, you must turn on the ssh_keysign boolean.
++
++.EX
++.B setsebool -P ssh_keysign 1
++.EE
++
++.PP
++If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean.
++
++.EX
++.B setsebool -P ssh_chroot_rw_homedirs 1
++.EE
++
++.PP
++If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
++
++.EX
++.B setsebool -P fenced_can_ssh 1
++.EE
++
++.PP
++If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
++
++.EX
++.B setsebool -P sftpd_write_ssh_home 1
++.EE
++
++.PP
++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean.
++
++.EX
++.B setsebool -P ssh_sysadm_login 1
++.EE
++
++.PP
++If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean.
++
++.EX
++.B setsebool -P selinuxuser_use_ssh_chroot 1
++.EE
++
++.PP
++If you want to allow host key based authentication, you must turn on the ssh_keysign boolean.
++
++.EX
++.B setsebool -P ssh_keysign 1
++.EE
++
++.PP
++If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean.
++
++.EX
++.B setsebool -P ssh_chroot_rw_homedirs 1
++.EE
++
++.PP
++If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
++
++.EX
++.B setsebool -P fenced_can_ssh 1
++.EE
++
++.PP
++If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
++
++.EX
++.B setsebool -P sftpd_write_ssh_home 1
++.EE
++
++.PP
++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean.
++
++.EX
++.B setsebool -P ssh_sysadm_login 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible.
++.PP
++The following file types are defined for sshd:
++
++
++.EX
++.PP
++.B sshd_exec_t
++.EE
++
++- Set files with the sshd_exec_t type, if you want to transition an executable to the sshd_t domain.
++
++
++.EX
++.PP
++.B sshd_initrc_exec_t
++.EE
++
++- Set files with the sshd_initrc_exec_t type, if you want to transition an executable to the sshd_initrc_t domain.
++
++
++.EX
++.PP
++.B sshd_key_t
++.EE
++
++- Set files with the sshd_key_t type, if you want to treat the files as sshd key data.
++
++
++.EX
++.PP
++.B sshd_keytab_t
++.EE
++
++- Set files with the sshd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B sshd_tmpfs_t
++.EE
++
++- Set files with the sshd_tmpfs_t type, if you want to store sshd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sshd_var_run_t
++.EE
++
++- Set files with the sshd_var_run_t type, if you want to store the sshd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible.
++.PP
++The following port types are defined for sshd:
++
++.EX
++.TP 5
++.B ssh_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 22
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type sshd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B auth_home_t
++
++ /root/\.google_authenticator
++.br
++ /root/\.google_authenticator~
++.br
++ /home/[^/]*/\.google_authenticator
++.br
++ /home/[^/]*/\.google_authenticator~
++.br
++ /home/dwalsh/\.google_authenticator
++.br
++ /home/dwalsh/\.google_authenticator~
++.br
++ /var/lib/xguest/home/xguest/\.google_authenticator
++.br
++ /var/lib/xguest/home/xguest/\.google_authenticator~
++.br
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B condor_var_lib_t
++
++ /var/lib/condor(/.*)?
++.br
++ /var/lib/condor/spool(/.*)?
++.br
++ /var/lib/condor/execute(/.*)?
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B gitosis_var_lib_t
++
++ /var/lib/gitosis(/.*)?
++.br
++ /var/lib/gitolite(3)?(/.*)?
++.br
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B openshift_tmp_t
++
++ /var/lib/openshift/.*/\.tmp(/.*)?
++.br
++ /var/lib/openshift/.*/\.sandbox(/.*)?
++.br
++ /var/lib/stickshift/.*/\.tmp(/.*)?
++.br
++ /var/lib/stickshift/.*/\.sandbox(/.*)?
++.br
++
++.br
++.B pam_var_run_t
++
++ /var/(db|lib|adm)/sudo(/.*)?
++.br
++ /var/run/sudo(/.*)?
++.br
++ /var/run/sepermit(/.*)?
++.br
++ /var/run/pam_mount(/.*)?
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B ssh_home_t
++
++ /root/\.ssh(/.*)?
++.br
++ /var/lib/openshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/amanda/\.ssh(/.*)?
++.br
++ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/gitolite/\.ssh(/.*)?
++.br
++ /var/lib/nocpulse/\.ssh(/.*)?
++.br
++ /var/lib/gitolite3/\.ssh(/.*)?
++.br
++ /root/\.shosts
++.br
++ /home/[^/]*/\.ssh(/.*)?
++.br
++ /home/[^/]*/\.shosts
++.br
++ /home/dwalsh/\.ssh(/.*)?
++.br
++ /home/dwalsh/\.shosts
++.br
++ /var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.shosts
++.br
++
++.br
++.B sshd_tmpfs_t
++
++
++.br
++.B sshd_var_run_t
++
++ /var/run/sshd\.pid
++.br
++ /var/run/sshd\.init\.pid
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.br
++.B user_tmp_type
++
++ all user tmp files
++.br
++
++.br
++.B var_auth_t
++
++ /var/ace(/.*)?
++.br
++ /var/rsa(/.*)?
++.br
++ /var/lib/abl(/.*)?
++.br
++ /var/lib/rsa(/.*)?
++.br
++ /var/lib/pam_ssh(/.*)?
++.br
++ /var/run/pam_ssh(/.*)?
++.br
++ /var/lib/pam_shield(/.*)?
++.br
++ /var/lib/google-authenticator(/.*)?
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sshd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), ssh_selinux(8), ssh_selinux(8), ssh_keygen_selinux(8), ssh_keysign_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/sssd_selinux.8 b/man/man8/sssd_selinux.8
+new file mode 100644
+index 0000000..29b2b6f
+--- /dev/null
++++ b/man/man8/sssd_selinux.8
+@@ -0,0 +1,260 @@
++.TH "sssd_selinux" "8" "12-11-01" "sssd" "SELinux Policy documentation for sssd"
++.SH "NAME"
++sssd_selinux \- Security Enhanced Linux Policy for the sssd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sssd processes via flexible mandatory access control.
++
++The sssd processes execute with the sssd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sssd_t
++
++
++.SH "ENTRYPOINTS"
++
++The sssd_t SELinux type can be entered via the "sssd_exec_t" file type. The default entrypoint paths for the sssd_t domain are the following:"
++
++/usr/sbin/sssd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sssd policy is very flexible allowing users to setup their sssd processes in as secure a method as possible.
++.PP
++The following process types are defined for sssd:
++
++.EX
++.B sssd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sssd policy is very flexible allowing users to setup their sssd processes in as secure a method as possible.
++.PP
++The following file types are defined for sssd:
++
++
++.EX
++.PP
++.B sssd_conf_t
++.EE
++
++- Set files with the sssd_conf_t type, if you want to treat the files as sssd configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B sssd_exec_t
++.EE
++
++- Set files with the sssd_exec_t type, if you want to transition an executable to the sssd_t domain.
++
++
++.EX
++.PP
++.B sssd_initrc_exec_t
++.EE
++
++- Set files with the sssd_initrc_exec_t type, if you want to transition an executable to the sssd_initrc_t domain.
++
++
++.EX
++.PP
++.B sssd_public_t
++.EE
++
++- Set files with the sssd_public_t type, if you want to treat the files as sssd public data.
++
++
++.EX
++.PP
++.B sssd_unit_file_t
++.EE
++
++- Set files with the sssd_unit_file_t type, if you want to treat the files as sssd unit content.
++
++
++.EX
++.PP
++.B sssd_var_lib_t
++.EE
++
++- Set files with the sssd_var_lib_t type, if you want to store the sssd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B sssd_var_log_t
++.EE
++
++- Set files with the sssd_var_log_t type, if you want to treat the data as sssd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B sssd_var_run_t
++.EE
++
++- Set files with the sssd_var_run_t type, if you want to store the sssd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sssd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B selinux_login_config_t
++
++ /etc/selinux/([^/]*/)?logins(/.*)?
++.br
++
++.br
++.B sssd_public_t
++
++ /var/lib/sss/mc(/.*)?
++.br
++ /var/lib/sss/pubconf(/.*)?
++.br
++
++.br
++.B sssd_var_lib_t
++
++ /var/lib/sss(/.*)?
++.br
++
++.br
++.B sssd_var_log_t
++
++ /var/log/sssd(/.*)?
++.br
++
++.br
++.B sssd_var_run_t
++
++ /var/run/sssd.pid
++.br
++
++.br
++.B user_tmp_type
++
++ all user tmp files
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sssd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sssd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/staff_selinux.8 b/man/man8/staff_selinux.8
+new file mode 100644
+index 0000000..44df6b6
+--- /dev/null
++++ b/man/man8/staff_selinux.8
+@@ -0,0 +1,583 @@
++.TH "staff_selinux" "8" "staff" "mgrepl@redhat.com" "staff SELinux Policy documentation"
++.SH "NAME"
++staff_u \- \fBAdministrator's unprivileged user\fP - Security Enhanced Linux Policy
++
++.SH DESCRIPTION
++
++\fBstaff_u\fP is an SELinux User defined in the SELinux
++policy. SELinux users have default roles, \fBstaff_r\fP. The
++default role has a default type, \fBstaff_t\fP, associated with it.
++
++The SELinux user will usually login to a system with a context that looks like:
++
++.B staff_u:staff_r:staff_t:s0-s0:c0.c1023
++
++Linux users are automatically assigned an SELinux users at login.
++Login programs use the SELinux User to assign initial context to the user's shell.
++
++SELinux policy uses the context to control the user's access.
++
++By default all users are assigned to the SELinux user via the \fB__default__\fP flag
++
++On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
++
++You can list all Linux User to SELinux user mapping using:
++
++.B semanage login -l
++
++If you wanted to change the default user mapping to use the staff_u user, you would execute:
++
++.B semanage login -m -s staff_u __default__
++
++
++If you want to map the one Linux user (joe) to the SELinux user staff, you would execute:
++
++.B $ semanage login -a -s staff_u joe
++
++
++.SH USER DESCRIPTION
++
++The SELinux user staff_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
++
++.SH SUDO
++
++The SELinux user staff can execute sudo.
++
++You can set up sudo to allow staff to transition to an administrative domain:
++
++Add one or more of the following record to sudoers using visudo.
++
++
++USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL
++
++You might also need to add one or more of these new roles to your SELinux user record.
++
++List the SELinux roles your SELinux user can reach by executing:
++
++.B $ semanage user -l |grep selinux_name
++
++Modify the roles list and add staff_r to this list.
++
++.B $ semanage user -m -R 'staff_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u
++
++For more details you can see semanage man page.
++
++
++USERNAME ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:dbadm_r:dbadm_t:LEVEL
++
++You might also need to add one or more of these new roles to your SELinux user record.
++
++List the SELinux roles your SELinux user can reach by executing:
++
++.B $ semanage user -l |grep selinux_name
++
++Modify the roles list and add staff_r to this list.
++
++.B $ semanage user -m -R 'staff_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u
++
++For more details you can see semanage man page.
++
++
++USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL
++
++You might also need to add one or more of these new roles to your SELinux user record.
++
++List the SELinux roles your SELinux user can reach by executing:
++
++.B $ semanage user -l |grep selinux_name
++
++Modify the roles list and add staff_r to this list.
++
++.B $ semanage user -m -R 'staff_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u
++
++For more details you can see semanage man page.
++
++
++USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:secadm_r:secadm_t:LEVEL
++
++You might also need to add one or more of these new roles to your SELinux user record.
++
++List the SELinux roles your SELinux user can reach by executing:
++
++.B $ semanage user -l |grep selinux_name
++
++Modify the roles list and add staff_r to this list.
++
++.B $ semanage user -m -R 'staff_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u
++
++For more details you can see semanage man page.
++
++
++USERNAME ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:sysadm_r:sysadm_t:LEVEL
++
++You might also need to add one or more of these new roles to your SELinux user record.
++
++List the SELinux roles your SELinux user can reach by executing:
++
++.B $ semanage user -l |grep selinux_name
++
++Modify the roles list and add staff_r to this list.
++
++.B $ semanage user -m -R 'staff_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u
++
++For more details you can see semanage man page.
++
++
++USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
++.br
++sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL
++
++You might also need to add one or more of these new roles to your SELinux user record.
++
++List the SELinux roles your SELinux user can reach by executing:
++
++.B $ semanage user -l |grep selinux_name
++
++Modify the roles list and add staff_r to this list.
++
++.B $ semanage user -m -R 'staff_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u
++
++For more details you can see semanage man page.
++
++
++USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL
++
++You might also need to add one or more of these new roles to your SELinux user record.
++
++List the SELinux roles your SELinux user can reach by executing:
++
++.B $ semanage user -l |grep selinux_name
++
++Modify the roles list and add staff_r to this list.
++
++.B $ semanage user -m -R 'staff_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u
++
++For more details you can see semanage man page.
++
++
++The SELinux type staff_t is not allowed to execute sudo.
++
++.SH X WINDOWS LOGIN
++
++The SELinux user staff_u is able to X Windows login.
++
++.SH NETWORK
++
++.TP
++The SELinux user staff_u is able to listen on the following tcp ports.
++
++.B xserver_port_t: 6000-6020
++
++.TP
++The SELinux user staff_u is able to connect to the following tcp ports.
++
++.B all ports
++
++.TP
++The SELinux user staff_u is able to listen on the following udp ports.
++
++.B ephemeral_port_t: 32768-61000
++
++.B all ports with out defined types
++
++.TP
++The SELinux user staff_u is able to connect to the following tcp ports.
++
++.B all ports
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. staff policy is extremely flexible and has several booleans that allow you to manipulate the policy and run staff with the tightest access possible.
++
++
++.PP
++If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean.
++
++.EX
++.B setsebool -P staff_use_svirt 1
++.EE
++
++.PP
++If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean.
++
++.EX
++.B setsebool -P staff_use_svirt 1
++.EE
++
++.SH HOME_EXEC
++
++The SELinux user staff_u is able execute home content files.
++
++.SH TRANSITIONS
++
++Three things can happen when staff_t attempts to execute a program.
++
++\fB1.\fP SELinux Policy can deny staff_t from executing the program.
++
++.TP
++
++\fB2.\fP SELinux Policy can allow staff_t to execute the program in the current user type.
++
++Execute the following to see the types that the SELinux user staff_t can execute without transitioning:
++
++.B search -A -s staff_t -c file -p execute_no_trans
++
++.TP
++
++\fB3.\fP SELinux can allow staff_t to execute the program and transition to a new type.
++
++Execute the following to see the types that the SELinux user staff_t can execute and transition:
++
++.B $ search -A -s staff_t -c process -p transition
++
++
++.SH "MANAGED FILES"
++
++The SELinux process type staff_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B bluetooth_helper_tmp_t
++
++
++.br
++.B bluetooth_helper_tmpfs_t
++
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B chrome_sandbox_tmpfs_t
++
++
++.br
++.B games_data_t
++
++ /var/games(/.*)?
++.br
++ /var/lib/games(/.*)?
++.br
++
++.br
++.B gpg_agent_tmp_t
++
++ /home/[^/]*/\.gnupg/log-socket
++.br
++ /home/dwalsh/\.gnupg/log-socket
++.br
++ /var/lib/xguest/home/xguest/\.gnupg/log-socket
++.br
++
++.br
++.B httpd_user_content_t
++
++ /home/[^/]*/((www)|(web)|(public_html))(/.+)?
++.br
++ /home/dwalsh/((www)|(web)|(public_html))(/.+)?
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)?
++.br
++
++.br
++.B httpd_user_htaccess_t
++
++ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++
++.br
++.B httpd_user_ra_content_t
++
++ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++
++.br
++.B httpd_user_rw_content_t
++
++
++.br
++.B httpd_user_script_exec_t
++
++ /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++ /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++
++.br
++.B iceauth_home_t
++
++ /root/\.DCOP.*
++.br
++ /root/\.ICEauthority.*
++.br
++ /home/[^/]*/\.DCOP.*
++.br
++ /home/[^/]*/\.ICEauthority.*
++.br
++ /home/dwalsh/\.DCOP.*
++.br
++ /home/dwalsh/\.ICEauthority.*
++.br
++ /var/lib/xguest/home/xguest/\.DCOP.*
++.br
++ /var/lib/xguest/home/xguest/\.ICEauthority.*
++.br
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.br
++.B mqueue_spool_t
++
++ /var/spool/(client)?mqueue(/.*)?
++.br
++ /var/spool/mqueue\.in(/.*)?
++.br
++
++.br
++.B nfsd_rw_t
++
++
++.br
++.B noxattrfs
++
++ all files on file systems which do not support extended attributes
++.br
++
++.br
++.B sandbox_file_t
++
++
++.br
++.B sandbox_tmpfs_type
++
++ all sandbox content in tmpfs file systems
++.br
++
++.br
++.B screen_home_t
++
++ /root/\.screen(/.*)?
++.br
++ /home/[^/]*/\.screen(/.*)?
++.br
++ /home/[^/]*/\.screenrc
++.br
++ /home/dwalsh/\.screen(/.*)?
++.br
++ /home/dwalsh/\.screenrc
++.br
++ /var/lib/xguest/home/xguest/\.screen(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.screenrc
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B usbfs_t
++
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B user_fonts_t
++
++ /root/\.fonts(/.*)?
++.br
++ /tmp/\.font-unix(/.*)?
++.br
++ /home/[^/]*/\.fonts(/.*)?
++.br
++ /home/dwalsh/\.fonts(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts(/.*)?
++.br
++
++.br
++.B user_home_type
++
++ all user home files
++.br
++
++.br
++.B user_tmp_type
++
++ all user tmp files
++.br
++
++.br
++.B user_tmpfs_type
++
++ all user content in tmpfs file systems
++.br
++
++.br
++.B virt_image_type
++
++ all virtual image files
++.br
++
++.br
++.B xauth_home_t
++
++ /root/\.xauth.*
++.br
++ /root/\.Xauth.*
++.br
++ /root/\.serverauth.*
++.br
++ /root/\.Xauthority.*
++.br
++ /var/lib/pqsql/\.xauth.*
++.br
++ /var/lib/pqsql/\.Xauthority.*
++.br
++ /var/lib/nxserver/home/\.xauth.*
++.br
++ /var/lib/nxserver/home/\.Xauthority.*
++.br
++ /home/[^/]*/\.xauth.*
++.br
++ /home/[^/]*/\.Xauth.*
++.br
++ /home/[^/]*/\.serverauth.*
++.br
++ /home/[^/]*/\.Xauthority.*
++.br
++ /home/dwalsh/\.xauth.*
++.br
++ /home/dwalsh/\.Xauth.*
++.br
++ /home/dwalsh/\.serverauth.*
++.br
++ /home/dwalsh/\.Xauthority.*
++.br
++ /var/lib/xguest/home/xguest/\.xauth.*
++.br
++ /var/lib/xguest/home/xguest/\.Xauth.*
++.br
++ /var/lib/xguest/home/xguest/\.serverauth.*
++.br
++ /var/lib/xguest/home/xguest/\.Xauthority.*
++.br
++
++.br
++.B xdm_tmp_t
++
++ /tmp/\.X11-unix(/.*)?
++.br
++ /tmp/\.ICE-unix(/.*)?
++.br
++ /tmp/\.X0-lock
++.br
++
++.br
++.B xserver_tmpfs_t
++
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), staff(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/stapserver_selinux.8 b/man/man8/stapserver_selinux.8
+new file mode 100644
+index 0000000..1d7061b
+--- /dev/null
++++ b/man/man8/stapserver_selinux.8
+@@ -0,0 +1,146 @@
++.TH "stapserver_selinux" "8" "12-11-01" "stapserver" "SELinux Policy documentation for stapserver"
++.SH "NAME"
++stapserver_selinux \- Security Enhanced Linux Policy for the stapserver processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the stapserver processes via flexible mandatory access control.
++
++The stapserver processes execute with the stapserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep stapserver_t
++
++
++.SH "ENTRYPOINTS"
++
++The stapserver_t SELinux type can be entered via the "stapserver_exec_t" file type. The default entrypoint paths for the stapserver_t domain are the following:"
++
++/usr/bin/stap-server
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux stapserver policy is very flexible allowing users to setup their stapserver processes in as secure a method as possible.
++.PP
++The following process types are defined for stapserver:
++
++.EX
++.B stapserver_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux stapserver policy is very flexible allowing users to setup their stapserver processes in as secure a method as possible.
++.PP
++The following file types are defined for stapserver:
++
++
++.EX
++.PP
++.B stapserver_exec_t
++.EE
++
++- Set files with the stapserver_exec_t type, if you want to transition an executable to the stapserver_t domain.
++
++
++.EX
++.PP
++.B stapserver_log_t
++.EE
++
++- Set files with the stapserver_log_t type, if you want to treat the data as stapserver log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B stapserver_var_lib_t
++.EE
++
++- Set files with the stapserver_var_lib_t type, if you want to store the stapserver files under the /var/lib directory.
++
++
++.EX
++.PP
++.B stapserver_var_run_t
++.EE
++
++- Set files with the stapserver_var_run_t type, if you want to store the stapserver files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type stapserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B stapserver_log_t
++
++ /var/log/stap-server(/.*)?
++.br
++
++.br
++.B stapserver_var_lib_t
++
++ /var/lib/stap-server(/.*)?
++.br
++
++.br
++.B stapserver_var_run_t
++
++ /var/run/stap-server(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the stapserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the stapserver_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), stapserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/stunnel_selinux.8 b/man/man8/stunnel_selinux.8
+new file mode 100644
+index 0000000..feb8ccd
+--- /dev/null
++++ b/man/man8/stunnel_selinux.8
+@@ -0,0 +1,160 @@
++.TH "stunnel_selinux" "8" "12-11-01" "stunnel" "SELinux Policy documentation for stunnel"
++.SH "NAME"
++stunnel_selinux \- Security Enhanced Linux Policy for the stunnel processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the stunnel processes via flexible mandatory access control.
++
++The stunnel processes execute with the stunnel_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep stunnel_t
++
++
++.SH "ENTRYPOINTS"
++
++The stunnel_t SELinux type can be entered via the "stunnel_exec_t" file type. The default entrypoint paths for the stunnel_t domain are the following:"
++
++/usr/bin/stunnel, /usr/sbin/stunnel
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux stunnel policy is very flexible allowing users to setup their stunnel processes in as secure a method as possible.
++.PP
++The following process types are defined for stunnel:
++
++.EX
++.B stunnel_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux stunnel policy is very flexible allowing users to setup their stunnel processes in as secure a method as possible.
++.PP
++The following file types are defined for stunnel:
++
++
++.EX
++.PP
++.B stunnel_etc_t
++.EE
++
++- Set files with the stunnel_etc_t type, if you want to store stunnel files in the /etc directories.
++
++
++.EX
++.PP
++.B stunnel_exec_t
++.EE
++
++- Set files with the stunnel_exec_t type, if you want to transition an executable to the stunnel_t domain.
++
++
++.EX
++.PP
++.B stunnel_tmp_t
++.EE
++
++- Set files with the stunnel_tmp_t type, if you want to store stunnel temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B stunnel_var_run_t
++.EE
++
++- Set files with the stunnel_var_run_t type, if you want to store the stunnel files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux stunnel policy is very flexible allowing users to setup their stunnel processes in as secure a method as possible.
++.PP
++The following port types are defined for stunnel:
++
++.EX
++.TP 5
++.B stunnel_port_t
++.TP 10
++.EE
++
++.SH "MANAGED FILES"
++
++The SELinux process type stunnel_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B stunnel_tmp_t
++
++
++.br
++.B stunnel_var_run_t
++
++ /var/run/stunnel(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the stunnel_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the stunnel_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), stunnel(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/sulogin_selinux.8 b/man/man8/sulogin_selinux.8
+new file mode 100644
+index 0000000..debe287
+--- /dev/null
++++ b/man/man8/sulogin_selinux.8
+@@ -0,0 +1,110 @@
++.TH "sulogin_selinux" "8" "12-11-01" "sulogin" "SELinux Policy documentation for sulogin"
++.SH "NAME"
++sulogin_selinux \- Security Enhanced Linux Policy for the sulogin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sulogin processes via flexible mandatory access control.
++
++The sulogin processes execute with the sulogin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sulogin_t
++
++
++.SH "ENTRYPOINTS"
++
++The sulogin_t SELinux type can be entered via the "sulogin_exec_t" file type. The default entrypoint paths for the sulogin_t domain are the following:"
++
++/sbin/sulogin, /sbin/sushell, /usr/sbin/sulogin, /usr/sbin/sushell
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sulogin policy is very flexible allowing users to setup their sulogin processes in as secure a method as possible.
++.PP
++The following process types are defined for sulogin:
++
++.EX
++.B sulogin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sulogin policy is very flexible allowing users to setup their sulogin processes in as secure a method as possible.
++.PP
++The following file types are defined for sulogin:
++
++
++.EX
++.PP
++.B sulogin_exec_t
++.EE
++
++- Set files with the sulogin_exec_t type, if you want to transition an executable to the sulogin_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sulogin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sulogin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sulogin_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sulogin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/svc_multilog_selinux.8 b/man/man8/svc_multilog_selinux.8
+new file mode 100644
+index 0000000..723cd0c
+--- /dev/null
++++ b/man/man8/svc_multilog_selinux.8
+@@ -0,0 +1,155 @@
++.TH "svc_multilog_selinux" "8" "12-11-01" "svc_multilog" "SELinux Policy documentation for svc_multilog"
++.SH "NAME"
++svc_multilog_selinux \- Security Enhanced Linux Policy for the svc_multilog processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the svc_multilog processes via flexible mandatory access control.
++
++The svc_multilog processes execute with the svc_multilog_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep svc_multilog_t
++
++
++.SH "ENTRYPOINTS"
++
++The svc_multilog_t SELinux type can be entered via the "svc_multilog_exec_t" file type. The default entrypoint paths for the svc_multilog_t domain are the following:"
++
++/usr/bin/multilog
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux svc_multilog policy is very flexible allowing users to setup their svc_multilog processes in as secure a method as possible.
++.PP
++The following process types are defined for svc_multilog:
++
++.EX
++.B svc_multilog_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux svc_multilog policy is very flexible allowing users to setup their svc_multilog processes in as secure a method as possible.
++.PP
++The following file types are defined for svc_multilog:
++
++
++.EX
++.PP
++.B svc_multilog_exec_t
++.EE
++
++- Set files with the svc_multilog_exec_t type, if you want to transition an executable to the svc_multilog_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type svc_multilog_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B svc_svc_t
++
++ /service/.*
++.br
++ /var/axfrdns(/.*)?
++.br
++ /var/tinydns(/.*)?
++.br
++ /var/service/.*
++.br
++ /var/dnscache(/.*)?
++.br
++ /var/qmail/supervise(/.*)?
++.br
++ /service
++.br
++
++.br
++.B var_log_t
++
++ /var/log/.*
++.br
++ /nsr/logs(/.*)?
++.br
++ /var/webmin(/.*)?
++.br
++ /var/log/cron[^/]*
++.br
++ /var/log/secure[^/]*
++.br
++ /opt/zimbra/log(/.*)?
++.br
++ /var/log/maillog[^/]*
++.br
++ /var/log/spooler[^/]*
++.br
++ /var/log/messages[^/]*
++.br
++ /usr/centreon/log(/.*)?
++.br
++ /var/spool/rsyslog(/.*)?
++.br
++ /var/axfrdns/log/main(/.*)?
++.br
++ /var/spool/bacula/log(/.*)?
++.br
++ /var/tinydns/log/main(/.*)?
++.br
++ /var/dnscache/log/main(/.*)?
++.br
++ /var/stockmaniac/templates_cache(/.*)?
++.br
++ /opt/Symantec/scspagent/IDS/system(/.*)?
++.br
++ /var/log
++.br
++ /var/log/dmesg
++.br
++ /var/log/syslog
++.br
++ /var/named/chroot/var/log
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), svc_multilog(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, svc_run_selinux(8), svc_start_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/svc_run_selinux.8 b/man/man8/svc_run_selinux.8
+new file mode 100644
+index 0000000..81dbe8e
+--- /dev/null
++++ b/man/man8/svc_run_selinux.8
+@@ -0,0 +1,87 @@
++.TH "svc_run_selinux" "8" "12-11-01" "svc_run" "SELinux Policy documentation for svc_run"
++.SH "NAME"
++svc_run_selinux \- Security Enhanced Linux Policy for the svc_run processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the svc_run processes via flexible mandatory access control.
++
++The svc_run processes execute with the svc_run_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep svc_run_t
++
++
++.SH "ENTRYPOINTS"
++
++The svc_run_t SELinux type can be entered via the "svc_run_exec_t" file type. The default entrypoint paths for the svc_run_t domain are the following:"
++
++/var/service/.*/run.*, /var/service/.*/log/run, /var/qmail/supervise/.*/run, /var/qmail/supervise/.*/log/run, /usr/bin/envdir, /usr/bin/fghack, /usr/bin/setlock, /var/axfrdns/run, /var/tinydns/run, /usr/bin/pgrphack, /var/dnscache/run, /usr/bin/envuidgid, /usr/bin/setuidgid, /usr/bin/softlimit, /var/axfrdns/log/run, /var/tinydns/log/run, /var/dnscache/log/run
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux svc_run policy is very flexible allowing users to setup their svc_run processes in as secure a method as possible.
++.PP
++The following process types are defined for svc_run:
++
++.EX
++.B svc_run_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux svc_run policy is very flexible allowing users to setup their svc_run processes in as secure a method as possible.
++.PP
++The following file types are defined for svc_run:
++
++
++.EX
++.PP
++.B svc_run_exec_t
++.EE
++
++- Set files with the svc_run_exec_t type, if you want to transition an executable to the svc_run_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), svc_run(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, svc_multilog_selinux(8), svc_start_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/svc_start_selinux.8 b/man/man8/svc_start_selinux.8
+new file mode 100644
+index 0000000..bada5e7
+--- /dev/null
++++ b/man/man8/svc_start_selinux.8
+@@ -0,0 +1,109 @@
++.TH "svc_start_selinux" "8" "12-11-01" "svc_start" "SELinux Policy documentation for svc_start"
++.SH "NAME"
++svc_start_selinux \- Security Enhanced Linux Policy for the svc_start processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the svc_start processes via flexible mandatory access control.
++
++The svc_start processes execute with the svc_start_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep svc_start_t
++
++
++.SH "ENTRYPOINTS"
++
++The svc_start_t SELinux type can be entered via the "svc_start_exec_t" file type. The default entrypoint paths for the svc_start_t domain are the following:"
++
++/usr/bin/svc, /usr/bin/svok, /usr/bin/svscan, /usr/bin/supervise, /usr/bin/svscanboot
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux svc_start policy is very flexible allowing users to setup their svc_start processes in as secure a method as possible.
++.PP
++The following process types are defined for svc_start:
++
++.EX
++.B svc_start_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux svc_start policy is very flexible allowing users to setup their svc_start processes in as secure a method as possible.
++.PP
++The following file types are defined for svc_start:
++
++
++.EX
++.PP
++.B svc_start_exec_t
++.EE
++
++- Set files with the svc_start_exec_t type, if you want to transition an executable to the svc_start_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type svc_start_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B svc_svc_t
++
++ /service/.*
++.br
++ /var/axfrdns(/.*)?
++.br
++ /var/tinydns(/.*)?
++.br
++ /var/service/.*
++.br
++ /var/dnscache(/.*)?
++.br
++ /var/qmail/supervise(/.*)?
++.br
++ /service
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), svc_start(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, svc_multilog_selinux(8), svc_run_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/svnserve_selinux.8 b/man/man8/svnserve_selinux.8
+new file mode 100644
+index 0000000..19003a2
+--- /dev/null
++++ b/man/man8/svnserve_selinux.8
+@@ -0,0 +1,138 @@
++.TH "svnserve_selinux" "8" "12-11-01" "svnserve" "SELinux Policy documentation for svnserve"
++.SH "NAME"
++svnserve_selinux \- Security Enhanced Linux Policy for the svnserve processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the svnserve processes via flexible mandatory access control.
++
++The svnserve processes execute with the svnserve_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep svnserve_t
++
++
++.SH "ENTRYPOINTS"
++
++The svnserve_t SELinux type can be entered via the "svnserve_exec_t" file type. The default entrypoint paths for the svnserve_t domain are the following:"
++
++/usr/bin/svnserve
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux svnserve policy is very flexible allowing users to setup their svnserve processes in as secure a method as possible.
++.PP
++The following process types are defined for svnserve:
++
++.EX
++.B svnserve_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux svnserve policy is very flexible allowing users to setup their svnserve processes in as secure a method as possible.
++.PP
++The following file types are defined for svnserve:
++
++
++.EX
++.PP
++.B svnserve_content_t
++.EE
++
++- Set files with the svnserve_content_t type, if you want to treat the files as svnserve content.
++
++
++.EX
++.PP
++.B svnserve_exec_t
++.EE
++
++- Set files with the svnserve_exec_t type, if you want to transition an executable to the svnserve_t domain.
++
++
++.EX
++.PP
++.B svnserve_initrc_exec_t
++.EE
++
++- Set files with the svnserve_initrc_exec_t type, if you want to transition an executable to the svnserve_initrc_t domain.
++
++
++.EX
++.PP
++.B svnserve_unit_file_t
++.EE
++
++- Set files with the svnserve_unit_file_t type, if you want to treat the files as svnserve unit content.
++
++
++.EX
++.PP
++.B svnserve_var_run_t
++.EE
++
++- Set files with the svnserve_var_run_t type, if you want to store the svnserve files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type svnserve_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B svnserve_content_t
++
++ /var/subversion/repo(/.*)?
++.br
++ /var/lib/subversion/repo(/.*)?
++.br
++
++.br
++.B svnserve_var_run_t
++
++ /var/run/svnserve.pid
++.br
++ /var/run/svnserve(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), svnserve(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/swat_selinux.8 b/man/man8/swat_selinux.8
+new file mode 100644
+index 0000000..7533603
+--- /dev/null
++++ b/man/man8/swat_selinux.8
+@@ -0,0 +1,214 @@
++.TH "swat_selinux" "8" "12-11-01" "swat" "SELinux Policy documentation for swat"
++.SH "NAME"
++swat_selinux \- Security Enhanced Linux Policy for the swat processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the swat processes via flexible mandatory access control.
++
++The swat processes execute with the swat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep swat_t
++
++
++.SH "ENTRYPOINTS"
++
++The swat_t SELinux type can be entered via the "swat_exec_t" file type. The default entrypoint paths for the swat_t domain are the following:"
++
++/usr/sbin/swat
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux swat policy is very flexible allowing users to setup their swat processes in as secure a method as possible.
++.PP
++The following process types are defined for swat:
++
++.EX
++.B swat_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux swat policy is very flexible allowing users to setup their swat processes in as secure a method as possible.
++.PP
++The following file types are defined for swat:
++
++
++.EX
++.PP
++.B swat_exec_t
++.EE
++
++- Set files with the swat_exec_t type, if you want to transition an executable to the swat_t domain.
++
++
++.EX
++.PP
++.B swat_tmp_t
++.EE
++
++- Set files with the swat_tmp_t type, if you want to store swat temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B swat_var_run_t
++.EE
++
++- Set files with the swat_var_run_t type, if you want to store the swat files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux swat policy is very flexible allowing users to setup their swat processes in as secure a method as possible.
++.PP
++The following port types are defined for swat:
++
++.EX
++.TP 5
++.B swat_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 901
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type swat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B samba_etc_t
++
++ /etc/samba(/.*)?
++.br
++
++.br
++.B samba_log_t
++
++ /var/log/samba(/.*)?
++.br
++
++.br
++.B samba_secrets_t
++
++ /etc/samba/smbpasswd
++.br
++ /etc/samba/passdb\.tdb
++.br
++ /etc/samba/MACHINE\.SID
++.br
++ /etc/samba/secrets\.tdb
++.br
++
++.br
++.B samba_var_t
++
++ /var/lib/samba(/.*)?
++.br
++ /var/cache/samba(/.*)?
++.br
++ /var/spool/samba(/.*)?
++.br
++
++.br
++.B swat_tmp_t
++
++
++.br
++.B swat_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the swat_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the swat_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), swat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/sysadm_selinux.8 b/man/man8/sysadm_selinux.8
+new file mode 100644
+index 0000000..a815869
+--- /dev/null
++++ b/man/man8/sysadm_selinux.8
+@@ -0,0 +1,532 @@
++.TH "sysadm_selinux" "8" "sysadm" "mgrepl@redhat.com" "sysadm SELinux Policy documentation"
++.SH "NAME"
++sysadm_u \- \fBGeneral system administration role\fP - Security Enhanced Linux Policy
++
++.SH DESCRIPTION
++
++\fBsysadm_u\fP is an SELinux User defined in the SELinux
++policy. SELinux users have default roles, \fBsysadm_r\fP. The
++default role has a default type, \fBsysadm_t\fP, associated with it.
++
++The SELinux user will usually login to a system with a context that looks like:
++
++.B sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
++
++Linux users are automatically assigned an SELinux users at login.
++Login programs use the SELinux User to assign initial context to the user's shell.
++
++SELinux policy uses the context to control the user's access.
++
++By default all users are assigned to the SELinux user via the \fB__default__\fP flag
++
++On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
++
++You can list all Linux User to SELinux user mapping using:
++
++.B semanage login -l
++
++If you wanted to change the default user mapping to use the sysadm_u user, you would execute:
++
++.B semanage login -m -s sysadm_u __default__
++
++
++If you want to map the one Linux user (joe) to the SELinux user sysadm, you would execute:
++
++.B $ semanage login -a -s sysadm_u joe
++
++
++.SH USER DESCRIPTION
++
++The SELinux user sysadm_u is an admin user. It means that a mapped Linux user to this SELinux user is intended for administrative actions. Usually this is assigned to a root Linux user.
++
++.SH SUDO
++
++The SELinux user sysadm can execute sudo.
++
++You can set up sudo to allow sysadm to transition to an administrative domain:
++
++Add one or more of the following record to sudoers using visudo.
++
++
++USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
++.br
++sudo will run COMMAND as sysadm_u:auditadm_r:auditadm_t:LEVEL
++
++You might also need to add one or more of these new roles to your SELinux user record.
++
++List the SELinux roles your SELinux user can reach by executing:
++
++.B $ semanage user -l |grep selinux_name
++
++Modify the roles list and add sysadm_r to this list.
++
++.B $ semanage user -m -R 'sysadm_r auditadm_r secadm_r staff_r user_r' sysadm_u
++
++For more details you can see semanage man page.
++
++
++USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
++.br
++sudo will run COMMAND as sysadm_u:secadm_r:secadm_t:LEVEL
++
++You might also need to add one or more of these new roles to your SELinux user record.
++
++List the SELinux roles your SELinux user can reach by executing:
++
++.B $ semanage user -l |grep selinux_name
++
++Modify the roles list and add sysadm_r to this list.
++
++.B $ semanage user -m -R 'sysadm_r auditadm_r secadm_r staff_r user_r' sysadm_u
++
++For more details you can see semanage man page.
++
++
++USERNAME ALL=(ALL) ROLE=staff_r TYPE=staff_t COMMAND
++.br
++sudo will run COMMAND as sysadm_u:staff_r:staff_t:LEVEL
++
++You might also need to add one or more of these new roles to your SELinux user record.
++
++List the SELinux roles your SELinux user can reach by executing:
++
++.B $ semanage user -l |grep selinux_name
++
++Modify the roles list and add sysadm_r to this list.
++
++.B $ semanage user -m -R 'sysadm_r auditadm_r secadm_r staff_r user_r' sysadm_u
++
++For more details you can see semanage man page.
++
++
++USERNAME ALL=(ALL) ROLE=user_r TYPE=user_t COMMAND
++.br
++sudo will run COMMAND as sysadm_u:user_r:user_t:LEVEL
++
++You might also need to add one or more of these new roles to your SELinux user record.
++
++List the SELinux roles your SELinux user can reach by executing:
++
++.B $ semanage user -l |grep selinux_name
++
++Modify the roles list and add sysadm_r to this list.
++
++.B $ semanage user -m -R 'sysadm_r auditadm_r secadm_r staff_r user_r' sysadm_u
++
++For more details you can see semanage man page.
++
++
++The SELinux type sysadm_t is not allowed to execute sudo.
++
++.SH X WINDOWS LOGIN
++
++The SELinux user sysadm_u is able to X Windows login.
++
++.SH NETWORK
++
++.TP
++The SELinux user sysadm_u is able to listen on the following tcp ports.
++
++.B all ports with out defined types
++
++.B ephemeral_port_t: 32768-61000
++
++.TP
++The SELinux user sysadm_u is able to connect to the following tcp ports.
++
++.B all ports
++
++.TP
++The SELinux user sysadm_u is able to listen on the following udp ports.
++
++.B all ports with out defined types
++
++.B ntp_port_t: 123
++
++.B ephemeral_port_t: 32768-61000
++
++.TP
++The SELinux user sysadm_u is able to connect to the following tcp ports.
++
++.B all ports
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. sysadm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sysadm with the tightest access possible.
++
++
++.PP
++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean.
++
++.EX
++.B setsebool -P ssh_sysadm_login 1
++.EE
++
++.PP
++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
++
++.EX
++.B setsebool -P xdm_sysadm_login 1
++.EE
++
++.PP
++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean.
++
++.EX
++.B setsebool -P ssh_sysadm_login 1
++.EE
++
++.PP
++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
++
++.EX
++.B setsebool -P xdm_sysadm_login 1
++.EE
++
++.SH HOME_EXEC
++
++The SELinux user sysadm_u is able execute home content files.
++
++.SH TRANSITIONS
++
++Three things can happen when sysadm_t attempts to execute a program.
++
++\fB1.\fP SELinux Policy can deny sysadm_t from executing the program.
++
++.TP
++
++\fB2.\fP SELinux Policy can allow sysadm_t to execute the program in the current user type.
++
++Execute the following to see the types that the SELinux user sysadm_t can execute without transitioning:
++
++.B search -A -s sysadm_t -c file -p execute_no_trans
++
++.TP
++
++\fB3.\fP SELinux can allow sysadm_t to execute the program and transition to a new type.
++
++Execute the following to see the types that the SELinux user sysadm_t can execute and transition:
++
++.B $ search -A -s sysadm_t -c process -p transition
++
++
++.SH "MANAGED FILES"
++
++The SELinux process type sysadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B auditd_etc_t
++
++ /etc/audit(/.*)?
++.br
++
++.br
++.B auditd_log_t
++
++ /var/log/audit(/.*)?
++.br
++ /var/log/audit\.log
++.br
++
++.br
++.B boolean_type
++
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B iceauth_home_t
++
++ /root/\.DCOP.*
++.br
++ /root/\.ICEauthority.*
++.br
++ /home/[^/]*/\.DCOP.*
++.br
++ /home/[^/]*/\.ICEauthority.*
++.br
++ /home/dwalsh/\.DCOP.*
++.br
++ /home/dwalsh/\.ICEauthority.*
++.br
++ /var/lib/xguest/home/xguest/\.DCOP.*
++.br
++ /var/lib/xguest/home/xguest/\.ICEauthority.*
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B krb5_keytab_t
++
++ /etc/krb5\.keytab
++.br
++ /etc/krb5kdc/kadm5\.keytab
++.br
++ /var/kerberos/krb5kdc/kadm5\.keytab
++.br
++
++.br
++.B non_security_file_type
++
++
++.br
++.B noxattrfs
++
++ all files on file systems which do not support extended attributes
++.br
++
++.br
++.B screen_home_t
++
++ /root/\.screen(/.*)?
++.br
++ /home/[^/]*/\.screen(/.*)?
++.br
++ /home/[^/]*/\.screenrc
++.br
++ /home/dwalsh/\.screen(/.*)?
++.br
++ /home/dwalsh/\.screenrc
++.br
++ /var/lib/xguest/home/xguest/\.screen(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.screenrc
++.br
++
++.br
++.B sysctl_type
++
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B systemd_unit_file_type
++
++
++.br
++.B usbfs_t
++
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B user_fonts_t
++
++ /root/\.fonts(/.*)?
++.br
++ /tmp/\.font-unix(/.*)?
++.br
++ /home/[^/]*/\.fonts(/.*)?
++.br
++ /home/dwalsh/\.fonts(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts(/.*)?
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.br
++.B user_home_type
++
++ all user home files
++.br
++
++.br
++.B user_tmp_type
++
++ all user tmp files
++.br
++
++.br
++.B user_tmpfs_type
++
++ all user content in tmpfs file systems
++.br
++
++.br
++.B xauth_home_t
++
++ /root/\.xauth.*
++.br
++ /root/\.Xauth.*
++.br
++ /root/\.serverauth.*
++.br
++ /root/\.Xauthority.*
++.br
++ /var/lib/pqsql/\.xauth.*
++.br
++ /var/lib/pqsql/\.Xauthority.*
++.br
++ /var/lib/nxserver/home/\.xauth.*
++.br
++ /var/lib/nxserver/home/\.Xauthority.*
++.br
++ /home/[^/]*/\.xauth.*
++.br
++ /home/[^/]*/\.Xauth.*
++.br
++ /home/[^/]*/\.serverauth.*
++.br
++ /home/[^/]*/\.Xauthority.*
++.br
++ /home/dwalsh/\.xauth.*
++.br
++ /home/dwalsh/\.Xauth.*
++.br
++ /home/dwalsh/\.serverauth.*
++.br
++ /home/dwalsh/\.Xauthority.*
++.br
++ /var/lib/xguest/home/xguest/\.xauth.*
++.br
++ /var/lib/xguest/home/xguest/\.Xauth.*
++.br
++ /var/lib/xguest/home/xguest/\.serverauth.*
++.br
++ /var/lib/xguest/home/xguest/\.Xauthority.*
++.br
++
++.br
++.B xserver_tmpfs_t
++
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sysadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/syslogd_selinux.8 b/man/man8/syslogd_selinux.8
+new file mode 100644
+index 0000000..6ebf4fa
+--- /dev/null
++++ b/man/man8/syslogd_selinux.8
+@@ -0,0 +1,286 @@
++.TH "syslogd_selinux" "8" "12-11-01" "syslogd" "SELinux Policy documentation for syslogd"
++.SH "NAME"
++syslogd_selinux \- Security Enhanced Linux Policy for the syslogd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the syslogd processes via flexible mandatory access control.
++
++The syslogd processes execute with the syslogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep syslogd_t
++
++
++.SH "ENTRYPOINTS"
++
++The syslogd_t SELinux type can be entered via the "syslogd_exec_t" file type. The default entrypoint paths for the syslogd_t domain are the following:"
++
++/sbin/syslogd, /sbin/minilogd, /sbin/rsyslogd, /sbin/syslog-ng, /usr/sbin/metalog, /usr/sbin/syslogd, /usr/sbin/minilogd, /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-journald, /usr/lib/systemd/systemd-kmsg-syslogd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux syslogd policy is very flexible allowing users to setup their syslogd processes in as secure a method as possible.
++.PP
++The following process types are defined for syslogd:
++
++.EX
++.B syslogd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. syslogd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run syslogd with the tightest access possible.
++
++
++.PP
++If you want to allow syslogd the ability to read/write terminals, you must turn on the logging_syslogd_use_tty boolean.
++
++.EX
++.B setsebool -P logging_syslogd_use_tty 1
++.EE
++
++.PP
++If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean.
++
++.EX
++.B setsebool -P logging_syslogd_can_sendmail 1
++.EE
++
++.PP
++If you want to allow syslogd the ability to read/write terminals, you must turn on the logging_syslogd_use_tty boolean.
++
++.EX
++.B setsebool -P logging_syslogd_use_tty 1
++.EE
++
++.PP
++If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean.
++
++.EX
++.B setsebool -P logging_syslogd_can_sendmail 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux syslogd policy is very flexible allowing users to setup their syslogd processes in as secure a method as possible.
++.PP
++The following file types are defined for syslogd:
++
++
++.EX
++.PP
++.B syslogd_exec_t
++.EE
++
++- Set files with the syslogd_exec_t type, if you want to transition an executable to the syslogd_t domain.
++
++
++.EX
++.PP
++.B syslogd_initrc_exec_t
++.EE
++
++- Set files with the syslogd_initrc_exec_t type, if you want to transition an executable to the syslogd_initrc_t domain.
++
++
++.EX
++.PP
++.B syslogd_keytab_t
++.EE
++
++- Set files with the syslogd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B syslogd_tmp_t
++.EE
++
++- Set files with the syslogd_tmp_t type, if you want to store syslogd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B syslogd_var_lib_t
++.EE
++
++- Set files with the syslogd_var_lib_t type, if you want to store the syslogd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B syslogd_var_run_t
++.EE
++
++- Set files with the syslogd_var_run_t type, if you want to store the syslogd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux syslogd policy is very flexible allowing users to setup their syslogd processes in as secure a method as possible.
++.PP
++The following port types are defined for syslogd:
++
++.EX
++.TP 5
++.B syslogd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 6514
++.EE
++udp 514,6514
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type syslogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B logfile
++
++ all log files
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B syslogd_tmp_t
++
++
++.br
++.B syslogd_var_lib_t
++
++ /var/lib/r?syslog(/.*)?
++.br
++ /var/lib/syslog-ng(/.*)?
++.br
++ /var/lib/syslog-ng.persist
++.br
++
++.br
++.B syslogd_var_run_t
++
++ /var/run/log(/.*)?
++.br
++ /var/run/syslog-ng.ctl
++.br
++ /var/log/syslog-ng(/.*)?
++.br
++ /var/run/syslog-ng(/.*)?
++.br
++ /var/run/systemd/journal(/.*)?
++.br
++ /var/run/metalog\.pid
++.br
++ /var/run/syslogd\.pid
++.br
++
++.br
++.B tmpfs_t
++
++ /dev/shm
++.br
++ /lib/udev/devices/shm
++.br
++ /usr/lib/udev/devices/shm
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the syslogd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the syslogd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), syslogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/sysstat_selinux.8 b/man/man8/sysstat_selinux.8
+new file mode 100644
+index 0000000..a41e354
+--- /dev/null
++++ b/man/man8/sysstat_selinux.8
+@@ -0,0 +1,124 @@
++.TH "sysstat_selinux" "8" "12-11-01" "sysstat" "SELinux Policy documentation for sysstat"
++.SH "NAME"
++sysstat_selinux \- Security Enhanced Linux Policy for the sysstat processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the sysstat processes via flexible mandatory access control.
++
++The sysstat processes execute with the sysstat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep sysstat_t
++
++
++.SH "ENTRYPOINTS"
++
++The sysstat_t SELinux type can be entered via the "sysstat_exec_t" file type. The default entrypoint paths for the sysstat_t domain are the following:"
++
++/usr/lib/sa/sa.*, /usr/lib/atsar/atsa.*, /usr/lib/sysstat/sa.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux sysstat policy is very flexible allowing users to setup their sysstat processes in as secure a method as possible.
++.PP
++The following process types are defined for sysstat:
++
++.EX
++.B sysstat_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux sysstat policy is very flexible allowing users to setup their sysstat processes in as secure a method as possible.
++.PP
++The following file types are defined for sysstat:
++
++
++.EX
++.PP
++.B sysstat_exec_t
++.EE
++
++- Set files with the sysstat_exec_t type, if you want to transition an executable to the sysstat_t domain.
++
++
++.EX
++.PP
++.B sysstat_log_t
++.EE
++
++- Set files with the sysstat_log_t type, if you want to treat the data as sysstat log data, usually stored under the /var/log directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type sysstat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B sysstat_log_t
++
++ /var/log/sa(/.*)?
++.br
++ /opt/sartest(/.*)?
++.br
++ /var/log/atsar(/.*)?
++.br
++ /var/log/sysstat(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sysstat_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sysstat_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), sysstat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/system_munin_plugin_selinux.8 b/man/man8/system_munin_plugin_selinux.8
+new file mode 100644
+index 0000000..1b3a9b7
+--- /dev/null
++++ b/man/man8/system_munin_plugin_selinux.8
+@@ -0,0 +1,115 @@
++.TH "system_munin_plugin_selinux" "8" "12-11-01" "system_munin_plugin" "SELinux Policy documentation for system_munin_plugin"
++.SH "NAME"
++system_munin_plugin_selinux \- Security Enhanced Linux Policy for the system_munin_plugin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the system_munin_plugin processes via flexible mandatory access control.
++
++The system_munin_plugin processes execute with the system_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep system_munin_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The system_munin_plugin_t SELinux type can be entered via the "system_munin_plugin_exec_t" file type. The default entrypoint paths for the system_munin_plugin_t domain are the following:"
++
++/usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/load, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/users, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/open_files
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux system_munin_plugin policy is very flexible allowing users to setup their system_munin_plugin processes in as secure a method as possible.
++.PP
++The following process types are defined for system_munin_plugin:
++
++.EX
++.B system_munin_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux system_munin_plugin policy is very flexible allowing users to setup their system_munin_plugin processes in as secure a method as possible.
++.PP
++The following file types are defined for system_munin_plugin:
++
++
++.EX
++.PP
++.B system_munin_plugin_exec_t
++.EE
++
++- Set files with the system_munin_plugin_exec_t type, if you want to transition an executable to the system_munin_plugin_t domain.
++
++
++.EX
++.PP
++.B system_munin_plugin_tmp_t
++.EE
++
++- Set files with the system_munin_plugin_tmp_t type, if you want to store system munin plugin temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type system_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B munin_plugin_state_t
++
++ /var/lib/munin/plugin-state(/.*)?
++.br
++
++.br
++.B munin_var_lib_t
++
++ /var/lib/munin(/.*)?
++.br
++
++.br
++.B system_munin_plugin_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), system_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/systemd_logger_selinux.8 b/man/man8/systemd_logger_selinux.8
+new file mode 100644
+index 0000000..b8b6a98
+--- /dev/null
++++ b/man/man8/systemd_logger_selinux.8
+@@ -0,0 +1,101 @@
++.TH "systemd_logger_selinux" "8" "12-11-01" "systemd_logger" "SELinux Policy documentation for systemd_logger"
++.SH "NAME"
++systemd_logger_selinux \- Security Enhanced Linux Policy for the systemd_logger processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the systemd_logger processes via flexible mandatory access control.
++
++The systemd_logger processes execute with the systemd_logger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep systemd_logger_t
++
++
++.SH "ENTRYPOINTS"
++
++The systemd_logger_t SELinux type can be entered via the "systemd_logger_exec_t" file type. The default entrypoint paths for the systemd_logger_t domain are the following:"
++
++/usr/lib/systemd/systemd-logger
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux systemd_logger policy is very flexible allowing users to setup their systemd_logger processes in as secure a method as possible.
++.PP
++The following process types are defined for systemd_logger:
++
++.EX
++.B systemd_logger_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux systemd_logger policy is very flexible allowing users to setup their systemd_logger processes in as secure a method as possible.
++.PP
++The following file types are defined for systemd_logger:
++
++
++.EX
++.PP
++.B systemd_logger_exec_t
++.EE
++
++- Set files with the systemd_logger_exec_t type, if you want to transition an executable to the systemd_logger_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_logger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the systemd_logger_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), systemd_logger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/systemd_logind_selinux.8 b/man/man8/systemd_logind_selinux.8
+new file mode 100644
+index 0000000..d2912c3
+--- /dev/null
++++ b/man/man8/systemd_logind_selinux.8
+@@ -0,0 +1,249 @@
++.TH "systemd_logind_selinux" "8" "12-11-01" "systemd_logind" "SELinux Policy documentation for systemd_logind"
++.SH "NAME"
++systemd_logind_selinux \- Security Enhanced Linux Policy for the systemd_logind processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the systemd_logind processes via flexible mandatory access control.
++
++The systemd_logind processes execute with the systemd_logind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep systemd_logind_t
++
++
++.SH "ENTRYPOINTS"
++
++The systemd_logind_t SELinux type can be entered via the "systemd_logind_exec_t" file type. The default entrypoint paths for the systemd_logind_t domain are the following:"
++
++/usr/lib/systemd/systemd-logind
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux systemd_logind policy is very flexible allowing users to setup their systemd_logind processes in as secure a method as possible.
++.PP
++The following process types are defined for systemd_logind:
++
++.EX
++.B systemd_logind_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux systemd_logind policy is very flexible allowing users to setup their systemd_logind processes in as secure a method as possible.
++.PP
++The following file types are defined for systemd_logind:
++
++
++.EX
++.PP
++.B systemd_logind_exec_t
++.EE
++
++- Set files with the systemd_logind_exec_t type, if you want to transition an executable to the systemd_logind_t domain.
++
++
++.EX
++.PP
++.B systemd_logind_inhibit_var_run_t
++.EE
++
++- Set files with the systemd_logind_inhibit_var_run_t type, if you want to store the systemd logind inhibit files under the /run directory.
++
++
++.EX
++.PP
++.B systemd_logind_sessions_t
++.EE
++
++- Set files with the systemd_logind_sessions_t type, if you want to treat the files as systemd logind sessions data.
++
++
++.EX
++.PP
++.B systemd_logind_var_run_t
++.EE
++
++- Set files with the systemd_logind_var_run_t type, if you want to store the systemd logind files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type systemd_logind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B config_home_t
++
++ /root/\.kde(/.*)?
++.br
++ /root/\.xine(/.*)?
++.br
++ /root/\.config(/.*)?
++.br
++ /var/run/user/[^/]*/dconf(/.*)?
++.br
++ /root/\.Xdefaults
++.br
++ /home/[^/]*/\.kde(/.*)?
++.br
++ /home/[^/]*/\.xine(/.*)?
++.br
++ /home/[^/]*/\.config(/.*)?
++.br
++ /home/[^/]*/\.Xdefaults
++.br
++ /home/dwalsh/\.kde(/.*)?
++.br
++ /home/dwalsh/\.xine(/.*)?
++.br
++ /home/dwalsh/\.config(/.*)?
++.br
++ /home/dwalsh/\.Xdefaults
++.br
++ /var/lib/xguest/home/xguest/\.kde(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.xine(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.config(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.Xdefaults
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B systemd_logind_inhibit_var_run_t
++
++ /var/run/systemd/inhibit(/.*)?
++.br
++
++.br
++.B systemd_logind_sessions_t
++
++ /var/run/systemd/sessions(/.*)?
++.br
++
++.br
++.B systemd_logind_var_run_t
++
++ /var/run/systemd/seats(/.*)?
++.br
++ /var/run/systemd/users(/.*)?
++.br
++ /var/run/nologin
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B udev_rules_t
++
++ /etc/udev/rules.d(/.*)?
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.br
++.B var_auth_t
++
++ /var/ace(/.*)?
++.br
++ /var/rsa(/.*)?
++.br
++ /var/lib/abl(/.*)?
++.br
++ /var/lib/rsa(/.*)?
++.br
++ /var/lib/pam_ssh(/.*)?
++.br
++ /var/run/pam_ssh(/.*)?
++.br
++ /var/lib/pam_shield(/.*)?
++.br
++ /var/lib/google-authenticator(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_logind_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the systemd_logind_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), systemd_logind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, systemd_logger_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/systemd_notify_selinux.8 b/man/man8/systemd_notify_selinux.8
+new file mode 100644
+index 0000000..6a06f93
+--- /dev/null
++++ b/man/man8/systemd_notify_selinux.8
+@@ -0,0 +1,113 @@
++.TH "systemd_notify_selinux" "8" "12-11-01" "systemd_notify" "SELinux Policy documentation for systemd_notify"
++.SH "NAME"
++systemd_notify_selinux \- Security Enhanced Linux Policy for the systemd_notify processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the systemd_notify processes via flexible mandatory access control.
++
++The systemd_notify processes execute with the systemd_notify_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep systemd_notify_t
++
++
++.SH "ENTRYPOINTS"
++
++The systemd_notify_t SELinux type can be entered via the "systemd_notify_exec_t" file type. The default entrypoint paths for the systemd_notify_t domain are the following:"
++
++/bin/systemd-notify, /usr/bin/systemd-notify
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux systemd_notify policy is very flexible allowing users to setup their systemd_notify processes in as secure a method as possible.
++.PP
++The following process types are defined for systemd_notify:
++
++.EX
++.B systemd_notify_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux systemd_notify policy is very flexible allowing users to setup their systemd_notify processes in as secure a method as possible.
++.PP
++The following file types are defined for systemd_notify:
++
++
++.EX
++.PP
++.B systemd_notify_exec_t
++.EE
++
++- Set files with the systemd_notify_exec_t type, if you want to transition an executable to the systemd_notify_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type systemd_notify_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B readahead_var_run_t
++
++ /dev/\.systemd/readahead(/.*)?
++.br
++ /var/run/systemd/readahead(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_notify_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the systemd_notify_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), systemd_notify(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/systemd_passwd_agent_selinux.8 b/man/man8/systemd_passwd_agent_selinux.8
+new file mode 100644
+index 0000000..e32dad2
+--- /dev/null
++++ b/man/man8/systemd_passwd_agent_selinux.8
+@@ -0,0 +1,113 @@
++.TH "systemd_passwd_agent_selinux" "8" "12-11-01" "systemd_passwd_agent" "SELinux Policy documentation for systemd_passwd_agent"
++.SH "NAME"
++systemd_passwd_agent_selinux \- Security Enhanced Linux Policy for the systemd_passwd_agent processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the systemd_passwd_agent processes via flexible mandatory access control.
++
++The systemd_passwd_agent processes execute with the systemd_passwd_agent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep systemd_passwd_agent_t
++
++
++.SH "ENTRYPOINTS"
++
++The systemd_passwd_agent_t SELinux type can be entered via the "systemd_passwd_agent_exec_t" file type. The default entrypoint paths for the systemd_passwd_agent_t domain are the following:"
++
++/bin/systemd-tty-ask-password-agent, /usr/bin/systemd-tty-ask-password-agent, /usr/bin/systemd-gnome-ask-password-agent
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux systemd_passwd_agent policy is very flexible allowing users to setup their systemd_passwd_agent processes in as secure a method as possible.
++.PP
++The following process types are defined for systemd_passwd_agent:
++
++.EX
++.B systemd_passwd_agent_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux systemd_passwd_agent policy is very flexible allowing users to setup their systemd_passwd_agent processes in as secure a method as possible.
++.PP
++The following file types are defined for systemd_passwd_agent:
++
++
++.EX
++.PP
++.B systemd_passwd_agent_exec_t
++.EE
++
++- Set files with the systemd_passwd_agent_exec_t type, if you want to transition an executable to the systemd_passwd_agent_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type systemd_passwd_agent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_passwd_agent_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the systemd_passwd_agent_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), systemd_passwd_agent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_tmpfiles_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/systemd_tmpfiles_selinux.8 b/man/man8/systemd_tmpfiles_selinux.8
+new file mode 100644
+index 0000000..de442a9
+--- /dev/null
++++ b/man/man8/systemd_tmpfiles_selinux.8
+@@ -0,0 +1,187 @@
++.TH "systemd_tmpfiles_selinux" "8" "12-11-01" "systemd_tmpfiles" "SELinux Policy documentation for systemd_tmpfiles"
++.SH "NAME"
++systemd_tmpfiles_selinux \- Security Enhanced Linux Policy for the systemd_tmpfiles processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the systemd_tmpfiles processes via flexible mandatory access control.
++
++The systemd_tmpfiles processes execute with the systemd_tmpfiles_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep systemd_tmpfiles_t
++
++
++.SH "ENTRYPOINTS"
++
++The systemd_tmpfiles_t SELinux type can be entered via the "systemd_tmpfiles_exec_t" file type. The default entrypoint paths for the systemd_tmpfiles_t domain are the following:"
++
++/bin/systemd-tmpfiles, /usr/bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux systemd_tmpfiles policy is very flexible allowing users to setup their systemd_tmpfiles processes in as secure a method as possible.
++.PP
++The following process types are defined for systemd_tmpfiles:
++
++.EX
++.B systemd_tmpfiles_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux systemd_tmpfiles policy is very flexible allowing users to setup their systemd_tmpfiles processes in as secure a method as possible.
++.PP
++The following file types are defined for systemd_tmpfiles:
++
++
++.EX
++.PP
++.B systemd_tmpfiles_exec_t
++.EE
++
++- Set files with the systemd_tmpfiles_exec_t type, if you want to transition an executable to the systemd_tmpfiles_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type systemd_tmpfiles_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B lockfile
++
++
++.br
++.B man_t
++
++ /opt/(.*/)?man(/.*)?
++.br
++ /usr/man(/.*)?
++.br
++ /usr/share/man(/.*)?
++.br
++ /usr/X11R6/man(/.*)?
++.br
++ /usr/lib/perl5/man(/.*)?
++.br
++
++.br
++.B pidfile
++
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B tmp_t
++
++ /sandbox(/.*)?
++.br
++ /tmp
++.br
++ /var/tmp
++.br
++ /var/tmp
++.br
++ /usr/tmp
++.br
++ /var/tmp/vi\.recover
++.br
++
++.br
++.B var_auth_t
++
++ /var/ace(/.*)?
++.br
++ /var/rsa(/.*)?
++.br
++ /var/lib/abl(/.*)?
++.br
++ /var/lib/rsa(/.*)?
++.br
++ /var/lib/pam_ssh(/.*)?
++.br
++ /var/run/pam_ssh(/.*)?
++.br
++ /var/lib/pam_shield(/.*)?
++.br
++ /var/lib/google-authenticator(/.*)?
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_tmpfiles_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the systemd_tmpfiles_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), systemd_tmpfiles(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/tcpd_selinux.8 b/man/man8/tcpd_selinux.8
+new file mode 100644
+index 0000000..42ef6d7
+--- /dev/null
++++ b/man/man8/tcpd_selinux.8
+@@ -0,0 +1,152 @@
++.TH "tcpd_selinux" "8" "12-11-01" "tcpd" "SELinux Policy documentation for tcpd"
++.SH "NAME"
++tcpd_selinux \- Security Enhanced Linux Policy for the tcpd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the tcpd processes via flexible mandatory access control.
++
++The tcpd processes execute with the tcpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep tcpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The tcpd_t SELinux type can be entered via the "tcpd_exec_t" file type. The default entrypoint paths for the tcpd_t domain are the following:"
++
++/usr/sbin/tcpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux tcpd policy is very flexible allowing users to setup their tcpd processes in as secure a method as possible.
++.PP
++The following process types are defined for tcpd:
++
++.EX
++.B tcpd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. tcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tcpd with the tightest access possible.
++
++
++.PP
++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean.
++
++.EX
++.B setsebool -P daemons_use_tcp_wrapper 1
++.EE
++
++.PP
++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean.
++
++.EX
++.B setsebool -P selinuxuser_tcp_server 1
++.EE
++
++.PP
++If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean.
++
++.EX
++.B setsebool -P telepathy_tcp_connect_generic_network_ports 1
++.EE
++
++.PP
++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean.
++
++.EX
++.B setsebool -P daemons_use_tcp_wrapper 1
++.EE
++
++.PP
++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean.
++
++.EX
++.B setsebool -P selinuxuser_tcp_server 1
++.EE
++
++.PP
++If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean.
++
++.EX
++.B setsebool -P telepathy_tcp_connect_generic_network_ports 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux tcpd policy is very flexible allowing users to setup their tcpd processes in as secure a method as possible.
++.PP
++The following file types are defined for tcpd:
++
++
++.EX
++.PP
++.B tcpd_exec_t
++.EE
++
++- Set files with the tcpd_exec_t type, if you want to transition an executable to the tcpd_t domain.
++
++
++.EX
++.PP
++.B tcpd_tmp_t
++.EE
++
++- Set files with the tcpd_tmp_t type, if you want to store tcpd temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type tcpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B tcpd_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), tcpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/tcsd_selinux.8 b/man/man8/tcsd_selinux.8
+new file mode 100644
+index 0000000..f4bc953
+--- /dev/null
++++ b/man/man8/tcsd_selinux.8
+@@ -0,0 +1,152 @@
++.TH "tcsd_selinux" "8" "12-11-01" "tcsd" "SELinux Policy documentation for tcsd"
++.SH "NAME"
++tcsd_selinux \- Security Enhanced Linux Policy for the tcsd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the tcsd processes via flexible mandatory access control.
++
++The tcsd processes execute with the tcsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep tcsd_t
++
++
++.SH "ENTRYPOINTS"
++
++The tcsd_t SELinux type can be entered via the "tcsd_exec_t" file type. The default entrypoint paths for the tcsd_t domain are the following:"
++
++/usr/sbin/tcsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux tcsd policy is very flexible allowing users to setup their tcsd processes in as secure a method as possible.
++.PP
++The following process types are defined for tcsd:
++
++.EX
++.B tcsd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux tcsd policy is very flexible allowing users to setup their tcsd processes in as secure a method as possible.
++.PP
++The following file types are defined for tcsd:
++
++
++.EX
++.PP
++.B tcsd_exec_t
++.EE
++
++- Set files with the tcsd_exec_t type, if you want to transition an executable to the tcsd_t domain.
++
++
++.EX
++.PP
++.B tcsd_initrc_exec_t
++.EE
++
++- Set files with the tcsd_initrc_exec_t type, if you want to transition an executable to the tcsd_initrc_t domain.
++
++
++.EX
++.PP
++.B tcsd_var_lib_t
++.EE
++
++- Set files with the tcsd_var_lib_t type, if you want to store the tcsd files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux tcsd policy is very flexible allowing users to setup their tcsd processes in as secure a method as possible.
++.PP
++The following port types are defined for tcsd:
++
++.EX
++.TP 5
++.B tcs_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 30003
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type tcsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B tcsd_var_lib_t
++
++ /var/lib/tpm(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tcsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the tcsd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), tcsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/telepathy_gabble_selinux.8 b/man/man8/telepathy_gabble_selinux.8
+new file mode 100644
+index 0000000..a1ba3c0
+--- /dev/null
++++ b/man/man8/telepathy_gabble_selinux.8
+@@ -0,0 +1,193 @@
++.TH "telepathy_gabble_selinux" "8" "12-11-01" "telepathy_gabble" "SELinux Policy documentation for telepathy_gabble"
++.SH "NAME"
++telepathy_gabble_selinux \- Security Enhanced Linux Policy for the telepathy_gabble processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the telepathy_gabble processes via flexible mandatory access control.
++
++The telepathy_gabble processes execute with the telepathy_gabble_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep telepathy_gabble_t
++
++
++.SH "ENTRYPOINTS"
++
++The telepathy_gabble_t SELinux type can be entered via the "telepathy_gabble_exec_t" file type. The default entrypoint paths for the telepathy_gabble_t domain are the following:"
++
++/usr/libexec/telepathy-gabble
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux telepathy_gabble policy is very flexible allowing users to setup their telepathy_gabble processes in as secure a method as possible.
++.PP
++The following process types are defined for telepathy_gabble:
++
++.EX
++.B telepathy_gabble_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux telepathy_gabble policy is very flexible allowing users to setup their telepathy_gabble processes in as secure a method as possible.
++.PP
++The following file types are defined for telepathy_gabble:
++
++
++.EX
++.PP
++.B telepathy_gabble_cache_home_t
++.EE
++
++- Set files with the telepathy_gabble_cache_home_t type, if you want to store telepathy gabble cache files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_gabble_exec_t
++.EE
++
++- Set files with the telepathy_gabble_exec_t type, if you want to transition an executable to the telepathy_gabble_t domain.
++
++
++.EX
++.PP
++.B telepathy_gabble_tmp_t
++.EE
++
++- Set files with the telepathy_gabble_tmp_t type, if you want to store telepathy gabble temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type telepathy_gabble_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cache_home_t
++
++ /root/\.cache(/.*)?
++.br
++ /home/[^/]*/\.nv(/.*)?
++.br
++ /home/[^/]*/\.cache(/.*)?
++.br
++ /home/dwalsh/\.nv(/.*)?
++.br
++ /home/dwalsh/\.cache(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.br
++.B config_home_t
++
++ /root/\.kde(/.*)?
++.br
++ /root/\.xine(/.*)?
++.br
++ /root/\.config(/.*)?
++.br
++ /var/run/user/[^/]*/dconf(/.*)?
++.br
++ /root/\.Xdefaults
++.br
++ /home/[^/]*/\.kde(/.*)?
++.br
++ /home/[^/]*/\.xine(/.*)?
++.br
++ /home/[^/]*/\.config(/.*)?
++.br
++ /home/[^/]*/\.Xdefaults
++.br
++ /home/dwalsh/\.kde(/.*)?
++.br
++ /home/dwalsh/\.xine(/.*)?
++.br
++ /home/dwalsh/\.config(/.*)?
++.br
++ /home/dwalsh/\.Xdefaults
++.br
++ /var/lib/xguest/home/xguest/\.kde(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.xine(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.config(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.Xdefaults
++.br
++
++.br
++.B telepathy_gabble_cache_home_t
++
++ /home/[^/]*/\.cache/wocky(/.*)?
++.br
++ /home/[^/]*/\.cache/telepathy/gabble(/.*)?
++.br
++ /home/dwalsh/\.cache/wocky(/.*)?
++.br
++ /home/dwalsh/\.cache/telepathy/gabble(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache/wocky(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache/telepathy/gabble(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_gabble_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_gabble_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), telepathy_gabble(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/telepathy_idle_selinux.8 b/man/man8/telepathy_idle_selinux.8
+new file mode 100644
+index 0000000..dd6fb69
+--- /dev/null
++++ b/man/man8/telepathy_idle_selinux.8
+@@ -0,0 +1,131 @@
++.TH "telepathy_idle_selinux" "8" "12-11-01" "telepathy_idle" "SELinux Policy documentation for telepathy_idle"
++.SH "NAME"
++telepathy_idle_selinux \- Security Enhanced Linux Policy for the telepathy_idle processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the telepathy_idle processes via flexible mandatory access control.
++
++The telepathy_idle processes execute with the telepathy_idle_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep telepathy_idle_t
++
++
++.SH "ENTRYPOINTS"
++
++The telepathy_idle_t SELinux type can be entered via the "telepathy_idle_exec_t" file type. The default entrypoint paths for the telepathy_idle_t domain are the following:"
++
++/usr/libexec/telepathy-idle
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux telepathy_idle policy is very flexible allowing users to setup their telepathy_idle processes in as secure a method as possible.
++.PP
++The following process types are defined for telepathy_idle:
++
++.EX
++.B telepathy_idle_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux telepathy_idle policy is very flexible allowing users to setup their telepathy_idle processes in as secure a method as possible.
++.PP
++The following file types are defined for telepathy_idle:
++
++
++.EX
++.PP
++.B telepathy_idle_exec_t
++.EE
++
++- Set files with the telepathy_idle_exec_t type, if you want to transition an executable to the telepathy_idle_t domain.
++
++
++.EX
++.PP
++.B telepathy_idle_tmp_t
++.EE
++
++- Set files with the telepathy_idle_tmp_t type, if you want to store telepathy idle temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type telepathy_idle_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cache_home_t
++
++ /root/\.cache(/.*)?
++.br
++ /home/[^/]*/\.nv(/.*)?
++.br
++ /home/[^/]*/\.cache(/.*)?
++.br
++ /home/dwalsh/\.nv(/.*)?
++.br
++ /home/dwalsh/\.cache(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_idle_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_idle_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), telepathy_idle(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, telepathy_gabble_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/telepathy_logger_selinux.8 b/man/man8/telepathy_logger_selinux.8
+new file mode 100644
+index 0000000..e218a21
+--- /dev/null
++++ b/man/man8/telepathy_logger_selinux.8
+@@ -0,0 +1,205 @@
++.TH "telepathy_logger_selinux" "8" "12-11-01" "telepathy_logger" "SELinux Policy documentation for telepathy_logger"
++.SH "NAME"
++telepathy_logger_selinux \- Security Enhanced Linux Policy for the telepathy_logger processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the telepathy_logger processes via flexible mandatory access control.
++
++The telepathy_logger processes execute with the telepathy_logger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep telepathy_logger_t
++
++
++.SH "ENTRYPOINTS"
++
++The telepathy_logger_t SELinux type can be entered via the "telepathy_logger_exec_t" file type. The default entrypoint paths for the telepathy_logger_t domain are the following:"
++
++/usr/libexec/telepathy-logger
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux telepathy_logger policy is very flexible allowing users to setup their telepathy_logger processes in as secure a method as possible.
++.PP
++The following process types are defined for telepathy_logger:
++
++.EX
++.B telepathy_logger_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux telepathy_logger policy is very flexible allowing users to setup their telepathy_logger processes in as secure a method as possible.
++.PP
++The following file types are defined for telepathy_logger:
++
++
++.EX
++.PP
++.B telepathy_logger_cache_home_t
++.EE
++
++- Set files with the telepathy_logger_cache_home_t type, if you want to store telepathy logger cache files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_logger_data_home_t
++.EE
++
++- Set files with the telepathy_logger_data_home_t type, if you want to store telepathy logger data files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_logger_exec_t
++.EE
++
++- Set files with the telepathy_logger_exec_t type, if you want to transition an executable to the telepathy_logger_t domain.
++
++
++.EX
++.PP
++.B telepathy_logger_tmp_t
++.EE
++
++- Set files with the telepathy_logger_tmp_t type, if you want to store telepathy logger temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type telepathy_logger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cache_home_t
++
++ /root/\.cache(/.*)?
++.br
++ /home/[^/]*/\.nv(/.*)?
++.br
++ /home/[^/]*/\.cache(/.*)?
++.br
++ /home/dwalsh/\.nv(/.*)?
++.br
++ /home/dwalsh/\.cache(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.br
++.B config_home_t
++
++ /root/\.kde(/.*)?
++.br
++ /root/\.xine(/.*)?
++.br
++ /root/\.config(/.*)?
++.br
++ /var/run/user/[^/]*/dconf(/.*)?
++.br
++ /root/\.Xdefaults
++.br
++ /home/[^/]*/\.kde(/.*)?
++.br
++ /home/[^/]*/\.xine(/.*)?
++.br
++ /home/[^/]*/\.config(/.*)?
++.br
++ /home/[^/]*/\.Xdefaults
++.br
++ /home/dwalsh/\.kde(/.*)?
++.br
++ /home/dwalsh/\.xine(/.*)?
++.br
++ /home/dwalsh/\.config(/.*)?
++.br
++ /home/dwalsh/\.Xdefaults
++.br
++ /var/lib/xguest/home/xguest/\.kde(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.xine(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.config(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.Xdefaults
++.br
++
++.br
++.B telepathy_logger_cache_home_t
++
++ /home/[^/]*/\.cache/telepathy/logger(/.*)?
++.br
++ /home/dwalsh/\.cache/telepathy/logger(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache/telepathy/logger(/.*)?
++.br
++
++.br
++.B telepathy_logger_data_home_t
++
++ /home/[^/]*/\.local/share/TpLogger(/.*)?
++.br
++ /home/dwalsh/\.local/share/TpLogger(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.local/share/TpLogger(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_logger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_logger_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), telepathy_logger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/telepathy_mission_control_selinux.8 b/man/man8/telepathy_mission_control_selinux.8
+new file mode 100644
+index 0000000..6367510
+--- /dev/null
++++ b/man/man8/telepathy_mission_control_selinux.8
+@@ -0,0 +1,223 @@
++.TH "telepathy_mission_control_selinux" "8" "12-11-01" "telepathy_mission_control" "SELinux Policy documentation for telepathy_mission_control"
++.SH "NAME"
++telepathy_mission_control_selinux \- Security Enhanced Linux Policy for the telepathy_mission_control processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the telepathy_mission_control processes via flexible mandatory access control.
++
++The telepathy_mission_control processes execute with the telepathy_mission_control_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep telepathy_mission_control_t
++
++
++.SH "ENTRYPOINTS"
++
++The telepathy_mission_control_t SELinux type can be entered via the "telepathy_mission_control_exec_t" file type. The default entrypoint paths for the telepathy_mission_control_t domain are the following:"
++
++/usr/libexec/mission-control-5
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux telepathy_mission_control policy is very flexible allowing users to setup their telepathy_mission_control processes in as secure a method as possible.
++.PP
++The following process types are defined for telepathy_mission_control:
++
++.EX
++.B telepathy_mission_control_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux telepathy_mission_control policy is very flexible allowing users to setup their telepathy_mission_control processes in as secure a method as possible.
++.PP
++The following file types are defined for telepathy_mission_control:
++
++
++.EX
++.PP
++.B telepathy_mission_control_cache_home_t
++.EE
++
++- Set files with the telepathy_mission_control_cache_home_t type, if you want to store telepathy mission control cache files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_mission_control_data_home_t
++.EE
++
++- Set files with the telepathy_mission_control_data_home_t type, if you want to store telepathy mission control data files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_mission_control_exec_t
++.EE
++
++- Set files with the telepathy_mission_control_exec_t type, if you want to transition an executable to the telepathy_mission_control_t domain.
++
++
++.EX
++.PP
++.B telepathy_mission_control_home_t
++.EE
++
++- Set files with the telepathy_mission_control_home_t type, if you want to store telepathy mission control files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_mission_control_tmp_t
++.EE
++
++- Set files with the telepathy_mission_control_tmp_t type, if you want to store telepathy mission control temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type telepathy_mission_control_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cache_home_t
++
++ /root/\.cache(/.*)?
++.br
++ /home/[^/]*/\.nv(/.*)?
++.br
++ /home/[^/]*/\.cache(/.*)?
++.br
++ /home/dwalsh/\.nv(/.*)?
++.br
++ /home/dwalsh/\.cache(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.br
++.B config_home_t
++
++ /root/\.kde(/.*)?
++.br
++ /root/\.xine(/.*)?
++.br
++ /root/\.config(/.*)?
++.br
++ /var/run/user/[^/]*/dconf(/.*)?
++.br
++ /root/\.Xdefaults
++.br
++ /home/[^/]*/\.kde(/.*)?
++.br
++ /home/[^/]*/\.xine(/.*)?
++.br
++ /home/[^/]*/\.config(/.*)?
++.br
++ /home/[^/]*/\.Xdefaults
++.br
++ /home/dwalsh/\.kde(/.*)?
++.br
++ /home/dwalsh/\.xine(/.*)?
++.br
++ /home/dwalsh/\.config(/.*)?
++.br
++ /home/dwalsh/\.Xdefaults
++.br
++ /var/lib/xguest/home/xguest/\.kde(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.xine(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.config(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.Xdefaults
++.br
++
++.br
++.B telepathy_mission_control_cache_home_t
++
++ /home/[^/]*/\.cache/\.mc_connections
++.br
++ /home/dwalsh/\.cache/\.mc_connections
++.br
++ /var/lib/xguest/home/xguest/\.cache/\.mc_connections
++.br
++
++.br
++.B telepathy_mission_control_data_home_t
++
++ /home/[^/]*/\.local/share/telepathy/mission-control(/.*)?
++.br
++ /home/dwalsh/\.local/share/telepathy/mission-control(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.local/share/telepathy/mission-control(/.*)?
++.br
++
++.br
++.B telepathy_mission_control_home_t
++
++ /home/[^/]*/\.mission-control(/.*)?
++.br
++ /home/dwalsh/\.mission-control(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.mission-control(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_mission_control_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_mission_control_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), telepathy_mission_control(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/telepathy_msn_selinux.8 b/man/man8/telepathy_msn_selinux.8
+new file mode 100644
+index 0000000..69bc52e
+--- /dev/null
++++ b/man/man8/telepathy_msn_selinux.8
+@@ -0,0 +1,135 @@
++.TH "telepathy_msn_selinux" "8" "12-11-01" "telepathy_msn" "SELinux Policy documentation for telepathy_msn"
++.SH "NAME"
++telepathy_msn_selinux \- Security Enhanced Linux Policy for the telepathy_msn processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the telepathy_msn processes via flexible mandatory access control.
++
++The telepathy_msn processes execute with the telepathy_msn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep telepathy_msn_t
++
++
++.SH "ENTRYPOINTS"
++
++The telepathy_msn_t SELinux type can be entered via the "telepathy_msn_exec_t" file type. The default entrypoint paths for the telepathy_msn_t domain are the following:"
++
++/usr/libexec/telepathy-haze, /usr/libexec/telepathy-butterfly
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux telepathy_msn policy is very flexible allowing users to setup their telepathy_msn processes in as secure a method as possible.
++.PP
++The following process types are defined for telepathy_msn:
++
++.EX
++.B telepathy_msn_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux telepathy_msn policy is very flexible allowing users to setup their telepathy_msn processes in as secure a method as possible.
++.PP
++The following file types are defined for telepathy_msn:
++
++
++.EX
++.PP
++.B telepathy_msn_exec_t
++.EE
++
++- Set files with the telepathy_msn_exec_t type, if you want to transition an executable to the telepathy_msn_t domain.
++
++
++.EX
++.PP
++.B telepathy_msn_tmp_t
++.EE
++
++- Set files with the telepathy_msn_tmp_t type, if you want to store telepathy msn temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type telepathy_msn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cache_home_t
++
++ /root/\.cache(/.*)?
++.br
++ /home/[^/]*/\.nv(/.*)?
++.br
++ /home/[^/]*/\.cache(/.*)?
++.br
++ /home/dwalsh/\.nv(/.*)?
++.br
++ /home/dwalsh/\.cache(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.br
++.B telepathy_msn_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_msn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_msn_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), telepathy_msn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/telepathy_salut_selinux.8 b/man/man8/telepathy_salut_selinux.8
+new file mode 100644
+index 0000000..b680807
+--- /dev/null
++++ b/man/man8/telepathy_salut_selinux.8
+@@ -0,0 +1,131 @@
++.TH "telepathy_salut_selinux" "8" "12-11-01" "telepathy_salut" "SELinux Policy documentation for telepathy_salut"
++.SH "NAME"
++telepathy_salut_selinux \- Security Enhanced Linux Policy for the telepathy_salut processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the telepathy_salut processes via flexible mandatory access control.
++
++The telepathy_salut processes execute with the telepathy_salut_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep telepathy_salut_t
++
++
++.SH "ENTRYPOINTS"
++
++The telepathy_salut_t SELinux type can be entered via the "telepathy_salut_exec_t" file type. The default entrypoint paths for the telepathy_salut_t domain are the following:"
++
++/usr/libexec/telepathy-salut
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux telepathy_salut policy is very flexible allowing users to setup their telepathy_salut processes in as secure a method as possible.
++.PP
++The following process types are defined for telepathy_salut:
++
++.EX
++.B telepathy_salut_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux telepathy_salut policy is very flexible allowing users to setup their telepathy_salut processes in as secure a method as possible.
++.PP
++The following file types are defined for telepathy_salut:
++
++
++.EX
++.PP
++.B telepathy_salut_exec_t
++.EE
++
++- Set files with the telepathy_salut_exec_t type, if you want to transition an executable to the telepathy_salut_t domain.
++
++
++.EX
++.PP
++.B telepathy_salut_tmp_t
++.EE
++
++- Set files with the telepathy_salut_tmp_t type, if you want to store telepathy salut temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type telepathy_salut_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cache_home_t
++
++ /root/\.cache(/.*)?
++.br
++ /home/[^/]*/\.nv(/.*)?
++.br
++ /home/[^/]*/\.cache(/.*)?
++.br
++ /home/dwalsh/\.nv(/.*)?
++.br
++ /home/dwalsh/\.cache(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_salut_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_salut_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), telepathy_salut(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/telepathy_sofiasip_selinux.8 b/man/man8/telepathy_sofiasip_selinux.8
+new file mode 100644
+index 0000000..7a6973e
+--- /dev/null
++++ b/man/man8/telepathy_sofiasip_selinux.8
+@@ -0,0 +1,131 @@
++.TH "telepathy_sofiasip_selinux" "8" "12-11-01" "telepathy_sofiasip" "SELinux Policy documentation for telepathy_sofiasip"
++.SH "NAME"
++telepathy_sofiasip_selinux \- Security Enhanced Linux Policy for the telepathy_sofiasip processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the telepathy_sofiasip processes via flexible mandatory access control.
++
++The telepathy_sofiasip processes execute with the telepathy_sofiasip_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep telepathy_sofiasip_t
++
++
++.SH "ENTRYPOINTS"
++
++The telepathy_sofiasip_t SELinux type can be entered via the "telepathy_sofiasip_exec_t" file type. The default entrypoint paths for the telepathy_sofiasip_t domain are the following:"
++
++/usr/libexec/telepathy-sofiasip
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux telepathy_sofiasip policy is very flexible allowing users to setup their telepathy_sofiasip processes in as secure a method as possible.
++.PP
++The following process types are defined for telepathy_sofiasip:
++
++.EX
++.B telepathy_sofiasip_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux telepathy_sofiasip policy is very flexible allowing users to setup their telepathy_sofiasip processes in as secure a method as possible.
++.PP
++The following file types are defined for telepathy_sofiasip:
++
++
++.EX
++.PP
++.B telepathy_sofiasip_exec_t
++.EE
++
++- Set files with the telepathy_sofiasip_exec_t type, if you want to transition an executable to the telepathy_sofiasip_t domain.
++
++
++.EX
++.PP
++.B telepathy_sofiasip_tmp_t
++.EE
++
++- Set files with the telepathy_sofiasip_tmp_t type, if you want to store telepathy sofiasip temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type telepathy_sofiasip_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cache_home_t
++
++ /root/\.cache(/.*)?
++.br
++ /home/[^/]*/\.nv(/.*)?
++.br
++ /home/[^/]*/\.cache(/.*)?
++.br
++ /home/dwalsh/\.nv(/.*)?
++.br
++ /home/dwalsh/\.cache(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_sofiasip_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_sofiasip_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), telepathy_sofiasip(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/telepathy_stream_engine_selinux.8 b/man/man8/telepathy_stream_engine_selinux.8
+new file mode 100644
+index 0000000..dafb6b0
+--- /dev/null
++++ b/man/man8/telepathy_stream_engine_selinux.8
+@@ -0,0 +1,131 @@
++.TH "telepathy_stream_engine_selinux" "8" "12-11-01" "telepathy_stream_engine" "SELinux Policy documentation for telepathy_stream_engine"
++.SH "NAME"
++telepathy_stream_engine_selinux \- Security Enhanced Linux Policy for the telepathy_stream_engine processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the telepathy_stream_engine processes via flexible mandatory access control.
++
++The telepathy_stream_engine processes execute with the telepathy_stream_engine_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep telepathy_stream_engine_t
++
++
++.SH "ENTRYPOINTS"
++
++The telepathy_stream_engine_t SELinux type can be entered via the "telepathy_stream_engine_exec_t" file type. The default entrypoint paths for the telepathy_stream_engine_t domain are the following:"
++
++/usr/libexec/telepathy-stream-engine
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux telepathy_stream_engine policy is very flexible allowing users to setup their telepathy_stream_engine processes in as secure a method as possible.
++.PP
++The following process types are defined for telepathy_stream_engine:
++
++.EX
++.B telepathy_stream_engine_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux telepathy_stream_engine policy is very flexible allowing users to setup their telepathy_stream_engine processes in as secure a method as possible.
++.PP
++The following file types are defined for telepathy_stream_engine:
++
++
++.EX
++.PP
++.B telepathy_stream_engine_exec_t
++.EE
++
++- Set files with the telepathy_stream_engine_exec_t type, if you want to transition an executable to the telepathy_stream_engine_t domain.
++
++
++.EX
++.PP
++.B telepathy_stream_engine_tmp_t
++.EE
++
++- Set files with the telepathy_stream_engine_tmp_t type, if you want to store telepathy stream engine temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type telepathy_stream_engine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cache_home_t
++
++ /root/\.cache(/.*)?
++.br
++ /home/[^/]*/\.nv(/.*)?
++.br
++ /home/[^/]*/\.cache(/.*)?
++.br
++ /home/dwalsh/\.nv(/.*)?
++.br
++ /home/dwalsh/\.cache(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_stream_engine_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_stream_engine_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), telepathy_stream_engine(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/telepathy_sunshine_selinux.8 b/man/man8/telepathy_sunshine_selinux.8
+new file mode 100644
+index 0000000..96616f7
+--- /dev/null
++++ b/man/man8/telepathy_sunshine_selinux.8
+@@ -0,0 +1,153 @@
++.TH "telepathy_sunshine_selinux" "8" "12-11-01" "telepathy_sunshine" "SELinux Policy documentation for telepathy_sunshine"
++.SH "NAME"
++telepathy_sunshine_selinux \- Security Enhanced Linux Policy for the telepathy_sunshine processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the telepathy_sunshine processes via flexible mandatory access control.
++
++The telepathy_sunshine processes execute with the telepathy_sunshine_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep telepathy_sunshine_t
++
++
++.SH "ENTRYPOINTS"
++
++The telepathy_sunshine_t SELinux type can be entered via the "telepathy_sunshine_exec_t" file type. The default entrypoint paths for the telepathy_sunshine_t domain are the following:"
++
++/usr/libexec/telepathy-sunshine
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux telepathy_sunshine policy is very flexible allowing users to setup their telepathy_sunshine processes in as secure a method as possible.
++.PP
++The following process types are defined for telepathy_sunshine:
++
++.EX
++.B telepathy_sunshine_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux telepathy_sunshine policy is very flexible allowing users to setup their telepathy_sunshine processes in as secure a method as possible.
++.PP
++The following file types are defined for telepathy_sunshine:
++
++
++.EX
++.PP
++.B telepathy_sunshine_exec_t
++.EE
++
++- Set files with the telepathy_sunshine_exec_t type, if you want to transition an executable to the telepathy_sunshine_t domain.
++
++
++.EX
++.PP
++.B telepathy_sunshine_home_t
++.EE
++
++- Set files with the telepathy_sunshine_home_t type, if you want to store telepathy sunshine files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_sunshine_tmp_t
++.EE
++
++- Set files with the telepathy_sunshine_tmp_t type, if you want to store telepathy sunshine temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type telepathy_sunshine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cache_home_t
++
++ /root/\.cache(/.*)?
++.br
++ /home/[^/]*/\.nv(/.*)?
++.br
++ /home/[^/]*/\.cache(/.*)?
++.br
++ /home/dwalsh/\.nv(/.*)?
++.br
++ /home/dwalsh/\.cache(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.br
++.B telepathy_sunshine_home_t
++
++ /home/[^/]*/\.telepathy-sunshine(/.*)?
++.br
++ /home/dwalsh/\.telepathy-sunshine(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.telepathy-sunshine(/.*)?
++.br
++
++.br
++.B telepathy_sunshine_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_sunshine_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_sunshine_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), telepathy_sunshine(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/telnetd_selinux.8 b/man/man8/telnetd_selinux.8
+new file mode 100644
+index 0000000..955a5aa
+--- /dev/null
++++ b/man/man8/telnetd_selinux.8
+@@ -0,0 +1,222 @@
++.TH "telnetd_selinux" "8" "12-11-01" "telnetd" "SELinux Policy documentation for telnetd"
++.SH "NAME"
++telnetd_selinux \- Security Enhanced Linux Policy for the telnetd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the telnetd processes via flexible mandatory access control.
++
++The telnetd processes execute with the telnetd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep telnetd_t
++
++
++.SH "ENTRYPOINTS"
++
++The telnetd_t SELinux type can be entered via the "telnetd_exec_t" file type. The default entrypoint paths for the telnetd_t domain are the following:"
++
++/usr/sbin/in\.telnetd, /usr/kerberos/sbin/telnetd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux telnetd policy is very flexible allowing users to setup their telnetd processes in as secure a method as possible.
++.PP
++The following process types are defined for telnetd:
++
++.EX
++.B telnetd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux telnetd policy is very flexible allowing users to setup their telnetd processes in as secure a method as possible.
++.PP
++The following file types are defined for telnetd:
++
++
++.EX
++.PP
++.B telnetd_exec_t
++.EE
++
++- Set files with the telnetd_exec_t type, if you want to transition an executable to the telnetd_t domain.
++
++
++.EX
++.PP
++.B telnetd_keytab_t
++.EE
++
++- Set files with the telnetd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B telnetd_tmp_t
++.EE
++
++- Set files with the telnetd_tmp_t type, if you want to store telnetd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B telnetd_var_run_t
++.EE
++
++- Set files with the telnetd_var_run_t type, if you want to store the telnetd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux telnetd policy is very flexible allowing users to setup their telnetd processes in as secure a method as possible.
++.PP
++The following port types are defined for telnetd:
++
++.EX
++.TP 5
++.B telnetd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 23
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type telnetd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B telnetd_tmp_t
++
++
++.br
++.B telnetd_var_run_t
++
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telnetd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telnetd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), telnetd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/tftpd_selinux.8 b/man/man8/tftpd_selinux.8
+new file mode 100644
+index 0000000..9909eeb
+--- /dev/null
++++ b/man/man8/tftpd_selinux.8
+@@ -0,0 +1,227 @@
++.TH "tftpd_selinux" "8" "12-11-01" "tftpd" "SELinux Policy documentation for tftpd"
++.SH "NAME"
++tftpd_selinux \- Security Enhanced Linux Policy for the tftpd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the tftpd processes via flexible mandatory access control.
++
++The tftpd processes execute with the tftpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep tftpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The tftpd_t SELinux type can be entered via the "tftpd_exec_t" file type. The default entrypoint paths for the tftpd_t domain are the following:"
++
++/usr/sbin/atftpd, /usr/sbin/in\.tftpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux tftpd policy is very flexible allowing users to setup their tftpd processes in as secure a method as possible.
++.PP
++The following process types are defined for tftpd:
++
++.EX
++.B tftpd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. tftpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tftpd with the tightest access possible.
++
++
++.PP
++If you want to allow tftp to read and write files in the user home directories, you must turn on the tftp_home_dir boolean.
++
++.EX
++.B setsebool -P tftp_home_dir 1
++.EE
++
++.PP
++If you want to allow tftp to read and write files in the user home directories, you must turn on the tftp_home_dir boolean.
++
++.EX
++.B setsebool -P tftp_home_dir 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow tftpd servers to read the /var/tftpd directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/tftpd(/.*)?"
++.br
++.B restorecon -F -R -v /var/tftpd
++.pp
++.TP
++Allow tftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_tftpdd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/tftpd/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/tftpd/incoming
++
++
++.PP
++If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean.
++
++.EX
++.B setsebool -P tftp_anon_write 1
++.EE
++
++.PP
++If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean.
++
++.EX
++.B setsebool -P tftp_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux tftpd policy is very flexible allowing users to setup their tftpd processes in as secure a method as possible.
++.PP
++The following file types are defined for tftpd:
++
++
++.EX
++.PP
++.B tftpd_etc_t
++.EE
++
++- Set files with the tftpd_etc_t type, if you want to store tftpd files in the /etc directories.
++
++
++.EX
++.PP
++.B tftpd_exec_t
++.EE
++
++- Set files with the tftpd_exec_t type, if you want to transition an executable to the tftpd_t domain.
++
++
++.EX
++.PP
++.B tftpd_var_run_t
++.EE
++
++- Set files with the tftpd_var_run_t type, if you want to store the tftpd files under the /run directory.
++
++
++.EX
++.PP
++.B tftpdir_rw_t
++.EE
++
++- Set files with the tftpdir_rw_t type, if you want to treat the files as tftpdir read/write content.
++
++
++.EX
++.PP
++.B tftpdir_t
++.EE
++
++- Set files with the tftpdir_t type, if you want to treat the files as tftpdir data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux tftpd policy is very flexible allowing users to setup their tftpd processes in as secure a method as possible.
++.PP
++The following port types are defined for tftpd:
++
++.EX
++.TP 5
++.B tftp_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 69
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type tftpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B tftpd_var_run_t
++
++
++.br
++.B tftpdir_rw_t
++
++ /var/lib/tftpboot(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the tftpd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), tftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/tgtd_selinux.8 b/man/man8/tgtd_selinux.8
+new file mode 100644
+index 0000000..e0da88e
+--- /dev/null
++++ b/man/man8/tgtd_selinux.8
+@@ -0,0 +1,146 @@
++.TH "tgtd_selinux" "8" "12-11-01" "tgtd" "SELinux Policy documentation for tgtd"
++.SH "NAME"
++tgtd_selinux \- Security Enhanced Linux Policy for the tgtd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the tgtd processes via flexible mandatory access control.
++
++The tgtd processes execute with the tgtd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep tgtd_t
++
++
++.SH "ENTRYPOINTS"
++
++The tgtd_t SELinux type can be entered via the "tgtd_exec_t" file type. The default entrypoint paths for the tgtd_t domain are the following:"
++
++/usr/sbin/tgtd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux tgtd policy is very flexible allowing users to setup their tgtd processes in as secure a method as possible.
++.PP
++The following process types are defined for tgtd:
++
++.EX
++.B tgtd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux tgtd policy is very flexible allowing users to setup their tgtd processes in as secure a method as possible.
++.PP
++The following file types are defined for tgtd:
++
++
++.EX
++.PP
++.B tgtd_exec_t
++.EE
++
++- Set files with the tgtd_exec_t type, if you want to transition an executable to the tgtd_t domain.
++
++
++.EX
++.PP
++.B tgtd_initrc_exec_t
++.EE
++
++- Set files with the tgtd_initrc_exec_t type, if you want to transition an executable to the tgtd_initrc_t domain.
++
++
++.EX
++.PP
++.B tgtd_tmp_t
++.EE
++
++- Set files with the tgtd_tmp_t type, if you want to store tgtd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B tgtd_tmpfs_t
++.EE
++
++- Set files with the tgtd_tmpfs_t type, if you want to store tgtd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B tgtd_var_lib_t
++.EE
++
++- Set files with the tgtd_var_lib_t type, if you want to store the tgtd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B tgtd_var_run_t
++.EE
++
++- Set files with the tgtd_var_run_t type, if you want to store the tgtd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type tgtd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B tgtd_tmpfs_t
++
++
++.br
++.B tgtd_var_lib_t
++
++ /var/lib/tgtd(/.*)?
++.br
++
++.br
++.B tgtd_var_run_t
++
++ /var/run/tgtd.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), tgtd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/thin_aeolus_configserver_selinux.8 b/man/man8/thin_aeolus_configserver_selinux.8
+new file mode 100644
+index 0000000..66344ef
+--- /dev/null
++++ b/man/man8/thin_aeolus_configserver_selinux.8
+@@ -0,0 +1,133 @@
++.TH "thin_aeolus_configserver_selinux" "8" "12-11-01" "thin_aeolus_configserver" "SELinux Policy documentation for thin_aeolus_configserver"
++.SH "NAME"
++thin_aeolus_configserver_selinux \- Security Enhanced Linux Policy for the thin_aeolus_configserver processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the thin_aeolus_configserver processes via flexible mandatory access control.
++
++The thin_aeolus_configserver processes execute with the thin_aeolus_configserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep thin_aeolus_configserver_t
++
++
++.SH "ENTRYPOINTS"
++
++The thin_aeolus_configserver_t SELinux type can be entered via the "thin_aeolus_configserver_exec_t" file type. The default entrypoint paths for the thin_aeolus_configserver_t domain are the following:"
++
++/usr/bin/aeolus-configserver-thinwrapper
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux thin_aeolus_configserver policy is very flexible allowing users to setup their thin_aeolus_configserver processes in as secure a method as possible.
++.PP
++The following process types are defined for thin_aeolus_configserver:
++
++.EX
++.B thin_aeolus_configserver_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux thin_aeolus_configserver policy is very flexible allowing users to setup their thin_aeolus_configserver processes in as secure a method as possible.
++.PP
++The following file types are defined for thin_aeolus_configserver:
++
++
++.EX
++.PP
++.B thin_aeolus_configserver_exec_t
++.EE
++
++- Set files with the thin_aeolus_configserver_exec_t type, if you want to transition an executable to the thin_aeolus_configserver_t domain.
++
++
++.EX
++.PP
++.B thin_aeolus_configserver_lib_t
++.EE
++
++- Set files with the thin_aeolus_configserver_lib_t type, if you want to treat the files as thin aeolus configserver lib data.
++
++
++.EX
++.PP
++.B thin_aeolus_configserver_log_t
++.EE
++
++- Set files with the thin_aeolus_configserver_log_t type, if you want to treat the data as thin aeolus configserver log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B thin_aeolus_configserver_var_run_t
++.EE
++
++- Set files with the thin_aeolus_configserver_var_run_t type, if you want to store the thin aeolus configserver files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type thin_aeolus_configserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B thin_aeolus_configserver_lib_t
++
++ /var/lib/aeolus-configserver(/.*)?
++.br
++
++.br
++.B thin_aeolus_configserver_log_t
++
++ /var/log/aeolus-configserver(/.*)?
++.br
++
++.br
++.B thin_aeolus_configserver_var_run_t
++
++ /var/run/aeolus-configserver(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), thin_aeolus_configserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, thin_selinux(8), thin_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/thin_selinux.8 b/man/man8/thin_selinux.8
+new file mode 100644
+index 0000000..dbab03d
+--- /dev/null
++++ b/man/man8/thin_selinux.8
+@@ -0,0 +1,151 @@
++.TH "thin_selinux" "8" "12-11-01" "thin" "SELinux Policy documentation for thin"
++.SH "NAME"
++thin_selinux \- Security Enhanced Linux Policy for the thin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the thin processes via flexible mandatory access control.
++
++The thin processes execute with the thin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep thin_t
++
++
++.SH "ENTRYPOINTS"
++
++The thin_t SELinux type can be entered via the "thin_exec_t" file type. The default entrypoint paths for the thin_t domain are the following:"
++
++/usr/bin/thin
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux thin policy is very flexible allowing users to setup their thin processes in as secure a method as possible.
++.PP
++The following process types are defined for thin:
++
++.EX
++.B thin_t, thin_aeolus_configserver_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux thin policy is very flexible allowing users to setup their thin processes in as secure a method as possible.
++.PP
++The following file types are defined for thin:
++
++
++.EX
++.PP
++.B thin_aeolus_configserver_exec_t
++.EE
++
++- Set files with the thin_aeolus_configserver_exec_t type, if you want to transition an executable to the thin_aeolus_configserver_t domain.
++
++
++.EX
++.PP
++.B thin_aeolus_configserver_lib_t
++.EE
++
++- Set files with the thin_aeolus_configserver_lib_t type, if you want to treat the files as thin aeolus configserver lib data.
++
++
++.EX
++.PP
++.B thin_aeolus_configserver_log_t
++.EE
++
++- Set files with the thin_aeolus_configserver_log_t type, if you want to treat the data as thin aeolus configserver log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B thin_aeolus_configserver_var_run_t
++.EE
++
++- Set files with the thin_aeolus_configserver_var_run_t type, if you want to store the thin aeolus configserver files under the /run directory.
++
++
++.EX
++.PP
++.B thin_exec_t
++.EE
++
++- Set files with the thin_exec_t type, if you want to transition an executable to the thin_t domain.
++
++
++.EX
++.PP
++.B thin_log_t
++.EE
++
++- Set files with the thin_log_t type, if you want to treat the data as thin log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B thin_var_run_t
++.EE
++
++- Set files with the thin_var_run_t type, if you want to store the thin files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type thin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B thin_log_t
++
++ /var/log/thin\.log.*
++.br
++
++.br
++.B thin_var_run_t
++
++ /var/run/aeolus/thin\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), thin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, thin_aeolus_configserver_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/thumb_selinux.8 b/man/man8/thumb_selinux.8
+new file mode 100644
+index 0000000..0983a25
+--- /dev/null
++++ b/man/man8/thumb_selinux.8
+@@ -0,0 +1,236 @@
++.TH "thumb_selinux" "8" "12-11-01" "thumb" "SELinux Policy documentation for thumb"
++.SH "NAME"
++thumb_selinux \- Security Enhanced Linux Policy for the thumb processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the thumb processes via flexible mandatory access control.
++
++The thumb processes execute with the thumb_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep thumb_t
++
++
++.SH "ENTRYPOINTS"
++
++The thumb_t SELinux type can be entered via the "thumb_exec_t" file type. The default entrypoint paths for the thumb_t domain are the following:"
++
++/usr/bin/[^/]*thumbnailer, /usr/bin/gnome-[^/]*-thumbnailer(.sh)?, /usr/lib/tumbler[^/]*/tumblerd, /usr/bin/raw-thumbnailer, /usr/bin/whaaw-thumbnailer, /usr/bin/ffmpegthumbnailer, /usr/bin/evince-thumbnailer, /usr/bin/gnome-thumbnail-font, /usr/bin/gsf-office-thumbnailer, /usr/bin/totem-video-thumbnailer, /usr/bin/shotwell-video-thumbnailer
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux thumb policy is very flexible allowing users to setup their thumb processes in as secure a method as possible.
++.PP
++The following process types are defined for thumb:
++
++.EX
++.B thumb_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux thumb policy is very flexible allowing users to setup their thumb processes in as secure a method as possible.
++.PP
++The following file types are defined for thumb:
++
++
++.EX
++.PP
++.B thumb_exec_t
++.EE
++
++- Set files with the thumb_exec_t type, if you want to transition an executable to the thumb_t domain.
++
++
++.EX
++.PP
++.B thumb_home_t
++.EE
++
++- Set files with the thumb_home_t type, if you want to store thumb files in the users home directory.
++
++
++.EX
++.PP
++.B thumb_tmp_t
++.EE
++
++- Set files with the thumb_tmp_t type, if you want to store thumb temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B thumb_tmpfs_t
++.EE
++
++- Set files with the thumb_tmpfs_t type, if you want to store thumb files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type thumb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B gstreamer_home_t
++
++ /var/run/user/[^/]*/\.orc(/.*)?
++.br
++ /root/\.gstreamer-.*
++.br
++ /home/[^/]*/\.orc(/.*)?
++.br
++ /home/[^/]*/\.gstreamer-.*
++.br
++ /home/[^/]*/\.grl-bookmarks
++.br
++ /home/[^/]*/\.grl-bookmarks
++.br
++ /home/[^/]*/\.grl-metadata-store
++.br
++ /home/dwalsh/\.orc(/.*)?
++.br
++ /home/dwalsh/\.gstreamer-.*
++.br
++ /home/dwalsh/\.grl-bookmarks
++.br
++ /home/dwalsh/\.grl-bookmarks
++.br
++ /home/dwalsh/\.grl-metadata-store
++.br
++ /var/lib/xguest/home/xguest/\.orc(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.gstreamer-.*
++.br
++ /var/lib/xguest/home/xguest/\.grl-bookmarks
++.br
++ /var/lib/xguest/home/xguest/\.grl-bookmarks
++.br
++ /var/lib/xguest/home/xguest/\.grl-metadata-store
++.br
++
++.br
++.B thumb_home_t
++
++ /home/[^/]*/\.thumbnails(/.*)?
++.br
++ /home/[^/]*/missfont\.log.*
++.br
++ /home/[^/]*/\.cache/thumbnails(/.*)?
++.br
++ /home/dwalsh/\.thumbnails(/.*)?
++.br
++ /home/dwalsh/missfont\.log.*
++.br
++ /home/dwalsh/\.cache/thumbnails(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.thumbnails(/.*)?
++.br
++ /var/lib/xguest/home/xguest/missfont\.log.*
++.br
++ /var/lib/xguest/home/xguest/\.cache/thumbnails(/.*)?
++.br
++
++.br
++.B thumb_tmp_t
++
++
++.br
++.B thumb_tmpfs_t
++
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the thumb_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the thumb_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), thumb(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/tmpreaper_selinux.8 b/man/man8/tmpreaper_selinux.8
+new file mode 100644
+index 0000000..1f3820f
+--- /dev/null
++++ b/man/man8/tmpreaper_selinux.8
+@@ -0,0 +1,136 @@
++.TH "tmpreaper_selinux" "8" "12-11-01" "tmpreaper" "SELinux Policy documentation for tmpreaper"
++.SH "NAME"
++tmpreaper_selinux \- Security Enhanced Linux Policy for the tmpreaper processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the tmpreaper processes via flexible mandatory access control.
++
++The tmpreaper processes execute with the tmpreaper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep tmpreaper_t
++
++
++.SH "ENTRYPOINTS"
++
++The tmpreaper_t SELinux type can be entered via the "tmpreaper_exec_t" file type. The default entrypoint paths for the tmpreaper_t domain are the following:"
++
++/usr/sbin/tmpwatch, /usr/sbin/tmpreaper
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux tmpreaper policy is very flexible allowing users to setup their tmpreaper processes in as secure a method as possible.
++.PP
++The following process types are defined for tmpreaper:
++
++.EX
++.B tmpreaper_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux tmpreaper policy is very flexible allowing users to setup their tmpreaper processes in as secure a method as possible.
++.PP
++The following file types are defined for tmpreaper:
++
++
++.EX
++.PP
++.B tmpreaper_exec_t
++.EE
++
++- Set files with the tmpreaper_exec_t type, if you want to transition an executable to the tmpreaper_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type tmpreaper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B amavis_spool_t
++
++ /var/spool/amavisd(/.*)?
++.br
++
++.br
++.B kismet_log_t
++
++ /var/log/kismet(/.*)?
++.br
++
++.br
++.B print_spool_t
++
++ /var/spool/lpd(/.*)?
++.br
++ /var/spool/cups(/.*)?
++.br
++ /var/spool/cups-pdf(/.*)?
++.br
++
++.br
++.B rpm_var_cache_t
++
++ /var/cache/yum(/.*)?
++.br
++ /var/spool/up2date(/.*)?
++.br
++ /var/cache/PackageKit(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tmpreaper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the tmpreaper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), tmpreaper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/tomcat_selinux.8 b/man/man8/tomcat_selinux.8
+new file mode 100644
+index 0000000..c89378e
+--- /dev/null
++++ b/man/man8/tomcat_selinux.8
+@@ -0,0 +1,166 @@
++.TH "tomcat_selinux" "8" "12-11-01" "tomcat" "SELinux Policy documentation for tomcat"
++.SH "NAME"
++tomcat_selinux \- Security Enhanced Linux Policy for the tomcat processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the tomcat processes via flexible mandatory access control.
++
++The tomcat processes execute with the tomcat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep tomcat_t
++
++
++.SH "ENTRYPOINTS"
++
++The tomcat_t SELinux type can be entered via the "tomcat_exec_t" file type. The default entrypoint paths for the tomcat_t domain are the following:"
++
++/usr/sbin/tomcat(6)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux tomcat policy is very flexible allowing users to setup their tomcat processes in as secure a method as possible.
++.PP
++The following process types are defined for tomcat:
++
++.EX
++.B tomcat_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux tomcat policy is very flexible allowing users to setup their tomcat processes in as secure a method as possible.
++.PP
++The following file types are defined for tomcat:
++
++
++.EX
++.PP
++.B tomcat_cache_t
++.EE
++
++- Set files with the tomcat_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B tomcat_exec_t
++.EE
++
++- Set files with the tomcat_exec_t type, if you want to transition an executable to the tomcat_t domain.
++
++
++.EX
++.PP
++.B tomcat_log_t
++.EE
++
++- Set files with the tomcat_log_t type, if you want to treat the data as tomcat log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B tomcat_tmp_t
++.EE
++
++- Set files with the tomcat_tmp_t type, if you want to store tomcat temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B tomcat_unit_file_t
++.EE
++
++- Set files with the tomcat_unit_file_t type, if you want to treat the files as tomcat unit content.
++
++
++.EX
++.PP
++.B tomcat_var_lib_t
++.EE
++
++- Set files with the tomcat_var_lib_t type, if you want to store the tomcat files under the /var/lib directory.
++
++
++.EX
++.PP
++.B tomcat_var_run_t
++.EE
++
++- Set files with the tomcat_var_run_t type, if you want to store the tomcat files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type tomcat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B tomcat_cache_t
++
++ /var/cache/tomcat6?(/.*)?
++.br
++
++.br
++.B tomcat_log_t
++
++ /var/log/tomcat6?(/.*)?
++.br
++
++.br
++.B tomcat_tmp_t
++
++
++.br
++.B tomcat_var_lib_t
++
++ /var/lib/tomcat6?(/.*)?
++.br
++
++.br
++.B tomcat_var_run_t
++
++ /var/run/tomcat6?\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), tomcat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/tor_selinux.8 b/man/man8/tor_selinux.8
+new file mode 100644
+index 0000000..2274d81
+--- /dev/null
++++ b/man/man8/tor_selinux.8
+@@ -0,0 +1,231 @@
++.TH "tor_selinux" "8" "12-11-01" "tor" "SELinux Policy documentation for tor"
++.SH "NAME"
++tor_selinux \- Security Enhanced Linux Policy for the tor processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the tor processes via flexible mandatory access control.
++
++The tor processes execute with the tor_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep tor_t
++
++
++.SH "ENTRYPOINTS"
++
++The tor_t SELinux type can be entered via the "tor_exec_t" file type. The default entrypoint paths for the tor_t domain are the following:"
++
++/usr/bin/tor, /usr/sbin/tor
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux tor policy is very flexible allowing users to setup their tor processes in as secure a method as possible.
++.PP
++The following process types are defined for tor:
++
++.EX
++.B tor_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. tor policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tor with the tightest access possible.
++
++
++.PP
++If you want to allow tor daemon to bind tcp sockets to all unreserved ports, you must turn on the tor_bind_all_unreserved_ports boolean.
++
++.EX
++.B setsebool -P tor_bind_all_unreserved_ports 1
++.EE
++
++.PP
++If you want to allow tor daemon to bind tcp sockets to all unreserved ports, you must turn on the tor_bind_all_unreserved_ports boolean.
++
++.EX
++.B setsebool -P tor_bind_all_unreserved_ports 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux tor policy is very flexible allowing users to setup their tor processes in as secure a method as possible.
++.PP
++The following file types are defined for tor:
++
++
++.EX
++.PP
++.B tor_etc_t
++.EE
++
++- Set files with the tor_etc_t type, if you want to store tor files in the /etc directories.
++
++
++.EX
++.PP
++.B tor_exec_t
++.EE
++
++- Set files with the tor_exec_t type, if you want to transition an executable to the tor_t domain.
++
++
++.EX
++.PP
++.B tor_initrc_exec_t
++.EE
++
++- Set files with the tor_initrc_exec_t type, if you want to transition an executable to the tor_initrc_t domain.
++
++
++.EX
++.PP
++.B tor_unit_file_t
++.EE
++
++- Set files with the tor_unit_file_t type, if you want to treat the files as tor unit content.
++
++
++.EX
++.PP
++.B tor_var_lib_t
++.EE
++
++- Set files with the tor_var_lib_t type, if you want to store the tor files under the /var/lib directory.
++
++
++.EX
++.PP
++.B tor_var_log_t
++.EE
++
++- Set files with the tor_var_log_t type, if you want to treat the data as tor var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B tor_var_run_t
++.EE
++
++- Set files with the tor_var_run_t type, if you want to store the tor files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux tor policy is very flexible allowing users to setup their tor processes in as secure a method as possible.
++.PP
++The following port types are defined for tor:
++
++.EX
++.TP 5
++.B tor_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 6969,9001,9030,9051
++.EE
++
++.EX
++.TP 5
++.B tor_socks_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 9050
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type tor_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B tor_var_lib_t
++
++ /var/lib/tor(/.*)?
++.br
++ /var/lib/tor-data(/.*)?
++.br
++
++.br
++.B tor_var_log_t
++
++ /var/log/tor(/.*)?
++.br
++
++.br
++.B tor_var_run_t
++
++ /var/run/tor(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tor_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the tor_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), tor(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/traceroute_selinux.8 b/man/man8/traceroute_selinux.8
+new file mode 100644
+index 0000000..00db217
+--- /dev/null
++++ b/man/man8/traceroute_selinux.8
+@@ -0,0 +1,126 @@
++.TH "traceroute_selinux" "8" "12-11-01" "traceroute" "SELinux Policy documentation for traceroute"
++.SH "NAME"
++traceroute_selinux \- Security Enhanced Linux Policy for the traceroute processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the traceroute processes via flexible mandatory access control.
++
++The traceroute processes execute with the traceroute_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep traceroute_t
++
++
++.SH "ENTRYPOINTS"
++
++The traceroute_t SELinux type can be entered via the "traceroute_exec_t" file type. The default entrypoint paths for the traceroute_t domain are the following:"
++
++/bin/tracepath.*, /bin/traceroute.*, /usr/bin/tracepath.*, /usr/bin/traceroute.*, /usr/sbin/traceroute.*, /usr/bin/lft, /usr/bin/mtr, /usr/bin/nmap, /usr/sbin/mtr
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux traceroute policy is very flexible allowing users to setup their traceroute processes in as secure a method as possible.
++.PP
++The following process types are defined for traceroute:
++
++.EX
++.B traceroute_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux traceroute policy is very flexible allowing users to setup their traceroute processes in as secure a method as possible.
++.PP
++The following file types are defined for traceroute:
++
++
++.EX
++.PP
++.B traceroute_exec_t
++.EE
++
++- Set files with the traceroute_exec_t type, if you want to transition an executable to the traceroute_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux traceroute policy is very flexible allowing users to setup their traceroute processes in as secure a method as possible.
++.PP
++The following port types are defined for traceroute:
++
++.EX
++.TP 5
++.B traceroute_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++udp 64000-64010
++.EE
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the traceroute_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the traceroute_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), traceroute(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/tuned_selinux.8 b/man/man8/tuned_selinux.8
+new file mode 100644
+index 0000000..31c8195
+--- /dev/null
++++ b/man/man8/tuned_selinux.8
+@@ -0,0 +1,172 @@
++.TH "tuned_selinux" "8" "12-11-01" "tuned" "SELinux Policy documentation for tuned"
++.SH "NAME"
++tuned_selinux \- Security Enhanced Linux Policy for the tuned processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the tuned processes via flexible mandatory access control.
++
++The tuned processes execute with the tuned_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep tuned_t
++
++
++.SH "ENTRYPOINTS"
++
++The tuned_t SELinux type can be entered via the "tuned_exec_t" file type. The default entrypoint paths for the tuned_t domain are the following:"
++
++/usr/sbin/tuned
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux tuned policy is very flexible allowing users to setup their tuned processes in as secure a method as possible.
++.PP
++The following process types are defined for tuned:
++
++.EX
++.B tuned_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux tuned policy is very flexible allowing users to setup their tuned processes in as secure a method as possible.
++.PP
++The following file types are defined for tuned:
++
++
++.EX
++.PP
++.B tuned_etc_t
++.EE
++
++- Set files with the tuned_etc_t type, if you want to store tuned files in the /etc directories.
++
++
++.EX
++.PP
++.B tuned_exec_t
++.EE
++
++- Set files with the tuned_exec_t type, if you want to transition an executable to the tuned_t domain.
++
++
++.EX
++.PP
++.B tuned_initrc_exec_t
++.EE
++
++- Set files with the tuned_initrc_exec_t type, if you want to transition an executable to the tuned_initrc_t domain.
++
++
++.EX
++.PP
++.B tuned_log_t
++.EE
++
++- Set files with the tuned_log_t type, if you want to treat the data as tuned log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B tuned_rw_etc_t
++.EE
++
++- Set files with the tuned_rw_etc_t type, if you want to store tuned rw files in the /etc directories.
++
++
++.EX
++.PP
++.B tuned_var_run_t
++.EE
++
++- Set files with the tuned_var_run_t type, if you want to store the tuned files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type tuned_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B tuned_log_t
++
++ /var/log/tuned(/.*)?
++.br
++ /var/log/tuned\.log.*
++.br
++
++.br
++.B tuned_rw_etc_t
++
++ /etc/tuned/active_profile
++.br
++
++.br
++.B tuned_var_run_t
++
++ /var/run/tuned(/.*)?
++.br
++ /var/run/tuned\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the tuned_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), tuned(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/tvtime_selinux.8 b/man/man8/tvtime_selinux.8
+new file mode 100644
+index 0000000..f52edbe
+--- /dev/null
++++ b/man/man8/tvtime_selinux.8
+@@ -0,0 +1,154 @@
++.TH "tvtime_selinux" "8" "12-11-01" "tvtime" "SELinux Policy documentation for tvtime"
++.SH "NAME"
++tvtime_selinux \- Security Enhanced Linux Policy for the tvtime processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the tvtime processes via flexible mandatory access control.
++
++The tvtime processes execute with the tvtime_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep tvtime_t
++
++
++.SH "ENTRYPOINTS"
++
++The tvtime_t SELinux type can be entered via the "tvtime_exec_t" file type. The default entrypoint paths for the tvtime_t domain are the following:"
++
++/usr/bin/tvtime
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux tvtime policy is very flexible allowing users to setup their tvtime processes in as secure a method as possible.
++.PP
++The following process types are defined for tvtime:
++
++.EX
++.B tvtime_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux tvtime policy is very flexible allowing users to setup their tvtime processes in as secure a method as possible.
++.PP
++The following file types are defined for tvtime:
++
++
++.EX
++.PP
++.B tvtime_exec_t
++.EE
++
++- Set files with the tvtime_exec_t type, if you want to transition an executable to the tvtime_t domain.
++
++
++.EX
++.PP
++.B tvtime_home_t
++.EE
++
++- Set files with the tvtime_home_t type, if you want to store tvtime files in the users home directory.
++
++
++.EX
++.PP
++.B tvtime_tmp_t
++.EE
++
++- Set files with the tvtime_tmp_t type, if you want to store tvtime temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B tvtime_tmpfs_t
++.EE
++
++- Set files with the tvtime_tmpfs_t type, if you want to store tvtime files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type tvtime_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B tvtime_home_t
++
++
++.br
++.B tvtime_tmp_t
++
++
++.br
++.B tvtime_tmpfs_t
++
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), tvtime(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/udev_selinux.8 b/man/man8/udev_selinux.8
+new file mode 100644
+index 0000000..8e9a765
+--- /dev/null
++++ b/man/man8/udev_selinux.8
+@@ -0,0 +1,328 @@
++.TH "udev_selinux" "8" "12-11-01" "udev" "SELinux Policy documentation for udev"
++.SH "NAME"
++udev_selinux \- Security Enhanced Linux Policy for the udev processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the udev processes via flexible mandatory access control.
++
++The udev processes execute with the udev_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep udev_t
++
++
++.SH "ENTRYPOINTS"
++
++The udev_t SELinux type can be entered via the "udev_exec_t,udev_helper_exec_t" file types. The default entrypoint paths for the udev_t domain are the following:"
++
++/sbin/udev, /sbin/udevd, /bin/udevadm, /sbin/udevadm, /sbin/udevsend, /usr/sbin/udev, /lib/udev/udevd, /sbin/udevstart, /usr/sbin/udevd, /sbin/start_udev, /usr/bin/udevadm, /usr/bin/udevinfo, /usr/sbin/udevadm, /lib/udev/udev-acl, /usr/sbin/udevsend, /usr/sbin/udevstart, /usr/lib/udev/udevd, /sbin/wait_for_sysfs, /usr/sbin/start_udev, /usr/lib/udev/udev-acl, /usr/sbin/wait_for_sysfs, /usr/lib/systemd/systemd-udevd, /etc/dev\.d/.+, /etc/udev/scripts/.+, /etc/hotplug\.d/default/udev.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux udev policy is very flexible allowing users to setup their udev processes in as secure a method as possible.
++.PP
++The following process types are defined for udev:
++
++.EX
++.B udev_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux udev policy is very flexible allowing users to setup their udev processes in as secure a method as possible.
++.PP
++The following file types are defined for udev:
++
++
++.EX
++.PP
++.B udev_etc_t
++.EE
++
++- Set files with the udev_etc_t type, if you want to store udev files in the /etc directories.
++
++
++.EX
++.PP
++.B udev_exec_t
++.EE
++
++- Set files with the udev_exec_t type, if you want to transition an executable to the udev_t domain.
++
++
++.EX
++.PP
++.B udev_helper_exec_t
++.EE
++
++- Set files with the udev_helper_exec_t type, if you want to transition an executable to the udev_helper_t domain.
++
++
++.EX
++.PP
++.B udev_rules_t
++.EE
++
++- Set files with the udev_rules_t type, if you want to treat the files as udev rules data.
++
++
++.EX
++.PP
++.B udev_var_run_t
++.EE
++
++- Set files with the udev_var_run_t type, if you want to store the udev files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type udev_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B device_t
++
++ /dev/.*
++.br
++ /lib/udev/devices(/.*)?
++.br
++ /usr/lib/udev/devices(/.*)?
++.br
++ /dev
++.br
++ /etc/udev/devices
++.br
++ /var/named/chroot/dev
++.br
++ /var/spool/postfix/dev
++.br
++
++.br
++.B dhcp_etc_t
++
++ /etc/dhcpc.*
++.br
++ /etc/dhcp3(/.*)?
++.br
++ /etc/dhcpd(6)?\.conf
++.br
++ /etc/dhcp3?/dhclient.*
++.br
++ /etc/dhclient.*conf
++.br
++ /etc/dhcp/dhcpd(6)?\.conf
++.br
++ /etc/dhclient-script
++.br
++
++.br
++.B etc_t
++
++ /etc/.*
++.br
++ /var/db/.*\.db
++.br
++ /usr/etc(/.*)?
++.br
++ /var/ftp/etc(/.*)?
++.br
++ /var/lib/openshift/.limits.d(/.*)?
++.br
++ /var/lib/openshift/.openshift-proxy.d(/.*)?
++.br
++ /var/lib/openshift/.stickshift-proxy.d(/.*)?
++.br
++ /var/lib/stickshift/.limits.d(/.*)?
++.br
++ /var/lib/stickshift/.stickshift-proxy.d(/.*)?
++.br
++ /var/named/chroot/etc(/.*)?
++.br
++ /etc/ipsec\.d/examples(/.*)?
++.br
++ /var/spool/postfix/etc(/.*)?
++.br
++ /etc
++.br
++ /etc/cups/client\.conf
++.br
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B udev_exec_t
++
++ /sbin/udev
++.br
++ /sbin/udevd
++.br
++ /bin/udevadm
++.br
++ /sbin/udevadm
++.br
++ /sbin/udevsend
++.br
++ /usr/sbin/udev
++.br
++ /lib/udev/udevd
++.br
++ /sbin/udevstart
++.br
++ /usr/sbin/udevd
++.br
++ /sbin/start_udev
++.br
++ /usr/bin/udevadm
++.br
++ /usr/bin/udevinfo
++.br
++ /usr/sbin/udevadm
++.br
++ /lib/udev/udev-acl
++.br
++ /usr/sbin/udevsend
++.br
++ /usr/sbin/udevstart
++.br
++ /usr/lib/udev/udevd
++.br
++ /sbin/wait_for_sysfs
++.br
++ /usr/sbin/start_udev
++.br
++ /usr/lib/udev/udev-acl
++.br
++ /usr/sbin/wait_for_sysfs
++.br
++ /usr/lib/systemd/systemd-udevd
++.br
++
++.br
++.B udev_rules_t
++
++ /etc/udev/rules.d(/.*)?
++.br
++
++.br
++.B udev_var_run_t
++
++ /dev/\.udev(/.*)?
++.br
++ /var/run/udev(/.*)?
++.br
++ /var/run/libgpod(/.*)?
++.br
++ /var/run/PackageKit/udev(/.*)?
++.br
++ /dev/\.udevdb
++.br
++ /dev/udev\.tbl
++.br
++
++.br
++.B xend_var_log_t
++
++ /var/log/xen(/.*)?
++.br
++ /var/log/xend\.log.*
++.br
++ /var/log/xend-debug\.log.*
++.br
++ /var/log/xen-hotplug\.log.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the udev_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the udev_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), udev(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ulogd_selinux.8 b/man/man8/ulogd_selinux.8
+new file mode 100644
+index 0000000..3953cf8
+--- /dev/null
++++ b/man/man8/ulogd_selinux.8
+@@ -0,0 +1,128 @@
++.TH "ulogd_selinux" "8" "12-11-01" "ulogd" "SELinux Policy documentation for ulogd"
++.SH "NAME"
++ulogd_selinux \- Security Enhanced Linux Policy for the ulogd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ulogd processes via flexible mandatory access control.
++
++The ulogd processes execute with the ulogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ulogd_t
++
++
++.SH "ENTRYPOINTS"
++
++The ulogd_t SELinux type can be entered via the "ulogd_exec_t" file type. The default entrypoint paths for the ulogd_t domain are the following:"
++
++/usr/sbin/ulogd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ulogd policy is very flexible allowing users to setup their ulogd processes in as secure a method as possible.
++.PP
++The following process types are defined for ulogd:
++
++.EX
++.B ulogd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ulogd policy is very flexible allowing users to setup their ulogd processes in as secure a method as possible.
++.PP
++The following file types are defined for ulogd:
++
++
++.EX
++.PP
++.B ulogd_etc_t
++.EE
++
++- Set files with the ulogd_etc_t type, if you want to store ulogd files in the /etc directories.
++
++
++.EX
++.PP
++.B ulogd_exec_t
++.EE
++
++- Set files with the ulogd_exec_t type, if you want to transition an executable to the ulogd_t domain.
++
++
++.EX
++.PP
++.B ulogd_initrc_exec_t
++.EE
++
++- Set files with the ulogd_initrc_exec_t type, if you want to transition an executable to the ulogd_initrc_t domain.
++
++
++.EX
++.PP
++.B ulogd_modules_t
++.EE
++
++- Set files with the ulogd_modules_t type, if you want to treat the files as ulogd modules.
++
++
++.EX
++.PP
++.B ulogd_var_log_t
++.EE
++
++- Set files with the ulogd_var_log_t type, if you want to treat the data as ulogd var log data, usually stored under the /var/log directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type ulogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ulogd_var_log_t
++
++ /var/log/ulogd(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ulogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/uml_selinux.8 b/man/man8/uml_selinux.8
+new file mode 100644
+index 0000000..5629dd2
+--- /dev/null
++++ b/man/man8/uml_selinux.8
+@@ -0,0 +1,157 @@
++.TH "uml_selinux" "8" "12-11-01" "uml" "SELinux Policy documentation for uml"
++.SH "NAME"
++uml_selinux \- Security Enhanced Linux Policy for the uml processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the uml processes via flexible mandatory access control.
++
++The uml processes execute with the uml_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep uml_t
++
++
++.SH "ENTRYPOINTS"
++
++The uml_t SELinux type can be entered via the "uml_exec_t" file type. The default entrypoint paths for the uml_t domain are the following:"
++
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux uml policy is very flexible allowing users to setup their uml processes in as secure a method as possible.
++.PP
++The following process types are defined for uml:
++
++.EX
++.B uml_switch_t, uml_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux uml policy is very flexible allowing users to setup their uml processes in as secure a method as possible.
++.PP
++The following file types are defined for uml:
++
++
++.EX
++.PP
++.B uml_exec_t
++.EE
++
++- Set files with the uml_exec_t type, if you want to transition an executable to the uml_t domain.
++
++
++.EX
++.PP
++.B uml_ro_t
++.EE
++
++- Set files with the uml_ro_t type, if you want to treat the files as uml read/only content.
++
++
++.EX
++.PP
++.B uml_rw_t
++.EE
++
++- Set files with the uml_rw_t type, if you want to treat the files as uml read/write content.
++
++
++.EX
++.PP
++.B uml_switch_exec_t
++.EE
++
++- Set files with the uml_switch_exec_t type, if you want to transition an executable to the uml_switch_t domain.
++
++
++.EX
++.PP
++.B uml_switch_var_run_t
++.EE
++
++- Set files with the uml_switch_var_run_t type, if you want to store the uml switch files under the /run directory.
++
++
++.EX
++.PP
++.B uml_tmp_t
++.EE
++
++- Set files with the uml_tmp_t type, if you want to store uml temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B uml_tmpfs_t
++.EE
++
++- Set files with the uml_tmpfs_t type, if you want to store uml files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type uml_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B uml_rw_t
++
++ /home/[^/]*/\.uml(/.*)?
++.br
++ /home/dwalsh/\.uml(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.uml(/.*)?
++.br
++
++.br
++.B uml_tmp_t
++
++
++.br
++.B uml_tmpfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), uml(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, uml_switch_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/uml_switch_selinux.8 b/man/man8/uml_switch_selinux.8
+new file mode 100644
+index 0000000..e67ca95
+--- /dev/null
++++ b/man/man8/uml_switch_selinux.8
+@@ -0,0 +1,105 @@
++.TH "uml_switch_selinux" "8" "12-11-01" "uml_switch" "SELinux Policy documentation for uml_switch"
++.SH "NAME"
++uml_switch_selinux \- Security Enhanced Linux Policy for the uml_switch processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the uml_switch processes via flexible mandatory access control.
++
++The uml_switch processes execute with the uml_switch_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep uml_switch_t
++
++
++.SH "ENTRYPOINTS"
++
++The uml_switch_t SELinux type can be entered via the "uml_switch_exec_t" file type. The default entrypoint paths for the uml_switch_t domain are the following:"
++
++/usr/bin/uml_switch
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux uml_switch policy is very flexible allowing users to setup their uml_switch processes in as secure a method as possible.
++.PP
++The following process types are defined for uml_switch:
++
++.EX
++.B uml_switch_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux uml_switch policy is very flexible allowing users to setup their uml_switch processes in as secure a method as possible.
++.PP
++The following file types are defined for uml_switch:
++
++
++.EX
++.PP
++.B uml_switch_exec_t
++.EE
++
++- Set files with the uml_switch_exec_t type, if you want to transition an executable to the uml_switch_t domain.
++
++
++.EX
++.PP
++.B uml_switch_var_run_t
++.EE
++
++- Set files with the uml_switch_var_run_t type, if you want to store the uml switch files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type uml_switch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B uml_switch_var_run_t
++
++ /var/run/uml-utilities(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), uml_switch(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, uml_selinux(8), uml_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/unconfined_munin_plugin_selinux.8 b/man/man8/unconfined_munin_plugin_selinux.8
+new file mode 100644
+index 0000000..0eca181
+--- /dev/null
++++ b/man/man8/unconfined_munin_plugin_selinux.8
+@@ -0,0 +1,109 @@
++.TH "unconfined_munin_plugin_selinux" "8" "12-11-01" "unconfined_munin_plugin" "SELinux Policy documentation for unconfined_munin_plugin"
++.SH "NAME"
++unconfined_munin_plugin_selinux \- Security Enhanced Linux Policy for the unconfined_munin_plugin processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the unconfined_munin_plugin processes via flexible mandatory access control.
++
++The unconfined_munin_plugin processes execute with the unconfined_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep unconfined_munin_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The unconfined_munin_plugin_t SELinux type can be entered via the "unconfined_munin_plugin_exec_t" file type. The default entrypoint paths for the unconfined_munin_plugin_t domain are the following:"
++
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux unconfined_munin_plugin policy is very flexible allowing users to setup their unconfined_munin_plugin processes in as secure a method as possible.
++.PP
++The following process types are defined for unconfined_munin_plugin:
++
++.EX
++.B unconfined_munin_plugin_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux unconfined_munin_plugin policy is very flexible allowing users to setup their unconfined_munin_plugin processes in as secure a method as possible.
++.PP
++The following file types are defined for unconfined_munin_plugin:
++
++
++.EX
++.PP
++.B unconfined_munin_plugin_exec_t
++.EE
++
++- Set files with the unconfined_munin_plugin_exec_t type, if you want to transition an executable to the unconfined_munin_plugin_t domain.
++
++
++.EX
++.PP
++.B unconfined_munin_plugin_tmp_t
++.EE
++
++- Set files with the unconfined_munin_plugin_tmp_t type, if you want to store unconfined munin plugin temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type unconfined_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B munin_plugin_state_t
++
++ /var/lib/munin/plugin-state(/.*)?
++.br
++
++.br
++.B unconfined_munin_plugin_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), unconfined_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, unconfined_selinux(8), unconfined_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/unconfined_selinux.8 b/man/man8/unconfined_selinux.8
+new file mode 100644
+index 0000000..da88b6e
+--- /dev/null
++++ b/man/man8/unconfined_selinux.8
+@@ -0,0 +1,165 @@
++.TH "unconfined_selinux" "8" "unconfined" "mgrepl@redhat.com" "unconfined SELinux Policy documentation"
++.SH "NAME"
++unconfined_r \- \fBUnconfiend user role\fP - Security Enhanced Linux Policy
++
++.SH DESCRIPTION
++
++SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into.
++
++.I Note:
++Examples in this man page will use the
++.B staff_u
++SELinux user.
++
++Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them.
++
++The default type for the unconfined_r role is unconfined_t.
++
++The
++.B newrole
++program to transition directly to this role.
++
++.B newrole -r unconfined_r -t unconfined_t
++
++.B sudo
++is the preferred method to do transition from one role to another. You setup sudo to transition to unconfined_r by adding a similar line to the /etc/sudoers file.
++
++USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
++
++.br
++sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL
++
++When using a a non login role, you need to setup SELinux so that your SELinux user can reach unconfined_r role.
++
++Execute the following to see all of the assigned SELinux roles:
++
++.B semanage user -l
++
++You need to add unconfined_r to the staff_u user. You could setup the staff_u user to be able to use the unconfined_r role with a command like:
++
++.B $ semanage user -m -R 'staff_r system_r unconfined_r' staff_u
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. unconfined policy is extremely flexible and has several booleans that allow you to manipulate the policy and run unconfined with the tightest access possible.
++
++
++.PP
++If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_unconfined_dbadm 1
++.EE
++
++.PP
++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean.
++
++.EX
++.B setsebool -P unconfined_chrome_sandbox_transition 1
++.EE
++
++.PP
++If you want to allow a user to login as an unconfined domain, you must turn on the unconfined_login boolean.
++
++.EX
++.B setsebool -P unconfined_login 1
++.EE
++
++.PP
++If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean.
++
++.EX
++.B setsebool -P samba_run_unconfined 1
++.EE
++
++.PP
++If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean.
++
++.EX
++.B setsebool -P unconfined_mplayer 1
++.EE
++
++.PP
++If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
++
++.EX
++.B setsebool -P unconfined_mozilla_plugin_transition 1
++.EE
++
++.PP
++If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_unconfined_dbadm 1
++.EE
++
++.PP
++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean.
++
++.EX
++.B setsebool -P unconfined_chrome_sandbox_transition 1
++.EE
++
++.PP
++If you want to allow a user to login as an unconfined domain, you must turn on the unconfined_login boolean.
++
++.EX
++.B setsebool -P unconfined_login 1
++.EE
++
++.PP
++If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean.
++
++.EX
++.B setsebool -P samba_run_unconfined 1
++.EE
++
++.PP
++If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean.
++
++.EX
++.B setsebool -P unconfined_mplayer 1
++.EE
++
++.PP
++If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
++
++.EX
++.B setsebool -P unconfined_mozilla_plugin_transition 1
++.EE
++
++.SH "MANAGED FILES"
++
++The SELinux process type unconfined_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B file_type
++
++ all files on the system
++.br
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), unconfined(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), unconfined_munin_plugin_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/update_modules_selinux.8 b/man/man8/update_modules_selinux.8
+new file mode 100644
+index 0000000..733d361
+--- /dev/null
++++ b/man/man8/update_modules_selinux.8
+@@ -0,0 +1,122 @@
++.TH "update_modules_selinux" "8" "12-11-01" "update_modules" "SELinux Policy documentation for update_modules"
++.SH "NAME"
++update_modules_selinux \- Security Enhanced Linux Policy for the update_modules processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the update_modules processes via flexible mandatory access control.
++
++The update_modules processes execute with the update_modules_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep update_modules_t
++
++
++.SH "ENTRYPOINTS"
++
++The update_modules_t SELinux type can be entered via the "update_modules_exec_t" file type. The default entrypoint paths for the update_modules_t domain are the following:"
++
++/sbin/modules-update, /sbin/update-modules, /usr/sbin/modules-update, /usr/sbin/update-modules, /sbin/generate-modprobe\.conf, /usr/sbin/generate-modprobe\.conf
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux update_modules policy is very flexible allowing users to setup their update_modules processes in as secure a method as possible.
++.PP
++The following process types are defined for update_modules:
++
++.EX
++.B update_modules_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux update_modules policy is very flexible allowing users to setup their update_modules processes in as secure a method as possible.
++.PP
++The following file types are defined for update_modules:
++
++
++.EX
++.PP
++.B update_modules_exec_t
++.EE
++
++- Set files with the update_modules_exec_t type, if you want to transition an executable to the update_modules_t domain.
++
++
++.EX
++.PP
++.B update_modules_tmp_t
++.EE
++
++- Set files with the update_modules_tmp_t type, if you want to store update modules temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type update_modules_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B modules_conf_t
++
++ /etc/modprobe\.d(/.*)?
++.br
++ /etc/modules\.conf.*
++.br
++ /etc/modprobe\.conf.*
++.br
++ /lib/modules/modprobe\.conf
++.br
++ /usr/lib/modules/modprobe\.conf
++.br
++
++.br
++.B modules_dep_t
++
++ /lib/modules/[^/]+/modules\..+
++.br
++
++.br
++.B update_modules_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), update_modules(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/updfstab_selinux.8 b/man/man8/updfstab_selinux.8
+new file mode 100644
+index 0000000..9bf36a1
+--- /dev/null
++++ b/man/man8/updfstab_selinux.8
+@@ -0,0 +1,168 @@
++.TH "updfstab_selinux" "8" "12-11-01" "updfstab" "SELinux Policy documentation for updfstab"
++.SH "NAME"
++updfstab_selinux \- Security Enhanced Linux Policy for the updfstab processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the updfstab processes via flexible mandatory access control.
++
++The updfstab processes execute with the updfstab_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep updfstab_t
++
++
++.SH "ENTRYPOINTS"
++
++The updfstab_t SELinux type can be entered via the "updfstab_exec_t" file type. The default entrypoint paths for the updfstab_t domain are the following:"
++
++/usr/sbin/updfstab, /usr/sbin/fstab-sync
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux updfstab policy is very flexible allowing users to setup their updfstab processes in as secure a method as possible.
++.PP
++The following process types are defined for updfstab:
++
++.EX
++.B updfstab_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux updfstab policy is very flexible allowing users to setup their updfstab processes in as secure a method as possible.
++.PP
++The following file types are defined for updfstab:
++
++
++.EX
++.PP
++.B updfstab_exec_t
++.EE
++
++- Set files with the updfstab_exec_t type, if you want to transition an executable to the updfstab_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type updfstab_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B etc_t
++
++ /etc/.*
++.br
++ /var/db/.*\.db
++.br
++ /usr/etc(/.*)?
++.br
++ /var/ftp/etc(/.*)?
++.br
++ /var/lib/openshift/.limits.d(/.*)?
++.br
++ /var/lib/openshift/.openshift-proxy.d(/.*)?
++.br
++ /var/lib/openshift/.stickshift-proxy.d(/.*)?
++.br
++ /var/lib/stickshift/.limits.d(/.*)?
++.br
++ /var/lib/stickshift/.stickshift-proxy.d(/.*)?
++.br
++ /var/named/chroot/etc(/.*)?
++.br
++ /etc/ipsec\.d/examples(/.*)?
++.br
++ /var/spool/postfix/etc(/.*)?
++.br
++ /etc
++.br
++ /etc/cups/client\.conf
++.br
++
++.br
++.B mnt_t
++
++ /mnt(/[^/]*)
++.br
++ /mnt(/[^/]*)?
++.br
++ /rhev(/[^/]*)?
++.br
++ /media(/[^/]*)
++.br
++ /media(/[^/]*)?
++.br
++ /media/\.hal-.*
++.br
++ /var/run/media(/[^/]*)?
++.br
++ /net
++.br
++ /afs
++.br
++ /rhev
++.br
++ /misc
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the updfstab_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the updfstab_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), updfstab(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/updpwd_selinux.8 b/man/man8/updpwd_selinux.8
+new file mode 100644
+index 0000000..158653a
+--- /dev/null
++++ b/man/man8/updpwd_selinux.8
+@@ -0,0 +1,170 @@
++.TH "updpwd_selinux" "8" "12-11-01" "updpwd" "SELinux Policy documentation for updpwd"
++.SH "NAME"
++updpwd_selinux \- Security Enhanced Linux Policy for the updpwd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the updpwd processes via flexible mandatory access control.
++
++The updpwd processes execute with the updpwd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep updpwd_t
++
++
++.SH "ENTRYPOINTS"
++
++The updpwd_t SELinux type can be entered via the "updpwd_exec_t" file type. The default entrypoint paths for the updpwd_t domain are the following:"
++
++/sbin/unix_update, /usr/sbin/unix_update
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux updpwd policy is very flexible allowing users to setup their updpwd processes in as secure a method as possible.
++.PP
++The following process types are defined for updpwd:
++
++.EX
++.B updpwd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux updpwd policy is very flexible allowing users to setup their updpwd processes in as secure a method as possible.
++.PP
++The following file types are defined for updpwd:
++
++
++.EX
++.PP
++.B updpwd_exec_t
++.EE
++
++- Set files with the updpwd_exec_t type, if you want to transition an executable to the updpwd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type updpwd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B etc_t
++
++ /etc/.*
++.br
++ /var/db/.*\.db
++.br
++ /usr/etc(/.*)?
++.br
++ /var/ftp/etc(/.*)?
++.br
++ /var/lib/openshift/.limits.d(/.*)?
++.br
++ /var/lib/openshift/.openshift-proxy.d(/.*)?
++.br
++ /var/lib/openshift/.stickshift-proxy.d(/.*)?
++.br
++ /var/lib/stickshift/.limits.d(/.*)?
++.br
++ /var/lib/stickshift/.stickshift-proxy.d(/.*)?
++.br
++ /var/named/chroot/etc(/.*)?
++.br
++ /etc/ipsec\.d/examples(/.*)?
++.br
++ /var/spool/postfix/etc(/.*)?
++.br
++ /etc
++.br
++ /etc/cups/client\.conf
++.br
++
++.br
++.B passwd_file_t
++
++ /etc/group[-\+]?
++.br
++ /etc/passwd[-\+]?
++.br
++ /etc/passwd\.adjunct.*
++.br
++ /etc/ptmptmp
++.br
++ /etc/\.pwd\.lock
++.br
++ /etc/group\.lock
++.br
++ /etc/passwd\.OLD
++.br
++ /etc/passwd\.lock
++.br
++
++.br
++.B shadow_t
++
++ /etc/shadow.*
++.br
++ /etc/gshadow.*
++.br
++ /var/db/shadow.*
++.br
++ /etc/security/opasswd
++.br
++ /etc/security/opasswd\.old
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the updpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the updpwd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), updpwd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/usbmodules_selinux.8 b/man/man8/usbmodules_selinux.8
+new file mode 100644
+index 0000000..39fd388
+--- /dev/null
++++ b/man/man8/usbmodules_selinux.8
+@@ -0,0 +1,94 @@
++.TH "usbmodules_selinux" "8" "12-11-01" "usbmodules" "SELinux Policy documentation for usbmodules"
++.SH "NAME"
++usbmodules_selinux \- Security Enhanced Linux Policy for the usbmodules processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the usbmodules processes via flexible mandatory access control.
++
++The usbmodules processes execute with the usbmodules_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep usbmodules_t
++
++
++.SH "ENTRYPOINTS"
++
++The usbmodules_t SELinux type can be entered via the "usbmodules_exec_t" file type. The default entrypoint paths for the usbmodules_t domain are the following:"
++
++/sbin/usbmodules, /usr/sbin/usbmodules
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux usbmodules policy is very flexible allowing users to setup their usbmodules processes in as secure a method as possible.
++.PP
++The following process types are defined for usbmodules:
++
++.EX
++.B usbmodules_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux usbmodules policy is very flexible allowing users to setup their usbmodules processes in as secure a method as possible.
++.PP
++The following file types are defined for usbmodules:
++
++
++.EX
++.PP
++.B usbmodules_exec_t
++.EE
++
++- Set files with the usbmodules_exec_t type, if you want to transition an executable to the usbmodules_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type usbmodules_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B usbfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), usbmodules(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/usbmuxd_selinux.8 b/man/man8/usbmuxd_selinux.8
+new file mode 100644
+index 0000000..66ed42f
+--- /dev/null
++++ b/man/man8/usbmuxd_selinux.8
+@@ -0,0 +1,126 @@
++.TH "usbmuxd_selinux" "8" "12-11-01" "usbmuxd" "SELinux Policy documentation for usbmuxd"
++.SH "NAME"
++usbmuxd_selinux \- Security Enhanced Linux Policy for the usbmuxd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the usbmuxd processes via flexible mandatory access control.
++
++The usbmuxd processes execute with the usbmuxd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep usbmuxd_t
++
++
++.SH "ENTRYPOINTS"
++
++The usbmuxd_t SELinux type can be entered via the "usbmuxd_exec_t" file type. The default entrypoint paths for the usbmuxd_t domain are the following:"
++
++/usr/sbin/usbmuxd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux usbmuxd policy is very flexible allowing users to setup their usbmuxd processes in as secure a method as possible.
++.PP
++The following process types are defined for usbmuxd:
++
++.EX
++.B usbmuxd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux usbmuxd policy is very flexible allowing users to setup their usbmuxd processes in as secure a method as possible.
++.PP
++The following file types are defined for usbmuxd:
++
++
++.EX
++.PP
++.B usbmuxd_exec_t
++.EE
++
++- Set files with the usbmuxd_exec_t type, if you want to transition an executable to the usbmuxd_t domain.
++
++
++.EX
++.PP
++.B usbmuxd_unit_file_t
++.EE
++
++- Set files with the usbmuxd_unit_file_t type, if you want to treat the files as usbmuxd unit content.
++
++
++.EX
++.PP
++.B usbmuxd_var_run_t
++.EE
++
++- Set files with the usbmuxd_var_run_t type, if you want to store the usbmuxd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type usbmuxd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B usbmuxd_var_run_t
++
++ /var/run/usbmuxd.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the usbmuxd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the usbmuxd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), usbmuxd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/user_selinux.8 b/man/man8/user_selinux.8
+new file mode 100644
+index 0000000..1106e32
+--- /dev/null
++++ b/man/man8/user_selinux.8
+@@ -0,0 +1,763 @@
++.TH "user_selinux" "8" "user" "mgrepl@redhat.com" "user SELinux Policy documentation"
++.SH "NAME"
++user_u \- \fBGeneric unprivileged user\fP - Security Enhanced Linux Policy
++
++.SH DESCRIPTION
++
++\fBuser_u\fP is an SELinux User defined in the SELinux
++policy. SELinux users have default roles, \fBuser_r\fP. The
++default role has a default type, \fBuser_t\fP, associated with it.
++
++The SELinux user will usually login to a system with a context that looks like:
++
++.B user_u:user_r:user_t:s0-s0:c0.c1023
++
++Linux users are automatically assigned an SELinux users at login.
++Login programs use the SELinux User to assign initial context to the user's shell.
++
++SELinux policy uses the context to control the user's access.
++
++By default all users are assigned to the SELinux user via the \fB__default__\fP flag
++
++On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
++
++You can list all Linux User to SELinux user mapping using:
++
++.B semanage login -l
++
++If you wanted to change the default user mapping to use the user_u user, you would execute:
++
++.B semanage login -m -s user_u __default__
++
++
++If you want to map the one Linux user (joe) to the SELinux user user, you would execute:
++
++.B $ semanage login -a -s user_u joe
++
++
++.SH USER DESCRIPTION
++
++The SELinux user user_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
++
++.SH SUDO
++
++.SH X WINDOWS LOGIN
++
++The SELinux user user_u is able to X Windows login.
++
++.SH NETWORK
++
++.TP
++The SELinux user user_u is able to listen on the following tcp ports.
++
++.B xserver_port_t: 6000-6020
++
++.TP
++The SELinux user user_u is able to connect to the following tcp ports.
++
++.B all ports
++
++.TP
++The SELinux user user_u is able to listen on the following udp ports.
++
++.B all ports with out defined types
++
++.B ephemeral_port_t: 32768-61000
++
++.TP
++The SELinux user user_u is able to connect to the following tcp ports.
++
++.B all ports
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. user policy is extremely flexible and has several booleans that allow you to manipulate the policy and run user with the tightest access possible.
++
++
++.PP
++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean.
++
++.EX
++.B setsebool -P selinuxuser_execstack 1
++.EE
++
++.PP
++If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean.
++
++.EX
++.B setsebool -P selinuxuser_use_ssh_chroot 1
++.EE
++
++.PP
++If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean.
++
++.EX
++.B setsebool -P polipo_session_users 1
++.EE
++
++.PP
++If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
++
++.EX
++.B setsebool -P selinuxuser_ping 1
++.EE
++
++.PP
++If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean.
++
++.EX
++.B setsebool -P selinuxuser_user_share_music 1
++.EE
++
++.PP
++If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean.
++
++.EX
++.B setsebool -P unprivuser_use_svirt 1
++.EE
++
++.PP
++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean.
++
++.EX
++.B setsebool -P selinuxuser_direct_dri_enabled 1
++.EE
++
++.PP
++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean.
++
++.EX
++.B setsebool -P selinuxuser_tcp_server 1
++.EE
++
++.PP
++If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean.
++
++.EX
++.B setsebool -P selinuxuser_execheap 1
++.EE
++
++.PP
++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean.
++
++.EX
++.B setsebool -P selinuxuser_postgresql_connect_enabled 1
++.EE
++
++.PP
++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean.
++
++.EX
++.B setsebool -P selinuxuser_rw_noexattrfile 1
++.EE
++
++.PP
++If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean.
++
++.EX
++.B setsebool -P httpd_read_user_content 1
++.EE
++
++.PP
++If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_users_ddl 1
++.EE
++
++.PP
++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean.
++
++.EX
++.B setsebool -P selinuxuser_execmod 1
++.EE
++
++.PP
++If you want to allow webadm to manage files in users home directories, you must turn on the webadm_manage_user_files boolean.
++
++.EX
++.B setsebool -P webadm_manage_user_files 1
++.EE
++
++.PP
++If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean.
++
++.EX
++.B setsebool -P pppd_for_user 1
++.EE
++
++.PP
++If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean.
++
++.EX
++.B setsebool -P selinuxuser_mysql_connect_enabled 1
++.EE
++
++.PP
++If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
++
++.EX
++.B setsebool -P clamscan_read_user_content 1
++.EE
++
++.PP
++If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean.
++
++.EX
++.B setsebool -P dbadm_manage_user_files 1
++.EE
++
++.PP
++If you want to allow exim to create, read, write, and delete unprivileged user files, you must turn on the exim_manage_user_files boolean.
++
++.EX
++.B setsebool -P exim_manage_user_files 1
++.EE
++
++.PP
++If you want to determine whether calling user domains can execute Git daemon in the git_session_t domain, you must turn on the git_session_users boolean.
++
++.EX
++.B setsebool -P git_session_users 1
++.EE
++
++.PP
++If you want to allow dbadm to read files in users home directories, you must turn on the dbadm_read_user_files boolean.
++
++.EX
++.B setsebool -P dbadm_read_user_files 1
++.EE
++
++.PP
++If you want to allow exim to read unprivileged user files, you must turn on the exim_read_user_files boolean.
++
++.EX
++.B setsebool -P exim_read_user_files 1
++.EE
++
++.PP
++If you want to allow webadm to read files in users home directories, you must turn on the webadm_read_user_files boolean.
++
++.EX
++.B setsebool -P webadm_read_user_files 1
++.EE
++
++.PP
++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean.
++
++.EX
++.B setsebool -P selinuxuser_execstack 1
++.EE
++
++.PP
++If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean.
++
++.EX
++.B setsebool -P selinuxuser_use_ssh_chroot 1
++.EE
++
++.PP
++If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean.
++
++.EX
++.B setsebool -P polipo_session_users 1
++.EE
++
++.PP
++If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
++
++.EX
++.B setsebool -P selinuxuser_ping 1
++.EE
++
++.PP
++If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean.
++
++.EX
++.B setsebool -P selinuxuser_user_share_music 1
++.EE
++
++.PP
++If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean.
++
++.EX
++.B setsebool -P unprivuser_use_svirt 1
++.EE
++
++.PP
++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean.
++
++.EX
++.B setsebool -P selinuxuser_direct_dri_enabled 1
++.EE
++
++.PP
++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean.
++
++.EX
++.B setsebool -P selinuxuser_tcp_server 1
++.EE
++
++.PP
++If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean.
++
++.EX
++.B setsebool -P selinuxuser_execheap 1
++.EE
++
++.PP
++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean.
++
++.EX
++.B setsebool -P selinuxuser_postgresql_connect_enabled 1
++.EE
++
++.PP
++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean.
++
++.EX
++.B setsebool -P selinuxuser_rw_noexattrfile 1
++.EE
++
++.PP
++If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean.
++
++.EX
++.B setsebool -P httpd_read_user_content 1
++.EE
++
++.PP
++If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_users_ddl 1
++.EE
++
++.PP
++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean.
++
++.EX
++.B setsebool -P selinuxuser_execmod 1
++.EE
++
++.PP
++If you want to allow webadm to manage files in users home directories, you must turn on the webadm_manage_user_files boolean.
++
++.EX
++.B setsebool -P webadm_manage_user_files 1
++.EE
++
++.PP
++If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean.
++
++.EX
++.B setsebool -P pppd_for_user 1
++.EE
++
++.PP
++If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean.
++
++.EX
++.B setsebool -P selinuxuser_mysql_connect_enabled 1
++.EE
++
++.PP
++If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
++
++.EX
++.B setsebool -P clamscan_read_user_content 1
++.EE
++
++.PP
++If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean.
++
++.EX
++.B setsebool -P dbadm_manage_user_files 1
++.EE
++
++.PP
++If you want to allow exim to create, read, write, and delete unprivileged user files, you must turn on the exim_manage_user_files boolean.
++
++.EX
++.B setsebool -P exim_manage_user_files 1
++.EE
++
++.PP
++If you want to determine whether calling user domains can execute Git daemon in the git_session_t domain, you must turn on the git_session_users boolean.
++
++.EX
++.B setsebool -P git_session_users 1
++.EE
++
++.PP
++If you want to allow dbadm to read files in users home directories, you must turn on the dbadm_read_user_files boolean.
++
++.EX
++.B setsebool -P dbadm_read_user_files 1
++.EE
++
++.PP
++If you want to allow exim to read unprivileged user files, you must turn on the exim_read_user_files boolean.
++
++.EX
++.B setsebool -P exim_read_user_files 1
++.EE
++
++.PP
++If you want to allow webadm to read files in users home directories, you must turn on the webadm_read_user_files boolean.
++
++.EX
++.B setsebool -P webadm_read_user_files 1
++.EE
++
++.SH HOME_EXEC
++
++The SELinux user user_u is able execute home content files.
++
++.SH TRANSITIONS
++
++Three things can happen when user_t attempts to execute a program.
++
++\fB1.\fP SELinux Policy can deny user_t from executing the program.
++
++.TP
++
++\fB2.\fP SELinux Policy can allow user_t to execute the program in the current user type.
++
++Execute the following to see the types that the SELinux user user_t can execute without transitioning:
++
++.B search -A -s user_t -c file -p execute_no_trans
++
++.TP
++
++\fB3.\fP SELinux can allow user_t to execute the program and transition to a new type.
++
++Execute the following to see the types that the SELinux user user_t can execute and transition:
++
++.B $ search -A -s user_t -c process -p transition
++
++
++.SH "MANAGED FILES"
++
++The SELinux process type user_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B bluetooth_helper_tmp_t
++
++
++.br
++.B bluetooth_helper_tmpfs_t
++
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B chrome_sandbox_tmpfs_t
++
++
++.br
++.B games_data_t
++
++ /var/games(/.*)?
++.br
++ /var/lib/games(/.*)?
++.br
++
++.br
++.B gpg_agent_tmp_t
++
++ /home/[^/]*/\.gnupg/log-socket
++.br
++ /home/dwalsh/\.gnupg/log-socket
++.br
++ /var/lib/xguest/home/xguest/\.gnupg/log-socket
++.br
++
++.br
++.B httpd_user_content_t
++
++ /home/[^/]*/((www)|(web)|(public_html))(/.+)?
++.br
++ /home/dwalsh/((www)|(web)|(public_html))(/.+)?
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)?
++.br
++
++.br
++.B httpd_user_htaccess_t
++
++ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++
++.br
++.B httpd_user_ra_content_t
++
++ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++
++.br
++.B httpd_user_rw_content_t
++
++
++.br
++.B httpd_user_script_exec_t
++
++ /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++ /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++
++.br
++.B iceauth_home_t
++
++ /root/\.DCOP.*
++.br
++ /root/\.ICEauthority.*
++.br
++ /home/[^/]*/\.DCOP.*
++.br
++ /home/[^/]*/\.ICEauthority.*
++.br
++ /home/dwalsh/\.DCOP.*
++.br
++ /home/dwalsh/\.ICEauthority.*
++.br
++ /var/lib/xguest/home/xguest/\.DCOP.*
++.br
++ /var/lib/xguest/home/xguest/\.ICEauthority.*
++.br
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.br
++.B mqueue_spool_t
++
++ /var/spool/(client)?mqueue(/.*)?
++.br
++ /var/spool/mqueue\.in(/.*)?
++.br
++
++.br
++.B nfsd_rw_t
++
++
++.br
++.B noxattrfs
++
++ all files on file systems which do not support extended attributes
++.br
++
++.br
++.B sandbox_file_t
++
++
++.br
++.B sandbox_tmpfs_type
++
++ all sandbox content in tmpfs file systems
++.br
++
++.br
++.B screen_home_t
++
++ /root/\.screen(/.*)?
++.br
++ /home/[^/]*/\.screen(/.*)?
++.br
++ /home/[^/]*/\.screenrc
++.br
++ /home/dwalsh/\.screen(/.*)?
++.br
++ /home/dwalsh/\.screenrc
++.br
++ /var/lib/xguest/home/xguest/\.screen(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.screenrc
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B usbfs_t
++
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B user_fonts_t
++
++ /root/\.fonts(/.*)?
++.br
++ /tmp/\.font-unix(/.*)?
++.br
++ /home/[^/]*/\.fonts(/.*)?
++.br
++ /home/dwalsh/\.fonts(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts(/.*)?
++.br
++
++.br
++.B user_home_type
++
++ all user home files
++.br
++
++.br
++.B user_tmp_type
++
++ all user tmp files
++.br
++
++.br
++.B user_tmpfs_type
++
++ all user content in tmpfs file systems
++.br
++
++.br
++.B xauth_home_t
++
++ /root/\.xauth.*
++.br
++ /root/\.Xauth.*
++.br
++ /root/\.serverauth.*
++.br
++ /root/\.Xauthority.*
++.br
++ /var/lib/pqsql/\.xauth.*
++.br
++ /var/lib/pqsql/\.Xauthority.*
++.br
++ /var/lib/nxserver/home/\.xauth.*
++.br
++ /var/lib/nxserver/home/\.Xauthority.*
++.br
++ /home/[^/]*/\.xauth.*
++.br
++ /home/[^/]*/\.Xauth.*
++.br
++ /home/[^/]*/\.serverauth.*
++.br
++ /home/[^/]*/\.Xauthority.*
++.br
++ /home/dwalsh/\.xauth.*
++.br
++ /home/dwalsh/\.Xauth.*
++.br
++ /home/dwalsh/\.serverauth.*
++.br
++ /home/dwalsh/\.Xauthority.*
++.br
++ /var/lib/xguest/home/xguest/\.xauth.*
++.br
++ /var/lib/xguest/home/xguest/\.Xauth.*
++.br
++ /var/lib/xguest/home/xguest/\.serverauth.*
++.br
++ /var/lib/xguest/home/xguest/\.Xauthority.*
++.br
++
++.br
++.B xdm_tmp_t
++
++ /tmp/\.X11-unix(/.*)?
++.br
++ /tmp/\.ICE-unix(/.*)?
++.br
++ /tmp/\.X0-lock
++.br
++
++.br
++.B xserver_tmpfs_t
++
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), user(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), useradd_selinux(8), usernetctl_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/useradd_selinux.8 b/man/man8/useradd_selinux.8
+new file mode 100644
+index 0000000..81ee3be
+--- /dev/null
++++ b/man/man8/useradd_selinux.8
+@@ -0,0 +1,311 @@
++.TH "useradd_selinux" "8" "12-11-01" "useradd" "SELinux Policy documentation for useradd"
++.SH "NAME"
++useradd_selinux \- Security Enhanced Linux Policy for the useradd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the useradd processes via flexible mandatory access control.
++
++The useradd processes execute with the useradd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep useradd_t
++
++
++.SH "ENTRYPOINTS"
++
++The useradd_t SELinux type can be entered via the "useradd_exec_t,user_home_t" file types. The default entrypoint paths for the useradd_t domain are the following:"
++
++/usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/newusers, /home/[^/]*/.+, /home/dwalsh/.+, /var/lib/xguest/home/xguest/.+
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux useradd policy is very flexible allowing users to setup their useradd processes in as secure a method as possible.
++.PP
++The following process types are defined for useradd:
++
++.EX
++.B useradd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux useradd policy is very flexible allowing users to setup their useradd processes in as secure a method as possible.
++.PP
++The following file types are defined for useradd:
++
++
++.EX
++.PP
++.B useradd_exec_t
++.EE
++
++- Set files with the useradd_exec_t type, if you want to transition an executable to the useradd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type useradd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B default_context_t
++
++ /etc/selinux/([^/]*/)?contexts(/.*)?
++.br
++ /root/\.default_contexts
++.br
++
++.br
++.B etc_t
++
++ /etc/.*
++.br
++ /var/db/.*\.db
++.br
++ /usr/etc(/.*)?
++.br
++ /var/ftp/etc(/.*)?
++.br
++ /var/lib/openshift/.limits.d(/.*)?
++.br
++ /var/lib/openshift/.openshift-proxy.d(/.*)?
++.br
++ /var/lib/openshift/.stickshift-proxy.d(/.*)?
++.br
++ /var/lib/stickshift/.limits.d(/.*)?
++.br
++ /var/lib/stickshift/.stickshift-proxy.d(/.*)?
++.br
++ /var/named/chroot/etc(/.*)?
++.br
++ /etc/ipsec\.d/examples(/.*)?
++.br
++ /var/spool/postfix/etc(/.*)?
++.br
++ /etc
++.br
++ /etc/cups/client\.conf
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B file_context_t
++
++ /etc/selinux/([^/]*/)?contexts/files(/.*)?
++.br
++
++.br
++.B httpd_user_content_type
++
++
++.br
++.B httpd_user_script_exec_type
++
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B mail_spool_t
++
++ /var/mail(/.*)?
++.br
++ /var/spool/imap(/.*)?
++.br
++ /var/spool/mail(/.*)?
++.br
++
++.br
++.B passwd_file_t
++
++ /etc/group[-\+]?
++.br
++ /etc/passwd[-\+]?
++.br
++ /etc/passwd\.adjunct.*
++.br
++ /etc/ptmptmp
++.br
++ /etc/\.pwd\.lock
++.br
++ /etc/group\.lock
++.br
++ /etc/passwd\.OLD
++.br
++ /etc/passwd\.lock
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B selinux_config_t
++
++ /etc/selinux(/.*)?
++.br
++ /etc/selinux/([^/]*/)?seusers
++.br
++ /etc/selinux/([^/]*/)?users(/.*)?
++.br
++ /etc/selinux/([^/]*/)?setrans\.conf
++.br
++
++.br
++.B selinux_login_config_t
++
++ /etc/selinux/([^/]*/)?logins(/.*)?
++.br
++
++.br
++.B semanage_read_lock_t
++
++ /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK
++.br
++
++.br
++.B semanage_store_t
++
++ /etc/selinux/([^/]*/)?policy(/.*)?
++.br
++ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
++.br
++ /etc/share/selinux/mls(/.*)?
++.br
++ /etc/share/selinux/targeted(/.*)?
++.br
++
++.br
++.B semanage_tmp_t
++
++
++.br
++.B semanage_trans_lock_t
++
++ /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK
++.br
++
++.br
++.B shadow_t
++
++ /etc/shadow.*
++.br
++ /etc/gshadow.*
++.br
++ /var/db/shadow.*
++.br
++ /etc/security/opasswd
++.br
++ /etc/security/opasswd\.old
++.br
++
++.br
++.B stapserver_var_lib_t
++
++ /var/lib/stap-server(/.*)?
++.br
++
++.br
++.B user_home_type
++
++ all user home files
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the useradd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the useradd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), useradd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, user_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/usernetctl_selinux.8 b/man/man8/usernetctl_selinux.8
+new file mode 100644
+index 0000000..cb4d1bf
+--- /dev/null
++++ b/man/man8/usernetctl_selinux.8
+@@ -0,0 +1,101 @@
++.TH "usernetctl_selinux" "8" "12-11-01" "usernetctl" "SELinux Policy documentation for usernetctl"
++.SH "NAME"
++usernetctl_selinux \- Security Enhanced Linux Policy for the usernetctl processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the usernetctl processes via flexible mandatory access control.
++
++The usernetctl processes execute with the usernetctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep usernetctl_t
++
++
++.SH "ENTRYPOINTS"
++
++The usernetctl_t SELinux type can be entered via the "usernetctl_exec_t" file type. The default entrypoint paths for the usernetctl_t domain are the following:"
++
++/usr/sbin/usernetctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux usernetctl policy is very flexible allowing users to setup their usernetctl processes in as secure a method as possible.
++.PP
++The following process types are defined for usernetctl:
++
++.EX
++.B usernetctl_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux usernetctl policy is very flexible allowing users to setup their usernetctl processes in as secure a method as possible.
++.PP
++The following file types are defined for usernetctl:
++
++
++.EX
++.PP
++.B usernetctl_exec_t
++.EE
++
++- Set files with the usernetctl_exec_t type, if you want to transition an executable to the usernetctl_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the usernetctl_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the usernetctl_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), usernetctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, user_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/utempter_selinux.8 b/man/man8/utempter_selinux.8
+new file mode 100644
+index 0000000..7ae0085
+--- /dev/null
++++ b/man/man8/utempter_selinux.8
+@@ -0,0 +1,134 @@
++.TH "utempter_selinux" "8" "12-11-01" "utempter" "SELinux Policy documentation for utempter"
++.SH "NAME"
++utempter_selinux \- Security Enhanced Linux Policy for the utempter processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the utempter processes via flexible mandatory access control.
++
++The utempter processes execute with the utempter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep utempter_t
++
++
++.SH "ENTRYPOINTS"
++
++The utempter_t SELinux type can be entered via the "utempter_exec_t" file type. The default entrypoint paths for the utempter_t domain are the following:"
++
++/usr/sbin/utempter
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux utempter policy is very flexible allowing users to setup their utempter processes in as secure a method as possible.
++.PP
++The following process types are defined for utempter:
++
++.EX
++.B utempter_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux utempter policy is very flexible allowing users to setup their utempter processes in as secure a method as possible.
++.PP
++The following file types are defined for utempter:
++
++
++.EX
++.PP
++.B utempter_exec_t
++.EE
++
++- Set files with the utempter_exec_t type, if you want to transition an executable to the utempter_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type utempter_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the utempter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the utempter_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), utempter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/uucpd_selinux.8 b/man/man8/uucpd_selinux.8
+new file mode 100644
+index 0000000..1f472de
+--- /dev/null
++++ b/man/man8/uucpd_selinux.8
+@@ -0,0 +1,218 @@
++.TH "uucpd_selinux" "8" "12-11-01" "uucpd" "SELinux Policy documentation for uucpd"
++.SH "NAME"
++uucpd_selinux \- Security Enhanced Linux Policy for the uucpd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the uucpd processes via flexible mandatory access control.
++
++The uucpd processes execute with the uucpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep uucpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The uucpd_t SELinux type can be entered via the "uucpd_exec_t" file type. The default entrypoint paths for the uucpd_t domain are the following:"
++
++/usr/sbin/uucico
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux uucpd policy is very flexible allowing users to setup their uucpd processes in as secure a method as possible.
++.PP
++The following process types are defined for uucpd:
++
++.EX
++.B uucpd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux uucpd policy is very flexible allowing users to setup their uucpd processes in as secure a method as possible.
++.PP
++The following file types are defined for uucpd:
++
++
++.EX
++.PP
++.B uucpd_exec_t
++.EE
++
++- Set files with the uucpd_exec_t type, if you want to transition an executable to the uucpd_t domain.
++
++
++.EX
++.PP
++.B uucpd_lock_t
++.EE
++
++- Set files with the uucpd_lock_t type, if you want to treat the files as uucpd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B uucpd_log_t
++.EE
++
++- Set files with the uucpd_log_t type, if you want to treat the data as uucpd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B uucpd_ro_t
++.EE
++
++- Set files with the uucpd_ro_t type, if you want to treat the files as uucpd read/only content.
++
++
++.EX
++.PP
++.B uucpd_rw_t
++.EE
++
++- Set files with the uucpd_rw_t type, if you want to treat the files as uucpd read/write content.
++
++
++.EX
++.PP
++.B uucpd_spool_t
++.EE
++
++- Set files with the uucpd_spool_t type, if you want to store the uucpd files under the /var/spool directory.
++
++
++.EX
++.PP
++.B uucpd_tmp_t
++.EE
++
++- Set files with the uucpd_tmp_t type, if you want to store uucpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B uucpd_var_run_t
++.EE
++
++- Set files with the uucpd_var_run_t type, if you want to store the uucpd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux uucpd policy is very flexible allowing users to setup their uucpd processes in as secure a method as possible.
++.PP
++The following port types are defined for uucpd:
++
++.EX
++.TP 5
++.B uucpd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 540
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type uucpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B uucpd_lock_t
++
++ /var/lock/uucp(/.*)?
++.br
++
++.br
++.B uucpd_log_t
++
++ /var/log/uucp(/.*)?
++.br
++
++.br
++.B uucpd_rw_t
++
++
++.br
++.B uucpd_spool_t
++
++ /var/spool/uucp(/.*)?
++.br
++ /var/spool/uucppublic(/.*)?
++.br
++
++.br
++.B uucpd_tmp_t
++
++
++.br
++.B uucpd_var_run_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the uucpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the uucpd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), uucpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/uuidd_selinux.8 b/man/man8/uuidd_selinux.8
+new file mode 100644
+index 0000000..219e6f4
+--- /dev/null
++++ b/man/man8/uuidd_selinux.8
+@@ -0,0 +1,126 @@
++.TH "uuidd_selinux" "8" "12-11-01" "uuidd" "SELinux Policy documentation for uuidd"
++.SH "NAME"
++uuidd_selinux \- Security Enhanced Linux Policy for the uuidd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the uuidd processes via flexible mandatory access control.
++
++The uuidd processes execute with the uuidd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep uuidd_t
++
++
++.SH "ENTRYPOINTS"
++
++The uuidd_t SELinux type can be entered via the "uuidd_exec_t" file type. The default entrypoint paths for the uuidd_t domain are the following:"
++
++/usr/sbin/uuidd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux uuidd policy is very flexible allowing users to setup their uuidd processes in as secure a method as possible.
++.PP
++The following process types are defined for uuidd:
++
++.EX
++.B uuidd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux uuidd policy is very flexible allowing users to setup their uuidd processes in as secure a method as possible.
++.PP
++The following file types are defined for uuidd:
++
++
++.EX
++.PP
++.B uuidd_exec_t
++.EE
++
++- Set files with the uuidd_exec_t type, if you want to transition an executable to the uuidd_t domain.
++
++
++.EX
++.PP
++.B uuidd_initrc_exec_t
++.EE
++
++- Set files with the uuidd_initrc_exec_t type, if you want to transition an executable to the uuidd_initrc_t domain.
++
++
++.EX
++.PP
++.B uuidd_var_lib_t
++.EE
++
++- Set files with the uuidd_var_lib_t type, if you want to store the uuidd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B uuidd_var_run_t
++.EE
++
++- Set files with the uuidd_var_run_t type, if you want to store the uuidd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type uuidd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B uuidd_var_lib_t
++
++ /var/lib/libuuid(/.*)?
++.br
++
++.br
++.B uuidd_var_run_t
++
++ /var/run/uuidd(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), uuidd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/uux_selinux.8 b/man/man8/uux_selinux.8
+new file mode 100644
+index 0000000..5c1314d
+--- /dev/null
++++ b/man/man8/uux_selinux.8
+@@ -0,0 +1,116 @@
++.TH "uux_selinux" "8" "12-11-01" "uux" "SELinux Policy documentation for uux"
++.SH "NAME"
++uux_selinux \- Security Enhanced Linux Policy for the uux processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the uux processes via flexible mandatory access control.
++
++The uux processes execute with the uux_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep uux_t
++
++
++.SH "ENTRYPOINTS"
++
++The uux_t SELinux type can be entered via the "uux_exec_t" file type. The default entrypoint paths for the uux_t domain are the following:"
++
++/usr/bin/uux
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux uux policy is very flexible allowing users to setup their uux processes in as secure a method as possible.
++.PP
++The following process types are defined for uux:
++
++.EX
++.B uux_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux uux policy is very flexible allowing users to setup their uux processes in as secure a method as possible.
++.PP
++The following file types are defined for uux:
++
++
++.EX
++.PP
++.B uux_exec_t
++.EE
++
++- Set files with the uux_exec_t type, if you want to transition an executable to the uux_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type uux_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B uucpd_spool_t
++
++ /var/spool/uucp(/.*)?
++.br
++ /var/spool/uucppublic(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the uux_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the uux_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), uux(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/varnishd_selinux.8 b/man/man8/varnishd_selinux.8
+new file mode 100644
+index 0000000..a0af064
+--- /dev/null
++++ b/man/man8/varnishd_selinux.8
+@@ -0,0 +1,208 @@
++.TH "varnishd_selinux" "8" "12-11-01" "varnishd" "SELinux Policy documentation for varnishd"
++.SH "NAME"
++varnishd_selinux \- Security Enhanced Linux Policy for the varnishd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the varnishd processes via flexible mandatory access control.
++
++The varnishd processes execute with the varnishd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep varnishd_t
++
++
++.SH "ENTRYPOINTS"
++
++The varnishd_t SELinux type can be entered via the "varnishd_exec_t" file type. The default entrypoint paths for the varnishd_t domain are the following:"
++
++/usr/sbin/varnishd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux varnishd policy is very flexible allowing users to setup their varnishd processes in as secure a method as possible.
++.PP
++The following process types are defined for varnishd:
++
++.EX
++.B varnishd_t, varnishlog_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. varnishd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run varnishd with the tightest access possible.
++
++
++.PP
++If you want to allow varnishd to connect to all ports, not just HTTP, you must turn on the varnishd_connect_any boolean.
++
++.EX
++.B setsebool -P varnishd_connect_any 1
++.EE
++
++.PP
++If you want to allow varnishd to connect to all ports, not just HTTP, you must turn on the varnishd_connect_any boolean.
++
++.EX
++.B setsebool -P varnishd_connect_any 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux varnishd policy is very flexible allowing users to setup their varnishd processes in as secure a method as possible.
++.PP
++The following file types are defined for varnishd:
++
++
++.EX
++.PP
++.B varnishd_etc_t
++.EE
++
++- Set files with the varnishd_etc_t type, if you want to store varnishd files in the /etc directories.
++
++
++.EX
++.PP
++.B varnishd_exec_t
++.EE
++
++- Set files with the varnishd_exec_t type, if you want to transition an executable to the varnishd_t domain.
++
++
++.EX
++.PP
++.B varnishd_initrc_exec_t
++.EE
++
++- Set files with the varnishd_initrc_exec_t type, if you want to transition an executable to the varnishd_initrc_t domain.
++
++
++.EX
++.PP
++.B varnishd_tmp_t
++.EE
++
++- Set files with the varnishd_tmp_t type, if you want to store varnishd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B varnishd_var_lib_t
++.EE
++
++- Set files with the varnishd_var_lib_t type, if you want to store the varnishd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B varnishd_var_run_t
++.EE
++
++- Set files with the varnishd_var_run_t type, if you want to store the varnishd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux varnishd policy is very flexible allowing users to setup their varnishd processes in as secure a method as possible.
++.PP
++The following port types are defined for varnishd:
++
++.EX
++.TP 5
++.B varnishd_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 6081-6082
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type varnishd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B varnishd_tmp_t
++
++
++.br
++.B varnishd_var_lib_t
++
++ /var/lib/varnish(/.*)?
++.br
++
++.br
++.B varnishd_var_run_t
++
++ /var/run/varnish\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the varnishd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the varnishd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), varnishd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), varnishlog_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/varnishlog_selinux.8 b/man/man8/varnishlog_selinux.8
+new file mode 100644
+index 0000000..bc3b750
+--- /dev/null
++++ b/man/man8/varnishlog_selinux.8
+@@ -0,0 +1,128 @@
++.TH "varnishlog_selinux" "8" "12-11-01" "varnishlog" "SELinux Policy documentation for varnishlog"
++.SH "NAME"
++varnishlog_selinux \- Security Enhanced Linux Policy for the varnishlog processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the varnishlog processes via flexible mandatory access control.
++
++The varnishlog processes execute with the varnishlog_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep varnishlog_t
++
++
++.SH "ENTRYPOINTS"
++
++The varnishlog_t SELinux type can be entered via the "varnishlog_exec_t" file type. The default entrypoint paths for the varnishlog_t domain are the following:"
++
++/usr/bin/varnishlog, /usr/bin/varnisncsa
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux varnishlog policy is very flexible allowing users to setup their varnishlog processes in as secure a method as possible.
++.PP
++The following process types are defined for varnishlog:
++
++.EX
++.B varnishlog_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux varnishlog policy is very flexible allowing users to setup their varnishlog processes in as secure a method as possible.
++.PP
++The following file types are defined for varnishlog:
++
++
++.EX
++.PP
++.B varnishlog_exec_t
++.EE
++
++- Set files with the varnishlog_exec_t type, if you want to transition an executable to the varnishlog_t domain.
++
++
++.EX
++.PP
++.B varnishlog_initrc_exec_t
++.EE
++
++- Set files with the varnishlog_initrc_exec_t type, if you want to transition an executable to the varnishlog_initrc_t domain.
++
++
++.EX
++.PP
++.B varnishlog_log_t
++.EE
++
++- Set files with the varnishlog_log_t type, if you want to treat the data as varnishlog log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B varnishlog_var_run_t
++.EE
++
++- Set files with the varnishlog_var_run_t type, if you want to store the varnishlog files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type varnishlog_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B varnishlog_log_t
++
++ /var/log/varnish(/.*)?
++.br
++
++.br
++.B varnishlog_var_run_t
++
++ /var/run/varnishlog\.pid
++.br
++ /var/run/varnishncsa\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), varnishlog(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/vbetool_selinux.8 b/man/man8/vbetool_selinux.8
+new file mode 100644
+index 0000000..507145b
+--- /dev/null
++++ b/man/man8/vbetool_selinux.8
+@@ -0,0 +1,124 @@
++.TH "vbetool_selinux" "8" "12-11-01" "vbetool" "SELinux Policy documentation for vbetool"
++.SH "NAME"
++vbetool_selinux \- Security Enhanced Linux Policy for the vbetool processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the vbetool processes via flexible mandatory access control.
++
++The vbetool processes execute with the vbetool_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep vbetool_t
++
++
++.SH "ENTRYPOINTS"
++
++The vbetool_t SELinux type can be entered via the "vbetool_exec_t" file type. The default entrypoint paths for the vbetool_t domain are the following:"
++
++/usr/sbin/vbetool
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux vbetool policy is very flexible allowing users to setup their vbetool processes in as secure a method as possible.
++.PP
++The following process types are defined for vbetool:
++
++.EX
++.B vbetool_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. vbetool policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vbetool with the tightest access possible.
++
++
++.PP
++If you want to ignore vbetool mmap_zero errors, you must turn on the vbetool_mmap_zero_ignore boolean.
++
++.EX
++.B setsebool -P vbetool_mmap_zero_ignore 1
++.EE
++
++.PP
++If you want to ignore vbetool mmap_zero errors, you must turn on the vbetool_mmap_zero_ignore boolean.
++
++.EX
++.B setsebool -P vbetool_mmap_zero_ignore 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux vbetool policy is very flexible allowing users to setup their vbetool processes in as secure a method as possible.
++.PP
++The following file types are defined for vbetool:
++
++
++.EX
++.PP
++.B vbetool_exec_t
++.EE
++
++- Set files with the vbetool_exec_t type, if you want to transition an executable to the vbetool_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type vbetool_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B mtrr_device_t
++
++ /dev/cpu/mtrr
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), vbetool(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/vdagent_selinux.8 b/man/man8/vdagent_selinux.8
+new file mode 100644
+index 0000000..1d1e6e4
+--- /dev/null
++++ b/man/man8/vdagent_selinux.8
+@@ -0,0 +1,122 @@
++.TH "vdagent_selinux" "8" "12-11-01" "vdagent" "SELinux Policy documentation for vdagent"
++.SH "NAME"
++vdagent_selinux \- Security Enhanced Linux Policy for the vdagent processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the vdagent processes via flexible mandatory access control.
++
++The vdagent processes execute with the vdagent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep vdagent_t
++
++
++.SH "ENTRYPOINTS"
++
++The vdagent_t SELinux type can be entered via the "vdagent_exec_t" file type. The default entrypoint paths for the vdagent_t domain are the following:"
++
++/usr/sbin/spice-vdagentd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux vdagent policy is very flexible allowing users to setup their vdagent processes in as secure a method as possible.
++.PP
++The following process types are defined for vdagent:
++
++.EX
++.B vdagent_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux vdagent policy is very flexible allowing users to setup their vdagent processes in as secure a method as possible.
++.PP
++The following file types are defined for vdagent:
++
++
++.EX
++.PP
++.B vdagent_exec_t
++.EE
++
++- Set files with the vdagent_exec_t type, if you want to transition an executable to the vdagent_t domain.
++
++
++.EX
++.PP
++.B vdagent_log_t
++.EE
++
++- Set files with the vdagent_log_t type, if you want to treat the data as vdagent log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B vdagent_var_run_t
++.EE
++
++- Set files with the vdagent_var_run_t type, if you want to store the vdagent files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type vdagent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B vdagent_log_t
++
++ /var/log/spice-vdagentd(/.*)?
++.br
++ /var/log/spice-vdagentd\.log.*
++.br
++
++.br
++.B vdagent_var_run_t
++
++ /var/run/spice-vdagentd(/.*)?
++.br
++ /var/run/spice-vdagentd\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), vdagent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/vhostmd_selinux.8 b/man/man8/vhostmd_selinux.8
+new file mode 100644
+index 0000000..eafe755
+--- /dev/null
++++ b/man/man8/vhostmd_selinux.8
+@@ -0,0 +1,156 @@
++.TH "vhostmd_selinux" "8" "12-11-01" "vhostmd" "SELinux Policy documentation for vhostmd"
++.SH "NAME"
++vhostmd_selinux \- Security Enhanced Linux Policy for the vhostmd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the vhostmd processes via flexible mandatory access control.
++
++The vhostmd processes execute with the vhostmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep vhostmd_t
++
++
++.SH "ENTRYPOINTS"
++
++The vhostmd_t SELinux type can be entered via the "vhostmd_exec_t" file type. The default entrypoint paths for the vhostmd_t domain are the following:"
++
++/usr/sbin/vhostmd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux vhostmd policy is very flexible allowing users to setup their vhostmd processes in as secure a method as possible.
++.PP
++The following process types are defined for vhostmd:
++
++.EX
++.B vhostmd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux vhostmd policy is very flexible allowing users to setup their vhostmd processes in as secure a method as possible.
++.PP
++The following file types are defined for vhostmd:
++
++
++.EX
++.PP
++.B vhostmd_exec_t
++.EE
++
++- Set files with the vhostmd_exec_t type, if you want to transition an executable to the vhostmd_t domain.
++
++
++.EX
++.PP
++.B vhostmd_initrc_exec_t
++.EE
++
++- Set files with the vhostmd_initrc_exec_t type, if you want to transition an executable to the vhostmd_initrc_t domain.
++
++
++.EX
++.PP
++.B vhostmd_tmpfs_t
++.EE
++
++- Set files with the vhostmd_tmpfs_t type, if you want to store vhostmd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B vhostmd_var_run_t
++.EE
++
++- Set files with the vhostmd_var_run_t type, if you want to store the vhostmd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type vhostmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B vhostmd_tmpfs_t
++
++
++.br
++.B vhostmd_var_run_t
++
++ /var/run/vhostmd.pid
++.br
++
++.br
++.B virt_content_t
++
++ /var/lib/vdsm(/.*)?
++.br
++ /var/lib/oz/isos(/.*)?
++.br
++ /var/lib/libvirt/boot(/.*)?
++.br
++ /var/lib/libvirt/isos(/.*)?
++.br
++ /home/[^/]*/VirtualMachines/isos(/.*)?
++.br
++ /home/dwalsh/VirtualMachines/isos(/.*)?
++.br
++ /var/lib/xguest/home/xguest/VirtualMachines/isos(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vhostmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the vhostmd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), vhostmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/virsh_selinux.8 b/man/man8/virsh_selinux.8
+new file mode 100644
+index 0000000..595b506
+--- /dev/null
++++ b/man/man8/virsh_selinux.8
+@@ -0,0 +1,186 @@
++.TH "virsh_selinux" "8" "12-11-01" "virsh" "SELinux Policy documentation for virsh"
++.SH "NAME"
++virsh_selinux \- Security Enhanced Linux Policy for the virsh processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the virsh processes via flexible mandatory access control.
++
++The virsh processes execute with the virsh_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep virsh_t
++
++
++.SH "ENTRYPOINTS"
++
++The virsh_t SELinux type can be entered via the "virsh_exec_t" file type. The default entrypoint paths for the virsh_t domain are the following:"
++
++/usr/bin/virt-sandbox-service.*, /usr/bin/virsh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux virsh policy is very flexible allowing users to setup their virsh processes in as secure a method as possible.
++.PP
++The following process types are defined for virsh:
++
++.EX
++.B virsh_ssh_t, virsh_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux virsh policy is very flexible allowing users to setup their virsh processes in as secure a method as possible.
++.PP
++The following file types are defined for virsh:
++
++
++.EX
++.PP
++.B virsh_exec_t
++.EE
++
++- Set files with the virsh_exec_t type, if you want to transition an executable to the virsh_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type virsh_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B ssh_home_t
++
++ /root/\.ssh(/.*)?
++.br
++ /var/lib/openshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/amanda/\.ssh(/.*)?
++.br
++ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
++.br
++ /var/lib/gitolite/\.ssh(/.*)?
++.br
++ /var/lib/nocpulse/\.ssh(/.*)?
++.br
++ /var/lib/gitolite3/\.ssh(/.*)?
++.br
++ /root/\.shosts
++.br
++ /home/[^/]*/\.ssh(/.*)?
++.br
++ /home/[^/]*/\.shosts
++.br
++ /home/dwalsh/\.ssh(/.*)?
++.br
++ /home/dwalsh/\.shosts
++.br
++ /var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.shosts
++.br
++
++.br
++.B svirt_lxc_file_t
++
++
++.br
++.B vhostmd_tmpfs_t
++
++
++.br
++.B virt_etc_rw_t
++
++ /etc/xen/.*/.*
++.br
++ /etc/xen/[^/]*
++.br
++ /etc/libvirt/.*/.*
++.br
++ /etc/libvirt/[^/]*
++.br
++
++.br
++.B virt_etc_t
++
++ /etc/xen/[^/]*
++.br
++ /etc/libvirt/[^/]*
++.br
++ /etc/xen
++.br
++ /etc/libvirt
++.br
++
++.br
++.B virt_image_type
++
++ all virtual image files
++.br
++
++.br
++.B virt_lxc_var_run_t
++
++ /var/run/libvirt/lxc(/.*)?
++.br
++ /var/run/libvirt-sandbox(/.*)?
++.br
++
++.br
++.B xenfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virsh_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the virsh_ssh_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), virsh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/virt_bridgehelper_selinux.8 b/man/man8/virt_bridgehelper_selinux.8
+new file mode 100644
+index 0000000..4c6e5e6
+--- /dev/null
++++ b/man/man8/virt_bridgehelper_selinux.8
+@@ -0,0 +1,119 @@
++.TH "virt_bridgehelper_selinux" "8" "12-11-01" "virt_bridgehelper" "SELinux Policy documentation for virt_bridgehelper"
++.SH "NAME"
++virt_bridgehelper_selinux \- Security Enhanced Linux Policy for the virt_bridgehelper processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the virt_bridgehelper processes via flexible mandatory access control.
++
++The virt_bridgehelper processes execute with the virt_bridgehelper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep virt_bridgehelper_t
++
++
++.SH "ENTRYPOINTS"
++
++The virt_bridgehelper_t SELinux type can be entered via the "virt_bridgehelper_exec_t" file type. The default entrypoint paths for the virt_bridgehelper_t domain are the following:"
++
++/usr/libexec/qemu-bridge-helper
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux virt_bridgehelper policy is very flexible allowing users to setup their virt_bridgehelper processes in as secure a method as possible.
++.PP
++The following process types are defined for virt_bridgehelper:
++
++.EX
++.B virt_bridgehelper_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux virt_bridgehelper policy is very flexible allowing users to setup their virt_bridgehelper processes in as secure a method as possible.
++.PP
++The following file types are defined for virt_bridgehelper:
++
++
++.EX
++.PP
++.B virt_bridgehelper_exec_t
++.EE
++
++- Set files with the virt_bridgehelper_exec_t type, if you want to transition an executable to the virt_bridgehelper_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type virt_bridgehelper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B svirt_home_t
++
++ /home/[^/]*/\.libvirt/qemu(/.*)?
++.br
++ /home/[^/]*/\.cache/libvirt/qemu(/.*)?
++.br
++ /home/[^/]*/\.config/libvirt/qemu(/.*)?
++.br
++ /home/[^/]*/\.local/share/gnome-boxes/images(/.*)?
++.br
++ /home/dwalsh/\.libvirt/qemu(/.*)?
++.br
++ /home/dwalsh/\.cache/libvirt/qemu(/.*)?
++.br
++ /home/dwalsh/\.config/libvirt/qemu(/.*)?
++.br
++ /home/dwalsh/\.local/share/gnome-boxes/images(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.libvirt/qemu(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache/libvirt/qemu(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.config/libvirt/qemu(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.local/share/gnome-boxes/images(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), virt_bridgehelper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, virt_qemu_ga_selinux(8), virt_qmf_selinux(8), virtd_selinux(8), virtd_lxc_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/virt_qemu_ga_selinux.8 b/man/man8/virt_qemu_ga_selinux.8
+new file mode 100644
+index 0000000..0419773
+--- /dev/null
++++ b/man/man8/virt_qemu_ga_selinux.8
+@@ -0,0 +1,119 @@
++.TH "virt_qemu_ga_selinux" "8" "12-11-01" "virt_qemu_ga" "SELinux Policy documentation for virt_qemu_ga"
++.SH "NAME"
++virt_qemu_ga_selinux \- Security Enhanced Linux Policy for the virt_qemu_ga processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the virt_qemu_ga processes via flexible mandatory access control.
++
++The virt_qemu_ga processes execute with the virt_qemu_ga_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep virt_qemu_ga_t
++
++
++.SH "ENTRYPOINTS"
++
++The virt_qemu_ga_t SELinux type can be entered via the "virt_qemu_ga_exec_t" file type. The default entrypoint paths for the virt_qemu_ga_t domain are the following:"
++
++/usr/bin/qemu-ga
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux virt_qemu_ga policy is very flexible allowing users to setup their virt_qemu_ga processes in as secure a method as possible.
++.PP
++The following process types are defined for virt_qemu_ga:
++
++.EX
++.B virt_qemu_ga_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux virt_qemu_ga policy is very flexible allowing users to setup their virt_qemu_ga processes in as secure a method as possible.
++.PP
++The following file types are defined for virt_qemu_ga:
++
++
++.EX
++.PP
++.B virt_qemu_ga_exec_t
++.EE
++
++- Set files with the virt_qemu_ga_exec_t type, if you want to transition an executable to the virt_qemu_ga_t domain.
++
++
++.EX
++.PP
++.B virt_qemu_ga_log_t
++.EE
++
++- Set files with the virt_qemu_ga_log_t type, if you want to treat the data as virt qemu ga log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B virt_qemu_ga_var_run_t
++.EE
++
++- Set files with the virt_qemu_ga_var_run_t type, if you want to store the virt qemu ga files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type virt_qemu_ga_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B virt_qemu_ga_log_t
++
++ /var/log/qemu-ga\.log
++.br
++
++.br
++.B virt_qemu_ga_var_run_t
++
++ /var/run/qemu-ga\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), virt_qemu_ga(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, virt_bridgehelper_selinux(8), virt_qmf_selinux(8), virtd_selinux(8), virtd_lxc_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/virt_qmf_selinux.8 b/man/man8/virt_qmf_selinux.8
+new file mode 100644
+index 0000000..03fd507
+--- /dev/null
++++ b/man/man8/virt_qmf_selinux.8
+@@ -0,0 +1,87 @@
++.TH "virt_qmf_selinux" "8" "12-11-01" "virt_qmf" "SELinux Policy documentation for virt_qmf"
++.SH "NAME"
++virt_qmf_selinux \- Security Enhanced Linux Policy for the virt_qmf processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the virt_qmf processes via flexible mandatory access control.
++
++The virt_qmf processes execute with the virt_qmf_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep virt_qmf_t
++
++
++.SH "ENTRYPOINTS"
++
++The virt_qmf_t SELinux type can be entered via the "virt_qmf_exec_t" file type. The default entrypoint paths for the virt_qmf_t domain are the following:"
++
++/usr/sbin/libvirt-qmf
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux virt_qmf policy is very flexible allowing users to setup their virt_qmf processes in as secure a method as possible.
++.PP
++The following process types are defined for virt_qmf:
++
++.EX
++.B virt_qmf_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux virt_qmf policy is very flexible allowing users to setup their virt_qmf processes in as secure a method as possible.
++.PP
++The following file types are defined for virt_qmf:
++
++
++.EX
++.PP
++.B virt_qmf_exec_t
++.EE
++
++- Set files with the virt_qmf_exec_t type, if you want to transition an executable to the virt_qmf_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), virt_qmf(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, virt_bridgehelper_selinux(8), virt_qemu_ga_selinux(8), virtd_selinux(8), virtd_lxc_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/virt_selinux.8 b/man/man8/virt_selinux.8
+new file mode 100644
+index 0000000..ee560da
+--- /dev/null
++++ b/man/man8/virt_selinux.8
+@@ -0,0 +1 @@
++.so man8/virtd_selinux.8
+\ No newline at end of file
+diff --git a/man/man8/virtd_lxc_selinux.8 b/man/man8/virtd_lxc_selinux.8
+new file mode 100644
+index 0000000..68244d4
+--- /dev/null
++++ b/man/man8/virtd_lxc_selinux.8
+@@ -0,0 +1,145 @@
++.TH "virtd_lxc_selinux" "8" "12-11-01" "virtd_lxc" "SELinux Policy documentation for virtd_lxc"
++.SH "NAME"
++virtd_lxc_selinux \- Security Enhanced Linux Policy for the virtd_lxc processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the virtd_lxc processes via flexible mandatory access control.
++
++The virtd_lxc processes execute with the virtd_lxc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep virtd_lxc_t
++
++
++.SH "ENTRYPOINTS"
++
++The virtd_lxc_t SELinux type can be entered via the "virtd_lxc_exec_t" file type. The default entrypoint paths for the virtd_lxc_t domain are the following:"
++
++/usr/libexec/libvirt_lxc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux virtd_lxc policy is very flexible allowing users to setup their virtd_lxc processes in as secure a method as possible.
++.PP
++The following process types are defined for virtd_lxc:
++
++.EX
++.B virtd_lxc_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux virtd_lxc policy is very flexible allowing users to setup their virtd_lxc processes in as secure a method as possible.
++.PP
++The following file types are defined for virtd_lxc:
++
++
++.EX
++.PP
++.B virtd_lxc_exec_t
++.EE
++
++- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type virtd_lxc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B svirt_lxc_file_t
++
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B virt_image_t
++
++ /var/lib/libvirt/images(/.*)?
++.br
++ /var/lib/imagefactory/images(/.*)?
++.br
++
++.br
++.B virt_lxc_var_run_t
++
++ /var/run/libvirt/lxc(/.*)?
++.br
++ /var/run/libvirt-sandbox(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the virtd_lxc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), virtd_lxc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, virtd_selinux(8), virtd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/virtd_selinux.8 b/man/man8/virtd_selinux.8
+new file mode 100644
+index 0000000..783d0c9
+--- /dev/null
++++ b/man/man8/virtd_selinux.8
+@@ -0,0 +1,616 @@
++.TH "virtd_selinux" "8" "12-11-01" "virtd" "SELinux Policy documentation for virtd"
++.SH "NAME"
++virtd_selinux \- Security Enhanced Linux Policy for the virtd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the virtd processes via flexible mandatory access control.
++
++The virtd processes execute with the virtd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep virtd_t
++
++
++.SH "ENTRYPOINTS"
++
++The virtd_t SELinux type can be entered via the "virtd_exec_t" file type. The default entrypoint paths for the virtd_t domain are the following:"
++
++/usr/sbin/libvirtd, /usr/bin/imgfac\.py, /usr/bin/imagefactory, /usr/bin/nova-compute, /usr/sbin/condor_vm-gahp, /usr/bin/vios-proxy-host, /usr/bin/vios-proxy-guest
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible.
++.PP
++The following process types are defined for virtd:
++
++.EX
++.B virtd_lxc_t, virt_qmf_t, virt_qemu_ga_t, virt_bridgehelper_t, virtd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. virtd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virtd with the tightest access possible.
++
++
++.PP
++If you want to allow confined virtual guests to manage device configuration, (pci), you must turn on the virt_use_sysfs boolean.
++
++.EX
++.B setsebool -P virt_use_sysfs 1
++.EE
++
++.PP
++If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean.
++
++.EX
++.B setsebool -P unprivuser_use_svirt 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean.
++
++.EX
++.B setsebool -P virt_use_nfs 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean.
++
++.EX
++.B setsebool -P virt_use_samba 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use usb devices, you must turn on the virt_use_usb boolean.
++
++.EX
++.B setsebool -P virt_use_usb 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use serial/parallel communication ports, you must turn on the virt_use_comm boolean.
++
++.EX
++.B setsebool -P virt_use_comm 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean.
++
++.EX
++.B setsebool -P virt_use_xserver 1
++.EE
++
++.PP
++If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean.
++
++.EX
++.B setsebool -P staff_use_svirt 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to read fuse files, you must turn on the virt_use_fusefs boolean.
++
++.EX
++.B setsebool -P virt_use_fusefs 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use executable memory and executable stack, you must turn on the virt_use_execmem boolean.
++
++.EX
++.B setsebool -P virt_use_execmem 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean.
++
++.EX
++.B setsebool -P virt_use_sanlock 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage device configuration, (pci), you must turn on the virt_use_sysfs boolean.
++
++.EX
++.B setsebool -P virt_use_sysfs 1
++.EE
++
++.PP
++If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean.
++
++.EX
++.B setsebool -P unprivuser_use_svirt 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean.
++
++.EX
++.B setsebool -P virt_use_nfs 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean.
++
++.EX
++.B setsebool -P virt_use_samba 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use usb devices, you must turn on the virt_use_usb boolean.
++
++.EX
++.B setsebool -P virt_use_usb 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use serial/parallel communication ports, you must turn on the virt_use_comm boolean.
++
++.EX
++.B setsebool -P virt_use_comm 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean.
++
++.EX
++.B setsebool -P virt_use_xserver 1
++.EE
++
++.PP
++If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean.
++
++.EX
++.B setsebool -P staff_use_svirt 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to read fuse files, you must turn on the virt_use_fusefs boolean.
++
++.EX
++.B setsebool -P virt_use_fusefs 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use executable memory and executable stack, you must turn on the virt_use_execmem boolean.
++
++.EX
++.B setsebool -P virt_use_execmem 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean.
++
++.EX
++.B setsebool -P virt_use_sanlock 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage device configuration, (pci), you must turn on the virt_use_sysfs boolean.
++
++.EX
++.B setsebool -P virt_use_sysfs 1
++.EE
++
++.PP
++If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean.
++
++.EX
++.B setsebool -P unprivuser_use_svirt 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean.
++
++.EX
++.B setsebool -P virt_use_nfs 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean.
++
++.EX
++.B setsebool -P virt_use_samba 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use usb devices, you must turn on the virt_use_usb boolean.
++
++.EX
++.B setsebool -P virt_use_usb 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use serial/parallel communication ports, you must turn on the virt_use_comm boolean.
++
++.EX
++.B setsebool -P virt_use_comm 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean.
++
++.EX
++.B setsebool -P virt_use_xserver 1
++.EE
++
++.PP
++If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean.
++
++.EX
++.B setsebool -P staff_use_svirt 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to read fuse files, you must turn on the virt_use_fusefs boolean.
++
++.EX
++.B setsebool -P virt_use_fusefs 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use executable memory and executable stack, you must turn on the virt_use_execmem boolean.
++
++.EX
++.B setsebool -P virt_use_execmem 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean.
++
++.EX
++.B setsebool -P virt_use_sanlock 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible.
++.PP
++The following file types are defined for virtd:
++
++
++.EX
++.PP
++.B virtd_exec_t
++.EE
++
++- Set files with the virtd_exec_t type, if you want to transition an executable to the virtd_t domain.
++
++
++.EX
++.PP
++.B virtd_initrc_exec_t
++.EE
++
++- Set files with the virtd_initrc_exec_t type, if you want to transition an executable to the virtd_initrc_t domain.
++
++
++.EX
++.PP
++.B virtd_keytab_t
++.EE
++
++- Set files with the virtd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B virtd_lxc_exec_t
++.EE
++
++- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain.
++
++
++.EX
++.PP
++.B virtd_unit_file_t
++.EE
++
++- Set files with the virtd_unit_file_t type, if you want to treat the files as virtd unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible.
++.PP
++The following port types are defined for virtd:
++
++.EX
++.TP 5
++.B virt_migration_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 49152-49216
++.EE
++
++.EX
++.TP 5
++.B virt_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 16509,16514
++.EE
++udp 16509,16514
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type virtd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B dnsmasq_var_run_t
++
++ /var/run/libvirt/network(/.*)?
++.br
++ /var/run/dnsmasq\.pid
++.br
++
++.br
++.B hugetlbfs_t
++
++ /dev/hugepages
++.br
++ /lib/udev/devices/hugepages
++.br
++ /usr/lib/udev/devices/hugepages
++.br
++
++.br
++.B modules_conf_t
++
++ /etc/modprobe\.d(/.*)?
++.br
++ /etc/modules\.conf.*
++.br
++ /etc/modprobe\.conf.*
++.br
++ /lib/modules/modprobe\.conf
++.br
++ /usr/lib/modules/modprobe\.conf
++.br
++
++.br
++.B mtrr_device_t
++
++ /dev/cpu/mtrr
++.br
++
++.br
++.B qemu_var_run_t
++
++ /var/lib/libvirt/qemu(/.*)?
++.br
++ /var/run/libvirt/qemu(/.*)?
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B system_conf_t
++
++ /etc/sysctl\.conf(\.old)?
++.br
++ /etc/sysconfig/ip6?tables.*
++.br
++ /etc/sysconfig/ipvsadm.*
++.br
++ /etc/sysconfig/ebtables.*
++.br
++ /etc/sysconfig/system-config-firewall.*
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B virt_cache_t
++
++ /var/cache/oz(/.*)?
++.br
++ /var/cache/libvirt(/.*)?
++.br
++
++.br
++.B virt_etc_rw_t
++
++ /etc/xen/.*/.*
++.br
++ /etc/xen/[^/]*
++.br
++ /etc/libvirt/.*/.*
++.br
++ /etc/libvirt/[^/]*
++.br
++
++.br
++.B virt_home_t
++
++ /home/[^/]*/\.libvirt(/.*)?
++.br
++ /home/[^/]*/\.virtinst(/.*)?
++.br
++ /home/[^/]*/\.cache/libvirt(/.*)?
++.br
++ /home/[^/]*/\.config/libvirt(/.*)?
++.br
++ /home/[^/]*/VirtualMachines(/.*)?
++.br
++ /home/[^/]*/\.cache/gnome-boxes(/.*)?
++.br
++ /home/dwalsh/\.libvirt(/.*)?
++.br
++ /home/dwalsh/\.virtinst(/.*)?
++.br
++ /home/dwalsh/\.cache/libvirt(/.*)?
++.br
++ /home/dwalsh/\.config/libvirt(/.*)?
++.br
++ /home/dwalsh/VirtualMachines(/.*)?
++.br
++ /home/dwalsh/\.cache/gnome-boxes(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.libvirt(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.virtinst(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache/libvirt(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.config/libvirt(/.*)?
++.br
++ /var/lib/xguest/home/xguest/VirtualMachines(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.cache/gnome-boxes(/.*)?
++.br
++
++.br
++.B virt_image_type
++
++ all virtual image files
++.br
++
++.br
++.B virt_lock_t
++
++
++.br
++.B virt_log_t
++
++ /var/log/log(/.*)?
++.br
++ /var/log/vdsm(/.*)?
++.br
++ /var/log/libvirt(/.*)?
++.br
++
++.br
++.B virt_lxc_var_run_t
++
++ /var/run/libvirt/lxc(/.*)?
++.br
++ /var/run/libvirt-sandbox(/.*)?
++.br
++
++.br
++.B virt_tmp_t
++
++
++.br
++.B virt_var_lib_t
++
++ /var/lib/oz(/.*)?
++.br
++ /var/lib/libvirt(/.*)?
++.br
++
++.br
++.B virt_var_run_t
++
++ /var/vdsm(/.*)?
++.br
++ /var/run/vdsm(/.*)?
++.br
++ /var/run/libvirt(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virtd_t, virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the virtd_t, virtd_lxc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), virtd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), virt_bridgehelper_selinux(8), virt_qemu_ga_selinux(8), virt_qmf_selinux(8), virtd_lxc_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/vlock_selinux.8 b/man/man8/vlock_selinux.8
+new file mode 100644
+index 0000000..372dfc6
+--- /dev/null
++++ b/man/man8/vlock_selinux.8
+@@ -0,0 +1,130 @@
++.TH "vlock_selinux" "8" "12-11-01" "vlock" "SELinux Policy documentation for vlock"
++.SH "NAME"
++vlock_selinux \- Security Enhanced Linux Policy for the vlock processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the vlock processes via flexible mandatory access control.
++
++The vlock processes execute with the vlock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep vlock_t
++
++
++.SH "ENTRYPOINTS"
++
++The vlock_t SELinux type can be entered via the "vlock_exec_t" file type. The default entrypoint paths for the vlock_t domain are the following:"
++
++/usr/sbin/vlock-main
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux vlock policy is very flexible allowing users to setup their vlock processes in as secure a method as possible.
++.PP
++The following process types are defined for vlock:
++
++.EX
++.B vlock_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux vlock policy is very flexible allowing users to setup their vlock processes in as secure a method as possible.
++.PP
++The following file types are defined for vlock:
++
++
++.EX
++.PP
++.B vlock_exec_t
++.EE
++
++- Set files with the vlock_exec_t type, if you want to transition an executable to the vlock_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type vlock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the vlock_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), vlock(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/vmware_host_selinux.8 b/man/man8/vmware_host_selinux.8
+new file mode 100644
+index 0000000..2dd2f97
+--- /dev/null
++++ b/man/man8/vmware_host_selinux.8
+@@ -0,0 +1,139 @@
++.TH "vmware_host_selinux" "8" "12-11-01" "vmware_host" "SELinux Policy documentation for vmware_host"
++.SH "NAME"
++vmware_host_selinux \- Security Enhanced Linux Policy for the vmware_host processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the vmware_host processes via flexible mandatory access control.
++
++The vmware_host processes execute with the vmware_host_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep vmware_host_t
++
++
++.SH "ENTRYPOINTS"
++
++The vmware_host_t SELinux type can be entered via the "vmware_host_exec_t" file type. The default entrypoint paths for the vmware_host_t domain are the following:"
++
++/usr/sbin/vmware-guest.*, /usr/lib/vmware-tools/sbin32/vmware.*, /usr/lib/vmware-tools/sbin64/vmware.*, /usr/bin/vmnet-natd, /usr/bin/vmware-vmx, /usr/bin/vmnet-dhcpd, /usr/bin/vmware-nmbd, /usr/bin/vmware-smbd, /usr/bin/vmnet-bridge, /usr/bin/vmnet-netifup, /usr/bin/vmnet-sniffer, /usr/bin/vmware-network, /usr/bin/vmware-smbpasswd, /usr/bin/vmware-smbpasswd\.bin, /usr/lib/vmware/bin/vmware-vmx
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux vmware_host policy is very flexible allowing users to setup their vmware_host processes in as secure a method as possible.
++.PP
++The following process types are defined for vmware_host:
++
++.EX
++.B vmware_host_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux vmware_host policy is very flexible allowing users to setup their vmware_host processes in as secure a method as possible.
++.PP
++The following file types are defined for vmware_host:
++
++
++.EX
++.PP
++.B vmware_host_exec_t
++.EE
++
++- Set files with the vmware_host_exec_t type, if you want to transition an executable to the vmware_host_t domain.
++
++
++.EX
++.PP
++.B vmware_host_pid_t
++.EE
++
++- Set files with the vmware_host_pid_t type, if you want to store the vmware host files under the /run directory.
++
++
++.EX
++.PP
++.B vmware_host_tmp_t
++.EE
++
++- Set files with the vmware_host_tmp_t type, if you want to store vmware host temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type vmware_host_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B vmware_host_pid_t
++
++
++.br
++.B vmware_host_tmp_t
++
++
++.br
++.B vmware_log_t
++
++ /var/log/vmware.*
++.br
++ /var/log/vnetlib.*
++.br
++
++.br
++.B vmware_sys_conf_t
++
++ /etc/vmware.*(/.*)?
++.br
++ /usr/lib/vmware/config
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), vmware_host(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, vmware_selinux(8), vmware_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/vmware_selinux.8 b/man/man8/vmware_selinux.8
+new file mode 100644
+index 0000000..de1de63
+--- /dev/null
++++ b/man/man8/vmware_selinux.8
+@@ -0,0 +1,241 @@
++.TH "vmware_selinux" "8" "12-11-01" "vmware" "SELinux Policy documentation for vmware"
++.SH "NAME"
++vmware_selinux \- Security Enhanced Linux Policy for the vmware processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the vmware processes via flexible mandatory access control.
++
++The vmware processes execute with the vmware_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep vmware_t
++
++
++.SH "ENTRYPOINTS"
++
++The vmware_t SELinux type can be entered via the "vmware_exec_t" file type. The default entrypoint paths for the vmware_t domain are the following:"
++
++/usr/bin/vmware, /usr/bin/vmware-ping, /usr/bin/vmware-wizard, /usr/sbin/vmware-serverd, /usr/lib/vmware/bin/vmplayer, /usr/lib/vmware/bin/vmware-ui, /usr/lib/vmware/bin/vmware-mks
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux vmware policy is very flexible allowing users to setup their vmware processes in as secure a method as possible.
++.PP
++The following process types are defined for vmware:
++
++.EX
++.B vmware_t, vmware_host_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux vmware policy is very flexible allowing users to setup their vmware processes in as secure a method as possible.
++.PP
++The following file types are defined for vmware:
++
++
++.EX
++.PP
++.B vmware_conf_t
++.EE
++
++- Set files with the vmware_conf_t type, if you want to treat the files as vmware configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B vmware_exec_t
++.EE
++
++- Set files with the vmware_exec_t type, if you want to transition an executable to the vmware_t domain.
++
++
++.EX
++.PP
++.B vmware_file_t
++.EE
++
++- Set files with the vmware_file_t type, if you want to treat the files as vmware content.
++
++
++.EX
++.PP
++.B vmware_host_exec_t
++.EE
++
++- Set files with the vmware_host_exec_t type, if you want to transition an executable to the vmware_host_t domain.
++
++
++.EX
++.PP
++.B vmware_host_pid_t
++.EE
++
++- Set files with the vmware_host_pid_t type, if you want to store the vmware host files under the /run directory.
++
++
++.EX
++.PP
++.B vmware_host_tmp_t
++.EE
++
++- Set files with the vmware_host_tmp_t type, if you want to store vmware host temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B vmware_log_t
++.EE
++
++- Set files with the vmware_log_t type, if you want to treat the data as vmware log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B vmware_pid_t
++.EE
++
++- Set files with the vmware_pid_t type, if you want to store the vmware files under the /run directory.
++
++
++.EX
++.PP
++.B vmware_sys_conf_t
++.EE
++
++- Set files with the vmware_sys_conf_t type, if you want to treat the files as vmware sys configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B vmware_tmp_t
++.EE
++
++- Set files with the vmware_tmp_t type, if you want to store vmware temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B vmware_tmpfs_t
++.EE
++
++- Set files with the vmware_tmpfs_t type, if you want to store vmware files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type vmware_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B usbfs_t
++
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B vmware_conf_t
++
++ /home/[^/]*/\.vmware[^/]*/.*\.cfg
++.br
++ /home/dwalsh/\.vmware[^/]*/.*\.cfg
++.br
++ /var/lib/xguest/home/xguest/\.vmware[^/]*/.*\.cfg
++.br
++
++.br
++.B vmware_file_t
++
++ /home/[^/]*/vmware(/.*)?
++.br
++ /home/[^/]*/\.vmware(/.*)?
++.br
++ /home/dwalsh/vmware(/.*)?
++.br
++ /home/dwalsh/\.vmware(/.*)?
++.br
++ /var/lib/xguest/home/xguest/vmware(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.vmware(/.*)?
++.br
++
++.br
++.B vmware_pid_t
++
++
++.br
++.B vmware_tmp_t
++
++
++.br
++.B vmware_tmpfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), vmware(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, vmware_host_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/vnstat_selinux.8 b/man/man8/vnstat_selinux.8
+new file mode 100644
+index 0000000..2139a86
+--- /dev/null
++++ b/man/man8/vnstat_selinux.8
+@@ -0,0 +1,121 @@
++.TH "vnstat_selinux" "8" "12-11-01" "vnstat" "SELinux Policy documentation for vnstat"
++.SH "NAME"
++vnstat_selinux \- Security Enhanced Linux Policy for the vnstat processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the vnstat processes via flexible mandatory access control.
++
++The vnstat processes execute with the vnstat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep vnstat_t
++
++
++.SH "ENTRYPOINTS"
++
++The vnstat_t SELinux type can be entered via the "vnstat_exec_t" file type. The default entrypoint paths for the vnstat_t domain are the following:"
++
++/usr/bin/vnstat
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux vnstat policy is very flexible allowing users to setup their vnstat processes in as secure a method as possible.
++.PP
++The following process types are defined for vnstat:
++
++.EX
++.B vnstat_t, vnstatd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux vnstat policy is very flexible allowing users to setup their vnstat processes in as secure a method as possible.
++.PP
++The following file types are defined for vnstat:
++
++
++.EX
++.PP
++.B vnstat_exec_t
++.EE
++
++- Set files with the vnstat_exec_t type, if you want to transition an executable to the vnstat_t domain.
++
++
++.EX
++.PP
++.B vnstatd_exec_t
++.EE
++
++- Set files with the vnstatd_exec_t type, if you want to transition an executable to the vnstatd_t domain.
++
++
++.EX
++.PP
++.B vnstatd_var_lib_t
++.EE
++
++- Set files with the vnstatd_var_lib_t type, if you want to store the vnstatd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B vnstatd_var_run_t
++.EE
++
++- Set files with the vnstatd_var_run_t type, if you want to store the vnstatd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type vnstat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B vnstatd_var_lib_t
++
++ /var/lib/vnstat(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), vnstat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, vnstatd_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/vnstatd_selinux.8 b/man/man8/vnstatd_selinux.8
+new file mode 100644
+index 0000000..548eb69
+--- /dev/null
++++ b/man/man8/vnstatd_selinux.8
+@@ -0,0 +1,119 @@
++.TH "vnstatd_selinux" "8" "12-11-01" "vnstatd" "SELinux Policy documentation for vnstatd"
++.SH "NAME"
++vnstatd_selinux \- Security Enhanced Linux Policy for the vnstatd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the vnstatd processes via flexible mandatory access control.
++
++The vnstatd processes execute with the vnstatd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep vnstatd_t
++
++
++.SH "ENTRYPOINTS"
++
++The vnstatd_t SELinux type can be entered via the "vnstatd_exec_t" file type. The default entrypoint paths for the vnstatd_t domain are the following:"
++
++/usr/sbin/vnstatd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux vnstatd policy is very flexible allowing users to setup their vnstatd processes in as secure a method as possible.
++.PP
++The following process types are defined for vnstatd:
++
++.EX
++.B vnstat_t, vnstatd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux vnstatd policy is very flexible allowing users to setup their vnstatd processes in as secure a method as possible.
++.PP
++The following file types are defined for vnstatd:
++
++
++.EX
++.PP
++.B vnstatd_exec_t
++.EE
++
++- Set files with the vnstatd_exec_t type, if you want to transition an executable to the vnstatd_t domain.
++
++
++.EX
++.PP
++.B vnstatd_var_lib_t
++.EE
++
++- Set files with the vnstatd_var_lib_t type, if you want to store the vnstatd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B vnstatd_var_run_t
++.EE
++
++- Set files with the vnstatd_var_run_t type, if you want to store the vnstatd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type vnstatd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B vnstatd_var_lib_t
++
++ /var/lib/vnstat(/.*)?
++.br
++
++.br
++.B vnstatd_var_run_t
++
++ /var/run/vnstat\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), vnstatd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, vnstat_selinux(8), vnstat_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/vpnc_selinux.8 b/man/man8/vpnc_selinux.8
+new file mode 100644
+index 0000000..d20c0f1
+--- /dev/null
++++ b/man/man8/vpnc_selinux.8
+@@ -0,0 +1,156 @@
++.TH "vpnc_selinux" "8" "12-11-01" "vpnc" "SELinux Policy documentation for vpnc"
++.SH "NAME"
++vpnc_selinux \- Security Enhanced Linux Policy for the vpnc processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the vpnc processes via flexible mandatory access control.
++
++The vpnc processes execute with the vpnc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep vpnc_t
++
++
++.SH "ENTRYPOINTS"
++
++The vpnc_t SELinux type can be entered via the "vpnc_exec_t" file type. The default entrypoint paths for the vpnc_t domain are the following:"
++
++/sbin/vpnc, /usr/sbin/vpnc, /usr/bin/openconnect
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux vpnc policy is very flexible allowing users to setup their vpnc processes in as secure a method as possible.
++.PP
++The following process types are defined for vpnc:
++
++.EX
++.B vpnc_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux vpnc policy is very flexible allowing users to setup their vpnc processes in as secure a method as possible.
++.PP
++The following file types are defined for vpnc:
++
++
++.EX
++.PP
++.B vpnc_exec_t
++.EE
++
++- Set files with the vpnc_exec_t type, if you want to transition an executable to the vpnc_t domain.
++
++
++.EX
++.PP
++.B vpnc_tmp_t
++.EE
++
++- Set files with the vpnc_tmp_t type, if you want to store vpnc temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B vpnc_var_run_t
++.EE
++
++- Set files with the vpnc_var_run_t type, if you want to store the vpnc files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type vpnc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B net_conf_t
++
++ /etc/ntpd?\.conf.*
++.br
++ /etc/hosts[^/]*
++.br
++ /etc/yp\.conf.*
++.br
++ /etc/denyhosts.*
++.br
++ /etc/hosts\.deny.*
++.br
++ /etc/resolv\.conf.*
++.br
++ /etc/ntp/step-tickers.*
++.br
++ /etc/sysconfig/networking(/.*)?
++.br
++ /etc/sysconfig/network-scripts(/.*)?
++.br
++ /etc/sysconfig/network-scripts/.*resolv\.conf
++.br
++ /etc/ethers
++.br
++
++.br
++.B vpnc_tmp_t
++
++
++.br
++.B vpnc_var_run_t
++
++ /var/run/vpnc(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vpnc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the vpnc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), vpnc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/wdmd_selinux.8 b/man/man8/wdmd_selinux.8
+new file mode 100644
+index 0000000..347d6d8
+--- /dev/null
++++ b/man/man8/wdmd_selinux.8
+@@ -0,0 +1,138 @@
++.TH "wdmd_selinux" "8" "12-11-01" "wdmd" "SELinux Policy documentation for wdmd"
++.SH "NAME"
++wdmd_selinux \- Security Enhanced Linux Policy for the wdmd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the wdmd processes via flexible mandatory access control.
++
++The wdmd processes execute with the wdmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep wdmd_t
++
++
++.SH "ENTRYPOINTS"
++
++The wdmd_t SELinux type can be entered via the "wdmd_exec_t" file type. The default entrypoint paths for the wdmd_t domain are the following:"
++
++/usr/sbin/wdmd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux wdmd policy is very flexible allowing users to setup their wdmd processes in as secure a method as possible.
++.PP
++The following process types are defined for wdmd:
++
++.EX
++.B wdmd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux wdmd policy is very flexible allowing users to setup their wdmd processes in as secure a method as possible.
++.PP
++The following file types are defined for wdmd:
++
++
++.EX
++.PP
++.B wdmd_exec_t
++.EE
++
++- Set files with the wdmd_exec_t type, if you want to transition an executable to the wdmd_t domain.
++
++
++.EX
++.PP
++.B wdmd_initrc_exec_t
++.EE
++
++- Set files with the wdmd_initrc_exec_t type, if you want to transition an executable to the wdmd_initrc_t domain.
++
++
++.EX
++.PP
++.B wdmd_tmpfs_t
++.EE
++
++- Set files with the wdmd_tmpfs_t type, if you want to store wdmd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B wdmd_var_run_t
++.EE
++
++- Set files with the wdmd_var_run_t type, if you want to store the wdmd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type wdmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B wdmd_tmpfs_t
++
++
++.br
++.B wdmd_var_run_t
++
++ /var/run/wdmd(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the wdmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the wdmd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), wdmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/webadm_selinux.8 b/man/man8/webadm_selinux.8
+new file mode 100644
+index 0000000..46d2721
+--- /dev/null
++++ b/man/man8/webadm_selinux.8
+@@ -0,0 +1,255 @@
++.TH "webadm_selinux" "8" "webadm" "mgrepl@redhat.com" "webadm SELinux Policy documentation"
++.SH "NAME"
++webadm_r \- \fBWeb administrator role\fP - Security Enhanced Linux Policy
++
++.SH DESCRIPTION
++
++SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into.
++
++.I Note:
++Examples in this man page will use the
++.B staff_u
++SELinux user.
++
++Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them.
++
++The default type for the webadm_r role is webadm_t.
++
++The
++.B newrole
++program to transition directly to this role.
++
++.B newrole -r webadm_r -t webadm_t
++
++.B sudo
++is the preferred method to do transition from one role to another. You setup sudo to transition to webadm_r by adding a similar line to the /etc/sudoers file.
++
++USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
++
++.br
++sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL
++
++When using a a non login role, you need to setup SELinux so that your SELinux user can reach webadm_r role.
++
++Execute the following to see all of the assigned SELinux roles:
++
++.B semanage user -l
++
++You need to add webadm_r to the staff_u user. You could setup the staff_u user to be able to use the webadm_r role with a command like:
++
++.B $ semanage user -m -R 'staff_r system_r webadm_r' staff_u
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. webadm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run webadm with the tightest access possible.
++
++
++.PP
++If you want to allow webadm to manage files in users home directories, you must turn on the webadm_manage_user_files boolean.
++
++.EX
++.B setsebool -P webadm_manage_user_files 1
++.EE
++
++.PP
++If you want to allow webadm to read files in users home directories, you must turn on the webadm_read_user_files boolean.
++
++.EX
++.B setsebool -P webadm_read_user_files 1
++.EE
++
++.PP
++If you want to allow webadm to manage files in users home directories, you must turn on the webadm_manage_user_files boolean.
++
++.EX
++.B setsebool -P webadm_manage_user_files 1
++.EE
++
++.PP
++If you want to allow webadm to read files in users home directories, you must turn on the webadm_read_user_files boolean.
++
++.EX
++.B setsebool -P webadm_read_user_files 1
++.EE
++
++.SH "MANAGED FILES"
++
++The SELinux process type webadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B httpd_config_t
++
++ /etc/httpd(/.*)?
++.br
++ /etc/apache(2)?(/.*)?
++.br
++ /etc/cherokee(/.*)?
++.br
++ /etc/lighttpd(/.*)?
++.br
++ /etc/apache-ssl(2)?(/.*)?
++.br
++ /var/lib/openshift/.httpd.d(/.*)?
++.br
++ /var/lib/stickshift/.httpd.d(/.*)?
++.br
++ /etc/vhosts
++.br
++
++.br
++.B httpd_lock_t
++
++
++.br
++.B httpd_log_t
++
++ /var/www(/.*)?/logs(/.*)?
++.br
++ /var/log/cacti(/.*)?
++.br
++ /var/log/httpd(/.*)?
++.br
++ /var/log/apache(2)?(/.*)?
++.br
++ /var/log/cherokee(/.*)?
++.br
++ /var/log/lighttpd(/.*)?
++.br
++ /var/log/suphp\.log.*
++.br
++ /var/log/apache-ssl(2)?(/.*)?
++.br
++ /var/log/cgiwrap\.log.*
++.br
++ /var/www/stickshift/[^/]*/log(/.*)?
++.br
++ /var/log/roundcubemail(/.*)?
++.br
++ /var/log/dirsrv/admin-serv(/.*)?
++.br
++ /etc/httpd/logs
++.br
++
++.br
++.B httpd_modules_t
++
++ /usr/lib/httpd(/.*)?
++.br
++ /usr/lib/apache(/.*)?
++.br
++ /usr/lib/cherokee(/.*)?
++.br
++ /usr/lib/lighttpd(/.*)?
++.br
++ /usr/lib/apache2/modules(/.*)?
++.br
++ /etc/httpd/modules
++.br
++
++.br
++.B httpd_php_tmp_t
++
++
++.br
++.B httpd_script_exec_type
++
++
++.br
++.B httpd_suexec_tmp_t
++
++
++.br
++.B httpd_tmp_t
++
++ /var/run/user/apache(/.*)?
++.br
++
++.br
++.B httpd_unit_file_t
++
++ /usr/lib/systemd/system/httpd.*
++.br
++ /usr/lib/systemd/system/jetty.*
++.br
++
++.br
++.B httpd_var_run_t
++
++ /var/run/mod_.*
++.br
++ /var/run/wsgi.*
++.br
++ /var/run/httpd.*
++.br
++ /var/run/apache.*
++.br
++ /var/run/lighttpd(/.*)?
++.br
++ /var/lib/php/session(/.*)?
++.br
++ /var/run/dirsrv/admin-serv.*
++.br
++ /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
++.br
++ /var/run/gcache_port
++.br
++ /var/run/cherokee\.pid
++.br
++
++.br
++.B httpdcontent
++
++
++.br
++.B public_content_rw_t
++
++ /var/spool/abrt-upload(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B var_lock_t
++
++ /var/lock(/.*)?
++.br
++ /run/lock(/.*)?
++.br
++ /var/lock
++.br
++
++.br
++.B webadm_tmp_t
++
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), webadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/webalizer_selinux.8 b/man/man8/webalizer_selinux.8
+new file mode 100644
+index 0000000..c971659
+--- /dev/null
++++ b/man/man8/webalizer_selinux.8
+@@ -0,0 +1,198 @@
++.TH "webalizer_selinux" "8" "12-11-01" "webalizer" "SELinux Policy documentation for webalizer"
++.SH "NAME"
++webalizer_selinux \- Security Enhanced Linux Policy for the webalizer processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the webalizer processes via flexible mandatory access control.
++
++The webalizer processes execute with the webalizer_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep webalizer_t
++
++
++.SH "ENTRYPOINTS"
++
++The webalizer_t SELinux type can be entered via the "webalizer_exec_t" file type. The default entrypoint paths for the webalizer_t domain are the following:"
++
++/usr/bin/awffull, /usr/bin/webalizer
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux webalizer policy is very flexible allowing users to setup their webalizer processes in as secure a method as possible.
++.PP
++The following process types are defined for webalizer:
++
++.EX
++.B webalizer_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux webalizer policy is very flexible allowing users to setup their webalizer processes in as secure a method as possible.
++.PP
++The following file types are defined for webalizer:
++
++
++.EX
++.PP
++.B webalizer_etc_t
++.EE
++
++- Set files with the webalizer_etc_t type, if you want to store webalizer files in the /etc directories.
++
++
++.EX
++.PP
++.B webalizer_exec_t
++.EE
++
++- Set files with the webalizer_exec_t type, if you want to transition an executable to the webalizer_t domain.
++
++
++.EX
++.PP
++.B webalizer_tmp_t
++.EE
++
++- Set files with the webalizer_tmp_t type, if you want to store webalizer temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B webalizer_usage_t
++.EE
++
++- Set files with the webalizer_usage_t type, if you want to treat the files as webalizer usage data.
++
++
++.EX
++.PP
++.B webalizer_var_lib_t
++.EE
++
++- Set files with the webalizer_var_lib_t type, if you want to store the webalizer files under the /var/lib directory.
++
++
++.EX
++.PP
++.B webalizer_write_t
++.EE
++
++- Set files with the webalizer_write_t type, if you want to treat the files as webalizer read/write content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type webalizer_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B httpd_sys_content_t
++
++ /srv/([^/]*/)?www(/.*)?
++.br
++ /var/www(/.*)?
++.br
++ /etc/htdig(/.*)?
++.br
++ /srv/gallery2(/.*)?
++.br
++ /var/lib/trac(/.*)?
++.br
++ /var/lib/htdig(/.*)?
++.br
++ /var/www/icons(/.*)?
++.br
++ /usr/share/htdig(/.*)?
++.br
++ /usr/share/drupal.*
++.br
++ /var/www/svn/conf(/.*)?
++.br
++ /usr/share/icecast(/.*)?
++.br
++ /usr/share/mythweb(/.*)?
++.br
++ /var/lib/cacti/rra(/.*)?
++.br
++ /usr/share/ntop/html(/.*)?
++.br
++ /usr/share/mythtv/data(/.*)?
++.br
++ /usr/share/doc/ghc/html(/.*)?
++.br
++ /usr/share/openca/htdocs(/.*)?
++.br
++ /usr/share/selinux-policy[^/]*/html(/.*)?
++.br
++
++.br
++.B webalizer_tmp_t
++
++
++.br
++.B webalizer_var_lib_t
++
++ /var/lib/webalizer(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the webalizer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the webalizer_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), webalizer(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/winbind_helper_selinux.8 b/man/man8/winbind_helper_selinux.8
+new file mode 100644
+index 0000000..2cf4c75
+--- /dev/null
++++ b/man/man8/winbind_helper_selinux.8
+@@ -0,0 +1,101 @@
++.TH "winbind_helper_selinux" "8" "12-11-01" "winbind_helper" "SELinux Policy documentation for winbind_helper"
++.SH "NAME"
++winbind_helper_selinux \- Security Enhanced Linux Policy for the winbind_helper processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the winbind_helper processes via flexible mandatory access control.
++
++The winbind_helper processes execute with the winbind_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep winbind_helper_t
++
++
++.SH "ENTRYPOINTS"
++
++The winbind_helper_t SELinux type can be entered via the "winbind_helper_exec_t" file type. The default entrypoint paths for the winbind_helper_t domain are the following:"
++
++/usr/bin/ntlm_auth
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux winbind_helper policy is very flexible allowing users to setup their winbind_helper processes in as secure a method as possible.
++.PP
++The following process types are defined for winbind_helper:
++
++.EX
++.B winbind_helper_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux winbind_helper policy is very flexible allowing users to setup their winbind_helper processes in as secure a method as possible.
++.PP
++The following file types are defined for winbind_helper:
++
++
++.EX
++.PP
++.B winbind_helper_exec_t
++.EE
++
++- Set files with the winbind_helper_exec_t type, if you want to transition an executable to the winbind_helper_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the winbind_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the winbind_helper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), winbind_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, winbind_selinux(8), winbind_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/winbind_selinux.8 b/man/man8/winbind_selinux.8
+new file mode 100644
+index 0000000..63e0898
+--- /dev/null
++++ b/man/man8/winbind_selinux.8
+@@ -0,0 +1,284 @@
++.TH "winbind_selinux" "8" "12-11-01" "winbind" "SELinux Policy documentation for winbind"
++.SH "NAME"
++winbind_selinux \- Security Enhanced Linux Policy for the winbind processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the winbind processes via flexible mandatory access control.
++
++The winbind processes execute with the winbind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep winbind_t
++
++
++.SH "ENTRYPOINTS"
++
++The winbind_t SELinux type can be entered via the "winbind_exec_t" file type. The default entrypoint paths for the winbind_t domain are the following:"
++
++/usr/sbin/winbindd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux winbind policy is very flexible allowing users to setup their winbind processes in as secure a method as possible.
++.PP
++The following process types are defined for winbind:
++
++.EX
++.B winbind_helper_t, winbind_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. winbind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run winbind with the tightest access possible.
++
++
++.PP
++If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean.
++
++.EX
++.B setsebool -P httpd_mod_auth_ntlm_winbind 1
++.EE
++
++.PP
++If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean.
++
++.EX
++.B setsebool -P httpd_mod_auth_ntlm_winbind 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux winbind policy is very flexible allowing users to setup their winbind processes in as secure a method as possible.
++.PP
++The following file types are defined for winbind:
++
++
++.EX
++.PP
++.B winbind_exec_t
++.EE
++
++- Set files with the winbind_exec_t type, if you want to transition an executable to the winbind_t domain.
++
++
++.EX
++.PP
++.B winbind_helper_exec_t
++.EE
++
++- Set files with the winbind_helper_exec_t type, if you want to transition an executable to the winbind_helper_t domain.
++
++
++.EX
++.PP
++.B winbind_log_t
++.EE
++
++- Set files with the winbind_log_t type, if you want to treat the data as winbind log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B winbind_var_run_t
++.EE
++
++- Set files with the winbind_var_run_t type, if you want to store the winbind files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type winbind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B ctdbd_var_lib_t
++
++ /etc/ctdb(/.*)?
++.br
++ /var/ctdb(/.*)?
++.br
++ /var/ctdbd(/.*)?
++.br
++ /var/lib/ctdbd(/.*)?
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B samba_log_t
++
++ /var/log/samba(/.*)?
++.br
++
++.br
++.B samba_secrets_t
++
++ /etc/samba/smbpasswd
++.br
++ /etc/samba/passdb\.tdb
++.br
++ /etc/samba/MACHINE\.SID
++.br
++ /etc/samba/secrets\.tdb
++.br
++
++.br
++.B samba_var_t
++
++ /var/lib/samba(/.*)?
++.br
++ /var/cache/samba(/.*)?
++.br
++ /var/spool/samba(/.*)?
++.br
++
++.br
++.B smbd_tmp_t
++
++
++.br
++.B smbd_var_run_t
++
++ /var/run/samba(/.*)?
++.br
++ /var/run/samba/smbd\.pid
++.br
++ /var/run/samba/brlock\.tdb
++.br
++ /var/run/samba/locking\.tdb
++.br
++ /var/run/samba/gencache\.tdb
++.br
++ /var/run/samba/sessionid\.tdb
++.br
++ /var/run/samba/share_info\.tdb
++.br
++ /var/run/samba/connections\.tdb
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.br
++.B winbind_log_t
++
++
++.br
++.B winbind_var_run_t
++
++ /var/run/winbindd(/.*)?
++.br
++ /var/run/samba/winbindd(/.*)?
++.br
++ /var/lib/samba/winbindd_privileged(/.*)?
++.br
++ /var/cache/samba/winbindd_privileged(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the winbind_helper_t, winbind_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the winbind_helper_t, winbind_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), winbind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), winbind_helper_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/wine_selinux.8 b/man/man8/wine_selinux.8
+new file mode 100644
+index 0000000..b6b7f15
+--- /dev/null
++++ b/man/man8/wine_selinux.8
+@@ -0,0 +1,124 @@
++.TH "wine_selinux" "8" "12-11-01" "wine" "SELinux Policy documentation for wine"
++.SH "NAME"
++wine_selinux \- Security Enhanced Linux Policy for the wine processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the wine processes via flexible mandatory access control.
++
++The wine processes execute with the wine_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep wine_t
++
++
++.SH "ENTRYPOINTS"
++
++The wine_t SELinux type can be entered via the "wine_exec_t" file type. The default entrypoint paths for the wine_t domain are the following:"
++
++/usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/msiexec, /opt/google/picasa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/progman, /opt/google/picasa(/.*)?/bin/regedit, /opt/google/picasa(/.*)?/bin/regsvr32, /opt/google/picasa(/.*)?/Picasa3/.*exe, /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*, /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad, /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller, /home/[^/]*/cxoffice/bin/wine.+, /home/dwalsh/cxoffice/bin/wine.+, /var/lib/xguest/home/xguest/cxoffice/bin/wine.+
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux wine policy is very flexible allowing users to setup their wine processes in as secure a method as possible.
++.PP
++The following process types are defined for wine:
++
++.EX
++.B wine_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. wine policy is extremely flexible and has several booleans that allow you to manipulate the policy and run wine with the tightest access possible.
++
++
++.PP
++If you want to ignore wine mmap_zero errors, you must turn on the wine_mmap_zero_ignore boolean.
++
++.EX
++.B setsebool -P wine_mmap_zero_ignore 1
++.EE
++
++.PP
++If you want to ignore wine mmap_zero errors, you must turn on the wine_mmap_zero_ignore boolean.
++
++.EX
++.B setsebool -P wine_mmap_zero_ignore 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux wine policy is very flexible allowing users to setup their wine processes in as secure a method as possible.
++.PP
++The following file types are defined for wine:
++
++
++.EX
++.PP
++.B wine_exec_t
++.EE
++
++- Set files with the wine_exec_t type, if you want to transition an executable to the wine_t domain.
++
++
++.EX
++.PP
++.B wine_tmp_t
++.EE
++
++- Set files with the wine_tmp_t type, if you want to store wine temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type wine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B wine_tmp_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), wine(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/wireshark_selinux.8 b/man/man8/wireshark_selinux.8
+new file mode 100644
+index 0000000..58e07b9
+--- /dev/null
++++ b/man/man8/wireshark_selinux.8
+@@ -0,0 +1,184 @@
++.TH "wireshark_selinux" "8" "12-11-01" "wireshark" "SELinux Policy documentation for wireshark"
++.SH "NAME"
++wireshark_selinux \- Security Enhanced Linux Policy for the wireshark processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the wireshark processes via flexible mandatory access control.
++
++The wireshark processes execute with the wireshark_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep wireshark_t
++
++
++.SH "ENTRYPOINTS"
++
++The wireshark_t SELinux type can be entered via the "wireshark_exec_t" file type. The default entrypoint paths for the wireshark_t domain are the following:"
++
++/usr/bin/wireshark
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux wireshark policy is very flexible allowing users to setup their wireshark processes in as secure a method as possible.
++.PP
++The following process types are defined for wireshark:
++
++.EX
++.B wireshark_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux wireshark policy is very flexible allowing users to setup their wireshark processes in as secure a method as possible.
++.PP
++The following file types are defined for wireshark:
++
++
++.EX
++.PP
++.B wireshark_exec_t
++.EE
++
++- Set files with the wireshark_exec_t type, if you want to transition an executable to the wireshark_t domain.
++
++
++.EX
++.PP
++.B wireshark_home_t
++.EE
++
++- Set files with the wireshark_home_t type, if you want to store wireshark files in the users home directory.
++
++
++.EX
++.PP
++.B wireshark_tmp_t
++.EE
++
++- Set files with the wireshark_tmp_t type, if you want to store wireshark temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B wireshark_tmpfs_t
++.EE
++
++- Set files with the wireshark_tmpfs_t type, if you want to store wireshark files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type wireshark_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.br
++.B wireshark_home_t
++
++ /home/[^/]*/\.wireshark(/.*)?
++.br
++ /home/dwalsh/\.wireshark(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.wireshark(/.*)?
++.br
++
++.br
++.B wireshark_tmp_t
++
++
++.br
++.B wireshark_tmpfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the wireshark_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the wireshark_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), wireshark(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/wpa_cli_selinux.8 b/man/man8/wpa_cli_selinux.8
+new file mode 100644
+index 0000000..2ea0f25
+--- /dev/null
++++ b/man/man8/wpa_cli_selinux.8
+@@ -0,0 +1,86 @@
++.TH "wpa_cli_selinux" "8" "12-11-01" "wpa_cli" "SELinux Policy documentation for wpa_cli"
++.SH "NAME"
++wpa_cli_selinux \- Security Enhanced Linux Policy for the wpa_cli processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the wpa_cli processes via flexible mandatory access control.
++
++The wpa_cli processes execute with the wpa_cli_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep wpa_cli_t
++
++
++.SH "ENTRYPOINTS"
++
++The wpa_cli_t SELinux type can be entered via the "wpa_cli_exec_t" file type. The default entrypoint paths for the wpa_cli_t domain are the following:"
++
++/sbin/wpa_cli, /usr/sbin/wpa_cli
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux wpa_cli policy is very flexible allowing users to setup their wpa_cli processes in as secure a method as possible.
++.PP
++The following process types are defined for wpa_cli:
++
++.EX
++.B wpa_cli_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux wpa_cli policy is very flexible allowing users to setup their wpa_cli processes in as secure a method as possible.
++.PP
++The following file types are defined for wpa_cli:
++
++
++.EX
++.PP
++.B wpa_cli_exec_t
++.EE
++
++- Set files with the wpa_cli_exec_t type, if you want to transition an executable to the wpa_cli_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), wpa_cli(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/xauth_selinux.8 b/man/man8/xauth_selinux.8
+new file mode 100644
+index 0000000..4e36630
+--- /dev/null
++++ b/man/man8/xauth_selinux.8
+@@ -0,0 +1,232 @@
++.TH "xauth_selinux" "8" "12-11-01" "xauth" "SELinux Policy documentation for xauth"
++.SH "NAME"
++xauth_selinux \- Security Enhanced Linux Policy for the xauth processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the xauth processes via flexible mandatory access control.
++
++The xauth processes execute with the xauth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep xauth_t
++
++
++.SH "ENTRYPOINTS"
++
++The xauth_t SELinux type can be entered via the "xauth_exec_t" file type. The default entrypoint paths for the xauth_t domain are the following:"
++
++/usr/bin/xauth, /usr/X11R6/bin/xauth
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux xauth policy is very flexible allowing users to setup their xauth processes in as secure a method as possible.
++.PP
++The following process types are defined for xauth:
++
++.EX
++.B xauth_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux xauth policy is very flexible allowing users to setup their xauth processes in as secure a method as possible.
++.PP
++The following file types are defined for xauth:
++
++
++.EX
++.PP
++.B xauth_exec_t
++.EE
++
++- Set files with the xauth_exec_t type, if you want to transition an executable to the xauth_t domain.
++
++
++.EX
++.PP
++.B xauth_home_t
++.EE
++
++- Set files with the xauth_home_t type, if you want to store xauth files in the users home directory.
++
++
++.EX
++.PP
++.B xauth_tmp_t
++.EE
++
++- Set files with the xauth_tmp_t type, if you want to store xauth temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type xauth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B user_home_t
++
++ /home/[^/]*/.+
++.br
++ /home/dwalsh/.+
++.br
++ /var/lib/xguest/home/xguest/.+
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.br
++.B xauth_home_t
++
++ /root/\.xauth.*
++.br
++ /root/\.Xauth.*
++.br
++ /root/\.serverauth.*
++.br
++ /root/\.Xauthority.*
++.br
++ /var/lib/pqsql/\.xauth.*
++.br
++ /var/lib/pqsql/\.Xauthority.*
++.br
++ /var/lib/nxserver/home/\.xauth.*
++.br
++ /var/lib/nxserver/home/\.Xauthority.*
++.br
++ /home/[^/]*/\.xauth.*
++.br
++ /home/[^/]*/\.Xauth.*
++.br
++ /home/[^/]*/\.serverauth.*
++.br
++ /home/[^/]*/\.Xauthority.*
++.br
++ /home/dwalsh/\.xauth.*
++.br
++ /home/dwalsh/\.Xauth.*
++.br
++ /home/dwalsh/\.serverauth.*
++.br
++ /home/dwalsh/\.Xauthority.*
++.br
++ /var/lib/xguest/home/xguest/\.xauth.*
++.br
++ /var/lib/xguest/home/xguest/\.Xauth.*
++.br
++ /var/lib/xguest/home/xguest/\.serverauth.*
++.br
++ /var/lib/xguest/home/xguest/\.Xauthority.*
++.br
++
++.br
++.B xauth_tmp_t
++
++
++.br
++.B xdm_tmp_t
++
++ /tmp/\.X11-unix(/.*)?
++.br
++ /tmp/\.ICE-unix(/.*)?
++.br
++ /tmp/\.X0-lock
++.br
++
++.br
++.B xdm_var_run_t
++
++ /etc/kde[34]?/kdm/backgroundrc
++.br
++ /var/run/[gx]dm\.pid
++.br
++ /var/run/[kgm]dm(/.*)?
++.br
++ /usr/lib/qt-.*/etc/settings(/.*)?
++.br
++ /var/run/slim.*
++.br
++ /var/run/lxdm(/.*)?
++.br
++ /var/run/slim(/.*)?
++.br
++ /var/run/xauth(/.*)?
++.br
++ /var/run/xdmctl(/.*)?
++.br
++ /var/run/lightdm(/.*)?
++.br
++ /var/run/systemd/multi-session-x(/.*)?
++.br
++ /var/run/lxdm\.pid
++.br
++ /var/run/lxdm\.auth
++.br
++ /var/run/gdm_socket
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the xauth_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), xauth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/xdm_selinux.8 b/man/man8/xdm_selinux.8
+new file mode 100644
+index 0000000..b6a703d
+--- /dev/null
++++ b/man/man8/xdm_selinux.8
+@@ -0,0 +1,758 @@
++.TH "xdm_selinux" "8" "12-11-01" "xdm" "SELinux Policy documentation for xdm"
++.SH "NAME"
++xdm_selinux \- Security Enhanced Linux Policy for the xdm processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the xdm processes via flexible mandatory access control.
++
++The xdm processes execute with the xdm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep xdm_t
++
++
++.SH "ENTRYPOINTS"
++
++The xdm_t SELinux type can be entered via the "xdm_exec_t,bin_t" file types. The default entrypoint paths for the xdm_t domain are the following:"
++
++/usr/(s)?bin/lightdm*, /usr/(s)?bin/[mxgkw]dm, /usr/(s)?bin/gdm-binary, /usr/(s)?bin/lxdm(-binary)?, /usr/X11R6/bin/[xgkw]dm, /usr/bin/slim, /usr/bin/gpe-dm, /opt/kde3/bin/kdm, /usr/sbin/mdm-binary, /bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, /usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, /usr/lib/xen/bin(/.*)?, /usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, /usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, /etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/share/shorewall-perl(/.*)?, /usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, /usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, /etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, /etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, /usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, /usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, /usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/share/system-config-securitylevel/system-config-securitylevel\.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux xdm policy is very flexible allowing users to setup their xdm processes in as secure a method as possible.
++.PP
++The following process types are defined for xdm:
++
++.EX
++.B xdm_t, xdm_dbusd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. xdm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xdm with the tightest access possible.
++
++
++.PP
++If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean.
++
++.EX
++.B setsebool -P xdm_exec_bootloader 1
++.EE
++
++.PP
++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
++
++.EX
++.B setsebool -P xdm_sysadm_login 1
++.EE
++
++.PP
++If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean.
++
++.EX
++.B setsebool -P xdm_exec_bootloader 1
++.EE
++
++.PP
++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
++
++.EX
++.B setsebool -P xdm_sysadm_login 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux xdm policy is very flexible allowing users to setup their xdm processes in as secure a method as possible.
++.PP
++The following file types are defined for xdm:
++
++
++.EX
++.PP
++.B xdm_etc_t
++.EE
++
++- Set files with the xdm_etc_t type, if you want to store xdm files in the /etc directories.
++
++
++.EX
++.PP
++.B xdm_exec_t
++.EE
++
++- Set files with the xdm_exec_t type, if you want to transition an executable to the xdm_t domain.
++
++
++.EX
++.PP
++.B xdm_home_t
++.EE
++
++- Set files with the xdm_home_t type, if you want to store xdm files in the users home directory.
++
++
++.EX
++.PP
++.B xdm_lock_t
++.EE
++
++- Set files with the xdm_lock_t type, if you want to treat the files as xdm lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B xdm_log_t
++.EE
++
++- Set files with the xdm_log_t type, if you want to treat the data as xdm log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B xdm_rw_etc_t
++.EE
++
++- Set files with the xdm_rw_etc_t type, if you want to store xdm rw files in the /etc directories.
++
++
++.EX
++.PP
++.B xdm_spool_t
++.EE
++
++- Set files with the xdm_spool_t type, if you want to store the xdm files under the /var/spool directory.
++
++
++.EX
++.PP
++.B xdm_tmp_t
++.EE
++
++- Set files with the xdm_tmp_t type, if you want to store xdm temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B xdm_tmpfs_t
++.EE
++
++- Set files with the xdm_tmpfs_t type, if you want to store xdm files on a tmpfs file system.
++
++
++.EX
++.PP
++.B xdm_unconfined_exec_t
++.EE
++
++- Set files with the xdm_unconfined_exec_t type, if you want to transition an executable to the xdm_unconfined_t domain.
++
++
++.EX
++.PP
++.B xdm_var_lib_t
++.EE
++
++- Set files with the xdm_var_lib_t type, if you want to store the xdm files under the /var/lib directory.
++
++
++.EX
++.PP
++.B xdm_var_run_t
++.EE
++
++- Set files with the xdm_var_run_t type, if you want to store the xdm files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux xdm policy is very flexible allowing users to setup their xdm processes in as secure a method as possible.
++.PP
++The following port types are defined for xdm:
++
++.EX
++.TP 5
++.B xdmcp_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 177
++.EE
++udp 177
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type xdm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B auth_home_t
++
++ /root/\.google_authenticator
++.br
++ /root/\.google_authenticator~
++.br
++ /home/[^/]*/\.google_authenticator
++.br
++ /home/[^/]*/\.google_authenticator~
++.br
++ /home/dwalsh/\.google_authenticator
++.br
++ /home/dwalsh/\.google_authenticator~
++.br
++ /var/lib/xguest/home/xguest/\.google_authenticator
++.br
++ /var/lib/xguest/home/xguest/\.google_authenticator~
++.br
++
++.br
++.B cgroup_t
++
++ /cgroup
++.br
++ /sys/fs/cgroup
++.br
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B faillog_t
++
++ /var/log/btmp.*
++.br
++ /var/run/faillock(/.*)?
++.br
++ /var/log/faillog
++.br
++ /var/log/tallylog
++.br
++
++.br
++.B fonts_cache_t
++
++ /var/cache/fontconfig(/.*)?
++.br
++
++.br
++.B gconf_home_t
++
++ /root/\.local.*
++.br
++ /root/\.gconf(d)?(/.*)?
++.br
++ /home/[^/]*/\.local.*
++.br
++ /home/[^/]*/\.gconf(d)?(/.*)?
++.br
++ /home/dwalsh/\.local.*
++.br
++ /home/dwalsh/\.gconf(d)?(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.local.*
++.br
++ /var/lib/xguest/home/xguest/\.gconf(d)?(/.*)?
++.br
++
++.br
++.B gnome_home_type
++
++
++.br
++.B initrc_var_run_t
++
++ /var/run/utmp
++.br
++ /var/run/random-seed
++.br
++ /var/run/runlevel\.dir
++.br
++ /var/run/setmixer_flag
++.br
++
++.br
++.B krb5_host_rcache_t
++
++ /var/cache/krb5rcache(/.*)?
++.br
++ /var/tmp/nfs_0
++.br
++ /var/tmp/DNS_25
++.br
++ /var/tmp/host_0
++.br
++ /var/tmp/imap_0
++.br
++ /var/tmp/HTTP_23
++.br
++ /var/tmp/HTTP_48
++.br
++ /var/tmp/ldap_55
++.br
++ /var/tmp/ldap_487
++.br
++ /var/tmp/ldapmap1_0
++.br
++
++.br
++.B lastlog_t
++
++ /var/log/lastlog
++.br
++
++.br
++.B locale_t
++
++ /etc/locale.conf
++.br
++ /usr/lib/locale(/.*)?
++.br
++ /usr/share/locale(/.*)?
++.br
++ /usr/share/zoneinfo(/.*)?
++.br
++ /usr/share/X11/locale(/.*)?
++.br
++ /etc/timezone
++.br
++ /etc/localtime
++.br
++ /etc/sysconfig/clock
++.br
++ /etc/avahi/etc/localtime
++.br
++ /var/empty/sshd/etc/localtime
++.br
++ /var/spool/postfix/etc/localtime
++.br
++
++.br
++.B pam_var_console_t
++
++ /var/run/console(/.*)?
++.br
++
++.br
++.B pam_var_run_t
++
++ /var/(db|lib|adm)/sudo(/.*)?
++.br
++ /var/run/sudo(/.*)?
++.br
++ /var/run/sepermit(/.*)?
++.br
++ /var/run/pam_mount(/.*)?
++.br
++
++.br
++.B pcscd_var_run_t
++
++ /var/run/pcscd(/.*)?
++.br
++ /var/run/pcscd\.events(/.*)?
++.br
++ /var/run/pcscd\.pid
++.br
++ /var/run/pcscd\.pub
++.br
++ /var/run/pcscd\.comm
++.br
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B systemd_passwd_var_run_t
++
++ /var/run/systemd/ask-password(/.*)?
++.br
++ /var/run/systemd/ask-password-block(/.*)?
++.br
++
++.br
++.B user_fonts_t
++
++ /root/\.fonts(/.*)?
++.br
++ /tmp/\.font-unix(/.*)?
++.br
++ /home/[^/]*/\.fonts(/.*)?
++.br
++ /home/dwalsh/\.fonts(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts(/.*)?
++.br
++
++.br
++.B user_tmp_t
++
++ /var/run/user(/.*)?
++.br
++ /tmp/gconfd-.*
++.br
++ /tmp/gconfd-dwalsh
++.br
++ /tmp/gconfd-xguest
++.br
++
++.br
++.B user_tmpfs_type
++
++ all user content in tmpfs file systems
++.br
++
++.br
++.B var_auth_t
++
++ /var/ace(/.*)?
++.br
++ /var/rsa(/.*)?
++.br
++ /var/lib/abl(/.*)?
++.br
++ /var/lib/rsa(/.*)?
++.br
++ /var/lib/pam_ssh(/.*)?
++.br
++ /var/run/pam_ssh(/.*)?
++.br
++ /var/lib/pam_shield(/.*)?
++.br
++ /var/lib/google-authenticator(/.*)?
++.br
++
++.br
++.B wtmp_t
++
++ /var/log/wtmp.*
++.br
++
++.br
++.B xauth_home_t
++
++ /root/\.xauth.*
++.br
++ /root/\.Xauth.*
++.br
++ /root/\.serverauth.*
++.br
++ /root/\.Xauthority.*
++.br
++ /var/lib/pqsql/\.xauth.*
++.br
++ /var/lib/pqsql/\.Xauthority.*
++.br
++ /var/lib/nxserver/home/\.xauth.*
++.br
++ /var/lib/nxserver/home/\.Xauthority.*
++.br
++ /home/[^/]*/\.xauth.*
++.br
++ /home/[^/]*/\.Xauth.*
++.br
++ /home/[^/]*/\.serverauth.*
++.br
++ /home/[^/]*/\.Xauthority.*
++.br
++ /home/dwalsh/\.xauth.*
++.br
++ /home/dwalsh/\.Xauth.*
++.br
++ /home/dwalsh/\.serverauth.*
++.br
++ /home/dwalsh/\.Xauthority.*
++.br
++ /var/lib/xguest/home/xguest/\.xauth.*
++.br
++ /var/lib/xguest/home/xguest/\.Xauth.*
++.br
++ /var/lib/xguest/home/xguest/\.serverauth.*
++.br
++ /var/lib/xguest/home/xguest/\.Xauthority.*
++.br
++
++.br
++.B xdm_home_t
++
++ /root/\.dmrc.*
++.br
++ /root/\.xsession-errors.*
++.br
++ /home/[^/]*/\.dmrc.*
++.br
++ /home/[^/]*/\.cache/gdm(/.*)?
++.br
++ /home/[^/]*/\.xsession-errors.*
++.br
++ /home/dwalsh/\.dmrc.*
++.br
++ /home/dwalsh/\.cache/gdm(/.*)?
++.br
++ /home/dwalsh/\.xsession-errors.*
++.br
++ /var/lib/xguest/home/xguest/\.dmrc.*
++.br
++ /var/lib/xguest/home/xguest/\.cache/gdm(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.xsession-errors.*
++.br
++
++.br
++.B xdm_lock_t
++
++
++.br
++.B xdm_log_t
++
++ /var/log/[mg]dm(/.*)?
++.br
++ /var/log/[mkwx]dm\.log.*
++.br
++ /var/log/lxdm\.log.*
++.br
++ /var/log/slim\.log
++.br
++
++.br
++.B xdm_rw_etc_t
++
++ /etc/X11/wdm(/.*)?
++.br
++ /etc/opt/VirtualGL(/.*)?
++.br
++
++.br
++.B xdm_spool_t
++
++ /var/spool/[mg]dm(/.*)?
++.br
++
++.br
++.B xdm_tmp_t
++
++ /tmp/\.X11-unix(/.*)?
++.br
++ /tmp/\.ICE-unix(/.*)?
++.br
++ /tmp/\.X0-lock
++.br
++
++.br
++.B xdm_tmpfs_t
++
++
++.br
++.B xdm_var_lib_t
++
++ /var/lib/[mxkwg]dm(/.*)?
++.br
++ /var/cache/[mg]dm(/.*)?
++.br
++ /var/lib/lxdm(/.*)?
++.br
++ /var/lib/lightdm(/.*)?
++.br
++ /var/cache/lightdm(/.*)?
++.br
++
++.br
++.B xdm_var_run_t
++
++ /etc/kde[34]?/kdm/backgroundrc
++.br
++ /var/run/[gx]dm\.pid
++.br
++ /var/run/[kgm]dm(/.*)?
++.br
++ /usr/lib/qt-.*/etc/settings(/.*)?
++.br
++ /var/run/slim.*
++.br
++ /var/run/lxdm(/.*)?
++.br
++ /var/run/slim(/.*)?
++.br
++ /var/run/xauth(/.*)?
++.br
++ /var/run/xdmctl(/.*)?
++.br
++ /var/run/lightdm(/.*)?
++.br
++ /var/run/systemd/multi-session-x(/.*)?
++.br
++ /var/run/lxdm\.pid
++.br
++ /var/run/lxdm\.auth
++.br
++ /var/run/gdm_socket
++.br
++
++.br
++.B xkb_var_lib_t
++
++ /var/lib/xkb(/.*)?
++.br
++ /usr/X11R6/lib/X11/xkb/.*
++.br
++ /usr/X11R6/lib/X11/xkb
++.br
++
++.br
++.B xserver_log_t
++
++ /var/[xgkw]dm(/.*)?
++.br
++ /usr/var/[xgkw]dm(/.*)?
++.br
++ /var/log/Xorg.*
++.br
++ /var/log/XFree86.*
++.br
++ /var/log/lightdm(/.*)?
++.br
++ /var/log/nvidia-installer\.log.*
++.br
++
++.br
++.B xserver_tmpfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xdm_dbusd_t, xdm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the xdm_dbusd_t, xdm_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), xdm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/xenconsoled_selinux.8 b/man/man8/xenconsoled_selinux.8
+new file mode 100644
+index 0000000..9d5fe35
+--- /dev/null
++++ b/man/man8/xenconsoled_selinux.8
+@@ -0,0 +1,126 @@
++.TH "xenconsoled_selinux" "8" "12-11-01" "xenconsoled" "SELinux Policy documentation for xenconsoled"
++.SH "NAME"
++xenconsoled_selinux \- Security Enhanced Linux Policy for the xenconsoled processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the xenconsoled processes via flexible mandatory access control.
++
++The xenconsoled processes execute with the xenconsoled_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep xenconsoled_t
++
++
++.SH "ENTRYPOINTS"
++
++The xenconsoled_t SELinux type can be entered via the "xenconsoled_exec_t" file type. The default entrypoint paths for the xenconsoled_t domain are the following:"
++
++/usr/sbin/xenconsoled
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux xenconsoled policy is very flexible allowing users to setup their xenconsoled processes in as secure a method as possible.
++.PP
++The following process types are defined for xenconsoled:
++
++.EX
++.B xenconsoled_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux xenconsoled policy is very flexible allowing users to setup their xenconsoled processes in as secure a method as possible.
++.PP
++The following file types are defined for xenconsoled:
++
++
++.EX
++.PP
++.B xenconsoled_exec_t
++.EE
++
++- Set files with the xenconsoled_exec_t type, if you want to transition an executable to the xenconsoled_t domain.
++
++
++.EX
++.PP
++.B xenconsoled_var_run_t
++.EE
++
++- Set files with the xenconsoled_var_run_t type, if you want to store the xenconsoled files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type xenconsoled_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B xenconsoled_var_run_t
++
++ /var/run/xenconsoled\.pid
++.br
++
++.br
++.B xend_var_log_t
++
++ /var/log/xen(/.*)?
++.br
++ /var/log/xend\.log.*
++.br
++ /var/log/xend-debug\.log.*
++.br
++ /var/log/xen-hotplug\.log.*
++.br
++
++.br
++.B xenfs_t
++
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), xenconsoled(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/xend_selinux.8 b/man/man8/xend_selinux.8
+new file mode 100644
+index 0000000..b211bcb
+--- /dev/null
++++ b/man/man8/xend_selinux.8
+@@ -0,0 +1,330 @@
++.TH "xend_selinux" "8" "12-11-01" "xend" "SELinux Policy documentation for xend"
++.SH "NAME"
++xend_selinux \- Security Enhanced Linux Policy for the xend processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the xend processes via flexible mandatory access control.
++
++The xend processes execute with the xend_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep xend_t
++
++
++.SH "ENTRYPOINTS"
++
++The xend_t SELinux type can be entered via the "xend_exec_t" file type. The default entrypoint paths for the xend_t domain are the following:"
++
++/usr/sbin/xend
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux xend policy is very flexible allowing users to setup their xend processes in as secure a method as possible.
++.PP
++The following process types are defined for xend:
++
++.EX
++.B xend_t, xenstored_t, xenconsoled_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. xend policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xend with the tightest access possible.
++
++
++.PP
++If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean.
++
++.EX
++.B setsebool -P xend_run_blktap 1
++.EE
++
++.PP
++If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean.
++
++.EX
++.B setsebool -P xen_use_nfs 1
++.EE
++
++.PP
++If you want to allow xend to run qemu-dm. Not required if using paravirt and no vfb, you must turn on the xend_run_qemu boolean.
++
++.EX
++.B setsebool -P xend_run_qemu 1
++.EE
++
++.PP
++If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean.
++
++.EX
++.B setsebool -P xend_run_blktap 1
++.EE
++
++.PP
++If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean.
++
++.EX
++.B setsebool -P xen_use_nfs 1
++.EE
++
++.PP
++If you want to allow xend to run qemu-dm. Not required if using paravirt and no vfb, you must turn on the xend_run_qemu boolean.
++
++.EX
++.B setsebool -P xend_run_qemu 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux xend policy is very flexible allowing users to setup their xend processes in as secure a method as possible.
++.PP
++The following file types are defined for xend:
++
++
++.EX
++.PP
++.B xend_exec_t
++.EE
++
++- Set files with the xend_exec_t type, if you want to transition an executable to the xend_t domain.
++
++
++.EX
++.PP
++.B xend_tmp_t
++.EE
++
++- Set files with the xend_tmp_t type, if you want to store xend temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B xend_var_lib_t
++.EE
++
++- Set files with the xend_var_lib_t type, if you want to store the xend files under the /var/lib directory.
++
++
++.EX
++.PP
++.B xend_var_log_t
++.EE
++
++- Set files with the xend_var_log_t type, if you want to treat the data as xend var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B xend_var_run_t
++.EE
++
++- Set files with the xend_var_run_t type, if you want to store the xend files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux xend policy is very flexible allowing users to setup their xend processes in as secure a method as possible.
++.PP
++The following port types are defined for xend:
++
++.EX
++.TP 5
++.B xen_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8002
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type xend_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B dhcp_etc_t
++
++ /etc/dhcpc.*
++.br
++ /etc/dhcp3(/.*)?
++.br
++ /etc/dhcpd(6)?\.conf
++.br
++ /etc/dhcp3?/dhclient.*
++.br
++ /etc/dhclient.*conf
++.br
++ /etc/dhcp/dhcpd(6)?\.conf
++.br
++ /etc/dhclient-script
++.br
++
++.br
++.B etc_runtime_t
++
++ /[^/]+
++.br
++ /etc/mtab.*
++.br
++ /etc/blkid(/.*)?
++.br
++ /etc/nologin.*
++.br
++ /etc/\.fstab\.hal\..+
++.br
++ /halt
++.br
++ /fastboot
++.br
++ /poweroff
++.br
++ /etc/cmtab
++.br
++ /\.autofsck
++.br
++ /forcefsck
++.br
++ /\.suspended
++.br
++ /fsckoptions
++.br
++ /\.autorelabel
++.br
++ /etc/securetty
++.br
++ /etc/killpower
++.br
++ /etc/nohotplug
++.br
++ /etc/ioctl\.save
++.br
++ /etc/fstab\.REVOKE
++.br
++ /etc/network/ifstate
++.br
++ /etc/sysconfig/hwconf
++.br
++ /etc/ptal/ptal-printd-like
++.br
++ /etc/sysconfig/iptables\.save
++.br
++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
++.br
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B xen_image_t
++
++ /xen(/.*)?
++.br
++ /var/lib/xen/images(/.*)?
++.br
++
++.br
++.B xend_tmp_t
++
++
++.br
++.B xend_var_lib_t
++
++ /var/lib/xen(/.*)?
++.br
++ /var/lib/xend(/.*)?
++.br
++
++.br
++.B xend_var_log_t
++
++ /var/log/xen(/.*)?
++.br
++ /var/log/xend\.log.*
++.br
++ /var/log/xend-debug\.log.*
++.br
++ /var/log/xen-hotplug\.log.*
++.br
++
++.br
++.B xend_var_run_t
++
++ /var/run/xend(/.*)?
++.br
++ /var/run/xenner(/.*)?
++.br
++ /var/run/xend\.pid
++.br
++
++.br
++.B xenfs_t
++
++
++.br
++.B xenstored_var_run_t
++
++ /var/run/xenstored(/.*)?
++.br
++ /var/run/xenstore\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), xend(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), xenconsoled_selinux(8), xenstored_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/xenstored_selinux.8 b/man/man8/xenstored_selinux.8
+new file mode 100644
+index 0000000..5ad6f42
+--- /dev/null
++++ b/man/man8/xenstored_selinux.8
+@@ -0,0 +1,148 @@
++.TH "xenstored_selinux" "8" "12-11-01" "xenstored" "SELinux Policy documentation for xenstored"
++.SH "NAME"
++xenstored_selinux \- Security Enhanced Linux Policy for the xenstored processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the xenstored processes via flexible mandatory access control.
++
++The xenstored processes execute with the xenstored_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep xenstored_t
++
++
++.SH "ENTRYPOINTS"
++
++The xenstored_t SELinux type can be entered via the "xenstored_exec_t" file type. The default entrypoint paths for the xenstored_t domain are the following:"
++
++/usr/sbin/xenstored
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux xenstored policy is very flexible allowing users to setup their xenstored processes in as secure a method as possible.
++.PP
++The following process types are defined for xenstored:
++
++.EX
++.B xenstored_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux xenstored policy is very flexible allowing users to setup their xenstored processes in as secure a method as possible.
++.PP
++The following file types are defined for xenstored:
++
++
++.EX
++.PP
++.B xenstored_exec_t
++.EE
++
++- Set files with the xenstored_exec_t type, if you want to transition an executable to the xenstored_t domain.
++
++
++.EX
++.PP
++.B xenstored_tmp_t
++.EE
++
++- Set files with the xenstored_tmp_t type, if you want to store xenstored temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B xenstored_var_lib_t
++.EE
++
++- Set files with the xenstored_var_lib_t type, if you want to store the xenstored files under the /var/lib directory.
++
++
++.EX
++.PP
++.B xenstored_var_log_t
++.EE
++
++- Set files with the xenstored_var_log_t type, if you want to treat the data as xenstored var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B xenstored_var_run_t
++.EE
++
++- Set files with the xenstored_var_run_t type, if you want to store the xenstored files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type xenstored_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B xenfs_t
++
++
++.br
++.B xenstored_tmp_t
++
++
++.br
++.B xenstored_var_lib_t
++
++ /var/lib/xenstored(/.*)?
++.br
++
++.br
++.B xenstored_var_log_t
++
++
++.br
++.B xenstored_var_run_t
++
++ /var/run/xenstored(/.*)?
++.br
++ /var/run/xenstore\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), xenstored(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/xguest_selinux.8 b/man/man8/xguest_selinux.8
+new file mode 100644
+index 0000000..9a09106
+--- /dev/null
++++ b/man/man8/xguest_selinux.8
+@@ -0,0 +1,345 @@
++.TH "xguest_selinux" "8" "xguest" "mgrepl@redhat.com" "xguest SELinux Policy documentation"
++.SH "NAME"
++xguest_u \- \fBLeast privledge xwindows user role\fP - Security Enhanced Linux Policy
++
++.SH DESCRIPTION
++
++\fBxguest_u\fP is an SELinux User defined in the SELinux
++policy. SELinux users have default roles, \fBxguest_r\fP. The
++default role has a default type, \fBxguest_t\fP, associated with it.
++
++The SELinux user will usually login to a system with a context that looks like:
++
++.B xguest_u:xguest_r:xguest_t:s0-s0:c0.c1023
++
++Linux users are automatically assigned an SELinux users at login.
++Login programs use the SELinux User to assign initial context to the user's shell.
++
++SELinux policy uses the context to control the user's access.
++
++By default all users are assigned to the SELinux user via the \fB__default__\fP flag
++
++On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
++
++You can list all Linux User to SELinux user mapping using:
++
++.B semanage login -l
++
++If you wanted to change the default user mapping to use the xguest_u user, you would execute:
++
++.B semanage login -m -s xguest_u __default__
++
++
++If you want to map the one Linux user (joe) to the SELinux user xguest, you would execute:
++
++.B $ semanage login -a -s xguest_u joe
++
++
++.SH USER DESCRIPTION
++
++The SELinux user xguest_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
++
++.SH SUDO
++
++.SH X WINDOWS LOGIN
++
++The SELinux user xguest_u is able to X Windows login.
++
++.SH NETWORK
++
++.TP
++The SELinux user xguest_u is able to connect to the following tcp ports.
++
++.B dns_port_t: 53
++
++.B all ports with out defined types
++
++.B ftp_port_t: 21,990
++
++.B speech_port_t: 8036
++
++.B http_cache_port_t: 8080,8118,10001-10010
++
++.B http_port_t: 80,81,443,488,8008,8009,8443
++
++.B ocsp_port_t: 9080
++
++.B squid_port_t: 3128,3401,4827
++
++.B ephemeral_port_t: 32768-61000
++
++.B kerberos_port_t: 88,750,4444
++
++.B pulseaudio_port_t: 4713
++
++.B flash_port_t: 843,1935
++
++.B soundd_port_t: 8000,9433,16001
++
++.B commplex_port_t: 5001
++
++.B ipp_port_t: 631,8610-8614
++
++.B transproxy_port_t: 8081
++
++.TP
++The SELinux user xguest_u is able to connect to the following tcp ports.
++
++.B dns_port_t: 53
++
++.B all ports with out defined types
++
++.B ftp_port_t: 21,990
++
++.B speech_port_t: 8036
++
++.B http_cache_port_t: 8080,8118,10001-10010
++
++.B http_port_t: 80,81,443,488,8008,8009,8443
++
++.B ocsp_port_t: 9080
++
++.B squid_port_t: 3128,3401,4827
++
++.B ephemeral_port_t: 32768-61000
++
++.B kerberos_port_t: 88,750,4444
++
++.B pulseaudio_port_t: 4713
++
++.B flash_port_t: 843,1935
++
++.B soundd_port_t: 8000,9433,16001
++
++.B commplex_port_t: 5001
++
++.B ipp_port_t: 631,8610-8614
++
++.B transproxy_port_t: 8081
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. xguest policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xguest with the tightest access possible.
++
++
++.PP
++If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
++
++.EX
++.B setsebool -P xguest_mount_media 1
++.EE
++
++.PP
++If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean.
++
++.EX
++.B setsebool -P xguest_connect_network 1
++.EE
++
++.PP
++If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
++
++.EX
++.B setsebool -P xguest_use_bluetooth 1
++.EE
++
++.PP
++If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
++
++.EX
++.B setsebool -P xguest_mount_media 1
++.EE
++
++.PP
++If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean.
++
++.EX
++.B setsebool -P xguest_connect_network 1
++.EE
++
++.PP
++If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
++
++.EX
++.B setsebool -P xguest_use_bluetooth 1
++.EE
++
++.SH HOME_EXEC
++
++The SELinux user xguest_u is able execute home content files.
++
++.SH TRANSITIONS
++
++Three things can happen when xguest_t attempts to execute a program.
++
++\fB1.\fP SELinux Policy can deny xguest_t from executing the program.
++
++.TP
++
++\fB2.\fP SELinux Policy can allow xguest_t to execute the program in the current user type.
++
++Execute the following to see the types that the SELinux user xguest_t can execute without transitioning:
++
++.B search -A -s xguest_t -c file -p execute_no_trans
++
++.TP
++
++\fB3.\fP SELinux can allow xguest_t to execute the program and transition to a new type.
++
++Execute the following to see the types that the SELinux user xguest_t can execute and transition:
++
++.B $ search -A -s xguest_t -c process -p transition
++
++
++.SH "MANAGED FILES"
++
++The SELinux process type xguest_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B anon_inodefs_t
++
++
++.br
++.B auth_cache_t
++
++ /var/cache/coolkey(/.*)?
++.br
++
++.br
++.B chrome_sandbox_tmpfs_t
++
++
++.br
++.B httpd_user_content_t
++
++ /home/[^/]*/((www)|(web)|(public_html))(/.+)?
++.br
++ /home/dwalsh/((www)|(web)|(public_html))(/.+)?
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)?
++.br
++
++.br
++.B httpd_user_htaccess_t
++
++ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++
++.br
++.B httpd_user_ra_content_t
++
++ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++
++.br
++.B httpd_user_rw_content_t
++
++
++.br
++.B httpd_user_script_exec_t
++
++ /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++ /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++
++.br
++.B noxattrfs
++
++ all files on file systems which do not support extended attributes
++.br
++
++.br
++.B usbfs_t
++
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B user_home_type
++
++ all user home files
++.br
++
++.br
++.B user_tmp_type
++
++ all user tmp files
++.br
++
++.br
++.B user_tmpfs_type
++
++ all user content in tmpfs file systems
++.br
++
++.br
++.B xdm_tmp_t
++
++ /tmp/\.X11-unix(/.*)?
++.br
++ /tmp/\.ICE-unix(/.*)?
++.br
++ /tmp/\.X0-lock
++.br
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), xguest(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/xserver_selinux.8 b/man/man8/xserver_selinux.8
+new file mode 100644
+index 0000000..936e2de
+--- /dev/null
++++ b/man/man8/xserver_selinux.8
+@@ -0,0 +1,416 @@
++.TH "xserver_selinux" "8" "12-11-01" "xserver" "SELinux Policy documentation for xserver"
++.SH "NAME"
++xserver_selinux \- Security Enhanced Linux Policy for the xserver processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the xserver processes via flexible mandatory access control.
++
++The xserver processes execute with the xserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep xserver_t
++
++
++.SH "ENTRYPOINTS"
++
++The xserver_t SELinux type can be entered via the "xserver_exec_t" file type. The default entrypoint paths for the xserver_t domain are the following:"
++
++/usr/bin/Xair, /usr/bin/Xorg, /usr/bin/Xephyr, /usr/X11R6/bin/X, /usr/X11R6/bin/Xorg, /usr/X11R6/bin/Xipaq, /usr/X11R6/bin/XFree86, /usr/X11R6/bin/Xwrapper, /etc/init\.d/xfree86-common
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux xserver policy is very flexible allowing users to setup their xserver processes in as secure a method as possible.
++.PP
++The following process types are defined for xserver:
++
++.EX
++.B xserver_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. xserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xserver with the tightest access possible.
++
++
++.PP
++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean.
++
++.EX
++.B setsebool -P xserver_object_manager 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean.
++
++.EX
++.B setsebool -P virt_use_xserver 1
++.EE
++
++.PP
++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean.
++
++.EX
++.B setsebool -P xserver_clients_write_xshm 1
++.EE
++
++.PP
++If you want to allows XServer to execute writable memory, you must turn on the xserver_execmem boolean.
++
++.EX
++.B setsebool -P xserver_execmem 1
++.EE
++
++.PP
++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean.
++
++.EX
++.B setsebool -P xserver_object_manager 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean.
++
++.EX
++.B setsebool -P virt_use_xserver 1
++.EE
++
++.PP
++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean.
++
++.EX
++.B setsebool -P xserver_clients_write_xshm 1
++.EE
++
++.PP
++If you want to allows XServer to execute writable memory, you must turn on the xserver_execmem boolean.
++
++.EX
++.B setsebool -P xserver_execmem 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux xserver policy is very flexible allowing users to setup their xserver processes in as secure a method as possible.
++.PP
++The following file types are defined for xserver:
++
++
++.EX
++.PP
++.B xserver_exec_t
++.EE
++
++- Set files with the xserver_exec_t type, if you want to transition an executable to the xserver_t domain.
++
++
++.EX
++.PP
++.B xserver_log_t
++.EE
++
++- Set files with the xserver_log_t type, if you want to treat the data as xserver log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B xserver_tmpfs_t
++.EE
++
++- Set files with the xserver_tmpfs_t type, if you want to store xserver files on a tmpfs file system.
++
++
++.EX
++.PP
++.B xserver_var_lib_t
++.EE
++
++- Set files with the xserver_var_lib_t type, if you want to store the xserver files under the /var/lib directory.
++
++
++.EX
++.PP
++.B xserver_var_run_t
++.EE
++
++- Set files with the xserver_var_run_t type, if you want to store the xserver files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux xserver policy is very flexible allowing users to setup their xserver processes in as secure a method as possible.
++.PP
++The following port types are defined for xserver:
++
++.EX
++.TP 5
++.B xserver_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 6000-6020
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type xserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B bluetooth_helper_tmpfs_t
++
++
++.br
++.B chrome_sandbox_tmpfs_t
++
++
++.br
++.B consolekit_tmpfs_t
++
++
++.br
++.B games_tmpfs_t
++
++
++.br
++.B gpg_pinentry_tmpfs_t
++
++
++.br
++.B mozilla_tmpfs_t
++
++
++.br
++.B mplayer_tmpfs_t
++
++
++.br
++.B mtrr_device_t
++
++ /dev/cpu/mtrr
++.br
++
++.br
++.B pulseaudio_tmpfs_t
++
++
++.br
++.B rhgb_tmpfs_t
++
++
++.br
++.B sandbox_xserver_tmpfs_t
++
++
++.br
++.B security_t
++
++ /selinux
++.br
++
++.br
++.B ssh_tmpfs_t
++
++
++.br
++.B sysfs_t
++
++ /sys(/.*)?
++.br
++
++.br
++.B tmpfs_t
++
++ /dev/shm
++.br
++ /lib/udev/devices/shm
++.br
++ /usr/lib/udev/devices/shm
++.br
++
++.br
++.B tvtime_tmpfs_t
++
++
++.br
++.B user_fonts_cache_t
++
++ /root/\.fontconfig(/.*)?
++.br
++ /root/\.fonts/auto(/.*)?
++.br
++ /root/\.fonts\.cache-.*
++.br
++ /home/[^/]*/\.fontconfig(/.*)?
++.br
++ /home/[^/]*/\.fonts/auto(/.*)?
++.br
++ /home/[^/]*/\.fonts\.cache-.*
++.br
++ /home/dwalsh/\.fontconfig(/.*)?
++.br
++ /home/dwalsh/\.fonts/auto(/.*)?
++.br
++ /home/dwalsh/\.fonts\.cache-.*
++.br
++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
++.B user_tmpfs_t
++
++ /dev/shm/mono.*
++.br
++ /dev/shm/pulse-shm.*
++.br
++
++.br
++.B vmware_tmpfs_t
++
++
++.br
++.B wireshark_tmpfs_t
++
++
++.br
++.B xdm_log_t
++
++ /var/log/[mg]dm(/.*)?
++.br
++ /var/log/[mkwx]dm\.log.*
++.br
++ /var/log/lxdm\.log.*
++.br
++ /var/log/slim\.log
++.br
++
++.br
++.B xdm_tmp_t
++
++ /tmp/\.X11-unix(/.*)?
++.br
++ /tmp/\.ICE-unix(/.*)?
++.br
++ /tmp/\.X0-lock
++.br
++
++.br
++.B xdm_tmpfs_t
++
++
++.br
++.B xkb_var_lib_t
++
++ /var/lib/xkb(/.*)?
++.br
++ /usr/X11R6/lib/X11/xkb/.*
++.br
++ /usr/X11R6/lib/X11/xkb
++.br
++
++.br
++.B xserver_log_t
++
++ /var/[xgkw]dm(/.*)?
++.br
++ /usr/var/[xgkw]dm(/.*)?
++.br
++ /var/log/Xorg.*
++.br
++ /var/log/XFree86.*
++.br
++ /var/log/lightdm(/.*)?
++.br
++ /var/log/nvidia-installer\.log.*
++.br
++
++.br
++.B xserver_tmpfs_t
++
++
++.br
++.B xserver_var_lib_t
++
++ /var/lib/xorg(/.*)?
++.br
++
++.br
++.B xserver_var_run_t
++
++ /var/run/xorg(/.*)?
++.br
++ /var/run/video.rom
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the xserver_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), xserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8
+index 5061a5f..017254a 100644
+--- a/man/man8/ypbind_selinux.8
++++ b/man/man8/ypbind_selinux.8
+@@ -1,19 +1,138 @@
+-.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation"
++.TH "ypbind_selinux" "8" "12-11-01" "ypbind" "SELinux Policy documentation for ypbind"
+ .SH "NAME"
+-ypbind_selinux \- Security Enhanced Linux Policy for NIS.
++ypbind_selinux \- Security Enhanced Linux Policy for the ypbind processes
+ .SH "DESCRIPTION"
+
+-Security-Enhanced Linux secures the system via flexible mandatory access
+-control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.
+-.SH BOOLEANS
+-.TP
+-You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
+-.TP
+-setsebool -P allow_ypbind 1
+-.TP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
+-.SH AUTHOR
+-This manual page was written by Dan Walsh .
++Security-Enhanced Linux secures the ypbind processes via flexible mandatory access control.
++
++The ypbind processes execute with the ypbind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ypbind_t
++
++
++.SH "ENTRYPOINTS"
++
++The ypbind_t SELinux type can be entered via the "ypbind_exec_t" file type. The default entrypoint paths for the ypbind_t domain are the following:"
++
++/sbin/ypbind, /usr/sbin/ypbind
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ypbind policy is very flexible allowing users to setup their ypbind processes in as secure a method as possible.
++.PP
++The following process types are defined for ypbind:
++
++.EX
++.B ypbind_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ypbind policy is very flexible allowing users to setup their ypbind processes in as secure a method as possible.
++.PP
++The following file types are defined for ypbind:
++
++
++.EX
++.PP
++.B ypbind_exec_t
++.EE
++
++- Set files with the ypbind_exec_t type, if you want to transition an executable to the ypbind_t domain.
++
++
++.EX
++.PP
++.B ypbind_initrc_exec_t
++.EE
++
++- Set files with the ypbind_initrc_exec_t type, if you want to transition an executable to the ypbind_initrc_t domain.
++
++
++.EX
++.PP
++.B ypbind_tmp_t
++.EE
++
++- Set files with the ypbind_tmp_t type, if you want to store ypbind temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ypbind_unit_file_t
++.EE
++
++- Set files with the ypbind_unit_file_t type, if you want to treat the files as ypbind unit content.
++
++
++.EX
++.PP
++.B ypbind_var_run_t
++.EE
++
++- Set files with the ypbind_var_run_t type, if you want to store the ypbind files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type ypbind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B var_yp_t
++
++ /var/yp(/.*)?
++.br
++
++.br
++.B ypbind_tmp_t
++
++
++.br
++.B ypbind_var_run_t
++
++ /var/run/ypbind.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
+
+ .SH "SEE ALSO"
+-selinux(8), ypbind(8), chcon(1), setsebool(8)
++selinux(8), ypbind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/yppasswdd_selinux.8 b/man/man8/yppasswdd_selinux.8
+new file mode 100644
+index 0000000..dc85345
+--- /dev/null
++++ b/man/man8/yppasswdd_selinux.8
+@@ -0,0 +1,124 @@
++.TH "yppasswdd_selinux" "8" "12-11-01" "yppasswdd" "SELinux Policy documentation for yppasswdd"
++.SH "NAME"
++yppasswdd_selinux \- Security Enhanced Linux Policy for the yppasswdd processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the yppasswdd processes via flexible mandatory access control.
++
++The yppasswdd processes execute with the yppasswdd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep yppasswdd_t
++
++
++.SH "ENTRYPOINTS"
++
++The yppasswdd_t SELinux type can be entered via the "yppasswdd_exec_t" file type. The default entrypoint paths for the yppasswdd_t domain are the following:"
++
++/usr/sbin/rpc\.yppasswdd, /usr/sbin/rpc\.yppasswdd\.env
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux yppasswdd policy is very flexible allowing users to setup their yppasswdd processes in as secure a method as possible.
++.PP
++The following process types are defined for yppasswdd:
++
++.EX
++.B yppasswdd_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux yppasswdd policy is very flexible allowing users to setup their yppasswdd processes in as secure a method as possible.
++.PP
++The following file types are defined for yppasswdd:
++
++
++.EX
++.PP
++.B yppasswdd_exec_t
++.EE
++
++- Set files with the yppasswdd_exec_t type, if you want to transition an executable to the yppasswdd_t domain.
++
++
++.EX
++.PP
++.B yppasswdd_var_run_t
++.EE
++
++- Set files with the yppasswdd_var_run_t type, if you want to store the yppasswdd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type yppasswdd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B shadow_t
++
++ /etc/shadow.*
++.br
++ /etc/gshadow.*
++.br
++ /var/db/shadow.*
++.br
++ /etc/security/opasswd
++.br
++ /etc/security/opasswd\.old
++.br
++
++.br
++.B var_yp_t
++
++ /var/yp(/.*)?
++.br
++
++.br
++.B yppasswdd_var_run_t
++
++ /var/run/yppass.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), yppasswdd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ypserv_selinux.8 b/man/man8/ypserv_selinux.8
+new file mode 100644
+index 0000000..b34ed73
+--- /dev/null
++++ b/man/man8/ypserv_selinux.8
+@@ -0,0 +1,130 @@
++.TH "ypserv_selinux" "8" "12-11-01" "ypserv" "SELinux Policy documentation for ypserv"
++.SH "NAME"
++ypserv_selinux \- Security Enhanced Linux Policy for the ypserv processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ypserv processes via flexible mandatory access control.
++
++The ypserv processes execute with the ypserv_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ypserv_t
++
++
++.SH "ENTRYPOINTS"
++
++The ypserv_t SELinux type can be entered via the "ypserv_exec_t" file type. The default entrypoint paths for the ypserv_t domain are the following:"
++
++/usr/sbin/ypserv
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ypserv policy is very flexible allowing users to setup their ypserv processes in as secure a method as possible.
++.PP
++The following process types are defined for ypserv:
++
++.EX
++.B ypserv_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ypserv policy is very flexible allowing users to setup their ypserv processes in as secure a method as possible.
++.PP
++The following file types are defined for ypserv:
++
++
++.EX
++.PP
++.B ypserv_conf_t
++.EE
++
++- Set files with the ypserv_conf_t type, if you want to treat the files as ypserv configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B ypserv_exec_t
++.EE
++
++- Set files with the ypserv_exec_t type, if you want to transition an executable to the ypserv_t domain.
++
++
++.EX
++.PP
++.B ypserv_tmp_t
++.EE
++
++- Set files with the ypserv_tmp_t type, if you want to store ypserv temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ypserv_var_run_t
++.EE
++
++- Set files with the ypserv_var_run_t type, if you want to store the ypserv files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type ypserv_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B var_yp_t
++
++ /var/yp(/.*)?
++.br
++
++.br
++.B ypserv_tmp_t
++
++
++.br
++.B ypserv_var_run_t
++
++ /var/run/ypserv.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ypserv(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/ypxfr_selinux.8 b/man/man8/ypxfr_selinux.8
+new file mode 100644
+index 0000000..ca3f8ec
+--- /dev/null
++++ b/man/man8/ypxfr_selinux.8
+@@ -0,0 +1,110 @@
++.TH "ypxfr_selinux" "8" "12-11-01" "ypxfr" "SELinux Policy documentation for ypxfr"
++.SH "NAME"
++ypxfr_selinux \- Security Enhanced Linux Policy for the ypxfr processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the ypxfr processes via flexible mandatory access control.
++
++The ypxfr processes execute with the ypxfr_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep ypxfr_t
++
++
++.SH "ENTRYPOINTS"
++
++The ypxfr_t SELinux type can be entered via the "ypxfr_exec_t" file type. The default entrypoint paths for the ypxfr_t domain are the following:"
++
++/usr/lib/yp/ypxfr, /usr/sbin/rpc\.ypxfrd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux ypxfr policy is very flexible allowing users to setup their ypxfr processes in as secure a method as possible.
++.PP
++The following process types are defined for ypxfr:
++
++.EX
++.B ypxfr_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux ypxfr policy is very flexible allowing users to setup their ypxfr processes in as secure a method as possible.
++.PP
++The following file types are defined for ypxfr:
++
++
++.EX
++.PP
++.B ypxfr_exec_t
++.EE
++
++- Set files with the ypxfr_exec_t type, if you want to transition an executable to the ypxfr_t domain.
++
++
++.EX
++.PP
++.B ypxfr_var_run_t
++.EE
++
++- Set files with the ypxfr_var_run_t type, if you want to store the ypxfr files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type ypxfr_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B var_yp_t
++
++ /var/yp(/.*)?
++.br
++
++.br
++.B ypxfr_var_run_t
++
++ /var/run/ypxfrd.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), ypxfr(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/zabbix_agent_selinux.8 b/man/man8/zabbix_agent_selinux.8
+new file mode 100644
+index 0000000..e7df99d
+--- /dev/null
++++ b/man/man8/zabbix_agent_selinux.8
+@@ -0,0 +1,141 @@
++.TH "zabbix_agent_selinux" "8" "12-11-01" "zabbix_agent" "SELinux Policy documentation for zabbix_agent"
++.SH "NAME"
++zabbix_agent_selinux \- Security Enhanced Linux Policy for the zabbix_agent processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the zabbix_agent processes via flexible mandatory access control.
++
++The zabbix_agent processes execute with the zabbix_agent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep zabbix_agent_t
++
++
++.SH "ENTRYPOINTS"
++
++The zabbix_agent_t SELinux type can be entered via the "zabbix_agent_exec_t" file type. The default entrypoint paths for the zabbix_agent_t domain are the following:"
++
++/usr/(s)?bin/zabbix_agentd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux zabbix_agent policy is very flexible allowing users to setup their zabbix_agent processes in as secure a method as possible.
++.PP
++The following process types are defined for zabbix_agent:
++
++.EX
++.B zabbix_agent_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux zabbix_agent policy is very flexible allowing users to setup their zabbix_agent processes in as secure a method as possible.
++.PP
++The following file types are defined for zabbix_agent:
++
++
++.EX
++.PP
++.B zabbix_agent_exec_t
++.EE
++
++- Set files with the zabbix_agent_exec_t type, if you want to transition an executable to the zabbix_agent_t domain.
++
++
++.EX
++.PP
++.B zabbix_agent_initrc_exec_t
++.EE
++
++- Set files with the zabbix_agent_initrc_exec_t type, if you want to transition an executable to the zabbix_agent_initrc_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux zabbix_agent policy is very flexible allowing users to setup their zabbix_agent processes in as secure a method as possible.
++.PP
++The following port types are defined for zabbix_agent:
++
++.EX
++.TP 5
++.B zabbix_agent_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 10050
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type zabbix_agent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B zabbix_log_t
++
++ /var/log/zabbix(/.*)?
++.br
++
++.br
++.B zabbix_tmpfs_t
++
++
++.br
++.B zabbix_var_run_t
++
++ /var/run/zabbix(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), zabbix_agent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, zabbix_selinux(8), zabbix_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/zabbix_selinux.8 b/man/man8/zabbix_selinux.8
+new file mode 100644
+index 0000000..ed7cfcc
+--- /dev/null
++++ b/man/man8/zabbix_selinux.8
+@@ -0,0 +1,253 @@
++.TH "zabbix_selinux" "8" "12-11-01" "zabbix" "SELinux Policy documentation for zabbix"
++.SH "NAME"
++zabbix_selinux \- Security Enhanced Linux Policy for the zabbix processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the zabbix processes via flexible mandatory access control.
++
++The zabbix processes execute with the zabbix_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep zabbix_t
++
++
++.SH "ENTRYPOINTS"
++
++The zabbix_t SELinux type can be entered via the "zabbix_exec_t" file type. The default entrypoint paths for the zabbix_t domain are the following:"
++
++/usr/(s)?bin/zabbix_server, /usr/sbin/zabbix_server_mysql, /usr/sbin/zabbix_server_pgsql, /usr/sbin/zabbix_server_sqlite3
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux zabbix policy is very flexible allowing users to setup their zabbix processes in as secure a method as possible.
++.PP
++The following process types are defined for zabbix:
++
++.EX
++.B zabbix_agent_t, zabbix_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. zabbix policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zabbix with the tightest access possible.
++
++
++.PP
++If you want to allow zabbix to connect to unreserved ports, you must turn on the zabbix_can_network boolean.
++
++.EX
++.B setsebool -P zabbix_can_network 1
++.EE
++
++.PP
++If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_zabbix 1
++.EE
++
++.PP
++If you want to allow zabbix to connect to unreserved ports, you must turn on the zabbix_can_network boolean.
++
++.EX
++.B setsebool -P zabbix_can_network 1
++.EE
++
++.PP
++If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_zabbix 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux zabbix policy is very flexible allowing users to setup their zabbix processes in as secure a method as possible.
++.PP
++The following file types are defined for zabbix:
++
++
++.EX
++.PP
++.B zabbix_agent_exec_t
++.EE
++
++- Set files with the zabbix_agent_exec_t type, if you want to transition an executable to the zabbix_agent_t domain.
++
++
++.EX
++.PP
++.B zabbix_agent_initrc_exec_t
++.EE
++
++- Set files with the zabbix_agent_initrc_exec_t type, if you want to transition an executable to the zabbix_agent_initrc_t domain.
++
++
++.EX
++.PP
++.B zabbix_exec_t
++.EE
++
++- Set files with the zabbix_exec_t type, if you want to transition an executable to the zabbix_t domain.
++
++
++.EX
++.PP
++.B zabbix_initrc_exec_t
++.EE
++
++- Set files with the zabbix_initrc_exec_t type, if you want to transition an executable to the zabbix_initrc_t domain.
++
++
++.EX
++.PP
++.B zabbix_log_t
++.EE
++
++- Set files with the zabbix_log_t type, if you want to treat the data as zabbix log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zabbix_tmp_t
++.EE
++
++- Set files with the zabbix_tmp_t type, if you want to store zabbix temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B zabbix_tmpfs_t
++.EE
++
++- Set files with the zabbix_tmpfs_t type, if you want to store zabbix files on a tmpfs file system.
++
++
++.EX
++.PP
++.B zabbix_var_run_t
++.EE
++
++- Set files with the zabbix_var_run_t type, if you want to store the zabbix files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux zabbix policy is very flexible allowing users to setup their zabbix processes in as secure a method as possible.
++.PP
++The following port types are defined for zabbix:
++
++.EX
++.TP 5
++.B zabbix_agent_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 10050
++.EE
++
++.EX
++.TP 5
++.B zabbix_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 10051
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type zabbix_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B zabbix_log_t
++
++ /var/log/zabbix(/.*)?
++.br
++
++.br
++.B zabbix_tmp_t
++
++
++.br
++.B zabbix_tmpfs_t
++
++
++.br
++.B zabbix_var_run_t
++
++ /var/run/zabbix(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zabbix_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zabbix_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), zabbix(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8), zabbix_agent_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/zarafa_deliver_selinux.8 b/man/man8/zarafa_deliver_selinux.8
+new file mode 100644
+index 0000000..a840dc6
+--- /dev/null
++++ b/man/man8/zarafa_deliver_selinux.8
+@@ -0,0 +1,145 @@
++.TH "zarafa_deliver_selinux" "8" "12-11-01" "zarafa_deliver" "SELinux Policy documentation for zarafa_deliver"
++.SH "NAME"
++zarafa_deliver_selinux \- Security Enhanced Linux Policy for the zarafa_deliver processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the zarafa_deliver processes via flexible mandatory access control.
++
++The zarafa_deliver processes execute with the zarafa_deliver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep zarafa_deliver_t
++
++
++.SH "ENTRYPOINTS"
++
++The zarafa_deliver_t SELinux type can be entered via the "zarafa_deliver_exec_t" file type. The default entrypoint paths for the zarafa_deliver_t domain are the following:"
++
++/usr/bin/zarafa-dagent
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux zarafa_deliver policy is very flexible allowing users to setup their zarafa_deliver processes in as secure a method as possible.
++.PP
++The following process types are defined for zarafa_deliver:
++
++.EX
++.B zarafa_deliver_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux zarafa_deliver policy is very flexible allowing users to setup their zarafa_deliver processes in as secure a method as possible.
++.PP
++The following file types are defined for zarafa_deliver:
++
++
++.EX
++.PP
++.B zarafa_deliver_exec_t
++.EE
++
++- Set files with the zarafa_deliver_exec_t type, if you want to transition an executable to the zarafa_deliver_t domain.
++
++
++.EX
++.PP
++.B zarafa_deliver_log_t
++.EE
++
++- Set files with the zarafa_deliver_log_t type, if you want to treat the data as zarafa deliver log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_deliver_tmp_t
++.EE
++
++- Set files with the zarafa_deliver_tmp_t type, if you want to store zarafa deliver temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B zarafa_deliver_var_run_t
++.EE
++
++- Set files with the zarafa_deliver_var_run_t type, if you want to store the zarafa deliver files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type zarafa_deliver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B zarafa_deliver_log_t
++
++ /var/log/zarafa/dagent\.log.*
++.br
++
++.br
++.B zarafa_deliver_tmp_t
++
++
++.br
++.B zarafa_deliver_var_run_t
++
++ /var/run/zarafa-dagent\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_deliver_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), zarafa_deliver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/zarafa_gateway_selinux.8 b/man/man8/zarafa_gateway_selinux.8
+new file mode 100644
+index 0000000..e4eeeb5
+--- /dev/null
++++ b/man/man8/zarafa_gateway_selinux.8
+@@ -0,0 +1,133 @@
++.TH "zarafa_gateway_selinux" "8" "12-11-01" "zarafa_gateway" "SELinux Policy documentation for zarafa_gateway"
++.SH "NAME"
++zarafa_gateway_selinux \- Security Enhanced Linux Policy for the zarafa_gateway processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the zarafa_gateway processes via flexible mandatory access control.
++
++The zarafa_gateway processes execute with the zarafa_gateway_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep zarafa_gateway_t
++
++
++.SH "ENTRYPOINTS"
++
++The zarafa_gateway_t SELinux type can be entered via the "zarafa_gateway_exec_t" file type. The default entrypoint paths for the zarafa_gateway_t domain are the following:"
++
++/usr/bin/zarafa-gateway
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux zarafa_gateway policy is very flexible allowing users to setup their zarafa_gateway processes in as secure a method as possible.
++.PP
++The following process types are defined for zarafa_gateway:
++
++.EX
++.B zarafa_gateway_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux zarafa_gateway policy is very flexible allowing users to setup their zarafa_gateway processes in as secure a method as possible.
++.PP
++The following file types are defined for zarafa_gateway:
++
++
++.EX
++.PP
++.B zarafa_gateway_exec_t
++.EE
++
++- Set files with the zarafa_gateway_exec_t type, if you want to transition an executable to the zarafa_gateway_t domain.
++
++
++.EX
++.PP
++.B zarafa_gateway_log_t
++.EE
++
++- Set files with the zarafa_gateway_log_t type, if you want to treat the data as zarafa gateway log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_gateway_var_run_t
++.EE
++
++- Set files with the zarafa_gateway_var_run_t type, if you want to store the zarafa gateway files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type zarafa_gateway_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B zarafa_gateway_log_t
++
++ /var/log/zarafa/gateway\.log.*
++.br
++
++.br
++.B zarafa_gateway_var_run_t
++
++ /var/run/zarafa-gateway\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_gateway_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_gateway_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), zarafa_gateway(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, zarafa_deliver_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/zarafa_ical_selinux.8 b/man/man8/zarafa_ical_selinux.8
+new file mode 100644
+index 0000000..08fcb78
+--- /dev/null
++++ b/man/man8/zarafa_ical_selinux.8
+@@ -0,0 +1,133 @@
++.TH "zarafa_ical_selinux" "8" "12-11-01" "zarafa_ical" "SELinux Policy documentation for zarafa_ical"
++.SH "NAME"
++zarafa_ical_selinux \- Security Enhanced Linux Policy for the zarafa_ical processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the zarafa_ical processes via flexible mandatory access control.
++
++The zarafa_ical processes execute with the zarafa_ical_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep zarafa_ical_t
++
++
++.SH "ENTRYPOINTS"
++
++The zarafa_ical_t SELinux type can be entered via the "zarafa_ical_exec_t" file type. The default entrypoint paths for the zarafa_ical_t domain are the following:"
++
++/usr/bin/zarafa-ical
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux zarafa_ical policy is very flexible allowing users to setup their zarafa_ical processes in as secure a method as possible.
++.PP
++The following process types are defined for zarafa_ical:
++
++.EX
++.B zarafa_ical_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux zarafa_ical policy is very flexible allowing users to setup their zarafa_ical processes in as secure a method as possible.
++.PP
++The following file types are defined for zarafa_ical:
++
++
++.EX
++.PP
++.B zarafa_ical_exec_t
++.EE
++
++- Set files with the zarafa_ical_exec_t type, if you want to transition an executable to the zarafa_ical_t domain.
++
++
++.EX
++.PP
++.B zarafa_ical_log_t
++.EE
++
++- Set files with the zarafa_ical_log_t type, if you want to treat the data as zarafa ical log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_ical_var_run_t
++.EE
++
++- Set files with the zarafa_ical_var_run_t type, if you want to store the zarafa ical files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type zarafa_ical_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B zarafa_ical_log_t
++
++ /var/log/zarafa/ical\.log.*
++.br
++
++.br
++.B zarafa_ical_var_run_t
++
++ /var/run/zarafa-ical\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_ical_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_ical_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), zarafa_ical(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/zarafa_indexer_selinux.8 b/man/man8/zarafa_indexer_selinux.8
+new file mode 100644
+index 0000000..72df8d0
+--- /dev/null
++++ b/man/man8/zarafa_indexer_selinux.8
+@@ -0,0 +1,155 @@
++.TH "zarafa_indexer_selinux" "8" "12-11-01" "zarafa_indexer" "SELinux Policy documentation for zarafa_indexer"
++.SH "NAME"
++zarafa_indexer_selinux \- Security Enhanced Linux Policy for the zarafa_indexer processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the zarafa_indexer processes via flexible mandatory access control.
++
++The zarafa_indexer processes execute with the zarafa_indexer_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep zarafa_indexer_t
++
++
++.SH "ENTRYPOINTS"
++
++The zarafa_indexer_t SELinux type can be entered via the "zarafa_indexer_exec_t" file type. The default entrypoint paths for the zarafa_indexer_t domain are the following:"
++
++/usr/bin/zarafa-indexer
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux zarafa_indexer policy is very flexible allowing users to setup their zarafa_indexer processes in as secure a method as possible.
++.PP
++The following process types are defined for zarafa_indexer:
++
++.EX
++.B zarafa_indexer_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux zarafa_indexer policy is very flexible allowing users to setup their zarafa_indexer processes in as secure a method as possible.
++.PP
++The following file types are defined for zarafa_indexer:
++
++
++.EX
++.PP
++.B zarafa_indexer_exec_t
++.EE
++
++- Set files with the zarafa_indexer_exec_t type, if you want to transition an executable to the zarafa_indexer_t domain.
++
++
++.EX
++.PP
++.B zarafa_indexer_log_t
++.EE
++
++- Set files with the zarafa_indexer_log_t type, if you want to treat the data as zarafa indexer log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_indexer_tmp_t
++.EE
++
++- Set files with the zarafa_indexer_tmp_t type, if you want to store zarafa indexer temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B zarafa_indexer_var_run_t
++.EE
++
++- Set files with the zarafa_indexer_var_run_t type, if you want to store the zarafa indexer files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type zarafa_indexer_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B zarafa_indexer_log_t
++
++ /var/log/zarafa/indexer\.log.*
++.br
++
++.br
++.B zarafa_indexer_tmp_t
++
++
++.br
++.B zarafa_indexer_var_run_t
++
++ /var/run/zarafa-indexer
++.br
++ /var/run/zarafa-indexer\.pid
++.br
++
++.br
++.B zarafa_var_lib_t
++
++ /var/lib/zarafa(/.*)?
++.br
++ /var/lib/zarafa-webaccess(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_indexer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_indexer_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), zarafa_indexer(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/zarafa_monitor_selinux.8 b/man/man8/zarafa_monitor_selinux.8
+new file mode 100644
+index 0000000..c563b1e
+--- /dev/null
++++ b/man/man8/zarafa_monitor_selinux.8
+@@ -0,0 +1,133 @@
++.TH "zarafa_monitor_selinux" "8" "12-11-01" "zarafa_monitor" "SELinux Policy documentation for zarafa_monitor"
++.SH "NAME"
++zarafa_monitor_selinux \- Security Enhanced Linux Policy for the zarafa_monitor processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the zarafa_monitor processes via flexible mandatory access control.
++
++The zarafa_monitor processes execute with the zarafa_monitor_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep zarafa_monitor_t
++
++
++.SH "ENTRYPOINTS"
++
++The zarafa_monitor_t SELinux type can be entered via the "zarafa_monitor_exec_t" file type. The default entrypoint paths for the zarafa_monitor_t domain are the following:"
++
++/usr/bin/zarafa-monitor
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux zarafa_monitor policy is very flexible allowing users to setup their zarafa_monitor processes in as secure a method as possible.
++.PP
++The following process types are defined for zarafa_monitor:
++
++.EX
++.B zarafa_monitor_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux zarafa_monitor policy is very flexible allowing users to setup their zarafa_monitor processes in as secure a method as possible.
++.PP
++The following file types are defined for zarafa_monitor:
++
++
++.EX
++.PP
++.B zarafa_monitor_exec_t
++.EE
++
++- Set files with the zarafa_monitor_exec_t type, if you want to transition an executable to the zarafa_monitor_t domain.
++
++
++.EX
++.PP
++.B zarafa_monitor_log_t
++.EE
++
++- Set files with the zarafa_monitor_log_t type, if you want to treat the data as zarafa monitor log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_monitor_var_run_t
++.EE
++
++- Set files with the zarafa_monitor_var_run_t type, if you want to store the zarafa monitor files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type zarafa_monitor_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B zarafa_monitor_log_t
++
++ /var/log/zarafa/monitor\.log.*
++.br
++
++.br
++.B zarafa_monitor_var_run_t
++
++ /var/run/zarafa-monitor\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_monitor_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_monitor_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), zarafa_monitor(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/zarafa_selinux.8 b/man/man8/zarafa_selinux.8
+new file mode 100644
+index 0000000..23c13e3
+--- /dev/null
++++ b/man/man8/zarafa_selinux.8
+@@ -0,0 +1,165 @@
++.TH "zarafa_selinux" "8" "zarafa" "dwalsh@redhat.com" "zarafa SELinux Policy documentation"
++.SH "NAME"
++zarafa_selinux \- Security Enhanced Linux Policy for the zarafa processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the zarafa processes via flexible mandatory access
++control.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_deliver_t, zarafa_spooler_t, zarafa_gateway_t, zarafa_ical_t, zarafa_server_t, zarafa_monitor_t, zarafa_indexer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_deliver_t, zarafa_spooler_t, zarafa_gateway_t, zarafa_ical_t, zarafa_server_t, zarafa_monitor_t, zarafa_indexer_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux zarafa policy is very flexible allowing users to setup their zarafa processes in as secure a method as possible.
++.PP
++The following file types are defined for zarafa:
++
++
++.EX
++.PP
++.B zarafa_deliver_exec_t
++.EE
++
++- Set files with the zarafa_deliver_exec_t type, if you want to transition an executable to the zarafa_deliver_t domain.
++
++
++.EX
++.PP
++.B zarafa_deliver_log_t
++.EE
++
++- Set files with the zarafa_deliver_log_t type, if you want to treat the data as zarafa deliver log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_deliver_tmp_t
++.EE
++
++- Set files with the zarafa_deliver_tmp_t type, if you want to store zarafa deliver temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B zarafa_deliver_var_run_t
++.EE
++
++- Set files with the zarafa_deliver_var_run_t type, if you want to store the zarafa deliver files under the /run directory.
++
++
++.EX
++.PP
++.B zarafa_etc_t
++.EE
++
++- Set files with the zarafa_etc_t type, if you want to store zarafa files in the /etc directories.
++
++
++.EX
++.PP
++.B zarafa_gateway_exec_t
++.EE
++
++- Set files with the zarafa_gateway_exec_t type, if you want to transition an executable to the zarafa_gateway_t domain.
++
++
++.EX
++.PP
++.B zarafa_gateway_log_t
++.EE
++
++- Set files with the zarafa_gateway_log_t type, if you want to treat the data as zarafa gateway log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_gateway_var_run_t
++.EE
++
++- Set files with the zarafa_gateway_var_run_t type, if you want to store the zarafa gateway files under the /run directory.
++
++
++.EX
++.PP
++.B zarafa_ical_exec_t
++.EE
++
++- Set files with the zarafa_ical_exec_t type, if you want to transition an executable to the zarafa_ical_t domain.
++
++
++.EX
++.PP
++.B zarafa_ical_log_t
++.EE
++
++- Set files with the zarafa_ical_log_t type, if you want to treat the data as zarafa ical log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_ical_var_run_t
++.EE
++
++- Set files with the zarafa_ical_var_run_t type, if you want to store the zarafa ical files under the /run directory.
++
++
++.EX
++.PP
++.B zarafa_indexer_exec_t
++.EE
++
++- Set files with the zarafa_indexer_exec_t type, if you want to transition an executable to the zarafa_indexer_t domain.
++
++
++.EX
++.PP
++.B zarafa_indexer_log_t
++.EE
++
++- Set files with the zarafa_indexer_log_t type, if you want to treat the data as zarafa indexer log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_indexer_tmp_t
++.EE
++
++- Set files with the zarafa_indexer_tmp_t type, if you want to store zarafa indexer temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B zarafa_indexer_var_run_t
++.EE
++
++- Set files with the zarafa_indexer_var_run_t type, if you want to store the zarafa indexer files under the /run directory.
++
++.br
++.TP 5
++Paths:
++/var/run/zarafa-indexer\.pid, /var/run/zarafa-indexer
++
++.EX
++.PP
++.B zarafa_monitor_exec_t
++.EE
++
++- Set files with the zarafa_monitor_exec_t type, if you want to transition an execut
+\ No newline at end of file
+diff --git a/man/man8/zarafa_server_selinux.8 b/man/man8/zarafa_server_selinux.8
+new file mode 100644
+index 0000000..09bb9df
+--- /dev/null
++++ b/man/man8/zarafa_server_selinux.8
+@@ -0,0 +1,155 @@
++.TH "zarafa_server_selinux" "8" "12-11-01" "zarafa_server" "SELinux Policy documentation for zarafa_server"
++.SH "NAME"
++zarafa_server_selinux \- Security Enhanced Linux Policy for the zarafa_server processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the zarafa_server processes via flexible mandatory access control.
++
++The zarafa_server processes execute with the zarafa_server_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep zarafa_server_t
++
++
++.SH "ENTRYPOINTS"
++
++The zarafa_server_t SELinux type can be entered via the "zarafa_server_exec_t" file type. The default entrypoint paths for the zarafa_server_t domain are the following:"
++
++/usr/bin/zarafa-server
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux zarafa_server policy is very flexible allowing users to setup their zarafa_server processes in as secure a method as possible.
++.PP
++The following process types are defined for zarafa_server:
++
++.EX
++.B zarafa_server_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux zarafa_server policy is very flexible allowing users to setup their zarafa_server processes in as secure a method as possible.
++.PP
++The following file types are defined for zarafa_server:
++
++
++.EX
++.PP
++.B zarafa_server_exec_t
++.EE
++
++- Set files with the zarafa_server_exec_t type, if you want to transition an executable to the zarafa_server_t domain.
++
++
++.EX
++.PP
++.B zarafa_server_log_t
++.EE
++
++- Set files with the zarafa_server_log_t type, if you want to treat the data as zarafa server log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_server_tmp_t
++.EE
++
++- Set files with the zarafa_server_tmp_t type, if you want to store zarafa server temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B zarafa_server_var_run_t
++.EE
++
++- Set files with the zarafa_server_var_run_t type, if you want to store the zarafa server files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type zarafa_server_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B zarafa_server_log_t
++
++ /var/log/zarafa/server\.log.*
++.br
++
++.br
++.B zarafa_server_tmp_t
++
++
++.br
++.B zarafa_server_var_run_t
++
++ /var/run/zarafa
++.br
++ /var/run/zarafa-server\.pid
++.br
++
++.br
++.B zarafa_var_lib_t
++
++ /var/lib/zarafa(/.*)?
++.br
++ /var/lib/zarafa-webaccess(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_server_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_server_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), zarafa_server(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_spooler_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/zarafa_spooler_selinux.8 b/man/man8/zarafa_spooler_selinux.8
+new file mode 100644
+index 0000000..2c41587
+--- /dev/null
++++ b/man/man8/zarafa_spooler_selinux.8
+@@ -0,0 +1,133 @@
++.TH "zarafa_spooler_selinux" "8" "12-11-01" "zarafa_spooler" "SELinux Policy documentation for zarafa_spooler"
++.SH "NAME"
++zarafa_spooler_selinux \- Security Enhanced Linux Policy for the zarafa_spooler processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the zarafa_spooler processes via flexible mandatory access control.
++
++The zarafa_spooler processes execute with the zarafa_spooler_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep zarafa_spooler_t
++
++
++.SH "ENTRYPOINTS"
++
++The zarafa_spooler_t SELinux type can be entered via the "zarafa_spooler_exec_t" file type. The default entrypoint paths for the zarafa_spooler_t domain are the following:"
++
++/usr/bin/zarafa-spooler
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux zarafa_spooler policy is very flexible allowing users to setup their zarafa_spooler processes in as secure a method as possible.
++.PP
++The following process types are defined for zarafa_spooler:
++
++.EX
++.B zarafa_spooler_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux zarafa_spooler policy is very flexible allowing users to setup their zarafa_spooler processes in as secure a method as possible.
++.PP
++The following file types are defined for zarafa_spooler:
++
++
++.EX
++.PP
++.B zarafa_spooler_exec_t
++.EE
++
++- Set files with the zarafa_spooler_exec_t type, if you want to transition an executable to the zarafa_spooler_t domain.
++
++
++.EX
++.PP
++.B zarafa_spooler_log_t
++.EE
++
++- Set files with the zarafa_spooler_log_t type, if you want to treat the data as zarafa spooler log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_spooler_var_run_t
++.EE
++
++- Set files with the zarafa_spooler_var_run_t type, if you want to store the zarafa spooler files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type zarafa_spooler_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B zarafa_spooler_log_t
++
++ /var/log/zarafa/spooler\.log.*
++.br
++
++.br
++.B zarafa_spooler_var_run_t
++
++ /var/run/zarafa-spooler\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_spooler_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_spooler_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), zarafa_spooler(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/zebra_selinux.8 b/man/man8/zebra_selinux.8
+new file mode 100644
+index 0000000..0875d31
+--- /dev/null
++++ b/man/man8/zebra_selinux.8
+@@ -0,0 +1,198 @@
++.TH "zebra_selinux" "8" "12-11-01" "zebra" "SELinux Policy documentation for zebra"
++.SH "NAME"
++zebra_selinux \- Security Enhanced Linux Policy for the zebra processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the zebra processes via flexible mandatory access control.
++
++The zebra processes execute with the zebra_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep zebra_t
++
++
++.SH "ENTRYPOINTS"
++
++The zebra_t SELinux type can be entered via the "zebra_exec_t" file type. The default entrypoint paths for the zebra_t domain are the following:"
++
++/usr/sbin/rip.*, /usr/sbin/ospf.*, /usr/sbin/bgpd, /usr/sbin/zebra
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux zebra policy is very flexible allowing users to setup their zebra processes in as secure a method as possible.
++.PP
++The following process types are defined for zebra:
++
++.EX
++.B zebra_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required. zebra policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zebra with the tightest access possible.
++
++
++.PP
++If you want to allow zebra daemon to write it configuration files, you must turn on the zebra_write_config boolean.
++
++.EX
++.B setsebool -P zebra_write_config 1
++.EE
++
++.PP
++If you want to allow zebra daemon to write it configuration files, you must turn on the zebra_write_config boolean.
++
++.EX
++.B setsebool -P zebra_write_config 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux zebra policy is very flexible allowing users to setup their zebra processes in as secure a method as possible.
++.PP
++The following file types are defined for zebra:
++
++
++.EX
++.PP
++.B zebra_conf_t
++.EE
++
++- Set files with the zebra_conf_t type, if you want to treat the files as zebra configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B zebra_exec_t
++.EE
++
++- Set files with the zebra_exec_t type, if you want to transition an executable to the zebra_t domain.
++
++
++.EX
++.PP
++.B zebra_initrc_exec_t
++.EE
++
++- Set files with the zebra_initrc_exec_t type, if you want to transition an executable to the zebra_initrc_t domain.
++
++
++.EX
++.PP
++.B zebra_log_t
++.EE
++
++- Set files with the zebra_log_t type, if you want to treat the data as zebra log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zebra_tmp_t
++.EE
++
++- Set files with the zebra_tmp_t type, if you want to store zebra temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B zebra_var_run_t
++.EE
++
++- Set files with the zebra_var_run_t type, if you want to store the zebra files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports.
++.PP
++You can see the types associated with a port by using the following command:
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports.
++SELinux zebra policy is very flexible allowing users to setup their zebra processes in as secure a method as possible.
++.PP
++The following port types are defined for zebra:
++
++.EX
++.TP 5
++.B zebra_port_t
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 2600-2604,2606
++.EE
++udp 2600-2604,2606
++.EE
++.SH "MANAGED FILES"
++
++The SELinux process type zebra_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B zebra_log_t
++
++ /var/log/zebra(/.*)?
++.br
++ /var/log/quagga(/.*)?
++.br
++
++.br
++.B zebra_var_run_t
++
++ /var/run/quagga(/.*)?
++.br
++ /var/run/\.zebra
++.br
++ /var/run/\.zserv
++.br
++
++.SH NSSWITCH DOMAIN
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), zebra(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/zoneminder_selinux.8 b/man/man8/zoneminder_selinux.8
+new file mode 100644
+index 0000000..ac66364
+--- /dev/null
++++ b/man/man8/zoneminder_selinux.8
+@@ -0,0 +1,217 @@
++.TH "zoneminder_selinux" "8" "12-11-01" "zoneminder" "SELinux Policy documentation for zoneminder"
++.SH "NAME"
++zoneminder_selinux \- Security Enhanced Linux Policy for the zoneminder processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the zoneminder processes via flexible mandatory access control.
++
++The zoneminder processes execute with the zoneminder_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep zoneminder_t
++
++
++.SH "ENTRYPOINTS"
++
++The zoneminder_t SELinux type can be entered via the "zoneminder_exec_t" file type. The default entrypoint paths for the zoneminder_t domain are the following:"
++
++/usr/bin/zmpkg.pl, /usr/bin/motion
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux zoneminder policy is very flexible allowing users to setup their zoneminder processes in as secure a method as possible.
++.PP
++The following process types are defined for zoneminder:
++
++.EX
++.B zoneminder_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow zoneminder servers to read the /var/zoneminder directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/zoneminder(/.*)?"
++.br
++.B restorecon -F -R -v /var/zoneminder
++.pp
++.TP
++Allow zoneminder servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_zoneminderd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/zoneminder/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/zoneminder/incoming
++
++
++.PP
++If you want to allow ZoneMinder to modify public files used for public file transfer services., you must turn on the zoneminder_anon_write boolean.
++
++.EX
++.B setsebool -P zoneminder_anon_write 1
++.EE
++
++.PP
++If you want to allow ZoneMinder to modify public files used for public file transfer services., you must turn on the zoneminder_anon_write boolean.
++
++.EX
++.B setsebool -P zoneminder_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux zoneminder policy is very flexible allowing users to setup their zoneminder processes in as secure a method as possible.
++.PP
++The following file types are defined for zoneminder:
++
++
++.EX
++.PP
++.B zoneminder_exec_t
++.EE
++
++- Set files with the zoneminder_exec_t type, if you want to transition an executable to the zoneminder_t domain.
++
++
++.EX
++.PP
++.B zoneminder_initrc_exec_t
++.EE
++
++- Set files with the zoneminder_initrc_exec_t type, if you want to transition an executable to the zoneminder_initrc_t domain.
++
++
++.EX
++.PP
++.B zoneminder_log_t
++.EE
++
++- Set files with the zoneminder_log_t type, if you want to treat the data as zoneminder log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zoneminder_spool_t
++.EE
++
++- Set files with the zoneminder_spool_t type, if you want to store the zoneminder files under the /var/spool directory.
++
++
++.EX
++.PP
++.B zoneminder_tmpfs_t
++.EE
++
++- Set files with the zoneminder_tmpfs_t type, if you want to store zoneminder files on a tmpfs file system.
++
++
++.EX
++.PP
++.B zoneminder_var_lib_t
++.EE
++
++- Set files with the zoneminder_var_lib_t type, if you want to store the zoneminder files under the /var/lib directory.
++
++
++.EX
++.PP
++.B zoneminder_var_run_t
++.EE
++
++- Set files with the zoneminder_var_run_t type, if you want to store the zoneminder files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH "MANAGED FILES"
++
++The SELinux process type zoneminder_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
++
++.br
++.B zoneminder_log_t
++
++ /var/log/motion\.log.*
++.br
++ /var/log/zoneminder(/.*)?
++.br
++
++.br
++.B zoneminder_spool_t
++
++ /var/spool/zoneminder-upload(/.*)?
++.br
++
++.br
++.B zoneminder_tmpfs_t
++
++
++.br
++.B zoneminder_var_lib_t
++
++ /var/motion(/.*)?
++.br
++ /var/lib/zoneminder(/.*)?
++.br
++
++.br
++.B zoneminder_var_run_t
++
++ /var/run/motion\.pid
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zoneminder_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zoneminder_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), zoneminder(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/man/man8/zos_remote_selinux.8 b/man/man8/zos_remote_selinux.8
+new file mode 100644
+index 0000000..29d9940
+--- /dev/null
++++ b/man/man8/zos_remote_selinux.8
+@@ -0,0 +1,100 @@
++.TH "zos_remote_selinux" "8" "12-11-01" "zos_remote" "SELinux Policy documentation for zos_remote"
++.SH "NAME"
++zos_remote_selinux \- Security Enhanced Linux Policy for the zos_remote processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the zos_remote processes via flexible mandatory access control.
++
++The zos_remote processes execute with the zos_remote_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
++
++For example:
++
++.B ps -eZ | grep zos_remote_t
++
++
++.SH "ENTRYPOINTS"
++
++The zos_remote_t SELinux type can be entered via the "zos_remote_exec_t" file type. The default entrypoint paths for the zos_remote_t domain are the following:"
++
++/sbin/audispd-zos-remote, /usr/sbin/audispd-zos-remote
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux zos_remote policy is very flexible allowing users to setup their zos_remote processes in as secure a method as possible.
++.PP
++The following process types are defined for zos_remote:
++
++.EX
++.B zos_remote_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux zos_remote policy is very flexible allowing users to setup their zos_remote processes in as secure a method as possible.
++.PP
++The following file types are defined for zos_remote:
++
++
++.EX
++.PP
++.B zos_remote_exec_t
++.EE
++
++- Set files with the zos_remote_exec_t type, if you want to transition an executable to the zos_remote_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zos_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zos_remote_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was auto-generated using
++.B "sepolicy manpage"
++by Dan Walsh.
++
++.SH "SEE ALSO"
++selinux(8), zos_remote(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+diff --git a/policy/constraints b/policy/constraints
+index 3a45f23..f4754f0 100644
+--- a/policy/constraints
++++ b/policy/constraints
+@@ -105,6 +105,18 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh }
+ or ( t1 == process_uncond_exempt )
+ );
+
++constrain process dyntransition
++(
++ u1 == u2
++ or ( t1 == can_change_process_identity and t2 == process_user_target )
++);
++
++constrain process dyntransition
++(
++ r1 == r2
++ or ( t1 == can_change_process_identity and t2 == process_user_target )
++);
++
+ # These permissions do not have ubac constraints:
+ # fork
+ # setexec
+diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
+index 28802c5..d9460ea 100644
+--- a/policy/flask/access_vectors
++++ b/policy/flask/access_vectors
+@@ -329,6 +329,7 @@ class process
+ execheap
+ setkeycreate
+ setsockcreate
++ ptrace_child
+ }
+
+
+@@ -393,6 +394,10 @@ class system
+ syslog_mod
+ syslog_console
+ module_request
++ halt
++ reboot
++ status
++ undefined
+ }
+
+ #
+@@ -443,10 +448,12 @@ class capability
+ class capability2
+ {
+ mac_override # unused by SELinux
+- mac_admin # unused by SELinux
++ mac_admin
+ syslog
+ wake_alarm
++ epolwakeup
+ block_suspend
++ compromise_kernel
+ }
+
+ #
+@@ -862,3 +869,20 @@ inherits database
+ implement
+ execute
+ }
++
++class service
++{
++ start
++ stop
++ status
++ reload
++ kill
++ load
++ enable
++ disable
++}
++
++class proxy
++{
++ read
++}
+diff --git a/policy/flask/security_classes b/policy/flask/security_classes
+index 14a4799..db2e4a0 100644
+--- a/policy/flask/security_classes
++++ b/policy/flask/security_classes
+@@ -131,4 +131,11 @@ class db_view # userspace
+ class db_sequence # userspace
+ class db_language # userspace
+
++# systemd services
++class service
++
++# gssd services
++class proxy
++
++
+ # FLASK
+diff --git a/policy/global_booleans b/policy/global_booleans
+index 66e85ea..d02654d 100644
+--- a/policy/global_booleans
++++ b/policy/global_booleans
+@@ -6,7 +6,7 @@
+
+ ##
+ ##
+-## Enabling secure mode disallows programs, such as
++## disallow programs, such as
+ ## newrole, from transitioning to administrative
+ ## user domains.
+ ##
+diff --git a/policy/global_tunables b/policy/global_tunables
+index 4705ab6..11a1ae6 100644
+--- a/policy/global_tunables
++++ b/policy/global_tunables
+@@ -6,52 +6,59 @@
+
+ ##
+ ##
++## Allow sysadm to debug or ptrace all processes.
++##
++##
++gen_tunable(deny_ptrace, false)
++
++##
++##
+ ## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+ ##
+ ##
+-gen_tunable(allow_execheap,false)
++gen_tunable(selinuxuser_execheap,false)
+
+ ##
+ ##
+-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
++## Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
+ ##
+ ##
+-gen_tunable(allow_execmem,false)
++gen_tunable(deny_execmem,false)
+
+ ##
+ ##
+-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
++## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
+ ##
+ ##
+-gen_tunable(allow_execmod,false)
++gen_tunable(selinuxuser_execmod,false)
+
+ ##
+ ##
+-## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
++## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+ ##
+ ##
+-gen_tunable(allow_execstack,false)
++gen_tunable(selinuxuser_execstack,false)
+
+ ##
+ ##
+ ## Enable polyinstantiated directory support.
+ ##
+ ##
+-gen_tunable(allow_polyinstantiation,false)
++gen_tunable(polyinstantiation_enabled,false)
+
+ ##
+ ##
+ ## Allow system to run with NIS
+ ##
+ ##
+-gen_tunable(allow_ypbind,false)
++gen_tunable(nis_enabled,false)
+
+ ##
+ ##
+ ## Allow logging in and using the system from /dev/console.
+ ##
+ ##
+-gen_tunable(console_login,true)
++gen_tunable(login_console_enabled,true)
+
+ ##
+ ##
+@@ -68,15 +75,6 @@ gen_tunable(global_ssp,false)
+
+ ##
+ ##
+-## Allow email client to various content.
+-## nfs, samba, removable devices, and user temp
+-## files
+-##
+-##
+-gen_tunable(mail_read_content,false)
+-
+-##
+-##
+ ## Allow any files/directories to be exported read/write via NFS.
+ ##
+ ##
+@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false)
+
+ ##
+ ##
++## Support ecryptfs home directories
++##
++##
++gen_tunable(use_ecryptfs_home_dirs,false)
++
++##
++##
++## Support fusefs home directories
++##
++##
++gen_tunable(use_fusefs_home_dirs,false)
++
++##
++##
+ ## Allow users to run TCP servers (bind to ports and accept connection from
+ ## the same domain and outside users) disabling this forces FTP passive mode
+ ## and may change other protocols.
+ ##
+ ##
+-gen_tunable(user_tcp_server,false)
++gen_tunable(selinuxuser_tcp_server,false)
++
+diff --git a/policy/mcs b/policy/mcs
+index f477c7f..ff7369c 100644
+--- a/policy/mcs
++++ b/policy/mcs
+@@ -1,4 +1,6 @@
+ ifdef(`enable_mcs',`
++default_range dir_file_class_set target low;
++
+ #
+ # Define sensitivities
+ #
+@@ -69,28 +71,48 @@ gen_levels(1,mcs_num_cats)
+ # - /proc/pid operations are not constrained.
+
+ mlsconstrain file { read ioctl lock execute execute_no_trans }
+- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
++ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+
+ mlsconstrain file { write setattr append unlink link rename }
+- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
++ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
++ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+
+ mlsconstrain dir { search read ioctl lock }
+- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
++ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+
+ mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
+- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
++ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
++ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
++
++mlsconstrain fifo_file { open }
++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
++ (( t1 != mcsuntrustedproc ) and ( t2 == domain )));
++
++mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
++ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
++
++mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
++ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
++ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+
+ # New filesystem object labels must be dominated by the relabeling subject
+ # clearance, also the objects are single-level.
+ mlsconstrain file { create relabelto }
+- (( h1 dom h2 ) and ( l2 eq h2 ));
++ ((( h1 dom h2 ) and ( l2 eq h2 )) or
++ ( t1 != mcsuntrustedproc ));
+
+ # new file labels must be dominated by the relabeling subject clearance
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+- ( h1 dom h2 );
++ (( h1 dom h2 ) or ( t1 == mcswriteall ));
++
++mlsconstrain { file lnk_file fifo_file } { create relabelto }
++ ( l2 eq h2 );
+
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+- (( h1 dom h2 ) and ( l2 eq h2 ));
++ ( h1 dom h2 );
+
+ mlsconstrain process { transition dyntransition }
+ (( h1 dom h2 ) or ( t1 == mcssetcats ));
+@@ -101,6 +123,9 @@ mlsconstrain process { ptrace }
+ mlsconstrain process { sigkill sigstop }
+ (( h1 dom h2 ) or ( t1 == mcskillall ));
+
++mlsconstrain process { signal }
++ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
++
+ #
+ # MCS policy for SELinux-enabled databases
+ #
+@@ -144,4 +169,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+ mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
+ ( h1 dom h2 );
+
++mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
++ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
++
++# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
++# because the subject in this particular case is the remote domain which is
++# writing data out the network node which is acting as the object
++mlsconstrain { node } { recvfrom sendto }
++ (( l1 dom l2 ) or (t1 != mcsuntrustedproc));
++
++mlsconstrain { packet peer } { recv }
++ (( l1 dom l2 ) or
++ ((t1 != mcsuntrustedproc) and (t2 != mcsuntrustedproc)));
++
++# the netif ingress/egress ops, the ingress permission is a "write" operation
++# because the subject in this particular case is the remote domain which is
++# writing data out the network interface which is acting as the object
++mlsconstrain { netif } { egress ingress }
++ (( l1 dom l2 ) or (t1 != mcsuntrustedproc));
++
+ ') dnl end enable_mcs
+diff --git a/policy/mls b/policy/mls
+index d218387..c2541c2 100644
+--- a/policy/mls
++++ b/policy/mls
+@@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+- ( t1 == mlsnetwrite ));
++ ( t1 == mlsnetwrite ) or
++ ( t2 == mlstrustedobject ));
+
+ # used by netlabel to restrict normal domains to same level connections
+ mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
+@@ -361,9 +362,6 @@ mlsconstrain { peer packet } { recv }
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ));
+
+-
+-
+-
+ #
+ # MLS policy for the process class
+ #
+diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
+index 7a6f06f..bf04b0a 100644
+--- a/policy/modules/admin/bootloader.fc
++++ b/policy/modules/admin/bootloader.fc
+@@ -1,9 +1,16 @@
+-
++/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+ /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+ /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
++/etc/zipl\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+
+-/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++
++/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0)
+diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
+index a778bb1..5e914db 100644
+--- a/policy/modules/admin/bootloader.if
++++ b/policy/modules/admin/bootloader.if
+@@ -19,6 +19,24 @@ interface(`bootloader_domtrans',`
+ domtrans_pattern($1, bootloader_exec_t, bootloader_t)
+ ')
+
++######################################
++##
++## Execute bootloader in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bootloader_exec',`
++ gen_require(`
++ type bootloader_exec_t;
++ ')
++
++ can_exec($1, bootloader_exec_t)
++')
++
+ ########################################
+ ##
+ ## Execute bootloader interactively and do
+@@ -38,11 +56,21 @@ interface(`bootloader_domtrans',`
+ #
+ interface(`bootloader_run',`
+ gen_require(`
+- attribute_role bootloader_roles;
++ type bootloader_t;
++ #attribute_role bootloader_roles;
+ ')
+
++ #bootloader_domtrans($1)
++ #roleattribute $2 bootloader_roles;
++
+ bootloader_domtrans($1)
+- roleattribute $2 bootloader_roles;
++
++ role $2 types bootloader_t;
++
++ ifdef(`distro_redhat',`
++ # for mke2fs
++ mount_run(bootloader_t, $2)
++ ')
+ ')
+
+ ########################################
+@@ -100,7 +128,7 @@ interface(`bootloader_rw_tmp_files',`
+ ')
+
+ files_search_tmp($1)
+- allow $1 bootloader_tmp_t:file rw_file_perms;
++ allow $1 bootloader_tmp_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -122,3 +150,22 @@ interface(`bootloader_create_runtime_file',`
+ allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
+ files_boot_filetrans($1, boot_runtime_t, file)
+ ')
++
++########################################
++##
++## Type transition files created in /etc
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bootloader_filetrans_config',`
++ gen_require(`
++ type bootloader_etc_t;
++ ')
++
++ files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf")
++ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
++')
+diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
+index ab0439a..57890fe 100644
+--- a/policy/modules/admin/bootloader.te
++++ b/policy/modules/admin/bootloader.te
+@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0)
+ # Declarations
+ #
+
+-attribute_role bootloader_roles;
+-roleattribute system_r bootloader_roles;
++#attribute_role bootloader_roles;
++#roleattribute system_r bootloader_roles;
+
+ #
+ # boot_runtime_t is the type for /boot/kernel.h,
+@@ -19,14 +19,21 @@ files_type(boot_runtime_t)
+ type bootloader_t;
+ type bootloader_exec_t;
+ application_domain(bootloader_t, bootloader_exec_t)
+-role bootloader_roles types bootloader_t;
++#role bootloader_roles types bootloader_t;
++role system_r types bootloader_t;
++
++type bootloader_var_run_t;
++files_pid_file(bootloader_var_run_t)
++
++type bootloader_var_lib_t;
++files_type(bootloader_var_lib_t)
+
+ #
+ # bootloader_etc_t is the configuration file,
+ # grub.conf, lilo.conf, etc.
+ #
+ type bootloader_etc_t alias etc_bootloader_t;
+-files_type(bootloader_etc_t)
++files_config_file(bootloader_etc_t)
+
+ #
+ # The temp file is used for initrd creation;
+@@ -41,7 +48,7 @@ dev_node(bootloader_tmp_t)
+ # bootloader local policy
+ #
+
+-allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
++allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown };
+ allow bootloader_t self:process { signal_perms execmem };
+ allow bootloader_t self:fifo_file rw_fifo_file_perms;
+
+@@ -59,6 +66,15 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
+ # for tune2fs (cjp: ?)
+ files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
+
++manage_dirs_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
++manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
++files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })
++
++manage_dirs_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
++manage_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
++manage_lnk_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
++files_var_lib_filetrans(bootloader_t, bootloader_var_lib_t, {dir file })
++
+ kernel_getattr_core_if(bootloader_t)
+ kernel_read_network_state(bootloader_t)
+ kernel_read_system_state(bootloader_t)
+@@ -81,6 +97,8 @@ dev_rw_nvram(bootloader_t)
+
+ fs_getattr_xattr_fs(bootloader_t)
+ fs_getattr_tmpfs(bootloader_t)
++fs_list_hugetlbfs(bootloader_t)
++fs_list_tmpfs(bootloader_t)
+ fs_read_tmpfs_symlinks(bootloader_t)
+ #Needed for ia64
+ fs_manage_dos_files(bootloader_t)
+@@ -89,7 +107,10 @@ mls_file_read_all_levels(bootloader_t)
+ mls_file_write_all_levels(bootloader_t)
+
+ term_getattr_all_ttys(bootloader_t)
++term_getattr_all_ptys(bootloader_t)
+ term_dontaudit_manage_pty_dirs(bootloader_t)
++term_dontaudit_getattr_generic_ptys(bootloader_t)
++term_use_unallocated_ttys(bootloader_t)
+
+ corecmd_exec_all_executables(bootloader_t)
+
+@@ -98,12 +119,14 @@ domain_use_interactive_fds(bootloader_t)
+ files_create_boot_dirs(bootloader_t)
+ files_manage_boot_files(bootloader_t)
+ files_manage_boot_symlinks(bootloader_t)
++files_manage_kernel_modules(bootloader_t)
+ files_read_etc_files(bootloader_t)
+ files_exec_etc_files(bootloader_t)
+ files_read_usr_src_files(bootloader_t)
+ files_read_usr_files(bootloader_t)
+ files_read_var_files(bootloader_t)
+ files_read_kernel_modules(bootloader_t)
++files_read_kernel_symbol_table(bootloader_t)
+ # for nscd
+ files_dontaudit_search_pids(bootloader_t)
+ # for blkid.tab
+@@ -111,6 +134,7 @@ files_manage_etc_runtime_files(bootloader_t)
+ files_etc_filetrans_etc_runtime(bootloader_t, file)
+ files_dontaudit_search_home(bootloader_t)
+
++
+ init_getattr_initctl(bootloader_t)
+ init_use_script_ptys(bootloader_t)
+ init_use_script_fds(bootloader_t)
+@@ -118,19 +142,21 @@ init_rw_script_pipes(bootloader_t)
+
+ libs_read_lib_files(bootloader_t)
+ libs_exec_lib_files(bootloader_t)
++libs_exec_ld_so(bootloader_t)
++
++auth_use_nsswitch(bootloader_t)
+
+ logging_send_syslog_msg(bootloader_t)
+ logging_rw_generic_logs(bootloader_t)
+
+-miscfiles_read_localization(bootloader_t)
+
+ modutils_domtrans_insmod(bootloader_t)
+
+ seutil_read_bin_policy(bootloader_t)
+ seutil_read_loadpolicy(bootloader_t)
+-seutil_dontaudit_search_config(bootloader_t)
+
+-userdom_use_user_terminals(bootloader_t)
++userdom_getattr_user_tmpfs_files(bootloader_t)
++userdom_use_inherited_user_terminals(bootloader_t)
+ userdom_dontaudit_search_user_home_dirs(bootloader_t)
+
+ ifdef(`distro_debian',`
+@@ -166,7 +192,8 @@ ifdef(`distro_redhat',`
+ files_manage_isid_type_chr_files(bootloader_t)
+
+ # for mke2fs
+- mount_run(bootloader_t, bootloader_roles)
++ #mount_run(bootloader_t, bootloader_roles)
++ mount_domtrans(bootloader_t)
+
+ optional_policy(`
+ unconfined_domain(bootloader_t)
+@@ -174,6 +201,10 @@ ifdef(`distro_redhat',`
+ ')
+
+ optional_policy(`
++ devicekit_dontaudit_read_pid_files(bootloader_t)
++')
++
++optional_policy(`
+ fstools_exec(bootloader_t)
+ ')
+
+@@ -183,6 +214,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gpm_getattr_gpmctl(bootloader_t)
++')
++
++optional_policy(`
++ fsadm_manage_pid(bootloader_t)
++')
++
++optional_policy(`
+ kudzu_domtrans(bootloader_t)
+ ')
+
+@@ -195,17 +234,19 @@ optional_policy(`
+
+ optional_policy(`
+ modutils_exec_insmod(bootloader_t)
++ modutils_list_module_config(bootloader_t)
+ modutils_read_module_deps(bootloader_t)
+ modutils_read_module_config(bootloader_t)
+ modutils_exec_insmod(bootloader_t)
+ modutils_exec_depmod(bootloader_t)
+ modutils_exec_update_mods(bootloader_t)
++ modutils_domtrans_insmod_uncond(bootloader_t)
+ ')
+
+ optional_policy(`
+- nscd_socket_use(bootloader_t)
++ rpm_rw_pipes(bootloader_t)
+ ')
+
+ optional_policy(`
+- rpm_rw_pipes(bootloader_t)
++ udev_read_pid_files(bootloader_t)
+ ')
+diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc
+index b7f053b..5d4fc31 100644
+--- a/policy/modules/admin/consoletype.fc
++++ b/policy/modules/admin/consoletype.fc
+@@ -1,2 +1,4 @@
+
+ /sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0)
++
++/usr/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0)
+diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
+index 0f57d3b..655d07f 100644
+--- a/policy/modules/admin/consoletype.if
++++ b/policy/modules/admin/consoletype.if
+@@ -19,10 +19,6 @@ interface(`consoletype_domtrans',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, consoletype_exec_t, consoletype_t)
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit consoletype_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
+diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
+index cd5e005..247259a 100644
+--- a/policy/modules/admin/consoletype.te
++++ b/policy/modules/admin/consoletype.te
+@@ -7,8 +7,8 @@ policy_module(consoletype, 1.10.0)
+
+ type consoletype_t;
+ type consoletype_exec_t;
+-init_domain(consoletype_t, consoletype_exec_t)
+-init_system_domain(consoletype_t, consoletype_exec_t)
++application_domain(consoletype_t, consoletype_exec_t)
++role system_r types consoletype_t;
+
+ ########################################
+ #
+@@ -47,14 +47,16 @@ fs_list_inotifyfs(consoletype_t)
+ mls_file_read_all_levels(consoletype_t)
+ mls_file_write_all_levels(consoletype_t)
+
+-term_use_all_terms(consoletype_t)
++term_use_all_inherited_terms(consoletype_t)
++term_use_ptmx(consoletype_t)
+
+ init_use_fds(consoletype_t)
+ init_use_script_ptys(consoletype_t)
+ init_use_script_fds(consoletype_t)
+ init_rw_script_pipes(consoletype_t)
++init_rw_inherited_script_tmp_files(consoletype_t)
+
+-userdom_use_user_terminals(consoletype_t)
++userdom_use_inherited_user_terminals(consoletype_t)
+
+ ifdef(`distro_redhat',`
+ fs_rw_tmpfs_chr_files(consoletype_t)
+@@ -79,16 +81,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- files_read_etc_files(consoletype_t)
+- firstboot_use_fds(consoletype_t)
+- firstboot_rw_pipes(consoletype_t)
++ devicekit_dontaudit_read_pid_files(consoletype_t)
++ devicekit_dontaudit_rw_log(consoletype_t)
+ ')
+
+ optional_policy(`
+- hal_dontaudit_use_fds(consoletype_t)
+- hal_dontaudit_rw_pipes(consoletype_t)
+- hal_dontaudit_rw_dgram_sockets(consoletype_t)
+- hal_dontaudit_write_log(consoletype_t)
++ files_read_etc_files(consoletype_t)
++ firstboot_use_fds(consoletype_t)
++ firstboot_rw_pipes(consoletype_t)
+ ')
+
+ optional_policy(`
+@@ -114,6 +114,7 @@ optional_policy(`
+
+ optional_policy(`
+ userdom_use_unpriv_users_fds(consoletype_t)
++ userdom_dontaudit_rw_dgram_socket(consoletype_t)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index d6cc2d9..0685b19 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1,2 +1,4 @@
+
+ /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++
++/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
+index 72bc6d8..ff164b3 100644
+--- a/policy/modules/admin/dmesg.te
++++ b/policy/modules/admin/dmesg.te
+@@ -9,6 +9,10 @@ type dmesg_t;
+ type dmesg_exec_t;
+ init_system_domain(dmesg_t, dmesg_exec_t)
+
++ifdef(`enable_mls',`
++ init_ranged_daemon_domain(dmesg_t, dmesg_exec_t, mls_systemhigh)
++')
++
+ ########################################
+ #
+ # Local policy
+@@ -19,6 +23,7 @@ dontaudit dmesg_t self:capability sys_tty_config;
+
+ allow dmesg_t self:process signal_perms;
+
++kernel_read_system_state(dmesg_t)
+ kernel_read_kernel_sysctls(dmesg_t)
+ kernel_read_ring_buffer(dmesg_t)
+ kernel_clear_ring_buffer(dmesg_t)
+@@ -27,6 +32,7 @@ kernel_list_proc(dmesg_t)
+ kernel_read_proc_symlinks(dmesg_t)
+
+ dev_read_sysfs(dmesg_t)
++dev_read_kmsg(dmesg_t)
+
+ fs_search_auto_mountpoints(dmesg_t)
+
+@@ -44,10 +50,13 @@ init_use_script_ptys(dmesg_t)
+ logging_send_syslog_msg(dmesg_t)
+ logging_write_generic_logs(dmesg_t)
+
+-miscfiles_read_localization(dmesg_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
+-userdom_use_user_terminals(dmesg_t)
++userdom_use_inherited_user_terminals(dmesg_t)
++
++optional_policy(`
++ abrt_rw_inherited_cache(dmesg_t)
++')
+
+ optional_policy(`
+ seutil_sigchld_newrole(dmesg_t)
+diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
+index 407078f..1a09bea 100644
+--- a/policy/modules/admin/netutils.fc
++++ b/policy/modules/admin/netutils.fc
+@@ -1,15 +1,22 @@
+ /bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
+-/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
++/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+
+ /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
+
+ /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
++/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
++/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
++/usr/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+
+-/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0)
++/usr/lib/heartbeat/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
++
++/usr/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
++/usr/sbin/fping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
+ /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
++/usr/sbin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
+ /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
+diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
+index c6ca761..0c86bfd 100644
+--- a/policy/modules/admin/netutils.if
++++ b/policy/modules/admin/netutils.if
+@@ -42,6 +42,7 @@ interface(`netutils_run',`
+ ')
+
+ netutils_domtrans($1)
++ allow $1 netutils_t:process { signal sigkill };
+ role $2 types netutils_t;
+ ')
+
+@@ -161,6 +162,7 @@ interface(`netutils_run_ping',`
+
+ netutils_domtrans_ping($1)
+ role $2 types ping_t;
++ allow $1 ping_t:process { signal sigkill };
+ ')
+
+ ########################################
+@@ -183,13 +185,14 @@ interface(`netutils_run_ping',`
+ interface(`netutils_run_ping_cond',`
+ gen_require(`
+ type ping_t;
+- bool user_ping;
++ bool selinuxuser_ping;
+ ')
+
+ role $2 types ping_t;
+
+- if ( user_ping ) {
++ if ( selinuxuser_ping ) {
+ netutils_domtrans_ping($1)
++ allow $1 ping_t:process { signal sigkill };
+ }
+ ')
+
+@@ -254,6 +257,7 @@ interface(`netutils_run_traceroute',`
+ ')
+
+ netutils_domtrans_traceroute($1)
++ allow $1 traceroute_t:process { signal sigkill };
+ role $2 types traceroute_t;
+ ')
+
+@@ -277,13 +281,14 @@ interface(`netutils_run_traceroute',`
+ interface(`netutils_run_traceroute_cond',`
+ gen_require(`
+ type traceroute_t;
+- bool user_ping;
++ bool selinuxuser_ping;
+ ')
+
+ role $2 types traceroute_t;
+
+- if( user_ping ) {
++ if( selinuxuser_ping ) {
+ netutils_domtrans_traceroute($1)
++ allow $1 traceroute_t:process { signal sigkill };
+ }
+ ')
+
+diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
+index e0791b9..db9ddf7 100644
+--- a/policy/modules/admin/netutils.te
++++ b/policy/modules/admin/netutils.te
+@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.0)
+
+ ##
+ ##
+-## Control users use of ping and traceroute
++## Allow confined users the ability to execute the ping and traceroute commands.
+ ##
+ ##
+-gen_tunable(user_ping, false)
++gen_tunable(selinuxuser_ping, false)
+
+ type netutils_t;
+ type netutils_exec_t;
+@@ -35,12 +35,13 @@ init_system_domain(traceroute_t, traceroute_exec_t)
+ # Perform network administration operations and have raw access to the network.
+ allow netutils_t self:capability { net_admin net_raw setuid setgid };
+ dontaudit netutils_t self:capability sys_tty_config;
+-allow netutils_t self:process signal_perms;
++allow netutils_t self:process { setcap signal_perms };
+ allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
+ allow netutils_t self:packet_socket create_socket_perms;
+ allow netutils_t self:udp_socket create_socket_perms;
+ allow netutils_t self:tcp_socket create_stream_socket_perms;
+ allow netutils_t self:socket create_socket_perms;
++allow netutils_t self:netlink_socket create_socket_perms;
+
+ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+@@ -48,8 +49,9 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+
+ kernel_search_proc(netutils_t)
+ kernel_read_all_sysctls(netutils_t)
++kernel_read_network_state(netutils_t)
++kernel_request_load_module(netutils_t)
+
+-corenet_all_recvfrom_unlabeled(netutils_t)
+ corenet_all_recvfrom_netlabel(netutils_t)
+ corenet_tcp_sendrecv_generic_if(netutils_t)
+ corenet_raw_sendrecv_generic_if(netutils_t)
+@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
+ corenet_udp_bind_generic_node(netutils_t)
+
+ dev_read_sysfs(netutils_t)
++dev_read_usbmon_dev(netutils_t)
++dev_write_usbmon_dev(netutils_t)
++dev_rw_generic_usb_dev(netutils_t)
+
+ fs_getattr_xattr_fs(netutils_t)
+
+@@ -80,10 +85,9 @@ auth_use_nsswitch(netutils_t)
+
+ logging_send_syslog_msg(netutils_t)
+
+-miscfiles_read_localization(netutils_t)
+
+ term_dontaudit_use_console(netutils_t)
+-userdom_use_user_terminals(netutils_t)
++userdom_use_inherited_user_terminals(netutils_t)
+ userdom_use_all_users_fds(netutils_t)
+
+ optional_policy(`
+@@ -104,13 +108,14 @@ optional_policy(`
+ #
+
+ allow ping_t self:capability { setuid net_raw };
++allow ping_t self:process setcap;
++
+ dontaudit ping_t self:capability sys_tty_config;
+ allow ping_t self:tcp_socket create_socket_perms;
+-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+-allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
++allow ping_t self:rawip_socket create_socket_perms;
++allow ping_t self:packet_socket create_socket_perms;
+ allow ping_t self:netlink_route_socket create_netlink_socket_perms;
+
+-corenet_all_recvfrom_unlabeled(ping_t)
+ corenet_all_recvfrom_netlabel(ping_t)
+ corenet_tcp_sendrecv_generic_if(ping_t)
+ corenet_raw_sendrecv_generic_if(ping_t)
+@@ -120,6 +125,7 @@ corenet_raw_bind_generic_node(ping_t)
+ corenet_tcp_sendrecv_all_ports(ping_t)
+
+ fs_dontaudit_getattr_xattr_fs(ping_t)
++fs_dontaudit_rw_anon_inodefs_files(ping_t)
+
+ domain_use_interactive_fds(ping_t)
+
+@@ -130,11 +136,9 @@ kernel_read_system_state(ping_t)
+
+ auth_use_nsswitch(ping_t)
+
+-logging_send_syslog_msg(ping_t)
+-
+-miscfiles_read_localization(ping_t)
++init_rw_inherited_script_tmp_files(ping_t)
+
+-userdom_use_user_terminals(ping_t)
++logging_send_syslog_msg(ping_t)
+
+ ifdef(`hide_broken_symptoms',`
+ init_dontaudit_use_fds(ping_t)
+@@ -145,11 +149,25 @@ ifdef(`hide_broken_symptoms',`
+ ')
+ ')
+
++term_use_all_inherited_terms(ping_t)
++
++tunable_policy(`selinuxuser_ping',`
++ term_use_all_ttys(ping_t)
++ term_use_all_ptys(ping_t)
++',`
++ term_dontaudit_use_all_ttys(ping_t)
++ term_dontaudit_use_all_ptys(ping_t)
++')
++
+ optional_policy(`
+ munin_append_log(ping_t)
+ ')
+
+ optional_policy(`
++ nagios_rw_inerited_tmp_files(ping_t)
++')
++
++optional_policy(`
+ pcmcia_use_cardmgr_fds(ping_t)
+ ')
+
+@@ -157,6 +175,15 @@ optional_policy(`
+ hotplug_use_fds(ping_t)
+ ')
+
++optional_policy(`
++ openshift_rw_inherited_content(ping_t)
++ openshift_dontaudit_rw_inherited_fifo_files(ping_t)
++')
++
++optional_policy(`
++ zabbix_read_tmp(ping_t)
++')
++
+ ########################################
+ #
+ # Traceroute local policy
+@@ -170,7 +197,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+ kernel_read_system_state(traceroute_t)
+ kernel_read_network_state(traceroute_t)
+
+-corenet_all_recvfrom_unlabeled(traceroute_t)
+ corenet_all_recvfrom_netlabel(traceroute_t)
+ corenet_tcp_sendrecv_generic_if(traceroute_t)
+ corenet_udp_sendrecv_generic_if(traceroute_t)
+@@ -194,6 +220,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+ domain_use_interactive_fds(traceroute_t)
+
+ files_read_etc_files(traceroute_t)
++files_read_usr_files(traceroute_t)
+ files_dontaudit_search_var(traceroute_t)
+
+ init_use_fds(traceroute_t)
+@@ -202,11 +229,17 @@ auth_use_nsswitch(traceroute_t)
+
+ logging_send_syslog_msg(traceroute_t)
+
+-miscfiles_read_localization(traceroute_t)
+-
+-userdom_use_user_terminals(traceroute_t)
+
+ #rules needed for nmap
+ dev_read_rand(traceroute_t)
+ dev_read_urand(traceroute_t)
+-files_read_usr_files(traceroute_t)
++
++term_use_all_inherited_terms(traceroute_t)
++
++tunable_policy(`selinuxuser_ping',`
++ term_use_all_ttys(traceroute_t)
++ term_use_all_ptys(traceroute_t)
++',`
++ term_dontaudit_use_all_ttys(traceroute_t)
++ term_dontaudit_use_all_ptys(traceroute_t)
++')
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index 688abc2..3d89250 100644
+--- a/policy/modules/admin/su.fc
++++ b/policy/modules/admin/su.fc
+@@ -3,3 +3,4 @@
+
+ /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
+diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
+index 03ec5ca..bfc85a0 100644
+--- a/policy/modules/admin/su.if
++++ b/policy/modules/admin/su.if
+@@ -89,7 +89,6 @@ template(`su_restricted_domain_template', `
+
+ logging_send_syslog_msg($1_su_t)
+
+- miscfiles_read_localization($1_su_t)
+
+ ifdef(`distro_redhat',`
+ # RHEL5 and possibly newer releases incl. Fedora
+@@ -119,11 +118,6 @@ template(`su_restricted_domain_template', `
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ ')
+
+- ifdef(`hide_broken_symptoms',`
+- # dontaudit leaked sockets from parent
+- dontaudit $1_su_t $2:socket_class_set { read write };
+- ')
+-
+ optional_policy(`
+ cron_read_pipes($1_su_t)
+ ')
+@@ -208,7 +202,7 @@ template(`su_role_template',`
+
+ auth_domtrans_chk_passwd($1_su_t)
+ auth_dontaudit_read_shadow($1_su_t)
+- auth_use_nsswitch($1_su_t)
++ auth_use_pam($1_su_t)
+ auth_rw_faillog($1_su_t)
+
+ corecmd_search_bin($1_su_t)
+@@ -228,10 +222,10 @@ template(`su_role_template',`
+
+ logging_send_syslog_msg($1_su_t)
+
+- miscfiles_read_localization($1_su_t)
+
+ userdom_use_user_terminals($1_su_t)
+ userdom_search_user_home_dirs($1_su_t)
++ userdom_search_admin_dir($1_su_t)
+
+ ifdef(`distro_redhat',`
+ # RHEL5 and possibly newer releases incl. Fedora
+@@ -277,12 +271,7 @@ template(`su_role_template',`
+ ')
+ ')
+
+- ifdef(`hide_broken_symptoms',`
+- # dontaudit leaked sockets from parent
+- dontaudit $1_su_t $3:socket_class_set { read write };
+- ')
+-
+- tunable_policy(`allow_polyinstantiation',`
++ tunable_policy(`polyinstantiation_enabled',`
+ fs_mount_xattr_fs($1_su_t)
+ fs_unmount_xattr_fs($1_su_t)
+ ')
+diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
+index 7bddc02..2b59ed0 100644
+--- a/policy/modules/admin/sudo.fc
++++ b/policy/modules/admin/sudo.fc
+@@ -1,2 +1,4 @@
+
+ /usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0)
++
++/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index 0960199..aa51ab2 100644
+--- a/policy/modules/admin/sudo.if
++++ b/policy/modules/admin/sudo.if
+@@ -32,6 +32,7 @@ template(`sudo_role_template',`
+
+ gen_require(`
+ type sudo_exec_t;
++ type sudo_db_t;
+ attribute sudodomain;
+ ')
+
+@@ -45,27 +46,13 @@ template(`sudo_role_template',`
+ domain_interactive_fd($1_sudo_t)
+ domain_role_change_exemption($1_sudo_t)
+ role $2 types $1_sudo_t;
++ userdom_home_manager($1_sudo_t)
+
+- ##############################
+- #
+- # Local Policy
+- #
++ type $1_sudo_tmp_t;
++ files_tmp_file($1_sudo_tmp_t)
+
+- # Use capabilities.
+- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+- allow $1_sudo_t self:process { setexec setrlimit };
+- allow $1_sudo_t self:fd use;
+- allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
+- allow $1_sudo_t self:shm create_shm_perms;
+- allow $1_sudo_t self:sem create_sem_perms;
+- allow $1_sudo_t self:msgq create_msgq_perms;
+- allow $1_sudo_t self:msg { send receive };
+- allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
+- allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+- allow $1_sudo_t self:unix_dgram_socket sendto;
+- allow $1_sudo_t self:unix_stream_socket connectto;
+- allow $1_sudo_t self:key manage_key_perms;
++ allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
++ files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
+
+ allow $1_sudo_t $3:key search;
+
+@@ -75,88 +62,30 @@ template(`sudo_role_template',`
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_sudo_t, $3)
+ corecmd_bin_domtrans($1_sudo_t, $3)
++ userdom_domtrans_user_home($1_sudo_t, $3)
++ userdom_domtrans_user_tmp($1_sudo_t, $3)
++ domain_entry_file($3, sudo_exec_t)
++ domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3)
++
+ allow $3 $1_sudo_t:fd use;
+ allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
+ allow $3 $1_sudo_t:process signal_perms;
+
+- kernel_read_kernel_sysctls($1_sudo_t)
+ kernel_read_system_state($1_sudo_t)
+- kernel_link_key($1_sudo_t)
+-
+- corecmd_read_bin_symlinks($1_sudo_t)
+- corecmd_exec_all_executables($1_sudo_t)
+-
+- dev_getattr_fs($1_sudo_t)
+- dev_read_urand($1_sudo_t)
+- dev_rw_generic_usb_dev($1_sudo_t)
+- dev_read_sysfs($1_sudo_t)
+-
+- domain_use_interactive_fds($1_sudo_t)
+- domain_sigchld_interactive_fds($1_sudo_t)
+- domain_getattr_all_entry_files($1_sudo_t)
+-
+- files_read_etc_files($1_sudo_t)
+- files_read_var_files($1_sudo_t)
+- files_read_usr_symlinks($1_sudo_t)
+- files_getattr_usr_files($1_sudo_t)
+- # for some PAM modules and for cwd
+- files_dontaudit_search_home($1_sudo_t)
+- files_list_tmp($1_sudo_t)
+-
+- fs_search_auto_mountpoints($1_sudo_t)
+- fs_getattr_xattr_fs($1_sudo_t)
+-
+- selinux_validate_context($1_sudo_t)
+- selinux_compute_relabel_context($1_sudo_t)
+-
+- term_getattr_pty_fs($1_sudo_t)
+- term_relabel_all_ttys($1_sudo_t)
+- term_relabel_all_ptys($1_sudo_t)
++ seutil_libselinux_linked($1_sudo_t)
+
+ auth_run_chk_passwd($1_sudo_t, $2)
+- # sudo stores a token in the pam_pid directory
+- auth_manage_pam_pid($1_sudo_t)
+ auth_use_nsswitch($1_sudo_t)
+
+- init_rw_utmp($1_sudo_t)
+-
+- logging_send_audit_msgs($1_sudo_t)
+ logging_send_syslog_msg($1_sudo_t)
+
+- miscfiles_read_localization($1_sudo_t)
+-
+- seutil_search_default_contexts($1_sudo_t)
+- seutil_libselinux_linked($1_sudo_t)
+-
+- userdom_spec_domtrans_all_users($1_sudo_t)
+- userdom_create_all_users_keys($1_sudo_t)
+- userdom_manage_user_home_content_files($1_sudo_t)
+- userdom_manage_user_home_content_symlinks($1_sudo_t)
+- userdom_manage_user_tmp_files($1_sudo_t)
+- userdom_manage_user_tmp_symlinks($1_sudo_t)
+- userdom_use_user_terminals($1_sudo_t)
+- # for some PAM modules and for cwd
+- userdom_dontaudit_search_user_home_content($1_sudo_t)
+- userdom_dontaudit_search_user_home_dirs($1_sudo_t)
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit $1_sudo_t $3:socket_class_set { read write };
+- ')
+-
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files($1_sudo_t)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files($1_sudo_t)
+- ')
+-
+ optional_policy(`
+- dbus_system_bus_client($1_sudo_t)
++ mta_role($2, $1_sudo_t)
+ ')
+
+ optional_policy(`
+- fprintd_dbus_chat($1_sudo_t)
++ kerberos_manage_host_rcache($1_sudo_t)
++ kerberos_read_config($1_sudo_t)
+ ')
+
+ ')
+@@ -178,3 +107,22 @@ interface(`sudo_sigchld',`
+
+ allow $1 sudodomain:process sigchld;
+ ')
++
++#######################################
++##
++## Allow execute sudo in called domain.
++## This interfaces is added for nova-stack policy.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sudo_exec',`
++ gen_require(`
++ type sudo_exec_t;
++ ')
++
++ can_exec($1, sudo_exec_t)
++')
+diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
+index d9fce57..8ae7673 100644
+--- a/policy/modules/admin/sudo.te
++++ b/policy/modules/admin/sudo.te
+@@ -7,3 +7,100 @@ attribute sudodomain;
+
+ type sudo_exec_t;
+ application_executable_file(sudo_exec_t)
++
++type sudo_db_t;
++files_type(sudo_db_t)
++mls_trusted_object(sudo_db_t)
++
++manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t)
++manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t)
++
++##############################
++#
++# Local Policy
++#
++
++# Use capabilities.
++allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
++allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow sudodomain self:process { setexec setrlimit };
++allow sudodomain self:fd use;
++allow sudodomain self:fifo_file rw_fifo_file_perms;
++allow sudodomain self:shm create_shm_perms;
++allow sudodomain self:sem create_sem_perms;
++allow sudodomain self:msgq create_msgq_perms;
++allow sudodomain self:msg { send receive };
++allow sudodomain self:unix_dgram_socket create_socket_perms;
++allow sudodomain self:unix_stream_socket create_stream_socket_perms;
++allow sudodomain self:unix_dgram_socket sendto;
++allow sudodomain self:unix_stream_socket connectto;
++allow sudodomain self:key manage_key_perms;
++
++kernel_read_kernel_sysctls(sudodomain)
++kernel_link_key(sudodomain)
++
++corecmd_read_bin_symlinks(sudodomain)
++corecmd_exec_all_executables(sudodomain)
++
++dev_getattr_fs(sudodomain)
++dev_read_urand(sudodomain)
++dev_rw_generic_usb_dev(sudodomain)
++dev_read_sysfs(sudodomain)
++dev_dontaudit_getattr_all(sudodomain)
++
++domain_use_interactive_fds(sudodomain)
++domain_sigchld_interactive_fds(sudodomain)
++domain_getattr_all_entry_files(sudodomain)
++
++files_read_etc_files(sudodomain)
++files_read_var_files(sudodomain)
++files_read_usr_files(sudodomain)
++# for some PAM modules and for cwd
++files_dontaudit_search_home(sudodomain)
++files_list_tmp(sudodomain)
++
++fs_search_auto_mountpoints(sudodomain)
++fs_getattr_all_fs(sudodomain)
++
++selinux_validate_context(sudodomain)
++selinux_compute_relabel_context(sudodomain)
++
++term_getattr_pty_fs(sudodomain)
++term_relabel_all_ttys(sudodomain)
++term_relabel_all_ptys(sudodomain)
++term_getattr_pty_fs(sudodomain)
++
++#auth_run_chk_passwd(sudodomain)
++# sudo stores a token in the pam_pid directory
++auth_manage_pam_pid(sudodomain)
++#auth_use_nsswitch(sudodomain)
++
++application_signal(sudodomain)
++
++init_rw_utmp(sudodomain)
++
++logging_send_audit_msgs(sudodomain)
++logging_set_audit_parameters(sudodomain)
++
++seutil_read_default_contexts(sudodomain)
++
++userdom_spec_domtrans_all_users(sudodomain)
++userdom_manage_user_home_content_files(sudodomain)
++userdom_manage_user_home_content_symlinks(sudodomain)
++userdom_manage_user_tmp_files(sudodomain)
++userdom_manage_user_tmp_symlinks(sudodomain)
++userdom_use_user_terminals(sudodomain)
++userdom_signal_all_users(sudodomain)
++userdom_exec_user_home_content_files(sudodomain)
++# for some PAM modules and for cwd
++userdom_search_user_home_content(sudodomain)
++userdom_search_admin_dir(sudodomain)
++userdom_manage_all_users_keys(sudodomain)
++
++optional_policy(`
++ dbus_system_bus_client(sudodomain)
++')
++
++optional_policy(`
++ fprintd_dbus_chat(sudodomain)
++')
+diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
+index f82f0ce..204bdc8 100644
+--- a/policy/modules/admin/usermanage.fc
++++ b/policy/modules/admin/usermanage.fc
+@@ -20,6 +20,7 @@ ifdef(`distro_gentoo',`
+ /usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+ /usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/usr/sbin/newusers -- gen_context(system_u:object_r:useradd_exec_t,s0)
+ /usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
+diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
+index 98b8b2d..41f4994 100644
+--- a/policy/modules/admin/usermanage.if
++++ b/policy/modules/admin/usermanage.if
+@@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chfn_exec_t, chfn_t)
+-
+- ifdef(`hide_broken_symptoms',`
+- dontaudit chfn_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
+@@ -41,11 +37,16 @@ interface(`usermanage_domtrans_chfn',`
+ #
+ interface(`usermanage_run_chfn',`
+ gen_require(`
+- attribute_role chfn_roles;
++ #attribute_role chfn_roles;
++ type chfn_t;
+ ')
+
++ #usermanage_domtrans_chfn($1)
++ #roleattribute $2 chfn_roles;
++
+ usermanage_domtrans_chfn($1)
+- roleattribute $2 chfn_roles;
++ role $2 types chfn_t;
++
+ ')
+
+ ########################################
+@@ -65,10 +66,25 @@ interface(`usermanage_domtrans_groupadd',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, groupadd_exec_t, groupadd_t)
++')
+
+- ifdef(`hide_broken_symptoms',`
+- dontaudit groupadd_t $1:socket_class_set { read write };
++########################################
++##
++## Check access to the groupadd executable.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`usermanage_access_check_groupadd',`
++ gen_require(`
++ type groupadd_exec_t;
+ ')
++
++ corecmd_search_bin($1)
++ allow $1 groupadd_exec_t:file { getattr_file_perms execute };
+ ')
+
+ ########################################
+@@ -90,11 +106,19 @@ interface(`usermanage_domtrans_groupadd',`
+ #
+ interface(`usermanage_run_groupadd',`
+ gen_require(`
+- attribute_role groupadd_roles;
++ type groupadd_t;
++ #attribute_role groupadd_roles;
+ ')
+
++ #usermanage_domtrans_groupadd($1)
++ #roleattribute $2 groupadd_roles;
+ usermanage_domtrans_groupadd($1)
+- roleattribute $2 groupadd_roles;
++ role $2 types groupadd_t;
++
++ optional_policy(`
++ nscd_run(groupadd_t, $2)
++ ')
++
+ ')
+
+ ########################################
+@@ -114,10 +138,6 @@ interface(`usermanage_domtrans_passwd',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, passwd_exec_t, passwd_t)
+-
+- ifdef(`hide_broken_symptoms',`
+- dontaudit passwd_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
+@@ -156,11 +176,35 @@ interface(`usermanage_kill_passwd',`
+ #
+ interface(`usermanage_run_passwd',`
+ gen_require(`
+- attribute_role passwd_roles;
++ type passwd_t;
++ #attribute_role passwd_roles;
+ ')
+
++ #usermanage_domtrans_passwd($1)
++ #roleattribute $2 passwd_roles;
++
+ usermanage_domtrans_passwd($1)
+- roleattribute $2 passwd_roles;
++ role $2 types passwd_t;
++ auth_run_chk_passwd(passwd_t, $2)
++')
++
++########################################
++##
++## Check access to the passwd executable
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`usermanage_access_check_passwd',`
++ gen_require(`
++ type passwd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 passwd_exec_t:file { getattr_file_perms execute };
+ ')
+
+ ########################################
+@@ -203,11 +247,20 @@ interface(`usermanage_domtrans_admin_passwd',`
+ #
+ interface(`usermanage_run_admin_passwd',`
+ gen_require(`
+- attribute_role sysadm_passwd_roles;
++ type sysadm_passwd_t;
++ #attribute_role sysadm_passwd_roles;
+ ')
+
++ #usermanage_domtrans_admin_passwd($1)
++ #roleattribute $2 sysadm_passwd_roles;
++
+ usermanage_domtrans_admin_passwd($1)
+- roleattribute $2 sysadm_passwd_roles;
++ role $2 types sysadm_passwd_t;
++
++ optional_policy(`
++ nscd_run(sysadm_passwd_t, $2)
++ ')
++
+ ')
+
+ ########################################
+@@ -245,10 +298,6 @@ interface(`usermanage_domtrans_useradd',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, useradd_exec_t, useradd_t)
+-
+- ifdef(`hide_broken_symptoms',`
+- dontaudit useradd_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
+@@ -270,11 +319,38 @@ interface(`usermanage_domtrans_useradd',`
+ #
+ interface(`usermanage_run_useradd',`
+ gen_require(`
+- attribute_role useradd_roles;
++ #attribute_role useradd_roles;
++ type useradd_t;
+ ')
+
++ #usermanage_domtrans_useradd($1)
++ #roleattribute $2 useradd_roles;
++
+ usermanage_domtrans_useradd($1)
+- roleattribute $2 useradd_roles;
++ role $2 types useradd_t;
++
++ optional_policy(`
++ nscd_run(useradd_t, $2)
++ ')
++')
++
++########################################
++##
++## Check access to the useradd executable.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`usermanage_access_check_useradd',`
++ gen_require(`
++ type useradd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 useradd_exec_t:file { getattr_file_perms execute };
+ ')
+
+ ########################################
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 673180c..82cfc6e 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.0)
+ # Declarations
+ #
+
+-attribute_role chfn_roles;
+-role system_r types chfn_t;
++#attribute_role chfn_roles;
++#role system_r types chfn_t;
+
+-attribute_role groupadd_roles;
++#attribute_role groupadd_roles;
+
+-attribute_role passwd_roles;
+-roleattribute system_r passwd_roles;
++#attribute_role passwd_roles;
++#roleattribute system_r passwd_roles;
+
+-attribute_role sysadm_passwd_roles;
+-roleattribute system_r sysadm_passwd_roles;
++#attribute_role sysadm_passwd_roles;
++#roleattribute system_r sysadm_passwd_roles;
+
+-attribute_role useradd_roles;
++#attribute_role useradd_roles;
+
+ type admin_passwd_exec_t;
+ files_type(admin_passwd_exec_t)
+@@ -25,7 +25,8 @@ type chfn_t;
+ type chfn_exec_t;
+ domain_obj_id_change_exemption(chfn_t)
+ application_domain(chfn_t, chfn_exec_t)
+-role chfn_roles types chfn_t;
++#role chfn_roles types chfn_t;
++role system_r types chfn_t;
+
+ type crack_t;
+ type crack_exec_t;
+@@ -42,18 +43,21 @@ type groupadd_t;
+ type groupadd_exec_t;
+ domain_obj_id_change_exemption(groupadd_t)
+ init_system_domain(groupadd_t, groupadd_exec_t)
+-role groupadd_roles types groupadd_t;
++#role groupadd_roles types groupadd_t;
++
+
+ type passwd_t;
+ type passwd_exec_t;
+ domain_obj_id_change_exemption(passwd_t)
+ application_domain(passwd_t, passwd_exec_t)
+-role passwd_roles types passwd_t;
++#role passwd_roles types passwd_t;
++role system_r types passwd_t;
+
+ type sysadm_passwd_t;
+ domain_obj_id_change_exemption(sysadm_passwd_t)
+ application_domain(sysadm_passwd_t, admin_passwd_exec_t)
+-role sysadm_passwd_roles types sysadm_passwd_t;
++#role sysadm_passwd_roles types sysadm_passwd_t;
++role system_r types sysadm_passwd_t;
+
+ type sysadm_passwd_tmp_t;
+ files_tmp_file(sysadm_passwd_tmp_t)
+@@ -61,8 +65,10 @@ files_tmp_file(sysadm_passwd_tmp_t)
+ type useradd_t;
+ type useradd_exec_t;
+ domain_obj_id_change_exemption(useradd_t)
++domain_system_change_exemption(useradd_t)
+ init_system_domain(useradd_t, useradd_exec_t)
+-role useradd_roles types useradd_t;
++#role useradd_roles types useradd_t;
++role system_r types useradd_t;
+
+ ########################################
+ #
+@@ -86,6 +92,7 @@ allow chfn_t self:unix_stream_socket connectto;
+
+ kernel_read_system_state(chfn_t)
+ kernel_read_kernel_sysctls(chfn_t)
++kernel_dontaudit_getattr_core_if(chfn_t)
+
+ selinux_get_fs_mount(chfn_t)
+ selinux_validate_context(chfn_t)
+@@ -94,25 +101,29 @@ selinux_compute_create_context(chfn_t)
+ selinux_compute_relabel_context(chfn_t)
+ selinux_compute_user_contexts(chfn_t)
+
+-term_use_all_ttys(chfn_t)
+-term_use_all_ptys(chfn_t)
++term_use_all_inherited_ttys(chfn_t)
++term_use_all_inherited_ptys(chfn_t)
++term_getattr_all_ptys(chfn_t)
+
+ fs_getattr_xattr_fs(chfn_t)
+ fs_search_auto_mountpoints(chfn_t)
+
+ # for SSP
+ dev_read_urand(chfn_t)
++dev_dontaudit_getattr_all(chfn_t)
+
+-auth_run_chk_passwd(chfn_t, chfn_roles)
+-auth_dontaudit_read_shadow(chfn_t)
+-auth_use_nsswitch(chfn_t)
++auth_manage_passwd(chfn_t)
++auth_use_pam(chfn_t)
++#auth_run_chk_passwd(chfn_t, chfn_roles)
++#auth_dontaudit_read_shadow(chfn_t)
++#auth_use_nsswitch(chfn_t)
+
+ # allow checking if a shell is executable
+ corecmd_check_exec_shell(chfn_t)
++corecmd_exec_bin(chfn_t)
+
+ domain_use_interactive_fds(chfn_t)
+
+-files_manage_etc_files(chfn_t)
+ files_read_etc_runtime_files(chfn_t)
+ files_dontaudit_search_var(chfn_t)
+ files_dontaudit_search_home(chfn_t)
+@@ -120,19 +131,29 @@ files_dontaudit_search_home(chfn_t)
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it. Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(chfn_t)
++init_dontaudit_getattr_initctl(chfn_t)
+
+-miscfiles_read_localization(chfn_t)
+
+ logging_send_syslog_msg(chfn_t)
+
+-# uses unix_chkpwd for checking passwords
+-seutil_dontaudit_search_config(chfn_t)
++userdom_manage_user_tmp_files(chfn_t)
++userdom_tmp_filetrans_user_tmp(chfn_t, { file })
+
+ userdom_use_unpriv_users_fds(chfn_t)
+ # user generally runs this from their home directory, so do not audit a search
+ # on user home dir
+ userdom_dontaudit_search_user_home_content(chfn_t)
+
++optional_policy(`
++ rssh_exec(chfn_t)
++')
++
++
++optional_policy(`
++ # allow to exec tmux
++ screen_exec(chfn_t)
++')
++
+ ########################################
+ #
+ # Crack local policy
+@@ -209,8 +230,8 @@ selinux_compute_create_context(groupadd_t)
+ selinux_compute_relabel_context(groupadd_t)
+ selinux_compute_user_contexts(groupadd_t)
+
+-term_use_all_ttys(groupadd_t)
+-term_use_all_ptys(groupadd_t)
++term_use_all_inherited_terms(groupadd_t)
++term_getattr_all_ptys(groupadd_t)
+
+ init_use_fds(groupadd_t)
+ init_read_utmp(groupadd_t)
+@@ -218,8 +239,8 @@ init_dontaudit_write_utmp(groupadd_t)
+
+ domain_use_interactive_fds(groupadd_t)
+
+-files_manage_etc_files(groupadd_t)
+ files_relabel_etc_files(groupadd_t)
++files_read_etc_files(groupadd_t)
+ files_read_etc_runtime_files(groupadd_t)
+ files_read_usr_symlinks(groupadd_t)
+
+@@ -229,14 +250,15 @@ corecmd_exec_bin(groupadd_t)
+ logging_send_audit_msgs(groupadd_t)
+ logging_send_syslog_msg(groupadd_t)
+
+-miscfiles_read_localization(groupadd_t)
+
+-auth_run_chk_passwd(groupadd_t, groupadd_roles)
++#auth_run_chk_passwd(groupadd_t, groupadd_roles)
++auth_domtrans_chk_passwd(groupadd_t)
+ auth_rw_lastlog(groupadd_t)
+ auth_use_nsswitch(groupadd_t)
++auth_manage_passwd(groupadd_t)
++auth_manage_shadow(groupadd_t)
+ # these may be unnecessary due to the above
+ # domtrans_chk_passwd() call.
+-auth_manage_shadow(groupadd_t)
+ auth_relabel_shadow(groupadd_t)
+ auth_etc_filetrans_shadow(groupadd_t)
+
+@@ -253,7 +275,8 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_run(groupadd_t, groupadd_roles)
++# nscd_run(groupadd_t, groupadd_roles)
++ nscd_domtrans(groupadd_t)
+ ')
+
+ optional_policy(`
+@@ -285,6 +308,7 @@ allow passwd_t self:shm create_shm_perms;
+ allow passwd_t self:sem create_sem_perms;
+ allow passwd_t self:msgq create_msgq_perms;
+ allow passwd_t self:msg { send receive };
++allow passwd_t self:netlink_selinux_socket create_socket_perms;
+
+ allow passwd_t crack_db_t:dir list_dir_perms;
+ read_files_pattern(passwd_t, crack_db_t, crack_db_t)
+@@ -293,6 +317,7 @@ kernel_read_kernel_sysctls(passwd_t)
+
+ # for SSP
+ dev_read_urand(passwd_t)
++dev_dontaudit_getattr_all(passwd_t)
+
+ fs_getattr_xattr_fs(passwd_t)
+ fs_search_auto_mountpoints(passwd_t)
+@@ -307,26 +332,38 @@ selinux_compute_create_context(passwd_t)
+ selinux_compute_relabel_context(passwd_t)
+ selinux_compute_user_contexts(passwd_t)
+
+-term_use_all_ttys(passwd_t)
+-term_use_all_ptys(passwd_t)
++term_use_all_inherited_terms(passwd_t)
++term_getattr_all_ptys(passwd_t)
+
+-auth_run_chk_passwd(passwd_t, passwd_roles)
++auth_manage_passwd(passwd_t)
+ auth_manage_shadow(passwd_t)
+ auth_relabel_shadow(passwd_t)
+ auth_etc_filetrans_shadow(passwd_t)
+-auth_use_nsswitch(passwd_t)
++auth_use_pam(passwd_t)
++
++#auth_run_chk_passwd(passwd_t, passwd_roles)
++#auth_manage_passwd(passwd_t)
++#auth_manage_shadow(passwd_t)
++#auth_relabel_shadow(passwd_t)
++#auth_etc_filetrans_shadow(passwd_t)
++#auth_use_nsswitch(passwd_t)
+
+ # allow checking if a shell is executable
+ corecmd_check_exec_shell(passwd_t)
++corecmd_exec_bin(passwd_t)
++
++corenet_tcp_connect_kerberos_password_port(passwd_t)
+
+ domain_use_interactive_fds(passwd_t)
+
+ files_read_etc_runtime_files(passwd_t)
+-files_manage_etc_files(passwd_t)
++files_read_usr_files(passwd_t)
+ files_search_var(passwd_t)
+ files_dontaudit_search_pids(passwd_t)
+ files_relabel_etc_files(passwd_t)
+
++term_search_ptys(passwd_t)
++
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it. Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(passwd_t)
+@@ -335,12 +372,11 @@ init_use_fds(passwd_t)
+ logging_send_audit_msgs(passwd_t)
+ logging_send_syslog_msg(passwd_t)
+
+-miscfiles_read_localization(passwd_t)
+
+ seutil_read_config(passwd_t)
+ seutil_read_file_contexts(passwd_t)
+
+-userdom_use_user_terminals(passwd_t)
++userdom_use_inherited_user_terminals(passwd_t)
+ userdom_use_unpriv_users_fds(passwd_t)
+ # make sure that getcon succeeds
+ userdom_getattr_all_users(passwd_t)
+@@ -349,9 +385,15 @@ userdom_read_user_tmp_files(passwd_t)
+ # user generally runs this from their home directory, so do not audit a search
+ # on user home dir
+ userdom_dontaudit_search_user_home_content(passwd_t)
++userdom_stream_connect(passwd_t)
++
++optional_policy(`
++ gnome_exec_keyringd(passwd_t)
++')
+
+ optional_policy(`
+- nscd_run(passwd_t, passwd_roles)
++ #nscd_run(passwd_t, passwd_roles)
++ nscd_domtrans(passwd_t)
+ ')
+
+ ########################################
+@@ -398,9 +440,10 @@ dev_read_urand(sysadm_passwd_t)
+ fs_getattr_xattr_fs(sysadm_passwd_t)
+ fs_search_auto_mountpoints(sysadm_passwd_t)
+
+-term_use_all_ttys(sysadm_passwd_t)
+-term_use_all_ptys(sysadm_passwd_t)
++term_use_all_inherited_terms(sysadm_passwd_t)
++term_getattr_all_ptys(sysadm_passwd_t)
+
++auth_manage_passwd(sysadm_passwd_t)
+ auth_manage_shadow(sysadm_passwd_t)
+ auth_relabel_shadow(sysadm_passwd_t)
+ auth_etc_filetrans_shadow(sysadm_passwd_t)
+@@ -413,7 +456,6 @@ files_read_usr_files(sysadm_passwd_t)
+
+ domain_use_interactive_fds(sysadm_passwd_t)
+
+-files_manage_etc_files(sysadm_passwd_t)
+ files_relabel_etc_files(sysadm_passwd_t)
+ files_read_etc_runtime_files(sysadm_passwd_t)
+ # for nscd lookups
+@@ -423,19 +465,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+ # correctly without it. Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(sysadm_passwd_t)
+
+-miscfiles_read_localization(sysadm_passwd_t)
+
+ logging_send_syslog_msg(sysadm_passwd_t)
+
+-seutil_dontaudit_search_config(sysadm_passwd_t)
+-
+ userdom_use_unpriv_users_fds(sysadm_passwd_t)
+ # user generally runs this from their home directory, so do not audit a search
+ # on user home dir
+ userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
+
+ optional_policy(`
+- nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
++ nscd_domtrans(sysadm_passwd_t)
++ #nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
+ ')
+
+ ########################################
+@@ -443,7 +483,8 @@ optional_policy(`
+ # Useradd local policy
+ #
+
+-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
++allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource };
++
+ dontaudit useradd_t self:capability sys_tty_config;
+ allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow useradd_t self:process setfscreate;
+@@ -465,36 +506,35 @@ corecmd_exec_shell(useradd_t)
+ # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
+ corecmd_exec_bin(useradd_t)
+
++kernel_getattr_core_if(useradd_t)
++dev_dontaudit_getattr_all(useradd_t)
++
+ domain_use_interactive_fds(useradd_t)
+ domain_read_all_domains_state(useradd_t)
++domain_dontaudit_read_all_domains_state(useradd_t)
+
+-files_manage_etc_files(useradd_t)
+ files_search_var_lib(useradd_t)
+ files_relabel_etc_files(useradd_t)
+ files_read_etc_runtime_files(useradd_t)
++files_manage_etc_files(useradd_t)
+
+ fs_search_auto_mountpoints(useradd_t)
+ fs_getattr_xattr_fs(useradd_t)
+
+ mls_file_upgrade(useradd_t)
++mls_process_read_to_clearance(useradd_t)
+
+-# Allow access to context for shadow file
+-selinux_get_fs_mount(useradd_t)
+-selinux_validate_context(useradd_t)
+-selinux_compute_access_vector(useradd_t)
+-selinux_compute_create_context(useradd_t)
+-selinux_compute_relabel_context(useradd_t)
+-selinux_compute_user_contexts(useradd_t)
+-
+-term_use_all_ttys(useradd_t)
+-term_use_all_ptys(useradd_t)
++term_use_all_inherited_terms(useradd_t)
++term_getattr_all_ptys(useradd_t)
+
+-auth_run_chk_passwd(useradd_t, useradd_roles)
++#auth_run_chk_passwd(useradd_t, useradd_roles)
++auth_domtrans_chk_passwd(useradd_t)
+ auth_rw_lastlog(useradd_t)
+ auth_rw_faillog(useradd_t)
+ auth_use_nsswitch(useradd_t)
+ # these may be unnecessary due to the above
+ # domtrans_chk_passwd() call.
++auth_manage_passwd(useradd_t)
+ auth_manage_shadow(useradd_t)
+ auth_relabel_shadow(useradd_t)
+ auth_etc_filetrans_shadow(useradd_t)
+@@ -505,33 +545,36 @@ init_rw_utmp(useradd_t)
+ logging_send_audit_msgs(useradd_t)
+ logging_send_syslog_msg(useradd_t)
+
+-miscfiles_read_localization(useradd_t)
++
++seutil_semanage_policy(useradd_t)
++seutil_manage_file_contexts(useradd_t)
++seutil_manage_config(useradd_t)
++seutil_manage_login_config(useradd_t)
++seutil_manage_default_contexts(useradd_t)
+
+ seutil_read_config(useradd_t)
+ seutil_read_file_contexts(useradd_t)
+ seutil_read_default_contexts(useradd_t)
+-seutil_run_semanage(useradd_t, useradd_roles)
+-seutil_run_setfiles(useradd_t, useradd_roles)
++seutil_domtrans_semanage(useradd_t)
++seutil_domtrans_setfiles(useradd_t)
++seutil_domtrans_loadpolicy(useradd_t)
++#seutil_manage_bin_policy(useradd_t)
++#seutil_manage_module_store(useradd_t)
++seutil_get_semanage_trans_lock(useradd_t)
++seutil_get_semanage_read_lock(useradd_t)
++#seutil_run_semanage(useradd_t, useradd_roles)
++#seutil_run_setfiles(useradd_t, useradd_roles)
+
+ userdom_use_unpriv_users_fds(useradd_t)
+ # Add/remove user home directories
+-userdom_manage_user_home_dirs(useradd_t)
+-userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_manage_user_home_content_dirs(useradd_t)
+-userdom_manage_user_home_content_files(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
++userdom_manage_home_role(system_r, useradd_t)
++userdom_delete_all_user_home_content(useradd_t)
+
+ optional_policy(`
+ mta_manage_spool(useradd_t)
+ ')
+
+-ifdef(`distro_redhat',`
+- optional_policy(`
+- unconfined_domain(useradd_t)
+- ')
+-')
+-
+ optional_policy(`
+ apache_manage_all_user_content(useradd_t)
+ ')
+@@ -542,7 +585,8 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_run(useradd_t, useradd_roles)
++ nscd_domtrans(useradd_t)
++# nscd_run(useradd_t, useradd_roles)
+ ')
+
+ optional_policy(`
+@@ -550,6 +594,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rpc_list_nfs_state_data(useradd_t)
++ rpc_read_nfs_state_data(useradd_t)
++')
++
++optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(useradd_t)
+ ')
+@@ -559,3 +608,7 @@ optional_policy(`
+ rpm_use_fds(useradd_t)
+ rpm_rw_pipes(useradd_t)
+ ')
++
++optional_policy(`
++ stapserver_manage_lib(useradd_t)
++')
+diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
+index 1dc7a85..dcc6337 100644
+--- a/policy/modules/apps/seunshare.if
++++ b/policy/modules/apps/seunshare.if
+@@ -43,18 +43,18 @@ interface(`seunshare_run',`
+ role $2 types seunshare_t;
+
+ allow $1 seunshare_t:process signal_perms;
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
+- dontaudit seunshare_t $1:udp_socket rw_socket_perms;
+- dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
+- ')
+ ')
+
+ ########################################
+ ##
+-## Role access for seunshare
++## The role template for the seunshare module.
+ ##
++##
++##
++## The prefix of the user role (e.g., user
++## is the prefix for user_r).
++##
++##
+ ##
+ ##
+ ## Role allowed access.
+@@ -66,15 +66,43 @@ interface(`seunshare_run',`
+ ##
+ ##
+ #
+-interface(`seunshare_role',`
++interface(`seunshare_role_template',`
+ gen_require(`
+- type seunshare_t;
++ attribute seunshare_domain;
++ type seunshare_exec_t;
+ ')
+
+- role $2 types seunshare_t;
++ type $1_seunshare_t, seunshare_domain;
++ application_domain($1_seunshare_t, seunshare_exec_t)
++ role $2 types $1_seunshare_t;
+
+- seunshare_domtrans($1)
++ kernel_read_system_state($1_seunshare_t)
++
++ auth_use_nsswitch($1_seunshare_t)
++
++ logging_send_syslog_msg($1_seunshare_t)
++
++ mls_process_set_level($1_seunshare_t)
++
++ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
++
++ # part of sandboxX.pp
++ optional_policy(`
++ sandbox_x_transition($1_seunshare_t, $2)
++ ')
++
++ # part of sandbox.pp
++ optional_policy(`
++ sandbox_transition($1_seunshare_t, $2)
++ ')
++
++ ps_process_pattern($3, $1_seunshare_t)
++ allow $3 $1_seunshare_t:process signal_perms;
++ allow $3 $1_seunshare_t:fd use;
++
++ allow $1_seunshare_t $3:process transition;
++ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
+
+- ps_process_pattern($2, seunshare_t)
+- allow $2 seunshare_t:process signal;
++ corecmd_bin_domtrans($1_seunshare_t, $1_t)
++ corecmd_shell_domtrans($1_seunshare_t, $1_t)
+ ')
+diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
+index 7590165..19aaaed 100644
+--- a/policy/modules/apps/seunshare.te
++++ b/policy/modules/apps/seunshare.te
+@@ -5,40 +5,57 @@ policy_module(seunshare, 1.1.0)
+ # Declarations
+ #
+
+-type seunshare_t;
++attribute seunshare_domain;
+ type seunshare_exec_t;
+-application_domain(seunshare_t, seunshare_exec_t)
+-role system_r types seunshare_t;
+
+ ########################################
+ #
+ # seunshare local policy
+ #
++allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice };
++allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
+
+-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
+-allow seunshare_t self:process { setexec signal getcap setcap };
++allow seunshare_domain self:fifo_file rw_file_perms;
++allow seunshare_domain self:unix_stream_socket create_stream_socket_perms;
+
+-allow seunshare_t self:fifo_file rw_file_perms;
+-allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
++corecmd_exec_shell(seunshare_domain)
++corecmd_exec_bin(seunshare_domain)
+
+-corecmd_exec_shell(seunshare_t)
+-corecmd_exec_bin(seunshare_t)
++dev_read_urand(seunshare_domain)
++dev_dontaudit_rw_dri(seunshare_domain)
+
+-files_read_etc_files(seunshare_t)
+-files_mounton_all_poly_members(seunshare_t)
++files_search_all(seunshare_domain)
++files_read_etc_files(seunshare_domain)
++files_mounton_all_poly_members(seunshare_domain)
++files_mounton_rootfs(seunshare_domain)
++files_manage_generic_tmp_dirs(seunshare_domain)
++files_relabelfrom_tmp_dirs(seunshare_domain)
+
+-auth_use_nsswitch(seunshare_t)
+-
+-logging_send_syslog_msg(seunshare_t)
+-
+-miscfiles_read_localization(seunshare_t)
+-
+-userdom_use_user_terminals(seunshare_t)
++fs_manage_cgroup_dirs(seunshare_domain)
++fs_manage_cgroup_files(seunshare_domain)
++fs_unmount_all_fs(seunshare_domain)
+
++userdom_dontaudit_rw_user_tmp_pipes(seunshare_domain)
++userdom_use_inherited_user_terminals(seunshare_domain)
++userdom_list_user_home_content(seunshare_domain)
+ ifdef(`hide_broken_symptoms', `
+- fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
++ fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
++ fs_dontaudit_list_inotifyfs(seunshare_domain)
+
+ optional_policy(`
+- mozilla_dontaudit_manage_user_home_files(seunshare_t)
++ mozilla_dontaudit_manage_user_home_files(seunshare_domain)
++ mozilla_plugin_dontaudit_leaks(seunshare_domain)
+ ')
+ ')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_mounton_nfs(seunshare_domain)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_mounton_cifs(seunshare_domain)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_mounton_fusefs(seunshare_domain)
++')
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index db981df..e2c87b3 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -1,9 +1,10 @@
+ #
+ # /bin
+ #
+-/bin -d gen_context(system_u:object_r:bin_t,s0)
++/bin gen_context(system_u:object_r:bin_t,s0)
+ /bin/.* gen_context(system_u:object_r:bin_t,s0)
+ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
++/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -46,6 +47,7 @@ ifdef(`distro_redhat',`
+ /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
+
++/etc/auto\.[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
+@@ -71,10 +73,18 @@ ifdef(`distro_redhat',`
+ /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++/etc/redhat-lsb(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
++/etc/lxdm/LoginReady -- gen_context(system_u:object_r:bin_t,s0)
++/etc/lxdm/Post.* -- gen_context(system_u:object_r:bin_t,s0)
++/etc/lxdm/Pre.* -- gen_context(system_u:object_r:bin_t,s0)
++/etc/lxdm/Xsession -- gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
++/etc/munin/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+@@ -97,8 +107,6 @@ ifdef(`distro_redhat',`
+
+ /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
+
+-/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
+-
+ /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
+@@ -130,10 +138,11 @@ ifdef(`distro_debian',`
+
+ /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+-/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
+ /lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
++/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
+ /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
+ /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/lib/security/pam_krb5(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ ifdef(`distro_gentoo',`
+ /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
+@@ -147,7 +156,7 @@ ifdef(`distro_gentoo',`
+ #
+ # /sbin
+ #
+-/sbin -d gen_context(system_u:object_r:bin_t,s0)
++/sbin gen_context(system_u:object_r:bin_t,s0)
+ /sbin/.* gen_context(system_u:object_r:bin_t,s0)
+ /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+ /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+@@ -163,6 +172,7 @@ ifdef(`distro_gentoo',`
+ /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/opt/google/chrome(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+@@ -174,53 +184,80 @@ ifdef(`distro_gentoo',`
+ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ ')
+
++/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+ #
+ # /usr
+ #
++/usr/bin -d gen_context(system_u:object_r:bin_t,s0)
+ /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+-/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/pingus.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+-/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+ /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++/usr/lib/jvm/java(.*/)bin(/.*) gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/libreoffice(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
+-/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/chromium-browser(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/mailman.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/mailman.*/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/MailScanner(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ocf(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/tumbler-[^/]*/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/systemd/system-sleep/(.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
+@@ -235,10 +272,15 @@ ifdef(`distro_gentoo',`
+ /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/debug/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/xulrunner[^/]*/xulrunner[^/]* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/xulrunner[^/]*/updater -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/xulrunner[^/]*/crashreporter -- gen_context(system_u:object_r:bin_t,s0)
++
+ /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+@@ -251,11 +293,17 @@ ifdef(`distro_gentoo',`
+
+ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+
+-/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
++/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0)
++/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
++/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
++/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
++/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -271,10 +319,15 @@ ifdef(`distro_gentoo',`
+ /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/checkquorum.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/gitolite3/commands(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
+@@ -289,16 +342,21 @@ ifdef(`distro_gentoo',`
+ /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/shorewall6?/configpath -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/shorewall6?/wait4ifup -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0)
++/usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
++/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
+
+ ifdef(`distro_debian',`
+ /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
+@@ -314,8 +372,12 @@ ifdef(`distro_redhat', `
+ /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
+ /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
+
++/usr/lib/.*/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nfs-utils/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/tuned/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
+@@ -325,9 +387,11 @@ ifdef(`distro_redhat', `
+ /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/kde4/apps/kajongg/kajongg.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
+@@ -376,11 +440,15 @@ ifdef(`distro_suse', `
+ #
+ # /var
+ #
+-/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/var/mailman.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+ /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+
+ /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
+@@ -390,3 +458,12 @@ ifdef(`distro_suse', `
+ ifdef(`distro_suse',`
+ /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
+ ')
++
++#
++# /usr/lib
++#
++
++/usr/lib/dracut(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/iscan/network -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
+diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
+index 9e9263a..87d577e 100644
+--- a/policy/modules/kernel/corecommands.if
++++ b/policy/modules/kernel/corecommands.if
+@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',`
+ type bin_t;
+ ')
+
++ corecmd_read_bin_symlinks($1)
+ search_dirs_pattern($1, bin_t, bin_t)
+ ')
+
+@@ -158,6 +159,7 @@ interface(`corecmd_list_bin',`
+ type bin_t;
+ ')
+
++ corecmd_read_bin_symlinks($1)
+ list_dirs_pattern($1, bin_t, bin_t)
+ ')
+
+@@ -203,7 +205,7 @@ interface(`corecmd_getattr_bin_files',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -231,6 +233,7 @@ interface(`corecmd_read_bin_files',`
+ type bin_t;
+ ')
+
++ corecmd_read_bin_symlinks($1)
+ read_files_pattern($1, bin_t, bin_t)
+ ')
+
+@@ -254,6 +257,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to access check bin files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corecmd_dontaudit_access_check_bin',`
++ gen_require(`
++ type bin_t;
++ ')
++
++ dontaudit $1 bin_t:file audit_access;
++')
++
++########################################
++##
+ ## Read symbolic links in bin directories.
+ ##
+ ##
+@@ -285,6 +306,7 @@ interface(`corecmd_read_bin_pipes',`
+ type bin_t;
+ ')
+
++ corecmd_read_bin_symlinks(bin_t)
+ read_fifo_files_pattern($1, bin_t, bin_t)
+ ')
+
+@@ -303,6 +325,7 @@ interface(`corecmd_read_bin_sockets',`
+ type bin_t;
+ ')
+
++ corecmd_read_bin_symlinks($1)
+ read_sock_files_pattern($1, bin_t, bin_t)
+ ')
+
+@@ -345,6 +368,10 @@ interface(`corecmd_exec_bin',`
+ read_lnk_files_pattern($1, bin_t, bin_t)
+ list_dirs_pattern($1, bin_t, bin_t)
+ can_exec($1, bin_t)
++
++ ifdef(`enable_mls',`',`
++ files_exec_all_base_ro_files($1)
++ ')
+ ')
+
+ ########################################
+@@ -362,6 +389,7 @@ interface(`corecmd_manage_bin_files',`
+ type bin_t;
+ ')
+
++ corecmd_read_bin_symlinks($1)
+ manage_files_pattern($1, bin_t, bin_t)
+ ')
+
+@@ -398,6 +426,7 @@ interface(`corecmd_mmap_bin_files',`
+ type bin_t;
+ ')
+
++ corecmd_read_bin_symlinks($1)
+ mmap_files_pattern($1, bin_t, bin_t)
+ ')
+
+@@ -954,6 +983,24 @@ interface(`corecmd_exec_chroot',`
+
+ ########################################
+ ##
++## Do not audit attempts to access check executable files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corecmd_dontaudit_access_all_executables',`
++ gen_require(`
++ attribute exec_type;
++ ')
++
++ dontaudit $1 exec_type:file audit_access;
++')
++
++########################################
++##
+ ## Get the attributes of all executable files.
+ ##
+ ##
+@@ -1012,6 +1059,10 @@ interface(`corecmd_exec_all_executables',`
+ can_exec($1, exec_type)
+ list_dirs_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, exec_type)
++
++ ifdef(`enable_mls',`',`
++ files_exec_all_base_ro_files($1)
++ ')
+ ')
+
+ ########################################
+@@ -1049,6 +1100,7 @@ interface(`corecmd_manage_all_executables',`
+ type bin_t;
+ ')
+
++ manage_dirs_pattern($1, bin_t, exec_type)
+ manage_files_pattern($1, bin_t, exec_type)
+ manage_lnk_files_pattern($1, bin_t, bin_t)
+ ')
+@@ -1091,3 +1143,36 @@ interface(`corecmd_mmap_all_executables',`
+
+ mmap_files_pattern($1, bin_t, exec_type)
+ ')
++
++########################################
++##
++## Create objects in the /bin directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created
++##
++##
++##
++##
++## The object class.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`corecmd_bin_filetrans',`
++ gen_require(`
++ type bin_t;
++ ')
++
++ filetrans_pattern($1, bin_t, $2, $3, $4)
++')
+diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
+index 1dd0427..6d6f456 100644
+--- a/policy/modules/kernel/corecommands.te
++++ b/policy/modules/kernel/corecommands.te
+@@ -13,7 +13,8 @@ attribute exec_type;
+ #
+ # bin_t is the type of files in the system bin/sbin directories.
+ #
+-type bin_t alias { ls_exec_t sbin_t };
++type bin_t alias { ls_exec_t sbin_t unconfined_execmem_exec_t execmem_exec_t java_exec_t mono_exec_t };
++files_ro_base_file(bin_t)
+ corecmd_executable_file(bin_t)
+ dev_associate(bin_t) #For /dev/MAKEDEV
+
+@@ -21,6 +22,7 @@ dev_associate(bin_t) #For /dev/MAKEDEV
+ # shell_exec_t is the type of user shells such as /bin/bash.
+ #
+ type shell_exec_t;
++files_ro_base_file(shell_exec_t)
+ corecmd_executable_file(shell_exec_t)
+
+ type chroot_exec_t;
+diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc
+index f9b25c1..9af1f7a 100644
+--- a/policy/modules/kernel/corenetwork.fc
++++ b/policy/modules/kernel/corenetwork.fc
+@@ -8,3 +8,6 @@
+
+ /lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+ /lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
++
++/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
++/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
+diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
+index 07126bd..7ac4630 100644
+--- a/policy/modules/kernel/corenetwork.if.in
++++ b/policy/modules/kernel/corenetwork.if.in
+@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
+ ')
+
+ typeattribute $1 reserved_port_type;
++ corenet_port($1)
+ ')
+
+ ########################################
+@@ -82,6 +83,7 @@ interface(`corenet_rpc_port',`
+ ')
+
+ typeattribute $1 rpc_port_type;
++ corenet_port($1)
+ ')
+
+ ########################################
+@@ -615,6 +617,24 @@ interface(`corenet_raw_sendrecv_all_if',`
+
+ ########################################
+ ##
++## Send and receive DCCP network traffic on generic nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_sendrecv_generic_node',`
++ gen_require(`
++ type node_t;
++ ')
++
++ allow $1 node_t:node { dccp_send dccp_recv sendto recvfrom };
++')
++
++########################################
++##
+ ## Send and receive TCP network traffic on generic nodes.
+ ##
+ ##
+@@ -789,6 +809,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
+
+ ########################################
+ ##
++## Bind DCCP sockets to generic nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_generic_node',`
++ gen_require(`
++ type node_t;
++ ')
++
++ allow $1 node_t:dccp_socket node_bind;
++')
++
++########################################
++##
+ ## Bind TCP sockets to generic nodes.
+ ##
+ ##
+@@ -928,6 +966,24 @@ interface(`corenet_inout_generic_node',`
+
+ ########################################
+ ##
++## Send and receive DCCP network traffic on all nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_sendrecv_all_nodes',`
++ gen_require(`
++ attribute node_type;
++ ')
++
++ allow $1 node_type:node { dccp_send dccp_recv sendto recvfrom };
++')
++
++########################################
++##
+ ## Send and receive TCP network traffic on all nodes.
+ ##
+ ##
+@@ -1102,6 +1158,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
+
+ ########################################
+ ##
++## Bind DCCP sockets to all nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_all_nodes',`
++ gen_require(`
++ attribute node_type;
++ ')
++
++ allow $1 node_type:dccp_socket node_bind;
++')
++
++########################################
++##
+ ## Bind TCP sockets to all nodes.
+ ##
+ ##
+@@ -1157,6 +1231,24 @@ interface(`corenet_raw_bind_all_nodes',`
+
+ ########################################
+ ##
++## Send and receive DCCP network traffic on generic ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_sendrecv_generic_port',`
++ gen_require(`
++ type port_t, unreserved_port_t, ephemeral_port_t;
++ ')
++
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
++')
++
++########################################
++##
+ ## Send and receive TCP network traffic on generic ports.
+ ##
+ ##
+@@ -1167,10 +1259,30 @@ interface(`corenet_raw_bind_all_nodes',`
+ #
+ interface(`corenet_tcp_sendrecv_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
+- allow $1 port_t:tcp_socket { send_msg recv_msg };
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
++')
++
++########################################
++##
++## Do not audit attempts to send and
++## receive DCCP network traffic on
++## generic ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_sendrecv_generic_port',`
++ gen_require(`
++ type port_t, unreserved_port_t, ephemeral_port_t;
++ ')
++
++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
+ ')
+
+ ########################################
+@@ -1185,10 +1297,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
+ #
+ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
+- dontaudit $1 port_t:tcp_socket { send_msg recv_msg };
++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
+ ')
+
+ ########################################
+@@ -1203,10 +1315,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+ #
+ interface(`corenet_udp_send_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
+- allow $1 port_t:udp_socket send_msg;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket send_msg;
+ ')
+
+ ########################################
+@@ -1221,10 +1333,10 @@ interface(`corenet_udp_send_generic_port',`
+ #
+ interface(`corenet_udp_receive_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
+- allow $1 port_t:udp_socket recv_msg;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket recv_msg;
+ ')
+
+ ########################################
+@@ -1244,6 +1356,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
+
+ ########################################
+ ##
++## Bind DCCP sockets to generic ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_generic_port',`
++ gen_require(`
++ type port_t, unreserved_port_t, ephemeral_port_t;
++ attribute defined_port_type;
++ ')
++
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
++ dontaudit $1 defined_port_type:dccp_socket name_bind;
++')
++
++########################################
++##
+ ## Bind TCP sockets to generic ports.
+ ##
+ ##
+@@ -1254,16 +1386,35 @@ interface(`corenet_udp_sendrecv_generic_port',`
+ #
+ interface(`corenet_tcp_bind_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ attribute defined_port_type;
+ ')
+
+- allow $1 port_t:tcp_socket name_bind;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
+ dontaudit $1 defined_port_type:tcp_socket name_bind;
+ ')
+
+ ########################################
+ ##
++## Do not audit attempts to bind DCCP
++## sockets to generic ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_bind_generic_port',`
++ gen_require(`
++ type port_t, unreserved_port_t, ephemeral_port_t;
++ ')
++
++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
++')
++
++########################################
++##
+ ## Do not audit bind TCP sockets to generic ports.
+ ##
+ ##
+@@ -1274,10 +1425,10 @@ interface(`corenet_tcp_bind_generic_port',`
+ #
+ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
+- dontaudit $1 port_t:tcp_socket name_bind;
++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
+ ')
+
+ ########################################
+@@ -1292,16 +1443,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+ #
+ interface(`corenet_udp_bind_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ attribute defined_port_type;
+ ')
+
+- allow $1 port_t:udp_socket name_bind;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket name_bind;
+ dontaudit $1 defined_port_type:udp_socket name_bind;
+ ')
+
+ ########################################
+ ##
++## Connect DCCP sockets to generic ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_connect_generic_port',`
++ gen_require(`
++ type port_t, unreserved_port_t,ephemeral_port_t;
++ ')
++
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_connect;
++')
++
++########################################
++##
+ ## Connect TCP sockets to generic ports.
+ ##
+ ##
+@@ -1312,10 +1481,28 @@ interface(`corenet_udp_bind_generic_port',`
+ #
+ interface(`corenet_tcp_connect_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
+- allow $1 port_t:tcp_socket name_connect;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect;
++')
++
++########################################
++##
++## Send and receive DCCP network traffic on all ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_sendrecv_all_ports',`
++ gen_require(`
++ attribute port_type;
++ ')
++
++ allow $1 port_type:dccp_socket { send_msg recv_msg };
+ ')
+
+ ########################################
+@@ -1439,6 +1626,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
+
+ ########################################
+ ##
++## Bind DCCP sockets to all ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_all_ports',`
++ gen_require(`
++ attribute port_type;
++ ')
++
++ allow $1 port_type:dccp_socket name_bind;
++ allow $1 self:capability net_bind_service;
++')
++
++########################################
++##
+ ## Bind TCP sockets to all ports.
+ ##
+ ##
+@@ -1458,6 +1664,24 @@ interface(`corenet_tcp_bind_all_ports',`
+
+ ########################################
+ ##
++## Do not audit attepts to bind DCCP sockets to any ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_bind_all_ports',`
++ gen_require(`
++ attribute port_type;
++ ')
++
++ dontaudit $1 port_type:dccp_socket name_bind;
++')
++
++########################################
++##
+ ## Do not audit attepts to bind TCP sockets to any ports.
+ ##
+ ##
+@@ -1513,6 +1737,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
+
+ ########################################
+ ##
++## Connect DCCP sockets to all ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_connect_all_ports',`
++ gen_require(`
++ attribute port_type;
++ ')
++
++ allow $1 port_type:dccp_socket name_connect;
++')
++
++########################################
++##
+ ## Connect TCP sockets to all ports.
+ ##
+ ##
+@@ -1559,6 +1801,25 @@ interface(`corenet_tcp_connect_all_ports',`
+
+ ########################################
+ ##
++## Do not audit attempts to connect DCCP sockets
++## to all ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_connect_all_ports',`
++ gen_require(`
++ attribute port_type;
++ ')
++
++ dontaudit $1 port_type:dccp_socket name_connect;
++')
++
++########################################
++##
+ ## Do not audit attempts to connect TCP sockets
+ ## to all ports.
+ ##
+@@ -1578,6 +1839,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
+
+ ########################################
+ ##
++## Send and receive DCCP network traffic on generic reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_sendrecv_reserved_port',`
++ gen_require(`
++ type reserved_port_t;
++ ')
++
++ allow $1 reserved_port_t:dccp_socket { send_msg recv_msg };
++')
++
++########################################
++##
+ ## Send and receive TCP network traffic on generic reserved ports.
+ ##
+ ##
+@@ -1647,6 +1926,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
+
+ ########################################
+ ##
++## Bind DCCP sockets to generic reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_reserved_port',`
++ gen_require(`
++ type reserved_port_t;
++ ')
++
++ allow $1 reserved_port_t:dccp_socket name_bind;
++ allow $1 self:capability net_bind_service;
++')
++
++########################################
++##
+ ## Bind TCP sockets to generic reserved ports.
+ ##
+ ##
+@@ -1685,6 +1983,24 @@ interface(`corenet_udp_bind_reserved_port',`
+
+ ########################################
+ ##
++## Connect DCCP sockets to generic reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_connect_reserved_port',`
++ gen_require(`
++ type reserved_port_t;
++ ')
++
++ allow $1 reserved_port_t:dccp_socket name_connect;
++')
++
++########################################
++##
+ ## Connect TCP sockets to generic reserved ports.
+ ##
+ ##
+@@ -1703,6 +2019,24 @@ interface(`corenet_tcp_connect_reserved_port',`
+
+ ########################################
+ ##
++## Send and receive DCCP network traffic on all reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_sendrecv_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
++')
++
++########################################
++##
+ ## Send and receive TCP network traffic on all reserved ports.
+ ##
+ ##
+@@ -1752,12 +2086,210 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+ attribute reserved_port_type;
+ ')
+
+- allow $1 reserved_port_type:udp_socket recv_msg;
++ allow $1 reserved_port_type:udp_socket recv_msg;
++')
++
++########################################
++##
++## Send and receive UDP network traffic on all reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_udp_sendrecv_all_reserved_ports',`
++ corenet_udp_send_all_reserved_ports($1)
++ corenet_udp_receive_all_reserved_ports($1)
++')
++
++########################################
++##
++## Bind DCCP sockets to all reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ allow $1 reserved_port_type:dccp_socket name_bind;
++ allow $1 self:capability net_bind_service;
++')
++
++########################################
++##
++## Bind TCP sockets to all reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_tcp_bind_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ allow $1 reserved_port_type:tcp_socket name_bind;
++ allow $1 self:capability net_bind_service;
++')
++
++########################################
++##
++## Do not audit attempts to bind DCCP sockets to all reserved ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_bind_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ dontaudit $1 reserved_port_type:dccp_socket name_bind;
++')
++
++########################################
++##
++## Do not audit attempts to bind TCP sockets to all reserved ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ dontaudit $1 reserved_port_type:tcp_socket name_bind;
++')
++
++########################################
++##
++## Bind UDP sockets to all reserved ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_udp_bind_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ allow $1 reserved_port_type:udp_socket name_bind;
++ allow $1 self:capability net_bind_service;
++')
++
++########################################
++##
++## Do not audit attempts to bind UDP sockets to all reserved ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
++ gen_require(`
++ attribute reserved_port_type;
++ ')
++
++ dontaudit $1 reserved_port_type:udp_socket name_bind;
++')
++
++########################################
++##
++## Bind DCCP sockets to all ports > 1024.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_all_unreserved_ports',`
++ gen_require(`
++ attribute unreserved_port_type;
++ ')
++
++ allow $1 unreserved_port_type:dccp_socket name_bind;
++')
++
++########################################
++##
++## Bind TCP sockets to all ports > 1024.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_tcp_bind_all_unreserved_ports',`
++ gen_require(`
++ attribute unreserved_port_type;
++ ')
++
++ allow $1 unreserved_port_type:tcp_socket name_bind;
++')
++
++########################################
++##
++## Bind UDP sockets to all ports > 1024.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_udp_bind_all_unreserved_ports',`
++ gen_require(`
++ attribute unreserved_port_type;
++ ')
++
++ allow $1 unreserved_port_type:udp_socket name_bind;
++')
++
++########################################
++##
++## Bind TCP sockets to all ports > 32768.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_tcp_bind_all_ephemeral_ports',`
++ gen_require(`
++ attribute ephemeral_port_type;
++ ')
++
++ allow $1 ephemeral_port_type:tcp_socket name_bind;
+ ')
+
+ ########################################
+ ##
+-## Send and receive UDP network traffic on all reserved ports.
++## Bind UDP sockets to all ports > 32768.
+ ##
+ ##
+ ##
+@@ -1765,14 +2297,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+ ##
+ ##
+ #
+-interface(`corenet_udp_sendrecv_all_reserved_ports',`
+- corenet_udp_send_all_reserved_ports($1)
+- corenet_udp_receive_all_reserved_ports($1)
++interface(`corenet_udp_bind_all_ephemeral_ports',`
++ gen_require(`
++ attribute ephemeral_port_type;
++ ')
++
++ allow $1 ephemeral_port_type:udp_socket name_bind;
+ ')
+
+ ########################################
+ ##
+-## Bind TCP sockets to all reserved ports.
++## Connect DCCP sockets to reserved ports.
+ ##
+ ##
+ ##
+@@ -1780,36 +2315,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
+ ##
+ ##
+ #
+-interface(`corenet_tcp_bind_all_reserved_ports',`
++interface(`corenet_dccp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+- allow $1 reserved_port_type:tcp_socket name_bind;
+- allow $1 self:capability net_bind_service;
++ allow $1 reserved_port_type:dccp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to bind TCP sockets to all reserved ports.
++## Connect TCP sockets to reserved ports.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
++interface(`corenet_tcp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+- dontaudit $1 reserved_port_type:tcp_socket name_bind;
++ allow $1 reserved_port_type:tcp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Bind UDP sockets to all reserved ports.
++## Connect DCCP sockets to all ports > 1024.
+ ##
+ ##
+ ##
+@@ -1817,36 +2351,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+ ##
+ ##
+ #
+-interface(`corenet_udp_bind_all_reserved_ports',`
++interface(`corenet_dccp_connect_all_unreserved_ports',`
+ gen_require(`
+- attribute reserved_port_type;
++ attribute unreserved_port_type;
+ ')
+
+- allow $1 reserved_port_type:udp_socket name_bind;
+- allow $1 self:capability net_bind_service;
++ allow $1 unreserved_port_type:dccp_socket name_connect;
+ ')
+
+-########################################
++#######################################
+ ##
+-## Do not audit attempts to bind UDP sockets to all reserved ports.
++## Connect TCP sockets to ports > 1024.
+ ##
+ ##
+-##
+-## Domain to not audit.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+-interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+- gen_require(`
+- attribute reserved_port_type;
+- ')
++interface(`corenet_tcp_connect_unreserved_ports',`
++ gen_require(`
++ type unreserved_port_t;
++ ')
+
+- dontaudit $1 reserved_port_type:udp_socket name_bind;
++ allow $1 unreserved_port_t:tcp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Bind TCP sockets to all ports > 1024.
++## Connect TCP sockets to all ports > 1024.
+ ##
+ ##
+ ##
+@@ -1854,17 +2387,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+ ##
+ ##
+ #
+-interface(`corenet_tcp_bind_all_unreserved_ports',`
++interface(`corenet_tcp_connect_all_unreserved_ports',`
+ gen_require(`
+ attribute unreserved_port_type;
+ ')
+
+- allow $1 unreserved_port_type:tcp_socket name_bind;
++ allow $1 unreserved_port_type:tcp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Bind UDP sockets to all ports > 1024.
++## Connect TCP sockets to all ports > 32768.
+ ##
+ ##
+ ##
+@@ -1872,67 +2405,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
+ ##
+ ##
+ #
+-interface(`corenet_udp_bind_all_unreserved_ports',`
++interface(`corenet_tcp_connect_all_ephemeral_ports',`
+ gen_require(`
+- attribute unreserved_port_type;
++ attribute ephemeral_port_type;
+ ')
+
+- allow $1 unreserved_port_type:udp_socket name_bind;
++ allow $1 ephemeral_port_type:tcp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Connect TCP sockets to reserved ports.
++## Do not audit attempts to connect DCCP sockets
++## all reserved ports.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`corenet_tcp_connect_all_reserved_ports',`
++interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+- allow $1 reserved_port_type:tcp_socket name_connect;
++ dontaudit $1 reserved_port_type:dccp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Connect TCP sockets to all ports > 1024.
++## Do not audit attempts to connect TCP sockets
++## all reserved ports.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`corenet_tcp_connect_all_unreserved_ports',`
++interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+ gen_require(`
+- attribute unreserved_port_type;
++ attribute reserved_port_type;
+ ')
+
+- allow $1 unreserved_port_type:tcp_socket name_connect;
++ dontaudit $1 reserved_port_type:tcp_socket name_connect;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to connect TCP sockets
+-## all reserved ports.
++## Connect DCCP sockets to rpc ports.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
++interface(`corenet_dccp_connect_all_rpc_ports',`
+ gen_require(`
+- attribute reserved_port_type;
++ attribute rpc_port_type;
+ ')
+
+- dontaudit $1 reserved_port_type:tcp_socket name_connect;
++ allow $1 rpc_port_type:dccp_socket name_connect;
+ ')
+
+ ########################################
+@@ -1955,6 +2489,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
+
+ ########################################
+ ##
++## Do not audit attempts to connect DCCP sockets
++## all rpc ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',`
++ gen_require(`
++ attribute rpc_port_type;
++ ')
++
++ dontaudit $1 rpc_port_type:dccp_socket name_connect;
++')
++
++########################################
++##
+ ## Do not audit attempts to connect TCP sockets
+ ## all rpc ports.
+ ##
+@@ -1993,6 +2546,24 @@ interface(`corenet_rw_tun_tap_dev',`
+
+ ########################################
+ ##
++## Read and write inherited TUN/TAP virtual network device.
++##
++##
++##
++## The domain allowed access.
++##
++##
++#
++interface(`corenet_rw_inherited_tun_tap_dev',`
++ gen_require(`
++ type tun_tap_device_t;
++ ')
++
++ allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read or write the TUN/TAP
+ ## virtual network device.
+ ##
+@@ -2049,6 +2620,25 @@ interface(`corenet_rw_ppp_dev',`
+
+ ########################################
+ ##
++## Bind DCCP sockets to all RPC ports.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_bind_all_rpc_ports',`
++ gen_require(`
++ attribute rpc_port_type;
++ ')
++
++ allow $1 rpc_port_type:dccp_socket name_bind;
++ allow $1 self:capability net_bind_service;
++')
++
++########################################
++##
+ ## Bind TCP sockets to all RPC ports.
+ ##
+ ##
+@@ -2068,6 +2658,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
+
+ ########################################
+ ##
++## Do not audit attempts to bind DCCP sockets to all RPC ports.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_bind_all_rpc_ports',`
++ gen_require(`
++ attribute rpc_port_type;
++ ')
++
++ dontaudit $1 rpc_port_type:dccp_socket name_bind;
++')
++
++########################################
++##
+ ## Do not audit attempts to bind TCP sockets to all RPC ports.
+ ##
+ ##
+@@ -2194,6 +2802,25 @@ interface(`corenet_tcp_recv_netlabel',`
+
+ ########################################
+ ##
++## Receive DCCP packets from a NetLabel connection.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dccp_recvfrom_netlabel',`
++ gen_require(`
++ type netlabel_peer_t;
++ ')
++
++ allow $1 netlabel_peer_t:peer recv;
++ allow $1 netlabel_peer_t:dccp_socket recvfrom;
++')
++
++########################################
++##
+ ## Receive TCP packets from a NetLabel connection.
+ ##
+ ##
+@@ -2213,7 +2840,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+
+ ########################################
+ ##
+-## Receive TCP packets from an unlabled connection.
++## Receive DCCP packets from an unlabled connection.
+ ##
+ ##
+ ##
+@@ -2221,10 +2848,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+ ##
+ ##
+ #
+-interface(`corenet_tcp_recvfrom_unlabeled',`
+- kernel_tcp_recvfrom_unlabeled($1)
++interface(`corenet_dccp_recvfrom_unlabeled',`
++ gen_require(`
++ attribute corenet_unlabeled_type;
++ ')
++
++ kernel_dccp_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
+
++ typeattribute $1 corenet_unlabeled_type;
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+@@ -2249,6 +2881,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
+
+ ########################################
+ ##
++## Do not audit attempts to receive DCCP packets from a NetLabel
++## connection.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_recvfrom_netlabel',`
++ gen_require(`
++ type netlabel_peer_t;
++ ')
++
++ dontaudit $1 netlabel_peer_t:peer recv;
++ dontaudit $1 netlabel_peer_t:dccp_socket recvfrom;
++')
++
++########################################
++##
+ ## Do not audit attempts to receive TCP packets from a NetLabel
+ ## connection.
+ ##
+@@ -2269,6 +2921,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+
+ ########################################
+ ##
++## Do not audit attempts to receive DCCP packets from an unlabeled
++## connection.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`corenet_dontaudit_dccp_recvfrom_unlabeled',`
++ kernel_dontaudit_dccp_recvfrom_unlabeled($1)
++ kernel_dontaudit_recvfrom_unlabeled_peer($1)
++
++ # XXX - at some point the oubound/send access check will be removed
++ # but for right now we need to keep this in place so as not to break
++ # older systems
++ kernel_dontaudit_sendrecv_unlabeled_association($1)
++')
++
++########################################
++##
+ ## Do not audit attempts to receive TCP packets from an unlabeled
+ ## connection.
+ ##
+@@ -2533,15 +3206,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+ ##
+ #
+ interface(`corenet_all_recvfrom_unlabeled',`
+- kernel_tcp_recvfrom_unlabeled($1)
+- kernel_udp_recvfrom_unlabeled($1)
+- kernel_raw_recvfrom_unlabeled($1)
+- kernel_recvfrom_unlabeled_peer($1)
+-
+- # XXX - at some point the oubound/send access check will be removed
+- # but for right now we need to keep this in place so as not to break
+- # older systems
+- kernel_sendrecv_unlabeled_association($1)
++ gen_require(`
++ attribute corenet_unlabeled_type;
++ ')
++ typeattribute $1 corenet_unlabeled_type;
+ ')
+
+ ########################################
+@@ -2567,11 +3235,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
+ #
+ interface(`corenet_all_recvfrom_netlabel',`
+ gen_require(`
+- type netlabel_peer_t;
++ attribute netlabel_peer_type;
+ ')
+
+- allow $1 netlabel_peer_t:peer recv;
+- allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
++ typeattribute $1 netlabel_peer_type;
++')
++
++########################################
++##
++## Enable unlabeled net packets
++##
++##
++##
++## Allow unlabeled_packet_t to be used by all domains that use the network
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`corenet_enable_unlabeled_packets',`
++ gen_require(`
++ attribute corenet_unlabeled_type;
++ ')
++
++ kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)
+ ')
+
+ ########################################
+@@ -2585,6 +3276,7 @@ interface(`corenet_all_recvfrom_netlabel',`
+ ##
+ #
+ interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
++ kernel_dontaudit_dccp_recvfrom_unlabeled($1)
+ kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+ kernel_dontaudit_udp_recvfrom_unlabeled($1)
+ kernel_dontaudit_raw_recvfrom_unlabeled($1)
+@@ -2613,7 +3305,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+ ')
+
+ dontaudit $1 netlabel_peer_t:peer recv;
+- dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
++ dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
++')
++
++########################################
++##
++## Rules for receiving labeled DCCP packets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Peer domain.
++##
++##
++#
++interface(`corenet_dccp_recvfrom_labeled',`
++ allow { $1 $2 } self:association sendto;
++ allow $1 $2:{ association dccp_socket } recvfrom;
++ allow $2 $1:{ association dccp_socket } recvfrom;
++
++ allow $1 $2:peer recv;
++ allow $2 $1:peer recv;
++
++ # allow receiving packets from MLS-only peers using NetLabel
++ corenet_dccp_recvfrom_netlabel($1)
++ corenet_dccp_recvfrom_netlabel($2)
+ ')
+
+ ########################################
+@@ -2727,6 +3447,7 @@ interface(`corenet_raw_recvfrom_labeled',`
+ ##
+ #
+ interface(`corenet_all_recvfrom_labeled',`
++ corenet_dccp_recvfrom_labeled($1, $2)
+ corenet_tcp_recvfrom_labeled($1, $2)
+ corenet_udp_recvfrom_labeled($1, $2)
+ corenet_raw_recvfrom_labeled($1, $2)
+@@ -3134,3 +3855,53 @@ interface(`corenet_unconfined',`
+
+ typeattribute $1 corenet_unconfined_type;
+ ')
++
++########################################
++##
++## Create all network named devices with the correct label
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_filetrans_all_named_dev',`
++
++ gen_require(`
++ type tun_tap_device_t;
++ type ppp_device_t;
++ ')
++
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap0")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap1")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap2")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap3")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap4")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap5")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap6")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap7")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap8")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap9")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap10")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap11")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap12")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap13")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap14")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap15")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap16")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap17")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap18")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap19")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap20")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap21")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap22")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap23")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap24")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap25")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap26")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap27")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap28")
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap29")
++ dev_filetrans($1, ppp_device_t, chr_file, "ppp")
++')
+diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
+index 8e0f9cd..b9f45b9 100644
+--- a/policy/modules/kernel/corenetwork.if.m4
++++ b/policy/modules/kernel/corenetwork.if.m4
+@@ -631,6 +631,26 @@ interface(`corenet_udp_bind_$1_port',`
+
+ ########################################
+ ##
++## Do not audit attempts to sbind to $1 port.
++##
++##
++##
++## Domain to not audit.
++##
++##
++##
++#
++interface(`corenet_dontaudit_udp_bind_$1_port',`
++ gen_require(`
++ $3 $1_$2;
++ ')
++
++ dontaudit dollarsone $1_$2:udp_socket name_bind;
++ $4
++')
++
++########################################
++##
+ ## Make a TCP connection to the $1 port.
+ ##
+ ##
+@@ -646,6 +666,23 @@ interface(`corenet_tcp_connect_$1_port',`
+
+ allow dollarsone $1_$2:tcp_socket name_connect;
+ ')
++########################################
++##
++## Do not audit attempts to make a TCP connection to $1 port.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_dontaudit_tcp_connect_$1_port',`
++ gen_require(`
++ $3 $1_$2;
++ ')
++
++ dontaudit dollarsone $1_$2:tcp_socket name_connect;
++')
+ '') dnl end create_port_interfaces
+
+ define(`create_packet_interfaces',``
+diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
+index fe2ee5e..72c5a3b 100644
+--- a/policy/modules/kernel/corenetwork.te.in
++++ b/policy/modules/kernel/corenetwork.te.in
+@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0)
+ # Declarations
+ #
+
++attribute netlabel_peer_type;
+ attribute client_packet_type;
+ # This is an optimization for { port_type -port_t }
+ attribute defined_port_type;
+@@ -14,12 +15,14 @@ attribute node_type;
+ attribute packet_type;
+ attribute port_type;
+ attribute reserved_port_type;
++attribute ephemeral_port_type;
+ attribute rpc_port_type;
+ attribute server_packet_type;
+ # This is an optimization for { port_type -reserved_port_type }
+ attribute unreserved_port_type;
+
+ attribute corenet_unconfined_type;
++attribute corenet_unlabeled_type;
+
+ type ppp_device_t;
+ dev_node(ppp_device_t)
+@@ -29,6 +32,7 @@ dev_node(ppp_device_t)
+ #
+ type tun_tap_device_t;
+ dev_node(tun_tap_device_t)
++mls_trusted_object(tun_tap_device_t)
+
+ ########################################
+ #
+@@ -38,6 +42,18 @@ dev_node(tun_tap_device_t)
+ #
+ # client_packet_t is the default type of IPv4 and IPv6 client packets.
+ #
++type intranet_packet_t;
++corenet_packet(intranet_packet_t)
++
++#
++# client_packet_t is the default type of IPv4 and IPv6 client packets.
++#
++type internet_packet_t;
++corenet_packet(internet_packet_t)
++
++#
++# client_packet_t is the default type of IPv4 and IPv6 client packets.
++#
+ type client_packet_t, packet_type, client_packet_type;
+
+ #
+@@ -46,6 +62,7 @@ type client_packet_t, packet_type, client_packet_type;
+ #
+ type netlabel_peer_t;
+ sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
++mcs_untrusted_proc(netlabel_peer_t)
+
+ #
+ # port_t is the default type of INET port numbers.
+@@ -59,6 +76,12 @@ sid port gen_context(system_u:object_r:port_t,s0)
+ type unreserved_port_t, port_type, unreserved_port_type;
+
+ #
++# ephemeral_port_t is the default type of ephemeral port numbers.
++# cat /proc/sys/net/ipv4/ip_local_port_range
++#
++type ephemeral_port_t, port_type, ephemeral_port_type;
++
++#
+ # reserved_port_t is the type of INET port numbers below 1024.
+ #
+ type reserved_port_t, port_type, reserved_port_type;
+@@ -74,30 +97,39 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+ type server_packet_t, packet_type, server_packet_type;
+
+ network_port(afs_bos, udp,7007,s0)
++network_port(afs_client, udp,7001,s0)
+ network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
+ network_port(afs_ka, udp,7004,s0)
+ network_port(afs_pt, udp,7002,s0)
+ network_port(afs_vl, udp,7003,s0)
+ network_port(agentx, udp,705,s0, tcp,705,s0)
++network_port(ajaxterm, tcp,8022,s0)
+ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+ network_port(amavisd_recv, tcp,10024,s0)
+ network_port(amavisd_send, tcp,10025,s0)
+ network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
+-network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
++network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
+ network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
++network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
+ network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
+ network_port(audit, tcp,60,s0)
+ network_port(auth, tcp,113,s0)
+ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+ network_port(boinc, tcp,31416,s0)
++network_port(boinc_client_ctrl, tcp,1043,s0)
+ network_port(biff) # no defined portcon
+ network_port(certmaster, tcp,51235,s0)
+ network_port(chronyd, udp,323,s0)
+ network_port(clamd, tcp,3310,s0)
+ network_port(clockspeed, udp,4041,s0)
+ network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
++network_port(cma, tcp,1050,s0, udp,1050,s0)
+ network_port(cobbler, tcp,25151,s0)
++network_port(commplex, tcp,5001,s0, udp,5001,s0)
+ network_port(comsat, udp,512,s0)
++network_port(condor, tcp, 9618,s0, udp, 9618,s0)
++network_port(couchdb, tcp,5984,s0, udp,5984,s0)
++network_port(ctdb, tcp,4379,s0, udp,4379,s0)
+ network_port(cvs, tcp,2401,s0, udp,2401,s0)
+ network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
+ network_port(daap, tcp,3689,s0, udp,3689,s0)
+@@ -108,14 +140,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+ network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
+ network_port(dict, tcp,2628,s0)
+ network_port(distccd, tcp,3632,s0)
++network_port(dogtag, tcp,7390,s0)
+ network_port(dns, udp,53,s0, tcp,53,s0)
++network_port(dnssec, tcp,8955,s0)
++network_port(echo, tcp,7,s0, udp,7,s0)
+ network_port(epmap, tcp,135,s0, udp,135,s0)
++network_port(epmd, tcp,4369,s0, udp,4369,s0)
++network_port(festival, tcp,1314,s0)
+ network_port(fingerd, tcp,79,s0)
++network_port(firebird, tcp,3050,s0, udp,3050,s0)
++network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
++network_port(fprot, tcp,10200,s0)
+ network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
+ network_port(ftp_data, tcp,20,s0)
+ network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
+ network_port(giftd, tcp,1213,s0)
+ network_port(git, tcp,9418,s0, udp,9418,s0)
++network_port(glance, tcp,9292,s0, udp,9292,s0)
+ network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
+ network_port(gopher, tcp,70,s0, udp,70,s0)
+ network_port(gpsd, tcp,2947,s0)
+@@ -123,104 +164,139 @@ network_port(hadoop_datanode, tcp,50010,s0)
+ network_port(hadoop_namenode, tcp,8020,s0)
+ network_port(hddtemp, tcp,7634,s0)
+ network_port(howl, tcp,5335,s0, udp,5353,s0)
+-network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
++network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
++network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port
++network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
+ network_port(i18n_input, tcp,9010,s0)
+ network_port(imaze, tcp,5323,s0, udp,5323,s0)
+-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
++network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+ network_port(innd, tcp,119,s0)
++network_port(interwise, tcp,7778,s0, udp,7778,s0)
++network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
+ network_port(ipmi, udp,623,s0, udp,664,s0)
+ network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
+ network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
+-network_port(ircd, tcp,6667,s0)
++network_port(ircd, tcp,6667,s0, tcp,6697,s0)
+ network_port(isakmp, udp,500,s0)
+ network_port(iscsi, tcp,3260,s0)
+ network_port(isns, tcp,3205,s0, udp,3205,s0)
+ network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
+ network_port(jabber_interserver, tcp,5269,s0)
+-network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
+-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
+-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+-network_port(kismet, tcp,2501,s0)
++network_port(jabber_router, tcp,5347,s0)
++network_port(jacorb, tcp,3528,s0, tcp,3529,s0)
++network_port(jboss_debug, tcp,8787,s0)
++network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0)
++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,4447,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0)
++network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
++network_port(kerberos_admin, tcp,749,s0)
++network_port(kerberos_password, tcp,464,s0, udp,464,s0)
++network_port(keystone, tcp,5000,s0, udp,5000,s0, tcp, 35357,s0, udp, 35357,s0)
++network_port(rtsclient, tcp,2501,s0)
+ network_port(kprop, tcp,754,s0)
+ network_port(ktalkd, udp,517,s0, udp,518,s0)
+-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
++network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0)
+ network_port(lirc, tcp,8765,s0)
++network_port(luci, tcp,8084,s0)
+ network_port(lmtp, tcp,24,s0, udp,24,s0)
+ network_port(lrrd) # no defined portcon
++network_port(l2tp, tcp,1701,s0, udp,1701,s0)
+ network_port(mail, tcp,2000,s0, tcp,3905,s0)
+ network_port(matahari, tcp,49000,s0, udp,49000,s0)
+ network_port(memcache, tcp,11211,s0, udp,11211,s0)
+ network_port(milter) # no defined portcon
+ network_port(mmcc, tcp,5050,s0, udp,5050,s0)
++network_port(mongod, tcp,27017,s0)
+ network_port(monopd, tcp,1234,s0)
++network_port(movaz_ssc, tcp,5252,s0)
+ network_port(mpd, tcp,6600,s0)
+ network_port(msnp, tcp,1863,s0, udp,1863,s0)
+ network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
+ network_port(munin, tcp,4949,s0, udp,4949,s0)
++network_port(mxi, tcp,8005, s0, udp, 8005,s0)
+ network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
+ network_port(mysqlmanagerd, tcp,2273,s0)
+ network_port(nessus, tcp,1241,s0)
+ network_port(netport, tcp,3129,s0, udp,3129,s0)
+ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
++network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)
+ network_port(nmbd, udp,137,s0, udp,138,s0)
++network_port(nodejs_debug, tcp,5858,s0, udp,5858,s0)
+ network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
+ network_port(ntp, udp,123,s0)
+-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
+ network_port(ocsp, tcp,9080,s0)
+ network_port(openvpn, tcp,1194,s0, udp,1194,s0)
++network_port(openhpid, tcp,4743,s0, udp,4743,s0)
++network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)
+ network_port(pegasus_http, tcp,5988,s0)
+ network_port(pegasus_https, tcp,5989,s0)
+ network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
+ network_port(pingd, tcp,9125,s0)
++network_port(piranha, tcp,3636,s0)
++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
++network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0)
++network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0)
++network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0)
++network_port(pki_ra, tcp,12888-12889,s0)
++network_port(pki_tps, tcp,7888-7889,s0)
+ network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
+ network_port(portmap, udp,111,s0, tcp,111,s0)
+ network_port(postfix_policyd, tcp,10031,s0)
+ network_port(postgresql, tcp,5432,s0)
+ network_port(postgrey, tcp,60000,s0)
++network_port(pptp, tcp, 1723,s0, udp, 1723, s0)
+ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+ network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
+ network_port(printer, tcp,515,s0)
+ network_port(ptal, tcp,5703,s0)
+-network_port(pulseaudio, tcp,4713,s0)
++network_port(pulseaudio, tcp,4713,s0, udp,4713,s0)
+ network_port(puppet, tcp, 8140, s0)
+ network_port(pxe, udp,4011,s0)
+ network_port(pyzor, udp,24441,s0)
++network_port(quantum, tcp,9696,s0)
+ network_port(radacct, udp,1646,s0, udp,1813,s0)
+ network_port(radius, udp,1645,s0, udp,1812,s0)
+ network_port(radsec, tcp,2083,s0)
+ network_port(razor, tcp,2703,s0)
++network_port(time, tcp,37,s0, udp,37,s0)
+ network_port(repository, tcp, 6363, s0)
+ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+ network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
+ network_port(rlogind, tcp,513,s0)
+-network_port(rndc, tcp,953,s0)
+-network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
++network_port(rndc, tcp,953,s0, tcp,8953,s0)
++network_port(router, udp,520-521,s0, tcp,521,s0)
+ network_port(rsh, tcp,514,s0)
+ network_port(rsync, tcp,873,s0, udp,873,s0)
+ network_port(rwho, udp,513,s0)
+ network_port(sap, tcp,9875,s0, udp,9875,s0)
++network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0)
++network_port(sametime, tcp,1533,s0, udp,1533,s0)
+ network_port(sieve, tcp,4190,s0)
+ network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
+ network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
+ network_port(smbd, tcp,137-139,s0, tcp,445,s0)
+ network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
+-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
+-network_port(socks) # no defined portcon
++network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0)
++type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
+ network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
+-network_port(spamd, tcp,783,s0)
++network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0)
+ network_port(speech, tcp,8036,s0)
+-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
++network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
++network_port(ssdp, tcp,1900,s0, udp, 1900, s0)
+ network_port(ssh, tcp,22,s0)
++network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0)
++network_port(svn, tcp,3690,s0, udp,3690,s0)
+ network_port(stunnel) # no defined portcon
+ network_port(swat, tcp,901,s0)
+-network_port(syslogd, udp,514,s0)
++network_port(sype, tcp,9911,s0, udp,9911,s0)
++network_port(syslogd, udp,514,s0, tcp,6514,s0, udp,6514,s0)
+ network_port(tcs, tcp, 30003, s0)
+ network_port(telnetd, tcp,23,s0)
+ network_port(tftp, udp,69,s0)
+-network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
++network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9051,s0)
++network_port(tor_socks, tcp,9050,s0)
+ network_port(traceroute, udp,64000-64010,s0)
++network_port(tram, tcp, 4567, s0)
+ network_port(transproxy, tcp,8081,s0)
+ network_port(ups, tcp,3493,s0)
+ network_port(utcpserver) # no defined portcon
+@@ -228,9 +304,12 @@ network_port(uucpd, tcp,540,s0)
+ network_port(varnishd, tcp,6081-6082,s0)
+ network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
+ network_port(virt_migration, tcp,49152-49216,s0)
+-network_port(vnc, tcp,5900,s0)
++network_port(vnc, tcp,5900-5983,s0, tcp,5985-5999,s0)
+ network_port(wccp, udp,2048,s0)
++network_port(websm, tcp,9090,s0, udp,9090,s0)
+ network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
++network_port(winshadow, tcp, 3261, s0, udp, 3261,s0)
++network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0)
+ network_port(xdmcp, udp,177,s0, tcp,177,s0)
+ network_port(xen, tcp,8002,s0)
+ network_port(xfs, tcp,7100,s0)
+@@ -242,17 +321,22 @@ network_port(zookeeper_client, tcp,2181,s0)
+ network_port(zookeeper_election, tcp,3888,s0)
+ network_port(zookeeper_leader, tcp,2888,s0)
+ network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
++network_port(zented, tcp,1229,s0, udp,1229,s0)
+ network_port(zope, tcp,8021,s0)
+
+ # Defaults for reserved ports. Earlier portcon entries take precedence;
+ # these entries just cover any remaining reserved ports not otherwise declared.
+
+-portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+-portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+ portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+ portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+ portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
++portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
++portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
++portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+
+ ########################################
+ #
+@@ -297,9 +381,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+ allow corenet_unconfined_type node_type:node *;
+ allow corenet_unconfined_type netif_type:netif *;
+ allow corenet_unconfined_type packet_type:packet *;
++allow corenet_unconfined_type port_type:dccp_socket { send_msg recv_msg name_connect };
+ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
+ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
+
+ # Bind to any network address.
+-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
+-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
++allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind;
++allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind;
++
++#
++# Rules coverning the use of unlabeled types
++#
++kernel_dccp_recvfrom_unlabeled(corenet_unlabeled_type)
++kernel_tcp_recvfrom_unlabeled(corenet_unlabeled_type)
++kernel_udp_recvfrom_unlabeled(corenet_unlabeled_type)
++kernel_raw_recvfrom_unlabeled(corenet_unlabeled_type)
++kernel_recvfrom_unlabeled_peer(corenet_unlabeled_type)
++
++allow netlabel_peer_type netlabel_peer_t:peer recv;
++allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
++allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress };
++allow netlabel_peer_t node_t:node recvfrom;
+diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
+index 3f6e168..51ad69a 100644
+--- a/policy/modules/kernel/corenetwork.te.m4
++++ b/policy/modules/kernel/corenetwork.te.m4
+@@ -86,6 +86,11 @@ define(`add_port_attribute',`dnl
+ ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;')
+ ')
+
++define(`add_ephemeral_attribute',`dnl
++ifelse(eval(range_start($3) >= 32768 && range_start($3) < 61001),1,`typeattribute $1 ephemeral_port_type;
++',`ifelse(`$5',`',`',`add_ephemeral_attribute($1,shiftn(4,$*))')')dnl
++')
++
+ # bindresvport in glibc starts searching for reserved ports at 512
+ define(`add_rpc_attribute',`dnl
+ ifelse(eval(range_start($3) >= 512 && range_start($3) < 1024),1,`typeattribute $1 rpc_port_type;
+@@ -101,6 +106,7 @@ type $1_client_packet_t, packet_type, client_packet_type;
+ type $1_server_packet_t, packet_type, server_packet_type;
+ ifelse(`$2',`',`',`add_port_attribute($1_port_t,$3)')dnl
+ ifelse(`$2',`',`',`add_rpc_attribute($1_port_t,shift($*))')dnl
++ifelse(`$2',`',`',`add_ephemeral_attribute($1_port_t,shift($*))')dnl
+ ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl
+ ')
+
+diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
+index 02b7ac1..b30f7b8 100644
+--- a/policy/modules/kernel/devices.fc
++++ b/policy/modules/kernel/devices.fc
+@@ -15,14 +15,17 @@
+ /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
++/dev/bsr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
+ /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
+ /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+-/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
++/dev/dmfm.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/ecryptfs -c gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh)
+ /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+@@ -57,8 +60,11 @@
+ /dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
+ /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
+ /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
++/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0)
+ /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+@@ -125,13 +131,15 @@ ifdef(`distro_suse', `
+ /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+-/dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
++/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
++/dev/cdc-wdm[0-1] -c gen_context(system_u:object_r:modem_device_t,s0)
+ /dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
+ /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
+
+ /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+
++/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
+
+@@ -195,12 +203,22 @@ ifdef(`distro_debian',`
+ /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+ /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
+
+-/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
+-
+ ifdef(`distro_redhat',`
+ # originally from named.fc
+ /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
+ /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
+ /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
+ /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
++/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0)
+ ')
++
++#
++# /sys
++#
++/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
++/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
++
++/usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
++/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
++/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
++/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
+diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
+index d820975..a8b5aa9 100644
+--- a/policy/modules/kernel/devices.if
++++ b/policy/modules/kernel/devices.if
+@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
+ type device_t;
+ ')
+
+- relabelfrom_dirs_pattern($1, device_t, device_node)
+- relabelfrom_files_pattern($1, device_t, device_node)
+- relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
+- relabelfrom_fifo_files_pattern($1, device_t, device_node)
+- relabelfrom_sock_files_pattern($1, device_t, device_node)
+- relabel_blk_files_pattern($1, device_t, { device_t device_node })
+- relabel_chr_files_pattern($1, device_t, { device_t device_node })
++ relabel_dirs_pattern($1, device_t, device_node)
++ relabel_files_pattern($1, device_t, device_node)
++ relabel_lnk_files_pattern($1, device_t, device_node)
++ relabel_fifo_files_pattern($1, device_t, device_node)
++ relabel_sock_files_pattern($1, device_t, device_node)
++ relabel_blk_files_pattern($1, device_t, device_node)
++ relabel_chr_files_pattern($1, device_t, device_node)
++')
++
++########################################
++##
++## Allow full relabeling (to and from) of all device files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`dev_relabel_all_dev_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ relabel_files_pattern($1, device_t, device_t)
+ ')
+
+ ########################################
+@@ -209,6 +228,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
+
+ ########################################
+ ##
++## Dontaudit attempts to list all device nodes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_all_access_check',`
++ gen_require(`
++ attribute device_node;
++ ')
++
++ dontaudit $1 device_node:file_class_set audit_access;
++')
++
++########################################
++##
+ ## Add entries to directories in /dev.
+ ##
+ ##
+@@ -352,6 +389,24 @@ interface(`dev_read_generic_files',`
+ read_files_pattern($1, device_t, device_t)
+ ')
+
++#######################################
++##
++## Read generic files in /dev.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_read_generic_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ dontaudit $1 device_t:file { read getattr };
++')
++
+ ########################################
+ ##
+ ## Read and write generic files in /dev.
+@@ -462,6 +517,42 @@ interface(`dev_getattr_generic_blk_files',`
+
+ ########################################
+ ##
++## Rename generic block device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rename_generic_blk_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ rename_blk_files_pattern($1, device_t, device_t)
++')
++
++########################################
++##
++## write generic sock files in /dev.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_write_generic_sock_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ write_sock_files_pattern($1, device_t, device_t)
++')
++
++########################################
++##
+ ## Dontaudit getattr on generic block devices.
+ ##
+ ##
+@@ -570,6 +661,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',`
+
+ ########################################
+ ##
++## Rename generic character device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rename_generic_chr_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ rename_chr_files_pattern($1, device_t, device_t)
++')
++
++########################################
++##
+ ## Dontaudit setattr for generic character device files.
+ ##
+ ##
+@@ -646,7 +755,7 @@ interface(`dev_rw_generic_blk_files',`
+ ##
+ ##
+ ##
+-## Domain to dontaudit access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -733,7 +842,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
+
+ ########################################
+ ##
+-## Read symbolic links in device directories.
++## Create symbolic links in device directories.
+ ##
+ ##
+ ##
+@@ -741,17 +850,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
+ ##
+ ##
+ #
+-interface(`dev_read_generic_symlinks',`
++interface(`dev_create_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+- allow $1 device_t:lnk_file read_lnk_file_perms;
++ create_lnk_files_pattern($1, device_t, device_t)
+ ')
+
+ ########################################
+ ##
+-## Create symbolic links in device directories.
++## Delete symbolic links in device directories.
+ ##
+ ##
+ ##
+@@ -759,17 +868,17 @@ interface(`dev_read_generic_symlinks',`
+ ##
+ ##
+ #
+-interface(`dev_create_generic_symlinks',`
++interface(`dev_delete_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+- create_lnk_files_pattern($1, device_t, device_t)
++ delete_lnk_files_pattern($1, device_t, device_t)
+ ')
+
+ ########################################
+ ##
+-## Delete symbolic links in device directories.
++## Read symbolic links in device directories.
+ ##
+ ##
+ ##
+@@ -777,12 +886,12 @@ interface(`dev_create_generic_symlinks',`
+ ##
+ ##
+ #
+-interface(`dev_delete_generic_symlinks',`
++interface(`dev_read_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ ')
+
+- delete_lnk_files_pattern($1, device_t, device_t)
++ allow $1 device_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -1003,6 +1112,26 @@ interface(`dev_getattr_all_blk_files',`
+
+ ########################################
+ ##
++## Read on all block file device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`dev_read_all_blk_files',`
++ gen_require(`
++ attribute device_node;
++ type device_t;
++ ')
++
++ read_blk_files_pattern($1, device_t, device_node)
++')
++
++########################################
++##
+ ## Dontaudit getattr on all block file device nodes.
+ ##
+ ##
+@@ -1034,6 +1163,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
+ interface(`dev_getattr_all_chr_files',`
+ gen_require(`
+ attribute device_node;
++ type device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, device_node)
+@@ -1206,6 +1336,42 @@ interface(`dev_create_all_chr_files',`
+
+ ########################################
+ ##
++## rw all inherited character device files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_all_inherited_chr_files',`
++ gen_require(`
++ attribute device_node;
++ ')
++
++ allow $1 device_node:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## rw all inherited blk device files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_all_inherited_blk_files',`
++ gen_require(`
++ attribute device_node;
++ ')
++
++ allow $1 device_node:blk_file rw_inherited_blk_file_perms;
++')
++
++########################################
++##
+ ## Delete all block device files.
+ ##
+ ##
+@@ -1663,6 +1829,26 @@ interface(`dev_filetrans_cardmgr',`
+
+ ########################################
+ ##
++## Automatic type transition to the type
++## for xserver misc device nodes when
++## created in /dev.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_filetrans_xserver_misc',`
++ gen_require(`
++ type device_t, xserver_misc_device_t;
++ ')
++
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )
++')
++
++########################################
++##
+ ## Get the attributes of the CPU
+ ## microcode and id interfaces.
+ ##
+@@ -1772,6 +1958,24 @@ interface(`dev_rw_crypto',`
+ rw_chr_files_pattern($1, device_t, crypt_device_t)
+ ')
+
++########################################
++##
++## Read and write the the ecrypt filesystem device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_ecryptfs',`
++ gen_require(`
++ type device_t, ecryptfs_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, ecryptfs_device_t)
++')
++
+ #######################################
+ ##
+ ## Set the attributes of the dlm control devices.
+@@ -2383,7 +2587,7 @@ interface(`dev_filetrans_lirc',`
+
+ ########################################
+ ##
+-## Get the attributes of the lvm comtrol device.
++## Get the attributes of the loop comtrol device.
+ ##
+ ##
+ ##
+@@ -2391,17 +2595,17 @@ interface(`dev_filetrans_lirc',`
+ ##
+ ##
+ #
+-interface(`dev_getattr_lvm_control',`
++interface(`dev_getattr_loop_control',`
+ gen_require(`
+- type device_t, lvm_control_t;
++ type device_t, loop_control_device_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, lvm_control_t)
++ getattr_chr_files_pattern($1, device_t, loop_control_device_t)
+ ')
+
+ ########################################
+ ##
+-## Read the lvm comtrol device.
++## Read the loop comtrol device.
+ ##
+ ##
+ ##
+@@ -2409,17 +2613,17 @@ interface(`dev_getattr_lvm_control',`
+ ##
+ ##
+ #
+-interface(`dev_read_lvm_control',`
++interface(`dev_read_loop_control',`
+ gen_require(`
+- type device_t, lvm_control_t;
++ type device_t, loop_control_device_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, lvm_control_t)
++ read_chr_files_pattern($1, device_t, loop_control_device_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write the lvm control device.
++## Read and write the loop control device.
+ ##
+ ##
+ ##
+@@ -2427,17 +2631,17 @@ interface(`dev_read_lvm_control',`
+ ##
+ ##
+ #
+-interface(`dev_rw_lvm_control',`
++interface(`dev_rw_loop_control',`
+ gen_require(`
+- type device_t, lvm_control_t;
++ type device_t, loop_control_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, lvm_control_t)
++ rw_chr_files_pattern($1, device_t, loop_control_device_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read and write lvm control device.
++## Do not audit attempts to read and write loop control device.
+ ##
+ ##
+ ##
+@@ -2445,17 +2649,17 @@ interface(`dev_rw_lvm_control',`
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_rw_lvm_control',`
++interface(`dev_dontaudit_rw_loop_control',`
+ gen_require(`
+- type lvm_control_t;
++ type loop_control_device_t;
+ ')
+
+- dontaudit $1 lvm_control_t:chr_file rw_file_perms;
++ dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete the lvm control device.
++## Delete the loop control device.
+ ##
+ ##
+ ##
+@@ -2463,35 +2667,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
+ ##
+ ##
+ #
+-interface(`dev_delete_lvm_control_dev',`
++interface(`dev_delete_loop_control_dev',`
+ gen_require(`
+- type device_t, lvm_control_t;
++ type device_t, loop_control_device_t;
+ ')
+
+- delete_chr_files_pattern($1, device_t, lvm_control_t)
++ delete_chr_files_pattern($1, device_t, loop_control_device_t)
+ ')
+
+ ########################################
+ ##
+-## dontaudit getattr raw memory devices (e.g. /dev/mem).
++## Get the attributes of the loop comtrol device.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_getattr_memory_dev',`
++interface(`dev_getattr_lvm_control',`
+ gen_require(`
+- type memory_device_t;
++ type device_t, lvm_control_t;
+ ')
+
+- dontaudit $1 memory_device_t:chr_file getattr;
++ getattr_chr_files_pattern($1, device_t, lvm_control_t)
+ ')
+
+ ########################################
+ ##
+-## Read raw memory devices (e.g. /dev/mem).
++## Read the lvm comtrol device.
+ ##
+ ##
+ ##
+@@ -2499,62 +2703,53 @@ interface(`dev_dontaudit_getattr_memory_dev',`
+ ##
+ ##
+ #
+-interface(`dev_read_raw_memory',`
++interface(`dev_read_lvm_control',`
+ gen_require(`
+- type device_t, memory_device_t;
+- attribute memory_raw_read;
++ type device_t, lvm_control_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, memory_device_t)
+-
+- allow $1 self:capability sys_rawio;
+- typeattribute $1 memory_raw_read;
++ read_chr_files_pattern($1, device_t, lvm_control_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read raw memory devices
+-## (e.g. /dev/mem).
++## Read and write the lvm control device.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_read_raw_memory',`
++interface(`dev_rw_lvm_control',`
+ gen_require(`
+- type memory_device_t;
++ type device_t, lvm_control_t;
+ ')
+
+- dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
++ rw_chr_files_pattern($1, device_t, lvm_control_t)
+ ')
+
+ ########################################
+ ##
+-## Write raw memory devices (e.g. /dev/mem).
++## Do not audit attempts to read and write lvm control device.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_write_raw_memory',`
++interface(`dev_dontaudit_rw_lvm_control',`
+ gen_require(`
+- type device_t, memory_device_t;
+- attribute memory_raw_write;
++ type lvm_control_t;
+ ')
+
+- write_chr_files_pattern($1, device_t, memory_device_t)
+-
+- allow $1 self:capability sys_rawio;
+- typeattribute $1 memory_raw_write;
++ dontaudit $1 lvm_control_t:chr_file rw_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Read and execute raw memory devices (e.g. /dev/mem).
++## Delete the lvm control device.
+ ##
+ ##
+ ##
+@@ -2562,7 +2757,106 @@ interface(`dev_write_raw_memory',`
+ ##
+ ##
+ #
+-interface(`dev_rx_raw_memory',`
++interface(`dev_delete_lvm_control_dev',`
++ gen_require(`
++ type device_t, lvm_control_t;
++ ')
++
++ delete_chr_files_pattern($1, device_t, lvm_control_t)
++')
++
++########################################
++##
++## dontaudit getattr raw memory devices (e.g. /dev/mem).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_getattr_memory_dev',`
++ gen_require(`
++ type memory_device_t;
++ ')
++
++ dontaudit $1 memory_device_t:chr_file getattr;
++')
++
++########################################
++##
++## Read raw memory devices (e.g. /dev/mem).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_raw_memory',`
++ gen_require(`
++ type device_t, memory_device_t;
++ attribute memory_raw_read;
++ ')
++
++ read_chr_files_pattern($1, device_t, memory_device_t)
++
++ allow $1 self:capability sys_rawio;
++ typeattribute $1 memory_raw_read;
++')
++
++########################################
++##
++## Do not audit attempts to read raw memory devices
++## (e.g. /dev/mem).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_read_raw_memory',`
++ gen_require(`
++ type memory_device_t;
++ ')
++
++ dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
++')
++
++########################################
++##
++## Write raw memory devices (e.g. /dev/mem).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_write_raw_memory',`
++ gen_require(`
++ type device_t, memory_device_t;
++ attribute memory_raw_write;
++ ')
++
++ write_chr_files_pattern($1, device_t, memory_device_t)
++
++ allow $1 self:capability sys_rawio;
++ typeattribute $1 memory_raw_write;
++')
++
++########################################
++##
++## Read and execute raw memory devices (e.g. /dev/mem).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rx_raw_memory',`
+ gen_require(`
+ type device_t, memory_device_t;
+ ')
+@@ -2706,7 +3000,7 @@ interface(`dev_write_misc',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -2956,8 +3250,8 @@ interface(`dev_dontaudit_write_mtrr',`
+ type mtrr_device_t;
+ ')
+
+- dontaudit $1 mtrr_device_t:file write;
+- dontaudit $1 mtrr_device_t:chr_file write;
++ dontaudit $1 mtrr_device_t:file write_file_perms;
++ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
+ ')
+
+ ########################################
+@@ -3125,6 +3419,42 @@ interface(`dev_create_null_dev',`
+
+ ########################################
+ ##
++## Get the status of a null device service.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_service_status_null_dev',`
++ gen_require(`
++ type null_device_t;
++ ')
++
++ allow $1 null_device_t:service status;
++')
++
++########################################
++##
++## Configure null_device as a unit files.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`dev_config_null_dev_service',`
++ gen_require(`
++ type null_device_t;
++ ')
++
++ allow $1 null_device_t:service manage_service_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to get the attributes
+ ## of the BIOS non-volatile RAM device.
+ ##
+@@ -3235,7 +3565,25 @@ interface(`dev_rw_printer',`
+
+ ########################################
+ ##
+-## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
++## Relabel the printer device node.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_relabel_printer',`
++ gen_require(`
++ type printer_device_t;
++ ')
++
++ allow $1 printer_device_t:chr_file relabel_chr_file_perms;
++')
++
++########################################
++##
++## Read and write the printer device.
+ ##
+ ##
+ ##
+@@ -3243,12 +3591,13 @@ interface(`dev_rw_printer',`
+ ##
+ ##
+ #
+-interface(`dev_read_printk',`
++interface(`dev_manage_printer',`
+ gen_require(`
+- type device_t, printk_device_t;
++ type device_t, printer_device_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, printk_device_t)
++ manage_chr_files_pattern($1, device_t, printer_device_t)
++ dev_filetrans_printer_named_dev($1)
+ ')
+
+ ########################################
+@@ -3836,6 +4185,42 @@ interface(`dev_getattr_sysfs_dirs',`
+
+ ########################################
+ ##
++## Set the attributes of sysfs directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_sysfs_dirs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ allow $1 sysfs_t:dir setattr_dir_perms;
++')
++
++########################################
++##
++## Get attributes of sysfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_sysfs_fs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ allow $1 sysfs_t:filesystem getattr;
++')
++
++########################################
++##
+ ## Search the sysfs directories.
+ ##
+ ##
+@@ -3885,6 +4270,7 @@ interface(`dev_list_sysfs',`
+ type sysfs_t;
+ ')
+
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+ list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+@@ -3927,23 +4313,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+
+ ########################################
+ ##
+-## Create, read, write, and delete sysfs
+-## directories.
++## Read cpu online hardware state information.
+ ##
++##
++##
++## Allow the specified domain to read /sys/devices/system/cpu/online file.
++##
++##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_manage_sysfs_dirs',`
++interface(`dev_read_cpu_online',`
+ gen_require(`
++ type cpu_online_t;
++ ')
++
++ dev_search_sysfs($1)
++ read_files_pattern($1, cpu_online_t, cpu_online_t)
++')
++
++########################################
++##
++## Relabel cpu online hardware state information.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_relabel_cpu_online',`
++ gen_require(`
++ type cpu_online_t;
+ type sysfs_t;
+ ')
+
+- manage_dirs_pattern($1, sysfs_t, sysfs_t)
++ dev_search_sysfs($1)
++ allow $1 cpu_online_t:file relabel_file_perms;
+ ')
+
++
+ ########################################
+ ##
+ ## Read hardware state information.
+@@ -3997,6 +4409,62 @@ interface(`dev_rw_sysfs',`
+
+ ########################################
+ ##
++## Relabel hardware state directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_relabel_sysfs_dirs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
++## Relabel hardware state files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_relabel_all_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ relabel_files_pattern($1, sysfs_t, sysfs_t)
++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
++## Allow caller to modify hardware state information.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_manage_sysfs_dirs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ manage_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
+ ## Read and write the TPM device.
+ ##
+ ##
+@@ -4094,6 +4562,25 @@ interface(`dev_write_urand',`
+
+ ########################################
+ ##
++## Do not audit attempts to write to pseudo
++## random devices (e.g., /dev/urandom)
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_write_urand',`
++ gen_require(`
++ type urandom_device_t;
++ ')
++
++ dontaudit $1 urandom_device_t:chr_file write;
++')
++
++########################################
++##
+ ## Getattr generic the USB devices.
+ ##
+ ##
+@@ -4128,6 +4615,24 @@ interface(`dev_setattr_generic_usb_dev',`
+ setattr_chr_files_pattern($1, device_t, usb_device_t)
+ ')
+
++######################################
++##
++## Allow relabeling (to and from) of generic usb device
++##
++##
++##
++## Domain allowed to relabel.
++##
++##
++#
++interface(`dev_relabel_generic_usb_dev',`
++ gen_require(`
++ type usb_device_t;
++ ')
++
++ relabel_dirs_pattern($1, usb_device_t, usb_device_t)
++')
++
+ ########################################
+ ##
+ ## Read generic the USB devices.
+@@ -4520,6 +5025,24 @@ interface(`dev_rw_vhost',`
+
+ ########################################
+ ##
++## Allow read/write inheretid the vhost net device
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_inherited_vhost',`
++ gen_require(`
++ type device_t, vhost_device_t;
++ ')
++
++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
+ ## Read and write VMWare devices.
+ ##
+ ##
+@@ -4725,6 +5248,26 @@ interface(`dev_rw_xserver_misc',`
+
+ ########################################
+ ##
++## Read and write X server miscellaneous devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_manage_xserver_misc',`
++ gen_require(`
++ type device_t, xserver_misc_device_t;
++ ')
++
++ manage_chr_files_pattern($1, device_t, xserver_misc_device_t)
++
++ dev_filetrans_xserver_named_dev($1)
++')
++
++########################################
++##
+ ## Read and write to the zero device (/dev/zero).
+ ##
+ ##
+@@ -4814,3 +5357,917 @@ interface(`dev_unconfined',`
+
+ typeattribute $1 devices_unconfined_type;
+ ')
++
++########################################
++##
++## Dontaudit getattr on all device nodes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_getattr_all',`
++ gen_require(`
++ attribute device_node;
++ type device_t;
++ ')
++
++ dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
++')
++
++########################################
++##
++## Get the attributes of the mei devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_mei',`
++ gen_require(`
++ type device_t, mei_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, mei_device_t)
++')
++
++########################################
++##
++## Read the mei devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_mei',`
++ gen_require(`
++ type device_t, mei_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, mei_device_t)
++')
++
++########################################
++##
++## Read and write to mei devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_mei',`
++ gen_require(`
++ type device_t, mei_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, mei_device_t)
++')
++
++########################################
++##
++## Create all named devices with the correct label
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_filetrans_printer_named_dev',`
++
++ gen_require(`
++ type printer_device_t;
++
++ ')
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
++')
++
++########################################
++##
++## Create all named devices with the correct label
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_filetrans_all_named_dev',`
++
++gen_require(`
++ type device_t;
++ type usb_device_t;
++ type sound_device_t;
++ type apm_bios_t;
++ type mouse_device_t;
++ type autofs_device_t;
++ type lvm_control_t;
++ type crash_device_t;
++ type dlm_control_device_t;
++ type clock_device_t;
++ type v4l_device_t;
++ type event_device_t;
++ type xen_device_t;
++ type framebuf_device_t;
++ type null_device_t;
++ type random_device_t;
++ type dri_device_t;
++ type ipmi_device_t;
++ type memory_device_t;
++ type kmsg_device_t;
++ type qemu_device_t;
++ type ksm_device_t;
++ type kvm_device_t;
++ type lirc_device_t;
++ type cpu_device_t;
++ type scanner_device_t;
++ type modem_device_t;
++ type vhost_device_t;
++ type netcontrol_device_t;
++ type nvram_device_t;
++ type power_device_t;
++ type wireless_device_t;
++ type tpm_device_t;
++ type userio_device_t;
++ type urandom_device_t;
++ type usbmon_device_t;
++ type vmware_device_t;
++ type watchdog_device_t;
++ type crypt_device_t;
++ type zero_device_t;
++ type smartcard_device_t;
++ type mtrr_device_t;
++ type ecryptfs_device_t;
++')
++
++ dev_filetrans_printer_named_dev($1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer9")
++ filetrans_pattern($1, device_t, apm_bios_t, chr_file, "apm_bios")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "atibm")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9")
++ filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs1")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs3")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs4")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs5")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs6")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs7")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs8")
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep")
++ filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control")
++ filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm2")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm3")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm4")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm5")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm6")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm7")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm8")
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmfm")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83003")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83004")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83005")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83006")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event0")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event1")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event2")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event3")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event4")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event5")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event6")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event7")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event8")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event9")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event10")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event11")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event12")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event13")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event14")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event15")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event16")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event17")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event20")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb2")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb3")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb4")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb5")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb6")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8")
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9")
++ filetrans_pattern($1, device_t, null_device_t, chr_file, "full")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw2")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw3")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw4")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw5")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw6")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw7")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw8")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw9")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "000")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "001")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "002")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "003")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "004")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "005")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "006")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "007")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "008")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "009")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "010")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "011")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "012")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "013")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "014")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "015")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "016")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "017")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "018")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "019")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "020")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "021")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "022")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "023")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "024")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "025")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "026")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "027")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "028")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "029")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc3")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc4")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc5")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc6")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc7")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc8")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "hfmodem")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev0")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev1")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev2")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev3")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev4")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev5")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev6")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev7")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev8")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev9")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw0")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw1")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw2")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw3")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw4")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw5")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw6")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw7")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw8")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw9")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "hpet")
++ filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random")
++ filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng")
++ filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi2")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi3")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi4")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi5")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi6")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8")
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js2")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js3")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js4")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js5")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js6")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js7")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js8")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js9")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse0")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse1")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse2")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse3")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse4")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse5")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse6")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse7")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse8")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse9")
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "kmem")
++ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "kmsg")
++ filetrans_pattern($1, device_t, qemu_device_t, chr_file, "kqemu")
++ filetrans_pattern($1, device_t, ksm_device_t, chr_file, "ksm")
++ filetrans_pattern($1, device_t, kvm_device_t, chr_file, "kvm")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik0")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik1")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik2")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik3")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik4")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik5")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik6")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik7")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik8")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik9")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc0")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc1")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc2")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc3")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc4")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc5")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc6")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc7")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc8")
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm")
++ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog")
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem")
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4013")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4014")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4015")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4016")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4017")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4018")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4019")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr0")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr1")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr2")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr3")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr4")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr5")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr6")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr7")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr8")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr9")
++ filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost")
++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_latency")
++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_throughput")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz0")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz1")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz2")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz3")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz4")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz5")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz6")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz7")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9")
++ filetrans_pattern($1, device_t, null_device_t, chr_file, "null")
++ filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram")
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock2")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock3")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock4")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock5")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock6")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock7")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock8")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock9")
++ filetrans_pattern($1, device_t, power_device_t, chr_file, "pmu")
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "port")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps0")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps1")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps2")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps3")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps4")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps5")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps6")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps7")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps8")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi9")
++ filetrans_pattern($1, device_t, dri_device_t, chr_file, "radeon")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio3")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio4")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio5")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio6")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio8")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio9")
++ filetrans_pattern($1, device_t, random_device_t, chr_file, "random")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13940")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13941")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13942")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13943")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13944")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13945")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13946")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm0")
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm1")
++ filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte9")
++ filetrans_pattern($1, device_t, power_device_t, chr_file, "smu")
++ filetrans_pattern($1, device_t, apm_bios_t, chr_file, "snapshot")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sndstat")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "sonypi")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm0")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm1")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm2")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm3")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm4")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm5")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm6")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm7")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm8")
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm9")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "uinput")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio0")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio1")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio2")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio3")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio4")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio5")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio6")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio7")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio8")
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio9")
++ filetrans_pattern($1, device_t, urandom_device_t, chr_file, "urandom")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb0")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb1")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb2")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb3")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb4")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb5")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon3")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon4")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon5")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon6")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon7")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon8")
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon9")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "usbscanner")
++ filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-net")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi3")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi4")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi5")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi6")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet2")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet3")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet4")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet5")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet6")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8")
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video3")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video4")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video5")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video6")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video8")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video9")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "vrtpanel")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vttuner")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx3")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx4")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx5")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx6")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx8")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx9")
++ filetrans_pattern($1, device_t, watchdog_device_t, chr_file, "watchdog")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio3")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio4")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio5")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio6")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio8")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9")
++ filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt")
++ filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx3")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx4")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx5")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx6")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx7")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx8")
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx9")
++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "cpu_dma_latency")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu0")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu1")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu2")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu3")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu4")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu5")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu6")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu7")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu8")
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu9")
++ filetrans_pattern($1, device_t, mtrr_device_t, chr_file, "mtrr")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor0")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor1")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor2")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor3")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor4")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor5")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor6")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor7")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor8")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor9")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m0")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m1")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m2")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m3")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m4")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m5")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m6")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m7")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m8")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m9")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard0")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard1")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard2")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard3")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard4")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard5")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard6")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard7")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard8")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard9")
++ filetrans_pattern($1, device_t, lvm_control_t, chr_file, "control")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "ucb1x00")
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mk712")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx0")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx1")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx2")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx3")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx4")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx5")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx6")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx7")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx8")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx9")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8000")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8001")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8002")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8003")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8004")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8005")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8006")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8007")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8008")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8009")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner0")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner1")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner2")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner3")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner4")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner5")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner6")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner7")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner8")
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner9")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap0")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap1")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap2")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap3")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap4")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap5")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap6")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap7")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap8")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk3")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb")
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
++ dev_filetrans_xserver_named_dev($1)
++')
++
++########################################
++##
++## Create all named devices with the correct label
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_filetrans_xserver_named_dev',`
++
++ gen_require(`
++ type xserver_misc_device_t;
++ ')
++
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
++')
+diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
+index 06eda45..ed26516 100644
+--- a/policy/modules/kernel/devices.te
++++ b/policy/modules/kernel/devices.te
+@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
+ #
+ type device_t;
+ fs_associate_tmpfs(device_t)
+-files_type(device_t)
++files_base_file(device_t)
+ files_mountpoint(device_t)
+ files_associate_tmp(device_t)
+ fs_type(device_t)
+ fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
++dev_node(device_t)
+
+ #
+ # Type for /dev/agpgart
+@@ -62,6 +63,9 @@ dev_node(cpu_device_t)
+ type crash_device_t;
+ dev_node(crash_device_t)
+
++type ecryptfs_device_t;
++dev_node(ecryptfs_device_t)
++
+ # for the IBM zSeries z90crypt hardware ssl accelorator
+ type crypt_device_t;
+ dev_node(crypt_device_t)
+@@ -108,6 +112,7 @@ dev_node(ksm_device_t)
+ #
+ type kvm_device_t;
+ dev_node(kvm_device_t)
++mls_trusted_object(kvm_device_t)
+
+ #
+ # Type for /dev/lirc
+@@ -118,9 +123,18 @@ dev_node(lirc_device_t)
+ #
+ # Type for /dev/mapper/control
+ #
++type loop_control_device_t;
++dev_node(loop_control_device_t)
++
++#
++# Type for /dev/mapper/control
++#
+ type lvm_control_t;
+ dev_node(lvm_control_t)
+
++type mei_device_t;
++dev_node(mei_device_t)
++
+ #
+ # memory_device_t is the type of /dev/kmem,
+ # /dev/mem and /dev/port.
+@@ -218,6 +232,10 @@ files_mountpoint(sysfs_t)
+ fs_type(sysfs_t)
+ genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
+
++type cpu_online_t;
++files_type(cpu_online_t)
++dev_associate_sysfs(cpu_online_t)
++
+ #
+ # Type for /dev/tpm
+ #
+@@ -265,6 +283,7 @@ dev_node(v4l_device_t)
+ #
+ type vhost_device_t;
+ dev_node(vhost_device_t)
++mls_trusted_object(vhost_device_t)
+
+ # Type for vmware devices.
+ type vmware_device_t;
+@@ -310,5 +329,5 @@ files_associate_tmp(device_node)
+ #
+
+ allow devices_unconfined_type self:capability sys_rawio;
+-allow devices_unconfined_type device_node:{ blk_file chr_file } *;
++allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
+ allow devices_unconfined_type mtrr_device_t:file *;
+diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
+index 6a1e4d1..eee8419 100644
+--- a/policy/modules/kernel/domain.if
++++ b/policy/modules/kernel/domain.if
+@@ -76,33 +76,8 @@ interface(`domain_type',`
+ # start with basic domain
+ domain_base_type($1)
+
+- ifdef(`distro_redhat',`
+- optional_policy(`
+- unconfined_use_fds($1)
+- ')
+- ')
+-
+- # send init a sigchld and signull
+- optional_policy(`
+- init_sigchld($1)
+- init_signull($1)
+- ')
+-
+- # these seem questionable:
+-
+- optional_policy(`
+- rpm_use_fds($1)
+- rpm_read_pipes($1)
+- ')
+-
+- optional_policy(`
+- selinux_dontaudit_getattr_fs($1)
+- selinux_dontaudit_read_fs($1)
+- ')
+-
+- optional_policy(`
+- seutil_dontaudit_read_config($1)
+- ')
++ # Only way to get corenet_unlabeled packets disabled to work
++ corenet_all_recvfrom_unlabeled($1)
+ ')
+
+ ########################################
+@@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',`
+
+ ########################################
+ ##
++## Do not audit attempts to send
++## signulls to all domains.
++##
++##
++##
++## Domain to not audit.
++##
++##
++##
++#
++interface(`domain_dontaudit_signull_all_domains',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ dontaudit $1 domain:process signull;
++')
++
++########################################
++##
+ ## Send a stop signal to all domains.
+ ##
+ ##
+@@ -631,7 +626,7 @@ interface(`domain_read_all_domains_state',`
+
+ ########################################
+ ##
+-## Get the attributes of all domains of all domains.
++## Get the attributes of all domains.
+ ##
+ ##
+ ##
+@@ -655,7 +650,7 @@ interface(`domain_getattr_all_domains',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -1356,6 +1351,24 @@ interface(`domain_manage_all_entry_files',`
+
+ ########################################
+ ##
++## Relabel from domain types on files if a user managed to mislable
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`domain_relabelfrom',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:dir_file_class_set relabelfrom_file_perms;
++')
++
++########################################
++##
+ ## Relabel to and from all entry point
+ ## file types.
+ ##
+@@ -1530,4 +1543,29 @@ interface(`domain_unconfined',`
+ typeattribute $1 can_change_object_identity;
+ typeattribute $1 set_curr_context;
+ typeattribute $1 process_uncond_exempt;
++
++ mcs_file_read_all($1)
++ mcs_file_write_all($1)
++ mcs_killall($1)
++ mcs_ptrace_all($1)
++ mcs_socket_write_all_levels($1)
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked sockets.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`domain_dontaudit_leaks',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ dontaudit $1 domain:socket_class_set { read write };
+ ')
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index cf04cb5..09a61e6 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
+ #
+ # Declarations
+ #
++##
++##
++## Allow all domains to use other domains file descriptors
++##
++##
++#
++gen_tunable(domain_fd_use, true)
++
++##
++##
++## Allow all domains to execute in fips_mode
++##
++##
++#
++gen_tunable(fips_mode, true)
++
++##
++##
++## Allow all domains to have the kernel load modules
++##
++##
++#
++gen_tunable(domain_kernel_load_modules, false)
+
+ ##
+ ##
+@@ -86,23 +109,43 @@ neverallow ~{ domain unlabeled_t } *:process *;
+ allow domain self:dir list_dir_perms;
+ allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
+ allow domain self:file rw_file_perms;
++allow domain self:fifo_file rw_fifo_file_perms;
++
+ kernel_read_proc_symlinks(domain)
++kernel_read_crypto_sysctls(domain)
++kernel_read_vm_overcommit_sysctls(domain)
++
+ # Every domain gets the key ring, so we should default
+ # to no one allowed to look at it; afs kernel support creates
+ # a keyring
+ kernel_dontaudit_search_key(domain)
+ kernel_dontaudit_link_key(domain)
++kernel_dontaudit_search_debugfs(domain)
+
+ # create child processes in the domain
+-allow domain self:process { fork sigchld };
++allow domain self:process { getcap fork getsched sigchld };
+
+ # Use trusted objects in /dev
++dev_read_cpu_online(domain)
+ dev_rw_null(domain)
+ dev_rw_zero(domain)
+ term_use_controlling_term(domain)
+
+ # list the root directory
+ files_list_root(domain)
++# allow all domains to search through default_t directory, since users sometimes
++# place labels within these directories. (samba_share_t) for example.
++files_search_default(domain)
++files_read_inherited_tmp_files(domain)
++files_append_inherited_tmp_files(domain)
++files_read_all_base_ro_files(domain)
++
++# All executables should be able to search the directory they are in
++corecmd_search_bin(domain)
++
++tunable_policy(`domain_kernel_load_modules',`
++ kernel_request_load_module(domain)
++')
+
+ ifdef(`hide_broken_symptoms',`
+ # This check is in the general socket
+@@ -121,8 +164,18 @@ tunable_policy(`global_ssp',`
+ ')
+
+ optional_policy(`
++ afs_rw_cache(domain)
++')
++
++optional_policy(`
+ libs_use_ld_so(domain)
+ libs_use_shared_libs(domain)
++ libs_read_lib_files(domain)
++')
++
++optional_policy(`
++ miscfiles_read_localization(domain)
++ miscfiles_read_man_pages(domain)
+ ')
+
+ optional_policy(`
+@@ -133,6 +186,8 @@ optional_policy(`
+ optional_policy(`
+ xserver_dontaudit_use_xdm_fds(domain)
+ xserver_dontaudit_rw_xdm_pipes(domain)
++ xserver_dontaudit_append_xdm_home_files(domain)
++ xserver_dontaudit_write_log(domain)
+ ')
+
+ ########################################
+@@ -147,12 +202,18 @@ optional_policy(`
+ # Use/sendto/connectto sockets created by any domain.
+ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+
++allow unconfined_domain_type domain:system all_system_perms;
+ # Use descriptors and pipes created by any domain.
+ allow unconfined_domain_type domain:fd use;
+ allow unconfined_domain_type domain:fifo_file rw_file_perms;
+
++allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
++
+ # Act upon any other process.
+-allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
++allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
++tunable_policy(`deny_ptrace',`',`
++ allow unconfined_domain_type domain:process ptrace;
++')
+
+ # Create/access any System V IPC objects.
+ allow unconfined_domain_type domain:{ sem msgq shm } *;
+@@ -166,5 +227,278 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+ # act on all domains keys
+ allow unconfined_domain_type domain:key *;
+
++corenet_filetrans_all_named_dev(unconfined_domain_type)
++
++dev_filetrans_all_named_dev(unconfined_domain_type)
++
+ # receive from all domains over labeled networking
+ domain_all_recvfrom_all_domains(unconfined_domain_type)
++
++files_filetrans_named_content(unconfined_domain_type)
++files_filetrans_system_conf_named_files(unconfined_domain_type)
++files_config_all_files(unconfined_domain_type)
++dev_config_null_dev_service(unconfined_domain_type)
++
++storage_filetrans_all_named_dev(unconfined_domain_type)
++
++term_filetrans_all_named_dev(unconfined_domain_type)
++
++optional_policy(`
++ init_status(unconfined_domain_type)
++ init_reboot(unconfined_domain_type)
++ init_halt(unconfined_domain_type)
++ init_undefined(unconfined_domain_type)
++')
++
++optional_policy(`
++ auth_filetrans_named_content(unconfined_domain_type)
++ auth_filetrans_admin_home_content(unconfined_domain_type)
++ auth_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ libs_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ logging_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ miscfiles_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ alsa_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ apache_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ bootloader_filetrans_config(unconfined_domain_type)
++')
++
++optional_policy(`
++ cups_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ devicekit_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ dnsmasq_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ gnome_filetrans_admin_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ gpg_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ irc_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ kerberos_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ mta_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ modules_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ mozilla_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ mysql_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ networkmanager_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ nx_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ postfix_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ prelink_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ pulseaudio_filetrans_home_content(unconfined_domain_type)
++ pulseaudio_filetrans_admin_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ quota_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ rpcbind_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ sysnet_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ systemd_login_status(unconfined_domain_type)
++ systemd_login_reboot(unconfined_domain_type)
++ systemd_login_halt(unconfined_domain_type)
++ systemd_login_undefined(unconfined_domain_type)
++')
++
++optional_policy(`
++ thumb_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ tftp_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
++ userdom_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ virt_filetrans_named_content(unconfined_domain_type)
++ virt_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ ssh_filetrans_admin_home_content(unconfined_domain_type)
++')
++
++selinux_getattr_fs(domain)
++selinux_search_fs(domain)
++selinux_dontaudit_read_fs(domain)
++
++optional_policy(`
++ seutil_dontaudit_read_config(domain)
++')
++
++optional_policy(`
++ init_sigchld(domain)
++ init_signull(domain)
++ init_read_machineid(domain)
++')
++
++ifdef(`distro_redhat',`
++ files_search_mnt(domain)
++ optional_policy(`
++ unconfined_use_fds(domain)
++ ')
++')
++
++# these seem questionable:
++
++optional_policy(`
++ abrt_domtrans_helper(domain)
++ abrt_read_pid_files(domain)
++ abrt_read_state(domain)
++ abrt_signull(domain)
++ abrt_append_cache(domain)
++ abrt_rw_fifo_file(domain)
++')
++
++optional_policy(`
++ rpm_use_fds(domain)
++ rpm_read_pipes(domain)
++ rpm_search_log(domain)
++ rpm_append_tmp_files(domain)
++ rpm_dontaudit_leaks(domain)
++ rpm_read_script_tmp_files(domain)
++ rpm_inherited_fifo(domain)
++')
++
++optional_policy(`
++ sosreport_append_tmp_files(domain)
++')
++
++tunable_policy(`domain_fd_use',`
++ # Allow all domains to use fds past to them
++ allow domain domain:fd use;
++')
++
++optional_policy(`
++ cron_dontaudit_write_system_job_tmp_files(domain)
++ cron_rw_pipes(domain)
++ cron_rw_system_job_pipes(domain)
++')
++
++ifdef(`hide_broken_symptoms',`
++ dontaudit domain self:udp_socket listen;
++ allow domain domain:key { link search };
++ dontaudit domain domain:socket_class_set { read write };
++ dontaudit domain self:capability sys_module;
++')
++
++optional_policy(`
++ ipsec_match_default_spd(domain)
++')
++
++optional_policy(`
++ ifdef(`hide_broken_symptoms',`
++ afs_rw_udp_sockets(domain)
++ ')
++')
++
++optional_policy(`
++ ssh_rw_pipes(domain)
++')
++
++optional_policy(`
++ unconfined_dontaudit_rw_pipes(domain)
++ unconfined_sigchld(domain)
++')
++
++# broken kernel
++dontaudit can_change_object_identity can_change_object_identity:key link;
++
++ifdef(`distro_redhat',`
++ optional_policy(`
++ unconfined_use_fds(domain)
++ ')
++')
++
++# these seem questionable:
++
++optional_policy(`
++ puppet_rw_tmp(domain)
++')
++
++optional_policy(`
++ rpm_use_fds(domain)
++ rpm_read_pipes(domain)
++')
++
++dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
++
++
++tunable_policy(`fips_mode',`
++ allow domain self:fifo_file manage_fifo_file_perms;
++ kernel_read_kernel_sysctls(domain)
++')
++
++optional_policy(`
++ tunable_policy(`fips_mode',`
++ prelink_exec(domain)
++ ')
++')
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index 8796ca3..cb02728 100644
+--- a/policy/modules/kernel/files.fc
++++ b/policy/modules/kernel/files.fc
+@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
+ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ ')
+
+ ifdef(`distro_suse',`
+@@ -27,7 +28,7 @@ ifdef(`distro_suse',`
+ #
+ # /boot
+ #
+-/boot -d gen_context(system_u:object_r:boot_t,s0)
++/boot gen_context(system_u:object_r:boot_t,s0)
+ /boot/.* gen_context(system_u:object_r:boot_t,s0)
+ /boot/\.journal <>
+ /boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
+@@ -38,13 +39,13 @@ ifdef(`distro_suse',`
+ #
+ # /emul
+ #
+-/emul -d gen_context(system_u:object_r:usr_t,s0)
++/emul gen_context(system_u:object_r:usr_t,s0)
+ /emul/.* gen_context(system_u:object_r:usr_t,s0)
+
+ #
+ # /etc
+ #
+-/etc -d gen_context(system_u:object_r:etc_t,s0)
++/etc gen_context(system_u:object_r:etc_t,s0)
+ /etc/.* gen_context(system_u:object_r:etc_t,s0)
+ /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -52,13 +53,16 @@ ifdef(`distro_suse',`
+ /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
+-/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/mtab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0)
++
++/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
+
+ /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
+
+@@ -70,7 +74,10 @@ ifdef(`distro_suse',`
+
+ /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
++
++/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
++
+
+ ifdef(`distro_gentoo', `
+ /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -78,10 +85,6 @@ ifdef(`distro_gentoo', `
+ /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ ')
+
+-ifdef(`distro_redhat',`
+-/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0)
+-')
+-
+ ifdef(`distro_suse',`
+ /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -104,7 +107,7 @@ HOME_ROOT/lost\+found/.* <>
+ /initrd -d gen_context(system_u:object_r:root_t,s0)
+
+ #
+-# /lib(64)?
++# /lib
+ #
+ /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
+
+@@ -129,6 +132,8 @@ ifdef(`distro_debian',`
+ /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
+ /media/[^/]*/.* <>
+ /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
++/var/run/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
++/var/run/media/.* <>
+
+ #
+ # /misc
+@@ -150,10 +155,10 @@ ifdef(`distro_debian',`
+ #
+ # /opt
+ #
+-/opt -d gen_context(system_u:object_r:usr_t,s0)
++/opt gen_context(system_u:object_r:usr_t,s0)
+ /opt/.* gen_context(system_u:object_r:usr_t,s0)
+
+-/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
++/opt/(.*/)?var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
+
+ #
+ # /proc
+@@ -161,6 +166,12 @@ ifdef(`distro_debian',`
+ /proc -d <>
+ /proc/.* <>
+
++ifdef(`distro_redhat',`
++/rhev -d gen_context(system_u:object_r:mnt_t,s0)
++/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
++/rhev/[^/]*/.* <>
++')
++
+ #
+ # /run
+ #
+@@ -169,6 +180,7 @@ ifdef(`distro_debian',`
+ /run/.*\.*pid <>
+ /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+
++/sandbox(/.*)? gen_context(system_u:object_r:tmp_t,s0)
+ #
+ # /selinux
+ #
+@@ -178,13 +190,14 @@ ifdef(`distro_debian',`
+ #
+ # /srv
+ #
+-/srv -d gen_context(system_u:object_r:var_t,s0)
++/srv gen_context(system_u:object_r:var_t,s0)
+ /srv/.* gen_context(system_u:object_r:var_t,s0)
+
+ #
+ # /tmp
+ #
+-/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/tmp-inst gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /tmp/.* <>
+ /tmp/\.journal <>
+
+@@ -194,9 +207,10 @@ ifdef(`distro_debian',`
+ #
+ # /usr
+ #
+-/usr -d gen_context(system_u:object_r:usr_t,s0)
++/usr gen_context(system_u:object_r:usr_t,s0)
+ /usr/.* gen_context(system_u:object_r:usr_t,s0)
+ /usr/\.journal <>
++/export(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+ /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+@@ -204,15 +218,9 @@ ifdef(`distro_debian',`
+
+ /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+-/usr/local/\.journal <>
+-
+-/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+-
+-/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+-/usr/local/lost\+found/.* <>
+-
+ /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /usr/lost\+found/.* <>
++/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
+
+ /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
+
+@@ -220,8 +228,6 @@ ifdef(`distro_debian',`
+ /usr/tmp/.* <>
+
+ ifndef(`distro_redhat',`
+-/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+-
+ /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+ /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
+ ')
+@@ -229,7 +235,7 @@ ifndef(`distro_redhat',`
+ #
+ # /var
+ #
+-/var -d gen_context(system_u:object_r:var_t,s0)
++/var gen_context(system_u:object_r:var_t,s0)
+ /var/.* gen_context(system_u:object_r:var_t,s0)
+ /var/\.journal <>
+
+@@ -237,11 +243,21 @@ ifndef(`distro_redhat',`
+
+ /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
++/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
++
+ /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
+
+ /var/lib/nfs/rpc_pipefs(/.*)? <>
+
++/var/lib/stickshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++/var/lib/stickshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++
++/var/lib/openshift/.openshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
++
+ /var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
++/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
+
+ /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /var/lost\+found/.* <>
+@@ -256,6 +272,7 @@ ifndef(`distro_redhat',`
+
+ /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /var/tmp -l gen_context(system_u:object_r:tmp_t,s0)
++/var/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /var/tmp/.* <>
+ /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /var/tmp/lost\+found/.* <>
+@@ -264,3 +281,5 @@ ifndef(`distro_redhat',`
+ ifdef(`distro_debian',`
+ /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+ ')
++/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
++/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index e1e814d..37f3b90 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -55,6 +55,7 @@
+ ## files_pid_file()
+ ## files_security_file()
+ ## files_security_mountpoint()
++## files_spool_file()
+ ## files_tmp_file()
+ ## files_tmpfs_file()
+ ## logging_log_file()
+@@ -521,7 +522,7 @@ interface(`files_mounton_non_security',`
+ attribute non_security_file_type;
+ ')
+
+- allow $1 non_security_file_type:dir mounton;
++ allow $1 non_security_file_type:dir { write setattr mounton };
+ allow $1 non_security_file_type:file mounton;
+ ')
+
+@@ -620,6 +621,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to search
++## non security dirs.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_non_security_dirs',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to set the attributes
++## of non security files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_setattr_non_security_files',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:file setattr;
++')
++
++########################################
++##
++## Do not audit attempts to set the attributes
++## of non security directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_setattr_non_security_dirs',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:dir setattr;
++')
++
++########################################
++##
+ ## Read all files.
+ ##
+ ##
+@@ -683,12 +741,82 @@ interface(`files_read_non_security_files',`
+ attribute non_security_file_type;
+ ')
+
++ list_dirs_pattern($1, non_security_file_type, non_security_file_type)
+ read_files_pattern($1, non_security_file_type, non_security_file_type)
+ read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ ')
+
+ ########################################
+ ##
++## Read/Write all inherited non-security files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_rw_inherited_non_security_files',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ allow $1 non_security_file_type:file { read write };
++')
++
++########################################
++##
++## Manage all non-security files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_manage_non_security_files',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ manage_files_pattern($1, non_security_file_type, non_security_file_type)
++ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
++')
++
++########################################
++##
++## Relabel all non-security files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_relabel_non_security_files',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
++ allow $1 { non_security_file_type }:dir list_dir_perms;
++ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++
++ # satisfy the assertions:
++ seutil_relabelto_bin_policy($1)
++')
++
++########################################
++##
+ ## Read all directories on the filesystem, except
+ ## the listed exceptions.
+ ##
+@@ -953,6 +1081,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+
+ ########################################
+ ##
++## Do not audit attempts to read/write
++## of non security named pipes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_rw_inherited_pipes',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
+ ## Get the attributes of all named sockets.
+ ##
+ ##
+@@ -1073,10 +1220,8 @@ interface(`files_relabel_all_files',`
+ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+- # this is only relabelfrom since there should be no
+- # device nodes with file types.
+- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
+- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
++ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
++ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
+@@ -1655,6 +1800,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+
+ ########################################
+ ##
++## Write all mount points.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_write_all_mountpoints',`
++ gen_require(`
++ attribute mountpoint;
++ ')
++
++ allow $1 mountpoint:dir write;
++')
++
++########################################
++##
+ ## Do not audit attempts to write to mount points.
+ ##
+ ##
+@@ -1673,6 +1836,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+
+ ########################################
+ ##
++## Write all file type directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_write_all_dirs',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 file_type:dir write;
++')
++
++########################################
++##
+ ## List the contents of the root directory.
+ ##
+ ##
+@@ -1856,6 +2037,42 @@ interface(`files_delete_root_dir_entry',`
+
+ ########################################
+ ##
++## Set attributes of the root directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_setattr_root_dirs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ allow $1 root_t:dir setattr_dir_perms;
++')
++
++########################################
++##
++## Relabel a rootfs filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_rootfs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ allow $1 root_t:filesystem relabel_file_perms;
++')
++
++########################################
++##
+ ## Unmount a rootfs filesystem.
+ ##
+ ##
+@@ -1874,6 +2091,24 @@ interface(`files_unmount_rootfs',`
+
+ ########################################
+ ##
++## Mount a filesystem on the root file system
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_mounton_rootfs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ allow $1 root_t:dir { search_dir_perms mounton };
++')
++
++########################################
++##
+ ## Get attributes of the /boot directory.
+ ##
+ ##
+@@ -2573,6 +2808,24 @@ interface(`files_rw_etc_dirs',`
+ allow $1 etc_t:dir rw_dir_perms;
+ ')
+
++#######################################
++##
++## Dontaudit remove dir /etc directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_remove_etc_dir',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ dontaudit $1 etc_t:dir rmdir;
++')
++
+ ##########################################
+ ##
+ ## Manage generic directories in /etc
+@@ -2644,6 +2897,7 @@ interface(`files_read_etc_files',`
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, etc_t)
+ read_lnk_files_pattern($1, etc_t, etc_t)
++ files_read_etc_runtime_files($1)
+ ')
+
+ ########################################
+@@ -2652,7 +2906,7 @@ interface(`files_read_etc_files',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -2708,6 +2962,25 @@ interface(`files_manage_etc_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to check the
++## access on etc files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_access_check_etc',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ dontaudit $1 etc_t:file_class_set audit_access;
++')
++
++########################################
++##
+ ## Delete system configuration files in /etc.
+ ##
+ ##
+@@ -2726,6 +2999,24 @@ interface(`files_delete_etc_files',`
+
+ ########################################
+ ##
++## Remove entries from the etc directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_etc_dir_entry',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ allow $1 etc_t:dir del_entry_dir_perms;
++')
++
++########################################
++##
+ ## Execute generic files in /etc.
+ ##
+ ##
+@@ -2891,24 +3182,6 @@ interface(`files_delete_boot_flag',`
+
+ ########################################
+ ##
+-## Do not audit attempts to set the attributes of the etc_runtime files
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`files_dontaudit_setattr_etc_runtime_files',`
+- gen_require(`
+- type etc_runtime_t;
+- ')
+-
+- dontaudit $1 etc_runtime_t:file setattr;
+-')
+-
+-########################################
+-##
+ ## Read files in /etc that are dynamically
+ ## created on boot, such as mtab.
+ ##
+@@ -2949,9 +3222,7 @@ interface(`files_read_etc_runtime_files',`
+
+ ########################################
+ ##
+-## Do not audit attempts to read files
+-## in /etc that are dynamically
+-## created on boot, such as mtab.
++## Do not audit attempts to set the attributes of the etc_runtime files
+ ##
+ ##
+ ##
+@@ -2959,12 +3230,50 @@ interface(`files_read_etc_runtime_files',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_read_etc_runtime_files',`
++interface(`files_dontaudit_setattr_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+- dontaudit $1 etc_runtime_t:file { getattr read };
++ dontaudit $1 etc_runtime_t:file setattr;
++')
++
++########################################
++##
++## Do not audit attempts to write etc_runtime files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_write_etc_runtime_files',`
++ gen_require(`
++ type etc_runtime_t;
++ ')
++
++ dontaudit $1 etc_runtime_t:file write;
++')
++
++########################################
++##
++## Do not audit attempts to read files
++## in /etc that are dynamically
++## created on boot, such as mtab.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_etc_runtime_files',`
++ gen_require(`
++ type etc_runtime_t;
++ ')
++
++ dontaudit $1 etc_runtime_t:file { getattr read };
+ ')
+
+ ########################################
+@@ -2986,6 +3295,7 @@ interface(`files_rw_etc_runtime_files',`
+
+ allow $1 etc_t:dir list_dir_perms;
+ rw_files_pattern($1, etc_t, etc_runtime_t)
++ read_lnk_files_pattern($1, etc_t, etc_t)
+ ')
+
+ ########################################
+@@ -3007,6 +3317,7 @@ interface(`files_manage_etc_runtime_files',`
+ ')
+
+ manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
++ read_lnk_files_pattern($1, etc_t, etc_runtime_t)
+ ')
+
+ ########################################
+@@ -3135,6 +3446,25 @@ interface(`files_delete_isid_type_dirs',`
+
+ ########################################
+ ##
++## Relabelfrom all file opbjects on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_isid_type',`
++ gen_require(`
++ type file_t;
++ ')
++
++ dontaudit $1 file_t:dir_file_class_set relabelfrom;
++')
++
++########################################
++##
+ ## Create, read, write, and delete directories
+ ## on new filesystems that have not yet been labeled.
+ ##
+@@ -3382,6 +3712,25 @@ interface(`files_rw_isid_type_blk_files',`
+
+ ########################################
+ ##
++## rw any files inherited from another process
++## on new filesystems that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_inherited_isid_type_files',`
++ gen_require(`
++ type file_t;
++ ')
++
++ allow $1 file_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Create, read, write, and delete block device nodes
+ ## on new filesystems that have not yet been labeled.
+ ##
+@@ -3723,20 +4072,38 @@ interface(`files_list_mnt',`
+
+ ######################################
+ ##
+-## Do not audit attempts to list the contents of /mnt.
++## dontaudit List the contents of /mnt.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_list_mnt',`
++ gen_require(`
++ type mnt_t;
++ ')
++
++ dontaudit $1 mnt_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to check the
++## write access on mnt files
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_list_mnt',`
++interface(`files_dontaudit_access_check_mnt',`
+ gen_require(`
+ type mnt_t;
+ ')
+-
+- dontaudit $1 mnt_t:dir list_dir_perms;
++ dontaudit $1 mnt_t:file_class_set audit_access;
+ ')
+
+ ########################################
+@@ -4126,6 +4493,133 @@ interface(`files_read_world_readable_sockets',`
+ allow $1 readable_t:sock_file read_sock_file_perms;
+ ')
+
++#######################################
++##
++## Read manageable system configuration files in /etc
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_system_conf_files',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ allow $1 etc_t:dir list_dir_perms;
++ read_files_pattern($1, etc_t, system_conf_t)
++ read_lnk_files_pattern($1, etc_t, system_conf_t)
++')
++
++######################################
++##
++## Manage manageable system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_system_conf_files',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
++ files_filetrans_system_conf_named_files($1)
++')
++
++#####################################
++##
++## File name transition for system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_filetrans_system_conf_named_files',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
++')
++
++######################################
++##
++## Relabel manageable system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelto_system_conf_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ relabelto_files_pattern($1, system_conf_t, system_conf_t)
++')
++
++######################################
++##
++## Relabel manageable system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_system_conf_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
++')
++
++###################################
++##
++## Create files in /etc with the type used for
++## the manageable system config files.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`files_etc_filetrans_system_conf',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ filetrans_pattern($1, etc_t, system_conf_t, file)
++')
++
+ ########################################
+ ##
+ ## Allow the specified type to associate
+@@ -4148,6 +4642,26 @@ interface(`files_associate_tmp',`
+
+ ########################################
+ ##
++## Allow the specified type to associate
++## to a filesystem with the type of the
++## / file system
++##
++##
++##
++## Type of the file to associate.
++##
++##
++#
++interface(`files_associate_rootfs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ allow $1 root_t:filesystem associate;
++')
++
++########################################
++##
+ ## Get the attributes of the tmp directory (/tmp).
+ ##
+ ##
+@@ -4161,6 +4675,7 @@ interface(`files_getattr_tmp_dirs',`
+ type tmp_t;
+ ')
+
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir getattr;
+ ')
+
+@@ -4171,7 +4686,7 @@ interface(`files_getattr_tmp_dirs',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -4198,6 +4713,7 @@ interface(`files_search_tmp',`
+ type tmp_t;
+ ')
+
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir search_dir_perms;
+ ')
+
+@@ -4234,6 +4750,7 @@ interface(`files_list_tmp',`
+ type tmp_t;
+ ')
+
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir list_dir_perms;
+ ')
+
+@@ -4243,7 +4760,7 @@ interface(`files_list_tmp',`
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -4255,6 +4772,25 @@ interface(`files_dontaudit_list_tmp',`
+ dontaudit $1 tmp_t:dir list_dir_perms;
+ ')
+
++#######################################
++##
++## Allow read and write to the tmp directory (/tmp).
++##
++##
++##
++## Domain not to audit.
++##
++##
++#
++interface(`files_rw_generic_tmp_dir',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 tmp_t:dir rw_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Remove entries from the tmp directory.
+@@ -4270,6 +4806,7 @@ interface(`files_delete_tmp_dir_entry',`
+ type tmp_t;
+ ')
+
++ files_search_tmp($1)
+ allow $1 tmp_t:dir del_entry_dir_perms;
+ ')
+
+@@ -4311,6 +4848,32 @@ interface(`files_manage_generic_tmp_dirs',`
+
+ ########################################
+ ##
++## Allow shared library text relocations in tmp files.
++##
++##
++##
++## Allow shared library text relocations in tmp files.
++##
++##
++## This is added to support java policy.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_execmod_tmp',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file execmod;
++')
++
++########################################
++##
+ ## Manage temporary files and directories in /tmp.
+ ##
+ ##
+@@ -4365,6 +4928,42 @@ interface(`files_rw_generic_tmp_sockets',`
+
+ ########################################
+ ##
++## Relabel a dir from the type used in /tmp.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_tmp_dirs',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++##
++## Relabel a file from the type used in /tmp.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_tmp_files',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++##
+ ## Set the attributes of all tmp directories.
+ ##
+ ##
+@@ -4383,6 +4982,42 @@ interface(`files_setattr_all_tmp_dirs',`
+
+ ########################################
+ ##
++## Allow caller to read inherited tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_inherited_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file { append read_inherited_file_perms };
++')
++
++########################################
++##
++## Allow caller to append inherited tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_append_inherited_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file append_inherited_file_perms;
++')
++
++########################################
++##
+ ## List all tmp directories.
+ ##
+ ##
+@@ -4428,7 +5063,7 @@ interface(`files_relabel_all_tmp_dirs',`
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -4488,7 +5123,7 @@ interface(`files_relabel_all_tmp_files',`
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -4573,6 +5208,16 @@ interface(`files_purge_tmp',`
+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
+ delete_sock_files_pattern($1, tmpfile, tmpfile)
++ delete_chr_files_pattern($1, tmpfile, tmpfile)
++ delete_blk_files_pattern($1, tmpfile, tmpfile)
++ files_list_isid_type_dirs($1)
++ files_delete_isid_type_dirs($1)
++ files_delete_isid_type_files($1)
++ files_delete_isid_type_symlinks($1)
++ files_delete_isid_type_fifo_files($1)
++ files_delete_isid_type_sock_files($1)
++ files_delete_isid_type_blk_files($1)
++ files_delete_isid_type_chr_files($1)
+ ')
+
+ ########################################
+@@ -5150,12 +5795,30 @@ interface(`files_list_var',`
+
+ ########################################
+ ##
+-## Create, read, write, and delete directories
+-## in the /var directory.
++## Do not audit listing of the var directory (/var).
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_list_var',`
++ gen_require(`
++ type var_t;
++ ')
++
++ dontaudit $1 var_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete directories
++## in the /var directory.
++##
++##
++##
++## Domain allowed access.
+ ##
+ ##
+ #
+@@ -5505,6 +6168,25 @@ interface(`files_read_var_lib_symlinks',`
+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+
++########################################
++##
++## manage generic symbolic links
++## in the /var/lib directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_var_lib_symlinks',`
++ gen_require(`
++ type var_lib_t;
++ ')
++
++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
++')
++
+ # cjp: the next two interfaces really need to be fixed
+ # in some way. They really neeed their own types.
+
+@@ -5550,7 +6232,7 @@ interface(`files_manage_mounttab',`
+
+ ########################################
+ ##
+-## Set the attributes of the generic lock directories.
++## List generic lock directories.
+ ##
+ ##
+ ##
+@@ -5558,12 +6240,13 @@ interface(`files_manage_mounttab',`
+ ##
+ ##
+ #
+-interface(`files_setattr_lock_dirs',`
++interface(`files_list_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+- setattr_dirs_pattern($1, var_t, var_lock_t)
++ files_search_locks($1)
++ list_dirs_pattern($1, var_t, var_lock_t)
+ ')
+
+ ########################################
+@@ -5581,6 +6264,7 @@ interface(`files_search_locks',`
+ type var_t, var_lock_t;
+ ')
+
++ files_search_pids($1)
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_lock_t)
+ ')
+@@ -5607,7 +6291,26 @@ interface(`files_dontaudit_search_locks',`
+
+ ########################################
+ ##
+-## List generic lock directories.
++## Do not audit attempts to read/write inherited
++## locks (/var/lock).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Set the attributes of the /var/lock directory.
+ ##
+ ##
+ ##
+@@ -5615,13 +6318,12 @@ interface(`files_dontaudit_search_locks',`
+ ##
+ ##
+ #
+-interface(`files_list_locks',`
++interface(`files_setattr_lock_dirs',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_lock_t)
++ allow $1 var_lock_t:dir setattr;
+ ')
+
+ ########################################
+@@ -5640,7 +6342,7 @@ interface(`files_rw_lock_dirs',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ rw_dirs_pattern($1, var_t, var_lock_t)
+ ')
+
+@@ -5673,7 +6375,6 @@ interface(`files_create_lock_dirs',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`files_relabel_all_lock_dirs',`
+ gen_require(`
+@@ -5701,8 +6402,7 @@ interface(`files_getattr_generic_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ allow $1 var_lock_t:dir list_dir_perms;
+ getattr_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+@@ -5718,13 +6418,12 @@ interface(`files_getattr_generic_locks',`
+ ##
+ #
+ interface(`files_delete_generic_locks',`
+- gen_require(`
++ gen_require(`
+ type var_t, var_lock_t;
+- ')
++ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, var_lock_t, var_lock_t)
++ files_search_locks($1)
++ delete_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+
+ ########################################
+@@ -5743,8 +6442,7 @@ interface(`files_manage_generic_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ manage_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+
+@@ -5786,8 +6484,7 @@ interface(`files_read_all_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
++ files_search_locks($1)
+ allow $1 lockfile:dir list_dir_perms;
+ read_files_pattern($1, lockfile, lockfile)
+ read_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5809,8 +6506,7 @@ interface(`files_manage_all_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
++ files_search_locks($1)
+ manage_dirs_pattern($1, lockfile, lockfile)
+ manage_files_pattern($1, lockfile, lockfile)
+ manage_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5847,8 +6543,7 @@ interface(`files_lock_filetrans',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
+ ')
+
+@@ -5911,6 +6606,43 @@ interface(`files_search_pids',`
+ search_dirs_pattern($1, var_t, var_run_t)
+ ')
+
++######################################
++##
++## Add and remove entries from pid directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:dir rw_dir_perms;
++')
++
++#######################################
++##
++## Create generic pid directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_var_run_dirs',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir create_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Do not audit attempts to search
+@@ -5933,6 +6665,25 @@ interface(`files_dontaudit_search_pids',`
+
+ ########################################
+ ##
++## Do not audit attempts to search
++## the all /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ dontaudit $1 pidfile:dir search_dir_perms;
++')
++
++########################################
++##
+ ## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ##
+@@ -6048,7 +6799,6 @@ interface(`files_pid_filetrans',`
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ filetrans_pattern($1, var_run_t, $2, $3, $4)
+ ')
+
+@@ -6157,30 +6907,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+
+ ########################################
+ ##
+-## Read all process ID files.
++## Relable all pid directories
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_read_all_pids',`
++interface(`files_relabel_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
++ relabel_dirs_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ##
+-## Mount filesystems on all polyinstantiation
+-## member directories.
++## Delete all pid sockets
+ ##
+ ##
+ ##
+@@ -6188,43 +6933,35 @@ interface(`files_read_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_mounton_all_poly_members',`
++interface(`files_delete_all_pid_sockets',`
+ gen_require(`
+- attribute polymember;
++ attribute pidfile;
+ ')
+
+- allow $1 polymember:dir mounton;
++ allow $1 pidfile:sock_file delete_sock_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete all process IDs.
++## Create all pid sockets
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_delete_all_pids',`
++interface(`files_create_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ allow $1 pidfile:sock_file create_sock_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete all process ID directories.
++## Create all pid named pipes
+ ##
+ ##
+ ##
+@@ -6232,21 +6969,17 @@ interface(`files_delete_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_delete_all_pid_dirs',`
++interface(`files_create_all_pid_pipes',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- delete_dirs_pattern($1, pidfile, pidfile)
++ allow $1 pidfile:fifo_file create_fifo_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Search the contents of generic spool
+-## directories (/var/spool).
++## Delete all pid named pipes
+ ##
+ ##
+ ##
+@@ -6254,56 +6987,59 @@ interface(`files_delete_all_pid_dirs',`
+ ##
+ ##
+ #
+-interface(`files_search_spool',`
++interface(`files_delete_all_pid_pipes',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
+- search_dirs_pattern($1, var_t, var_spool_t)
++ allow $1 pidfile:fifo_file delete_fifo_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search generic
+-## spool directories.
++## manage all pidfile directories
++## in the /var/run directory.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_spool',`
++interface(`files_manage_all_pid_dirs',`
+ gen_require(`
+- type var_spool_t;
++ attribute pidfile;
+ ')
+
+- dontaudit $1 var_spool_t:dir search_dir_perms;
++ manage_dirs_pattern($1,pidfile,pidfile)
+ ')
+
++
+ ########################################
+ ##
+-## List the contents of generic spool
+-## (/var/spool) directories.
++## Read all process ID files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_list_spool',`
++interface(`files_read_all_pids',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
++ type var_t;
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
++ list_dirs_pattern($1, var_t, pidfile)
++ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
++## Relable all pid files
+ ##
+ ##
+ ##
+@@ -6311,18 +7047,17 @@ interface(`files_list_spool',`
+ ##
+ ##
+ #
+-interface(`files_manage_generic_spool_dirs',`
++interface(`files_relabel_all_pid_files',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ relabel_files_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ##
+-## Read generic spool files.
++## Execute generic programs in /var/run in the caller domain.
+ ##
+ ##
+ ##
+@@ -6330,19 +7065,18 @@ interface(`files_manage_generic_spool_dirs',`
+ ##
+ ##
+ #
+-interface(`files_read_generic_spool',`
++interface(`files_exec_generic_pid_files',`
+ gen_require(`
+- type var_t, var_spool_t;
++ type var_run_t;
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+- read_files_pattern($1, var_spool_t, var_spool_t)
++ exec_files_pattern($1, var_run_t, var_run_t)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete generic
+-## spool files.
++## manage all pidfiles
++## in the /var/run directory.
+ ##
+ ##
+ ##
+@@ -6350,55 +7084,62 @@ interface(`files_read_generic_spool',`
+ ##
+ ##
+ #
+-interface(`files_manage_generic_spool',`
++interface(`files_manage_all_pids',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_spool_t, var_spool_t)
++ manage_files_pattern($1,pidfile,pidfile)
+ ')
+
+ ########################################
+ ##
+-## Create objects in the spool directory
+-## with a private type with a type transition.
++## Mount filesystems on all polyinstantiation
++## member directories.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## Type to which the created node will be transitioned.
+-##
+-##
+-##
+-##
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+-##
+-##
+-##
++#
++interface(`files_mounton_all_poly_members',`
++ gen_require(`
++ attribute polymember;
++ ')
++
++ allow $1 polymember:dir mounton;
++')
++
++########################################
++##
++## Delete all process IDs.
++##
++##
+ ##
+-## The name of the object being created.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_spool_filetrans',`
++interface(`files_delete_all_pids',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
++ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ allow $1 var_run_t:dir rmdir;
++ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++ delete_files_pattern($1, pidfile, pidfile)
++ delete_fifo_files_pattern($1, pidfile, pidfile)
++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ ')
+
+ ########################################
+ ##
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
++## Delete all process ID directories.
+ ##
+ ##
+ ##
+@@ -6406,25 +7147,283 @@ interface(`files_spool_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_polyinstantiate_all',`
++interface(`files_delete_all_pid_dirs',`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
++ attribute pidfile;
++ type var_t, var_run_t;
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ delete_dirs_pattern($1, pidfile, pidfile)
++')
+
+- # Need to give access to parent directories where original
++########################################
++##
++## Make the specified type a file
++## used for spool files.
++##
++##
++##
++## Make the specified type usable for spool files.
++## This will also make the type usable for files, making
++## calls to files_type() redundant. Failure to use this interface
++## for a spool file may result in problems with
++## purging spool files.
++##
++##
++## Related interfaces:
++##
++##
++## - files_spool_filetrans()
++##
++##
++## Example usage with a domain that can create and
++## write its spool file in the system spool file
++## directories (/var/spool):
++##
++##
++## type myspoolfile_t;
++## files_spool_file(myfile_spool_t)
++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
++## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
++##
++##
++##
++##
++## Type of the file to be used as a
++## spool file.
++##
++##
++##
++#
++interface(`files_spool_file',`
++ gen_require(`
++ attribute spoolfile;
++ ')
++
++ files_type($1)
++ typeattribute $1 spoolfile;
++')
++
++########################################
++##
++## Create all spool sockets
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_all_spool_sockets',`
++ gen_require(`
++ attribute spoolfile;
++ ')
++
++ allow $1 spoolfile:sock_file create_sock_file_perms;
++')
++
++########################################
++##
++## Delete all spool sockets
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_all_spool_sockets',`
++ gen_require(`
++ attribute spoolfile;
++ ')
++
++ allow $1 spoolfile:sock_file delete_sock_file_perms;
++')
++
++########################################
++##
++## Search the contents of generic spool
++## directories (/var/spool).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_search_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ search_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++##
++## Do not audit attempts to search generic
++## spool directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_spool',`
++ gen_require(`
++ type var_spool_t;
++ ')
++
++ dontaudit $1 var_spool_t:dir search_dir_perms;
++')
++
++########################################
++##
++## List the contents of generic spool
++## (/var/spool) directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ list_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++##
++## Create, read, write, and delete generic
++## spool directories (/var/spool).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_generic_spool_dirs',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_dirs_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++##
++## Read generic spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ list_dirs_pattern($1, var_t, var_spool_t)
++ read_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++##
++## Create, read, write, and delete generic
++## spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++##
++## Create objects in the spool directory
++## with a private type with a type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Type to which the created node will be transitioned.
++##
++##
++##
++##
++## Object class(es) (single or set including {}) for which this
++## the transition will occur.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`files_spool_filetrans',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_spool_t, $2, $3, $4)
++')
++
++########################################
++##
++## Allow access to manage all polyinstantiated
++## directories on the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_polyinstantiate_all',`
++ gen_require(`
++ attribute polydir, polymember, polyparent;
++ type poly_t;
++ ')
++
++ # Need to give access to /selinux/member
++ selinux_compute_member($1)
++
++ # Need sys_admin capability for mounting
++ allow $1 self:capability { chown fsetid sys_admin fowner };
++
++ # Need to give access to the directories to be polyinstantiated
++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++ # Need to give access to the polyinstantiated subdirectories
++ allow $1 polymember:dir search_dir_perms;
++
++ # Need to give access to parent directories where original
+ # is remounted for polyinstantiation aware programs (like gdm)
+ allow $1 polyparent:dir { getattr mounton };
+
+@@ -6467,3 +7466,457 @@ interface(`files_unconfined',`
+
+ typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++##
++## Create a core files in /
++##
++##
++##
++## Create a core file in /,
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_manage_root_files',`
++ gen_require(`
++ type root_t;
++ ')
++
++ manage_files_pattern($1, root_t, root_t)
++')
++
++########################################
++##
++## Create a default directory
++##
++##
++##
++## Create a default_t direcrory
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_create_default_dir',`
++ gen_require(`
++ type default_t;
++ ')
++
++ allow $1 default_t:dir create;
++')
++
++########################################
++##
++## Create, default_t objects with an automatic
++## type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The class of the object being created.
++##
++##
++#
++interface(`files_root_filetrans_default',`
++ gen_require(`
++ type root_t, default_t;
++ ')
++
++ filetrans_pattern($1, root_t, default_t, $2)
++')
++
++########################################
++##
++## manage generic symbolic links
++## in the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_generic_pids_symlinks',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ manage_lnk_files_pattern($1,var_run_t,var_run_t)
++')
++
++########################################
++##
++## Do not audit attempts to getattr
++## all tmpfs files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_getattr_tmpfs_files',`
++ gen_require(`
++ attribute tmpfsfile;
++ ')
++
++ allow $1 tmpfsfile:file getattr;
++')
++
++########################################
++##
++## Allow read write all tmpfs files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_rw_tmpfs_files',`
++ gen_require(`
++ attribute tmpfsfile;
++ ')
++
++ allow $1 tmpfsfile:file { read write };
++')
++
++########################################
++##
++## Do not audit attempts to read security files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_security_files',`
++ gen_require(`
++ attribute security_file_type;
++ ')
++
++ dontaudit $1 security_file_type:file read_file_perms;
++')
++
++########################################
++##
++## rw any files inherited from another process
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Object type.
++##
++##
++#
++interface(`files_rw_all_inherited_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 { file_type $2 }:file rw_inherited_file_perms;
++ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
++ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
++ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## Allow any file point to be the entrypoint of this domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_entrypoint_all_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++ allow $1 file_type:file entrypoint;
++')
++
++########################################
++##
++## Do not audit attempts to rw inherited file perms
++## of non security files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_all_non_security_leaks',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_leaks',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:file rw_inherited_file_perms;
++ dontaudit $1 file_type:lnk_file { read };
++')
++
++########################################
++##
++## Allow domain to create_file_ass all types
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_as_is_all_files',`
++ gen_require(`
++ attribute file_type;
++ class kernel_service create_files_as;
++ ')
++
++ allow $1 file_type:kernel_service create_files_as;
++')
++
++########################################
++##
++## Do not audit attempts to check the
++## write access on all files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_all_access_check',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:file_class_set audit_access;
++')
++
++########################################
++##
++## Do not audit attempts to write to all files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_write_all_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:dir_file_class_set write;
++')
++
++########################################
++##
++## Allow domain to delete to all files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_delete_all_non_security_files',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ allow $1 non_security_file_type:dir del_entry_dir_perms;
++ allow $1 non_security_file_type:file_class_set delete_file_perms;
++')
++
++########################################
++##
++## Transition named content in the var_run_t directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_filetrans_named_content',`
++ gen_require(`
++ type mnt_t;
++ type usr_t;
++ type var_t;
++ ')
++
++ files_pid_filetrans($1, mnt_t, dir, "media")
++ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
++ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
++ files_root_filetrans($1, mnt_t, dir, "afs")
++ files_root_filetrans($1, mnt_t, dir, "misc")
++ files_root_filetrans($1, mnt_t, dir, "net")
++ files_root_filetrans($1, usr_t, dir, "export")
++ files_root_filetrans($1, usr_t, dir, "emul")
++ files_root_filetrans($1, var_t, dir, "nsr")
++ files_etc_filetrans_etc_runtime($1, file, "runtime")
++ files_etc_filetrans_etc_runtime($1, dir, "blkid")
++ files_etc_filetrans_etc_runtime($1, dir, "cmtab")
++ files_etc_filetrans_etc_runtime($1, file, "fstab.REVOKE")
++ files_etc_filetrans_etc_runtime($1, file, "ioctl.save")
++ files_etc_filetrans_etc_runtime($1, file, "nologin")
++ files_etc_filetrans_etc_runtime($1, file, "securetty")
++ files_etc_filetrans_etc_runtime($1, file, "ifstate")
++ files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
++ files_etc_filetrans_etc_runtime($1, file, "hwconf")
++ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
++')
++
++########################################
++##
++## Make the specified type a
++## base file.
++##
++##
++##
++## Identify file type as base file type. Tools will use this attribute,
++## to help users diagnose problems.
++##
++##
++##
++##
++## Type to be used as a base files.
++##
++##
++##
++#
++interface(`files_base_file',`
++ gen_require(`
++ attribute base_file_type;
++ ')
++ files_type($1)
++ typeattribute $1 base_file_type;
++')
++
++########################################
++##
++## Make the specified type a
++## base read only file.
++##
++##
++##
++## Make the specified type readable for all domains.
++##
++##
++##
++##
++## Type to be used as a base read only files.
++##
++##
++##
++#
++interface(`files_ro_base_file',`
++ gen_require(`
++ attribute base_ro_file_type;
++ ')
++ files_base_file($1)
++ typeattribute $1 base_ro_file_type;
++')
++
++########################################
++##
++## Read all ro base files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_read_all_base_ro_files',`
++ gen_require(`
++ attribute base_ro_file_type;
++ ')
++
++ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
++ read_files_pattern($1, base_ro_file_type, base_ro_file_type)
++ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
++')
++
++########################################
++##
++## Execute all base ro files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_exec_all_base_ro_files',`
++ gen_require(`
++ attribute base_ro_file_type;
++ ')
++
++ can_exec($1, base_ro_file_type)
++')
++
++########################################
++##
++## Allow the specified domain to modify the systemd configuration of
++## any file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_config_all_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 file_type:service all_service_perms;
++')
++
+diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
+index 52ef84e..45cb0bc 100644
+--- a/policy/modules/kernel/files.te
++++ b/policy/modules/kernel/files.te
+@@ -5,12 +5,16 @@ policy_module(files, 1.17.0)
+ # Declarations
+ #
+
++attribute base_file_type;
++attribute base_ro_file_type;
+ attribute file_type;
+ attribute files_unconfined_type;
+ attribute lockfile;
+ attribute mountpoint;
+ attribute pidfile;
++attribute spoolfile;
+ attribute configfile;
++attribute etcfile;
+
+ # For labeling types that are to be polyinstantiated
+ attribute polydir;
+@@ -48,28 +52,40 @@ attribute usercanread;
+ #
+ type boot_t;
+ files_mountpoint(boot_t)
++files_ro_base_file(boot_t)
+
+ # default_t is the default type for files that do not
+ # match any specification in the file_contexts configuration
+ # other than the generic /.* specification.
+ type default_t;
+ files_mountpoint(default_t)
++files_base_file(default_t)
+
+ #
+ # etc_t is the type of the system etc directories.
+ #
+ type etc_t, configfile;
+-files_type(etc_t)
++files_ro_base_file(etc_t)
++
+ # compatibility aliases for removed types:
+ typealias etc_t alias automount_etc_t;
+ typealias etc_t alias snmpd_etc_t;
+
++# system_conf_t is a new type of various
++# files in /etc/ that can be managed and
++# created by several domains.
++#
++type system_conf_t, configfile;
++files_type(system_conf_t)
++# compatibility aliases for removed type:
++typealias system_conf_t alias iptables_conf_t;
++
+ #
+ # etc_runtime_t is the type of various
+ # files in /etc that are automatically
+ # generated during initialization.
+ #
+-type etc_runtime_t;
++type etc_runtime_t, configfile;
+ files_type(etc_runtime_t)
+ #Temporarily in policy until FC5 dissappears
+ typealias etc_runtime_t alias firstboot_rw_t;
+@@ -81,6 +97,7 @@ typealias etc_runtime_t alias firstboot_rw_t;
+ #
+ type file_t;
+ files_mountpoint(file_t)
++files_base_file(file_t)
+ kernel_rootfs_mountpoint(file_t)
+ sid file gen_context(system_u:object_r:file_t,s0)
+
+@@ -89,6 +106,7 @@ sid file gen_context(system_u:object_r:file_t,s0)
+ # are created
+ #
+ type home_root_t;
++files_base_file(home_root_t)
+ files_mountpoint(home_root_t)
+ files_poly_parent(home_root_t)
+
+@@ -96,12 +114,13 @@ files_poly_parent(home_root_t)
+ # lost_found_t is the type for the lost+found directories.
+ #
+ type lost_found_t;
+-files_type(lost_found_t)
++files_base_file(lost_found_t)
+
+ #
+ # mnt_t is the type for mount points such as /mnt/cdrom
+ #
+ type mnt_t;
++files_base_file(mnt_t)
+ files_mountpoint(mnt_t)
+
+ #
+@@ -123,6 +142,7 @@ files_type(readable_t)
+ # root_t is the type for rootfs and the root directory.
+ #
+ type root_t;
++files_base_file(root_t)
+ files_mountpoint(root_t)
+ files_poly_parent(root_t)
+ kernel_rootfs_mountpoint(root_t)
+@@ -133,52 +153,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+ #
+ type src_t;
+ files_mountpoint(src_t)
++files_ro_base_file(src_t)
+
+ #
+ # system_map_t is for the system.map files in /boot
+ #
+ type system_map_t;
+ files_type(system_map_t)
++kernel_proc_type(system_map_t)
+ genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
+
+ #
+ # tmp_t is the type of the temporary directories
+ #
+ type tmp_t;
++files_base_file(tmp_t)
+ files_tmp_file(tmp_t)
+ files_mountpoint(tmp_t)
+ files_poly(tmp_t)
+ files_poly_parent(tmp_t)
++typealias tmp_t alias firstboot_tmp_t;
+
+ #
+ # usr_t is the type for /usr.
+ #
+ type usr_t;
++files_ro_base_file(usr_t)
+ files_mountpoint(usr_t)
+
+ #
+ # var_t is the type of /var
+ #
+ type var_t;
++files_base_file(var_t)
+ files_mountpoint(var_t)
+
+ #
+ # var_lib_t is the type of /var/lib
+ #
+ type var_lib_t;
++files_base_file(var_lib_t)
+ files_mountpoint(var_lib_t)
++files_poly(var_lib_t)
+
+ #
+ # var_lock_t is tye type of /var/lock
+ #
+ type var_lock_t;
++files_base_file(var_lock_t)
+ files_lock_file(var_lock_t)
++files_mountpoint(var_lock_t)
+
+ #
+ # var_run_t is the type of /var/run, usually
+ # used for pid and other runtime files.
+ #
+ type var_run_t;
++files_base_file(var_run_t)
+ files_pid_file(var_run_t)
+ files_mountpoint(var_run_t)
+
+@@ -186,7 +217,9 @@ files_mountpoint(var_run_t)
+ # var_spool_t is the type of /var/spool
+ #
+ type var_spool_t;
++files_base_file(var_spool_t)
+ files_tmp_file(var_spool_t)
++files_spool_file(var_spool_t)
+
+ ########################################
+ #
+@@ -225,10 +258,11 @@ fs_associate_tmpfs(tmpfsfile)
+ # Create/access any file in a labeled filesystem;
+ allow files_unconfined_type file_type:{ file chr_file } ~execmod;
+ allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
++allow files_unconfined_type file_type:service *;
+
+ # Mount/unmount any filesystem with the context= option.
+ allow files_unconfined_type file_type:filesystem *;
+
+-tunable_policy(`allow_execmod',`
++tunable_policy(`selinuxuser_execmod',`
+ allow files_unconfined_type file_type:file execmod;
+ ')
+diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
+index cda5588..91d1e25 100644
+--- a/policy/modules/kernel/filesystem.fc
++++ b/policy/modules/kernel/filesystem.fc
+@@ -1,3 +1,7 @@
++# ecryptfs does not support xattr
++HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
++HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
++
+ /cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+ /cgroup/.* <>
+
+@@ -14,3 +18,8 @@
+ # for systemd systems:
+ /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+ /sys/fs/cgroup/.* <>
++
++/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
++/usr/lib/udev/devices/hugepages/.* <>
++/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
++/usr/lib/udev/devices/shm/.* <>
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index 7c6b791..aa86bf7 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
+
+ ########################################
+ ##
++## Get attributes of cgroup files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_getattr_cgroup_files',`
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ getattr_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
++ dev_search_sysfs($1)
++')
++
++########################################
++##
+ ## Search cgroup directories.
+ ##
+ ##
+@@ -646,11 +667,31 @@ interface(`fs_search_cgroup_dirs',`
+ ')
+
+ search_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+ ########################################
+ ##
++## Relabel cgroup directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabel_cgroup_dirs',`
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ relabel_dirs_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++##
+ ## list cgroup directories.
+ ##
+ ##
+@@ -665,9 +706,29 @@ interface(`fs_list_cgroup_dirs', `
+ ')
+
+ list_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
++#######################################
++##
++## Do not audit attempts to search cgroup directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_search_cgroup_dirs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ dontaudit $1 cgroup_t:dir search_dir_perms;
++ dev_dontaudit_search_sysfs($1)
++')
++
+ ########################################
+ ##
+ ## Delete cgroup directories.
+@@ -684,6 +745,7 @@ interface(`fs_delete_cgroup_dirs', `
+ ')
+
+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -704,6 +766,7 @@ interface(`fs_manage_cgroup_dirs',`
+ ')
+
+ manage_dirs_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -724,6 +787,8 @@ interface(`fs_read_cgroup_files',`
+ ')
+
+ read_files_pattern($1, cgroup_t, cgroup_t)
++ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -743,6 +808,7 @@ interface(`fs_write_cgroup_files', `
+ ')
+
+ write_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -762,7 +828,9 @@ interface(`fs_rw_cgroup_files',`
+
+ ')
+
++ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
+ rw_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -803,6 +871,8 @@ interface(`fs_manage_cgroup_files',`
+ ')
+
+ manage_files_pattern($1, cgroup_t, cgroup_t)
++ manage_lnk_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+ ')
+
+@@ -1107,6 +1177,24 @@ interface(`fs_read_noxattr_fs_files',`
+
+ ########################################
+ ##
++## Read/Write all inherited noxattrfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_inherited_noxattr_fs_files',`
++ gen_require(`
++ attribute noxattrfs;
++ ')
++
++ allow $1 noxattrfs:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read all
+ ## noxattrfs files.
+ ##
+@@ -1245,7 +1333,7 @@ interface(`fs_append_cifs_files',`
+
+ ########################################
+ ##
+-## dontaudit Append files
++## Do not audit attempts to append files
+ ## on a CIFS filesystem.
+ ##
+ ##
+@@ -1265,6 +1353,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+
+ ########################################
+ ##
++## Read inherited files on a CIFS or SMB filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_inherited_cifs_files',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ allow $1 cifs_t:file read_inherited_file_perms;
++')
++
++########################################
++##
++## Read/Write inherited files on a CIFS or SMB filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_inherited_cifs_files',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ allow $1 cifs_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read or
+ ## write files on a CIFS or SMB filesystem.
+ ##
+@@ -1279,7 +1403,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+ type cifs_t;
+ ')
+
+- dontaudit $1 cifs_t:file rw_file_perms;
++ dontaudit $1 cifs_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -1542,6 +1666,25 @@ interface(`fs_cifs_domtrans',`
+ domain_auto_transition_pattern($1, cifs_t, $2)
+ ')
+
++########################################
++##
++## Make general progams in cifs an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which cifs_t is an entrypoint.
++##
++##
++#
++interface(`fs_cifs_entry_type',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ domain_entry_file($1, cifs_t)
++')
++
+ #######################################
+ ##
+ ## Create, read, write, and delete dirs
+@@ -1582,6 +1725,24 @@ interface(`fs_manage_configfs_files',`
+
+ ########################################
+ ##
++## Unmount a configfs filesystem
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_unmount_configfs',`
++ gen_require(`
++ type configfs_t;
++ ')
++
++ allow $1 configfs_t:filesystem unmount;
++')
++
++########################################
++##
+ ## Mount a DOS filesystem, such as
+ ## FAT32 or NTFS.
+ ##
+@@ -1679,6 +1840,25 @@ interface(`fs_relabelfrom_dos_fs',`
+
+ ########################################
+ ##
++## Allow changing of the label of a
++## tmpfs filesystem using the context= mount option.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabelfrom_tmpfs',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:filesystem relabelfrom;
++')
++
++########################################
++##
+ ## Search dosfs filesystem.
+ ##
+ ##
+@@ -1793,6 +1973,188 @@ interface(`fs_read_eventpollfs',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ ')
+
++
++#######################################
++##
++## Search directories
++## on a ecrypt filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_search_ecryptfs',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ allow $1 ecryptfs_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete directories
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_manage_ecryptfs_dirs',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
++ allow $1 ecryptfs_t:dir manage_dir_perms;
++')
++
++#######################################
++##
++## Create, read, write, and delete files
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_read_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ read_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++##
++## Create, read, write, and delete files
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_manage_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++##
++## Do not audit attempts to create,
++## read, write, and delete files
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_manage_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ dontaudit $1 ecryptfs_t:file manage_file_perms;
++')
++
++########################################
++##
++## Read symbolic links on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_ecryptfs_symlinks',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ allow $1 ecryptfs_t:dir list_dir_perms;
++ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++##
++## Manage symbolic links on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_ecryptfs_symlinks',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++##
++## Execute a file on a FUSE filesystem
++## in the specified domain.
++##
++##
++##
++## Execute a file on a FUSE filesystem
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain. This is not suggested.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++## This interface was added to handle
++## home directories on FUSE filesystems,
++## in particular used by the ssh-agent policy.
++##
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`fs_ecryptfs_domtrans',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ allow $1 ecryptfs_t:dir search_dir_perms;
++ domain_auto_transition_pattern($1, ecryptfs_t, $2)
++')
++
+ ########################################
+ ##
+ ## Mount a FUSE filesystem.
+@@ -2025,6 +2387,87 @@ interface(`fs_read_fusefs_symlinks',`
+
+ ########################################
+ ##
++## Manage symbolic links on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_fusefs_symlinks',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++##
++## Execute a file on a FUSE filesystem
++## in the specified domain.
++##
++##
++##
++## Execute a file on a FUSE filesystem
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain. This is not suggested.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++## This interface was added to handle
++## home directories on FUSE filesystems,
++## in particular used by the ssh-agent policy.
++##
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`fs_fusefs_domtrans',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:dir search_dir_perms;
++ domain_auto_transition_pattern($1, fusefs_t, $2)
++')
++
++########################################
++##
++## Get the attributes of a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_getattr_fusefs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:filesystem getattr;
++')
++
++########################################
++##
+ ## Get the attributes of an hugetlbfs
+ ## filesystem.
+ ##
+@@ -2080,6 +2523,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+
+ ########################################
+ ##
++## Read hugetlbfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_hugetlbfs_files',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
++########################################
++##
+ ## Read and write hugetlbfs files.
+ ##
+ ##
+@@ -2148,11 +2609,12 @@ interface(`fs_list_inotifyfs',`
+ ')
+
+ allow $1 inotifyfs_t:dir list_dir_perms;
++ fs_read_anon_inodefs_files($1)
+ ')
+
+ ########################################
+ ##
+-## Dontaudit List inotifyfs filesystem.
++## Do not audit attempts to list inotifyfs filesystem.
+ ##
+ ##
+ ##
+@@ -2485,6 +2947,7 @@ interface(`fs_read_nfs_files',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ allow $1 nfs_t:dir list_dir_perms;
+ read_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2510,81 +2973,137 @@ interface(`fs_dontaudit_read_nfs_files',`
+
+ ########################################
+ ##
+-## Read files on a NFS filesystem.
++## Read files on a NFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_write_nfs_files',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ fs_search_auto_mountpoints($1)
++ allow $1 nfs_t:dir list_dir_perms;
++ write_files_pattern($1, nfs_t, nfs_t)
++')
++
++########################################
++##
++## Execute files on a NFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_exec_nfs_files',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ allow $1 nfs_t:dir list_dir_perms;
++ exec_files_pattern($1, nfs_t, nfs_t)
++')
++
++########################################
++##
++## Make general progams in nfs an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which nfs_t is an entrypoint.
++##
++##
++#
++interface(`fs_nfs_entry_type',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ domain_entry_file($1, nfs_t)
++')
++
++########################################
++##
++## Append files
++## on a NFS filesystem.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`fs_write_nfs_files',`
++interface(`fs_append_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+- allow $1 nfs_t:dir list_dir_perms;
+- write_files_pattern($1, nfs_t, nfs_t)
++ append_files_pattern($1, nfs_t, nfs_t)
+ ')
+
+ ########################################
+ ##
+-## Execute files on a NFS filesystem.
++## Do not audit attempts to append files
++## on a NFS filesystem.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ ##
+ #
+-interface(`fs_exec_nfs_files',`
++interface(`fs_dontaudit_append_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+- allow $1 nfs_t:dir list_dir_perms;
+- exec_files_pattern($1, nfs_t, nfs_t)
++ dontaudit $1 nfs_t:file append_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Append files
+-## on a NFS filesystem.
++## Read inherited files on a NFS filesystem.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`fs_append_nfs_files',`
++interface(`fs_read_inherited_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+- append_files_pattern($1, nfs_t, nfs_t)
++ allow $1 nfs_t:file read_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
+-## dontaudit Append files
+-## on a NFS filesystem.
++## Read/write inherited files on a NFS filesystem.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`fs_dontaudit_append_nfs_files',`
++interface(`fs_rw_inherited_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+- dontaudit $1 nfs_t:file append_file_perms;
++ allow $1 nfs_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -2603,7 +3122,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+ type nfs_t;
+ ')
+
+- dontaudit $1 nfs_t:file rw_file_perms;
++ dontaudit $1 nfs_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -2627,7 +3146,7 @@ interface(`fs_read_nfs_symlinks',`
+
+ ########################################
+ ##
+-## Dontaudit read symbolic links on a NFS filesystem.
++## Do not audit attempts to read symbolic links on a NFS filesystem.
+ ##
+ ##
+ ##
+@@ -2741,7 +3260,7 @@ interface(`fs_search_removable',`
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -2777,7 +3296,7 @@ interface(`fs_read_removable_files',`
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -2970,6 +3489,7 @@ interface(`fs_manage_nfs_dirs',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ allow $1 nfs_t:dir manage_dir_perms;
+ ')
+
+@@ -3010,6 +3530,7 @@ interface(`fs_manage_nfs_files',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ manage_files_pattern($1, nfs_t, nfs_t)
+ ')
+
+@@ -3050,6 +3571,7 @@ interface(`fs_manage_nfs_symlinks',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ manage_lnk_files_pattern($1, nfs_t, nfs_t)
+ ')
+
+@@ -3263,6 +3785,24 @@ interface(`fs_getattr_nfsd_files',`
+ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+ ')
+
++#######################################
++##
++## read files on an nfsd filesystem
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_nfsd_files',`
++ gen_require(`
++ type nfsd_fs_t;
++ ')
++
++ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++')
++
+ ########################################
+ ##
+ ## Read and write NFS server files.
+@@ -3283,6 +3823,24 @@ interface(`fs_rw_nfsd_fs',`
+
+ ########################################
+ ##
++## Manage NFS server files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_nfsd_fs',`
++ gen_require(`
++ type nfsd_fs_t;
++ ')
++
++ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++')
++
++########################################
++##
+ ## Allow the type to associate to ramfs filesystems.
+ ##
+ ##
+@@ -3392,7 +3950,7 @@ interface(`fs_search_ramfs',`
+
+ ########################################
+ ##
+-## Dontaudit Search directories on a ramfs
++## Do not audit attempts to search directories on a ramfs
+ ##
+ ##
+ ##
+@@ -3429,7 +3987,7 @@ interface(`fs_manage_ramfs_dirs',`
+
+ ########################################
+ ##
+-## Dontaudit read on a ramfs files.
++## Do not audit attempts to read on a ramfs files.
+ ##
+ ##
+ ##
+@@ -3447,7 +4005,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+
+ ########################################
+ ##
+-## Dontaudit read on a ramfs fifo_files.
++## Do not audit attempts to read on a ramfs fifo_files.
+ ##
+ ##
+ ##
+@@ -3815,6 +4373,24 @@ interface(`fs_unmount_tmpfs',`
+
+ ########################################
+ ##
++## Mount on tmpfs directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_mounton_tmpfs', `
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:dir mounton;
++')
++
++########################################
++##
+ ## Get the attributes of a tmpfs
+ ## filesystem.
+ ##
+@@ -3963,6 +4539,60 @@ interface(`fs_dontaudit_list_tmpfs',`
+
+ ########################################
+ ##
++## Relabel directory on tmpfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabel_tmpfs_dirs',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++##
++## Relabel fifo_file on tmpfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabel_tmpfs_fifo_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++##
++## Relabel files on tmpfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabel_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ relabel_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++##
+ ## Create, read, write, and delete
+ ## tmpfs directories
+ ##
+@@ -4069,7 +4699,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+ type tmpfs_t;
+ ')
+
+- dontaudit $1 tmpfs_t:file rw_file_perms;
++ dontaudit $1 tmpfs_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -4129,6 +4759,24 @@ interface(`fs_rw_tmpfs_files',`
+
+ ########################################
+ ##
++## Read and write generic tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_inherited_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:file { read write };
++')
++
++########################################
++##
+ ## Read tmpfs link files.
+ ##
+ ##
+@@ -4166,7 +4814,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+
+ ########################################
+ ##
+-## dontaudit Read and write character nodes on tmpfs filesystems.
++## Do not audit attempts to read and write character nodes on tmpfs filesystems.
+ ##
+ ##
+ ##
+@@ -4185,6 +4833,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+
+ ########################################
+ ##
++## Do not audit attempts to create character nodes on tmpfs filesystems.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_create_tmpfs_chr_dev',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:chr_file create;
++')
++
++########################################
++##
++## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_read_tmpfs_blk_dev',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read files on tmpfs filesystems.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_read_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:blk_file read;
++')
++
++########################################
++##
+ ## Relabel character nodes on tmpfs filesystems.
+ ##
+ ##
+@@ -4242,6 +4944,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
+
+ ########################################
+ ##
++## Relabel sock nodes on tmpfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_relabel_tmpfs_sock_file',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:dir list_dir_perms;
++ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++##
++## Delete generic files in tmpfs directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_delete_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:file unlink;
++')
++
++########################################
++##
+ ## Read and write, create and delete generic
+ ## files on tmpfs filesystems.
+ ##
+@@ -4261,6 +5000,25 @@ interface(`fs_manage_tmpfs_files',`
+
+ ########################################
+ ##
++## Execute files on a tmpfs filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_exec_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ exec_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++##
+ ## Read and write, create and delete symbolic
+ ## links on tmpfs filesystems.
+ ##
+@@ -4467,6 +5225,8 @@ interface(`fs_mount_all_fs',`
+ ')
+
+ allow $1 filesystem_type:filesystem mount;
++# Mount checks write access on the dir
++ allow $1 filesystem_type:dir write;
+ ')
+
+ ########################################
+@@ -4513,7 +5273,7 @@ interface(`fs_unmount_all_fs',`
+ ##
+ ##
+ ## Allow the specified domain to
+-## et the attributes of all filesystems.
++## get the attributes of all filesystems.
+ ## Example attributes:
+ ##
+ ##
+@@ -4876,3 +5636,43 @@ interface(`fs_unconfined',`
+
+ typeattribute $1 filesystem_unconfined_type;
+ ')
++
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked filesystems files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_leaks',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
++ dontaudit $1 filesystem_type:lnk_file { read };
++')
++
++
++########################################
++##
++## Transition named content in tmpfs_t directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_tmpfs_filetrans_named_content',`
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
++ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
++')
+diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
+index 376bae8..36a5041 100644
+--- a/policy/modules/kernel/filesystem.te
++++ b/policy/modules/kernel/filesystem.te
+@@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
+
+ # Use the allocating task SID to label inodes in the following filesystem
+ # types, and label the filesystem itself with the specified context.
+@@ -52,6 +54,7 @@ type anon_inodefs_t;
+ fs_type(anon_inodefs_t)
+ files_mountpoint(anon_inodefs_t)
+ genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
++mls_trusted_object(anon_inodefs_t)
+
+ type bdev_t;
+ fs_type(bdev_t)
+@@ -67,7 +70,7 @@ fs_type(capifs_t)
+ files_mountpoint(capifs_t)
+ genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
+
+-type cgroup_t;
++type cgroup_t alias cgroupfs_t;
+ fs_type(cgroup_t)
+ files_type(cgroup_t)
+ files_mountpoint(cgroup_t)
+@@ -88,6 +91,11 @@ fs_noxattr_type(ecryptfs_t)
+ files_mountpoint(ecryptfs_t)
+ genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
+
++type efivarfs_t;
++fs_noxattr_type(efivarfs_t)
++files_mountpoint(efivarfs_t)
++genfscon efivarfs / gen_context(system_u:object_r:efivarfs_t,s0)
++
+ type futexfs_t;
+ fs_type(futexfs_t)
+ genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
+@@ -96,6 +104,7 @@ type hugetlbfs_t;
+ fs_type(hugetlbfs_t)
+ files_mountpoint(hugetlbfs_t)
+ fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
++dev_associate(hugetlbfs_t)
+
+ type ibmasmfs_t;
+ fs_type(ibmasmfs_t)
+@@ -144,11 +153,6 @@ fs_type(spufs_t)
+ genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
+ files_mountpoint(spufs_t)
+
+-type squash_t;
+-fs_type(squash_t)
+-genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+-files_mountpoint(squash_t)
+-
+ type sysv_t;
+ fs_noxattr_type(sysv_t)
+ files_mountpoint(sysv_t)
+@@ -175,6 +179,7 @@ fs_type(tmpfs_t)
+ files_type(tmpfs_t)
+ files_mountpoint(tmpfs_t)
+ files_poly_parent(tmpfs_t)
++dev_associate(tmpfs_t)
+
+ # Use a transition SID based on the allocating task SID and the
+ # filesystem SID to label inodes in the following filesystem types,
+@@ -254,6 +259,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+ type removable_t;
+ allow removable_t noxattrfs:filesystem associate;
+ fs_noxattr_type(removable_t)
++files_type(removable_t)
++dev_node(removable_t)
+ files_mountpoint(removable_t)
+
+ #
+@@ -273,6 +280,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
++genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)
+
+ ########################################
+ #
+diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
+index 7be4ddf..f7021a0 100644
+--- a/policy/modules/kernel/kernel.fc
++++ b/policy/modules/kernel/kernel.fc
+@@ -1 +1,2 @@
+-# This module currently does not have any file contexts.
++
++/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 4bf45cb..9f81200 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
+ type kernel_t;
+ ')
+
+- allow $1 kernel_t:unix_dgram_socket { read write ioctl };
++ allow $1 kernel_t:unix_dgram_socket { getattr read write ioctl };
+ ')
+
+ ########################################
+@@ -785,6 +785,24 @@ interface(`kernel_unmount_proc',`
+
+ ########################################
+ ##
++## Mounton a proc filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_mounton_proc',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ allow $1 proc_t:dir mounton;
++')
++
++########################################
++##
+ ## Get the attributes of the proc filesystem.
+ ##
+ ##
+@@ -972,13 +990,10 @@ interface(`kernel_read_proc_symlinks',`
+ #
+ interface(`kernel_read_system_state',`
+ gen_require(`
+- type proc_t;
++ attribute kernel_system_state_reader;
+ ')
+
+- read_files_pattern($1, proc_t, proc_t)
+- read_lnk_files_pattern($1, proc_t, proc_t)
+-
+- list_dirs_pattern($1, proc_t, proc_t)
++ typeattribute $1 kernel_system_state_reader;
+ ')
+
+ ########################################
+@@ -1458,6 +1473,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+
+ ########################################
+ ##
++## Allow attempts to read all proc types.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_read_all_proc',`
++ gen_require(`
++ attribute proc_type;
++ ')
++
++ read_files_pattern($1, proc_type, proc_type)
++')
++
++########################################
++##
+ ## Do not audit attempts by caller to search
+ ## the base directory of sysctls.
+ ##
+@@ -2066,7 +2099,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+ ')
+
+ dontaudit $1 sysctl_type:dir list_dir_perms;
+- dontaudit $1 sysctl_type:file getattr;
++ dontaudit $1 sysctl_type:file read_file_perms;
+ ')
+
+ ########################################
+@@ -2263,6 +2296,25 @@ interface(`kernel_list_unlabeled',`
+
+ ########################################
+ ##
++## Delete unlabeled files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_delete_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir delete_dir_perms;
++ allow $1 unlabeled_t:dir_file_class_set delete_file_perms;
++')
++
++########################################
++##
+ ## Read the process state (/proc/pid) of all unlabeled_t.
+ ##
+ ##
+@@ -2287,7 +2339,7 @@ interface(`kernel_read_unlabeled_state',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -2469,6 +2521,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+
+ ########################################
+ ##
++## Read and write unlabeled sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_rw_unlabeled_socket',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:socket rw_socket_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts by caller to get attributes for
+ ## unlabeled character devices.
+ ##
+@@ -2506,6 +2576,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+
+ ########################################
+ ##
++## Allow caller to relabel unlabeled filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_relabelfrom_unlabeled_fs',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:filesystem relabelfrom;
++')
++
++########################################
++##
+ ## Allow caller to relabel unlabeled files.
+ ##
+ ##
+@@ -2613,7 +2701,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+ allow $1 unlabeled_t:association { sendto recvfrom };
+
+ # temporary hack until labeling on packets is supported
+- allow $1 unlabeled_t:packet { send recv };
++# allow $1 unlabeled_t:packet { send recv };
+ ')
+
+ ########################################
+@@ -2651,6 +2739,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+
+ ########################################
+ ##
++## Receive DCCP packets from an unlabeled connection.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_dccp_recvfrom_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dccp_socket recvfrom;
++')
++
++########################################
++##
+ ## Receive TCP packets from an unlabeled connection.
+ ##
+ ##
+@@ -2678,6 +2784,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+
+ ########################################
+ ##
++## Do not audit attempts to receive DCCP packets from an unlabeled
++## connection.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`kernel_dontaudit_dccp_recvfrom_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ dontaudit $1 unlabeled_t:dccp_socket recvfrom;
++')
++
++########################################
++##
+ ## Do not audit attempts to receive TCP packets from an unlabeled
+ ## connection.
+ ##
+@@ -2787,6 +2912,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+
+ allow $1 unlabeled_t:rawip_socket recvfrom;
+ ')
++########################################
++##
++## Read/Write Raw IP packets from an unlabeled connection.
++##
++##
++##
++## Receive Raw IP packets from an unlabeled connection.
++##
++##
++## The corenetwork interface corenet_raw_recv_unlabeled() should
++## be used instead of this one.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_rw_unlabeled_rawip_socket',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:rawip_socket rw_socket_perms;
++')
++
+
+ ########################################
+ ##
+@@ -2942,6 +3094,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+
+ ########################################
+ ##
++## Relabel to unlabeled context .
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_relabelto_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir_file_class_set relabelto;
++')
++
++########################################
++##
+ ## Unconfined access to kernel module resources.
+ ##
+ ##
+@@ -2956,5 +3126,318 @@ interface(`kernel_unconfined',`
+ ')
+
+ typeattribute $1 kern_unconfined;
+- kernel_load_module($1)
++ kernel_load_module($1)
++')
++
++########################################
++##
++## Allow the specified domain to connect to
++## the kernel with a unix socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_stream_connect',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:unix_stream_socket connectto;
++')
++
++########################################
++##
++## Allow the specified domain to getattr on
++## the kernel with a unix socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_stream_read',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:unix_stream_socket { read getattr };
++')
++
++#######################################
++##
++## Allow the specified domain to write on
++## the kernel with a unix socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_stream_write',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:unix_stream_socket { write getattr };
++')
++
++#######################################
++##
++## Allow the specified domain to read/write on
++## the kernel with a unix socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_rw_stream_socket_perms',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:unix_stream_socket rw_socket_perms;
++')
++
++########################################
++##
++## Make the specified type usable for regular entries in proc
++##
++##
++##
++## Type to be used for /proc entries.
++##
++##
++#
++interface(`kernel_proc_type',`
++ gen_require(`
++ attribute proc_type;
++ ')
++
++ typeattribute $1 proc_type;
++')
++
++########################################
++##
++## Do not audit attempts by caller to get attributes on all sysctls.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`kernel_dontaudit_getattr_all_sysctls',`
++ gen_require(`
++ attribute sysctl_type;
++ ')
++
++ dontaudit $1 sysctl_type:file getattr;
++')
++
++########################################
++##
++## Read the process state (/proc/pid) of the kernel.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_read_state',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:dir search_dir_perms;
++ allow $1 kernel_t:file read_file_perms;
++ allow $1 kernel_t:lnk_file read_lnk_file_perms;
++')
++
++########################################
++##
++## Dontaudit attempts to read the process state (/proc/pid) of the kernel.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_dontaudit_read_state',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ dontaudit $1 kernel_t:dir search_dir_perms;
++ dontaudit $1 kernel_t:file read_file_perms;
++ dontaudit $1 kernel_t:lnk_file read_lnk_file_perms;
++')
++
++########################################
++##
++## Allow searching of numa state directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_search_numa_state',`
++ gen_require(`
++ type proc_t, proc_numa_t;
++ ')
++
++ search_dirs_pattern($1, proc_t, proc_numa_t)
++')
++
++########################################
++##
++## Do not audit attempts to search the numa
++## state directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++##
++#
++interface(`kernel_dontaudit_search_numa_state',`
++ gen_require(`
++ type proc_numa_t;
++ ')
++
++ dontaudit $1 proc_numa_t:dir search;
++')
++
++########################################
++##
++## Allow caller to read the numa state information.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_read_numa_state',`
++ gen_require(`
++ type proc_t, proc_numa_t;
++ ')
++
++ read_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
++ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
++
++ list_dirs_pattern($1, proc_t, proc_numa_t)
++')
++
++########################################
++##
++## Allow caller to read the numa state symbolic links.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_read_numa_state_symlinks',`
++ gen_require(`
++ type proc_t, proc_numa_t;
++ ')
++
++ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
++
++ list_dirs_pattern($1, proc_t, proc_numa_t)
++')
++
++########################################
++##
++## Allow caller to write numa state information.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_write_numa_state',`
++ gen_require(`
++ type proc_t, proc_numa_t;
++ ')
++
++ write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
++')
++
++########################################
++##
++## Allow caller to search virtual memory overcommit sysctls.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_search_vm_overcommit_sysctl',`
++ gen_require(`
++ type sysctl_vm_overcommit_t;
++ ')
++
++ kernel_search_vm_sysctl($1)
++ search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
++')
++
++########################################
++##
++## Allow caller to read virtual memory overcommit sysctls.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_read_vm_overcommit_sysctls',`
++ gen_require(`
++ type sysctl_vm_overcommit_t;
++ ')
++
++ kernel_search_vm_sysctl($1)
++ read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
++')
++
++########################################
++##
++## Read and write virtual memory overcommit sysctls.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_rw_vm_overcommit_sysctls',`
++ gen_require(`
++ type sysctl_vm_overcommit_t;
++ ')
++
++ kernel_search_vm_sysctl($1)
++ rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
++ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
+ ')
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index ab9b6cd..ccffb0f 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -25,6 +25,9 @@ attribute kern_unconfined;
+ # regular entries in proc
+ attribute proc_type;
+
++# attribute for domains which read proc_t
++attribute kernel_system_state_reader;
++
+ # sysctls
+ attribute sysctl_type;
+
+@@ -48,6 +51,7 @@ ifdef(`enable_mls',`
+ type kernel_t, can_load_kernmodule;
+ domain_base_type(kernel_t)
+ mls_rangetrans_source(kernel_t)
++mls_trusted_object(kernel_t)
+ role system_r types kernel_t;
+ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
+
+@@ -58,6 +62,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
+ type debugfs_t;
+ files_mountpoint(debugfs_t)
+ fs_type(debugfs_t)
++files_mountpoint(debugfs_t)
++
+ allow debugfs_t self:filesystem associate;
+ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
+
+@@ -95,6 +101,10 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
+ type proc_mdstat_t, proc_type;
+ genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
+
++type proc_numa_t, proc_type;
++genfscon proc /numatools gen_context(system_u:object_r:proc_numa_t,s0)
++mls_trusted_object(proc_numa_t)
++
+ type proc_net_t, proc_type;
+ genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
+
+@@ -153,6 +163,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
+ type sysctl_vm_t, sysctl_type;
+ genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
+
++# /proc/sys/vm/overcommit_memory
++type sysctl_vm_overcommit_t, sysctl_type;
++genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0)
++
+ # /proc/sys/dev directory and files
+ type sysctl_dev_t, sysctl_type;
+ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -165,6 +179,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+ type unlabeled_t;
+ fs_associate(unlabeled_t)
+ sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
++fs_associate(unlabeled_t)
+
+ # These initial sids are no longer used, and can be removed:
+ sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -233,7 +248,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+ corenet_in_generic_if(unlabeled_t)
+ corenet_in_generic_node(unlabeled_t)
+
+-corenet_all_recvfrom_unlabeled(kernel_t)
+ corenet_all_recvfrom_netlabel(kernel_t)
+ # Kernel-generated traffic e.g., ICMP replies:
+ corenet_raw_sendrecv_all_if(kernel_t)
+@@ -244,17 +258,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+ corenet_tcp_sendrecv_all_nodes(kernel_t)
+ corenet_raw_send_generic_node(kernel_t)
+ corenet_send_all_packets(kernel_t)
++corenet_filetrans_all_named_dev(kernel_t)
+
+ dev_read_sysfs(kernel_t)
+ dev_search_usbfs(kernel_t)
+ # devtmpfs handling:
+ dev_create_generic_dirs(kernel_t)
+ dev_delete_generic_dirs(kernel_t)
+-dev_create_generic_blk_files(kernel_t)
+-dev_delete_generic_blk_files(kernel_t)
+-dev_create_generic_chr_files(kernel_t)
+-dev_delete_generic_chr_files(kernel_t)
++dev_create_all_blk_files(kernel_t)
++dev_delete_all_blk_files(kernel_t)
++dev_create_all_chr_files(kernel_t)
++dev_delete_all_chr_files(kernel_t)
+ dev_mounton(kernel_t)
++dev_filetrans_all_named_dev(kernel_t)
++storage_filetrans_all_named_dev(kernel_t)
++term_filetrans_all_named_dev(kernel_t)
+
+ # Mount root file system. Used when loading a policy
+ # from initrd, then mounting the root filesystem
+@@ -263,7 +281,8 @@ fs_unmount_all_fs(kernel_t)
+
+ selinux_load_policy(kernel_t)
+
+-term_use_console(kernel_t)
++term_use_all_terms(kernel_t)
++term_use_ptmx(kernel_t)
+
+ corecmd_exec_shell(kernel_t)
+ corecmd_list_bin(kernel_t)
+@@ -277,25 +296,48 @@ files_list_root(kernel_t)
+ files_list_etc(kernel_t)
+ files_list_home(kernel_t)
+ files_read_usr_files(kernel_t)
++files_manage_mounttab(kernel_t)
++files_manage_generic_spool_dirs(kernel_t)
+
+ mcs_process_set_categories(kernel_t)
++mcs_file_read_all(kernel_t)
++mcs_file_write_all(kernel_t)
++mcs_socket_write_all_levels(kernel_t)
+
+ mls_process_read_up(kernel_t)
+ mls_process_write_down(kernel_t)
++mls_file_downgrade(kernel_t)
+ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
++mls_socket_write_all_levels(kernel_t)
++mls_fd_share_all_levels(kernel_t)
++mls_fd_use_all_levels(kernel_t)
+
+ ifdef(`distro_redhat',`
+ # Bugzilla 222337
+ fs_rw_tmpfs_chr_files(kernel_t)
+ ')
+
++
++optional_policy(`
++ apache_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
++ gnome_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
++ kerberos_filetrans_home_content(kernel_t)
++')
++
+ optional_policy(`
+ hotplug_search_config(kernel_t)
+ ')
+
+ optional_policy(`
+ init_sigchld(kernel_t)
++ init_dyntrans(kernel_t)
+ ')
+
+ optional_policy(`
+@@ -305,6 +347,19 @@ optional_policy(`
+
+ optional_policy(`
+ logging_send_syslog_msg(kernel_t)
++ logging_manage_generic_logs(kernel_t)
++')
++
++optional_policy(`
++ mta_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
++ ssh_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
++ userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
+ ')
+
+ optional_policy(`
+@@ -334,7 +389,6 @@ optional_policy(`
+
+ rpc_manage_nfs_ro_content(kernel_t)
+ rpc_manage_nfs_rw_content(kernel_t)
+- rpc_tcp_rw_nfs_sockets(kernel_t)
+ rpc_udp_rw_nfs_sockets(kernel_t)
+
+ tunable_policy(`nfs_export_all_ro',`
+@@ -343,9 +397,7 @@ optional_policy(`
+ fs_read_noxattr_fs_files(kernel_t)
+ fs_read_noxattr_fs_symlinks(kernel_t)
+
+- files_list_non_auth_dirs(kernel_t)
+- files_read_non_auth_files(kernel_t)
+- files_read_non_auth_symlinks(kernel_t)
++ files_read_non_security_files(kernel_t)
+ ')
+
+ tunable_policy(`nfs_export_all_rw',`
+@@ -354,7 +406,7 @@ optional_policy(`
+ fs_read_noxattr_fs_files(kernel_t)
+ fs_read_noxattr_fs_symlinks(kernel_t)
+
+- files_manage_non_auth_files(kernel_t)
++ files_manage_non_security_files(kernel_t)
+ ')
+ ')
+
+@@ -367,6 +419,15 @@ optional_policy(`
+ unconfined_domain_noaudit(kernel_t)
+ ')
+
++optional_policy(`
++ virt_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
++ xserver_xdm_manage_spool(kernel_t)
++ xserver_filetrans_home_content(kernel_t)
++')
++
+ ########################################
+ #
+ # Unlabeled process local policy
+@@ -409,4 +470,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+ allow kern_unconfined unlabeled_t:filesystem *;
+ allow kern_unconfined unlabeled_t:association *;
+ allow kern_unconfined unlabeled_t:packet *;
+-allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
++allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap };
++
++gen_require(`
++ bool secure_mode_insmod;
++')
++
++if( ! secure_mode_insmod ) {
++ allow can_load_kernmodule self:capability sys_module;
++ allow can_load_kernmodule self:capability2 compromise_kernel;
++ # load_module() calls stop_machine() which
++ # calls sched_setscheduler()
++ allow can_load_kernmodule self:capability sys_nice;
++ kernel_setsched(can_load_kernmodule)
++}
++
++#######################################
++#
++# Kernel system state reader policy
++#
++
++read_files_pattern(kernel_system_state_reader, proc_t, proc_t)
++read_lnk_files_pattern(kernel_system_state_reader, proc_t, proc_t)
++list_dirs_pattern(kernel_system_state_reader, proc_t, proc_t)
+diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
+index f52faaf..6bb6529 100644
+--- a/policy/modules/kernel/mcs.if
++++ b/policy/modules/kernel/mcs.if
+@@ -102,3 +102,49 @@ interface(`mcs_process_set_categories',`
+
+ typeattribute $1 mcssetcats;
+ ')
++
++########################################
++##
++## Make specified process type MCS untrusted.
++##
++##
++##
++## Make specified process type MCS untrusted. This
++## prevents this process from sending signals to other processes
++## with different mcs labels
++## object.
++##
++##
++##
++##
++## The type of the process.
++##
++##
++#
++interface(`mcs_untrusted_proc',`
++ gen_require(`
++ attribute mcsuntrustedproc;
++ ')
++
++ typeattribute $1 mcsuntrustedproc;
++')
++
++########################################
++##
++## Make specified domain MCS trusted
++## for writing to sockets at any level.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`mcs_socket_write_all_levels',`
++ gen_require(`
++ attribute mcsnetwrite;
++ ')
++
++ typeattribute $1 mcsnetwrite;
++')
+diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
+index 0e5b661..3168d72 100644
+--- a/policy/modules/kernel/mcs.te
++++ b/policy/modules/kernel/mcs.te
+@@ -10,3 +10,5 @@ attribute mcsptraceall;
+ attribute mcssetcats;
+ attribute mcswriteall;
+ attribute mcsreadall;
++attribute mcsuntrustedproc;
++attribute mcsnetwrite;
+diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
+index 7be4ddf..4d4c577 100644
+--- a/policy/modules/kernel/selinux.fc
++++ b/policy/modules/kernel/selinux.fc
+@@ -1 +1 @@
+-# This module currently does not have any file contexts.
++/selinux -l gen_context(system_u:object_r:security_t,s0)
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index 81440c5..a02d444 100644
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
+
+ # because of this statement, any module which
+ # calls this interface must be in the base module:
+- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
++# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+ ')
+
+ ########################################
+@@ -58,6 +58,9 @@ interface(`selinux_get_fs_mount',`
+ type security_t;
+ ')
+
++ allow $1 security_t:lnk_file read_lnk_file_perms;
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
+ # starting in libselinux 2.0.5, init_selinuxmnt() will
+ # attempt to short circuit by checking if SELINUXMNT
+ # (/selinux) is already a selinuxfs
+@@ -87,6 +90,7 @@ interface(`selinux_dontaudit_get_fs_mount',`
+ # starting in libselinux 2.0.5, init_selinuxmnt() will
+ # attempt to short circuit by checking if SELINUXMNT
+ # (/selinux) is already a selinuxfs
++ dev_dontaudit_search_sysfs($1)
+ dontaudit $1 security_t:filesystem getattr;
+
+ # read /proc/filesystems to see if selinuxfs is supported
+@@ -109,6 +113,9 @@ interface(`selinux_mount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:filesystem mount;
+ ')
+
+@@ -128,6 +135,9 @@ interface(`selinux_remount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:filesystem remount;
+ ')
+
+@@ -146,6 +156,9 @@ interface(`selinux_unmount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:filesystem unmount;
+ ')
+
+@@ -164,6 +177,7 @@ interface(`selinux_getattr_fs',`
+ type security_t;
+ ')
+
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:filesystem getattr;
+ ')
+
+@@ -220,6 +234,9 @@ interface(`selinux_search_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir search_dir_perms;
+ ')
+
+@@ -243,6 +260,28 @@ interface(`selinux_dontaudit_search_fs',`
+
+ ########################################
+ ##
++## Mount on selinuxfs directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`selinux_mounton_fs',`
++ gen_require(`
++ type security_t;
++ ')
++
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
++ allow $1 security_t:dir mounton;
++')
++
++
++########################################
++##
+ ## Do not audit attempts to read
+ ## generic selinuxfs entries
+ ##
+@@ -257,6 +296,7 @@ interface(`selinux_dontaudit_read_fs',`
+ type security_t;
+ ')
+
++ selinux_dontaudit_getattr_fs($1)
+ dontaudit $1 security_t:dir search_dir_perms;
+ dontaudit $1 security_t:file read_file_perms;
+ ')
+@@ -278,6 +318,8 @@ interface(`selinux_get_enforce_mode',`
+ type security_t;
+ ')
+
++ selinux_get_fs_mount($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file read_file_perms;
+ ')
+@@ -308,21 +350,9 @@ interface(`selinux_set_enforce_mode',`
+ gen_require(`
+ type security_t;
+ attribute can_setenforce;
+- bool secure_mode_policyload;
+ ')
+
+- allow $1 security_t:dir list_dir_perms;
+- allow $1 security_t:file rw_file_perms;
+ typeattribute $1 can_setenforce;
+-
+- if(!secure_mode_policyload) {
+- allow $1 security_t:security setenforce;
+-
+- ifdef(`distro_rhel4',`
+- # needed for systems without audit support
+- auditallow $1 security_t:security setenforce;
+- ')
+- }
+ ')
+
+ ########################################
+@@ -339,21 +369,14 @@ interface(`selinux_load_policy',`
+ gen_require(`
+ type security_t;
+ attribute can_load_policy;
+- bool secure_mode_policyload;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ typeattribute $1 can_load_policy;
+-
+- if(!secure_mode_policyload) {
+- allow $1 security_t:security load_policy;
+-
+- ifdef(`distro_rhel4',`
+- # needed for systems without audit support
+- auditallow $1 security_t:security load_policy;
+- ')
+- }
+ ')
+
+ ########################################
+@@ -371,6 +394,9 @@ interface(`selinux_read_policy',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file read_file_perms;
+ allow $1 security_t:security read_policy;
+@@ -433,17 +459,16 @@ interface(`selinux_set_boolean',`
+ interface(`selinux_set_generic_booleans',`
+ gen_require(`
+ type security_t;
++ attribute can_setbool;
+ ')
+
++ typeattribute $1 can_setbool;
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+
+- allow $1 security_t:security setbool;
+-
+- ifdef(`distro_rhel4',`
+- # needed for systems without audit support
+- auditallow $1 security_t:security setbool;
+- ')
+ ')
+
+ ########################################
+@@ -472,23 +497,16 @@ interface(`selinux_set_all_booleans',`
+ gen_require(`
+ type security_t, secure_mode_policyload_t;
+ attribute boolean_type;
+- bool secure_mode_policyload;
++ attribute can_setbool;
+ ')
+
++ typeattribute $1 can_setbool;
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+- allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
+- allow $1 secure_mode_policyload_t:file read_file_perms;
+-
+- allow $1 security_t:security setbool;
+-
+- ifdef(`distro_rhel4',`
+- # needed for systems without audit support
+- auditallow $1 security_t:security setbool;
+- ')
+-
+- if(!secure_mode_policyload) {
+- allow $1 secure_mode_policyload_t:file write_file_perms;
+- }
++ allow $1 boolean_type:dir list_dir_perms;
++ allow $1 boolean_type:file rw_file_perms;
+ ')
+
+ ########################################
+@@ -519,6 +537,9 @@ interface(`selinux_set_parameters',`
+ attribute can_setsecparam;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security setsecparam;
+@@ -542,6 +563,9 @@ interface(`selinux_validate_context',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security check_context;
+@@ -584,6 +608,9 @@ interface(`selinux_compute_access_vector',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_av;
+@@ -605,6 +632,9 @@ interface(`selinux_compute_create_context',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_create;
+@@ -626,6 +656,9 @@ interface(`selinux_compute_member',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_member;
+@@ -655,6 +688,9 @@ interface(`selinux_compute_relabel_context',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_relabel;
+@@ -675,6 +711,9 @@ interface(`selinux_compute_user_contexts',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_fs($1)
++ dev_search_sysfs($1)
++ allow $1 security_t:lnk_file read_lnk_file_perms;
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_user;
+@@ -696,4 +735,29 @@ interface(`selinux_unconfined',`
+ ')
+
+ typeattribute $1 selinux_unconfined_type;
++ selinux_set_all_booleans($1)
++ selinux_load_policy($1)
++ selinux_set_parameters($1)
++ selinux_set_enforce_mode($1)
++')
++
++########################################
++##
++## Generate a file context for a boolean type
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`selinux_genbool',`
++ gen_require(`
++ attribute boolean_type;
++ ')
++
++ type $1, boolean_type;
++ fs_type($1)
++ mls_trusted_object($1)
+ ')
++
+diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
+index 522ab32..443f4a0 100644
+--- a/policy/modules/kernel/selinux.te
++++ b/policy/modules/kernel/selinux.te
+@@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false)
+ attribute boolean_type;
+ attribute can_load_policy;
+ attribute can_setenforce;
++attribute can_setbool;
+ attribute can_setsecparam;
+ attribute selinux_unconfined_type;
+
+@@ -31,14 +32,15 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
+ type security_t, boolean_type;
+ files_mountpoint(security_t)
+ fs_type(security_t)
++files_mountpoint(security_t)
+ mls_trusted_object(security_t)
+ sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
+ genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
+ genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
+
+-neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
+-neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
+-neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
++neverallow ~{ can_load_policy } security_t:security load_policy;
++neverallow ~{ can_setenforce } security_t:security setenforce;
++neverallow ~{ can_setsecparam } security_t:security setsecparam;
+
+ ########################################
+ #
+@@ -60,11 +62,28 @@ ifdef(`distro_rhel4',`
+ ')
+
+ if(!secure_mode_policyload) {
+- allow selinux_unconfined_type security_t:security { load_policy setenforce };
+- allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
++ allow can_setenforce security_t:security setenforce;
++ dev_getattr_sysfs_fs(can_setenforce)
++ dev_search_sysfs(can_setenforce)
++ allow can_setenforce security_t:dir list_dir_perms;
++ allow can_setenforce security_t:file rw_file_perms;
++
++ ifdef(`distro_rhel4',`
++ # needed for systems without audit support
++ auditallow can_setenforce security_t:security setenforce;
++ ')
++
++ allow can_load_policy security_t:security load_policy;
++
++ ifdef(`distro_rhel4',`
++ # needed for systems without audit support
++ auditallow can_load_policy security_t:security load_policy;
++ ')
++
++ allow can_setbool boolean_type:security setbool;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+- auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
++ auditallow can_setbool boolean_type:security setbool;
+ ')
+ }
+diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
+index 54f1827..a2d5eaa 100644
+--- a/policy/modules/kernel/storage.fc
++++ b/policy/modules/kernel/storage.fc
+@@ -28,7 +28,8 @@
+ /dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
+-/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
++/dev/megaraid_sas_ioctl_node -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/megadev.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -51,7 +52,7 @@ ifdef(`distro_redhat', `
+ /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
+-/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/tw[a-z][^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
+ /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -81,3 +82,6 @@ ifdef(`distro_redhat', `
+
+ /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
++
++/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
+diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
+index 1700ef2..6fb69e7 100644
+--- a/policy/modules/kernel/storage.if
++++ b/policy/modules/kernel/storage.if
+@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
+
+ ########################################
+ ##
++## Allow the caller to read/write inherited fixed disk
++## device nodes.
++##
++##
++##
++## The domain allowed access.
++##
++##
++#
++interface(`storage_rw_inherited_fixed_disk_dev',`
++ gen_require(`
++ type fixed_disk_device_t;
++ ')
++
++ allow $1 fixed_disk_device_t:chr_file { read write };
++ allow $1 fixed_disk_device_t:blk_file { read write };
++')
++
++########################################
++##
+ ## Do not audit attempts made by the caller to get
+ ## the attributes of fixed disk device nodes.
+ ##
+@@ -101,6 +121,8 @@ interface(`storage_raw_read_fixed_disk',`
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
++ #577012
++ allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms;
+ typeattribute $1 fixed_disk_raw_read;
+ ')
+
+@@ -205,6 +227,7 @@ interface(`storage_create_fixed_disk_dev',`
+
+ allow $1 self:capability mknod;
+ allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
++ allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;
+ dev_add_entry_generic_dirs($1)
+ ')
+
+@@ -269,6 +292,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
+ dev_filetrans($1, fixed_disk_device_t, blk_file)
+ ')
+
++#######################################
++##
++## Create block devices in /dev with the fixed disk type
++## via an automatic type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`storage_dev_filetrans_named_fixed_disk',`
++ gen_require(`
++ type fixed_disk_device_t;
++ ')
++
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
++')
++
+ ########################################
+ ##
+ ## Create block devices in on a tmpfs filesystem with the
+@@ -711,6 +776,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
+ dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
+ ')
+
++#######################################
++##
++## Alow read and write inherited removable devices.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`storage_rw_inherited_removable_device',`
++ gen_require(`
++ type removable_device_t;
++ ')
++
++ dontaudit $1 removable_device_t:blk_file { read write };
++')
++
+ ########################################
+ ##
+ ## Allow the caller to directly read
+@@ -808,3 +891,369 @@ interface(`storage_unconfined',`
+
+ typeattribute $1 storage_unconfined_type;
+ ')
++
++########################################
++##
++## Create all named devices with the correct label
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`storage_filetrans_all_named_dev',`
++
++ gen_require(`
++ type tape_device_t;
++ type fixed_disk_device_t;
++ type removable_device_t;
++ type scsi_generic_device_t;
++ type fuse_device_t;
++ ')
++
++ dev_filetrans($1, tape_device_t, chr_file, "ht00")
++ dev_filetrans($1, tape_device_t, chr_file, "ht01")
++ dev_filetrans($1, tape_device_t, chr_file, "ht02")
++ dev_filetrans($1, tape_device_t, chr_file, "ht03")
++ dev_filetrans($1, tape_device_t, chr_file, "ht04")
++ dev_filetrans($1, tape_device_t, chr_file, "ht05")
++ dev_filetrans($1, tape_device_t, chr_file, "ht06")
++ dev_filetrans($1, tape_device_t, chr_file, "ht07")
++ dev_filetrans($1, tape_device_t, chr_file, "ht08")
++ dev_filetrans($1, tape_device_t, chr_file, "ht09")
++ dev_filetrans($1, tape_device_t, chr_file, "st00")
++ dev_filetrans($1, tape_device_t, chr_file, "st01")
++ dev_filetrans($1, tape_device_t, chr_file, "st02")
++ dev_filetrans($1, tape_device_t, chr_file, "st03")
++ dev_filetrans($1, tape_device_t, chr_file, "st04")
++ dev_filetrans($1, tape_device_t, chr_file, "st05")
++ dev_filetrans($1, tape_device_t, chr_file, "st06")
++ dev_filetrans($1, tape_device_t, chr_file, "st07")
++ dev_filetrans($1, tape_device_t, chr_file, "st08")
++ dev_filetrans($1, tape_device_t, chr_file, "st09")
++ dev_filetrans($1, tape_device_t, chr_file, "qft0")
++ dev_filetrans($1, tape_device_t, chr_file, "qft1")
++ dev_filetrans($1, tape_device_t, chr_file, "qft2")
++ dev_filetrans($1, tape_device_t, chr_file, "qft3")
++ dev_filetrans($1, tape_device_t, chr_file, "osst00")
++ dev_filetrans($1, tape_device_t, chr_file, "osst01")
++ dev_filetrans($1, tape_device_t, chr_file, "osst02")
++ dev_filetrans($1, tape_device_t, chr_file, "osst03")
++ dev_filetrans($1, tape_device_t, chr_file, "osst04")
++ dev_filetrans($1, tape_device_t, chr_file, "osst05")
++ dev_filetrans($1, tape_device_t, chr_file, "osst06")
++ dev_filetrans($1, tape_device_t, chr_file, "osst07")
++ dev_filetrans($1, tape_device_t, chr_file, "osst08")
++ dev_filetrans($1, tape_device_t, chr_file, "osst09")
++ dev_filetrans($1, tape_device_t, chr_file, "pt0")
++ dev_filetrans($1, tape_device_t, chr_file, "pt1")
++ dev_filetrans($1, tape_device_t, chr_file, "pt2")
++ dev_filetrans($1, tape_device_t, chr_file, "pt3")
++ dev_filetrans($1, tape_device_t, chr_file, "pt4")
++ dev_filetrans($1, tape_device_t, chr_file, "pt5")
++ dev_filetrans($1, tape_device_t, chr_file, "pt6")
++ dev_filetrans($1, tape_device_t, chr_file, "pt7")
++ dev_filetrans($1, tape_device_t, chr_file, "pt8")
++ dev_filetrans($1, tape_device_t, chr_file, "pt9")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic0")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic1")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic2")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic3")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic4")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic5")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic6")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic7")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic8")
++ dev_filetrans($1, tape_device_t, chr_file, "tpqic9")
++ dev_filetrans($1, removable_device_t, blk_file, "aztcd")
++ dev_filetrans($1, removable_device_t, blk_file, "bpcd")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu0")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu1")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu2")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu3")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu4")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu5")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu6")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu7")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu8")
++ dev_filetrans($1, removable_device_t, blk_file, "cdu9")
++ dev_filetrans($1, removable_device_t, blk_file, "cm200")
++ dev_filetrans($1, removable_device_t, blk_file, "cm201")
++ dev_filetrans($1, removable_device_t, blk_file, "cm202")
++ dev_filetrans($1, removable_device_t, blk_file, "cm203")
++ dev_filetrans($1, removable_device_t, blk_file, "cm204")
++ dev_filetrans($1, removable_device_t, blk_file, "cm205")
++ dev_filetrans($1, removable_device_t, blk_file, "cm206")
++ dev_filetrans($1, removable_device_t, blk_file, "cm207")
++ dev_filetrans($1, removable_device_t, blk_file, "cm208")
++ dev_filetrans($1, removable_device_t, blk_file, "cm209")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-9")
++ dev_filetrans($1, removable_device_t, blk_file, "gscd")
++ dev_filetrans($1, removable_device_t, blk_file, "hitcd")
++ dev_filetrans($1, tape_device_t, blk_file, "ht0")
++ dev_filetrans($1, tape_device_t, blk_file, "ht1")
++ dev_filetrans($1, removable_device_t, blk_file, "hwcdrom")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "initrd")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "jsfd")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop9")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
++ dev_filetrans($1, removable_device_t, blk_file, "mcd")
++ dev_filetrans($1, removable_device_t, blk_file, "mcdx")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk0")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk1")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk2")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk3")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk4")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk5")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk6")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk7")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk8")
++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk9")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk0")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk1")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk2")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk3")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk4")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk5")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk6")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk7")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk8")
++ dev_filetrans($1, removable_device_t, blk_file, "mspblk9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd9")
++ dev_filetrans($1, removable_device_t, blk_file, "optcd")
++ dev_filetrans($1, removable_device_t, blk_file, "pf0")
++ dev_filetrans($1, removable_device_t, blk_file, "pf1")
++ dev_filetrans($1, removable_device_t, blk_file, "pf2")
++ dev_filetrans($1, removable_device_t, blk_file, "pf3")
++ dev_filetrans($1, removable_device_t, blk_file, "pg0")
++ dev_filetrans($1, removable_device_t, blk_file, "pg1")
++ dev_filetrans($1, removable_device_t, blk_file, "pg2")
++ dev_filetrans($1, removable_device_t, blk_file, "pg3")
++ dev_filetrans($1, removable_device_t, blk_file, "pcd0")
++ dev_filetrans($1, removable_device_t, blk_file, "pcd1")
++ dev_filetrans($1, removable_device_t, blk_file, "pcd2")
++ dev_filetrans($1, removable_device_t, blk_file, "pcd3")
++ dev_filetrans($1, removable_device_t, chr_file, "pg0")
++ dev_filetrans($1, removable_device_t, chr_file, "pg1")
++ dev_filetrans($1, removable_device_t, chr_file, "pg2")
++ dev_filetrans($1, removable_device_t, chr_file, "pg3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram10")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram11")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram12")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram13")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram14")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram15")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd9")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "root")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd0")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd1")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd2")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd3")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd4")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd5")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd6")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd7")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd8")
++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd9")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg0")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg1")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg2")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg3")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg4")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg5")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg6")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8")
++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9")
++ dev_filetrans($1, removable_device_t, blk_file, "sr0")
++ dev_filetrans($1, removable_device_t, blk_file, "sr1")
++ dev_filetrans($1, removable_device_t, blk_file, "sr2")
++ dev_filetrans($1, removable_device_t, blk_file, "sr3")
++ dev_filetrans($1, removable_device_t, blk_file, "sr4")
++ dev_filetrans($1, removable_device_t, blk_file, "sr5")
++ dev_filetrans($1, removable_device_t, blk_file, "sr6")
++ dev_filetrans($1, removable_device_t, blk_file, "sr7")
++ dev_filetrans($1, removable_device_t, blk_file, "sr8")
++ dev_filetrans($1, removable_device_t, blk_file, "sr9")
++ dev_filetrans($1, removable_device_t, blk_file, "sjcd")
++ dev_filetrans($1, removable_device_t, blk_file, "sonycd")
++ dev_filetrans($1, tape_device_t, chr_file, "tape0")
++ dev_filetrans($1, tape_device_t, chr_file, "tape1")
++ dev_filetrans($1, tape_device_t, chr_file, "tape2")
++ dev_filetrans($1, tape_device_t, chr_file, "tape3")
++ dev_filetrans($1, tape_device_t, chr_file, "tape4")
++ dev_filetrans($1, tape_device_t, chr_file, "tape5")
++ dev_filetrans($1, tape_device_t, chr_file, "tape6")
++ dev_filetrans($1, tape_device_t, chr_file, "tape7")
++ dev_filetrans($1, tape_device_t, chr_file, "tape8")
++ dev_filetrans($1, tape_device_t, chr_file, "tape9")
++ dev_filetrans($1, fuse_device_t, chr_file, "fuse")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
++ dev_filetrans($1, removable_device_t, chr_file, "rio500")
++')
+diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
+index 7d45d15..22c9cfe 100644
+--- a/policy/modules/kernel/terminal.fc
++++ b/policy/modules/kernel/terminal.fc
+@@ -14,11 +14,12 @@
+ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
+-/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
+ /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
+ /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
++/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
++/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
+ /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+
+ /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
+@@ -41,3 +42,7 @@ ifdef(`distro_gentoo',`
+ # used by init scripts to initally populate udev /dev
+ /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
+ ')
++
++/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
++
++/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 01dd2f1..3541088 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -124,7 +124,7 @@ interface(`term_user_tty',`
+ type_change $1 ttynode:chr_file $2;
+ ')
+
+- tunable_policy(`console_login',`
++ tunable_policy(`login_console_enabled',`
+ # When user logs in from /dev/console, relabel it
+ # to user tty type as well.
+ type_change $1 console_device_t:chr_file $2;
+@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
+
+ ########################################
+ ##
++## Read and write the inherited console, all inherited
++## ttys and ptys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_use_all_inherited_terms',`
++ gen_require(`
++ attribute ttynode, ptynode;
++ type console_device_t, devpts_t, tty_device_t;
++ ')
++
++ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
++')
++
++########################################
++##
+ ## Write to the console.
+ ##
+ ##
+@@ -274,7 +295,6 @@ interface(`term_dontaudit_read_console',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`term_use_console',`
+ gen_require(`
+@@ -299,9 +319,12 @@ interface(`term_use_console',`
+ interface(`term_dontaudit_use_console',`
+ gen_require(`
+ type console_device_t;
++ type tty_device_t;
+ ')
+
+- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++ init_dontaudit_use_fds($1)
++ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+@@ -384,6 +407,24 @@ interface(`term_getattr_pty_fs',`
+
+ ########################################
+ ##
++## Relabel a pty filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_relabel_pty_fs',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:filesystem relabel_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to get the
+ ## attributes of the /dev/pts directory.
+ ##
+@@ -462,6 +503,24 @@ interface(`term_list_ptys',`
+
+ ########################################
+ ##
++## Relabel the /dev/pts directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_relabel_ptys_dirs',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:dir relabel_dir_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read the
+ ## /dev/pts directory.
+ ##
+@@ -601,7 +660,7 @@ interface(`term_use_generic_ptys',`
+
+ ########################################
+ ##
+-## Dot not audit attempts to read and
++## Do not audit attempts to read and
+ ## write the generic pty type. This is
+ ## generally only used in the targeted policy.
+ ##
+@@ -616,6 +675,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+ type devpts_t;
+ ')
+
++ init_dontaudit_use_fds($1)
+ dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+ ')
+
+@@ -860,6 +920,26 @@ interface(`term_use_all_ptys',`
+
+ ########################################
+ ##
++## Read and write all inherited ptys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_use_all_inherited_ptys',`
++ gen_require(`
++ attribute ptynode;
++ type devpts_t;
++ ')
++
++ allow $1 ptynode:chr_file { rw_inherited_term_perms lock };
++')
++
++########################################
++##
+ ## Do not audit attempts to read or write any ptys.
+ ##
+ ##
+@@ -873,7 +953,7 @@ interface(`term_dontaudit_use_all_ptys',`
+ attribute ptynode;
+ ')
+
+- dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
++ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
+ ')
+
+ ########################################
+@@ -893,7 +973,7 @@ interface(`term_relabel_all_ptys',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- relabel_chr_files_pattern($1, devpts_t, ptynode)
++ relabel_chr_files_pattern($1, devpts_t, { ptynode devpts_t } )
+ ')
+
+ ########################################
+@@ -921,7 +1001,7 @@ interface(`term_getattr_all_user_ptys',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -1240,7 +1320,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+ type tty_device_t;
+ ')
+
+- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
++ init_dontaudit_use_fds($1)
++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## Read and write USB tty character
++## device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_use_usb_ttys',`
++ gen_require(`
++ type usbtty_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 usbtty_device_t:chr_file rw_chr_file_perms;
++')
++
++#######################################
++##
++## Setattr on USB tty character
++## device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_setattr_usb_ttys',`
++ gen_require(`
++ type usbtty_device_t;
++ ')
++
++ allow $1 usbtty_device_t:chr_file setattr;
+ ')
+
+ ########################################
+@@ -1256,11 +1376,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+ #
+ interface(`term_getattr_all_ttys',`
+ gen_require(`
++ type tty_device_t;
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file getattr;
++ allow $1 tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -1277,10 +1399,12 @@ interface(`term_getattr_all_ttys',`
+ interface(`term_dontaudit_getattr_all_ttys',`
+ gen_require(`
+ attribute ttynode;
++ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ dontaudit $1 ttynode:chr_file getattr;
++ dontaudit $1 tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -1358,7 +1482,27 @@ interface(`term_use_all_ttys',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 ttynode:chr_file rw_chr_file_perms;
++ allow $1 ttynode:chr_file rw_term_perms;
++')
++
++########################################
++##
++## Read and write all inherited ttys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_use_all_inherited_ttys',`
++ gen_require(`
++ attribute ttynode;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 ttynode:chr_file rw_inherited_term_perms;
+ ')
+
+ ########################################
+@@ -1377,7 +1521,7 @@ interface(`term_dontaudit_use_all_ttys',`
+ attribute ttynode;
+ ')
+
+- dontaudit $1 ttynode:chr_file rw_chr_file_perms;
++ dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+@@ -1485,7 +1629,7 @@ interface(`term_use_all_user_ttys',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -1493,3 +1637,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
+ refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
+ term_dontaudit_use_all_ttys($1)
+ ')
++
++####################################
++##
++## Getattr on the virtio console.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_getattr_virtio_console',`
++ gen_require(`
++ type virtio_device_t;
++ ')
++
++ allow $1 virtio_device_t:chr_file getattr_chr_file_perms;
++')
++
++#####################################
++##
++## Read from and write to the virtio console.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_use_virtio_console',`
++ gen_require(`
++ type virtio_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 virtio_device_t:chr_file rw_chr_file_perms;
++')
++
++########################################
++##
++## Create all named term devices with the correct label
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_filetrans_all_named_dev',`
++
++gen_require(`
++ type tty_device_t;
++ type bsdpty_device_t;
++ type console_device_t;
++ type ptmx_t;
++ type devtty_t;
++ type virtio_device_t;
++ type devpts_t;
++ type usbtty_device_t;
++')
++
++ dev_filetrans($1, devtty_t, chr_file, "tty")
++ dev_filetrans($1, tty_device_t, chr_file, "tty0")
++ dev_filetrans($1, tty_device_t, chr_file, "tty1")
++ dev_filetrans($1, tty_device_t, chr_file, "tty2")
++ dev_filetrans($1, tty_device_t, chr_file, "tty3")
++ dev_filetrans($1, tty_device_t, chr_file, "tty4")
++ dev_filetrans($1, tty_device_t, chr_file, "tty5")
++ dev_filetrans($1, tty_device_t, chr_file, "tty6")
++ dev_filetrans($1, tty_device_t, chr_file, "tty7")
++ dev_filetrans($1, tty_device_t, chr_file, "tty8")
++ dev_filetrans($1, tty_device_t, chr_file, "tty9")
++ dev_filetrans($1, tty_device_t, chr_file, "tty10")
++ dev_filetrans($1, tty_device_t, chr_file, "tty11")
++ dev_filetrans($1, tty_device_t, chr_file, "tty12")
++ dev_filetrans($1, tty_device_t, chr_file, "tty13")
++ dev_filetrans($1, tty_device_t, chr_file, "tty14")
++ dev_filetrans($1, tty_device_t, chr_file, "tty15")
++ dev_filetrans($1, tty_device_t, chr_file, "tty16")
++ dev_filetrans($1, tty_device_t, chr_file, "tty17")
++ dev_filetrans($1, tty_device_t, chr_file, "tty18")
++ dev_filetrans($1, tty_device_t, chr_file, "tty19")
++ dev_filetrans($1, tty_device_t, chr_file, "tty20")
++ dev_filetrans($1, tty_device_t, chr_file, "tty21")
++ dev_filetrans($1, tty_device_t, chr_file, "tty22")
++ dev_filetrans($1, tty_device_t, chr_file, "tty23")
++ dev_filetrans($1, tty_device_t, chr_file, "tty24")
++ dev_filetrans($1, tty_device_t, chr_file, "tty25")
++ dev_filetrans($1, tty_device_t, chr_file, "tty26")
++ dev_filetrans($1, tty_device_t, chr_file, "tty27")
++ dev_filetrans($1, tty_device_t, chr_file, "tty28")
++ dev_filetrans($1, tty_device_t, chr_file, "tty29")
++ dev_filetrans($1, tty_device_t, chr_file, "tty30")
++ dev_filetrans($1, tty_device_t, chr_file, "tty31")
++ dev_filetrans($1, tty_device_t, chr_file, "tty32")
++ dev_filetrans($1, tty_device_t, chr_file, "tty33")
++ dev_filetrans($1, tty_device_t, chr_file, "tty34")
++ dev_filetrans($1, tty_device_t, chr_file, "tty35")
++ dev_filetrans($1, tty_device_t, chr_file, "tty36")
++ dev_filetrans($1, tty_device_t, chr_file, "tty37")
++ dev_filetrans($1, tty_device_t, chr_file, "tty38")
++ dev_filetrans($1, tty_device_t, chr_file, "tty39")
++ dev_filetrans($1, tty_device_t, chr_file, "tty40")
++ dev_filetrans($1, tty_device_t, chr_file, "tty41")
++ dev_filetrans($1, tty_device_t, chr_file, "tty42")
++ dev_filetrans($1, tty_device_t, chr_file, "tty43")
++ dev_filetrans($1, tty_device_t, chr_file, "tty44")
++ dev_filetrans($1, tty_device_t, chr_file, "tty45")
++ dev_filetrans($1, tty_device_t, chr_file, "tty46")
++ dev_filetrans($1, tty_device_t, chr_file, "tty47")
++ dev_filetrans($1, tty_device_t, chr_file, "tty48")
++ dev_filetrans($1, tty_device_t, chr_file, "tty49")
++ dev_filetrans($1, tty_device_t, chr_file, "tty50")
++ dev_filetrans($1, tty_device_t, chr_file, "tty51")
++ dev_filetrans($1, tty_device_t, chr_file, "tty52")
++ dev_filetrans($1, tty_device_t, chr_file, "tty53")
++ dev_filetrans($1, tty_device_t, chr_file, "tty54")
++ dev_filetrans($1, tty_device_t, chr_file, "tty55")
++ dev_filetrans($1, tty_device_t, chr_file, "tty56")
++ dev_filetrans($1, tty_device_t, chr_file, "tty57")
++ dev_filetrans($1, tty_device_t, chr_file, "tty58")
++ dev_filetrans($1, tty_device_t, chr_file, "tty59")
++ dev_filetrans($1, tty_device_t, chr_file, "tty60")
++ dev_filetrans($1, tty_device_t, chr_file, "tty61")
++ dev_filetrans($1, tty_device_t, chr_file, "tty62")
++ dev_filetrans($1, tty_device_t, chr_file, "tty63")
++ dev_filetrans($1, tty_device_t, chr_file, "tty64")
++ dev_filetrans($1, tty_device_t, chr_file, "tty65")
++ dev_filetrans($1, tty_device_t, chr_file, "tty66")
++ dev_filetrans($1, tty_device_t, chr_file, "tty67")
++ dev_filetrans($1, tty_device_t, chr_file, "tty68")
++ dev_filetrans($1, tty_device_t, chr_file, "tty69")
++ dev_filetrans($1, tty_device_t, chr_file, "tty70")
++ dev_filetrans($1, tty_device_t, chr_file, "tty71")
++ dev_filetrans($1, tty_device_t, chr_file, "tty72")
++ dev_filetrans($1, tty_device_t, chr_file, "tty73")
++ dev_filetrans($1, tty_device_t, chr_file, "tty74")
++ dev_filetrans($1, tty_device_t, chr_file, "tty75")
++ dev_filetrans($1, tty_device_t, chr_file, "tty76")
++ dev_filetrans($1, tty_device_t, chr_file, "tty77")
++ dev_filetrans($1, tty_device_t, chr_file, "tty78")
++ dev_filetrans($1, tty_device_t, chr_file, "tty79")
++ dev_filetrans($1, tty_device_t, chr_file, "tty80")
++ dev_filetrans($1, tty_device_t, chr_file, "tty81")
++ dev_filetrans($1, tty_device_t, chr_file, "tty82")
++ dev_filetrans($1, tty_device_t, chr_file, "tty83")
++ dev_filetrans($1, tty_device_t, chr_file, "tty84")
++ dev_filetrans($1, tty_device_t, chr_file, "tty85")
++ dev_filetrans($1, tty_device_t, chr_file, "tty86")
++ dev_filetrans($1, tty_device_t, chr_file, "tty87")
++ dev_filetrans($1, tty_device_t, chr_file, "tty88")
++ dev_filetrans($1, tty_device_t, chr_file, "tty89")
++ dev_filetrans($1, tty_device_t, chr_file, "tty90")
++ dev_filetrans($1, tty_device_t, chr_file, "tty91")
++ dev_filetrans($1, tty_device_t, chr_file, "tty92")
++ dev_filetrans($1, tty_device_t, chr_file, "tty93")
++ dev_filetrans($1, tty_device_t, chr_file, "tty94")
++ dev_filetrans($1, tty_device_t, chr_file, "tty95")
++ dev_filetrans($1, tty_device_t, chr_file, "tty96")
++ dev_filetrans($1, tty_device_t, chr_file, "tty97")
++ dev_filetrans($1, tty_device_t, chr_file, "tty98")
++ dev_filetrans($1, tty_device_t, chr_file, "tty99")
++ dev_filetrans($1, tty_device_t, chr_file, "pty")
++ dev_filetrans($1, tty_device_t, chr_file, "pty0")
++ dev_filetrans($1, tty_device_t, chr_file, "pty1")
++ dev_filetrans($1, tty_device_t, chr_file, "pty2")
++ dev_filetrans($1, tty_device_t, chr_file, "pty3")
++ dev_filetrans($1, tty_device_t, chr_file, "pty4")
++ dev_filetrans($1, tty_device_t, chr_file, "pty5")
++ dev_filetrans($1, tty_device_t, chr_file, "pty6")
++ dev_filetrans($1, tty_device_t, chr_file, "pty7")
++ dev_filetrans($1, tty_device_t, chr_file, "pty8")
++ dev_filetrans($1, tty_device_t, chr_file, "pty9")
++ dev_filetrans($1, tty_device_t, chr_file, "pty10")
++ dev_filetrans($1, tty_device_t, chr_file, "pty11")
++ dev_filetrans($1, tty_device_t, chr_file, "pty12")
++ dev_filetrans($1, tty_device_t, chr_file, "pty13")
++ dev_filetrans($1, tty_device_t, chr_file, "pty14")
++ dev_filetrans($1, tty_device_t, chr_file, "pty15")
++ dev_filetrans($1, tty_device_t, chr_file, "pty16")
++ dev_filetrans($1, tty_device_t, chr_file, "pty17")
++ dev_filetrans($1, tty_device_t, chr_file, "pty18")
++ dev_filetrans($1, tty_device_t, chr_file, "pty19")
++ dev_filetrans($1, tty_device_t, chr_file, "pty20")
++ dev_filetrans($1, tty_device_t, chr_file, "pty21")
++ dev_filetrans($1, tty_device_t, chr_file, "pty22")
++ dev_filetrans($1, tty_device_t, chr_file, "pty23")
++ dev_filetrans($1, tty_device_t, chr_file, "pty24")
++ dev_filetrans($1, tty_device_t, chr_file, "pty25")
++ dev_filetrans($1, tty_device_t, chr_file, "pty26")
++ dev_filetrans($1, tty_device_t, chr_file, "pty27")
++ dev_filetrans($1, tty_device_t, chr_file, "pty28")
++ dev_filetrans($1, tty_device_t, chr_file, "pty29")
++ dev_filetrans($1, tty_device_t, chr_file, "pty30")
++ dev_filetrans($1, tty_device_t, chr_file, "pty31")
++ dev_filetrans($1, tty_device_t, chr_file, "pty32")
++ dev_filetrans($1, tty_device_t, chr_file, "pty33")
++ dev_filetrans($1, tty_device_t, chr_file, "pty34")
++ dev_filetrans($1, tty_device_t, chr_file, "pty35")
++ dev_filetrans($1, tty_device_t, chr_file, "pty36")
++ dev_filetrans($1, tty_device_t, chr_file, "pty37")
++ dev_filetrans($1, tty_device_t, chr_file, "pty38")
++ dev_filetrans($1, tty_device_t, chr_file, "pty39")
++ dev_filetrans($1, tty_device_t, chr_file, "pty40")
++ dev_filetrans($1, tty_device_t, chr_file, "pty41")
++ dev_filetrans($1, tty_device_t, chr_file, "pty42")
++ dev_filetrans($1, tty_device_t, chr_file, "pty43")
++ dev_filetrans($1, tty_device_t, chr_file, "pty44")
++ dev_filetrans($1, tty_device_t, chr_file, "pty45")
++ dev_filetrans($1, tty_device_t, chr_file, "pty46")
++ dev_filetrans($1, tty_device_t, chr_file, "pty47")
++ dev_filetrans($1, tty_device_t, chr_file, "pty48")
++ dev_filetrans($1, tty_device_t, chr_file, "pty49")
++ dev_filetrans($1, tty_device_t, chr_file, "pty50")
++ dev_filetrans($1, tty_device_t, chr_file, "pty51")
++ dev_filetrans($1, tty_device_t, chr_file, "pty52")
++ dev_filetrans($1, tty_device_t, chr_file, "pty53")
++ dev_filetrans($1, tty_device_t, chr_file, "pty54")
++ dev_filetrans($1, tty_device_t, chr_file, "pty55")
++ dev_filetrans($1, tty_device_t, chr_file, "pty56")
++ dev_filetrans($1, tty_device_t, chr_file, "pty57")
++ dev_filetrans($1, tty_device_t, chr_file, "pty58")
++ dev_filetrans($1, tty_device_t, chr_file, "pty59")
++ dev_filetrans($1, tty_device_t, chr_file, "pty60")
++ dev_filetrans($1, tty_device_t, chr_file, "pty61")
++ dev_filetrans($1, tty_device_t, chr_file, "pty62")
++ dev_filetrans($1, tty_device_t, chr_file, "pty63")
++ dev_filetrans($1, tty_device_t, chr_file, "pty64")
++ dev_filetrans($1, tty_device_t, chr_file, "pty65")
++ dev_filetrans($1, tty_device_t, chr_file, "pty66")
++ dev_filetrans($1, tty_device_t, chr_file, "pty67")
++ dev_filetrans($1, tty_device_t, chr_file, "pty68")
++ dev_filetrans($1, tty_device_t, chr_file, "pty69")
++ dev_filetrans($1, tty_device_t, chr_file, "pty70")
++ dev_filetrans($1, tty_device_t, chr_file, "pty71")
++ dev_filetrans($1, tty_device_t, chr_file, "pty72")
++ dev_filetrans($1, tty_device_t, chr_file, "pty73")
++ dev_filetrans($1, tty_device_t, chr_file, "pty74")
++ dev_filetrans($1, tty_device_t, chr_file, "pty75")
++ dev_filetrans($1, tty_device_t, chr_file, "pty76")
++ dev_filetrans($1, tty_device_t, chr_file, "pty77")
++ dev_filetrans($1, tty_device_t, chr_file, "pty78")
++ dev_filetrans($1, tty_device_t, chr_file, "pty79")
++ dev_filetrans($1, tty_device_t, chr_file, "pty80")
++ dev_filetrans($1, tty_device_t, chr_file, "pty81")
++ dev_filetrans($1, tty_device_t, chr_file, "pty82")
++ dev_filetrans($1, tty_device_t, chr_file, "pty83")
++ dev_filetrans($1, tty_device_t, chr_file, "pty84")
++ dev_filetrans($1, tty_device_t, chr_file, "pty85")
++ dev_filetrans($1, tty_device_t, chr_file, "pty86")
++ dev_filetrans($1, tty_device_t, chr_file, "pty87")
++ dev_filetrans($1, tty_device_t, chr_file, "pty88")
++ dev_filetrans($1, tty_device_t, chr_file, "pty89")
++ dev_filetrans($1, tty_device_t, chr_file, "pty90")
++ dev_filetrans($1, tty_device_t, chr_file, "pty91")
++ dev_filetrans($1, tty_device_t, chr_file, "pty92")
++ dev_filetrans($1, tty_device_t, chr_file, "pty93")
++ dev_filetrans($1, tty_device_t, chr_file, "pty94")
++ dev_filetrans($1, tty_device_t, chr_file, "pty95")
++ dev_filetrans($1, tty_device_t, chr_file, "pty96")
++ dev_filetrans($1, tty_device_t, chr_file, "pty97")
++ dev_filetrans($1, tty_device_t, chr_file, "pty98")
++ dev_filetrans($1, tty_device_t, chr_file, "pty99")
++ dev_filetrans($1, tty_device_t, chr_file, "adb0")
++ dev_filetrans($1, tty_device_t, chr_file, "adb1")
++ dev_filetrans($1, tty_device_t, chr_file, "adb2")
++ dev_filetrans($1, tty_device_t, chr_file, "adb3")
++ dev_filetrans($1, tty_device_t, chr_file, "adb4")
++ dev_filetrans($1, tty_device_t, chr_file, "adb5")
++ dev_filetrans($1, tty_device_t, chr_file, "adb6")
++ dev_filetrans($1, tty_device_t, chr_file, "adb7")
++ dev_filetrans($1, tty_device_t, chr_file, "adb8")
++ dev_filetrans($1, tty_device_t, chr_file, "adb9")
++ dev_filetrans($1, tty_device_t, chr_file, "capi0")
++ dev_filetrans($1, tty_device_t, chr_file, "capi1")
++ dev_filetrans($1, tty_device_t, chr_file, "capi2")
++ dev_filetrans($1, tty_device_t, chr_file, "capi3")
++ dev_filetrans($1, tty_device_t, chr_file, "capi4")
++ dev_filetrans($1, tty_device_t, chr_file, "capi5")
++ dev_filetrans($1, tty_device_t, chr_file, "capi6")
++ dev_filetrans($1, tty_device_t, chr_file, "capi7")
++ dev_filetrans($1, tty_device_t, chr_file, "capi8")
++ dev_filetrans($1, tty_device_t, chr_file, "capi9")
++ dev_filetrans($1, console_device_t, chr_file, "console")
++ dev_filetrans($1, tty_device_t, chr_file, "cu0")
++ dev_filetrans($1, tty_device_t, chr_file, "cu1")
++ dev_filetrans($1, tty_device_t, chr_file, "cu2")
++ dev_filetrans($1, tty_device_t, chr_file, "cu3")
++ dev_filetrans($1, tty_device_t, chr_file, "cu4")
++ dev_filetrans($1, tty_device_t, chr_file, "cu5")
++ dev_filetrans($1, tty_device_t, chr_file, "cu6")
++ dev_filetrans($1, tty_device_t, chr_file, "cu7")
++ dev_filetrans($1, tty_device_t, chr_file, "cu8")
++ dev_filetrans($1, tty_device_t, chr_file, "cu9")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri0")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri1")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri2")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri3")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri4")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri5")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri6")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri7")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri8")
++ dev_filetrans($1, tty_device_t, chr_file, "dcbri9")
++ dev_filetrans($1, tty_device_t, chr_file, "vcsa")
++ dev_filetrans($1, tty_device_t, chr_file, "vcsb")
++ dev_filetrans($1, tty_device_t, chr_file, "vcsc")
++ dev_filetrans($1, tty_device_t, chr_file, "vcsd")
++ dev_filetrans($1, tty_device_t, chr_file, "vcse")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc0")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc1")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc2")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc3")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc4")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc5")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc6")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc7")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc8")
++ dev_filetrans($1, tty_device_t, chr_file, "hvc9")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi0")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi1")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi2")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi3")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi4")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi5")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi6")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi7")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi8")
++ dev_filetrans($1, tty_device_t, chr_file, "hvsi9")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm0")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm1")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm2")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm3")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm4")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm5")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm6")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm7")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm8")
++ dev_filetrans($1, tty_device_t, chr_file, "ircomm9")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn0")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn1")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn2")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn3")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn4")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn5")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn6")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn7")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn8")
++ dev_filetrans($1, tty_device_t, chr_file, "isdn9")
++ filetrans_pattern($1, devpts_t, ptmx_t, chr_file, "ptmx")
++ dev_filetrans($1, ptmx_t, chr_file, "ptmx")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm0")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm1")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm2")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm3")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm4")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm5")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm6")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm7")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm8")
++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm9")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr0")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr1")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr2")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr3")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr4")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr5")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr6")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr7")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr8")
++ dev_filetrans($1, tty_device_t, chr_file, "slamr9")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM0")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM1")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM2")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM3")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM4")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM5")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM6")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM7")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM8")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM9")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS0")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS1")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS2")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS3")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS4")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS5")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS6")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS7")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS8")
++ dev_filetrans($1, tty_device_t, chr_file, "ttyS9")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG0")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG1")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG2")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG3")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG4")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG5")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG6")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG7")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG8")
++ dev_filetrans($1, tty_device_t, chr_file, "ttySG9")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB5")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p0")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p1")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p2")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p3")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p4")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p5")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p6")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p7")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p8")
++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p9")
++ dev_filetrans($1, devpts_t, dir, "pts")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc0")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc1")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc2")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc3")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc4")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc5")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc6")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc7")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc8")
++ dev_filetrans($1, tty_device_t, chr_file, "xvc9")
++')
+diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
+index 9d64659..f85e86f 100644
+--- a/policy/modules/kernel/terminal.te
++++ b/policy/modules/kernel/terminal.te
+@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
+ fs_associate_tmpfs(devpts_t)
+ fs_type(devpts_t)
+ fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
++dev_associate(devpts_t)
+
+ #
+ # devtty_t is the type of /dev/tty.
+@@ -54,5 +55,11 @@ dev_node(tty_device_t)
+ #
+ # usbtty_device_t is the type of /dev/usr/tty*
+ #
+-type usbtty_device_t, serial_device;
+-dev_node(usbtty_device_t)
++type usbtty_device_t;
++term_tty(usbtty_device_t)
++
++#
++# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
++#
++type virtio_device_t, serial_device;
++dev_node(virtio_device_t)
+diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc
+new file mode 100644
+index 0000000..f310b9d
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.fc
+@@ -0,0 +1 @@
++# No unlabelednet file contexts.
+diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if
+new file mode 100644
+index 0000000..0ce0470
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.if
+@@ -0,0 +1 @@
++## Policy for allowing confined domains to use unlabeled_t packets
+diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te
+new file mode 100644
+index 0000000..64b5db7
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.te
+@@ -0,0 +1,3 @@
++policy_module(unlabelednet, 1.0.0)
++
++corenet_enable_unlabeled_packets()
+diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
+index 834a065..1105353 100644
+--- a/policy/modules/roles/auditadm.te
++++ b/policy/modules/roles/auditadm.te
+@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t)
+
+ domain_kill_all_domains(auditadm_t)
+
++selinux_read_policy(auditadm_t)
++
+ logging_send_syslog_msg(auditadm_t)
+ logging_read_generic_logs(auditadm_t)
+ logging_manage_audit_log(auditadm_t)
+ logging_manage_audit_config(auditadm_t)
+ logging_run_auditctl(auditadm_t, auditadm_r)
+ logging_run_auditd(auditadm_t, auditadm_r)
++logging_stream_connect_syslog(auditadm_t)
+
+ seutil_run_runinit(auditadm_t, auditadm_r)
+ seutil_read_bin_policy(auditadm_t)
+
++userdom_dontaudit_search_admin_dir(auditadm_t)
++
+ optional_policy(`
+ consoletype_exec(auditadm_t)
+ ')
+diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
+index 3a45a3e..6b08160 100644
+--- a/policy/modules/roles/logadm.te
++++ b/policy/modules/roles/logadm.te
+@@ -14,6 +14,5 @@ userdom_base_user_template(logadm)
+ # logadmin local policy
+ #
+
+-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+-
++allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
+ logging_admin(logadm_t, logadm_r)
+diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
+index da11120..34f3a61 100644
+--- a/policy/modules/roles/secadm.te
++++ b/policy/modules/roles/secadm.te
+@@ -9,6 +9,8 @@ role secadm_r;
+
+ userdom_unpriv_user_template(secadm)
+ userdom_security_admin_template(secadm_t, secadm_r)
++userdom_inherit_append_admin_home_files(secadm_t)
++userdom_read_admin_home_files(secadm_t)
+
+ ########################################
+ #
+@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t)
+ mls_file_downgrade(secadm_t)
+
+ auth_role(secadm_r, secadm_t)
+-files_relabel_non_auth_files(secadm_t)
+-auth_relabel_shadow(secadm_t)
++files_relabel_all_files(secadm_t)
+
+ init_exec(secadm_t)
+
+diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
+index 234a940..d340f20 100644
+--- a/policy/modules/roles/staff.if
++++ b/policy/modules/roles/staff.if
+@@ -1,4 +1,4 @@
+-## Administrator's unprivileged user role
++## Administrator's unprivileged user
+
+ ########################################
+ ##
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index e5aee97..2fdb49f 100644
+--- a/policy/modules/roles/staff.te
++++ b/policy/modules/roles/staff.te
+@@ -8,12 +8,67 @@ policy_module(staff, 2.3.0)
+ role staff_r;
+
+ userdom_unpriv_user_template(staff)
++fs_exec_noxattr(staff_t)
++
++##
++##
++## allow staff user to create and transition to svirt domains.
++##
++##
++gen_tunable(staff_use_svirt, false)
+
+ ########################################
+ #
+ # Local policy
+ #
+
++kernel_read_ring_buffer(staff_t)
++kernel_getattr_core_if(staff_t)
++kernel_getattr_message_if(staff_t)
++kernel_read_software_raid_state(staff_t)
++kernel_read_fs_sysctls(staff_t)
++kernel_read_numa_state(staff_t)
++kernel_write_numa_state(staff_t)
++
++fs_read_hugetlbfs_files(staff_t)
++
++dev_read_cpuid(staff_t)
++dev_read_kmsg(staff_t)
++
++domain_read_all_domains_state(staff_t)
++domain_getattr_all_domains(staff_t)
++domain_obj_id_change_exemption(staff_t)
++
++files_read_kernel_modules(staff_t)
++
++seutil_read_module_store(staff_t)
++seutil_run_newrole(staff_t, staff_r)
++
++storage_read_scsi_generic(staff_t)
++storage_write_scsi_generic(staff_t)
++
++term_use_unallocated_ttys(staff_t)
++
++auth_domtrans_pam_console(staff_t)
++
++init_dbus_chat(staff_t)
++init_dbus_chat_script(staff_t)
++
++miscfiles_read_hwdata(staff_t)
++
++ifndef(`enable_mls',`
++ selinux_read_policy(staff_t)
++')
++
++optional_policy(`
++ abrt_read_cache(staff_t)
++')
++
++optional_policy(`
++ accountsd_dbus_chat(staff_t)
++ accountsd_read_lib_files(staff_t)
++')
++
+ optional_policy(`
+ apache_role(staff_r, staff_t)
+ ')
+@@ -23,11 +78,110 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ blueman_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ kdumpgui_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ bluetooth_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ chrome_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ colord_dbus_chat(staff_t)
++')
++
++optional_policy(`
+ dbadm_role_change(staff_r)
+ ')
+
+ optional_policy(`
+- git_role(staff_r, staff_t)
++ dnsmasq_read_pid_files(staff_t)
++')
++
++optional_policy(`
++ dmesg_exec(staff_t)
++')
++
++optional_policy(`
++ firewalld_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ firewallgui_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ gnomeclock_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ gnome_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ irc_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ kerneloops_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ logadm_role_change(staff_r)
++')
++
++optional_policy(`
++ lpd_list_spool(staff_t)
++')
++
++optional_policy(`
++ mock_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ mozilla_run_plugin(staff_t, staff_r)
++')
++
++optional_policy(`
++ modutils_read_module_config(staff_t)
++ modutils_read_module_deps(staff_t)
++')
++
++optional_policy(`
++ netutils_run_ping(staff_t, staff_r)
++ netutils_run_traceroute(staff_t, staff_r)
++ netutils_signal_ping(staff_t)
++ netutils_kill_ping(staff_t)
++')
++
++optional_policy(`
++ oident_manage_user_content(staff_t)
++ oident_relabel_user_content(staff_t)
++')
++
++optional_policy(`
++ mta_role(staff_r, staff_t)
++')
++
++optional_policy(`
++ mysql_exec(staff_t)
++')
++
++optional_policy(`
++ polipo_role(staff_r, staff_t)
++ polipo_named_filetrans_cache_home_dirs(staff_t)
++ polipo_named_filetrans_config_home_files(staff_t)
++')
++
++optional_policy(`
++ git_session_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+@@ -35,15 +189,31 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rtkit_scheduled(staff_t)
++')
++
++optional_policy(`
++ rpm_dbus_chat(staff_t)
++')
++
++optional_policy(`
++ rwho_read_spool_files(staff_t)
++')
++
++optional_policy(`
+ secadm_role_change(staff_r)
+ ')
+
+ optional_policy(`
+- ssh_role_template(staff, staff_r, staff_t)
++ sandbox_transition(staff_t, staff_r)
+ ')
+
+ optional_policy(`
+- sudo_role_template(staff, staff_r, staff_t)
++ sandbox_x_transition(staff_t, staff_r)
++')
++
++optional_policy(`
++ screen_role_template(staff, staff_r, staff_t)
+ ')
+
+ optional_policy(`
+@@ -52,10 +222,59 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_read_unit_files(staff_t)
++ systemd_exec_systemctl(staff_t)
++')
++
++optional_policy(`
++ setroubleshoot_stream_connect(staff_t)
++ setroubleshoot_dbus_chat(staff_t)
++ setroubleshoot_dbus_chat_fixit(staff_t)
++')
++
++optional_policy(`
++ ssh_role_template(staff, staff_r, staff_t)
++')
++
++optional_policy(`
++ sudo_role_template(staff, staff_r, staff_t)
++')
++
++#optional_policy(`
++# telepathy_dbus_session_role(staff_r, staff_t)
++#')
++
++optional_policy(`
++ userhelper_console_role_template(staff, staff_r, staff_t)
++')
++
++optional_policy(`
++ unconfined_role_change(staff_r)
++')
++
++optional_policy(`
++ usbmuxd_stream_connect(staff_t)
++')
++
++optional_policy(`
++ virt_getattr_exec(staff_t)
++ virt_search_images(staff_t)
++ virt_stream_connect(staff_t)
++')
++
++optional_policy(`
+ vlock_run(staff_t, staff_r)
+ ')
+
+ optional_policy(`
++ vnstatd_read_lib_files(staff_t)
++')
++
++optional_policy(`
++ webadm_role_change(staff_r)
++')
++
++optional_policy(`
+ xserver_role(staff_r, staff_t)
+ ')
+
+@@ -65,10 +284,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- bluetooth_role(staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ cdrecord_role(staff_r, staff_t)
+ ')
+
+@@ -93,18 +308,10 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- gnome_role(staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ gpg_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
+- irc_role(staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ java_role(staff_r, staff_t)
+ ')
+
+@@ -125,10 +332,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- mta_role(staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ pyzor_role(staff_r, staff_t)
+ ')
+
+@@ -141,10 +344,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- screen_role_template(staff, staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ spamassassin_role(staff_r, staff_t)
+ ')
+
+@@ -176,3 +375,20 @@ ifndef(`distro_redhat',`
+ wireshark_role(staff_r, staff_t)
+ ')
+ ')
++
++tunable_policy(`selinuxuser_execmod',`
++ userdom_execmod_user_home_files(staff_t)
++')
++
++optional_policy(`
++ virt_transition_svirt(staff_t, staff_r)
++ virt_filetrans_home_content(staff_t)
++')
++
++optional_policy(`
++ tunable_policy(`staff_use_svirt',`
++ allow staff_t self:fifo_file relabelfrom;
++ dev_rw_kvm(staff_t)
++ virt_manage_images(staff_t)
++ ')
++')
+diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
+index ff92430..36740ea 100644
+--- a/policy/modules/roles/sysadm.if
++++ b/policy/modules/roles/sysadm.if
+@@ -70,6 +70,23 @@ interface(`sysadm_shell_domtrans',`
+ allow sysadm_t $1:process sigchld;
+ ')
+
++#######################################
++##
++## sysadm stub interface. No access allowed.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`sysadm_stub',`
++ gen_require(`
++ type sysadm_t;
++ role sysadm_r;
++ ')
++')
++
+ ########################################
+ ##
+ ## Execute a generic bin program in the sysadm domain.
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 44c198a..82eb9e5 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.0)
+ # Declarations
+ #
+
+-##
+-##
+-## Allow sysadm to debug or ptrace all processes.
+-##
+-##
+-gen_tunable(allow_ptrace, false)
+-
+ role sysadm_r;
+
+ userdom_admin_user_template(sysadm)
+
+-ifndef(`enable_mls',`
+- userdom_security_admin_template(sysadm_t, sysadm_r)
+-')
+-
+ ########################################
+ #
+ # Local policy
+ #
++kernel_read_fs_sysctls(sysadm_t)
+
+ corecmd_exec_shell(sysadm_t)
+
++dev_filetrans_all_named_dev(sysadm_t)
++
++domain_dontaudit_read_all_domains_state(sysadm_t)
++
++files_read_kernel_modules(sysadm_t)
++files_filetrans_named_content(sysadm_t)
++
++fs_mount_fusefs(sysadm_t)
++
++storage_filetrans_all_named_dev(sysadm_t)
++
++term_filetrans_all_named_dev(sysadm_t)
++
+ mls_process_read_up(sysadm_t)
++mls_file_read_all_levels(sysadm_t)
++mls_file_write_all_levels(sysadm_t)
++mls_file_read_to_clearance(sysadm_t)
++mls_process_write_to_clearance(sysadm_t)
++
++storage_setattr_fixed_disk_dev(sysadm_t)
+
+ ubac_process_exempt(sysadm_t)
+ ubac_file_exempt(sysadm_t)
+ ubac_fd_exempt(sysadm_t)
+
++application_exec(sysadm_t)
++
+ init_exec(sysadm_t)
++init_exec_script_files(sysadm_t)
++init_dbus_chat(sysadm_t)
++init_script_role_transition(sysadm_r)
++init_status(sysadm_t)
++init_reboot(sysadm_t)
++init_halt(sysadm_t)
++init_undefined(sysadm_t)
++
++logging_filetrans_named_content(sysadm_t)
++
++miscfiles_filetrans_named_content(sysadm_t)
++miscfiles_read_hwdata(sysadm_t)
++
++sysnet_filetrans_named_content(sysadm_t)
+
+ # Add/remove user home directories
+ userdom_manage_user_home_dirs(sysadm_t)
+ userdom_home_filetrans_user_home_dir(sysadm_t)
++userdom_manage_tmp_role(sysadm_r, sysadm_t)
++
++optional_policy(`
++ alsa_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++ ssh_filetrans_admin_home_content(sysadm_t)
++')
+
+ ifdef(`direct_sysadm_daemon',`
+ optional_policy(`
+@@ -55,13 +89,7 @@ ifdef(`distro_gentoo',`
+ init_exec_rc(sysadm_t)
+ ')
+
+-ifndef(`enable_mls',`
+- logging_manage_audit_log(sysadm_t)
+- logging_manage_audit_config(sysadm_t)
+- logging_run_auditctl(sysadm_t, sysadm_r)
+-')
+-
+-tunable_policy(`allow_ptrace',`
++tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(sysadm_t)
+ ')
+
+@@ -71,9 +99,9 @@ optional_policy(`
+
+ optional_policy(`
+ apache_run_helper(sysadm_t, sysadm_r)
++ apache_filetrans_named_content(sysadm_t)
+ #apache_run_all_scripts(sysadm_t, sysadm_r)
+ #apache_domtrans_sys_script(sysadm_t)
+- apache_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -110,6 +138,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ certmonger_dbus_chat(sysadm_t)
++')
++
++optional_policy(`
+ certwatch_run(sysadm_t, sysadm_r)
+ ')
+
+@@ -122,11 +154,20 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- consoletype_run(sysadm_t, sysadm_r)
++ cron_admin_role(sysadm_r, sysadm_t)
++ #cron_role(sysadm_r, sysadm_t)
++')
++
++optional_policy(`
++ consoletype_exec(sysadm_t)
+ ')
+
+ optional_policy(`
+- cvs_exec(sysadm_t)
++ daemonstools_run_start(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
++ dbus_role_template(sysadm, sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -140,6 +181,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ devicekit_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
+ dmesg_exec(sysadm_t)
+ ')
+
+@@ -156,11 +201,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ firewalld_dbus_chat(sysadm_t)
++')
++
++optional_policy(`
+ fstools_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- git_role(sysadm_r, sysadm_t)
++ git_session_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -179,6 +228,13 @@ optional_policy(`
+ ipsec_stream_connect(sysadm_t)
+ # for lsof
+ ipsec_getattr_key_sockets(sysadm_t)
++ ipsec_run_setkey(sysadm_t, sysadm_r)
++ ipsec_run_racoon(sysadm_t, sysadm_r)
++ ipsec_stream_connect_racoon(sysadm_t)
++
++ optional_policy(`
++ ipsec_mgmt_dbus_chat(sysadm_t)
++ ')
+ ')
+
+ optional_policy(`
+@@ -186,15 +242,20 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- kudzu_run(sysadm_t, sysadm_r)
++ irc_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+- libs_run_ldconfig(sysadm_t, sysadm_r)
++ kerberos_exec_kadmind(sysadm_t)
++ kerberos_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++ kudzu_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- lockdev_role(sysadm_r, sysadm_t)
++ libs_run_ldconfig(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -214,22 +275,20 @@ optional_policy(`
+ modutils_run_depmod(sysadm_t, sysadm_r)
+ modutils_run_insmod(sysadm_t, sysadm_r)
+ modutils_run_update_mods(sysadm_t, sysadm_r)
++ modutils_read_module_deps(sysadm_t)
++ modules_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
+ mount_run(sysadm_t, sysadm_r)
+-')
+-
+-optional_policy(`
+- mozilla_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+- mplayer_role(sysadm_r, sysadm_t)
++ mount_run_showmount(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+ mta_role(sysadm_r, sysadm_t)
++ # this is defined in userdom_common_user_template
++ #mta_filetrans_home_content(sysadm_t)
++ mta_filetrans_admin_home_content(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -241,25 +300,47 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ ncftool_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ netutils_run(sysadm_t, sysadm_r)
+ netutils_run_ping(sysadm_t, sysadm_r)
+ netutils_run_traceroute(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
++ networkmanager_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
+ ntp_stub()
+ corenet_udp_bind_ntp_port(sysadm_t)
+ ')
+
+ optional_policy(`
++ nx_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
+ oav_run_update(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
++ openvpn_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ pcmcia_run_cardctl(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
++ polipo_role(sysadm_r, sysadm_t)
++ polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
++ polipo_named_filetrans_admin_config_home_files(sysadm_t)
++')
++
++optional_policy(`
+ portage_run(sysadm_t, sysadm_r)
+ portage_run_fetch(sysadm_t, sysadm_r)
+ portage_run_gcc_config(sysadm_t, sysadm_r)
+@@ -270,31 +351,32 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- pyzor_role(sysadm_r, sysadm_t)
++ postfix_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
+- quota_run(sysadm_t, sysadm_r)
++ prelink_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- raid_run_mdadm(sysadm_r, sysadm_t)
++ puppet_run_puppetca(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- razor_role(sysadm_r, sysadm_t)
++ quota_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
+- rpc_domtrans_nfsd(sysadm_t)
++ raid_domtrans_mdadm(sysadm_t)
+ ')
+
+ optional_policy(`
+- rpm_run(sysadm_t, sysadm_r)
++ rpc_domtrans_nfsd(sysadm_t)
+ ')
+
+ optional_policy(`
+- rssh_role(sysadm_r, sysadm_t)
++ rpm_run(sysadm_t, sysadm_r)
++ rpm_dbus_chat(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -319,12 +401,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ setroubleshoot_stream_connect(sysadm_t)
++ setroubleshoot_dbus_chat(sysadm_t)
++ setroubleshoot_dbus_chat_fixit(sysadm_t)
++')
++
++optional_policy(`
+ seutil_run_setfiles(sysadm_t, sysadm_r)
+ seutil_run_runinit(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- spamassassin_role(sysadm_r, sysadm_t)
++ shutdown_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -349,7 +437,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- thunderbird_role(sysadm_r, sysadm_t)
++ systemd_passwd_agent_run(sysadm_t, sysadm_r)
++ systemd_config_all_services(sysadm_t)
++ systemd_manage_all_unit_files(sysadm_t)
++ systemd_manage_all_unit_lnk_files(sysadm_t)
++ systemd_login_status(sysadm_t)
++ systemd_login_reboot(sysadm_t)
++ systemd_login_halt(sysadm_t)
++ systemd_login_undefined(sysadm_t)
++')
++
++optional_policy(`
++ tftp_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -360,19 +459,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- tvtime_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+ tzdata_domtrans(sysadm_t)
+ ')
+
+ optional_policy(`
+- uml_role(sysadm_r, sysadm_t)
++ unconfined_domtrans(sysadm_t)
+ ')
+
+ optional_policy(`
+- unconfined_domtrans(sysadm_t)
++ udev_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -384,10 +479,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+ usermanage_run_admin_passwd(sysadm_t, sysadm_r)
+ usermanage_run_groupadd(sysadm_t, sysadm_r)
+ usermanage_run_useradd(sysadm_t, sysadm_r)
+@@ -395,6 +486,9 @@ optional_policy(`
+
+ optional_policy(`
+ virt_stream_connect(sysadm_t)
++ virt_filetrans_home_content(sysadm_t)
++ virt_manage_pid_dirs(sysadm_t)
++ virt_transition_svirt_lxc(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -402,31 +496,34 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- vpn_run(sysadm_t, sysadm_r)
++ vlock_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- webalizer_run(sysadm_t, sysadm_r)
++ vpn_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- wireshark_role(sysadm_r, sysadm_t)
++ webalizer_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- vlock_run(sysadm_t, sysadm_r)
++ xserver_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+- xserver_role(sysadm_r, sysadm_t)
++ yam_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- yam_run(sysadm_t, sysadm_r)
++ zebra_stream_connect(sysadm_t)
+ ')
+
+ ifndef(`distro_redhat',`
+ optional_policy(`
++ apache_role(sysadm_r, sysadm_t)
++ ')
++ optional_policy(`
+ auth_role(sysadm_r, sysadm_t)
+ ')
+
+@@ -439,10 +536,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- cron_admin_role(sysadm_r, sysadm_t)
+- ')
+-
+- optional_policy(`
+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
+ ')
+
+@@ -460,6 +553,7 @@ ifndef(`distro_redhat',`
+
+ optional_policy(`
+ gnome_role(sysadm_r, sysadm_t)
++ gnome_filetrans_admin_home_content(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -467,11 +561,66 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- irc_role(sysadm_r, sysadm_t)
++ java_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+- java_role(sysadm_r, sysadm_t)
++ lockdev_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ mock_admin(sysadm_t)
++ ')
++
++ optional_policy(`
++ mozilla_role(sysadm_r, sysadm_t)
+ ')
+-')
+
++ optional_policy(`
++ mplayer_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ pyzor_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ razor_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ rssh_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ spamassassin_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ thunderbird_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ tvtime_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ uml_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ userhelper_role_template(sysadm, sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ vmware_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ wireshark_role(sysadm_r, sysadm_t)
++ ')
++
++ optional_policy(`
++ xserver_role(sysadm_r, sysadm_t)
++ ')
++')
+diff --git a/policy/modules/roles/sysadm_secadm.fc b/policy/modules/roles/sysadm_secadm.fc
+new file mode 100644
+index 0000000..ae3b6db
+--- /dev/null
++++ b/policy/modules/roles/sysadm_secadm.fc
+@@ -0,0 +1 @@
++# No context
+diff --git a/policy/modules/roles/sysadm_secadm.if b/policy/modules/roles/sysadm_secadm.if
+new file mode 100644
+index 0000000..bd83148
+--- /dev/null
++++ b/policy/modules/roles/sysadm_secadm.if
+@@ -0,0 +1 @@
++## No Interfaces
+diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te
+new file mode 100644
+index 0000000..63bc797
+--- /dev/null
++++ b/policy/modules/roles/sysadm_secadm.te
+@@ -0,0 +1,25 @@
++policy_module(sysadm_secadm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++gen_require(`
++ type sysadm_t;
++ role sysadm_r;
++')
++
++userdom_security_admin_template(sysadm_t, sysadm_r)
++
++#######################################
++#
++# Local policy
++#
++
++mls_file_write_all_levels(sysadm_t)
++
++logging_manage_audit_log(sysadm_t)
++logging_manage_audit_config(sysadm_t)
++logging_run_auditctl(sysadm_t, sysadm_r)
++logging_stream_connect_syslog(sysadm_t)
+diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
+new file mode 100644
+index 0000000..0e8654b
+--- /dev/null
++++ b/policy/modules/roles/unconfineduser.fc
+@@ -0,0 +1,8 @@
++# Add programs here which should not be confined by SELinux
++# e.g.:
++# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
++/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++
++/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
+new file mode 100644
+index 0000000..bac0dc0
+--- /dev/null
++++ b/policy/modules/roles/unconfineduser.if
+@@ -0,0 +1,595 @@
++## Unconfiend user role
++
++########################################
++##
++## Change from the unconfineduser role.
++##
++##
++##
++## Change from the unconfineduser role to
++## the specified role.
++##
++##
++## This is an interface to support third party modules
++## and its use is not allowed in upstream reference
++## policy.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`unconfined_role_change_to',`
++ gen_require(`
++ role unconfined_r;
++ ')
++
++ allow unconfined_r $1;
++')
++
++########################################
++##
++## Transition to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_domtrans',`
++ gen_require(`
++ type unconfined_t, unconfined_exec_t;
++ ')
++
++ domtrans_pattern($1,unconfined_exec_t,unconfined_t)
++')
++
++########################################
++##
++## Execute specified programs in the unconfined domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++##
++##
++## The role to allow the unconfined domain.
++##
++##
++#
++interface(`unconfined_run',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ unconfined_domtrans($1)
++ role $2 types unconfined_t;
++')
++
++########################################
++##
++## Transition to the unconfined domain by executing a shell.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_shell_domtrans',`
++ gen_require(`
++ attribute unconfined_login_domain;
++ ')
++ typeattribute $1 unconfined_login_domain;
++')
++
++########################################
++##
++## Allow unconfined to execute the specified program in
++## the specified domain.
++##
++##
++##
++## Allow unconfined to execute the specified program in
++## the specified domain.
++##
++##
++## This is a interface to support third party modules
++## and its use is not allowed in upstream reference
++## policy.
++##
++##
++##
++##
++## Domain to execute in.
++##
++##
++##
++##
++## Domain entry point file.
++##
++##
++#
++interface(`unconfined_domtrans_to',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ domtrans_pattern(unconfined_t,$2,$1)
++')
++
++########################################
++##
++## Allow unconfined to execute the specified program in
++## the specified domain. Allow the specified domain the
++## unconfined role and use of unconfined user terminals.
++##
++##
++##
++## Allow unconfined to execute the specified program in
++## the specified domain. Allow the specified domain the
++## unconfined role and use of unconfined user terminals.
++##
++##
++## This is a interface to support third party modules
++## and its use is not allowed in upstream reference
++## policy.
++##
++##
++##
++##
++## Domain to execute in.
++##
++##
++##
++##
++## Domain entry point file.
++##
++##
++#
++interface(`unconfined_run_to',`
++ gen_require(`
++ type unconfined_t;
++ role unconfined_r;
++ ')
++
++ domtrans_pattern(unconfined_t,$2,$1)
++ role unconfined_r types $1;
++ userdom_use_user_terminals($1)
++')
++
++########################################
++##
++## Inherit file descriptors from the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_use_fds',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:fd use;
++')
++
++########################################
++##
++## Send a SIGCHLD signal to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_sigchld',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process sigchld;
++')
++
++########################################
++##
++## Send a SIGNULL signal to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_signull',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process signull;
++')
++
++########################################
++##
++## Send generic signals to the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_signal',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process signal;
++')
++
++########################################
++##
++## Read unconfined domain unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_read_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:fifo_file read_fifo_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read unconfined domain unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dontaudit_read_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:fifo_file read;
++')
++
++########################################
++##
++## Read and write unconfined domain unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_rw_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read and write
++## unconfined domain unnamed pipes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_pipes',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:fifo_file rw_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read and write
++## unconfined domain stream.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_stream',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
++')
++
++########################################
++##
++## Connect to the unconfined domain using
++## a unix domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_stream_connect',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:unix_stream_socket connectto;
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## unconfined domain tcp sockets.
++##
++##
++##
++## Do not audit attempts to read or write
++## unconfined domain tcp sockets.
++##
++##
++## This interface was added due to a broken
++## symptom in ldconfig.
++##
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_tcp_sockets',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:tcp_socket { read write };
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## unconfined domain packet sockets.
++##
++##
++##
++## Do not audit attempts to read or write
++## unconfined domain packet sockets.
++##
++##
++## This interface was added due to a broken
++## symptom.
++##
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`unconfined_dontaudit_rw_packet_sockets',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:packet_socket { read write };
++')
++
++########################################
++##
++## Create keys for the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_create_keys',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:key create;
++')
++
++########################################
++##
++## Send messages to the unconfined domain over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dbus_send',`
++ gen_require(`
++ type unconfined_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 unconfined_t:dbus send_msg;
++')
++
++########################################
++##
++## Send and receive messages from
++## unconfined_t over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dbus_chat',`
++ gen_require(`
++ type unconfined_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 unconfined_t:dbus send_msg;
++ allow unconfined_t $1:dbus send_msg;
++')
++
++########################################
++##
++## Connect to the the unconfined DBUS
++## for service (acquire_svc).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_dbus_connect',`
++ gen_require(`
++ type unconfined_t;
++ class dbus acquire_svc;
++ ')
++
++ allow $1 unconfined_t:dbus acquire_svc;
++')
++
++########################################
++##
++## Allow ptrace of unconfined domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_ptrace',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process ptrace;
++')
++
++########################################
++##
++## Read and write to unconfined shared memory.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`unconfined_rw_shm',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:shm rw_shm_perms;
++')
++
++########################################
++##
++## Allow apps to set rlimits on userdomain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_set_rlimitnh',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process rlimitinh;
++')
++
++########################################
++##
++## Get the process group of unconfined.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_getpgid',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process getpgid;
++')
++
++########################################
++##
++## Change to the unconfined role.
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`unconfined_role_change',`
++ gen_require(`
++ role unconfined_r;
++ ')
++
++ allow $1 unconfined_r;
++')
++
++########################################
++##
++## Allow domain to attach to TUN devices created by unconfined_t users.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_attach_tun_iface',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:tun_socket relabelfrom;
++ allow $1 self:tun_socket relabelto;
++')
++
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+new file mode 100644
+index 0000000..d609f53
+--- /dev/null
++++ b/policy/modules/roles/unconfineduser.te
+@@ -0,0 +1,387 @@
++policy_module(unconfineduser, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++attribute unconfined_login_domain;
++
++##
++##
++## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
++##
++##
++gen_tunable(unconfined_chrome_sandbox_transition, false)
++
++##
++##
++## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
++##
++##
++gen_tunable(unconfined_mozilla_plugin_transition, false)
++
++##
++##
++## Allow video playing tools to run unconfined
++##
++##
++gen_tunable(unconfined_mplayer, false)
++
++##
++##
++## Allow a user to login as an unconfined domain
++##
++##
++gen_tunable(unconfined_login, true)
++
++# usage in this module of types created by these
++# calls is not correct, however we dont currently
++# have another method to add access to these types
++userdom_base_user_template(unconfined)
++userdom_manage_home_role(unconfined_r, unconfined_t)
++userdom_manage_tmp_role(unconfined_r, unconfined_t)
++userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
++userdom_unpriv_type(unconfined_t)
++
++type unconfined_exec_t;
++init_system_domain(unconfined_t, unconfined_exec_t)
++role unconfined_r types unconfined_t;
++role_transition system_r unconfined_exec_t unconfined_r;
++allow system_r unconfined_r;
++
++domain_user_exemption_target(unconfined_t)
++allow system_r unconfined_r;
++allow unconfined_r system_r;
++init_script_role_transition(unconfined_r)
++role system_r types unconfined_t;
++typealias unconfined_t alias unconfined_crontab_t;
++
++########################################
++#
++# Local policy
++#
++
++dontaudit unconfined_t self:dir write;
++dontaudit unconfined_t self:file setattr;
++
++allow unconfined_t self:system syslog_read;
++dontaudit unconfined_t self:capability sys_module;
++
++kernel_rw_unlabeled_socket(unconfined_t)
++kernel_rw_unlabeled_rawip_socket(unconfined_t)
++
++files_create_boot_flag(unconfined_t)
++files_create_default_dir(unconfined_t)
++files_root_filetrans_default(unconfined_t, dir)
++
++mcs_killall(unconfined_t)
++mcs_ptrace_all(unconfined_t)
++mls_file_write_all_levels(unconfined_t)
++
++init_run_daemon(unconfined_t, unconfined_r)
++init_domtrans_script(unconfined_t)
++init_telinit(unconfined_t)
++
++logging_send_syslog_msg(unconfined_t)
++logging_run_auditctl(unconfined_t, unconfined_r)
++
++systemd_config_all_services(unconfined_t)
++
++seutil_run_loadpolicy(unconfined_t, unconfined_r)
++seutil_run_setsebool(unconfined_t, unconfined_r)
++seutil_run_setfiles(unconfined_t, unconfined_r)
++seutil_run_semanage(unconfined_t, unconfined_r)
++
++unconfined_domain_noaudit(unconfined_t)
++
++usermanage_run_passwd(unconfined_t, unconfined_r)
++
++tunable_policy(`deny_execmem',`',`
++ allow unconfined_t self:process execmem;
++')
++
++tunable_policy(`selinuxuser_execstack',`
++ allow unconfined_t self:process execstack;
++')
++
++tunable_policy(`selinuxuser_execmod',`
++ userdom_execmod_user_home_files(unconfined_t)
++')
++
++tunable_policy(`unconfined_login',`
++ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
++ allow unconfined_t unconfined_login_domain:fd use;
++ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
++ allow unconfined_t unconfined_login_domain:process sigchld;
++')
++
++optional_policy(`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ optional_policy(`
++ abrt_dbus_chat(unconfined_t)
++ abrt_run_helper(unconfined_t, unconfined_r)
++ ')
++
++ optional_policy(`
++ avahi_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ blueman_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ certmonger_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat(unconfined_t)
++ devicekit_dbus_chat_disk(unconfined_t)
++ devicekit_dbus_chat_power(unconfined_t)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ policykit_role(unconfined_r, unconfined_t)
++ ')
++
++ optional_policy(`
++ rtkit_scheduled(unconfined_t)
++ ')
++
++ # Might remove later if this proves to be problematic, but would like to gather AVCs
++ optional_policy(`
++ thumb_role(unconfined_r, unconfined_t)
++ ')
++
++ optional_policy(`
++ setroubleshoot_dbus_chat(unconfined_t)
++ setroubleshoot_dbus_chat_fixit(unconfined_t)
++ ')
++
++ optional_policy(`
++ sandbox_transition(unconfined_t, unconfined_r)
++ ')
++
++ optional_policy(`
++ sandbox_x_transition(unconfined_t, unconfined_r)
++ ')
++
++ optional_policy(`
++ shutdown_run(unconfined_t, unconfined_r)
++ ')
++
++ optional_policy(`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ xserver_rw_session(unconfined_t, user_tmpfs_t)
++ xserver_run_xauth(unconfined_t, unconfined_r)
++ xserver_dbus_chat_xdm(unconfined_t)
++ ')
++')
++
++ifdef(`distro_gentoo',`
++ seutil_run_runinit(unconfined_t, unconfined_r)
++ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ accountsd_dbus_chat(unconfined_t)
++')
++
++optional_policy(`
++ apache_run_helper(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ bind_run_ndc(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ chrome_role_notrans(unconfined_r, unconfined_t)
++
++ tunable_policy(`unconfined_chrome_sandbox_transition',`
++ chrome_domtrans_sandbox(unconfined_t)
++ ')
++')
++
++optional_policy(`
++ dbus_role_template(unconfined, unconfined_r, unconfined_t)
++
++ optional_policy(`
++ unconfined_domain(unconfined_dbusd_t)
++
++ optional_policy(`
++ xserver_rw_shm(unconfined_dbusd_t)
++ ')
++ ')
++
++ init_dbus_chat(unconfined_t)
++ init_dbus_chat_script(unconfined_t)
++
++ dbus_stub(unconfined_t)
++
++ optional_policy(`
++ bluetooth_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ consolekit_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ cups_dbus_chat_config(unconfined_t)
++ ')
++
++ optional_policy(`
++ fprintd_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ gnomeclock_dbus_chat(unconfined_t)
++ gnome_dbus_chat_gconfdefault(unconfined_t)
++ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
++ ')
++
++ optional_policy(`
++ ipsec_mgmt_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ kerneloops_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
++ ')
++
++ optional_policy(`
++ oddjob_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ vpn_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ firewalld_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ firewallgui_dbus_chat(unconfined_t)
++ ')
++')
++
++optional_policy(`
++ firstboot_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ fsadm_manage_pid(unconfined_t)
++')
++
++optional_policy(`
++ ftp_run_ftpdctl(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ gpsd_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ java_run_unconfined(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ livecd_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ lpd_run_checkpc(unconfined_t, unconfined_r)
++')
++
++#optional_policy(`
++# mock_role(unconfined_r, unconfined_t)
++#')
++
++optional_policy(`
++ modutils_run_update_mods(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ mozilla_role_plugin(unconfined_r)
++
++ tunable_policy(`unconfined_mozilla_plugin_transition', `
++ mozilla_domtrans_plugin(unconfined_t)
++ ')
++')
++
++optional_policy(`
++ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ portmap_run_helper(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ rpm_run(unconfined_t, unconfined_r)
++ # Allow SELinux aware applications to request rpm_script execution
++ rpm_transition_script(unconfined_t)
++ rpm_dbus_chat(unconfined_t)
++')
++
++optional_policy(`
++ optional_policy(`
++ samba_run_unconfined_net(unconfined_t, unconfined_r)
++ ')
++
++ samba_role_notrans(unconfined_r)
++ samba_run_smbcontrol(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ sysnet_run_dhcpc(unconfined_t, unconfined_r)
++ sysnet_dbus_chat_dhcpc(unconfined_t)
++ sysnet_role_transition_dhcpc(unconfined_r)
++')
++
++optional_policy(`
++ openshift_run(unconfined_usertype, unconfined_r)
++')
++
++optional_policy(`
++ usermanage_run_useradd(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ virt_transition_svirt(unconfined_t, unconfined_r)
++ virt_transition_svirt_lxc(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ webalizer_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ wine_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
++ xserver_run(unconfined_t, unconfined_r)
++ xserver_manage_home_fonts(unconfined_t)
++')
++
++gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
+index 3835596..fbca2be 100644
+--- a/policy/modules/roles/unprivuser.if
++++ b/policy/modules/roles/unprivuser.if
+@@ -1,4 +1,4 @@
+-## Generic unprivileged user role
++## Generic unprivileged user
+
+ ########################################
+ ##
+diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
+index 9f6d4c3..23a78b4 100644
+--- a/policy/modules/roles/unprivuser.te
++++ b/policy/modules/roles/unprivuser.te
+@@ -1,5 +1,12 @@
+ policy_module(unprivuser, 2.3.0)
+
++##
++##
++## Allow unprivledged user to create and transition to svirt domains.
++##
++##
++gen_tunable(unprivuser_use_svirt, false)
++
+ # this module should be named user, but that is
+ # a compile error since user is a keyword.
+
+@@ -12,12 +19,97 @@ role user_r;
+
+ userdom_unpriv_user_template(user)
+
++kernel_read_numa_state(user_t)
++kernel_write_numa_state(user_t)
++
++fs_exec_noxattr(user_t)
++fs_read_hugetlbfs_files(user_t)
++
++storage_read_scsi_generic(user_t)
++storage_write_scsi_generic(user_t)
++
++tunable_policy(`selinuxuser_execmod',`
++ userdom_execmod_user_home_files(user_t)
++')
++
++optional_policy(`
++ abrt_read_cache(user_t)
++')
++
+ optional_policy(`
+ apache_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+- git_role(user_r, user_t)
++ blueman_dbus_chat(user_t)
++')
++
++optional_policy(`
++ bluetooth_role(user_r, user_t)
++')
++
++optional_policy(`
++ colord_dbus_chat(user_t)
++')
++
++optional_policy(`
++ chrome_role(user_r, user_t)
++')
++
++optional_policy(`
++ gnome_role(user_r, user_t)
++')
++
++optional_policy(`
++ irc_role(user_r, user_t)
++')
++
++optional_policy(`
++ oident_manage_user_content(user_t)
++ oident_relabel_user_content(user_t)
++')
++
++optional_policy(`
++ mozilla_run_plugin(user_t, user_r)
++')
++
++optional_policy(`
++ mta_role(user_r, user_t)
++')
++
++optional_policy(`
++ netutils_run_ping_cond(user_t, user_r)
++ netutils_run_traceroute_cond(user_t, user_r)
++')
++
++optional_policy(`
++ polipo_role(user_r, user_t)
++ polipo_named_filetrans_cache_home_dirs(user_t)
++ polipo_named_filetrans_config_home_files(user_t)
++')
++
++optional_policy(`
++ rpm_dontaudit_dbus_chat(user_t)
++')
++
++optional_policy(`
++ rtkit_scheduled(user_t)
++')
++
++optional_policy(`
++ sandbox_transition(user_t, user_r)
++')
++
++optional_policy(`
++ sandbox_x_transition(user_t, user_r)
++')
++
++optional_policy(`
++ ssh_role_template(user, user_r, user_t)
++')
++
++optional_policy(`
++ git_session_role(user_r, user_t)
+ ')
+
+ optional_policy(`
+@@ -25,6 +117,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ setroubleshoot_dontaudit_stream_connect(user_t)
++')
++
++#optional_policy(`
++# telepathy_dbus_session_role(user_r, user_t)
++#')
++
++optional_policy(`
++ usbmuxd_stream_connect(user_t)
++')
++
++optional_policy(`
+ vlock_run(user_t, user_r)
+ ')
+
+@@ -66,10 +170,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- gnome_role(user_r, user_t)
+- ')
+-
+- optional_policy(`
+ gpg_role(user_r, user_t)
+ ')
+
+@@ -102,10 +202,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- mta_role(user_r, user_t)
+- ')
+-
+- optional_policy(`
+ postgresql_role(user_r, user_t)
+ ')
+
+@@ -128,7 +224,6 @@ ifndef(`distro_redhat',`
+ optional_policy(`
+ ssh_role_template(user, user_r, user_t)
+ ')
+-
+ optional_policy(`
+ su_role_template(user, user_r, user_t)
+ ')
+@@ -161,3 +256,15 @@ ifndef(`distro_redhat',`
+ wireshark_role(user_r, user_t)
+ ')
+ ')
++
++
++optional_policy(`
++ virt_transition_svirt(user_t, user_r)
++ virt_filetrans_home_content(user_t)
++')
++
++optional_policy(`
++ tunable_policy(`unprivuser_use_svirt',`
++ virt_manage_images(user_t)
++ ')
++')
+diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
+index a26f84f..d3cc612 100644
+--- a/policy/modules/services/postgresql.fc
++++ b/policy/modules/services/postgresql.fc
+@@ -10,6 +10,7 @@
+ #
+ /usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+ /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+ /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+ /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+@@ -28,9 +29,9 @@ ifdef(`distro_redhat', `
+ #
+ /var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+
+-/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
++/var/lib/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+ /var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+-/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0)
+
+ /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+ /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
+@@ -45,4 +46,4 @@ ifdef(`distro_redhat', `
+
+ /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+-/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
++#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
+diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
+index ecef19f..fcbc25a 100644
+--- a/policy/modules/services/postgresql.if
++++ b/policy/modules/services/postgresql.if
+@@ -10,7 +10,7 @@
+ ##
+ ##
+ ##
+-##
++##
+ ## The type of the user domain.
+ ##
+ ##
+@@ -54,15 +54,6 @@ interface(`postgresql_role',`
+ # Client local policy
+ #
+
+- tunable_policy(`sepgsql_enable_users_ddl',`
+- allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
+- allow $2 user_sepgsql_table_t:db_table { create drop setattr };
+- allow $2 user_sepgsql_table_t:db_column { create drop setattr };
+- allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+- allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
+- allow $2 user_sepgsql_view_t:db_view { create drop setattr };
+- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+- ')
+
+ allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
+ type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
+@@ -94,6 +85,16 @@ interface(`postgresql_role',`
+
+ allow $2 sepgsql_trusted_proc_t:process transition;
+ type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
++
++ tunable_policy(`sepgsql_enable_users_ddl',`
++ allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
++ allow $2 user_sepgsql_table_t:db_table { create drop setattr };
++ allow $2 user_sepgsql_table_t:db_column { create drop setattr };
++ allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
++ allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
++ allow $2 user_sepgsql_view_t:db_view { create drop setattr };
++ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
++ ')
+ ')
+
+ ########################################
+@@ -312,7 +313,7 @@ interface(`postgresql_search_db',`
+ type postgresql_db_t;
+ ')
+
+- allow $1 postgresql_db_t:dir search;
++ allow $1 postgresql_db_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -324,14 +325,16 @@ interface(`postgresql_search_db',`
+ ## Domain allowed access.
+ ##
+ ##
++#
+ interface(`postgresql_manage_db',`
+ gen_require(`
+ type postgresql_db_t;
+ ')
+
+- allow $1 postgresql_db_t:dir rw_dir_perms;
+- allow $1 postgresql_db_t:file rw_file_perms;
+- allow $1 postgresql_db_t:lnk_file { getattr read };
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, postgresql_db_t, postgresql_db_t)
++ manage_files_pattern($1, postgresql_db_t, postgresql_db_t)
++ manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t)
+ ')
+
+ ########################################
+@@ -354,6 +357,24 @@ interface(`postgresql_domtrans',`
+
+ ######################################
+ ##
++## Execute Postgresql in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postgresql_exec',`
++ gen_require(`
++ type postgresql_exec_t;
++ ')
++
++ can_exec($1, postgresql_exec_t)
++')
++
++######################################
++##
+ ## Allow domain to signal postgresql
+ ##
+ ##
+@@ -421,7 +442,6 @@ interface(`postgresql_tcp_connect',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`postgresql_stream_connect',`
+ gen_require(`
+@@ -429,10 +449,8 @@ interface(`postgresql_stream_connect',`
+ ')
+
+ files_search_pids($1)
+- allow $1 postgresql_t:unix_stream_socket connectto;
+- allow $1 postgresql_var_run_t:sock_file write;
+- # Some versions of postgresql put the sock file in /tmp
+- allow $1 postgresql_tmp_t:sock_file write;
++ files_search_tmp($1)
++ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
+ ')
+
+ ########################################
+@@ -515,7 +533,6 @@ interface(`postgresql_unpriv_client',`
+ allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
+ type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
+
+-
+ tunable_policy(`sepgsql_enable_users_ddl',`
+ allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
+ allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+@@ -564,33 +581,38 @@ interface(`postgresql_unconfined',`
+ #
+ interface(`postgresql_admin',`
+ gen_require(`
+- attribute sepgsql_admin_type;
+- attribute sepgsql_client_type;
+-
+- type postgresql_t, postgresql_var_run_t;
+- type postgresql_tmp_t, postgresql_db_t;
+- type postgresql_etc_t, postgresql_log_t;
+- type postgresql_initrc_exec_t;
++ attribute sepgsql_admin_type, sepgsql_client_type;
++ type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t;
++ type postgresql_tmp_t, postgresql_db_t, postgresql_log_t;
++ type postgresql_etc_t;
+ ')
+
+ typeattribute $1 sepgsql_admin_type;
+
+- allow $1 postgresql_t:process { ptrace signal_perms };
++ allow $1 postgresql_t:process signal_perms;
+ ps_process_pattern($1, postgresql_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 postgresql_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 postgresql_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_list_pids($1)
+ admin_pattern($1, postgresql_var_run_t)
+
++ files_list_var_lib($1)
+ admin_pattern($1, postgresql_db_t)
+
++ files_list_etc($1)
+ admin_pattern($1, postgresql_etc_t)
+
++ logging_list_logs($1)
+ admin_pattern($1, postgresql_log_t)
+
++ files_list_tmp($1)
+ admin_pattern($1, postgresql_tmp_t)
+
+ postgresql_tcp_connect($1)
+diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
+index 4318f73..e4d0b31 100644
+--- a/policy/modules/services/postgresql.te
++++ b/policy/modules/services/postgresql.te
+@@ -19,25 +19,32 @@ gen_require(`
+ #
+
+ ##
+-##
+-## Allow unprived users to execute DDL statement
+-##
++##
++## Allow postgresql to use ssh and rsync for point-in-time recovery
++##
++##
++gen_tunable(postgresql_can_rsync, false)
++
++##
++##
++## Allow unprivileged users to execute DDL statement
++##
+ ##
+-gen_tunable(sepgsql_enable_users_ddl, true)
++gen_tunable(postgresql_selinux_users_ddl, true)
+
+ ##
+ ##
+ ## Allow transmit client label to foreign database
+ ##
+ ##
+-gen_tunable(sepgsql_transmit_client_label, false)
++gen_tunable(postgresql_selinux_transmit_client_label, false)
+
+ ##
+ ##
+ ## Allow database admins to execute DML statement
+ ##
+ ##
+-gen_tunable(sepgsql_unconfined_dbadm, true)
++gen_tunable(postgresql_selinux_unconfined_dbadm, true)
+
+ type postgresql_t;
+ type postgresql_exec_t;
+@@ -233,9 +240,10 @@ allow postgresql_t self:shm create_shm_perms;
+ allow postgresql_t self:tcp_socket create_stream_socket_perms;
+ allow postgresql_t self:udp_socket create_stream_socket_perms;
+ allow postgresql_t self:unix_dgram_socket create_socket_perms;
+-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
++allow postgresql_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow postgresql_t self:netlink_selinux_socket create_socket_perms;
+-tunable_policy(`sepgsql_transmit_client_label',`
++
++tunable_policy(`postgresql_selinux_transmit_client_label',`
+ allow postgresql_t self:process { setsockcreate };
+ ')
+
+@@ -275,7 +283,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
+ read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
+ read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
+
+-allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
++allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
+ can_exec(postgresql_t, postgresql_exec_t )
+
+ allow postgresql_t postgresql_lock_t:file manage_file_perms;
+@@ -303,7 +311,6 @@ kernel_list_proc(postgresql_t)
+ kernel_read_all_sysctls(postgresql_t)
+ kernel_read_proc_symlinks(postgresql_t)
+
+-corenet_all_recvfrom_unlabeled(postgresql_t)
+ corenet_all_recvfrom_netlabel(postgresql_t)
+ corenet_tcp_sendrecv_generic_if(postgresql_t)
+ corenet_udp_sendrecv_generic_if(postgresql_t)
+@@ -341,8 +348,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
+ domain_use_interactive_fds(postgresql_t)
+
+ files_dontaudit_search_home(postgresql_t)
+-files_manage_etc_files(postgresql_t)
+-files_search_etc(postgresql_t)
++files_read_etc_files(postgresql_t)
+ files_read_etc_runtime_files(postgresql_t)
+ files_read_usr_files(postgresql_t)
+
+@@ -353,7 +359,6 @@ init_read_utmp(postgresql_t)
+ logging_send_syslog_msg(postgresql_t)
+ logging_send_audit_msgs(postgresql_t)
+
+-miscfiles_read_localization(postgresql_t)
+
+ seutil_libselinux_linked(postgresql_t)
+ seutil_read_default_contexts(postgresql_t)
+@@ -366,7 +371,7 @@ optional_policy(`
+ mta_getattr_spool(postgresql_t)
+ ')
+
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow postgresql_t self:process execmem;
+ ')
+
+@@ -487,7 +492,7 @@ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db
+ # Note that permission of creation/deletion are eventually controlled by
+ # create or drop permission of individual objects within shared schemas.
+ # So, it just allows to create/drop user specific types.
+-tunable_policy(`sepgsql_enable_users_ddl',`
++tunable_policy(`postgresql_selinux_users_ddl',`
+ allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
+ ')
+
+@@ -535,7 +540,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+
+ kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
+
+-tunable_policy(`sepgsql_unconfined_dbadm',`
++tunable_policy(`postgresql_selinux_unconfined_dbadm',`
+ allow sepgsql_admin_type sepgsql_database_type:db_database *;
+
+ allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
+@@ -588,3 +593,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+ allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
+
+ kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
++
++optional_policy(`
++ tunable_policy(`postgresql_can_rsync',`
++ rsync_exec(postgresql_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`postgresql_can_rsync',`
++ ssh_exec(postgresql_t)
++ ssh_read_user_home_files(postgresql_t)
++ corenet_tcp_connect_ssh_port(postgresql_t)
++ ')
++')
+diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
+index 078bcd7..022c7db 100644
+--- a/policy/modules/services/ssh.fc
++++ b/policy/modules/services/ssh.fc
+@@ -1,9 +1,23 @@
+ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
++
++/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/gitolite3/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/nocpulse/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/stickshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/openshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/pgsql/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++
++/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
+
+ /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
+ /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+ /etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+ /etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
++/etc/ssh/ssh_host_key.pub -- gen_context(system_u:object_r:sshd_key_t,s0)
++/etc/ssh/ssh_host_dsa_key.pub -- gen_context(system_u:object_r:sshd_key_t,s0)
++/etc/ssh/ssh_host_rsa_key.pub -- gen_context(system_u:object_r:sshd_key_t,s0)
+
+ /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
+ /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
+@@ -12,5 +26,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+ /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+
+ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
++/usr/sbin/gsisshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+
+ /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
++/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
++
++/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
+diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
+index fe0c682..6395fe1 100644
+--- a/policy/modules/services/ssh.if
++++ b/policy/modules/services/ssh.if
+@@ -32,10 +32,11 @@
+ ##
+ #
+ template(`ssh_basic_client_template',`
+-
+ gen_require(`
+ attribute ssh_server;
+ type ssh_exec_t, sshd_key_t, sshd_tmp_t;
++ type ssh_keysign_exec_t, ssh_keysign_t;
++ type ssh_home_t;
+ ')
+
+ ##############################
+@@ -47,10 +48,6 @@ template(`ssh_basic_client_template',`
+ application_domain($1_ssh_t, ssh_exec_t)
+ role $3 types $1_ssh_t;
+
+- type $1_ssh_home_t;
+- files_type($1_ssh_home_t)
+- typealias $1_ssh_home_t alias $1_home_ssh_t;
+-
+ ##############################
+ #
+ # Client local policy
+@@ -89,33 +86,38 @@ template(`ssh_basic_client_template',`
+ # or "regular" (not special like sshd_extern_t) servers
+ allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
+
++ # derived domain can execute ssh-keysign
++ domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
++ role $3 types ssh_keysign_t;
++
+ # allow ps to show ssh
+ ps_process_pattern($2, $1_ssh_t)
+
+ # user can manage the keys and config
+- manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
+- manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
+- manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
++ manage_files_pattern($2, ssh_home_t, ssh_home_t)
++ manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t)
++ manage_sock_files_pattern($2, ssh_home_t, ssh_home_t)
+
+ # ssh client can manage the keys and config
+- manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
+- read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
++ manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
++ read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
+
+ # ssh servers can read the user keys and config
+- allow ssh_server $1_ssh_home_t:dir list_dir_perms;
+- read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
+- read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
++ allow ssh_server ssh_home_t:dir list_dir_perms;
++ read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
++ read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+
+ kernel_read_kernel_sysctls($1_ssh_t)
+ kernel_read_system_state($1_ssh_t)
+
+- corenet_all_recvfrom_unlabeled($1_ssh_t)
+ corenet_all_recvfrom_netlabel($1_ssh_t)
+ corenet_tcp_sendrecv_generic_if($1_ssh_t)
+ corenet_tcp_sendrecv_generic_node($1_ssh_t)
+ corenet_tcp_sendrecv_all_ports($1_ssh_t)
+ corenet_tcp_connect_ssh_port($1_ssh_t)
+ corenet_sendrecv_ssh_client_packets($1_ssh_t)
++ corenet_tcp_bind_generic_node($1_ssh_t)
++ corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
+
+ dev_read_urand($1_ssh_t)
+
+@@ -139,7 +141,6 @@ template(`ssh_basic_client_template',`
+ logging_send_syslog_msg($1_ssh_t)
+ logging_read_generic_logs($1_ssh_t)
+
+- miscfiles_read_localization($1_ssh_t)
+
+ seutil_read_config($1_ssh_t)
+
+@@ -148,6 +149,29 @@ template(`ssh_basic_client_template',`
+ ')
+ ')
+
++######################################
++##
++## The template to define a domain to which sshd dyntransition.
++##
++##
++##
++## The prefix of the dyntransition domain
++##
++##
++#
++template(`ssh_dyntransition_domain_template',`
++ gen_require(`
++ attribute ssh_dyntransition_domain;
++ ')
++
++ type $1, ssh_dyntransition_domain;
++ domain_type($1)
++ role system_r types $1;
++
++ optional_policy(`
++ ssh_dyntransition_to($1)
++ ')
++')
+ #######################################
+ ##
+ ## The template to define a ssh server.
+@@ -168,7 +192,7 @@ template(`ssh_basic_client_template',`
+ ##
+ ##
+ #
+-template(`ssh_server_template', `
++template(`ssh_server_template',`
+ type $1_t, ssh_server;
+ auth_login_pgm_domain($1_t)
+
+@@ -181,16 +205,18 @@ template(`ssh_server_template', `
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+- allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
++ allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
++ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
++ allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
++ allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+ # ssh agent connections:
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:shm create_shm_perms;
+
+- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
+ term_create_pty($1_t, $1_devpts_t)
+
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+@@ -206,6 +232,7 @@ template(`ssh_server_template', `
+
+ kernel_read_kernel_sysctls($1_t)
+ kernel_read_network_state($1_t)
++ kernel_request_load_module($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+@@ -220,10 +247,13 @@ template(`ssh_server_template', `
+ corenet_tcp_bind_generic_node($1_t)
+ corenet_udp_bind_generic_node($1_t)
+ corenet_tcp_bind_ssh_port($1_t)
+- corenet_tcp_connect_all_ports($1_t)
+ corenet_sendrecv_ssh_server_packets($1_t)
++ # -R qualifier
++ corenet_sendrecv_ssh_server_packets($1_t)
++ # tunnel feature and -w (net_admin capability also)
++ corenet_rw_tun_tap_dev($1_t)
+
+- fs_dontaudit_getattr_all_fs($1_t)
++ fs_getattr_all_fs($1_t)
+
+ auth_rw_login_records($1_t)
+ auth_rw_faillog($1_t)
+@@ -234,6 +264,7 @@ template(`ssh_server_template', `
+ corecmd_getattr_bin_files($1_t)
+
+ domain_interactive_fd($1_t)
++ domain_dyntrans_type($1_t)
+
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+@@ -241,35 +272,34 @@ template(`ssh_server_template', `
+
+ logging_search_logs($1_t)
+
+- miscfiles_read_localization($1_t)
+
+- userdom_create_all_users_keys($1_t)
+ userdom_dontaudit_relabelfrom_user_ptys($1_t)
+- userdom_search_user_home_dirs($1_t)
++ userdom_read_user_home_content_files($1_t)
+
+ # Allow checking users mail at login
+ optional_policy(`
+ mta_getattr_spool($1_t)
+ ')
+
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files($1_t)
+- fs_read_nfs_symlinks($1_t)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files($1_t)
+- ')
++ userdom_home_manager($1_t)
+
+ optional_policy(`
+ kerberos_use($1_t)
+- kerberos_manage_host_rcache($1_t)
++ #kerberos_manage_host_rcache($1_t)
+ ')
+
+ optional_policy(`
+ files_read_var_lib_symlinks($1_t)
+ nx_spec_domtrans_server($1_t)
+ ')
++
++ optional_policy(`
++ rlogin_read_home_content($1_t)
++ ')
++
++ optional_policy(`
++ shutdown_getattr_exec_files($1_t)
++ ')
+ ')
+
+ ########################################
+@@ -292,14 +322,15 @@ template(`ssh_server_template', `
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ template(`ssh_role_template',`
+ gen_require(`
+ attribute ssh_server, ssh_agent_type;
+-
+ type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
+ type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
+ type ssh_agent_tmp_t;
++ type cache_home_t;
+ ')
+
+ ##############################
+@@ -328,103 +359,56 @@ template(`ssh_role_template',`
+
+ # allow ps to show ssh
+ ps_process_pattern($3, ssh_t)
+- allow $3 ssh_t:process signal;
++ allow $3 ssh_t:process signal_perms;
+
+ # for rsync
+ allow ssh_t $3:unix_stream_socket rw_socket_perms;
+ allow ssh_t $3:unix_stream_socket connectto;
++ allow ssh_t $3:key manage_key_perms;
++ allow $3 ssh_t:key read;
+
+ # user can manage the keys and config
+ manage_files_pattern($3, ssh_home_t, ssh_home_t)
+ manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
+ manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
+ userdom_search_user_home_dirs($1_t)
++ userdom_manage_tmp_role($2, ssh_t)
+
+ ##############################
+ #
+ # SSH agent local policy
+ #
+
+- allow $1_ssh_agent_t self:process setrlimit;
+- allow $1_ssh_agent_t self:capability setgid;
+-
+ allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
+
+ allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+- manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
+- manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
+- files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file })
+-
+ # for ssh-add
+ stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
++ stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t)
+
+ # Allow the user shell to signal the ssh program.
+- allow $3 $1_ssh_agent_t:process signal;
++ allow $3 $1_ssh_agent_t:process signal_perms;
+
+ # allow ps to show ssh
+ ps_process_pattern($3, $1_ssh_agent_t)
+
+ domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t)
+
+- kernel_read_kernel_sysctls($1_ssh_agent_t)
+-
+- dev_read_urand($1_ssh_agent_t)
+- dev_read_rand($1_ssh_agent_t)
+-
+- fs_search_auto_mountpoints($1_ssh_agent_t)
++ kernel_read_system_state($1_ssh_agent_t)
+
+ # transition back to normal privs upon exec
+ corecmd_shell_domtrans($1_ssh_agent_t, $3)
+ corecmd_bin_domtrans($1_ssh_agent_t, $3)
+
+- domain_use_interactive_fds($1_ssh_agent_t)
+-
+- files_read_etc_files($1_ssh_agent_t)
+- files_read_etc_runtime_files($1_ssh_agent_t)
+- files_search_home($1_ssh_agent_t)
+-
+- libs_read_lib_files($1_ssh_agent_t)
++ auth_use_nsswitch($1_ssh_agent_t)
+
+ logging_send_syslog_msg($1_ssh_agent_t)
+
+- miscfiles_read_localization($1_ssh_agent_t)
+- miscfiles_read_generic_certs($1_ssh_agent_t)
+-
+- seutil_dontaudit_read_config($1_ssh_agent_t)
+-
+- # Write to the user domain tty.
+- userdom_use_user_terminals($1_ssh_agent_t)
+-
+- # for the transition back to normal privs upon exec
+- userdom_search_user_home_content($1_ssh_agent_t)
+ userdom_user_home_domtrans($1_ssh_agent_t, $3)
+- allow $3 $1_ssh_agent_t:fd use;
+- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
+- allow $3 $1_ssh_agent_t:process sigchld;
+-
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files($1_ssh_agent_t)
+-
+- # transition back to normal privs upon exec
+- fs_nfs_domtrans($1_ssh_agent_t, $3)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files($1_ssh_agent_t)
+-
+- # transition back to normal privs upon exec
+- fs_cifs_domtrans($1_ssh_agent_t, $3)
+- ')
+-
+- optional_policy(`
+- nis_use_ypbind($1_ssh_agent_t)
+- ')
++ userdom_home_manager($1_ssh_agent_t)
+
+- optional_policy(`
+- xserver_use_xdm_fds($1_ssh_agent_t)
+- xserver_rw_xdm_pipes($1_ssh_agent_t)
+- ')
++ ssh_exec_keygen($3)
+ ')
+
+ ########################################
+@@ -496,8 +480,27 @@ interface(`ssh_read_pipes',`
+ type sshd_t;
+ ')
+
+- allow $1 sshd_t:fifo_file { getattr read };
++ allow $1 sshd_t:fifo_file read_fifo_file_perms;
+ ')
++
++######################################
++##
++## Read and write ssh server unix dgram sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_rw_dgram_sockets',`
++ gen_require(`
++ type sshd_t;
++ ')
++
++ allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
++')
++
+ ########################################
+ ##
+ ## Read and write a ssh server unnamed pipe.
+@@ -513,7 +516,7 @@ interface(`ssh_rw_pipes',`
+ type sshd_t;
+ ')
+
+- allow $1 sshd_t:fifo_file { write read getattr ioctl };
++ allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -605,6 +608,24 @@ interface(`ssh_domtrans',`
+
+ ########################################
+ ##
++## Execute sshd server in the sshd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_initrc_domtrans',`
++ gen_require(`
++ type sshd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, sshd_initrc_exec_t)
++')
++
++########################################
++##
+ ## Execute the ssh client in the caller domain.
+ ##
+ ##
+@@ -637,7 +658,7 @@ interface(`ssh_setattr_key_files',`
+ type sshd_key_t;
+ ')
+
+- allow $1 sshd_key_t:file setattr;
++ allow $1 sshd_key_t:file setattr_file_perms;
+ files_search_pids($1)
+ ')
+
+@@ -662,6 +683,42 @@ interface(`ssh_agent_exec',`
+
+ ########################################
+ ##
++## Getattr ssh home directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_getattr_user_home_dir',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ allow $1 ssh_home_t:dir getattr;
++')
++
++########################################
++##
++## Dontaudit search ssh home directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_dontaudit_search_user_home_dir',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ dontaudit $1 ssh_home_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Read ssh home directory content
+ ##
+ ##
+@@ -701,6 +758,50 @@ interface(`ssh_domtrans_keygen',`
+
+ ########################################
+ ##
++## Execute the ssh key generator in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ssh_exec_keygen',`
++ gen_require(`
++ type ssh_keygen_exec_t;
++ ')
++
++ can_exec($1, ssh_keygen_exec_t)
++')
++
++#######################################
++##
++## Execute ssh-keygen in the iptables domain, and
++## allow the specified role the ssh-keygen domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`ssh_run_keygen',`
++ gen_require(`
++ type ssh_keygen_t;
++ ')
++
++ role $2 types ssh_keygen_t;
++ ssh_domtrans_keygen($1)
++')
++
++########################################
++##
+ ## Read ssh server keys
+ ##
+ ##
+@@ -714,7 +815,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+ type sshd_key_t;
+ ')
+
+- dontaudit $1 sshd_key_t:file { getattr read };
++ dontaudit $1 sshd_key_t:file read_file_perms;
+ ')
+
+ ######################################
+@@ -754,3 +855,101 @@ interface(`ssh_delete_tmp',`
+ files_search_tmp($1)
+ delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
+ ')
++
++#####################################
++##
++## Allow domain dyntransition to chroot_user_t domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_dyntransition_to',`
++ gen_require(`
++ type sshd_t;
++ ')
++
++ allow sshd_t $1:process dyntransition;
++ allow $1 sshd_t:process sigchld;
++ allow sshd_t $1:process { getattr sigkill sigstop signull signal };
++')
++
++########################################
++##
++## Create .ssh directory in the /root directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_filetrans_admin_home_content',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
++ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
++')
++
++########################################
++##
++## Create .ssh directory in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_filetrans_home_content',`
++
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
++ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
++')
++
++########################################
++##
++## Do not audit attempts to read and
++## write the sshd pty type.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`ssh_dontaudit_use_ptys',`
++ gen_require(`
++ type sshd_devpts_t;
++ ')
++
++ dontaudit $1 sshd_devpts_t:chr_file { getattr read write ioctl };
++')
++
++########################################
++##
++## Read and write inherited sshd pty type.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`ssh_use_ptys',`
++ gen_require(`
++ type sshd_devpts_t;
++ ')
++
++ allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl };
++')
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index b17e27a..3354b8f 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0)
+ #
+
+ ##
+-##
+-## allow host key based authentication
+-##
++##
++## allow host key based authentication
++##
+ ##
+-gen_tunable(allow_ssh_keysign, false)
++gen_tunable(ssh_keysign, false)
++
++##
++##
++## Allow ssh logins as sysadm_r:sysadm_t
++##
++##
++gen_tunable(ssh_sysadm_login, false)
+
+ ##
+ ##
+-## Allow ssh logins as sysadm_r:sysadm_t
++## Allow ssh with chroot env to read and write files
++## in the user home directories
+ ##
+ ##
+-gen_tunable(ssh_sysadm_login, false)
++gen_tunable(ssh_chroot_rw_homedirs, false)
+
++attribute ssh_dyntransition_domain;
+ attribute ssh_server;
+ attribute ssh_agent_type;
+
++ssh_dyntransition_domain_template(chroot_user_t)
++ssh_dyntransition_domain_template(sshd_sandbox_t)
++
+ type ssh_keygen_t;
+ type ssh_keygen_exec_t;
+ init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
+-role system_r types ssh_keygen_t;
+
+ type sshd_exec_t;
+ corecmd_executable_file(sshd_exec_t)
+
+ ssh_server_template(sshd)
+ init_daemon_domain(sshd_t, sshd_exec_t)
++mls_trusted_object(sshd_t)
++
++type sshd_initrc_exec_t;
++init_script_file(sshd_initrc_exec_t)
+
+ type sshd_key_t;
+ files_type(sshd_key_t)
+
+-type sshd_tmp_t;
+-files_tmp_file(sshd_tmp_t)
+-files_poly_parent(sshd_tmp_t)
+-
+-ifdef(`enable_mcs',`
+- init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+-')
+-
+ type ssh_t;
+ type ssh_exec_t;
+ typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
+@@ -73,6 +80,11 @@ type ssh_home_t;
+ typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
+ typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
+ userdom_user_home_content(ssh_home_t)
++files_poly_parent(ssh_home_t)
++
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
++')
+
+ ##############################
+ #
+@@ -83,6 +95,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+ allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow ssh_t self:fd use;
+ allow ssh_t self:fifo_file rw_fifo_file_perms;
++allow ssh_t self:key read;
+ allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow ssh_t self:shm create_shm_perms;
+@@ -90,15 +103,11 @@ allow ssh_t self:sem create_sem_perms;
+ allow ssh_t self:msgq create_msgq_perms;
+ allow ssh_t self:msg { send receive };
+ allow ssh_t self:tcp_socket create_stream_socket_perms;
++can_exec(ssh_t, ssh_exec_t)
+
+ # Read the ssh key file.
+ allow ssh_t sshd_key_t:file read_file_perms;
+
+-# Access the ssh temporary files.
+-allow ssh_t sshd_tmp_t:dir manage_dir_perms;
+-allow ssh_t sshd_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir })
+-
+ manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+@@ -108,32 +117,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+ manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
+ manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+ userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
++userdom_read_all_users_keys(ssh_t)
++userdom_stream_connect(ssh_t)
++userdom_search_admin_dir(sshd_t)
++userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
+
+ # Allow the ssh program to communicate with ssh-agent.
+ stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
+
+ allow ssh_t sshd_t:unix_stream_socket connectto;
++allow ssh_t sshd_t:peer recv;
+
+ # ssh client can manage the keys and config
+ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+ read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+
+ # ssh servers can read the user keys and config
+-allow ssh_server ssh_home_t:dir list_dir_perms;
+-read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+-read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
++manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
++manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
++userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir)
++userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir)
+
+ kernel_read_kernel_sysctls(ssh_t)
+ kernel_read_system_state(ssh_t)
+
+-corenet_all_recvfrom_unlabeled(ssh_t)
+ corenet_all_recvfrom_netlabel(ssh_t)
+ corenet_tcp_sendrecv_generic_if(ssh_t)
+ corenet_tcp_sendrecv_generic_node(ssh_t)
+ corenet_tcp_sendrecv_all_ports(ssh_t)
+ corenet_tcp_connect_ssh_port(ssh_t)
++corenet_tcp_connect_all_unreserved_ports(ssh_t)
+ corenet_sendrecv_ssh_client_packets(ssh_t)
++corenet_tcp_bind_generic_node(ssh_t)
++#corenet_tcp_bind_all_unreserved_ports(ssh_t)
++corenet_rw_tun_tap_dev(ssh_t)
+
++dev_read_rand(ssh_t)
+ dev_read_urand(ssh_t)
+
+ fs_getattr_all_fs(ssh_t)
+@@ -156,38 +175,42 @@ logging_read_generic_logs(ssh_t)
+
+ auth_use_nsswitch(ssh_t)
+
+-miscfiles_read_localization(ssh_t)
++miscfiles_read_generic_certs(ssh_t)
+
+ seutil_read_config(ssh_t)
+
+ userdom_dontaudit_list_user_home_dirs(ssh_t)
+ userdom_search_user_home_dirs(ssh_t)
++userdom_search_admin_dir(ssh_t)
+ # Write to the user domain tty.
+-userdom_use_user_terminals(ssh_t)
+-# needs to read krb tgt
++userdom_use_inherited_user_terminals(ssh_t)
++# needs to read krb/write tgt
+ userdom_read_user_tmp_files(ssh_t)
+-
+-tunable_policy(`allow_ssh_keysign',`
+- domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+- allow ssh_keysign_t ssh_t:fd use;
+- allow ssh_keysign_t ssh_t:process sigchld;
+- allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
++userdom_write_user_tmp_files(ssh_t)
++userdom_read_user_home_content_symlinks(ssh_t)
++userdom_rw_inherited_user_home_content_files(ssh_t)
++userdom_read_home_certs(ssh_t)
++userdom_home_manager(ssh_t)
++
++tunable_policy(`ssh_keysign',`
++ domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(ssh_t)
+- fs_manage_nfs_files(ssh_t)
++# for port forwarding
++tunable_policy(`selinuxuser_tcp_server',`
++ corenet_tcp_bind_ssh_port(ssh_t)
++ corenet_tcp_bind_generic_node(ssh_t)
++ corenet_tcp_bind_all_unreserved_ports(ssh_t)
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(ssh_t)
+- fs_manage_cifs_files(ssh_t)
++ifdef(`enable_mcs',`
++ optional_policy(`
++ condor_startd_ranged_domtrans_to(sshd_t, sshd_exec_t, mcs_systemlow - mcs_systemhigh)
++ ')
+ ')
+
+-# for port forwarding
+-tunable_policy(`user_tcp_server',`
+- corenet_tcp_bind_ssh_port(ssh_t)
+- corenet_tcp_bind_generic_node(ssh_t)
++optional_policy(`
++ gnome_stream_connect_gkeyringd(ssh_t)
+ ')
+
+ optional_policy(`
+@@ -195,28 +218,24 @@ optional_policy(`
+ xserver_domtrans_xauth(ssh_t)
+ ')
+
++
+ ##############################
+ #
+ # ssh_keysign_t local policy
+ #
+
+-tunable_policy(`allow_ssh_keysign',`
++tunable_policy(`ssh_keysign',`
+ allow ssh_keysign_t self:capability { setgid setuid };
+ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+
+- allow ssh_keysign_t sshd_key_t:file { getattr read };
++ allow ssh_keysign_t sshd_key_t:file read_file_perms;
+
++ dev_read_rand(ssh_keysign_t)
+ dev_read_urand(ssh_keysign_t)
+
+ files_read_etc_files(ssh_keysign_t)
+ ')
+
+-optional_policy(`
+- tunable_policy(`allow_ssh_keysign',`
+- nscd_socket_use(ssh_keysign_t)
+- ')
+-')
+-
+ #################################
+ #
+ # sshd local policy
+@@ -227,33 +246,50 @@ optional_policy(`
+ # so a tunnel can point to another ssh tunnel
+ allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow sshd_t self:key { search link write };
+-
+-manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+-manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+-manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+-files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
++allow sshd_t self:process setcurrent;
+
+ kernel_search_key(sshd_t)
+ kernel_link_key(sshd_t)
+
++files_search_all(sshd_t)
++
+ term_use_all_ptys(sshd_t)
+ term_setattr_all_ptys(sshd_t)
++term_setattr_all_ttys(sshd_t)
+ term_relabelto_all_ptys(sshd_t)
++term_use_ptmx(sshd_t)
+
+ # for X forwarding
+ corenet_tcp_bind_xserver_port(sshd_t)
+ corenet_sendrecv_xserver_server_packets(sshd_t)
+
++auth_exec_login_program(sshd_t)
++
++userdom_read_user_home_content_files(sshd_t)
++userdom_read_user_home_content_symlinks(sshd_t)
++userdom_manage_tmp_role(system_r, sshd_t)
++userdom_spec_domtrans_unpriv_users(sshd_t)
++userdom_signal_unpriv_users(sshd_t)
++userdom_dyntransition_unpriv_users(sshd_t)
++userdom_dyntransition_admin_users(sshd_t)
++
+ tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
+ # display the tty.
+ # some versions of sshd on the new SE Linux require setattr
+- userdom_spec_domtrans_all_users(sshd_t)
+ userdom_signal_all_users(sshd_t)
+-',`
+- userdom_spec_domtrans_unpriv_users(sshd_t)
+- userdom_signal_unpriv_users(sshd_t)
++ userdom_spec_domtrans_all_users(sshd_t)
++')
++
++optional_policy(`
++ amanda_search_var_lib(sshd_t)
++')
++
++optional_policy(`
++ condor_rw_lib_files(sshd_t)
++ condor_rw_tcp_sockets_startd(sshd_t)
++ condor_rw_tcp_sockets_schedd(sshd_t)
+ ')
+
+ optional_policy(`
+@@ -261,11 +297,24 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ kerberos_keytab_template(sshd, sshd_t)
++')
++
++optional_policy(`
++ ftp_dyntrans_sftpd(sshd_t)
++ ftp_dyntrans_anon_sftpd(sshd_t)
++')
++
++optional_policy(`
++ gitosis_manage_lib_files(sshd_t)
++')
++
++optional_policy(`
+ inetd_tcp_service_domain(sshd_t, sshd_exec_t)
+ ')
+
+ optional_policy(`
+- kerberos_keytab_template(sshd, sshd_t)
++ nx_read_home_files(sshd_t)
+ ')
+
+ optional_policy(`
+@@ -273,6 +322,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ munin_read_var_lib_files(sshd_t)
++')
++
++optional_policy(`
+ rpm_use_script_fds(sshd_t)
+ ')
+
+@@ -283,6 +336,28 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_exec_systemctl(sshd_t)
++')
++
++optional_policy(`
++ usermanage_domtrans_passwd(sshd_t)
++ usermanage_read_crack_db(sshd_t)
++')
++
++optional_policy(`
++ openshift_dyntransition(sshd_t)
++ openshift_transition(sshd_t)
++ openshift_manage_tmp_files(sshd_t)
++ openshift_manage_tmp_sockets(sshd_t)
++ openshift_mounton_tmp(sshd_t)
++ openshift_search_lib(sshd_t)
++')
++
++optional_policy(`
++ postgresql_search_db(sshd_t)
++')
++
++optional_policy(`
+ unconfined_shell_domtrans(sshd_t)
+ ')
+
+@@ -290,6 +365,29 @@ optional_policy(`
+ xserver_domtrans_xauth(sshd_t)
+ ')
+
++ifdef(`TODO',`
++ tunable_policy(`ssh_sysadm_login',`
++ # Relabel and access ptys created by sshd
++ # ioctl is necessary for logout() processing for utmp entry and for w to
++ # display the tty.
++ # some versions of sshd on the new SE Linux require setattr
++ allow sshd_t ptyfile:chr_file relabelto;
++
++ optional_policy(`
++ domain_trans(sshd_t, xauth_exec_t, userdomain)
++ ')
++ ',`
++ optional_policy(`
++ domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
++ ')
++ # Relabel and access ptys created by sshd
++ # ioctl is necessary for logout() processing for utmp entry and for w to
++ # display the tty.
++ # some versions of sshd on the new SE Linux require setattr
++ allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
++ ')
++') dnl endif TODO
++
+ ########################################
+ #
+ # ssh_keygen local policy
+@@ -298,19 +396,26 @@ optional_policy(`
+ # ssh_keygen_t is the type of the ssh-keygen program when run at install time
+ # and by sysadm_t
+
++allow ssh_keygen_t self:capability dac_override;
+ dontaudit ssh_keygen_t self:capability sys_tty_config;
+ allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
+-
+ allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow ssh_keygen_t sshd_key_t:file manage_file_perms;
+ files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+
++manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
++userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
++
++kernel_read_system_state(ssh_keygen_t)
+ kernel_read_kernel_sysctls(ssh_keygen_t)
+
+ fs_search_auto_mountpoints(ssh_keygen_t)
+
+ dev_read_sysfs(ssh_keygen_t)
++dev_read_rand(ssh_keygen_t)
+ dev_read_urand(ssh_keygen_t)
+
+ term_dontaudit_use_console(ssh_keygen_t)
+@@ -327,9 +432,11 @@ auth_use_nsswitch(ssh_keygen_t)
+ logging_send_syslog_msg(ssh_keygen_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
++userdom_use_user_terminals(ssh_keygen_t)
+
+-optional_policy(`
+- nscd_socket_use(ssh_keygen_t)
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_files(ssh_keygen_t)
++ fs_manage_nfs_dirs(ssh_keygen_t)
+ ')
+
+ optional_policy(`
+@@ -339,3 +446,121 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(ssh_keygen_t)
+ ')
++
++####################################
++#
++# ssh_dyntransition domain local policy
++#
++
++allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
++
++allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
++
++optional_policy(`
++ ssh_rw_stream_sockets(ssh_dyntransition_domain)
++ ssh_rw_tcp_sockets(ssh_dyntransition_domain)
++')
++
++#####################################
++#
++# ssh_sandbox local policy
++#
++
++allow sshd_t sshd_sandbox_t:process signal;
++
++init_ioctl_stream_sockets(sshd_sandbox_t)
++
++logging_send_audit_msgs(sshd_sandbox_t)
++
++######################################
++#
++# chroot_user_t local policy
++#
++allow chroot_user_t self:unix_dgram_socket create_socket_perms;
++
++corecmd_exec_shell(chroot_user_t)
++
++term_search_ptys(chroot_user_t)
++term_use_ptmx(chroot_user_t)
++
++userdom_read_user_home_content_files(chroot_user_t)
++userdom_read_inherited_user_home_content_files(chroot_user_t)
++userdom_read_user_home_content_symlinks(chroot_user_t)
++userdom_exec_user_home_content_files(chroot_user_t)
++userdom_use_inherited_user_ptys(chroot_user_t)
++
++tunable_policy(`ssh_chroot_rw_homedirs',`
++ files_list_home(chroot_user_t)
++ userdom_read_user_home_content_files(chroot_user_t)
++ userdom_manage_user_home_content(chroot_user_t)
++', `
++
++ userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })
++')
++
++tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(chroot_user_t)
++ fs_manage_nfs_files(chroot_user_t)
++ fs_manage_nfs_symlinks(chroot_user_t)
++')
++
++tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',`
++ fs_manage_cifs_dirs(chroot_user_t)
++ fs_manage_cifs_files(chroot_user_t)
++ fs_manage_cifs_symlinks(chroot_user_t)
++')
++
++tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',`
++ fs_manage_fusefs_dirs(chroot_user_t)
++ fs_manage_fusefs_files(chroot_user_t)
++ fs_manage_fusefs_symlinks(chroot_user_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(chroot_user_t)
++ fs_read_cifs_symlinks(chroot_user_t)
++')
++
++userdom_home_manager(chroot_user_t)
++
++optional_policy(`
++ ssh_rw_dgram_sockets(chroot_user_t)
++')
++
++######################################
++#
++# ssh_agent_type common policy local policy
++#
++allow ssh_agent_type self:process setrlimit;
++allow ssh_agent_type self:capability setgid;
++
++manage_dirs_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t)
++manage_sock_files_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t)
++files_tmp_filetrans(ssh_agent_type, ssh_agent_tmp_t, { dir sock_file })
++
++kernel_read_kernel_sysctls(ssh_agent_type)
++
++dev_read_urand(ssh_agent_type)
++dev_read_rand(ssh_agent_type)
++
++fs_search_auto_mountpoints(ssh_agent_type)
++
++domain_use_interactive_fds(ssh_agent_type)
++
++files_read_etc_files(ssh_agent_type)
++files_read_etc_runtime_files(ssh_agent_type)
++
++libs_read_lib_files(ssh_agent_type)
++
++miscfiles_read_generic_certs(ssh_agent_type)
++
++# Write to the user domain tty.
++userdom_use_inherited_user_terminals(ssh_agent_type)
++
++# for the transition back to normal privs upon exec
++userdom_search_user_home_content(ssh_agent_type)
++
++optional_policy(`
++ xserver_use_xdm_fds(ssh_agent_type)
++ xserver_rw_xdm_pipes(ssh_agent_type)
++')
+diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
+index fc86b7c..ba6be42 100644
+--- a/policy/modules/services/xserver.fc
++++ b/policy/modules/services/xserver.fc
+@@ -2,13 +2,35 @@
+ # HOME_DIR
+ #
+ HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
++HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
+ HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
++HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
+ HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
+ HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
++HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+ HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+ HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
++HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
++HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
++
++/root/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
++/root/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
++/root/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
++/root/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
++/root/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
++/root/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
++/root/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
++/root/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
++/root/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/root/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/root/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
++/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+
+ #
+ # /dev
+@@ -24,11 +46,18 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
+ /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
+
++/etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0)
++/etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/[mg]dm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/[mg]dm/PostSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/[mg]dm/PreSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++
+ /etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
+
++/etc/opt/VirtualGL(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
+ /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
+@@ -46,23 +75,25 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ # /tmp
+ #
+
+-/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.ICE-unix/.* -s <>
+-/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
+-/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.X11-unix/.* -s <>
++/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
+
+ #
+ # /usr
+ #
+
++/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/(s)?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+ /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
++/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
+ /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
+ /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
+
+@@ -90,24 +121,47 @@ ifndef(`distro_debian',`
+ /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+
+ /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
++/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
++
++/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+
+-/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+-/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+-/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/slim\.log -- gen_context(system_u:object_r:xdm_log_t,s0)
+ /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
++
++/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
+
++/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+-/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
++/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
++/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
++/var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++
+ ifdef(`distro_suse',`
+ /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ ')
++
++/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++
+diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
+index 130ced9..a75282a 100644
+--- a/policy/modules/services/xserver.if
++++ b/policy/modules/services/xserver.if
+@@ -19,9 +19,10 @@
+ interface(`xserver_restricted_role',`
+ gen_require(`
+ type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
+- type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
++ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t;
+ type iceauth_t, iceauth_exec_t, iceauth_home_t;
+ type xauth_t, xauth_exec_t, xauth_home_t;
++ class dbus send_msg;
+ ')
+
+ role $1 types { xserver_t xauth_t iceauth_t };
+@@ -30,12 +31,13 @@ interface(`xserver_restricted_role',`
+ allow xserver_t $2:fd use;
+ allow xserver_t $2:shm rw_shm_perms;
+
+- allow xserver_t $2:process signal;
++ allow xserver_t $2:process { getpgid signal };
+
+ allow xserver_t $2:shm rw_shm_perms;
+
+ allow $2 user_fonts_t:dir list_dir_perms;
+ allow $2 user_fonts_t:file read_file_perms;
++ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
+
+ allow $2 user_fonts_config_t:dir list_dir_perms;
+ allow $2 user_fonts_config_t:file read_file_perms;
+@@ -44,6 +46,8 @@ interface(`xserver_restricted_role',`
+ manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+
+ stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
++ allow $2 xserver_tmp_t:sock_file delete_sock_file_perms;
++ dontaudit $2 xdm_tmp_t:sock_file setattr_sock_file_perms;
+ files_search_tmp($2)
+
+ # Communicate via System V shared memory.
+@@ -69,17 +73,21 @@ interface(`xserver_restricted_role',`
+
+ # for when /tmp/.X11-unix is created by the system
+ allow $2 xdm_t:fd use;
+- allow $2 xdm_t:fifo_file { getattr read write ioctl };
+- allow $2 xdm_tmp_t:dir search;
+- allow $2 xdm_tmp_t:sock_file { read write };
++ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
++ allow $2 xdm_tmp_t:dir search_dir_perms;
++ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
+ dontaudit $2 xdm_t:tcp_socket { read write };
++ dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
++
++ allow $2 xdm_t:dbus send_msg;
++ allow xdm_t $2:dbus send_msg;
+
+ # Client read xserver shm
+ allow $2 xserver_t:fd use;
+ allow $2 xserver_tmpfs_t:file read_file_perms;
+
+ # Read /tmp/.X0-lock
+- allow $2 xserver_tmp_t:file { getattr read };
++ allow $2 xserver_tmp_t:file read_inherited_file_perms;
+
+ dev_rw_xserver_misc($2)
+ dev_rw_power_management($2)
+@@ -88,15 +96,17 @@ interface(`xserver_restricted_role',`
+ dev_write_misc($2)
+ # open office is looking for the following
+ dev_getattr_agp_dev($2)
+- dev_dontaudit_rw_dri($2)
++
+ # GNOME checks for usb and other devices:
+ dev_rw_usbfs($2)
+
+ miscfiles_read_fonts($2)
++ miscfiles_setattr_fonts_cache_dirs($2)
++ miscfiles_read_hwdata($2)
+
+ xserver_common_x_domain_template(user, $2)
+ xserver_domtrans($2)
+- xserver_unconfined($2)
++ #xserver_unconfined($2)
+ xserver_xsession_entry_type($2)
+ xserver_dontaudit_write_log($2)
+ xserver_stream_connect_xdm($2)
+@@ -106,12 +116,26 @@ interface(`xserver_restricted_role',`
+ xserver_create_xdm_tmp_sockets($2)
+ # Needed for escd, remove if we get escd policy
+ xserver_manage_xdm_tmp_files($2)
++ xserver_read_xdm_etc_files($2)
++ xserver_xdm_append_log($2)
++
++ term_use_virtio_console($2)
++
++ modutils_run_insmod(xserver_t, $1)
+
+ # Client write xserver shm
+- tunable_policy(`allow_write_xshm',`
++ tunable_policy(`xserver_clients_write_xshm',`
+ allow $2 xserver_t:shm rw_shm_perms;
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+ ')
++
++ tunable_policy(`selinuxuser_direct_dri_enabled',`
++ dev_rw_dri($2)
++ ')
++
++ optional_policy(`
++ gnome_read_gconf_config($2)
++ ')
+ ')
+
+ ########################################
+@@ -143,13 +167,15 @@ interface(`xserver_role',`
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+
+ allow $2 iceauth_home_t:file manage_file_perms;
+- allow $2 iceauth_home_t:file { relabelfrom relabelto };
++ allow $2 iceauth_home_t:file relabel_file_perms;
+
+ allow $2 xauth_home_t:file manage_file_perms;
+- allow $2 xauth_home_t:file { relabelfrom relabelto };
++ allow $2 xauth_home_t:file relabel_file_perms;
+
++ mls_xwin_read_to_clearance($2)
+ manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
+ manage_files_pattern($2, user_fonts_t, user_fonts_t)
++ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
+ relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
+ relabel_files_pattern($2, user_fonts_t, user_fonts_t)
+
+@@ -162,7 +188,6 @@ interface(`xserver_role',`
+ manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+-
+ ')
+
+ #######################################
+@@ -197,7 +222,7 @@ interface(`xserver_ro_session',`
+ allow $1 xserver_t:process signal;
+
+ # Read /tmp/.X0-lock
+- allow $1 xserver_tmp_t:file { getattr read };
++ allow $1 xserver_tmp_t:file read_file_perms;
+
+ # Client read xserver shm
+ allow $1 xserver_t:fd use;
+@@ -227,7 +252,7 @@ interface(`xserver_rw_session',`
+ type xserver_t, xserver_tmpfs_t;
+ ')
+
+- xserver_ro_session($1,$2)
++ xserver_ro_session($1, $2)
+ allow $1 xserver_t:shm rw_shm_perms;
+ allow $1 xserver_tmpfs_t:file rw_file_perms;
+ ')
+@@ -255,7 +280,7 @@ interface(`xserver_non_drawing_client',`
+
+ allow $1 self:x_gc { create setattr };
+
+- allow $1 xdm_var_run_t:dir search;
++ allow $1 xdm_var_run_t:dir search_dir_perms;
+ allow $1 xserver_t:unix_stream_socket connectto;
+
+ allow $1 xextension_t:x_extension { query use };
+@@ -291,13 +316,13 @@ interface(`xserver_user_client',`
+ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
+
+ # Read .Xauthority file
+- allow $1 xauth_home_t:file { getattr read };
+- allow $1 iceauth_home_t:file { getattr read };
++ allow $1 xauth_home_t:file read_file_perms;
++ allow $1 iceauth_home_t:file read_file_perms;
+
+ # for when /tmp/.X11-unix is created by the system
+ allow $1 xdm_t:fd use;
+- allow $1 xdm_t:fifo_file { getattr read write ioctl };
+- allow $1 xdm_tmp_t:dir search;
++ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
++ allow $1 xdm_tmp_t:dir search_dir_perms;
+ allow $1 xdm_tmp_t:sock_file { read write };
+ dontaudit $1 xdm_t:tcp_socket { read write };
+
+@@ -316,7 +341,7 @@ interface(`xserver_user_client',`
+ xserver_read_xdm_tmp_files($1)
+
+ # Client write xserver shm
+- tunable_policy(`allow_write_xshm',`
++ tunable_policy(`xserver_clients_write_xshm',`
+ allow $1 xserver_t:shm rw_shm_perms;
+ allow $1 xserver_tmpfs_t:file rw_file_perms;
+ ')
+@@ -342,19 +367,23 @@ interface(`xserver_user_client',`
+ #
+ template(`xserver_common_x_domain_template',`
+ gen_require(`
+- type root_xdrawable_t;
++ type root_xdrawable_t, xdm_t, xserver_t;
+ type xproperty_t, $1_xproperty_t;
+ type xevent_t, client_xevent_t;
+ type input_xevent_t, $1_input_xevent_t;
+
+- attribute x_domain;
++ attribute x_domain, input_xevent_type;
+ attribute xdrawable_type, xcolormap_type;
+- attribute input_xevent_type;
+
+ class x_drawable all_x_drawable_perms;
+ class x_property all_x_property_perms;
+ class x_event all_x_event_perms;
+ class x_synthetic_event all_x_synthetic_event_perms;
++ class x_client destroy;
++ class x_server manage;
++ class x_screen { saver_setattr saver_hide saver_show };
++ class x_pointer { get_property set_property manage };
++ class x_keyboard { read manage };
+ ')
+
+ ##############################
+@@ -386,6 +415,15 @@ template(`xserver_common_x_domain_template',`
+ allow $2 xevent_t:{ x_event x_synthetic_event } receive;
+ # dont audit send failures
+ dontaudit $2 input_xevent_type:x_event send;
++
++ allow $2 xdm_t:x_drawable { hide read add_child manage };
++ allow $2 xdm_t:x_client destroy;
++
++ allow $2 root_xdrawable_t:x_drawable write;
++ allow $2 xserver_t:x_server manage;
++ allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show };
++ allow $2 xserver_t:x_pointer { get_property set_property manage };
++ allow $2 xserver_t:x_keyboard { read manage };
+ ')
+
+ #######################################
+@@ -444,8 +482,9 @@ template(`xserver_object_types_template',`
+ #
+ template(`xserver_user_x_domain_template',`
+ gen_require(`
+- type xdm_t, xdm_tmp_t;
+- type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
++ type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
++ type xdm_home_t;
++ type xauth_home_t, iceauth_home_t, xserver_t;
+ ')
+
+ allow $2 self:shm create_shm_perms;
+@@ -456,11 +495,24 @@ template(`xserver_user_x_domain_template',`
+ allow $2 xauth_home_t:file read_file_perms;
+ allow $2 iceauth_home_t:file read_file_perms;
+
++ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".DCOP")
++ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority")
++ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-c")
++ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-n")
++ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority")
++ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-l")
++ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c")
++ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped.old")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc")
++
+ # for when /tmp/.X11-unix is created by the system
+ allow $2 xdm_t:fd use;
+- allow $2 xdm_t:fifo_file { getattr read write ioctl };
++ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $2 xdm_tmp_t:dir search_dir_perms;
+- allow $2 xdm_tmp_t:sock_file { read write };
++ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
+ dontaudit $2 xdm_t:tcp_socket { read write };
+
+ # Allow connections to X server.
+@@ -472,20 +524,26 @@ template(`xserver_user_x_domain_template',`
+ # for .xsession-errors
+ userdom_dontaudit_write_user_home_content_files($2)
+
+- xserver_ro_session($2,$3)
++ xserver_ro_session($2, $3)
+ xserver_use_user_fonts($2)
+
+ xserver_read_xdm_tmp_files($2)
++ xserver_read_xdm_pid($2)
++ xserver_xdm_append_log($2)
+
+ # X object manager
+ xserver_object_types_template($1)
+- xserver_common_x_domain_template($1,$2)
++ xserver_common_x_domain_template($1, $2)
+
+ # Client write xserver shm
+- tunable_policy(`allow_write_xshm',`
++ tunable_policy(`xserver_clients_write_xshm',`
+ allow $2 xserver_t:shm rw_shm_perms;
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+ ')
++
++ tunable_policy(`selinuxuser_direct_dri_enabled',`
++ dev_rw_dri($2)
++ ')
+ ')
+
+ ########################################
+@@ -517,6 +575,7 @@ interface(`xserver_use_user_fonts',`
+ # Read per user fonts
+ allow $1 user_fonts_t:dir list_dir_perms;
+ allow $1 user_fonts_t:file read_file_perms;
++ allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
+
+ # Manipulate the global font cache
+ manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+@@ -547,6 +606,42 @@ interface(`xserver_domtrans_xauth',`
+ domtrans_pattern($1, xauth_exec_t, xauth_t)
+ ')
+
++######################################
++##
++## Allow exec of Xauthority program..
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`xserver_exec_xauth',`
++ gen_require(`
++ type xauth_t, xauth_exec_t;
++ ')
++
++ can_exec($1, xauth_exec_t)
++')
++
++########################################
++##
++## Dontaudit exec of Xauthority program.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_exec_xauth',`
++ gen_require(`
++ type xauth_exec_t;
++ ')
++
++ dontaudit $1 xauth_exec_t:file execute;
++')
++
+ ########################################
+ ##
+ ## Create a Xauthority file in the user home directory.
+@@ -598,6 +693,7 @@ interface(`xserver_read_user_xauth',`
+
+ allow $1 xauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
++ xserver_read_xdm_pid($1)
+ ')
+
+ ########################################
+@@ -615,7 +711,7 @@ interface(`xserver_setattr_console_pipes',`
+ type xconsole_device_t;
+ ')
+
+- allow $1 xconsole_device_t:fifo_file setattr;
++ allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -638,6 +734,25 @@ interface(`xserver_rw_console',`
+
+ ########################################
+ ##
++## Read XDM state files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_state_xdm',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, xdm_t)
++')
++
++########################################
++##
+ ## Use file descriptors for xdm.
+ ##
+ ##
+@@ -651,7 +766,7 @@ interface(`xserver_use_xdm_fds',`
+ type xdm_t;
+ ')
+
+- allow $1 xdm_t:fd use;
++ allow $1 xdm_t:fd use;
+ ')
+
+ ########################################
+@@ -670,7 +785,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+ type xdm_t;
+ ')
+
+- dontaudit $1 xdm_t:fd use;
++ dontaudit $1 xdm_t:fd use;
+ ')
+
+ ########################################
+@@ -688,7 +803,7 @@ interface(`xserver_rw_xdm_pipes',`
+ type xdm_t;
+ ')
+
+- allow $1 xdm_t:fifo_file { getattr read write };
++ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -703,12 +818,11 @@ interface(`xserver_rw_xdm_pipes',`
+ ##
+ #
+ interface(`xserver_dontaudit_rw_xdm_pipes',`
+-
+ gen_require(`
+ type xdm_t;
+ ')
+
+- dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -724,11 +838,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+ #
+ interface(`xserver_stream_connect_xdm',`
+ gen_require(`
+- type xdm_t, xdm_tmp_t;
++ type xdm_t, xdm_tmp_t, xdm_var_run_t;
+ ')
+
+ files_search_tmp($1)
+- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
++ files_search_pids($1)
++ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
++')
++
++########################################
++##
++## Read XDM files in user home directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_xdm_home_files',`
++ gen_require(`
++ type xdm_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 xdm_home_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -752,6 +886,25 @@ interface(`xserver_read_xdm_rw_config',`
+
+ ########################################
+ ##
++## Search XDM temporary directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_search_xdm_tmp_dirs',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 xdm_tmp_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Set the attributes of XDM temporary directories.
+ ##
+ ##
+@@ -765,7 +918,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+ type xdm_tmp_t;
+ ')
+
+- allow $1 xdm_tmp_t:dir setattr;
++ allow $1 xdm_tmp_t:dir setattr_dir_perms;
++')
++
++########################################
++##
++## Dont audit attempts to set the attributes of XDM temporary directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_xdm_tmp_dirs',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -805,7 +976,26 @@ interface(`xserver_read_xdm_pid',`
+ ')
+
+ files_search_pids($1)
+- allow $1 xdm_var_run_t:file read_file_perms;
++ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
++')
++
++######################################
++##
++## Dontaudit Read XDM pid files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_read_xdm_pid',`
++ gen_require(`
++ type xdm_var_run_t;
++ ')
++
++ dontaudit $1 xdm_var_run_t:dir search_dir_perms;
++ dontaudit $1 xdm_var_run_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -828,6 +1018,24 @@ interface(`xserver_read_xdm_lib_files',`
+
+ ########################################
+ ##
++## Read inherited XDM var lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_inherited_xdm_lib_files',`
++ gen_require(`
++ type xdm_var_lib_t;
++ ')
++
++ allow $1 xdm_var_lib_t:file read_inherited_file_perms;
++')
++
++########################################
++##
+ ## Make an X session script an entrypoint for the specified domain.
+ ##
+ ##
+@@ -897,7 +1105,26 @@ interface(`xserver_getattr_log',`
+ ')
+
+ logging_search_logs($1)
+- allow $1 xserver_log_t:file getattr;
++ allow $1 xserver_log_t:file getattr_file_perms;
++')
++
++#######################################
++##
++## Allow domain to read X server logs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_log',`
++ gen_require(`
++ type xserver_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 xserver_log_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -916,7 +1143,7 @@ interface(`xserver_dontaudit_write_log',`
+ type xserver_log_t;
+ ')
+
+- dontaudit $1 xserver_log_t:file { append write };
++ dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -963,6 +1190,45 @@ interface(`xserver_read_xkb_libs',`
+
+ ########################################
+ ##
++## Read xdm config files.
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_read_xdm_etc_files',`
++ gen_require(`
++ type xdm_etc_t;
++ ')
++
++ files_search_etc($1)
++ read_files_pattern($1, xdm_etc_t, xdm_etc_t)
++ read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
++')
++
++########################################
++##
++## Manage xdm config files.
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_manage_xdm_etc_files',`
++ gen_require(`
++ type xdm_etc_t;
++ ')
++
++ files_search_etc($1)
++ manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
++')
++
++########################################
++##
+ ## Read xdm temporary files.
+ ##
+ ##
+@@ -976,7 +1242,7 @@ interface(`xserver_read_xdm_tmp_files',`
+ type xdm_tmp_t;
+ ')
+
+- files_search_tmp($1)
++ files_search_tmp($1)
+ read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+ ')
+
+@@ -1038,6 +1304,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+
+ ########################################
+ ##
++## Create, read, write, and delete xdm temporary dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_relabel_xdm_tmp_dirs',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ allow $1 xdm_tmp_t:dir relabel_dir_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete xdm temporary dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_manage_xdm_tmp_dirs',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
++')
++
++########################################
++##
+ ## Do not audit attempts to get the attributes of
+ ## xdm temporary named sockets.
+ ##
+@@ -1052,7 +1354,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ type xdm_tmp_t;
+ ')
+
+- dontaudit $1 xdm_tmp_t:sock_file getattr;
++ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
+ ')
+
+ ########################################
+@@ -1070,8 +1372,10 @@ interface(`xserver_domtrans',`
+ type xserver_t, xserver_exec_t;
+ ')
+
+- allow $1 xserver_t:process siginh;
++ allow $1 xserver_t:process siginh;
+ domtrans_pattern($1, xserver_exec_t, xserver_t)
++
++ allow xserver_t $1:process getpgid;
+ ')
+
+ ########################################
+@@ -1185,6 +1489,26 @@ interface(`xserver_stream_connect',`
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
++ allow xserver_t $1:shm rw_shm_perms;
++')
++
++######################################
++##
++## Dontaudit attempts to connect to xserver
++## over a unix stream socket.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_stream_connect',`
++ gen_require(`
++ type xserver_t, xserver_tmp_t;
++ ')
++
++ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ ')
+
+ ########################################
+@@ -1210,7 +1534,7 @@ interface(`xserver_read_tmp_files',`
+ ##
+ ## Interface to provide X object permissions on a given X server to
+ ## an X client domain. Gives the domain permission to read the
+-## virtual core keyboard and virtual core pointer devices.
++## virtual core keyboard and virtual core pointer devices.
+ ##
+ ##
+ ##
+@@ -1220,13 +1544,23 @@ interface(`xserver_read_tmp_files',`
+ #
+ interface(`xserver_manage_core_devices',`
+ gen_require(`
+- type xserver_t;
++ type xserver_t, root_xdrawable_t;
+ class x_device all_x_device_perms;
+ class x_pointer all_x_pointer_perms;
+ class x_keyboard all_x_keyboard_perms;
++ class x_screen all_x_screen_perms;
++ class x_drawable { manage };
++ attribute x_domain;
++ class x_drawable { read manage setattr show };
++ class x_resource { write read };
+ ')
+
+ allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
++ allow $1 xserver_t:{ x_screen } setattr;
++
++ allow $1 x_domain:x_drawable { read manage setattr show };
++ allow $1 x_domain:x_resource { write read };
++ allow $1 root_xdrawable_t:x_drawable { manage read };
+ ')
+
+ ########################################
+@@ -1243,10 +1577,541 @@ interface(`xserver_manage_core_devices',`
+ #
+ interface(`xserver_unconfined',`
+ gen_require(`
+- attribute x_domain;
+- attribute xserver_unconfined_type;
++ attribute x_domain, xserver_unconfined_type;
+ ')
+
+ typeattribute $1 x_domain;
+ typeattribute $1 xserver_unconfined_type;
+ ')
++
++########################################
++##
++## Dontaudit append to .xsession-errors file
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_dontaudit_append_xdm_home_files',`
++ gen_require(`
++ type xdm_home_t;
++ ')
++
++ dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
++
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_dontaudit_rw_nfs_files($1)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_dontaudit_rw_cifs_files($1)
++ ')
++')
++
++########################################
++##
++## append to .xsession-errors file
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_append_xdm_home_files',`
++ gen_require(`
++ type xdm_home_t, xserver_tmp_t;
++ ')
++
++ allow $1 xdm_home_t:file append_file_perms;
++ allow $1 xserver_tmp_t:file append_file_perms;
++
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_append_nfs_files($1)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_append_cifs_files($1)
++ ')
++')
++
++#######################################
++##
++## Allow search the xdm_spool files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_xdm_search_spool',`
++ gen_require(`
++ type xdm_spool_t;
++ ')
++
++ files_search_spool($1)
++ search_dirs_pattern($1, xdm_spool_t, xdm_spool_t)
++')
++
++######################################
++##
++## Allow read the xdm_spool files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_xdm_read_spool',`
++ gen_require(`
++ type xdm_spool_t;
++ ')
++
++ files_search_spool($1)
++ read_files_pattern($1, xdm_spool_t, xdm_spool_t)
++')
++
++########################################
++##
++## Manage the xdm_spool files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_xdm_manage_spool',`
++ gen_require(`
++ type xdm_spool_t;
++ ')
++
++ files_search_spool($1)
++ manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
++')
++
++########################################
++##
++## Send and receive messages from
++## xdm over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_dbus_chat_xdm',`
++ gen_require(`
++ type xdm_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 xdm_t:dbus send_msg;
++ allow xdm_t $1:dbus send_msg;
++')
++
++########################################
++##
++## Read xserver files created in /var/run
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_pid',`
++ gen_require(`
++ type xserver_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
++')
++
++########################################
++##
++## Execute xserver files created in /var/run
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_exec_pid',`
++ gen_require(`
++ type xserver_var_run_t;
++ ')
++
++ files_search_pids($1)
++ exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
++')
++
++########################################
++##
++## Write xserver files created in /var/run
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_write_pid',`
++ gen_require(`
++ type xserver_var_run_t;
++ ')
++
++ files_search_pids($1)
++ write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
++')
++
++########################################
++##
++## Allow append the xdm
++## log files.
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_xdm_append_log',`
++ gen_require(`
++ type xdm_log_t;
++ attribute xdmhomewriter;
++ ')
++
++ typeattribute $1 xdmhomewriter;
++ allow $1 xdm_log_t:file append_inherited_file_perms;
++')
++
++########################################
++##
++## Allow append the xdm
++## tmp files.
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_append_xdm_tmp_files',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ allow $1 xdm_tmp_t:file append_inherited_file_perms;
++')
++
++########################################
++##
++## Read a user Iceauthority domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_user_iceauth',`
++ gen_require(`
++ type iceauth_home_t;
++ ')
++
++ # Read .Iceauthority file
++ allow $1 iceauth_home_t:file read_file_perms;
++')
++
++########################################
++##
++## Read/write inherited user homedir fonts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_rw_inherited_user_fonts',`
++ gen_require(`
++ type user_fonts_t, user_fonts_config_t;
++ ')
++
++ allow $1 user_fonts_t:file rw_inherited_file_perms;
++ allow $1 user_fonts_t:file read_lnk_file_perms;
++
++ allow $1 user_fonts_config_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Search XDM var lib dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_search_xdm_lib',`
++ gen_require(`
++ type xdm_var_lib_t;
++ ')
++
++ allow $1 xdm_var_lib_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Make an X executable an entrypoint for the specified domain.
++##
++##
++##
++## The domain for which the shell is an entrypoint.
++##
++##
++#
++interface(`xserver_entry_type',`
++ gen_require(`
++ type xserver_exec_t;
++ ')
++
++ domain_entry_file($1, xserver_exec_t)
++')
++
++########################################
++##
++## Execute xsever in the xserver domain, and
++## allow the specified role the xserver domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the xserver domain.
++##
++##
++##
++#
++interface(`xserver_run',`
++ gen_require(`
++ type xserver_t;
++ ')
++
++ xserver_domtrans($1)
++ role $2 types xserver_t;
++')
++
++########################################
++##
++## Execute xsever in the xserver domain, and
++## allow the specified role the xserver domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the xserver domain.
++##
++##
++##
++#
++interface(`xserver_run_xauth',`
++ gen_require(`
++ type xauth_t;
++ ')
++
++ xserver_domtrans_xauth($1)
++ role $2 types xauth_t;
++')
++
++########################################
++##
++## Read user homedir fonts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`xserver_read_home_fonts',`
++ gen_require(`
++ type user_fonts_t, user_fonts_config_t;
++ ')
++
++ list_dirs_pattern($1, user_fonts_t, user_fonts_t)
++ read_files_pattern($1, user_fonts_t, user_fonts_t)
++ read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
++
++ read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
++')
++
++########################################
++##
++## Manage user fonts dir.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`xserver_manage_user_fonts_dir',`
++ gen_require(`
++ type user_fonts_t;
++ ')
++
++ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
++ files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
++')
++
++########################################
++##
++## Manage user homedir fonts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`xserver_manage_home_fonts',`
++ gen_require(`
++ type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
++ ')
++
++ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
++ manage_files_pattern($1, user_fonts_t, user_fonts_t)
++ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
++
++ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
++
++# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts.d")
++# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
++# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
++')
++
++########################################
++##
++## Transition to xserver named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_filetrans_home_content',`
++ gen_require(`
++ type xdm_home_t, xauth_home_t, iceauth_home_t;
++ type user_home_t, user_fonts_t, user_fonts_cache_t;
++ type user_fonts_config_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
++ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
++ userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
++ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
++ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
++ filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
++ files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
++')
++
++########################################
++##
++## Create xserver content in admin home
++## directory with a named file transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_filetrans_admin_home_content',`
++ gen_require(`
++ type xdm_home_t, xauth_home_t, iceauth_home_t;
++ type user_home_t, user_fonts_t, user_fonts_cache_t;
++ type user_fonts_config_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
++ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
++ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
++ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
++ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
++ userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
++ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
++ optional_policy(`
++ gnome_cache_filetrans($1, xdm_home_t, dir, "xdm")
++ ')
++')
++
++########################################
++##
++## Create objects in a xdm temporary directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`xserver_xdm_tmp_filetrans',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ filetrans_pattern($1, xdm_tmp_t, $2, $3, $4)
++ files_search_tmp($1)
++')
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index d40f750..9f53f97 100644
+--- a/policy/modules/services/xserver.te
++++ b/policy/modules/services/xserver.te
+@@ -26,27 +26,50 @@ gen_require(`
+ #
+
+ ##
+-##
+-## Allows clients to write to the X server shared
+-## memory segments.
+-##
++##
++## Allows clients to write to the X server shared
++## memory segments.
++##
++##
++gen_tunable(xserver_clients_write_xshm, false)
++
++##
++##
++## Allows XServer to execute writable memory
++##
+ ##
+-gen_tunable(allow_write_xshm, false)
++gen_tunable(xserver_execmem, false)
+
+ ##
+ ##
+-## Allow xdm logins as sysadm
++## Allow the graphical login program to execute bootloader
+ ##
+ ##
++gen_tunable(xdm_exec_bootloader, false)
++
++##
++##
++## Allow the graphical login program to login directly as sysadm_r:sysadm_t
++##
++##
+ gen_tunable(xdm_sysadm_login, false)
+
+ ##
+-##
+-## Support X userspace object manager
+-##
++##
++## Support X userspace object manager
++##
+ ##
+ gen_tunable(xserver_object_manager, false)
+
++##
++##
++## Allow regular users direct dri device access
++##
++##
++gen_tunable(selinuxuser_direct_dri_enabled, false)
++
++attribute xdmhomewriter;
++attribute x_userdomain;
+ attribute x_domain;
+
+ # X Events
+@@ -107,44 +130,54 @@ xserver_object_types_template(remote)
+ xserver_common_x_domain_template(remote, remote_t)
+
+ type user_fonts_t;
+-typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
++typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xfs_fonts_t };
+ typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
++typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
++typealias user_fonts_t alias xfs_tmp_t;
+ userdom_user_home_content(user_fonts_t)
++files_tmp_file(user_fonts_t)
+
+ type user_fonts_cache_t;
+ typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
+ typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
++typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t };
+ userdom_user_home_content(user_fonts_cache_t)
+
+ type user_fonts_config_t;
+ typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
+ typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
++typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t };
+ userdom_user_home_content(user_fonts_config_t)
+
+ type iceauth_t;
+ type iceauth_exec_t;
+ typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t };
++typealias iceauth_t alias { xguest_iceauth_t };
+ typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
+ userdom_user_application_domain(iceauth_t, iceauth_exec_t)
+
+ type iceauth_home_t;
+ typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
+ typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
++typealias iceauth_home_t alias { xguest_iceauth_home_t };
+ userdom_user_home_content(iceauth_home_t)
+
+ type xauth_t;
+ type xauth_exec_t;
+ typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
+ typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
++typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t };
+ userdom_user_application_domain(xauth_t, xauth_exec_t)
+
+ type xauth_home_t;
+ typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
+ typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
++typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t };
+ userdom_user_home_content(xauth_home_t)
+
+ type xauth_tmp_t;
+ typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
++typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t };
+ typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
+ userdom_user_tmp_file(xauth_tmp_t)
+
+@@ -154,19 +187,28 @@ files_type(xconsole_device_t)
+ fs_associate_tmpfs(xconsole_device_t)
+ files_associate_tmp(xconsole_device_t)
+
++type xdm_unconfined_exec_t;
++application_executable_file(xdm_unconfined_exec_t)
++
+ type xdm_t;
+ type xdm_exec_t;
+ auth_login_pgm_domain(xdm_t)
+ init_domain(xdm_t, xdm_exec_t)
+-init_daemon_domain(xdm_t, xdm_exec_t)
++init_system_domain(xdm_t, xdm_exec_t)
+ xserver_object_types_template(xdm)
+ xserver_common_x_domain_template(xdm, xdm_t)
+
+ type xdm_lock_t;
+ files_lock_file(xdm_lock_t)
+
++type xdm_etc_t;
++files_config_file(xdm_etc_t)
++
+ type xdm_rw_etc_t;
+-files_type(xdm_rw_etc_t)
++files_config_file(xdm_rw_etc_t)
++
++type xdm_spool_t;
++files_spool_file(xdm_spool_t)
+
+ type xdm_var_lib_t;
+ files_type(xdm_var_lib_t)
+@@ -174,13 +216,27 @@ files_type(xdm_var_lib_t)
+ type xdm_var_run_t;
+ files_pid_file(xdm_var_run_t)
+
++type xserver_var_lib_t;
++files_type(xserver_var_lib_t)
++
++type xserver_var_run_t;
++files_pid_file(xserver_var_run_t)
++
+ type xdm_tmp_t;
+ files_tmp_file(xdm_tmp_t)
+-typealias xdm_tmp_t alias ice_tmp_t;
++typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
++typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
++userdom_user_tmp_file(xserver_tmp_t)
+
+ type xdm_tmpfs_t;
+ files_tmpfs_file(xdm_tmpfs_t)
+
++type xdm_home_t;
++userdom_user_home_content(xdm_home_t)
++
++type xdm_log_t;
++logging_log_file(xdm_log_t)
++
+ # type for /var/lib/xkb
+ type xkb_var_lib_t;
+ files_type(xkb_var_lib_t)
+@@ -193,14 +249,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+ init_system_domain(xserver_t, xserver_exec_t)
+ ubac_constrained(xserver_t)
+
+-type xserver_tmp_t;
+-typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
+-typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
+-userdom_user_tmp_file(xserver_tmp_t)
+-
+ type xserver_tmpfs_t;
+-typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
+-typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
++typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
++typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
+ userdom_user_tmpfs_file(xserver_tmpfs_t)
+
+ type xsession_exec_t;
+@@ -229,17 +280,30 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+
+ allow xdm_t iceauth_home_t:file read_file_perms;
+
++dev_read_rand(iceauth_t)
++
+ fs_search_auto_mountpoints(iceauth_t)
+
+-userdom_use_user_terminals(iceauth_t)
++userdom_use_inherited_user_terminals(iceauth_t)
+ userdom_read_user_tmp_files(iceauth_t)
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files(iceauth_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files(iceauth_t)
++userdom_read_all_users_state(iceauth_t)
++userdom_home_manager(iceauth_t)
++
++ifdef(`hide_broken_symptoms',`
++ dev_dontaudit_read_urand(iceauth_t)
++ dev_dontaudit_rw_dri(iceauth_t)
++ dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
++ fs_dontaudit_list_inotifyfs(iceauth_t)
++ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
++ term_dontaudit_use_unallocated_ttys(iceauth_t)
++
++ userdom_dontaudit_read_user_home_content_files(iceauth_t)
++ userdom_dontaudit_write_user_home_content_files(iceauth_t)
++ userdom_dontaudit_write_user_tmp_files(iceauth_t)
++
++ optional_policy(`
++ mozilla_dontaudit_rw_user_home_files(iceauth_t)
++ ')
+ ')
+
+ ########################################
+@@ -247,45 +311,81 @@ tunable_policy(`use_samba_home_dirs',`
+ # Xauth local policy
+ #
+
++allow xauth_t self:capability dac_override;
+ allow xauth_t self:process signal;
++allow xauth_t self:shm create_shm_perms;
+ allow xauth_t self:unix_stream_socket create_stream_socket_perms;
++allow xauth_t self:unix_dgram_socket create_socket_perms;
++
++allow xauth_t xdm_t:process sigchld;
++allow xauth_t xserver_t:unix_stream_socket connectto;
++
++corenet_tcp_connect_xserver_port(xauth_t)
+
+ allow xauth_t xauth_home_t:file manage_file_perms;
+ userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
++userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)
++
++manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
++manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
+
+ manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
+ manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
+ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
+
+-allow xdm_t xauth_home_t:file manage_file_perms;
+-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
++stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+
++kernel_read_network_state(xauth_t)
++kernel_read_system_state(xauth_t)
+ kernel_request_load_module(xauth_t)
+
++dev_read_rand(xauth_t)
++dev_read_urand(xauth_t)
++
+ domain_use_interactive_fds(xauth_t)
++domain_dontaudit_leaks(xauth_t)
+
+ files_read_etc_files(xauth_t)
++files_read_usr_files(xauth_t)
+ files_search_pids(xauth_t)
++files_dontaudit_getattr_all_dirs(xauth_t)
++files_dontaudit_leaks(xauth_t)
++files_var_lib_filetrans(xauth_t, xauth_home_t, file)
+
+-fs_getattr_xattr_fs(xauth_t)
++fs_dontaudit_leaks(xauth_t)
++fs_getattr_all_fs(xauth_t)
+ fs_search_auto_mountpoints(xauth_t)
+
+-# cjp: why?
+-term_use_ptmx(xauth_t)
++# Probably a leak
++term_dontaudit_use_ptmx(xauth_t)
++term_dontaudit_use_console(xauth_t)
+
+ auth_use_nsswitch(xauth_t)
+
+-userdom_use_user_terminals(xauth_t)
++userdom_use_inherited_user_terminals(xauth_t)
+ userdom_read_user_tmp_files(xauth_t)
++userdom_read_all_users_state(xauth_t)
+
+ xserver_rw_xdm_tmp_files(xauth_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files(xauth_t)
++ifdef(`hide_broken_symptoms',`
++ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
++ fs_dontaudit_list_inotifyfs(xauth_t)
++ userdom_manage_user_home_content_files(xauth_t)
++ userdom_manage_user_tmp_files(xauth_t)
++ dev_dontaudit_rw_generic_dev_nodes(xauth_t)
++ miscfiles_read_fonts(xauth_t)
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files(xauth_t)
++userdom_home_manager(xauth_t)
++
++ifdef(`hide_broken_symptoms',`
++ term_dontaudit_use_unallocated_ttys(xauth_t)
++ dev_dontaudit_rw_dri(xauth_t)
++')
++
++optional_policy(`
++ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
+ ')
+
+ optional_policy(`
+@@ -299,64 +399,108 @@ optional_policy(`
+ # XDM Local policy
+ #
+
+-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
++allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
++allow xdm_t self:capability2 { block_suspend };
++dontaudit xdm_t self:capability sys_admin;
++tunable_policy(`deny_ptrace',`',`
++ allow xdm_t self:process ptrace;
++')
++
++allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
+ allow xdm_t self:fifo_file rw_fifo_file_perms;
+ allow xdm_t self:shm create_shm_perms;
+ allow xdm_t self:sem create_sem_perms;
+ allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+-allow xdm_t self:unix_dgram_socket create_socket_perms;
++allow xdm_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow xdm_t self:tcp_socket create_stream_socket_perms;
+ allow xdm_t self:udp_socket create_socket_perms;
++allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow xdm_t self:socket create_socket_perms;
+ allow xdm_t self:appletalk_socket create_socket_perms;
+ allow xdm_t self:key { search link write };
+
+-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
++allow xdm_t xauth_home_t:file manage_file_perms;
++
++allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
++manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
++manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
++
++manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t)
++manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
++userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
++userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, file)
++xserver_filetrans_home_content(xdm_t)
++xserver_filetrans_admin_home_content(xdm_t)
++
++#Handle mislabeled files in homedir
++userdom_delete_user_home_content_files(xdm_t)
++userdom_signull_unpriv_users(xdm_t)
++userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
+
+ # Allow gdm to run gdm-binary
+ can_exec(xdm_t, xdm_exec_t)
++can_exec(xdm_t, xsession_exec_t)
+
+ allow xdm_t xdm_lock_t:file manage_file_perms;
+ files_lock_filetrans(xdm_t, xdm_lock_t, file)
+
++read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
++read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
+ # wdm has its own config dir /etc/X11/wdm
+ # this is ugly, daemons should not create files under /etc!
+ manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
+
+ manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
++manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+ manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
++files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
++relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
++relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
++can_exec(xdm_t, xdm_tmp_t)
+
+ manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+-fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++
++manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
++
++files_search_spool(xdm_t)
++manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
++manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
++files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
+
+ manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+ manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+-files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
++manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
++manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
++files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
++# Read machine-id
++files_read_var_lib_files(xdm_t)
+
+ manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+ manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+ manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+-files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
++manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
++files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
+
+-allow xdm_t xserver_t:process signal;
++allow xdm_t xserver_t:process { signal signull };
+ allow xdm_t xserver_t:unix_stream_socket connectto;
+
+ allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
+-allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
++allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
+
+ # transition to the xdm xserver
+ domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
++
++ps_process_pattern(xserver_t, xdm_t)
+ allow xserver_t xdm_t:process signal;
+ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
+
+ allow xdm_t xserver_t:shm rw_shm_perms;
++read_files_pattern(xdm_t, xserver_t, xserver_t)
+
+ # connect to xdm xserver over stream socket
+ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +509,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
+ delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
+
++manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
++manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
++manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
++logging_log_filetrans(xdm_t, xdm_log_t, { dir file })
++
+ manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
+ manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
+ manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
+-logging_log_filetrans(xdm_t, xserver_log_t, file)
+
+ kernel_read_system_state(xdm_t)
++kernel_read_device_sysctls(xdm_t)
+ kernel_read_kernel_sysctls(xdm_t)
+ kernel_read_net_sysctls(xdm_t)
+ kernel_read_network_state(xdm_t)
++kernel_request_load_module(xdm_t)
++kernel_stream_connect(xdm_t)
+
+ corecmd_exec_shell(xdm_t)
+ corecmd_exec_bin(xdm_t)
++corecmd_dontaudit_access_all_executables(xdm_t)
+
+-corenet_all_recvfrom_unlabeled(xdm_t)
+ corenet_all_recvfrom_netlabel(xdm_t)
+ corenet_tcp_sendrecv_generic_if(xdm_t)
+ corenet_udp_sendrecv_generic_if(xdm_t)
+@@ -388,38 +539,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+ corenet_udp_sendrecv_all_ports(xdm_t)
+ corenet_tcp_bind_generic_node(xdm_t)
+ corenet_udp_bind_generic_node(xdm_t)
++corenet_udp_bind_ipp_port(xdm_t)
++corenet_udp_bind_xdmcp_port(xdm_t)
+ corenet_tcp_connect_all_ports(xdm_t)
+ corenet_sendrecv_all_client_packets(xdm_t)
+ # xdm tries to bind to biff_port_t
+ corenet_dontaudit_tcp_bind_all_ports(xdm_t)
+
++dev_rwx_zero(xdm_t)
+ dev_read_rand(xdm_t)
+-dev_read_sysfs(xdm_t)
++dev_rw_sysfs(xdm_t)
+ dev_getattr_framebuffer_dev(xdm_t)
+ dev_setattr_framebuffer_dev(xdm_t)
+ dev_getattr_mouse_dev(xdm_t)
+ dev_setattr_mouse_dev(xdm_t)
+ dev_rw_apm_bios(xdm_t)
++dev_rw_input_dev(xdm_t)
+ dev_setattr_apm_bios_dev(xdm_t)
+ dev_rw_dri(xdm_t)
+ dev_rw_agp(xdm_t)
+ dev_getattr_xserver_misc_dev(xdm_t)
+ dev_setattr_xserver_misc_dev(xdm_t)
++dev_rw_xserver_misc(xdm_t)
+ dev_getattr_misc_dev(xdm_t)
+ dev_setattr_misc_dev(xdm_t)
+ dev_dontaudit_rw_misc(xdm_t)
+-dev_getattr_video_dev(xdm_t)
++dev_read_video_dev(xdm_t)
++dev_write_video_dev(xdm_t)
+ dev_setattr_video_dev(xdm_t)
+ dev_getattr_scanner_dev(xdm_t)
+ dev_setattr_scanner_dev(xdm_t)
+-dev_getattr_sound_dev(xdm_t)
+-dev_setattr_sound_dev(xdm_t)
++dev_read_sound(xdm_t)
++dev_write_sound(xdm_t)
+ dev_getattr_power_mgmt_dev(xdm_t)
+ dev_setattr_power_mgmt_dev(xdm_t)
++dev_getattr_null_dev(xdm_t)
++dev_setattr_null_dev(xdm_t)
+
+ domain_use_interactive_fds(xdm_t)
+ # Do not audit denied probes of /proc.
+ domain_dontaudit_read_all_domains_state(xdm_t)
++domain_dontaudit_signal_all_domains(xdm_t)
++domain_dontaudit_getattr_all_entry_files(xdm_t)
+
+ files_read_etc_files(xdm_t)
+ files_read_var_files(xdm_t)
+@@ -430,9 +591,26 @@ files_list_mnt(xdm_t)
+ files_read_usr_files(xdm_t)
+ # Poweroff wants to create the /poweroff file when run from xdm
+ files_create_boot_flag(xdm_t)
++files_dontaudit_getattr_boot_dirs(xdm_t)
++files_dontaudit_write_usr_files(xdm_t)
++files_dontaudit_access_check_etc(xdm_t)
++files_dontaudit_getattr_all_dirs(xdm_t)
++files_dontaudit_getattr_all_symlinks(xdm_t)
++files_dontaudit_getattr_all_tmp_sockets(xdm_t)
++files_dontaudit_all_access_check(xdm_t)
+
+ fs_getattr_all_fs(xdm_t)
+ fs_search_auto_mountpoints(xdm_t)
++fs_search_all(xdm_t)
++fs_rw_anon_inodefs_files(xdm_t)
++fs_mount_tmpfs(xdm_t)
++fs_list_inotifyfs(xdm_t)
++fs_dontaudit_list_noxattr_fs(xdm_t)
++fs_dontaudit_read_noxattr_fs_files(xdm_t)
++fs_manage_cgroup_dirs(xdm_t)
++fs_manage_cgroup_files(xdm_t)
++
++mls_socket_write_to_clearance(xdm_t)
+
+ storage_dontaudit_read_fixed_disk(xdm_t)
+ storage_dontaudit_write_fixed_disk(xdm_t)
+@@ -441,28 +619,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+ storage_dontaudit_raw_write_removable_device(xdm_t)
+ storage_dontaudit_setattr_removable_dev(xdm_t)
+ storage_dontaudit_rw_scsi_generic(xdm_t)
++storage_dontaudit_rw_fuse(xdm_t)
+
+ term_setattr_console(xdm_t)
++term_use_console(xdm_t)
++term_use_virtio_console(xdm_t)
+ term_use_unallocated_ttys(xdm_t)
+ term_setattr_unallocated_ttys(xdm_t)
++term_relabel_all_ttys(xdm_t)
++term_relabel_unallocated_ttys(xdm_t)
+
+ auth_domtrans_pam_console(xdm_t)
+-auth_manage_pam_pid(xdm_t)
++#auth_manage_pam_pid(xdm_t)
+ auth_manage_pam_console_data(xdm_t)
++auth_signal_pam(xdm_t)
+ auth_rw_faillog(xdm_t)
+ auth_write_login_records(xdm_t)
+
+ # Run telinit->init to shutdown.
+ init_telinit(xdm_t)
++init_dbus_chat(xdm_t)
++init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
++init_status(xdm_t)
++
++systemd_write_inhibit_pipes(xdm_t)
+
+ libs_exec_lib_files(xdm_t)
+
+ logging_read_generic_logs(xdm_t)
+
+-miscfiles_read_localization(xdm_t)
++miscfiles_search_man_pages(xdm_t)
+ miscfiles_read_fonts(xdm_t)
++miscfiles_manage_fonts_cache(xdm_t)
++miscfiles_manage_localization(xdm_t)
++miscfiles_read_hwdata(xdm_t)
+
+-sysnet_read_config(xdm_t)
++systemd_write_inhibit_pipes(xdm_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(xdm_t)
+ userdom_create_all_users_keys(xdm_t)
+@@ -471,24 +663,43 @@ userdom_read_user_home_content_files(xdm_t)
+ # Search /proc for any user domain processes.
+ userdom_read_all_users_state(xdm_t)
+ userdom_signal_all_users(xdm_t)
++userdom_stream_connect(xdm_t)
++userdom_manage_user_tmp_dirs(xdm_t)
++userdom_manage_user_tmp_files(xdm_t)
++userdom_manage_user_tmp_sockets(xdm_t)
++userdom_manage_tmpfs_role(system_r, xdm_t)
++userdom_home_manager(xdm_t)
++
++application_signal(xdm_t)
+
+ xserver_rw_session(xdm_t, xdm_tmpfs_t)
+ xserver_unconfined(xdm_t)
++xserver_domtrans_xauth(xdm_t)
++
++ifndef(`distro_redhat',`
++ allow xdm_t self:process { execheap execmem };
++')
++
++ifdef(`distro_rhel4',`
++ allow xdm_t self:process { execheap execmem };
++')
+
+ tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(xdm_t)
+- fs_manage_nfs_files(xdm_t)
+- fs_manage_nfs_symlinks(xdm_t)
+ fs_exec_nfs_files(xdm_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(xdm_t)
+- fs_manage_cifs_files(xdm_t)
+- fs_manage_cifs_symlinks(xdm_t)
+ fs_exec_cifs_files(xdm_t)
+ ')
+
++optional_policy(`
++ tunable_policy(`xdm_exec_bootloader',`
++ bootloader_exec(xdm_t)
++ files_read_boot_files(xdm_t)
++ files_read_boot_symlinks(xdm_t)
++ ')
++')
++
+ tunable_policy(`xdm_sysadm_login',`
+ userdom_xsession_spec_domtrans_all_users(xdm_t)
+ # FIXME:
+@@ -502,11 +713,26 @@ tunable_policy(`xdm_sysadm_login',`
+ ')
+
+ optional_policy(`
++ accountsd_read_lib_files(xdm_t)
++ accountsd_dbus_chat(xdm_t)
++')
++
++optional_policy(`
++ acct_dontaudit_list_data(xdm_t)
++')
++
++optional_policy(`
++ boinc_dontaudit_getattr_lib(xdm_t)
++')
++
++optional_policy(`
+ alsa_domtrans(xdm_t)
++ alsa_read_rw_config(xdm_t)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat(xdm_t)
++ consolekit_read_log(xdm_t)
+ ')
+
+ optional_policy(`
+@@ -514,12 +740,71 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # Use dbus to start other processes as xdm_t
++ dbus_role_template(xdm, system_r, xdm_t)
++ dbus_system_bus_client(xdm_dbusd_t)
++ dbus_system_bus_client(xdm_t)
++
++ application_dontaudit_exec(xdm_dbusd_t)
++ #fixes for xfce4-notifyd
++ allow xdm_dbusd_t self:unix_stream_socket connectto;
++ allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;
++
++
++ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
++ xserver_xdm_append_log(xdm_dbusd_t)
++ xserver_read_xdm_pid(xdm_dbusd_t)
++
++ miscfiles_read_fonts(xdm_dbusd_t)
++
++ corecmd_bin_entry_type(xdm_t)
++
++ optional_policy(`
++ bluetooth_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
++ cpufreqselector_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat_disk(xdm_t)
++ devicekit_dbus_chat_power(xdm_t)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
++ gnomeclock_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat(xdm_t)
++ ')
++')
++
++optional_policy(`
+ # Talk to the console mouse server.
+ gpm_stream_connect(xdm_t)
+ gpm_setattr_gpmctl(xdm_t)
+ ')
+
+ optional_policy(`
++ gnome_stream_connect_gkeyringd(xdm_t)
++ gnome_exec_keyringd(xdm_t)
++ gnome_manage_config(xdm_t)
++ gnome_manage_gconf_home_files(xdm_t)
++ gnome_filetrans_home_content(xdm_t)
++ gnome_read_config(xdm_t)
++ gnome_read_usr_config(xdm_t)
++ gnome_read_gconf_config(xdm_t)
++ gnome_transition_gkeyringd(xdm_t)
++ gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")
++')
++
++optional_policy(`
+ hostname_exec(xdm_t)
+ ')
+
+@@ -537,28 +822,78 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ policykit_dbus_chat(xdm_t)
++ policykit_domtrans_auth(xdm_t)
++ policykit_read_lib(xdm_t)
++ policykit_read_reload(xdm_t)
++ policykit_signal_auth(xdm_t)
++')
++
++optional_policy(`
++ pcscd_stream_connect(xdm_t)
++')
++
++optional_policy(`
++ plymouthd_search_spool(xdm_t)
++ plymouthd_exec_plymouth(xdm_t)
++ plymouthd_stream_connect(xdm_t)
++ plymouthd_read_log(xdm_t)
++')
++
++optional_policy(`
++ pulseaudio_exec(xdm_t)
++ pulseaudio_dbus_chat(xdm_t)
++ pulseaudio_stream_connect(xdm_t)
++ pulseaudio_read_state(xserver_t)
++')
++
++optional_policy(`
+ resmgr_stream_connect(xdm_t)
+ ')
+
+ optional_policy(`
++ rhev_stream_connect_agentd(xdm_t)
++ rhev_read_pid_files_agentd(xdm_t)
++')
++
++# On crash gdm execs gdb to dump stack
++optional_policy(`
++ rpm_exec(xdm_t)
++ rpm_read_db(xdm_t)
++ rpm_dontaudit_manage_db(xdm_t)
++ rpm_dontaudit_dbus_chat(xdm_t)
++')
++
++optional_policy(`
++ rtkit_scheduled(xdm_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(xdm_t)
+ ')
+
+ optional_policy(`
+- udev_read_db(xdm_t)
++ ssh_signull(xdm_t)
++')
++
++optional_policy(`
++ shutdown_domtrans(xdm_t)
+ ')
+
+ optional_policy(`
+- unconfined_domain(xdm_t)
+- unconfined_domtrans(xdm_t)
++ telepathy_exec(xdm_t)
++')
+
+- ifndef(`distro_redhat',`
+- allow xdm_t self:process { execheap execmem };
+- ')
++optional_policy(`
++ udev_read_db(xdm_t)
++')
+
+- ifdef(`distro_rhel4',`
+- allow xdm_t self:process { execheap execmem };
+- ')
++optional_policy(`
++ unconfined_signal(xdm_t)
++')
++
++optional_policy(`
++ usbmuxd_stream_connect(xdm_t)
+ ')
+
+ optional_policy(`
+@@ -570,6 +905,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ vdagent_stream_connect(xdm_t)
++')
++
++optional_policy(`
++ wm_exec(xdm_t)
++')
++
++optional_policy(`
+ xfs_stream_connect(xdm_t)
+ ')
+
+@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send;
+ # execheap needed until the X module loader is fixed.
+ # NVIDIA Needs execstack
+
+-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++allow xserver_t self:capability { sys_ptrace dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++
+ dontaudit xserver_t self:capability chown;
++allow xserver_t self:capability2 compromise_kernel;
++
+ allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow xserver_t self:fd use;
+ allow xserver_t self:fifo_file rw_fifo_file_perms;
+@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow xserver_t self:tcp_socket create_stream_socket_perms;
+ allow xserver_t self:udp_socket create_socket_perms;
++allow xserver_t self:netlink_selinux_socket create_socket_perms;
+ allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
+
++allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
++
++domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
++
++allow xserver_t xauth_home_t:file read_file_perms;
++
+ manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+ manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+ manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+@@ -628,12 +981,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+ files_search_var_lib(xserver_t)
+
+-domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
+-allow xserver_t xauth_home_t:file read_file_perms;
++manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
++manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
++files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
++
++manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
++manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
++manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
++files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })
+
+ # Create files in /var/log with the xserver_log_t type.
+ manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
+ logging_log_filetrans(xserver_t, xserver_log_t, file)
++manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)
+
+ kernel_read_system_state(xserver_t)
+ kernel_read_device_sysctls(xserver_t)
+@@ -641,12 +1001,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+ # Xorg wants to check if kernel is tainted
+ kernel_read_kernel_sysctls(xserver_t)
+ kernel_write_proc_files(xserver_t)
++kernel_request_load_module(xserver_t)
+
+ # Run helper programs in xserver_t.
+ corecmd_exec_bin(xserver_t)
+ corecmd_exec_shell(xserver_t)
+
+-corenet_all_recvfrom_unlabeled(xserver_t)
+ corenet_all_recvfrom_netlabel(xserver_t)
+ corenet_tcp_sendrecv_generic_if(xserver_t)
+ corenet_udp_sendrecv_generic_if(xserver_t)
+@@ -667,23 +1027,28 @@ dev_rw_apm_bios(xserver_t)
+ dev_rw_agp(xserver_t)
+ dev_rw_framebuffer(xserver_t)
+ dev_manage_dri_dev(xserver_t)
+-dev_filetrans_dri(xserver_t)
+ dev_create_generic_dirs(xserver_t)
+ dev_setattr_generic_dirs(xserver_t)
+ # raw memory access is needed if not using the frame buffer
+ dev_read_raw_memory(xserver_t)
+ dev_wx_raw_memory(xserver_t)
+ # for other device nodes such as the NVidia binary-only driver
+-dev_rw_xserver_misc(xserver_t)
++dev_manage_xserver_misc(xserver_t)
++dev_filetrans_xserver_misc(xserver_t)
++
+ # read events - the synaptics touchpad driver reads raw events
+ dev_rw_input_dev(xserver_t)
++dev_read_raw_memory(xserver_t)
++dev_write_raw_memory(xserver_t)
+ dev_rwx_zero(xserver_t)
+
+-domain_dontaudit_search_all_domains_state(xserver_t)
++domain_dontaudit_read_all_domains_state(xserver_t)
++domain_signal_all_domains(xserver_t)
+
+ files_read_etc_files(xserver_t)
+ files_read_etc_runtime_files(xserver_t)
+ files_read_usr_files(xserver_t)
++files_rw_tmpfs_files(xserver_t)
+
+ # brought on by rhgb
+ files_search_mnt(xserver_t)
+@@ -694,8 +1059,13 @@ fs_getattr_xattr_fs(xserver_t)
+ fs_search_nfs(xserver_t)
+ fs_search_auto_mountpoints(xserver_t)
+ fs_search_ramfs(xserver_t)
++fs_rw_tmpfs_files(xserver_t)
+
+ mls_xwin_read_to_clearance(xserver_t)
++mls_process_write_to_clearance(xserver_t)
++mls_file_read_to_clearance(xserver_t)
++mls_file_write_all_levels(xserver_t)
++mls_file_upgrade(xserver_t)
+
+ selinux_validate_context(xserver_t)
+ selinux_compute_access_vector(xserver_t)
+@@ -708,20 +1078,18 @@ init_getpgid(xserver_t)
+ term_setattr_unallocated_ttys(xserver_t)
+ term_use_unallocated_ttys(xserver_t)
+
+-getty_use_fds(xserver_t)
+-
+ locallogin_use_fds(xserver_t)
+
+ logging_send_syslog_msg(xserver_t)
+ logging_send_audit_msgs(xserver_t)
+
+-miscfiles_read_localization(xserver_t)
+ miscfiles_read_fonts(xserver_t)
+-
+-modutils_domtrans_insmod(xserver_t)
++miscfiles_read_hwdata(xserver_t)
+
+ # read x_contexts
+ seutil_read_default_contexts(xserver_t)
++seutil_read_config(xserver_t)
++seutil_read_file_contexts(xserver_t)
+
+ userdom_search_user_home_dirs(xserver_t)
+ userdom_use_user_ttys(xserver_t)
+@@ -775,16 +1143,40 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ consolekit_read_state(xserver_t)
++')
++
++optional_policy(`
++ devicekit_signal_power(xserver_t)
++')
++
++optional_policy(`
++ getty_use_fds(xserver_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(xserver_t)
++')
++
++optional_policy(`
+ rhgb_getpgid(xserver_t)
+ rhgb_signal(xserver_t)
+ ')
+
+ optional_policy(`
++ setrans_translate_context(xserver_t)
++')
++
++optional_policy(`
++ sandbox_rw_xserver_tmpfs_files(xserver_t)
++')
++
++optional_policy(`
+ udev_read_db(xserver_t)
+ ')
+
+ optional_policy(`
+- unconfined_domain_noaudit(xserver_t)
++ unconfined_domain(xserver_t)
+ unconfined_domtrans(xserver_t)
+ ')
+
+@@ -793,6 +1185,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ wine_rw_shm(xserver_t)
++')
++
++optional_policy(`
+ xfs_stream_connect(xserver_t)
+ ')
+
+@@ -808,10 +1204,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+
+ # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
+ # handle of a file inside the dir!!!
+-allow xserver_t xdm_var_lib_t:file { getattr read };
+-dontaudit xserver_t xdm_var_lib_t:dir search;
++allow xserver_t xdm_var_lib_t:file read_file_perms;
++dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
+
+-allow xserver_t xdm_var_run_t:file read_file_perms;
++read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
+
+ # Label pid and temporary files with derived types.
+ manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1215,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+ manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+
+ # Run xkbcomp.
+-allow xserver_t xkb_var_lib_t:lnk_file read;
++allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
+ can_exec(xserver_t, xkb_var_lib_t)
+
+ # VNC v4 module in X server
+@@ -832,26 +1228,21 @@ init_use_fds(xserver_t)
+ # to read ROLE_home_t - examine this in more detail
+ # (xauth?)
+ userdom_read_user_home_content_files(xserver_t)
++userdom_read_all_users_state(xserver_t)
++userdom_home_manager(xserver_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(xserver_t)
+- fs_manage_nfs_files(xserver_t)
+- fs_manage_nfs_symlinks(xserver_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(xserver_t)
+- fs_manage_cifs_files(xserver_t)
+- fs_manage_cifs_symlinks(xserver_t)
+-')
++xserver_use_user_fonts(xserver_t)
+
+ optional_policy(`
+ dbus_system_bus_client(xserver_t)
+- hal_dbus_chat(xserver_t)
++
++ optional_policy(`
++ hal_dbus_chat(xserver_t)
++ ')
+ ')
+
+ optional_policy(`
+- resmgr_stream_connect(xdm_t)
++ mono_rw_shm(xserver_t)
+ ')
+
+ optional_policy(`
+@@ -859,6 +1250,10 @@ optional_policy(`
+ rhgb_rw_tmpfs_files(xserver_t)
+ ')
+
++optional_policy(`
++ userhelper_search_config(xserver_t)
++')
++
+ ########################################
+ #
+ # Rules common to all X window domains
+@@ -902,7 +1297,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+ allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
+ # operations allowed on my windows
+ allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
+-allow x_domain self:x_drawable { blend };
++allow x_domain self:x_drawable blend;
+ # operations allowed on all windows
+ allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
+
+@@ -956,11 +1351,31 @@ allow x_domain self:x_resource { read write };
+ # can mess with the screensaver
+ allow x_domain xserver_t:x_screen { getattr saver_getattr };
+
++# Device rules
++allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
++allow x_domain xserver_t:x_screen getattr;
++
+ ########################################
+ #
+ # Rules for unconfined access to this module
+ #
+
++allow xserver_unconfined_type xserver_t:x_server *;
++allow xserver_unconfined_type xdrawable_type:x_drawable *;
++allow xserver_unconfined_type xserver_t:x_screen *;
++allow xserver_unconfined_type x_domain:x_gc *;
++allow xserver_unconfined_type xcolormap_type:x_colormap *;
++allow xserver_unconfined_type xproperty_type:x_property *;
++allow xserver_unconfined_type xselection_type:x_selection *;
++allow xserver_unconfined_type x_domain:x_cursor *;
++allow xserver_unconfined_type x_domain:x_client *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
++allow xserver_unconfined_type xextension_type:x_extension *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
++allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
++
+ tunable_policy(`! xserver_object_manager',`
+ # should be xserver_unconfined(x_domain),
+ # but typeattribute doesnt work in conditionals
+@@ -982,18 +1397,44 @@ tunable_policy(`! xserver_object_manager',`
+ allow x_domain xevent_type:{ x_event x_synthetic_event } *;
+ ')
+
+-allow xserver_unconfined_type xserver_t:x_server *;
+-allow xserver_unconfined_type xdrawable_type:x_drawable *;
+-allow xserver_unconfined_type xserver_t:x_screen *;
+-allow xserver_unconfined_type x_domain:x_gc *;
+-allow xserver_unconfined_type xcolormap_type:x_colormap *;
+-allow xserver_unconfined_type xproperty_type:x_property *;
+-allow xserver_unconfined_type xselection_type:x_selection *;
+-allow xserver_unconfined_type x_domain:x_cursor *;
+-allow xserver_unconfined_type x_domain:x_client *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+-allow xserver_unconfined_type xextension_type:x_extension *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
+-allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
++tunable_policy(`xserver_execmem',`
++ allow xserver_t self:process { execheap execmem execstack };
++')
++
++# Hack to handle the problem of using the nvidia blobs
++tunable_policy(`deny_execmem',`',`
++ allow xdm_t self:process execmem;
++')
++
++tunable_policy(`selinuxuser_execstack',`
++ allow xdm_t self:process { execstack execmem };
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_append_nfs_files(xdmhomewriter)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_append_nfs_files(xdmhomewriter)
++')
++
++optional_policy(`
++ unconfined_rw_shm(xserver_t)
++
++ # xserver signals unconfined user on startx
++ unconfined_signal(xserver_t)
++ unconfined_getpgid(xserver_t)
++')
++
++allow xdm_t xdm_unconfined_exec_t:dir search_dir_perms;
++can_exec(xdm_t, xdm_unconfined_exec_t)
++
++optional_policy(`
++ type xdm_unconfined_t;
++ domain_type(xdm_unconfined_t)
++ domain_entry_file(xdm_unconfined_t, xdm_unconfined_exec_t)
++ role system_r types xdm_unconfined_t;
++
++ domtrans_pattern(xdm_t, xdm_unconfined_exec_t, xdm_unconfined_t)
++ unconfined_domain(xdm_unconfined_t)
++')
+diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
+index 1b6619e..be02b96 100644
+--- a/policy/modules/system/application.if
++++ b/policy/modules/system/application.if
+@@ -43,6 +43,27 @@ interface(`application_executable_file',`
+ corecmd_executable_file($1)
+ ')
+
++#######################################
++##
++## Make the specified type usable for files
++## that are exectuables, such as binary programs.
++## This does not include shared libraries.
++##
++##
++##
++## Type to be used for files.
++##
++##
++#
++interface(`application_executable_ioctl',`
++ gen_require(`
++ attribute application_exec_type;
++ ')
++
++ allow $1 application_exec_type:file ioctl;
++
++')
++
+ ########################################
+ ##
+ ## Execute application executables in the caller domain.
+@@ -76,13 +97,30 @@ interface(`application_exec_all',`
+ corecmd_dontaudit_exec_all_executables($1)
+ corecmd_exec_bin($1)
+ corecmd_exec_shell($1)
+- corecmd_exec_chroot($1)
+
+ application_exec($1)
+ ')
+
+ ########################################
+ ##
++## Dontaudit execute all executable files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`application_dontaudit_exec',`
++ gen_require(`
++ attribute application_exec_type;
++ ')
++
++ dontaudit $1 application_exec_type:file execute;
++')
++
++########################################
++##
+ ## Create a domain for applications.
+ ##
+ ##
+@@ -189,6 +227,24 @@ interface(`application_dontaudit_signal',`
+
+ ########################################
+ ##
++## Send kill signals to all application domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`application_sigkill',`
++ gen_require(`
++ attribute application_domain_type;
++ ')
++
++ allow $1 application_domain_type:process sigkill;
++')
++
++########################################
++##
+ ## Do not audit attempts to send kill signals
+ ## to all application domains.
+ ##
+@@ -205,3 +261,21 @@ interface(`application_dontaudit_sigkill',`
+
+ dontaudit $1 application_domain_type:process sigkill;
+ ')
++
++#######################################
++##
++## Getattr all application sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`application_getattr_socket',`
++ gen_require(`
++ attribute application_domain_type;
++ ')
++
++ allow $1 application_domain_type:socket_class_set getattr;
++')
+diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
+index c6fdab7..c59902a 100644
+--- a/policy/modules/system/application.te
++++ b/policy/modules/system/application.te
+@@ -6,6 +6,30 @@ attribute application_domain_type;
+ # Executables to be run by user
+ attribute application_exec_type;
+
++domain_use_interactive_fds(application_domain_type)
++
++userdom_inherit_append_user_home_content_files(application_domain_type)
++userdom_inherit_append_admin_home_files(application_domain_type)
++userdom_inherit_append_user_tmp_files(application_domain_type)
++userdom_rw_inherited_user_tmp_files(application_domain_type)
++userdom_rw_inherited_user_pipes(application_domain_type)
++logging_inherit_append_all_logs(application_domain_type)
++
++files_dontaudit_search_non_security_dirs(application_domain_type)
++
++optional_policy(`
++ afs_rw_udp_sockets(application_domain_type)
++')
++
++optional_policy(`
++ cfengine_append_inherited_log(application_domain_type)
++')
++
++optional_policy(`
++ cron_rw_inherited_user_spool_files(application_domain_type)
++ cron_sigchld(application_domain_type)
++')
++
+ optional_policy(`
+ cron_sigchld(application_domain_type)
+ ')
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 28ad538..ffa1f8f 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -1,14 +1,25 @@
++HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
++HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
+
+ /bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
+
+-/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+-/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/group\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
+ /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+-/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/security/opasswd -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/passwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/\.pwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/group[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
+
+ /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
+-/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
++/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0)
+ /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
+ /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+@@ -16,13 +27,24 @@ ifdef(`distro_suse', `
+ /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ')
+
++/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
++
+ /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0)
+
+-/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
+-/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
++/usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0)
++/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
++/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ifdef(`distro_gentoo', `
+ /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ')
++/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
++/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
++
++/var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++
++/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
+ /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
+
+@@ -30,20 +52,24 @@ ifdef(`distro_gentoo', `
+
+ /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+ /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++/var/lib/pam_shield(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++/var/lib/google-authenticator(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
+ /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
+ /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
+-/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0)
+-/var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0)
++/var/log/faillog.* -- gen_context(system_u:object_r:faillog_t,s0)
++/var/log/lastlog.* -- gen_context(system_u:object_r:lastlog_t,s0)
+ /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
+-/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0)
++/var/log/tallylog.* -- gen_context(system_u:object_r:faillog_t,s0)
+ /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
+
++/var/lib/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++/var/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++
+ /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
+ /var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)
+ /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+ /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+ /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
+index f416ce9..b4efacf 100644
+--- a/policy/modules/system/authlogin.if
++++ b/policy/modules/system/authlogin.if
+@@ -23,11 +23,17 @@ interface(`auth_role',`
+ role $1 types chkpwd_t;
+
+ # Transition from the user domain to this domain.
+- domtrans_pattern($2, chkpwd_exec_t, chkpwd_t)
++ auth_domtrans_chkpwd($2)
+
+ ps_process_pattern($2, chkpwd_t)
+
+ dontaudit $2 shadow_t:file read_file_perms;
++
++ logging_send_syslog_msg($2)
++ logging_send_audit_msgs($2)
++
++ usermanage_read_crack_db($2)
++
+ ')
+
+ ########################################
+@@ -57,6 +63,8 @@ interface(`auth_use_pam',`
+ auth_exec_pam($1)
+ auth_use_nsswitch($1)
+
++ init_rw_stream_sockets($1)
++
+ logging_send_audit_msgs($1)
+ logging_send_syslog_msg($1)
+
+@@ -78,8 +86,19 @@ interface(`auth_use_pam',`
+ ')
+
+ optional_policy(`
++ locallogin_getattr_home_content($1)
++ ')
++
++ optional_policy(`
+ nis_authenticate($1)
+ ')
++
++ optional_policy(`
++ systemd_dbus_chat_logind($1)
++ systemd_use_fds_logind($1)
++ systemd_write_inherited_logind_sessions_pipes($1)
++ systemd_read_logind_sessions_files($1)
++ ')
+ ')
+
+ ########################################
+@@ -95,48 +114,21 @@ interface(`auth_use_pam',`
+ interface(`auth_login_pgm_domain',`
+ gen_require(`
+ type var_auth_t, auth_cache_t;
++ attribute polydomain;
++ attribute login_pgm;
++ type auth_home_t;
+ ')
+
+ domain_type($1)
++ typeattribute $1 polydomain;
++ typeattribute $1 login_pgm;
++
+ domain_subj_id_change_exemption($1)
+ domain_role_change_exemption($1)
+ domain_obj_id_change_exemption($1)
+ role system_r types $1;
+
+- # Needed for pam_selinux_permit to cleanup properly
+- domain_read_all_domains_state($1)
+- domain_kill_all_domains($1)
+-
+- # pam_keyring
+- allow $1 self:capability ipc_lock;
+- allow $1 self:process setkeycreate;
+- allow $1 self:key manage_key_perms;
+-
+- files_list_var_lib($1)
+- manage_files_pattern($1, var_auth_t, var_auth_t)
+-
+- manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+- manage_files_pattern($1, auth_cache_t, auth_cache_t)
+- manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
+- files_var_filetrans($1, auth_cache_t, dir)
+-
+- # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+- kernel_rw_afs_state($1)
+-
+- # for fingerprint readers
+- dev_rw_input_dev($1)
+- dev_rw_generic_usb_dev($1)
+-
+- files_read_etc_files($1)
+-
+- fs_list_auto_mountpoints($1)
+-
+ selinux_get_fs_mount($1)
+- selinux_validate_context($1)
+- selinux_compute_access_vector($1)
+- selinux_compute_create_context($1)
+- selinux_compute_relabel_context($1)
+- selinux_compute_user_contexts($1)
+
+ mls_file_read_all_levels($1)
+ mls_file_write_all_levels($1)
+@@ -146,18 +138,43 @@ interface(`auth_login_pgm_domain',`
+ mls_fd_share_all_levels($1)
+
+ auth_use_pam($1)
++')
+
+- init_rw_utmp($1)
+-
+- logging_set_loginuid($1)
+- logging_set_tty_audit($1)
++########################################
++##
++## Read authlogin state files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authlogin_read_state',`
++ gen_require(`
++ attribute polydomain;
++ ')
+
+- seutil_read_config($1)
+- seutil_read_default_contexts($1)
++ kernel_search_proc($1)
++ ps_process_pattern($1, polydomain)
++')
+
+- tunable_policy(`allow_polyinstantiation',`
+- files_polyinstantiate_all($1)
++########################################
++##
++## Read and write a authlogin unnamed pipe.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authlogin_rw_pipes',`
++ gen_require(`
++ attribute polydomain;
+ ')
++
++ allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -231,6 +248,25 @@ interface(`auth_domtrans_login_program',`
+
+ ########################################
+ ##
++## Execute a login_program in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`auth_exec_login_program',`
++ gen_require(`
++ type login_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, login_exec_t)
++')
++
++########################################
++##
+ ## Execute a login_program in the target domain,
+ ## with a range transition.
+ ##
+@@ -395,13 +431,15 @@ interface(`auth_domtrans_chk_passwd',`
+ ')
+
+ optional_policy(`
+- pcscd_read_pub_files($1)
++ pcscd_manage_pub_files($1)
++ pcscd_manage_pub_pipes($1)
+ pcscd_stream_connect($1)
+ ')
+
+ optional_policy(`
+ samba_stream_connect_winbind($1)
+ ')
++ auth_domtrans_upd_passwd($1)
+ ')
+
+ ########################################
+@@ -448,6 +486,25 @@ interface(`auth_run_chk_passwd',`
+
+ auth_domtrans_chk_passwd($1)
+ role $2 types chkpwd_t;
++ auth_run_upd_passwd($1, $2)
++')
++
++########################################
++##
++## Send generic signals to chkpwd processes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_signal_chk_passwd',`
++ gen_require(`
++ type chkpwd_t;
++ ')
++
++ allow $1 chkpwd_t:process signal;
+ ')
+
+ ########################################
+@@ -467,7 +524,6 @@ interface(`auth_domtrans_upd_passwd',`
+
+ domtrans_pattern($1, updpwd_exec_t, updpwd_t)
+ auth_dontaudit_read_shadow($1)
+-
+ ')
+
+ ########################################
+@@ -664,6 +720,9 @@ interface(`auth_manage_shadow',`
+
+ allow $1 shadow_t:file manage_file_perms;
+ typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
++ files_var_filetrans($1, shadow_t, file, "shadow")
++ files_var_filetrans($1, shadow_t, file, "shadow-")
++ files_etc_filetrans($1, shadow_t, file, "gshadow")
+ ')
+
+ #######################################
+@@ -763,7 +822,50 @@ interface(`auth_rw_faillog',`
+ ')
+
+ logging_search_logs($1)
+- allow $1 faillog_t:file rw_file_perms;
++ rw_files_pattern($1, faillog_t, faillog_t)
++')
++
++########################################
++##
++## Relabel the login failure log.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_relabel_faillog',`
++ gen_require(`
++ type faillog_t;
++ ')
++
++ allow $1 faillog_t:dir relabel_dir_perms;
++ allow $1 faillog_t:file relabel_file_perms;
++')
++
++########################################
++##
++## Manage the login failure log.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_manage_faillog',`
++ gen_require(`
++ type faillog_t;
++ ')
++
++ logging_search_logs($1)
++ files_search_pids($1)
++ allow $1 faillog_t:dir manage_dir_perms;
++ allow $1 faillog_t:file manage_file_perms;
++ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
++ logging_log_named_filetrans($1, faillog_t, file, "faillog")
++ logging_log_named_filetrans($1, faillog_t, file, "btmp")
+ ')
+
+ #######################################
+@@ -826,7 +928,7 @@ interface(`auth_rw_lastlog',`
+
+ ########################################
+ ##
+-## Execute pam programs in the pam domain.
++## Execute pam timestamp programs in the pam timestamp domain.
+ ##
+ ##
+ ##
+@@ -834,12 +936,27 @@ interface(`auth_rw_lastlog',`
+ ##
+ ##
+ #
+-interface(`auth_domtrans_pam',`
++interface(`auth_domtrans_pam_timestamp',`
+ gen_require(`
+- type pam_t, pam_exec_t;
++ type pam_timestamp_t, pam_timestamp_exec_t;
+ ')
+
+- domtrans_pattern($1, pam_exec_t, pam_t)
++ domtrans_pattern($1, pam_timestamp_exec_t, pam_timestamp_t)
++')
++
++########################################
++##
++## Execute pam timestamp programs in the pam timestamp domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`auth_domtrans_pam',`
++ auth_domtrans_pam_timestamp($1)
++ refpolicywarn(`$0() has been deprecated, please use auth_domtrans_pam_timestamp() instead.')
+ ')
+
+ ########################################
+@@ -854,15 +971,15 @@ interface(`auth_domtrans_pam',`
+ #
+ interface(`auth_signal_pam',`
+ gen_require(`
+- type pam_t;
++ type pam_timestamp_t;
+ ')
+
+- allow $1 pam_t:process signal;
++ allow $1 pam_timestamp_t:process signal;
+ ')
+
+ ########################################
+ ##
+-## Execute pam programs in the PAM domain.
++## Execute pam_timestamp programs in the PAM timestamp domain.
+ ##
+ ##
+ ##
+@@ -875,13 +992,33 @@ interface(`auth_signal_pam',`
+ ##
+ ##
+ #
+-interface(`auth_run_pam',`
++interface(`auth_run_pam_timestamp',`
+ gen_require(`
+- type pam_t;
++ type pam_timestamp_t;
+ ')
+
+- auth_domtrans_pam($1)
+- role $2 types pam_t;
++ auth_domtrans_pam_timestamp($1)
++ role $2 types pam_timestamp_t;
++')
++
++########################################
++##
++## Execute pam_timestamp programs in the PAM timestamp domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The role to allow the PAM domain.
++##
++##
++#
++interface(`auth_run_pam',`
++ auth_run_pam_timestamp($1, $2)
++ refpolicywarn(`$0() has been deprecated, please use auth_run_pam_timestamp.')
+ ')
+
+ ########################################
+@@ -959,9 +1096,30 @@ interface(`auth_manage_var_auth',`
+ ')
+
+ files_search_var($1)
+- allow $1 var_auth_t:dir manage_dir_perms;
+- allow $1 var_auth_t:file rw_file_perms;
+- allow $1 var_auth_t:lnk_file rw_lnk_file_perms;
++
++ manage_dirs_pattern($1, var_auth_t, var_auth_t)
++ manage_files_pattern($1, var_auth_t, var_auth_t)
++ manage_lnk_files_pattern($1, var_auth_t, var_auth_t)
++')
++
++########################################
++##
++## Relabel all var auth files. Used by various other applications
++## and pam applets etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_relabel_var_auth_dirs',`
++ gen_require(`
++ type var_auth_t;
++ ')
++
++ files_search_var($1)
++ relabel_dirs_pattern($1, var_auth_t, var_auth_t)
+ ')
+
+ ########################################
+@@ -1040,6 +1198,10 @@ interface(`auth_manage_pam_pid',`
+ files_search_pids($1)
+ allow $1 pam_var_run_t:dir manage_dir_perms;
+ allow $1 pam_var_run_t:file manage_file_perms;
++ files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount")
++ files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh")
++ files_pid_filetrans($1, pam_var_run_t, dir, "sepermit")
++ files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
+ ')
+
+ ########################################
+@@ -1157,6 +1319,7 @@ interface(`auth_manage_pam_console_data',`
+ files_search_pids($1)
+ manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
+ manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
++ files_pid_filetrans($1, pam_var_console_t, dir, "console")
+ ')
+
+ #######################################
+@@ -1526,6 +1689,25 @@ interface(`auth_setattr_login_records',`
+
+ ########################################
+ ##
++## Relabel login record files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_relabel_login_records',`
++ gen_require(`
++ type wtmp_t;
++ ')
++
++ allow $1 wtmp_t:file relabel_file_perms;
++')
++
++
++########################################
++##
+ ## Read login records files (/var/log/wtmp).
+ ##
+ ##
+@@ -1676,24 +1858,7 @@ interface(`auth_manage_login_records',`
+
+ logging_rw_generic_log_dirs($1)
+ allow $1 wtmp_t:file manage_file_perms;
+-')
+-
+-########################################
+-##
+-## Relabel login record files.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`auth_relabel_login_records',`
+- gen_require(`
+- type wtmp_t;
+- ')
+-
+- allow $1 wtmp_t:file relabel_file_perms;
++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
+ ')
+
+ ########################################
+@@ -1717,11 +1882,13 @@ interface(`auth_relabel_login_records',`
+ ##
+ #
+ interface(`auth_use_nsswitch',`
+- gen_require(`
+- attribute nsswitch_domain;
+- ')
++ gen_require(`
++ attribute nsswitch_domain;
++ ')
+
+ typeattribute $1 nsswitch_domain;
++
++ corenet_all_recvfrom_netlabel($1)
+ ')
+
+ ########################################
+@@ -1755,3 +1922,199 @@ interface(`auth_unconfined',`
+ typeattribute $1 can_write_shadow_passwords;
+ typeattribute $1 can_relabelto_shadow_passwords;
+ ')
++
++########################################
++##
++## Transition to authlogin named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_filetrans_named_content',`
++ gen_require(`
++ type shadow_t;
++ type passwd_file_t;
++ type faillog_t;
++ type lastlog_t;
++ type wtmp_t;
++ type pam_var_console_t;
++ type pam_var_run_t;
++ type auth_cache_t;
++ ')
++
++ files_etc_filetrans($1, passwd_file_t, file, "group")
++ files_etc_filetrans($1, passwd_file_t, file, "group-")
++ #files_etc_filetrans($1, passwd_file_t, file, "group+")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
++ #files_etc_filetrans($1, passwd_file_t, file, "passwd+")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD")
++ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock")
++ files_etc_filetrans($1, passwd_file_t, file, "group.lock")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd.adjunct")
++ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")
++ files_etc_filetrans($1, shadow_t, file, "shadow")
++ files_etc_filetrans($1, shadow_t, file, "shadow-")
++ files_etc_filetrans($1, shadow_t, file, "gshadow")
++ logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
++ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
++ logging_log_named_filetrans($1, faillog_t, file, "faillog")
++ logging_log_named_filetrans($1, faillog_t, file, "btmp")
++ files_pid_filetrans($1, faillog_t, file, "faillog")
++ files_pid_filetrans($1, faillog_t, dir, "faillock")
++ files_pid_filetrans($1, pam_var_console_t, dir, "console")
++ files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount")
++ files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh")
++ files_pid_filetrans($1, pam_var_run_t, dir, "sepermit")
++ files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
++ files_var_filetrans($1, auth_cache_t, dir, "coolkey")
++')
++
++########################################
++##
++## Get the attributes of the passwd passwords file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_getattr_passwd',`
++ gen_require(`
++ type passwd_file_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 passwd_file_t:file getattr;
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of the passwd passwords file.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`auth_dontaudit_getattr_passwd',`
++ gen_require(`
++ type passwd_file_t;
++ ')
++
++ dontaudit $1 passwd_file_t:file getattr;
++')
++
++########################################
++##
++## Read the passwd passwords file (/etc/passwd)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_read_passwd',`
++ gen_require(`
++ type passwd_file_t;
++ ')
++
++ allow $1 passwd_file_t:file read_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read the passwd
++## password file (/etc/passwd).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`auth_dontaudit_read_passwd',`
++ gen_require(`
++ type passwd_file_t;
++ ')
++
++ dontaudit $1 passwd_file_t:file read_file_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete the passwd
++## password file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_manage_passwd',`
++ gen_require(`
++ type passwd_file_t;
++ ')
++
++ files_rw_etc_dirs($1)
++ allow $1 passwd_file_t:file manage_file_perms;
++ files_etc_filetrans($1, passwd_file_t, file, "passwd")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
++ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
++ files_etc_filetrans($1, passwd_file_t, file, "group")
++ files_etc_filetrans($1, passwd_file_t, file, "group-")
++ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock")
++ files_etc_filetrans($1, passwd_file_t, file, "group.lock")
++')
++
++########################################
++##
++## Create auth directory in the /root directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_filetrans_admin_home_content',`
++ gen_require(`
++ type auth_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
++ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
++')
++
++########################################
++##
++## Create auth directory in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_filetrans_home_content',`
++
++ gen_require(`
++ type auth_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
++ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
++')
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index f145ccb..499ee40 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.0)
+ # Declarations
+ #
+
++##
++##
++## Allow users to login using a radius server
++##
++##
++gen_tunable(authlogin_radius, false)
++
++##
++##
++## Allow users to login using a yubikey server
++##
++##
++gen_tunable(authlogin_yubikey, false)
+
+ ##
+ ##
+@@ -16,20 +29,26 @@ gen_tunable(authlogin_nsswitch_use_ldap, false)
+ attribute can_read_shadow_passwords;
+ attribute can_write_shadow_passwords;
+ attribute can_relabelto_shadow_passwords;
++attribute polydomain;
+ attribute nsswitch_domain;
++attribute login_pgm;
+
+ type auth_cache_t;
+ logging_log_file(auth_cache_t)
+
++type auth_home_t;
++userdom_user_home_content(auth_home_t)
++
+ type chkpwd_t, can_read_shadow_passwords;
+ type chkpwd_exec_t;
+ typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
+-typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
++typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t system_chkpwd_t };
+ application_domain(chkpwd_t, chkpwd_exec_t)
+ role system_r types chkpwd_t;
+
+ type faillog_t;
+ logging_log_file(faillog_t)
++mls_trusted_object(faillog_t)
+
+ type lastlog_t;
+ logging_log_file(lastlog_t)
+@@ -42,15 +61,15 @@ type pam_console_exec_t;
+ init_system_domain(pam_console_t, pam_console_exec_t)
+ role system_r types pam_console_t;
+
+-type pam_t;
+-domain_type(pam_t)
+-role system_r types pam_t;
++type pam_timestamp_t alias pam_t;
++domain_type(pam_timestamp_t)
++role system_r types pam_timestamp_t;
+
+-type pam_exec_t;
+-domain_entry_file(pam_t, pam_exec_t)
++type pam_timestamp_exec_t alias pam_exec_t;
++domain_entry_file(pam_timestamp_t, pam_timestamp_exec_t)
+
+-type pam_tmp_t;
+-files_tmp_file(pam_tmp_t)
++type pam_timestamp_tmp_t;
++files_tmp_file(pam_timestamp_tmp_t)
+
+ type pam_var_console_t;
+ files_pid_file(pam_var_console_t)
+@@ -64,6 +83,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
+ neverallow ~can_write_shadow_passwords shadow_t:file { create write };
+ neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
+
++type passwd_file_t;
++files_type(passwd_file_t)
++
+ type updpwd_t;
+ type updpwd_exec_t;
+ domain_type(updpwd_t)
+@@ -109,6 +131,8 @@ dev_read_urand(chkpwd_t)
+ files_read_etc_files(chkpwd_t)
+ # for nscd
+ files_dontaudit_search_var(chkpwd_t)
++files_read_usr_symlinks(chkpwd_t)
++files_list_tmp(chkpwd_t)
+
+ fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+
+@@ -122,12 +146,11 @@ auth_use_nsswitch(chkpwd_t)
+ logging_send_audit_msgs(chkpwd_t)
+ logging_send_syslog_msg(chkpwd_t)
+
+-miscfiles_read_localization(chkpwd_t)
+
+ seutil_read_config(chkpwd_t)
+ seutil_dontaudit_use_newrole_fds(chkpwd_t)
+
+-userdom_use_user_terminals(chkpwd_t)
++userdom_dontaudit_use_user_ttys(chkpwd_t)
+
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+@@ -153,53 +176,52 @@ optional_policy(`
+ # PAM local policy
+ #
+
+-allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+-dontaudit pam_t self:capability sys_tty_config;
++allow pam_timestamp_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++dontaudit pam_timestamp_t self:capability sys_tty_config;
+
+-allow pam_t self:fd use;
+-allow pam_t self:fifo_file rw_file_perms;
+-allow pam_t self:unix_dgram_socket create_socket_perms;
+-allow pam_t self:unix_stream_socket rw_stream_socket_perms;
+-allow pam_t self:unix_dgram_socket sendto;
+-allow pam_t self:unix_stream_socket connectto;
+-allow pam_t self:shm create_shm_perms;
+-allow pam_t self:sem create_sem_perms;
+-allow pam_t self:msgq create_msgq_perms;
+-allow pam_t self:msg { send receive };
++allow pam_timestamp_t self:fd use;
++allow pam_timestamp_t self:fifo_file rw_file_perms;
++allow pam_timestamp_t self:unix_dgram_socket create_socket_perms;
++allow pam_timestamp_t self:unix_stream_socket rw_stream_socket_perms;
++allow pam_timestamp_t self:unix_dgram_socket sendto;
++allow pam_timestamp_t self:unix_stream_socket connectto;
++allow pam_timestamp_t self:shm create_shm_perms;
++allow pam_timestamp_t self:sem create_sem_perms;
++allow pam_timestamp_t self:msgq create_msgq_perms;
++allow pam_timestamp_t self:msg { send receive };
+
+-delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
+-read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
+-files_list_pids(pam_t)
++delete_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t)
++read_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t)
++files_list_pids(pam_timestamp_t)
+
+-allow pam_t pam_tmp_t:dir manage_dir_perms;
+-allow pam_t pam_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
++allow pam_timestamp_t pam_timestamp_tmp_t:dir manage_dir_perms;
++allow pam_timestamp_t pam_timestamp_tmp_t:file manage_file_perms;
++files_tmp_filetrans(pam_timestamp_t, pam_timestamp_tmp_t, { file dir })
+
+-auth_use_nsswitch(pam_t)
++auth_use_nsswitch(pam_timestamp_t)
+
+-kernel_read_system_state(pam_t)
++kernel_read_system_state(pam_timestamp_t)
+
+-files_read_etc_files(pam_t)
++files_read_etc_files(pam_timestamp_t)
+
+-fs_search_auto_mountpoints(pam_t)
++fs_search_auto_mountpoints(pam_timestamp_t)
+
+-miscfiles_read_localization(pam_t)
+
+-term_use_all_ttys(pam_t)
+-term_use_all_ptys(pam_t)
++term_use_all_ttys(pam_timestamp_t)
++term_use_all_ptys(pam_timestamp_t)
+
+-init_dontaudit_rw_utmp(pam_t)
++init_dontaudit_rw_utmp(pam_timestamp_t)
+
+-logging_send_syslog_msg(pam_t)
++logging_send_syslog_msg(pam_timestamp_t)
+
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+- unconfined_domain(pam_t)
++ unconfined_domain(pam_timestamp_t)
+ ')
+ ')
+
+ optional_policy(`
+- locallogin_use_fds(pam_t)
++ locallogin_use_fds(pam_timestamp_t)
+ ')
+
+ ########################################
+@@ -289,7 +311,6 @@ init_use_script_ptys(pam_console_t)
+
+ logging_send_syslog_msg(pam_console_t)
+
+-miscfiles_read_localization(pam_console_t)
+ miscfiles_read_generic_certs(pam_console_t)
+
+ seutil_read_file_contexts(pam_console_t)
+@@ -341,6 +362,7 @@ kernel_read_system_state(updpwd_t)
+ dev_read_urand(updpwd_t)
+
+ files_manage_etc_files(updpwd_t)
++auth_manage_passwd(updpwd_t)
+
+ term_dontaudit_use_console(updpwd_t)
+ term_dontaudit_use_unallocated_ttys(updpwd_t)
+@@ -350,9 +372,8 @@ auth_use_nsswitch(updpwd_t)
+
+ logging_send_syslog_msg(updpwd_t)
+
+-miscfiles_read_localization(updpwd_t)
+
+-userdom_use_user_terminals(updpwd_t)
++userdom_use_inherited_user_terminals(updpwd_t)
+
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+@@ -380,13 +401,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+ term_dontaudit_use_all_ptys(utempter_t)
+ term_dontaudit_use_ptmx(utempter_t)
+
++auth_use_nsswitch(utempter_t)
++
+ init_rw_utmp(utempter_t)
+
+ domain_use_interactive_fds(utempter_t)
+
+ logging_search_logs(utempter_t)
+
+-userdom_use_user_terminals(utempter_t)
++userdom_use_inherited_user_terminals(utempter_t)
+ # Allow utemper to write to /tmp/.xses-*
+ userdom_write_user_tmp_files(utempter_t)
+
+@@ -397,19 +420,27 @@ ifdef(`distro_ubuntu',`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(utempter_t)
++ xserver_use_xdm_fds(utempter_t)
++ xserver_rw_xdm_pipes(utempter_t)
++')
++
++tunable_policy(`polyinstantiation_enabled',`
++ files_polyinstantiate_all(polydomain)
+ ')
+
+ optional_policy(`
+- xserver_use_xdm_fds(utempter_t)
+- xserver_rw_xdm_pipes(utempter_t)
++ tunable_policy(`polyinstantiation_enabled',`
++ namespace_init_domtrans(polydomain)
++ ')
+ ')
+
+-#######################################
++######################################
+ #
+ # nsswitch_domain local policy
+ #
+
++auth_read_passwd(nsswitch_domain)
++
+ files_list_var_lib(nsswitch_domain)
+
+ # read /etc/nsswitch.conf
+@@ -426,6 +457,12 @@ tunable_policy(`authlogin_nsswitch_use_ldap',`
+
+ optional_policy(`
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
++ dirsrv_stream_connect(nsswitch_domain)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ ldap_stream_connect(nsswitch_domain)
+ ')
+ ')
+@@ -438,6 +475,7 @@ optional_policy(`
+ likewise_stream_connect_lsassd(nsswitch_domain)
+ ')
+
++# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
+ optional_policy(`
+ kerberos_use(nsswitch_domain)
+ ')
+@@ -447,7 +485,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(nsswitch_domain)
++ nscd_use(nsswitch_domain)
+ ')
+
+ optional_policy(`
+@@ -456,6 +494,7 @@ optional_policy(`
+
+ optional_policy(`
+ sssd_stream_connect(nsswitch_domain)
++ sssd_read_public_files(nsswitch_domain)
+ ')
+
+ optional_policy(`
+@@ -463,3 +502,132 @@ optional_policy(`
+ samba_read_var_files(nsswitch_domain)
+ samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
++
++#######################################
++#
++# Login Program local policy
++#
++
++domain_read_all_domains_state(login_pgm)
++corecmd_getattr_all_executables(login_pgm)
++domain_kill_all_domains(login_pgm)
++
++# pam_keyring
++allow login_pgm self:capability ipc_lock;
++allow login_pgm self:process setkeycreate;
++allow login_pgm self:key manage_key_perms;
++userdom_manage_all_users_keys(login_pgm)
++
++files_list_var_lib(login_pgm)
++manage_dirs_pattern(login_pgm, var_auth_t, var_auth_t)
++manage_files_pattern(login_pgm, var_auth_t, var_auth_t)
++manage_sock_files_pattern(login_pgm, var_auth_t, var_auth_t)
++
++manage_dirs_pattern(login_pgm, auth_cache_t, auth_cache_t)
++manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
++manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
++files_var_filetrans(login_pgm, auth_cache_t, dir)
++
++manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
++manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
++auth_filetrans_admin_home_content(login_pgm)
++auth_filetrans_home_content(login_pgm)
++
++# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
++kernel_search_network_sysctl(login_pgm)
++kernel_rw_afs_state(login_pgm)
++
++tunable_policy(`authlogin_radius',`
++ corenet_udp_bind_all_unreserved_ports(login_pgm)
++')
++
++tunable_policy(`authlogin_yubikey',`
++ corenet_tcp_connect_http_port(login_pgm)
++')
++
++corenet_tcp_connect_pki_ca_port(login_pgm)
++
++# for fingerprint readers
++dev_rw_input_dev(login_pgm)
++dev_rw_generic_usb_dev(login_pgm)
++
++files_read_config_files(login_pgm)
++
++fs_list_auto_mountpoints(login_pgm)
++fs_manage_cgroup_dirs(login_pgm)
++fs_manage_cgroup_files(login_pgm)
++fs_read_ecryptfs_symlinks(login_pgm)
++fs_read_ecryptfs_files(login_pgm)
++
++selinux_validate_context(login_pgm)
++selinux_compute_access_vector(login_pgm)
++selinux_compute_create_context(login_pgm)
++selinux_compute_relabel_context(login_pgm)
++selinux_compute_user_contexts(login_pgm)
++
++auth_manage_faillog(login_pgm)
++auth_manage_pam_pid(login_pgm)
++
++init_rw_utmp(login_pgm)
++
++logging_set_loginuid(login_pgm)
++logging_set_tty_audit(login_pgm)
++
++miscfiles_dontaudit_write_generic_cert_files(login_pgm)
++
++seutil_read_config(login_pgm)
++seutil_read_login_config(login_pgm)
++seutil_read_default_contexts(login_pgm)
++systemd_login_read_pid_files(login_pgm)
++
++userdom_set_rlimitnh(login_pgm)
++userdom_read_user_home_content_symlinks(login_pgm)
++userdom_delete_user_tmp_files(login_pgm)
++userdom_search_admin_dir(login_pgm)
++userdom_stream_connect(login_pgm)
++userdom_manage_user_tmp_dirs(login_pgm)
++userdom_manage_user_tmp_files(login_pgm)
++
++optional_policy(`
++ afs_rw_udp_sockets(login_pgm)
++')
++
++optional_policy(`
++ kerberos_read_config(login_pgm)
++')
++
++optional_policy(`
++ oddjob_dbus_chat(login_pgm)
++ oddjob_domtrans_mkhomedir(login_pgm)
++')
++
++optional_policy(`
++ openct_stream_connect(login_pgm)
++ openct_signull(login_pgm)
++ openct_read_pid_files(login_pgm)
++')
++
++optional_policy(`
++ corecmd_exec_bin(login_pgm)
++ storage_getattr_fixed_disk_dev(login_pgm)
++ mount_domtrans(login_pgm)
++ mount_domtrans_ecryptmount(login_pgm)
++')
++
++optional_policy(`
++ fprintd_dbus_chat(login_pgm)
++')
++
++optional_policy(`
++ realmd_dbus_chat(login_pgm)
++')
++
++optional_policy(`
++ # allow execute tmux
++ screen_exec(login_pgm)
++')
++
++optional_policy(`
++ ssh_agent_exec(login_pgm)
++ ssh_read_user_home_files(login_pgm)
++')
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index c5e05ca..c9ddbee 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -3,3 +3,5 @@
+
+ /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
++/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++
+diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
+index e2f6d93..c78ccc6 100644
+--- a/policy/modules/system/clock.if
++++ b/policy/modules/system/clock.if
+@@ -82,6 +82,25 @@ interface(`clock_dontaudit_write_adjtime',`
+
+ ########################################
+ ##
++## Read clock drift adjustments.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`clock_read_adjtime',`
++ gen_require(`
++ type adjtime_t;
++ ')
++
++ allow $1 adjtime_t:file read_file_perms;
++ files_list_etc($1)
++')
++
++########################################
++##
+ ## Read and write clock drift adjustments.
+ ##
+ ##
+diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
+index b9ed25b..91e25b5 100644
+--- a/policy/modules/system/clock.te
++++ b/policy/modules/system/clock.te
+@@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t)
+
+ term_dontaudit_use_console(hwclock_t)
+ term_use_unallocated_ttys(hwclock_t)
+-term_use_all_ttys(hwclock_t)
+-term_use_all_ptys(hwclock_t)
++term_use_all_inherited_ttys(hwclock_t)
++term_use_all_inherited_ptys(hwclock_t)
+
+ domain_use_interactive_fds(hwclock_t)
+
++auth_use_nsswitch(hwclock_t)
++
+ init_use_fds(hwclock_t)
+ init_use_script_ptys(hwclock_t)
+
+ logging_send_audit_msgs(hwclock_t)
+ logging_send_syslog_msg(hwclock_t)
+
+-miscfiles_read_localization(hwclock_t)
+
+ optional_policy(`
+ apm_append_log(hwclock_t)
+@@ -65,10 +66,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(hwclock_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(hwclock_t)
+ ')
+
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index a97a096..f65892c 100644
+--- a/policy/modules/system/fstools.fc
++++ b/policy/modules/system/fstools.fc
+@@ -1,4 +1,3 @@
+-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -23,7 +22,6 @@
+ /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+-/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -41,7 +39,46 @@
+ /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
++/usr/lib/systemd/systemd-fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++
++/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+ /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
++
++/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_var_run_t,s0)
+diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
+index 016a770..927f4b8 100644
+--- a/policy/modules/system/fstools.if
++++ b/policy/modules/system/fstools.if
+@@ -154,3 +154,23 @@ interface(`fstools_getattr_swap_files',`
+
+ allow $1 swapfile_t:file getattr;
+ ')
++
++########################################
++##
++## Create, read, write, and delete the FSADM pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fsadm_manage_pid',`
++ gen_require(`
++ type fsadm_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, fsadm_var_run_t, fsadm_var_run_t)
++ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
++')
+diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
+index 6c4b6ee..86a90a2 100644
+--- a/policy/modules/system/fstools.te
++++ b/policy/modules/system/fstools.te
+@@ -13,6 +13,9 @@ role system_r types fsadm_t;
+ type fsadm_log_t;
+ logging_log_file(fsadm_log_t)
+
++type fsadm_var_run_t;
++files_pid_file(fsadm_var_run_t)
++
+ type fsadm_tmp_t;
+ files_tmp_file(fsadm_tmp_t)
+
+@@ -41,9 +44,15 @@ allow fsadm_t self:msg { send receive };
+
+ can_exec(fsadm_t, fsadm_exec_t)
+
++manage_dirs_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
++manage_files_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
++files_pid_filetrans(fsadm_t, fsadm_var_run_t, {dir file })
++
+ allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
+ allow fsadm_t fsadm_tmp_t:file manage_file_perms;
+ files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
++files_create_boot_flag(fsadm_t)
++files_setattr_root_dirs(fsadm_t)
+
+ # log files
+ allow fsadm_t fsadm_log_t:dir setattr;
+@@ -101,6 +110,8 @@ files_read_usr_files(fsadm_t)
+ files_read_etc_files(fsadm_t)
+ files_manage_lost_found(fsadm_t)
+ files_manage_isid_type_dirs(fsadm_t)
++# /etc/mtab is a link
++files_read_etc_runtime_files(fsadm_t)
+ # Write to /etc/mtab.
+ files_manage_etc_runtime_files(fsadm_t)
+ files_etc_filetrans_etc_runtime(fsadm_t, file)
+@@ -120,11 +131,16 @@ fs_list_auto_mountpoints(fsadm_t)
+ fs_search_tmpfs(fsadm_t)
+ fs_getattr_tmpfs_dirs(fsadm_t)
+ fs_read_tmpfs_symlinks(fsadm_t)
++fs_manage_nfs_files(fsadm_t)
++fs_manage_cifs_files(fsadm_t)
++fs_rw_hugetlbfs_files(fsadm_t)
+ # Recreate /mnt/cdrom.
+ files_manage_mnt_dirs(fsadm_t)
+ # for tune2fs
+ files_search_all(fsadm_t)
+
++mcs_file_read_all(fsadm_t)
++
+ mls_file_read_all_levels(fsadm_t)
+ mls_file_write_all_levels(fsadm_t)
+
+@@ -133,21 +149,24 @@ storage_raw_write_fixed_disk(fsadm_t)
+ storage_raw_read_removable_device(fsadm_t)
+ storage_raw_write_removable_device(fsadm_t)
+ storage_read_scsi_generic(fsadm_t)
++storage_rw_fuse(fsadm_t)
+ storage_swapon_fixed_disk(fsadm_t)
+
+ term_use_console(fsadm_t)
+
++init_read_state(fsadm_t)
+ init_use_fds(fsadm_t)
+ init_use_script_ptys(fsadm_t)
+ init_dontaudit_getattr_initctl(fsadm_t)
++init_stream_connect(fsadm_t)
+
+ logging_send_syslog_msg(fsadm_t)
++logging_stream_connect_syslog(fsadm_t)
+
+-miscfiles_read_localization(fsadm_t)
+
+ seutil_read_config(fsadm_t)
+
+-userdom_use_user_terminals(fsadm_t)
++term_use_all_inherited_terms(fsadm_t)
+
+ ifdef(`distro_redhat',`
+ optional_policy(`
+@@ -166,6 +185,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ devicekit_dontaudit_read_pid_files(fsadm_t)
++ devicekit_dontaudit_rw_log(fsadm_t)
++')
++
++optional_policy(`
+ hal_dontaudit_write_log(fsadm_t)
+ ')
+
+@@ -179,6 +203,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mount_read_pid_files(fsadm_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(fsadm_t)
+ ')
+
+@@ -192,6 +220,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ virt_read_blk_images(fsadm_t)
++')
++
++optional_policy(`
+ xen_append_log(fsadm_t)
+ xen_rw_image_files(fsadm_t)
+ ')
+diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
+index e1a1848..c0d34e7 100644
+--- a/policy/modules/system/getty.fc
++++ b/policy/modules/system/getty.fc
+@@ -3,6 +3,10 @@
+
+ /sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
+
++/usr/lib/systemd/system/[^/]*getty.* -- gen_context(system_u:object_r:getty_unit_file_t,s0)
++
++/usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
++
+ /var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
+ /var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0)
+
+diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
+index e4376aa..2c98c56 100644
+--- a/policy/modules/system/getty.if
++++ b/policy/modules/system/getty.if
+@@ -96,3 +96,45 @@ interface(`getty_rw_config',`
+ files_search_etc($1)
+ allow $1 getty_etc_t:file rw_file_perms;
+ ')
++
++########################################
++##
++## Execute getty server in the getty domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`getty_systemctl',`
++ gen_require(`
++ type getty_unit_file_t;
++ type getty_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 getty_unit_file_t:file read_file_perms;
++ allow $1 getty_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, getty_t)
++')
++
++########################################
++##
++## Start getty unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`getty_start_services',`
++ gen_require(`
++ type getty_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 getty_unit_file_t:service start;
++')
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index fd100fc..3e61328 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t)
+ type getty_var_run_t;
+ files_pid_file(getty_var_run_t)
+
++type getty_unit_file_t;
++systemd_unit_file(getty_unit_file_t)
++
+ ########################################
+ #
+ # Getty local policy
+@@ -83,8 +86,11 @@ term_use_unallocated_ttys(getty_t)
+ term_setattr_all_ttys(getty_t)
+ term_setattr_unallocated_ttys(getty_t)
+ term_setattr_console(getty_t)
++term_setattr_usb_ttys(getty_t)
++term_use_console(getty_t)
+
+ auth_rw_login_records(getty_t)
++auth_use_nsswitch(getty_t)
+
+ init_rw_utmp(getty_t)
+ init_use_script_ptys(getty_t)
+@@ -94,7 +100,6 @@ locallogin_domtrans(getty_t)
+
+ logging_send_syslog_msg(getty_t)
+
+-miscfiles_read_localization(getty_t)
+
+ ifdef(`distro_gentoo',`
+ # Gentoo default /etc/issue makes agetty
+@@ -113,7 +118,7 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+
+-tunable_policy(`console_login',`
++tunable_policy(`login_console_enabled',`
+ # Support logging in from /dev/console
+ term_use_console(getty_t)
+ ',`
+@@ -125,10 +130,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(getty_t)
+-')
+-
+-optional_policy(`
+ ppp_domtrans(getty_t)
+ ')
+
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 9dfecf7..6d00f5c 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1,2 +1,4 @@
+
+ /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
++
++/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
+diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
+index f6cbda9..8c37105 100644
+--- a/policy/modules/system/hostname.te
++++ b/policy/modules/system/hostname.te
+@@ -23,39 +23,47 @@ dontaudit hostname_t self:capability sys_tty_config;
+
+ kernel_list_proc(hostname_t)
+ kernel_read_proc_symlinks(hostname_t)
++kernel_read_network_state(hostname_t)
+
+ dev_read_sysfs(hostname_t)
+ # Early devtmpfs, before udev relabel
+ dev_dontaudit_rw_generic_chr_files(hostname_t)
+
++domain_dontaudit_leaks(hostname_t)
+ domain_use_interactive_fds(hostname_t)
+
+ files_read_etc_files(hostname_t)
++files_dontaudit_leaks(hostname_t)
+ files_dontaudit_search_var(hostname_t)
+ # for when /usr is not mounted:
+ files_dontaudit_search_isid_type_dirs(hostname_t)
+
+ fs_getattr_xattr_fs(hostname_t)
+ fs_search_auto_mountpoints(hostname_t)
++fs_dontaudit_leaks(hostname_t)
+ fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
+
+ term_dontaudit_use_console(hostname_t)
+-term_use_all_ttys(hostname_t)
+-term_use_all_ptys(hostname_t)
++term_use_all_inherited_ttys(hostname_t)
++term_use_all_inherited_ptys(hostname_t)
+
+ init_use_fds(hostname_t)
+ init_use_script_fds(hostname_t)
+ init_use_script_ptys(hostname_t)
++init_rw_inherited_script_tmp_files(hostname_t)
+
+ logging_send_syslog_msg(hostname_t)
+
+-miscfiles_read_localization(hostname_t)
+
+ sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
+ sysnet_read_config(hostname_t)
+ sysnet_dns_name_resolve(hostname_t)
+
+ optional_policy(`
++ mock_dontaudit_write_lib_chr_files(hostname_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(hostname_t)
+ ')
+
+diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc
+index caf736b..91c4c6f 100644
+--- a/policy/modules/system/hotplug.fc
++++ b/policy/modules/system/hotplug.fc
+@@ -7,5 +7,8 @@
+ /sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0)
+ /sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0)
+
++/usr/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0)
++/usr/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0)
++
+ /var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
+ /var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
+diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
+index 40eb10c..2a0a32c 100644
+--- a/policy/modules/system/hotplug.if
++++ b/policy/modules/system/hotplug.if
+@@ -34,7 +34,7 @@ interface(`hotplug_domtrans',`
+ #
+ interface(`hotplug_exec',`
+ gen_require(`
+- type hotplug_t;
++ type hotplug_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
+index b2e41cc..6a37dca 100644
+--- a/policy/modules/system/hotplug.te
++++ b/policy/modules/system/hotplug.te
+@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
+ #
+
+ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
+-dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
++dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit hotplug_t self:capability { dac_override dac_read_search };
+ allow hotplug_t self:process { setpgid getsession getattr signal_perms };
+@@ -52,7 +52,6 @@ kernel_rw_net_sysctls(hotplug_t)
+
+ files_read_kernel_modules(hotplug_t)
+
+-corenet_all_recvfrom_unlabeled(hotplug_t)
+ corenet_all_recvfrom_netlabel(hotplug_t)
+ corenet_tcp_sendrecv_generic_if(hotplug_t)
+ corenet_udp_sendrecv_generic_if(hotplug_t)
+@@ -96,6 +95,8 @@ init_domtrans_script(hotplug_t)
+ # kernel threads inherit from shared descriptor table used by init
+ init_dontaudit_rw_initctl(hotplug_t)
+
++auth_use_nsswitch(hotplug_t)
++
+ logging_send_syslog_msg(hotplug_t)
+ logging_search_logs(hotplug_t)
+
+@@ -103,9 +104,6 @@ logging_search_logs(hotplug_t)
+ libs_read_lib_files(hotplug_t)
+
+ miscfiles_read_hwdata(hotplug_t)
+-miscfiles_read_localization(hotplug_t)
+-
+-seutil_dontaudit_search_config(hotplug_t)
+
+ sysnet_read_config(hotplug_t)
+
+@@ -164,14 +162,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(hotplug_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(hotplug_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(hotplug_t)
+ ')
+
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index d2e40b8..3ba2e4c 100644
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -2,6 +2,7 @@
+ # /etc
+ #
+ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/etc/machine-id -- gen_context(system_u:object_r:machineid_t,s0)
+
+ /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
+@@ -31,6 +32,11 @@ ifdef(`distro_gentoo', `
+ #
+ # /sbin
+ #
++/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
++
++#
++# /sbin
++#
+ /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+@@ -48,11 +54,23 @@ ifdef(`distro_gentoo', `
+ #
+ /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
++/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
++# because nowadays, /sbin/init is often a symlink to /sbin/upstart
++/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
++
++/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
++/usr/lib/systemd/fedora[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
++
+ /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+ /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
++
++/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+ #
+ # /var
+@@ -61,6 +79,7 @@ ifdef(`distro_gentoo', `
+ /var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
++/var/run/systemd/machine-id -- gen_context(system_u:object_r:machineid_t,s0)
+
+ ifdef(`distro_debian',`
+ /var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+@@ -79,3 +98,4 @@ ifdef(`distro_suse', `
+ /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
+ ')
++/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index d26fe81..95c1bd8 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -106,6 +106,8 @@ interface(`init_domain',`
+ role system_r types $1;
+
+ domtrans_pattern(init_t, $2, $1)
++ allow init_t $1:unix_stream_socket create_stream_socket_perms;
++ allow $1 init_t:unix_dgram_socket sendto;
+
+ ifdef(`hide_broken_symptoms',`
+ # RHEL4 systems seem to have a stray
+@@ -192,50 +194,43 @@ interface(`init_ranged_domain',`
+ interface(`init_daemon_domain',`
+ gen_require(`
+ attribute direct_run_init, direct_init, direct_init_entry;
+- type initrc_t;
++ type init_t;
+ role system_r;
+ attribute daemon;
++ attribute initrc_transition_domain;
++ attribute initrc_domain;
+ ')
+
+ typeattribute $1 daemon;
++ typeattribute $2 direct_init_entry;
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+- role system_r types $1;
+-
+- domtrans_pattern(initrc_t, $2, $1)
+-
+- # daemons started from init will
+- # inherit fds from init for the console
+- init_dontaudit_use_fds($1)
+- term_dontaudit_use_console($1)
+-
+- # init script ptys are the stdin/out/err
+- # when using run_init
+- init_use_script_ptys($1)
++ type_transition initrc_domain $2:process $1;
+
+ ifdef(`direct_sysadm_daemon',`
+- domtrans_pattern(direct_run_init, $2, $1)
+- allow direct_run_init $1:process { noatsecure siginh rlimitinh };
+-
++ type_transition direct_run_init $2:process $1;
+ typeattribute $1 direct_init;
+- typeattribute $2 direct_init_entry;
+-
+- userdom_dontaudit_use_user_terminals($1)
+ ')
++')
+
+- ifdef(`hide_broken_symptoms',`
+- # RHEL4 systems seem to have a stray
+- # fds open from the initrd
+- ifdef(`distro_rhel4',`
+- kernel_dontaudit_use_fds($1)
+- ')
+- ')
++#######################################
++##
++## Create initrc domain.
++##
++##
++##
++## Type to be used as a initrc daemon domain.
++##
++##
++#
++interface(`init_initrc_domain',`
++ gen_require(`
++ attribute initrc_domain;
++ ')
+
+- optional_policy(`
+- nscd_socket_use($1)
+- ')
++ typeattribute $1 initrc_domain;
+ ')
+
+ ########################################
+@@ -283,17 +278,20 @@ interface(`init_daemon_domain',`
+ interface(`init_ranged_daemon_domain',`
+ gen_require(`
+ type initrc_t;
++ type init_t;
+ ')
+
+- init_daemon_domain($1, $2)
++# init_daemon_domain($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition initrc_t $2:process $3;
++ range_transition init_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition initrc_t $2:process $3;
+ mls_rangetrans_target($1)
++ range_transition init_t $2:process $3;
+ ')
+ ')
+
+@@ -336,23 +334,19 @@ interface(`init_ranged_daemon_domain',`
+ #
+ interface(`init_system_domain',`
+ gen_require(`
+- type initrc_t;
++ type init_t;
+ role system_r;
++ attribute initrc_transition_domain;
++ attribute systemprocess, systemprocess_entry;
++ attribute initrc_domain;
+ ')
+
++ typeattribute $1 systemprocess;
+ application_domain($1, $2)
+-
+ role system_r types $1;
++ typeattribute $2 systemprocess_entry;
+
+- domtrans_pattern(initrc_t, $2, $1)
+-
+- ifdef(`hide_broken_symptoms',`
+- # RHEL4 systems seem to have a stray
+- # fds open from the initrd
+- ifdef(`distro_rhel4',`
+- kernel_dontaudit_use_fds($1)
+- ')
+- ')
++ type_transition initrc_domain $2:process $1;
+ ')
+
+ ########################################
+@@ -401,20 +395,41 @@ interface(`init_system_domain',`
+ interface(`init_ranged_system_domain',`
+ gen_require(`
+ type initrc_t;
++ type init_t;
+ ')
+
+ init_system_domain($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition initrc_t $2:process $3;
++ range_transition init_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition initrc_t $2:process $3;
++ range_transition init_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
+ ')
+
++######################################
++##
++## Allow domain dyntransition to init_t domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`init_dyntrans',`
++ gen_require(`
++ type init_t;
++ ')
++
++ dyntrans_pattern($1, init_t)
++')
++
+ ########################################
+ ##
+ ## Execute init (/sbin/init) with a domain transition.
+@@ -442,7 +457,6 @@ interface(`init_domtrans',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`init_exec',`
+ gen_require(`
+@@ -451,6 +465,48 @@ interface(`init_exec',`
+
+ corecmd_search_bin($1)
+ can_exec($1, init_exec_t)
++
++ optional_policy(`
++ systemd_exec_systemctl($1)
++ ')
++')
++
++#######################################
++##
++## Check access to the init/systemd executable.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_access_check',`
++ gen_require(`
++ type init_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 init_exec_t:file { getattr_file_perms execute };
++')
++
++#######################################
++##
++## Dontaudit getattr on the init program.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`init_dontaudit_getattr_exec',`
++ gen_require(`
++ type init_exec_t;
++ ')
++
++ dontaudit $1 init_exec_t:file getattr;
+ ')
+
+ ########################################
+@@ -539,6 +595,24 @@ interface(`init_sigchld',`
+
+ ########################################
+ ##
++## Send generic signals to init.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_signal',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:process signal;
++')
++
++########################################
++##
+ ## Connect to init with a unix socket.
+ ##
+ ##
+@@ -549,10 +623,66 @@ interface(`init_sigchld',`
+ #
+ interface(`init_stream_connect',`
+ gen_require(`
+- type init_t;
++ type init_t, init_var_run_t;
+ ')
+
+- allow $1 init_t:unix_stream_socket connectto;
++ files_search_pids($1)
++ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
++ allow $1 init_t:unix_stream_socket getattr;
++')
++
++#######################################
++##
++## Dontaudit Connect to init with a unix socket.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`init_dontaudit_stream_connect',`
++ gen_require(`
++ type init_t;
++ ')
++
++ dontaudit $1 init_t:unix_stream_socket connectto;
++')
++
++######################################
++##
++## Dontaudit getattr to init with a unix socket.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`init_dontaudit_getattr_stream_socket',`
++ gen_require(`
++ type init_t;
++ ')
++
++ dontaudit $1 init_t:unix_stream_socket getattr;
++')
++
++######################################
++##
++## Dontaudit read and write to init with a unix socket.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`init_dontaudit_rw_stream_socket',`
++ gen_require(`
++ type init_t;
++ ')
++
++ dontaudit $1 init_t:unix_stream_socket { getattr read write };
+ ')
+
+ ########################################
+@@ -716,22 +846,23 @@ interface(`init_write_initctl',`
+ interface(`init_telinit',`
+ gen_require(`
+ type initctl_t;
++ type init_t;
+ ')
+
++ corecmd_exec_bin($1)
++
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file rw_fifo_file_perms;
+
+ init_exec($1)
+
+- tunable_policy(`init_upstart',`
+- gen_require(`
+- type init_t;
+- ')
+-
+- # upstart uses a datagram socket instead of initctl pipe
+- allow $1 self:unix_dgram_socket create_socket_perms;
+- allow $1 init_t:unix_dgram_socket sendto;
+- ')
++ ps_process_pattern($1, init_t)
++ allow $1 init_t:process signal;
++ # upstart uses a datagram socket instead of initctl pipe
++ allow $1 self:unix_dgram_socket create_socket_perms;
++ allow $1 init_t:unix_dgram_socket sendto;
++ #576913
++ allow $1 init_t:unix_stream_socket connectto;
+ ')
+
+ ########################################
+@@ -760,7 +891,7 @@ interface(`init_rw_initctl',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -803,11 +934,12 @@ interface(`init_script_file_entry_type',`
+ #
+ interface(`init_spec_domtrans_script',`
+ gen_require(`
+- type initrc_t, initrc_exec_t;
++ type initrc_t;
++ attribute init_script_file_type;
+ ')
+
+ files_list_etc($1)
+- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
++ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
+
+ ifdef(`distro_gentoo',`
+ gen_require(`
+@@ -818,11 +950,11 @@ interface(`init_spec_domtrans_script',`
+ ')
+
+ ifdef(`enable_mcs',`
+- range_transition $1 initrc_exec_t:process s0;
++ range_transition $1 init_script_file_type:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+ ')
+ ')
+
+@@ -838,19 +970,41 @@ interface(`init_spec_domtrans_script',`
+ #
+ interface(`init_domtrans_script',`
+ gen_require(`
+- type initrc_t, initrc_exec_t;
++ type initrc_t;
++ attribute init_script_file_type;
++ attribute initrc_transition_domain;
+ ')
++ typeattribute $1 initrc_transition_domain;
+
+ files_list_etc($1)
+- domtrans_pattern($1, initrc_exec_t, initrc_t)
++ domtrans_pattern($1, init_script_file_type, initrc_t)
+
+ ifdef(`enable_mcs',`
+- range_transition $1 initrc_exec_t:process s0;
++ range_transition $1 init_script_file_type:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
++ ')
++')
++
++########################################
++##
++## Execute a file in a bin directory
++## in the initrc_t domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_bin_domtrans_spec',`
++ gen_require(`
++ type initrc_t;
+ ')
++
++ corecmd_bin_domtrans($1, initrc_t)
+ ')
+
+ ########################################
+@@ -906,9 +1060,14 @@ interface(`init_script_file_domtrans',`
+ interface(`init_labeled_script_domtrans',`
+ gen_require(`
+ type initrc_t;
++ attribute initrc_transition_domain;
+ ')
+
++ typeattribute $1 initrc_transition_domain;
++ # service script searches all filesystems via mountpoint
++ fs_search_all($1)
+ domtrans_pattern($1, $2, initrc_t)
++ allow $1 $2:file ioctl;
+ files_search_etc($1)
+ ')
+
+@@ -999,7 +1158,9 @@ interface(`init_ptrace',`
+ type init_t;
+ ')
+
+- allow $1 init_t:process ptrace;
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 init_t:process ptrace;
++ ')
+ ')
+
+ ########################################
+@@ -1098,6 +1259,25 @@ interface(`init_getattr_all_script_files',`
+
+ ########################################
+ ##
++## Allow the specified domain to modify the systemd configuration of
++## all init scripts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_config_all_script_files',`
++ gen_require(`
++ attribute init_script_file_type;
++ ')
++
++ allow $1 init_script_file_type:service all_service_perms;
++')
++
++########################################
++##
+ ## Read all init script files.
+ ##
+ ##
+@@ -1117,6 +1297,24 @@ interface(`init_read_all_script_files',`
+
+ #######################################
+ ##
++## Dontaudit getattr all init script files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`init_dontaudit_getattr_all_script_files',`
++ gen_require(`
++ attribute init_script_file_type;
++ ')
++
++ dontaudit $1 init_script_file_type:file getattr;
++')
++
++#######################################
++##
+ ## Dontaudit read all init script files.
+ ##
+ ##
+@@ -1168,12 +1366,7 @@ interface(`init_read_script_state',`
+ ')
+
+ kernel_search_proc($1)
+- read_files_pattern($1, initrc_t, initrc_t)
+- read_lnk_files_pattern($1, initrc_t, initrc_t)
+- list_dirs_pattern($1, initrc_t, initrc_t)
+-
+- # should move this to separate interface
+- allow $1 initrc_t:process getattr;
++ ps_process_pattern($1, initrc_t)
+ ')
+
+ ########################################
+@@ -1413,6 +1606,27 @@ interface(`init_dbus_send_script',`
+ ########################################
+ ##
+ ## Send and receive messages from
++## init over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_dbus_chat',`
++ gen_require(`
++ type init_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 init_t:dbus send_msg;
++ allow init_t $1:dbus send_msg;
++')
++
++########################################
++##
++## Send and receive messages from
+ ## init scripts over dbus.
+ ##
+ ##
+@@ -1499,6 +1713,25 @@ interface(`init_getattr_script_status_files',`
+
+ ########################################
+ ##
++## Manage init script
++## status files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_manage_script_status_files',`
++ gen_require(`
++ type initrc_state_t;
++ ')
++
++ manage_files_pattern($1, initrc_state_t, initrc_state_t)
++')
++
++########################################
++##
+ ## Do not audit attempts to read init script
+ ## status files.
+ ##
+@@ -1557,6 +1790,24 @@ interface(`init_rw_script_tmp_files',`
+
+ ########################################
+ ##
++## Read and write init script inherited temporary data.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_rw_inherited_script_tmp_files',`
++ gen_require(`
++ type initrc_tmp_t;
++ ')
++
++ allow $1 initrc_tmp_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Create files in a init script
+ ## temporary data directory.
+ ##
+@@ -1629,6 +1880,43 @@ interface(`init_read_utmp',`
+
+ ########################################
+ ##
++## Read utmp.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_read_machineid',`
++ gen_require(`
++ type machineid_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 machineid_t:file read_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read utmp.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`init_dontaudit_read_utmp',`
++ gen_require(`
++ type initrc_var_run_t;
++ ')
++
++ dontaudit $1 initrc_var_run_t:file read_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to write utmp.
+ ##
+ ##
+@@ -1717,7 +2005,7 @@ interface(`init_dontaudit_rw_utmp',`
+ type initrc_var_run_t;
+ ')
+
+- dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
++ dontaudit $1 initrc_var_run_t:file rw_file_perms;
+ ')
+
+ ########################################
+@@ -1758,7 +2046,134 @@ interface(`init_pid_filetrans_utmp',`
+ files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
+ ')
+
+-########################################
++######################################
++##
++## Allow search directory in the /run/systemd directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_search_pid_dirs',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ allow $1 init_var_run_t:dir search_dir_perms;
++')
++
++######################################
++##
++## Allow listing of the /run/systemd directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_list_pid_dirs',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ allow $1 init_var_run_t:dir list_dir_perms;
++')
++
++#######################################
++##
++## Create a directory in the /run/systemd directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_create_pid_dirs',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ allow $1 init_var_run_t:dir list_dir_perms;
++ create_dirs_pattern($1, init_var_run_t, init_var_run_t)
++')
++
++#######################################
++##
++## Create objects in /run/systemd directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`init_pid_filetrans',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ files_search_pids($1)
++ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
++')
++
++#######################################
++##
++## Create objects in /run/systemd directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`init_named_pid_filetrans',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ files_search_pids($1)
++ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
++')
++
++########################################
+ ##
+ ## Allow the specified domain to connect to daemon with a tcp socket
+ ##
+@@ -1792,3 +2207,283 @@ interface(`init_udp_recvfrom_all_daemons',`
+ ')
+ corenet_udp_recvfrom_labeled($1, daemon)
+ ')
++
++########################################
++##
++## Transition to system_r when execute an init script
++##
++##
++##
++## Execute a init script in a specified role
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++##
++##
++## Role to transition from.
++##
++##
++#
++interface(`init_script_role_transition',`
++ gen_require(`
++ attribute init_script_file_type;
++ ')
++
++ role_transition $1 init_script_file_type system_r;
++')
++
++########################################
++##
++## dontaudit read and write an leaked init scrip file descriptors
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`init_dontaudit_script_leaks',`
++ gen_require(`
++ type initrc_t;
++ ')
++
++ dontaudit $1 initrc_t:socket_class_set { read write };
++ dontaudit $1 initrc_t:shm rw_shm_perms;
++ init_dontaudit_use_script_ptys($1)
++ init_dontaudit_use_script_fds($1)
++')
++
++#######################################
++##
++## Allow the specified domain to ioctl an
++## init with a unix domain stream sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_ioctl_stream_sockets',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:unix_stream_socket ioctl;
++')
++
++########################################
++##
++## Allow the specified domain to read/write to
++## init with a unix domain stream sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_rw_stream_sockets',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
++')
++
++#######################################
++##
++## Allow the specified domain to write to
++## init sock file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_write_pid_socket',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ allow $1 init_var_run_t:sock_file write;
++')
++
++########################################
++##
++## Send a message to init over a unix domain
++## datagram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_dgram_send',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:unix_dgram_socket sendto;
++')
++
++########################################
++##
++## Send a message to init over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_stream_send',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:unix_stream_socket sendto;
++')
++
++########################################
++##
++## Create a file type used for init socket files.
++##
++##
++##
++## This defines a type that init can create sock_file within for
++## impersonation purposes
++##
++##
++##
++##
++## Type to be used for a sock file.
++##
++##
++##
++#
++interface(`init_sock_file',`
++ gen_require(`
++ attribute init_sock_file_type;
++ ')
++
++ typeattribute $1 init_sock_file_type;
++
++')
++
++########################################
++##
++## Read init unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_read_pipes',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
++')
++
++########################################
++##
++## Read/Write init unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_rw_pipes',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ rw_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
++')
++
++########################################
++##
++## Get the system status information from init
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_status',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system status;
++')
++
++########################################
++##
++## Tell init to reboot the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_reboot',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system reboot;
++ systemd_config_power_services($1)
++')
++
++########################################
++##
++## Tell init to halt the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_halt',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system halt;
++ systemd_config_power_services($1)
++')
++
++########################################
++##
++## Tell init to do an unknown access.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_undefined',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system undefined;
++')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 4a88fa1..c57afad 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -11,10 +11,24 @@ gen_require(`
+
+ ##
+ ##
+-## Enable support for upstart as the init program.
++## Allow all daemons to use tcp wrappers.
+ ##
+ ##
+-gen_tunable(init_upstart, false)
++gen_tunable(daemons_use_tcp_wrapper, false)
++
++##
++##
++## Allow all daemons the ability to read/write terminals
++##
++##
++gen_tunable(daemons_use_tty, false)
++
++##
++##
++## Allow all daemons to write corefiles to /
++##
++##
++gen_tunable(daemons_dump_core, false)
+
+ # used for direct running of init scripts
+ # by admin domains
+@@ -25,19 +39,28 @@ attribute direct_init_entry;
+ attribute init_script_domain_type;
+ attribute init_script_file_type;
+ attribute init_run_all_scripts_domain;
++attribute initrc_transition_domain;
++# Attribute used for systemd so domains can allow systemd to create sock_files
++attribute init_sock_file_type;
+
+ # Mark process types as daemons
+ attribute daemon;
++attribute systemprocess;
++attribute systemprocess_entry;
++
++# Mark process types as initrc domain
++attribute initrc_domain;
+
+ #
+ # init_t is the domain of the init process.
+ #
+-type init_t;
++type init_t, initrc_transition_domain;
+ type init_exec_t;
+ domain_type(init_t)
+ domain_entry_file(init_t, init_exec_t)
+ kernel_domtrans_to(init_t, init_exec_t)
+ role system_r types init_t;
++init_initrc_domain(init_t)
+
+ #
+ # init_var_run_t is the type for /var/run/shutdown.pid.
+@@ -46,6 +69,15 @@ type init_var_run_t;
+ files_pid_file(init_var_run_t)
+
+ #
++# init_var_lib_t is the type for /var/lib/random-seed
++#
++type init_var_lib_t;
++files_pid_file(init_var_lib_t)
++
++type machineid_t;
++files_config_file(machineid_t)
++
++#
+ # initctl_t is the type of the named pipe created
+ # by init during initialization. This pipe is used
+ # to communicate with init.
+@@ -54,7 +86,7 @@ type initctl_t;
+ files_type(initctl_t)
+ mls_trusted_object(initctl_t)
+
+-type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
++type initrc_t, initrc_domain, init_script_domain_type, init_run_all_scripts_domain;
+ type initrc_exec_t, init_script_file_type;
+ domain_type(initrc_t)
+ domain_entry_file(initrc_t, initrc_exec_t)
+@@ -63,6 +95,8 @@ role system_r types initrc_t;
+ # of the below init_upstart tunable
+ # but this has a typeattribute in it
+ corecmd_shell_entry_type(initrc_t)
++corecmd_bin_entry_type(initrc_t)
++corecmd_bin_domtrans(init_t, initrc_t)
+
+ type initrc_devpts_t;
+ term_pty(initrc_devpts_t)
+@@ -95,7 +129,8 @@ ifdef(`enable_mls',`
+ #
+
+ # Use capabilities. old rule:
+-allow init_t self:capability ~sys_module;
++allow init_t self:capability ~{ audit_control audit_write sys_module };
++allow init_t self:capability2 ~{ mac_admin mac_override };
+ # is ~sys_module really needed? observed:
+ # sys_boot
+ # sys_tty_config
+@@ -107,12 +142,32 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+
+ # Re-exec itself
+ can_exec(init_t, init_exec_t)
+-
+-allow init_t initrc_t:unix_stream_socket connectto;
+-
+-# For /var/run/shutdown.pid.
+-allow init_t init_var_run_t:file manage_file_perms;
+-files_pid_filetrans(init_t, init_var_run_t, file)
++# executing content in /run/initramfs
++manage_files_pattern(init_t, initrc_state_t, initrc_state_t)
++can_exec(init_t, initrc_state_t)
++
++allow init_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms };
++allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
++allow initrc_t init_t:fifo_file rw_fifo_file_perms;
++
++manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t)
++manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
++manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
++manage_sock_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
++files_var_lib_filetrans(init_t, init_var_lib_t, { dir file })
++
++manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
++manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
++manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
++manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
++files_pid_filetrans(init_t, init_var_run_t, { dir file })
++allow init_t init_var_run_t:dir mounton;
++allow init_t init_var_run_t:sock_file relabelto;
++
++allow init_t machineid_t:file manage_file_perms;
++files_pid_filetrans(init_t, machineid_t, file, "machine-id")
++files_etc_filetrans(init_t, machineid_t, file, "machine-id")
++allow init_t machineid_t:file mounton;
+
+ allow init_t initctl_t:fifo_file manage_fifo_file_perms;
+ dev_filetrans(init_t, initctl_t, fifo_file)
+@@ -122,28 +177,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+
+ kernel_read_system_state(init_t)
+ kernel_share_state(init_t)
++kernel_stream_connect(init_t)
+
+ corecmd_exec_chroot(init_t)
+ corecmd_exec_bin(init_t)
+
+-dev_read_sysfs(init_t)
++dev_rw_sysfs(init_t)
++dev_read_urand(init_t)
+ # Early devtmpfs
+ dev_rw_generic_chr_files(init_t)
++dev_filetrans_all_named_dev(init_t)
+
+ domain_getpgid_all_domains(init_t)
+ domain_kill_all_domains(init_t)
+ domain_signal_all_domains(init_t)
+ domain_signull_all_domains(init_t)
+ domain_sigstop_all_domains(init_t)
++domain_sigstop_all_domains(init_t)
+ domain_sigchld_all_domains(init_t)
++domain_read_all_domains_state(init_t)
+
+ files_read_etc_files(init_t)
++files_read_all_pids(init_t)
++files_read_system_conf_files(init_t)
+ files_rw_generic_pids(init_t)
+ files_dontaudit_search_isid_type_dirs(init_t)
++files_read_etc_runtime_files(init_t)
+ files_manage_etc_runtime_files(init_t)
++files_manage_etc_symlinks(init_t)
+ files_etc_filetrans_etc_runtime(init_t, file)
+ # Run /etc/X11/prefdm:
+ files_exec_etc_files(init_t)
++files_read_usr_files(init_t)
+ # file descriptors inherited from the rootfs:
+ files_dontaudit_rw_root_files(init_t)
+ files_dontaudit_rw_root_chr_files(init_t)
+@@ -152,6 +217,8 @@ fs_list_inotifyfs(init_t)
+ # cjp: this may be related to /dev/log
+ fs_write_ramfs_sockets(init_t)
+
++mcs_file_read_all(init_t)
++mcs_file_write_all(init_t)
+ mcs_process_set_categories(init_t)
+ mcs_killall(init_t)
+
+@@ -159,22 +226,41 @@ mls_file_read_all_levels(init_t)
+ mls_file_write_all_levels(init_t)
+ mls_process_write_down(init_t)
+ mls_fd_use_all_levels(init_t)
++mls_socket_read_all_levels(init_t)
++mls_socket_write_all_levels(init_t)
++
++mls_rangetrans_source(init_t)
++mls_rangetrans_source(initrc_t)
+
+ selinux_set_all_booleans(init_t)
++selinux_load_policy(init_t)
++selinux_mounton_fs(init_t)
++allow init_t security_t:security load_policy;
+
+-term_use_all_terms(init_t)
++term_use_unallocated_ttys(init_t)
++term_use_console(init_t)
++term_use_all_inherited_terms(init_t)
+
+ # Run init scripts.
+ init_domtrans_script(init_t)
+
+ libs_rw_ld_so_cache(init_t)
+
++logging_create_devlog_dev(init_t)
+ logging_send_syslog_msg(init_t)
++logging_send_audit_msgs(init_t)
+ logging_rw_generic_logs(init_t)
++logging_relabel_devlog_dev(init_t)
+
+ seutil_read_config(init_t)
++seutil_read_module_store(init_t)
++
++miscfiles_manage_localization(init_t)
++miscfiles_filetrans_named_content(init_t)
++
++userdom_use_user_ttys(init_t)
+
+-miscfiles_read_localization(init_t)
++allow init_t self:process setsched;
+
+ ifdef(`distro_gentoo',`
+ allow init_t self:process { getcap setcap };
+@@ -183,29 +269,177 @@ ifdef(`distro_gentoo',`
+ ')
+
+ ifdef(`distro_redhat',`
++ fs_manage_tmpfs_files(init_t)
++ fs_manage_tmpfs_sockets(init_t)
++ fs_exec_tmpfs_files(init_t)
+ fs_read_tmpfs_symlinks(init_t)
+ fs_rw_tmpfs_chr_files(init_t)
+ fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
++ fs_tmpfs_filetrans_named_content(init_t)
++
++ logging_stream_connect_syslog(init_t)
++ logging_relabel_syslog_pid_socket(init_t)
+ ')
+
+-tunable_policy(`init_upstart',`
+- corecmd_shell_domtrans(init_t, initrc_t)
+-',`
+- # Run the shell in the sysadm role for single-user mode.
+- # causes problems with upstart
+- sysadm_shell_domtrans(init_t)
++corecmd_shell_domtrans(init_t, initrc_t)
++
++storage_raw_rw_fixed_disk(init_t)
++
++optional_policy(`
++ gnome_filetrans_home_content(init_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(init_t)
++ modutils_list_module_config(init_t)
++')
++
++optional_policy(`
++ postfix_exec(init_t)
++ postfix_list_spool(init_t)
++ mta_read_aliases(init_t)
++')
++
++allow init_t self:system all_system_perms;
++allow init_t self:unix_dgram_socket { create_socket_perms sendto };
++allow init_t self:process { setsockcreate setfscreate setrlimit };
++allow init_t self:process { getcap setcap };
++allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow init_t self:netlink_selinux_socket create_socket_perms;
++# Until systemd is fixed
++allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
++allow init_t self:udp_socket create_socket_perms;
++allow init_t self:netlink_route_socket create_netlink_socket_perms;
++
++allow init_t initrc_t:unix_dgram_socket create_socket_perms;
++
++kernel_list_unlabeled(init_t)
++kernel_read_network_state(init_t)
++kernel_rw_kernel_sysctl(init_t)
++kernel_rw_net_sysctls(init_t)
++kernel_read_all_sysctls(init_t)
++kernel_read_software_raid_state(init_t)
++kernel_unmount_debugfs(init_t)
++kernel_setsched(init_t)
++
++dev_write_kmsg(init_t)
++dev_write_urand(init_t)
++dev_rw_lvm_control(init_t)
++dev_rw_autofs(init_t)
++dev_manage_generic_symlinks(init_t)
++dev_manage_generic_dirs(init_t)
++dev_manage_generic_files(init_t)
++dev_read_generic_chr_files(init_t)
++dev_relabel_generic_dev_dirs(init_t)
++dev_relabel_all_dev_nodes(init_t)
++dev_relabel_all_dev_files(init_t)
++dev_manage_sysfs_dirs(init_t)
++dev_relabel_sysfs_dirs(init_t)
++
++files_search_all(init_t)
++files_mounton_all_mountpoints(init_t)
++files_unmount_all_file_type_fs(init_t)
++files_manage_all_pid_dirs(init_t)
++files_manage_etc_dirs(init_t)
++files_manage_generic_tmp_dirs(init_t)
++files_relabel_all_pid_dirs(init_t)
++files_relabel_all_pid_files(init_t)
++files_create_all_pid_sockets(init_t)
++files_delete_all_pids(init_t)
++files_exec_generic_pid_files(init_t)
++files_create_all_pid_pipes(init_t)
++files_create_all_spool_sockets(init_t)
++files_delete_all_spool_sockets(init_t)
++files_manage_urandom_seed(init_t)
++files_list_locks(init_t)
++files_list_spool(init_t)
++files_list_var(init_t)
++files_list_boot(init_t)
++files_list_home(init_t)
++files_create_lock_dirs(init_t)
++files_relabel_all_lock_dirs(init_t)
++files_read_kernel_modules(init_t)
++fs_getattr_all_fs(init_t)
++fs_manage_cgroup_dirs(init_t)
++fs_manage_cgroup_files(init_t)
++fs_manage_hugetlbfs_dirs(init_t)
++fs_manage_tmpfs_dirs(init_t)
++fs_relabel_tmpfs_dirs(init_t)
++fs_relabel_tmpfs_files(init_t)
++fs_relabel_tmpfs_fifo_files(init_t)
++fs_mount_all_fs(init_t)
++fs_unmount_all_fs(init_t)
++fs_remount_all_fs(init_t)
++fs_list_auto_mountpoints(init_t)
++fs_register_binary_executable_type(init_t)
++fs_relabel_tmpfs_sock_file(init_t)
++fs_rw_tmpfs_files(init_t)
++fs_relabel_cgroup_dirs(init_t)
++fs_search_cgroup_dirs(init_t)
++selinux_compute_access_vector(init_t)
++selinux_compute_create_context(init_t)
++selinux_validate_context(init_t)
++selinux_unmount_fs(init_t)
++
++storage_getattr_removable_dev(init_t)
++
++term_relabel_ptys_dirs(init_t)
++
++auth_relabel_login_records(init_t)
++auth_relabel_pam_console_data_dirs(init_t)
++
++clock_read_adjtime(init_t)
++
++init_read_script_state(init_t)
++
++modutils_read_module_config(init_t)
++
++seutil_read_file_contexts(init_t)
++
++systemd_exec_systemctl(init_t)
++systemd_manage_unit_dirs(init_t)
++systemd_manage_random_seed(init_t)
++systemd_manage_all_unit_files(init_t)
++systemd_logger_stream_connect(init_t)
++systemd_config_all_services(init_t)
++systemd_relabelto_fifo_file_passwd_run(init_t)
++systemd_relabel_unit_dirs(init_t)
++systemd_relabel_unit_files(init_t)
++systemd_config_all_services(initrc_t)
++systemd_read_unit_files(initrc_t)
++
++create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
++
++auth_use_nsswitch(init_t)
++auth_rw_login_records(init_t)
++
++optional_policy(`
++ lvm_rw_pipes(init_t)
++ lvm_read_config(init_t)
+ ')
+
+ optional_policy(`
+- auth_rw_login_records(init_t)
++ consolekit_manage_log(init_t)
+ ')
+
+ optional_policy(`
++ dbus_connect_system_bus(init_t)
+ dbus_system_bus_client(init_t)
++ dbus_delete_pid_files(init_t)
+ ')
+
+ optional_policy(`
+- nscd_socket_use(init_t)
++ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
++ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
++ # the directory. But we do not want to allow this.
++ # The master process of dovecot will manage this file.
++ dovecot_dontaudit_unlink_lib_files(initrc_t)
++')
++
++optional_policy(`
++ plymouthd_stream_connect(init_t)
++ plymouthd_exec_plymouth(init_t)
+ ')
+
+ optional_policy(`
+@@ -213,6 +447,27 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rpcbind_filetrans_named_content(init_t)
++ rpcbind_relabel_sock_file(init_t)
++')
++
++optional_policy(`
++ systemd_filetrans_named_content(init_t)
++')
++
++optional_policy(`
++ udev_read_db(init_t)
++ udev_relabelto_db(init_t)
++ udev_create_kobject_uevent_socket(init_t)
++ udev_relabel_pid_sockfile(init_t)
++')
++
++optional_policy(`
++ xserver_relabel_xdm_tmp_dirs(init_t)
++ xserver_manage_xdm_tmp_dirs(init_t)
++')
++
++optional_policy(`
+ unconfined_domain(init_t)
+ ')
+
+@@ -222,8 +477,9 @@ optional_policy(`
+ #
+
+ allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
+-allow initrc_t self:capability ~{ sys_admin sys_module };
+-dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
++allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
++allow initrc_t self:capability2 block_suspend;
++dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this
+ allow initrc_t self:passwd rootok;
+ allow initrc_t self:key manage_key_perms;
+
+@@ -251,12 +507,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+
+ allow initrc_t initrc_var_run_t:file manage_file_perms;
+ files_pid_filetrans(initrc_t, initrc_var_run_t, file)
++files_manage_generic_pids_symlinks(initrc_t)
++files_create_var_run_dirs(initrc_t)
++files_relabelfrom_isid_type(initrc_t)
+
+ can_exec(initrc_t, initrc_tmp_t)
+ manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+ manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+ manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+ files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
++allow initrc_t initrc_tmp_t:dir relabelfrom;
+
+ manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
+ manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
+@@ -272,23 +532,36 @@ kernel_change_ring_buffer_level(initrc_t)
+ kernel_clear_ring_buffer(initrc_t)
+ kernel_get_sysvipc_info(initrc_t)
+ kernel_read_all_sysctls(initrc_t)
++kernel_request_load_module(initrc_t)
+ kernel_rw_all_sysctls(initrc_t)
+ # for lsof which is used by alsa shutdown:
+ kernel_dontaudit_getattr_message_if(initrc_t)
++kernel_stream_connect(initrc_t)
++files_read_kernel_modules(initrc_t)
++files_read_config_files(initrc_t)
++files_read_var_lib_symlinks(initrc_t)
++files_setattr_pid_dirs(initrc_t)
+
+ files_create_lock_dirs(initrc_t)
+ files_pid_filetrans_lock_dir(initrc_t, "lock")
+ files_read_kernel_symbol_table(initrc_t)
+-files_setattr_lock_dirs(initrc_t)
++files_exec_etc_files(initrc_t)
++files_manage_etc_symlinks(initrc_t)
++files_manage_system_conf_files(initrc_t)
++
++fs_manage_tmpfs_dirs(initrc_t)
++fs_manage_tmpfs_symlinks(initrc_t)
++fs_delete_tmpfs_files(initrc_t)
++fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
++fs_read_nfsd_files(initrc_t)
+
+ corecmd_exec_all_executables(initrc_t)
+
+-corenet_all_recvfrom_unlabeled(initrc_t)
+ corenet_all_recvfrom_netlabel(initrc_t)
+-corenet_tcp_sendrecv_all_if(initrc_t)
+-corenet_udp_sendrecv_all_if(initrc_t)
+-corenet_tcp_sendrecv_all_nodes(initrc_t)
+-corenet_udp_sendrecv_all_nodes(initrc_t)
++corenet_tcp_sendrecv_generic_if(initrc_t)
++corenet_udp_sendrecv_generic_if(initrc_t)
++corenet_tcp_sendrecv_generic_node(initrc_t)
++corenet_udp_sendrecv_generic_node(initrc_t)
+ corenet_tcp_sendrecv_all_ports(initrc_t)
+ corenet_udp_sendrecv_all_ports(initrc_t)
+ corenet_tcp_connect_all_ports(initrc_t)
+@@ -296,9 +569,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+
+ dev_read_rand(initrc_t)
+ dev_read_urand(initrc_t)
++dev_dontaudit_read_kmsg(initrc_t)
+ dev_write_kmsg(initrc_t)
+ dev_write_rand(initrc_t)
+ dev_write_urand(initrc_t)
++dev_write_watchdog(initrc_t)
+ dev_rw_sysfs(initrc_t)
+ dev_list_usbfs(initrc_t)
+ dev_read_framebuffer(initrc_t)
+@@ -306,8 +581,10 @@ dev_write_framebuffer(initrc_t)
+ dev_read_realtime_clock(initrc_t)
+ dev_read_sound_mixer(initrc_t)
+ dev_write_sound_mixer(initrc_t)
++dev_setattr_generic_dirs(initrc_t)
+ dev_setattr_all_chr_files(initrc_t)
+ dev_rw_lvm_control(initrc_t)
++dev_rw_generic_chr_files(initrc_t)
+ dev_delete_lvm_control_dev(initrc_t)
+ dev_manage_generic_symlinks(initrc_t)
+ dev_manage_generic_files(initrc_t)
+@@ -315,17 +592,16 @@ dev_manage_generic_files(initrc_t)
+ dev_delete_generic_symlinks(initrc_t)
+ dev_getattr_all_blk_files(initrc_t)
+ dev_getattr_all_chr_files(initrc_t)
+-# Early devtmpfs
+-dev_rw_generic_chr_files(initrc_t)
++dev_rw_xserver_misc(initrc_t)
+
+ domain_kill_all_domains(initrc_t)
+ domain_signal_all_domains(initrc_t)
+ domain_signull_all_domains(initrc_t)
+ domain_sigstop_all_domains(initrc_t)
++domain_sigstop_all_domains(initrc_t)
+ domain_sigchld_all_domains(initrc_t)
+ domain_read_all_domains_state(initrc_t)
+ domain_getattr_all_domains(initrc_t)
+-domain_dontaudit_ptrace_all_domains(initrc_t)
+ domain_getsession_all_domains(initrc_t)
+ domain_use_interactive_fds(initrc_t)
+ # for lsof which is used by alsa shutdown:
+@@ -333,6 +609,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+ domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
+ domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
+ domain_dontaudit_getattr_all_pipes(initrc_t)
++domain_obj_id_change_exemption(initrc_t)
+
+ files_getattr_all_dirs(initrc_t)
+ files_getattr_all_files(initrc_t)
+@@ -340,8 +617,10 @@ files_getattr_all_symlinks(initrc_t)
+ files_getattr_all_pipes(initrc_t)
+ files_getattr_all_sockets(initrc_t)
+ files_purge_tmp(initrc_t)
+-files_delete_all_locks(initrc_t)
++files_manage_all_locks(initrc_t)
++files_manage_boot_files(initrc_t)
+ files_read_all_pids(initrc_t)
++files_delete_root_files(initrc_t)
+ files_delete_all_pids(initrc_t)
+ files_delete_all_pid_dirs(initrc_t)
+ files_read_etc_files(initrc_t)
+@@ -357,8 +636,12 @@ files_list_isid_type_dirs(initrc_t)
+ files_mounton_isid_type_dirs(initrc_t)
+ files_list_default(initrc_t)
+ files_mounton_default(initrc_t)
++files_manage_mnt_dirs(initrc_t)
++files_manage_mnt_files(initrc_t)
+
+-fs_write_cgroup_files(initrc_t)
++fs_delete_cgroup_dirs(initrc_t)
++fs_list_cgroup_dirs(initrc_t)
++fs_rw_cgroup_files(initrc_t)
+ fs_list_inotifyfs(initrc_t)
+ fs_register_binary_executable_type(initrc_t)
+ # rhgb-console writes to ramfs
+@@ -368,9 +651,13 @@ fs_mount_all_fs(initrc_t)
+ fs_unmount_all_fs(initrc_t)
+ fs_remount_all_fs(initrc_t)
+ fs_getattr_all_fs(initrc_t)
++fs_search_all(initrc_t)
++fs_getattr_nfsd_files(initrc_t)
++fs_dontaudit_create_tmpfs_chr_dev(initrc_t)
+
+ # initrc_t needs to do a pidof which requires ptrace
+-mcs_ptrace_all(initrc_t)
++mcs_file_read_all(initrc_t)
++mcs_file_write_all(initrc_t)
+ mcs_killall(initrc_t)
+ mcs_process_set_categories(initrc_t)
+
+@@ -380,6 +667,7 @@ mls_process_read_up(initrc_t)
+ mls_process_write_down(initrc_t)
+ mls_rangetrans_source(initrc_t)
+ mls_fd_share_all_levels(initrc_t)
++mls_socket_write_to_clearance(initrc_t)
+
+ selinux_get_enforce_mode(initrc_t)
+
+@@ -391,6 +679,7 @@ term_use_all_terms(initrc_t)
+ term_reset_tty_labels(initrc_t)
+
+ auth_rw_login_records(initrc_t)
++auth_manage_faillog(initrc_t)
+ auth_setattr_login_records(initrc_t)
+ auth_rw_lastlog(initrc_t)
+ auth_read_pam_pid(initrc_t)
+@@ -409,20 +698,18 @@ logging_read_all_logs(initrc_t)
+ logging_append_all_logs(initrc_t)
+ logging_read_audit_config(initrc_t)
+
+-miscfiles_read_localization(initrc_t)
+ # slapd needs to read cert files from its initscript
+-miscfiles_read_generic_certs(initrc_t)
++miscfiles_manage_generic_cert_files(initrc_t)
+
+-modutils_read_module_config(initrc_t)
+-modutils_domtrans_insmod(initrc_t)
+
+ seutil_read_config(initrc_t)
+
++userdom_read_admin_home_files(initrc_t)
+ userdom_read_user_home_content_files(initrc_t)
+ # Allow access to the sysadm TTYs. Note that this will give access to the
+ # TTYs to any process in the initrc_t domain. Therefore, daemons and such
+ # started from init should be placed in their own domain.
+-userdom_use_user_terminals(initrc_t)
++userdom_use_inherited_user_terminals(initrc_t)
+
+ ifdef(`distro_debian',`
+ dev_setattr_generic_dirs(initrc_t)
+@@ -476,6 +763,10 @@ ifdef(`distro_gentoo',`
+ sysnet_setattr_config(initrc_t)
+
+ optional_policy(`
++ abrt_manage_pid_files(initrc_t)
++ ')
++
++ optional_policy(`
+ alsa_read_lib(initrc_t)
+ ')
+
+@@ -496,7 +787,7 @@ ifdef(`distro_redhat',`
+
+ # Red Hat systems seem to have a stray
+ # fd open from the initrd
+- kernel_dontaudit_use_fds(initrc_t)
++ kernel_use_fds(initrc_t)
+ files_dontaudit_read_root_files(initrc_t)
+
+ # These seem to be from the initrd
+@@ -511,6 +802,7 @@ ifdef(`distro_redhat',`
+ files_create_boot_dirs(initrc_t)
+ files_create_boot_flag(initrc_t)
+ files_rw_boot_symlinks(initrc_t)
++
+ # wants to read /.fonts directory
+ files_read_default_files(initrc_t)
+ files_mountpoint(initrc_tmp_t)
+@@ -531,6 +823,7 @@ ifdef(`distro_redhat',`
+ miscfiles_rw_localization(initrc_t)
+ miscfiles_setattr_localization(initrc_t)
+ miscfiles_relabel_localization(initrc_t)
++ miscfiles_filetrans_named_content(initrc_t)
+
+ miscfiles_read_fonts(initrc_t)
+ miscfiles_read_hwdata(initrc_t)
+@@ -540,8 +833,40 @@ ifdef(`distro_redhat',`
+ ')
+
+ optional_policy(`
++ abrt_manage_pid_files(initrc_t)
++ ')
++
++ optional_policy(`
+ bind_manage_config_dirs(initrc_t)
++ bind_manage_config(initrc_t)
+ bind_write_config(initrc_t)
++ bind_setattr_zone_dirs(initrc_t)
++ ')
++
++ optional_policy(`
++ cyrus_write_data(initrc_t)
++ ')
++
++ optional_policy(`
++ devicekit_append_inherited_log_files(initrc_t)
++ devicekit_dbus_chat_power(initrc_t)
++ ')
++
++ optional_policy(`
++ dirsrvadmin_read_config(initrc_t)
++ dirsrv_manage_var_run(initrc_t)
++ ')
++
++ optional_policy(`
++ gnome_manage_gconf_config(initrc_t)
++ ')
++
++ optional_policy(`
++ ldap_read_db_files(initrc_t)
++ ')
++
++ optional_policy(`
++ pulseaudio_stream_connect(initrc_t)
+ ')
+
+ optional_policy(`
+@@ -549,14 +874,31 @@ ifdef(`distro_redhat',`
+ rpc_write_exports(initrc_t)
+ rpc_manage_nfs_state_data(initrc_t)
+ ')
++ optional_policy(`
++ rpcbind_stream_connect(initrc_t)
++ ')
+
+ optional_policy(`
+ sysnet_rw_dhcp_config(initrc_t)
+ sysnet_manage_config(initrc_t)
++ sysnet_manage_dhcpc_state(initrc_t)
++ sysnet_relabelfrom_dhcpc_state(initrc_t)
++ sysnet_relabelfrom_net_conf(initrc_t)
++ sysnet_relabelto_net_conf(initrc_t)
++ sysnet_filetrans_named_content(initrc_t)
++ ')
++
++ optional_policy(`
++ tgtd_stream_connect(initrc_t)
++ ')
++
++ optional_policy(`
++ wdmd_manage_pid_files(initrc_t)
+ ')
+
+ optional_policy(`
+ xserver_delete_log(initrc_t)
++ xserver_manage_user_fonts_dir(initrc_t)
+ ')
+ ')
+
+@@ -567,6 +909,39 @@ ifdef(`distro_suse',`
+ ')
+ ')
+
++domain_dontaudit_use_interactive_fds(daemon)
++
++userdom_dontaudit_list_admin_dir(daemon)
++userdom_dontaudit_search_user_tmp(daemon)
++
++tunable_policy(`daemons_use_tcp_wrapper',`
++ corenet_tcp_connect_auth_port(daemon)
++')
++
++tunable_policy(`daemons_use_tty',`
++ term_use_unallocated_ttys(daemon)
++ term_use_generic_ptys(daemon)
++ term_use_all_ttys(daemon)
++ term_use_all_ptys(daemon)
++',`
++ term_dontaudit_use_unallocated_ttys(daemon)
++ term_dontaudit_use_generic_ptys(daemon)
++ term_dontaudit_use_all_ttys(daemon)
++ term_dontaudit_use_all_ptys(daemon)
++ ')
++
++# system-config-services causes avc messages that should be dontaudited
++tunable_policy(`daemons_dump_core',`
++ files_manage_root_files(daemon)
++')
++
++optional_policy(`
++ unconfined_dontaudit_rw_pipes(daemon)
++ unconfined_dontaudit_rw_stream(daemon)
++ userdom_dontaudit_read_user_tmp_files(daemon)
++ userdom_dontaudit_write_user_tmp_files(daemon)
++')
++
+ optional_policy(`
+ amavis_search_lib(initrc_t)
+ amavis_setattr_pid_files(initrc_t)
+@@ -579,6 +954,8 @@ optional_policy(`
+ optional_policy(`
+ apache_read_config(initrc_t)
+ apache_list_modules(initrc_t)
++ # webmin seems to cause this.
++ apache_search_sys_content(daemon)
+ ')
+
+ optional_policy(`
+@@ -600,6 +977,7 @@ optional_policy(`
+
+ optional_policy(`
+ cgroup_stream_connect_cgred(initrc_t)
++ domain_setpriority_all_domains(initrc_t)
+ ')
+
+ optional_policy(`
+@@ -612,6 +990,17 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ chronyd_append_keys(initrc_t)
++ chronyd_read_keys(initrc_t)
++')
++
++optional_policy(`
++ cron_read_pipes(initrc_t)
++ # managing /etc/cron.d/mailman content
++ cron_manage_system_spool(initrc_t)
++')
++
++optional_policy(`
+ dev_getattr_printer_dev(initrc_t)
+
+ cups_read_log(initrc_t)
+@@ -628,9 +1017,13 @@ optional_policy(`
+ dbus_connect_system_bus(initrc_t)
+ dbus_system_bus_client(initrc_t)
+ dbus_read_config(initrc_t)
++ dbus_manage_lib_files(initrc_t)
++
++ init_dbus_chat(initrc_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(initrc_t)
++ consolekit_manage_log(initrc_t)
+ ')
+
+ optional_policy(`
+@@ -655,6 +1048,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ glance_manage_pid_files(initrc_t)
++')
++
++optional_policy(`
+ gpm_setattr_gpmctl(initrc_t)
+ ')
+
+@@ -672,6 +1069,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ firewalld_dbus_chat(initrc_t)
++')
++
++optional_policy(`
++ modutils_read_module_config(initrc_t)
++ modutils_domtrans_insmod(initrc_t)
++')
++
++optional_policy(`
+ inn_exec_config(initrc_t)
+ ')
+
+@@ -712,6 +1118,7 @@ optional_policy(`
+ lpd_list_spool(initrc_t)
+
+ lpd_read_config(initrc_t)
++ lpd_manage_spool(init_t)
+ ')
+
+ optional_policy(`
+@@ -729,7 +1136,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ milter_delete_dkim_pid_files(initrc_t)
++ milter_setattr_all_dirs(initrc_t)
++')
++
++optional_policy(`
++ mta_manage_aliases(initrc_t)
+ mta_read_config(initrc_t)
++ mta_write_config(initrc_t)
+ mta_dontaudit_read_spool_symlinks(initrc_t)
+ ')
+
+@@ -752,6 +1166,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ plymouthd_stream_connect(initrc_t)
++')
++
++optional_policy(`
+ postgresql_manage_db(initrc_t)
+ postgresql_read_config(initrc_t)
+ ')
+@@ -761,10 +1179,20 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ psad_setattr_fifo_file(initrc_t)
++ psad_setattr_log(initrc_t)
++ psad_write_log(initrc_t)
++')
++
++optional_policy(`
+ puppet_rw_tmp(initrc_t)
+ ')
+
+ optional_policy(`
++ qpidd_manage_var_run(initrc_t)
++')
++
++optional_policy(`
+ quota_manage_flags(initrc_t)
+ ')
+
+@@ -773,6 +1201,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ ricci_manage_lib_files(initrc_t)
++')
++
++optional_policy(`
+ fs_write_ramfs_sockets(initrc_t)
+ fs_search_ramfs(initrc_t)
+
+@@ -794,8 +1226,6 @@ optional_policy(`
+ # bash tries ioctl for some reason
+ files_dontaudit_ioctl_all_pids(initrc_t)
+
+- # why is this needed:
+- rpm_manage_db(initrc_t)
+ ')
+
+ optional_policy(`
+@@ -804,6 +1234,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ sendmail_setattr_pid_files(initrc_t)
++')
++
++optional_policy(`
+ # shorewall-init script run /var/lib/shorewall/firewall
+ shorewall_lib_domtrans(initrc_t)
+ ')
+@@ -813,10 +1247,12 @@ optional_policy(`
+ squid_manage_logs(initrc_t)
+ ')
+
++ifdef(`enabled_mls',`
+ optional_policy(`
+ # allow init scripts to su
+ su_restricted_domain_template(initrc, initrc_t, system_r)
+ ')
++')
+
+ optional_policy(`
+ ssh_dontaudit_read_server_keys(initrc_t)
+@@ -828,8 +1264,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- udev_rw_db(initrc_t)
+- udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
+ udev_manage_pid_files(initrc_t)
+ udev_manage_pid_dirs(initrc_t)
+ udev_manage_rules_files(initrc_t)
+@@ -840,12 +1274,30 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- virt_stream_connect(initrc_t)
+- virt_manage_svirt_cache(initrc_t)
++ virt_manage_pid_dirs(initrc_t)
++ virt_manage_cache(initrc_t)
++ virt_manage_lib_files(initrc_t)
++')
++
++# Cron jobs used to start and stop services
++optional_policy(`
++ cron_rw_pipes(daemon)
++ cron_rw_inherited_user_spool_files(daemon)
++')
++
++optional_policy(`
++ cfengine_append_inherited_log(daemon)
+ ')
+
+ optional_policy(`
+ unconfined_domain(initrc_t)
++ domain_role_change_exemption(initrc_t)
++ mcs_file_read_all(initrc_t)
++ mcs_file_write_all(initrc_t)
++ mcs_socket_write_all_levels(initrc_t)
++ mcs_killall(initrc_t)
++
++ files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })
+
+ ifdef(`distro_redhat',`
+ # system-config-services causes avc messages that should be dontaudited
+@@ -855,6 +1307,18 @@ optional_policy(`
+ optional_policy(`
+ mono_domtrans(initrc_t)
+ ')
++
++ # Allow SELinux aware applications to request rpm_script_t execution
++ rpm_transition_script(initrc_t)
++
++ optional_policy(`
++ rtkit_scheduled(initrc_t)
++ ')
++')
++
++optional_policy(`
++ rpm_read_db(initrc_t)
++ rpm_delete_db(initrc_t)
+ ')
+
+ optional_policy(`
+@@ -870,6 +1334,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ sanlock_manage_pid_files(initrc_t)
++')
++
++optional_policy(`
+ # Set device ownerships/modes.
+ xserver_setattr_console_pipes(initrc_t)
+
+@@ -880,3 +1348,185 @@ optional_policy(`
+ optional_policy(`
+ zebra_read_config(initrc_t)
+ ')
++
++userdom_inherit_append_user_home_content_files(daemon)
++userdom_inherit_append_user_tmp_files(daemon)
++userdom_dontaudit_rw_stream(daemon)
++
++logging_inherit_append_all_logs(daemon)
++
++optional_policy(`
++ # sudo service restart causes this
++ unconfined_signull(daemon)
++')
++
++
++optional_policy(`
++ xserver_dontaudit_append_xdm_home_files(daemon)
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_dontaudit_rw_nfs_files(daemon)
++ ')
++ tunable_policy(`use_samba_home_dirs',`
++ fs_dontaudit_rw_cifs_files(daemon)
++ ')
++')
++
++init_rw_script_stream_sockets(daemon)
++
++optional_policy(`
++ abrt_stream_connect(daemon)
++')
++
++optional_policy(`
++ fail2ban_read_lib_files(daemon)
++')
++
++optional_policy(`
++ firstboot_dontaudit_leaks(daemon)
++')
++
++init_rw_stream_sockets(daemon)
++init_dontaudit_script_leaks(daemon)
++
++allow init_t var_run_t:dir relabelto;
++
++init_stream_connect(initrc_t)
++
++allow initrc_t daemon:process siginh;
++allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++allow daemon initrc_transition_domain:fd use;
++
++allow init_t daemon:unix_stream_socket create_stream_socket_perms;
++allow init_t daemon:unix_dgram_socket create_socket_perms;
++allow init_t daemon:tcp_socket create_stream_socket_perms;
++allow init_t daemon:udp_socket create_socket_perms;
++allow daemon init_t:unix_dgram_socket sendto;
++# need write to /var/run/systemd/notify
++init_write_pid_socket(daemon)
++allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
++
++# daemons started from init will
++# inherit fds from init for the console
++init_dontaudit_use_fds(daemon)
++term_dontaudit_use_console(daemon)
++# init script ptys are the stdin/out/err
++# when using run_init
++init_use_script_ptys(daemon)
++
++allow init_t daemon:process siginh;
++
++ifdef(`hide_broken_symptoms',`
++ # RHEL4 systems seem to have a stray
++ # fds open from the initrd
++ ifdef(`distro_rhel4',`
++ kernel_dontaudit_use_fds(daemon)
++ ')
++
++ dontaudit daemon init_t:dir search_dir_perms;
++')
++
++optional_policy(`
++ nscd_socket_use(daemon)
++')
++
++optional_policy(`
++ puppet_rw_tmp(daemon)
++')
++
++allow direct_run_init daemon:process { noatsecure siginh rlimitinh };
++
++allow initrc_t systemprocess:process siginh;
++allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++allow systemprocess initrc_transition_domain:fd use;
++
++dontaudit systemprocess init_t:unix_stream_socket getattr;
++
++allow init_t daemon:unix_stream_socket create_stream_socket_perms;
++allow init_t daemon:unix_dgram_socket create_socket_perms;
++allow daemon init_t:unix_stream_socket ioctl;
++allow daemon init_t:unix_dgram_socket sendto;
++# need write to /var/run/systemd/notify
++init_write_pid_socket(daemon)
++init_rw_inherited_script_tmp_files(daemon)
++
++# Handle upstart/systemd direct transition to a executable
++allow init_t systemprocess:process { dyntransition siginh };
++allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
++allow init_t systemprocess:unix_dgram_socket create_socket_perms;
++allow systemprocess init_t:unix_dgram_socket sendto;
++allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
++
++files_dontaudit_rw_inherited_locks(systemprocess)
++
++init_rw_inherited_script_tmp_files(systemprocess)
++
++logging_dontaudit_rw_inherited_generic_logs(systemprocess)
++
++userdom_dontaudit_search_user_home_dirs(systemprocess)
++userdom_dontaudit_rw_stream(systemprocess)
++userdom_dontaudit_write_user_tmp_files(systemprocess)
++
++tunable_policy(`daemons_use_tty',`
++ term_use_all_ttys(systemprocess)
++ term_use_all_ptys(systemprocess)
++',`
++ term_dontaudit_use_all_ttys(systemprocess)
++ term_dontaudit_use_all_ptys(systemprocess)
++')
++
++# these apps are often redirect output to random log files
++logging_inherit_append_all_logs(systemprocess)
++
++optional_policy(`
++ abrt_stream_connect(systemprocess)
++')
++
++optional_policy(`
++ cfengine_append_inherited_log(systemprocess)
++')
++
++optional_policy(`
++ cron_rw_pipes(systemprocess)
++')
++
++optional_policy(`
++ puppet_rw_tmp(systemprocess)
++')
++
++optional_policy(`
++ xserver_dontaudit_append_xdm_home_files(systemprocess)
++')
++
++optional_policy(`
++ unconfined_dontaudit_rw_pipes(systemprocess)
++ unconfined_dontaudit_rw_stream(systemprocess)
++ userdom_dontaudit_read_user_tmp_files(systemprocess)
++')
++
++init_rw_script_stream_sockets(systemprocess)
++
++role system_r types systemprocess;
++role system_r types daemon;
++
++#ifdef(`enable_mls',`
++# mls_rangetrans_target(systemprocess)
++#')
++
++allow initrc_domain daemon:process transition;
++allow daemon initrc_domain:fd use;
++allow daemon initrc_domain:fifo_file rw_inherited_fifo_file_perms;
++allow daemon initrc_domain:process sigchld;
++allow initrc_domain direct_init_entry:file { getattr open read execute };
++
++allow systemprocess initrc_domain:fd use;
++allow systemprocess initrc_domain:fifo_file rw_inherited_fifo_file_perms;
++allow systemprocess initrc_domain:process sigchld;
++allow initrc_domain systemprocess_entry:file { getattr open read execute };
++allow initrc_domain systemprocess:process transition;
++
++ifdef(`direct_sysadm_daemon',`
++ allow daemon direct_run_init:fd use;
++ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
++ allow daemon direct_run_init:process sigchld;
++ allow direct_run_init direct_init_entry:file { getattr open read execute };
++')
+diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
+index ec85acb..662e79b 100644
+--- a/policy/modules/system/ipsec.fc
++++ b/policy/modules/system/ipsec.fc
+@@ -27,11 +27,6 @@
+ /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+ /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+
+-/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+-/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+-/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+-/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+-
+ /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+ /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
+ /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
+diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
+index 0d4c8d3..9d66bf7 100644
+--- a/policy/modules/system/ipsec.if
++++ b/policy/modules/system/ipsec.if
+@@ -120,7 +120,6 @@ interface(`ipsec_exec_mgmt',`
+ ##
+ ##
+ #
+-#
+ interface(`ipsec_signal_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+@@ -139,7 +138,6 @@ interface(`ipsec_signal_mgmt',`
+ ##
+ ##
+ #
+-#
+ interface(`ipsec_signull_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+@@ -158,7 +156,6 @@ interface(`ipsec_signull_mgmt',`
+ ##
+ ##
+ #
+-#
+ interface(`ipsec_kill_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+@@ -225,6 +222,7 @@ interface(`ipsec_match_default_spd',`
+
+ allow $1 ipsec_spd_t:association polmatch;
+ allow $1 self:association sendto;
++ allow $1 self:peer recv;
+ ')
+
+ ########################################
+diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
+index a30840c..77206a0 100644
+--- a/policy/modules/system/ipsec.te
++++ b/policy/modules/system/ipsec.te
+@@ -73,13 +73,15 @@ role system_r types setkey_t;
+ #
+
+ allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
+-dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
++dontaudit ipsec_t self:capability sys_tty_config;
+ allow ipsec_t self:process { getcap setcap getsched signal setsched };
+ allow ipsec_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_t self:udp_socket create_socket_perms;
+ allow ipsec_t self:key_socket create_socket_perms;
+ allow ipsec_t self:fifo_file read_fifo_file_perms;
+ allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
++allow ipsec_t self:netlink_selinux_socket create_socket_perms;
++allow ipsec_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
+
+@@ -113,6 +115,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+ allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
+
+ kernel_read_kernel_sysctls(ipsec_t)
++kernel_read_net_sysctls(ipsec_t)
+ kernel_list_proc(ipsec_t)
+ kernel_read_proc_symlinks(ipsec_t)
+ # allow pluto to access /proc/net/ipsec_eroute;
+@@ -127,20 +130,21 @@ corecmd_exec_shell(ipsec_t)
+ corecmd_exec_bin(ipsec_t)
+
+ # Pluto needs network access
+-corenet_all_recvfrom_unlabeled(ipsec_t)
+-corenet_tcp_sendrecv_all_if(ipsec_t)
+-corenet_raw_sendrecv_all_if(ipsec_t)
+-corenet_tcp_sendrecv_all_nodes(ipsec_t)
+-corenet_raw_sendrecv_all_nodes(ipsec_t)
++corenet_tcp_sendrecv_generic_if(ipsec_t)
++corenet_raw_sendrecv_generic_if(ipsec_t)
++corenet_tcp_sendrecv_generic_node(ipsec_t)
++corenet_raw_sendrecv_generic_node(ipsec_t)
+ corenet_tcp_sendrecv_all_ports(ipsec_t)
+-corenet_tcp_bind_all_nodes(ipsec_t)
+-corenet_udp_bind_all_nodes(ipsec_t)
++corenet_tcp_bind_generic_node(ipsec_t)
++corenet_udp_bind_generic_node(ipsec_t)
+ corenet_tcp_bind_reserved_port(ipsec_t)
+ corenet_tcp_bind_isakmp_port(ipsec_t)
+ corenet_udp_bind_isakmp_port(ipsec_t)
+ corenet_udp_bind_ipsecnat_port(ipsec_t)
+ corenet_sendrecv_generic_server_packets(ipsec_t)
+ corenet_sendrecv_isakmp_server_packets(ipsec_t)
++corenet_tcp_connect_http_port(ipsec_t)
++corenet_tcp_connect_ldap_port(ipsec_t)
+
+ dev_read_sysfs(ipsec_t)
+ dev_read_rand(ipsec_t)
+@@ -156,6 +160,8 @@ files_dontaudit_search_home(ipsec_t)
+ fs_getattr_all_fs(ipsec_t)
+ fs_search_auto_mountpoints(ipsec_t)
+
++selinux_compute_access_vector(ipsec_t)
++
+ term_use_console(ipsec_t)
+ term_dontaudit_use_all_ttys(ipsec_t)
+
+@@ -164,11 +170,13 @@ auth_use_nsswitch(ipsec_t)
+ init_use_fds(ipsec_t)
+ init_use_script_ptys(ipsec_t)
+
++logging_read_all_logs(ipsec_mgmt_t)
+ logging_send_syslog_msg(ipsec_t)
+
+-miscfiles_read_localization(ipsec_t)
+
+ sysnet_domtrans_ifconfig(ipsec_t)
++sysnet_manage_config(ipsec_t)
++sysnet_etc_filetrans_config(ipsec_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
+ userdom_dontaudit_search_user_home_dirs(ipsec_t)
+@@ -186,9 +194,9 @@ optional_policy(`
+ # ipsec_mgmt Local policy
+ #
+
+-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+-dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
+-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
++allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
++dontaudit ipsec_mgmt_t self:capability sys_tty_config;
++allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
+ allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+ allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+@@ -245,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+ kernel_getattr_core_if(ipsec_mgmt_t)
+ kernel_getattr_message_if(ipsec_mgmt_t)
+
++domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
++domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
++
++dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t)
++dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t)
++
++dev_read_sysfs(ipsec_mgmt_t)
++
++files_dontaudit_getattr_all_files(ipsec_mgmt_t)
++files_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
+ files_read_kernel_symbol_table(ipsec_mgmt_t)
+ files_getattr_kernel_modules(ipsec_mgmt_t)
+
+@@ -254,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+ corecmd_exec_bin(ipsec_mgmt_t)
+ corecmd_exec_shell(ipsec_mgmt_t)
+
++corenet_tcp_connect_rndc_port(ipsec_mgmt_t)
++
+ dev_read_rand(ipsec_mgmt_t)
+ dev_read_urand(ipsec_mgmt_t)
+
+@@ -277,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+ fs_list_tmpfs(ipsec_mgmt_t)
+
+ term_use_console(ipsec_mgmt_t)
+-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
++term_use_all_inherited_terms(ipsec_mgmt_t)
+
+ auth_dontaudit_read_login_records(ipsec_mgmt_t)
++auth_use_nsswitch(ipsec_mgmt_t)
+
+ init_read_utmp(ipsec_mgmt_t)
+ init_use_script_ptys(ipsec_mgmt_t)
+@@ -289,15 +310,16 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+
+ logging_send_syslog_msg(ipsec_mgmt_t)
+
+-miscfiles_read_localization(ipsec_mgmt_t)
+-
+-seutil_dontaudit_search_config(ipsec_mgmt_t)
+-
+ sysnet_manage_config(ipsec_mgmt_t)
+ sysnet_domtrans_ifconfig(ipsec_mgmt_t)
+ sysnet_etc_filetrans_config(ipsec_mgmt_t)
+
+-userdom_use_user_terminals(ipsec_mgmt_t)
++userdom_use_inherited_user_terminals(ipsec_mgmt_t)
++
++optional_policy(`
++ bind_read_dnssec_keys(ipsec_mgmt_t)
++ bind_read_config(ipsec_mgmt_t)
++')
+
+ optional_policy(`
+ consoletype_exec(ipsec_mgmt_t)
+@@ -369,13 +391,12 @@ kernel_request_load_module(racoon_t)
+ corecmd_exec_shell(racoon_t)
+ corecmd_exec_bin(racoon_t)
+
+-corenet_all_recvfrom_unlabeled(racoon_t)
+-corenet_tcp_sendrecv_all_if(racoon_t)
+-corenet_udp_sendrecv_all_if(racoon_t)
+-corenet_tcp_sendrecv_all_nodes(racoon_t)
+-corenet_udp_sendrecv_all_nodes(racoon_t)
+-corenet_tcp_bind_all_nodes(racoon_t)
+-corenet_udp_bind_all_nodes(racoon_t)
++corenet_tcp_sendrecv_generic_if(racoon_t)
++corenet_udp_sendrecv_generic_if(racoon_t)
++corenet_tcp_sendrecv_generic_node(racoon_t)
++corenet_udp_sendrecv_generic_node(racoon_t)
++corenet_tcp_bind_generic_node(racoon_t)
++corenet_udp_bind_generic_node(racoon_t)
+ corenet_udp_bind_isakmp_port(racoon_t)
+ corenet_udp_bind_ipsecnat_port(racoon_t)
+
+@@ -400,10 +421,11 @@ locallogin_use_fds(racoon_t)
+ logging_send_syslog_msg(racoon_t)
+ logging_send_audit_msgs(racoon_t)
+
+-miscfiles_read_localization(racoon_t)
+
+ sysnet_exec_ifconfig(racoon_t)
+
++auth_use_pam(racoon_t)
++
+ auth_can_read_shadow_passwords(racoon_t)
+ tunable_policy(`racoon_read_shadow',`
+ auth_tunable_read_shadow(racoon_t)
+@@ -437,9 +459,9 @@ corenet_setcontext_all_spds(setkey_t)
+
+ locallogin_use_fds(setkey_t)
+
+-miscfiles_read_localization(setkey_t)
+
+ seutil_read_config(setkey_t)
+
+-userdom_use_user_terminals(setkey_t)
++userdom_use_inherited_user_terminals(setkey_t)
++userdom_read_user_tmp_files(setkey_t)
+
+diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
+index 14cffd2..5effebe 100644
+--- a/policy/modules/system/iptables.fc
++++ b/policy/modules/system/iptables.fc
+@@ -1,7 +1,8 @@
+ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
++/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
+ /sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+@@ -14,7 +15,13 @@
+ /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
++/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+ /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
+index c42fbc3..7071460 100644
+--- a/policy/modules/system/iptables.if
++++ b/policy/modules/system/iptables.if
+@@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, iptables_exec_t, iptables_t)
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit iptables_t $1:socket_class_set { read write };
+- ')
+ ')
+
+ ########################################
+@@ -42,11 +38,22 @@ interface(`iptables_domtrans',`
+ #
+ interface(`iptables_run',`
+ gen_require(`
+- attribute_role iptables_roles;
++ #attribute_role iptables_roles;
++ type iptables_t;
+ ')
+
++ #iptables_domtrans($1)
++ #roleattribute $2 iptables_roles;
++
+ iptables_domtrans($1)
+- roleattribute $2 iptables_roles;
++ role $2 types iptables_t;
++
++ sysnet_run_ifconfig(iptables_t, $2)
++
++ optional_policy(`
++ modutils_run_insmod(iptables_t, $2)
++ ')
++
+ ')
+
+ ########################################
+@@ -86,6 +93,29 @@ interface(`iptables_initrc_domtrans',`
+ init_labeled_script_domtrans($1, iptables_initrc_exec_t)
+ ')
+
++########################################
++##
++## Execute iptables server in the iptables domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`iptables_systemctl',`
++ gen_require(`
++ type iptables_unit_file_t;
++ type iptables_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 iptables_unit_file_t:file read_file_perms;
++ allow $1 iptables_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, iptables_t)
++')
++
+ #####################################
+ ##
+ ## Set the attributes of iptables config files.
+diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
+index 0646ee7..da1337a 100644
+--- a/policy/modules/system/iptables.te
++++ b/policy/modules/system/iptables.te
+@@ -5,26 +5,27 @@ policy_module(iptables, 1.13.0)
+ # Declarations
+ #
+
+-attribute_role iptables_roles;
+-roleattribute system_r iptables_roles;
++#attribute_role iptables_roles;
++#roleattribute system_r iptables_roles;
+
+ type iptables_t;
+ type iptables_exec_t;
+ init_system_domain(iptables_t, iptables_exec_t)
+-role iptables_roles types iptables_t;
++#role iptables_roles types iptables_t;
++role system_r types iptables_t;
+
+ type iptables_initrc_exec_t;
+ init_script_file(iptables_initrc_exec_t)
+
+-type iptables_conf_t;
+-files_config_file(iptables_conf_t)
+-
+ type iptables_tmp_t;
+ files_tmp_file(iptables_tmp_t)
+
+ type iptables_var_run_t;
+ files_pid_file(iptables_var_run_t)
+
++type iptables_unit_file_t;
++systemd_unit_file(iptables_unit_file_t)
++
+ ########################################
+ #
+ # Iptables local policy
+@@ -37,8 +38,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+ allow iptables_t self:netlink_socket create_socket_perms;
+ allow iptables_t self:rawip_socket create_socket_perms;
+
+-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
+-files_etc_filetrans(iptables_t, iptables_conf_t, file)
++files_manage_system_conf_files(iptables_t)
++files_etc_filetrans_system_conf(iptables_t)
+
+ manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
+ files_pid_filetrans(iptables_t, iptables_var_run_t, file)
+@@ -49,6 +50,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
+ allow iptables_t iptables_tmp_t:file manage_file_perms;
+ files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
+
++kernel_getattr_proc(iptables_t)
+ kernel_request_load_module(iptables_t)
+ kernel_read_system_state(iptables_t)
+ kernel_read_network_state(iptables_t)
+@@ -64,6 +66,10 @@ corenet_relabelto_all_packets(iptables_t)
+ corenet_dontaudit_rw_tun_tap_dev(iptables_t)
+
+ dev_read_sysfs(iptables_t)
++dev_read_urand(iptables_t)
++ifdef(`hide_broken_symptoms',`
++ dev_dontaudit_write_mtrr(iptables_t)
++')
+
+ fs_getattr_xattr_fs(iptables_t)
+ fs_search_auto_mountpoints(iptables_t)
+@@ -72,11 +78,13 @@ fs_list_inotifyfs(iptables_t)
+ mls_file_read_all_levels(iptables_t)
+
+ term_dontaudit_use_console(iptables_t)
++term_use_all_inherited_terms(iptables_t)
+
+ domain_use_interactive_fds(iptables_t)
+
+ files_read_etc_files(iptables_t)
+-files_read_etc_runtime_files(iptables_t)
++files_rw_etc_runtime_files(iptables_t)
++files_read_usr_files(iptables_t)
+
+ auth_use_nsswitch(iptables_t)
+
+@@ -85,15 +93,16 @@ init_use_script_ptys(iptables_t)
+ # to allow rules to be saved on reboot:
+ init_rw_script_tmp_files(iptables_t)
+ init_rw_script_stream_sockets(iptables_t)
++init_dontaudit_script_leaks(iptables_t)
+
+ logging_send_syslog_msg(iptables_t)
+
+-miscfiles_read_localization(iptables_t)
+
+-sysnet_run_ifconfig(iptables_t, iptables_roles)
++#sysnet_run_ifconfig(iptables_t, iptables_roles)
++sysnet_domtrans_ifconfig(iptables_t)
+ sysnet_dns_name_resolve(iptables_t)
+
+-userdom_use_user_terminals(iptables_t)
++userdom_use_inherited_user_terminals(iptables_t)
+ userdom_use_all_users_fds(iptables_t)
+
+ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +111,8 @@ ifdef(`hide_broken_symptoms',`
+
+ optional_policy(`
+ fail2ban_append_log(iptables_t)
++ fail2ban_dontaudit_leaks(iptables_t)
++ fail2ban_rw_inherited_tmp_files(iptables_t)
+ ')
+
+ optional_policy(`
+@@ -110,7 +121,8 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- modutils_run_insmod(iptables_t, iptables_roles)
++ modutils_domtrans_insmod(iptables_t)
++ #modutils_run_insmod(iptables_t, iptables_roles)
+ ')
+
+ optional_policy(`
+@@ -124,6 +136,7 @@ optional_policy(`
+
+ optional_policy(`
+ psad_rw_tmp_files(iptables_t)
++ psad_write_log(iptables_t)
+ ')
+
+ optional_policy(`
+@@ -137,6 +150,7 @@ optional_policy(`
+ optional_policy(`
+ shorewall_read_tmp_files(iptables_t)
+ shorewall_rw_lib_files(iptables_t)
++ shorewall_read_tmp_files(iptables_t)
+ shorewall_read_config(iptables_t)
+ ')
+
+diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
+index ef8bbaf..a21d5fe 100644
+--- a/policy/modules/system/libraries.fc
++++ b/policy/modules/system/libraries.fc
+@@ -1,3 +1,4 @@
++
+ #
+ # /emul
+ #
+@@ -28,14 +29,17 @@ ifdef(`distro_redhat',`
+ # /etc
+ #
+ /etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0)
++/etc/ld\.so\.cache~ -- gen_context(system_u:object_r:ld_so_cache_t,s0)
+ /etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0)
++/etc/ld\.so\.preload~ -- gen_context(system_u:object_r:ld_so_cache_t,s0)
+
+ /etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0)
+
+ #
+ # /lib(64)?
+ #
+-/lib -d gen_context(system_u:object_r:lib_t,s0)
++/lib gen_context(system_u:object_r:lib_t,s0)
++/lib64 gen_context(system_u:object_r:lib_t,s0)
+ /lib/.* gen_context(system_u:object_r:lib_t,s0)
+ /lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+
+@@ -52,9 +56,8 @@ ifdef(`distro_gentoo',`
+ #
+ # /opt
+ #
+-/opt/.*\.so gen_context(system_u:object_r:lib_t,s0)
++/opt/.*\.so(\.[^/]*)* gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+-/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+@@ -103,6 +106,12 @@ ifdef(`distro_redhat',`
+ #
+ # /usr
+ #
++/usr/lib -d gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/.* gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
++
++/usr/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+@@ -111,12 +120,12 @@ ifdef(`distro_redhat',`
+ /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0)
+
+ /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+-/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
+
+-/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
++/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+
+ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
++/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -140,6 +149,8 @@ ifdef(`distro_redhat',`
+ /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libjavascriptcoregtk[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libzvbi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -147,12 +158,11 @@ ifdef(`distro_redhat',`
+ /usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+-/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+@@ -181,11 +191,13 @@ ifdef(`distro_redhat',`
+ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
+ # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
+ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/dri/fglrx_dri.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -240,14 +252,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
+
+ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
+ /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ # Jai, Sun Microsystems (Jpackage SPRM)
+ /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -269,20 +277,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+
+ # Java, Sun Microsystems (JPackage SRPM)
+ /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+@@ -299,17 +306,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+ #
+ /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
+
+-/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
+-/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+-
+-/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++/var/ftp/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+
+ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
+
++/usr/lib/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++
+ ifdef(`distro_suse',`
+ /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
+ ')
+
+-/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/var/spool/postfix/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/var/spool/postfix/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
+ /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
+-/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
++/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
++
++/usr/lib/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/chrome/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
++
++/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++
++/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++ifdef(`fixed',`
++/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++# Flash plugin, Macromedia
++/usr/lib/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++')
++/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/lampp/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/real/RealPlayer/plugins(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/real/RealPlayer/codecs(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
+diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
+index 808ba93..7b506f2 100644
+--- a/policy/modules/system/libraries.if
++++ b/policy/modules/system/libraries.if
+@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',`
+
+ ########################################
+ ##
++## Make ldconfig_exec_t entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which bin_t is an entrypoint.
++##
++##
++#
++interface(`libs_ldconfig_exec_entry_type',`
++ gen_require(`
++ type ldconfig_exec_t;
++ ')
++
++ domain_entry_file($1, ldconfig_exec_t)
++')
++
++########################################
++##
+ ## Use the dynamic link/loader for automatic loading
+ ## of shared libraries.
+ ##
+@@ -147,6 +166,7 @@ interface(`libs_manage_ld_so',`
+ type lib_t, ld_so_t;
+ ')
+
++ read_lnk_files_pattern($1, lib_t, lib_t)
+ manage_files_pattern($1, lib_t, ld_so_t)
+ ')
+
+@@ -205,8 +225,26 @@ interface(`libs_search_lib',`
+ type lib_t;
+ ')
+
++ read_lnk_files_pattern($1, lib_t, lib_t)
+ allow $1 lib_t:dir search_dir_perms;
+ ')
++########################################
++##
++## dontaudit attempts to setattr on library files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`libs_dontaudit_setattr_lib_files',`
++ gen_require(`
++ type lib_t;
++ ')
++
++ dontaudit $1 lib_t:file setattr;
++')
+
+ ########################################
+ ##
+@@ -248,29 +286,12 @@ interface(`libs_manage_lib_dirs',`
+ type lib_t;
+ ')
+
++ read_lnk_files_pattern($1, lib_t, lib_t)
+ allow $1 lib_t:dir manage_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## dontaudit attempts to setattr on library files
+-##
+-##
+-##
+-## Domain to not audit.
+-##
+-##
+-#
+-interface(`libs_dontaudit_setattr_lib_files',`
+- gen_require(`
+- type lib_t;
+- ')
+-
+- dontaudit $1 lib_t:file setattr;
+-')
+-
+-########################################
+-##
+ ## Read files in the library directories, such
+ ## as static libraries.
+ ##
+@@ -345,6 +366,7 @@ interface(`libs_manage_lib_files',`
+ type lib_t;
+ ')
+
++ read_lnk_files_pattern($1, lib_t, lib_t)
+ manage_files_pattern($1, lib_t, lib_t)
+ ')
+
+@@ -421,7 +443,8 @@ interface(`libs_manage_shared_libs',`
+ type lib_t, textrel_shlib_t;
+ ')
+
+- manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
++ read_lnk_files_pattern($1, lib_t, lib_t)
++ manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ ')
+
+ ########################################
+@@ -440,9 +463,9 @@ interface(`libs_use_shared_libs',`
+ ')
+
+ files_search_usr($1)
+- allow $1 lib_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+- mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
++ allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms;
++ read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
++ mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ allow $1 textrel_shlib_t:file execmod;
+ ')
+
+@@ -483,7 +506,7 @@ interface(`libs_relabel_shared_libs',`
+ type lib_t, textrel_shlib_t;
+ ')
+
+- relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
++ relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ ')
+
+ ########################################
+@@ -534,3 +557,26 @@ interface(`lib_filetrans_shared_lib',`
+ interface(`files_lib_filetrans_shared_lib',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ ')
++
++########################################
++##
++## Transition to lib named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`libs_filetrans_named_content',`
++ gen_require(`
++ type ld_so_cache_t;
++ type ldconfig_cache_t;
++ ')
++
++ files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig")
++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
++')
+diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
+index ad01883..a003fa8 100644
+--- a/policy/modules/system/libraries.te
++++ b/policy/modules/system/libraries.te
+@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
+ # lib_t is the type of files in the system lib directories.
+ #
+ type lib_t alias shlib_t;
+-files_type(lib_t)
++files_ro_base_file(lib_t)
+
+ #
+ # textrel_shlib_t is the type of shared objects in the system lib
+ # directories, which require text relocation.
+ #
+ type textrel_shlib_t alias texrel_shlib_t;
+-files_type(textrel_shlib_t)
++files_ro_base_file(textrel_shlib_t)
+
+ ifdef(`distro_gentoo',`
+ # openrc unfortunately mounts a tmpfs
+@@ -59,9 +59,11 @@ optional_policy(`
+
+ allow ldconfig_t self:capability { dac_override sys_chroot };
+
++manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
+ manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
++files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig")
+
+-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
++manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
+ files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
+
+ manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
+@@ -75,10 +77,14 @@ kernel_read_system_state(ldconfig_t)
+
+ fs_getattr_xattr_fs(ldconfig_t)
+
++files_list_var_lib(ldconfig_t)
++files_manage_var_lib_symlinks(ldconfig_t)
++
+ corecmd_search_bin(ldconfig_t)
+
+ domain_use_interactive_fds(ldconfig_t)
+
++files_search_home(ldconfig_t)
+ files_search_var_lib(ldconfig_t)
+ files_read_etc_files(ldconfig_t)
+ files_read_usr_files(ldconfig_t)
+@@ -90,11 +96,11 @@ files_delete_etc_files(ldconfig_t)
+ init_use_script_ptys(ldconfig_t)
+ init_read_script_tmp_files(ldconfig_t)
+
+-miscfiles_read_localization(ldconfig_t)
+
+ logging_send_syslog_msg(ldconfig_t)
+
+-userdom_use_user_terminals(ldconfig_t)
++term_use_console(ldconfig_t)
++userdom_use_inherited_user_terminals(ldconfig_t)
+ userdom_use_all_users_fds(ldconfig_t)
+
+ ifdef(`distro_ubuntu',`
+@@ -103,6 +109,12 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+
++userdom_dontaudit_list_admin_dir(ldconfig_t)
++userdom_list_user_home_dirs(ldconfig_t)
++userdom_manage_user_home_content_files(ldconfig_t)
++userdom_manage_user_tmp_files(ldconfig_t)
++userdom_manage_user_tmp_symlinks(ldconfig_t)
++
+ ifdef(`hide_broken_symptoms',`
+ ifdef(`distro_gentoo',`
+ # leaked fds from portage
+@@ -114,6 +126,9 @@ ifdef(`hide_broken_symptoms',`
+ ')
+ ')
+
++ dev_dontaudit_rw_lvm_control(ldconfig_t)
++ term_dontaudit_use_unallocated_ttys(ldconfig_t)
++
+ optional_policy(`
+ unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
+ ')
+@@ -131,6 +146,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_append_generic_cache_files(ldconfig_t)
++')
++
++optional_policy(`
++ kdump_manage_kdumpctl_tmp_files(ldconfig_t)
++')
++
++optional_policy(`
+ puppet_rw_tmp(ldconfig_t)
+ ')
+
+@@ -141,6 +164,3 @@ optional_policy(`
+ rpm_manage_script_tmp_files(ldconfig_t)
+ ')
+
+-optional_policy(`
+- unconfined_domain(ldconfig_t)
+-')
+diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
+index be6a81b..a5303e9 100644
+--- a/policy/modules/system/locallogin.fc
++++ b/policy/modules/system/locallogin.fc
+@@ -1,3 +1,8 @@
++HOME_DIR/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
++/root/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
+
+ /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+ /sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
++
++/usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
++/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
+index 0e3c2a9..40adf5a 100644
+--- a/policy/modules/system/locallogin.if
++++ b/policy/modules/system/locallogin.if
+@@ -129,3 +129,59 @@ interface(`locallogin_domtrans_sulogin',`
+
+ domtrans_pattern($1, sulogin_exec_t, sulogin_t)
+ ')
++
++#######################################
++##
++## Allow domain to gettatr local login home content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`locallogin_getattr_home_content',`
++ gen_require(`
++ type local_login_home_t;
++ ')
++
++ getattr_files_pattern($1, local_login_home_t, local_login_home_t)
++')
++
++########################################
++##
++## create local login content in the in the /root directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`locallogin_filetrans_admin_home_content',`
++ gen_require(`
++ type local_login_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
++')
++
++########################################
++##
++## Transition to local login named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`locallogin_filetrans_home_content',`
++ gen_require(`
++ type local_login_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
++')
++
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 9fd5be7..7e2a02e 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
+ type local_login_lock_t;
+ files_lock_file(local_login_lock_t)
+
+-type local_login_tmp_t;
+-files_tmp_file(local_login_tmp_t)
+-files_poly_parent(local_login_tmp_t)
++type local_login_home_t;
++userdom_user_home_content(local_login_home_t)
+
+ type sulogin_t;
+ type sulogin_exec_t;
+@@ -27,14 +26,21 @@ init_domain(sulogin_t, sulogin_exec_t)
+ init_system_domain(sulogin_t, sulogin_exec_t)
+ role system_r types sulogin_t;
+
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mcs_systemhigh)
++')
++
++ifdef(`enable_mls',`
++ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, mls_systemhigh)
++')
++
+ ########################################
+ #
+ # Local login local policy
+ #
+
+-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+-allow local_login_t self:process { setrlimit setexec };
++allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
++allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
+ allow local_login_t self:fd use;
+ allow local_login_t self:fifo_file rw_fifo_file_perms;
+ allow local_login_t self:sock_file read_sock_file_perms;
+@@ -51,9 +57,7 @@ allow local_login_t self:key { search write link };
+ allow local_login_t local_login_lock_t:file manage_file_perms;
+ files_lock_filetrans(local_login_t, local_login_lock_t, file)
+
+-allow local_login_t local_login_tmp_t:dir manage_dir_perms;
+-allow local_login_t local_login_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
++allow local_login_t local_login_home_t:file read_file_perms;
+
+ kernel_read_system_state(local_login_t)
+ kernel_read_kernel_sysctls(local_login_t)
+@@ -73,6 +77,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
+ dev_setattr_power_mgmt_dev(local_login_t)
+ dev_getattr_sound_dev(local_login_t)
+ dev_setattr_sound_dev(local_login_t)
++dev_rw_generic_usb_dev(local_login_t)
++dev_read_video_dev(local_login_t)
+ dev_dontaudit_getattr_apm_bios_dev(local_login_t)
+ dev_dontaudit_setattr_apm_bios_dev(local_login_t)
+ dev_dontaudit_read_framebuffer(local_login_t)
+@@ -117,16 +123,19 @@ term_relabel_unallocated_ttys(local_login_t)
+ term_relabel_all_ttys(local_login_t)
+ term_setattr_all_ttys(local_login_t)
+ term_setattr_unallocated_ttys(local_login_t)
++term_relabel_all_ptys(local_login_t)
++term_setattr_generic_ptys(local_login_t)
+
+ auth_rw_login_records(local_login_t)
+ auth_rw_faillog(local_login_t)
+-auth_manage_pam_pid(local_login_t)
++#auth_manage_pam_pid(local_login_t)
+ auth_manage_pam_console_data(local_login_t)
+ auth_domtrans_pam_console(local_login_t)
++auth_use_nsswitch(local_login_t)
+
+ init_dontaudit_use_fds(local_login_t)
++init_stream_connect(local_login_t)
+
+-miscfiles_read_localization(local_login_t)
+
+ userdom_spec_domtrans_all_users(local_login_t)
+ userdom_signal_all_users(local_login_t)
+@@ -141,19 +150,19 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+
+-tunable_policy(`console_login',`
++tunable_policy(`login_console_enabled',`
+ # Able to relabel /dev/console to user tty types.
+ term_relabel_console(local_login_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(local_login_t)
+- fs_read_nfs_symlinks(local_login_t)
+-')
++userdom_home_reader(local_login_t)
++userdom_manage_tmp_files(local_login_t)
++userdom_tmp_filetrans_user_tmp(local_login_t, file)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(local_login_t)
+- fs_read_cifs_symlinks(local_login_t)
++tunable_policy(`login_console_enabled',`
++ term_use_console(local_login_t)
++ term_relabel_console(local_login_t)
++ term_setattr_console(local_login_t)
+ ')
+
+ optional_policy(`
+@@ -177,14 +186,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(local_login_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(local_login_t)
+-')
+-
+-optional_policy(`
+ unconfined_shell_domtrans(local_login_t)
+ ')
+
+@@ -215,6 +216,7 @@ allow sulogin_t self:sem create_sem_perms;
+ allow sulogin_t self:msgq create_msgq_perms;
+ allow sulogin_t self:msg { send receive };
+
++kernel_read_crypto_sysctls(sulogin_t)
+ kernel_read_system_state(sulogin_t)
+
+ fs_search_auto_mountpoints(sulogin_t)
+@@ -223,13 +225,16 @@ fs_rw_tmpfs_chr_files(sulogin_t)
+ files_read_etc_files(sulogin_t)
+ # because file systems are not mounted:
+ files_dontaudit_search_isid_type_dirs(sulogin_t)
++files_search_pids(sulogin_t)
+
+ auth_read_shadow(sulogin_t)
++auth_use_nsswitch(sulogin_t)
+
+ init_getpgid_script(sulogin_t)
+
+ logging_send_syslog_msg(sulogin_t)
+
++
+ seutil_read_config(sulogin_t)
+ seutil_read_default_contexts(sulogin_t)
+
+@@ -238,14 +243,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
+ userdom_search_user_home_dirs(sulogin_t)
+ userdom_use_user_ptys(sulogin_t)
+
+-sysadm_shell_domtrans(sulogin_t)
++term_use_console(sulogin_t)
++term_use_unallocated_ttys(sulogin_t)
++term_use_generic_ptys(sulogin_t)
++
++ifdef(`enable_mls',`
++ sysadm_shell_domtrans(sulogin_t)
++',`
++ optional_policy(`
++ unconfined_shell_domtrans(sulogin_t)
++ ')
++')
+
+ # suse and debian do not use pam with sulogin...
+ ifdef(`distro_suse', `define(`sulogin_no_pam')')
+ ifdef(`distro_debian', `define(`sulogin_no_pam')')
+
++allow sulogin_t self:capability sys_tty_config;
+ ifdef(`sulogin_no_pam', `
+- allow sulogin_t self:capability sys_tty_config;
+ init_getpgid(sulogin_t)
+ ', `
+ allow sulogin_t self:process setexec;
+@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', `
+ selinux_compute_relabel_context(sulogin_t)
+ selinux_compute_user_contexts(sulogin_t)
+ ')
+-
+-optional_policy(`
+- nis_use_ypbind(sulogin_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(sulogin_t)
+-')
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 02f4c97..70248c6 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -2,10 +2,13 @@
+
+ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
++/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_file_t,s0)
++
+ /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
+ /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
+@@ -17,12 +20,25 @@
+ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
++/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
++/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++
++/usr/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
++/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
++/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
++/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
++/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
+ /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+-/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+ /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+ /var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+@@ -34,11 +50,10 @@ ifdef(`distro_suse', `
+
+ /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+ /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+-/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++#/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+ /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+ /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
+-/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+@@ -46,6 +61,8 @@ ifdef(`distro_suse', `
+ /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+ /var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
++/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
++/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+
+ ifndef(`distro_gentoo',`
+ /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+@@ -54,6 +71,7 @@ ifndef(`distro_gentoo',`
+ ifdef(`distro_redhat',`
+ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
+ /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
++/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
+ ')
+
+ /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+@@ -66,11 +84,16 @@ ifdef(`distro_redhat',`
+ /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+ /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+ /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
++/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+
+ /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
+ /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+ /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
+-/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
++/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
+ /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
++/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 321bb13..3638d50 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
+
+ ########################################
+ ##
+-## Connect to auditdstored over an unix stream socket.
++## Connect to auditdstored over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -318,7 +318,7 @@ interface(`logging_dispatcher_domain',`
+
+ ########################################
+ ##
+-## Connect to the audit dispatcher over an unix stream socket.
++## Connect to the audit dispatcher over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -496,6 +496,68 @@ interface(`logging_log_filetrans',`
+ filetrans_pattern($1, var_log_t, $2, $3, $4)
+ ')
+
++#######################################
++##
++## Create an object in the log directory, with a private type.
++##
++##
++##
++## Allow the specified domain to create an object
++## in the general system log directories (e.g., /var/log)
++## with a private type. Typically this is used for creating
++## private log files in /var/log with the private type instead
++## of the general system log type. To accomplish this goal,
++## either the program must be SELinux-aware, or use this interface.
++##
++##
++## Related interfaces:
++##
++##
++## - logging_log_file()
++##
++##
++## Example usage with a domain that can create
++## and append to a private log file stored in the
++## general directories (e.g., /var/log):
++##
++##
++## type mylogfile_t;
++## logging_log_file(mylogfile_t)
++## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
++## logging_log_filetrans(mydomain_t, mylogfile_t, file)
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++##
++#
++interface(`logging_log_named_filetrans',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ files_search_var($1)
++ filetrans_pattern($1, var_log_t, $2, $3, $4)
++')
++
+ ########################################
+ ##
+ ## Send system log messages.
+@@ -530,22 +592,85 @@ interface(`logging_log_filetrans',`
+ #
+ interface(`logging_send_syslog_msg',`
+ gen_require(`
+- type syslogd_t, devlog_t;
++ attribute syslog_client_type;
++ ')
++
++ typeattribute $1 syslog_client_type;
++')
++
++########################################
++##
++## Connect to the syslog control unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_create_devlog_dev',`
++ gen_require(`
++ type devlog_t;
++ ')
++
++ allow $1 devlog_t:sock_file manage_sock_file_perms;
++ dev_filetrans($1, devlog_t, sock_file)
++ init_pid_filetrans($1, devlog_t, sock_file, "syslog")
++')
++
++########################################
++##
++## Relabel the devlog sock_file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_relabel_devlog_dev',`
++ gen_require(`
++ type devlog_t;
++ ')
++
++ allow $1 devlog_t:sock_file relabel_sock_file_perms;
++')
++
++########################################
++##
++## Relabel the syslog pid sock_file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_relabel_syslog_pid_socket',`
++ gen_require(`
++ type devlog_t;
+ ')
+
+- allow $1 devlog_t:lnk_file read_lnk_file_perms;
+- allow $1 devlog_t:sock_file write_sock_file_perms;
++ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
++')
+
+- # the type of socket depends on the syslog daemon
+- allow $1 syslogd_t:unix_dgram_socket sendto;
+- allow $1 syslogd_t:unix_stream_socket connectto;
+- allow $1 self:unix_dgram_socket create_socket_perms;
+- allow $1 self:unix_stream_socket create_socket_perms;
++########################################
++##
++## Connect to the syslog control unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_stream_connect_syslog',`
++ gen_require(`
++ type syslogd_t, syslogd_var_run_t;
++ ')
+
+- # If syslog is down, the glibc syslog() function
+- # will write to the console.
+- term_write_console($1)
+- term_dontaudit_read_console($1)
++ files_search_pids($1)
++ stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
+ ')
+
+ ########################################
+@@ -739,7 +864,25 @@ interface(`logging_append_all_logs',`
+ ')
+
+ files_search_var($1)
+- append_files_pattern($1, var_log_t, logfile)
++ append_files_pattern($1, logfile, logfile)
++')
++
++########################################
++##
++## Append to all log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_inherit_append_all_logs',`
++ gen_require(`
++ attribute logfile;
++ ')
++
++ allow $1 logfile:file { getattr append ioctl lock };
+ ')
+
+ ########################################
+@@ -822,7 +965,7 @@ interface(`logging_manage_all_logs',`
+
+ files_search_var($1)
+ manage_files_pattern($1, logfile, logfile)
+- read_lnk_files_pattern($1, logfile, logfile)
++ manage_lnk_files_pattern($1, logfile, logfile)
+ ')
+
+ ########################################
+@@ -848,6 +991,44 @@ interface(`logging_read_generic_logs',`
+
+ ########################################
+ ##
++## Link generic log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`logging_link_generic_logs',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ allow $1 var_log_t:file link;
++')
++
++########################################
++##
++## Delete generic log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`logging_delete_generic_logs',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ allow $1 var_log_t:file unlink;
++')
++
++########################################
++##
+ ## Write generic log files.
+ ##
+ ##
+@@ -868,6 +1049,24 @@ interface(`logging_write_generic_logs',`
+
+ ########################################
+ ##
++## Dontaudit read/Write inherited generic log files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`logging_dontaudit_rw_inherited_generic_logs',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ dontaudit $1 var_log_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Dontaudit Write generic log files.
+ ##
+ ##
+@@ -947,11 +1146,16 @@ interface(`logging_admin_audit',`
+ type auditd_t, auditd_etc_t, auditd_log_t;
+ type auditd_var_run_t;
+ type auditd_initrc_exec_t;
++ type auditd_unit_file_t;
+ ')
+
+- allow $1 auditd_t:process { ptrace signal_perms };
++ allow $1 auditd_t:process signal_perms;
+ ps_process_pattern($1, auditd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 auditd_t:process ptrace;
++ ')
++
+ manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
+ manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+
+@@ -967,6 +1171,33 @@ interface(`logging_admin_audit',`
+ domain_system_change_exemption($1)
+ role_transition $2 auditd_initrc_exec_t system_r;
+ allow $2 system_r;
++
++ logging_systemctl_audit($1)
++ admin_pattern($1, auditd_unit_file_t)
++ allow $1 auditd_unit_file_t:service all_service_perms;
++')
++
++########################################
++##
++## Execute auditd server in the auditd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`logging_systemctl_audit',`
++ gen_require(`
++ type auditd_t;
++ type auditd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 auditd_unit_file_t:file read_file_perms;
++ allow $1 auditd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, auditd_t)
+ ')
+
+ ########################################
+@@ -995,10 +1226,15 @@ interface(`logging_admin_syslog',`
+ type syslogd_initrc_exec_t;
+ ')
+
+- allow $1 syslogd_t:process { ptrace signal_perms };
+- allow $1 klogd_t:process { ptrace signal_perms };
++ allow $1 self:capability2 syslog;
++ allow $1 syslogd_t:process signal_perms;
++ allow $1 klogd_t:process signal_perms;
+ ps_process_pattern($1, syslogd_t)
+ ps_process_pattern($1, klogd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 syslogd_t:process ptrace;
++ allow $1 klogd_t:process ptrace;
++ ')
+
+ manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
+ manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
+@@ -1020,6 +1256,8 @@ interface(`logging_admin_syslog',`
+ manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+
+ logging_manage_all_logs($1)
++ allow $1 logfile:dir relabel_dir_perms;
++ allow $1 logfile:file relabel_file_perms;
+
+ init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -1048,3 +1286,29 @@ interface(`logging_admin',`
+ logging_admin_audit($1, $2)
+ logging_admin_syslog($1, $2)
+ ')
++
++########################################
++##
++## Transition to logging named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_filetrans_named_content',`
++ gen_require(`
++ type var_log_t;
++ type audit_spool_t;
++ type syslogd_var_run_t;
++ ')
++
++ files_pid_filetrans($1, syslogd_var_run_t, dir, "log")
++ files_spool_filetrans($1, var_log_t, dir, "rsyslog")
++ files_spool_filetrans($1, var_log_t, dir, "log")
++ files_spool_filetrans($1, audit_spool_t, dir, "audit")
++ files_var_filetrans($1, var_log_t, dir, "webmin")
++
++ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
++')
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 0034021..c62bd95 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -4,6 +4,21 @@ policy_module(logging, 1.19.0)
+ #
+ # Declarations
+ #
++attribute syslog_client_type;
++
++##
++##
++## Allow syslogd daemon to send mail
++##
++##
++gen_tunable(logging_syslogd_can_sendmail, false)
++
++##
++##
++## Allow syslogd the ability to read/write terminals
++##
++##
++gen_tunable(logging_syslogd_use_tty, false)
+
+ attribute logfile;
+
+@@ -20,6 +35,7 @@ files_security_file(auditd_log_t)
+ files_security_mountpoint(auditd_log_t)
+
+ type audit_spool_t;
++files_spool_file(audit_spool_t)
+ files_security_file(audit_spool_t)
+ files_security_mountpoint(audit_spool_t)
+
+@@ -33,6 +49,9 @@ init_script_file(auditd_initrc_exec_t)
+ type auditd_var_run_t;
+ files_pid_file(auditd_var_run_t)
+
++type auditd_unit_file_t;
++systemd_unit_file(auditd_unit_file_t)
++
+ type audisp_t;
+ type audisp_exec_t;
+ init_system_domain(audisp_t, audisp_exec_t)
+@@ -64,6 +83,7 @@ files_config_file(syslog_conf_t)
+ type syslogd_t;
+ type syslogd_exec_t;
+ init_daemon_domain(syslogd_t, syslogd_exec_t)
++mls_trusted_object(syslogd_t)
+
+ type syslogd_initrc_exec_t;
+ init_script_file(syslogd_initrc_exec_t)
+@@ -76,6 +96,7 @@ files_type(syslogd_var_lib_t)
+
+ type syslogd_var_run_t;
+ files_pid_file(syslogd_var_run_t)
++mls_trusted_object(syslogd_var_run_t)
+
+ type var_log_t;
+ logging_log_file(var_log_t)
+@@ -94,6 +115,8 @@ ifdef(`enable_mls',`
+ allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+
++allow auditctl_t self:process getcap;
++
+ read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
+ allow auditctl_t auditd_etc_t:dir list_dir_perms;
+
+@@ -111,7 +134,7 @@ domain_use_interactive_fds(auditctl_t)
+
+ mls_file_read_all_levels(auditctl_t)
+
+-term_use_all_terms(auditctl_t)
++term_use_all_inherited_terms(auditctl_t)
+
+ init_dontaudit_use_fds(auditctl_t)
+
+@@ -148,6 +171,7 @@ kernel_read_kernel_sysctls(auditd_t)
+ # Needs to be able to run dispatcher. see /etc/audit/auditd.conf
+ # Probably want a transition, and a new auditd_helper app
+ kernel_read_system_state(auditd_t)
++kernel_read_network_state(auditd_t)
+
+ dev_read_sysfs(auditd_t)
+
+@@ -155,9 +179,6 @@ fs_getattr_all_fs(auditd_t)
+ fs_search_auto_mountpoints(auditd_t)
+ fs_rw_anon_inodefs_files(auditd_t)
+
+-selinux_search_fs(auditctl_t)
+-
+-corenet_all_recvfrom_unlabeled(auditd_t)
+ corenet_all_recvfrom_netlabel(auditd_t)
+ corenet_tcp_sendrecv_generic_if(auditd_t)
+ corenet_tcp_sendrecv_generic_node(auditd_t)
+@@ -183,16 +204,16 @@ logging_send_syslog_msg(auditd_t)
+ logging_domtrans_dispatcher(auditd_t)
+ logging_signal_dispatcher(auditd_t)
+
+-miscfiles_read_localization(auditd_t)
++auth_use_nsswitch(auditd_t)
++
+
+ mls_file_read_all_levels(auditd_t)
+ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
+-
+-seutil_dontaudit_read_config(auditd_t)
++mls_socket_write_all_levels(auditd_t)
+
+ sysnet_dns_name_resolve(auditd_t)
+
+-userdom_use_user_terminals(auditd_t)
++userdom_use_inherited_user_terminals(auditd_t)
+ userdom_dontaudit_use_unpriv_user_fds(auditd_t)
+ userdom_dontaudit_search_user_home_dirs(auditd_t)
+
+@@ -237,19 +258,29 @@ corecmd_exec_shell(audisp_t)
+
+ domain_use_interactive_fds(audisp_t)
+
++fs_getattr_all_fs(audisp_t)
++
+ files_read_etc_files(audisp_t)
+ files_read_etc_runtime_files(audisp_t)
+
++mls_file_read_all_levels(audisp_t)
+ mls_file_write_all_levels(audisp_t)
++mls_socket_write_all_levels(audisp_t)
++mls_dbus_send_all_levels(audisp_t)
++
++auth_use_nsswitch(audisp_t)
+
+ logging_send_syslog_msg(audisp_t)
+
+-miscfiles_read_localization(audisp_t)
+
+ sysnet_dns_name_resolve(audisp_t)
+
+ optional_policy(`
+ dbus_system_bus_client(audisp_t)
++
++ optional_policy(`
++ setroubleshoot_dbus_chat(audisp_t)
++ ')
+ ')
+
+ ########################################
+@@ -268,7 +299,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
+
+ corecmd_exec_bin(audisp_remote_t)
+
+-corenet_all_recvfrom_unlabeled(audisp_remote_t)
+ corenet_all_recvfrom_netlabel(audisp_remote_t)
+ corenet_tcp_sendrecv_generic_if(audisp_remote_t)
+ corenet_tcp_sendrecv_generic_node(audisp_remote_t)
+@@ -280,10 +310,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+
+ files_read_etc_files(audisp_remote_t)
+
++mls_socket_write_all_levels(audisp_remote_t)
++
+ logging_send_syslog_msg(audisp_remote_t)
+ logging_send_audit_msgs(audisp_remote_t)
+
+-miscfiles_read_localization(audisp_remote_t)
++auth_use_nsswitch(audisp_remote_t)
++auth_append_login_records(audisp_remote_t)
++
++
++init_telinit(audisp_remote_t)
++init_read_utmp(audisp_remote_t)
++init_dontaudit_write_utmp(audisp_remote_t)
+
+ sysnet_dns_name_resolve(audisp_remote_t)
+
+@@ -326,7 +364,6 @@ files_read_etc_files(klogd_t)
+
+ logging_send_syslog_msg(klogd_t)
+
+-miscfiles_read_localization(klogd_t)
+
+ mls_file_read_all_levels(klogd_t)
+
+@@ -354,12 +391,12 @@ optional_policy(`
+ # chown fsetid for syslog-ng
+ # sys_admin for the integrated klog of syslog-ng and metalog
+ # cjp: why net_admin!
+-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
++allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };
+ dontaudit syslogd_t self:capability sys_tty_config;
++allow syslogd_t self:capability2 { syslog block_suspend };
+ # setpgid for metalog
+ # setrlimit for syslog-ng
+-# getsched for syslog-ng
+-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched };
++allow syslogd_t self:process { signal_perms getcap setcap setpgid getsched setsched setrlimit };
+ # receive messages to be logged
+ allow syslogd_t self:unix_dgram_socket create_socket_perms;
+ allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -369,6 +406,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+
+ allow syslogd_t syslog_conf_t:file read_file_perms;
++allow syslogd_t syslog_conf_t:dir list_dir_perms;
+
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+@@ -377,6 +415,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+ # create/append log files.
+ manage_files_pattern(syslogd_t, var_log_t, var_log_t)
+ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
++files_search_spool(syslogd_t)
+
+ # Allow access for syslog-ng
+ allow syslogd_t var_log_t:dir { create setattr };
+@@ -386,22 +425,35 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+ manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+ files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
+
++manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
+ manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
+ files_search_var_lib(syslogd_t)
+
++manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
++manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
++manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
++files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
++
+ # manage pid file
+ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+ files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
+
++kernel_rw_stream_socket_perms(syslogd_t)
+ kernel_read_system_state(syslogd_t)
++kernel_read_network_state(syslogd_t)
+ kernel_read_kernel_sysctls(syslogd_t)
+ kernel_read_proc_symlinks(syslogd_t)
+ # Allow access to /proc/kmsg for syslog-ng
+ kernel_read_messages(syslogd_t)
++kernel_request_load_module(syslogd_t)
+ kernel_clear_ring_buffer(syslogd_t)
+ kernel_change_ring_buffer_level(syslogd_t)
++kernel_read_ring_buffer(syslogd_t)
++
++ifdef(`hide_broken_symptoms',`
++ kernel_rw_unix_dgram_sockets(syslogd_t)
++')
+
+-corenet_all_recvfrom_unlabeled(syslogd_t)
+ corenet_all_recvfrom_netlabel(syslogd_t)
+ corenet_udp_sendrecv_generic_if(syslogd_t)
+ corenet_udp_sendrecv_generic_node(syslogd_t)
+@@ -427,10 +479,28 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+ corenet_sendrecv_postgresql_client_packets(syslogd_t)
+ corenet_sendrecv_mysqld_client_packets(syslogd_t)
+
++tunable_policy(`logging_syslogd_use_tty',`
++ term_use_all_ttys(syslogd_t)
++ term_use_all_ptys(syslogd_t)
++')
++
++tunable_policy(`logging_syslogd_can_sendmail',`
++ # support for ommail module to send logs via mail
++ corenet_tcp_connect_smtp_port(syslogd_t)
++')
++
+ dev_filetrans(syslogd_t, devlog_t, sock_file)
+ dev_read_sysfs(syslogd_t)
++dev_read_rand(syslogd_t)
++dev_read_urand(syslogd_t)
++# relating to systemd-kmsg-syslogd
++dev_write_kmsg(syslogd_t)
++dev_read_kmsg(syslogd_t)
+
++domain_read_all_domains_state(syslogd_t)
+ domain_use_interactive_fds(syslogd_t)
++domain_read_all_domains_state(syslogd_t)
++domain_getattr_all_domains(syslogd_t)
+
+ files_read_etc_files(syslogd_t)
+ files_read_usr_files(syslogd_t)
+@@ -441,14 +511,18 @@ files_dontaudit_search_isid_type_dirs(syslogd_t)
+ files_read_kernel_symbol_table(syslogd_t)
+
+ fs_getattr_all_fs(syslogd_t)
++fs_rw_tmpfs_files(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
++fs_search_cgroup_dirs(syslogd_t)
+
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+
+ term_write_console(syslogd_t)
+ # Allow syslog to a terminal
+ term_write_unallocated_ttys(syslogd_t)
++term_use_generic_ptys(syslogd_t)
+
++init_stream_connect(syslogd_t)
+ # for sending messages to logged in users
+ init_read_utmp(syslogd_t)
+ init_dontaudit_write_utmp(syslogd_t)
+@@ -460,11 +534,11 @@ init_use_fds(syslogd_t)
+
+ # cjp: this doesnt make sense
+ logging_send_syslog_msg(syslogd_t)
++logging_manage_all_logs(syslogd_t)
+
+-miscfiles_read_localization(syslogd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
+-userdom_dontaudit_search_user_home_dirs(syslogd_t)
++userdom_search_user_home_dirs(syslogd_t)
+
+ ifdef(`distro_gentoo',`
+ # default gentoo syslog-ng config appends kernel
+@@ -493,15 +567,36 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ kerberos_keytab_template(syslogd, syslogd_t)
++ kerberos_manage_host_rcache(syslogd_t)
++ kerberos_read_config(syslogd_t)
++')
++
++optional_policy(`
++ mysql_read_config(syslogd_t)
+ mysql_stream_connect(syslogd_t)
+ ')
+
+ optional_policy(`
++ plymouthd_manage_log(syslogd_t)
++')
++
++optional_policy(`
++ postfix_search_spool(syslogd_t)
++')
++
++optional_policy(`
+ postgresql_stream_connect(syslogd_t)
+ ')
+
+ optional_policy(`
+ seutil_sigchld_newrole(syslogd_t)
++ snmp_read_snmp_var_lib_files(syslogd_t)
++ snmp_dontaudit_write_snmp_var_lib_files(syslogd_t)
++')
++
++optional_policy(`
++ daemontools_search_svc_dir(syslogd_t)
+ ')
+
+ optional_policy(`
+@@ -512,3 +607,24 @@ optional_policy(`
+ # log to the xconsole
+ xserver_rw_console(syslogd_t)
+ ')
++
++#####################################################
++#
++# syslog client rules
++#
++allow syslog_client_type devlog_t:lnk_file read_lnk_file_perms;
++allow syslog_client_type devlog_t:sock_file write_sock_file_perms;
++
++# the type of socket depends on the syslog daemon
++allow syslog_client_type syslogd_t:unix_dgram_socket sendto;
++allow syslog_client_type syslogd_t:unix_stream_socket connectto;
++allow syslog_client_type self:unix_dgram_socket create_socket_perms;
++allow syslog_client_type self:unix_stream_socket create_socket_perms;
++
++# If syslog is down, the glibc syslog() function
++# will write to the console.
++term_write_console(syslog_client_type)
++term_dontaudit_read_console(syslog_client_type)
++ifdef(`hide_broken_symptoms',`
++ kernel_dgram_send(syslog_client_type)
++')
+diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
+index 879bb1e..c11d48b 100644
+--- a/policy/modules/system/lvm.fc
++++ b/policy/modules/system/lvm.fc
+@@ -23,28 +23,34 @@ ifdef(`distro_gentoo',`
+ /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+ /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+
++/etc/multipath(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
++
+ #
+ # /lib
+ #
+ /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
+
+ #
+ # /sbin
+ #
++/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
+-/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -88,8 +94,69 @@ ifdef(`distro_gentoo',`
+ #
+ # /usr
+ #
+-/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
+-/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
++/usr/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/dmeventd -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvresize -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvmove -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgcfgbackup -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgcfgrestore -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgchange\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgck -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgexport -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgimport -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgmerge -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgmknodes -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgreduce -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgrename -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgs -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgscan\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0)
++
++/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/systemd/system-generators/lvm2.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
+
+ #
+ # /var
+@@ -97,5 +164,7 @@ ifdef(`distro_gentoo',`
+ /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+ /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
+ /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
++/var/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
+ /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
++/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
+ /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
+diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
+index 58bc27f..51e9872 100644
+--- a/policy/modules/system/lvm.if
++++ b/policy/modules/system/lvm.if
+@@ -123,3 +123,94 @@ interface(`lvm_domtrans_clvmd',`
+ corecmd_search_bin($1)
+ domtrans_pattern($1, clvmd_exec_t, clvmd_t)
+ ')
++
++########################################
++##
++## Read and write to lvm temporary file system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lvm_rw_clvmd_tmpfs_files',`
++ gen_require(`
++ type clvmd_tmpfs_t;
++ ')
++
++ allow $1 clvmd_tmpfs_t:file rw_file_perms;
++')
++
++########################################
++##
++## Delete lvm temporary file system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lvm_delete_clvmd_tmpfs_files',`
++ gen_require(`
++ type clvmd_tmpfs_t;
++ ')
++
++ allow $1 clvmd_tmpfs_t:file unlink;
++')
++
++########################################
++##
++## Send lvm a null signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lvm_signull',`
++ gen_require(`
++ type lvm_t;
++ ')
++
++ allow $1 lvm_t:process signull;
++')
++
++########################################
++##
++## Send a message to lvm over the
++## datagram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lvm_dgram_send',`
++ gen_require(`
++ type lvm_t;
++ ')
++
++ allow $1 lvm_t:unix_dgram_socket sendto;
++')
++
++########################################
++##
++## Read and write a lvm unnamed pipe.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lvm_rw_pipes',`
++ gen_require(`
++ type lvm_var_run_t;
++ ')
++
++ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
++')
+diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
+index f8eeecd..0d42470 100644
+--- a/policy/modules/system/lvm.te
++++ b/policy/modules/system/lvm.te
+@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
+ type clvmd_initrc_exec_t;
+ init_script_file(clvmd_initrc_exec_t)
+
++type clvmd_tmpfs_t alias clmvd_tmpfs_t;
++files_tmpfs_file(clvmd_tmpfs_t)
++
+ type clvmd_var_run_t;
+ files_pid_file(clvmd_var_run_t)
+
+@@ -24,7 +27,7 @@ domain_obj_id_change_exemption(lvm_t)
+ role system_r types lvm_t;
+
+ type lvm_etc_t;
+-files_type(lvm_etc_t)
++files_config_file(lvm_etc_t)
+
+ type lvm_lock_t;
+ files_lock_file(lvm_lock_t)
+@@ -49,13 +52,16 @@ files_tmp_file(lvm_tmp_t)
+ allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
+ dontaudit clvmd_t self:capability sys_tty_config;
+ allow clvmd_t self:process { signal_perms setsched };
+-dontaudit clvmd_t self:process ptrace;
+ allow clvmd_t self:socket create_socket_perms;
+ allow clvmd_t self:fifo_file rw_fifo_file_perms;
+ allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow clvmd_t self:tcp_socket create_stream_socket_perms;
+ allow clvmd_t self:udp_socket create_socket_perms;
+
++manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t)
++manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)
++fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })
++
+ manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
+ files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
+
+@@ -71,7 +77,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
+ corecmd_exec_shell(clvmd_t)
+ corecmd_getattr_bin_files(clvmd_t)
+
+-corenet_all_recvfrom_unlabeled(clvmd_t)
+ corenet_all_recvfrom_netlabel(clvmd_t)
+ corenet_tcp_sendrecv_generic_if(clvmd_t)
+ corenet_udp_sendrecv_generic_if(clvmd_t)
+@@ -120,9 +125,7 @@ init_dontaudit_getattr_initctl(clvmd_t)
+
+ logging_send_syslog_msg(clvmd_t)
+
+-miscfiles_read_localization(clvmd_t)
+
+-seutil_dontaudit_search_config(clvmd_t)
+ seutil_sigchld_newrole(clvmd_t)
+ seutil_read_config(clvmd_t)
+ seutil_read_file_contexts(clvmd_t)
+@@ -141,6 +144,11 @@ ifdef(`distro_redhat',`
+ ')
+
+ optional_policy(`
++ aisexec_stream_connect(clvmd_t)
++ corosync_stream_connect(clvmd_t)
++')
++
++optional_policy(`
+ ccs_stream_connect(clvmd_t)
+ ')
+
+@@ -170,6 +178,7 @@ dontaudit lvm_t self:capability sys_tty_config;
+ allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
+ # LVM will complain a lot if it cannot set its priority.
+ allow lvm_t self:process setsched;
++allow lvm_t self:sem create_sem_perms;
+ allow lvm_t self:file rw_file_perms;
+ allow lvm_t self:fifo_file manage_fifo_file_perms;
+ allow lvm_t self:unix_dgram_socket create_socket_perms;
+@@ -191,8 +200,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+ can_exec(lvm_t, lvm_exec_t)
+
+ # Creating lock files
++manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+ manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+-files_lock_filetrans(lvm_t, lvm_lock_t, file)
++files_lock_filetrans(lvm_t, lvm_lock_t, { file dir })
+
+ manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
+ manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
+@@ -200,8 +210,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+
+ manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+ manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
++manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+ manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+-files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
++files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
+
+ read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+ read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+@@ -213,11 +224,13 @@ files_search_mnt(lvm_t)
+
+ kernel_get_sysvipc_info(lvm_t)
+ kernel_read_system_state(lvm_t)
++kernel_read_kernel_sysctls(lvm_t)
+ # Read system variables in /proc/sys
+ kernel_read_kernel_sysctls(lvm_t)
+ # it has no reason to need this
+ kernel_dontaudit_getattr_core_if(lvm_t)
+ kernel_use_fds(lvm_t)
++kernel_request_load_module(lvm_t)
+ kernel_search_debugfs(lvm_t)
+
+ corecmd_exec_bin(lvm_t)
+@@ -228,11 +241,13 @@ dev_delete_generic_dirs(lvm_t)
+ dev_read_rand(lvm_t)
+ dev_read_urand(lvm_t)
+ dev_rw_lvm_control(lvm_t)
++dev_write_kmsg(lvm_t)
+ dev_manage_generic_symlinks(lvm_t)
+ dev_relabel_generic_dev_dirs(lvm_t)
+ dev_manage_generic_blk_files(lvm_t)
+ # Read /sys/block. Device mapper metadata is kept there.
+-dev_read_sysfs(lvm_t)
++# cryptsetup writes read_ahead_kb
++dev_rw_sysfs(lvm_t)
+ # cjp: this has no effect since LVM does not
+ # have lnk_file relabelto for anything else.
+ # perhaps this should be blk_files?
+@@ -244,6 +259,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+ dev_dontaudit_getattr_generic_blk_files(lvm_t)
+ dev_dontaudit_getattr_generic_pipes(lvm_t)
+ dev_create_generic_dirs(lvm_t)
++dev_rw_generic_files(lvm_t)
+
+ domain_use_interactive_fds(lvm_t)
+ domain_read_all_domains_state(lvm_t)
+@@ -253,17 +269,21 @@ files_read_etc_files(lvm_t)
+ files_read_etc_runtime_files(lvm_t)
+ # for when /usr is not mounted:
+ files_dontaudit_search_isid_type_dirs(lvm_t)
++fs_rw_inherited_tmpfs_files(lvm_t)
+
+-fs_getattr_xattr_fs(lvm_t)
++fs_getattr_all_fs(lvm_t)
+ fs_search_auto_mountpoints(lvm_t)
+ fs_list_tmpfs(lvm_t)
+ fs_read_tmpfs_symlinks(lvm_t)
+ fs_dontaudit_read_removable_files(lvm_t)
+ fs_dontaudit_getattr_tmpfs_files(lvm_t)
+ fs_rw_anon_inodefs_files(lvm_t)
++fs_list_auto_mountpoints(lvm_t)
++fs_list_hugetlbfs(lvm_t)
+
+ mls_file_read_all_levels(lvm_t)
+ mls_file_write_to_clearance(lvm_t)
++mls_file_upgrade(lvm_t)
+
+ selinux_get_fs_mount(lvm_t)
+ selinux_validate_context(lvm_t)
+@@ -283,7 +303,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+ # Access raw devices and old /dev/lvm (c 109,0). Is this needed?
+ storage_manage_fixed_disk(lvm_t)
+
+-term_use_all_terms(lvm_t)
++term_use_all_inherited_terms(lvm_t)
+
+ init_use_fds(lvm_t)
+ init_dontaudit_getattr_initctl(lvm_t)
+@@ -291,15 +311,20 @@ init_use_script_ptys(lvm_t)
+ init_read_script_state(lvm_t)
+
+ logging_send_syslog_msg(lvm_t)
++logging_stream_connect_syslog(lvm_t)
++
++authlogin_rw_pipes(lvm_t)
+
+-miscfiles_read_localization(lvm_t)
+
+ seutil_read_config(lvm_t)
+ seutil_read_file_contexts(lvm_t)
+ seutil_search_default_contexts(lvm_t)
+ seutil_sigchld_newrole(lvm_t)
+
++userdom_use_inherited_user_terminals(lvm_t)
+ userdom_use_user_terminals(lvm_t)
++userdom_rw_semaphores(lvm_t)
++userdom_search_user_home_dirs(lvm_t)
+
+ ifdef(`distro_redhat',`
+ # this is from the initrd:
+@@ -311,6 +336,11 @@ ifdef(`distro_redhat',`
+ ')
+
+ optional_policy(`
++ aisexec_stream_connect(lvm_t)
++ corosync_stream_connect(lvm_t)
++')
++
++optional_policy(`
+ bootloader_rw_tmp_files(lvm_t)
+ ')
+
+@@ -331,14 +361,26 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ livecd_rw_semaphores(lvm_t)
++')
++
++optional_policy(`
+ modutils_domtrans_insmod(lvm_t)
+ ')
+
+ optional_policy(`
++ raid_read_mdadm_pid(lvm_t)
++')
++
++optional_policy(`
+ rpm_manage_script_tmp_files(lvm_t)
+ ')
+
+ optional_policy(`
++ systemd_manage_passwd_run(lvm_t)
++')
++
++optional_policy(`
+ udev_read_db(lvm_t)
+ ')
+
+diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
+index fe3427d..2410a4e 100644
+--- a/policy/modules/system/miscfiles.fc
++++ b/policy/modules/system/miscfiles.fc
+@@ -9,8 +9,9 @@ ifdef(`distro_gentoo',`
+ # /etc
+ #
+ /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+-/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
+-/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
++/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)
++/etc/localtime gen_context(system_u:object_r:locale_t,s0)
++/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)
+ /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
+
+@@ -36,11 +37,6 @@ ifdef(`distro_redhat',`
+
+ /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
+-/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+-/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+-
+-/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+-
+ /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
+ /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+@@ -75,8 +71,9 @@ ifdef(`distro_redhat',`
+
+ /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
+ /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
+-/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
++
++/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:cert_t,s0)
+ /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+
+ /var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
+diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
+index 926ba65..9cac7b3 100644
+--- a/policy/modules/system/miscfiles.if
++++ b/policy/modules/system/miscfiles.if
+@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
+
+ ########################################
+ ##
++## Dontaudit attempts to write generic SSL certificates.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`miscfiles_dontaudit_write_generic_cert_files',`
++ gen_require(`
++ type cert_t;
++ ')
++
++ dontaudit $1 cert_t:file write;
++')
++
++########################################
++##
+ ## Manage generic SSL certificates.
+ ##
+ ##
+@@ -434,6 +452,7 @@ interface(`miscfiles_rw_localization',`
+ files_search_usr($1)
+ allow $1 locale_t:dir list_dir_perms;
+ rw_files_pattern($1, locale_t, locale_t)
++ manage_lnk_files_pattern($1, locale_t, locale_t)
+ ')
+
+ ########################################
+@@ -453,6 +472,7 @@ interface(`miscfiles_relabel_localization',`
+
+ files_search_usr($1)
+ relabel_files_pattern($1, locale_t, locale_t)
++ relabel_lnk_files_pattern($1, locale_t, locale_t)
+ ')
+
+ ########################################
+@@ -470,7 +490,6 @@ interface(`miscfiles_legacy_read_localization',`
+ type locale_t;
+ ')
+
+- miscfiles_read_localization($1)
+ allow $1 locale_t:file execute;
+ ')
+
+@@ -531,6 +550,10 @@ interface(`miscfiles_read_man_pages',`
+ allow $1 man_t:dir list_dir_perms;
+ read_files_pattern($1, man_t, man_t)
+ read_lnk_files_pattern($1, man_t, man_t)
++
++ optional_policy(`
++ mandb_read_cache_files($1)
++ ')
+ ')
+
+ ########################################
+@@ -557,6 +580,11 @@ interface(`miscfiles_delete_man_pages',`
+ delete_dirs_pattern($1, man_t, man_t)
+ delete_files_pattern($1, man_t, man_t)
+ delete_lnk_files_pattern($1, man_t, man_t)
++
++ optional_policy(`
++ mandb_setattr_cache_dirs($1)
++ mandb_delete_cache($1)
++ ')
+ ')
+
+ ########################################
+@@ -582,6 +610,30 @@ interface(`miscfiles_manage_man_pages',`
+
+ ########################################
+ ##
++## Allow process to relabel man_pages info
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`miscfiles_relabel_man_pages',`
++ gen_require(`
++ type man_t;
++ ')
++
++ files_search_usr($1)
++ relabel_dirs_pattern($1, man_t, man_t)
++ relabel_files_pattern($1, man_t, man_t)
++
++ optional_policy(`
++ mandb_relabel_cache($1)
++ ')
++')
++
++########################################
++##
+ ## Read public files used for file
+ ## transfer services.
+ ##
+@@ -744,8 +796,10 @@ interface(`miscfiles_etc_filetrans_localization',`
+ type locale_t;
+ ')
+
+- files_etc_filetrans($1, locale_t, file)
+-
++ files_etc_filetrans($1, locale_t, lnk_file)
++ files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
++ files_etc_filetrans($1, locale_t, file, "locale.conf" )
++ files_etc_filetrans($1, locale_t, file, "timezone" )
+ ')
+
+ ########################################
+@@ -769,3 +823,43 @@ interface(`miscfiles_manage_localization',`
+ manage_lnk_files_pattern($1, locale_t, locale_t)
+ ')
+
++########################################
++##
++## Transition to miscfiles named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`miscfiles_filetrans_named_content',`
++ gen_require(`
++ type locale_t;
++ type man_t;
++ type cert_t;
++ type fonts_t;
++ type fonts_cache_t;
++ type hwdata_t;
++ type tetex_data_t;
++ type public_content_t;
++ ')
++
++ files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
++ files_etc_filetrans($1, locale_t, file, "locale.conf")
++ files_etc_filetrans($1, locale_t, file, "locale.conf.new")
++ files_var_filetrans($1, man_t, dir, "man")
++ files_etc_filetrans($1, locale_t, file, "timezone")
++ files_etc_filetrans($1, locale_t, file, "clock")
++ files_etc_filetrans($1, cert_t, dir, "pki")
++ files_usr_filetrans($1, locale_t, dir, "locale")
++ files_usr_filetrans($1, locale_t, dir, "zoneinfo")
++ files_usr_filetrans($1, cert_t, dir, "certs")
++ files_usr_filetrans($1, fonts_t, dir, "fonts")
++ files_usr_filetrans($1, hwdata_t, dir, "hwdata")
++ files_var_filetrans($1, fonts_cache_t, dir, "fontconfig")
++ files_var_filetrans($1, tetex_data_t, dir, "fonts")
++ files_spool_filetrans($1, tetex_data_t, dir, "texmf")
++ files_var_lib_filetrans($1, tetex_data_t, dir, "texmf")
++ files_var_filetrans($1, public_content_t, dir, "ftp")
++')
+diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
+index 622fb4f..69b6fef 100644
+--- a/policy/modules/system/miscfiles.te
++++ b/policy/modules/system/miscfiles.te
+@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.0)
+ #
+ # Declarations
+ #
+-
+ attribute cert_type;
+
+ #
+diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
+index 2410551..e5026a9 100644
+--- a/policy/modules/system/modutils.fc
++++ b/policy/modules/system/modutils.fc
+@@ -20,3 +20,15 @@ ifdef(`distro_gentoo',`
+ /sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0)
+ /sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
+ /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
++
++/usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
++
++/usr/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
++/usr/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
++/usr/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
++/usr/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
++/usr/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0)
++/usr/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
++/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
++
++/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
+index 350c450..2debedc 100644
+--- a/policy/modules/system/modutils.if
++++ b/policy/modules/system/modutils.if
+@@ -12,7 +12,7 @@
+ #
+ interface(`modutils_getattr_module_deps',`
+ gen_require(`
+- type modules_dep_t;
++ type modules_dep_t, modules_object_t;
+ ')
+
+ getattr_files_pattern($1, modules_object_t, modules_dep_t)
+@@ -39,6 +39,44 @@ interface(`modutils_read_module_deps',`
+
+ ########################################
+ ##
++## Read the dependencies of kernel modules.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`modutils_delete_module_deps',`
++ gen_require(`
++ type modules_dep_t;
++ ')
++
++ delete_files_pattern($1, modules_dep_t, modules_dep_t)
++')
++
++########################################
++##
++## list the configuration options used when
++## loading modules.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`modutils_list_module_config',`
++ gen_require(`
++ type modules_conf_t;
++ ')
++
++ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
++')
++
++########################################
++##
+ ## Read the configuration options used when
+ ## loading modules.
+ ##
+@@ -307,11 +345,18 @@ interface(`modutils_domtrans_update_mods',`
+ #
+ interface(`modutils_run_update_mods',`
+ gen_require(`
+- attribute_role update_modules_roles;
++ #attribute_role update_modules_roles;
++ type update_modules_t;
+ ')
+
++ #modutils_domtrans_update_mods($1)
++ #roleattribute $2 update_modules_roles;
++
+ modutils_domtrans_update_mods($1)
+- roleattribute $2 update_modules_roles;
++ role $2 types update_modules_t;
++
++ modutils_run_insmod(update_modules_t, $2)
++
+ ')
+
+ ########################################
+@@ -332,3 +377,25 @@ interface(`modutils_exec_update_mods',`
+ corecmd_search_bin($1)
+ can_exec($1, update_modules_exec_t)
+ ')
++
++########################################
++##
++## Transition to modutils named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`modules_filetrans_named_content',`
++ gen_require(`
++ type modules_dep_t;
++ type modules_conf_t;
++ ')
++
++ files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
++ files_etc_filetrans($1, modules_conf_t, file, "modules.conf")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
++')
+diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
+index b4ff2f7..0db04d2 100644
+--- a/policy/modules/system/modutils.te
++++ b/policy/modules/system/modutils.te
+@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.0)
+ # Declarations
+ #
+
+-attribute_role update_modules_roles;
++#attribute_role update_modules_roles;
+
+ type depmod_t;
+ type depmod_exec_t;
+@@ -16,11 +16,12 @@ type insmod_t;
+ type insmod_exec_t;
+ application_domain(insmod_t, insmod_exec_t)
+ mls_file_write_all_levels(insmod_t)
++mls_process_write_down(insmod_t)
+ role system_r types insmod_t;
+
+ # module loading config
+ type modules_conf_t;
+-files_type(modules_conf_t)
++files_config_file(modules_conf_t)
+
+ # module dependencies
+ type modules_dep_t;
+@@ -29,12 +30,16 @@ files_type(modules_dep_t)
+ type update_modules_t;
+ type update_modules_exec_t;
+ init_system_domain(update_modules_t, update_modules_exec_t)
+-roleattribute system_r update_modules_roles;
+-role update_modules_roles types update_modules_t;
++#roleattribute system_r update_modules_roles;
++#role update_modules_roles types update_modules_t;
++role system_r types update_modules_t;
+
+ type update_modules_tmp_t;
+ files_tmp_file(update_modules_tmp_t)
+
++type insmod_tmpfs_t;
++files_tmpfs_file(insmod_tmpfs_t)
++
+ ########################################
+ #
+ # depmod local policy
+@@ -54,12 +59,15 @@ corecmd_search_bin(depmod_t)
+
+ domain_use_interactive_fds(depmod_t)
+
++files_delete_kernel_modules(depmod_t)
+ files_read_kernel_symbol_table(depmod_t)
+ files_read_kernel_modules(depmod_t)
+ files_read_etc_runtime_files(depmod_t)
+ files_read_etc_files(depmod_t)
+ files_read_usr_src_files(depmod_t)
+ files_list_usr(depmod_t)
++files_append_var_files(depmod_t)
++files_read_boot_files(depmod_t)
+
+ fs_getattr_xattr_fs(depmod_t)
+
+@@ -69,10 +77,12 @@ init_use_fds(depmod_t)
+ init_use_script_fds(depmod_t)
+ init_use_script_ptys(depmod_t)
+
+-userdom_use_user_terminals(depmod_t)
++userdom_use_inherited_user_terminals(depmod_t)
+ # Read System.map from home directories.
+ files_list_home(depmod_t)
+ userdom_read_user_home_content_files(depmod_t)
++userdom_manage_user_tmp_files(depmod_t)
++userdom_home_reader(depmod_t)
+
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+@@ -80,12 +90,8 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(depmod_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(depmod_t)
++optional_policy(`
++ bootloader_rw_tmp_files(insmod_t)
+ ')
+
+ optional_policy(`
+@@ -94,7 +100,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- # Read System.map from home directories.
+ unconfined_domain(depmod_t)
+ ')
+
+@@ -103,11 +108,12 @@ optional_policy(`
+ # insmod local policy
+ #
+
+-allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
++allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config };
+ allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+
+ allow insmod_t self:udp_socket create_socket_perms;
+ allow insmod_t self:rawip_socket create_socket_perms;
++allow insmod_t self:shm create_shm_perms;
+
+ # Read module config and dependency information
+ list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
+@@ -117,7 +123,11 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+
+ can_exec(insmod_t, insmod_exec_t)
+
++manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)
++fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)
++
+ kernel_load_module(insmod_t)
++files_manage_kernel_modules(insmod_t)
+ kernel_request_load_module(insmod_t)
+ kernel_read_system_state(insmod_t)
+ kernel_read_network_state(insmod_t)
+@@ -125,6 +135,7 @@ kernel_write_proc_files(insmod_t)
+ kernel_mount_debugfs(insmod_t)
+ kernel_mount_kvmfs(insmod_t)
+ kernel_read_debugfs(insmod_t)
++kernel_request_load_module(insmod_t)
+ # Rules for /proc/sys/kernel/tainted
+ kernel_read_kernel_sysctls(insmod_t)
+ kernel_rw_kernel_sysctl(insmod_t)
+@@ -142,6 +153,7 @@ dev_rw_agp(insmod_t)
+ dev_read_sound(insmod_t)
+ dev_write_sound(insmod_t)
+ dev_rw_apm_bios(insmod_t)
++dev_create_generic_chr_files(insmod_t)
+
+ domain_signal_all_domains(insmod_t)
+ domain_use_interactive_fds(insmod_t)
+@@ -151,30 +163,38 @@ files_read_etc_runtime_files(insmod_t)
+ files_read_etc_files(insmod_t)
+ files_read_usr_files(insmod_t)
+ files_exec_etc_files(insmod_t)
++files_read_kernel_symbol_table(insmod_t)
+ # for nscd:
+ files_dontaudit_search_pids(insmod_t)
+ # for when /var is not mounted early in the boot:
+ files_dontaudit_search_isid_type_dirs(insmod_t)
+ # for locking: (cjp: ????)
+ files_write_kernel_modules(insmod_t)
++allow insmod_t modules_dep_t:file manage_file_perms;
++files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
+
+ fs_getattr_xattr_fs(insmod_t)
+ fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
++fs_mount_rpc_pipefs(insmod_t)
++fs_search_rpc(insmod_t)
++
++auth_use_nsswitch(insmod_t)
+
+ init_rw_initctl(insmod_t)
+ init_use_fds(insmod_t)
+ init_use_script_fds(insmod_t)
+ init_use_script_ptys(insmod_t)
++init_spec_domtrans_script(insmod_t)
++init_rw_script_tmp_files(insmod_t)
++init_dontaudit_getattr_stream_socket(insmod_t)
+
+ logging_send_syslog_msg(insmod_t)
+ logging_search_logs(insmod_t)
+
+-miscfiles_read_localization(insmod_t)
+
+ seutil_read_file_contexts(insmod_t)
+
+-userdom_use_user_terminals(insmod_t)
+-
++term_use_all_inherited_terms(insmod_t)
+ userdom_dontaudit_search_user_home_dirs(insmod_t)
+
+ kernel_domtrans_to(insmod_t, insmod_exec_t)
+@@ -184,28 +204,32 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- firstboot_dontaudit_rw_pipes(insmod_t)
+- firstboot_dontaudit_rw_stream_sockets(insmod_t)
++ devicekit_use_fds_disk(insmod_t)
++ devicekit_dontaudit_read_pid_files(insmod_t)
+ ')
+
+ optional_policy(`
+- hal_write_log(insmod_t)
++ firstboot_dontaudit_leaks(insmod_t)
+ ')
+
+ optional_policy(`
+- hotplug_search_config(insmod_t)
++ firewallgui_dontaudit_rw_pipes(insmod_t)
+ ')
+
+ optional_policy(`
+- mount_domtrans(insmod_t)
++ hal_write_log(insmod_t)
++')
++
++optional_policy(`
++ hotplug_search_config(insmod_t)
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(insmod_t)
++ kdump_manage_kdumpctl_tmp_files(insmod_t)
+ ')
+
+ optional_policy(`
+- nscd_socket_use(insmod_t)
++ mount_domtrans(insmod_t)
+ ')
+
+ optional_policy(`
+@@ -225,6 +249,7 @@ optional_policy(`
+
+ optional_policy(`
+ rpm_rw_pipes(insmod_t)
++ rpm_manage_script_tmp_files(insmod_t)
+ ')
+
+ optional_policy(`
+@@ -233,6 +258,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ virt_dontaudit_write_pipes(insmod_t)
++')
++
++optional_policy(`
+ # cjp: why is this needed:
+ dev_rw_xserver_misc(insmod_t)
+
+@@ -291,11 +320,10 @@ init_use_script_ptys(update_modules_t)
+
+ logging_send_syslog_msg(update_modules_t)
+
+-miscfiles_read_localization(update_modules_t)
+
+-modutils_run_insmod(update_modules_t, update_modules_roles)
++#modutils_run_insmod(update_modules_t, update_modules_roles)
+
+-userdom_use_user_terminals(update_modules_t)
++userdom_use_inherited_user_terminals(update_modules_t)
+ userdom_dontaudit_search_user_home_dirs(update_modules_t)
+
+ ifdef(`distro_gentoo',`
+diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
+index 72c746e..f035d9f 100644
+--- a/policy/modules/system/mount.fc
++++ b/policy/modules/system/mount.fc
+@@ -1,4 +1,26 @@
++/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
+ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+ /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+
+-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
++/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++
++/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++
++/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
++/usr/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/usr/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++
++/usr/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/usr/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0)
++
++/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++
++/usr/sbin/mount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/mount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
+diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
+index 4584457..300c3f7 100644
+--- a/policy/modules/system/mount.if
++++ b/policy/modules/system/mount.if
+@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
+ ')
+
+ domtrans_pattern($1, mount_exec_t, mount_t)
++ mount_domtrans_fusermount($1)
++
++ allow $1 mount_t:fd use;
++ ps_process_pattern(mount_t, $1)
++
++ allow mount_t $1:key write;
++ allow mount_t $1:unix_stream_socket { read write };
+ ')
+
+ ########################################
+@@ -38,11 +45,103 @@ interface(`mount_domtrans',`
+ #
+ interface(`mount_run',`
+ gen_require(`
+- attribute_role mount_roles;
++ #attribute_role mount_roles;
++ type mount_t;
+ ')
+
++ #mount_domtrans($1)
++ #roleattribute $2 mount_roles;
++
+ mount_domtrans($1)
+- roleattribute $2 mount_roles;
++ role $2 types mount_t;
++
++ optional_policy(`
++ fstools_run(mount_t, $2)
++ ')
++
++ optional_policy(`
++ lvm_run(mount_t, $2)
++ ')
++
++ optional_policy(`
++ modutils_run_insmod(mount_t, $2)
++ ')
++
++ optional_policy(`
++ rpc_run_rpcd(mount_t, $2)
++ ')
++
++ optional_policy(`
++ samba_run_smbmount(mount_t, $2)
++ ')
++
++')
++
++########################################
++##
++## Execute fusermount in the mount domain, and
++## allow the specified role the mount domain,
++## and use the caller's terminal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the mount domain.
++##
++##
++##
++#
++interface(`mount_run_fusermount',`
++ gen_require(`
++ type mount_t;
++ ')
++
++ mount_domtrans_fusermount($1)
++ role $2 types mount_t;
++
++ fstools_run(mount_t, $2)
++')
++
++########################################
++##
++## Read mount PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mount_read_pid_files',`
++ gen_require(`
++ type mount_var_run_t;
++ ')
++
++ allow $1 mount_var_run_t:file read_file_perms;
++ files_search_pids($1)
++')
++
++########################################
++##
++## Manage mount PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mount_manage_pid_files',`
++ gen_require(`
++ type mount_var_run_t;
++ ')
++
++ allow $1 mount_var_run_t:file manage_file_perms;
++ files_search_pids($1)
+ ')
+
+ ########################################
+@@ -91,7 +190,7 @@ interface(`mount_signal',`
+ ##
+ ##
+ ##
+-## The type of the process performing this action.
++## Domain allowed access.
+ ##
+ ##
+ #
+@@ -131,45 +230,138 @@ interface(`mount_send_nfs_client_request',`
+
+ ########################################
+ ##
+-## Execute mount in the unconfined mount domain.
++## Read the mount tmp directory
+ ##
+ ##
+ ##
+-## Domain allowed to transition.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`mount_domtrans_unconfined',`
++interface(`mount_list_tmp',`
+ gen_require(`
+- type unconfined_mount_t, mount_exec_t;
++ type mount_tmp_t;
+ ')
+
+- domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
++ allow $1 mount_tmp_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Execute mount in the unconfined mount domain, and
+-## allow the specified role the unconfined mount domain,
+-## and use the caller's terminal.
++## Execute fusermount in the mount domain.
+ ##
+ ##
+ ##
+-## Domain allowed to transition.
++## Domain allowed access.
+ ##
+ ##
+-##
++#
++interface(`mount_domtrans_fusermount',`
++ gen_require(`
++ type mount_t, fusermount_exec_t;
++ ')
++
++ domtrans_pattern($1, fusermount_exec_t, mount_t)
++ ps_process_pattern(mount_t, $1)
++
++ allow mount_t $1:unix_stream_socket { read write };
++ allow $1 mount_t:fd use;
++')
++
++########################################
++##
++## Execute fusermount.
++##
++##
+ ##
+-## Role allowed access.
++## Domain allowed access.
++##
++##
++#
++interface(`mount_exec_fusermount',`
++ gen_require(`
++ type fusermount_exec_t;
++ ')
++
++ can_exec($1, fusermount_exec_t)
++')
++
++########################################
++##
++## dontaudit Execute fusermount.
++##
++##
++##
++## Domain to not audit.
+ ##
+ ##
+-##
+ #
+-interface(`mount_run_unconfined',`
++interface(`mount_dontaudit_exec_fusermount',`
+ gen_require(`
+- type unconfined_mount_t;
++ type fusermount_exec_t;
+ ')
+
+- mount_domtrans_unconfined($1)
+- role $2 types unconfined_mount_t;
++ dontaudit $1 fusermount_exec_t:file exec_file_perms;
++')
++
++######################################
++##
++## Execute a domain transition to run showmount.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`mount_domtrans_showmount',`
++ gen_require(`
++ type showmount_t, showmount_exec_t;
++ ')
++
++ domtrans_pattern($1, showmount_exec_t, showmount_t)
++')
++
++######################################
++##
++## Execute showmount in the showmount domain, and
++## allow the specified role the showmount domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the showmount domain.
++##
++##
++#
++interface(`mount_run_showmount',`
++ gen_require(`
++ type showmount_t;
++ ')
++
++ mount_domtrans_showmount($1)
++ role $2 types showmount_t;
++')
++
++#######################################
++##
++## Transition to ecryptmount.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`mount_domtrans_ecryptmount',`
++ gen_require(`
++ type mount_ecryptfs_t, mount_ecryptfs_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
+ ')
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 63931f6..041c38f 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -10,35 +10,60 @@ policy_module(mount, 1.15.0)
+ ## Allow the mount command to mount any directory or file.
+ ##
+ ##
+-gen_tunable(allow_mount_anyfile, false)
++gen_tunable(mount_anyfile, false)
+
+-attribute_role mount_roles;
+-roleattribute system_r mount_roles;
++#attribute_role mount_roles;
++#roleattribute system_r mount_roles;
+
+ type mount_t;
+ type mount_exec_t;
+ init_system_domain(mount_t, mount_exec_t)
+-role mount_roles types mount_t;
++#role mount_roles types mount_t;
++role system_r types mount_t;
++
++type fusermount_exec_t;
++domain_entry_file(mount_t, fusermount_exec_t)
++
++typealias mount_t alias mount_ntfs_t;
++typealias mount_exec_t alias mount_ntfs_exec_t;
+
+ type mount_loopback_t; # customizable
+ files_type(mount_loopback_t)
++typealias mount_loopback_t alias mount_loop_t;
+
+ type mount_tmp_t;
+ files_tmp_file(mount_tmp_t)
+
+-# causes problems with interfaces when
+-# this is optionally declared in monolithic
+-# policy--duplicate type declaration
+-type unconfined_mount_t;
+-application_domain(unconfined_mount_t, mount_exec_t)
++type mount_var_run_t;
++files_pid_file(mount_var_run_t)
++dev_associate(mount_var_run_t)
++
++# showmount - show mount information for an NFS server
++
++type showmount_t;
++type showmount_exec_t;
++application_domain(showmount_t, showmount_exec_t)
++role system_r types showmount_t;
++
++type mount_ecryptfs_t;
++type mount_ecryptfs_exec_t;
++application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t)
++role system_r types mount_ecryptfs_t;
++
++type mount_ecryptfs_tmpfs_t;
++files_tmpfs_file(mount_ecryptfs_tmpfs_t)
+
+ ########################################
+ #
+ # mount local policy
+ #
+
+-# setuid/setgid needed to mount cifs
+-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
++# setuid/setgid needed to mount cifs
++allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice };
++allow mount_t self:process { getcap getsched setsched setcap setrlimit signal };
++allow mount_t self:fifo_file rw_fifo_file_perms;
++allow mount_t self:unix_stream_socket create_stream_socket_perms;
++allow mount_t self:unix_dgram_socket create_socket_perms;
+
+ allow mount_t mount_loopback_t:file read_file_perms;
+
+@@ -49,9 +74,25 @@ can_exec(mount_t, mount_exec_t)
+
+ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
+
++manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
++manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
++files_pid_filetrans(mount_t,mount_var_run_t,dir)
++files_var_filetrans(mount_t,mount_var_run_t,dir)
++dev_filetrans(mount_t, mount_var_run_t, dir)
++
++# In order to mount reiserfs_t
++kernel_dontaudit_getattr_core_if(mount_t)
++kernel_list_unlabeled(mount_t)
++kernel_mount_unlabeled(mount_t)
++kernel_unmount_unlabeled(mount_t)
+ kernel_read_system_state(mount_t)
++kernel_read_network_state(mount_t)
+ kernel_read_kernel_sysctls(mount_t)
+-kernel_dontaudit_getattr_core_if(mount_t)
++kernel_relabelfrom_unlabeled_fs(mount_t)
++kernel_manage_debugfs(mount_t)
++kernel_setsched(mount_t)
++kernel_use_fds(mount_t)
++kernel_request_load_module(mount_t)
+ kernel_dontaudit_write_debugfs_dirs(mount_t)
+ kernel_dontaudit_write_proc_dirs(mount_t)
+ # To load binfmt_misc kernel module
+@@ -60,31 +101,46 @@ kernel_request_load_module(mount_t)
+ # required for mount.smbfs
+ corecmd_exec_bin(mount_t)
+
++dev_getattr_generic_blk_files(mount_t)
+ dev_getattr_all_blk_files(mount_t)
+ dev_list_all_dev_nodes(mount_t)
++dev_read_usbfs(mount_t)
++dev_read_rand(mount_t)
++dev_read_urand(mount_t)
+ dev_read_sysfs(mount_t)
+ dev_dontaudit_write_sysfs_dirs(mount_t)
+ dev_rw_lvm_control(mount_t)
+ dev_dontaudit_getattr_all_chr_files(mount_t)
+ dev_dontaudit_getattr_memory_dev(mount_t)
+ dev_getattr_sound_dev(mount_t)
++
++ifdef(`hide_broken_symptoms',`
++ dev_rw_generic_blk_files(mount_t)
++')
++
+ # Early devtmpfs, before udev relabel
+ dev_dontaudit_rw_generic_chr_files(mount_t)
+
+ domain_use_interactive_fds(mount_t)
++domain_read_all_domains_state(mount_t)
+
+ files_search_all(mount_t)
+ files_read_etc_files(mount_t)
++files_read_etc_runtime_files(mount_t)
+ files_manage_etc_runtime_files(mount_t)
+ files_etc_filetrans_etc_runtime(mount_t, file)
++# for when /etc/mtab loses its type
++files_delete_etc_files(mount_t)
+ files_mounton_all_mountpoints(mount_t)
++files_setattr_all_mountpoints(mount_t)
++# ntfs-3g checks whether the mountpoint is writable before mounting
++files_write_all_mountpoints(mount_t)
+ files_unmount_rootfs(mount_t)
++
+ # These rules need to be generalized. Only admin, initrc should have it:
+-files_relabelto_all_file_type_fs(mount_t)
++files_relabel_all_file_type_fs(mount_t)
+ files_mount_all_file_type_fs(mount_t)
+ files_unmount_all_file_type_fs(mount_t)
+-# for when /etc/mtab loses its type
+-# cjp: this seems wrong, the type should probably be etc
+ files_read_isid_type_files(mount_t)
+ # For reading cert files
+ files_read_usr_files(mount_t)
+@@ -92,28 +148,42 @@ files_list_mnt(mount_t)
+ files_dontaudit_write_all_mountpoints(mount_t)
+ files_dontaudit_setattr_all_mountpoints(mount_t)
+
+-fs_getattr_xattr_fs(mount_t)
+-fs_getattr_cifs(mount_t)
++fs_list_all(mount_t)
++fs_getattr_all_fs(mount_t)
+ fs_mount_all_fs(mount_t)
+ fs_unmount_all_fs(mount_t)
+ fs_remount_all_fs(mount_t)
+ fs_relabelfrom_all_fs(mount_t)
+-fs_list_auto_mountpoints(mount_t)
++fs_rw_anon_inodefs_files(mount_t)
+ fs_rw_tmpfs_chr_files(mount_t)
++fs_rw_nfsd_fs(mount_t)
++fs_rw_removable_blk_files(mount_t)
++#fs_manage_tmpfs_dirs(mount_t)
+ fs_read_tmpfs_symlinks(mount_t)
++fs_read_fusefs_files(mount_t)
++fs_manage_nfs_dirs(mount_t)
++fs_read_nfs_symlinks(mount_t)
++fs_manage_cgroup_dirs(mount_t)
++fs_manage_cgroup_files(mount_t)
+ fs_dontaudit_write_tmpfs_dirs(mount_t)
+
+-mls_file_read_all_levels(mount_t)
+-mls_file_write_all_levels(mount_t)
++mcs_file_read_all(mount_t)
++mcs_file_write_all(mount_t)
++
++mls_file_read_to_clearance(mount_t)
++mls_file_write_to_clearance(mount_t)
++mls_process_write_to_clearance(mount_t)
+
+ selinux_get_enforce_mode(mount_t)
++selinux_mounton_fs(mount_t)
+
+ storage_raw_read_fixed_disk(mount_t)
+ storage_raw_write_fixed_disk(mount_t)
+ storage_raw_read_removable_device(mount_t)
+ storage_raw_write_removable_device(mount_t)
++storage_rw_fuse(mount_t)
+
+-term_use_all_terms(mount_t)
++term_use_all_inherited_terms(mount_t)
+ term_dontaudit_manage_pty_dirs(mount_t)
+
+ auth_use_nsswitch(mount_t)
+@@ -121,16 +191,20 @@ auth_use_nsswitch(mount_t)
+ init_use_fds(mount_t)
+ init_use_script_ptys(mount_t)
+ init_dontaudit_getattr_initctl(mount_t)
++init_stream_connect_script(mount_t)
++init_rw_script_stream_sockets(mount_t)
+
+ logging_send_syslog_msg(mount_t)
+
+-miscfiles_read_localization(mount_t)
+
+ sysnet_use_portmap(mount_t)
+
+ seutil_read_config(mount_t)
+
+ userdom_use_all_users_fds(mount_t)
++userdom_manage_user_home_content_dirs(mount_t)
++userdom_read_user_home_content_symlinks(mount_t)
++userdom_list_user_tmp(mount_t)
+
+ ifdef(`distro_redhat',`
+ optional_policy(`
+@@ -146,26 +220,27 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+
+-tunable_policy(`allow_mount_anyfile',`
+- files_list_non_auth_dirs(mount_t)
+- files_read_non_auth_files(mount_t)
++corecmd_exec_shell(mount_t)
++
++tunable_policy(`mount_anyfile',`
++ files_read_non_security_files(mount_t)
+ files_mounton_non_security(mount_t)
++ files_rw_inherited_non_security_files(mount_t)
+ ')
+
+ optional_policy(`
+ # for nfs
+- corenet_all_recvfrom_unlabeled(mount_t)
+ corenet_all_recvfrom_netlabel(mount_t)
+- corenet_tcp_sendrecv_all_if(mount_t)
+- corenet_raw_sendrecv_all_if(mount_t)
+- corenet_udp_sendrecv_all_if(mount_t)
+- corenet_tcp_sendrecv_all_nodes(mount_t)
+- corenet_raw_sendrecv_all_nodes(mount_t)
+- corenet_udp_sendrecv_all_nodes(mount_t)
++ corenet_tcp_sendrecv_generic_if(mount_t)
++ corenet_raw_sendrecv_generic_if(mount_t)
++ corenet_udp_sendrecv_generic_if(mount_t)
++ corenet_tcp_sendrecv_generic_node(mount_t)
++ corenet_raw_sendrecv_generic_node(mount_t)
++ corenet_udp_sendrecv_generic_node(mount_t)
+ corenet_tcp_sendrecv_all_ports(mount_t)
+ corenet_udp_sendrecv_all_ports(mount_t)
+- corenet_tcp_bind_all_nodes(mount_t)
+- corenet_udp_bind_all_nodes(mount_t)
++ corenet_tcp_bind_generic_node(mount_t)
++ corenet_udp_bind_generic_node(mount_t)
+ corenet_tcp_bind_generic_port(mount_t)
+ corenet_udp_bind_generic_port(mount_t)
+ corenet_tcp_bind_reserved_port(mount_t)
+@@ -179,6 +254,8 @@ optional_policy(`
+ fs_search_rpc(mount_t)
+
+ rpc_stub(mount_t)
++
++ rpc_domtrans_rpcd(mount_t)
+ ')
+
+ optional_policy(`
+@@ -186,6 +263,28 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ cron_system_entry(mount_t, mount_exec_t)
++')
++
++optional_policy(`
++ devicekit_read_state_power(mount_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(mount_t)
++
++ optional_policy(`
++ hal_dbus_chat(mount_t)
++ ')
++')
++
++optional_policy(`
++ hal_write_log(mount_t)
++ hal_use_fds(mount_t)
++ hal_dontaudit_rw_pipes(mount_t)
++')
++
++optional_policy(`
+ ifdef(`hide_broken_symptoms',`
+ # for a bug in the X server
+ rhgb_dontaudit_rw_stream_sockets(mount_t)
+@@ -193,21 +292,121 @@ optional_policy(`
+ ')
+ ')
+
++optional_policy(`
++ livecd_rw_tmp_files(mount_t)
++')
++
++# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
++optional_policy(`
++# lvm_run(mount_t, mount_roles)
++ lvm_domtrans(mount_t)
++')
++
++optional_policy(`
++ #modutils_run_insmod(mount_t, mount_roles)
++ modutils_domtrans_insmod(mount_t)
++ modutils_read_module_deps(mount_t)
++')
++
++optional_policy(`
++ fstools_domtrans(mount_t)
++ #fstools_run(mount_t, mount_roles)
++')
++
++optional_policy(`
++ rhcs_stream_connect_gfs_controld(mount_t)
++')
++
++#optional_policy(`
++# rpc_run_rpcd(mount_t, mount_roles)
++#')
++
+ # for kernel package installation
+ optional_policy(`
+ rpm_rw_pipes(mount_t)
++ rpm_dontaudit_leaks(mount_t)
+ ')
+
+ optional_policy(`
+- samba_run_smbmount(mount_t, mount_roles)
++ samba_read_config(mount_t)
++ samba_domtrans_smbmount(mount_t)
++ #samba_run_smbmount(mount_t, mount_roles)
+ ')
+
+-########################################
+-#
+-# Unconfined mount local policy
+-#
++optional_policy(`
++ ssh_exec(mount_t)
++')
++
++optional_policy(`
++ usbmuxd_stream_connect(mount_t)
++')
++
++optional_policy(`
++ userhelper_exec_console(mount_t)
++')
++
++optional_policy(`
++ virt_read_blk_images(mount_t)
++')
+
+ optional_policy(`
+- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+- unconfined_domain(unconfined_mount_t)
++ vmware_exec_host(mount_t)
+ ')
++
++######################################
++#
++# showmount local policy
++#
++
++allow showmount_t self:tcp_socket create_stream_socket_perms;
++allow showmount_t self:udp_socket create_socket_perms;
++
++kernel_read_system_state(showmount_t)
++
++corenet_all_recvfrom_netlabel(showmount_t)
++corenet_tcp_sendrecv_generic_if(showmount_t)
++corenet_udp_sendrecv_generic_if(showmount_t)
++corenet_tcp_sendrecv_generic_node(showmount_t)
++corenet_udp_sendrecv_generic_node(showmount_t)
++corenet_tcp_sendrecv_all_ports(showmount_t)
++corenet_udp_sendrecv_all_ports(showmount_t)
++corenet_tcp_bind_generic_node(showmount_t)
++corenet_udp_bind_generic_node(showmount_t)
++corenet_tcp_bind_all_rpc_ports(showmount_t)
++corenet_udp_bind_all_rpc_ports(showmount_t)
++corenet_tcp_connect_all_ports(showmount_t)
++
++files_read_etc_files(showmount_t)
++files_read_etc_runtime_files(showmount_t)
++
++
++sysnet_dns_name_resolve(showmount_t)
++
++userdom_use_inherited_user_terminals(showmount_t)
++
++#######################################
++#
++# mount_ecryptfs local policy
++#
++
++domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t)
++
++allow mount_ecryptfs_t self:capability setgid;
++allow mount_ecryptfs_t self:capability { setuid sys_admin };
++allow mount_ecryptfs_t self:fifo_file rw_fifo_file_perms;
++allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
++userdom_rw_user_tmpfs_files(mount_ecryptfs_t)
++
++domain_use_interactive_fds(mount_ecryptfs_t)
++
++files_read_etc_files(mount_ecryptfs_t)
++
++fs_read_ecryptfs_symlinks(mount_ecryptfs_t)
++fs_read_ecryptfs_files(mount_ecryptfs_t)
++
++auth_use_nsswitch(mount_ecryptfs_t)
++
+diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
+index b263a8a..9348c8c 100644
+--- a/policy/modules/system/netlabel.fc
++++ b/policy/modules/system/netlabel.fc
+@@ -1 +1,3 @@
+ /sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
++
++/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
+diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
+index cbbda4a..8dcc346 100644
+--- a/policy/modules/system/netlabel.te
++++ b/policy/modules/system/netlabel.te
+@@ -23,6 +23,11 @@ kernel_read_network_state(netlabel_mgmt_t)
+
+ files_read_etc_files(netlabel_mgmt_t)
+
++term_use_all_inherited_terms(netlabel_mgmt_t)
++
+ seutil_use_newrole_fds(netlabel_mgmt_t)
+
+-userdom_use_user_terminals(netlabel_mgmt_t)
++term_use_all_terms(netlabel_mgmt_t)
++
++userdom_use_inherited_user_terminals(netlabel_mgmt_t)
++
+diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
+index d43f3b1..c4182e8 100644
+--- a/policy/modules/system/selinuxutil.fc
++++ b/policy/modules/system/selinuxutil.fc
+@@ -6,13 +6,14 @@
+ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
+ /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
+ /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
+-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
++/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)
++/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+ /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
++/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0)
+ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+ /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+ /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+-/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
++/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0)
+
+ #
+ # /root
+@@ -35,12 +36,14 @@
+ /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
+
+ /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
++/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
+ /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
+ /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+-/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0)
+ /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
+ /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0)
+
+ #
+ # /var/lib
+@@ -51,3 +54,7 @@
+ # /var/run
+ #
+ /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
++
++
++/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
++/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 3822072..702e0e0 100644
+--- a/policy/modules/system/selinuxutil.if
++++ b/policy/modules/system/selinuxutil.if
+@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
+ #
+ interface(`seutil_run_newrole',`
+ gen_require(`
+- attribute_role newrole_roles;
++ type newrole_t;
++ #attribute_role newrole_roles;
+ ')
+
++ #seutil_domtrans_newrole($1)
++ #roleattribute $2 newrole_roles;
++
+ seutil_domtrans_newrole($1)
+- roleattribute $2 newrole_roles;
++ role $2 types newrole_t;
++
++ auth_run_upd_passwd(newrole_t, $2)
++
++ optional_policy(`
++ namespace_init_run(newrole_t, $2)
++ ')
++
+ ')
+
+ ########################################
+@@ -359,6 +370,27 @@ interface(`seutil_exec_restorecon',`
+
+ ########################################
+ ##
++## Execute restorecond in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`seutil_exec_restorecond',`
++ gen_require(`
++ type restorecond_exec_t;
++ ')
++
++ files_search_usr($1)
++ corecmd_search_bin($1)
++ can_exec($1, restorecond_exec_t)
++')
++
++########################################
++##
+ ## Execute run_init in the run_init domain.
+ ##
+ ##
+@@ -425,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',`
+ #
+ interface(`seutil_run_runinit',`
+ gen_require(`
+- attribute_role run_init_roles;
++ #attribute_role run_init_roles;
++ type run_init_t;
++ role system_r;
+ ')
+
+- seutil_domtrans_runinit($1)
+- roleattribute $2 run_init_roles;
++ #seutil_domtrans_runinit($1)
++ #roleattribute $2 run_init_roles;
++
++ auth_run_chk_passwd(run_init_t, $2)
++ seutil_domtrans_runinit($1)
++ role $2 types run_init_t;
++
++ allow $2 system_r;
++
+ ')
+
+ ########################################
+@@ -461,11 +502,19 @@ interface(`seutil_run_runinit',`
+ #
+ interface(`seutil_init_script_run_runinit',`
+ gen_require(`
+- attribute_role run_init_roles;
++ #attribute_role run_init_roles;
++ type run_init_t;
++ role system_r;
+ ')
+
+- seutil_init_script_domtrans_runinit($1)
+- roleattribute $2 run_init_roles;
++ #seutil_init_script_domtrans_runinit($1)
++ #roleattribute $2 run_init_roles;
++ auth_run_chk_passwd(run_init_t, $2)
++ seutil_init_script_domtrans_runinit($1)
++ role $2 types run_init_t;
++
++ allow $2 system_r;
++
+ ')
+
+ ########################################
+@@ -535,6 +584,53 @@ interface(`seutil_run_setfiles',`
+
+ ########################################
+ ##
++## Execute setfiles in the setfiles domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_domtrans_setfiles_mac',`
++ gen_require(`
++ type setfiles_mac_t, setfiles_exec_t;
++ ')
++
++ files_search_usr($1)
++ corecmd_search_bin($1)
++ domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t)
++')
++
++########################################
++##
++## Execute setfiles in the setfiles_mac domain, and
++## allow the specified role the setfiles_mac domain,
++## and use the caller's terminal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the setfiles_mac domain.
++##
++##
++##
++#
++interface(`seutil_run_setfiles_mac',`
++ gen_require(`
++ type setfiles_mac_t;
++ ')
++
++ seutil_domtrans_setfiles_mac($1)
++ role $2 types setfiles_mac_t;
++')
++
++########################################
++##
+ ## Execute setfiles in the caller domain.
+ ##
+ ##
+@@ -680,10 +776,115 @@ interface(`seutil_manage_config',`
+ ')
+
+ files_search_etc($1)
++ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
+ manage_files_pattern($1, selinux_config_t, selinux_config_t)
+ read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
+ ')
+
++######################################
++##
++## Create, read, write, and delete
++## the general selinux configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`seutil_manage_config_dirs',`
++ gen_require(`
++ type selinux_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir manage_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to search the SELinux
++## login configuration directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`seutil_dontaudit_search_login_config',`
++ gen_require(`
++ type selinux_login_config_t;
++ ')
++
++ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read the SELinux
++## login configuration.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`seutil_dontaudit_read_login_config',`
++ gen_require(`
++ type selinux_login_config_t;
++ ')
++ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
++ dontaudit $1 selinux_login_config_t:file read_file_perms;
++')
++
++########################################
++##
++## Read the SELinux login configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_read_login_config',`
++ gen_require(`
++ type selinux_config_t;
++ type selinux_login_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir search_dir_perms;
++ allow $1 selinux_login_config_t:dir list_dir_perms;
++ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++')
++
++########################################
++##
++## Read and write the SELinux login configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_rw_login_config',`
++ gen_require(`
++ type selinux_config_t;
++ type selinux_login_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir search_dir_perms;
++ allow $1 selinux_login_config_t:dir list_dir_perms;
++ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++')
++
+ #######################################
+ ##
+ ## Create, read, write, and delete
+@@ -694,15 +895,62 @@ interface(`seutil_manage_config',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`seutil_manage_config_dirs',`
++interface(`seutil_rw_login_config_dirs',`
+ gen_require(`
+ type selinux_config_t;
++ type selinux_login_config_t;
+ ')
+
+ files_search_etc($1)
+- allow $1 selinux_config_t:dir manage_dir_perms;
++ allow $1 selinux_config_t:dir search_dir_perms;
++ allow $1 selinux_login_config_t:dir rw_dir_perms;
++')
++
++######################################
++##
++## Create, read, write, and delete
++## the general selinux configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_manage_login_config',`
++ gen_require(`
++ type selinux_config_t;
++ type selinux_login_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir search_dir_perms;
++ manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++')
++
++######################################
++##
++## manage the login selinux configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_manage_login_config_files',`
++ gen_require(`
++ type selinux_config_t;
++ type selinux_login_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir search_dir_perms;
++ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+ ')
+
+ ########################################
+@@ -746,6 +994,29 @@ interface(`seutil_read_default_contexts',`
+ read_files_pattern($1, default_context_t, default_context_t)
+ ')
+
++#######################################
++##
++## Read and write the default_contexts files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`seutil_rw_default_contexts',`
++ gen_require(`
++ type default_context_t;
++ type selinux_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 selinux_config_t:dir list_dir_perms;
++ allow $1 default_context_t:dir list_dir_perms;
++ rw_files_pattern($1, default_context_t, default_context_t)
++')
++
+ ########################################
+ ##
+ ## Create, read, write, and delete the default_contexts files.
+@@ -999,6 +1270,26 @@ interface(`seutil_domtrans_semanage',`
+
+ ########################################
+ ##
++## Execute a domain transition to run setsebool.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`seutil_domtrans_setsebool',`
++ gen_require(`
++ type setsebool_t, setsebool_exec_t;
++ ')
++
++ files_search_usr($1)
++ corecmd_search_bin($1)
++ domtrans_pattern($1, setsebool_exec_t, setsebool_t)
++')
++
++########################################
++##
+ ## Execute semanage in the semanage domain, and
+ ## allow the specified role the semanage domain,
+ ## and use the caller's terminal.
+@@ -1017,11 +1308,66 @@ interface(`seutil_domtrans_semanage',`
+ #
+ interface(`seutil_run_semanage',`
+ gen_require(`
+- attribute_role semanage_roles;
++ #attribute_role semanage_roles;
++ type semanage_t;
+ ')
+
++ #seutil_domtrans_semanage($1)
++ #roleattribute $2 semanage_roles;
++
+ seutil_domtrans_semanage($1)
+- roleattribute $2 semanage_roles;
++ seutil_run_setfiles(semanage_t, $2)
++ seutil_run_loadpolicy(semanage_t, $2)
++ role $2 types semanage_t;
++
++')
++
++########################################
++##
++## Execute setsebool in the semanage domain, and
++## allow the specified role the semanage domain,
++## and use the caller's terminal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the setsebool domain.
++##
++##
++##
++#
++interface(`seutil_run_setsebool',`
++ gen_require(`
++ type semanage_t;
++ ')
++
++ seutil_domtrans_setsebool($1)
++ role $2 types setsebool_t;
++')
++
++########################################
++##
++## Full management of the semanage
++## module store.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_read_module_store',`
++ gen_require(`
++ type selinux_config_t, semanage_store_t;
++ ')
++
++ files_search_etc($1)
++ list_dirs_pattern($1, selinux_config_t, semanage_store_t)
++ read_files_pattern($1, semanage_store_t, semanage_store_t)
+ ')
+
+ ########################################
+@@ -1044,6 +1390,9 @@ interface(`seutil_manage_module_store',`
+ manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
+ manage_files_pattern($1, semanage_store_t, semanage_store_t)
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
+ ')
+
+ #######################################
+@@ -1137,3 +1486,69 @@ interface(`seutil_dontaudit_libselinux_linked',`
+ selinux_dontaudit_get_fs_mount($1)
+ seutil_dontaudit_read_config($1)
+ ')
++
++#######################################
++##
++## All rules necessary to run semanage command
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_semanage_policy',`
++ gen_require(`
++ type semanage_tmp_t;
++ type policy_config_t;
++ attribute policy_manager_domain;
++ ')
++ typeattribute $1 policy_manager_domain;
++
++ kernel_read_system_state($1)
++
++ # Running genhomedircon requires this for finding all users
++ auth_use_nsswitch($1)
++
++ mls_file_write_all_levels($1)
++ mls_file_read_all_levels($1)
++
++ selinux_get_enforce_mode($1)
++
++ seutil_manage_bin_policy($1)
++
++ logging_send_syslog_msg($1)
++')
++
++#######################################
++##
++## All rules necessary to run setfiles command
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_setfiles',`
++
++ gen_require(`
++ attribute setfiles_domain;
++ ')
++ typeattribute $1 setfiles_domain;
++
++ kernel_read_system_state($1)
++ seutil_libselinux_linked($1)
++
++ files_relabel_all_files($1)
++
++ mls_file_read_all_levels($1)
++ mls_file_write_all_levels($1)
++ mls_file_upgrade($1)
++ mls_file_downgrade($1)
++
++ # this is to satisfy the assertion:
++ auth_relabelto_shadow($1)
++
++ logging_send_syslog_msg($1)
++')
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index ec01d0b..51e91d2 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -11,14 +11,17 @@ gen_require(`
+
+ attribute can_write_binary_policy;
+ attribute can_relabelto_binary_policy;
++attribute setfiles_domain;
++attribute seutil_semanage_domain;
++attribute policy_manager_domain;
+
+-attribute_role newrole_roles;
++#attribute_role newrole_roles;
+
+-attribute_role run_init_roles;
+-role system_r types run_init_t;
++#attribute_role run_init_roles;
++#role system_r types run_init_t;
+
+-attribute_role semanage_roles;
+-roleattribute system_r semanage_roles;
++#attribute_role semanage_roles;
++#roleattribute system_r semanage_roles;
+
+ #
+ # selinux_config_t is the type applied to
+@@ -30,6 +33,12 @@ roleattribute system_r semanage_roles;
+ type selinux_config_t;
+ files_type(selinux_config_t)
+
++type selinux_login_config_t;
++files_type(selinux_login_config_t)
++
++type selinux_var_lib_t;
++files_type(selinux_var_lib_t)
++
+ type checkpolicy_t, can_write_binary_policy;
+ type checkpolicy_exec_t;
+ application_domain(checkpolicy_t, checkpolicy_exec_t)
+@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t)
+ domain_role_change_exemption(newrole_t)
+ domain_obj_id_change_exemption(newrole_t)
+ domain_interactive_fd(newrole_t)
+-role newrole_roles types newrole_t;
++#role newrole_roles types newrole_t;
++role system_r types newrole_t;
+
+ #
+ # policy_config_t is the type of /etc/security/selinux/*
+ # the security server policy configuration.
+ #
+-type policy_config_t;
+-files_type(policy_config_t)
++#type policy_config_t;
++#files_type(policy_config_t)
++gen_require(`
++ type semanage_store_t;
++')
++
++typealias semanage_store_t alias policy_config_t;
+
+ neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
+ #neverallow ~can_write_binary_policy policy_config_t:file { write append };
+@@ -83,7 +98,6 @@ type restorecond_t;
+ type restorecond_exec_t;
+ init_daemon_domain(restorecond_t, restorecond_exec_t)
+ domain_obj_id_change_exemption(restorecond_t)
+-role system_r types restorecond_t;
+
+ type restorecond_var_run_t;
+ files_pid_file(restorecond_var_run_t)
+@@ -92,25 +106,32 @@ type run_init_t;
+ type run_init_exec_t;
+ application_domain(run_init_t, run_init_exec_t)
+ domain_system_change_exemption(run_init_t)
+-role run_init_roles types run_init_t;
++#role run_init_roles types run_init_t;
++role system_r types run_init_t;
+
+ type semanage_t;
+ type semanage_exec_t;
+ application_domain(semanage_t, semanage_exec_t)
++init_daemon_domain(semanage_t, semanage_exec_t)
+ domain_interactive_fd(semanage_t)
+-role semanage_roles types semanage_t;
++#role semanage_roles types semanage_t;
++role system_r types semanage_t;
++
++type setsebool_t;
++type setsebool_exec_t;
++init_system_domain(setsebool_t, setsebool_exec_t)
+
+ type semanage_store_t;
+ files_type(semanage_store_t)
+
+ type semanage_read_lock_t;
+-files_type(semanage_read_lock_t)
++files_lock_file(semanage_read_lock_t)
+
+ type semanage_tmp_t;
+ files_tmp_file(semanage_tmp_t)
+
+-type semanage_trans_lock_t;
+-files_type(semanage_trans_lock_t)
++type semanage_trans_lock_t;
++files_lock_file(semanage_trans_lock_t)
+
+ type semanage_var_lib_t;
+ files_type(semanage_var_lib_t)
+@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t;
+ init_system_domain(setfiles_t, setfiles_exec_t)
+ domain_obj_id_change_exemption(setfiles_t)
+
++type setfiles_mac_t;
++domain_type(setfiles_mac_t)
++domain_entry_file(setfiles_mac_t, setfiles_exec_t)
++domain_obj_id_change_exemption(setfiles_mac_t)
++
+ ########################################
+ #
+ # Checkpolicy local policy
+@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
+ read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
+ read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
+ allow checkpolicy_t selinux_config_t:dir search_dir_perms;
++allow checkpolicy_t selinux_login_config_t:dir search_dir_perms;
+
+ domain_use_interactive_fds(checkpolicy_t)
+
+@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t)
+ init_use_fds(checkpolicy_t)
+ init_use_script_ptys(checkpolicy_t)
+
+-userdom_use_user_terminals(checkpolicy_t)
++userdom_use_inherited_user_terminals(checkpolicy_t)
+ userdom_use_all_users_fds(checkpolicy_t)
+
+ ifdef(`distro_ubuntu',`
+@@ -188,13 +215,13 @@ term_list_ptys(load_policy_t)
+
+ init_use_script_fds(load_policy_t)
+ init_use_script_ptys(load_policy_t)
+-
+-miscfiles_read_localization(load_policy_t)
++init_write_script_pipes(load_policy_t)
+
+ seutil_libselinux_linked(load_policy_t)
+
+-userdom_use_user_terminals(load_policy_t)
++userdom_use_inherited_user_terminals(load_policy_t)
+ userdom_use_all_users_fds(load_policy_t)
++userdom_dontaudit_read_user_tmp_files(load_policy_t)
+
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+@@ -205,6 +232,7 @@ ifdef(`distro_ubuntu',`
+ ifdef(`hide_broken_symptoms',`
+ # cjp: cover up stray file descriptors.
+ dontaudit load_policy_t selinux_config_t:file write;
++ dontaudit load_policy_t selinux_login_config_t:file write;
+
+ optional_policy(`
+ unconfined_dontaudit_read_pipes(load_policy_t)
+@@ -215,12 +243,17 @@ optional_policy(`
+ portage_dontaudit_use_fds(load_policy_t)
+ ')
+
++optional_policy(`
++ # pki is leaking
++ pki_dontaudit_write_log(load_policy_t)
++')
++
+ ########################################
+ #
+ # Newrole local policy
+ #
+
+-allow newrole_t self:capability { fowner setuid setgid dac_override };
++allow newrole_t self:capability { fowner setpcap setuid setgid dac_override };
+ allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+ allow newrole_t self:process setexec;
+ allow newrole_t self:fd use;
+@@ -232,7 +265,7 @@ allow newrole_t self:msgq create_msgq_perms;
+ allow newrole_t self:msg { send receive };
+ allow newrole_t self:unix_dgram_socket sendto;
+ allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++logging_send_audit_msgs(newrole_t)
+
+ read_files_pattern(newrole_t, default_context_t, default_context_t)
+ read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
+@@ -249,6 +282,7 @@ domain_use_interactive_fds(newrole_t)
+ # for when the user types "exec newrole" at the command line:
+ domain_sigchld_interactive_fds(newrole_t)
+
++files_list_var(newrole_t)
+ files_read_etc_files(newrole_t)
+ files_read_var_files(newrole_t)
+ files_read_var_symlinks(newrole_t)
+@@ -276,25 +310,38 @@ term_relabel_all_ptys(newrole_t)
+ term_getattr_unallocated_ttys(newrole_t)
+ term_dontaudit_use_unallocated_ttys(newrole_t)
+
+-auth_use_nsswitch(newrole_t)
+-auth_run_chk_passwd(newrole_t, newrole_roles)
+-auth_run_upd_passwd(newrole_t, newrole_roles)
+-auth_rw_faillog(newrole_t)
++#auth_use_nsswitch(newrole_t)
++#auth_run_chk_passwd(newrole_t, newrole_roles)
++#auth_run_upd_passwd(newrole_t, newrole_roles)
++#auth_rw_faillog(newrole_t)
++auth_use_pam(newrole_t)
+
+ # Write to utmp.
+ init_rw_utmp(newrole_t)
+ init_use_fds(newrole_t)
+
+-logging_send_syslog_msg(newrole_t)
+-
+-miscfiles_read_localization(newrole_t)
+
+ seutil_libselinux_linked(newrole_t)
+
++userdom_use_unpriv_users_fds(newrole_t)
+ # for some PAM modules and for cwd
+ userdom_dontaudit_search_user_home_content(newrole_t)
+ userdom_search_user_home_dirs(newrole_t)
+
++# need to talk with dbus
++optional_policy(`
++ dbus_system_bus_client(newrole_t)
++')
++
++#optional_policy(`
++# namespace_init_run(newrole_t, newrole_roles)
++#')
++
++
++optional_policy(`
++ xserver_dontaudit_exec_xauth(newrole_t)
++')
++
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(newrole_t)
+@@ -309,7 +356,7 @@ if(secure_mode) {
+ userdom_spec_domtrans_all_users(newrole_t)
+ }
+
+-tunable_policy(`allow_polyinstantiation',`
++tunable_policy(`polyinstantiation_enabled',`
+ files_polyinstantiate_all(newrole_t)
+ ')
+
+@@ -328,9 +375,13 @@ kernel_use_fds(restorecond_t)
+ kernel_rw_pipes(restorecond_t)
+ kernel_read_system_state(restorecond_t)
+
++dev_relabel_all_dev_nodes(restorecond_t)
++
++files_dontaudit_read_all_symlinks(restorecond_t)
++
+ fs_relabelfrom_noxattr_fs(restorecond_t)
+ fs_dontaudit_list_nfs(restorecond_t)
+-fs_getattr_xattr_fs(restorecond_t)
++fs_getattr_all_fs(restorecond_t)
+ fs_list_inotifyfs(restorecond_t)
+
+ selinux_validate_context(restorecond_t)
+@@ -341,16 +392,17 @@ selinux_compute_user_contexts(restorecond_t)
+
+ files_relabel_non_auth_files(restorecond_t )
+ files_read_non_auth_files(restorecond_t)
++
+ auth_use_nsswitch(restorecond_t)
+
+ locallogin_dontaudit_use_fds(restorecond_t)
+
+ logging_send_syslog_msg(restorecond_t)
+
+-miscfiles_read_localization(restorecond_t)
+-
+ seutil_libselinux_linked(restorecond_t)
+
++userdom_read_user_home_content_symlinks(restorecond_t)
++
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(restorecond_t)
+@@ -366,21 +418,24 @@ optional_policy(`
+ # Run_init local policy
+ #
+
+-allow run_init_roles system_r;
++#allow run_init_roles system_r;
+
+ allow run_init_t self:process setexec;
+ allow run_init_t self:capability setuid;
+ allow run_init_t self:fifo_file rw_file_perms;
+-allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++logging_send_audit_msgs(run_init_t)
+
+ # often the administrator runs such programs from a directory that is owned
+ # by a different user or has restrictive SE permissions, do not want to audit
+ # the failed access to the current directory
+ dontaudit run_init_t self:capability { dac_override dac_read_search };
+
++kernel_dontaudit_getattr_core_if(run_init_t)
++
+ corecmd_exec_bin(run_init_t)
+ corecmd_exec_shell(run_init_t)
+
++dev_dontaudit_getattr_all(run_init_t)
+ dev_dontaudit_list_all_dev_nodes(run_init_t)
+
+ domain_use_interactive_fds(run_init_t)
+@@ -398,23 +453,30 @@ selinux_compute_create_context(run_init_t)
+ selinux_compute_relabel_context(run_init_t)
+ selinux_compute_user_contexts(run_init_t)
+
++term_use_console(run_init_t)
++
++#auth_use_nsswitch(run_init_t)
++#auth_run_chk_passwd(run_init_t, run_init_roles)
++#auth_run_upd_passwd(run_init_t, run_init_roles)
++#auth_dontaudit_read_shadow(run_init_t)
++
+ auth_use_nsswitch(run_init_t)
+-auth_run_chk_passwd(run_init_t, run_init_roles)
+-auth_run_upd_passwd(run_init_t, run_init_roles)
++auth_domtrans_chk_passwd(run_init_t)
++auth_domtrans_upd_passwd(run_init_t)
+ auth_dontaudit_read_shadow(run_init_t)
+
++
+ init_spec_domtrans_script(run_init_t)
+ # for utmp
+ init_rw_utmp(run_init_t)
++init_dontaudit_getattr_initctl(run_init_t)
+
+ logging_send_syslog_msg(run_init_t)
+
+-miscfiles_read_localization(run_init_t)
+-
+ seutil_libselinux_linked(run_init_t)
+ seutil_read_default_contexts(run_init_t)
+
+-userdom_use_user_terminals(run_init_t)
++userdom_use_inherited_user_terminals(run_init_t)
+
+ ifndef(`direct_sysadm_daemon',`
+ ifdef(`distro_gentoo',`
+@@ -425,6 +487,19 @@ ifndef(`direct_sysadm_daemon',`
+ ')
+ ')
+
++# need to talk with dbus
++optional_policy(`
++ dbus_system_bus_client(run_init_t)
++')
++
++optional_policy(`
++ gpm_dontaudit_getattr_gpmctl(run_init_t)
++')
++
++optional_policy(`
++ rpm_domtrans(run_init_t)
++')
++
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(run_init_t)
+@@ -440,81 +515,87 @@ optional_policy(`
+ # semodule local policy
+ #
+
+-allow semanage_t self:capability { dac_override audit_write };
+-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
+-allow semanage_t self:unix_dgram_socket create_socket_perms;
+ allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+-allow semanage_t self:fifo_file rw_fifo_file_perms;
+-
+-allow semanage_t policy_config_t:file rw_file_perms;
+-
+-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
+-allow semanage_t semanage_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+
+ manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
+ manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
+
+-kernel_read_system_state(semanage_t)
+-kernel_read_kernel_sysctls(semanage_t)
+-
+-corecmd_exec_bin(semanage_t)
+-
+-dev_read_urand(semanage_t)
+-
+-domain_use_interactive_fds(semanage_t)
+-
+-files_read_etc_files(semanage_t)
+-files_read_etc_runtime_files(semanage_t)
+-files_read_usr_files(semanage_t)
+-files_list_pids(semanage_t)
+-
+-mls_file_write_all_levels(semanage_t)
+-mls_file_read_all_levels(semanage_t)
+-
+-selinux_validate_context(semanage_t)
+-selinux_get_enforce_mode(semanage_t)
+-selinux_getattr_fs(semanage_t)
+-# for setsebool:
+ selinux_set_all_booleans(semanage_t)
++can_exec(semanage_t, semanage_exec_t)
+
+-term_use_all_terms(semanage_t)
+-
+-# Running genhomedircon requires this for finding all users
+-auth_use_nsswitch(semanage_t)
+-
+-locallogin_use_fds(semanage_t)
+-
+-logging_send_syslog_msg(semanage_t)
++# Admins are creating pp files in random locations
++files_read_non_security_files(semanage_t)
+
+-miscfiles_read_localization(semanage_t)
+-
+-seutil_libselinux_linked(semanage_t)
++seutil_semanage_policy(semanage_t)
+ seutil_manage_file_contexts(semanage_t)
+ seutil_manage_config(semanage_t)
+-seutil_run_setfiles(semanage_t, semanage_roles)
+-seutil_run_loadpolicy(semanage_t, semanage_roles)
+-seutil_manage_bin_policy(semanage_t)
+-seutil_use_newrole_fds(semanage_t)
+-seutil_manage_module_store(semanage_t)
+-seutil_get_semanage_trans_lock(semanage_t)
+-seutil_get_semanage_read_lock(semanage_t)
++seutil_domtrans_setfiles(semanage_t)
++
++#seutil_run_setfiles(semanage_t, semanage_roles)
++#seutil_run_loadpolicy(semanage_t, semanage_roles)
++#seutil_manage_bin_policy(semanage_t)
++#seutil_use_newrole_fds(semanage_t)
++#seutil_manage_module_store(semanage_t)
++#seutil_get_semanage_trans_lock(semanage_t)
++#seutil_get_semanage_read_lock(semanage_t)
+ # netfilter_contexts:
+ seutil_manage_default_contexts(semanage_t)
+
+ # Handle pp files created in homedir and /tmp
+ userdom_read_user_home_content_files(semanage_t)
+ userdom_read_user_tmp_files(semanage_t)
++userdom_home_reader(semanage_t)
+
+ ifdef(`distro_debian',`
+ files_read_var_lib_files(semanage_t)
+ files_read_var_lib_symlinks(semanage_t)
+ ')
+
+-ifdef(`distro_ubuntu',`
+- optional_policy(`
+- unconfined_domain(semanage_t)
+- ')
++optional_policy(`
++ dbus_system_domain(semanage_t, semanage_exec_t)
++')
++
++optional_policy(`
++ mock_manage_lib_files(semanage_t)
++ mock_manage_lib_dirs(semanage_t)
++')
++
++optional_policy(`
++ unconfined_domain(semanage_t)
++')
++
++####################################n####
++#
++# setsebool local policy
++#
++seutil_semanage_policy(setsebool_t)
++selinux_set_all_booleans(setsebool_t)
++
++init_dontaudit_use_fds(setsebool_t)
++
++# Bug in semanage
++seutil_domtrans_setfiles(setsebool_t)
++seutil_manage_file_contexts(setsebool_t)
++seutil_manage_default_contexts(setsebool_t)
++seutil_manage_config(setsebool_t)
++
++########################################
++#
++# Setfiles mac local policy
++#
++seutil_setfiles(setfiles_mac_t)
++allow setfiles_mac_t self:capability2 mac_admin;
++kernel_relabelto_unlabeled(setfiles_mac_t)
++
++optional_policy(`
++ files_dontaudit_write_isid_chr_files(setfiles_mac_t)
++ livecd_dontaudit_leaks(setfiles_mac_t)
++ livecd_rw_tmp_files(setfiles_mac_t)
++ dev_dontaudit_write_all_chr_files(setfiles_mac_t)
++')
++
++optional_policy(`
++ unconfined_domain(setfiles_mac_t)
+ ')
+
+ ########################################
+@@ -522,108 +603,180 @@ ifdef(`distro_ubuntu',`
+ # Setfiles local policy
+ #
+
+-allow setfiles_t self:capability { dac_override dac_read_search fowner };
+-dontaudit setfiles_t self:capability sys_tty_config;
+-allow setfiles_t self:fifo_file rw_file_perms;
+-
+-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
+-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
+-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
+-
+-kernel_read_system_state(setfiles_t)
+-kernel_relabelfrom_unlabeled_dirs(setfiles_t)
+-kernel_relabelfrom_unlabeled_files(setfiles_t)
+-kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
+-kernel_relabelfrom_unlabeled_pipes(setfiles_t)
+-kernel_relabelfrom_unlabeled_sockets(setfiles_t)
+-kernel_use_fds(setfiles_t)
+-kernel_rw_pipes(setfiles_t)
+-kernel_rw_unix_dgram_sockets(setfiles_t)
+-kernel_dontaudit_list_all_proc(setfiles_t)
+-kernel_dontaudit_list_all_sysctls(setfiles_t)
+-
+-dev_relabel_all_dev_nodes(setfiles_t)
+-
+-domain_use_interactive_fds(setfiles_t)
+-domain_dontaudit_search_all_domains_state(setfiles_t)
+-
+-files_read_etc_runtime_files(setfiles_t)
+-files_read_etc_files(setfiles_t)
+-files_list_all(setfiles_t)
+-files_relabel_all_files(setfiles_t)
+-files_read_usr_symlinks(setfiles_t)
+-
+-fs_getattr_xattr_fs(setfiles_t)
+-fs_list_all(setfiles_t)
+-fs_search_auto_mountpoints(setfiles_t)
+-fs_relabelfrom_noxattr_fs(setfiles_t)
+-
+-mls_file_read_all_levels(setfiles_t)
+-mls_file_write_all_levels(setfiles_t)
+-mls_file_upgrade(setfiles_t)
+-mls_file_downgrade(setfiles_t)
+-
+-selinux_validate_context(setfiles_t)
+-selinux_compute_access_vector(setfiles_t)
+-selinux_compute_create_context(setfiles_t)
+-selinux_compute_relabel_context(setfiles_t)
+-selinux_compute_user_contexts(setfiles_t)
+-
+-term_use_all_ttys(setfiles_t)
+-term_use_all_ptys(setfiles_t)
+-term_use_unallocated_ttys(setfiles_t)
+-
+-# this is to satisfy the assertion:
+-auth_relabelto_shadow(setfiles_t)
+-
+-init_use_fds(setfiles_t)
+-init_use_script_fds(setfiles_t)
+-init_use_script_ptys(setfiles_t)
+-init_exec_script_files(setfiles_t)
++seutil_setfiles(setfiles_t)
++# During boot in Rawhide
++term_use_generic_ptys(setfiles_t)
++
++# needs to be able to read symlinks to make restorecon on symlink working
++files_read_all_symlinks(setfiles_t)
+
+ logging_send_audit_msgs(setfiles_t)
+ logging_send_syslog_msg(setfiles_t)
+
+-miscfiles_read_localization(setfiles_t)
++optional_policy(`
++ devicekit_dontaudit_read_pid_files(setfiles_t)
++ devicekit_dontaudit_rw_log(setfiles_t)
++')
++
++optional_policy(`
++ # pki is leaking
++ pki_dontaudit_write_log(setfiles_t)
++')
++
++optional_policy(`
++ xserver_append_xdm_tmp_files(setfiles_t)
++')
+
+-seutil_libselinux_linked(setfiles_t)
++ifdef(`hide_broken_symptoms',`
++
++ optional_policy(`
++ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
++ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
++ ')
++')
++ifdef(`distro_ubuntu',`
++ optional_policy(`
++ unconfined_domain(setfiles_t)
++ ')
++')
+
+-userdom_use_all_users_fds(setfiles_t)
++########################################
++#
++# Setfiles common policy
++#
++allow setfiles_domain self:capability { dac_override dac_read_search fowner };
++dontaudit setfiles_domain self:capability sys_tty_config;
++allow setfiles_domain self:fifo_file rw_file_perms;
++dontaudit setfiles_domain self:dir relabelfrom;
++dontaudit setfiles_domain self:file relabelfrom;
++dontaudit setfiles_domain self:lnk_file relabelfrom;
++
++domain_relabelfrom(setfiles_domain)
++
++allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
++allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
++allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
++
++logging_send_audit_msgs(setfiles_domain)
++
++kernel_relabelfrom_unlabeled_dirs(setfiles_domain)
++kernel_relabelfrom_unlabeled_files(setfiles_domain)
++kernel_relabelfrom_unlabeled_symlinks(setfiles_domain)
++kernel_relabelfrom_unlabeled_pipes(setfiles_domain)
++kernel_relabelfrom_unlabeled_sockets(setfiles_domain)
++kernel_use_fds(setfiles_domain)
++kernel_rw_pipes(setfiles_domain)
++kernel_rw_unix_dgram_sockets(setfiles_domain)
++kernel_dontaudit_list_all_proc(setfiles_domain)
++kernel_read_all_sysctls(setfiles_domain)
++kernel_read_network_state_symlinks(setfiles_domain)
++
++dev_relabel_all_dev_nodes(setfiles_domain)
++dev_dontaudit_rw_lvm_control(setfiles_domain)
++dev_dontaudit_read_rand(setfiles_domain)
++dev_dontaudit_read_urand(setfiles_domain)
++
++domain_use_interactive_fds(setfiles_domain)
++domain_read_all_domains_state(setfiles_domain)
++
++files_read_etc_runtime_files(setfiles_domain)
++files_read_etc_files(setfiles_domain)
++files_list_all(setfiles_domain)
++files_list_isid_type_dirs(setfiles_domain)
++files_read_isid_type_files(setfiles_domain)
++files_dontaudit_read_all_symlinks(setfiles_domain)
++
++fs_getattr_all_fs(setfiles_domain)
++fs_list_all(setfiles_domain)
++fs_getattr_all_files(setfiles_domain)
++fs_search_auto_mountpoints(setfiles_domain)
++fs_relabelfrom_noxattr_fs(setfiles_domain)
++
++selinux_validate_context(setfiles_domain)
++selinux_compute_access_vector(setfiles_domain)
++selinux_compute_create_context(setfiles_domain)
++selinux_compute_relabel_context(setfiles_domain)
++selinux_compute_user_contexts(setfiles_domain)
++
++term_use_all_inherited_terms(setfiles_domain)
++
++init_use_fds(setfiles_domain)
++init_use_script_fds(setfiles_domain)
++init_use_script_ptys(setfiles_domain)
++init_exec_script_files(setfiles_domain)
++
++userdom_use_all_users_fds(setfiles_domain)
+ # for config files in a home directory
+-userdom_read_user_home_content_files(setfiles_t)
++userdom_read_user_home_content_files(setfiles_domain)
++userdom_rw_inherited_user_home_content_files(setfiles_domain)
+
+ ifdef(`distro_debian',`
+ # udev tmpfs is populated with static device nodes
+ # and then relabeled afterwards; thus
+ # /dev/console has the tmpfs type
+- fs_rw_tmpfs_chr_files(setfiles_t)
++ fs_rw_tmpfs_chr_files(setfiles_domain)
+ ')
+
+-ifdef(`distro_redhat', `
+- fs_rw_tmpfs_chr_files(setfiles_t)
+- fs_rw_tmpfs_blk_files(setfiles_t)
+- fs_relabel_tmpfs_blk_file(setfiles_t)
+- fs_relabel_tmpfs_chr_file(setfiles_t)
++ifdef(`distro_redhat',`
++ fs_rw_tmpfs_chr_files(setfiles_domain)
++ fs_rw_tmpfs_blk_files(setfiles_domain)
++ fs_relabel_tmpfs_blk_file(setfiles_domain)
++ fs_relabel_tmpfs_chr_file(setfiles_domain)
+ ')
+
+-ifdef(`distro_ubuntu',`
+- optional_policy(`
+- unconfined_domain(setfiles_t)
+- ')
++optional_policy(`
++ hotplug_use_fds(setfiles_domain)
+ ')
+
+-ifdef(`hide_broken_symptoms',`
+- optional_policy(`
+- udev_dontaudit_rw_dgram_sockets(setfiles_t)
+- ')
++allow policy_manager_domain self:capability { dac_override sys_nice sys_resource };
++dontaudit policy_manager_domain self:capability sys_tty_config;
++allow policy_manager_domain self:process { signal setsched };
++allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms;
++allow policy_manager_domain self:unix_dgram_socket create_socket_perms;
++allow policy_manager_domain self:fifo_file rw_fifo_file_perms;
+
+- # cjp: cover up stray file descriptors.
+- optional_policy(`
+- unconfined_dontaudit_read_pipes(setfiles_t)
+- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
+- ')
+-')
++dev_read_rand(policy_manager_domain)
++dev_read_urand(policy_manager_domain)
+
+-optional_policy(`
+- hotplug_use_fds(setfiles_t)
+-')
++logging_send_audit_msgs(policy_manager_domain)
++
++# Domains that will manage policy
++allow policy_manager_domain policy_config_t:file rw_file_perms;
++
++allow policy_manager_domain semanage_tmp_t:dir manage_dir_perms;
++allow policy_manager_domain semanage_tmp_t:file manage_file_perms;
++files_tmp_filetrans(policy_manager_domain, semanage_tmp_t, { file dir })
++
++kernel_read_kernel_sysctls(policy_manager_domain)
++
++corecmd_exec_bin(policy_manager_domain)
++corecmd_exec_shell(policy_manager_domain)
++
++dev_read_urand(policy_manager_domain)
++
++domain_use_interactive_fds(policy_manager_domain)
++
++files_read_etc_files(policy_manager_domain)
++files_read_etc_runtime_files(policy_manager_domain)
++files_read_usr_files(policy_manager_domain)
++files_list_pids(policy_manager_domain)
++fs_list_inotifyfs(policy_manager_domain)
++fs_getattr_all_fs(policy_manager_domain)
++
++selinux_validate_context(policy_manager_domain)
++selinux_read_policy(policy_manager_domain)
++
++term_use_all_inherited_terms(policy_manager_domain)
++
++locallogin_use_fds(policy_manager_domain)
++
++seutil_search_default_contexts(policy_manager_domain)
++seutil_domtrans_loadpolicy(policy_manager_domain)
++seutil_read_config(policy_manager_domain)
++seutil_use_newrole_fds(policy_manager_domain)
++seutil_manage_module_store(policy_manager_domain)
++seutil_get_semanage_trans_lock(policy_manager_domain)
++seutil_get_semanage_read_lock(policy_manager_domain)
++
++userdom_dontaudit_write_user_home_content_files(policy_manager_domain)
++userdom_use_user_ptys(policy_manager_domain)
+diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
+index bea4629..06e2834 100644
+--- a/policy/modules/system/setrans.fc
++++ b/policy/modules/system/setrans.fc
+@@ -2,4 +2,7 @@
+
+ /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
+
++/usr/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
++
+ /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
++/var/run/mcstransd\.pid gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
+diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
+index 1447687..d5e6fb9 100644
+--- a/policy/modules/system/setrans.te
++++ b/policy/modules/system/setrans.te
+@@ -12,6 +12,7 @@ gen_require(`
+ type setrans_t;
+ type setrans_exec_t;
+ init_daemon_domain(setrans_t, setrans_exec_t)
++mls_trusted_object(setrans_t)
+
+ type setrans_initrc_exec_t;
+ init_script_file(setrans_initrc_exec_t)
+@@ -78,7 +79,6 @@ locallogin_dontaudit_use_fds(setrans_t)
+
+ logging_send_syslog_msg(setrans_t)
+
+-miscfiles_read_localization(setrans_t)
+
+ seutil_read_config(setrans_t)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 346a7cc..1285089 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -17,10 +17,10 @@ ifdef(`distro_debian',`
+ /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
+-/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+-/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcp/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
+-/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+@@ -55,6 +55,20 @@ ifdef(`distro_redhat',`
+ #
+ # /usr
+ #
++/usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++
++/usr/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
++/usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
++/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
++/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
+ #
+@@ -72,3 +86,5 @@ ifdef(`distro_redhat',`
+ ifdef(`distro_gentoo',`
+ /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+ ')
++
++/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
+index 41a1853..af08353 100644
+--- a/policy/modules/system/sysnetwork.if
++++ b/policy/modules/system/sysnetwork.if
+@@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',`
+ #
+ interface(`sysnet_run_dhcpc',`
+ gen_require(`
+- attribute_role dhcpc_roles;
++ type dhcpc_t;
++ #attribute_role dhcpc_roles;
+ ')
+
++ #sysnet_domtrans_dhcpc($1)
++ #roleattribute $2 dhcpc_roles;
++
+ sysnet_domtrans_dhcpc($1)
+- roleattribute $2 dhcpc_roles;
++ role $2 types dhcpc_t;
++
++ modutils_run_insmod(dhcpc_t, $2)
++
++ sysnet_run_ifconfig(dhcpc_t, $2)
++
++ optional_policy(`
++ hostname_run(dhcpc_t, $2)
++ ')
++
++ optional_policy(`
++ netutils_run(dhcpc_t, $2)
++ netutils_run_ping(dhcpc_t, $2)
++ ')
++
++ optional_policy(`
++ networkmanager_run(dhcpc_t, $2)
++ ')
++
++ optional_policy(`
++ nis_run_ypbind(dhcpc_t, $2)
++ ')
++
++ optional_policy(`
++ nscd_run(dhcpc_t, $2)
++ ')
++
++ optional_policy(`
++ ntp_run(dhcpc_t, $2)
++ ')
++
++ seutil_run_setfiles(dhcpc_t, $2)
++
+ ')
+
+ ########################################
+@@ -271,6 +307,43 @@ interface(`sysnet_delete_dhcpc_state',`
+ delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
+ ')
+
++########################################
++##
++## Allow caller to relabel dhcpc_state files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_relabelfrom_dhcpc_state',`
++
++ gen_require(`
++ type dhcpc_state_t;
++ ')
++
++ allow $1 dhcpc_state_t:file relabelfrom;
++')
++
++#######################################
++##
++## Manage the dhcp client state files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_manage_dhcpc_state',`
++ gen_require(`
++ type dhcpc_state_t;
++ ')
++
++ manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
++')
++
+ #######################################
+ ##
+ ## Set the attributes of network config files.
+@@ -292,6 +365,44 @@ interface(`sysnet_setattr_config',`
+
+ #######################################
+ ##
++## Allow caller to relabel net_conf files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_relabelfrom_net_conf',`
++
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ allow $1 net_conf_t:file relabelfrom;
++')
++
++######################################
++##
++## Allow caller to relabel net_conf files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_relabelto_net_conf',`
++
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ allow $1 net_conf_t:file relabelto;
++')
++
++#######################################
++##
+ ## Read network config files.
+ ##
+ ##
+@@ -331,6 +442,7 @@ interface(`sysnet_read_config',`
+
+ ifdef(`distro_redhat',`
+ allow $1 net_conf_t:dir list_dir_perms;
++ allow $1 net_conf_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, net_conf_t, net_conf_t)
+ ')
+ ')
+@@ -433,6 +545,7 @@ interface(`sysnet_manage_config',`
+ allow $1 net_conf_t:file manage_file_perms;
+
+ ifdef(`distro_redhat',`
++ allow $1 net_conf_t:dir list_dir_perms;
+ manage_files_pattern($1, net_conf_t, net_conf_t)
+ ')
+ ')
+@@ -471,6 +584,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+ type dhcpc_var_run_t;
+ ')
+
++ files_rw_pid_dirs($1)
+ allow $1 dhcpc_var_run_t:file unlink;
+ ')
+
+@@ -561,6 +675,45 @@ interface(`sysnet_signal_ifconfig',`
+
+ ########################################
+ ##
++## Send a null signal to ifconfig.
++##
++##
++##
++## Domain allowed access.pwd
++
++##
++##
++##
++#
++interface(`sysnet_signull_ifconfig',`
++ gen_require(`
++ type ifconfig_t;
++ ')
++
++ allow $1 ifconfig_t:process signull;
++')
++
++########################################
++##
++## Send a kill signal to iconfig.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`sysnet_kill_ifconfig',`
++ gen_require(`
++ type ifconfig_t;
++ ')
++
++ allow $1 ifconfig_t:process sigkill;
++')
++
++########################################
++##
+ ## Read the DHCP configuration files.
+ ##
+ ##
+@@ -577,6 +730,7 @@ interface(`sysnet_read_dhcp_config',`
+ files_search_etc($1)
+ allow $1 dhcp_etc_t:dir list_dir_perms;
+ read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
++ allow $1 dhcp_etc_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -662,8 +816,6 @@ interface(`sysnet_dns_name_resolve',`
+ allow $1 self:udp_socket create_socket_perms;
+ allow $1 self:netlink_route_socket r_netlink_socket_perms;
+
+- corenet_all_recvfrom_unlabeled($1)
+- corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+@@ -673,6 +825,8 @@ interface(`sysnet_dns_name_resolve',`
+ corenet_tcp_connect_dns_port($1)
+ corenet_sendrecv_dns_client_packets($1)
+
++ miscfiles_read_generic_certs($1)
++
+ sysnet_read_config($1)
+
+ optional_policy(`
+@@ -701,8 +855,6 @@ interface(`sysnet_use_ldap',`
+
+ allow $1 self:tcp_socket create_socket_perms;
+
+- corenet_all_recvfrom_unlabeled($1)
+- corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_ldap_port($1)
+@@ -714,6 +866,9 @@ interface(`sysnet_use_ldap',`
+ dev_read_urand($1)
+
+ sysnet_read_config($1)
++
++ # LDAP Configuration using encrypted requires
++ dev_read_urand($1)
+ ')
+
+ ########################################
+@@ -735,7 +890,6 @@ interface(`sysnet_use_portmap',`
+ allow $1 self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+- corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+@@ -747,3 +901,73 @@ interface(`sysnet_use_portmap',`
+
+ sysnet_read_config($1)
+ ')
++
++########################################
++##
++## Do not audit attempts to use
++## the dhcp file descriptors.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`sysnet_dontaudit_dhcpc_use_fds',`
++ gen_require(`
++ type dhcpc_t;
++ ')
++
++ dontaudit $1 dhcpc_t:fd use;
++')
++
++########################################
++##
++## Transition to system_r when execute an dhclient script
++##
++##
++##
++## Execute dhclient script in a specified role
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++##
++##
++## Role to transition from.
++##
++##
++interface(`sysnet_role_transition_dhcpc',`
++ gen_require(`
++ type dhcpc_exec_t;
++ ')
++
++ role_transition $1 dhcpc_exec_t system_r;
++')
++
++########################################
++##
++## Transition to sysnet named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_filetrans_named_content',`
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
++ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
++ files_etc_filetrans($1, net_conf_t, file, "hosts")
++ files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
++ files_etc_filetrans($1, net_conf_t, file, "ethers")
++ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
++')
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index ed363e1..808e49e 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.14.0)
+ # Declarations
+ #
+
+-attribute_role dhcpc_roles;
+-roleattribute system_r dhcpc_roles;
++##
++##
++## Allow dhcpc client applications to execute iptables commands
++##
++##
++gen_tunable(dhcpc_exec_iptables, false)
++
++#attribute_role dhcpc_roles;
++#roleattribute system_r dhcpc_roles;
+
+ # this is shared between dhcpc and dhcpd:
+ type dhcp_etc_t;
+@@ -20,7 +27,11 @@ files_type(dhcp_state_t)
+ type dhcpc_t;
+ type dhcpc_exec_t;
+ init_daemon_domain(dhcpc_t, dhcpc_exec_t)
+-role dhcpc_roles types dhcpc_t;
++#role dhcpc_roles types dhcpc_t;
++role system_r types dhcpc_t;
++
++type dhcpc_helper_exec_t;
++init_script_file(dhcpc_helper_exec_t)
+
+ type dhcpc_state_t;
+ files_type(dhcpc_state_t)
+@@ -37,17 +48,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
+ role system_r types ifconfig_t;
+
+ type net_conf_t alias resolv_conf_t;
+-files_type(net_conf_t)
++files_config_file(net_conf_t)
+
+ ########################################
+ #
+ # DHCP client local policy
+ #
+ allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
++dontaudit dhcpc_t self:capability sys_tty_config;
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
++allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms };
+
+ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
+ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
+@@ -60,8 +71,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+ exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+
+ allow dhcpc_t dhcp_state_t:file read_file_perms;
++allow dhcpc_t dhcp_state_t:file relabel_file_perms;
++
+ manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
+ filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
++allow dhcpc_t dhcpc_state_t:file relabel_file_perms;
+
+ # create pid file
+ manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
+@@ -69,6 +83,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
+
+ # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
+ # in /etc created by dhcpcd will be labelled net_conf_t.
++allow dhcpc_t net_conf_t:file manage_file_perms;
++allow dhcpc_t net_conf_t:file relabel_file_perms;
+ sysnet_manage_config(dhcpc_t)
+ files_etc_filetrans(dhcpc_t, net_conf_t, file)
+
+@@ -90,27 +106,29 @@ kernel_rw_net_sysctls(dhcpc_t)
+ corecmd_exec_bin(dhcpc_t)
+ corecmd_exec_shell(dhcpc_t)
+
+-corenet_all_recvfrom_unlabeled(dhcpc_t)
+ corenet_all_recvfrom_netlabel(dhcpc_t)
+-corenet_tcp_sendrecv_all_if(dhcpc_t)
+-corenet_raw_sendrecv_all_if(dhcpc_t)
+-corenet_udp_sendrecv_all_if(dhcpc_t)
+-corenet_tcp_sendrecv_all_nodes(dhcpc_t)
+-corenet_raw_sendrecv_all_nodes(dhcpc_t)
+-corenet_udp_sendrecv_all_nodes(dhcpc_t)
++corenet_tcp_sendrecv_generic_if(dhcpc_t)
++corenet_raw_sendrecv_generic_if(dhcpc_t)
++corenet_udp_sendrecv_generic_if(dhcpc_t)
++corenet_tcp_sendrecv_generic_node(dhcpc_t)
++corenet_raw_sendrecv_generic_node(dhcpc_t)
++corenet_udp_sendrecv_generic_node(dhcpc_t)
+ corenet_tcp_sendrecv_all_ports(dhcpc_t)
+ corenet_udp_sendrecv_all_ports(dhcpc_t)
+-corenet_tcp_bind_all_nodes(dhcpc_t)
+-corenet_udp_bind_all_nodes(dhcpc_t)
++corenet_tcp_bind_generic_node(dhcpc_t)
++corenet_udp_bind_generic_node(dhcpc_t)
+ corenet_udp_bind_dhcpc_port(dhcpc_t)
+ corenet_tcp_connect_all_ports(dhcpc_t)
+ corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
+ corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
++corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t)
++corenet_udp_bind_all_unreserved_ports(dhcpc_t)
+
+ dev_read_sysfs(dhcpc_t)
+ # for SSP:
+ dev_read_urand(dhcpc_t)
+
++domain_obj_id_change_exemption(dhcpc_t)
+ domain_use_interactive_fds(dhcpc_t)
+ domain_dontaudit_read_all_domains_state(dhcpc_t)
+
+@@ -130,15 +148,20 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+ term_dontaudit_use_unallocated_ttys(dhcpc_t)
+ term_dontaudit_use_generic_ptys(dhcpc_t)
+
++auth_use_nsswitch(dhcpc_t)
++
+ init_rw_utmp(dhcpc_t)
++init_stream_connect(dhcpc_t)
++init_stream_send(dhcpc_t)
+
+ logging_send_syslog_msg(dhcpc_t)
+
+-miscfiles_read_localization(dhcpc_t)
++miscfiles_read_generic_certs(dhcpc_t)
+
+-modutils_run_insmod(dhcpc_t, dhcpc_roles)
++#modutils_run_insmod(dhcpc_t, dhcpc_roles)
++modutils_domtrans_insmod(dhcpc_t)
++#sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
+
+-sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
+
+ userdom_use_user_terminals(dhcpc_t)
+ userdom_dontaudit_search_user_home_dirs(dhcpc_t)
+@@ -153,8 +176,23 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+
++#optional_policy(`
++# consoletype_run(dhcpc_t, dhcpc_roles)
++#')
++
++optional_policy(`
++ chronyd_initrc_domtrans(dhcpc_t)
++ chronyd_systemctl(dhcpc_t)
++ chronyd_read_keys(dhcpc_t)
++')
++
++optional_policy(`
++ consoletype_exec(dhcpc_t)
++')
++
+ optional_policy(`
+- consoletype_run(dhcpc_t, dhcpc_roles)
++ devicekit_dontaudit_rw_log(dhcpc_t)
++ devicekit_dontaudit_read_pid_files(dhcpc_t)
+ ')
+
+ optional_policy(`
+@@ -169,11 +207,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- hostname_run(dhcpc_t, dhcpc_roles)
++ hostname_domtrans(dhcpc_t)
++# hostname_run(dhcpc_t, dhcpc_roles)
+ ')
+
+ optional_policy(`
+ hal_dontaudit_rw_dgram_sockets(dhcpc_t)
++ hal_dontaudit_read_pid_files(dhcpc_t)
++ hal_dontaudit_write_log(dhcpc_t)
+ ')
+
+ optional_policy(`
+@@ -187,25 +228,41 @@ optional_policy(`
+
+ # for the dhcp client to run ping to check IP addresses
+ optional_policy(`
+- netutils_run_ping(dhcpc_t, dhcpc_roles)
+- netutils_run(dhcpc_t, dhcpc_roles)
++ #netutils_run_ping(dhcpc_t, dhcpc_roles)
++ #netutils_run(dhcpc_t, dhcpc_roles)
++ netutils_domtrans_ping(dhcpc_t)
++ netutils_domtrans(dhcpc_t)
+ ',`
+ allow dhcpc_t self:capability setuid;
+ allow dhcpc_t self:rawip_socket create_socket_perms;
+ ')
+
+ optional_policy(`
++ modutils_domtrans_insmod(dhcpc_t)
++')
++
++optional_policy(`
++ networkmanager_domtrans(dhcpc_t)
++ networkmanager_read_pid_files(dhcpc_t)
++ networkmanager_manage_lib(dhcpc_t)
++')
++
++optional_policy(`
++ nis_initrc_domtrans_ypbind(dhcpc_t)
+ nis_read_ypbind_pid(dhcpc_t)
++ nis_systemctl_ypbind(dhcpc_t)
+ ')
+
+ optional_policy(`
+ nscd_initrc_domtrans(dhcpc_t)
++ nscd_systemctl(dhcpc_t)
+ nscd_domtrans(dhcpc_t)
+ nscd_read_pid(dhcpc_t)
+ ')
+
+ optional_policy(`
+ ntp_initrc_domtrans(dhcpc_t)
++ ntp_systemctl(dhcpc_t)
+ ')
+
+ optional_policy(`
+@@ -215,7 +272,11 @@ optional_policy(`
+
+ optional_policy(`
+ seutil_sigchld_newrole(dhcpc_t)
+- seutil_dontaudit_search_config(dhcpc_t)
++ seutil_domtrans_setfiles(dhcpc_t)
++')
++optional_policy(`
++ systemd_passwd_agent_domtrans(dhcpc_t)
++ systemd_signal_passwd_agent(dhcpc_t)
+ ')
+
+ optional_policy(`
+@@ -258,6 +319,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+ allow ifconfig_t self:msg { send receive };
+ # Create UDP sockets, necessary when called from dhcpc
+ allow ifconfig_t self:udp_socket create_socket_perms;
++allow ifconfig_t self:appletalk_socket create_socket_perms;
+ # for /sbin/ip
+ allow ifconfig_t self:packet_socket create_socket_perms;
+ allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
+@@ -276,11 +338,18 @@ corenet_rw_tun_tap_dev(ifconfig_t)
+ dev_read_sysfs(ifconfig_t)
+ # for IPSEC setup:
+ dev_read_urand(ifconfig_t)
++# needed by tuned
++dev_rw_netcontrol(ifconfig_t)
+
+ domain_use_interactive_fds(ifconfig_t)
+
++read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
++
++files_dontaudit_rw_inherited_pipes(ifconfig_t)
++files_dontaudit_read_root_files(ifconfig_t)
+ files_read_etc_files(ifconfig_t)
+ files_read_etc_runtime_files(ifconfig_t)
++files_read_usr_files(ifconfig_t)
+
+ fs_getattr_xattr_fs(ifconfig_t)
+ fs_search_auto_mountpoints(ifconfig_t)
+@@ -293,22 +362,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+ term_dontaudit_use_ptmx(ifconfig_t)
+ term_dontaudit_use_generic_ptys(ifconfig_t)
+
+-files_dontaudit_read_root_files(ifconfig_t)
++auth_use_nsswitch(ifconfig_t)
+
+ init_use_fds(ifconfig_t)
+ init_use_script_ptys(ifconfig_t)
++init_rw_inherited_script_tmp_files(ifconfig_t)
+
+ libs_read_lib_files(ifconfig_t)
+
+ logging_send_syslog_msg(ifconfig_t)
+
+-miscfiles_read_localization(ifconfig_t)
+-
+-modutils_domtrans_insmod(ifconfig_t)
+
+ seutil_use_runinit_fds(ifconfig_t)
+
+-userdom_use_user_terminals(ifconfig_t)
++sysnet_dns_name_resolve(ifconfig_t)
++
++userdom_use_inherited_user_terminals(ifconfig_t)
+ userdom_use_all_users_fds(ifconfig_t)
+
+ ifdef(`distro_ubuntu',`
+@@ -317,7 +386,22 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+
++optional_policy(`
++ brctl_domtrans(ifconfig_t)
++')
++
++optional_policy(`
++ cfengine_dontaudit_write_log(ifconfig_t)
++')
++
++optional_policy(`
++ ctdbd_read_lib_files(ifconfig_t)
++')
++
+ ifdef(`hide_broken_symptoms',`
++ # caused by some bogus kernel code
++ dontaudit ifconfig_t self:capability sys_module;
++
+ optional_policy(`
+ dev_dontaudit_rw_cardmgr(ifconfig_t)
+ ')
+@@ -328,8 +412,14 @@ ifdef(`hide_broken_symptoms',`
+ ')
+
+ optional_policy(`
++ devicekit_dontaudit_read_pid_files(ifconfig_t)
++')
++
++optional_policy(`
+ hal_dontaudit_rw_pipes(ifconfig_t)
+ hal_dontaudit_rw_dgram_sockets(ifconfig_t)
++ hal_dontaudit_read_pid_files(ifconfig_t)
++ hal_write_log(ifconfig_t)
+ ')
+
+ optional_policy(`
+@@ -338,7 +428,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(ifconfig_t)
++ kdump_dontaudit_read_config(ifconfig_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(ifconfig_t)
++')
++
++optional_policy(`
++ netutils_domtrans(dhcpc_t)
+ ')
+
+ optional_policy(`
+@@ -359,3 +457,9 @@ optional_policy(`
+ xen_append_log(ifconfig_t)
+ xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
+ ')
++
++optional_policy(`
++ tunable_policy(`dhcpc_exec_iptables',`
++ iptables_domtrans(dhcpc_t)
++ ')
++')
+diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
+new file mode 100644
+index 0000000..6d7c302
+--- /dev/null
++++ b/policy/modules/system/systemd.fc
+@@ -0,0 +1,34 @@
++/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
++/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
++/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
++/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++
++/usr/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
++/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
++/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
++/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
++
++/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
++/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*reboot.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*sleep.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*shutdown.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*suspend.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
++/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
++/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++
++/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
++/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
++
++/var/run/nologin gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
++/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
++/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
++/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
++/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
++/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
++/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
++/var/run/initramfs(/.*)? <>
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+new file mode 100644
+index 0000000..5d53f08
+--- /dev/null
++++ b/policy/modules/system/systemd.if
+@@ -0,0 +1,924 @@
++## SELinux policy for systemd components
++
++#######################################
++##
++## Create a domain for processes which are started
++## exuting systemctl.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_systemctl_domain',`
++ gen_require(`
++ type systemd_systemctl_exec_t;
++ role system_r;
++ attribute systemctl_domain;
++ ')
++
++ type $1_systemctl_t, systemctl_domain;
++ domain_type($1_systemctl_t)
++ domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t)
++
++ role system_r types $1_systemctl_t;
++
++ domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)
++')
++
++########################################
++##
++## Execute systemctl in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_exec_systemctl',`
++ gen_require(`
++ type systemd_systemctl_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, systemd_systemctl_exec_t)
++
++ fs_list_cgroup_dirs($1)
++ fs_read_cgroup_files($1)
++ systemd_list_unit_dirs($1)
++ init_list_pid_dirs($1)
++ init_read_state($1)
++ init_stream_send($1)
++ init_stream_connect($1)
++
++ systemd_login_list_pid_dirs($1)
++ systemd_login_read_pid_files($1)
++ systemd_passwd_agent_exec($1)
++')
++
++#######################################
++##
++## Create a file type used for systemd unit files.
++##
++##
++##
++## Type to be used for an unit file.
++##
++##
++#
++interface(`systemd_unit_file',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ typeattribute $1 systemd_unit_file_type;
++ files_type($1)
++')
++
++######################################
++##
++## Allow domain to search systemd unit dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_search_unit_dirs',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 systemd_unit_file_type:dir search_dir_perms;
++')
++
++######################################
++##
++## Allow domain to list systemd unit dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_list_unit_dirs',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 systemd_unit_file_type:dir list_dir_perms;
++')
++
++#####################################
++##
++## Allow domain to getattr all systemd unit files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_getattr_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 systemd_unit_file_type:file getattr_file_perms;
++')
++
++######################################
++##
++## Allow domain to read all systemd unit files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_read_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 systemd_unit_file_type:file read_file_perms;
++ allow $1 systemd_unit_file_type:lnk_file read_lnk_file_perms;
++ allow $1 systemd_unit_file_type:dir list_dir_perms;
++')
++
++#####################################
++##
++## Dontaudit domain to read all systemd unit files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`systemd_dontaudit_read_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ dontaudit $1 systemd_unit_file_type:file read_file_perms;
++')
++
++######################################
++##
++## Read systemd_login PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_read_pid_files',`
++ gen_require(`
++ type systemd_logind_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
++')
++
++######################################
++##
++## Read systemd_login PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_list_pid_dirs',`
++ gen_require(`
++ type systemd_logind_var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
++')
++
++######################################
++##
++## Use and and inherited systemd
++## logind file descriptors.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_use_fds_logind',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:fd use;
++')
++
++######################################
++##
++## Read logind sessions files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_read_logind_sessions_files',`
++ gen_require(`
++ type systemd_logind_sessions_t;
++ ')
++
++ init_search_pid_dirs($1)
++ allow $1 systemd_logind_sessions_t:dir list_dir_perms;
++ read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)
++')
++
++######################################
++##
++## Write inherited logind sessions pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_write_inherited_logind_sessions_pipes',`
++ gen_require(`
++ type systemd_logind_sessions_t;
++ ')
++
++ allow $1 systemd_logind_sessions_t:fifo_file write;
++')
++
++######################################
++##
++## Write systemd inhibit pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_write_inhibit_pipes',`
++ gen_require(`
++ type systemd_logind_inhibit_var_run_t;
++ ')
++
++ allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
++')
++
++########################################
++##
++## Send and receive messages from
++## systemd logind over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_dbus_chat_logind',`
++ gen_require(`
++ type systemd_logind_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 systemd_logind_t:dbus send_msg;
++ allow systemd_logind_t $1:dbus send_msg;
++ ps_process_pattern(systemd_logind_t, $1)
++ allow systemd_logind_t $1:process signal;
++')
++
++#######################################
++##
++## Execute a domain transition to run systemd-tmpfiles.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_tmpfiles_domtrans',`
++ gen_require(`
++ type systemd_tmpfiles_t, systemd_tmpfiles_exec_t;
++ ')
++
++ domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t)
++')
++
++########################################
++##
++## Execute a domain transition to run systemd-tty-ask-password-agent.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_passwd_agent_domtrans',`
++ gen_require(`
++ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
++ ')
++
++ domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
++')
++
++#######################################
++##
++## Execute systemd-tty-ask-password-agent in the caller domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_passwd_agent_exec',`
++ gen_require(`
++ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
++ ')
++
++ can_exec($1, systemd_passwd_agent_exec_t)
++ systemd_manage_passwd_run($1)
++')
++
++########################################
++##
++## Execute a domain transition to run systemd_notify.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_notify_domtrans',`
++ gen_require(`
++ type systemd_notify_t, systemd_notify_exec_t;
++ ')
++
++ domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t)
++')
++
++########################################
++##
++## Execute systemd-tty-ask-password-agent in the systemd_passwd_agent domain, and
++## allow the specified role the systemd_passwd_agent domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the systemd_passwd_agent domain.
++##
++##
++#
++interface(`systemd_passwd_agent_run',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ ')
++
++ systemd_passwd_agent_domtrans($1)
++ role $2 types systemd_passwd_agent_t;
++')
++
++########################################
++##
++## Role access for systemd_passwd_agent
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`systemd_passwd_agent_role',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ ')
++
++ role $1 types systemd_passwd_agent_t;
++
++ systemd_passwd_agent_domtrans($2)
++
++ ps_process_pattern($2, systemd_passwd_agent_t)
++ allow $2 systemd_passwd_agent_t:process signal;
++')
++
++########################################
++##
++## Send generic signals to systemd_passwd_agent processes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_signal_passwd_agent',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ ')
++
++ allow $1 systemd_passwd_agent_t:process signal;
++')
++
++######################################
++##
++## Allow to domain to read systemd-passwd pipe
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_read_fifo_file_passwd_run',`
++ gen_require(`
++ type systemd_passwd_var_run_t;
++ ')
++
++ init_search_pid_dirs($1)
++ read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++')
++
++########################################
++##
++## Relabel to user home directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_relabelto_fifo_file_passwd_run',`
++ gen_require(`
++ type systemd_passwd_var_run_t;
++ ')
++
++ allow $1 systemd_passwd_var_run_t:fifo_file relabelto;
++')
++
++#######################################
++##
++## Relabel systemd unit directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_relabel_unit_dirs',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ relabel_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++#######################################
++##
++## Relabel systemd unit files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_relabel_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ relabel_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++#######################################
++##
++## Send generic signals to systemd_passwd_agent processes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_passwd_run',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ type systemd_passwd_var_run_t;
++ ')
++
++ init_search_pid_dirs($1)
++ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++ manage_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++
++ allow systemd_passwd_agent_t $1:process signull;
++ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
++')
++
++######################################
++##
++## Template for temporary sockets and files in /dev/.systemd/ask-password
++## which are used by systemd-passwd-agent
++##
++##
++##
++## The prefix of the domain (e.g., user
++## is the prefix for user_t).
++##
++##
++#
++interface(`systemd_passwd_agent_dev_template',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ ')
++
++ type systemd_$1_device_t;
++ files_type(systemd_$1_device_t)
++ dev_associate(systemd_$1_device_t)
++
++ dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
++ init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })
++ allow $1_t systemd_$1_device_t:file manage_file_perms;
++ allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms;
++
++ allow systemd_passwd_agent_t $1_t:process signull;
++ allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto;
++ allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write;
++ allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms;
++')
++
++########################################
++##
++## Allow the specified domain to connect to
++## systemd_logger with a unix socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_logger_stream_connect',`
++ gen_require(`
++ type systemd_logger_t;
++ ')
++
++ allow $1 systemd_logger_t:unix_stream_socket connectto;
++')
++
++########################################
++##
++## manage systemd unit dirs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_unit_dirs',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++########################################
++##
++## manage all systemd unit files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_all_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++########################################
++##
++## manage all systemd unit lnk_files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_all_unit_lnk_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++########################################
++##
++## Allow the specified domain to start all systemd services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_start_all_services',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ allow $1 systemd_unit_file_type:service start;
++')
++
++#######################################
++##
++## Allow the specified domain to reload all systemd services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_reload_all_services',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ allow $1 systemd_unit_file_type:service reload;
++')
++
++########################################
++##
++## Allow the specified domain to modify the systemd configuration of
++## all systemd services
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_config_all_services',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ allow $1 systemd_unit_file_type:service all_service_perms;
++ init_config_all_script_files($1)
++')
++
++
++########################################
++##
++## manage all systemd random seed file
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_random_seed',`
++ gen_require(`
++ type random_seed_t;
++ ')
++
++ allow $1 random_seed_t:file manage_file_perms;
++ files_var_lib_filetrans($1, random_seed_t, file, "random_seed")
++')
++
++
++########################################
++##
++## Transition to systemd named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_filetrans_named_content',`
++ gen_require(`
++ type systemd_passwd_var_run_t;
++ type systemd_logind_var_run_t;
++ ')
++
++ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
++ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
++ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
++')
++
++########################################
++##
++## Get the system status information from systemd_login
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_status',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:system status;
++')
++
++########################################
++##
++## Send systemd_login a null signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_signull',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:process signull;
++')
++
++########################################
++##
++## Tell systemd_login to reboot the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_reboot',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:system reboot;
++')
++
++########################################
++##
++## Tell systemd_login to halt the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_halt',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:system halt;
++')
++
++########################################
++##
++## Tell systemd_login to do an unknown access.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_undefined',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:system undefined;
++')
++
++########################################
++##
++## Configure generic unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_config_generic_services',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 systemd_unit_file_t:file read_file_perms;
++ allow $1 systemd_unit_file_t:service manage_service_perms;
++')
++
++########################################
++##
++## Configure power unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_config_power_services',`
++ gen_require(`
++ type power_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 power_unit_file_t:file read_file_perms;
++ allow $1 power_unit_file_t:service manage_service_perms;
++')
++
++########################################
++##
++## Start power unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_start_power_services',`
++ gen_require(`
++ type power_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 power_unit_file_t:service start;
++')
++
++#######################################
++##
++## Start power unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_start_all_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 systemd_unit_file_type:service start;
++')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+new file mode 100644
+index 0000000..223e3f0
+--- /dev/null
++++ b/policy/modules/system/systemd.te
+@@ -0,0 +1,451 @@
++policy_module(systemd, 1.0.0)
++
++#######################################
++#
++# Declarations
++#
++
++attribute systemd_unit_file_type;
++attribute systemd_domain;
++attribute systemctl_domain;
++
++type systemd_logger_t;
++type systemd_logger_exec_t;
++init_daemon_domain(systemd_logger_t, systemd_logger_exec_t)
++
++type systemd_logind_t;
++type systemd_logind_exec_t;
++init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
++
++# /run/systemd/sessions
++type systemd_logind_sessions_t;
++files_pid_file(systemd_logind_sessions_t)
++
++# /run/systemd/{seats, users}
++type systemd_logind_var_run_t;
++files_pid_file(systemd_logind_var_run_t)
++
++type systemd_logind_inhibit_var_run_t;
++files_pid_file(systemd_logind_inhibit_var_run_t)
++
++type random_seed_t;
++files_security_file(random_seed_t)
++
++# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
++# systemd components
++
++type systemd_passwd_agent_t;
++type systemd_passwd_agent_exec_t;
++init_daemon_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
++
++type systemd_passwd_var_run_t alias systemd_device_t;
++files_pid_file(systemd_passwd_var_run_t)
++
++# domain for systemd-tmpfiles component
++type systemd_tmpfiles_t;
++type systemd_tmpfiles_exec_t;
++init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
++
++type systemd_notify_t;
++type systemd_notify_exec_t;
++init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
++
++# type for systemd unit files
++type systemd_unit_file_t;
++systemd_unit_file(systemd_unit_file_t)
++
++type power_unit_file_t;
++systemd_unit_file(power_unit_file_t)
++
++# executable for systemctl
++type systemd_systemctl_exec_t;
++corecmd_executable_file(systemd_systemctl_exec_t)
++
++#######################################
++#
++# Systemd_logind local policy
++#
++
++# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
++allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
++allow systemd_logind_t self:process getcap;
++allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
++
++mls_file_read_all_levels(systemd_logind_t)
++mls_file_write_all_levels(systemd_logind_t)
++
++manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
++manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
++manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
++init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
++init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
++
++manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
++manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
++manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
++manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
++
++kernel_read_system_state(systemd_logind_t)
++
++dev_getattr_all_chr_files(systemd_logind_t)
++dev_getattr_all_blk_files(systemd_logind_t)
++dev_rw_sysfs(systemd_logind_t)
++dev_rw_input_dev(systemd_logind_t)
++dev_setattr_all_chr_files(systemd_logind_t)
++dev_setattr_dri_dev(systemd_logind_t)
++dev_setattr_generic_usb_dev(systemd_logind_t)
++dev_setattr_input_dev(systemd_logind_t)
++dev_setattr_kvm_dev(systemd_logind_t)
++dev_setattr_mouse_dev(systemd_logind_t)
++dev_setattr_sound_dev(systemd_logind_t)
++dev_setattr_video_dev(systemd_logind_t)
++dev_write_kmsg(systemd_logind_t)
++
++domain_read_all_domains_state(systemd_logind_t)
++domain_signal_all_domains(systemd_logind_t)
++domain_signull_all_domains(systemd_logind_t)
++domain_kill_all_domains(systemd_logind_t)
++
++# /etc/udev/udev.conf should probably have a private type if only for confined administration
++# /etc/nsswitch.conf
++files_read_etc_files(systemd_logind_t)
++
++# /sys/fs/cgroup/systemd/user
++fs_manage_cgroup_dirs(systemd_logind_t)
++# write getattr open setattr
++fs_manage_cgroup_files(systemd_logind_t)
++fs_getattr_tmpfs(systemd_logind_t)
++fs_read_tmpfs_symlinks(systemd_logind_t)
++
++mcs_killall(systemd_logind_t)
++
++storage_setattr_removable_dev(systemd_logind_t)
++storage_setattr_scsi_generic_dev(systemd_logind_t)
++
++term_use_unallocated_ttys(systemd_logind_t)
++
++init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
++
++init_status(systemd_logind_t)
++init_signal(systemd_logind_t)
++init_reboot(systemd_logind_t)
++init_halt(systemd_logind_t)
++init_undefined(systemd_logind_t)
++init_signal_script(systemd_logind_t)
++
++getty_systemctl(systemd_logind_t)
++
++systemd_config_generic_services(systemd_logind_t)
++
++# /run/user/.*
++# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
++auth_manage_var_auth(systemd_logind_t)
++auth_use_nsswitch(systemd_logind_t)
++
++authlogin_read_state(systemd_logind_t)
++
++init_dbus_chat(systemd_logind_t)
++init_dbus_chat_script(systemd_logind_t)
++init_read_script_state(systemd_logind_t)
++init_read_state(systemd_logind_t)
++init_rw_stream_sockets(systemd_logind_t)
++
++logging_send_syslog_msg(systemd_logind_t)
++logging_stream_connect_syslog(systemd_logind_t)
++
++
++udev_read_db(systemd_logind_t)
++udev_manage_rules_files(systemd_logind_t)
++
++userdom_read_all_users_state(systemd_logind_t)
++userdom_use_user_ttys(systemd_logind_t)
++userdom_manage_all_user_tmp_content(systemd_logind_t)
++
++optional_policy(`
++ apache_read_tmp_files(systemd_logind_t)
++')
++
++optional_policy(`
++ cron_dbus_chat_crond(systemd_logind_t)
++ cron_read_state_crond(systemd_logind_t)
++')
++
++optional_policy(`
++ dbus_connect_system_bus(systemd_logind_t)
++ dbus_system_bus_client(systemd_logind_t)
++')
++
++optional_policy(`
++ devicekit_dbus_chat_power(systemd_logind_t)
++ devicekit_dbus_chat_disk(systemd_logind_t)
++')
++
++optional_policy(`
++ # we label /run/user/$USER/dconf as config_home_t
++ gnome_manage_home_config_dirs(systemd_logind_t)
++ gnome_manage_home_config(systemd_logind_t)
++ gnome_manage_gkeyringd_tmp_dirs(systemd_logind_t)
++ gnome_manage_gstreamer_home_dirs(systemd_logind_t)
++')
++
++optional_policy(`
++ policykit_dbus_chat(systemd_logind_t)
++')
++
++optional_policy(`
++ rpm_dbus_chat(systemd_logind_t)
++')
++
++optional_policy(`
++ # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
++ xserver_search_xdm_tmp_dirs(systemd_logind_t)
++')
++
++#######################################
++#
++# Local policy
++#
++
++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
++allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
++allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
++
++kernel_stream_connect(systemd_passwd_agent_t)
++
++files_read_etc_files(systemd_passwd_agent_t)
++
++dev_create_generic_dirs(systemd_passwd_agent_t)
++dev_read_generic_files(systemd_passwd_agent_t)
++dev_write_generic_sock_files(systemd_passwd_agent_t)
++
++term_read_console(systemd_passwd_agent_t)
++
++auth_use_nsswitch(systemd_passwd_agent_t)
++
++init_create_pid_dirs(systemd_passwd_agent_t)
++init_rw_pipes(systemd_passwd_agent_t)
++init_read_utmp(systemd_passwd_agent_t)
++init_stream_connect(systemd_passwd_agent_t)
++
++logging_send_syslog_msg(systemd_passwd_agent_t)
++logging_stream_connect_syslog(systemd_passwd_agent_t)
++
++
++userdom_use_user_ptys(systemd_passwd_agent_t)
++
++optional_policy(`
++ lvm_signull(systemd_passwd_agent_t)
++')
++
++optional_policy(`
++ plymouthd_stream_connect(systemd_passwd_agent_t)
++')
++
++#######################################
++#
++# Local policy
++#
++
++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
++allow systemd_tmpfiles_t self:process { setfscreate };
++
++allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
++
++kernel_read_network_state(systemd_tmpfiles_t)
++kernel_request_load_module(systemd_tmpfiles_t)
++
++dev_write_kmsg(systemd_tmpfiles_t)
++dev_rw_sysfs(systemd_tmpfiles_t)
++dev_relabel_all_sysfs(systemd_tmpfiles_t)
++dev_relabel_cpu_online(systemd_tmpfiles_t)
++dev_read_cpu_online(systemd_tmpfiles_t)
++dev_manage_printer(systemd_tmpfiles_t)
++dev_relabel_printer(systemd_tmpfiles_t)
++
++domain_obj_id_change_exemption(systemd_tmpfiles_t)
++
++# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
++fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
++fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
++fs_list_all(systemd_tmpfiles_t)
++
++files_read_etc_files(systemd_tmpfiles_t)
++files_getattr_all_dirs(systemd_tmpfiles_t)
++files_getattr_all_files(systemd_tmpfiles_t)
++files_getattr_all_sockets(systemd_tmpfiles_t)
++files_getattr_all_symlinks(systemd_tmpfiles_t)
++files_relabel_all_lock_dirs(systemd_tmpfiles_t)
++files_relabel_all_pid_dirs(systemd_tmpfiles_t)
++files_relabel_all_pid_files(systemd_tmpfiles_t)
++files_manage_all_pids(systemd_tmpfiles_t)
++files_manage_all_pid_dirs(systemd_tmpfiles_t)
++files_manage_all_locks(systemd_tmpfiles_t)
++files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
++files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
++files_delete_boot_flag(systemd_tmpfiles_t)
++files_delete_all_non_security_files(systemd_tmpfiles_t)
++files_delete_all_pid_sockets(systemd_tmpfiles_t)
++files_delete_all_pid_pipes(systemd_tmpfiles_t)
++files_purge_tmp(systemd_tmpfiles_t)
++files_manage_generic_tmp_files(systemd_tmpfiles_t)
++files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
++files_relabelfrom_tmp_dirs(systemd_tmpfiles_t)
++files_relabelfrom_tmp_files(systemd_tmpfiles_t)
++files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
++files_relabel_all_tmp_files(systemd_tmpfiles_t)
++files_list_lost_found(systemd_tmpfiles_t)
++
++mcs_file_read_all(systemd_tmpfiles_t)
++mcs_file_write_all(systemd_tmpfiles_t)
++mls_file_read_all_levels(systemd_tmpfiles_t)
++mls_file_write_all_levels(systemd_tmpfiles_t)
++
++selinux_get_enforce_mode(systemd_tmpfiles_t)
++
++auth_manage_faillog(systemd_tmpfiles_t)
++auth_relabel_faillog(systemd_tmpfiles_t)
++auth_manage_var_auth(systemd_tmpfiles_t)
++auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
++auth_relabel_login_records(systemd_tmpfiles_t)
++auth_setattr_login_records(systemd_tmpfiles_t)
++auth_use_nsswitch(systemd_tmpfiles_t)
++
++init_dgram_send(systemd_tmpfiles_t)
++init_rw_stream_sockets(systemd_tmpfiles_t)
++
++logging_create_devlog_dev(systemd_tmpfiles_t)
++logging_send_syslog_msg(systemd_tmpfiles_t)
++logging_stream_connect_syslog(systemd_tmpfiles_t)
++
++miscfiles_filetrans_named_content(systemd_tmpfiles_t)
++miscfiles_manage_man_pages(systemd_tmpfiles_t)
++miscfiles_relabel_man_pages(systemd_tmpfiles_t)
++miscfiles_delete_man_pages(systemd_tmpfiles_t)
++
++seutil_read_config(systemd_tmpfiles_t)
++seutil_read_file_contexts(systemd_tmpfiles_t)
++
++ifdef(`distro_redhat',`
++ userdom_list_user_home_content(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_files(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t)
++ userdom_delete_admin_home_files(systemd_tmpfiles_t)
++')
++
++optional_policy(`
++ apache_delete_sys_content_rw(systemd_tmpfiles_t)
++ apache_list_cache(systemd_tmpfiles_t)
++ apache_delete_cache_dirs(systemd_tmpfiles_t)
++ apache_delete_cache_files(systemd_tmpfiles_t)
++ apache_setattr_cache_dirs(systemd_tmpfiles_t)
++')
++
++
++optional_policy(`
++ auth_rw_login_records(systemd_tmpfiles_t)
++')
++
++optional_policy(`
++ # we have /run/user/$USER/dconf
++ gnome_delete_home_config(systemd_tmpfiles_t)
++ gnome_delete_home_config_dirs(systemd_tmpfiles_t)
++ gnome_setattr_home_config_dirs(systemd_tmpfiles_t)
++')
++
++optional_policy(`
++ rpm_read_db(systemd_tmpfiles_t)
++ rpm_delete_db(systemd_tmpfiles_t)
++')
++
++optional_policy(`
++ sandbox_list(systemd_tmpfiles_t)
++ sandbox_delete_dirs(systemd_tmpfiles_t)
++ sandbox_delete_files(systemd_tmpfiles_t)
++ sandbox_delete_lnk_files(systemd_tmpfiles_t)
++ sandbox_delete_pipes(systemd_tmpfiles_t)
++ sandbox_delete_sock_files(systemd_tmpfiles_t)
++ sandbox_setattr_dirs(systemd_tmpfiles_t)
++')
++
++########################################
++#
++# systemd_notify local policy
++#
++allow systemd_notify_t self:capability chown;
++allow systemd_notify_t self:process { fork setfscreate setsockcreate };
++
++allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
++allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
++
++domain_use_interactive_fds(systemd_notify_t)
++
++files_read_etc_files(systemd_notify_t)
++files_read_usr_files(systemd_notify_t)
++
++fs_getattr_cgroup_files(systemd_notify_t)
++
++auth_use_nsswitch(systemd_notify_t)
++
++init_rw_stream_sockets(systemd_notify_t)
++
++
++optional_policy(`
++ readahead_manage_pid_files(systemd_notify_t)
++')
++
++########################################
++#
++# systemd_logger local policy
++#
++
++allow systemd_logger_t self:capability { sys_admin chown kill };
++allow systemd_logger_t self:process { fork setfscreate setsockcreate };
++
++allow systemd_logger_t self:fifo_file rw_fifo_file_perms;
++allow systemd_logger_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_use_fds(systemd_logger_t)
++
++dev_write_kmsg(systemd_logger_t)
++
++domain_use_interactive_fds(systemd_logger_t)
++
++files_read_etc_files(systemd_logger_t)
++files_read_usr_files(systemd_logger_t)
++
++# only needs write
++term_use_generic_ptys(systemd_logger_t)
++
++auth_use_nsswitch(systemd_logger_t)
++
++# /run/systemd/notify
++init_write_pid_socket(systemd_logger_t)
++
++logging_send_syslog_msg(systemd_logger_t)
++logging_stream_connect_syslog(systemd_logger_t)
++
++########################################
++#
++# systemd_sysctl domains local policy
++#
++
++allow systemctl_domain systemd_unit_file_type:dir search_dir_perms;
++
++fs_list_cgroup_dirs(systemctl_domain)
++fs_read_cgroup_files(systemctl_domain)
++
++# needed by systemctl
++init_dgram_send(systemctl_domain)
++init_stream_connect(systemctl_domain)
++init_read_state(systemctl_domain)
++init_list_pid_dirs(systemctl_domain)
++init_use_fds(systemctl_domain)
+diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
+index 2575393..49fd32e 100644
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -1,6 +1,8 @@
+-/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
+-/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
+-/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
++/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
++
++/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0)
++/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0)
++/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0)
+
+ /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+@@ -10,6 +12,7 @@
+ /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+ /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
++/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+ ifdef(`distro_debian',`
+ /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
+@@ -27,9 +30,23 @@ ifdef(`distro_redhat',`
+ ')
+
+ /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
+-
+-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+-/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
++/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
++
++/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
++
++/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
++
++/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
++/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
++/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+
+ ifdef(`distro_debian',`
+ /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
+diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
+index 77a13a5..9a5a73f 100644
+--- a/policy/modules/system/udev.if
++++ b/policy/modules/system/udev.if
+@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
+ ')
+
+ domtrans_pattern($1, udev_exec_t, udev_t)
++ allow $1 udev_t:process noatsecure;
+ ')
+
+ ########################################
+@@ -88,8 +89,7 @@ interface(`udev_read_state',`
+ ')
+
+ kernel_search_proc($1)
+- allow $1 udev_t:file read_file_perms;
+- allow $1 udev_t:lnk_file read_lnk_file_perms;
++ ps_process_pattern($1, udev_t)
+ ')
+
+ ########################################
+@@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
+ #
+ interface(`udev_dontaudit_search_db',`
+ gen_require(`
+- type udev_tbl_t;
++ type udev_var_run_t;
+ ')
+
+- dontaudit $1 udev_tbl_t:dir search_dir_perms;
++ dontaudit $1 udev_var_run_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -187,25 +187,70 @@ interface(`udev_dontaudit_search_db',`
+ ##
+ #
+ interface(`udev_read_db',`
++ udev_read_pid_files($1)
++')
++
++########################################
++##
++## Allow process to modify list of devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`udev_rw_db',`
+ gen_require(`
+- type udev_tbl_t;
++ type udev_var_run_t;
+ ')
+
+- allow $1 udev_tbl_t:dir list_dir_perms;
++ files_search_pids($1)
++ dev_list_all_dev_nodes($1)
++ rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
++')
+
+- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
+- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
++########################################
++##
++## Allow process to modify relabelto udev database
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`udev_relabelto_db',`
++ gen_require(`
++ type udev_var_run_t;
++ ')
+
+- dev_list_all_dev_nodes($1)
++ files_search_pids($1)
++ allow $1 udev_var_run_t:file relabelto_file_perms;
++')
+
+- files_search_etc($1)
++########################################
++##
++## Relabel the udev sock_file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`udev_relabel_pid_sockfile',`
++ gen_require(`
++ type udev_var_run_t;
++ ')
+
+- udev_search_pids($1)
++ allow $1 udev_var_run_t:sock_file relabel_sock_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Allow process to modify list of devices.
++## Create, read, write, and delete
++## udev pid files.
+ ##
+ ##
+ ##
+@@ -213,13 +258,16 @@ interface(`udev_read_db',`
+ ##
+ ##
+ #
+-interface(`udev_rw_db',`
++interface(`udev_read_pid_files',`
+ gen_require(`
+- type udev_tbl_t;
++ type udev_var_run_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 udev_tbl_t:file rw_file_perms;
++ files_search_pids($1)
++ allow $1 udev_var_run_t:dir list_dir_perms;
++ read_files_pattern($1, udev_var_run_t, udev_var_run_t)
++ read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ ')
+
+ ########################################
+@@ -300,6 +348,84 @@ interface(`udev_manage_pid_files',`
+ type udev_var_run_t;
+ ')
+
+- files_search_var_lib($1)
++ files_search_pids($1)
+ manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ ')
++
++#######################################
++##
++## Execute udev in the udev domain, and
++## allow the specified role the udev domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the iptables domain.
++##
++##
++##
++#
++interface(`udev_run',`
++ gen_require(`
++ type udev_t;
++ ')
++
++ udev_domtrans($1)
++ role $2 types udev_t;
++')
++
++#######################################
++##
++## Allow caller to create kobject uevent socket for udev
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`udev_create_kobject_uevent_socket',`
++ gen_require(`
++ type udev_t;
++ role system_r;
++ ')
++
++ allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
++')
++
++########################################
++##
++## Create a domain for processes
++## which can be started by udev.
++##
++##
++##
++## Type to be used as a domain.
++##
++##
++##
++##
++## Type of the program to be used as an entry point to this domain.
++##
++##
++#
++interface(`udev_system_domain',`
++ gen_require(`
++ type udev_t;
++ role system_r;
++ ')
++
++ domain_type($1)
++ domain_entry_file($1, $2)
++
++ role system_r types $1;
++
++ domtrans_pattern(udev_t, $2, $1)
++
++ dontaudit $1 udev_t:unix_dgram_socket { read write };
++')
++
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index 29075b3..8d185fc 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
+ type udev_etc_t alias etc_udev_t;
+ files_config_file(udev_etc_t)
+
+-type udev_tbl_t alias udev_tdb_t;
+-files_type(udev_tbl_t)
+-
+ type udev_rules_t;
+ files_type(udev_rules_t)
+
+ type udev_var_run_t;
+ files_pid_file(udev_var_run_t)
++typealias udev_var_run_t alias udev_tbl_t;
+
+ ifdef(`enable_mcs',`
+ kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+@@ -36,9 +34,11 @@ ifdef(`enable_mcs',`
+ # Local policy
+ #
+
+-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
++allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
++allow udev_t self:capability2 { block_suspend compromise_kernel };
+ dontaudit udev_t self:capability sys_tty_config;
+-allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++
++allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow udev_t self:process { execmem setfscreate };
+ allow udev_t self:fd use;
+ allow udev_t self:fifo_file rw_fifo_file_perms;
+@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
+ allow udev_t self:unix_stream_socket connectto;
+ allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow udev_t self:rawip_socket create_socket_perms;
++allow udev_t self:netlink_socket create_socket_perms;
+
+ allow udev_t udev_exec_t:file write;
+ can_exec(udev_t, udev_exec_t)
+@@ -62,31 +63,35 @@ can_exec(udev_t, udev_helper_exec_t)
+ # read udev config
+ allow udev_t udev_etc_t:file read_file_perms;
+
+-# create udev database in /dev/.udevdb
+-allow udev_t udev_tbl_t:file manage_file_perms;
+-dev_filetrans(udev_t, udev_tbl_t, file)
+-
+ list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
+-read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
++manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
++manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+
+ manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
++manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+ manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+ manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+-files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
++files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
++allow udev_t udev_var_run_t:file mounton;
++dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
+
++kernel_load_module(udev_t)
+ kernel_read_system_state(udev_t)
+ kernel_request_load_module(udev_t)
+ kernel_getattr_core_if(udev_t)
+ kernel_use_fds(udev_t)
+ kernel_read_device_sysctls(udev_t)
++kernel_read_fs_sysctls(udev_t)
+ kernel_read_hotplug_sysctls(udev_t)
+ kernel_read_modprobe_sysctls(udev_t)
+ kernel_read_kernel_sysctls(udev_t)
+ kernel_rw_hotplug_sysctls(udev_t)
+ kernel_rw_unix_dgram_sockets(udev_t)
+ kernel_dgram_send(udev_t)
+-kernel_signal(udev_t)
+ kernel_search_debugfs(udev_t)
++kernel_setsched(udev_t)
++kernel_stream_connect(udev_t)
++kernel_signal(udev_t)
+
+ #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
+ kernel_rw_net_sysctls(udev_t)
+@@ -97,6 +102,7 @@ corecmd_exec_all_executables(udev_t)
+
+ dev_rw_sysfs(udev_t)
+ dev_manage_all_dev_nodes(udev_t)
++dev_rw_generic_usb_dev(udev_t)
+ dev_rw_generic_files(udev_t)
+ dev_delete_generic_files(udev_t)
+ dev_search_usbfs(udev_t)
+@@ -105,23 +111,31 @@ dev_relabel_all_dev_nodes(udev_t)
+ # preserved, instead of short circuiting the relabel
+ dev_relabel_generic_symlinks(udev_t)
+ dev_manage_generic_symlinks(udev_t)
++dev_filetrans_all_named_dev(udev_t)
+
+ domain_read_all_domains_state(udev_t)
+-domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+
+ files_read_usr_files(udev_t)
+ files_read_etc_runtime_files(udev_t)
+-files_read_etc_files(udev_t)
++files_read_kernel_modules(udev_t)
++files_read_system_conf_files(udev_t)
++
++
++# console_init manages files in /etc/sysconfig
++files_manage_etc_files(udev_t)
+ files_exec_etc_files(udev_t)
++files_exec_usr_files(udev_t)
+ files_dontaudit_search_isid_type_dirs(udev_t)
+ files_getattr_generic_locks(udev_t)
+ files_search_mnt(udev_t)
++files_list_tmp(udev_t)
+
+ fs_getattr_all_fs(udev_t)
+ fs_list_inotifyfs(udev_t)
+ fs_rw_anon_inodefs_files(udev_t)
+-
+-mcs_ptrace_all(udev_t)
++fs_list_auto_mountpoints(udev_t)
++fs_list_hugetlbfs(udev_t)
++fs_read_cgroup_files(udev_t)
+
+ mls_file_read_all_levels(udev_t)
+ mls_file_write_all_levels(udev_t)
+@@ -143,17 +157,20 @@ auth_use_nsswitch(udev_t)
+ init_read_utmp(udev_t)
+ init_dontaudit_write_utmp(udev_t)
+ init_getattr_initctl(udev_t)
++init_stream_connect(udev_t)
+
+ logging_search_logs(udev_t)
+ logging_send_syslog_msg(udev_t)
+ logging_send_audit_msgs(udev_t)
++logging_stream_connect_syslog(udev_t)
+
+-miscfiles_read_localization(udev_t)
+ miscfiles_read_hwdata(udev_t)
+
+ modutils_domtrans_insmod(udev_t)
+ # read modules.inputmap:
+ modutils_read_module_deps(udev_t)
++modutils_list_module_config(udev_t)
++modutils_read_module_config(udev_t)
+
+ seutil_read_config(udev_t)
+ seutil_read_default_contexts(udev_t)
+@@ -169,6 +186,8 @@ sysnet_signal_dhcpc(udev_t)
+ sysnet_manage_config(udev_t)
+ sysnet_etc_filetrans_config(udev_t)
+
++systemd_login_read_pid_files(udev_t)
++
+ userdom_dontaudit_search_user_home_content(udev_t)
+
+ ifdef(`distro_gentoo',`
+@@ -178,16 +197,9 @@ ifdef(`distro_gentoo',`
+ ')
+
+ ifdef(`distro_redhat',`
+- fs_manage_tmpfs_dirs(udev_t)
+- fs_manage_tmpfs_files(udev_t)
+- fs_manage_tmpfs_symlinks(udev_t)
+- fs_manage_tmpfs_sockets(udev_t)
+- fs_manage_tmpfs_blk_files(udev_t)
+- fs_manage_tmpfs_chr_files(udev_t)
+- fs_relabel_tmpfs_blk_file(udev_t)
+- fs_relabel_tmpfs_chr_file(udev_t)
++ fs_manage_hugetlbfs_dirs(udev_t)
+
+- term_search_ptys(udev_t)
++ term_use_generic_ptys(udev_t)
+
+ # for arping used for static IP addresses on PCMCIA ethernet
+ netutils_domtrans(udev_t)
+@@ -216,11 +228,16 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ consolekit_read_pid_files(udev_t)
++')
++
++optional_policy(`
+ consoletype_exec(udev_t)
+ ')
+
+ optional_policy(`
+ cups_domtrans_config(udev_t)
++ cups_read_config(udev_t)
+ ')
+
+ optional_policy(`
+@@ -230,10 +247,20 @@ optional_policy(`
+ optional_policy(`
+ devicekit_read_pid_files(udev_t)
+ devicekit_dgram_send(udev_t)
++ devicekit_domtrans_disk(udev_t)
++')
++
++optional_policy(`
++ gnome_read_home_config(udev_t)
++')
++
++optional_policy(`
++ gpsd_domtrans(udev_t)
+ ')
+
+ optional_policy(`
+ lvm_domtrans(udev_t)
++ lvm_dgram_send(udev_t)
+ ')
+
+ optional_policy(`
+@@ -259,6 +286,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ networkmanager_dbus_chat(udev_t)
++')
++
++optional_policy(`
+ openct_read_pid_files(udev_t)
+ openct_domtrans(udev_t)
+ ')
+@@ -273,6 +304,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ radvd_read_pid_files(udev_t)
++')
++
++optional_policy(`
++ usbmuxd_domtrans(udev_t)
++ usbmuxd_stream_connect(udev_t)
++')
++
++optional_policy(`
+ unconfined_signal(udev_t)
+ ')
+
+@@ -285,6 +325,7 @@ optional_policy(`
+ kernel_read_xen_state(udev_t)
+ xen_manage_log(udev_t)
+ xen_read_image_files(udev_t)
++ xen_stream_connect_xenstore(udev_t)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
+index 0abaf84..8b34dbc 100644
+--- a/policy/modules/system/unconfined.fc
++++ b/policy/modules/system/unconfined.fc
+@@ -1,21 +1 @@
+ # Add programs here which should not be confined by SELinux
+-# e.g.:
+-# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+-# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+-/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+-
+-/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-
+-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-
+-ifdef(`distro_debian',`
+-/usr/bin/gcj-dbtool-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/bin/gij-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/lib/openoffice/program/soffice\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-')
+-
+-ifdef(`distro_gentoo',`
+-/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-')
+diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
+index db7aabb..4012a61 100644
+--- a/policy/modules/system/unconfined.if
++++ b/policy/modules/system/unconfined.if
+@@ -12,53 +12,59 @@
+ #
+ interface(`unconfined_domain_noaudit',`
+ gen_require(`
+- type unconfined_t;
+ class dbus all_dbus_perms;
+ class nscd all_nscd_perms;
+ class passwd all_passwd_perms;
+ ')
+
+- # Use most Linux capabilities
+- allow $1 self:capability ~sys_module;
+- allow $1 self:fifo_file manage_fifo_file_perms;
++ # Use any Linux capability.
++
++ allow $1 self:capability ~{ sys_module };
++ allow $1 self:capability2 ~{ mac_admin mac_override };
++ allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
+
+ # Transition to myself, to make get_ordered_context_list happy.
+- allow $1 self:process transition;
++ allow $1 self:process { dyntransition transition };
+
+ # Write access is for setting attributes under /proc/self/attr.
+ allow $1 self:file rw_file_perms;
++ allow $1 self:dir rw_dir_perms;
+
+ # Userland object managers
+- allow $1 self:nscd *;
+- allow $1 self:dbus *;
+- allow $1 self:passwd *;
+- allow $1 self:association *;
++ allow $1 self:nscd all_nscd_perms;
++ allow $1 self:dbus all_dbus_perms;
++ allow $1 self:passwd all_passwd_perms;
++ allow $1 self:association all_association_perms;
++ allow $1 self:socket_class_set create_socket_perms;
+
+ kernel_unconfined($1)
+ corenet_unconfined($1)
+ dev_unconfined($1)
+ domain_unconfined($1)
+- domain_dontaudit_read_all_domains_state($1)
+- domain_dontaudit_ptrace_all_domains($1)
+ files_unconfined($1)
+ fs_unconfined($1)
+ selinux_unconfined($1)
++ systemd_config_all_services($1)
++
++ domain_mmap_low($1)
++
++ mcs_file_read_all($1)
+
+- tunable_policy(`allow_execheap',`
++ ubac_process_exempt($1)
++
++ tunable_policy(`selinuxuser_execheap',`
+ # Allow making the stack executable via mprotect.
+ allow $1 self:process execheap;
+ ')
+
+- tunable_policy(`allow_execmem',`
++ tunable_policy(`deny_execmem',`',`
+ # Allow making anonymous memory executable, e.g.
+ # for runtime-code generation or executable stack.
+ allow $1 self:process execmem;
+ ')
+
+- tunable_policy(`allow_execstack',`
+- # Allow making the stack executable via mprotect;
+- # execstack implies execmem;
+- allow $1 self:process { execstack execmem };
++ tunable_policy(`selinuxuser_execstack',`
++ allow $1 self:process execstack;
+ # auditallow $1 self:process execstack;
+ ')
+
+@@ -69,6 +75,7 @@ interface(`unconfined_domain_noaudit',`
+ optional_policy(`
+ # Communicate via dbusd.
+ dbus_system_bus_unconfined($1)
++ dbus_unconfined($1)
+ ')
+
+ optional_policy(`
+@@ -122,9 +129,13 @@ interface(`unconfined_domain_noaudit',`
+ ##
+ #
+ interface(`unconfined_domain',`
++ gen_require(`
++ attribute unconfined_services;
++ ')
++
+ unconfined_domain_noaudit($1)
+
+- tunable_policy(`allow_execheap',`
++ tunable_policy(`selinuxuser_execheap',`
+ auditallow $1 self:process execheap;
+ ')
+ ')
+@@ -150,7 +161,7 @@ interface(`unconfined_domain',`
+ ##
+ #
+ interface(`unconfined_alias_domain',`
+- refpolicywarn(`$0($1) has been deprecated.')
++ refpolicywarn(`$0() has been deprecated.')
+ ')
+
+ ########################################
+@@ -176,414 +187,5 @@ interface(`unconfined_alias_domain',`
+ ##
+ #
+ interface(`unconfined_execmem_alias_program',`
+- refpolicywarn(`$0($1) has been deprecated.')
+-')
+-
+-########################################
+-##
+-## Transition to the unconfined domain.
+-##
+-##
+-##
+-## Domain allowed to transition.
+-##
+-##
+-#
+-interface(`unconfined_domtrans',`
+- gen_require(`
+- type unconfined_t, unconfined_exec_t;
+- ')
+-
+- domtrans_pattern($1, unconfined_exec_t, unconfined_t)
+-')
+-
+-########################################
+-##
+-## Execute specified programs in the unconfined domain.
+-##
+-##
+-##
+-## Domain allowed to transition.
+-##
+-##
+-##
+-##
+-## The role to allow the unconfined domain.
+-##
+-##
+-#
+-interface(`unconfined_run',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- unconfined_domtrans($1)
+- role $2 types unconfined_t;
+-')
+-
+-########################################
+-##
+-## Transition to the unconfined domain by executing a shell.
+-##
+-##
+-##
+-## Domain allowed to transition.
+-##
+-##
+-#
+-interface(`unconfined_shell_domtrans',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- corecmd_shell_domtrans($1, unconfined_t)
+- allow unconfined_t $1:fd use;
+- allow unconfined_t $1:fifo_file rw_file_perms;
+- allow unconfined_t $1:process sigchld;
+-')
+-
+-########################################
+-##
+-## Allow unconfined to execute the specified program in
+-## the specified domain.
+-##
+-##
+-##
+-## Allow unconfined to execute the specified program in
+-## the specified domain.
+-##
+-##
+-## This is a interface to support third party modules
+-## and its use is not allowed in upstream reference
+-## policy.
+-##
+-##
+-##
+-##
+-## Domain to execute in.
+-##
+-##
+-##
+-##
+-## Domain entry point file.
+-##
+-##
+-#
+-interface(`unconfined_domtrans_to',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- domtrans_pattern(unconfined_t,$2,$1)
+-')
+-
+-########################################
+-##
+-## Allow unconfined to execute the specified program in
+-## the specified domain. Allow the specified domain the
+-## unconfined role and use of unconfined user terminals.
+-##
+-##
+-##
+-## Allow unconfined to execute the specified program in
+-## the specified domain. Allow the specified domain the
+-## unconfined role and use of unconfined user terminals.
+-##
+-##
+-## This is a interface to support third party modules
+-## and its use is not allowed in upstream reference
+-## policy.
+-##
+-##
+-##
+-##
+-## Domain to execute in.
+-##
+-##
+-##
+-##
+-## Domain entry point file.
+-##
+-##
+-#
+-interface(`unconfined_run_to',`
+- gen_require(`
+- type unconfined_t;
+- role unconfined_r;
+- ')
+-
+- domtrans_pattern(unconfined_t,$2,$1)
+- role unconfined_r types $1;
+- userdom_use_user_terminals($1)
+-')
+-
+-########################################
+-##
+-## Inherit file descriptors from the unconfined domain.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_use_fds',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:fd use;
+-')
+-
+-########################################
+-##
+-## Send a SIGCHLD signal to the unconfined domain.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_sigchld',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:process sigchld;
+-')
+-
+-########################################
+-##
+-## Send a SIGNULL signal to the unconfined domain.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_signull',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:process signull;
+-')
+-
+-########################################
+-##
+-## Send generic signals to the unconfined domain.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_signal',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:process signal;
+-')
+-
+-########################################
+-##
+-## Read unconfined domain unnamed pipes.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_read_pipes',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:fifo_file read_fifo_file_perms;
+-')
+-
+-########################################
+-##
+-## Do not audit attempts to read unconfined domain unnamed pipes.
+-##
+-##
+-##
+-## Domain to not audit.
+-##
+-##
+-#
+-interface(`unconfined_dontaudit_read_pipes',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- dontaudit $1 unconfined_t:fifo_file read;
+-')
+-
+-########################################
+-##
+-## Read and write unconfined domain unnamed pipes.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_rw_pipes',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
+-')
+-
+-########################################
+-##
+-## Do not audit attempts to read and write
+-## unconfined domain unnamed pipes.
+-##
+-##
+-##
+-## Domain to not audit.
+-##
+-##
+-#
+-interface(`unconfined_dontaudit_rw_pipes',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- dontaudit $1 unconfined_t:fifo_file rw_file_perms;
+-')
+-
+-########################################
+-##
+-## Connect to the unconfined domain using
+-## a unix domain stream socket.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_stream_connect',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:unix_stream_socket connectto;
+-')
+-
+-########################################
+-##
+-## Do not audit attempts to read or write
+-## unconfined domain tcp sockets.
+-##
+-##
+-##
+-## Do not audit attempts to read or write
+-## unconfined domain tcp sockets.
+-##
+-##
+-## This interface was added due to a broken
+-## symptom in ldconfig.
+-##
+-##
+-##
+-##
+-## Domain to not audit.
+-##
+-##
+-#
+-interface(`unconfined_dontaudit_rw_tcp_sockets',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- dontaudit $1 unconfined_t:tcp_socket { read write };
+-')
+-
+-########################################
+-##
+-## Create keys for the unconfined domain.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_create_keys',`
+- gen_require(`
+- type unconfined_t;
+- ')
+-
+- allow $1 unconfined_t:key create;
+-')
+-
+-########################################
+-##
+-## Send messages to the unconfined domain over dbus.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_dbus_send',`
+- gen_require(`
+- type unconfined_t;
+- class dbus send_msg;
+- ')
+-
+- allow $1 unconfined_t:dbus send_msg;
+-')
+-
+-########################################
+-##
+-## Send and receive messages from
+-## unconfined_t over dbus.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_dbus_chat',`
+- gen_require(`
+- type unconfined_t;
+- class dbus send_msg;
+- ')
+-
+- allow $1 unconfined_t:dbus send_msg;
+- allow unconfined_t $1:dbus send_msg;
+-')
+-
+-########################################
+-##
+-## Connect to the the unconfined DBUS
+-## for service (acquire_svc).
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`unconfined_dbus_connect',`
+- gen_require(`
+- type unconfined_t;
+- class dbus acquire_svc;
+- ')
+-
+- allow $1 unconfined_t:dbus acquire_svc;
++ refpolicywarn(`$0() has been deprecated.')
+ ')
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 0280b32..61f19e9 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -4,237 +4,4 @@ policy_module(unconfined, 3.5.0)
+ #
+ # Declarations
+ #
+-
+-# usage in this module of types created by these
+-# calls is not correct, however we dont currently
+-# have another method to add access to these types
+-userdom_base_user_template(unconfined)
+-userdom_manage_home_role(unconfined_r, unconfined_t)
+-userdom_manage_tmp_role(unconfined_r, unconfined_t)
+-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
+-
+-type unconfined_exec_t;
+-init_system_domain(unconfined_t, unconfined_exec_t)
+-
+-type unconfined_execmem_t;
+-type unconfined_execmem_exec_t;
+-init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+-role unconfined_r types unconfined_execmem_t;
+-
+-########################################
+-#
+-# Local policy
+-#
+-
+-domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
+-
+-files_create_boot_flag(unconfined_t)
+-
+-mcs_killall(unconfined_t)
+-mcs_ptrace_all(unconfined_t)
+-
+-init_run_daemon(unconfined_t, unconfined_r)
+-
+-libs_run_ldconfig(unconfined_t, unconfined_r)
+-
+-logging_send_syslog_msg(unconfined_t)
+-logging_run_auditctl(unconfined_t, unconfined_r)
+-
+-mount_run_unconfined(unconfined_t, unconfined_r)
+-
+-seutil_run_setfiles(unconfined_t, unconfined_r)
+-seutil_run_semanage(unconfined_t, unconfined_r)
+-
+-unconfined_domain(unconfined_t)
+-
+-userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
+-
+-ifdef(`distro_gentoo',`
+- seutil_run_runinit(unconfined_t, unconfined_r)
+- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- ada_domtrans(unconfined_t)
+-')
+-
+-optional_policy(`
+- apache_run_helper(unconfined_t, unconfined_r)
+- apache_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
+- bind_run_ndc(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- bootloader_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- cron_unconfined_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
+- init_dbus_chat_script(unconfined_t)
+-
+- dbus_stub(unconfined_t)
+-
+- optional_policy(`
+- avahi_dbus_chat(unconfined_t)
+- ')
+-
+- optional_policy(`
+- bluetooth_dbus_chat(unconfined_t)
+- ')
+-
+- optional_policy(`
+- consolekit_dbus_chat(unconfined_t)
+- ')
+-
+- optional_policy(`
+- cups_dbus_chat_config(unconfined_t)
+- ')
+-
+- optional_policy(`
+- hal_dbus_chat(unconfined_t)
+- ')
+-
+- optional_policy(`
+- networkmanager_dbus_chat(unconfined_t)
+- ')
+-
+- optional_policy(`
+- oddjob_dbus_chat(unconfined_t)
+- ')
+-')
+-
+-optional_policy(`
+- firstboot_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- ftp_run_ftpdctl(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- hadoop_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
+- inn_domtrans(unconfined_t)
+-')
+-
+-optional_policy(`
+- java_run_unconfined(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- lpd_run_checkpc(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- modutils_run_update_mods(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- mono_domtrans(unconfined_t)
+-')
+-
+-optional_policy(`
+- mta_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
+- oddjob_domtrans_mkhomedir(unconfined_t)
+-')
+-
+-optional_policy(`
+- portage_run(unconfined_t, unconfined_r)
+- portage_run_fetch(unconfined_t, unconfined_r)
+- portage_run_gcc_config(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- prelink_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- portmap_run_helper(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- postfix_run_map(unconfined_t, unconfined_r)
+- # cjp: this should probably be removed:
+- postfix_domtrans_master(unconfined_t)
+-')
+-
+-optional_policy(`
+- pyzor_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
+- # cjp: this should probably be removed:
+- rpc_domtrans_nfsd(unconfined_t)
+-')
+-
+-optional_policy(`
+- rpm_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- samba_run_net(unconfined_t, unconfined_r)
+- samba_run_winbind_helper(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- spamassassin_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
+- sysnet_run_dhcpc(unconfined_t, unconfined_r)
+- sysnet_dbus_chat_dhcpc(unconfined_t)
+-')
+-
+-optional_policy(`
+- tzdata_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- usermanage_run_admin_passwd(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- vpn_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- webalizer_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- wine_domtrans(unconfined_t)
+-')
+-
+-optional_policy(`
+- xserver_domtrans(unconfined_t)
+-')
+-
+-########################################
+-#
+-# Unconfined Execmem Local policy
+-#
+-
+-allow unconfined_execmem_t self:process { execstack execmem };
+-unconfined_domain_noaudit(unconfined_execmem_t)
+-
+-optional_policy(`
+- dbus_stub(unconfined_execmem_t)
+-
+- init_dbus_chat_script(unconfined_execmem_t)
+- unconfined_dbus_chat(unconfined_execmem_t)
+-
+- optional_policy(`
+- hal_dbus_chat(unconfined_execmem_t)
+- ')
+-')
++attribute unconfined_services;
+diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
+index db75976..65191bd 100644
+--- a/policy/modules/system/userdomain.fc
++++ b/policy/modules/system/userdomain.fc
+@@ -1,4 +1,21 @@
+ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
++HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+ HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+-
+ /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
++/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
++/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++/root/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++/root/\.debug(/.*)? <>
++/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
++/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
++HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
++HOME_DIR/\.local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
++HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
++HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
++HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++HOME_DIR/\.gvfs/.* <>
++HOME_DIR/\.debug(/.*)? <>
++
++/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index e720dcd..53ea674 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
+ ')
+
+ attribute $1_file_type;
++ attribute $1_usertype;
+
+- type $1_t, userdomain;
++ type $1_t, userdomain, $1_usertype;
+ domain_type($1_t)
++ role $1_r;
+ corecmd_shell_entry_type($1_t)
+ corecmd_bin_entry_type($1_t)
+ domain_user_exemption_target($1_t)
+@@ -44,79 +46,131 @@ template(`userdom_base_user_template',`
+ term_user_pty($1_t, user_devpts_t)
+
+ term_user_tty($1_t, user_tty_device_t)
+-
+- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
+- allow $1_t self:fd use;
+- allow $1_t self:fifo_file rw_fifo_file_perms;
+- allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
+- allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
+- allow $1_t self:shm create_shm_perms;
+- allow $1_t self:sem create_sem_perms;
+- allow $1_t self:msgq create_msgq_perms;
+- allow $1_t self:msg { send receive };
+- allow $1_t self:context contains;
+- dontaudit $1_t self:socket create;
+-
+- allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
+- term_create_pty($1_t, user_devpts_t)
++ term_dontaudit_getattr_generic_ptys($1_t)
++
++ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
++ tunable_policy(`deny_ptrace',`',`
++ allow $1_usertype $1_usertype:process ptrace;
++ ')
++ allow $1_usertype $1_usertype:fd use;
++ allow $1_usertype $1_t:key { create view read write search link setattr };
++
++ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
++ allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
++ allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
++ allow $1_usertype $1_usertype:shm create_shm_perms;
++ allow $1_usertype $1_usertype:sem create_sem_perms;
++ allow $1_usertype $1_usertype:msgq create_msgq_perms;
++ allow $1_usertype $1_usertype:msg { send receive };
++ allow $1_usertype $1_usertype:context contains;
++ dontaudit $1_usertype $1_usertype:socket create;
++
++ allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
++ term_create_pty($1_usertype, user_devpts_t)
+ # avoid annoying messages on terminal hangup on role change
+- dontaudit $1_t user_devpts_t:chr_file ioctl;
++ dontaudit $1_usertype user_devpts_t:chr_file ioctl;
+
+- allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
++ allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
+ # avoid annoying messages on terminal hangup on role change
+- dontaudit $1_t user_tty_device_t:chr_file ioctl;
+-
+- kernel_read_kernel_sysctls($1_t)
+- kernel_dontaudit_list_unlabeled($1_t)
+- kernel_dontaudit_getattr_unlabeled_files($1_t)
+- kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
+- kernel_dontaudit_getattr_unlabeled_pipes($1_t)
+- kernel_dontaudit_getattr_unlabeled_sockets($1_t)
+- kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
+- kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
+-
+- dev_dontaudit_getattr_all_blk_files($1_t)
+- dev_dontaudit_getattr_all_chr_files($1_t)
++ dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
++
++ application_exec_all($1_usertype)
++
++ kernel_read_kernel_sysctls($1_usertype)
++ kernel_read_all_sysctls($1_usertype)
++ kernel_dontaudit_list_unlabeled($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_files($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
++ kernel_dontaudit_list_proc($1_usertype)
++
++ dev_dontaudit_getattr_all_blk_files($1_usertype)
++ dev_dontaudit_getattr_all_chr_files($1_usertype)
++ dev_getattr_mtrr_dev($1_t)
+
+ # When the user domain runs ps, there will be a number of access
+ # denials when ps tries to search /proc. Do not audit these denials.
+- domain_dontaudit_read_all_domains_state($1_t)
+- domain_dontaudit_getattr_all_domains($1_t)
+- domain_dontaudit_getsession_all_domains($1_t)
+-
+- files_read_etc_files($1_t)
+- files_read_etc_runtime_files($1_t)
+- files_read_usr_files($1_t)
++ domain_dontaudit_read_all_domains_state($1_usertype)
++ domain_dontaudit_getattr_all_domains($1_usertype)
++ domain_dontaudit_getsession_all_domains($1_usertype)
++ dev_dontaudit_all_access_check($1_usertype)
++
++ files_read_etc_files($1_usertype)
++ files_list_mnt($1_usertype)
++ files_list_var($1_usertype)
++ files_read_mnt_files($1_usertype)
++ files_dontaudit_access_check_mnt($1_usertype)
++ files_read_etc_runtime_files($1_usertype)
++ files_read_usr_files($1_usertype)
++ files_read_usr_src_files($1_usertype)
+ # Read directories and files with the readable_t type.
+ # This type is a general type for "world"-readable files.
+- files_list_world_readable($1_t)
+- files_read_world_readable_files($1_t)
+- files_read_world_readable_symlinks($1_t)
+- files_read_world_readable_pipes($1_t)
+- files_read_world_readable_sockets($1_t)
++ files_list_world_readable($1_usertype)
++ files_read_world_readable_files($1_usertype)
++ files_read_world_readable_symlinks($1_usertype)
++ files_read_world_readable_pipes($1_usertype)
++ files_read_world_readable_sockets($1_usertype)
+ # old broswer_domain():
+- files_dontaudit_list_non_security($1_t)
+- files_dontaudit_getattr_non_security_files($1_t)
+- files_dontaudit_getattr_non_security_symlinks($1_t)
+- files_dontaudit_getattr_non_security_pipes($1_t)
+- files_dontaudit_getattr_non_security_sockets($1_t)
++ files_dontaudit_getattr_all_dirs($1_usertype)
++ files_dontaudit_list_non_security($1_usertype)
++ files_dontaudit_getattr_all_files($1_usertype)
++ files_dontaudit_getattr_non_security_symlinks($1_usertype)
++ files_dontaudit_getattr_non_security_pipes($1_usertype)
++ files_dontaudit_getattr_non_security_sockets($1_usertype)
++ files_dontaudit_setattr_etc_runtime_files($1_usertype)
++
++ files_exec_usr_files($1_t)
++
++ fs_list_cgroup_dirs($1_usertype)
++ fs_dontaudit_rw_cgroup_files($1_usertype)
++
++ storage_rw_fuse($1_usertype)
++
++ auth_use_nsswitch($1_t)
++
++ init_stream_connect($1_usertype)
++ # The library functions always try to open read-write first,
++ # then fall back to read-only if it fails.
++ init_dontaudit_rw_utmp($1_usertype)
+
+- libs_exec_ld_so($1_t)
++ libs_exec_ld_so($1_usertype)
+
+- miscfiles_read_localization($1_t)
+ miscfiles_read_generic_certs($1_t)
+
+- sysnet_read_config($1_t)
++ miscfiles_read_all_certs($1_usertype)
++ miscfiles_read_public_files($1_usertype)
+
+- tunable_policy(`allow_execmem',`
++ systemd_dbus_chat_logind($1_usertype)
++ systemd_read_logind_sessions_files($1_usertype)
++ systemd_write_inhibit_pipes($1_usertype)
++ systemd_write_inherited_logind_sessions_pipes($1_usertype)
++
++ tunable_policy(`deny_execmem',`', `
+ # Allow loading DSOs that require executable stack.
+ allow $1_t self:process execmem;
+ ')
+
+- tunable_policy(`allow_execmem && allow_execstack',`
++ tunable_policy(`selinuxuser_execstack',`
+ # Allow making the stack executable via mprotect.
+ allow $1_t self:process execstack;
+ ')
++
++ optional_policy(`
++ abrt_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ fs_list_cgroup_dirs($1_usertype)
++ ')
++
++ optional_policy(`
++ ssh_rw_stream_sockets($1_usertype)
++ ssh_delete_tmp($1_t)
++ ssh_signal($1_t)
++ ')
+ ')
+
+ #######################################
+@@ -150,6 +204,8 @@ interface(`userdom_ro_home_role',`
+ type user_home_t, user_home_dir_t;
+ ')
+
++ role $1 types { user_home_t user_home_dir_t };
++
+ ##############################
+ #
+ # Domain access to home dir
+@@ -167,27 +223,6 @@ interface(`userdom_ro_home_role',`
+ read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ files_list_home($2)
+
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_list_nfs($2)
+- fs_read_nfs_files($2)
+- fs_read_nfs_symlinks($2)
+- fs_read_nfs_named_sockets($2)
+- fs_read_nfs_named_pipes($2)
+- ',`
+- fs_dontaudit_list_nfs($2)
+- fs_dontaudit_read_nfs_files($2)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_list_cifs($2)
+- fs_read_cifs_files($2)
+- fs_read_cifs_symlinks($2)
+- fs_read_cifs_named_sockets($2)
+- fs_read_cifs_named_pipes($2)
+- ',`
+- fs_dontaudit_list_cifs($2)
+- fs_dontaudit_read_cifs_files($2)
+- ')
+ ')
+
+ #######################################
+@@ -219,8 +254,11 @@ interface(`userdom_ro_home_role',`
+ interface(`userdom_manage_home_role',`
+ gen_require(`
+ type user_home_t, user_home_dir_t;
++ attribute user_home_type;
+ ')
+
++ role $1 types { user_home_type user_home_dir_t };
++
+ ##############################
+ #
+ # Domain access to home dir
+@@ -229,43 +267,47 @@ interface(`userdom_manage_home_role',`
+ type_member $2 user_home_dir_t:dir user_home_dir_t;
+
+ # full control of the home directory
++ allow $2 user_home_t:dir mounton;
+ allow $2 user_home_t:file entrypoint;
+- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
++
++ allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
++ allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
++ manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
++ userdom_filetrans_home_content($2)
++
+ files_list_home($2)
+
+ # cjp: this should probably be removed:
+ allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+
+ tunable_policy(`use_nfs_home_dirs',`
++ fs_mount_nfs($2)
++ fs_mounton_nfs($2)
+ fs_manage_nfs_dirs($2)
+ fs_manage_nfs_files($2)
+ fs_manage_nfs_symlinks($2)
+ fs_manage_nfs_named_sockets($2)
+ fs_manage_nfs_named_pipes($2)
+- ',`
+- fs_dontaudit_manage_nfs_dirs($2)
+- fs_dontaudit_manage_nfs_files($2)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
++ fs_mount_cifs($2)
++ fs_mounton_cifs($2)
+ fs_manage_cifs_dirs($2)
+ fs_manage_cifs_files($2)
+ fs_manage_cifs_symlinks($2)
+ fs_manage_cifs_named_sockets($2)
+ fs_manage_cifs_named_pipes($2)
+- ',`
+- fs_dontaudit_manage_cifs_dirs($2)
+- fs_dontaudit_manage_cifs_files($2)
+ ')
+ ')
+
+@@ -273,6 +315,25 @@ interface(`userdom_manage_home_role',`
+ ##
+ ## Manage user temporary files
+ ##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_manage_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file manage_file_perms;
++')
++
++#######################################
++##
++## Manage user temporary files
++##
+ ##
+ ##
+ ## Role allowed access.
+@@ -287,17 +348,64 @@ interface(`userdom_manage_home_role',`
+ #
+ interface(`userdom_manage_tmp_role',`
+ gen_require(`
++ attribute user_tmp_type;
+ type user_tmp_t;
+ ')
+
++ role $1 types user_tmp_t;
++
+ files_poly_member_tmp($2, user_tmp_t)
+
+- manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
+- manage_files_pattern($2, user_tmp_t, user_tmp_t)
+- manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
+- manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
+- manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
++ allow $2 user_tmp_type:dir mounton;
++ manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
++ manage_files_pattern($2, user_tmp_type, user_tmp_type)
++ manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
++ manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
++ manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
+ files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
++ relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
++ relabel_files_pattern($2, user_tmp_type, user_tmp_type)
++ relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
++ relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type)
++ relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
++')
++
++#######################################
++##
++## Dontaudit search of user bin dirs.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_search_user_bin_dirs',`
++ gen_require(`
++ type home_bin_t;
++ ')
++
++ dontaudit $1 home_bin_t:dir search_dir_perms;
++')
++
++#######################################
++##
++## Execute user bin files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_exec_user_bin_files',`
++ gen_require(`
++ attribute user_home_type;
++ type home_bin_t, user_home_dir_t;
++ ')
++
++ exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
++ files_search_home($1)
+ ')
+
+ #######################################
+@@ -317,11 +425,31 @@ interface(`userdom_exec_user_tmp_files',`
+ ')
+
+ exec_files_pattern($1, user_tmp_t, user_tmp_t)
++ dontaudit $1 user_tmp_t:sock_file execute;
+ files_search_tmp($1)
+ ')
+
+ #######################################
+ ##
++## Manage user temporary file system files
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_manage_tmpfs_files',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ allow $1 user_tmpfs_t:file manage_file_perms;
++')
++
++#######################################
++##
+ ## Role access for the user tmpfs type
+ ## that the user has full access.
+ ##
+@@ -348,59 +476,60 @@ interface(`userdom_exec_user_tmp_files',`
+ #
+ interface(`userdom_manage_tmpfs_role',`
+ gen_require(`
++ attribute user_tmpfs_type;
+ type user_tmpfs_t;
+ ')
+
+- manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
+- manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+- manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+- manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+- manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
++ role $1 types user_tmpfs_t;
++
++ manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
++ manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
++ manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
++ manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
++ manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++ relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
++ relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
++ relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
++ relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
++ relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+ ')
+
+ #######################################
+ ##
+-## The template allowing the user basic
++## The interface allowing the user basic
+ ## network permissions
+ ##
+-##
++##
+ ##
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
++## The user domain
+ ##
+ ##
+ ##
+ #
+-template(`userdom_basic_networking_template',`
+- gen_require(`
+- type $1_t;
+- ')
+-
+- allow $1_t self:tcp_socket create_stream_socket_perms;
+- allow $1_t self:udp_socket create_socket_perms;
++interface(`userdom_basic_networking',`
+
+- corenet_all_recvfrom_unlabeled($1_t)
+- corenet_all_recvfrom_netlabel($1_t)
+- corenet_tcp_sendrecv_generic_if($1_t)
+- corenet_udp_sendrecv_generic_if($1_t)
+- corenet_tcp_sendrecv_generic_node($1_t)
+- corenet_udp_sendrecv_generic_node($1_t)
+- corenet_tcp_sendrecv_all_ports($1_t)
+- corenet_udp_sendrecv_all_ports($1_t)
+- corenet_tcp_connect_all_ports($1_t)
+- corenet_sendrecv_all_client_packets($1_t)
++ allow $1 self:tcp_socket create_stream_socket_perms;
++ allow $1 self:udp_socket create_socket_perms;
+
+- corenet_all_recvfrom_labeled($1_t, $1_t)
++ corenet_tcp_sendrecv_generic_if($1)
++ corenet_udp_sendrecv_generic_if($1)
++ corenet_tcp_sendrecv_generic_node($1)
++ corenet_udp_sendrecv_generic_node($1)
++ corenet_tcp_sendrecv_all_ports($1)
++ corenet_udp_sendrecv_all_ports($1)
++ corenet_tcp_connect_all_ports($1)
++ corenet_sendrecv_all_client_packets($1)
+
+ optional_policy(`
+- init_tcp_recvfrom_all_daemons($1_t)
+- init_udp_recvfrom_all_daemons($1_t)
++ init_tcp_recvfrom_all_daemons($1)
++ init_udp_recvfrom_all_daemons($1)
+ ')
+
+ optional_policy(`
+- ipsec_match_default_spd($1_t)
++ ipsec_match_default_spd($1)
+ ')
++
+ ')
+
+ #######################################
+@@ -431,6 +560,7 @@ template(`userdom_xwindows_client_template',`
+ dev_dontaudit_rw_dri($1_t)
+ # GNOME checks for usb and other devices:
+ dev_rw_usbfs($1_t)
++ dev_rw_generic_usb_dev($1_t)
+
+ xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
+ xserver_xsession_entry_type($1_t)
+@@ -463,8 +593,8 @@ template(`userdom_change_password_template',`
+ ')
+
+ optional_policy(`
+- usermanage_run_chfn($1_t, $1_r)
+- usermanage_run_passwd($1_t, $1_r)
++ usermanage_run_chfn($1_t,$1_r)
++ usermanage_run_passwd($1_t,$1_r)
+ ')
+ ')
+
+@@ -491,7 +621,8 @@ template(`userdom_common_user_template',`
+ attribute unpriv_userdomain;
+ ')
+
+- userdom_basic_networking_template($1)
++ userdom_basic_networking($1_usertype)
++ corenet_all_recvfrom_netlabel($1_t)
+
+ ##############################
+ #
+@@ -501,41 +632,51 @@ template(`userdom_common_user_template',`
+ # evolution and gnome-session try to create a netlink socket
+ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
++ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
++ allow $1_t self:socket create_socket_perms;
+
+- allow $1_t unpriv_userdomain:fd use;
++ allow $1_usertype unpriv_userdomain:fd use;
+
+ kernel_read_system_state($1_t)
+- kernel_read_network_state($1_t)
+- kernel_read_net_sysctls($1_t)
++ kernel_read_network_state($1_usertype)
++ kernel_read_software_raid_state($1_usertype)
++ kernel_read_net_sysctls($1_usertype)
+ # Very permissive allowing every domain to see every type:
+- kernel_get_sysvipc_info($1_t)
++ kernel_get_sysvipc_info($1_usertype)
+ # Find CDROM devices:
+- kernel_read_device_sysctls($1_t)
++ kernel_read_device_sysctls($1_usertype)
++ kernel_request_load_module($1_usertype)
+
+- corecmd_exec_bin($1_t)
++ corenet_udp_bind_generic_node($1_usertype)
++ corenet_udp_bind_generic_port($1_usertype)
+
+- corenet_udp_bind_generic_node($1_t)
+- corenet_udp_bind_generic_port($1_t)
++ dev_read_rand($1_usertype)
++ dev_write_sound($1_usertype)
++ dev_read_sound($1_usertype)
++ dev_read_sound_mixer($1_usertype)
++ dev_write_sound_mixer($1_usertype)
+
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
+-
+- files_exec_etc_files($1_t)
+- files_search_locks($1_t)
++ files_exec_etc_files($1_usertype)
++ files_search_locks($1_usertype)
+ # Check to see if cdrom is mounted
+- files_search_mnt($1_t)
++ files_search_mnt($1_usertype)
+ # cjp: perhaps should cut back on file reads:
+- files_read_var_files($1_t)
+- files_read_var_symlinks($1_t)
+- files_read_generic_spool($1_t)
+- files_read_var_lib_files($1_t)
++ files_read_var_files($1_usertype)
++ files_read_var_symlinks($1_usertype)
++ files_read_generic_spool($1_usertype)
++ files_read_var_lib_files($1_usertype)
+ # Stat lost+found.
+- files_getattr_lost_found_dirs($1_t)
++ files_getattr_lost_found_dirs($1_usertype)
++ files_read_config_files($1_usertype)
++ fs_read_noxattr_fs_files($1_usertype)
++ fs_read_noxattr_fs_symlinks($1_usertype)
++ fs_rw_cgroup_files($1_usertype)
++
++ application_getattr_socket($1_usertype)
+
+- fs_rw_cgroup_files($1_t)
++ logging_send_syslog_msg($1_t)
++
++ selinux_get_enforce_mode($1_t)
+
+ # cjp: some of this probably can be removed
+ selinux_get_fs_mount($1_t)
+@@ -546,100 +687,140 @@ template(`userdom_common_user_template',`
+ selinux_compute_user_contexts($1_t)
+
+ # for eject
+- storage_getattr_fixed_disk_dev($1_t)
++ storage_getattr_fixed_disk_dev($1_usertype)
+
+- auth_use_nsswitch($1_t)
+- auth_read_login_records($1_t)
+- auth_search_pam_console_data($1_t)
+- auth_run_pam($1_t, $1_r)
+- auth_run_utempter($1_t, $1_r)
++ auth_read_login_records($1_usertype)
++ auth_run_pam_timestamp($1_t,$1_r)
++ auth_run_utempter($1_t,$1_r)
++ auth_filetrans_admin_home_content($1_t)
++ auth_filetrans_home_content($1_t)
+
+- init_read_utmp($1_t)
++ init_read_utmp($1_usertype)
+
+- seutil_read_file_contexts($1_t)
+- seutil_read_default_contexts($1_t)
+- seutil_run_newrole($1_t, $1_r)
++ seutil_read_file_contexts($1_usertype)
++ seutil_read_default_contexts($1_usertype)
++ seutil_run_newrole($1_t,$1_r)
+ seutil_exec_checkpolicy($1_t)
+- seutil_exec_setfiles($1_t)
++ seutil_exec_setfiles($1_usertype)
+ # for when the network connection is killed
+ # this is needed when a login role can change
+ # to this one.
+ seutil_dontaudit_signal_newrole($1_t)
+
+- tunable_policy(`user_direct_mouse',`
+- dev_read_mouse($1_t)
+- ')
++ term_getattr_all_ttys($1_t)
+
+- tunable_policy(`user_ttyfile_stat',`
+- term_getattr_all_ttys($1_t)
++ optional_policy(`
++ # Allow graphical boot to check battery lifespan
++ apm_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+- alsa_manage_home_files($1_t)
+- alsa_read_rw_config($1_t)
+- alsa_relabel_home_files($1_t)
++ canna_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+- # Allow graphical boot to check battery lifespan
+- apm_stream_connect($1_t)
++ chrome_role($1_r, $1_usertype)
+ ')
+
+ optional_policy(`
+- canna_stream_connect($1_t)
++ colord_read_lib_files($1_usertype)
+ ')
+
+ optional_policy(`
+- dbus_system_bus_client($1_t)
++ dbus_system_bus_client($1_usertype)
++
++ allow $1_usertype $1_usertype:dbus send_msg;
+
+ optional_policy(`
+- bluetooth_dbus_chat($1_t)
++ avahi_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+- evolution_dbus_chat($1_t)
+- evolution_alarm_dbus_chat($1_t)
++ policykit_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+- cups_dbus_chat_config($1_t)
++ bluetooth_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+- hal_dbus_chat($1_t)
++ consolekit_dbus_chat($1_usertype)
++ consolekit_read_log($1_usertype)
+ ')
+
+ optional_policy(`
+- networkmanager_dbus_chat($1_t)
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
+ ')
++
++ optional_policy(`
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ gnome_dbus_chat_gconfdefault($1_usertype)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ kde_dbus_chat_backlighthelper($1_usertype)
++ ')
++
++ optional_policy(`
++ modemmanager_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_lib_files($1_usertype)
++ ')
++
++ optional_policy(`
++ vpn_dbus_chat($1_usertype)
++ ')
++ ')
++
++ optional_policy(`
++ git_session_role($1_r, $1_usertype)
+ ')
+
+ optional_policy(`
+- inetd_use_fds($1_t)
+- inetd_rw_tcp_sockets($1_t)
++ inetd_use_fds($1_usertype)
++ inetd_rw_tcp_sockets($1_usertype)
+ ')
+
+ optional_policy(`
+- inn_read_config($1_t)
+- inn_read_news_lib($1_t)
+- inn_read_news_spool($1_t)
++ inn_read_config($1_usertype)
++ inn_read_news_lib($1_usertype)
++ inn_read_news_spool($1_usertype)
+ ')
+
+ optional_policy(`
+- locate_read_lib_files($1_t)
++ lircd_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ locate_read_lib_files($1_usertype)
+ ')
+
+ # for running depmod as part of the kernel packaging process
+ optional_policy(`
+- modutils_read_module_config($1_t)
++ modutils_read_module_config($1_usertype)
+ ')
+
+ optional_policy(`
+- mta_rw_spool($1_t)
++ mta_rw_spool($1_usertype)
++ mta_manage_queue($1_usertype)
++ mta_filetrans_home_content($1_usertype)
+ ')
+
+ optional_policy(`
+- tunable_policy(`allow_user_mysql_connect',`
++ tunable_policy(`selinuxuser_mysql_connect_enabled',`
+ mysql_stream_connect($1_t)
+ ')
+ ')
+@@ -651,40 +832,52 @@ template(`userdom_common_user_template',`
+
+ optional_policy(`
+ # to allow monitoring of pcmcia status
+- pcmcia_read_pid($1_t)
++ pcmcia_read_pid($1_usertype)
+ ')
+
+ optional_policy(`
+- pcscd_read_pub_files($1_t)
+- pcscd_stream_connect($1_t)
++ pcscd_read_pub_files($1_usertype)
++ pcscd_stream_connect($1_usertype)
+ ')
+
+ optional_policy(`
+- tunable_policy(`allow_user_postgresql_connect',`
+- postgresql_stream_connect($1_t)
+- postgresql_tcp_connect($1_t)
++ tunable_policy(`selinuxuser_postgresql_connect_enabled',`
++ postgresql_stream_connect($1_usertype)
++ postgresql_tcp_connect($1_usertype)
+ ')
+ ')
+
+ optional_policy(`
+- resmgr_stream_connect($1_t)
++ resmgr_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ rpc_dontaudit_getattr_exports($1_usertype)
++ rpc_manage_nfs_rw_content($1_usertype)
++ ')
++
++ optional_policy(`
++ rpcbind_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ samba_stream_connect_winbind($1_usertype)
+ ')
+
+ optional_policy(`
+- rpc_dontaudit_getattr_exports($1_t)
+- rpc_manage_nfs_rw_content($1_t)
++ sandbox_transition($1_usertype, $1_r)
+ ')
+
+ optional_policy(`
+- samba_stream_connect_winbind($1_t)
++ seunshare_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+- slrnpull_search_spool($1_t)
++ slrnpull_search_spool($1_usertype)
+ ')
+
+ optional_policy(`
+- usernetctl_run($1_t, $1_r)
++ thumb_role($1_r, $1_usertype)
+ ')
+ ')
+
+@@ -709,17 +902,33 @@ template(`userdom_common_user_template',`
+ template(`userdom_login_user_template', `
+ gen_require(`
+ class context contains;
++ attribute login_userdomain;
+ ')
+
+ userdom_base_user_template($1)
+
+- userdom_manage_home_role($1_r, $1_t)
++ typeattribute $1_t login_userdomain;
+
+- userdom_manage_tmp_role($1_r, $1_t)
+- userdom_manage_tmpfs_role($1_r, $1_t)
++ userdom_manage_home_role($1_r, $1_usertype)
++
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
++
++ ifelse(`$1',`unconfined',`',`
++ gen_tunable($1_exec_content, true)
++
++ tunable_policy(`$1_exec_content',`
++ userdom_exec_user_tmp_files($1_usertype)
++ userdom_exec_user_home_content_files($1_usertype)
++ ')
++ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
++ fs_exec_nfs_files($1_usertype)
++ ')
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
++ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
++ fs_exec_cifs_files($1_usertype)
++ ')
++ ')
+
+ userdom_change_password_template($1)
+
+@@ -727,82 +936,100 @@ template(`userdom_login_user_template', `
+ #
+ # User domain Local policy
+ #
+-
+- allow $1_t self:capability { setgid chown fowner };
+ dontaudit $1_t self:capability { sys_nice fsetid };
++ allow $1_t self:process ~{ ptrace execmem execstack execheap };
++
++ tunable_policy(`selinuxuser_use_ssh_chroot',`
++ allow $1_t self:capability { setuid sys_chroot };
++ ')
+
+- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
+ dontaudit $1_t self:process setrlimit;
+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
++ domain_dyntrans_type($1_t)
+
+ allow $1_t self:context contains;
+
+- kernel_dontaudit_read_system_state($1_t)
++ kernel_dontaudit_read_system_state($1_usertype)
++ kernel_dontaudit_list_all_proc($1_usertype)
+
+- dev_read_sysfs($1_t)
+- dev_read_urand($1_t)
++ dev_read_sysfs($1_usertype)
++ dev_read_rand($1_usertype)
++ dev_read_urand($1_usertype)
+
+- domain_use_interactive_fds($1_t)
++ domain_use_interactive_fds($1_usertype)
+ # Command completion can fire hundreds of denials
+- domain_dontaudit_exec_all_entry_files($1_t)
++ domain_dontaudit_exec_all_entry_files($1_usertype)
+
+- files_dontaudit_list_default($1_t)
+- files_dontaudit_read_default_files($1_t)
++ files_dontaudit_list_default($1_usertype)
++ files_dontaudit_read_default_files($1_usertype)
+ # Stat lost+found.
+- files_getattr_lost_found_dirs($1_t)
++ files_getattr_lost_found_dirs($1_usertype)
+
+- fs_get_all_fs_quotas($1_t)
+- fs_getattr_all_fs($1_t)
+- fs_getattr_all_dirs($1_t)
+- fs_search_auto_mountpoints($1_t)
+- fs_list_cgroup_dirs($1_t)
+- fs_list_inotifyfs($1_t)
+- fs_rw_anon_inodefs_files($1_t)
+- fs_dontaudit_rw_cgroup_files($1_t)
++ fs_get_all_fs_quotas($1_usertype)
++ fs_getattr_all_fs($1_usertype)
++ fs_search_all($1_usertype)
++ fs_list_inotifyfs($1_usertype)
++ fs_rw_anon_inodefs_files($1_usertype)
+
++ auth_role($1_r, $1_t)
++ auth_rw_cache($1_t)
++ auth_search_pam_console_data($1_t)
++ auth_dontaudit_read_login_records($1_t)
+ auth_dontaudit_write_login_records($1_t)
+
+ application_exec_all($1_t)
+-
+ # The library functions always try to open read-write first,
+ # then fall back to read-only if it fails.
+ init_dontaudit_rw_utmp($1_t)
++
+ # Stop warnings about access to /dev/console
+- init_dontaudit_use_fds($1_t)
+- init_dontaudit_use_script_fds($1_t)
++ init_dontaudit_use_fds($1_usertype)
++ init_dontaudit_use_script_fds($1_usertype)
+
+- libs_exec_lib_files($1_t)
++ libs_exec_lib_files($1_usertype)
+
+- logging_dontaudit_getattr_all_logs($1_t)
++ logging_dontaudit_getattr_all_logs($1_usertype)
+
+- miscfiles_read_man_pages($1_t)
+ # for running TeX programs
+- miscfiles_read_tetex_data($1_t)
+- miscfiles_exec_tetex_data($1_t)
++ miscfiles_read_tetex_data($1_usertype)
++ miscfiles_exec_tetex_data($1_usertype)
++
++ seutil_read_config($1_usertype)
++ seutil_read_file_contexts($1_usertype)
++ seutil_read_default_contexts($1_usertype)
++ seutil_exec_setfiles($1_usertype)
++
++ optional_policy(`
++ cups_read_config($1_usertype)
++ cups_stream_connect($1_usertype)
++ cups_stream_connect_ptal($1_usertype)
++ ')
+
+- seutil_read_config($1_t)
++ optional_policy(`
++ kerberos_use($1_usertype)
++ kerberos_filetrans_home_content($1_usertype)
++ ')
+
+ optional_policy(`
+- cups_read_config($1_t)
+- cups_stream_connect($1_t)
+- cups_stream_connect_ptal($1_t)
++ mysql_filetrans_named_content($1_usertype)
+ ')
+
+ optional_policy(`
+- kerberos_use($1_t)
++ mta_dontaudit_read_spool_symlinks($1_usertype)
+ ')
+
+ optional_policy(`
+- mta_dontaudit_read_spool_symlinks($1_t)
++ quota_dontaudit_getattr_db($1_usertype)
+ ')
+
+ optional_policy(`
+- quota_dontaudit_getattr_db($1_t)
++ rpm_read_db($1_usertype)
++ rpm_dontaudit_manage_db($1_usertype)
++ rpm_read_cache($1_usertype)
+ ')
+
+ optional_policy(`
+- rpm_read_db($1_t)
+- rpm_dontaudit_manage_db($1_t)
++ oddjob_run_mkhomedir($1_t, $1_r)
+ ')
+ ')
+
+@@ -834,6 +1061,12 @@ template(`userdom_restricted_user_template',`
+ typeattribute $1_t unpriv_userdomain;
+ domain_interactive_fd($1_t)
+
++ allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
++ dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
++
++ seutil_read_file_contexts($1_t)
++ seutil_read_default_contexts($1_t)
++
+ ##############################
+ #
+ # Local policy
+@@ -874,46 +1107,118 @@ template(`userdom_restricted_xwindows_user_template',`
+ # Local policy
+ #
+
+- auth_role($1_r, $1_t)
+- auth_search_pam_console_data($1_t)
+-
+- dev_read_sound($1_t)
+- dev_write_sound($1_t)
++ dev_read_sound($1_usertype)
++ dev_write_sound($1_usertype)
+ # gnome keyring wants to read this.
+- dev_dontaudit_read_rand($1_t)
++ dev_dontaudit_read_rand($1_usertype)
++ # temporarily allow since openoffice requires this
++ dev_read_rand($1_usertype)
++
++ dev_read_video_dev($1_usertype)
++ dev_write_video_dev($1_usertype)
++ dev_rw_wireless($1_usertype)
++
++ libs_dontaudit_setattr_lib_files($1_usertype)
++
++ tunable_policy(`selinuxuser_rw_noexattrfile',`
++ dev_rw_usbfs($1_t)
++ dev_rw_generic_usb_dev($1_usertype)
++
++ fs_manage_noxattr_fs_files($1_usertype)
++ fs_manage_noxattr_fs_dirs($1_usertype)
++ fs_manage_dos_dirs($1_usertype)
++ fs_manage_dos_files($1_usertype)
++ storage_raw_read_removable_device($1_usertype)
++ storage_raw_write_removable_device($1_usertype)
++ ')
+
+ logging_send_syslog_msg($1_t)
+ logging_dontaudit_send_audit_msgs($1_t)
+
+ # Need to to this just so screensaver will work. Should be moved to screensaver domain
+- logging_send_audit_msgs($1_t)
+ selinux_get_enforce_mode($1_t)
++ seutil_exec_restorecond($1_t)
++ seutil_read_file_contexts($1_t)
++ seutil_read_default_contexts($1_t)
+
+ xserver_restricted_role($1_r, $1_t)
+
+ optional_policy(`
+- alsa_read_rw_config($1_t)
++ alsa_read_rw_config($1_usertype)
++ ')
++
++ # cjp: needed by KDE apps
++ # bug: #682499
++ optional_policy(`
++ gnome_read_usr_config($1_usertype)
++ gnome_role_gkeyringd($1, $1_r, $1_usertype)
++ # cjp: telepathy F15 bugs
++ telepathy_role($1_r, $1_t, $1)
++ ')
++
++ optional_policy(`
++ obex_role($1_r, $1_t, $1)
+ ')
+
+ optional_policy(`
+- dbus_role_template($1, $1_r, $1_t)
+- dbus_system_bus_client($1_t)
++ dbus_role_template($1, $1_r, $1_usertype)
++ dbus_system_bus_client($1_usertype)
++ allow $1_usertype $1_usertype:dbus send_msg;
++
++ optional_policy(`
++ abrt_dbus_chat($1_usertype)
++ abrt_run_helper($1_usertype, $1_r)
++ ')
++
++ optional_policy(`
++ consolekit_dontaudit_read_log($1_usertype)
++ consolekit_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ cups_dbus_chat($1_usertype)
++ cups_dbus_chat_config($1_usertype)
++ ')
+
+ optional_policy(`
+- consolekit_dbus_chat($1_t)
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
+ ')
+
+ optional_policy(`
+- cups_dbus_chat($1_t)
++ fprintd_dbus_chat($1_t)
+ ')
++
++ optional_policy(`
++ realmd_dbus_chat($1_t)
++ ')
++ ')
++
++ optional_policy(`
++ policykit_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
++ pulseaudio_role($1_r, $1_usertype)
++ pulseaudio_filetrans_admin_home_content($1_usertype)
++ pulseaudio_filetrans_home_content($1_usertype)
+ ')
+
+ optional_policy(`
+- java_role($1_r, $1_t)
++ rtkit_scheduled($1_usertype)
+ ')
+
+ optional_policy(`
+ setroubleshoot_dontaudit_stream_connect($1_t)
++ ')
++
++ optional_policy(`
++ udev_read_db($1_usertype)
++ ')
++
++ optional_policy(`
++ wm_role_template($1, $1_r, $1_t)
+ ')
+ ')
+
+@@ -948,27 +1253,33 @@ template(`userdom_unpriv_user_template', `
+ #
+
+ # Inherit rules for ordinary users.
+- userdom_restricted_user_template($1)
++ userdom_restricted_xwindows_user_template($1)
+ userdom_common_user_template($1)
+
+ ##############################
+ #
+ # Local policy
+ #
++ allow $1_t self:capability { setgid chown fowner };
++
++ corecmd_exec_chroot($1_t)
+
+ # port access is audited even if dac would not have allowed it, so dontaudit it here
+- corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
++# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+ # Need the following rule to allow users to run vpnc
+ corenet_tcp_bind_xserver_port($1_t)
++ corenet_tcp_bind_generic_node($1_usertype)
++
++ storage_rw_fuse($1_t)
+
+ files_exec_usr_files($1_t)
+- # cjp: why?
++ # cjp: why?
+ files_read_kernel_symbol_table($1_t)
+
+ ifndef(`enable_mls',`
+ fs_exec_noxattr($1_t)
+
+- tunable_policy(`user_rw_noexattrfile',`
++ tunable_policy(`selinuxuser_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_t)
+ fs_manage_noxattr_fs_dirs($1_t)
+ # Write floppies
+@@ -979,54 +1290,89 @@ template(`userdom_unpriv_user_template', `
+ ')
+ ')
+
+- tunable_policy(`user_dmesg',`
+- kernel_read_ring_buffer($1_t)
+- ',`
+- kernel_dontaudit_read_ring_buffer($1_t)
+- ')
++ miscfiles_read_hwdata($1_usertype)
+
+ # Allow users to run TCP servers (bind to ports and accept connection from
+ # the same domain and outside users) disabling this forces FTP passive mode
+ # and may change other protocols
+- tunable_policy(`user_tcp_server',`
+- corenet_tcp_bind_generic_node($1_t)
+- corenet_tcp_bind_generic_port($1_t)
++
++ tunable_policy(`selinuxuser_user_share_music',`
++ corenet_tcp_bind_daap_port($1_usertype)
++ ')
++
++ tunable_policy(`selinuxuser_tcp_server',`
++ corenet_tcp_bind_all_unreserved_ports($1_usertype)
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
++ cdrecord_role($1_r, $1_t)
+ ')
+
+- # Run pppd in pppd_t by default for user
+ optional_policy(`
+- ppp_run_cond($1_t, $1_r)
++ cron_role($1_r, $1_t)
+ ')
+
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
++ games_rw_data($1_usertype)
+ ')
+-')
+
+-#######################################
+-##
+-## The template for creating an administrative user.
+-##
+-##
+-##
+-## This template creates a user domain, types, and
+-## rules for the user's tty, pty, home directories,
+-## tmp, and tmpfs files.
+-##
+-##
+-## The privileges given to administrative users are:
+-##
+-## - Raw disk access
+-## - Set all sysctls
+-## - All kernel ring buffer controls
+-## - Create, read, write, and delete all files but shadow
+-## - Manage source and binary format SELinux policy
+-## - Run insmod
++ optional_policy(`
++ gpg_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
++ gnomeclock_dbus_chat($1_t)
++ ')
++
++ optional_policy(`
++ gpm_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ mount_run_fusermount($1_t, $1_r)
++ mount_read_pid_files($1_t)
++ ')
++
++ optional_policy(`
++ wine_role_template($1, $1_r, $1_t)
++ ')
++
++ optional_policy(`
++ postfix_run_postdrop($1_t, $1_r)
++ postfix_search_spool($1_t)
++ ')
++
++ # Run pppd in pppd_t by default for user
++ optional_policy(`
++ ppp_run_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
++ vdagent_getattr_log($1_t)
++ vdagent_getattr_exec_files($1_t)
++ vdagent_stream_connect($1_t)
++ ')
++')
++
++#######################################
++##
++## The template for creating an administrative user.
++##
++##
++##
++## This template creates a user domain, types, and
++## rules for the user's tty, pty, home directories,
++## tmp, and tmpfs files.
++##
++##
++## The privileges given to administrative users are:
++##
++## - Raw disk access
++## - Set all sysctls
++## - All kernel ring buffer controls
++## - Create, read, write, and delete all files but shadow
++## - Manage source and binary format SELinux policy
++## - Run insmod
+ ##
+ ##
+ ##
+@@ -1040,7 +1386,7 @@ template(`userdom_unpriv_user_template', `
+ template(`userdom_admin_user_template',`
+ gen_require(`
+ attribute admindomain;
+- class passwd { passwd chfn chsh rootok };
++ class passwd { passwd chfn chsh rootok crontab };
+ ')
+
+ ##############################
+@@ -1067,6 +1413,7 @@ template(`userdom_admin_user_template',`
+ #
+
+ allow $1_t self:capability ~{ sys_module audit_control audit_write };
++ allow $1_t self:capability2 { block_suspend syslog };
+ allow $1_t self:process { setexec setfscreate };
+ allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+ allow $1_t self:tun_socket create;
+@@ -1075,6 +1422,9 @@ template(`userdom_admin_user_template',`
+ # Skip authentication when pam_rootok is specified.
+ allow $1_t self:passwd rootok;
+
++ # Manipulate other users crontab.
++ allow $1_t self:passwd crontab;
++
+ kernel_read_software_raid_state($1_t)
+ kernel_getattr_core_if($1_t)
+ kernel_getattr_message_if($1_t)
+@@ -1089,6 +1439,7 @@ template(`userdom_admin_user_template',`
+ kernel_sigstop_unlabeled($1_t)
+ kernel_signull_unlabeled($1_t)
+ kernel_sigchld_unlabeled($1_t)
++ kernel_signal($1_t)
+
+ corenet_tcp_bind_generic_port($1_t)
+ # allow setting up tunnels
+@@ -1106,10 +1457,14 @@ template(`userdom_admin_user_template',`
+ dev_rename_all_blk_files($1_t)
+ dev_rename_all_chr_files($1_t)
+ dev_create_generic_symlinks($1_t)
++ dev_rw_generic_usb_dev($1_t)
++ dev_rw_usbfs($1_t)
++ dev_read_kmsg($1_t)
+
+ domain_setpriority_all_domains($1_t)
+ domain_read_all_domains_state($1_t)
+ domain_getattr_all_domains($1_t)
++ domain_getcap_all_domains($1_t)
+ domain_dontaudit_ptrace_all_domains($1_t)
+ # signal all domains:
+ domain_kill_all_domains($1_t)
+@@ -1120,29 +1475,38 @@ template(`userdom_admin_user_template',`
+ domain_sigchld_all_domains($1_t)
+ # for lsof
+ domain_getattr_all_sockets($1_t)
++ domain_dontaudit_getattr_all_sockets($1_t)
+
+ files_exec_usr_src_files($1_t)
+
+ fs_getattr_all_fs($1_t)
++ fs_getattr_all_files($1_t)
++ fs_list_all($1_t)
+ fs_set_all_quotas($1_t)
+ fs_exec_noxattr($1_t)
+
+ storage_raw_read_removable_device($1_t)
+ storage_raw_write_removable_device($1_t)
++ storage_dontaudit_read_fixed_disk($1_t)
+
+- term_use_all_terms($1_t)
++ term_use_all_inherited_terms($1_t)
++ term_use_unallocated_ttys($1_t)
+
+ auth_getattr_shadow($1_t)
+ # Manage almost all files
+- files_manage_non_auth_files($1_t)
++ files_manage_non_security_dirs($1_t)
++ files_manage_non_security_files($1_t)
+ # Relabel almost all files
+- files_relabel_non_auth_files($1_t)
++ files_relabel_non_security_files($1_t)
+
+ init_telinit($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+- modutils_domtrans_insmod($1_t)
++ optional_policy(`
++ modutils_domtrans_insmod($1_t)
++ modutils_domtrans_depmod($1_t)
++ ')
+
+ # The following rule is temporary until such time that a complete
+ # policy management infrastructure is in place so that an administrator
+@@ -1152,6 +1516,8 @@ template(`userdom_admin_user_template',`
+ # But presently necessary for installing the file_contexts file.
+ seutil_manage_bin_policy($1_t)
+
++ systemd_config_all_services($1_t)
++
+ userdom_manage_user_home_content_dirs($1_t)
+ userdom_manage_user_home_content_files($1_t)
+ userdom_manage_user_home_content_symlinks($1_t)
+@@ -1159,13 +1525,17 @@ template(`userdom_admin_user_template',`
+ userdom_manage_user_home_content_sockets($1_t)
+ userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
+
+- tunable_policy(`user_rw_noexattrfile',`
++ tunable_policy(`selinuxuser_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_t)
+ fs_manage_noxattr_fs_dirs($1_t)
+ ',`
+ fs_read_noxattr_fs_files($1_t)
+ ')
+
++ tunable_policy(`selinuxuser_tcp_server',`
++ corenet_tcp_bind_all_unreserved_ports($1_t)
++ ')
++
+ optional_policy(`
+ postgresql_unconfined($1_t)
+ ')
+@@ -1211,6 +1581,8 @@ template(`userdom_security_admin_template',`
+ dev_relabel_all_dev_nodes($1)
+
+ files_create_boot_flag($1)
++ files_create_default_dir($1)
++ files_root_filetrans_default($1, dir)
+
+ # Necessary for managing /boot/efi
+ fs_manage_dos_files($1)
+@@ -1223,8 +1595,10 @@ template(`userdom_security_admin_template',`
+ selinux_set_enforce_mode($1)
+ selinux_set_all_booleans($1)
+ selinux_set_parameters($1)
++ selinux_read_policy($1)
++
++ files_relabel_all_files($1)
+
+- files_relabel_non_auth_files($1)
+ auth_relabel_shadow($1)
+
+ init_exec($1)
+@@ -1235,29 +1609,31 @@ template(`userdom_security_admin_template',`
+ logging_read_audit_config($1)
+
+ seutil_manage_bin_policy($1)
+- seutil_run_checkpolicy($1, $2)
+- seutil_run_loadpolicy($1, $2)
+- seutil_run_semanage($1, $2)
++ seutil_manage_default_contexts($1)
++ seutil_manage_file_contexts($1)
++ seutil_manage_module_store($1)
++ seutil_manage_config($1)
++ seutil_manage_login_config($1)
++ seutil_run_checkpolicy($1,$2)
++ seutil_run_loadpolicy($1,$2)
++ seutil_run_semanage($1,$2)
++ seutil_run_setsebool($1,$2)
+ seutil_run_setfiles($1, $2)
+
+ optional_policy(`
+- aide_run($1, $2)
++ aide_run($1,$2)
+ ')
+
+ optional_policy(`
+ consoletype_exec($1)
+ ')
+
+- optional_policy(`
+- dmesg_exec($1)
+- ')
+-
+- optional_policy(`
+- ipsec_run_setkey($1, $2)
++ optional_policy(`
++ ipsec_run_setkey($1,$2)
+ ')
+
+ optional_policy(`
+- netlabel_run_mgmt($1, $2)
++ netlabel_run_mgmt($1,$2)
+ ')
+
+ optional_policy(`
+@@ -1317,12 +1693,15 @@ interface(`userdom_user_application_domain',`
+ interface(`userdom_user_home_content',`
+ gen_require(`
+ type user_home_t;
++ attribute user_home_type;
+ ')
+
+ allow $1 user_home_t:filesystem associate;
+ files_type($1)
+- files_poly_member($1)
+ ubac_constrained($1)
++
++ files_poly_member($1)
++ typeattribute $1 user_home_type;
+ ')
+
+ ########################################
+@@ -1363,6 +1742,51 @@ interface(`userdom_user_tmpfs_file',`
+ ##
+ ## Allow domain to attach to TUN devices created by administrative users.
+ ##
++##
++##
++## Type to be used as a file in the
++## generic temporary directory.
++##
++##
++#
++interface(`userdom_user_tmp_content',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ typeattribute $1 user_tmp_type;
++
++ files_tmp_file($1)
++ ubac_constrained($1)
++')
++
++########################################
++##
++## Make the specified type usable in a
++## generic tmpfs_t directory.
++##
++##
++##
++## Type to be used as a file in the
++## generic temporary directory.
++##
++##
++#
++interface(`userdom_user_tmpfs_content',`
++ gen_require(`
++ attribute user_tmpfs_type;
++ ')
++
++ typeattribute $1 user_tmpfs_type;
++
++ files_tmpfs_file($1)
++ ubac_constrained($1)
++')
++
++########################################
++##
++## Allow domain to attach to TUN devices created by administrative users.
++##
+ ##
+ ##
+ ## Domain allowed access.
+@@ -1467,11 +1891,31 @@ interface(`userdom_search_user_home_dirs',`
+ ')
+
+ allow $1 user_home_dir_t:dir search_dir_perms;
++ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
+ files_search_home($1)
+ ')
+
+ ########################################
+ ##
++## Search user tmp directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_search_user_tmp_dirs',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 user_tmp_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to search user home directories.
+ ##
+ ##
+@@ -1513,6 +1957,14 @@ interface(`userdom_list_user_home_dirs',`
+
+ allow $1 user_home_dir_t:dir list_dir_perms;
+ files_search_home($1)
++
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_list_nfs($1)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_list_cifs($1)
++ ')
+ ')
+
+ ########################################
+@@ -1528,9 +1980,11 @@ interface(`userdom_list_user_home_dirs',`
+ interface(`userdom_dontaudit_list_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
++ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
++ dontaudit $1 user_home_t:dir list_dir_perms;
+ ')
+
+ ########################################
+@@ -1587,6 +2041,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+ allow $1 user_home_dir_t:dir relabelto;
+ ')
+
++
++########################################
++##
++## Relabel to user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_relabelto_user_home_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file relabelto;
++')
++########################################
++##
++## Relabel user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_relabel_user_home_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file relabel_file_perms;
++')
++
+ ########################################
+ ##
+ ## Create directories in the home dir root with
+@@ -1666,6 +2156,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+ ')
+
+ dontaudit $1 user_home_t:dir search_dir_perms;
++ fs_dontaudit_list_nfs($1)
++ fs_dontaudit_list_cifs($1)
+ ')
+
+ ########################################
+@@ -1680,10 +2172,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+ #
+ interface(`userdom_list_user_home_content',`
+ gen_require(`
+- type user_home_t;
++ type user_home_dir_t;
++ attribute user_home_type;
+ ')
+
+- allow $1 user_home_t:dir list_dir_perms;
++ files_list_home($1)
++ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
+ ')
+
+ ########################################
+@@ -1726,6 +2220,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+
+ ########################################
+ ##
++## Delete all directories in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_all_user_home_content_dirs',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:dir delete_dir_perms;
++')
++
++########################################
++##
++## Set the attributes of user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_setattr_user_home_content_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file setattr;
++')
++
++########################################
++##
+ ## Do not audit attempts to set the
+ ## attributes of user home files.
+ ##
+@@ -1745,6 +2276,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+
+ ########################################
+ ##
++## Set the attributes of all user home directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_setattr_all_user_home_content_dirs',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:dir setattr_dir_perms;
++')
++
++########################################
++##
+ ## Mmap user home files.
+ ##
+ ##
+@@ -1775,14 +2325,36 @@ interface(`userdom_mmap_user_home_content_files',`
+ interface(`userdom_read_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
++ attribute user_home_type;
+ ')
+
+- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
++ list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
++ read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ files_search_home($1)
+ ')
+
+ ########################################
+ ##
++## Do not audit attempts to getattr user home files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_getattr_user_home_content',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ dontaudit $1 user_home_type:dir getattr;
++ dontaudit $1 user_home_type:file getattr;
++')
++
++########################################
++##
+ ## Do not audit attempts to read user home files.
+ ##
+ ##
+@@ -1793,11 +2365,14 @@ interface(`userdom_read_user_home_content_files',`
+ #
+ interface(`userdom_dontaudit_read_user_home_content_files',`
+ gen_require(`
+- type user_home_t;
++ attribute user_home_type;
++ type user_home_dir_t;
+ ')
+
+- dontaudit $1 user_home_t:dir list_dir_perms;
+- dontaudit $1 user_home_t:file read_file_perms;
++ dontaudit $1 user_home_dir_t:dir list_dir_perms;
++ dontaudit $1 user_home_type:dir list_dir_perms;
++ dontaudit $1 user_home_type:file read_file_perms;
++ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -1856,25 +2431,25 @@ interface(`userdom_delete_user_home_content_files',`
+
+ ########################################
+ ##
+-## Do not audit attempts to write user home files.
++## Delete all files in a user home subdirectory.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_relabel_user_home_content_files',`
++interface(`userdom_delete_all_user_home_content_files',`
+ gen_require(`
+- type user_home_t;
++ attribute user_home_type;
+ ')
+
+- dontaudit $1 user_home_t:file relabel_file_perms;
++ allow $1 user_home_type:file delete_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Read user home subdirectory symbolic links.
++## Delete sock files in a user home subdirectory.
+ ##
+ ##
+ ##
+@@ -1882,46 +2457,53 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_read_user_home_content_symlinks',`
++interface(`userdom_delete_user_home_content_sock_files',`
+ gen_require(`
+- type user_home_dir_t, user_home_t;
++ type user_home_t;
+ ')
+
+- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+- files_search_home($1)
++ allow $1 user_home_t:sock_file delete_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Execute user home files.
++## Delete all sock files in a user home subdirectory.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`userdom_exec_user_home_content_files',`
++interface(`userdom_delete_all_user_home_content_sock_files',`
+ gen_require(`
+- type user_home_dir_t, user_home_t;
++ attribute user_home_type;
+ ')
+
+- files_search_home($1)
+- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++ allow $1 user_home_type:sock_file delete_file_perms;
++')
+
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_exec_nfs_files($1)
++########################################
++##
++## Delete all files in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_all_user_home_content',`
++ gen_require(`
++ attribute user_home_type;
+ ')
+
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
++ allow $1 user_home_type:dir_file_class_set delete_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to execute user home files.
++## Do not audit attempts to write user home files.
+ ##
+ ##
+ ##
+@@ -1929,18 +2511,17 @@ interface(`userdom_exec_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_exec_user_home_content_files',`
++interface(`userdom_dontaudit_relabel_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+- dontaudit $1 user_home_t:file exec_file_perms;
++ dontaudit $1 user_home_t:file relabel_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete files
+-## in a user home subdirectory.
++## Read user home subdirectory symbolic links.
+ ##
+ ##
+ ##
+@@ -1948,7 +2529,66 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_manage_user_home_content_files',`
++interface(`userdom_read_user_home_content_symlinks',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ ')
++
++ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
++')
++
++########################################
++##
++## Execute user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_exec_user_home_content_files',`
++ gen_require(`
++ type user_home_dir_t;
++ attribute user_home_type;
++ ')
++
++ files_search_home($1)
++ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ dontaudit $1 user_home_type:sock_file execute;
++ ')
++
++########################################
++##
++## Do not audit attempts to execute user home files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_exec_user_home_content_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ dontaudit $1 user_home_t:file exec_file_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete files
++## in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+@@ -2018,6 +2658,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+
+ ########################################
+ ##
++## Delete all symbolic links in a user home directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_all_user_home_content_symlinks',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:lnk_file delete_lnk_file_perms;
++')
++
++########################################
++##
+ ## Create, read, write, and delete named pipes
+ ## in a user home subdirectory.
+ ##
+@@ -2250,11 +2908,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+ #
+ interface(`userdom_read_user_tmp_files',`
+ gen_require(`
+- type user_tmp_t;
++ attribute user_tmp_type;
+ ')
+
+- read_files_pattern($1, user_tmp_t, user_tmp_t)
+- allow $1 user_tmp_t:dir list_dir_perms;
++ read_files_pattern($1, user_tmp_type, user_tmp_type)
++ allow $1 user_tmp_type:dir list_dir_perms;
+ files_search_tmp($1)
+ ')
+
+@@ -2274,7 +2932,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tmp_t:file read_file_perms;
++ dontaudit $1 user_tmp_t:file read_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -2521,6 +3179,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ files_tmp_filetrans($1, user_tmp_t, $2, $3)
+ ')
+
++#######################################
++##
++## Getattr user tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_getattr_user_tmpfs_files',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ fs_search_tmpfs($1)
++')
++
+ ########################################
+ ##
+ ## Read user tmpfs files.
+@@ -2537,13 +3214,14 @@ interface(`userdom_read_user_tmpfs_files',`
+ ')
+
+ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ allow $1 user_tmpfs_t:dir list_dir_perms;
+ fs_search_tmpfs($1)
+ ')
+
+ ########################################
+ ##
+-## Read user tmpfs files.
++## Read/Write user tmpfs files.
+ ##
+ ##
+ ##
+@@ -2564,7 +3242,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+
+ ########################################
+ ##
+-## Create, read, write, and delete user tmpfs files.
++## Read/Write inherited user tmpfs files.
+ ##
+ ##
+ ##
+@@ -2572,14 +3250,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+ ##
+ ##
+ #
+-interface(`userdom_manage_user_tmpfs_files',`
++interface(`userdom_rw_inherited_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+- manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- allow $1 user_tmpfs_t:dir list_dir_perms;
+- fs_search_tmpfs($1)
++ allow $1 user_tmpfs_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Execute user tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_execute_user_tmpfs_files',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ allow $1 user_tmpfs_t:file execute;
+ ')
+
+ ########################################
+@@ -2674,6 +3368,24 @@ interface(`userdom_use_user_ttys',`
+
+ ########################################
+ ##
++## Read and write a inherited user domain tty.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_use_inherited_user_ttys',`
++ gen_require(`
++ type user_tty_device_t;
++ ')
++
++ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
++')
++
++########################################
++##
+ ## Read and write a user domain pty.
+ ##
+ ##
+@@ -2692,22 +3404,34 @@ interface(`userdom_use_user_ptys',`
+
+ ########################################
+ ##
+-## Read and write a user TTYs and PTYs.
++## Read and write a inherited user domain pty.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_use_inherited_user_ptys',`
++ gen_require(`
++ type user_devpts_t;
++ ')
++
++ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++########################################
++##
++## Read and write a inherited user TTYs and PTYs.
+ ##
+ ##
+ ##
+-## Allow the specified domain to read and write user
++## Allow the specified domain to read and write inherited user
+ ## TTYs and PTYs. This will allow the domain to
+ ## interact with the user via the terminal. Typically
+ ## all interactive applications will require this
+ ## access.
+ ##
+-##
+-## However, this also allows the applications to spy
+-## on user sessions or inject information into the
+-## user session. Thus, this access should likely
+-## not be allowed for non-interactive domains.
+-##
+ ##
+ ##
+ ##
+@@ -2716,14 +3440,33 @@ interface(`userdom_use_user_ptys',`
+ ##
+ ##
+ #
+-interface(`userdom_use_user_terminals',`
++interface(`userdom_use_inherited_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+- allow $1 user_tty_device_t:chr_file rw_term_perms;
+- allow $1 user_devpts_t:chr_file rw_term_perms;
+- term_list_ptys($1)
++ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
++ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++#######################################
++##
++## Allow attempts to read and write
++## a user domain tty and pty.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_use_user_terminals',`
++ gen_require(`
++ type user_tty_device_t, user_devpts_t;
++ ')
++
++ allow $1 user_tty_device_t:chr_file rw_term_perms;
++ allow $1 user_devpts_t:chr_file rw_term_perms;
+ ')
+
+ ########################################
+@@ -2742,8 +3485,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
+- dontaudit $1 user_devpts_t:chr_file rw_term_perms;
++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
++ dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++
++########################################
++##
++## Get attributes of user domain tty and pty.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_getattr_user_terminals',`
++ gen_require(`
++ type user_tty_device_t, user_devpts_t;
++ ')
++
++ allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
+ ')
+
+ ########################################
+@@ -2815,69 +3577,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+ allow unpriv_userdomain $1:process sigchld;
+ ')
+
+-########################################
++#####################################
+ ##
+-## Execute an Xserver session in all unprivileged user domains. This
+-## is an explicit transition, requiring the
+-## caller to use setexeccon().
++## Allow domain dyntrans to unpriv userdomain.
+ ##
+ ##
+-##
+-## Domain allowed to transition.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+-interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+- gen_require(`
+- attribute unpriv_userdomain;
+- ')
++interface(`userdom_dyntransition_unpriv_users',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
+
+- xserver_xsession_spec_domtrans($1, unpriv_userdomain)
+- allow unpriv_userdomain $1:fd use;
+- allow unpriv_userdomain $1:fifo_file rw_file_perms;
+- allow unpriv_userdomain $1:process sigchld;
++ allow $1 unpriv_userdomain:process dyntransition;
+ ')
+
+-#######################################
++####################################
+ ##
+-## Read and write unpriviledged user SysV sempaphores.
++## Allow domain dyntrans to admin userdomain.
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+-interface(`userdom_rw_unpriv_user_semaphores',`
+- gen_require(`
+- attribute unpriv_userdomain;
+- ')
++interface(`userdom_dyntransition_admin_users',`
++ gen_require(`
++ attribute admindomain;
++ ')
+
+- allow $1 unpriv_userdomain:sem rw_sem_perms;
++ allow $1 admindomain:process dyntransition;
+ ')
+
+ ########################################
+ ##
+-## Manage unpriviledged user SysV sempaphores.
++## Execute an Xserver session in all unprivileged user domains. This
++## is an explicit transition, requiring the
++## caller to use setexeccon().
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allowed to transition.
+ ##
+ ##
+ #
+-interface(`userdom_manage_unpriv_user_semaphores',`
++interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+- allow $1 unpriv_userdomain:sem create_sem_perms;
++ xserver_xsession_spec_domtrans($1, unpriv_userdomain)
++ allow unpriv_userdomain $1:fd use;
++ allow unpriv_userdomain $1:fifo_file rw_file_perms;
++ allow unpriv_userdomain $1:process sigchld;
+ ')
+
+-#######################################
++########################################
+ ##
+-## Read and write unpriviledged user SysV shared
+-## memory segments.
++## Manage unpriviledged user SysV sempaphores.
+ ##
+ ##
+ ##
+@@ -2885,12 +3646,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+ ##
+ ##
+ #
+-interface(`userdom_rw_unpriv_user_shared_mem',`
++interface(`userdom_manage_unpriv_user_semaphores',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+- allow $1 unpriv_userdomain:shm rw_shm_perms;
++ allow $1 unpriv_userdomain:sem create_sem_perms;
+ ')
+
+ ########################################
+@@ -2954,7 +3715,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+
+ domain_entry_file_spec_domtrans($1, unpriv_userdomain)
+ allow unpriv_userdomain $1:fd use;
+- allow unpriv_userdomain $1:fifo_file rw_file_perms;
++ allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
+ ')
+
+@@ -2970,29 +3731,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+ #
+ interface(`userdom_search_user_home_content',`
+ gen_require(`
+- type user_home_dir_t, user_home_t;
++ type user_home_dir_t;
++ attribute user_home_type;
+ ')
+
+ files_list_home($1)
+- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
+-')
+-
+-########################################
+-##
+-## Send signull to unprivileged user domains.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`userdom_signull_unpriv_users',`
+- gen_require(`
+- attribute unpriv_userdomain;
+- ')
+-
+- allow $1 unpriv_userdomain:process signull;
++ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
++ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -3074,7 +3819,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+ type user_devpts_t;
+ ')
+
+- dontaudit $1 user_devpts_t:chr_file rw_file_perms;
++ dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -3129,12 +3874,13 @@ interface(`userdom_write_user_tmp_files',`
+ type user_tmp_t;
+ ')
+
+- allow $1 user_tmp_t:file write_file_perms;
++ write_files_pattern($1, user_tmp_t, user_tmp_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to use user ttys.
++## Do not audit attempts to write users
++## temporary files.
+ ##
+ ##
+ ##
+@@ -3142,36 +3888,37 @@ interface(`userdom_write_user_tmp_files',`
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_dontaudit_write_user_tmp_files',`
+ gen_require(`
+- type user_tty_device_t;
++ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++ dontaudit $1 user_tmp_t:file write;
+ ')
+
+ ########################################
+ ##
+-## Read the process state of all user domains.
++## Do not audit attempts to read/write users
++## temporary fifo files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_rw_user_tmp_pipes',`
+ gen_require(`
+- attribute userdomain;
++ type user_tmp_t;
+ ')
+
+- read_files_pattern($1, userdomain, userdomain)
+- kernel_search_proc($1)
++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of all user domains.
++## Allow domain to read/write inherited users
++## fifo files.
+ ##
+ ##
+ ##
+@@ -3179,40 +3926,96 @@ interface(`userdom_read_all_users_state',`
+ ##
+ ##
+ #
+-interface(`userdom_getattr_all_users',`
++interface(`userdom_rw_inherited_user_pipes',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+- allow $1 userdomain:process getattr;
++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Inherit the file descriptors from all user domains
++## Do not audit attempts to use user ttys.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`userdom_use_all_users_fds',`
++interface(`userdom_dontaudit_use_user_ttys',`
+ gen_require(`
+- attribute userdomain;
++ type user_tty_device_t;
+ ')
+
+- allow $1 userdomain:fd use;
++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to inherit the file
+-## descriptors from any user domains.
++## Read the process state of all user domains.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_all_users_state',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ read_files_pattern($1, userdomain, userdomain)
++ read_lnk_files_pattern($1,userdomain,userdomain)
++ kernel_search_proc($1)
++')
++
++########################################
++##
++## Get the attributes of all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_getattr_all_users',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:process getattr;
++')
++
++########################################
++##
++## Inherit the file descriptors from all user domains
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_use_all_users_fds',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:fd use;
++')
++
++########################################
++##
++## Do not audit attempts to inherit the file
++## descriptors from any user domains.
++##
++##
++##
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -3242,6 +4045,42 @@ interface(`userdom_signal_all_users',`
+ allow $1 userdomain:process signal;
+ ')
+
++#######################################
++##
++## Send signull to all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_signull_all_users',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:process signull;
++')
++
++########################################
++##
++## Send kill signals to all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_kill_all_users',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:process sigkill;
++')
++
+ ########################################
+ ##
+ ## Send a SIGCHLD signal to all user domains.
+@@ -3262,6 +4101,24 @@ interface(`userdom_sigchld_all_users',`
+
+ ########################################
+ ##
++## Read keys for all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_all_users_keys',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:key read;
++')
++
++########################################
++##
+ ## Create keys for all user domains.
+ ##
+ ##
+@@ -3296,3 +4153,1365 @@ interface(`userdom_dbus_send_all_users',`
+
+ allow $1 userdomain:dbus send_msg;
+ ')
++
++########################################
++##
++## Allow apps to set rlimits on userdomain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_set_rlimitnh',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:process rlimitinh;
++')
++
++########################################
++##
++## Define this type as a Allow apps to set rlimits on userdomain
++##
++##
++##
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++template(`userdom_unpriv_usertype',`
++ gen_require(`
++ attribute unpriv_userdomain, userdomain;
++ attribute $1_usertype;
++ ')
++ typeattribute $2 $1_usertype;
++ typeattribute $2 unpriv_userdomain;
++ typeattribute $2 userdomain;
++
++ auth_use_nsswitch($2)
++ ubac_constrained($2)
++')
++
++#######################################
++##
++## Define this type as a Allow apps to set rlimits on userdomain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++template(`userdom_unpriv_type',`
++ gen_require(`
++ attribute unpriv_userdomain, userdomain;
++ ')
++ typeattribute $1 unpriv_userdomain;
++ typeattribute $1 userdomain;
++
++ auth_use_nsswitch($1)
++ ubac_constrained($1)
++')
++
++########################################
++##
++## Connect to users over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_stream_connect',`
++ gen_require(`
++ type user_tmp_t;
++ attribute userdomain;
++ ')
++
++ stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
++')
++
++########################################
++##
++## Ptrace user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_ptrace_all_users',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 userdomain:process ptrace;
++ ')
++')
++
++########################################
++##
++## dontaudit Search /root
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_search_admin_dir',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:dir search_dir_perms;
++')
++
++########################################
++##
++## dontaudit list /root
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_list_admin_dir',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Allow domain to list /root
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_list_admin_dir',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ allow $1 admin_home_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Allow Search /root
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_search_admin_dir',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ allow $1 admin_home_t:dir search_dir_perms;
++')
++
++########################################
++##
++## RW unpriviledged user SysV sempaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_semaphores',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
++
++ allow $1 unpriv_userdomain:sem rw_sem_perms;
++')
++
++########################################
++##
++## Send a message to unpriv users over a unix domain
++## datagram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_dgram_send',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
++
++ allow $1 unpriv_userdomain:unix_dgram_socket sendto;
++')
++
++######################################
++##
++## Send a message to users over a unix domain
++## datagram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_users_dgram_send',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:unix_dgram_socket sendto;
++')
++
++#######################################
++##
++## Allow execmod on files in homedirectory
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_execmod_user_home_files',`
++ gen_require(`
++ type user_home_type;
++ ')
++
++ allow $1 user_home_type:file execmod;
++')
++
++########################################
++##
++## Read admin home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_read_admin_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ read_files_pattern($1, admin_home_t, admin_home_t)
++')
++
++########################################
++##
++## Delete admin home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_delete_admin_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ allow $1 admin_home_t:file delete_file_perms;
++')
++
++########################################
++##
++## Execute admin home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_exec_admin_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ exec_files_pattern($1, admin_home_t, admin_home_t)
++')
++
++########################################
++##
++## Append files inherited
++## in the /root directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_inherit_append_admin_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ allow $1 admin_home_t:file { getattr append };
++')
++
++
++#######################################
++##
++## Manage all files/directories in the homedir
++##
++##
++##
++## The user domain
++##
++##
++##
++#
++interface(`userdom_manage_user_home_content',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ attribute user_home_type;
++ ')
++
++ files_list_home($1)
++ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
++
++')
++
++
++########################################
++##
++## Create objects in a user home directory
++## with an automatic type transition to
++## the user home file type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++#
++interface(`userdom_user_home_dir_filetrans_pattern',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ ')
++
++ type_transition $1 user_home_dir_t:$2 user_home_t;
++')
++
++########################################
++##
++## Create objects in the /root directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`userdom_admin_home_dir_filetrans',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ filetrans_pattern($1, admin_home_t, $2, $3, $4)
++')
++
++########################################
++##
++## Send signull to unprivileged user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_signull_unpriv_users',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
++
++ allow $1 unpriv_userdomain:process signull;
++')
++
++########################################
++##
++## Write all users files in /tmp
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_write_user_tmp_dirs',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ write_files_pattern($1, user_tmp_t, user_tmp_t)
++')
++
++########################################
++##
++## Manage keys for all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_all_users_keys',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:key manage_key_perms;
++')
++
++
++########################################
++##
++## Do not audit attempts to read and write
++## unserdomain stream.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_rw_stream',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read and write
++## unserdomain datagram socket.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_rw_dgram_socket',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ dontaudit $1 userdomain:unix_dgram_socket { read write };
++')
++
++########################################
++##
++## Append files
++## in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_append_user_home_content_files',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ ')
++
++ append_files_pattern($1, user_home_t, user_home_t)
++ allow $1 user_home_dir_t:dir search_dir_perms;
++ files_search_home($1)
++')
++
++########################################
++##
++## Read files inherited
++## in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_inherited_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:file { getattr read };
++')
++
++########################################
++##
++## Read/Write files inherited
++## in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_inherited_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Append files inherited
++## in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_inherit_append_user_home_content_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file { getattr append };
++')
++
++########################################
++##
++## Append files inherited
++## in a user tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_inherit_append_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file { getattr append };
++')
++
++######################################
++##
++## Read audio files in the users homedir.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_read_home_audio_files',`
++ gen_require(`
++ type audio_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 audio_home_t:dir list_dir_perms;
++ read_files_pattern($1, audio_home_t, audio_home_t)
++ read_lnk_files_pattern($1, audio_home_t, audio_home_t)
++')
++
++########################################
++##
++## Do not audit attempts to write all user home content files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_write_all_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ dontaudit $1 user_home_type:file write_inherited_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to write all user tmp content files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_write_all_user_tmp_content_files',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ dontaudit $1 user_tmp_type:file write_inherited_file_perms;
++')
++
++########################################
++##
++## Manage all user temporary content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_all_user_tmp_content',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
++ manage_files_pattern($1, user_tmp_type, user_tmp_type)
++ manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
++ manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
++ manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## List all user temporary content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_list_all_user_tmp_content',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ list_dirs_pattern($1, user_tmp_type, user_tmp_type)
++ getattr_files_pattern($1, user_tmp_type, user_tmp_type)
++ read_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
++ getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type)
++ getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
++ files_search_var($1)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Manage all user tmpfs content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_all_user_tmpfs_content',`
++ gen_require(`
++ attribute user_tmpfs_type;
++ ')
++
++ manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
++ manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++ manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++ manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++ manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++ fs_search_tmpfs($1)
++')
++
++########################################
++##
++## Delete all user temporary content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_all_user_tmp_content',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ delete_dirs_pattern($1, user_tmp_type, user_tmp_type)
++ delete_files_pattern($1, user_tmp_type, user_tmp_type)
++ delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
++ delete_sock_files_pattern($1, user_tmp_type, user_tmp_type)
++ delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
++ # /var/tmp
++ files_search_var($1)
++ files_delete_tmp_dir_entry($1)
++')
++
++########################################
++##
++## Read system SSL certificates in the users homedir.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_home_certs',`
++ gen_require(`
++ type home_cert_t;
++ ')
++
++ userdom_search_user_home_content($1)
++ allow $1 home_cert_t:dir list_dir_perms;
++ read_files_pattern($1, home_cert_t, home_cert_t)
++ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
++')
++
++########################################
++##
++## Manage system SSL certificates in the users homedir.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_home_certs',`
++ gen_require(`
++ type home_cert_t;
++ ')
++
++ allow $1 home_cert_t:dir list_dir_perms;
++ manage_dirs_pattern($1, home_cert_t, home_cert_t)
++ manage_files_pattern($1, home_cert_t, home_cert_t)
++ manage_lnk_files_pattern($1, home_cert_t, home_cert_t)
++
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
++')
++
++#######################################
++##
++## Dontaudit Write system SSL certificates in the users homedir.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_write_home_certs',`
++ gen_require(`
++ type home_cert_t;
++ ')
++
++ dontaudit $1 home_cert_t:file write;
++')
++
++########################################
++##
++## dontaudit Search getatrr /root files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_getattr_admin_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:file getattr;
++')
++
++########################################
++##
++## dontaudit read /root lnk files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_admin_home_lnk_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:lnk_file read;
++')
++
++########################################
++##
++## dontaudit read /root files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_admin_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:file read_file_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete user
++## temporary chr files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_user_tmp_chr_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Create, read, write, and delete user
++## temporary blk files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_user_tmp_blk_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Dontaudit attempt to set attributes on user temporary directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_setattr_user_tmp',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ dontaudit $1 user_tmp_t:dir setattr;
++')
++
++########################################
++##
++## Dontaudit attempt to set attributes on user temporary file system files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_setattr_user_tmpfs',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ dontaudit $1 user_tmpfs_t:file setattr;
++')
++
++########################################
++##
++## Read all inherited users files in /tmp
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_inherited_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file read_inherited_file_perms;
++')
++
++########################################
++##
++## Read/write all inherited users files in /tmp
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_inherited_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Write all inherited users files in /tmp
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_write_inherited_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file write;
++')
++
++########################################
++##
++## Write all inherited users home files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_inherited_user_home_sock_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:sock_file write;
++')
++
++########################################
++##
++## Delete all users files in /tmp
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file delete_file_perms;
++')
++
++########################################
++##
++## Delete user tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_user_tmpfs_files',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ allow $1 user_tmpfs_t:file delete_file_perms;
++')
++
++########################################
++##
++## Read/Write unpriviledged user SysV shared
++## memory segments.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_unpriv_user_shared_mem',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
++
++ allow $1 unpriv_userdomain:shm rw_shm_perms;
++')
++
++########################################
++##
++## Do not audit attempts to search user
++## temporary directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_search_user_tmp',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ dontaudit $1 user_tmp_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Execute a file in a user home directory
++## in the specified domain.
++##
++##
++##
++## Execute a file in a user home directory
++## in the specified domain.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`userdom_domtrans_user_home',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ read_lnk_files_pattern($1, user_home_t, user_home_t)
++ domain_transition_pattern($1, user_home_t, $2)
++ type_transition $1 user_home_t:process $2;
++')
++
++########################################
++##
++## Execute a file in a user tmp directory
++## in the specified domain.
++##
++##
++##
++## Execute a file in a user tmp directory
++## in the specified domain.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`userdom_domtrans_user_tmp',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++ domain_transition_pattern($1, user_tmp_t, $2)
++ type_transition $1 user_tmp_t:process $2;
++')
++
++########################################
++##
++## Do not audit attempts to read all user home content files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_all_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ dontaudit $1 user_home_type:file read_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read all user tmp content files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_all_user_tmp_content_files',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ dontaudit $1 user_tmp_type:file read_file_perms;
++')
++
++#######################################
++##
++## Read and write unpriviledged user SysV sempaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_unpriv_user_semaphores',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
++
++ allow $1 unpriv_userdomain:sem rw_sem_perms;
++')
++
++########################################
++##
++## Transition to userdom named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_filetrans_home_content',`
++ gen_require(`
++ type home_bin_t, home_cert_t;
++ type audio_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
++ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio")
++ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
++
++ optional_policy(`
++ gnome_config_filetrans($1, home_cert_t, dir, "certificates")
++ #gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin")
++ ')
++')
++
++########################################
++##
++## Make the specified type able to read content in user home dirs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_home_reader',`
++ gen_require(`
++ attribute userdom_home_reader_type;
++ ')
++
++ typeattribute $1 userdom_home_reader_type;
++')
++
++
++########################################
++##
++## Make the specified type able to manage content in user home dirs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_home_manager',`
++ gen_require(`
++ attribute userdom_home_manager_type;
++ ')
++
++ typeattribute $1 userdom_home_manager_type;
++')
++
++########################################
++##
++## Create objects in the temporary filesystem directory
++## with an automatic type transition to
++## the user temporary filesystem type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`userdom_tmpfs_filetrans',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ fs_tmpfs_filetrans($1, user_tmpfs_t, $2, $3)
++')
++
++
++#######################################
++##
++## Create objects in the temporary filesystem directory
++## with an automatic type transition to
++## the user temporary filesystem type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`userdom_tmpfs_filetrans_to',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
++')
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 6a4bd85..4f23ca8 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.0)
+
+ ##
+ ##
+-## Allow users to connect to mysql
++## Allow users to connect to the local mysql server
+ ##
+ ##
+-gen_tunable(allow_user_mysql_connect, false)
++gen_tunable(selinuxuser_mysql_connect_enabled, false)
+
+ ##
+ ##
+ ## Allow users to connect to PostgreSQL
+ ##
+ ##
+-gen_tunable(allow_user_postgresql_connect, false)
++gen_tunable(selinuxuser_postgresql_connect_enabled, false)
+
+ ##
+ ##
+-## Allow regular users direct mouse access
++## Allow user to r/w files on filesystems
++## that do not have extended attributes (FAT, CDROM, FLOPPY)
+ ##
+ ##
+-gen_tunable(user_direct_mouse, false)
++gen_tunable(selinuxuser_rw_noexattrfile, false)
+
+ ##
+ ##
+-## Allow users to read system messages.
++## Allow user music sharing
+ ##
+ ##
+-gen_tunable(user_dmesg, false)
++gen_tunable(selinuxuser_user_share_music, false)
+
+ ##
+ ##
+-## Allow user to r/w files on filesystems
+-## that do not have extended attributes (FAT, CDROM, FLOPPY)
++## Allow user to use ssh chroot environment.
+ ##
+ ##
+-gen_tunable(user_rw_noexattrfile, false)
+-
+-##
+-##
+-## Allow w to display everyone
+-##
+-##
+-gen_tunable(user_ttyfile_stat, false)
++gen_tunable(selinuxuser_use_ssh_chroot, false)
+
+ attribute admindomain;
++attribute login_userdomain;
+
+ # all user domains
+ attribute userdomain;
+@@ -59,6 +53,22 @@ attribute unpriv_userdomain;
+ attribute untrusted_content_type;
+ attribute untrusted_content_tmp_type;
+
++attribute userdom_home_reader_type;
++attribute userdom_home_manager_type;
++
++# unprivileged user domains
++attribute user_home_type;
++attribute user_tmp_type;
++attribute user_tmpfs_type;
++
++type admin_home_t;
++files_type(admin_home_t)
++files_associate_tmp(admin_home_t)
++fs_associate_tmpfs(admin_home_t)
++files_mountpoint(admin_home_t)
++files_poly_member(admin_home_t)
++files_poly_parent(admin_home_t)
++
+ type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
+ fs_associate_tmpfs(user_home_dir_t)
+ files_type(user_home_dir_t)
+@@ -71,26 +81,122 @@ ubac_constrained(user_home_dir_t)
+
+ type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
+ typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
++typeattribute user_home_t user_home_type;
+ userdom_user_home_content(user_home_t)
+ fs_associate_tmpfs(user_home_t)
+ files_associate_tmp(user_home_t)
++files_poly_member(user_home_t)
+ files_poly_parent(user_home_t)
+ files_mountpoint(user_home_t)
++ubac_constrained(user_home_t)
+
+ type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
+ dev_node(user_devpts_t)
+ files_type(user_devpts_t)
+ ubac_constrained(user_devpts_t)
+
+-type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
++type user_tmp_t, user_tmp_type;
++typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
+ typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
+ files_tmp_file(user_tmp_t)
+ userdom_user_home_content(user_tmp_t)
++files_poly_parent(user_tmp_t)
++files_mountpoint(user_tmp_t)
+
+-type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
++type user_tmpfs_t, user_tmpfs_type;
++typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+ files_tmpfs_file(user_tmpfs_t)
+ userdom_user_home_content(user_tmpfs_t)
+
+ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
+ dev_node(user_tty_device_t)
+ ubac_constrained(user_tty_device_t)
++
++type audio_home_t;
++userdom_user_home_content(audio_home_t)
++ubac_constrained(audio_home_t)
++
++type home_bin_t;
++userdom_user_home_content(home_bin_t)
++ubac_constrained(home_bin_t)
++
++type home_cert_t;
++miscfiles_cert_type(home_cert_t)
++userdom_user_home_content(home_cert_t)
++ubac_constrained(home_cert_t)
++
++tunable_policy(`login_console_enabled',`
++ term_use_console(userdomain)
++')
++
++allow userdomain userdomain:process signull;
++allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms;
++
++# Nautilus causes this avc
++dontaudit unpriv_userdomain self:dir setattr;
++allow unpriv_userdomain self:key manage_key_perms;
++
++optional_policy(`
++ alsa_read_rw_config(unpriv_userdomain)
++ alsa_manage_home_files(unpriv_userdomain)
++ alsa_relabel_home_files(unpriv_userdomain)
++')
++
++optional_policy(`
++ gnome_filetrans_home_content(userdomain)
++')
++
++optional_policy(`
++ ssh_filetrans_home_content(userdomain)
++ ssh_rw_tcp_sockets(userdomain)
++')
++
++optional_policy(`
++ telepathy_filetrans_home_content(userdomain)
++')
++
++optional_policy(`
++ xserver_filetrans_home_content(userdomain)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(userdom_home_reader_type)
++ fs_read_nfs_files(userdom_home_reader_type)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(userdom_home_reader_type)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_read_fusefs_files(userdom_home_reader_type)
++')
++
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_read_ecryptfs_files(userdom_home_reader_type)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(userdom_home_manager_type)
++ fs_manage_nfs_dirs(userdom_home_manager_type)
++ fs_manage_nfs_files(userdom_home_manager_type)
++ fs_manage_nfs_symlinks(userdom_home_manager_type)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_dirs(userdom_home_manager_type)
++ fs_manage_cifs_files(userdom_home_manager_type)
++ fs_manage_cifs_symlinks(userdom_home_manager_type)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_manage_fusefs_dirs(userdom_home_manager_type)
++ fs_manage_fusefs_files(userdom_home_manager_type)
++ fs_manage_fusefs_symlinks(userdom_home_manager_type)
++')
++
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_manage_ecryptfs_dirs(userdom_home_manager_type)
++ fs_manage_ecryptfs_files(userdom_home_manager_type)
++ fs_manage_ecryptfs_files(userdom_home_manager_type)
++')
+diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
+index e79d545..101086d 100644
+--- a/policy/support/misc_patterns.spt
++++ b/policy/support/misc_patterns.spt
+@@ -4,7 +4,7 @@
+ define(`domain_transition_pattern',`
+ allow $1 $2:file { getattr open read execute };
+ allow $1 $3:process transition;
+- dontaudit $1 $3:process { noatsecure siginh rlimitinh };
++# dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+ ')
+
+ # compatibility:
+@@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',`
+ domain_transition_pattern($1,$2,$3)
+
+ allow $3 $1:fd use;
+- allow $3 $1:fifo_file rw_fifo_file_perms;
++ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
+ allow $3 $1:process sigchld;
+ ')
+
+@@ -34,7 +34,7 @@ define(`domtrans_pattern',`
+ domain_auto_transition_pattern($1,$2,$3)
+
+ allow $3 $1:fd use;
+- allow $3 $1:fifo_file rw_fifo_file_perms;
++ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
+ allow $3 $1:process sigchld;
+ ')
+
+diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
+index 6e91317..936a91d 100644
+--- a/policy/support/obj_perm_sets.spt
++++ b/policy/support/obj_perm_sets.spt
+@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
+ #
+ # All socket classes.
+ #
+-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+-
++define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+
+ #
+ # Datagram socket classes.
+@@ -59,7 +58,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
+ #
+ # Permissions for using sockets.
+ #
+-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
++define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')
+
+ #
+ # Permissions for creating and using sockets.
+@@ -153,12 +152,16 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+ #
+ define(`getattr_file_perms',`{ getattr }')
+ define(`setattr_file_perms',`{ setattr }')
+-define(`read_file_perms',`{ getattr open read lock ioctl }')
++define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
++define(`read_file_perms',`{ open read_inherited_file_perms }')
+ define(`mmap_file_perms',`{ getattr open read execute ioctl }')
+ define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
+-define(`append_file_perms',`{ getattr open append lock ioctl }')
+-define(`write_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
++define(`append_inherited_file_perms',`{ getattr append }')
++define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }')
++define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
++define(`write_file_perms',`{ open write_inherited_file_perms }')
++define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_file_perms',`{ open rw_inherited_file_perms }')
+ define(`create_file_perms',`{ getattr create open }')
+ define(`rename_file_perms',`{ getattr rename }')
+ define(`delete_file_perms',`{ getattr unlink }')
+@@ -179,7 +182,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+ define(`create_lnk_file_perms',`{ create getattr }')
+ define(`rename_lnk_file_perms',`{ getattr rename }')
+ define(`delete_lnk_file_perms',`{ getattr unlink }')
+-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
++define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+ define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
+ define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
+ define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
+@@ -192,7 +195,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
+ define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
+ define(`create_fifo_file_perms',`{ getattr create open }')
+ define(`rename_fifo_file_perms',`{ getattr rename }')
+ define(`delete_fifo_file_perms',`{ getattr unlink }')
+@@ -208,7 +212,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
+ define(`setattr_sock_file_perms',`{ setattr }')
+ define(`read_sock_file_perms',`{ getattr open read }')
+ define(`write_sock_file_perms',`{ getattr write open append }')
+-define(`rw_sock_file_perms',`{ getattr open read write append }')
++define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
++define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
+ define(`create_sock_file_perms',`{ getattr create open }')
+ define(`rename_sock_file_perms',`{ getattr rename }')
+ define(`delete_sock_file_perms',`{ getattr unlink }')
+@@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
+ define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
+ define(`create_blk_file_perms',`{ getattr create }')
+ define(`rename_blk_file_perms',`{ getattr rename }')
+ define(`delete_blk_file_perms',`{ getattr unlink }')
+@@ -242,7 +248,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
+ define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
+ define(`create_chr_file_perms',`{ getattr create }')
+ define(`rename_chr_file_perms',`{ getattr rename }')
+ define(`delete_chr_file_perms',`{ getattr unlink }')
+@@ -259,7 +266,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
+ #
+ # Use (read and write) terminals
+ #
+-define(`rw_term_perms', `{ getattr open read write append ioctl }')
++define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
++define(`rw_term_perms', `{ rw_inherited_term_perms open }')
+
+ #
+ # Sockets
+@@ -271,3 +279,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
+ # Keys
+ #
+ define(`manage_key_perms', `{ create link read search setattr view write } ')
++
++#
++# Service
++#
++define(`manage_service_perms', `{ start stop status reload kill load } ')
+diff --git a/policy/users b/policy/users
+index c4ebc7e..30d6d7a 100644
+--- a/policy/users
++++ b/policy/users
+@@ -15,7 +15,7 @@
+ # and a user process should never be assigned the system user
+ # identity.
+ #
+-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+ #
+ # user_u is a generic user identity for Linux users who have no
+@@ -24,12 +24,9 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ # SELinux user identity for a Linux user. If you do not want to
+ # permit any access to such users, then remove this entry.
+ #
+-gen_user(user_u, user, user_r, s0, s0)
+-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-
+-# Until order dependence is fixed for users:
+-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(user_u, user, user_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+ #
+ # The following users correspond to Unix identities.
+@@ -38,8 +35,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
+ # role should use the staff_r role instead of the user_r role when
+ # not in the sysadm_r.
+ #
+-ifdef(`direct_sysadm_daemon',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+-')
++gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --git a/support/Makefile.devel b/support/Makefile.devel
+index b96e9b3..ff7340f 100644
+--- a/support/Makefile.devel
++++ b/support/Makefile.devel
+@@ -26,7 +26,6 @@ XMLLINT := $(BINDIR)/xmllint
+ # set default build options if missing
+ TYPE ?= standard
+ DIRECT_INITRC ?= n
+-POLY ?= n
+ QUIET ?= y
+
+ genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
new file mode 100644
index 0000000..916914e
--- /dev/null
+++ b/policy-rawhide-contrib.patch
@@ -0,0 +1,75176 @@
+diff --git a/abrt.fc b/abrt.fc
+index 1bd5812..ad5baf5 100644
+--- a/abrt.fc
++++ b/abrt.fc
+@@ -1,20 +1,37 @@
+ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+ /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+
+-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
+-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
+
+ /usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
++
++/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
+
+ /var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+ /var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+
+-/var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0)
++/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+ /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+ /var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
+
+ /var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++
++# ABRT retrace server
++/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
++/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
++
++/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
++
++# cjp: new version
++/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
++/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+diff --git a/abrt.if b/abrt.if
+index 0b827c5..cce58bb 100644
+--- a/abrt.if
++++ b/abrt.if
+@@ -2,6 +2,28 @@
+
+ ######################################
+ ##
++## Creates types and rules for a basic
++## ABRT daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`abrt_basic_types_template',`
++ gen_require(`
++ attribute abrt_domain;
++ ')
++
++ type $1_t, abrt_domain;
++ type $1_exec_t;
++
++ kernel_read_system_state($1_t)
++')
++
++######################################
++##
+ ## Execute abrt in the abrt domain.
+ ##
+ ##
+@@ -71,12 +93,13 @@ interface(`abrt_read_state',`
+ type abrt_t;
+ ')
+
++ kernel_search_proc($1)
+ ps_process_pattern($1, abrt_t)
+ ')
+
+ ########################################
+ ##
+-## Connect to abrt over an unix stream socket.
++## Connect to abrt over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -160,8 +183,26 @@ interface(`abrt_run_helper',`
+
+ ########################################
+ ##
+-## Send and receive messages from
+-## abrt over dbus.
++## Read abrt cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_read_cache',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++')
++
++########################################
++##
++## Append abrt cache
+ ##
+ ##
+ ##
+@@ -169,12 +210,52 @@ interface(`abrt_run_helper',`
+ ##
+ ##
+ #
+-interface(`abrt_cache_manage',`
++interface(`abrt_append_cache',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++
++ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
++')
++
++########################################
++##
++## Read/Write inherited abrt cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_rw_inherited_cache',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++
++ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Manage abrt cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_manage_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+ manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++ manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++ manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ ')
+
+ ####################################
+@@ -253,6 +334,47 @@ interface(`abrt_manage_pid_files',`
+ manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+ ')
+
++########################################
++##
++## Read and write abrt fifo files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_rw_fifo_file',`
++ gen_require(`
++ type abrt_t;
++ ')
++
++ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
++## Execute abrt server in the abrt domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`abrt_systemctl',`
++ gen_require(`
++ type abrt_t;
++ type abrt_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 abrt_unit_file_t:file read_file_perms;
++ allow $1 abrt_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, abrt_t)
++')
++
+ #####################################
+ ##
+ ## All of the rules required to administrate
+@@ -276,28 +398,135 @@ interface(`abrt_admin',`
+ type abrt_var_cache_t, abrt_var_log_t;
+ type abrt_var_run_t, abrt_tmp_t;
+ type abrt_initrc_exec_t;
++ type abrt_unit_file_t;
+ ')
+
+- allow $1 abrt_t:process { ptrace signal_perms };
++ allow $1 abrt_t:process { signal_perms };
+ ps_process_pattern($1, abrt_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 abrt_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, abrt_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 abrt_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, abrt_etc_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, abrt_var_log_t)
+
+- files_search_var($1)
++ files_list_var($1)
+ admin_pattern($1, abrt_var_cache_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, abrt_var_run_t)
+
+- files_search_tmp($1)
++ files_list_tmp($1)
+ admin_pattern($1, abrt_tmp_t)
++
++ abrt_systemctl($1)
++ admin_pattern($1, abrt_unit_file_t)
++ allow $1 abrt_unit_file_t:service all_service_perms;
++')
++
++####################################
++##
++## Execute abrt-retrace in the abrt-retrace domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`abrt_domtrans_retrace_worker',`
++ gen_require(`
++ type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
++')
++
++######################################
++##
++## Manage abrt retrace server cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_manage_spool_retrace',`
++ gen_require(`
++ type abrt_retrace_spool_t;
++ ')
++
++ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++')
++
++#####################################
++##
++## Read abrt retrace server cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_read_spool_retrace',`
++ gen_require(`
++ type abrt_retrace_spool_t;
++ ')
++
++ list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++')
++
++
++#####################################
++##
++## Read abrt retrace server cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_read_cache_retrace',`
++ gen_require(`
++ type abrt_retrace_cache_t;
++ ')
++
++ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
++ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
++ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
++')
++
++########################################
++##
++## Do not audit attempts to write abrt sock files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`abrt_dontaudit_write_sock_file',`
++ gen_require(`
++ type abrt_t;
++ ')
++
++ dontaudit $1 abrt_t:sock_file write;
+ ')
+diff --git a/abrt.te b/abrt.te
+index 30861ec..864d511 100644
+--- a/abrt.te
++++ b/abrt.te
+@@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0)
+ # Declarations
+ #
+
+-type abrt_t;
+-type abrt_exec_t;
++##
++##
++## Allow ABRT to modify public files
++## used for public file transfer services.
++##
++##
++gen_tunable(abrt_anon_write, false)
++
++##
++##
++## Allow ABRT to run in abrt_handle_event_t domain
++## to handle ABRT event scripts
++##
++##
++gen_tunable(abrt_handle_event, false)
++
++attribute abrt_domain;
++
++abrt_basic_types_template(abrt)
+ init_daemon_domain(abrt_t, abrt_exec_t)
+
+ type abrt_initrc_exec_t;
+ init_script_file(abrt_initrc_exec_t)
+
++type abrt_unit_file_t;
++systemd_unit_file(abrt_unit_file_t)
++
+ # etc files
+ type abrt_etc_t;
+ files_config_file(abrt_etc_t)
+@@ -32,10 +52,20 @@ files_type(abrt_var_cache_t)
+ type abrt_var_run_t;
+ files_pid_file(abrt_var_run_t)
+
++abrt_basic_types_template(abrt_dump_oops)
++init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
++
++# type for abrt-handle-event to handle
++# ABRT event scripts
++abrt_basic_types_template(abrt_handle_event)
++application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
++role system_r types abrt_handle_event_t;
++
+ # type needed to allow all domains
+ # to handle /var/cache/abrt
+-type abrt_helper_t;
+-type abrt_helper_exec_t;
++# type needed to allow all domains
++# to handle /var/cache/abrt
++abrt_basic_types_template(abrt_helper)
+ application_domain(abrt_helper_t, abrt_helper_exec_t)
+ role system_r types abrt_helper_t;
+
+@@ -43,14 +73,36 @@ ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+ ')
+
++#
++# Support for ABRT retrace server
++#
++
++abrt_basic_types_template(abrt_retrace_worker)
++application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
++role system_r types abrt_retrace_worker_t;
++
++abrt_basic_types_template(abrt_retrace_coredump)
++application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
++role system_r types abrt_retrace_coredump_t;
++
++type abrt_retrace_cache_t;
++files_type(abrt_retrace_cache_t)
++
++type abrt_retrace_spool_t;
++files_spool_file(abrt_retrace_spool_t)
++
++# Support abrt-watch log
++abrt_basic_types_template(abrt_watch_log)
++init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
++
+ ########################################
+ #
+ # abrt local policy
+ #
+
+-allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
++allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
+ dontaudit abrt_t self:capability sys_rawio;
+-allow abrt_t self:process { signal signull setsched getsched };
++allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
+ allow abrt_t self:fifo_file rw_fifo_file_perms;
+ allow abrt_t self:tcp_socket create_stream_socket_perms;
+@@ -59,6 +111,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+ allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
+
+ # abrt etc files
++list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+ rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+
+ # log file
+@@ -68,7 +121,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+ # abrt tmp files
+ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+ manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
++manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+ files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
++can_exec(abrt_t, abrt_tmp_t)
+
+ # abrt var/cache files
+ manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -82,10 +137,12 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+-files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
++files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
++
++kernel_read_ring_buffer(abrt_t)
++kernel_request_load_module(abrt_t)
+
+ kernel_read_ring_buffer(abrt_t)
+-kernel_read_system_state(abrt_t)
+ kernel_rw_kernel_sysctl(abrt_t)
+
+ corecmd_exec_bin(abrt_t)
+@@ -93,7 +150,6 @@ corecmd_exec_shell(abrt_t)
+ corecmd_read_all_executables(abrt_t)
+
+ corenet_all_recvfrom_netlabel(abrt_t)
+-corenet_all_recvfrom_unlabeled(abrt_t)
+ corenet_tcp_sendrecv_generic_if(abrt_t)
+ corenet_tcp_sendrecv_generic_node(abrt_t)
+ corenet_tcp_sendrecv_generic_port(abrt_t)
+@@ -104,6 +160,8 @@ corenet_tcp_connect_all_ports(abrt_t)
+ corenet_sendrecv_http_client_packets(abrt_t)
+
+ dev_getattr_all_chr_files(abrt_t)
++dev_getattr_all_blk_files(abrt_t)
++dev_read_rand(abrt_t)
+ dev_read_urand(abrt_t)
+ dev_rw_sysfs(abrt_t)
+ dev_dontaudit_read_raw_memory(abrt_t)
+@@ -113,7 +171,8 @@ domain_read_all_domains_state(abrt_t)
+ domain_signull_all_domains(abrt_t)
+
+ files_getattr_all_files(abrt_t)
+-files_read_etc_files(abrt_t)
++files_read_config_files(abrt_t)
++files_read_etc_runtime_files(abrt_t)
+ files_read_var_symlinks(abrt_t)
+ files_read_var_lib_files(abrt_t)
+ files_read_usr_files(abrt_t)
+@@ -121,6 +180,9 @@ files_read_generic_tmp_files(abrt_t)
+ files_read_kernel_modules(abrt_t)
+ files_dontaudit_list_default(abrt_t)
+ files_dontaudit_read_default_files(abrt_t)
++files_dontaudit_read_all_symlinks(abrt_t)
++files_dontaudit_getattr_all_sockets(abrt_t)
++files_list_mnt(abrt_t)
+
+ fs_list_inotifyfs(abrt_t)
+ fs_getattr_all_fs(abrt_t)
+@@ -131,22 +193,37 @@ fs_read_nfs_files(abrt_t)
+ fs_read_nfs_symlinks(abrt_t)
+ fs_search_all(abrt_t)
+
+-sysnet_read_config(abrt_t)
+-
+ logging_read_generic_logs(abrt_t)
+ logging_send_syslog_msg(abrt_t)
+
++auth_use_nsswitch(abrt_t)
++
+ miscfiles_read_generic_certs(abrt_t)
+-miscfiles_read_localization(abrt_t)
++miscfiles_read_public_files(abrt_t)
+
+ userdom_dontaudit_read_user_home_content_files(abrt_t)
++userdom_dontaudit_read_admin_home_files(abrt_t)
++
++tunable_policy(`abrt_anon_write',`
++ miscfiles_manage_public_files(abrt_t)
++')
++
++optional_policy(`
++ apache_list_modules(abrt_t)
++ apache_read_modules(abrt_t)
++')
+
+ optional_policy(`
+ dbus_system_domain(abrt_t, abrt_exec_t)
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(abrt_t)
++ dmesg_domtrans(abrt_t)
++')
++
++optional_policy(`
++ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
++ mozilla_plugin_read_rw_files(abrt_t)
+ ')
+
+ optional_policy(`
+@@ -167,6 +244,7 @@ optional_policy(`
+ rpm_exec(abrt_t)
+ rpm_dontaudit_manage_db(abrt_t)
+ rpm_manage_cache(abrt_t)
++ rpm_manage_log(abrt_t)
+ rpm_manage_pid_files(abrt_t)
+ rpm_read_db(abrt_t)
+ rpm_signull(abrt_t)
+@@ -178,9 +256,36 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ sosreport_domtrans(abrt_t)
++ sosreport_read_tmp_files(abrt_t)
++ sosreport_delete_tmp_files(abrt_t)
++')
++
++optional_policy(`
+ sssd_stream_connect(abrt_t)
+ ')
+
++optional_policy(`
++ xserver_read_log(abrt_t)
++')
++
++#######################################
++#
++# abrt-handle-event local policy
++#
++
++allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
++
++tunable_policy(`abrt_handle_event',`
++ domtrans_pattern(abrt_t, abrt_handle_event_exec_t, abrt_handle_event_t)
++',`
++ can_exec(abrt_t, abrt_handle_event_exec_t)
++')
++
++optional_policy(`
++ unconfined_domain(abrt_handle_event_t)
++')
++
+ ########################################
+ #
+ # abrt--helper local policy
+@@ -200,9 +305,11 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+ read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+
++corecmd_read_all_executables(abrt_helper_t)
++
+ domain_read_all_domains_state(abrt_helper_t)
+
+-files_read_etc_files(abrt_helper_t)
++files_dontaudit_all_non_security_leaks(abrt_helper_t)
+
+ fs_list_inotifyfs(abrt_helper_t)
+ fs_getattr_all_fs(abrt_helper_t)
+@@ -211,12 +318,11 @@ auth_use_nsswitch(abrt_helper_t)
+
+ logging_send_syslog_msg(abrt_helper_t)
+
+-miscfiles_read_localization(abrt_helper_t)
+-
+ term_dontaudit_use_all_ttys(abrt_helper_t)
+ term_dontaudit_use_all_ptys(abrt_helper_t)
+
+-ifdef(`hide_broken_symptoms', `
++ifdef(`hide_broken_symptoms',`
++ domain_dontaudit_leaks(abrt_helper_t)
+ userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
+ userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
+ dev_dontaudit_read_all_blk_files(abrt_helper_t)
+@@ -224,4 +330,149 @@ ifdef(`hide_broken_symptoms', `
+ dev_dontaudit_write_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_blk_files(abrt_helper_t)
+ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
++
++ optional_policy(`
++ rpm_dontaudit_leaks(abrt_helper_t)
++ ')
+ ')
++
++ifdef(`hide_broken_symptoms',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow abrt_t self:capability sys_resource;
++ allow abrt_t domain:file write;
++ allow abrt_t domain:process setrlimit;
++')
++
++#######################################
++#
++# abrt retrace coredump policy
++#
++
++allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
++
++list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
++read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
++read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
++
++list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
++read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
++read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
++
++corecmd_exec_bin(abrt_retrace_coredump_t)
++corecmd_exec_shell(abrt_retrace_coredump_t)
++
++dev_read_urand(abrt_retrace_coredump_t)
++
++files_read_usr_files(abrt_retrace_coredump_t)
++
++logging_send_syslog_msg(abrt_retrace_coredump_t)
++
++sysnet_dns_name_resolve(abrt_retrace_coredump_t)
++
++# to install debuginfo packages
++optional_policy(`
++ rpm_exec(abrt_retrace_coredump_t)
++ rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
++ rpm_manage_cache(abrt_retrace_coredump_t)
++ rpm_manage_log(abrt_retrace_coredump_t)
++ rpm_manage_pid_files(abrt_retrace_coredump_t)
++ rpm_read_db(abrt_retrace_coredump_t)
++ rpm_signull(abrt_retrace_coredump_t)
++')
++
++#######################################
++#
++# abrt retrace worker policy
++#
++
++allow abrt_retrace_worker_t self:capability { setuid };
++
++allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
++
++domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
++allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl;
++
++manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
++manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
++manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
++
++allow abrt_retrace_worker_t abrt_etc_t:file read_file_perms;
++
++can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
++
++corecmd_exec_bin(abrt_retrace_worker_t)
++corecmd_exec_shell(abrt_retrace_worker_t)
++
++dev_read_urand(abrt_retrace_worker_t)
++
++files_read_usr_files(abrt_retrace_worker_t)
++
++logging_send_syslog_msg(abrt_retrace_worker_t)
++
++sysnet_dns_name_resolve(abrt_retrace_worker_t)
++
++optional_policy(`
++ mock_domtrans(abrt_retrace_worker_t)
++')
++
++########################################
++#
++# abrt_dump_oops local policy
++#
++
++allow abrt_dump_oops_t self:capability dac_override;
++allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
++allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
++
++files_search_spool(abrt_dump_oops_t)
++manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
++manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
++manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
++files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
++
++read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
++read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
++
++read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
++
++kernel_read_debugfs(abrt_dump_oops_t)
++kernel_read_kernel_sysctls(abrt_dump_oops_t)
++kernel_read_ring_buffer(abrt_dump_oops_t)
++
++domain_use_interactive_fds(abrt_dump_oops_t)
++
++fs_list_inotifyfs(abrt_dump_oops_t)
++
++logging_read_generic_logs(abrt_dump_oops_t)
++logging_send_syslog_msg(abrt_dump_oops_t)
++
++#######################################
++#
++# abrt_watch_log local policy
++#
++
++allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
++allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
++
++domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
++
++corecmd_exec_bin(abrt_watch_log_t)
++
++logging_read_all_logs(abrt_watch_log_t)
++logging_send_syslog_msg(abrt_watch_log_t)
++
++optional_policy(`
++ unconfined_domain(abrt_watch_log_t)
++')
++
++#######################################
++#
++# Local policy for all abrt domain
++#
++
++files_read_etc_files(abrt_domain)
+diff --git a/accountsd.fc b/accountsd.fc
+index 1adca53..18e0e41 100644
+--- a/accountsd.fc
++++ b/accountsd.fc
+@@ -1,3 +1,5 @@
++/usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0)
++
+ /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+
+ /var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
+diff --git a/accountsd.if b/accountsd.if
+index c0f858d..4a3dab6 100644
+--- a/accountsd.if
++++ b/accountsd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run accountsd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`accountsd_domtrans',`
+@@ -25,7 +25,7 @@ interface(`accountsd_domtrans',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -93,6 +93,7 @@ interface(`accountsd_read_lib_files',`
+ ')
+
+ files_search_var_lib($1)
++ allow $1 accountsd_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+ ')
+
+@@ -118,28 +119,54 @@ interface(`accountsd_manage_lib_files',`
+
+ ########################################
+ ##
+-## All of the rules required to administrate
+-## an accountsd environment
++## Execute accountsd server in the accountsd domain.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allowed to transition.
+ ##
+ ##
+-##
++#
++interface(`accountsd_systemctl',`
++ gen_require(`
++ type accountsd_t;
++ type accountsd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 accountsd_unit_file_t:file read_file_perms;
++ allow $1 accountsd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, accountsd_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an accountsd environment
++##
++##
+ ##
+-## Role allowed access.
++## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`accountsd_admin',`
+ gen_require(`
+ type accountsd_t;
++ type accountsd_unit_file_t;
+ ')
+
+- allow $1 accountsd_t:process { ptrace signal_perms getattr };
++ allow $1 accountsd_t:process signal_perms;
+ ps_process_pattern($1, accountsd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 accountsd_t:process ptrace;
++ ')
++
+ accountsd_manage_lib_files($1)
++
++ accountsd_systemctl($1)
++ admin_pattern($1, accountsd_unit_file_t)
++ allow $1 accountsd_unit_file_t:service all_service_perms;
+ ')
+diff --git a/accountsd.te b/accountsd.te
+index 1632f10..074ebc9 100644
+--- a/accountsd.te
++++ b/accountsd.te
+@@ -1,5 +1,9 @@
+ policy_module(accountsd, 1.0.0)
+
++gen_require(`
++ class passwd { passwd chfn chsh rootok crontab };
++')
++
+ ########################################
+ #
+ # Declarations
+@@ -7,37 +11,48 @@ policy_module(accountsd, 1.0.0)
+
+ type accountsd_t;
+ type accountsd_exec_t;
+-dbus_system_domain(accountsd_t, accountsd_exec_t)
++init_daemon_domain(accountsd_t, accountsd_exec_t)
++role system_r types accountsd_t;
+
+ type accountsd_var_lib_t;
+ files_type(accountsd_var_lib_t)
+
++type accountsd_unit_file_t;
++systemd_unit_file(accountsd_unit_file_t)
++
+ ########################################
+ #
+ # accountsd local policy
+ #
+
+-allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
++allow accountsd_t self:capability { chown dac_override setuid setgid };
++allow accountsd_t self:process signal;
+ allow accountsd_t self:fifo_file rw_fifo_file_perms;
++allow accountsd_t self:passwd { rootok passwd chfn chsh };
+
+ manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+ manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+ files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir })
+
++kernel_read_system_state(accountsd_t)
+ kernel_read_kernel_sysctls(accountsd_t)
+
+ corecmd_exec_bin(accountsd_t)
+
++dev_read_sysfs(accountsd_t)
++
+ files_read_usr_files(accountsd_t)
+ files_read_mnt_files(accountsd_t)
+
+ fs_list_inotifyfs(accountsd_t)
++fs_getattr_xattr_fs(accountsd_t)
+ fs_read_noxattr_fs_files(accountsd_t)
+
+ auth_use_nsswitch(accountsd_t)
+ auth_read_shadow(accountsd_t)
++auth_read_login_records(accountsd_t)
+
+-miscfiles_read_localization(accountsd_t)
++init_dbus_chat(accountsd_t)
+
+ logging_send_syslog_msg(accountsd_t)
+ logging_set_loginuid(accountsd_t)
+@@ -50,8 +65,20 @@ usermanage_domtrans_passwd(accountsd_t)
+
+ optional_policy(`
+ consolekit_read_log(accountsd_t)
++ consolekit_dbus_chat(accountsd_t)
++')
++
++optional_policy(`
++ dbus_system_domain(accountsd_t, accountsd_exec_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(accountsd_t)
+ ')
++
++optional_policy(`
++ xserver_read_xdm_tmp_files(accountsd_t)
++ xserver_read_state_xdm(accountsd_t)
++ xserver_dbus_chat_xdm(accountsd_t)
++ xserver_manage_xdm_etc_files(accountsd_t)
++')
+diff --git a/acct.if b/acct.if
+index e66c296..993a1e9 100644
+--- a/acct.if
++++ b/acct.if
+@@ -78,3 +78,21 @@ interface(`acct_manage_data',`
+ manage_files_pattern($1, acct_data_t, acct_data_t)
+ manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
+ ')
++
++########################################
++##
++## Dontaudit Attempts to list acct_data directory
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`acct_dontaudit_list_data',`
++ gen_require(`
++ type acct_data_t;
++ ')
++
++ dontaudit $1 acct_data_t:dir list_dir_perms;
++')
+diff --git a/acct.te b/acct.te
+index 63ef90e..31f524e 100644
+--- a/acct.te
++++ b/acct.te
+@@ -49,20 +49,19 @@ corecmd_exec_shell(acct_t)
+
+ domain_use_interactive_fds(acct_t)
+
+-files_read_etc_files(acct_t)
+ files_read_etc_runtime_files(acct_t)
+ files_list_usr(acct_t)
+ # for nscd
+ files_dontaudit_search_pids(acct_t)
+
++auth_use_nsswitch(acct_t)
++
+ init_use_fds(acct_t)
+ init_use_script_ptys(acct_t)
+ init_exec_script_files(acct_t)
+
+ logging_send_syslog_msg(acct_t)
+
+-miscfiles_read_localization(acct_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(acct_t)
+ userdom_dontaudit_search_user_home_dirs(acct_t)
+
+diff --git a/ada.te b/ada.te
+index 39c75fb..057d8b1 100644
+--- a/ada.te
++++ b/ada.te
+@@ -17,7 +17,7 @@ role system_r types ada_t;
+
+ allow ada_t self:process { execstack execmem };
+
+-userdom_use_user_terminals(ada_t)
++userdom_use_inherited_user_terminals(ada_t)
+
+ optional_policy(`
+ unconfined_domain(ada_t)
+diff --git a/afs.if b/afs.if
+index 8559cdc..641044e 100644
+--- a/afs.if
++++ b/afs.if
+@@ -97,8 +97,12 @@ interface(`afs_admin',`
+ type afs_t, afs_initrc_exec_t;
+ ')
+
+- allow $1 afs_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, afs_t, afs_t)
++ allow $1 afs_t:process signal_perms;
++ ps_process_pattern($1, afs_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 afs_t:process ptrace;
++ ')
+
+ # Allow afs_admin to restart the afs service
+ afs_initrc_domtrans($1)
+diff --git a/afs.te b/afs.te
+index a496fde..8170a8c 100644
+--- a/afs.te
++++ b/afs.te
+@@ -71,6 +71,7 @@ role system_r types afs_vlserver_t;
+ #
+
+ allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
++dontaudit afs_t self:capability dac_override;
+ allow afs_t self:process { setsched signal };
+ allow afs_t self:udp_socket create_socket_perms;
+ allow afs_t self:fifo_file rw_file_perms;
+@@ -82,7 +83,6 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
+
+ kernel_rw_afs_state(afs_t)
+
+-corenet_all_recvfrom_unlabeled(afs_t)
+ corenet_all_recvfrom_netlabel(afs_t)
+ corenet_tcp_sendrecv_generic_if(afs_t)
+ corenet_udp_sendrecv_generic_if(afs_t)
+@@ -103,10 +103,12 @@ fs_read_nfs_symlinks(afs_t)
+
+ logging_send_syslog_msg(afs_t)
+
+-miscfiles_read_localization(afs_t)
+-
+ sysnet_dns_name_resolve(afs_t)
+
++ifdef(`hide_broken_symptoms',`
++ kernel_rw_unlabeled_files(afs_t)
++')
++
+ ########################################
+ #
+ # AFS bossserver local policy
+@@ -140,7 +142,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
+
+ kernel_read_kernel_sysctls(afs_bosserver_t)
+
+-corenet_all_recvfrom_unlabeled(afs_bosserver_t)
+ corenet_all_recvfrom_netlabel(afs_bosserver_t)
+ corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
+ corenet_udp_sendrecv_generic_if(afs_bosserver_t)
+@@ -156,7 +157,6 @@ files_read_etc_files(afs_bosserver_t)
+ files_list_home(afs_bosserver_t)
+ files_read_usr_files(afs_bosserver_t)
+
+-miscfiles_read_localization(afs_bosserver_t)
+
+ seutil_read_config(afs_bosserver_t)
+
+@@ -202,7 +202,6 @@ corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
+ corenet_udp_sendrecv_generic_node(afs_fsserver_t)
+ corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
+ corenet_udp_sendrecv_all_ports(afs_fsserver_t)
+-corenet_all_recvfrom_unlabeled(afs_fsserver_t)
+ corenet_all_recvfrom_netlabel(afs_fsserver_t)
+ corenet_tcp_bind_generic_node(afs_fsserver_t)
+ corenet_udp_bind_generic_node(afs_fsserver_t)
+@@ -225,8 +224,6 @@ init_dontaudit_use_script_fds(afs_fsserver_t)
+
+ logging_send_syslog_msg(afs_fsserver_t)
+
+-miscfiles_read_localization(afs_fsserver_t)
+-
+ seutil_read_config(afs_fsserver_t)
+
+ sysnet_read_config(afs_fsserver_t)
+@@ -252,7 +249,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
+
+ kernel_read_kernel_sysctls(afs_kaserver_t)
+
+-corenet_all_recvfrom_unlabeled(afs_kaserver_t)
+ corenet_all_recvfrom_netlabel(afs_kaserver_t)
+ corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
+ corenet_udp_sendrecv_generic_if(afs_kaserver_t)
+@@ -270,7 +266,6 @@ files_read_etc_files(afs_kaserver_t)
+ files_list_home(afs_kaserver_t)
+ files_read_usr_files(afs_kaserver_t)
+
+-miscfiles_read_localization(afs_kaserver_t)
+
+ seutil_read_config(afs_kaserver_t)
+
+@@ -296,7 +291,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+ manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
+ filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
+
+-corenet_all_recvfrom_unlabeled(afs_ptserver_t)
+ corenet_all_recvfrom_netlabel(afs_ptserver_t)
+ corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
+ corenet_udp_sendrecv_generic_if(afs_ptserver_t)
+@@ -310,7 +304,6 @@ corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
+
+ files_read_etc_files(afs_ptserver_t)
+
+-miscfiles_read_localization(afs_ptserver_t)
+
+ sysnet_read_config(afs_ptserver_t)
+
+@@ -334,7 +327,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+ manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
+ filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
+
+-corenet_all_recvfrom_unlabeled(afs_vlserver_t)
+ corenet_all_recvfrom_netlabel(afs_vlserver_t)
+ corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
+ corenet_udp_sendrecv_generic_if(afs_vlserver_t)
+@@ -348,7 +340,6 @@ corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
+
+ files_read_etc_files(afs_vlserver_t)
+
+-miscfiles_read_localization(afs_vlserver_t)
+
+ sysnet_read_config(afs_vlserver_t)
+
+diff --git a/aiccu.if b/aiccu.if
+index 184c9a8..8f77bf5 100644
+--- a/aiccu.if
++++ b/aiccu.if
+@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
+ type aiccu_var_run_t;
+ ')
+
+- allow $1 aiccu_t:process { ptrace signal_perms };
++ allow $1 aiccu_t:process signal_perms;
+ ps_process_pattern($1, aiccu_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 aiccu_t:process ptrace;
++ ')
++
+ aiccu_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 aiccu_initrc_exec_t system_r;
+diff --git a/aiccu.te b/aiccu.te
+index 6d685ba..5a3021d 100644
+--- a/aiccu.te
++++ b/aiccu.te
+@@ -44,10 +44,11 @@ kernel_read_system_state(aiccu_t)
+ corecmd_exec_shell(aiccu_t)
+
+ corenet_all_recvfrom_netlabel(aiccu_t)
+-corenet_all_recvfrom_unlabeled(aiccu_t)
++corenet_tcp_bind_generic_node(aiccu_t)
+ corenet_tcp_sendrecv_generic_if(aiccu_t)
+ corenet_tcp_sendrecv_generic_node(aiccu_t)
+ corenet_tcp_sendrecv_generic_port(aiccu_t)
++corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
+ corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
+ corenet_tcp_bind_generic_node(aiccu_t)
+ corenet_tcp_connect_sixxsconfig_port(aiccu_t)
+@@ -62,9 +63,9 @@ dev_read_urand(aiccu_t)
+
+ files_read_etc_files(aiccu_t)
+
+-logging_send_syslog_msg(aiccu_t)
++auth_read_passwd(aiccu_t)
+
+-miscfiles_read_localization(aiccu_t)
++logging_send_syslog_msg(aiccu_t)
+
+ optional_policy(`
+ modutils_domtrans_insmod(aiccu_t)
+diff --git a/aide.fc b/aide.fc
+index 7798464..62ccdc6 100644
+--- a/aide.fc
++++ b/aide.fc
+@@ -3,4 +3,4 @@
+ /var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
+
+ /var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+-/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
++/var/log/aide\.log.* -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+diff --git a/aide.if b/aide.if
+index 838d25b..33981e0 100644
+--- a/aide.if
++++ b/aide.if
+@@ -60,9 +60,13 @@ interface(`aide_admin',`
+ type aide_t, aide_db_t, aide_log_t;
+ ')
+
+- allow $1 aide_t:process { ptrace signal_perms };
++ allow $1 aide_t:process signal_perms;
+ ps_process_pattern($1, aide_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 aide_t:process ptrace;
++ ')
++
+ files_list_etc($1)
+ admin_pattern($1, aide_db_t)
+
+diff --git a/aide.te b/aide.te
+index 2509dd2..88d5615 100644
+--- a/aide.te
++++ b/aide.te
+@@ -8,6 +8,7 @@ policy_module(aide, 1.6.0)
+ type aide_t;
+ type aide_exec_t;
+ application_domain(aide_t, aide_exec_t)
++cron_system_entry(aide_t, aide_exec_t)
+
+ # log files
+ type aide_log_t;
+@@ -32,6 +33,13 @@ manage_files_pattern(aide_t, aide_log_t, aide_log_t)
+ logging_log_filetrans(aide_t, aide_log_t, file)
+
+ files_read_all_files(aide_t)
++files_read_boot_symlinks(aide_t)
++files_read_all_symlinks(aide_t)
++files_getattr_all_pipes(aide_t)
++files_getattr_all_sockets(aide_t)
++
++mls_file_read_to_clearance(aide_t)
++mls_file_write_to_clearance(aide_t)
+
+ logging_send_audit_msgs(aide_t)
+ # AIDE can be configured to log to syslog
+@@ -39,4 +47,4 @@ logging_send_syslog_msg(aide_t)
+
+ seutil_use_newrole_fds(aide_t)
+
+-userdom_use_user_terminals(aide_t)
++userdom_use_inherited_user_terminals(aide_t)
+diff --git a/aisexec.fc b/aisexec.fc
+index 7b4f4b9..9c2daa5 100644
+--- a/aisexec.fc
++++ b/aisexec.fc
+@@ -4,6 +4,6 @@
+
+ /var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0)
+
+-/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
++/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
+
+ /var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
+diff --git a/aisexec.if b/aisexec.if
+index 0370dba..c2d68a4 100644
+--- a/aisexec.if
++++ b/aisexec.if
+@@ -82,9 +82,13 @@ interface(`aisexecd_admin',`
+ type aisexec_initrc_exec_t;
+ ')
+
+- allow $1 aisexec_t:process { ptrace signal_perms };
++ allow $1 aisexec_t:process signal_perms;
+ ps_process_pattern($1, aisexec_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 aisexec_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 aisexec_initrc_exec_t system_r;
+diff --git a/aisexec.te b/aisexec.te
+index 50b9b48..bd0ccb4 100644
+--- a/aisexec.te
++++ b/aisexec.te
+@@ -64,6 +64,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
+ kernel_read_system_state(aisexec_t)
+
+ corecmd_exec_bin(aisexec_t)
++corecmd_exec_shell(aisexec_t)
+
+ corenet_udp_bind_netsupport_port(aisexec_t)
+ corenet_tcp_bind_reserved_port(aisexec_t)
+@@ -79,8 +80,6 @@ init_rw_script_tmp_files(aisexec_t)
+
+ logging_send_syslog_msg(aisexec_t)
+
+-miscfiles_read_localization(aisexec_t)
+-
+ userdom_rw_unpriv_user_semaphores(aisexec_t)
+ userdom_rw_unpriv_user_shared_mem(aisexec_t)
+
+@@ -89,6 +88,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ corosync_domtrans(aisexec_t)
++')
++
++optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_dlm_controld_semaphores(aisexec_t)
+
+diff --git a/ajaxterm.fc b/ajaxterm.fc
+new file mode 100644
+index 0000000..aeb1888
+--- /dev/null
++++ b/ajaxterm.fc
+@@ -0,0 +1,6 @@
++
++/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
++
++/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0)
++
++/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
+diff --git a/ajaxterm.if b/ajaxterm.if
+new file mode 100644
+index 0000000..7abe946
+--- /dev/null
++++ b/ajaxterm.if
+@@ -0,0 +1,90 @@
++## policy for ajaxterm
++
++########################################
++##
++## Execute a domain transition to run ajaxterm.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ajaxterm_domtrans',`
++ gen_require(`
++ type ajaxterm_t, ajaxterm_exec_t;
++ ')
++
++ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
++')
++
++########################################
++##
++## Execute ajaxterm server in the ajaxterm domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ajaxterm_initrc_domtrans',`
++ gen_require(`
++ type ajaxterm_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
++')
++
++#######################################
++##
++## Read and write the ajaxterm pty type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ajaxterm_rw_ptys',`
++ gen_require(`
++ type ajaxterm_devpts_t;
++ ')
++
++ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an ajaxterm environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`ajaxterm_admin',`
++ gen_require(`
++ type ajaxterm_t, ajaxterm_initrc_exec_t;
++ ')
++
++ allow $1 ajaxterm_t:process signal_perms;
++ ps_process_pattern($1, ajaxterm_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ajaxterm_t:process ptrace;
++ ')
++
++ ajaxterm_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 ajaxterm_initrc_exec_t system_r;
++ allow $2 system_r;
++')
+diff --git a/ajaxterm.te b/ajaxterm.te
+new file mode 100644
+index 0000000..8ba128b
+--- /dev/null
++++ b/ajaxterm.te
+@@ -0,0 +1,62 @@
++policy_module(ajaxterm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ajaxterm_t;
++type ajaxterm_exec_t;
++init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
++
++type ajaxterm_initrc_exec_t;
++init_script_file(ajaxterm_initrc_exec_t)
++
++type ajaxterm_var_run_t;
++files_pid_file(ajaxterm_var_run_t)
++
++type ajaxterm_devpts_t;
++term_login_pty(ajaxterm_devpts_t)
++
++########################################
++#
++# ajaxterm local policy
++#
++allow ajaxterm_t self:capability setuid;
++allow ajaxterm_t self:process { setpgid signal };
++allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
++allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
++allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
++
++allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
++term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
++
++manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
++manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
++files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
++
++kernel_read_system_state(ajaxterm_t)
++
++corecmd_exec_bin(ajaxterm_t)
++
++corenet_tcp_bind_generic_node(ajaxterm_t)
++corenet_tcp_bind_ajaxterm_port(ajaxterm_t)
++
++dev_read_urand(ajaxterm_t)
++
++domain_use_interactive_fds(ajaxterm_t)
++
++files_read_etc_files(ajaxterm_t)
++files_read_usr_files(ajaxterm_t)
++
++sysnet_dns_name_resolve(ajaxterm_t)
++
++#######################################
++#
++# SSH component local policy
++#
++
++optional_policy(`
++ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
++')
++
+diff --git a/alsa.fc b/alsa.fc
+index d362d9c..230a2f6 100644
+--- a/alsa.fc
++++ b/alsa.fc
+@@ -11,10 +11,14 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
+ /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+ /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
++/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+ /usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
++/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+ /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+ /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+ /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
++
++/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
+diff --git a/alsa.if b/alsa.if
+index 1392679..64e685f 100644
+--- a/alsa.if
++++ b/alsa.if
+@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',`
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file manage_file_perms;
++ alsa_filetrans_home_content($1)
+ ')
+
+ ########################################
+@@ -206,3 +207,69 @@ interface(`alsa_read_lib',`
+ files_search_var_lib($1)
+ read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
++
++########################################
++##
++## Transition to alsa named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`alsa_filetrans_home_content',`
++ gen_require(`
++ type alsa_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
++')
++
++########################################
++##
++## Transition to alsa named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`alsa_filetrans_named_content',`
++ gen_require(`
++ type alsa_home_t;
++ type alsa_etc_rw_t;
++ type alsa_var_lib_t;
++ ')
++
++ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
++ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
++ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
++ files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
++ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
++ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
++')
++
++########################################
++##
++## Execute alsa server in the alsa domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`alsa_systemctl',`
++ gen_require(`
++ type alsa_t;
++ type alsa_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 alsa_unit_file_t:file read_file_perms;
++ allow $1 alsa_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, alsa_t)
++')
+diff --git a/alsa.te b/alsa.te
+index dc1b088..33678e4 100644
+--- a/alsa.te
++++ b/alsa.te
+@@ -22,6 +22,9 @@ files_type(alsa_var_lib_t)
+ type alsa_home_t;
+ userdom_user_home_content(alsa_home_t)
+
++type alsa_unit_file_t;
++systemd_unit_file(alsa_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -59,7 +62,6 @@ dev_read_sysfs(alsa_t)
+
+ corecmd_exec_bin(alsa_t)
+
+-files_read_etc_files(alsa_t)
+ files_read_usr_files(alsa_t)
+
+ term_dontaudit_use_console(alsa_t)
+@@ -72,8 +74,6 @@ init_use_fds(alsa_t)
+
+ logging_send_syslog_msg(alsa_t)
+
+-miscfiles_read_localization(alsa_t)
+-
+ userdom_manage_unpriv_user_semaphores(alsa_t)
+ userdom_manage_unpriv_user_shared_mem(alsa_t)
+ userdom_search_user_home_dirs(alsa_t)
+diff --git a/amanda.te b/amanda.te
+index d8b5abe..a4f5d3a 100644
+--- a/amanda.te
++++ b/amanda.te
+@@ -58,7 +58,7 @@ optional_policy(`
+ #
+
+ allow amanda_t self:capability { chown dac_override setuid kill };
+-allow amanda_t self:process { setpgid signal };
++allow amanda_t self:process { getsched setsched setpgid signal };
+ allow amanda_t self:fifo_file rw_fifo_file_perms;
+ allow amanda_t self:unix_stream_socket create_stream_socket_perms;
+ allow amanda_t self:unix_dgram_socket create_socket_perms;
+@@ -71,6 +71,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
+
+ manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
+ manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
++manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+ filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
+
+ allow amanda_t amanda_dumpdates_t:file rw_file_perms;
+@@ -101,7 +102,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+ corecmd_exec_shell(amanda_t)
+ corecmd_exec_bin(amanda_t)
+
+-corenet_all_recvfrom_unlabeled(amanda_t)
+ corenet_all_recvfrom_netlabel(amanda_t)
+ corenet_tcp_sendrecv_generic_if(amanda_t)
+ corenet_udp_sendrecv_generic_if(amanda_t)
+@@ -120,7 +120,6 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+ dev_getattr_all_blk_files(amanda_t)
+ dev_getattr_all_chr_files(amanda_t)
+
+-files_read_etc_files(amanda_t)
+ files_read_etc_runtime_files(amanda_t)
+ files_list_all(amanda_t)
+ files_read_all_files(amanda_t)
+@@ -177,7 +176,6 @@ kernel_read_kernel_sysctls(amanda_recover_t)
+ corecmd_exec_shell(amanda_recover_t)
+ corecmd_exec_bin(amanda_recover_t)
+
+-corenet_all_recvfrom_unlabeled(amanda_recover_t)
+ corenet_all_recvfrom_netlabel(amanda_recover_t)
+ corenet_tcp_sendrecv_generic_if(amanda_recover_t)
+ corenet_udp_sendrecv_generic_if(amanda_recover_t)
+@@ -193,7 +191,6 @@ corenet_sendrecv_amanda_client_packets(amanda_recover_t)
+
+ domain_use_interactive_fds(amanda_recover_t)
+
+-files_read_etc_files(amanda_recover_t)
+ files_read_etc_runtime_files(amanda_recover_t)
+ files_search_tmp(amanda_recover_t)
+ files_search_pids(amanda_recover_t)
+@@ -205,7 +202,11 @@ fstools_signal(amanda_t)
+
+ logging_search_logs(amanda_recover_t)
+
+-miscfiles_read_localization(amanda_recover_t)
+
+-userdom_use_user_terminals(amanda_recover_t)
++userdom_use_inherited_user_terminals(amanda_recover_t)
+ userdom_search_user_home_content(amanda_recover_t)
++
++optional_policy(`
++ fstools_domtrans(amanda_t)
++ fstools_signal(amanda_t)
++')
+diff --git a/amavis.fc b/amavis.fc
+index 446ee16..2346f65 100644
+--- a/amavis.fc
++++ b/amavis.fc
+@@ -2,6 +2,7 @@
+ /etc/amavis(d)?\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0)
+ /etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0)
+ /etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+
+ /usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
+ /usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
+@@ -12,7 +13,7 @@ ifdef(`distro_debian',`
+
+ /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+ /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+-/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
++/var/log/amavisd\.log.* -- gen_context(system_u:object_r:amavis_var_log_t,s0)
+ /var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
+ /var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
+ /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
+diff --git a/amavis.if b/amavis.if
+index e31d92a..5cb091a 100644
+--- a/amavis.if
++++ b/amavis.if
+@@ -57,6 +57,7 @@ interface(`amavis_read_spool_files',`
+
+ files_search_spool($1)
+ read_files_pattern($1, amavis_spool_t, amavis_spool_t)
++ allow $1 amavis_spool_t:dir list_dir_perms;
+ ')
+
+ ########################################
+@@ -150,6 +151,26 @@ interface(`amavis_read_lib_files',`
+
+ ########################################
+ ##
++## Read and write amavis lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`amavis_rw_lib_files',`
++ gen_require(`
++ type amavis_var_lib_t;
++ ')
++
++ rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
++ allow $1 amavis_var_lib_t:dir list_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
+ ## Create, read, write, and delete
+ ## amavis lib files.
+ ##
+@@ -202,6 +223,7 @@ interface(`amavis_create_pid_files',`
+ type amavis_var_run_t;
+ ')
+
++ allow $1 amavis_var_run_t:dir rw_dir_perms;
+ allow $1 amavis_var_run_t:file create_file_perms;
+ files_search_pids($1)
+ ')
+@@ -231,9 +253,13 @@ interface(`amavis_admin',`
+ type amavis_initrc_exec_t;
+ ')
+
+- allow $1 amavis_t:process { ptrace signal_perms };
++ allow $1 amavis_t:process signal_perms;
+ ps_process_pattern($1, amavis_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 amavis_t:process ptrace;
++ ')
++
+ amavis_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 amavis_initrc_exec_t system_r;
+diff --git a/amavis.te b/amavis.te
+index 505309b..58c37b3 100644
+--- a/amavis.te
++++ b/amavis.te
+@@ -5,6 +5,13 @@ policy_module(amavis, 1.14.0)
+ # Declarations
+ #
+
++##
++##
++## Allow amavis to use JIT compiler
++##
++##
++gen_tunable(amavis_use_jit, false)
++
+ type amavis_t;
+ type amavis_exec_t;
+ domain_type(amavis_t)
+@@ -38,7 +45,7 @@ type amavis_quarantine_t;
+ files_type(amavis_quarantine_t)
+
+ type amavis_spool_t;
+-files_type(amavis_spool_t)
++files_spool_file(amavis_spool_t)
+
+ ########################################
+ #
+@@ -49,7 +56,7 @@ allow amavis_t self:capability { kill chown dac_override setgid setuid };
+ dontaudit amavis_t self:capability sys_tty_config;
+ allow amavis_t self:process { signal sigchld sigkill signull };
+ allow amavis_t self:fifo_file rw_fifo_file_perms;
+-allow amavis_t self:unix_stream_socket create_stream_socket_perms;
++allow amavis_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow amavis_t self:unix_dgram_socket create_socket_perms;
+ allow amavis_t self:tcp_socket { listen accept };
+ allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -75,9 +82,11 @@ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+ files_search_spool(amavis_t)
+
+ # tmp files
++manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+ manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
++manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+ allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
+-files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
++files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )
+
+ # var/lib files for amavis
+ manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+@@ -98,16 +107,15 @@ manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+ files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file })
+
+ kernel_read_kernel_sysctls(amavis_t)
++kernel_read_system_state(amavis_t)
+ # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
+ kernel_dontaudit_list_proc(amavis_t)
+ kernel_dontaudit_read_proc_symlinks(amavis_t)
+-kernel_dontaudit_read_system_state(amavis_t)
+
+ # find perl
+ corecmd_exec_bin(amavis_t)
+ corecmd_exec_shell(amavis_t)
+
+-corenet_all_recvfrom_unlabeled(amavis_t)
+ corenet_all_recvfrom_netlabel(amavis_t)
+ corenet_tcp_sendrecv_generic_if(amavis_t)
+ corenet_tcp_sendrecv_generic_node(amavis_t)
+@@ -125,20 +133,24 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t)
+ corenet_udp_bind_generic_port(amavis_t)
+ corenet_dontaudit_udp_bind_all_ports(amavis_t)
+ corenet_tcp_connect_razor_port(amavis_t)
++corenet_tcp_connect_agentx_port(amavis_t)
+
+ dev_read_rand(amavis_t)
+ dev_read_urand(amavis_t)
++dev_read_sysfs(amavis_t)
+
+ domain_use_interactive_fds(amavis_t)
++domain_dontaudit_read_all_domains_state(amavis_t)
+
+-files_read_etc_files(amavis_t)
+ files_read_etc_runtime_files(amavis_t)
+ files_read_usr_files(amavis_t)
+
+ fs_getattr_xattr_fs(amavis_t)
+
++auth_use_nsswitch(amavis_t)
+ auth_dontaudit_read_shadow(amavis_t)
+
++init_read_state(amavis_t)
+ # uses uptime which reads utmp - redhat bug 561383
+ init_read_utmp(amavis_t)
+ init_stream_connect_script(amavis_t)
+@@ -146,23 +158,32 @@ init_stream_connect_script(amavis_t)
+ logging_send_syslog_msg(amavis_t)
+
+ miscfiles_read_generic_certs(amavis_t)
+-miscfiles_read_localization(amavis_t)
+
+-sysnet_dns_name_resolve(amavis_t)
+ sysnet_use_ldap(amavis_t)
+
+ userdom_dontaudit_search_user_home_dirs(amavis_t)
+
+-# Cron handling
+-cron_use_fds(amavis_t)
+-cron_use_system_job_fds(amavis_t)
+-cron_rw_pipes(amavis_t)
++tunable_policy(`amavis_use_jit',`
++ allow amavis_t self:process execmem;
++',`
++ dontaudit amavis_t self:process execmem;
++')
+
+-mta_read_config(amavis_t)
++optional_policy(`
++ antivirus_domain_template(amavis_t)
++')
+
+ optional_policy(`
+ clamav_stream_connect(amavis_t)
+ clamav_domtrans_clamscan(amavis_t)
++ clamav_read_state_clamd(amavis_t)
++')
++
++optional_policy(`
++ #Cron handling
++ cron_use_fds(amavis_t)
++ cron_use_system_job_fds(amavis_t)
++ cron_rw_pipes(amavis_t)
+ ')
+
+ optional_policy(`
+@@ -171,11 +192,16 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mta_read_config(amavis_t)
++')
++
++optional_policy(`
+ nslcd_stream_connect(amavis_t)
+ ')
+
+ optional_policy(`
+ postfix_read_config(amavis_t)
++ postfix_list_spool(amavis_t)
+ ')
+
+ optional_policy(`
+@@ -188,6 +214,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ snmp_manage_var_lib_files(amavis_t)
++ snmp_manage_var_lib_dirs(amavis_t)
++ snmp_stream_connect(amavis_t)
++')
++
++optional_policy(`
+ spamassassin_exec(amavis_t)
+ spamassassin_exec_client(amavis_t)
+ spamassassin_read_lib_files(amavis_t)
+diff --git a/amtu.te b/amtu.te
+index 057abb0..c75e9e9 100644
+--- a/amtu.te
++++ b/amtu.te
+@@ -23,7 +23,7 @@ files_read_etc_files(amtu_t)
+
+ logging_send_audit_msgs(amtu_t)
+
+-userdom_use_user_terminals(amtu_t)
++userdom_use_inherited_user_terminals(amtu_t)
+
+ optional_policy(`
+ nscd_dontaudit_search_pid(amtu_t)
+diff --git a/anaconda.te b/anaconda.te
+index e81bdbd..e3a396b 100644
+--- a/anaconda.te
++++ b/anaconda.te
+@@ -1,5 +1,9 @@
+ policy_module(anaconda, 1.6.0)
+
++gen_require(`
++ class passwd { passwd chfn chsh rootok crontab };
++')
++
+ ########################################
+ #
+ # Declarations
+@@ -17,27 +21,23 @@ role system_r types anaconda_t;
+ #
+
+ allow anaconda_t self:process execmem;
++allow anaconda_t self:passwd { rootok passwd chfn chsh };
+
+ kernel_domtrans_to(anaconda_t, anaconda_exec_t)
+
+ init_domtrans_script(anaconda_t)
+
+-libs_domtrans_ldconfig(anaconda_t)
+-
+ logging_send_syslog_msg(anaconda_t)
+
+ modutils_domtrans_insmod(anaconda_t)
+ modutils_domtrans_depmod(anaconda_t)
+
+ seutil_domtrans_semanage(anaconda_t)
++seutil_domtrans_setsebool(anaconda_t)
+
+ userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+
+ optional_policy(`
+- kudzu_domtrans(anaconda_t)
+-')
+-
+-optional_policy(`
+ rpm_domtrans(anaconda_t)
+ rpm_domtrans_script(anaconda_t)
+ ')
+@@ -51,9 +51,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- unconfined_domain(anaconda_t)
++ unconfined_domain_noaudit(anaconda_t)
+ ')
+
+-optional_policy(`
+- usermanage_domtrans_admin_passwd(anaconda_t)
+-')
+diff --git a/antivirus.fc b/antivirus.fc
+new file mode 100644
+index 0000000..e9a09f0
+--- /dev/null
++++ b/antivirus.fc
+@@ -0,0 +1 @@
++/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
+diff --git a/antivirus.if b/antivirus.if
+new file mode 100644
+index 0000000..fe0cdf0
+--- /dev/null
++++ b/antivirus.if
+@@ -0,0 +1,20 @@
++## SELinux policy for antivirus programs.
++
++######################################
++##
++## Creates types and rules for a basic
++## antivirus domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++interface(`antivirus_domain_template',`
++ gen_require(`
++ attribute antivirus_domain;
++ ')
++
++ typeattribute $1 antivirus_domain;
++')
+diff --git a/antivirus.te b/antivirus.te
+new file mode 100644
+index 0000000..feabdf3
+--- /dev/null
++++ b/antivirus.te
+@@ -0,0 +1,36 @@
++policy_module(antivirus, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##
++## Allow antivirus programs to read non security files on a system
++##
++##
++gen_tunable(antivirus_can_scan_system, false)
++
++attribute antivirus_domain;
++
++type antivirus_db_t;
++files_type(antivirus_db_t)
++
++########################################
++#
++# antivirus domain local policy
++#
++
++manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
++manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
++
++optional_policy(`
++ amavis_manage_spool_files(antivirus_domain)
++')
++
++tunable_policy(`antivirus_can_scan_system',`
++ files_read_non_security_files(antivirus_domain)
++ files_getattr_all_pipes(antivirus_domain)
++ files_getattr_all_sockets(antivirus_domain)
++')
+diff --git a/apache.fc b/apache.fc
+index fd9fa07..cca43af 100644
+--- a/apache.fc
++++ b/apache.fc
+@@ -1,20 +1,37 @@
+ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
++HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
++HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
++HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
+
+ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/owncloud/config\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+ /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+ /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
++/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+ /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+
+ /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++
++/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+
+ /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+@@ -22,20 +39,25 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+ /usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+ /usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
++/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
++
+ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
++/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
++/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+
+ /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+ /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+
+@@ -43,8 +65,9 @@ ifdef(`distro_suse', `
+ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ ')
+
+-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++
+ /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+@@ -54,9 +77,13 @@ ifdef(`distro_suse', `
+ /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+ /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+ /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+@@ -73,31 +100,50 @@ ifdef(`distro_suse', `
+ /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
+
+ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+ /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+ /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
++/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+ /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-
++/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ ifdef(`distro_debian', `
+ /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+ ')
+
++/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++
+ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+
+ /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+@@ -109,3 +155,34 @@ ifdef(`distro_debian', `
+ /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++
++/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++
++/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++
++/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/www/openshift/console/tmp(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
++/var/www/openshift/console/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++
++/var/www/openshift/broker/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/openshift/console/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/openshift/broker/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/www/openshift/console/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++
++/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++
++/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++
++/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+diff --git a/apache.if b/apache.if
+index 6480167..7b2ad39 100644
+--- a/apache.if
++++ b/apache.if
+@@ -13,68 +13,55 @@
+ #
+ template(`apache_content_template',`
+ gen_require(`
+- attribute httpdcontent;
+- attribute httpd_exec_scripts;
+- attribute httpd_script_exec_type;
++ attribute httpd_exec_scripts, httpd_script_exec_type;
+ type httpd_t, httpd_suexec_t, httpd_log_t;
++ type httpd_sys_content_t;
++ attribute httpd_script_type, httpd_content_type;
+ ')
+- # allow write access to public file transfer
+- # services files.
+- gen_tunable(allow_httpd_$1_script_anon_write, false)
+
+ #This type is for webpages
+- type httpd_$1_content_t, httpdcontent; # customizable
++ type httpd_$1_content_t; # customizable;
++ typeattribute httpd_$1_content_t httpd_content_type;
+ typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
+ files_type(httpd_$1_content_t)
+
+ # This type is used for .htaccess files
+- type httpd_$1_htaccess_t; # customizable;
++ type httpd_$1_htaccess_t, httpd_content_type; # customizable;
++ typeattribute httpd_$1_htaccess_t httpd_content_type;
+ files_type(httpd_$1_htaccess_t)
+
+ # Type that CGI scripts run as
+- type httpd_$1_script_t;
++ type httpd_$1_script_t, httpd_script_type;
+ domain_type(httpd_$1_script_t)
+ role system_r types httpd_$1_script_t;
+
++ kernel_read_system_state(httpd_$1_script_t)
++
+ # This type is used for executable scripts files
+ type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+- corecmd_shell_entry_type(httpd_$1_script_t)
++ typeattribute httpd_$1_script_exec_t httpd_content_type;
+ domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
+
+- type httpd_$1_rw_content_t, httpdcontent; # customizable
++ type httpd_$1_rw_content_t; # customizable
++ typeattribute httpd_$1_rw_content_t httpd_content_type;
+ typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
+ files_type(httpd_$1_rw_content_t)
+
+- type httpd_$1_ra_content_t, httpdcontent; # customizable
++ type httpd_$1_ra_content_t, httpd_content_type; # customizable
++ typeattribute httpd_$1_ra_content_t httpd_content_type;
+ typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
+ files_type(httpd_$1_ra_content_t)
+
+- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
+-
+- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+-
+- allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+-
+- allow httpd_$1_script_t self:fifo_file rw_file_perms;
+- allow httpd_$1_script_t self:unix_stream_socket connectto;
+-
+- allow httpd_$1_script_t httpd_t:fifo_file write;
+- # apache should set close-on-exec
+- dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+-
+ # Allow the script process to search the cgi directory, and users directory
+ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
+
+- append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
+- logging_search_logs(httpd_$1_script_t)
+-
+ can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
+
+ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+
+ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
+@@ -86,40 +73,6 @@ template(`apache_content_template',`
+ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
+-
+- kernel_dontaudit_search_sysctl(httpd_$1_script_t)
+- kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
+-
+- dev_read_rand(httpd_$1_script_t)
+- dev_read_urand(httpd_$1_script_t)
+-
+- corecmd_exec_all_executables(httpd_$1_script_t)
+-
+- files_exec_etc_files(httpd_$1_script_t)
+- files_read_etc_files(httpd_$1_script_t)
+- files_search_home(httpd_$1_script_t)
+-
+- libs_exec_ld_so(httpd_$1_script_t)
+- libs_exec_lib_files(httpd_$1_script_t)
+-
+- miscfiles_read_fonts(httpd_$1_script_t)
+- miscfiles_read_public_files(httpd_$1_script_t)
+-
+- seutil_dontaudit_search_config(httpd_$1_script_t)
+-
+- tunable_policy(`httpd_enable_cgi && httpd_unified',`
+- allow httpd_$1_script_t httpdcontent:file entrypoint;
+-
+- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+- can_exec(httpd_$1_script_t, httpdcontent)
+- ')
+-
+- tunable_policy(`allow_httpd_$1_script_anon_write',`
+- miscfiles_manage_public_files(httpd_$1_script_t)
+- ')
+
+ # Allow the web server to run scripts and serve pages
+ tunable_policy(`httpd_builtin_scripting',`
+@@ -128,68 +81,26 @@ template(`apache_content_template',`
+ manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+
+- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
++ allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
+ read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+
+- allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+-
+- allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+
++ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
++
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+
++ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
++
+ # apache runs the script:
+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+-
+- allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+- allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
+-
+- allow httpd_$1_script_t self:process { setsched signal_perms };
+- allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+-
+- allow httpd_$1_script_t httpd_t:fd use;
+- allow httpd_$1_script_t httpd_t:process sigchld;
+-
+- kernel_read_system_state(httpd_$1_script_t)
+-
+- dev_read_urand(httpd_$1_script_t)
+-
+- fs_getattr_xattr_fs(httpd_$1_script_t)
+-
+- files_read_etc_runtime_files(httpd_$1_script_t)
+- files_read_usr_files(httpd_$1_script_t)
+-
+- libs_read_lib_files(httpd_$1_script_t)
+-
+- miscfiles_read_localization(httpd_$1_script_t)
+- ')
+-
+- optional_policy(`
+- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
+- nis_use_ypbind_uncond(httpd_$1_script_t)
+- ')
+- ')
+-
+- optional_policy(`
+- postgresql_unpriv_client(httpd_$1_script_t)
+-
+- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+- postgresql_tcp_connect(httpd_$1_script_t)
+- ')
+- ')
+-
+- optional_policy(`
+- nscd_socket_use(httpd_$1_script_t)
+ ')
+ ')
+
+@@ -211,9 +122,8 @@ template(`apache_content_template',`
+ interface(`apache_role',`
+ gen_require(`
+ attribute httpdcontent;
+- type httpd_user_content_t, httpd_user_htaccess_t;
+- type httpd_user_script_t, httpd_user_script_exec_t;
+- type httpd_user_ra_content_t, httpd_user_rw_content_t;
++ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
++ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
+ ')
+
+ role $1 types httpd_user_script_t;
+@@ -234,6 +144,13 @@ interface(`apache_role',`
+ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
++ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++
+ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+@@ -248,6 +165,9 @@ interface(`apache_role',`
+ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+
++ apache_exec_modules($2)
++ apache_filetrans_home_content($2)
++
+ tunable_policy(`httpd_enable_cgi',`
+ # If a user starts a script by hand it gets the proper context
+ domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
+@@ -317,6 +237,25 @@ interface(`apache_domtrans',`
+ domtrans_pattern($1, httpd_exec_t, httpd_t)
+ ')
+
++######################################
++##
++## Allow the specified domain to execute apache
++## in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_exec',`
++ gen_require(`
++ type httpd_exec_t;
++ ')
++
++ can_exec($1, httpd_exec_t)
++')
++
+ #######################################
+ ##
+ ## Send a generic signal to apache.
+@@ -405,7 +344,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+ type httpd_t;
+ ')
+
+- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -487,7 +426,7 @@ interface(`apache_setattr_cache_dirs',`
+ type httpd_cache_t;
+ ')
+
+- allow $1 httpd_cache_t:dir setattr;
++ allow $1 httpd_cache_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -531,6 +470,25 @@ interface(`apache_rw_cache_files',`
+ ########################################
+ ##
+ ## Allow the specified domain to delete
++## Apache cache dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_delete_cache_dirs',`
++ gen_require(`
++ type httpd_cache_t;
++ ')
++
++ delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
++')
++
++########################################
++##
++## Allow the specified domain to delete
+ ## Apache cache.
+ ##
+ ##
+@@ -549,6 +507,26 @@ interface(`apache_delete_cache_files',`
+
+ ########################################
+ ##
++## Allow the specified domain to search
++## apache configuration dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_search_config',`
++ gen_require(`
++ type httpd_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 httpd_config_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Allow the specified domain to read
+ ## apache configuration files.
+ ##
+@@ -641,6 +619,27 @@ interface(`apache_run_helper',`
+
+ ########################################
+ ##
++## dontaudit attempts to read
++## apache log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_dontaudit_read_log',`
++ gen_require(`
++ type httpd_log_t;
++ ')
++
++ dontaudit $1 httpd_log_t:file read_file_perms;
++ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
++')
++
++########################################
++##
+ ## Allow the specified domain to read
+ ## apache log files.
+ ##
+@@ -683,6 +682,25 @@ interface(`apache_append_log',`
+ append_files_pattern($1, httpd_log_t, httpd_log_t)
+ ')
+
++#######################################
++##
++## Allow the specified domain to write
++## to apache log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_write_log',`
++ gen_require(`
++ type httpd_log_t;
++ ')
++
++ allow $1 httpd_log_t:file write;
++')
++
+ ########################################
+ ##
+ ## Do not audit attempts to append to the
+@@ -699,7 +717,7 @@ interface(`apache_dontaudit_append_log',`
+ type httpd_log_t;
+ ')
+
+- dontaudit $1 httpd_log_t:file { getattr append };
++ dontaudit $1 httpd_log_t:file append_file_perms;
+ ')
+
+ ########################################
+@@ -745,6 +763,25 @@ interface(`apache_dontaudit_search_modules',`
+
+ ########################################
+ ##
++## Allow the specified domain to read
++## the apache module directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_read_modules',`
++ gen_require(`
++ type httpd_modules_t;
++ ')
++
++ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
++')
++
++########################################
++##
+ ## Allow the specified domain to list
+ ## the contents of the apache modules
+ ## directory.
+@@ -761,6 +798,7 @@ interface(`apache_list_modules',`
+ ')
+
+ allow $1 httpd_modules_t:dir list_dir_perms;
++ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
+ ')
+
+ ########################################
+@@ -802,6 +840,43 @@ interface(`apache_domtrans_rotatelogs',`
+ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+ ')
+
++#######################################
++##
++## Execute httpd_rotatelogs in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`apache_exec_rotatelogs',`
++ gen_require(`
++ type httpd_rotatelogs_exec_t;
++ ')
++
++ can_exec($1, httpd_rotatelogs_exec_t)
++')
++
++#######################################
++##
++## Execute httpd system scripts in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`apache_exec_sys_script',`
++ gen_require(`
++ type httpd_sys_script_exec_t;
++ ')
++
++ allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
++ can_exec($1, httpd_sys_script_exec_t)
++')
++
+ ########################################
+ ##
+ ## Allow the specified domain to list
+@@ -819,6 +894,7 @@ interface(`apache_list_sys_content',`
+ ')
+
+ list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
++ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ files_search_var($1)
+ ')
+
+@@ -846,6 +922,74 @@ interface(`apache_manage_sys_content',`
+ manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ ')
+
++######################################
++##
++## Allow the specified domain to read
++## apache system content rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_read_sys_content_rw_files',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++######################################
++##
++## Allow the specified domain to manage
++## apache system content rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_manage_sys_content_rw',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++########################################
++##
++## Allow the specified domain to delete
++## apache system content rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_delete_sys_content_rw',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ files_search_tmp($1)
++ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
+ ########################################
+ ##
+ ## Execute all web scripts in the system
+@@ -862,7 +1006,12 @@ interface(`apache_manage_sys_content',`
+ interface(`apache_domtrans_sys_script',`
+ gen_require(`
+ attribute httpdcontent;
+- type httpd_sys_script_t;
++ type httpd_sys_script_exec_t;
++ type httpd_sys_script_t, httpd_sys_content_t;
++ ')
++
++ tunable_policy(`httpd_enable_cgi',`
++ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+@@ -921,9 +1070,10 @@ interface(`apache_domtrans_all_scripts',`
+ ##
+ ##
+ ##
+-## Role allowed access..
++## Role allowed access.
+ ##
+ ##
++##
+ #
+ interface(`apache_run_all_scripts',`
+ gen_require(`
+@@ -950,7 +1100,7 @@ interface(`apache_read_squirrelmail_data',`
+ type httpd_squirrelmail_t;
+ ')
+
+- allow $1 httpd_squirrelmail_t:file read_file_perms;
++ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
+ ')
+
+ ########################################
+@@ -1091,6 +1241,25 @@ interface(`apache_read_tmp_files',`
+ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+ ')
+
++######################################
++##
++## Dontaudit attempts to read and write
++## apache tmp files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`apache_dontaudit_rw_tmp_files',`
++ gen_require(`
++ type httpd_tmp_t;
++ ')
++
++ dontaudit $1 httpd_tmp_t:file { read write };
++')
++
+ ########################################
+ ##
+ ## Dontaudit attempts to write
+@@ -1107,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+ type httpd_tmp_t;
+ ')
+
+- dontaudit $1 httpd_tmp_t:file write_file_perms;
++ dontaudit $1 httpd_tmp_t:file write;
+ ')
+
+ ########################################
+@@ -1148,14 +1317,31 @@ interface(`apache_cgi_domain',`
+
+ ########################################
+ ##
+-## All of the rules required to administrate an apache environment
++## Execute httpd server in the httpd domain.
+ ##
+-##
++##
+ ##
+-## Prefix of the domain. Example, user would be
+-## the prefix for the uder_t domain.
++## Domain allowed to transition.
+ ##
+ ##
++#
++interface(`apache_systemctl',`
++ gen_require(`
++ type httpd_t;
++ type httpd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 httpd_unit_file_t:file read_file_perms;
++ allow $1 httpd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, httpd_t)
++')
++
++########################################
++##
++## All of the rules required to administrate an apache environment
++##
+ ##
+ ##
+ ## Domain allowed access.
+@@ -1170,19 +1356,21 @@ interface(`apache_cgi_domain',`
+ #
+ interface(`apache_admin',`
+ gen_require(`
+- attribute httpdcontent;
+- attribute httpd_script_exec_type;
+-
++ attribute httpdcontent, httpd_script_exec_type;
+ type httpd_t, httpd_config_t, httpd_log_t;
+- type httpd_modules_t, httpd_lock_t;
+- type httpd_var_run_t, httpd_php_tmp_t;
++ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
++ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t;
+- type httpd_initrc_exec_t;
++ type httpd_unit_file_t;
+ ')
+
+- allow $1 httpd_t:process { getattr ptrace signal_perms };
++ allow $1 httpd_t:process signal_perms;
+ ps_process_pattern($1, httpd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 httpd_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 httpd_initrc_exec_t system_r;
+@@ -1191,10 +1379,10 @@ interface(`apache_admin',`
+ apache_manage_all_content($1)
+ miscfiles_manage_public_files($1)
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, httpd_config_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, httpd_log_t)
+
+ admin_pattern($1, httpd_modules_t)
+@@ -1205,14 +1393,106 @@ interface(`apache_admin',`
+ admin_pattern($1, httpd_var_run_t)
+ files_pid_filetrans($1, httpd_var_run_t, file)
+
+- kernel_search_proc($1)
+- allow $1 httpd_t:dir list_dir_perms;
+-
+- read_lnk_files_pattern($1, httpd_t, httpd_t)
+-
+ admin_pattern($1, httpdcontent)
+ admin_pattern($1, httpd_script_exec_type)
++
++ seutil_domtrans_setfiles($1)
++
++ files_list_tmp($1)
+ admin_pattern($1, httpd_tmp_t)
+ admin_pattern($1, httpd_php_tmp_t)
+ admin_pattern($1, httpd_suexec_tmp_t)
++
++ apache_systemctl($1)
++ admin_pattern($1, httpd_unit_file_t)
++ allow $1 httpd_unit_file_t:service all_service_perms;
++
++ apache_filetrans_named_content($1)
++')
++
++########################################
++##
++## dontaudit read and write an leaked file descriptors
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`apache_dontaudit_leaks',`
++ gen_require(`
++ type httpd_t;
++ type httpd_tmp_t;
++ ')
++
++ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit $1 httpd_t:tcp_socket { read write };
++ dontaudit $1 httpd_t:unix_dgram_socket { read write };
++ dontaudit $1 httpd_t:unix_stream_socket { read write };
++ dontaudit $1 httpd_tmp_t:file { read write };
++')
++
++########################################
++##
++## Transition to apache named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_filetrans_named_content',`
++ gen_require(`
++ type httpd_sys_content_t, httpd_sys_rw_content_t;
++ type httpd_tmp_t;
++ ')
++
++
++ apache_filetrans_home_content($1)
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
++ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
++')
++
++########################################
++##
++## Allow any httpd_exec_t to be an entrypoint of this domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_entrypoint',`
++ gen_require(`
++ type httpd_exec_t;
++ ')
++ allow $1 httpd_exec_t:file entrypoint;
++')
++
++########################################
++##
++## Transition to apache home content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_filetrans_home_content',`
++ gen_require(`
++ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
++ type httpd_user_content_ra_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
++ filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
++ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
++ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
+ ')
+diff --git a/apache.te b/apache.te
+index 0833afb..2864927 100644
+--- a/apache.te
++++ b/apache.te
+@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
+ # Declarations
+ #
+
++selinux_genbool(httpd_bool_t)
++
+ ##
+ ##
+ ## Allow Apache to modify public files
+@@ -25,14 +27,35 @@ policy_module(apache, 2.4.0)
+ ## be labeled public_content_rw_t.
+ ##
+ ##
+-gen_tunable(allow_httpd_anon_write, false)
++gen_tunable(httpd_anon_write, false)
+
+ ##
+ ##
+ ## Allow Apache to use mod_auth_pam
+ ##
+ ##
+-gen_tunable(allow_httpd_mod_auth_pam, false)
++gen_tunable(httpd_mod_auth_pam, false)
++
++##
++##
++## Allow Apache to use mod_auth_ntlm_winbind
++##
++##
++gen_tunable(httpd_mod_auth_ntlm_winbind, false)
++
++##
++##
++## Allow httpd scripts and modules execmem/execstack
++##
++##
++gen_tunable(httpd_execmem, false)
++
++##
++##
++## Allow httpd processes to manage IPA content
++##
++##
++gen_tunable(httpd_manage_ipa, false)
+
+ ##
+ ##
+@@ -50,6 +73,20 @@ gen_tunable(httpd_can_network_connect, false)
+
+ ##
+ ##
++## Allow HTTPD scripts and modules to connect to cobbler over the network.
++##
++##
++gen_tunable(httpd_can_network_connect_cobbler, false)
++
++##
++##
++## Allow HTTPD to connect to port 80 for graceful shutdown
++##
++##
++gen_tunable(httpd_graceful_shutdown, false)
++
++##
++##
+ ## Allow HTTPD scripts and modules to connect to databases over the network.
+ ##
+ ##
+@@ -57,12 +94,33 @@ gen_tunable(httpd_can_network_connect_db, false)
+
+ ##
+ ##
++## Allow httpd to connect to memcache server
++##
++##
++gen_tunable(httpd_can_network_memcache, false)
++
++##
++##
+ ## Allow httpd to act as a relay
+ ##
+ ##
+ gen_tunable(httpd_can_network_relay, false)
+
+ ##
++##
++## Allow http daemon to connect to zabbix
++##
++##
++gen_tunable(httpd_can_connect_zabbix, false)
++
++##
++##
++## Allow http daemon to check spam
++##
++##
++gen_tunable(httpd_can_check_spam, false)
++
++##
+ ##
+ ## Allow http daemon to send mail
+ ##
+@@ -93,6 +151,21 @@ gen_tunable(httpd_enable_ftp_server, false)
+
+ ##
+ ##
++## Allow httpd to act as a FTP client
++## connecting to the ftp port and ephemeral ports
++##
++##
++gen_tunable(httpd_can_connect_ftp, false)
++
++##
++##
++## Allow httpd to connect to the ldap port
++##
++##
++gen_tunable(httpd_can_connect_ldap, false)
++
++##
++##
+ ## Allow httpd to read home directories
+ ##
+ ##
+@@ -100,6 +173,27 @@ gen_tunable(httpd_enable_homedirs, false)
+
+ ##
+ ##
++## Allow httpd to read user content
++##
++##
++gen_tunable(httpd_read_user_content, false)
++
++##
++##
++## Allow Apache to run in stickshift mode, not transition to passenger
++##
++##
++gen_tunable(httpd_run_stickshift, false)
++
++##
++##
++## Allow Apache to query NS records
++##
++##
++gen_tunable(httpd_verify_dns, false)
++
++##
++##
+ ## Allow httpd daemon to change its resource limits
+ ##
+ ##
+@@ -114,6 +208,13 @@ gen_tunable(httpd_ssi_exec, false)
+
+ ##
+ ##
++## Allow Apache to execute tmp content.
++##
++##
++gen_tunable(httpd_tmp_exec, false)
++
++##
++##
+ ## Unify HTTPD to communicate with the terminal.
+ ## Needed for entering the passphrase for certificates at
+ ## the terminal.
+@@ -130,12 +231,26 @@ gen_tunable(httpd_unified, false)
+
+ ##
+ ##
++## Allow httpd to access openstack ports
++##
++##
++gen_tunable(httpd_use_openstack, false)
++
++##
++##
+ ## Allow httpd to access cifs file systems
+ ##
+ ##
+ gen_tunable(httpd_use_cifs, false)
+
+ ##
++##
++## Allow httpd to access FUSE file systems
++##
++##
++gen_tunable(httpd_use_fusefs, false)
++
++##
+ ##
+ ## Allow httpd to run gpg
+ ##
+@@ -149,12 +264,28 @@ gen_tunable(httpd_use_gpg, false)
+ ##
+ gen_tunable(httpd_use_nfs, false)
+
++##
++##
++## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
++##
++##
++gen_tunable(httpd_sys_script_anon_write, false)
++
++##
++##
++## Allow httpd to communicate with oddjob to start up a service
++##
++##
++gen_tunable(httpd_use_oddjob, false)
++
+ attribute httpdcontent;
+ attribute httpd_user_content_type;
++attribute httpd_content_type;
+
+ # domains that can exec all users scripts
+ attribute httpd_exec_scripts;
+
++attribute httpd_script_type;
+ attribute httpd_script_exec_type;
+ attribute httpd_user_script_exec_type;
+
+@@ -163,6 +294,10 @@ attribute httpd_script_domains;
+
+ type httpd_t;
+ type httpd_exec_t;
++ifdef(`distro_redhat',`
++ typealias httpd_t alias phpfpm_t;
++ typealias httpd_exec_t alias phpfpm_exec_t;
++')
+ init_daemon_domain(httpd_t, httpd_exec_t)
+ role system_r types httpd_t;
+
+@@ -173,7 +308,7 @@ files_type(httpd_cache_t)
+
+ # httpd_config_t is the type given to the configuration files
+ type httpd_config_t;
+-files_type(httpd_config_t)
++files_config_file(httpd_config_t)
+
+ type httpd_helper_t;
+ type httpd_helper_exec_t;
+@@ -184,10 +319,19 @@ role system_r types httpd_helper_t;
+ type httpd_initrc_exec_t;
+ init_script_file(httpd_initrc_exec_t)
+
++type httpd_unit_file_t;
++ifdef(`distro_redhat',`
++ typealias httpd_unit_file_t alias phpfpm_unit_file_t;
++')
++systemd_unit_file(httpd_unit_file_t)
++
+ type httpd_lock_t;
+ files_lock_file(httpd_lock_t)
+
+ type httpd_log_t;
++ifdef(`distro_redhat',`
++ typealias httpd_log_t alias phpfpm_log_t;
++')
+ logging_log_file(httpd_log_t)
+
+ # httpd_modules_t is the type given to module files (libraries)
+@@ -223,7 +367,21 @@ files_tmp_file(httpd_suexec_tmp_t)
+
+ # setup the system domain for system CGI scripts
+ apache_content_template(sys)
+-typealias httpd_sys_content_t alias ntop_http_content_t;
++
++optional_policy(`
++ postgresql_unpriv_client(httpd_sys_script_t)
++')
++
++typeattribute httpd_sys_content_t httpdcontent; # customizable
++typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
++typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
++
++# Removal of fastcgi, will cause problems without the following
++typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
++typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
++typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
++typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
++typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+
+ type httpd_tmp_t;
+ files_tmp_file(httpd_tmp_t)
+@@ -233,6 +391,11 @@ files_tmpfs_file(httpd_tmpfs_t)
+
+ apache_content_template(user)
+ ubac_constrained(httpd_user_script_t)
++
++typeattribute httpd_user_content_t httpdcontent;
++typeattribute httpd_user_rw_content_t httpdcontent;
++typeattribute httpd_user_ra_content_t httpdcontent;
++
+ userdom_user_home_content(httpd_user_content_t)
+ userdom_user_home_content(httpd_user_htaccess_t)
+ userdom_user_home_content(httpd_user_script_exec_t)
+@@ -240,6 +403,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+ userdom_user_home_content(httpd_user_rw_content_t)
+ typeattribute httpd_user_script_t httpd_script_domains;
+ typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
++typealias httpd_user_content_t alias httpd_unconfined_content_t;
+ typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
+ typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
+ typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
+@@ -259,16 +423,28 @@ type httpd_var_lib_t;
+ files_type(httpd_var_lib_t)
+
+ type httpd_var_run_t;
++ifdef(`distro_redhat',`
++ typealias httpd_var_run_t alias phpfpm_var_run_t;
++')
+ files_pid_file(httpd_var_run_t)
+
++# Removal of fastcgi, will cause problems without the following
++typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
++
+ # File Type of squirrelmail attachments
+ type squirrelmail_spool_t;
+ files_tmp_file(squirrelmail_spool_t)
++files_spool_file(squirrelmail_spool_t)
+
+ optional_policy(`
+ prelink_object_file(httpd_modules_t)
+ ')
+
++type httpd_passwd_t;
++type httpd_passwd_exec_t;
++application_domain(httpd_passwd_t, httpd_passwd_exec_t)
++role system_r types httpd_passwd_t;
++
+ ########################################
+ #
+ # Apache server local policy
+@@ -288,11 +464,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow httpd_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_t self:udp_socket create_socket_perms;
++dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
+
+ # Allow httpd_t to put files in /var/cache/httpd etc
+ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+ manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+ manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
++files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
+
+ # Allow the httpd_t to read the web servers config files
+ allow httpd_t httpd_config_t:dir list_dir_perms;
+@@ -305,6 +483,7 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
+ files_lock_filetrans(httpd_t, httpd_lock_t, file)
+
+ allow httpd_t httpd_log_t:dir setattr;
++create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+@@ -336,8 +515,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+
+ manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+ manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
++manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+ manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
++files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
++userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
+
+ manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+ manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -346,8 +527,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+ manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
++manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+-files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
++files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
+
+ setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+ manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+@@ -362,8 +544,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+ kernel_read_kernel_sysctls(httpd_t)
+ # for modules that want to access /proc/meminfo
+ kernel_read_system_state(httpd_t)
++kernel_read_network_state(httpd_t)
++kernel_search_network_sysctl(httpd_t)
+
+-corenet_all_recvfrom_unlabeled(httpd_t)
+ corenet_all_recvfrom_netlabel(httpd_t)
+ corenet_tcp_sendrecv_generic_if(httpd_t)
+ corenet_udp_sendrecv_generic_if(httpd_t)
+@@ -372,11 +555,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+ corenet_tcp_sendrecv_all_ports(httpd_t)
+ corenet_udp_sendrecv_all_ports(httpd_t)
+ corenet_tcp_bind_generic_node(httpd_t)
++corenet_udp_bind_generic_node(httpd_t)
+ corenet_tcp_bind_http_port(httpd_t)
++corenet_udp_bind_http_port(httpd_t)
+ corenet_tcp_bind_http_cache_port(httpd_t)
++corenet_tcp_bind_ntop_port(httpd_t)
++corenet_tcp_bind_jboss_management_port(httpd_t)
++corenet_tcp_bind_jboss_messaging_port(httpd_t)
+ corenet_sendrecv_http_server_packets(httpd_t)
++corenet_tcp_bind_puppet_port(httpd_t)
+ # Signal self for shutdown
+-corenet_tcp_connect_http_port(httpd_t)
++tunable_policy(`httpd_graceful_shutdown',`
++ corenet_tcp_connect_http_port(httpd_t)
++')
+
+ dev_read_sysfs(httpd_t)
+ dev_read_rand(httpd_t)
+@@ -385,9 +576,14 @@ dev_rw_crypto(httpd_t)
+
+ fs_getattr_all_fs(httpd_t)
+ fs_search_auto_mountpoints(httpd_t)
++fs_read_iso9660_files(httpd_t)
++fs_read_anon_inodefs_files(httpd_t)
++fs_read_hugetlbfs_files(httpd_t)
+
+ auth_use_nsswitch(httpd_t)
+
++application_exec_all(httpd_t)
++
+ # execute perl
+ corecmd_exec_bin(httpd_t)
+ corecmd_exec_shell(httpd_t)
+@@ -396,61 +592,112 @@ domain_use_interactive_fds(httpd_t)
+
+ files_dontaudit_getattr_all_pids(httpd_t)
+ files_read_usr_files(httpd_t)
++files_exec_usr_files(httpd_t)
+ files_list_mnt(httpd_t)
+ files_search_spool(httpd_t)
++files_read_var_symlinks(httpd_t)
+ files_read_var_lib_files(httpd_t)
+ files_search_home(httpd_t)
+ files_getattr_home_dir(httpd_t)
+ # for modules that want to access /etc/mtab
+ files_read_etc_runtime_files(httpd_t)
+ # Allow httpd_t to have access to files such as nisswitch.conf
+-files_read_etc_files(httpd_t)
+ # for tomcat
+ files_read_var_lib_symlinks(httpd_t)
+
+ fs_search_auto_mountpoints(httpd_sys_script_t)
++# php uploads a file to /tmp and then execs programs to acton them
++manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
+
+ libs_read_lib_files(httpd_t)
+
++ifdef(`hide_broken_symptoms',`
++ libs_exec_lib_files(httpd_t)
++')
++
+ logging_send_syslog_msg(httpd_t)
+
+-miscfiles_read_localization(httpd_t)
+ miscfiles_read_fonts(httpd_t)
+ miscfiles_read_public_files(httpd_t)
+ miscfiles_read_generic_certs(httpd_t)
+-
+-seutil_dontaudit_search_config(httpd_t)
++miscfiles_read_tetex_data(httpd_t)
+
+ userdom_use_unpriv_users_fds(httpd_t)
+
+-tunable_policy(`allow_httpd_anon_write',`
++tunable_policy(`httpd_setrlimit',`
++ allow httpd_t self:process setrlimit;
++ allow httpd_t self:capability sys_resource;
++')
++
++tunable_policy(`httpd_anon_write',`
+ miscfiles_manage_public_files(httpd_t)
+ ')
+
+-ifdef(`TODO', `
+ #
+ # We need optionals to be able to be within booleans to make this work
+ #
+-tunable_policy(`allow_httpd_mod_auth_pam',`
+- auth_domtrans_chk_passwd(httpd_t)
++tunable_policy(`httpd_mod_auth_pam',`
++ auth_domtrans_chkpwd(httpd_t)
++ logging_send_audit_msgs(httpd_t)
+ ')
++
++optional_policy(`
++ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
++ samba_domtrans_winbind_helper(httpd_t)
++ ')
+ ')
+
+ tunable_policy(`httpd_can_network_connect',`
+ corenet_tcp_connect_all_ports(httpd_t)
+ ')
+
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_firebird_port(httpd_t)
++ corenet_tcp_connect_mssql_port(httpd_t)
++ corenet_sendrecv_mssql_client_packets(httpd_t)
++ corenet_tcp_connect_oracle_port(httpd_t)
++ corenet_sendrecv_oracle_client_packets(httpd_t)
++')
++
++tunable_policy(`httpd_can_network_memcache',`
++ corenet_tcp_connect_memcache_port(httpd_t)
++')
++
+ tunable_policy(`httpd_can_network_relay',`
+ # allow httpd to work as a relay
+ corenet_tcp_connect_gopher_port(httpd_t)
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_connect_http_port(httpd_t)
+ corenet_tcp_connect_http_cache_port(httpd_t)
++ corenet_tcp_connect_squid_port(httpd_t)
+ corenet_tcp_connect_memcache_port(httpd_t)
+ corenet_sendrecv_gopher_client_packets(httpd_t)
+ corenet_sendrecv_ftp_client_packets(httpd_t)
+ corenet_sendrecv_http_client_packets(httpd_t)
+ corenet_sendrecv_http_cache_client_packets(httpd_t)
++ corenet_sendrecv_squid_client_packets(httpd_t)
++ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
++')
++
++tunable_policy(`httpd_execmem',`
++ allow httpd_t self:process { execmem execstack };
++ allow httpd_sys_script_t self:process { execmem execstack };
++ allow httpd_suexec_t self:process { execmem execstack };
++')
++
++tunable_policy(`httpd_enable_cgi && httpd_unified',`
++ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
++ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
++ can_exec(httpd_sys_script_t, httpd_sys_content_t)
++')
++
++tunable_policy(`httpd_sys_script_anon_write',`
++ miscfiles_manage_public_files(httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+@@ -461,27 +708,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+ ')
+
++tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
++ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
++')
++
+ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+ domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
++ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
++ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
++ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
++ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+
+ manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ ')
+
++tunable_policy(`httpd_can_connect_ftp',`
++ corenet_tcp_connect_ftp_port(httpd_t)
++ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
++')
++
++tunable_policy(`httpd_can_connect_ldap',`
++ corenet_tcp_connect_ldap_port(httpd_t)
++')
++
++tunable_policy(`httpd_can_connect_zabbix',`
++ corenet_tcp_connect_zabbix_port(httpd_t)
++')
++
+ tunable_policy(`httpd_enable_ftp_server',`
+ corenet_tcp_bind_ftp_port(httpd_t)
++ corenet_tcp_bind_all_ephemeral_ports(httpd_t)
+ ')
+
+-tunable_policy(`httpd_enable_homedirs',`
+- userdom_read_user_home_content_files(httpd_t)
++tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
++ can_exec(httpd_t, httpd_tmp_t)
++')
++
++tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
++ can_exec(httpd_sys_script_t, httpd_tmp_t)
+ ')
+
+ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(httpd_t)
+ fs_read_nfs_files(httpd_t)
+ fs_read_nfs_symlinks(httpd_t)
+ ')
+
++tunable_policy(`httpd_use_nfs',`
++ fs_list_auto_mountpoints(httpd_t)
++ fs_manage_nfs_dirs(httpd_t)
++ fs_manage_nfs_files(httpd_t)
++ fs_manage_nfs_symlinks(httpd_t)
++')
++
+ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_t)
+ fs_read_cifs_symlinks(httpd_t)
+@@ -491,7 +772,22 @@ tunable_policy(`httpd_can_sendmail',`
+ # allow httpd to connect to mail servers
+ corenet_tcp_connect_smtp_port(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
++ corenet_tcp_connect_pop_port(httpd_t)
++ corenet_sendrecv_pop_client_packets(httpd_t)
+ mta_send_mail(httpd_t)
++ mta_signal_system_mail(httpd_t)
++')
++
++tunable_policy(`httpd_use_cifs',`
++ fs_manage_cifs_dirs(httpd_t)
++ fs_manage_cifs_files(httpd_t)
++ fs_manage_cifs_symlinks(httpd_t)
++')
++
++tunable_policy(`httpd_use_fusefs',`
++ fs_manage_fusefs_dirs(httpd_t)
++ fs_manage_fusefs_files(httpd_t)
++ fs_manage_fusefs_symlinks(httpd_t)
+ ')
+
+ tunable_policy(`httpd_setrlimit',`
+@@ -511,9 +807,19 @@ tunable_policy(`httpd_ssi_exec',`
+ # to run correctly without this permission, so the permission
+ # are dontaudited here.
+ tunable_policy(`httpd_tty_comm',`
+- userdom_use_user_terminals(httpd_t)
++ userdom_use_inherited_user_terminals(httpd_t)
++ userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ',`
+ userdom_dontaudit_use_user_terminals(httpd_t)
++ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
++')
++
++optional_policy(`
++ # Support for ABRT retrace server
++ # mod_wsgi
++ abrt_manage_spool_retrace(httpd_t)
++ abrt_domtrans_retrace_worker(httpd_t)
++ abrt_read_config(httpd_t)
+ ')
+
+ optional_policy(`
+@@ -525,6 +831,9 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ cobbler_list_config(httpd_t)
++ cobbler_read_config(httpd_t)
++ cobbler_read_lib_files(httpd_t)
+ cobbler_search_lib(httpd_t)
+ ')
+
+@@ -540,6 +849,24 @@ optional_policy(`
+ daemontools_service_domain(httpd_t, httpd_exec_t)
+ ')
+
++optional_policy(`
++ # needed by FreeIPA
++ dirsrv_stream_connect(httpd_t)
++ ldap_stream_connect(httpd_t)
++')
++
++optional_policy(`
++ dirsrv_manage_config(httpd_t)
++ dirsrv_manage_log(httpd_t)
++ dirsrv_manage_var_run(httpd_t)
++ dirsrv_read_share(httpd_t)
++ dirsrv_signal(httpd_t)
++ dirsrv_signull(httpd_t)
++ dirsrvadmin_manage_config(httpd_t)
++ dirsrvadmin_manage_tmp(httpd_t)
++ dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
++')
++
+ optional_policy(`
+ dbus_system_bus_client(httpd_t)
+
+@@ -549,13 +876,24 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ git_read_generic_system_content_files(httpd_t)
++ gitosis_read_lib_files(httpd_t)
++')
++
++optional_policy(`
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+- gpg_domtrans(httpd_t)
++ gpg_domtrans_web(httpd_t)
+ ')
+ ')
+
+ optional_policy(`
++ jetty_admin(httpd_t)
++')
++
++optional_policy(`
+ kerberos_keytab_template(httpd, httpd_t)
++ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
++ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
+ ')
+
+ optional_policy(`
+@@ -573,7 +911,21 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mediawiki_read_tmp_files(httpd_t)
++ mediawiki_delete_tmp_files(httpd_t)
++')
++
++optional_policy(`
++ memcached_stream_connect(httpd_t)
++
++ tunable_policy(`httpd_manage_ipa',`
++ memcached_manage_pid_files(httpd_t)
++ ')
++')
++
++optional_policy(`
+ # Allow httpd to work with mysql
++ mysql_read_config(httpd_t)
+ mysql_stream_connect(httpd_t)
+ mysql_rw_db_sockets(httpd_t)
+
+@@ -584,6 +936,7 @@ optional_policy(`
+
+ optional_policy(`
+ nagios_read_config(httpd_t)
++ nagios_read_log(httpd_t)
+ ')
+
+ optional_policy(`
+@@ -594,6 +947,42 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ openshift_search_lib(httpd_t)
++ openshift_initrc_signull(httpd_t)
++ openshift_initrc_signal(httpd_t)
++')
++
++optional_policy(`
++ passenger_exec(httpd_t)
++ passenger_manage_pid_content(httpd_t)
++')
++
++optional_policy(`
++ pcscd_read_pub_files(httpd_t)
++')
++
++optional_policy(`
++ pki_apache_domain_signal(httpd_t)
++ pki_apache_domain_signal(httpd_t)
++ pki_manage_apache_run(httpd_t)
++ pki_manage_apache_config_files(httpd_t)
++ pki_manage_apache_log_files(httpd_t)
++ pki_manage_apache_lib(httpd_t)
++')
++
++optional_policy(`
++ puppet_read_lib(httpd_t)
++')
++
++optional_policy(`
++ pwauth_domtrans(httpd_t)
++')
++
++optional_policy(`
++ rpc_search_nfs_state_data(httpd_t)
++')
++
++optional_policy(`
+ # Allow httpd to work with postgresql
+ postgresql_stream_connect(httpd_t)
+ postgresql_unpriv_client(httpd_t)
+@@ -608,6 +997,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ smokeping_read_lib_files(httpd_t)
++')
++
++optional_policy(`
++ files_dontaudit_rw_usr_dirs(httpd_t)
+ snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
+ snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+ ')
+@@ -620,6 +1014,12 @@ optional_policy(`
+ yam_read_content(httpd_t)
+ ')
+
++optional_policy(`
++ zarafa_manage_lib_files(httpd_t)
++ zarafa_stream_connect_server(httpd_t)
++ zarafa_search_config(httpd_t)
++')
++
+ ########################################
+ #
+ # Apache helper local policy
+@@ -633,7 +1033,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+
+ logging_send_syslog_msg(httpd_helper_t)
+
+-userdom_use_user_terminals(httpd_helper_t)
++userdom_use_inherited_user_terminals(httpd_helper_t)
++
++tunable_policy(`httpd_verify_dns',`
++ corenet_udp_bind_all_ephemeral_ports(httpd_t)
++')
++
++tunable_policy(`httpd_run_stickshift', `
++ allow httpd_t self:capability { fowner fsetid sys_resource };
++ dontaudit httpd_t self:capability sys_ptrace;
++ allow httpd_t self:process setexec;
++
++ files_dontaudit_getattr_all_files(httpd_t)
++ domain_dontaudit_read_all_domains_state(httpd_t)
++ domain_getpgid_all_domains(httpd_t)
++')
++
++optional_policy(`
++ tunable_policy(`httpd_run_stickshift', `
++ passenger_manage_lib_files(httpd_t)
++ passenger_getattr_log_files(httpd_t)
++ ',`
++ passenger_domtrans(httpd_t)
++ passenger_read_lib_files(httpd_t)
++ passenger_stream_connect(httpd_t)
++ passenger_manage_tmp_files(httpd_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`httpd_run_stickshift', `
++ oddjob_dbus_chat(httpd_t)
++ ')
++')
++
++tunable_policy(`httpd_tty_comm',`
++ userdom_use_inherited_user_terminals(httpd_helper_t)
++')
+
+ ########################################
+ #
+@@ -671,28 +1107,30 @@ libs_exec_lib_files(httpd_php_t)
+ userdom_use_unpriv_users_fds(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+- corenet_tcp_connect_mysqld_port(httpd_t)
+- corenet_sendrecv_mysqld_client_packets(httpd_t)
+- corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+- corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+- corenet_tcp_connect_mysqld_port(httpd_suexec_t)
+- corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
+-
+- corenet_tcp_connect_mssql_port(httpd_t)
+- corenet_sendrecv_mssql_client_packets(httpd_t)
+- corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+- corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+- corenet_tcp_connect_mssql_port(httpd_suexec_t)
+- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
++ corenet_tcp_connect_firebird_port(httpd_php_t)
++ corenet_tcp_connect_mssql_port(httpd_php_t)
++ corenet_sendrecv_mssql_client_packets(httpd_php_t)
++ corenet_tcp_connect_oracle_port(httpd_php_t)
++ corenet_sendrecv_oracle_client_packets(httpd_php_t)
+ ')
+
+ optional_policy(`
+ mysql_stream_connect(httpd_php_t)
++ mysql_rw_db_sockets(httpd_php_t)
+ mysql_read_config(httpd_php_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ mysql_tcp_connect(httpd_php_t)
++ ')
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_php_t)
++ postgresql_unpriv_client(httpd_php_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_php_t)
++ ')
+ ')
+
+ ########################################
+@@ -702,6 +1140,7 @@ optional_policy(`
+
+ allow httpd_suexec_t self:capability { setuid setgid };
+ allow httpd_suexec_t self:process signal_perms;
++allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
+ allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+ domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
+@@ -716,19 +1155,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+ files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+
++can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
++
++read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
++read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
++read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
++
+ kernel_read_kernel_sysctls(httpd_suexec_t)
+ kernel_list_proc(httpd_suexec_t)
+ kernel_read_proc_symlinks(httpd_suexec_t)
+
+ dev_read_urand(httpd_suexec_t)
+
++fs_read_iso9660_files(httpd_suexec_t)
+ fs_search_auto_mountpoints(httpd_suexec_t)
+
++application_exec_all(httpd_suexec_t)
++
+ # for shell scripts
+ corecmd_exec_bin(httpd_suexec_t)
+ corecmd_exec_shell(httpd_suexec_t)
+
+-files_read_etc_files(httpd_suexec_t)
+ files_read_usr_files(httpd_suexec_t)
+ files_dontaudit_search_pids(httpd_suexec_t)
+ files_search_home(httpd_suexec_t)
+@@ -738,15 +1185,14 @@ auth_use_nsswitch(httpd_suexec_t)
+ logging_search_logs(httpd_suexec_t)
+ logging_send_syslog_msg(httpd_suexec_t)
+
+-miscfiles_read_localization(httpd_suexec_t)
+ miscfiles_read_public_files(httpd_suexec_t)
+
++corenet_all_recvfrom_netlabel(httpd_suexec_t)
++
+ tunable_policy(`httpd_can_network_connect',`
+ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+- corenet_all_recvfrom_unlabeled(httpd_suexec_t)
+- corenet_all_recvfrom_netlabel(httpd_suexec_t)
+ corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_udp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
+@@ -757,13 +1203,31 @@ tunable_policy(`httpd_can_network_connect',`
+ corenet_sendrecv_all_client_packets(httpd_suexec_t)
+ ')
+
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_firebird_port(httpd_suexec_t)
++ corenet_tcp_connect_mssql_port(httpd_suexec_t)
++ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
++ corenet_tcp_connect_oracle_port(httpd_suexec_t)
++ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
++')
++
++domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
++
++tunable_policy(`httpd_can_sendmail',`
++ mta_send_mail(httpd_suexec_t)
++')
++
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
+ domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+-
++ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ ')
+
+ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_read_nfs_files(httpd_suexec_t)
+ fs_read_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
+@@ -786,6 +1250,25 @@ optional_policy(`
+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+ ')
+
++optional_policy(`
++ mysql_stream_connect(httpd_suexec_t)
++ mysql_rw_db_sockets(httpd_suexec_t)
++ mysql_read_config(httpd_suexec_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ mysql_tcp_connect(httpd_suexec_t)
++ ')
++')
++
++optional_policy(`
++ postgresql_stream_connect(httpd_suexec_t)
++ postgresql_unpriv_client(httpd_suexec_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_suexec_t)
++ ')
++')
++
+ ########################################
+ #
+ # Apache system script local policy
+@@ -806,12 +1289,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+
+ kernel_read_kernel_sysctls(httpd_sys_script_t)
+
++files_read_var_symlinks(httpd_sys_script_t)
+ files_search_var_lib(httpd_sys_script_t)
+ files_search_spool(httpd_sys_script_t)
+
++logging_inherit_append_all_logs(httpd_sys_script_t)
++
+ # Should we add a boolean?
+ apache_domtrans_rotatelogs(httpd_sys_script_t)
+
++auth_use_nsswitch(httpd_sys_script_t)
++
+ ifdef(`distro_redhat',`
+ allow httpd_sys_script_t httpd_log_t:file append_file_perms;
+ ')
+@@ -820,18 +1308,50 @@ tunable_policy(`httpd_can_sendmail',`
+ mta_send_mail(httpd_sys_script_t)
+ ')
+
++optional_policy(`
++ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
++ spamassassin_domtrans_client(httpd_t)
++ ')
++')
++
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_firebird_port(httpd_sys_script_t)
++ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
++ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
++ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
++ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
++')
++
++fs_cifs_entry_type(httpd_sys_script_t)
++fs_read_iso9660_files(httpd_sys_script_t)
++fs_nfs_entry_type(httpd_sys_script_t)
++
++tunable_policy(`httpd_use_nfs',`
++ fs_list_auto_mountpoints(httpd_sys_script_t)
++ fs_manage_nfs_dirs(httpd_sys_script_t)
++ fs_manage_nfs_files(httpd_sys_script_t)
++ fs_manage_nfs_symlinks(httpd_sys_script_t)
++ fs_exec_nfs_files(httpd_sys_script_t)
++
++ fs_list_auto_mountpoints(httpd_suexec_t)
++ fs_manage_nfs_dirs(httpd_suexec_t)
++ fs_manage_nfs_files(httpd_suexec_t)
++ fs_manage_nfs_symlinks(httpd_suexec_t)
++ fs_exec_nfs_files(httpd_suexec_t)
++')
++
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
++
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+- corenet_tcp_bind_all_nodes(httpd_sys_script_t)
+- corenet_udp_bind_all_nodes(httpd_sys_script_t)
+- corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+- corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+- corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
+- corenet_udp_sendrecv_all_if(httpd_sys_script_t)
+- corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
+- corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
++ corenet_tcp_bind_generic_node(httpd_sys_script_t)
++ corenet_udp_bind_generic_node(httpd_sys_script_t)
++ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
++ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
++ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
++ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
+@@ -839,14 +1359,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ ')
+
+ tunable_policy(`httpd_enable_homedirs',`
+- userdom_read_user_home_content_files(httpd_sys_script_t)
++ userdom_search_user_home_dirs(httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+ ')
+
++tunable_policy(`httpd_read_user_content',`
++ userdom_read_user_home_content_files(httpd_sys_script_t)
++')
++
++tunable_policy(`httpd_use_cifs',`
++ fs_manage_cifs_dirs(httpd_sys_script_t)
++ fs_manage_cifs_files(httpd_sys_script_t)
++ fs_manage_cifs_symlinks(httpd_sys_script_t)
++ fs_manage_cifs_dirs(httpd_suexec_t)
++ fs_manage_cifs_files(httpd_suexec_t)
++ fs_manage_cifs_symlinks(httpd_suexec_t)
++ fs_exec_cifs_files(httpd_suexec_t)
++')
++
++tunable_policy(`httpd_use_fusefs',`
++ fs_manage_fusefs_dirs(httpd_sys_script_t)
++ fs_manage_fusefs_files(httpd_sys_script_t)
++ fs_manage_fusefs_symlinks(httpd_sys_script_t)
++ fs_manage_fusefs_dirs(httpd_suexec_t)
++ fs_manage_fusefs_files(httpd_suexec_t)
++ fs_manage_fusefs_symlinks(httpd_suexec_t)
++ fs_exec_fusefs_files(httpd_suexec_t)
++')
++
+ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
+@@ -854,15 +1399,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+
+ optional_policy(`
+ clamav_domtrans_clamscan(httpd_sys_script_t)
++ clamav_domtrans_clamscan(httpd_t)
+ ')
+
+ optional_policy(`
+ mysql_stream_connect(httpd_sys_script_t)
+ mysql_rw_db_sockets(httpd_sys_script_t)
++ mysql_read_config(httpd_sys_script_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ mysql_tcp_connect(httpd_sys_script_t)
++ ')
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_sys_script_t)
++ postgresql_unpriv_client(httpd_sys_script_t)
++
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_sys_script_t)
++ ')
+ ')
+
+ ########################################
+@@ -878,11 +1434,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+ kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+ kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
+
+-files_read_etc_files(httpd_rotatelogs_t)
+
+ logging_search_logs(httpd_rotatelogs_t)
+
+-miscfiles_read_localization(httpd_rotatelogs_t)
+
+ ########################################
+ #
+@@ -908,11 +1462,138 @@ optional_policy(`
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_user_script_t httpdcontent:file entrypoint;
++ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
++ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
++ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ ')
+
+ # allow accessing files/dirs below the users home dir
+ tunable_policy(`httpd_enable_homedirs',`
+- userdom_search_user_home_dirs(httpd_t)
+- userdom_search_user_home_dirs(httpd_suexec_t)
+- userdom_search_user_home_dirs(httpd_user_script_t)
++ userdom_search_user_home_content(httpd_t)
++ userdom_search_user_home_content(httpd_suexec_t)
++ userdom_search_user_home_content(httpd_user_script_t)
++')
++
++tunable_policy(`httpd_read_user_content',`
++ userdom_read_user_home_content_files(httpd_t)
++ userdom_read_user_home_content_files(httpd_suexec_t)
++ userdom_read_user_home_content_files(httpd_user_script_t)
++')
++
++########################################
++#
++# httpd_passwd local policy
++#
++
++allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
++allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
++allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
++
++kernel_read_system_state(httpd_passwd_t)
++
++corecmd_exec_bin(httpd_passwd_t)
++corecmd_exec_shell(httpd_passwd_t)
++
++dev_read_urand(httpd_passwd_t)
++
++domain_use_interactive_fds(httpd_passwd_t)
++
++
++auth_use_nsswitch(httpd_passwd_t)
++
++miscfiles_read_certs(httpd_passwd_t)
++
++systemd_manage_passwd_run(httpd_passwd_t)
++systemd_manage_passwd_run(httpd_t)
++#systemd_passwd_agent_dev_template(httpd)
++
++domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
++dontaudit httpd_passwd_t httpd_config_t:file read;
++
++search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
++corecmd_shell_entry_type(httpd_script_type)
++
++allow httpd_script_type self:fifo_file rw_file_perms;
++allow httpd_script_type self:unix_stream_socket connectto;
++
++allow httpd_script_type httpd_t:fifo_file write;
++# apache should set close-on-exec
++apache_dontaudit_leaks(httpd_script_type)
++
++append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
++logging_search_logs(httpd_script_type)
++
++kernel_dontaudit_search_sysctl(httpd_script_type)
++kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
++
++dev_read_rand(httpd_script_type)
++dev_read_urand(httpd_script_type)
++
++corecmd_exec_all_executables(httpd_script_type)
++application_exec_all(httpd_script_type)
++
++files_exec_etc_files(httpd_script_type)
++files_search_home(httpd_script_type)
++
++libs_exec_ld_so(httpd_script_type)
++libs_exec_lib_files(httpd_script_type)
++
++miscfiles_read_fonts(httpd_script_type)
++miscfiles_read_public_files(httpd_script_type)
++
++allow httpd_t httpd_script_type:unix_stream_socket connectto;
++
++allow httpd_t httpd_script_exec_type:file read_file_perms;
++allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
++allow httpd_t httpd_script_type:process { signal sigkill sigstop };
++allow httpd_t httpd_script_exec_type:dir list_dir_perms;
++
++allow httpd_script_type self:process { setsched signal_perms };
++allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
++allow httpd_script_type self:unix_dgram_socket create_socket_perms;
++
++allow httpd_script_type httpd_t:fd use;
++allow httpd_script_type httpd_t:process sigchld;
++
++dontaudit httpd_script_type httpd_t:tcp_socket { read write };
++
++dev_read_urand(httpd_script_type)
++
++fs_getattr_xattr_fs(httpd_script_type)
++
++files_read_etc_runtime_files(httpd_script_type)
++files_read_usr_files(httpd_script_type)
++
++libs_read_lib_files(httpd_script_type)
++
++allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
++
++tunable_policy(`httpd_enable_cgi && nis_enabled',`
++ nis_use_ypbind_uncond(httpd_script_type)
++')
++
++optional_policy(`
++ nscd_socket_use(httpd_script_type)
++')
++
++read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++
++tunable_policy(`httpd_builtin_scripting',`
++ allow httpd_t httpd_content_type:dir search_dir_perms;
++ allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
++
++ allow httpd_t httpd_content_type:dir list_dir_perms;
++ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++
++ allow httpd_t httpd_content_type:dir list_dir_perms;
++ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++')
++
++tunable_policy(`httpd_use_openstack',`
++ corenet_tcp_connect_keystone_port(httpd_sys_script_t)
++ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
++ corenet_tcp_connect_glance_port(httpd_sys_script_t)
+ ')
+diff --git a/apcupsd.fc b/apcupsd.fc
+index cd07b96..f3506be 100644
+--- a/apcupsd.fc
++++ b/apcupsd.fc
+@@ -1,9 +1,13 @@
+ /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
++
+ /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+ /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
++/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
++
+ /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+ /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+
+@@ -13,3 +17,4 @@
+ /var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+ /var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+ /var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
++/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+diff --git a/apcupsd.if b/apcupsd.if
+index e342775..1fedbe5 100644
+--- a/apcupsd.if
++++ b/apcupsd.if
+@@ -123,6 +123,29 @@ interface(`apcupsd_cgi_script_domtrans',`
+
+ ########################################
+ ##
++## Execute apcupsd server in the apcupsd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`apcupsd_systemctl',`
++ gen_require(`
++ type apcupsd_t;
++ type apcupsd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 apcupsd_unit_file_t:file read_file_perms;
++ allow $1 apcupsd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, apcupsd_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an apcupsd environment
+ ##
+@@ -144,11 +167,16 @@ interface(`apcupsd_admin',`
+ type apcupsd_log_t, apcupsd_lock_t;
+ type apcupsd_var_run_t;
+ type apcupsd_initrc_exec_t;
++ type apcupsd_unit_file_t;
+ ')
+
+- allow $1 apcupsd_t:process { ptrace signal_perms };
++ allow $1 apcupsd_t:process signal_perms;
+ ps_process_pattern($1, apcupsd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 apcupsd_t:process ptrace;
++ ')
++
+ apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 apcupsd_initrc_exec_t system_r;
+@@ -165,4 +193,8 @@ interface(`apcupsd_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, apcupsd_var_run_t)
++
++ apcupsd_systemctl($1)
++ admin_pattern($1, apcupsd_unit_file_t)
++ allow $1 apcupsd_unit_file_t:service all_service_perms;
+ ')
+diff --git a/apcupsd.te b/apcupsd.te
+index d052bf0..8f2695f 100644
+--- a/apcupsd.te
++++ b/apcupsd.te
+@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
+ type apcupsd_var_run_t;
+ files_pid_file(apcupsd_var_run_t)
+
++type apcupsd_unit_file_t;
++systemd_unit_file(apcupsd_unit_file_t)
++
+ ########################################
+ #
+ # apcupsd local policy
+@@ -53,15 +56,16 @@ kernel_read_system_state(apcupsd_t)
+ corecmd_exec_bin(apcupsd_t)
+ corecmd_exec_shell(apcupsd_t)
+
+-corenet_all_recvfrom_unlabeled(apcupsd_t)
+ corenet_all_recvfrom_netlabel(apcupsd_t)
+ corenet_tcp_sendrecv_generic_if(apcupsd_t)
+ corenet_tcp_sendrecv_generic_node(apcupsd_t)
+ corenet_tcp_sendrecv_all_ports(apcupsd_t)
+ corenet_tcp_bind_generic_node(apcupsd_t)
+ corenet_tcp_bind_apcupsd_port(apcupsd_t)
++corenet_udp_bind_generic_node(apcupsd_t)
+ corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
+ corenet_tcp_connect_apcupsd_port(apcupsd_t)
++corenet_udp_bind_snmp_port(apcupsd_t)
+
+ dev_rw_generic_usb_dev(apcupsd_t)
+
+@@ -76,24 +80,29 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
+
+ # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
+ term_use_unallocated_ttys(apcupsd_t)
++term_use_usb_ttys(apcupsd_t)
+
+ #apcupsd runs shutdown, probably need a shutdown domain
+ init_rw_utmp(apcupsd_t)
+ init_telinit(apcupsd_t)
+
+-logging_send_syslog_msg(apcupsd_t)
++auth_read_passwd(apcupsd_t)
+
+-miscfiles_read_localization(apcupsd_t)
++logging_send_syslog_msg(apcupsd_t)
+
+ sysnet_dns_name_resolve(apcupsd_t)
+
+-userdom_use_user_ttys(apcupsd_t)
++userdom_use_inherited_user_ttys(apcupsd_t)
+
+ optional_policy(`
+ hostname_exec(apcupsd_t)
+ ')
+
+ optional_policy(`
++ shutdown_domtrans(apcupsd_t)
++')
++
++optional_policy(`
+ mta_send_mail(apcupsd_t)
+ mta_system_content(apcupsd_tmp_t)
+ ')
+@@ -113,7 +122,6 @@ optional_policy(`
+ allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+
+- corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
+ corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+diff --git a/apm.fc b/apm.fc
+index 0123777..5bfd421 100644
+--- a/apm.fc
++++ b/apm.fc
+@@ -1,3 +1,4 @@
++/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
+
+ #
+ # /usr
+@@ -14,6 +15,7 @@
+ /var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
+
+ /var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
++/var/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+ /var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+ /var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+ /var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
+diff --git a/apm.if b/apm.if
+index 1ea99b2..0b668ae 100644
+--- a/apm.if
++++ b/apm.if
+@@ -89,7 +89,7 @@ interface(`apm_append_log',`
+ ')
+
+ logging_search_logs($1)
+- allow $1 apmd_log_t:file append;
++ allow $1 apmd_log_t:file append_file_perms;
+ ')
+
+ ########################################
+@@ -108,6 +108,28 @@ interface(`apm_stream_connect',`
+ ')
+
+ files_search_pids($1)
+- allow $1 apmd_var_run_t:sock_file write;
+- allow $1 apmd_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
++')
++
++########################################
++##
++## Execute apmd server in the apmd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`apmd_systemctl',`
++ gen_require(`
++ type apmd_t;
++ type apmd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 apmd_unit_file_t:file read_file_perms;
++ allow $1 apmd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, apmd_t)
+ ')
+diff --git a/apm.te b/apm.te
+index 1c8c27e..4c09721 100644
+--- a/apm.te
++++ b/apm.te
+@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
+ #
+ # Declarations
+ #
++
+ type apmd_t;
+ type apmd_exec_t;
+ init_daemon_domain(apmd_t, apmd_exec_t)
+@@ -32,6 +33,9 @@ ifdef(`distro_suse',`
+ files_type(apmd_var_lib_t)
+ ')
+
++type apmd_unit_file_t;
++systemd_unit_file(apmd_unit_file_t)
++
+ ########################################
+ #
+ # apm client Local policy
+@@ -45,7 +49,7 @@ dev_rw_apm_bios(apm_t)
+
+ fs_getattr_xattr_fs(apm_t)
+
+-term_use_all_terms(apm_t)
++term_use_all_inherited_terms(apm_t)
+
+ domain_use_interactive_fds(apm_t)
+
+@@ -59,9 +63,10 @@ logging_send_syslog_msg(apm_t)
+ # mknod: controlling an orderly resume of PCMCIA requires creating device
+ # nodes 254,{0,1,2} for some reason.
+ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
++dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
+ allow apmd_t self:process { signal_perms getsession };
+ allow apmd_t self:fifo_file rw_fifo_file_perms;
++allow apmd_t self:netlink_socket create_socket_perms;
+ allow apmd_t self:unix_dgram_socket create_socket_perms;
+ allow apmd_t self:unix_stream_socket create_stream_socket_perms;
+
+@@ -81,6 +86,8 @@ kernel_rw_all_sysctls(apmd_t)
+ kernel_read_system_state(apmd_t)
+ kernel_write_proc_files(apmd_t)
+
++dev_read_input(apmd_t)
++dev_read_mouse(apmd_t)
+ dev_read_realtime_clock(apmd_t)
+ dev_read_urand(apmd_t)
+ dev_rw_apm_bios(apmd_t)
+@@ -96,8 +103,6 @@ fs_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+ fs_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
+ fs_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+
+-selinux_search_fs(apmd_t)
+-
+ corecmd_exec_all_executables(apmd_t)
+
+ domain_read_all_domains_state(apmd_t)
+@@ -114,6 +119,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+ files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
+ files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+
++auth_use_nsswitch(apmd_t)
++
+ init_domtrans_script(apmd_t)
+ init_rw_utmp(apmd_t)
+ init_telinit(apmd_t)
+@@ -124,13 +131,12 @@ libs_exec_lib_files(apmd_t)
+ logging_send_syslog_msg(apmd_t)
+ logging_send_audit_msgs(apmd_t)
+
+-miscfiles_read_localization(apmd_t)
+ miscfiles_read_hwdata(apmd_t)
+
+ modutils_domtrans_insmod(apmd_t)
+ modutils_read_module_config(apmd_t)
+
+-seutil_dontaudit_read_config(apmd_t)
++seutil_sigchld_newrole(apmd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(apmd_t)
+ userdom_dontaudit_search_user_home_dirs(apmd_t)
+@@ -142,9 +148,8 @@ ifdef(`distro_redhat',`
+
+ can_exec(apmd_t, apmd_var_run_t)
+
+- # ifconfig_exec_t needs to be run in its own domain for Red Hat
+ optional_policy(`
+- sysnet_domtrans_ifconfig(apmd_t)
++ fstools_domtrans(apmd_t)
+ ')
+
+ optional_policy(`
+@@ -155,6 +160,15 @@ ifdef(`distro_redhat',`
+ netutils_domtrans(apmd_t)
+ ')
+
++ # ifconfig_exec_t needs to be run in its own domain for Red Hat
++ optional_policy(`
++ sssd_search_lib(apmd_t)
++ ')
++
++ optional_policy(`
++ sysnet_domtrans_ifconfig(apmd_t)
++ ')
++
+ ',`
+ # for ifconfig which is run all the time
+ kernel_dontaudit_search_sysctl(apmd_t)
+@@ -181,6 +195,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ devicekit_manage_pid_files(apmd_t)
++ devicekit_manage_log_files(apmd_t)
++ devicekit_relabel_log_files(apmd_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(apmd_t)
+
+ optional_policy(`
+@@ -210,7 +230,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- seutil_sigchld_newrole(apmd_t)
++ shutdown_domtrans(apmd_t)
++')
++
++optional_policy(`
++ systemd_dbus_chat_logind(apmd_t)
+ ')
+
+ optional_policy(`
+diff --git a/apt.te b/apt.te
+index 8555315..af9bcbe 100644
+--- a/apt.te
++++ b/apt.te
+@@ -94,7 +94,6 @@ kernel_read_kernel_sysctls(apt_t)
+ corecmd_exec_bin(apt_t)
+ corecmd_exec_shell(apt_t)
+
+-corenet_all_recvfrom_unlabeled(apt_t)
+ corenet_all_recvfrom_netlabel(apt_t)
+ corenet_tcp_sendrecv_generic_if(apt_t)
+ corenet_udp_sendrecv_generic_if(apt_t)
+@@ -121,20 +120,18 @@ fs_getattr_all_fs(apt_t)
+
+ term_create_pty(apt_t, apt_devpts_t)
+ term_list_ptys(apt_t)
+-term_use_all_terms(apt_t)
++term_use_all_inherited_terms(apt_t)
+
+ libs_exec_ld_so(apt_t)
+ libs_exec_lib_files(apt_t)
+
+ logging_send_syslog_msg(apt_t)
+
+-miscfiles_read_localization(apt_t)
+-
+ seutil_use_newrole_fds(apt_t)
+
+ sysnet_read_config(apt_t)
+
+-userdom_use_user_terminals(apt_t)
++userdom_use_inherited_user_terminals(apt_t)
+
+ # with boolean, for cron-apt and such?
+ #optional_policy(`
+diff --git a/arpwatch.fc b/arpwatch.fc
+index a86a6c7..ab50afe 100644
+--- a/arpwatch.fc
++++ b/arpwatch.fc
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
++
+ #
+ # /usr
+ #
+diff --git a/arpwatch.if b/arpwatch.if
+index c804110..06a516f 100644
+--- a/arpwatch.if
++++ b/arpwatch.if
+@@ -115,6 +115,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
+
+ ########################################
+ ##
++## Execute arpwatch server in the arpwatch domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`arpwatch_systemctl',`
++ gen_require(`
++ type arpwatch_t;
++ type arpwatch_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 arpwatch_unit_file_t:file read_file_perms;
++ allow $1 arpwatch_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, arpwatch_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an arpwatch environment
+ ##
+@@ -135,11 +158,16 @@ interface(`arpwatch_admin',`
+ type arpwatch_t, arpwatch_tmp_t;
+ type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_initrc_exec_t;
++ type arpwatch_unit_file_t;
+ ')
+
+- allow $1 arpwatch_t:process { ptrace signal_perms getattr };
++ allow $1 arpwatch_t:process signal_perms;
+ ps_process_pattern($1, arpwatch_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 arpwatch_t:process ptrace;
++ ')
++
+ arpwatch_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 arpwatch_initrc_exec_t system_r;
+@@ -153,4 +181,8 @@ interface(`arpwatch_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, arpwatch_var_run_t)
++
++ arpwatch_systemctl($1)
++ admin_pattern($1, arpwatch_unit_file_t)
++ allow $1 arpwatch_unit_file_t:service all_service_perms;
+ ')
+diff --git a/arpwatch.te b/arpwatch.te
+index 804135f..8d012f7 100644
+--- a/arpwatch.te
++++ b/arpwatch.te
+@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
+ type arpwatch_var_run_t;
+ files_pid_file(arpwatch_var_run_t)
+
++type arpwatch_unit_file_t;
++systemd_unit_file(arpwatch_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -34,6 +37,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
+ allow arpwatch_t self:udp_socket create_socket_perms;
+ allow arpwatch_t self:packet_socket create_socket_perms;
+ allow arpwatch_t self:socket create_socket_perms;
++allow arpwatch_t self:netlink_socket create_socket_perms;
+
+ manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+ manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+@@ -47,12 +51,12 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+ files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+
+ kernel_read_network_state(arpwatch_t)
++# meminfo
++kernel_read_system_state(arpwatch_t)
+ kernel_read_kernel_sysctls(arpwatch_t)
+-kernel_list_proc(arpwatch_t)
+ kernel_read_proc_symlinks(arpwatch_t)
+ kernel_request_load_module(arpwatch_t)
+
+-corenet_all_recvfrom_unlabeled(arpwatch_t)
+ corenet_all_recvfrom_netlabel(arpwatch_t)
+ corenet_tcp_sendrecv_generic_if(arpwatch_t)
+ corenet_udp_sendrecv_generic_if(arpwatch_t)
+@@ -74,7 +78,6 @@ corecmd_read_bin_symlinks(arpwatch_t)
+
+ domain_use_interactive_fds(arpwatch_t)
+
+-files_read_etc_files(arpwatch_t)
+ files_read_usr_files(arpwatch_t)
+ files_search_var_lib(arpwatch_t)
+
+@@ -82,8 +85,6 @@ auth_use_nsswitch(arpwatch_t)
+
+ logging_send_syslog_msg(arpwatch_t)
+
+-miscfiles_read_localization(arpwatch_t)
+-
+ userdom_dontaudit_search_user_home_dirs(arpwatch_t)
+ userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
+
+diff --git a/asterisk.if b/asterisk.if
+index b6168fd..313c6e4 100644
+--- a/asterisk.if
++++ b/asterisk.if
+@@ -105,9 +105,13 @@ interface(`asterisk_admin',`
+ type asterisk_initrc_exec_t;
+ ')
+
+- allow $1 asterisk_t:process { ptrace signal_perms getattr };
++ allow $1 asterisk_t:process signal_perms;
+ ps_process_pattern($1, asterisk_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 asterisk_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 asterisk_initrc_exec_t system_r;
+diff --git a/asterisk.te b/asterisk.te
+index 159610b..164b672 100644
+--- a/asterisk.te
++++ b/asterisk.te
+@@ -20,10 +20,11 @@ type asterisk_log_t;
+ logging_log_file(asterisk_log_t)
+
+ type asterisk_spool_t;
+-files_type(asterisk_spool_t)
++files_spool_file(asterisk_spool_t)
+
+ type asterisk_tmp_t;
+ files_tmp_file(asterisk_tmp_t)
++mta_system_content(asterisk_tmp_t)
+
+ type asterisk_tmpfs_t;
+ files_tmpfs_file(asterisk_tmpfs_t)
+@@ -40,8 +41,8 @@ files_pid_file(asterisk_var_run_t)
+ #
+
+ # dac_override for /var/run/asterisk
+-allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin chown };
+-dontaudit asterisk_t self:capability sys_tty_config;
++allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
++dontaudit asterisk_t self:capability { sys_module sys_tty_config };
+ allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
+ allow asterisk_t self:fifo_file rw_fifo_file_perms;
+ allow asterisk_t self:sem create_sem_perms;
+@@ -77,11 +78,13 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+ manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
+ files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
+
++manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file })
+
++kernel_read_network_state(asterisk_t)
+ kernel_read_system_state(asterisk_t)
+ kernel_read_kernel_sysctls(asterisk_t)
+ kernel_request_load_module(asterisk_t)
+@@ -89,7 +92,6 @@ kernel_request_load_module(asterisk_t)
+ corecmd_exec_bin(asterisk_t)
+ corecmd_exec_shell(asterisk_t)
+
+-corenet_all_recvfrom_unlabeled(asterisk_t)
+ corenet_all_recvfrom_netlabel(asterisk_t)
+ corenet_tcp_sendrecv_generic_if(asterisk_t)
+ corenet_udp_sendrecv_generic_if(asterisk_t)
+@@ -109,9 +111,13 @@ corenet_tcp_bind_generic_port(asterisk_t)
+ corenet_udp_bind_generic_port(asterisk_t)
+ corenet_dontaudit_udp_bind_all_ports(asterisk_t)
+ corenet_sendrecv_generic_server_packets(asterisk_t)
++corenet_tcp_connect_festival_port(asterisk_t)
++corenet_tcp_connect_jabber_client_port(asterisk_t)
++corenet_tcp_connect_pktcable_port(asterisk_t)
+ corenet_tcp_connect_postgresql_port(asterisk_t)
+ corenet_tcp_connect_snmp_port(asterisk_t)
+ corenet_tcp_connect_sip_port(asterisk_t)
++corenet_tcp_connect_jabber_client_port(asterisk_t)
+
+ dev_rw_generic_usb_dev(asterisk_t)
+ dev_read_sysfs(asterisk_t)
+@@ -122,11 +128,11 @@ dev_read_urand(asterisk_t)
+
+ domain_use_interactive_fds(asterisk_t)
+
+-files_read_etc_files(asterisk_t)
+ files_search_spool(asterisk_t)
+ # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
+ # are labeled usr_t
+ files_read_usr_files(asterisk_t)
++files_dontaudit_search_home(asterisk_t)
+
+ fs_getattr_all_fs(asterisk_t)
+ fs_list_inotifyfs(asterisk_t)
+@@ -137,12 +143,14 @@ auth_use_nsswitch(asterisk_t)
+
+ logging_send_syslog_msg(asterisk_t)
+
+-miscfiles_read_localization(asterisk_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+ userdom_dontaudit_search_user_home_dirs(asterisk_t)
+
+ optional_policy(`
++ alsa_read_rw_config(asterisk_t)
++')
++
++optional_policy(`
+ mysql_stream_connect(asterisk_t)
+ ')
+
+diff --git a/authconfig.fc b/authconfig.fc
+new file mode 100644
+index 0000000..86bbf21
+--- /dev/null
++++ b/authconfig.fc
+@@ -0,0 +1,3 @@
++/usr/share/authconfig/authconfig.py -- gen_context(system_u:object_r:authconfig_exec_t,s0)
++
++/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0)
+diff --git a/authconfig.if b/authconfig.if
+new file mode 100644
+index 0000000..98ab9ed
+--- /dev/null
++++ b/authconfig.if
+@@ -0,0 +1,132 @@
++
++## policy for authconfig
++
++########################################
++##
++## Execute TEMPLATE in the authconfig domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`authconfig_domtrans',`
++ gen_require(`
++ type authconfig_t, authconfig_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, authconfig_exec_t, authconfig_t)
++')
++
++########################################
++##
++## Search authconfig lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authconfig_search_lib',`
++ gen_require(`
++ type authconfig_var_lib_t;
++ ')
++
++ allow $1 authconfig_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read authconfig lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authconfig_read_lib_files',`
++ gen_require(`
++ type authconfig_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
++')
++
++########################################
++##
++## Manage authconfig lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authconfig_manage_lib_files',`
++ gen_require(`
++ type authconfig_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
++')
++
++########################################
++##
++## Manage authconfig lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`authconfig_manage_lib_dirs',`
++ gen_require(`
++ type authconfig_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an authconfig environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`authconfig_admin',`
++ gen_require(`
++ type authconfig_t;
++ type authconfig_var_lib_t;
++ ')
++
++ allow $1 authconfig_t:process { ptrace signal_perms };
++ ps_process_pattern($1, authconfig_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, authconfig_var_lib_t)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/authconfig.te b/authconfig.te
+new file mode 100644
+index 0000000..aeea7cf
+--- /dev/null
++++ b/authconfig.te
+@@ -0,0 +1,33 @@
++policy_module(authconfig, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type authconfig_t;
++type authconfig_exec_t;
++application_domain(authconfig_t, authconfig_exec_t)
++
++type authconfig_var_lib_t;
++files_type(authconfig_var_lib_t)
++
++########################################
++#
++# authconfig local policy
++#
++allow authconfig_t self:fifo_file rw_fifo_file_perms;
++allow authconfig_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
++manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
++manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
++files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
++
++domain_use_interactive_fds(authconfig_t)
++
++files_read_etc_files(authconfig_t)
++
++init_domtrans_script(authconfig_t)
++
++unconfined_domain_noaudit(authconfig_t)
+diff --git a/automount.fc b/automount.fc
+index f16ab68..e4178a4 100644
+--- a/automount.fc
++++ b/automount.fc
+@@ -4,6 +4,8 @@
+ /etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
+ /etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0)
++
+ #
+ # /usr
+ #
+diff --git a/automount.if b/automount.if
+index d80a16b..ef740ef 100644
+--- a/automount.if
++++ b/automount.if
+@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
+ ##
+ ##
+ #
+-#
+ interface(`automount_signal',`
+ gen_require(`
+ type automount_t;
+@@ -123,7 +122,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
+ type automount_tmp_t;
+ ')
+
+- dontaudit $1 automount_tmp_t:dir getattr;
++ dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
++')
++
++########################################
++##
++## Execute automount server in the automount domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`automount_systemctl',`
++ gen_require(`
++ type automount_t;
++ type automount_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 automount_unit_file_t:file read_file_perms;
++ allow $1 automount_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, automount_t)
+ ')
+
+ ########################################
+@@ -147,11 +169,16 @@ interface(`automount_admin',`
+ gen_require(`
+ type automount_t, automount_lock_t, automount_tmp_t;
+ type automount_var_run_t, automount_initrc_exec_t;
++ type automount_unit_file_t;
+ ')
+
+- allow $1 automount_t:process { ptrace signal_perms getattr };
++ allow $1 automount_t:process signal_perms;
+ ps_process_pattern($1, automount_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 automount_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, automount_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 automount_initrc_exec_t system_r;
+@@ -165,4 +192,8 @@ interface(`automount_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, automount_var_run_t)
++
++ automount_systemctl($1)
++ admin_pattern($1, automount_unit_file_t)
++ allow $1 automount_unit_file_t:service all_service_perms;
+ ')
+diff --git a/automount.te b/automount.te
+index 39799db..6264256 100644
+--- a/automount.te
++++ b/automount.te
+@@ -22,6 +22,9 @@ type automount_tmp_t;
+ files_tmp_file(automount_tmp_t)
+ files_mountpoint(automount_tmp_t)
+
++type automount_unit_file_t;
++systemd_unit_file(automount_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -56,14 +59,17 @@ manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+ files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
+
+ kernel_read_kernel_sysctls(automount_t)
++kernel_read_vm_sysctls(automount_t)
+ kernel_read_irq_sysctls(automount_t)
+ kernel_read_fs_sysctls(automount_t)
+ kernel_read_proc_symlinks(automount_t)
+ kernel_read_system_state(automount_t)
+ kernel_read_network_state(automount_t)
++kernel_search_vm_sysctl(automount_t)
+ kernel_list_proc(automount_t)
+ kernel_dontaudit_search_xen_state(automount_t)
+
++files_read_usr_files(automount_t)
+ files_search_boot(automount_t)
+ # Automount is slowly adding all mount functionality internally
+ files_search_all(automount_t)
+@@ -79,7 +85,6 @@ fs_search_all(automount_t)
+ corecmd_exec_bin(automount_t)
+ corecmd_exec_shell(automount_t)
+
+-corenet_all_recvfrom_unlabeled(automount_t)
+ corenet_all_recvfrom_netlabel(automount_t)
+ corenet_tcp_sendrecv_generic_if(automount_t)
+ corenet_udp_sendrecv_generic_if(automount_t)
+@@ -113,7 +118,6 @@ files_dontaudit_write_var_dirs(automount_t)
+ files_getattr_all_dirs(automount_t)
+ files_list_mnt(automount_t)
+ files_getattr_home_dir(automount_t)
+-files_read_etc_files(automount_t)
+ files_read_etc_runtime_files(automount_t)
+ # for if the mount point is not labelled
+ files_getattr_isid_type_dirs(automount_t)
+@@ -140,13 +144,8 @@ auth_use_nsswitch(automount_t)
+ logging_send_syslog_msg(automount_t)
+ logging_search_logs(automount_t)
+
+-miscfiles_read_localization(automount_t)
+ miscfiles_read_generic_certs(automount_t)
+
+-# Run mount in the mount_t domain.
+-mount_domtrans(automount_t)
+-mount_signal(automount_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(automount_t)
+ userdom_dontaudit_search_user_home_dirs(automount_t)
+
+@@ -155,6 +154,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # Run mount in the mount_t domain.
++ mount_domtrans(automount_t)
++ mount_domtrans_showmount(automount_t)
++ mount_signal(automount_t)
++')
++
++optional_policy(`
+ fstools_domtrans(automount_t)
+ ')
+
+diff --git a/avahi.fc b/avahi.fc
+index 7e36549..010b2bc 100644
+--- a/avahi.fc
++++ b/avahi.fc
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
++
+ /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
+ /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+ /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+diff --git a/avahi.if b/avahi.if
+index 61c74bc..17b3ecc 100644
+--- a/avahi.if
++++ b/avahi.if
+@@ -133,6 +133,29 @@ interface(`avahi_dontaudit_search_pid',`
+
+ ########################################
+ ##
++## Execute avahi server in the avahi domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`avahi_systemctl',`
++ gen_require(`
++ type avahi_t;
++ type avahi_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 avahi_unit_file_t:file read_file_perms;
++ allow $1 avahi_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, avahi_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an avahi environment
+ ##
+@@ -151,11 +174,16 @@ interface(`avahi_dontaudit_search_pid',`
+ interface(`avahi_admin',`
+ gen_require(`
+ type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
++ type avahi_unit_file_t;
+ ')
+
+- allow $1 avahi_t:process { ptrace signal_perms };
++ allow $1 avahi_t:process signal_perms;
+ ps_process_pattern($1, avahi_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 avahi_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 avahi_initrc_exec_t system_r;
+@@ -163,4 +191,8 @@ interface(`avahi_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, avahi_var_run_t)
++
++ avahi_systemctl($1)
++ admin_pattern($1, avahi_unit_file_t)
++ allow $1 avahi_unit_file_t:service all_service_perms;
+ ')
+diff --git a/avahi.te b/avahi.te
+index a7a0e71..34bc1be 100644
+--- a/avahi.te
++++ b/avahi.te
+@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
+
+ type avahi_var_run_t;
+ files_pid_file(avahi_var_run_t)
++init_sock_file(avahi_var_run_t)
++
++type avahi_unit_file_t;
++systemd_unit_file(avahi_unit_file_t)
+
+ ########################################
+ #
+@@ -46,11 +50,11 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
+ kernel_read_system_state(avahi_t)
+ kernel_read_kernel_sysctls(avahi_t)
+ kernel_read_network_state(avahi_t)
++kernel_request_load_module(avahi_t)
+
+ corecmd_exec_bin(avahi_t)
+ corecmd_exec_shell(avahi_t)
+
+-corenet_all_recvfrom_unlabeled(avahi_t)
+ corenet_all_recvfrom_netlabel(avahi_t)
+ corenet_tcp_sendrecv_generic_if(avahi_t)
+ corenet_udp_sendrecv_generic_if(avahi_t)
+@@ -73,8 +77,8 @@ fs_search_auto_mountpoints(avahi_t)
+ fs_list_inotifyfs(avahi_t)
+
+ domain_use_interactive_fds(avahi_t)
++domain_dontaudit_signull_all_domains(avahi_t)
+
+-files_read_etc_files(avahi_t)
+ files_read_etc_runtime_files(avahi_t)
+ files_read_usr_files(avahi_t)
+
+@@ -85,13 +89,14 @@ init_signull_script(avahi_t)
+
+ logging_send_syslog_msg(avahi_t)
+
+-miscfiles_read_localization(avahi_t)
+ miscfiles_read_generic_certs(avahi_t)
+
+ sysnet_domtrans_ifconfig(avahi_t)
+ sysnet_manage_config(avahi_t)
+ sysnet_etc_filetrans_config(avahi_t)
+
++systemd_login_signull(avahi_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(avahi_t)
+ userdom_dontaudit_search_user_home_dirs(avahi_t)
+
+@@ -104,6 +109,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rpcbind_signull(avahi_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(avahi_t)
+ ')
+
+diff --git a/awstats.if b/awstats.if
+index 283ff0d..53f9ba1 100644
+--- a/awstats.if
++++ b/awstats.if
+@@ -5,6 +5,25 @@
+
+ ########################################
+ ##
++## Execute the awstats program in the awstats domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`awstats_domtrans',`
++ gen_require(`
++ type awstats_t, awstats_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, awstats_exec_t, awstats_t)
++')
++
++########################################
++##
+ ## Read and write awstats unnamed pipes.
+ ##
+ ##
+diff --git a/awstats.te b/awstats.te
+index 6bd3ad3..9cd42eb 100644
+--- a/awstats.te
++++ b/awstats.te
+@@ -5,6 +5,13 @@ policy_module(awstats, 1.4.0)
+ # Declarations
+ #
+
++##
++##
++## Allow awstats to purge Apache logs
++##
++##
++gen_tunable(awstats_purge_apache_log, false)
++
+ type awstats_t;
+ type awstats_exec_t;
+ domain_type(awstats_t)
+@@ -17,8 +24,6 @@ files_tmp_file(awstats_tmp_t)
+ type awstats_var_lib_t;
+ files_type(awstats_var_lib_t)
+
+-apache_content_template(awstats)
+-
+ ########################################
+ #
+ # awstats policy
+@@ -55,11 +60,15 @@ libs_read_lib_files(awstats_t)
+
+ logging_read_generic_logs(awstats_t)
+
+-miscfiles_read_localization(awstats_t)
+-
+ sysnet_dns_name_resolve(awstats_t)
+
+-apache_read_log(awstats_t)
++tunable_policy(`awstats_purge_apache_log',`
++ apache_write_log(awstats_t)
++')
++
++optional_policy(`
++ apache_read_log(awstats_t)
++')
+
+ optional_policy(`
+ cron_system_entry(awstats_t, awstats_exec_t)
+@@ -79,7 +88,16 @@ optional_policy(`
+ # awstats cgi script policy
+ #
+
+-allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
++optional_policy(`
++ apache_content_template(awstats)
++ apache_read_log(httpd_awstats_script_t)
++
++ manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
++ manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
++ files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file })
+
+-read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+-files_search_var_lib(httpd_awstats_script_t)
++ allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
++
++ read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
++ files_search_var_lib(httpd_awstats_script_t)
++')
+diff --git a/backup.te b/backup.te
+index 0bfc958..81fc8bd 100644
+--- a/backup.te
++++ b/backup.te
+@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(backup_t)
+ corecmd_exec_bin(backup_t)
+ corecmd_exec_shell(backup_t)
+
+-corenet_all_recvfrom_unlabeled(backup_t)
+ corenet_all_recvfrom_netlabel(backup_t)
+ corenet_tcp_sendrecv_generic_if(backup_t)
+ corenet_udp_sendrecv_generic_if(backup_t)
+@@ -70,7 +69,7 @@ logging_send_syslog_msg(backup_t)
+
+ sysnet_read_config(backup_t)
+
+-userdom_use_user_terminals(backup_t)
++userdom_use_inherited_user_terminals(backup_t)
+
+ optional_policy(`
+ cron_system_entry(backup_t, backup_exec_t)
+diff --git a/bacula.te b/bacula.te
+index fc4ba2a..813e5c1 100644
+--- a/bacula.te
++++ b/bacula.te
+@@ -111,7 +111,6 @@ domain_use_interactive_fds(bacula_admin_t)
+
+ files_read_etc_files(bacula_admin_t)
+
+-miscfiles_read_localization(bacula_admin_t)
+
+ sysnet_dns_name_resolve(bacula_admin_t)
+
+diff --git a/bcfg2.fc b/bcfg2.fc
+index f5413da..9e06a9d 100644
+--- a/bcfg2.fc
++++ b/bcfg2.fc
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
++
+ /usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
+
+ /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
+diff --git a/bcfg2.if b/bcfg2.if
+index b289d93..070f22b 100644
+--- a/bcfg2.if
++++ b/bcfg2.if
+@@ -115,6 +115,31 @@ interface(`bcfg2_manage_lib_dirs',`
+
+ ########################################
+ ##
++## Execute bcfg2 server in the bcfg2 domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`bcfg2_systemctl',`
++ gen_require(`
++ type bcfg2_t;
++ type bcfg2_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 bcfg2_unit_file_t:file read_file_perms;
++ allow $1 bcfg2_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, bcfg2_t)
++')
++
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an bcfg2 environment
+ ##
+@@ -135,6 +160,7 @@ interface(`bcfg2_admin',`
+ type bcfg2_t;
+ type bcfg2_initrc_exec_t;
+ type bcfg2_var_lib_t;
++ type bcfg2_unit_file_t;
+ ')
+
+ allow $1 bcfg2_t:process { ptrace signal_perms };
+@@ -147,4 +173,13 @@ interface(`bcfg2_admin',`
+
+ files_search_var_lib($1)
+ admin_pattern($1, bcfg2_var_lib_t)
++
++ bcfg2_systemctl($1)
++ admin_pattern($1, bcfg2_unit_file_t)
++ allow $1 bcfg2_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
+ ')
+diff --git a/bcfg2.te b/bcfg2.te
+index cf8e59f..ad57d4a 100644
+--- a/bcfg2.te
++++ b/bcfg2.te
+@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
+ type bcfg2_var_lib_t;
+ files_type(bcfg2_var_lib_t)
+
++type bcfg2_unit_file_t;
++systemd_unit_file(bcfg2_unit_file_t)
++
+ type bcfg2_var_run_t;
+ files_pid_file(bcfg2_var_run_t)
+
+@@ -36,6 +39,8 @@ files_pid_filetrans(bcfg2_t, bcfg2_var_run_t, file )
+
+ kernel_read_system_state(bcfg2_t)
+
++corenet_tcp_bind_cyphesis_port(bcfg2_t)
++
+ corecmd_exec_bin(bcfg2_t)
+
+ dev_read_urand(bcfg2_t)
+@@ -47,5 +52,3 @@ files_read_usr_files(bcfg2_t)
+ auth_use_nsswitch(bcfg2_t)
+
+ logging_send_syslog_msg(bcfg2_t)
+-
+-miscfiles_read_localization(bcfg2_t)
+diff --git a/bind.fc b/bind.fc
+index 59aa54f..b01072c 100644
+--- a/bind.fc
++++ b/bind.fc
+@@ -4,6 +4,11 @@
+ /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
+ /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
++/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
++/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
++
++/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
++/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
+
+ /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
+ /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+diff --git a/bind.if b/bind.if
+index 44a1e3d..bc50fd6 100644
+--- a/bind.if
++++ b/bind.if
+@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute bind server in the bind domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`bind_systemctl',`
++ gen_require(`
++ type named_unit_file_t;
++ type named_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 named_unit_file_t:file read_file_perms;
++ allow $1 named_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, named_t)
++')
++
++########################################
++##
+ ## Execute ndc in the ndc domain.
+ ##
+ ##
+@@ -167,6 +190,7 @@ interface(`bind_read_config',`
+ type named_conf_t;
+ ')
+
++ allow $1 named_conf_t:dir list_dir_perms;
+ read_files_pattern($1, named_conf_t, named_conf_t)
+ ')
+
+@@ -186,7 +210,7 @@ interface(`bind_write_config',`
+ ')
+
+ write_files_pattern($1, named_conf_t, named_conf_t)
+- allow $1 named_conf_t:file setattr;
++ allow $1 named_conf_t:file setattr_file_perms;
+ ')
+
+ ########################################
+@@ -210,6 +234,25 @@ interface(`bind_manage_config_dirs',`
+
+ ########################################
+ ##
++## Create, read, write, and delete
++## BIND configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bind_manage_config',`
++ gen_require(`
++ type named_conf_t;
++ ')
++
++ manage_files_pattern($1, named_conf_t, named_conf_t)
++')
++
++########################################
++##
+ ## Search the BIND cache directory.
+ ##
+ ##
+@@ -266,7 +309,7 @@ interface(`bind_setattr_pid_dirs',`
+ type named_var_run_t;
+ ')
+
+- allow $1 named_var_run_t:dir setattr;
++ allow $1 named_var_run_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -284,7 +327,7 @@ interface(`bind_setattr_zone_dirs',`
+ type named_zone_t;
+ ')
+
+- allow $1 named_zone_t:dir setattr;
++ allow $1 named_zone_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -308,6 +351,27 @@ interface(`bind_read_zone',`
+
+ ########################################
+ ##
++## Read BIND zone files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bind_read_log',`
++ gen_require(`
++ type named_zone_t;
++ type named_log_t;
++ ')
++
++ files_search_var($1)
++ allow $1 named_zone_t:dir search_dir_perms;
++ read_files_pattern($1, named_log_t, named_log_t)
++')
++
++########################################
++##
+ ## Manage BIND zone files.
+ ##
+ ##
+@@ -359,18 +423,26 @@ interface(`bind_udp_chat_named',`
+ interface(`bind_admin',`
+ gen_require(`
+ type named_t, named_tmp_t, named_log_t;
+- type named_conf_t, named_var_lib_t, named_var_run_t;
+- type named_cache_t, named_zone_t;
+- type dnssec_t, ndc_t;
+- type named_initrc_exec_t;
++ type named_conf_t, named_var_run_t, named_cache_t;
++ type named_zone_t, named_initrc_exec_t;
++ type dnssec_t, ndc_t, named_keytab_t;
++ type named_unit_file_t;
+ ')
+
+- allow $1 named_t:process { ptrace signal_perms };
++ allow $1 named_t:process signal_perms;
+ ps_process_pattern($1, named_t)
+
+- allow $1 ndc_t:process { ptrace signal_perms };
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 named_t:process ptrace;
++ ')
++
++ allow $1 ndc_t:process signal_perms;
+ ps_process_pattern($1, ndc_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ndc_t:process ptrace;
++ ')
++
+ bind_run_ndc($1, $2)
+
+ init_labeled_script_domtrans($1, named_initrc_exec_t)
+@@ -391,9 +463,12 @@ interface(`bind_admin',`
+ admin_pattern($1, named_zone_t)
+ admin_pattern($1, dnssec_t)
+
+- files_list_var_lib($1)
+- admin_pattern($1, named_var_lib_t)
++ admin_pattern($1, named_keytab_t)
+
+ files_list_pids($1)
+ admin_pattern($1, named_var_run_t)
++
++ admin_pattern($1, named_unit_file_t)
++ bind_systemctl($1)
++ allow $1 named_unit_file_t:service all_service_perms;
+ ')
+diff --git a/bind.te b/bind.te
+index 0968cb4..70bebb1 100644
+--- a/bind.te
++++ b/bind.te
+@@ -6,6 +6,13 @@ policy_module(bind, 1.11.0)
+ #
+
+ ##
++##
++## Allow BIND to bind apache port.
++##
++##
++gen_tunable(named_bind_http_port, false)
++
++##
+ ##
+ ## Allow BIND to write the master zone files.
+ ## Generally this is used for dynamic DNS or zone transfers.
+@@ -16,6 +23,7 @@ gen_tunable(named_write_master_zones, false)
+ # for DNSSEC key files
+ type dnssec_t;
+ files_security_file(dnssec_t)
++files_mountpoint(dnssec_t)
+
+ type named_t;
+ type named_exec_t;
+@@ -27,7 +35,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
+
+ # A type for configuration files of named.
+ type named_conf_t;
+-files_type(named_conf_t)
++files_config_file(named_conf_t)
+ files_mountpoint(named_conf_t)
+
+ # for secondary zone files
+@@ -37,6 +45,9 @@ files_type(named_cache_t)
+ type named_initrc_exec_t;
+ init_script_file(named_initrc_exec_t)
+
++type named_unit_file_t;
++systemd_unit_file(named_unit_file_t)
++
+ type named_log_t;
+ logging_log_file(named_log_t)
+
+@@ -89,9 +100,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+ manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
+ files_tmp_filetrans(named_t, named_tmp_t, { file dir })
+
++manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t)
+ manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
+ manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
+-files_pid_filetrans(named_t, named_var_run_t, { file sock_file })
++files_pid_filetrans(named_t, named_var_run_t, { file sock_file dir })
+
+ # read zone files
+ allow named_t named_zone_t:dir list_dir_perms;
+@@ -104,7 +116,6 @@ kernel_read_network_state(named_t)
+
+ corecmd_search_bin(named_t)
+
+-corenet_all_recvfrom_unlabeled(named_t)
+ corenet_all_recvfrom_netlabel(named_t)
+ corenet_tcp_sendrecv_generic_if(named_t)
+ corenet_udp_sendrecv_generic_if(named_t)
+@@ -131,7 +142,6 @@ dev_read_urand(named_t)
+
+ domain_use_interactive_fds(named_t)
+
+-files_read_etc_files(named_t)
+ files_read_etc_runtime_files(named_t)
+
+ fs_getattr_all_fs(named_t)
+@@ -141,12 +151,15 @@ auth_use_nsswitch(named_t)
+
+ logging_send_syslog_msg(named_t)
+
+-miscfiles_read_localization(named_t)
+ miscfiles_read_generic_certs(named_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(named_t)
+ userdom_dontaudit_search_user_home_dirs(named_t)
+
++tunable_policy(`named_bind_http_port',`
++ corenet_tcp_bind_http_port(named_t)
++')
++
+ tunable_policy(`named_write_master_zones',`
+ manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
+ manage_files_pattern(named_t, named_zone_t, named_zone_t)
+@@ -154,6 +167,12 @@ tunable_policy(`named_write_master_zones',`
+ ')
+
+ optional_policy(`
++ # needed by FreeIPA with DNS support
++ dirsrv_stream_connect(named_t)
++ ldap_stream_connect(named_t)
++')
++
++optional_policy(`
+ init_dbus_chat_script(named_t)
+
+ sysnet_dbus_chat_dhcpc(named_t)
+@@ -168,6 +187,7 @@ optional_policy(`
+
+ optional_policy(`
+ kerberos_keytab_template(named, named_t)
++ kerberos_tmp_filetrans_host_rcache(named_t, "DNS_25")
+ ')
+
+ optional_policy(`
+@@ -199,6 +219,7 @@ optional_policy(`
+
+ # cjp: why net_admin?!
+ allow ndc_t self:capability { dac_override net_admin };
++allow ndc_t self:capability2 block_suspend;
+ allow ndc_t self:process { fork signal_perms };
+ allow ndc_t self:fifo_file rw_fifo_file_perms;
+ allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
+@@ -211,13 +232,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
+ stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
+
+ allow ndc_t named_conf_t:file read_file_perms;
+-allow ndc_t named_conf_t:lnk_file { getattr read };
++allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+
+ allow ndc_t named_zone_t:dir search_dir_perms;
+
++kernel_read_system_state(ndc_t)
+ kernel_read_kernel_sysctls(ndc_t)
+
+-corenet_all_recvfrom_unlabeled(ndc_t)
+ corenet_all_recvfrom_netlabel(ndc_t)
+ corenet_tcp_sendrecv_generic_if(ndc_t)
+ corenet_tcp_sendrecv_generic_node(ndc_t)
+@@ -228,28 +249,26 @@ corenet_sendrecv_rndc_client_packets(ndc_t)
+
+ domain_use_interactive_fds(ndc_t)
+
+-files_read_etc_files(ndc_t)
+ files_search_pids(ndc_t)
+
+ fs_getattr_xattr_fs(ndc_t)
+
++auth_use_nsswitch(ndc_t)
++
+ init_use_fds(ndc_t)
+ init_use_script_ptys(ndc_t)
+
+ logging_send_syslog_msg(ndc_t)
+
+-miscfiles_read_localization(ndc_t)
++userdom_use_inherited_user_terminals(ndc_t)
+
+ sysnet_read_config(ndc_t)
+-sysnet_dns_name_resolve(ndc_t)
+-
+-userdom_use_user_terminals(ndc_t)
+
+ term_dontaudit_use_console(ndc_t)
+
+ # for /etc/rndc.key
+ ifdef(`distro_redhat',`
+- allow ndc_t named_conf_t:dir search;
++ allow ndc_t named_conf_t:dir search_dir_perms;
+ ')
+
+ optional_policy(`
+diff --git a/bitlbee.fc b/bitlbee.fc
+index 0197980..909ce04 100644
+--- a/bitlbee.fc
++++ b/bitlbee.fc
+@@ -1,6 +1,13 @@
+ /etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
+ /etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
+
++/usr/bin/bip -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+ /usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+
+ /var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
++
++/var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0)
++
++/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
++/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
++/var/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+diff --git a/bitlbee.if b/bitlbee.if
+index de0bd67..1df2048 100644
+--- a/bitlbee.if
++++ b/bitlbee.if
+@@ -43,9 +43,13 @@ interface(`bitlbee_admin',`
+ type bitlbee_initrc_exec_t;
+ ')
+
+- allow $1 bitlbee_t:process { ptrace signal_perms };
++ allow $1 bitlbee_t:process signal_perms;
+ ps_process_pattern($1, bitlbee_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 bitlbee_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bitlbee_initrc_exec_t system_r;
+diff --git a/bitlbee.te b/bitlbee.te
+index f4e7ad3..8e85e9d 100644
+--- a/bitlbee.te
++++ b/bitlbee.te
+@@ -22,36 +22,57 @@ files_tmp_file(bitlbee_tmp_t)
+ type bitlbee_var_t;
+ files_type(bitlbee_var_t)
+
++type bitlbee_log_t;
++logging_log_file(bitlbee_log_t)
++
++type bitlbee_var_run_t;
++files_pid_file(bitlbee_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+-allow bitlbee_t self:capability { setgid setuid };
+-allow bitlbee_t self:process signal;
++allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
++allow bitlbee_t self:process { setsched signal };
++
++allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+ allow bitlbee_t self:udp_socket create_socket_perms;
+ allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+ allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+-allow bitlbee_t self:fifo_file rw_fifo_file_perms;
++allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
+
+ bitlbee_read_config(bitlbee_t)
+
+ # tmp files
+ manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+-files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
++manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
++files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
+
+ # user account information is read and edited at runtime; give the usual
+ # r/w access to bitlbee_var_t
+ manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+ files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+
++# log files
++manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
++manage_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
++
++manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
++manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
++manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
++files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
++
+ kernel_read_system_state(bitlbee_t)
++kernel_read_kernel_sysctls(bitlbee_t)
+
+-corenet_all_recvfrom_unlabeled(bitlbee_t)
+ corenet_udp_sendrecv_generic_if(bitlbee_t)
+ corenet_udp_sendrecv_generic_node(bitlbee_t)
+ corenet_tcp_sendrecv_generic_if(bitlbee_t)
+ corenet_tcp_sendrecv_generic_node(bitlbee_t)
++corenet_tcp_bind_generic_node(bitlbee_t)
++corenet_tcp_connect_gatekeeper_port(bitlbee_t)
++corenet_tcp_connect_ircd_port(bitlbee_t)
+ # Allow bitlbee to connect to jabber servers
+ corenet_tcp_connect_jabber_client_port(bitlbee_t)
+ corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+@@ -69,11 +90,15 @@ corenet_tcp_connect_http_port(bitlbee_t)
+ corenet_tcp_sendrecv_http_port(bitlbee_t)
+ corenet_tcp_connect_http_cache_port(bitlbee_t)
+ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
++corenet_tcp_bind_ircd_port(bitlbee_t)
++corenet_tcp_sendrecv_ircd_port(bitlbee_t)
++corenet_sendrecv_ircd_server_packets(bitlbee_t)
++corenet_tcp_bind_interwise_port(bitlbee_t)
++corenet_tcp_sendrecv_interwise_port(bitlbee_t)
+
+ dev_read_rand(bitlbee_t)
+ dev_read_urand(bitlbee_t)
+
+-files_read_etc_files(bitlbee_t)
+ files_search_pids(bitlbee_t)
+ # grant read-only access to the user help files
+ files_read_usr_files(bitlbee_t)
+@@ -84,10 +109,6 @@ auth_use_nsswitch(bitlbee_t)
+
+ logging_send_syslog_msg(bitlbee_t)
+
+-miscfiles_read_localization(bitlbee_t)
+-
+-sysnet_dns_name_resolve(bitlbee_t)
+-
+ optional_policy(`
+ # normally started from inetd using tcpwrappers, so use those entry points
+ tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
+diff --git a/blueman.fc b/blueman.fc
+index 6355318..98ba16a 100644
+--- a/blueman.fc
++++ b/blueman.fc
+@@ -1,3 +1,4 @@
++
+ /usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
+
+ /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
+diff --git a/blueman.te b/blueman.te
+index 70969fa..4d18e6e 100644
+--- a/blueman.te
++++ b/blueman.te
+@@ -7,23 +7,35 @@ policy_module(blueman, 1.0.0)
+
+ type blueman_t;
+ type blueman_exec_t;
+-dbus_system_domain(blueman_t, blueman_exec_t)
+ init_daemon_domain(blueman_t, blueman_exec_t)
+
+ type blueman_var_lib_t;
+ files_type(blueman_var_lib_t)
+
++type blueman_var_run_t;
++files_pid_file(blueman_var_run_t)
++
+ ########################################
+ #
+ # blueman local policy
+ #
++
++allow blueman_t self:capability { net_admin sys_nice };
++allow blueman_t self:process { signal_perms setsched };
++
+ allow blueman_t self:fifo_file rw_fifo_file_perms;
+
+ manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
+ manage_files_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
+ files_var_lib_filetrans(blueman_t, blueman_var_lib_t, dir)
+
++manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
++manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
++files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
++
+ kernel_read_system_state(blueman_t)
++kernel_request_load_module(blueman_t)
++kernel_read_net_sysctls(blueman_t)
+
+ corecmd_exec_bin(blueman_t)
+
+@@ -34,13 +46,36 @@ dev_rw_wireless(blueman_t)
+ domain_use_interactive_fds(blueman_t)
+
+ files_read_usr_files(blueman_t)
++files_list_tmp(blueman_t)
+
+ auth_use_nsswitch(blueman_t)
+
+ logging_send_syslog_msg(blueman_t)
+
+-miscfiles_read_localization(blueman_t)
++sysnet_domtrans_ifconfig(blueman_t)
++sysnet_dns_name_resolve(blueman_t)
+
+ optional_policy(`
+ avahi_domtrans(blueman_t)
+ ')
++
++optional_policy(`
++ dbus_system_domain(blueman_t, blueman_exec_t)
++')
++
++optional_policy(`
++ dnsmasq_domtrans(blueman_t)
++ dnsmasq_read_pid_files(blueman_t)
++')
++
++optional_policy(`
++ gnome_search_gconf(blueman_t)
++')
++
++optional_policy(`
++ iptables_domtrans(blueman_t)
++')
++
++optional_policy(`
++ xserver_read_state_xdm(blueman_t)
++')
+diff --git a/bluetooth.fc b/bluetooth.fc
+index dc687e6..e0255eb 100644
+--- a/bluetooth.fc
++++ b/bluetooth.fc
+@@ -7,6 +7,8 @@
+ /etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
++
+ #
+ # /usr
+ #
+diff --git a/bluetooth.if b/bluetooth.if
+index 3e45431..758bd64 100644
+--- a/bluetooth.if
++++ b/bluetooth.if
+@@ -27,7 +27,11 @@ interface(`bluetooth_role',`
+
+ # allow ps to show cdrecord and allow the user to kill it
+ ps_process_pattern($2, bluetooth_helper_t)
+- allow $2 bluetooth_helper_t:process signal;
++ allow $2 bluetooth_helper_t:process signal_perms;
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 bluetooth_helper_t:process ptrace;
++ ')
+
+ manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+ manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+@@ -35,6 +39,8 @@ interface(`bluetooth_role',`
+
+ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
++
++ bluetooth_stream_connect($2)
+ ')
+
+ #####################################
+@@ -91,7 +97,7 @@ interface(`bluetooth_read_config',`
+ type bluetooth_conf_t;
+ ')
+
+- allow $1 bluetooth_conf_t:file { getattr read ioctl };
++ allow $1 bluetooth_conf_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -117,6 +123,27 @@ interface(`bluetooth_dbus_chat',`
+
+ ########################################
+ ##
++## dontaudit Send and receive messages from
++## bluetooth over dbus.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`bluetooth_dontaudit_dbus_chat',`
++ gen_require(`
++ type bluetooth_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 bluetooth_t:dbus send_msg;
++ dontaudit bluetooth_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
+ ##
+ ##
+@@ -157,7 +184,7 @@ interface(`bluetooth_run_helper',`
+
+ ########################################
+ ##
+-## Read bluetooth helper state files.
++## Do not audit attempts to read bluetooth helper state files.
+ ##
+ ##
+ ##
+@@ -170,8 +197,31 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+ type bluetooth_helper_t;
+ ')
+
+- dontaudit $1 bluetooth_helper_t:dir search;
+- dontaudit $1 bluetooth_helper_t:file { read getattr };
++ dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
++ dontaudit $1 bluetooth_helper_t:file read_file_perms;
++')
++
++########################################
++##
++## Execute bluetooth server in the bluetooth domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`bluetooth_systemctl',`
++ gen_require(`
++ type bluetooth_t;
++ type bluetooth_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 bluetooth_unit_file_t:file read_file_perms;
++ allow $1 bluetooth_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, bluetooth_t)
+ ')
+
+ ########################################
+@@ -193,15 +243,19 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+ #
+ interface(`bluetooth_admin',`
+ gen_require(`
+- type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
+- type bluetooth_conf_t, bluetooth_conf_rw_t;
+- type bluetooth_initrc_exec_t;
++ type bluetooth_t, bluetooth_lock_t, bluetooth_spool_t;
++ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
++ type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_tmp_t;
++ type bluetooth_unit_file_t;
+ ')
+
+- allow $1 bluetooth_t:process { ptrace signal_perms };
++ allow $1 bluetooth_t:process signal_perms;
+ ps_process_pattern($1, bluetooth_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 bluetooth_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bluetooth_initrc_exec_t system_r;
+@@ -225,4 +279,8 @@ interface(`bluetooth_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, bluetooth_var_run_t)
++
++ bluetooth_systemctl($1)
++ admin_pattern($1, bluetooth_unit_file_t)
++ allow $1 bluetooth_unit_file_t:service all_service_perms;
+ ')
+diff --git a/bluetooth.te b/bluetooth.te
+index d3019b3..aed14bb 100644
+--- a/bluetooth.te
++++ b/bluetooth.te
+@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.4.0)
+ #
+ # Declarations
+ #
++
+ type bluetooth_t;
+ type bluetooth_exec_t;
+ init_daemon_domain(bluetooth_t, bluetooth_exec_t)
+
+ type bluetooth_conf_t;
+-files_type(bluetooth_conf_t)
++files_config_file(bluetooth_conf_t)
+
+ type bluetooth_conf_rw_t;
+ files_type(bluetooth_conf_rw_t)
+@@ -45,6 +46,9 @@ files_type(bluetooth_var_lib_t)
+ type bluetooth_var_run_t;
+ files_pid_file(bluetooth_var_run_t)
+
++type bluetooth_unit_file_t;
++systemd_unit_file(bluetooth_unit_file_t)
++
+ ########################################
+ #
+ # Bluetooth services local policy
+@@ -96,7 +100,6 @@ kernel_request_load_module(bluetooth_t)
+ #search debugfs - redhat bug 548206
+ kernel_search_debugfs(bluetooth_t)
+
+-corenet_all_recvfrom_unlabeled(bluetooth_t)
+ corenet_all_recvfrom_netlabel(bluetooth_t)
+ corenet_tcp_sendrecv_generic_if(bluetooth_t)
+ corenet_udp_sendrecv_generic_if(bluetooth_t)
+@@ -127,7 +130,6 @@ corecmd_exec_shell(bluetooth_t)
+ domain_use_interactive_fds(bluetooth_t)
+ domain_dontaudit_search_all_domains_state(bluetooth_t)
+
+-files_read_etc_files(bluetooth_t)
+ files_read_etc_runtime_files(bluetooth_t)
+ files_read_usr_files(bluetooth_t)
+
+@@ -135,7 +137,6 @@ auth_use_nsswitch(bluetooth_t)
+
+ logging_send_syslog_msg(bluetooth_t)
+
+-miscfiles_read_localization(bluetooth_t)
+ miscfiles_read_fonts(bluetooth_t)
+ miscfiles_read_hwdata(bluetooth_t)
+
+@@ -144,6 +145,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
+ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+
+ optional_policy(`
++ devicekit_dbus_chat_power(bluetooth_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(bluetooth_t)
+ dbus_connect_system_bus(bluetooth_t)
+
+@@ -212,17 +217,16 @@ corecmd_exec_shell(bluetooth_helper_t)
+
+ domain_read_all_domains_state(bluetooth_helper_t)
+
+-files_read_etc_files(bluetooth_helper_t)
+ files_read_etc_runtime_files(bluetooth_helper_t)
+ files_read_usr_files(bluetooth_helper_t)
+ files_dontaudit_list_default(bluetooth_helper_t)
+
++auth_use_nsswitch(bluetooth_helper_t)
++
+ locallogin_dontaudit_use_fds(bluetooth_helper_t)
+
+ logging_send_syslog_msg(bluetooth_helper_t)
+
+-miscfiles_read_localization(bluetooth_helper_t)
+-
+ sysnet_read_config(bluetooth_helper_t)
+
+ optional_policy(`
+diff --git a/boinc.fc b/boinc.fc
+new file mode 100644
+index 0000000..bda740a
+--- /dev/null
++++ b/boinc.fc
+@@ -0,0 +1,12 @@
++
++/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++
++/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
++
++/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0)
++
++/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
++/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++
++/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
+diff --git a/boinc.if b/boinc.if
+new file mode 100644
+index 0000000..fbcef10
+--- /dev/null
++++ b/boinc.if
+@@ -0,0 +1,206 @@
++## policy for boinc
++
++########################################
++##
++## Execute a domain transition to run boinc.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`boinc_domtrans',`
++ gen_require(`
++ type boinc_t, boinc_exec_t;
++ ')
++
++ domtrans_pattern($1, boinc_exec_t, boinc_t)
++')
++
++#######################################
++##
++## Execute boinc server in the boinc domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_initrc_domtrans',`
++ gen_require(`
++ type boinc_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
++')
++
++#######################################
++##
++## Dontaudit getattr on boinc lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_dontaudit_getattr_lib',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ dontaudit $1 boinc_var_lib_t:file getattr;
++')
++
++########################################
++##
++## Search boinc lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_search_lib',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ allow $1 boinc_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read boinc lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_read_lib_files',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## boinc lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_manage_lib_files',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++########################################
++##
++## Manage boinc var_lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_manage_var_lib',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++#######################################
++##
++## Execute boinc server in the boinc domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`boinc_systemctl',`
++ gen_require(`
++ type boinc_t;
++ type boinc_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 boinc_unit_file_t:file read_file_perms;
++ allow $1 boinc_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, boinc_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an boinc environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`boinc_admin',`
++ gen_require(`
++ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
++ type boinc_unit_file_t;
++ ')
++
++ allow $1 boinc_t:process signal_perms;
++ ps_process_pattern($1, boinc_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 boinc_t:process ptrace;
++ ')
++
++ boinc_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 boinc_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_var_lib($1)
++ admin_pattern($1, boinc_var_lib_t)
++
++ boinc_systemctl($1)
++ admin_pattern($1, boinc_unit_file_t)
++
++ allow $1 boinc_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/boinc.te b/boinc.te
+new file mode 100644
+index 0000000..0a7e857
+--- /dev/null
++++ b/boinc.te
+@@ -0,0 +1,199 @@
++policy_module(boinc, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute boinc_domain;
++
++type boinc_t, boinc_domain;
++type boinc_exec_t;
++init_daemon_domain(boinc_t, boinc_exec_t)
++
++type boinc_initrc_exec_t;
++init_script_file(boinc_initrc_exec_t)
++
++type boinc_tmp_t;
++files_tmp_file(boinc_tmp_t)
++
++type boinc_tmpfs_t;
++files_tmpfs_file(boinc_tmpfs_t)
++
++type boinc_var_lib_t;
++files_type(boinc_var_lib_t)
++
++type boinc_log_t;
++logging_log_file(boinc_log_t)
++
++type boinc_unit_file_t;
++systemd_unit_file(boinc_unit_file_t)
++
++type boinc_project_t;
++domain_type(boinc_project_t)
++role system_r types boinc_project_t;
++
++type boinc_project_tmp_t;
++files_tmp_file(boinc_project_tmp_t)
++
++type boinc_project_var_lib_t;
++files_type(boinc_project_var_lib_t)
++
++#######################################
++#
++# boinc domain local policy
++#
++
++allow boinc_domain self:fifo_file rw_fifo_file_perms;
++allow boinc_domain self:sem create_sem_perms;
++
++manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++
++
++corecmd_exec_bin(boinc_domain)
++corecmd_exec_shell(boinc_domain)
++
++dev_read_rand(boinc_domain)
++dev_read_urand(boinc_domain)
++dev_read_sysfs(boinc_domain)
++dev_rw_xserver_misc(boinc_domain)
++
++domain_read_all_domains_state(boinc_domain)
++
++files_read_etc_files(boinc_domain)
++files_read_etc_runtime_files(boinc_domain)
++files_read_usr_files(boinc_domain)
++
++fs_getattr_all_fs(boinc_domain)
++
++miscfiles_read_fonts(boinc_domain)
++
++optional_policy(`
++ sysnet_dns_name_resolve(boinc_domain)
++')
++
++########################################
++#
++# boinc local policy
++#
++
++allow boinc_t self:process { setsched setpgid signull sigkill };
++
++allow boinc_t self:unix_stream_socket create_stream_socket_perms;
++allow boinc_t self:tcp_socket create_stream_socket_perms;
++allow boinc_t self:shm create_shm_perms;
++
++manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
++manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
++files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
++
++manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
++fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
++
++exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
++# this should be created by default by boinc
++# we need this label for transition to boinc_project_t
++# other boinc lib files will end up with boinc_var_lib_t
++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
++
++manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++
++manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
++logging_log_filetrans(boinc_t, boinc_log_t, { file })
++
++# needs read /proc/interrupts
++kernel_read_system_state(boinc_t)
++kernel_search_vm_sysctl(boinc_t)
++
++files_getattr_all_dirs(boinc_t)
++files_getattr_all_files(boinc_t)
++
++corenet_all_recvfrom_netlabel(boinc_t)
++corenet_tcp_sendrecv_generic_if(boinc_t)
++corenet_udp_sendrecv_generic_if(boinc_t)
++corenet_tcp_sendrecv_generic_node(boinc_t)
++corenet_udp_sendrecv_generic_node(boinc_t)
++corenet_tcp_sendrecv_all_ports(boinc_t)
++corenet_udp_sendrecv_all_ports(boinc_t)
++corenet_tcp_bind_generic_node(boinc_t)
++corenet_udp_bind_generic_node(boinc_t)
++corenet_tcp_bind_boinc_port(boinc_t)
++corenet_tcp_bind_boinc_client_ctrl_port(boinc_t)
++corenet_tcp_connect_boinc_port(boinc_t)
++corenet_tcp_connect_http_port(boinc_t)
++corenet_tcp_connect_http_cache_port(boinc_t)
++corenet_tcp_connect_squid_port(boinc_t)
++
++files_dontaudit_getattr_boot_dirs(boinc_t)
++
++auth_read_passwd(boinc_t)
++
++term_getattr_all_ptys(boinc_t)
++term_getattr_unallocated_ttys(boinc_t)
++
++init_read_utmp(boinc_t)
++
++logging_send_syslog_msg(boinc_t)
++
++optional_policy(`
++ mta_send_mail(boinc_t)
++')
++
++########################################
++#
++# boinc-projects local policy
++#
++
++allow boinc_project_t self:capability { setuid setgid };
++
++domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
++allow boinc_t boinc_project_t:process sigkill;
++allow boinc_t boinc_project_t:process noatsecure;
++
++allow boinc_project_t self:process { ptrace setcap getcap setpgid setsched signal signull sigkill sigstop };
++allow boinc_project_t self:process { execmem execstack };
++
++manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
++manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
++manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
++files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
++
++allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
++exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
++
++allow boinc_project_t boinc_project_var_lib_t:file execmod;
++
++allow boinc_project_t boinc_t:shm rw_shm_perms;
++allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
++
++kernel_read_kernel_sysctls(boinc_project_t)
++kernel_search_vm_sysctl(boinc_project_t)
++kernel_read_network_state(boinc_project_t)
++
++corenet_tcp_connect_boinc_port(boinc_project_t)
++
++files_dontaudit_search_home(boinc_project_t)
++
++# needed by java
++fs_read_hugetlbfs_files(boinc_project_t)
++
++optional_policy(`
++ gnome_read_gconf_config(boinc_project_t)
++')
++
++optional_policy(`
++ java_exec(boinc_project_t)
++')
++
++# until solution for VirtualBox, java ..
++optional_policy(`
++ unconfined_domain(boinc_project_t)
++')
+diff --git a/brctl.if b/brctl.if
+index 2c2cdb6..73b3814 100644
+--- a/brctl.if
++++ b/brctl.if
+@@ -18,3 +18,28 @@ interface(`brctl_domtrans',`
+ corecmd_search_bin($1)
+ domtrans_pattern($1, brctl_exec_t, brctl_t)
+ ')
++
++#####################################
++##
++## Execute brctl in the brctl domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`brctl_run',`
++ gen_require(`
++ type brctl_t, brctl_exec_t;
++ ')
++
++ brctl_domtrans($1)
++ role $2 types brctl_t;
++')
+diff --git a/brctl.te b/brctl.te
+index 9a62a1d..283f4fa 100644
+--- a/brctl.te
++++ b/brctl.te
+@@ -36,7 +36,6 @@ files_read_etc_files(brctl_t)
+
+ term_dontaudit_use_console(brctl_t)
+
+-miscfiles_read_localization(brctl_t)
+
+ optional_policy(`
+ xen_append_log(brctl_t)
+diff --git a/bugzilla.if b/bugzilla.if
+index de89d0f..86e4ee7 100644
+--- a/bugzilla.if
++++ b/bugzilla.if
+@@ -48,23 +48,24 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The role to be allowed to manage the bugzilla domain.
+-##
+-##
+-##
+ #
+ interface(`bugzilla_admin',`
+ gen_require(`
+ type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+- type httpd_bugzilla_htaccess_t;
++ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
+ ')
+
+- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
++ allow $1 httpd_bugzilla_script_t:process signal_perms;
+ ps_process_pattern($1, httpd_bugzilla_script_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 httpd_bugzilla_script_t:process ptrace;
++ ')
++
++ files_list_tmp($1)
++ admin_pattern($1, httpd_bugzilla_tmp_t)
++
+ files_list_var_lib(httpd_bugzilla_script_t)
+
+ apache_list_sys_content($1)
+diff --git a/bugzilla.te b/bugzilla.te
+index 048abbf..dece084 100644
+--- a/bugzilla.te
++++ b/bugzilla.te
+@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.0)
+
+ apache_content_template(bugzilla)
+
++type httpd_bugzilla_tmp_t;
++files_tmp_file(httpd_bugzilla_tmp_t)
++
+ ########################################
+ #
+ # bugzilla local policy
+@@ -16,7 +19,6 @@ allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+ allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+-corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+ corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t)
+@@ -31,8 +33,14 @@ corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+ corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
++manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
++manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
++files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
++
+ files_search_var_lib(httpd_bugzilla_script_t)
+
++auth_read_passwd(httpd_bugzilla_script_t)
++
+ sysnet_read_config(httpd_bugzilla_script_t)
+ sysnet_use_ldap(httpd_bugzilla_script_t)
+
+diff --git a/cachefilesd.fc b/cachefilesd.fc
+new file mode 100644
+index 0000000..aa03fc8
+--- /dev/null
++++ b/cachefilesd.fc
+@@ -0,0 +1,34 @@
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the contexts to be assigned to various files and directories of
++# importance to the CacheFiles kernel module and userspace management daemon.
++#
++
++# cachefilesd executable will have:
++# label: system_u:object_r:cachefilesd_exec_t
++# MLS sensitivity: s0
++# MCS categories:
++
++/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
++
++/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
++
++/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
++
++/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
++
++/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
++
++/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
+diff --git a/cachefilesd.if b/cachefilesd.if
+new file mode 100644
+index 0000000..3b41945
+--- /dev/null
++++ b/cachefilesd.if
+@@ -0,0 +1,35 @@
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the policy interface for the CacheFiles userspace management daemon.
++#
++## policy for cachefilesd
++
++########################################
++##
++## Execute a domain transition to run cachefilesd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cachefilesd_domtrans',`
++ gen_require(`
++ type cachefilesd_t, cachefilesd_exec_t;
++ ')
++
++ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
++')
+diff --git a/cachefilesd.te b/cachefilesd.te
+new file mode 100644
+index 0000000..3eda1b1
+--- /dev/null
++++ b/cachefilesd.te
+@@ -0,0 +1,144 @@
++###############################################################################
++#
++# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# This security policy governs access by the CacheFiles kernel module and
++# userspace management daemon to the files and directories in the on-disk
++# cache, on behalf of the processes accessing the cache through a network
++# filesystem such as NFS
++#
++policy_module(cachefilesd, 1.0.17)
++
++###############################################################################
++#
++# Declarations
++#
++
++#
++# Files in the cache are created by the cachefiles module with security ID
++# cachefiles_var_t
++#
++type cachefiles_var_t;
++files_type(cachefiles_var_t)
++
++#
++# The /dev/cachefiles character device has security ID cachefiles_dev_t
++#
++type cachefiles_dev_t;
++dev_node(cachefiles_dev_t)
++
++#
++# The cachefilesd daemon normally runs with security ID cachefilesd_t
++#
++type cachefilesd_t;
++type cachefilesd_exec_t;
++init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
++
++#
++# The cachefilesd daemon pid file context
++#
++type cachefilesd_var_run_t;
++files_pid_file(cachefilesd_var_run_t)
++
++#
++# The CacheFiles kernel module causes processes accessing the cache files to do
++# so acting as security ID cachefiles_kernel_t
++#
++type cachefiles_kernel_t;
++domain_type(cachefiles_kernel_t)
++domain_obj_id_change_exemption(cachefiles_kernel_t)
++role system_r types cachefiles_kernel_t;
++
++###############################################################################
++#
++# Permit RPM to deal with files in the cache
++#
++optional_policy(`
++ rpm_use_script_fds(cachefilesd_t)
++')
++
++###############################################################################
++#
++# cachefilesd local policy
++#
++# These define what cachefilesd is permitted to do. This doesn't include very
++# much: startup stuff, logging, pid file, scanning the cache superstructure and
++# deleting files from the cache. It is not permitted to read/write files in
++# the cache.
++#
++# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
++# rules.
++#
++allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
++
++# Allow manipulation of pid file
++allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
++manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
++manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
++files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
++files_create_as_is_all_files(cachefilesd_t)
++
++# Allow access to cachefiles device file
++allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
++
++# Allow access to cache superstructure
++manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
++manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
++
++# Permit statfs on the backing filesystem
++fs_getattr_xattr_fs(cachefilesd_t)
++
++# Basic access
++files_read_etc_files(cachefilesd_t)
++logging_send_syslog_msg(cachefilesd_t)
++init_dontaudit_use_script_ptys(cachefilesd_t)
++term_dontaudit_use_generic_ptys(cachefilesd_t)
++term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
++
++###############################################################################
++#
++# When cachefilesd invokes the kernel module to begin caching, it has to tell
++# the kernel module the security context in which it should act, and this
++# policy has to approve that.
++#
++# There are two parts to this:
++#
++# (1) the security context used by the module to access files in the cache,
++# as set by the 'secctx' command in /etc/cachefilesd.conf, and
++#
++allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
++
++#
++# (2) the label that will be assigned to new files and directories created in
++# the cache by the module, which will be the same as the label on the
++# directory pointed to by the 'dir' command.
++#
++allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
++
++###############################################################################
++#
++# cachefiles kernel module local policy
++#
++# This governs what the kernel module is allowed to do the contents of the
++# cache.
++#
++allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
++
++manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
++manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
++
++fs_getattr_xattr_fs(cachefiles_kernel_t)
++
++dev_search_sysfs(cachefiles_kernel_t)
++
++init_sigchld_script(cachefiles_kernel_t)
+diff --git a/calamaris.te b/calamaris.te
+index b13fb66..8926e84 100644
+--- a/calamaris.te
++++ b/calamaris.te
+@@ -39,7 +39,6 @@ kernel_read_system_state(calamaris_t)
+
+ corecmd_exec_bin(calamaris_t)
+
+-corenet_all_recvfrom_unlabeled(calamaris_t)
+ corenet_all_recvfrom_netlabel(calamaris_t)
+ corenet_tcp_sendrecv_generic_if(calamaris_t)
+ corenet_udp_sendrecv_generic_if(calamaris_t)
+@@ -51,7 +50,6 @@ corenet_udp_sendrecv_all_ports(calamaris_t)
+ dev_read_urand(calamaris_t)
+
+ files_search_pids(calamaris_t)
+-files_read_etc_files(calamaris_t)
+ files_read_usr_files(calamaris_t)
+ files_read_var_files(calamaris_t)
+ files_read_etc_runtime_files(calamaris_t)
+@@ -62,8 +60,6 @@ auth_use_nsswitch(calamaris_t)
+
+ logging_send_syslog_msg(calamaris_t)
+
+-miscfiles_read_localization(calamaris_t)
+-
+ userdom_dontaudit_list_user_home_dirs(calamaris_t)
+
+ optional_policy(`
+diff --git a/callweaver.fc b/callweaver.fc
+new file mode 100644
+index 0000000..3e15c63
+--- /dev/null
++++ b/callweaver.fc
+@@ -0,0 +1,11 @@
++/etc/rc\.d/init\.d/callweaver -- gen_context(system_u:object_r:callweaver_initrc_exec_t,s0)
++
++/usr/sbin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0)
++
++/var/lib/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_lib_t,s0)
++
++/var/log/callweaver(/.*)? gen_context(system_u:object_r:callweaver_log_t,s0)
++
++/var/run/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_run_t,s0)
++
++/var/spool/callweaver(/.*)? gen_context(system_u:object_r:callweaver_spool_t,s0)
+diff --git a/callweaver.if b/callweaver.if
+new file mode 100644
+index 0000000..e07d3b8
+--- /dev/null
++++ b/callweaver.if
+@@ -0,0 +1,362 @@
++## Open source PBX project.
++
++########################################
++##
++## Execute callweaver in the
++## callweaver domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`callweaver_domtrans',`
++ gen_require(`
++ type callweaver_t, callweaver_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, callweaver_exec_t, callweaver_t)
++')
++
++########################################
++##
++## Execute callweaver in the
++## callers domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`callweaver_exec',`
++ gen_require(`
++ type callweaver_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, callweaver_exec_t)
++')
++
++########################################
++##
++## Execute callweaver in the
++## callweaver domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`callweaver_initrc_domtrans',`
++ gen_require(`
++ type callweaver_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
++')
++
++########################################
++##
++## Read callweaver log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`callweaver_read_log',`
++ gen_require(`
++ type callweaver_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, callweaver_log_t, callweaver_log_t)
++')
++
++########################################
++##
++## Append to callweaver log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`callweaver_append_log',`
++ gen_require(`
++ type callweaver_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, callweaver_log_t, callweaver_log_t)
++')
++
++########################################
++##
++## Manage callweaver log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`callweaver_manage_log',`
++ gen_require(`
++ type callweaver_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, callweaver_log_t, callweaver_log_t)
++ manage_files_pattern($1, callweaver_log_t, callweaver_log_t)
++ manage_lnk_files_pattern($1, callweaver_log_t, callweaver_log_t)
++')
++
++########################################
++##
++## Search callweaver lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`callweaver_search_lib',`
++ gen_require(`
++ type callweaver_var_lib_t;
++ ')
++
++ allow $1 callweaver_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read callweaver lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`callweaver_read_lib_files',`
++ gen_require(`
++ type callweaver_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
++')
++
++########################################
++##
++## Manage callweaver lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`callweaver_manage_lib_files',`
++ gen_require(`
++ type callweaver_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
++')
++
++########################################
++##
++## Manage callweaver lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`callweaver_manage_lib_dirs',`
++ gen_require(`
++ type callweaver_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
++')
++
++
++########################################
++##
++## Read callweaver PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`callweaver_read_pid_files',`
++ gen_require(`
++ type callweaver_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 callweaver_var_run_t:file read_file_perms;
++')
++
++########################################
++##
++## Connect to callweaver over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`callweaver_stream_connect',`
++ gen_require(`
++ type callweaver_t, callweaver_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t)
++')
++
++########################################
++##
++## Search callweaver spool directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`callweaver_search_spool',`
++ gen_require(`
++ type callweaver_spool_t;
++ ')
++
++ allow $1 callweaver_spool_t:dir search_dir_perms;
++ files_search_spool($1)
++')
++
++########################################
++##
++## Read callweaver spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`callweaver_read_spool_files',`
++ gen_require(`
++ type callweaver_spool_t;
++ ')
++
++ files_search_spool($1)
++ read_files_pattern($1, callweaver_spool_t, callweaver_spool_t)
++')
++
++########################################
++##
++## Manage callweaver spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`callweaver_manage_spool_files',`
++ gen_require(`
++ type callweaver_spool_t;
++ ')
++
++ files_search_spool($1)
++ manage_files_pattern($1, callweaver_spool_t, callweaver_spool_t)
++')
++
++########################################
++##
++## Manage callweaver spool dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`callweaver_manage_spool_dirs',`
++ gen_require(`
++ type callweaver_spool_t;
++ ')
++
++ files_search_spool($1)
++ manage_dirs_pattern($1, callweaver_spool_t, callweaver_spool_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an callweaver environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`callweaver_admin',`
++ gen_require(`
++ type callweaver_t;
++ type callweaver_initrc_exec_t;
++ type callweaver_log_t;
++ type callweaver_var_lib_t;
++ type callweaver_var_run_t;
++ type callweaver_spool_t;
++ ')
++
++ allow $1 callweaver_t:process signal_perms;
++ ps_process_pattern($1, callweaver_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 callweaver_t:process ptrace;
++ ')
++
++ callweaver_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 callweaver_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_search_logs($1)
++ admin_pattern($1, callweaver_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, callweaver_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, callweaver_var_run_t)
++
++ files_search_spool($1)
++ admin_pattern($1, callweaver_spool_t)
++')
+diff --git a/callweaver.te b/callweaver.te
+new file mode 100644
+index 0000000..978f92f
+--- /dev/null
++++ b/callweaver.te
+@@ -0,0 +1,75 @@
++policy_module(callweaver,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type callweaver_t;
++type callweaver_exec_t;
++init_daemon_domain(callweaver_t, callweaver_exec_t)
++
++type callweaver_initrc_exec_t;
++init_script_file(callweaver_initrc_exec_t)
++
++type callweaver_log_t;
++logging_log_file(callweaver_log_t)
++
++type callweaver_var_lib_t;
++files_type(callweaver_var_lib_t)
++
++type callweaver_var_run_t;
++files_pid_file(callweaver_var_run_t)
++
++type callweaver_spool_t;
++files_spool_file(callweaver_spool_t)
++
++########################################
++#
++# callweaver local policy
++#
++
++allow callweaver_t self:capability { setuid sys_nice setgid };
++allow callweaver_t self:process { setsched signal };
++allow callweaver_t self:fifo_file rw_fifo_file_perms;
++allow callweaver_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
++manage_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
++logging_log_filetrans(callweaver_t, callweaver_log_t, { dir file } )
++
++manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
++manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
++files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file } )
++
++manage_dirs_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
++manage_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
++manage_sock_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
++files_pid_filetrans(callweaver_t, callweaver_var_run_t, { dir file sock_file })
++
++manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
++manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
++manage_lnk_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
++files_spool_filetrans(callweaver_t, callweaver_spool_t, { dir file })
++
++allow callweaver_t self:tcp_socket create_stream_socket_perms;
++allow callweaver_t self:udp_socket create_socket_perms;
++
++kernel_read_sysctl(callweaver_t)
++kernel_read_kernel_sysctls(callweaver_t)
++
++corenet_udp_bind_asterisk_port(callweaver_t)
++corenet_udp_bind_generic_port(callweaver_t)
++corenet_udp_bind_sip_port(callweaver_t)
++
++dev_manage_generic_symlinks(callweaver_t)
++
++domain_use_interactive_fds(callweaver_t)
++
++
++term_getattr_pty_fs(callweaver_t)
++term_use_generic_ptys(callweaver_t)
++term_use_ptmx(callweaver_t)
++
++auth_use_nsswitch(callweaver_t)
++
+diff --git a/canna.fc b/canna.fc
+index 5432d0e..f77df02 100644
+--- a/canna.fc
++++ b/canna.fc
+@@ -20,4 +20,4 @@
+
+ /var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0)
+ /var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0)
+-/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0)
++/var/run/wnn-unix(/.*)? gen_context(system_u:object_r:canna_var_run_t,s0)
+diff --git a/canna.if b/canna.if
+index 4a26b0c..00b64dc 100644
+--- a/canna.if
++++ b/canna.if
+@@ -42,9 +42,13 @@ interface(`canna_admin',`
+ type canna_var_run_t, canna_initrc_exec_t;
+ ')
+
+- allow $1 canna_t:process { ptrace signal_perms };
++ allow $1 canna_t:process signal_perms;
+ ps_process_pattern($1, canna_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 canna_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, canna_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 canna_initrc_exec_t system_r;
+diff --git a/canna.te b/canna.te
+index 1d25efe..910b94c 100644
+--- a/canna.te
++++ b/canna.te
+@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
+ allow canna_t self:tcp_socket create_stream_socket_perms;
+
+ manage_files_pattern(canna_t, canna_log_t, canna_log_t)
+-allow canna_t canna_log_t:dir setattr;
++allow canna_t canna_log_t:dir setattr_dir_perms;
+ logging_log_filetrans(canna_t, canna_log_t, { file dir })
+
+ manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+@@ -50,7 +50,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file })
+ kernel_read_kernel_sysctls(canna_t)
+ kernel_read_system_state(canna_t)
+
+-corenet_all_recvfrom_unlabeled(canna_t)
+ corenet_all_recvfrom_netlabel(canna_t)
+ corenet_tcp_sendrecv_generic_if(canna_t)
+ corenet_tcp_sendrecv_generic_node(canna_t)
+@@ -73,8 +72,6 @@ files_dontaudit_read_root_files(canna_t)
+
+ logging_send_syslog_msg(canna_t)
+
+-miscfiles_read_localization(canna_t)
+-
+ sysnet_read_config(canna_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(canna_t)
+diff --git a/ccs.fc b/ccs.fc
+index 8a7177d..bc4f6e7 100644
+--- a/ccs.fc
++++ b/ccs.fc
+@@ -2,5 +2,7 @@
+
+ /sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
+
++/usr/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
++
+ /var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
+ /var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
+diff --git a/ccs.te b/ccs.te
+index 4c90b57..30265d4 100644
+--- a/ccs.te
++++ b/ccs.te
+@@ -10,7 +10,7 @@ type ccs_exec_t;
+ init_daemon_domain(ccs_t, ccs_exec_t)
+
+ type cluster_conf_t;
+-files_type(cluster_conf_t)
++files_config_file(cluster_conf_t)
+
+ type ccs_tmp_t;
+ files_tmp_file(ccs_tmp_t)
+@@ -34,7 +34,7 @@ files_pid_file(ccs_var_run_t)
+
+ allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
+ allow ccs_t self:process { signal setrlimit setsched };
+-dontaudit ccs_t self:process ptrace;
++
+ allow ccs_t self:fifo_file rw_fifo_file_perms;
+ allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow ccs_t self:unix_dgram_socket create_socket_perms;
+@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+ manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+ files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
+
+-allow ccs_t ccs_var_log_t:dir setattr;
++allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
+ manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+ manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+ logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
+@@ -77,7 +77,6 @@ kernel_read_kernel_sysctls(ccs_t)
+ corecmd_list_bin(ccs_t)
+ corecmd_exec_bin(ccs_t)
+
+-corenet_all_recvfrom_unlabeled(ccs_t)
+ corenet_all_recvfrom_netlabel(ccs_t)
+ corenet_tcp_sendrecv_generic_if(ccs_t)
+ corenet_udp_sendrecv_generic_if(ccs_t)
+@@ -97,11 +96,10 @@ files_read_etc_files(ccs_t)
+ files_read_etc_runtime_files(ccs_t)
+
+ init_rw_script_tmp_files(ccs_t)
++init_signal(ccs_t)
+
+ logging_send_syslog_msg(ccs_t)
+
+-miscfiles_read_localization(ccs_t)
+-
+ sysnet_dns_name_resolve(ccs_t)
+
+ userdom_manage_unpriv_user_shared_mem(ccs_t)
+@@ -118,5 +116,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ qpidd_rw_semaphores(ccs_t)
++ qpidd_rw_shm(ccs_t)
++')
++
++optional_policy(`
+ unconfined_use_fds(ccs_t)
+ ')
+diff --git a/cdrecord.te b/cdrecord.te
+index 4626931..93e1495 100644
+--- a/cdrecord.te
++++ b/cdrecord.te
+@@ -52,10 +52,8 @@ storage_write_scsi_generic(cdrecord_t)
+
+ logging_send_syslog_msg(cdrecord_t)
+
+-miscfiles_read_localization(cdrecord_t)
+-
+ # write to the user domain tty.
+-userdom_use_user_terminals(cdrecord_t)
++userdom_use_inherited_user_terminals(cdrecord_t)
+ userdom_read_user_home_content_files(cdrecord_t)
+
+ # Handle nfs home dirs
+@@ -108,11 +106,7 @@ tunable_policy(`cdrecord_read_content',`
+ userdom_dontaudit_read_user_home_content_files(cdrecord_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- files_search_mnt(cdrecord_t)
+- fs_read_nfs_files(cdrecord_t)
+- fs_read_nfs_symlinks(cdrecord_t)
+-')
++userdom_home_manager(cdrecord_t)
+
+ optional_policy(`
+ resmgr_stream_connect(cdrecord_t)
+diff --git a/certmaster.if b/certmaster.if
+index fa62787..4230c25 100644
+--- a/certmaster.if
++++ b/certmaster.if
+@@ -116,19 +116,23 @@ interface(`certmaster_manage_log',`
+ interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+- type certmaster_etc_rw_t, certmaster_var_log_t;
+- type certmaster_initrc_exec_t;
++ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
+ ')
+
+- allow $1 certmaster_t:process { ptrace signal_perms };
++ allow $1 certmaster_t:process signal_perms;
+ ps_process_pattern($1, certmaster_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 certmaster_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 certmaster_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
++
+ miscfiles_manage_generic_cert_dirs($1)
+ miscfiles_manage_generic_cert_files($1)
+
+diff --git a/certmaster.te b/certmaster.te
+index 3384132..e40c81c 100644
+--- a/certmaster.te
++++ b/certmaster.te
+@@ -53,19 +53,20 @@ files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
+ # read meminfo
+ kernel_read_system_state(certmaster_t)
+
+-corecmd_search_bin(certmaster_t)
+-corecmd_getattr_bin_files(certmaster_t)
++corecmd_exec_bin(certmaster_t)
+
+ corenet_tcp_bind_generic_node(certmaster_t)
+ corenet_tcp_bind_certmaster_port(certmaster_t)
+
++dev_read_urand(certmaster_t)
++
+ files_search_etc(certmaster_t)
++files_read_usr_files(certmaster_t)
+ files_list_var(certmaster_t)
+ files_search_var_lib(certmaster_t)
+
+ auth_use_nsswitch(certmaster_t)
+
+-miscfiles_read_localization(certmaster_t)
+
+ miscfiles_manage_generic_cert_dirs(certmaster_t)
+ miscfiles_manage_generic_cert_files(certmaster_t)
+diff --git a/certmonger.fc b/certmonger.fc
+index 5ad1a52..e66fcf6 100644
+--- a/certmonger.fc
++++ b/certmonger.fc
+@@ -4,3 +4,5 @@
+
+ /var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
+ /var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0)
++
++/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
+diff --git a/certmonger.if b/certmonger.if
+index 7a6e5ba..7475aa5 100644
+--- a/certmonger.if
++++ b/certmonger.if
+@@ -158,7 +158,11 @@ interface(`certmonger_admin',`
+ ')
+
+ ps_process_pattern($1, certmonger_t)
+- allow $1 certmonger_t:process { ptrace signal_perms };
++ allow $1 certmonger_t:process signal_perms;
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 certmonger_t:process ptrace;
++ ')
+
+ # Allow certmonger_t to restart the apache service
+ certmonger_initrc_domtrans($1)
+@@ -166,9 +170,9 @@ interface(`certmonger_admin',`
+ role_transition $2 certmonger_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, certmonger_var_lib_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, certmonger_var_run_t)
+ ')
+diff --git a/certmonger.te b/certmonger.te
+index c3e3f79..89db900 100644
+--- a/certmonger.te
++++ b/certmonger.te
+@@ -18,13 +18,19 @@ files_pid_file(certmonger_var_run_t)
+ type certmonger_var_lib_t;
+ files_type(certmonger_var_lib_t)
+
++type certmonger_unconfined_exec_t;
++application_executable_file(certmonger_unconfined_exec_t)
++
+ ########################################
+ #
+ # certmonger local policy
+ #
+
+-allow certmonger_t self:capability { kill sys_nice };
+-allow certmonger_t self:process { getsched setsched sigkill };
++allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
++dontaudit certmonger_t self:capability sys_tty_config;
++allow certmonger_t self:capability2 block_suspend;
++
++allow certmonger_t self:process { getsched setsched sigkill signal };
+ allow certmonger_t self:fifo_file rw_file_perms;
+ allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+ allow certmonger_t self:tcp_socket create_stream_socket_perms;
+@@ -38,25 +44,52 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+ manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
+
++kernel_read_kernel_sysctls(certmonger_t)
++kernel_read_system_state(certmonger_t)
++
++corecmd_exec_bin(certmonger_t)
++corecmd_exec_shell(certmonger_t)
++
+ corenet_tcp_sendrecv_generic_if(certmonger_t)
+ corenet_tcp_sendrecv_generic_node(certmonger_t)
+ corenet_tcp_sendrecv_all_ports(certmonger_t)
+ corenet_tcp_connect_certmaster_port(certmonger_t)
++corenet_tcp_connect_http_port(certmonger_t)
++corenet_tcp_connect_http_cache_port(certmonger_t)
++corenet_tcp_connect_pki_ca_port(certmonger_t)
+
+ dev_read_urand(certmonger_t)
+
+ domain_use_interactive_fds(certmonger_t)
+
+-files_read_etc_files(certmonger_t)
+ files_read_usr_files(certmonger_t)
+ files_list_tmp(certmonger_t)
+
++fs_search_cgroup_dirs(certmonger_t)
++
++auth_use_nsswitch(certmonger_t)
++auth_rw_cache(certmonger_t)
++
++init_getattr_all_script_files(certmonger_t)
++
+ logging_send_syslog_msg(certmonger_t)
+
+-miscfiles_read_localization(certmonger_t)
+ miscfiles_manage_generic_cert_files(certmonger_t)
+
+-sysnet_dns_name_resolve(certmonger_t)
++systemd_exec_systemctl(certmonger_t)
++
++userdom_search_user_home_content(certmonger_t)
++
++optional_policy(`
++ apache_search_config(certmonger_t)
++ apache_signal(certmonger_t)
++ apache_signull(certmonger_t)
++ apache_systemctl(certmonger_t)
++')
++
++optional_policy(`
++ bind_search_cache(certmonger_t)
++')
+
+ optional_policy(`
+ dbus_system_bus_client(certmonger_t)
+@@ -64,9 +97,46 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dirsrv_manage_config(certmonger_t)
++ dirsrv_signal(certmonger_t)
++ dirsrv_signull(certmonger_t)
++')
++
++optional_policy(`
+ kerberos_use(certmonger_t)
++ kerberos_read_keytab(certmonger_t)
+ ')
+
+ optional_policy(`
++ pcscd_read_pub_files(certmonger_t)
+ pcscd_stream_connect(certmonger_t)
+ ')
++
++optional_policy(`
++ pki_rw_tomcat_cert(certmonger_t)
++')
++
++########################################
++#
++# certmonger_unconfined_script_t local policy
++#
++
++optional_policy(`
++ type certmonger_unconfined_t;
++ domain_type(certmonger_unconfined_t)
++
++ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
++ role system_r types certmonger_unconfined_t;
++
++ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
++
++ unconfined_domain(certmonger_unconfined_t)
++
++ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
++ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
++ allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
++
++ init_domtrans_script(certmonger_unconfined_t)
++
++ unconfined_domain(certmonger_unconfined_t)
++')
+diff --git a/certwatch.te b/certwatch.te
+index e07cef5..55051ce 100644
+--- a/certwatch.te
++++ b/certwatch.te
+@@ -27,15 +27,15 @@ files_list_tmp(certwatch_t)
+ fs_list_inotifyfs(certwatch_t)
+
+ auth_manage_cache(certwatch_t)
++auth_read_passwd(certwatch_t)
+ auth_var_filetrans_cache(certwatch_t)
+
+ logging_send_syslog_msg(certwatch_t)
+
+ miscfiles_read_all_certs(certwatch_t)
+-miscfiles_read_localization(certwatch_t)
+
+-userdom_use_user_terminals(certwatch_t)
+-userdom_dontaudit_list_user_home_dirs(certwatch_t)
++userdom_use_inherited_user_terminals(certwatch_t)
++userdom_dontaudit_list_admin_dir(certwatch_t)
+
+ optional_policy(`
+ apache_exec_modules(certwatch_t)
+diff --git a/cfengine.fc b/cfengine.fc
+new file mode 100644
+index 0000000..4c52fa3
+--- /dev/null
++++ b/cfengine.fc
+@@ -0,0 +1,12 @@
++
++/usr/sbin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
++/usr/sbin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
++/usr/sbin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0)
++
++/etc/rc\.d/init\.d/cf-serverd -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/cf-monitord -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/cf-execd -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
++
++/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0)
++/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:cfengine_var_log_t,s0)
++
+diff --git a/cfengine.if b/cfengine.if
+new file mode 100644
+index 0000000..f3c23e9
+--- /dev/null
++++ b/cfengine.if
+@@ -0,0 +1,146 @@
++
++## policy for cfengine
++
++######################################
++##
++## Creates types and rules for a basic
++## cfengine init daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`cfengine_domain_template',`
++ gen_require(`
++ attribute cfengine_domain;
++ ')
++
++ ##############################
++ #
++ # Declarations
++ #
++
++ type cfengine_$1_t, cfengine_domain;
++ type cfengine_$1_exec_t;
++ init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)
++
++ kernel_read_system_state(cfengine_$1_t)
++
++ logging_send_syslog_msg(cfengine_$1_t)
++')
++
++########################################
++##
++## Transition to cfengine.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cfengine_domtrans_server',`
++ gen_require(`
++ type cfengine_server_t, cfengine_server_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t)
++')
++
++#######################################
++##
++## Search cfengine lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cfengine_search_lib_files',`
++ gen_require(`
++ type cfengine_var_lib_t;
++ ')
++
++ allow $1 cfengine_var_lib_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Read cfengine lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cfengine_read_lib_files',`
++ gen_require(`
++ type cfengine_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
++')
++
++######################################
++##
++## Allow the specified domain to read cfengine's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cfengine_read_log',`
++ gen_require(`
++ type cfengine_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ files_search_var_lib($1)
++ cfengine_search_lib_files($1)
++ read_files_pattern($1, cfengine_var_log_t, cfengine_var_log_t)
++')
++
++#####################################
++##
++## Allow the specified domain to append cfengine's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cfengine_append_inherited_log',`
++ gen_require(`
++ type cfengine_var_log_t;
++ ')
++
++ cfengine_search_lib_files($1)
++ allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
++')
++
++####################################
++##
++## Dontaudit the specified domain to write cfengine's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cfengine_dontaudit_write_log',`
++ gen_require(`
++ type cfengine_var_log_t;
++ ')
++
++ dontaudit $1 cfengine_var_log_t:file write;
++')
+diff --git a/cfengine.te b/cfengine.te
+new file mode 100644
+index 0000000..5b123e1
+--- /dev/null
++++ b/cfengine.te
+@@ -0,0 +1,94 @@
++policy_module(cfengine, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute cfengine_domain;
++
++cfengine_domain_template(serverd)
++cfengine_domain_template(execd)
++cfengine_domain_template(monitord)
++
++type cfengine_initrc_exec_t;
++init_script_file(cfengine_initrc_exec_t)
++
++type cfengine_var_lib_t;
++files_type(cfengine_var_lib_t)
++
++type cfengine_var_log_t;
++logging_log_file(cfengine_var_log_t)
++
++#######################################
++#
++# cfengine domain local policy
++#
++
++allow cfengine_domain self:fifo_file rw_fifo_file_perms;
++allow cfengine_domain self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
++manage_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
++manage_lnk_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
++files_var_lib_filetrans(cfengine_domain, cfengine_var_lib_t, { dir file })
++
++manage_files_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)
++manage_dirs_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)
++logging_log_filetrans(cfengine_domain,cfengine_var_log_t,{ dir file })
++
++corecmd_exec_bin(cfengine_domain)
++corecmd_exec_shell(cfengine_domain)
++
++dev_read_urand(cfengine_domain)
++dev_read_sysfs(cfengine_domain)
++
++sysnet_dns_name_resolve(cfengine_domain)
++sysnet_domtrans_ifconfig(cfengine_domain)
++
++files_read_etc_files(cfengine_domain)
++
++########################################
++#
++# cfengine-server local policy
++#
++
++allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot };
++allow cfengine_serverd_t self:process { fork setfscreate signal };
++
++domain_use_interactive_fds(cfengine_serverd_t)
++
++auth_use_nsswitch(cfengine_serverd_t)
++
++########################################
++#
++# cfengine_exec local policy
++#
++
++allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot };
++allow cfengine_execd_t self:process { fork setfscreate signal };
++
++kernel_read_sysctl(cfengine_execd_t)
++
++domain_read_all_domains_state(cfengine_execd_t)
++domain_use_interactive_fds(cfengine_execd_t)
++
++auth_use_nsswitch(cfengine_execd_t)
++
++########################################
++#
++# cfengine_monitord local policy
++#
++
++allow cfengine_monitord_t self:capability { chown kill setgid setuid sys_chroot };
++allow cfengine_monitord_t self:process { fork setfscreate signal };
++
++kernel_read_hotplug_sysctls(cfengine_monitord_t)
++kernel_read_network_state(cfengine_monitord_t)
++
++domain_read_all_domains_state(cfengine_monitord_t)
++domain_use_interactive_fds(cfengine_monitord_t)
++
++fs_getattr_xattr_fs(cfengine_monitord_t)
++
++auth_use_nsswitch(cfengine_monitord_t)
+diff --git a/cgroup.fc b/cgroup.fc
+index b6bb46c..9a2bf65 100644
+--- a/cgroup.fc
++++ b/cgroup.fc
+@@ -11,5 +11,9 @@
+ /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+ /sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+
+-/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0)
++/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
++/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
++/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
++
++/var/log/cgrulesengd\.log.* -- gen_context(system_u:object_r:cgred_log_t,s0)
+ /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
+diff --git a/cgroup.if b/cgroup.if
+index 33facaf..11700ae 100644
+--- a/cgroup.if
++++ b/cgroup.if
+@@ -171,15 +171,27 @@ interface(`cgroup_admin',`
+ type cgrules_etc_t, cgclear_t;
+ ')
+
+- allow $1 cgclear_t:process { ptrace signal_perms };
++ allow $1 cgclear_t:process signal_perms;
+ ps_process_pattern($1, cgclear_t)
+
+- allow $1 cgconfig_t:process { ptrace signal_perms };
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cgclear_t:process ptrace;
++ ')
++
++ allow $1 cgconfig_t:process signal_perms;
+ ps_process_pattern($1, cgconfig_t)
+
+- allow $1 cgred_t:process { ptrace signal_perms };
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cgconfig_t:process ptrace;
++ ')
++
++ allow $1 cgred_t:process signal_perms;
+ ps_process_pattern($1, cgred_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cgred_t:process ptrace;
++ ')
++
+ admin_pattern($1, cgconfig_etc_t)
+ admin_pattern($1, cgrules_etc_t)
+ files_list_etc($1)
+diff --git a/cgroup.te b/cgroup.te
+index 806191a..d962a82 100644
+--- a/cgroup.te
++++ b/cgroup.te
+@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
+ type cgrules_etc_t;
+ files_config_file(cgrules_etc_t)
+
+-type cgconfig_t;
+-type cgconfig_exec_t;
++type cgconfig_t alias cgconfigparser_t;
++type cgconfig_exec_t alias cgconfigparser_exec_t;
+ init_daemon_domain(cgconfig_t, cgconfig_exec_t)
+
+ type cgconfig_initrc_exec_t;
+@@ -42,8 +42,12 @@ files_config_file(cgconfig_etc_t)
+
+ allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
+
++read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
++
+ kernel_read_system_state(cgclear_t)
+
++auth_use_nsswitch(cgclear_t)
++
+ domain_setpriority_all_domains(cgclear_t)
+
+ fs_manage_cgroup_dirs(cgclear_t)
+@@ -64,7 +68,6 @@ kernel_list_unlabeled(cgconfig_t)
+ kernel_read_system_state(cgconfig_t)
+
+ # /etc/nsswitch.conf, /etc/passwd
+-files_read_etc_files(cgconfig_t)
+
+ fs_manage_cgroup_dirs(cgconfig_t)
+ fs_manage_cgroup_files(cgconfig_t)
+@@ -72,12 +75,15 @@ fs_mount_cgroup(cgconfig_t)
+ fs_mounton_cgroup(cgconfig_t)
+ fs_unmount_cgroup(cgconfig_t)
+
++auth_use_nsswitch(cgconfig_t)
++
+ ########################################
+ #
+ # cgred personal policy.
+ #
+
+-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
++
+ allow cgred_t self:netlink_socket { write bind create read };
+ allow cgred_t self:unix_dgram_socket { write create connect };
+
+@@ -86,12 +92,16 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
+
+ allow cgred_t cgrules_etc_t:file read_file_perms;
+
++manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)
++logging_log_filetrans(cgred_t, cgred_log_t, file)
++
+ # rc script creates pid file
+ manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+ manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+ files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
+
+ kernel_read_system_state(cgred_t)
++kernel_read_all_sysctls(cgred_t)
+
+ domain_read_all_domains_state(cgred_t)
+ domain_setpriority_all_domains(cgred_t)
+@@ -100,10 +110,9 @@ files_getattr_all_files(cgred_t)
+ files_getattr_all_sockets(cgred_t)
+ files_read_all_symlinks(cgred_t)
+ # /etc/group
+-files_read_etc_files(cgred_t)
+
+ fs_write_cgroup_files(cgred_t)
+
+-logging_send_syslog_msg(cgred_t)
++auth_use_nsswitch(cgred_t)
+
+-miscfiles_read_localization(cgred_t)
++logging_send_syslog_msg(cgred_t)
+diff --git a/chrome.fc b/chrome.fc
+new file mode 100644
+index 0000000..88107d7
+--- /dev/null
++++ b/chrome.fc
+@@ -0,0 +1,6 @@
++/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
++
++/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
++
++/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
++/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+diff --git a/chrome.if b/chrome.if
+new file mode 100644
+index 0000000..efebae7
+--- /dev/null
++++ b/chrome.if
+@@ -0,0 +1,134 @@
++
++## policy for chrome
++
++########################################
++##
++## Execute a domain transition to run chrome_sandbox.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`chrome_domtrans_sandbox',`
++ gen_require(`
++ type chrome_sandbox_t, chrome_sandbox_exec_t;
++ ')
++
++ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
++ ps_process_pattern(chrome_sandbox_t, $1)
++
++ allow $1 chrome_sandbox_t:fd use;
++
++ ifdef(`hide_broken_symptoms',`
++ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
++ ')
++')
++
++
++########################################
++##
++## Execute chrome_sandbox in the chrome_sandbox domain, and
++## allow the specified role the chrome_sandbox domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the chrome_sandbox domain.
++##
++##
++#
++interface(`chrome_run_sandbox',`
++ gen_require(`
++ type chrome_sandbox_t;
++ type chrome_sandbox_nacl_t;
++ ')
++
++ chrome_domtrans_sandbox($1)
++ role $2 types chrome_sandbox_t;
++ role $2 types chrome_sandbox_nacl_t;
++')
++
++########################################
++##
++## Role access for chrome sandbox
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`chrome_role_notrans',`
++ gen_require(`
++ type chrome_sandbox_t;
++ type chrome_sandbox_tmpfs_t;
++ type chrome_sandbox_nacl_t;
++ ')
++
++ role $1 types chrome_sandbox_t;
++ role $1 types chrome_sandbox_nacl_t;
++
++ ps_process_pattern($2, chrome_sandbox_t)
++ allow $2 chrome_sandbox_t:process signal_perms;
++
++ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
++ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
++ allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
++ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
++ allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
++ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
++ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
++
++ allow $2 chrome_sandbox_t:shm rw_shm_perms;
++
++ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
++')
++
++########################################
++##
++## Role access for chrome sandbox
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`chrome_role',`
++ chrome_role_notrans($1, $2)
++ chrome_domtrans_sandbox($2)
++')
++
++########################################
++##
++## Dontaudit read/write to a chrome_sandbox leaks
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`chrome_dontaudit_sandbox_leaks',`
++ gen_require(`
++ type chrome_sandbox_t;
++ ')
++
++ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
++')
+diff --git a/chrome.te b/chrome.te
+new file mode 100644
+index 0000000..32ff486
+--- /dev/null
++++ b/chrome.te
+@@ -0,0 +1,195 @@
++policy_module(chrome,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type chrome_sandbox_t;
++type chrome_sandbox_exec_t;
++application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
++role system_r types chrome_sandbox_t;
++ubac_constrained(chrome_sandbox_t)
++
++type chrome_sandbox_tmp_t;
++files_tmp_file(chrome_sandbox_tmp_t)
++
++type chrome_sandbox_tmpfs_t;
++files_tmpfs_file(chrome_sandbox_tmpfs_t)
++ubac_constrained(chrome_sandbox_tmpfs_t)
++
++type chrome_sandbox_nacl_t;
++type chrome_sandbox_nacl_exec_t;
++application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
++role system_r types chrome_sandbox_nacl_t;
++ubac_constrained(chrome_sandbox_nacl_t)
++
++########################################
++#
++# chrome_sandbox local policy
++#
++allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
++allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
++allow chrome_sandbox_t self:process setsched;
++allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
++allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
++allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
++allow chrome_sandbox_t self:shm create_shm_perms;
++allow chrome_sandbox_t self:sem create_sem_perms;
++allow chrome_sandbox_t self:msgq create_msgq_perms;
++allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
++dontaudit chrome_sandbox_t self:memprotect mmap_zero;
++
++manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
++files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
++
++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
++fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
++
++kernel_read_system_state(chrome_sandbox_t)
++kernel_read_kernel_sysctls(chrome_sandbox_t)
++
++fs_manage_cgroup_dirs(chrome_sandbox_t)
++fs_manage_cgroup_files(chrome_sandbox_t)
++fs_read_dos_files(chrome_sandbox_t)
++fs_read_hugetlbfs_files(chrome_sandbox_t)
++
++corecmd_exec_bin(chrome_sandbox_t)
++
++corenet_all_recvfrom_netlabel(chrome_sandbox_t)
++corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
++corenet_tcp_connect_flash_port(chrome_sandbox_t)
++corenet_tcp_connect_streaming_port(chrome_sandbox_t)
++corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
++corenet_tcp_connect_http_port(chrome_sandbox_t)
++corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
++corenet_tcp_connect_msnp_port(chrome_sandbox_t)
++corenet_tcp_connect_squid_port(chrome_sandbox_t)
++corenet_tcp_connect_tor_socks_port(chrome_sandbox_t)
++corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
++corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
++corenet_tcp_connect_ipp_port(chrome_sandbox_t)
++corenet_tcp_connect_speech_port(chrome_sandbox_t)
++
++domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
++
++dev_read_urand(chrome_sandbox_t)
++dev_read_sysfs(chrome_sandbox_t)
++dev_rwx_zero(chrome_sandbox_t)
++dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
++
++files_read_etc_files(chrome_sandbox_t)
++files_read_usr_files(chrome_sandbox_t)
++
++fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
++
++userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
++userdom_execute_user_tmpfs_files(chrome_sandbox_t)
++
++userdom_use_user_ptys(chrome_sandbox_t)
++userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
++userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
++userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
++userdom_search_user_home_content(chrome_sandbox_t)
++# This one we should figure a way to make it more secure
++userdom_manage_home_certs(chrome_sandbox_t)
++
++miscfiles_read_fonts(chrome_sandbox_t)
++
++sysnet_dns_name_resolve(chrome_sandbox_t)
++
++optional_policy(`
++ gnome_rw_inherited_config(chrome_sandbox_t)
++ gnome_read_home_config(chrome_sandbox_t)
++')
++
++optional_policy(`
++ mozilla_write_user_home_files(chrome_sandbox_t)
++')
++
++optional_policy(`
++ xserver_use_user_fonts(chrome_sandbox_t)
++ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_search_nfs(chrome_sandbox_t)
++ fs_exec_nfs_files(chrome_sandbox_t)
++ fs_read_nfs_files(chrome_sandbox_t)
++ fs_rw_inherited_nfs_files(chrome_sandbox_t)
++ fs_read_nfs_symlinks(chrome_sandbox_t)
++ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_search_cifs(chrome_sandbox_t)
++ fs_exec_cifs_files(chrome_sandbox_t)
++ fs_rw_inherited_cifs_files(chrome_sandbox_t)
++ fs_read_cifs_files(chrome_sandbox_t)
++ fs_read_cifs_symlinks(chrome_sandbox_t)
++ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_search_fusefs(chrome_sandbox_t)
++ fs_read_fusefs_files(chrome_sandbox_t)
++ fs_exec_fusefs_files(chrome_sandbox_t)
++ fs_read_fusefs_symlinks(chrome_sandbox_t)
++')
++
++optional_policy(`
++ sandbox_use_ptys(chrome_sandbox_t)
++')
++
++
++########################################
++#
++# chrome_sandbox_nacl local policy
++#
++
++allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
++
++allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
++allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
++allow chrome_sandbox_nacl_t self:shm create_shm_perms;
++allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
++allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
++
++allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
++allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
++
++manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
++fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
++
++domain_use_interactive_fds(chrome_sandbox_nacl_t)
++
++dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
++
++domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
++ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
++
++kernel_read_state(chrome_sandbox_nacl_t)
++kernel_read_system_state(chrome_sandbox_nacl_t)
++
++corecmd_sbin_entry_type(chrome_sandbox_nacl_t)
++
++dev_read_urand(chrome_sandbox_nacl_t)
++dev_read_sysfs(chrome_sandbox_nacl_t)
++
++files_read_etc_files(chrome_sandbox_nacl_t)
++
++init_read_state(chrome_sandbox_nacl_t)
++
++userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
++userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
++
++optional_policy(`
++ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
++')
+diff --git a/chronyd.fc b/chronyd.fc
+index fd8cd0b..f33885f 100644
+--- a/chronyd.fc
++++ b/chronyd.fc
+@@ -2,8 +2,12 @@
+
+ /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
++
+ /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+ /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
+ /var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
+ /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
++/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
++/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0)
+diff --git a/chronyd.if b/chronyd.if
+index 9a0da94..113eae2 100644
+--- a/chronyd.if
++++ b/chronyd.if
+@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
+ domtrans_pattern($1, chronyd_exec_t, chronyd_t)
+ ')
+
++########################################
++##
++## Execute chronyd server in the chronyd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`chronyd_initrc_domtrans',`
++ gen_require(`
++ type chronyd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
++')
++
+ ####################################
+ ##
+ ## Execute chronyd
+@@ -56,6 +74,125 @@ interface(`chronyd_read_log',`
+ read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
+ ')
+
++########################################
++##
++## Read and write chronyd shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_rw_shm',`
++ gen_require(`
++ type chronyd_t, chronyd_tmpfs_t;
++ ')
++
++ allow $1 chronyd_t:shm rw_shm_perms;
++ allow $1 chronyd_tmpfs_t:dir list_dir_perms;
++ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
++ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
++ fs_search_tmpfs($1)
++')
++
++########################################
++##
++## Read chronyd keys files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_read_keys',`
++ gen_require(`
++ type chronyd_keys_t;
++ ')
++
++ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++')
++
++########################################
++##
++## Append chronyd keys files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_append_keys',`
++ gen_require(`
++ type chronyd_keys_t;
++ ')
++
++ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++')
++
++########################################
++##
++## Execute chronyd server in the chronyd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`chronyd_systemctl',`
++ gen_require(`
++ type chronyd_t;
++ type chronyd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 chronyd_unit_file_t:file read_file_perms;
++ allow $1 chronyd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, chronyd_t)
++')
++
++########################################
++##
++## Connect to chronyd over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_stream_connect',`
++ gen_require(`
++ type chronyd_t, chronyd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
++')
++
++########################################
++##
++## Send to chronyd over a unix domain
++## datagram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_dgram_send',`
++ gen_require(`
++ type chronyd_t;
++ ')
++
++ allow $1 chronyd_t:unix_dgram_socket sendto;
++')
++
+ ####################################
+ ##
+ ## All of the rules required to administrate
+@@ -75,31 +212,38 @@ interface(`chronyd_read_log',`
+ #
+ interface(`chronyd_admin',`
+ gen_require(`
+- type chronyd_t, chronyd_var_log_t;
+- type chronyd_var_run_t, chronyd_var_lib_t;
+- type chronyd_initrc_exec_t, chronyd_keys_t;
++ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
++ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
++ type chronyd_keys_t, chronyd_unit_file_t;
+ ')
+
+- allow $1 chronyd_t:process { ptrace signal_perms };
++ allow $1 chronyd_t:process signal_perms;
+ ps_process_pattern($1, chronyd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 chronyd_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 chronyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, chronyd_keys_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, chronyd_var_log_t)
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, chronyd_var_lib_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, chronyd_var_run_t)
+
+- files_search_tmp($1)
+- admin_pattern($1, chronyd_tmp_t)
++ admin_pattern($1, chronyd_tmpfs_t)
++
++ admin_pattern($1, chronyd_unit_file_t)
++ chronyd_systemctl($1)
++ allow $1 chronyd_unit_file_t:service all_service_perms;
+ ')
+diff --git a/chronyd.te b/chronyd.te
+index fa82327..ab88d78 100644
+--- a/chronyd.te
++++ b/chronyd.te
+@@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t)
+ type chronyd_keys_t;
+ files_type(chronyd_keys_t)
+
++type chronyd_tmpfs_t;
++files_tmpfs_file(chronyd_tmpfs_t)
++
++type chronyd_unit_file_t;
++systemd_unit_file(chronyd_unit_file_t)
++
+ type chronyd_var_lib_t;
+ files_type(chronyd_var_lib_t)
+
+@@ -30,13 +36,18 @@ files_pid_file(chronyd_var_run_t)
+ #
+
+ allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+-allow chronyd_t self:process { getcap setcap setrlimit };
++allow chronyd_t self:process { getcap setcap setrlimit signal };
+ allow chronyd_t self:shm create_shm_perms;
+ allow chronyd_t self:udp_socket create_socket_perms;
+ allow chronyd_t self:unix_dgram_socket create_socket_perms;
++allow chronyd_t self:fifo_file rw_fifo_file_perms;
+
+ allow chronyd_t chronyd_keys_t:file read_file_perms;
+
++manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
++manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
++fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
++
+ manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+ manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+ manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+@@ -48,8 +59,15 @@ logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
+
+ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+ manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+-files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
++manage_sock_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
++files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
++
++kernel_read_system_state(chronyd_t)
++kernel_read_network_state(chronyd_t)
++
++corecmd_exec_shell(chronyd_t)
+
++corenet_udp_bind_generic_node(chronyd_t)
+ corenet_udp_bind_ntp_port(chronyd_t)
+ # bind to udp/323
+ corenet_udp_bind_chronyd_port(chronyd_t)
+@@ -61,7 +79,7 @@ auth_use_nsswitch(chronyd_t)
+
+ logging_send_syslog_msg(chronyd_t)
+
+-miscfiles_read_localization(chronyd_t)
++mta_send_mail(chronyd_t)
+
+ optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+diff --git a/cipe.te b/cipe.te
+index 8e1ef38..08b238c 100644
+--- a/cipe.te
++++ b/cipe.te
+@@ -28,7 +28,6 @@ kernel_read_system_state(ciped_t)
+ corecmd_exec_shell(ciped_t)
+ corecmd_exec_bin(ciped_t)
+
+-corenet_all_recvfrom_unlabeled(ciped_t)
+ corenet_all_recvfrom_netlabel(ciped_t)
+ corenet_udp_sendrecv_generic_if(ciped_t)
+ corenet_udp_sendrecv_generic_node(ciped_t)
+@@ -53,8 +52,6 @@ fs_search_auto_mountpoints(ciped_t)
+
+ logging_send_syslog_msg(ciped_t)
+
+-miscfiles_read_localization(ciped_t)
+-
+ sysnet_read_config(ciped_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(ciped_t)
+diff --git a/clamav.fc b/clamav.fc
+index e8e9a21..9c47777 100644
+--- a/clamav.fc
++++ b/clamav.fc
+@@ -1,5 +1,5 @@
+ /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
+-/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
+
+ /usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+ /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+@@ -8,9 +8,13 @@
+ /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+ /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+
++/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
++
+ /var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+ /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
++/var/lib/clamd.* gen_context(system_u:object_r:clamd_var_lib_t,s0)
+ /var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
++/var/log/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+ /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+ /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+ /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
+diff --git a/clamav.if b/clamav.if
+index bbac14a..99c5cca 100644
+--- a/clamav.if
++++ b/clamav.if
+@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
+ type clamd_t, clamd_var_run_t;
+ ')
+
++ files_search_pids($1)
+ stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
+ ')
+
+@@ -133,6 +134,68 @@ interface(`clamav_exec_clamscan',`
+
+ ########################################
+ ##
++## Manage clamd pid content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`clamav_manage_clamd_pid',`
++ gen_require(`
++ type clamd_var_run_t;
++ ')
++
++ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
++ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
++')
++
++#######################################
++##
++## Read clamd state files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`clamav_read_state_clamd',`
++ gen_require(`
++ type clamd_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, clamd_t)
++')
++
++#######################################
++##
++## Execute clamd server in the clamd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`clamd_systemctl',`
++ gen_require(`
++ type clamd_t;
++ type clamd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 clamd_unit_file_t:file read_file_perms;
++ allow $1 clamd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, clamd_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an clamav environment
+ ##
+@@ -151,19 +214,25 @@ interface(`clamav_exec_clamscan',`
+ interface(`clamav_admin',`
+ gen_require(`
+ type clamd_t, clamd_etc_t, clamd_tmp_t;
+- type clamd_var_log_t, clamd_var_lib_t;
+- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+- type clamd_initrc_exec_t;
++ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
++ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
+ type freshclam_t, freshclam_var_log_t;
++ type clamd_unit_file_t;
+ ')
+
+- allow $1 clamd_t:process { ptrace signal_perms };
++ allow $1 clamd_t:process signal_perms;
+ ps_process_pattern($1, clamd_t)
+
+- allow $1 clamscan_t:process { ptrace signal_perms };
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 clamd_t:process ptrace;
++ allow $1 clamscan_t:process ptrace;
++ allow $1 freshclam_t:process ptrace;
++ ')
++
++ allow $1 clamscan_t:process signal_perms;
+ ps_process_pattern($1, clamscan_t)
+
+- allow $1 freshclam_t:process { ptrace signal_perms };
++ allow $1 freshclam_t:process signal_perms;
+ ps_process_pattern($1, freshclam_t)
+
+ init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+@@ -171,6 +240,10 @@ interface(`clamav_admin',`
+ role_transition $2 clamd_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ clamd_systemctl($1)
++ admin_pattern($1, clamd_unit_file_t)
++ allow $1 clamd_unit_file_t:service all_service_perms;
++
+ files_list_etc($1)
+ admin_pattern($1, clamd_etc_t)
+
+@@ -189,4 +262,10 @@ interface(`clamav_admin',`
+ admin_pattern($1, clamscan_tmp_t)
+
+ admin_pattern($1, freshclam_var_log_t)
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++
+ ')
+diff --git a/clamav.te b/clamav.te
+index a10350e..a28f16e 100644
+--- a/clamav.te
++++ b/clamav.te
+@@ -1,9 +1,23 @@
+ policy_module(clamav, 1.10.0)
+
+ ##
+-##
+-## Allow clamd to use JIT compiler
+-##
++##
++## Allow clamscan to read user content
++##
++##
++gen_tunable(clamscan_read_user_content, false)
++
++##
++##
++## Allow clamscan to non security files on a system
++##
++##
++gen_tunable(clamscan_can_scan_system, false)
++
++##
++##
++## Allow clamd to use JIT compiler
++##
+ ##
+ gen_tunable(clamd_use_jit, false)
+
+@@ -24,6 +38,9 @@ files_config_file(clamd_etc_t)
+ type clamd_initrc_exec_t;
+ init_script_file(clamd_initrc_exec_t)
+
++type clamd_unit_file_t;
++systemd_unit_file(clamd_unit_file_t)
++
+ # tmp files
+ type clamd_tmp_t;
+ files_tmp_file(clamd_tmp_t)
+@@ -64,6 +81,8 @@ logging_log_file(freshclam_var_log_t)
+
+ allow clamd_t self:capability { kill setgid setuid dac_override };
+ dontaudit clamd_t self:capability sys_tty_config;
++allow clamd_t self:process signal;
++
+ allow clamd_t self:fifo_file rw_fifo_file_perms;
+ allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow clamd_t self:unix_dgram_socket create_socket_perms;
+@@ -80,6 +99,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+ files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
+
+ # var/lib files for clamd
++manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+ manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+ manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+
+@@ -89,9 +109,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+ logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
+
+ # pid file
++manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+ manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+ manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
+-files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
++files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir })
+
+ kernel_dontaudit_list_proc(clamd_t)
+ kernel_read_sysctl(clamd_t)
+@@ -100,7 +121,6 @@ kernel_read_system_state(clamd_t)
+
+ corecmd_exec_shell(clamd_t)
+
+-corenet_all_recvfrom_unlabeled(clamd_t)
+ corenet_all_recvfrom_netlabel(clamd_t)
+ corenet_tcp_sendrecv_generic_if(clamd_t)
+ corenet_tcp_sendrecv_generic_node(clamd_t)
+@@ -110,6 +130,7 @@ corenet_tcp_bind_generic_node(clamd_t)
+ corenet_tcp_bind_clamd_port(clamd_t)
+ corenet_tcp_bind_generic_port(clamd_t)
+ corenet_tcp_connect_generic_port(clamd_t)
++corenet_tcp_connect_clamd_port(clamd_t)
+ corenet_sendrecv_clamd_server_packets(clamd_t)
+
+ dev_read_rand(clamd_t)
+@@ -117,7 +138,6 @@ dev_read_urand(clamd_t)
+
+ domain_use_interactive_fds(clamd_t)
+
+-files_read_etc_files(clamd_t)
+ files_read_etc_runtime_files(clamd_t)
+ files_search_spool(clamd_t)
+
+@@ -125,30 +145,51 @@ auth_use_nsswitch(clamd_t)
+
+ logging_send_syslog_msg(clamd_t)
+
+-miscfiles_read_localization(clamd_t)
+-
+-cron_use_fds(clamd_t)
+-cron_use_system_job_fds(clamd_t)
+-cron_rw_pipes(clamd_t)
+-
+-mta_read_config(clamd_t)
+-mta_send_mail(clamd_t)
+-
+ optional_policy(`
+ amavis_read_lib_files(clamd_t)
+ amavis_read_spool_files(clamd_t)
+- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
++ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
+ amavis_create_pid_files(clamd_t)
+ ')
+
+ optional_policy(`
++ cron_use_fds(clamd_t)
++ cron_use_system_job_fds(clamd_t)
++ cron_rw_pipes(clamd_t)
++')
++
++optional_policy(`
+ exim_read_spool_files(clamd_t)
+ ')
+
++optional_policy(`
++ mta_read_config(clamd_t)
++ mta_send_mail(clamd_t)
++')
++
++optional_policy(`
++ spamd_stream_connect(clamd_t)
++ spamassassin_read_pid_files(clamd_t)
++')
++
+ tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
+-', `
++ allow clamscan_t self:process execmem;
++',`
+ dontaudit clamd_t self:process execmem;
++ dontaudit clamscan_t self:process execmem;
++')
++
++optional_policy(`
++ antivirus_domain_template(clamd_t)
++')
++
++optional_policy(`
++ antivirus_domain_template(clamscan_t)
++')
++
++optional_policy(`
++ antivirus_domain_template(freshclam_t)
+ ')
+
+ ########################################
+@@ -178,17 +219,27 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+
+ # log files (own logfiles only)
+ manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
+-allow freshclam_t freshclam_var_log_t:dir setattr;
+-allow freshclam_t clamd_var_log_t:dir search_dir_perms;
++allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
++read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
+ logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+
+-corenet_all_recvfrom_unlabeled(freshclam_t)
++kernel_dontaudit_list_proc(freshclam_t)
++kernel_read_kernel_sysctls(freshclam_t)
++kernel_read_network_state(freshclam_t)
++kernel_read_system_state(freshclam_t)
++
++corecmd_exec_shell(freshclam_t)
++corecmd_exec_bin(freshclam_t)
++
+ corenet_all_recvfrom_netlabel(freshclam_t)
+ corenet_tcp_sendrecv_generic_if(freshclam_t)
+ corenet_tcp_sendrecv_generic_node(freshclam_t)
+ corenet_tcp_sendrecv_all_ports(freshclam_t)
+ corenet_tcp_sendrecv_clamd_port(freshclam_t)
+ corenet_tcp_connect_http_port(freshclam_t)
++corenet_tcp_connect_http_cache_port(freshclam_t)
++corenet_tcp_connect_clamd_port(freshclam_t)
++corenet_tcp_connect_squid_port(freshclam_t)
+ corenet_sendrecv_http_client_packets(freshclam_t)
+
+ dev_read_rand(freshclam_t)
+@@ -196,27 +247,32 @@ dev_read_urand(freshclam_t)
+
+ domain_use_interactive_fds(freshclam_t)
+
+-files_read_etc_files(freshclam_t)
++files_search_var_lib(freshclam_t)
+ files_read_etc_runtime_files(freshclam_t)
++files_read_usr_files(freshclam_t)
+
+ auth_use_nsswitch(freshclam_t)
+
+ logging_send_syslog_msg(freshclam_t)
+
+-miscfiles_read_localization(freshclam_t)
+-
+ clamav_stream_connect(freshclam_t)
+
+-optional_policy(`
+- cron_system_entry(freshclam_t, freshclam_exec_t)
+-')
++userdom_stream_connect(freshclam_t)
+
+ tunable_policy(`clamd_use_jit',`
+ allow freshclam_t self:process execmem;
+-', `
++',`
+ dontaudit freshclam_t self:process execmem;
+ ')
+
++optional_policy(`
++ clamd_systemctl(freshclam_t)
++')
++
++optional_policy(`
++ cron_system_entry(freshclam_t, freshclam_exec_t)
++')
++
+ ########################################
+ #
+ # clamscam local policy
+@@ -242,15 +298,39 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+ manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
+ allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
+
+-corenet_all_recvfrom_unlabeled(clamscan_t)
++read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t)
++allow clamscan_t clamd_var_run_t:dir list_dir_perms;
++
++kernel_dontaudit_list_proc(clamscan_t)
++kernel_read_system_state(clamscan_t)
++
+ corenet_all_recvfrom_netlabel(clamscan_t)
+ corenet_tcp_sendrecv_generic_if(clamscan_t)
+ corenet_tcp_sendrecv_generic_node(clamscan_t)
+ corenet_tcp_sendrecv_all_ports(clamscan_t)
+ corenet_tcp_sendrecv_clamd_port(clamscan_t)
++corenet_tcp_bind_generic_node(clamscan_t)
+ corenet_tcp_connect_clamd_port(clamscan_t)
+
++corecmd_read_all_executables(clamscan_t)
++
++tunable_policy(`clamscan_read_user_content',`
++ userdom_read_user_home_content_files(clamscan_t)
++ userdom_dontaudit_read_user_home_content_files(clamscan_t)
++')
++
++tunable_policy(`clamscan_can_scan_system',`
++ files_read_non_security_files(clamscan_t)
++ files_getattr_all_pipes(clamscan_t)
++ files_getattr_all_sockets(clamscan_t)
++
++ files_read_non_security_files(clamd_t)
++ files_getattr_all_pipes(clamd_t)
++ files_getattr_all_sockets(clamd_t)
++')
++
+ kernel_read_kernel_sysctls(clamscan_t)
++kernel_read_system_state(clamscan_t)
+
+ files_read_etc_files(clamscan_t)
+ files_read_etc_runtime_files(clamscan_t)
+@@ -259,15 +339,15 @@ files_search_var_lib(clamscan_t)
+ init_read_utmp(clamscan_t)
+ init_dontaudit_write_utmp(clamscan_t)
+
+-miscfiles_read_localization(clamscan_t)
+ miscfiles_read_public_files(clamscan_t)
+
+ clamav_stream_connect(clamscan_t)
+
+-mta_send_mail(clamscan_t)
++sysnet_read_config(clamscan_t)
+
+ optional_policy(`
+- amavis_read_spool_files(clamscan_t)
++ mta_send_mail(clamscan_t)
++ mta_read_queue(clamscan_t)
+ ')
+
+ optional_policy(`
+diff --git a/clockspeed.te b/clockspeed.te
+index b40f3f7..e8c9c35 100644
+--- a/clockspeed.te
++++ b/clockspeed.te
+@@ -26,7 +26,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
+
+ read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+
+-corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
+ corenet_all_recvfrom_netlabel(clockspeed_cli_t)
+ corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
+ corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
+@@ -36,9 +35,8 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
+ files_list_var_lib(clockspeed_cli_t)
+ files_read_etc_files(clockspeed_cli_t)
+
+-miscfiles_read_localization(clockspeed_cli_t)
+
+-userdom_use_user_terminals(clockspeed_cli_t)
++userdom_use_inherited_user_terminals(clockspeed_cli_t)
+
+ ########################################
+ #
+@@ -53,7 +51,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
+ manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+ manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+
+-corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
+ corenet_all_recvfrom_netlabel(clockspeed_srv_t)
+ corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
+ corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
+@@ -65,7 +62,6 @@ corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)
+ files_read_etc_files(clockspeed_srv_t)
+ files_list_var_lib(clockspeed_srv_t)
+
+-miscfiles_read_localization(clockspeed_srv_t)
+
+ optional_policy(`
+ daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
+diff --git a/clogd.te b/clogd.te
+index 6077339..d44d33f 100644
+--- a/clogd.te
++++ b/clogd.te
+@@ -46,8 +46,6 @@ storage_raw_write_fixed_disk(clogd_t)
+
+ logging_send_syslog_msg(clogd_t)
+
+-miscfiles_read_localization(clogd_t)
+-
+ optional_policy(`
+ aisexec_stream_connect(clogd_t)
+ corosync_stream_connect(clogd_t)
+diff --git a/cloudform.fc b/cloudform.fc
+new file mode 100644
+index 0000000..8a40857
+--- /dev/null
++++ b/cloudform.fc
+@@ -0,0 +1,22 @@
++/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
++
++/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
++/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
++/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
++
++/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
++
++/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
++/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0)
++
++/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
++/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0)
++/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
++/var/log/mongo(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
++/var/log/mongo/mongod\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
++/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
++
++/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0)
++/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
++/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
+diff --git a/cloudform.if b/cloudform.if
+new file mode 100644
+index 0000000..8ac848b
+--- /dev/null
++++ b/cloudform.if
+@@ -0,0 +1,42 @@
++## cloudform policy
++
++#######################################
++##
++## Creates types and rules for a basic
++## cloudform daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`cloudform_domain_template',`
++ gen_require(`
++ attribute cloudform_domain;
++ ')
++
++ type $1_t, cloudform_domain;
++ type $1_exec_t;
++ init_daemon_domain($1_t, $1_exec_t)
++
++ kernel_read_system_state($1_t)
++')
++
++######################################
++##
++## Execute mongod in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cloudform_exec_mongod',`
++ gen_require(`
++ type mongod_exec_t;
++ ')
++
++ can_exec($1, mongod_exec_t)
++')
+diff --git a/cloudform.te b/cloudform.te
+new file mode 100644
+index 0000000..b73fed6
+--- /dev/null
++++ b/cloudform.te
+@@ -0,0 +1,201 @@
++policy_module(cloudform, 1.0)
++########################################
++#
++# Declarations
++#
++
++attribute cloudform_domain;
++
++cloudform_domain_template(deltacloudd)
++cloudform_domain_template(iwhd)
++cloudform_domain_template(mongod)
++
++type deltacloudd_log_t;
++logging_log_file(deltacloudd_log_t)
++
++type deltacloudd_var_run_t;
++files_pid_file(deltacloudd_var_run_t)
++
++type deltacloudd_tmp_t;
++files_tmp_file(deltacloudd_tmp_t)
++
++type iwhd_initrc_exec_t;
++init_script_file(iwhd_initrc_exec_t)
++
++type iwhd_var_lib_t;
++files_type(iwhd_var_lib_t)
++
++type iwhd_var_run_t;
++files_pid_file(iwhd_var_run_t)
++
++type mongod_initrc_exec_t;
++init_script_file(mongod_initrc_exec_t)
++
++type mongod_log_t;
++logging_log_file(mongod_log_t)
++
++type mongod_var_lib_t;
++files_type(mongod_var_lib_t)
++
++type mongod_tmp_t;
++files_tmp_file(mongod_tmp_t)
++
++type mongod_var_run_t;
++files_pid_file(mongod_var_run_t)
++
++type iwhd_log_t;
++logging_log_file(iwhd_log_t)
++
++########################################
++#
++# cloudform_domain local policy
++#
++
++allow cloudform_domain self:fifo_file rw_fifo_file_perms;
++allow cloudform_domain self:tcp_socket create_stream_socket_perms;
++
++dev_read_rand(cloudform_domain)
++dev_read_urand(cloudform_domain)
++dev_read_sysfs(cloudform_domain)
++
++files_read_etc_files(cloudform_domain)
++
++auth_read_passwd(cloudform_domain)
++
++miscfiles_read_certs(cloudform_domain)
++
++########################################
++#
++# deltacloudd local policy
++#
++
++allow deltacloudd_t self:capability { dac_override setuid setgid };
++
++allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
++allow deltacloudd_t self:udp_socket create_socket_perms;
++
++allow deltacloudd_t self:process signal;
++
++allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
++allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
++allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
++manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
++files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
++
++manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
++
++manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
++manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
++logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
++
++kernel_read_kernel_sysctls(deltacloudd_t)
++kernel_read_system_state(deltacloudd_t)
++
++corecmd_exec_bin(deltacloudd_t)
++
++corenet_tcp_bind_generic_node(deltacloudd_t)
++corenet_tcp_bind_generic_port(deltacloudd_t)
++corenet_tcp_connect_http_port(deltacloudd_t)
++corenet_tcp_connect_keystone_port(deltacloudd_t)
++
++auth_use_nsswitch(deltacloudd_t)
++
++files_read_usr_files(deltacloudd_t)
++
++logging_send_syslog_msg(deltacloudd_t)
++
++optional_policy(`
++ sysnet_read_config(deltacloudd_t)
++')
++
++########################################
++#
++# iwhd local policy
++#
++
++allow iwhd_t self:capability { chown kill };
++allow iwhd_t self:process { fork };
++
++allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
++allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
++manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
++
++manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
++logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
++
++manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
++manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
++files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
++
++kernel_read_system_state(iwhd_t)
++
++corenet_tcp_bind_generic_node(iwhd_t)
++corenet_tcp_bind_websm_port(iwhd_t)
++corenet_tcp_connect_all_ports(iwhd_t)
++
++dev_read_rand(iwhd_t)
++dev_read_urand(iwhd_t)
++
++userdom_home_manager(iwhd_t)
++
++########################################
++#
++# mongod local policy
++#
++
++allow mongod_t self:process { execmem setsched signal };
++
++allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
++allow mongod_t self:unix_stream_socket create_stream_socket_perms;
++allow mongod_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
++manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
++logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
++logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")
++
++manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
++manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
++
++manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
++
++manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
++manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
++#needed by dbomatic
++files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
++
++corecmd_exec_bin(mongod_t)
++corecmd_exec_shell(mongod_t)
++
++corenet_tcp_bind_generic_node(mongod_t)
++corenet_tcp_bind_mongod_port(mongod_t)
++corenet_tcp_connect_postgresql_port(mongod_t)
++
++kernel_read_vm_sysctls(mongod_t)
++kernel_read_system_state(mongod_t)
++
++files_read_usr_files(mongod_t)
++
++fs_getattr_all_fs(mongod_t)
++
++optional_policy(`
++ mysql_stream_connect(mongod_t)
++')
++
++optional_policy(`
++ postgresql_stream_connect(mongod_t)
++')
++
++optional_policy(`
++ sysnet_dns_name_resolve(mongod_t)
++')
+diff --git a/cmirrord.if b/cmirrord.if
+index f8463c0..cc4d9ef 100644
+--- a/cmirrord.if
++++ b/cmirrord.if
+@@ -70,10 +70,11 @@ interface(`cmirrord_rw_shm',`
+ type cmirrord_t, cmirrord_tmpfs_t;
+ ')
+
+- allow $1 cmirrord_t:shm rw_shm_perms;
++ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
+
+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ fs_search_tmpfs($1)
+ ')
+@@ -100,9 +101,13 @@ interface(`cmirrord_admin',`
+ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
+ ')
+
+- allow $1 cmirrord_t:process { ptrace signal_perms };
++ allow $1 cmirrord_t:process signal_perms;
+ ps_process_pattern($1, cmirrord_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cmirrord_t:process ptrace;
++ ')
++
+ cmirrord_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cmirrord_initrc_exec_t system_r;
+diff --git a/cmirrord.te b/cmirrord.te
+index 28fdd8a..5605ed7 100644
+--- a/cmirrord.te
++++ b/cmirrord.te
+@@ -51,8 +51,6 @@ seutil_read_file_contexts(cmirrord_t)
+
+ logging_send_syslog_msg(cmirrord_t)
+
+-miscfiles_read_localization(cmirrord_t)
+-
+ optional_policy(`
+ corosync_stream_connect(cmirrord_t)
+ ')
+diff --git a/cobbler.fc b/cobbler.fc
+index 1cf6c4e..0858f92 100644
+--- a/cobbler.fc
++++ b/cobbler.fc
+@@ -1,7 +1,35 @@
+-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
+-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
+
+-/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
++/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)
++
++/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/cobblerd.* -- gen_context(system_u:object_r:cobblerd_unit_file_t,s0)
++
++/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
++
++/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++
++/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++
++/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
++
++# This should removable when cobbler package installs /var/www/cobbler/rendered
++/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
++
++/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
+-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
+diff --git a/cobbler.if b/cobbler.if
+index 116d60f..e2c6ec6 100644
+--- a/cobbler.if
++++ b/cobbler.if
+@@ -1,12 +1,12 @@
+ ## Cobbler installation server.
+ ##
+ ##
+-## Cobbler is a Linux installation server that allows for
+-## rapid setup of network installation environments. It
+-## glues together and automates many associated Linux
+-## tasks so you do not have to hop between lots of various
+-## commands and applications when rolling out new systems,
+-## and, in some cases, changing existing ones.
++## Cobbler is a Linux installation server that allows for
++## rapid setup of network installation environments. It
++## glues together and automates many associated Linux
++## tasks so you do not have to hop between lots of various
++## commands and applications when rolling out new systems,
++## and, in some cases, changing existing ones.
+ ##
+ ##
+
+@@ -15,9 +15,9 @@
+ ## Execute a domain transition to run cobblerd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`cobblerd_domtrans',`
+@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
+ ')
+
+ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
++ corecmd_search_bin($1)
+ ')
+
+ ########################################
+@@ -48,7 +49,7 @@ interface(`cobblerd_initrc_domtrans',`
+
+ ########################################
+ ##
+-## Read Cobbler content in /etc
++## List Cobbler configuration.
+ ##
+ ##
+ ##
+@@ -56,19 +57,18 @@ interface(`cobblerd_initrc_domtrans',`
+ ##
+ ##
+ #
+-interface(`cobbler_read_config',`
++interface(`cobbler_list_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
++ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read and write
+-## Cobbler log files (leaked fd).
++## Read Cobbler configuration files.
+ ##
+ ##
+ ##
+@@ -76,12 +76,13 @@ interface(`cobbler_read_config',`
+ ##
+ ##
+ #
+-interface(`cobbler_dontaudit_rw_log',`
++interface(`cobbler_read_config',`
+ gen_require(`
+- type cobbler_var_log_t;
++ type cobbler_etc_t;
+ ')
+
+- dontaudit $1 cobbler_var_log_t:file rw_file_perms;
++ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
++ files_search_etc($1)
+ ')
+
+ ########################################
+@@ -100,6 +101,7 @@ interface(`cobbler_search_lib',`
+ ')
+
+ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+ ')
+
+@@ -119,6 +121,7 @@ interface(`cobbler_read_lib_files',`
+ ')
+
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+ ')
+
+@@ -137,12 +140,56 @@ interface(`cobbler_manage_lib_files',`
+ type cobbler_var_lib_t;
+ ')
+
++ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+ ')
+
+ ########################################
+ ##
++## Do not audit attempts to read and write
++## Cobbler log files (leaked fd).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`cobbler_dontaudit_rw_log',`
++ gen_require(`
++ type cobbler_var_log_t;
++ ')
++
++ dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Execute cobblerd server in the cobblerd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cobblerd_systemctl',`
++ gen_require(`
++ type cobblerd_t;
++ type cobblerd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 cobblerd_unit_file_t:file read_file_perms;
++ allow $1 cobblerd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, cobblerd_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an cobblerd environment
+ ##
+@@ -161,25 +208,43 @@ interface(`cobbler_manage_lib_files',`
+ interface(`cobblerd_admin',`
+ gen_require(`
+ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+- type cobbler_etc_t, cobblerd_initrc_exec_t;
++ type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
++ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
++ type cobblerd_unit_file_t;
+ ')
+
+- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, cobblerd_t, cobblerd_t)
++ allow $1 cobblerd_t:process signal_perms;
++ ps_process_pattern($1, cobblerd_t)
+
+- files_search_etc($1)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cobblerd_t:process ptrace;
++ ')
++
++ files_list_etc($1)
+ admin_pattern($1, cobbler_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, cobbler_var_lib_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, cobbler_var_log_t)
+
++ apache_list_sys_content($1)
++ admin_pattern($1, httpd_cobbler_content_t)
++ admin_pattern($1, httpd_cobbler_content_ra_t)
+ admin_pattern($1, httpd_cobbler_content_rw_t)
+
+ cobblerd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cobblerd_initrc_exec_t system_r;
+ allow $2 system_r;
++
++ optional_policy(`
++ # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
++ tftp_search_rw_content($1)
++ ')
++
++ cobblerd_systemctl($1)
++ admin_pattern($1, cobblerd_unit_file_t)
++ allow $1 cobblerd_unit_file_t:service all_service_perms;
+ ')
+diff --git a/cobbler.te b/cobbler.te
+index 0258b48..c68160d 100644
+--- a/cobbler.te
++++ b/cobbler.te
+@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
+ #
+
+ ##
+-##
+-## Allow Cobbler to modify public files
+-## used for public file transfer services.
+-##
++##
++## Allow Cobbler to modify public files
++## used for public file transfer services.
++##
+ ##
+ gen_tunable(cobbler_anon_write, false)
+
++##
++##
++## Allow Cobbler to connect to the
++## network using TCP.
++##
++##
++gen_tunable(cobbler_can_network_connect, false)
++
++##
++##
++## Allow Cobbler to access cifs file systems.
++##
++##
++gen_tunable(cobbler_use_cifs, false)
++
++##
++##
++## Allow Cobbler to access nfs file systems.
++##
++##
++gen_tunable(cobbler_use_nfs, false)
++
+ type cobblerd_t;
+ type cobblerd_exec_t;
+ init_daemon_domain(cobblerd_t, cobblerd_exec_t)
+@@ -26,25 +48,43 @@ files_config_file(cobbler_etc_t)
+ type cobbler_var_log_t;
+ logging_log_file(cobbler_var_log_t)
+
+-type cobbler_var_lib_t;
++type cobbler_var_lib_t alias cobbler_content_t;
+ files_type(cobbler_var_lib_t)
+
++type cobbler_tmp_t;
++files_tmp_file(cobbler_tmp_t)
++
++type cobblerd_unit_file_t;
++systemd_unit_file(cobblerd_unit_file_t)
++
+ ########################################
+ #
+ # Cobbler personal policy.
+ #
+
+-allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
++allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
++dontaudit cobblerd_t self:capability sys_tty_config;
++
+ allow cobblerd_t self:process { getsched setsched signal };
+ allow cobblerd_t self:fifo_file rw_fifo_file_perms;
++allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
+ allow cobblerd_t self:tcp_socket create_stream_socket_perms;
++allow cobblerd_t self:udp_socket create_socket_perms;
++allow cobblerd_t self:unix_dgram_socket create_socket_perms;
+
+ list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+ read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+
++# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
++dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;
++
+ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+-files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
++manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
++files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })
++
++# Something really needs to write to cobbler.log. Ideally this should not be happening.
++allow cobblerd_t cobbler_var_log_t:file write;
+
+ append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+ create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+@@ -52,57 +92,131 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+ logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+
++manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
++manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
++files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
++
+ kernel_read_system_state(cobblerd_t)
++kernel_dontaudit_search_network_state(cobblerd_t)
++
++auth_read_passwd(cobblerd_t)
+
+ corecmd_exec_bin(cobblerd_t)
+ corecmd_exec_shell(cobblerd_t)
+
+ corenet_all_recvfrom_netlabel(cobblerd_t)
+-corenet_all_recvfrom_unlabeled(cobblerd_t)
+ corenet_sendrecv_cobbler_server_packets(cobblerd_t)
+ corenet_tcp_bind_cobbler_port(cobblerd_t)
+ corenet_tcp_bind_generic_node(cobblerd_t)
+ corenet_tcp_sendrecv_generic_if(cobblerd_t)
+ corenet_tcp_sendrecv_generic_node(cobblerd_t)
+ corenet_tcp_sendrecv_generic_port(cobblerd_t)
++corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
++# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
++corenet_tcp_connect_ftp_port(cobblerd_t)
++corenet_tcp_connect_all_ephemeral_ports(cobblerd_t)
++corenet_tcp_sendrecv_ftp_port(cobblerd_t)
++corenet_sendrecv_ftp_client_packets(cobblerd_t)
++corenet_tcp_connect_http_port(cobblerd_t)
++corenet_tcp_sendrecv_http_port(cobblerd_t)
++corenet_sendrecv_http_client_packets(cobblerd_t)
+
+ dev_read_urand(cobblerd_t)
+
++domain_dontaudit_exec_all_entry_files(cobblerd_t)
++domain_dontaudit_read_all_domains_state(cobblerd_t)
++
++files_read_etc_files(cobblerd_t)
++# mtab
++files_read_etc_runtime_files(cobblerd_t)
+ files_read_usr_files(cobblerd_t)
+ files_list_boot(cobblerd_t)
++files_read_boot_files(cobblerd_t)
+ files_list_tmp(cobblerd_t)
+-# read /etc/nsswitch.conf
+-files_read_etc_files(cobblerd_t)
+
+-miscfiles_read_localization(cobblerd_t)
++# read from mounted images (install media)
++fs_read_iso9660_files(cobblerd_t)
++
++auth_read_passwd(cobblerd_t)
++
++init_dontaudit_read_all_script_files(cobblerd_t)
++
++term_use_console(cobblerd_t)
++
++logging_send_syslog_msg(cobblerd_t)
++
+ miscfiles_read_public_files(cobblerd_t)
+
++selinux_get_enforce_mode(cobblerd_t)
++
+ sysnet_read_config(cobblerd_t)
+ sysnet_rw_dhcp_config(cobblerd_t)
+ sysnet_write_config(cobblerd_t)
+
++userdom_dontaudit_use_user_terminals(cobblerd_t)
++userdom_dontaudit_search_user_home_dirs(cobblerd_t)
++userdom_dontaudit_search_admin_dir(cobblerd_t)
++
+ tunable_policy(`cobbler_anon_write',`
+ miscfiles_manage_public_files(cobblerd_t)
+ ')
+
++tunable_policy(`cobbler_can_network_connect',`
++ corenet_tcp_connect_all_ports(cobblerd_t)
++ corenet_tcp_sendrecv_all_ports(cobblerd_t)
++ corenet_sendrecv_all_client_packets(cobblerd_t)
++')
++
++tunable_policy(`cobbler_use_cifs',`
++ fs_manage_cifs_dirs(cobblerd_t)
++ fs_manage_cifs_files(cobblerd_t)
++ fs_manage_cifs_symlinks(cobblerd_t)
++')
++
++tunable_policy(`cobbler_use_nfs',`
++ fs_manage_nfs_dirs(cobblerd_t)
++ fs_manage_nfs_files(cobblerd_t)
++ fs_manage_nfs_symlinks(cobblerd_t)
++')
++
++optional_policy(`
++ # Cobbler traverses /var/www to get to /var/www/cobbler/*
++ apache_search_sys_content(cobblerd_t)
++')
++
+ optional_policy(`
+ bind_read_config(cobblerd_t)
+ bind_write_config(cobblerd_t)
+ bind_domtrans_ndc(cobblerd_t)
+ bind_domtrans(cobblerd_t)
+ bind_initrc_domtrans(cobblerd_t)
++ bind_systemctl(cobblerd_t)
+ bind_manage_zone(cobblerd_t)
+ ')
+
+ optional_policy(`
++ certmaster_exec(cobblerd_t)
++')
++
++optional_policy(`
+ dhcpd_domtrans(cobblerd_t)
+ dhcpd_initrc_domtrans(cobblerd_t)
++ dhcpd_systemctl(cobblerd_t)
+ ')
+
+ optional_policy(`
+ dnsmasq_domtrans(cobblerd_t)
+ dnsmasq_initrc_domtrans(cobblerd_t)
+ dnsmasq_write_config(cobblerd_t)
++ dnsmasq_systemctl(cobblerd_t)
++')
++
++optional_policy(`
++ gnome_dontaudit_search_config(cobblerd_t)
++')
++
++optional_policy(`
++ puppet_domtrans_puppetca(cobblerd_t)
+ ')
+
+ optional_policy(`
+@@ -110,12 +224,21 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- rsync_read_config(cobblerd_t)
+- rsync_write_config(cobblerd_t)
++ rsync_exec(cobblerd_t)
++ rsync_manage_config(cobblerd_t)
++ # cobbler creates /etc/rsync.conf if its not there.
++ rsync_filetrans_config(cobblerd_t, file)
+ ')
+
+ optional_policy(`
+- tftp_manage_rw_content(cobblerd_t)
++ # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images.
++ # tftp_manage_rw_content(cobblerd_t) can be used instead if:
++ # 1. cobbler package installs /var/lib/tftpdir/images.
++ # 2. no FILES in /var/lib/TFTPDIR are hard linked.
++ # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
++ # are any of those hard linked?
++ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
++ tftp_manage_config(cobblerd_t)
+ ')
+
+ ########################################
+@@ -123,6 +246,10 @@ optional_policy(`
+ # Cobbler web local policy.
+ #
+
+-apache_content_template(cobbler)
+-manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+-manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
++optional_policy(`
++ apache_content_template(cobbler)
++
++ list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t)
++ manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
++ manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
++')
+diff --git a/collectd.fc b/collectd.fc
+new file mode 100644
+index 0000000..2e1007b
+--- /dev/null
++++ b/collectd.fc
+@@ -0,0 +1,13 @@
++
++/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
++
++/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
++
++/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
++
++/var/run/collectd\.pid gen_context(system_u:object_r:collectd_var_run_t,s0)
++
++/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
++
+diff --git a/collectd.if b/collectd.if
+new file mode 100644
+index 0000000..40415f8
+--- /dev/null
++++ b/collectd.if
+@@ -0,0 +1,186 @@
++
++## policy for collectd
++
++########################################
++##
++## Transition to collectd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`collectd_domtrans',`
++ gen_require(`
++ type collectd_t, collectd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, collectd_exec_t, collectd_t)
++')
++
++
++########################################
++##
++## Execute collectd server in the collectd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`collectd_initrc_domtrans',`
++ gen_require(`
++ type collectd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, collectd_initrc_exec_t)
++')
++
++
++########################################
++##
++## Search collectd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`collectd_search_lib',`
++ gen_require(`
++ type collectd_var_lib_t;
++ ')
++
++ allow $1 collectd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read collectd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`collectd_read_lib_files',`
++ gen_require(`
++ type collectd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
++')
++
++########################################
++##
++## Manage collectd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`collectd_manage_lib_files',`
++ gen_require(`
++ type collectd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
++')
++
++########################################
++##
++## Manage collectd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`collectd_manage_lib_dirs',`
++ gen_require(`
++ type collectd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
++')
++
++########################################
++##
++## Execute collectd server in the collectd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`collectd_systemctl',`
++ gen_require(`
++ type collectd_t;
++ type collectd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 collectd_unit_file_t:file read_file_perms;
++ allow $1 collectd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, collectd_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an collectd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`collectd_admin',`
++ gen_require(`
++ type collectd_t;
++ type collectd_initrc_exec_t;
++ type collectd_var_lib_t;
++ type collectd_unit_file_t;
++ ')
++
++ allow $1 collectd_t:process signal_perms;
++ ps_process_pattern($1, collectd_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 collectd_t:process ptrace;
++ ')
++
++ collectd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 collectd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_var_lib($1)
++ admin_pattern($1, collectd_var_lib_t)
++
++ collectd_systemctl($1)
++ admin_pattern($1, collectd_unit_file_t)
++ allow $1 collectd_unit_file_t:service all_service_perms;
++')
++
+diff --git a/collectd.te b/collectd.te
+new file mode 100644
+index 0000000..cb6dbe6
+--- /dev/null
++++ b/collectd.te
+@@ -0,0 +1,89 @@
++policy_module(collectd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##
++## Allow collectd to connect to the
++## network using TCP.
++##
++##
++gen_tunable(collectd_can_network_connect, false)
++
++type collectd_t;
++type collectd_exec_t;
++init_daemon_domain(collectd_t, collectd_exec_t)
++
++type collectd_initrc_exec_t;
++init_script_file(collectd_initrc_exec_t)
++
++type collectd_var_lib_t;
++files_type(collectd_var_lib_t)
++
++type collectd_var_run_t;
++files_pid_file(collectd_var_run_t)
++
++type collectd_unit_file_t;
++systemd_unit_file(collectd_unit_file_t)
++
++########################################
++#
++# collectd local policy
++#
++
++allow collectd_t self:capability { ipc_lock sys_nice };
++allow collectd_t self:process { getsched setsched signal fork };
++
++allow collectd_t self:fifo_file rw_fifo_file_perms;
++allow collectd_t self:packet_socket create_socket_perms;
++allow collectd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
++manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
++files_var_lib_filetrans(collectd_t, collectd_var_lib_t, { dir file })
++
++manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
++manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
++files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file })
++
++domain_use_interactive_fds(collectd_t)
++
++kernel_read_network_state(collectd_t)
++kernel_read_net_sysctls(collectd_t)
++kernel_read_system_state(collectd_t)
++
++dev_read_sysfs(collectd_t)
++dev_read_urand(collectd_t)
++dev_read_rand(collectd_t)
++
++files_getattr_all_dirs(collectd_t)
++files_read_etc_files(collectd_t)
++files_read_usr_files(collectd_t)
++
++fs_getattr_all_fs(collectd_t)
++
++logging_send_syslog_msg(collectd_t)
++
++sysnet_dns_name_resolve(collectd_t)
++
++tunable_policy(`collectd_can_network_connect',`
++ corenet_tcp_connect_all_ports(collectd_t)
++ corenet_tcp_sendrecv_all_ports(collectd_t)
++ corenet_sendrecv_all_client_packets(collectd_t)
++')
++
++optional_policy(`
++ apache_content_template(collectd)
++
++ files_search_var_lib(httpd_collectd_script_t)
++ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
++')
++
++optional_policy(`
++ virt_read_config(collectd_t)
++')
+diff --git a/colord.fc b/colord.fc
+index 78b2fea..ef975ac 100644
+--- a/colord.fc
++++ b/colord.fc
+@@ -1,4 +1,7 @@
+ /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
++/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
++
++/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
+
+ /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+ /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+diff --git a/colord.if b/colord.if
+index 733e4e6..fa2c3cb 100644
+--- a/colord.if
++++ b/colord.if
+@@ -57,3 +57,26 @@ interface(`colord_read_lib_files',`
+ files_search_var_lib($1)
+ read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
+ ')
++
++########################################
++##
++## Execute colord server in the colord domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`colord_systemctl',`
++ gen_require(`
++ type colord_t;
++ type colord_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 colord_unit_file_t:file read_file_perms;
++ allow $1 colord_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, colord_t)
++')
+diff --git a/colord.te b/colord.te
+index 74505cc..10d9a27 100644
+--- a/colord.te
++++ b/colord.te
+@@ -8,6 +8,7 @@ policy_module(colord, 1.0.0)
+ type colord_t;
+ type colord_exec_t;
+ dbus_system_domain(colord_t, colord_exec_t)
++init_daemon_domain(colord_t, colord_exec_t)
+
+ type colord_tmp_t;
+ files_tmp_file(colord_tmp_t)
+@@ -18,14 +19,20 @@ files_tmpfs_file(colord_tmpfs_t)
+ type colord_var_lib_t;
+ files_type(colord_var_lib_t)
+
++type colord_unit_file_t;
++systemd_unit_file(colord_unit_file_t)
++
+ ########################################
+ #
+ # colord local policy
+ #
+ allow colord_t self:capability { dac_read_search dac_override };
++dontaudit colord_t self:capability sys_admin;
+ allow colord_t self:process signal;
+ allow colord_t self:fifo_file rw_fifo_file_perms;
+ allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow colord_t self:tcp_socket create_stream_socket_perms;
++allow colord_t self:shm create_shm_perms;
+ allow colord_t self:udp_socket create_socket_perms;
+ allow colord_t self:unix_dgram_socket create_socket_perms;
+
+@@ -41,15 +48,22 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+ manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+ files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
+
+-kernel_getattr_proc_files(colord_t)
++kernel_read_network_state(colord_t)
++kernel_read_system_state(colord_t)
+ kernel_read_device_sysctls(colord_t)
++kernel_request_load_module(colord_t)
++
++# reads *.ini files
++corecmd_exec_bin(colord_t)
++corecmd_exec_shell(colord_t)
+
+-corenet_all_recvfrom_unlabeled(colord_t)
+ corenet_all_recvfrom_netlabel(colord_t)
+ corenet_udp_bind_generic_node(colord_t)
+ corenet_udp_bind_ipp_port(colord_t)
+ corenet_tcp_connect_ipp_port(colord_t)
+
++dev_read_raw_memory(colord_t)
++dev_write_raw_memory(colord_t)
+ dev_read_video_dev(colord_t)
+ dev_write_video_dev(colord_t)
+ dev_rw_printer(colord_t)
+@@ -62,22 +76,36 @@ dev_rw_generic_usb_dev(colord_t)
+ domain_use_interactive_fds(colord_t)
+
+ files_list_mnt(colord_t)
+-files_read_etc_files(colord_t)
+ files_read_usr_files(colord_t)
+
++fs_search_all(colord_t)
++fs_getattr_noxattr_fs(colord_t)
++fs_dontaudit_getattr_all_fs(colord_t)
++fs_list_noxattr_fs(colord_t)
+ fs_read_noxattr_fs_files(colord_t)
+
++storage_getattr_fixed_disk_dev(colord_t)
++storage_getattr_removable_dev(colord_t)
++storage_read_scsi_generic(colord_t)
++storage_write_scsi_generic(colord_t)
++
++auth_use_nsswitch(colord_t)
++
+ logging_send_syslog_msg(colord_t)
+
+-miscfiles_read_localization(colord_t)
++fs_getattr_tmpfs(colord_t)
++userdom_rw_user_tmpfs_files(colord_t)
+
+-sysnet_dns_name_resolve(colord_t)
++userdom_home_reader(colord_t)
++userdom_read_inherited_user_home_content_files(colord_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
++ fs_getattr_nfs(colord_t)
+ fs_read_nfs_files(colord_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
++ fs_getattr_cifs(colord_t)
+ fs_read_cifs_files(colord_t)
+ ')
+
+@@ -89,6 +117,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_read_home_icc_data_content(colord_t)
++ # Fixes lots of breakage in F16 on upgrade
++ gnome_read_generic_data_home_files(colord_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(colord_t)
+ policykit_domtrans_auth(colord_t)
+ policykit_read_lib(colord_t)
+@@ -96,5 +130,19 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ sysnet_exec_ifconfig(colord_t)
++')
++
++optional_policy(`
+ udev_read_db(colord_t)
+ ')
++
++optional_policy(`
++ xserver_dbus_chat_xdm(colord_t)
++ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
++ xserver_read_inherited_xdm_lib_files(colord_t)
++')
++
++optional_policy(`
++ zoneminder_rw_tmpfs_files(colord_t)
++')
+diff --git a/comsat.te b/comsat.te
+index 3d121fd..b64c98c 100644
+--- a/comsat.te
++++ b/comsat.te
+@@ -39,7 +39,6 @@ kernel_read_kernel_sysctls(comsat_t)
+ kernel_read_network_state(comsat_t)
+ kernel_read_system_state(comsat_t)
+
+-corenet_all_recvfrom_unlabeled(comsat_t)
+ corenet_all_recvfrom_netlabel(comsat_t)
+ corenet_tcp_sendrecv_generic_if(comsat_t)
+ corenet_udp_sendrecv_generic_if(comsat_t)
+@@ -51,7 +50,6 @@ dev_read_urand(comsat_t)
+
+ fs_getattr_xattr_fs(comsat_t)
+
+-files_read_etc_files(comsat_t)
+ files_list_usr(comsat_t)
+ files_search_spool(comsat_t)
+ files_search_home(comsat_t)
+@@ -63,8 +61,6 @@ init_dontaudit_write_utmp(comsat_t)
+
+ logging_send_syslog_msg(comsat_t)
+
+-miscfiles_read_localization(comsat_t)
+-
+ userdom_dontaudit_getattr_user_ttys(comsat_t)
+
+ mta_getattr_spool(comsat_t)
+diff --git a/condor.fc b/condor.fc
+new file mode 100644
+index 0000000..b3a5b51
+--- /dev/null
++++ b/condor.fc
+@@ -0,0 +1,21 @@
++/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0)
++
++/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
++/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
++/usr/sbin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0)
++/usr/sbin/condor_schedd -- gen_context(system_u:object_r:condor_schedd_exec_t,s0)
++/usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
++/usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
++/usr/sbin/condor_procd -- gen_context(system_u:object_r:condor_procd_exec_t,s0)
++
++/var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
++
++/var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
++
++/var/lib/condor/spool(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
++
++/var/lock/condor(/.*)? gen_context(system_u:object_r:condor_var_lock_t,s0)
++
++/var/log/condor(/.*)? gen_context(system_u:object_r:condor_log_t,s0)
++
++/var/run/condor(/.*)? gen_context(system_u:object_r:condor_var_run_t,s0)
+diff --git a/condor.if b/condor.if
+new file mode 100644
+index 0000000..8424fdb
+--- /dev/null
++++ b/condor.if
+@@ -0,0 +1,393 @@
++
++## policy for condor
++
++#####################################
++##
++## Creates types and rules for a basic
++## condor init daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`condor_domain_template',`
++ gen_require(`
++ type condor_master_t;
++ attribute condor_domain;
++ ')
++
++ #############################
++ #
++ # Declarations
++ #
++
++ type condor_$1_t, condor_domain;
++ type condor_$1_exec_t;
++ init_daemon_domain(condor_$1_t, condor_$1_exec_t)
++ role system_r types condor_$1_t;
++
++ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
++ allow condor_master_t condor_$1_exec_t:file ioctl;
++
++ kernel_read_system_state(condor_$1_t)
++
++ auth_use_nsswitch(condor_$1_t)
++
++ logging_send_syslog_msg(condor_$1_t)
++')
++
++########################################
++##
++## Transition to condor.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`condor_domtrans',`
++ gen_require(`
++ type condor_t, condor_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, condor_exec_t, condor_t)
++')
++
++#######################################
++##
++## Allows to start userland processes
++## by transitioning to the specified domain,
++## with a range transition.
++##
++##
++##
++## The process type entered by condor_startd.
++##
++##
++##
++##
++## The executable type for the entrypoint.
++##
++##
++##
++##
++## Range for the domain.
++##
++##
++#
++interface(`condor_startd_ranged_domtrans_to',`
++ gen_require(`
++ type sshd_t;
++ ')
++ condor_startd_domtrans_to($1, $2)
++
++
++ ifdef(`enable_mcs',`
++ range_transition condor_startd_t $2:process $3;
++ ')
++
++')
++
++#######################################
++##
++## Allows to start userlandprocesses
++## by transitioning to the specified domain.
++##
++##
++##
++## The process type entered by condor_startd.
++##
++##
++##
++##
++## The executable type for the entrypoint.
++##
++##
++#
++interface(`condor_startd_domtrans_to',`
++ gen_require(`
++ type condor_startd_t;
++ ')
++
++ domtrans_pattern(condor_startd_t, $2, $1)
++')
++
++########################################
++##
++## Read condor's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`condor_read_log',`
++ gen_require(`
++ type condor_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, condor_log_t, condor_log_t)
++')
++
++########################################
++##
++## Append to condor log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_append_log',`
++ gen_require(`
++ type condor_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, condor_log_t, condor_log_t)
++')
++
++########################################
++##
++## Manage condor log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_manage_log',`
++ gen_require(`
++ type condor_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, condor_log_t, condor_log_t)
++ manage_files_pattern($1, condor_log_t, condor_log_t)
++ manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
++')
++
++########################################
++##
++## Search condor lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_search_lib',`
++ gen_require(`
++ type condor_var_lib_t;
++ ')
++
++ allow $1 condor_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read condor lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_read_lib_files',`
++ gen_require(`
++ type condor_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++######################################
++##
++## Read and write condor lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_rw_lib_files',`
++ gen_require(`
++ type condor_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++########################################
++##
++## Manage condor lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_manage_lib_files',`
++ gen_require(`
++ type condor_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++########################################
++##
++## Manage condor lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_manage_lib_dirs',`
++ gen_require(`
++ type condor_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++########################################
++##
++## Read condor PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_read_pid_files',`
++ gen_require(`
++ type condor_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 condor_var_run_t:file read_file_perms;
++')
++
++########################################
++##
++## Execute condor server in the condor domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`condor_systemctl',`
++ gen_require(`
++ type condor_t;
++ type condor_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 condor_unit_file_t:file read_file_perms;
++ allow $1 condor_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, condor_t)
++')
++
++
++#######################################
++##
++## Read and write condor_startd server TCP sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_rw_tcp_sockets_startd',`
++ gen_require(`
++ type condor_startd_t;
++ ')
++
++ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
++')
++
++######################################
++##
++## Read and write condor_schedd server TCP sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_rw_tcp_sockets_schedd',`
++ gen_require(`
++ type condor_schedd_t;
++ ')
++
++ allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an condor environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`condor_admin',`
++ gen_require(`
++ type condor_t;
++ type condor_log_t;
++ type condor_var_lib_t;
++ type condor_var_run_t;
++ type condor_unit_file_t;
++ ')
++
++ allow $1 condor_t:process { ptrace signal_perms };
++ ps_process_pattern($1, condor_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, condor_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, condor_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, condor_var_run_t)
++
++ condor_systemctl($1)
++ admin_pattern($1, condor_unit_file_t)
++ allow $1 condor_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/condor.te b/condor.te
+new file mode 100644
+index 0000000..c2bc300
+--- /dev/null
++++ b/condor.te
+@@ -0,0 +1,240 @@
++policy_module(condor, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##
++## Allow codnor domain to connect to the network using TCP.
++##
++##
++gen_tunable(condor_domain_can_network_connect, false)
++
++attribute condor_domain;
++
++type condor_master_t, condor_domain;
++type condor_master_exec_t;
++init_daemon_domain(condor_master_t, condor_master_exec_t)
++
++condor_domain_template(collector)
++condor_domain_template(negotiator)
++condor_domain_template(schedd)
++condor_domain_template(startd)
++condor_domain_template(procd)
++
++type condor_master_tmp_t;
++files_tmp_file(condor_master_tmp_t)
++
++type condor_schedd_tmp_t;
++files_tmp_file(condor_schedd_tmp_t)
++
++type condor_startd_tmp_t;
++files_tmp_file(condor_startd_tmp_t)
++
++type condor_startd_tmpfs_t;
++files_tmpfs_file(condor_startd_tmpfs_t)
++
++type condor_log_t;
++logging_log_file(condor_log_t)
++
++type condor_var_lib_t;
++files_type(condor_var_lib_t)
++
++type condor_var_lock_t;
++files_lock_file(condor_var_lock_t)
++
++type condor_var_run_t;
++files_pid_file(condor_var_run_t)
++
++type condor_unit_file_t;
++systemd_unit_file(condor_unit_file_t)
++
++########################################
++#
++# condor domain local policy
++#
++
++allow condor_domain self:process signal_perms;
++allow condor_domain self:fifo_file rw_fifo_file_perms;
++
++allow condor_domain self:tcp_socket create_stream_socket_perms;
++allow condor_domain self:udp_socket create_socket_perms;
++allow condor_domain self:unix_stream_socket create_stream_socket_perms;
++
++allow condor_domain condor_master_t:process signull;
++allow condor_domain condor_master_t:tcp_socket getattr;
++
++manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
++manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
++logging_log_filetrans(condor_domain, condor_log_t, { dir file })
++
++manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
++manage_files_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
++files_var_lib_filetrans(condor_domain, condor_var_lib_t, { dir file })
++
++manage_dirs_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t)
++manage_files_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t)
++files_lock_filetrans(condor_domain, condor_var_lock_t, { dir file })
++
++manage_dirs_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
++manage_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
++manage_fifo_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
++files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
++
++kernel_read_network_state(condor_domain)
++kernel_read_kernel_sysctls(condor_domain)
++
++corecmd_exec_bin(condor_domain)
++corecmd_exec_shell(condor_domain)
++
++corenet_tcp_connect_condor_port(condor_domain)
++corenet_tcp_connect_all_ephemeral_ports(condor_domain)
++
++domain_use_interactive_fds(condor_domain)
++
++dev_read_rand(condor_domain)
++dev_read_urand(condor_domain)
++dev_read_sysfs(condor_domain)
++
++files_read_etc_files(condor_domain)
++
++tunable_policy(`condor_domain_can_network_connect',`
++ corenet_tcp_connect_all_ports(condor_domain)
++')
++
++optional_policy(`
++ rhcs_stream_connect_cluster(condor_domain)
++')
++
++optional_policy(`
++ sysnet_dns_name_resolve(condor_domain)
++')
++
++#####################################
++#
++# condor master local policy
++#
++
++allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
++
++allow condor_master_t condor_domain:process { sigkill signal };
++
++manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
++manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
++files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
++
++corenet_tcp_bind_condor_port(condor_master_t)
++corenet_udp_bind_condor_port(condor_master_t)
++corenet_tcp_connect_amqp_port(condor_master_t)
++
++domain_read_all_domains_state(condor_master_t)
++
++optional_policy(`
++ mta_send_mail(condor_master_t)
++ mta_read_config(condor_master_t)
++')
++
++######################################
++#
++# condor collector local policy
++#
++
++allow condor_collector_t self:capability { setuid setgid };
++
++allow condor_collector_t condor_master_t:tcp_socket rw_stream_socket_perms;
++allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
++
++kernel_read_network_state(condor_collector_t)
++
++#####################################
++#
++# condor negotiator local policy
++#
++allow condor_negotiator_t self:capability { setuid setgid };
++allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
++allow condor_negotiator_t condor_master_t:udp_socket getattr;
++
++corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
++
++######################################
++#
++# condor procd local policy
++#
++
++allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace };
++
++allow condor_procd_t self:capability kill;
++allow condor_procd_t condor_startd_t:process sigkill;
++
++domain_read_all_domains_state(condor_procd_t)
++
++#######################################
++#
++# condor schedd local policy
++#
++
++domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
++domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
++
++# dac_override because of /var/log/condor
++allow condor_schedd_t self:capability { setuid chown setgid dac_override };
++allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
++allow condor_schedd_t condor_master_t:udp_socket getattr;
++
++allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
++
++manage_dirs_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
++manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
++files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
++allow condor_schedd_t condor_schedd_tmp_t:file { relabelfrom relabelto };
++
++corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
++
++#####################################
++#
++# condor startd local policy
++#
++
++# also needed by java
++allow condor_startd_t self:capability { setuid net_admin setgid dac_override };
++allow condor_startd_t self:process execmem;
++
++manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
++manage_files_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
++files_tmp_filetrans(condor_startd_t, condor_startd_tmp_t, { file dir })
++allow condor_startd_t condor_startd_tmp_t:file { relabelfrom relabelto };
++
++manage_dirs_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t)
++manage_files_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t)
++fs_tmpfs_filetrans(condor_startd_t, condor_startd_tmpfs_t, { dir file })
++
++can_exec(condor_startd_t, condor_startd_exec_t)
++
++domain_read_all_domains_state(condor_startd_t)
++
++mcs_process_set_categories(condor_startd_t)
++
++init_domtrans_script(condor_startd_t)
++init_initrc_domain(condor_startd_t)
++
++libs_exec_lib_files(condor_startd_t)
++
++files_read_usr_files(condor_startd_t)
++
++optional_policy(`
++ ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
++ ssh_domtrans(condor_startd_t)
++
++ manage_files_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t)
++ manage_dirs_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t)
++
++ optional_policy(`
++ kerberos_use(condor_startd_ssh_t)
++ ')
++')
++
++optional_policy(`
++ unconfined_domain(condor_startd_t)
++')
+diff --git a/consolekit.fc b/consolekit.fc
+index 32233ab..7058d21 100644
+--- a/consolekit.fc
++++ b/consolekit.fc
+@@ -1,3 +1,5 @@
++/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
++
+ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+
+ /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
+diff --git a/consolekit.if b/consolekit.if
+index fd15dfe..aac1e5d 100644
+--- a/consolekit.if
++++ b/consolekit.if
+@@ -20,6 +20,27 @@ interface(`consolekit_domtrans',`
+
+ ########################################
+ ##
++## dontaudit Send and receive messages from
++## consolekit over dbus.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`consolekit_dontaudit_dbus_chat',`
++ gen_require(`
++ type consolekit_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 consolekit_t:dbus send_msg;
++ dontaudit consolekit_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Send and receive messages from
+ ## consolekit over dbus.
+ ##
+@@ -41,6 +62,24 @@ interface(`consolekit_dbus_chat',`
+
+ ########################################
+ ##
++## Dontaudit attempts to read consolekit log files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`consolekit_dontaudit_read_log',`
++ gen_require(`
++ type consolekit_log_t;
++ ')
++
++ dontaudit $1 consolekit_log_t:file read_file_perms;
++')
++
++########################################
++##
+ ## Read consolekit log files.
+ ##
+ ##
+@@ -96,3 +135,64 @@ interface(`consolekit_read_pid_files',`
+ allow $1 consolekit_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+ ')
++
++########################################
++##
++## List consolekit PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`consolekit_list_pid_files',`
++ gen_require(`
++ type consolekit_var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
++')
++
++########################################
++##
++## Allow the domain to read consolekit state files in /proc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`consolekit_read_state',`
++ gen_require(`
++ type consolekit_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, consolekit_t)
++')
++
++########################################
++##
++## Execute consolekit server in the consolekit domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`consolekit_systemctl',`
++ gen_require(`
++ type consolekit_t;
++ type consolekit_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 consolekit_unit_file_t:file read_file_perms;
++ allow $1 consolekit_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, consolekit_t)
++')
+diff --git a/consolekit.te b/consolekit.te
+index 6f2896d..ca0b28a 100644
+--- a/consolekit.te
++++ b/consolekit.te
+@@ -15,12 +15,19 @@ logging_log_file(consolekit_log_t)
+ type consolekit_var_run_t;
+ files_pid_file(consolekit_var_run_t)
+
++type consolekit_tmpfs_t;
++files_tmpfs_file(consolekit_tmpfs_t)
++
++type consolekit_unit_file_t;
++systemd_unit_file(consolekit_unit_file_t)
++
+ ########################################
+ #
+ # consolekit local policy
+ #
+
+ allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
++
+ allow consolekit_t self:process { getsched signal };
+ allow consolekit_t self:fifo_file rw_fifo_file_perms;
+ allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
+@@ -43,9 +50,7 @@ dev_read_sysfs(consolekit_t)
+
+ domain_read_all_domains_state(consolekit_t)
+ domain_use_interactive_fds(consolekit_t)
+-domain_dontaudit_ptrace_all_domains(consolekit_t)
+
+-files_read_etc_files(consolekit_t)
+ files_read_usr_files(consolekit_t)
+ # needs to read /var/lib/dbus/machine-id
+ files_read_var_lib_files(consolekit_t)
+@@ -67,17 +72,17 @@ init_rw_utmp(consolekit_t)
+ logging_send_syslog_msg(consolekit_t)
+ logging_send_audit_msgs(consolekit_t)
+
+-miscfiles_read_localization(consolekit_t)
++systemd_exec_systemctl(consolekit_t)
+
++userdom_read_all_users_state(consolekit_t)
+ userdom_dontaudit_read_user_home_content_files(consolekit_t)
++userdom_dontaudit_getattr_admin_home_files(consolekit_t)
+ userdom_read_user_tmp_files(consolekit_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(consolekit_t)
+-')
++userdom_home_reader(consolekit_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(consolekit_t)
++optional_policy(`
++ cron_read_system_job_lib_files(consolekit_t)
+ ')
+
+ optional_policy(`
+@@ -97,7 +102,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- hal_ptrace(consolekit_t)
++ networkmanager_append_log(consolekit_t)
+ ')
+
+ optional_policy(`
+@@ -108,9 +113,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- type consolekit_tmpfs_t;
+- files_tmpfs_file(consolekit_tmpfs_t)
++ shutdown_domtrans(consolekit_t)
++')
+
++optional_policy(`
+ xserver_read_xdm_pid(consolekit_t)
+ xserver_read_user_xauth(consolekit_t)
+ xserver_non_drawing_client(consolekit_t)
+@@ -126,6 +132,5 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- #reading .Xauthity
+ unconfined_stream_connect(consolekit_t)
+ ')
+diff --git a/corosync.fc b/corosync.fc
+index 3a6d7eb..1bb208a 100644
+--- a/corosync.fc
++++ b/corosync.fc
+@@ -1,12 +1,14 @@
+ /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+
+-/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
++/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
+
+-/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
++/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
++/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+ /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
+
+-/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
++/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:corosync_var_log_t,s0)
+
+ /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+ /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
++/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
+diff --git a/corosync.if b/corosync.if
+index 5220c9d..33df583 100644
+--- a/corosync.if
++++ b/corosync.if
+@@ -20,6 +20,43 @@ interface(`corosync_domtrans',`
+
+ #######################################
+ ##
++## Execute a domain transition to run corosync.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`corosync_initrc_domtrans',`
++ gen_require(`
++ type corosync_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
++')
++
++######################################
++##
++## Execute corosync in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corosync_exec',`
++ gen_require(`
++ type corosync_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, corosync_exec_t)
++')
++
++#######################################
++##
+ ## Allow the specified domain to read corosync's log files.
+ ##
+ ##
+@@ -52,14 +89,58 @@ interface(`corosync_read_log',`
+ interface(`corosync_stream_connect',`
+ gen_require(`
+ type corosync_t, corosync_var_run_t;
++ type corosync_var_lib_t;
+ ')
+
+ files_search_pids($1)
++ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
+ stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
+ ')
+
+ ######################################
+ ##
++## Allow the specified domain to read/write corosync's tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corosync_rw_tmpfs',`
++ gen_require(`
++ type corosync_tmpfs_t;
++ ')
++
++ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
++
++')
++
++########################################
++##
++## Execute corosync server in the corosync domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`corosync_systemctl',`
++ gen_require(`
++ type corosync_t;
++ type corosync_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 corosync_unit_file_t:file read_file_perms;
++ allow $1 corosync_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, corosync_t)
++')
++
++######################################
++##
+ ## All of the rules required to administrate
+ ## an corosync environment
+ ##
+@@ -80,11 +161,16 @@ interface(`corosyncd_admin',`
+ type corosync_t, corosync_var_lib_t, corosync_var_log_t;
+ type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
+ type corosync_initrc_exec_t;
++ type corosync_unit_file_t;
+ ')
+
+- allow $1 corosync_t:process { ptrace signal_perms };
++ allow $1 corosync_t:process signal_perms;
+ ps_process_pattern($1, corosync_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 corosync_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 corosync_initrc_exec_t system_r;
+@@ -103,4 +189,8 @@ interface(`corosyncd_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, corosync_var_run_t)
++
++ corosync_systemctl($1)
++ admin_pattern($1, corosync_unit_file_t)
++ allow $1 corosync_unit_file_t:service all_service_perms;
+ ')
+diff --git a/corosync.te b/corosync.te
+index 04969e5..1d60d9f 100644
+--- a/corosync.te
++++ b/corosync.te
+@@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0)
+ type corosync_t;
+ type corosync_exec_t;
+ init_daemon_domain(corosync_t, corosync_exec_t)
++domain_obj_id_change_exemption(corosync_t)
+
+ type corosync_initrc_exec_t;
+ init_script_file(corosync_initrc_exec_t)
+@@ -27,23 +28,32 @@ logging_log_file(corosync_var_log_t)
+ type corosync_var_run_t;
+ files_pid_file(corosync_var_run_t)
+
++type corosync_unit_file_t;
++systemd_unit_file(corosync_unit_file_t)
++
+ ########################################
+ #
+ # corosync local policy
+ #
+
+-allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
+-allow corosync_t self:process { setrlimit setsched signal };
++allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
++# for hearbeat
++allow corosync_t self:capability { net_raw chown };
++allow corosync_t self:process { setpgid setrlimit setsched signal signull };
+
+ allow corosync_t self:fifo_file rw_fifo_file_perms;
+ allow corosync_t self:sem create_sem_perms;
++allow corosync_t self:shm create_shm_perms;
+ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow corosync_t self:unix_dgram_socket create_socket_perms;
++allow corosync_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow corosync_t self:udp_socket create_socket_perms;
+
++can_exec(corosync_t, corosync_exec_t)
++
+ manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+ manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+ files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
++allow corosync_t corosync_tmp_t:file { relabelfrom relabelto };
+
+ manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+ manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+@@ -52,7 +62,8 @@ fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file })
+ manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+ manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+ manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+-files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file })
++manage_fifo_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t)
++files_var_lib_filetrans(corosync_t,corosync_var_lib_t, { file dir fifo_file sock_file })
+
+ manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+ manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+@@ -60,44 +71,96 @@ logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
+
+ manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+-files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
++manage_dirs_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t)
++files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file dir })
+
+ kernel_read_system_state(corosync_t)
++kernel_read_network_state(corosync_t)
++kernel_read_all_sysctls(corosync_t)
+
+ corecmd_exec_bin(corosync_t)
++corecmd_exec_shell(corosync_t)
+
+ corenet_udp_bind_netsupport_port(corosync_t)
++corenet_tcp_connect_saphostctrl_port(corosync_t)
+
+ dev_read_urand(corosync_t)
++dev_read_sysfs(corosync_t)
+
+ domain_read_all_domains_state(corosync_t)
+
+ files_manage_mounttab(corosync_t)
++files_read_usr_files(corosync_t)
+
+ auth_use_nsswitch(corosync_t)
+
++init_domtrans_script(corosync_t)
+ init_read_script_state(corosync_t)
+ init_rw_script_tmp_files(corosync_t)
+
+ logging_send_syslog_msg(corosync_t)
+
+-miscfiles_read_localization(corosync_t)
+-
++userdom_read_user_tmp_files(corosync_t)
++userdom_delete_user_tmpfs_files(corosync_t)
+ userdom_rw_user_tmpfs_files(corosync_t)
+
+ optional_policy(`
++ fs_manage_tmpfs_files(corosync_t)
++ init_manage_script_status_files(corosync_t)
++')
++
++optional_policy(`
+ ccs_read_config(corosync_t)
+ ')
+
+ optional_policy(`
+- # to communication with RHCS
+- rhcs_rw_dlm_controld_semaphores(corosync_t)
++ cmirrord_rw_shm(corosync_t)
++')
+
+- rhcs_rw_fenced_semaphores(corosync_t)
++optional_policy(`
++ consoletype_exec(corosync_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(corosync_t)
++')
+
+- rhcs_rw_gfs_controld_semaphores(corosync_t)
++optional_policy(`
++ drbd_domtrans(corosync_t)
+ ')
+
+ optional_policy(`
++ lvm_rw_clvmd_tmpfs_files(corosync_t)
++ lvm_delete_clvmd_tmpfs_files(corosync_t)
++')
++
++optional_policy(`
++ qpidd_rw_shm(corosync_t)
++')
++
++optional_policy(`
++ rhcs_getattr_fenced(corosync_t)
++ # to communication with RHCS
++ rhcs_rw_cluster_shm(corosync_t)
++ rhcs_rw_cluster_semaphores(corosync_t)
++ rhcs_stream_connect_cluster(corosync_t)
++ rhcs_read_cluster_lib_files(corosync_t)
++ rhcs_manage_cluster_lib_files(corosync_t)
++ rhcs_relabel_cluster_lib_files(corosync_t)
++')
++
++optional_policy(`
++ # should be removed in F19
++ # workaround because we switch hearbeat from corosync to rgmanager
++ rgmanager_manage_files(corosync_t)
++
+ rgmanager_manage_tmpfs_files(corosync_t)
+ ')
++
++optional_policy(`
++ rpc_search_nfs_state_data(corosync_t)
++')
++
++optional_policy(`
++ wdmd_rw_tmpfs(corosync_t)
++')
+diff --git a/couchdb.fc b/couchdb.fc
+new file mode 100644
+index 0000000..196461b
+--- /dev/null
++++ b/couchdb.fc
+@@ -0,0 +1,11 @@
++/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_etc_t,s0)
++
++/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
++
++/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0)
++
++/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
++
++/var/log/couchdb(/.*)? gen_context(system_u:object_r:couchdb_log_t,s0)
++
++/var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0)
+diff --git a/couchdb.if b/couchdb.if
+new file mode 100644
+index 0000000..3e17383
+--- /dev/null
++++ b/couchdb.if
+@@ -0,0 +1,244 @@
++
++## policy for couchdb
++
++########################################
++##
++## Transition to couchdb.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`couchdb_domtrans',`
++ gen_require(`
++ type couchdb_t, couchdb_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, couchdb_exec_t, couchdb_t)
++')
++########################################
++##
++## Read couchdb's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`couchdb_read_log',`
++ gen_require(`
++ type couchdb_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, couchdb_log_t, couchdb_log_t)
++')
++
++########################################
++##
++## Append to couchdb log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_append_log',`
++ gen_require(`
++ type couchdb_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, couchdb_log_t, couchdb_log_t)
++')
++
++########################################
++##
++## Manage couchdb log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_manage_log',`
++ gen_require(`
++ type couchdb_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, couchdb_log_t, couchdb_log_t)
++ manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
++ manage_lnk_files_pattern($1, couchdb_log_t, couchdb_log_t)
++')
++
++########################################
++##
++## Search couchdb lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_search_lib',`
++ gen_require(`
++ type couchdb_var_lib_t;
++ ')
++
++ allow $1 couchdb_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read couchdb lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_read_lib_files',`
++ gen_require(`
++ type couchdb_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++')
++
++########################################
++##
++## Manage couchdb lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_manage_lib_files',`
++ gen_require(`
++ type couchdb_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++')
++
++########################################
++##
++## Manage couchdb lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_manage_lib_dirs',`
++ gen_require(`
++ type couchdb_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++')
++
++########################################
++##
++## Read couchdb PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`couchdb_read_pid_files',`
++ gen_require(`
++ type couchdb_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 couchdb_var_run_t:file read_file_perms;
++')
++
++########################################
++##
++## Execute couchdb server in the couchdb domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`couchdb_systemctl',`
++ gen_require(`
++ type couchdb_t;
++ type couchdb_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 couchdb_unit_file_t:file read_file_perms;
++ allow $1 couchdb_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, couchdb_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an couchdb environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`couchdb_admin',`
++ gen_require(`
++ type couchdb_t, couchdb_etc_t, couchdb_log_t;
++ type couchdb_var_lib_t, couchdb_var_run_t;
++ type couchdb_unit_file_t;
++ ')
++
++ allow $1 couchdb_t:process { ptrace signal_perms };
++ ps_process_pattern($1, couchdb_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, couchdb_log_t)
++
++ files_search_etc($1)
++ admin_pattern($1, couchdb_etc_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, couchdb_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, couchdb_var_run_t)
++
++ admin_pattern($1, couchdb_unit_file_t)
++ couchdb_systemctl($1)
++ allow $1 couchdb_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/couchdb.te b/couchdb.te
+new file mode 100644
+index 0000000..4b0535f
+--- /dev/null
++++ b/couchdb.te
+@@ -0,0 +1,83 @@
++policy_module(couchdb, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type couchdb_t;
++type couchdb_exec_t;
++init_daemon_domain(couchdb_t, couchdb_exec_t)
++
++type couchdb_etc_t;
++files_config_file(couchdb_etc_t)
++
++type couchdb_tmp_t;
++files_tmp_file(couchdb_tmp_t)
++
++type couchdb_log_t;
++logging_log_file(couchdb_log_t)
++
++type couchdb_var_lib_t;
++files_type(couchdb_var_lib_t)
++
++type couchdb_var_run_t;
++files_pid_file(couchdb_var_run_t)
++
++type couchdb_unit_file_t;
++systemd_unit_file(couchdb_unit_file_t)
++
++########################################
++#
++# couchdb local policy
++#
++allow couchdb_t self:process { setsched signal signull sigkill };
++allow couchdb_t self:fifo_file rw_fifo_file_perms;
++allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
++allow couchdb_t self:tcp_socket create_stream_socket_perms;
++allow couchdb_t self:udp_socket create_socket_perms;
++
++allow couchdb_t couchdb_etc_t:dir list_dir_perms;
++read_files_pattern(couchdb_t, couchdb_etc_t, couchdb_etc_t)
++
++manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
++manage_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
++logging_log_filetrans(couchdb_t, couchdb_log_t, { dir file })
++
++manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
++manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
++files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })
++
++manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
++manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
++files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, { dir file })
++
++manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
++manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
++files_pid_filetrans(couchdb_t, couchdb_var_run_t, { dir file })
++
++can_exec(couchdb_t, couchdb_exec_t)
++
++kernel_read_system_state(couchdb_t)
++
++corecmd_exec_bin(couchdb_t)
++corecmd_exec_shell(couchdb_t)
++
++corenet_tcp_bind_generic_node(couchdb_t)
++corenet_udp_bind_generic_node(couchdb_t)
++corenet_tcp_bind_couchdb_port(couchdb_t)
++
++dev_list_sysfs(couchdb_t)
++dev_read_sysfs(couchdb_t)
++dev_read_urand(couchdb_t)
++
++domain_use_interactive_fds(couchdb_t)
++
++files_read_usr_files(couchdb_t)
++
++fs_getattr_xattr_fs(couchdb_t)
++
++auth_use_nsswitch(couchdb_t)
++
++libs_exec_lib_files(couchdb_t)
++
+diff --git a/courier.fc b/courier.fc
+index 47dfa07..1beadbd 100644
+--- a/courier.fc
++++ b/courier.fc
+@@ -8,15 +8,15 @@
+ /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+
+-/usr/lib/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+-/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
+-/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+-/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+-/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+-/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+-/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
++/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
++/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
++/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+-/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
++/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+
+ ifdef(`distro_gentoo',`
+ /usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+diff --git a/courier.if b/courier.if
+index 9971337..4078c26 100644
+--- a/courier.if
++++ b/courier.if
+@@ -50,7 +50,6 @@ template(`courier_domain_template',`
+
+ corecmd_exec_bin(courier_$1_t)
+
+- corenet_all_recvfrom_unlabeled(courier_$1_t)
+ corenet_all_recvfrom_netlabel(courier_$1_t)
+ corenet_tcp_sendrecv_generic_if(courier_$1_t)
+ corenet_udp_sendrecv_generic_if(courier_$1_t)
+@@ -90,7 +89,7 @@ template(`courier_domain_template',`
+ ## Execute the courier authentication daemon with
+ ## a domain transition.
+ ##
+-##
++##
+ ##
+ ## Domain allowed to transition.
+ ##
+@@ -104,12 +103,31 @@ interface(`courier_domtrans_authdaemon',`
+ domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
+ ')
+
++#######################################
++##
++## Connect to courier-authdaemon over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`courier_stream_connect_authdaemon',`
++ gen_require(`
++ type courier_authdaemon_t, courier_spool_t;
++ ')
++
++ files_search_spool($1)
++ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
++')
++
+ ########################################
+ ##
+ ## Execute the courier POP3 and IMAP server with
+ ## a domain transition.
+ ##
+-##
++##
+ ##
+ ## Domain allowed to transition.
+ ##
+@@ -127,7 +145,7 @@ interface(`courier_domtrans_pop',`
+ ##
+ ## Read courier config files
+ ##
+-##
++##
+ ##
+ ## Domain allowed access.
+ ##
+@@ -138,6 +156,7 @@ interface(`courier_read_config',`
+ type courier_etc_t;
+ ')
+
++ files_search_etc($1)
+ read_files_pattern($1, courier_etc_t, courier_etc_t)
+ ')
+
+@@ -146,7 +165,7 @@ interface(`courier_read_config',`
+ ## Create, read, write, and delete courier
+ ## spool directories.
+ ##
+-##
++##
+ ##
+ ## Domain allowed access.
+ ##
+@@ -157,6 +176,7 @@ interface(`courier_manage_spool_dirs',`
+ type courier_spool_t;
+ ')
+
++ files_search_spool($1)
+ manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+@@ -165,7 +185,7 @@ interface(`courier_manage_spool_dirs',`
+ ## Create, read, write, and delete courier
+ ## spool files.
+ ##
+-##
++##
+ ##
+ ## Domain allowed access.
+ ##
+@@ -176,6 +196,7 @@ interface(`courier_manage_spool_files',`
+ type courier_spool_t;
+ ')
+
++ files_search_spool($1)
+ manage_files_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+@@ -183,7 +204,7 @@ interface(`courier_manage_spool_files',`
+ ##
+ ## Read courier spool files.
+ ##
+-##
++##
+ ##
+ ## Domain allowed access.
+ ##
+@@ -194,6 +215,7 @@ interface(`courier_read_spool',`
+ type courier_spool_t;
+ ')
+
++ files_search_spool($1)
+ read_files_pattern($1, courier_spool_t, courier_spool_t)
+ ')
+
+diff --git a/courier.te b/courier.te
+index d034450..820c10b 100644
+--- a/courier.te
++++ b/courier.te
+@@ -15,7 +15,7 @@ courier_domain_template(pcp)
+ courier_domain_template(pop)
+
+ type courier_spool_t;
+-files_type(courier_spool_t)
++files_spool_file(courier_spool_t)
+
+ courier_domain_template(tcpd)
+
+@@ -68,7 +68,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
+
+ libs_read_lib_files(courier_authdaemon_t)
+
+-miscfiles_read_localization(courier_authdaemon_t)
+
+ # should not be needed!
+ userdom_search_user_home_dirs(courier_authdaemon_t)
+@@ -95,9 +94,8 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
+ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+
+ # inherits file handle - should it?
+-allow courier_pop_t courier_var_lib_t:file { read write };
++allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
+
+-miscfiles_read_localization(courier_pop_t)
+
+ courier_domtrans_authdaemon(courier_pop_t)
+
+@@ -132,7 +130,6 @@ corenet_sendrecv_pop_server_packets(courier_tcpd_t)
+ dev_read_rand(courier_tcpd_t)
+ dev_read_urand(courier_tcpd_t)
+
+-miscfiles_read_localization(courier_tcpd_t)
+
+ courier_domtrans_pop(courier_tcpd_t)
+
+diff --git a/cpucontrol.fc b/cpucontrol.fc
+index 789c8c7..d1723f5 100644
+--- a/cpucontrol.fc
++++ b/cpucontrol.fc
+@@ -3,6 +3,7 @@
+
+ /sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+
++/usr/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+ /usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+ /usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+ /usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+diff --git a/cpucontrol.te b/cpucontrol.te
+index 13d2f63..1a00094 100644
+--- a/cpucontrol.te
++++ b/cpucontrol.te
+@@ -10,7 +10,7 @@ type cpucontrol_exec_t;
+ init_system_domain(cpucontrol_t, cpucontrol_exec_t)
+
+ type cpucontrol_conf_t;
+-files_type(cpucontrol_conf_t)
++files_config_file(cpucontrol_conf_t)
+
+ type cpuspeed_t;
+ type cpuspeed_exec_t;
+@@ -105,8 +105,6 @@ init_use_script_ptys(cpuspeed_t)
+
+ logging_send_syslog_msg(cpuspeed_t)
+
+-miscfiles_read_localization(cpuspeed_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t)
+
+ optional_policy(`
+diff --git a/cpufreqselector.te b/cpufreqselector.te
+index f77d58a..f3d98a9 100644
+--- a/cpufreqselector.te
++++ b/cpufreqselector.te
+@@ -14,9 +14,10 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
+ # cpufreq-selector local policy
+ #
+
+-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
++allow cpufreqselector_t self:capability sys_nice;
+ allow cpufreqselector_t self:process getsched;
+ allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
++allow cpufreqselector_t self:process getsched;
+
+ kernel_read_system_state(cpufreqselector_t)
+
+@@ -27,13 +28,15 @@ corecmd_search_bin(cpufreqselector_t)
+
+ dev_rw_sysfs(cpufreqselector_t)
+
+-miscfiles_read_localization(cpufreqselector_t)
++kernel_read_system_state(cpufreqselector_t)
++
+
+ userdom_read_all_users_state(cpufreqselector_t)
+-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
++userdom_dontaudit_search_admin_dir(cpufreqselector_t)
+
+ optional_policy(`
+ dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
++ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(cpufreqselector_t)
+@@ -53,3 +56,7 @@ optional_policy(`
+ policykit_read_lib(cpufreqselector_t)
+ policykit_read_reload(cpufreqselector_t)
+ ')
++
++optional_policy(`
++ xserver_dbus_chat_xdm(cpufreqselector_t)
++')
+diff --git a/cron.fc b/cron.fc
+index 3559a05..224142a 100644
+--- a/cron.fc
++++ b/cron.fc
+@@ -3,6 +3,9 @@
+ /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
++/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
++/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
++
+ /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+ /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+@@ -12,20 +15,34 @@
+ /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+ /usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
++/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
++
+ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
+
+ /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+
+-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
++/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
+ #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+ /var/spool/cron/[^/]* -- <>
+
++ifdef(`distro_gentoo',`
++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
++/var/spool/cron/lastrun/[^/]* -- <>
++')
++
++ifdef(`distro_suse', `
++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
++/var/spool/cron/lastrun/[^/]* -- <>
++/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
++')
++
+ /var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/cron/crontabs/.* -- <>
+ #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+@@ -36,8 +53,10 @@
+ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
++/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
++
+ ifdef(`distro_debian',`
+-/var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0)
++/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)
+
+ /var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/cron/atjobs/[^/]* -- <>
+diff --git a/cron.if b/cron.if
+index 6e12dc7..b006818 100644
+--- a/cron.if
++++ b/cron.if
+@@ -12,12 +12,17 @@
+ ##
+ #
+ template(`cron_common_crontab_template',`
++ gen_require(`
++ attribute crontab_domain;
++ type crontab_exec_t;
++ ')
++
+ ##############################
+ #
+ # Declarations
+ #
+
+- type $1_t;
++ type $1_t, crontab_domain;
+ userdom_user_application_domain($1_t, crontab_exec_t)
+
+ type $1_tmp_t;
+@@ -28,63 +33,19 @@ template(`cron_common_crontab_template',`
+ # Local policy
+ #
+
+- # dac_override is to create the file in the directory under /tmp
+- allow $1_t self:capability { fowner setuid setgid chown dac_override };
+- allow $1_t self:process { setsched signal_perms };
+- allow $1_t self:fifo_file rw_fifo_file_perms;
+-
+- allow $1_t $1_tmp_t:file manage_file_perms;
+- files_tmp_filetrans($1_t, $1_tmp_t, file)
+-
+- # create files in /var/spool/cron
+- manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+- filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
+- files_list_spool($1_t)
+-
+- # crontab signals crond by updating the mtime on the spooldir
+- allow $1_t cron_spool_t:dir setattr;
++ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+
+ kernel_read_system_state($1_t)
+
+- # for the checks used by crontab -u
+- selinux_dontaudit_search_fs($1_t)
+-
+- fs_getattr_xattr_fs($1_t)
+-
+- domain_use_interactive_fds($1_t)
+-
+- files_read_etc_files($1_t)
+- files_read_usr_files($1_t)
+- files_dontaudit_search_pids($1_t)
+-
+ auth_domtrans_chk_passwd($1_t)
++ auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
+- logging_send_audit_msgs($1_t)
+-
+- init_dontaudit_write_utmp($1_t)
+- init_read_utmp($1_t)
+-
+- miscfiles_read_localization($1_t)
+
+- seutil_read_config($1_t)
++ userdom_home_reader($1_t)
+
+- userdom_manage_user_tmp_dirs($1_t)
+- userdom_manage_user_tmp_files($1_t)
+- # Access terminals.
+- userdom_use_user_terminals($1_t)
+- # Read user crontabs
+- userdom_read_user_home_content_files($1_t)
+-
+- tunable_policy(`fcron_crond',`
+- # fcron wants an instant update of a crontab change for the administrator
+- # also crontab does a security check for crontab -u
+- dontaudit $1_t crond_t:process signal;
+- ')
+-
+- optional_policy(`
+- nscd_socket_use($1_t)
+- ')
+ ')
+
+ ########################################
+@@ -101,10 +62,12 @@ template(`cron_common_crontab_template',`
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`cron_role',`
+ gen_require(`
+ type cronjob_t, crontab_t, crontab_exec_t;
++ type user_cron_spool_t, crond_t;
+ ')
+
+ role $1 types { cronjob_t crontab_t };
+@@ -115,9 +78,20 @@ interface(`cron_role',`
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
+
++ allow crond_t $2:process transition;
++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
++ allow $2 crond_t:process sigchld;
++
++ # needs to be authorized SELinux context for cron
++ allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint };
++
+ # crontab shows up in user ps
+ ps_process_pattern($2, crontab_t)
+- allow $2 crontab_t:process signal;
++ allow $2 crontab_t:process signal_perms;
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 crontab_t:process ptrace;
++ ')
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(crontab_t, $2)
+@@ -150,29 +124,21 @@ interface(`cron_role',`
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`cron_unconfined_role',`
+ gen_require(`
+- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
++ type unconfined_cronjob_t;
+ ')
+
+- role $1 types { unconfined_cronjob_t crontab_t };
++ role $1 types unconfined_cronjob_t;
+
+ # cronjob shows up in user ps
+ ps_process_pattern($2, unconfined_cronjob_t)
+-
+- # Transition from the user domain to the derived domain.
+- domtrans_pattern($2, crontab_exec_t, crontab_t)
+-
+- # crontab shows up in user ps
+- ps_process_pattern($2, crontab_t)
+- allow $2 crontab_t:process signal;
+-
+- # Run helper programs as the user domain
+- #corecmd_bin_domtrans(crontab_t, $2)
+- #corecmd_shell_domtrans(crontab_t, $2)
+- corecmd_exec_bin(crontab_t)
+- corecmd_exec_shell(crontab_t)
++ allow $2 unconfined_cronjob_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 unconfined_cronjob_t:process ptrace;
++ ')
+
+ optional_policy(`
+ gen_require(`
+@@ -180,9 +146,8 @@ interface(`cron_unconfined_role',`
+ ')
+
+ dbus_stub(unconfined_cronjob_t)
+-
+ allow unconfined_cronjob_t $2:dbus send_msg;
+- ')
++ ')
+ ')
+
+ ########################################
+@@ -199,10 +164,12 @@ interface(`cron_unconfined_role',`
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`cron_admin_role',`
+ gen_require(`
+ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
++ type user_cron_spool_t, crond_t;
+ class passwd crontab;
+ ')
+
+@@ -219,7 +186,18 @@ interface(`cron_admin_role',`
+
+ # crontab shows up in user ps
+ ps_process_pattern($2, admin_crontab_t)
+- allow $2 admin_crontab_t:process signal;
++ allow $2 admin_crontab_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 admin_crontab_t:process ptrace;
++ ')
++
++ allow $2 crond_t:process sigchld;
++ allow crond_t $2:process transition;
++
++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
++
++ # needs to be authorized SELinux context for cron
++ allow $2 user_cron_spool_t:file entrypoint;
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(admin_crontab_t, $2)
+@@ -263,6 +241,9 @@ interface(`cron_system_entry',`
+ domtrans_pattern(crond_t, $2, $1)
+
+ role system_r types $1;
++
++ allow $1 crond_t:fifo_file rw_fifo_file_perms;
++ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -303,7 +284,7 @@ interface(`cron_exec',`
+
+ ########################################
+ ##
+-## Execute crond server in the nscd domain.
++## Execute crond server in the crond domain.
+ ##
+ ##
+ ##
+@@ -321,6 +302,29 @@ interface(`cron_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute crond server in the crond domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cron_systemctl',`
++ gen_require(`
++ type crond_unit_file_t;
++ type crond_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 crond_unit_file_t:file read_file_perms;
++ allow $1 crond_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, crond_t)
++')
++
++########################################
++##
+ ## Inherit and use a file descriptor
+ ## from the cron daemon.
+ ##
+@@ -358,6 +362,24 @@ interface(`cron_sigchld',`
+
+ ########################################
+ ##
++## Send a generic signal to cron daemon.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_signal',`
++ gen_require(`
++ type crond_t;
++ ')
++
++ allow $1 crond_t:process signal;
++')
++
++########################################
++##
+ ## Read a cron daemon unnamed pipe.
+ ##
+ ##
+@@ -376,6 +398,47 @@ interface(`cron_read_pipes',`
+
+ ########################################
+ ##
++## Read crond state files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_read_state_crond',`
++ gen_require(`
++ type crond_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, crond_t)
++')
++
++
++########################################
++##
++## Send and receive messages from
++## crond over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_dbus_chat_crond',`
++ gen_require(`
++ type crond_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 crond_t:dbus send_msg;
++ allow crond_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Do not audit attempts to write cron daemon unnamed pipes.
+ ##
+ ##
+@@ -407,7 +470,43 @@ interface(`cron_rw_pipes',`
+ type crond_t;
+ ')
+
+- allow $1 crond_t:fifo_file { getattr read write };
++ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
++## Read and write inherited user spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_rw_inherited_user_spool_files',`
++ gen_require(`
++ type user_cron_spool_t;
++ ')
++
++ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Read and write inherited spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_rw_inherited_spool_files',`
++ gen_require(`
++ type cron_spool_t;
++ ')
++
++ allow $1 cron_spool_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -467,6 +566,25 @@ interface(`cron_search_spool',`
+
+ ########################################
+ ##
++## Search the directory containing user cron tables.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_manage_system_spool',`
++ gen_require(`
++ type cron_system_spool_t;
++ ')
++
++ files_search_spool($1)
++ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
++')
++
++########################################
++##
+ ## Manage pid files used by cron
+ ##
+ ##
+@@ -480,6 +598,7 @@ interface(`cron_manage_pid_files',`
+ type crond_var_run_t;
+ ')
+
++ files_search_pids($1)
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+ ')
+
+@@ -535,7 +654,7 @@ interface(`cron_write_system_job_pipes',`
+ type system_cronjob_t;
+ ')
+
+- allow $1 system_cronjob_t:file write;
++ allow $1 system_cronjob_t:fifo_file write;
+ ')
+
+ ########################################
+@@ -553,7 +672,7 @@ interface(`cron_rw_system_job_pipes',`
+ type system_cronjob_t;
+ ')
+
+- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
++ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -586,11 +705,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+ #
+ interface(`cron_read_system_job_tmp_files',`
+ gen_require(`
+- type system_cronjob_tmp_t;
++ type system_cronjob_tmp_t, cron_var_run_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 system_cronjob_tmp_t:file read_file_perms;
++
++ files_search_pids($1)
++ allow $1 cron_var_run_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -626,7 +748,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+ interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
++ type cron_var_run_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
++ dontaudit $1 cron_var_run_t:file write_file_perms;
++')
++
++########################################
++##
++## Read temporary files from the system cron jobs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_read_system_job_lib_files',`
++ gen_require(`
++ type system_cronjob_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++')
++
++########################################
++##
++## Manage files from the system cron jobs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_manage_system_job_lib_files',`
++ gen_require(`
++ type system_cronjob_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+ ')
+diff --git a/cron.te b/cron.te
+index b357856..28ae123 100644
+--- a/cron.te
++++ b/cron.te
+@@ -1,4 +1,4 @@
+-policy_module(cron, 2.4.0)
++policy_module(cron, 2.2.1)
+
+ gen_require(`
+ class passwd rootok;
+@@ -10,35 +10,36 @@ gen_require(`
+ #
+
+ ##
+-##
+-## Allow system cron jobs to relabel filesystem
+-## for restoring file contexts.
+-##
++##
++## Allow system cron jobs to relabel filesystem
++## for restoring file contexts.
++##
+ ##
+ gen_tunable(cron_can_relabel, false)
+
+ ##
+-##
+-## Enable extra rules in the cron domain
+-## to support fcron.
+-##
++##
++## Enable extra rules in the cron domain
++## to support fcron.
++##
+ ##
+ gen_tunable(fcron_crond, false)
+
++attribute crontab_domain;
+ attribute cron_spool_type;
+
+ type anacron_exec_t;
+ application_executable_file(anacron_exec_t)
+
+ type cron_spool_t;
+-files_type(cron_spool_t)
++files_spool_file(cron_spool_t)
+
+ # var/lib files
+ type cron_var_lib_t;
+ files_type(cron_var_lib_t)
+
+ type cron_var_run_t;
+-files_type(cron_var_run_t)
++files_pid_file(cron_var_run_t)
+
+ # var/log files
+ type cron_log_t;
+@@ -61,11 +62,17 @@ domain_cron_exemption_source(crond_t)
+ type crond_initrc_exec_t;
+ init_script_file(crond_initrc_exec_t)
+
++type crond_unit_file_t;
++systemd_unit_file(crond_unit_file_t)
++
+ type crond_tmp_t;
+ files_tmp_file(crond_tmp_t)
++files_poly_parent(crond_tmp_t)
++mta_system_content(crond_tmp_t)
+
+ type crond_var_run_t;
+ files_pid_file(crond_var_run_t)
++mta_system_content(crond_var_run_t)
+
+ type crontab_exec_t;
+ application_executable_file(crontab_exec_t)
+@@ -79,14 +86,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
+ typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+ typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
+ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
++allow admin_crontab_t crond_t:process signal;
+
+ type system_cron_spool_t, cron_spool_type;
+-files_type(system_cron_spool_t)
++files_spool_file(system_cron_spool_t)
+
+ type system_cronjob_t alias system_crond_t;
+ init_daemon_domain(system_cronjob_t, anacron_exec_t)
+ corecmd_shell_entry_type(system_cronjob_t)
+ role system_r types system_cronjob_t;
++domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
+
+ type system_cronjob_lock_t alias system_crond_lock_t;
+ files_lock_file(system_cronjob_lock_t)
+@@ -94,10 +103,6 @@ files_lock_file(system_cronjob_lock_t)
+ type system_cronjob_tmp_t alias system_crond_tmp_t;
+ files_tmp_file(system_cronjob_tmp_t)
+
+-ifdef(`enable_mcs',`
+- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+-')
+-
+ type unconfined_cronjob_t;
+ domain_type(unconfined_cronjob_t)
+ domain_cron_exemption_target(unconfined_cronjob_t)
+@@ -106,8 +111,20 @@ domain_cron_exemption_target(unconfined_cronjob_t)
+ type user_cron_spool_t, cron_spool_type;
+ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
+ typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
+-files_type(user_cron_spool_t)
++files_spool_file(user_cron_spool_t)
+ ubac_constrained(user_cron_spool_t)
++mta_system_content(user_cron_spool_t)
++
++type system_cronjob_var_lib_t;
++files_type(system_cronjob_var_lib_t)
++typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
++
++type system_cronjob_var_run_t;
++files_pid_file(system_cronjob_var_run_t)
++
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
++')
+
+ ########################################
+ #
+@@ -115,7 +132,7 @@ ubac_constrained(user_cron_spool_t)
+ #
+
+ # Allow our crontab domain to unlink a user cron spool file.
+-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
++allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
+
+ # Manipulate other users crontab.
+ selinux_get_fs_mount(admin_crontab_t)
+@@ -125,7 +142,7 @@ selinux_compute_create_context(admin_crontab_t)
+ selinux_compute_relabel_context(admin_crontab_t)
+ selinux_compute_user_contexts(admin_crontab_t)
+
+-tunable_policy(`fcron_crond', `
++tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ allow admin_crontab_t self:process setfscreate;
+@@ -136,9 +153,9 @@ tunable_policy(`fcron_crond', `
+ # Cron daemon local policy
+ #
+
+-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
++allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
+ dontaudit crond_t self:capability { sys_resource sys_tty_config };
+-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+ allow crond_t self:process { setexec setfscreate };
+ allow crond_t self:fd use;
+ allow crond_t self:fifo_file rw_fifo_file_perms;
+@@ -151,6 +168,7 @@ allow crond_t self:sem create_sem_perms;
+ allow crond_t self:msgq create_msgq_perms;
+ allow crond_t self:msg { send receive };
+ allow crond_t self:key { search write link };
++dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
+
+ manage_files_pattern(crond_t, cron_log_t, cron_log_t)
+ logging_log_filetrans(crond_t, cron_log_t, file)
+@@ -187,27 +205,47 @@ fs_list_inotifyfs(crond_t)
+
+ # need auth_chkpwd to check for locked accounts.
+ auth_domtrans_chk_passwd(crond_t)
++auth_manage_var_auth(crond_t)
+
+ corecmd_exec_shell(crond_t)
+ corecmd_list_bin(crond_t)
++corecmd_exec_bin(crond_t)
+ corecmd_read_bin_symlinks(crond_t)
+
+ domain_use_interactive_fds(crond_t)
++domain_subj_id_change_exemption(crond_t)
++domain_role_change_exemption(crond_t)
+
+ files_read_usr_files(crond_t)
+ files_read_etc_runtime_files(crond_t)
+-files_read_etc_files(crond_t)
+ files_read_generic_spool(crond_t)
+ files_list_usr(crond_t)
+ # Read from /var/spool/cron.
+ files_search_var_lib(crond_t)
+ files_search_default(crond_t)
+
++fs_manage_cgroup_dirs(crond_t)
++fs_manage_cgroup_files(crond_t)
++
++# needed by "crontab -e"
++mls_file_read_all_levels(crond_t)
++mls_file_write_all_levels(crond_t)
++
++# needed because of kernel check of transition
++mls_process_set_level(crond_t)
++
++# to make cronjob working
++mls_fd_share_all_levels(crond_t)
++mls_trusted_object(crond_t)
++
++init_read_state(crond_t)
+ init_rw_utmp(crond_t)
+ init_spec_domtrans_script(crond_t)
+
++auth_manage_var_auth(crond_t)
+ auth_use_nsswitch(crond_t)
+
++logging_send_audit_msgs(crond_t)
+ logging_send_syslog_msg(crond_t)
+ logging_set_loginuid(crond_t)
+
+@@ -215,25 +253,27 @@ seutil_read_config(crond_t)
+ seutil_read_default_contexts(crond_t)
+ seutil_sigchld_newrole(crond_t)
+
+-miscfiles_read_localization(crond_t)
+
+ userdom_use_unpriv_users_fds(crond_t)
+ # Not sure why this is needed
+ userdom_list_user_home_dirs(crond_t)
++userdom_list_admin_dir(crond_t)
++userdom_manage_all_users_keys(crond_t)
+
+ mta_send_mail(crond_t)
++mta_system_content(cron_spool_t)
+
+ ifdef(`distro_debian',`
+ # pam_limits is used
+ allow crond_t self:process setrlimit;
+
+- optional_policy(`
+- # Debian logcheck has the home dir set to its cache
+- logwatch_search_cache_dir(crond_t)
+- ')
+ ')
+
+-ifdef(`distro_redhat', `
++optional_policy(`
++ logwatch_search_cache_dir(crond_t)
++')
++
++ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
+ optional_policy(`
+@@ -241,7 +281,7 @@ ifdef(`distro_redhat', `
+ ')
+ ')
+
+-tunable_policy(`allow_polyinstantiation',`
++tunable_policy(`polyinstantiation_enabled',`
+ files_polyinstantiate_all(crond_t)
+ ')
+
+@@ -250,11 +290,27 @@ tunable_policy(`fcron_crond', `
+ ')
+
+ optional_policy(`
++ apache_search_sys_content(crond_t)
++')
++
++optional_policy(`
++ djbdns_search_tinydns_keys(crond_t)
++ djbdns_link_tinydns_keys(crond_t)
++')
++
++optional_policy(`
+ locallogin_search_keys(crond_t)
+ locallogin_link_keys(crond_t)
+ ')
+
+ optional_policy(`
++ # these should probably be unconfined_crond_t
++ dbus_system_bus_client(crond_t)
++ init_dbus_send_script(crond_t)
++ init_dbus_chat(crond_t)
++')
++
++optional_policy(`
+ amanda_search_var_lib(crond_t)
+ ')
+
+@@ -264,6 +320,8 @@ optional_policy(`
+
+ optional_policy(`
+ hal_dbus_chat(crond_t)
++ hal_write_log(crond_t)
++ hal_dbus_chat(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -286,15 +344,25 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_use_fds_logind(crond_t)
++ systemd_write_inherited_logind_sessions_pipes(crond_t)
++')
++
++optional_policy(`
+ udev_read_db(crond_t)
+ ')
+
++optional_policy(`
++ vnstatd_search_lib(crond_t)
++')
++
+ ########################################
+ #
+ # System cron process domain
+ #
+
+ allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
++
+ allow system_cronjob_t self:process { signal_perms getsched setsched };
+ allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
+ allow system_cronjob_t self:passwd rootok;
+@@ -306,10 +374,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+
+ # This is to handle /var/lib/misc directory. Used currently
+ # by prelink var/lib files for cron
+-allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
++allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
+ files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+
++allow system_cronjob_t cron_var_run_t:file manage_file_perms;
++files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
++
+ allow system_cronjob_t system_cron_spool_t:file read_file_perms;
++
++mls_file_read_to_clearance(system_cronjob_t)
++
++# anacron forces the following
++manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
++
+ # The entrypoint interface is not used as this is not
+ # a regular entrypoint. Since crontab files are
+ # not directly executed, crond must ensure that
+@@ -329,6 +406,7 @@ allow crond_t system_cronjob_t:fd use;
+ allow system_cronjob_t crond_t:fd use;
+ allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+ allow system_cronjob_t crond_t:process sigchld;
++allow crond_t system_cronjob_t:key manage_key_perms;
+
+ # Write /var/lock/makewhatis.lock.
+ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
+@@ -340,11 +418,16 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
+ files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+
++# var/lib files for system_crond
++files_search_var_lib(system_cronjob_t)
++manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++
+ # Read from /var/spool/cron.
+ allow system_cronjob_t cron_spool_t:dir list_dir_perms;
+-allow system_cronjob_t cron_spool_t:file read_file_perms;
++allow system_cronjob_t cron_spool_t:file rw_file_perms;
+
+ kernel_read_kernel_sysctls(system_cronjob_t)
++kernel_read_network_state(system_cronjob_t)
+ kernel_read_system_state(system_cronjob_t)
+ kernel_read_software_raid_state(system_cronjob_t)
+
+@@ -353,7 +436,6 @@ files_dontaudit_search_boot(system_cronjob_t)
+
+ corecmd_exec_all_executables(system_cronjob_t)
+
+-corenet_all_recvfrom_unlabeled(system_cronjob_t)
+ corenet_all_recvfrom_netlabel(system_cronjob_t)
+ corenet_tcp_sendrecv_generic_if(system_cronjob_t)
+ corenet_udp_sendrecv_generic_if(system_cronjob_t)
+@@ -365,6 +447,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+ dev_getattr_all_blk_files(system_cronjob_t)
+ dev_getattr_all_chr_files(system_cronjob_t)
+ dev_read_urand(system_cronjob_t)
++dev_read_sysfs(system_cronjob_t)
+
+ fs_getattr_all_fs(system_cronjob_t)
+ fs_getattr_all_files(system_cronjob_t)
+@@ -376,7 +459,6 @@ fs_getattr_all_sockets(system_cronjob_t)
+ domain_dontaudit_read_all_domains_state(system_cronjob_t)
+
+ files_exec_etc_files(system_cronjob_t)
+-files_read_etc_files(system_cronjob_t)
+ files_read_etc_runtime_files(system_cronjob_t)
+ files_list_all(system_cronjob_t)
+ files_getattr_all_dirs(system_cronjob_t)
+@@ -391,6 +473,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+ # Access other spool directories like
+ # /var/spool/anacron and /var/spool/slrnpull.
+ files_manage_generic_spool(system_cronjob_t)
++files_create_boot_flag(system_cronjob_t)
+
+ init_use_script_fds(system_cronjob_t)
+ init_read_utmp(system_cronjob_t)
+@@ -408,23 +491,23 @@ logging_read_generic_logs(system_cronjob_t)
+ logging_send_audit_msgs(system_cronjob_t)
+ logging_send_syslog_msg(system_cronjob_t)
+
+-miscfiles_read_localization(system_cronjob_t)
+-miscfiles_manage_man_pages(system_cronjob_t)
+-
+ seutil_read_config(system_cronjob_t)
+
+-ifdef(`distro_redhat', `
++ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
++ allow crond_t system_cron_spool_t:file manage_file_perms;
++
+ # via redirection of standard out.
+ optional_policy(`
+ rpm_manage_log(system_cronjob_t)
+ ')
+ ')
+
++selinux_get_fs_mount(system_cronjob_t)
++
+ tunable_policy(`cron_can_relabel',`
+ seutil_domtrans_setfiles(system_cronjob_t)
+ ',`
+- selinux_get_fs_mount(system_cronjob_t)
+ selinux_validate_context(system_cronjob_t)
+ selinux_compute_access_vector(system_cronjob_t)
+ selinux_compute_create_context(system_cronjob_t)
+@@ -439,6 +522,12 @@ optional_policy(`
+ apache_read_config(system_cronjob_t)
+ apache_read_log(system_cronjob_t)
+ apache_read_sys_content(system_cronjob_t)
++ apache_delete_cache_dirs(system_cronjob_t)
++ apache_delete_cache_files(system_cronjob_t)
++')
++
++optional_policy(`
++ bind_read_config(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -446,6 +535,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dbus_system_bus_client(system_cronjob_t)
++')
++
++optional_policy(`
++ exim_read_spool_files(system_cronjob_t)
++')
++
++optional_policy(`
+ ftp_read_log(system_cronjob_t)
+ ')
+
+@@ -456,6 +553,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ livecd_read_tmp_files(system_cronjob_t)
++')
++
++optional_policy(`
+ lpd_list_spool(system_cronjob_t)
+ ')
+
+@@ -464,7 +565,9 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mta_read_config(system_cronjob_t)
+ mta_send_mail(system_cronjob_t)
++ mta_system_content(system_cron_spool_t)
+ ')
+
+ optional_policy(`
+@@ -472,6 +575,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ networkmanager_dbus_chat(system_cronjob_t)
++')
++
++optional_policy(`
+ postfix_read_config(system_cronjob_t)
+ ')
+
+@@ -480,7 +587,7 @@ optional_policy(`
+ prelink_manage_lib(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_read_cache(system_cronjob_t)
+- prelink_relabelfrom_lib(system_cronjob_t)
++ prelink_relabel_lib(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -495,6 +602,7 @@ optional_policy(`
+
+ optional_policy(`
+ spamassassin_manage_lib_files(system_cronjob_t)
++ spamassassin_manage_home_client(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -502,7 +610,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_dbus_chat_logind(system_cronjob_t)
++ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
++')
++
++optional_policy(`
++ unconfined_domain(crond_t)
+ unconfined_domain(system_cronjob_t)
++')
++
++optional_policy(`
++ unconfined_shell_domtrans(crond_t)
++ unconfined_dbus_send(crond_t)
+ userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+ ')
+
+@@ -542,7 +661,6 @@ kernel_read_kernel_sysctls(cronjob_t)
+ # ps does not need to access /boot when run from cron
+ files_dontaudit_search_boot(cronjob_t)
+
+-corenet_all_recvfrom_unlabeled(cronjob_t)
+ corenet_all_recvfrom_netlabel(cronjob_t)
+ corenet_tcp_sendrecv_generic_if(cronjob_t)
+ corenet_udp_sendrecv_generic_if(cronjob_t)
+@@ -579,7 +697,6 @@ logging_search_logs(cronjob_t)
+
+ seutil_read_config(cronjob_t)
+
+-miscfiles_read_localization(cronjob_t)
+
+ userdom_manage_user_tmp_files(cronjob_t)
+ userdom_manage_user_tmp_symlinks(cronjob_t)
+@@ -595,9 +712,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+ #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+
+ list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
+
+-tunable_policy(`fcron_crond', `
++tunable_policy(`fcron_crond',`
+ allow crond_t user_cron_spool_t:file manage_file_perms;
+ ')
+
+@@ -626,3 +746,74 @@ optional_policy(`
+
+ unconfined_domain(unconfined_cronjob_t)
+ ')
++
++##############################
++#
++# crontab common policy
++#
++
++# dac_override is to create the file in the directory under /tmp
++allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
++allow crontab_domain self:process { getcap setsched signal_perms };
++allow crontab_domain self:fifo_file rw_fifo_file_perms;
++
++allow crontab_domain crond_t:process signal;
++allow crontab_domain crond_var_run_t:file read_file_perms;
++
++# create files in /var/spool/cron
++manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
++filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
++files_list_spool(crontab_domain)
++
++# crontab signals crond by updating the mtime on the spooldir
++allow crontab_domain cron_spool_t:dir setattr_dir_perms;
++
++# for the checks used by crontab -u
++selinux_dontaudit_search_fs(crontab_domain)
++
++fs_getattr_xattr_fs(crontab_domain)
++fs_manage_cgroup_dirs(crontab_domain)
++fs_manage_cgroup_files(crontab_domain)
++
++domain_use_interactive_fds(crontab_domain)
++
++files_read_etc_files(crontab_domain)
++files_read_usr_files(crontab_domain)
++files_dontaudit_search_pids(crontab_domain)
++
++fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
++
++auth_rw_var_auth(crontab_domain)
++
++logging_send_audit_msgs(crontab_domain)
++logging_set_loginuid(crontab_domain)
++
++init_dontaudit_write_utmp(crontab_domain)
++init_read_utmp(crontab_domain)
++init_read_state(crontab_domain)
++
++
++seutil_read_config(crontab_domain)
++
++userdom_manage_user_tmp_dirs(crontab_domain)
++userdom_manage_user_tmp_files(crontab_domain)
++# Access terminals.
++userdom_use_inherited_user_terminals(crontab_domain)
++# Read user crontabs
++userdom_read_user_home_content_files(crontab_domain)
++userdom_read_user_home_content_symlinks(crontab_domain)
++
++tunable_policy(`fcron_crond',`
++ # fcron wants an instant update of a crontab change for the administrator
++ # also crontab does a security check for crontab -u
++ dontaudit crontab_domain crond_t:process signal;
++')
++
++optional_policy(`
++ ssh_dontaudit_use_ptys(crontab_domain)
++')
++
++optional_policy(`
++ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
++ openshift_transition(system_cronjob_t)
++')
+diff --git a/ctdbd.fc b/ctdbd.fc
+new file mode 100644
+index 0000000..255568d
+--- /dev/null
++++ b/ctdbd.fc
+@@ -0,0 +1,19 @@
++
++/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
++
++/etc/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
++
++/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
++
++/var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
++/var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
++
++/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0)
++
++/var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
++
++
++/var/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
++/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
++/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
++
+diff --git a/ctdbd.if b/ctdbd.if
+new file mode 100644
+index 0000000..4f7d237
+--- /dev/null
++++ b/ctdbd.if
+@@ -0,0 +1,259 @@
++
++## policy for ctdbd
++
++########################################
++##
++## Transition to ctdbd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ctdbd_domtrans',`
++ gen_require(`
++ type ctdbd_t, ctdbd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
++')
++
++########################################
++##
++## Execute ctdbd server in the ctdbd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ctdbd_initrc_domtrans',`
++ gen_require(`
++ type ctdbd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
++')
++
++########################################
++##
++## Read ctdbd's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`ctdbd_read_log',`
++ gen_require(`
++ type ctdbd_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
++')
++
++########################################
++##
++## Append to ctdbd log files.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ctdbd_append_log',`
++ gen_require(`
++ type ctdbd_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
++')
++
++########################################
++##
++## Manage ctdbd log files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`ctdbd_manage_log',`
++ gen_require(`
++ type ctdbd_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
++ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
++ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
++')
++
++########################################
++##
++## Search ctdbd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ctdbd_search_lib',`
++ gen_require(`
++ type ctdbd_var_lib_t;
++ ')
++
++ allow $1 ctdbd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read ctdbd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ctdbd_read_lib_files',`
++ gen_require(`
++ type ctdbd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
++')
++
++########################################
++##
++## Manage ctdbd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ctdbd_manage_lib_files',`
++ gen_require(`
++ type ctdbd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
++')
++
++########################################
++##
++## Manage ctdbd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ctdbd_manage_lib_dirs',`
++ gen_require(`
++ type ctdbd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
++')
++
++########################################
++##
++## Read ctdbd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ctdbd_read_pid_files',`
++ gen_require(`
++ type ctdbd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 ctdbd_var_run_t:file read_file_perms;
++')
++
++#######################################
++##
++## Connect to ctdbd over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ctdbd_stream_connect',`
++ gen_require(`
++ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
++ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an ctdbd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`ctdbd_admin',`
++ gen_require(`
++ type ctdbd_t, ctdbd_initrc_exec_t;
++ type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
++ ')
++
++ allow $1 ctdbd_t:process signal_perms;
++ ps_process_pattern($1, ctdbd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ctdbd_t:process ptrace;
++ ')
++
++ ctdbd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 ctdbd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_search_logs($1)
++ admin_pattern($1, ctdbd_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, ctdbd_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, ctdbd_var_run_t)
++')
++
+diff --git a/ctdbd.te b/ctdbd.te
+new file mode 100644
+index 0000000..33656de
+--- /dev/null
++++ b/ctdbd.te
+@@ -0,0 +1,114 @@
++policy_module(ctdbd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ctdbd_t;
++type ctdbd_exec_t;
++init_daemon_domain(ctdbd_t, ctdbd_exec_t)
++
++type ctdbd_initrc_exec_t;
++init_script_file(ctdbd_initrc_exec_t)
++
++type ctdbd_log_t;
++logging_log_file(ctdbd_log_t)
++
++type ctdbd_spool_t;
++files_type(ctdbd_spool_t)
++#files_spool_file(ctdbd_spool_t)
++
++type ctdbd_tmp_t;
++files_tmp_file(ctdbd_tmp_t)
++
++type ctdbd_var_lib_t;
++files_type(ctdbd_var_lib_t)
++
++type ctdbd_var_run_t;
++files_pid_file(ctdbd_var_run_t)
++
++########################################
++#
++# ctdbd local policy
++#
++
++allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
++allow ctdbd_t self:process { setpgid signal_perms setsched };
++
++allow ctdbd_t self:fifo_file rw_fifo_file_perms;
++allow ctdbd_t self:unix_stream_socket { connectto create_stream_socket_perms };
++allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
++allow ctdbd_t self:packet_socket create_socket_perms;
++allow ctdbd_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
++manage_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
++logging_log_filetrans(ctdbd_t, ctdbd_log_t, { dir file } )
++
++manage_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
++manage_sock_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
++files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, { file sock_file})
++
++manage_dirs_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
++manage_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
++manage_lnk_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
++files_spool_filetrans(ctdbd_t, ctdbd_spool_t, { dir file })
++
++exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
++manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
++manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
++files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, { dir file } )
++
++manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
++manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
++files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, { dir file })
++
++kernel_read_network_state(ctdbd_t)
++kernel_rw_net_sysctls(ctdbd_t)
++kernel_read_system_state(ctdbd_t)
++
++corenet_tcp_bind_generic_node(ctdbd_t)
++corenet_tcp_bind_ctdb_port(ctdbd_t)
++corenet_tcp_connect_ctdb_port(ctdbd_t)
++
++corecmd_exec_bin(ctdbd_t)
++corecmd_exec_shell(ctdbd_t)
++
++dev_read_sysfs(ctdbd_t)
++dev_read_urand(ctdbd_t)
++
++domain_use_interactive_fds(ctdbd_t)
++domain_dontaudit_read_all_domains_state(ctdbd_t)
++
++files_read_etc_files(ctdbd_t)
++files_search_all_mountpoints(ctdbd_t)
++
++auth_use_nsswitch(ctdbd_t)
++
++logging_send_syslog_msg(ctdbd_t)
++
++miscfiles_read_public_files(ctdbd_t)
++
++optional_policy(`
++ consoletype_exec(ctdbd_t)
++')
++
++optional_policy(`
++ hostname_exec(ctdbd_t)
++')
++
++optional_policy(`
++ iptables_domtrans(ctdbd_t)
++')
++
++optional_policy(`
++ samba_initrc_domtrans(ctdbd_t)
++ samba_domtrans_net(ctdbd_t)
++ samba_rw_var_files(ctdbd_t)
++ samba_systemctl(ctdbd_t)
++')
++
++optional_policy(`
++ sysnet_domtrans_ifconfig(ctdbd_t)
++')
+diff --git a/cups.fc b/cups.fc
+index 848bb92..600efa5 100644
+--- a/cups.fc
++++ b/cups.fc
+@@ -19,7 +19,10 @@
+
+ /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
++/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
++
+ /lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+ /opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+@@ -52,18 +55,32 @@
+
+ /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+
+ /var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
++/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+ /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+ /var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+
++/var/log/hp(/.*)? gen_context(system_u:object_r:hplip_var_log_t,s0)
++
+ /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
+ /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+ /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+ /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+ /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+ /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++
++/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+diff --git a/cups.if b/cups.if
+index 305ddf4..f3cd95f 100644
+--- a/cups.if
++++ b/cups.if
+@@ -9,6 +9,11 @@
+ ## Domain allowed access.
+ ##
+ ##
++##
++##
++## Domain allowed access.
++##
++##
+ #
+ interface(`cups_backend',`
+ gen_require(`
+@@ -190,10 +195,12 @@ interface(`cups_dbus_chat_config',`
+ interface(`cups_read_config',`
+ gen_require(`
+ type cupsd_etc_t, cupsd_rw_etc_t;
++ type hplip_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
++ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
+ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+ ')
+
+@@ -296,6 +303,29 @@ interface(`cups_stream_connect_ptal',`
+
+ ########################################
+ ##
++## Execute cupsd server in the cupsd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cupsd_systemctl',`
++ gen_require(`
++ type cupsd_t;
++ type cupsd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 cupsd_unit_file_t:file read_file_perms;
++ allow $1 cupsd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, cupsd_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an cups environment
+ ##
+@@ -314,16 +344,20 @@ interface(`cups_stream_connect_ptal',`
+ interface(`cups_admin',`
+ gen_require(`
+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
+- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+- type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+- type cupsd_var_run_t, ptal_etc_t;
+- type ptal_var_run_t, hplip_var_run_t;
+- type cupsd_initrc_exec_t;
++ type cupsd_etc_t, cupsd_log_t, hplip_etc_t;
++ type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
++ type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
++ type ptal_var_run_t;
++ type cupsd_unit_file_t;
+ ')
+
+- allow $1 cupsd_t:process { ptrace signal_perms };
++ allow $1 cupsd_t:process signal_perms;
+ ps_process_pattern($1, cupsd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cupsd_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cupsd_initrc_exec_t system_r;
+@@ -341,18 +375,53 @@ interface(`cups_admin',`
+
+ admin_pattern($1, cupsd_lpd_var_run_t)
+
+- admin_pattern($1, cupsd_spool_t)
+- files_list_spool($1)
+-
+ admin_pattern($1, cupsd_tmp_t)
+ files_list_tmp($1)
+
+ admin_pattern($1, cupsd_var_run_t)
+ files_list_pids($1)
+
++ admin_pattern($1, hplip_etc_t)
++
+ admin_pattern($1, hplip_var_run_t)
+
+ admin_pattern($1, ptal_etc_t)
+
+ admin_pattern($1, ptal_var_run_t)
++
++ cupsd_systemctl($1)
++ admin_pattern($1, cupsd_unit_file_t)
++ allow $1 cupsd_unit_file_t:service all_service_perms;
++')
++
++########################################
++##
++## Transition to cups named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cups_filetrans_named_content',`
++ gen_require(`
++ type cupsd_rw_etc_t;
++ type cupsd_etc_t;
++ ')
++
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
++ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
++ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
++ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
++ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ ')
+diff --git a/cups.te b/cups.te
+index e5a8924..e12c890 100644
+--- a/cups.te
++++ b/cups.te
+@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
+ type cupsd_t;
+ type cupsd_exec_t;
+ init_daemon_domain(cupsd_t, cupsd_exec_t)
++mls_trusted_object(cupsd_t)
+
+ type cupsd_etc_t;
+ files_config_file(cupsd_etc_t)
+@@ -60,6 +61,9 @@ type cupsd_var_run_t;
+ files_pid_file(cupsd_var_run_t)
+ mls_trusted_object(cupsd_var_run_t)
+
++type cupsd_unit_file_t;
++systemd_unit_file(cupsd_unit_file_t)
++
+ type hplip_t;
+ type hplip_exec_t;
+ init_daemon_domain(hplip_t, hplip_exec_t)
+@@ -75,6 +79,9 @@ files_tmp_file(hplip_tmp_t)
+ type hplip_var_lib_t;
+ files_type(hplip_var_lib_t)
+
++type hplip_var_log_t;
++logging_log_file(hplip_var_log_t)
++
+ type hplip_var_run_t;
+ files_pid_file(hplip_var_run_t)
+
+@@ -104,6 +111,7 @@ ifdef(`enable_mls',`
+ # /usr/lib/cups/backend/serial needs sys_admin(?!)
+ allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
+ dontaudit cupsd_t self:capability { sys_tty_config net_admin };
++allow cupsd_t self:capability2 { block_suspend };
+ allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
+ allow cupsd_t self:fifo_file rw_fifo_file_perms;
+ allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -123,6 +131,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+ files_search_etc(cupsd_t)
+
+ manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
++can_exec(cupsd_t, cupsd_interface_t)
+
+ manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+ manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+@@ -137,6 +146,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+ allow cupsd_t cupsd_lock_t:file manage_file_perms;
+ files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
+
++manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+ manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+ allow cupsd_t cupsd_log_t:dir setattr;
+ logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+@@ -146,11 +156,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+
+-allow cupsd_t cupsd_var_run_t:dir setattr;
++allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
++manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+-files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
++files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file })
+
+ allow cupsd_t hplip_t:process { signal sigkill };
+
+@@ -159,14 +170,13 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+ allow cupsd_t hplip_var_run_t:file read_file_perms;
+
+ stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
+-allow cupsd_t ptal_var_run_t : sock_file setattr;
++allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+
+ kernel_read_system_state(cupsd_t)
+ kernel_read_network_state(cupsd_t)
+ kernel_read_all_sysctls(cupsd_t)
+ kernel_request_load_module(cupsd_t)
+
+-corenet_all_recvfrom_unlabeled(cupsd_t)
+ corenet_all_recvfrom_netlabel(cupsd_t)
+ corenet_tcp_sendrecv_generic_if(cupsd_t)
+ corenet_udp_sendrecv_generic_if(cupsd_t)
+@@ -211,6 +221,7 @@ mls_rangetrans_target(cupsd_t)
+ mls_socket_write_all_levels(cupsd_t)
+ mls_fd_use_all_levels(cupsd_t)
+
++term_use_usb_ttys(cupsd_t)
+ term_use_unallocated_ttys(cupsd_t)
+ term_search_ptys(cupsd_t)
+
+@@ -220,11 +231,12 @@ corecmd_exec_bin(cupsd_t)
+
+ domain_use_interactive_fds(cupsd_t)
+
++files_getattr_boot_dirs(cupsd_t)
+ files_list_spool(cupsd_t)
+-files_read_etc_files(cupsd_t)
+ files_read_etc_runtime_files(cupsd_t)
+ # read python modules
+ files_read_usr_files(cupsd_t)
++files_exec_usr_files(cupsd_t)
+ # for /var/lib/defoma
+ files_read_var_lib_files(cupsd_t)
+ files_list_world_readable(cupsd_t)
+@@ -258,7 +270,6 @@ libs_exec_lib_files(cupsd_t)
+ logging_send_audit_msgs(cupsd_t)
+ logging_send_syslog_msg(cupsd_t)
+
+-miscfiles_read_localization(cupsd_t)
+ # invoking ghostscript needs to read fonts
+ miscfiles_read_fonts(cupsd_t)
+ miscfiles_setattr_fonts_cache_dirs(cupsd_t)
+@@ -269,12 +280,7 @@ sysnet_exec_ifconfig(cupsd_t)
+ files_dontaudit_list_home(cupsd_t)
+ userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+ userdom_dontaudit_search_user_home_content(cupsd_t)
+-
+-# Write to /var/spool/cups.
+-lpd_manage_spool(cupsd_t)
+-lpd_read_config(cupsd_t)
+-lpd_exec_lpr(cupsd_t)
+-lpd_relabel_spool(cupsd_t)
++userdom_search_admin_dir(cupsd_t)
+
+ optional_policy(`
+ apm_domtrans_client(cupsd_t)
+@@ -287,6 +293,8 @@ optional_policy(`
+ optional_policy(`
+ dbus_system_bus_client(cupsd_t)
+
++ init_dbus_chat(cupsd_t)
++
+ userdom_dbus_send_all_users(cupsd_t)
+
+ optional_policy(`
+@@ -297,8 +305,10 @@ optional_policy(`
+ hal_dbus_chat(cupsd_t)
+ ')
+
++ # talk to processes that do not have policy
+ optional_policy(`
+ unconfined_dbus_chat(cupsd_t)
++ files_write_generic_pid_pipes(cupsd_t)
+ ')
+ ')
+
+@@ -311,10 +321,23 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
++ kerberos_manage_host_rcache(cupsd_t)
++')
++
++optional_policy(`
+ logrotate_domtrans(cupsd_t)
+ ')
+
+ optional_policy(`
++ # Write to /var/spool/cups.
++ lpd_manage_spool(cupsd_t)
++ lpd_read_config(cupsd_t)
++ lpd_exec_lpr(cupsd_t)
++ lpd_relabel_spool(cupsd_t)
++')
++
++optional_policy(`
+ mta_send_mail(cupsd_t)
+ ')
+
+@@ -322,6 +345,8 @@ optional_policy(`
+ # cups execs smbtool which reads samba_etc_t files
+ samba_read_config(cupsd_t)
+ samba_rw_var_files(cupsd_t)
++ # needed by smbspool
++ samba_stream_connect_nmbd(cupsd_t)
+ ')
+
+ optional_policy(`
+@@ -336,12 +361,16 @@ optional_policy(`
+ udev_read_db(cupsd_t)
+ ')
+
++optional_policy(`
++ virt_rw_chr_files(cupsd_t)
++')
++
+ ########################################
+ #
+ # Cups configuration daemon local policy
+ #
+
+-allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
++allow cupsd_config_t self:capability { chown dac_override setuid setgid sys_tty_config };
+ dontaudit cupsd_config_t self:capability sys_tty_config;
+ allow cupsd_config_t self:process { getsched signal_perms };
+ allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
+@@ -371,8 +400,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+
+ allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
+
++manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
+ manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
+-files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
++files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
+
+ domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+
+@@ -381,7 +411,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+ kernel_read_system_state(cupsd_config_t)
+ kernel_read_all_sysctls(cupsd_config_t)
+
+-corenet_all_recvfrom_unlabeled(cupsd_config_t)
+ corenet_all_recvfrom_netlabel(cupsd_config_t)
+ corenet_tcp_sendrecv_generic_if(cupsd_config_t)
+ corenet_tcp_sendrecv_generic_node(cupsd_config_t)
+@@ -407,7 +436,6 @@ domain_use_interactive_fds(cupsd_config_t)
+ domain_dontaudit_search_all_domains_state(cupsd_config_t)
+
+ files_read_usr_files(cupsd_config_t)
+-files_read_etc_files(cupsd_config_t)
+ files_read_etc_runtime_files(cupsd_config_t)
+ files_read_var_symlinks(cupsd_config_t)
+
+@@ -418,18 +446,15 @@ auth_use_nsswitch(cupsd_config_t)
+
+ logging_send_syslog_msg(cupsd_config_t)
+
+-miscfiles_read_localization(cupsd_config_t)
+ miscfiles_read_hwdata(cupsd_config_t)
+
+-seutil_dontaudit_search_config(cupsd_config_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
+ userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
++userdom_rw_user_tmp_files(cupsd_config_t)
++userdom_read_user_tmp_symlinks(cupsd_config_t)
+
+ cups_stream_connect(cupsd_config_t)
+
+-lpd_read_config(cupsd_config_t)
+-
+ ifdef(`distro_redhat',`
+ optional_policy(`
+ rpm_read_db(cupsd_config_t)
+@@ -453,6 +478,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(cupsd_config_t)
++')
++
++optional_policy(`
+ hal_domtrans(cupsd_config_t)
+ hal_read_tmp_files(cupsd_config_t)
+ hal_dontaudit_use_fds(hplip_t)
+@@ -467,6 +496,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ lpd_read_config(cupsd_config_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(cupsd_config_t)
+ userdom_read_all_users_state(cupsd_config_t)
+ ')
+@@ -526,7 +559,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
+ kernel_read_system_state(cupsd_lpd_t)
+ kernel_read_network_state(cupsd_lpd_t)
+
+-corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
+ corenet_all_recvfrom_netlabel(cupsd_lpd_t)
+ corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
+ corenet_udp_sendrecv_generic_if(cupsd_lpd_t)
+@@ -537,19 +569,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+ corenet_tcp_bind_generic_node(cupsd_lpd_t)
+ corenet_udp_bind_generic_node(cupsd_lpd_t)
+ corenet_tcp_connect_ipp_port(cupsd_lpd_t)
++corenet_tcp_connect_printer_port(cupsd_lpd_t)
+
+ dev_read_urand(cupsd_lpd_t)
+ dev_read_rand(cupsd_lpd_t)
+
+ fs_getattr_xattr_fs(cupsd_lpd_t)
+
+-files_read_etc_files(cupsd_lpd_t)
+
+ auth_use_nsswitch(cupsd_lpd_t)
+
+ logging_send_syslog_msg(cupsd_lpd_t)
+
+-miscfiles_read_localization(cupsd_lpd_t)
+ miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
+
+ cups_stream_connect(cupsd_lpd_t)
+@@ -577,7 +608,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
+
+ kernel_read_system_state(cups_pdf_t)
+
+-files_read_etc_files(cups_pdf_t)
+ files_read_usr_files(cups_pdf_t)
+
+ corecmd_exec_shell(cups_pdf_t)
+@@ -585,25 +615,23 @@ corecmd_exec_bin(cups_pdf_t)
+
+ auth_use_nsswitch(cups_pdf_t)
+
+-miscfiles_read_localization(cups_pdf_t)
+ miscfiles_read_fonts(cups_pdf_t)
++miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
+
+ userdom_home_filetrans_user_home_dir(cups_pdf_t)
++userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
+ userdom_manage_user_home_content_dirs(cups_pdf_t)
+ userdom_manage_user_home_content_files(cups_pdf_t)
++userdom_dontaudit_search_admin_dir(cups_pdf_t)
+
+-lpd_manage_spool(cups_pdf_t)
+-
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_search_auto_mountpoints(cups_pdf_t)
+- fs_manage_nfs_dirs(cups_pdf_t)
+- fs_manage_nfs_files(cups_pdf_t)
++optional_policy(`
++ lpd_manage_spool(cups_pdf_t)
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(cups_pdf_t)
+- fs_manage_cifs_files(cups_pdf_t)
++userdom_home_manager(cups_pdf_t)
++
++optional_policy(`
++ gnome_read_config(cups_pdf_t)
+ ')
+
+ ########################################
+@@ -635,9 +663,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+ files_search_etc(hplip_t)
+
++allow hplip_t cupsd_unit_file_t:file read_file_perms;
++
+ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+ manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+
++manage_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
++manage_fifo_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
++manage_dirs_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
++logging_log_filetrans(hplip_t,hplip_var_log_t,{ dir fifo_file file })
++
+ manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+ files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
+
+@@ -647,7 +682,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+ kernel_read_system_state(hplip_t)
+ kernel_read_kernel_sysctls(hplip_t)
+
+-corenet_all_recvfrom_unlabeled(hplip_t)
++# for python
++corecmd_exec_bin(hplip_t)
++
+ corenet_all_recvfrom_netlabel(hplip_t)
+ corenet_tcp_sendrecv_generic_if(hplip_t)
+ corenet_udp_sendrecv_generic_if(hplip_t)
+@@ -661,10 +698,10 @@ corenet_tcp_bind_generic_node(hplip_t)
+ corenet_udp_bind_generic_node(hplip_t)
+ corenet_tcp_bind_hplip_port(hplip_t)
+ corenet_tcp_connect_hplip_port(hplip_t)
+-corenet_tcp_connect_ipp_port(hplip_t)
+-corenet_sendrecv_hplip_client_packets(hplip_t)
+-corenet_receive_hplip_server_packets(hplip_t)
++corenet_tcp_bind_glance_port(hplip_t)
++corenet_tcp_connect_glance_port(hplip_t)
+ corenet_udp_bind_howl_port(hplip_t)
++corenet_tcp_connect_ipp_port(hplip_t)
+
+ dev_read_sysfs(hplip_t)
+ dev_rw_printer(hplip_t)
+@@ -673,31 +710,34 @@ dev_read_rand(hplip_t)
+ dev_rw_generic_usb_dev(hplip_t)
+ dev_rw_usbfs(hplip_t)
+
+-fs_getattr_all_fs(hplip_t)
+-fs_search_auto_mountpoints(hplip_t)
+-fs_rw_anon_inodefs_files(hplip_t)
+-
+-# for python
+-corecmd_exec_bin(hplip_t)
+-
+ domain_use_interactive_fds(hplip_t)
+
+ files_read_etc_files(hplip_t)
+ files_read_etc_runtime_files(hplip_t)
+ files_read_usr_files(hplip_t)
++files_dontaudit_write_usr_dirs(hplip_t)
+
+-logging_send_syslog_msg(hplip_t)
++fs_getattr_all_fs(hplip_t)
++fs_search_auto_mountpoints(hplip_t)
++fs_rw_anon_inodefs_files(hplip_t)
+
+-miscfiles_read_localization(hplip_t)
++term_use_ptmx(hplip_t)
++
++auth_read_passwd(hplip_t)
++
++logging_send_syslog_msg(hplip_t)
+
+ sysnet_read_config(hplip_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+ userdom_dontaudit_search_user_home_dirs(hplip_t)
+ userdom_dontaudit_search_user_home_content(hplip_t)
++userdom_dbus_send_all_users(hplip_t)
+
+-lpd_read_config(hplip_t)
+-lpd_manage_spool(hplip_t)
++optional_policy(`
++ lpd_read_config(hplip_t)
++ lpd_manage_spool(hplip_t)
++')
+
+ optional_policy(`
+ dbus_system_bus_client(hplip_t)
+@@ -743,7 +783,6 @@ kernel_read_kernel_sysctls(ptal_t)
+ kernel_list_proc(ptal_t)
+ kernel_read_proc_symlinks(ptal_t)
+
+-corenet_all_recvfrom_unlabeled(ptal_t)
+ corenet_all_recvfrom_netlabel(ptal_t)
+ corenet_tcp_sendrecv_generic_if(ptal_t)
+ corenet_tcp_sendrecv_generic_node(ptal_t)
+@@ -760,13 +799,10 @@ fs_search_auto_mountpoints(ptal_t)
+
+ domain_use_interactive_fds(ptal_t)
+
+-files_read_etc_files(ptal_t)
+ files_read_etc_runtime_files(ptal_t)
+
+ logging_send_syslog_msg(ptal_t)
+
+-miscfiles_read_localization(ptal_t)
+-
+ sysnet_read_config(ptal_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(ptal_t)
+diff --git a/cvs.if b/cvs.if
+index c43ff4c..5da88b5 100644
+--- a/cvs.if
++++ b/cvs.if
+@@ -1,5 +1,23 @@
+ ## Concurrent versions system
+
++######################################
++##
++## Dontaudit Attempts to list the CVS data and metadata.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`cvs_dontaudit_list_data',`
++ gen_require(`
++ type cvs_data_t;
++ ')
++
++ dontaudit $1 cvs_data_t:dir list_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Read the CVS data and metadata.
+@@ -58,14 +76,17 @@ interface(`cvs_exec',`
+ #
+ interface(`cvs_admin',`
+ gen_require(`
+- type cvs_t, cvs_tmp_t;
++ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
+ type cvs_data_t, cvs_var_run_t;
+- type cvs_initrc_exec_t;
+ ')
+
+- allow $1 cvs_t:process { ptrace signal_perms };
++ allow $1 cvs_t:process signal_perms;
+ ps_process_pattern($1, cvs_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cvs_t:process ptrace;
++ ')
++
+ # Allow cvs_t to restart the apache service
+ init_labeled_script_domtrans($1, cvs_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/cvs.te b/cvs.te
+index 88e7e97..b475317 100644
+--- a/cvs.te
++++ b/cvs.te
+@@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0)
+ ## Allow cvs daemon to read shadow
+ ##
+ ##
+-gen_tunable(allow_cvs_read_shadow, false)
++gen_tunable(cvs_read_shadow, false)
+
+ type cvs_t;
+ type cvs_exec_t;
+@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
+ # Local policy
+ #
+
++allow cvs_t self:capability { setuid setgid };
+ allow cvs_t self:process signal_perms;
+ allow cvs_t self:fifo_file rw_fifo_file_perms;
+ allow cvs_t self:tcp_socket connected_stream_socket_perms;
+ # for identd; cjp: this should probably only be inetd_child rules?
+ allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+-allow cvs_t self:capability { setuid setgid };
+
+ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(cvs_t)
+ kernel_read_system_state(cvs_t)
+ kernel_read_network_state(cvs_t)
+
+-corenet_all_recvfrom_unlabeled(cvs_t)
+ corenet_all_recvfrom_netlabel(cvs_t)
+ corenet_tcp_sendrecv_generic_if(cvs_t)
+ corenet_udp_sendrecv_generic_if(cvs_t)
+@@ -76,21 +75,22 @@ auth_use_nsswitch(cvs_t)
+ corecmd_exec_bin(cvs_t)
+ corecmd_exec_shell(cvs_t)
+
+-files_read_etc_files(cvs_t)
+ files_read_etc_runtime_files(cvs_t)
+ # for identd; cjp: this should probably only be inetd_child rules?
+ files_search_home(cvs_t)
+
++init_dontaudit_read_utmp(cvs_t)
++
+ logging_send_syslog_msg(cvs_t)
+ logging_send_audit_msgs(cvs_t)
+
+-miscfiles_read_localization(cvs_t)
+-
+ mta_send_mail(cvs_t)
+
++userdom_dontaudit_search_user_home_dirs(cvs_t)
++
+ # cjp: typeattribute doesnt work in conditionals yet
+ auth_can_read_shadow_passwords(cvs_t)
+-tunable_policy(`allow_cvs_read_shadow',`
++tunable_policy(`cvs_read_shadow',`
+ allow cvs_t self:capability dac_override;
+ auth_tunable_read_shadow(cvs_t)
+ ')
+@@ -112,4 +112,5 @@ optional_policy(`
+ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+ manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
++ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
+ ')
+diff --git a/cyphesis.te b/cyphesis.te
+index 25897c9..814bdae 100644
+--- a/cyphesis.te
++++ b/cyphesis.te
+@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
+ corecmd_search_bin(cyphesis_t)
+ corecmd_getattr_bin_files(cyphesis_t)
+
+-corenet_all_recvfrom_unlabeled(cyphesis_t)
+ corenet_tcp_sendrecv_generic_if(cyphesis_t)
+ corenet_tcp_sendrecv_generic_node(cyphesis_t)
+ corenet_tcp_sendrecv_all_ports(cyphesis_t)
+@@ -66,8 +65,6 @@ files_read_usr_files(cyphesis_t)
+
+ logging_send_syslog_msg(cyphesis_t)
+
+-miscfiles_read_localization(cyphesis_t)
+-
+ sysnet_dns_name_resolve(cyphesis_t)
+
+ # cyphesis wants to talk to avahi via dbus
+diff --git a/cyrus.if b/cyrus.if
+index e4e86d0..4203ea9 100644
+--- a/cyrus.if
++++ b/cyrus.if
+@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
+ manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
+ ')
+
++#######################################
++##
++## Allow write cyrus data files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cyrus_write_data',`
++ gen_require(`
++ type cyrus_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
++')
++
+ ########################################
+ ##
+ ## Connect to Cyrus using a unix domain stream socket.
+@@ -62,9 +81,13 @@ interface(`cyrus_admin',`
+ type cyrus_var_run_t, cyrus_initrc_exec_t;
+ ')
+
+- allow $1 cyrus_t:process { ptrace signal_perms };
++ allow $1 cyrus_t:process signal_perms;
+ ps_process_pattern($1, cyrus_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cyrus_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cyrus_initrc_exec_t system_r;
+diff --git a/cyrus.te b/cyrus.te
+index 097fdcc..fb6e6da 100644
+--- a/cyrus.te
++++ b/cyrus.te
+@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
+ # Local policy
+ #
+
+-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
++allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
+ dontaudit cyrus_t self:capability sys_tty_config;
+ allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow cyrus_t self:process setrlimit;
+@@ -62,7 +62,6 @@ kernel_read_kernel_sysctls(cyrus_t)
+ kernel_read_system_state(cyrus_t)
+ kernel_read_all_sysctls(cyrus_t)
+
+-corenet_all_recvfrom_unlabeled(cyrus_t)
+ corenet_all_recvfrom_netlabel(cyrus_t)
+ corenet_tcp_sendrecv_generic_if(cyrus_t)
+ corenet_udp_sendrecv_generic_if(cyrus_t)
+@@ -73,6 +72,7 @@ corenet_udp_sendrecv_all_ports(cyrus_t)
+ corenet_tcp_bind_generic_node(cyrus_t)
+ corenet_tcp_bind_mail_port(cyrus_t)
+ corenet_tcp_bind_lmtp_port(cyrus_t)
++corenet_tcp_bind_innd_port(cyrus_t)
+ corenet_tcp_bind_pop_port(cyrus_t)
+ corenet_tcp_bind_sieve_port(cyrus_t)
+ corenet_tcp_connect_all_ports(cyrus_t)
+@@ -93,7 +93,6 @@ corecmd_exec_bin(cyrus_t)
+ domain_use_interactive_fds(cyrus_t)
+
+ files_list_var_lib(cyrus_t)
+-files_read_etc_files(cyrus_t)
+ files_read_etc_runtime_files(cyrus_t)
+ files_read_usr_files(cyrus_t)
+
+@@ -103,7 +102,6 @@ libs_exec_lib_files(cyrus_t)
+
+ logging_send_syslog_msg(cyrus_t)
+
+-miscfiles_read_localization(cyrus_t)
+ miscfiles_read_generic_certs(cyrus_t)
+
+ sysnet_read_config(cyrus_t)
+@@ -119,6 +117,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dirsrv_stream_connect(cyrus_t)
++')
++
++optional_policy(`
+ kerberos_keytab_template(cyrus, cyrus_t)
+ ')
+
+@@ -135,6 +137,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ files_dontaudit_write_usr_dirs(cyrus_t)
+ snmp_read_snmp_var_lib_files(cyrus_t)
+ snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ snmp_stream_connect(cyrus_t)
+diff --git a/daemontools.if b/daemontools.if
+index ce3e676..0158314 100644
+--- a/daemontools.if
++++ b/daemontools.if
+@@ -210,3 +210,4 @@ interface(`daemontools_manage_svc',`
+ allow $1 svc_svc_t:file manage_file_perms;
+ allow $1 svc_svc_t:lnk_file { read create };
+ ')
++
+diff --git a/daemontools.te b/daemontools.te
+index dcc5f1c..c6fa5c0 100644
+--- a/daemontools.te
++++ b/daemontools.te
+@@ -38,7 +38,10 @@ files_type(svc_svc_t)
+ # multilog creates /service/*/log/status
+ manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
+
++term_write_console(svc_multilog_t)
++
+ init_use_fds(svc_multilog_t)
++init_dontaudit_use_script_fds(svc_multilog_t)
+
+ # writes to /var/log/*/*
+ logging_manage_generic_logs(svc_multilog_t)
+@@ -69,6 +72,8 @@ dev_read_urand(svc_run_t)
+ corecmd_exec_bin(svc_run_t)
+ corecmd_exec_shell(svc_run_t)
+
++term_write_console(svc_run_t)
++
+ files_read_etc_files(svc_run_t)
+ files_read_etc_runtime_files(svc_run_t)
+ files_search_pids(svc_run_t)
+@@ -99,12 +104,19 @@ allow svc_start_t self:unix_stream_socket create_socket_perms;
+
+ can_exec(svc_start_t, svc_start_exec_t)
+
++mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
++
+ kernel_read_kernel_sysctls(svc_start_t)
+ kernel_read_system_state(svc_start_t)
+
+ corecmd_exec_bin(svc_start_t)
+ corecmd_exec_shell(svc_start_t)
+
++corenet_tcp_bind_generic_node(svc_start_t)
++corenet_tcp_bind_generic_port(svc_start_t)
++
++term_write_console(svc_start_t)
++
+ files_read_etc_files(svc_start_t)
+ files_read_etc_runtime_files(svc_start_t)
+ files_search_var(svc_start_t)
+@@ -114,5 +126,3 @@ daemontools_domtrans_run(svc_start_t)
+ daemontools_manage_svc(svc_start_t)
+
+ logging_send_syslog_msg(svc_start_t)
+-
+-miscfiles_read_localization(svc_start_t)
+diff --git a/dante.te b/dante.te
+index 9636326..637fc71 100644
+--- a/dante.te
++++ b/dante.te
+@@ -10,7 +10,7 @@ type dante_exec_t;
+ init_daemon_domain(dante_t, dante_exec_t)
+
+ type dante_conf_t;
+-files_type(dante_conf_t)
++files_config_file(dante_conf_t)
+
+ type dante_var_run_t;
+ files_pid_file(dante_var_run_t)
+@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(dante_t)
+ kernel_list_proc(dante_t)
+ kernel_read_proc_symlinks(dante_t)
+
+-corenet_all_recvfrom_unlabeled(dante_t)
+ corenet_all_recvfrom_netlabel(dante_t)
+ corenet_tcp_sendrecv_generic_if(dante_t)
+ corenet_udp_sendrecv_generic_if(dante_t)
+@@ -46,7 +45,6 @@ corenet_udp_sendrecv_generic_node(dante_t)
+ corenet_tcp_sendrecv_all_ports(dante_t)
+ corenet_udp_sendrecv_all_ports(dante_t)
+ corenet_tcp_bind_generic_node(dante_t)
+-corenet_tcp_bind_socks_port(dante_t)
+
+ dev_read_sysfs(dante_t)
+
+@@ -62,8 +60,6 @@ init_write_utmp(dante_t)
+
+ logging_send_syslog_msg(dante_t)
+
+-miscfiles_read_localization(dante_t)
+-
+ sysnet_read_config(dante_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(dante_t)
+diff --git a/dbadm.te b/dbadm.te
+index 1875064..2adc35f 100644
+--- a/dbadm.te
++++ b/dbadm.te
+@@ -28,7 +28,7 @@ userdom_base_user_template(dbadm)
+ # database admin local policy
+ #
+
+-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
++allow dbadm_t self:capability { dac_override dac_read_search };
+
+ files_dontaudit_search_all_dirs(dbadm_t)
+ files_delete_generic_locks(dbadm_t)
+@@ -37,6 +37,7 @@ files_list_var(dbadm_t)
+ selinux_get_enforce_mode(dbadm_t)
+
+ logging_send_syslog_msg(dbadm_t)
++logging_send_audit_msgs(dbadm_t)
+
+ userdom_dontaudit_search_user_home_dirs(dbadm_t)
+
+@@ -58,3 +59,7 @@ optional_policy(`
+ optional_policy(`
+ postgresql_admin(dbadm_t, dbadm_r)
+ ')
++
++optional_policy(`
++ sudo_role_template(dbadm, dbadm_r, dbadm_t)
++')
+diff --git a/dbskk.te b/dbskk.te
+index 1445f97..8ca064c 100644
+--- a/dbskk.te
++++ b/dbskk.te
+@@ -47,7 +47,6 @@ kernel_read_kernel_sysctls(dbskkd_t)
+ kernel_read_system_state(dbskkd_t)
+ kernel_read_network_state(dbskkd_t)
+
+-corenet_all_recvfrom_unlabeled(dbskkd_t)
+ corenet_all_recvfrom_netlabel(dbskkd_t)
+ corenet_tcp_sendrecv_generic_if(dbskkd_t)
+ corenet_udp_sendrecv_generic_if(dbskkd_t)
+@@ -60,10 +59,7 @@ dev_read_urand(dbskkd_t)
+
+ fs_getattr_xattr_fs(dbskkd_t)
+
+-files_read_etc_files(dbskkd_t)
+
+ auth_use_nsswitch(dbskkd_t)
+
+ logging_send_syslog_msg(dbskkd_t)
+-
+-miscfiles_read_localization(dbskkd_t)
+diff --git a/dbus.fc b/dbus.fc
+index e6345ce..31f269b 100644
+--- a/dbus.fc
++++ b/dbus.fc
+@@ -4,6 +4,7 @@
+
+ ifdef(`distro_redhat',`
+ /lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
++/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+ ')
+
+ /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+diff --git a/dbus.if b/dbus.if
+index fb4bf82..126d543 100644
+--- a/dbus.if
++++ b/dbus.if
+@@ -41,9 +41,9 @@ interface(`dbus_stub',`
+ template(`dbus_role_template',`
+ gen_require(`
+ class dbus { send_msg acquire_svc };
+-
+- attribute session_bus_type;
++ attribute dbusd_unconfined, session_bus_type;
+ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
++ type $1_t;
+ ')
+
+ ##############################
+@@ -52,117 +52,47 @@ template(`dbus_role_template',`
+ #
+
+ type $1_dbusd_t, session_bus_type;
+- domain_type($1_dbusd_t)
+- domain_entry_file($1_dbusd_t, dbusd_exec_t)
++ application_domain($1_dbusd_t, dbusd_exec_t)
+ ubac_constrained($1_dbusd_t)
+ role $2 types $1_dbusd_t;
+
++ kernel_read_system_state($1_dbusd_t)
++
++ selinux_get_fs_mount($1_dbusd_t)
++
++ userdom_home_manager($1_dbusd_t)
++
+ ##############################
+ #
+ # Local policy
+ #
+
+- allow $1_dbusd_t self:process { getattr sigkill signal };
+- dontaudit $1_dbusd_t self:process ptrace;
+- allow $1_dbusd_t self:file { getattr read write };
+- allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
+- allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+- allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+- allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+- allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
+- allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+-
+ # For connecting to the bus
+ allow $3 $1_dbusd_t:unix_stream_socket connectto;
+
+ # SE-DBus specific permissions
+- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
++ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+
+- allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
+- read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+- read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
++ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+
+- manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+- manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+- files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
++ ps_process_pattern($3, $1_dbusd_t)
++ allow $3 $1_dbusd_t:process signal_perms;
+
+- domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+- allow $3 $1_dbusd_t:process { signull sigkill signal };
++ tunable_policy(`deny_ptrace',`',`
++ allow $3 $1_dbusd_t:process ptrace;
++ ')
+
+ # cjp: this seems very broken
+- corecmd_bin_domtrans($1_dbusd_t, $3)
++ corecmd_bin_domtrans($1_dbusd_t, $1_t)
++ corecmd_shell_domtrans($1_dbusd_t, $1_t)
+ allow $1_dbusd_t $3:process sigkill;
+ allow $3 $1_dbusd_t:fd use;
+ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+- allow $3 $1_dbusd_t:process sigchld;
+-
+- kernel_read_system_state($1_dbusd_t)
+- kernel_read_kernel_sysctls($1_dbusd_t)
+-
+- corecmd_list_bin($1_dbusd_t)
+- corecmd_read_bin_symlinks($1_dbusd_t)
+- corecmd_read_bin_files($1_dbusd_t)
+- corecmd_read_bin_pipes($1_dbusd_t)
+- corecmd_read_bin_sockets($1_dbusd_t)
+
+- corenet_all_recvfrom_unlabeled($1_dbusd_t)
+- corenet_all_recvfrom_netlabel($1_dbusd_t)
+- corenet_tcp_sendrecv_generic_if($1_dbusd_t)
+- corenet_tcp_sendrecv_generic_node($1_dbusd_t)
+- corenet_tcp_sendrecv_all_ports($1_dbusd_t)
+- corenet_tcp_bind_generic_node($1_dbusd_t)
+- corenet_tcp_bind_reserved_port($1_dbusd_t)
+-
+- dev_read_urand($1_dbusd_t)
+-
+- domain_use_interactive_fds($1_dbusd_t)
+- domain_read_all_domains_state($1_dbusd_t)
+-
+- files_read_etc_files($1_dbusd_t)
+- files_list_home($1_dbusd_t)
+- files_read_usr_files($1_dbusd_t)
+- files_dontaudit_search_var($1_dbusd_t)
+-
+- fs_getattr_romfs($1_dbusd_t)
+- fs_getattr_xattr_fs($1_dbusd_t)
+- fs_list_inotifyfs($1_dbusd_t)
+- fs_dontaudit_list_nfs($1_dbusd_t)
+-
+- selinux_get_fs_mount($1_dbusd_t)
+- selinux_validate_context($1_dbusd_t)
+- selinux_compute_access_vector($1_dbusd_t)
+- selinux_compute_create_context($1_dbusd_t)
+- selinux_compute_relabel_context($1_dbusd_t)
+- selinux_compute_user_contexts($1_dbusd_t)
+-
+- auth_read_pam_console_data($1_dbusd_t)
+ auth_use_nsswitch($1_dbusd_t)
+
+- logging_send_audit_msgs($1_dbusd_t)
+ logging_send_syslog_msg($1_dbusd_t)
+-
+- miscfiles_read_localization($1_dbusd_t)
+-
+- seutil_read_config($1_dbusd_t)
+- seutil_read_default_contexts($1_dbusd_t)
+-
+- term_use_all_terms($1_dbusd_t)
+-
+- userdom_read_user_home_content_files($1_dbusd_t)
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+- ')
+-
+- optional_policy(`
+- hal_dbus_chat($1_dbusd_t)
+- ')
+-
+- optional_policy(`
+- xserver_use_xdm_fds($1_dbusd_t)
+- xserver_rw_xdm_pipes($1_dbusd_t)
+- ')
+ ')
+
+ #######################################
+@@ -181,11 +111,12 @@ interface(`dbus_system_bus_client',`
+ type system_dbusd_t, system_dbusd_t;
+ type system_dbusd_var_run_t, system_dbusd_var_lib_t;
+ class dbus send_msg;
++ attribute dbusd_unconfined;
+ ')
+
+ # SE-DBus specific permissions
+ allow $1 { system_dbusd_t self }:dbus send_msg;
+- allow system_dbusd_t $1:dbus send_msg;
++ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
+
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
+@@ -198,6 +129,34 @@ interface(`dbus_system_bus_client',`
+
+ #######################################
+ ##
++## Creating connections to specified
++## DBUS sessions.
++##
++##
++##
++## The prefix of the user role (e.g., user
++## is the prefix for user_r).
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dbus_session_client',`
++ gen_require(`
++ class dbus send_msg;
++ type $1_dbusd_t;
++ ')
++
++ allow $2 $1_dbusd_t:fd use;
++ allow $2 { $1_dbusd_t self }:dbus send_msg;
++ allow $2 $1_dbusd_t:unix_stream_socket connectto;
++')
++
++#######################################
++##
+ ## Template for creating connections to
+ ## a user DBUS.
+ ##
+@@ -219,7 +178,7 @@ interface(`dbus_session_bus_client',`
+ # For connecting to the bus
+ allow $1 session_bus_type:unix_stream_socket connectto;
+
+- dontaudit $1 session_bus_type:fd use;
++ allow session_bus_type $1:process sigkill;
+ ')
+
+ ########################################
+@@ -324,6 +283,11 @@ interface(`dbus_connect_session_bus',`
+ ## Allow a application domain to be started
+ ## by the session dbus.
+ ##
++##
++##
++## User domain prefix to be used.
++##
++##
+ ##
+ ##
+ ## Type to be used as a domain.
+@@ -338,13 +302,13 @@ interface(`dbus_connect_session_bus',`
+ #
+ interface(`dbus_session_domain',`
+ gen_require(`
+- attribute session_bus_type;
++ type $1_dbusd_t;
+ ')
+
+- domtrans_pattern(session_bus_type, $2, $1)
++ domtrans_pattern($1_dbusd_t, $2, $3)
+
+- dbus_session_bus_client($1)
+- dbus_connect_session_bus($1)
++ dbus_session_bus_client($3)
++ dbus_connect_session_bus($3)
+ ')
+
+ ########################################
+@@ -423,27 +387,16 @@ interface(`dbus_system_bus_unconfined',`
+ #
+ interface(`dbus_system_domain',`
+ gen_require(`
++ attribute system_bus_type;
+ type system_dbusd_t;
+ role system_r;
+ ')
++ typeattribute $1 system_bus_type;
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+- role system_r types $1;
+-
+ domtrans_pattern(system_dbusd_t, $2, $1)
+-
+- dbus_system_bus_client($1)
+- dbus_connect_system_bus($1)
+-
+- ps_process_pattern(system_dbusd_t, $1)
+-
+- userdom_read_all_users_state($1)
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+- ')
+ ')
+
+ ########################################
+@@ -466,26 +419,25 @@ interface(`dbus_use_system_bus_fds',`
+
+ ########################################
+ ##
+-## Dontaudit Read, and write system dbus TCP sockets.
++## Allow unconfined access to the system DBUS.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
++interface(`dbus_unconfined',`
+ gen_require(`
+- type system_dbusd_t;
++ attribute dbusd_unconfined;
+ ')
+
+- allow $1 system_dbusd_t:tcp_socket { read write };
+- allow $1 system_dbusd_t:fd use;
++ typeattribute $1 dbusd_unconfined;
+ ')
+
+ ########################################
+ ##
+-## Allow unconfined access to the system DBUS.
++## Delete all dbus pid files
+ ##
+ ##
+ ##
+@@ -493,10 +445,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+ ##
+ ##
+ #
+-interface(`dbus_unconfined',`
++interface(`dbus_delete_pid_files',`
+ gen_require(`
+- attribute dbusd_unconfined;
++ type system_dbusd_var_run_t;
+ ')
+
+- typeattribute $1 dbusd_unconfined;
++ files_search_pids($1)
++ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
++')
++
++########################################
++##
++## Do not audit attempts to connect to
++## session bus types with a unix
++## stream socket.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dbus_dontaudit_stream_connect_session_bus',`
++ gen_require(`
++ attribute session_bus_type;
++ ')
++
++ dontaudit $1 session_bus_type:unix_stream_socket connectto;
++')
++
++########################################
++##
++## Do not audit attempts to send dbus
++## messages to session bus types.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dbus_dontaudit_chat_session_bus',`
++ gen_require(`
++ attribute session_bus_type;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 session_bus_type:dbus send_msg;
+ ')
+diff --git a/dbus.te b/dbus.te
+index 625cb32..087cecf 100644
+--- a/dbus.te
++++ b/dbus.te
+@@ -10,6 +10,7 @@ gen_require(`
+ #
+
+ attribute dbusd_unconfined;
++attribute system_bus_type;
+ attribute session_bus_type;
+
+ type dbusd_etc_t;
+@@ -35,6 +36,7 @@ files_type(system_dbusd_var_lib_t)
+
+ type system_dbusd_var_run_t;
+ files_pid_file(system_dbusd_var_run_t)
++init_sock_file(system_dbusd_var_run_t)
+
+ ifdef(`enable_mcs',`
+ init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
+@@ -51,9 +53,9 @@ ifdef(`enable_mls',`
+
+ # dac_override: /var/run/dbus is owned by messagebus on Debian
+ # cjp: dac_override should probably go in a distro_debian
+-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
++allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+ dontaudit system_dbusd_t self:capability sys_tty_config;
+-allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
++allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
+ allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
+ allow system_dbusd_t self:dbus { send_msg acquire_svc };
+ allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+@@ -73,9 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+
+ read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+
++manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
++files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
+
+ kernel_read_system_state(system_dbusd_t)
+ kernel_read_kernel_sysctls(system_dbusd_t)
+@@ -83,11 +86,16 @@ kernel_read_kernel_sysctls(system_dbusd_t)
+ dev_read_urand(system_dbusd_t)
+ dev_read_sysfs(system_dbusd_t)
+
++files_rw_inherited_non_security_files(system_dbusd_t)
++
+ fs_getattr_all_fs(system_dbusd_t)
+ fs_list_inotifyfs(system_dbusd_t)
+ fs_search_auto_mountpoints(system_dbusd_t)
+ fs_dontaudit_list_nfs(system_dbusd_t)
+
++storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
++storage_rw_inherited_removable_device(system_dbusd_t)
++
+ mls_fd_use_all_levels(system_dbusd_t)
+ mls_rangetrans_target(system_dbusd_t)
+ mls_file_read_all_levels(system_dbusd_t)
+@@ -110,22 +118,25 @@ auth_read_pam_console_data(system_dbusd_t)
+ corecmd_list_bin(system_dbusd_t)
+ corecmd_read_bin_pipes(system_dbusd_t)
+ corecmd_read_bin_sockets(system_dbusd_t)
++# needed for system-tools-backends
++corecmd_exec_shell(system_dbusd_t)
+
+ domain_use_interactive_fds(system_dbusd_t)
+ domain_read_all_domains_state(system_dbusd_t)
+
+-files_read_etc_files(system_dbusd_t)
+ files_list_home(system_dbusd_t)
+ files_read_usr_files(system_dbusd_t)
+
+ init_use_fds(system_dbusd_t)
+ init_use_script_ptys(system_dbusd_t)
++init_bin_domtrans_spec(system_dbusd_t)
+ init_domtrans_script(system_dbusd_t)
++init_rw_stream_sockets(system_dbusd_t)
++init_status(system_dbusd_t)
+
+ logging_send_audit_msgs(system_dbusd_t)
+ logging_send_syslog_msg(system_dbusd_t)
+
+-miscfiles_read_localization(system_dbusd_t)
+ miscfiles_read_generic_certs(system_dbusd_t)
+
+ seutil_read_config(system_dbusd_t)
+@@ -135,11 +146,35 @@ seutil_sigchld_newrole(system_dbusd_t)
+ userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
+ userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
+
++userdom_home_reader(system_dbusd_t)
++
+ optional_policy(`
+ bind_domtrans(system_dbusd_t)
+ ')
+
+ optional_policy(`
++ bluetooth_stream_connect(system_dbusd_t)
++')
++
++optional_policy(`
++ cpufreqselector_dbus_chat(system_dbusd_t)
++')
++
++optional_policy(`
++ getty_start_services(system_dbusd_t)
++')
++
++optional_policy(`
++ gnome_exec_gconf(system_dbusd_t)
++ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
++')
++
++optional_policy(`
++ networkmanager_initrc_domtrans(system_dbusd_t)
++ networkmanager_systemctl(system_dbusd_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(system_dbusd_t)
+ policykit_domtrans_auth(system_dbusd_t)
+ policykit_search_lib(system_dbusd_t)
+@@ -150,12 +185,162 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_use_fds_logind(system_dbusd_t)
++ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
++ systemd_write_inhibit_pipes(system_dbusd_t)
++# These are caused by broken systemd patch
++ systemd_start_power_services(system_dbusd_t)
++ systemd_config_all_services(system_dbusd_t)
++ files_config_all_files(system_dbusd_t)
++')
++
++optional_policy(`
+ udev_read_db(system_dbusd_t)
+ ')
+
++optional_policy(`
++ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
++ xserver_read_inherited_xdm_lib_files(system_dbusd_t)
++')
++
++########################################
++#
++# system_bus_type rules
++#
++role system_r types system_bus_type;
++
++fs_search_all(system_bus_type)
++
++dbus_system_bus_client(system_bus_type)
++dbus_connect_system_bus(system_bus_type)
++
++init_status(system_bus_type)
++init_stream_connect(system_bus_type)
++init_dgram_send(system_bus_type)
++init_use_fds(system_bus_type)
++init_rw_stream_sockets(system_bus_type)
++
++ps_process_pattern(system_dbusd_t, system_bus_type)
++
++userdom_dontaudit_search_admin_dir(system_bus_type)
++userdom_read_all_users_state(system_bus_type)
++
++optional_policy(`
++ abrt_stream_connect(system_bus_type)
++')
++
++optional_policy(`
++ rpm_script_dbus_chat(system_bus_type)
++')
++
++optional_policy(`
++ unconfined_dbus_send(system_bus_type)
++')
++
++ifdef(`hide_broken_symptoms',`
++ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
++')
++
++########################################
++#
++# session_bus_type rules
++#
++allow session_bus_type self:capability2 block_suspend;
++dontaudit session_bus_type self:capability sys_resource;
++allow session_bus_type self:process { getattr sigkill signal };
++dontaudit session_bus_type self:process setrlimit;
++allow session_bus_type self:file { getattr read write };
++allow session_bus_type self:fifo_file rw_fifo_file_perms;
++allow session_bus_type self:dbus { send_msg acquire_svc };
++allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
++allow session_bus_type self:unix_dgram_socket create_socket_perms;
++allow session_bus_type self:tcp_socket create_stream_socket_perms;
++allow session_bus_type self:netlink_selinux_socket create_socket_perms;
++
++allow session_bus_type dbusd_etc_t:dir list_dir_perms;
++read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
++read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
++
++manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
++manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
++files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
++
++kernel_read_kernel_sysctls(session_bus_type)
++
++corecmd_list_bin(session_bus_type)
++corecmd_read_bin_symlinks(session_bus_type)
++corecmd_read_bin_files(session_bus_type)
++corecmd_read_bin_pipes(session_bus_type)
++corecmd_read_bin_sockets(session_bus_type)
++
++corenet_tcp_sendrecv_generic_if(session_bus_type)
++corenet_tcp_sendrecv_generic_node(session_bus_type)
++corenet_tcp_sendrecv_all_ports(session_bus_type)
++corenet_tcp_bind_generic_node(session_bus_type)
++corenet_tcp_bind_reserved_port(session_bus_type)
++
++dev_read_urand(session_bus_type)
++
++domain_use_interactive_fds(session_bus_type)
++domain_read_all_domains_state(session_bus_type)
++
++files_list_home(session_bus_type)
++files_read_usr_files(session_bus_type)
++files_dontaudit_search_var(session_bus_type)
++
++fs_getattr_romfs(session_bus_type)
++fs_getattr_xattr_fs(session_bus_type)
++fs_list_inotifyfs(session_bus_type)
++fs_dontaudit_list_nfs(session_bus_type)
++
++selinux_validate_context(session_bus_type)
++selinux_compute_access_vector(session_bus_type)
++selinux_compute_create_context(session_bus_type)
++selinux_compute_relabel_context(session_bus_type)
++selinux_compute_user_contexts(session_bus_type)
++
++auth_read_pam_console_data(session_bus_type)
++
++logging_send_audit_msgs(session_bus_type)
++
++seutil_read_config(session_bus_type)
++seutil_read_default_contexts(session_bus_type)
++
++term_use_all_inherited_terms(session_bus_type)
++
++userdom_dontaudit_search_admin_dir(session_bus_type)
++userdom_manage_user_home_content_dirs(session_bus_type)
++userdom_manage_user_home_content_files(session_bus_type)
++userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
++userdom_manage_tmpfs_files(session_bus_type, file)
++userdom_tmpfs_filetrans(session_bus_type, file)
++
++optional_policy(`
++ gnome_read_gconf_home_files(session_bus_type)
++')
++
++optional_policy(`
++ hal_dbus_chat(session_bus_type)
++')
++
++optional_policy(`
++ thumb_domtrans(session_bus_type)
++')
++
++optional_policy(`
++ xserver_search_xdm_lib(session_bus_type)
++ xserver_use_xdm_fds(session_bus_type)
++ xserver_rw_xdm_pipes(session_bus_type)
++ xserver_use_xdm_fds(session_bus_type)
++ xserver_rw_xdm_pipes(session_bus_type)
++ xserver_append_xdm_home_files(session_bus_type)
++')
++
+ ########################################
+ #
+ # Unconfined access to this module
+ #
+
+ allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
++allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
++allow session_bus_type dbusd_unconfined:dbus send_msg;
+diff --git a/dcc.if b/dcc.if
+index 784753e..bf65e7d 100644
+--- a/dcc.if
++++ b/dcc.if
+@@ -168,6 +168,6 @@ interface(`dcc_stream_connect_dccifd',`
+ type dcc_var_t, dccifd_var_run_t, dccifd_t;
+ ')
+
+- files_search_var($1)
++ files_search_pids($1)
+ stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
+ ')
+diff --git a/dcc.te b/dcc.te
+index 5178337..46bbbed 100644
+--- a/dcc.te
++++ b/dcc.te
+@@ -36,7 +36,7 @@ type dcc_var_t;
+ files_type(dcc_var_t)
+
+ type dcc_var_run_t;
+-files_type(dcc_var_run_t)
++files_pid_file(dcc_var_run_t)
+
+ type dccd_t;
+ type dccd_exec_t;
+@@ -95,22 +95,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
+ read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+ read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+
+-corenet_all_recvfrom_unlabeled(cdcc_t)
+ corenet_all_recvfrom_netlabel(cdcc_t)
+ corenet_udp_sendrecv_generic_if(cdcc_t)
+ corenet_udp_sendrecv_generic_node(cdcc_t)
+ corenet_udp_sendrecv_all_ports(cdcc_t)
+
+-files_read_etc_files(cdcc_t)
+ files_read_etc_runtime_files(cdcc_t)
+
+ auth_use_nsswitch(cdcc_t)
+
+ logging_send_syslog_msg(cdcc_t)
+
+-miscfiles_read_localization(cdcc_t)
+-
+-userdom_use_user_terminals(cdcc_t)
++userdom_use_inherited_user_terminals(cdcc_t)
+
+ ########################################
+ #
+@@ -134,14 +130,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+
+ kernel_read_system_state(dcc_client_t)
+
+-corenet_all_recvfrom_unlabeled(dcc_client_t)
+ corenet_all_recvfrom_netlabel(dcc_client_t)
+ corenet_udp_sendrecv_generic_if(dcc_client_t)
+ corenet_udp_sendrecv_generic_node(dcc_client_t)
+ corenet_udp_sendrecv_all_ports(dcc_client_t)
+ corenet_udp_bind_generic_node(dcc_client_t)
+
+-files_read_etc_files(dcc_client_t)
+ files_read_etc_runtime_files(dcc_client_t)
+
+ fs_getattr_all_fs(dcc_client_t)
+@@ -150,9 +144,7 @@ auth_use_nsswitch(dcc_client_t)
+
+ logging_send_syslog_msg(dcc_client_t)
+
+-miscfiles_read_localization(dcc_client_t)
+-
+-userdom_use_user_terminals(dcc_client_t)
++userdom_use_inherited_user_terminals(dcc_client_t)
+
+ optional_policy(`
+ amavis_read_spool_files(dcc_client_t)
+@@ -182,22 +174,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+
+ kernel_read_system_state(dcc_dbclean_t)
+
+-corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
+ corenet_all_recvfrom_netlabel(dcc_dbclean_t)
+ corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
+ corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
+ corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+
+-files_read_etc_files(dcc_dbclean_t)
+ files_read_etc_runtime_files(dcc_dbclean_t)
+
+ auth_use_nsswitch(dcc_dbclean_t)
+
+ logging_send_syslog_msg(dcc_dbclean_t)
+
+-miscfiles_read_localization(dcc_dbclean_t)
+-
+-userdom_use_user_terminals(dcc_dbclean_t)
++userdom_use_inherited_user_terminals(dcc_dbclean_t)
+
+ ########################################
+ #
+@@ -238,7 +226,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
+ kernel_read_system_state(dccd_t)
+ kernel_read_kernel_sysctls(dccd_t)
+
+-corenet_all_recvfrom_unlabeled(dccd_t)
+ corenet_all_recvfrom_netlabel(dccd_t)
+ corenet_udp_sendrecv_generic_if(dccd_t)
+ corenet_udp_sendrecv_generic_node(dccd_t)
+@@ -251,7 +238,6 @@ dev_read_sysfs(dccd_t)
+
+ domain_use_interactive_fds(dccd_t)
+
+-files_read_etc_files(dccd_t)
+ files_read_etc_runtime_files(dccd_t)
+
+ fs_getattr_all_fs(dccd_t)
+@@ -261,8 +247,6 @@ auth_use_nsswitch(dccd_t)
+
+ logging_send_syslog_msg(dccd_t)
+
+-miscfiles_read_localization(dccd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(dccd_t)
+ userdom_dontaudit_search_user_home_dirs(dccd_t)
+
+@@ -306,7 +290,6 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
+ kernel_read_system_state(dccifd_t)
+ kernel_read_kernel_sysctls(dccifd_t)
+
+-corenet_all_recvfrom_unlabeled(dccifd_t)
+ corenet_all_recvfrom_netlabel(dccifd_t)
+ corenet_udp_sendrecv_generic_if(dccifd_t)
+ corenet_udp_sendrecv_generic_node(dccifd_t)
+@@ -316,7 +299,6 @@ dev_read_sysfs(dccifd_t)
+
+ domain_use_interactive_fds(dccifd_t)
+
+-files_read_etc_files(dccifd_t)
+ files_read_etc_runtime_files(dccifd_t)
+
+ fs_getattr_all_fs(dccifd_t)
+@@ -326,8 +308,6 @@ auth_use_nsswitch(dccifd_t)
+
+ logging_send_syslog_msg(dccifd_t)
+
+-miscfiles_read_localization(dccifd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
+ userdom_dontaudit_search_user_home_dirs(dccifd_t)
+
+@@ -370,7 +350,6 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
+ kernel_read_system_state(dccm_t)
+ kernel_read_kernel_sysctls(dccm_t)
+
+-corenet_all_recvfrom_unlabeled(dccm_t)
+ corenet_all_recvfrom_netlabel(dccm_t)
+ corenet_udp_sendrecv_generic_if(dccm_t)
+ corenet_udp_sendrecv_generic_node(dccm_t)
+@@ -380,7 +359,6 @@ dev_read_sysfs(dccm_t)
+
+ domain_use_interactive_fds(dccm_t)
+
+-files_read_etc_files(dccm_t)
+ files_read_etc_runtime_files(dccm_t)
+
+ fs_getattr_all_fs(dccm_t)
+@@ -390,8 +368,6 @@ auth_use_nsswitch(dccm_t)
+
+ logging_send_syslog_msg(dccm_t)
+
+-miscfiles_read_localization(dccm_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(dccm_t)
+ userdom_dontaudit_search_user_home_dirs(dccm_t)
+
+diff --git a/ddclient.if b/ddclient.if
+index 0a1a61b..64742c6 100644
+--- a/ddclient.if
++++ b/ddclient.if
+@@ -64,13 +64,17 @@ interface(`ddclient_run',`
+ interface(`ddclient_admin',`
+ gen_require(`
+ type ddclient_t, ddclient_etc_t, ddclient_log_t;
+- type ddclient_var_t, ddclient_var_lib_t;
+- type ddclient_var_run_t, ddclient_initrc_exec_t;
++ type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t;
++ type ddclient_var_run_t;
+ ')
+
+- allow $1 ddclient_t:process { ptrace signal_perms };
++ allow $1 ddclient_t:process signal_perms;
+ ps_process_pattern($1, ddclient_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ddclient_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ddclient_initrc_exec_t system_r;
+diff --git a/ddclient.te b/ddclient.te
+index 24ba98a..318a5a1 100644
+--- a/ddclient.te
++++ b/ddclient.te
+@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
+ type ddclient_log_t;
+ logging_log_file(ddclient_log_t)
+
++type ddclient_tmp_t;
++files_tmp_file(ddclient_tmp_t)
++
+ type ddclient_var_t;
+ files_type(ddclient_var_t)
+
+@@ -32,17 +35,23 @@ files_pid_file(ddclient_var_run_t)
+ # Declarations
+ #
+
++
+ dontaudit ddclient_t self:capability sys_tty_config;
+ allow ddclient_t self:process signal_perms;
+ allow ddclient_t self:fifo_file rw_fifo_file_perms;
+ allow ddclient_t self:tcp_socket create_socket_perms;
+ allow ddclient_t self:udp_socket create_socket_perms;
++allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
+
+-allow ddclient_t ddclient_etc_t:file read_file_perms;
++read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
++setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
+
+ allow ddclient_t ddclient_log_t:file manage_file_perms;
+ logging_log_filetrans(ddclient_t, ddclient_log_t, file)
+
++manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
++files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file })
++
+ manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+ manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+ manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+@@ -62,11 +71,11 @@ kernel_read_software_raid_state(ddclient_t)
+ kernel_getattr_core_if(ddclient_t)
+ kernel_getattr_message_if(ddclient_t)
+ kernel_read_kernel_sysctls(ddclient_t)
++kernel_search_network_sysctl(ddclient_t)
+
+ corecmd_exec_shell(ddclient_t)
+ corecmd_exec_bin(ddclient_t)
+
+-corenet_all_recvfrom_unlabeled(ddclient_t)
+ corenet_all_recvfrom_netlabel(ddclient_t)
+ corenet_tcp_sendrecv_generic_if(ddclient_t)
+ corenet_udp_sendrecv_generic_if(ddclient_t)
+@@ -74,6 +83,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
+ corenet_udp_sendrecv_generic_node(ddclient_t)
+ corenet_tcp_sendrecv_all_ports(ddclient_t)
+ corenet_udp_sendrecv_all_ports(ddclient_t)
++corenet_tcp_bind_generic_node(ddclient_t)
++corenet_udp_bind_generic_node(ddclient_t)
+ corenet_tcp_connect_all_ports(ddclient_t)
+ corenet_sendrecv_all_client_packets(ddclient_t)
+
+@@ -89,9 +100,11 @@ files_read_usr_files(ddclient_t)
+ fs_getattr_all_fs(ddclient_t)
+ fs_search_auto_mountpoints(ddclient_t)
+
++auth_read_passwd(ddclient_t)
++
+ logging_send_syslog_msg(ddclient_t)
+
+-miscfiles_read_localization(ddclient_t)
++mta_send_mail(ddclient_t)
+
+ sysnet_exec_ifconfig(ddclient_t)
+ sysnet_read_config(ddclient_t)
+diff --git a/ddcprobe.te b/ddcprobe.te
+index 5e062bc..c85c30d 100644
+--- a/ddcprobe.te
++++ b/ddcprobe.te
+@@ -40,12 +40,15 @@ term_use_all_ptys(ddcprobe_t)
+
+ libs_read_lib_files(ddcprobe_t)
+
+-miscfiles_read_localization(ddcprobe_t)
+
+-modutils_read_module_deps(ddcprobe_t)
+-
+-userdom_use_user_terminals(ddcprobe_t)
++userdom_use_inherited_user_terminals(ddcprobe_t)
+ userdom_use_all_users_fds(ddcprobe_t)
+
+-#reh why? this does not seem even necessary to function properly
+-kudzu_getattr_exec_files(ddcprobe_t)
++optional_policy(`
++ #reh why? this does not seem even necessary to function properly
++ kudzu_getattr_exec_files(ddcprobe_t)
++')
++
++optional_policy(`
++ modutils_read_module_deps(ddcprobe_t)
++')
+diff --git a/denyhosts.if b/denyhosts.if
+index 567865f..b5e9376 100644
+--- a/denyhosts.if
++++ b/denyhosts.if
+@@ -59,6 +59,7 @@ interface(`denyhosts_initrc_domtrans', `
+ ## Role allowed access.
+ ##
+ ##
++##
+ #
+ interface(`denyhosts_admin', `
+ gen_require(`
+@@ -66,20 +67,24 @@ interface(`denyhosts_admin', `
+ type denyhosts_var_log_t, denyhosts_initrc_exec_t;
+ ')
+
+- allow $1 denyhosts_t:process { ptrace signal_perms };
++ allow $1 denyhosts_t:process signal_perms;
+ ps_process_pattern($1, denyhosts_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 denyhosts_t:process ptrace;
++ ')
++
+ denyhosts_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 denyhosts_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, denyhosts_var_lib_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, denyhosts_var_log_t)
+
+- files_search_locks($1)
++ files_list_locks($1)
+ admin_pattern($1, denyhosts_var_lock_t)
+ ')
+diff --git a/denyhosts.te b/denyhosts.te
+index 8ba9425..2030529 100644
+--- a/denyhosts.te
++++ b/denyhosts.te
+@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
+ #
+ # DenyHosts personal policy.
+ #
++# Bug #588563
++allow denyhosts_t self:capability sys_tty_config;
++allow denyhosts_t self:fifo_file rw_fifo_file_perms;
+
+ allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
+ allow denyhosts_t self:tcp_socket create_socket_perms;
+@@ -43,26 +46,30 @@ read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+ setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+ logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+
++kernel_read_network_state(denyhosts_t)
+ kernel_read_system_state(denyhosts_t)
++kernel_read_network_state(denyhosts_t)
+
++corecmd_exec_shell(denyhosts_t)
+ corecmd_exec_bin(denyhosts_t)
+
+-corenet_all_recvfrom_unlabeled(denyhosts_t)
+ corenet_all_recvfrom_netlabel(denyhosts_t)
+ corenet_tcp_sendrecv_generic_if(denyhosts_t)
+ corenet_tcp_sendrecv_generic_node(denyhosts_t)
+ corenet_tcp_bind_generic_node(denyhosts_t)
+ corenet_tcp_connect_smtp_port(denyhosts_t)
++corenet_tcp_connect_sype_port(denyhosts_t)
+ corenet_sendrecv_smtp_client_packets(denyhosts_t)
+
+ dev_read_urand(denyhosts_t)
+
+-files_read_etc_files(denyhosts_t)
++files_read_usr_files(denyhosts_t)
++
++auth_use_nsswitch(denyhosts_t)
+
+ # /var/log/secure
+ logging_read_generic_logs(denyhosts_t)
+-
+-miscfiles_read_localization(denyhosts_t)
++logging_send_syslog_msg(denyhosts_t)
+
+ sysnet_manage_config(denyhosts_t)
+ sysnet_etc_filetrans_config(denyhosts_t)
+@@ -70,3 +77,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
+ optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
+ ')
++
++optional_policy(`
++ gnome_dontaudit_search_config(denyhosts_t)
++')
+diff --git a/devicekit.fc b/devicekit.fc
+index 9af85c8..5483806 100644
+--- a/devicekit.fc
++++ b/devicekit.fc
+@@ -1,3 +1,8 @@
++/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
++/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
++
++/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
++/usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+ /usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+
+ /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
+@@ -6,15 +11,16 @@
+ /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+ /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+
+-ifdef(`distro_debian',`
+-/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+-')
+-
+ /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+ /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+-/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
++/var/lib/udisks.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
++
++/var/log/pm-powersave\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
++/var/log/pm-suspend\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
+
+ /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+ /var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+-/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
++/var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
++
++/var/run/udisks.* gen_context(system_u:object_r:devicekit_var_run_t,s0)
+ /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+diff --git a/devicekit.if b/devicekit.if
+index f706b99..3b4f593 100644
+--- a/devicekit.if
++++ b/devicekit.if
+@@ -20,6 +20,24 @@ interface(`devicekit_domtrans',`
+
+ ########################################
+ ##
++## Execute a domain transition to run devicekit_disk.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`devicekit_domtrans_disk',`
++ gen_require(`
++ type devicekit_disk_t, devicekit_disk_exec_t;
++ ')
++
++ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
++')
++
++########################################
++##
+ ## Send to devicekit over a unix domain
+ ## datagram socket.
+ ##
+@@ -81,6 +99,45 @@ interface(`devicekit_dbus_chat_disk',`
+
+ ########################################
+ ##
++## Use file descriptors for devicekit_disk.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`devicekit_use_fds_disk',`
++ gen_require(`
++ type devicekit_disk_t;
++ ')
++
++ allow $1 devicekit_disk_t:fd use;
++')
++
++########################################
++##
++## Dontaudit Send and receive messages from
++## devicekit disk over dbus.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`devicekit_dontaudit_dbus_chat_disk',`
++ gen_require(`
++ type devicekit_disk_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 devicekit_disk_t:dbus send_msg;
++ dontaudit devicekit_disk_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Send signal devicekit power
+ ##
+ ##
+@@ -118,6 +175,62 @@ interface(`devicekit_dbus_chat_power',`
+ allow devicekit_power_t $1:dbus send_msg;
+ ')
+
++#######################################
++##
++## Append inherited devicekit log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`devicekit_append_inherited_log_files',`
++ gen_require(`
++ type devicekit_var_log_t;
++ ')
++
++ allow $1 devicekit_var_log_t:file append_inherited_file_perms;
++')
++
++#######################################
++##
++## Do not audit attempts to write the devicekit
++## log files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`devicekit_dontaudit_rw_log',`
++ gen_require(`
++ type devicekit_var_log_t;
++ ')
++
++ dontaudit $1 devicekit_var_log_t:file rw_file_perms;
++')
++
++########################################
++##
++## Allow the domain to read devicekit_power state files in /proc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`devicekit_read_state_power',`
++ gen_require(`
++ type devicekit_power_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, devicekit_power_t)
++')
++
+ ########################################
+ ##
+ ## Read devicekit PID files.
+@@ -139,22 +252,93 @@ interface(`devicekit_read_pid_files',`
+
+ ########################################
+ ##
+-## All of the rules required to administrate
+-## an devicekit environment
++## Do not audit attempts to read
++## devicekit PID files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`devicekit_dontaudit_read_pid_files',`
++ gen_require(`
++ type devicekit_var_run_t;
++ ')
++
++ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
++')
++
++
++########################################
++##
++## Manage devicekit PID files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
++#
++interface(`devicekit_manage_pid_files',`
++ gen_require(`
++ type devicekit_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
++')
++
++#######################################
++##
++## Relabel devicekit LOG files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`devicekit_relabel_log_files',`
++ gen_require(`
++ type devicekit_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
++')
++
++########################################
++##
++## Manage devicekit LOG files.
++##
++##
+ ##
+-## The role to be allowed to manage the devicekit domain.
++## Domain allowed access.
+ ##
+ ##
+-##
++#
++interface(`devicekit_manage_log_files',`
++ gen_require(`
++ type devicekit_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an devicekit environment
++##
++##
+ ##
+-## The type of the user terminal.
++## Domain allowed access.
+ ##
+ ##
+ ##
+@@ -165,21 +349,46 @@ interface(`devicekit_admin',`
+ type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+ ')
+
+- allow $1 devicekit_t:process { ptrace signal_perms getattr };
++ allow $1 devicekit_t:process signal_perms;
+ ps_process_pattern($1, devicekit_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 devicekit_t:process ptrace;
++ allow $1 devicekit_disk_t:process ptrace;
++ allow $1 devicekit_power_t:process ptrace;
++ ')
+
+- allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
++ allow $1 devicekit_disk_t:process signal_perms;
+ ps_process_pattern($1, devicekit_disk_t)
+
+- allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
++ allow $1 devicekit_power_t:process signal_perms;
+ ps_process_pattern($1, devicekit_power_t)
+
+ admin_pattern($1, devicekit_tmp_t)
+- files_search_tmp($1)
++ files_list_tmp($1)
+
+ admin_pattern($1, devicekit_var_lib_t)
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+
+ admin_pattern($1, devicekit_var_run_t)
+- files_search_pids($1)
++ files_list_pids($1)
++')
++
++########################################
++##
++## Transition to devicekit named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`devicekit_filetrans_named_content',`
++ gen_require(`
++ type devicekit_var_run_t, devicekit_var_log_t;
++ ')
++
++ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
++ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
++ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
+ ')
+diff --git a/devicekit.te b/devicekit.te
+index 1819518..1363f96 100644
+--- a/devicekit.te
++++ b/devicekit.te
+@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.0)
+
+ type devicekit_t;
+ type devicekit_exec_t;
+-dbus_system_domain(devicekit_t, devicekit_exec_t)
++init_daemon_domain(devicekit_t, devicekit_exec_t)
+
+ type devicekit_power_t;
+ type devicekit_power_exec_t;
+-dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
++init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
+
+ type devicekit_disk_t;
+ type devicekit_disk_exec_t;
+-dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
++init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t)
+
+ type devicekit_tmp_t;
+ files_tmp_file(devicekit_tmp_t)
+@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
+ type devicekit_var_lib_t;
+ files_type(devicekit_var_lib_t)
+
++type devicekit_var_log_t;
++logging_log_file(devicekit_var_log_t)
++
+ ########################################
+ #
+ # DeviceKit local policy
+@@ -42,11 +45,10 @@ kernel_read_system_state(devicekit_t)
+ dev_read_sysfs(devicekit_t)
+ dev_read_urand(devicekit_t)
+
+-files_read_etc_files(devicekit_t)
+
+-miscfiles_read_localization(devicekit_t)
+
+ optional_policy(`
++ dbus_system_domain(devicekit_t, devicekit_exec_t)
+ dbus_system_bus_client(devicekit_t)
+
+ allow devicekit_t devicekit_disk_t:dbus send_msg;
+@@ -62,7 +64,8 @@ optional_policy(`
+ # DeviceKit disk local policy
+ #
+
+-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio };
++
+ allow devicekit_disk_t self:process { getsched signal_perms };
+ allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+ allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -75,10 +78,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+
++allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+ manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+ manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+ files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
++files_filetrans_named_content(devicekit_disk_t)
+
++kernel_list_unlabeled(devicekit_disk_t)
++kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
+ kernel_getattr_message_if(devicekit_disk_t)
+ kernel_read_fs_sysctls(devicekit_disk_t)
+ kernel_read_network_state(devicekit_disk_t)
+@@ -97,6 +104,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
+ dev_manage_generic_files(devicekit_disk_t)
+ dev_getattr_all_chr_files(devicekit_disk_t)
+ dev_getattr_mtrr_dev(devicekit_disk_t)
++dev_rw_generic_blk_files(devicekit_disk_t)
+
+ domain_getattr_all_pipes(devicekit_disk_t)
+ domain_getattr_all_sockets(devicekit_disk_t)
+@@ -105,14 +113,16 @@ domain_read_all_domains_state(devicekit_disk_t)
+
+ files_dontaudit_read_all_symlinks(devicekit_disk_t)
+ files_getattr_all_sockets(devicekit_disk_t)
+-files_getattr_all_mountpoints(devicekit_disk_t)
++files_getattr_all_dirs(devicekit_disk_t)
+ files_getattr_all_files(devicekit_disk_t)
++files_getattr_all_pipes(devicekit_disk_t)
++files_manage_boot_dirs(devicekit_disk_t)
+ files_manage_isid_type_dirs(devicekit_disk_t)
+ files_manage_mnt_dirs(devicekit_disk_t)
+-files_read_etc_files(devicekit_disk_t)
+ files_read_etc_runtime_files(devicekit_disk_t)
+ files_read_usr_files(devicekit_disk_t)
+
++fs_getattr_all_fs(devicekit_disk_t)
+ fs_list_inotifyfs(devicekit_disk_t)
+ fs_manage_fusefs_dirs(devicekit_disk_t)
+ fs_mount_all_fs(devicekit_disk_t)
+@@ -127,16 +137,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+ storage_raw_read_removable_device(devicekit_disk_t)
+ storage_raw_write_removable_device(devicekit_disk_t)
+
+-term_use_all_terms(devicekit_disk_t)
++term_use_all_inherited_terms(devicekit_disk_t)
+
+ auth_use_nsswitch(devicekit_disk_t)
+
+-miscfiles_read_localization(devicekit_disk_t)
++logging_send_syslog_msg(devicekit_disk_t)
+
+ userdom_read_all_users_state(devicekit_disk_t)
+ userdom_search_user_home_dirs(devicekit_disk_t)
++userdom_manage_user_tmp_dirs(devicekit_disk_t)
+
+ optional_policy(`
++ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+ dbus_system_bus_client(devicekit_disk_t)
+
+ allow devicekit_disk_t devicekit_t:dbus send_msg;
+@@ -170,6 +182,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_read_logind_sessions_files(devicekit_disk_t)
++')
++
++optional_policy(`
+ udev_domtrans(devicekit_disk_t)
+ udev_read_db(devicekit_disk_t)
+ ')
+@@ -178,55 +194,84 @@ optional_policy(`
+ virt_manage_images(devicekit_disk_t)
+ ')
+
++optional_policy(`
++ unconfined_domain(devicekit_t)
++ unconfined_domain(devicekit_power_t)
++ unconfined_domain(devicekit_disk_t)
++')
++
+ ########################################
+ #
+ # DeviceKit-Power local policy
+ #
+
+-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+-allow devicekit_power_t self:process getsched;
++allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
++allow devicekit_power_t self:capability2 compromise_kernel;
++allow devicekit_power_t self:process { getsched signal_perms };
+ allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+ allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+ allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+
++manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
++logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
++
++manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
++manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
++files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
++
+ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+
++manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
++logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
++
++manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
++manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
++files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir)
++
++kernel_read_fs_sysctls(devicekit_power_t)
+ kernel_read_network_state(devicekit_power_t)
+ kernel_read_system_state(devicekit_power_t)
+ kernel_rw_hotplug_sysctls(devicekit_power_t)
+ kernel_rw_kernel_sysctl(devicekit_power_t)
++kernel_rw_vm_sysctls(devicekit_power_t)
+ kernel_search_debugfs(devicekit_power_t)
+ kernel_write_proc_files(devicekit_power_t)
++kernel_setsched(devicekit_power_t)
+
+ corecmd_exec_bin(devicekit_power_t)
+ corecmd_exec_shell(devicekit_power_t)
+
+-consoletype_exec(devicekit_power_t)
+-
+ domain_read_all_domains_state(devicekit_power_t)
+
+ dev_read_input(devicekit_power_t)
++dev_read_urand(devicekit_power_t)
+ dev_rw_generic_usb_dev(devicekit_power_t)
+ dev_rw_generic_chr_files(devicekit_power_t)
+ dev_rw_netcontrol(devicekit_power_t)
+ dev_rw_sysfs(devicekit_power_t)
++dev_read_rand(devicekit_power_t)
++dev_getattr_all_chr_files(devicekit_power_t)
+
+ files_read_kernel_img(devicekit_power_t)
+-files_read_etc_files(devicekit_power_t)
++files_read_etc_runtime_files(devicekit_power_t)
+ files_read_usr_files(devicekit_power_t)
++files_dontaudit_list_mnt(devicekit_power_t)
+
+ fs_list_inotifyfs(devicekit_power_t)
++fs_getattr_all_fs(devicekit_power_t)
+
+-term_use_all_terms(devicekit_power_t)
++term_use_all_inherited_terms(devicekit_power_t)
+
+ auth_use_nsswitch(devicekit_power_t)
+
+-miscfiles_read_localization(devicekit_power_t)
++
++seutil_exec_setfiles(devicekit_power_t)
+
+ sysnet_read_config(devicekit_power_t)
+ sysnet_domtrans_ifconfig(devicekit_power_t)
++sysnet_domtrans_dhcpc(devicekit_power_t)
+
+ userdom_read_all_users_state(devicekit_power_t)
+
+@@ -235,10 +280,16 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ consoletype_exec(devicekit_power_t)
++')
++
++optional_policy(`
+ cron_initrc_domtrans(devicekit_power_t)
++ cron_systemctl(devicekit_power_t)
+ ')
+
+ optional_policy(`
++ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+ dbus_system_bus_client(devicekit_power_t)
+
+ allow devicekit_power_t devicekit_t:dbus send_msg;
+@@ -261,14 +312,21 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_manage_home_config(devicekit_power_t)
++')
++
++optional_policy(`
+ hal_domtrans_mac(devicekit_power_t)
+- hal_manage_log(devicekit_power_t)
+ hal_manage_pid_dirs(devicekit_power_t)
+ hal_manage_pid_files(devicekit_power_t)
+ hal_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
++ networkmanager_domtrans(devicekit_power_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(devicekit_power_t)
+ policykit_domtrans_auth(devicekit_power_t)
+ policykit_read_lib(devicekit_power_t)
+@@ -276,9 +334,31 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ modutils_domtrans_insmod(devicekit_power_t)
++')
++
++optional_policy(`
++ mount_domtrans(devicekit_power_t)
++')
++
++optional_policy(`
++ readahead_domtrans(devicekit_power_t)
++')
++
++optional_policy(`
+ udev_read_db(devicekit_power_t)
+ ')
+
+ optional_policy(`
++ usbmuxd_stream_connect(devicekit_power_t)
++')
++
++optional_policy(`
+ vbetool_domtrans(devicekit_power_t)
+ ')
++
++optional_policy(`
++ corenet_tcp_connect_xserver_port(devicekit_power_t)
++ xserver_stream_connect(devicekit_power_t)
++')
++
+diff --git a/dhcp.fc b/dhcp.fc
+index 767e0c7..9553bcf 100644
+--- a/dhcp.fc
++++ b/dhcp.fc
+@@ -1,8 +1,10 @@
+-/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+
+ /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
+ /var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
+ /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
+
+-/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
++/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+diff --git a/dhcp.if b/dhcp.if
+index 5e2cea8..2ab8a14 100644
+--- a/dhcp.if
++++ b/dhcp.if
+@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
+ ')
+
+ sysnet_search_dhcp_state($1)
+- allow $1 dhcpd_state_t:file setattr;
++ allow $1 dhcpd_state_t:file setattr_file_perms;
+ ')
+
+ ########################################
+@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute dhcpd server in the dhcpd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`dhcpd_systemctl',`
++ gen_require(`
++ type dhcpd_unit_file_t;
++ type dhcpd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 dhcpd_unit_file_t:file read_file_perms;
++ allow $1 dhcpd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, dhcpd_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an dhcp environment
+ ##
+@@ -77,12 +101,16 @@ interface(`dhcpd_initrc_domtrans',`
+ #
+ interface(`dhcpd_admin',`
+ gen_require(`
+- type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
++ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
+ type dhcpd_var_run_t, dhcpd_initrc_exec_t;
++ type dhcpd_unit_file_t;
+ ')
+
+- allow $1 dhcpd_t:process { ptrace signal_perms };
++ allow $1 dhcpd_t:process signal_perms;
+ ps_process_pattern($1, dhcpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 dhcpd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -96,4 +124,8 @@ interface(`dhcpd_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, dhcpd_var_run_t)
++
++ dhcpd_systemctl($1)
++ admin_pattern($1, dhcpd_unit_file_t)
++ allow $1 dhcpd_unit_file_t:service all_service_perms;
+ ')
+diff --git a/dhcp.te b/dhcp.te
+index ed07b26..bed6b0d 100644
+--- a/dhcp.te
++++ b/dhcp.te
+@@ -19,6 +19,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
+ type dhcpd_initrc_exec_t;
+ init_script_file(dhcpd_initrc_exec_t)
+
++type dhcpd_unit_file_t;
++systemd_unit_file(dhcpd_unit_file_t)
++
+ type dhcpd_state_t;
+ files_type(dhcpd_state_t)
+
+@@ -33,9 +36,9 @@ files_pid_file(dhcpd_var_run_t)
+ # Local policy
+ #
+
+-allow dhcpd_t self:capability { net_raw sys_resource };
++allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
+ dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+-allow dhcpd_t self:process signal_perms;
++allow dhcpd_t self:process { getcap setcap signal_perms };
+ allow dhcpd_t self:fifo_file rw_fifo_file_perms;
+ allow dhcpd_t self:unix_dgram_socket create_socket_perms;
+ allow dhcpd_t self:unix_stream_socket create_socket_perms;
+@@ -61,7 +64,6 @@ kernel_read_system_state(dhcpd_t)
+ kernel_read_kernel_sysctls(dhcpd_t)
+ kernel_read_network_state(dhcpd_t)
+
+-corenet_all_recvfrom_unlabeled(dhcpd_t)
+ corenet_all_recvfrom_netlabel(dhcpd_t)
+ corenet_tcp_sendrecv_generic_if(dhcpd_t)
+ corenet_udp_sendrecv_generic_if(dhcpd_t)
+@@ -80,7 +82,7 @@ corenet_tcp_connect_all_ports(dhcpd_t)
+ corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
+ corenet_sendrecv_pxe_server_packets(dhcpd_t)
+ corenet_sendrecv_all_client_packets(dhcpd_t)
+-# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan)
++corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)
+ corenet_udp_bind_all_unreserved_ports(dhcpd_t)
+
+ dev_read_sysfs(dhcpd_t)
+@@ -94,7 +96,6 @@ corecmd_exec_bin(dhcpd_t)
+
+ domain_use_interactive_fds(dhcpd_t)
+
+-files_read_etc_files(dhcpd_t)
+ files_read_usr_files(dhcpd_t)
+ files_read_etc_runtime_files(dhcpd_t)
+ files_search_var_lib(dhcpd_t)
+@@ -103,19 +104,26 @@ auth_use_nsswitch(dhcpd_t)
+
+ logging_send_syslog_msg(dhcpd_t)
+
+-miscfiles_read_localization(dhcpd_t)
+-
+ sysnet_read_dhcp_config(dhcpd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
+ userdom_dontaudit_search_user_home_dirs(dhcpd_t)
+
++tunable_policy(`dhcpd_use_ldap',`
++ sysnet_use_ldap(dhcpd_t)
++')
++
+ ifdef(`distro_gentoo',`
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+ ')
+
+-tunable_policy(`dhcpd_use_ldap',`
+- sysnet_use_ldap(dhcpd_t)
++optional_policy(`
++ # used for dynamic DNS
++ bind_read_dnssec_keys(dhcpd_t)
++')
++
++optional_policy(`
++ cobbler_dontaudit_rw_log(dhcpd_t)
+ ')
+
+ optional_policy(`
+diff --git a/dictd.if b/dictd.if
+index a0d23ce..83a7ca5 100644
+--- a/dictd.if
++++ b/dictd.if
+@@ -38,8 +38,11 @@ interface(`dictd_admin',`
+ type dictd_var_run_t, dictd_initrc_exec_t;
+ ')
+
+- allow $1 dictd_t:process { ptrace signal_perms };
++ allow $1 dictd_t:process signal_perms;
+ ps_process_pattern($1, dictd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 dictd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, dictd_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/dictd.te b/dictd.te
+index d2d9359..b14ece6 100644
+--- a/dictd.te
++++ b/dictd.te
+@@ -45,7 +45,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file)
+ kernel_read_system_state(dictd_t)
+ kernel_read_kernel_sysctls(dictd_t)
+
+-corenet_all_recvfrom_unlabeled(dictd_t)
+ corenet_all_recvfrom_netlabel(dictd_t)
+ corenet_tcp_sendrecv_generic_if(dictd_t)
+ corenet_raw_sendrecv_generic_if(dictd_t)
+@@ -66,30 +65,19 @@ fs_search_auto_mountpoints(dictd_t)
+
+ domain_use_interactive_fds(dictd_t)
+
+-files_read_etc_files(dictd_t)
+ files_read_etc_runtime_files(dictd_t)
+ files_read_usr_files(dictd_t)
+ files_search_var_lib(dictd_t)
+ # for checking for nscd
+ files_dontaudit_search_pids(dictd_t)
+
+-logging_send_syslog_msg(dictd_t)
+-
+-miscfiles_read_localization(dictd_t)
++auth_use_nsswitch(dictd_t)
+
+-sysnet_read_config(dictd_t)
++logging_send_syslog_msg(dictd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(dictd_t)
+
+ optional_policy(`
+- nis_use_ypbind(dictd_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(dictd_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(dictd_t)
+ ')
+
+diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
+new file mode 100644
+index 0000000..fdf5675
+--- /dev/null
++++ b/dirsrv-admin.fc
+@@ -0,0 +1,15 @@
++/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
++
++/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
++
++/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
++/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
++/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
++
++/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++
++/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
++/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
++
++/var/lock/subsys/dirsrv -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
+diff --git a/dirsrv-admin.if b/dirsrv-admin.if
+new file mode 100644
+index 0000000..332a1c9
+--- /dev/null
++++ b/dirsrv-admin.if
+@@ -0,0 +1,134 @@
++## Administration Server for Directory Server, dirsrv-admin.
++
++########################################
++##
++## Exec dirsrv-admin programs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrvadmin_run_exec',`
++ gen_require(`
++ type dirsrvadmin_exec_t;
++ ')
++
++ allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
++ can_exec($1, dirsrvadmin_exec_t)
++')
++
++########################################
++##
++## Exec cgi programs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrvadmin_run_httpd_script_exec',`
++ gen_require(`
++ type httpd_dirsrvadmin_script_exec_t;
++ ')
++
++ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
++ can_exec($1, httpd_dirsrvadmin_script_exec_t)
++')
++
++########################################
++##
++## Manage dirsrv-adminserver configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrvadmin_read_config',`
++ gen_require(`
++ type dirsrvadmin_config_t;
++ ')
++
++ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
++')
++
++########################################
++##
++## Manage dirsrv-adminserver configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrvadmin_manage_config',`
++ gen_require(`
++ type dirsrvadmin_config_t;
++ ')
++
++ allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
++ allow $1 dirsrvadmin_config_t:file manage_file_perms;
++')
++
++#######################################
++##
++## Read dirsrv-adminserver tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrvadmin_read_tmp',`
++ gen_require(`
++ type dirsrvadmin_tmp_t;
++ ')
++
++ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++')
++
++########################################
++##
++## Manage dirsrv-adminserver tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrvadmin_manage_tmp',`
++ gen_require(`
++ type dirsrvadmin_tmp_t;
++ ')
++
++ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++')
++
++#######################################
++##
++## Execute admin cgi programs in caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrvadmin_domtrans_unconfined_script_t',`
++ gen_require(`
++ type dirsrvadmin_unconfined_script_t;
++ type dirsrvadmin_unconfined_script_exec_t;
++ ')
++
++ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
++ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
++
++')
+diff --git a/dirsrv-admin.te b/dirsrv-admin.te
+new file mode 100644
+index 0000000..a3d076f
+--- /dev/null
++++ b/dirsrv-admin.te
+@@ -0,0 +1,144 @@
++policy_module(dirsrv-admin,1.0.0)
++
++########################################
++#
++# Declarations for the daemon
++#
++
++type dirsrvadmin_t;
++type dirsrvadmin_exec_t;
++init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
++role system_r types dirsrvadmin_t;
++
++type dirsrvadmin_config_t;
++files_type(dirsrvadmin_config_t)
++
++type dirsrvadmin_lock_t;
++files_lock_file(dirsrvadmin_lock_t)
++
++type dirsrvadmin_tmp_t;
++files_tmp_file(dirsrvadmin_tmp_t)
++
++type dirsrvadmin_unconfined_script_t;
++type dirsrvadmin_unconfined_script_exec_t;
++domain_type(dirsrvadmin_unconfined_script_t)
++domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t)
++corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t)
++role system_r types dirsrvadmin_unconfined_script_t;
++
++########################################
++#
++# Local policy for the daemon
++#
++allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
++allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
++allow dirsrvadmin_t self:process setrlimit;
++
++manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
++
++kernel_read_system_state(dirsrvadmin_t)
++
++corecmd_exec_bin(dirsrvadmin_t)
++corecmd_read_bin_symlinks(dirsrvadmin_t)
++corecmd_search_bin(dirsrvadmin_t)
++corecmd_shell_entry_type(dirsrvadmin_t)
++
++files_exec_etc_files(dirsrvadmin_t)
++
++libs_exec_ld_so(dirsrvadmin_t)
++
++logging_search_logs(dirsrvadmin_t)
++
++
++# Needed for stop and restart scripts
++dirsrv_read_var_run(dirsrvadmin_t)
++
++optional_policy(`
++ apache_domtrans(dirsrvadmin_t)
++ apache_signal(dirsrvadmin_t)
++')
++
++########################################
++#
++# Local policy for the CGIs
++#
++#
++#
++# Create a domain for the CGI scripts
++
++optional_policy(`
++ apache_content_template(dirsrvadmin)
++
++ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
++ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
++
++
++ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
++ files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
++
++ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
++
++ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
++
++ files_search_var_lib(httpd_dirsrvadmin_script_t)
++
++ sysnet_read_config(httpd_dirsrvadmin_script_t)
++
++ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
++
++ optional_policy(`
++ # The CGI scripts must be able to manage dirsrv-admin
++ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
++ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
++ dirsrv_domtrans(httpd_dirsrvadmin_script_t)
++ dirsrv_signal(httpd_dirsrvadmin_script_t)
++ dirsrv_signull(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_log(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
++ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_config(httpd_dirsrvadmin_script_t)
++ dirsrv_read_share(httpd_dirsrvadmin_script_t)
++ ')
++')
++
++#######################################
++#
++# Local policy for the admin CGIs
++#
++#
++
++
++manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir })
++
++# needed because of filetrans rules
++dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t)
++dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t)
++dirsrv_domtrans(dirsrvadmin_unconfined_script_t)
++dirsrv_signal(dirsrvadmin_unconfined_script_t)
++dirsrv_signull(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_log(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t)
++dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_config(dirsrvadmin_unconfined_script_t)
++dirsrv_read_share(dirsrvadmin_unconfined_script_t)
++
++optional_policy(`
++ unconfined_domain(dirsrvadmin_unconfined_script_t)
++')
++
+diff --git a/dirsrv.fc b/dirsrv.fc
+new file mode 100644
+index 0000000..0ea1ebb
+--- /dev/null
++++ b/dirsrv.fc
+@@ -0,0 +1,23 @@
++/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
++
++/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
++/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
++/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
++
++/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0)
++
++/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
++/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
++
++# BZ:
++/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
++
++/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
++
++/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
++
++/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0)
++
++/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
+diff --git a/dirsrv.if b/dirsrv.if
+new file mode 100644
+index 0000000..b214253
+--- /dev/null
++++ b/dirsrv.if
+@@ -0,0 +1,208 @@
++## policy for dirsrv
++
++########################################
++##
++## Execute a domain transition to run dirsrv.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`dirsrv_domtrans',`
++ gen_require(`
++ type dirsrv_t, dirsrv_exec_t;
++ ')
++
++ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
++')
++
++
++########################################
++##
++## Allow caller to signal dirsrv.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_signal',`
++ gen_require(`
++ type dirsrv_t;
++ ')
++
++ allow $1 dirsrv_t:process signal;
++')
++
++
++########################################
++##
++## Send a null signal to dirsrv.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_signull',`
++ gen_require(`
++ type dirsrv_t;
++ ')
++
++ allow $1 dirsrv_t:process signull;
++')
++
++#######################################
++##
++## Allow a domain to manage dirsrv logs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_manage_log',`
++ gen_require(`
++ type dirsrv_var_log_t;
++ ')
++
++ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_log_t:file manage_file_perms;
++ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
++')
++
++#######################################
++##
++## Allow a domain to manage dirsrv /var/lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_manage_var_lib',`
++ gen_require(`
++ type dirsrv_var_lib_t;
++ ')
++ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_lib_t:file manage_file_perms;
++')
++
++########################################
++##
++## Connect to dirsrv over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_stream_connect',`
++ gen_require(`
++ type dirsrv_t, dirsrv_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
++')
++
++#######################################
++##
++## Allow a domain to manage dirsrv /var/run files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_manage_var_run',`
++ gen_require(`
++ type dirsrv_var_run_t;
++ ')
++ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_run_t:file manage_file_perms;
++ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
++')
++
++######################################
++##
++## Allow a domain to create dirsrv pid directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_pid_filetrans',`
++ gen_require(`
++ type dirsrv_var_run_t;
++ ')
++ # Allow creating a dir in /var/run with this type
++ files_pid_filetrans($1, dirsrv_var_run_t, dir)
++')
++
++#######################################
++##
++## Allow a domain to read dirsrv /var/run files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_read_var_run',`
++ gen_require(`
++ type dirsrv_var_run_t;
++ ')
++ allow $1 dirsrv_var_run_t:dir list_dir_perms;
++ allow $1 dirsrv_var_run_t:file read_file_perms;
++')
++
++########################################
++##
++## Manage dirsrv configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_manage_config',`
++ gen_require(`
++ type dirsrv_config_t;
++ ')
++
++ allow $1 dirsrv_config_t:dir manage_dir_perms;
++ allow $1 dirsrv_config_t:file manage_file_perms;
++')
++
++########################################
++##
++## Read dirsrv share files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_read_share',`
++ gen_require(`
++ type dirsrv_share_t;
++ ')
++
++ allow $1 dirsrv_share_t:dir list_dir_perms;
++ allow $1 dirsrv_share_t:file read_file_perms;
++ allow $1 dirsrv_share_t:lnk_file read;
++')
+diff --git a/dirsrv.te b/dirsrv.te
+new file mode 100644
+index 0000000..7f0b4f6
+--- /dev/null
++++ b/dirsrv.te
+@@ -0,0 +1,193 @@
++policy_module(dirsrv,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++# main daemon
++type dirsrv_t;
++type dirsrv_exec_t;
++domain_type(dirsrv_t)
++init_daemon_domain(dirsrv_t, dirsrv_exec_t)
++
++type dirsrv_snmp_t;
++type dirsrv_snmp_exec_t;
++domain_type(dirsrv_snmp_t)
++init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
++
++type dirsrv_var_lib_t;
++files_type(dirsrv_var_lib_t)
++
++type dirsrv_var_log_t;
++logging_log_file(dirsrv_var_log_t)
++
++type dirsrv_snmp_var_log_t;
++logging_log_file(dirsrv_snmp_var_log_t)
++
++type dirsrv_var_run_t;
++files_pid_file(dirsrv_var_run_t)
++
++type dirsrv_snmp_var_run_t;
++files_pid_file(dirsrv_snmp_var_run_t)
++
++type dirsrv_var_lock_t;
++files_lock_file(dirsrv_var_lock_t)
++
++type dirsrv_config_t;
++files_type(dirsrv_config_t)
++
++type dirsrv_tmp_t;
++files_tmp_file(dirsrv_tmp_t)
++
++type dirsrv_tmpfs_t;
++files_tmpfs_file(dirsrv_tmpfs_t)
++
++type dirsrv_share_t;
++files_type(dirsrv_share_t);
++
++########################################
++#
++# dirsrv local policy
++#
++allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
++allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
++allow dirsrv_t self:fifo_file manage_fifo_file_perms;
++allow dirsrv_t self:sem create_sem_perms;
++allow dirsrv_t self:tcp_socket create_stream_socket_perms;
++
++manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
++fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
++
++manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
++manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
++manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
++files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
++
++manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
++manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
++manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
++allow dirsrv_t dirsrv_var_log_t:dir { setattr };
++logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
++
++manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
++manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
++manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
++files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
++
++manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
++files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file)
++files_setattr_lock_dirs(dirsrv_t)
++
++manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++
++manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
++files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
++allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
++
++kernel_read_system_state(dirsrv_t)
++kernel_read_kernel_sysctls(dirsrv_t)
++
++corecmd_search_bin(dirsrv_t)
++
++corenet_all_recvfrom_netlabel(dirsrv_t)
++corenet_tcp_sendrecv_generic_if(dirsrv_t)
++corenet_tcp_sendrecv_generic_node(dirsrv_t)
++corenet_tcp_sendrecv_all_ports(dirsrv_t)
++corenet_tcp_bind_generic_node(dirsrv_t)
++corenet_tcp_bind_ldap_port(dirsrv_t)
++corenet_tcp_bind_dogtag_port(dirsrv_t)
++corenet_tcp_bind_all_rpc_ports(dirsrv_t)
++corenet_udp_bind_all_rpc_ports(dirsrv_t)
++corenet_tcp_connect_all_ports(dirsrv_t)
++corenet_sendrecv_ldap_server_packets(dirsrv_t)
++corenet_sendrecv_all_client_packets(dirsrv_t)
++
++dev_read_sysfs(dirsrv_t)
++dev_read_urand(dirsrv_t)
++
++files_read_etc_files(dirsrv_t)
++files_read_usr_symlinks(dirsrv_t)
++
++fs_getattr_all_fs(dirsrv_t)
++
++auth_use_pam(dirsrv_t)
++
++logging_send_syslog_msg(dirsrv_t)
++
++sysnet_dns_name_resolve(dirsrv_t)
++
++optional_policy(`
++ apache_dontaudit_leaks(dirsrv_t)
++')
++
++optional_policy(`
++ dirsrvadmin_read_tmp(dirsrv_t)
++')
++
++
++optional_policy(`
++ kerberos_use(dirsrv_t)
++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
++')
++
++# FIPS mode
++optional_policy(`
++ prelink_exec(dirsrv_t)
++')
++
++optional_policy(`
++ rpcbind_stream_connect(dirsrv_t)
++')
++
++########################################
++#
++# dirsrv-snmp local policy
++#
++allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
++allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
++
++rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
++
++read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
++
++read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
++
++manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
++files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
++search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
++
++manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
++filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
++
++corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
++
++dev_read_rand(dirsrv_snmp_t)
++dev_read_urand(dirsrv_snmp_t)
++
++domain_use_interactive_fds(dirsrv_snmp_t)
++
++#files_manage_var_files(dirsrv_snmp_t)
++files_read_etc_files(dirsrv_snmp_t)
++files_read_usr_files(dirsrv_snmp_t)
++
++fs_getattr_tmpfs(dirsrv_snmp_t)
++fs_search_tmpfs(dirsrv_snmp_t)
++
++
++sysnet_read_config(dirsrv_snmp_t)
++sysnet_dns_name_resolve(dirsrv_snmp_t)
++
++optional_policy(`
++ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
++ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
++ snmp_manage_var_lib_dirs(dirsrv_snmp_t)
++ snmp_manage_var_lib_files(dirsrv_snmp_t)
++ snmp_stream_connect(dirsrv_snmp_t)
++')
+diff --git a/distcc.te b/distcc.te
+index 54d93e8..16d2e18 100644
+--- a/distcc.te
++++ b/distcc.te
+@@ -44,7 +44,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file)
+ kernel_read_system_state(distccd_t)
+ kernel_read_kernel_sysctls(distccd_t)
+
+-corenet_all_recvfrom_unlabeled(distccd_t)
+ corenet_all_recvfrom_netlabel(distccd_t)
+ corenet_tcp_sendrecv_generic_if(distccd_t)
+ corenet_udp_sendrecv_generic_if(distccd_t)
+@@ -73,8 +72,6 @@ libs_exec_lib_files(distccd_t)
+
+ logging_send_syslog_msg(distccd_t)
+
+-miscfiles_read_localization(distccd_t)
+-
+ sysnet_read_config(distccd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(distccd_t)
+diff --git a/djbdns.if b/djbdns.if
+index ade3079..41a21f1 100644
+--- a/djbdns.if
++++ b/djbdns.if
+@@ -34,7 +34,6 @@ template(`djbdns_daemontools_domain_template',`
+ allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
+ allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
+
+- corenet_all_recvfrom_unlabeled(djbdns_$1_t)
+ corenet_all_recvfrom_netlabel(djbdns_$1_t)
+ corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
+ corenet_udp_sendrecv_generic_if(djbdns_$1_t)
+diff --git a/djbdns.te b/djbdns.te
+index 03b5286..62fbae1 100644
+--- a/djbdns.te
++++ b/djbdns.te
+@@ -39,6 +39,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
+
+ files_search_var(djbdns_axfrdns_t)
+
++daemontools_ipc_domain(djbdns_axfrdns_t)
++daemontools_read_svc(djbdns_axfrdns_t)
++
+ ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+
+ ########################################
+diff --git a/dkim.fc b/dkim.fc
+index bf4321a..1820764 100644
+--- a/dkim.fc
++++ b/dkim.fc
+@@ -9,6 +9,7 @@
+ /var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
++
+ /var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+
+ /var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+diff --git a/dmidecode.te b/dmidecode.te
+index d6356b5..5db989e 100644
+--- a/dmidecode.te
++++ b/dmidecode.te
+@@ -27,4 +27,4 @@ files_list_usr(dmidecode_t)
+
+ locallogin_use_fds(dmidecode_t)
+
+-userdom_use_user_terminals(dmidecode_t)
++userdom_use_inherited_user_terminals(dmidecode_t)
+diff --git a/dnsmasq.fc b/dnsmasq.fc
+index b886676..fb3b2d6 100644
+--- a/dnsmasq.fc
++++ b/dnsmasq.fc
+@@ -1,12 +1,14 @@
+ /etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
+ /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
++
+ /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+
+ /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+ /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+
+-/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
++/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+
+-/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
++/var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+ /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+diff --git a/dnsmasq.if b/dnsmasq.if
+index 9bd812b..53f895e 100644
+--- a/dnsmasq.if
++++ b/dnsmasq.if
+@@ -10,7 +10,6 @@
+ ##
+ ##
+ #
+-#
+ interface(`dnsmasq_domtrans',`
+ gen_require(`
+ type dnsmasq_exec_t, dnsmasq_t;
+@@ -20,6 +19,24 @@ interface(`dnsmasq_domtrans',`
+ domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
+ ')
+
++#######################################
++##
++## Execute dnsmasq server in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`dnsmasq_exec',`
++ gen_require(`
++ type dnsmasq_exec_t;
++ ')
++
++ can_exec($1, dnsmasq_exec_t)
++')
++
+ ########################################
+ ##
+ ## Execute the dnsmasq init script in the init script domain.
+@@ -41,6 +58,29 @@ interface(`dnsmasq_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute dnsmasq server in the dnsmasq domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`dnsmasq_systemctl',`
++ gen_require(`
++ type dnsmasq_unit_file_t;
++ type dnsmasq_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 dnsmasq_unit_file_t:file read_file_perms;
++ allow $1 dnsmasq_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, dnsmasq_t)
++')
++
++########################################
++##
+ ## Send dnsmasq a signal
+ ##
+ ##
+@@ -144,18 +184,18 @@ interface(`dnsmasq_write_config',`
+ ##
+ ##
+ #
+-#
+ interface(`dnsmasq_delete_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
++ files_search_pids($1)
+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ ')
+
+ ########################################
+ ##
+-## Read dnsmasq pid files
++## Manage dnsmasq pid files
+ ##
+ ##
+ ##
+@@ -163,17 +203,99 @@ interface(`dnsmasq_delete_pid_files',`
+ ##
+ ##
+ #
++interface(`dnsmasq_manage_pid_files',`
++ gen_require(`
++ type dnsmasq_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
++')
++
++########################################
++##
++## Read dnsmasq pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
+ #
+ interface(`dnsmasq_read_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
++ files_search_pids($1)
+ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ ')
+
+ ########################################
+ ##
++## Create dnsmasq pid dirs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dnsmasq_create_pid_dirs',`
++ gen_require(`
++ type dnsmasq_var_run_t;
++ ')
++
++ files_search_pids($1)
++ create_dirs_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
++')
++
++########################################
++##
++## Transition to dnsmasq named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the directory for the object to be created.
++##
++##
++#
++interface(`dnsmasq_filetrans_named_content_fromdir',`
++ gen_require(`
++ type dnsmasq_var_run_t;
++ ')
++
++ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
++ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
++')
++
++########################################
++##
++## Transition to dnsmasq named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dnsmasq_filetrans_named_content',`
++ gen_require(`
++ type dnsmasq_var_run_t;
++ ')
++
++ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
++ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
++ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an dnsmasq environment
+ ##
+@@ -193,10 +315,14 @@ interface(`dnsmasq_admin',`
+ gen_require(`
+ type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
+ type dnsmasq_initrc_exec_t;
++ type dnsmasq_unit_file_t;
+ ')
+
+- allow $1 dnsmasq_t:process { ptrace signal_perms };
++ allow $1 dnsmasq_t:process signal_perms;
+ ps_process_pattern($1, dnsmasq_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 dnsmasq_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -208,4 +334,8 @@ interface(`dnsmasq_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, dnsmasq_var_run_t)
++
++ dnsmasq_systemctl($1)
++ admin_pattern($1, dnsmasq_unit_file_t)
++ allow $1 dnsmasq_unit_file_t:service all_service_perms;
+ ')
+diff --git a/dnsmasq.te b/dnsmasq.te
+index fdaeeba..a29af29 100644
+--- a/dnsmasq.te
++++ b/dnsmasq.te
+@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
+ type dnsmasq_var_run_t;
+ files_pid_file(dnsmasq_var_run_t)
+
++type dnsmasq_unit_file_t;
++systemd_unit_file(dnsmasq_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -48,13 +51,15 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+ manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
+ logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
+
++manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
+-files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
++files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+
+ kernel_read_kernel_sysctls(dnsmasq_t)
+ kernel_read_system_state(dnsmasq_t)
++kernel_read_network_state(dnsmasq_t)
++kernel_request_load_module(dnsmasq_t)
+
+-corenet_all_recvfrom_unlabeled(dnsmasq_t)
+ corenet_all_recvfrom_netlabel(dnsmasq_t)
+ corenet_tcp_sendrecv_generic_if(dnsmasq_t)
+ corenet_udp_sendrecv_generic_if(dnsmasq_t)
+@@ -76,7 +81,6 @@ dev_read_urand(dnsmasq_t)
+
+ domain_use_interactive_fds(dnsmasq_t)
+
+-files_read_etc_files(dnsmasq_t)
+ files_read_etc_runtime_files(dnsmasq_t)
+
+ fs_getattr_all_fs(dnsmasq_t)
+@@ -86,8 +90,6 @@ auth_use_nsswitch(dnsmasq_t)
+
+ logging_send_syslog_msg(dnsmasq_t)
+
+-miscfiles_read_localization(dnsmasq_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
+ userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
+
+@@ -96,7 +98,21 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ cron_manage_pid_files(dnsmasq_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(dnsmasq_t)
++ dbus_connect_system_bus(dnsmasq_t)
++')
++
++optional_policy(`
++ networkmanager_read_conf(dnsmasq_t)
++ networkmanager_read_pid_files(dnsmasq_t)
++')
++
++optional_policy(`
++ ppp_read_pid_files(dnsmasq_t)
+ ')
+
+ optional_policy(`
+@@ -113,5 +129,7 @@ optional_policy(`
+
+ optional_policy(`
+ virt_manage_lib_files(dnsmasq_t)
++ virt_read_lib_files(dnsmasq_t)
+ virt_read_pid_files(dnsmasq_t)
++ virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+ ')
+diff --git a/dnssec.fc b/dnssec.fc
+new file mode 100644
+index 0000000..9e231a8
+--- /dev/null
++++ b/dnssec.fc
+@@ -0,0 +1,3 @@
++/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
++
++/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
+diff --git a/dnssec.if b/dnssec.if
+new file mode 100644
+index 0000000..a952041
+--- /dev/null
++++ b/dnssec.if
+@@ -0,0 +1,64 @@
++
++## policy for dnssec_trigger
++
++########################################
++##
++## Transition to dnssec_trigger.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`dnssec_trigger_domtrans',`
++ gen_require(`
++ type dnssec_trigger_t, dnssec_trigger_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t)
++')
++########################################
++##
++## Read dnssec_trigger PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dnssec_trigger_read_pid_files',`
++ gen_require(`
++ type dnssec_trigger_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 dnssec_trigger_var_run_t:file read_file_perms;
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an dnssec_trigger environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dnssec_trigger_admin',`
++ gen_require(`
++ type dnssec_trigger_t;
++ type dnssec_trigger_var_run_t;
++ ')
++
++ allow $1 dnssec_trigger_t:process { ptrace signal_perms };
++ ps_process_pattern($1, dnssec_trigger_t)
++
++ files_search_pids($1)
++ admin_pattern($1, dnssec_trigger_var_run_t)
++')
+diff --git a/dnssec.te b/dnssec.te
+new file mode 100644
+index 0000000..25daf6c
+--- /dev/null
++++ b/dnssec.te
+@@ -0,0 +1,59 @@
++policy_module(dnssec, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type dnssec_trigger_t;
++type dnssec_trigger_exec_t;
++init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
++
++type dnssec_trigger_var_run_t;
++files_pid_file(dnssec_trigger_var_run_t)
++
++########################################
++#
++# dnssec_trigger local policy
++#
++allow dnssec_trigger_t self:capability linux_immutable;
++allow dnssec_trigger_t self:process signal;
++allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
++allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
++allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms;
++allow dnssec_trigger_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
++manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
++files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file })
++
++kernel_read_system_state(dnssec_trigger_t)
++
++corecmd_exec_bin(dnssec_trigger_t)
++corecmd_exec_shell(dnssec_trigger_t)
++
++corenet_tcp_bind_generic_node(dnssec_trigger_t)
++corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
++corenet_tcp_connect_rndc_port(dnssec_trigger_t)
++corenet_tcp_connect_http_port(dnssec_trigger_t)
++
++dev_read_urand(dnssec_trigger_t)
++
++domain_use_interactive_fds(dnssec_trigger_t)
++
++files_read_etc_runtime_files(dnssec_trigger_t)
++files_read_etc_files(dnssec_trigger_t)
++
++logging_send_syslog_msg(dnssec_trigger_t)
++
++auth_read_passwd(dnssec_trigger_t)
++
++sysnet_dns_name_resolve(dnssec_trigger_t)
++sysnet_manage_config(dnssec_trigger_t)
++
++optional_policy(`
++ bind_read_config(dnssec_trigger_t)
++ bind_read_dnssec_keys(dnssec_trigger_t)
++')
++
++
+diff --git a/dovecot.fc b/dovecot.fc
+index 3a3ecb2..4448055 100644
+--- a/dovecot.fc
++++ b/dovecot.fc
+@@ -2,7 +2,7 @@
+ #
+ # /etc
+ #
+-/etc/dovecot(/.*)?* gen_context(system_u:object_r:dovecot_etc_t,s0)
++/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
+ /etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
+ /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+
+@@ -24,12 +24,13 @@ ifdef(`distro_debian',`
+
+ ifdef(`distro_debian', `
+ /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
++/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+ ')
+
+ ifdef(`distro_redhat', `
+ /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
++/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+ /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ ')
+
+@@ -37,6 +38,7 @@ ifdef(`distro_redhat', `
+ # /var
+ #
+ /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
++/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
+ /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
+diff --git a/dovecot.if b/dovecot.if
+index e1d7dc5..66d42bb 100644
+--- a/dovecot.if
++++ b/dovecot.if
+@@ -1,5 +1,46 @@
+ ## Dovecot POP and IMAP mail server
+
++######################################
++##
++## Creates types and rules for a basic
++## dovecot daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`dovecot_basic_types_template',`
++ gen_require(`
++ attribute dovecot_domain;
++ ')
++
++ type $1_t, dovecot_domain;
++ type $1_exec_t;
++
++ kernel_read_system_state($1_t)
++')
++
++#######################################
++##
++## Connect to dovecot unix domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dovecot_stream_connect',`
++ gen_require(`
++ type dovecot_t, dovecot_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
++')
++
+ ########################################
+ ##
+ ## Connect to dovecot auth unix domain stream socket.
+@@ -16,6 +57,7 @@ interface(`dovecot_stream_connect_auth',`
+ type dovecot_auth_t, dovecot_var_run_t;
+ ')
+
++ files_search_pids($1)
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
+ ')
+
+@@ -52,6 +94,7 @@ interface(`dovecot_manage_spool',`
+ type dovecot_spool_t;
+ ')
+
++ files_search_spool($1)
+ manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+ manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+ ')
+@@ -74,6 +117,25 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
+ dontaudit $1 dovecot_var_lib_t:file unlink;
+ ')
+
++######################################
++##
++## Allow attempts to write inherited
++## dovecot tmp files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dovecot_write_inherited_tmp_files',`
++ gen_require(`
++ type dovecot_tmp_t;
++ ')
++
++ allow $1 dovecot_tmp_t:file write;
++')
++
+ ########################################
+ ##
+ ## All of the rules required to administrate
+@@ -93,16 +155,17 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
+ #
+ interface(`dovecot_admin',`
+ gen_require(`
+- type dovecot_t, dovecot_etc_t, dovecot_log_t;
+- type dovecot_spool_t, dovecot_var_lib_t;
+- type dovecot_var_run_t;
+-
+- type dovecot_cert_t, dovecot_passwd_t;
+- type dovecot_initrc_exec_t;
++ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
++ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
++ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
++ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
+ ')
+
+- allow $1 dovecot_t:process { ptrace signal_perms };
++ allow $1 dovecot_t:process signal_perms;
+ ps_process_pattern($1, dovecot_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 dovecot_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -112,8 +175,11 @@ interface(`dovecot_admin',`
+ files_list_etc($1)
+ admin_pattern($1, dovecot_etc_t)
+
+- logging_list_logs($1)
+- admin_pattern($1, dovecot_log_t)
++ files_list_tmp($1)
++ admin_pattern($1, dovecot_auth_tmp_t)
++ admin_pattern($1, dovecot_tmp_t)
++
++ admin_pattern($1, dovecot_keytab_t)
+
+ files_list_spool($1)
+ admin_pattern($1, dovecot_spool_t)
+@@ -121,6 +187,9 @@ interface(`dovecot_admin',`
+ files_list_var_lib($1)
+ admin_pattern($1, dovecot_var_lib_t)
+
++ logging_search_logs($1)
++ admin_pattern($1, dovecot_var_log_t)
++
+ files_list_pids($1)
+ admin_pattern($1, dovecot_var_run_t)
+
+diff --git a/dovecot.te b/dovecot.te
+index 2df7766..d4e008b 100644
+--- a/dovecot.te
++++ b/dovecot.te
+@@ -4,12 +4,12 @@ policy_module(dovecot, 1.14.0)
+ #
+ # Declarations
+ #
+-type dovecot_t;
+-type dovecot_exec_t;
++attribute dovecot_domain;
++
++dovecot_basic_types_template(dovecot)
+ init_daemon_domain(dovecot_t, dovecot_exec_t)
+
+-type dovecot_auth_t;
+-type dovecot_auth_exec_t;
++dovecot_basic_types_template(dovecot_auth)
+ domain_type(dovecot_auth_t)
+ domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
+ role system_r types dovecot_auth_t;
+@@ -18,14 +18,16 @@ type dovecot_auth_tmp_t;
+ files_tmp_file(dovecot_auth_tmp_t)
+
+ type dovecot_cert_t;
+-files_type(dovecot_cert_t)
++miscfiles_cert_type(dovecot_cert_t)
+
+-type dovecot_deliver_t;
+-type dovecot_deliver_exec_t;
++dovecot_basic_types_template(dovecot_deliver)
+ domain_type(dovecot_deliver_t)
+ domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+ role system_r types dovecot_deliver_t;
+
++type dovecot_deliver_tmp_t;
++files_tmp_file(dovecot_deliver_tmp_t)
++
+ type dovecot_etc_t;
+ files_config_file(dovecot_etc_t)
+
+@@ -36,7 +38,7 @@ type dovecot_passwd_t;
+ files_type(dovecot_passwd_t)
+
+ type dovecot_spool_t;
+-files_type(dovecot_spool_t)
++files_spool_file(dovecot_spool_t)
+
+ type dovecot_tmp_t;
+ files_tmp_file(dovecot_tmp_t)
+@@ -51,17 +53,37 @@ logging_log_file(dovecot_var_log_t)
+ type dovecot_var_run_t;
+ files_pid_file(dovecot_var_run_t)
+
++#######################################
++#
++# dovecot domain local policy
++#
++
++allow dovecot_domain self:capability2 block_suspend;
++
++allow dovecot_domain self:unix_dgram_socket create_socket_perms;
++allow dovecot_domain self:fifo_file rw_fifo_file_perms;
++
++kernel_read_all_sysctls(dovecot_domain)
++
++corecmd_exec_bin(dovecot_domain)
++corecmd_exec_shell(dovecot_domain)
++
++dev_read_sysfs(dovecot_domain)
++dev_read_rand(dovecot_domain)
++dev_read_urand(dovecot_domain)
++
++# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
++files_read_etc_runtime_files(dovecot_domain)
++
+ ########################################
+ #
+ # dovecot local policy
+ #
+
+-allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
++allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
+ dontaudit dovecot_t self:capability sys_tty_config;
+-allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+-allow dovecot_t self:fifo_file rw_fifo_file_perms;
++allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
+ allow dovecot_t self:tcp_socket create_stream_socket_perms;
+-allow dovecot_t self:unix_dgram_socket create_socket_perms;
+ allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+ domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+@@ -72,7 +94,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+ read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+ read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+
+-allow dovecot_t dovecot_etc_t:file read_file_perms;
++allow dovecot_t dovecot_etc_t:dir list_dir_perms;
++read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
++read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+ files_search_etc(dovecot_t)
+
+ can_exec(dovecot_t, dovecot_exec_t)
+@@ -94,15 +118,13 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+ manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+ manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+
++manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+ manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+ manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+-files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
+-
+-kernel_read_kernel_sysctls(dovecot_t)
+-kernel_read_system_state(dovecot_t)
++manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
+
+-corenet_all_recvfrom_unlabeled(dovecot_t)
+ corenet_all_recvfrom_netlabel(dovecot_t)
+ corenet_tcp_sendrecv_generic_if(dovecot_t)
+ corenet_tcp_sendrecv_generic_node(dovecot_t)
+@@ -110,41 +132,36 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
+ corenet_tcp_bind_generic_node(dovecot_t)
+ corenet_tcp_bind_mail_port(dovecot_t)
+ corenet_tcp_bind_pop_port(dovecot_t)
++corenet_tcp_bind_lmtp_port(dovecot_t)
+ corenet_tcp_bind_sieve_port(dovecot_t)
+ corenet_tcp_connect_all_ports(dovecot_t)
+ corenet_tcp_connect_postgresql_port(dovecot_t)
+ corenet_sendrecv_pop_server_packets(dovecot_t)
+ corenet_sendrecv_all_client_packets(dovecot_t)
+
+-dev_read_sysfs(dovecot_t)
+-dev_read_urand(dovecot_t)
+-
+ fs_getattr_all_fs(dovecot_t)
+ fs_getattr_all_dirs(dovecot_t)
+ fs_search_auto_mountpoints(dovecot_t)
+ fs_list_inotifyfs(dovecot_t)
+
+-corecmd_exec_bin(dovecot_t)
+-
+ domain_use_interactive_fds(dovecot_t)
+
+-files_read_etc_files(dovecot_t)
+ files_search_spool(dovecot_t)
+ files_search_tmp(dovecot_t)
+ files_dontaudit_list_default(dovecot_t)
+-# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
+-files_read_etc_runtime_files(dovecot_t)
++files_dontaudit_search_all_dirs(dovecot_t)
+ files_search_all_mountpoints(dovecot_t)
++files_read_var_lib_files(dovecot_t)
+
+ init_getattr_utmp(dovecot_t)
+
+ auth_use_nsswitch(dovecot_t)
+
+-logging_send_syslog_msg(dovecot_t)
+-
+ miscfiles_read_generic_certs(dovecot_t)
+-miscfiles_read_localization(dovecot_t)
+
++logging_send_syslog_msg(dovecot_t)
++
++userdom_home_manager(dovecot_t)
+ userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+ userdom_manage_user_home_content_dirs(dovecot_t)
+ userdom_manage_user_home_content_files(dovecot_t)
+@@ -153,10 +170,23 @@ userdom_manage_user_home_content_pipes(dovecot_t)
+ userdom_manage_user_home_content_sockets(dovecot_t)
+ userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
+
+-mta_manage_spool(dovecot_t)
++optional_policy(`
++ mta_manage_home_rw(dovecot_t)
++ mta_manage_spool(dovecot_t)
++')
++
++optional_policy(`
++ kerberos_keytab_template(dovecot_t, dovecot_t)
++ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
++')
+
+ optional_policy(`
+- kerberos_keytab_template(dovecot, dovecot_t)
++ gnome_manage_data(dovecot_t)
++')
++
++optional_policy(`
++ postfix_manage_private_sockets(dovecot_t)
++ postfix_search_spool(dovecot_t)
+ ')
+
+ optional_policy(`
+@@ -164,6 +194,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # Handle sieve scripts
++ sendmail_domtrans(dovecot_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(dovecot_t)
+ ')
+
+@@ -180,16 +215,17 @@ optional_policy(`
+ # dovecot auth local policy
+ #
+
+-allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
+-allow dovecot_auth_t self:process { signal_perms getcap setcap };
+-allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
+-allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
++allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
++allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
+ allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+
+ read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+
++read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
++read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
++
+ manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+ files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
+@@ -198,31 +234,24 @@ allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+ manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+ dovecot_stream_connect_auth(dovecot_auth_t)
+
+-kernel_read_all_sysctls(dovecot_auth_t)
+-kernel_read_system_state(dovecot_auth_t)
+-
+ logging_send_audit_msgs(dovecot_auth_t)
+-logging_send_syslog_msg(dovecot_auth_t)
+-
+-dev_read_urand(dovecot_auth_t)
+
+ auth_domtrans_chk_passwd(dovecot_auth_t)
+ auth_use_nsswitch(dovecot_auth_t)
+
+-files_read_etc_files(dovecot_auth_t)
+-files_read_etc_runtime_files(dovecot_auth_t)
++logging_send_syslog_msg(dovecot_auth_t)
++
+ files_search_pids(dovecot_auth_t)
+ files_read_usr_files(dovecot_auth_t)
+ files_read_usr_symlinks(dovecot_auth_t)
+ files_read_var_lib_files(dovecot_auth_t)
+ files_search_tmp(dovecot_auth_t)
+-files_read_var_lib_files(dovecot_t)
+
+-init_rw_utmp(dovecot_auth_t)
++fs_getattr_xattr_fs(dovecot_auth_t)
+
+-miscfiles_read_localization(dovecot_auth_t)
++init_rw_utmp(dovecot_auth_t)
+
+-seutil_dontaudit_search_config(dovecot_auth_t)
++sysnet_use_ldap(dovecot_auth_t)
+
+ optional_policy(`
+ kerberos_use(dovecot_auth_t)
+@@ -236,6 +265,8 @@ optional_policy(`
+ optional_policy(`
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
++ mysql_read_config(dovecot_auth_t)
++ mysql_tcp_connect(dovecot_auth_t)
+ ')
+
+ optional_policy(`
+@@ -243,6 +274,8 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ postfix_manage_private_sockets(dovecot_auth_t)
++ postfix_rw_master_pipes(dovecot_deliver_t)
+ postfix_search_spool(dovecot_auth_t)
+ ')
+
+@@ -250,25 +283,32 @@ optional_policy(`
+ #
+ # dovecot deliver local policy
+ #
+-allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
+ allow dovecot_deliver_t dovecot_t:process signull;
+
+-allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+-allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
++allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
++read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
++read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+
+-kernel_read_all_sysctls(dovecot_deliver_t)
+-kernel_read_system_state(dovecot_deliver_t)
++allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
+
+-files_read_etc_files(dovecot_deliver_t)
+-files_read_etc_runtime_files(dovecot_deliver_t)
++append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
++
++manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
++manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
++files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
++
++allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
++read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
++read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
++dovecot_stream_connect(dovecot_deliver_t)
++
++can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
+
+ auth_use_nsswitch(dovecot_deliver_t)
+
++logging_append_all_logs(dovecot_deliver_t)
+ logging_send_syslog_msg(dovecot_deliver_t)
+-logging_search_logs(dovecot_auth_t)
+-
+-miscfiles_read_localization(dovecot_deliver_t)
+
+ dovecot_stream_connect_auth(dovecot_deliver_t)
+
+@@ -283,24 +323,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+ userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(dovecot_deliver_t)
+- fs_manage_nfs_files(dovecot_deliver_t)
+- fs_manage_nfs_symlinks(dovecot_deliver_t)
+- fs_manage_nfs_dirs(dovecot_t)
+- fs_manage_nfs_files(dovecot_t)
+- fs_manage_nfs_symlinks(dovecot_t)
++userdom_home_manager(dovecot_deliver_t)
++
++optional_policy(`
++ gnome_manage_data(dovecot_deliver_t)
++')
++
++optional_policy(`
++ mta_mailserver_delivery(dovecot_deliver_t)
++ mta_read_queue(dovecot_deliver_t)
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(dovecot_deliver_t)
+- fs_manage_cifs_files(dovecot_deliver_t)
+- fs_manage_cifs_symlinks(dovecot_deliver_t)
+- fs_manage_cifs_dirs(dovecot_t)
+- fs_manage_cifs_files(dovecot_t)
+- fs_manage_cifs_symlinks(dovecot_t)
++optional_policy(`
++ postfix_use_fds_master(dovecot_deliver_t)
+ ')
+
+ optional_policy(`
+- mta_manage_spool(dovecot_deliver_t)
++ # Handle sieve scripts
++ sendmail_domtrans(dovecot_deliver_t)
+ ')
+diff --git a/dpkg.if b/dpkg.if
+index 4d32b42..78736d8 100644
+--- a/dpkg.if
++++ b/dpkg.if
+@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',`
+ #
+ interface(`dpkg_run',`
+ gen_require(`
+- attribute_role dpkg_roles;
++ #attribute_role dpkg_roles;
++ type dpkg_t, dpkg_script_t;
+ ')
+
++ #dpkg_domtrans($1)
++ #roleattribute $2 dpkg_roles;
++
+ dpkg_domtrans($1)
+- roleattribute $2 dpkg_roles;
++ role $2 types dpkg_t;
++ role $2 types dpkg_script_t;
++ seutil_run_loadpolicy(dpkg_script_t, $2)
++
+ ')
+
+ ########################################
+diff --git a/dpkg.te b/dpkg.te
+index 52725c4..934ce11 100644
+--- a/dpkg.te
++++ b/dpkg.te
+@@ -5,8 +5,8 @@ policy_module(dpkg, 1.10.0)
+ # Declarations
+ #
+
+-attribute_role dpkg_roles;
+-roleattribute system_r dpkg_roles;
++#attribute_role dpkg_roles;
++#roleattribute system_r dpkg_roles;
+
+ type dpkg_t;
+ type dpkg_exec_t;
+@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t)
+ domain_role_change_exemption(dpkg_t)
+ domain_system_change_exemption(dpkg_t)
+ domain_interactive_fd(dpkg_t)
+-role dpkg_roles types dpkg_t;
++#role dpkg_roles types dpkg_t;
++role system_r types dpkg_t;
+
+ # lockfile
+ type dpkg_lock_t;
+@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t)
+ domain_obj_id_change_exemption(dpkg_script_t)
+ domain_system_change_exemption(dpkg_script_t)
+ domain_interactive_fd(dpkg_script_t)
+-role dpkg_roles types dpkg_script_t;
++#role dpkg_roles types dpkg_script_t;
++role system_r types dpkg_script_t;
+
+ type dpkg_script_tmp_t;
+ files_tmp_file(dpkg_script_tmp_t)
+@@ -92,7 +94,6 @@ kernel_read_kernel_sysctls(dpkg_t)
+ corecmd_exec_all_executables(dpkg_t)
+
+ # TODO: do we really need all networking?
+-corenet_all_recvfrom_unlabeled(dpkg_t)
+ corenet_all_recvfrom_netlabel(dpkg_t)
+ corenet_tcp_sendrecv_generic_if(dpkg_t)
+ corenet_raw_sendrecv_generic_if(dpkg_t)
+@@ -152,9 +153,12 @@ files_exec_etc_files(dpkg_t)
+ init_domtrans_script(dpkg_t)
+ init_use_script_ptys(dpkg_t)
+
++#libs_exec_ld_so(dpkg_t)
++#libs_exec_lib_files(dpkg_t)
++#libs_run_ldconfig(dpkg_t, dpkg_roles)
+ libs_exec_ld_so(dpkg_t)
+ libs_exec_lib_files(dpkg_t)
+-libs_run_ldconfig(dpkg_t, dpkg_roles)
++libs_domtrans_ldconfig(dpkg_t)
+
+ logging_send_syslog_msg(dpkg_t)
+
+@@ -195,20 +199,30 @@ domain_signal_all_domains(dpkg_t)
+ domain_signull_all_domains(dpkg_t)
+ files_read_etc_runtime_files(dpkg_t)
+ files_exec_usr_files(dpkg_t)
+-miscfiles_read_localization(dpkg_t)
+-modutils_run_depmod(dpkg_t, dpkg_roles)
+-modutils_run_insmod(dpkg_t, dpkg_roles)
+-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
+-seutil_run_setfiles(dpkg_t, dpkg_roles)
++#modutils_run_depmod(dpkg_t, dpkg_roles)
++#modutils_run_insmod(dpkg_t, dpkg_roles)
++#seutil_run_loadpolicy(dpkg_t, dpkg_roles)
++#seutil_run_setfiles(dpkg_t, dpkg_roles)
+ userdom_use_all_users_fds(dpkg_t)
+ optional_policy(`
+ mta_send_mail(dpkg_t)
+ ')
++
++
+ optional_policy(`
+- usermanage_run_groupadd(dpkg_t, dpkg_roles)
+- usermanage_run_useradd(dpkg_t, dpkg_roles)
++ modutils_domtrans_depmod(dpkg_t)
++ modutils_domtrans_insmod(dpkg_t)
++ seutil_domtrans_loadpolicy(dpkg_t)
++ seutil_domtrans_setfiles(dpkg_t)
++ usermanage_domtrans_groupadd(dpkg_t)
++ usermanage_domtrans_useradd(dpkg_t)
+ ')
+
++#optional_policy(`
++# usermanage_run_groupadd(dpkg_t, dpkg_roles)
++# usermanage_run_useradd(dpkg_t, dpkg_roles)
++#')
++
+ ########################################
+ #
+ # dpkg-script Local policy
+@@ -296,21 +310,20 @@ init_use_script_fds(dpkg_script_t)
+
+ libs_exec_ld_so(dpkg_script_t)
+ libs_exec_lib_files(dpkg_script_t)
+-libs_run_ldconfig(dpkg_script_t, dpkg_roles)
++libs_domtrans_ldconfig(dpkg_script_t)
++#libs_run_ldconfig(dpkg_script_t, dpkg_roles)
+
+ logging_send_syslog_msg(dpkg_script_t)
+
+-miscfiles_read_localization(dpkg_script_t)
+-
+-modutils_run_depmod(dpkg_script_t, dpkg_roles)
+-modutils_run_insmod(dpkg_script_t, dpkg_roles)
++#modutils_run_depmod(dpkg_script_t, dpkg_roles)
++#modutils_run_insmod(dpkg_script_t, dpkg_roles)
+
+-seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
+-seutil_run_setfiles(dpkg_script_t, dpkg_roles)
++#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
++#seutil_run_setfiles(dpkg_script_t, dpkg_roles)
+
+ userdom_use_all_users_fds(dpkg_script_t)
+
+-tunable_policy(`allow_execmem',`
++tunable_policy(`selinuxuser_execmem',`
+ allow dpkg_script_t self:process execmem;
+ ')
+
+@@ -319,9 +332,9 @@ optional_policy(`
+ apt_use_fds(dpkg_script_t)
+ ')
+
+-optional_policy(`
+- bootloader_run(dpkg_script_t, dpkg_roles)
+-')
++#optional_policy(`
++# bootloader_run(dpkg_script_t, dpkg_roles)
++#')
+
+ optional_policy(`
+ mta_send_mail(dpkg_script_t)
+@@ -335,7 +348,7 @@ optional_policy(`
+ unconfined_domain(dpkg_script_t)
+ ')
+
+-optional_policy(`
+- usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
+- usermanage_run_useradd(dpkg_script_t, dpkg_roles)
+-')
++#optional_policy(`
++# usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
++# usermanage_run_useradd(dpkg_script_t, dpkg_roles)
++#')
+diff --git a/drbd.fc b/drbd.fc
+new file mode 100644
+index 0000000..60c19b9
+--- /dev/null
++++ b/drbd.fc
+@@ -0,0 +1,12 @@
++
++/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
++/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
++
++/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
++
++/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
++/usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
++
++/var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0)
++
++
+diff --git a/drbd.if b/drbd.if
+new file mode 100644
+index 0000000..659d051
+--- /dev/null
++++ b/drbd.if
+@@ -0,0 +1,127 @@
++
++## policy for drbd
++
++########################################
++##
++## Execute a domain transition to run drbd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`drbd_domtrans',`
++ gen_require(`
++ type drbd_t, drbd_exec_t;
++ ')
++
++ domtrans_pattern($1, drbd_exec_t, drbd_t)
++')
++
++########################################
++##
++## Search drbd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`drbd_search_lib',`
++ gen_require(`
++ type drbd_var_lib_t;
++ ')
++
++ allow $1 drbd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read drbd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`drbd_read_lib_files',`
++ gen_require(`
++ type drbd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## drbd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`drbd_manage_lib_files',`
++ gen_require(`
++ type drbd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
++')
++
++########################################
++##
++## Manage drbd lib dirs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`drbd_manage_lib_dirs',`
++ gen_require(`
++ type drbd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an drbd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`drbd_admin',`
++ gen_require(`
++ type drbd_t;
++ type drbd_var_lib_t;
++ ')
++
++ allow $1 drbd_t:process signal_perms;
++ ps_process_pattern($1, drbd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 drbd_t:process ptrace;
++ ')
++
++ files_search_var_lib($1)
++ admin_pattern($1, drbd_var_lib_t)
++
++')
++
+diff --git a/drbd.te b/drbd.te
+new file mode 100644
+index 0000000..2f3efe7
+--- /dev/null
++++ b/drbd.te
+@@ -0,0 +1,51 @@
++policy_module(drbd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type drbd_t;
++type drbd_exec_t;
++init_daemon_domain(drbd_t, drbd_exec_t)
++
++type drbd_var_lib_t;
++files_type(drbd_var_lib_t)
++
++type drbd_lock_t;
++files_lock_file(drbd_lock_t)
++
++########################################
++#
++# drbd local policy
++#
++
++allow drbd_t self:capability { kill net_admin };
++dontaudit drbd_t self:capability sys_tty_config;
++allow drbd_t self:fifo_file rw_fifo_file_perms;
++allow drbd_t self:unix_stream_socket create_stream_socket_perms;
++allow drbd_t self:netlink_socket create_socket_perms;
++allow drbd_t self:netlink_route_socket rw_netlink_socket_perms;
++
++manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
++manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
++manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
++files_var_lib_filetrans(drbd_t, drbd_var_lib_t, { dir file } )
++
++manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
++files_lock_filetrans(drbd_t, drbd_lock_t, file)
++
++can_exec(drbd_t, drbd_exec_t)
++
++kernel_read_system_state(drbd_t)
++
++dev_read_sysfs(drbd_t)
++dev_read_rand(drbd_t)
++dev_read_urand(drbd_t)
++
++files_read_etc_files(drbd_t)
++
++storage_raw_read_fixed_disk(drbd_t)
++
++
++sysnet_dns_name_resolve(drbd_t)
+diff --git a/dspam.fc b/dspam.fc
+new file mode 100644
+index 0000000..4dc92b3
+--- /dev/null
++++ b/dspam.fc
+@@ -0,0 +1,18 @@
++
++/etc/rc\.d/init\.d/dspam -- gen_context(system_u:object_r:dspam_initrc_exec_t,s0)
++
++/usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0)
++
++/var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0)
++
++/var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0)
++
++/var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0)
++
++# web
++
++/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
++/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0)
++/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
++
++/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_content_rw_t,s0)
+diff --git a/dspam.if b/dspam.if
+new file mode 100644
+index 0000000..a446210
+--- /dev/null
++++ b/dspam.if
+@@ -0,0 +1,267 @@
++
++## policy for dspam
++
++
++########################################
++##
++## Execute a domain transition to run dspam.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dspam_domtrans',`
++ gen_require(`
++ type dspam_t, dspam_exec_t;
++ ')
++
++ domtrans_pattern($1, dspam_exec_t, dspam_t)
++')
++
++
++########################################
++##
++## Execute dspam server in the dspam domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`dspam_initrc_domtrans',`
++ gen_require(`
++ type dspam_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, dspam_initrc_exec_t)
++')
++
++########################################
++##
++## Allow the specified domain to read dspam's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`dspam_read_log',`
++ gen_require(`
++ type dspam_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, dspam_log_t, dspam_log_t)
++')
++
++########################################
++##
++## Allow the specified domain to append
++## dspam log files.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`dspam_append_log',`
++ gen_require(`
++ type dspam_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, dspam_log_t, dspam_log_t)
++')
++
++########################################
++##
++## Allow domain to manage dspam log files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dspam_manage_log',`
++ gen_require(`
++ type dspam_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, dspam_log_t, dspam_log_t)
++ manage_files_pattern($1, dspam_log_t, dspam_log_t)
++ manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t)
++')
++
++########################################
++##
++## Search dspam lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dspam_search_lib',`
++ gen_require(`
++ type dspam_var_lib_t;
++ ')
++
++ allow $1 dspam_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read dspam lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dspam_read_lib_files',`
++ gen_require(`
++ type dspam_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## dspam lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dspam_manage_lib_files',`
++ gen_require(`
++ type dspam_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
++')
++
++########################################
++##
++## Manage dspam lib dirs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dspam_manage_lib_dirs',`
++ gen_require(`
++ type dspam_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
++')
++
++
++########################################
++##
++## Read dspam PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dspam_read_pid_files',`
++ gen_require(`
++ type dspam_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 dspam_var_run_t:file read_file_perms;
++')
++
++#######################################
++##
++## Connect to DSPAM using a unix domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dspam_stream_connect',`
++ gen_require(`
++ type dspam_t, dspam_var_run_t, dspam_tmp_t;
++ ')
++
++ files_search_pids($1)
++ files_search_tmp($1)
++ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
++ stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an dspam environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`dspam_admin',`
++ gen_require(`
++ type dspam_t;
++ type dspam_initrc_exec_t;
++ type dspam_log_t;
++ type dspam_var_lib_t;
++ type dspam_var_run_t;
++ ')
++
++ allow $1 dspam_t:process signal_perms;
++ ps_process_pattern($1, dspam_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 dspam_t:process ptrace;
++ ')
++
++ dspam_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 dspam_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_search_logs($1)
++ admin_pattern($1, dspam_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, dspam_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, dspam_var_run_t)
++
++')
+diff --git a/dspam.te b/dspam.te
+new file mode 100644
+index 0000000..e6f0960
+--- /dev/null
++++ b/dspam.te
+@@ -0,0 +1,113 @@
++
++policy_module(dspam, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type dspam_t;
++type dspam_exec_t;
++init_daemon_domain(dspam_t, dspam_exec_t)
++
++type dspam_initrc_exec_t;
++init_script_file(dspam_initrc_exec_t)
++
++type dspam_log_t;
++logging_log_file(dspam_log_t)
++
++type dspam_var_lib_t;
++files_type(dspam_var_lib_t)
++
++type dspam_var_run_t;
++files_pid_file(dspam_var_run_t)
++
++# FIXME
++# /tmp/dspam.sock
++type dspam_tmp_t;
++files_tmp_file(dspam_tmp_t)
++
++########################################
++#
++# dspam local policy
++#
++
++allow dspam_t self:capability net_admin;
++
++allow dspam_t self:process { signal };
++
++allow dspam_t self:fifo_file rw_fifo_file_perms;
++allow dspam_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(dspam_t, dspam_log_t, dspam_log_t)
++manage_files_pattern(dspam_t, dspam_log_t, dspam_log_t)
++
++files_search_var_lib(dspam_t)
++manage_dirs_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
++manage_files_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
++
++manage_dirs_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
++manage_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
++manage_sock_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
++files_pid_filetrans(dspam_t, dspam_var_run_t, dir, "dspam")
++
++manage_sock_files_pattern(dspam_t, dspam_tmp_t, dspam_tmp_t)
++files_tmp_filetrans(dspam_t, dspam_tmp_t, sock_file)
++
++corenet_tcp_connect_spamd_port(dspam_t)
++corenet_tcp_bind_spamd_port(dspam_t)
++
++auth_use_nsswitch(dspam_t)
++
++files_search_spool(dspam_t)
++
++# for RHEL5
++libs_use_ld_so(dspam_t)
++libs_use_shared_libs(dspam_t)
++libs_read_lib_files(dspam_t)
++
++logging_send_syslog_msg(dspam_t)
++
++optional_policy(`
++ mysql_tcp_connect(dspam_t)
++ mysql_search_db(dspam_t)
++ mysql_stream_connect(dspam_t)
++')
++
++optional_policy(`
++ postgresql_tcp_connect(dspam_t)
++ postgresql_stream_connect(dspam_t)
++')
++
++#######################################
++#
++# dspam web local policy.
++#
++
++optional_policy(`
++ apache_content_template(dspam)
++
++ read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
++
++ files_search_var_lib(httpd_dspam_script_t)
++ list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
++ manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
++ manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
++
++ domain_dontaudit_read_all_domains_state(httpd_dspam_script_t)
++
++ term_dontaudit_search_ptys(httpd_dspam_script_t)
++ term_dontaudit_getattr_all_ttys(httpd_dspam_script_t)
++ term_dontaudit_getattr_all_ptys(httpd_dspam_script_t)
++
++ init_read_utmp(httpd_dspam_script_t)
++
++ logging_send_syslog_msg(httpd_dspam_script_t)
++
++ mta_send_mail(httpd_dspam_script_t)
++
++ optional_policy(`
++ mysql_tcp_connect(httpd_dspam_script_t)
++ mysql_stream_connect(httpd_dspam_script_t)
++ ')
++')
+diff --git a/entropyd.te b/entropyd.te
+index b6ac808..6235eb0 100644
+--- a/entropyd.te
++++ b/entropyd.te
+@@ -33,7 +33,7 @@ manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
+ files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
+
+ kernel_rw_kernel_sysctl(entropyd_t)
+-kernel_list_proc(entropyd_t)
++kernel_read_system_state(entropyd_t)
+ kernel_read_proc_symlinks(entropyd_t)
+
+ dev_read_sysfs(entropyd_t)
+@@ -42,7 +42,6 @@ dev_write_urand(entropyd_t)
+ dev_read_rand(entropyd_t)
+ dev_write_rand(entropyd_t)
+
+-files_read_etc_files(entropyd_t)
+ files_read_usr_files(entropyd_t)
+
+ fs_getattr_all_fs(entropyd_t)
+@@ -52,7 +51,7 @@ domain_use_interactive_fds(entropyd_t)
+
+ logging_send_syslog_msg(entropyd_t)
+
+-miscfiles_read_localization(entropyd_t)
++auth_use_nsswitch(entropyd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
+ userdom_dontaudit_search_user_home_dirs(entropyd_t)
+diff --git a/evolution.te b/evolution.te
+index 73cb712..2c6f3bc 100644
+--- a/evolution.te
++++ b/evolution.te
+@@ -146,7 +146,6 @@ corecmd_exec_shell(evolution_t)
+ # Run various programs
+ corecmd_exec_bin(evolution_t)
+
+-corenet_all_recvfrom_unlabeled(evolution_t)
+ corenet_all_recvfrom_netlabel(evolution_t)
+ corenet_tcp_sendrecv_generic_if(evolution_t)
+ corenet_udp_sendrecv_generic_if(evolution_t)
+@@ -181,19 +180,17 @@ dev_read_urand(evolution_t)
+
+ domain_dontaudit_read_all_domains_state(evolution_t)
+
+-files_read_etc_files(evolution_t)
+ files_read_usr_files(evolution_t)
+ files_read_usr_symlinks(evolution_t)
+ files_read_var_files(evolution_t)
+
+ fs_search_auto_mountpoints(evolution_t)
+
+-logging_send_syslog_msg(evolution_t)
++auth_use_nsswitch(evolution_t)
+
+-miscfiles_read_localization(evolution_t)
++logging_send_syslog_msg(evolution_t)
+
+ sysnet_read_config(evolution_t)
+-sysnet_dns_name_resolve(evolution_t)
+
+ udev_read_state(evolution_t)
+
+@@ -201,7 +198,7 @@ userdom_rw_user_tmp_files(evolution_t)
+ userdom_manage_user_tmp_dirs(evolution_t)
+ userdom_manage_user_tmp_sockets(evolution_t)
+ userdom_manage_user_tmp_files(evolution_t)
+-userdom_use_user_terminals(evolution_t)
++userdom_use_inherited_user_terminals(evolution_t)
+ # FIXME: suppress access to .local/.icons/.themes until properly implemented
+ # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+ # until properly implemented
+@@ -357,12 +354,12 @@ allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write;
+
+ dev_read_urand(evolution_alarm_t)
+
+-files_read_etc_files(evolution_alarm_t)
+ files_read_usr_files(evolution_alarm_t)
+
+ fs_search_auto_mountpoints(evolution_alarm_t)
+
+-miscfiles_read_localization(evolution_alarm_t)
++auth_use_nsswitch(evolution_alarm_t)
++
+
+ # Access evolution home
+ userdom_search_user_home_dirs(evolution_alarm_t)
+@@ -439,13 +436,13 @@ corecmd_exec_bin(evolution_exchange_t)
+
+ dev_read_urand(evolution_exchange_t)
+
+-files_read_etc_files(evolution_exchange_t)
+ files_read_usr_files(evolution_exchange_t)
+
+ # Access evolution home
+ fs_search_auto_mountpoints(evolution_exchange_t)
+
+-miscfiles_read_localization(evolution_exchange_t)
++auth_use_nsswitch(evolution_exchange_t)
++
+
+ userdom_write_user_tmp_sockets(evolution_exchange_t)
+ # Access evolution home
+@@ -506,7 +503,6 @@ kernel_read_system_state(evolution_server_t)
+ corecmd_exec_shell(evolution_server_t)
+
+ # Obtain weather data via http (read server name from xml file in /usr)
+-corenet_all_recvfrom_unlabeled(evolution_server_t)
+ corenet_all_recvfrom_netlabel(evolution_server_t)
+ corenet_tcp_sendrecv_generic_if(evolution_server_t)
+ corenet_tcp_sendrecv_generic_node(evolution_server_t)
+@@ -519,19 +515,18 @@ corenet_sendrecv_http_cache_client_packets(evolution_server_t)
+
+ dev_read_urand(evolution_server_t)
+
+-files_read_etc_files(evolution_server_t)
+ # Obtain weather data via http (read server name from xml file in /usr)
+ files_read_usr_files(evolution_server_t)
+
+ fs_search_auto_mountpoints(evolution_server_t)
+
+-miscfiles_read_localization(evolution_server_t)
++auth_use_nsswitch(evolution_server_t)
++
+ # Look in /etc/pki
+ miscfiles_read_generic_certs(evolution_server_t)
+
+ # Talk to ldap (address book)
+ sysnet_read_config(evolution_server_t)
+-sysnet_dns_name_resolve(evolution_server_t)
+ sysnet_use_ldap(evolution_server_t)
+
+ # Access evolution home
+@@ -573,7 +568,6 @@ allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_per
+ allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
+ fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+-corenet_all_recvfrom_unlabeled(evolution_webcal_t)
+ corenet_all_recvfrom_netlabel(evolution_webcal_t)
+ corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
+ corenet_raw_sendrecv_generic_if(evolution_webcal_t)
+@@ -586,9 +580,9 @@ corenet_tcp_connect_http_port(evolution_webcal_t)
+ corenet_sendrecv_http_client_packets(evolution_webcal_t)
+ corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
+
+-# Networking capability - connect to website and handle ics link
++auth_use_nsswitch(evolution_webcal_t)
++
+ sysnet_read_config(evolution_webcal_t)
+-sysnet_dns_name_resolve(evolution_webcal_t)
+
+ # Search home directory (?)
+ userdom_search_user_home_dirs(evolution_webcal_t)
+diff --git a/exim.fc b/exim.fc
+index 298f066..02c2561 100644
+--- a/exim.fc
++++ b/exim.fc
+@@ -1,4 +1,9 @@
++
++/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
++
+ /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
++/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
++
+ /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+ /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+ /var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
+diff --git a/exim.if b/exim.if
+index 6bef7f8..ba138e8 100644
+--- a/exim.if
++++ b/exim.if
+@@ -20,6 +20,49 @@ interface(`exim_domtrans',`
+
+ ########################################
+ ##
++## Execute the mailman program in the mailman domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The role to allow the mailman domain.
++##
++##
++##
++#
++interface(`exim_run',`
++ gen_require(`
++ type exim_t;
++ ')
++
++ exim_domtrans($1)
++ role $2 types exim_t;
++')
++
++########################################
++##
++## Execute exim in the exim domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`exim_initrc_domtrans',`
++ gen_require(`
++ type exim_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, exim_initrc_exec_t)
++')
++
++########################################
++##
+ ## Do not audit attempts to read,
+ ## exim tmp files
+ ##
+@@ -194,3 +237,49 @@ interface(`exim_manage_spool_files',`
+ manage_files_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+ ')
++
++########################################
++##
++## All of the rules required to administrate
++## an exim environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++#
++interface(`exim_admin',`
++ gen_require(`
++ type exim_t, exim_initrc_exec_t, exim_log_t;
++ type exim_tmp_t, exim_spool_t, exim_var_run_t;
++ ')
++
++ allow $1 exim_t:process signal_perms;
++ ps_process_pattern($1, exim_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 exim_t:process ptrace;
++ ')
++
++ exim_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 exim_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_list_logs($1)
++ admin_pattern($1, exim_log_t)
++
++ files_list_tmp($1)
++ admin_pattern($1, exim_tmp_t)
++
++ files_list_spool($1)
++ admin_pattern($1, exim_spool_t)
++
++ files_list_pids($1)
++ admin_pattern($1, exim_var_run_t)
++')
+diff --git a/exim.te b/exim.te
+index f28f64b..91758d5 100644
+--- a/exim.te
++++ b/exim.te
+@@ -35,11 +35,14 @@ mta_mailserver_user_agent(exim_t)
+ application_executable_file(exim_exec_t)
+ mta_agent_executable(exim_exec_t)
+
++type exim_initrc_exec_t;
++init_script_file(exim_initrc_exec_t)
++
+ type exim_log_t;
+ logging_log_file(exim_log_t)
+
+ type exim_spool_t;
+-files_type(exim_spool_t)
++files_spool_file(exim_spool_t)
+
+ type exim_tmp_t;
+ files_tmp_file(exim_tmp_t)
+@@ -79,11 +82,10 @@ files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
+
+ kernel_read_kernel_sysctls(exim_t)
+ kernel_read_network_state(exim_t)
+-kernel_dontaudit_read_system_state(exim_t)
++kernel_read_system_state(exim_t)
+
+ corecmd_search_bin(exim_t)
+
+-corenet_all_recvfrom_unlabeled(exim_t)
+ corenet_all_recvfrom_netlabel(exim_t)
+ corenet_tcp_sendrecv_generic_if(exim_t)
+ corenet_udp_sendrecv_generic_if(exim_t)
+@@ -108,7 +110,7 @@ domain_use_interactive_fds(exim_t)
+
+ files_search_usr(exim_t)
+ files_search_var(exim_t)
+-files_read_etc_files(exim_t)
++files_read_usr_files(exim_t)
+ files_read_etc_runtime_files(exim_t)
+ files_getattr_all_mountpoints(exim_t)
+
+@@ -119,7 +121,6 @@ auth_use_nsswitch(exim_t)
+
+ logging_send_syslog_msg(exim_t)
+
+-miscfiles_read_localization(exim_t)
+ miscfiles_read_generic_certs(exim_t)
+
+ userdom_dontaudit_search_user_home_dirs(exim_t)
+@@ -162,6 +163,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dovecot_stream_connect(exim_t)
++')
++
++optional_policy(`
+ kerberos_keytab_template(exim, exim_t)
+ ')
+
+@@ -171,6 +176,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ nagios_search_spool(exim_t)
++')
++
++optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ mysql_stream_connect(exim_t)
+ ')
+@@ -184,6 +193,7 @@ optional_policy(`
+
+ optional_policy(`
+ procmail_domtrans(exim_t)
++ procmail_read_home_files(exim_t)
+ ')
+
+ optional_policy(`
+diff --git a/fail2ban.fc b/fail2ban.fc
+index 0de2b83..6de0fca 100644
+--- a/fail2ban.fc
++++ b/fail2ban.fc
+@@ -4,5 +4,5 @@
+ /usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+
+ /var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
+-/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
++/var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0)
+ /var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+diff --git a/fail2ban.if b/fail2ban.if
+index f590a1f..b1b13b0 100644
+--- a/fail2ban.if
++++ b/fail2ban.if
+@@ -40,7 +40,26 @@ interface(`fail2ban_stream_connect',`
+
+ ########################################
+ ##
+-## Read and write to an fail2ban unix stream socket.
++## Read and write inherited temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fail2ban_rw_inherited_tmp_files',`
++ gen_require(`
++ type fail2ban_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Read and write to an fail2ba unix stream socket.
+ ##
+ ##
+ ##
+@@ -72,7 +91,7 @@ interface(`fail2ban_read_lib_files',`
+ ')
+
+ files_search_var_lib($1)
+- allow $1 fail2ban_var_lib_t:file read_file_perms;
++ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
+ ')
+
+ ########################################
+@@ -138,6 +157,26 @@ interface(`fail2ban_read_pid_files',`
+
+ ########################################
+ ##
++## dontaudit read and write an leaked file descriptors
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fail2ban_dontaudit_leaks',`
++ gen_require(`
++ type fail2ban_t;
++ ')
++
++ dontaudit $1 fail2ban_t:tcp_socket { read write };
++ dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
++ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an fail2ban environment
+ ##
+@@ -155,12 +194,16 @@ interface(`fail2ban_read_pid_files',`
+ #
+ interface(`fail2ban_admin',`
+ gen_require(`
+- type fail2ban_t, fail2ban_log_t;
+- type fail2ban_var_run_t, fail2ban_initrc_exec_t;
++ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
++ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
++ type fail2ban_client_t;
+ ')
+
+- allow $1 fail2ban_t:process { ptrace signal_perms };
+- ps_process_pattern($1, fail2ban_t)
++ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
++ ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -172,4 +215,10 @@ interface(`fail2ban_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, fail2ban_var_run_t)
++
++ files_list_var_lib($1)
++ admin_pattern($1, fail2ban_var_lib_t)
++
++ files_list_tmp($1)
++ admin_pattern($1, fail2ban_tmp_t)
+ ')
+diff --git a/fail2ban.te b/fail2ban.te
+index 2a69e5e..5dccf2c 100644
+--- a/fail2ban.te
++++ b/fail2ban.te
+@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
+ type fail2ban_var_run_t;
+ files_pid_file(fail2ban_var_run_t)
+
++type fail2ban_tmp_t;
++files_tmp_file(fail2ban_tmp_t)
++
++type fail2ban_client_t;
++type fail2ban_client_exec_t;
++init_daemon_domain(fail2ban_client_t, fail2ban_client_exec_t)
++
+ ########################################
+ #
+-# fail2ban local policy
++# fail2ban server local policy
+ #
+
+-allow fail2ban_t self:capability { sys_tty_config };
++allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
+ allow fail2ban_t self:process signal;
+ allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+ allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
+@@ -36,7 +43,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
+ allow fail2ban_t self:tcp_socket create_stream_socket_perms;
+
+ # log files
+-allow fail2ban_t fail2ban_log_t:dir setattr;
++allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
+ manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+ logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+
+@@ -50,12 +57,16 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+ manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+ files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
+
++manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
++manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
++exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
++files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
++
+ kernel_read_system_state(fail2ban_t)
+
+ corecmd_exec_bin(fail2ban_t)
+ corecmd_exec_shell(fail2ban_t)
+
+-corenet_all_recvfrom_unlabeled(fail2ban_t)
+ corenet_all_recvfrom_netlabel(fail2ban_t)
+ corenet_tcp_sendrecv_generic_if(fail2ban_t)
+ corenet_tcp_sendrecv_generic_node(fail2ban_t)
+@@ -66,8 +77,8 @@ corenet_sendrecv_whois_client_packets(fail2ban_t)
+ dev_read_urand(fail2ban_t)
+
+ domain_use_interactive_fds(fail2ban_t)
++domain_dontaudit_read_all_domains_state(fail2ban_t)
+
+-files_read_etc_files(fail2ban_t)
+ files_read_etc_runtime_files(fail2ban_t)
+ files_read_usr_files(fail2ban_t)
+ files_list_var(fail2ban_t)
+@@ -81,10 +92,11 @@ auth_use_nsswitch(fail2ban_t)
+ logging_read_all_logs(fail2ban_t)
+ logging_send_syslog_msg(fail2ban_t)
+
+-miscfiles_read_localization(fail2ban_t)
+-
+ mta_send_mail(fail2ban_t)
+
++sysnet_manage_config(fail2ban_t)
++sysnet_filetrans_named_content(fail2ban_t)
++
+ optional_policy(`
+ apache_read_log(fail2ban_t)
+ ')
+@@ -94,5 +106,43 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(fail2ban_t)
++')
++
++optional_policy(`
+ iptables_domtrans(fail2ban_t)
+ ')
++
++optional_policy(`
++ libs_exec_ldconfig(fail2ban_t)
++')
++
++optional_policy(`
++ shorewall_domtrans(fail2ban_t)
++')
++
++########################################
++#
++# fail2ban client local policy
++#
++
++domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
++
++stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
++
++kernel_read_system_state(fail2ban_client_t)
++
++# python
++corecmd_exec_bin(fail2ban_client_t)
++
++# nsswitch.conf, passwd
++files_read_usr_files(fail2ban_client_t)
++files_search_pids(fail2ban_client_t)
++
++auth_read_passwd(fail2ban_client_t)
++
++
++optional_policy(`
++ gnome_dontaudit_search_config(fail2ban_client_t)
++')
++
+diff --git a/fcoemon.fc b/fcoemon.fc
+new file mode 100644
+index 0000000..83279fb
+--- /dev/null
++++ b/fcoemon.fc
+@@ -0,0 +1,5 @@
++
++/usr/sbin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0)
++
++/var/run/fcm(/.*)? gen_context(system_u:object_r:fcoemon_var_run_t,s0)
++/var/run/fcoemon\.pid -- gen_context(system_u:object_r:fcoemon_var_run_t,s0)
+diff --git a/fcoemon.if b/fcoemon.if
+new file mode 100644
+index 0000000..33508c1
+--- /dev/null
++++ b/fcoemon.if
+@@ -0,0 +1,88 @@
++
++## policy for fcoemon
++
++########################################
++##
++## Transition to fcoemon.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`fcoemon_domtrans',`
++ gen_require(`
++ type fcoemon_t, fcoemon_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, fcoemon_exec_t, fcoemon_t)
++')
++
++
++########################################
++##
++## Read fcoemon PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fcoemon_read_pid_files',`
++ gen_require(`
++ type fcoemon_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 fcoemon_var_run_t:file read_file_perms;
++')
++
++#######################################
++##
++## Send to a fcoemon unix dgram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fcoemon_dgram_send',`
++ gen_require(`
++ type fcoemon_t;
++ ')
++
++ allow $1 fcoemon_t:unix_dgram_socket sendto;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an fcoemon environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fcoemon_admin',`
++ gen_require(`
++ type fcoemon_t;
++ type fcoemon_var_run_t;
++ ')
++
++ allow $1 fcoemon_t:process signal_perms;
++ ps_process_pattern($1, fcoemon_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 fcoemon_t:process ptrace;
++ ')
++
++ files_search_pids($1)
++ admin_pattern($1, fcoemon_var_run_t)
++
++')
++
+diff --git a/fcoemon.te b/fcoemon.te
+new file mode 100644
+index 0000000..724ca0d
+--- /dev/null
++++ b/fcoemon.te
+@@ -0,0 +1,44 @@
++policy_module(fcoemon, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type fcoemon_t;
++type fcoemon_exec_t;
++init_daemon_domain(fcoemon_t, fcoemon_exec_t)
++
++type fcoemon_var_run_t;
++files_pid_file(fcoemon_var_run_t)
++
++########################################
++#
++# fcoemon local policy
++#
++
++# dac_override
++# /var/rnn/fcm/fcm_clif socket is owned by root
++allow fcoemon_t self:capability { net_admin dac_override };
++allow fcoemon_t self:capability { kill };
++
++allow fcoemon_t self:fifo_file rw_fifo_file_perms;
++allow fcoemon_t self:unix_stream_socket create_stream_socket_perms;
++allow fcoemon_t self:netlink_socket create_socket_perms;
++allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
++
++manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
++manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
++manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
++files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file sock_file })
++
++files_read_etc_files(fcoemon_t)
++
++dev_read_sysfs(fcoemon_t)
++
++logging_send_syslog_msg(fcoemon_t)
++
++optional_policy(`
++ lldpad_dgram_send(fcoemon_t)
++')
++
+diff --git a/fetchmail.fc b/fetchmail.fc
+index 39928d5..6c24c84 100644
+--- a/fetchmail.fc
++++ b/fetchmail.fc
+@@ -1,3 +1,9 @@
++#
++# /HOME
++#
++HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
++/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
++
+
+ #
+ # /etc
+@@ -14,6 +20,7 @@
+ #
+ # /var
+ #
++/var/log/fetchmail.* gen_context(system_u:object_r:fetchmail_log_t,s0)
+ /var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+ /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+ /var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+diff --git a/fetchmail.if b/fetchmail.if
+index 6537214..406d62b 100644
+--- a/fetchmail.if
++++ b/fetchmail.if
+@@ -15,14 +15,20 @@
+ interface(`fetchmail_admin',`
+ gen_require(`
+ type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t;
+- type fetchmail_var_run_t;
++ type fetchmail_var_run_t, fetchmail_log_t;
+ ')
+
++ allow $1 fetchmail_t:process signal_perms;
+ ps_process_pattern($1, fetchmail_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 fetchmail_t:process ptrace;
++ ')
+
+ files_list_etc($1)
+ admin_pattern($1, fetchmail_etc_t)
+
++ admin_pattern($1, fetchmail_log_t)
++
+ admin_pattern($1, fetchmail_uidl_cache_t)
+
+ files_list_pids($1)
+diff --git a/fetchmail.te b/fetchmail.te
+index ac6626e..656f329 100644
+--- a/fetchmail.te
++++ b/fetchmail.te
+@@ -10,6 +10,12 @@ type fetchmail_exec_t;
+ init_daemon_domain(fetchmail_t, fetchmail_exec_t)
+ application_executable_file(fetchmail_exec_t)
+
++type fetchmail_home_t;
++userdom_user_home_content(fetchmail_home_t)
++
++type fetchmail_log_t;
++logging_log_file(fetchmail_log_t)
++
+ type fetchmail_var_run_t;
+ files_pid_file(fetchmail_var_run_t)
+
+@@ -37,10 +43,19 @@ allow fetchmail_t fetchmail_etc_t:file read_file_perms;
+ allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
+ mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
+
++manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
++manage_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
++logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
++
+ manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+ manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+ files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file })
+
++list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
++read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
++userdom_search_user_home_dirs(fetchmail_t)
++userdom_search_admin_dir(fetchmail_t)
++
+ kernel_read_kernel_sysctls(fetchmail_t)
+ kernel_list_proc(fetchmail_t)
+ kernel_getattr_proc_files(fetchmail_t)
+@@ -51,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
+ corecmd_exec_bin(fetchmail_t)
+ corecmd_exec_shell(fetchmail_t)
+
+-corenet_all_recvfrom_unlabeled(fetchmail_t)
+ corenet_all_recvfrom_netlabel(fetchmail_t)
+ corenet_tcp_sendrecv_generic_if(fetchmail_t)
+ corenet_udp_sendrecv_generic_if(fetchmail_t)
+@@ -77,9 +91,10 @@ fs_search_auto_mountpoints(fetchmail_t)
+
+ domain_use_interactive_fds(fetchmail_t)
+
++auth_read_passwd(fetchmail_t)
++
+ logging_send_syslog_msg(fetchmail_t)
+
+-miscfiles_read_localization(fetchmail_t)
+ miscfiles_read_generic_certs(fetchmail_t)
+
+ sysnet_read_config(fetchmail_t)
+@@ -88,6 +103,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
+ userdom_dontaudit_search_user_home_dirs(fetchmail_t)
+
+ optional_policy(`
++ kerberos_use(fetchmail_t)
++')
++
++optional_policy(`
+ procmail_domtrans(fetchmail_t)
+ ')
+
+diff --git a/finger.te b/finger.te
+index 9b7036a..864b94a 100644
+--- a/finger.te
++++ b/finger.te
+@@ -46,7 +46,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file)
+ kernel_read_kernel_sysctls(fingerd_t)
+ kernel_read_system_state(fingerd_t)
+
+-corenet_all_recvfrom_unlabeled(fingerd_t)
+ corenet_all_recvfrom_netlabel(fingerd_t)
+ corenet_tcp_sendrecv_generic_if(fingerd_t)
+ corenet_udp_sendrecv_generic_if(fingerd_t)
+@@ -66,6 +65,7 @@ term_getattr_all_ttys(fingerd_t)
+ term_getattr_all_ptys(fingerd_t)
+
+ auth_read_lastlog(fingerd_t)
++auth_use_nsswitch(fingerd_t)
+
+ corecmd_exec_bin(fingerd_t)
+ corecmd_exec_shell(fingerd_t)
+@@ -73,7 +73,6 @@ corecmd_exec_shell(fingerd_t)
+ domain_use_interactive_fds(fingerd_t)
+
+ files_search_home(fingerd_t)
+-files_read_etc_files(fingerd_t)
+ files_read_etc_runtime_files(fingerd_t)
+
+ init_read_utmp(fingerd_t)
+@@ -85,7 +84,6 @@ mta_getattr_spool(fingerd_t)
+
+ sysnet_read_config(fingerd_t)
+
+-miscfiles_read_localization(fingerd_t)
+
+ # stop it accessing sub-directories, prevents checking a Maildir for new mail,
+ # have to change this when we create a type for Maildir
+diff --git a/firewalld.fc b/firewalld.fc
+new file mode 100644
+index 0000000..f440549
+--- /dev/null
++++ b/firewalld.fc
+@@ -0,0 +1,13 @@
++
++/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
++
++/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
++
++/usr/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
++
++/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
++
++/var/log/firewalld -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
++
++/var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0)
++/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0)
+diff --git a/firewalld.if b/firewalld.if
+new file mode 100644
+index 0000000..c4c7510
+--- /dev/null
++++ b/firewalld.if
+@@ -0,0 +1,130 @@
++## policy for firewalld
++
++########################################
++##
++## Execute a domain transition to run firewalld.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`firewalld_domtrans',`
++ gen_require(`
++ type firewalld_t, firewalld_exec_t;
++ ')
++
++ domtrans_pattern($1, firewalld_exec_t, firewalld_t)
++')
++
++
++########################################
++##
++## Execute firewalld server in the firewalld domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`firewalld_initrc_domtrans',`
++ gen_require(`
++ type firewalld_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
++')
++
++########################################
++##
++## Execute firewalld server in the firewalld domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`firewalld_systemctl',`
++ gen_require(`
++ type firewalld_t;
++ type firewalld_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 firewalld_unit_file_t:file read_file_perms;
++ allow $1 firewalld_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, firewalld_t)
++')
++
++########################################
++##
++## Send and receive messages from
++## firewalld over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`firewalld_dbus_chat',`
++ gen_require(`
++ type firewalld_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 firewalld_t:dbus send_msg;
++ allow firewalld_t $1:dbus send_msg;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an firewalld environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`firewalld_admin',`
++ gen_require(`
++ type firewalld_t, firewalld_initrc_exec_t;
++ type firewall_etc_rw_t, firewalld_var_run_t;
++ type firewalld_var_log_t;
++ ')
++
++ allow $1 firewalld_t:process signal_perms;
++ ps_process_pattern($1, firewalld_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 firewalld_t:process ptrace;
++ ')
++
++ firewalld_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 firewalld_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_pids($1)
++ admin_pattern($1, firewalld_var_run_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, firewalld_var_log_t)
++
++ admin_pattern($1, firewall_etc_rw_t)
++
++ admin_pattern($1, firewalld_unit_file_t)
++ firewalld_systemctl($1)
++ allow $1 firewalld_unit_file_t:service all_service_perms;
++')
+diff --git a/firewalld.te b/firewalld.te
+new file mode 100644
+index 0000000..a7fcf3c
+--- /dev/null
++++ b/firewalld.te
+@@ -0,0 +1,94 @@
++
++policy_module(firewalld,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type firewalld_t;
++type firewalld_exec_t;
++init_daemon_domain(firewalld_t, firewalld_exec_t)
++
++type firewalld_initrc_exec_t;
++init_script_file(firewalld_initrc_exec_t)
++
++type firewalld_etc_rw_t;
++files_config_file(firewalld_etc_rw_t)
++
++type firewalld_var_log_t;
++logging_log_file(firewalld_var_log_t)
++
++type firewalld_var_run_t;
++files_pid_file(firewalld_var_run_t)
++
++type firewalld_unit_file_t;
++systemd_unit_file(firewalld_unit_file_t)
++
++########################################
++#
++# firewalld local policy
++#
++dontaudit firewalld_t self:capability sys_tty_config;
++allow firewalld_t self:fifo_file rw_fifo_file_perms;
++allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
++manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
++
++append_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
++create_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
++read_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
++setattr_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
++logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
++
++# should be fixed to cooperate with systemd to create /var/run/firewalld directory
++manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
++files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file })
++
++kernel_read_network_state(firewalld_t)
++kernel_read_system_state(firewalld_t)
++
++corecmd_exec_bin(firewalld_t)
++corecmd_exec_shell(firewalld_t)
++
++dev_read_urand(firewalld_t)
++
++domain_use_interactive_fds(firewalld_t)
++
++files_read_etc_files(firewalld_t)
++files_read_usr_files(firewalld_t)
++
++fs_getattr_xattr_fs(firewalld_t)
++
++auth_read_passwd(firewalld_t)
++
++logging_send_syslog_msg(firewalld_t)
++
++sysnet_dns_name_resolve(firewalld_t)
++
++sysnet_read_config(firewalld_t)
++
++optional_policy(`
++ dbus_system_domain(firewalld_t, firewalld_exec_t)
++
++ optional_policy(`
++ devicekit_dbus_chat_power(firewalld_t)
++ ')
++
++ optional_policy(`
++ policykit_dbus_chat(firewalld_t)
++ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat(firewalld_t)
++ ')
++')
++
++optional_policy(`
++ iptables_domtrans(firewalld_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(firewalld_t)
++')
+diff --git a/firewallgui.fc b/firewallgui.fc
+new file mode 100644
+index 0000000..ce498b3
+--- /dev/null
++++ b/firewallgui.fc
+@@ -0,0 +1,3 @@
++
++/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
++
+diff --git a/firewallgui.if b/firewallgui.if
+new file mode 100644
+index 0000000..2bd5790
+--- /dev/null
++++ b/firewallgui.if
+@@ -0,0 +1,41 @@
++
++## policy for firewallgui
++
++########################################
++##
++## Send and receive messages from
++## firewallgui over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`firewallgui_dbus_chat',`
++ gen_require(`
++ type firewallgui_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 firewallgui_t:dbus send_msg;
++ allow firewallgui_t $1:dbus send_msg;
++')
++
++########################################
++##
++## Read and write firewallgui unnamed pipes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`firewallgui_dontaudit_rw_pipes',`
++ gen_require(`
++ type firewallgui_t;
++ ')
++
++ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
++')
+diff --git a/firewallgui.te b/firewallgui.te
+new file mode 100644
+index 0000000..6bd855e
+--- /dev/null
++++ b/firewallgui.te
+@@ -0,0 +1,73 @@
++policy_module(firewallgui,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type firewallgui_t;
++type firewallgui_exec_t;
++dbus_system_domain(firewallgui_t, firewallgui_exec_t)
++init_daemon_domain(firewallgui_t, firewallgui_exec_t)
++
++type firewallgui_tmp_t;
++files_tmp_file(firewallgui_tmp_t)
++
++########################################
++#
++# firewallgui local policy
++#
++
++allow firewallgui_t self:capability { net_admin sys_rawio } ;
++allow firewallgui_t self:fifo_file rw_fifo_file_perms;
++
++manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
++manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
++files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir })
++
++kernel_read_system_state(firewallgui_t)
++kernel_read_network_state(firewallgui_t)
++kernel_rw_net_sysctls(firewallgui_t)
++kernel_rw_kernel_sysctl(firewallgui_t)
++kernel_rw_vm_sysctls(firewallgui_t)
++
++corecmd_exec_shell(firewallgui_t)
++corecmd_exec_bin(firewallgui_t)
++
++dev_read_urand(firewallgui_t)
++dev_read_sysfs(firewallgui_t)
++
++files_manage_system_conf_files(firewallgui_t)
++files_etc_filetrans_system_conf(firewallgui_t)
++files_read_usr_files(firewallgui_t)
++files_search_kernel_modules(firewallgui_t)
++files_list_kernel_modules(firewallgui_t)
++
++auth_use_nsswitch(firewallgui_t)
++
++
++seutil_read_config(firewallgui_t)
++
++userdom_dontaudit_search_user_home_dirs(firewallgui_t)
++
++optional_policy(`
++ consoletype_exec(firewallgui_t)
++')
++
++optional_policy(`
++ gnome_read_gconf_home_files(firewallgui_t)
++')
++
++optional_policy(`
++ iptables_domtrans(firewallgui_t)
++ iptables_initrc_domtrans(firewallgui_t)
++ iptables_systemctl(firewallgui_t)
++')
++
++optional_policy(`
++ modutils_getattr_module_deps(firewallgui_t)
++')
++
++optional_policy(`
++ policykit_dbus_chat(firewallgui_t)
++')
+diff --git a/firstboot.if b/firstboot.if
+index 8fa451c..f3a67c9 100644
+--- a/firstboot.if
++++ b/firstboot.if
+@@ -85,6 +85,25 @@ interface(`firstboot_dontaudit_use_fds',`
+
+ ########################################
+ ##
++## dontaudit read and write an leaked file descriptors
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`firstboot_dontaudit_leaks',`
++ gen_require(`
++ type firstboot_t;
++ ')
++
++ dontaudit $1 firstboot_t:socket_class_set { read write };
++ dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
+ ## Write to a firstboot unnamed pipe.
+ ##
+ ##
+@@ -98,6 +117,7 @@ interface(`firstboot_write_pipes',`
+ type firstboot_t;
+ ')
+
++ allow $1 firstboot_t:fd use;
+ allow $1 firstboot_t:fifo_file write;
+ ')
+
+diff --git a/firstboot.te b/firstboot.te
+index c4d8998..0647c46 100644
+--- a/firstboot.te
++++ b/firstboot.te
+@@ -1,7 +1,7 @@
+ policy_module(firstboot, 1.12.0)
+
+ gen_require(`
+- class passwd rootok;
++ class passwd { passwd chfn chsh rootok crontab };
+ ')
+
+ ########################################
+@@ -29,14 +29,16 @@ allow firstboot_t self:process setfscreate;
+ allow firstboot_t self:fifo_file rw_fifo_file_perms;
+ allow firstboot_t self:tcp_socket create_stream_socket_perms;
+ allow firstboot_t self:unix_stream_socket { connect create };
+-allow firstboot_t self:passwd rootok;
++allow firstboot_t self:passwd { rootok passwd chfn chsh };
+
+ allow firstboot_t firstboot_etc_t:file read_file_perms;
+
++files_manage_generic_tmp_dirs(firstboot_t)
++files_manage_generic_tmp_files(firstboot_t)
++
+ kernel_read_system_state(firstboot_t)
+ kernel_read_kernel_sysctls(firstboot_t)
+
+-corenet_all_recvfrom_unlabeled(firstboot_t)
+ corenet_all_recvfrom_netlabel(firstboot_t)
+ corenet_tcp_sendrecv_generic_if(firstboot_t)
+ corenet_tcp_sendrecv_generic_node(firstboot_t)
+@@ -62,6 +64,8 @@ files_read_usr_files(firstboot_t)
+ files_manage_var_dirs(firstboot_t)
+ files_manage_var_files(firstboot_t)
+ files_manage_var_symlinks(firstboot_t)
++files_create_boot_flag(firstboot_t)
++files_delete_boot_flag(firstboot_t)
+
+ init_domtrans_script(firstboot_t)
+ init_rw_utmp(firstboot_t)
+@@ -73,14 +77,10 @@ locallogin_use_fds(firstboot_t)
+
+ logging_send_syslog_msg(firstboot_t)
+
+-miscfiles_read_localization(firstboot_t)
++sysnet_dns_name_resolve(firstboot_t)
+
+-modutils_domtrans_insmod(firstboot_t)
+-modutils_domtrans_depmod(firstboot_t)
+-modutils_read_module_config(firstboot_t)
+-modutils_read_module_deps(firstboot_t)
++userdom_use_inherited_user_terminals(firstboot_t)
+
+-userdom_use_user_terminals(firstboot_t)
+ # Add/remove user home directories
+ userdom_manage_user_home_content_dirs(firstboot_t)
+ userdom_manage_user_home_content_files(firstboot_t)
+@@ -91,10 +91,6 @@ userdom_home_filetrans_user_home_dir(firstboot_t)
+ userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+
+ optional_policy(`
+- consoletype_domtrans(firstboot_t)
+-')
+-
+-optional_policy(`
+ dbus_system_bus_client(firstboot_t)
+
+ optional_policy(`
+@@ -103,7 +99,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(firstboot_t)
++ modutils_domtrans_insmod(firstboot_t)
++ modutils_domtrans_depmod(firstboot_t)
++ modutils_read_module_config(firstboot_t)
++ modutils_read_module_deps(firstboot_t)
+ ')
+
+ optional_policy(`
+@@ -113,18 +112,11 @@ optional_policy(`
+ optional_policy(`
+ unconfined_domtrans(firstboot_t)
+ # The big hammer
+- unconfined_domain(firstboot_t)
+-')
+-
+-optional_policy(`
+- usermanage_domtrans_chfn(firstboot_t)
+- usermanage_domtrans_groupadd(firstboot_t)
+- usermanage_domtrans_passwd(firstboot_t)
+- usermanage_domtrans_useradd(firstboot_t)
+- usermanage_domtrans_admin_passwd(firstboot_t)
++ unconfined_domain_noaudit(firstboot_t)
+ ')
+
+ optional_policy(`
++ gnome_admin_home_gconf_filetrans(firstboot_t, dir)
+ gnome_manage_config(firstboot_t)
+ ')
+
+@@ -132,4 +124,5 @@ optional_policy(`
+ xserver_domtrans(firstboot_t)
+ xserver_rw_shm(firstboot_t)
+ xserver_unconfined(firstboot_t)
++ xserver_stream_connect(firstboot_t)
+ ')
+diff --git a/fprintd.if b/fprintd.if
+index ebad8c4..640293e 100644
+--- a/fprintd.if
++++ b/fprintd.if
+@@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',`
+ allow $1 fprintd_t:dbus send_msg;
+ allow fprintd_t $1:dbus send_msg;
+ ')
+-
+diff --git a/fprintd.te b/fprintd.te
+index 7df52c7..46499bd 100644
+--- a/fprintd.te
++++ b/fprintd.te
+@@ -7,7 +7,7 @@ policy_module(fprintd, 1.1.0)
+
+ type fprintd_t;
+ type fprintd_exec_t;
+-dbus_system_domain(fprintd_t, fprintd_exec_t)
++init_daemon_domain(fprintd_t, fprintd_exec_t)
+
+ type fprintd_var_lib_t;
+ files_type(fprintd_var_lib_t)
+@@ -17,9 +17,10 @@ files_type(fprintd_var_lib_t)
+ # Local policy
+ #
+
+-allow fprintd_t self:capability sys_ptrace;
++allow fprintd_t self:capability sys_nice;
++
+ allow fprintd_t self:fifo_file rw_fifo_file_perms;
+-allow fprintd_t self:process { getsched signal };
++allow fprintd_t self:process { getsched setsched signal sigkill };
+
+ manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+ manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+@@ -33,14 +34,12 @@ dev_list_usbfs(fprintd_t)
+ dev_rw_generic_usb_dev(fprintd_t)
+ dev_read_sysfs(fprintd_t)
+
+-files_read_etc_files(fprintd_t)
+ files_read_usr_files(fprintd_t)
+
+ fs_getattr_all_fs(fprintd_t)
+
+ auth_use_nsswitch(fprintd_t)
+
+-miscfiles_read_localization(fprintd_t)
+
+ userdom_use_user_ptys(fprintd_t)
+ userdom_read_all_users_state(fprintd_t)
+@@ -50,8 +49,17 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dbus_system_domain(fprintd_t, fprintd_exec_t)
++')
++
++optional_policy(`
+ policykit_read_reload(fprintd_t)
+ policykit_read_lib(fprintd_t)
+ policykit_dbus_chat(fprintd_t)
+ policykit_domtrans_auth(fprintd_t)
++ policykit_dbus_chat_auth(fprintd_t)
++')
++
++optional_policy(`
++ xserver_read_state_xdm(fprintd_t)
+ ')
+diff --git a/ftp.fc b/ftp.fc
+index 69dcd2a..4d97da7 100644
+--- a/ftp.fc
++++ b/ftp.fc
+@@ -6,6 +6,9 @@
+ /etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
+ #
+ # /usr
+ #
+@@ -29,3 +32,4 @@
+ /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
+ /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
+ /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
++/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
+diff --git a/ftp.if b/ftp.if
+index 9d3201b..6e75e3d 100644
+--- a/ftp.if
++++ b/ftp.if
+@@ -1,5 +1,66 @@
+ ## File transfer protocol service
+
++######################################
++##
++## Execute a domain transition to run ftpd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ftp_domtrans',`
++ gen_require(`
++ type ftpd_t, ftpd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,ftpd_exec_t, ftpd_t)
++
++')
++
++#######################################
++##
++## Execute ftpd server in the ftpd domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`ftp_initrc_domtrans',`
++ gen_require(`
++ type ftpd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
++')
++
++########################################
++##
++## Execute ftpd server in the ftpd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ftp_systemctl',`
++ gen_require(`
++ type ftpd_unit_file_t;
++ type ftpd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 ftpd_unit_file_t:file read_file_perms;
++ allow $1 ftpd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, ftpd_t)
++')
++
+ #######################################
+ ##
+ ## Allow domain dyntransition to sftpd_anon domain.
+@@ -174,10 +235,14 @@ interface(`ftp_admin',`
+ type ftpd_etc_t, ftpd_lock_t;
+ type ftpd_var_run_t, xferlog_t;
+ type ftpd_initrc_exec_t;
++ type ftpd_unit_file_t;
+ ')
+
+- allow $1 ftpd_t:process { ptrace signal_perms };
++ allow $1 ftpd_t:process signal_perms;
+ ps_process_pattern($1, ftpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ftpd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -203,4 +268,8 @@ interface(`ftp_admin',`
+
+ logging_list_logs($1)
+ admin_pattern($1, xferlog_t)
++
++ ftp_systemctl($1)
++ admin_pattern($1, ftpd_unit_file_t)
++ allow $1 ftpd_unit_file_t:service all_service_perms;
+ ')
+diff --git a/ftp.te b/ftp.te
+index 80026bb..30968b3 100644
+--- a/ftp.te
++++ b/ftp.te
+@@ -12,7 +12,7 @@ policy_module(ftp, 1.14.0)
+ ## public_content_rw_t.
+ ##
+ ##
+-gen_tunable(allow_ftpd_anon_write, false)
++gen_tunable(ftpd_anon_write, false)
+
+ ##
+ ##
+@@ -20,7 +20,7 @@ gen_tunable(allow_ftpd_anon_write, false)
+ ## read/write all files on the system, governed by DAC.
+ ##
+ ##
+-gen_tunable(allow_ftpd_full_access, false)
++gen_tunable(ftpd_full_access, false)
+
+ ##
+ ##
+@@ -28,7 +28,7 @@ gen_tunable(allow_ftpd_full_access, false)
+ ## used for public file transfer services.
+ ##
+ ##
+-gen_tunable(allow_ftpd_use_cifs, false)
++gen_tunable(ftpd_use_cifs, false)
+
+ ##
+ ##
+@@ -36,7 +36,28 @@ gen_tunable(allow_ftpd_use_cifs, false)
+ ## used for public file transfer services.
+ ##
+ ##
+-gen_tunable(allow_ftpd_use_nfs, false)
++gen_tunable(ftpd_use_nfs, false)
++
++##
++##
++## Allow ftp servers to connect to mysql database ports
++##
++##
++gen_tunable(ftpd_connect_db, false)
++
++##
++##
++## Allow ftp servers to use bind to all unreserved ports for passive mode
++##
++##
++gen_tunable(ftpd_use_passive_mode, false)
++
++##
++##
++## Allow ftp servers to connect to all ports > 1023
++##
++##
++gen_tunable(ftpd_connect_all_unreserved, false)
+
+ ##
+ ##
+@@ -70,6 +91,14 @@ gen_tunable(sftpd_enable_homedirs, false)
+ ##
+ gen_tunable(sftpd_full_access, false)
+
++##
++##
++## Allow internal-sftp to read and write files
++## in the user ssh home directories.
++##
++##
++gen_tunable(sftpd_write_ssh_home, false)
++
+ type anon_sftpd_t;
+ typealias anon_sftpd_t alias sftpd_anon_t;
+ domain_type(anon_sftpd_t)
+@@ -85,6 +114,9 @@ files_config_file(ftpd_etc_t)
+ type ftpd_initrc_exec_t;
+ init_script_file(ftpd_initrc_exec_t)
+
++type ftpd_unit_file_t;
++systemd_unit_file(ftpd_unit_file_t)
++
+ type ftpd_lock_t;
+ files_lock_file(ftpd_lock_t)
+
+@@ -115,6 +147,10 @@ ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
+ ')
+
++ifdef(`enable_mls',`
++ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
++')
++
+ ########################################
+ #
+ # anon-sftp local policy
+@@ -133,7 +169,7 @@ tunable_policy(`sftpd_anon_write',`
+ # ftpd local policy
+ #
+
+-allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
++allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource };
+ dontaudit ftpd_t self:capability sys_tty_config;
+ allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
+ allow ftpd_t self:fifo_file rw_fifo_file_perms;
+@@ -151,7 +187,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+
+ manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+ manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+-files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
+
+ manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+ manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+@@ -163,13 +198,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
+ manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+ manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+ manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+-files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
++files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
+
+ # proftpd requires the client side to bind a socket so that
+ # it can stat the socket to perform access control decisions,
+ # since getsockopt with SO_PEERCRED is not available on all
+ # proftpd-supported OSs
+-allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
++allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
+
+ # Create and modify /var/log/xferlog.
+ manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+@@ -177,14 +212,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+
+ kernel_read_kernel_sysctls(ftpd_t)
+ kernel_read_system_state(ftpd_t)
+-kernel_search_network_state(ftpd_t)
++kernel_read_network_state(ftpd_t)
+
+ dev_read_sysfs(ftpd_t)
+ dev_read_urand(ftpd_t)
+
+ corecmd_exec_bin(ftpd_t)
+
+-corenet_all_recvfrom_unlabeled(ftpd_t)
+ corenet_all_recvfrom_netlabel(ftpd_t)
+ corenet_tcp_sendrecv_generic_if(ftpd_t)
+ corenet_udp_sendrecv_generic_if(ftpd_t)
+@@ -196,9 +230,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
+ corenet_tcp_bind_ftp_port(ftpd_t)
+ corenet_tcp_bind_ftp_data_port(ftpd_t)
+ corenet_tcp_bind_generic_port(ftpd_t)
+-corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+-corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
+-corenet_tcp_connect_all_ports(ftpd_t)
++corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
++corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
+ corenet_sendrecv_ftp_server_packets(ftpd_t)
+
+ domain_use_interactive_fds(ftpd_t)
+@@ -212,13 +245,11 @@ fs_search_auto_mountpoints(ftpd_t)
+ fs_getattr_all_fs(ftpd_t)
+ fs_search_fusefs(ftpd_t)
+
+-auth_use_nsswitch(ftpd_t)
+-auth_domtrans_chk_passwd(ftpd_t)
+-# Append to /var/log/wtmp.
+-auth_append_login_records(ftpd_t)
++auth_use_pam(ftpd_t)
+ #kerberized ftp requires the following
+ auth_write_login_records(ftpd_t)
+ auth_rw_faillog(ftpd_t)
++auth_manage_var_auth(ftpd_t)
+
+ init_rw_utmp(ftpd_t)
+
+@@ -226,42 +257,47 @@ logging_send_audit_msgs(ftpd_t)
+ logging_send_syslog_msg(ftpd_t)
+ logging_set_loginuid(ftpd_t)
+
+-miscfiles_read_localization(ftpd_t)
+ miscfiles_read_public_files(ftpd_t)
+
+-seutil_dontaudit_search_config(ftpd_t)
+-
+ sysnet_read_config(ftpd_t)
+ sysnet_use_ldap(ftpd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
+ userdom_dontaudit_search_user_home_dirs(ftpd_t)
+
+-tunable_policy(`allow_ftpd_anon_write',`
++tunable_policy(`ftpd_anon_write',`
+ miscfiles_manage_public_files(ftpd_t)
+ ')
+
+-tunable_policy(`allow_ftpd_use_cifs',`
++tunable_policy(`ftpd_use_cifs',`
+ fs_read_cifs_files(ftpd_t)
+ fs_read_cifs_symlinks(ftpd_t)
+ ')
+
+-tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
++tunable_policy(`ftpd_use_cifs && ftpd_anon_write',`
+ fs_manage_cifs_files(ftpd_t)
+ ')
+
+-tunable_policy(`allow_ftpd_use_nfs',`
++tunable_policy(`ftpd_use_nfs',`
+ fs_read_nfs_files(ftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+ ')
+
+-tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
++tunable_policy(`ftpd_use_nfs && ftpd_anon_write',`
+ fs_manage_nfs_files(ftpd_t)
+ ')
+
+-tunable_policy(`allow_ftpd_full_access',`
++tunable_policy(`ftpd_full_access',`
+ allow ftpd_t self:capability { dac_override dac_read_search };
+- files_manage_non_auth_files(ftpd_t)
++ files_manage_non_security_files(ftpd_t)
++')
++
++tunable_policy(`ftpd_use_passive_mode',`
++ corenet_tcp_bind_all_unreserved_ports(ftpd_t)
++')
++
++tunable_policy(`ftpd_connect_all_unreserved',`
++ corenet_tcp_connect_all_unreserved_ports(ftpd_t)
+ ')
+
+ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +306,13 @@ tunable_policy(`ftp_home_dir',`
+ # allow access to /home
+ files_list_home(ftpd_t)
+ userdom_read_user_home_content_files(ftpd_t)
+- userdom_manage_user_home_content_dirs(ftpd_t)
+- userdom_manage_user_home_content_files(ftpd_t)
+- userdom_manage_user_home_content_symlinks(ftpd_t)
+- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
++ userdom_manage_user_home_content(ftpd_t)
++ userdom_manage_user_tmp_files(ftpd_t)
++ userdom_tmp_filetrans_user_tmp(ftpd_t, file)
++',`
++ # Needed for permissive mode, to make sure everything gets labeled correctly
++ userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
++ files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
+ ')
+
+ tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+@@ -309,10 +348,35 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ fail2ban_read_lib_files(ftpd_t)
++')
++
++optional_policy(`
+ selinux_validate_context(ftpd_t)
+
+ kerberos_keytab_template(ftpd, ftpd_t)
+- kerberos_manage_host_rcache(ftpd_t)
++ # this part of auth_use_pam
++ #kerberos_manage_host_rcache(ftpd_t)
++ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
++')
++
++optional_policy(`
++ tunable_policy(`ftpd_connect_db',`
++ mysql_stream_connect(ftpd_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`ftpd_connect_db',`
++ postgresql_stream_connect(ftpd_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`ftpd_connect_db',`
++ mysql_tcp_connect(ftpd_t)
++ postgresql_tcp_connect(ftpd_t)
++ ')
+ ')
+
+ optional_policy(`
+@@ -347,16 +411,17 @@ optional_policy(`
+
+ # Allow ftpdctl to talk to ftpd over a socket connection
+ stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
++files_search_pids(ftpdctl_t)
+
+ # ftpdctl creates a socket so that the daemon can perform
+ # access control decisions (see comments in ftpd_t rules above)
+-allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
++allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
+ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
+
+ # Allow ftpdctl to read config files
+ files_read_etc_files(ftpdctl_t)
+
+-userdom_use_user_terminals(ftpdctl_t)
++userdom_use_inherited_user_terminals(ftpdctl_t)
+
+ ########################################
+ #
+@@ -365,18 +430,34 @@ userdom_use_user_terminals(ftpdctl_t)
+
+ files_read_etc_files(sftpd_t)
+
++
+ # allow read access to /home by default
+ userdom_read_user_home_content_files(sftpd_t)
+ userdom_read_user_home_content_symlinks(sftpd_t)
++userdom_dontaudit_list_admin_dir(sftpd_t)
++
++tunable_policy(`sftpd_full_access',`
++ allow sftpd_t self:capability { dac_override dac_read_search };
++ fs_read_noxattr_fs_files(sftpd_t)
++ files_manage_non_security_files(sftpd_t)
++')
++
++optional_policy(`
++ tunable_policy(`sftpd_write_ssh_home',`
++ ssh_manage_home_files(sftpd_t)
++ ')
++')
+
+ tunable_policy(`sftpd_enable_homedirs',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+
+ # allow access to /home
+ files_list_home(sftpd_t)
+- userdom_manage_user_home_content_files(sftpd_t)
+- userdom_manage_user_home_content_dirs(sftpd_t)
+- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
++ userdom_read_user_home_content_files(sftpd_t)
++ userdom_manage_user_home_content(sftpd_t)
++',`
++ # Needed for permissive mode, to make sure everything gets labeled correctly
++ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
+ ')
+
+ tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -394,19 +475,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+ tunable_policy(`sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+- files_manage_non_auth_files(sftpd_t)
++ files_manage_non_security_files(sftpd_t)
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- # allow read access to /home by default
+- fs_list_cifs(sftpd_t)
+- fs_read_cifs_files(sftpd_t)
+- fs_read_cifs_symlinks(sftpd_t)
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- # allow read access to /home by default
+- fs_list_nfs(sftpd_t)
+- fs_read_nfs_files(sftpd_t)
+- fs_read_nfs_symlinks(ftpd_t)
+-')
++userdom_home_reader(sftpd_t)
+diff --git a/games.te b/games.te
+index b73d33c..ffacbd2 100644
+--- a/games.te
++++ b/games.te
+@@ -75,8 +75,6 @@ init_use_script_ptys(games_srv_t)
+
+ logging_send_syslog_msg(games_srv_t)
+
+-miscfiles_read_localization(games_srv_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
+
+ userdom_dontaudit_search_user_home_dirs(games_srv_t)
+@@ -120,7 +118,6 @@ kernel_read_system_state(games_t)
+
+ corecmd_exec_bin(games_t)
+
+-corenet_all_recvfrom_unlabeled(games_t)
+ corenet_all_recvfrom_netlabel(games_t)
+ corenet_tcp_sendrecv_generic_if(games_t)
+ corenet_udp_sendrecv_generic_if(games_t)
+@@ -151,9 +148,6 @@ init_dontaudit_rw_utmp(games_t)
+
+ logging_dontaudit_search_logs(games_t)
+
+-miscfiles_read_man_pages(games_t)
+-miscfiles_read_localization(games_t)
+-
+ sysnet_read_config(games_t)
+
+ userdom_manage_user_tmp_dirs(games_t)
+@@ -163,7 +157,7 @@ userdom_manage_user_tmp_sockets(games_t)
+ # Suppress .icons denial until properly implemented
+ userdom_dontaudit_read_user_home_content_files(games_t)
+
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`', `
+ allow games_t self:process execmem;
+ ')
+
+diff --git a/gatekeeper.te b/gatekeeper.te
+index 99a94de..8b84eda 100644
+--- a/gatekeeper.te
++++ b/gatekeeper.te
+@@ -33,7 +33,7 @@ allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
+ allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
+ allow gatekeeper_t self:udp_socket create_socket_perms;
+
+-allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
++allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms;
+ allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
+ files_search_etc(gatekeeper_t)
+
+@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(gatekeeper_t)
+
+ corecmd_list_bin(gatekeeper_t)
+
+-corenet_all_recvfrom_unlabeled(gatekeeper_t)
+ corenet_all_recvfrom_netlabel(gatekeeper_t)
+ corenet_tcp_sendrecv_generic_if(gatekeeper_t)
+ corenet_udp_sendrecv_generic_if(gatekeeper_t)
+@@ -79,8 +78,6 @@ fs_search_auto_mountpoints(gatekeeper_t)
+
+ logging_send_syslog_msg(gatekeeper_t)
+
+-miscfiles_read_localization(gatekeeper_t)
+-
+ sysnet_read_config(gatekeeper_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
+diff --git a/gift.te b/gift.te
+index 4975343..1c20b64 100644
+--- a/gift.te
++++ b/gift.te
+@@ -52,7 +52,6 @@ domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
+ kernel_read_system_state(gift_t)
+
+ # Connect to gift daemon
+-corenet_all_recvfrom_unlabeled(gift_t)
+ corenet_all_recvfrom_netlabel(gift_t)
+ corenet_tcp_sendrecv_generic_if(gift_t)
+ corenet_tcp_sendrecv_generic_node(gift_t)
+@@ -67,17 +66,7 @@ sysnet_read_config(gift_t)
+ # giftui looks in .icons, .themes.
+ userdom_dontaudit_read_user_home_content_files(gift_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(gift_t)
+- fs_manage_nfs_files(gift_t)
+- fs_manage_nfs_symlinks(gift_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(gift_t)
+- fs_manage_cifs_files(gift_t)
+- fs_manage_cifs_symlinks(gift_t)
+-')
++userdom_home_manager(gift_t)
+
+ optional_policy(`
+ nscd_socket_use(gift_t)
+@@ -106,7 +95,6 @@ kernel_read_system_state(giftd_t)
+ kernel_read_kernel_sysctls(giftd_t)
+
+ # Serve content on various p2p networks. Ports can be random.
+-corenet_all_recvfrom_unlabeled(giftd_t)
+ corenet_all_recvfrom_netlabel(giftd_t)
+ corenet_tcp_sendrecv_generic_if(giftd_t)
+ corenet_udp_sendrecv_generic_if(giftd_t)
+@@ -125,20 +113,8 @@ files_read_usr_files(giftd_t)
+ # Read /etc/mtab
+ files_read_etc_runtime_files(giftd_t)
+
+-miscfiles_read_localization(giftd_t)
+
+ sysnet_read_config(giftd_t)
+
+-userdom_use_user_terminals(giftd_t)
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(giftd_t)
+- fs_manage_nfs_files(giftd_t)
+- fs_manage_nfs_symlinks(giftd_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(giftd_t)
+- fs_manage_cifs_files(giftd_t)
+- fs_manage_cifs_symlinks(giftd_t)
+-')
++userdom_use_inherited_user_terminals(giftd_t)
++userdom_home_manager(gitd_t)
+diff --git a/git.fc b/git.fc
+index 13e72a7..a4dc0b9 100644
+--- a/git.fc
++++ b/git.fc
+@@ -1,11 +1,15 @@
+ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
+
++/srv/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
++
+ /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+
+ /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
++/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+
+ /var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+
+ /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+ /var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+ /var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+diff --git a/git.if b/git.if
+index b0242d9..407e79d 100644
+--- a/git.if
++++ b/git.if
+@@ -15,9 +15,9 @@
+ ##
+ ##
+ #
+-template(`git_role',`
++template(`git_session_role',`
+ gen_require(`
+- type git_session_t, gitd_exec_t, git_user_content_t;
++ type git_session_t, gitd_exec_t;
+ ')
+
+ ########################################
+@@ -32,19 +32,495 @@ template(`git_role',`
+ # Policy
+ #
+
+- manage_dirs_pattern($2, git_user_content_t, git_user_content_t)
+- relabel_dirs_pattern($2, git_user_content_t, git_user_content_t)
+-
+- exec_files_pattern($2, git_user_content_t, git_user_content_t)
+- manage_files_pattern($2, git_user_content_t, git_user_content_t)
+- relabel_files_pattern($2, git_user_content_t, git_user_content_t)
+-
+- allow $2 git_session_t:process { ptrace signal_perms };
++ allow $2 git_session_t:process signal_perms;
+ ps_process_pattern($2, git_session_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 git_session_t:process ptrace;
++ ')
++
+ tunable_policy(`git_session_users',`
+ domtrans_pattern($2, gitd_exec_t, git_session_t)
+ ',`
+ can_exec($2, gitd_exec_t)
+ ')
+ ')
++
++########################################
++##
++## Create a set of derived types for Git
++## daemon shared repository content.
++##
++##
++##
++## The prefix to be used for deriving type names.
++##
++##
++#
++template(`git_content_template',`
++ gen_require(`
++ attribute git_system_content, git_content;
++ ')
++
++ ########################################
++ #
++ # Git daemon content shared declarations.
++ #
++
++ type git_$1_content_t, git_system_content, git_content;
++ files_type(git_$1_content_t)
++')
++
++########################################
++##
++## Create a set of derived types for Git
++## daemon shared repository roles.
++##
++##
++##
++## The prefix to be used for deriving type names.
++##
++##
++#
++template(`git_role_template',`
++ gen_require(`
++ class context contains;
++ role system_r;
++ ')
++
++ ########################################
++ #
++ # Git daemon role shared declarations.
++ #
++
++ attribute $1_usertype;
++
++ type $1_t;
++ userdom_unpriv_usertype($1, $1_t)
++ domain_type($1_t)
++
++ role $1_r types $1_t;
++ allow system_r $1_r;
++
++ ########################################
++ #
++ # Git daemon role shared policy.
++ #
++
++ allow $1_t self:context contains;
++ allow $1_t self:fifo_file rw_fifo_file_perms;
++
++ corecmd_exec_bin($1_t)
++ corecmd_bin_entry_type($1_t)
++ corecmd_shell_entry_type($1_t)
++
++ domain_interactive_fd($1_t)
++ domain_user_exemption_target($1_t)
++
++ kernel_read_system_state($1_t)
++
++ files_read_etc_files($1_t)
++ files_dontaudit_search_home($1_t)
++
++
++ git_rwx_generic_system_content($1_t)
++
++ ssh_rw_stream_sockets($1_t)
++
++ tunable_policy(`git_system_use_cifs',`
++ fs_exec_cifs_files($1_t)
++ fs_manage_cifs_dirs($1_t)
++ fs_manage_cifs_files($1_t)
++ ')
++
++ tunable_policy(`git_system_use_nfs',`
++ fs_exec_nfs_files($1_t)
++ fs_manage_nfs_dirs($1_t)
++ fs_manage_nfs_files($1_t)
++ ')
++
++ optional_policy(`
++ nscd_read_pid($1_t)
++ ')
++')
++
++#######################################
++##
++## Allow specified domain access to the
++## specified Git daemon content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Type of the object that access is allowed to.
++##
++##
++#
++interface(`git_content_delegation',`
++ gen_require(`
++ type $1, $2;
++ ')
++
++ exec_files_pattern($1, $2, $2)
++ manage_dirs_pattern($1, $2, $2)
++ manage_files_pattern($1, $2, $2)
++ files_search_var_lib($1)
++
++ tunable_policy(`git_system_use_cifs',`
++ fs_exec_cifs_files($1)
++ fs_manage_cifs_dirs($1)
++ fs_manage_cifs_files($1)
++ ')
++
++ tunable_policy(`git_system_use_nfs',`
++ fs_exec_nfs_files($1)
++ fs_manage_nfs_dirs($1)
++ fs_manage_nfs_files($1)
++ ')
++')
++
++########################################
++##
++## Allow the specified domain to manage
++## and execute all Git daemon content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`git_rwx_all_content',`
++ gen_require(`
++ attribute git_content;
++ ')
++
++ exec_files_pattern($1, git_content, git_content)
++ manage_dirs_pattern($1, git_content, git_content)
++ manage_files_pattern($1, git_content, git_content)
++ userdom_search_user_home_dirs($1)
++ files_search_var_lib($1)
++
++ tunable_policy(`git_system_use_cifs',`
++ fs_exec_cifs_files($1)
++ fs_manage_cifs_dirs($1)
++ fs_manage_cifs_files($1)
++ ')
++
++ tunable_policy(`git_system_use_nfs',`
++ fs_exec_nfs_files($1)
++ fs_manage_nfs_dirs($1)
++ fs_manage_nfs_files($1)
++ ')
++')
++
++########################################
++##
++## Allow the specified domain to manage
++## and execute all Git daemon system content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`git_rwx_all_system_content',`
++ gen_require(`
++ attribute git_system_content;
++ ')
++
++ exec_files_pattern($1, git_system_content, git_system_content)
++ manage_dirs_pattern($1, git_system_content, git_system_content)
++ manage_files_pattern($1, git_system_content, git_system_content)
++ files_search_var_lib($1)
++
++ tunable_policy(`git_system_use_cifs',`
++ fs_exec_cifs_files($1)
++ fs_manage_cifs_dirs($1)
++ fs_manage_cifs_files($1)
++ ')
++
++ tunable_policy(`git_system_use_nfs',`
++ fs_exec_nfs_files($1)
++ fs_manage_nfs_dirs($1)
++ fs_manage_nfs_files($1)
++ ')
++')
++
++########################################
++##
++## Allow the specified domain to manage
++## and execute Git daemon generic system content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`git_rwx_generic_system_content',`
++ gen_require(`
++ type git_sys_content_t;
++ ')
++
++ exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
++ manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
++ manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
++ files_search_var_lib($1)
++
++ tunable_policy(`git_system_use_cifs',`
++ fs_exec_cifs_files($1)
++ fs_manage_cifs_dirs($1)
++ fs_manage_cifs_files($1)
++ ')
++
++ tunable_policy(`git_system_use_nfs',`
++ fs_exec_nfs_files($1)
++ fs_manage_nfs_dirs($1)
++ fs_manage_nfs_files($1)
++ ')
++')
++
++########################################
++##
++## Allow the specified domain to read
++## all Git daemon content files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`git_read_all_content_files',`
++ gen_require(`
++ attribute git_content;
++ ')
++
++ list_dirs_pattern($1, git_content, git_content)
++ read_files_pattern($1, git_content, git_content)
++ userdom_search_user_home_dirs($1)
++ files_search_var_lib($1)
++
++ tunable_policy(`git_system_use_cifs',`
++ fs_list_cifs($1)
++ fs_read_cifs_files($1)
++ ')
++
++ tunable_policy(`git_system_use_nfs',`
++ fs_list_nfs($1)
++ fs_read_nfs_files($1)
++ ')
++')
++
++########################################
++##
++## Allow the specified domain to read
++## Git daemon session content files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`git_read_session_content_files',`
++ gen_require(`
++ type git_user_content_t;
++ ')
++
++ list_dirs_pattern($1, git_user_content_t, git_user_content_t)
++ read_files_pattern($1, git_user_content_t, git_user_content_t)
++ userdom_search_user_home_dirs($1)
++')
++
++#######################################
++##
++## Dontaudit the specified domain to read
++## Git daemon session content files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`git_dontaudit_read_session_content_files',`
++ gen_require(`
++ type git_user_content_t;
++ ')
++
++ dontaudit $1 git_user_content_t:file read_file_perms;
++')
++
++########################################
++##
++## Allow the specified domain to read
++## all Git daemon system content files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`git_read_all_system_content_files',`
++ gen_require(`
++ attribute git_system_content;
++ ')
++
++ list_dirs_pattern($1, git_system_content, git_system_content)
++ read_files_pattern($1, git_system_content, git_system_content)
++ files_search_var_lib($1)
++
++ tunable_policy(`git_system_use_cifs',`
++ fs_list_cifs($1)
++ fs_read_cifs_files($1)
++ ')
++
++ tunable_policy(`git_system_use_nfs',`
++ fs_list_nfs($1)
++ fs_read_nfs_files($1)
++ ')
++')
++
++########################################
++##
++## Allow the specified domain to read
++## Git daemon generic system content files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`git_read_generic_system_content_files',`
++ gen_require(`
++ type git_sys_content_t;
++ ')
++
++ list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
++ read_files_pattern($1, git_sys_content_t, git_sys_content_t)
++ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
++ files_search_var_lib($1)
++
++ tunable_policy(`git_system_use_cifs',`
++ fs_list_cifs($1)
++ fs_read_cifs_files($1)
++ ')
++
++ tunable_policy(`git_system_use_nfs',`
++ fs_list_nfs($1)
++ fs_read_nfs_files($1)
++ ')
++')
++
++########################################
++##
++## Allow the specified domain to relabel
++## all Git daemon content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`git_relabel_all_content',`
++ gen_require(`
++ attribute git_content;
++ ')
++
++ relabel_dirs_pattern($1, git_content, git_content)
++ relabel_files_pattern($1, git_content, git_content)
++ userdom_search_user_home_dirs($1)
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Allow the specified domain to relabel
++## all Git daemon system content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`git_relabel_all_system_content',`
++ gen_require(`
++ attribute git_system_content;
++ ')
++
++ relabel_dirs_pattern($1, git_system_content, git_system_content)
++ relabel_files_pattern($1, git_system_content, git_system_content)
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Allow the specified domain to relabel
++## Git daemon generic system content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`git_relabel_generic_system_content',`
++ gen_require(`
++ type git_sys_content_t;
++ ')
++
++ relabel_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
++ relabel_files_pattern($1, git_sys_content_t, git_sys_content_t)
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Allow the specified domain to relabel
++## Git daemon session content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`git_relabel_session_content',`
++ gen_require(`
++ type git_user_content_t;
++ ')
++
++ relabel_dirs_pattern($1, git_user_content_t, git_user_content_t)
++ relabel_files_pattern($1, git_user_content_t, git_user_content_t)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++##
++## Create Git user content with a
++## named file transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`git_filetrans_user_content',`
++ gen_require(`
++ type git_user_content_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
++')
+diff --git a/git.te b/git.te
+index 6e8e1f3..decdda3 100644
+--- a/git.te
++++ b/git.te
+@@ -31,20 +31,21 @@ gen_tunable(git_cgi_use_nfs, false)
+
+ ##
+ ##
+-## Determine whether calling user domains
+-## can execute Git daemon in the
+-## git_session_t domain.
++## Determine whether Git session daemon
++## can bind TCP sockets to all
++## unreserved ports.
+ ##
+ ##
+-gen_tunable(git_session_users, false)
++gen_tunable(git_session_bind_all_unreserved_ports, false)
+
+ ##
+ ##
+-## Determine whether Git session daemons
+-## can send syslog messages.
++## Determine whether calling user domains
++## can execute Git daemon in the
++## git_session_t domain.
+ ##
+ ##
+-gen_tunable(git_session_send_syslog_msg, false)
++gen_tunable(git_session_users, false)
+
+ ##
+ ##
+@@ -71,6 +72,10 @@ gen_tunable(git_system_use_cifs, false)
+ gen_tunable(git_system_use_nfs, false)
+
+ attribute git_daemon;
++attribute git_system_content;
++attribute git_content;
++
++role git_shell_r;
+
+ apache_content_template(git)
+
+@@ -79,13 +84,16 @@ type gitd_exec_t;
+ inetd_service_domain(git_system_t, gitd_exec_t)
+
+ type git_session_t, git_daemon;
+-userdom_user_application_domain(git_session_t, gitd_exec_t)
++application_domain(git_session_t, gitd_exec_t)
++ubac_constrained(git_session_t)
+
+-type git_sys_content_t;
++type git_sys_content_t, git_content, git_system_content;
+ files_type(git_sys_content_t)
++typealias git_sys_content_t alias { git_data_t git_system_content_t };
+
+-type git_user_content_t;
++type git_user_content_t, git_content;
+ userdom_user_home_content(git_user_content_t)
++typealias git_user_content_t alias git_session_content_t;
+
+ ########################################
+ #
+@@ -98,8 +106,9 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+ read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
+ userdom_search_user_home_dirs(git_session_t)
+
++kernel_read_system_state(git_session_t)
++
+ corenet_all_recvfrom_netlabel(git_session_t)
+-corenet_all_recvfrom_unlabeled(git_session_t)
+ corenet_tcp_bind_generic_node(git_session_t)
+ corenet_tcp_sendrecv_generic_if(git_session_t)
+ corenet_tcp_sendrecv_generic_node(git_session_t)
+@@ -112,10 +121,13 @@ auth_use_nsswitch(git_session_t)
+
+ userdom_use_user_terminals(git_session_t)
+
+-tunable_policy(`git_session_send_syslog_msg',`
+- logging_send_syslog_msg(git_session_t)
++tunable_policy(`git_session_bind_all_unreserved_ports',`
++ corenet_tcp_bind_all_unreserved_ports(git_session_t)
++ corenet_sendrecv_generic_server_packets(git_session_t)
+ ')
+
++logging_send_syslog_msg(git_session_t)
++
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(git_session_t)
+ ',`
+@@ -133,10 +145,12 @@ tunable_policy(`use_samba_home_dirs',`
+ # Git system policy
+ #
+
+-list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+-read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
++list_dirs_pattern(git_system_t, git_content, git_content)
++read_files_pattern(git_system_t, git_content, git_content)
+ files_search_var_lib(git_system_t)
+
++kernel_read_system_state(git_system_t)
++
+ auth_use_nsswitch(git_system_t)
+
+ logging_send_syslog_msg(git_system_t)
+@@ -174,8 +188,8 @@ tunable_policy(`git_system_use_nfs',`
+ # Git CGI policy
+ #
+
+-list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+-read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
++list_dirs_pattern(httpd_git_script_t, git_content, git_content)
++read_files_pattern(httpd_git_script_t, git_content, git_content)
+ files_search_var_lib(httpd_git_script_t)
+
+ files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+@@ -217,12 +231,16 @@ tunable_policy(`git_cgi_use_nfs',`
+
+ allow git_daemon self:fifo_file rw_fifo_file_perms;
+
+-kernel_read_system_state(git_daemon)
+-
+ corecmd_exec_bin(git_daemon)
+
+ files_read_usr_files(git_daemon)
+
+ fs_search_auto_mountpoints(git_daemon)
+
+-miscfiles_read_localization(git_daemon)
++
++########################################
++#
++# Git-shell private policy.
++#
++git_role_template(git_shell)
++gen_user(git_shell_u, user, git_shell_r, s0, s0)
+diff --git a/gitosis.fc b/gitosis.fc
+index 24f6441..4de3a6b 100644
+--- a/gitosis.fc
++++ b/gitosis.fc
+@@ -6,4 +6,4 @@ ifdef(`distro_debian',`
+ /usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+ /var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+-/var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
++/var/lib/gitolite(3)?(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+diff --git a/gitosis.te b/gitosis.te
+index 0eb75f4..3607a5b 100644
+--- a/gitosis.te
++++ b/gitosis.te
+@@ -5,6 +5,13 @@ policy_module(gitosis, 1.3.0)
+ # Declarations
+ #
+
++##
++##
++## Allow gitisis daemon to send mail
++##
++##
++gen_tunable(gitosis_can_sendmail, false)
++
+ type gitosis_t;
+ type gitosis_exec_t;
+ application_domain(gitosis_t, gitosis_exec_t)
+@@ -36,6 +43,11 @@ files_read_etc_files(gitosis_t)
+ files_read_usr_files(gitosis_t)
+ files_search_var_lib(gitosis_t)
+
+-miscfiles_read_localization(gitosis_t)
+
+ sysnet_read_config(gitosis_t)
++
++corenet_tcp_bind_all_ports(gitosis_t)
++
++tunable_policy(`gitosis_can_sendmail',`
++ mta_send_mail(gitosis_t)
++')
+diff --git a/glance.if b/glance.if
+index 7ff9d6d..b1c97f2 100644
+--- a/glance.if
++++ b/glance.if
+@@ -1,5 +1,27 @@
+ ## policy for glance
+
++#######################################
++##
++## Creates types and rules for a basic
++## glance daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`glance_basic_types_template',`
++ gen_require(`
++ attribute glance_domain;
++ ')
++
++ type $1_t, glance_domain;
++ type $1_exec_t;
++
++ kernel_read_system_state($1_t)
++')
++
+ ########################################
+ ##
+ ## Transition to glance registry.
+@@ -24,9 +46,9 @@ interface(`glance_domtrans_registry',`
+ ## Transition to glance api.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`glance_domtrans_api',`
+@@ -238,6 +260,10 @@ interface(`glance_admin',`
+
+ allow $1 glance_registry_t:process signal_perms;
+ ps_process_pattern($1, glance_registry_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 glance_registry_t:process ptrace;
++ allow $1 glance_api_t:process ptrace;
++ ')
+
+ allow $1 glance_api_t:process signal_perms;
+ ps_process_pattern($1, glance_api_t)
+diff --git a/glance.te b/glance.te
+index 4afb81f..efff577 100644
+--- a/glance.te
++++ b/glance.te
+@@ -7,8 +7,7 @@ policy_module(glance, 1.0.0)
+
+ attribute glance_domain;
+
+-type glance_registry_t, glance_domain;
+-type glance_registry_exec_t;
++glance_basic_types_template(glance_registry)
+ init_daemon_domain(glance_registry_t, glance_registry_exec_t)
+
+ type glance_registry_initrc_exec_t;
+@@ -17,8 +16,10 @@ init_script_file(glance_registry_initrc_exec_t)
+ type glance_registry_tmp_t;
+ files_tmp_file(glance_registry_tmp_t)
+
+-type glance_api_t, glance_domain;
+-type glance_api_exec_t;
++type glance_registry_tmpfs_t;
++files_tmpfs_file(glance_registry_tmpfs_t)
++
++glance_basic_types_template(glance_api)
+ init_daemon_domain(glance_api_t, glance_api_exec_t)
+
+ type glance_api_initrc_exec_t;
+@@ -54,16 +55,18 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+ manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
+ manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
+
+-kernel_read_system_state(glance_domain)
+-
+ corecmd_exec_bin(glance_domain)
++corecmd_exec_shell(glance_domain)
+
+ dev_read_urand(glance_domain)
+
+ files_read_etc_files(glance_domain)
+ files_read_usr_files(glance_domain)
+
+-miscfiles_read_localization(glance_domain)
++auth_read_passwd(glance_domain)
++
++libs_exec_ldconfig(glance_domain)
++
+
+ optional_policy(`
+ sysnet_dns_name_resolve(glance_domain)
+@@ -78,8 +81,20 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+ manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
+ files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
+
++manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
++manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
++fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })
++
+ corenet_tcp_bind_generic_node(glance_registry_t)
+ corenet_tcp_bind_glance_registry_port(glance_registry_t)
++corenet_tcp_connect_mysqld_port(glance_registry_t)
++corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
++
++logging_send_syslog_msg(glance_registry_t)
++
++optional_policy(`
++ mysql_stream_connect(glance_registry_t)
++')
+
+ ########################################
+ #
+@@ -94,11 +109,15 @@ can_exec(glance_api_t, glance_tmp_t)
+ corecmd_exec_shell(glance_api_t)
+
+ corenet_tcp_bind_generic_node(glance_api_t)
++corenet_tcp_bind_glance_port(glance_api_t)
+ corenet_tcp_bind_hplip_port(glance_api_t)
+ corenet_tcp_connect_glance_registry_port(glance_api_t)
++corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
+
+ dev_read_urand(glance_api_t)
+
+ fs_getattr_xattr_fs(glance_api_t)
+
+-libs_exec_ldconfig(glance_api_t)
++optional_policy(`
++ mysql_stream_connect(glance_api_t)
++')
+diff --git a/glusterd.fc b/glusterd.fc
+new file mode 100644
+index 0000000..6418e39
+--- /dev/null
++++ b/glusterd.fc
+@@ -0,0 +1,16 @@
++
++/etc/rc\.d/init\.d/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
++
++/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_etc_t,s0)
++/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_etc_t,s0)
++
++/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
++/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
++
++/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
++
++/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
++
++/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
++/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
++
+diff --git a/glusterd.if b/glusterd.if
+new file mode 100644
+index 0000000..e15bbb0
+--- /dev/null
++++ b/glusterd.if
+@@ -0,0 +1,146 @@
++
++## policy for glusterd
++
++
++########################################
++##
++## Transition to glusterd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`glusterd_domtrans',`
++ gen_require(`
++ type glusterd_t, glusterd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, glusterd_exec_t, glusterd_t)
++')
++
++
++########################################
++##
++## Execute glusterd server in the glusterd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`glusterd_initrc_domtrans',`
++ gen_require(`
++ type glusterd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
++')
++
++
++########################################
++##
++## Read glusterd's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`glusterd_read_log',`
++ gen_require(`
++ type glusterd_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, glusterd_log_t, glusterd_log_t)
++')
++
++########################################
++##
++## Append to glusterd log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`glusterd_append_log',`
++ gen_require(`
++ type glusterd_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, glusterd_log_t, glusterd_log_t)
++')
++
++########################################
++##
++## Manage glusterd log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`glusterd_manage_log',`
++ gen_require(`
++ type glusterd_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
++ manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
++ manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an glusterd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`glusterd_admin',`
++ gen_require(`
++ type glusterd_t;
++ type glusterd_initrc_exec_t;
++ type glusterd_log_t;
++ type glusterd_tmp_t;
++ type glusterd_etc_t;
++ ')
++
++ allow $1 glusterd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, glusterd_t)
++
++ glusterd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 glusterd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_search_logs($1)
++ admin_pattern($1, glusterd_log_t)
++
++ admin_pattern($1, glusterd_tmp_t)
++
++ admin_pattern($1, glusterd_etc_t)
++
++')
++
+diff --git a/glusterd.te b/glusterd.te
+new file mode 100644
+index 0000000..d35f2b0
+--- /dev/null
++++ b/glusterd.te
+@@ -0,0 +1,101 @@
++policy_module(glusterd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type glusterd_t;
++type glusterd_exec_t;
++init_daemon_domain(glusterd_t, glusterd_exec_t)
++
++type glusterd_etc_t;
++files_type(glusterd_etc_t)
++
++type glusterd_tmp_t;
++files_tmp_file(glusterd_tmp_t)
++
++type glusterd_initrc_exec_t;
++init_script_file(glusterd_initrc_exec_t)
++
++type glusterd_log_t;
++logging_log_file(glusterd_log_t)
++
++type glusterd_var_run_t;
++files_pid_file(glusterd_var_run_t)
++
++type glusterd_var_lib_t;
++files_type(glusterd_var_lib_t);
++
++
++########################################
++#
++# glusterd local policy
++#
++
++allow glusterd_t self:capability { net_bind_service sys_admin dac_override chown dac_read_search fowner };
++allow glusterd_t self:process { setrlimit signal };
++allow glusterd_t self:capability sys_resource;
++
++allow glusterd_t self:fifo_file rw_fifo_file_perms;
++allow glusterd_t self:netlink_route_socket r_netlink_socket_perms;
++allow glusterd_t self:tcp_socket create_stream_socket_perms;
++allow glusterd_t self:udp_socket create_socket_perms;
++allow glusterd_t self:unix_stream_socket create_stream_socket_perms;
++allow glusterd_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
++manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
++manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
++files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
++userdom_user_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
++
++manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
++manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
++logging_log_filetrans(glusterd_t, glusterd_log_t, { dir file })
++
++manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
++manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
++files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
++
++manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
++manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
++files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, { dir file })
++
++manage_dirs_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)
++manage_files_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)
++files_etc_filetrans(glusterd_t, glusterd_etc_t, { dir file }, "glusterfs")
++
++can_exec(glusterd_t, glusterd_exec_t)
++
++kernel_read_system_state(glusterd_t)
++
++corecmd_exec_bin(glusterd_t)
++corecmd_exec_shell(glusterd_t)
++
++domain_use_interactive_fds(glusterd_t)
++
++corenet_tcp_bind_generic_node(glusterd_t)
++corenet_tcp_bind_generic_port(glusterd_t)
++corenet_tcp_bind_all_reserved_ports(glusterd_t)
++corenet_udp_bind_all_rpc_ports(glusterd_t)
++corenet_tcp_connect_unreserved_ports(glusterd_t)
++corenet_udp_bind_generic_node(glusterd_t)
++corenet_udp_bind_ipp_port(glusterd_t)
++
++dev_read_sysfs(glusterd_t)
++dev_read_urand(glusterd_t)
++
++files_read_usr_files(glusterd_t)
++files_rw_pid_dirs(glusterd_t)
++
++# Why is this needed
++#files_manage_urandom_seed(glusterd_t)
++
++auth_use_nsswitch(glusterd_t)
++
++logging_send_syslog_msg(glusterd_t)
++
++sysnet_read_config(glusterd_t)
++
++userdom_manage_user_home_dirs(glusterd_t)
+diff --git a/gnome.fc b/gnome.fc
+index 00a19e3..52e5a3a 100644
+--- a/gnome.fc
++++ b/gnome.fc
+@@ -1,9 +1,57 @@
+-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
++HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
++HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
++HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
++HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+ HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+ HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
++HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
++HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
++HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
++HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
++HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
++HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
++HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++
++/var/run/user/[^/]*/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
++/var/run/user/[^/]*/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++/var/run/user/[^/]*/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
++
++/root/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
++/root/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
++/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++/root/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
++/root/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
++/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
++/root/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
++/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++/root/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
++/root/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
++/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
++/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
++/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+
+ /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+
+ /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
+
+-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
++/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
++
++/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
++
++# Don't use because toolchain is broken
++#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
++
++/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
++
++/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
++/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+diff --git a/gnome.if b/gnome.if
+index f5afe78..69577c7 100644
+--- a/gnome.if
++++ b/gnome.if
+@@ -1,44 +1,1048 @@
+ ## GNU network object model environment (GNOME)
+
+-############################################################
++###########################################################
+ ##
+-## Role access for gnome
++## Role access for gnome
+ ##
+ ##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`gnome_role',`
++ gen_require(`
++ type gconfd_t, gconfd_exec_t;
++ type gconf_tmp_t;
++ ')
++
++ role $1 types gconfd_t;
++
++ domain_auto_trans($2, gconfd_exec_t, gconfd_t)
++ allow gconfd_t $2:fd use;
++ allow gconfd_t $2:fifo_file write;
++ allow gconfd_t $2:unix_stream_socket connectto;
++
++ ps_process_pattern($2, gconfd_t)
++
++ #gnome_stream_connect_gconf_template($1, $2)
++ read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
++ allow $2 gconfd_t:unix_stream_socket connectto;
++')
++
++######################################
++##
++## The role template for the gnome-keyring-daemon.
++##
++##
++##
++## The user prefix.
++##
++##
++##
++##
++## The user role.
++##
++##
++##
++##
++## The user domain associated with the role.
++##
++##
++#
++interface(`gnome_role_gkeyringd',`
++ gen_require(`
++ attribute gkeyringd_domain;
++ attribute gnomedomain;
++ type gnome_home_t;
++ type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
++ class dbus send_msg;
++ ')
++
++ type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
++ typealias $1_gkeyringd_t alias gkeyringd_$1_t;
++ application_domain($1_gkeyringd_t, gkeyringd_exec_t)
++ ubac_constrained($1_gkeyringd_t)
++ domain_user_exemption_target($1_gkeyringd_t)
++
++ userdom_home_manager($1_gkeyringd_t)
++
++ role $2 types $1_gkeyringd_t;
++
++ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
++
++ allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
++ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
++
++ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
++ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
++
++ corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
++ corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
++ allow $1_gkeyringd_t $3:process sigkill;
++ allow $3 $1_gkeyringd_t:fd use;
++ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
++
++ kernel_read_system_state($1_gkeyringd_t)
++
++ ps_process_pattern($1_gkeyringd_t, $3)
++
++ auth_use_nsswitch($1_gkeyringd_t)
++
++ logging_send_syslog_msg($1_gkeyringd_t)
++
++ ps_process_pattern($3, $1_gkeyringd_t)
++ allow $3 $1_gkeyringd_t:process signal_perms;
++ dontaudit $3 gkeyringd_exec_t:file entrypoint;
++
++ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
++
++ allow $1_gkeyringd_t $3:dbus send_msg;
++ allow $3 $1_gkeyringd_t:dbus send_msg;
++ optional_policy(`
++ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
++ dbus_session_bus_client($1_gkeyringd_t)
++ gnome_home_dir_filetrans($1_gkeyringd_t)
++ gnome_manage_generic_home_dirs($1_gkeyringd_t)
++ gnome_read_generic_data_home_files($1_gkeyringd_t)
++ gnome_read_generic_data_home_dirs($1_gkeyringd_t)
++
++ optional_policy(`
++ telepathy_mission_control_read_state($1_gkeyringd_t)
++ ')
++ ')
++')
++
++#######################################
++##
++## Allow domain to run gkeyring in the $1_gkeyringd_t domain.
++##
++##
++##
++## The user prefix.
++##
++##
++##
++##
++## The user role.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_run_gkeyringd',`
++ gen_require(`
++ type $1_gkeyringd_t;
++ type gkeyringd_exec_t;
++ ')
++ role $2 types $1_gkeyringd_t;
++ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
++')
++
++########################################
++##
++## gconf connection template.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_stream_connect_gconf',`
++ gen_require(`
++ type gconfd_t, gconf_tmp_t;
++ ')
++
++ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
++ allow $1 gconfd_t:unix_stream_socket connectto;
++')
++
++########################################
++##
++## Connect to gkeyringd with a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_stream_connect_gkeyringd',`
++ gen_require(`
++ attribute gkeyringd_domain;
++ type gkeyringd_tmp_t;
++ type gconf_tmp_t;
++ type cache_home_t;
++ ')
++
++ allow $1 gconf_tmp_t:dir search_dir_perms;
++ userdom_search_user_tmp_dirs($1)
++ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
++ stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)
++')
++
++########################################
++##
++## Run gconfd in gconfd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_domtrans_gconfd',`
++ gen_require(`
++ type gconfd_t, gconfd_exec_t;
++ ')
++
++ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
++')
++
++########################################
++##
++## Dontaudit read gnome homedir content (.config)
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`gnome_dontaudit_read_config',`
++ gen_require(`
++ attribute gnome_home_type;
++ ')
++
++ dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
++')
++
++########################################
++##
++## Dontaudit search gnome homedir content (.config)
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`gnome_dontaudit_search_config',`
++ gen_require(`
++ attribute gnome_home_type;
++ ')
++
++ dontaudit $1 gnome_home_type:dir search_dir_perms;
++')
++
++########################################
++##
++## Dontaudit write gnome homedir content (.config)
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`gnome_dontaudit_write_config_files',`
++ gen_require(`
++ attribute gnome_home_type;
++ ')
++
++ dontaudit $1 gnome_home_type:file write;
++')
++
++########################################
++##
++## manage gnome homedir content (.config)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_manage_config',`
++ gen_require(`
++ attribute gnome_home_type;
++ ')
++
++ allow $1 gnome_home_type:dir manage_dir_perms;
++ allow $1 gnome_home_type:file manage_file_perms;
++ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
++ allow $1 gnome_home_type:sock_file manage_sock_file_perms;
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++##
++## Send general signals to all gconf domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_signal_all',`
++ gen_require(`
++ attribute gnomedomain;
++ ')
++
++ allow $1 gnomedomain:process signal;
++')
++
++########################################
++##
++## Create objects in a Gnome cache home directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`gnome_cache_filetrans',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
++ filetrans_pattern($1, cache_home_t, $2, $3, $4)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++##
++## Create objects in a Gnome cache home directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`gnome_config_filetrans',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ filetrans_pattern($1, config_home_t, $2, $3, $4)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++##
++## Read generic cache home files (.cache)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_read_generic_cache_files',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
++ read_files_pattern($1, cache_home_t, cache_home_t)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++##
++## Set attributes of cache home dir (.cache)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_setattr_cache_home_dir',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
++ setattr_dirs_pattern($1, cache_home_t, cache_home_t)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++##
++## Manage cache home dir (.cache)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_manage_cache_home_dir',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
++ manage_dirs_pattern($1, cache_home_t, cache_home_t)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++##
++## append to generic cache home files (.cache)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_append_generic_cache_files',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
++ append_files_pattern($1, cache_home_t, cache_home_t)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++##
++## write to generic cache home files (.cache)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_write_generic_cache_files',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
++ write_files_pattern($1, cache_home_t, cache_home_t)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++##
++## Manage a sock_file in the generic cache home files (.cache)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_manage_generic_cache_sockets',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_sock_files_pattern($1, cache_home_t, cache_home_t)
++')
++
++########################################
++##
++## Dontaudit read/write to generic cache home files (.cache)
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`gnome_dontaudit_rw_generic_cache_files',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
++ dontaudit $1 cache_home_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## read gnome homedir content (.config)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_read_config',`
++ gen_require(`
++ attribute gnome_home_type;
++ ')
++
++ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
++ read_files_pattern($1, gnome_home_type, gnome_home_type)
++ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
++')
++
++########################################
++##
++## Create objects in a Gnome gconf home directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`gnome_data_filetrans',`
++ gen_require(`
++ type data_home_t;
++ ')
++
++ filetrans_pattern($1, data_home_t, $2, $3, $4)
++ gnome_search_gconf($1)
++')
++
++#######################################
++##
++## Read generic data home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_read_generic_data_home_files',`
++ gen_require(`
++ type data_home_t, gconf_home_t;
++ ')
++
++ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
++')
++
++######################################
++##
++## Read generic data home dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_read_generic_data_home_dirs',`
++ gen_require(`
++ type data_home_t, gconf_home_t;
++ ')
++
++ list_dirs_pattern($1, { gconf_home_t data_home_t }, data_home_t)
++')
++
++#######################################
++##
++## Manage gconf data home files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_manage_data',`
++ gen_require(`
++ type data_home_t;
++ type gconf_home_t;
++ ')
++
++ allow $1 gconf_home_t:dir search_dir_perms;
++ manage_dirs_pattern($1, data_home_t, data_home_t)
++ manage_files_pattern($1, data_home_t, data_home_t)
++ manage_lnk_files_pattern($1, data_home_t, data_home_t)
++')
++
++########################################
++##
++## Read icc data home content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_read_home_icc_data_content',`
++ gen_require(`
++ type icc_data_home_t, gconf_home_t, data_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
++ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
++ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
++ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
++')
++
++########################################
++##
++## Read inherited icc data home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_read_inherited_home_icc_data_files',`
++ gen_require(`
++ type icc_data_home_t;
++ ')
++
++ allow $1 icc_data_home_t:file read_inherited_file_perms;
++')
++
++########################################
++##
++## Create gconf_home_t objects in the /root directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`gnome_admin_home_gconf_filetrans',`
++ gen_require(`
++ type gconf_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
++')
++
++########################################
++##
++## Do not audit attempts to read
++## inherited gconf config files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
++ gen_require(`
++ type gconf_etc_t;
++ ')
++
++ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
++')
++
++########################################
++##
++## read gconf config files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_read_gconf_config',`
++ gen_require(`
++ type gconf_etc_t;
++ ')
++
++ allow $1 gconf_etc_t:dir list_dir_perms;
++ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
++ files_search_etc($1)
++')
++
++#######################################
++##
++## Manage gconf config files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_manage_gconf_config',`
++ gen_require(`
++ type gconf_etc_t;
++ ')
++
++ allow $1 gconf_etc_t:dir list_dir_perms;
++ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
++')
++
++########################################
++##
++## Execute gconf programs in
++## in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_exec_gconf',`
++ gen_require(`
++ type gconfd_exec_t;
++ ')
++
++ can_exec($1, gconfd_exec_t)
++')
++
++########################################
++##
++## Execute gnome keyringd in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_exec_keyringd',`
++ gen_require(`
++ type gkeyringd_exec_t;
++ ')
++
++ can_exec($1, gkeyringd_exec_t)
++ corecmd_search_bin($1)
++')
++
++########################################
++##
++## Read gconf home files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_read_gconf_home_files',`
++ gen_require(`
++ type gconf_home_t;
++ type data_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 gconf_home_t:dir list_dir_perms;
++ allow $1 data_home_t:dir list_dir_perms;
++ read_files_pattern($1, gconf_home_t, gconf_home_t)
++ read_files_pattern($1, data_home_t, data_home_t)
++ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
++ read_lnk_files_pattern($1, data_home_t, data_home_t)
++')
++
++########################################
++##
++## Search gkeyringd temporary directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_search_gkeyringd_tmp_dirs',`
++ gen_require(`
++ type gkeyringd_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
++')
++
++########################################
++##
++## List gkeyringd temporary directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_list_gkeyringd_tmp_dirs',`
++ gen_require(`
++ type gkeyringd_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 gkeyringd_tmp_t:dir list_dir_perms;
++')
++
++#######################################
++##
++## Manage gkeyringd temporary directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_manage_gkeyringd_tmp_dirs',`
++ gen_require(`
++ type gkeyringd_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
++')
++
++########################################
++##
++## search gconf homedir (.local)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_search_gconf',`
++ gen_require(`
++ type gconf_home_t;
++ ')
++
++ allow $1 gconf_home_t:dir search_dir_perms;
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++##
++## Set attributes of Gnome config dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_setattr_config_dirs',`
++ gen_require(`
++ type gnome_home_t;
++ ')
++
++ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
++ files_search_home($1)
++')
++
++########################################
++##
++## Manage generic gnome home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_manage_generic_home_files',`
++ gen_require(`
++ type gnome_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, gnome_home_t, gnome_home_t)
++')
++
++########################################
++##
++## Manage generic gnome home directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_manage_generic_home_dirs',`
++ gen_require(`
++ type gnome_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 gnome_home_t:dir manage_dir_perms;
++')
++
++########################################
++##
++## Append gconf home files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_append_gconf_home_files',`
++ gen_require(`
++ type gconf_home_t;
++ ')
++
++ append_files_pattern($1, gconf_home_t, gconf_home_t)
++')
++
++########################################
++##
++## manage gconf home files
++##
++##
+ ##
+-## Role allowed access
++## Domain allowed access.
+ ##
+ ##
++#
++interface(`gnome_manage_gconf_home_files',`
++ gen_require(`
++ type gconf_home_t;
++ ')
++
++ allow $1 gconf_home_t:dir list_dir_perms;
++ manage_files_pattern($1, gconf_home_t, gconf_home_t)
++')
++
++########################################
++##
++## Connect to gnome over a unix stream socket.
++##
+ ##
+ ##
+-## User domain for the role
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the user domain.
+ ##
+ ##
+ #
+-interface(`gnome_role',`
++interface(`gnome_stream_connect',`
+ gen_require(`
+- type gconfd_t, gconfd_exec_t;
+- type gconf_tmp_t;
++ attribute gnome_home_type;
+ ')
+
+- role $1 types gconfd_t;
++ # Connect to pulseaudit server
++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
++')
++
++########################################
++##
++## list gnome homedir content (.config)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_list_home_config',`
++ gen_require(`
++ type config_home_t;
++ ')
+
+- domain_auto_trans($2, gconfd_exec_t, gconfd_t)
+- allow gconfd_t $2:fd use;
+- allow gconfd_t $2:fifo_file write;
+- allow gconfd_t $2:unix_stream_socket connectto;
++ allow $1 config_home_t:dir list_dir_perms;
++')
+
+- ps_process_pattern($2, gconfd_t)
++########################################
++##
++## Set attributes of gnome homedir content (.config)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_setattr_home_config',`
++ gen_require(`
++ type config_home_t;
++ ')
+
+- #gnome_stream_connect_gconf_template($1, $2)
+- read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
+- allow $2 gconfd_t:unix_stream_socket connectto;
++ setattr_dirs_pattern($1, config_home_t, config_home_t)
++ userdom_search_user_home_dirs($1)
+ ')
+
+ ########################################
+ ##
+-## Execute gconf programs in
+-## in the caller domain.
++## read gnome homedir content (.config)
+ ##
+ ##
+ ##
+@@ -46,37 +1050,91 @@ interface(`gnome_role',`
+ ##
+ ##
+ #
+-interface(`gnome_exec_gconf',`
++interface(`gnome_read_home_config',`
+ gen_require(`
+- type gconfd_exec_t;
++ type config_home_t;
+ ')
+
+- can_exec($1, gconfd_exec_t)
++ list_dirs_pattern($1, config_home_t, config_home_t)
++ read_files_pattern($1, config_home_t, config_home_t)
++ read_lnk_files_pattern($1, config_home_t, config_home_t)
++')
++
++#######################################
++##
++## delete gnome homedir content (.config)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_delete_home_config',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ delete_files_pattern($1, config_home_t, config_home_t)
++')
++
++#######################################
++##
++## setattr gnome homedir content (.config)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_setattr_home_config_dirs',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ setattr_dirs_pattern($1, config_home_t, config_home_t)
+ ')
+
+ ########################################
+ ##
+-## Read gconf config files.
++## manage gnome homedir content (.config)
+ ##
+-##
++##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-template(`gnome_read_gconf_config',`
++interface(`gnome_manage_home_config',`
+ gen_require(`
+- type gconf_etc_t;
++ type config_home_t;
+ ')
+
+- allow $1 gconf_etc_t:dir list_dir_perms;
+- read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+- files_search_etc($1)
++ manage_files_pattern($1, config_home_t, config_home_t)
+ ')
+
+ #######################################
+ ##
+-## Create, read, write, and delete gconf config files.
++## delete gnome homedir content (.config)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_delete_home_config_dirs',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ delete_dirs_pattern($1, config_home_t, config_home_t)
++')
++
++########################################
++##
++## manage gnome homedir content (.config)
+ ##
+ ##
+ ##
+@@ -84,37 +1142,107 @@ template(`gnome_read_gconf_config',`
+ ##
+ ##
+ #
+-interface(`gnome_manage_gconf_config',`
++interface(`gnome_manage_home_config_dirs',`
+ gen_require(`
+- type gconf_etc_t;
++ type config_home_t;
+ ')
+
+- manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+- files_search_etc($1)
++ manage_dirs_pattern($1, config_home_t, config_home_t)
+ ')
+
+ ########################################
+ ##
+-## gconf connection template.
++## manage gstreamer home content files.
+ ##
+-##
++##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`gnome_stream_connect_gconf',`
++interface(`gnome_manage_gstreamer_home_files',`
+ gen_require(`
+- type gconfd_t, gconf_tmp_t;
++ type gstreamer_home_t;
+ ')
+
+- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+- allow $1 gconfd_t:unix_stream_socket connectto;
++ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
++ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
++ gnome_filetrans_gstreamer_home_content($1)
++')
++
++######################################
++##
++## Allow to execute gstreamer home content files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_exec_gstreamer_home_files',`
++ gen_require(`
++ type gstreamer_home_t;
++ ')
++
++ can_exec($1, gstreamer_home_t)
++')
++
++#######################################
++##
++## file name transition gstreamer home content files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_filetrans_gstreamer_home_content',`
++ gen_require(`
++ type gstreamer_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
++ userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12")
++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10")
++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0")
++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2")
++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-10")
++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-12")
++')
++
++#######################################
++##
++## manage gstreamer home content files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_manage_gstreamer_home_dirs',`
++ gen_require(`
++ type gstreamer_home_t;
++ ')
++
++ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
+ ')
+
+ ########################################
+ ##
+-## Run gconfd in gconfd domain.
++## Read/Write all inherited gnome home config
+ ##
+ ##
+ ##
+@@ -122,17 +1250,36 @@ interface(`gnome_stream_connect_gconf',`
+ ##
+ ##
+ #
+-interface(`gnome_domtrans_gconfd',`
++interface(`gnome_rw_inherited_config',`
+ gen_require(`
+- type gconfd_t, gconfd_exec_t;
++ attribute gnome_home_type;
+ ')
+
+- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
++ allow $1 gnome_home_type:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Set attributes of Gnome config dirs.
++## Dontaudit Read/Write all inherited gnome home config
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`gnome_dontaudit_rw_inherited_config',`
++ gen_require(`
++ attribute gnome_home_type;
++ ')
++
++ dontaudit $1 gnome_home_type:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Send and receive messages from
++## gconf system service over dbus.
+ ##
+ ##
+ ##
+@@ -140,51 +1287,279 @@ interface(`gnome_domtrans_gconfd',`
+ ##
+ ##
+ #
+-interface(`gnome_setattr_config_dirs',`
++interface(`gnome_dbus_chat_gconfdefault',`
+ gen_require(`
+- type gnome_home_t;
++ type gconfdefaultsm_t;
++ class dbus send_msg;
+ ')
+
+- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+- files_search_home($1)
++ allow $1 gconfdefaultsm_t:dbus send_msg;
++ allow gconfdefaultsm_t $1:dbus send_msg;
+ ')
+
+ ########################################
+ ##
+-## Read gnome homedir content (.config)
++## Send and receive messages from
++## gkeyringd over dbus.
+ ##
+-##
++##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-template(`gnome_read_config',`
++interface(`gnome_dbus_chat_gkeyringd',`
+ gen_require(`
+- type gnome_home_t;
++ attribute gkeyringd_domain;
++ class dbus send_msg;
+ ')
+
+- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
+- read_files_pattern($1, gnome_home_t, gnome_home_t)
+- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
++ allow $1 gkeyringd_domain:dbus send_msg;
++ allow gkeyringd_domain $1:dbus send_msg;
+ ')
+
+ ########################################
+ ##
+-## manage gnome homedir content (.config)
++## Send signull signal to gkeyringd processes.
+ ##
+-##
++##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`gnome_manage_config',`
++interface(`gnome_signull_gkeyringd',`
++ gen_require(`
++ attribute gkeyringd_domain;
++ ')
++
++ allow $1 gkeyringd_domain:process signull;
++')
++
++########################################
++##
++## Allow the domain to read gkeyringd state files in /proc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_read_gkeyringd_state',`
++ gen_require(`
++ attribute gkeyringd_domain;
++ ')
++
++ ps_process_pattern($1, gkeyringd_domain)
++')
++
++########################################
++##
++## Create directories in user home directories
++## with the gnome home file type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_home_dir_filetrans',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+- allow $1 gnome_home_t:dir manage_dir_perms;
+- allow $1 gnome_home_t:file manage_file_perms;
++ userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
+ userdom_search_user_home_dirs($1)
+ ')
++
++######################################
++##
++## Allow read kde config content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_read_usr_config',`
++ gen_require(`
++ type config_usr_t;
++ ')
++
++ files_search_usr($1)
++ list_dirs_pattern($1, config_usr_t, config_usr_t)
++ read_files_pattern($1, config_usr_t, config_usr_t)
++ read_lnk_files_pattern($1, config_usr_t, config_usr_t)
++')
++
++#######################################
++##
++## Allow manage kde config content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_manage_usr_config',`
++ gen_require(`
++ type config_usr_t;
++ ')
++
++ files_search_usr($1)
++ manage_dirs_pattern($1, config_usr_t, config_usr_t)
++ manage_files_pattern($1, config_usr_t, config_usr_t)
++ manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
++')
++
++########################################
++##
++## Execute gnome-keyring in the user gkeyring domain
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`gnome_transition_gkeyringd',`
++ gen_require(`
++ attribute gkeyringd_domain;
++ ')
++
++ allow $1 gkeyringd_domain:process transition;
++ dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
++ allow gkeyringd_domain $1:process { sigchld signull };
++ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
++## Create gnome content in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_filetrans_home_content',`
++
++gen_require(`
++ type config_home_t;
++ type cache_home_t;
++ type dbus_home_t;
++ type gconf_home_t;
++ type gnome_home_t;
++ type data_home_t, icc_data_home_t;
++ type gkeyringd_gnome_home_t;
++')
++
++ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
++ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
++ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
++ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
++ userdom_user_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
++ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
++ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
++ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
++ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
++ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
++ userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
++
++ # ~/.color/icc: legacy
++ userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
++ filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
++ filetrans_pattern($1, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
++ filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
++ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
++ userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
++ gnome_filetrans_gstreamer_home_content($1)
++')
++
++########################################
++##
++## Create gnome directory in the /root directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_filetrans_admin_home_content',`
++
++gen_require(`
++ type config_home_t;
++ type cache_home_t;
++ type dbus_home_t;
++ type gstreamer_home_t;
++ type gconf_home_t;
++ type gnome_home_t;
++ type icc_data_home_t;
++')
++
++ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".config")
++ userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
++ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
++ userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
++ userdom_admin_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
++ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
++ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
++ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
++ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
++ userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
++ gnome_filetrans_gstreamer_home_content($1)
++ # /root/.color/icc: legacy
++ userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
++')
++
++#####################################
++##
++## Execute gnome-keyring executable
++## in the specified domain.
++##
++##
++##
++## Execute a telepathy executable
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++## This interface was added to handle
++## the ssh-agent policy.
++##
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`gnome_command_domtrans_gkeyringd', `
++ gen_require(`
++ type gkeyringd_exec_t;
++ ')
++
++ allow $2 gkeyringd_exec_t:file entrypoint;
++ domain_transition_pattern($1, gkeyringd_exec_t, $2)
++ type_transition $1 gkeyringd_exec_t:process $2;
++')
+diff --git a/gnome.te b/gnome.te
+index 783c5fb..7757943 100644
+--- a/gnome.te
++++ b/gnome.te
+@@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0)
+ #
+
+ attribute gnomedomain;
++attribute gnome_home_type;
++attribute gkeyringd_domain;
+
+ type gconf_etc_t;
+ files_config_file(gconf_etc_t)
+
+-type gconf_home_t;
++type data_home_t, gnome_home_type;
++userdom_user_home_content(data_home_t)
++
++type config_home_t, gnome_home_type;
++userdom_user_home_content(config_home_t)
++
++type cache_home_t, gnome_home_type;
++userdom_user_home_content(cache_home_t)
++
++type gstreamer_home_t, gnome_home_type;
++userdom_user_home_content(gstreamer_home_t)
++
++type dbus_home_t, gnome_home_type;
++userdom_user_home_content(dbus_home_t)
++
++type icc_data_home_t, gnome_home_type;
++userdom_user_home_content(icc_data_home_t)
++
++type gconf_home_t, gnome_home_type;
+ typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
+ typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
+ typealias gconf_home_t alias unconfined_gconf_home_t;
+@@ -28,12 +48,33 @@ typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
+ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+ userdom_user_application_domain(gconfd_t, gconfd_exec_t)
+
+-type gnome_home_t;
++type gnome_home_t, gnome_home_type;
+ typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
+ typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
+ typealias gnome_home_t alias unconfined_gnome_home_t;
+ userdom_user_home_content(gnome_home_t)
+
++# type KDE /usr/share/config files
++type config_usr_t;
++files_type(config_usr_t)
++
++type gkeyringd_exec_t;
++corecmd_executable_file(gkeyringd_exec_t)
++
++type gkeyringd_gnome_home_t;
++userdom_user_home_content(gkeyringd_gnome_home_t)
++
++type gkeyringd_tmp_t;
++userdom_user_tmp_content(gkeyringd_tmp_t)
++
++type gconfdefaultsm_t;
++type gconfdefaultsm_exec_t;
++init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
++
++type gnomesystemmm_t;
++type gnomesystemmm_exec_t;
++init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
++
+ ##############################
+ #
+ # Local Policy
+@@ -57,7 +98,6 @@ dev_read_urand(gconfd_t)
+
+ files_read_etc_files(gconfd_t)
+
+-miscfiles_read_localization(gconfd_t)
+
+ logging_send_syslog_msg(gconfd_t)
+
+@@ -73,3 +113,163 @@ optional_policy(`
+ xserver_use_xdm_fds(gconfd_t)
+ xserver_rw_xdm_pipes(gconfd_t)
+ ')
++
++#######################################
++#
++# gconf-defaults-mechanisms local policy
++#
++
++allow gconfdefaultsm_t self:capability { dac_override sys_nice };
++allow gconfdefaultsm_t self:process getsched;
++allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
++
++corecmd_search_bin(gconfdefaultsm_t)
++
++files_read_etc_files(gconfdefaultsm_t)
++files_read_usr_files(gconfdefaultsm_t)
++
++
++gnome_manage_gconf_home_files(gconfdefaultsm_t)
++gnome_manage_gconf_config(gconfdefaultsm_t)
++
++userdom_read_all_users_state(gconfdefaultsm_t)
++userdom_search_user_home_dirs(gconfdefaultsm_t)
++
++userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
++
++optional_policy(`
++ consolekit_dbus_chat(gconfdefaultsm_t)
++')
++
++optional_policy(`
++ dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
++')
++
++optional_policy(`
++ nscd_dontaudit_search_pid(gconfdefaultsm_t)
++')
++
++optional_policy(`
++ policykit_domtrans_auth(gconfdefaultsm_t)
++ policykit_dbus_chat(gconfdefaultsm_t)
++ policykit_read_lib(gconfdefaultsm_t)
++ policykit_read_reload(gconfdefaultsm_t)
++')
++
++userdom_home_manager(gconfdefaultsm_t)
++
++#######################################
++#
++# gnome-system-monitor-mechanisms local policy
++#
++
++allow gnomesystemmm_t self:capability sys_nice;
++allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
++
++rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t)
++
++kernel_read_system_state(gnomesystemmm_t)
++
++corecmd_search_bin(gnomesystemmm_t)
++
++domain_kill_all_domains(gnomesystemmm_t)
++domain_search_all_domains_state(gnomesystemmm_t)
++domain_setpriority_all_domains(gnomesystemmm_t)
++domain_signal_all_domains(gnomesystemmm_t)
++domain_sigstop_all_domains(gnomesystemmm_t)
++
++files_read_etc_files(gnomesystemmm_t)
++files_read_usr_files(gnomesystemmm_t)
++
++fs_getattr_xattr_fs(gnomesystemmm_t)
++
++auth_read_passwd(gnomesystemmm_t)
++
++logging_send_syslog_msg(gnomesystemmm_t)
++
++userdom_read_all_users_state(gnomesystemmm_t)
++userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
++
++optional_policy(`
++ consolekit_dbus_chat(gnomesystemmm_t)
++')
++
++optional_policy(`
++ dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
++')
++
++optional_policy(`
++ gnome_read_home_config(gnomesystemmm_t)
++')
++
++optional_policy(`
++ nscd_dontaudit_search_pid(gnomesystemmm_t)
++')
++
++optional_policy(`
++ policykit_dbus_chat(gnomesystemmm_t)
++ policykit_domtrans_auth(gnomesystemmm_t)
++ policykit_read_lib(gnomesystemmm_t)
++ policykit_read_reload(gnomesystemmm_t)
++')
++
++######################################
++#
++# gnome-keyring-daemon local policy
++#
++
++allow gkeyringd_domain self:capability ipc_lock;
++allow gkeyringd_domain self:process { getcap getsched setcap signal };
++allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
++allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
++
++allow gkeyringd_domain config_home_t:file write;
++
++manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
++manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
++filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir)
++
++manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
++manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
++files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
++userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
++
++kernel_read_crypto_sysctls(gkeyringd_domain)
++
++corecmd_search_bin(gkeyringd_domain)
++
++dev_read_rand(gkeyringd_domain)
++dev_read_urand(gkeyringd_domain)
++dev_read_sysfs(gkeyringd_domain)
++
++files_read_etc_files(gkeyringd_domain)
++files_read_usr_files(gkeyringd_domain)
++# for nscd?
++files_search_pids(gkeyringd_domain)
++
++fs_getattr_xattr_fs(gkeyringd_domain)
++fs_getattr_tmpfs(gkeyringd_domain)
++
++userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, dir)
++
++optional_policy(`
++ xserver_append_xdm_home_files(gkeyringd_domain)
++ xserver_read_xdm_home_files(gkeyringd_domain)
++ xserver_use_xdm_fds(gkeyringd_domain)
++')
++
++optional_policy(`
++ gnome_read_home_config(gkeyringd_domain)
++ gnome_read_generic_cache_files(gkeyringd_domain)
++ gnome_write_generic_cache_files(gkeyringd_domain)
++ gnome_manage_cache_home_dir(gkeyringd_domain)
++ gnome_manage_generic_cache_sockets(gkeyringd_domain)
++')
++
++optional_policy(`
++ ssh_read_user_home_files(gkeyringd_domain)
++')
++
++domain_use_interactive_fds(gnomedomain)
++
++userdom_use_inherited_user_terminals(gnomedomain)
+diff --git a/gnomeclock.fc b/gnomeclock.fc
+index 462de63..5d92f4e 100644
+--- a/gnomeclock.fc
++++ b/gnomeclock.fc
+@@ -1,2 +1,7 @@
++/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
++
+ /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
++/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
++
++/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+diff --git a/gnomeclock.if b/gnomeclock.if
+index 671d8fd..25c7ab8 100644
+--- a/gnomeclock.if
++++ b/gnomeclock.if
+@@ -63,3 +63,24 @@ interface(`gnomeclock_dbus_chat',`
+ allow $1 gnomeclock_t:dbus send_msg;
+ allow gnomeclock_t $1:dbus send_msg;
+ ')
++
++########################################
++##
++## Do not audit send and receive messages from
++## gnomeclock over dbus.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`gnomeclock_dontaudit_dbus_chat',`
++ gen_require(`
++ type gnomeclock_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 gnomeclock_t:dbus send_msg;
++ dontaudit gnomeclock_t $1:dbus send_msg;
++')
+diff --git a/gnomeclock.te b/gnomeclock.te
+index 4fde46b..d58acfc 100644
+--- a/gnomeclock.te
++++ b/gnomeclock.te
+@@ -7,38 +7,84 @@ policy_module(gnomeclock, 1.0.0)
+
+ type gnomeclock_t;
+ type gnomeclock_exec_t;
+-dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
++init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
+
+ ########################################
+ #
+ # gnomeclock local policy
+ #
+
+-allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
+-allow gnomeclock_t self:process { getattr getsched };
++allow gnomeclock_t self:capability { sys_nice sys_time dac_override };
++allow gnomeclock_t self:process { getattr getsched signal };
+ allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
+ allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
++allow gnomeclock_t self:unix_dgram_socket create_socket_perms;
++
++kernel_read_system_state(gnomeclock_t)
+
+ corecmd_exec_bin(gnomeclock_t)
++corecmd_exec_shell(gnomeclock_t)
++corecmd_dontaudit_access_check_bin(gnomeclock_t)
++
++corenet_tcp_connect_time_port(gnomeclock_t)
++
++dev_rw_realtime_clock(gnomeclock_t)
++dev_read_urand(gnomeclock_t)
++dev_write_kmsg(gnomeclock_t)
++dev_read_sysfs(gnomeclock_t)
+
+-files_read_etc_files(gnomeclock_t)
++files_read_etc_runtime_files(gnomeclock_t)
+ files_read_usr_files(gnomeclock_t)
+
++fs_getattr_xattr_fs(gnomeclock_t)
++
+ auth_use_nsswitch(gnomeclock_t)
+
+-clock_domtrans(gnomeclock_t)
++init_dbus_chat(gnomeclock_t)
++
++logging_stream_connect_syslog(gnomeclock_t)
++logging_send_syslog_msg(gnomeclock_t)
+
+-miscfiles_read_localization(gnomeclock_t)
+ miscfiles_manage_localization(gnomeclock_t)
+ miscfiles_etc_filetrans_localization(gnomeclock_t)
+
+ userdom_read_all_users_state(gnomeclock_t)
+
+ optional_policy(`
++ chronyd_systemctl(gnomeclock_t)
++')
++
++optional_policy(`
++ clock_read_adjtime(gnomeclock_t)
++ clock_domtrans(gnomeclock_t)
++')
++
++optional_policy(`
+ consolekit_dbus_chat(gnomeclock_t)
+ ')
+
+ optional_policy(`
++ consoletype_exec(gnomeclock_t)
++')
++
++optional_policy(`
++dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
++')
++
++optional_policy(`
++ gnome_manage_usr_config(gnomeclock_t)
++ gnome_manage_home_config(gnomeclock_t)
++')
++
++optional_policy(`
++ ntp_domtrans_ntpdate(gnomeclock_t)
++ ntp_initrc_domtrans(gnomeclock_t)
++ init_dontaudit_getattr_all_script_files(gnomeclock_t)
++ init_dontaudit_getattr_exec(gnomeclock_t)
++ ntp_systemctl(gnomeclock_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(gnomeclock_t)
+ policykit_domtrans_auth(gnomeclock_t)
+ policykit_read_lib(gnomeclock_t)
+diff --git a/gpg.fc b/gpg.fc
+index 5207fc2..c02fa56 100644
+--- a/gpg.fc
++++ b/gpg.fc
+@@ -1,10 +1,13 @@
+ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+ HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+
++/etc/mail/spamassassin/sa-update-keys(/.*)? gen_context(system_u:object_r:gpg_secret_t,s0)
++
++/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
++
+ /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
+ /usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
+ /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+-/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
+ /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
+
+ /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+diff --git a/gpg.if b/gpg.if
+index 6d50300..2f0feca 100644
+--- a/gpg.if
++++ b/gpg.if
+@@ -54,15 +54,16 @@ interface(`gpg_role',`
+ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+
++ allow gpg_pinentry_t $2:fifo_file { read write };
++
+ optional_policy(`
+ gpg_pinentry_dbus_chat($2)
+ ')
+
++ allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
+ ifdef(`hide_broken_symptoms',`
+ #Leaked File Descriptors
+- dontaudit gpg_t $2:socket_class_set { getattr read write };
+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+- dontaudit gpg_agent_t $2:socket_class_set { getattr read write };
+ dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
+ ')
+ ')
+@@ -85,13 +86,13 @@ interface(`gpg_domtrans',`
+ domtrans_pattern($1, gpg_exec_t, gpg_t)
+ ')
+
+-########################################
++######################################
+ ##
+-## Execute the gpg application without transitioning
++## Execute gpg in the caller domain.
+ ##
+ ##
+ ##
+-## Domain allowed to execute gpg
++## Domain allowed access.
+ ##
+ ##
+ #
+@@ -100,9 +101,47 @@ interface(`gpg_exec',`
+ type gpg_exec_t;
+ ')
+
++ corecmd_search_bin($1)
+ can_exec($1, gpg_exec_t)
+ ')
+
++######################################
++##
++## Transition to a gpg web domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gpg_domtrans_web',`
++ gen_require(`
++ type gpg_web_t, gpg_exec_t;
++ ')
++
++ domtrans_pattern($1, gpg_exec_t, gpg_web_t)
++')
++
++######################################
++##
++## Make gpg an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which cifs_t is an entrypoint.
++##
++##
++#
++interface(`gpg_entry_type',`
++ gen_require(`
++ type gpg_exec_t;
++ ')
++
++ domain_entry_file($1, gpg_exec_t)
++')
++
+ ########################################
+ ##
+ ## Send generic signals to user gpg processes.
+@@ -179,3 +218,21 @@ interface(`gpg_list_user_secrets',`
+ list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
+ userdom_search_user_home_dirs($1)
+ ')
++
++########################################
++##
++## Transition to gpg named home content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gpg_filetrans_home_content',`
++ gen_require(`
++ type gpg_secret_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
++')
+diff --git a/gpg.te b/gpg.te
+index 72a113e..29063e5 100644
+--- a/gpg.te
++++ b/gpg.te
+@@ -4,6 +4,7 @@ policy_module(gpg, 2.6.0)
+ #
+ # Declarations
+ #
++attribute gpgdomain;
+
+ ##
+ ##
+@@ -13,23 +14,34 @@ policy_module(gpg, 2.6.0)
+ ##
+ gen_tunable(gpg_agent_env_file, false)
+
+-type gpg_t;
++##
++##
++## Allow gpg web domain to modify public files
++## used for public file transfer services.
++##
++##
++gen_tunable(gpg_web_anon_write, false)
++
++type gpg_t, gpgdomain;
+ type gpg_exec_t;
+ typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
+ typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
+-userdom_user_application_domain(gpg_t, gpg_exec_t)
++application_domain(gpg_t, gpg_exec_t)
++ubac_constrained(gpg_t)
+ role system_r types gpg_t;
+
+ type gpg_agent_t;
+ type gpg_agent_exec_t;
+ typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
+ typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
+-userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
++application_domain(gpg_agent_t, gpg_agent_exec_t)
++ubac_constrained(gpg_agent_t)
+
+ type gpg_agent_tmp_t;
+ typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
+ typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
+-userdom_user_tmp_file(gpg_agent_tmp_t)
++files_tmp_file(gpg_agent_tmp_t)
++ubac_constrained(gpg_agent_tmp_t)
+
+ type gpg_secret_t;
+ typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
+@@ -40,32 +52,43 @@ type gpg_helper_t;
+ type gpg_helper_exec_t;
+ typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
+ typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
+-userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t)
++application_domain(gpg_helper_t, gpg_helper_exec_t)
++ubac_constrained(gpg_helper_t)
+ role system_r types gpg_helper_t;
+
+ type gpg_pinentry_t;
+ type pinentry_exec_t;
+ typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
+ typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
+-userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t)
++application_domain(gpg_pinentry_t, pinentry_exec_t)
++ubac_constrained(gpg_pinentry_t)
+
+ type gpg_pinentry_tmp_t;
+-userdom_user_tmp_file(gpg_pinentry_tmp_t)
++files_tmp_file(gpg_pinentry_tmp_t)
++ubac_constrained(gpg_pinentry_tmp_t)
+
+ type gpg_pinentry_tmpfs_t;
+-userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
++files_tmpfs_file(gpg_pinentry_tmpfs_t)
++ubac_constrained(gpg_pinentry_tmpfs_t)
++
++type gpg_web_t;
++domain_type(gpg_web_t)
++gpg_entry_type(gpg_web_t)
++role system_r types gpg_web_t;
+
+ ########################################
+ #
+ # GPG local policy
+ #
+
+-allow gpg_t self:capability { ipc_lock setuid };
+-# setrlimit is for ulimit -c 0
+-allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };
++allow gpgdomain self:capability { ipc_lock setuid };
++allow gpgdomain self:process { getsched setsched };
++#at setrlimit is for ulimit -c 0
++allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
++dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;
+
+-allow gpg_t self:fifo_file rw_fifo_file_perms;
+-allow gpg_t self:tcp_socket create_stream_socket_perms;
++allow gpgdomain self:fifo_file rw_fifo_file_perms;
++allow gpgdomain self:tcp_socket create_stream_socket_perms;
+
+ manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+@@ -77,16 +100,16 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+ domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+
+ allow gpg_t gpg_secret_t:dir create_dir_perms;
++manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+ manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+ manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+-userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
++userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
+
+ kernel_read_sysctl(gpg_t)
+
+ corecmd_exec_shell(gpg_t)
+ corecmd_exec_bin(gpg_t)
+
+-corenet_all_recvfrom_unlabeled(gpg_t)
+ corenet_all_recvfrom_netlabel(gpg_t)
+ corenet_tcp_sendrecv_generic_if(gpg_t)
+ corenet_udp_sendrecv_generic_if(gpg_t)
+@@ -106,7 +129,6 @@ fs_list_inotifyfs(gpg_t)
+
+ domain_use_interactive_fds(gpg_t)
+
+-files_read_etc_files(gpg_t)
+ files_read_usr_files(gpg_t)
+ files_dontaudit_search_var(gpg_t)
+
+@@ -114,24 +136,23 @@ auth_use_nsswitch(gpg_t)
+
+ logging_send_syslog_msg(gpg_t)
+
+-miscfiles_read_localization(gpg_t)
+-
+-userdom_use_user_terminals(gpg_t)
++userdom_use_inherited_user_terminals(gpg_t)
+ # sign/encrypt user files
+-userdom_manage_user_tmp_files(gpg_t)
++userdom_manage_all_user_tmp_content(gpg_t)
++#userdom_manage_user_home_content(gpg_t)
+ userdom_manage_user_home_content_files(gpg_t)
++userdom_manage_user_home_content_dirs(gpg_t)
+ userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
++userdom_stream_connect(gpg_t)
+
+-mta_write_config(gpg_t)
++mta_manage_config(gpg_t)
++mta_read_spool(gpg_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(gpg_t)
+- fs_manage_nfs_files(gpg_t)
+-')
++userdom_home_manager(gpg_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(gpg_t)
+- fs_manage_cifs_files(gpg_t)
++optional_policy(`
++ gnome_read_config(gpg_t)
++ gnome_stream_connect_gkeyringd(gpg_t)
+ ')
+
+ optional_policy(`
+@@ -140,15 +161,19 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- xserver_use_xdm_fds(gpg_t)
+- xserver_rw_xdm_pipes(gpg_t)
++ spamassassin_read_spamd_tmp_files(gpg_t)
+ ')
+
+ optional_policy(`
+- cron_system_entry(gpg_t, gpg_exec_t)
+- cron_read_system_job_tmp_files(gpg_t)
++ xserver_use_xdm_fds(gpg_t)
++ xserver_rw_xdm_pipes(gpg_t)
+ ')
+
++#optional_policy(`
++# cron_system_entry(gpg_t, gpg_exec_t)
++# cron_read_system_job_tmp_files(gpg_t)
++#')
++
+ ########################################
+ #
+ # GPG helper local policy
+@@ -166,7 +191,6 @@ allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
+
+ dontaudit gpg_helper_t gpg_secret_t:file read;
+
+-corenet_all_recvfrom_unlabeled(gpg_helper_t)
+ corenet_all_recvfrom_netlabel(gpg_helper_t)
+ corenet_tcp_sendrecv_generic_if(gpg_helper_t)
+ corenet_raw_sendrecv_generic_if(gpg_helper_t)
+@@ -180,11 +204,10 @@ corenet_tcp_bind_generic_node(gpg_helper_t)
+ corenet_udp_bind_generic_node(gpg_helper_t)
+ corenet_tcp_connect_all_ports(gpg_helper_t)
+
+-files_read_etc_files(gpg_helper_t)
+
+ auth_use_nsswitch(gpg_helper_t)
+
+-userdom_use_user_terminals(gpg_helper_t)
++userdom_use_inherited_user_terminals(gpg_helper_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(gpg_helper_t)
+@@ -198,15 +221,17 @@ tunable_policy(`use_samba_home_dirs',`
+ #
+ # GPG agent local policy
+ #
++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
+ # rlimit: gpg-agent wants to prevent coredumps
+ allow gpg_agent_t self:process setrlimit;
+
+-allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
++allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
+ allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+
+ # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+ manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
++manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+ manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+ manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+
+@@ -223,43 +248,34 @@ corecmd_read_bin_symlinks(gpg_agent_t)
+ corecmd_search_bin(gpg_agent_t)
+ corecmd_exec_shell(gpg_agent_t)
+
++dev_read_rand(gpg_agent_t)
+ dev_read_urand(gpg_agent_t)
+
+ domain_use_interactive_fds(gpg_agent_t)
+
+ fs_dontaudit_list_inotifyfs(gpg_agent_t)
+
+-miscfiles_read_localization(gpg_agent_t)
+
+ # Write to the user domain tty.
+-userdom_use_user_terminals(gpg_agent_t)
++userdom_use_inherited_user_terminals(gpg_agent_t)
+ # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+ userdom_search_user_home_dirs(gpg_agent_t)
+
+ ifdef(`hide_broken_symptoms',`
+ userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
++ userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
+ ')
+
+ tunable_policy(`gpg_agent_env_file',`
+ # write ~/.gpg-agent-info or a similar to the users home dir
+ # or subdir (gpg-agent --write-env-file option)
+ #
+- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
++ userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file })
+ userdom_manage_user_home_content_dirs(gpg_agent_t)
+ userdom_manage_user_home_content_files(gpg_agent_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(gpg_agent_t)
+- fs_manage_nfs_files(gpg_agent_t)
+- fs_manage_nfs_symlinks(gpg_agent_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(gpg_agent_t)
+- fs_manage_cifs_files(gpg_agent_t)
+- fs_manage_cifs_symlinks(gpg_agent_t)
+-')
++userdom_home_manager(gpg_agent_t)
+
+ optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
+@@ -294,10 +310,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+ # read /proc/meminfo
+ kernel_read_system_state(gpg_pinentry_t)
+
++corecmd_exec_shell(gpg_pinentry_t)
+ corecmd_exec_bin(gpg_pinentry_t)
+
+ corenet_all_recvfrom_netlabel(gpg_pinentry_t)
+-corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
+ corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
+ corenet_tcp_bind_generic_node(gpg_pinentry_t)
+ corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
+@@ -310,7 +326,6 @@ dev_read_rand(gpg_pinentry_t)
+
+ files_read_usr_files(gpg_pinentry_t)
+ # read /etc/X11/qtrc
+-files_read_etc_files(gpg_pinentry_t)
+
+ fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
+ fs_getattr_tmpfs(gpg_pinentry_t)
+@@ -320,18 +335,19 @@ auth_use_nsswitch(gpg_pinentry_t)
+ logging_send_syslog_msg(gpg_pinentry_t)
+
+ miscfiles_read_fonts(gpg_pinentry_t)
+-miscfiles_read_localization(gpg_pinentry_t)
+
+ # for .Xauthority
+ userdom_read_user_home_content_files(gpg_pinentry_t)
+ userdom_read_user_tmpfs_files(gpg_pinentry_t)
++# Bug: user pulseaudio files need open,read and unlink:
++allow gpg_pinentry_t user_tmpfs_t:file unlink;
++userdom_signull_unpriv_users(gpg_pinentry_t)
++userdom_use_user_terminals(gpg_pinentry_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(gpg_pinentry_t)
+-')
++userdom_home_reader(gpg_pinentry_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(gpg_pinentry_t)
++optional_policy(`
++ gnome_read_home_config(gpg_pinentry_t)
+ ')
+
+ optional_policy(`
+@@ -340,6 +356,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_write_generic_cache_files(gpg_pinentry_t)
++ gnome_read_generic_cache_files(gpg_pinentry_t)
++ gnome_read_gconf_home_files(gpg_pinentry_t)
++')
++
++optional_policy(`
+ pulseaudio_exec(gpg_pinentry_t)
+ pulseaudio_rw_home_files(gpg_pinentry_t)
+ pulseaudio_setattr_home_dir(gpg_pinentry_t)
+@@ -349,4 +371,27 @@ optional_policy(`
+
+ optional_policy(`
+ xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
++
++')
++
++#############################
++#
++# gpg web local policy
++#
++
++allow gpg_web_t self:process setrlimit;
++
++dev_read_rand(gpg_web_t)
++dev_read_urand(gpg_web_t)
++
++can_exec(gpg_web_t, gpg_exec_t)
++
++files_read_usr_files(gpg_web_t)
++
++
++apache_dontaudit_rw_tmp_files(gpg_web_t)
++apache_manage_sys_content_rw(gpg_web_t)
++
++tunable_policy(`gpg_web_anon_write',`
++ miscfiles_manage_public_files(gpg_web_t)
+ ')
+diff --git a/gpm.if b/gpm.if
+index 7d97298..d6b2959 100644
+--- a/gpm.if
++++ b/gpm.if
+@@ -16,8 +16,8 @@ interface(`gpm_stream_connect',`
+ type gpmctl_t, gpm_t;
+ ')
+
+- allow $1 gpmctl_t:sock_file rw_sock_file_perms;
+- allow $1 gpm_t:unix_stream_socket connectto;
++ dev_list_all_dev_nodes($1)
++ stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)
+ ')
+
+ ########################################
+@@ -37,7 +37,7 @@ interface(`gpm_getattr_gpmctl',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 gpmctl_t:sock_file getattr;
++ allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ ')
+
+ ########################################
+@@ -57,7 +57,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
+ type gpmctl_t;
+ ')
+
+- dontaudit $1 gpmctl_t:sock_file getattr;
++ dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ ')
+
+ ########################################
+@@ -77,5 +77,5 @@ interface(`gpm_setattr_gpmctl',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 gpmctl_t:sock_file setattr;
++ allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
+ ')
+diff --git a/gpm.te b/gpm.te
+index a627b34..0120907 100644
+--- a/gpm.te
++++ b/gpm.te
+@@ -10,7 +10,7 @@ type gpm_exec_t;
+ init_daemon_domain(gpm_t, gpm_exec_t)
+
+ type gpm_conf_t;
+-files_type(gpm_conf_t)
++files_config_file(gpm_conf_t)
+
+ type gpm_tmp_t;
+ files_tmp_file(gpm_tmp_t)
+@@ -65,10 +65,9 @@ domain_use_interactive_fds(gpm_t)
+
+ logging_send_syslog_msg(gpm_t)
+
+-miscfiles_read_localization(gpm_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(gpm_t)
+ userdom_dontaudit_search_user_home_dirs(gpm_t)
++userdom_use_inherited_user_terminals(gpm_t)
+
+ optional_policy(`
+ seutil_sigchld_newrole(gpm_t)
+diff --git a/gpsd.te b/gpsd.te
+index 03742d8..4fefc6e 100644
+--- a/gpsd.te
++++ b/gpsd.te
+@@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t)
+ # gpsd local policy
+ #
+
+-allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
+-allow gpsd_t self:process setsched;
++allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
++dontaudit gpsd_t self:capability { dac_read_search dac_override };
++allow gpsd_t self:process { setsched signal_perms };
+ allow gpsd_t self:shm create_shm_perms;
+ allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow gpsd_t self:tcp_socket create_stream_socket_perms;
+@@ -38,22 +39,34 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+ manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+ files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
+
+-corenet_all_recvfrom_unlabeled(gpsd_t)
++kernel_list_proc(gpsd_t)
++kernel_request_load_module(gpsd_t)
++
+ corenet_all_recvfrom_netlabel(gpsd_t)
+ corenet_tcp_sendrecv_generic_if(gpsd_t)
+ corenet_tcp_sendrecv_generic_node(gpsd_t)
+ corenet_tcp_sendrecv_all_ports(gpsd_t)
+-corenet_tcp_bind_all_nodes(gpsd_t)
++corenet_tcp_bind_generic_node(gpsd_t)
+ corenet_tcp_bind_gpsd_port(gpsd_t)
+
++dev_read_sysfs(gpsd_t)
++dev_rw_realtime_clock(gpsd_t)
++
++domain_dontaudit_read_all_domains_state(gpsd_t)
++
+ term_use_unallocated_ttys(gpsd_t)
+ term_setattr_unallocated_ttys(gpsd_t)
++term_use_usb_ttys(gpsd_t)
+
+ auth_use_nsswitch(gpsd_t)
+
+ logging_send_syslog_msg(gpsd_t)
+
+-miscfiles_read_localization(gpsd_t)
++optional_policy(`
++ chronyd_rw_shm(gpsd_t)
++ chronyd_stream_connect(gpsd_t)
++ chronyd_dgram_send(gpsd_t)
++')
+
+ optional_policy(`
+ dbus_system_bus_client(gpsd_t)
+diff --git a/guest.te b/guest.te
+index 1cb7311..1de82b2 100644
+--- a/guest.te
++++ b/guest.te
+@@ -9,9 +9,15 @@ role guest_r;
+
+ userdom_restricted_user_template(guest)
+
++kernel_read_system_state(guest_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+-#gen_user(guest_u,, guest_r, s0, s0)
++optional_policy(`
++ apache_role(guest_r, guest_t)
++')
++
++gen_user(guest_u, user, guest_r, s0, s0)
+diff --git a/hadoop.if b/hadoop.if
+index 2d0b4e1..6649814 100644
+--- a/hadoop.if
++++ b/hadoop.if
+@@ -89,7 +89,6 @@ template(`hadoop_domain_template',`
+ corecmd_exec_bin(hadoop_$1_t)
+ corecmd_exec_shell(hadoop_$1_t)
+
+- corenet_all_recvfrom_unlabeled(hadoop_$1_t)
+ corenet_all_recvfrom_netlabel(hadoop_$1_t)
+ corenet_tcp_bind_all_nodes(hadoop_$1_t)
+ corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
+@@ -120,7 +119,6 @@ template(`hadoop_domain_template',`
+ logging_send_audit_msgs(hadoop_$1_t)
+ logging_send_syslog_msg(hadoop_$1_t)
+
+- miscfiles_read_localization(hadoop_$1_t)
+
+ sysnet_read_config(hadoop_$1_t)
+
+@@ -191,7 +189,6 @@ template(`hadoop_domain_template',`
+ logging_send_syslog_msg(hadoop_$1_initrc_t)
+ logging_send_audit_msgs(hadoop_$1_initrc_t)
+
+- miscfiles_read_localization(hadoop_$1_initrc_t)
+
+ userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)
+
+@@ -224,14 +221,21 @@ interface(`hadoop_role',`
+ hadoop_domtrans($2)
+ role $1 types hadoop_t;
+
+- allow $2 hadoop_t:process { ptrace signal_perms };
++ allow $2 hadoop_t:process signal_perms;
+ ps_process_pattern($2, hadoop_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 hadoop_t:process ptrace;
++ ')
+
+ hadoop_domtrans_zookeeper_client($2)
+ role $1 types zookeeper_t;
+
+- allow $2 zookeeper_t:process { ptrace signal_perms };
++ allow $2 zookeeper_t:process signal_perms;
+ ps_process_pattern($2, zookeeper_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 zookeeper_t:process ptrace;
++ ')
++
+ ')
+
+ ########################################
+diff --git a/hadoop.te b/hadoop.te
+index c81c58a..86e3d1d 100644
+--- a/hadoop.te
++++ b/hadoop.te
+@@ -123,7 +123,6 @@ kernel_read_system_state(hadoop_t)
+ corecmd_exec_bin(hadoop_t)
+ corecmd_exec_shell(hadoop_t)
+
+-corenet_all_recvfrom_unlabeled(hadoop_t)
+ corenet_all_recvfrom_netlabel(hadoop_t)
+ corenet_tcp_sendrecv_generic_if(hadoop_t)
+ corenet_udp_sendrecv_generic_if(hadoop_t)
+@@ -151,20 +150,22 @@ dev_read_urand(hadoop_t)
+ domain_use_interactive_fds(hadoop_t)
+
+ files_dontaudit_search_spool(hadoop_t)
+-files_read_etc_files(hadoop_t)
+ files_read_usr_files(hadoop_t)
+
+ fs_getattr_xattr_fs(hadoop_t)
+
+-miscfiles_read_localization(hadoop_t)
++auth_use_nsswitch(hadoop_t)
+
+-sysnet_read_config(hadoop_t)
+
+-userdom_use_user_terminals(hadoop_t)
++userdom_use_inherited_user_terminals(hadoop_t)
+
+-java_exec(hadoop_t)
++optional_policy(`
++ java_exec(hadoop_t)
++')
+
+-kerberos_use(hadoop_t)
++optional_policy(`
++ kerberos_use(hadoop_t)
++')
+
+ optional_policy(`
+ nis_use_ypbind(hadoop_t)
+@@ -311,7 +312,6 @@ kernel_read_system_state(zookeeper_t)
+ corecmd_exec_bin(zookeeper_t)
+ corecmd_exec_shell(zookeeper_t)
+
+-corenet_all_recvfrom_unlabeled(zookeeper_t)
+ corenet_all_recvfrom_netlabel(zookeeper_t)
+ corenet_tcp_sendrecv_generic_if(zookeeper_t)
+ corenet_udp_sendrecv_generic_if(zookeeper_t)
+@@ -333,20 +333,18 @@ dev_read_urand(zookeeper_t)
+
+ domain_use_interactive_fds(zookeeper_t)
+
+-files_read_etc_files(zookeeper_t)
+ files_read_usr_files(zookeeper_t)
+
+-miscfiles_read_localization(zookeeper_t)
++auth_use_nsswitch(zookeeper_t)
++
+
+ sysnet_read_config(zookeeper_t)
+
+-userdom_use_user_terminals(zookeeper_t)
++userdom_use_inherited_user_terminals(zookeeper_t)
+ userdom_dontaudit_search_user_home_dirs(zookeeper_t)
+
+-java_exec(zookeeper_t)
+-
+ optional_policy(`
+- nscd_socket_use(zookeeper_t)
++ java_exec(zookeeper_t)
+ ')
+
+ ########################################
+@@ -393,7 +391,6 @@ kernel_read_system_state(zookeeper_server_t)
+ corecmd_exec_bin(zookeeper_server_t)
+ corecmd_exec_shell(zookeeper_server_t)
+
+-corenet_all_recvfrom_unlabeled(zookeeper_server_t)
+ corenet_all_recvfrom_netlabel(zookeeper_server_t)
+ corenet_tcp_sendrecv_generic_if(zookeeper_server_t)
+ corenet_udp_sendrecv_generic_if(zookeeper_server_t)
+@@ -421,15 +418,14 @@ dev_read_rand(zookeeper_server_t)
+ dev_read_sysfs(zookeeper_server_t)
+ dev_read_urand(zookeeper_server_t)
+
+-files_read_etc_files(zookeeper_server_t)
+ files_read_usr_files(zookeeper_server_t)
+
+ fs_getattr_xattr_fs(zookeeper_server_t)
+
+ logging_send_syslog_msg(zookeeper_server_t)
+
+-miscfiles_read_localization(zookeeper_server_t)
+-
+ sysnet_read_config(zookeeper_server_t)
+
+-java_exec(zookeeper_server_t)
++optional_policy(`
++ java_exec(zookeeper_server_t)
++')
+diff --git a/hal.if b/hal.if
+index 7cf6763..9d2be6b 100644
+--- a/hal.if
++++ b/hal.if
+@@ -69,7 +69,9 @@ interface(`hal_ptrace',`
+ type hald_t;
+ ')
+
+- allow $1 hald_t:process ptrace;
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 hald_t:process ptrace;
++ ')
+ ')
+
+ ########################################
+@@ -431,3 +433,22 @@ interface(`hal_manage_pid_files',`
+ files_search_pids($1)
+ manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
+ ')
++
++#######################################
++##
++## Do not audit attempts to read
++## hald PID files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`hal_dontaudit_read_pid_files',`
++ gen_require(`
++ type hald_var_run_t;
++ ')
++
++ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
++')
+diff --git a/hal.te b/hal.te
+index e0476cb..0caa5ba 100644
+--- a/hal.te
++++ b/hal.te
+@@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
+ type hald_var_lib_t;
+ files_type(hald_var_lib_t)
+
++typealias hald_log_t alias pmtools_log_t;
++typealias hald_var_run_t alias pmtools_var_run_t;
++
+ ########################################
+ #
+ # Local policy
+@@ -61,7 +64,7 @@ files_type(hald_var_lib_t)
+
+ # execute openvt which needs setuid
+ allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+-dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
++dontaudit hald_t self:capability sys_tty_config;
+ allow hald_t self:process { getsched getattr signal_perms };
+ allow hald_t self:fifo_file rw_fifo_file_perms;
+ allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -99,6 +102,7 @@ kernel_read_fs_sysctls(hald_t)
+ kernel_rw_irq_sysctls(hald_t)
+ kernel_rw_vm_sysctls(hald_t)
+ kernel_write_proc_files(hald_t)
++kernel_rw_net_sysctls(hald_t)
+ kernel_search_network_sysctl(hald_t)
+ kernel_setsched(hald_t)
+ kernel_request_load_module(hald_t)
+@@ -107,7 +111,6 @@ auth_read_pam_console_data(hald_t)
+
+ corecmd_exec_all_executables(hald_t)
+
+-corenet_all_recvfrom_unlabeled(hald_t)
+ corenet_all_recvfrom_netlabel(hald_t)
+ corenet_tcp_sendrecv_generic_if(hald_t)
+ corenet_udp_sendrecv_generic_if(hald_t)
+@@ -139,7 +142,6 @@ domain_read_all_domains_state(hald_t)
+ domain_dontaudit_ptrace_all_domains(hald_t)
+
+ files_exec_etc_files(hald_t)
+-files_read_etc_files(hald_t)
+ files_rw_etc_runtime_files(hald_t)
+ files_manage_mnt_dirs(hald_t)
+ files_manage_mnt_files(hald_t)
+@@ -201,7 +203,6 @@ logging_send_audit_msgs(hald_t)
+ logging_send_syslog_msg(hald_t)
+ logging_search_logs(hald_t)
+
+-miscfiles_read_localization(hald_t)
+ miscfiles_read_hwdata(hald_t)
+
+ modutils_domtrans_insmod(hald_t)
+@@ -372,7 +373,6 @@ dev_setattr_generic_usb_dev(hald_acl_t)
+ dev_setattr_usbfs_files(hald_acl_t)
+
+ files_read_usr_files(hald_acl_t)
+-files_read_etc_files(hald_acl_t)
+
+ fs_getattr_all_fs(hald_acl_t)
+
+@@ -385,8 +385,6 @@ auth_use_nsswitch(hald_acl_t)
+
+ logging_send_syslog_msg(hald_acl_t)
+
+-miscfiles_read_localization(hald_acl_t)
+-
+ optional_policy(`
+ policykit_dbus_chat(hald_acl_t)
+ policykit_domtrans_auth(hald_acl_t)
+@@ -418,14 +416,11 @@ dev_write_raw_memory(hald_mac_t)
+ dev_read_sysfs(hald_mac_t)
+
+ files_read_usr_files(hald_mac_t)
+-files_read_etc_files(hald_mac_t)
+
+ auth_use_nsswitch(hald_mac_t)
+
+ logging_send_syslog_msg(hald_mac_t)
+
+-miscfiles_read_localization(hald_mac_t)
+-
+ ########################################
+ #
+ # Local hald sonypic policy
+@@ -446,7 +441,6 @@ write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)
+
+ files_read_usr_files(hald_sonypic_t)
+
+-miscfiles_read_localization(hald_sonypic_t)
+
+ ########################################
+ #
+@@ -465,10 +459,8 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
+
+ dev_rw_input_dev(hald_keymap_t)
+
+-files_read_etc_files(hald_keymap_t)
+ files_read_usr_files(hald_keymap_t)
+
+-miscfiles_read_localization(hald_keymap_t)
+
+ ########################################
+ #
+@@ -504,7 +496,6 @@ kernel_search_network_sysctl(hald_dccm_t)
+
+ dev_read_urand(hald_dccm_t)
+
+-corenet_all_recvfrom_unlabeled(hald_dccm_t)
+ corenet_all_recvfrom_netlabel(hald_dccm_t)
+ corenet_tcp_sendrecv_generic_if(hald_dccm_t)
+ corenet_udp_sendrecv_generic_if(hald_dccm_t)
+@@ -518,14 +509,12 @@ corenet_udp_bind_dhcpc_port(hald_dccm_t)
+ corenet_tcp_bind_ftp_port(hald_dccm_t)
+ corenet_tcp_bind_dccm_port(hald_dccm_t)
+
+-logging_send_syslog_msg(hald_dccm_t)
+-
+ files_read_usr_files(hald_dccm_t)
+
+-miscfiles_read_localization(hald_dccm_t)
+-
+ hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
+
++logging_send_syslog_msg(hald_dccm_t)
++
+ optional_policy(`
+ dbus_system_bus_client(hald_dccm_t)
+ ')
+diff --git a/hddtemp.if b/hddtemp.if
+index 87b4531..901d905 100644
+--- a/hddtemp.if
++++ b/hddtemp.if
+@@ -60,8 +60,11 @@ interface(`hddtemp_admin',`
+ type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
+ ')
+
+- allow $1 hddtemp_t:process { ptrace signal_perms };
++ allow $1 hddtemp_t:process signal_perms;
+ ps_process_pattern($1, hddtemp_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 hddtemp_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -69,9 +72,5 @@ interface(`hddtemp_admin',`
+ allow $2 system_r;
+
+ admin_pattern($1, hddtemp_etc_t)
+- files_search_etc($1)
+-
+- allow $1 hddtemp_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)
+- kernel_search_proc($1)
++ files_list_etc($1)
+ ')
+diff --git a/hddtemp.te b/hddtemp.te
+index c234b32..41d985d 100644
+--- a/hddtemp.te
++++ b/hddtemp.te
+@@ -28,7 +28,6 @@ allow hddtemp_t self:udp_socket create_socket_perms;
+
+ allow hddtemp_t hddtemp_etc_t:file read_file_perms;
+
+-corenet_all_recvfrom_unlabeled(hddtemp_t)
+ corenet_all_recvfrom_netlabel(hddtemp_t)
+ corenet_tcp_sendrecv_generic_if(hddtemp_t)
+ corenet_tcp_sendrecv_generic_node(hddtemp_t)
+@@ -38,12 +37,13 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
+ corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
+ corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
+
+-files_search_etc(hddtemp_t)
++files_read_etc_files(hddtemp_t)
+ files_read_usr_files(hddtemp_t)
+
+ storage_raw_read_fixed_disk(hddtemp_t)
+-
++storage_raw_read_removable_device(hddtemp_t)
+ logging_send_syslog_msg(hddtemp_t)
+
+-miscfiles_read_localization(hddtemp_t)
+-
++optional_policy(`
++ sysnet_dns_name_resolve(hddtemp_t)
++')
+diff --git a/howl.te b/howl.te
+index 6ad2d3c..b23d54a 100644
+--- a/howl.te
++++ b/howl.te
+@@ -33,7 +33,6 @@ kernel_request_load_module(howl_t)
+ kernel_list_proc(howl_t)
+ kernel_read_proc_symlinks(howl_t)
+
+-corenet_all_recvfrom_unlabeled(howl_t)
+ corenet_all_recvfrom_netlabel(howl_t)
+ corenet_tcp_sendrecv_generic_if(howl_t)
+ corenet_udp_sendrecv_generic_if(howl_t)
+@@ -60,8 +59,6 @@ init_rw_utmp(howl_t)
+
+ logging_send_syslog_msg(howl_t)
+
+-miscfiles_read_localization(howl_t)
+-
+ sysnet_read_config(howl_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(howl_t)
+diff --git a/i18n_input.te b/i18n_input.te
+index 5fc89c4..087c2d0 100644
+--- a/i18n_input.te
++++ b/i18n_input.te
+@@ -36,7 +36,6 @@ can_exec(i18n_input_t, i18n_input_exec_t)
+ kernel_read_kernel_sysctls(i18n_input_t)
+ kernel_read_system_state(i18n_input_t)
+
+-corenet_all_recvfrom_unlabeled(i18n_input_t)
+ corenet_all_recvfrom_netlabel(i18n_input_t)
+ corenet_tcp_sendrecv_generic_if(i18n_input_t)
+ corenet_udp_sendrecv_generic_if(i18n_input_t)
+@@ -68,22 +67,11 @@ init_stream_connect_script(i18n_input_t)
+
+ logging_send_syslog_msg(i18n_input_t)
+
+-miscfiles_read_localization(i18n_input_t)
+-
+ sysnet_read_config(i18n_input_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
+ userdom_read_user_home_content_files(i18n_input_t)
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(i18n_input_t)
+- fs_read_nfs_symlinks(i18n_input_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(i18n_input_t)
+- fs_read_cifs_symlinks(i18n_input_t)
+-')
++userdom_home_reader(i18n_input_t)
+
+ optional_policy(`
+ canna_stream_connect(i18n_input_t)
+diff --git a/icecast.if b/icecast.if
+index ecab47a..6eddc6d 100644
+--- a/icecast.if
++++ b/icecast.if
+@@ -173,7 +173,11 @@ interface(`icecast_admin',`
+ type icecast_t, icecast_initrc_exec_t;
+ ')
+
++ allow $1 icecast_t:process signal_perms;
+ ps_process_pattern($1, icecast_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 icecast_t:process ptrace;
++ ')
+
+ # Allow icecast_t to restart the apache service
+ icecast_initrc_domtrans($1)
+@@ -184,5 +188,4 @@ interface(`icecast_admin',`
+ icecast_manage_pid_files($1)
+
+ icecast_manage_log($1)
+-
+ ')
+diff --git a/icecast.te b/icecast.te
+index fdb7e9a..b910581 100644
+--- a/icecast.te
++++ b/icecast.te
+@@ -5,6 +5,14 @@ policy_module(icecast, 1.1.0)
+ # Declarations
+ #
+
++##
++##
++## Allow icecast to connect to all ports, not just
++## sound ports.
++##
++##
++gen_tunable(icecast_connect_any, false)
++
+ type icecast_t;
+ type icecast_exec_t;
+ init_daemon_domain(icecast_t, icecast_exec_t)
+@@ -39,18 +47,24 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
+
+ kernel_read_system_state(icecast_t)
+
++dev_read_sysfs(icecast_t)
++dev_read_urand(icecast_t)
++dev_read_rand(icecast_t)
++
+ corenet_tcp_bind_soundd_port(icecast_t)
++corenet_tcp_connect_soundd_port(icecast_t)
++
++tunable_policy(`icecast_connect_any',`
++ corenet_tcp_connect_all_ports(icecast_t)
++ corenet_tcp_bind_all_ports(icecast_t)
++ corenet_sendrecv_all_client_packets(icecast_t)
++')
+
+ # Init script handling
+ domain_use_interactive_fds(icecast_t)
+
+-files_read_etc_files(icecast_t)
+-
+ auth_use_nsswitch(icecast_t)
+
+-miscfiles_read_localization(icecast_t)
+-
+-sysnet_dns_name_resolve(icecast_t)
+
+ optional_policy(`
+ apache_read_sys_content(icecast_t)
+diff --git a/ifplugd.if b/ifplugd.if
+index dfb4232..35343f8 100644
+--- a/ifplugd.if
++++ b/ifplugd.if
+@@ -113,11 +113,11 @@ interface(`ifplugd_read_pid_files',`
+ #
+ interface(`ifplugd_admin',`
+ gen_require(`
+- type ifplugd_t, ifplugd_etc_t;
+- type ifplugd_var_run_t, ifplugd_initrc_exec_t;
++ type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t;
++ type ifplugd_initrc_exec_t;
+ ')
+
+- allow $1 ifplugd_t:process { ptrace signal_perms };
++ allow $1 ifplugd_t:process signal_perms;
+ ps_process_pattern($1, ifplugd_t)
+
+ init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
+diff --git a/ifplugd.te b/ifplugd.te
+index 978c32f..05927a7 100644
+--- a/ifplugd.te
++++ b/ifplugd.te
+@@ -11,7 +11,7 @@ init_daemon_domain(ifplugd_t, ifplugd_exec_t)
+
+ # config files
+ type ifplugd_etc_t;
+-files_type(ifplugd_etc_t)
++files_config_file(ifplugd_etc_t)
+
+ type ifplugd_initrc_exec_t;
+ init_script_file(ifplugd_initrc_exec_t)
+@@ -26,7 +26,7 @@ files_pid_file(ifplugd_var_run_t)
+ #
+
+ allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
+-dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace };
++dontaudit ifplugd_t self:capability sys_tty_config;
+ allow ifplugd_t self:process { signal signull };
+ allow ifplugd_t self:fifo_file rw_fifo_file_perms;
+ allow ifplugd_t self:tcp_socket create_stream_socket_perms;
+@@ -54,15 +54,14 @@ corecmd_exec_bin(ifplugd_t)
+ # reading of hardware information
+ dev_read_sysfs(ifplugd_t)
+
++#domain_read_all_domains_state(ifplugd_t)
+ domain_read_confined_domains_state(ifplugd_t)
+-domain_dontaudit_read_all_domains_state(ifplugd_t)
++#domain_dontaudit_read_all_domains_state(ifplugd_t)
+
+ auth_use_nsswitch(ifplugd_t)
+
+ logging_send_syslog_msg(ifplugd_t)
+
+-miscfiles_read_localization(ifplugd_t)
+-
+ netutils_domtrans(ifplugd_t)
+ # transition to ifconfig & dhcpc
+ sysnet_domtrans_ifconfig(ifplugd_t)
+diff --git a/imaze.fc b/imaze.fc
+index 8d455ba..58729cb 100644
+--- a/imaze.fc
++++ b/imaze.fc
+@@ -1,4 +1,4 @@
+ /usr/games/imazesrv -- gen_context(system_u:object_r:imazesrv_exec_t,s0)
+ /usr/share/games/imaze(/.*)? gen_context(system_u:object_r:imazesrv_data_t,s0)
+
+-/var/log/imaze\.log -- gen_context(system_u:object_r:imazesrv_log_t,s0)
++/var/log/imaze\.log.* -- gen_context(system_u:object_r:imazesrv_log_t,s0)
+diff --git a/imaze.te b/imaze.te
+index 0778af8..66fb4ae 100644
+--- a/imaze.te
++++ b/imaze.te
+@@ -54,7 +54,6 @@ kernel_read_kernel_sysctls(imazesrv_t)
+ kernel_list_proc(imazesrv_t)
+ kernel_read_proc_symlinks(imazesrv_t)
+
+-corenet_all_recvfrom_unlabeled(imazesrv_t)
+ corenet_all_recvfrom_netlabel(imazesrv_t)
+ corenet_tcp_sendrecv_generic_if(imazesrv_t)
+ corenet_udp_sendrecv_generic_if(imazesrv_t)
+@@ -79,8 +78,6 @@ fs_search_auto_mountpoints(imazesrv_t)
+
+ logging_send_syslog_msg(imazesrv_t)
+
+-miscfiles_read_localization(imazesrv_t)
+-
+ sysnet_read_config(imazesrv_t)
+
+ userdom_use_unpriv_users_fds(imazesrv_t)
+diff --git a/inetd.fc b/inetd.fc
+index 39d5baa..4288778 100644
+--- a/inetd.fc
++++ b/inetd.fc
+@@ -7,6 +7,6 @@
+ /usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+ /usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+
+-/var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0)
++/var/log/(x)?inetd\.log.* -- gen_context(system_u:object_r:inetd_log_t,s0)
+
+ /var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
+diff --git a/inetd.if b/inetd.if
+index df48e5e..161814e 100644
+--- a/inetd.if
++++ b/inetd.if
+@@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',`
+
+ domtrans_pattern(inetd_t, $2, $1)
+ allow inetd_t $1:process { siginh sigkill };
++
++ optional_policy(`
++ abrt_stream_connect($1)
++ ')
+ ')
+
+ ########################################
+diff --git a/inetd.te b/inetd.te
+index 10f25d3..ec4cd54 100644
+--- a/inetd.te
++++ b/inetd.te
+@@ -38,9 +38,9 @@ ifdef(`enable_mcs',`
+ # Local policy
+ #
+
+-allow inetd_t self:capability { setuid setgid sys_resource };
++allow inetd_t self:capability { setuid setgid };
+ dontaudit inetd_t self:capability sys_tty_config;
+-allow inetd_t self:process { setsched setexec setrlimit };
++allow inetd_t self:process { setsched setexec };
+ allow inetd_t self:fifo_file rw_fifo_file_perms;
+ allow inetd_t self:tcp_socket create_stream_socket_perms;
+ allow inetd_t self:udp_socket create_socket_perms;
+@@ -65,7 +65,6 @@ kernel_tcp_recvfrom_unlabeled(inetd_t)
+ corecmd_bin_domtrans(inetd_t, inetd_child_t)
+
+ # base networking:
+-corenet_all_recvfrom_unlabeled(inetd_t)
+ corenet_all_recvfrom_netlabel(inetd_t)
+ corenet_tcp_sendrecv_generic_if(inetd_t)
+ corenet_udp_sendrecv_generic_if(inetd_t)
+@@ -89,16 +88,19 @@ corenet_tcp_bind_ftp_port(inetd_t)
+ corenet_udp_bind_ftp_port(inetd_t)
+ corenet_tcp_bind_inetd_child_port(inetd_t)
+ corenet_udp_bind_inetd_child_port(inetd_t)
++corenet_tcp_bind_echo_port(inetd_t)
++corenet_udp_bind_echo_port(inetd_t)
++corenet_tcp_bind_time_port(inetd_t)
++corenet_udp_bind_time_port(inetd_t)
+ corenet_tcp_bind_ircd_port(inetd_t)
+ corenet_udp_bind_ktalkd_port(inetd_t)
+-corenet_tcp_bind_pop_port(inetd_t)
+ corenet_tcp_bind_printer_port(inetd_t)
+ corenet_udp_bind_rlogind_port(inetd_t)
+ corenet_udp_bind_rsh_port(inetd_t)
+ corenet_tcp_bind_rsh_port(inetd_t)
+ corenet_tcp_bind_rsync_port(inetd_t)
+ corenet_udp_bind_rsync_port(inetd_t)
+-corenet_tcp_bind_stunnel_port(inetd_t)
++#corenet_tcp_bind_stunnel_port(inetd_t)
+ corenet_tcp_bind_swat_port(inetd_t)
+ corenet_udp_bind_swat_port(inetd_t)
+ corenet_tcp_bind_telnetd_port(inetd_t)
+@@ -119,7 +121,7 @@ corenet_sendrecv_ktalkd_server_packets(inetd_t)
+ corenet_sendrecv_printer_server_packets(inetd_t)
+ corenet_sendrecv_rsh_server_packets(inetd_t)
+ corenet_sendrecv_rsync_server_packets(inetd_t)
+-corenet_sendrecv_stunnel_server_packets(inetd_t)
++#corenet_sendrecv_stunnel_server_packets(inetd_t)
+ corenet_sendrecv_swat_server_packets(inetd_t)
+ corenet_sendrecv_tftp_server_packets(inetd_t)
+
+@@ -137,20 +139,20 @@ corecmd_read_bin_symlinks(inetd_t)
+
+ domain_use_interactive_fds(inetd_t)
+
+-files_read_etc_files(inetd_t)
+ files_read_etc_runtime_files(inetd_t)
+
+ auth_use_nsswitch(inetd_t)
+
+ logging_send_syslog_msg(inetd_t)
+
+-miscfiles_read_localization(inetd_t)
+-
+ # xinetd needs MLS override privileges to work
+ mls_fd_share_all_levels(inetd_t)
+ mls_socket_read_to_clearance(inetd_t)
+ mls_socket_write_to_clearance(inetd_t)
++mls_net_outbound_all_levels(inetd_t)
+ mls_process_set_level(inetd_t)
++#706086
++mls_net_outbound_all_levels(inetd_t)
+
+ sysnet_read_config(inetd_t)
+
+@@ -177,6 +179,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ tftp_read_config(inetd_t)
++')
++
++optional_policy(`
+ udev_read_db(inetd_t)
+ ')
+
+@@ -210,7 +216,6 @@ kernel_read_kernel_sysctls(inetd_child_t)
+ kernel_read_system_state(inetd_child_t)
+ kernel_read_network_state(inetd_child_t)
+
+-corenet_all_recvfrom_unlabeled(inetd_child_t)
+ corenet_all_recvfrom_netlabel(inetd_child_t)
+ corenet_tcp_sendrecv_generic_if(inetd_child_t)
+ corenet_udp_sendrecv_generic_if(inetd_child_t)
+@@ -223,15 +228,12 @@ dev_read_urand(inetd_child_t)
+
+ fs_getattr_xattr_fs(inetd_child_t)
+
+-files_read_etc_files(inetd_child_t)
+ files_read_etc_runtime_files(inetd_child_t)
+
+ auth_use_nsswitch(inetd_child_t)
+
+ logging_send_syslog_msg(inetd_child_t)
+
+-miscfiles_read_localization(inetd_child_t)
+-
+ sysnet_read_config(inetd_child_t)
+
+ optional_policy(`
+diff --git a/inn.if b/inn.if
+index ebc9e0d..617f52f 100644
+--- a/inn.if
++++ b/inn.if
+@@ -13,7 +13,7 @@
+ #
+ interface(`inn_exec',`
+ gen_require(`
+- type innd_t;
++ type innd_exec_t;
+ ')
+
+ can_exec($1, innd_exec_t)
+@@ -93,6 +93,7 @@ interface(`inn_read_config',`
+ type innd_etc_t;
+ ')
+
++ files_search_etc($1)
+ allow $1 innd_etc_t:dir list_dir_perms;
+ allow $1 innd_etc_t:file read_file_perms;
+ allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
+@@ -113,6 +114,7 @@ interface(`inn_read_news_lib',`
+ type innd_var_lib_t;
+ ')
+
++ files_search_var_lib($1)
+ allow $1 innd_var_lib_t:dir list_dir_perms;
+ allow $1 innd_var_lib_t:file read_file_perms;
+ allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
+@@ -133,6 +135,7 @@ interface(`inn_read_news_spool',`
+ type news_spool_t;
+ ')
+
++ files_search_spool($1)
+ allow $1 news_spool_t:dir list_dir_perms;
+ allow $1 news_spool_t:file read_file_perms;
+ allow $1 news_spool_t:lnk_file read_lnk_file_perms;
+@@ -195,12 +198,15 @@ interface(`inn_domtrans',`
+ interface(`inn_admin',`
+ gen_require(`
+ type innd_t, innd_etc_t, innd_log_t;
+- type news_spool_t, innd_var_lib_t;
+- type innd_var_run_t, innd_initrc_exec_t;
++ type news_spool_t, innd_var_lib_t, innd_var_run_t;
++ type innd_initrc_exec_t;
+ ')
+
+- allow $1 innd_t:process { ptrace signal_perms };
++ allow $1 innd_t:process signal_perms;
+ ps_process_pattern($1, innd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 innd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, innd_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/inn.te b/inn.te
+index 7311364..28012eb 100644
+--- a/inn.te
++++ b/inn.te
+@@ -4,6 +4,7 @@ policy_module(inn, 1.10.0)
+ #
+ # Declarations
+ #
++
+ type innd_t;
+ type innd_exec_t;
+ init_daemon_domain(innd_t, innd_exec_t)
+@@ -25,11 +26,13 @@ files_pid_file(innd_var_run_t)
+
+ type news_spool_t;
+ files_mountpoint(news_spool_t)
++files_spool_file(news_spool_t)
+
+ ########################################
+ #
+ # Local policy
+ #
++
+ allow innd_t self:capability { dac_override kill setgid setuid };
+ dontaudit innd_t self:capability sys_tty_config;
+ allow innd_t self:process { setsched signal_perms };
+@@ -46,7 +49,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
+ can_exec(innd_t, innd_exec_t)
+
+ manage_files_pattern(innd_t, innd_log_t, innd_log_t)
+-allow innd_t innd_log_t:dir setattr;
++allow innd_t innd_log_t:dir setattr_dir_perms;
+ logging_log_filetrans(innd_t, innd_log_t, file)
+
+ manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
+@@ -56,7 +59,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file)
+ manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
+ manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
+ manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
+-files_pid_filetrans(innd_t, innd_var_run_t, file)
++files_pid_filetrans(innd_t, innd_var_run_t, { dir file })
+
+ manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
+ manage_files_pattern(innd_t, news_spool_t, news_spool_t)
+@@ -65,7 +68,6 @@ manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t)
+ kernel_read_kernel_sysctls(innd_t)
+ kernel_read_system_state(innd_t)
+
+-corenet_all_recvfrom_unlabeled(innd_t)
+ corenet_all_recvfrom_netlabel(innd_t)
+ corenet_tcp_sendrecv_generic_if(innd_t)
+ corenet_udp_sendrecv_generic_if(innd_t)
+@@ -97,14 +99,11 @@ files_read_usr_files(innd_t)
+
+ logging_send_syslog_msg(innd_t)
+
+-miscfiles_read_localization(innd_t)
+-
+-seutil_dontaudit_search_config(innd_t)
+-
+ sysnet_read_config(innd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(innd_t)
+ userdom_dontaudit_search_user_home_dirs(innd_t)
++userdom_dgram_send(innd_t)
+
+ mta_send_mail(innd_t)
+
+diff --git a/irc.fc b/irc.fc
+index 65ece18..7e7873c 100644
+--- a/irc.fc
++++ b/irc.fc
+@@ -2,10 +2,15 @@
+ # /home
+ #
+ HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
++HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)
++HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)
++
++/etc/irssi\.conf -- gen_context(system_u:object_r:irssi_etc_t,s0)
+
+ #
+ # /usr
+ #
+ /usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
+ /usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
++/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0)
+ /usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
+diff --git a/irc.if b/irc.if
+index 4f9dc90..2af9361 100644
+--- a/irc.if
++++ b/irc.if
+@@ -18,9 +18,11 @@
+ interface(`irc_role',`
+ gen_require(`
+ type irc_t, irc_exec_t;
++ type irssi_t, irssi_exec_t, irssi_home_t;
+ ')
+
+ role $1 types irc_t;
++ role $1 types irssi_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, irc_exec_t, irc_t)
+@@ -28,4 +30,39 @@ interface(`irc_role',`
+ # allow ps to show irc
+ ps_process_pattern($2, irc_t)
+ allow $2 irc_t:process signal;
++
++ domtrans_pattern($2, irssi_exec_t, irssi_t)
++
++ allow $2 irssi_t:process signal_perms;
++ ps_process_pattern($2, irssi_t)
++
++ manage_dirs_pattern($2, irssi_home_t, irssi_home_t)
++ manage_files_pattern($2, irssi_home_t, irssi_home_t)
++ manage_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
++
++ relabel_dirs_pattern($2, irssi_home_t, irssi_home_t)
++ relabel_files_pattern($2, irssi_home_t, irssi_home_t)
++ relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
++
++ irc_filetrans_home_content($2)
++')
++
++########################################
++##
++## Transition to alsa named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`irc_filetrans_home_content',`
++ gen_require(`
++ type irc_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
++ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
++ userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs")
+ ')
+diff --git a/irc.te b/irc.te
+index 6e2dbd2..73e129e 100644
+--- a/irc.te
++++ b/irc.te
+@@ -19,7 +19,31 @@ userdom_user_home_content(irc_home_t)
+ type irc_tmp_t;
+ typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
+ typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
+-userdom_user_tmp_file(irc_tmp_t)
++userdom_user_home_content(irc_tmp_t)
++
++########################################
++#
++# Irssi personal declarations.
++#
++
++##
++##
++## Allow the Irssi IRC Client to connect to any port,
++## and to bind to any unreserved port.
++##
++##
++gen_tunable(irssi_use_full_network, false)
++
++type irssi_t;
++type irssi_exec_t;
++application_domain(irssi_t, irssi_exec_t)
++ubac_constrained(irssi_t)
++
++type irssi_etc_t;
++files_config_file(irssi_etc_t)
++
++type irssi_home_t;
++userdom_user_home_content(irssi_home_t)
+
+ ########################################
+ #
+@@ -33,7 +57,7 @@ allow irc_t self:udp_socket create_socket_perms;
+ manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
+ manage_files_pattern(irc_t, irc_home_t, irc_home_t)
+ manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
+-userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
++irc_filetrans_home_content(irc_t)
+
+ # access files under /tmp
+ manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+@@ -45,7 +69,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+
+ kernel_read_proc_symlinks(irc_t)
+
+-corenet_all_recvfrom_unlabeled(irc_t)
+ corenet_all_recvfrom_netlabel(irc_t)
+ corenet_tcp_sendrecv_generic_if(irc_t)
+ corenet_udp_sendrecv_generic_if(irc_t)
+@@ -75,7 +98,6 @@ term_list_ptys(irc_t)
+ init_read_utmp(irc_t)
+ init_dontaudit_lock_utmp(irc_t)
+
+-miscfiles_read_localization(irc_t)
+
+ # Inherit and use descriptors from newrole.
+ seutil_use_newrole_fds(irc_t)
+@@ -83,20 +105,74 @@ seutil_use_newrole_fds(irc_t)
+ sysnet_read_config(irc_t)
+
+ # Write to the user domain tty.
+-userdom_use_user_terminals(irc_t)
++userdom_use_inherited_user_terminals(irc_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(irc_t)
+- fs_manage_nfs_files(irc_t)
+- fs_manage_nfs_symlinks(irc_t)
++userdom_home_manager(irc_t)
++
++optional_policy(`
++ nis_use_ypbind(irc_t)
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(irc_t)
+- fs_manage_cifs_files(irc_t)
+- fs_manage_cifs_symlinks(irc_t)
++########################################
++#
++# Irssi personal declarations.
++#
++
++allow irssi_t self:process { signal sigkill };
++allow irssi_t self:fifo_file rw_fifo_file_perms;
++allow irssi_t self:tcp_socket create_stream_socket_perms;
++
++read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t)
++
++manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t)
++manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
++manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
++irc_filetrans_home_content(irssi_t)
++userdom_search_user_home_dirs(irssi_t)
++
++kernel_read_system_state(irssi_t)
++
++corecmd_search_bin(irssi_t)
++corecmd_read_bin_symlinks(irssi_t)
++
++corenet_tcp_connect_ircd_port(irssi_t)
++corenet_tcp_sendrecv_ircd_port(irssi_t)
++corenet_sendrecv_ircd_client_packets(irssi_t)
++
++# tcp:7000 is often used for SSL irc
++corenet_tcp_connect_gatekeeper_port(irssi_t)
++corenet_tcp_sendrecv_gatekeeper_port(irssi_t)
++corenet_sendrecv_gatekeeper_client_packets(irssi_t)
++
++# Privoxy
++corenet_tcp_connect_http_cache_port(irssi_t)
++corenet_tcp_sendrecv_http_cache_port(irssi_t)
++corenet_sendrecv_http_cache_client_packets(irssi_t)
++
++corenet_tcp_bind_generic_node(irssi_t)
++
++dev_read_urand(irssi_t)
++# irssi-otr genkey.
++dev_read_rand(irssi_t)
++
++files_read_usr_files(irssi_t)
++
++fs_search_auto_mountpoints(irssi_t)
++
++auth_use_nsswitch(irssi_t)
++
++
++userdom_use_inherited_user_terminals(irssi_t)
++
++tunable_policy(`irssi_use_full_network', `
++ corenet_tcp_bind_all_unreserved_ports(irssi_t)
++ corenet_tcp_connect_all_ports(irssi_t)
++ corenet_sendrecv_generic_server_packets(irssi_t)
++ corenet_sendrecv_all_client_packets(irssi_t)
+ ')
+
++userdom_home_manager(irssi_t)
++
+ optional_policy(`
+- nis_use_ypbind(irc_t)
++ automount_dontaudit_getattr_tmp_dirs(irssi_t)
+ ')
+diff --git a/ircd.te b/ircd.te
+index 75ab1e2..603ea55 100644
+--- a/ircd.te
++++ b/ircd.te
+@@ -49,7 +49,6 @@ kernel_read_kernel_sysctls(ircd_t)
+
+ corecmd_search_bin(ircd_t)
+
+-corenet_all_recvfrom_unlabeled(ircd_t)
+ corenet_all_recvfrom_netlabel(ircd_t)
+ corenet_tcp_sendrecv_generic_if(ircd_t)
+ corenet_udp_sendrecv_generic_if(ircd_t)
+@@ -73,8 +72,6 @@ fs_search_auto_mountpoints(ircd_t)
+
+ logging_send_syslog_msg(ircd_t)
+
+-miscfiles_read_localization(ircd_t)
+-
+ sysnet_read_config(ircd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(ircd_t)
+diff --git a/irqbalance.te b/irqbalance.te
+index 9aeeaf9..a91de65 100644
+--- a/irqbalance.te
++++ b/irqbalance.te
+@@ -19,6 +19,12 @@ files_pid_file(irqbalance_var_run_t)
+
+ allow irqbalance_t self:capability { setpcap net_admin };
+ dontaudit irqbalance_t self:capability sys_tty_config;
++
++ifdef(`hide_broken_symptoms',`
++ # caused by some bogus kernel code
++ dontaudit irqbalance_t self:capability sys_module;
++')
++
+ allow irqbalance_t self:process { getcap setcap signal_perms };
+ allow irqbalance_t self:udp_socket create_socket_perms;
+
+@@ -42,8 +48,6 @@ domain_use_interactive_fds(irqbalance_t)
+
+ logging_send_syslog_msg(irqbalance_t)
+
+-miscfiles_read_localization(irqbalance_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
+ userdom_dontaudit_search_user_home_dirs(irqbalance_t)
+
+diff --git a/iscsi.fc b/iscsi.fc
+index 14d9670..e94b352 100644
+--- a/iscsi.fc
++++ b/iscsi.fc
+@@ -1,7 +1,17 @@
+ /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+ /sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
++/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+
+ /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
++
+ /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
+-/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
++
++/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
++/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
++
+ /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
++/var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
++
++/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
++/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
++/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+diff --git a/iscsi.te b/iscsi.te
+index 8bcfa2f..f71614d 100644
+--- a/iscsi.te
++++ b/iscsi.te
+@@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t)
+ #
+
+ allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
+-dontaudit iscsid_t self:capability sys_ptrace;
+ allow iscsid_t self:process { setrlimit setsched signal };
+ allow iscsid_t self:fifo_file rw_fifo_file_perms;
+ allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -66,8 +65,8 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+
+ kernel_read_network_state(iscsid_t)
+ kernel_read_system_state(iscsid_t)
++kernel_setsched(iscsid_t)
+
+-corenet_all_recvfrom_unlabeled(iscsid_t)
+ corenet_all_recvfrom_netlabel(iscsid_t)
+ corenet_tcp_sendrecv_generic_if(iscsid_t)
+ corenet_tcp_sendrecv_generic_node(iscsid_t)
+@@ -75,14 +74,16 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
+ corenet_tcp_connect_http_port(iscsid_t)
+ corenet_tcp_connect_iscsi_port(iscsid_t)
+ corenet_tcp_connect_isns_port(iscsid_t)
++corenet_tcp_connect_winshadow_port(iscsid_t)
+
+ dev_rw_sysfs(iscsid_t)
+ dev_rw_userio_dev(iscsid_t)
++dev_read_raw_memory(iscsid_t)
++dev_write_raw_memory(iscsid_t)
+
+ domain_use_interactive_fds(iscsid_t)
+ domain_dontaudit_read_all_domains_state(iscsid_t)
+
+-files_read_etc_files(iscsid_t)
+
+ auth_use_nsswitch(iscsid_t)
+
+@@ -90,8 +91,6 @@ init_stream_connect_script(iscsid_t)
+
+ logging_send_syslog_msg(iscsid_t)
+
+-miscfiles_read_localization(iscsid_t)
+-
+ optional_policy(`
+ tgtd_manage_semaphores(iscsid_t)
+ ')
+diff --git a/isnsd.fc b/isnsd.fc
+new file mode 100644
+index 0000000..3e29080
+--- /dev/null
++++ b/isnsd.fc
+@@ -0,0 +1,8 @@
++/etc/rc\.d/init\.d/isnsd -- gen_context(system_u:object_r:isnsd_initrc_exec_t,s0)
++
++/usr/sbin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0)
++
++/var/lib/isns(/.*)? gen_context(system_u:object_r:isnsd_var_lib_t,s0)
++
++/var/run/isnsd\.pid -- gen_context(system_u:object_r:isnsd_var_run_t,s0)
++/var/run/isnsctl -s gen_context(system_u:object_r:isnsd_var_run_t,s0)
+diff --git a/isnsd.if b/isnsd.if
+new file mode 100644
+index 0000000..1b3514a
+--- /dev/null
++++ b/isnsd.if
+@@ -0,0 +1,181 @@
++
++## policy for isnsd
++
++
++########################################
++##
++## Transition to isnsd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`isnsd_domtrans',`
++ gen_require(`
++ type isnsd_t, isnsd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, isnsd_exec_t, isnsd_t)
++')
++
++
++########################################
++##
++## Execute isnsd server in the isnsd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`isnsd_initrc_domtrans',`
++ gen_require(`
++ type isnsd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
++')
++
++
++########################################
++##
++## Search isnsd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`isnsd_search_lib',`
++ gen_require(`
++ type isnsd_var_lib_t;
++ ')
++
++ allow $1 isnsd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read isnsd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`isnsd_read_lib_files',`
++ gen_require(`
++ type isnsd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
++')
++
++########################################
++##
++## Manage isnsd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`isnsd_manage_lib_files',`
++ gen_require(`
++ type isnsd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
++')
++
++########################################
++##
++## Manage isnsd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`isnsd_manage_lib_dirs',`
++ gen_require(`
++ type isnsd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
++')
++
++
++########################################
++##
++## Read isnsd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`isnsd_read_pid_files',`
++ gen_require(`
++ type isnsd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 isnsd_var_run_t:file read_file_perms;
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an isnsd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`isnsd_admin',`
++ gen_require(`
++ type isnsd_t;
++ type isnsd_initrc_exec_t;
++ type isnsd_var_lib_t;
++ type isnsd_var_run_t;
++ ')
++
++ allow $1 isnsd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, isnsd_t)
++
++ isnsd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 isnsd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_var_lib($1)
++ admin_pattern($1, isnsd_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, isnsd_var_run_t)
++
++')
++
+diff --git a/isnsd.te b/isnsd.te
+new file mode 100644
+index 0000000..951fbae
+--- /dev/null
++++ b/isnsd.te
+@@ -0,0 +1,52 @@
++policy_module(isnsd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type isnsd_t;
++type isnsd_exec_t;
++init_daemon_domain(isnsd_t, isnsd_exec_t)
++
++type isnsd_initrc_exec_t;
++init_script_file(isnsd_initrc_exec_t)
++
++type isnsd_var_lib_t;
++files_type(isnsd_var_lib_t)
++
++type isnsd_var_run_t;
++files_pid_file(isnsd_var_run_t)
++
++########################################
++#
++# isnsd local policy
++#
++
++allow isnsd_t self:capability { kill };
++allow isnsd_t self:process { signal };
++
++allow isnsd_t self:fifo_file rw_fifo_file_perms;
++allow isnsd_t self:tcp_socket { listen };
++allow isnsd_t self:udp_socket { listen };
++allow isnsd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
++manage_files_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
++files_var_lib_filetrans(isnsd_t, isnsd_var_lib_t, { dir file })
++
++manage_dirs_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
++manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
++manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
++files_pid_filetrans(isnsd_t, isnsd_var_run_t, { dir file sock_file })
++
++corenet_tcp_bind_generic_node(isnsd_t)
++corenet_tcp_bind_isns_port(isnsd_t)
++
++domain_use_interactive_fds(isnsd_t)
++
++files_read_etc_files(isnsd_t)
++
++logging_send_syslog_msg(isnsd_t)
++
++sysnet_dns_name_resolve(isnsd_t)
+diff --git a/jabber.fc b/jabber.fc
+index da6f4b4..bd02cc8 100644
+--- a/jabber.fc
++++ b/jabber.fc
+@@ -1,10 +1,18 @@
+-/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/jabberd -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
+
+-/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+-/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
++/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
++/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
++/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
++/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+
+-/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+-/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
++/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+
+-/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+-/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
++# pyicq-t
++
++/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
++
++/var/log/pyicq-t\.log.* gen_context(system_u:object_r:pyicqt_log_t,s0)
++
++/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
++
++/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
+diff --git a/jabber.if b/jabber.if
+index 9878499..01673a4 100644
+--- a/jabber.if
++++ b/jabber.if
+@@ -1,8 +1,114 @@
+ ## Jabber instant messaging server
+
+-########################################
++#####################################
++##
++## Creates types and rules for a basic
++## jabber init daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`jabber_domain_template',`
++ gen_require(`
++ attribute jabberd_domain;
++ ')
++
++ ##############################
++ #
++ # $1_t declarations
++ #
++
++ type $1_t, jabberd_domain;
++ type $1_exec_t;
++ init_daemon_domain($1_t, $1_exec_t)
++
++ kernel_read_system_state($1_t)
++
++ corenet_all_recvfrom_netlabel($1_t)
++
++ logging_send_syslog_msg($1_t)
++')
++
++#######################################
++##
++## Execute a domain transition to run jabberd services
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`jabber_domtrans_jabberd',`
++ gen_require(`
++ type jabberd_t, jabberd_exec_t;
++ ')
++
++ domtrans_pattern($1, jabberd_exec_t, jabberd_t)
++')
++
++######################################
++##
++## Execute a domain transition to run jabberd router service
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`jabber_domtrans_jabberd_router',`
++ gen_require(`
++ type jabberd_router_t, jabberd_router_exec_t;
++ ')
++
++ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
++')
++
++#######################################
++##
++## Read jabberd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jabberd_read_lib_files',`
++ gen_require(`
++ type jabberd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
++')
++
++#######################################
++##
++## Dontaudit inherited read jabberd lib files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`jabberd_dontaudit_read_lib_files',`
++ gen_require(`
++ type jabberd_var_lib_t;
++ ')
++
++ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
++')
++
++#######################################
+ ##
+-## Connect to jabber over a TCP socket (Deprecated)
++## Create, read, write, and delete
++## jabberd lib files.
+ ##
+ ##
+ ##
+@@ -10,8 +116,13 @@
+ ##
+ ##
+ #
+-interface(`jabber_tcp_connect',`
+- refpolicywarn(`$0($*) has been deprecated.')
++interface(`jabberd_manage_lib_files',`
++ gen_require(`
++ type jabberd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
+ ')
+
+ ########################################
+@@ -33,24 +144,25 @@ interface(`jabber_tcp_connect',`
+ #
+ interface(`jabber_admin',`
+ gen_require(`
+- type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
+- type jabberd_var_run_t, jabberd_initrc_exec_t;
++ type jabberd_t, jabberd_var_lib_t;
++ type jabberd_initrc_exec_t, jabberd_router_t;
+ ')
+
+- allow $1 jabberd_t:process { ptrace signal_perms };
++ allow $1 jabberd_t:process signal_perms;
+ ps_process_pattern($1, jabberd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 jabberd_t:process ptrace;
++ allow $1 jabberd_router_t:process ptrace;
++ ')
++
++ allow $1 jabberd_router_t:process signal_perms;
++ ps_process_pattern($1, jabberd_router_t)
+
+ init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 jabberd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- logging_list_logs($1)
+- admin_pattern($1, jabberd_log_t)
+-
+ files_list_var_lib($1)
+ admin_pattern($1, jabberd_var_lib_t)
+-
+- files_list_pids($1)
+- admin_pattern($1, jabberd_var_run_t)
+ ')
+diff --git a/jabber.te b/jabber.te
+index 53e53ca..c1ce1b7 100644
+--- a/jabber.te
++++ b/jabber.te
+@@ -1,94 +1,146 @@
+-policy_module(jabber, 1.9.0)
++policy_module(jabber, 1.8.0)
+
+ ########################################
+ #
+ # Declarations
+ #
+
+-type jabberd_t;
+-type jabberd_exec_t;
+-init_daemon_domain(jabberd_t, jabberd_exec_t)
++attribute jabberd_domain;
++
++jabber_domain_template(jabberd)
++jabber_domain_template(jabberd_router)
++jabber_domain_template(pyicqt)
+
+ type jabberd_initrc_exec_t;
+ init_script_file(jabberd_initrc_exec_t)
+
+-type jabberd_log_t;
+-logging_log_file(jabberd_log_t)
+-
++# type which includes log/pid files pro jabberd components
+ type jabberd_var_lib_t;
+ files_type(jabberd_var_lib_t)
+
+-type jabberd_var_run_t;
+-files_pid_file(jabberd_var_run_t)
++# pyicq-t types
++type pyicqt_log_t;
++logging_log_file(pyicqt_log_t);
+
+-########################################
++type pyicqt_var_spool_t;
++files_spool_file(pyicqt_var_spool_t)
++
++type pyicqt_var_run_t;
++files_pid_file(pyicqt_var_run_t)
++
++######################################
+ #
+-# Local policy
++# Local policy for jabberd-router and c2s components
+ #
+
+-allow jabberd_t self:capability dac_override;
+-dontaudit jabberd_t self:capability sys_tty_config;
+-allow jabberd_t self:process signal_perms;
+-allow jabberd_t self:fifo_file read_fifo_file_perms;
+-allow jabberd_t self:tcp_socket create_stream_socket_perms;
+-allow jabberd_t self:udp_socket create_socket_perms;
++allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
+
+-manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+-files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
+-
+-manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
+-
+-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
+-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+-
+-kernel_read_kernel_sysctls(jabberd_t)
+-kernel_list_proc(jabberd_t)
+-kernel_read_proc_symlinks(jabberd_t)
+-
+-corenet_all_recvfrom_unlabeled(jabberd_t)
+-corenet_all_recvfrom_netlabel(jabberd_t)
+-corenet_tcp_sendrecv_generic_if(jabberd_t)
+-corenet_udp_sendrecv_generic_if(jabberd_t)
+-corenet_tcp_sendrecv_generic_node(jabberd_t)
+-corenet_udp_sendrecv_generic_node(jabberd_t)
+-corenet_tcp_sendrecv_all_ports(jabberd_t)
+-corenet_udp_sendrecv_all_ports(jabberd_t)
+-corenet_tcp_bind_generic_node(jabberd_t)
+-corenet_tcp_bind_jabber_client_port(jabberd_t)
+-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
+-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
++manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
++manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
++
++kernel_read_network_state(jabberd_router_t)
++
++corenet_tcp_bind_jabber_client_port(jabberd_router_t)
++corenet_tcp_bind_jabber_router_port(jabberd_router_t)
++corenet_tcp_connect_jabber_router_port(jabberd_router_t)
++corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
++corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
+
+-dev_read_sysfs(jabberd_t)
+-# For SSL
+-dev_read_rand(jabberd_t)
++fs_getattr_all_fs(jabberd_router_t)
+
+-domain_use_interactive_fds(jabberd_t)
++miscfiles_read_generic_certs(jabberd_router_t)
+
+-files_read_etc_files(jabberd_t)
+-files_read_etc_runtime_files(jabberd_t)
++optional_policy(`
++ kerberos_use(jabberd_router_t)
++')
+
+-fs_getattr_all_fs(jabberd_t)
+-fs_search_auto_mountpoints(jabberd_t)
++optional_policy(`
++ nis_use_ypbind(jabberd_router_t)
++')
+
+-logging_send_syslog_msg(jabberd_t)
++#####################################
++#
++# Local policy for other jabberd components
++#
+
+-miscfiles_read_localization(jabberd_t)
++manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
++manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+
+-sysnet_read_config(jabberd_t)
++corenet_tcp_bind_jabber_interserver_port(jabberd_t)
++corenet_tcp_connect_jabber_router_port(jabberd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+ userdom_dontaudit_search_user_home_dirs(jabberd_t)
+
+ optional_policy(`
+- nis_use_ypbind(jabberd_t)
++ seutil_sigchld_newrole(jabberd_t)
+ ')
+
+ optional_policy(`
+- seutil_sigchld_newrole(jabberd_t)
++ udev_read_db(jabberd_t)
++')
++
++######################################
++#
++# Local policy for pyicq-t
++#
++
++# need for /var/log/pyicq-t.log
++manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t)
++logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
++
++manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);
++
++files_search_spool(pyicqt_t)
++manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);
++
++corenet_tcp_bind_jabber_router_port(pyicqt_t)
++corenet_tcp_connect_jabber_router_port(pyicqt_t)
++
++corecmd_exec_bin(pyicqt_t)
++
++dev_read_urand(pyicqt_t);
++
++files_read_usr_files(pyicqt_t)
++
++auth_use_nsswitch(pyicqt_t);
++
++# for RHEL5
++libs_use_ld_so(pyicqt_t)
++libs_use_shared_libs(pyicqt_t)
++
++# needed for pyicq-t-mysql
++optional_policy(`
++ corenet_tcp_connect_mysqld_port(pyicqt_t)
+ ')
+
+ optional_policy(`
+- udev_read_db(jabberd_t)
++ sysnet_use_ldap(pyicqt_t)
+ ')
++
++#######################################
++#
++# Local policy for jabberd domains
++#
++
++allow jabberd_domain self:process signal_perms;
++allow jabberd_domain self:fifo_file rw_fifo_file_perms;
++allow jabberd_domain self:tcp_socket create_stream_socket_perms;
++allow jabberd_domain self:udp_socket create_socket_perms;
++
++corenet_tcp_sendrecv_generic_if(jabberd_domain)
++corenet_udp_sendrecv_generic_if(jabberd_domain)
++corenet_tcp_sendrecv_generic_node(jabberd_domain)
++corenet_udp_sendrecv_generic_node(jabberd_domain)
++corenet_tcp_sendrecv_all_ports(jabberd_domain)
++corenet_udp_sendrecv_all_ports(jabberd_domain)
++corenet_tcp_bind_generic_node(jabberd_domain)
++
++dev_read_urand(jabberd_domain)
++dev_read_urand(jabberd_domain)
++dev_read_sysfs(jabberd_domain)
++
++files_read_etc_files(jabberd_domain)
++files_read_etc_runtime_files(jabberd_domain)
++
++sysnet_read_config(jabberd_domain)
+diff --git a/java.fc b/java.fc
+index bc1a419..f630930 100644
+--- a/java.fc
++++ b/java.fc
+@@ -28,8 +28,6 @@
+ /usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
+
+-/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+-
+ /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+ ifdef(`distro_redhat',`
+diff --git a/java.te b/java.te
+index ff52c16..bdb4610 100644
+--- a/java.te
++++ b/java.te
+@@ -10,7 +10,7 @@ policy_module(java, 2.6.0)
+ ## Allow java executable stack
+ ##
+ ##
+-gen_tunable(allow_java_execstack, false)
++gen_tunable(java_execstack, false)
+
+ type java_t;
+ type java_exec_t;
+@@ -62,7 +62,6 @@ kernel_read_system_state(java_t)
+ # Search bin directory under java for java executable
+ corecmd_search_bin(java_t)
+
+-corenet_all_recvfrom_unlabeled(java_t)
+ corenet_all_recvfrom_netlabel(java_t)
+ corenet_tcp_sendrecv_generic_if(java_t)
+ corenet_udp_sendrecv_generic_if(java_t)
+@@ -91,7 +90,6 @@ fs_dontaudit_rw_tmpfs_files(java_t)
+
+ logging_send_syslog_msg(java_t)
+
+-miscfiles_read_localization(java_t)
+ # Read global fonts and font config
+ miscfiles_read_fonts(java_t)
+
+@@ -108,7 +106,7 @@ userdom_manage_user_home_content_sockets(java_t)
+ userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file })
+ userdom_write_user_tmp_sockets(java_t)
+
+-tunable_policy(`allow_java_execstack',`
++tunable_policy(`java_execstack',`
+ allow java_t self:process execstack;
+
+ allow java_t java_tmp_t:file execute;
+diff --git a/jetty.fc b/jetty.fc
+new file mode 100644
+index 0000000..1725b7e
+--- /dev/null
++++ b/jetty.fc
+@@ -0,0 +1,9 @@
++
++/var/cache/jetty(/.*)? gen_context(system_u:object_r:jetty_cache_t,s0)
++
++/var/lib/jetty(/.*)? gen_context(system_u:object_r:jetty_var_lib_t,s0)
++
++/var/log/jetty(/.*)? gen_context(system_u:object_r:jetty_log_t,s0)
++
++/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0)
++
+diff --git a/jetty.if b/jetty.if
+new file mode 100644
+index 0000000..2abc285
+--- /dev/null
++++ b/jetty.if
+@@ -0,0 +1,268 @@
++
++## policy for jetty
++
++########################################
++##
++## Search jetty cache directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jetty_search_cache',`
++ gen_require(`
++ type jetty_cache_t;
++ ')
++
++ allow $1 jetty_cache_t:dir search_dir_perms;
++ files_search_var($1)
++')
++
++########################################
++##
++## Read jetty cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jetty_read_cache_files',`
++ gen_require(`
++ type jetty_cache_t;
++ ')
++
++ files_search_var($1)
++ read_files_pattern($1, jetty_cache_t, jetty_cache_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## jetty cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jetty_manage_cache_files',`
++ gen_require(`
++ type jetty_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_files_pattern($1, jetty_cache_t, jetty_cache_t)
++')
++
++########################################
++##
++## Manage jetty cache dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jetty_manage_cache_dirs',`
++ gen_require(`
++ type jetty_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, jetty_cache_t, jetty_cache_t)
++')
++
++########################################
++##
++## Read jetty's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`jetty_read_log',`
++ gen_require(`
++ type jetty_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, jetty_log_t, jetty_log_t)
++')
++
++########################################
++##
++## Append to jetty log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jetty_append_log',`
++ gen_require(`
++ type jetty_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, jetty_log_t, jetty_log_t)
++')
++
++########################################
++##
++## Manage jetty log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jetty_manage_log',`
++ gen_require(`
++ type jetty_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, jetty_log_t, jetty_log_t)
++ manage_files_pattern($1, jetty_log_t, jetty_log_t)
++ manage_lnk_files_pattern($1, jetty_log_t, jetty_log_t)
++')
++
++########################################
++##
++## Search jetty lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jetty_search_lib',`
++ gen_require(`
++ type jetty_var_lib_t;
++ ')
++
++ allow $1 jetty_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read jetty lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jetty_read_lib_files',`
++ gen_require(`
++ type jetty_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
++')
++
++########################################
++##
++## Manage jetty lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jetty_manage_lib_files',`
++ gen_require(`
++ type jetty_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
++')
++
++########################################
++##
++## Manage jetty lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jetty_manage_lib_dirs',`
++ gen_require(`
++ type jetty_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
++')
++
++########################################
++##
++## Read jetty PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jetty_read_pid_files',`
++ gen_require(`
++ type jetty_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 jetty_var_run_t:file read_file_perms;
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an jetty environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`jetty_admin',`
++ gen_require(`
++ type jetty_cache_t;
++ type jetty_log_t;
++ type jetty_var_lib_t;
++ type jetty_var_run_t;
++ ')
++
++ files_search_var($1)
++ admin_pattern($1, jetty_cache_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, jetty_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, jetty_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, jetty_var_run_t)
++')
+diff --git a/jetty.te b/jetty.te
+new file mode 100644
+index 0000000..af510ea
+--- /dev/null
++++ b/jetty.te
+@@ -0,0 +1,25 @@
++policy_module(jetty, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type jetty_cache_t;
++files_type(jetty_cache_t)
++
++type jetty_log_t;
++logging_log_file(jetty_log_t)
++
++type jetty_var_lib_t;
++files_type(jetty_var_lib_t)
++
++type jetty_var_run_t;
++files_pid_file(jetty_var_run_t)
++
++########################################
++#
++# jetty local policy
++#
++
++# No local policy. This module just contains type definitions
+diff --git a/jockey.fc b/jockey.fc
+new file mode 100644
+index 0000000..a59ad8d
+--- /dev/null
++++ b/jockey.fc
+@@ -0,0 +1,6 @@
++/usr/share/jockey/jockey-backend -- gen_context(system_u:object_r:jockey_exec_t,s0)
++
++/var/cache/jockey(/.*)? gen_context(system_u:object_r:jockey_cache_t,s0)
++
++/var/log/jockey(/.*)? gen_context(system_u:object_r:jockey_var_log_t,s0)
++/var/log/jockey\.log.* -- gen_context(system_u:object_r:jockey_var_log_t,s0)
+diff --git a/jockey.if b/jockey.if
+new file mode 100644
+index 0000000..868c7d0
+--- /dev/null
++++ b/jockey.if
+@@ -0,0 +1,126 @@
++
++## policy for jockey
++
++########################################
++##
++## Transition to jockey.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`jockey_domtrans',`
++ gen_require(`
++ type jockey_t, jockey_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, jockey_exec_t, jockey_t)
++')
++
++########################################
++##
++## Search jockey cache directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jockey_search_cache',`
++ gen_require(`
++ type jockey_cache_t;
++ ')
++
++ allow $1 jockey_cache_t:dir search_dir_perms;
++ files_search_var($1)
++')
++
++########################################
++##
++## Read jockey cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jockey_read_cache_files',`
++ gen_require(`
++ type jockey_cache_t;
++ ')
++
++ files_search_var($1)
++ read_files_pattern($1, jockey_cache_t, jockey_cache_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## jockey cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jockey_manage_cache_files',`
++ gen_require(`
++ type jockey_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_files_pattern($1, jockey_cache_t, jockey_cache_t)
++')
++
++########################################
++##
++## Manage jockey cache dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jockey_manage_cache_dirs',`
++ gen_require(`
++ type jockey_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an jockey environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`jockey_admin',`
++ gen_require(`
++ type jockey_t;
++ type jockey_cache_t;
++ ')
++
++ allow $1 jockey_t:process { ptrace signal_perms };
++ ps_process_pattern($1, jockey_t)
++
++ files_search_var($1)
++ admin_pattern($1, jockey_cache_t)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/jockey.te b/jockey.te
+new file mode 100644
+index 0000000..03a01b4
+--- /dev/null
++++ b/jockey.te
+@@ -0,0 +1,62 @@
++policy_module(jockey, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type jockey_t;
++type jockey_exec_t;
++init_daemon_domain(jockey_t, jockey_exec_t)
++
++type jockey_cache_t;
++files_type(jockey_cache_t)
++
++type jockey_var_log_t;
++logging_log_file(jockey_var_log_t)
++
++########################################
++#
++# jockey local policy
++#
++allow jockey_t self:fifo_file rw_fifo_file_perms;
++
++manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
++manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
++manage_lnk_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
++files_var_filetrans(jockey_t, jockey_cache_t, { dir file })
++
++manage_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
++manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
++logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
++
++kernel_read_system_state(jockey_t)
++
++corecmd_exec_bin(jockey_t)
++corecmd_exec_shell(jockey_t)
++
++dev_read_rand(jockey_t)
++dev_read_urand(jockey_t)
++
++dev_read_sysfs(jockey_t)
++
++domain_use_interactive_fds(jockey_t)
++
++files_read_etc_files(jockey_t)
++files_read_usr_files(jockey_t)
++
++auth_read_passwd(jockey_t)
++
++optional_policy(`
++ dbus_system_domain(jockey_t, jockey_exec_t)
++')
++
++optional_policy(`
++ gnome_dontaudit_search_config(jockey_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(jockey_t)
++ modutils_read_module_config(jockey_t)
++ modutils_list_module_config(jockey_t)
++')
+diff --git a/kde.fc b/kde.fc
+new file mode 100644
+index 0000000..25e4b68
+--- /dev/null
++++ b/kde.fc
+@@ -0,0 +1 @@
++#/usr/libexec/kde(3|4)/backlighthelper -- gen_context(system_u:object_r:kdebacklighthelper_exec_t,s0)
+diff --git a/kde.if b/kde.if
+new file mode 100644
+index 0000000..cf65577
+--- /dev/null
++++ b/kde.if
+@@ -0,0 +1,22 @@
++## Policy for KDE components
++
++#######################################
++##
++## Send and receive messages from
++## firewallgui over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kde_dbus_chat_backlighthelper',`
++ gen_require(`
++ type kdebacklighthelper_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 kdebacklighthelper_t:dbus send_msg;
++ allow kdebacklighthelper_t $1:dbus send_msg;
++')
+diff --git a/kde.te b/kde.te
+new file mode 100644
+index 0000000..7b4b5ff
+--- /dev/null
++++ b/kde.te
+@@ -0,0 +1,42 @@
++policy_module(kde,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type kdebacklighthelper_t;
++type kdebacklighthelper_exec_t;
++init_daemon_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
++
++########################################
++#
++# backlighthelper local policy
++#
++allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
++
++kernel_read_system_state(kdebacklighthelper_t)
++
++# r/w brightness values
++dev_rw_sysfs(kdebacklighthelper_t)
++
++files_read_etc_files(kdebacklighthelper_t)
++files_read_etc_runtime_files(kdebacklighthelper_t)
++files_read_usr_files(kdebacklighthelper_t)
++
++fs_getattr_all_fs(kdebacklighthelper_t)
++
++logging_send_syslog_msg(kdebacklighthelper_t)
++
++optional_policy(`
++ dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
++')
++
++optional_policy(`
++ consolekit_dbus_chat(kdebacklighthelper_t)
++')
++
++optional_policy(`
++ policykit_dbus_chat(kdebacklighthelper_t)
++')
++
+diff --git a/kdump.fc b/kdump.fc
+index c66934f..1906ffe 100644
+--- a/kdump.fc
++++ b/kdump.fc
+@@ -3,3 +3,11 @@
+
+ /sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+ /sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
++
++
++/usr/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0)
++
++/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
++/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
++/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
++
+diff --git a/kdump.if b/kdump.if
+index 4198ff5..15d521b 100644
+--- a/kdump.if
++++ b/kdump.if
+@@ -19,6 +19,26 @@ interface(`kdump_domtrans',`
+ domtrans_pattern($1, kdump_exec_t, kdump_t)
+ ')
+
++######################################
++##
++## Execute kdumpctl in the kdumpctl domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`kdumpctl_domtrans',`
++ gen_require(`
++ type kdumpctl_t, kdumpctl_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, kdumpctl_exec_t, kdumpctl_t)
++')
++
++
+ #######################################
+ ##
+ ## Execute kdump in the kdump domain.
+@@ -37,6 +57,30 @@ interface(`kdump_initrc_domtrans',`
+ init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+ ')
+
++########################################
++##
++## Execute kdump server in the kdump domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`kdump_systemctl',`
++ gen_require(`
++ type kdump_unit_file_t;
++ type kdump_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 kdump_unit_file_t:file read_file_perms;
++ allow $1 kdump_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, kdump_t)
++')
++
+ #####################################
+ ##
+ ## Read kdump configuration file.
+@@ -56,6 +100,24 @@ interface(`kdump_read_config',`
+ allow $1 kdump_etc_t:file read_file_perms;
+ ')
+
++#####################################
++##
++## Dontaudit read kdump configuration file.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`kdump_dontaudit_read_config',`
++ gen_require(`
++ type kdump_etc_t;
++ ')
++
++ dontaudit $1 kdump_etc_t:file read_inherited_file_perms;
++')
++
+ ####################################
+ ##
+ ## Manage kdump configuration file.
+@@ -75,6 +137,27 @@ interface(`kdump_manage_config',`
+ allow $1 kdump_etc_t:file manage_file_perms;
+ ')
+
++###################################
++##
++## Manage kdump /var/tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kdump_manage_kdumpctl_tmp_files',`
++ gen_require(`
++ type kdumpctl_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
++ manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
++ manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
++')
++
+ ######################################
+ ##
+ ## All of the rules required to administrate
+@@ -96,10 +179,14 @@ interface(`kdump_admin',`
+ gen_require(`
+ type kdump_t, kdump_etc_t;
+ type kdump_initrc_exec_t;
++ type kdump_unit_file_t;
+ ')
+
+- allow $1 kdump_t:process { ptrace signal_perms };
++ allow $1 kdump_t:process signal_perms;
+ ps_process_pattern($1, kdump_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 kdump_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -108,4 +195,8 @@ interface(`kdump_admin',`
+
+ files_search_etc($1)
+ admin_pattern($1, kdump_etc_t)
++
++ kdump_systemctl($1)
++ admin_pattern($1, kdump_unit_file_t)
++ allow $1 kdump_unit_file_t:service all_service_perms;
+ ')
+diff --git a/kdump.te b/kdump.te
+index b29d8e2..6b6a6c4 100644
+--- a/kdump.te
++++ b/kdump.te
+@@ -15,15 +15,28 @@ files_config_file(kdump_etc_t)
+ type kdump_initrc_exec_t;
+ init_script_file(kdump_initrc_exec_t)
+
++type kdump_unit_file_t alias kdumpctl_unit_file_t;
++systemd_unit_file(kdump_unit_file_t)
++
++type kdumpctl_t;
++type kdumpctl_exec_t;
++init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
++init_initrc_domain(kdumpctl_t)
++
++type kdumpctl_tmp_t;
++files_tmp_file(kdumpctl_tmp_t)
++
+ #####################################
+ #
+ # kdump local policy
+ #
+
+ allow kdump_t self:capability { sys_boot dac_override };
++allow kdump_t self:capability2 compromise_kernel;
+
+ read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
+
++files_read_etc_files(kdump_t)
+ files_read_etc_runtime_files(kdump_t)
+ files_read_kernel_img(kdump_t)
+
+@@ -36,3 +49,89 @@ dev_read_framebuffer(kdump_t)
+ dev_read_sysfs(kdump_t)
+
+ term_use_console(kdump_t)
++
++#######################################
++#
++# kdumpctl local policy
++#
++
++#cjp:almost all rules are needed by dracut
++
++kdump_domtrans(kdumpctl_t)
++
++allow kdumpctl_t self:capability { dac_override sys_chroot };
++allow kdumpctl_t self:process setfscreate;
++
++allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
++allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
++manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
++manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
++manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
++files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })
++can_exec(kdumpctl_t, kdumpctl_tmp_t)
++
++read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t)
++
++kernel_read_system_state(kdumpctl_t)
++
++corecmd_exec_bin(kdumpctl_t)
++corecmd_exec_shell(kdumpctl_t)
++
++dev_read_sysfs(kdumpctl_t)
++# dracut
++dev_manage_all_dev_nodes(kdumpctl_t)
++
++domain_use_interactive_fds(kdumpctl_t)
++
++files_create_kernel_img(kdumpctl_t)
++files_read_etc_files(kdumpctl_t)
++files_read_etc_runtime_files(kdumpctl_t)
++files_read_usr_files(kdumpctl_t)
++files_read_kernel_modules(kdumpctl_t)
++files_getattr_all_dirs(kdumpctl_t)
++files_delete_kernel(kdumpctl_t)
++
++fs_getattr_all_fs(kdumpctl_t)
++fs_search_all(kdumpctl_t)
++
++application_executable_ioctl(kdumpctl_t)
++
++auth_read_passwd(kdumpctl_t)
++
++init_exec(kdumpctl_t)
++systemd_exec_systemctl(kdumpctl_t)
++systemd_read_unit_files(kdumpctl_t)
++
++libs_exec_ld_so(kdumpctl_t)
++
++logging_send_syslog_msg(kdumpctl_t)
++# Need log file from /var/log/dracut.log
++logging_write_generic_logs(kdumpctl_t)
++
++optional_policy(`
++ gpg_exec(kdumpctl_t)
++')
++
++optional_policy(`
++ lvm_read_config(kdumpctl_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(kdumpctl_t)
++ modutils_list_module_config(kdumpctl_t)
++ modutils_read_module_config(kdumpctl_t)
++')
++
++optional_policy(`
++ plymouthd_domtrans_plymouth(kdumpctl_t)
++')
++
++optional_policy(`
++ ssh_exec(kdumpctl_t)
++')
++
++optional_policy(`
++ unconfined_domain(kdumpctl_t)
++')
+diff --git a/kdumpgui.if b/kdumpgui.if
+index d6af9b0..8b1d9c2 100644
+--- a/kdumpgui.if
++++ b/kdumpgui.if
+@@ -1,2 +1,23 @@
+ ## system-config-kdump GUI
+
++########################################
++##
++## Send and receive messages from
++## kdumpgui over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kdumpgui_dbus_chat',`
++ gen_require(`
++ type kdumpgui_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 kdumpgui_t:dbus send_msg;
++ allow kdumpgui_t $1:dbus send_msg;
++')
++
+diff --git a/kdumpgui.te b/kdumpgui.te
+index 0c52f60..acb89ac 100644
+--- a/kdumpgui.te
++++ b/kdumpgui.te
+@@ -7,25 +7,36 @@ policy_module(kdumpgui, 1.1.0)
+
+ type kdumpgui_t;
+ type kdumpgui_exec_t;
+-dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
++init_daemon_domain(kdumpgui_t, kdumpgui_exec_t)
++
++type kdumpgui_tmp_t;
++files_tmp_file(kdumpgui_tmp_t)
+
+ ######################################
+ #
+ # system-config-kdump local policy
+ #
+
+-allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
++allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio };
+ allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
+ allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow kdumpgui_t self:process { setsched sigkill };
++
++manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
++manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
++files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file })
+
+ kernel_read_system_state(kdumpgui_t)
+ kernel_read_network_state(kdumpgui_t)
++kernel_getattr_core_if(kdumpgui_t)
+
+ corecmd_exec_bin(kdumpgui_t)
+ corecmd_exec_shell(kdumpgui_t)
+
+ dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
+ dev_read_sysfs(kdumpgui_t)
++dev_read_urand(kdumpgui_t)
++dev_getattr_all_blk_files(kdumpgui_t)
+
+ files_manage_boot_files(kdumpgui_t)
+ files_manage_boot_symlinks(kdumpgui_t)
+@@ -36,28 +47,53 @@ files_manage_etc_runtime_files(kdumpgui_t)
+ files_etc_filetrans_etc_runtime(kdumpgui_t, file)
+ files_read_usr_files(kdumpgui_t)
+
++fs_read_dos_files(kdumpgui_t)
++fs_getattr_all_fs(kdumpgui_t)
++fs_list_hugetlbfs(kdumpgui_t)
++
+ storage_raw_read_fixed_disk(kdumpgui_t)
+ storage_raw_write_fixed_disk(kdumpgui_t)
++storage_getattr_removable_dev(kdumpgui_t)
+
+ auth_use_nsswitch(kdumpgui_t)
+
+ logging_send_syslog_msg(kdumpgui_t)
++logging_list_logs(kdumpgui_t)
++logging_read_generic_logs(kdumpgui_t)
+
+-miscfiles_read_localization(kdumpgui_t)
++mount_exec(kdumpgui_t)
+
+ init_dontaudit_read_all_script_files(kdumpgui_t)
++init_access_check(kdumpgui_t)
++
++userdom_dontaudit_search_admin_dir(kdumpgui_t)
++
++optional_policy(`
++ bootloader_exec(kdumpgui_t)
++ bootloader_rw_config(kdumpgui_t)
++')
+
+ optional_policy(`
+ consoletype_exec(kdumpgui_t)
+ ')
+
+ optional_policy(`
++ consoletype_exec(kdumpgui_t)
++')
++
++optional_policy(`
++ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
++')
++
++optional_policy(`
+ dev_rw_lvm_control(kdumpgui_t)
+ ')
+
+ optional_policy(`
+ kdump_manage_config(kdumpgui_t)
+ kdump_initrc_domtrans(kdumpgui_t)
++ kdump_systemctl(kdumpgui_t)
++ kdumpctl_domtrans(kdumpgui_t)
+ ')
+
+ optional_policy(`
+diff --git a/kerberos.fc b/kerberos.fc
+index 3525d24..8c702c9 100644
+--- a/kerberos.fc
++++ b/kerberos.fc
+@@ -13,13 +13,14 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+ /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+
+-/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+-/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
++/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
++/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+ /usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+ /usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
++/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+
+-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+ /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+ /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+@@ -27,7 +28,17 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+ /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+ /var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+
+-/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
+-/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
++/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
++/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
+
++/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++
++/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+ /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+diff --git a/kerberos.if b/kerberos.if
+index 604f67b..138e1e2 100644
+--- a/kerberos.if
++++ b/kerberos.if
+@@ -82,14 +82,11 @@ interface(`kerberos_use',`
+ #kerberos libraries are attempting to set the correct file context
+ dontaudit $1 self:process setfscreate;
+ selinux_dontaudit_validate_context($1)
+- seutil_dontaudit_read_file_contexts($1)
+
+- tunable_policy(`allow_kerberos',`
++ tunable_policy(`kerberos_enabled',`
+ allow $1 self:tcp_socket create_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+- corenet_all_recvfrom_unlabeled($1)
+- corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+@@ -103,11 +100,12 @@ interface(`kerberos_use',`
+ corenet_sendrecv_kerberos_client_packets($1)
+ corenet_sendrecv_ocsp_client_packets($1)
+
+- allow $1 krb5_host_rcache_t:file getattr;
++ allow $1 krb5_host_rcache_t:dir search_dir_perms;
++ allow $1 krb5_host_rcache_t:file getattr_file_perms;
+ ')
+
+ optional_policy(`
+- tunable_policy(`allow_kerberos',`
++ tunable_policy(`kerberos_enabled',`
+ pcscd_stream_connect($1)
+ ')
+ ')
+@@ -218,6 +216,30 @@ interface(`kerberos_rw_keytab',`
+
+ ########################################
+ ##
++## Create keytab file in /etc
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`kerberos_etc_filetrans_keytab',`
++ gen_require(`
++ type krb5_keytab_t;
++ ')
++
++ allow $1 krb5_keytab_t:file manage_file_perms;
++ files_etc_filetrans($1, krb5_keytab_t, file, $2)
++')
++
++########################################
++##
+ ## Create a derived type for kerberos keytab
+ ##
+ ##
+@@ -235,8 +257,13 @@ template(`kerberos_keytab_template',`
+ type $1_keytab_t;
+ files_type($1_keytab_t)
+
++ allow $2 self:process setfscreate;
+ allow $2 $1_keytab_t:file read_file_perms;
+
++ seutil_read_file_contexts($2)
++ seutil_read_config($2)
++ selinux_get_enforce_mode($2)
++
+ kerberos_read_keytab($2)
+ kerberos_use($2)
+ ')
+@@ -282,42 +309,21 @@ interface(`kerberos_manage_host_rcache',`
+ # does not work in conditionals
+ domain_obj_id_change_exemption($1)
+
+- tunable_policy(`allow_kerberos',`
++ tunable_policy(`kerberos_enabled',`
+ allow $1 self:process setfscreate;
+
+ selinux_validate_context($1)
+
+ seutil_read_file_contexts($1)
+
+- allow $1 krb5_host_rcache_t:file manage_file_perms;
++ files_rw_generic_tmp_dir($1)
++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+ files_search_tmp($1)
+ ')
+ ')
+
+ ########################################
+ ##
+-## Connect to krb524 service
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`kerberos_connect_524',`
+- tunable_policy(`allow_kerberos',`
+- allow $1 self:udp_socket create_socket_perms;
+-
+- corenet_all_recvfrom_unlabeled($1)
+- corenet_udp_sendrecv_generic_if($1)
+- corenet_udp_sendrecv_generic_node($1)
+- corenet_udp_sendrecv_kerberos_master_port($1)
+- corenet_sendrecv_kerberos_master_client_packets($1)
+- ')
+-')
+-
+-########################################
+-##
+ ## All of the rules required to administrate
+ ## an kerberos environment
+ ##
+@@ -338,18 +344,22 @@ interface(`kerberos_admin',`
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+- type krb5kdc_principal_t, krb5kdc_tmp_t;
++ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
+- type kpropd_t;
+ ')
+
+- allow $1 kadmind_t:process { ptrace signal_perms };
++ allow $1 kadmind_t:process signal_perms;
+ ps_process_pattern($1, kadmind_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 kadmind_t:process ptrace;
++ allow $1 krb5kdc_t:process ptrace;
++ allow $1 kpropd_t:process ptrace;
++ ')
+
+- allow $1 krb5kdc_t:process { ptrace signal_perms };
++ allow $1 krb5kdc_t:process signal_perms;
+ ps_process_pattern($1, krb5kdc_t)
+
+- allow $1 kpropd_t:process { ptrace signal_perms };
++ allow $1 kpropd_t:process signal_perms;
+ ps_process_pattern($1, kpropd_t)
+
+ init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
+@@ -378,3 +388,121 @@ interface(`kerberos_admin',`
+
+ admin_pattern($1, krb5kdc_var_run_t)
+ ')
++
++########################################
++##
++## Type transition files created in /tmp
++## to the krb5_host_rcache type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`kerberos_tmp_filetrans_host_rcache',`
++ gen_require(`
++ type krb5_host_rcache_t;
++ ')
++
++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
++ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
++')
++
++########################################
++##
++## read kerberos homedir content (.k5login)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kerberos_read_home_content',`
++ gen_require(`
++ type krb5_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, krb5_home_t, krb5_home_t)
++')
++
++########################################
++##
++## create kerberos content in the in the /root directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kerberos_filetrans_admin_home_content',`
++ gen_require(`
++ type krb5_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++')
++
++########################################
++##
++## Transition to kerberos named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kerberos_filetrans_home_content',`
++ gen_require(`
++ type krb5_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++')
++
++########################################
++##
++## Transition to kerberos named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kerberos_filetrans_named_content',`
++ gen_require(`
++ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
++ type krb5kdc_principal_t;
++ ')
++
++ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
++ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
++ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
++ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
++ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
++ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
++
++ kerberos_etc_filetrans_keytab($1, "krb5.keytab")
++ kerberos_filetrans_admin_home_content($1)
++
++ kerberos_tmp_filetrans_host_rcache($1, "DNS_25")
++ kerberos_tmp_filetrans_host_rcache($1, "host_0")
++ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
++ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
++ kerberos_tmp_filetrans_host_rcache($1, "imap_0")
++ kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
++ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
++ kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
++ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
++')
+diff --git a/kerberos.te b/kerberos.te
+index 6a95faf..6127834 100644
+--- a/kerberos.te
++++ b/kerberos.te
+@@ -10,7 +10,7 @@ policy_module(kerberos, 1.11.0)
+ ## Allow confined applications to run with kerberos.
+ ##
+ ##
+-gen_tunable(allow_kerberos, false)
++gen_tunable(kerberos_enabled, false)
+
+ type kadmind_t;
+ type kadmind_exec_t;
+@@ -35,12 +35,12 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
+ domain_obj_id_change_exemption(kpropd_t)
+
+ type krb5_conf_t;
+-files_type(krb5_conf_t)
++files_config_file(krb5_conf_t)
+
+ type krb5_home_t;
+ userdom_user_home_content(krb5_home_t)
+
+-type krb5_host_rcache_t;
++type krb5_host_rcache_t alias saslauthd_tmp_t;
+ files_tmp_file(krb5_host_rcache_t)
+
+ # types for general configuration files in /etc
+@@ -49,10 +49,11 @@ files_security_file(krb5_keytab_t)
+
+ # types for KDC configs and principal file(s)
+ type krb5kdc_conf_t;
+-files_type(krb5kdc_conf_t)
++files_config_file(krb5kdc_conf_t)
+
+ type krb5kdc_lock_t;
+-files_type(krb5kdc_lock_t)
++files_lock_file(krb5kdc_lock_t)
++
+
+ # types for KDC principal file(s)
+ type krb5kdc_principal_t;
+@@ -79,8 +80,9 @@ files_pid_file(krb5kdc_var_run_t)
+
+ # Use capabilities. Surplus capabilities may be allowed.
+ allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
++allow kadmind_t self:capability2 block_suspend;
+ dontaudit kadmind_t self:capability sys_tty_config;
+-allow kadmind_t self:process { setfscreate signal_perms };
++allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
+ allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow kadmind_t self:unix_dgram_socket { connect create write };
+ allow kadmind_t self:tcp_socket connected_stream_socket_perms;
+@@ -92,10 +94,9 @@ logging_log_filetrans(kadmind_t, kadmind_log_t, file)
+ allow kadmind_t krb5_conf_t:file read_file_perms;
+ dontaudit kadmind_t krb5_conf_t:file write;
+
+-read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
+-dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
++manage_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
+
+-allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
++allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
+
+ allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
+ filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
+@@ -115,7 +116,9 @@ kernel_read_network_state(kadmind_t)
+ kernel_read_proc_symlinks(kadmind_t)
+ kernel_read_system_state(kadmind_t)
+
+-corenet_all_recvfrom_unlabeled(kadmind_t)
++corecmd_exec_bin(kadmind_t)
++corecmd_exec_shell(kadmind_t)
++
+ corenet_all_recvfrom_netlabel(kadmind_t)
+ corenet_tcp_sendrecv_generic_if(kadmind_t)
+ corenet_udp_sendrecv_generic_if(kadmind_t)
+@@ -126,10 +129,14 @@ corenet_udp_sendrecv_all_ports(kadmind_t)
+ corenet_tcp_bind_generic_node(kadmind_t)
+ corenet_udp_bind_generic_node(kadmind_t)
+ corenet_tcp_bind_kerberos_admin_port(kadmind_t)
++corenet_tcp_bind_kerberos_password_port(kadmind_t)
+ corenet_udp_bind_kerberos_admin_port(kadmind_t)
++corenet_udp_bind_kerberos_password_port(kadmind_t)
+ corenet_tcp_bind_reserved_port(kadmind_t)
+ corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
+ corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
++corenet_sendrecv_kerberos_password_server_packets(kadmind_t)
++corenet_tcp_connect_kprop_port(kadmind_t)
+
+ dev_read_sysfs(kadmind_t)
+ dev_read_rand(kadmind_t)
+@@ -137,6 +144,7 @@ dev_read_urand(kadmind_t)
+
+ fs_getattr_all_fs(kadmind_t)
+ fs_search_auto_mountpoints(kadmind_t)
++fs_rw_anon_inodefs_files(kadmind_t)
+
+ domain_use_interactive_fds(kadmind_t)
+
+@@ -149,8 +157,9 @@ selinux_validate_context(kadmind_t)
+
+ logging_send_syslog_msg(kadmind_t)
+
+-miscfiles_read_localization(kadmind_t)
++miscfiles_read_generic_certs(kadmind_t)
+
++seutil_read_config(kadmind_t)
+ seutil_read_file_contexts(kadmind_t)
+
+ sysnet_read_config(kadmind_t)
+@@ -164,10 +173,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dirsrv_stream_connect(kadmind_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(kadmind_t)
+ ')
+
+ optional_policy(`
++ sssd_read_public_files(kadmind_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(kadmind_t)
+ ')
+
+@@ -182,6 +199,7 @@ optional_policy(`
+
+ # Use capabilities. Surplus capabilities may be allowed.
+ allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
++allow krb5kdc_t self:capability2 block_suspend;
+ dontaudit krb5kdc_t self:capability sys_tty_config;
+ allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
+ allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -197,13 +215,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
+ read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
+ dontaudit krb5kdc_t krb5kdc_conf_t:file write;
+
+-allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
++allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
+
+ allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
+ logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
+
+-allow krb5kdc_t krb5kdc_principal_t:file read_file_perms;
+-dontaudit krb5kdc_t krb5kdc_principal_t:file write;
++allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
+
+ manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+@@ -221,7 +238,6 @@ kernel_search_network_sysctl(krb5kdc_t)
+
+ corecmd_exec_bin(krb5kdc_t)
+
+-corenet_all_recvfrom_unlabeled(krb5kdc_t)
+ corenet_all_recvfrom_netlabel(krb5kdc_t)
+ corenet_tcp_sendrecv_generic_if(krb5kdc_t)
+ corenet_udp_sendrecv_generic_if(krb5kdc_t)
+@@ -242,6 +258,7 @@ dev_read_urand(krb5kdc_t)
+
+ fs_getattr_all_fs(krb5kdc_t)
+ fs_search_auto_mountpoints(krb5kdc_t)
++fs_rw_anon_inodefs_files(krb5kdc_t)
+
+ domain_use_interactive_fds(krb5kdc_t)
+
+@@ -253,7 +270,7 @@ selinux_validate_context(krb5kdc_t)
+
+ logging_send_syslog_msg(krb5kdc_t)
+
+-miscfiles_read_localization(krb5kdc_t)
++miscfiles_read_generic_certs(krb5kdc_t)
+
+ seutil_read_file_contexts(krb5kdc_t)
+
+@@ -268,6 +285,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dirsrv_stream_connect(krb5kdc_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(krb5kdc_t)
+ ')
+
+@@ -276,6 +297,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ sssd_read_public_files(krb5kdc_t)
++')
++
++optional_policy(`
+ udev_read_db(krb5kdc_t)
+ ')
+
+@@ -308,7 +333,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+
+ corecmd_exec_bin(kpropd_t)
+
+-corenet_all_recvfrom_unlabeled(kpropd_t)
+ corenet_tcp_sendrecv_generic_if(kpropd_t)
+ corenet_tcp_sendrecv_generic_node(kpropd_t)
+ corenet_tcp_sendrecv_all_ports(kpropd_t)
+@@ -324,8 +348,6 @@ selinux_validate_context(kpropd_t)
+
+ logging_send_syslog_msg(kpropd_t)
+
+-miscfiles_read_localization(kpropd_t)
+-
+ seutil_read_file_contexts(kpropd_t)
+
+ sysnet_dns_name_resolve(kpropd_t)
+diff --git a/kerneloops.if b/kerneloops.if
+index 835b16b..5992eb1 100644
+--- a/kerneloops.if
++++ b/kerneloops.if
+@@ -99,17 +99,21 @@ interface(`kerneloops_manage_tmp_files',`
+ #
+ interface(`kerneloops_admin',`
+ gen_require(`
+- type kerneloops_t, kerneloops_initrc_exec_t;
+- type kerneloops_tmp_t;
++ type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
++ type kerneloops_initrc_exec_t;
+ ')
+
+- allow $1 kerneloops_t:process { ptrace signal_perms };
++ allow $1 kerneloops_t:process signal_perms;
+ ps_process_pattern($1, kerneloops_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 kerneloops_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 kerneloops_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_list_tmp($1)
+ admin_pattern($1, kerneloops_tmp_t)
+ ')
+diff --git a/kerneloops.te b/kerneloops.te
+index 6b35547..5c641b9 100644
+--- a/kerneloops.te
++++ b/kerneloops.te
+@@ -32,7 +32,6 @@ kernel_read_ring_buffer(kerneloops_t)
+ # Init script handling
+ domain_use_interactive_fds(kerneloops_t)
+
+-corenet_all_recvfrom_unlabeled(kerneloops_t)
+ corenet_all_recvfrom_netlabel(kerneloops_t)
+ corenet_tcp_sendrecv_generic_if(kerneloops_t)
+ corenet_tcp_sendrecv_generic_node(kerneloops_t)
+@@ -40,15 +39,12 @@ corenet_tcp_sendrecv_all_ports(kerneloops_t)
+ corenet_tcp_bind_http_port(kerneloops_t)
+ corenet_tcp_connect_http_port(kerneloops_t)
+
+-files_read_etc_files(kerneloops_t)
+
+ auth_use_nsswitch(kerneloops_t)
+
+ logging_send_syslog_msg(kerneloops_t)
+ logging_read_generic_logs(kerneloops_t)
+
+-miscfiles_read_localization(kerneloops_t)
+-
+ optional_policy(`
+ dbus_system_domain(kerneloops_t, kerneloops_exec_t)
+ ')
+diff --git a/keyboardd.fc b/keyboardd.fc
+new file mode 100644
+index 0000000..485aacc
+--- /dev/null
++++ b/keyboardd.fc
+@@ -0,0 +1,2 @@
++
++/usr/bin/system-setup-keyboard -- gen_context(system_u:object_r:keyboardd_exec_t,s0)
+diff --git a/keyboardd.if b/keyboardd.if
+new file mode 100644
+index 0000000..6134ef2
+--- /dev/null
++++ b/keyboardd.if
+@@ -0,0 +1,39 @@
++
++## policy for system-setup-keyboard daemon
++
++########################################
++##
++## Execute a domain transition to run keyboard setup daemon.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`keyboardd_domtrans',`
++ gen_require(`
++ type keyboardd_t, keyboardd_exec_t;
++ ')
++
++ domtrans_pattern($1, keyboardd_exec_t, keyboardd_t)
++')
++
++######################################
++##
++## Allow attempts to read to
++## keyboardd unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`keyboardd_read_pipes',`
++ gen_require(`
++ type keyboardd_t;
++ ')
++
++ allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
++')
+diff --git a/keyboardd.te b/keyboardd.te
+new file mode 100644
+index 0000000..081ae84
+--- /dev/null
++++ b/keyboardd.te
+@@ -0,0 +1,25 @@
++
++policy_module(keyboardd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type keyboardd_t;
++type keyboardd_exec_t;
++init_daemon_domain(keyboardd_t, keyboardd_exec_t)
++
++########################################
++#
++# keyboardd local policy
++#
++
++allow keyboardd_t self:fifo_file rw_fifo_file_perms;
++allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
++
++files_manage_etc_runtime_files(keyboardd_t)
++files_etc_filetrans_etc_runtime(keyboardd_t, file)
++
++files_read_etc_files(keyboardd_t)
++
+diff --git a/keystone.fc b/keystone.fc
+new file mode 100644
+index 0000000..408d6c0
+--- /dev/null
++++ b/keystone.fc
+@@ -0,0 +1,7 @@
++/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
++
++/usr/lib/systemd/system/openstack-keystone.* -- gen_context(system_u:object_r:keystone_unit_file_t,s0)
++
++/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
++
++/var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0)
+diff --git a/keystone.if b/keystone.if
+new file mode 100644
+index 0000000..f20248c
+--- /dev/null
++++ b/keystone.if
+@@ -0,0 +1,218 @@
++
++## policy for keystone
++
++########################################
++##
++## Transition to keystone.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`keystone_domtrans',`
++ gen_require(`
++ type keystone_t, keystone_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, keystone_exec_t, keystone_t)
++')
++########################################
++##
++## Read keystone's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`keystone_read_log',`
++ gen_require(`
++ type keystone_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, keystone_log_t, keystone_log_t)
++')
++
++########################################
++##
++## Append to keystone log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`keystone_append_log',`
++ gen_require(`
++ type keystone_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, keystone_log_t, keystone_log_t)
++')
++
++########################################
++##
++## Manage keystone log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`keystone_manage_log',`
++ gen_require(`
++ type keystone_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, keystone_log_t, keystone_log_t)
++ manage_files_pattern($1, keystone_log_t, keystone_log_t)
++ manage_lnk_files_pattern($1, keystone_log_t, keystone_log_t)
++')
++
++########################################
++##
++## Search keystone lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`keystone_search_lib',`
++ gen_require(`
++ type keystone_var_lib_t;
++ ')
++
++ allow $1 keystone_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read keystone lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`keystone_read_lib_files',`
++ gen_require(`
++ type keystone_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
++')
++
++########################################
++##
++## Manage keystone lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`keystone_manage_lib_files',`
++ gen_require(`
++ type keystone_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
++')
++
++########################################
++##
++## Manage keystone lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`keystone_manage_lib_dirs',`
++ gen_require(`
++ type keystone_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
++')
++
++########################################
++##
++## Execute keystone server in the keystone domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`keystone_systemctl',`
++ gen_require(`
++ type keystone_t;
++ type keystone_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 keystone_unit_file_t:file read_file_perms;
++ allow $1 keystone_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, keystone_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an keystone environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`keystone_admin',`
++ gen_require(`
++ type keystone_t;
++ type keystone_log_t;
++ type keystone_var_lib_t;
++ type keystone_unit_file_t;
++ ')
++
++ allow $1 keystone_t:process { ptrace signal_perms };
++ ps_process_pattern($1, keystone_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, keystone_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, keystone_var_lib_t)
++
++ keystone_systemctl($1)
++ admin_pattern($1, keystone_unit_file_t)
++ allow $1 keystone_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/keystone.te b/keystone.te
+new file mode 100644
+index 0000000..a6606f3
+--- /dev/null
++++ b/keystone.te
+@@ -0,0 +1,68 @@
++policy_module(keystone, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type keystone_t;
++type keystone_exec_t;
++init_daemon_domain(keystone_t, keystone_exec_t)
++
++type keystone_log_t;
++logging_log_file(keystone_log_t)
++
++type keystone_var_lib_t;
++files_type(keystone_var_lib_t)
++
++type keystone_tmp_t;
++files_tmp_file(keystone_tmp_t)
++
++type keystone_unit_file_t;
++systemd_unit_file(keystone_unit_file_t)
++
++########################################
++#
++# keystone local policy
++#
++allow keystone_t self:fifo_file rw_fifo_file_perms;
++allow keystone_t self:unix_stream_socket create_stream_socket_perms;
++allow keystone_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(keystone_t, keystone_log_t, keystone_log_t)
++manage_files_pattern(keystone_t, keystone_log_t, keystone_log_t)
++logging_log_filetrans(keystone_t, keystone_log_t, { dir file })
++
++manage_dirs_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
++manage_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
++manage_lnk_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
++files_tmp_filetrans(keystone_t, keystone_tmp_t, { file dir lnk_file })
++can_exec(keystone_t, keystone_tmp_t)
++
++manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
++manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
++files_var_lib_filetrans(keystone_t, keystone_var_lib_t, { dir file })
++
++kernel_read_system_state(keystone_t)
++
++corecmd_exec_bin(keystone_t)
++corecmd_exec_shell(keystone_t)
++
++corenet_tcp_bind_keystone_port(keystone_t)
++corenet_tcp_bind_generic_node(keystone_t)
++
++dev_read_urand(keystone_t)
++
++domain_use_interactive_fds(keystone_t)
++
++files_read_etc_files(keystone_t)
++files_read_usr_files(keystone_t)
++
++auth_use_pam(keystone_t)
++
++libs_exec_ldconfig(keystone_t)
++
++
++optional_policy(`
++ mysql_stream_connect(keystone_t)
++')
+diff --git a/kismet.if b/kismet.if
+index c18c920..582f7f3 100644
+--- a/kismet.if
++++ b/kismet.if
+@@ -239,7 +239,10 @@ interface(`kismet_admin',`
+ ')
+
+ ps_process_pattern($1, kismet_t)
+- allow $1 kismet_t:process { ptrace signal_perms };
++ allow $1 kismet_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 kismet_t:process ptrace;
++ ')
+
+ kismet_manage_pid_files($1)
+ kismet_manage_lib($1)
+diff --git a/kismet.te b/kismet.te
+index 9dd6880..77c768b 100644
+--- a/kismet.te
++++ b/kismet.te
+@@ -74,24 +74,21 @@ kernel_read_network_state(kismet_t)
+
+ corecmd_exec_bin(kismet_t)
+
+-corenet_all_recvfrom_unlabeled(kismet_t)
+ corenet_all_recvfrom_netlabel(kismet_t)
+ corenet_tcp_sendrecv_generic_if(kismet_t)
+ corenet_tcp_sendrecv_generic_node(kismet_t)
+ corenet_tcp_sendrecv_all_ports(kismet_t)
+ corenet_tcp_bind_generic_node(kismet_t)
+-corenet_tcp_bind_kismet_port(kismet_t)
+-corenet_tcp_connect_kismet_port(kismet_t)
++corenet_tcp_bind_rtsclient_port(kismet_t)
++corenet_tcp_connect_rtsclient_port(kismet_t)
+ corenet_tcp_connect_pulseaudio_port(kismet_t)
+
+ auth_use_nsswitch(kismet_t)
+
+-files_read_etc_files(kismet_t)
+ files_read_usr_files(kismet_t)
+
+-miscfiles_read_localization(kismet_t)
+
+-userdom_use_user_terminals(kismet_t)
++userdom_use_inherited_user_terminals(kismet_t)
+ userdom_read_user_tmpfs_files(kismet_t)
+
+ optional_policy(`
+diff --git a/ksmtuned.fc b/ksmtuned.fc
+index 9c0c835..8360166 100644
+--- a/ksmtuned.fc
++++ b/ksmtuned.fc
+@@ -3,3 +3,5 @@
+ /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
+ /var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
++
++/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
+diff --git a/ksmtuned.if b/ksmtuned.if
+index 6fd0b4c..568f842 100644
+--- a/ksmtuned.if
++++ b/ksmtuned.if
+@@ -55,12 +55,14 @@ interface(`ksmtuned_initrc_domtrans',`
+ #
+ interface(`ksmtuned_admin',`
+ gen_require(`
+- type ksmtuned_t, ksmtuned_var_run_t;
+- type ksmtuned_initrc_exec_t;
++ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
+ ')
+
+- allow $1 ksmtuned_t:process { ptrace signal_perms };
+- ps_process_pattern(ksmtumed_t)
++ allow $1 ksmtuned_t:process signal_perms;
++ ps_process_pattern($1, ksmtuned_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ksmtuned_t:process ptrace;
++ ')
+
+ files_list_pids($1)
+ admin_pattern($1, ksmtuned_var_run_t)
+diff --git a/ksmtuned.te b/ksmtuned.te
+index a73b7a1..d143b12 100644
+--- a/ksmtuned.te
++++ b/ksmtuned.te
+@@ -9,6 +9,9 @@ type ksmtuned_t;
+ type ksmtuned_exec_t;
+ init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
+
++type ksmtuned_log_t;
++logging_log_file(ksmtuned_log_t)
++
+ type ksmtuned_initrc_exec_t;
+ init_script_file(ksmtuned_initrc_exec_t)
+
+@@ -20,9 +23,13 @@ files_pid_file(ksmtuned_var_run_t)
+ # ksmtuned local policy
+ #
+
+-allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
++allow ksmtuned_t self:capability sys_tty_config;
+ allow ksmtuned_t self:fifo_file rw_file_perms;
+
++manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
++manage_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
++logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir })
++
+ manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
+ files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
+
+@@ -31,9 +38,16 @@ kernel_read_system_state(ksmtuned_t)
+ dev_rw_sysfs(ksmtuned_t)
+
+ domain_read_all_domains_state(ksmtuned_t)
++domain_dontaudit_read_all_domains_state(ksmtuned_t)
+
+ corecmd_exec_bin(ksmtuned_t)
++corecmd_exec_shell(ksmtuned_t)
++
++
++mls_file_read_to_clearance(ksmtuned_t)
++
++term_use_all_inherited_terms(ksmtuned_t)
+
+-files_read_etc_files(ksmtuned_t)
++auth_use_nsswitch(ksmtuned_t)
+
+-miscfiles_read_localization(ksmtuned_t)
++logging_send_syslog_msg(ksmtuned_t)
+diff --git a/ktalk.te b/ktalk.te
+index ca5cfdf..a4457d0 100644
+--- a/ktalk.te
++++ b/ktalk.te
+@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ktalkd_t)
+ kernel_read_system_state(ktalkd_t)
+ kernel_read_network_state(ktalkd_t)
+
+-corenet_all_recvfrom_unlabeled(ktalkd_t)
+ corenet_all_recvfrom_netlabel(ktalkd_t)
+ corenet_tcp_sendrecv_generic_if(ktalkd_t)
+ corenet_udp_sendrecv_generic_if(ktalkd_t)
+@@ -65,15 +64,12 @@ dev_read_urand(ktalkd_t)
+
+ fs_getattr_xattr_fs(ktalkd_t)
+
+-files_read_etc_files(ktalkd_t)
+
+ term_search_ptys(ktalkd_t)
+-term_use_all_terms(ktalkd_t)
++term_use_all_inherited_terms(ktalkd_t)
+
+ auth_use_nsswitch(ktalkd_t)
+
+ init_read_utmp(ktalkd_t)
+
+ logging_send_syslog_msg(ktalkd_t)
+-
+-miscfiles_read_localization(ktalkd_t)
+diff --git a/kudzu.fc b/kudzu.fc
+index dd88f74..3317a0c 100644
+--- a/kudzu.fc
++++ b/kudzu.fc
+@@ -2,4 +2,5 @@
+ /sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+ /sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+
++/usr/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+ /usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+diff --git a/kudzu.te b/kudzu.te
+index 4f7bd3c..74cc11d 100644
+--- a/kudzu.te
++++ b/kudzu.te
+@@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t)
+ # Local policy
+ #
+
+-allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
++allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+ dontaudit kudzu_t self:capability sys_tty_config;
+ allow kudzu_t self:process { signal_perms execmem };
+ allow kudzu_t self:fifo_file rw_fifo_file_perms;
+@@ -109,17 +109,10 @@ libs_read_lib_files(kudzu_t)
+ logging_send_syslog_msg(kudzu_t)
+
+ miscfiles_read_hwdata(kudzu_t)
+-miscfiles_read_localization(kudzu_t)
+-
+-modutils_read_module_config(kudzu_t)
+-modutils_read_module_deps(kudzu_t)
+-modutils_rename_module_config(kudzu_t)
+-modutils_delete_module_config(kudzu_t)
+-modutils_domtrans_insmod(kudzu_t)
+
+ sysnet_read_config(kudzu_t)
+
+-userdom_use_user_terminals(kudzu_t)
++userdom_use_inherited_user_terminals(kudzu_t)
+ userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
+ userdom_search_user_home_dirs(kudzu_t)
+
+@@ -128,6 +121,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ modutils_read_module_config(kudzu_t)
++ modutils_read_module_deps(kudzu_t)
++ modutils_rename_module_config(kudzu_t)
++ modutils_delete_module_config(kudzu_t)
++ modutils_domtrans_insmod(kudzu_t)
++')
++
++optional_policy(`
+ nscd_socket_use(kudzu_t)
+ ')
+
+diff --git a/l2tpd.fc b/l2tpd.fc
+new file mode 100644
+index 0000000..6b27066
+--- /dev/null
++++ b/l2tpd.fc
+@@ -0,0 +1,18 @@
++/etc/prol2tp(/.*)? gen_context(system_u:object_r:l2tp_etc_t,s0)
++
++/etc/rc\.d/init\.d/openl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/prol2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/xl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
++
++/etc/sysconfig/prol2tpd -- gen_context(system_u:object_r:l2tp_etc_t,s0)
++
++/usr/sbin/openl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
++/usr/sbin/prol2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
++/usr/sbin/xl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
++
++/var/run/openl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/xl2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/xl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+diff --git a/l2tpd.if b/l2tpd.if
+new file mode 100644
+index 0000000..562d25b
+--- /dev/null
++++ b/l2tpd.if
+@@ -0,0 +1,178 @@
++## Layer 2 Tunneling Protocol daemons.
++
++########################################
++##
++## Transition to l2tpd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`l2tpd_domtrans',`
++ gen_require(`
++ type l2tpd_t, l2tpd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
++')
++
++########################################
++##
++## Execute l2tpd server in the l2tpd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_initrc_domtrans',`
++ gen_require(`
++ type l2tpd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
++')
++
++########################################
++##
++## Send to l2tpd via a unix dgram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_dgram_send',`
++ gen_require(`
++ type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
++ ')
++
++ files_search_tmp($1)
++ dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
++')
++
++########################################
++##
++## Read and write l2tpd sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_rw_socket',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:socket rw_socket_perms;
++')
++
++########################################
++##
++## Read l2tpd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_read_pid_files',`
++ gen_require(`
++ type l2tpd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 l2tpd_var_run_t:file read_file_perms;
++')
++
++#####################################
++##
++## Connect to l2tpd over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_stream_connect',`
++ gen_require(`
++ type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)
++ stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t)
++')
++
++########################################
++##
++## Read and write l2tpd unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_rw_pipes',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:fifo_file rw_fifo_file_perms;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an l2tpd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`l2tpd_admin',`
++ gen_require(`
++ type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
++ type l2tp_etc_t, l2tpd_tmp_t;
++ ')
++
++ allow $1 l2tpd_t:process signal_perms;
++ ps_process_pattern($1, l2tpd_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 l2tpd_t:process ptrace;
++ ')
++
++ l2tpd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 l2tpd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_etc($1)
++ admin_pattern($1, l2tp_etc_t)
++
++ files_search_pids($1)
++ admin_pattern($1, l2tpd_var_run_t)
++
++ files_search_tmp($1)
++ admin_pattern($1, l2tpd_tmp_t)
++')
+diff --git a/l2tpd.te b/l2tpd.te
+new file mode 100644
+index 0000000..1e292d4
+--- /dev/null
++++ b/l2tpd.te
+@@ -0,0 +1,99 @@
++policy_module(l2tpd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type l2tpd_t;
++type l2tpd_exec_t;
++init_daemon_domain(l2tpd_t, l2tpd_exec_t)
++
++type l2tpd_initrc_exec_t;
++init_script_file(l2tpd_initrc_exec_t)
++
++type l2tp_etc_t;
++files_config_file(l2tp_etc_t)
++
++type l2tpd_tmp_t;
++files_tmp_file(l2tpd_tmp_t)
++
++type l2tpd_var_run_t;
++files_pid_file(l2tpd_var_run_t)
++
++########################################
++#
++# Local policy
++#
++
++allow l2tpd_t self:capability { net_admin net_bind_service };
++allow l2tpd_t self:process signal;
++allow l2tpd_t self:fifo_file rw_fifo_file_perms;
++allow l2tpd_t self:netlink_socket create_socket_perms;
++allow l2tpd_t self:rawip_socket create_socket_perms;
++allow l2tpd_t self:socket create_socket_perms;
++allow l2tpd_t self:tcp_socket create_stream_socket_perms;
++allow l2tpd_t self:unix_dgram_socket sendto;
++allow l2tpd_t self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(l2tpd_t, l2tp_etc_t, l2tp_etc_t)
++
++manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
++manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
++manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
++manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
++files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
++
++manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
++files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
++
++corenet_all_recvfrom_netlabel(l2tpd_t)
++corenet_raw_sendrecv_generic_if(l2tpd_t)
++corenet_tcp_sendrecv_generic_if(l2tpd_t)
++corenet_udp_sendrecv_generic_if(l2tpd_t)
++corenet_raw_bind_generic_node(l2tpd_t)
++corenet_tcp_bind_generic_node(l2tpd_t)
++corenet_udp_bind_generic_node(l2tpd_t)
++corenet_raw_sendrecv_generic_node(l2tpd_t)
++corenet_tcp_sendrecv_generic_node(l2tpd_t)
++corenet_udp_sendrecv_generic_node(l2tpd_t)
++
++corenet_tcp_bind_all_rpc_ports(l2tpd_t)
++corenet_udp_bind_all_rpc_ports(l2tpd_t)
++corenet_udp_bind_generic_port(l2tpd_t)
++
++corenet_udp_bind_l2tp_port(l2tpd_t)
++corenet_udp_sendrecv_l2tp_port(l2tpd_t)
++corenet_sendrecv_l2tp_server_packets(l2tpd_t)
++
++kernel_read_system_state(l2tpd_t)
++kernel_read_network_state(l2tpd_t)
++# net-pf-24 (pppox)
++kernel_request_load_module(l2tpd_t)
++
++term_use_ptmx(l2tpd_t)
++term_use_generic_ptys(l2tpd_t)
++term_setattr_generic_ptys(l2tpd_t)
++
++# prol2tpc
++corecmd_exec_bin(l2tpd_t)
++
++dev_read_urand(l2tpd_t)
++
++domain_use_interactive_fds(l2tpd_t)
++
++files_read_etc_files(l2tpd_t)
++
++term_use_ptmx(l2tpd_t)
++
++auth_read_passwd(l2tpd_t)
++
++logging_send_syslog_msg(l2tpd_t)
++
++sysnet_dns_name_resolve(l2tpd_t)
++
++optional_policy(`
++ ppp_domtrans(l2tpd_t)
++ ppp_signal(l2tpd_t)
++ ppp_kill(l2tpd_t)
++')
+diff --git a/ldap.fc b/ldap.fc
+index c62f23e..40c6b4d 100644
+--- a/ldap.fc
++++ b/ldap.fc
+@@ -1,6 +1,11 @@
+
+ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
++/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
++/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
++
++/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
+ /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+
+diff --git a/ldap.if b/ldap.if
+index d6b7b2d..bc0ccb3 100644
+--- a/ldap.if
++++ b/ldap.if
+@@ -1,5 +1,64 @@
+ ## OpenLDAP directory server
+
++#######################################
++##
++## Execute OpenLDAP in the ldap domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ldap_domtrans',`
++ gen_require(`
++ type slapd_t, slapd_exec_t;
++ ')
++
++ domtrans_pattern($1, slapd_exec_t, slapd_t)
++')
++
++#######################################
++##
++## Execute OpenLDAP server in the ldap domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ldap_initrc_domtrans',`
++ gen_require(`
++ type slapd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
++')
++
++########################################
++##
++## Execute slapd server in the slapd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ldap_systemctl',`
++ gen_require(`
++ type slapd_unit_file_t;
++ type slapd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 slapd_unit_file_t:file read_file_perms;
++ allow $1 slapd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, slapd_t)
++')
++
+ ########################################
+ ##
+ ## Read the contents of the OpenLDAP
+@@ -21,6 +80,25 @@ interface(`ldap_list_db',`
+
+ ########################################
+ ##
++## Read the contents of the OpenLDAP
++## database files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ldap_read_db_files',`
++ gen_require(`
++ type slapd_db_t;
++ ')
++
++ read_files_pattern($1, slapd_db_t, slapd_db_t)
++')
++
++########################################
++##
+ ## Read the OpenLDAP configuration files.
+ ##
+ ##
+@@ -94,10 +172,14 @@ interface(`ldap_admin',`
+ type slapd_t, slapd_tmp_t, slapd_replog_t;
+ type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
+ type slapd_initrc_exec_t;
++ type ldap_unit_file_t;
+ ')
+
+- allow $1 slapd_t:process { ptrace signal_perms };
++ allow $1 slapd_t:process signal_perms;
+ ps_process_pattern($1, slapd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 slapd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -109,6 +191,7 @@ interface(`ldap_admin',`
+
+ admin_pattern($1, slapd_lock_t)
+
++ files_list_var_lib($1)
+ admin_pattern($1, slapd_replog_t)
+
+ files_list_tmp($1)
+@@ -116,4 +199,8 @@ interface(`ldap_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, slapd_var_run_t)
++
++ ldap_systemctl($1)
++ admin_pattern($1, ldap_unit_file_t)
++ allow $1 ldap_unit_file_t:service all_service_perms;
+ ')
+diff --git a/ldap.te b/ldap.te
+index 64fd1ff..3ee778a 100644
+--- a/ldap.te
++++ b/ldap.te
+@@ -10,7 +10,7 @@ type slapd_exec_t;
+ init_daemon_domain(slapd_t, slapd_exec_t)
+
+ type slapd_cert_t;
+-files_type(slapd_cert_t)
++miscfiles_cert_type(slapd_cert_t)
+
+ type slapd_db_t;
+ files_type(slapd_db_t)
+@@ -21,15 +21,24 @@ files_config_file(slapd_etc_t)
+ type slapd_initrc_exec_t;
+ init_script_file(slapd_initrc_exec_t)
+
++type slapd_unit_file_t;
++systemd_unit_file(slapd_unit_file_t)
++
+ type slapd_lock_t;
+ files_lock_file(slapd_lock_t)
+
+ type slapd_replog_t;
+ files_type(slapd_replog_t)
+
++type slapd_log_t;
++logging_log_file(slapd_log_t)
++
+ type slapd_tmp_t;
+ files_tmp_file(slapd_tmp_t)
+
++type slapd_tmpfs_t;
++files_tmpfs_file(slapd_tmpfs_t)
++
+ type slapd_var_run_t;
+ files_pid_file(slapd_var_run_t)
+
+@@ -67,18 +76,25 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+ manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+ manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+
++manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
++manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
++logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
++
+ manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+ manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+ files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
+
++manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
++fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)
++
++manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+ manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+ manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+-files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
++files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+
+ kernel_read_system_state(slapd_t)
+ kernel_read_kernel_sysctls(slapd_t)
+
+-corenet_all_recvfrom_unlabeled(slapd_t)
+ corenet_all_recvfrom_netlabel(slapd_t)
+ corenet_tcp_sendrecv_generic_if(slapd_t)
+ corenet_udp_sendrecv_generic_if(slapd_t)
+@@ -100,23 +116,25 @@ fs_search_auto_mountpoints(slapd_t)
+
+ domain_use_interactive_fds(slapd_t)
+
+-files_read_etc_files(slapd_t)
+ files_read_etc_runtime_files(slapd_t)
+ files_read_usr_files(slapd_t)
+ files_list_var_lib(slapd_t)
+
+ auth_use_nsswitch(slapd_t)
++auth_rw_cache(slapd_t)
+
+ logging_send_syslog_msg(slapd_t)
+
+ miscfiles_read_generic_certs(slapd_t)
+-miscfiles_read_localization(slapd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(slapd_t)
+ userdom_dontaudit_search_user_home_dirs(slapd_t)
+
+ optional_policy(`
+ kerberos_keytab_template(slapd, slapd_t)
++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
+ ')
+
+ optional_policy(`
+diff --git a/likewise.fc b/likewise.fc
+index 057a4e4..57491fc 100644
+--- a/likewise.fc
++++ b/likewise.fc
+@@ -20,7 +20,8 @@
+ /usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+ /usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
+-/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
++/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
++/var/lib/likewise(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
+ /var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+ /var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+ /var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+diff --git a/likewise.if b/likewise.if
+index 771e04b..1072aea 100644
+--- a/likewise.if
++++ b/likewise.if
+@@ -63,7 +63,7 @@ template(`likewise_domain_template',`
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+
+- allow $1_t likewise_var_lib_t:dir setattr;
++ allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
+
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, file)
+@@ -82,7 +82,6 @@ template(`likewise_domain_template',`
+
+ logging_send_syslog_msg($1_t)
+
+- miscfiles_read_localization($1_t)
+ ')
+
+ ########################################
+diff --git a/likewise.te b/likewise.te
+index 5ba6cc2..e3f65d6 100644
+--- a/likewise.te
++++ b/likewise.te
+@@ -17,7 +17,7 @@ type likewise_var_lib_t;
+ files_type(likewise_var_lib_t)
+
+ type likewise_pstore_lock_t;
+-files_type(likewise_pstore_lock_t)
++files_lock_file(likewise_pstore_lock_t)
+
+ type likewise_krb5_ad_t;
+ files_type(likewise_krb5_ad_t)
+@@ -49,7 +49,6 @@ likewise_domain_template(srvsvcd)
+ stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+ corenet_all_recvfrom_netlabel(dcerpcd_t)
+-corenet_all_recvfrom_unlabeled(dcerpcd_t)
+ corenet_sendrecv_generic_client_packets(dcerpcd_t)
+ corenet_sendrecv_generic_server_packets(dcerpcd_t)
+ corenet_tcp_sendrecv_generic_if(dcerpcd_t)
+@@ -73,7 +72,6 @@ stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dc
+ stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+ corenet_all_recvfrom_netlabel(eventlogd_t)
+-corenet_all_recvfrom_unlabeled(eventlogd_t)
+ corenet_sendrecv_generic_server_packets(eventlogd_t)
+ corenet_tcp_sendrecv_generic_if(eventlogd_t)
+ corenet_tcp_sendrecv_generic_node(eventlogd_t)
+@@ -116,7 +114,6 @@ corecmd_exec_bin(lsassd_t)
+ corecmd_exec_shell(lsassd_t)
+
+ corenet_all_recvfrom_netlabel(lsassd_t)
+-corenet_all_recvfrom_unlabeled(lsassd_t)
+ corenet_tcp_sendrecv_generic_if(lsassd_t)
+ corenet_tcp_sendrecv_generic_node(lsassd_t)
+ corenet_tcp_sendrecv_generic_port(lsassd_t)
+@@ -165,7 +162,6 @@ stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
+ stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+
+ corenet_all_recvfrom_netlabel(lwiod_t)
+-corenet_all_recvfrom_unlabeled(lwiod_t)
+ corenet_sendrecv_smbd_server_packets(lwiod_t)
+ corenet_sendrecv_smbd_client_packets(lwiod_t)
+ corenet_tcp_sendrecv_generic_if(lwiod_t)
+@@ -205,7 +201,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
+ # Likewise DC location service local policy
+ #
+
+-allow netlogond_t self:capability {dac_override};
++allow netlogond_t self:capability dac_override;
+
+ manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
+
+@@ -226,7 +222,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_
+ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+ corenet_all_recvfrom_netlabel(srvsvcd_t)
+-corenet_all_recvfrom_unlabeled(srvsvcd_t)
+ corenet_sendrecv_generic_server_packets(srvsvcd_t)
+ corenet_tcp_sendrecv_generic_if(srvsvcd_t)
+ corenet_tcp_sendrecv_generic_node(srvsvcd_t)
+diff --git a/lircd.fc b/lircd.fc
+index 49e04e5..69db026 100644
+--- a/lircd.fc
++++ b/lircd.fc
+@@ -2,6 +2,7 @@
+
+ /etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+ /etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0)
++/etc/lirc(/.*)? gen_context(system_u:object_r:lircd_etc_t,s0)
+
+ /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
+
+diff --git a/lircd.if b/lircd.if
+index 418cc81..cdb2561 100644
+--- a/lircd.if
++++ b/lircd.if
+@@ -80,8 +80,11 @@ interface(`lircd_admin',`
+ type lircd_initrc_exec_t, lircd_etc_t;
+ ')
+
+- allow $1 lircd_t:process { ptrace signal_perms };
++ allow $1 lircd_t:process signal_perms;
+ ps_process_pattern($1, lircd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 lircd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, lircd_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/lircd.te b/lircd.te
+index 6a78de1..57f0aa2 100644
+--- a/lircd.te
++++ b/lircd.te
+@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
+ init_script_file(lircd_initrc_exec_t)
+
+ type lircd_etc_t;
+-files_type(lircd_etc_t)
++files_config_file(lircd_etc_t)
+
+ type lircd_var_run_t alias lircd_sock_t;
+ files_pid_file(lircd_var_run_t)
+@@ -24,6 +24,7 @@ files_pid_file(lircd_var_run_t)
+ #
+
+ allow lircd_t self:capability { chown kill sys_admin };
++allow lircd_t self:process signal;
+ allow lircd_t self:fifo_file rw_fifo_file_perms;
+ allow lircd_t self:unix_dgram_socket create_socket_perms;
+ allow lircd_t self:tcp_socket create_stream_socket_perms;
+@@ -38,27 +39,29 @@ files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
+ # /dev/lircd socket
+ dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
+
++kernel_request_load_module(lircd_t)
++
+ corenet_tcp_sendrecv_generic_if(lircd_t)
+ corenet_tcp_bind_generic_node(lircd_t)
+ corenet_tcp_bind_lirc_port(lircd_t)
+ corenet_tcp_sendrecv_all_ports(lircd_t)
+ corenet_tcp_connect_lirc_port(lircd_t)
+
+-dev_read_generic_usb_dev(lircd_t)
++dev_rw_generic_usb_dev(lircd_t) # this needs to be reproduced. might not be right
+ dev_read_mouse(lircd_t)
+ dev_filetrans_lirc(lircd_t)
+ dev_rw_lirc(lircd_t)
+ dev_rw_input_dev(lircd_t)
++dev_read_sysfs(lircd_t)
+
+-files_read_etc_files(lircd_t)
++files_read_config_files(lircd_t)
+ files_list_var(lircd_t)
+ files_manage_generic_locks(lircd_t)
+ files_read_all_locks(lircd_t)
+
+ term_use_ptmx(lircd_t)
++term_use_usb_ttys(lircd_t)
+
+ logging_send_syslog_msg(lircd_t)
+
+-miscfiles_read_localization(lircd_t)
+-
+ sysnet_dns_name_resolve(lircd_t)
+diff --git a/livecd.if b/livecd.if
+index ae29d9f..fb7869e 100644
+--- a/livecd.if
++++ b/livecd.if
+@@ -36,11 +36,39 @@ interface(`livecd_domtrans',`
+ #
+ interface(`livecd_run',`
+ gen_require(`
+- attribute_role livecd_roles;
++ type livecd_t;
++ type livecd_exec_t;
++ #attribute_role livecd_roles;
+ ')
+
+ livecd_domtrans($1)
+- roleattribute $2 livecd_roles;
++ #roleattribute $2 livecd_roles;
++ role $2 types livecd_t;
++ role_transition $2 livecd_exec_t system_r;
++
++ seutil_run_setfiles_mac(livecd_t, system_r)
++
++ optional_policy(`
++ mount_run(livecd_t, $2)
++ ')
++')
++
++########################################
++##
++## Dontaudit read/write to a livecd leaks
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`livecd_dontaudit_leaks',`
++ gen_require(`
++ type livecd_t;
++ ')
++
++ dontaudit $1 livecd_t:unix_dgram_socket { read write };
+ ')
+
+ ########################################
+diff --git a/livecd.te b/livecd.te
+index 008f718..2a9d6c0 100644
+--- a/livecd.te
++++ b/livecd.te
+@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0)
+ # Declarations
+ #
+
+-attribute_role livecd_roles;
+-roleattribute system_r livecd_roles;
++#attribute_role livecd_roles;
++#roleattribute system_r livecd_roles;
+
+ type livecd_t;
+ type livecd_exec_t;
+ application_domain(livecd_t, livecd_exec_t)
+-role livecd_roles types livecd_t;
++role system_r types livecd_t;
++#role livecd_roles types livecd_t;
+
+ type livecd_tmp_t;
+ files_tmp_file(livecd_tmp_t)
+@@ -21,7 +22,7 @@ files_tmp_file(livecd_tmp_t)
+ # livecd local policy
+ #
+
+-dontaudit livecd_t self:capability2 mac_admin;
++allow livecd_t self:capability2 mac_admin;
+
+ domain_ptrace_all_domains(livecd_t)
+
+@@ -30,14 +31,5 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+ files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
+
+ optional_policy(`
+- mount_run(livecd_t, livecd_roles)
++ unconfined_domain_noaudit(livecd_t)
+ ')
+-
+-optional_policy(`
+- hal_dbus_chat(livecd_t)
+-')
+-
+-optional_policy(`
+- unconfined_domain(livecd_t)
+-')
+-
+diff --git a/lldpad.fc b/lldpad.fc
+new file mode 100644
+index 0000000..83a4348
+--- /dev/null
++++ b/lldpad.fc
+@@ -0,0 +1,8 @@
++
++/etc/rc\.d/init\.d/lldpad -- gen_context(system_u:object_r:lldpad_initrc_exec_t,s0)
++
++/usr/sbin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0)
++
++/var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0)
++
++/var/run/lldpad\.pid -- gen_context(system_u:object_r:lldpad_var_run_t,s0)
+diff --git a/lldpad.if b/lldpad.if
+new file mode 100644
+index 0000000..6550968
+--- /dev/null
++++ b/lldpad.if
+@@ -0,0 +1,201 @@
++
++## policy for lldpad
++
++########################################
++##
++## Transition to lldpad.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`lldpad_domtrans',`
++ gen_require(`
++ type lldpad_t, lldpad_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, lldpad_exec_t, lldpad_t)
++')
++
++
++########################################
++##
++## Execute lldpad server in the lldpad domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lldpad_initrc_domtrans',`
++ gen_require(`
++ type lldpad_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
++')
++
++
++########################################
++##
++## Search lldpad lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lldpad_search_lib',`
++ gen_require(`
++ type lldpad_var_lib_t;
++ ')
++
++ allow $1 lldpad_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read lldpad lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lldpad_read_lib_files',`
++ gen_require(`
++ type lldpad_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t)
++')
++
++########################################
++##
++## Manage lldpad lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lldpad_manage_lib_files',`
++ gen_require(`
++ type lldpad_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t)
++')
++
++########################################
++##
++## Manage lldpad lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lldpad_manage_lib_dirs',`
++ gen_require(`
++ type lldpad_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t)
++')
++
++
++########################################
++##
++## Read lldpad PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lldpad_read_pid_files',`
++ gen_require(`
++ type lldpad_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 lldpad_var_run_t:file read_file_perms;
++')
++
++#####################################
++##
++## Send to a lldpad unix dgram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lldpad_dgram_send',`
++ gen_require(`
++ type lldpad_t;
++ ')
++
++ allow $1 lldpad_t:unix_dgram_socket sendto;
++ allow lldpad_t $1:unix_dgram_socket sendto;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an lldpad environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`lldpad_admin',`
++ gen_require(`
++ type lldpad_t;
++ type lldpad_initrc_exec_t;
++ type lldpad_var_lib_t;
++ type lldpad_var_run_t;
++ ')
++
++ allow $1 lldpad_t:process signal_perms;
++ ps_process_pattern($1, lldpad_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 lldpad_t:process ptrace;
++ ')
++
++ lldpad_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 lldpad_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_var_lib($1)
++ admin_pattern($1, lldpad_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, lldpad_var_run_t)
++
++')
++
+diff --git a/lldpad.te b/lldpad.te
+new file mode 100644
+index 0000000..c38f564
+--- /dev/null
++++ b/lldpad.te
+@@ -0,0 +1,70 @@
++policy_module(lldpad, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type lldpad_t;
++type lldpad_exec_t;
++init_daemon_domain(lldpad_t, lldpad_exec_t)
++
++type lldpad_initrc_exec_t;
++init_script_file(lldpad_initrc_exec_t)
++
++type lldpad_tmpfs_t;
++files_tmpfs_file(lldpad_tmpfs_t)
++
++type lldpad_var_lib_t;
++files_type(lldpad_var_lib_t)
++
++type lldpad_var_run_t;
++files_pid_file(lldpad_var_run_t)
++
++########################################
++#
++# lldpad local policy
++#
++
++allow lldpad_t self:capability { net_admin net_raw };
++ifdef(`hide_broken_symptoms',`
++ # caused by some bogus kernel code
++ dontaudit lldpad_t self:capability sys_module;
++')
++
++allow lldpad_t self:shm create_shm_perms;
++allow lldpad_t self:fifo_file rw_fifo_file_perms;
++
++allow lldpad_t self:unix_stream_socket create_stream_socket_perms;
++allow lldpad_t self:netlink_route_socket create_netlink_socket_perms;
++allow lldpad_t self:packet_socket create_socket_perms;
++allow lldpad_t self:udp_socket create_socket_perms;
++
++manage_files_pattern(lldpad_t,lldpad_tmpfs_t,lldpad_tmpfs_t)
++fs_tmpfs_filetrans(lldpad_t,lldpad_tmpfs_t,file)
++
++manage_dirs_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
++manage_files_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
++
++manage_dirs_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
++manage_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
++manage_sock_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
++# this needs to be fixed in lldpad package
++# bug: #
++files_pid_filetrans(lldpad_t, lldpad_var_run_t, { dir file sock_file })
++
++kernel_read_all_sysctls(lldpad_t)
++kernel_read_network_state(lldpad_t)
++kernel_request_load_module(lldpad_t)
++
++dev_read_sysfs(lldpad_t)
++
++files_read_etc_files(lldpad_t)
++
++logging_send_syslog_msg(lldpad_t)
++
++userdom_dgram_send(lldpad_t)
++
++optional_policy(`
++ fcoemon_dgram_send(lldpad_t)
++')
+diff --git a/loadkeys.fc b/loadkeys.fc
+index 8549f9f..68be454 100644
+--- a/loadkeys.fc
++++ b/loadkeys.fc
+@@ -1,3 +1,3 @@
+
+-/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
+-/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
++/usr/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
++/usr/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
+diff --git a/loadkeys.te b/loadkeys.te
+index 2523758..96308b5 100644
+--- a/loadkeys.te
++++ b/loadkeys.te
+@@ -31,14 +31,15 @@ files_read_etc_runtime_files(loadkeys_t)
+ term_dontaudit_use_console(loadkeys_t)
+ term_use_unallocated_ttys(loadkeys_t)
+
++auth_read_passwd(loadkeys_t)
++
+ init_dontaudit_use_fds(loadkeys_t)
+ init_dontaudit_use_script_ptys(loadkeys_t)
+
+ locallogin_use_fds(loadkeys_t)
+
+-miscfiles_read_localization(loadkeys_t)
+
+-userdom_use_user_ttys(loadkeys_t)
++userdom_use_inherited_user_ttys(loadkeys_t)
+ userdom_list_user_home_content(loadkeys_t)
+
+ ifdef(`hide_broken_symptoms',`
+@@ -46,5 +47,9 @@ ifdef(`hide_broken_symptoms',`
+ ')
+
+ optional_policy(`
++ keyboardd_read_pipes(loadkeys_t)
++')
++
++optional_policy(`
+ nscd_dontaudit_search_pid(loadkeys_t)
+ ')
+diff --git a/lockdev.te b/lockdev.te
+index 572b5db..1e55f43 100644
+--- a/lockdev.te
++++ b/lockdev.te
+@@ -34,4 +34,5 @@ fs_getattr_xattr_fs(lockdev_t)
+
+ logging_send_syslog_msg(lockdev_t)
+
+-userdom_use_user_terminals(lockdev_t)
++userdom_use_inherited_user_terminals(lockdev_t)
++
+diff --git a/logrotate.te b/logrotate.te
+index 7090dae..4aaa8fb 100644
+--- a/logrotate.te
++++ b/logrotate.te
+@@ -29,9 +29,8 @@ files_type(logrotate_var_lib_t)
+ #
+
+ # Change ownership on log files.
+-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
+-# for mailx
+-dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
++allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
++dontaudit logrotate_t self:capability sys_resource;
+
+ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
+@@ -39,6 +38,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
+ allow logrotate_t self:process setfscreate;
+
+ allow logrotate_t self:fd use;
++allow logrotate_t self:key manage_key_perms;
+ allow logrotate_t self:fifo_file rw_fifo_file_perms;
+ allow logrotate_t self:unix_dgram_socket create_socket_perms;
+ allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
+@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+ # for /var/lib/logrotate.status and /var/lib/logcheck
+ create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+ manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
++read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+ files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
+
+ kernel_read_system_state(logrotate_t)
+@@ -75,6 +76,7 @@ fs_list_inotifyfs(logrotate_t)
+ mls_file_read_all_levels(logrotate_t)
+ mls_file_write_all_levels(logrotate_t)
+ mls_file_upgrade(logrotate_t)
++mls_process_write_to_clearance(logrotate_t)
+
+ selinux_get_fs_mount(logrotate_t)
+ selinux_get_enforce_mode(logrotate_t)
+@@ -85,6 +87,7 @@ auth_use_nsswitch(logrotate_t)
+ # Run helper programs.
+ corecmd_exec_bin(logrotate_t)
+ corecmd_exec_shell(logrotate_t)
++corecmd_getattr_all_executables(logrotate_t)
+
+ domain_signal_all_domains(logrotate_t)
+ domain_use_interactive_fds(logrotate_t)
+@@ -93,7 +96,6 @@ domain_getattr_all_entry_files(logrotate_t)
+ domain_read_all_domains_state(logrotate_t)
+
+ files_read_usr_files(logrotate_t)
+-files_read_etc_files(logrotate_t)
+ files_read_etc_runtime_files(logrotate_t)
+ files_read_all_pids(logrotate_t)
+ files_search_all(logrotate_t)
+@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t)
+ files_manage_generic_spool(logrotate_t)
+ files_manage_generic_spool_dirs(logrotate_t)
+ files_getattr_generic_locks(logrotate_t)
++files_dontaudit_list_mnt(logrotate_t)
+
+ # cjp: why is this needed?
+ init_domtrans_script(logrotate_t)
+@@ -112,21 +115,20 @@ logging_send_audit_msgs(logrotate_t)
+ # cjp: why is this needed?
+ logging_exec_all_logs(logrotate_t)
+
+-miscfiles_read_localization(logrotate_t)
++systemd_exec_systemctl(logrotate_t)
++systemd_getattr_unit_files(logrotate_t)
++systemd_start_all_unit_files(logrotate_t)
++systemd_reload_all_services(logrotate_t)
++init_stream_connect(logrotate_t)
+
+-seutil_dontaudit_read_config(logrotate_t)
+-
+-userdom_use_user_terminals(logrotate_t)
++userdom_use_inherited_user_terminals(logrotate_t)
+ userdom_list_user_home_dirs(logrotate_t)
+ userdom_use_unpriv_users_fds(logrotate_t)
+-
+-cron_system_entry(logrotate_t, logrotate_exec_t)
+-cron_search_spool(logrotate_t)
+-
+-mta_send_mail(logrotate_t)
++userdom_list_admin_dir(logrotate_t)
++userdom_dontaudit_getattr_user_home_content(logrotate_t)
+
+ ifdef(`distro_debian', `
+- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
++ allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
+ # for savelog
+ can_exec(logrotate_t, logrotate_exec_t)
+
+@@ -138,7 +140,7 @@ ifdef(`distro_debian', `
+ ')
+
+ optional_policy(`
+- abrt_cache_manage(logrotate_t)
++ abrt_manage_cache(logrotate_t)
+ ')
+
+ optional_policy(`
+@@ -154,6 +156,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ awstats_domtrans(logrotate_t)
++')
++
++optional_policy(`
+ asterisk_domtrans(logrotate_t)
+ ')
+
+@@ -162,10 +168,20 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ callweaver_exec(logrotate_t)
++ callweaver_stream_connect(logrotate_t)
++')
++
++optional_policy(`
+ consoletype_exec(logrotate_t)
+ ')
+
+ optional_policy(`
++ cron_system_entry(logrotate_t, logrotate_exec_t)
++ cron_search_spool(logrotate_t)
++')
++
++optional_policy(`
+ cups_domtrans(logrotate_t)
+ ')
+
+@@ -178,6 +194,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ chronyd_read_keys(logrotate_t)
++')
++
++optional_policy(`
+ icecast_signal(logrotate_t)
+ ')
+
+@@ -194,15 +214,19 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mysql_read_home_content(logrotate_t)
+ mysql_read_config(logrotate_t)
+ mysql_search_db(logrotate_t)
+ mysql_stream_connect(logrotate_t)
+ ')
+
+ optional_policy(`
+- psad_domtrans(logrotate_t)
++ polipo_named_filetrans_log_files(logrotate_t)
+ ')
+
++optional_policy(`
++ psad_domtrans(logrotate_t)
++')
+
+ optional_policy(`
+ samba_exec_log(logrotate_t)
+@@ -217,6 +241,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ openvswitch_read_pid_files(logrotate_t)
++ openvswitch_domtrans(logrotate_t)
++')
++
++optional_policy(`
+ squid_domtrans(logrotate_t)
+ ')
+
+@@ -228,3 +257,14 @@ optional_policy(`
+ optional_policy(`
+ varnishd_manage_log(logrotate_t)
+ ')
++
++#######################################
++#
++# logrotate_mail local policy
++#
++
++mta_base_mail_template(logrotate)
++mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
++role system_r types logrotate_mail_t;
++logging_read_all_logs(logrotate_mail_t)
++manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
+diff --git a/logwatch.fc b/logwatch.fc
+index 3c7b1e8..1e155f5 100644
+--- a/logwatch.fc
++++ b/logwatch.fc
+@@ -1,7 +1,11 @@
+ /usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
++/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+
+ /usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
+
+ /var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
+ /var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
++/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
+ /var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)
++
++/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
+diff --git a/logwatch.te b/logwatch.te
+index 75ce30f..061b725 100644
+--- a/logwatch.te
++++ b/logwatch.te
+@@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
+
+ type logwatch_t;
+ type logwatch_exec_t;
++init_daemon_domain(logwatch_t, logwatch_exec_t)
+ application_domain(logwatch_t, logwatch_exec_t)
+ role system_r types logwatch_t;
+
+@@ -19,6 +20,12 @@ files_lock_file(logwatch_lock_t)
+ type logwatch_tmp_t;
+ files_tmp_file(logwatch_tmp_t)
+
++type logwatch_var_run_t;
++files_pid_file(logwatch_var_run_t)
++
++mta_base_mail_template(logwatch)
++role system_r types logwatch_mail_t;
++
+ ########################################
+ #
+ # Local policy
+@@ -39,6 +46,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
+ manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
+ files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
+
++allow logwatch_t logwatch_var_run_t:file manage_file_perms;
++files_pid_filetrans(logwatch_t, logwatch_var_run_t, file)
++
+ kernel_read_fs_sysctls(logwatch_t)
+ kernel_read_kernel_sysctls(logwatch_t)
+ kernel_read_system_state(logwatch_t)
+@@ -56,8 +66,8 @@ domain_read_all_domains_state(logwatch_t)
+
+ files_list_var(logwatch_t)
+ files_read_var_symlinks(logwatch_t)
+-files_read_etc_files(logwatch_t)
+ files_read_etc_runtime_files(logwatch_t)
++files_read_system_conf_files(logwatch_t)
+ files_read_usr_files(logwatch_t)
+ files_search_spool(logwatch_t)
+ files_search_mnt(logwatch_t)
+@@ -67,9 +77,14 @@ files_dontaudit_search_boot(logwatch_t)
+ files_dontaudit_search_all_dirs(logwatch_t)
+
+ fs_getattr_all_fs(logwatch_t)
++fs_getattr_all_dirs(logwatch_t)
+ fs_dontaudit_list_auto_mountpoints(logwatch_t)
+ fs_list_inotifyfs(logwatch_t)
+
++storage_dontaudit_getattr_fixed_disk_dev(logwatch_t)
++
++mls_file_read_to_clearance(logwatch_t)
++
+ term_dontaudit_getattr_pty_dirs(logwatch_t)
+ term_dontaudit_list_ptys(logwatch_t)
+
+@@ -84,19 +99,19 @@ libs_read_lib_files(logwatch_t)
+ logging_read_all_logs(logwatch_t)
+ logging_send_syslog_msg(logwatch_t)
+
+-miscfiles_read_localization(logwatch_t)
+-
+ selinux_dontaudit_getattr_dir(logwatch_t)
+
+-sysnet_dns_name_resolve(logwatch_t)
+ sysnet_exec_ifconfig(logwatch_t)
+
+ userdom_dontaudit_search_user_home_dirs(logwatch_t)
++userdom_dontaudit_list_admin_dir(logwatch_t)
+
+-mta_send_mail(logwatch_t)
++#mta_send_mail(logwatch_t)
++mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
+
+ ifdef(`distro_redhat',`
+ files_search_all(logwatch_t)
++ files_getattr_all_files(logwatch_t)
+ files_getattr_all_file_type_fs(logwatch_t)
+ ')
+
+@@ -145,3 +160,24 @@ optional_policy(`
+ samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
+ ')
++
++########################################
++#
++# Logwatch mail Local policy
++#
++
++allow logwatch_mail_t self:capability { dac_read_search dac_override };
++
++manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
++
++dev_read_rand(logwatch_mail_t)
++dev_read_urand(logwatch_mail_t)
++dev_read_sysfs(logwatch_mail_t)
++
++logging_read_all_logs(logwatch_mail_t)
++
++mta_read_home(logwatch_mail_t)
++
++optional_policy(`
++ cron_use_system_job_fds(logwatch_mail_t)
++')
+diff --git a/lpd.fc b/lpd.fc
+index 5c9eb68..e4f3c24 100644
+--- a/lpd.fc
++++ b/lpd.fc
+@@ -24,7 +24,7 @@
+ /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
+ /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
+-/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
+ /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
+
+@@ -35,3 +35,4 @@
+ /var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+ /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
+ /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
++/var/spool/turboprint(/.*)? gen_context(system_u:object_r:lpd_var_run_t,mls_systemhigh)
+diff --git a/lpd.if b/lpd.if
+index a4f32f5..628b63c 100644
+--- a/lpd.if
++++ b/lpd.if
+@@ -14,6 +14,7 @@
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`lpd_role',`
+ gen_require(`
+@@ -27,7 +28,10 @@ interface(`lpd_role',`
+ dontaudit lpr_t $2:unix_stream_socket { read write };
+
+ ps_process_pattern($2, lpr_t)
+- allow $2 lpr_t:process signull;
++ allow $2 lpr_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 lpr_t:process ptrace;
++ ')
+
+ optional_policy(`
+ cups_read_config($2)
+@@ -153,7 +157,7 @@ interface(`lpd_relabel_spool',`
+ ')
+
+ files_search_spool($1)
+- allow $1 print_spool_t:file { relabelto relabelfrom };
++ allow $1 print_spool_t:file relabel_file_perms;
+ ')
+
+ ########################################
+@@ -186,7 +190,7 @@ interface(`lpd_read_config',`
+ ##
+ ##
+ #
+-template(`lpd_domtrans_lpr',`
++interface(`lpd_domtrans_lpr',`
+ gen_require(`
+ type lpr_t, lpr_exec_t;
+ ')
+@@ -196,6 +200,32 @@ template(`lpd_domtrans_lpr',`
+
+ ########################################
+ ##
++## Execute lpr in the lpr domain, and
++## allow the specified role the lpr domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`lpd_run_lpr',`
++ gen_require(`
++ type lpr_t;
++ ')
++
++ lpd_domtrans_lpr($1)
++ role $2 types lpr_t;
++')
++
++########################################
++##
+ ## Allow the specified domain to execute lpr
+ ## in the caller domain.
+ ##
+diff --git a/lpd.te b/lpd.te
+index a03b63a..99e8d96 100644
+--- a/lpd.te
++++ b/lpd.te
+@@ -45,14 +45,14 @@ userdom_user_tmp_file(lpr_tmp_t)
+ type print_spool_t;
+ typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
+ typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
+-files_type(print_spool_t)
++files_spool_file(print_spool_t)
+ ubac_constrained(print_spool_t)
+
+ type printer_t;
+ files_type(printer_t)
+
+ type printconf_t;
+-files_type(printconf_t)
++files_config_file(printconf_t)
+
+ ########################################
+ #
+@@ -78,12 +78,11 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
+ delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
+ files_search_spool(checkpc_t)
+
+-allow checkpc_t printconf_t:file getattr;
++allow checkpc_t printconf_t:file getattr_file_perms;
+ allow checkpc_t printconf_t:dir list_dir_perms;
+
+ kernel_read_system_state(checkpc_t)
+
+-corenet_all_recvfrom_unlabeled(checkpc_t)
+ corenet_all_recvfrom_netlabel(checkpc_t)
+ corenet_tcp_sendrecv_generic_if(checkpc_t)
+ corenet_udp_sendrecv_generic_if(checkpc_t)
+@@ -102,7 +101,6 @@ corecmd_exec_bin(checkpc_t)
+
+ domain_use_interactive_fds(checkpc_t)
+
+-files_read_etc_files(checkpc_t)
+ files_read_etc_runtime_files(checkpc_t)
+
+ init_use_script_ptys(checkpc_t)
+@@ -111,7 +109,7 @@ init_use_fds(checkpc_t)
+
+ sysnet_read_config(checkpc_t)
+
+-userdom_use_user_terminals(checkpc_t)
++userdom_use_inherited_user_terminals(checkpc_t)
+
+ optional_policy(`
+ cron_system_entry(checkpc_t, checkpc_exec_t)
+@@ -143,9 +141,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
+ manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
+ files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
+
++manage_dirs_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
+ manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
+ manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
+-files_pid_filetrans(lpd_t, lpd_var_run_t, file)
++files_pid_filetrans(lpd_t, lpd_var_run_t, { dir file })
+
+ # Write to /var/spool/lpd.
+ manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
+@@ -163,7 +162,6 @@ kernel_read_kernel_sysctls(lpd_t)
+ # bash wants access to /proc/meminfo
+ kernel_read_system_state(lpd_t)
+
+-corenet_all_recvfrom_unlabeled(lpd_t)
+ corenet_all_recvfrom_netlabel(lpd_t)
+ corenet_tcp_sendrecv_generic_if(lpd_t)
+ corenet_udp_sendrecv_generic_if(lpd_t)
+@@ -197,12 +195,10 @@ files_list_var_lib(lpd_t)
+ files_read_var_lib_files(lpd_t)
+ files_read_var_lib_symlinks(lpd_t)
+ # config files for lpd are of type etc_t, probably should change this
+-files_read_etc_files(lpd_t)
+
+ logging_send_syslog_msg(lpd_t)
+
+ miscfiles_read_fonts(lpd_t)
+-miscfiles_read_localization(lpd_t)
+
+ sysnet_read_config(lpd_t)
+
+@@ -236,9 +232,9 @@ can_exec(lpr_t, lpr_exec_t)
+ # Allow lpd to read, rename, and unlink spool files.
+ allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
+
++kernel_read_system_state(lpr_t)
+ kernel_read_kernel_sysctls(lpr_t)
+
+-corenet_all_recvfrom_unlabeled(lpr_t)
+ corenet_all_recvfrom_netlabel(lpr_t)
+ corenet_tcp_sendrecv_generic_if(lpr_t)
+ corenet_udp_sendrecv_generic_if(lpr_t)
+@@ -256,7 +252,6 @@ domain_use_interactive_fds(lpr_t)
+
+ files_search_spool(lpr_t)
+ # for lpd config files (should have a new type)
+-files_read_etc_files(lpr_t)
+ # for test print
+ files_read_usr_files(lpr_t)
+ #Added to cover read_content macro
+@@ -271,23 +266,25 @@ term_use_generic_ptys(lpr_t)
+
+ auth_use_nsswitch(lpr_t)
+
+-miscfiles_read_localization(lpr_t)
++miscfiles_read_fonts(lpr_t)
+
+ userdom_read_user_tmp_symlinks(lpr_t)
+ # Write to the user domain tty.
+-userdom_use_user_terminals(lpr_t)
++userdom_use_inherited_user_terminals(lpr_t)
+ userdom_read_user_home_content_files(lpr_t)
+ userdom_read_user_tmp_files(lpr_t)
++userdom_write_user_tmp_sockets(lpr_t)
++userdom_stream_connect(lpr_t)
+
+ tunable_policy(`use_lpd_server',`
+ # lpr can run in lightweight mode, without a local print spooler.
+- allow lpr_t lpd_var_run_t:dir search;
+- allow lpr_t lpd_var_run_t:sock_file write;
++ allow lpr_t lpd_var_run_t:dir search_dir_perms;
++ allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
+ files_read_var_files(lpr_t)
+
+ # Connect to lpd via a Unix domain socket.
+- allow lpr_t printer_t:sock_file rw_sock_file_perms;
+- allow lpr_t lpd_t:unix_stream_socket connectto;
++ allow lpr_t printer_t:sock_file read_sock_file_perms;
++ stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
+ # Send SIGHUP to lpd.
+ allow lpr_t lpd_t:process signal;
+
+@@ -305,17 +302,7 @@ tunable_policy(`use_lpd_server',`
+ read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_list_auto_mountpoints(lpr_t)
+- fs_read_nfs_files(lpr_t)
+- fs_read_nfs_symlinks(lpr_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_list_auto_mountpoints(lpr_t)
+- fs_read_cifs_files(lpr_t)
+- fs_read_cifs_symlinks(lpr_t)
+-')
++userdom_home_reader(lpr_t)
+
+ optional_policy(`
+ cups_read_config(lpr_t)
+@@ -324,5 +311,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_stream_connect_gkeyringd(lpr_t)
++')
++
++optional_policy(`
+ logging_send_syslog_msg(lpr_t)
+ ')
++
++optional_policy(`
++ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
++')
+diff --git a/mailman.fc b/mailman.fc
+index 1083f98..c7daa85 100644
+--- a/mailman.fc
++++ b/mailman.fc
+@@ -1,11 +1,14 @@
+-/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+-/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+-/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+-/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
+-/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+-/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0)
+-/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
++/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
++/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++
++/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
++/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
++/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
++/var/log/mailman.* gen_context(system_u:object_r:mailman_log_t,s0)
++/var/run/mailman.* gen_context(system_u:object_r:mailman_var_run_t,s0)
+
+ #
+ # distro_debian
+@@ -23,12 +26,12 @@ ifdef(`distro_debian', `
+ # distro_redhat
+ #
+ ifdef(`distro_redhat', `
+-/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
++/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
+
+-/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+-/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+-/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+-/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
++/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
++/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+-/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
++/var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
+ ')
+diff --git a/mailman.if b/mailman.if
+index 67c7fdd..2f226de 100644
+--- a/mailman.if
++++ b/mailman.if
+@@ -54,7 +54,6 @@ template(`mailman_domain_template', `
+ kernel_read_kernel_sysctls(mailman_$1_t)
+ kernel_read_system_state(mailman_$1_t)
+
+- corenet_all_recvfrom_unlabeled(mailman_$1_t)
+ corenet_all_recvfrom_netlabel(mailman_$1_t)
+ corenet_tcp_sendrecv_generic_if(mailman_$1_t)
+ corenet_udp_sendrecv_generic_if(mailman_$1_t)
+@@ -74,7 +73,7 @@ template(`mailman_domain_template', `
+ corecmd_exec_all_executables(mailman_$1_t)
+
+ files_exec_etc_files(mailman_$1_t)
+- files_list_usr(mailman_$1_t)
++ files_read_usr_files(mailman_$1_t)
+ files_list_var(mailman_$1_t)
+ files_list_var_lib(mailman_$1_t)
+ files_read_var_lib_symlinks(mailman_$1_t)
+@@ -87,7 +86,6 @@ template(`mailman_domain_template', `
+
+ logging_send_syslog_msg(mailman_$1_t)
+
+- miscfiles_read_localization(mailman_$1_t)
+ ')
+
+ #######################################
+@@ -108,6 +106,31 @@ interface(`mailman_domtrans',`
+ domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
+ ')
+
++########################################
++##
++## Execute the mailman program in the mailman domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The role to allow the mailman domain.
++##
++##
++##
++#
++interface(`mailman_run',`
++ gen_require(`
++ type mailman_mail_t;
++ ')
++
++ mailman_domtrans($1)
++ role $2 types mailman_mail_t;
++')
++
+ #######################################
+ ##
+ ## Execute mailman CGI scripts in the
+diff --git a/mailman.te b/mailman.te
+index 22265f0..da52800 100644
+--- a/mailman.te
++++ b/mailman.te
+@@ -19,6 +19,9 @@ logging_log_file(mailman_log_t)
+ type mailman_lock_t;
+ files_lock_file(mailman_lock_t)
+
++type mailman_var_run_t;
++files_pid_file(mailman_var_run_t)
++
+ mailman_domain_template(mail)
+ init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
+
+@@ -54,6 +57,9 @@ optional_policy(`
+ apache_search_sys_script_state(mailman_cgi_t)
+ apache_read_config(mailman_cgi_t)
+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
++
++ postfix_read_config(mailman_cgi_t)
++
+ ')
+
+ ########################################
+@@ -62,13 +68,23 @@ optional_policy(`
+ #
+
+ allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+-allow mailman_mail_t self:process { signal signull };
+-allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
++allow mailman_mail_t self:process { setsched signal signull };
++allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_nice sys_tty_config };
+
+ manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+ manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+ manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+
++manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
++manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
++files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
++
++# make NNTP gateway working
++corenet_tcp_connect_innd_port(mailman_mail_t)
++corenet_tcp_connect_spamd_port(mailman_mail_t)
++
++dev_read_urand(mailman_mail_t)
++
+ files_search_spool(mailman_mail_t)
+
+ fs_rw_anon_inodefs_files(mailman_mail_t)
+@@ -81,11 +97,16 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(mailman_mail_t)
++')
++
++optional_policy(`
+ cron_read_pipes(mailman_mail_t)
+ ')
+
+ optional_policy(`
+ postfix_search_spool(mailman_mail_t)
++ postfix_rw_master_pipes(mailman_mail_t)
+ ')
+
+ ########################################
+@@ -94,7 +115,7 @@ optional_policy(`
+ #
+
+ allow mailman_queue_t self:capability { setgid setuid };
+-allow mailman_queue_t self:process signal;
++allow mailman_queue_t self:process { setsched signal_perms };
+ allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
+ allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
+
+@@ -104,13 +125,12 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+
+ kernel_read_proc_symlinks(mailman_queue_t)
+
++corenet_tcp_connect_innd_port(mailman_queue_t)
++
+ auth_domtrans_chk_passwd(mailman_queue_t)
+
+ files_dontaudit_search_pids(mailman_queue_t)
+
+-# for su
+-seutil_dontaudit_search_config(mailman_queue_t)
+-
+ # some of the following could probably be changed to dontaudit, someone who
+ # knows mailman well should test this out and send the changes
+ userdom_search_user_home_dirs(mailman_queue_t)
+@@ -125,4 +145,4 @@ optional_policy(`
+
+ optional_policy(`
+ su_exec(mailman_queue_t)
+-')
+\ No newline at end of file
++')
+diff --git a/mailscanner.fc b/mailscanner.fc
+new file mode 100644
+index 0000000..827e22e
+--- /dev/null
++++ b/mailscanner.fc
+@@ -0,0 +1,11 @@
++/etc/MailScanner(/.*)? gen_context(system_u:object_r:mscan_etc_t,s0)
++
++/etc/rc\.d/init\.d/MailScanner -- gen_context(system_u:object_r:mscan_initrc_exec_t,s0)
++
++/etc/sysconfig/MailScanner -- gen_context(system_u:object_r:mscan_etc_t,s0)
++
++/etc/sysconfig/update_spamassassin -- gen_context(system_u:object_r:mscan_etc_t,s0)
++
++/usr/sbin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0)
++
++/var/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0)
+diff --git a/mailscanner.if b/mailscanner.if
+new file mode 100644
+index 0000000..bd1d48e
+--- /dev/null
++++ b/mailscanner.if
+@@ -0,0 +1,61 @@
++## E-mail security and anti-spam package for e-mail gateway systems.
++
++########################################
++##
++## Execute a domain transition to run
++## MailScanner.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`mailscanner_initrc_domtrans',`
++ gen_require(`
++ type mscan_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, mscan_initrc_exec_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an mailscanner environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`mailscanner_admin',`
++ gen_require(`
++ type mscan_t, mscan_var_run_t, mscan_etc_t;
++ type mscan_initrc_exec_t;
++ ')
++
++ mailscanner_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 mscan_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ allow $1 mscan_t:process signal_perms;
++ ps_process_pattern($1, mscan_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 mscan_t:process ptrace;
++ ')
++
++ admin_pattern($1, mscan_etc_t)
++ files_list_etc($1)
++
++ admin_pattern($1, mscan_var_run_t)
++ files_list_pids($1)
++')
+diff --git a/mailscanner.te b/mailscanner.te
+new file mode 100644
+index 0000000..45f3262
+--- /dev/null
++++ b/mailscanner.te
+@@ -0,0 +1,85 @@
++policy_module(mailscanner, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mscan_t;
++type mscan_exec_t;
++init_daemon_domain(mscan_t, mscan_exec_t)
++
++type mscan_initrc_exec_t;
++init_script_file(mscan_initrc_exec_t)
++
++type mscan_etc_t;
++files_config_file(mscan_etc_t)
++
++type mscan_tmp_t;
++files_tmp_file(mscan_tmp_t)
++
++type mscan_var_run_t;
++files_pid_file(mscan_var_run_t)
++
++########################################
++#
++# Local policy
++#
++
++allow mscan_t self:capability { setuid chown setgid dac_override };
++allow mscan_t self:process signal;
++allow mscan_t self:fifo_file rw_fifo_file_perms;
++
++read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
++
++manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
++files_pid_filetrans(mscan_t, mscan_var_run_t, file)
++
++manage_dirs_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
++manage_files_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
++files_tmp_filetrans(mscan_t, mscan_tmp_t, { dir file })
++
++can_exec(mscan_t, mscan_exec_t)
++
++kernel_read_system_state(mscan_t)
++
++corecmd_exec_bin(mscan_t)
++corecmd_exec_shell(mscan_t)
++
++corenet_tcp_connect_fprot_port(mscan_t)
++corenet_tcp_sendrecv_fprot_port(mscan_t)
++corenet_sendrecv_fprot_client_packets(mscan_t)
++corenet_udp_bind_generic_node(mscan_t)
++corenet_udp_bind_generic_port(mscan_t)
++corenet_udp_sendrecv_all_ports(mscan_t)
++corenet_sendrecv_generic_server_packets(mscan_t)
++
++dev_read_urand(mscan_t)
++
++files_read_usr_files(mscan_t)
++
++fs_getattr_xattr_fs(mscan_t)
++
++auth_dontaudit_read_shadow(mscan_t)
++auth_use_nsswitch(mscan_t)
++
++logging_send_syslog_msg(mscan_t)
++
++optional_policy(`
++ clamav_domtrans_clamscan(mscan_t)
++ clamav_manage_clamd_pid(mscan_t)
++')
++
++optional_policy(`
++ mta_send_mail(mscan_t)
++ mta_manage_queue(mscan_t)
++')
++
++optional_policy(`
++ procmail_domtrans(mscan_t)
++')
++
++optional_policy(`
++ spamassassin_read_home_client(mscan_t)
++ spamassassin_read_lib_files(mscan_t)
++')
+diff --git a/man2html.fc b/man2html.fc
+new file mode 100644
+index 0000000..2907017
+--- /dev/null
++++ b/man2html.fc
+@@ -0,0 +1,5 @@
++/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
++
++/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
+diff --git a/man2html.if b/man2html.if
+new file mode 100644
+index 0000000..050157a
+--- /dev/null
++++ b/man2html.if
+@@ -0,0 +1,127 @@
++
++## policy for httpd_man2html_script
++
++########################################
++##
++## Transition to httpd_man2html_script.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`httpd_man2html_script_domtrans',`
++ gen_require(`
++ type httpd_man2html_script_t, httpd_man2html_script_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t)
++')
++
++########################################
++##
++## Search httpd_man2html_script cache directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`httpd_man2html_script_search_cache',`
++ gen_require(`
++ type httpd_man2html_script_cache_t;
++ ')
++
++ allow $1 httpd_man2html_script_cache_t:dir search_dir_perms;
++ files_search_var($1)
++')
++
++########################################
++##
++## Read httpd_man2html_script cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`httpd_man2html_script_read_cache_files',`
++ gen_require(`
++ type httpd_man2html_script_cache_t;
++ ')
++
++ files_search_var($1)
++ read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## httpd_man2html_script cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`httpd_man2html_script_manage_cache_files',`
++ gen_require(`
++ type httpd_man2html_script_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++')
++
++########################################
++##
++## Manage httpd_man2html_script cache dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`httpd_man2html_script_manage_cache_dirs',`
++ gen_require(`
++ type httpd_man2html_script_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an httpd_man2html_script environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`httpd_man2html_script_admin',`
++ gen_require(`
++ type httpd_man2html_script_t;
++ type httpd_man2html_script_cache_t;
++ ')
++
++ allow $1 httpd_man2html_script_t:process { ptrace signal_perms };
++ ps_process_pattern($1, httpd_man2html_script_t)
++
++ files_search_var($1)
++ admin_pattern($1, httpd_man2html_script_cache_t)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/man2html.te b/man2html.te
+new file mode 100644
+index 0000000..29b79eb
+--- /dev/null
++++ b/man2html.te
+@@ -0,0 +1,30 @@
++policy_module(man2html, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type httpd_man2html_script_cache_t;
++files_type(httpd_man2html_script_cache_t)
++
++########################################
++#
++# httpd_man2html_script local policy
++#
++
++optional_policy(`
++
++ apache_content_template(man2html)
++
++ allow httpd_man2html_script_t self:process { fork };
++
++ manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++ manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++ manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++ files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file })
++
++ domain_use_interactive_fds(httpd_man2html_script_t)
++
++ files_read_etc_files(httpd_man2html_script_t)
++')
+diff --git a/mandb.fc b/mandb.fc
+new file mode 100644
+index 0000000..75b9968
+--- /dev/null
++++ b/mandb.fc
+@@ -0,0 +1,3 @@
++/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
++
++/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
+diff --git a/mandb.if b/mandb.if
+new file mode 100644
+index 0000000..4a4e899
+--- /dev/null
++++ b/mandb.if
+@@ -0,0 +1,187 @@
++
++## policy for mandb
++
++########################################
++##
++## Transition to mandb.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`mandb_domtrans',`
++ gen_require(`
++ type mandb_t, mandb_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, mandb_exec_t, mandb_t)
++')
++
++########################################
++##
++## Search mandb cache directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mandb_search_cache',`
++ gen_require(`
++ type mandb_cache_t;
++ ')
++
++ allow $1 mandb_cache_t:dir search_dir_perms;
++ files_search_var($1)
++')
++
++########################################
++##
++## Read mandb cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mandb_read_cache_files',`
++ gen_require(`
++ type mandb_cache_t;
++ ')
++
++ files_search_var($1)
++ read_files_pattern($1, mandb_cache_t, mandb_cache_t)
++')
++
++########################################
++##
++## Relabel mandb cache files/directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mandb_relabel_cache',`
++ gen_require(`
++ type mandb_cache_t;
++ ')
++
++ allow $1 mandb_cache_t:dir relabel_dir_perms;
++ allow $1 mandb_cache_t:file relabel_file_perms;
++')
++
++########################################
++##
++## Set attributes on mandb cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mandb_setattr_cache_dirs',`
++ gen_require(`
++ type mandb_cache_t;
++ ')
++
++ files_search_var($1)
++ allow $1 mandb_cache_t:dir setattr;
++')
++
++########################################
++##
++## Delete mandb cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mandb_delete_cache',`
++ gen_require(`
++ type mandb_cache_t;
++ ')
++
++ files_search_var($1)
++ allow $1 mandb_cache_t:dir list_dir_perms;
++ delete_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
++ delete_files_pattern($1, mandb_cache_t, mandb_cache_t)
++ delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## mandb cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mandb_manage_cache_files',`
++ gen_require(`
++ type mandb_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_files_pattern($1, mandb_cache_t, mandb_cache_t)
++')
++
++########################################
++##
++## Manage mandb cache dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mandb_manage_cache_dirs',`
++ gen_require(`
++ type mandb_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an mandb environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mandb_admin',`
++ gen_require(`
++ type mandb_t;
++ type mandb_cache_t;
++ ')
++
++ allow $1 mandb_t:process { ptrace signal_perms };
++ ps_process_pattern($1, mandb_t)
++
++ files_search_var($1)
++ admin_pattern($1, mandb_cache_t)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/mandb.te b/mandb.te
+new file mode 100644
+index 0000000..8cc45e7
+--- /dev/null
++++ b/mandb.te
+@@ -0,0 +1,35 @@
++policy_module(mandb, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mandb_t;
++type mandb_exec_t;
++init_daemon_domain(mandb_t, mandb_exec_t)
++cron_system_entry(mandb_t, mandb_exec_t)
++
++type mandb_cache_t;
++files_type(mandb_cache_t)
++
++########################################
++#
++# mandb local policy
++#
++allow mandb_t self:fifo_file rw_fifo_file_perms;
++allow mandb_t self:unix_stream_socket create_stream_socket_perms;
++allow mandb_t self:process signal;
++
++manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
++manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
++manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
++files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })
++
++kernel_read_system_state(mandb_t)
++
++corecmd_exec_bin(mandb_t)
++
++domain_use_interactive_fds(mandb_t)
++
++files_read_etc_files(mandb_t)
+diff --git a/mcelog.fc b/mcelog.fc
+index 56c43c0..409bbfc 100644
+--- a/mcelog.fc
++++ b/mcelog.fc
+@@ -1 +1,5 @@
+ /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
++
++/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
++
++/var/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0)
+diff --git a/mcelog.te b/mcelog.te
+index 5671977..99a63b2 100644
+--- a/mcelog.te
++++ b/mcelog.te
+@@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0)
+
+ type mcelog_t;
+ type mcelog_exec_t;
++init_system_domain(mcelog_t, mcelog_exec_t)
+ application_domain(mcelog_t, mcelog_exec_t)
+-cron_system_entry(mcelog_t, mcelog_exec_t)
++
++type mcelog_var_run_t;
++files_pid_file(mcelog_var_run_t)
++
++type mcelog_log_t;
++logging_log_file(mcelog_log_t)
+
+ ########################################
+ #
+@@ -17,16 +23,33 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
+
+ allow mcelog_t self:capability sys_admin;
+
++manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
++manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
++logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir })
++
++manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
++manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
++manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
++files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file } )
++
+ kernel_read_system_state(mcelog_t)
+
++corecmd_exec_shell(mcelog_t)
++corecmd_exec_bin(mcelog_t)
++
+ dev_read_raw_memory(mcelog_t)
+ dev_read_kmsg(mcelog_t)
++dev_rw_sysfs(mcelog_t)
+
+ files_read_etc_files(mcelog_t)
+
+ # for /dev/mem access
+ mls_file_read_all_levels(mcelog_t)
+
++auth_read_passwd(mcelog_t)
++
+ logging_send_syslog_msg(mcelog_t)
+
+-miscfiles_read_localization(mcelog_t)
++optional_policy(`
++ cron_system_entry(mcelog_t, mcelog_exec_t)
++')
+diff --git a/mcollective.fc b/mcollective.fc
+new file mode 100644
+index 0000000..821bf88
+--- /dev/null
++++ b/mcollective.fc
+@@ -0,0 +1,3 @@
++/etc/mcollective/facts\.yaml -- gen_context(system_u:object_r:mcollective_etc_rw_t,s0)
++
++/usr/libexec/mcollective/update_yaml\.rb -- gen_context(system_u:object_r:mcollective_exec_t,s0)
+diff --git a/mcollective.if b/mcollective.if
+new file mode 100644
+index 0000000..e76a9b5
+--- /dev/null
++++ b/mcollective.if
+@@ -0,0 +1,114 @@
++
++## policy for mcollective
++
++########################################
++##
++## Execute TEMPLATE in the mcollective domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`mcollective_domtrans',`
++ gen_require(`
++ type mcollective_t, mcollective_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, mcollective_exec_t, mcollective_t)
++')
++
++########################################
++##
++## Search mcollective conf directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mcollective_search_conf',`
++ gen_require(`
++ type mcollective_etc_rw_t;
++ ')
++
++ allow $1 mcollective_etc_rw_t:dir search_dir_perms;
++ files_search_etc($1)
++')
++
++########################################
++##
++## Read mcollective conf files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mcollective_read_conf_files',`
++ gen_require(`
++ type mcollective_etc_rw_t;
++ ')
++
++ allow $1 mcollective_etc_rw_t:dir list_dir_perms;
++ read_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
++ files_search_etc($1)
++')
++
++########################################
++##
++## Manage mcollective conf files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mcollective_manage_conf_files',`
++ gen_require(`
++ type mcollective_etc_rw_t;
++ ')
++
++ manage_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
++ files_search_etc($1)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an mcollective environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`mcollective_admin',`
++ gen_require(`
++ type mcollective_t;
++ type mcollective_etc_rw_t;
++ ')
++
++ allow $1 mcollective_t:process { ptrace signal_perms };
++ ps_process_pattern($1, mcollective_t)
++
++ files_search_etc($1)
++ admin_pattern($1, mcollective_etc_rw_t)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/mcollective.te b/mcollective.te
+new file mode 100644
+index 0000000..5dd171f
+--- /dev/null
++++ b/mcollective.te
+@@ -0,0 +1,30 @@
++policy_module(mcollective, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mcollective_t;
++type mcollective_exec_t;
++init_daemon_domain(mcollective_t, mcollective_exec_t)
++cron_system_entry(mcollective_t, mcollective_exec_t)
++
++permissive mcollective_t;
++
++type mcollective_etc_rw_t;
++files_type(mcollective_etc_rw_t)
++
++########################################
++#
++# mcollective local policy
++#
++allow mcollective_t self:fifo_file rw_fifo_file_perms;
++allow mcollective_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(mcollective_t, mcollective_etc_rw_t, mcollective_etc_rw_t)
++files_etc_filetrans(mcollective_t, mcollective_etc_rw_t, file, "facts.yaml")
++
++domain_use_interactive_fds(mcollective_t)
++
++files_read_etc_files(mcollective_t)
+diff --git a/mediawiki.if b/mediawiki.if
+index 98d28b4..1c1d012 100644
+--- a/mediawiki.if
++++ b/mediawiki.if
+@@ -1 +1,40 @@
+ ## Mediawiki policy
++
++#######################################
++##
++## Allow the specified domain to read
++## mediawiki tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mediawiki_read_tmp_files',`
++ gen_require(`
++ type httpd_mediawiki_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++ read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++')
++
++#######################################
++##
++## Delete mediawiki tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mediawiki_delete_tmp_files',`
++ gen_require(`
++ type httpd_mediawiki_tmp_t;
++ ')
++
++ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++')
+diff --git a/mediawiki.te b/mediawiki.te
+index d7cb9e4..7e81838 100644
+--- a/mediawiki.te
++++ b/mediawiki.te
+@@ -5,13 +5,16 @@ policy_module(mediawiki, 1.0.0)
+ # Declarations
+ #
+
+-apache_content_template(mediawiki)
++optional_policy(`
++
++ apache_content_template(mediawiki)
+
+ ########################################
+ #
+ # mediawiki local policy
+ #
+
+-files_search_var_lib(httpd_mediawiki_script_t)
++ files_search_var_lib(httpd_mediawiki_script_t)
+
+-miscfiles_read_tetex_data(httpd_mediawiki_script_t)
++ miscfiles_read_tetex_data(httpd_mediawiki_script_t)
++')
+diff --git a/memcached.fc b/memcached.fc
+index 4d69477..d3b4f39 100644
+--- a/memcached.fc
++++ b/memcached.fc
+@@ -2,4 +2,5 @@
+
+ /usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)
+
++/var/run/ipa_memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
+ /var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
+diff --git a/memcached.if b/memcached.if
+index db4fd6f..650014e 100644
+--- a/memcached.if
++++ b/memcached.if
+@@ -40,6 +40,44 @@ interface(`memcached_read_pid_files',`
+
+ ########################################
+ ##
++## Manage memcached PID files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`memcached_manage_pid_files',`
++ gen_require(`
++ type memcached_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
++')
++
++########################################
++##
++## Connect to memcached over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`memcached_stream_connect',`
++ gen_require(`
++ type memcached_t, memcached_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an memcached environment
+ ##
+@@ -57,17 +95,20 @@ interface(`memcached_read_pid_files',`
+ #
+ interface(`memcached_admin',`
+ gen_require(`
+- type memcached_t;
+- type memcached_initrc_exec_t;
++ type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
+ ')
+
+- allow $1 memcached_t:process { ptrace signal_perms };
++ allow $1 memcached_t:process signal_perms;
+ ps_process_pattern($1, memcached_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 memcached_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, memcached_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 memcached_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_list_pids($1)
+ admin_pattern($1, memcached_var_run_t)
+ ')
+diff --git a/memcached.te b/memcached.te
+index b681608..9c4fc55 100644
+--- a/memcached.te
++++ b/memcached.te
+@@ -28,7 +28,6 @@ allow memcached_t self:udp_socket { create_socket_perms listen };
+ allow memcached_t self:fifo_file rw_fifo_file_perms;
+ allow memcached_t self:unix_stream_socket create_stream_socket_perms;
+
+-corenet_all_recvfrom_unlabeled(memcached_t)
+ corenet_udp_sendrecv_generic_if(memcached_t)
+ corenet_udp_sendrecv_generic_node(memcached_t)
+ corenet_udp_sendrecv_all_ports(memcached_t)
+@@ -42,12 +41,12 @@ corenet_udp_bind_memcache_port(memcached_t)
+
+ manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+ manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+-files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
++manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
++files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir sock_file })
+
+ kernel_read_kernel_sysctls(memcached_t)
+ kernel_read_system_state(memcached_t)
+
+-files_read_etc_files(memcached_t)
+
+ term_dontaudit_use_all_ptys(memcached_t)
+ term_dontaudit_use_all_ttys(memcached_t)
+@@ -55,4 +54,3 @@ term_dontaudit_use_console(memcached_t)
+
+ auth_use_nsswitch(memcached_t)
+
+-miscfiles_read_localization(memcached_t)
+diff --git a/milter.fc b/milter.fc
+index 1ec5a6c..64ac6f0 100644
+--- a/milter.fc
++++ b/milter.fc
+@@ -1,15 +1,26 @@
++/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
++
++/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
++/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+ /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
++/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
++/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+ /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+
++/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
++/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+
++/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ /var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
++/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+ /var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
++/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+
+ /var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+ /var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
++/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+diff --git a/milter.if b/milter.if
+index ee72cbe..bdf319a 100644
+--- a/milter.if
++++ b/milter.if
+@@ -24,9 +24,13 @@ template(`milter_template',`
+
+ # Type for the milter data (e.g. the socket used to communicate with the MTA)
+ type $1_milter_data_t, milter_data_type;
+- files_type($1_milter_data_t)
++ files_pid_file($1_milter_data_t)
++
++ # Allow communication with MTA over a unix-domain socket
++ # Note: usage with TCP sockets requires additional policy
+
+ allow $1_milter_t self:fifo_file rw_fifo_file_perms;
++
+ # Allow communication with MTA over a TCP socket
+ allow $1_milter_t self:tcp_socket create_stream_socket_perms;
+
+@@ -36,12 +40,13 @@ template(`milter_template',`
+ # Create other data files and directories in the data directory
+ manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
++ kernel_dontaudit_read_system_state($1_milter_t)
++
+ corenet_tcp_bind_generic_node($1_milter_t)
+ corenet_tcp_bind_milter_port($1_milter_t)
+
+ files_read_etc_files($1_milter_t)
+
+- miscfiles_read_localization($1_milter_t)
+
+ logging_send_syslog_msg($1_milter_t)
+ ')
+@@ -61,6 +66,7 @@ interface(`milter_stream_connect_all',`
+ attribute milter_data_type, milter_domains;
+ ')
+
++ files_search_pids($1)
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+ stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
+ ')
+@@ -86,6 +92,24 @@ interface(`milter_getattr_all_sockets',`
+
+ ########################################
+ ##
++## Allow setattr of milter dirs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`milter_setattr_all_dirs',`
++ gen_require(`
++ attribute milter_data_type;
++ ')
++
++ setattr_dirs_pattern($1, milter_data_type, milter_data_type)
++')
++
++########################################
++##
+ ## Manage spamassassin milter state
+ ##
+ ##
+@@ -104,3 +128,22 @@ interface(`milter_manage_spamass_state',`
+ manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ ')
++
++#######################################
++##
++## Delete dkim-milter PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`milter_delete_dkim_pid_files',`
++ gen_require(`
++ type dkim_milter_data_t;
++ ')
++
++ files_search_pids($1)
++ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
++')
+diff --git a/milter.te b/milter.te
+index 26101cb..64c2969 100644
+--- a/milter.te
++++ b/milter.te
+@@ -9,6 +9,13 @@ policy_module(milter, 1.4.0)
+ attribute milter_domains;
+ attribute milter_data_type;
+
++# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
++milter_template(dkim)
++
++# type for the private key of dkim-milter
++type dkim_milter_private_key_t;
++files_type(dkim_milter_private_key_t)
++
+ # currently-supported milters are milter-greylist, milter-regex and spamass-milter
+ milter_template(greylist)
+ milter_template(regex)
+@@ -20,6 +27,26 @@ milter_template(spamass)
+ type spamass_milter_state_t;
+ files_type(spamass_milter_state_t)
+
++#######################################
++#
++# dkim-milter local policy
++#
++
++allow dkim_milter_t self:capability { kill setgid setuid };
++allow dkim_milter_t self:process signal;
++allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
++allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
++
++kernel_read_kernel_sysctls(dkim_milter_t)
++
++auth_use_nsswitch(dkim_milter_t)
++
++sysnet_dns_name_resolve(dkim_milter_t)
++
++mta_read_config(dkim_milter_t)
++
+ ########################################
+ #
+ # milter-greylist local policy
+@@ -33,11 +60,25 @@ files_type(spamass_milter_state_t)
+ allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+ allow greylist_milter_t self:process { setsched getsched };
+
++allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
++
+ # It creates a pid file /var/run/milter-greylist.pid
+ files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
+
+ kernel_read_kernel_sysctls(greylist_milter_t)
+
++dev_read_rand(greylist_milter_t)
++dev_read_urand(greylist_milter_t)
++
++corecmd_exec_bin(greylist_milter_t)
++corecmd_exec_shell(greylist_milter_t)
++
++corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
++corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
++corenet_tcp_bind_rtsclient_port(greylist_milter_t)
++
++# perl getgroups() reads a bunch of files in /etc
++files_read_etc_files(greylist_milter_t)
+ # Allow the milter to read a GeoIP database in /usr/share
+ files_read_usr_files(greylist_milter_t)
+ # The milter runs from /var/lib/milter-greylist and maintains files there
+@@ -49,6 +90,14 @@ auth_use_nsswitch(greylist_milter_t)
+ # Config is in /etc/mail/greylist.conf
+ mta_read_config(greylist_milter_t)
+
++
++sysnet_read_config(greylist_milter_t)
++
++
++optional_policy(`
++ mysql_stream_connect(greylist_milter_t)
++')
++
+ ########################################
+ #
+ # milter-regex local policy
+@@ -88,6 +137,8 @@ corecmd_exec_shell(spamass_milter_t)
+ corecmd_read_bin_symlinks(spamass_milter_t)
+ corecmd_search_bin(spamass_milter_t)
+
++auth_use_nsswitch(spamass_milter_t)
++
+ mta_send_mail(spamass_milter_t)
+
+ # The main job of the milter is to pipe spam through spamc and act on the result
+diff --git a/mock.fc b/mock.fc
+new file mode 100644
+index 0000000..8d0e473
+--- /dev/null
++++ b/mock.fc
+@@ -0,0 +1,5 @@
++
++/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
++
++/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
++/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
+diff --git a/mock.if b/mock.if
+new file mode 100644
+index 0000000..7f6f2d6
+--- /dev/null
++++ b/mock.if
+@@ -0,0 +1,307 @@
++## policy for mock
++
++########################################
++##
++## Execute a domain transition to run mock.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`mock_domtrans',`
++ gen_require(`
++ type mock_t, mock_exec_t;
++ ')
++
++ domtrans_pattern($1, mock_exec_t, mock_t)
++')
++
++########################################
++##
++## Search mock lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mock_search_lib',`
++ gen_require(`
++ type mock_var_lib_t;
++ ')
++
++ allow $1 mock_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read mock lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mock_read_lib_files',`
++ gen_require(`
++ type mock_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
++')
++
++########################################
++##
++## Getattr on mock lib file,dir,sock_file ...
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mock_getattr_lib',`
++ gen_require(`
++ type mock_var_lib_t;
++ ')
++
++ allow $1 mock_var_lib_t:dir_file_class_set getattr;
++')
++
++########################################
++##
++## Create, read, write, and delete
++## mock lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mock_manage_lib_files',`
++ gen_require(`
++ type mock_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
++')
++
++########################################
++##
++## Manage mock lib dirs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mock_manage_lib_dirs',`
++ gen_require(`
++ type mock_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
++')
++
++#########################################
++##
++## Manage mock lib symlinks.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mock_manage_lib_symlinks',`
++ gen_require(`
++ type mock_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
++')
++
++########################################
++##
++## Manage mock lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mock_manage_lib_chr_files',`
++ gen_require(`
++ type mock_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
++')
++
++########################################
++##
++## Manage mock lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mock_dontaudit_write_lib_chr_files',`
++ gen_require(`
++ type mock_var_lib_t;
++ ')
++
++ dontaudit $1 mock_var_lib_t:chr_file write;
++')
++
++#######################################
++##
++## Dontaudit read and write an leaked file descriptors
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`mock_dontaudit_leaks',`
++ gen_require(`
++ type mock_tmp_t;
++ ')
++
++ dontaudit $1 mock_tmp_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Execute mock in the mock domain, and
++## allow the specified role the mock domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the mock domain.
++##
++##
++##
++#
++interface(`mock_run',`
++ gen_require(`
++ type mock_t;
++ type mock_build_t;
++ ')
++
++ mock_domtrans($1)
++ role $2 types mock_t;
++ role $2 types mock_build_t;
++
++ optional_policy(`
++ mount_run(mock_t, $2)
++ ')
++')
++
++########################################
++##
++## Role access for mock
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++##
++#
++interface(`mock_role',`
++ gen_require(`
++ type mock_t;
++ ')
++
++ role $1 types mock_t;
++
++ mock_run($2, $1)
++
++ ps_process_pattern($2, mock_t)
++ allow $2 mock_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 mock_t:process ptrace;
++ ')
++')
++
++#######################################
++##
++## Send a generic signal to mock.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mock_signal',`
++ gen_require(`
++ type mock_t;
++ ')
++
++ allow $1 mock_t:process signal;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an mock environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mock_admin',`
++ gen_require(`
++ type mock_t, mock_var_lib_t;
++ type mock_build_t, mock_etc_t, mock_tmp_t;
++ ')
++
++ allow $1 mock_t:process signal_perms;
++ ps_process_pattern($1, mock_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 mock_t:process ptrace;
++ allow $1 mock_build_t:process ptrace;
++ ')
++
++ allow $1 mock_build_t:process signal_perms;
++ ps_process_pattern($1, mock_build_t)
++
++ files_list_var_lib($1)
++ admin_pattern($1, mock_var_lib_t)
++
++ files_list_tmp($1)
++ admin_pattern($1, mock_tmp_t)
++
++ files_search_etc($1)
++ admin_pattern($1, mock_etc_t)
++')
+diff --git a/mock.te b/mock.te
+new file mode 100644
+index 0000000..ecfd7be
+--- /dev/null
++++ b/mock.te
+@@ -0,0 +1,247 @@
++policy_module(mock,1.0.0)
++
++##
++##
++## Allow mock to read files in home directories.
++##
++##
++gen_tunable(mock_enable_homedirs, false)
++
++########################################
++#
++# Declarations
++#
++
++type mock_t;
++type mock_exec_t;
++application_domain(mock_t, mock_exec_t)
++domain_role_change_exemption(mock_t)
++domain_system_change_exemption(mock_t)
++role system_r types mock_t;
++
++type mock_build_t;
++type mock_build_exec_t;
++application_domain(mock_build_t, mock_build_exec_t)
++role system_r types mock_build_t;
++
++type mock_cache_t;
++files_type(mock_cache_t)
++
++type mock_tmp_t;
++files_tmp_file(mock_tmp_t)
++
++type mock_var_lib_t;
++files_type(mock_var_lib_t)
++
++type mock_etc_t;
++files_config_file(mock_etc_t)
++
++########################################
++#
++# mock local policy
++#
++
++allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
++allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
++# Needed because mock can run java and mono withing build environment
++allow mock_t self:process { execmem execstack };
++dontaudit mock_t self:process { siginh noatsecure rlimitinh };
++allow mock_t self:fifo_file manage_fifo_file_perms;
++allow mock_t self:unix_stream_socket create_stream_socket_perms;
++allow mock_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
++manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
++manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
++files_var_filetrans(mock_t, mock_cache_t, { dir file } )
++
++read_files_pattern(mock_t, mock_etc_t, mock_etc_t)
++read_lnk_files_pattern(mock_t, mock_etc_t, mock_etc_t)
++
++manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
++manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
++manage_lnk_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
++files_tmp_filetrans(mock_t, mock_tmp_t, { dir file lnk_file })
++
++manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
++manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
++manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
++manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
++manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
++files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
++allow mock_t mock_var_lib_t:dir mounton;
++allow mock_t mock_var_lib_t:dir relabel_dir_perms;
++allow mock_t mock_var_lib_t:file relabel_file_perms;
++
++kernel_list_proc(mock_t)
++kernel_read_irq_sysctls(mock_t)
++kernel_read_system_state(mock_t)
++kernel_read_network_state(mock_t)
++kernel_read_kernel_sysctls(mock_t)
++kernel_request_load_module(mock_t)
++kernel_dontaudit_setattr_proc_dirs(mock_t)
++kernel_read_fs_sysctls(mock_t)
++
++corecmd_exec_bin(mock_t)
++corecmd_exec_shell(mock_t)
++corecmd_dontaudit_exec_all_executables(mock_t)
++
++corenet_tcp_connect_git_port(mock_t)
++corenet_tcp_connect_http_port(mock_t)
++corenet_tcp_connect_ftp_port(mock_t)
++corenet_tcp_connect_all_ephemeral_ports(mock_t)
++
++dev_read_urand(mock_t)
++dev_read_sysfs(mock_t)
++dev_setattr_sysfs_dirs(mock_t)
++
++domain_read_all_domains_state(mock_t)
++domain_use_interactive_fds(mock_t)
++
++files_read_etc_runtime_files(mock_t)
++files_read_usr_files(mock_t)
++files_dontaudit_list_boot(mock_t)
++
++fs_getattr_all_fs(mock_t)
++fs_search_all(mock_t)
++fs_manage_cgroup_dirs(mock_t)
++files_list_isid_type_dirs(mock_t)
++
++selinux_get_enforce_mode(mock_t)
++
++term_search_ptys(mock_t)
++
++auth_use_nsswitch(mock_t)
++
++init_exec(mock_t)
++init_dontaudit_stream_connect(mock_t)
++
++libs_exec_ldconfig(mock_t)
++
++logging_send_audit_msgs(mock_t)
++logging_send_syslog_msg(mock_t)
++
++userdom_use_user_ptys(mock_t)
++
++files_search_home(mock_t)
++
++tunable_policy(`mock_enable_homedirs',`
++ userdom_manage_user_home_content_dirs(mock_t)
++ userdom_manage_user_home_content_files(mock_t)
++')
++
++tunable_policy(`mock_enable_homedirs && use_nfs_home_dirs',`
++ rpc_search_nfs_state_data(mock_t)
++ fs_list_auto_mountpoints(mock_t)
++ fs_manage_nfs_files(mock_t)
++')
++
++tunable_policy(`mock_enable_homedirs && use_samba_home_dirs',`
++ fs_list_auto_mountpoints(mock_t)
++ fs_read_cifs_files(mock_t)
++ fs_manage_cifs_files(mock_t)
++')
++
++optional_policy(`
++ abrt_read_spool_retrace(mock_t)
++ abrt_read_cache_retrace(mock_t)
++ abrt_stream_connect(mock_t)
++')
++
++optional_policy(`
++ rpm_exec(mock_t)
++')
++
++optional_policy(`
++ mount_exec(mock_t)
++')
++
++optional_policy(`
++ apache_read_sys_content_rw_files(mock_t)
++')
++
++########################################
++#
++# mock_build local policy
++#
++allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
++dontaudit mock_build_t self:capability audit_write;
++allow mock_build_t self:process { fork setsched setpgid signal_perms };
++allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
++# Needed because mock can run java and mono withing build environment
++allow mock_build_t self:process { execmem execstack };
++dontaudit mock_build_t self:process { siginh noatsecure rlimitinh };
++allow mock_build_t self:fifo_file manage_fifo_file_perms;
++allow mock_build_t self:unix_stream_socket create_stream_socket_perms;
++allow mock_build_t self:unix_dgram_socket create_socket_perms;
++allow mock_build_t self:dir list_dir_perms;
++allow mock_build_t self:dir read_file_perms;
++
++ps_process_pattern(mock_t, mock_build_t)
++allow mock_t mock_build_t:process signal_perms;
++domtrans_pattern(mock_t, mock_build_exec_t, mock_build_t)
++domtrans_pattern(mock_t, mock_tmp_t, mock_build_t)
++domain_entry_file(mock_build_t, mock_tmp_t)
++domtrans_pattern(mock_t, mock_var_lib_t, mock_build_t)
++domain_entry_file(mock_build_t, mock_var_lib_t)
++
++manage_dirs_pattern(mock_build_t, mock_cache_t, mock_cache_t)
++manage_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
++manage_lnk_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
++files_var_filetrans(mock_build_t, mock_cache_t, { dir file } )
++
++manage_dirs_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
++manage_files_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
++files_tmp_filetrans(mock_build_t, mock_tmp_t, { dir file })
++can_exec(mock_build_t, mock_tmp_t)
++
++manage_dirs_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
++manage_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
++manage_lnk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
++manage_blk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
++manage_chr_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
++files_var_lib_filetrans(mock_build_t, mock_var_lib_t, { dir file })
++can_exec(mock_build_t, mock_var_lib_t)
++allow mock_build_t mock_var_lib_t:dir mounton;
++allow mock_build_t mock_var_lib_t:dir relabel_dir_perms;
++allow mock_build_t mock_var_lib_t:file relabel_file_perms;
++
++kernel_list_proc(mock_build_t)
++kernel_read_irq_sysctls(mock_build_t)
++kernel_read_system_state(mock_build_t)
++kernel_read_network_state(mock_build_t)
++kernel_read_kernel_sysctls(mock_build_t)
++kernel_request_load_module(mock_build_t)
++kernel_dontaudit_setattr_proc_dirs(mock_build_t)
++
++corecmd_exec_bin(mock_build_t)
++corecmd_exec_shell(mock_build_t)
++corecmd_dontaudit_exec_all_executables(mock_build_t)
++
++dev_getattr_all_chr_files(mock_build_t)
++dev_dontaudit_list_all_dev_nodes(mock_build_t)
++dev_dontaudit_getattr_all(mock_build_t)
++fs_getattr_all_dirs(mock_build_t)
++dev_read_sysfs(mock_build_t)
++
++domain_dontaudit_read_all_domains_state(mock_build_t)
++domain_use_interactive_fds(mock_build_t)
++
++files_read_usr_files(mock_build_t)
++files_dontaudit_list_boot(mock_build_t)
++
++fs_getattr_all_fs(mock_build_t)
++fs_manage_cgroup_dirs(mock_build_t)
++
++selinux_get_enforce_mode(mock_build_t)
++
++auth_use_nsswitch(mock_build_t)
++
++init_exec(mock_build_t)
++init_dontaudit_stream_connect(mock_build_t)
++
++libs_exec_ldconfig(mock_build_t)
++
++tunable_policy(`mock_enable_homedirs',`
++ userdom_read_user_home_content_files(mock_build_t)
++')
+diff --git a/modemmanager.te b/modemmanager.te
+index b3ace16..41f9aa5 100644
+--- a/modemmanager.te
++++ b/modemmanager.te
+@@ -7,7 +7,7 @@ policy_module(modemmanager, 1.1.0)
+
+ type modemmanager_t;
+ type modemmanager_exec_t;
+-dbus_system_domain(modemmanager_t, modemmanager_exec_t)
++init_daemon_domain(modemmanager_t, modemmanager_exec_t)
+ typealias modemmanager_t alias ModemManager_t;
+ typealias modemmanager_exec_t alias ModemManager_exec_t;
+
+@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
+ # ModemManager local policy
+ #
+
+-allow modemmanager_t self:process signal;
++allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
++allow modemmanager_t self:process { getsched signal };
+ allow modemmanager_t self:fifo_file rw_file_perms;
+ allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -28,13 +29,29 @@ dev_rw_modem(modemmanager_t)
+
+ files_read_etc_files(modemmanager_t)
+
+-term_use_unallocated_ttys(modemmanager_t)
++term_use_generic_ptys(modemmanager_t)
++term_use_unallocated_ttys(modemmanager_t) # this should be reproduced, might have been mislabelled usbtty_device_t
++term_use_usb_ttys(modemmanager_t)
+
+-miscfiles_read_localization(modemmanager_t)
++xserver_read_state_xdm(modemmanager_t)
+
+ logging_send_syslog_msg(modemmanager_t)
+
+-networkmanager_dbus_chat(modemmanager_t)
++optional_policy(`
++ dbus_system_domain(modemmanager_t, modemmanager_exec_t)
++')
++
++optional_policy(`
++ networkmanager_dbus_chat(modemmanager_t)
++')
++
++optional_policy(`
++ devicekit_dbus_chat_power(modemmanager_t)
++')
++
++optional_policy(`
++ policykit_dbus_chat(modemmanager_t)
++')
+
+ optional_policy(`
+ udev_read_db(modemmanager_t)
+diff --git a/mojomojo.if b/mojomojo.if
+index 657a9fc..7022903 100644
+--- a/mojomojo.if
++++ b/mojomojo.if
+@@ -10,27 +10,26 @@
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## Role allowed access.
+-##
+-##
+-##
+ #
+ interface(`mojomojo_admin',`
+ gen_require(`
+- type httpd_mojomojo_script_t;
+- type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
+- type httpd_mojomojo_rw_content_t;
+- type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t;
++ type httpd_mojomojo_script_t, httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
++ type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t, httpd_mojomojo_htaccess_t;
++ type httpd_mojomojo_script_exec_t, httpd_mojomo_script_t;
+ ')
+
+- allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
++ allow $1 httpd_mojomojo_script_t:process signal_perms;
+ ps_process_pattern($1, httpd_mojomojo_script_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 httpd_mojomo_script_t:process ptrace;
++ ')
++
++ files_list_tmp($1)
++ admin_pattern($1, httpd_mojomojo_tmp_t)
+
+- files_search_var_lib(httpd_mojomojo_script_t)
++ files_list_var_lib(httpd_mojomojo_script_t)
+
+- apache_search_sys_content($1)
++ apache_list_sys_content($1)
+ admin_pattern($1, httpd_mojomojo_script_exec_t)
+ admin_pattern($1, httpd_mojomojo_script_t)
+ admin_pattern($1, httpd_mojomojo_content_t)
+diff --git a/mojomojo.te b/mojomojo.te
+index 83f002c..d09878d 100644
+--- a/mojomojo.te
++++ b/mojomojo.te
+@@ -5,32 +5,42 @@ policy_module(mojomojo, 1.0.0)
+ # Declarations
+ #
+
+-apache_content_template(mojomojo)
++
++type httpd_mojomojo_tmp_t;
++files_tmp_file(httpd_mojomojo_tmp_t)
+
+ ########################################
+ #
+ # mojomojo local policy
+ #
+
+-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
++optional_policy(`
++ apache_content_template(mojomojo)
+
+-corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
+-corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
+-corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
+-corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
+-corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
+-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
++ allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+
+-files_search_var_lib(httpd_mojomojo_script_t)
++ manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
++ manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
++ files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
+
+-sysnet_dns_name_resolve(httpd_mojomojo_script_t)
++ corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
++ corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
++ corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
++ corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
++ corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
++ corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
+
+-mta_send_mail(httpd_mojomojo_script_t)
++ files_search_var_lib(httpd_mojomojo_script_t)
+
+-optional_policy(`
+- mysql_stream_connect(httpd_mojomojo_script_t)
+-')
++ sysnet_dns_name_resolve(httpd_mojomojo_script_t)
+
+-optional_policy(`
+- postgresql_stream_connect(httpd_mojomojo_script_t)
++ mta_send_mail(httpd_mojomojo_script_t)
++
++ optional_policy(`
++ mysql_stream_connect(httpd_mojomojo_script_t)
++ ')
++
++ optional_policy(`
++ postgresql_stream_connect(httpd_mojomojo_script_t)
++ ')
+ ')
+diff --git a/mono.te b/mono.te
+index dff0f12..ecab36d 100644
+--- a/mono.te
++++ b/mono.te
+@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
+ # Local policy
+ #
+
+-allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
++allow mono_t self:process { signal getsched execheap execmem execstack };
+
+ init_dbus_chat_script(mono_t)
+
+diff --git a/monop.te b/monop.te
+index 6647a35..f3b35e1 100644
+--- a/monop.te
++++ b/monop.te
+@@ -42,7 +42,6 @@ kernel_read_kernel_sysctls(monopd_t)
+ kernel_list_proc(monopd_t)
+ kernel_read_proc_symlinks(monopd_t)
+
+-corenet_all_recvfrom_unlabeled(monopd_t)
+ corenet_all_recvfrom_netlabel(monopd_t)
+ corenet_tcp_sendrecv_generic_if(monopd_t)
+ corenet_udp_sendrecv_generic_if(monopd_t)
+@@ -65,8 +64,6 @@ fs_search_auto_mountpoints(monopd_t)
+
+ logging_send_syslog_msg(monopd_t)
+
+-miscfiles_read_localization(monopd_t)
+-
+ sysnet_read_config(monopd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(monopd_t)
+diff --git a/mozilla.fc b/mozilla.fc
+index 3a73e74..60e7237 100644
+--- a/mozilla.fc
++++ b/mozilla.fc
+@@ -2,8 +2,17 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0
+ HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+ HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+ HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+
+ #
+ # /bin
+@@ -16,6 +25,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+ /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
++ifdef(`distro_redhat',`
++/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
++/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
++/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
++')
++
+ ifdef(`distro_debian',`
+ /usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ ')
+@@ -23,11 +38,20 @@ ifdef(`distro_debian',`
+ #
+ # /lib
+ #
+-/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++
++/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++
++/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
++
++/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
++
++ifdef(`distro_redhat',`
++/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
++')
+diff --git a/mozilla.if b/mozilla.if
+index b397fde..17b14ad 100644
+--- a/mozilla.if
++++ b/mozilla.if
+@@ -18,10 +18,11 @@
+ interface(`mozilla_role',`
+ gen_require(`
+ type mozilla_t, mozilla_exec_t, mozilla_home_t;
+- attribute_role mozilla_roles;
++ #attribute_role mozilla_roles;
+ ')
+
+- roleattribute $1 mozilla_roles;
++ #roleattribute $1 mozilla_roles;
++ role $1 types mozilla_t;
+
+ domain_auto_trans($2, mozilla_exec_t, mozilla_t)
+ # Unrestricted inheritance from the caller.
+@@ -47,7 +48,24 @@ interface(`mozilla_role',`
+ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+
++ #should be remove then with adding of roleattribute
++ mozilla_run_plugin(mozilla_t, $1)
+ mozilla_dbus_chat($2)
++
++ userdom_manage_tmp_role($1, mozilla_t)
++
++ optional_policy(`
++ nsplugin_role($1, mozilla_t)
++ ')
++
++ optional_policy(`
++ pulseaudio_role($1, mozilla_t)
++ pulseaudio_filetrans_admin_home_content(mozilla_t)
++ pulseaudio_filetrans_home_content(mozilla_t)
++ ')
++
++ mozilla_filetrans_home_content($2)
++
+ ')
+
+ ########################################
+@@ -105,7 +123,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
+ type mozilla_home_t;
+ ')
+
+- dontaudit $1 mozilla_home_t:file rw_file_perms;
++ dontaudit $1 mozilla_home_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -193,11 +211,38 @@ interface(`mozilla_domtrans',`
+ #
+ interface(`mozilla_domtrans_plugin',`
+ gen_require(`
+- type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t;
++ type mozilla_plugin_t, mozilla_plugin_exec_t;
++ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
++ type mozilla_plugin_rw_t;
+ class dbus send_msg;
+ ')
+
+ domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
++ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
++ allow mozilla_plugin_t $1:process signull;
++ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
++ allow $1 mozilla_plugin_t:fd use;
++
++ #tunable_policy(`deny_ptrace',`',`
++ # allow $1 mozilla_plugin_t:process ptrace;
++ #')
++
++ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
++ allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
++ allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
++ allow mozilla_plugin_t $1:sem create_sem_perms;
++
++ ps_process_pattern($1, mozilla_plugin_t)
++ allow $1 mozilla_plugin_t:process signal_perms;
++
++ list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++ can_exec($1, mozilla_plugin_rw_t)
++
++ allow $1 mozilla_plugin_t:dbus send_msg;
++ allow mozilla_plugin_t $1:dbus send_msg;
++
+ allow mozilla_plugin_t $1:process signull;
+ ')
+
+@@ -224,6 +269,32 @@ interface(`mozilla_run_plugin',`
+
+ mozilla_domtrans_plugin($1)
+ role $2 types mozilla_plugin_t;
++ role $2 types mozilla_plugin_config_t;
++')
++
++#######################################
++##
++## Execute qemu unconfined programs in the role.
++##
++##
++##
++## The role to allow the mozilla_plugin domain.
++##
++##
++##
++#
++interface(`mozilla_role_plugin',`
++ gen_require(`
++ type mozilla_plugin_t;
++ type mozilla_plugin_config_t;
++ ')
++
++ role $1 types mozilla_plugin_t;
++ role $1 types mozilla_plugin_config_t;
++
++ optional_policy(`
++ lpd_run_lpr(mozilla_plugin_t, $1)
++ ')
+ ')
+
+ ########################################
+@@ -265,9 +336,27 @@ interface(`mozilla_rw_tcp_sockets',`
+ allow $1 mozilla_t:tcp_socket rw_socket_perms;
+ ')
+
++#######################################
++##
++## Read mozilla_plugin tmpfs files
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`mozilla_plugin_read_tmpfs_files',`
++ gen_require(`
++ type mozilla_plugin_tmpfs_t;
++ ')
++
++ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
++')
++
+ ########################################
+ ##
+-## Read mozilla_plugin tmpfs files
++## Delete mozilla_plugin tmpfs files
+ ##
+ ##
+ ##
+@@ -275,28 +364,118 @@ interface(`mozilla_rw_tcp_sockets',`
+ ##
+ ##
+ #
+-interface(`mozilla_plugin_read_tmpfs_files',`
++interface(`mozilla_plugin_delete_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
++ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete mozilla_plugin tmpfs files
++## Dontaudit read/write to a mozilla_plugin leaks
+ ##
+ ##
+ ##
+-## Domain allowed access
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`mozilla_plugin_delete_tmpfs_files',`
++interface(`mozilla_plugin_dontaudit_leaks',`
+ gen_require(`
+- type mozilla_plugin_tmpfs_t;
++ type mozilla_plugin_t;
++ ')
++
++ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
++')
++
++#######################################
++##
++## Dontaudit read/write to a mozilla_plugin tmp files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`mozilla_plugin_dontaudit_rw_tmp_files',`
++ gen_require(`
++ type mozilla_plugin_tmp_t;
++ ')
++
++ dontaudit $1 mozilla_plugin_tmp_t:file { read write };
++')
++
++########################################
++##
++## Create, read, write, and delete
++## mozilla_plugin rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mozilla_plugin_manage_rw_files',`
++ gen_require(`
++ type mozilla_plugin_rw_t;
++ ')
++
++ allow $1 mozilla_plugin_rw_t:file manage_file_perms;
++ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
++')
++
++########################################
++##
++## read mozilla_plugin rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mozilla_plugin_read_rw_files',`
++ gen_require(`
++ type mozilla_plugin_rw_t;
+ ')
+
+- allow $1 mozilla_plugin_tmpfs_t:file unlink;
++ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ ')
++
++########################################
++##
++## Create mozilla content in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mozilla_filetrans_home_content',`
++
++ gen_require(`
++ type mozilla_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
++')
++
+diff --git a/mozilla.te b/mozilla.te
+index d4fcb75..907ff48 100644
+--- a/mozilla.te
++++ b/mozilla.te
+@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
+
+ ##
+ ##
++## Allow mozilla plugin domain to connect to the network using TCP.
++##
++##
++gen_tunable(mozilla_plugin_can_network_connect, false)
++
++##
++##
+ ## Allow confined web browsers to read home directory content
+ ##
+ ##
+ gen_tunable(mozilla_read_content, false)
+
+-attribute_role mozilla_roles;
++##
++##
++## Allow mozilla_plugins to create random content in the users home directory
++##
++##
++gen_tunable(mozilla_plugin_enable_homedirs, false)
++
++#attribute_role mozilla_roles;
+
+ type mozilla_t;
+ type mozilla_exec_t;
+ typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
+ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+ userdom_user_application_domain(mozilla_t, mozilla_exec_t)
+-role mozilla_roles types mozilla_t;
++#role mozilla_roles types mozilla_t;
++role system_r types mozilla_t;
+
+ type mozilla_conf_t;
+ files_config_file(mozilla_conf_t)
+@@ -32,14 +47,26 @@ userdom_user_home_content(mozilla_home_t)
+ type mozilla_plugin_t;
+ type mozilla_plugin_exec_t;
+ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+-role mozilla_roles types mozilla_plugin_t;
++#role mozilla_roles types mozilla_plugin_t;
++role system_r types mozilla_plugin_t;
+
+ type mozilla_plugin_tmp_t;
++userdom_user_tmp_content(mozilla_plugin_tmp_t)
+ userdom_user_tmp_file(mozilla_plugin_tmp_t)
+
+ type mozilla_plugin_tmpfs_t;
++userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
+ userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
+
++type mozilla_plugin_rw_t;
++files_type(mozilla_plugin_rw_t)
++
++type mozilla_plugin_config_t;
++type mozilla_plugin_config_exec_t;
++application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
++#role mozilla_roles types mozilla_plugin_config_t;
++role system_r types mozilla_plugin_config_t;
++
+ type mozilla_tmp_t;
+ userdom_user_tmp_file(mozilla_tmp_t)
+
+@@ -100,7 +127,6 @@ corecmd_exec_shell(mozilla_t)
+ corecmd_exec_bin(mozilla_t)
+
+ # Browse the web, connect to printer
+-corenet_all_recvfrom_unlabeled(mozilla_t)
+ corenet_all_recvfrom_netlabel(mozilla_t)
+ corenet_tcp_sendrecv_generic_if(mozilla_t)
+ corenet_raw_sendrecv_generic_if(mozilla_t)
+@@ -110,6 +136,7 @@ corenet_tcp_sendrecv_http_port(mozilla_t)
+ corenet_tcp_sendrecv_http_cache_port(mozilla_t)
+ corenet_tcp_sendrecv_squid_port(mozilla_t)
+ corenet_tcp_sendrecv_ftp_port(mozilla_t)
++corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
+ corenet_tcp_sendrecv_ipp_port(mozilla_t)
+ corenet_tcp_connect_http_port(mozilla_t)
+ corenet_tcp_connect_http_cache_port(mozilla_t)
+@@ -140,7 +167,6 @@ domain_dontaudit_read_all_domains_state(mozilla_t)
+
+ files_read_etc_runtime_files(mozilla_t)
+ files_read_usr_files(mozilla_t)
+-files_read_etc_files(mozilla_t)
+ # /var/lib
+ files_read_var_lib_files(mozilla_t)
+ # interacting with gstreamer
+@@ -151,42 +177,34 @@ files_dontaudit_getattr_boot_dirs(mozilla_t)
+ fs_dontaudit_getattr_all_fs(mozilla_t)
+ fs_search_auto_mountpoints(mozilla_t)
+ fs_list_inotifyfs(mozilla_t)
+-fs_rw_tmpfs_files(mozilla_t)
++fs_rw_inherited_tmpfs_files(mozilla_t)
+
+ term_dontaudit_getattr_pty_dirs(mozilla_t)
+
++auth_use_nsswitch(mozilla_t)
++
+ logging_send_syslog_msg(mozilla_t)
+
+ miscfiles_read_fonts(mozilla_t)
+-miscfiles_read_localization(mozilla_t)
+ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+
+-# Browse the web, connect to printer
+-sysnet_dns_name_resolve(mozilla_t)
+-
+-userdom_use_user_ptys(mozilla_t)
++userdom_use_inherited_user_ptys(mozilla_t)
+
+-mozilla_run_plugin(mozilla_t, mozilla_roles)
++#mozilla_run_plugin(mozilla_t, mozilla_roles)
+
+ xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+ xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+
+-tunable_policy(`allow_execmem',`
+- allow mozilla_t self:process { execmem execstack };
++tunable_policy(`selinuxuser_execstack',`
++ allow mozilla_t self:process execstack;
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mozilla_t)
+- fs_manage_nfs_files(mozilla_t)
+- fs_manage_nfs_symlinks(mozilla_t)
++tunable_policy(`deny_execmem',`',`
++ allow mozilla_t self:process execmem;
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mozilla_t)
+- fs_manage_cifs_files(mozilla_t)
+- fs_manage_cifs_symlinks(mozilla_t)
+-')
++userdom_home_manager(mozilla_t)
+
+ # Uploads, local html
+ tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
+@@ -263,6 +281,7 @@ optional_policy(`
+ optional_policy(`
+ gnome_stream_connect_gconf(mozilla_t)
+ gnome_manage_config(mozilla_t)
++ gnome_manage_gconf_home_files(mozilla_t)
+ ')
+
+ optional_policy(`
+@@ -283,7 +302,8 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- pulseaudio_role(mozilla_roles, mozilla_t)
++ #pulseaudio_role(mozilla_roles, mozilla_t)
++ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
+ pulseaudio_manage_home_files(mozilla_t)
+ ')
+@@ -297,65 +317,101 @@ optional_policy(`
+ # mozilla_plugin local policy
+ #
+
+-dontaudit mozilla_plugin_t self:capability { sys_ptrace };
+-allow mozilla_plugin_t self:process { setsched signal_perms execmem };
+-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+-allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
++dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_tty_config };
++
++allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit };
++allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+ allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
+ allow mozilla_plugin_t self:udp_socket create_socket_perms;
+-allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+ allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
++
+ allow mozilla_plugin_t self:sem create_sem_perms;
+ allow mozilla_plugin_t self:shm create_shm_perms;
++allow mozilla_plugin_t self:msgq create_msgq_perms;
++allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
++allow mozilla_plugin_t self:unix_dgram_socket sendto;
++allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+ can_exec(mozilla_plugin_t, mozilla_home_t)
+-read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
++manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
++manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
++manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
++mozilla_filetrans_home_content(mozilla_plugin_t)
+
+ manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+ manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+-files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+-userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
++manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
++userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
++xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
++can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
+
+ manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+ manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+ manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+ fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
++userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
++
++allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
++read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+
+ can_exec(mozilla_plugin_t, mozilla_exec_t)
+
+-kernel_read_kernel_sysctls(mozilla_plugin_t)
++kernel_read_all_sysctls(mozilla_plugin_t)
+ kernel_read_system_state(mozilla_plugin_t)
+ kernel_read_network_state(mozilla_plugin_t)
+ kernel_request_load_module(mozilla_plugin_t)
++kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
+
+ corecmd_exec_bin(mozilla_plugin_t)
+ corecmd_exec_shell(mozilla_plugin_t)
++corecmd_dontaudit_access_all_executables(mozilla_plugin_t)
+
+-corenet_all_recvfrom_netlabel(mozilla_plugin_t)
+-corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
+-corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
+-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
++corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
+ corenet_tcp_connect_generic_port(mozilla_plugin_t)
+-corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
++corenet_tcp_connect_flash_port(mozilla_plugin_t)
++corenet_tcp_connect_ftp_port(mozilla_plugin_t)
+ corenet_tcp_connect_http_port(mozilla_plugin_t)
++corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
+ corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
+-corenet_tcp_connect_squid_port(mozilla_plugin_t)
++corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
+ corenet_tcp_connect_ipp_port(mozilla_plugin_t)
++corenet_tcp_connect_ircd_port(mozilla_plugin_t)
++corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
+ corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
++corenet_tcp_connect_msnp_port(mozilla_plugin_t)
++corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+ corenet_tcp_connect_speech_port(mozilla_plugin_t)
++corenet_tcp_connect_squid_port(mozilla_plugin_t)
++corenet_tcp_connect_streaming_port(mozilla_plugin_t)
++corenet_tcp_connect_soundd_port(mozilla_plugin_t)
++corenet_tcp_connect_tor_socks_port(mozilla_plugin_t)
++corenet_tcp_connect_vnc_port(mozilla_plugin_t)
++corenet_tcp_connect_commplex_port(mozilla_plugin_t)
++corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
++corenet_tcp_connect_monopd_port(mozilla_plugin_t)
++corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
++corenet_tcp_bind_generic_node(mozilla_plugin_t)
++corenet_udp_bind_generic_node(mozilla_plugin_t)
++corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
+
+ dev_read_rand(mozilla_plugin_t)
+ dev_read_urand(mozilla_plugin_t)
++dev_read_generic_usb_dev(mozilla_plugin_t)
+ dev_read_video_dev(mozilla_plugin_t)
+ dev_write_video_dev(mozilla_plugin_t)
++dev_read_realtime_clock(mozilla_plugin_t)
+ dev_read_sysfs(mozilla_plugin_t)
+ dev_read_sound(mozilla_plugin_t)
+ dev_write_sound(mozilla_plugin_t)
+ # for nvidia driver
+ dev_rw_xserver_misc(mozilla_plugin_t)
+ dev_dontaudit_rw_dri(mozilla_plugin_t)
++dev_dontaudit_getattr_all(mozilla_plugin_t)
+
+ domain_use_interactive_fds(mozilla_plugin_t)
+ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -363,55 +419,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+ files_read_config_files(mozilla_plugin_t)
+ files_read_usr_files(mozilla_plugin_t)
+ files_list_mnt(mozilla_plugin_t)
++files_exec_usr_files(mozilla_plugin_t)
++fs_rw_inherited_tmpfs_files(mozilla_plugin_t)
+
+ fs_getattr_all_fs(mozilla_plugin_t)
+ fs_list_dos(mozilla_plugin_t)
+-fs_read_dos_files(mozilla_plugin_t)
++fs_read_noxattr_fs_files(mozilla_plugin_t)
++fs_read_hugetlbfs_files(mozilla_plugin_t)
+
++application_exec(mozilla_plugin_t)
+ application_dontaudit_signull(mozilla_plugin_t)
+
+ auth_use_nsswitch(mozilla_plugin_t)
+
++init_dontaudit_getattr_initctl(mozilla_plugin_t)
++init_read_all_script_files(mozilla_plugin_t)
++
++libs_exec_ld_so(mozilla_plugin_t)
++libs_exec_lib_files(mozilla_plugin_t)
++
+ logging_send_syslog_msg(mozilla_plugin_t)
+
+-miscfiles_read_localization(mozilla_plugin_t)
+ miscfiles_read_fonts(mozilla_plugin_t)
+ miscfiles_read_generic_certs(mozilla_plugin_t)
+ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
+ miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
+
+-sysnet_dns_name_resolve(mozilla_plugin_t)
+-
+ term_getattr_all_ttys(mozilla_plugin_t)
+ term_getattr_all_ptys(mozilla_plugin_t)
++term_getattr_ptmx(mozilla_plugin_t)
+
++userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
+ userdom_rw_user_tmpfs_files(mozilla_plugin_t)
++userdom_delete_user_tmpfs_files(mozilla_plugin_t)
+ userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+ userdom_manage_user_tmp_sockets(mozilla_plugin_t)
+ userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+-userdom_read_user_tmp_files(mozilla_plugin_t)
++userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)
++userdom_delete_user_tmp_files(mozilla_plugin_t)
++userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t)
++userdom_manage_home_certs(mozilla_plugin_t)
+ userdom_read_user_tmp_symlinks(mozilla_plugin_t)
++userdom_stream_connect(mozilla_plugin_t)
++userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
++
+ userdom_read_user_home_content_files(mozilla_plugin_t)
+ userdom_read_user_home_content_symlinks(mozilla_plugin_t)
++userdom_read_home_certs(mozilla_plugin_t)
++userdom_read_home_audio_files(mozilla_plugin_t)
+
+-tunable_policy(`allow_execmem',`
+- allow mozilla_plugin_t self:process { execmem execstack };
+-')
+-
+-tunable_policy(`allow_execstack',`
+- allow mozilla_plugin_t self:process { execstack };
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mozilla_plugin_t)
+- fs_manage_nfs_files(mozilla_plugin_t)
+- fs_manage_nfs_symlinks(mozilla_plugin_t)
+-')
++userdom_home_manager(mozilla_plugin_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mozilla_plugin_t)
+- fs_manage_cifs_files(mozilla_plugin_t)
+- fs_manage_cifs_symlinks(mozilla_plugin_t)
++tunable_policy(`mozilla_plugin_can_network_connect',`
++ corenet_tcp_connect_all_ports(mozilla_plugin_t)
+ ')
+
+ optional_policy(`
+@@ -422,24 +482,39 @@ optional_policy(`
+ optional_policy(`
+ dbus_system_bus_client(mozilla_plugin_t)
+ dbus_session_bus_client(mozilla_plugin_t)
++ dbus_connect_session_bus(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
+ ')
+
+ optional_policy(`
++ git_dontaudit_read_session_content_files(mozilla_plugin_t)
++')
++
++
++optional_policy(`
+ gnome_manage_config(mozilla_plugin_t)
++ gnome_read_usr_config(mozilla_plugin_t)
++ gnome_filetrans_home_content(mozilla_plugin_t)
++ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
+ ')
+
+ optional_policy(`
+- java_exec(mozilla_plugin_t)
++ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
+ ')
+
+ optional_policy(`
+- mplayer_exec(mozilla_plugin_t)
+- mplayer_read_user_home_files(mozilla_plugin_t)
++ java_exec(mozilla_plugin_t)
+ ')
+
++#optional_policy(`
++# lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
++#')
++
+ optional_policy(`
+- pcscd_stream_connect(mozilla_plugin_t)
++ mplayer_exec(mozilla_plugin_t)
++ mplayer_filetrans_home_content(mozilla_plugin_t)
++ mplayer_manage_user_home_dirs(mozilla_plugin_t)
++ mplayer_manage_user_home_files(mozilla_plugin_t)
+ ')
+
+ optional_policy(`
+@@ -447,10 +522,115 @@ optional_policy(`
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
+ pulseaudio_manage_home_files(mozilla_plugin_t)
++ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
++')
++
++optional_policy(`
++ pcscd_stream_connect(mozilla_plugin_t)
++')
++
++optional_policy(`
++ rtkit_scheduled(mozilla_plugin_t)
+ ')
+
+ optional_policy(`
++ udev_read_db(mozilla_plugin_t)
++')
++
++optional_policy(`
++ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
++ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
+ xserver_read_xdm_pid(mozilla_plugin_t)
+ xserver_stream_connect(mozilla_plugin_t)
+ xserver_use_user_fonts(mozilla_plugin_t)
++ xserver_read_user_iceauth(mozilla_plugin_t)
++ xserver_read_user_xauth(mozilla_plugin_t)
++ xserver_append_xdm_home_files(mozilla_plugin_t)
++ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
++')
++
++########################################
++#
++# mozilla_plugin_config local policy
++#
++
++allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
++
++allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
++
++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
++
++dev_search_sysfs(mozilla_plugin_config_t)
++dev_read_urand(mozilla_plugin_config_t)
++dev_dontaudit_read_rand(mozilla_plugin_config_t)
++dev_dontaudit_rw_dri(mozilla_plugin_config_t)
++
++fs_search_auto_mountpoints(mozilla_plugin_config_t)
++fs_list_inotifyfs(mozilla_plugin_config_t)
++
++can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++
++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
++manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
++
++corecmd_exec_bin(mozilla_plugin_config_t)
++corecmd_exec_shell(mozilla_plugin_config_t)
++
++kernel_read_system_state(mozilla_plugin_config_t)
++kernel_request_load_module(mozilla_plugin_config_t)
++
++domain_use_interactive_fds(mozilla_plugin_config_t)
++
++files_read_usr_files(mozilla_plugin_config_t)
++files_dontaudit_search_home(mozilla_plugin_config_t)
++files_list_tmp(mozilla_plugin_config_t)
++
++fs_getattr_all_fs(mozilla_plugin_config_t)
++
++auth_use_nsswitch(mozilla_plugin_config_t)
++
++miscfiles_read_fonts(mozilla_plugin_config_t)
++
++userdom_search_user_home_content(mozilla_plugin_config_t)
++userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
++userdom_read_user_home_content_files(mozilla_plugin_config_t)
++userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
++userdom_use_inherited_user_ptys(mozilla_plugin_config_t)
++userdom_dontaudit_use_user_terminals(mozilla_plugin_config_t)
++userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t)
++userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t)
++userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t)
++
++domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
++
++optional_policy(`
++ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
++')
++
++optional_policy(`
++ xserver_use_user_fonts(mozilla_plugin_config_t)
++')
++
++ifdef(`distro_redhat',`
++ typealias mozilla_plugin_t alias nsplugin_t;
++ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
++ typealias mozilla_plugin_rw_t alias nsplugin_rw_t;
++ typealias mozilla_plugin_tmp_t alias nsplugin_tmp_t;
++ typealias mozilla_home_t alias nsplugin_home_t;
++ typealias mozilla_plugin_config_t alias nsplugin_config_t;
++ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
++')
++
++tunable_policy(`mozilla_plugin_enable_homedirs',`
++ userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
++')
++
++tunable_policy(`selinuxuser_execmod',`
++ userdom_execmod_user_home_files(mozilla_plugin_t)
+ ')
+diff --git a/mpd.fc b/mpd.fc
+index ddc14d6..c74bf3d 100644
+--- a/mpd.fc
++++ b/mpd.fc
+@@ -6,3 +6,5 @@
+ /var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0)
+ /var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
+ /var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
++
++/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0)
+diff --git a/mpd.if b/mpd.if
+index d72276f..cb8c563 100644
+--- a/mpd.if
++++ b/mpd.if
+@@ -244,8 +244,11 @@ interface(`mpd_admin',`
+ type mpd_tmpfs_t;
+ ')
+
+- allow $1 mpd_t:process { ptrace signal_perms };
++ allow $1 mpd_t:process signal_perms;
+ ps_process_pattern($1, mpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 mpd_t:process ptrace;
++ ')
+
+ mpd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+diff --git a/mpd.te b/mpd.te
+index 7f68872..d92aaa8 100644
+--- a/mpd.te
++++ b/mpd.te
+@@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow mpd_t self:tcp_socket create_stream_socket_perms;
+ allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
++
++read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
+
+ manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
+ manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+@@ -51,6 +54,10 @@ manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+
+ read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
+
++manage_dirs_pattern(mpd_t, mpd_log_t, mpd_log_t)
++manage_files_pattern(mpd_t, mpd_log_t, mpd_log_t)
++logging_log_filetrans(mpd_t, mpd_log_t, { dir file lnk_file })
++
+ manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+ manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+ manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+@@ -72,7 +79,6 @@ kernel_read_kernel_sysctls(mpd_t)
+
+ corecmd_exec_bin(mpd_t)
+
+-corenet_all_recvfrom_unlabeled(mpd_t)
+ corenet_all_recvfrom_netlabel(mpd_t)
+ corenet_tcp_sendrecv_generic_if(mpd_t)
+ corenet_tcp_sendrecv_generic_node(mpd_t)
+@@ -87,6 +93,7 @@ corenet_sendrecv_http_cache_client_packets(mpd_t)
+ corenet_sendrecv_pulseaudio_client_packets(mpd_t)
+ corenet_sendrecv_soundd_client_packets(mpd_t)
+
++dev_read_urand(mpd_t)
+ dev_read_sound(mpd_t)
+ dev_write_sound(mpd_t)
+ dev_read_sysfs(mpd_t)
+@@ -101,7 +108,9 @@ auth_use_nsswitch(mpd_t)
+
+ logging_send_syslog_msg(mpd_t)
+
+-miscfiles_read_localization(mpd_t)
++userdom_read_home_audio_files(mpd_t)
++userdom_read_user_tmpfs_files(mpd_t)
++userdom_home_reader(mpd_t)
+
+ optional_policy(`
+ alsa_read_rw_config(mpd_t)
+@@ -122,5 +131,20 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ #needed by pulseaudio
++ systemd_read_logind_sessions_files(mpd_t)
++ systemd_login_read_pid_files(mpd_t)
++')
++
++optional_policy(`
++ rtkit_daemon_dontaudit_dbus_chat(mpd_t)
++')
++
++optional_policy(`
+ udev_read_db(mpd_t)
+ ')
++
++optional_policy(`
++ xserver_dontaudit_stream_connect(mpd_t)
++ xserver_dontaudit_read_xdm_pid(mpd_t)
++')
+diff --git a/mplayer.if b/mplayer.if
+index d8ea41d..87c7046 100644
+--- a/mplayer.if
++++ b/mplayer.if
+@@ -102,3 +102,96 @@ interface(`mplayer_read_user_home_files',`
+ read_files_pattern($1, mplayer_home_t, mplayer_home_t)
+ userdom_search_user_home_dirs($1)
+ ')
++
++########################################
++##
++## Manage mplayer per user homedir
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mplayer_manage_user_home_dirs',`
++ gen_require(`
++ type mplayer_home_t;
++ ')
++
++ manage_dirs_pattern($1, mplayer_home_t, mplayer_home_t)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++##
++## Manage mplayer per user homedir
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mplayer_manage_user_home_files',`
++ gen_require(`
++ type mplayer_home_t;
++ ')
++
++ manage_files_pattern($1, mplayer_home_t, mplayer_home_t)
++ manage_lnk_files_pattern($1, mplayer_home_t, mplayer_home_t)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++##
++## Transition to mplayer named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mplayer_filetrans_home_content',`
++ gen_require(`
++ type mplayer_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, mplayer_home_t, file, ".mplayer")
++')
++
++########################################
++##
++## Execute mplayer_exec_t
++## in the specified domain.
++##
++##
++##
++## Execute a mplayer_exec_t
++## in the specified domain.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`mplayer_exec_domtrans',`
++ gen_require(`
++ type mplayer_exec_t;
++ ')
++
++ allow $2 mplayer_exec_t:file entrypoint;
++ domtrans_pattern($1, mplayer_exec_t, $2)
++')
+diff --git a/mplayer.te b/mplayer.te
+index 0cdea57..321a21a 100644
+--- a/mplayer.te
++++ b/mplayer.te
+@@ -10,7 +10,7 @@ policy_module(mplayer, 2.4.0)
+ ## Allow mplayer executable stack
+ ##
+ ##
+-gen_tunable(allow_mplayer_execstack, false)
++gen_tunable(mplayer_execstack, false)
+
+ type mencoder_t;
+ type mencoder_exec_t;
+@@ -71,15 +71,15 @@ fs_search_auto_mountpoints(mencoder_t)
+ # Access to DVD/CD/V4L
+ storage_raw_read_removable_device(mencoder_t)
+
+-miscfiles_read_localization(mencoder_t)
+
+-userdom_use_user_terminals(mencoder_t)
++userdom_use_inherited_user_terminals(mencoder_t)
+ # Handle removable media, /tmp, and /home
+ userdom_list_user_tmp(mencoder_t)
+ userdom_read_user_tmp_files(mencoder_t)
+ userdom_read_user_tmp_symlinks(mencoder_t)
+ userdom_read_user_home_content_files(mencoder_t)
+ userdom_read_user_home_content_symlinks(mencoder_t)
++userdom_home_manager(mencoder_t)
+
+ # Read content to encode
+ ifndef(`enable_mls',`
+@@ -88,58 +88,18 @@ ifndef(`enable_mls',`
+ fs_read_removable_symlinks(mencoder_t)
+ ')
+
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow mencoder_t self:process execmem;
+ ')
+
+-tunable_policy(`allow_execmod',`
++tunable_policy(`selinuxuser_execmod',`
+ dev_execmod_zero(mencoder_t)
+ ')
+
+-tunable_policy(`allow_mplayer_execstack',`
++tunable_policy(`mplayer_execstack',`
+ allow mencoder_t self:process { execmem execstack };
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mencoder_t)
+- fs_manage_nfs_files(mencoder_t)
+- fs_manage_nfs_symlinks(mencoder_t)
+-
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mencoder_t)
+- fs_manage_cifs_files(mencoder_t)
+- fs_manage_cifs_symlinks(mencoder_t)
+-
+-')
+-
+-# Read content to encode
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_list_auto_mountpoints(mencoder_t)
+- files_list_home(mencoder_t)
+- fs_read_nfs_files(mencoder_t)
+- fs_read_nfs_symlinks(mencoder_t)
+-
+-',`
+- files_dontaudit_list_home(mencoder_t)
+- fs_dontaudit_list_auto_mountpoints(mencoder_t)
+- fs_dontaudit_read_nfs_files(mencoder_t)
+- fs_dontaudit_list_nfs(mencoder_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_list_auto_mountpoints(mencoder_t)
+- files_list_home(mencoder_t)
+- fs_read_cifs_files(mencoder_t)
+- fs_read_cifs_symlinks(mencoder_t)
+-',`
+- files_dontaudit_list_home(mencoder_t)
+- fs_dontaudit_list_auto_mountpoints(mencoder_t)
+- fs_dontaudit_read_cifs_files(mencoder_t)
+- fs_dontaudit_list_cifs(mencoder_t)
+-')
+-
+ ########################################
+ #
+ # mplayer local policy
+@@ -156,6 +116,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+ manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+ manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+ userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir)
++userdom_search_user_home_dirs(mplayer_t)
+
+ manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+ manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+@@ -177,7 +138,6 @@ kernel_read_system_state(mplayer_t)
+ kernel_read_kernel_sysctls(mplayer_t)
+
+ corenet_all_recvfrom_netlabel(mplayer_t)
+-corenet_all_recvfrom_unlabeled(mplayer_t)
+ corenet_tcp_sendrecv_generic_if(mplayer_t)
+ corenet_tcp_sendrecv_generic_node(mplayer_t)
+ corenet_tcp_bind_generic_node(mplayer_t)
+@@ -206,7 +166,6 @@ domain_use_interactive_fds(mplayer_t)
+ # Access to DVD/CD/V4L
+ storage_raw_read_removable_device(mplayer_t)
+
+-files_read_etc_files(mplayer_t)
+ files_dontaudit_list_non_security(mplayer_t)
+ files_dontaudit_getattr_non_security_files(mplayer_t)
+ files_read_non_security_files(mplayer_t)
+@@ -222,10 +181,13 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
+ fs_search_auto_mountpoints(mplayer_t)
+ fs_list_inotifyfs(mplayer_t)
+
+-miscfiles_read_localization(mplayer_t)
++auth_use_nsswitch(mplayer_t)
++
++logging_send_syslog_msg(mplayer_t)
++
+ miscfiles_read_fonts(mplayer_t)
+
+-userdom_use_user_terminals(mplayer_t)
++userdom_use_inherited_user_terminals(mplayer_t)
+ # Read media files
+ userdom_list_user_tmp(mplayer_t)
+ userdom_read_user_tmp_files(mplayer_t)
+@@ -233,6 +195,7 @@ userdom_read_user_tmp_symlinks(mplayer_t)
+ userdom_read_user_home_content_files(mplayer_t)
+ userdom_read_user_home_content_symlinks(mplayer_t)
+ userdom_write_user_tmp_sockets(mplayer_t)
++userdom_home_manager(mplayer_t)
+
+ xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+
+@@ -243,62 +206,31 @@ ifdef(`enable_mls',`',`
+ fs_read_removable_symlinks(mplayer_t)
+ ')
+
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow mplayer_t self:process execmem;
+ ')
+
+-tunable_policy(`allow_execmod',`
++tunable_policy(`selinuxuser_execmod',`
+ dev_execmod_zero(mplayer_t)
+ ')
+
+-tunable_policy(`allow_mplayer_execstack',`
++tunable_policy(`mplayer_execstack',`
+ allow mplayer_t self:process { execmem execstack };
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mplayer_t)
+- fs_manage_nfs_files(mplayer_t)
+- fs_manage_nfs_symlinks(mplayer_t)
+-')
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mplayer_t)
+- fs_manage_cifs_files(mplayer_t)
+- fs_manage_cifs_symlinks(mplayer_t)
+-')
+-
+ # Legacy domain issues
+-tunable_policy(`allow_mplayer_execstack',`
++tunable_policy(`mplayer_execstack',`
+ allow mplayer_t mplayer_tmpfs_t:file execute;
+ ')
+
+-# Read songs
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_list_auto_mountpoints(mplayer_t)
+- files_list_home(mplayer_t)
+- fs_read_nfs_files(mplayer_t)
+- fs_read_nfs_symlinks(mplayer_t)
+-
+-',`
+- files_dontaudit_list_home(mplayer_t)
+- fs_dontaudit_list_auto_mountpoints(mplayer_t)
+- fs_dontaudit_read_nfs_files(mplayer_t)
+- fs_dontaudit_list_nfs(mplayer_t)
+-')
++userdom_home_manager(mplayer_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_list_auto_mountpoints(mplayer_t)
+- files_list_home(mplayer_t)
+- fs_read_cifs_files(mplayer_t)
+- fs_read_cifs_symlinks(mplayer_t)
+-',`
+- files_dontaudit_list_home(mplayer_t)
+- fs_dontaudit_list_auto_mountpoints(mplayer_t)
+- fs_dontaudit_read_cifs_files(mplayer_t)
+- fs_dontaudit_list_cifs(mplayer_t)
++optional_policy(`
++ alsa_read_rw_config(mplayer_t)
+ ')
+
+ optional_policy(`
+- alsa_read_rw_config(mplayer_t)
++ gnome_setattr_config_dirs(mplayer_t)
+ ')
+
+ optional_policy(`
+diff --git a/mrtg.fc b/mrtg.fc
+index 37fb953..7e9773a 100644
+--- a/mrtg.fc
++++ b/mrtg.fc
+@@ -14,5 +14,6 @@
+ #
+ /var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0)
+ /var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
++/var/lock/mrtg-rrd(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
+ /var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0)
+ /var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0)
+diff --git a/mrtg.te b/mrtg.te
+index 0e19d80..c203717 100644
+--- a/mrtg.te
++++ b/mrtg.te
+@@ -43,9 +43,12 @@ read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
+ dontaudit mrtg_t mrtg_etc_t:dir write;
+ dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
+
++manage_dirs_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
+ manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
+ manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
++files_lock_filetrans(mrtg_t, mrtg_lock_t, { dir file })
+
++manage_dirs_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+ manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+ logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })
+
+@@ -62,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t)
+ corecmd_exec_bin(mrtg_t)
+ corecmd_exec_shell(mrtg_t)
+
+-corenet_all_recvfrom_unlabeled(mrtg_t)
+ corenet_all_recvfrom_netlabel(mrtg_t)
+ corenet_tcp_sendrecv_generic_if(mrtg_t)
+ corenet_udp_sendrecv_generic_if(mrtg_t)
+@@ -88,7 +90,6 @@ files_getattr_tmp_dirs(mrtg_t)
+ # for uptime
+ files_read_etc_runtime_files(mrtg_t)
+ # read config files
+-files_read_etc_files(mrtg_t)
+
+ fs_search_auto_mountpoints(mrtg_t)
+ fs_getattr_xattr_fs(mrtg_t)
+@@ -108,13 +109,12 @@ libs_read_lib_files(mrtg_t)
+
+ logging_send_syslog_msg(mrtg_t)
+
+-miscfiles_read_localization(mrtg_t)
+-
+ selinux_dontaudit_getattr_dir(mrtg_t)
+
+-userdom_use_user_terminals(mrtg_t)
++userdom_use_inherited_user_terminals(mrtg_t)
+ userdom_dontaudit_read_user_home_content_files(mrtg_t)
+ userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
++userdom_dontaudit_list_admin_dir(mrtg_t)
+
+ netutils_domtrans_ping(mrtg_t)
+
+diff --git a/mta.fc b/mta.fc
+index afa18c8..2f102b2 100644
+--- a/mta.fc
++++ b/mta.fc
+@@ -1,30 +1,41 @@
+-HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
++HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
++HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
++HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
++HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
++HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+ /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+ /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+ /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+ /etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
+-/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+-/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
++/etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
+ ifdef(`distro_redhat',`
+ /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+ ')
+
+-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
++/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
++/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
++/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
++/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
++
++/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+ /usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+-/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+ /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+
+ /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+ /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+-/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
++/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
++/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+ /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+diff --git a/mta.if b/mta.if
+index 4e2a5ba..0005ac0 100644
+--- a/mta.if
++++ b/mta.if
+@@ -37,6 +37,7 @@ interface(`mta_stub',`
+ ## is the prefix for user_t).
+ ##
+ ##
++##
+ #
+ template(`mta_base_mail_template',`
+
+@@ -56,92 +57,19 @@ template(`mta_base_mail_template',`
+ type $1_mail_tmp_t;
+ files_tmp_file($1_mail_tmp_t)
+
+- ##############################
+- #
+- # $1_mail_t local policy
+- #
+-
+- allow $1_mail_t self:capability { setuid setgid chown };
+- allow $1_mail_t self:process { signal_perms setrlimit };
+- allow $1_mail_t self:tcp_socket create_socket_perms;
+-
+- # re-exec itself
+- can_exec($1_mail_t, sendmail_exec_t)
+- allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
++ manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
++ manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
++ files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
+
+ kernel_read_system_state($1_mail_t)
+- kernel_read_kernel_sysctls($1_mail_t)
+-
+- corenet_all_recvfrom_unlabeled($1_mail_t)
+- corenet_all_recvfrom_netlabel($1_mail_t)
+- corenet_tcp_sendrecv_generic_if($1_mail_t)
+- corenet_tcp_sendrecv_generic_node($1_mail_t)
+- corenet_tcp_sendrecv_all_ports($1_mail_t)
+- corenet_tcp_connect_all_ports($1_mail_t)
+- corenet_tcp_connect_smtp_port($1_mail_t)
+- corenet_sendrecv_smtp_client_packets($1_mail_t)
+-
+- corecmd_exec_bin($1_mail_t)
+-
+- files_read_etc_files($1_mail_t)
+- files_search_spool($1_mail_t)
+- # It wants to check for nscd
+- files_dontaudit_search_pids($1_mail_t)
+
+ auth_use_nsswitch($1_mail_t)
+
+- init_dontaudit_rw_utmp($1_mail_t)
+-
+ logging_send_syslog_msg($1_mail_t)
+
+- miscfiles_read_localization($1_mail_t)
+-
+- optional_policy(`
+- exim_read_log($1_mail_t)
+- exim_append_log($1_mail_t)
+- exim_manage_spool_files($1_mail_t)
+- ')
+-
+ optional_policy(`
+ postfix_domtrans_user_mail_handler($1_mail_t)
+ ')
+-
+- optional_policy(`
+- procmail_exec($1_mail_t)
+- ')
+-
+- optional_policy(`
+- qmail_domtrans_inject($1_mail_t)
+- ')
+-
+- optional_policy(`
+- gen_require(`
+- type etc_mail_t, mail_spool_t, mqueue_spool_t;
+- ')
+-
+- manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
+- manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
+- files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
+-
+- allow $1_mail_t etc_mail_t:dir search_dir_perms;
+-
+- # Write to /var/spool/mail and /var/spool/mqueue.
+- manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)
+- manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t)
+-
+- # Check available space.
+- fs_getattr_xattr_fs($1_mail_t)
+-
+- files_read_etc_runtime_files($1_mail_t)
+-
+- # Write to /var/log/sendmail.st
+- sendmail_manage_log($1_mail_t)
+- sendmail_create_log($1_mail_t)
+- ')
+-
+- optional_policy(`
+- uucp_manage_spool($1_mail_t)
+- ')
+ ')
+
+ ########################################
+@@ -169,11 +97,19 @@ interface(`mta_role',`
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, sendmail_exec_t, user_mail_t)
+- allow $2 sendmail_exec_t:lnk_file { getattr read };
++ allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
+
+ allow mta_user_agent $2:fd use;
+ allow mta_user_agent $2:process sigchld;
+- allow mta_user_agent $2:fifo_file { read write };
++ allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms;
++
++ optional_policy(`
++ exim_run($2, $1)
++ ')
++
++ optional_policy(`
++ mailman_run(mta_user_agent, $1)
++ ')
+ ')
+
+ ########################################
+@@ -220,6 +156,25 @@ interface(`mta_agent_executable',`
+ application_executable_file($1)
+ ')
+
++######################################
++##
++## Dontaudit read and write an leaked file descriptors
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`mta_dontaudit_leaks_system_mail',`
++ gen_require(`
++ type system_mail_t;
++ ')
++
++ dontaudit $1 system_mail_t:fifo_file write;
++ dontaudit $1 system_mail_t:tcp_socket { read write };
++')
++
+ ########################################
+ ##
+ ## Make the specified type by a system MTA.
+@@ -306,10 +261,15 @@ interface(`mta_mailserver_sender',`
+ interface(`mta_mailserver_delivery',`
+ gen_require(`
+ attribute mailserver_delivery;
+- type mail_spool_t;
+ ')
+
+ typeattribute $1 mailserver_delivery;
++
++ userdom_home_manager($1)
++
++ optional_policy(`
++ mta_rw_delivery_tcp_sockets($1)
++ ')
+ ')
+
+ #######################################
+@@ -361,8 +321,7 @@ interface(`mta_send_mail',`
+
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+- allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
+-
++ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
+ ')
+
+@@ -393,12 +352,19 @@ interface(`mta_send_mail',`
+ #
+ interface(`mta_sendmail_domtrans',`
+ gen_require(`
+- type sendmail_exec_t;
++ attribute mta_exec_type;
++ attribute mta_user_agent;
+ ')
+
+ files_search_usr($1)
++ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ corecmd_read_bin_symlinks($1)
+- domain_auto_trans($1, sendmail_exec_t, $2)
++
++ allow $2 mta_exec_type:file entrypoint;
++ domtrans_pattern($1, mta_exec_type, $2)
++ allow mta_user_agent $1:fd use;
++ allow mta_user_agent $1:process sigchld;
++ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -411,7 +377,6 @@ interface(`mta_sendmail_domtrans',`
+ ##
+ ##
+ #
+-#
+ interface(`mta_signal_system_mail',`
+ gen_require(`
+ type system_mail_t;
+@@ -422,6 +387,60 @@ interface(`mta_signal_system_mail',`
+
+ ########################################
+ ##
++## Send all user mail client a signal
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_signal_user_agent',`
++ gen_require(`
++ attribute mta_user_agent;
++ ')
++
++ allow $1 mta_user_agent:process signal;
++')
++
++########################################
++##
++## Send all user mail client a kill signal
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_kill_user_agent',`
++ gen_require(`
++ attribute mta_user_agent;
++ ')
++
++ allow $1 mta_user_agent:process sigkill;
++')
++
++########################################
++##
++## Send system mail client a kill signal
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_kill_system_mail',`
++ gen_require(`
++ type system_mail_t;
++ ')
++
++ allow $1 system_mail_t:process sigkill;
++')
++
++########################################
++##
+ ## Execute sendmail in the caller domain.
+ ##
+ ##
+@@ -440,6 +459,26 @@ interface(`mta_sendmail_exec',`
+
+ ########################################
+ ##
++## Check whether sendmail executable
++## files are executable.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_sendmail_access_check',`
++ gen_require(`
++ type sendmail_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 sendmail_exec_t:file { getattr_file_perms execute };
++')
++
++########################################
++##
+ ## Read mail server configuration.
+ ##
+ ##
+@@ -481,6 +520,25 @@ interface(`mta_write_config',`
+
+ ########################################
+ ##
++## Manage mail server configuration.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`mta_manage_config',`
++ gen_require(`
++ type etc_mail_t;
++ ')
++
++ manage_files_pattern($1, etc_mail_t, etc_mail_t)
++')
++
++########################################
++##
+ ## Read mail address aliases.
+ ##
+ ##
+@@ -496,6 +554,7 @@ interface(`mta_read_aliases',`
+
+ files_search_etc($1)
+ allow $1 etc_aliases_t:file read_file_perms;
++ allow $1 etc_aliases_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -516,6 +575,9 @@ interface(`mta_manage_aliases',`
+ files_search_etc($1)
+ manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
++ mta_etc_filetrans_aliases($1, "aliases")
++ mta_etc_filetrans_aliases($1, "aliases.db")
++ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
+ ')
+
+ ########################################
+@@ -528,13 +590,18 @@ interface(`mta_manage_aliases',`
+ ## Domain allowed access.
+ ##
+ ##
++##
++##
++## The name of the object being created.
++##
++##
+ #
+ interface(`mta_etc_filetrans_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+- files_etc_filetrans($1, etc_aliases_t, file)
++ files_etc_filetrans($1, etc_aliases_t, file, $2)
+ ')
+
+ ########################################
+@@ -554,7 +621,7 @@ interface(`mta_rw_aliases',`
+ ')
+
+ files_search_etc($1)
+- allow $1 etc_aliases_t:file { rw_file_perms setattr };
++ allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
+ ')
+
+ #######################################
+@@ -576,6 +643,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+ dontaudit $1 mailserver_delivery:tcp_socket { read write };
+ ')
+
++######################################
++##
++## Allow attempts to read and write TCP
++## sockets of mail delivery domains.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`mta_rw_delivery_tcp_sockets',`
++ gen_require(`
++ attribute mailserver_delivery;
++ ')
++
++ allow $1 mailserver_delivery:tcp_socket { read write };
++')
++
+ #######################################
+ ##
+ ## Connect to all mail servers over TCP. (Deprecated)
+@@ -648,8 +734,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+
+ files_dontaudit_search_spool($1)
+ dontaudit $1 mail_spool_t:dir search_dir_perms;
+- dontaudit $1 mail_spool_t:lnk_file read;
+- dontaudit $1 mail_spool_t:file getattr;
++ dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 mail_spool_t:file getattr_file_perms;
+ ')
+
+ #######################################
+@@ -672,6 +758,11 @@ interface(`mta_dontaudit_getattr_spool_files',`
+ ## The object class of the object being created.
+ ##
+ ##
++##
++##
++## The name of the object being created.
++##
++##
+ #
+ interface(`mta_spool_filetrans',`
+ gen_require(`
+@@ -679,7 +770,26 @@ interface(`mta_spool_filetrans',`
+ ')
+
+ files_search_spool($1)
+- filetrans_pattern($1, mail_spool_t, $2, $3)
++ filetrans_pattern($1, mail_spool_t, $2, $3, $4)
++')
++
++#######################################
++##
++## Read the mail spool.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_read_spool',`
++ gen_require(`
++ type mail_spool_t;
++ ')
++
++ files_search_spool($1)
++ read_files_pattern($1, mail_spool_t, mail_spool_t)
+ ')
+
+ ########################################
+@@ -699,8 +809,8 @@ interface(`mta_rw_spool',`
+
+ files_search_spool($1)
+ allow $1 mail_spool_t:dir list_dir_perms;
+- allow $1 mail_spool_t:file setattr;
+- rw_files_pattern($1, mail_spool_t, mail_spool_t)
++ allow $1 mail_spool_t:file setattr_file_perms;
++ manage_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+ ')
+
+@@ -840,7 +950,7 @@ interface(`mta_dontaudit_rw_queue',`
+ ')
+
+ dontaudit $1 mqueue_spool_t:dir search_dir_perms;
+- dontaudit $1 mqueue_spool_t:file { getattr read write };
++ dontaudit $1 mqueue_spool_t:file rw_file_perms;
+ ')
+
+ ########################################
+@@ -866,6 +976,41 @@ interface(`mta_manage_queue',`
+
+ #######################################
+ ##
++## Create private objects in the
++## mqueue spool directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`mta_spool_filetrans_queue',`
++ gen_require(`
++ type mqueue_spool_t;
++ ')
++
++ files_search_spool($1)
++ filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
++')
++
++#######################################
++##
+ ## Read sendmail binary.
+ ##
+ ##
+@@ -901,3 +1046,173 @@ interface(`mta_rw_user_mail_stream_sockets',`
+
+ allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
+ ')
++
++########################################
++##
++## Type transition files created in calling dir
++## to the mail address aliases type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Directory to transition on.
++##
++##
++#
++interface(`mta_filetrans_aliases',`
++ gen_require(`
++ type etc_aliases_t;
++ ')
++
++ filetrans_pattern($1, $2, etc_aliases_t, file)
++')
++
++######################################
++##
++## ALlow domain to read mail content in the homedir
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_read_home',`
++ gen_require(`
++ type mail_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, mail_home_t, mail_home_t)
++
++ ifdef(`distro_redhat',`
++ userdom_search_admin_dir($1)
++ ')
++')
++
++####################################
++##
++## ALlow domain to read mail content in the homedir
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_read_home_rw',`
++ gen_require(`
++ type mail_home_rw_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
++ read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
++
++ ifdef(`distro_redhat',`
++ userdom_search_admin_dir($1)
++ ')
++')
++
++####################################
++##
++## Allow domain to manage mail content in the homedir
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_manage_home_rw',`
++ gen_require(`
++ type mail_home_rw_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ userdom_search_admin_dir($1)
++ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
++ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
++ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++
++ ifdef(`distro_redhat',`
++ userdom_search_admin_dir($1)
++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++ ')
++')
++
++########################################
++##
++## create mail content in the in the /root directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_filetrans_admin_home_content',`
++ gen_require(`
++ type mail_home_t;
++ type mail_home_rw_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
++ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
++ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
++')
++
++########################################
++##
++## Transition to mta named home content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_filetrans_home_content',`
++ gen_require(`
++ type mail_home_t;
++ type mail_home_rw_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
++ userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
++ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
++')
++
++########################################
++##
++## Transition to mta named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_filetrans_named_content',`
++ gen_require(`
++ type etc_aliases_t;
++ type etc_mail_t;
++ ')
++
++ filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
++ mta_etc_filetrans_aliases($1, "aliases")
++ mta_etc_filetrans_aliases($1, "aliases.db")
++ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
++ mta_filetrans_home_content($1)
++ mta_filetrans_admin_home_content($1)
++')
+diff --git a/mta.te b/mta.te
+index 84a7d66..61f95e2 100644
+--- a/mta.te
++++ b/mta.te
+@@ -20,14 +20,19 @@ files_type(etc_aliases_t)
+ type etc_mail_t;
+ files_config_file(etc_mail_t)
+
+-type mail_forward_t;
+-files_type(mail_forward_t)
++type mail_home_t alias mail_forward_t;
++userdom_user_home_content(mail_home_t)
++
++type mail_home_rw_t;
++userdom_user_home_content(mail_home_rw_t)
+
+ type mqueue_spool_t;
+ files_mountpoint(mqueue_spool_t)
++files_spool_file(mqueue_spool_t)
+
+ type mail_spool_t;
+ files_mountpoint(mail_spool_t)
++files_spool_file(mail_spool_t)
+
+ type sendmail_exec_t;
+ mta_agent_executable(sendmail_exec_t)
+@@ -50,21 +55,12 @@ userdom_user_tmp_file(user_mail_tmp_t)
+
+ # newalias required this, not sure if it is needed in 'if' file
+ allow system_mail_t self:capability { dac_override fowner };
+-allow system_mail_t self:fifo_file rw_fifo_file_perms;
+
+-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
++allow system_mail_t mail_home_t:file manage_file_perms;
+
+ read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
+
+-allow system_mail_t mail_forward_t:file read_file_perms;
+-
+-allow system_mail_t mta_exec_type:file entrypoint;
+-
+-can_exec(system_mail_t, mta_exec_type)
+-
+-kernel_read_system_state(system_mail_t)
+-kernel_read_network_state(system_mail_t)
+-kernel_request_load_module(system_mail_t)
++corecmd_exec_shell(system_mail_t)
+
+ dev_read_sysfs(system_mail_t)
+ dev_read_rand(system_mail_t)
+@@ -74,14 +70,25 @@ files_read_usr_files(system_mail_t)
+
+ fs_rw_anon_inodefs_files(system_mail_t)
+
+-selinux_getattr_fs(system_mail_t)
+-
+ term_dontaudit_use_unallocated_ttys(system_mail_t)
+
+ init_use_script_ptys(system_mail_t)
++init_dontaudit_rw_stream_socket(system_mail_t)
+
+-userdom_use_user_terminals(system_mail_t)
++userdom_use_inherited_user_terminals(system_mail_t)
+ userdom_dontaudit_search_user_home_dirs(system_mail_t)
++userdom_dontaudit_list_admin_dir(system_mail_t)
++
++manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
++manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
++
++allow system_mail_t mail_home_t:file manage_file_perms;
++userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
++
++
++logging_append_all_logs(system_mail_t)
++
++logging_send_syslog_msg(system_mail_t)
+
+ optional_policy(`
+ apache_read_squirrelmail_data(system_mail_t)
+@@ -92,25 +99,40 @@ optional_policy(`
+ apache_dontaudit_rw_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_tcp_sockets(system_mail_t)
+ apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
++ apache_dontaudit_rw_tmp_files(system_mail_t)
++
++ apache_dontaudit_rw_fifo_file(user_mail_domain)
++ apache_dontaudit_rw_fifo_file(mta_user_agent)
++ # apache should set close-on-exec
++ apache_dontaudit_rw_stream_sockets(mta_user_agent)
++ apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent)
++ apache_append_log(mta_user_agent)
+ ')
+
+ optional_policy(`
+ arpwatch_manage_tmp_files(system_mail_t)
+
+- ifdef(`hide_broken_symptoms', `
+- arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
+- ')
++ ifdef(`hide_broken_symptoms', `
++ arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
++ ')
++
+ ')
+
+ optional_policy(`
+- clamav_stream_connect(system_mail_t)
+- clamav_append_log(system_mail_t)
++ bugzilla_search_content(system_mail_t)
++ bugzilla_dontaudit_rw_stream_sockets(system_mail_t)
++')
++
++optional_policy(`
++ courier_stream_connect_authdaemon(system_mail_t)
+ ')
+
+ optional_policy(`
+ cron_read_system_job_tmp_files(system_mail_t)
+ cron_dontaudit_write_pipes(system_mail_t)
+ cron_rw_system_job_stream_sockets(system_mail_t)
++ cron_rw_inherited_spool_files(system_mail_t)
++ cron_rw_inherited_user_spool_files(system_mail_t)
+ ')
+
+ optional_policy(`
+@@ -124,12 +146,9 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- exim_domtrans(system_mail_t)
+- exim_manage_log(system_mail_t)
+-')
+-
+-optional_policy(`
+ fail2ban_append_log(system_mail_t)
++ fail2ban_dontaudit_leaks(system_mail_t)
++ fail2ban_rw_inherited_tmp_files(system_mail_t)
+ ')
+
+ optional_policy(`
+@@ -146,6 +165,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ munin_dontaudit_leaks(system_mail_t)
++')
++
++optional_policy(`
+ nagios_read_tmp_files(system_mail_t)
+ ')
+
+@@ -158,22 +181,13 @@ optional_policy(`
+ files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
+
+ domain_use_interactive_fds(system_mail_t)
+-
+- # postfix needs this for newaliases
+- files_getattr_tmp_dirs(system_mail_t)
+-
+- postfix_exec_master(system_mail_t)
+- postfix_read_config(system_mail_t)
+- postfix_search_spool(system_mail_t)
+-
+- ifdef(`distro_redhat',`
+- # compatability for old default main.cf
+- postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
+- ')
+ ')
+
+ optional_policy(`
+ qmail_domtrans_inject(system_mail_t)
++ qmail_manage_spool_dirs(system_mail_t)
++ qmail_manage_spool_files(system_mail_t)
++ qmail_rw_spool_pipes(system_mail_t)
+ ')
+
+ optional_policy(`
+@@ -189,6 +203,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ spamd_stream_connect(system_mail_t)
++')
++
++optional_policy(`
+ smartmon_read_tmp_files(system_mail_t)
+ ')
+
+@@ -199,20 +217,23 @@ optional_policy(`
+ arpwatch_search_data(mailserver_delivery)
+ arpwatch_manage_tmp_files(mta_user_agent)
+
+- ifdef(`hide_broken_symptoms', `
+- arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
+- ')
+-
+ optional_policy(`
+ cron_read_system_job_tmp_files(mta_user_agent)
+ ')
+ ')
+
++ifdef(`hide_broken_symptoms',`
++ domain_dontaudit_leaks(user_mail_domain)
++ domain_dontaudit_leaks(mta_user_agent)
++')
++
+ ########################################
+ #
+ # Mailserver delivery local policy
+ #
+
++allow mailserver_delivery self:fifo_file rw_inherited_fifo_file_perms;
++
+ allow mailserver_delivery mail_spool_t:dir list_dir_perms;
+ create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+ read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,21 +241,14 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+ create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+
+-read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
++userdom_search_admin_dir(mailserver_delivery)
++read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
+
+-read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mailserver_delivery)
+- fs_manage_cifs_files(mailserver_delivery)
+- fs_manage_cifs_symlinks(mailserver_delivery)
+-')
++manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
++manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
++manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mailserver_delivery)
+- fs_manage_nfs_files(mailserver_delivery)
+- fs_manage_nfs_symlinks(mailserver_delivery)
+-')
++read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+
+ optional_policy(`
+ dovecot_manage_spool(mailserver_delivery)
+@@ -242,6 +256,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ logwatch_search_cache_dir(mailserver_delivery)
++')
++
++optional_policy(`
+ # so MTA can access /var/lib/mailman/mail/wrapper
+ files_search_var_lib(mailserver_delivery)
+
+@@ -249,6 +267,14 @@ optional_policy(`
+ mailman_read_data_symlinks(mailserver_delivery)
+ ')
+
++optional_policy(`
++ postfix_rw_master_pipes(mailserver_delivery)
++')
++
++optional_policy(`
++ uucp_domtrans_uux(mailserver_delivery)
++')
++
+ ########################################
+ #
+ # User send mail local policy
+@@ -256,9 +282,9 @@ optional_policy(`
+
+ domain_use_interactive_fds(user_mail_t)
+
+-userdom_use_user_terminals(user_mail_t)
++userdom_use_inherited_user_terminals(user_mail_t)
+ # Write to the user domain tty. cjp: why?
+-userdom_use_user_terminals(mta_user_agent)
++userdom_use_inherited_user_terminals(mta_user_agent)
+ # Create dead.letter in user home directories.
+ userdom_manage_user_home_content_files(user_mail_t)
+ userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
+@@ -270,6 +296,8 @@ userdom_manage_user_home_content_symlinks(mailserver_delivery)
+ userdom_manage_user_home_content_pipes(mailserver_delivery)
+ userdom_manage_user_home_content_sockets(mailserver_delivery)
+ userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
++allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
++
+ # Read user temporary files.
+ userdom_read_user_tmp_files(user_mail_t)
+ userdom_dontaudit_append_user_tmp_files(user_mail_t)
+@@ -277,6 +305,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
+ # files in an appropriate place for mta_user_agent
+ userdom_read_user_tmp_files(mta_user_agent)
+
++dev_read_sysfs(user_mail_t)
++
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(user_mail_t)
+ fs_manage_cifs_symlinks(user_mail_t)
+@@ -292,3 +322,123 @@ optional_policy(`
+ postfix_read_config(user_mail_t)
+ postfix_list_spool(user_mail_t)
+ ')
++
++########################################
++#
++# Comman user_mail_domain policy
++#
++
++allow user_mail_domain self:capability { setuid setgid chown };
++allow user_mail_domain self:process { signal_perms setrlimit };
++allow user_mail_domain self:tcp_socket create_socket_perms;
++allow user_mail_domain self:fifo_file rw_fifo_file_perms;
++allow user_mail_domain mta_exec_type:file entrypoint;
++
++append_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
++read_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
++
++manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
++manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
++
++read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)
++
++can_exec(user_mail_domain, mta_exec_type)
++
++allow system_mail_t user_mail_domain:file read_file_perms;
++
++read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t)
++
++kernel_read_network_state(user_mail_domain)
++kernel_request_load_module(user_mail_domain)
++
++dev_read_urand(user_mail_domain)
++
++files_read_usr_files(user_mail_domain)
++
++# Write to /var/spool/mail and /var/spool/mqueue.
++manage_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t)
++manage_files_pattern(user_mail_domain, mqueue_spool_t, mqueue_spool_t)
++read_lnk_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t)
++read_lnk_files_pattern(user_mail_domain, mqueue_spool_t, mqueue_spool_t)
++
++# re-exec itself
++can_exec(user_mail_domain, sendmail_exec_t)
++allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
++
++kernel_read_kernel_sysctls(user_mail_domain)
++
++corenet_tcp_sendrecv_generic_if(user_mail_domain)
++corenet_tcp_sendrecv_generic_node(user_mail_domain)
++corenet_tcp_sendrecv_all_ports(user_mail_domain)
++corenet_tcp_connect_all_ports(user_mail_domain)
++corenet_tcp_connect_smtp_port(user_mail_domain)
++corenet_sendrecv_smtp_client_packets(user_mail_domain)
++
++corecmd_exec_bin(user_mail_domain)
++
++files_read_etc_files(user_mail_domain)
++files_search_spool(user_mail_domain)
++# It wants to check for nscd
++files_dontaudit_search_pids(user_mail_domain)
++allow user_mail_domain etc_mail_t:dir search_dir_perms;
++
++files_read_etc_runtime_files(user_mail_domain)
++
++# Check available space.
++fs_getattr_xattr_fs(user_mail_domain)
++
++init_dontaudit_rw_utmp(user_mail_domain)
++
++optional_policy(`
++ courier_manage_spool_dirs(user_mail_domain)
++ courier_manage_spool_files(user_mail_domain)
++ courier_rw_spool_pipes(user_mail_domain)
++')
++
++optional_policy(`
++ exim_domtrans(user_mail_domain)
++ exim_manage_log(user_mail_domain)
++ exim_manage_spool_files(user_mail_domain)
++')
++
++optional_policy(`
++ # postfix needs this for newaliases
++ files_getattr_tmp_dirs(user_mail_domain)
++
++ postfix_exec_master(user_mail_domain)
++ postfix_read_config(user_mail_domain)
++ postfix_search_spool(user_mail_domain)
++ postfix_rw_master_pipes(user_mail_domain)
++
++ ifdef(`distro_redhat',`
++ # compatability for old default main.cf
++ postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
++ ')
++')
++
++optional_policy(`
++ openshift_rw_inherited_content(mta_user_agent)
++')
++
++optional_policy(`
++ procmail_exec(user_mail_domain)
++')
++
++optional_policy(`
++ qmail_domtrans_inject(user_mail_domain)
++')
++
++optional_policy(`
++ # Write to /var/log/sendmail.st
++ sendmail_manage_log(user_mail_domain)
++ sendmail_create_log(user_mail_domain)
++')
++
++optional_policy(`
++ uucp_manage_spool(user_mail_domain)
++')
++
++optional_policy(`
++ clamav_stream_connect(user_mail_domain)
++ clamav_stream_connect(mta_user_agent)
++')
+diff --git a/munin.fc b/munin.fc
+index fd71d69..123ee4c 100644
+--- a/munin.fc
++++ b/munin.fc
+@@ -4,7 +4,9 @@
+ /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+ /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+ /usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+-/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
++
++# label all plugins as unconfined_munin_plugin_exec_t
++/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)
+
+ # disk plugins
+ /usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+@@ -41,6 +43,9 @@
+ /usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+
++# selinux plugins
++/usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0)
++
+ # system plugins
+ /usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+@@ -51,6 +56,7 @@
+ /usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+@@ -58,12 +64,15 @@
+ /usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+
+ /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
++/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0)
+ /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
+ /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
+ /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+ /var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
++/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+diff --git a/munin.if b/munin.if
+index c358d8f..1cc176c 100644
+--- a/munin.if
++++ b/munin.if
+@@ -13,10 +13,11 @@
+ #
+ template(`munin_plugin_template',`
+ gen_require(`
+- type munin_t, munin_exec_t, munin_etc_t;
++ type munin_t;
++ attribute munin_plugin_domain;
+ ')
+
+- type $1_munin_plugin_t;
++ type $1_munin_plugin_t, munin_plugin_domain;
+ type $1_munin_plugin_exec_t;
+ typealias $1_munin_plugin_t alias munin_$1_plugin_t;
+ typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
+@@ -36,17 +37,9 @@ template(`munin_plugin_template',`
+ # automatic transition rules from munin domain
+ # to specific munin plugin domain
+ domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
+-
+- allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
+- allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
+-
+- read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t)
++ allow munin_t $1_munin_plugin_t:process signal_perms;
+
+ kernel_read_system_state($1_munin_plugin_t)
+-
+- corecmd_exec_bin($1_munin_plugin_t)
+-
+- miscfiles_read_localization($1_munin_plugin_t)
+ ')
+
+ ########################################
+@@ -65,9 +58,8 @@ interface(`munin_stream_connect',`
+ type munin_var_run_t, munin_t;
+ ')
+
+- allow $1 munin_t:unix_stream_socket connectto;
+- allow $1 munin_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
++ stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)
+ ')
+
+ #######################################
+@@ -88,12 +80,50 @@ interface(`munin_read_config',`
+
+ allow $1 munin_etc_t:dir list_dir_perms;
+ allow $1 munin_etc_t:file read_file_perms;
+- allow $1 munin_etc_t:lnk_file { getattr read };
++ allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
+ ')
+
+ #######################################
+ ##
++## Read munin library files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`munin_read_var_lib_files',`
++ gen_require(`
++ type munin_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
++
++')
++
++######################################
++##
++## dontaudit read and write an leaked file descriptors
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`munin_dontaudit_leaks',`
++ gen_require(`
++ type munin_t;
++ ')
++
++ dontaudit $1 munin_t:tcp_socket { read write };
++')
++
++#######################################
++##
+ ## Append to the munin log.
+ ##
+ ##
+@@ -172,12 +202,14 @@ interface(`munin_admin',`
+ gen_require(`
+ type munin_t, munin_etc_t, munin_tmp_t;
+ type munin_log_t, munin_var_lib_t, munin_var_run_t;
+- type httpd_munin_content_t;
+- type munin_initrc_exec_t;
++ type httpd_munin_content_t, munin_initrc_exec_t;
+ ')
+
+- allow $1 munin_t:process { ptrace signal_perms };
++ allow $1 munin_t:process signal_perms;
+ ps_process_pattern($1, munin_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 munin_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, munin_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/munin.te b/munin.te
+index f17583b..3a691c7 100644
+--- a/munin.te
++++ b/munin.te
+@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
+ # Declarations
+ #
+
++attribute munin_plugin_domain;
++
+ type munin_t alias lrrd_t;
+ type munin_exec_t alias lrrd_exec_t;
+ init_daemon_domain(munin_t, munin_exec_t)
+@@ -24,6 +26,9 @@ files_tmp_file(munin_tmp_t)
+ type munin_var_lib_t alias lrrd_var_lib_t;
+ files_type(munin_var_lib_t)
+
++type munin_plugin_state_t;
++files_type(munin_plugin_state_t)
++
+ type munin_var_run_t alias lrrd_var_run_t;
+ files_pid_file(munin_var_run_t)
+
+@@ -31,16 +36,20 @@ munin_plugin_template(disk)
+
+ munin_plugin_template(mail)
+
++munin_plugin_template(selinux)
++
+ munin_plugin_template(services)
+
+ munin_plugin_template(system)
+
++munin_plugin_template(unconfined)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+-allow munin_t self:capability { chown dac_override setgid setuid };
++allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio };
+ dontaudit munin_t self:capability sys_tty_config;
+ allow munin_t self:process { getsched setsched signal_perms };
+ allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -71,9 +80,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+ manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+ files_search_var_lib(munin_t)
+
++manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
+ manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
+ manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
+-files_pid_filetrans(munin_t, munin_var_run_t, file)
++files_pid_filetrans(munin_t, munin_var_run_t, { file dir })
++
++rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
+
+ kernel_read_system_state(munin_t)
+ kernel_read_network_state(munin_t)
+@@ -82,7 +94,6 @@ kernel_read_all_sysctls(munin_t)
+ corecmd_exec_bin(munin_t)
+ corecmd_exec_shell(munin_t)
+
+-corenet_all_recvfrom_unlabeled(munin_t)
+ corenet_all_recvfrom_netlabel(munin_t)
+ corenet_tcp_sendrecv_generic_if(munin_t)
+ corenet_udp_sendrecv_generic_if(munin_t)
+@@ -101,7 +112,6 @@ dev_read_urand(munin_t)
+ domain_use_interactive_fds(munin_t)
+ domain_read_all_domains_state(munin_t)
+
+-files_read_etc_files(munin_t)
+ files_read_etc_runtime_files(munin_t)
+ files_read_usr_files(munin_t)
+ files_list_spool(munin_t)
+@@ -115,7 +125,7 @@ logging_send_syslog_msg(munin_t)
+ logging_read_all_logs(munin_t)
+
+ miscfiles_read_fonts(munin_t)
+-miscfiles_read_localization(munin_t)
++miscfiles_setattr_fonts_cache_dirs(munin_t)
+
+ sysnet_exec_ifconfig(munin_t)
+
+@@ -128,6 +138,11 @@ optional_policy(`
+ manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+ manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+ apache_search_sys_content(munin_t)
++
++ read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
++ read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
++
++ files_search_var_lib(httpd_munin_script_t)
+ ')
+
+ optional_policy(`
+@@ -145,6 +160,7 @@ optional_policy(`
+ optional_policy(`
+ mta_read_config(munin_t)
+ mta_send_mail(munin_t)
++ mta_list_queue(munin_t)
+ mta_read_queue(munin_t)
+ ')
+
+@@ -155,10 +171,13 @@ optional_policy(`
+
+ optional_policy(`
+ netutils_domtrans_ping(munin_t)
++ netutils_signal_ping(munin_t)
++ netutils_kill_ping(munin_t)
+ ')
+
+ optional_policy(`
+ postfix_list_spool(munin_t)
++ postfix_getattr_spool_files(munin_t)
+ ')
+
+ optional_policy(`
+@@ -182,6 +201,7 @@ optional_policy(`
+ # local policy for disk plugins
+ #
+
++allow disk_munin_plugin_t self:capability { sys_admin sys_rawio };
+ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+
+ rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -190,15 +210,18 @@ corecmd_exec_shell(disk_munin_plugin_t)
+
+ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
+
+-files_read_etc_files(disk_munin_plugin_t)
+ files_read_etc_runtime_files(disk_munin_plugin_t)
++files_read_usr_files(disk_munin_plugin_t)
+
+-fs_getattr_all_fs(disk_munin_plugin_t)
+-
++dev_getattr_lvm_control(disk_munin_plugin_t)
+ dev_read_sysfs(disk_munin_plugin_t)
+ dev_read_urand(disk_munin_plugin_t)
++dev_read_all_blk_files(munin_disk_plugin_t)
++
++fs_getattr_all_fs(disk_munin_plugin_t)
++fs_getattr_all_dirs(disk_munin_plugin_t)
+
+-storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
++storage_raw_read_fixed_disk(disk_munin_plugin_t)
+
+ sysnet_read_config(disk_munin_plugin_t)
+
+@@ -221,30 +244,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+ dev_read_urand(mail_munin_plugin_t)
+
+-files_read_etc_files(mail_munin_plugin_t)
++logging_read_generic_logs(mail_munin_plugin_t)
+
+-fs_getattr_all_fs(mail_munin_plugin_t)
++optional_policy(`
++ exim_read_log(mail_munin_plugin_t)
++')
+
+-logging_read_generic_logs(mail_munin_plugin_t)
++optional_policy(`
++ mta_read_config(mail_munin_plugin_t)
++ mta_send_mail(mail_munin_plugin_t)
++ mta_list_queue(mail_munin_plugin_t)
++ mta_read_queue(mail_munin_plugin_t)
++')
+
+-mta_read_config(mail_munin_plugin_t)
+-mta_send_mail(mail_munin_plugin_t)
+-mta_read_queue(mail_munin_plugin_t)
++optional_policy(`
++ nscd_socket_use(mail_munin_plugin_t)
++')
+
+ optional_policy(`
+ postfix_read_config(mail_munin_plugin_t)
+ postfix_list_spool(mail_munin_plugin_t)
++ postfix_getattr_spool_files(mail_munin_plugin_t)
+ ')
+
+ optional_policy(`
+ sendmail_read_log(mail_munin_plugin_t)
+ ')
+
++##################################
++#
++# local policy for selinux plugins
++#
++
++selinux_get_enforce_mode(selinux_munin_plugin_t)
++
+ ###################################
+ #
+ # local policy for service plugins
+ #
+
++allow services_munin_plugin_t self:shm create_sem_perms;
++allow services_munin_plugin_t self:sem create_sem_perms;
+ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+ allow services_munin_plugin_t self:udp_socket create_socket_perms;
+ allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -255,13 +295,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+ dev_read_urand(services_munin_plugin_t)
+ dev_read_rand(services_munin_plugin_t)
+
+-fs_getattr_all_fs(services_munin_plugin_t)
+-
+-files_read_etc_files(services_munin_plugin_t)
+-
+ sysnet_read_config(services_munin_plugin_t)
+
+ optional_policy(`
++ cups_read_config(services_munin_plugin_t)
+ cups_stream_connect(services_munin_plugin_t)
+ ')
+
+@@ -279,6 +316,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ nscd_socket_use(services_munin_plugin_t)
++')
++
++optional_policy(`
+ postgresql_stream_connect(services_munin_plugin_t)
+ ')
+
+@@ -286,6 +327,18 @@ optional_policy(`
+ snmp_read_snmp_var_lib_files(services_munin_plugin_t)
+ ')
+
++optional_policy(`
++ sssd_stream_connect(services_munin_plugin_t)
++')
++
++optional_policy(`
++ varnishd_read_lib_files(services_munin_plugin_t)
++')
++
++optional_policy(`
++ bind_read_config(munin_services_plugin_t)
++')
++
+ ##################################
+ #
+ # local policy for system plugins
+@@ -295,12 +348,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+
+ rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+-kernel_read_network_state(system_munin_plugin_t)
+-kernel_read_all_sysctls(system_munin_plugin_t)
+-
+-corecmd_exec_shell(system_munin_plugin_t)
++# needed by munin_* plugins
++read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+
+-fs_getattr_all_fs(system_munin_plugin_t)
++kernel_read_network_state(system_munin_plugin_t)
+
+ dev_read_sysfs(system_munin_plugin_t)
+ dev_read_urand(system_munin_plugin_t)
+@@ -313,3 +364,47 @@ init_read_utmp(system_munin_plugin_t)
+ sysnet_exec_ifconfig(system_munin_plugin_t)
+
+ term_getattr_unallocated_ttys(system_munin_plugin_t)
++term_getattr_all_ttys(system_munin_plugin_t)
++term_getattr_all_ptys(system_munin_plugin_t)
++
++optional_policy(`
++ bind_read_config(system_munin_plugin_t)
++')
++
++#######################################
++#
++# Unconfined plugin policy
++#
++
++optional_policy(`
++ unconfined_domain(unconfined_munin_plugin_t)
++')
++
++################################
++#
++# local policy for munin plugin domains
++#
++
++allow munin_plugin_domain self:process signal;
++
++allow munin_plugin_domain munin_exec_t:file read_file_perms;
++allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
++
++# creates plugin state files
++manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
++
++read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
++
++corecmd_exec_bin(munin_plugin_domain)
++corecmd_exec_shell(munin_plugin_domain)
++
++files_search_var_lib(munin_plugin_domain)
++files_read_usr_files(munin_plugin_domain)
++
++fs_getattr_all_fs(munin_plugin_domain)
++
++auth_read_passwd(munin_plugin_domain)
++
++optional_policy(`
++ nscd_socket_use(munin_plugin_domain)
++')
+diff --git a/mysql.fc b/mysql.fc
+index 716d666..43f60de 100644
+--- a/mysql.fc
++++ b/mysql.fc
+@@ -1,6 +1,14 @@
+ # mysql database server
+
+ #
++# /HOME
++#
++HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
++/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
++
++/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
++
++#
+ # /etc
+ #
+ /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
+diff --git a/mysql.if b/mysql.if
+index e9c0982..404ed6d 100644
+--- a/mysql.if
++++ b/mysql.if
+@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
+ domtrans_pattern($1, mysqld_exec_t, mysqld_t)
+ ')
+
++######################################
++##
++## Execute MySQL in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mysql_exec',`
++ gen_require(`
++ type mysqld_exec_t;
++ ')
++
++ can_exec($1, mysqld_exec_t)
++')
++
+ ########################################
+ ##
+ ## Send a generic signal to MySQL.
+@@ -36,6 +54,24 @@ interface(`mysql_signal',`
+ allow $1 mysqld_t:process signal;
+ ')
+
++#######################################
++##
++## Send a null signal to mysql.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mysql_signull',`
++ gen_require(`
++ type mysqld_t;
++ ')
++
++ allow $1 mysqld_t:process signull;
++')
++
+ ########################################
+ ##
+ ## Allow the specified domain to connect to postgresql with a tcp socket.
+@@ -73,6 +109,7 @@ interface(`mysql_stream_connect',`
+ type mysqld_t, mysqld_var_run_t, mysqld_db_t;
+ ')
+
++ files_search_pids($1)
+ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
+ ')
+@@ -122,6 +159,26 @@ interface(`mysql_search_db',`
+
+ ########################################
+ ##
++## List the directories that contain MySQL
++## database storage.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mysql_list_db',`
++ gen_require(`
++ type mysqld_db_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 mysqld_db_t:dir list_dir_perms;
++')
++
++########################################
++##
+ ## Read and write to the MySQL database directory.
+ ##
+ ##
+@@ -252,12 +309,12 @@ interface(`mysql_write_log',`
+ ')
+
+ logging_search_logs($1)
+- allow $1 mysqld_log_t:file { write_file_perms setattr };
++ allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
+ ')
+
+ ######################################
+ ##
+-## Execute MySQL server in the mysql domain.
++## Execute MySQL safe script in the mysql safe domain.
+ ##
+ ##
+ ##
+@@ -273,6 +330,24 @@ interface(`mysql_domtrans_mysql_safe',`
+ domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
+ ')
+
++######################################
++##
++## Execute MySQL_safe in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mysql_safe_exec',`
++ gen_require(`
++ type mysqld_safe_exec_t;
++ ')
++
++ can_exec($1, mysqld_safe_exec_t)
++')
++
+ #####################################
+ ##
+ ## Read MySQL PID files.
+@@ -313,6 +388,67 @@ interface(`mysql_search_pid_files',`
+
+ ########################################
+ ##
++## Execute mysqld server in the mysqld domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`mysql_systemctl',`
++ gen_require(`
++ type mysqld_unit_file_t;
++ type mysqld_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 mysqld_unit_file_t:file read_file_perms;
++ allow $1 mysqld_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, mysqld_t)
++')
++
++########################################
++##
++## read mysqld homedir content (.k5login)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mysql_read_home_content',`
++ gen_require(`
++ type mysqld_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, mysqld_home_t, mysqld_home_t)
++')
++
++########################################
++##
++## Transition to mysqld named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mysql_filetrans_named_content',`
++ gen_require(`
++ type mysqld_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
++ userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
++')
++
++########################################
++##
+ ## All of the rules required to administrate an mysql environment
+ ##
+ ##
+@@ -329,27 +465,45 @@ interface(`mysql_search_pid_files',`
+ #
+ interface(`mysql_admin',`
+ gen_require(`
+- type mysqld_t, mysqld_var_run_t;
+- type mysqld_tmp_t, mysqld_db_t;
+- type mysqld_etc_t, mysqld_log_t;
+- type mysqld_initrc_exec_t;
++ type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
++ type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
++ type mysqld_etc_t;
++ type mysqld_home_t;
++ type mysqld_unit_file_t;
+ ')
+
+- allow $1 mysqld_t:process { ptrace signal_perms };
++ allow $1 mysqld_t:process signal_perms;
+ ps_process_pattern($1, mysqld_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 mysqld_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 mysqld_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_list_pids($1)
+ admin_pattern($1, mysqld_var_run_t)
+
+ admin_pattern($1, mysqld_db_t)
+
++ files_list_etc($1)
+ admin_pattern($1, mysqld_etc_t)
+
++ logging_list_logs($1)
+ admin_pattern($1, mysqld_log_t)
+
++ files_list_tmp($1)
+ admin_pattern($1, mysqld_tmp_t)
++
++ userdom_search_user_home_dirs($1)
++ files_list_root($1)
++ admin_pattern($1, mysqld_home_t)
++
++ mysql_systemctl($1)
++ admin_pattern($1, mysqld_unit_file_t)
++ allow $1 mysqld_unit_file_t:service all_service_perms;
++
++ mysql_stream_connect($1)
+ ')
+diff --git a/mysql.te b/mysql.te
+index 1cf05a3..8855ea2 100644
+--- a/mysql.te
++++ b/mysql.te
+@@ -29,6 +29,12 @@ files_type(mysqld_db_t)
+ type mysqld_etc_t alias etc_mysqld_t;
+ files_config_file(mysqld_etc_t)
+
++type mysqld_home_t;
++userdom_user_home_content(mysqld_home_t)
++
++type mysqld_unit_file_t;
++systemd_unit_file(mysqld_unit_file_t)
++
+ type mysqld_initrc_exec_t;
+ init_script_file(mysqld_initrc_exec_t)
+
+@@ -64,11 +70,12 @@ allow mysqld_t self:udp_socket create_socket_perms;
+
+ manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+ manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
++manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+ manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+ files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
+
+ allow mysqld_t mysqld_etc_t:file read_file_perms;
+-allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
++allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+ allow mysqld_t mysqld_etc_t:dir list_dir_perms;
+
+ allow mysqld_t mysqld_log_t:file manage_file_perms;
+@@ -78,14 +85,21 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+ manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+ files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
+
++manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+ manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+-files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file })
++files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
++
++userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+
++kernel_read_network_state(mysqld_t)
+ kernel_read_system_state(mysqld_t)
++kernel_read_network_state(mysqld_t)
+ kernel_read_kernel_sysctls(mysqld_t)
+
+-corenet_all_recvfrom_unlabeled(mysqld_t)
++corecmd_exec_bin(mysqld_t)
++corecmd_exec_shell(mysqld_t)
++
+ corenet_all_recvfrom_netlabel(mysqld_t)
+ corenet_tcp_sendrecv_generic_if(mysqld_t)
+ corenet_udp_sendrecv_generic_if(mysqld_t)
+@@ -110,7 +124,6 @@ domain_use_interactive_fds(mysqld_t)
+
+ files_getattr_var_lib_dirs(mysqld_t)
+ files_read_etc_runtime_files(mysqld_t)
+-files_read_etc_files(mysqld_t)
+ files_read_usr_files(mysqld_t)
+ files_search_var_lib(mysqld_t)
+
+@@ -118,17 +131,10 @@ auth_use_nsswitch(mysqld_t)
+
+ logging_send_syslog_msg(mysqld_t)
+
+-miscfiles_read_localization(mysqld_t)
+-
+ sysnet_read_config(mysqld_t)
+
+-userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+-# for /root/.my.cnf - should not be needed:
+-userdom_read_user_home_content_files(mysqld_t)
+-
+ ifdef(`distro_redhat',`
+- # because Fedora has the sock_file in the database directory
+- type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
++ filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
+ ')
+
+ tunable_policy(`mysql_connect_any',`
+@@ -154,10 +160,11 @@ optional_policy(`
+ #
+
+ allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+-dontaudit mysqld_safe_t self:capability sys_ptrace;
++allow mysqld_safe_t self:process { setsched getsched setrlimit };
+ allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+
+ read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
++delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+
+ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+
+@@ -170,26 +177,33 @@ kernel_read_system_state(mysqld_safe_t)
+ kernel_read_kernel_sysctls(mysqld_safe_t)
+
+ corecmd_exec_bin(mysqld_safe_t)
++corecmd_exec_shell(mysqld_safe_t)
+
+ dev_list_sysfs(mysqld_safe_t)
+
+ domain_read_all_domains_state(mysqld_safe_t)
+
+-files_read_etc_files(mysqld_safe_t)
++files_dontaudit_search_all_mountpoints(mysqld_safe_t)
+ files_read_usr_files(mysqld_safe_t)
+ files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+
+ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
++logging_send_syslog_msg(mysqld_safe_t)
+
+-hostname_exec(mysqld_safe_t)
++auth_read_passwd(mysqld_safe_t)
+
+-miscfiles_read_localization(mysqld_safe_t)
++domain_dontaudit_signull_all_domains(mysqld_safe_t)
+
+ mysql_manage_db_files(mysqld_safe_t)
+ mysql_read_config(mysqld_safe_t)
+ mysql_search_pid_files(mysqld_safe_t)
++mysql_signull(mysqld_safe_t)
+ mysql_write_log(mysqld_safe_t)
+
++optional_policy(`
++ hostname_exec(mysqld_safe_t)
++')
++
+ ########################################
+ #
+ # MySQL Manager Policy
+@@ -218,7 +232,6 @@ kernel_read_system_state(mysqlmanagerd_t)
+
+ corecmd_exec_shell(mysqlmanagerd_t)
+
+-corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
+ corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
+ corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
+ corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
+@@ -231,9 +244,7 @@ corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
+
+ dev_read_urand(mysqlmanagerd_t)
+
+-files_read_etc_files(mysqlmanagerd_t)
+ files_read_usr_files(mysqlmanagerd_t)
+
+-miscfiles_read_localization(mysqlmanagerd_t)
+
+ userdom_getattr_user_home_dirs(mysqlmanagerd_t)
+diff --git a/nagios.fc b/nagios.fc
+index 1238f2e..d80b4db 100644
+--- a/nagios.fc
++++ b/nagios.fc
+@@ -6,7 +6,7 @@
+ /usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+ /usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+
+-/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+ /usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+
+ /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+@@ -19,70 +19,75 @@
+ ifdef(`distro_debian',`
+ /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+ ')
+-/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+-/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+
+ # admin plugins
+-/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
+
+ # check disk plugins
+ /usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+
+ # mail plugins
+-/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
++
++/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
+
+ # system plugins
+-/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+
+ # services plugins
+-/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
+ # unconfined plugins
+-/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
++
++# eventhandlers
++/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+diff --git a/nagios.if b/nagios.if
+index 8581040..d7d9a79 100644
+--- a/nagios.if
++++ b/nagios.if
+@@ -12,31 +12,24 @@
+ ##
+ #
+ template(`nagios_plugin_template',`
+-
+ gen_require(`
++ attribute nagios_plugin_domain;
+ type nagios_t, nrpe_t;
+- type nagios_log_t;
+ ')
+
+- type nagios_$1_plugin_t;
++ type nagios_$1_plugin_t, nagios_plugin_domain;
+ type nagios_$1_plugin_exec_t;
+ application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
+ role system_r types nagios_$1_plugin_t;
+
+- allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
+-
+ domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
++ allow nagios_t nagios_$1_plugin_exec_t:file ioctl;
+
+ # needed by command.cfg
+ domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+
+- allow nagios_t nagios_$1_plugin_t:process signal_perms;
+-
+- # cjp: leaked file descriptor
+- dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
+- dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
++ kernel_read_system_state(nagios_$1_plugin_t)
+
+- miscfiles_read_localization(nagios_$1_plugin_t)
+ ')
+
+ ########################################
+@@ -49,7 +42,6 @@ template(`nagios_plugin_template',`
+ ## Domain to not audit.
+ ##
+ ##
+-##
+ #
+ interface(`nagios_dontaudit_rw_pipes',`
+ gen_require(`
+@@ -159,6 +151,26 @@ interface(`nagios_read_tmp_files',`
+
+ ########################################
+ ##
++## Allow the specified domain to read
++## nagios temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nagios_rw_inerited_tmp_files',`
++ gen_require(`
++ type nagios_tmp_t;
++ ')
++
++ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
++ files_search_tmp($1)
++')
++
++########################################
++##
+ ## Execute the nagios NRPE with
+ ## a domain transition.
+ ##
+@@ -195,15 +207,16 @@ interface(`nagios_domtrans_nrpe',`
+ #
+ interface(`nagios_admin',`
+ gen_require(`
+- type nagios_t, nrpe_t;
+- type nagios_tmp_t, nagios_log_t;
+- type nagios_etc_t, nrpe_etc_t;
+- type nagios_spool_t, nagios_var_run_t;
+- type nagios_initrc_exec_t;
++ type nagios_t, nrpe_t, nagios_initrc_exec_t;
++ type nagios_tmp_t, nagios_log_t, nagios_var_run_t;
++ type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
+ ')
+
+- allow $1 nagios_t:process { ptrace signal_perms };
++ allow $1 nagios_t:process signal_perms;
+ ps_process_pattern($1, nagios_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 nagios_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, nagios_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/nagios.te b/nagios.te
+index c3e2a2d..f4cbdff 100644
+--- a/nagios.te
++++ b/nagios.te
+@@ -5,6 +5,8 @@ policy_module(nagios, 1.12.0)
+ # Declarations
+ #
+
++attribute nagios_plugin_domain;
++
+ type nagios_t;
+ type nagios_exec_t;
+ init_daemon_domain(nagios_t, nagios_exec_t)
+@@ -25,7 +27,10 @@ type nagios_var_run_t;
+ files_pid_file(nagios_var_run_t)
+
+ type nagios_spool_t;
+-files_type(nagios_spool_t)
++files_spool_file(nagios_spool_t)
++
++type nagios_var_lib_t;
++files_type(nagios_var_lib_t)
+
+ nagios_plugin_template(admin)
+ nagios_plugin_template(checkdisk)
+@@ -33,6 +38,10 @@ nagios_plugin_template(mail)
+ nagios_plugin_template(services)
+ nagios_plugin_template(system)
+ nagios_plugin_template(unconfined)
++nagios_plugin_template(eventhandler)
++
++type nagios_eventhandler_plugin_tmp_t;
++files_tmp_file(nagios_eventhandler_plugin_tmp_t)
+
+ type nagios_system_plugin_tmp_t;
+ files_tmp_file(nagios_system_plugin_tmp_t)
+@@ -77,13 +86,17 @@ files_pid_filetrans(nagios_t, nagios_var_run_t, file)
+ manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
+
++manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
++manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
++files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file dir })
++
+ kernel_read_system_state(nagios_t)
+ kernel_read_kernel_sysctls(nagios_t)
++kernel_read_software_raid_state(nagios_t)
+
+ corecmd_exec_bin(nagios_t)
+ corecmd_exec_shell(nagios_t)
+
+-corenet_all_recvfrom_unlabeled(nagios_t)
+ corenet_all_recvfrom_netlabel(nagios_t)
+ corenet_tcp_sendrecv_generic_if(nagios_t)
+ corenet_udp_sendrecv_generic_if(nagios_t)
+@@ -103,31 +116,27 @@ domain_use_interactive_fds(nagios_t)
+ # for ps
+ domain_read_all_domains_state(nagios_t)
+
+-files_read_etc_files(nagios_t)
+ files_read_etc_runtime_files(nagios_t)
+ files_read_kernel_symbol_table(nagios_t)
+ files_search_spool(nagios_t)
++files_read_usr_files(nagios_t)
+
+ fs_getattr_all_fs(nagios_t)
+ fs_search_auto_mountpoints(nagios_t)
+
+-# for who
+-init_read_utmp(nagios_t)
+-
+ auth_use_nsswitch(nagios_t)
+
+ logging_send_syslog_msg(nagios_t)
+
+-miscfiles_read_localization(nagios_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+ userdom_dontaudit_search_user_home_dirs(nagios_t)
+
+ mta_send_mail(nagios_t)
++mta_signal_system_mail(nagios_t)
++mta_kill_system_mail(nagios_t)
+
+ optional_policy(`
+- netutils_domtrans_ping(nagios_t)
+- netutils_signal_ping(nagios_t)
+ netutils_kill_ping(nagios_t)
+ ')
+
+@@ -143,6 +152,7 @@ optional_policy(`
+ #
+ # Nagios CGI local policy
+ #
++
+ optional_policy(`
+ apache_content_template(nagios)
+ typealias httpd_nagios_script_t alias nagios_cgi_t;
+@@ -180,29 +190,31 @@ optional_policy(`
+ #
+
+ allow nrpe_t self:capability { setuid setgid };
+-dontaudit nrpe_t self:capability {sys_tty_config sys_resource};
++dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
+ allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
+ allow nrpe_t self:fifo_file rw_fifo_file_perms;
+ allow nrpe_t self:tcp_socket create_stream_socket_perms;
+
++read_files_pattern(nrpe_t, nrpe_etc_t, nrpe_etc_t)
++
+ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
+
+-read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
++read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
+ files_search_etc(nrpe_t)
+
+ manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
+ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+
++kernel_read_system_state(nrpe_t)
+ kernel_read_kernel_sysctls(nrpe_t)
+ kernel_read_software_raid_state(nrpe_t)
+-kernel_read_system_state(nrpe_t)
+
+ corecmd_exec_bin(nrpe_t)
+ corecmd_exec_shell(nrpe_t)
+
+ corenet_tcp_bind_generic_node(nrpe_t)
+ corenet_tcp_bind_inetd_child_port(nrpe_t)
+-corenet_sendrecv_unlabeled_packets(nrpe_t)
++corenet_all_recvfrom_netlabel(nrpe_t)
+
+ dev_read_sysfs(nrpe_t)
+ dev_read_urand(nrpe_t)
+@@ -211,7 +223,7 @@ domain_use_interactive_fds(nrpe_t)
+ domain_read_all_domains_state(nrpe_t)
+
+ files_read_etc_runtime_files(nrpe_t)
+-files_read_etc_files(nrpe_t)
++files_read_usr_files(nrpe_t)
+
+ fs_getattr_all_fs(nrpe_t)
+ fs_search_auto_mountpoints(nrpe_t)
+@@ -220,7 +232,6 @@ auth_use_nsswitch(nrpe_t)
+
+ logging_send_syslog_msg(nrpe_t)
+
+-miscfiles_read_localization(nrpe_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
+
+@@ -252,11 +263,9 @@ optional_policy(`
+ corecmd_read_bin_files(nagios_admin_plugin_t)
+ corecmd_read_bin_symlinks(nagios_admin_plugin_t)
+
+-dev_read_urand(nagios_admin_plugin_t)
+ dev_getattr_all_chr_files(nagios_admin_plugin_t)
+ dev_getattr_all_blk_files(nagios_admin_plugin_t)
+
+-files_read_etc_files(nagios_admin_plugin_t)
+ # for check_file_age plugin
+ files_getattr_all_dirs(nagios_admin_plugin_t)
+ files_getattr_all_files(nagios_admin_plugin_t)
+@@ -271,20 +280,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+ #
+
+ allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
+-
+ allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+ allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
+ allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
+
+-kernel_read_system_state(nagios_mail_plugin_t)
+ kernel_read_kernel_sysctls(nagios_mail_plugin_t)
+
+ corecmd_read_bin_files(nagios_mail_plugin_t)
+ corecmd_read_bin_symlinks(nagios_mail_plugin_t)
+
+-dev_read_urand(nagios_mail_plugin_t)
+-
+-files_read_etc_files(nagios_mail_plugin_t)
+
+ logging_send_syslog_msg(nagios_mail_plugin_t)
+
+@@ -300,7 +304,7 @@ optional_policy(`
+
+ optional_policy(`
+ postfix_stream_connect_master(nagios_mail_plugin_t)
+- posftix_exec_postqueue(nagios_mail_plugin_t)
++ postfix_exec_postqueue(nagios_mail_plugin_t)
+ ')
+
+ ######################################
+@@ -311,7 +315,9 @@ optional_policy(`
+ # needed by ioctl()
+ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+
+-files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
++kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
++
++files_getattr_all_dirs(nagios_checkdisk_plugin_t)
+ files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
+
+ fs_getattr_all_fs(nagios_checkdisk_plugin_t)
+@@ -323,11 +329,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+ # local policy for service check plugins
+ #
+
+-allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
++allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw };
+ allow nagios_services_plugin_t self:process { signal sigkill };
+-
+ allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
+ allow nagios_services_plugin_t self:udp_socket create_socket_perms;
++allow nagios_services_plugin_t self:rawip_socket create_socket_perms;
+
+ corecmd_exec_bin(nagios_services_plugin_t)
+
+@@ -342,6 +348,8 @@ files_read_usr_files(nagios_services_plugin_t)
+
+ optional_policy(`
+ netutils_domtrans_ping(nagios_services_plugin_t)
++ netutils_signal_ping(nagios_services_plugin_t)
++ netutils_kill_ping(nagios_services_plugin_t)
+ ')
+
+ optional_policy(`
+@@ -365,6 +373,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
+ files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
+
++read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
++
+ kernel_read_system_state(nagios_system_plugin_t)
+ kernel_read_kernel_sysctls(nagios_system_plugin_t)
+
+@@ -372,11 +382,13 @@ corecmd_exec_bin(nagios_system_plugin_t)
+ corecmd_exec_shell(nagios_system_plugin_t)
+
+ dev_read_sysfs(nagios_system_plugin_t)
+-dev_read_urand(nagios_system_plugin_t)
+
+ domain_read_all_domains_state(nagios_system_plugin_t)
+
+-files_read_etc_files(nagios_system_plugin_t)
++
++fs_getattr_all_fs(nagios_system_plugin_t)
++
++auth_read_passwd(nagios_system_plugin_t)
+
+ # needed by check_users plugin
+ optional_policy(`
+@@ -391,3 +403,48 @@ optional_policy(`
+ optional_policy(`
+ unconfined_domain(nagios_unconfined_plugin_t)
+ ')
++
++#######################################
++#
++# Event handler plugin plugin policy
++#
++
++manage_files_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t)
++manage_dirs_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t)
++files_tmp_filetrans(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, { dir file })
++
++corecmd_exec_bin(nagios_eventhandler_plugin_t)
++corecmd_exec_shell(nagios_eventhandler_plugin_t)
++
++init_domtrans_script(nagios_eventhandler_plugin_t)
++
++systemd_exec_systemctl(nagios_eventhandler_plugin_t)
++
++allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;
++
++optional_policy(`
++ unconfined_domain(nagios_eventhandler_plugin_t)
++')
++
++######################################
++#
++# nagios plugin domain policy
++#
++
++allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
++
++allow nrpe_t nagios_plugin_domain:process { signal sigkill };
++
++allow nagios_t nagios_plugin_domain:process signal_perms;
++
++# cjp: leaked file descriptor
++dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write };
++dontaudit nagios_plugin_domain nagios_log_t:file { read write };
++
++dev_read_urand(nagios_plugin_domain)
++dev_read_rand(nagios_plugin_domain)
++
++files_read_usr_files(nagios_plugin_domain)
++
++userdom_use_inherited_user_ptys(nagios_plugin_domain)
++userdom_use_inherited_user_ttys(nagios_plugin_domain)
+diff --git a/namespace.fc b/namespace.fc
+new file mode 100644
+index 0000000..ce51c8d
+--- /dev/null
++++ b/namespace.fc
+@@ -0,0 +1,3 @@
++
++/etc/security/namespace.init -- gen_context(system_u:object_r:namespace_init_exec_t,s0)
++
+diff --git a/namespace.if b/namespace.if
+new file mode 100644
+index 0000000..8d7c751
+--- /dev/null
++++ b/namespace.if
+@@ -0,0 +1,48 @@
++
++## policy for namespace
++
++########################################
++##
++## Execute a domain transition to run namespace_init.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`namespace_init_domtrans',`
++ gen_require(`
++ type namespace_init_t, namespace_init_exec_t;
++ ')
++
++ domtrans_pattern($1, namespace_init_exec_t, namespace_init_t)
++')
++
++
++########################################
++##
++## Execute namespace_init in the namespace_init domain, and
++## allow the specified role the namespace_init domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the namespace_init domain.
++##
++##
++#
++interface(`namespace_init_run',`
++ gen_require(`
++ type namespace_init_t;
++ ')
++
++ namespace_init_domtrans($1)
++ role $2 types namespace_init_t;
++
++ seutil_run_setfiles(namespace_init_t, $2)
++')
+diff --git a/namespace.te b/namespace.te
+new file mode 100644
+index 0000000..ef7b846
+--- /dev/null
++++ b/namespace.te
+@@ -0,0 +1,43 @@
++policy_module(namespace,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type namespace_init_t;
++type namespace_init_exec_t;
++init_system_domain(namespace_init_t, namespace_init_exec_t)
++role system_r types namespace_init_t;
++
++########################################
++#
++# namespace_init local policy
++#
++
++allow namespace_init_t self:capability dac_override;
++
++allow namespace_init_t self:fifo_file manage_fifo_file_perms;
++allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_system_state(namespace_init_t)
++
++corecmd_exec_shell(namespace_init_t)
++
++domain_use_interactive_fds(namespace_init_t)
++domain_obj_id_change_exemption(namespace_init_t)
++
++files_polyinstantiate_all(namespace_init_t)
++
++mcs_file_write_all(namespace_init_t)
++
++auth_use_nsswitch(namespace_init_t)
++
++
++term_use_console(namespace_init_t)
++
++userdom_manage_user_home_content_dirs(namespace_init_t)
++userdom_manage_user_home_content_files(namespace_init_t)
++userdom_relabelto_user_home_dirs(namespace_init_t)
++userdom_relabelto_user_home_files(namespace_init_t)
++userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file })
+diff --git a/ncftool.if b/ncftool.if
+index a648982..59f096b 100644
+--- a/ncftool.if
++++ b/ncftool.if
+@@ -36,9 +36,19 @@ interface(`ncftool_domtrans',`
+ #
+ interface(`ncftool_run',`
+ gen_require(`
+- attribute_role ncftool_roles;
+- ')
++ type ncftool_t;
++ #attribute_role ncftool_roles;
++ ')
++
++ #ncftool_domtrans($1)
++ #roleattribute $2 ncftool_roles;
+
+ ncftool_domtrans($1)
+- roleattribute $2 ncftool_roles;
++ role $2 types ncftool_t;
++
++ optional_policy(`
++ brctl_run(ncftool_t, $2)
++ ')
++
+ ')
++
+diff --git a/ncftool.te b/ncftool.te
+index f19ca0b..3eadfbb 100644
+--- a/ncftool.te
++++ b/ncftool.te
+@@ -5,25 +5,29 @@ policy_module(ncftool, 1.1.0)
+ # Declarations
+ #
+
+-attribute_role ncftool_roles;
+-roleattribute system_r ncftool_roles;
++#attribute_role ncftool_roles;
++#roleattribute system_r ncftool_roles;
+
+ type ncftool_t;
+ type ncftool_exec_t;
+ application_domain(ncftool_t, ncftool_exec_t)
+ domain_obj_id_change_exemption(ncftool_t)
+ domain_system_change_exemption(ncftool_t)
+-role ncftool_roles types ncftool_t;
++#role ncftool_roles types ncftool_t;
++role system_r types ncftool_t;
+
+ ########################################
+ #
+ # ncftool local policy
+ #
+
+-allow ncftool_t self:capability { net_admin sys_ptrace };
++allow ncftool_t self:capability net_admin;
+ allow ncftool_t self:process signal;
++
+ allow ncftool_t self:fifo_file manage_fifo_file_perms;
+ allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
++
++allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
+ allow ncftool_t self:tcp_socket create_stream_socket_perms;
+ allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
+
+@@ -41,24 +45,33 @@ domain_read_all_domains_state(ncftool_t)
+
+ dev_read_sysfs(ncftool_t)
+
+-files_read_etc_files(ncftool_t)
++files_manage_system_conf_files(ncftool_t)
++files_relabelto_system_conf_files(ncftool_t)
+ files_read_etc_runtime_files(ncftool_t)
+ files_read_usr_files(ncftool_t)
+
+-miscfiles_read_localization(ncftool_t)
++term_use_all_inherited_terms(ncftool_t)
+
+ sysnet_delete_dhcpc_pid(ncftool_t)
+-sysnet_run_dhcpc(ncftool_t, ncftool_roles)
+-sysnet_run_ifconfig(ncftool_t, ncftool_roles)
++sysnet_domtrans_dhcpc(ncftool_t)
++sysnet_domtrans_ifconfig(ncftool_t)
++#sysnet_run_dhcpc(ncftool_t, ncftool_roles)
++#sysnet_run_ifconfig(ncftool_t, ncftool_roles)
+ sysnet_etc_filetrans_config(ncftool_t)
+ sysnet_manage_config(ncftool_t)
+ sysnet_read_dhcpc_state(ncftool_t)
++sysnet_relabelfrom_net_conf(ncftool_t)
++sysnet_relabelto_net_conf(ncftool_t)
+ sysnet_read_dhcpc_pid(ncftool_t)
+ sysnet_signal_dhcpc(ncftool_t)
+
+ userdom_use_user_terminals(ncftool_t)
+ userdom_read_user_tmp_files(ncftool_t)
+
++#optional_policy(`
++# brctl_run(ncftool_t, ncftool_roles)
++#')
++
+ optional_policy(`
+ consoletype_exec(ncftool_t)
+ ')
+@@ -69,13 +82,18 @@ optional_policy(`
+
+ optional_policy(`
+ iptables_initrc_domtrans(ncftool_t)
++ iptables_systemctl(ncftool_t)
+ ')
+
+ optional_policy(`
++ modutils_list_module_config(ncftool_t)
+ modutils_read_module_config(ncftool_t)
+- modutils_run_insmod(ncftool_t, ncftool_roles)
++ modutils_domtrans_insmod(ncftool_t)
++ #modutils_run_insmod(ncftool_t, ncftool_roles)
++
+ ')
+
+ optional_policy(`
+- netutils_run(ncftool_t, ncftool_roles)
++ netutils_domtrans(ncftool_t)
++ #netutils_run(ncftool_t, ncftool_roles)
+ ')
+diff --git a/nessus.te b/nessus.te
+index abf25da..bad6973 100644
+--- a/nessus.te
++++ b/nessus.te
+@@ -56,7 +56,6 @@ kernel_read_kernel_sysctls(nessusd_t)
+ # for nmap etc
+ corecmd_exec_bin(nessusd_t)
+
+-corenet_all_recvfrom_unlabeled(nessusd_t)
+ corenet_all_recvfrom_netlabel(nessusd_t)
+ corenet_tcp_sendrecv_generic_if(nessusd_t)
+ corenet_udp_sendrecv_generic_if(nessusd_t)
+@@ -85,7 +84,6 @@ fs_search_auto_mountpoints(nessusd_t)
+
+ logging_send_syslog_msg(nessusd_t)
+
+-miscfiles_read_localization(nessusd_t)
+
+ sysnet_read_config(nessusd_t)
+
+diff --git a/networkmanager.fc b/networkmanager.fc
+index 386543b..8fe1d63 100644
+--- a/networkmanager.fc
++++ b/networkmanager.fc
+@@ -1,6 +1,19 @@
+ /etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+-/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
++/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
++/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
++/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
++/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
++
++/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++
++/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++
++/usr/lib/systemd/system/NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
+
+ /usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+@@ -12,15 +25,19 @@
+ /usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+ /usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+ /usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
++/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+ /var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+ /var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+
+-/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
++/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
++
+ /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
+
+ /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+diff --git a/networkmanager.if b/networkmanager.if
+index 2324d9e..96dbf6f 100644
+--- a/networkmanager.if
++++ b/networkmanager.if
+@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
+ ## Allow caller to relabel tun_socket
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+ interface(`networkmanager_attach_tun_iface',`
+@@ -116,6 +116,29 @@ interface(`networkmanager_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute NetworkManager server in the NetworkManager domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`networkmanager_systemctl',`
++ gen_require(`
++ type NetworkManager_unit_file_t;
++ type NetworkManager_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 NetworkManager_unit_file_t:file read_file_perms;
++ allow $1 NetworkManager_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, NetworkManager_t)
++')
++
++########################################
++##
+ ## Send and receive messages from
+ ## NetworkManager over dbus.
+ ##
+@@ -137,6 +160,28 @@ interface(`networkmanager_dbus_chat',`
+
+ ########################################
+ ##
++## Do not audit attempts to send and
++## receive messages from NetworkManager
++## over dbus.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`networkmanager_dontaudit_dbus_chat',`
++ gen_require(`
++ type NetworkManager_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 NetworkManager_t:dbus send_msg;
++ dontaudit NetworkManager_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Send a generic signal to NetworkManager
+ ##
+ ##
+@@ -173,6 +218,25 @@ interface(`networkmanager_read_lib_files',`
+ read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ ')
+
++#######################################
++##
++## Read NetworkManager conf files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`networkmanager_read_conf',`
++ gen_require(`
++ type NetworkManager_etc_t;
++ ')
++
++ allow $1 NetworkManager_etc_t:dir list_dir_perms;
++ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
++')
++
+ ########################################
+ ##
+ ## Read NetworkManager PID files.
+@@ -191,3 +255,110 @@ interface(`networkmanager_read_pid_files',`
+ files_search_pids($1)
+ allow $1 NetworkManager_var_run_t:file read_file_perms;
+ ')
++
++########################################
++##
++## Execute NetworkManager in the NetworkManager domain, and
++## allow the specified role the NetworkManager domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`networkmanager_run',`
++ gen_require(`
++ type NetworkManager_t, NetworkManager_exec_t;
++ ')
++
++ networkmanager_domtrans($1)
++ role $2 types NetworkManager_t;
++')
++
++########################################
++##
++## Allow the specified domain to append
++## to Network Manager log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`networkmanager_append_log',`
++ gen_require(`
++ type NetworkManager_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 NetworkManager_log_t:dir list_dir_perms;
++ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
++')
++
++#######################################
++##
++## Allow the specified domain to manage
++## to Network Manager lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`networkmanager_manage_lib',`
++ gen_require(`
++ type NetworkManager_var_lib_t;
++ ')
++
++ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
++')
++
++
++########################################
++##
++## Transition to networkmanager named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`networkmanager_filetrans_named_content',`
++ gen_require(`
++ type NetworkManager_var_run_t;
++ type NetworkManager_var_lib_t;
++ ')
++
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth1.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth2.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth3.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth4.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth5.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth6.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth7.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth8.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em3.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em4.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em5.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
++ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
++ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
++ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
++')
+diff --git a/networkmanager.te b/networkmanager.te
+index 0619395..a953cf1 100644
+--- a/networkmanager.te
++++ b/networkmanager.te
+@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+ type NetworkManager_initrc_exec_t;
+ init_script_file(NetworkManager_initrc_exec_t)
+
++type NetworkManager_unit_file_t;
++systemd_unit_file(NetworkManager_unit_file_t)
++
++type NetworkManager_etc_t;
++files_config_file(NetworkManager_etc_t)
++
++type NetworkManager_etc_rw_t;
++files_config_file(NetworkManager_etc_rw_t)
++
+ type NetworkManager_log_t;
+ logging_log_file(NetworkManager_log_t)
+
+@@ -35,26 +44,49 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+
+ # networkmanager will ptrace itself if gdb is installed
+ # and it receives a unexpected signal (rh bug #204161)
+-allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
+-dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
++dontaudit NetworkManager_t self:capability sys_tty_config;
++ifdef(`hide_broken_symptoms',`
++ # caused by some bogus kernel code
++ dontaudit NetworkManager_t self:capability sys_module;
++')
++allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
++tunable_policy(`deny_ptrace',`',`
++ allow NetworkManager_t self:capability sys_ptrace;
++ allow NetworkManager_t self:process ptrace;
++')
++
+ allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
+ allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+ allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+ allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
++allow NetworkManager_t self:netlink_socket create_socket_perms;
+ allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
+-allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom };
++allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+ allow NetworkManager_t self:udp_socket create_socket_perms;
+ allow NetworkManager_t self:packet_socket create_socket_perms;
+
+ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+
+ can_exec(NetworkManager_t, NetworkManager_exec_t)
++#wicd
++can_exec(NetworkManager_t, wpa_cli_exec_t)
++
++list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
++read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
++read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
++
++manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
++manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
++filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
++
++logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
+
+ manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+ logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
+
++can_exec(NetworkManager_t, NetworkManager_tmp_t)
+ manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+ manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+ files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
+@@ -75,7 +107,6 @@ kernel_request_load_module(NetworkManager_t)
+ kernel_read_debugfs(NetworkManager_t)
+ kernel_rw_net_sysctls(NetworkManager_t)
+
+-corenet_all_recvfrom_unlabeled(NetworkManager_t)
+ corenet_all_recvfrom_netlabel(NetworkManager_t)
+ corenet_tcp_sendrecv_generic_if(NetworkManager_t)
+ corenet_udp_sendrecv_generic_if(NetworkManager_t)
+@@ -95,11 +126,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t)
+ corenet_rw_tun_tap_dev(NetworkManager_t)
+ corenet_getattr_ppp_dev(NetworkManager_t)
+
+-dev_read_sysfs(NetworkManager_t)
++dev_rw_sysfs(NetworkManager_t)
+ dev_read_rand(NetworkManager_t)
+ dev_read_urand(NetworkManager_t)
+ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+ dev_getattr_all_chr_files(NetworkManager_t)
++dev_rw_wireless(NetworkManager_t)
+
+ fs_getattr_all_fs(NetworkManager_t)
+ fs_search_auto_mountpoints(NetworkManager_t)
+@@ -113,10 +145,10 @@ corecmd_exec_shell(NetworkManager_t)
+ corecmd_exec_bin(NetworkManager_t)
+
+ domain_use_interactive_fds(NetworkManager_t)
+-domain_read_confined_domains_state(NetworkManager_t)
++domain_read_all_domains_state(NetworkManager_t)
+
+-files_read_etc_files(NetworkManager_t)
+ files_read_etc_runtime_files(NetworkManager_t)
++files_read_system_conf_files(NetworkManager_t)
+ files_read_usr_files(NetworkManager_t)
+ files_read_usr_src_files(NetworkManager_t)
+
+@@ -128,35 +160,51 @@ init_domtrans_script(NetworkManager_t)
+
+ auth_use_nsswitch(NetworkManager_t)
+
++libs_exec_ldconfig(NetworkManager_t)
++
+ logging_send_syslog_msg(NetworkManager_t)
+
+-miscfiles_read_localization(NetworkManager_t)
+ miscfiles_read_generic_certs(NetworkManager_t)
+
+-modutils_domtrans_insmod(NetworkManager_t)
+-
+ seutil_read_config(NetworkManager_t)
+
+ sysnet_domtrans_ifconfig(NetworkManager_t)
+ sysnet_domtrans_dhcpc(NetworkManager_t)
+ sysnet_signal_dhcpc(NetworkManager_t)
++sysnet_signull_dhcpc(NetworkManager_t)
+ sysnet_read_dhcpc_pid(NetworkManager_t)
++sysnet_read_dhcp_config(NetworkManager_t)
+ sysnet_delete_dhcpc_pid(NetworkManager_t)
++sysnet_kill_dhcpc(NetworkManager_t)
++sysnet_read_dhcpc_state(NetworkManager_t)
++sysnet_delete_dhcpc_state(NetworkManager_t)
+ sysnet_search_dhcp_state(NetworkManager_t)
+ # in /etc created by NetworkManager will be labelled net_conf_t.
+ sysnet_manage_config(NetworkManager_t)
+ sysnet_etc_filetrans_config(NetworkManager_t)
+
++userdom_stream_connect(NetworkManager_t)
+ userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
+ userdom_dontaudit_use_user_ttys(NetworkManager_t)
+ # Read gnome-keyring
++userdom_read_home_certs(NetworkManager_t)
+ userdom_read_user_home_content_files(NetworkManager_t)
++userdom_dgram_send(NetworkManager_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(NetworkManager_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(NetworkManager_t)
++')
+
+ optional_policy(`
+ avahi_domtrans(NetworkManager_t)
+ avahi_kill(NetworkManager_t)
+ avahi_signal(NetworkManager_t)
+ avahi_signull(NetworkManager_t)
++ avahi_dbus_chat(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -176,10 +224,17 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ cron_read_system_job_lib_files(NetworkManager_t)
++')
++
++optional_policy(`
+ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+
++ init_dbus_chat(NetworkManager_t)
++
+ optional_policy(`
+ consolekit_dbus_chat(NetworkManager_t)
++ consolekit_read_pid_files(NetworkManager_t)
+ ')
+ ')
+
+@@ -191,6 +246,7 @@ optional_policy(`
+ dnsmasq_kill(NetworkManager_t)
+ dnsmasq_signal(NetworkManager_t)
+ dnsmasq_signull(NetworkManager_t)
++ dnsmasq_systemctl(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -202,23 +258,45 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(NetworkManager_t)
++')
++
++optional_policy(`
++ ipsec_domtrans_mgmt(NetworkManager_t)
++ ipsec_kill_mgmt(NetworkManager_t)
++ ipsec_signal_mgmt(NetworkManager_t)
++ ipsec_signull_mgmt(NetworkManager_t)
++')
++
++optional_policy(`
+ iptables_domtrans(NetworkManager_t)
+ ')
+
+ optional_policy(`
++ netutils_exec_ping(NetworkManager_t)
++')
++
++optional_policy(`
+ nscd_domtrans(NetworkManager_t)
+ nscd_signal(NetworkManager_t)
+ nscd_signull(NetworkManager_t)
+ nscd_kill(NetworkManager_t)
+ nscd_initrc_domtrans(NetworkManager_t)
++ nscd_systemctl(NetworkManager_t)
+ ')
+
+ optional_policy(`
+ # Dispatcher starting and stoping ntp
+ ntp_initrc_domtrans(NetworkManager_t)
++ ntp_systemctl(NetworkManager_t)
+ ')
+
+ optional_policy(`
++ modutils_domtrans_insmod(NetworkManager_t)
++')
++
++optional_policy(`
++ openvpn_read_config(NetworkManager_t)
+ openvpn_domtrans(NetworkManager_t)
+ openvpn_kill(NetworkManager_t)
+ openvpn_signal(NetworkManager_t)
+@@ -234,6 +312,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ polipo_systemctl(NetworkManager_t)
++')
++
++optional_policy(`
+ ppp_initrc_domtrans(NetworkManager_t)
+ ppp_domtrans(NetworkManager_t)
+ ppp_manage_pid_files(NetworkManager_t)
+@@ -241,6 +323,7 @@ optional_policy(`
+ ppp_signal(NetworkManager_t)
+ ppp_signull(NetworkManager_t)
+ ppp_read_config(NetworkManager_t)
++ ppp_systemctl(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -254,6 +337,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_write_inhibit_pipes(NetworkManager_t)
++ systemd_read_logind_sessions_files(NetworkManager_t)
++ systemd_dbus_chat_logind(NetworkManager_t)
++')
++
++optional_policy(`
+ udev_exec(NetworkManager_t)
+ udev_read_db(NetworkManager_t)
+ ')
+@@ -263,6 +352,7 @@ optional_policy(`
+ vpn_kill(NetworkManager_t)
+ vpn_signal(NetworkManager_t)
+ vpn_signull(NetworkManager_t)
++ vpn_relabelfrom_tun_socket(NetworkManager_t)
+ ')
+
+ ########################################
+@@ -284,6 +374,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+ init_dontaudit_use_fds(wpa_cli_t)
+ init_use_script_ptys(wpa_cli_t)
+
+-miscfiles_read_localization(wpa_cli_t)
+
+ term_dontaudit_use_console(wpa_cli_t)
+diff --git a/nis.fc b/nis.fc
+index 632a565..cd0e015 100644
+--- a/nis.fc
++++ b/nis.fc
+@@ -9,7 +9,9 @@
+ /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+
+ /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
++/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+ /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
++/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+ /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
+
+ /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
+@@ -18,3 +20,8 @@
+ /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+ /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+ /var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
++
++/usr/lib/systemd/system/ypbind.* -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
++/usr/lib/systemd/system/ypserv.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
++/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
++/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+diff --git a/nis.if b/nis.if
+index abe3f7f..1112fae 100644
+--- a/nis.if
++++ b/nis.if
+@@ -27,18 +27,13 @@ interface(`nis_use_ypbind_uncond',`
+ gen_require(`
+ type var_yp_t;
+ ')
+-
+- allow $1 self:capability net_bind_service;
+-
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ allow $1 var_yp_t:dir list_dir_perms;
+- allow $1 var_yp_t:lnk_file { getattr read };
++ allow $1 var_yp_t:lnk_file read_lnk_file_perms;
+ allow $1 var_yp_t:file read_file_perms;
+
+- corenet_all_recvfrom_unlabeled($1)
+- corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+@@ -49,14 +44,13 @@ interface(`nis_use_ypbind_uncond',`
+ corenet_udp_bind_generic_node($1)
+ corenet_tcp_bind_generic_port($1)
+ corenet_udp_bind_generic_port($1)
+- corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+- corenet_dontaudit_udp_bind_all_reserved_ports($1)
++ corenet_tcp_bind_all_rpc_ports($1)
++ corenet_udp_bind_all_rpc_ports($1)
+ corenet_dontaudit_tcp_bind_all_ports($1)
+ corenet_dontaudit_udp_bind_all_ports($1)
+ corenet_tcp_connect_portmap_port($1)
+- corenet_tcp_connect_reserved_port($1)
++ corenet_tcp_connect_all_reserved_ports($1)
+ corenet_tcp_connect_generic_port($1)
+- corenet_dontaudit_tcp_connect_all_ports($1)
+ corenet_sendrecv_portmap_client_packets($1)
+ corenet_sendrecv_generic_client_packets($1)
+ corenet_sendrecv_generic_server_packets($1)
+@@ -88,7 +82,7 @@ interface(`nis_use_ypbind_uncond',`
+ ##
+ #
+ interface(`nis_use_ypbind',`
+- tunable_policy(`allow_ypbind',`
++ tunable_policy(`nis_enabled',`
+ nis_use_ypbind_uncond($1)
+ ')
+ ')
+@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',`
+ ##
+ #
+ interface(`nis_authenticate',`
+- tunable_policy(`allow_ypbind',`
++ tunable_policy(`nis_enabled',`
+ nis_use_ypbind_uncond($1)
+ corenet_tcp_bind_all_rpc_ports($1)
+ corenet_udp_bind_all_rpc_ports($1)
+@@ -131,6 +125,24 @@ interface(`nis_domtrans_ypbind',`
+ domtrans_pattern($1, ypbind_exec_t, ypbind_t)
+ ')
+
++#######################################
++##
++## Execute ypbind in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`nis_exec_ypbind',`
++ gen_require(`
++ type ypbind_t, ypbind_exec_t;
++ ')
++
++ can_exec($1, ypbind_exec_t)
++')
++
+ ########################################
+ ##
+ ## Execute ypbind in the ypbind domain, and
+@@ -337,6 +349,55 @@ interface(`nis_initrc_domtrans_ypbind',`
+
+ ########################################
+ ##
++## Execute ypbind server in the ypbind domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`nis_systemctl_ypbind',`
++ gen_require(`
++ type ypbind_unit_file_t;
++ type ypbind_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 ypbind_unit_file_t:file read_file_perms;
++ allow $1 ypbind_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, ypbind_t)
++')
++
++########################################
++##
++## Execute ypbind server in the ypbind domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`nis_systemctl',`
++ gen_require(`
++ type nis_unit_file_t, ypbind_unit_file_t;
++ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 nis_unit_file_t:file read_file_perms;
++ allow $1 nis_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, ypbind_t)
++ ps_process_pattern($1, yppasswdd_t)
++ ps_process_pattern($1, ypserv_t)
++ ps_process_pattern($1, ypxfr_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an nis environment
+ ##
+@@ -354,22 +415,31 @@ interface(`nis_initrc_domtrans_ypbind',`
+ #
+ interface(`nis_admin',`
+ gen_require(`
+- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+- type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
++ type ypbind_t, yppasswdd_t, ypserv_t;
++ type ypserv_conf_t;
+ type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
+- type ypbind_initrc_exec_t, nis_initrc_exec_t;
++ type ypserv_tmp_t;
++ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
++ type nis_unit_file_t;
++ type ypbind_unit_file_t;
+ ')
+
+- allow $1 ypbind_t:process { ptrace signal_perms };
++ allow $1 ypbind_t:process signal_perms;
+ ps_process_pattern($1, ypbind_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ypbind_t:process ptrace;
++ allow $1 yppasswdd_t:process ptrace;
++ allow $1 ypserv_t:process ptrace;
++ allow $1 ypxfr_t:process ptrace;
++ ')
+
+- allow $1 yppasswdd_t:process { ptrace signal_perms };
++ allow $1 yppasswdd_t:process signal_perms;
+ ps_process_pattern($1, yppasswdd_t)
+
+- allow $1 ypserv_t:process { ptrace signal_perms };
++ allow $1 ypserv_t:process signal_perms;
+ ps_process_pattern($1, ypserv_t)
+
+- allow $1 ypxfr_t:process { ptrace signal_perms };
++ allow $1 ypxfr_t:process signal_perms;
+ ps_process_pattern($1, ypxfr_t)
+
+ nis_initrc_domtrans($1)
+@@ -379,18 +449,22 @@ interface(`nis_admin',`
+ role_transition $2 ypbind_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_list_tmp($1)
+- admin_pattern($1, ypbind_tmp_t)
+-
+ files_list_pids($1)
+ admin_pattern($1, ypbind_var_run_t)
++ nis_systemctl_ypbind($1)
++ admin_pattern($1, ypbind_unit_file_t)
++ allow $1 ypbind_unit_file_t:service all_service_perms;
+
+ admin_pattern($1, yppasswdd_var_run_t)
+
+ files_list_etc($1)
+ admin_pattern($1, ypserv_conf_t)
+
++ admin_pattern($1, ypserv_var_run_t)
++
+ admin_pattern($1, ypserv_tmp_t)
+
+- admin_pattern($1, ypserv_var_run_t)
++ nis_systemctl($1)
++ admin_pattern($1, nis_unit_file_t)
++ allow $1 nis_unit_file_t:service all_service_perms;
+ ')
+diff --git a/nis.te b/nis.te
+index f27899c..f1dd1fa 100644
+--- a/nis.te
++++ b/nis.te
+@@ -18,11 +18,14 @@ init_daemon_domain(ypbind_t, ypbind_exec_t)
+ type ypbind_initrc_exec_t;
+ init_script_file(ypbind_initrc_exec_t)
+
++type ypbind_var_run_t;
++files_pid_file(ypbind_var_run_t)
++
+ type ypbind_tmp_t;
+ files_tmp_file(ypbind_tmp_t)
+
+-type ypbind_var_run_t;
+-files_pid_file(ypbind_var_run_t)
++type ypbind_unit_file_t;
++systemd_unit_file(ypbind_unit_file_t)
+
+ type yppasswdd_t;
+ type yppasswdd_exec_t;
+@@ -37,7 +40,7 @@ type ypserv_exec_t;
+ init_daemon_domain(ypserv_t, ypserv_exec_t)
+
+ type ypserv_conf_t;
+-files_type(ypserv_conf_t)
++files_config_file(ypserv_conf_t)
+
+ type ypserv_tmp_t;
+ files_tmp_file(ypserv_tmp_t)
+@@ -52,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+ type ypxfr_var_run_t;
+ files_pid_file(ypxfr_var_run_t)
+
++type nis_unit_file_t;
++systemd_unit_file(nis_unit_file_t)
++
+ ########################################
+ #
+ # ypbind local policy
+@@ -76,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
+ kernel_read_system_state(ypbind_t)
+ kernel_read_kernel_sysctls(ypbind_t)
+
+-corenet_all_recvfrom_unlabeled(ypbind_t)
+ corenet_all_recvfrom_netlabel(ypbind_t)
+ corenet_tcp_sendrecv_generic_if(ypbind_t)
+ corenet_udp_sendrecv_generic_if(ypbind_t)
+@@ -108,9 +113,9 @@ domain_use_interactive_fds(ypbind_t)
+ files_read_etc_files(ypbind_t)
+ files_list_var(ypbind_t)
+
+-logging_send_syslog_msg(ypbind_t)
++init_search_pid_dirs(ypbind_t)
+
+-miscfiles_read_localization(ypbind_t)
++logging_send_syslog_msg(ypbind_t)
+
+ sysnet_read_config(ypbind_t)
+
+@@ -156,12 +161,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
+ manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
+ manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
+
++can_exec(yppasswdd_t,yppasswdd_exec_t)
++
+ kernel_list_proc(yppasswdd_t)
+ kernel_read_proc_symlinks(yppasswdd_t)
+ kernel_getattr_proc_files(yppasswdd_t)
+ kernel_read_kernel_sysctls(yppasswdd_t)
+
+-corenet_all_recvfrom_unlabeled(yppasswdd_t)
+ corenet_all_recvfrom_netlabel(yppasswdd_t)
+ corenet_tcp_sendrecv_generic_if(yppasswdd_t)
+ corenet_udp_sendrecv_generic_if(yppasswdd_t)
+@@ -186,6 +192,7 @@ selinux_get_fs_mount(yppasswdd_t)
+
+ auth_manage_shadow(yppasswdd_t)
+ auth_relabel_shadow(yppasswdd_t)
++auth_read_passwd(yppasswdd_t)
+ auth_etc_filetrans_shadow(yppasswdd_t)
+
+ corecmd_exec_bin(yppasswdd_t)
+@@ -199,7 +206,6 @@ files_relabel_etc_files(yppasswdd_t)
+
+ logging_send_syslog_msg(yppasswdd_t)
+
+-miscfiles_read_localization(yppasswdd_t)
+
+ sysnet_read_config(yppasswdd_t)
+
+@@ -211,6 +217,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mta_send_mail(yppasswdd_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(yppasswdd_t)
+ ')
+
+@@ -247,7 +257,6 @@ kernel_read_kernel_sysctls(ypserv_t)
+ kernel_list_proc(ypserv_t)
+ kernel_read_proc_symlinks(ypserv_t)
+
+-corenet_all_recvfrom_unlabeled(ypserv_t)
+ corenet_all_recvfrom_netlabel(ypserv_t)
+ corenet_tcp_sendrecv_generic_if(ypserv_t)
+ corenet_udp_sendrecv_generic_if(ypserv_t)
+@@ -279,7 +288,6 @@ files_read_etc_files(ypserv_t)
+
+ logging_send_syslog_msg(ypserv_t)
+
+-miscfiles_read_localization(ypserv_t)
+
+ nis_domtrans_ypxfr(ypserv_t)
+
+@@ -317,7 +325,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
+ manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
+ files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
+
+-corenet_all_recvfrom_unlabeled(ypxfr_t)
+ corenet_all_recvfrom_netlabel(ypxfr_t)
+ corenet_tcp_sendrecv_generic_if(ypxfr_t)
+ corenet_udp_sendrecv_generic_if(ypxfr_t)
+@@ -342,6 +349,5 @@ files_search_usr(ypxfr_t)
+
+ logging_send_syslog_msg(ypxfr_t)
+
+-miscfiles_read_localization(ypxfr_t)
+
+ sysnet_read_config(ypxfr_t)
+diff --git a/nova.fc b/nova.fc
+new file mode 100644
+index 0000000..02dc6dc
+--- /dev/null
++++ b/nova.fc
+@@ -0,0 +1,32 @@
++
++/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_ajax_exec_t,s0)
++/usr/bin/nova-console.* -- gen_context(system_u:object_r:nova_console_exec_t,s0)
++/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_direct_exec_t,s0)
++/usr/bin/nova-api -- gen_context(system_u:object_r:nova_api_exec_t,s0)
++/usr/bin/nova-cert -- gen_context(system_u:object_r:nova_cert_exec_t,s0)
++/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0)
++/usr/bin/nova-network -- gen_context(system_u:object_r:nova_network_exec_t,s0)
++/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_objectstore_exec_t,s0)
++/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_scheduler_exec_t,s0)
++/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
++/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_volume_exec_t,s0)
++/usr/bin/nova-xvpvncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
++
++/usr/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_ajax_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-api.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-cert.* -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-console.* -- gen_context(system_u:object_r:nova_console_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-direct-api.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-metadata-api.service.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-network.* -- gen_context(system_u:object_r:nova_network_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-objectstore.* -- gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-scheduler.* -- gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-vncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-xvpvncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-volume.* -- gen_context(system_u:object_r:nova_volume_unit_file_t,s0)
++
++/var/lib/nova(/.*)? gen_context(system_u:object_r:nova_var_lib_t,s0)
++
++/var/log/nova(/.*)? gen_context(system_u:object_r:nova_log_t,s0)
++
++/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0)
+diff --git a/nova.if b/nova.if
+new file mode 100644
+index 0000000..7d11148
+--- /dev/null
++++ b/nova.if
+@@ -0,0 +1,36 @@
++## openstack-nova
++
++#######################################
++##
++## Creates types and rules for a basic
++## openstack-nova systemd daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`nova_domain_template',`
++ gen_require(`
++ attribute nova_domain;
++ ')
++
++ type nova_$1_t, nova_domain;
++ type nova_$1_exec_t;
++ init_daemon_domain(nova_$1_t, nova_$1_exec_t)
++
++ type nova_$1_unit_file_t;
++ systemd_unit_file(nova_$1_unit_file_t)
++
++ type nova_$1_tmp_t;
++ files_tmp_file(nova_$1_tmp_t)
++
++ manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
++ manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
++ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir })
++ can_exec(nova_$1_t, nova_$1_tmp_t)
++
++ kernel_read_system_state(nova_$1_t)
++
++')
+diff --git a/nova.te b/nova.te
+new file mode 100644
+index 0000000..f0aaecf
+--- /dev/null
++++ b/nova.te
+@@ -0,0 +1,324 @@
++policy_module(nova, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++#
++# nova-stack daemons contain security issue with using sudo in the code
++# we make this policy as unconfined until this issue is fixed
++#
++
++attribute nova_domain;
++
++nova_domain_template(ajax)
++nova_domain_template(api)
++nova_domain_template(cert)
++nova_domain_template(compute)
++nova_domain_template(console)
++nova_domain_template(direct)
++nova_domain_template(network)
++nova_domain_template(objectstore)
++nova_domain_template(scheduler)
++nova_domain_template(vncproxy)
++nova_domain_template(volume)
++
++type nova_log_t;
++logging_log_file(nova_log_t)
++
++type nova_var_lib_t;
++files_type(nova_var_lib_t)
++
++type nova_var_run_t;
++files_pid_file(nova_var_run_t)
++
++
++######################################
++#
++# nova general domain local policy
++#
++
++allow nova_domain self:fifo_file rw_fifo_file_perms;
++allow nova_domain self:tcp_socket create_stream_socket_perms;
++allow nova_domain self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(nova_domain, nova_log_t, nova_log_t)
++manage_files_pattern(nova_domain, nova_log_t, nova_log_t)
++
++manage_dirs_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
++manage_files_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
++
++manage_dirs_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
++manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
++
++corenet_tcp_connect_amqp_port(nova_domain)
++
++corecmd_exec_bin(nova_domain)
++corecmd_exec_shell(nova_domain)
++
++dev_read_urand(nova_domain)
++
++fs_getattr_xattr_fs(nova_domain)
++
++files_read_usr_files(nova_domain)
++
++libs_exec_ldconfig(nova_domain)
++
++files_read_etc_files(nova_domain)
++
++
++optional_policy(`
++ sysnet_read_config(nova_domain)
++')
++
++######################################
++#
++# nova ajax local policy
++#
++
++optional_policy(`
++ unconfined_domain(nova_ajax_t)
++')
++
++#######################################
++#
++# nova api local policy
++#
++
++allow nova_api_t self:process setfscreate;
++
++allow nova_api_t self:key write;
++
++allow nova_api_t self:netlink_route_socket r_netlink_socket_perms;
++
++allow nova_api_t self:udp_socket create_socket_perms;
++
++kernel_read_kernel_sysctls(nova_api_t)
++
++corenet_tcp_bind_generic_node(nova_api_t)
++corenet_udp_bind_generic_node(nova_api_t)
++# should be add to booleans
++corenet_tcp_connect_all_ports(nova_api_t)
++corenet_tcp_bind_all_unreserved_ports(nova_api_t)
++
++auth_read_passwd(nova_api_t)
++
++logging_send_syslog_msg(nova_api_t)
++
++miscfiles_read_certs(nova_api_t)
++
++ifdef(`hide_broken_symptoms',`
++ optional_policy(`
++ sudo_exec(nova_api_t)
++ allow nova_api_t self:capability { setuid sys_resource setgid };
++ allow nova_api_t self:process { setsched setrlimit };
++ logging_send_audit_msgs(nova_api_t)
++ ')
++')
++
++optional_policy(`
++ iptables_domtrans(nova_api_t)
++')
++
++optional_policy(`
++ ssh_exec_keygen(nova_api_t)
++')
++
++optional_policy(`
++ unconfined_domain(nova_api_t)
++')
++
++######################################
++#
++# nova cert local policy
++#
++
++allow nova_cert_t self:process setfscreate;
++
++allow nova_cert_t self:udp_socket create_socket_perms;
++
++auth_use_nsswitch(nova_cert_t)
++
++miscfiles_read_certs(nova_cert_t)
++
++optional_policy(`
++ mysql_stream_connect(nova_cert_t)
++')
++
++#######################################
++#
++# nova compute local policy
++#
++
++# needs to be re-write since now runs as virtd_t
++
++allow nova_compute_t self:udp_socket create_socket_perms;
++
++kernel_read_network_state(nova_compute_t)
++
++dev_read_rand(nova_compute_t)
++
++dev_read_sysfs(nova_compute_t)
++
++optional_policy(`
++ virt_getattr_exec(nova_compute_t)
++ virt_stream_connect(nova_compute_t)
++')
++
++######################################
++#
++# nova console local policy
++#
++
++allow nova_console_t self:udp_socket create_socket_perms;
++
++auth_use_nsswitch(nova_console_t)
++
++#######################################
++#
++# nova direct local policy
++#
++
++optional_policy(`
++ unconfined_domain(nova_direct_t)
++')
++
++#######################################
++#
++# nova network local policy
++#
++
++allow nova_network_t self:capability { dac_override net_admin net_bind_service };
++allow nova_network_t self:process { getcap setcap };
++
++allow nova_network_t self:netlink_route_socket r_netlink_socket_perms;
++allow nova_network_t self:udp_socket create_socket_perms;
++
++kernel_read_network_state(nova_network_t)
++kernel_read_kernel_sysctls(nova_network_t)
++
++# should be added to boolean or fixed in the code
++# dnsmasq domtrans does not work since then dnsmasq_t wants
++# to do some stuff with nova_lib, nova_tmp
++# nova-dhcpbridge runs in dnsmasq domain
++corenet_all_recvfrom_netlabel(nova_network_t)
++corenet_tcp_sendrecv_generic_if(nova_network_t)
++corenet_udp_sendrecv_generic_if(nova_network_t)
++corenet_raw_sendrecv_generic_if(nova_network_t)
++corenet_tcp_sendrecv_generic_node(nova_network_t)
++corenet_udp_sendrecv_generic_node(nova_network_t)
++corenet_raw_sendrecv_generic_node(nova_network_t)
++corenet_tcp_sendrecv_all_ports(nova_network_t)
++corenet_udp_sendrecv_all_ports(nova_network_t)
++corenet_tcp_bind_generic_node(nova_network_t)
++corenet_udp_bind_generic_node(nova_network_t)
++corenet_tcp_bind_dns_port(nova_network_t)
++corenet_udp_bind_all_ports(nova_network_t)
++corenet_sendrecv_dns_server_packets(nova_network_t)
++corenet_sendrecv_dhcpd_server_packets(nova_network_t)
++
++libs_exec_ldconfig(nova_network_t)
++
++logging_send_syslog_msg(nova_network_t)
++
++ifdef(`hide_broken_symptoms',`
++ optional_policy(`
++ sudo_exec(nova_network_t)
++ allow nova_network_t self:capability { setuid sys_resource setgid };
++ allow nova_network_t self:process { setsched setrlimit };
++ logging_send_audit_msgs(nova_network_t)
++ ')
++')
++
++optional_policy(`
++ brctl_domtrans(nova_network_t)
++')
++
++optional_policy(`
++ dnsmasq_exec(nova_network_t)
++# dnsmasq_domtrans(nova_network_t)
++')
++
++optional_policy(`
++ iptables_domtrans(nova_network_t)
++')
++
++optional_policy(`
++ sysnet_domtrans_ifconfig(nova_network_t)
++')
++
++optional_policy(`
++ unconfined_domain(nova_network_t)
++')
++
++#######################################
++#
++# nova object store local policy
++#
++
++allow nova_objectstore_t self:udp_socket create_socket_perms;
++
++corenet_tcp_bind_generic_node(nova_objectstore_t)
++corenet_udp_bind_generic_node(nova_objectstore_t)
++
++optional_policy(`
++ unconfined_domain(nova_objectstore_t)
++')
++
++#######################################
++#
++# nova scheduler local policy
++#
++
++allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
++allow nova_scheduler_t self:udp_socket create_socket_perms;
++
++optional_policy(`
++ unconfined_domain(nova_scheduler_t)
++')
++
++#######################################
++#
++# nova vncproxy local policy
++#
++
++optional_policy(`
++ unconfined_domain(nova_vncproxy_t)
++')
++
++#######################################
++#
++# nova volume local policy
++#
++
++allow nova_volume_t self:netlink_route_socket r_netlink_socket_perms;
++
++allow nova_volume_t self:udp_socket create_socket_perms;
++
++kernel_read_kernel_sysctls(nova_volume_t)
++
++logging_send_syslog_msg(nova_volume_t)
++
++optional_policy(`
++ lvm_domtrans(nova_volume_t)
++')
++
++ifdef(`hide_broken_symptoms',`
++ require {
++ type sudo_exec_t;
++ }
++
++ allow nova_volume_t sudo_exec_t:file { read execute open execute_no_trans };
++
++ allow nova_volume_t self:capability { setuid sys_resource setgid audit_write };
++ allow nova_volume_t self:process { setsched setrlimit };
++
++ logging_send_audit_msgs(nova_volume_t)
++
++')
++
++optional_policy(`
++ unconfined_domain(nova_volume_t)
++')
++
+diff --git a/nscd.fc b/nscd.fc
+index 623b731..429bd79 100644
+--- a/nscd.fc
++++ b/nscd.fc
+@@ -11,3 +11,5 @@
+ /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+ /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
++
++/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
+diff --git a/nscd.if b/nscd.if
+index 85188dc..2b37836 100644
+--- a/nscd.if
++++ b/nscd.if
+@@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
+ files_search_pids($1)
+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+- dontaudit $1 nscd_var_run_t:file { getattr read };
++ dontaudit $1 nscd_var_run_t:file read_file_perms;
++ ps_process_pattern(nscd_t, $1)
++')
++
++########################################
++##
++## Use nscd services
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nscd_use',`
++ tunable_policy(`nscd_use_shm',`
++ nscd_shm_use($1)
++ ',`
++ nscd_socket_use($1)
++ ')
+ ')
+
+ ########################################
+@@ -146,11 +165,14 @@ interface(`nscd_shm_use',`
+ # nscd_socket_domain macro. need to investigate
+ # if they are all actually required
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+- allow $1 nscd_t:unix_stream_socket connectto;
+- allow $1 nscd_var_run_t:sock_file rw_file_perms;
++
++ # dg: This may not be required.
++ allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
++
++ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+ files_search_pids($1)
+ allow $1 nscd_t:nscd { getpwd getgrp gethost };
+- dontaudit $1 nscd_var_run_t:file { getattr read };
++ dontaudit $1 nscd_var_run_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -168,7 +190,7 @@ interface(`nscd_dontaudit_search_pid',`
+ type nscd_var_run_t;
+ ')
+
+- dontaudit $1 nscd_var_run_t:dir search;
++ dontaudit $1 nscd_var_run_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -224,6 +246,7 @@ interface(`nscd_unconfined',`
+ ## Role allowed access.
+ ##
+ ##
++##
+ #
+ interface(`nscd_run',`
+ gen_require(`
+@@ -254,6 +277,29 @@ interface(`nscd_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute nscd server in the nscd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`nscd_systemctl',`
++ gen_require(`
++ type nscd_unit_file_t;
++ type nscd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 nscd_unit_file_t:file read_file_perms;
++ allow $1 nscd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, nscd_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an nscd environment
+ ##
+@@ -273,10 +319,14 @@ interface(`nscd_admin',`
+ gen_require(`
+ type nscd_t, nscd_log_t, nscd_var_run_t;
+ type nscd_initrc_exec_t;
++ type nscd_unit_file_t;
+ ')
+
+- allow $1 nscd_t:process { ptrace signal_perms };
++ allow $1 nscd_t:process signal_perms;
+ ps_process_pattern($1, nscd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 nscd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -288,4 +338,8 @@ interface(`nscd_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, nscd_var_run_t)
++
++ nscd_systemctl($1)
++ admin_pattern($1, nscd_unit_file_t)
++ allow $1 nscd_unit_file_t:service all_service_perms;
+ ')
+diff --git a/nscd.te b/nscd.te
+index 7936e09..2814186 100644
+--- a/nscd.te
++++ b/nscd.te
+@@ -4,6 +4,13 @@ gen_require(`
+ class nscd all_nscd_perms;
+ ')
+
++##
++##
++## Allow confined applications to use nscd shared memory.
++##
++##
++gen_tunable(nscd_use_shm, false)
++
+ ########################################
+ #
+ # Declarations
+@@ -22,6 +29,9 @@ init_daemon_domain(nscd_t, nscd_exec_t)
+ type nscd_initrc_exec_t;
+ init_script_file(nscd_initrc_exec_t)
+
++type nscd_unit_file_t;
++systemd_unit_file(nscd_unit_file_t)
++
+ type nscd_log_t;
+ logging_log_file(nscd_log_t)
+
+@@ -47,13 +57,15 @@ allow nscd_t self:nscd { admin getstat };
+ allow nscd_t nscd_log_t:file manage_file_perms;
+ logging_log_filetrans(nscd_t, nscd_log_t, file)
+
++manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
+ manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
+ manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
+-files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
++files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir })
+
+ corecmd_search_bin(nscd_t)
+ can_exec(nscd_t, nscd_exec_t)
+
++kernel_read_network_state(nscd_t)
+ kernel_read_kernel_sysctls(nscd_t)
+ kernel_list_proc(nscd_t)
+ kernel_read_proc_symlinks(nscd_t)
+@@ -70,7 +82,6 @@ fs_list_inotifyfs(nscd_t)
+ auth_getattr_shadow(nscd_t)
+ auth_use_nsswitch(nscd_t)
+
+-corenet_all_recvfrom_unlabeled(nscd_t)
+ corenet_all_recvfrom_netlabel(nscd_t)
+ corenet_tcp_sendrecv_generic_if(nscd_t)
+ corenet_udp_sendrecv_generic_if(nscd_t)
+@@ -90,8 +101,8 @@ selinux_compute_create_context(nscd_t)
+ selinux_compute_relabel_context(nscd_t)
+ selinux_compute_user_contexts(nscd_t)
+ domain_use_interactive_fds(nscd_t)
++domain_search_all_domains_state(nscd_t)
+
+-files_read_etc_files(nscd_t)
+ files_read_generic_tmp_symlinks(nscd_t)
+ # Needed to read files created by firstboot "/etc/hesiod.conf"
+ files_read_etc_runtime_files(nscd_t)
+@@ -99,7 +110,6 @@ files_read_etc_runtime_files(nscd_t)
+ logging_send_audit_msgs(nscd_t)
+ logging_send_syslog_msg(nscd_t)
+
+-miscfiles_read_localization(nscd_t)
+
+ seutil_read_config(nscd_t)
+ seutil_read_default_contexts(nscd_t)
+@@ -112,6 +122,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
+ userdom_dontaudit_search_user_home_dirs(nscd_t)
+
+ optional_policy(`
++ accountsd_dontaudit_rw_fifo_file(nscd_t)
++')
++
++optional_policy(`
+ cron_read_system_job_tmp_files(nscd_t)
+ ')
+
+@@ -127,3 +141,19 @@ optional_policy(`
+ xen_dontaudit_rw_unix_stream_sockets(nscd_t)
+ xen_append_log(nscd_t)
+ ')
++
++optional_policy(`
++ tunable_policy(`samba_domain_controller',`
++ samba_append_log(nscd_t)
++ samba_dontaudit_use_fds(nscd_t)
++ ')
++')
++
++optional_policy(`
++ samba_read_config(nscd_t)
++ samba_read_var_files(nscd_t)
++')
++
++optional_policy(`
++ unconfined_dontaudit_rw_packet_sockets(nscd_t)
++')
+diff --git a/nsd.fc b/nsd.fc
+index 53cc800..5348e92 100644
+--- a/nsd.fc
++++ b/nsd.fc
+@@ -1,6 +1,6 @@
+
+ /etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
+-/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
++/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_zone_t,s0)
+ /etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+ /etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+
+@@ -10,5 +10,4 @@
+ /usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
+
+ /var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+-/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
+ /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
+diff --git a/nsd.if b/nsd.if
+index a1371d5..ad4f14a 100644
+--- a/nsd.if
++++ b/nsd.if
+@@ -2,6 +2,25 @@
+
+ ########################################
+ ##
++## Read NSD pid file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nsd_read_pid',`
++ gen_require(`
++ type nsd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, nsd_var_run_t, nsd_var_run_t)
++')
++
++########################################
++##
+ ## Send and receive datagrams from NSD. (Deprecated)
+ ##
+ ##
+diff --git a/nsd.te b/nsd.te
+index 4b15536..82e97aa 100644
+--- a/nsd.te
++++ b/nsd.te
+@@ -18,15 +18,11 @@ domain_type(nsd_crond_t)
+ domain_entry_file(nsd_crond_t, nsd_exec_t)
+ role system_r types nsd_crond_t;
+
+-# a type for nsd.db
+-type nsd_db_t;
+-files_type(nsd_db_t)
+-
+ type nsd_var_run_t;
+ files_pid_file(nsd_var_run_t)
+
+ # A type for zone files
+-type nsd_zone_t;
++type nsd_zone_t alias nsd_db_t;
+ files_type(nsd_zone_t)
+
+ ########################################
+@@ -34,25 +30,24 @@ files_type(nsd_zone_t)
+ # NSD Local policy
+ #
+
+-allow nsd_t self:capability { dac_override chown setuid setgid };
++allow nsd_t self:capability { chown dac_override kill setgid setuid };
+ dontaudit nsd_t self:capability sys_tty_config;
+ allow nsd_t self:process signal_perms;
+ allow nsd_t self:tcp_socket create_stream_socket_perms;
+ allow nsd_t self:udp_socket create_socket_perms;
++allow nsd_t self:fifo_file rw_fifo_file_perms;
+
+ allow nsd_t nsd_conf_t:dir list_dir_perms;
+ read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+ read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+
+-allow nsd_t nsd_db_t:file manage_file_perms;
+-filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
+-
+ manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
+ files_pid_filetrans(nsd_t, nsd_var_run_t, file)
+
+-allow nsd_t nsd_zone_t:dir list_dir_perms;
+-read_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+-read_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
++manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
++manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
++manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
++files_var_lib_filetrans(nsd_t, nsd_zone_t, dir)
+
+ can_exec(nsd_t, nsd_exec_t)
+
+@@ -61,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t)
+
+ corecmd_exec_bin(nsd_t)
+
+-corenet_all_recvfrom_unlabeled(nsd_t)
+ corenet_all_recvfrom_netlabel(nsd_t)
+ corenet_tcp_sendrecv_generic_if(nsd_t)
+ corenet_udp_sendrecv_generic_if(nsd_t)
+@@ -79,17 +73,17 @@ dev_read_sysfs(nsd_t)
+
+ domain_use_interactive_fds(nsd_t)
+
+-files_read_etc_files(nsd_t)
+ files_read_etc_runtime_files(nsd_t)
++files_search_var_lib(nsd_t)
+
+ fs_getattr_all_fs(nsd_t)
+ fs_search_auto_mountpoints(nsd_t)
+
+-logging_send_syslog_msg(nsd_t)
++auth_use_nsswitch(nsd_t)
+
+-miscfiles_read_localization(nsd_t)
++logging_send_syslog_msg(nsd_t)
+
+-sysnet_read_config(nsd_t)
++sysnet_dns_name_resolve(nsd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(nsd_t)
+ userdom_dontaudit_search_user_home_dirs(nsd_t)
+@@ -121,8 +115,6 @@ allow nsd_crond_t self:udp_socket create_socket_perms;
+
+ allow nsd_crond_t nsd_conf_t:file read_file_perms;
+
+-allow nsd_crond_t nsd_db_t:file manage_file_perms;
+-filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
+ files_search_var_lib(nsd_crond_t)
+
+ allow nsd_crond_t nsd_t:process signal;
+@@ -139,7 +131,6 @@ kernel_read_system_state(nsd_crond_t)
+ corecmd_exec_bin(nsd_crond_t)
+ corecmd_exec_shell(nsd_crond_t)
+
+-corenet_all_recvfrom_unlabeled(nsd_crond_t)
+ corenet_all_recvfrom_netlabel(nsd_crond_t)
+ corenet_tcp_sendrecv_generic_if(nsd_crond_t)
+ corenet_udp_sendrecv_generic_if(nsd_crond_t)
+@@ -155,13 +146,13 @@ dev_read_urand(nsd_crond_t)
+
+ domain_dontaudit_read_all_domains_state(nsd_crond_t)
+
+-files_read_etc_files(nsd_crond_t)
+ files_read_etc_runtime_files(nsd_crond_t)
+ files_search_var_lib(nsd_t)
+
++auth_use_nsswitch(nsd_crond_t)
++
+ logging_send_syslog_msg(nsd_crond_t)
+
+-miscfiles_read_localization(nsd_crond_t)
+
+ sysnet_read_config(nsd_crond_t)
+
+diff --git a/nslcd.if b/nslcd.if
+index 23c769c..0398e70 100644
+--- a/nslcd.if
++++ b/nslcd.if
+@@ -93,12 +93,15 @@ interface(`nslcd_stream_connect',`
+ #
+ interface(`nslcd_admin',`
+ gen_require(`
+- type nslcd_t, nslcd_initrc_exec_t;
+- type nslcd_conf_t, nslcd_var_run_t;
++ type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t;
++ type nslcd_conf_t;
+ ')
+
+ ps_process_pattern($1, nslcd_t)
+- allow $1 nslcd_t:process { ptrace signal_perms };
++ allow $1 nslcd_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 nslcd_t:process ptrace;
++ ')
+
+ # Allow nslcd_t to restart the apache service
+ nslcd_initrc_domtrans($1)
+@@ -106,9 +109,9 @@ interface(`nslcd_admin',`
+ role_transition $2 nslcd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t)
++ files_list_etc($1)
++ admin_pattern($1, nslcd_conf_t)
+
+- manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+- manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+- manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
++ files_list_pids($1)
++ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+ ')
+diff --git a/nslcd.te b/nslcd.te
+index 01594c8..bcc61b5 100644
+--- a/nslcd.te
++++ b/nslcd.te
+@@ -16,15 +16,15 @@ type nslcd_var_run_t;
+ files_pid_file(nslcd_var_run_t)
+
+ type nslcd_conf_t;
+-files_type(nslcd_conf_t)
++files_config_file(nslcd_conf_t)
+
+ ########################################
+ #
+ # nslcd local policy
+ #
+
+-allow nslcd_t self:capability { setgid setuid dac_override };
+-allow nslcd_t self:process signal;
++allow nslcd_t self:capability { dac_override setgid setuid sys_nice };
++allow nslcd_t self:process { setsched signal };
+ allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow nslcd_t nslcd_conf_t:file read_file_perms;
+@@ -42,13 +42,21 @@ corenet_tcp_connect_ldap_port(nslcd_t)
+ corenet_sendrecv_ldap_client_packets(nslcd_t)
+
+ files_read_etc_files(nslcd_t)
++files_read_usr_symlinks(nslcd_t)
++files_list_tmp(nslcd_t)
+
+ auth_use_nsswitch(nslcd_t)
+
+ logging_send_syslog_msg(nslcd_t)
+
+-miscfiles_read_localization(nslcd_t)
++
++userdom_read_user_tmp_files(nslcd_t)
++
++optional_policy(`
++ dirsrv_stream_connect(nslcd_t)
++')
+
+ optional_policy(`
+ ldap_stream_connect(nslcd_t)
+ ')
++
+diff --git a/nsplugin.fc b/nsplugin.fc
+new file mode 100644
+index 0000000..22e6c96
+--- /dev/null
++++ b/nsplugin.fc
+@@ -0,0 +1,11 @@
++HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
++HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
++HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
++HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
++HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
++
++/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
++/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
++/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
++/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
++/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
+diff --git a/nsplugin.if b/nsplugin.if
+new file mode 100644
+index 0000000..fce899a
+--- /dev/null
++++ b/nsplugin.if
+@@ -0,0 +1,472 @@
++
++## policy for nsplugin
++
++########################################
++##
++## Create, read, write, and delete
++## nsplugin rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nsplugin_manage_rw_files',`
++ gen_require(`
++ type nsplugin_rw_t;
++ ')
++
++ allow $1 nsplugin_rw_t:file manage_file_perms;
++ allow $1 nsplugin_rw_t:dir rw_dir_perms;
++')
++
++########################################
++##
++## Manage nsplugin rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nsplugin_manage_rw',`
++ gen_require(`
++ type nsplugin_rw_t;
++ ')
++
++ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
++ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
++ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
++')
++
++#######################################
++##
++## The per role template for the nsplugin module.
++##
++##
++##
++## The role associated with the user domain.
++##
++##
++##
++##
++## The type of the user domain.
++##
++##
++#
++interface(`nsplugin_role_notrans',`
++ gen_require(`
++ type nsplugin_rw_t;
++ type nsplugin_home_t;
++ type nsplugin_exec_t;
++ type nsplugin_config_exec_t;
++ type nsplugin_t;
++ type nsplugin_config_t;
++ class x_drawable all_x_drawable_perms;
++ class x_resource all_x_resource_perms;
++ class dbus send_msg;
++ ')
++
++ role $1 types nsplugin_t;
++ role $1 types nsplugin_config_t;
++
++ allow nsplugin_t $2:process signull;
++ allow nsplugin_t $2:dbus send_msg;
++ allow $2 nsplugin_t:dbus send_msg;
++
++ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
++ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
++ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
++ can_exec($2, nsplugin_rw_t)
++
++ #Leaked File Descriptors
++ifdef(`hide_broken_symptoms', `
++ dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
++')
++ allow nsplugin_t $2:unix_stream_socket connectto;
++ dontaudit nsplugin_t $2:process ptrace;
++ allow nsplugin_t $2:sem rw_sem_perms;
++ allow nsplugin_t $2:shm rw_shm_perms;
++ dontaudit nsplugin_t $2:shm destroy;
++ allow $2 nsplugin_t:sem rw_sem_perms;
++
++ allow $2 nsplugin_t:process { getattr signal_perms };
++ allow $2 nsplugin_t:unix_stream_socket connectto;
++
++ # Connect to pulseaudit server
++ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
++ gnome_stream_connect(nsplugin_t, $2)
++
++ userdom_use_inherited_user_terminals(nsplugin_t)
++ userdom_use_inherited_user_terminals(nsplugin_config_t)
++ userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
++ userdom_manage_tmpfs_role($1, nsplugin_t)
++
++ optional_policy(`
++ pulseaudio_role($1, nsplugin_t)
++ ')
++')
++
++#######################################
++##
++## Role access for nsplugin
++##
++##
++##
++## The role associated with the user domain.
++##
++##
++##
++##
++## The type of the user domain.
++##
++##
++#
++interface(`nsplugin_role',`
++ gen_require(`
++ type nsplugin_exec_t;
++ type nsplugin_config_exec_t;
++ type nsplugin_t;
++ type nsplugin_config_t;
++ ')
++
++ nsplugin_role_notrans($1, $2)
++
++ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
++ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
++
++')
++
++#######################################
++##
++## The per role template for the nsplugin module.
++##
++##
++##
++## The type of the user domain.
++##
++##
++#
++interface(`nsplugin_domtrans',`
++ gen_require(`
++ type nsplugin_exec_t;
++ type nsplugin_t;
++ ')
++
++ domtrans_pattern($1, nsplugin_exec_t, nsplugin_t)
++ allow $1 nsplugin_t:unix_stream_socket connectto;
++ allow nsplugin_t $1:process signal;
++')
++
++#######################################
++##
++## The per role template for the nsplugin module.
++##
++##
++##
++## The type of the user domain.
++##
++##
++#
++interface(`nsplugin_domtrans_config',`
++ gen_require(`
++ type nsplugin_config_exec_t;
++ type nsplugin_config_t;
++ ')
++
++ domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t)
++')
++
++########################################
++##
++## Search nsplugin rw directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nsplugin_search_rw_dir',`
++ gen_require(`
++ type nsplugin_rw_t;
++ ')
++
++ allow $1 nsplugin_rw_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Read nsplugin rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nsplugin_read_rw_files',`
++ gen_require(`
++ type nsplugin_rw_t;
++ ')
++
++ list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
++ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
++ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
++')
++
++########################################
++##
++## Read nsplugin home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nsplugin_read_home',`
++ gen_require(`
++ type nsplugin_home_t;
++ ')
++
++ list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
++ read_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
++ read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
++')
++
++########################################
++##
++## Exec nsplugin rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nsplugin_rw_exec',`
++ gen_require(`
++ type nsplugin_rw_t;
++ ')
++
++ can_exec($1, nsplugin_rw_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## nsplugin home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nsplugin_manage_home_files',`
++ gen_require(`
++ type nsplugin_home_t;
++ ')
++
++ manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
++')
++
++########################################
++##
++## manage nnsplugin home dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nsplugin_manage_home_dirs',`
++ gen_require(`
++ type nsplugin_home_t;
++ ')
++
++ manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
++')
++
++########################################
++##
++## Allow attempts to read and write to
++## nsplugin named pipes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`nsplugin_rw_pipes',`
++ gen_require(`
++ type nsplugin_home_t;
++ ')
++
++ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
++')
++
++########################################
++##
++## Read and write to nsplugin shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nsplugin_rw_shm',`
++ gen_require(`
++ type nsplugin_t;
++ ')
++
++ allow $1 nsplugin_t:shm rw_shm_perms;
++')
++
++#####################################
++##
++## Allow read and write access to nsplugin semaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nsplugin_rw_semaphores',`
++ gen_require(`
++ type nsplugin_t;
++ ')
++
++ allow $1 nsplugin_t:sem rw_sem_perms;
++')
++
++########################################
++##
++## Execute nsplugin_exec_t
++## in the specified domain.
++##
++##
++##
++## Execute a nsplugin_exec_t
++## in the specified domain.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`nsplugin_exec_domtrans',`
++ gen_require(`
++ type nsplugin_exec_t;
++ ')
++
++ allow $2 nsplugin_exec_t:file entrypoint;
++ domtrans_pattern($1, nsplugin_exec_t, $2)
++')
++
++########################################
++##
++## Send generic signals to user nsplugin processes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nsplugin_signal',`
++ gen_require(`
++ type nsplugin_t;
++ ')
++
++ allow $1 nsplugin_t:process signal;
++')
++
++########################################
++##
++## Create objects in a user home directory
++## with an automatic type transition to
++## the nsplugin home file type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++#
++interface(`nsplugin_user_home_dir_filetrans',`
++ gen_require(`
++ type nsplugin_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2)
++')
++
++#######################################
++##
++## Create objects in a user home directory
++## with an automatic type transition to
++## the nsplugin home file type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++#
++interface(`nsplugin_user_home_filetrans',`
++ gen_require(`
++ type nsplugin_home_t;
++ ')
++
++ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2)
++')
++
++########################################
++##
++## Send signull signal to nsplugin
++## processes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nsplugin_signull',`
++ gen_require(`
++ type nsplugin_t;
++ ')
++
++ allow $1 nsplugin_t:process signull;
++')
+diff --git a/nsplugin.te b/nsplugin.te
+new file mode 100644
+index 0000000..a333e40
+--- /dev/null
++++ b/nsplugin.te
+@@ -0,0 +1,323 @@
++policy_module(nsplugin, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##
++## Allow nsplugin code to execmem/execstack
++##
++##
++gen_tunable(nsplugin_execmem, false)
++
++##
++##
++## Allow nsplugin code to connect to unreserved ports
++##
++##
++gen_tunable(nsplugin_can_network, true)
++
++type nsplugin_exec_t;
++application_executable_file(nsplugin_exec_t)
++
++type nsplugin_config_exec_t;
++application_executable_file(nsplugin_config_exec_t)
++
++type nsplugin_rw_t;
++files_poly_member(nsplugin_rw_t)
++files_type(nsplugin_rw_t)
++
++type nsplugin_tmp_t;
++files_tmp_file(nsplugin_tmp_t)
++
++type nsplugin_home_t;
++files_poly_member(nsplugin_home_t)
++userdom_user_home_content(nsplugin_home_t)
++typealias nsplugin_home_t alias user_nsplugin_home_t;
++
++type nsplugin_t;
++application_domain(nsplugin_t, nsplugin_exec_t)
++
++type nsplugin_config_t;
++domain_type(nsplugin_config_t)
++domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
++
++application_executable_file(nsplugin_exec_t)
++application_executable_file(nsplugin_config_exec_t)
++
++
++########################################
++#
++# nsplugin local policy
++#
++dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
++allow nsplugin_t self:fifo_file rw_file_perms;
++allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
++
++allow nsplugin_t self:sem create_sem_perms;
++allow nsplugin_t self:shm create_shm_perms;
++allow nsplugin_t self:msgq create_msgq_perms;
++allow nsplugin_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
++allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms };
++allow nsplugin_t self:tcp_socket create_stream_socket_perms;
++allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
++read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
++read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
++
++tunable_policy(`nsplugin_execmem',`
++ allow nsplugin_t self:process { execstack execmem };
++ allow nsplugin_config_t self:process { execstack execmem };
++')
++
++tunable_policy(`nsplugin_can_network',`
++ corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
++ corenet_tcp_connect_all_ephemeral_ports(nsplugin_t)
++')
++
++manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
++userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
++userdom_dontaudit_getattr_user_home_content(nsplugin_t)
++userdom_dontaudit_search_user_bin_dirs(nsplugin_t)
++userdom_dontaudit_write_user_home_content_files(nsplugin_t)
++userdom_dontaudit_search_admin_dir(nsplugin_t)
++
++corecmd_exec_bin(nsplugin_t)
++corecmd_exec_shell(nsplugin_t)
++
++corenet_all_recvfrom_netlabel(nsplugin_t)
++corenet_tcp_connect_flash_port(nsplugin_t)
++corenet_tcp_connect_streaming_port(nsplugin_t)
++corenet_tcp_connect_pulseaudio_port(nsplugin_t)
++corenet_tcp_connect_http_port(nsplugin_t)
++corenet_tcp_connect_http_cache_port(nsplugin_t)
++corenet_tcp_connect_squid_port(nsplugin_t)
++corenet_tcp_sendrecv_generic_if(nsplugin_t)
++corenet_tcp_sendrecv_generic_node(nsplugin_t)
++corenet_tcp_connect_ipp_port(nsplugin_t)
++corenet_tcp_connect_speech_port(nsplugin_t)
++
++domain_dontaudit_read_all_domains_state(nsplugin_t)
++
++dev_read_urand(nsplugin_t)
++dev_read_rand(nsplugin_t)
++dev_read_sound(nsplugin_t)
++dev_write_sound(nsplugin_t)
++dev_read_video_dev(nsplugin_t)
++dev_write_video_dev(nsplugin_t)
++dev_getattr_dri_dev(nsplugin_t)
++dev_getattr_mouse_dev(nsplugin_t)
++dev_rwx_zero(nsplugin_t)
++dev_read_sysfs(nsplugin_t)
++dev_dontaudit_getattr_all(nsplugin_t)
++
++kernel_read_kernel_sysctls(nsplugin_t)
++kernel_read_system_state(nsplugin_t)
++kernel_read_network_state(nsplugin_t)
++
++files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
++files_dontaudit_list_home(nsplugin_t)
++files_read_usr_files(nsplugin_t)
++files_read_config_files(nsplugin_t)
++
++fs_getattr_tmpfs(nsplugin_t)
++fs_getattr_xattr_fs(nsplugin_t)
++fs_search_auto_mountpoints(nsplugin_t)
++fs_rw_anon_inodefs_files(nsplugin_t)
++fs_list_inotifyfs(nsplugin_t)
++fs_dontaudit_list_fusefs(nsplugin_t)
++
++storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
++storage_dontaudit_getattr_removable_dev(nsplugin_t)
++
++term_dontaudit_getattr_all_ptys(nsplugin_t)
++term_dontaudit_getattr_all_ttys(nsplugin_t)
++
++auth_use_nsswitch(nsplugin_t)
++
++libs_exec_ld_so(nsplugin_t)
++
++miscfiles_read_fonts(nsplugin_t)
++miscfiles_dontaudit_write_fonts(nsplugin_t)
++miscfiles_setattr_fonts_cache_dirs(nsplugin_t)
++
++userdom_manage_user_tmp_dirs(nsplugin_t)
++userdom_manage_user_tmp_files(nsplugin_t)
++userdom_manage_user_tmp_sockets(nsplugin_t)
++userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file })
++userdom_rw_semaphores(nsplugin_t)
++userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t)
++
++userdom_read_user_home_content_symlinks(nsplugin_t)
++userdom_read_user_home_content_files(nsplugin_t)
++userdom_read_user_tmp_files(nsplugin_t)
++userdom_write_user_tmp_sockets(nsplugin_t)
++userdom_dontaudit_append_user_home_content_files(nsplugin_t)
++userdom_read_home_audio_files(nsplugin_t)
++
++optional_policy(`
++ alsa_read_rw_config(nsplugin_t)
++ alsa_read_home_files(nsplugin_t)
++')
++
++optional_policy(`
++ chrome_dontaudit_sandbox_leaks(nsplugin_t)
++')
++
++optional_policy(`
++ cups_stream_connect(nsplugin_t)
++')
++
++optional_policy(`
++ dbus_session_bus_client(nsplugin_t)
++ dbus_connect_session_bus(nsplugin_t)
++ dbus_system_bus_client(nsplugin_t)
++')
++
++optional_policy(`
++ gnome_exec_gconf(nsplugin_t)
++ gnome_manage_config(nsplugin_t)
++ gnome_read_gconf_home_files(nsplugin_t)
++ gnome_read_usr_config(nsplugin_t)
++')
++
++optional_policy(`
++ gpm_getattr_gpmctl(nsplugin_t)
++')
++
++optional_policy(`
++ mozilla_exec_user_home_files(nsplugin_t)
++ mozilla_read_user_home_files(nsplugin_t)
++ mozilla_write_user_home_files(nsplugin_t)
++ mozilla_plugin_delete_tmpfs_files(nsplugin_t)
++')
++
++optional_policy(`
++ mplayer_exec(nsplugin_t)
++ mplayer_read_user_home_files(nsplugin_t)
++')
++
++optional_policy(`
++ sandbox_read_tmpfs_files(nsplugin_t)
++')
++
++optional_policy(`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++ xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
++ xserver_rw_shm(nsplugin_t)
++ xserver_read_xdm_pid(nsplugin_t)
++ xserver_read_xdm_tmp_files(nsplugin_t)
++ xserver_read_user_xauth(nsplugin_t)
++ xserver_read_user_iceauth(nsplugin_t)
++ xserver_use_user_fonts(nsplugin_t)
++ xserver_rw_inherited_user_fonts(nsplugin_t)
++')
++
++########################################
++#
++# nsplugin_config local policy
++#
++
++allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
++allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
++#execing pulseaudio
++dontaudit nsplugin_t self:process { getcap setcap };
++
++allow nsplugin_config_t self:fifo_file rw_file_perms;
++allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
++
++dev_search_sysfs(nsplugin_config_t)
++dev_read_urand(nsplugin_config_t)
++dev_dontaudit_read_rand(nsplugin_config_t)
++dev_dontaudit_rw_dri(nsplugin_config_t)
++
++fs_search_auto_mountpoints(nsplugin_config_t)
++fs_list_inotifyfs(nsplugin_config_t)
++
++can_exec(nsplugin_config_t, nsplugin_rw_t)
++manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
++manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
++manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
++
++manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
++manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
++manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
++
++corecmd_exec_bin(nsplugin_config_t)
++corecmd_exec_shell(nsplugin_config_t)
++
++kernel_read_system_state(nsplugin_config_t)
++kernel_request_load_module(nsplugin_config_t)
++
++domain_use_interactive_fds(nsplugin_config_t)
++
++files_read_usr_files(nsplugin_config_t)
++files_dontaudit_search_home(nsplugin_config_t)
++files_list_tmp(nsplugin_config_t)
++
++auth_use_nsswitch(nsplugin_config_t)
++
++miscfiles_read_fonts(nsplugin_config_t)
++
++userdom_search_user_home_content(nsplugin_config_t)
++userdom_read_user_home_content_symlinks(nsplugin_config_t)
++userdom_read_user_home_content_files(nsplugin_config_t)
++userdom_dontaudit_search_admin_dir(nsplugin_config_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_getattr_nfs(nsplugin_t)
++ fs_manage_nfs_dirs(nsplugin_t)
++ fs_manage_nfs_files(nsplugin_t)
++ fs_manage_nfs_symlinks(nsplugin_t)
++ fs_manage_nfs_named_pipes(nsplugin_t)
++ fs_manage_nfs_dirs(nsplugin_config_t)
++ fs_manage_nfs_files(nsplugin_config_t)
++ fs_manage_nfs_named_pipes(nsplugin_config_t)
++ fs_manage_nfs_symlinks(nsplugin_config_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_getattr_cifs(nsplugin_t)
++ fs_manage_cifs_dirs(nsplugin_t)
++ fs_manage_cifs_files(nsplugin_t)
++ fs_manage_cifs_symlinks(nsplugin_t)
++ fs_manage_cifs_named_pipes(nsplugin_t)
++ fs_manage_cifs_dirs(nsplugin_config_t)
++ fs_manage_cifs_files(nsplugin_config_t)
++ fs_manage_cifs_named_pipes(nsplugin_config_t)
++ fs_manage_cifs_symlinks(nsplugin_config_t)
++')
++
++domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
++
++optional_policy(`
++ xserver_use_user_fonts(nsplugin_config_t)
++')
++
++optional_policy(`
++ mozilla_read_user_home_files(nsplugin_config_t)
++ mozilla_write_user_home_files(nsplugin_config_t)
++')
++
++application_signull(nsplugin_t)
++
++optional_policy(`
++ devicekit_dbus_chat_power(nsplugin_t)
++')
++
++optional_policy(`
++ pulseaudio_exec(nsplugin_t)
++ pulseaudio_stream_connect(nsplugin_t)
++ pulseaudio_manage_home_files(nsplugin_t)
++ pulseaudio_setattr_home_dir(nsplugin_t)
++')
+diff --git a/ntop.te b/ntop.te
+index ded9fb6..6b11681 100644
+--- a/ntop.te
++++ b/ntop.te
+@@ -63,7 +63,6 @@ kernel_read_kernel_sysctls(ntop_t)
+ kernel_list_proc(ntop_t)
+ kernel_read_proc_symlinks(ntop_t)
+
+-corenet_all_recvfrom_unlabeled(ntop_t)
+ corenet_all_recvfrom_netlabel(ntop_t)
+ corenet_tcp_sendrecv_generic_if(ntop_t)
+ corenet_udp_sendrecv_generic_if(ntop_t)
+@@ -85,7 +84,6 @@ dev_rw_generic_usb_dev(ntop_t)
+
+ domain_use_interactive_fds(ntop_t)
+
+-files_read_etc_files(ntop_t)
+ files_read_usr_files(ntop_t)
+
+ fs_getattr_all_fs(ntop_t)
+@@ -95,7 +93,6 @@ auth_use_nsswitch(ntop_t)
+
+ logging_send_syslog_msg(ntop_t)
+
+-miscfiles_read_localization(ntop_t)
+ miscfiles_read_fonts(ntop_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(ntop_t)
+diff --git a/ntp.fc b/ntp.fc
+index e79dccc..2a3c6af 100644
+--- a/ntp.fc
++++ b/ntp.fc
+@@ -10,10 +10,14 @@
+
+ /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
++
+ /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+ /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
++/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
+ /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
++/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+
+ /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+ /var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
+diff --git a/ntp.if b/ntp.if
+index e80f8c0..0044e73 100644
+--- a/ntp.if
++++ b/ntp.if
+@@ -98,6 +98,48 @@ interface(`ntp_initrc_domtrans',`
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+ ')
+
++#####################################
++##
++## Allow domain to read ntpd systemd unit files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ntp_read_unit_file',`
++ gen_require(`
++ type ntpd_unit_file_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 ntpd_unit_file_t:file read_file_perms;
++')
++
++########################################
++##
++## Execute ntpd server in the ntpd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ntp_systemctl',`
++ gen_require(`
++ type ntpd_unit_file_t;
++ type ntpd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 ntpd_unit_file_t:file read_file_perms;
++ allow $1 ntpd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, ntpd_t)
++')
++
+ ########################################
+ ##
+ ## Read and write ntpd shared memory.
+@@ -122,6 +164,25 @@ interface(`ntp_rw_shm',`
+
+ ########################################
+ ##
++## Allow the domain to read ntpd state files in /proc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ntp_read_state',`
++ gen_require(`
++ type ntpd_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, ntpd_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an ntp environment
+ ##
+@@ -140,12 +201,15 @@ interface(`ntp_rw_shm',`
+ interface(`ntp_admin',`
+ gen_require(`
+ type ntpd_t, ntpd_tmp_t, ntpd_log_t;
+- type ntpd_key_t, ntpd_var_run_t;
+- type ntpd_initrc_exec_t;
++ type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
++ type ntpd_unit_file_t;
+ ')
+
+- allow $1 ntpd_t:process { ptrace signal_perms getattr };
++ allow $1 ntpd_t:process signal_perms;
+ ps_process_pattern($1, ntpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ntpd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -162,4 +226,8 @@ interface(`ntp_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, ntpd_var_run_t)
++
++ ntp_systemctl($1)
++ admin_pattern($1, ntpd_unit_file_t)
++ allow $1 ntpd_unit_file_t:service all_service_perms;
+ ')
+diff --git a/ntp.te b/ntp.te
+index c61adc8..cb20a9d 100644
+--- a/ntp.te
++++ b/ntp.te
+@@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t)
+ type ntpd_initrc_exec_t;
+ init_script_file(ntpd_initrc_exec_t)
+
++type ntpd_unit_file_t;
++systemd_unit_file(ntpd_unit_file_t)
++
+ type ntpd_key_t;
+ files_type(ntpd_key_t)
+
+@@ -50,6 +53,7 @@ allow ntpd_t self:unix_stream_socket create_socket_perms;
+ allow ntpd_t self:tcp_socket create_stream_socket_perms;
+ allow ntpd_t self:udp_socket create_socket_perms;
+
++manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+
+ can_exec(ntpd_t, ntpd_exec_t)
+@@ -78,7 +82,6 @@ kernel_read_system_state(ntpd_t)
+ kernel_read_network_state(ntpd_t)
+ kernel_request_load_module(ntpd_t)
+
+-corenet_all_recvfrom_unlabeled(ntpd_t)
+ corenet_all_recvfrom_netlabel(ntpd_t)
+ corenet_tcp_sendrecv_generic_if(ntpd_t)
+ corenet_udp_sendrecv_generic_if(ntpd_t)
+@@ -96,11 +99,15 @@ corenet_sendrecv_ntp_client_packets(ntpd_t)
+ dev_read_sysfs(ntpd_t)
+ # for SSP
+ dev_read_urand(ntpd_t)
++dev_rw_realtime_clock(ntpd_t)
+
+ fs_getattr_all_fs(ntpd_t)
+ fs_search_auto_mountpoints(ntpd_t)
++# Necessary to communicate with gpsd devices
++fs_rw_tmpfs_files(ntpd_t)
+
+ term_use_ptmx(ntpd_t)
++term_use_unallocated_ttys(ntpd_t)
+
+ auth_use_nsswitch(ntpd_t)
+
+@@ -110,7 +117,6 @@ corecmd_exec_shell(ntpd_t)
+ domain_use_interactive_fds(ntpd_t)
+ domain_dontaudit_list_all_domains_state(ntpd_t)
+
+-files_read_etc_files(ntpd_t)
+ files_read_etc_runtime_files(ntpd_t)
+ files_read_usr_files(ntpd_t)
+ files_list_var_lib(ntpd_t)
+@@ -119,7 +125,6 @@ init_exec_script_files(ntpd_t)
+
+ logging_send_syslog_msg(ntpd_t)
+
+-miscfiles_read_localization(ntpd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
+ userdom_list_user_home_dirs(ntpd_t)
+diff --git a/numad.fc b/numad.fc
+new file mode 100644
+index 0000000..1f97624
+--- /dev/null
++++ b/numad.fc
+@@ -0,0 +1,7 @@
++/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0)
++
++/usr/lib/systemd/system/numad.* -- gen_context(system_u:object_r:numad_unit_file_t,s0)
++
++/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_var_log_t,s0)
++
++/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
+diff --git a/numad.if b/numad.if
+new file mode 100644
+index 0000000..709dda1
+--- /dev/null
++++ b/numad.if
+@@ -0,0 +1,72 @@
++
++## policy for numad
++
++########################################
++##
++## Transition to numad.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`numad_domtrans',`
++ gen_require(`
++ type numad_t, numad_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, numad_exec_t, numad_t)
++')
++########################################
++##
++## Execute numad server in the numad domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`numad_systemctl',`
++ gen_require(`
++ type numad_t;
++ type numad_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 numad_unit_file_t:file read_file_perms;
++ allow $1 numad_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, numad_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an numad environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`numad_admin',`
++ gen_require(`
++ type numad_t;
++ type numad_unit_file_t;
++ ')
++
++ allow $1 numad_t:process { ptrace signal_perms };
++ ps_process_pattern($1, numad_t)
++
++ numad_systemctl($1)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/numad.te b/numad.te
+new file mode 100644
+index 0000000..c2d4196
+--- /dev/null
++++ b/numad.te
+@@ -0,0 +1,46 @@
++policy_module(numad, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type numad_t;
++type numad_exec_t;
++init_daemon_domain(numad_t, numad_exec_t)
++
++type numad_unit_file_t;
++systemd_unit_file(numad_unit_file_t)
++
++type numad_var_log_t;
++logging_log_file(numad_var_log_t)
++
++type numad_var_run_t;
++files_pid_file(numad_var_run_t)
++
++########################################
++#
++# numad local policy
++#
++
++allow numad_t self:process { fork };
++allow numad_t self:fifo_file rw_fifo_file_perms;
++allow numad_t self:msgq create_msgq_perms;
++allow numad_t self:msg { send receive };
++allow numad_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t)
++logging_log_filetrans(numad_t, numad_var_log_t, { file })
++
++manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
++files_pid_filetrans(numad_t, numad_var_run_t, { file })
++
++kernel_read_system_state(numad_t)
++
++dev_read_sysfs(numad_t)
++
++domain_use_interactive_fds(numad_t)
++
++files_read_etc_files(numad_t)
++
++fs_search_cgroup_dirs(numad_t)
+diff --git a/nut.fc b/nut.fc
+index 0a929ef..371119d 100644
+--- a/nut.fc
++++ b/nut.fc
+@@ -3,6 +3,7 @@
+ /sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+
+ /usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
++/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+ /usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+
+ /var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
+diff --git a/nut.te b/nut.te
+index ff962dd..7c6ea74 100644
+--- a/nut.te
++++ b/nut.te
+@@ -29,6 +29,7 @@ files_pid_file(nut_var_run_t)
+ #
+
+ allow nut_upsd_t self:capability { setgid setuid dac_override };
++allow nut_upsd_t self:process signal_perms;
+
+ allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
+@@ -55,7 +56,6 @@ auth_use_nsswitch(nut_upsd_t)
+
+ logging_send_syslog_msg(nut_upsd_t)
+
+-miscfiles_read_localization(nut_upsd_t)
+
+ ########################################
+ #
+@@ -100,7 +100,6 @@ logging_send_syslog_msg(nut_upsmon_t)
+
+ auth_use_nsswitch(nut_upsmon_t)
+
+-miscfiles_read_localization(nut_upsmon_t)
+
+ mta_send_mail(nut_upsmon_t)
+
+@@ -133,6 +132,7 @@ kernel_read_kernel_sysctls(nut_upsdrvctl_t)
+ # /sbin/upsdrvctl executes other drivers
+ corecmd_exec_bin(nut_upsdrvctl_t)
+
++dev_read_sysfs(nut_upsdrvctl_t)
+ dev_read_urand(nut_upsdrvctl_t)
+ dev_rw_generic_usb_dev(nut_upsdrvctl_t)
+
+@@ -144,7 +144,6 @@ init_sigchld(nut_upsdrvctl_t)
+
+ logging_send_syslog_msg(nut_upsdrvctl_t)
+
+-miscfiles_read_localization(nut_upsdrvctl_t)
+
+ #######################################
+ #
+@@ -157,7 +156,6 @@ optional_policy(`
+
+ read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
+
+- corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
+ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+diff --git a/nx.if b/nx.if
+index 79a225c..d82b231 100644
+--- a/nx.if
++++ b/nx.if
+@@ -33,8 +33,10 @@ interface(`nx_read_home_files',`
+ type nx_server_home_ssh_t, nx_server_var_lib_t;
+ ')
+
++ files_search_var_lib($1)
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
++ read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+ ')
+
+ ########################################
+@@ -52,6 +54,7 @@ interface(`nx_search_var_lib',`
+ type nx_server_var_lib_t;
+ ')
+
++ files_search_var_lib($1)
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+ ')
+
+@@ -81,5 +84,24 @@ interface(`nx_var_lib_filetrans',`
+ type nx_server_var_lib_t;
+ ')
+
++ files_search_var_lib($1)
+ filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
+ ')
++
++########################################
++##
++## Transition to nx named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nx_filetrans_named_content',`
++ gen_require(`
++ type nx_server_home_ssh_t, nx_server_var_lib_t;
++ ')
++
++ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
++')
+diff --git a/nx.te b/nx.te
+index 58e2972..4633dd2 100644
+--- a/nx.te
++++ b/nx.te
+@@ -28,6 +28,9 @@ files_type(nx_server_var_lib_t)
+ type nx_server_var_run_t;
+ files_pid_file(nx_server_var_run_t)
+
++type nx_server_home_ssh_t;
++files_type(nx_server_home_ssh_t)
++
+ ########################################
+ #
+ # NX server local policy
+@@ -37,7 +40,7 @@ allow nx_server_t self:fifo_file rw_fifo_file_perms;
+ allow nx_server_t self:tcp_socket create_socket_perms;
+ allow nx_server_t self:udp_socket create_socket_perms;
+
+-allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
++allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty(nx_server_t, nx_server_devpts_t)
+
+ manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
+@@ -51,6 +54,9 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
+ manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
+ files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
+
++manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
++manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
++
+ kernel_read_system_state(nx_server_t)
+ kernel_read_kernel_sysctls(nx_server_t)
+
+@@ -58,7 +64,6 @@ kernel_read_kernel_sysctls(nx_server_t)
+ corecmd_exec_shell(nx_server_t)
+ corecmd_exec_bin(nx_server_t)
+
+-corenet_all_recvfrom_unlabeled(nx_server_t)
+ corenet_all_recvfrom_netlabel(nx_server_t)
+ corenet_tcp_sendrecv_generic_if(nx_server_t)
+ corenet_udp_sendrecv_generic_if(nx_server_t)
+@@ -77,10 +82,6 @@ files_read_etc_runtime_files(nx_server_t)
+ # but users need to be able to also read the config
+ files_read_usr_files(nx_server_t)
+
+-miscfiles_read_localization(nx_server_t)
+-
+-seutil_dontaudit_search_config(nx_server_t)
+-
+ sysnet_read_config(nx_server_t)
+
+ ifdef(`TODO',`
+diff --git a/oav.fc b/oav.fc
+index 0a66474..cf90b6e 100644
+--- a/oav.fc
++++ b/oav.fc
+@@ -6,4 +6,4 @@
+
+ /var/lib/oav-virussignatures -- gen_context(system_u:object_r:oav_update_var_lib_t,s0)
+ /var/lib/oav-update(/.*)? gen_context(system_u:object_r:oav_update_var_lib_t,s0)
+-/var/log/scannerdaemon\.log -- gen_context(system_u:object_r:scannerdaemon_log_t,s0)
++/var/log/scannerdaemon\.log.* -- gen_context(system_u:object_r:scannerdaemon_log_t,s0)
+diff --git a/oav.te b/oav.te
+index b4c5f86..9ecd4a3 100644
+--- a/oav.te
++++ b/oav.te
+@@ -48,7 +48,6 @@ read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
+
+ corecmd_exec_all_executables(oav_update_t)
+
+-corenet_all_recvfrom_unlabeled(oav_update_t)
+ corenet_all_recvfrom_netlabel(oav_update_t)
+ corenet_tcp_sendrecv_generic_if(oav_update_t)
+ corenet_udp_sendrecv_generic_if(oav_update_t)
+@@ -66,7 +65,7 @@ logging_send_syslog_msg(oav_update_t)
+
+ sysnet_read_config(oav_update_t)
+
+-userdom_use_user_terminals(oav_update_t)
++userdom_use_inherited_user_terminals(oav_update_t)
+
+ optional_policy(`
+ cron_system_entry(oav_update_t, oav_update_exec_t)
+@@ -101,7 +100,6 @@ kernel_read_kernel_sysctls(scannerdaemon_t)
+ # Can run kaffe
+ corecmd_exec_all_executables(scannerdaemon_t)
+
+-corenet_all_recvfrom_unlabeled(scannerdaemon_t)
+ corenet_all_recvfrom_netlabel(scannerdaemon_t)
+ corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
+ corenet_udp_sendrecv_generic_if(scannerdaemon_t)
+@@ -130,7 +128,6 @@ libs_exec_lib_files(scannerdaemon_t)
+
+ logging_send_syslog_msg(scannerdaemon_t)
+
+-miscfiles_read_localization(scannerdaemon_t)
+
+ sysnet_read_config(scannerdaemon_t)
+
+diff --git a/obex.fc b/obex.fc
+new file mode 100644
+index 0000000..7b31529
+--- /dev/null
++++ b/obex.fc
+@@ -0,0 +1,3 @@
++
++
++/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
+diff --git a/obex.if b/obex.if
+new file mode 100644
+index 0000000..d3b9544
+--- /dev/null
++++ b/obex.if
+@@ -0,0 +1,77 @@
++## SELinux policy for obex-data-server
++
++########################################
++##
++## Transition to obex.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`obex_domtrans',`
++ gen_require(`
++ type obex_t, obex_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, obex_exec_t, obex_t)
++')
++
++########################################
++##
++## Send and receive messages from
++## obex over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`obex_dbus_chat',`
++ gen_require(`
++ type obex_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 obex_t:dbus send_msg;
++ allow obex_t $1:dbus send_msg;
++')
++
++#######################################
++##
++## Role access for obex domains
++## that executes via dbus-session
++##
++##
++##
++## The role associated with the user domain.
++##
++##
++##
++##
++## The type of the user domain.
++##
++##
++##
++##
++## User domain prefix to be used.
++##
++##
++#
++template(`obex_role',`
++ gen_require(`
++ type obex_t, obex_exec_t;
++ ')
++
++ role $1 types obex_t;
++
++ allow $2 obex_t:process signal_perms;
++ ps_process_pattern($2, obex_t)
++
++ dbus_session_domain($3, obex_exec_t, obex_t)
++
++ obex_dbus_chat($2)
++')
+diff --git a/obex.te b/obex.te
+new file mode 100644
+index 0000000..e9f259e
+--- /dev/null
++++ b/obex.te
+@@ -0,0 +1,37 @@
++policy_module(obex,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type obex_t;
++type obex_exec_t;
++application_domain(obex_t, obex_exec_t)
++ubac_constrained(obex_t)
++
++########################################
++#
++# obex local policy
++#
++
++allow obex_t self:fifo_file rw_fifo_file_perms;
++allow obex_t self:socket create_stream_socket_perms;
++
++dev_read_urand(obex_t)
++
++files_read_etc_files(obex_t)
++
++logging_send_syslog_msg(obex_t)
++
++
++userdom_search_user_home_content(obex_t)
++
++optional_policy(`
++ bluetooth_stream_connect(obex_t)
++ bluetooth_dbus_chat(obex_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(obex_t)
++')
+diff --git a/oddjob.fc b/oddjob.fc
+index 9c272c2..7e2287c 100644
+--- a/oddjob.fc
++++ b/oddjob.fc
+@@ -1,7 +1,7 @@
+ /usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
++/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
++/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+ /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+
+-/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+-
+ /var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
+diff --git a/oddjob.if b/oddjob.if
+index bd76ec2..dec6bc7 100644
+--- a/oddjob.if
++++ b/oddjob.if
+@@ -22,6 +22,25 @@ interface(`oddjob_domtrans',`
+ domtrans_pattern($1, oddjob_exec_t, oddjob_t)
+ ')
+
++#####################################
++##
++## Do not audit attempts to read and write
++## oddjob fifo file.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`oddjob_dontaudit_rw_fifo_file',`
++ gen_require(`
++ type oddjob_t;
++ ')
++
++ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
+ ########################################
+ ##
+ ## Make the specified program domain accessable
+@@ -44,6 +63,7 @@ interface(`oddjob_system_entry',`
+ ')
+
+ domtrans_pattern(oddjob_t, $2, $1)
++ domain_user_exemption_target($1)
+ ')
+
+ ########################################
+@@ -67,6 +87,24 @@ interface(`oddjob_dbus_chat',`
+ allow oddjob_t $1:dbus send_msg;
+ ')
+
++######################################
++##
++## Send a SIGCHLD signal to oddjob.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`oddjob_sigchld',`
++ gen_require(`
++ type oddjob_t;
++ ')
++
++ allow $1 oddjob_t:process sigchld;
++')
++
+ ########################################
+ ##
+ ## Execute a domain transition to run oddjob_mkhomedir.
+@@ -109,3 +147,41 @@ interface(`oddjob_run_mkhomedir',`
+ oddjob_domtrans_mkhomedir($1)
+ role $2 types oddjob_mkhomedir_t;
+ ')
++
++########################################
++##
++## Create a domain which can be started by init,
++## with a range transition.
++##
++##
++##
++## Type to be used as a domain.
++##
++##
++##
++##
++## Type of the program to be used as an entry point to this domain.
++##
++##
++##
++##
++## Range for the domain.
++##
++##
++#
++interface(`oddjob_ranged_domain',`
++ gen_require(`
++ type oddjob_t;
++ ')
++
++ oddjob_system_entry($1, $2)
++
++ ifdef(`enable_mcs',`
++ range_transition oddjob_t $2:process $3;
++ ')
++
++ ifdef(`enable_mls',`
++ range_transition oddjob_t $2:process $3;
++ mls_rangetrans_target($1)
++ ')
++')
+diff --git a/oddjob.te b/oddjob.te
+index a17ba31..467700e 100644
+--- a/oddjob.te
++++ b/oddjob.te
+@@ -51,9 +51,9 @@ mcs_process_set_categories(oddjob_t)
+
+ selinux_compute_create_context(oddjob_t)
+
+-files_read_etc_files(oddjob_t)
+
+-miscfiles_read_localization(oddjob_t)
++auth_use_nsswitch(oddjob_t)
++
+
+ locallogin_dontaudit_use_fds(oddjob_t)
+
+@@ -78,13 +78,10 @@ allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+
+ kernel_read_system_state(oddjob_mkhomedir_t)
+
+-files_read_etc_files(oddjob_mkhomedir_t)
+-
+ auth_use_nsswitch(oddjob_mkhomedir_t)
+
+ logging_send_syslog_msg(oddjob_mkhomedir_t)
+
+-miscfiles_read_localization(oddjob_mkhomedir_t)
+
+ selinux_get_fs_mount(oddjob_mkhomedir_t)
+ selinux_validate_context(oddjob_mkhomedir_t)
+@@ -99,8 +96,9 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
+
+ # Add/remove user home directories
+ userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
+-userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+-userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
+ userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
+-userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
++userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
++userdom_manage_user_home_content(oddjob_mkhomedir_t)
++userdom_home_manager(oddjob_mkhomedir_t)
++userdom_stream_connect(oddjob_mkhomedir_t)
+
+diff --git a/oident.if b/oident.if
+index bb4fae5..4dfed8a 100644
+--- a/oident.if
++++ b/oident.if
+@@ -66,3 +66,40 @@ interface(`oident_relabel_user_content', `
+ allow $1 oidentd_home_t:file relabel_file_perms;
+ userdom_search_user_home_dirs($1)
+ ')
++
++########################################
++##
++## All of the rules required to administrate
++## an oident environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`oident_admin',`
++ gen_require(`
++ type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
++ ')
++
++ allow $1 oidentd_t:process signal_perms;
++ ps_process_pattern($1, oidentd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 oidentd_t:process ptrace;
++ ')
++
++ init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 oidentd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_etc($1)
++ admin_pattern($1, oidentd_config_t)
++')
+diff --git a/oident.te b/oident.te
+index 8845174..f7b073f 100644
+--- a/oident.te
++++ b/oident.te
+@@ -26,15 +26,14 @@ files_config_file(oidentd_config_t)
+ #
+
+ allow oidentd_t self:capability { setuid setgid };
+-allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+-allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
+-allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
+-allow oidentd_t self:udp_socket { write read create connect getattr ioctl };
++allow oidentd_t self:netlink_route_socket create_netlink_socket_perms;
++allow oidentd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++allow oidentd_t self:tcp_socket create_stream_socket_perms;
++allow oidentd_t self:udp_socket create_socket_perms;
+ allow oidentd_t self:unix_dgram_socket { create connect };
+
+ allow oidentd_t oidentd_config_t:file read_file_perms;
+
+-corenet_all_recvfrom_unlabeled(oidentd_t)
+ corenet_all_recvfrom_netlabel(oidentd_t)
+ corenet_tcp_sendrecv_generic_if(oidentd_t)
+ corenet_tcp_sendrecv_generic_node(oidentd_t)
+@@ -54,22 +53,7 @@ kernel_request_load_module(oidentd_t)
+
+ logging_send_syslog_msg(oidentd_t)
+
+-miscfiles_read_localization(oidentd_t)
+-
+ sysnet_read_config(oidentd_t)
+
+ oident_read_user_content(oidentd_t)
+-
+-optional_policy(`
+- nis_use_ypbind(oidentd_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs', `
+- fs_list_cifs(oidentd_t)
+- fs_read_cifs_files(oidentd_t)
+-')
+-
+-tunable_policy(`use_nfs_home_dirs', `
+- fs_list_nfs(oidentd_t)
+- fs_read_nfs_files(oidentd_t)
+-')
++userdom_home_reader(oidentd_t)
+diff --git a/openct.te b/openct.te
+index 7f8fdc2..bc14bc4 100644
+--- a/openct.te
++++ b/openct.te
+@@ -29,6 +29,8 @@ kernel_read_kernel_sysctls(openct_t)
+ kernel_list_proc(openct_t)
+ kernel_read_proc_symlinks(openct_t)
+
++can_exec(openct_t, openct_exec_t)
++
+ dev_read_sysfs(openct_t)
+ # openct asks for this
+ dev_rw_usbfs(openct_t)
+@@ -45,12 +47,12 @@ fs_search_auto_mountpoints(openct_t)
+
+ logging_send_syslog_msg(openct_t)
+
+-miscfiles_read_localization(openct_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(openct_t)
+ userdom_dontaudit_search_user_home_dirs(openct_t)
+
+-openct_exec(openct_t)
++optional_policy(`
++ pcscd_stream_connect(openct_t)
++')
+
+ optional_policy(`
+ seutil_sigchld_newrole(openct_t)
+diff --git a/openhpid.fc b/openhpid.fc
+new file mode 100644
+index 0000000..9441fd7
+--- /dev/null
++++ b/openhpid.fc
+@@ -0,0 +1,8 @@
++
++/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
++
++/usr/sbin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
++
++/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0)
++
++/var/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0)
+diff --git a/openhpid.if b/openhpid.if
+new file mode 100644
+index 0000000..598789a
+--- /dev/null
++++ b/openhpid.if
+@@ -0,0 +1,159 @@
++
++## policy for openhpid
++
++
++########################################
++##
++## Transition to openhpid.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`openhpid_domtrans',`
++ gen_require(`
++ type openhpid_t, openhpid_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, openhpid_exec_t, openhpid_t)
++')
++
++
++########################################
++##
++## Execute openhpid server in the openhpid domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openhpid_initrc_domtrans',`
++ gen_require(`
++ type openhpid_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
++')
++
++
++########################################
++##
++## Search openhpid lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openhpid_search_lib',`
++ gen_require(`
++ type openhpid_var_lib_t;
++ ')
++
++ allow $1 openhpid_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read openhpid lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openhpid_read_lib_files',`
++ gen_require(`
++ type openhpid_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
++')
++
++########################################
++##
++## Manage openhpid lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openhpid_manage_lib_files',`
++ gen_require(`
++ type openhpid_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
++')
++
++########################################
++##
++## Manage openhpid lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openhpid_manage_lib_dirs',`
++ gen_require(`
++ type openhpid_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an openhpid environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`openhpid_admin',`
++ gen_require(`
++ type openhpid_t;
++ type openhpid_initrc_exec_t;
++ type openhpid_var_lib_t;
++ ')
++
++ allow $1 openhpid_t:process { ptrace signal_perms };
++ ps_process_pattern($1, openhpid_t)
++
++ openhpid_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 openhpid_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_var_lib($1)
++ admin_pattern($1, openhpid_var_lib_t)
++
++
++
++')
++
+diff --git a/openhpid.te b/openhpid.te
+new file mode 100644
+index 0000000..c4ecca7
+--- /dev/null
++++ b/openhpid.te
+@@ -0,0 +1,51 @@
++policy_module(openhpid, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type openhpid_t;
++type openhpid_exec_t;
++init_daemon_domain(openhpid_t, openhpid_exec_t)
++
++type openhpid_initrc_exec_t;
++init_script_file(openhpid_initrc_exec_t)
++
++type openhpid_var_lib_t;
++files_type(openhpid_var_lib_t)
++
++type openhpid_var_run_t;
++files_pid_file(openhpid_var_run_t)
++
++########################################
++#
++# openhpid local policy
++#
++
++allow openhpid_t self:capability { kill };
++allow openhpid_t self:process { fork signal };
++
++allow openhpid_t self:fifo_file rw_fifo_file_perms;
++allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
++allow openhpid_t self:unix_stream_socket create_stream_socket_perms;
++allow openhpid_t self:tcp_socket create_stream_socket_perms;
++allow openhpid_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
++manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
++files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, { dir file })
++
++manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
++files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file })
++
++corenet_tcp_bind_generic_node(openhpid_t)
++corenet_tcp_bind_openhpid_port(openhpid_t)
++
++domain_use_interactive_fds(openhpid_t)
++
++dev_read_urand(openhpid_t)
++
++files_read_etc_files(openhpid_t)
++
++logging_send_syslog_msg(openhpid_t)
+diff --git a/openshift-origin.fc b/openshift-origin.fc
+new file mode 100644
+index 0000000..30ca148
+--- /dev/null
++++ b/openshift-origin.fc
+@@ -0,0 +1 @@
++# Left Blank
+diff --git a/openshift-origin.if b/openshift-origin.if
+new file mode 100644
+index 0000000..3eb6a30
+--- /dev/null
++++ b/openshift-origin.if
+@@ -0,0 +1 @@
++##
+diff --git a/openshift-origin.te b/openshift-origin.te
+new file mode 100644
+index 0000000..a437f80
+--- /dev/null
++++ b/openshift-origin.te
+@@ -0,0 +1,13 @@
++policy_module(openshift-origin,1.0.0)
++gen_require(`
++ attribute openshift_domain;
++')
++
++########################################
++#
++# openshift origin standard local policy
++#
++allow openshift_domain self:socket_class_set create_socket_perms;
++corenet_tcp_connect_all_ports(openshift_domain)
++corenet_tcp_bind_all_ports(openshift_domain)
++files_read_config_files(openshift_domain)
+diff --git a/openshift.fc b/openshift.fc
+new file mode 100644
+index 0000000..c9a5f74
+--- /dev/null
++++ b/openshift.fc
+@@ -0,0 +1,24 @@
++/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++
++/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
++/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
++/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
++/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
++
++/var/lib/stickshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
++/var/lib/stickshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
++/var/lib/openshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
++/var/lib/openshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
++
++/var/log/mcollective\.log -- gen_context(system_u:object_r:openshift_log_t,s0)
++
++/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
++
++/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
++/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++
++/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
++/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
+diff --git a/openshift.if b/openshift.if
+new file mode 100644
+index 0000000..6e20e72
+--- /dev/null
++++ b/openshift.if
+@@ -0,0 +1,644 @@
++
++## policy for openshift
++
++########################################
++##
++## Execute openshift server in the openshift domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`openshift_initrc_domtrans',`
++ gen_require(`
++ type openshift_initrc_t;
++ type openshift_initrc_exec_t;
++ ')
++
++ domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t)
++')
++
++########################################
++##
++## Send a null signal to openshift init scripts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_initrc_signull',`
++ gen_require(`
++ type openshift_initrc_t;
++ ')
++
++ allow $1 openshift_initrc_t:process signull;
++')
++
++#######################################
++##
++## Send a signal to openshift init scripts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_initrc_signal',`
++ gen_require(`
++ type openshift_initrc_t;
++ ')
++
++ allow $1 openshift_initrc_t:process signal;
++')
++
++########################################
++##
++## Send a signal to openshift init scripts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_initrc_signl',`
++ gen_require(`
++ type openshift_initrc_t;
++ ')
++
++ allow $1 openshift_initrc_t:process signal;
++')
++
++########################################
++##
++## Search openshift cache directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_search_cache',`
++ gen_require(`
++ type openshift_cache_t;
++ ')
++
++ allow $1 openshift_cache_t:dir search_dir_perms;
++ files_search_var($1)
++')
++
++########################################
++##
++## Read openshift cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_read_cache_files',`
++ gen_require(`
++ type openshift_cache_t;
++ ')
++
++ files_search_var($1)
++ read_files_pattern($1, openshift_cache_t, openshift_cache_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## openshift cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_manage_cache_files',`
++ gen_require(`
++ type openshift_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_files_pattern($1, openshift_cache_t, openshift_cache_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## openshift cache dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_manage_cache_dirs',`
++ gen_require(`
++ type openshift_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, openshift_cache_t, openshift_cache_t)
++')
++
++
++########################################
++##
++## Allow the specified domain to read openshift's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`openshift_read_log',`
++ gen_require(`
++ type openshift_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, openshift_log_t, openshift_log_t)
++')
++
++########################################
++##
++## Allow the specified domain to append
++## openshift log files.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`openshift_append_log',`
++ gen_require(`
++ type openshift_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, openshift_log_t, openshift_log_t)
++')
++
++########################################
++##
++## Allow domain to manage openshift log files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`openshift_manage_log',`
++ gen_require(`
++ type openshift_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, openshift_log_t, openshift_log_t)
++ manage_files_pattern($1, openshift_log_t, openshift_log_t)
++ manage_lnk_files_pattern($1, openshift_log_t, openshift_log_t)
++')
++
++########################################
++##
++## Search openshift lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_search_lib',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ allow $1 openshift_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read openshift lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_read_lib_files',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
++########################################
++##
++## Read openshift lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_append_lib_files',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ append_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## openshift lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_manage_lib_files',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
++########################################
++##
++## Manage openshift lib dirs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_manage_lib_dirs',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
++#######################################
++##
++## Create private objects in the
++## mail lib directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`openshift_lib_filetrans',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ filetrans_pattern($1, openshift_var_lib_t, $2, $3, $4)
++')
++
++########################################
++##
++## Read openshift PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_read_pid_files',`
++ gen_require(`
++ type openshift_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 openshift_var_run_t:file read_file_perms;
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an openshift environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`openshift_admin',`
++ gen_require(`
++ type openshift_t;
++ type openshift_initrc_exec_t;
++ type openshift_cache_t;
++ type openshift_log_t;
++ type openshift_var_lib_t;
++ type openshift_var_run_t;
++ ')
++
++ allow $1 openshift_t:process { ptrace signal_perms };
++ ps_process_pattern($1, openshift_t)
++
++ openshift_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 openshift_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_var($1)
++ admin_pattern($1, openshift_cache_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, openshift_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, openshift_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, openshift_var_run_t)
++
++')
++
++########################################
++##
++## Make the specified type usable as a openshift domain.
++##
++##
++##
++## The prefix of the domain (e.g., openshift
++## is the prefix for openshift_t).
++##
++##
++#
++template(`openshift_service_domain_template',`
++ gen_require(`
++ attribute openshift_domain;
++ attribute openshift_user_domain;
++ ')
++
++ type $1_t;
++ typeattribute $1_t openshift_domain, openshift_user_domain;
++ domain_type($1_t)
++ role system_r types $1_t;
++ mcs_untrusted_proc($1_t)
++ domain_user_exemption_target($1_t)
++ auth_use_nsswitch($1_t)
++ domain_subj_id_change_exemption($1_t)
++ domain_obj_id_change_exemption($1_t)
++ domain_dyntrans_type($1_t)
++
++ kernel_read_system_state($1_t)
++
++ logging_send_syslog_msg($1_t)
++
++ type $1_app_t;
++ typeattribute $1_app_t openshift_domain;
++ domain_type($1_app_t)
++ role system_r types $1_app_t;
++ mcs_untrusted_proc($1_app_t)
++ domain_user_exemption_target($1_app_t)
++ domain_obj_id_change_exemption($1_app_t)
++ domain_dyntrans_type($1_app_t)
++
++ kernel_read_system_state($1_app_t)
++
++ logging_send_syslog_msg($1_app_t)
++')
++
++########################################
++##
++## Make the specified type usable as a openshift domain.
++##
++##
++##
++## Type to be used as a openshift domain type.
++##
++##
++#
++template(`openshift_net_type',`
++ gen_require(`
++ attribute openshift_net_domain;
++ ')
++
++ typeattribute $1 openshift_net_domain;
++')
++
++########################################
++##
++## Read and write inherited openshift files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_rw_inherited_content',`
++ gen_require(`
++ attribute openshift_file_type;
++ ')
++
++ allow $1 openshift_file_type:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Manage openshift tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_manage_tmp_files',`
++ gen_require(`
++ type openshift_tmp_t;
++ ')
++
++ manage_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
++')
++
++########################################
++##
++## Manage openshift tmp sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_manage_tmp_sockets',`
++ gen_require(`
++ type openshift_tmp_t;
++ ')
++
++ manage_sock_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
++')
++
++########################################
++##
++## Mounton openshift tmp directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_mounton_tmp',`
++ gen_require(`
++ type openshift_tmp_t;
++ ')
++
++ allow $1 openshift_tmp_t:dir mounton;
++')
++
++########################################
++##
++## Dontaudit Read and write inherited script fifo files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_dontaudit_rw_inherited_fifo_files',`
++ gen_require(`
++ type openshift_initrc_t;
++ ')
++
++ dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
++## Allow calling app to transition to an openshift domain
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++#
++interface(`openshift_transition',`
++ gen_require(`
++ attribute openshift_user_domain;
++ ')
++
++ allow $1 openshift_user_domain:process transition;
++ dontaudit $1 openshift_user_domain:process { noatsecure siginh rlimitinh };
++ allow openshift_user_domain $1:fd use;
++ allow openshift_user_domain $1:fifo_file rw_inherited_fifo_file_perms;
++ allow openshift_user_domain $1:process sigchld;
++ dontaudit $1 openshift_user_domain:socket_class_set { read write };
++')
++
++########################################
++##
++## Allow calling app to transition to an openshift domain
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++#
++interface(`openshift_dyntransition',`
++ gen_require(`
++ attribute openshift_domain;
++ attribute openshift_user_domain;
++ ')
++
++ allow $1 openshift_user_domain:process dyntransition;
++ dontaudit openshift_user_domain $1:key view;
++ allow openshift_user_domain $1:unix_stream_socket { connectto rw_socket_perms };
++ allow openshift_user_domain $1:unix_dgram_socket rw_socket_perms;
++ allow $1 openshift_user_domain:process { rlimitinh signal };
++ dontaudit openshift_domain $1:tcp_socket { read write getattr setopt getopt shutdown };
++')
++
++########################################
++##
++## Execute openshift in the openshift domain, and
++## allow the specified role the openshift domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++#
++interface(`openshift_run',`
++ gen_require(`
++ type openshift_initrc_exec_t;
++ ')
++
++ openshift_initrc_domtrans($1)
++ role_transition $2 openshift_initrc_exec_t system_r;
++ openshift_transition($1)
++')
+diff --git a/openshift.te b/openshift.te
+new file mode 100644
+index 0000000..d97b009
+--- /dev/null
++++ b/openshift.te
+@@ -0,0 +1,383 @@
++policy_module(openshift,1.0.0)
++
++gen_require(`
++ role system_r;
++')
++
++########################################
++#
++# Declarations
++#
++
++# openshift applications that can use the network.
++attribute openshift_net_domain;
++# Attribute representing all openshift user processes (excludes apache processes)
++attribute openshift_user_domain;
++# Attribute representing all openshift processes
++attribute openshift_domain;
++
++# Attribute for all openshift content
++attribute openshift_file_type;
++
++# Type of openshift init script
++type openshift_initrc_t;
++type openshift_initrc_exec_t;
++init_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t)
++init_ranged_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
++domain_obj_id_change_exemption(openshift_initrc_t)
++optional_policy(`
++ oddjob_ranged_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
++')
++
++
++type openshift_initrc_tmp_t;
++files_tmp_file(openshift_initrc_tmp_t)
++
++type openshift_tmpfs_t;
++files_tmpfs_file(openshift_tmpfs_t)
++
++type openshift_tmp_t, openshift_file_type;
++files_tmp_file(openshift_tmp_t)
++files_mountpoint(openshift_tmp_t)
++files_poly(openshift_tmp_t)
++files_poly_parent(openshift_tmp_t)
++
++type openshift_var_run_t;
++files_pid_file(openshift_var_run_t)
++
++type openshift_var_lib_t, openshift_file_type;
++files_poly(openshift_var_lib_t)
++files_poly_parent(openshift_var_lib_t)
++files_mountpoint(openshift_var_lib_t)
++
++type openshift_rw_file_t, openshift_file_type;
++files_poly(openshift_rw_file_t)
++files_poly_parent(openshift_rw_file_t)
++
++type openshift_log_t;
++logging_log_file(openshift_log_t)
++
++type openshift_port_t;
++corenet_port(openshift_port_t)
++corenet_reserved_port(openshift_port_t)
++
++type openshift_cgroup_read_t;
++type openshift_cgroup_read_exec_t;
++application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t)
++
++########################################
++#
++# Template to create openshift_t and openshift_app_t
++#
++
++openshift_service_domain_template(openshift)
++
++########################################
++#
++# openshift initrc local policy
++#
++unconfined_domain_noaudit(openshift_initrc_t)
++mcs_process_set_categories(openshift_initrc_t)
++
++systemd_dbus_chat_logind(openshift_initrc_t)
++
++manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
++manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
++manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
++files_tmp_filetrans(openshift_initrc_t, openshift_initrc_tmp_t, { file dir })
++
++manage_dirs_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
++manage_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
++manage_lnk_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
++files_pid_filetrans(openshift_initrc_t, openshift_var_run_t, { file dir })
++
++manage_dirs_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
++manage_files_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
++logging_log_filetrans(openshift_initrc_t, openshift_log_t, { file dir })
++
++allow openshift_initrc_t openshift_domain:process { getattr getsched setsched transition signal signull sigkill };
++allow openshift_domain openshift_initrc_t:fd use;
++allow openshift_domain openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
++allow openshift_domain openshift_initrc_t:process sigchld;
++dontaudit openshift_domain openshift_initrc_t:key view;
++dontaudit openshift_domain openshift_initrc_t:process signull;
++dontaudit openshift_domain openshift_initrc_t:socket_class_set { read write };
++
++#######################################################
++#
++# Policy for all openshift domains
++#
++allow openshift_domain self:process all_process_perms;
++allow openshift_domain self:msg all_msg_perms;
++allow openshift_domain self:msgq create_msgq_perms;
++allow openshift_domain self:shm create_shm_perms;
++allow openshift_domain self:sem create_sem_perms;
++dontaudit openshift_domain self:dir write;
++
++dontaudit openshift_domain self:netlink_tcpdiag_socket create;
++allow openshift_domain self:tcp_socket create_stream_socket_perms;
++allow openshift_domain self:fifo_file manage_fifo_file_perms;
++allow openshift_domain self:unix_stream_socket { create_stream_socket_perms connectto };
++allow openshift_domain self:unix_dgram_socket { create_socket_perms sendto };
++dontaudit openshift_domain self:netlink_audit_socket { create_socket_perms nlmsg_relay };
++
++manage_dirs_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++manage_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++manage_fifo_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++manage_sock_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++manage_lnk_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
++allow openshift_domain openshift_rw_file_t:dir_file_class_set { relabelfrom relabelto };
++
++list_dirs_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++read_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++rw_fifo_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++rw_sock_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++read_lnk_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
++allow openshift_domain openshift_file_type:file execmod;
++can_exec(openshift_domain, openshift_file_type)
++allow openshift_domain openshift_file_type:file entrypoint;
++# Allow users to execute files in their home dir
++allow openshift_domain openshift_file_type:file { execute execute_no_trans };
++
++# Dontaudit openshift domains trying to search other openshift domains directories,
++# this happens just when users are probing the system
++dontaudit openshift_domain openshift_file_type:dir search_dir_perms
++;
++
++manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
++manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
++fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file })
++can_exec(openshift_domain, openshift_tmpfs_t)
++
++manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++manage_lnk_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++manage_sock_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
++files_tmp_filetrans(openshift_domain, openshift_tmp_t, { lnk_file file dir sock_file fifo_file })
++allow openshift_domain openshift_tmp_t:dir_file_class_set { relabelfrom relabelto };
++
++allow openshift_domain openshift_log_t:file { getattr append lock ioctl };
++
++#lsof
++allow openshift_domain openshift_initrc_t:tcp_socket getattr;
++
++dontaudit openshift_domain openshift_initrc_tmp_t:file append;
++dontaudit openshift_domain openshift_var_run_t:file append;
++dontaudit openshift_domain openshift_file_type:sock_file execute;
++
++kernel_read_network_state(openshift_domain)
++kernel_dontaudit_list_all_proc(openshift_domain)
++kernel_dontaudit_list_all_sysctls(openshift_domain)
++kernel_dontaudit_request_load_module(openshift_domain)
++kernel_get_sysvipc_info(openshift_domain)
++
++corecmd_shell_entry_type(openshift_domain)
++corecmd_bin_entry_type(openshift_domain)
++corecmd_exec_all_executables(openshift_domain)
++
++dev_read_sysfs(openshift_domain)
++dev_read_rand(openshift_domain)
++dev_read_urand(openshift_domain)
++dev_dontaudit_append_rand(openshift_domain)
++dev_dontaudit_write_urand(openshift_domain)
++dev_dontaudit_getattr_all_blk_files(openshift_domain)
++dev_dontaudit_getattr_all_chr_files(openshift_domain)
++
++domain_use_interactive_fds(openshift_domain)
++domain_dontaudit_read_all_domains_state(openshift_domain)
++
++files_read_var_lib_symlinks(openshift_domain)
++
++fs_rw_hugetlbfs_files(openshift_domain)
++fs_rw_anon_inodefs_files(openshift_domain)
++fs_search_tmpfs(openshift_domain)
++fs_getattr_all_fs(openshift_domain)
++fs_dontaudit_getattr_all_fs(openshift_domain)
++fs_list_inotifyfs(openshift_domain)
++fs_dontaudit_list_auto_mountpoints(openshift_domain)
++fs_dontaudit_list_tmpfs(openshift_domain)
++storage_dontaudit_getattr_fixed_disk_dev(openshift_domain)
++storage_getattr_fixed_disk_dev(openshift_domain)
++fs_get_xattr_fs_quotas(openshift_domain)
++fs_rw_inherited_tmpfs_files(openshift_domain)
++fs_dontaudit_rw_anon_inodefs_files(openshift_domain)
++
++dontaudit openshift_domain file_type:dir read;
++files_dontaudit_list_home(openshift_domain)
++files_dontaudit_search_all_pids(openshift_domain)
++files_dontaudit_getattr_all_dirs(openshift_domain)
++files_dontaudit_getattr_all_files(openshift_domain)
++files_dontaudit_list_mnt(openshift_domain)
++files_dontaudit_list_var(openshift_domain)
++files_dontaudit_getattr_lost_found_dirs(openshift_domain)
++files_dontaudit_search_all_mountpoints(openshift_domain)
++files_dontaudit_search_spool(openshift_domain)
++files_dontaudit_search_all_dirs(openshift_domain)
++files_dontaudit_list_var(openshift_domain)
++files_read_etc_files(openshift_domain)
++files_exec_etc_files(openshift_domain)
++files_read_usr_files(openshift_domain)
++files_exec_usr_files(openshift_domain)
++files_dontaudit_getattr_non_security_sockets(openshift_domain)
++files_dontaudit_setattr_non_security_dirs(openshift_domain)
++files_dontaudit_setattr_non_security_files(openshift_domain)
++
++libs_exec_lib_files(openshift_domain)
++libs_exec_ld_so(openshift_domain)
++
++term_use_ptmx(openshift_domain)
++term_use_generic_ptys(openshift_domain)
++
++selinux_validate_context(openshift_domain)
++
++logging_inherit_append_all_logs(openshift_domain)
++
++init_dontaudit_read_utmp(openshift_domain)
++
++miscfiles_read_fonts(openshift_domain)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_domain)
++
++mta_dontaudit_read_spool_symlinks(openshift_domain)
++
++term_dontaudit_search_ptys(openshift_domain)
++term_use_ptmx(openshift_domain)
++
++userdom_use_inherited_user_ptys(openshift_domain)
++userdom_dontaudit_search_admin_dir(openshift_domain)
++
++application_exec(openshift_domain)
++
++optional_policy(`
++ apache_exec_modules(openshift_domain)
++ apache_list_modules(openshift_domain)
++ apache_read_config(openshift_domain)
++ apache_search_config(openshift_domain)
++ apache_read_sys_content(openshift_domain)
++ apache_exec_sys_script(openshift_domain)
++ apache_entrypoint(openshift_domain)
++ apache_dontaudit_read_log(openshift_domain)
++')
++
++optional_policy(`
++ #############################################
++ #
++ # openshift cgi script policy
++ #
++ apache_content_template(openshift)
++ domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
++
++ optional_policy(`
++ dbus_system_bus_client(httpd_openshift_script_t)
++
++ optional_policy(`
++ oddjob_dbus_chat(httpd_openshift_script_t)
++ oddjob_dontaudit_rw_fifo_file(openshift_domain)
++ ')
++ ')
++')
++
++optional_policy(`
++ cron_role(system_r, openshift_domain)
++')
++
++optional_policy(`
++ gpg_entry_type(openshift_domain)
++')
++
++optional_policy(`
++ mysql_search_db(openshift_domain)
++')
++
++optional_policy(`
++ screen_exec(openshift_domain)
++')
++
++optional_policy(`
++ ssh_use_ptys(openshift_domain)
++ ssh_getattr_user_home_dir(openshift_domain)
++ ssh_dontaudit_search_user_home_dir(openshift_domain)
++')
++
++#######################################################
++#
++# Policy for openshift user domain process
++#
++manage_dirs_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++manage_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++manage_fifo_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++manage_sock_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++manage_lnk_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
++allow openshift_user_domain openshift_file_type:dir_file_class_set { relabelfrom relabelto };
++
++allow openshift_user_domain openshift_domain:process transition;
++allow openshift_domain openshift_user_domain:fd use;
++allow openshift_domain openshift_user_domain:fifo_file rw_inherited_fifo_file_perms;
++allow openshift_domain openshift_user_domain:process sigchld;
++dontaudit openshift_domain openshift_user_domain:key view;
++dontaudit openshift_domain openshift_user_domain:process signull;
++dontaudit openshift_domain openshift_user_domain:socket_class_set { read write };
++
++allow openshift_user_domain openshift_domain:process ptrace;
++
++optional_policy(`
++ ssh_rw_tcp_sockets(openshift_user_domain)
++')
++
++############################################################################
++#
++# Rules specific to openshift and openshift_app_t
++#
++kernel_read_vm_sysctls(openshift_t)
++kernel_read_vm_sysctls(openshift_app_t)
++kernel_search_vm_sysctl(openshift_t)
++kernel_search_vm_sysctl(openshift_app_t)
++netutils_domtrans_ping(openshift_t)
++netutils_kill_ping(openshift_t)
++netutils_signal_ping(openshift_t)
++
++openshift_net_type(openshift_app_t)
++openshift_net_type(openshift_t)
++
++optional_policy(`
++ postfix_rw_public_pipes(openshift_t)
++ postfix_manage_spool_maildrop_files(openshift_t)
++')
++
++########################################
++#
++# openshift_cgroup_read local policy
++#
++
++allow openshift_cgroup_read_t self:process { getattr signal_perms };
++allow openshift_cgroup_read_t self:fifo_file rw_fifo_file_perms;
++allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
++allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
++
++optional_policy(`
++ ssh_use_ptys(openshift_cgroup_read_t)
++')
++
++corecmd_exec_bin(openshift_cgroup_read_t)
++
++dev_read_urand(openshift_cgroup_read_t)
++
++domain_use_interactive_fds(openshift_cgroup_read_t)
++
++files_read_etc_files(openshift_cgroup_read_t)
++
++fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t)
++
++userdom_use_inherited_user_ptys(openshift_cgroup_read_t)
++
++miscfiles_read_generic_certs(openshift_cgroup_read_t)
++
++domtrans_pattern(openshift_domain, openshift_cgroup_read_exec_t, openshift_cgroup_read_t)
++role system_r types openshift_cgroup_read_t;
++
++allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill };
++
++fs_read_cgroup_files(openshift_cgroup_read_t)
++
++allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
++read_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
+diff --git a/openvpn.if b/openvpn.if
+index d883214..d6afa87 100644
+--- a/openvpn.if
++++ b/openvpn.if
+@@ -144,8 +144,11 @@ interface(`openvpn_admin',`
+ type openvpn_var_run_t, openvpn_initrc_exec_t;
+ ')
+
+- allow $1 openvpn_t:process { ptrace signal_perms };
++ allow $1 openvpn_t:process signal_perms;
+ ps_process_pattern($1, openvpn_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 openvpn_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/openvpn.te b/openvpn.te
+index 66a52ee..6db0311 100644
+--- a/openvpn.te
++++ b/openvpn.te
+@@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t)
+ type openvpn_etc_rw_t;
+ files_config_file(openvpn_etc_rw_t)
+
++type openvpn_tmp_t;
++files_tmp_file(openvpn_tmp_t)
++
+ type openvpn_initrc_exec_t;
+ init_script_file(openvpn_initrc_exec_t)
+
+@@ -40,15 +43,15 @@ files_pid_file(openvpn_var_run_t)
+ # openvpn local policy
+ #
+
+-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
+-allow openvpn_t self:process { signal getsched };
++allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
++allow openvpn_t self:process { signal getsched setsched };
+ allow openvpn_t self:fifo_file rw_fifo_file_perms;
+
+ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow openvpn_t self:udp_socket create_socket_perms;
+ allow openvpn_t self:tcp_socket server_stream_socket_perms;
+-allow openvpn_t self:tun_socket create;
++allow openvpn_t self:tun_socket { create_socket_perms relabelfrom };
+ allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
+
+ can_exec(openvpn_t, openvpn_etc_t)
+@@ -58,9 +61,14 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+ manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
+ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+
+-allow openvpn_t openvpn_var_log_t:file manage_file_perms;
+-logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
++manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
++files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
++
++manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
++manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
++logging_log_filetrans(openvpn_t, openvpn_var_log_t, { dir file })
+
++manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+ manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+ files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
+
+@@ -68,11 +76,11 @@ kernel_read_kernel_sysctls(openvpn_t)
+ kernel_read_net_sysctls(openvpn_t)
+ kernel_read_network_state(openvpn_t)
+ kernel_read_system_state(openvpn_t)
++kernel_request_load_module(openvpn_t)
+
+ corecmd_exec_bin(openvpn_t)
+ corecmd_exec_shell(openvpn_t)
+
+-corenet_all_recvfrom_unlabeled(openvpn_t)
+ corenet_all_recvfrom_netlabel(openvpn_t)
+ corenet_tcp_sendrecv_generic_if(openvpn_t)
+ corenet_udp_sendrecv_generic_if(openvpn_t)
+@@ -87,6 +95,7 @@ corenet_udp_bind_openvpn_port(openvpn_t)
+ corenet_tcp_bind_http_port(openvpn_t)
+ corenet_tcp_connect_openvpn_port(openvpn_t)
+ corenet_tcp_connect_http_port(openvpn_t)
++corenet_tcp_connect_tor_socks_port(openvpn_t)
+ corenet_tcp_connect_http_cache_port(openvpn_t)
+ corenet_rw_tun_tap_dev(openvpn_t)
+ corenet_sendrecv_openvpn_server_packets(openvpn_t)
+@@ -100,33 +109,39 @@ dev_read_urand(openvpn_t)
+ files_read_etc_files(openvpn_t)
+ files_read_etc_runtime_files(openvpn_t)
+
++fs_getattr_xattr_fs(openvpn_t)
++
+ auth_use_pam(openvpn_t)
+
++init_read_utmp(openvpn_t)
++
+ logging_send_syslog_msg(openvpn_t)
+
+-miscfiles_read_localization(openvpn_t)
+ miscfiles_read_all_certs(openvpn_t)
+
+ sysnet_dns_name_resolve(openvpn_t)
++sysnet_use_ldap(openvpn_t)
+ sysnet_exec_ifconfig(openvpn_t)
+ sysnet_manage_config(openvpn_t)
+ sysnet_etc_filetrans_config(openvpn_t)
+
+-userdom_use_user_terminals(openvpn_t)
++userdom_use_inherited_user_terminals(openvpn_t)
++userdom_read_home_certs(openvpn_t)
++userdom_attach_admin_tun_iface(openvpn_t)
++userdom_read_inherited_user_tmp_files(openvpn_t)
++userdom_read_inherited_user_home_content_files(openvpn_t)
+
+ tunable_policy(`openvpn_enable_homedirs',`
+- userdom_read_user_home_content_files(openvpn_t)
++ userdom_search_user_home_dirs(openvpn_t)
+ ')
+
+ tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
+- fs_read_nfs_files(openvpn_t)
+- fs_read_nfs_symlinks(openvpn_t)
+-')
++ fs_read_nfs_files(openvpn_t)
++')
+
+ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+- fs_read_cifs_files(openvpn_t)
+- fs_read_cifs_symlinks(openvpn_t)
+-')
++ fs_read_cifs_files(openvpn_t)
++')
+
+ optional_policy(`
+ daemontools_service_domain(openvpn_t, openvpn_exec_t)
+@@ -138,3 +153,7 @@ optional_policy(`
+
+ networkmanager_dbus_chat(openvpn_t)
+ ')
++
++optional_policy(`
++ unconfined_attach_tun_iface(openvpn_t)
++')
+diff --git a/openvswitch.fc b/openvswitch.fc
+new file mode 100644
+index 0000000..baf8d21
+--- /dev/null
++++ b/openvswitch.fc
+@@ -0,0 +1,15 @@
++/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0)
++
++/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
++/usr/bin/ovs-vsctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
++/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
++/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
++/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
++
++/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
++
++/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
++
++/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
++
++/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0)
+diff --git a/openvswitch.if b/openvswitch.if
+new file mode 100644
+index 0000000..14f29e4
+--- /dev/null
++++ b/openvswitch.if
+@@ -0,0 +1,242 @@
++
++## policy for openvswitch
++
++########################################
++##
++## Execute TEMPLATE in the openvswitch domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`openvswitch_domtrans',`
++ gen_require(`
++ type openvswitch_t, openvswitch_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
++')
++########################################
++##
++## Read openvswitch's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`openvswitch_read_log',`
++ gen_require(`
++ type openvswitch_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
++')
++
++########################################
++##
++## Append to openvswitch log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openvswitch_append_log',`
++ gen_require(`
++ type openvswitch_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
++')
++
++########################################
++##
++## Manage openvswitch log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openvswitch_manage_log',`
++ gen_require(`
++ type openvswitch_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, openvswitch_log_t, openvswitch_log_t)
++ manage_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
++ manage_lnk_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
++')
++
++########################################
++##
++## Search openvswitch lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openvswitch_search_lib',`
++ gen_require(`
++ type openvswitch_var_lib_t;
++ ')
++
++ allow $1 openvswitch_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read openvswitch lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openvswitch_read_lib_files',`
++ gen_require(`
++ type openvswitch_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
++')
++
++########################################
++##
++## Manage openvswitch lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openvswitch_manage_lib_files',`
++ gen_require(`
++ type openvswitch_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
++')
++
++########################################
++##
++## Manage openvswitch lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openvswitch_manage_lib_dirs',`
++ gen_require(`
++ type openvswitch_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
++')
++
++########################################
++##
++## Read openvswitch PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openvswitch_read_pid_files',`
++ gen_require(`
++ type openvswitch_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t)
++')
++
++########################################
++##
++## Execute openvswitch server in the openvswitch domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`openvswitch_systemctl',`
++ gen_require(`
++ type openvswitch_t;
++ type openvswitch_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 openvswitch_unit_file_t:file read_file_perms;
++ allow $1 openvswitch_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, openvswitch_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an openvswitch environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`openvswitch_admin',`
++ gen_require(`
++ type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t;
++ type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t;
++ ')
++
++ allow $1 openvswitch_t:process { ptrace signal_perms };
++ ps_process_pattern($1, openvswitch_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, openvswitch_rw_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, openvswitch_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, openvswitch_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, openvswitch_var_run_t)
++
++ openvswitch_systemctl($1)
++ admin_pattern($1, openvswitch_unit_file_t)
++ allow $1 openvswitch_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/openvswitch.te b/openvswitch.te
+new file mode 100644
+index 0000000..31370ed
+--- /dev/null
++++ b/openvswitch.te
+@@ -0,0 +1,83 @@
++policy_module(openvswitch, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type openvswitch_t;
++type openvswitch_exec_t;
++init_daemon_domain(openvswitch_t, openvswitch_exec_t)
++
++type openvswitch_rw_t;
++files_config_file(openvswitch_rw_t)
++
++type openvswitch_var_lib_t;
++files_type(openvswitch_var_lib_t)
++
++type openvswitch_log_t;
++logging_log_file(openvswitch_log_t)
++
++type openvswitch_var_run_t;
++files_pid_file(openvswitch_var_run_t)
++
++type openvswitch_unit_file_t;
++systemd_unit_file(openvswitch_unit_file_t)
++
++########################################
++#
++# openvswitch local policy
++#
++
++allow openvswitch_t self:capability { net_admin ipc_lock sys_nice sys_resource };
++allow openvswitch_t self:process { fork setsched setrlimit signal };
++allow openvswitch_t self:fifo_file rw_fifo_file_perms;
++allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow openvswitch_t self:netlink_socket create_socket_perms;
++
++can_exec(openvswitch_t, openvswitch_exec_t)
++
++manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
++manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
++manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
++
++manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
++manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
++manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
++files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
++
++manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
++manage_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
++manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
++logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
++
++manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
++manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
++manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
++manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
++files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
++
++kernel_read_network_state(openvswitch_t)
++kernel_read_system_state(openvswitch_t)
++
++corecmd_exec_bin(openvswitch_t)
++
++dev_read_urand(openvswitch_t)
++
++domain_use_interactive_fds(openvswitch_t)
++
++files_read_etc_files(openvswitch_t)
++
++fs_getattr_all_fs(openvswitch_t)
++fs_search_cgroup_dirs(openvswitch_t)
++
++auth_read_passwd(openvswitch_t)
++
++logging_send_syslog_msg(openvswitch_t)
++
++sysnet_dns_name_resolve(openvswitch_t)
++
++optional_policy(`
++ iptables_domtrans(openvswitch_t)
++')
++
+diff --git a/pacemaker.fc b/pacemaker.fc
+new file mode 100644
+index 0000000..3793461
+--- /dev/null
++++ b/pacemaker.fc
+@@ -0,0 +1,12 @@
++/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
++
++/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
++
++/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
++
++/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
++/var/lib/pengine(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
++
++/var/run/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_run_t,s0)
+diff --git a/pacemaker.if b/pacemaker.if
+new file mode 100644
+index 0000000..e05c78f
+--- /dev/null
++++ b/pacemaker.if
+@@ -0,0 +1,209 @@
++
++## policy for pacemaker
++
++########################################
++##
++## Transition to pacemaker.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`pacemaker_domtrans',`
++ gen_require(`
++ type pacemaker_t, pacemaker_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, pacemaker_exec_t, pacemaker_t)
++')
++
++########################################
++##
++## Execute pacemaker server in the pacemaker domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pacemaker_initrc_domtrans',`
++ gen_require(`
++ type pacemaker_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
++')
++
++########################################
++##
++## Search pacemaker lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pacemaker_search_lib',`
++ gen_require(`
++ type pacemaker_var_lib_t;
++ ')
++
++ allow $1 pacemaker_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read pacemaker lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pacemaker_read_lib_files',`
++ gen_require(`
++ type pacemaker_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
++')
++
++########################################
++##
++## Manage pacemaker lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pacemaker_manage_lib_files',`
++ gen_require(`
++ type pacemaker_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
++')
++
++########################################
++##
++## Manage pacemaker lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pacemaker_manage_lib_dirs',`
++ gen_require(`
++ type pacemaker_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
++')
++
++########################################
++##
++## Read pacemaker PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pacemaker_read_pid_files',`
++ gen_require(`
++ type pacemaker_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 pacemaker_var_run_t:file read_file_perms;
++')
++
++########################################
++##
++## Execute pacemaker server in the pacemaker domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`pacemaker_systemctl',`
++ gen_require(`
++ type pacemaker_t;
++ type pacemaker_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 pacemaker_unit_file_t:file read_file_perms;
++ allow $1 pacemaker_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, pacemaker_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an pacemaker environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`pacemaker_admin',`
++ gen_require(`
++ type pacemaker_t;
++ type pacemaker_initrc_exec_t;
++ type pacemaker_var_lib_t;
++ type pacemaker_var_run_t;
++ type pacemaker_unit_file_t;
++ ')
++
++ allow $1 pacemaker_t:process { ptrace signal_perms };
++ ps_process_pattern($1, pacemaker_t)
++
++ pacemaker_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pacemaker_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_var_lib($1)
++ admin_pattern($1, pacemaker_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, pacemaker_var_run_t)
++
++ pacemaker_systemctl($1)
++ admin_pattern($1, pacemaker_unit_file_t)
++ allow $1 pacemaker_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/pacemaker.te b/pacemaker.te
+new file mode 100644
+index 0000000..3a97ac3
+--- /dev/null
++++ b/pacemaker.te
+@@ -0,0 +1,86 @@
++policy_module(pacemaker, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type pacemaker_t;
++type pacemaker_exec_t;
++init_daemon_domain(pacemaker_t, pacemaker_exec_t)
++
++type pacemaker_initrc_exec_t;
++init_script_file(pacemaker_initrc_exec_t)
++
++type pacemaker_var_lib_t;
++files_type(pacemaker_var_lib_t)
++
++type pacemaker_var_run_t;
++files_pid_file(pacemaker_var_run_t)
++
++type pacemaker_tmp_t;
++files_tmp_file(pacemaker_tmp_t)
++
++type pacemaker_tmpfs_t;
++files_tmpfs_file(pacemaker_tmpfs_t)
++
++type pacemaker_unit_file_t;
++systemd_unit_file(pacemaker_unit_file_t)
++
++########################################
++#
++# pacemaker local policy
++#
++
++allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
++allow pacemaker_t self:process { fork setrlimit signal setpgid };
++allow pacemaker_t self:fifo_file rw_fifo_file_perms;
++allow pacemaker_t self:unix_stream_socket { connectto create_stream_socket_perms };
++
++manage_dirs_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
++manage_files_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
++files_var_lib_filetrans(pacemaker_t, pacemaker_var_lib_t, { dir file })
++
++manage_dirs_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
++manage_files_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
++files_pid_filetrans(pacemaker_t, pacemaker_var_run_t, { dir file })
++
++manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
++manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
++files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
++
++manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
++manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
++fs_tmpfs_filetrans(pacemaker_t, pacemaker_tmpfs_t, { dir file })
++
++kernel_read_system_state(pacemaker_t)
++kernel_read_network_state(pacemaker_t)
++kernel_read_all_sysctls(pacemaker_t)
++kernel_read_messages(pacemaker_t)
++kernel_getattr_core_if(pacemaker_t)
++kernel_read_software_raid_state(pacemaker_t)
++
++corecmd_exec_bin(pacemaker_t)
++corecmd_exec_shell(pacemaker_t)
++
++domain_use_interactive_fds(pacemaker_t)
++domain_read_all_domains_state(pacemaker_t)
++
++dev_getattr_mtrr_dev(pacemaker_t)
++dev_read_rand(pacemaker_t)
++dev_read_urand(pacemaker_t)
++
++files_read_kernel_symbol_table(pacemaker_t)
++
++fs_getattr_all_fs(pacemaker_t)
++
++auth_use_nsswitch(pacemaker_t)
++
++logging_send_syslog_msg(pacemaker_t)
++
++optional_policy(`
++ corosync_read_log(pacemaker_t)
++ corosync_stream_connect(pacemaker_t)
++ corosync_rw_tmpfs(pacemaker_t)
++')
++
+diff --git a/pads.fc b/pads.fc
+index 0870c56..6d5fb1d 100644
+--- a/pads.fc
++++ b/pads.fc
+@@ -1,10 +1,10 @@
+ /etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0)
+ /etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0)
+-/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0)
++/etc/pads\.conf -- gen_context(system_u:object_r:pads_config_t, s0)
+ /etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0)
+
+ /etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0)
+
+ /usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0)
+
+-/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
++/var/run/pads\.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
+diff --git a/pads.if b/pads.if
+index 8ac407e..45673ad 100644
+--- a/pads.if
++++ b/pads.if
+@@ -25,20 +25,26 @@
+ ##
+ ##
+ #
+-interface(`pads_admin', `
++interface(`pads_admin',`
+ gen_require(`
+- type pads_t, pads_config_t;
+- type pads_var_run_t, pads_initrc_exec_t;
++ type pads_t, pads_config_t, pads_initrc_exec_t;
++ type pads_var_run_t;
+ ')
+
+- allow $1 pads_t:process { ptrace signal_perms };
++ allow $1 pads_t:process signal_perms;
+ ps_process_pattern($1, pads_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 pads_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, pads_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pads_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_list_pids($1)
+ admin_pattern($1, pads_var_run_t)
++
++ files_list_etc($1)
+ admin_pattern($1, pads_config_t)
+ ')
+diff --git a/pads.te b/pads.te
+index b246bdd..3cbcc49 100644
+--- a/pads.te
++++ b/pads.te
+@@ -25,10 +25,11 @@ files_pid_file(pads_var_run_t)
+ #
+
+ allow pads_t self:capability { dac_override net_raw };
+-allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+-allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
+-allow pads_t self:udp_socket { create ioctl };
+-allow pads_t self:unix_dgram_socket { write create connect };
++allow pads_t self:netlink_route_socket create_netlink_socket_perms;
++allow pads_t self:packet_socket create_socket_perms;
++allow pads_t self:socket create_socket_perms;
++allow pads_t self:udp_socket create_socket_perms;
++allow pads_t self:unix_dgram_socket create_socket_perms;
+
+ allow pads_t pads_config_t:file manage_file_perms;
+ files_etc_filetrans(pads_t, pads_config_t, file)
+@@ -37,10 +38,10 @@ allow pads_t pads_var_run_t:file manage_file_perms;
+ files_pid_filetrans(pads_t, pads_var_run_t, file)
+
+ kernel_read_sysctl(pads_t)
++kernel_read_network_state(pads_t)
+
+ corecmd_search_bin(pads_t)
+
+-corenet_all_recvfrom_unlabeled(pads_t)
+ corenet_all_recvfrom_netlabel(pads_t)
+ corenet_tcp_sendrecv_generic_if(pads_t)
+ corenet_tcp_sendrecv_generic_node(pads_t)
+@@ -48,12 +49,11 @@ corenet_tcp_connect_prelude_port(pads_t)
+
+ dev_read_rand(pads_t)
+ dev_read_urand(pads_t)
++dev_read_sysfs(pads_t)
+
+ files_read_etc_files(pads_t)
+ files_search_spool(pads_t)
+
+-miscfiles_read_localization(pads_t)
+-
+ logging_send_syslog_msg(pads_t)
+
+ sysnet_dns_name_resolve(pads_t)
+diff --git a/passenger.fc b/passenger.fc
+index 545518d..9155bd0 100644
+--- a/passenger.fc
++++ b/passenger.fc
+@@ -1,11 +1,12 @@
+-/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+-/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
+-/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+-/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/share/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/lib/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
++
++/usr/share/.*/gems/.*/helper-scripts/prespawn -- gen_context(system_u:object_r:passenger_exec_t,s0)
+
+ /var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+
+-/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0)
+-/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0)
++/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
+
+ /var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
+diff --git a/passenger.if b/passenger.if
+index f68b573..c050b37 100644
+--- a/passenger.if
++++ b/passenger.if
+@@ -18,6 +18,42 @@ interface(`passenger_domtrans',`
+ domtrans_pattern($1, passenger_exec_t, passenger_t)
+ ')
+
++######################################
++##
++## Execute passenger in the current domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`passenger_exec',`
++ gen_require(`
++ type passenger_exec_t;
++ ')
++
++ can_exec($1, passenger_exec_t)
++')
++
++#######################################
++##
++## Getattr passenger log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`passenger_getattr_log_files',`
++ gen_require(`
++ type passenger_log_t;
++ ')
++
++ getattr_files_pattern($1, passenger_log_t, passenger_log_t)
++')
++
+ ########################################
+ ##
+ ## Read passenger lib files
+@@ -37,3 +73,84 @@ interface(`passenger_read_lib_files',`
+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ files_search_var_lib($1)
+ ')
++
++########################################
++##
++## Manage passenger lib files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`passenger_manage_lib_files',`
++ gen_require(`
++ type passenger_var_lib_t;
++ ')
++
++ manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++ manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++ manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++ files_search_var_lib($1)
++')
++
++#####################################
++##
++## Manage passenger var_run content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`passenger_manage_pid_content',`
++ gen_require(`
++ type passenger_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
++ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
++ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
++ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
++')
++
++########################################
++##
++## Connect to passenger unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`passenger_stream_connect',`
++ gen_require(`
++ type passenger_t;
++ ')
++
++ allow $1 passenger_t:unix_stream_socket connectto;
++')
++
++#######################################
++##
++## Allow to manage passenger tmp files/dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`passenger_manage_tmp_files',`
++ gen_require(`
++ type passenger_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
++ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
++')
+diff --git a/passenger.te b/passenger.te
+index 3470036..ca09bc0 100644
+--- a/passenger.te
++++ b/passenger.te
+@@ -28,7 +28,7 @@ files_pid_file(passenger_var_run_t)
+ # passanger local policy
+ #
+
+-allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice };
++allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
+ allow passenger_t self:process { setpgid setsched sigkill signal };
+ allow passenger_t self:fifo_file rw_fifo_file_perms;
+ allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -37,7 +37,7 @@ can_exec(passenger_t, passenger_exec_t)
+
+ manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
+ manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+-logging_log_filetrans(passenger_t, passenger_log_t, file)
++logging_log_filetrans(passenger_t, passenger_log_t, { dir file })
+
+ manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+ manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+@@ -49,11 +49,16 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+ manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+ files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+
++#needed by puppet
++manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
++manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
++manage_sock_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
++files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir sock_file })
++
+ kernel_read_system_state(passenger_t)
+ kernel_read_kernel_sysctls(passenger_t)
+
+ corenet_all_recvfrom_netlabel(passenger_t)
+-corenet_all_recvfrom_unlabeled(passenger_t)
+ corenet_tcp_sendrecv_generic_if(passenger_t)
+ corenet_tcp_sendrecv_generic_node(passenger_t)
+ corenet_tcp_connect_http_port(passenger_t)
+@@ -63,11 +68,13 @@ corecmd_exec_shell(passenger_t)
+
+ dev_read_urand(passenger_t)
+
+-files_read_etc_files(passenger_t)
++domain_read_all_domains_state(passenger_t)
++
++files_read_usr_files(passenger_t)
+
+ auth_use_nsswitch(passenger_t)
+
+-miscfiles_read_localization(passenger_t)
++logging_send_syslog_msg(passenger_t)
+
+ userdom_dontaudit_use_user_terminals(passenger_t)
+
+@@ -75,3 +82,25 @@ optional_policy(`
+ apache_append_log(passenger_t)
+ apache_read_sys_content(passenger_t)
+ ')
++
++optional_policy(`
++ hostname_exec(passenger_t)
++')
++
++optional_policy(`
++ mta_send_mail(passenger_t)
++')
++
++optional_policy(`
++ puppet_manage_lib(passenger_t)
++ puppet_read_config(passenger_t)
++ puppet_append_log(passenger_t)
++ puppet_create_log(passenger_t)
++ puppet_read_log(passenger_t)
++ puppet_search_pid(passenger_t)
++')
++
++optional_policy(`
++ rpm_exec(passenger_t)
++ rpm_read_db(passenger_t)
++')
+diff --git a/pcmcia.fc b/pcmcia.fc
+index 9cf0e56..2b5260a 100644
+--- a/pcmcia.fc
++++ b/pcmcia.fc
+@@ -4,6 +4,9 @@
+ /sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
+ /sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+
++/usr/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
++/usr/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
++
+ /var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+
+ /var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+diff --git a/pcmcia.te b/pcmcia.te
+index 4d06ae3..e1a4943 100644
+--- a/pcmcia.te
++++ b/pcmcia.te
+@@ -62,9 +62,7 @@ dev_read_urand(cardmgr_t)
+
+ domain_use_interactive_fds(cardmgr_t)
+ # Read /proc/PID directories for all domains (for fuser).
+-domain_read_confined_domains_state(cardmgr_t)
+-domain_getattr_confined_domains(cardmgr_t)
+-domain_dontaudit_ptrace_confined_domains(cardmgr_t)
++domain_read_all_domains_state(cardmgr_t)
+ # cjp: these look excessive:
+ domain_dontaudit_getattr_all_pipes(cardmgr_t)
+ domain_dontaudit_getattr_all_sockets(cardmgr_t)
+@@ -96,8 +94,6 @@ libs_exec_lib_files(cardmgr_t)
+
+ logging_send_syslog_msg(cardmgr_t)
+
+-miscfiles_read_localization(cardmgr_t)
+-
+ modutils_domtrans_insmod(cardmgr_t)
+
+ sysnet_domtrans_ifconfig(cardmgr_t)
+@@ -105,12 +101,11 @@ sysnet_domtrans_ifconfig(cardmgr_t)
+ sysnet_etc_filetrans_config(cardmgr_t)
+ sysnet_manage_config(cardmgr_t)
+
+-userdom_use_user_terminals(cardmgr_t)
++userdom_use_inherited_user_terminals(cardmgr_t)
+ userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
+ userdom_dontaudit_search_user_home_dirs(cardmgr_t)
+
+ optional_policy(`
+- seutil_dontaudit_read_config(cardmgr_t)
+ seutil_sigchld_newrole(cardmgr_t)
+ ')
+
+diff --git a/pcscd.fc b/pcscd.fc
+index 87f17e8..63ee18a 100644
+--- a/pcscd.fc
++++ b/pcscd.fc
+@@ -1,4 +1,5 @@
+ /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
++/var/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ /var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ /var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
+diff --git a/pcscd.if b/pcscd.if
+index 1c2a091..3ead3cc 100644
+--- a/pcscd.if
++++ b/pcscd.if
+@@ -34,7 +34,7 @@ interface(`pcscd_read_pub_files',`
+ ')
+
+ files_search_pids($1)
+- allow $1 pcscd_var_run_t:file read_file_perms;
++ read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
+ ')
+
+ ########################################
+diff --git a/pcscd.te b/pcscd.te
+index ceafba6..47b690d 100644
+--- a/pcscd.te
++++ b/pcscd.te
+@@ -25,6 +25,7 @@ allow pcscd_t self:fifo_file rw_fifo_file_perms;
+ allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
+ allow pcscd_t self:unix_dgram_socket create_socket_perms;
+ allow pcscd_t self:tcp_socket create_stream_socket_perms;
++allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+@@ -34,7 +35,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
+
+ kernel_read_system_state(pcscd_t)
+
+-corenet_all_recvfrom_unlabeled(pcscd_t)
+ corenet_all_recvfrom_netlabel(pcscd_t)
+ corenet_tcp_sendrecv_generic_if(pcscd_t)
+ corenet_tcp_sendrecv_generic_node(pcscd_t)
+@@ -56,8 +56,6 @@ locallogin_use_fds(pcscd_t)
+
+ logging_send_syslog_msg(pcscd_t)
+
+-miscfiles_read_localization(pcscd_t)
+-
+ sysnet_dns_name_resolve(pcscd_t)
+
+ optional_policy(`
+@@ -77,3 +75,7 @@ optional_policy(`
+ optional_policy(`
+ rpm_use_script_fds(pcscd_t)
+ ')
++
++optional_policy(`
++ udev_read_db(pcscd_t)
++')
+diff --git a/pegasus.te b/pegasus.te
+index 3185114..d459c82 100644
+--- a/pegasus.te
++++ b/pegasus.te
+@@ -9,6 +9,9 @@ type pegasus_t;
+ type pegasus_exec_t;
+ init_daemon_domain(pegasus_t, pegasus_exec_t)
+
++type pegasus_cache_t;
++files_type(pegasus_cache_t)
++
+ type pegasus_data_t;
+ files_type(pegasus_data_t)
+
+@@ -16,7 +19,7 @@ type pegasus_tmp_t;
+ files_tmp_file(pegasus_tmp_t)
+
+ type pegasus_conf_t;
+-files_type(pegasus_conf_t)
++files_config_file(pegasus_conf_t)
+
+ type pegasus_mof_t;
+ files_type(pegasus_mof_t)
+@@ -29,18 +32,23 @@ files_pid_file(pegasus_var_run_t)
+ # Local policy
+ #
+
+-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
++allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
+ dontaudit pegasus_t self:capability sys_tty_config;
+ allow pegasus_t self:process signal;
+ allow pegasus_t self:fifo_file rw_fifo_file_perms;
+ allow pegasus_t self:unix_dgram_socket create_socket_perms;
+-allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
++allow pegasus_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow pegasus_t self:tcp_socket create_stream_socket_perms;
+
+ allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
+-allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
++allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms };
+ allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
+
++manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
++manage_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
++manage_lnk_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
++files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
++
+ manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+ manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+ manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+@@ -56,17 +64,20 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+ manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+ files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
+
+-allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
++manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
++manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
+ manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
+-files_pid_filetrans(pegasus_t, pegasus_var_run_t, file)
++files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
+
++kernel_read_network_state(pegasus_t)
+ kernel_read_kernel_sysctls(pegasus_t)
+ kernel_read_fs_sysctls(pegasus_t)
+ kernel_read_system_state(pegasus_t)
+ kernel_search_vm_sysctl(pegasus_t)
+ kernel_read_net_sysctls(pegasus_t)
++kernel_read_xen_state(pegasus_t)
++kernel_write_xen_state(pegasus_t)
+
+-corenet_all_recvfrom_unlabeled(pegasus_t)
+ corenet_all_recvfrom_netlabel(pegasus_t)
+ corenet_tcp_sendrecv_generic_if(pegasus_t)
+ corenet_tcp_sendrecv_generic_node(pegasus_t)
+@@ -86,7 +97,7 @@ corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
+ corecmd_exec_bin(pegasus_t)
+ corecmd_exec_shell(pegasus_t)
+
+-dev_read_sysfs(pegasus_t)
++dev_rw_sysfs(pegasus_t)
+ dev_read_urand(pegasus_t)
+
+ fs_getattr_all_fs(pegasus_t)
+@@ -95,11 +106,11 @@ files_getattr_all_dirs(pegasus_t)
+
+ auth_use_nsswitch(pegasus_t)
+ auth_domtrans_chk_passwd(pegasus_t)
++auth_read_shadow(pegasus_t)
+
+ domain_use_interactive_fds(pegasus_t)
+ domain_read_all_domains_state(pegasus_t)
+
+-files_read_etc_files(pegasus_t)
+ files_list_var_lib(pegasus_t)
+ files_read_var_lib_files(pegasus_t)
+ files_read_var_lib_symlinks(pegasus_t)
+@@ -112,8 +123,6 @@ init_stream_connect_script(pegasus_t)
+ logging_send_audit_msgs(pegasus_t)
+ logging_send_syslog_msg(pegasus_t)
+
+-miscfiles_read_localization(pegasus_t)
+-
+ sysnet_read_config(pegasus_t)
+ sysnet_domtrans_ifconfig(pegasus_t)
+
+@@ -121,12 +130,48 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+ userdom_dontaudit_search_user_home_dirs(pegasus_t)
+
+ optional_policy(`
++ dbus_system_bus_client(pegasus_t)
++ dbus_connect_system_bus(pegasus_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(pegasus_t)
++ ')
++')
++
++optional_policy(`
++ corosync_stream_connect(pegasus_t)
++')
++
++optional_policy(`
++ hostname_exec(pegasus_t)
++')
++
++optional_policy(`
++ lldpad_dgram_send(pegasus_t)
++')
++
++optional_policy(`
++ ricci_stream_connect_modclusterd(pegasus_t)
++')
++
++optional_policy(`
+ rpm_exec(pegasus_t)
+ ')
+
+ optional_policy(`
++ samba_manage_config(pegasus_t)
++')
++
++optional_policy(`
++ sysnet_domtrans_ifconfig(pegasus_t)
++')
++
++optional_policy(`
++ ssh_exec(pegasus_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(pegasus_t)
+- seutil_dontaudit_read_config(pegasus_t)
+ ')
+
+ optional_policy(`
+@@ -136,3 +181,14 @@ optional_policy(`
+ optional_policy(`
+ unconfined_signull(pegasus_t)
+ ')
++
++optional_policy(`
++ virt_domtrans(pegasus_t)
++ virt_stream_connect(pegasus_t)
++ virt_manage_config(pegasus_t)
++')
++
++optional_policy(`
++ xen_stream_connect(pegasus_t)
++ xen_stream_connect_xenstore(pegasus_t)
++')
+diff --git a/perdition.te b/perdition.te
+index 3636277..05e65ad 100644
+--- a/perdition.te
++++ b/perdition.te
+@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(perdition_t)
+ kernel_list_proc(perdition_t)
+ kernel_read_proc_symlinks(perdition_t)
+
+-corenet_all_recvfrom_unlabeled(perdition_t)
+ corenet_all_recvfrom_netlabel(perdition_t)
+ corenet_tcp_sendrecv_generic_if(perdition_t)
+ corenet_udp_sendrecv_generic_if(perdition_t)
+@@ -59,8 +58,6 @@ files_read_etc_files(perdition_t)
+
+ logging_send_syslog_msg(perdition_t)
+
+-miscfiles_read_localization(perdition_t)
+-
+ sysnet_read_config(perdition_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(perdition_t)
+diff --git a/phpfpm.fc b/phpfpm.fc
+new file mode 100644
+index 0000000..4c64b13
+--- /dev/null
++++ b/phpfpm.fc
+@@ -0,0 +1,7 @@
++/usr/lib/systemd/system/php-fpm.service -- gen_context(system_u:object_r:phpfpm_unit_file_t,s0)
++
++/usr/sbin/php-fpm -- gen_context(system_u:object_r:phpfpm_exec_t,s0)
++
++/var/log/php-fpm(/.*)? gen_context(system_u:object_r:phpfpm_log_t,s0)
++
++/var/run/php-fpm(/.*)? gen_context(system_u:object_r:phpfpm_var_run_t,s0)
+diff --git a/phpfpm.if b/phpfpm.if
+new file mode 100644
+index 0000000..18f0425
+--- /dev/null
++++ b/phpfpm.if
+@@ -0,0 +1,162 @@
++
++## PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites.
++
++########################################
++##
++## Execute php-fpm in the phpfpm domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`phpfpm_domtrans',`
++ gen_require(`
++ type phpfpm_t, phpfpm_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, phpfpm_exec_t, phpfpm_t)
++')
++
++########################################
++##
++## Read phpfpm's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`phpfpm_read_log',`
++ gen_require(`
++ type phpfpm_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
++')
++
++########################################
++##
++## Append to phpfpm log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`phpfpm_append_log',`
++ gen_require(`
++ type phpfpm_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
++')
++
++########################################
++##
++## Manage phpfpm log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`phpfpm_manage_log',`
++ gen_require(`
++ type phpfpm_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, phpfpm_log_t, phpfpm_log_t)
++ manage_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
++ manage_lnk_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
++')
++
++########################################
++##
++## Read phpfpm PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`phpfpm_read_pid_files',`
++ gen_require(`
++ type phpfpm_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 phpfpm_var_run_t:file read_file_perms;
++')
++
++########################################
++##
++## Execute phpfpm server in the phpfpm domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`phpfpm_systemctl',`
++ gen_require(`
++ type phpfpm_t;
++ type phpfpm_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 phpfpm_unit_file_t:file read_file_perms;
++ allow $1 phpfpm_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, phpfpm_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an phpfpm environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`phpfpm_admin',`
++ gen_require(`
++ type phpfpm_t;
++ type phpfpm_log_t;
++ type phpfpm_var_run_t;
++ type phpfpm_unit_file_t;
++ ')
++
++ allow $1 phpfpm_t:process { ptrace signal_perms };
++ ps_process_pattern($1, phpfpm_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, phpfpm_log_t)
++
++ files_search_pids($1)
++ admin_pattern($1, phpfpm_var_run_t)
++
++ phpfpm_systemctl($1)
++ admin_pattern($1, phpfpm_unit_file_t)
++ allow $1 phpfpm_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/phpfpm.te b/phpfpm.te
+new file mode 100644
+index 0000000..78af4d7
+--- /dev/null
++++ b/phpfpm.te
+@@ -0,0 +1,61 @@
++policy_module(phpfpm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type phpfpm_t;
++type phpfpm_exec_t;
++init_daemon_domain(phpfpm_t, phpfpm_exec_t)
++
++type phpfpm_log_t;
++logging_log_file(phpfpm_log_t)
++
++type phpfpm_var_run_t;
++files_pid_file(phpfpm_var_run_t)
++
++type phpfpm_unit_file_t;
++systemd_unit_file(phpfpm_unit_file_t)
++
++########################################
++#
++# phpfpm local policy
++#
++
++allow phpfpm_t self:capability { chown kill setgid setuid sys_chroot sys_nice };
++allow phpfpm_t self:process { setsched setrlimit signal sigkill };
++
++allow phpfpm_t self:fifo_file rw_fifo_file_perms;
++allow phpfpm_t self:tcp_socket { accept listen };
++allow phpfpm_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
++manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
++
++manage_dirs_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
++manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
++files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, dir )
++
++kernel_read_system_state(phpfpm_t)
++kernel_read_kernel_sysctls(phpfpm_t)
++
++corenet_tcp_bind_generic_port(phpfpm_t)
++
++domain_use_interactive_fds(phpfpm_t)
++
++files_read_etc_files(phpfpm_t)
++
++auth_use_nsswitch(phpfpm_t)
++
++dev_read_rand(phpfpm_t)
++dev_read_urand(phpfpm_t)
++
++logging_send_syslog_msg(phpfpm_t)
++
++sysnet_dns_name_resolve(phpfpm_t)
++
++optional_policy(`
++ mysql_stream_connect(phpfpm_t)
++ mysql_tcp_connect(phpfpm_t)
++')
+diff --git a/pingd.if b/pingd.if
+index 8688aae..cf34fc1 100644
+--- a/pingd.if
++++ b/pingd.if
+@@ -55,7 +55,6 @@ interface(`pingd_manage_config',`
+ files_search_etc($1)
+ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
+ manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
+-
+ ')
+
+ #######################################
+@@ -77,12 +76,15 @@ interface(`pingd_manage_config',`
+ #
+ interface(`pingd_admin',`
+ gen_require(`
+- type pingd_t, pingd_etc_t;
+- type pingd_initrc_exec_t, pingd_modules_t;
++ type pingd_t, pingd_etc_t, pingd_modules_t;
++ type pingd_initrc_exec_t;
+ ')
+
+- allow $1 pingd_t:process { ptrace signal_perms };
++ allow $1 pingd_t:process signal_perms;
+ ps_process_pattern($1, pingd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 pingd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, pingd_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/pingd.te b/pingd.te
+index e9cf8a4..c476cf4 100644
+--- a/pingd.te
++++ b/pingd.te
+@@ -11,7 +11,7 @@ init_daemon_domain(pingd_t, pingd_exec_t)
+
+ # type for config
+ type pingd_etc_t;
+-files_type(pingd_etc_t)
++files_config_file(pingd_etc_t)
+
+ type pingd_initrc_exec_t;
+ init_script_file(pingd_initrc_exec_t)
+@@ -27,7 +27,7 @@ files_type(pingd_modules_t)
+
+ allow pingd_t self:capability net_raw;
+ allow pingd_t self:tcp_socket create_stream_socket_perms;
+-allow pingd_t self:rawip_socket { write read create bind };
++allow pingd_t self:rawip_socket create_socket_perms;
+
+ read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
+
+@@ -43,5 +43,3 @@ auth_use_nsswitch(pingd_t)
+ files_search_usr(pingd_t)
+
+ logging_send_syslog_msg(pingd_t)
+-
+-miscfiles_read_localization(pingd_t)
+diff --git a/piranha.fc b/piranha.fc
+new file mode 100644
+index 0000000..20ea9f5
+--- /dev/null
++++ b/piranha.fc
+@@ -0,0 +1,24 @@
++
++/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
++
++# RHEL6
++#/etc/sysconfig/ha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
++
++/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
++
++/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0)
++/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
++/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
++/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
++
++/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0)
++/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
++/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
++
++/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0)
++
++/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
++/var/run/lvs\.pid -- gen_context(system_u:object_r:piranha_lvs_var_run_t,s0)
++/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0)
++/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0)
++
+diff --git a/piranha.if b/piranha.if
+new file mode 100644
+index 0000000..8d681d1
+--- /dev/null
++++ b/piranha.if
+@@ -0,0 +1,179 @@
++## policy for piranha
++
++#######################################
++##
++## Creates types and rules for a basic
++## cluster init daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`piranha_domain_template',`
++ gen_require(`
++ attribute piranha_domain;
++ ')
++
++ ##############################
++ #
++ # piranha_$1_t declarations
++ #
++
++ type piranha_$1_t, piranha_domain;
++ type piranha_$1_exec_t;
++ init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
++
++ # pid files
++ type piranha_$1_var_run_t;
++ files_pid_file(piranha_$1_var_run_t)
++
++ ##############################
++ #
++ # piranha_$1_t local policy
++ #
++
++ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
++ manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
++ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
++
++ kernel_read_system_state(piranha_$1_t)
++
++ auth_use_nsswitch(piranha_$1_t)
++
++ logging_send_syslog_msg(piranha_$1_t)
++')
++
++########################################
++##
++## Execute a domain transition to run fos.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`piranha_domtrans_fos',`
++ gen_require(`
++ type piranha_fos_t, piranha_fos_exec_t;
++ ')
++
++ domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t)
++')
++
++#######################################
++##
++## Execute a domain transition to run lvsd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`piranha_domtrans_lvs',`
++ gen_require(`
++ type piranha_lvs_t, piranha_lvs_exec_t;
++ ')
++
++ domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
++')
++
++#######################################
++##
++## Execute a domain transition to run pulse.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`piranha_domtrans_pulse',`
++ gen_require(`
++ type piranha_pulse_t, piranha_pulse_exec_t;
++ ')
++
++ domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
++')
++
++#######################################
++##
++## Execute pulse server in the pulse domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`piranha_pulse_initrc_domtrans',`
++ gen_require(`
++ type piranha_pulse_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
++')
++
++########################################
++##
++## Allow the specified domain to read piranha's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`piranha_read_log',`
++ gen_require(`
++ type piranha_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, piranha_log_t, piranha_log_t)
++')
++
++########################################
++##
++## Allow the specified domain to append
++## piranha log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`piranha_append_log',`
++ gen_require(`
++ type piranha_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, piranha_log_t, piranha_log_t)
++')
++
++########################################
++##
++## Allow domain to manage piranha log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`piranha_manage_log',`
++ gen_require(`
++ type piranha_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
++ manage_files_pattern($1, piranha_log_t, piranha_log_t)
++ manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
++')
+diff --git a/piranha.te b/piranha.te
+new file mode 100644
+index 0000000..b1d27d7
+--- /dev/null
++++ b/piranha.te
+@@ -0,0 +1,295 @@
++policy_module(piranha, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##
++## Allow piranha-lvs domain to connect to the network using TCP.
++##
++##
++gen_tunable(piranha_lvs_can_network_connect, false)
++
++attribute piranha_domain;
++
++piranha_domain_template(fos)
++
++piranha_domain_template(lvs)
++
++piranha_domain_template(pulse)
++
++type piranha_pulse_initrc_exec_t;
++init_script_file(piranha_pulse_initrc_exec_t)
++
++piranha_domain_template(web)
++
++type piranha_web_tmpfs_t;
++files_tmpfs_file(piranha_web_tmpfs_t)
++
++type piranha_web_conf_t;
++files_config_file(piranha_web_conf_t)
++
++type piranha_web_data_t;
++files_type(piranha_web_data_t)
++
++type piranha_web_tmp_t;
++files_tmp_file(piranha_web_tmp_t)
++
++type piranha_etc_rw_t;
++files_config_file(piranha_etc_rw_t)
++
++type piranha_log_t;
++logging_log_file(piranha_log_t)
++
++#######################################
++#
++# piranha-fos local policy
++#
++
++kernel_read_kernel_sysctls(piranha_fos_t)
++
++domain_read_all_domains_state(piranha_fos_t)
++
++optional_policy(`
++ consoletype_exec(piranha_fos_t)
++')
++
++# start and stop services
++init_domtrans_script(piranha_fos_t)
++
++########################################
++#
++# piranha-gui local policy
++#
++
++allow piranha_web_t self:capability { setuid sys_nice kill setgid };
++allow piranha_web_t self:process { getsched setsched signal signull };
++
++allow piranha_web_t self:rawip_socket create_socket_perms;
++allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
++allow piranha_web_t self:sem create_sem_perms;
++allow piranha_web_t self:shm create_shm_perms;
++
++manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
++manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
++files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
++
++read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
++
++rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
++
++manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
++manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
++logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file })
++
++can_exec(piranha_web_t, piranha_web_tmp_t)
++manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
++manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
++files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
++
++manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
++manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
++fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file })
++
++piranha_pulse_initrc_domtrans(piranha_web_t)
++
++kernel_read_kernel_sysctls(piranha_web_t)
++
++corenet_tcp_bind_http_cache_port(piranha_web_t)
++corenet_tcp_bind_luci_port(piranha_web_t)
++corenet_tcp_bind_piranha_port(piranha_web_t)
++corenet_tcp_connect_ricci_port(piranha_web_t)
++
++dev_read_rand(piranha_web_t)
++dev_read_urand(piranha_web_t)
++
++domain_read_all_domains_state(piranha_web_t)
++
++files_read_usr_files(piranha_web_t)
++
++optional_policy(`
++ consoletype_exec(piranha_web_t)
++')
++
++optional_policy(`
++ apache_read_config(piranha_web_t)
++ apache_exec_modules(piranha_web_t)
++ apache_exec(piranha_web_t)
++')
++
++optional_policy(`
++ gnome_dontaudit_search_config(piranha_web_t)
++')
++
++optional_policy(`
++ sasl_connect(piranha_web_t)
++')
++
++optional_policy(`
++ snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
++ snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
++')
++
++######################################
++#
++# piranha-lvs local policy
++#
++
++# neede by nanny
++allow piranha_lvs_t self:capability { net_raw sys_nice };
++allow piranha_lvs_t self:process signal;
++allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
++allow piranha_lvs_t self:rawip_socket create_socket_perms;
++
++kernel_read_kernel_sysctls(piranha_lvs_t)
++
++# needed by nanny
++corenet_tcp_connect_ftp_port(piranha_lvs_t)
++corenet_tcp_connect_http_port(piranha_lvs_t)
++corenet_tcp_connect_smtp_port(piranha_lvs_t)
++
++sysnet_dns_name_resolve(piranha_lvs_t)
++
++# needed by nanny
++tunable_policy(`piranha_lvs_can_network_connect',`
++ corenet_tcp_connect_all_ports(piranha_lvs_t)
++')
++
++# needed by ipvsadm
++optional_policy(`
++ iptables_domtrans(piranha_lvs_t)
++')
++
++#######################################
++#
++# piranha-pulse local policy
++#
++
++allow piranha_pulse_t self:capability net_admin;
++
++allow piranha_pulse_t self:packet_socket create_socket_perms;
++
++# pulse starts fos and lvs daemon
++domtrans_pattern(piranha_pulse_t, piranha_fos_exec_t, piranha_fos_t)
++allow piranha_pulse_t piranha_fos_t:process signal;
++
++domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t)
++allow piranha_pulse_t piranha_lvs_t:process signal;
++
++kernel_read_kernel_sysctls(piranha_pulse_t)
++kernel_read_rpc_sysctls(piranha_pulse_t)
++kernel_rw_rpc_sysctls(piranha_pulse_t)
++kernel_search_debugfs(piranha_pulse_t)
++kernel_search_network_state(piranha_pulse_t)
++
++corecmd_exec_bin(piranha_pulse_t)
++corecmd_exec_shell(piranha_pulse_t)
++optional_policy(`
++ consoletype_exec(piranha_pulse_t)
++')
++
++corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
++corenet_udp_bind_cma_port(piranha_pulse_t)
++
++domain_read_all_domains_state(piranha_pulse_t)
++domain_getattr_all_domains(piranha_pulse_t)
++
++fs_getattr_all_fs(piranha_pulse_t)
++
++init_initrc_domain(piranha_pulse_t)
++
++logging_send_syslog_msg(piranha_pulse_t)
++
++# various services to failover
++
++optional_policy(`
++ apache_domtrans(piranha_pulse_t)
++ apache_signal(piranha_pulse_t)
++')
++
++optional_policy(`
++ ftp_domtrans(piranha_pulse_t)
++ ftp_initrc_domtrans(piranha_pulse_t)
++ ftp_systemctl(piranha_pulse_t)
++')
++
++optional_policy(`
++ hostname_exec(piranha_pulse_t)
++')
++
++optional_policy(`
++ iptables_domtrans(piranha_pulse_t)
++')
++
++optional_policy(`
++ ldap_systemctl(piranha_pulse_t)
++ ldap_initrc_domtrans(piranha_pulse_t)
++ ldap_domtrans(piranha_pulse_t)
++')
++
++optional_policy(`
++ mysql_domtrans_mysql_safe(piranha_pulse_t)
++ mysql_stream_connect(piranha_pulse_t)
++')
++
++optional_policy(`
++ netutils_domtrans(piranha_pulse_t)
++ netutils_domtrans_ping(piranha_pulse_t)
++')
++
++optional_policy(`
++ postgresql_domtrans(piranha_pulse_t)
++ postgresql_signal(piranha_pulse_t)
++')
++
++optional_policy(`
++ samba_initrc_domtrans(piranha_pulse_t)
++ samba_systemctl(piranha_pulse_t)
++ samba_domtrans_smbd(piranha_pulse_t)
++ samba_domtrans_nmbd(piranha_pulse_t)
++ samba_manage_var_files(piranha_pulse_t)
++ samba_rw_config(piranha_pulse_t)
++ samba_signal_smbd(piranha_pulse_t)
++ samba_signal_nmbd(piranha_pulse_t)
++')
++
++optional_policy(`
++ sysnet_domtrans_ifconfig(piranha_pulse_t)
++')
++
++optional_policy(`
++ udev_read_db(piranha_pulse_t)
++')
++
++####################################
++#
++# piranha domains common policy
++#
++
++allow piranha_domain self:process signal_perms;
++allow piranha_domain self:fifo_file rw_fifo_file_perms;
++allow piranha_domain self:tcp_socket create_stream_socket_perms;
++allow piranha_domain self:udp_socket create_socket_perms;
++allow piranha_domain self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
++
++kernel_read_network_state(piranha_domain)
++
++corenet_tcp_sendrecv_generic_if(piranha_domain)
++corenet_udp_sendrecv_generic_if(piranha_domain)
++corenet_tcp_sendrecv_generic_node(piranha_domain)
++corenet_udp_sendrecv_generic_node(piranha_domain)
++corenet_tcp_sendrecv_all_ports(piranha_domain)
++corenet_udp_sendrecv_all_ports(piranha_domain)
++corenet_tcp_bind_generic_node(piranha_domain)
++corenet_udp_bind_generic_node(piranha_domain)
++
++files_read_etc_files(piranha_domain)
++
++corecmd_exec_bin(piranha_domain)
++corecmd_exec_shell(piranha_domain)
++
++sysnet_read_config(piranha_domain)
+diff --git a/pkcsslotd.fc b/pkcsslotd.fc
+new file mode 100644
+index 0000000..dd1b8f2
+--- /dev/null
++++ b/pkcsslotd.fc
+@@ -0,0 +1,5 @@
++/usr/lib/systemd/system/pkcsslotd.service -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0)
++
++/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0)
++
++/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0)
+diff --git a/pkcsslotd.if b/pkcsslotd.if
+new file mode 100644
+index 0000000..848ddc9
+--- /dev/null
++++ b/pkcsslotd.if
+@@ -0,0 +1,155 @@
++
++## policy for pkcsslotd
++
++########################################
++##
++## Transition to pkcsslotd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`pkcsslotd_domtrans',`
++ gen_require(`
++ type pkcsslotd_t, pkcsslotd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, pkcsslotd_exec_t, pkcsslotd_t)
++')
++
++########################################
++##
++## Search pkcsslotd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pkcsslotd_search_lib',`
++ gen_require(`
++ type pkcsslotd_var_lib_t;
++ ')
++
++ allow $1 pkcsslotd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read pkcsslotd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pkcsslotd_read_lib_files',`
++ gen_require(`
++ type pkcsslotd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
++')
++
++########################################
++##
++## Manage pkcsslotd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pkcsslotd_manage_lib_files',`
++ gen_require(`
++ type pkcsslotd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
++')
++
++########################################
++##
++## Manage pkcsslotd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pkcsslotd_manage_lib_dirs',`
++ gen_require(`
++ type pkcsslotd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
++')
++
++########################################
++##
++## Execute pkcsslotd server in the pkcsslotd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`pkcsslotd_systemctl',`
++ gen_require(`
++ type pkcsslotd_t;
++ type pkcsslotd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 pkcsslotd_unit_file_t:file read_file_perms;
++ allow $1 pkcsslotd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, pkcsslotd_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an pkcsslotd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pkcsslotd_admin',`
++ gen_require(`
++ type pkcsslotd_t;
++ type pkcsslotd_var_lib_t;
++ type pkcsslotd_unit_file_t;
++ ')
++
++ allow $1 pkcsslotd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, pkcsslotd_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, pkcsslotd_var_lib_t)
++
++ pkcsslotd_systemctl($1)
++ admin_pattern($1, pkcsslotd_unit_file_t)
++ allow $1 pkcsslotd_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/pkcsslotd.te b/pkcsslotd.te
+new file mode 100644
+index 0000000..9ab2c4d
+--- /dev/null
++++ b/pkcsslotd.te
+@@ -0,0 +1,61 @@
++policy_module(pkcsslotd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type pkcsslotd_t;
++type pkcsslotd_exec_t;
++init_daemon_domain(pkcsslotd_t, pkcsslotd_exec_t)
++
++type pkcsslotd_var_lib_t;
++files_type(pkcsslotd_var_lib_t)
++
++type pkcsslotd_unit_file_t;
++systemd_unit_file(pkcsslotd_unit_file_t)
++
++type pkcsslotd_tmp_t;
++files_tmp_file(pkcsslotd_tmp_t)
++
++type pkcsslotd_tmpfs_t;
++files_tmpfs_file(pkcsslotd_tmpfs_t)
++
++type pkcsslotd_var_run_t;
++files_pid_file(pkcsslotd_var_run_t)
++
++########################################
++#
++# pkcsslotd local policy
++#
++
++allow pkcsslotd_t self:capability { kill };
++allow pkcsslotd_t self:process { fork };
++
++allow pkcsslotd_t self:fifo_file rw_fifo_file_perms;
++allow pkcsslotd_t self:sem create_sem_perms;
++allow pkcsslotd_t self:shm create_shm_perms;
++allow pkcsslotd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
++manage_files_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
++files_tmp_filetrans(pkcsslotd_t, pkcsslotd_tmp_t, { file dir })
++
++manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmpfs_t, pkcsslotd_tmpfs_t)
++manage_files_pattern(pkcsslotd_t, pkcsslotd_tmpfs_t, pkcsslotd_tmpfs_t)
++fs_tmpfs_filetrans(pkcsslotd_t, pkcsslotd_tmpfs_t, { dir file })
++
++manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
++manage_files_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
++manage_lnk_files_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
++files_var_lib_filetrans(pkcsslotd_t, pkcsslotd_var_lib_t, { dir file lnk_file })
++
++manage_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t, pkcsslotd_var_run_t)
++manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t)
++files_pid_filetrans(pkcsslotd_t, pkcsslotd_var_run_t, { file dir })
++
++domain_use_interactive_fds(pkcsslotd_t)
++
++files_read_etc_files(pkcsslotd_t)
++
++logging_send_syslog_msg(pkcsslotd_t)
+diff --git a/pki.fc b/pki.fc
+new file mode 100644
+index 0000000..0c167b7
+--- /dev/null
++++ b/pki.fc
+@@ -0,0 +1,55 @@
++/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
++/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
++/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++
++/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
++/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
++/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
++/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
++/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
++/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0)
++
++/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
++/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
++/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
++/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
++/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
++/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0)
++
++# default labeling for nCipher
++/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0)
++/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0)
++/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0)
++/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0)
++
++# old paths (for migration)
++/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/var/lib/pki-ca/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/var/lib/pki-kra/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/var/lib/pki-ocsp/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++
++/var/lock/subsys/pkidaemon -- gen_context(system_u:object_r:pki_tomcat_lock_t,s0)
++
++#/etc/systemd/system/pki-tomcatd\.target\.wants(/.*)? gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
++/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
+diff --git a/pki.if b/pki.if
+new file mode 100644
+index 0000000..83c13cf
+--- /dev/null
++++ b/pki.if
+@@ -0,0 +1,248 @@
++
++## policy for pki
++########################################
++##
++## Allow read and write pki cert files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_rw_tomcat_cert',`
++ gen_require(`
++ type pki_tomcat_cert_t;
++ type pki_tomcat_etc_rw_t;
++ ')
++
++ allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;
++ rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
++')
++
++########################################
++##
++## Create a set of derived types for apache
++## web content.
++##
++##
++##
++## The prefix to be used for deriving type names.
++##
++##
++#
++template(`pki_apache_template',`
++ gen_require(`
++ attribute pki_apache_domain;
++ attribute pki_apache_config, pki_apache_var_lib, pki_apache_var_run;
++ attribute pki_apache_executable, pki_apache_script, pki_apache_var_log;
++ ')
++
++ ########################################
++ #
++ # Declarations
++ #
++
++ type $1_t, pki_apache_domain;
++ type $1_exec_t, pki_apache_executable;
++ domain_type($1_t)
++ init_daemon_domain($1_t, $1_exec_t)
++
++ type $1_script_exec_t, pki_apache_script;
++ init_script_file($1_script_exec_t)
++
++ type $1_etc_rw_t, pki_apache_config;
++ files_type($1_etc_rw_t)
++
++ type $1_var_run_t, pki_apache_var_run;
++ files_pid_file($1_var_run_t)
++
++ type $1_var_lib_t, pki_apache_var_lib;
++ files_type($1_var_lib_t)
++
++ type $1_log_t, pki_apache_var_log;
++ logging_log_file($1_log_t)
++
++ type $1_lock_t;
++ files_lock_file($1_lock_t)
++
++ ########################################
++ #
++ # $1 local policy
++ #
++
++ files_read_etc_files($1_t)
++ allow $1_t $1_etc_rw_t:lnk_file read;
++
++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
++
++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
++
++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
++
++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
++ manage_files_pattern($1_t, $1_log_t, $1_log_t)
++ logging_log_filetrans($1_t, $1_log_t, { file dir } )
++
++ manage_dirs_pattern($1_t, $1_lock_t, $1_lock_t)
++ manage_files_pattern($1_t, $1_lock_t, $1_lock_t)
++ manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
++ files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })
++
++ #talk to lunasa hsm
++ logging_send_syslog_msg($1_t)
++
++ kernel_read_kernel_sysctls($1_t)
++ kernel_read_system_state($1_t)
++
++ corenet_all_recvfrom_unlabeled($1_t)
++
++ # need to resolve addresses?
++ auth_use_nsswitch($1_t)
++
++ #pki_apache_domain_signal(httpd_t)
++ #pki_apache_domain_signal(httpd_t)
++ #pki_manage_apache_run(httpd_t)
++ #pki_manage_apache_config_files(httpd_t)
++ #pki_manage_apache_log_files(httpd_t)
++ #pki_manage_apache_lib(httpd_t)
++')
++
++#######################################
++##
++## Send a null signal to pki apache domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_apache_domain_signal',`
++ gen_require(`
++ attribute pki_apache_domain;
++ ')
++
++ allow $1 pki_apache_domain:process signal;
++')
++
++#######################################
++##
++## Send a null signal to pki apache domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_apache_domain_signull',`
++ gen_require(`
++ attribute pki_apache_domain;
++ ')
++
++ allow $1 pki_apache_domain:process signull;
++')
++
++###################################
++##
++## Allow domain to read pki apache subsystem pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_manage_apache_run',`
++ gen_require(`
++ attribute pki_apache_var_run;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, pki_apache_var_run, pki_apache_var_run)
++')
++
++####################################
++##
++## Allow domain to manage pki apache subsystem lib files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_manage_apache_lib',`
++ gen_require(`
++ attribute pki_apache_var_lib;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
++ manage_lnk_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
++')
++
++##################################
++##
++## Dontaudit domain to write pki log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_dontaudit_write_log',`
++ gen_require(`
++ type pki_log_t;
++ ')
++
++ dontaudit $1 pki_log_t:file write;
++')
++
++###################################
++##
++## Allow domain to manage pki apache subsystem log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_manage_apache_log_files',`
++ gen_require(`
++ attribute pki_apache_var_log;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, pki_apache_var_log, pki_apache_var_log)
++')
++
++##################################
++##
++## Allow domain to manage pki apache subsystem config files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_manage_apache_config_files',`
++ gen_require(`
++ attribute pki_apache_config;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, pki_apache_config, pki_apache_config)
++')
++
+diff --git a/pki.te b/pki.te
+new file mode 100644
+index 0000000..dfebbd9
+--- /dev/null
++++ b/pki.te
+@@ -0,0 +1,289 @@
++policy_module(pki,10.0.11)
++
++########################################
++#
++# Declarations
++#
++
++attribute pki_apache_domain;
++attribute pki_apache_config;
++attribute pki_apache_executable;
++attribute pki_apache_var_lib;
++attribute pki_apache_var_log;
++attribute pki_apache_var_run;
++attribute pki_apache_pidfiles;
++attribute pki_apache_script;
++
++type pki_log_t;
++files_type(pki_log_t)
++
++type pki_common_t;
++files_type(pki_common_t)
++
++type pki_common_dev_t;
++files_type(pki_common_dev_t)
++
++type pki_tomcat_etc_rw_t;
++files_type(pki_tomcat_etc_rw_t)
++
++type pki_tomcat_cert_t;
++files_type(pki_tomcat_cert_t)
++
++tomcat_domain_template(pki_tomcat)
++
++type pki_tomcat_unit_file_t;
++systemd_unit_file(pki_tomcat_unit_file_t)
++
++type pki_tomcat_lock_t;
++files_lock_file(pki_tomcat_lock_t)
++
++# old type aliases for migration
++typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
++typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
++typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
++typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
++typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
++# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
++
++
++# pki policy types
++type pki_tps_tomcat_exec_t;
++files_type(pki_tps_tomcat_exec_t)
++
++pki_apache_template(pki_tps)
++
++# ra policy types
++type pki_ra_tomcat_exec_t;
++files_type(pki_ra_tomcat_exec_t)
++
++pki_apache_template(pki_ra)
++
++# needed for dogtag 9 style instances
++type pki_tomcat_script_t;
++domain_type(pki_tomcat_script_t)
++role system_r types pki_tomcat_script_t;
++
++optional_policy(`
++ unconfined_domain(pki_tomcat_script_t)
++')
++
++########################################
++#
++# pki-tomcat local policy
++#
++
++allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
++allow pki_tomcat_t self:process { signal setsched signull execmem };
++
++allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
++allow pki_tomcat_t self:tcp_socket { accept listen };
++
++# allow writing to the kernel keyring
++allow pki_tomcat_t self:key { write read };
++
++manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
++manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
++
++manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
++manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
++
++manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
++manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
++manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
++files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
++
++read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
++read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
++allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
++allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
++systemd_search_unit_dirs(pki_tomcat_t)
++
++# allow java subsystems to talk to the ncipher hsm
++allow pki_tomcat_t pki_common_dev_t:sock_file write;
++allow pki_tomcat_t pki_common_dev_t:dir search;
++allow pki_tomcat_t pki_common_t:dir create_dir_perms;
++manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
++can_exec(pki_tomcat_t, pki_common_t)
++init_stream_connect_script(pki_tomcat_t)
++
++search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
++
++kernel_read_kernel_sysctls(pki_tomcat_t)
++
++corenet_tcp_connect_http_cache_port(pki_tomcat_t)
++corenet_tcp_connect_ldap_port(pki_tomcat_t)
++corenet_tcp_connect_smtp_port(pki_tomcat_t)
++corenet_tcp_connect_pki_ca_port(pki_tomcat_t)
++corenet_tcp_connect_ldap_port(pki_tomcat_t)
++
++selinux_get_enforce_mode(pki_tomcat_t)
++
++logging_send_audit_msgs(pki_tomcat_t)
++
++miscfiles_read_hwdata(pki_tomcat_t)
++
++# is this really needed?
++userdom_manage_user_tmp_dirs(pki_tomcat_t)
++userdom_manage_user_tmp_files(pki_tomcat_t)
++
++# forward proxy
++# need to define ports to fix this
++#corenet_tcp_connect_pki_tomcat_port(httpd_t)
++
++# for crl publishing
++allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
++
++# for ECC
++auth_getattr_shadow(pki_tomcat_t)
++
++optional_policy(`
++ consoletype_exec(pki_tomcat_t)
++')
++
++optional_policy(`
++ dirsrv_manage_var_lib(pki_tomcat_t)
++')
++
++optional_policy(`
++ hostname_exec(pki_tomcat_t)
++')
++
++# install/ uninstall instance
++# WHY? leak?
++#allow load_policy_t pki_log_t:file write;
++#allow setfiles_t pki_log_t:file write;
++
++#######################################
++#
++# tps local policy
++#
++
++# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
++allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
++
++corenet_tcp_bind_pki_tps_port(pki_tps_t)
++# customer may run an ldap server on 389
++corenet_tcp_connect_ldap_port(pki_tps_t)
++# connect to other subsystems
++corenet_tcp_connect_pki_ca_port(pki_tps_t)
++corenet_tcp_connect_pki_kra_port(pki_tps_t)
++corenet_tcp_connect_pki_tks_port(pki_tps_t)
++
++files_exec_usr_files(pki_tps_t)
++files_read_usr_files(pki_tps_t)
++
++# why do I need to add this?
++#allow httpd_t httpd_config_t:file execute;
++
++######################################
++#
++# ra local policy
++#
++
++# RA specific? talking to mysql?
++allow pki_ra_t self:udp_socket { write read create connect };
++allow pki_ra_t self:unix_dgram_socket { write create connect };
++
++corenet_tcp_bind_pki_ra_port(pki_ra_t)
++# talk to other subsystems
++corenet_tcp_connect_pki_ca_port(pki_ra_t)
++corenet_tcp_connect_smtp_port(pki_ra_t)
++
++fs_getattr_xattr_fs(pki_ra_t)
++
++files_search_spool(pki_ra_t)
++files_exec_usr_files(pki_ra_t)
++
++optional_policy(`
++ mta_send_mail(pki_ra_t)
++ mta_manage_spool(pki_ra_t)
++ mta_manage_queue(pki_ra_t)
++ mta_read_config(pki_ra_t)
++')
++
++#####################################
++#
++# pki_apache_domain local policy
++#
++
++
++allow pki_apache_domain self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
++allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill};
++
++allow pki_apache_domain self:sem all_sem_perms;
++allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
++allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };
++
++# allow writing to the kernel keyring
++allow pki_apache_domain self:key { write read };
++
++## internal communication is often done using fifo and unix sockets.
++allow pki_apache_domain self:fifo_file rw_file_perms;
++allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;
++
++# talk to the hsm
++allow pki_apache_domain pki_common_dev_t:sock_file write;
++allow pki_apache_domain pki_common_dev_t:dir search;
++allow pki_apache_domain pki_common_t:dir create_dir_perms;
++manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
++can_exec(pki_apache_domain, pki_common_t)
++init_stream_connect_script(pki_apache_domain)
++
++corenet_sendrecv_unlabeled_packets(pki_apache_domain)
++corenet_tcp_bind_all_nodes(pki_apache_domain)
++corenet_tcp_sendrecv_all_if(pki_apache_domain)
++corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
++corenet_tcp_sendrecv_all_ports(pki_apache_domain)
++#corenet_all_recvfrom_unlabeled(pki_apache_domain)
++corenet_tcp_connect_generic_port(pki_apache_domain)
++
++# Init script handling
++domain_use_interactive_fds(pki_apache_domain)
++
++seutil_exec_setfiles(pki_apache_domain)
++
++init_dontaudit_write_utmp(pki_apache_domain)
++
++libs_use_ld_so(pki_apache_domain)
++libs_use_shared_libs(pki_apache_domain)
++libs_exec_ld_so(pki_apache_domain)
++libs_exec_lib_files(pki_apache_domain)
++
++fs_search_cgroup_dirs(pki_apache_domain)
++
++corecmd_exec_bin(pki_apache_domain)
++corecmd_exec_shell(pki_apache_domain)
++
++dev_read_urand(pki_apache_domain)
++dev_read_rand(pki_apache_domain)
++
++# shutdown script uses ps
++domain_dontaudit_read_all_domains_state(pki_apache_domain)
++ps_process_pattern(pki_apache_domain, pki_apache_domain)
++
++sysnet_read_config(pki_apache_domain)
++
++ifdef(`targeted_policy',`
++ term_dontaudit_use_unallocated_ttys(pki_apache_domain)
++ term_dontaudit_use_generic_ptys(pki_apache_domain)
++')
++
++optional_policy(`
++ # apache permissions
++ apache_exec_modules(pki_apache_domain)
++ apache_list_modules(pki_apache_domain)
++ apache_read_config(pki_apache_domain)
++ apache_exec(pki_apache_domain)
++ apache_entrypoint(pki_apache_domain)
++
++ # should be started using a script which will execute httpd
++ # start up httpd in pki_apache_domain mode
++ #can_exec(pki_apache_domain, httpd_config_t)
++ #can_exec(pki_apache_domain, httpd_suexec_exec_t)
++')
++
++# allow rpm -q in init scripts
++optional_policy(`
++ rpm_exec(pki_apache_domain)
++')
++
+diff --git a/plymouthd.fc b/plymouthd.fc
+index 5702ca4..ef1dd7a 100644
+--- a/plymouthd.fc
++++ b/plymouthd.fc
+@@ -2,6 +2,14 @@
+
+ /sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+
++/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
++
+ /var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
++
+ /var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
++/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
++
++/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
++
+ /var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
++
+diff --git a/plymouthd.if b/plymouthd.if
+index 9759ed8..17c097d 100644
+--- a/plymouthd.if
++++ b/plymouthd.if
+@@ -120,7 +120,7 @@ interface(`plymouthd_search_spool', `
+ ##
+ ##
+ #
+-interface(`plymouthd_read_spool_files', `
++interface(`plymouthd_read_spool_files',`
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+@@ -228,20 +228,56 @@ interface(`plymouthd_read_pid_files', `
+
+ ########################################
+ ##
+-## All of the rules required to administrate
+-## an plymouthd environment
++## Allow the specified domain to read
++## to plymouthd log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`plymouthd_read_log',`
++ gen_require(`
++ type plymouthd_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
++')
++
++########################################
++##
++## Allow the specified domain to manage
++## to plymouthd log files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
++#
++interface(`plymouthd_manage_log',`
++ gen_require(`
++ type plymouthd_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
++ manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
++ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an plymouthd environment
++##
++##
+ ##
+-## Role allowed access.
++## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`plymouthd_admin', `
+ gen_require(`
+@@ -249,12 +285,17 @@ interface(`plymouthd_admin', `
+ type plymouthd_var_run_t;
+ ')
+
+- allow $1 plymouthd_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, plymouthd_t, plymouthd_t)
++ allow $1 plymouthd_t:process signal_perms;
++ ps_process_pattern($1, plymouthd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 plymouthd_t:process ptrace;
++ ')
+
++ files_list_var_lib($1)
+ admin_pattern($1, plymouthd_spool_t)
+
+ admin_pattern($1, plymouthd_var_lib_t)
+
++ files_list_pids($1)
+ admin_pattern($1, plymouthd_var_run_t)
+ ')
+diff --git a/plymouthd.te b/plymouthd.te
+index 86700ed..5772ef0 100644
+--- a/plymouthd.te
++++ b/plymouthd.te
+@@ -1,4 +1,4 @@
+-policy_module(plymouthd, 1.1.0)
++policy_module(plymouthd, 1.0.1)
+
+ ########################################
+ #
+@@ -8,17 +8,21 @@ policy_module(plymouthd, 1.1.0)
+ type plymouth_t;
+ type plymouth_exec_t;
+ application_domain(plymouth_t, plymouth_exec_t)
++role system_r types plymouth_t;
+
+ type plymouthd_t;
+ type plymouthd_exec_t;
+ init_daemon_domain(plymouthd_t, plymouthd_exec_t)
+
+ type plymouthd_spool_t;
+-files_type(plymouthd_spool_t)
++files_spool_file(plymouthd_spool_t)
+
+ type plymouthd_var_lib_t;
+ files_type(plymouthd_var_lib_t)
+
++type plymouthd_var_log_t;
++logging_log_file(plymouthd_var_log_t)
++
+ type plymouthd_var_run_t;
+ files_pid_file(plymouthd_var_run_t)
+
+@@ -28,6 +32,7 @@ files_pid_file(plymouthd_var_run_t)
+ #
+
+ allow plymouthd_t self:capability { sys_admin sys_tty_config };
++allow plymouthd_t self:capability2 block_suspend;
+ dontaudit plymouthd_t self:capability dac_override;
+ allow plymouthd_t self:process { signal getsched };
+ allow plymouthd_t self:fifo_file rw_fifo_file_perms;
+@@ -42,6 +47,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+ files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
+
++manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
++manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
++logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
++
+ manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+ manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+ files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
+@@ -57,13 +66,42 @@ dev_write_framebuffer(plymouthd_t)
+
+ domain_use_interactive_fds(plymouthd_t)
+
++fs_getattr_all_fs(plymouthd_t)
++
+ files_read_etc_files(plymouthd_t)
+ files_read_usr_files(plymouthd_t)
+
+-miscfiles_read_localization(plymouthd_t)
++term_getattr_pty_fs(plymouthd_t)
++term_use_all_terms(plymouthd_t)
++term_use_ptmx(plymouthd_t)
++
++init_signal(plymouthd_t)
++
++logging_link_generic_logs(plymouthd_t)
++logging_delete_generic_logs(plymouthd_t)
++
++auth_read_passwd(plymouthd_t)
++
+ miscfiles_read_fonts(plymouthd_t)
+ miscfiles_manage_fonts_cache(plymouthd_t)
+
++userdom_read_admin_home_files(plymouthd_t)
++
++term_use_unallocated_ttys(plymouthd_t)
++
++optional_policy(`
++ gnome_read_config(plymouthd_t)
++')
++
++optional_policy(`
++ sssd_stream_connect(plymouthd_t)
++')
++
++optional_policy(`
++ xserver_xdm_manage_spool(plymouthd_t)
++ xserver_read_state_xdm(plymouthd_t)
++')
++
+ ########################################
+ #
+ # Plymouth private policy
+@@ -74,6 +112,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+ allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
+
+ kernel_read_system_state(plymouth_t)
++kernel_stream_connect(plymouth_t)
+
+ domain_use_interactive_fds(plymouth_t)
+
+@@ -81,7 +120,6 @@ files_read_etc_files(plymouth_t)
+
+ term_use_ptmx(plymouth_t)
+
+-miscfiles_read_localization(plymouth_t)
+
+ sysnet_read_config(plymouth_t)
+
+diff --git a/podsleuth.te b/podsleuth.te
+index 4cffb07..4170218 100644
+--- a/podsleuth.te
++++ b/podsleuth.te
+@@ -25,7 +25,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
+ # podsleuth local policy
+ #
+ allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
++allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
++
+ allow podsleuth_t self:fifo_file rw_file_perms;
+ allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+ allow podsleuth_t self:sem create_sem_perms;
+@@ -66,7 +67,6 @@ fs_getattr_tmpfs(podsleuth_t)
+ fs_list_tmpfs(podsleuth_t)
+ fs_rw_removable_blk_files(podsleuth_t)
+
+-miscfiles_read_localization(podsleuth_t)
+
+ sysnet_dns_name_resolve(podsleuth_t)
+
+diff --git a/policykit.fc b/policykit.fc
+index 63d0061..4718a93 100644
+--- a/policykit.fc
++++ b/policykit.fc
+@@ -1,16 +1,20 @@
+ /usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+-/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
++/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+ /usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+ /usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+-/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
++/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
+ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+ /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+ /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+-/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
++/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
++/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
++/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
++/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
+ /var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
+ /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
++/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+ /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+ /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
+
+diff --git a/policykit.if b/policykit.if
+index 48ff1e8..be00a65 100644
+--- a/policykit.if
++++ b/policykit.if
+@@ -17,18 +17,43 @@ interface(`policykit_dbus_chat',`
+ class dbus send_msg;
+ ')
+
++ ps_process_pattern(policykit_t, $1)
++
+ allow $1 policykit_t:dbus send_msg;
+ allow policykit_t $1:dbus send_msg;
+ ')
+
+ ########################################
+ ##
+-## Execute a domain transition to run polkit_auth.
++## Send and receive messages from
++## policykit over dbus.
+ ##
+ ##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`policykit_dbus_chat_auth',`
++ gen_require(`
++ type policykit_auth_t;
++ class dbus send_msg;
++ ')
++
++ ps_process_pattern(policykit_auth_t, $1)
++
++ allow $1 policykit_auth_t:dbus send_msg;
++ allow policykit_auth_t $1:dbus send_msg;
++')
++
++########################################
+ ##
+-## Domain allowed to transition.
++## Execute a domain transition to run polkit_auth.
+ ##
++##
++##
++## Domain allowed to transition.
++##
+ ##
+ #
+ interface(`policykit_domtrans_auth',`
+@@ -54,6 +79,7 @@ interface(`policykit_domtrans_auth',`
+ ## Role allowed access.
+ ##
+ ##
++##
+ #
+ interface(`policykit_run_auth',`
+ gen_require(`
+@@ -62,6 +88,9 @@ interface(`policykit_run_auth',`
+
+ policykit_domtrans_auth($1)
+ role $2 types policykit_auth_t;
++
++ allow $1 policykit_auth_t:process signal;
++ ps_process_pattern(policykit_auth_t, $1)
+ ')
+
+ ########################################
+@@ -69,9 +98,9 @@ interface(`policykit_run_auth',`
+ ## Execute a domain transition to run polkit_grant.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`policykit_domtrans_grant',`
+@@ -155,9 +184,9 @@ interface(`policykit_rw_reload',`
+ ## Execute a domain transition to run polkit_resolve.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`policykit_domtrans_resolve',`
+@@ -206,4 +235,50 @@ interface(`policykit_read_lib',`
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
++
++ optional_policy(`
++ # Broken placement
++ cron_read_system_job_lib_files($1)
++ ')
++')
++
++#######################################
++##
++## The per role template for the policykit module.
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++template(`policykit_role',`
++ policykit_run_auth($2, $1)
++ policykit_run_grant($2, $1)
++ policykit_read_lib($2)
++ policykit_read_reload($2)
++ policykit_dbus_chat($2)
++')
++
++########################################
++##
++## Send generic signal to policy_auth
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`policykit_signal_auth',`
++ gen_require(`
++ type policykit_auth_t;
++ ')
++
++ allow $1 policykit_auth_t:process signal;
+ ')
+diff --git a/policykit.te b/policykit.te
+index 44db896..946bfb5 100644
+--- a/policykit.te
++++ b/policykit.te
+@@ -1,51 +1,67 @@
+-policy_module(policykit, 1.2.0)
++policy_module(policykit, 1.1.0)
+
+ ########################################
+ #
+ # Declarations
+ #
+
+-type policykit_t alias polkit_t;
+-type policykit_exec_t alias polkit_exec_t;
++attribute policykit_domain;
++
++type policykit_t, policykit_domain;
++type policykit_exec_t;
+ init_daemon_domain(policykit_t, policykit_exec_t)
+
+-type policykit_auth_t alias polkit_auth_t;
+-type policykit_auth_exec_t alias polkit_auth_exec_t;
++type policykit_auth_t, policykit_domain;
++type policykit_auth_exec_t;
+ init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+
+-type policykit_grant_t alias polkit_grant_t;
+-type policykit_grant_exec_t alias polkit_grant_exec_t;
++type policykit_grant_t, policykit_domain;
++type policykit_grant_exec_t;
+ init_system_domain(policykit_grant_t, policykit_grant_exec_t)
+
+-type policykit_resolve_t alias polkit_resolve_t;
+-type policykit_resolve_exec_t alias polkit_resolve_exec_t;
++type policykit_resolve_t, policykit_domain;
++type policykit_resolve_exec_t;
+ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
+
+ type policykit_reload_t alias polkit_reload_t;
+ files_type(policykit_reload_t)
+
++type policykit_tmp_t;
++files_tmp_file(policykit_tmp_t)
++
+ type policykit_var_lib_t alias polkit_var_lib_t;
+ files_type(policykit_var_lib_t)
+
+ type policykit_var_run_t alias polkit_var_run_t;
+ files_pid_file(policykit_var_run_t)
+
++#######################################
++#
++# policykit_domain local policy
++#
++
++allow policykit_domain self:process { execmem getattr };
++allow policykit_domain self:fifo_file rw_fifo_file_perms;
++
++dev_read_sysfs(policykit_domain)
++
+ ########################################
+ #
+ # policykit local policy
+ #
+
+-allow policykit_t self:capability { setgid setuid };
+-allow policykit_t self:process getattr;
+-allow policykit_t self:fifo_file rw_file_perms;
++allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
++allow policykit_t self:process { getsched setsched signal };
+ allow policykit_t self:unix_dgram_socket create_socket_perms;
+-allow policykit_t self:unix_stream_socket create_stream_socket_perms;
++allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+ policykit_domtrans_auth(policykit_t)
+
+ can_exec(policykit_t, policykit_exec_t)
+ corecmd_exec_bin(policykit_t)
+
++dev_read_sysfs(policykit_t)
++
+ rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
+
+ policykit_domtrans_resolve(policykit_t)
+@@ -56,56 +72,115 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+ manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+ files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+
++kernel_read_system_state(policykit_t)
+ kernel_read_kernel_sysctls(policykit_t)
+
+-files_read_etc_files(policykit_t)
++domain_read_all_domains_state(policykit_t)
++
+ files_read_usr_files(policykit_t)
++files_dontaudit_search_all_mountpoints(policykit_t)
++
++fs_list_inotifyfs(policykit_t)
+
+ auth_use_nsswitch(policykit_t)
+
+ logging_send_syslog_msg(policykit_t)
+
+-miscfiles_read_localization(policykit_t)
+-
++userdom_getattr_all_users(policykit_t)
+ userdom_read_all_users_state(policykit_t)
++userdom_dontaudit_search_admin_dir(policykit_t)
++
++optional_policy(`
++ dbus_system_domain(policykit_t, policykit_exec_t)
++
++ init_dbus_chat(policykit_t)
++
++ optional_policy(`
++ consolekit_dbus_chat(policykit_t)
++ ')
++
++ optional_policy(`
++ rpm_dbus_chat(policykit_t)
++ ')
++')
++
++optional_policy(`
++ consolekit_list_pid_files(policykit_t)
++ consolekit_read_pid_files(policykit_t)
++')
++
++optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0")
++ kerberos_manage_host_rcache(policykit_t)
++')
++
++optional_policy(`
++ gnome_read_config(policykit_t)
++')
++
++optional_policy(`
++ systemd_read_logind_sessions_files(policykit_t)
++ systemd_login_list_pid_dirs(policykit_t)
++ systemd_login_read_pid_files(policykit_t)
++')
+
+ ########################################
+ #
+ # polkit_auth local policy
+ #
+
+-allow policykit_auth_t self:capability setgid;
+-allow policykit_auth_t self:process getattr;
+-allow policykit_auth_t self:fifo_file rw_file_perms;
++allow policykit_auth_t self:capability { sys_nice ipc_lock setgid setuid };
++dontaudit policykit_auth_t self:capability sys_tty_config;
++allow policykit_auth_t self:process { setsched getsched signal };
++
+ allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
+ allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
++policykit_dbus_chat(policykit_auth_t)
++
++kernel_read_system_state(policykit_auth_t)
++
+ can_exec(policykit_auth_t, policykit_auth_exec_t)
+-corecmd_search_bin(policykit_auth_t)
++corecmd_exec_bin(policykit_auth_t)
+
+ rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
+
++manage_dirs_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t)
++manage_files_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t)
++files_tmp_filetrans(policykit_auth_t, policykit_tmp_t, { file dir })
++
+ manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t)
+
+ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+ files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+
+-kernel_read_system_state(policykit_auth_t)
++kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
+
+-files_read_etc_files(policykit_auth_t)
++dev_read_video_dev(policykit_auth_t)
++
++files_read_etc_runtime_files(policykit_auth_t)
+ files_read_usr_files(policykit_auth_t)
++files_search_home(policykit_auth_t)
++
++fs_getattr_all_fs(policykit_auth_t)
++fs_search_tmpfs(policykit_auth_t)
+
++auth_rw_var_auth(policykit_auth_t)
+ auth_use_nsswitch(policykit_auth_t)
++auth_domtrans_chk_passwd(policykit_auth_t)
+
+ logging_send_syslog_msg(policykit_auth_t)
+
+-miscfiles_read_localization(policykit_auth_t)
++miscfiles_read_fonts(policykit_auth_t)
++miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
+
+ userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
++userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
++userdom_read_admin_home_files(policykit_auth_t)
+
+ optional_policy(`
+- dbus_system_bus_client(policykit_auth_t)
++ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
+ dbus_session_bus_client(policykit_auth_t)
+
+ optional_policy(`
+@@ -118,14 +193,26 @@ optional_policy(`
+ hal_read_state(policykit_auth_t)
+ ')
+
++optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0")
++ kerberos_manage_host_rcache(policykit_auth_t)
++')
++
++optional_policy(`
++ xserver_stream_connect(policykit_auth_t)
++ xserver_xdm_append_log(policykit_auth_t)
++ xserver_read_xdm_pid(policykit_auth_t)
++ xserver_search_xdm_lib(policykit_auth_t)
++ xserver_create_xdm_tmp_sockets(policykit_auth_t)
++')
++
+ ########################################
+ #
+ # polkit_grant local policy
+ #
+
+ allow policykit_grant_t self:capability setuid;
+-allow policykit_grant_t self:process getattr;
+-allow policykit_grant_t self:fifo_file rw_file_perms;
++
+ allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
+ allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
+
+@@ -142,22 +229,22 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+
+ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
+
+-files_read_etc_files(policykit_grant_t)
+ files_read_usr_files(policykit_grant_t)
+
+-auth_use_nsswitch(policykit_grant_t)
+ auth_domtrans_chk_passwd(policykit_grant_t)
++auth_use_nsswitch(policykit_grant_t)
+
+ logging_send_syslog_msg(policykit_grant_t)
+
+-miscfiles_read_localization(policykit_grant_t)
+-
+ userdom_read_all_users_state(policykit_grant_t)
+
+ optional_policy(`
+- dbus_system_bus_client(policykit_grant_t)
++ cron_manage_system_job_lib_files(policykit_grant_t)
++')
+
+ optional_policy(`
++ dbus_system_bus_client(policykit_grant_t)
++ optional_policy(`
+ consolekit_dbus_chat(policykit_grant_t)
+ ')
+ ')
+@@ -167,9 +254,8 @@ optional_policy(`
+ # polkit_resolve local policy
+ #
+
+-allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
+-allow policykit_resolve_t self:process getattr;
+-allow policykit_resolve_t self:fifo_file rw_file_perms;
++allow policykit_resolve_t self:capability { setuid sys_nice };
++
+ allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
+ allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+
+@@ -182,17 +268,12 @@ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t
+ can_exec(policykit_resolve_t, policykit_resolve_exec_t)
+ corecmd_search_bin(policykit_resolve_t)
+
+-files_read_etc_files(policykit_resolve_t)
+ files_read_usr_files(policykit_resolve_t)
+
+-mcs_ptrace_all(policykit_resolve_t)
+-
+ auth_use_nsswitch(policykit_resolve_t)
+
+ logging_send_syslog_msg(policykit_resolve_t)
+
+-miscfiles_read_localization(policykit_resolve_t)
+-
+ userdom_read_all_users_state(policykit_resolve_t)
+
+ optional_policy(`
+diff --git a/polipo.fc b/polipo.fc
+new file mode 100644
+index 0000000..11f77ee
+--- /dev/null
++++ b/polipo.fc
+@@ -0,0 +1,16 @@
++HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0)
++HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0)
++
++/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_etc_t,s0)
++
++/etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/polipo.* -- gen_context(system_u:object_r:polipo_unit_file_t,s0)
++
++/usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0)
++
++/var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0)
++
++/var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0)
++
++/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0)
+diff --git a/polipo.if b/polipo.if
+new file mode 100644
+index 0000000..d00f6ba
+--- /dev/null
++++ b/polipo.if
+@@ -0,0 +1,219 @@
++## Caching web proxy.
++
++########################################
++##
++## Role access for polipo session.
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++template(`polipo_role',`
++ gen_require(`
++ type polipo_session_t, polipo_exec_t;
++ ')
++
++ ########################################
++ #
++ # Declarations
++ #
++
++ role $1 types polipo_session_t;
++
++ ########################################
++ #
++ # Policy
++ #
++
++ allow $2 polipo_session_t:process signal_perms;
++ ps_process_pattern($2, polipo_session_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 polipo_session_t:process ptrace;
++ ')
++
++ tunable_policy(`polipo_session_users',`
++ domtrans_pattern($2, polipo_exec_t, polipo_session_t)
++ ',`
++ can_exec($2, polipo_exec_t)
++ ')
++')
++
++########################################
++##
++## Create configuration files in user
++## home directories with a named file
++## type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`polipo_named_filetrans_config_home_files',`
++ gen_require(`
++ type polipo_config_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
++')
++
++########################################
++##
++## Create cache directories in user
++## home directories with a named file
++## type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`polipo_named_filetrans_cache_home_dirs',`
++ gen_require(`
++ type polipo_cache_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
++')
++
++########################################
++##
++## Create configuration files in admin
++## home directories with a named file
++## type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`polipo_named_filetrans_admin_config_home_files',`
++ gen_require(`
++ type polipo_config_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
++')
++
++########################################
++##
++## Create cache directories in admin
++## home directories with a named file
++## type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`polipo_named_filetrans_admin_cache_home_dirs',`
++ gen_require(`
++ type polipo_cache_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
++')
++
++########################################
++##
++## Create log files with a named file
++## type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`polipo_named_filetrans_log_files',`
++ gen_require(`
++ type polipo_log_t;
++ ')
++
++ logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
++')
++
++########################################
++##
++## Execute polipo server in the polipo domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`polipo_systemctl',`
++ gen_require(`
++ type polipo_t;
++ type polipo_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 polipo_unit_file_t:file read_file_perms;
++ allow $1 polipo_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, polipo_t)
++')
++
++########################################
++##
++## Administrate an polipo environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`polipo_admin',`
++ gen_require(`
++ type polipo_t, polipo_pid_t, polipo_cache_t;
++ type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
++ type polipo_unit_file_t;
++ ')
++
++ allow $1 polipo_t:process signal_perms;
++ ps_process_pattern($1, polipo_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 polipo_t:process ptrace;
++ ')
++
++ init_labeled_script_domtrans($1, polipo_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 polipo_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_etc($1)
++ admin_pattern($1, polipo_etc_t)
++
++ logging_list_logs($1)
++ admin_pattern($1, polipo_log_t)
++
++ files_list_var($1)
++ admin_pattern($1, polipo_cache_t)
++
++ files_list_pids($1)
++ admin_pattern($1, polipo_pid_t)
++
++ polipo_systemctl($1)
++ admin_pattern($1, polipo_unit_file_t)
++ allow $1 polipo_unit_file_t:service all_service_perms;
++')
+diff --git a/polipo.te b/polipo.te
+new file mode 100644
+index 0000000..a0b37ad
+--- /dev/null
++++ b/polipo.te
+@@ -0,0 +1,159 @@
++policy_module(polipo, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##
++## Determine whether polipo can
++## access cifs file systems.
++##
++##
++gen_tunable(polipo_use_cifs, false)
++
++##
++##
++## Determine whether Polipo can
++## access nfs file systems.
++##
++##
++gen_tunable(polipo_use_nfs, false)
++
++##
++##
++## Determine whether Polipo session daemon
++## can bind tcp sockets to all unreserved ports.
++##
++##
++gen_tunable(polipo_session_bind_all_unreserved_ports, false)
++
++##
++##
++## Determine whether calling user domains
++## can execute Polipo daemon in the
++## polipo_session_t domain.
++##
++##
++gen_tunable(polipo_session_users, false)
++
++##
++##
++## Allow polipo to connect to all ports > 1023
++##
++##
++gen_tunable(polipo_connect_all_unreserved, false)
++
++attribute polipo_daemon;
++
++type polipo_t, polipo_daemon;
++type polipo_exec_t;
++init_daemon_domain(polipo_t, polipo_exec_t)
++
++type polipo_initrc_exec_t;
++init_script_file(polipo_initrc_exec_t)
++
++type polipo_etc_t;
++files_config_file(polipo_etc_t)
++
++type polipo_cache_t;
++files_type(polipo_cache_t)
++
++type polipo_log_t;
++logging_log_file(polipo_log_t)
++
++type polipo_pid_t;
++files_pid_file(polipo_pid_t)
++
++type polipo_session_t, polipo_daemon;
++application_domain(polipo_session_t, polipo_exec_t)
++ubac_constrained(polipo_session_t)
++
++type polipo_config_home_t;
++userdom_user_home_content(polipo_config_home_t)
++
++type polipo_cache_home_t;
++userdom_user_home_content(polipo_cache_home_t)
++
++type polipo_unit_file_t;
++systemd_unit_file(polipo_unit_file_t)
++
++########################################
++#
++# Global local policy
++#
++
++allow polipo_daemon self:fifo_file rw_fifo_file_perms;
++allow polipo_daemon self:tcp_socket { listen accept };
++
++corenet_tcp_bind_generic_node(polipo_daemon)
++corenet_tcp_sendrecv_generic_if(polipo_daemon)
++corenet_tcp_sendrecv_generic_node(polipo_daemon)
++corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
++corenet_tcp_bind_http_cache_port(polipo_daemon)
++corenet_sendrecv_http_cache_server_packets(polipo_daemon)
++corenet_tcp_connect_http_port(polipo_daemon)
++
++files_read_usr_files(polipo_daemon)
++
++fs_search_auto_mountpoints(polipo_daemon)
++
++
++########################################
++#
++# Polipo local policy
++#
++
++read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t)
++
++manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
++manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
++files_var_filetrans(polipo_t, polipo_cache_t, dir)
++
++manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
++logging_log_filetrans(polipo_t, polipo_log_t, file)
++
++manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
++files_pid_filetrans(polipo_t, polipo_pid_t, file)
++
++auth_use_nsswitch(polipo_t)
++
++logging_send_syslog_msg(polipo_t)
++
++optional_policy(`
++ cron_system_entry(polipo_t, polipo_exec_t)
++')
++
++tunable_policy(`polipo_connect_all_unreserved',`
++ corenet_tcp_connect_all_unreserved_ports(polipo_t)
++')
++
++tunable_policy(`polipo_use_cifs',`
++ fs_manage_cifs_files(polipo_t)
++')
++
++tunable_policy(`polipo_use_nfs',`
++ fs_manage_nfs_files(polipo_t)
++')
++
++########################################
++#
++# Polipo session local policy
++#
++
++read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
++manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
++
++auth_use_nsswitch(polipo_session_t)
++
++userdom_use_user_terminals(polipo_session_t)
++
++tunable_policy(`polipo_session_bind_all_unreserved_ports',`
++ corenet_tcp_sendrecv_all_ports(polipo_session_t)
++ corenet_tcp_bind_all_unreserved_ports(polipo_session_t)
++')
++
++logging_send_syslog_msg(polipo_session_t)
++
++userdom_home_manager(polipo_session_t)
+diff --git a/portage.fc b/portage.fc
+index d9b2a90..5b0e6f8 100644
+--- a/portage.fc
++++ b/portage.fc
+@@ -25,7 +25,7 @@
+ /var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
+ /var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+ /var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
+-/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0)
++/var/log/emerge-fetch.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
+ /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
+ /var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
+ /var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+diff --git a/portage.if b/portage.if
+index 08ac5af..9c4aa3c 100644
+--- a/portage.if
++++ b/portage.if
+@@ -43,11 +43,15 @@ interface(`portage_domtrans',`
+ #
+ interface(`portage_run',`
+ gen_require(`
+- attribute_role portage_roles;
++ type portage_t, portage_fetch_t, portage_sandbox_t;
++ #attribute_role portage_roles;
+ ')
+
+- portage_domtrans($1)
+- roleattribute $2 portage_roles;
++ #portage_domtrans($1)
++ #roleattribute $2 portage_roles;
++ portage_domtrans($1)
++ role $2 types { portage_t portage_fetch_t portage_sandbox_t };
++
+ ')
+
+ ########################################
+@@ -139,7 +143,6 @@ interface(`portage_compile_domain',`
+ # really shouldnt need this but some packages test
+ # network access, such as during configure
+ # also distcc--need to reinvestigate confining distcc client
+- corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+diff --git a/portage.te b/portage.te
+index 630f16f..64fb1f5 100644
+--- a/portage.te
++++ b/portage.te
+@@ -12,7 +12,7 @@ policy_module(portage, 1.13.0)
+ ##
+ gen_tunable(portage_use_nfs, false)
+
+-attribute_role portage_roles;
++#attribute_role portage_roles;
+
+ type gcc_config_t;
+ type gcc_config_exec_t;
+@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t)
+ domain_obj_id_change_exemption(portage_t)
+ rsync_entry_type(portage_t)
+ corecmd_shell_entry_type(portage_t)
+-role portage_roles types portage_t;
++#role portage_roles types portage_t;
++role system_r types portage_t;
+
+ # portage compile sandbox domain
+ type portage_sandbox_t;
+@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t)
+ # the shell is the entrypoint if regular sandbox is disabled
+ # portage_exec_t is the entrypoint if regular sandbox is enabled
+ corecmd_shell_entry_type(portage_sandbox_t)
+-role portage_roles types portage_sandbox_t;
++#role portage_roles types portage_sandbox_t;
++role system_r types portage_sandbox_t;
+
+ # portage package fetching domain
+ type portage_fetch_t;
+@@ -41,7 +43,8 @@ type portage_fetch_exec_t;
+ application_domain(portage_fetch_t, portage_fetch_exec_t)
+ corecmd_shell_entry_type(portage_fetch_t)
+ rsync_entry_type(portage_fetch_t)
+-role portage_roles types portage_fetch_t;
++#role portage_roles types portage_fetch_t;
++role system_r types portage_fetch_t;
+
+ type portage_devpts_t;
+ term_pty(portage_devpts_t)
+@@ -56,7 +59,7 @@ type portage_db_t;
+ files_type(portage_db_t)
+
+ type portage_conf_t;
+-files_type(portage_conf_t)
++files_config_file(portage_conf_t)
+
+ type portage_cache_t;
+ files_type(portage_cache_t)
+@@ -115,18 +118,19 @@ files_list_all(gcc_config_t)
+ init_dontaudit_read_script_status_files(gcc_config_t)
+
+ libs_read_lib_files(gcc_config_t)
+-libs_run_ldconfig(gcc_config_t, portage_roles)
++#libs_run_ldconfig(gcc_config_t, portage_roles)
++libs_domtrans_ldconfig(gcc_config_t)
+ libs_manage_shared_libs(gcc_config_t)
+ # gcc-config creates a temp dir for the libs
+ libs_manage_lib_dirs(gcc_config_t)
+
+ logging_send_syslog_msg(gcc_config_t)
+
+-miscfiles_read_localization(gcc_config_t)
++userdom_use_inherited_user_terminals(gcc_config_t)
+
+-userdom_use_user_terminals(gcc_config_t)
+-
+-consoletype_exec(gcc_config_t)
++optional_policy(`
++ consoletype_exec(gcc_config_t)
++')
+
+ ifdef(`distro_gentoo',`
+ init_exec_rc(gcc_config_t)
+@@ -198,33 +202,41 @@ auth_manage_shadow(portage_t)
+ init_exec(portage_t)
+
+ # run setfiles -r
+-seutil_run_setfiles(portage_t, portage_roles)
++#seutil_run_setfiles(portage_t, portage_roles)
+ # run semodule
+-seutil_run_semanage(portage_t, portage_roles)
++#seutil_run_semanage(portage_t, portage_roles)
+
+-portage_run_gcc_config(portage_t, portage_roles)
++#portage_run_gcc_config(portage_t, portage_roles)
+ # if sesandbox is disabled, compiling is performed in this domain
+ portage_compile_domain(portage_t)
+
+-optional_policy(`
+- bootloader_run(portage_t, portage_roles)
+-')
++#optional_policy(`
++# bootloader_run(portage_t, portage_roles)
++#')
+
+ optional_policy(`
+ cron_system_entry(portage_t, portage_exec_t)
+ cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
+ ')
+
+-optional_policy(`
+- modutils_run_depmod(portage_t, portage_roles)
+- modutils_run_update_mods(portage_t, portage_roles)
++#optional_policy(`
++# modutils_run_depmod(portage_t, portage_roles)
++# modutils_run_update_mods(portage_t, portage_roles)
+ #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
+ ')
+
+-optional_policy(`
+- usermanage_run_groupadd(portage_t, portage_roles)
+- usermanage_run_useradd(portage_t, portage_roles)
+-')
++#optional_policy(`
++# usermanage_run_groupadd(portage_t, portage_roles)
++# usermanage_run_useradd(portage_t, portage_roles)
++#')
++
++seutil_domtrans_setfiles(portage_t)
++seutil_domtrans_semanage(portage_t)
++bootloader_domtrans(portage_t)
++modutils_domtrans_depmod(portage_t)
++modutils_domtrans_update_mods(portage_t)
++usermanage_domtrans_groupadd(portage_t)
++usermanage_domtrans_useradd(portage_t)
+
+ ifdef(`TODO',`
+ # seems to work ok without these
+@@ -271,7 +283,6 @@ kernel_read_kernel_sysctls(portage_fetch_t)
+ corecmd_exec_bin(portage_fetch_t)
+ corecmd_exec_shell(portage_fetch_t)
+
+-corenet_all_recvfrom_unlabeled(portage_fetch_t)
+ corenet_all_recvfrom_netlabel(portage_fetch_t)
+ corenet_tcp_sendrecv_generic_if(portage_fetch_t)
+ corenet_tcp_sendrecv_generic_node(portage_fetch_t)
+@@ -303,16 +314,13 @@ logging_dontaudit_search_logs(portage_fetch_t)
+
+ term_search_ptys(portage_fetch_t)
+
+-miscfiles_read_localization(portage_fetch_t)
+
+ sysnet_read_config(portage_fetch_t)
+ sysnet_dns_name_resolve(portage_fetch_t)
+
+-userdom_use_user_terminals(portage_fetch_t)
++userdom_use_inherited_user_terminals(portage_fetch_t)
+ userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+
+-rsync_exec(portage_fetch_t)
+-
+ ifdef(`hide_broken_symptoms',`
+ dontaudit portage_fetch_t portage_cache_t:file read;
+ ')
+@@ -328,6 +336,10 @@ optional_policy(`
+ gpg_exec(portage_fetch_t)
+ ')
+
++optional_policy(`
++ rsync_exec(portage_fetch_t)
++')
++
+ ##########################################
+ #
+ # Portage sandbox domain
+diff --git a/portmap.fc b/portmap.fc
+index 3cdcd9f..2061efe 100644
+--- a/portmap.fc
++++ b/portmap.fc
+@@ -1,6 +1,8 @@
+
+ /sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+
++/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
++
+ ifdef(`distro_debian',`
+ /sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+ /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+diff --git a/portmap.te b/portmap.te
+index c1db652..66590bd 100644
+--- a/portmap.te
++++ b/portmap.te
+@@ -43,7 +43,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file)
+ kernel_read_system_state(portmap_t)
+ kernel_read_kernel_sysctls(portmap_t)
+
+-corenet_all_recvfrom_unlabeled(portmap_t)
+ corenet_all_recvfrom_netlabel(portmap_t)
+ corenet_tcp_sendrecv_generic_if(portmap_t)
+ corenet_udp_sendrecv_generic_if(portmap_t)
+@@ -73,12 +72,10 @@ fs_search_auto_mountpoints(portmap_t)
+
+ domain_use_interactive_fds(portmap_t)
+
+-files_read_etc_files(portmap_t)
++auth_use_nsswitch(portmap_t)
+
+ logging_send_syslog_msg(portmap_t)
+
+-miscfiles_read_localization(portmap_t)
+-
+ sysnet_read_config(portmap_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(portmap_t)
+@@ -113,7 +110,6 @@ allow portmap_helper_t self:udp_socket create_socket_perms;
+ allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
+ files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
+
+-corenet_all_recvfrom_unlabeled(portmap_helper_t)
+ corenet_all_recvfrom_netlabel(portmap_helper_t)
+ corenet_tcp_sendrecv_generic_if(portmap_helper_t)
+ corenet_udp_sendrecv_generic_if(portmap_helper_t)
+@@ -133,7 +129,6 @@ corenet_tcp_connect_all_ports(portmap_helper_t)
+
+ domain_dontaudit_use_interactive_fds(portmap_helper_t)
+
+-files_read_etc_files(portmap_helper_t)
+ files_rw_generic_pids(portmap_helper_t)
+
+ init_rw_utmp(portmap_helper_t)
+@@ -142,7 +137,7 @@ logging_send_syslog_msg(portmap_helper_t)
+
+ sysnet_read_config(portmap_helper_t)
+
+-userdom_use_user_terminals(portmap_helper_t)
++userdom_use_inherited_user_terminals(portmap_helper_t)
+ userdom_dontaudit_use_all_users_fds(portmap_helper_t)
+
+ optional_policy(`
+diff --git a/portreserve.fc b/portreserve.fc
+index 4313a6f..cc334a3 100644
+--- a/portreserve.fc
++++ b/portreserve.fc
+@@ -1,7 +1,10 @@
+-/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
+
+-/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
++
++/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
+
+ /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
+
++/usr/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
++
+ /var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
+diff --git a/portreserve.if b/portreserve.if
+index 7719d16..d283895 100644
+--- a/portreserve.if
++++ b/portreserve.if
+@@ -104,8 +104,11 @@ interface(`portreserve_admin',`
+ type portreserve_initrc_exec_t;
+ ')
+
+- allow $1 portreserve_t:process { ptrace signal_perms };
++ allow $1 portreserve_t:process signal_perms;
+ ps_process_pattern($1, portreserve_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 portreserve_t:process ptrace;
++ ')
+
+ portreserve_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+diff --git a/portreserve.te b/portreserve.te
+index 152af92..d67fea5 100644
+--- a/portreserve.te
++++ b/portreserve.te
+@@ -13,7 +13,7 @@ type portreserve_initrc_exec_t;
+ init_script_file(portreserve_initrc_exec_t)
+
+ type portreserve_etc_t;
+-files_type(portreserve_etc_t)
++files_config_file(portreserve_etc_t)
+
+ type portreserve_var_run_t;
+ files_pid_file(portreserve_var_run_t)
+@@ -42,7 +42,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
+
+ corecmd_getattr_bin_files(portreserve_t)
+
+-corenet_all_recvfrom_unlabeled(portreserve_t)
+ corenet_all_recvfrom_netlabel(portreserve_t)
+ corenet_tcp_bind_generic_node(portreserve_t)
+ corenet_udp_bind_generic_node(portreserve_t)
+diff --git a/portslave.te b/portslave.te
+index 69c331e..528f2d8 100644
+--- a/portslave.te
++++ b/portslave.te
+@@ -54,7 +54,6 @@ kernel_read_kernel_sysctls(portslave_t)
+ corecmd_exec_bin(portslave_t)
+ corecmd_exec_shell(portslave_t)
+
+-corenet_all_recvfrom_unlabeled(portslave_t)
+ corenet_all_recvfrom_netlabel(portslave_t)
+ corenet_tcp_sendrecv_generic_if(portslave_t)
+ corenet_udp_sendrecv_generic_if(portslave_t)
+@@ -79,7 +78,7 @@ fs_getattr_xattr_fs(portslave_t)
+
+ term_use_unallocated_ttys(portslave_t)
+ term_setattr_unallocated_ttys(portslave_t)
+-term_use_all_ttys(portslave_t)
++term_use_all_inherited_ttys(portslave_t)
+ term_search_ptys(portslave_t)
+
+ auth_rw_login_records(portslave_t)
+diff --git a/postfix.fc b/postfix.fc
+index 1ddfa16..c0e0959 100644
+--- a/postfix.fc
++++ b/postfix.fc
+@@ -1,5 +1,6 @@
+ # postfix
+-/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
++/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
++/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+ ifdef(`distro_redhat', `
+ /usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+ /usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+@@ -22,16 +23,17 @@ ifdef(`distro_redhat', `
+ /usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+ /usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+ /usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
++/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+ /usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+ /usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+ /usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+ /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+ /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+ ')
+ /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+ /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
++/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+ /usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+ /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
+ /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+@@ -42,9 +44,11 @@ ifdef(`distro_redhat', `
+ /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
+ /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+
+-/var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_data_t,s0)
++/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
+
+-/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
++/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
++/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
++/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+ /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+ /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
+ /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+diff --git a/postfix.if b/postfix.if
+index 46bee12..8ef270f 100644
+--- a/postfix.if
++++ b/postfix.if
+@@ -28,75 +28,23 @@ interface(`postfix_stub',`
+ ##
+ #
+ template(`postfix_domain_template',`
+- type postfix_$1_t;
++ gen_require(`
++ attribute postfix_domain;
++ ')
++
++ type postfix_$1_t, postfix_domain;
+ type postfix_$1_exec_t;
+ domain_type(postfix_$1_t)
+ domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
+ role system_r types postfix_$1_t;
+
+- dontaudit postfix_$1_t self:capability sys_tty_config;
+- allow postfix_$1_t self:process { signal_perms setpgid };
+- allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
+- allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
+- allow postfix_$1_t self:unix_stream_socket connectto;
+-
+- allow postfix_master_t postfix_$1_t:process signal;
+- #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+- allow postfix_$1_t postfix_master_t:file read;
+-
+- allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
+- read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+- read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+-
+- can_exec(postfix_$1_t, postfix_$1_exec_t)
+-
+- allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl };
+-
+- allow postfix_$1_t postfix_master_t:process sigchld;
+-
+- allow postfix_$1_t postfix_spool_t:dir list_dir_perms;
+-
+- allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
+- files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)
+-
+ kernel_read_system_state(postfix_$1_t)
+- kernel_read_network_state(postfix_$1_t)
+- kernel_read_all_sysctls(postfix_$1_t)
+-
+- dev_read_sysfs(postfix_$1_t)
+- dev_read_rand(postfix_$1_t)
+- dev_read_urand(postfix_$1_t)
+-
+- fs_search_auto_mountpoints(postfix_$1_t)
+- fs_getattr_xattr_fs(postfix_$1_t)
+- fs_rw_anon_inodefs_files(postfix_$1_t)
+-
+- term_dontaudit_use_console(postfix_$1_t)
+-
+- corecmd_exec_shell(postfix_$1_t)
+-
+- files_read_etc_files(postfix_$1_t)
+- files_read_etc_runtime_files(postfix_$1_t)
+- files_read_usr_symlinks(postfix_$1_t)
+- files_search_spool(postfix_$1_t)
+- files_getattr_tmp_dirs(postfix_$1_t)
+- files_search_all_mountpoints(postfix_$1_t)
+-
+- init_dontaudit_use_fds(postfix_$1_t)
+- init_sigchld(postfix_$1_t)
+
+ auth_use_nsswitch(postfix_$1_t)
+
+ logging_send_syslog_msg(postfix_$1_t)
+
+- miscfiles_read_localization(postfix_$1_t)
+- miscfiles_read_generic_certs(postfix_$1_t)
+-
+- userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
+-
+- optional_policy(`
+- udev_read_db(postfix_$1_t)
+- ')
++ can_exec(postfix_$1_t, postfix_$1_exec_t)
+ ')
+
+ ########################################
+@@ -115,7 +63,7 @@ template(`postfix_server_domain_template',`
+ type postfix_$1_tmp_t;
+ files_tmp_file(postfix_$1_tmp_t)
+
+- allow postfix_$1_t self:capability { setuid setgid dac_override };
++ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };
+ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+ allow postfix_$1_t self:tcp_socket create_socket_perms;
+ allow postfix_$1_t self:udp_socket create_socket_perms;
+@@ -126,7 +74,6 @@ template(`postfix_server_domain_template',`
+
+ domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+
+- corenet_all_recvfrom_unlabeled(postfix_$1_t)
+ corenet_all_recvfrom_netlabel(postfix_$1_t)
+ corenet_tcp_sendrecv_generic_if(postfix_$1_t)
+ corenet_udp_sendrecv_generic_if(postfix_$1_t)
+@@ -165,6 +112,8 @@ template(`postfix_user_domain_template',`
+ domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
+
+ domain_use_interactive_fds(postfix_$1_t)
++
++ application_domain(postfix_$1_t, postfix_$1_exec_t)
+ ')
+
+ ########################################
+@@ -208,6 +157,11 @@ interface(`postfix_read_config',`
+ ## The object class of the object being created.
+ ##
+ ##
++##
++##
++## The name of the object being created.
++##
++##
+ #
+ interface(`postfix_config_filetrans',`
+ gen_require(`
+@@ -215,7 +169,7 @@ interface(`postfix_config_filetrans',`
+ ')
+
+ files_search_etc($1)
+- filetrans_pattern($1, postfix_etc_t, $2, $3)
++ filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
+ ')
+
+ ########################################
+@@ -257,6 +211,25 @@ interface(`postfix_rw_local_pipes',`
+ allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
+ ')
+
++#######################################
++##
++## Allow read/write postfix public pipes
++## TCP sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postfix_rw_public_pipes',`
++ gen_require(`
++ type postfix_public_t;
++ ')
++
++ allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;
++')
++
+ ########################################
+ ##
+ ## Allow domain to read postfix local process state
+@@ -272,7 +245,8 @@ interface(`postfix_read_local_state',`
+ type postfix_local_t;
+ ')
+
+- read_files_pattern($1, postfix_local_t, postfix_local_t)
++ kernel_search_proc($1)
++ ps_process_pattern($1, postfix_local_t)
+ ')
+
+ ########################################
+@@ -290,7 +264,27 @@ interface(`postfix_read_master_state',`
+ type postfix_master_t;
+ ')
+
+- read_files_pattern($1, postfix_master_t, postfix_master_t)
++ kernel_search_proc($1)
++ ps_process_pattern($1, postfix_master_t)
++')
++
++########################################
++##
++## Use postfix master process file
++## file descriptors.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postfix_use_fds_master',`
++ gen_require(`
++ type postfix_master_t;
++ ')
++
++ allow $1 postfix_master_t:fd use;
+ ')
+
+ ########################################
+@@ -376,6 +370,25 @@ interface(`postfix_domtrans_master',`
+ domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
+ ')
+
++
++########################################
++##
++## Execute the master postfix in the postfix master domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postfix_initrc_domtrans',`
++ gen_require(`
++ type postfix_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, postfix_initrc_exec_t)
++')
++
+ ########################################
+ ##
+ ## Execute the master postfix program in the
+@@ -404,7 +417,6 @@ interface(`postfix_exec_master',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`postfix_stream_connect_master',`
+ gen_require(`
+@@ -416,6 +428,24 @@ interface(`postfix_stream_connect_master',`
+
+ ########################################
+ ##
++## Allow read/write postfix master pipes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postfix_rw_master_pipes',`
++ gen_require(`
++ type postfix_master_t;
++ ')
++
++ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
+ ## Execute the master postdrop in the
+ ## postfix_postdrop domain.
+ ##
+@@ -462,7 +492,7 @@ interface(`postfix_domtrans_postqueue',`
+ ##
+ ##
+ #
+-interface(`posftix_exec_postqueue',`
++interface(`postfix_exec_postqueue',`
+ gen_require(`
+ type postfix_postqueue_exec_t;
+ ')
+@@ -529,6 +559,25 @@ interface(`postfix_domtrans_smtp',`
+
+ ########################################
+ ##
++## Getattr postfix mail spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postfix_getattr_spool_files',`
++ gen_require(`
++ attribute postfix_spool_type;
++ ')
++
++ files_search_spool($1)
++ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
++')
++
++########################################
++##
+ ## Search postfix mail spool directories.
+ ##
+ ##
+@@ -539,10 +588,10 @@ interface(`postfix_domtrans_smtp',`
+ #
+ interface(`postfix_search_spool',`
+ gen_require(`
+- type postfix_spool_t;
++ attribute postfix_spool_type;
+ ')
+
+- allow $1 postfix_spool_t:dir search_dir_perms;
++ allow $1 postfix_spool_type:dir search_dir_perms;
+ files_search_spool($1)
+ ')
+
+@@ -558,10 +607,10 @@ interface(`postfix_search_spool',`
+ #
+ interface(`postfix_list_spool',`
+ gen_require(`
+- type postfix_spool_t;
++ attribute postfix_spool_type;
+ ')
+
+- allow $1 postfix_spool_t:dir list_dir_perms;
++ allow $1 postfix_spool_type:dir list_dir_perms;
+ files_search_spool($1)
+ ')
+
+@@ -577,11 +626,11 @@ interface(`postfix_list_spool',`
+ #
+ interface(`postfix_read_spool_files',`
+ gen_require(`
+- type postfix_spool_t;
++ attribute postfix_spool_type;
+ ')
+
+ files_search_spool($1)
+- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
++ read_files_pattern($1, postfix_spool_type, postfix_spool_type)
+ ')
+
+ ########################################
+@@ -596,11 +645,31 @@ interface(`postfix_read_spool_files',`
+ #
+ interface(`postfix_manage_spool_files',`
+ gen_require(`
+- type postfix_spool_t;
++ attribute postfix_spool_type;
+ ')
+
+ files_search_spool($1)
+- manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
++ manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
++')
++
++#######################################
++##
++## Create, read, write, and delete postfix maildrop spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postfix_manage_spool_maildrop_files',`
++ gen_require(`
++ type postfix_spool_maildrop_t;
++ ')
++
++ files_search_spool($1)
++ manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++ manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ ')
+
+ ########################################
+@@ -621,3 +690,155 @@ interface(`postfix_domtrans_user_mail_handler',`
+
+ typeattribute $1 postfix_user_domtrans;
+ ')
++
++########################################
++##
++## All of the rules required to administrate
++## an postfix environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`postfix_admin',`
++ gen_require(`
++ attribute postfix_spool_type;
++ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
++ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
++ type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
++ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
++ type postfix_smtpd_t, postfix_var_run_t;
++ ')
++
++ allow $1 postfix_bounce_t:process signal_perms;
++ ps_process_pattern($1, postfix_bounce_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 postfix_bounce_t:process ptrace;
++ ')
++
++ allow $1 postfix_cleanup_t:process signal_perms;
++ ps_process_pattern($1, postfix_cleanup_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 postfix_cleanup_t:process ptrace;
++ allow $1 postfix_local_t:process ptrace;
++ allow $1 postfix_master_t:process ptrace;
++ allow $1 postfix_pickup_t:process ptrace;
++ allow $1 postfix_qmgr_t:process ptrace;
++ allow $1 postfix_smtpd_t:process ptrace;
++ ')
++
++ allow $1 postfix_local_t:process signal_perms;
++ ps_process_pattern($1, postfix_local_t)
++
++ allow $1 postfix_master_t:process signal_perms;
++ ps_process_pattern($1, postfix_master_t)
++
++ allow $1 postfix_pickup_t:process signal_perms;
++ ps_process_pattern($1, postfix_pickup_t)
++
++ allow $1 postfix_qmgr_t:process signal_perms;
++ ps_process_pattern($1, postfix_qmgr_t)
++
++ allow $1 postfix_smtpd_t:process signal_perms;
++ ps_process_pattern($1, postfix_smtpd_t)
++
++ postfix_run_map($1, $2)
++ postfix_run_postdrop($1, $2)
++
++ postfix_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 postfix_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ admin_pattern($1, postfix_data_t)
++
++ files_list_etc($1)
++ admin_pattern($1, postfix_etc_t)
++
++ files_list_spool($1)
++ admin_pattern($1, postfix_spool_type)
++
++ admin_pattern($1, postfix_var_run_t)
++
++ files_list_tmp($1)
++ admin_pattern($1, postfix_map_tmp_t)
++
++ admin_pattern($1, postfix_prng_t)
++
++ admin_pattern($1, postfix_public_t)
++
++ postfix_filetrans_named_content($1)
++')
++
++########################################
++##
++## Execute the master postdrop in the
++## postfix_postdrop domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The role to be allowed the iptables domain.
++##
++##
++##
++#
++interface(`postfix_run_postdrop',`
++ gen_require(`
++ type postfix_postdrop_t;
++ ')
++
++ postfix_domtrans_postdrop($1)
++ role $2 types postfix_postdrop_t;
++ allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };
++')
++
++########################################
++##
++## Execute postfix exec in the users domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postfix_exec',`
++ gen_require(`
++ type postfix_exec_t;
++ ')
++
++ can_exec($1, postfix_exec_t)
++')
++
++########################################
++##
++## Transition to postfix named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postfix_filetrans_named_content',`
++ gen_require(`
++ type postfix_exec_t;
++ type postfix_prng_t;
++ ')
++
++ postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script")
++ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
++')
+diff --git a/postfix.te b/postfix.te
+index a1e0f60..85b12af 100644
+--- a/postfix.te
++++ b/postfix.te
+@@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
+ # Declarations
+ #
+
++##
++##
++## Allow postfix_local domain full write access to mail_spool directories
++##
++##
++gen_tunable(postfix_local_write_mail_spool, true)
++
++attribute postfix_domain;
++attribute postfix_spool_type;
+ attribute postfix_user_domains;
+ # domains that transition to the
+ # postfix user domains
+@@ -12,8 +21,8 @@ attribute postfix_user_domtrans;
+
+ postfix_server_domain_template(bounce)
+
+-type postfix_spool_bounce_t;
+-files_type(postfix_spool_bounce_t)
++type postfix_spool_bounce_t, postfix_spool_type;
++files_spool_file(postfix_spool_bounce_t)
+
+ postfix_server_domain_template(cleanup)
+
+@@ -41,6 +50,9 @@ typealias postfix_master_t alias postfix_t;
+ # generation macro work
+ mta_mailserver(postfix_t, postfix_master_exec_t)
+
++type postfix_initrc_exec_t;
++init_script_file(postfix_initrc_exec_t)
++
+ postfix_server_domain_template(pickup)
+
+ postfix_server_domain_template(pipe)
+@@ -49,6 +61,7 @@ postfix_user_domain_template(postdrop)
+ mta_mailserver_user_agent(postfix_postdrop_t)
+
+ postfix_user_domain_template(postqueue)
++mta_mailserver_user_agent(postfix_postqueue_t)
+
+ type postfix_private_t;
+ files_type(postfix_private_t)
+@@ -65,14 +78,14 @@ mta_mailserver_sender(postfix_smtp_t)
+
+ postfix_server_domain_template(smtpd)
+
+-type postfix_spool_t;
+-files_type(postfix_spool_t)
++type postfix_spool_t, postfix_spool_type;
++files_spool_file(postfix_spool_t)
+
+-type postfix_spool_maildrop_t;
+-files_type(postfix_spool_maildrop_t)
++type postfix_spool_maildrop_t, postfix_spool_type;
++files_spool_file(postfix_spool_maildrop_t)
+
+-type postfix_spool_flush_t;
+-files_type(postfix_spool_flush_t)
++type postfix_spool_flush_t, postfix_spool_type;
++files_spool_file(postfix_spool_flush_t)
+
+ type postfix_public_t;
+ files_type(postfix_public_t)
+@@ -94,23 +107,26 @@ mta_mailserver_delivery(postfix_virtual_t)
+
+ # chown is to set the correct ownership of queue dirs
+ allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+-allow postfix_master_t self:fifo_file rw_fifo_file_perms;
++allow postfix_master_t self:capability2 block_suspend;
++
++allow postfix_master_t self:process setrlimit;
+ allow postfix_master_t self:tcp_socket create_stream_socket_perms;
+ allow postfix_master_t self:udp_socket create_socket_perms;
+-allow postfix_master_t self:process setrlimit;
+
++allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
+ allow postfix_master_t postfix_etc_t:file rw_file_perms;
++mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
+
+ can_exec(postfix_master_t, postfix_exec_t)
+
+ allow postfix_master_t postfix_data_t:dir manage_dir_perms;
+ allow postfix_master_t postfix_data_t:file manage_file_perms;
+
+-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
++allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
+
+-allow postfix_master_t postfix_postdrop_exec_t:file getattr;
++allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
+
+-allow postfix_master_t postfix_postqueue_exec_t:file getattr;
++allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+
+ manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+ manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+@@ -130,7 +146,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+ files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
+
+ allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
+-allow postfix_master_t postfix_spool_bounce_t:file getattr;
++allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
+
+ manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+ manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+@@ -138,11 +154,11 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_
+
+ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+ kernel_read_all_sysctls(postfix_master_t)
+
+-corenet_all_recvfrom_unlabeled(postfix_master_t)
+ corenet_all_recvfrom_netlabel(postfix_master_t)
+ corenet_tcp_sendrecv_generic_if(postfix_master_t)
+ corenet_udp_sendrecv_generic_if(postfix_master_t)
+@@ -150,6 +166,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+ corenet_udp_sendrecv_generic_node(postfix_master_t)
+ corenet_tcp_sendrecv_all_ports(postfix_master_t)
+ corenet_udp_sendrecv_all_ports(postfix_master_t)
++corenet_udp_bind_generic_node(postfix_master_t)
++corenet_udp_bind_all_unreserved_ports(postfix_master_t)
++corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
+ corenet_tcp_bind_generic_node(postfix_master_t)
+ corenet_tcp_bind_amavisd_send_port(postfix_master_t)
+ corenet_tcp_bind_smtp_port(postfix_master_t)
+@@ -157,6 +176,8 @@ corenet_tcp_connect_all_ports(postfix_master_t)
+ corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
+ corenet_sendrecv_smtp_server_packets(postfix_master_t)
+ corenet_sendrecv_all_client_packets(postfix_master_t)
++# for spampd
++corenet_tcp_bind_spamd_port(postfix_master_t)
+
+ # for a find command
+ selinux_dontaudit_search_fs(postfix_master_t)
+@@ -167,14 +188,14 @@ corecmd_exec_bin(postfix_master_t)
+ domain_use_interactive_fds(postfix_master_t)
+
+ files_read_usr_files(postfix_master_t)
++files_search_var_lib(postfix_master_t)
++files_search_tmp(postfix_master_t)
+
+-term_dontaudit_search_ptys(postfix_master_t)
++mcs_file_read_all(postfix_master_t)
+
+-miscfiles_read_man_pages(postfix_master_t)
++term_dontaudit_search_ptys(postfix_master_t)
+
+ seutil_sigchld_newrole(postfix_master_t)
+-# postfix does a "find" on startup for some reason - keep it quiet
+-seutil_dontaudit_search_config(postfix_master_t)
+
+ mta_rw_aliases(postfix_master_t)
+ mta_read_sendmail_bin(postfix_master_t)
+@@ -195,7 +216,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+-# for postalias
++# for postalias
+ mailman_manage_data_files(postfix_master_t)
+ ')
+
+@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
+ allow postfix_bounce_t self:tcp_socket create_socket_perms;
+
+ allow postfix_bounce_t postfix_public_t:sock_file write;
+-allow postfix_bounce_t postfix_public_t:dir search;
++allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
+
+ manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+ files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
+
++manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
++
+ manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+ manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+@@ -237,22 +262,31 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+ #
+
+ allow postfix_cleanup_t self:process setrlimit;
++allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
+
+ # connect to master process
+ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
+
+ rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+ write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
++allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+
+ manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+ manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+ files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
+
++allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
++allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
++allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
++
+ allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
+
+ corecmd_exec_bin(postfix_cleanup_t)
+
++# allow postfix to connect to sqlgrey
++corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)
++
+ mta_read_aliases(postfix_cleanup_t)
+
+ optional_policy(`
+@@ -264,7 +298,6 @@ optional_policy(`
+ # Postfix local local policy
+ #
+
+-allow postfix_local_t self:fifo_file rw_fifo_file_perms;
+ allow postfix_local_t self:process { setsched setrlimit };
+
+ # connect to master process
+@@ -272,28 +305,51 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+
+ # for .forward - maybe we need a new type for it?
+ rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
++rw_files_pattern(postfix_local_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++
++domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
+ allow postfix_local_t postfix_spool_t:file rw_file_perms;
+
+ corecmd_exec_shell(postfix_local_t)
+ corecmd_exec_bin(postfix_local_t)
+
+-files_read_etc_files(postfix_local_t)
+-
+ logging_dontaudit_search_logs(postfix_local_t)
+
+ mta_read_aliases(postfix_local_t)
+ mta_delete_spool(postfix_local_t)
+ # For reading spamassasin
+ mta_read_config(postfix_local_t)
++# Handle vacation script
++mta_send_mail(postfix_local_t)
+
+-domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+-# Might be a leak, but I need a postfix expert to explain
+-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
++userdom_read_user_home_content_files(postfix_local_t)
++userdom_exec_user_bin_files(postfix_local_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_exec_nfs_files(postfix_local_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_exec_cifs_files(postfix_local_t)
++')
++
++tunable_policy(`postfix_local_write_mail_spool',`
++ mta_manage_spool(postfix_local_t)
++')
+
+ optional_policy(`
+ clamav_search_lib(postfix_local_t)
+ clamav_exec_clamscan(postfix_local_t)
++ clamav_stream_connect(postfix_domain)
++')
++
++optional_policy(`
++ dovecot_domtrans_deliver(postfix_local_t)
++')
++
++optional_policy(`
++ dspam_domtrans(postfix_local_t)
+ ')
+
+ optional_policy(`
+@@ -304,9 +360,26 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ nagios_search_spool(postfix_local_t)
++')
++
++optional_policy(`
++ openshift_search_lib(postfix_local_t)
++')
++
++optional_policy(`
+ procmail_domtrans(postfix_local_t)
+ ')
+
++optional_policy(`
++ sendmail_rw_pipes(postfix_local_t)
++')
++
++optional_policy(`
++ zarafa_domtrans_deliver(postfix_local_t)
++ zarafa_stream_connect_server(postfix_local_t)
++')
++
+ ########################################
+ #
+ # Postfix map local policy
+@@ -329,7 +402,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
+ kernel_dontaudit_list_proc(postfix_map_t)
+ kernel_dontaudit_read_system_state(postfix_map_t)
+
+-corenet_all_recvfrom_unlabeled(postfix_map_t)
+ corenet_all_recvfrom_netlabel(postfix_map_t)
+ corenet_tcp_sendrecv_generic_if(postfix_map_t)
+ corenet_udp_sendrecv_generic_if(postfix_map_t)
+@@ -348,7 +420,6 @@ corecmd_read_bin_sockets(postfix_map_t)
+
+ files_list_home(postfix_map_t)
+ files_read_usr_files(postfix_map_t)
+-files_read_etc_files(postfix_map_t)
+ files_read_etc_runtime_files(postfix_map_t)
+ files_dontaudit_search_var(postfix_map_t)
+
+@@ -356,8 +427,6 @@ auth_use_nsswitch(postfix_map_t)
+
+ logging_send_syslog_msg(postfix_map_t)
+
+-miscfiles_read_localization(postfix_map_t)
+-
+ optional_policy(`
+ locallogin_dontaudit_use_fds(postfix_map_t)
+ ')
+@@ -379,18 +448,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+ rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+ rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+
++allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
++read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
++delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
++
+ postfix_list_spool(postfix_pickup_t)
+
+ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
+ read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
++mcs_file_read_all(postfix_pickup_t)
++mcs_file_write_all(postfix_pickup_t)
++
+ ########################################
+ #
+ # Postfix pipe local policy
+ #
+
+-allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
+ allow postfix_pipe_t self:process setrlimit;
+
+ write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
+@@ -401,6 +476,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+
+ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
++corecmd_exec_bin(postfix_pipe_t)
++
+ optional_policy(`
+ dovecot_domtrans_deliver(postfix_pipe_t)
+ ')
+@@ -420,6 +497,7 @@ optional_policy(`
+
+ optional_policy(`
+ spamassassin_domtrans_client(postfix_pipe_t)
++ spamassassin_kill_client(postfix_pipe_t)
+ ')
+
+ optional_policy(`
+@@ -436,11 +514,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+ allow postfix_postdrop_t self:tcp_socket create;
+ allow postfix_postdrop_t self:udp_socket create_socket_perms;
+
++# Might be a leak, but I need a postfix expert to explain
++allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
++
+ rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+
+ postfix_list_spool(postfix_postdrop_t)
+ manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
++mcs_file_read_all(postfix_postdrop_t)
++mcs_file_write_all(postfix_postdrop_t)
++
+ corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
+ corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
+
+@@ -487,8 +571,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+ domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
+
+ # to write the mailq output, it really should not need read access!
+-term_use_all_ptys(postfix_postqueue_t)
+-term_use_all_ttys(postfix_postqueue_t)
++term_use_all_inherited_ptys(postfix_postqueue_t)
++term_use_all_inherited_ttys(postfix_postqueue_t)
+
+ init_sigchld_script(postfix_postqueue_t)
+ init_use_script_fds(postfix_postqueue_t)
+@@ -519,7 +603,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+
+ allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
+ allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
+-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
++allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
++
++manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
+ corecmd_exec_bin(postfix_qmgr_t)
+
+@@ -539,7 +627,9 @@ postfix_list_spool(postfix_showq_t)
+
+ allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
+ allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
+-allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
++allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
++
++mcs_file_read_all(postfix_showq_t)
+
+ # to write the mailq output, it really should not need read access!
+ term_use_all_ptys(postfix_showq_t)
+@@ -558,6 +648,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+
+ allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+
++rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++
++# for spampd
++corenet_tcp_connect_spamd_port(postfix_master_t)
++corenet_tcp_bind_spamd_port(postfix_master_t)
++
+ files_search_all_mountpoints(postfix_smtp_t)
+
+ optional_policy(`
+@@ -565,6 +661,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dovecot_stream_connect(postfix_smtp_t)
++')
++
++optional_policy(`
++ dspam_stream_connect(postfix_smtp_t)
++')
++
++optional_policy(`
+ milter_stream_connect_all(postfix_smtp_t)
+ ')
+
+@@ -581,17 +685,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+ corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+
+ # for prng_exch
+-allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
++manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
++manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
++manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
+ allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
+
+ corecmd_exec_bin(postfix_smtpd_t)
+
+ # for OpenSSL certificates
+ files_read_usr_files(postfix_smtpd_t)
++
++# postfix checks the size of all mounted file systems
++fs_getattr_all_dirs(postfix_smtpd_t)
++fs_getattr_all_fs(postfix_smtpd_t)
++
+ mta_read_aliases(postfix_smtpd_t)
+
+ optional_policy(`
+ dovecot_stream_connect_auth(postfix_smtpd_t)
++ dovecot_stream_connect(postfix_smtpd_t)
+ ')
+
+ optional_policy(`
+@@ -599,6 +711,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ milter_stream_connect_all(postfix_smtpd_t)
++ spamassassin_read_pid_files(postfix_smtpd_t)
++')
++
++optional_policy(`
+ postgrey_stream_connect(postfix_smtpd_t)
+ ')
+
+@@ -611,7 +728,6 @@ optional_policy(`
+ # Postfix virtual local policy
+ #
+
+-allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
+ allow postfix_virtual_t self:process { setsched setrlimit };
+
+ allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
+@@ -622,7 +738,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
+ corecmd_exec_shell(postfix_virtual_t)
+ corecmd_exec_bin(postfix_virtual_t)
+
+-files_read_etc_files(postfix_virtual_t)
+ files_read_usr_files(postfix_virtual_t)
+
+ mta_read_aliases(postfix_virtual_t)
+@@ -630,3 +745,76 @@ mta_delete_spool(postfix_virtual_t)
+ # For reading spamassasin
+ mta_read_config(postfix_virtual_t)
+ mta_manage_spool(postfix_virtual_t)
++
++userdom_manage_user_home_dirs(postfix_virtual_t)
++userdom_manage_user_home_content(postfix_virtual_t)
++userdom_home_filetrans_user_home_dir(postfix_virtual_t)
++userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
++
++########################################
++#
++# postfix_domain common policy
++#
++allow postfix_domain self:capability { sys_nice sys_chroot };
++dontaudit postfix_domain self:capability sys_tty_config;
++allow postfix_domain self:process { signal_perms setpgid setsched };
++allow postfix_domain self:unix_dgram_socket create_socket_perms;
++allow postfix_domain self:unix_stream_socket create_stream_socket_perms;
++allow postfix_domain self:unix_stream_socket connectto;
++allow postfix_domain self:fifo_file rw_fifo_file_perms;
++
++allow postfix_master_t postfix_domain:fifo_file { read write };
++allow postfix_master_t postfix_domain:process signal;
++#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
++allow postfix_domain postfix_master_t:file read;
++allow postfix_domain postfix_etc_t:dir list_dir_perms;
++read_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
++read_lnk_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
++
++allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
++
++allow postfix_domain postfix_master_t:process sigchld;
++
++allow postfix_domain postfix_spool_t:dir list_dir_perms;
++
++allow postfix_domain postfix_var_run_t:file manage_file_perms;
++files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
++
++kernel_read_network_state(postfix_domain)
++kernel_read_all_sysctls(postfix_domain)
++
++dev_read_sysfs(postfix_domain)
++dev_read_rand(postfix_domain)
++dev_read_urand(postfix_domain)
++
++fs_search_auto_mountpoints(postfix_domain)
++fs_getattr_xattr_fs(postfix_domain)
++fs_rw_anon_inodefs_files(postfix_domain)
++
++term_dontaudit_use_console(postfix_domain)
++
++corecmd_exec_shell(postfix_domain)
++
++files_read_etc_runtime_files(postfix_domain)
++files_read_usr_files(postfix_domain)
++files_read_usr_symlinks(postfix_domain)
++files_search_spool(postfix_domain)
++files_getattr_tmp_dirs(postfix_domain)
++files_search_all_mountpoints(postfix_domain)
++
++init_dontaudit_use_fds(postfix_domain)
++init_sigchld(postfix_domain)
++init_dontaudit_rw_stream_socket(postfix_domain)
++
++miscfiles_read_generic_certs(postfix_domain)
++
++userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
++
++optional_policy(`
++ spamd_stream_connect(postfix_domain)
++ spamassassin_domtrans_client(postfix_domain)
++')
++
++optional_policy(`
++ udev_read_db(postfix_domain)
++')
+diff --git a/postfixpolicyd.if b/postfixpolicyd.if
+index feae93b..b2af729 100644
+--- a/postfixpolicyd.if
++++ b/postfixpolicyd.if
+@@ -20,12 +20,14 @@
+ interface(`postfixpolicyd_admin',`
+ gen_require(`
+ type postfix_policyd_t, postfix_policyd_conf_t;
+- type postfix_policyd_var_run_t;
+- type postfix_policyd_initrc_exec_t;
++ type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
+ ')
+
+- allow $1 postfix_policyd_t:process { ptrace signal_perms };
++ allow $1 postfix_policyd_t:process signal_perms;
+ ps_process_pattern($1, postfix_policyd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 postfix_policyd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/postfixpolicyd.te b/postfixpolicyd.te
+index 7257526..e69e0d4 100644
+--- a/postfixpolicyd.te
++++ b/postfixpolicyd.te
+@@ -23,19 +23,18 @@ files_pid_file(postfix_policyd_var_run_t)
+ # Local Policy
+ #
+
+-allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
+ allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
+ allow postfix_policyd_t self:process setrlimit;
+-allow postfix_policyd_t self:unix_dgram_socket { connect create write};
++allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
++allow postfix_policyd_t self:unix_dgram_socket create_socket_perms;
+
+ allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
+ allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
+-allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
++allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
+
+ manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
+ files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+
+-corenet_all_recvfrom_unlabeled(postfix_policyd_t)
+ corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
+ corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
+ corenet_tcp_sendrecv_all_ports(postfix_policyd_t)
+@@ -48,6 +47,4 @@ files_read_usr_files(postfix_policyd_t)
+
+ logging_send_syslog_msg(postfix_policyd_t)
+
+-miscfiles_read_localization(postfix_policyd_t)
+-
+ sysnet_dns_name_resolve(postfix_policyd_t)
+diff --git a/postgrey.if b/postgrey.if
+index ad15fde..12202e1 100644
+--- a/postgrey.if
++++ b/postgrey.if
+@@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',`
+ type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
+ ')
+
+- stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
+- stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
++ stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
+ files_search_pids($1)
++ files_search_spool($1)
+ ')
+
+ ########################################
+@@ -35,6 +35,7 @@ interface(`postgrey_search_spool',`
+ type postgrey_spool_t;
+ ')
+
++ files_search_spool($1)
+ allow $1 postgrey_spool_t:dir search_dir_perms;
+ ')
+
+@@ -57,13 +58,15 @@ interface(`postgrey_search_spool',`
+ #
+ interface(`postgrey_admin',`
+ gen_require(`
+- type postgrey_t, postgrey_etc_t;
++ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
+ type postgrey_var_lib_t, postgrey_var_run_t;
+- type postgrey_initrc_exec_t;
+ ')
+
+- allow $1 postgrey_t:process { ptrace signal_perms };
++ allow $1 postgrey_t:process signal_perms;
+ ps_process_pattern($1, postgrey_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 postgrey_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/postgrey.te b/postgrey.te
+index db843e2..570cf36 100644
+--- a/postgrey.te
++++ b/postgrey.te
+@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
+ init_script_file(postgrey_initrc_exec_t)
+
+ type postgrey_spool_t;
+-files_type(postgrey_spool_t)
++files_spool_file(postgrey_spool_t)
+
+ type postgrey_var_lib_t;
+ files_type(postgrey_var_lib_t)
+@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(postgrey_t)
+ # for perl
+ corecmd_search_bin(postgrey_t)
+
+-corenet_all_recvfrom_unlabeled(postgrey_t)
+ corenet_all_recvfrom_netlabel(postgrey_t)
+ corenet_tcp_sendrecv_generic_if(postgrey_t)
+ corenet_tcp_sendrecv_generic_node(postgrey_t)
+@@ -80,9 +79,9 @@ files_getattr_tmp_dirs(postgrey_t)
+ fs_getattr_all_fs(postgrey_t)
+ fs_search_auto_mountpoints(postgrey_t)
+
+-logging_send_syslog_msg(postgrey_t)
++auth_read_passwd(postgrey_t)
+
+-miscfiles_read_localization(postgrey_t)
++logging_send_syslog_msg(postgrey_t)
+
+ sysnet_read_config(postgrey_t)
+
+diff --git a/ppp.fc b/ppp.fc
+index 2d82c6d..ff2c96a 100644
+--- a/ppp.fc
++++ b/ppp.fc
+@@ -11,19 +11,24 @@
+ # Fix /etc/ppp {up,down} family scripts (see man pppd)
+ /etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
+ /root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
+
+ #
+ # /sbin
+ #
+-/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
++/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
++/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+
+ #
+ # /usr
+ #
++/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
++/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+ /usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
++/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+ /usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+-/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+
+ #
+ # /var
+@@ -34,5 +39,7 @@
+ # Fix pptp sockets
+ /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+
++/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
++
+ /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+-/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
++/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)
+diff --git a/ppp.if b/ppp.if
+index de4bdb7..a4cad0b 100644
+--- a/ppp.if
++++ b/ppp.if
+@@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
+ ##
+ ##
+ #
+-#
+ interface(`ppp_kill',`
+ gen_require(`
+ type pppd_t;
+@@ -176,11 +175,18 @@ interface(`ppp_run_cond',`
+ #
+ interface(`ppp_run',`
+ gen_require(`
+- attribute_role pppd_roles;
++ #attribute_role pppd_roles;
++ type pppd_t;
+ ')
+
+- ppp_domtrans($1)
+- roleattribute $2 pppd_roles;
++ #ppp_domtrans($1)
++ #roleattribute $2 pppd_roles;
++
++ role $2 types pppd_t;
++
++ tunable_policy(`pppd_for_user',`
++ ppp_domtrans($1)
++ ')
+ ')
+
+ ########################################
+@@ -276,7 +282,8 @@ interface(`ppp_read_pid_files',`
+ type pppd_var_run_t;
+ ')
+
+- allow $1 pppd_var_run_t:file read_file_perms;
++ files_search_pids($1)
++ read_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
+ ')
+
+ ########################################
+@@ -294,6 +301,7 @@ interface(`ppp_manage_pid_files',`
+ type pppd_var_run_t;
+ ')
+
++ files_search_pids($1)
+ allow $1 pppd_var_run_t:file manage_file_perms;
+ ')
+
+@@ -335,6 +343,29 @@ interface(`ppp_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute pppd server in the pppd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ppp_systemctl',`
++ gen_require(`
++ type pppd_unit_file_t;
++ type pppd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 pppd_unit_file_t:file read_file_perms;
++ allow $1 pppd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, pppd_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an ppp environment
+ ##
+@@ -343,20 +374,31 @@ interface(`ppp_initrc_domtrans',`
+ ## Domain allowed access.
+ ##
+ ##
++##
++##
++## Role allowed access.
++##
++##
+ ##
+ #
+ interface(`ppp_admin',`
+ gen_require(`
+ type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
+- type pppd_etc_t, pppd_secret_t;
+- type pppd_etc_rw_t, pppd_var_run_t;
+-
++ type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
+ type pptp_t, pptp_log_t, pptp_var_run_t;
+- type pppd_initrc_exec_t;
++ type pppd_initrc_exec_t, pppd_etc_rw_t;
++ type pppd_unit_file_t;
+ ')
+
+- allow $1 pppd_t:process { ptrace signal_perms getattr };
++ allow $1 pppd_t:process signal_perms;
+ ps_process_pattern($1, pppd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 pppd_t:process ptrace;
++ allow $1 pptp_t:process ptrace;
++ ')
++
++ allow $1 pptp_t:process signal_perms;
++ ps_process_pattern($1, pptp_t)
+
+ ppp_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+@@ -369,6 +411,7 @@ interface(`ppp_admin',`
+ logging_list_logs($1)
+ admin_pattern($1, pppd_log_t)
+
++ files_list_locks($1)
+ admin_pattern($1, pppd_lock_t)
+
+ files_list_etc($1)
+@@ -381,10 +424,11 @@ interface(`ppp_admin',`
+ files_list_pids($1)
+ admin_pattern($1, pppd_var_run_t)
+
+- allow $1 pptp_t:process { ptrace signal_perms getattr };
+- ps_process_pattern($1, pptp_t)
+-
+ admin_pattern($1, pptp_log_t)
+
+ admin_pattern($1, pptp_var_run_t)
++
++ ppp_systemctl($1)
++ admin_pattern($1, pppd_unit_file_t)
++ allow $1 pppd_unit_file_t:service all_service_perms;
+ ')
+diff --git a/ppp.te b/ppp.te
+index bcbf9ac..5a550bb 100644
+--- a/ppp.te
++++ b/ppp.te
+@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
+ ##
+ gen_tunable(pppd_for_user, false)
+
+-attribute_role pppd_roles;
++#attribute_role pppd_roles;
+
+ # pppd_t is the domain for the pppd program.
+ # pppd_exec_t is the type of the pppd executable.
+ type pppd_t;
+ type pppd_exec_t;
+ init_daemon_domain(pppd_t, pppd_exec_t)
+-role pppd_roles types pppd_t;
++#role pppd_roles types pppd_t;
++role system_r types pppd_t;
+
+ type pppd_devpts_t;
+ term_pty(pppd_devpts_t)
+@@ -42,6 +43,9 @@ files_type(pppd_etc_rw_t)
+ type pppd_initrc_exec_t alias pppd_script_exec_t;
+ init_script_file(pppd_initrc_exec_t)
+
++type pppd_unit_file_t;
++systemd_unit_file(pppd_unit_file_t)
++
+ # pppd_secret_t is the type of the pap and chap password files
+ type pppd_secret_t;
+ files_type(pppd_secret_t)
+@@ -61,7 +65,8 @@ files_pid_file(pppd_var_run_t)
+ type pptp_t;
+ type pptp_exec_t;
+ init_daemon_domain(pptp_t, pptp_exec_t)
+-role pppd_roles types pptp_t;
++#role pppd_roles types pptp_t;
++role system_r types pptp_t;
+
+ type pptp_log_t;
+ logging_log_file(pptp_log_t)
+@@ -74,9 +79,9 @@ files_pid_file(pptp_var_run_t)
+ # PPPD Local policy
+ #
+
+-allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
+ dontaudit pppd_t self:capability sys_tty_config;
+-allow pppd_t self:process { getsched signal };
++allow pppd_t self:process { getsched setsched signal };
+ allow pppd_t self:fifo_file rw_fifo_file_perms;
+ allow pppd_t self:socket create_socket_perms;
+ allow pppd_t self:unix_dgram_socket create_socket_perms;
+@@ -88,28 +93,29 @@ allow pppd_t self:packet_socket create_socket_perms;
+
+ domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+
+-allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
++allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
+ allow pppd_t pppd_etc_t:dir rw_dir_perms;
+ allow pppd_t pppd_etc_t:file read_file_perms;
+-allow pppd_t pppd_etc_t:lnk_file { getattr read };
++allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
+
+ manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
+ # Automatically label newly created files under /etc/ppp with this type
+ filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
+
+-allow pppd_t pppd_lock_t:file manage_file_perms;
+-files_lock_filetrans(pppd_t, pppd_lock_t, file)
++manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
++files_search_locks(pppd_t)
+
+-allow pppd_t pppd_log_t:file manage_file_perms;
++manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
+ logging_log_filetrans(pppd_t, pppd_log_t, file)
+
+ manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
+ manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
+ files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
+
++manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
+ manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
+-files_pid_filetrans(pppd_t, pppd_var_run_t, file)
++files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
+
+ allow pppd_t pptp_t:process signal;
+
+@@ -130,7 +136,6 @@ dev_search_sysfs(pppd_t)
+ dev_read_sysfs(pppd_t)
+ dev_rw_modem(pppd_t)
+
+-corenet_all_recvfrom_unlabeled(pppd_t)
+ corenet_all_recvfrom_netlabel(pppd_t)
+ corenet_tcp_sendrecv_generic_if(pppd_t)
+ corenet_raw_sendrecv_generic_if(pppd_t)
+@@ -147,10 +152,12 @@ fs_getattr_all_fs(pppd_t)
+ fs_search_auto_mountpoints(pppd_t)
+
+ term_use_unallocated_ttys(pppd_t)
++term_use_usb_ttys(pppd_t)
+ term_setattr_unallocated_ttys(pppd_t)
+ term_ioctl_generic_ptys(pppd_t)
+ # for pppoe
+ term_create_pty(pppd_t, pppd_devpts_t)
++term_use_generic_ptys(pppd_t)
+
+ # allow running ip-up and ip-down scripts and running chat.
+ corecmd_exec_bin(pppd_t)
+@@ -161,43 +168,54 @@ domain_use_interactive_fds(pppd_t)
+ files_exec_etc_files(pppd_t)
+ files_manage_etc_runtime_files(pppd_t)
+ files_dontaudit_write_etc_files(pppd_t)
++files_read_usr_files(pppd_t)
+
+ # for scripts
+-files_read_etc_files(pppd_t)
+
+ init_read_utmp(pppd_t)
+ init_dontaudit_write_utmp(pppd_t)
+ init_signal_script(pppd_t)
+
+ auth_use_nsswitch(pppd_t)
++auth_domtrans_chk_passwd(pppd_t)
++#auth_run_chk_passwd(pppd_t,pppd_roles)
++auth_write_login_records(pppd_t)
+
+ logging_send_syslog_msg(pppd_t)
+ logging_send_audit_msgs(pppd_t)
+
+-miscfiles_read_localization(pppd_t)
+-
+ sysnet_exec_ifconfig(pppd_t)
+ sysnet_manage_config(pppd_t)
+ sysnet_etc_filetrans_config(pppd_t)
+
+-userdom_use_user_terminals(pppd_t)
++userdom_use_inherited_user_terminals(pppd_t)
+ userdom_dontaudit_use_unpriv_user_fds(pppd_t)
+ userdom_search_user_home_dirs(pppd_t)
++userdom_search_admin_dir(pppd_t)
+
+ ppp_exec(pppd_t)
+
+ optional_policy(`
+- ddclient_run(pppd_t, pppd_roles)
++ #ddclient_run(pppd_t, pppd_roles)
++ ddclient_domtrans(pppd_t)
++')
++
++optional_policy(`
++ l2tpd_dgram_send(pppd_t)
++ l2tpd_rw_socket(pppd_t)
++ l2tpd_stream_connect(pppd_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`pppd_can_insmod',`
+- modutils_domtrans_insmod(pppd_t)
++ modutils_domtrans_insmod_uncond(pppd_t)
+ ')
+ ')
+
+ optional_policy(`
+ mta_send_mail(pppd_t)
++ mta_system_content(pppd_etc_t)
++ mta_system_content(pppd_etc_rw_t)
+ ')
+
+ optional_policy(`
+@@ -247,21 +265,24 @@ allow pptp_t pppd_log_t:file append_file_perms;
+ allow pptp_t pptp_log_t:file manage_file_perms;
+ logging_log_filetrans(pptp_t, pptp_log_t, file)
+
++manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
+ manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
+ manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
+-files_pid_filetrans(pptp_t, pptp_var_run_t, file)
++files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir })
+
+ kernel_list_proc(pptp_t)
++kernel_signal(pptp_t)
+ kernel_read_kernel_sysctls(pptp_t)
++kernel_read_network_state(pptp_t)
+ kernel_read_proc_symlinks(pptp_t)
+ kernel_read_system_state(pptp_t)
++kernel_signal(pptp_t)
+
+ dev_read_sysfs(pptp_t)
+
+ corecmd_exec_shell(pptp_t)
+ corecmd_read_bin_symlinks(pptp_t)
+
+-corenet_all_recvfrom_unlabeled(pptp_t)
+ corenet_all_recvfrom_netlabel(pptp_t)
+ corenet_tcp_sendrecv_generic_if(pptp_t)
+ corenet_raw_sendrecv_generic_if(pptp_t)
+@@ -272,8 +293,7 @@ corenet_tcp_bind_generic_node(pptp_t)
+ corenet_tcp_connect_generic_port(pptp_t)
+ corenet_tcp_connect_all_reserved_ports(pptp_t)
+ corenet_sendrecv_generic_client_packets(pptp_t)
+-
+-files_read_etc_files(pptp_t)
++corenet_tcp_connect_pptp_port(pptp_t)
+
+ fs_getattr_all_fs(pptp_t)
+ fs_search_auto_mountpoints(pptp_t)
+@@ -288,8 +308,6 @@ auth_use_nsswitch(pptp_t)
+
+ logging_send_syslog_msg(pptp_t)
+
+-miscfiles_read_localization(pptp_t)
+-
+ sysnet_exec_ifconfig(pptp_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(pptp_t)
+diff --git a/prelink.fc b/prelink.fc
+index ec0e76a..62af9a4 100644
+--- a/prelink.fc
++++ b/prelink.fc
+@@ -4,7 +4,7 @@
+
+ /usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
+
+-/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
++/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
+ /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
+
+ /var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
+diff --git a/prelink.if b/prelink.if
+index 93ec175..e6605c1 100644
+--- a/prelink.if
++++ b/prelink.if
+@@ -202,3 +202,21 @@ interface(`prelink_relabel_lib',`
+ files_search_var_lib($1)
+ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+ ')
++
++########################################
++##
++## Transition to prelink named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`prelink_filetrans_named_content',`
++ gen_require(`
++ type prelink_cache_t;
++ ')
++
++ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
++')
+diff --git a/prelink.te b/prelink.te
+index af55369..9f1d1b5 100644
+--- a/prelink.te
++++ b/prelink.te
+@@ -18,6 +18,7 @@ type prelink_cron_system_t;
+ type prelink_cron_system_exec_t;
+ domain_type(prelink_cron_system_t)
+ domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
++domain_obj_id_change_exemption(prelink_cron_system_t)
+
+ type prelink_log_t;
+ logging_log_file(prelink_log_t)
+@@ -36,7 +37,7 @@ files_type(prelink_var_lib_t)
+ # Local policy
+ #
+
+-allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
++allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource };
+ allow prelink_t self:process { execheap execmem execstack signal };
+ allow prelink_t self:fifo_file rw_fifo_file_perms;
+
+@@ -59,10 +60,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+ manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+ relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+ files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
++files_search_var_lib(prelink_t)
+
+ # prelink misc objects that are not system
+ # libraries or entrypoints
+-allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
++allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
+
+ kernel_read_system_state(prelink_t)
+ kernel_read_kernel_sysctls(prelink_t)
+@@ -73,6 +75,7 @@ corecmd_mmap_all_executables(prelink_t)
+ corecmd_read_bin_symlinks(prelink_t)
+
+ dev_read_urand(prelink_t)
++dev_getattr_all_chr_files(prelink_t)
+
+ files_list_all(prelink_t)
+ files_getattr_all_files(prelink_t)
+@@ -86,6 +89,8 @@ files_relabelfrom_usr_files(prelink_t)
+
+ fs_getattr_xattr_fs(prelink_t)
+
++storage_getattr_fixed_disk_dev(prelink_t)
++
+ selinux_get_enforce_mode(prelink_t)
+
+ libs_exec_ld_so(prelink_t)
+@@ -96,9 +101,16 @@ libs_manage_shared_libs(prelink_t)
+ libs_relabel_shared_libs(prelink_t)
+ libs_delete_lib_symlinks(prelink_t)
+
+-miscfiles_read_localization(prelink_t)
+
+-userdom_use_user_terminals(prelink_t)
++userdom_use_inherited_user_terminals(prelink_t)
++userdom_manage_user_home_content(prelink_t)
++userdom_relabel_user_home_files(prelink_t)
++userdom_execmod_user_home_files(prelink_t)
++userdom_exec_user_home_content_files(prelink_t)
++
++systemd_read_unit_files(prelink_t)
++
++term_use_all_inherited_terms(prelink_t)
+
+ optional_policy(`
+ amanda_manage_lib(prelink_t)
+@@ -109,6 +121,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_read_config(prelink_t)
++ gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
++')
++
++optional_policy(`
++ mozilla_plugin_manage_rw_files(prelink_t)
++')
++
++optional_policy(`
+ rpm_manage_tmp_files(prelink_t)
+ ')
+
+@@ -129,6 +150,7 @@ optional_policy(`
+
+ read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
+ allow prelink_cron_system_t prelink_cache_t:file unlink;
++ files_delete_etc_dir_entry(prelink_cron_system_t)
+
+ domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
+ allow prelink_cron_system_t prelink_t:process noatsecure;
+@@ -144,21 +166,38 @@ optional_policy(`
+ corecmd_exec_bin(prelink_cron_system_t)
+ corecmd_exec_shell(prelink_cron_system_t)
+
++ dev_list_sysfs(prelink_cron_system_t)
++ dev_read_sysfs(prelink_cron_system_t)
++
+ files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
+ files_read_etc_files(prelink_cron_system_t)
+ files_search_var_lib(prelink_cron_system_t)
+
++ fs_search_cgroup_dirs(prelink_cron_system_t)
++
++ auth_use_nsswitch(prelink_cron_system_t)
++
++ init_telinit(prelink_cron_system_t)
+ init_exec(prelink_cron_system_t)
+
+ libs_exec_ld_so(prelink_cron_system_t)
+
+ logging_search_logs(prelink_cron_system_t)
+
+- miscfiles_read_localization(prelink_cron_system_t)
++ init_stream_connect(prelink_cron_system_t)
++
+
+ cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+
++ userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
++
+ optional_policy(`
+ rpm_read_db(prelink_cron_system_t)
+ ')
+ ')
++
++ifdef(`hide_broken_symptoms', `
++ optional_policy(`
++ dbus_read_config(prelink_t)
++ ')
++')
+diff --git a/prelude.fc b/prelude.fc
+index 3bd847a..a52b025 100644
+--- a/prelude.fc
++++ b/prelude.fc
+@@ -5,6 +5,7 @@
+
+ /sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+
++/usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+ /usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0)
+ /usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
+ /usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
+diff --git a/prelude.if b/prelude.if
+index 2316653..f41a4f7 100644
+--- a/prelude.if
++++ b/prelude.if
+@@ -112,22 +112,24 @@ interface(`prelude_manage_spool',`
+ #
+ interface(`prelude_admin',`
+ gen_require(`
+- type prelude_t, prelude_spool_t;
+- type prelude_var_run_t, prelude_var_lib_t;
+- type prelude_audisp_t, prelude_audisp_var_run_t;
+- type prelude_initrc_exec_t;
+-
+- type prelude_lml_t, prelude_lml_tmp_t;
+- type prelude_lml_var_run_t;
++ type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
++ type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
++ type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
++ type prelude_lml_t;
+ ')
+
+- allow $1 prelude_t:process { ptrace signal_perms };
++ allow $1 prelude_t:process signal_perms;
+ ps_process_pattern($1, prelude_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 prelude_t:process ptrace;
++ allow $1 prelude_audisp_t:process ptrace;
++ allow $1 prelude_lml_t:process ptrace;
++ ')
+
+- allow $1 prelude_audisp_t:process { ptrace signal_perms };
++ allow $1 prelude_audisp_t:process signal_perms;
+ ps_process_pattern($1, prelude_audisp_t)
+
+- allow $1 prelude_lml_t:process { ptrace signal_perms };
++ allow $1 prelude_lml_t:process signal_perms;
+ ps_process_pattern($1, prelude_lml_t)
+
+ init_labeled_script_domtrans($1, prelude_initrc_exec_t)
+@@ -135,10 +137,17 @@ interface(`prelude_admin',`
+ role_transition $2 prelude_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_list_spool($1)
+ admin_pattern($1, prelude_spool_t)
++
++ files_list_var_lib($1)
+ admin_pattern($1, prelude_var_lib_t)
++
++ files_list_pids($1)
+ admin_pattern($1, prelude_var_run_t)
+ admin_pattern($1, prelude_audisp_var_run_t)
+- admin_pattern($1, prelude_lml_tmp_t)
+ admin_pattern($1, prelude_lml_var_run_t)
++
++ files_list_tmp($1)
++ admin_pattern($1, prelude_lml_tmp_t)
+ ')
+diff --git a/prelude.te b/prelude.te
+index b1bc02c..a06f448 100644
+--- a/prelude.te
++++ b/prelude.te
+@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
+ init_script_file(prelude_initrc_exec_t)
+
+ type prelude_spool_t;
+-files_type(prelude_spool_t)
++files_spool_file(prelude_spool_t)
+
+ type prelude_log_t;
+ logging_log_file(prelude_log_t)
+@@ -82,7 +82,6 @@ kernel_read_sysctl(prelude_t)
+
+ corecmd_search_bin(prelude_t)
+
+-corenet_all_recvfrom_unlabeled(prelude_t)
+ corenet_all_recvfrom_netlabel(prelude_t)
+ corenet_tcp_sendrecv_generic_if(prelude_t)
+ corenet_tcp_sendrecv_generic_node(prelude_t)
+@@ -95,7 +94,6 @@ corenet_tcp_connect_mysqld_port(prelude_t)
+ dev_read_rand(prelude_t)
+ dev_read_urand(prelude_t)
+
+-files_read_etc_files(prelude_t)
+ files_read_etc_runtime_files(prelude_t)
+ files_read_usr_files(prelude_t)
+ files_search_tmp(prelude_t)
+@@ -107,8 +105,6 @@ auth_use_nsswitch(prelude_t)
+ logging_send_audit_msgs(prelude_t)
+ logging_send_syslog_msg(prelude_t)
+
+-miscfiles_read_localization(prelude_t)
+-
+ optional_policy(`
+ mysql_search_db(prelude_t)
+ mysql_stream_connect(prelude_t)
+@@ -143,7 +139,6 @@ kernel_read_system_state(prelude_audisp_t)
+
+ corecmd_search_bin(prelude_audisp_t)
+
+-corenet_all_recvfrom_unlabeled(prelude_audisp_t)
+ corenet_all_recvfrom_netlabel(prelude_audisp_t)
+ corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
+ corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
+@@ -156,14 +151,11 @@ dev_read_urand(prelude_audisp_t)
+ # Init script handling
+ domain_use_interactive_fds(prelude_audisp_t)
+
+-files_read_etc_files(prelude_audisp_t)
+ files_read_etc_runtime_files(prelude_audisp_t)
+ files_search_tmp(prelude_audisp_t)
+
+ logging_send_syslog_msg(prelude_audisp_t)
+
+-miscfiles_read_localization(prelude_audisp_t)
+-
+ sysnet_dns_name_resolve(prelude_audisp_t)
+
+ ########################################
+@@ -183,7 +175,6 @@ kernel_read_sysctl(prelude_correlator_t)
+
+ corecmd_search_bin(prelude_correlator_t)
+
+-corenet_all_recvfrom_unlabeled(prelude_correlator_t)
+ corenet_all_recvfrom_netlabel(prelude_correlator_t)
+ corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
+ corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
+@@ -192,14 +183,11 @@ corenet_tcp_connect_prelude_port(prelude_correlator_t)
+ dev_read_rand(prelude_correlator_t)
+ dev_read_urand(prelude_correlator_t)
+
+-files_read_etc_files(prelude_correlator_t)
+ files_read_usr_files(prelude_correlator_t)
+ files_search_spool(prelude_correlator_t)
+
+ logging_send_syslog_msg(prelude_correlator_t)
+
+-miscfiles_read_localization(prelude_correlator_t)
+-
+ sysnet_dns_name_resolve(prelude_correlator_t)
+
+ prelude_manage_spool(prelude_correlator_t)
+@@ -210,8 +198,8 @@ prelude_manage_spool(prelude_correlator_t)
+ #
+
+ allow prelude_lml_t self:capability dac_override;
+-allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
+-allow prelude_lml_t self:unix_dgram_socket { write create connect };
++allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
++allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
+ allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
+ allow prelude_lml_t self:unix_stream_socket connectto;
+
+@@ -236,10 +224,10 @@ kernel_read_sysctl(prelude_lml_t)
+
+ corecmd_exec_bin(prelude_lml_t)
+
++corenet_all_recvfrom_netlabel(prelude_lml_t)
+ corenet_tcp_sendrecv_generic_if(prelude_lml_t)
+ corenet_tcp_sendrecv_generic_node(prelude_lml_t)
+ corenet_tcp_recvfrom_netlabel(prelude_lml_t)
+-corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
+ corenet_sendrecv_unlabeled_packets(prelude_lml_t)
+ corenet_tcp_connect_prelude_port(prelude_lml_t)
+
+@@ -247,7 +235,6 @@ dev_read_rand(prelude_lml_t)
+ dev_read_urand(prelude_lml_t)
+
+ files_list_etc(prelude_lml_t)
+-files_read_etc_files(prelude_lml_t)
+ files_read_etc_runtime_files(prelude_lml_t)
+
+ fs_getattr_all_fs(prelude_lml_t)
+@@ -262,8 +249,6 @@ libs_read_lib_files(prelude_lml_t)
+ logging_send_syslog_msg(prelude_lml_t)
+ logging_read_generic_logs(prelude_lml_t)
+
+-miscfiles_read_localization(prelude_lml_t)
+-
+ sysnet_dns_name_resolve(prelude_lml_t)
+
+ userdom_read_all_users_state(prelude_lml_t)
+@@ -283,7 +268,6 @@ optional_policy(`
+
+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+
+- files_read_etc_files(httpd_prewikka_script_t)
+ files_search_tmp(httpd_prewikka_script_t)
+
+ kernel_read_sysctl(httpd_prewikka_script_t)
+diff --git a/privoxy.if b/privoxy.if
+index afd1751..5aff531 100644
+--- a/privoxy.if
++++ b/privoxy.if
+@@ -23,8 +23,11 @@ interface(`privoxy_admin',`
+ type privoxy_etc_rw_t, privoxy_var_run_t;
+ ')
+
+- allow $1 privoxy_t:process { ptrace signal_perms };
++ allow $1 privoxy_t:process signal_perms;
+ ps_process_pattern($1, privoxy_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 privoxy_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/privoxy.te b/privoxy.te
+index 2dbf4d4..daa7c93 100644
+--- a/privoxy.te
++++ b/privoxy.te
+@@ -46,10 +46,10 @@ logging_log_filetrans(privoxy_t, privoxy_log_t, file)
+ manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
+ files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
+
+-kernel_read_system_state(privoxy_t)
+ kernel_read_kernel_sysctls(privoxy_t)
++kernel_read_network_state(privoxy_t)
++kernel_read_system_state(privoxy_t)
+
+-corenet_all_recvfrom_unlabeled(privoxy_t)
+ corenet_all_recvfrom_netlabel(privoxy_t)
+ corenet_tcp_sendrecv_generic_if(privoxy_t)
+ corenet_tcp_sendrecv_generic_node(privoxy_t)
+@@ -62,6 +62,7 @@ corenet_tcp_connect_squid_port(privoxy_t)
+ corenet_tcp_connect_ftp_port(privoxy_t)
+ corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
+ corenet_tcp_connect_tor_port(privoxy_t)
++corenet_tcp_connect_tor_socks_port(privoxy_t)
+ corenet_sendrecv_http_cache_client_packets(privoxy_t)
+ corenet_sendrecv_squid_client_packets(privoxy_t)
+ corenet_sendrecv_http_cache_server_packets(privoxy_t)
+@@ -76,18 +77,15 @@ fs_search_auto_mountpoints(privoxy_t)
+
+ domain_use_interactive_fds(privoxy_t)
+
+-files_read_etc_files(privoxy_t)
+
+ auth_use_nsswitch(privoxy_t)
+
+ logging_send_syslog_msg(privoxy_t)
+
+-miscfiles_read_localization(privoxy_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
+ userdom_dontaudit_search_user_home_dirs(privoxy_t)
+ # cjp: this should really not be needed
+-userdom_use_user_terminals(privoxy_t)
++userdom_use_inherited_user_terminals(privoxy_t)
+
+ tunable_policy(`privoxy_connect_any',`
+ corenet_tcp_connect_all_ports(privoxy_t)
+diff --git a/procmail.fc b/procmail.fc
+index 1343621..4b36a13 100644
+--- a/procmail.fc
++++ b/procmail.fc
+@@ -1,3 +1,5 @@
++HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
++/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
+
+ /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
+
+diff --git a/procmail.if b/procmail.if
+index b64b02f..166e9c3 100644
+--- a/procmail.if
++++ b/procmail.if
+@@ -77,3 +77,22 @@ interface(`procmail_rw_tmp_files',`
+ files_search_tmp($1)
+ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
+ ')
++
++########################################
++##
++## Read procmail home directory content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`procmail_read_home_files',`
++ gen_require(`
++ type procmail_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, procmail_home_t, procmail_home_t)
++')
+diff --git a/procmail.te b/procmail.te
+index 29b9295..23625fc 100644
+--- a/procmail.te
++++ b/procmail.te
+@@ -10,6 +10,9 @@ type procmail_exec_t;
+ application_domain(procmail_t, procmail_exec_t)
+ role system_r types procmail_t;
+
++type procmail_home_t;
++userdom_user_home_content(procmail_home_t)
++
+ type procmail_log_t;
+ logging_log_file(procmail_log_t)
+
+@@ -32,7 +35,7 @@ allow procmail_t self:udp_socket create_socket_perms;
+ can_exec(procmail_t, procmail_exec_t)
+
+ # Write log to /var/log/procmail.log or /var/log/procmail/.*
+-allow procmail_t procmail_log_t:dir setattr;
++allow procmail_t procmail_log_t:dir setattr_dir_perms;
+ create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+ append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+ read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+@@ -44,7 +47,6 @@ files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
+ kernel_read_system_state(procmail_t)
+ kernel_read_kernel_sysctls(procmail_t)
+
+-corenet_all_recvfrom_unlabeled(procmail_t)
+ corenet_all_recvfrom_netlabel(procmail_t)
+ corenet_tcp_sendrecv_generic_if(procmail_t)
+ corenet_udp_sendrecv_generic_if(procmail_t)
+@@ -67,17 +69,23 @@ auth_use_nsswitch(procmail_t)
+
+ corecmd_exec_bin(procmail_t)
+ corecmd_exec_shell(procmail_t)
+-corecmd_read_bin_symlinks(procmail_t)
+
+-files_read_etc_files(procmail_t)
+ files_read_etc_runtime_files(procmail_t)
+ files_search_pids(procmail_t)
+ # for spamassasin
+ files_read_usr_files(procmail_t)
+
++application_exec_all(procmail_t)
++
++init_read_utmp(procmail_t)
++
+ logging_send_syslog_msg(procmail_t)
++logging_append_all_logs(procmail_t)
+
+-miscfiles_read_localization(procmail_t)
++list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
++read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
++userdom_search_user_home_dirs(procmail_t)
++userdom_search_admin_dir(procmail_t)
+
+ # only works until we define a different type for maildir
+ userdom_manage_user_home_content_dirs(procmail_t)
+@@ -87,8 +95,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
+ userdom_manage_user_home_content_sockets(procmail_t)
+ userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
+
+-# Do not audit attempts to access /root.
+-userdom_dontaudit_search_user_home_dirs(procmail_t)
++# Execute user executables
++userdom_exec_user_bin_files(procmail_t)
+
+ mta_manage_spool(procmail_t)
+ mta_read_queue(procmail_t)
+@@ -97,21 +105,19 @@ ifdef(`hide_broken_symptoms',`
+ mta_dontaudit_rw_queue(procmail_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(procmail_t)
+- fs_manage_nfs_files(procmail_t)
+- fs_manage_nfs_symlinks(procmail_t)
++userdom_home_manager(procmail_t)
++
++optional_policy(`
++ clamav_domtrans_clamscan(procmail_t)
++ clamav_search_lib(procmail_t)
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(procmail_t)
+- fs_manage_cifs_files(procmail_t)
+- fs_manage_cifs_symlinks(procmail_t)
++optional_policy(`
++ cyrus_stream_connect(procmail_t)
+ ')
+
+ optional_policy(`
+- clamav_domtrans_clamscan(procmail_t)
+- clamav_search_lib(procmail_t)
++ gnome_manage_data(procmail_t)
+ ')
+
+ optional_policy(`
+@@ -125,6 +131,11 @@ optional_policy(`
+ postfix_read_spool_files(procmail_t)
+ postfix_read_local_state(procmail_t)
+ postfix_read_master_state(procmail_t)
++ postfix_rw_master_pipes(procmail_t)
++')
++
++optional_policy(`
++ nagios_search_spool(procmail_t)
+ ')
+
+ optional_policy(`
+@@ -134,6 +145,7 @@ optional_policy(`
+
+ optional_policy(`
+ mta_read_config(procmail_t)
++ mta_manage_home_rw(procmail_t)
+ sendmail_domtrans(procmail_t)
+ sendmail_signal(procmail_t)
+ sendmail_dontaudit_rw_tcp_sockets(procmail_t)
+diff --git a/psad.if b/psad.if
+index bc329d1..20bb463 100644
+--- a/psad.if
++++ b/psad.if
+@@ -91,7 +91,6 @@ interface(`psad_manage_config',`
+ files_search_etc($1)
+ manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
+ manage_files_pattern($1, psad_etc_t, psad_etc_t)
+-
+ ')
+
+ ########################################
+@@ -115,7 +114,7 @@ interface(`psad_read_pid_files',`
+
+ ########################################
+ ##
+-## Read psad PID files.
++## Read and write psad PID files.
+ ##
+ ##
+ ##
+@@ -176,6 +175,45 @@ interface(`psad_append_log',`
+
+ ########################################
+ ##
++## Allow the specified domain to write to psad's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`psad_write_log',`
++ gen_require(`
++ type psad_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ write_files_pattern($1, psad_var_log_t, psad_var_log_t)
++')
++
++#######################################
++##
++## Allow the specified domain to setattr to psad's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`psad_setattr_log',`
++ gen_require(`
++ type psad_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ setattr_files_pattern($1, psad_var_log_t, psad_var_log_t)
++')
++
++########################################
++##
+ ## Read and write psad fifo files.
+ ##
+ ##
+@@ -186,7 +224,7 @@ interface(`psad_append_log',`
+ #
+ interface(`psad_rw_fifo_file',`
+ gen_require(`
+- type psad_t;
++ type psad_t, psad_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+@@ -196,6 +234,26 @@ interface(`psad_rw_fifo_file',`
+
+ #######################################
+ ##
++## Allow setattr to psad fifo files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`psad_setattr_fifo_file',`
++ gen_require(`
++ type psad_t, psad_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 psad_var_lib_t:fifo_file setattr;
++ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
++')
++
++#######################################
++##
+ ## Read and write psad tmp files.
+ ##
+ ##
+@@ -233,30 +291,33 @@ interface(`psad_rw_tmp_files',`
+ interface(`psad_admin',`
+ gen_require(`
+ type psad_t, psad_var_run_t, psad_var_log_t;
+- type psad_initrc_exec_t, psad_var_lib_t;
++ type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
+ type psad_tmp_t;
+ ')
+
+- allow $1 psad_t:process { ptrace signal_perms };
++ allow $1 psad_t:process signal_perms;
+ ps_process_pattern($1, psad_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 psad_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, psad_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 psad_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, psad_etc_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, psad_var_run_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, psad_var_log_t)
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, psad_var_lib_t)
+
+- files_search_tmp($1)
++ files_list_tmp($1)
+ admin_pattern($1, psad_tmp_t)
+ ')
+diff --git a/psad.te b/psad.te
+index d4000e0..7fbcae1 100644
+--- a/psad.te
++++ b/psad.te
+@@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t)
+
+ # config files
+ type psad_etc_t;
+-files_type(psad_etc_t)
++files_config_file(psad_etc_t)
+
+ type psad_initrc_exec_t;
+ init_script_file(psad_initrc_exec_t)
+@@ -39,7 +39,7 @@ files_tmp_file(psad_tmp_t)
+
+ allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+ dontaudit psad_t self:capability sys_tty_config;
+-allow psad_t self:process signull;
++allow psad_t self:process signal_perms;
+ allow psad_t self:fifo_file rw_fifo_file_perms;
+ allow psad_t self:rawip_socket create_socket_perms;
+
+@@ -53,9 +53,10 @@ manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+ logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
+
+ # pid file
++manage_dirs_pattern(psad_t, psad_var_run_t, psad_var_run_t)
+ manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
+ manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
+-files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file })
++files_pid_filetrans(psad_t, psad_var_run_t, { dir file sock_file })
+
+ # tmp files
+ manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
+@@ -73,7 +74,6 @@ kernel_read_net_sysctls(psad_t)
+ corecmd_exec_shell(psad_t)
+ corecmd_exec_bin(psad_t)
+
+-corenet_all_recvfrom_unlabeled(psad_t)
+ corenet_all_recvfrom_netlabel(psad_t)
+ corenet_tcp_sendrecv_generic_if(psad_t)
+ corenet_tcp_sendrecv_generic_node(psad_t)
+@@ -85,22 +85,23 @@ corenet_sendrecv_whois_client_packets(psad_t)
+ dev_read_urand(psad_t)
+
+ files_read_etc_runtime_files(psad_t)
++files_read_usr_files(psad_t)
+
+ fs_getattr_all_fs(psad_t)
+
+ auth_use_nsswitch(psad_t)
+
+-iptables_domtrans(psad_t)
+-
+ logging_read_generic_logs(psad_t)
+ logging_read_syslog_config(psad_t)
+ logging_send_syslog_msg(psad_t)
+
+-miscfiles_read_localization(psad_t)
+-
+ sysnet_exec_ifconfig(psad_t)
+
+ optional_policy(`
++ iptables_domtrans(psad_t)
++')
++
++optional_policy(`
+ mta_send_mail(psad_t)
+ mta_read_queue(psad_t)
+ ')
+diff --git a/ptchown.if b/ptchown.if
+index 96cc023..5919bbd 100644
+--- a/ptchown.if
++++ b/ptchown.if
+@@ -18,6 +18,24 @@ interface(`ptchown_domtrans',`
+ domtrans_pattern($1, ptchown_exec_t, ptchown_t)
+ ')
+
++#######################################
++##
++## Execute ptchown in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ptchown_exec',`
++ gen_require(`
++ type ptchown_exec_t;
++ ')
++
++ can_exec($1, ptchown_exec_t)
++')
++
+ ########################################
+ ##
+ ## Execute ptchown in the ptchown domain, and
+diff --git a/ptchown.te b/ptchown.te
+index d90245a..546474f 100644
+--- a/ptchown.te
++++ b/ptchown.te
+@@ -28,4 +28,4 @@ term_setattr_all_ptys(ptchown_t)
+ term_use_generic_ptys(ptchown_t)
+ term_use_ptmx(ptchown_t)
+
+-miscfiles_read_localization(ptchown_t)
++auth_read_passwd(ptchown_t)
+diff --git a/pulseaudio.fc b/pulseaudio.fc
+index 84f23dc..0e7d875 100644
+--- a/pulseaudio.fc
++++ b/pulseaudio.fc
+@@ -1,5 +1,12 @@
+-HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
++HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
++HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+ HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
++HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
++
++/root/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
++/root/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
++/root/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
++/root/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+
+ /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+
+diff --git a/pulseaudio.if b/pulseaudio.if
+index f40c64d..7015dce 100644
+--- a/pulseaudio.if
++++ b/pulseaudio.if
+@@ -35,6 +35,9 @@ interface(`pulseaudio_role',`
+ allow pulseaudio_t $2:unix_stream_socket connectto;
+ allow $2 pulseaudio_t:unix_stream_socket connectto;
+
++ userdom_manage_tmp_role($1, pulseaudio_t)
++ userdom_manage_tmpfs_role($1, pulseaudio_t)
++
+ allow $2 pulseaudio_t:dbus send_msg;
+ allow pulseaudio_t $2:dbus { acquire_svc send_msg };
+ ')
+@@ -151,12 +154,14 @@ interface(`pulseaudio_signull',`
+ interface(`pulseaudio_stream_connect',`
+ gen_require(`
+ type pulseaudio_t, pulseaudio_var_run_t;
++ type pulseaudio_home_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pulseaudio_t:process signull;
+ allow pulseaudio_t $1:process signull;
+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
++ stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t)
+ ')
+
+ ########################################
+@@ -257,4 +262,88 @@ interface(`pulseaudio_manage_home_files',`
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++ pulseaudio_filetrans_home_content($1)
++ pulseaudio_filetrans_admin_home_content($1)
++')
++
++########################################
++##
++## Create, read, write, and delete pulseaudio
++## home directory symlinks.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pulseaudio_manage_home_symlinks',`
++ gen_require(`
++ type pulseaudio_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++')
++
++########################################
++##
++## Create pulseaudio content in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pulseaudio_filetrans_home_content',`
++ gen_require(`
++ type pulseaudio_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
++ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
++ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
++ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
++')
++
++########################################
++##
++## Create pulseaudio content in the admin home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pulseaudio_filetrans_admin_home_content',`
++ gen_require(`
++ type pulseaudio_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
++ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
++ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
++')
++
++########################################
++##
++## Allow the domain to read pulseaudio state files in /proc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pulseaudio_read_state',`
++ gen_require(`
++ type pulseaudio_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, pulseaudio_t)
+ ')
+diff --git a/pulseaudio.te b/pulseaudio.te
+index 901ac9b..bef43f7 100644
+--- a/pulseaudio.te
++++ b/pulseaudio.te
+@@ -41,7 +41,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+ manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
++manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+ userdom_search_user_home_dirs(pulseaudio_t)
++pulseaudio_filetrans_home_content(pulseaudio_t)
++
++# ~/.esd_auth - maybe we should label this pulseaudio_home_t?
++userdom_read_user_home_content_files(pulseaudio_t)
++userdom_search_admin_dir(pulseaudio_t)
+
+ manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+ manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+@@ -51,7 +57,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+ manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+ manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+ manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+-files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
++files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir })
+
+ can_exec(pulseaudio_t, pulseaudio_exec_t)
+
+@@ -61,7 +67,6 @@ kernel_read_kernel_sysctls(pulseaudio_t)
+
+ corecmd_exec_bin(pulseaudio_t)
+
+-corenet_all_recvfrom_unlabeled(pulseaudio_t)
+ corenet_all_recvfrom_netlabel(pulseaudio_t)
+ corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
+ corenet_tcp_bind_soundd_port(pulseaudio_t)
+@@ -70,32 +75,49 @@ corenet_tcp_sendrecv_generic_node(pulseaudio_t)
+ corenet_udp_bind_sap_port(pulseaudio_t)
+ corenet_udp_sendrecv_generic_if(pulseaudio_t)
+ corenet_udp_sendrecv_generic_node(pulseaudio_t)
++corenet_dontaudit_tcp_connect_xserver_port(pulseaudio_t)
+
+ dev_read_sound(pulseaudio_t)
+ dev_write_sound(pulseaudio_t)
+ dev_read_sysfs(pulseaudio_t)
+ dev_read_urand(pulseaudio_t)
+
+-files_read_etc_files(pulseaudio_t)
+ files_read_usr_files(pulseaudio_t)
+
+ fs_rw_anon_inodefs_files(pulseaudio_t)
+ fs_getattr_tmpfs(pulseaudio_t)
+ fs_list_inotifyfs(pulseaudio_t)
+
+-term_use_all_ttys(pulseaudio_t)
+-term_use_all_ptys(pulseaudio_t)
++term_use_all_inherited_ttys(pulseaudio_t)
++term_use_all_inherited_ptys(pulseaudio_t)
+
+ auth_use_nsswitch(pulseaudio_t)
+
+ logging_send_syslog_msg(pulseaudio_t)
+
+-miscfiles_read_localization(pulseaudio_t)
++tunable_policy(`use_nfs_home_dirs',`
++ fs_mount_nfs(pulseaudio_t)
++ fs_mounton_nfs(pulseaudio_t)
++ fs_manage_nfs_dirs(pulseaudio_t)
++ fs_manage_nfs_files(pulseaudio_t)
++ fs_manage_nfs_symlinks(pulseaudio_t)
++ fs_manage_nfs_named_sockets(pulseaudio_t)
++ fs_manage_nfs_named_pipes(pulseaudio_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_mount_cifs(pulseaudio_t)
++ fs_mounton_cifs(pulseaudio_t)
++ fs_manage_cifs_dirs(pulseaudio_t)
++ fs_manage_cifs_files(pulseaudio_t)
++ fs_manage_cifs_symlinks(pulseaudio_t)
++ fs_manage_cifs_named_sockets(pulseaudio_t)
++ fs_manage_cifs_named_pipes(pulseaudio_t)
++')
+
+-# cjp: this seems excessive. need to confirm
+-userdom_manage_user_home_content_files(pulseaudio_t)
+-userdom_manage_user_tmp_files(pulseaudio_t)
+-userdom_manage_user_tmpfs_files(pulseaudio_t)
++optional_policy(`
++ alsa_read_rw_config(pulseaudio_t)
++')
+
+ optional_policy(`
+ bluetooth_stream_connect(pulseaudio_t)
+@@ -125,16 +147,37 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_read_gkeyringd_state(pulseaudio_t)
++ gnome_signull_gkeyringd(pulseaudio_t)
++ gnome_manage_gstreamer_home_files(pulseaudio_t)
++ gnome_exec_gstreamer_home_files(pulseaudio_t)
++')
++
++optional_policy(`
+ rtkit_scheduled(pulseaudio_t)
+ ')
+
+ optional_policy(`
++ mozilla_plugin_delete_tmpfs_files(pulseaudio_t)
++ mozilla_plugin_read_tmpfs_files(pulseaudio_t)
++')
++
++optional_policy(`
++ mpd_read_tmpfs_files(pulseaudio_t)
++')
++
++optional_policy(`
+ policykit_domtrans_auth(pulseaudio_t)
+ policykit_read_lib(pulseaudio_t)
+ policykit_read_reload(pulseaudio_t)
+ ')
+
+ optional_policy(`
++ systemd_read_logind_sessions_files(pulseaudio_t)
++ systemd_login_read_pid_files(pulseaudio_t)
++')
++
++optional_policy(`
+ udev_read_state(pulseaudio_t)
+ udev_read_db(pulseaudio_t)
+ ')
+@@ -146,3 +189,7 @@ optional_policy(`
+ xserver_read_xdm_pid(pulseaudio_t)
+ xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
+ ')
++
++optional_policy(`
++ virt_manage_tmpfs_files(pulseaudio_t)
++')
+diff --git a/puppet.fc b/puppet.fc
+index 2f1e529..8c0b242 100644
+--- a/puppet.fc
++++ b/puppet.fc
+@@ -3,6 +3,7 @@
+ /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
++/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+ /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+diff --git a/puppet.if b/puppet.if
+index 2855a44..b7b5ee7 100644
+--- a/puppet.if
++++ b/puppet.if
+@@ -8,6 +8,53 @@
+ ##
+ ##
+
++########################################
++##
++## Execute puppetca in the puppetca
++## domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`puppet_domtrans_puppetca',`
++ gen_require(`
++ type puppetca_t, puppetca_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, puppetca_exec_t, puppetca_t)
++')
++
++#####################################
++##
++## Execute puppetca in the puppetca
++## domain and allow the specified
++## role the puppetca domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`puppet_run_puppetca',`
++ gen_require(`
++ type puppetca_t, puppetca_exec_t;
++ ')
++
++ puppet_domtrans_puppetca($1)
++ role $2 types puppetca_t;
++')
++
+ ################################################
+ ##
+ ## Read / Write to Puppet temp files. Puppet uses
+@@ -26,6 +73,178 @@ interface(`puppet_rw_tmp', `
+ type puppet_tmp_t;
+ ')
+
+- allow $1 puppet_tmp_t:file rw_file_perms;
++ allow $1 puppet_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
+ ')
++
++################################################
++##
++## Read Puppet lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`puppet_read_lib',`
++ gen_require(`
++ type puppet_var_lib_t;
++ ')
++
++ read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
++ files_search_var_lib($1)
++')
++
++###############################################
++##
++## Manage Puppet lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`puppet_manage_lib',`
++ gen_require(`
++ type puppet_var_lib_t;
++ ')
++
++ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
++ files_search_var_lib($1)
++')
++
++######################################
++##
++## Allow the specified domain to search puppet's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`puppet_search_log',`
++ gen_require(`
++ type puppet_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 puppet_log_t:dir search_dir_perms;
++')
++
++#####################################
++##
++## Allow the specified domain to read puppet's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`puppet_read_log',`
++ gen_require(`
++ type puppet_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, puppet_log_t, puppet_log_t)
++')
++
++#####################################
++##
++## Allow the specified domain to create puppet's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`puppet_create_log',`
++ gen_require(`
++ type puppet_log_t;
++ ')
++
++ logging_search_logs($1)
++ create_files_pattern($1, puppet_log_t, puppet_log_t)
++')
++
++####################################
++##
++## Allow the specified domain to append puppet's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`puppet_append_log',`
++ gen_require(`
++ type puppet_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, puppet_log_t, puppet_log_t)
++')
++
++####################################
++##
++## Allow the specified domain to manage puppet's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`puppet_manage_log',`
++ gen_require(`
++ type puppet_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_files_pattern($1, puppet_log_t, puppet_log_t)
++')
++
++####################################
++##
++## Allow the specified domain to read puppet's config files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`puppet_read_config',`
++ gen_require(`
++ type puppet_etc_t;
++ ')
++
++ logging_search_logs($1)
++ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
++ read_files_pattern($1, puppet_etc_t, puppet_etc_t)
++')
++
++#####################################
++##
++## Allow the specified domain to search puppet's pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`puppet_search_pid',`
++ gen_require(`
++ type puppet_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 puppet_var_run_t:dir search_dir_perms;
++')
+diff --git a/puppet.te b/puppet.te
+index baa88f6..050d953 100644
+--- a/puppet.te
++++ b/puppet.te
+@@ -13,6 +13,13 @@ policy_module(puppet, 1.3.0)
+ ##
+ gen_tunable(puppet_manage_all_files, false)
+
++##
++##
++## Allow Puppet master to use connect to MySQL and PostgreSQL database
++##
++##
++gen_tunable(puppetmaster_use_db, false)
++
+ type puppet_t;
+ type puppet_exec_t;
+ init_daemon_domain(puppet_t, puppet_exec_t)
+@@ -35,6 +42,11 @@ files_type(puppet_var_lib_t)
+ type puppet_var_run_t;
+ files_pid_file(puppet_var_run_t)
+
++type puppetca_t;
++type puppetca_exec_t;
++application_domain(puppetca_t, puppetca_exec_t)
++role system_r types puppetca_t;
++
+ type puppetmaster_t;
+ type puppetmaster_exec_t;
+ init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
+@@ -50,7 +62,7 @@ files_tmp_file(puppetmaster_tmp_t)
+ # Puppet personal policy
+ #
+
+-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
++allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
+ allow puppet_t self:process { signal signull getsched setsched };
+ allow puppet_t self:fifo_file rw_fifo_file_perms;
+ allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+@@ -63,7 +75,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+ manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+ files_search_var_lib(puppet_t)
+
+-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
++manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+ manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+ files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+
+@@ -80,12 +92,14 @@ kernel_dontaudit_search_sysctl(puppet_t)
+ kernel_dontaudit_search_kernel_sysctl(puppet_t)
+ kernel_read_system_state(puppet_t)
+ kernel_read_crypto_sysctls(puppet_t)
++kernel_read_kernel_sysctls(puppet_t)
+
++corecmd_read_all_executables(puppet_t)
++corecmd_dontaudit_access_all_executables(puppet_t)
+ corecmd_exec_bin(puppet_t)
+ corecmd_exec_shell(puppet_t)
+
+ corenet_all_recvfrom_netlabel(puppet_t)
+-corenet_all_recvfrom_unlabeled(puppet_t)
+ corenet_tcp_sendrecv_generic_if(puppet_t)
+ corenet_tcp_sendrecv_generic_node(puppet_t)
+ corenet_tcp_bind_generic_node(puppet_t)
+@@ -103,11 +117,11 @@ files_manage_config_files(puppet_t)
+ files_manage_config_dirs(puppet_t)
+ files_manage_etc_dirs(puppet_t)
+ files_manage_etc_files(puppet_t)
++files_read_usr_files(puppet_t)
+ files_read_usr_symlinks(puppet_t)
+ files_relabel_config_dirs(puppet_t)
+ files_relabel_config_files(puppet_t)
+
+-selinux_search_fs(puppet_t)
+ selinux_set_all_booleans(puppet_t)
+ selinux_set_generic_booleans(puppet_t)
+ selinux_validate_context(puppet_t)
+@@ -115,6 +129,8 @@ selinux_validate_context(puppet_t)
+ term_dontaudit_getattr_unallocated_ttys(puppet_t)
+ term_dontaudit_getattr_all_ttys(puppet_t)
+
++auth_use_nsswitch(puppet_t)
++
+ init_all_labeled_script_domtrans(puppet_t)
+ init_domtrans_script(puppet_t)
+ init_read_utmp(puppet_t)
+@@ -123,22 +139,23 @@ init_signull_script(puppet_t)
+ logging_send_syslog_msg(puppet_t)
+
+ miscfiles_read_hwdata(puppet_t)
+-miscfiles_read_localization(puppet_t)
+-
+-mount_domtrans(puppet_t)
+
+ seutil_domtrans_setfiles(puppet_t)
+ seutil_domtrans_semanage(puppet_t)
++seutil_read_file_contexts(puppet_t)
+
+-sysnet_dns_name_resolve(puppet_t)
+ sysnet_run_ifconfig(puppet_t, system_r)
+
+ tunable_policy(`puppet_manage_all_files',`
+- files_manage_non_auth_files(puppet_t)
++ files_manage_non_security_files(puppet_t)
++')
++
++optional_policy(`
++ cfengine_read_lib_files(puppet_t)
+ ')
+
+ optional_policy(`
+- consoletype_domtrans(puppet_t)
++ consoletype_exec(puppet_t)
+ ')
+
+ optional_policy(`
+@@ -146,6 +163,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mount_domtrans(puppet_t)
++')
++
++optional_policy(`
++ mta_send_mail(puppet_t)
++')
++
++optional_policy(`
+ portage_domtrans(puppet_t)
+ portage_domtrans_fetch(puppet_t)
+ portage_domtrans_gcc_config(puppet_t)
+@@ -164,8 +189,134 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- usermanage_domtrans_groupadd(puppet_t)
+- usermanage_domtrans_useradd(puppet_t)
++ usermanage_access_check_groupadd(puppet_t)
++ usermanage_access_check_passwd(puppet_t)
++ usermanage_access_check_useradd(puppet_t)
++')
++
++optional_policy(`
++ auth_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++ alsa_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++ bootloader_filetrans_config(puppet_t)
++')
++
++optional_policy(`
++ devicekit_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++ dnsmasq_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++ kerberos_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++ libs_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++ miscfiles_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++ mta_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++ modules_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++ networkmanager_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++ nx_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++ postfix_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++ openshift_initrc_domtrans(puppet_t)
++')
++
++optional_policy(`
++ quota_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++ sysnet_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++ virt_filetrans_home_content(puppet_t)
++')
++
++optional_policy(`
++ ssh_filetrans_admin_home_content(puppet_t)
++')
++
++########################################
++#
++# PuppetCA personal policy
++#
++
++allow puppetca_t self:capability { dac_override setgid setuid };
++allow puppetca_t self:fifo_file rw_fifo_file_perms;
++
++read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
++
++allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
++manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
++manage_dirs_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
++
++allow puppetca_t puppet_log_t:dir search_dir_perms;
++
++allow puppetca_t puppet_var_run_t:dir search_dir_perms;
++
++kernel_read_system_state(puppetca_t)
++# Maybe dontaudit this like we did with other puppet domains?
++kernel_read_kernel_sysctls(puppetca_t)
++
++corecmd_exec_bin(puppetca_t)
++corecmd_exec_shell(puppetca_t)
++
++dev_read_urand(puppetca_t)
++dev_search_sysfs(puppetca_t)
++
++files_read_etc_files(puppetca_t)
++files_search_var_lib(puppetca_t)
++
++selinux_validate_context(puppetca_t)
++
++logging_search_logs(puppetca_t)
++
++miscfiles_read_generic_certs(puppetca_t)
++
++seutil_read_file_contexts(puppetca_t)
++
++optional_policy(`
++ hostname_exec(puppetca_t)
++')
++
++optional_policy(`
++ mta_sendmail_access_check(puppetca_t)
++')
++
++optional_policy(`
++ usermanage_access_check_groupadd(puppet_t)
++ usermanage_access_check_passwd(puppet_t)
++ usermanage_access_check_useradd(puppet_t)
+ ')
+
+ ########################################
+@@ -184,51 +335,83 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
+ list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+ read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+
+-allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
+-allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
++allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
++allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
+ logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
++allow puppetmaster_t puppet_log_t:file relabel_file_perms;
+
+ manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+ manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
++allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
++allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
+
+ setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
++create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+ manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+ files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
++allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
+
+ manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+ manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+ files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
++allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
+
+ kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
++kernel_read_network_state(puppetmaster_t)
+ kernel_read_system_state(puppetmaster_t)
+ kernel_read_crypto_sysctls(puppetmaster_t)
++kernel_read_kernel_sysctls(puppetmaster_t)
+
+ corecmd_exec_bin(puppetmaster_t)
+ corecmd_exec_shell(puppetmaster_t)
+
+ corenet_all_recvfrom_netlabel(puppetmaster_t)
+-corenet_all_recvfrom_unlabeled(puppetmaster_t)
+ corenet_tcp_sendrecv_generic_if(puppetmaster_t)
+ corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+ corenet_tcp_bind_generic_node(puppetmaster_t)
+ corenet_tcp_bind_puppet_port(puppetmaster_t)
+ corenet_sendrecv_puppet_server_packets(puppetmaster_t)
++corenet_tcp_connect_ntop_port(puppetmaster_t)
++
++# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
++corenet_udp_bind_generic_node(puppetmaster_t)
++corenet_udp_bind_generic_port(puppetmaster_t)
+
+ dev_read_rand(puppetmaster_t)
+ dev_read_urand(puppetmaster_t)
++dev_search_sysfs(puppetmaster_t)
+
+ domain_read_all_domains_state(puppetmaster_t)
++domain_obj_id_change_exemption(puppetmaster_t)
+
+-files_read_etc_files(puppetmaster_t)
+-files_search_var_lib(puppetmaster_t)
++files_read_usr_files(puppetmaster_t)
++
++selinux_validate_context(puppetmaster_t)
++
++auth_use_nsswitch(puppetmaster_t)
+
+ logging_send_syslog_msg(puppetmaster_t)
+
+-miscfiles_read_localization(puppetmaster_t)
++miscfiles_read_generic_certs(puppetmaster_t)
++
++seutil_read_file_contexts(puppetmaster_t)
+
+-sysnet_dns_name_resolve(puppetmaster_t)
+ sysnet_run_ifconfig(puppetmaster_t, system_r)
+
++mta_send_mail(puppetmaster_t)
++
++optional_policy(`
++ tunable_policy(`puppetmaster_use_db',`
++ mysql_stream_connect(puppetmaster_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`puppetmaster_use_db',`
++ postgresql_stream_connect(puppetmaster_t)
++ ')
++')
++
+ optional_policy(`
+ hostname_exec(puppetmaster_t)
+ ')
+@@ -239,3 +422,9 @@ optional_policy(`
+ rpm_exec(puppetmaster_t)
+ rpm_read_db(puppetmaster_t)
+ ')
++
++optional_policy(`
++ usermanage_access_check_groupadd(puppetmaster_t)
++ usermanage_access_check_passwd(puppetmaster_t)
++ usermanage_access_check_useradd(puppetmaster_t)
++')
+diff --git a/pwauth.fc b/pwauth.fc
+new file mode 100644
+index 0000000..e2f8687
+--- /dev/null
++++ b/pwauth.fc
+@@ -0,0 +1,3 @@
++/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0)
++
++/var/run/pwauth.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)
+diff --git a/pwauth.if b/pwauth.if
+new file mode 100644
+index 0000000..86d25ea
+--- /dev/null
++++ b/pwauth.if
+@@ -0,0 +1,74 @@
++
++## policy for pwauth
++
++########################################
++##
++## Transition to pwauth.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`pwauth_domtrans',`
++ gen_require(`
++ type pwauth_t, pwauth_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, pwauth_exec_t, pwauth_t)
++')
++
++########################################
++##
++## Execute pwauth in the pwauth domain, and
++## allow the specified role the pwauth domain.
++##
++##
++##
++## Domain allowed to transition
++##
++##
++##
++##
++## The role to be allowed the pwauth domain.
++##
++##
++#
++interface(`pwauth_run',`
++ gen_require(`
++ type pwauth_t;
++ ')
++
++ pwauth_domtrans($1)
++ role $2 types pwauth_t;
++')
++
++########################################
++##
++## Role access for pwauth
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`pwauth_role',`
++ gen_require(`
++ type pwauth_t;
++ ')
++
++ role $1 types pwauth_t;
++
++ pwauth_domtrans($2)
++
++ ps_process_pattern($2, pwauth_t)
++ allow $2 pwauth_t:process signal;
++')
+diff --git a/pwauth.te b/pwauth.te
+new file mode 100644
+index 0000000..8f357cc
+--- /dev/null
++++ b/pwauth.te
+@@ -0,0 +1,39 @@
++policy_module(pwauth, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type pwauth_t;
++type pwauth_exec_t;
++application_domain(pwauth_t, pwauth_exec_t)
++role system_r types pwauth_t;
++
++type pwauth_var_run_t;
++files_pid_file(pwauth_var_run_t)
++
++########################################
++#
++# pwauth local policy
++#
++allow pwauth_t self:capability setuid;
++allow pwauth_t self:process setrlimit;
++
++allow pwauth_t self:fifo_file manage_fifo_file_perms;
++allow pwauth_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
++files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
++
++domain_use_interactive_fds(pwauth_t)
++
++
++auth_domtrans_chkpwd(pwauth_t)
++auth_use_nsswitch(pwauth_t)
++auth_read_shadow(pwauth_t)
++
++init_read_utmp(pwauth_t)
++
++logging_send_syslog_msg(pwauth_t)
++logging_send_audit_msgs(pwauth_t)
+diff --git a/pxe.fc b/pxe.fc
+index 44b3a0c..5d247cb 100644
+--- a/pxe.fc
++++ b/pxe.fc
+@@ -1,6 +1,6 @@
+
+ /usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0)
+
+-/var/log/pxe\.log -- gen_context(system_u:object_r:pxe_log_t,s0)
++/var/log/pxe\.log.* -- gen_context(system_u:object_r:pxe_log_t,s0)
+
+ /var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0)
+diff --git a/pxe.te b/pxe.te
+index fec69eb..848c311 100644
+--- a/pxe.te
++++ b/pxe.te
+@@ -49,8 +49,6 @@ fs_search_auto_mountpoints(pxe_t)
+
+ logging_send_syslog_msg(pxe_t)
+
+-miscfiles_read_localization(pxe_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(pxe_t)
+ userdom_dontaudit_search_user_home_dirs(pxe_t)
+
+diff --git a/pyicqt.te b/pyicqt.te
+index a841221..c653e4a 100644
+--- a/pyicqt.te
++++ b/pyicqt.te
+@@ -13,7 +13,7 @@ type pyicqt_conf_t;
+ files_config_file(pyicqt_conf_t)
+
+ type pyicqt_spool_t;
+-files_type(pyicqt_spool_t)
++files_spool_file(pyicqt_spool_t)
+
+ type pyicqt_var_run_t;
+ files_pid_file(pyicqt_var_run_t)
+@@ -40,7 +40,6 @@ kernel_read_system_state(pyicqt_t)
+
+ corecmd_exec_bin(pyicqt_t)
+
+-corenet_all_recvfrom_unlabeled(pyicqt_t)
+ corenet_all_recvfrom_netlabel(pyicqt_t)
+ corenet_tcp_sendrecv_generic_if(pyicqt_t)
+ corenet_tcp_sendrecv_generic_node(pyicqt_t)
+@@ -54,6 +53,5 @@ files_read_usr_files(pyicqt_t)
+
+ libs_read_lib_files(pyicqt_t)
+
+-miscfiles_read_localization(pyicqt_t)
+
+ sysnet_read_config(pyicqt_t)
+diff --git a/pyzor.fc b/pyzor.fc
+index d4a7750..a927c5a 100644
+--- a/pyzor.fc
++++ b/pyzor.fc
+@@ -1,9 +1,13 @@
+ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
++/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
+
+ HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
++HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
++/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
++/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+
+ /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
+ /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
+
+ /var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+-/var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0)
++/var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0)
+diff --git a/pyzor.if b/pyzor.if
+index 494f7e2..2c411af 100644
+--- a/pyzor.if
++++ b/pyzor.if
+@@ -14,6 +14,7 @@
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`pyzor_role',`
+ gen_require(`
+@@ -28,7 +29,10 @@ interface(`pyzor_role',`
+
+ # allow ps to show pyzor and allow the user to kill it
+ ps_process_pattern($2, pyzor_t)
+- allow $2 pyzor_t:process signal;
++ allow $2 pyzor_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 pyzor_t:process ptrace;
++ ')
+ ')
+
+ ########################################
+@@ -88,3 +92,50 @@ interface(`pyzor_exec',`
+ corecmd_search_bin($1)
+ can_exec($1, pyzor_exec_t)
+ ')
++
++########################################
++##
++## All of the rules required to administrate
++## an pyzor environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the pyzor domain.
++##
++##
++##
++#
++interface(`pyzor_admin',`
++ gen_require(`
++ type pyzord_t, pyzor_tmp_t, pyzord_log_t;
++ type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
++ ')
++
++ allow $1 pyzord_t:process signal_perms;
++ ps_process_pattern($1, pyzord_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 pyzord_t:process ptrace;
++ ')
++
++ init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 pyzord_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_tmp($1)
++ admin_pattern($1, pyzor_tmp_t)
++
++ logging_list_logs($1)
++ admin_pattern($1, pyzord_log_t)
++
++ files_list_etc($1)
++ admin_pattern($1, pyzor_etc_t)
++
++ files_list_var_lib($1)
++ admin_pattern($1, pyzor_var_lib_t)
++')
+diff --git a/pyzor.te b/pyzor.te
+index c8fb70b..f7bf36e 100644
+--- a/pyzor.te
++++ b/pyzor.te
+@@ -1,42 +1,66 @@
+-policy_module(pyzor, 2.2.0)
++policy_module(pyzor, 2.1.0)
+
+ ########################################
+ #
+ # Declarations
+ #
+
+-type pyzor_t;
+-type pyzor_exec_t;
+-typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
+-typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
+-userdom_user_application_domain(pyzor_t, pyzor_exec_t)
+-role system_r types pyzor_t;
+-
+-type pyzor_etc_t;
+-files_type(pyzor_etc_t)
+-
+-type pyzor_home_t;
+-typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
+-typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
+-userdom_user_home_content(pyzor_home_t)
+-
+-type pyzor_tmp_t;
+-typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
+-typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
+-userdom_user_tmp_file(pyzor_tmp_t)
+-
+-type pyzor_var_lib_t;
+-typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
+-typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
+-files_type(pyzor_var_lib_t)
+-ubac_constrained(pyzor_var_lib_t)
+-
+-type pyzord_t;
+-type pyzord_exec_t;
+-init_daemon_domain(pyzord_t, pyzord_exec_t)
+-
+-type pyzord_log_t;
+-logging_log_file(pyzord_log_t)
++ifdef(`distro_redhat',`
++ gen_require(`
++ type spamc_t, spamc_exec_t, spamd_t;
++ type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t;
++ type spamd_log_t, spamd_var_lib_t, spamd_etc_t;
++ type spamc_tmp_t, spamc_home_t;
++ ')
++
++ typealias spamc_t alias pyzor_t;
++ typealias spamc_exec_t alias pyzor_exec_t;
++ typealias spamd_t alias pyzord_t;
++ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
++ typealias spamd_exec_t alias pyzord_exec_t;
++ typealias spamc_tmp_t alias pyzor_tmp_t;
++ typealias spamd_log_t alias pyzor_log_t;
++ typealias spamd_log_t alias pyzord_log_t;
++ typealias spamd_var_lib_t alias pyzor_var_lib_t;
++ typealias spamd_etc_t alias pyzor_etc_t;
++ typealias spamc_home_t alias pyzor_home_t;
++ typealias spamc_home_t alias user_pyzor_home_t;
++',`
++ type pyzor_t;
++ type pyzor_exec_t;
++ typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
++ typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
++ application_domain(pyzor_t, pyzor_exec_t)
++ ubac_constrained(pyzor_t)
++ role system_r types pyzor_t;
++
++ type pyzor_etc_t;
++ files_config_file(pyzor_etc_t)
++
++ type pyzor_home_t;
++ typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
++ typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
++ userdom_user_home_content(pyzor_home_t)
++
++ type pyzor_tmp_t;
++ typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
++ typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
++ files_tmp_file(pyzor_tmp_t)
++ ubac_constrained(pyzor_tmp_t)
++
++ type pyzor_var_lib_t;
++ typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
++ typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
++ files_type(pyzor_var_lib_t)
++ ubac_constrained(pyzor_var_lib_t)
++
++ type pyzord_t;
++ type pyzord_exec_t;
++ init_daemon_domain(pyzord_t, pyzord_exec_t)
++
++ type pyzord_log_t;
++ logging_log_file(pyzord_log_t)
++')
+
+ ########################################
+ #
+@@ -74,11 +98,13 @@ corenet_tcp_connect_http_port(pyzor_t)
+
+ dev_read_urand(pyzor_t)
+
+-files_read_etc_files(pyzor_t)
++fs_getattr_xattr_fs(pyzor_t)
++
+
+ auth_use_nsswitch(pyzor_t)
+
+-miscfiles_read_localization(pyzor_t)
++
++mta_read_queue(pyzor_t)
+
+ userdom_dontaudit_search_user_home_dirs(pyzor_t)
+
+@@ -109,8 +135,8 @@ allow pyzord_t pyzor_etc_t:dir list_dir_perms;
+ can_exec(pyzord_t, pyzor_exec_t)
+
+ manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
+-allow pyzord_t pyzord_log_t:dir setattr;
+-logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir } )
++allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
++logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
+
+ kernel_read_kernel_sysctls(pyzord_t)
+ kernel_read_system_state(pyzord_t)
+@@ -119,7 +145,6 @@ dev_read_urand(pyzord_t)
+
+ corecmd_exec_bin(pyzord_t)
+
+-corenet_all_recvfrom_unlabeled(pyzord_t)
+ corenet_all_recvfrom_netlabel(pyzord_t)
+ corenet_udp_sendrecv_generic_if(pyzord_t)
+ corenet_udp_sendrecv_generic_node(pyzord_t)
+@@ -128,13 +153,11 @@ corenet_udp_bind_generic_node(pyzord_t)
+ corenet_udp_bind_pyzor_port(pyzord_t)
+ corenet_sendrecv_pyzor_server_packets(pyzord_t)
+
+-files_read_etc_files(pyzord_t)
+
+ auth_use_nsswitch(pyzord_t)
+
+ locallogin_dontaudit_use_fds(pyzord_t)
+
+-miscfiles_read_localization(pyzord_t)
+
+ # Do not audit attempts to access /root.
+ userdom_dontaudit_search_user_home_dirs(pyzord_t)
+diff --git a/qemu.if b/qemu.if
+index 268d691..580f9ee 100644
+--- a/qemu.if
++++ b/qemu.if
+@@ -43,7 +43,6 @@ template(`qemu_domain_template',`
+
+ kernel_read_system_state($1_t)
+
+- corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_generic_node($1_t)
+@@ -72,11 +71,10 @@ template(`qemu_domain_template',`
+ term_getattr_pty_fs($1_t)
+ term_use_generic_ptys($1_t)
+
+- miscfiles_read_localization($1_t)
+
+ sysnet_read_config($1_t)
+
+- userdom_use_user_terminals($1_t)
++ userdom_use_inherited_user_terminals($1_t)
+ userdom_attach_admin_tun_iface($1_t)
+
+ optional_policy(`
+@@ -98,61 +96,40 @@ template(`qemu_domain_template',`
+ ')
+ ')
+
+-#######################################
++########################################
+ ##
+-## The per role template for the qemu module.
++## Execute a domain transition to run qemu.
++##
++##
++##
++## Domain allowed to transition.
+ ##
+-##
+-##
+-## This template creates a derived domains which are used
+-## for qemu web browser.
+-##
+-##
+-## This template is invoked automatically for each user, and
+-## generally does not need to be invoked directly
+-## by policy writers.
+-##
+-##
+-##
+-##
+-## The role associated with the user domain.
+-##
+-##
+-##
+-##
+-## The type of the user domain.
+-##
+ ##
+ #
+-template(`qemu_role',`
++interface(`qemu_domtrans',`
+ gen_require(`
+ type qemu_t, qemu_exec_t;
+- type qemu_config_t, qemu_config_exec_t;
+ ')
+
+- role $1 types { qemu_t qemu_config_t };
+-
+- domtrans_pattern($2, qemu_exec_t, qemu_t)
+- domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
+- allow qemu_t $2:process signull;
++ domtrans_pattern($1, qemu_exec_t, qemu_t)
+ ')
+
+ ########################################
+ ##
+-## Execute a domain transition to run qemu.
++## Execute a qemu in the callers domain
+ ##
+ ##
+ ##
+-## Domain allowed to transition.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`qemu_domtrans',`
++interface(`qemu_exec',`
+ gen_require(`
+- type qemu_t, qemu_exec_t;
++ type qemu_exec_t;
+ ')
+
+- domtrans_pattern($1, qemu_exec_t, qemu_t)
++ can_exec($1, qemu_exec_t)
+ ')
+
+ ########################################
+@@ -256,20 +233,63 @@ interface(`qemu_kill',`
+
+ ########################################
+ ##
+-## Execute a domain transition to run qemu unconfined.
++## Execute qemu_exec_t
++## in the specified domain but do not
++## do it automatically. This is an explicit
++## transition, requiring the caller to use setexeccon().
+ ##
++##
++##
++## Execute qemu_exec_t
++## in the specified domain. This allows
++## the specified domain to qemu programs
++## on these filesystems in the specified
++## domain.
++##
++##
+ ##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`qemu_spec_domtrans',`
++ gen_require(`
++ type qemu_exec_t;
++ ')
++
++ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
++ domain_transition_pattern($1, qemu_exec_t, $2)
++ domain_entry_file($2,qemu_exec_t)
++ can_exec($1,qemu_exec_t)
++
++ allow $2 $1:fd use;
++ allow $2 $1:fifo_file rw_fifo_file_perms;
++ allow $2 $1:process sigchld;
++')
++
++########################################
+ ##
+-## Domain allowed to transition.
++## Execute qemu unconfined programs in the role.
+ ##
++##
++##
++## The role to allow the qemu unconfined domain.
++##
+ ##
+ #
+-interface(`qemu_domtrans_unconfined',`
++interface(`qemu_unconfined_role',`
+ gen_require(`
+- type unconfined_qemu_t, qemu_exec_t;
++ type unconfined_qemu_t;
++ type qemu_t;
+ ')
+-
+- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
++ role $1 types unconfined_qemu_t;
++ role $1 types qemu_t;
+ ')
+
+ ########################################
+@@ -307,3 +327,22 @@ interface(`qemu_manage_tmp_files',`
+
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+ ')
++
++########################################
++##
++## Make qemu_exec_t an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which qemu_exec_t is an entrypoint.
++##
++##
++#
++interface(`qemu_entry_type',`
++ gen_require(`
++ type qemu_exec_t;
++ ')
++
++ domain_entry_file($1, qemu_exec_t)
++')
+diff --git a/qemu.te b/qemu.te
+index 9681d82..695c857 100644
+--- a/qemu.te
++++ b/qemu.te
+@@ -40,9 +40,7 @@ gen_tunable(qemu_use_nfs, true)
+ ##
+ gen_tunable(qemu_use_usb, true)
+
+-type qemu_exec_t;
+ virt_domain_template(qemu)
+-application_domain(qemu_t, qemu_exec_t)
+ role system_r types qemu_t;
+
+ ########################################
+@@ -50,13 +48,12 @@ role system_r types qemu_t;
+ # qemu local policy
+ #
+
+-can_exec(qemu_t, qemu_exec_t)
+-
+ storage_raw_write_removable_device(qemu_t)
+ storage_raw_read_removable_device(qemu_t)
+
+ userdom_search_user_home_content(qemu_t)
+ userdom_read_user_tmpfs_files(qemu_t)
++userdom_stream_connect(qemu_t)
+
+ tunable_policy(`qemu_full_network',`
+ allow qemu_t self:udp_socket create_socket_perms;
+@@ -101,6 +98,17 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ tunable_policy(`qemu_use_cifs',`
++ samba_domtrans_smbd(qemu_t)
++ ')
++')
++
++optional_policy(`
++ virt_domtrans_bridgehelper(qemu_t)
++')
++
++optional_policy(`
++ virt_manage_home_files(qemu_t)
+ virt_manage_images(qemu_t)
+ virt_append_log(qemu_t)
+ ')
+@@ -113,18 +121,3 @@ optional_policy(`
+ xserver_read_xdm_pid(qemu_t)
+ xserver_stream_connect(qemu_t)
+ ')
+-
+-########################################
+-#
+-# Unconfined qemu local policy
+-#
+-
+-optional_policy(`
+- type unconfined_qemu_t;
+- typealias unconfined_qemu_t alias qemu_unconfined_t;
+- application_type(unconfined_qemu_t)
+- unconfined_domain(unconfined_qemu_t)
+-
+- allow unconfined_qemu_t self:process { execstack execmem };
+- allow unconfined_qemu_t qemu_exec_t:file execmod;
+-')
+diff --git a/qmail.fc b/qmail.fc
+index 0055e54..edee505 100644
+--- a/qmail.fc
++++ b/qmail.fc
+@@ -17,6 +17,7 @@
+ /var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+ /var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
++/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+ /var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+
+@@ -25,7 +26,7 @@ ifdef(`distro_debian', `
+
+ /usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+-#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
++#/usr/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
+
+ /usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+ /usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+diff --git a/qmail.if b/qmail.if
+index a55bf44..05e219e 100644
+--- a/qmail.if
++++ b/qmail.if
+@@ -44,7 +44,6 @@ template(`qmail_child_domain_template',`
+
+ fs_getattr_xattr_fs($1_t)
+
+- miscfiles_read_localization($1_t)
+ ')
+
+ ########################################
+@@ -62,14 +61,13 @@ interface(`qmail_domtrans_inject',`
+ type qmail_inject_t, qmail_inject_exec_t;
+ ')
+
++ corecmd_search_bin($1)
+ domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+- corecmd_search_bin($1)
+ ',`
+ files_search_var($1)
+- corecmd_search_bin($1)
+ ')
+ ')
+
+@@ -88,14 +86,13 @@ interface(`qmail_domtrans_queue',`
+ type qmail_queue_t, qmail_queue_exec_t;
+ ')
+
++ corecmd_search_bin($1)
+ domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+- corecmd_search_bin($1)
+ ',`
+ files_search_var($1)
+- corecmd_search_bin($1)
+ ')
+ ')
+
+@@ -149,3 +146,59 @@ interface(`qmail_smtpd_service_domain',`
+
+ domtrans_pattern(qmail_smtpd_t, $2, $1)
+ ')
++
++########################################
++##
++## Create, read, write, and delete qmail
++## spool directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`qmail_manage_spool_dirs',`
++ gen_require(`
++ type qmail_spool_t;
++ ')
++
++ manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t)
++')
++
++########################################
++##
++## Create, read, write, and delete qmail
++## spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`qmail_manage_spool_files',`
++ gen_require(`
++ type qmail_spool_t;
++ ')
++
++ manage_files_pattern($1, qmail_spool_t, qmail_spool_t)
++')
++
++########################################
++##
++## Read and write to qmail spool pipes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`qmail_rw_spool_pipes',`
++ gen_require(`
++ type qmail_spool_t;
++ ')
++
++ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
++')
+diff --git a/qmail.te b/qmail.te
+index 355b2a2..af2850e 100644
+--- a/qmail.te
++++ b/qmail.te
+@@ -47,7 +47,7 @@ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+ qmail_child_domain_template(qmail_splogger, qmail_start_t)
+
+ type qmail_spool_t;
+-files_type(qmail_spool_t)
++files_spool_file(qmail_spool_t)
+
+ type qmail_start_t;
+ type qmail_start_exec_t;
+@@ -60,7 +60,7 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+ ########################################
+ #
+ # qmail-clean local policy
+-# this component cleans up the queue directory
++# this component cleans up the queue directory
+ #
+
+ read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+@@ -69,11 +69,11 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+ ########################################
+ #
+ # qmail-inject local policy
+-# this component preprocesses mail from stdin and invokes qmail-queue
++# this component preprocesses mail from stdin and invokes qmail-queue
+ #
+
+-allow qmail_inject_t self:fifo_file write_fifo_file_perms;
+ allow qmail_inject_t self:process signal_perms;
++allow qmail_inject_t self:fifo_file write_fifo_file_perms;
+
+ allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
+
+@@ -81,18 +81,17 @@ corecmd_search_bin(qmail_inject_t)
+
+ files_search_var(qmail_inject_t)
+
+-miscfiles_read_localization(qmail_inject_t)
+
+ qmail_read_config(qmail_inject_t)
+
+ ########################################
+ #
+ # qmail-local local policy
+-# this component delivers a mail message
++# this component delivers a mail message
+ #
+
+-allow qmail_local_t self:fifo_file write_file_perms;
+ allow qmail_local_t self:process signal_perms;
++allow qmail_local_t self:fifo_file write_file_perms;
+ allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
+
+ manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
+@@ -109,7 +108,6 @@ kernel_read_system_state(qmail_local_t)
+ corecmd_exec_bin(qmail_local_t)
+ corecmd_exec_shell(qmail_local_t)
+
+-files_read_etc_files(qmail_local_t)
+ files_read_etc_runtime_files(qmail_local_t)
+
+ auth_use_nsswitch(qmail_local_t)
+@@ -121,13 +119,17 @@ mta_append_spool(qmail_local_t)
+ qmail_domtrans_queue(qmail_local_t)
+
+ optional_policy(`
++ uucp_domtrans(qmail_local_t)
++')
++
++optional_policy(`
+ spamassassin_domtrans_client(qmail_local_t)
+ ')
+
+ ########################################
+ #
+ # qmail-lspawn local policy
+-# this component schedules local deliveries
++# this component schedules local deliveries
+ #
+
+ allow qmail_lspawn_t self:capability { setuid setgid };
+@@ -143,22 +145,21 @@ read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
+
+ corecmd_search_bin(qmail_lspawn_t)
+
+-files_read_etc_files(qmail_lspawn_t)
+ files_search_pids(qmail_lspawn_t)
+ files_search_tmp(qmail_lspawn_t)
+
+ ########################################
+ #
+ # qmail-queue local policy
+-# this component places a mail in a delivery queue, later to be processed by qmail-send
++# this component places a mail in a delivery queue, later to be processed by qmail-send
+ #
+
+ allow qmail_queue_t qmail_lspawn_t:fd use;
+ allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
+
++allow qmail_queue_t qmail_smtpd_t:process sigchld;
+ allow qmail_queue_t qmail_smtpd_t:fd use;
+ allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
+-allow qmail_queue_t qmail_smtpd_t:process sigchld;
+
+ manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+ manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+@@ -175,7 +176,7 @@ optional_policy(`
+ ########################################
+ #
+ # qmail-remote local policy
+-# this component sends mail via SMTP
++# this component sends mail via SMTP
+ #
+
+ allow qmail_remote_t self:tcp_socket create_socket_perms;
+@@ -183,7 +184,6 @@ allow qmail_remote_t self:udp_socket create_socket_perms;
+
+ rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)
+
+-corenet_all_recvfrom_unlabeled(qmail_remote_t)
+ corenet_all_recvfrom_netlabel(qmail_remote_t)
+ corenet_tcp_sendrecv_generic_if(qmail_remote_t)
+ corenet_udp_sendrecv_generic_if(qmail_remote_t)
+@@ -202,7 +202,7 @@ sysnet_read_config(qmail_remote_t)
+ ########################################
+ #
+ # qmail-rspawn local policy
+-# this component scedules remote deliveries
++# this component scedules remote deliveries
+ #
+
+ allow qmail_rspawn_t self:process signal_perms;
+@@ -217,7 +217,7 @@ corecmd_search_bin(qmail_rspawn_t)
+ ########################################
+ #
+ # qmail-send local policy
+-# this component delivers mail messages from the queue
++# this component delivers mail messages from the queue
+ #
+
+ allow qmail_send_t self:process signal_perms;
+@@ -236,7 +236,7 @@ optional_policy(`
+ ########################################
+ #
+ # qmail-smtpd local policy
+-# this component receives mails via SMTP
++# this component receives mails via SMTP
+ #
+
+ allow qmail_smtpd_t self:process signal_perms;
+@@ -265,27 +265,25 @@ optional_policy(`
+ ########################################
+ #
+ # splogger local policy
+-# this component creates entries in syslog
++# this component creates entries in syslog
+ #
+
+ allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
+
+-files_read_etc_files(qmail_splogger_t)
+
+ init_dontaudit_use_script_fds(qmail_splogger_t)
+
+-miscfiles_read_localization(qmail_splogger_t)
+
+ ########################################
+ #
+ # qmail-start local policy
+-# this component starts up the mail delivery component
++# this component starts up the mail delivery component
+ #
+
+ allow qmail_start_t self:capability { setgid setuid };
+ dontaudit qmail_start_t self:capability sys_tty_config;
+-allow qmail_start_t self:fifo_file rw_fifo_file_perms;
+ allow qmail_start_t self:process signal_perms;
++allow qmail_start_t self:fifo_file rw_fifo_file_perms;
+
+ can_exec(qmail_start_t, qmail_start_exec_t)
+
+@@ -303,7 +301,7 @@ optional_policy(`
+ ########################################
+ #
+ # tcp-env local policy
+-# this component sets up TCP-related environment variables
++# this component sets up TCP-related environment variables
+ #
+
+ allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
+diff --git a/qpid.fc b/qpid.fc
+index 4f94229..f3b89e4 100644
+--- a/qpid.fc
++++ b/qpid.fc
+@@ -1,6 +1,7 @@
+-/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
+
+-/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
++/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
++
++/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
+
+ /var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
+
+diff --git a/qpid.if b/qpid.if
+index 5a9630c..bedca3a 100644
+--- a/qpid.if
++++ b/qpid.if
+@@ -1,4 +1,4 @@
+-## Apache QPID AMQP messaging server.
++## policy for qpidd
+
+ ########################################
+ ##
+@@ -18,9 +18,9 @@ interface(`qpidd_domtrans',`
+ domtrans_pattern($1, qpidd_exec_t, qpidd_t)
+ ')
+
+-#####################################
++########################################
+ ##
+-## Allow read and write access to qpidd semaphores.
++## Execute qpidd server in the qpidd domain.
+ ##
+ ##
+ ##
+@@ -28,17 +28,17 @@ interface(`qpidd_domtrans',`
+ ##
+ ##
+ #
+-interface(`qpidd_rw_semaphores',`
++interface(`qpidd_initrc_domtrans',`
+ gen_require(`
+- type qpidd_t;
++ type qpidd_initrc_exec_t;
+ ')
+
+- allow $1 qpidd_t:sem rw_sem_perms;
++ init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write to qpidd shared memory.
++## Read qpidd PID files.
+ ##
+ ##
+ ##
+@@ -46,17 +46,18 @@ interface(`qpidd_rw_semaphores',`
+ ##
+ ##
+ #
+-interface(`qpidd_rw_shm',`
++interface(`qpidd_read_pid_files',`
+ gen_require(`
+- type qpidd_t;
++ type qpidd_var_run_t;
+ ')
+
+- allow $1 qpidd_t:shm rw_shm_perms;
++ files_search_pids($1)
++ allow $1 qpidd_var_run_t:file read_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Execute qpidd server in the qpidd domain.
++## Manage qpidd var_run files.
+ ##
+ ##
+ ##
+@@ -64,17 +65,20 @@ interface(`qpidd_rw_shm',`
+ ##
+ ##
+ #
+-interface(`qpidd_initrc_domtrans',`
++interface(`qpidd_manage_var_run',`
+ gen_require(`
+- type qpidd_initrc_exec_t;
++ type qpidd_var_run_t;
+ ')
+
+- init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
++ files_search_pids($1)
++ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
++ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
++ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+ ')
+
+ ########################################
+ ##
+-## Read qpidd PID files.
++## Search qpidd lib directories.
+ ##
+ ##
+ ##
+@@ -82,18 +86,18 @@ interface(`qpidd_initrc_domtrans',`
+ ##
+ ##
+ #
+-interface(`qpidd_read_pid_files',`
++interface(`qpidd_search_lib',`
+ gen_require(`
+- type qpidd_var_run_t;
++ type qpidd_var_lib_t;
+ ')
+
+- files_search_pids($1)
+- allow $1 qpidd_var_run_t:file read_file_perms;
++ allow $1 qpidd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
+ ')
+
+ ########################################
+ ##
+-## Search qpidd lib directories.
++## Read qpidd lib files.
+ ##
+ ##
+ ##
+@@ -101,18 +105,19 @@ interface(`qpidd_read_pid_files',`
+ ##
+ ##
+ #
+-interface(`qpidd_search_lib',`
++interface(`qpidd_read_lib_files',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+- allow $1 qpidd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
++ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## Read qpidd lib files.
++## Create, read, write, and delete
++## qpidd lib files.
+ ##
+ ##
+ ##
+@@ -120,19 +125,18 @@ interface(`qpidd_search_lib',`
+ ##
+ ##
+ #
+-interface(`qpidd_read_lib_files',`
++interface(`qpidd_manage_lib_files',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+- read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
++ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## qpidd lib files.
++## Manage qpidd var_lib files.
+ ##
+ ##
+ ##
+@@ -140,13 +144,15 @@ interface(`qpidd_read_lib_files',`
+ ##
+ ##
+ #
+-interface(`qpidd_manage_lib_files',`
++interface(`qpidd_manage_var_lib',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
++ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
++ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+ ')
+
+ ########################################
+@@ -171,8 +177,11 @@ interface(`qpidd_admin',`
+ type qpidd_t, qpidd_initrc_exec_t;
+ ')
+
+- allow $1 qpidd_t:process { ptrace signal_perms };
++ allow $1 qpidd_t:process signal_perms;
+ ps_process_pattern($1, qpidd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 qpidd_t:process ptrace;
++ ')
+
+ # Allow qpidd_t to restart the apache service
+ qpidd_initrc_domtrans($1)
+@@ -180,7 +189,46 @@ interface(`qpidd_admin',`
+ role_transition $2 qpidd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- admin_pattern($1, qpidd_var_lib_t)
++ qpidd_manage_var_run($1)
+
+- admin_pattern($1, qpidd_var_run_t)
++ qpidd_manage_var_lib($1)
++')
++
++#####################################
++##
++## Allow read and write access to qpidd semaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`qpidd_rw_semaphores',`
++ gen_require(`
++ type qpidd_t;
++ ')
++
++ allow $1 qpidd_t:sem rw_sem_perms;
++')
++
++#######################################
++##
++## Read and write to qpidd shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`qpidd_rw_shm',`
++ gen_require(`
++ type qpidd_t;
++ type qpidd_tmpfs_t;
++ ')
++
++ allow $1 qpidd_t:shm rw_shm_perms;
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
+ ')
+diff --git a/qpid.te b/qpid.te
+index cb7ecb5..68f26ad 100644
+--- a/qpid.te
++++ b/qpid.te
+@@ -12,12 +12,15 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
+ type qpidd_initrc_exec_t;
+ init_script_file(qpidd_initrc_exec_t)
+
+-type qpidd_var_lib_t;
+-files_type(qpidd_var_lib_t)
++type qpidd_tmpfs_t;
++files_tmpfs_file(qpidd_tmpfs_t)
+
+ type qpidd_var_run_t;
+ files_pid_file(qpidd_var_run_t)
+
++type qpidd_var_lib_t;
++files_type(qpidd_var_lib_t)
++
+ ########################################
+ #
+ # qpidd local policy
+@@ -30,34 +33,41 @@ allow qpidd_t self:shm create_shm_perms;
+ allow qpidd_t self:tcp_socket create_stream_socket_perms;
+ allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
+
+-manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+-manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
++manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
++manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
++fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
++
++manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
++manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+ files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
+
+-manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+-manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
++manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
++manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+ files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
+
+ kernel_read_system_state(qpidd_t)
+
+-corenet_all_recvfrom_unlabeled(qpidd_t)
+ corenet_all_recvfrom_netlabel(qpidd_t)
++corenet_tcp_bind_generic_node(qpidd_t)
+ corenet_tcp_sendrecv_generic_if(qpidd_t)
+ corenet_tcp_sendrecv_generic_node(qpidd_t)
+ corenet_tcp_sendrecv_all_ports(qpidd_t)
+-corenet_tcp_bind_generic_node(qpidd_t)
+ corenet_tcp_bind_amqp_port(qpidd_t)
++corenet_tcp_bind_matahari_port(qpidd_t)
++corenet_tcp_connect_amqp_port(qpidd_t)
++corenet_tcp_connect_matahari_port(qpidd_t)
+
++dev_read_sysfs(qpidd_t)
+ dev_read_urand(qpidd_t)
+
+ files_read_etc_files(qpidd_t)
++files_read_usr_files(qpidd_t)
+
+ logging_send_syslog_msg(qpidd_t)
+
+-miscfiles_read_localization(qpidd_t)
+-
+ sysnet_dns_name_resolve(qpidd_t)
+
+ optional_policy(`
+ corosync_stream_connect(qpidd_t)
+ ')
++
+diff --git a/quantum.fc b/quantum.fc
+new file mode 100644
+index 0000000..9108437
+--- /dev/null
++++ b/quantum.fc
+@@ -0,0 +1,10 @@
++/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
++
++/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:quantum_unit_file_t,s0)
++
++/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
++
++/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0)
+diff --git a/quantum.if b/quantum.if
+new file mode 100644
+index 0000000..010b2be
+--- /dev/null
++++ b/quantum.if
+@@ -0,0 +1,218 @@
++## Quantum is a virtual network service for Openstack
++
++########################################
++##
++## Transition to quantum.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`quantum_domtrans',`
++ gen_require(`
++ type quantum_t, quantum_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, quantum_exec_t, quantum_t)
++')
++
++########################################
++##
++## Read quantum's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`quantum_read_log',`
++ gen_require(`
++ type quantum_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, quantum_log_t, quantum_log_t)
++')
++
++########################################
++##
++## Append to quantum log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`quantum_append_log',`
++ gen_require(`
++ type quantum_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, quantum_log_t, quantum_log_t)
++')
++
++########################################
++##
++## Manage quantum log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`quantum_manage_log',`
++ gen_require(`
++ type quantum_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, quantum_log_t, quantum_log_t)
++ manage_files_pattern($1, quantum_log_t, quantum_log_t)
++ manage_lnk_files_pattern($1, quantum_log_t, quantum_log_t)
++')
++
++########################################
++##
++## Search quantum lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`quantum_search_lib',`
++ gen_require(`
++ type quantum_var_lib_t;
++ ')
++
++ allow $1 quantum_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read quantum lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`quantum_read_lib_files',`
++ gen_require(`
++ type quantum_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++')
++
++########################################
++##
++## Manage quantum lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`quantum_manage_lib_files',`
++ gen_require(`
++ type quantum_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++')
++
++########################################
++##
++## Manage quantum lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`quantum_manage_lib_dirs',`
++ gen_require(`
++ type quantum_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++')
++
++########################################
++##
++## Execute quantum server in the quantum domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`quantum_systemctl',`
++ gen_require(`
++ type quantum_t;
++ type quantum_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 quantum_unit_file_t:file read_file_perms;
++ allow $1 quantum_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, quantum_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an quantum environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`quantum_admin',`
++ gen_require(`
++ type quantum_t;
++ type quantum_log_t;
++ type quantum_var_lib_t;
++ type quantum_unit_file_t;
++ ')
++
++ allow $1 quantum_t:process { ptrace signal_perms };
++ ps_process_pattern($1, quantum_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, quantum_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, quantum_var_lib_t)
++
++ quantum_systemctl($1)
++ admin_pattern($1, quantum_unit_file_t)
++ allow $1 quantum_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/quantum.te b/quantum.te
+new file mode 100644
+index 0000000..6e15504
+--- /dev/null
++++ b/quantum.te
+@@ -0,0 +1,80 @@
++policy_module(quantum, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type quantum_t;
++type quantum_exec_t;
++init_daemon_domain(quantum_t, quantum_exec_t)
++
++type quantum_log_t;
++logging_log_file(quantum_log_t)
++
++type quantum_tmp_t;
++files_tmp_file(quantum_tmp_t)
++
++type quantum_var_lib_t;
++files_type(quantum_var_lib_t)
++
++type quantum_unit_file_t;
++systemd_unit_file(quantum_unit_file_t)
++
++########################################
++#
++# quantum local policy
++#
++allow quantum_t self:capability { setuid sys_resource setgid audit_write };
++allow quantum_t self:process { setsched setrlimit };
++allow quantum_t self:key manage_key_perms;
++
++allow quantum_t self:fifo_file rw_fifo_file_perms;
++allow quantum_t self:unix_stream_socket create_stream_socket_perms;
++allow quantum_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
++manage_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
++logging_log_filetrans(quantum_t, quantum_log_t, { dir file })
++
++manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
++files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
++can_exec(quantum_t, quantum_tmp_t)
++
++manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
++manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
++files_var_lib_filetrans(quantum_t, quantum_var_lib_t, { dir file })
++
++kernel_read_kernel_sysctls(quantum_t)
++kernel_read_system_state(quantum_t)
++
++corecmd_exec_shell(quantum_t)
++corecmd_exec_bin(quantum_t)
++
++corenet_tcp_bind_generic_node(quantum_t)
++corenet_tcp_bind_quantum_port(quantum_t)
++corenet_tcp_connect_mysqld_port(quantum_t)
++
++dev_read_urand(quantum_t)
++dev_list_sysfs(quantum_t)
++
++domain_use_interactive_fds(quantum_t)
++
++files_read_usr_files(quantum_t)
++
++auth_use_nsswitch(quantum_t)
++
++libs_exec_ldconfig(quantum_t)
++
++logging_send_audit_msgs(quantum_t)
++logging_send_syslog_msg(quantum_t)
++
++sysnet_domtrans_ifconfig(quantum_t)
++
++optional_policy(`
++ brctl_domtrans(quantum_t)
++')
++
++optional_policy(`
++ sudo_exec(quantum_t)
++')
+diff --git a/quota.fc b/quota.fc
+index f387230..0ee2489 100644
+--- a/quota.fc
++++ b/quota.fc
+@@ -1,4 +1,5 @@
+ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
++HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+ /a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+@@ -8,12 +9,21 @@ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+ /sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+
++/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
++
+ /var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+ /var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
+-/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
++/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+ ifdef(`distro_redhat',`
+ /usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+ ',`
+ /sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+ ')
++
++/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
++
++/var/lib/stickshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
++/var/lib/openshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
++
++/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
+diff --git a/quota.if b/quota.if
+index bf75d99..3fb8575 100644
+--- a/quota.if
++++ b/quota.if
+@@ -45,6 +45,24 @@ interface(`quota_run',`
+ role $2 types quota_t;
+ ')
+
++#######################################
++##
++## Alow to read of filesystem quota data files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`quota_read_db',`
++ gen_require(`
++ type quota_db_t;
++ ')
++
++ allow $1 quota_db_t:file read_file_perms;
++')
++
+ ########################################
+ ##
+ ## Do not audit attempts to get the attributes
+@@ -67,6 +85,25 @@ interface(`quota_dontaudit_getattr_db',`
+ ########################################
+ ##
+ ## Create, read, write, and delete quota
++## db files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`quota_manage_db',`
++ gen_require(`
++ type quota_db_t;
++ ')
++
++ allow $1 quota_db_t:file manage_file_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete quota
+ ## flag files.
+ ##
+ ##
+@@ -83,3 +120,59 @@ interface(`quota_manage_flags',`
+ files_search_var_lib($1)
+ manage_files_pattern($1, quota_flag_t, quota_flag_t)
+ ')
++
++########################################
++##
++## Transition to quota named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`quota_filetrans_named_content',`
++ gen_require(`
++ type quota_db_t;
++ ')
++
++ files_root_filetrans($1, quota_db_t, file, "aquota.user")
++ files_root_filetrans($1, quota_db_t, file, "aquota.group")
++ files_boot_filetrans($1, quota_db_t, file, "aquota.user")
++ files_boot_filetrans($1, quota_db_t, file, "aquota.group")
++ files_etc_filetrans($1, quota_db_t, file, "aquota.user")
++ files_etc_filetrans($1, quota_db_t, file, "aquota.group")
++ files_tmp_filetrans($1, quota_db_t, file, "aquota.user")
++ files_tmp_filetrans($1, quota_db_t, file, "aquota.group")
++ files_home_filetrans($1, quota_db_t, file, "aquota.user")
++ files_home_filetrans($1, quota_db_t, file, "aquota.group")
++ files_usr_filetrans($1, quota_db_t, file, "aquota.user")
++ files_usr_filetrans($1, quota_db_t, file, "aquota.group")
++ files_var_filetrans($1, quota_db_t, file, "aquota.user")
++ files_var_filetrans($1, quota_db_t, file, "aquota.group")
++ files_spool_filetrans($1, quota_db_t, file, "aquota.user")
++ files_spool_filetrans($1, quota_db_t, file, "aquota.group")
++ mta_spool_filetrans($1, quota_db_t, file, "aquota.user")
++ mta_spool_filetrans($1, quota_db_t, file, "aquota.group")
++ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user")
++ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group")
++')
++
++#######################################
++##
++## Transition to quota_nld.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`quota_domtrans_nld',`
++ gen_require(`
++ type quota_nld_t, quota_nld_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
++')
+diff --git a/quota.te b/quota.te
+index 5dd42f5..0df6e21 100644
+--- a/quota.te
++++ b/quota.te
+@@ -7,7 +7,8 @@ policy_module(quota, 1.5.0)
+
+ type quota_t;
+ type quota_exec_t;
+-init_system_domain(quota_t, quota_exec_t)
++application_domain(quota_t, quota_exec_t)
++#init_system_domain(quota_t, quota_exec_t)
+
+ type quota_db_t;
+ files_type(quota_db_t)
+@@ -15,6 +16,13 @@ files_type(quota_db_t)
+ type quota_flag_t;
+ files_type(quota_flag_t)
+
++type quota_nld_t;
++type quota_nld_exec_t;
++init_daemon_domain(quota_nld_t, quota_nld_exec_t)
++
++type quota_nld_var_run_t;
++files_pid_file(quota_nld_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -34,6 +42,17 @@ files_home_filetrans(quota_t, quota_db_t, file)
+ files_usr_filetrans(quota_t, quota_db_t, file)
+ files_var_filetrans(quota_t, quota_db_t, file)
+ files_spool_filetrans(quota_t, quota_db_t, file)
++userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
++
++optional_policy(`
++ mta_spool_filetrans(quota_t, quota_db_t, file)
++ mta_spool_filetrans(quota_t, quota_db_t, file)
++ mta_spool_filetrans_queue(quota_t, quota_db_t, file)
++')
++
++optional_policy(`
++ openshift_lib_filetrans(quota_t, quota_db_t, file)
++')
+
+ kernel_list_proc(quota_t)
+ kernel_read_proc_symlinks(quota_t)
+@@ -72,7 +91,7 @@ init_use_script_ptys(quota_t)
+
+ logging_send_syslog_msg(quota_t)
+
+-userdom_use_user_terminals(quota_t)
++userdom_use_inherited_user_terminals(quota_t)
+ userdom_dontaudit_use_unpriv_user_fds(quota_t)
+
+ optional_policy(`
+@@ -82,3 +101,30 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(quota_t)
+ ')
++
++#######################################
++#
++# Local policy
++#
++
++allow quota_nld_t self:fifo_file rw_fifo_file_perms;
++allow quota_nld_t self:netlink_socket create_socket_perms;
++allow quota_nld_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
++files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
++
++kernel_read_network_state(quota_nld_t)
++
++auth_use_nsswitch(quota_nld_t)
++
++init_read_utmp(quota_nld_t)
++
++logging_send_syslog_msg(quota_nld_t)
++
++userdom_use_user_terminals(quota_nld_t)
++
++optional_policy(`
++ dbus_system_bus_client(quota_nld_t)
++ dbus_connect_system_bus(quota_nld_t)
++')
+diff --git a/rabbitmq.fc b/rabbitmq.fc
+new file mode 100644
+index 0000000..594c110
+--- /dev/null
++++ b/rabbitmq.fc
+@@ -0,0 +1,7 @@
++
++/usr/lib64/erlang/erts-5.8.5/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
++/usr/lib64/erlang/erts-5.8.5/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
++
++/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
++
++/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
+diff --git a/rabbitmq.if b/rabbitmq.if
+new file mode 100644
+index 0000000..491bd1f
+--- /dev/null
++++ b/rabbitmq.if
+@@ -0,0 +1,21 @@
++
++## policy for rabbitmq
++
++########################################
++##
++## Transition to rabbitmq.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rabbitmq_domtrans',`
++ gen_require(`
++ type rabbitmq_t, rabbitmq_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
++')
+diff --git a/rabbitmq.te b/rabbitmq.te
+new file mode 100644
+index 0000000..4cb2ad8
+--- /dev/null
++++ b/rabbitmq.te
+@@ -0,0 +1,82 @@
++policy_module(rabbitmq, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type rabbitmq_epmd_t;
++type rabbitmq_epmd_exec_t;
++init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t)
++
++type rabbitmq_beam_t;
++type rabbitmq_beam_exec_t;
++init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t)
++
++type rabbitmq_var_lib_t;
++files_type(rabbitmq_var_lib_t)
++
++type rabbitmq_var_log_t;
++logging_log_file(rabbitmq_var_log_t)
++
++######################################
++#
++# beam local policy
++#
++
++allow rabbitmq_beam_t self:process { setsched signal signull };
++
++allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
++allow rabbitmq_beam_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
++
++manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++
++can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
++
++kernel_read_system_state(rabbitmq_beam_t)
++
++corecmd_exec_bin(rabbitmq_beam_t)
++corecmd_exec_shell(rabbitmq_beam_t)
++
++corenet_tcp_bind_generic_node(rabbitmq_beam_t)
++corenet_udp_bind_generic_node(rabbitmq_beam_t)
++corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
++corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
++corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
++
++dev_read_sysfs(rabbitmq_beam_t)
++
++files_read_etc_files(rabbitmq_beam_t)
++
++
++optional_policy(`
++ sysnet_dns_name_resolve(rabbitmq_beam_t)
++')
++
++########################################
++#
++# epmd local policy
++#
++
++domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
++
++allow rabbitmq_epmd_t self:process signal;
++
++allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
++allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
++allow rabbitmq_epmd_t self:unix_stream_socket create_stream_socket_perms;
++
++# should be append
++allow rabbitmq_epmd_t rabbitmq_var_log_t:file write_file_perms;
++
++corenet_tcp_bind_generic_node(rabbitmq_epmd_t)
++corenet_udp_bind_generic_node(rabbitmq_epmd_t)
++corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
++
++files_read_etc_files(rabbitmq_epmd_t)
++
++logging_send_syslog_msg(rabbitmq_epmd_t)
+diff --git a/radius.fc b/radius.fc
+index 09f7b50..61c6d34 100644
+--- a/radius.fc
++++ b/radius.fc
+@@ -9,6 +9,8 @@
+ /usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+ /usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
++/usr/lib/systemd/system/radiusd.* -- gen_context(system_u:object_r:radiusd_unit_file_t,s0)
++
+ /var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
+
+ /var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+@@ -16,7 +18,7 @@
+ /var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+ /var/log/radius\.log.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
+ /var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+-/var/log/radutmp -- gen_context(system_u:object_r:radiusd_log_t,s0)
++/var/log/radutmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
+ /var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
+
+ /var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0)
+diff --git a/radius.if b/radius.if
+index 75e5dc4..a366f85 100644
+--- a/radius.if
++++ b/radius.if
+@@ -14,6 +14,29 @@ interface(`radius_use',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ ')
+
++#######################################
++##
++## Execute radiusd server in the radiusd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`radiusd_systemctl',`
++ gen_require(`
++ type radiusd_unit_file_t;
++ type radiusd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 radiusd_unit_file_t:file read_file_perms;
++ allow $1 radiusd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, radiusd_t)
++')
++
+ ########################################
+ ##
+ ## All of the rules required to administrate
+@@ -35,11 +58,14 @@ interface(`radius_admin',`
+ gen_require(`
+ type radiusd_t, radiusd_etc_t, radiusd_log_t;
+ type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
+- type radiusd_initrc_exec_t;
++ type radiusd_initrc_exec_t, radiusd_unit_file_t;
+ ')
+
+- allow $1 radiusd_t:process { ptrace signal_perms };
++ allow $1 radiusd_t:process signal_perms;
+ ps_process_pattern($1, radiusd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 radiusd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -59,4 +85,9 @@ interface(`radius_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, radiusd_var_run_t)
++
++ admin_pattern($1, radiusd_unit_file_t)
++ bind_systemctl($1)
++ allow $1 radiusd_unit_file_t:service all_service_perms;
++
+ ')
+diff --git a/radius.te b/radius.te
+index b1ed1bf..8b3f408 100644
+--- a/radius.te
++++ b/radius.te
+@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
+ type radiusd_var_run_t;
+ files_pid_file(radiusd_var_run_t)
+
++type radiusd_unit_file_t;
++systemd_unit_file(radiusd_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -62,11 +65,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+ manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+ manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+ files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
++files_dontaudit_list_tmp(radiusd_t)
+
+ kernel_read_kernel_sysctls(radiusd_t)
+ kernel_read_system_state(radiusd_t)
+
+-corenet_all_recvfrom_unlabeled(radiusd_t)
+ corenet_all_recvfrom_netlabel(radiusd_t)
+ corenet_tcp_sendrecv_generic_if(radiusd_t)
+ corenet_udp_sendrecv_generic_if(radiusd_t)
+@@ -77,6 +80,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t)
+ corenet_udp_bind_generic_node(radiusd_t)
+ corenet_udp_bind_radacct_port(radiusd_t)
+ corenet_udp_bind_radius_port(radiusd_t)
++corenet_tcp_connect_postgresql_port(radiusd_t)
+ corenet_tcp_connect_mysqld_port(radiusd_t)
+ corenet_tcp_connect_snmp_port(radiusd_t)
+ corenet_sendrecv_radius_server_packets(radiusd_t)
+@@ -99,7 +103,6 @@ corecmd_exec_shell(radiusd_t)
+ domain_use_interactive_fds(radiusd_t)
+
+ files_read_usr_files(radiusd_t)
+-files_read_etc_files(radiusd_t)
+ files_read_etc_runtime_files(radiusd_t)
+
+ auth_use_nsswitch(radiusd_t)
+@@ -110,9 +113,10 @@ libs_exec_lib_files(radiusd_t)
+
+ logging_send_syslog_msg(radiusd_t)
+
+-miscfiles_read_localization(radiusd_t)
+ miscfiles_read_generic_certs(radiusd_t)
+
++sysnet_use_ldap(radiusd_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
+ userdom_dontaudit_search_user_home_dirs(radiusd_t)
+
+diff --git a/radvd.if b/radvd.if
+index be05bff..924fc0c 100644
+--- a/radvd.if
++++ b/radvd.if
+@@ -1,5 +1,24 @@
+ ## IPv6 router advertisement daemon
+
++######################################
++##
++## Read radvd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`radvd_read_pid_files',`
++ gen_require(`
++ type radvd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, radvd_var_run_t, radvd_var_run_t)
++')
++
+ ########################################
+ ##
+ ## All of the rules required to administrate
+@@ -19,12 +38,15 @@
+ #
+ interface(`radvd_admin',`
+ gen_require(`
+- type radvd_t, radvd_etc_t;
+- type radvd_var_run_t, radvd_initrc_exec_t;
++ type radvd_t, radvd_etc_t, radvd_initrc_exec_t;
++ type radvd_var_run_t;
+ ')
+
+- allow $1 radvd_t:process { ptrace signal_perms };
++ allow $1 radvd_t:process signal_perms;
+ ps_process_pattern($1, radvd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 radvd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, radvd_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/radvd.te b/radvd.te
+index f9a2162..903be76 100644
+--- a/radvd.te
++++ b/radvd.te
+@@ -43,7 +43,6 @@ kernel_read_network_state(radvd_t)
+ kernel_read_system_state(radvd_t)
+ kernel_request_load_module(radvd_t)
+
+-corenet_all_recvfrom_unlabeled(radvd_t)
+ corenet_all_recvfrom_netlabel(radvd_t)
+ corenet_tcp_sendrecv_generic_if(radvd_t)
+ corenet_udp_sendrecv_generic_if(radvd_t)
+@@ -61,15 +60,12 @@ fs_search_auto_mountpoints(radvd_t)
+
+ domain_use_interactive_fds(radvd_t)
+
+-files_read_etc_files(radvd_t)
+ files_list_usr(radvd_t)
+
+ auth_use_nsswitch(radvd_t)
+
+ logging_send_syslog_msg(radvd_t)
+
+-miscfiles_read_localization(radvd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(radvd_t)
+ userdom_dontaudit_search_user_home_dirs(radvd_t)
+
+diff --git a/raid.fc b/raid.fc
+index ed9c70d..c298507 100644
+--- a/raid.fc
++++ b/raid.fc
+@@ -1,6 +1,14 @@
+-/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
++/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
++/dev/md/.* -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
+
+ /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+ /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+
++/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++
+ /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
+diff --git a/raid.if b/raid.if
+index b1a85b5..db0d815 100644
+--- a/raid.if
++++ b/raid.if
+@@ -47,6 +47,24 @@ interface(`raid_run_mdadm',`
+
+ ########################################
+ ##
++## read the mdadm pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`raid_read_mdadm_pid',`
++ gen_require(`
++ type mdadm_var_run_t;
++ ')
++
++ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
++')
++
++########################################
++##
+ ## Create, read, write, and delete the mdadm pid files.
+ ##
+ ##
+diff --git a/raid.te b/raid.te
+index a8a12b7..a6cbba3 100644
+--- a/raid.te
++++ b/raid.te
+@@ -10,11 +10,9 @@ type mdadm_exec_t;
+ init_daemon_domain(mdadm_t, mdadm_exec_t)
+ role system_r types mdadm_t;
+
+-type mdadm_map_t;
+-files_type(mdadm_map_t)
+-
+-type mdadm_var_run_t;
++type mdadm_var_run_t alias mdadm_map_t;
+ files_pid_file(mdadm_var_run_t)
++dev_associate(mdadm_var_run_t)
+
+ ########################################
+ #
+@@ -23,18 +21,20 @@ files_pid_file(mdadm_var_run_t)
+
+ allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+ dontaudit mdadm_t self:capability sys_tty_config;
+-allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
++allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
+ allow mdadm_t self:fifo_file rw_fifo_file_perms;
++allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+-# create .mdadm files in /dev
+-allow mdadm_t mdadm_map_t:file manage_file_perms;
+-dev_filetrans(mdadm_t, mdadm_map_t, file)
+-
++manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+ manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+-files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
++manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
++manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
++files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
++dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
+
+ kernel_read_system_state(mdadm_t)
+ kernel_read_kernel_sysctls(mdadm_t)
++kernel_request_load_module(mdadm_t)
+ kernel_rw_software_raid_state(mdadm_t)
+ kernel_getattr_core_if(mdadm_t)
+
+@@ -52,15 +52,18 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+ dev_read_realtime_clock(mdadm_t)
+ # unfortunately needed for DMI decoding:
+ dev_read_raw_memory(mdadm_t)
++dev_read_generic_files(mdadm_t)
+
++domain_read_all_domains_state(mdadm_t)
+ domain_use_interactive_fds(mdadm_t)
+
+-files_read_etc_files(mdadm_t)
+ files_read_etc_runtime_files(mdadm_t)
+-files_dontaudit_getattr_all_files(mdadm_t)
++files_dontaudit_getattr_tmpfs_files(mdadm_t)
+
+-fs_search_auto_mountpoints(mdadm_t)
++fs_list_hugetlbfs(mdadm_t)
++fs_list_auto_mountpoints(mdadm_t)
+ fs_dontaudit_list_tmpfs(mdadm_t)
++fs_manage_cgroup_files(mdadm_t)
+
+ mls_file_read_all_levels(mdadm_t)
+ mls_file_write_all_levels(mdadm_t)
+@@ -69,16 +72,17 @@ mls_file_write_all_levels(mdadm_t)
+ storage_manage_fixed_disk(mdadm_t)
+ storage_dev_filetrans_fixed_disk(mdadm_t)
+ storage_read_scsi_generic(mdadm_t)
++storage_write_scsi_generic(mdadm_t)
+
+ term_dontaudit_list_ptys(mdadm_t)
+ term_dontaudit_use_unallocated_ttys(mdadm_t)
+
++auth_use_nsswitch(mdadm_t)
++
+ init_dontaudit_getattr_initctl(mdadm_t)
+
+ logging_send_syslog_msg(mdadm_t)
+
+-miscfiles_read_localization(mdadm_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
+ userdom_dontaudit_search_user_home_content(mdadm_t)
+ userdom_dontaudit_use_user_terminals(mdadm_t)
+@@ -86,6 +90,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
+ mta_send_mail(mdadm_t)
+
+ optional_policy(`
++ cron_system_entry(mdadm_t, mdadm_exec_t)
++')
++
++optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(mdadm_t)
+ ')
+
+diff --git a/razor.fc b/razor.fc
+index 1efba0c..6e26673 100644
+--- a/razor.fc
++++ b/razor.fc
+@@ -1,8 +1,9 @@
+-HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
++#/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
++#HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+
+-/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
++#/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
+
+-/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
++#/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
+
+-/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
+-/var/log/razor-agent\.log -- gen_context(system_u:object_r:razor_log_t,s0)
++#/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
++#/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0)
+diff --git a/razor.if b/razor.if
+index f04a595..fee3b7c 100644
+--- a/razor.if
++++ b/razor.if
+@@ -26,6 +26,7 @@ template(`razor_common_domain_template',`
+ gen_require(`
+ type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
+ ')
++
+ type $1_t;
+ domain_type($1_t)
+ domain_entry_file($1_t, razor_exec_t)
+@@ -46,7 +47,7 @@ template(`razor_common_domain_template',`
+ # Read system config file
+ allow $1_t razor_etc_t:dir list_dir_perms;
+ allow $1_t razor_etc_t:file read_file_perms;
+- allow $1_t razor_etc_t:lnk_file { getattr read };
++ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
+ manage_files_pattern($1_t, razor_log_t, razor_log_t)
+@@ -93,7 +94,6 @@ template(`razor_common_domain_template',`
+
+ libs_read_lib_files($1_t)
+
+- miscfiles_read_localization($1_t)
+
+ sysnet_read_config($1_t)
+ sysnet_dns_name_resolve($1_t)
+@@ -117,6 +117,7 @@ template(`razor_common_domain_template',`
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`razor_role',`
+ gen_require(`
+@@ -130,7 +131,10 @@ interface(`razor_role',`
+
+ # allow ps to show razor and allow the user to kill it
+ ps_process_pattern($2, razor_t)
+- allow $2 razor_t:process signal;
++ allow $2 razor_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 razor_t:process ptrace;
++ ')
+
+ manage_dirs_pattern($2, razor_home_t, razor_home_t)
+ manage_files_pattern($2, razor_home_t, razor_home_t)
+@@ -157,3 +161,43 @@ interface(`razor_domtrans',`
+
+ domtrans_pattern($1, razor_exec_t, razor_t)
+ ')
++
++########################################
++##
++## Create, read, write, and delete razor files
++## in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`razor_manage_user_home_files',`
++ gen_require(`
++ type razor_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, razor_home_t, razor_home_t)
++ read_lnk_files_pattern($1, razor_home_t, razor_home_t)
++')
++
++########################################
++##
++## read razor lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`razor_read_lib_files',`
++ gen_require(`
++ type razor_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
++')
+diff --git a/razor.te b/razor.te
+index 9353d5e..4e15f29 100644
+--- a/razor.te
++++ b/razor.te
+@@ -5,117 +5,124 @@ policy_module(razor, 2.3.0)
+ # Declarations
+ #
+
+-type razor_exec_t;
+-corecmd_executable_file(razor_exec_t)
++ifdef(`distro_redhat',`
++ gen_require(`
++ type spamc_t, spamc_exec_t, spamd_log_t;
++ type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
++ type spamc_home_t, spamc_tmp_t;
++ ')
++
++ typealias spamc_t alias razor_t;
++ typealias spamc_exec_t alias razor_exec_t;
++ typealias spamd_log_t alias razor_log_t;
++ typealias spamd_var_lib_t alias razor_var_lib_t;
++ typealias spamd_etc_t alias razor_etc_t;
++ typealias spamc_home_t alias razor_home_t;
++ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
++ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
++ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
++ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
++',`
++ type razor_exec_t;
++ corecmd_executable_file(razor_exec_t)
++
++ type razor_etc_t;
++ files_config_file(razor_etc_t)
++
++ type razor_home_t;
++ typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
++ typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
++ userdom_user_home_content(razor_home_t)
++
++ type razor_log_t;
++ logging_log_file(razor_log_t)
++
++ type razor_tmp_t;
++ typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
++ typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
++ files_tmp_file(razor_tmp_t)
++ ubac_constrained(razor_tmp_t)
++
++ type razor_var_lib_t;
++ files_type(razor_var_lib_t)
++
++ # these are here due to ordering issues:
++ razor_common_domain_template(razor)
++ typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
++ typealias razor_t alias { auditadm_razor_t secadm_razor_t };
++ ubac_constrained(razor_t)
++
++ razor_common_domain_template(system_razor)
++ role system_r types system_razor_t;
++
++ ########################################
++ #
++ # System razor local policy
++ #
++
++ # this version of razor is invoked typically
++ # via the system spam filter
++
++ allow system_razor_t self:tcp_socket create_socket_perms;
++
++ manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
++ manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
++ manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
++ files_search_etc(system_razor_t)
++
++ allow system_razor_t razor_log_t:file manage_file_perms;
++ logging_log_filetrans(system_razor_t, razor_log_t, file)
++
++ manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
++ files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
++
++ corenet_all_recvfrom_netlabel(system_razor_t)
++ corenet_tcp_sendrecv_generic_if(system_razor_t)
++ corenet_raw_sendrecv_generic_if(system_razor_t)
++ corenet_tcp_sendrecv_generic_node(system_razor_t)
++ corenet_raw_sendrecv_generic_node(system_razor_t)
++ corenet_tcp_sendrecv_razor_port(system_razor_t)
++ corenet_tcp_connect_razor_port(system_razor_t)
++ corenet_sendrecv_razor_client_packets(system_razor_t)
++
++ auth_use_nsswitch(system_razor_t)
++
++ # cjp: this shouldn't be needed
++ userdom_use_unpriv_users_fds(system_razor_t)
++
++ optional_policy(`
++ logging_send_syslog_msg(system_razor_t)
++ ')
++
++ ########################################
++ #
++ # User razor local policy
++ #
++
++ # Allow razor to be run by hand. Needed by any action other than
++ # invocation from a spam filter.
++
++ allow razor_t self:unix_stream_socket create_stream_socket_perms;
++
++ manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
++ manage_files_pattern(razor_t, razor_home_t, razor_home_t)
++ manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
++ userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
++
++ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
++ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
++ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
++
++ auth_use_nsswitch(razor_t)
+
+-type razor_etc_t;
+-files_config_file(razor_etc_t)
++ logging_send_syslog_msg(razor_t)
+
+-type razor_home_t;
+-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+-userdom_user_home_content(razor_home_t)
++ userdom_search_user_home_dirs(razor_t)
++ userdom_use_inherited_user_terminals(razor_t)
+
+-type razor_log_t;
+-logging_log_file(razor_log_t)
++ userdom_home_manager(razor_t)
+
+-type razor_tmp_t;
+-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+-userdom_user_tmp_file(razor_tmp_t)
+-
+-type razor_var_lib_t;
+-files_type(razor_var_lib_t)
+-
+-# these are here due to ordering issues:
+-razor_common_domain_template(razor)
+-typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+-typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+-userdom_user_application_type(razor_t)
+-
+-razor_common_domain_template(system_razor)
+-role system_r types system_razor_t;
+-
+-########################################
+-#
+-# System razor local policy
+-#
+-
+-# this version of razor is invoked typically
+-# via the system spam filter
+-
+-allow system_razor_t self:tcp_socket create_socket_perms;
+-
+-manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+-manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+-manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+-files_search_etc(system_razor_t)
+-
+-allow system_razor_t razor_log_t:file manage_file_perms;
+-logging_log_filetrans(system_razor_t, razor_log_t, file)
+-
+-manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+-files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
+-
+-corenet_all_recvfrom_unlabeled(system_razor_t)
+-corenet_all_recvfrom_netlabel(system_razor_t)
+-corenet_tcp_sendrecv_generic_if(system_razor_t)
+-corenet_raw_sendrecv_generic_if(system_razor_t)
+-corenet_tcp_sendrecv_generic_node(system_razor_t)
+-corenet_raw_sendrecv_generic_node(system_razor_t)
+-corenet_tcp_sendrecv_razor_port(system_razor_t)
+-corenet_tcp_connect_razor_port(system_razor_t)
+-corenet_sendrecv_razor_client_packets(system_razor_t)
+-
+-sysnet_read_config(system_razor_t)
+-
+-# cjp: this shouldn't be needed
+-userdom_use_unpriv_users_fds(system_razor_t)
+-
+-optional_policy(`
+- logging_send_syslog_msg(system_razor_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(system_razor_t)
+-')
+-
+-########################################
+-#
+-# User razor local policy
+-#
+-
+-# Allow razor to be run by hand. Needed by any action other than
+-# invocation from a spam filter.
+-
+-allow razor_t self:unix_stream_socket create_stream_socket_perms;
+-
+-manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+-manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+-manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+-
+-manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+-manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+-files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+-
+-logging_send_syslog_msg(razor_t)
+-
+-userdom_search_user_home_dirs(razor_t)
+-userdom_use_user_terminals(razor_t)
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(razor_t)
+- fs_manage_nfs_files(razor_t)
+- fs_manage_nfs_symlinks(razor_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(razor_t)
+- fs_manage_cifs_files(razor_t)
+- fs_manage_cifs_symlinks(razor_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(razor_t)
++ optional_policy(`
++ milter_manage_spamass_state(razor_t)
++ ')
+ ')
+diff --git a/rdisc.fc b/rdisc.fc
+index dee4adc..a7e4bc7 100644
+--- a/rdisc.fc
++++ b/rdisc.fc
+@@ -1,2 +1,4 @@
+
+ /sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
++
++/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
+diff --git a/rdisc.te b/rdisc.te
+index 0f07685..1b75760 100644
+--- a/rdisc.te
++++ b/rdisc.te
+@@ -25,7 +25,6 @@ kernel_list_proc(rdisc_t)
+ kernel_read_proc_symlinks(rdisc_t)
+ kernel_read_kernel_sysctls(rdisc_t)
+
+-corenet_all_recvfrom_unlabeled(rdisc_t)
+ corenet_all_recvfrom_netlabel(rdisc_t)
+ corenet_udp_sendrecv_generic_if(rdisc_t)
+ corenet_raw_sendrecv_generic_if(rdisc_t)
+@@ -43,8 +42,6 @@ files_read_etc_files(rdisc_t)
+
+ logging_send_syslog_msg(rdisc_t)
+
+-miscfiles_read_localization(rdisc_t)
+-
+ sysnet_read_config(rdisc_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
+diff --git a/readahead.fc b/readahead.fc
+index 7077413..0428aee 100644
+--- a/readahead.fc
++++ b/readahead.fc
+@@ -1,3 +1,10 @@
+-/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
++/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
++
+ /sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
++/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
++
++/usr/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
++
+ /var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
++
++/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
+diff --git a/readahead.if b/readahead.if
+index 47c4723..64c8889 100644
+--- a/readahead.if
++++ b/readahead.if
+@@ -1 +1,44 @@
+ ## Readahead, read files into page cache for improved performance
++
++########################################
++##
++## Transition to the readahead domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`readahead_domtrans',`
++ gen_require(`
++ type readahead_t, readahead_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, readahead_exec_t, readahead_t)
++')
++
++########################################
++##
++## Manage readahead var_run files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`readahead_manage_pid_files',`
++ gen_require(`
++ type readahead_var_run_t;
++ ')
++
++ manage_dirs_pattern($1, readahead_var_run_t, readahead_var_run_t)
++ manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
++ dev_filetrans($1, readahead_var_run_t, { dir file })
++ init_pid_filetrans($1, readahead_var_run_t, { dir file })
++ files_search_pids($1)
++ init_search_pid_dirs($1)
++')
++
+diff --git a/readahead.te b/readahead.te
+index b4ac57e..e384d8e 100644
+--- a/readahead.te
++++ b/readahead.te
+@@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
+
+ type readahead_var_run_t;
+ files_pid_file(readahead_var_run_t)
++dev_associate(readahead_var_run_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+-allow readahead_t self:capability { fowner dac_override dac_read_search };
++allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search };
+ dontaudit readahead_t self:capability { net_admin sys_tty_config };
+ allow readahead_t self:process { setsched signal_perms };
+
+@@ -31,13 +32,19 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
+ files_search_var_lib(readahead_t)
+
+ manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
+-files_pid_filetrans(readahead_t, readahead_var_run_t, file)
++manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
++files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
++dev_filetrans(readahead_t, readahead_var_run_t, { dir file })
++init_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
+
+ kernel_read_all_sysctls(readahead_t)
+ kernel_read_system_state(readahead_t)
+ kernel_dontaudit_getattr_core_if(readahead_t)
++kernel_list_all_proc(readahead_t)
+
+-dev_read_sysfs(readahead_t)
++dev_rw_sysfs(readahead_t)
++dev_read_kmsg(readahead_t)
++dev_write_kmsg(readahead_t)
+ dev_getattr_generic_chr_files(readahead_t)
+ dev_getattr_generic_blk_files(readahead_t)
+ dev_getattr_all_chr_files(readahead_t)
+@@ -53,10 +60,19 @@ domain_read_all_domains_state(readahead_t)
+
+ files_list_non_security(readahead_t)
+ files_read_non_security_files(readahead_t)
++files_dontaudit_read_security_files(readahead_t)
+ files_create_boot_flag(readahead_t)
++files_delete_root_files(readahead_t)
+ files_getattr_all_pipes(readahead_t)
+ files_dontaudit_getattr_all_sockets(readahead_t)
+ files_dontaudit_getattr_non_security_blk_files(readahead_t)
++files_dontaudit_all_access_check(readahead_t)
++
++ifdef(`hide_broken_symptoms', `
++ files_dontaudit_write_all_files(readahead_t)
++ dev_dontaudit_write_all_chr_files(readahead_t)
++ dev_dontaudit_write_all_blk_files(readahead_t)
++')
+
+ fs_getattr_all_fs(readahead_t)
+ fs_search_auto_mountpoints(readahead_t)
+@@ -66,12 +82,14 @@ fs_read_cgroup_files(readahead_t)
+ fs_read_tmpfs_files(readahead_t)
+ fs_read_tmpfs_symlinks(readahead_t)
+ fs_list_inotifyfs(readahead_t)
++fs_dontaudit_read_tmpfs_blk_dev(readahead_t)
+ fs_dontaudit_search_ramfs(readahead_t)
+ fs_dontaudit_read_ramfs_pipes(readahead_t)
+ fs_dontaudit_read_ramfs_files(readahead_t)
+ fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
+
+ mls_file_read_all_levels(readahead_t)
++mcs_file_read_all(readahead_t)
+
+ storage_raw_read_fixed_disk(readahead_t)
+
+@@ -82,13 +100,13 @@ auth_dontaudit_read_shadow(readahead_t)
+ init_use_fds(readahead_t)
+ init_use_script_ptys(readahead_t)
+ init_getattr_initctl(readahead_t)
++# needs to write to /run/systemd/notify
++init_write_pid_socket(readahead_t)
+
+ logging_send_syslog_msg(readahead_t)
+ logging_set_audit_parameters(readahead_t)
+ logging_dontaudit_search_audit_config(readahead_t)
+
+-miscfiles_read_localization(readahead_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(readahead_t)
+ userdom_dontaudit_search_user_home_dirs(readahead_t)
+
+diff --git a/realmd.fc b/realmd.fc
+new file mode 100644
+index 0000000..3c24ce4
+--- /dev/null
++++ b/realmd.fc
+@@ -0,0 +1 @@
++/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
+diff --git a/realmd.if b/realmd.if
+new file mode 100644
+index 0000000..e38693b
+--- /dev/null
++++ b/realmd.if
+@@ -0,0 +1,42 @@
++
++## dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA
++
++########################################
++##
++## Execute realmd in the realmd_t domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`realmd_domtrans',`
++ gen_require(`
++ type realmd_t, realmd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, realmd_exec_t, realmd_t)
++')
++
++########################################
++##
++## Send and receive messages from
++## realmd over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`realmd_dbus_chat',`
++ gen_require(`
++ type realmd_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 realmd_t:dbus send_msg;
++ allow realmd_t $1:dbus send_msg;
++')
+diff --git a/realmd.te b/realmd.te
+new file mode 100644
+index 0000000..c994751
+--- /dev/null
++++ b/realmd.te
+@@ -0,0 +1,103 @@
++policy_module(realmd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type realmd_t;
++type realmd_exec_t;
++application_domain(realmd_t, realmd_exec_t)
++role system_r types realmd_t;
++
++########################################
++#
++# realmd local policy
++#
++
++allow realmd_t self:capability sys_nice;
++allow realmd_t self:process setsched;
++
++kernel_read_system_state(realmd_t)
++
++corecmd_exec_bin(realmd_t)
++corecmd_exec_shell(realmd_t)
++
++corenet_tcp_connect_http_port(realmd_t)
++
++domain_use_interactive_fds(realmd_t)
++
++dev_read_rand(realmd_t)
++dev_read_urand(realmd_t)
++
++files_read_etc_files(realmd_t)
++files_read_usr_files(realmd_t)
++
++fs_getattr_all_fs(realmd_t)
++
++auth_use_nsswitch(realmd_t)
++
++logging_send_syslog_msg(realmd_t)
++
++sysnet_dns_name_resolve(realmd_t)
++systemd_exec_systemctl(realmd_t)
++
++#userdom_admin_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
++#userdom_user_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
++
++optional_policy(`
++ authconfig_domtrans(realmd_t)
++')
++
++optional_policy(`
++ dbus_system_domain(realmd_t, realmd_exec_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(realmd_t)
++ ')
++
++ optional_policy(`
++ policykit_dbus_chat(realmd_t)
++ ')
++')
++
++optional_policy(`
++ hostname_exec(realmd_t)
++')
++
++optional_policy(`
++ kerberos_use(realmd_t)
++ kerberos_rw_keytab(realmd_t)
++')
++
++optional_policy(`
++ nis_exec_ypbind(realmd_t)
++ nis_systemctl_ypbind(realmd_t)
++')
++
++optional_policy(`
++ gnome_read_config(realmd_t)
++ gnome_read_generic_cache_files(realmd_t)
++ gnome_write_generic_cache_files(realmd_t)
++ gnome_manage_cache_home_dir(realmd_t)
++
++')
++
++optional_policy(`
++ samba_domtrans_net(realmd_t)
++ samba_manage_config(realmd_t)
++ samba_getattr_winbind(realmd_t)
++')
++
++optional_policy(`
++ sssd_getattr_exec(realmd_t)
++ sssd_manage_config(realmd_t)
++ sssd_manage_lib_files(realmd_t)
++ sssd_manage_public_files(realmd_t)
++ sssd_read_pid_files(realmd_t)
++ sssd_systemctl(realmd_t)
++')
++
++optional_policy(`
++ xserver_read_state_xdm(realmd_t)
++')
+diff --git a/remotelogin.te b/remotelogin.te
+index 0a76027..18f59a7 100644
+--- a/remotelogin.te
++++ b/remotelogin.te
+@@ -10,9 +10,6 @@ domain_interactive_fd(remote_login_t)
+ auth_login_pgm_domain(remote_login_t)
+ auth_login_entry_type(remote_login_t)
+
+-type remote_login_tmp_t;
+-files_tmp_file(remote_login_tmp_t)
+-
+ ########################################
+ #
+ # Remote login remote policy
+@@ -34,10 +31,6 @@ allow remote_login_t self:msgq create_msgq_perms;
+ allow remote_login_t self:msg { send receive };
+ allow remote_login_t self:key write;
+
+-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
+-
+ kernel_read_system_state(remote_login_t)
+ kernel_read_kernel_sysctls(remote_login_t)
+
+@@ -49,6 +42,8 @@ fs_getattr_xattr_fs(remote_login_t)
+ fs_search_auto_mountpoints(remote_login_t)
+
+ term_relabel_all_ptys(remote_login_t)
++term_use_all_ptys(remote_login_t)
++term_setattr_all_ptys(remote_login_t)
+
+ auth_rw_login_records(remote_login_t)
+ auth_rw_faillog(remote_login_t)
+@@ -64,7 +59,6 @@ corecmd_read_bin_sockets(remote_login_t)
+
+ domain_read_all_entry_files(remote_login_t)
+
+-files_read_etc_files(remote_login_t)
+ files_read_etc_runtime_files(remote_login_t)
+ files_list_home(remote_login_t)
+ files_read_usr_files(remote_login_t)
+@@ -77,9 +71,8 @@ files_list_mnt(remote_login_t)
+ # for when /var/mail is a sym-link
+ files_read_var_symlinks(remote_login_t)
+
+-sysnet_dns_name_resolve(remote_login_t)
++auth_use_nsswitch(remote_login_t)
+
+-miscfiles_read_localization(remote_login_t)
+
+ userdom_use_unpriv_users_fds(remote_login_t)
+ userdom_search_user_home_content(remote_login_t)
+@@ -87,34 +80,28 @@ userdom_search_user_home_content(remote_login_t)
+ # since very weak authentication is used.
+ userdom_signal_unpriv_users(remote_login_t)
+ userdom_spec_domtrans_unpriv_users(remote_login_t)
++userdom_use_user_ptys(remote_login_t)
+
+-# Search for mail spool file.
+-mta_getattr_spool(remote_login_t)
++userdom_manage_user_tmp_dirs(remote_login_t)
++userdom_manage_user_tmp_files(remote_login_t)
++userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(remote_login_t)
+- fs_read_nfs_symlinks(remote_login_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(remote_login_t)
+- fs_read_cifs_symlinks(remote_login_t)
+-')
++userdom_home_reader(remote_login_t)
+
+ optional_policy(`
+ alsa_domtrans(remote_login_t)
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(remote_login_t)
++ # Search for mail spool file.
++ mta_getattr_spool(remote_login_t)
+ ')
+
+ optional_policy(`
+- nscd_socket_use(remote_login_t)
++ telnet_use_ptys(remote_login_t)
+ ')
+
+ optional_policy(`
+- unconfined_domain(remote_login_t)
+ unconfined_shell_domtrans(remote_login_t)
+ ')
+
+diff --git a/resmgr.fc b/resmgr.fc
+index af810b9..a888eb9 100644
+--- a/resmgr.fc
++++ b/resmgr.fc
+@@ -2,6 +2,7 @@
+ /etc/resmgr\.conf -- gen_context(system_u:object_r:resmgrd_etc_t,s0)
+
+ /sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
++/usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
+
+ /var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+ /var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+diff --git a/resmgr.if b/resmgr.if
+index d457736..eabdd78 100644
+--- a/resmgr.if
++++ b/resmgr.if
+@@ -16,7 +16,6 @@ interface(`resmgr_stream_connect',`
+ type resmgrd_var_run_t, resmgrd_t;
+ ')
+
+- allow $1 resmgrd_t:unix_stream_socket connectto;
+- allow $1 resmgrd_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
++ stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)
+ ')
+diff --git a/resmgr.te b/resmgr.te
+index bf5efbf..b38b22d 100644
+--- a/resmgr.te
++++ b/resmgr.te
+@@ -53,8 +53,6 @@ storage_raw_write_removable_device(resmgrd_t)
+
+ logging_send_syslog_msg(resmgrd_t)
+
+-miscfiles_read_localization(resmgrd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
+
+ optional_policy(`
+diff --git a/rgmanager.fc b/rgmanager.fc
+index 3c97ef0..91e69b8 100644
+--- a/rgmanager.fc
++++ b/rgmanager.fc
+@@ -1,7 +1,22 @@
++/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
++
++/usr/sbin/cpglockd -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+ /usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+
+-/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
++/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
++/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
++
++/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
++/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
++/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
++
++/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
++/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+
+ /var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
++/var/run/cpglockd\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
++/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+ /var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+diff --git a/rgmanager.if b/rgmanager.if
+index 7dc38d1..5bd6fdb 100644
+--- a/rgmanager.if
++++ b/rgmanager.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run rgmanager.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`rgmanager_domtrans',`
+@@ -21,7 +21,7 @@ interface(`rgmanager_domtrans',`
+
+ ########################################
+ ##
+-## Connect to rgmanager over an unix stream socket.
++## Connect to rgmanager over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -75,3 +75,91 @@ interface(`rgmanager_manage_tmpfs_files',`
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+ ')
++
++#######################################
++##
++## Allow read and write access to rgmanager semaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rgmanager_rw_semaphores',`
++ gen_require(`
++ type rgmanager_t;
++ ')
++
++ allow $1 rgmanager_t:sem rw_sem_perms;
++')
++
++######################################
++##
++## All of the rules required to administrate
++## an rgmanager environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the rgmanager domain.
++##
++##
++##
++#
++interface(`rgmanager_admin',`
++ gen_require(`
++ type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t;
++ type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
++ ')
++
++ allow $1 rgmanager_t:process signal_perms;
++ ps_process_pattern($1, rgmanager_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 rgmanager_t:process ptrace;
++ ')
++
++ init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 rgmanager_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_tmp($1)
++ admin_pattern($1, rgmanager_tmp_t)
++
++ admin_pattern($1, rgmanager_tmpfs_t)
++
++ logging_list_logs($1)
++ admin_pattern($1, rgmanager_var_log_t)
++
++ files_list_pids($1)
++ admin_pattern($1, rgmanager_var_run_t)
++')
++
++
++######################################
++##
++## Allow the specified domain to manage rgmanager's lib/run files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rgmanager_manage_files',`
++ gen_require(`
++ type rgmanager_var_lib_t;
++ type rgmanager_var_run_t;
++ ')
++
++ files_list_var_lib($1)
++ admin_pattern($1, rgmanager_var_lib_t)
++
++ files_list_pids($1)
++ admin_pattern($1, rgmanager_var_run_t)
++')
+diff --git a/rgmanager.te b/rgmanager.te
+index 3786c45..1ad9c12 100644
+--- a/rgmanager.te
++++ b/rgmanager.te
+@@ -14,15 +14,20 @@ gen_tunable(rgmanager_can_network_connect, false)
+
+ type rgmanager_t;
+ type rgmanager_exec_t;
+-domain_type(rgmanager_t)
+ init_daemon_domain(rgmanager_t, rgmanager_exec_t)
+
++type rgmanager_initrc_exec_t;
++init_script_file(rgmanager_initrc_exec_t)
++
+ type rgmanager_tmp_t;
+ files_tmp_file(rgmanager_tmp_t)
+
+ type rgmanager_tmpfs_t;
+ files_tmpfs_file(rgmanager_tmpfs_t)
+
++type rgmanager_var_lib_t;
++files_type(rgmanager_var_lib_t)
++
+ type rgmanager_var_log_t;
+ logging_log_file(rgmanager_var_log_t)
+
+@@ -35,9 +40,7 @@ files_pid_file(rgmanager_var_run_t)
+ #
+
+ allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+-dontaudit rgmanager_t self:capability { sys_ptrace };
+ allow rgmanager_t self:process { setsched signal };
+-dontaudit rgmanager_t self:process { ptrace };
+
+ allow rgmanager_t self:fifo_file rw_fifo_file_perms;
+ allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
+@@ -52,14 +55,27 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+ manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
+
++# var/lib files
++# # needed by hearbeat
++can_exec(rgmanager_t, rgmanager_var_lib_t)
++manage_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
++manage_dirs_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
++manage_sock_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
++manage_fifo_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
++files_var_lib_filetrans(rgmanager_t,rgmanager_var_lib_t, { file dir fifo_file sock_file })
++
++
+ manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
+ logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
+
++manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+ manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+ manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+-files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
++files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir })
+
++kernel_kill(rgmanager_t)
+ kernel_read_kernel_sysctls(rgmanager_t)
++kernel_read_rpc_sysctls(rgmanager_t)
+ kernel_read_system_state(rgmanager_t)
+ kernel_rw_rpc_sysctls(rgmanager_t)
+ kernel_search_debugfs(rgmanager_t)
+@@ -67,7 +83,6 @@ kernel_search_network_state(rgmanager_t)
+
+ corecmd_exec_bin(rgmanager_t)
+ corecmd_exec_shell(rgmanager_t)
+-consoletype_exec(rgmanager_t)
+
+ # need to write to /dev/misc/dlm-control
+ dev_rw_dlm_control(rgmanager_t)
+@@ -76,31 +91,35 @@ dev_search_sysfs(rgmanager_t)
+
+ domain_read_all_domains_state(rgmanager_t)
+ domain_getattr_all_domains(rgmanager_t)
+-domain_dontaudit_ptrace_all_domains(rgmanager_t)
+
+-files_list_all(rgmanager_t)
++files_create_var_run_dirs(rgmanager_t)
+ files_getattr_all_symlinks(rgmanager_t)
++files_list_all(rgmanager_t)
+ files_manage_mnt_dirs(rgmanager_t)
++files_manage_mnt_files(rgmanager_t)
++files_manage_mnt_symlinks(rgmanager_t)
++files_manage_isid_type_files(rgmanager_t)
+ files_manage_isid_type_dirs(rgmanager_t)
+
+ fs_getattr_xattr_fs(rgmanager_t)
+ fs_getattr_all_fs(rgmanager_t)
+
++storage_raw_read_fixed_disk(rgmanager_t)
+ storage_getattr_fixed_disk_dev(rgmanager_t)
+
+ term_getattr_pty_fs(rgmanager_t)
+-#term_use_ptmx(rgmanager_t)
+
+ # needed by resources scripts
+-files_read_non_auth_files(rgmanager_t)
++files_read_non_security_files(rgmanager_t)
+ auth_dontaudit_getattr_shadow(rgmanager_t)
+ auth_use_nsswitch(rgmanager_t)
+
+-logging_send_syslog_msg(rgmanager_t)
++init_domtrans_script(rgmanager_t)
++init_initrc_domain(rgmanager_t)
+
+-miscfiles_read_localization(rgmanager_t)
++logging_send_syslog_msg(rgmanager_t)
+
+-mount_domtrans(rgmanager_t)
++userdom_kill_all_users(rgmanager_t)
+
+ tunable_policy(`rgmanager_can_network_connect',`
+ corenet_tcp_connect_all_ports(rgmanager_t)
+@@ -118,6 +137,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ consoletype_exec(rgmanager_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(rgmanager_t)
++')
++
++optional_policy(`
+ fstools_domtrans(rgmanager_t)
+ ')
+
+@@ -140,6 +167,16 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ ldap_initrc_domtrans(rgmanager_t)
++ ldap_systemctl(rgmanager_t)
++ ldap_domtrans(rgmanager_t)
++')
++
++optional_policy(`
++ mount_domtrans(rgmanager_t)
++')
++
++optional_policy(`
+ mysql_domtrans_mysql_safe(rgmanager_t)
+ mysql_stream_connect(rgmanager_t)
+ ')
+@@ -165,6 +202,8 @@ optional_policy(`
+ optional_policy(`
+ rpc_initrc_domtrans_nfsd(rgmanager_t)
+ rpc_initrc_domtrans_rpcd(rgmanager_t)
++ rpc_systemctl_nfsd(rgmanager_t)
++ rpc_systemctl_rpcd(rgmanager_t)
+
+ rpc_domtrans_nfsd(rgmanager_t)
+ rpc_domtrans_rpcd(rgmanager_t)
+diff --git a/rhcs.fc b/rhcs.fc
+index c2ba53b..977f2eb 100644
+--- a/rhcs.fc
++++ b/rhcs.fc
+@@ -1,22 +1,30 @@
+ /usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+ /usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+ /usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0)
+ /usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
++/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
+ /usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+ /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+
+ /var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+
++/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+ /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+
++/var/log/cluster/.*\.*log <>
+ /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+ /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+ /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
+ /var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
++/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+
+ /var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+ /var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+-/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
++/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0)
+ /var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+ /var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+ /var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+diff --git a/rhcs.if b/rhcs.if
+index de37806..aee7ba7 100644
+--- a/rhcs.if
++++ b/rhcs.if
+@@ -13,7 +13,7 @@
+ #
+ template(`rhcs_domain_template',`
+ gen_require(`
+- attribute cluster_domain;
++ attribute cluster_domain, cluster_tmpfs, cluster_pid;
+ ')
+
+ ##############################
+@@ -25,13 +25,13 @@ template(`rhcs_domain_template',`
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+- type $1_tmpfs_t;
++ type $1_tmpfs_t, cluster_tmpfs;
+ files_tmpfs_file($1_tmpfs_t)
+
+ type $1_var_log_t;
+ logging_log_file($1_var_log_t)
+
+- type $1_var_run_t;
++ type $1_var_run_t, cluster_pid;
+ files_pid_file($1_var_run_t)
+
+ ##############################
+@@ -43,15 +43,20 @@ template(`rhcs_domain_template',`
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
+
++ manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+- logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })
++ logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
+
++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+- files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
++ files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
++
++ auth_use_nsswitch($1_t)
+
++ logging_send_syslog_msg($1_t)
+ ')
+
+ ######################################
+@@ -59,9 +64,9 @@ template(`rhcs_domain_template',`
+ ## Execute a domain transition to run dlm_controld.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`rhcs_domtrans_dlm_controld',`
+@@ -133,6 +138,24 @@ interface(`rhcs_domtrans_fenced',`
+ domtrans_pattern($1, fenced_exec_t, fenced_t)
+ ')
+
++#####################################
++##
++## Allow a domain to getattr on fenced executable.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rhcs_getattr_fenced',`
++ gen_require(`
++ type fenced_t, fenced_exec_t;
++ ')
++
++ allow $1 fenced_exec_t:file getattr;
++')
++
+ ######################################
+ ##
+ ## Allow read and write access to fenced semaphores.
+@@ -156,7 +179,26 @@ interface(`rhcs_rw_fenced_semaphores',`
+
+ ######################################
+ ##
+-## Connect to fenced over an unix domain stream socket.
++## Read fenced PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhcs_read_fenced_pid_files',`
++ gen_require(`
++ type fenced_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, fenced_var_run_t, fenced_var_run_t)
++')
++
++######################################
++##
++## Connect to fenced over a unix domain stream socket.
+ ##
+ ##
+ ##
+@@ -169,9 +211,8 @@ interface(`rhcs_stream_connect_fenced',`
+ type fenced_var_run_t, fenced_t;
+ ')
+
+- allow $1 fenced_t:unix_stream_socket connectto;
+- allow $1 fenced_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
++ stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
+ ')
+
+ #####################################
+@@ -237,7 +278,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
+
+ #####################################
+ ##
+-## Connect to gfs_controld_t over an unix domain stream socket.
++## Connect to gfs_controld_t over a unix domain stream socket.
+ ##
+ ##
+ ##
+@@ -335,6 +376,65 @@ interface(`rhcs_rw_groupd_shm',`
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+ ')
+
++########################################
++##
++## Read and write to group shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhcs_rw_cluster_shm',`
++ gen_require(`
++ attribute cluster_domain, cluster_tmpfs;
++ ')
++
++ allow $1 cluster_domain:shm { rw_shm_perms destroy };
++
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
++')
++
++####################################
++##
++## Read and write access to cluster domains semaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhcs_rw_cluster_semaphores',`
++ gen_require(`
++ attribute cluster_domain;
++ ')
++
++ allow $1 cluster_domain:sem { rw_sem_perms destroy };
++')
++
++####################################
++##
++## Connect to cluster domains over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhcs_stream_connect_cluster',`
++ gen_require(`
++ attribute cluster_domain, cluster_pid;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
++')
++
+ ######################################
+ ##
+ ## Execute a domain transition to run qdiskd.
+@@ -353,3 +453,80 @@ interface(`rhcs_domtrans_qdiskd',`
+ corecmd_search_bin($1)
+ domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
+ ')
++
++########################################
++##
++## Allow domain to read qdiskd tmpfs files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhcs_read_qdiskd_tmpfs_files',`
++ gen_require(`
++ type qdiskd_tmpfs_t;
++ ')
++
++ fs_search_tmpfs($1)
++ allow $1 qdiskd_tmpfs_t:file read_file_perms;
++')
++
++######################################
++##
++## Allow domain to read cluster lib files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhcs_read_cluster_lib_files',`
++ gen_require(`
++ type cluster_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++')
++
++#####################################
++##
++## Allow domain to manage cluster lib files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhcs_manage_cluster_lib_files',`
++ gen_require(`
++ type cluster_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++')
++
++####################################
++##
++## Allow domain to relabel cluster lib files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhcs_relabel_cluster_lib_files',`
++ gen_require(`
++ type cluster_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++')
+diff --git a/rhcs.te b/rhcs.te
+index 93c896a..8aa7362 100644
+--- a/rhcs.te
++++ b/rhcs.te
+@@ -12,7 +12,16 @@ policy_module(rhcs, 1.1.0)
+ ##
+ gen_tunable(fenced_can_network_connect, false)
+
++##
++##
++## Allow fenced domain to execute ssh.
++##
++##
++gen_tunable(fenced_can_ssh, false)
++
+ attribute cluster_domain;
++attribute cluster_tmpfs;
++attribute cluster_pid;
+
+ rhcs_domain_template(dlm_controld)
+
+@@ -24,6 +33,8 @@ files_lock_file(fenced_lock_t)
+ type fenced_tmp_t;
+ files_tmp_file(fenced_tmp_t)
+
++rhcs_domain_template(foghorn)
++
+ rhcs_domain_template(gfs_controld)
+
+ rhcs_domain_template(groupd)
+@@ -33,6 +44,10 @@ rhcs_domain_template(qdiskd)
+ type qdiskd_var_lib_t;
+ files_type(qdiskd_var_lib_t)
+
++# type for cluster lib files
++type cluster_var_lib_t;
++files_type(cluster_var_lib_t)
++
+ #####################################
+ #
+ # dlm_controld local policy
+@@ -46,6 +61,9 @@ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fence
+ stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+ kernel_read_system_state(dlm_controld_t)
++kernel_rw_net_sysctls(dlm_controld_t)
++
++corecmd_exec_bin(dlm_controld_t)
+
+ dev_rw_dlm_control(dlm_controld_t)
+ dev_rw_sysfs(dlm_controld_t)
+@@ -56,7 +74,7 @@ fs_manage_configfs_dirs(dlm_controld_t)
+ init_rw_script_tmp_files(dlm_controld_t)
+
+ optional_policy(`
+- ccs_stream_connect(dlm_controld_t)
++ corosync_rw_tmpfs(dlm_controld_t)
+ ')
+
+ #######################################
+@@ -65,10 +83,11 @@ optional_policy(`
+ #
+
+ allow fenced_t self:capability { sys_rawio sys_resource };
+-allow fenced_t self:process getsched;
++allow fenced_t self:process { getsched signal_perms };
+
+ allow fenced_t self:tcp_socket create_stream_socket_perms;
+ allow fenced_t self:udp_socket create_socket_perms;
++allow fenced_t self:unix_stream_socket connectto;
+
+ can_exec(fenced_t, fenced_exec_t)
+
+@@ -82,13 +101,23 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+
+ stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
++kernel_read_system_state(fenced_t)
++kernel_read_network_state(fenced_t)
++
+ corecmd_exec_bin(fenced_t)
++corecmd_exec_shell(fenced_t)
+
++corenet_udp_bind_ionixnetmon_port(fenced_t)
++corenet_tcp_bind_zented_port(fenced_t)
++corenet_udp_bind_zented_port(fenced_t)
+ corenet_tcp_connect_http_port(fenced_t)
++corenet_tcp_connect_zented_port(fenced_t)
+
+ dev_read_sysfs(fenced_t)
+ dev_read_urand(fenced_t)
++dev_read_rand(fenced_t)
+
++files_read_usr_files(fenced_t)
+ files_read_usr_symlinks(fenced_t)
+
+ storage_raw_read_fixed_disk(fenced_t)
+@@ -97,16 +126,37 @@ storage_raw_read_removable_device(fenced_t)
+
+ term_getattr_pty_fs(fenced_t)
+ term_use_ptmx(fenced_t)
+-
+-auth_use_nsswitch(fenced_t)
++term_use_generic_ptys(fenced_t)
+
+ tunable_policy(`fenced_can_network_connect',`
+ corenet_tcp_connect_all_ports(fenced_t)
+ ')
+
+ optional_policy(`
++ tunable_policy(`fenced_can_ssh',`
++
++ allow fenced_t self:capability { setuid setgid };
++
++ corenet_tcp_connect_ssh_port(fenced_t)
++ ')
++')
++
++optional_policy(`
++ ssh_exec(fenced_t)
++ ssh_read_user_home_files(fenced_t)
++ ')
++
++# needed by fence_scsi
++optional_policy(`
++ corosync_exec(fenced_t)
++')
++
++optional_policy(`
+ ccs_read_config(fenced_t)
+- ccs_stream_connect(fenced_t)
++')
++
++optional_policy(`
++ gnome_read_generic_data_home_files(fenced_t)
+ ')
+
+ optional_policy(`
+@@ -114,13 +164,52 @@ optional_policy(`
+ lvm_read_config(fenced_t)
+ ')
+
++optional_policy(`
++ snmp_manage_var_lib_files(fenced_t)
++ snmp_manage_var_lib_dirs(fenced_t)
++')
++
++optional_policy(`
++ virt_domtrans(fenced_t)
++ virt_read_config(fenced_t)
++ virt_read_pid_files(fenced_t)
++ virt_stream_connect(fenced_t)
++')
++
++#######################################
++#
++# foghorn local policy
++#
++
++allow foghorn_t self:process { signal };
++allow foghorn_t self:tcp_socket create_stream_socket_perms;
++allow foghorn_t self:udp_socket create_socket_perms;
++
++corenet_tcp_connect_agentx_port(foghorn_t)
++
++dev_read_urand(foghorn_t)
++
++files_read_etc_files(foghorn_t)
++files_read_usr_files(foghorn_t)
++
++sysnet_dns_name_resolve(foghorn_t)
++
++optional_policy(`
++ dbus_connect_system_bus(foghorn_t)
++')
++
++optional_policy(`
++ snmp_read_snmp_var_lib_files(foghorn_t)
++ snmp_dontaudit_write_snmp_var_lib_files(foghorn_t)
++ snmp_stream_connect(foghorn_t)
++')
++
+ ######################################
+ #
+ # gfs_controld local policy
+ #
+
+ allow gfs_controld_t self:capability { net_admin sys_resource };
+-
+ allow gfs_controld_t self:shm create_shm_perms;
+ allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+@@ -139,10 +228,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+ init_rw_script_tmp_files(gfs_controld_t)
+
+ optional_policy(`
+- ccs_stream_connect(gfs_controld_t)
+-')
+-
+-optional_policy(`
+ lvm_exec(gfs_controld_t)
+ dev_rw_lvm_control(gfs_controld_t)
+ ')
+@@ -154,12 +239,12 @@ optional_policy(`
+
+ allow groupd_t self:capability { sys_nice sys_resource };
+ allow groupd_t self:process setsched;
+-
+ allow groupd_t self:shm create_shm_perms;
+
++domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
++
+ dev_list_sysfs(groupd_t)
+
+-files_read_etc_files(groupd_t)
+
+ init_rw_script_tmp_files(groupd_t)
+
+@@ -168,8 +253,7 @@ init_rw_script_tmp_files(groupd_t)
+ # qdiskd local policy
+ #
+
+-allow qdiskd_t self:capability ipc_lock;
+-
++allow qdiskd_t self:capability { ipc_lock sys_boot };
+ allow qdiskd_t self:tcp_socket create_stream_socket_perms;
+ allow qdiskd_t self:udp_socket create_socket_perms;
+
+@@ -182,7 +266,7 @@ kernel_read_system_state(qdiskd_t)
+ kernel_read_software_raid_state(qdiskd_t)
+ kernel_getattr_core_if(qdiskd_t)
+
+-corecmd_getattr_bin_files(qdiskd_t)
++corecmd_exec_bin(qdiskd_t)
+ corecmd_exec_shell(qdiskd_t)
+
+ dev_read_sysfs(qdiskd_t)
+@@ -197,19 +281,16 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t)
+
+ files_dontaudit_getattr_all_sockets(qdiskd_t)
+ files_dontaudit_getattr_all_pipes(qdiskd_t)
+-files_read_etc_files(qdiskd_t)
++
++files_read_usr_files(qdiskd_t)
++
++fs_list_hugetlbfs(qdiskd_t)
+
+ storage_raw_read_removable_device(qdiskd_t)
+ storage_raw_write_removable_device(qdiskd_t)
+ storage_raw_read_fixed_disk(qdiskd_t)
+ storage_raw_write_fixed_disk(qdiskd_t)
+
+-auth_use_nsswitch(qdiskd_t)
+-
+-optional_policy(`
+- ccs_stream_connect(qdiskd_t)
+-')
+-
+ optional_policy(`
+ netutils_domtrans_ping(qdiskd_t)
+ ')
+@@ -223,18 +304,24 @@ optional_policy(`
+ # rhcs domains common policy
+ #
+
+-allow cluster_domain self:capability { sys_nice };
++allow cluster_domain self:capability sys_nice;
+ allow cluster_domain self:process setsched;
+-
+ allow cluster_domain self:sem create_sem_perms;
+ allow cluster_domain self:fifo_file rw_fifo_file_perms;
+ allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
+ allow cluster_domain self:unix_dgram_socket create_socket_perms;
+
+-logging_send_syslog_msg(cluster_domain)
++manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
++manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
+
+-miscfiles_read_localization(cluster_domain)
++optional_policy(`
++ ccs_stream_connect(cluster_domain)
++')
+
+ optional_policy(`
+ corosync_stream_connect(cluster_domain)
+ ')
++
++optional_policy(`
++ dbus_system_bus_client(cluster_domain)
++')
+diff --git a/rhev.fc b/rhev.fc
+new file mode 100644
+index 0000000..4b66adf
+--- /dev/null
++++ b/rhev.fc
+@@ -0,0 +1,13 @@
++/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
++/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
++
++/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
++/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
++
++/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
++
++/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
++/var/run/ovirt-guest-agent\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
++
++/var/log/rhev-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
++/var/log/ovirt-guest-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
+diff --git a/rhev.if b/rhev.if
+new file mode 100644
+index 0000000..bf11e25
+--- /dev/null
++++ b/rhev.if
+@@ -0,0 +1,76 @@
++## rhev polic module contains policies for rhev apps
++
++#####################################
++##
++## Execute rhev-agentd in the rhev_agentd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhev_domtrans_agentd',`
++ gen_require(`
++ type rhev_agentd_t, rhev_agentd_exec_t;
++ ')
++
++ domtrans_pattern($1, rhev_agentd_exec_t, rhev_agentd_t)
++')
++
++####################################
++##
++## Read rhev-agentd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhev_read_pid_files_agentd',`
++ gen_require(`
++ type rhev_agentd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
++')
++
++#####################################
++##
++## Connect to rhev_agentd over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhev_stream_connect_agentd',`
++ gen_require(`
++ type rhev_agentd_var_run_t, rhev_agentd_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t)
++')
++
++######################################
++##
++## Send sigchld to rhev-agentd
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`rhev_sigchld_agentd',`
++ gen_require(`
++ type rhev_agentd_t;
++ ')
++
++ allow $1 rhev_agentd_t:process sigchld;
++')
+diff --git a/rhev.te b/rhev.te
+new file mode 100644
+index 0000000..51b00c0
+--- /dev/null
++++ b/rhev.te
+@@ -0,0 +1,117 @@
++policy_module(rhev,1.0)
++
++########################################
++#
++# Declarations
++#
++
++type rhev_agentd_t;
++type rhev_agentd_exec_t;
++init_daemon_domain(rhev_agentd_t, rhev_agentd_exec_t)
++
++type rhev_agentd_unit_file_t;
++systemd_unit_file(rhev_agentd_unit_file_t)
++
++type rhev_agentd_var_run_t;
++files_pid_file(rhev_agentd_var_run_t)
++
++type rhev_agentd_tmp_t;
++files_tmp_file(rhev_agentd_tmp_t)
++
++type rhev_agentd_log_t;
++logging_log_file(rhev_agentd_log_t)
++
++########################################
++#
++# rhev_agentd_t local policy
++#
++
++allow rhev_agentd_t self:capability { setuid setgid sys_nice };
++allow rhev_agentd_t self:process setsched;
++
++allow rhev_agentd_t self:fifo_file rw_fifo_file_perms;
++allow rhev_agentd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
++manage_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
++manage_sock_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
++files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file })
++
++manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
++manage_dirs_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
++logging_log_filetrans(rhev_agentd_t, rhev_agentd_log_t, { dir file })
++
++manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
++manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
++files_tmp_filetrans(rhev_agentd_t, rhev_agentd_tmp_t, { file dir })
++can_exec(rhev_agentd_t, rhev_agentd_tmp_t)
++
++kernel_read_system_state(rhev_agentd_t)
++kernel_read_kernel_sysctls(rhev_agentd_t)
++
++corecmd_exec_bin(rhev_agentd_t)
++corecmd_exec_shell(rhev_agentd_t)
++
++dev_read_urand(rhev_agentd_t)
++
++term_use_virtio_console(rhev_agentd_t)
++
++fs_getattr_all_fs(rhev_agentd_t)
++
++files_getattr_all_mountpoints(rhev_agentd_t)
++files_search_all_mountpoints(rhev_agentd_t)
++files_read_usr_files(rhev_agentd_t)
++
++auth_use_nsswitch(rhev_agentd_t)
++
++init_read_utmp(rhev_agentd_t)
++
++libs_exec_ldconfig(rhev_agentd_t)
++logging_send_syslog_msg(rhev_agentd_t)
++
++optional_policy(`
++ rpm_read_db(rhev_agentd_t)
++ rpm_dontaudit_manage_db(rhev_agentd_t)
++')
++
++optional_policy(`
++ ssh_signull(rhev_agentd_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(rhev_agentd_t)
++ dbus_connect_system_bus(rhev_agentd_t)
++ dbus_session_bus_client(rhev_agentd_t)
++')
++
++optional_policy(`
++ xserver_dbus_chat_xdm(rhev_agentd_t)
++ xserver_stream_connect(rhev_agentd_t)
++')
++
++######################################
++#
++# rhev_agentd_t consolehelper local policy
++#
++
++optional_policy(`
++ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
++
++ allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file rw_inherited_file_perms;
++ allow rhev_agentd_consolehelper_t rhev_agentd_tmp_t:file rw_inherited_file_perms;
++
++ can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t)
++ kernel_read_system_state(rhev_agentd_consolehelper_t)
++
++ term_use_virtio_console(rhev_agentd_consolehelper_t)
++
++ corenet_tcp_connect_xserver_port(rhev_agentd_consolehelper_t)
++
++ optional_policy(`
++ dbus_session_bus_client(rhev_agentd_consolehelper_t)
++ ')
++
++ optional_policy(`
++ unconfined_dbus_chat(rhev_agentd_consolehelper_t)
++ ')
++')
+diff --git a/rhgb.if b/rhgb.if
+index 96efae7..793a29f 100644
+--- a/rhgb.if
++++ b/rhgb.if
+@@ -194,5 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
+ type rhgb_tmpfs_t;
+ ')
+
++ fs_search_tmpfs($1)
+ allow $1 rhgb_tmpfs_t:file rw_file_perms;
+ ')
+diff --git a/rhgb.te b/rhgb.te
+index 0f262a7..08c49bc 100644
+--- a/rhgb.te
++++ b/rhgb.te
+@@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms;
+ allow rhgb_t self:udp_socket create_socket_perms;
+ allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
+
+-allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
++allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty(rhgb_t, rhgb_devpts_t)
+
+ manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+@@ -46,7 +46,6 @@ kernel_read_system_state(rhgb_t)
+ corecmd_exec_bin(rhgb_t)
+ corecmd_exec_shell(rhgb_t)
+
+-corenet_all_recvfrom_unlabeled(rhgb_t)
+ corenet_all_recvfrom_netlabel(rhgb_t)
+ corenet_tcp_sendrecv_generic_if(rhgb_t)
+ corenet_udp_sendrecv_generic_if(rhgb_t)
+@@ -97,7 +96,6 @@ libs_read_lib_files(rhgb_t)
+
+ logging_send_syslog_msg(rhgb_t)
+
+-miscfiles_read_localization(rhgb_t)
+ miscfiles_read_fonts(rhgb_t)
+ miscfiles_dontaudit_write_fonts(rhgb_t)
+
+diff --git a/rhnsd.fc b/rhnsd.fc
+new file mode 100644
+index 0000000..1936028
+--- /dev/null
++++ b/rhnsd.fc
+@@ -0,0 +1,5 @@
++/etc/rc\.d/init\.d/rhnsd -- gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0)
++
++/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhnsd_exec_t,s0)
++
++/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhnsd_var_run_t,s0)
+diff --git a/rhnsd.if b/rhnsd.if
+new file mode 100644
+index 0000000..d2a58c1
+--- /dev/null
++++ b/rhnsd.if
+@@ -0,0 +1,75 @@
++
++## policy for rhnsd
++
++########################################
++##
++## Transition to rhnsd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rhnsd_domtrans',`
++ gen_require(`
++ type rhnsd_t, rhnsd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, rhnsd_exec_t, rhnsd_t)
++')
++
++########################################
++##
++## Execute rhnsd server in the rhnsd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhnsd_initrc_domtrans',`
++ gen_require(`
++ type rhnsd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, rhnsd_initrc_exec_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an rhnsd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`rhnsd_admin',`
++ gen_require(`
++ type rhnsd_t;
++ type rhnsd_initrc_exec_t;
++ ')
++
++ allow $1 rhnsd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, rhnsd_t)
++
++ rhnsd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 rhnsd_initrc_exec_t system_r;
++ allow $2 system_r;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/rhnsd.te b/rhnsd.te
+new file mode 100644
+index 0000000..5b2757d
+--- /dev/null
++++ b/rhnsd.te
+@@ -0,0 +1,41 @@
++policy_module(rhnsd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type rhnsd_t;
++type rhnsd_exec_t;
++init_daemon_domain(rhnsd_t, rhnsd_exec_t)
++
++type rhnsd_var_run_t;
++files_pid_file(rhnsd_var_run_t)
++
++type rhnsd_initrc_exec_t;
++init_script_file(rhnsd_initrc_exec_t)
++
++########################################
++#
++# rhnsd local policy
++#
++
++allow rhnsd_t self:capability { kill };
++allow rhnsd_t self:process { fork signal };
++allow rhnsd_t self:fifo_file rw_fifo_file_perms;
++allow rhnsd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
++manage_files_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
++files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file })
++
++corecmd_exec_bin(rhnsd_t)
++
++files_read_etc_files(rhnsd_t)
++
++logging_send_syslog_msg(rhnsd_t)
++
++optional_policy(`
++ # execute rhn_check
++ rpm_domtrans(rhnsd_t)
++')
+diff --git a/rhsmcertd.if b/rhsmcertd.if
+index 137605a..fd40b90 100644
+--- a/rhsmcertd.if
++++ b/rhsmcertd.if
+@@ -194,13 +194,13 @@ interface(`rhsmcertd_read_pid_files',`
+
+ ####################################
+ ##
+-## Connect to rhsmcertd over a unix domain
+-## stream socket.
++## Connect to rhsmcertd over a unix domain
++## stream socket.
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+ interface(`rhsmcertd_stream_connect',`
+@@ -235,23 +235,23 @@ interface(`rhsmcertd_dbus_chat',`
+
+ ######################################
+ ##
+-## Dontaudit Send and receive messages from
+-## rhsmcertd over dbus.
++## Dontaudit Send and receive messages from
++## rhsmcertd over dbus.
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+ interface(`rhsmcertd_dontaudit_dbus_chat',`
+- gen_require(`
+- type rhsmcertd_t;
+- class dbus send_msg;
+- ')
++ gen_require(`
++ type rhsmcertd_t;
++ class dbus send_msg;
++ ')
+
+- dontaudit $1 rhsmcertd_t:dbus send_msg;
+- dontaudit rhsmcertd_t $1:dbus send_msg;
++ dontaudit $1 rhsmcertd_t:dbus send_msg;
++ dontaudit rhsmcertd_t $1:dbus send_msg;
+ ')
+
+ ########################################
+@@ -264,12 +264,6 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## Role allowed access.
+-##
+-##
+-##
+ #
+ interface(`rhsmcertd_admin',`
+ gen_require(`
+@@ -279,18 +273,7 @@ interface(`rhsmcertd_admin',`
+
+ allow $1 rhsmcertd_t:process signal_perms;
+ ps_process_pattern($1, rhsmcertd_t)
+-
+- rhsmcertd_initrc_domtrans($1)
+- domain_system_change_exemption($1)
+- role_transition $2 rhsmcertd_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- logging_search_logs($1)
+- admin_pattern($1, rhsmcertd_log_t)
+-
+- files_search_var_lib($1)
+- admin_pattern($1, rhsmcertd_var_lib_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, rhsmcertd_var_run_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 rhsmcertd_t:process ptrace;
++ ')
+ ')
+diff --git a/rhsmcertd.te b/rhsmcertd.te
+index 783f678..14193ca 100644
+--- a/rhsmcertd.te
++++ b/rhsmcertd.te
+@@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t)
+ # rhsmcertd local policy
+ #
+
++allow rhsmcertd_t self:capability sys_nice;
++allow rhsmcertd_t self:process { signal setsched };
++
+ allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
+ allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
+
+@@ -43,17 +46,36 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+
+ manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
++files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+
++kernel_read_network_state(rhsmcertd_t)
+ kernel_read_system_state(rhsmcertd_t)
+
++files_list_tmp(rhsmcertd_t)
++
+ corecmd_exec_bin(rhsmcertd_t)
+
++dev_read_rand(rhsmcertd_t)
+ dev_read_urand(rhsmcertd_t)
++dev_read_sysfs(rhsmcertd_t)
+
+ files_read_etc_files(rhsmcertd_t)
+ files_read_usr_files(rhsmcertd_t)
++files_manage_generic_locks(rhsmcertd_t)
++
++auth_read_passwd(rhsmcertd_t)
++
++logging_send_syslog_msg(rhsmcertd_t)
+
+-miscfiles_read_localization(rhsmcertd_t)
+-miscfiles_read_generic_certs(rhsmcertd_t)
++miscfiles_read_certs(rhsmcertd_t)
+
+ sysnet_dns_name_resolve(rhsmcertd_t)
++
++
++optional_policy(`
++ dmidecode_domtrans(rhsmcertd_t)
++')
++
++optional_policy(`
++ gnome_dontaudit_search_config(rhsmcertd_t)
++')
+diff --git a/ricci.fc b/ricci.fc
+index 5b08327..4d5819e 100644
+--- a/ricci.fc
++++ b/ricci.fc
+@@ -1,3 +1,6 @@
++
++/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0)
++
+ /usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
+ /usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
+ /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
+@@ -9,7 +12,7 @@
+
+ /var/lib/ricci(/.*)? gen_context(system_u:object_r:ricci_var_lib_t,s0)
+
+-/var/log/clumond\.log -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
++/var/log/clumond\.log.* -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
+
+ /var/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+ /var/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+diff --git a/ricci.if b/ricci.if
+index f7826f9..23d579c 100644
+--- a/ricci.if
++++ b/ricci.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run ricci.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ricci_domtrans',`
+@@ -18,14 +18,32 @@ interface(`ricci_domtrans',`
+ domtrans_pattern($1, ricci_exec_t, ricci_t)
+ ')
+
++#######################################
++##
++## Execute ricci server in the ricci domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ricci_initrc_domtrans',`
++ gen_require(`
++ type ricci_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, ricci_initrc_exec_t)
++')
++
+ ########################################
+ ##
+ ## Execute a domain transition to run ricci_modcluster.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ricci_domtrans_modcluster',`
+@@ -71,12 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
+ type ricci_modcluster_t;
+ ')
+
+- dontaudit $1 ricci_modcluster_t:fifo_file { read write };
++ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Connect to ricci_modclusterd over an unix stream socket.
++## Connect to ricci_modclusterd over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -90,18 +108,36 @@ interface(`ricci_stream_connect_modclusterd',`
+ ')
+
+ files_search_pids($1)
+- allow $1 ricci_modcluster_var_run_t:sock_file write;
+- allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)
+ ')
+
+ ########################################
+ ##
+-## Execute a domain transition to run ricci_modlog.
++## Read and write to ricci_modcluserd temporary file system.
+ ##
+ ##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ricci_rw_modclusterd_tmpfs_files',`
++ gen_require(`
++ type ricci_modclusterd_tmpfs_t;
++ ')
++
++ fs_search_tmpfs($1)
++ allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms;
++')
++
++########################################
+ ##
+-## Domain allowed to transition.
++## Execute a domain transition to run ricci_modlog.
+ ##
++##
++##
++## Domain allowed to transition.
++##
+ ##
+ #
+ interface(`ricci_domtrans_modlog',`
+@@ -117,9 +153,9 @@ interface(`ricci_domtrans_modlog',`
+ ## Execute a domain transition to run ricci_modrpm.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ricci_domtrans_modrpm',`
+@@ -135,9 +171,9 @@ interface(`ricci_domtrans_modrpm',`
+ ## Execute a domain transition to run ricci_modservice.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ricci_domtrans_modservice',`
+@@ -153,9 +189,9 @@ interface(`ricci_domtrans_modservice',`
+ ## Execute a domain transition to run ricci_modstorage.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`ricci_domtrans_modstorage',`
+@@ -165,3 +201,70 @@ interface(`ricci_domtrans_modstorage',`
+
+ domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
+ ')
++
++####################################
++##
++## Allow the specified domain to manage ricci's lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ricci_manage_lib_files',`
++ gen_require(`
++ type ricci_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
++ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an ricci environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`ricci_admin',`
++ gen_require(`
++ type ricci_t, ricci_initrc_exec_t, ricci_tmp_t;
++ type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
++ ')
++
++ allow $1 ricci_t:process signal_perms;
++ ps_process_pattern($1, ricci_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ricci_t:process ptrace;
++ ')
++
++ ricci_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 ricci_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_tmp($1)
++ admin_pattern($1, ricci_tmp_t)
++
++ files_list_var_lib($1)
++ admin_pattern($1, ricci_var_lib_t)
++
++ logging_list_logs($1)
++ admin_pattern($1, ricci_var_log_t)
++
++ files_list_pids($1)
++ admin_pattern($1, ricci_var_run_t)
++')
+diff --git a/ricci.te b/ricci.te
+index 33e72e8..6b0ec3e 100644
+--- a/ricci.te
++++ b/ricci.te
+@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
+
+ type ricci_t;
+ type ricci_exec_t;
+-domain_type(ricci_t)
+ init_daemon_domain(ricci_t, ricci_exec_t)
+
++type ricci_initrc_exec_t;
++init_script_file(ricci_initrc_exec_t)
++
+ type ricci_tmp_t;
+ files_tmp_file(ricci_tmp_t)
+
+@@ -39,9 +41,11 @@ files_pid_file(ricci_modcluster_var_run_t)
+
+ type ricci_modclusterd_t;
+ type ricci_modclusterd_exec_t;
+-domain_type(ricci_modclusterd_t)
+ init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
+
++type ricci_modclusterd_tmpfs_t;
++files_tmpfs_file(ricci_modclusterd_tmpfs_t)
++
+ type ricci_modlog_t;
+ type ricci_modlog_exec_t;
+ domain_type(ricci_modlog_t)
+@@ -95,7 +99,7 @@ manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
+ manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
+ files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
+
+-allow ricci_t ricci_var_log_t:dir setattr;
++allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
+ manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
+ manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
+ logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
+@@ -105,10 +109,10 @@ manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
+ files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
+
+ kernel_read_kernel_sysctls(ricci_t)
++kernel_read_system_state(ricci_t)
+
+ corecmd_exec_bin(ricci_t)
+
+-corenet_all_recvfrom_unlabeled(ricci_t)
+ corenet_all_recvfrom_netlabel(ricci_t)
+ corenet_tcp_sendrecv_generic_if(ricci_t)
+ corenet_tcp_sendrecv_generic_node(ricci_t)
+@@ -123,7 +127,6 @@ dev_read_urand(ricci_t)
+
+ domain_read_all_domains_state(ricci_t)
+
+-files_read_etc_files(ricci_t)
+ files_read_etc_runtime_files(ricci_t)
+ files_create_boot_flag(ricci_t)
+
+@@ -136,8 +139,6 @@ locallogin_dontaudit_use_fds(ricci_t)
+
+ logging_send_syslog_msg(ricci_t)
+
+-miscfiles_read_localization(ricci_t)
+-
+ sysnet_dns_name_resolve(ricci_t)
+
+ optional_policy(`
+@@ -170,6 +171,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ shutdown_domtrans(ricci_t)
++')
++
++optional_policy(`
+ unconfined_use_fds(ricci_t)
+ ')
+
+@@ -193,29 +198,25 @@ corecmd_exec_shell(ricci_modcluster_t)
+ corecmd_exec_bin(ricci_modcluster_t)
+
+ corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
+-corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
++corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t)
++corenet_tcp_connect_cluster_port(ricci_modclusterd_t)
+
+ domain_read_all_domains_state(ricci_modcluster_t)
+
+ files_search_locks(ricci_modcluster_t)
+ files_read_etc_runtime_files(ricci_modcluster_t)
+-files_read_etc_files(ricci_modcluster_t)
+ files_search_usr(ricci_modcluster_t)
+
++auth_use_nsswitch(ricci_modcluster_t)
++
+ init_exec(ricci_modcluster_t)
+ init_domtrans_script(ricci_modcluster_t)
+
+ logging_send_syslog_msg(ricci_modcluster_t)
+
+-miscfiles_read_localization(ricci_modcluster_t)
+-
+-modutils_domtrans_insmod(ricci_modcluster_t)
+-
+-mount_domtrans(ricci_modcluster_t)
+-
+-consoletype_exec(ricci_modcluster_t)
+-
+-ricci_stream_connect_modclusterd(ricci_modcluster_t)
++optional_policy(`
++ ricci_stream_connect_modclusterd(ricci_modcluster_t)
++')
+
+ optional_policy(`
+ aisexec_stream_connect(ricci_modcluster_t)
+@@ -233,7 +234,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(ricci_modcluster_t)
++ modutils_domtrans_insmod(ricci_modcluster_t)
++')
++
++optional_policy(`
++ mount_domtrans(ricci_modcluster_t)
++')
++
++optional_policy(`
++ consoletype_exec(ricci_modcluster_t)
+ ')
+
+ optional_policy(`
+@@ -241,8 +250,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- # XXX This has got to go.
+- unconfined_domain(ricci_modcluster_t)
++ rgmanager_stream_connect(ricci_modclusterd_t)
+ ')
+
+ ########################################
+@@ -261,6 +269,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
+ allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
+ allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
+
++manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
++manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
++fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file })
++
+ allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
+ manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
+ manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
+@@ -272,6 +284,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
+
+ kernel_read_kernel_sysctls(ricci_modclusterd_t)
+ kernel_read_system_state(ricci_modclusterd_t)
++kernel_request_load_module(ricci_modclusterd_t)
+
+ corecmd_exec_bin(ricci_modclusterd_t)
+
+@@ -283,7 +296,6 @@ corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
+
+ domain_read_all_domains_state(ricci_modclusterd_t)
+
+-files_read_etc_files(ricci_modclusterd_t)
+ files_read_etc_runtime_files(ricci_modclusterd_t)
+
+ fs_getattr_xattr_fs(ricci_modclusterd_t)
+@@ -296,8 +308,6 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+
+ logging_send_syslog_msg(ricci_modclusterd_t)
+
+-miscfiles_read_localization(ricci_modclusterd_t)
+-
+ sysnet_domtrans_ifconfig(ricci_modclusterd_t)
+
+ optional_policy(`
+@@ -334,12 +344,10 @@ corecmd_exec_bin(ricci_modlog_t)
+
+ domain_read_all_domains_state(ricci_modlog_t)
+
+-files_read_etc_files(ricci_modlog_t)
+ files_search_usr(ricci_modlog_t)
+
+ logging_read_generic_logs(ricci_modlog_t)
+
+-miscfiles_read_localization(ricci_modlog_t)
+
+ optional_policy(`
+ nscd_dontaudit_search_pid(ricci_modlog_t)
+@@ -361,9 +369,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
+ corecmd_exec_bin(ricci_modrpm_t)
+
+ files_search_usr(ricci_modrpm_t)
+-files_read_etc_files(ricci_modrpm_t)
+
+-miscfiles_read_localization(ricci_modrpm_t)
++logging_send_syslog_msg(ricci_modrpm_t)
+
+ optional_policy(`
+ oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
+@@ -388,23 +395,24 @@ kernel_read_system_state(ricci_modservice_t)
+ corecmd_exec_bin(ricci_modservice_t)
+ corecmd_exec_shell(ricci_modservice_t)
+
+-files_read_etc_files(ricci_modservice_t)
+ files_read_etc_runtime_files(ricci_modservice_t)
+ files_search_usr(ricci_modservice_t)
+ # Needed for running chkconfig
+ files_manage_etc_symlinks(ricci_modservice_t)
+
+-consoletype_exec(ricci_modservice_t)
+-
+ init_domtrans_script(ricci_modservice_t)
+
+-miscfiles_read_localization(ricci_modservice_t)
++logging_send_syslog_msg(ricci_modservice_t)
+
+ optional_policy(`
+ ccs_read_config(ricci_modservice_t)
+ ')
+
+ optional_policy(`
++ consoletype_exec(ricci_modservice_t)
++')
++
++optional_policy(`
+ nscd_dontaudit_search_pid(ricci_modservice_t)
+ ')
+
+@@ -418,7 +426,6 @@ optional_policy(`
+ #
+
+ allow ricci_modstorage_t self:process { setsched signal };
+-dontaudit ricci_modstorage_t self:process ptrace;
+ allow ricci_modstorage_t self:capability { mknod sys_nice };
+ allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
+ allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
+@@ -444,22 +451,20 @@ files_read_etc_runtime_files(ricci_modstorage_t)
+ files_read_usr_files(ricci_modstorage_t)
+ files_read_kernel_modules(ricci_modstorage_t)
+
++files_create_default_dir(ricci_modstorage_t)
++files_root_filetrans_default(ricci_modstorage_t, dir)
++files_mounton_default(ricci_modstorage_t)
++files_manage_default_dirs(ricci_modstorage_t)
++files_manage_default_files(ricci_modstorage_t)
++
+ storage_raw_read_fixed_disk(ricci_modstorage_t)
+
+ term_dontaudit_use_console(ricci_modstorage_t)
+
+-fstools_domtrans(ricci_modstorage_t)
++auth_use_nsswitch(ricci_modstorage_t)
+
+ logging_send_syslog_msg(ricci_modstorage_t)
+
+-miscfiles_read_localization(ricci_modstorage_t)
+-
+-modutils_read_module_deps(ricci_modstorage_t)
+-
+-consoletype_exec(ricci_modstorage_t)
+-
+-mount_domtrans(ricci_modstorage_t)
+-
+ optional_policy(`
+ aisexec_stream_connect(ricci_modstorage_t)
+ corosync_stream_connect(ricci_modstorage_t)
+@@ -471,12 +476,24 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ consoletype_exec(ricci_modstorage_t)
++')
++
++optional_policy(`
++ fstools_domtrans(ricci_modstorage_t)
++')
++
++optional_policy(`
+ lvm_domtrans(ricci_modstorage_t)
+ lvm_manage_config(ricci_modstorage_t)
+ ')
+
+ optional_policy(`
+- nscd_socket_use(ricci_modstorage_t)
++ modutils_read_module_deps(ricci_modstorage_t)
++')
++
++optional_policy(`
++ mount_domtrans(ricci_modstorage_t)
+ ')
+
+ optional_policy(`
+diff --git a/rlogin.fc b/rlogin.fc
+index 2fae3f0..d7f6b82 100644
+--- a/rlogin.fc
++++ b/rlogin.fc
+@@ -1,7 +1,10 @@
+ HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
++HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
++/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
++/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
+
+ /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+-/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
++/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+ /usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+diff --git a/rlogin.if b/rlogin.if
+index 63e78c6..fdd8228 100644
+--- a/rlogin.if
++++ b/rlogin.if
+@@ -21,21 +21,15 @@ interface(`rlogin_domtrans',`
+
+ ########################################
+ ##
+-## read rlogin homedir content (.config)
++## read rlogin homedir content (.rlogin)
+ ##
+-##
+-##
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
+-##
+-##
+-##
++##
+ ##
+-## The type of the user domain.
++## Domain allowed access.
+ ##
+ ##
+ #
+-template(`rlogin_read_home_content',`
++interface(`rlogin_read_home_content',`
+ gen_require(`
+ type rlogind_home_t;
+ ')
+diff --git a/rlogin.te b/rlogin.te
+index 16304ec..3293b25 100644
+--- a/rlogin.te
++++ b/rlogin.te
+@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
+ # Local policy
+ #
+
+-allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
++allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+ allow rlogind_t self:process signal_perms;
+ allow rlogind_t self:fifo_file rw_fifo_file_perms;
+ allow rlogind_t self:tcp_socket connected_stream_socket_perms;
+ # for identd; cjp: this should probably only be inetd_child rules?
+ allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+-allow rlogind_t self:capability { setuid setgid };
+
+-allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
++allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty(rlogind_t, rlogind_devpts_t)
+
+ # for /usr/lib/telnetlogin
+@@ -43,7 +42,6 @@ can_exec(rlogind_t, rlogind_exec_t)
+
+ manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+ manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+-files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
+
+ manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
+ files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
+@@ -52,7 +50,6 @@ kernel_read_kernel_sysctls(rlogind_t)
+ kernel_read_system_state(rlogind_t)
+ kernel_read_network_state(rlogind_t)
+
+-corenet_all_recvfrom_unlabeled(rlogind_t)
+ corenet_all_recvfrom_netlabel(rlogind_t)
+ corenet_tcp_sendrecv_generic_if(rlogind_t)
+ corenet_udp_sendrecv_generic_if(rlogind_t)
+@@ -69,10 +66,11 @@ fs_getattr_xattr_fs(rlogind_t)
+ fs_search_auto_mountpoints(rlogind_t)
+
+ auth_domtrans_chk_passwd(rlogind_t)
++auth_signal_chk_passwd(rlogind_t)
+ auth_rw_login_records(rlogind_t)
+ auth_use_nsswitch(rlogind_t)
++auth_login_pgm_domain(rlogind_t)
+
+-files_read_etc_files(rlogind_t)
+ files_read_etc_runtime_files(rlogind_t)
+ files_search_home(rlogind_t)
+ files_search_default(rlogind_t)
+@@ -81,34 +79,29 @@ init_rw_utmp(rlogind_t)
+
+ logging_send_syslog_msg(rlogind_t)
+
+-miscfiles_read_localization(rlogind_t)
+-
+ seutil_read_config(rlogind_t)
+
+ userdom_setattr_user_ptys(rlogind_t)
+ # cjp: this is egregious
+ userdom_read_user_home_content_files(rlogind_t)
+-
+-remotelogin_domtrans(rlogind_t)
+-remotelogin_signal(rlogind_t)
++userdom_search_admin_dir(rlogind_t)
++userdom_manage_user_tmp_files(rlogind_t)
++userdom_tmp_filetrans_user_tmp(rlogind_t, file)
++userdom_use_user_terminals(rlogind_t)
++userdom_home_reader(rlogind_t)
+
+ rlogin_read_home_content(rlogind_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_list_nfs(rlogind_t)
+- fs_read_nfs_files(rlogind_t)
+- fs_read_nfs_symlinks(rlogind_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_list_cifs(rlogind_t)
+- fs_read_cifs_files(rlogind_t)
+- fs_read_cifs_symlinks(rlogind_t)
++optional_policy(`
++ kerberos_keytab_template(rlogind, rlogind_t)
++ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
++ #part of auth_use_pam
++ #kerberos_manage_host_rcache(rlogind_t)
+ ')
+
+ optional_policy(`
+- kerberos_keytab_template(rlogind, rlogind_t)
+- kerberos_manage_host_rcache(rlogind_t)
++ remotelogin_domtrans(rlogind_t)
++ remotelogin_signal(rlogind_t)
+ ')
+
+ optional_policy(`
+diff --git a/rngd.fc b/rngd.fc
+new file mode 100644
+index 0000000..f6be09d
+--- /dev/null
++++ b/rngd.fc
+@@ -0,0 +1,6 @@
++
++/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0)
++
++/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+diff --git a/rngd.if b/rngd.if
+new file mode 100644
+index 0000000..8b505d5
+--- /dev/null
++++ b/rngd.if
+@@ -0,0 +1,62 @@
++## Check and feed random data from hardware device to kernel random device.
++
++########################################
++##
++## Execute rngd in the rngd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rng_systemctl_rngd',`
++ gen_require(`
++ type rngd_t, rngd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 rngd_unit_file_t:file read_file_perms;
++ allow $1 rngd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, rngd_t)
++')
++
++########################################
++##
++## All of the rules required to
++## administrate an rng environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`rng_admin',`
++ gen_require(`
++ type rngd_t, rngd_initrc_exec_t, rngd_unit_file_t;
++ ')
++
++ allow $1 rngd_t:process signal_perms;
++ ps_process_pattern($1, rngd_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 rngd_t:process ptrace;
++ ')
++
++ init_labeled_script_domtrans($1, rngd_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 rngd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ rng_systemctl($1)
++ admin_pattern($1, rngd_unit_file_t)
++ allow $1 rngd_unit_file_t:service all_service_perms;
++')
+diff --git a/rngd.te b/rngd.te
+new file mode 100644
+index 0000000..50b6196
+--- /dev/null
++++ b/rngd.te
+@@ -0,0 +1,37 @@
++policy_module(rngd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type rngd_t;
++type rngd_exec_t;
++init_daemon_domain(rngd_t, rngd_exec_t)
++
++type rngd_initrc_exec_t;
++init_script_file(rngd_initrc_exec_t)
++
++type rngd_unit_file_t;
++systemd_unit_file(rngd_unit_file_t)
++
++########################################
++#
++# Local policy
++#
++
++allow rngd_t self:capability sys_admin;
++allow rngd_t self:process { signal };
++allow rngd_t self:fifo_file rw_fifo_file_perms;
++allow rngd_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_rw_kernel_sysctl(rngd_t)
++
++dev_read_rand(rngd_t)
++dev_read_urand(rngd_t)
++dev_rw_tpm(rngd_t)
++dev_write_rand(rngd_t)
++
++files_read_etc_files(rngd_t)
++
++logging_send_syslog_msg(rngd_t)
+diff --git a/roundup.if b/roundup.if
+index 30c4b75..e07c2ff 100644
+--- a/roundup.if
++++ b/roundup.if
+@@ -23,8 +23,11 @@ interface(`roundup_admin',`
+ type roundup_initrc_exec_t;
+ ')
+
+- allow $1 roundup_t:process { ptrace signal_perms };
++ allow $1 roundup_t:process signal_perms;
+ ps_process_pattern($1, roundup_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 roundup_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, roundup_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/roundup.te b/roundup.te
+index 57f839f..090dd29 100644
+--- a/roundup.te
++++ b/roundup.te
+@@ -45,7 +45,6 @@ dev_read_sysfs(roundup_t)
+ # execute python
+ corecmd_exec_bin(roundup_t)
+
+-corenet_all_recvfrom_unlabeled(roundup_t)
+ corenet_all_recvfrom_netlabel(roundup_t)
+ corenet_tcp_sendrecv_generic_if(roundup_t)
+ corenet_udp_sendrecv_generic_if(roundup_t)
+@@ -75,8 +74,6 @@ fs_search_auto_mountpoints(roundup_t)
+
+ logging_send_syslog_msg(roundup_t)
+
+-miscfiles_read_localization(roundup_t)
+-
+ sysnet_read_config(roundup_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(roundup_t)
+diff --git a/rpc.fc b/rpc.fc
+index 5c70c0c..b0c22f7 100644
+--- a/rpc.fc
++++ b/rpc.fc
+@@ -6,6 +6,9 @@
+ /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
++/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
++
+ #
+ # /sbin
+ #
+@@ -15,12 +18,14 @@
+ #
+ # /usr
+ #
++/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+ /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+ /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+ /usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+ /usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+ /usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+ /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
++/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+
+ #
+ # /var
+@@ -29,3 +34,4 @@
+
+ /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
+ /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
++
+diff --git a/rpc.if b/rpc.if
+index dddabcf..a61764b 100644
+--- a/rpc.if
++++ b/rpc.if
+@@ -32,7 +32,11 @@ interface(`rpc_stub',`
+ ##
+ ##
+ #
+-template(`rpc_domain_template', `
++template(`rpc_domain_template',`
++ gen_require(`
++ type var_lib_nfs_t;
++ ')
++
+ ########################################
+ #
+ # Declarations
+@@ -69,7 +73,6 @@ template(`rpc_domain_template', `
+ dev_read_urand($1_t)
+ dev_read_rand($1_t)
+
+- corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_udp_sendrecv_generic_if($1_t)
+@@ -105,7 +108,6 @@ template(`rpc_domain_template', `
+
+ logging_send_syslog_msg($1_t)
+
+- miscfiles_read_localization($1_t)
+
+ userdom_dontaudit_use_unpriv_user_fds($1_t)
+
+@@ -152,7 +154,7 @@ interface(`rpc_dontaudit_getattr_exports',`
+ type exports_t;
+ ')
+
+- dontaudit $1 exports_t:file getattr;
++ dontaudit $1 exports_t:file getattr_file_perms;
+ ')
+
+ ########################################
+@@ -188,7 +190,7 @@ interface(`rpc_write_exports',`
+ type exports_t;
+ ')
+
+- allow $1 exports_t:file write;
++ allow $1 exports_t:file write_file_perms;
+ ')
+
+ ########################################
+@@ -229,6 +231,29 @@ interface(`rpc_initrc_domtrans_nfsd',`
+
+ ########################################
+ ##
++## Execute nfsd server in the nfsd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rpc_systemctl_nfsd',`
++ gen_require(`
++ type nfsd_unit_file_t;
++ type nfsd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 nfsd_unit_file_t:file read_file_perms;
++ allow $1 nfsd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, nfsd_t)
++')
++
++########################################
++##
+ ## Execute domain in rpcd domain.
+ ##
+ ##
+@@ -246,6 +271,32 @@ interface(`rpc_domtrans_rpcd',`
+ allow rpcd_t $1:process signal;
+ ')
+
++########################################
++##
++## Execute rpcd in the rcpd domain, and
++## allow the specified role the rpcd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`rpc_run_rpcd',`
++ gen_require(`
++ type rpcd_t;
++ ')
++
++ rpc_domtrans_rpcd($1)
++ role $2 types rpcd_t;
++')
++
+ #######################################
+ ##
+ ## Execute domain in rpcd domain.
+@@ -266,6 +317,29 @@ interface(`rpc_initrc_domtrans_rpcd',`
+
+ ########################################
+ ##
++## Execute rpcd server in the rpcd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rpc_systemctl_rpcd',`
++ gen_require(`
++ type rpcd_unit_file_t;
++ type rpcd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 rpcd_unit_file_t:file read_file_perms;
++ allow $1 rpcd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, rpcd_t)
++')
++
++########################################
++##
+ ## Read NFS exported content.
+ ##
+ ##
+@@ -282,7 +356,7 @@ interface(`rpc_read_nfs_content',`
+
+ allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
+ allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
+- allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
++ allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -329,7 +403,7 @@ interface(`rpc_manage_nfs_ro_content',`
+
+ ########################################
+ ##
+-## Allow domain to read and write to an NFS TCP socket.
++## Allow domain to read and write to an NFS UDP socket.
+ ##
+ ##
+ ##
+@@ -337,17 +411,17 @@ interface(`rpc_manage_nfs_ro_content',`
+ ##
+ ##
+ #
+-interface(`rpc_tcp_rw_nfs_sockets',`
++interface(`rpc_udp_rw_nfs_sockets',`
+ gen_require(`
+ type nfsd_t;
+ ')
+
+- allow $1 nfsd_t:tcp_socket rw_socket_perms;
++ allow $1 nfsd_t:udp_socket rw_socket_perms;
+ ')
+
+ ########################################
+ ##
+-## Allow domain to read and write to an NFS UDP socket.
++## Send UDP traffic to NFSd. (Deprecated)
+ ##
+ ##
+ ##
+@@ -355,17 +429,13 @@ interface(`rpc_tcp_rw_nfs_sockets',`
+ ##
+ ##
+ #
+-interface(`rpc_udp_rw_nfs_sockets',`
+- gen_require(`
+- type nfsd_t;
+- ')
+-
+- allow $1 nfsd_t:udp_socket rw_socket_perms;
++interface(`rpc_udp_send_nfs',`
++ refpolicywarn(`$0($*) has been deprecated.')
+ ')
+
+ ########################################
+ ##
+-## Send UDP traffic to NFSd. (Deprecated)
++## Search NFS state data in /var/lib/nfs.
+ ##
+ ##
+ ##
+@@ -373,13 +443,18 @@ interface(`rpc_udp_rw_nfs_sockets',`
+ ##
+ ##
+ #
+-interface(`rpc_udp_send_nfs',`
+- refpolicywarn(`$0($*) has been deprecated.')
++interface(`rpc_search_nfs_state_data',`
++ gen_require(`
++ type var_lib_nfs_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 var_lib_nfs_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Search NFS state data in /var/lib/nfs.
++## List NFS state data in /var/lib/nfs.
+ ##
+ ##
+ ##
+@@ -387,13 +462,13 @@ interface(`rpc_udp_send_nfs',`
+ ##
+ ##
+ #
+-interface(`rpc_search_nfs_state_data',`
++interface(`rpc_list_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+- allow $1 var_lib_nfs_t:dir search;
++ allow $1 var_lib_nfs_t:dir list_dir_perms;
+ ')
+
+ ########################################
+@@ -432,4 +507,5 @@ interface(`rpc_manage_nfs_state_data',`
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
++ allow $1 var_lib_nfs_t:file relabel_file_perms;
+ ')
+diff --git a/rpc.te b/rpc.te
+index 330d01f..fd96b3c 100644
+--- a/rpc.te
++++ b/rpc.te
+@@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0)
+ ## Allow gssd to read temp directory. For access to kerberos tgt.
+ ##
+ ##
+-gen_tunable(allow_gssd_read_tmp, true)
++gen_tunable(gssd_read_tmp, true)
+
+ ##
+ ##
+@@ -19,7 +19,7 @@ gen_tunable(allow_gssd_read_tmp, true)
+ ## labeled public_content_rw_t.
+ ##
+ ##
+-gen_tunable(allow_nfsd_anon_write, false)
++gen_tunable(nfsd_anon_write, false)
+
+ type exports_t;
+ files_config_file(exports_t)
+@@ -39,11 +39,17 @@ rpc_domain_template(rpcd)
+ type rpcd_initrc_exec_t;
+ init_script_file(rpcd_initrc_exec_t)
+
++type rpcd_unit_file_t;
++systemd_unit_file(rpcd_unit_file_t)
++
+ rpc_domain_template(nfsd)
+
+ type nfsd_initrc_exec_t;
+ init_script_file(nfsd_initrc_exec_t)
+
++type nfsd_unit_file_t;
++systemd_unit_file(nfsd_unit_file_t)
++
+ type nfsd_rw_t;
+ files_type(nfsd_rw_t)
+
+@@ -58,13 +64,16 @@ files_mountpoint(var_lib_nfs_t)
+ # RPC local policy
+ #
+
+-allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
++allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
++allow rpcd_t self:capability2 block_suspend;
++
+ allow rpcd_t self:process { getcap setcap };
+ allow rpcd_t self:fifo_file rw_fifo_file_perms;
+
+-allow rpcd_t rpcd_var_run_t:dir setattr;
++allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
++manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
+ manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
+-files_pid_filetrans(rpcd_t, rpcd_var_run_t, file)
++files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
+
+ # rpc.statd executes sm-notify
+ can_exec(rpcd_t, rpcd_exec_t)
+@@ -81,21 +90,26 @@ corecmd_exec_bin(rpcd_t)
+
+ files_manage_mounttab(rpcd_t)
+ files_getattr_all_dirs(rpcd_t)
++files_read_usr_files(rpcd_t)
+
+ fs_list_rpc(rpcd_t)
+ fs_read_rpc_files(rpcd_t)
+ fs_read_rpc_symlinks(rpcd_t)
+ fs_rw_rpc_sockets(rpcd_t)
+ fs_get_all_fs_quotas(rpcd_t)
++fs_set_xattr_fs_quotas(rpcd_t)
+ fs_getattr_all_fs(rpcd_t)
+
+ storage_getattr_fixed_disk_dev(rpcd_t)
+
++init_read_utmp(rpcd_t)
++
+ selinux_dontaudit_read_fs(rpcd_t)
+
+ miscfiles_read_generic_certs(rpcd_t)
+
+-seutil_dontaudit_search_config(rpcd_t)
++userdom_signal_unpriv_users(rpcd_t)
++userdom_read_user_home_content_files(rpcd_t)
+
+ optional_policy(`
+ automount_signal(rpcd_t)
+@@ -103,15 +117,32 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ domain_unconfined_signal(rpcd_t)
++')
++
++optional_policy(`
++ quota_manage_db(rpcd_t)
++')
++
++optional_policy(`
+ nis_read_ypserv_config(rpcd_t)
+ ')
+
++optional_policy(`
++ quota_read_db(rpcd_t)
++')
++
++optional_policy(`
++ rgmanager_manage_tmp_files(rpcd_t)
++')
++
+ ########################################
+ #
+ # NFSD local policy
+ #
+
+ allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
++dontaudit nfsd_t self:capability sys_rawio;
+
+ allow nfsd_t exports_t:file read_file_perms;
+ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+@@ -120,9 +151,16 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+ kernel_read_system_state(nfsd_t)
+ kernel_read_network_state(nfsd_t)
+ kernel_dontaudit_getattr_core_if(nfsd_t)
++kernel_setsched(nfsd_t)
++kernel_request_load_module(nfsd_t)
++kernel_mounton_proc(nfsd_t)
++
++corecmd_exec_shell(nfsd_t)
+
+ corenet_tcp_bind_all_rpc_ports(nfsd_t)
+ corenet_udp_bind_all_rpc_ports(nfsd_t)
++corenet_tcp_bind_nfs_port(nfsd_t)
++corenet_udp_bind_nfs_port(nfsd_t)
+
+ dev_dontaudit_getattr_all_blk_files(nfsd_t)
+ dev_dontaudit_getattr_all_chr_files(nfsd_t)
+@@ -135,12 +173,12 @@ files_getattr_tmp_dirs(nfsd_t)
+ # cjp: this should really have its own type
+ files_manage_mounttab(nfsd_t)
+ files_read_etc_runtime_files(nfsd_t)
++files_read_usr_files(nfsd_t)
+
+ fs_mount_nfsd_fs(nfsd_t)
+-fs_search_nfsd_fs(nfsd_t)
+ fs_getattr_all_fs(nfsd_t)
+ fs_getattr_all_dirs(nfsd_t)
+-fs_rw_nfsd_fs(nfsd_t)
++fs_manage_nfsd_fs(nfsd_t)
+
+ storage_dontaudit_read_fixed_disk(nfsd_t)
+ storage_raw_read_removable_device(nfsd_t)
+@@ -148,8 +186,11 @@ storage_raw_read_removable_device(nfsd_t)
+ # Read access to public_content_t and public_content_rw_t
+ miscfiles_read_public_files(nfsd_t)
+
++userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
++userdom_list_user_tmp(nfsd_t)
++
+ # Write access to public_content_t and public_content_rw_t
+-tunable_policy(`allow_nfsd_anon_write',`
++tunable_policy(`nfsd_anon_write',`
+ miscfiles_manage_public_files(nfsd_t)
+ ')
+
+@@ -158,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',`
+ dev_getattr_all_chr_files(nfsd_t)
+
+ fs_read_noxattr_fs_files(nfsd_t)
+- files_manage_non_auth_files(nfsd_t)
+ ')
+
+ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +210,12 @@ tunable_policy(`nfs_export_all_ro',`
+
+ fs_read_noxattr_fs_files(nfsd_t)
+
+- files_list_non_auth_dirs(nfsd_t)
+- files_read_non_auth_files(nfsd_t)
++ files_read_non_security_files(nfsd_t)
++')
++
++optional_policy(`
++ mount_exec(nfsd_t)
++ mount_manage_pid_files(nfsd_t)
+ ')
+
+ ########################################
+@@ -181,7 +225,7 @@ tunable_policy(`nfs_export_all_ro',`
+
+ allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+ allow gssd_t self:process { getsched setsched };
+-allow gssd_t self:fifo_file rw_file_perms;
++allow gssd_t self:fifo_file rw_fifo_file_perms;
+
+ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+ manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -199,6 +243,7 @@ corecmd_exec_bin(gssd_t)
+ fs_list_rpc(gssd_t)
+ fs_rw_rpc_sockets(gssd_t)
+ fs_read_rpc_files(gssd_t)
++fs_read_nfsd_files(gssd_t)
+
+ fs_list_inotifyfs(gssd_t)
+ files_list_tmp(gssd_t)
+@@ -210,14 +255,14 @@ auth_manage_cache(gssd_t)
+
+ miscfiles_read_generic_certs(gssd_t)
+
+-mount_signal(gssd_t)
+-
+ userdom_signal_all_users(gssd_t)
+
+-tunable_policy(`allow_gssd_read_tmp',`
++tunable_policy(`gssd_read_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_read_user_tmp_files(gssd_t)
+ userdom_read_user_tmp_symlinks(gssd_t)
++ userdom_write_user_tmp_files(gssd_t)
++ files_read_generic_tmp_files(gssd_t)
+ ')
+
+ optional_policy(`
+@@ -226,6 +271,11 @@ optional_policy(`
+
+ optional_policy(`
+ kerberos_keytab_template(gssd, gssd_t)
++ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
++')
++
++optional_policy(`
++ mount_signal(gssd_t)
+ ')
+
+ optional_policy(`
+diff --git a/rpcbind.fc b/rpcbind.fc
+index f5c47d6..164ce1f 100644
+--- a/rpcbind.fc
++++ b/rpcbind.fc
+@@ -2,8 +2,10 @@
+
+ /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+
++/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
++
++/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+ /var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+
+ /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+-/var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+-/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
++/var/run/rpcbind.* gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+diff --git a/rpcbind.if b/rpcbind.if
+index a96249c..ff1163f 100644
+--- a/rpcbind.if
++++ b/rpcbind.if
+@@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',`
+ ')
+
+ files_search_pids($1)
+- allow $1 rpcbind_var_run_t:sock_file write;
+- allow $1 rpcbind_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)
+ ')
+
+ ########################################
+@@ -117,6 +116,60 @@ interface(`rpcbind_manage_lib_files',`
+
+ ########################################
+ ##
++## Send a null signal to rpcbind.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpcbind_signull',`
++ gen_require(`
++ type rpcbind_t;
++ ')
++
++ allow $1 rpcbind_t:process signull;
++')
++
++########################################
++##
++## Transition to rpcbind named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpcbind_filetrans_named_content',`
++ gen_require(`
++ type rpcbind_var_run_t;
++ ')
++
++ files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock")
++')
++
++########################################
++##
++## Relabel from rpcbind sock file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpcbind_relabel_sock_file',`
++ gen_require(`
++ type rpcbind_var_run_t;
++ ')
++
++ allow $1 rpcbind_var_run_t:sock_file relabel_sock_file_perms;
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an rpcbind environment
+ ##
+@@ -138,11 +191,20 @@ interface(`rpcbind_admin',`
+ type rpcbind_initrc_exec_t;
+ ')
+
+- allow $1 rpcbind_t:process { ptrace signal_perms };
++ allow $1 rpcbind_t:process signal_perms;
+ ps_process_pattern($1, rpcbind_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 rpcbind_t:process ptrace;
++ ')
+
+- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
++ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 rpcbind_initrc_exec_t system_r;
+ allow $2 system_r;
++
++ files_list_var_lib($1)
++ admin_pattern($1, rpcbind_var_lib_t)
++
++ files_list_pids($1)
++ admin_pattern($1, rpcbind_var_run_t)
+ ')
+diff --git a/rpcbind.te b/rpcbind.te
+index a63e9ee..e4a0c9b 100644
+--- a/rpcbind.te
++++ b/rpcbind.te
+@@ -43,7 +43,8 @@ kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
+ kernel_request_load_module(rpcbind_t)
+
+-corenet_all_recvfrom_unlabeled(rpcbind_t)
++corecmd_exec_shell(rpcbind_t)
++
+ corenet_all_recvfrom_netlabel(rpcbind_t)
+ corenet_tcp_sendrecv_generic_if(rpcbind_t)
+ corenet_udp_sendrecv_generic_if(rpcbind_t)
+@@ -62,8 +63,16 @@ domain_use_interactive_fds(rpcbind_t)
+ files_read_etc_files(rpcbind_t)
+ files_read_etc_runtime_files(rpcbind_t)
+
+-logging_send_syslog_msg(rpcbind_t)
++auth_read_passwd(rpcbind_t)
+
+-miscfiles_read_localization(rpcbind_t)
++logging_send_syslog_msg(rpcbind_t)
+
+ sysnet_dns_name_resolve(rpcbind_t)
++
++ifdef(`hide_broken_symptoms',`
++ dontaudit rpcbind_t self:udp_socket listen;
++')
++
++optional_policy(`
++ nis_use_ypbind(rpcbind_t)
++')
+diff --git a/rpm.fc b/rpm.fc
+index b2a0b6a..ee55335 100644
+--- a/rpm.fc
++++ b/rpm.fc
+@@ -2,10 +2,12 @@
+ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+ /usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
++/usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+ /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+ /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+@@ -20,12 +22,18 @@
+ /usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+ ifdef(`distro_redhat', `
++/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ ')
+
+ /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+@@ -36,9 +44,10 @@ ifdef(`distro_redhat', `
+ /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+ /var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+
+-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+ /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+
++/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
++
+ /var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
+ /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+
+diff --git a/rpm.if b/rpm.if
+index 951d8f6..bedc8ae 100644
+--- a/rpm.if
++++ b/rpm.if
+@@ -13,10 +13,13 @@
+ interface(`rpm_domtrans',`
+ gen_require(`
+ type rpm_t, rpm_exec_t;
++ attribute rpm_transition_domain;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rpm_exec_t, rpm_t)
++ typeattribute $1 rpm_transition_domain;
++ rpm_debuginfo_domtrans($1)
+ ')
+
+ ########################################
+@@ -78,11 +81,19 @@ interface(`rpm_domtrans_script',`
+ #
+ interface(`rpm_run',`
+ gen_require(`
+- attribute_role rpm_roles;
++ type rpm_t, rpm_script_t;
+ ')
+
+ rpm_domtrans($1)
+- roleattribute $2 rpm_roles;
++ role $2 types { rpm_t rpm_script_t };
++
++ domain_system_change_exemption($1)
++ role_transition $2 rpm_exec_t system_r;
++ allow $2 system_r;
++
++ seutil_run_loadpolicy(rpm_script_t, $2)
++ seutil_run_semanage(rpm_script_t, $2)
++ seutil_run_setfiles(rpm_script_t, $2)
+ ')
+
+ ########################################
+@@ -178,6 +189,42 @@ interface(`rpm_rw_pipes',`
+
+ ########################################
+ ##
++## dontaudit read and write an leaked file descriptors
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`rpm_dontaudit_leaks',`
++ gen_require(`
++ type rpm_t, rpm_var_cache_t;
++ type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
++ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
++ ')
++
++ dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit $1 rpm_t:tcp_socket { read write };
++ dontaudit $1 rpm_t:unix_dgram_socket { read write };
++ dontaudit $1 rpm_t:shm rw_shm_perms;
++
++ dontaudit $1 rpm_script_t:fd use;
++ dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
++
++ dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
++
++ dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
++ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
++ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
++ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
++ dontaudit $1 rpm_var_lib_t:dir getattr;
++ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
++ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Send and receive messages from
+ ## rpm over dbus.
+ ##
+@@ -274,8 +321,7 @@ interface(`rpm_append_log',`
+ type rpm_log_t;
+ ')
+
+- logging_search_logs($1)
+- append_files_pattern($1, rpm_log_t, rpm_log_t)
++ allow $1 rpm_log_t:file append_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -332,7 +378,9 @@ interface(`rpm_manage_script_tmp_files',`
+ ')
+
+ files_search_tmp($1)
++ manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+ manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
++ manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+ ')
+
+ #####################################
+@@ -351,8 +399,7 @@ interface(`rpm_append_tmp_files',`
+ type rpm_tmp_t;
+ ')
+
+- files_search_tmp($1)
+- append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
++ allow $1 rpm_tmp_t:file append_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -372,7 +419,9 @@ interface(`rpm_manage_tmp_files',`
+ ')
+
+ files_search_tmp($1)
++ manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
+ manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
++ manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+ ')
+
+ ########################################
+@@ -456,6 +505,7 @@ interface(`rpm_read_db',`
+ allow $1 rpm_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
++ rpm_read_cache($1)
+ ')
+
+ ########################################
+@@ -513,7 +563,7 @@ interface(`rpm_dontaudit_manage_db',`
+ type rpm_var_lib_t;
+ ')
+
+- dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
++ dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
+ dontaudit $1 rpm_var_lib_t:file manage_file_perms;
+ dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
+ ')
+@@ -573,3 +623,66 @@ interface(`rpm_pid_filetrans',`
+
+ files_pid_filetrans($1, rpm_var_run_t, file)
+ ')
++
++########################################
++##
++## Send a null signal to rpm.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_inherited_fifo',`
++ gen_require(`
++ attribute rpm_transition_domain;
++ ')
++
++ allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++')
++
++
++########################################
++##
++## Make rpm_exec_t an entry point for
++## the specified domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_entry_type',`
++ gen_require(`
++ type rpm_exec_t;
++ ')
++
++ domain_entry_file($1, rpm_exec_t)
++')
++
++########################################
++##
++## Allow application to transition to rpm_script domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_transition_script',`
++ gen_require(`
++ type rpm_script_t;
++ attribute rpm_transition_domain;
++ ')
++
++ typeattribute $1 rpm_transition_domain;
++ allow $1 rpm_script_t:process transition;
++
++ allow $1 rpm_script_t:fd use;
++ allow rpm_script_t $1:fd use;
++ allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
++ allow rpm_script_t $1:process sigchld;
++')
+diff --git a/rpm.te b/rpm.te
+index 60149a5..b33a77d 100644
+--- a/rpm.te
++++ b/rpm.te
+@@ -1,15 +1,11 @@
+ policy_module(rpm, 1.15.0)
+
++attribute rpm_transition_domain;
++
+ ########################################
+ #
+ # Declarations
+ #
+-
+-attribute_role rpm_roles;
+-
+-type debuginfo_exec_t;
+-domain_entry_file(rpm_t, debuginfo_exec_t)
+-
+ type rpm_t;
+ type rpm_exec_t;
+ init_system_domain(rpm_t, rpm_exec_t)
+@@ -17,7 +13,10 @@ domain_obj_id_change_exemption(rpm_t)
+ domain_role_change_exemption(rpm_t)
+ domain_system_change_exemption(rpm_t)
+ domain_interactive_fd(rpm_t)
+-role rpm_roles types rpm_t;
++role system_r types rpm_t;
++
++type debuginfo_exec_t;
++domain_entry_file(rpm_t, debuginfo_exec_t)
+
+ type rpm_file_t;
+ files_type(rpm_file_t)
+@@ -50,7 +49,6 @@ corecmd_bin_entry_type(rpm_script_t)
+ domain_type(rpm_script_t)
+ domain_entry_file(rpm_t, rpm_script_exec_t)
+ domain_interactive_fd(rpm_script_t)
+-role rpm_roles types rpm_script_t;
+ role system_r types rpm_script_t;
+
+ type rpm_script_tmp_t;
+@@ -80,6 +78,9 @@ allow rpm_t self:shm create_shm_perms;
+ allow rpm_t self:sem create_sem_perms;
+ allow rpm_t self:msgq create_msgq_perms;
+ allow rpm_t self:msg { send receive };
++allow rpm_t self:dir search;
++allow rpm_t self:file rw_file_perms;;
++allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ allow rpm_t rpm_log_t:file manage_file_perms;
+ logging_log_filetrans(rpm_t, rpm_log_t, file)
+@@ -105,17 +106,19 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
+ manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
+ files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
+
++manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
+ manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
+-files_pid_filetrans(rpm_t, rpm_var_run_t, file)
++files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir })
+
+ kernel_read_crypto_sysctls(rpm_t)
+ kernel_read_network_state(rpm_t)
+ kernel_read_system_state(rpm_t)
+ kernel_read_kernel_sysctls(rpm_t)
++kernel_read_network_state_symlinks(rpm_t)
++kernel_rw_irq_sysctls(rpm_t)
+
+ corecmd_exec_all_executables(rpm_t)
+
+-corenet_all_recvfrom_unlabeled(rpm_t)
+ corenet_all_recvfrom_netlabel(rpm_t)
+ corenet_tcp_sendrecv_generic_if(rpm_t)
+ corenet_raw_sendrecv_generic_if(rpm_t)
+@@ -131,6 +134,19 @@ corenet_sendrecv_all_client_packets(rpm_t)
+ dev_list_sysfs(rpm_t)
+ dev_list_usbfs(rpm_t)
+ dev_read_urand(rpm_t)
++dev_read_raw_memory(rpm_t)
++dev_manage_all_dev_nodes(rpm_t)
++
++#devices_manage_all_device_types(rpm_t)
++dev_create_generic_blk_files(rpm_t)
++dev_create_generic_chr_files(rpm_t)
++dev_delete_all_blk_files(rpm_t)
++dev_delete_all_chr_files(rpm_t)
++dev_relabel_all_dev_nodes(rpm_t)
++dev_rename_generic_blk_files(rpm_t)
++dev_rename_generic_chr_files(rpm_t)
++dev_setattr_all_blk_files(rpm_t)
++dev_setattr_all_chr_files(rpm_t)
+
+ fs_getattr_all_dirs(rpm_t)
+ fs_list_inotifyfs(rpm_t)
+@@ -158,8 +174,8 @@ storage_raw_read_fixed_disk(rpm_t)
+
+ term_list_ptys(rpm_t)
+
+-files_relabel_non_auth_files(rpm_t)
+-files_manage_non_auth_files(rpm_t)
++files_relabel_all_files(rpm_t)
++files_manage_all_files(rpm_t)
+ auth_dontaudit_read_shadow(rpm_t)
+ auth_use_nsswitch(rpm_t)
+
+@@ -168,7 +184,6 @@ rpm_domtrans_script(rpm_t)
+
+ domain_read_all_domains_state(rpm_t)
+ domain_getattr_all_domains(rpm_t)
+-domain_dontaudit_ptrace_all_domains(rpm_t)
+ domain_use_interactive_fds(rpm_t)
+ domain_dontaudit_getattr_all_pipes(rpm_t)
+ domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
+@@ -177,23 +192,26 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+ domain_dontaudit_getattr_all_raw_sockets(rpm_t)
+ domain_dontaudit_getattr_all_stream_sockets(rpm_t)
+ domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
++domain_signull_all_domains(rpm_t)
+
+ files_exec_etc_files(rpm_t)
+
+ init_domtrans_script(rpm_t)
+ init_use_script_ptys(rpm_t)
++init_signull_script(rpm_t)
+
+ libs_exec_ld_so(rpm_t)
+ libs_exec_lib_files(rpm_t)
+-libs_run_ldconfig(rpm_t, rpm_roles)
+
+ logging_send_syslog_msg(rpm_t)
+
++miscfiles_filetrans_named_content(rpm_t)
++
+ # allow compiling and loading new policy
+ seutil_manage_src_policy(rpm_t)
+ seutil_manage_bin_policy(rpm_t)
+
+-userdom_use_user_terminals(rpm_t)
++userdom_use_inherited_user_terminals(rpm_t)
+ userdom_use_unpriv_users_fds(rpm_t)
+
+ optional_policy(`
+@@ -211,14 +229,15 @@ optional_policy(`
+ optional_policy(`
+ networkmanager_dbus_chat(rpm_t)
+ ')
++
+ ')
+
+ optional_policy(`
+- prelink_run(rpm_t, rpm_roles)
++ prelink_domtrans(rpm_t)
+ ')
+
+ optional_policy(`
+- unconfined_domain(rpm_t)
++ unconfined_domain_noaudit(rpm_t)
+ # yum-updatesd requires this
+ unconfined_dbus_chat(rpm_t)
+ unconfined_dbus_chat(rpm_script_t)
+@@ -229,7 +248,8 @@ optional_policy(`
+ # rpm-script Local policy
+ #
+
+-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
++allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
++
+ allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
+ allow rpm_script_t self:fd use;
+ allow rpm_script_t self:fifo_file rw_fifo_file_perms;
+@@ -261,12 +281,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+ fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ can_exec(rpm_script_t, rpm_script_tmpfs_t)
+
++allow rpm_script_t rpm_t:netlink_route_socket { read write };
++
+ kernel_read_crypto_sysctls(rpm_script_t)
+ kernel_read_kernel_sysctls(rpm_script_t)
+ kernel_read_system_state(rpm_script_t)
+ kernel_read_network_state(rpm_script_t)
++kernel_list_all_proc(rpm_script_t)
+ kernel_read_software_raid_state(rpm_script_t)
+
++# needed by rhn_check
++corenet_tcp_connect_http_port(rpm_script_t)
++
+ dev_list_sysfs(rpm_script_t)
+
+ # ideally we would not need this
+@@ -286,7 +312,6 @@ fs_unmount_xattr_fs(rpm_script_t)
+ fs_search_auto_mountpoints(rpm_script_t)
+
+ mcs_killall(rpm_script_t)
+-mcs_ptrace_all(rpm_script_t)
+
+ mls_file_read_all_levels(rpm_script_t)
+ mls_file_write_all_levels(rpm_script_t)
+@@ -303,19 +328,20 @@ storage_raw_write_fixed_disk(rpm_script_t)
+
+ term_getattr_unallocated_ttys(rpm_script_t)
+ term_list_ptys(rpm_script_t)
+-term_use_all_terms(rpm_script_t)
++term_use_all_inherited_terms(rpm_script_t)
+
+ auth_dontaudit_getattr_shadow(rpm_script_t)
+ auth_use_nsswitch(rpm_script_t)
+ # ideally we would not need this
+-files_manage_non_auth_files(rpm_script_t)
+-auth_relabel_shadow(rpm_script_t)
++files_manage_all_files(rpm_script_t)
++files_relabel_all_files(rpm_script_t)
+
+ corecmd_exec_all_executables(rpm_script_t)
++can_exec(rpm_script_t, rpm_script_tmp_t)
++can_exec(rpm_script_t, rpm_script_tmpfs_t)
+
+ domain_read_all_domains_state(rpm_script_t)
+ domain_getattr_all_domains(rpm_script_t)
+-domain_dontaudit_ptrace_all_domains(rpm_script_t)
+ domain_use_interactive_fds(rpm_script_t)
+ domain_signal_all_domains(rpm_script_t)
+ domain_signull_all_domains(rpm_script_t)
+@@ -328,35 +354,41 @@ files_relabel_all_files(rpm_script_t)
+ init_domtrans_script(rpm_script_t)
+ init_telinit(rpm_script_t)
+
++systemd_config_all_services(rpm_script_t)
++
+ libs_exec_ld_so(rpm_script_t)
+ libs_exec_lib_files(rpm_script_t)
+-libs_run_ldconfig(rpm_script_t, rpm_roles)
++libs_ldconfig_exec_entry_type(rpm_script_t)
+
+ logging_send_syslog_msg(rpm_script_t)
+
+-miscfiles_read_localization(rpm_script_t)
++miscfiles_filetrans_named_content(rpm_script_t)
+
+-modutils_run_depmod(rpm_script_t, rpm_roles)
+-modutils_run_insmod(rpm_script_t, rpm_roles)
+-
+-seutil_run_loadpolicy(rpm_script_t, rpm_roles)
+-seutil_run_setfiles(rpm_script_t, rpm_roles)
+-seutil_run_semanage(rpm_script_t, rpm_roles)
++seutil_domtrans_loadpolicy(rpm_script_t)
++seutil_domtrans_setfiles(rpm_script_t)
++seutil_domtrans_semanage(rpm_script_t)
++seutil_domtrans_setsebool(rpm_script_t)
+
+ userdom_use_all_users_fds(rpm_script_t)
++userdom_exec_admin_home_files(rpm_script_t)
+
+ ifdef(`distro_redhat',`
+ optional_policy(`
+ mta_send_mail(rpm_script_t)
++ mta_system_content(rpm_var_run_t)
+ ')
+ ')
+
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow rpm_script_t self:process execmem;
+ ')
+
+ optional_policy(`
+- bootloader_run(rpm_script_t, rpm_roles)
++ bootloader_domtrans(rpm_script_t)
++')
++
++optional_policy(`
++ cups_filetrans_named_content(rpm_script_t)
+ ')
+
+ optional_policy(`
+@@ -364,7 +396,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- lvm_run(rpm_script_t, rpm_roles)
++ lvm_domtrans(rpm_script_t)
+ ')
+
+ optional_policy(`
+@@ -372,8 +404,17 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- tzdata_run(rpm_t, rpm_roles)
+- tzdata_run(rpm_script_t, rpm_roles)
++ modutils_domtrans_depmod(rpm_script_t)
++ modutils_domtrans_insmod(rpm_script_t)
++')
++
++optional_policy(`
++ openshift_initrc_domtrans(rpm_script_t)
++')
++
++optional_policy(`
++ tzdata_domtrans(rpm_t)
++ tzdata_domtrans(rpm_script_t)
+ ')
+
+ optional_policy(`
+@@ -381,7 +422,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- unconfined_domain(rpm_script_t)
++ unconfined_domain_noaudit(rpm_script_t)
+ unconfined_domtrans(rpm_script_t)
+
+ optional_policy(`
+@@ -394,6 +435,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- usermanage_run_groupadd(rpm_script_t, rpm_roles)
+- usermanage_run_useradd(rpm_script_t, rpm_roles)
++ usermanage_domtrans_groupadd(rpm_script_t)
++ usermanage_domtrans_useradd(rpm_script_t)
+ ')
+diff --git a/rshd.te b/rshd.te
+index 0b405d1..23c58c2 100644
+--- a/rshd.te
++++ b/rshd.te
+@@ -22,7 +22,6 @@ allow rshd_t self:tcp_socket create_stream_socket_perms;
+
+ kernel_read_kernel_sysctls(rshd_t)
+
+-corenet_all_recvfrom_unlabeled(rshd_t)
+ corenet_all_recvfrom_netlabel(rshd_t)
+ corenet_tcp_sendrecv_generic_if(rshd_t)
+ corenet_udp_sendrecv_generic_if(rshd_t)
+@@ -39,6 +38,8 @@ corenet_sendrecv_rsh_server_packets(rshd_t)
+
+ dev_read_urand(rshd_t)
+
++domain_interactive_fd(rshd_t)
++
+ selinux_get_fs_mount(rshd_t)
+ selinux_validate_context(rshd_t)
+ selinux_compute_access_vector(rshd_t)
+@@ -60,26 +61,16 @@ init_rw_utmp(rshd_t)
+ logging_send_syslog_msg(rshd_t)
+ logging_search_logs(rshd_t)
+
+-miscfiles_read_localization(rshd_t)
+-
+ seutil_read_config(rshd_t)
+ seutil_read_default_contexts(rshd_t)
+
+ userdom_search_user_home_content(rshd_t)
++userdom_manage_tmp_role(system_r, rshd_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(rshd_t)
+- fs_read_nfs_symlinks(rshd_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(rshd_t)
+- fs_read_cifs_symlinks(rshd_t)
+-')
++userdom_home_reader(rshd_t)
+
+ optional_policy(`
+ kerberos_keytab_template(rshd, rshd_t)
+- kerberos_manage_host_rcache(rshd_t)
+ ')
+
+ optional_policy(`
+diff --git a/rssh.fc b/rssh.fc
+index 4c091ca..a58f123 100644
+--- a/rssh.fc
++++ b/rssh.fc
+@@ -1 +1,3 @@
+ /usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0)
++
++/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
+diff --git a/rssh.te b/rssh.te
+index ffb9605..4bb7119 100644
+--- a/rssh.te
++++ b/rssh.te
+@@ -63,7 +63,6 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+ kernel_read_system_state(rssh_t)
+ kernel_read_kernel_sysctls(rssh_t)
+
+-files_read_etc_files(rssh_t)
+ files_read_etc_runtime_files(rssh_t)
+ files_list_home(rssh_t)
+ files_read_usr_files(rssh_t)
+@@ -73,8 +72,6 @@ fs_search_auto_mountpoints(rssh_t)
+
+ logging_send_syslog_msg(rssh_t)
+
+-miscfiles_read_localization(rssh_t)
+-
+ rssh_domtrans_chroot_helper(rssh_t)
+
+ ssh_rw_tcp_sockets(rssh_t)
+@@ -95,10 +92,6 @@ allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms;
+
+ domain_use_interactive_fds(rssh_chroot_helper_t)
+
+-files_read_etc_files(rssh_chroot_helper_t)
+-
+ auth_use_nsswitch(rssh_chroot_helper_t)
+
+ logging_send_syslog_msg(rssh_chroot_helper_t)
+-
+-miscfiles_read_localization(rssh_chroot_helper_t)
+diff --git a/rsync.fc b/rsync.fc
+index 479615b..2d77839 100644
+--- a/rsync.fc
++++ b/rsync.fc
+@@ -2,6 +2,6 @@
+
+ /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+
+-/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
++/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)
+
+ /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
+diff --git a/rsync.if b/rsync.if
+index 3386f29..8d8f6c5 100644
+--- a/rsync.if
++++ b/rsync.if
+@@ -119,7 +119,7 @@ interface(`rsync_read_config',`
+ type rsync_etc_t;
+ ')
+
+- allow $1 rsync_etc_t:file read_file_perms;
++ read_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ files_search_etc($1)
+ ')
+
+@@ -128,9 +128,9 @@ interface(`rsync_read_config',`
+ ## Write to rsync config files.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`rsync_write_config',`
+@@ -138,6 +138,49 @@ interface(`rsync_write_config',`
+ type rsync_etc_t;
+ ')
+
+- allow $1 rsync_etc_t:file read_file_perms;
++ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
++ files_search_etc($1)
++')
++
++########################################
++##
++## Manage rsync config files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rsync_manage_config',`
++ gen_require(`
++ type rsync_etc_t;
++ ')
++
++ manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ files_search_etc($1)
+ ')
++
++########################################
++##
++## Create objects in etc directories
++## with rsync etc type.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Class of the object being created.
++##
++##
++#
++interface(`rsync_filetrans_config',`
++ gen_require(`
++ type rsync_etc_t;
++ ')
++
++ files_etc_filetrans($1, rsync_etc_t, $2)
++')
+diff --git a/rsync.te b/rsync.te
+index 2834d86..8fdd060 100644
+--- a/rsync.te
++++ b/rsync.te
+@@ -7,6 +7,27 @@ policy_module(rsync, 1.12.0)
+
+ ##
+ ##
++## Allow rsync servers to share cifs files systems
++##
++##
++gen_tunable(rsync_use_cifs, false)
++
++##
++##
++## Allow rsync servers to share nfs files systems
++##
++##
++gen_tunable(rsync_use_nfs, false)
++
++##
++##
++## Allow rsync to run as a client
++##
++##
++gen_tunable(rsync_client, false)
++
++##
++##
+ ## Allow rsync to export any files/directories read only.
+ ##
+ ##
+@@ -19,7 +40,7 @@ gen_tunable(rsync_export_all_ro, false)
+ ## labeled public_content_rw_t.
+ ##
+ ##
+-gen_tunable(allow_rsync_anon_write, false)
++gen_tunable(rsync_anon_write, false)
+
+ type rsync_t;
+ type rsync_exec_t;
+@@ -59,7 +80,7 @@ allow rsync_t self:udp_socket connected_socket_perms;
+ allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+ #end for identd
+
+-allow rsync_t rsync_etc_t:file read_file_perms;
++read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
+
+ allow rsync_t rsync_data_t:dir list_dir_perms;
+ read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+@@ -79,7 +100,6 @@ kernel_read_kernel_sysctls(rsync_t)
+ kernel_read_system_state(rsync_t)
+ kernel_read_network_state(rsync_t)
+
+-corenet_all_recvfrom_unlabeled(rsync_t)
+ corenet_all_recvfrom_netlabel(rsync_t)
+ corenet_tcp_sendrecv_generic_if(rsync_t)
+ corenet_udp_sendrecv_generic_if(rsync_t)
+@@ -94,18 +114,19 @@ corenet_sendrecv_rsync_server_packets(rsync_t)
+ dev_read_urand(rsync_t)
+
+ fs_getattr_xattr_fs(rsync_t)
++fs_search_auto_mountpoints(rsync_t)
+
+-files_read_etc_files(rsync_t)
+ files_search_home(rsync_t)
+
+ auth_use_nsswitch(rsync_t)
+
+ logging_send_syslog_msg(rsync_t)
+
+-miscfiles_read_localization(rsync_t)
+ miscfiles_read_public_files(rsync_t)
+
+-tunable_policy(`allow_rsync_anon_write',`
++userdom_home_manager(rsync_t)
++
++tunable_policy(`rsync_anon_write',`
+ miscfiles_manage_public_files(rsync_t)
+ ')
+
+@@ -122,12 +143,26 @@ optional_policy(`
+ ')
+
+ tunable_policy(`rsync_export_all_ro',`
+- fs_read_noxattr_fs_files(rsync_t)
++ files_getattr_all_pipes(rsync_t)
++ fs_read_noxattr_fs_files(rsync_t)
+ fs_read_nfs_files(rsync_t)
+ fs_read_cifs_files(rsync_t)
+- files_list_non_auth_dirs(rsync_t)
+- files_read_non_auth_files(rsync_t)
+- files_read_non_auth_symlinks(rsync_t)
++ files_read_non_security_files(rsync_t)
+ auth_tunable_read_shadow(rsync_t)
+ ')
++
++tunable_policy(`rsync_client',`
++ corenet_tcp_connect_rsync_port(rsync_t)
++ corenet_tcp_connect_ssh_port(rsync_t)
++ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
++ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
++ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
++')
++
++optional_policy(`
++ tunable_policy(`rsync_client',`
++ ssh_exec(rsync_t)
++ ')
++')
++
+ auth_can_read_shadow_passwords(rsync_t)
+diff --git a/rtkit.if b/rtkit.if
+index 46dad1f..051addd 100644
+--- a/rtkit.if
++++ b/rtkit.if
+@@ -41,6 +41,28 @@ interface(`rtkit_daemon_dbus_chat',`
+
+ ########################################
+ ##
++## Do not audit send and receive messages from
++## rtkit_daemon over dbus.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`rtkit_daemon_dontaudit_dbus_chat',`
++ gen_require(`
++ type rtkit_daemon_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 rtkit_daemon_t:dbus send_msg;
++ dontaudit rtkit_daemon_t $1:dbus send_msg;
++ dontaudit rtkit_daemon_t $1:process { getsched setsched };
++')
++
++########################################
++##
+ ## Allow rtkit to control scheduling for your process
+ ##
+ ##
+@@ -54,6 +76,7 @@ interface(`rtkit_scheduled',`
+ type rtkit_daemon_t;
+ ')
+
++ kernel_search_proc($1)
+ ps_process_pattern(rtkit_daemon_t, $1)
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
+diff --git a/rtkit.te b/rtkit.te
+index 6f8e268..eaad2c5 100644
+--- a/rtkit.te
++++ b/rtkit.te
+@@ -7,7 +7,7 @@ policy_module(rtkit, 1.1.0)
+
+ type rtkit_daemon_t;
+ type rtkit_daemon_exec_t;
+-dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
++init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
+
+ ########################################
+ #
+@@ -28,8 +28,9 @@ auth_use_nsswitch(rtkit_daemon_t)
+
+ logging_send_syslog_msg(rtkit_daemon_t)
+
+-miscfiles_read_localization(rtkit_daemon_t)
+-
++optional_policy(`
++ dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
++')
+ optional_policy(`
+ policykit_dbus_chat(rtkit_daemon_t)
+ ')
+diff --git a/rwho.if b/rwho.if
+index 71ea0ea..886a45e 100644
+--- a/rwho.if
++++ b/rwho.if
+@@ -138,8 +138,11 @@ interface(`rwho_admin',`
+ type rwho_initrc_exec_t;
+ ')
+
+- allow $1 rwho_t:process { ptrace signal_perms };
++ allow $1 rwho_t:process signal_perms;
+ ps_process_pattern($1, rwho_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 rwho_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, rwho_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/rwho.te b/rwho.te
+index a07b2f4..22e0db0 100644
+--- a/rwho.te
++++ b/rwho.te
+@@ -16,7 +16,7 @@ type rwho_log_t;
+ files_type(rwho_log_t)
+
+ type rwho_spool_t;
+-files_type(rwho_spool_t)
++files_spool_file(rwho_spool_t)
+
+ ########################################
+ #
+@@ -24,6 +24,7 @@ files_type(rwho_spool_t)
+ #
+
+ allow rwho_t self:capability sys_chroot;
++allow rwho_t self:process signal;
+ allow rwho_t self:unix_dgram_socket create;
+ allow rwho_t self:fifo_file rw_file_perms;
+ allow rwho_t self:unix_stream_socket create_stream_socket_perms;
+@@ -39,7 +40,6 @@ files_spool_filetrans(rwho_t, rwho_spool_t, { file dir })
+
+ kernel_read_system_state(rwho_t)
+
+-corenet_all_recvfrom_unlabeled(rwho_t)
+ corenet_all_recvfrom_netlabel(rwho_t)
+ corenet_udp_sendrecv_generic_if(rwho_t)
+ corenet_udp_sendrecv_generic_node(rwho_t)
+@@ -55,6 +55,8 @@ files_read_etc_files(rwho_t)
+ init_read_utmp(rwho_t)
+ init_dontaudit_write_utmp(rwho_t)
+
+-miscfiles_read_localization(rwho_t)
++logging_send_syslog_msg(rwho_t)
+
+ sysnet_dns_name_resolve(rwho_t)
++
++userdom_getattr_user_terminals(rwho_t)
+diff --git a/samba.fc b/samba.fc
+index 69a6074..2ccac49 100644
+--- a/samba.fc
++++ b/samba.fc
+@@ -14,6 +14,9 @@
+ #
+ # /usr
+ #
++/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
++/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
++
+ /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
+ /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+ /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+@@ -31,11 +34,17 @@
+ /var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+ /var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
++/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
++
+ /var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+ /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+ /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
+
++/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
++/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
++
++/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+@@ -48,6 +57,11 @@
+ /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+
++/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+ /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
++
++ifndef(`enable_mls',`
++/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
++')
+diff --git a/samba.if b/samba.if
+index 82cb169..a6bab06 100644
+--- a/samba.if
++++ b/samba.if
+@@ -42,6 +42,44 @@ interface(`samba_signal_nmbd',`
+
+ ########################################
+ ##
++## Search the samba pid directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`samba_search_pid',`
++ gen_require(`
++ type smbd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 smbd_var_run_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Connect to nmbd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`samba_stream_connect_nmbd',`
++ gen_require(`
++ type nmbd_t, nmbd_var_run_t;
++ ')
++
++ samba_search_pid($1)
++ stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
++')
++
++########################################
++##
+ ## Execute samba server in the samba domain.
+ ##
+ ##
+@@ -60,6 +98,29 @@ interface(`samba_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute samba server in the samba domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`samba_systemctl',`
++ gen_require(`
++ type samba_unit_file_t;
++ type smbd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 samba_unit_file_t:file read_file_perms;
++ allow $1 samba_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, smbd_t)
++')
++
++########################################
++##
+ ## Execute samba net in the samba_net domain.
+ ##
+ ##
+@@ -79,6 +140,25 @@ interface(`samba_domtrans_net',`
+
+ ########################################
+ ##
++## Execute samba net in the samba_unconfined_net domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`samba_domtrans_unconfined_net',`
++ gen_require(`
++ type samba_unconfined_net_t, samba_net_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
++')
++
++########################################
++##
+ ## Execute samba net in the samba_net domain, and
+ ## allow the specified role the samba_net domain.
+ ##
+@@ -103,6 +183,51 @@ interface(`samba_run_net',`
+ role $2 types samba_net_t;
+ ')
+
++#######################################
++##
++## The role for the samba module.
++##
++##
++##
++## The role to be allowed the samba_net domain.
++##
++##
++##
++#
++interface(`samba_role_notrans',`
++ gen_require(`
++ type smbd_t;
++ ')
++
++ role $1 types smbd_t;
++')
++
++########################################
++##
++## Execute samba net in the samba_unconfined_net domain, and
++## allow the specified role the samba_unconfined_net domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The role to be allowed the samba_unconfined_net domain.
++##
++##
++##
++#
++interface(`samba_run_unconfined_net',`
++ gen_require(`
++ type samba_unconfined_net_t;
++ ')
++
++ samba_domtrans_unconfined_net($1)
++ role $2 types samba_unconfined_net_t;
++')
++
+ ########################################
+ ##
+ ## Execute smbmount in the smbmount domain.
+@@ -166,6 +291,7 @@ interface(`samba_read_config',`
+ ')
+
+ files_search_etc($1)
++ list_dirs_pattern($1, samba_etc_t, samba_etc_t)
+ read_files_pattern($1, samba_etc_t, samba_etc_t)
+ ')
+
+@@ -409,9 +535,10 @@ interface(`samba_manage_var_files',`
+ type samba_var_t;
+ ')
+
+- files_search_var($1)
++ files_search_var_lib($1)
+ files_search_var_lib($1)
+ manage_files_pattern($1, samba_var_t, samba_var_t)
++ manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
+ ')
+
+ ########################################
+@@ -548,6 +675,24 @@ interface(`samba_rw_smbmount_tcp_sockets',`
+ allow $1 smbmount_t:tcp_socket { read write };
+ ')
+
++#######################################
++##
++## Allow to getattr on winbind binary.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`samba_getattr_winbind',`
++ gen_require(`
++ type winbind_exec_t;
++ ')
++
++ allow $1 winbind_exec_t:file getattr;
++')
++
+ ########################################
+ ##
+ ## Execute winbind_helper in the winbind_helper domain.
+@@ -564,6 +709,7 @@ interface(`samba_domtrans_winbind_helper',`
+ ')
+
+ domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
++ allow $1 winbind_helper_t:process signal;
+ ')
+
+ ########################################
+@@ -607,7 +753,7 @@ interface(`samba_read_winbind_pid',`
+ type winbind_var_run_t;
+ ')
+
+- files_search_pids($1)
++ samba_search_pid($1)
+ allow $1 winbind_var_run_t:file read_file_perms;
+ ')
+
+@@ -626,9 +772,10 @@ interface(`samba_stream_connect_winbind',`
+ type samba_var_t, winbind_t, winbind_var_run_t;
+ ')
+
+- files_search_pids($1)
++ samba_search_pid($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+ stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
++ samba_read_config($1)
+
+ ifndef(`distro_redhat',`
+ gen_require(`
+@@ -644,6 +791,37 @@ interface(`samba_stream_connect_winbind',`
+
+ ########################################
+ ##
++## Create a set of derived types for apache
++## web content.
++##
++##
++##
++## The prefix to be used for deriving type names.
++##
++##
++#
++template(`samba_helper_template',`
++ gen_require(`
++ type smbd_t;
++ role system_r;
++ ')
++
++ #This type is for samba helper scripts
++ type samba_$1_script_t;
++ domain_type(samba_$1_script_t)
++ role system_r types samba_$1_script_t;
++
++ # This type is used for executable scripts files
++ type samba_$1_script_exec_t;
++ corecmd_shell_entry_type(samba_$1_script_t)
++ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
++
++ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
++ allow smbd_t samba_$1_script_exec_t:file ioctl;
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an samba environment
+ ##
+@@ -661,33 +839,33 @@ interface(`samba_stream_connect_winbind',`
+ #
+ interface(`samba_admin',`
+ gen_require(`
+- type nmbd_t, nmbd_var_run_t;
+- type smbd_t, smbd_tmp_t;
+- type smbd_var_run_t;
+- type smbd_spool_t;
+-
+- type samba_log_t, samba_var_t;
+- type samba_etc_t, samba_share_t;
+- type samba_secrets_t;
+-
+- type swat_var_run_t, swat_tmp_t;
+-
+- type winbind_var_run_t, winbind_tmp_t;
+- type winbind_log_t;
+-
+- type samba_initrc_exec_t;
++ type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
++ type smbd_t, smbd_tmp_t, samba_secrets_t;
++ type samba_initrc_exec_t, samba_log_t, samba_var_t;
++ type samba_etc_t, samba_share_t, winbind_log_t;
++ type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t;
++ type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
++ type samba_unit_file_t;
+ ')
+
+- allow $1 smbd_t:process { ptrace signal_perms };
++ allow $1 smbd_t:process signal_perms;
+ ps_process_pattern($1, smbd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 smbd_t:process ptrace;
++ allow $1 nmbd_t:process ptrace;
++ allow $1 samba_unconfined_script_t:process ptrace;
++ ')
+
+- allow $1 nmbd_t:process { ptrace signal_perms };
++ allow $1 nmbd_t:process signal_perms;
+ ps_process_pattern($1, nmbd_t)
+
+- samba_run_smbcontrol($1, $2, $3)
+- samba_run_winbind_helper($1, $2, $3)
+- samba_run_smbmount($1, $2, $3)
+- samba_run_net($1, $2, $3)
++ allow $1 samba_unconfined_script_t:process signal_perms;
++ ps_process_pattern($1, samba_unconfined_script_t)
++
++ samba_run_smbcontrol($1, $2)
++ samba_run_winbind_helper($1, $2)
++ samba_run_smbmount($1, $2)
++ samba_run_net($1, $2)
+
+ init_labeled_script_domtrans($1, samba_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -709,9 +887,6 @@ interface(`samba_admin',`
+ admin_pattern($1, samba_var_t)
+ files_list_var($1)
+
+- admin_pattern($1, smbd_spool_t)
+- files_list_spool($1)
+-
+ admin_pattern($1, smbd_var_run_t)
+ files_list_pids($1)
+
+@@ -727,4 +902,9 @@ interface(`samba_admin',`
+ admin_pattern($1, winbind_tmp_t)
+
+ admin_pattern($1, winbind_var_run_t)
++ admin_pattern($1, samba_unconfined_script_exec_t)
++
++ samba_systemctl($1)
++ admin_pattern($1, samba_unit_file_t)
++ allow $1 samba_unit_file_t:service all_service_perms;
+ ')
+diff --git a/samba.te b/samba.te
+index 905883f..7e70344 100644
+--- a/samba.te
++++ b/samba.te
+@@ -12,7 +12,7 @@ policy_module(samba, 1.15.0)
+ ## public_content_rw_t.
+ ##
+ ##
+-gen_tunable(allow_smbd_anon_write, false)
++gen_tunable(smbd_anon_write, false)
+
+ ##
+ ##
+@@ -32,6 +32,14 @@ gen_tunable(samba_domain_controller, false)
+
+ ##
+ ##
++## Allow samba to act as a portmapper
++##
++##
++##
++gen_tunable(samba_portmapper, false)
++
++##
++##
+ ## Allow samba to share users home directories.
+ ##
+ ##
+@@ -85,6 +93,9 @@ files_config_file(samba_etc_t)
+ type samba_initrc_exec_t;
+ init_script_file(samba_initrc_exec_t)
+
++type samba_unit_file_t;
++systemd_unit_file(samba_unit_file_t)
++
+ type samba_log_t;
+ logging_log_file(samba_log_t)
+
+@@ -152,9 +163,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
+ type winbind_log_t;
+ logging_log_file(winbind_log_t)
+
+-type winbind_tmp_t;
+-files_tmp_file(winbind_tmp_t)
+-
+ type winbind_var_run_t;
+ files_pid_file(winbind_var_run_t)
+
+@@ -181,11 +189,12 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
+ manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
+ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
++files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
+
+ kernel_read_proc_symlinks(samba_net_t)
+ kernel_read_system_state(samba_net_t)
++kernel_read_network_state(samba_net_t)
+
+-corenet_all_recvfrom_unlabeled(samba_net_t)
+ corenet_all_recvfrom_netlabel(samba_net_t)
+ corenet_tcp_sendrecv_generic_if(samba_net_t)
+ corenet_udp_sendrecv_generic_if(samba_net_t)
+@@ -203,7 +212,6 @@ dev_read_urand(samba_net_t)
+
+ domain_use_interactive_fds(samba_net_t)
+
+-files_read_etc_files(samba_net_t)
+ files_read_usr_symlinks(samba_net_t)
+
+ auth_use_nsswitch(samba_net_t)
+@@ -211,15 +219,16 @@ auth_manage_cache(samba_net_t)
+
+ logging_send_syslog_msg(samba_net_t)
+
+-miscfiles_read_localization(samba_net_t)
+-
+ samba_read_var_files(samba_net_t)
+
+-userdom_use_user_terminals(samba_net_t)
++sysnet_use_ldap(samba_net_t)
++
++userdom_use_inherited_user_terminals(samba_net_t)
+ userdom_list_user_home_dirs(samba_net_t)
+
+ optional_policy(`
+- ldap_stream_connect(samba_net_t)
++ ldap_stream_connect(samba_net_t)
++ dirsrv_stream_connect(samba_net_t)
+ ')
+
+ optional_policy(`
+@@ -228,13 +237,15 @@ optional_policy(`
+
+ optional_policy(`
+ kerberos_use(samba_net_t)
++ kerberos_etc_filetrans_keytab(samba_net_t)
+ ')
+
+ ########################################
+ #
+ # smbd Local policy
+ #
+-allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
++
++allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
+ dontaudit smbd_t self:capability sys_tty_config;
+ allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow smbd_t self:process setrlimit;
+@@ -244,6 +255,7 @@ allow smbd_t self:msg { send receive };
+ allow smbd_t self:msgq create_msgq_perms;
+ allow smbd_t self:sem create_sem_perms;
+ allow smbd_t self:shm create_shm_perms;
++allow smbd_t self:key manage_key_perms;
+ allow smbd_t self:sock_file read_sock_file_perms;
+ allow smbd_t self:tcp_socket create_stream_socket_perms;
+ allow smbd_t self:udp_socket create_socket_perms;
+@@ -253,6 +265,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow smbd_t nmbd_t:process { signal signull };
+
+ allow smbd_t nmbd_var_run_t:file rw_file_perms;
++stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+
+ allow smbd_t samba_etc_t:file { rw_file_perms setattr };
+
+@@ -267,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+ manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
+ manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
+ manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
+-allow smbd_t samba_share_t:filesystem getattr;
++allow smbd_t samba_share_t:filesystem { getattr quotaget };
+
+ manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
+ manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+ manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
++files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
+
+ allow smbd_t smbcontrol_t:process { signal signull };
+
+@@ -283,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+ manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+ manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+-files_pid_filetrans(smbd_t, smbd_var_run_t, file)
++files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
+
+ allow smbd_t swat_t:process signal;
+
+@@ -302,7 +316,6 @@ kernel_read_system_state(smbd_t)
+ corecmd_exec_shell(smbd_t)
+ corecmd_exec_bin(smbd_t)
+
+-corenet_all_recvfrom_unlabeled(smbd_t)
+ corenet_all_recvfrom_netlabel(smbd_t)
+ corenet_tcp_sendrecv_generic_if(smbd_t)
+ corenet_udp_sendrecv_generic_if(smbd_t)
+@@ -320,6 +333,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
+
+ dev_read_sysfs(smbd_t)
+ dev_read_urand(smbd_t)
++dev_dontaudit_write_urand(smbd_t)
+ dev_getattr_mtrr_dev(smbd_t)
+ dev_dontaudit_getattr_usbfs_dirs(smbd_t)
+ # For redhat bug 566984
+@@ -327,26 +341,29 @@ dev_getattr_all_blk_files(smbd_t)
+ dev_getattr_all_chr_files(smbd_t)
+
+ fs_getattr_all_fs(smbd_t)
++fs_getattr_all_dirs(smbd_t)
+ fs_get_xattr_fs_quotas(smbd_t)
+ fs_search_auto_mountpoints(smbd_t)
+ fs_getattr_rpc_dirs(smbd_t)
+ fs_list_inotifyfs(smbd_t)
++fs_get_all_fs_quotas(smbd_t)
+
+ auth_use_nsswitch(smbd_t)
+ auth_domtrans_chk_passwd(smbd_t)
+ auth_domtrans_upd_passwd(smbd_t)
+ auth_manage_cache(smbd_t)
++auth_write_login_records(smbd_t)
+
+ domain_use_interactive_fds(smbd_t)
+ domain_dontaudit_list_all_domains_state(smbd_t)
+
+ files_list_var_lib(smbd_t)
+-files_read_etc_files(smbd_t)
+ files_read_etc_runtime_files(smbd_t)
+ files_read_usr_files(smbd_t)
+ files_search_spool(smbd_t)
+ # smbd seems to getattr all mountpoints
+ files_dontaudit_getattr_all_dirs(smbd_t)
++files_dontaudit_list_all_mountpoints(smbd_t)
+ # Allow samba to list mnt_t for potential mounted dirs
+ files_list_mnt(smbd_t)
+
+@@ -355,9 +372,10 @@ init_rw_utmp(smbd_t)
+ logging_search_logs(smbd_t)
+ logging_send_syslog_msg(smbd_t)
+
+-miscfiles_read_localization(smbd_t)
+ miscfiles_read_public_files(smbd_t)
+
++sysnet_use_ldap(smbd_t)
++
+ userdom_use_unpriv_users_fds(smbd_t)
+ userdom_search_user_home_content(smbd_t)
+ userdom_signal_all_users(smbd_t)
+@@ -372,8 +390,13 @@ ifdef(`hide_broken_symptoms', `
+ fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
+ ')
+
+-tunable_policy(`allow_smbd_anon_write',`
++tunable_policy(`smbd_anon_write',`
+ miscfiles_manage_public_files(smbd_t)
++')
++
++tunable_policy(`samba_portmapper',`
++ corenet_tcp_bind_epmap_port(smbd_t)
++ corenet_tcp_bind_all_unreserved_ports(smbd_t)
+ ')
+
+ tunable_policy(`samba_domain_controller',`
+@@ -389,12 +412,7 @@ tunable_policy(`samba_domain_controller',`
+ ')
+
+ tunable_policy(`samba_enable_home_dirs',`
+- userdom_manage_user_home_content_dirs(smbd_t)
+- userdom_manage_user_home_content_files(smbd_t)
+- userdom_manage_user_home_content_symlinks(smbd_t)
+- userdom_manage_user_home_content_sockets(smbd_t)
+- userdom_manage_user_home_content_pipes(smbd_t)
+- userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
++ userdom_manage_user_home_content(smbd_t)
+ ')
+
+ # Support Samba sharing of NFS mount points
+@@ -415,6 +433,15 @@ tunable_policy(`samba_share_fusefs',`
+ ')
+
+ optional_policy(`
++ ccs_read_config(smbd_t)
++')
++
++optional_policy(`
++ ctdbd_stream_connect(smbd_t)
++ ctdbd_manage_lib_files(smbd_t)
++')
++
++optional_policy(`
+ cups_read_rw_config(smbd_t)
+ cups_stream_connect(smbd_t)
+ ')
+@@ -426,6 +453,7 @@ optional_policy(`
+
+ optional_policy(`
+ ldap_stream_connect(smbd_t)
++ dirsrv_stream_connect(smbd_t)
+ ')
+
+ optional_policy(`
+@@ -452,26 +480,26 @@ optional_policy(`
+ tunable_policy(`samba_create_home_dirs',`
+ allow smbd_t self:capability chown;
+ userdom_create_user_home_dirs(smbd_t)
+- userdom_home_filetrans_user_home_dir(smbd_t)
+ ')
+
++userdom_home_filetrans_user_home_dir(smbd_t)
++
+ tunable_policy(`samba_export_all_ro',`
+- fs_read_noxattr_fs_files(smbd_t)
+- files_list_non_auth_dirs(smbd_t)
+- files_read_non_auth_files(smbd_t)
+- fs_read_noxattr_fs_files(nmbd_t)
+- files_list_non_auth_dirs(nmbd_t)
+- files_read_non_auth_files(nmbd_t)
++ fs_read_noxattr_fs_files(smbd_t)
++ files_read_non_security_files(smbd_t)
++ fs_read_noxattr_fs_files(nmbd_t)
++ files_read_non_security_files(nmbd_t)
+ ')
+
+ tunable_policy(`samba_export_all_rw',`
+- fs_read_noxattr_fs_files(smbd_t)
+- files_manage_non_auth_files(smbd_t)
+- fs_read_noxattr_fs_files(nmbd_t)
+- files_manage_non_auth_files(nmbd_t)
+- userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
++ fs_read_noxattr_fs_files(smbd_t)
++ files_manage_non_security_files(smbd_t)
++ fs_read_noxattr_fs_files(nmbd_t)
++ files_manage_non_security_files(nmbd_t)
+ ')
+
++userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
++
+ ########################################
+ #
+ # nmbd Local policy
+@@ -491,8 +519,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
+ allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
++manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
+ manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
+-files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
++manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
++files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file })
++filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir)
+
+ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+ read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -501,11 +532,13 @@ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
+ manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+
+ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
++manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
++manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
++manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
++files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
+
+ allow nmbd_t smbcontrol_t:process signal;
+
+-allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+-
+ kernel_getattr_core_if(nmbd_t)
+ kernel_getattr_message_if(nmbd_t)
+ kernel_read_kernel_sysctls(nmbd_t)
+@@ -513,7 +546,6 @@ kernel_read_network_state(nmbd_t)
+ kernel_read_software_raid_state(nmbd_t)
+ kernel_read_system_state(nmbd_t)
+
+-corenet_all_recvfrom_unlabeled(nmbd_t)
+ corenet_all_recvfrom_netlabel(nmbd_t)
+ corenet_tcp_sendrecv_generic_if(nmbd_t)
+ corenet_udp_sendrecv_generic_if(nmbd_t)
+@@ -536,7 +568,6 @@ fs_search_auto_mountpoints(nmbd_t)
+ domain_use_interactive_fds(nmbd_t)
+
+ files_read_usr_files(nmbd_t)
+-files_read_etc_files(nmbd_t)
+ files_list_var_lib(nmbd_t)
+
+ auth_use_nsswitch(nmbd_t)
+@@ -544,12 +575,14 @@ auth_use_nsswitch(nmbd_t)
+ logging_search_logs(nmbd_t)
+ logging_send_syslog_msg(nmbd_t)
+
+-miscfiles_read_localization(nmbd_t)
+-
+ userdom_use_unpriv_users_fds(nmbd_t)
+ userdom_dontaudit_search_user_home_dirs(nmbd_t)
+
+ optional_policy(`
++ ctdbd_stream_connect(nmbd_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(nmbd_t)
+ ')
+
+@@ -562,18 +595,21 @@ optional_policy(`
+ # smbcontrol local policy
+ #
+
++
++allow smbcontrol_t self:process signal;
+ # internal communication is often done using fifo and unix sockets.
+ allow smbcontrol_t self:fifo_file rw_file_perms;
+ allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
++allow smbcontrol_t self:process { signal signull };
+
+ allow smbcontrol_t nmbd_t:process { signal signull };
++read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
+
+-allow smbcontrol_t nmbd_var_run_t:file { read lock };
+-
+-allow smbcontrol_t smbd_t:process signal;
+-
++allow smbcontrol_t smbd_t:process { signal signull };
++read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
+ allow smbcontrol_t winbind_t:process { signal signull };
+
++files_search_var_lib(smbcontrol_t)
+ samba_read_config(smbcontrol_t)
+ samba_rw_var_files(smbcontrol_t)
+ samba_search_var(smbcontrol_t)
+@@ -581,11 +617,19 @@ samba_read_winbind_pid(smbcontrol_t)
+
+ domain_use_interactive_fds(smbcontrol_t)
+
+-files_read_etc_files(smbcontrol_t)
++dev_read_urand(smbcontrol_t)
++
++files_read_usr_files(smbcontrol_t)
++
++term_use_console(smbcontrol_t)
++
++sysnet_use_ldap(smbcontrol_t)
+
+-miscfiles_read_localization(smbcontrol_t)
++userdom_use_inherited_user_terminals(smbcontrol_t)
+
+-userdom_use_user_terminals(smbcontrol_t)
++optional_policy(`
++ ctdbd_stream_connect(smbcontrol_t)
++')
+
+ ########################################
+ #
+@@ -604,18 +648,20 @@ allow smbmount_t samba_etc_t:file read_file_perms;
+
+ can_exec(smbmount_t, smbmount_exec_t)
+
+-allow smbmount_t samba_log_t:dir list_dir_perms;
++allow smbmount_t samba_log_t:dir list_dir_perms;
+ allow smbmount_t samba_log_t:file manage_file_perms;
+
+ allow smbmount_t samba_secrets_t:file manage_file_perms;
+
++manage_dirs_pattern(smbmount_t, samba_var_t, samba_var_t)
+ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
++files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
++
+ files_list_var_lib(smbmount_t)
+
+ kernel_read_system_state(smbmount_t)
+
+-corenet_all_recvfrom_unlabeled(smbmount_t)
+ corenet_all_recvfrom_netlabel(smbmount_t)
+ corenet_tcp_sendrecv_generic_if(smbmount_t)
+ corenet_raw_sendrecv_generic_if(smbmount_t)
+@@ -645,31 +691,32 @@ files_list_mnt(smbmount_t)
+ files_mounton_mnt(smbmount_t)
+ files_manage_etc_runtime_files(smbmount_t)
+ files_etc_filetrans_etc_runtime(smbmount_t, file)
+-files_read_etc_files(smbmount_t)
+
+ auth_use_nsswitch(smbmount_t)
+
+-miscfiles_read_localization(smbmount_t)
+-
+-mount_use_fds(smbmount_t)
+
+ locallogin_use_fds(smbmount_t)
+
+ logging_search_logs(smbmount_t)
+
+-userdom_use_user_terminals(smbmount_t)
++userdom_use_inherited_user_terminals(smbmount_t)
+ userdom_use_all_users_fds(smbmount_t)
+
+ optional_policy(`
+ cups_read_rw_config(smbmount_t)
+ ')
+
++optional_policy(`
++ mount_use_fds(smbmount_t)
++')
++
+ ########################################
+ #
+ # SWAT Local policy
+ #
+
+ allow swat_t self:capability { dac_override setuid setgid sys_resource };
++allow swat_t self:capability2 block_suspend;
+ allow swat_t self:process { setrlimit signal_perms };
+ allow swat_t self:fifo_file rw_fifo_file_perms;
+ allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+@@ -684,7 +731,8 @@ samba_domtrans_nmbd(swat_t)
+ allow swat_t nmbd_t:process { signal signull };
+ allow nmbd_t swat_t:process signal;
+
+-allow swat_t smbd_var_run_t:file { lock unlink };
++read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
++stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+
+ allow swat_t smbd_port_t:tcp_socket name_bind;
+
+@@ -698,13 +746,17 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+
+ manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
+
++manage_dirs_pattern(swat_t, samba_var_t, samba_var_t)
+ manage_files_pattern(swat_t, samba_var_t, samba_var_t)
++files_var_filetrans(swat_t, samba_var_t, dir, "samba")
++files_list_var_lib(swat_t)
+
+ allow swat_t smbd_exec_t:file mmap_file_perms ;
+
+ allow swat_t smbd_t:process signull;
+
+ allow swat_t smbd_var_run_t:file read_file_perms;
++allow swat_t smbd_var_run_t:file { lock unlink };
+
+ manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+ manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+@@ -717,6 +769,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+ domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
+ allow swat_t winbind_t:process { signal signull };
+
++read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
+ allow swat_t winbind_var_run_t:dir { write add_name remove_name };
+ allow swat_t winbind_var_run_t:sock_file { create unlink };
+
+@@ -726,7 +779,6 @@ kernel_read_network_state(swat_t)
+
+ corecmd_search_bin(swat_t)
+
+-corenet_all_recvfrom_unlabeled(swat_t)
+ corenet_all_recvfrom_netlabel(swat_t)
+ corenet_tcp_sendrecv_generic_if(swat_t)
+ corenet_udp_sendrecv_generic_if(swat_t)
+@@ -744,7 +796,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
+ dev_read_urand(swat_t)
+
+ files_list_var_lib(swat_t)
+-files_read_etc_files(swat_t)
+ files_search_home(swat_t)
+ files_read_usr_files(swat_t)
+ fs_getattr_xattr_fs(swat_t)
+@@ -759,7 +810,10 @@ logging_send_syslog_msg(swat_t)
+ logging_send_audit_msgs(swat_t)
+ logging_search_logs(swat_t)
+
+-miscfiles_read_localization(swat_t)
++sysnet_use_ldap(swat_t)
++
++
++userdom_dontaudit_search_admin_dir(swat_t)
+
+ optional_policy(`
+ cups_read_rw_config(swat_t)
+@@ -790,7 +844,8 @@ allow winbind_t self:udp_socket create_socket_perms;
+
+ allow winbind_t nmbd_t:process { signal signull };
+
+-allow winbind_t nmbd_var_run_t:file read_file_perms;
++read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
++samba_stream_connect_nmbd(winbind_t)
+
+ allow winbind_t samba_etc_t:dir list_dir_perms;
+ read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
+@@ -806,6 +861,8 @@ manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
+ manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
+ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
++manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
++files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+ files_list_var_lib(winbind_t)
+
+ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -813,21 +870,26 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+ allow winbind_t winbind_log_t:file manage_file_perms;
+ logging_log_filetrans(winbind_t, winbind_log_t, file)
+
+-manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+-manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+-manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+-files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
++userdom_manage_user_tmp_dirs(winbind_t)
++userdom_manage_user_tmp_files(winbind_t)
++userdom_tmp_filetrans_user_tmp(winbind_t, { file dir })
+
++manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+ manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+-files_pid_filetrans(winbind_t, winbind_var_run_t, file)
+-
++files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
++filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
++# /run/samba/krb5cc_samba
++manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
++manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
++manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
++
++kernel_read_network_state(winbind_t)
+ kernel_read_kernel_sysctls(winbind_t)
+ kernel_read_system_state(winbind_t)
+
+ corecmd_exec_bin(winbind_t)
+
+-corenet_all_recvfrom_unlabeled(winbind_t)
+ corenet_all_recvfrom_netlabel(winbind_t)
+ corenet_tcp_sendrecv_generic_if(winbind_t)
+ corenet_udp_sendrecv_generic_if(winbind_t)
+@@ -840,12 +902,15 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+ corenet_tcp_bind_generic_node(winbind_t)
+ corenet_udp_bind_generic_node(winbind_t)
+ corenet_tcp_connect_smbd_port(winbind_t)
++corenet_tcp_connect_smbd_port(winbind_t)
+ corenet_tcp_connect_epmap_port(winbind_t)
+ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+
+ dev_read_sysfs(winbind_t)
+ dev_read_urand(winbind_t)
+
++files_read_usr_files(winbind_t)
++
+ fs_getattr_all_fs(winbind_t)
+ fs_search_auto_mountpoints(winbind_t)
+
+@@ -855,12 +920,14 @@ auth_manage_cache(winbind_t)
+
+ domain_use_interactive_fds(winbind_t)
+
+-files_read_etc_files(winbind_t)
+ files_read_usr_symlinks(winbind_t)
++files_list_var_lib(winbind_t)
+
+ logging_send_syslog_msg(winbind_t)
+
+-miscfiles_read_localization(winbind_t)
++miscfiles_read_generic_certs(winbind_t)
++
++sysnet_use_ldap(winbind_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(winbind_t)
+ userdom_manage_user_home_content_dirs(winbind_t)
+@@ -871,6 +938,15 @@ userdom_manage_user_home_content_sockets(winbind_t)
+ userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
+
+ optional_policy(`
++ ctdbd_stream_connect(winbind_t)
++ ctdbd_manage_lib_files(winbind_t)
++')
++
++optional_policy(`
++ dirsrv_stream_connect(winbind_t)
++')
++
++optional_policy(`
+ kerberos_use(winbind_t)
+ ')
+
+@@ -909,9 +985,7 @@ auth_use_nsswitch(winbind_helper_t)
+
+ logging_send_syslog_msg(winbind_helper_t)
+
+-miscfiles_read_localization(winbind_helper_t)
+-
+-userdom_use_user_terminals(winbind_helper_t)
++userdom_use_inherited_user_terminals(winbind_helper_t)
+
+ optional_policy(`
+ apache_append_log(winbind_helper_t)
+@@ -929,19 +1003,34 @@ optional_policy(`
+ #
+
+ optional_policy(`
+- type samba_unconfined_script_t;
+- type samba_unconfined_script_exec_t;
+- domain_type(samba_unconfined_script_t)
+- domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
+- corecmd_shell_entry_type(samba_unconfined_script_t)
+- role system_r types samba_unconfined_script_t;
++ type samba_unconfined_net_t;
++ domain_type(samba_unconfined_net_t)
++ domain_entry_file(samba_unconfined_net_t, samba_net_exec_t)
++ role system_r types samba_unconfined_net_t;
+
+- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+- allow smbd_t samba_unconfined_script_exec_t:file ioctl;
++ unconfined_domain(samba_unconfined_net_t)
+
++ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
++ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
++ userdom_use_inherited_user_terminals(samba_unconfined_net_t)
++')
++
++type samba_unconfined_script_t;
++type samba_unconfined_script_exec_t;
++domain_type(samba_unconfined_script_t)
++domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
++corecmd_shell_entry_type(samba_unconfined_script_t)
++role system_r types samba_unconfined_script_t;
++
++allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
++allow smbd_t samba_unconfined_script_exec_t:file ioctl;
++
++optional_policy(`
+ unconfined_domain(samba_unconfined_script_t)
++')
+
+- tunable_policy(`samba_run_unconfined',`
++tunable_policy(`samba_run_unconfined',`
+ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+- ')
++',`
++ can_exec(smbd_t, samba_unconfined_script_exec_t)
+ ')
+diff --git a/sambagui.te b/sambagui.te
+index 1898dbd..1d5e802 100644
+--- a/sambagui.te
++++ b/sambagui.te
+@@ -7,7 +7,8 @@ policy_module(sambagui, 1.1.0)
+
+ type sambagui_t;
+ type sambagui_exec_t;
+-dbus_system_domain(sambagui_t, sambagui_exec_t)
++application_domain(sambagui_t, sambagui_exec_t)
++role system_r types sambagui_t;
+
+ ########################################
+ #
+@@ -27,21 +28,28 @@ corecmd_exec_bin(sambagui_t)
+
+ dev_dontaudit_read_urand(sambagui_t)
+
+-files_read_etc_files(sambagui_t)
++files_read_usr_files(sambagui_t)
+ files_search_var_lib(sambagui_t)
+ files_read_usr_files(sambagui_t)
+
+ auth_use_nsswitch(sambagui_t)
++auth_dontaudit_read_shadow(sambagui_t)
++
++init_access_check(sambagui_t)
+
+ logging_send_syslog_msg(sambagui_t)
+
+-miscfiles_read_localization(sambagui_t)
++sysnet_use_ldap(sambagui_t)
+
+ optional_policy(`
+ consoletype_exec(sambagui_t)
+ ')
+
+ optional_policy(`
++ dbus_system_domain(sambagui_t, sambagui_exec_t)
++')
++
++optional_policy(`
+ nscd_dontaudit_search_pid(sambagui_t)
+ ')
+
+@@ -56,6 +64,7 @@ optional_policy(`
+ samba_manage_var_files(sambagui_t)
+ samba_read_secrets(sambagui_t)
+ samba_initrc_domtrans(sambagui_t)
++ samba_systemctl(sambagui_t)
+ samba_domtrans_smbd(sambagui_t)
+ samba_domtrans_nmbd(sambagui_t)
+ ')
+diff --git a/samhain.if b/samhain.if
+index c040ebf..2b601a5 100644
+--- a/samhain.if
++++ b/samhain.if
+@@ -271,10 +271,14 @@ interface(`samhain_admin',`
+ type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
+ ')
+
+- allow $1 samhain_t:process { ptrace signal_perms };
++ allow $1 samhain_t:process signal_perms;
+ ps_process_pattern($1, samhain_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 samhain_t:process ptrace;
++ allow $1 samhaind_t:process ptrace;
++ ')
+
+- allow $1 samhaind_t:process { ptrace signal_perms };
++ allow $1 samhaind_t:process signal_perms;
+ ps_process_pattern($1, samhaind_t)
+
+ files_list_var_lib($1)
+diff --git a/samhain.te b/samhain.te
+index acd1700..778d18b 100644
+--- a/samhain.te
++++ b/samhain.te
+@@ -55,7 +55,7 @@ domain_use_interactive_fds(samhain_t)
+
+ seutil_sigchld_newrole(samhain_t)
+
+-userdom_use_user_terminals(samhain_t)
++userdom_use_inherited_user_terminals(samhain_t)
+
+ ########################################
+ #
+diff --git a/sandbox.fc b/sandbox.fc
+new file mode 100644
+index 0000000..b7db254
+--- /dev/null
++++ b/sandbox.fc
+@@ -0,0 +1 @@
++# Empty
+diff --git a/sandbox.if b/sandbox.if
+new file mode 100644
+index 0000000..7addd77
+--- /dev/null
++++ b/sandbox.if
+@@ -0,0 +1,55 @@
++
++## policy for sandbox
++
++########################################
++##
++## Execute sandbox in the sandbox domain, and
++## allow the specified role the sandbox domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the sandbox domain.
++##
++##
++#
++interface(`sandbox_transition',`
++ gen_require(`
++ attribute sandbox_domain;
++ ')
++
++ allow $1 sandbox_domain:process transition;
++ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
++ role $2 types sandbox_domain;
++ allow sandbox_domain $1:process { sigchld signull };
++ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit sandbox_domain $1:process signal;
++')
++
++########################################
++##
++## Creates types and rules for a basic
++## sandbox process domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`sandbox_domain_template',`
++
++ gen_require(`
++ attribute sandbox_domain;
++ ')
++ type $1_t, sandbox_domain;
++
++ application_type($1_t)
++
++ mls_rangetrans_target($1_t)
++ mcs_untrusted_proc($1_t)
++')
+diff --git a/sandbox.te b/sandbox.te
+new file mode 100644
+index 0000000..db440d4
+--- /dev/null
++++ b/sandbox.te
+@@ -0,0 +1,66 @@
++policy_module(sandbox,1.0.0)
++
++attribute sandbox_domain;
++
++########################################
++#
++# Declarations
++#
++sandbox_domain_template(sandbox)
++
++########################################
++#
++# sandbox local policy
++#
++allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
++tunable_policy(`deny_execmem',`',`
++ allow sandbox_domain self:process execmem;
++')
++
++allow sandbox_domain self:fifo_file manage_file_perms;
++allow sandbox_domain self:sem create_sem_perms;
++allow sandbox_domain self:shm create_shm_perms;
++allow sandbox_domain self:msgq create_msgq_perms;
++allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
++allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
++dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++
++dev_rw_all_inherited_chr_files(sandbox_domain)
++dev_rw_all_inherited_blk_files(sandbox_domain)
++
++# sandbox_file_t was moved to sandboxX.te
++optional_policy(`
++ sandbox_exec_file(sandbox_domain)
++ sandbox_manage_content(sandbox_domain)
++ sandbox_dontaudit_mounton(sandbox_domain)
++ sandbox_manage_tmpfs_files(sandbox_domain)
++')
++
++gen_require(`
++ type usr_t, lib_t, locale_t, device_t;
++ type var_t, var_run_t, rpm_log_t, locale_t;
++ attribute exec_type, configfile;
++')
++
++kernel_dontaudit_read_system_state(sandbox_domain)
++
++corecmd_exec_all_executables(sandbox_domain)
++
++dev_dontaudit_getattr_all(sandbox_domain)
++
++files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
++files_entrypoint_all_files(sandbox_domain)
++
++files_read_config_files(sandbox_domain)
++files_read_usr_files(sandbox_domain)
++files_read_var_files(sandbox_domain)
++files_dontaudit_search_all_dirs(sandbox_domain)
++
++fs_dontaudit_getattr_all_fs(sandbox_domain)
++
++
++userdom_dontaudit_use_user_terminals(sandbox_domain)
++
++mta_dontaudit_read_spool_symlinks(sandbox_domain)
++
++
+diff --git a/sandboxX.fc b/sandboxX.fc
+new file mode 100644
+index 0000000..6caef63
+--- /dev/null
++++ b/sandboxX.fc
+@@ -0,0 +1,2 @@
++
++/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
+diff --git a/sandboxX.if b/sandboxX.if
+new file mode 100644
+index 0000000..f00e5c5
+--- /dev/null
++++ b/sandboxX.if
+@@ -0,0 +1,391 @@
++
++## policy for sandboxX
++
++########################################
++##
++## Execute sandbox in the sandbox domain, and
++## allow the specified role the sandbox domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the sandbox domain.
++##
++##
++#
++interface(`sandbox_x_transition',`
++ gen_require(`
++ type sandbox_xserver_t;
++ type sandbox_file_t;
++ attribute sandbox_x_domain;
++ attribute sandbox_tmpfs_type;
++ ')
++
++ allow $1 sandbox_x_domain:process { signal_perms transition };
++ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
++ allow sandbox_x_domain $1:process { sigchld signull };
++ allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
++ role $2 types sandbox_x_domain;
++ role $2 types sandbox_xserver_t;
++ allow $1 sandbox_xserver_t:process signal_perms;
++ dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
++ dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
++ allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
++ allow sandbox_x_domain sandbox_x_domain:process signal;
++ # Dontaudit leaked file descriptors
++ dontaudit sandbox_x_domain $1:fifo_file { read write };
++ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
++ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
++ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
++ dontaudit sandbox_x_domain $1:process { signal sigkill };
++
++ allow $1 sandbox_tmpfs_type:file manage_file_perms;
++ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
++
++ can_exec($1, sandbox_file_t)
++ allow $1 sandbox_file_t:filesystem getattr;
++ manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
++ relabel_files_pattern($1, sandbox_file_t, sandbox_file_t)
++ relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
++ relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
++ relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
++')
++
++########################################
++##
++## Creates types and rules for a basic
++## sandbox process domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`sandbox_x_domain_template',`
++ gen_require(`
++ type xserver_exec_t, sandbox_devpts_t;
++ type sandbox_xserver_t;
++ type sandbox_exec_t;
++ attribute sandbox_x_domain;
++ attribute sandbox_tmpfs_type;
++ attribute sandbox_type;
++ ')
++
++ type $1_t, sandbox_x_domain, sandbox_type;
++ application_type($1_t)
++ mcs_untrusted_proc($1_t)
++
++ kernel_read_system_state($1_t)
++ selinux_get_fs_mount($1_t)
++
++ auth_use_nsswitch($1_t)
++
++ logging_send_syslog_msg($1_t)
++
++ # window manager
++ miscfiles_setattr_fonts_cache_dirs($1_t)
++ allow $1_t self:capability setuid;
++
++ type $1_client_t, sandbox_x_domain;
++ application_type($1_client_t)
++ kernel_read_system_state($1_client_t)
++
++ mcs_untrusted_proc($1_t)
++
++ type $1_client_tmpfs_t, sandbox_tmpfs_type;
++ files_tmpfs_file($1_client_tmpfs_t)
++
++ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
++ manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
++ fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
++ fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
++ # Pulseaudio tmpfs files with different MCS labels
++ dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
++ dontaudit $1_t $1_client_tmpfs_t:file { read write };
++ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
++
++ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
++ allow $1_t sandbox_xserver_t:process signal_perms;
++
++ domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
++ domain_entry_file($1_client_t, sandbox_exec_t)
++
++ ps_process_pattern(sandbox_xserver_t, $1_client_t)
++ ps_process_pattern(sandbox_xserver_t, $1_t)
++ allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
++ allow sandbox_xserver_t $1_t:shm rw_shm_perms;
++ allow $1_client_t $1_t:unix_stream_socket connectto;
++ allow $1_t $1_client_t:unix_stream_socket connectto;
++')
++
++########################################
++##
++## allow domain to read,
++## write sandbox_xserver tmp files
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`sandbox_rw_xserver_tmpfs_files',`
++ gen_require(`
++ type sandbox_xserver_tmpfs_t;
++ ')
++
++ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
++')
++
++########################################
++##
++## allow domain to read
++## sandbox tmpfs files
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`sandbox_read_tmpfs_files',`
++ gen_require(`
++ attribute sandbox_tmpfs_type;
++ ')
++
++ allow $1 sandbox_tmpfs_type:file read_file_perms;
++')
++
++########################################
++##
++## allow domain to manage
++## sandbox tmpfs files
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`sandbox_manage_tmpfs_files',`
++ gen_require(`
++ attribute sandbox_tmpfs_type;
++ ')
++
++ allow $1 sandbox_tmpfs_type:file manage_file_perms;
++')
++
++########################################
++##
++## Delete sandbox files
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`sandbox_delete_files',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ delete_files_pattern($1, sandbox_file_t, sandbox_file_t)
++')
++
++########################################
++##
++## Manage sandbox content
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`sandbox_manage_content',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ allow $1 sandbox_file_t:filesystem getattr;
++ manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
++')
++
++########################################
++##
++## Delete sandbox symbolic links
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`sandbox_delete_lnk_files',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
++')
++
++########################################
++##
++## Delete sandbox fifo files
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`sandbox_delete_pipes',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
++')
++
++########################################
++##
++## Delete sandbox sock files
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`sandbox_delete_sock_files',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
++')
++
++########################################
++##
++## Allow domain to set the attributes
++## of the sandbox directory.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`sandbox_setattr_dirs',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ allow $1 sandbox_file_t:dir setattr;
++')
++
++########################################
++##
++## Delete sandbox directories
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`sandbox_delete_dirs',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
++')
++
++########################################
++##
++## allow domain to list sandbox dirs
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`sandbox_list',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ allow $1 sandbox_file_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Read and write a sandbox domain pty.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sandbox_use_ptys',`
++ gen_require(`
++ type sandbox_devpts_t;
++ ')
++
++ allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++#######################################
++##
++## Allow domain to execute sandbox_file_t in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sandbox_exec_file',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ can_exec($1, sandbox_file_t)
++')
++
++######################################
++##
++## Allow domain to execute sandbox_file_t in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sandbox_dontaudit_mounton',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ dontaudit $1 sandbox_file_t:dir mounton;
++')
+diff --git a/sandboxX.te b/sandboxX.te
+new file mode 100644
+index 0000000..479ece4
+--- /dev/null
++++ b/sandboxX.te
+@@ -0,0 +1,463 @@
++policy_module(sandboxX,1.0.0)
++
++dbus_stub()
++attribute sandbox_x_domain;
++attribute sandbox_web_type;
++attribute sandbox_file_type;
++attribute sandbox_tmpfs_type;
++attribute sandbox_type;
++
++type sandbox_exec_t;
++files_type(sandbox_exec_t)
++
++type sandbox_file_t, sandbox_file_type;
++files_type(sandbox_file_t)
++typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t };
++
++########################################
++#
++# Declarations
++#
++sandbox_x_domain_template(sandbox_min)
++sandbox_x_domain_template(sandbox_x)
++sandbox_x_domain_template(sandbox_web)
++sandbox_x_domain_template(sandbox_net)
++
++type sandbox_xserver_t;
++domain_type(sandbox_xserver_t)
++xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
++
++type sandbox_xserver_tmpfs_t;
++files_tmpfs_file(sandbox_xserver_tmpfs_t)
++
++type sandbox_devpts_t;
++term_pty(sandbox_devpts_t)
++files_type(sandbox_devpts_t)
++
++########################################
++#
++# sandbox xserver policy
++#
++allow sandbox_xserver_t self:process { signal_perms execstack };
++
++tunable_policy(`deny_execmem',`',`
++ allow sandbox_xserver_t self:process execmem;
++')
++
++allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
++allow sandbox_xserver_t self:shm create_shm_perms;
++allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
++manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
++manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
++allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms;
++
++manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
++manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
++manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
++manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
++manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
++fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++
++kernel_dontaudit_request_load_module(sandbox_xserver_t)
++kernel_read_system_state(sandbox_xserver_t)
++
++corecmd_exec_bin(sandbox_xserver_t)
++corecmd_exec_shell(sandbox_xserver_t)
++
++corenet_all_recvfrom_netlabel(sandbox_xserver_t)
++corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
++corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
++corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
++corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
++corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
++corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
++corenet_tcp_bind_generic_node(sandbox_xserver_t)
++corenet_tcp_bind_xserver_port(sandbox_xserver_t)
++corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
++corenet_sendrecv_all_client_packets(sandbox_xserver_t)
++
++dev_read_sysfs(sandbox_xserver_t)
++dev_rwx_zero(sandbox_xserver_t)
++dev_read_urand(sandbox_xserver_t)
++
++domain_use_interactive_fds(sandbox_xserver_t)
++
++files_read_config_files(sandbox_xserver_t)
++files_read_usr_files(sandbox_xserver_t)
++files_search_home(sandbox_xserver_t)
++fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
++fs_list_inotifyfs(sandbox_xserver_t)
++fs_search_auto_mountpoints(sandbox_xserver_t)
++
++miscfiles_read_fonts(sandbox_xserver_t)
++
++selinux_validate_context(sandbox_xserver_t)
++selinux_compute_access_vector(sandbox_xserver_t)
++selinux_compute_create_context(sandbox_xserver_t)
++
++auth_use_nsswitch(sandbox_xserver_t)
++
++logging_send_syslog_msg(sandbox_xserver_t)
++logging_send_audit_msgs(sandbox_xserver_t)
++
++userdom_use_inherited_user_terminals(sandbox_xserver_t)
++userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
++userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t)
++
++xserver_entry_type(sandbox_xserver_t)
++
++optional_policy(`
++ dbus_system_bus_client(sandbox_xserver_t)
++
++ optional_policy(`
++ hal_dbus_chat(sandbox_xserver_t)
++ ')
++')
++
++########################################
++#
++# sandbox_x_domain local policy
++#
++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
++tunable_policy(`deny_execmem',`',`
++ allow sandbox_x_domain self:process execmem;
++')
++
++allow sandbox_x_domain self:fifo_file manage_file_perms;
++allow sandbox_x_domain self:sem create_sem_perms;
++allow sandbox_x_domain self:shm create_shm_perms;
++allow sandbox_x_domain self:msgq create_msgq_perms;
++allow sandbox_x_domain self:netlink_selinux_socket create_socket_perms;
++allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
++allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
++
++dontaudit sandbox_x_domain sandbox_x_domain:process signal;
++dontaudit sandbox_x_domain sandbox_xserver_t:process signal;
++dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++
++allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
++
++allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
++term_create_pty(sandbox_x_domain,sandbox_devpts_t)
++
++can_exec(sandbox_x_domain, sandbox_file_t)
++allow sandbox_x_domain sandbox_file_t:filesystem getattr;
++manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
++
++kernel_getattr_proc(sandbox_x_domain)
++kernel_read_network_state(sandbox_x_domain)
++kernel_dontaudit_search_kernel_sysctl(sandbox_x_domain)
++
++domain_dontaudit_read_all_domains_state(sandbox_x_domain)
++
++corecmd_exec_all_executables(sandbox_x_domain)
++
++dev_read_urand(sandbox_x_domain)
++dev_dontaudit_read_rand(sandbox_x_domain)
++dev_read_sysfs(sandbox_x_domain)
++dev_dontaudit_rw_dri(sandbox_x_domain)
++
++files_search_home(sandbox_x_domain)
++files_dontaudit_list_all_mountpoints(sandbox_x_domain)
++files_entrypoint_all_files(sandbox_x_domain)
++files_read_config_files(sandbox_x_domain)
++files_read_usr_files(sandbox_x_domain)
++files_read_usr_symlinks(sandbox_x_domain)
++
++fs_getattr_tmpfs(sandbox_x_domain)
++fs_getattr_xattr_fs(sandbox_x_domain)
++fs_list_inotifyfs(sandbox_x_domain)
++fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
++# Random tmpfs_t that gets created when you run X.
++fs_rw_tmpfs_files(sandbox_x_domain)
++fs_get_xattr_fs_quotas(sandbox_x_domain)
++
++auth_dontaudit_read_login_records(sandbox_x_domain)
++auth_dontaudit_write_login_records(sandbox_x_domain)
++auth_search_pam_console_data(sandbox_x_domain)
++
++init_read_utmp(sandbox_x_domain)
++init_dontaudit_write_utmp(sandbox_x_domain)
++
++libs_dontaudit_setattr_lib_files(sandbox_x_domain)
++
++miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
++
++mta_dontaudit_read_spool_symlinks(sandbox_x_domain)
++
++selinux_validate_context(sandbox_x_domain)
++selinux_compute_access_vector(sandbox_x_domain)
++selinux_compute_create_context(sandbox_x_domain)
++selinux_compute_relabel_context(sandbox_x_domain)
++selinux_compute_user_contexts(sandbox_x_domain)
++seutil_read_default_contexts(sandbox_x_domain)
++
++term_getattr_pty_fs(sandbox_x_domain)
++term_use_ptmx(sandbox_x_domain)
++term_search_ptys(sandbox_x_domain)
++
++application_dontaudit_signal(sandbox_x_domain)
++application_dontaudit_sigkill(sandbox_x_domain)
++
++logging_dontaudit_search_logs(sandbox_x_domain)
++
++miscfiles_read_fonts(sandbox_x_domain)
++
++storage_dontaudit_rw_fuse(sandbox_x_domain)
++
++optional_policy(`
++ consolekit_dbus_chat(sandbox_x_domain)
++')
++
++optional_policy(`
++ cups_stream_connect(sandbox_x_domain)
++ cups_read_rw_config(sandbox_x_domain)
++')
++
++optional_policy(`
++ dbus_system_bus_client(sandbox_x_domain)
++')
++
++optional_policy(`
++ devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain)
++')
++
++optional_policy(`
++ gnome_read_gconf_config(sandbox_x_domain)
++')
++
++optional_policy(`
++ nscd_dontaudit_search_pid(sandbox_x_domain)
++')
++
++optional_policy(`
++ sssd_dontaudit_search_lib(sandbox_x_domain)
++')
++
++optional_policy(`
++ udev_read_db(sandbox_x_domain)
++')
++
++userdom_dontaudit_use_user_terminals(sandbox_x_domain)
++userdom_read_user_home_content_symlinks(sandbox_x_domain)
++userdom_search_user_home_content(sandbox_x_domain)
++userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain)
++
++fs_search_auto_mountpoints(sandbox_x_domain)
++fs_read_hugetlbfs_files(sandbox_x_domain)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_search_auto_mountpoints(sandbox_x_domain)
++ fs_search_nfs(sandbox_xserver_t)
++ fs_read_nfs_files(sandbox_xserver_t)
++ fs_manage_nfs_dirs(sandbox_x_domain)
++ fs_manage_nfs_files(sandbox_x_domain)
++ fs_exec_nfs_files(sandbox_x_domain)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_search_cifs(sandbox_xserver_t)
++ fs_read_cifs_files(sandbox_xserver_t)
++ fs_manage_cifs_dirs(sandbox_x_domain)
++ fs_manage_cifs_files(sandbox_x_domain)
++ fs_exec_cifs_files(sandbox_x_domain)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_search_fusefs(sandbox_xserver_t)
++ fs_read_fusefs_files(sandbox_xserver_t)
++ fs_manage_fusefs_dirs(sandbox_x_domain)
++ fs_manage_fusefs_files(sandbox_x_domain)
++ fs_exec_fusefs_files(sandbox_x_domain)
++')
++
++files_search_home(sandbox_x_t)
++userdom_use_user_ptys(sandbox_x_t)
++
++########################################
++#
++# sandbox_x_client_t local policy
++#
++allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
++allow sandbox_x_client_t self:udp_socket create_socket_perms;
++allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
++
++dev_read_rand(sandbox_x_client_t)
++
++corenet_tcp_connect_ipp_port(sandbox_x_client_t)
++corenet_dontaudit_tcp_connect_xserver_port(sandbox_x_client_t)
++
++auth_use_nsswitch(sandbox_x_client_t)
++
++logging_send_syslog_msg(sandbox_x_client_t)
++
++optional_policy(`
++ colord_dbus_chat(sandbox_x_client_t)
++')
++
++optional_policy(`
++ hal_dbus_chat(sandbox_x_client_t)
++')
++
++optional_policy(`
++ nsplugin_read_rw_files(sandbox_x_client_t)
++')
++
++########################################
++#
++# sandbox_web_client_t local policy
++#
++typeattribute sandbox_web_client_t sandbox_web_type;
++
++selinux_get_fs_mount(sandbox_web_client_t)
++
++auth_use_nsswitch(sandbox_web_client_t)
++
++logging_send_syslog_msg(sandbox_web_client_t)
++
++allow sandbox_web_type self:capability { setuid setgid };
++allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
++dontaudit sandbox_web_type self:process setrlimit;
++
++allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
++allow sandbox_web_type self:udp_socket create_socket_perms;
++allow sandbox_web_type self:dbus { acquire_svc send_msg };
++
++kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
++kernel_request_load_module(sandbox_web_type)
++
++dev_read_rand(sandbox_web_type)
++dev_write_sound(sandbox_web_type)
++dev_read_sound(sandbox_web_type)
++
++corenet_tcp_sendrecv_generic_if(sandbox_web_type)
++corenet_raw_sendrecv_generic_if(sandbox_web_type)
++corenet_tcp_sendrecv_generic_node(sandbox_web_type)
++corenet_raw_sendrecv_generic_node(sandbox_web_type)
++corenet_tcp_sendrecv_http_port(sandbox_web_type)
++corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
++corenet_tcp_sendrecv_squid_port(sandbox_web_type)
++corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
++corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
++corenet_tcp_connect_http_port(sandbox_web_type)
++corenet_tcp_connect_http_cache_port(sandbox_web_type)
++corenet_tcp_connect_squid_port(sandbox_web_type)
++corenet_tcp_connect_flash_port(sandbox_web_type)
++corenet_tcp_connect_ftp_port(sandbox_web_type)
++corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)
++corenet_tcp_connect_ipp_port(sandbox_web_type)
++corenet_tcp_connect_streaming_port(sandbox_web_type)
++corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
++corenet_tcp_connect_tor_socks_port(sandbox_web_type)
++corenet_tcp_connect_speech_port(sandbox_web_type)
++corenet_tcp_connect_generic_port(sandbox_web_type)
++corenet_tcp_connect_soundd_port(sandbox_web_type)
++corenet_tcp_connect_speech_port(sandbox_web_type)
++corenet_sendrecv_http_client_packets(sandbox_web_type)
++corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
++corenet_sendrecv_squid_client_packets(sandbox_web_type)
++corenet_sendrecv_ftp_client_packets(sandbox_web_type)
++corenet_sendrecv_ipp_client_packets(sandbox_web_type)
++corenet_sendrecv_generic_client_packets(sandbox_web_type)
++
++corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
++corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
++
++files_dontaudit_getattr_all_dirs(sandbox_web_type)
++
++fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
++fs_dontaudit_getattr_all_fs(sandbox_web_type)
++
++storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
++
++dbus_system_bus_client(sandbox_web_type)
++dbus_read_config(sandbox_web_type)
++selinux_validate_context(sandbox_web_type)
++selinux_compute_access_vector(sandbox_web_type)
++selinux_compute_create_context(sandbox_web_type)
++selinux_compute_relabel_context(sandbox_web_type)
++selinux_compute_user_contexts(sandbox_web_type)
++seutil_read_default_contexts(sandbox_web_type)
++
++userdom_rw_user_tmpfs_files(sandbox_web_type)
++userdom_delete_user_tmpfs_files(sandbox_web_type)
++
++optional_policy(`
++ alsa_read_rw_config(sandbox_web_type)
++')
++
++optional_policy(`
++ bluetooth_dontaudit_dbus_chat(sandbox_web_type)
++')
++
++optional_policy(`
++ hal_dbus_chat(sandbox_web_type)
++')
++
++optional_policy(`
++ chrome_domtrans_sandbox(sandbox_web_type)
++')
++
++optional_policy(`
++ nsplugin_manage_rw(sandbox_web_type)
++ nsplugin_read_rw_files(sandbox_web_type)
++ nsplugin_rw_exec(sandbox_web_type)
++')
++
++optional_policy(`
++ pulseaudio_stream_connect(sandbox_web_type)
++ allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
++')
++
++optional_policy(`
++ rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type)
++')
++
++optional_policy(`
++ # needed by pulseaudio
++ systemd_read_logind_sessions_files(sandbox_web_type)
++ systemd_login_read_pid_files(sandbox_web_type)
++')
++
++optional_policy(`
++ networkmanager_dontaudit_dbus_chat(sandbox_web_type)
++')
++
++optional_policy(`
++ udev_read_state(sandbox_web_type)
++')
++
++########################################
++#
++# sandbox_net_client_t local policy
++#
++typeattribute sandbox_net_client_t sandbox_web_type;
++
++corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
++corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
++corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
++corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
++corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
++corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
++corenet_tcp_connect_all_ports(sandbox_net_client_t)
++corenet_sendrecv_all_client_packets(sandbox_net_client_t)
++
++selinux_get_fs_mount(sandbox_net_client_t)
++
++auth_use_nsswitch(sandbox_net_client_t)
++
++logging_send_syslog_msg(sandbox_net_client_t)
++
++optional_policy(`
++ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
++ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
++ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
++ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
++')
+diff --git a/sanlock.fc b/sanlock.fc
+index 5d1826c..9059165 100644
+--- a/sanlock.fc
++++ b/sanlock.fc
+@@ -1,7 +1,10 @@
++
+ /etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
+
+ /var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
+
+-/var/log/sanlock\.log gen_context(system_u:object_r:sanlock_log_t,s0)
++/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0)
+
+ /usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
++
++/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0)
+diff --git a/sanlock.if b/sanlock.if
+index cfe3172..34b861a 100644
+--- a/sanlock.if
++++ b/sanlock.if
+@@ -1,3 +1,4 @@
++
+ ## policy for sanlock
+
+ ########################################
+@@ -18,6 +19,7 @@ interface(`sanlock_domtrans',`
+ domtrans_pattern($1, sanlock_exec_t, sanlock_t)
+ ')
+
++
+ ########################################
+ ##
+ ## Execute sanlock server in the sanlock domain.
+@@ -57,21 +59,44 @@ interface(`sanlock_manage_pid_files',`
+
+ ########################################
+ ##
+-## Connect to sanlock over an unix stream socket.
++## Connect to sanlock over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sanlock_stream_connect',`
++ gen_require(`
++ type sanlock_t, sanlock_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
++')
++
++########################################
++##
++## Execute virt server in the virt domain.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allowed to transition.
+ ##
+ ##
+ #
+-interface(`sanlock_stream_connect',`
++interface(`sanlock_systemctl',`
+ gen_require(`
+- type sanlock_t, sanlock_var_run_t;
++ type sanlock_unit_file_t;
++ type sanlock_t;
+ ')
+
+- files_search_pids($1)
+- stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
++ systemd_exec_systemctl($1)
++ allow $1 sanlock_unit_file_t:file read_file_perms;
++ allow $1 sanlock_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, sanlock_t)
+ ')
+
+ ########################################
+@@ -95,13 +120,21 @@ interface(`sanlock_admin',`
+ gen_require(`
+ type sanlock_t;
+ type sanlock_initrc_exec_t;
++ type sanlock_unit_file_t;
+ ')
+
+ allow $1 sanlock_t:process signal_perms;
+ ps_process_pattern($1, sanlock_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 sanlock_t:process ptrace;
++ ')
+
+ sanlock_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 sanlock_initrc_exec_t system_r;
+ allow $2 system_r;
++
++ virt_systemctl($1)
++ admin_pattern($1, sanlock_unit_file_t)
++ allow $1 sanlock_unit_file_t:service all_service_perms;
+ ')
+diff --git a/sanlock.te b/sanlock.te
+index e02eb6c..4f4eaf4 100644
+--- a/sanlock.te
++++ b/sanlock.te
+@@ -1,4 +1,4 @@
+-policy_module(sanlock, 1.0.0)
++policy_module(sanlock,1.0.0)
+
+ ########################################
+ #
+@@ -6,18 +6,25 @@ policy_module(sanlock, 1.0.0)
+ #
+
+ ##
+-##
+-## Allow confined virtual guests to manage nfs files
+-##
++##
++## Allow sanlock to manage nfs files
++##
+ ##
+ gen_tunable(sanlock_use_nfs, false)
+
+ ##
++##
++## Allow sanlock to manage cifs files
++##
++##
++gen_tunable(sanlock_use_samba, false)
++
++##
+ ##
+-## Allow confined virtual guests to manage cifs files
++## Allow sanlock to read/write fuse files
+ ##
+ ##
+-gen_tunable(sanlock_use_samba, false)
++gen_tunable(sanlock_use_fusefs, false)
+
+ type sanlock_t;
+ type sanlock_exec_t;
+@@ -32,6 +39,9 @@ logging_log_file(sanlock_log_t)
+ type sanlock_initrc_exec_t;
+ init_script_file(sanlock_initrc_exec_t)
+
++type sanlock_unit_file_t;
++systemd_unit_file(sanlock_unit_file_t)
++
+ ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
+ ')
+@@ -44,8 +54,9 @@ ifdef(`enable_mls',`
+ #
+ # sanlock local policy
+ #
+-allow sanlock_t self:capability { sys_nice ipc_lock };
+-allow sanlock_t self:process { setsched signull };
++allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
++allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
++
+ allow sanlock_t self:fifo_file rw_fifo_file_perms;
+ allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
+
+@@ -58,36 +69,51 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+
+ kernel_read_system_state(sanlock_t)
++kernel_read_kernel_sysctls(sanlock_t)
+
+ domain_use_interactive_fds(sanlock_t)
+
+-files_read_etc_files(sanlock_t)
++files_read_mnt_symlinks(sanlock_t)
+
+ storage_raw_rw_fixed_disk(sanlock_t)
+
++dev_read_rand(sanlock_t)
+ dev_read_urand(sanlock_t)
+
++auth_use_nsswitch(sanlock_t)
++
+ init_read_utmp(sanlock_t)
+ init_dontaudit_write_utmp(sanlock_t)
+
+ logging_send_syslog_msg(sanlock_t)
+
+-miscfiles_read_localization(sanlock_t)
++tunable_policy(`sanlock_use_fusefs',`
++ fs_manage_fusefs_dirs(sanlock_t)
++ fs_manage_fusefs_files(sanlock_t)
++ fs_read_fusefs_symlinks(sanlock_t)
++ fs_getattr_fusefs(sanlock_t)
++')
+
+ tunable_policy(`sanlock_use_nfs',`
+- fs_manage_nfs_dirs(sanlock_t)
+- fs_manage_nfs_files(sanlock_t)
+- fs_manage_nfs_named_sockets(sanlock_t)
+- fs_read_nfs_symlinks(sanlock_t)
++ fs_manage_nfs_dirs(sanlock_t)
++ fs_manage_nfs_files(sanlock_t)
++ fs_manage_nfs_named_sockets(sanlock_t)
++ fs_read_nfs_symlinks(sanlock_t)
+ ')
+
+ tunable_policy(`sanlock_use_samba',`
+- fs_manage_cifs_dirs(sanlock_t)
+- fs_manage_cifs_files(sanlock_t)
+- fs_manage_cifs_named_sockets(sanlock_t)
+- fs_read_cifs_symlinks(sanlock_t)
++ fs_manage_cifs_dirs(sanlock_t)
++ fs_manage_cifs_files(sanlock_t)
++ fs_manage_cifs_named_sockets(sanlock_t)
++ fs_read_cifs_symlinks(sanlock_t)
++')
++
++optional_policy(`
++ wdmd_stream_connect(sanlock_t)
+ ')
+
+ optional_policy(`
++ virt_kill_svirt(sanlock_t)
+ virt_manage_lib_files(sanlock_t)
++ virt_signal_svirt(sanlock_t)
+ ')
+diff --git a/sasl.if b/sasl.if
+index f1aea88..3e6a93f 100644
+--- a/sasl.if
++++ b/sasl.if
+@@ -38,21 +38,21 @@ interface(`sasl_connect',`
+ #
+ interface(`sasl_admin',`
+ gen_require(`
+- type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
++ type saslauthd_t, saslauthd_var_run_t;
+ type saslauthd_initrc_exec_t;
+ ')
+
+- allow $1 saslauthd_t:process { ptrace signal_perms getattr };
++ allow $1 saslauthd_t:process signal_perms;
+ ps_process_pattern($1, saslauthd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 saslauthd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 saslauthd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_list_tmp($1)
+- admin_pattern($1, saslauthd_tmp_t)
+-
+ files_list_pids($1)
+ admin_pattern($1, saslauthd_var_run_t)
+ ')
+diff --git a/sasl.te b/sasl.te
+index 9d9f8ce..88a01c0 100644
+--- a/sasl.te
++++ b/sasl.te
+@@ -10,7 +10,7 @@ policy_module(sasl, 1.14.0)
+ ## Allow sasl to read shadow
+ ##
+ ##
+-gen_tunable(allow_saslauthd_read_shadow, false)
++gen_tunable(saslauthd_read_shadow, false)
+
+ type saslauthd_t;
+ type saslauthd_exec_t;
+@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
+ type saslauthd_initrc_exec_t;
+ init_script_file(saslauthd_initrc_exec_t)
+
+-type saslauthd_tmp_t;
+-files_tmp_file(saslauthd_tmp_t)
+-
+ type saslauthd_var_run_t;
+ files_pid_file(saslauthd_var_run_t)
+
+@@ -30,31 +27,32 @@ files_pid_file(saslauthd_var_run_t)
+ # Local policy
+ #
+
+-allow saslauthd_t self:capability { setgid setuid };
++allow saslauthd_t self:capability { setgid setuid sys_nice };
+ dontaudit saslauthd_t self:capability sys_tty_config;
+-allow saslauthd_t self:process signal_perms;
++allow saslauthd_t self:process { setsched signal_perms };
+ allow saslauthd_t self:fifo_file rw_fifo_file_perms;
+ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+ allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+ allow saslauthd_t self:tcp_socket create_socket_perms;
+
+-allow saslauthd_t saslauthd_tmp_t:dir setattr;
+-manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
+-files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
+-
++manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+ manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+ manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+-files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, file)
++files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir })
+
+ kernel_read_kernel_sysctls(saslauthd_t)
+ kernel_read_system_state(saslauthd_t)
++kernel_rw_afs_state(saslauthd_t)
++
++#577519
++corecmd_exec_bin(saslauthd_t)
+
+-corenet_all_recvfrom_unlabeled(saslauthd_t)
+ corenet_all_recvfrom_netlabel(saslauthd_t)
+ corenet_tcp_sendrecv_generic_if(saslauthd_t)
+ corenet_tcp_sendrecv_generic_node(saslauthd_t)
+ corenet_tcp_sendrecv_all_ports(saslauthd_t)
+ corenet_tcp_connect_pop_port(saslauthd_t)
++corenet_tcp_connect_zarafa_port(saslauthd_t)
+ corenet_sendrecv_pop_client_packets(saslauthd_t)
+
+ dev_read_urand(saslauthd_t)
+@@ -78,21 +76,20 @@ init_dontaudit_stream_connect_script(saslauthd_t)
+
+ logging_send_syslog_msg(saslauthd_t)
+
+-miscfiles_read_localization(saslauthd_t)
+ miscfiles_read_generic_certs(saslauthd_t)
+
+-seutil_dontaudit_read_config(saslauthd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
+ userdom_dontaudit_search_user_home_dirs(saslauthd_t)
+
+ # cjp: typeattribute doesnt work in conditionals
+ auth_can_read_shadow_passwords(saslauthd_t)
+-tunable_policy(`allow_saslauthd_read_shadow',`
++tunable_policy(`saslauthd_read_shadow',`
++ allow saslauthd_t self:capability dac_override;
+ auth_tunable_read_shadow(saslauthd_t)
+ ')
+
+ optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
+ kerberos_keytab_template(saslauthd, saslauthd_t)
+ ')
+
+diff --git a/sblim.if b/sblim.if
+index fa24879..3abfdf2 100644
+--- a/sblim.if
++++ b/sblim.if
+@@ -1,5 +1,28 @@
+ ## policy for SBLIM Gatherer
+
++######################################
++##
++## Creates types and rules for a basic
++## sblim daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`sblim_domain_template',`
++ gen_require(`
++ attribute sblim_domain;
++ ')
++
++ type sblim_$1_t, sblim_domain;
++ type sblim_$1_exec_t;
++ init_daemon_domain(sblim_$1_t, sblim_$1_exec_t)
++
++ kernel_read_system_state(sblim_$1_t)
++')
++
+ ########################################
+ ##
+ ## Transition to gatherd.
+@@ -48,11 +71,6 @@ interface(`sblim_read_pid_files',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## Role allowed access.
+-##
+-##
+ ##
+ #
+ interface(`sblim_admin',`
+@@ -65,6 +83,11 @@ interface(`sblim_admin',`
+ allow $1 sblim_gatherd_t:process signal_perms;
+ ps_process_pattern($1, sblim_gatherd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 sblim_gatherd_t:process ptrace;
++ allow $1 sblim_reposd_t:process ptrace;
++ ')
++
+ allow $1 sblim_reposd_t:process signal_perms;
+ ps_process_pattern($1, sblim_reposd_t)
+
+diff --git a/sblim.te b/sblim.te
+index 869f976..5171bda 100644
+--- a/sblim.te
++++ b/sblim.te
+@@ -7,13 +7,9 @@ policy_module(sblim, 1.0.0)
+
+ attribute sblim_domain;
+
+-type sblim_gatherd_t, sblim_domain;
+-type sblim_gatherd_exec_t;
+-init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t)
++sblim_domain_template(gatherd)
+
+-type sblim_reposd_t, sblim_domain;
+-type sblim_reposd_exec_t;
+-init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
++sblim_domain_template(reposd)
+
+ type sblim_var_run_t;
+ files_pid_file(sblim_var_run_t)
+@@ -41,6 +37,12 @@ dev_read_urand(sblim_gatherd_t)
+ domain_read_all_domains_state(sblim_gatherd_t)
+
+ fs_getattr_all_fs(sblim_gatherd_t)
++fs_search_cgroup_dirs(sblim_gatherd_t)
++
++storage_raw_read_fixed_disk(sblim_gatherd_t)
++storage_raw_read_removable_device(sblim_gatherd_t)
++
++logging_send_syslog_msg(sblim_gatherd_t)
+
+ sysnet_dns_name_resolve(sblim_gatherd_t)
+
+@@ -63,7 +65,9 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ virt_read_config(sblim_gatherd_t)
+ virt_stream_connect(sblim_gatherd_t)
++ virt_getattr_exec(sblim_gatherd_t)
+ ')
+
+ optional_policy(`
+@@ -81,6 +85,8 @@ domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t)
+ corenet_tcp_bind_all_nodes(sblim_reposd_t)
+ corenet_tcp_bind_repository_port(sblim_reposd_t)
+
++logging_send_syslog_msg(sblim_reposd_t)
++
+ ######################################
+ #
+ # sblim_domain local policy
+@@ -91,14 +97,13 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms;
+ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+ manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+ manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
++files_pid_filetrans(sblim_domain, sblim_var_run_t, { dir file sock_file })
+
+ kernel_read_network_state(sblim_domain)
+-kernel_read_system_state(sblim_domain)
+
+ dev_read_sysfs(sblim_domain)
+
+-logging_send_syslog_msg(sblim_domain)
++auth_read_passwd(sblim_domain)
+
+ files_read_etc_files(sblim_domain)
+
+-miscfiles_read_localization(sblim_domain)
+diff --git a/screen.fc b/screen.fc
+index c8254dd..b73334e 100644
+--- a/screen.fc
++++ b/screen.fc
+@@ -1,15 +1,19 @@
+ #
+ # /home
+ #
+-HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+ HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
++HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
++
++/root/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+
+ #
+ # /usr
+ #
+ /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
++/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
+
+ #
+ # /var
+ #
+ /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
++/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+diff --git a/screen.if b/screen.if
+index c50a444..ee00be2 100644
+--- a/screen.if
++++ b/screen.if
+@@ -25,6 +25,7 @@ template(`screen_role_template',`
+ gen_require(`
+ type screen_exec_t, screen_tmp_t;
+ type screen_home_t, screen_var_run_t;
++ attribute screen_domain;
+ ')
+
+ ########################################
+@@ -32,50 +33,24 @@ template(`screen_role_template',`
+ # Declarations
+ #
+
+- type $1_screen_t;
+- userdom_user_application_domain($1_screen_t, screen_exec_t)
++ type $1_screen_t, screen_domain;
++ application_domain($1_screen_t, screen_exec_t)
+ domain_interactive_fd($1_screen_t)
++ ubac_constrained($1_screen_t)
+ role $2 types $1_screen_t;
+
+- ########################################
+- #
+- # Local policy
+- #
+-
+- allow $1_screen_t self:capability { setuid setgid fsetid };
+- allow $1_screen_t self:process signal_perms;
+- allow $1_screen_t self:fifo_file rw_fifo_file_perms;
+- allow $1_screen_t self:tcp_socket create_stream_socket_perms;
+- allow $1_screen_t self:udp_socket create_socket_perms;
+- # Internal screen networking
+- allow $1_screen_t self:fd use;
+- allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto };
+- allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+-
+- manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+- manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+- manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+- files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir })
+-
+- # Create fifo
+- manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+- manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+- manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+- files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
+-
+- allow $1_screen_t screen_home_t:dir list_dir_perms;
+- manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
+- manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+- userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
+- read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+- read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $3 $1_screen_t:process ptrace;
++ ')
+
+- allow $1_screen_t $3:process signal;
++ userdom_home_reader($1_screen_t)
+
+ domtrans_pattern($3, screen_exec_t, $1_screen_t)
+ allow $3 $1_screen_t:process { signal sigchld };
+ dontaudit $3 $1_screen_t:unix_stream_socket { read write };
++ allow $1_screen_t $3:unix_stream_socket { connectto };
+ allow $1_screen_t $3:process signal;
++ ps_process_pattern($1_screen_t, $3)
+
+ manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
+ manage_dirs_pattern($3, screen_home_t, screen_home_t)
+@@ -86,77 +61,46 @@ template(`screen_role_template',`
+ relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
+
+ manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
+- manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
+- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
+ manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
+
+ kernel_read_system_state($1_screen_t)
+- kernel_read_kernel_sysctls($1_screen_t)
+
+- corecmd_list_bin($1_screen_t)
+- corecmd_read_bin_files($1_screen_t)
+- corecmd_read_bin_symlinks($1_screen_t)
+- corecmd_read_bin_pipes($1_screen_t)
+- corecmd_read_bin_sockets($1_screen_t)
+ # Revert to the user domain when a shell is executed.
+ corecmd_shell_domtrans($1_screen_t, $3)
+ corecmd_bin_domtrans($1_screen_t, $3)
+
+- corenet_all_recvfrom_unlabeled($1_screen_t)
+- corenet_all_recvfrom_netlabel($1_screen_t)
+- corenet_tcp_sendrecv_generic_if($1_screen_t)
+- corenet_udp_sendrecv_generic_if($1_screen_t)
+- corenet_tcp_sendrecv_generic_node($1_screen_t)
+- corenet_udp_sendrecv_generic_node($1_screen_t)
+- corenet_tcp_sendrecv_all_ports($1_screen_t)
+- corenet_udp_sendrecv_all_ports($1_screen_t)
+- corenet_tcp_connect_all_ports($1_screen_t)
+-
+- dev_dontaudit_getattr_all_chr_files($1_screen_t)
+- dev_dontaudit_getattr_all_blk_files($1_screen_t)
+- # for SSP
+- dev_read_urand($1_screen_t)
+-
+- domain_use_interactive_fds($1_screen_t)
+-
+- files_search_tmp($1_screen_t)
+- files_search_home($1_screen_t)
+- files_list_home($1_screen_t)
+- files_read_usr_files($1_screen_t)
+- files_read_etc_files($1_screen_t)
+-
+- fs_search_auto_mountpoints($1_screen_t)
+- fs_getattr_xattr_fs($1_screen_t)
+-
+ auth_domtrans_chk_passwd($1_screen_t)
+ auth_use_nsswitch($1_screen_t)
+- auth_dontaudit_read_shadow($1_screen_t)
+- auth_dontaudit_exec_utempter($1_screen_t)
+-
+- # Write to utmp.
+- init_rw_utmp($1_screen_t)
+
+ logging_send_syslog_msg($1_screen_t)
+
+- miscfiles_read_localization($1_screen_t)
+-
+- seutil_read_config($1_screen_t)
+-
+- userdom_use_user_terminals($1_screen_t)
+- userdom_create_user_pty($1_screen_t)
+ userdom_user_home_domtrans($1_screen_t, $3)
+- userdom_setattr_user_ptys($1_screen_t)
+- userdom_setattr_user_ttys($1_screen_t)
++ userdom_manage_tmp_role($2, $1_screen_t)
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_cifs_domtrans($1_screen_t, $3)
+- fs_read_cifs_symlinks($1_screen_t)
+- fs_list_cifs($1_screen_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_nfs_domtrans($1_screen_t, $3)
+- fs_list_nfs($1_screen_t)
+- fs_read_nfs_symlinks($1_screen_t)
+ ')
+ ')
++
++#######################################
++##
++## Execute the rssh program
++## in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`screen_exec',`
++ gen_require(`
++ type screen_exec_t;
++ ')
++
++ can_exec($1, screen_exec_t)
++')
+diff --git a/screen.te b/screen.te
+index 2583626..86af6f6 100644
+--- a/screen.te
++++ b/screen.te
+@@ -5,6 +5,8 @@ policy_module(screen, 2.5.0)
+ # Declarations
+ #
+
++attribute screen_domain;
++
+ type screen_exec_t;
+ application_executable_file(screen_exec_t)
+
+@@ -13,13 +15,84 @@ typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_sc
+ typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
+ userdom_user_home_content(screen_home_t)
+
+-type screen_tmp_t;
+-typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
+-typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
+-userdom_user_tmp_file(screen_tmp_t)
+-
+ type screen_var_run_t;
+ typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
+ typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
+ files_pid_file(screen_var_run_t)
+ ubac_constrained(screen_var_run_t)
++
++########################################
++#
++# Local policy
++#
++
++allow screen_domain self:capability { setuid setgid fsetid };
++allow screen_domain self:process signal_perms;
++allow screen_domain self:fifo_file rw_fifo_file_perms;
++allow screen_domain self:tcp_socket create_stream_socket_perms;
++allow screen_domain self:udp_socket create_socket_perms;
++# Internal screen networking
++allow screen_domain self:fd use;
++allow screen_domain self:unix_stream_socket { create_socket_perms connectto };
++allow screen_domain self:unix_dgram_socket create_socket_perms;
++
++# Create fifo
++manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
++manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
++manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
++files_pid_filetrans(screen_domain, screen_var_run_t, dir)
++
++allow screen_domain screen_home_t:dir list_dir_perms;
++manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
++manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
++userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir)
++userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir)
++read_files_pattern(screen_domain, screen_home_t, screen_home_t)
++read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t)
++
++kernel_read_kernel_sysctls(screen_domain)
++
++corecmd_list_bin(screen_domain)
++corecmd_read_bin_files(screen_domain)
++corecmd_read_bin_symlinks(screen_domain)
++corecmd_read_bin_pipes(screen_domain)
++corecmd_read_bin_sockets(screen_domain)
++
++corenet_tcp_sendrecv_generic_if(screen_domain)
++corenet_udp_sendrecv_generic_if(screen_domain)
++corenet_tcp_sendrecv_generic_node(screen_domain)
++corenet_udp_sendrecv_generic_node(screen_domain)
++corenet_tcp_sendrecv_all_ports(screen_domain)
++corenet_udp_sendrecv_all_ports(screen_domain)
++corenet_tcp_connect_all_ports(screen_domain)
++
++dev_dontaudit_getattr_all_chr_files(screen_domain)
++dev_dontaudit_getattr_all_blk_files(screen_domain)
++# for SSP
++dev_read_urand(screen_domain)
++
++domain_sigchld_interactive_fds(screen_domain)
++domain_use_interactive_fds(screen_domain)
++domain_read_all_domains_state(screen_domain)
++
++files_search_tmp(screen_domain)
++files_search_home(screen_domain)
++files_list_home(screen_domain)
++files_read_usr_files(screen_domain)
++files_read_etc_files(screen_domain)
++
++fs_search_auto_mountpoints(screen_domain)
++fs_getattr_xattr_fs(screen_domain)
++
++auth_dontaudit_read_shadow(screen_domain)
++auth_dontaudit_exec_utempter(screen_domain)
++
++# Write to utmp.
++init_rw_utmp(screen_domain)
++
++seutil_read_config(screen_domain)
++
++userdom_use_user_terminals(screen_domain)
++userdom_create_user_pty(screen_domain)
++userdom_setattr_user_ptys(screen_domain)
++userdom_setattr_user_ttys(screen_domain)
+diff --git a/sectoolm.fc b/sectoolm.fc
+index 1ed6870..3f1dac5 100644
+--- a/sectoolm.fc
++++ b/sectoolm.fc
+@@ -1,4 +1,4 @@
+ /usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
+
+ /var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
+-/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0)
++/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0)
+diff --git a/sectoolm.te b/sectoolm.te
+index c8ef84b..ffa81dd 100644
+--- a/sectoolm.te
++++ b/sectoolm.te
+@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.0)
+
+ type sectoolm_t;
+ type sectoolm_exec_t;
+-dbus_system_domain(sectoolm_t, sectoolm_exec_t)
++init_daemon_domain(sectoolm_t, sectoolm_exec_t)
+
+ type sectool_var_lib_t;
+ files_type(sectool_var_lib_t)
+@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t)
+ # sectool local policy
+ #
+
+-allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
++allow sectoolm_t self:capability { dac_override net_admin sys_nice };
+ allow sectoolm_t self:process { getcap getsched signull setsched };
+ dontaudit sectoolm_t self:process { execstack execmem };
+ allow sectoolm_t self:fifo_file rw_fifo_file_perms;
+@@ -70,12 +70,6 @@ application_exec_all(sectoolm_t)
+
+ auth_use_nsswitch(sectoolm_t)
+
+-# tests related to network
+-hostname_exec(sectoolm_t)
+-
+-# tests related to network
+-iptables_domtrans(sectoolm_t)
+-
+ libs_exec_ld_so(sectoolm_t)
+
+ logging_send_syslog_msg(sectoolm_t)
+@@ -84,6 +78,21 @@ logging_send_syslog_msg(sectoolm_t)
+ sysnet_domtrans_ifconfig(sectoolm_t)
+
+ userdom_manage_user_tmp_sockets(sectoolm_t)
++userdom_dgram_send(sectoolm_t)
++
++optional_policy(`
++ dbus_system_domain(sectoolm_t, sectoolm_exec_t)
++')
++
++optional_policy(`
++ # tests related to network
++ hostname_exec(sectoolm_t)
++')
++
++optional_policy(`
++ # tests related to network
++ iptables_domtrans(sectoolm_t)
++')
+
+ optional_policy(`
+ mount_exec(sectoolm_t)
+diff --git a/sendmail.fc b/sendmail.fc
+index a86ec50..da5d41d 100644
+--- a/sendmail.fc
++++ b/sendmail.fc
+@@ -1,5 +1,7 @@
+
+-/var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0)
++/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
++
++/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
+ /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
+
+ /var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+diff --git a/sendmail.if b/sendmail.if
+index 7e94c7c..ca74cd9 100644
+--- a/sendmail.if
++++ b/sendmail.if
+@@ -51,10 +51,24 @@ interface(`sendmail_domtrans',`
+ ')
+
+ mta_sendmail_domtrans($1, sendmail_t)
++')
++
++#######################################
++##
++## Execute sendmail in the sendmail domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sendmail_initrc_domtrans',`
++ gen_require(`
++ type sendmail_initrc_exec_t;
++ ')
+
+- allow sendmail_t $1:fd use;
+- allow sendmail_t $1:fifo_file rw_file_perms;
+- allow sendmail_t $1:process sigchld;
++ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
+ ')
+
+ ########################################
+@@ -152,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
+ type sendmail_t;
+ ')
+
+- allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
++ allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
+ ')
+
+ ########################################
+@@ -171,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
+ type sendmail_t;
+ ')
+
+- dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
++ dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
+ ')
+
+ ########################################
+@@ -295,3 +309,73 @@ interface(`sendmail_run_unconfined',`
+ sendmail_domtrans_unconfined($1)
+ role $2 types unconfined_sendmail_t;
+ ')
++
++########################################
++##
++## Set the attributes of sendmail pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sendmail_setattr_pid_files',`
++ gen_require(`
++ type sendmail_var_run_t;
++ ')
++
++ allow $1 sendmail_var_run_t:file setattr_file_perms;
++ files_search_pids($1)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an sendmail environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`sendmail_admin',`
++ gen_require(`
++ type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
++ type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
++ type mail_spool_t;
++ ')
++
++ allow $1 sendmail_t:process signal_perms;
++ ps_process_pattern($1, sendmail_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 sendmail_t:process ptrace;
++ allow $1 unconfined_sendmail_t:process ptrace;
++ ')
++
++ allow $1 unconfined_sendmail_t:process signal_perms;
++ ps_process_pattern($1, unconfined_sendmail_t)
++
++ sendmail_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 sendmail_initrc_exec_t system_r;
++
++ logging_list_logs($1)
++ admin_pattern($1, sendmail_log_t)
++
++ files_list_tmp($1)
++ admin_pattern($1, sendmail_tmp_t)
++
++ files_list_pids($1)
++ admin_pattern($1, sendmail_var_run_t)
++
++ files_list_spool($1)
++ admin_pattern($1, mail_spool_t)
++')
+diff --git a/sendmail.te b/sendmail.te
+index 22dac1f..a536819 100644
+--- a/sendmail.te
++++ b/sendmail.te
+@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
+ mta_mailserver_delivery(sendmail_t)
+ mta_mailserver_sender(sendmail_t)
+
+-type unconfined_sendmail_t;
+-application_domain(unconfined_sendmail_t, sendmail_exec_t)
+-role system_r types unconfined_sendmail_t;
++type sendmail_initrc_exec_t;
++init_script_file(sendmail_initrc_exec_t)
+
+ ########################################
+ #
+@@ -52,7 +51,6 @@ kernel_read_kernel_sysctls(sendmail_t)
+ # for piping mail to a command
+ kernel_read_system_state(sendmail_t)
+
+-corenet_all_recvfrom_unlabeled(sendmail_t)
+ corenet_all_recvfrom_netlabel(sendmail_t)
+ corenet_tcp_sendrecv_generic_if(sendmail_t)
+ corenet_tcp_sendrecv_generic_node(sendmail_t)
+@@ -79,17 +77,18 @@ corecmd_exec_bin(sendmail_t)
+
+ domain_use_interactive_fds(sendmail_t)
+
+-files_read_etc_files(sendmail_t)
+ files_read_usr_files(sendmail_t)
+ files_search_spool(sendmail_t)
+ # for piping mail to a command
+ files_read_etc_runtime_files(sendmail_t)
++files_read_all_tmp_files(sendmail_t)
+
+ init_use_fds(sendmail_t)
+ init_use_script_ptys(sendmail_t)
+ # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
+ init_read_utmp(sendmail_t)
+ init_dontaudit_write_utmp(sendmail_t)
++init_rw_script_tmp_files(sendmail_t)
+
+ auth_use_nsswitch(sendmail_t)
+
+@@ -100,10 +99,10 @@ logging_send_syslog_msg(sendmail_t)
+ logging_dontaudit_write_generic_logs(sendmail_t)
+
+ miscfiles_read_generic_certs(sendmail_t)
+-miscfiles_read_localization(sendmail_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
+-userdom_dontaudit_search_user_home_dirs(sendmail_t)
++userdom_read_user_home_content_files(sendmail_t)
++userdom_dontaudit_list_user_home_dirs(sendmail_t)
+
+ mta_read_config(sendmail_t)
+ mta_etc_filetrans_aliases(sendmail_t)
+@@ -115,6 +114,10 @@ mta_manage_spool(sendmail_t)
+ mta_sendmail_exec(sendmail_t)
+
+ optional_policy(`
++ cfengine_dontaudit_write_log(sendmail_t)
++')
++
++optional_policy(`
+ cron_read_pipes(sendmail_t)
+ ')
+
+@@ -128,7 +131,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dovecot_write_inherited_tmp_files(sendmail_t)
++')
++
++optional_policy(`
+ exim_domtrans(sendmail_t)
++ exim_manage_spool_files(sendmail_t)
++ exim_manage_spool_dirs(sendmail_t)
++ exim_read_log(sendmail_t)
+ ')
+
+ optional_policy(`
+@@ -149,7 +159,14 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ openshift_dontaudit_rw_inherited_fifo_files(sendmail_t)
++ openshift_rw_inherited_content(sendmail_t)
++')
++
++optional_policy(`
++ postfix_domtrans_postdrop(sendmail_t)
+ postfix_domtrans_master(sendmail_t)
++ postfix_domtrans_postqueue(sendmail_t)
+ postfix_read_config(sendmail_t)
+ postfix_search_spool(sendmail_t)
+ ')
+@@ -168,20 +185,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- udev_read_db(sendmail_t)
++ spamd_stream_connect(sendmail_t)
+ ')
+
+ optional_policy(`
+- uucp_domtrans_uux(sendmail_t)
++ udev_read_db(sendmail_t)
+ ')
+
+-########################################
+-#
+-# Unconfined sendmail local policy
+-# Allow unconfined domain to run newalias and have transitions work
+-#
+-
+ optional_policy(`
+- mta_etc_filetrans_aliases(unconfined_sendmail_t)
+- unconfined_domain(unconfined_sendmail_t)
++ uucp_domtrans_uux(sendmail_t)
+ ')
+diff --git a/sensord.fc b/sensord.fc
+new file mode 100644
+index 0000000..e1ef619
+--- /dev/null
++++ b/sensord.fc
+@@ -0,0 +1,5 @@
++/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0)
++
++/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
++
++/var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0)
+diff --git a/sensord.if b/sensord.if
+new file mode 100644
+index 0000000..5eba5fd
+--- /dev/null
++++ b/sensord.if
+@@ -0,0 +1,75 @@
++
++## Sensor information logging daemon
++
++########################################
++##
++## Execute sensord in the sensord domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`sensord_domtrans',`
++ gen_require(`
++ type sensord_t, sensord_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, sensord_exec_t, sensord_t)
++')
++########################################
++##
++## Execute sensord server in the sensord domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`sensord_systemctl',`
++ gen_require(`
++ type sensord_t;
++ type sensord_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 sensord_unit_file_t:file read_file_perms;
++ allow $1 sensord_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, sensord_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an sensord environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`sensord_admin',`
++ gen_require(`
++ type sensord_t;
++ type sensord_unit_file_t;
++ ')
++
++ allow $1 sensord_t:process { ptrace signal_perms };
++ ps_process_pattern($1, sensord_t)
++
++ sensord_systemctl($1)
++ admin_pattern($1, sensord_unit_file_t)
++ allow $1 sensord_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/sensord.te b/sensord.te
+new file mode 100644
+index 0000000..5e92ac9
+--- /dev/null
++++ b/sensord.te
+@@ -0,0 +1,35 @@
++policy_module(sensord, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type sensord_t;
++type sensord_exec_t;
++init_daemon_domain(sensord_t, sensord_exec_t)
++
++type sensord_unit_file_t;
++systemd_unit_file(sensord_unit_file_t)
++
++type sensord_var_run_t;
++files_pid_file(sensord_var_run_t)
++
++########################################
++#
++# sensord local policy
++#
++
++allow sensord_t self:fifo_file rw_fifo_file_perms;
++allow sensord_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t)
++files_pid_filetrans(sensord_t, sensord_var_run_t, { file })
++
++domain_use_interactive_fds(sensord_t)
++
++dev_read_sysfs(sensord_t)
++
++files_read_etc_files(sensord_t)
++
++logging_send_syslog_msg(sensord_t)
+diff --git a/setroubleshoot.if b/setroubleshoot.if
+index bcdd16c..039b0c8 100644
+--- a/setroubleshoot.if
++++ b/setroubleshoot.if
+@@ -2,7 +2,7 @@
+
+ ########################################
+ ##
+-## Connect to setroubleshootd over an unix stream socket.
++## Connect to setroubleshootd over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -23,7 +23,7 @@ interface(`setroubleshoot_stream_connect',`
+ ########################################
+ ##
+ ## Dontaudit attempts to connect to setroubleshootd
+-## over an unix stream socket.
++## over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',`
+
+ ########################################
+ ##
++## Dontaudit read/write to a setroubleshoot leaked sockets.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`setroubleshoot_fixit_dontaudit_leaks',`
++ gen_require(`
++ type setroubleshoot_fixit_t;
++ ')
++
++ dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write };
++ dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write };
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an setroubleshoot environment
+ ##
+@@ -117,15 +136,18 @@ interface(`setroubleshoot_dbus_chat_fixit',`
+ #
+ interface(`setroubleshoot_admin',`
+ gen_require(`
+- type setroubleshootd_t, setroubleshoot_log_t;
+- type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
++ type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t;
++ type setroubleshoot_var_lib_t;
+ ')
+
+- allow $1 setroubleshootd_t:process { ptrace signal_perms };
++ allow $1 setroubleshootd_t:process signal_perms;
+ ps_process_pattern($1, setroubleshootd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 setroubleshootd_t:process ptrace;
++ ')
+
+ logging_list_logs($1)
+- admin_pattern($1, setroubleshoot_log_t)
++ admin_pattern($1, setroubleshoot_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, setroubleshoot_var_lib_t)
+diff --git a/setroubleshoot.te b/setroubleshoot.te
+index 086cd5f..08ef0c7 100644
+--- a/setroubleshoot.te
++++ b/setroubleshoot.te
+@@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
+
+ type setroubleshoot_fixit_t;
+ type setroubleshoot_fixit_exec_t;
+-dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
++init_daemon_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+
+ type setroubleshoot_var_lib_t;
+ files_type(setroubleshoot_var_lib_t)
+@@ -30,8 +30,10 @@ files_pid_file(setroubleshoot_var_run_t)
+ # setroubleshootd local policy
+ #
+
+-allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
++allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
+ allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
++# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
++allow setroubleshootd_t self:process { execmem execstack };
+ allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
+ allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
+ allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -49,19 +51,23 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
+ logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
+
+ # pid file
++manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
+ manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
+ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
+-files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file })
++files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir })
+
+ kernel_read_kernel_sysctls(setroubleshootd_t)
+ kernel_read_system_state(setroubleshootd_t)
+ kernel_read_net_sysctls(setroubleshootd_t)
+ kernel_read_network_state(setroubleshootd_t)
++kernel_dontaudit_list_all_proc(setroubleshootd_t)
++kernel_read_irq_sysctls(setroubleshootd_t)
++kernel_read_unlabeled_state(setroubleshootd_t)
+
+ corecmd_exec_bin(setroubleshootd_t)
+ corecmd_exec_shell(setroubleshootd_t)
++corecmd_read_all_executables(setroubleshootd_t)
+
+-corenet_all_recvfrom_unlabeled(setroubleshootd_t)
+ corenet_all_recvfrom_netlabel(setroubleshootd_t)
+ corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
+ corenet_tcp_sendrecv_generic_node(setroubleshootd_t)
+@@ -74,17 +80,18 @@ dev_read_urand(setroubleshootd_t)
+ dev_read_sysfs(setroubleshootd_t)
+ dev_getattr_all_blk_files(setroubleshootd_t)
+ dev_getattr_all_chr_files(setroubleshootd_t)
++dev_getattr_mtrr_dev(setroubleshootd_t)
+
+ domain_dontaudit_search_all_domains_state(setroubleshootd_t)
+ domain_signull_all_domains(setroubleshootd_t)
+
+ files_read_usr_files(setroubleshootd_t)
+-files_read_etc_files(setroubleshootd_t)
+ files_list_all(setroubleshootd_t)
+ files_getattr_all_files(setroubleshootd_t)
+ files_getattr_all_pipes(setroubleshootd_t)
+ files_getattr_all_sockets(setroubleshootd_t)
+ files_read_all_symlinks(setroubleshootd_t)
++files_read_mnt_files(setroubleshootd_t)
+
+ fs_getattr_all_dirs(setroubleshootd_t)
+ fs_getattr_all_files(setroubleshootd_t)
+@@ -95,6 +102,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t)
+
+ selinux_get_enforce_mode(setroubleshootd_t)
+ selinux_validate_context(setroubleshootd_t)
++selinux_read_policy(setroubleshootd_t)
+
+ term_dontaudit_use_all_ptys(setroubleshootd_t)
+ term_dontaudit_use_all_ttys(setroubleshootd_t)
+@@ -104,15 +112,15 @@ auth_use_nsswitch(setroubleshootd_t)
+ init_read_utmp(setroubleshootd_t)
+ init_dontaudit_write_utmp(setroubleshootd_t)
+
+-miscfiles_read_localization(setroubleshootd_t)
++libs_exec_ld_so(setroubleshootd_t)
++
+
+ locallogin_dontaudit_use_fds(setroubleshootd_t)
+
+ logging_send_audit_msgs(setroubleshootd_t)
+ logging_send_syslog_msg(setroubleshootd_t)
+ logging_stream_connect_dispatcher(setroubleshootd_t)
+-
+-modutils_read_module_config(setroubleshootd_t)
++logging_stream_connect_syslog(setroubleshootd_t)
+
+ seutil_read_config(setroubleshootd_t)
+ seutil_read_file_contexts(setroubleshootd_t)
+@@ -121,10 +129,27 @@ seutil_read_bin_policy(setroubleshootd_t)
+ userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
+
+ optional_policy(`
++ abrt_dbus_chat(setroubleshootd_t)
++')
++
++optional_policy(`
++ locate_read_lib_files(setroubleshootd_t)
++')
++
++optional_policy(`
++ mock_getattr_lib(setroubleshootd_t)
++')
++
++optional_policy(`
++ modutils_read_module_config(setroubleshootd_t)
++')
++
++optional_policy(`
+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+ ')
+
+ optional_policy(`
++ rpm_exec(setroubleshootd_t)
+ rpm_signull(setroubleshootd_t)
+ rpm_read_db(setroubleshootd_t)
+ rpm_dontaudit_manage_db(setroubleshootd_t)
+@@ -150,11 +175,16 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+
+ corecmd_exec_bin(setroubleshoot_fixit_t)
+ corecmd_exec_shell(setroubleshoot_fixit_t)
++corecmd_getattr_all_executables(setroubleshoot_fixit_t)
++
++dev_read_sysfs(setroubleshoot_fixit_t)
++dev_read_urand(setroubleshoot_fixit_t)
+
+ seutil_domtrans_setfiles(setroubleshoot_fixit_t)
++seutil_domtrans_setsebool(setroubleshoot_fixit_t)
++seutil_read_module_store(setroubleshoot_fixit_t)
+
+ files_read_usr_files(setroubleshoot_fixit_t)
+-files_read_etc_files(setroubleshoot_fixit_t)
+ files_list_tmp(setroubleshoot_fixit_t)
+
+ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -162,7 +192,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+ logging_send_audit_msgs(setroubleshoot_fixit_t)
+ logging_send_syslog_msg(setroubleshoot_fixit_t)
+
+-miscfiles_read_localization(setroubleshoot_fixit_t)
++userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
++userdom_signull_unpriv_users(setroubleshoot_fixit_t)
++
++optional_policy(`
++ dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
++')
++
++optional_policy(`
++ gnome_dontaudit_search_config(setroubleshoot_fixit_t)
++')
+
+ optional_policy(`
+ rpm_signull(setroubleshoot_fixit_t)
+diff --git a/sge.fc b/sge.fc
+new file mode 100644
+index 0000000..160ddc2
+--- /dev/null
++++ b/sge.fc
+@@ -0,0 +1,6 @@
++
++/usr/bin/sge_execd -- gen_context(system_u:object_r:sge_execd_exec_t,s0)
++/usr/bin/sge_shepherd -- gen_context(system_u:object_r:sge_shepherd_exec_t,s0)
++
++/var/spool/gridengine(/.*)? gen_context(system_u:object_r:sge_spool_t,s0)
++
+diff --git a/sge.if b/sge.if
+new file mode 100644
+index 0000000..c9d2d9c
+--- /dev/null
++++ b/sge.if
+@@ -0,0 +1,24 @@
++## Policy for gridengine MPI jobs
++
++######################################
++##
++## Creates types and rules for a basic
++## sge domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`sge_basic_types_template',`
++ gen_require(`
++ attribute sge_domain;
++ ')
++
++ type $1_t, sge_domain;
++ type $1_exec_t;
++
++ kernel_read_system_state($1_t)
++')
++
+diff --git a/sge.te b/sge.te
+new file mode 100644
+index 0000000..d43336f
+--- /dev/null
++++ b/sge.te
+@@ -0,0 +1,193 @@
++policy_module(sge, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##
++## Allow sge to access nfs file systems.
++##
++##
++gen_tunable(sge_use_nfs, false)
++
++##
++##
++## Allow sge to connect to the network using any TCP port
++##
++##
++gen_tunable(sge_domain_can_network_connect, false)
++
++attribute sge_domain;
++
++sge_basic_types_template(sge_execd)
++init_daemon_domain(sge_execd_t, sge_execd_exec_t)
++
++type sge_spool_t;
++files_type(sge_spool_t)
++
++type sge_tmp_t;
++files_tmp_file(sge_tmp_t)
++
++sge_basic_types_template(sge_shepherd)
++application_domain(sge_shepherd_t, sge_shepherd_exec_t)
++role system_r types sge_shepherd_t;
++
++sge_basic_types_template(sge_job)
++application_domain(sge_job_t, sge_job_exec_t)
++corecmd_shell_entry_type(sge_job_t)
++role system_r types sge_job_t;
++
++#######################################
++#
++# sge_execd local policy
++#
++
++allow sge_execd_t self:capability { dac_override setuid chown setgid };
++allow sge_execd_t self:process { setsched signal setpgid };
++
++allow sge_execd_t sge_shepherd_t:process signal;
++
++kernel_read_kernel_sysctls(sge_execd_t)
++
++dev_read_sysfs(sge_execd_t)
++
++files_exec_usr_files(sge_execd_t)
++files_search_spool(sge_execd_t)
++
++fs_getattr_xattr_fs(sge_execd_t)
++
++auth_use_nsswitch(sge_execd_t)
++
++logging_send_syslog_msg(sge_execd_t)
++
++init_read_utmp(sge_execd_t)
++
++optional_policy(`
++ sendmail_domtrans(sge_execd_t)
++')
++
++######################################
++#
++# sge_shepherd local policy
++#
++
++allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_override };
++allow sge_shepherd_t self:process { setsched setrlimit setpgid };
++allow sge_shepherd_t self:process signal_perms;
++
++domtrans_pattern(sge_execd_t, sge_shepherd_exec_t, sge_shepherd_t)
++
++kernel_read_sysctl(sge_shepherd_t)
++kernel_read_kernel_sysctls(sge_shepherd_t)
++
++dev_read_sysfs(sge_shepherd_t)
++
++fs_getattr_all_fs(sge_shepherd_t)
++
++logging_send_syslog_msg(sge_shepherd_t)
++
++optional_policy(`
++ mta_send_mail(sge_shepherd_t)
++')
++
++optional_policy(`
++ ssh_domtrans(sge_shepherd_t)
++')
++
++optional_policy(`
++ unconfined_domain(sge_shepherd_t)
++')
++
++#####################################
++#
++# sge_job local policy
++#
++
++allow sge_shepherd_t sge_job_t:process signal_perms;
++
++corecmd_shell_domtrans(sge_shepherd_t, sge_job_t)
++
++kernel_read_kernel_sysctls(sge_job_t)
++
++term_use_all_terms(sge_job_t)
++
++logging_send_syslog_msg(sge_job_t)
++
++optional_policy(`
++ ssh_basic_client_template(sge_job, sge_job_t, system_r)
++ ssh_domtrans(sge_job_t)
++
++ allow sge_job_t sge_job_ssh_t:process sigkill;
++ allow sge_shepherd_t sge_job_ssh_t:process sigkill;
++
++ xserver_exec_xauth(sge_job_ssh_t)
++
++ tunable_policy(`sge_use_nfs',`
++ fs_list_auto_mountpoints(sge_job_ssh_t)
++ fs_manage_nfs_dirs(sge_job_ssh_t)
++ fs_manage_nfs_files(sge_job_ssh_t)
++ fs_read_nfs_symlinks(sge_job_ssh_t)
++ ')
++ ')
++
++optional_policy(`
++ xserver_domtrans_xauth(sge_job_t)
++')
++
++optional_policy(`
++ unconfined_domain(sge_job_t)
++')
++
++#####################################
++#
++# sge_domain local policy
++#
++
++allow sge_domain self:fifo_file rw_fifo_file_perms;
++allow sge_domain self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(sge_domain, sge_spool_t, sge_spool_t)
++manage_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
++manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
++
++manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
++manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
++files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir })
++
++kernel_read_network_state(sge_domain)
++
++corecmd_exec_bin(sge_domain)
++corecmd_exec_shell(sge_domain)
++
++domain_read_all_domains_state(sge_domain)
++
++files_read_etc_files(sge_domain)
++files_read_usr_files(sge_domain)
++
++dev_read_urand(sge_domain)
++
++tunable_policy(`sge_domain_can_network_connect',`
++ corenet_tcp_connect_all_ports(sge_domain)
++')
++
++tunable_policy(`sge_use_nfs',`
++ fs_list_auto_mountpoints(sge_domain)
++ fs_manage_nfs_dirs(sge_domain)
++ fs_manage_nfs_files(sge_domain)
++ fs_read_nfs_symlinks(sge_domain)
++ fs_exec_nfs_files(sge_domain)
++')
++
++optional_policy(`
++ sysnet_dns_name_resolve(sge_domain)
++')
++
++optional_policy(`
++ hostname_exec(sge_domain)
++')
++
++optional_policy(`
++ nslcd_stream_connect(sge_domain)
++')
+diff --git a/shorewall.fc b/shorewall.fc
+index 48d1363..4a5b930 100644
+--- a/shorewall.fc
++++ b/shorewall.fc
+@@ -7,6 +7,9 @@
+ /sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+ /sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
++/usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
++/usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
++
+ /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+ /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+ /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+diff --git a/shorewall.if b/shorewall.if
+index 781ad7e..d5ce40a 100644
+--- a/shorewall.if
++++ b/shorewall.if
+@@ -55,28 +55,9 @@ interface(`shorewall_read_config',`
+ read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
+ ')
+
+-#######################################
+-##
+-## Read shorewall PID files.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`shorewall_read_pid_files',`
+- gen_require(`
+- type shorewall_var_run_t;
+- ')
+-
+- files_search_pids($1)
+- read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+-')
+-
+-#######################################
++######################################
+ ##
+-## Read and write shorewall PID files.
++## Read shorewall /var/lib files.
+ ##
+ ##
+ ##
+@@ -84,28 +65,9 @@ interface(`shorewall_read_pid_files',`
+ ##
+ ##
+ #
+-interface(`shorewall_rw_pid_files',`
+- gen_require(`
+- type shorewall_var_run_t;
+- ')
+-
+- files_search_pids($1)
+- rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+-')
+-
+-######################################
+-##
+-## Read shorewall /var/lib files.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+ interface(`shorewall_read_lib_files',`
+ gen_require(`
+- type shorewall_t;
++ type shorewall_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+@@ -177,8 +139,11 @@ interface(`shorewall_admin',`
+ type shorewall_tmp_t, shorewall_etc_t;
+ ')
+
+- allow $1 shorewall_t:process { ptrace signal_perms };
++ allow $1 shorewall_t:process signal_perms;
+ ps_process_pattern($1, shorewall_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 shorewall_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/shorewall.te b/shorewall.te
+index 4723c6b..c55fcaa 100644
+--- a/shorewall.te
++++ b/shorewall.te
+@@ -37,9 +37,10 @@ logging_log_file(shorewall_log_t)
+ # shorewall local policy
+ #
+
+-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
++allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice };
+ dontaudit shorewall_t self:capability sys_tty_config;
+ allow shorewall_t self:fifo_file rw_fifo_file_perms;
++allow shorewall_t self:netlink_socket create_socket_perms;
+
+ read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+ list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+@@ -59,6 +60,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+ manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+ manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+ files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
++allow shorewall_t shorewall_var_lib_t:file entrypoint;
++
++allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
+
+ allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
+
+@@ -70,12 +74,12 @@ kernel_rw_net_sysctls(shorewall_t)
+ corecmd_exec_bin(shorewall_t)
+ corecmd_exec_shell(shorewall_t)
+
++dev_read_sysfs(shorewall_t)
+ dev_read_urand(shorewall_t)
+
+ domain_read_all_domains_state(shorewall_t)
+
+ files_getattr_kernel_modules(shorewall_t)
+-files_read_etc_files(shorewall_t)
+ files_read_usr_files(shorewall_t)
+ files_search_kernel_modules(shorewall_t)
+
+@@ -83,13 +87,20 @@ fs_getattr_all_fs(shorewall_t)
+
+ init_rw_utmp(shorewall_t)
+
++logging_read_generic_logs(shorewall_t)
+ logging_send_syslog_msg(shorewall_t)
+
+-miscfiles_read_localization(shorewall_t)
++auth_use_nsswitch(shorewall_t)
+
+ sysnet_domtrans_ifconfig(shorewall_t)
+
+-userdom_dontaudit_list_user_home_dirs(shorewall_t)
++userdom_dontaudit_list_admin_dir(shorewall_t)
++userdom_use_inherited_user_ttys(shorewall_t)
++userdom_use_inherited_user_ptys(shorewall_t)
++
++optional_policy(`
++ brctl_domtrans(shorewall_t)
++')
+
+ optional_policy(`
+ hostname_exec(shorewall_t)
+diff --git a/shutdown.fc b/shutdown.fc
+index 97671a3..e317fbe 100644
+--- a/shutdown.fc
++++ b/shutdown.fc
+@@ -2,6 +2,10 @@
+
+ /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+-/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+-/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
++/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++
++/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++
++/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
+diff --git a/shutdown.if b/shutdown.if
+index d0604cf..b66057c 100644
+--- a/shutdown.if
++++ b/shutdown.if
+@@ -18,9 +18,18 @@ interface(`shutdown_domtrans',`
+ corecmd_search_bin($1)
+ domtrans_pattern($1, shutdown_exec_t, shutdown_t)
+
++ init_reboot($1)
++ init_halt($1)
++
++ optional_policy(`
++ systemd_exec_systemctl($1)
++ init_stream_connect($1)
++ systemd_login_reboot($1)
++ systemd_login_halt($1)
++ ')
++
+ ifdef(`hide_broken_symptoms', `
+- dontaudit shutdown_t $1:socket_class_set { read write };
+- dontaudit shutdown_t $1:fifo_file { read write };
++ dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
+ ')
+ ')
+
+@@ -51,6 +60,73 @@ interface(`shutdown_run',`
+
+ ########################################
+ ##
++## Role access for shutdown
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`shutdown_role',`
++ gen_require(`
++ type shutdown_t;
++ ')
++
++ role $1 types shutdown_t;
++
++ shutdown_domtrans($2)
++
++ ps_process_pattern($2, shutdown_t)
++ allow $2 shutdown_t:process signal;
++')
++
++########################################
++##
++## Recieve sigchld from shutdown
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`shutdown_send_sigchld',`
++ gen_require(`
++ type shutdown_t;
++ ')
++
++ allow shutdown_t $1:process signal;
++')
++
++########################################
++##
++## Send and receive messages from
++## shutdown over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`shutdown_dbus_chat',`
++ gen_require(`
++ type shutdown_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 shutdown_t:dbus send_msg;
++ allow shutdown_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Get attributes of shutdown executable.
+ ##
+ ##
+diff --git a/shutdown.te b/shutdown.te
+index 8966ec9..2a52a13 100644
+--- a/shutdown.te
++++ b/shutdown.te
+@@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0)
+
+ type shutdown_t;
+ type shutdown_exec_t;
++init_system_domain(shutdown_t, shutdown_exec_t)
+ application_domain(shutdown_t, shutdown_exec_t)
+ role system_r types shutdown_t;
+
+@@ -21,8 +22,8 @@ files_pid_file(shutdown_var_run_t)
+ # shutdown local policy
+ #
+
+-allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
+-allow shutdown_t self:process { fork signal signull };
++allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config };
++allow shutdown_t self:process { fork setsched signal signull };
+
+ allow shutdown_t self:fifo_file manage_fifo_file_perms;
+ allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
+@@ -33,25 +34,31 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
+ manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
+ files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+
++kernel_read_system_state(shutdown_t)
++
+ domain_use_interactive_fds(shutdown_t)
+
+-files_read_etc_files(shutdown_t)
+ files_read_generic_pids(shutdown_t)
++files_delete_boot_flag(shutdown_t)
++
++mls_file_write_to_clearance(shutdown_t)
+
+-term_use_all_terms(shutdown_t)
++term_use_all_inherited_terms(shutdown_t)
+
+ auth_use_nsswitch(shutdown_t)
+ auth_write_login_records(shutdown_t)
+
+-init_dontaudit_write_utmp(shutdown_t)
+-init_read_utmp(shutdown_t)
++init_rw_utmp(shutdown_t)
+ init_stream_connect(shutdown_t)
+ init_telinit(shutdown_t)
+
+ logging_search_logs(shutdown_t)
+ logging_send_audit_msgs(shutdown_t)
+
+-miscfiles_read_localization(shutdown_t)
++
++optional_policy(`
++ cron_system_entry(shutdown_t, shutdown_exec_t)
++')
+
+ optional_policy(`
+ dbus_system_bus_client(shutdown_t)
+@@ -59,5 +66,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ oddjob_dontaudit_rw_fifo_file(shutdown_t)
++ oddjob_sigchld(shutdown_t)
++')
++
++optional_policy(`
++ rhev_sigchld_agentd(shutdown_t)
++')
++
++optional_policy(`
+ xserver_dontaudit_write_log(shutdown_t)
++ xserver_xdm_append_log(shutdown_t)
+ ')
+diff --git a/slocate.te b/slocate.te
+index a225c02..b76ed92 100644
+--- a/slocate.te
++++ b/slocate.te
+@@ -43,7 +43,6 @@ files_getattr_all_files(locate_t)
+ files_getattr_all_pipes(locate_t)
+ files_getattr_all_sockets(locate_t)
+ files_read_etc_runtime_files(locate_t)
+-files_read_etc_files(locate_t)
+
+ fs_getattr_all_fs(locate_t)
+ fs_getattr_all_files(locate_t)
+@@ -58,7 +57,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
+ # getpwnam
+ auth_use_nsswitch(locate_t)
+
+-miscfiles_read_localization(locate_t)
+
+ ifdef(`enable_mls',`
+ # On MLS machines will not be allowed to getattr Anything but SystemLow
+diff --git a/slpd.fc b/slpd.fc
+new file mode 100644
+index 0000000..5064a4a
+--- /dev/null
++++ b/slpd.fc
+@@ -0,0 +1,7 @@
++/etc/rc\.d/init\.d/slpd -- gen_context(system_u:object_r:slpd_initrc_exec_t,s0)
++
++/usr/sbin/slpd -- gen_context(system_u:object_r:slpd_exec_t,s0)
++
++/var/log/slpd\.log -- gen_context(system_u:object_r:slpd_var_log_t,s0)
++
++/var/run/slpd\.pid -- gen_context(system_u:object_r:slpd_var_run_t,s0)
+diff --git a/slpd.if b/slpd.if
+new file mode 100644
+index 0000000..75931f8
+--- /dev/null
++++ b/slpd.if
+@@ -0,0 +1,75 @@
++
++## OpenSLP server daemon to dynamically register services.
++
++########################################
++##
++## Transition to slpd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`slpd_domtrans',`
++ gen_require(`
++ type slpd_t, slpd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, slpd_exec_t, slpd_t)
++')
++
++########################################
++##
++## Execute slpd server in the slpd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`slpd_initrc_domtrans',`
++ gen_require(`
++ type slpd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, slpd_initrc_exec_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an slpd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`slpd_admin',`
++ gen_require(`
++ type slpd_t;
++ type slpd_initrc_exec_t;
++ ')
++
++ allow $1 slpd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, slpd_t)
++
++ slpd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 slpd_initrc_exec_t system_r;
++ allow $2 system_r;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/slpd.te b/slpd.te
+new file mode 100644
+index 0000000..cd475d6
+--- /dev/null
++++ b/slpd.te
+@@ -0,0 +1,52 @@
++policy_module(slpd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type slpd_t;
++type slpd_exec_t;
++init_daemon_domain(slpd_t, slpd_exec_t)
++
++type slpd_initrc_exec_t;
++init_script_file(slpd_initrc_exec_t)
++
++type slpd_var_log_t;
++logging_log_file(slpd_var_log_t)
++
++type slpd_var_run_t;
++files_pid_file(slpd_var_run_t)
++
++########################################
++#
++# slpd local policy
++#
++
++allow slpd_t self:capability { kill setgid setuid };
++allow slpd_t self:process { fork signal };
++allow slpd_t self:fifo_file rw_fifo_file_perms;
++allow slpd_t self:tcp_socket { create_socket_perms listen };
++allow slpd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(slpd_t, slpd_var_log_t, slpd_var_log_t)
++logging_log_filetrans(slpd_t, slpd_var_log_t, { file })
++
++manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t)
++files_pid_filetrans(slpd_t, slpd_var_run_t, { file })
++
++corenet_all_recvfrom_netlabel(slpd_t)
++corenet_tcp_bind_generic_node(slpd_t)
++corenet_udp_bind_generic_node(slpd_t)
++corenet_tcp_bind_all_ports(slpd_t)
++corenet_udp_bind_all_ports(slpd_t)
++
++dev_read_urand(slpd_t)
++
++domain_use_interactive_fds(slpd_t)
++
++files_read_etc_files(slpd_t)
++
++auth_use_nsswitch(slpd_t)
++
++sysnet_dns_name_resolve(slpd_t)
+diff --git a/slrnpull.te b/slrnpull.te
+index e5e72fd..84936ca 100644
+--- a/slrnpull.te
++++ b/slrnpull.te
+@@ -13,7 +13,7 @@ type slrnpull_var_run_t;
+ files_pid_file(slrnpull_var_run_t)
+
+ type slrnpull_spool_t;
+-files_type(slrnpull_spool_t)
++files_spool_file(slrnpull_spool_t)
+
+ type slrnpull_log_t;
+ logging_log_file(slrnpull_log_t)
+@@ -52,8 +52,6 @@ fs_search_auto_mountpoints(slrnpull_t)
+
+ logging_send_syslog_msg(slrnpull_t)
+
+-miscfiles_read_localization(slrnpull_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
+ userdom_dontaudit_search_user_home_dirs(slrnpull_t)
+
+diff --git a/smartmon.if b/smartmon.if
+index adea9f9..f5dd0fe 100644
+--- a/smartmon.if
++++ b/smartmon.if
+@@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',`
+ type fsdaemon_tmp_t;
+ ')
+
++ files_search_tmp($1)
+ allow $1 fsdaemon_tmp_t:file read_file_perms;
+ ')
+
+@@ -41,8 +42,11 @@ interface(`smartmon_admin',`
+ type fsdaemon_initrc_exec_t;
+ ')
+
+- allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
++ allow $1 fsdaemon_t:process signal_perms;
+ ps_process_pattern($1, fsdaemon_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 fsdaemon_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/smartmon.te b/smartmon.te
+index 6b3322b..c955ccc 100644
+--- a/smartmon.te
++++ b/smartmon.te
+@@ -1,4 +1,4 @@
+-policy_module(smartmon, 1.11.0)
++policy_module(smartmon, 1.14.0)
+
+ ########################################
+ #
+@@ -35,7 +35,7 @@ ifdef(`enable_mls',`
+ # Local policy
+ #
+
+-allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin };
++allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };
+ dontaudit fsdaemon_t self:capability sys_tty_config;
+ allow fsdaemon_t self:process { getcap setcap signal_perms };
+ allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
+@@ -52,12 +52,12 @@ manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t)
+ files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file)
+
+ kernel_read_kernel_sysctls(fsdaemon_t)
++kernel_read_network_state(fsdaemon_t)
+ kernel_read_software_raid_state(fsdaemon_t)
+ kernel_read_system_state(fsdaemon_t)
+
+ corecmd_exec_all_executables(fsdaemon_t)
+
+-corenet_all_recvfrom_unlabeled(fsdaemon_t)
+ corenet_all_recvfrom_netlabel(fsdaemon_t)
+ corenet_udp_sendrecv_generic_if(fsdaemon_t)
+ corenet_udp_sendrecv_generic_node(fsdaemon_t)
+@@ -73,26 +73,36 @@ files_read_etc_runtime_files(fsdaemon_t)
+ files_read_usr_files(fsdaemon_t)
+ # for config
+ files_read_etc_files(fsdaemon_t)
++files_read_usr_files(fsdaemon_t)
+
+ fs_getattr_all_fs(fsdaemon_t)
+ fs_search_auto_mountpoints(fsdaemon_t)
++fs_read_removable_files(fsdaemon_t)
+
+ mls_file_read_all_levels(fsdaemon_t)
+ #mls_rangetrans_target(fsdaemon_t)
+
++storage_create_fixed_disk_dev(fsdaemon_t)
++storage_dev_filetrans_named_fixed_disk(fsdaemon_t)
+ storage_raw_read_fixed_disk(fsdaemon_t)
+ storage_raw_write_fixed_disk(fsdaemon_t)
+ storage_raw_read_removable_device(fsdaemon_t)
++storage_read_scsi_generic(fsdaemon_t)
++storage_write_scsi_generic(fsdaemon_t)
+
+ term_dontaudit_search_ptys(fsdaemon_t)
+
++application_signull(fsdaemon_t)
++
++auth_read_passwd(fsdaemon_t)
++
++init_read_utmp(fsdaemon_t)
++
+ libs_exec_ld_so(fsdaemon_t)
+ libs_exec_lib_files(fsdaemon_t)
+
+ logging_send_syslog_msg(fsdaemon_t)
+
+-miscfiles_read_localization(fsdaemon_t)
+-
+ seutil_sigchld_newrole(fsdaemon_t)
+
+ sysnet_dns_name_resolve(fsdaemon_t)
+diff --git a/smokeping.if b/smokeping.if
+index 8265278..017b923 100644
+--- a/smokeping.if
++++ b/smokeping.if
+@@ -153,8 +153,11 @@ interface(`smokeping_admin',`
+ type smokeping_t, smokeping_initrc_exec_t;
+ ')
+
+- allow $1 smokeping_t:process { ptrace signal_perms };
++ allow $1 smokeping_t:process signal_perms;
+ ps_process_pattern($1, smokeping_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 smokeping_t:process ptrace;
++ ')
+
+ smokeping_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+diff --git a/smokeping.te b/smokeping.te
+index 740994a..4bfc780 100644
+--- a/smokeping.te
++++ b/smokeping.te
+@@ -36,11 +36,10 @@ manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+ manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+ files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } )
+
+-corecmd_read_bin_symlinks(smokeping_t)
++corecmd_exec_bin(smokeping_t)
+
+ dev_read_urand(smokeping_t)
+
+-files_read_etc_files(smokeping_t)
+ files_read_usr_files(smokeping_t)
+ files_search_tmp(smokeping_t)
+
+@@ -49,8 +48,6 @@ auth_dontaudit_read_shadow(smokeping_t)
+
+ logging_send_syslog_msg(smokeping_t)
+
+-miscfiles_read_localization(smokeping_t)
+-
+ mta_send_mail(smokeping_t)
+
+ netutils_domtrans_ping(smokeping_t)
+@@ -73,5 +70,9 @@ optional_policy(`
+ files_search_tmp(httpd_smokeping_cgi_script_t)
+ files_search_var_lib(httpd_smokeping_cgi_script_t)
+
++ auth_read_passwd(httpd_smokeping_cgi_script_t)
++
+ sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
++
++ netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
+ ')
+diff --git a/smoltclient.te b/smoltclient.te
+index bc00875..7dd4e53 100644
+--- a/smoltclient.te
++++ b/smoltclient.te
+@@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0)
+ type smoltclient_t;
+ type smoltclient_exec_t;
+ application_domain(smoltclient_t, smoltclient_exec_t)
+-cron_system_entry(smoltclient_t, smoltclient_exec_t)
+
+ type smoltclient_tmp_t;
+ files_tmp_file(smoltclient_tmp_t)
+@@ -39,20 +38,29 @@ corecmd_exec_shell(smoltclient_t)
+ corenet_tcp_connect_http_port(smoltclient_t)
+
+ dev_read_sysfs(smoltclient_t)
++dev_read_urand(smoltclient_t)
+
+ fs_getattr_all_fs(smoltclient_t)
+ fs_getattr_all_dirs(smoltclient_t)
+ fs_list_auto_mountpoints(smoltclient_t)
+
+ files_getattr_generic_locks(smoltclient_t)
+-files_read_etc_files(smoltclient_t)
++files_read_etc_runtime_files(smoltclient_t)
+ files_read_usr_files(smoltclient_t)
+
+ auth_use_nsswitch(smoltclient_t)
+
+ logging_send_syslog_msg(smoltclient_t)
+
+-miscfiles_read_localization(smoltclient_t)
++miscfiles_read_hwdata(smoltclient_t)
++
++optional_policy(`
++ abrt_stream_connect(smoltclient_t)
++')
++
++optional_policy(`
++ cron_system_entry(smoltclient_t, smoltclient_exec_t)
++')
+
+ optional_policy(`
+ dbus_system_bus_client(smoltclient_t)
+diff --git a/smsd.fc b/smsd.fc
+new file mode 100644
+index 0000000..4c3fcec
+--- /dev/null
++++ b/smsd.fc
+@@ -0,0 +1,11 @@
++/etc/rc\.d/init\.d/smsd -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
++
++/usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
++
++/var/lib/smstools(/.*)? gen_context(system_u:object_r:smsd_var_lib_t,s0)
++
++/var/log/smsd(/.*)? gen_context(system_u:object_r:smsd_log_t,s0)
++
++/var/run/smsd(/.*)? gen_context(system_u:object_r:smsd_var_run_t,s0)
++
++/var/spool/sms(/.*)? gen_context(system_u:object_r:smsd_spool_t,s0)
+diff --git a/smsd.if b/smsd.if
+new file mode 100644
+index 0000000..6db3f07
+--- /dev/null
++++ b/smsd.if
+@@ -0,0 +1,241 @@
++
++## The SMS Server Tools are made to send and receive short messages through GSM modems. It supports easy file interfaces and it can run external programs for automatic actions.
++
++########################################
++##
++## Execute smsd in the smsd domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`smsd_domtrans',`
++ gen_require(`
++ type smsd_t, smsd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, smsd_exec_t, smsd_t)
++')
++
++########################################
++##
++## Execute smsd server in the smsd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`smsd_initrc_domtrans',`
++ gen_require(`
++ type smsd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, smsd_initrc_exec_t)
++')
++
++########################################
++##
++## Read smsd's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`smsd_read_log',`
++ gen_require(`
++ type smsd_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, smsd_log_t, smsd_log_t)
++')
++
++########################################
++##
++## Append to smsd log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`smsd_append_log',`
++ gen_require(`
++ type smsd_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, smsd_log_t, smsd_log_t)
++')
++
++########################################
++##
++## Manage smsd log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`smsd_manage_log',`
++ gen_require(`
++ type smsd_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, smsd_log_t, smsd_log_t)
++ manage_files_pattern($1, smsd_log_t, smsd_log_t)
++ manage_lnk_files_pattern($1, smsd_log_t, smsd_log_t)
++')
++########################################
++##
++## Read smsd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`smsd_read_pid_files',`
++ gen_require(`
++ type smsd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, smsd_var_run_t, smsd_var_run_t)
++')
++
++########################################
++##
++## Search smsd spool directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`smsd_search_spool',`
++ gen_require(`
++ type smsd_spool_t;
++ ')
++
++ allow $1 smsd_spool_t:dir search_dir_perms;
++ files_search_spool($1)
++')
++
++########################################
++##
++## Read smsd spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`smsd_read_spool_files',`
++ gen_require(`
++ type smsd_spool_t;
++ ')
++
++ files_search_spool($1)
++ read_files_pattern($1, smsd_spool_t, smsd_spool_t)
++')
++
++########################################
++##
++## Manage smsd spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`smsd_manage_spool_files',`
++ gen_require(`
++ type smsd_spool_t;
++ ')
++
++ files_search_spool($1)
++ manage_files_pattern($1, smsd_spool_t, smsd_spool_t)
++')
++
++########################################
++##
++## Manage smsd spool dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`smsd_manage_spool_dirs',`
++ gen_require(`
++ type smsd_spool_t;
++ ')
++
++ files_search_spool($1)
++ manage_dirs_pattern($1, smsd_spool_t, smsd_spool_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an smsd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`smsd_admin',`
++ gen_require(`
++ type smsd_t;
++ type smsd_initrc_exec_t;
++ type smsd_log_t;
++ type smsd_var_run_t;
++ type smsd_spool_t;
++ ')
++
++ allow $1 smsd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, smsd_t)
++
++ smsd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 smsd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_search_logs($1)
++ admin_pattern($1, smsd_log_t)
++
++ files_search_pids($1)
++ admin_pattern($1, smsd_var_run_t)
++
++ files_search_spool($1)
++ admin_pattern($1, smsd_spool_t)
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/smsd.te b/smsd.te
+new file mode 100644
+index 0000000..4e822e5
+--- /dev/null
++++ b/smsd.te
+@@ -0,0 +1,74 @@
++policy_module(smsd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type smsd_t;
++type smsd_exec_t;
++init_daemon_domain(smsd_t, smsd_exec_t)
++
++type smsd_initrc_exec_t;
++init_script_file(smsd_initrc_exec_t)
++
++type smsd_log_t;
++logging_log_file(smsd_log_t)
++
++type smsd_var_lib_t;
++files_type(smsd_var_lib_t)
++
++type smsd_var_run_t;
++files_pid_file(smsd_var_run_t)
++
++type smsd_spool_t;
++files_type(smsd_spool_t)
++
++type smsd_tmp_t;
++files_tmp_file(smsd_tmp_t)
++
++########################################
++#
++# smsd local policy
++#
++
++allow smsd_t self:capability { kill setgid setuid };
++allow smsd_t self:process { fork signal };
++allow smsd_t self:fifo_file rw_fifo_file_perms;
++allow smsd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(smsd_t, smsd_log_t, smsd_log_t)
++manage_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
++manage_lnk_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
++logging_log_filetrans(smsd_t, smsd_log_t, { dir })
++
++manage_dirs_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
++manage_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
++manage_lnk_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
++
++manage_dirs_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
++manage_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
++manage_lnk_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
++files_pid_filetrans(smsd_t, smsd_var_run_t, { dir })
++
++manage_dirs_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
++manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
++manage_lnk_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
++files_spool_filetrans(smsd_t, smsd_spool_t, { dir })
++
++manage_dirs_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t)
++manage_files_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t)
++files_tmp_filetrans(smsd_t, smsd_tmp_t, { file dir })
++
++kernel_read_system_state(smsd_t)
++kernel_read_kernel_sysctls(smsd_t)
++
++corecmd_exec_shell(smsd_t)
++
++files_read_etc_files(smsd_t)
++
++auth_use_nsswitch(smsd_t)
++
++logging_send_syslog_msg(smsd_t)
++
++sysnet_dns_name_resolve(smsd_t)
+diff --git a/snmp.fc b/snmp.fc
+index 623c8fa..1ef62d0 100644
+--- a/snmp.fc
++++ b/snmp.fc
+@@ -16,9 +16,10 @@
+ /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+ /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+-/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0)
++/var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0)
+
+-/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0)
++/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
++/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+ /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+ /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
+diff --git a/snmp.if b/snmp.if
+index 275f9fb..f1343b7 100644
+--- a/snmp.if
++++ b/snmp.if
+@@ -11,12 +11,12 @@
+ ##
+ #
+ interface(`snmp_stream_connect',`
+- gen_require(`
++ gen_require(`
+ type snmpd_t, snmpd_var_lib_t;
+- ')
++ ')
+
+- files_search_var_lib($1)
+- stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
++ files_search_var_lib($1)
++ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+ ')
+
+ ########################################
+@@ -62,11 +62,70 @@ interface(`snmp_read_snmp_var_lib_files',`
+ type snmpd_var_lib_t;
+ ')
+
++ files_search_var_lib($1)
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+ read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+ ')
+
++#######################################
++##
++## Read snmpd libraries directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`snmp_read_snmp_var_lib_dirs',`
++ gen_require(`
++ type snmpd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 snmpd_var_lib_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Manage snmpd libraries directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`snmp_manage_var_lib_dirs',`
++ gen_require(`
++ type snmpd_var_lib_t;
++ ')
++
++ allow $1 snmpd_var_lib_t:dir manage_dir_perms;
++ files_var_lib_filetrans($1, snmpd_var_lib_t, dir)
++')
++
++########################################
++##
++## Manage snmpd libraries.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`snmp_manage_var_lib_files',`
++ gen_require(`
++ type snmpd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 snmpd_var_lib_t:dir list_dir_perms;
++ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
++')
++
+ ########################################
+ ##
+ ## dontaudit Read snmpd libraries.
+@@ -81,9 +140,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
++
+ dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
+ dontaudit $1 snmpd_var_lib_t:file read_file_perms;
+- dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
++ dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -123,13 +183,15 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
+ #
+ interface(`snmp_admin',`
+ gen_require(`
+- type snmpd_t, snmpd_log_t;
++ type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
+ type snmpd_var_lib_t, snmpd_var_run_t;
+- type snmpd_initrc_exec_t;
+ ')
+
+- allow $1 snmpd_t:process { ptrace signal_perms getattr };
++ allow $1 snmpd_t:process signal_perms;
+ ps_process_pattern($1, snmpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 snmpd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/snmp.te b/snmp.te
+index 56f074c..4909ce8 100644
+--- a/snmp.te
++++ b/snmp.te
+@@ -4,6 +4,7 @@ policy_module(snmp, 1.13.0)
+ #
+ # Declarations
+ #
++
+ type snmpd_t;
+ type snmpd_exec_t;
+ init_daemon_domain(snmpd_t, snmpd_exec_t)
+@@ -24,12 +25,14 @@ files_type(snmpd_var_lib_t)
+ #
+ # Local policy
+ #
+-allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
++
++allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
++
+ dontaudit snmpd_t self:capability { sys_module sys_tty_config };
+ allow snmpd_t self:process { signal_perms getsched setsched };
+ allow snmpd_t self:fifo_file rw_fifo_file_perms;
+ allow snmpd_t self:unix_dgram_socket create_socket_perms;
+-allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
++allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow snmpd_t self:tcp_socket create_stream_socket_perms;
+ allow snmpd_t self:udp_socket connected_stream_socket_perms;
+
+@@ -41,23 +44,23 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+ manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+ files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
+ files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
+-files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file)
++files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file })
+
++manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
+ manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
+-files_pid_filetrans(snmpd_t, snmpd_var_run_t, file)
++files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir })
+
+ kernel_read_device_sysctls(snmpd_t)
+ kernel_read_kernel_sysctls(snmpd_t)
+ kernel_read_fs_sysctls(snmpd_t)
+ kernel_read_net_sysctls(snmpd_t)
+-kernel_read_proc_symlinks(snmpd_t)
+-kernel_read_system_state(snmpd_t)
+ kernel_read_network_state(snmpd_t)
++kernel_read_proc_symlinks(snmpd_t)
++kernel_read_all_proc(snmpd_t)
+
+ corecmd_exec_bin(snmpd_t)
+ corecmd_exec_shell(snmpd_t)
+
+-corenet_all_recvfrom_unlabeled(snmpd_t)
+ corenet_all_recvfrom_netlabel(snmpd_t)
+ corenet_tcp_sendrecv_generic_if(snmpd_t)
+ corenet_udp_sendrecv_generic_if(snmpd_t)
+@@ -73,6 +76,7 @@ corenet_sendrecv_snmp_server_packets(snmpd_t)
+ corenet_tcp_connect_agentx_port(snmpd_t)
+ corenet_tcp_bind_agentx_port(snmpd_t)
+ corenet_udp_bind_agentx_port(snmpd_t)
++corenet_tcp_connect_snmp_port(snmpd_t)
+
+ dev_list_sysfs(snmpd_t)
+ dev_read_sysfs(snmpd_t)
+@@ -83,10 +87,8 @@ dev_getattr_usbfs_dirs(snmpd_t)
+ domain_use_interactive_fds(snmpd_t)
+ domain_signull_all_domains(snmpd_t)
+ domain_read_all_domains_state(snmpd_t)
+-domain_dontaudit_ptrace_all_domains(snmpd_t)
+ domain_exec_all_entry_files(snmpd_t)
+
+-files_read_etc_files(snmpd_t)
+ files_read_usr_files(snmpd_t)
+ files_read_etc_runtime_files(snmpd_t)
+ files_search_home(snmpd_t)
+@@ -94,28 +96,28 @@ files_search_home(snmpd_t)
+ fs_getattr_all_dirs(snmpd_t)
+ fs_getattr_all_fs(snmpd_t)
+ fs_search_auto_mountpoints(snmpd_t)
++files_search_all_mountpoints(snmpd_t)
+
+ storage_dontaudit_read_fixed_disk(snmpd_t)
+ storage_dontaudit_read_removable_device(snmpd_t)
++storage_dontaudit_write_removable_device(snmpd_t)
+
+ auth_use_nsswitch(snmpd_t)
+-files_list_non_auth_dirs(snmpd_t)
++files_list_all(snmpd_t)
+
+ init_read_utmp(snmpd_t)
+ init_dontaudit_write_utmp(snmpd_t)
++# need write to /var/run/systemd/notify
++init_write_pid_socket(snmpd_t)
+
+ logging_send_syslog_msg(snmpd_t)
+
+-miscfiles_read_localization(snmpd_t)
+-
+-seutil_dontaudit_search_config(snmpd_t)
+-
+ sysnet_read_config(snmpd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
+ userdom_dontaudit_search_user_home_dirs(snmpd_t)
+
+-ifdef(`distro_redhat', `
++ifdef(`distro_redhat',`
+ optional_policy(`
+ rpm_read_db(snmpd_t)
+ rpm_dontaudit_manage_db(snmpd_t)
+@@ -131,6 +133,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ corosync_stream_connect(snmpd_t)
++')
++
++optional_policy(`
+ cups_read_rw_config(snmpd_t)
+ ')
+
+@@ -140,6 +146,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ ricci_stream_connect_modclusterd(snmpd_t)
++')
++
++optional_policy(`
+ rpc_search_nfs_state_data(snmpd_t)
+ ')
+
+diff --git a/snort.if b/snort.if
+index c117e8b..0eb909b 100644
+--- a/snort.if
++++ b/snort.if
+@@ -41,8 +41,11 @@ interface(`snort_admin',`
+ type snort_etc_t, snort_initrc_exec_t;
+ ')
+
+- allow $1 snort_t:process { ptrace signal_perms };
++ allow $1 snort_t:process signal_perms;
+ ps_process_pattern($1, snort_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 snort_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, snort_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -50,11 +53,11 @@ interface(`snort_admin',`
+ allow $2 system_r;
+
+ admin_pattern($1, snort_etc_t)
+- files_search_etc($1)
++ files_list_etc($1)
+
+ admin_pattern($1, snort_log_t)
+- logging_search_logs($1)
++ logging_list_logs($1)
+
+ admin_pattern($1, snort_var_run_t)
+- files_search_pids($1)
++ files_list_pids($1)
+ ')
+diff --git a/snort.te b/snort.te
+index 179bc1b..3dbbcc0 100644
+--- a/snort.te
++++ b/snort.te
+@@ -32,17 +32,18 @@ files_pid_file(snort_var_run_t)
+ allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
+ dontaudit snort_t self:capability sys_tty_config;
+ allow snort_t self:process signal_perms;
+-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
++allow snort_t self:netlink_route_socket create_netlink_socket_perms;
++allow snort_t self:netlink_socket create_socket_perms;
+ allow snort_t self:tcp_socket create_stream_socket_perms;
+ allow snort_t self:udp_socket create_socket_perms;
+ allow snort_t self:packet_socket create_socket_perms;
+ allow snort_t self:socket create_socket_perms;
+ # Snort IPS node. unverified.
+-allow snort_t self:netlink_firewall_socket { bind create getattr };
++allow snort_t self:netlink_firewall_socket create_socket_perms;
+
+ allow snort_t snort_etc_t:dir list_dir_perms;
+ allow snort_t snort_etc_t:file read_file_perms;
+-allow snort_t snort_etc_t:lnk_file { getattr read };
++allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
+
+ manage_files_pattern(snort_t, snort_log_t, snort_log_t)
+ create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
+@@ -63,7 +64,6 @@ kernel_request_load_module(snort_t)
+ kernel_dontaudit_read_system_state(snort_t)
+ kernel_read_network_state(snort_t)
+
+-corenet_all_recvfrom_unlabeled(snort_t)
+ corenet_all_recvfrom_netlabel(snort_t)
+ corenet_tcp_sendrecv_generic_if(snort_t)
+ corenet_udp_sendrecv_generic_if(snort_t)
+@@ -95,8 +95,6 @@ init_read_utmp(snort_t)
+
+ logging_send_syslog_msg(snort_t)
+
+-miscfiles_read_localization(snort_t)
+-
+ sysnet_read_config(snort_t)
+ # snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
+ sysnet_dns_name_resolve(snort_t)
+diff --git a/sosreport.fc b/sosreport.fc
+index a40478e..050f521 100644
+--- a/sosreport.fc
++++ b/sosreport.fc
+@@ -1 +1,3 @@
+ /usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
++
++/.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)
+diff --git a/sosreport.if b/sosreport.if
+index 94c01b5..f64bd93 100644
+--- a/sosreport.if
++++ b/sosreport.if
+@@ -106,7 +106,7 @@ interface(`sosreport_append_tmp_files',`
+ type sosreport_tmp_t;
+ ')
+
+- append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
++ allow $1 sosreport_tmp_t:file append_inherited_file_perms;
+ ')
+
+ ########################################
+diff --git a/sosreport.te b/sosreport.te
+index c6079a5..cb59eff 100644
+--- a/sosreport.te
++++ b/sosreport.te
+@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t)
+ # sosreport local policy
+ #
+
+-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
+ allow sosreport_t self:process { setsched signull };
+ allow sosreport_t self:fifo_file rw_fifo_file_perms;
+ allow sosreport_t self:tcp_socket create_stream_socket_perms;
+@@ -64,7 +64,6 @@ files_getattr_all_sockets(sosreport_t)
+ files_exec_etc_files(sosreport_t)
+ files_list_all(sosreport_t)
+ files_read_config_files(sosreport_t)
+-files_read_etc_files(sosreport_t)
+ files_read_generic_tmp_files(sosreport_t)
+ files_read_usr_files(sosreport_t)
+ files_read_var_lib_files(sosreport_t)
+@@ -74,13 +73,17 @@ files_read_all_symlinks(sosreport_t)
+ # for blkid.tab
+ files_manage_etc_runtime_files(sosreport_t)
+ files_etc_filetrans_etc_runtime(sosreport_t, file)
++files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
+
+ fs_getattr_all_fs(sosreport_t)
+ fs_list_inotifyfs(sosreport_t)
+
++storage_dontaudit_read_fixed_disk(sosreport_t)
++storage_dontaudit_read_removable_device(sosreport_t)
++
+ # some config files do not have configfile attribute
+ # sosreport needs to read various files on system
+-files_read_non_auth_files(sosreport_t)
++files_read_non_security_files(sosreport_t)
+ auth_use_nsswitch(sosreport_t)
+
+ init_domtrans_script(sosreport_t)
+@@ -90,15 +93,11 @@ libs_domtrans_ldconfig(sosreport_t)
+ logging_read_all_logs(sosreport_t)
+ logging_send_syslog_msg(sosreport_t)
+
+-miscfiles_read_localization(sosreport_t)
+-
+-# needed by modinfo
+-modutils_read_module_deps(sosreport_t)
+-
+ sysnet_read_config(sosreport_t)
+
+ optional_policy(`
+ abrt_manage_pid_files(sosreport_t)
++ abrt_manage_cache(sosreport_t)
+ ')
+
+ optional_policy(`
+@@ -110,6 +109,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # needed by modinfo
++ modutils_read_module_deps(sosreport_t)
++')
++
++optional_policy(`
+ fstools_domtrans(sosreport_t)
+ ')
+
+diff --git a/soundserver.if b/soundserver.if
+index 93fe7bf..1b07ed4 100644
+--- a/soundserver.if
++++ b/soundserver.if
+@@ -33,13 +33,15 @@ interface(`soundserver_tcp_connect',`
+ #
+ interface(`soundserver_admin',`
+ gen_require(`
+- type soundd_t, soundd_etc_t;
++ type soundd_t, soundd_etc_t, soundd_initrc_exec_t;
+ type soundd_tmp_t, soundd_var_run_t;
+- type soundd_initrc_exec_t;
+ ')
+
+- allow $1 soundd_t:process { ptrace signal_perms };
++ allow $1 soundd_t:process signal_perms;
+ ps_process_pattern($1, soundd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 soundd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, soundd_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/soundserver.te b/soundserver.te
+index 3217605..e9a4381 100644
+--- a/soundserver.te
++++ b/soundserver.te
+@@ -68,7 +68,6 @@ kernel_read_kernel_sysctls(soundd_t)
+ kernel_list_proc(soundd_t)
+ kernel_read_proc_symlinks(soundd_t)
+
+-corenet_all_recvfrom_unlabeled(soundd_t)
+ corenet_all_recvfrom_netlabel(soundd_t)
+ corenet_tcp_sendrecv_generic_if(soundd_t)
+ corenet_udp_sendrecv_generic_if(soundd_t)
+@@ -94,8 +93,6 @@ fs_search_auto_mountpoints(soundd_t)
+
+ logging_send_syslog_msg(soundd_t)
+
+-miscfiles_read_localization(soundd_t)
+-
+ sysnet_read_config(soundd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(soundd_t)
+diff --git a/spamassassin.fc b/spamassassin.fc
+index 6b3abf9..80c9e56 100644
+--- a/spamassassin.fc
++++ b/spamassassin.fc
+@@ -1,15 +1,53 @@
+-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
++HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++/root/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++/root/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++
++/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+
+ /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
+-/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
++/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
+ /usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
+ /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
+
+ /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
+
+ /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
++/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
++
++/var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
++/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
+
+ /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+
+ /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+ /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
++/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
++/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
++/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
++
++/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
++
++/etc/pyzor(/.*)? gen_context(system_u:object_r:spamd_etc_t, s0)
++/etc/razor(/.*)? gen_context(system_u:object_r:spamd_etc_t,s0)
++/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
++
++/usr/bin/razor.* -- gen_context(system_u:object_r:spamc_exec_t,s0)
++
++/var/lib/pyzord(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
++/var/lib/razor(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
++
++/var/log/pyzord\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
++/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
++
++/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0)
++/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0)
+diff --git a/spamassassin.if b/spamassassin.if
+index c954f31..82fc7f6 100644
+--- a/spamassassin.if
++++ b/spamassassin.if
+@@ -14,6 +14,7 @@
+ ## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`spamassassin_role',`
+ gen_require(`
+@@ -25,9 +26,13 @@ interface(`spamassassin_role',`
+ role $1 types { spamc_t spamassassin_t };
+
+ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
++
++ allow $2 spamassassin_t:process signal_perms;
+ ps_process_pattern($2, spamassassin_t)
+
+ domtrans_pattern($2, spamc_exec_t, spamc_t)
++
++ allow $2 spamc_t:process signal_perms;
+ ps_process_pattern($2, spamc_t)
+
+ manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+@@ -55,7 +60,6 @@ interface(`spamassassin_exec',`
+ ')
+
+ can_exec($1, spamassassin_exec_t)
+-
+ ')
+
+ ########################################
+@@ -111,6 +115,67 @@ interface(`spamassassin_domtrans_client',`
+ ')
+
+ domtrans_pattern($1, spamc_exec_t, spamc_t)
++ allow $1 spamc_exec_t:file ioctl;
++')
++
++########################################
++##
++## Send kill signal to spamassassin client
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`spamassassin_kill_client',`
++ gen_require(`
++ type spamc_t;
++ ')
++
++ allow $1 spamc_t:process sigkill;
++')
++
++########################################
++##
++## Manage spamc home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`spamassassin_manage_home_client',`
++ gen_require(`
++ type spamc_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
++ manage_files_pattern($1, spamc_home_t, spamc_home_t)
++ manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
++')
++
++########################################
++##
++## Read spamc home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`spamassassin_read_home_client',`
++ gen_require(`
++ type spamc_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ list_dirs_pattern($1, spamc_home_t, spamc_home_t)
++ read_files_pattern($1, spamc_home_t, spamc_home_t)
++ read_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
+ ')
+
+ ########################################
+@@ -166,7 +231,9 @@ interface(`spamassassin_read_lib_files',`
+ ')
+
+ files_search_var_lib($1)
++ list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+ read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
++ read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+ ')
+
+ ########################################
+@@ -204,6 +271,7 @@ interface(`spamassassin_read_spamd_tmp_files',`
+ type spamd_tmp_t;
+ ')
+
++ files_search_tmp($1)
+ allow $1 spamd_tmp_t:file read_file_perms;
+ ')
+
+@@ -223,5 +291,94 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+ type spamd_tmp_t;
+ ')
+
+- dontaudit $1 spamd_tmp_t:sock_file getattr;
++ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
++')
++
++########################################
++##
++## Connect to run spamd.
++##
++##
++##
++## Domain allowed to connect.
++##
++##
++#
++interface(`spamd_stream_connect',`
++ gen_require(`
++ type spamd_t, spamd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
++')
++
++########################################
++##
++## Read spamd pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`spamassassin_read_pid_files',`
++ gen_require(`
++ type spamd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an spamassassin environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the spamassassin domain.
++##
++##
++##
++#
++interface(`spamassassin_spamd_admin',`
++ gen_require(`
++ type spamd_t, spamd_tmp_t, spamd_log_t;
++ type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
++ type spamd_initrc_exec_t;
++ ')
++
++ allow $1 spamd_t:process signal_perms;
++ ps_process_pattern($1, spamd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 spamd_t:process ptrace;
++ ')
++
++ init_labeled_script_domtrans($1, spamd_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 spamd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_list_tmp($1)
++ admin_pattern($1, spamd_tmp_t)
++
++ logging_list_logs($1)
++ admin_pattern($1, spamd_log_t)
++
++ files_list_spool($1)
++ admin_pattern($1, spamd_spool_t)
++
++ files_list_var_lib($1)
++ admin_pattern($1, spamd_var_lib_t)
++
++ files_list_pids($1)
++ admin_pattern($1, spamd_var_run_t)
+ ')
+diff --git a/spamassassin.te b/spamassassin.te
+index 1bbf73b..dd3e5e1 100644
+--- a/spamassassin.te
++++ b/spamassassin.te
+@@ -6,52 +6,40 @@ policy_module(spamassassin, 2.5.0)
+ #
+
+ ##
+-##
+-## Allow user spamassassin clients to use the network.
+-##
++##
++## Allow user spamassassin clients to use the network.
++##
+ ##
+ gen_tunable(spamassassin_can_network, false)
+
+ ##
+-##
+-## Allow spamd to read/write user home directories.
+-##
++##
++## Allow spamd to read/write user home directories.
++##
+ ##
+ gen_tunable(spamd_enable_home_dirs, true)
+
+-type spamassassin_t;
+-type spamassassin_exec_t;
+-typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
+-typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
+-userdom_user_application_domain(spamassassin_t, spamassassin_exec_t)
+-
+-type spamassassin_home_t;
+-typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+-typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+-userdom_user_home_content(spamassassin_home_t)
+-
+-type spamassassin_tmp_t;
+-typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+-typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+-userdom_user_tmp_file(spamassassin_tmp_t)
+-
+-type spamc_t;
+-type spamc_exec_t;
+-typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
+-typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
+-userdom_user_application_domain(spamc_t, spamc_exec_t)
+-
+-type spamc_tmp_t;
+-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+-userdom_user_tmp_file(spamc_tmp_t)
++
++type spamd_update_t;
++type spamd_update_exec_t;
++application_domain(spamd_update_t, spamd_update_exec_t)
++role system_r types spamd_update_t;
+
+ type spamd_t;
+ type spamd_exec_t;
+ init_daemon_domain(spamd_t, spamd_exec_t)
+
++type spamd_compiled_t;
++files_type(spamd_compiled_t)
++
++type spamd_initrc_exec_t;
++init_script_file(spamd_initrc_exec_t)
++
++type spamd_log_t;
++logging_log_file(spamd_log_t)
++
+ type spamd_spool_t;
+-files_type(spamd_spool_t)
++files_spool_file(spamd_spool_t)
+
+ type spamd_tmp_t;
+ files_tmp_file(spamd_tmp_t)
+@@ -63,6 +51,89 @@ files_type(spamd_var_lib_t)
+ type spamd_var_run_t;
+ files_pid_file(spamd_var_run_t)
+
++ifdef(`distro_redhat',`
++ # spamassassin client executable
++ type spamc_t;
++ type spamc_exec_t;
++ application_domain(spamc_t, spamc_exec_t)
++ role system_r types spamc_t;
++
++ type spamd_etc_t;
++ files_config_file(spamd_etc_t)
++
++ typealias spamc_exec_t alias spamassassin_exec_t;
++ typealias spamc_t alias spamassassin_t;
++
++ type spamc_home_t;
++ userdom_user_home_content(spamc_home_t)
++ typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
++ typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
++ typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
++ typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
++
++ type spamc_tmp_t;
++ files_tmp_file(spamc_tmp_t)
++ typealias spamc_tmp_t alias spamassassin_tmp_t;
++ typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
++ typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
++
++ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
++ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
++ typealias spamc_t alias pyzor_t;
++ typealias spamc_exec_t alias pyzor_exec_t;
++ typealias spamd_t alias pyzord_t;
++ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
++ typealias spamd_exec_t alias pyzord_exec_t;
++ typealias spamc_tmp_t alias pyzor_tmp_t;
++ typealias spamd_log_t alias pyzor_log_t;
++ typealias spamd_log_t alias pyzord_log_t;
++ typealias spamd_var_lib_t alias pyzor_var_lib_t;
++ typealias spamd_etc_t alias pyzor_etc_t;
++ typealias spamc_home_t alias pyzor_home_t;
++ typealias spamc_home_t alias user_pyzor_home_t;
++ typealias spamc_t alias razor_t;
++ typealias spamc_exec_t alias razor_exec_t;
++ typealias spamd_log_t alias razor_log_t;
++ typealias spamd_var_lib_t alias razor_var_lib_t;
++ typealias spamd_etc_t alias razor_etc_t;
++ typealias spamc_home_t alias razor_home_t;
++ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
++ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
++ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
++ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
++',`
++ type spamassassin_t;
++ type spamassassin_exec_t;
++ typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
++ typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
++ application_domain(spamassassin_t, spamassassin_exec_t)
++ ubac_constrained(spamassassin_t)
++
++ type spamassassin_home_t;
++ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
++ typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
++ userdom_user_home_content(spamassassin_home_t)
++
++ type spamassassin_tmp_t;
++ typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
++ typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
++ files_tmp_file(spamassassin_tmp_t)
++ ubac_constrained(spamassassin_tmp_t)
++
++ type spamc_t;
++ type spamc_exec_t;
++ typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
++ typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
++ application_domain(spamc_t, spamc_exec_t)
++ ubac_constrained(spamc_t)
++
++ type spamc_tmp_t;
++ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
++ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
++ files_tmp_file(spamc_tmp_t)
++ ubac_constrained(spamc_tmp_t)
++')
++
+ ##############################
+ #
+ # Standalone program local policy
+@@ -98,12 +169,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+ manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+ manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+ userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
++userdom_home_manager(spamassassin_t)
+
+ kernel_read_kernel_sysctls(spamassassin_t)
+
+ dev_read_urand(spamassassin_t)
+
+ fs_search_auto_mountpoints(spamassassin_t)
++fs_getattr_all_fs(spamassassin_t)
+
+ # this should probably be removed
+ corecmd_list_bin(spamassassin_t)
+@@ -114,7 +187,6 @@ corecmd_read_bin_sockets(spamassassin_t)
+
+ domain_use_interactive_fds(spamassassin_t)
+
+-files_read_etc_files(spamassassin_t)
+ files_read_etc_runtime_files(spamassassin_t)
+ files_list_home(spamassassin_t)
+ files_read_usr_files(spamassassin_t)
+@@ -122,8 +194,6 @@ files_dontaudit_search_var(spamassassin_t)
+
+ logging_send_syslog_msg(spamassassin_t)
+
+-miscfiles_read_localization(spamassassin_t)
+-
+ # cjp: this could probably be removed
+ seutil_read_config(spamassassin_t)
+
+@@ -134,8 +204,6 @@ tunable_policy(`spamassassin_can_network',`
+ allow spamassassin_t self:tcp_socket create_stream_socket_perms;
+ allow spamassassin_t self:udp_socket create_socket_perms;
+
+- corenet_all_recvfrom_unlabeled(spamassassin_t)
+- corenet_all_recvfrom_netlabel(spamassassin_t)
+ corenet_tcp_sendrecv_generic_if(spamassassin_t)
+ corenet_udp_sendrecv_generic_if(spamassassin_t)
+ corenet_tcp_sendrecv_generic_node(spamassassin_t)
+@@ -144,6 +212,9 @@ tunable_policy(`spamassassin_can_network',`
+ corenet_udp_sendrecv_all_ports(spamassassin_t)
+ corenet_tcp_connect_all_ports(spamassassin_t)
+ corenet_sendrecv_all_client_packets(spamassassin_t)
++ corenet_udp_bind_generic_node(spamassassin_t)
++ corenet_udp_bind_generic_port(spamassassin_t)
++ corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
+
+ sysnet_read_config(spamassassin_t)
+ ')
+@@ -154,25 +225,13 @@ tunable_policy(`spamd_enable_home_dirs',`
+ userdom_manage_user_home_content_symlinks(spamd_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(spamassassin_t)
+- fs_manage_nfs_files(spamassassin_t)
+- fs_manage_nfs_symlinks(spamassassin_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(spamassassin_t)
+- fs_manage_cifs_files(spamassassin_t)
+- fs_manage_cifs_symlinks(spamassassin_t)
+-')
+-
+ optional_policy(`
+ # Write pid file and socket in ~/.evolution/cache/tmp
+ evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
+ ')
+
+ optional_policy(`
+- tunable_policy(`spamassassin_can_network && allow_ypbind',`
++ tunable_policy(`spamassassin_can_network && nis_enabled',`
+ nis_use_ypbind_uncond(spamassassin_t)
+ ')
+ ')
+@@ -180,6 +239,8 @@ optional_policy(`
+ optional_policy(`
+ mta_read_config(spamassassin_t)
+ sendmail_stub(spamassassin_t)
++ sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t)
++ sendmail_dontaudit_rw_tcp_sockets(spamassassin_t)
+ ')
+
+ ########################################
+@@ -202,17 +263,37 @@ allow spamc_t self:unix_stream_socket connectto;
+ allow spamc_t self:tcp_socket create_stream_socket_perms;
+ allow spamc_t self:udp_socket create_socket_perms;
+
++can_exec(spamc_t, spamc_exec_t)
++
+ manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+ manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+ files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
+
++manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t)
++manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
++manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
++manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
++manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
++userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
++userdom_append_user_home_content_files(spamc_t)
++# for /root/.pyzor
++allow spamc_t self:capability dac_override;
++userdom_admin_home_dir_filetrans(spamc_t, spamc_home_t , dir, ".pyzor")
++
++list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
++read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
++
+ # Allow connecting to a local spamd
+ allow spamc_t spamd_t:unix_stream_socket connectto;
+ allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
++spamd_stream_connect(spamc_t)
++allow spamc_t spamd_tmp_t:file read_inherited_file_perms;
+
+ kernel_read_kernel_sysctls(spamc_t)
++kernel_read_system_state(spamc_t)
++
++corecmd_exec_bin(spamc_t)
+
+-corenet_all_recvfrom_unlabeled(spamc_t)
+ corenet_all_recvfrom_netlabel(spamc_t)
+ corenet_tcp_sendrecv_generic_if(spamc_t)
+ corenet_udp_sendrecv_generic_if(spamc_t)
+@@ -222,6 +303,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+ corenet_udp_sendrecv_all_ports(spamc_t)
+ corenet_tcp_connect_all_ports(spamc_t)
+ corenet_sendrecv_all_client_packets(spamc_t)
++corenet_tcp_connect_spamd_port(spamc_t)
+
+ fs_search_auto_mountpoints(spamc_t)
+
+@@ -234,43 +316,52 @@ corecmd_read_bin_sockets(spamc_t)
+
+ domain_use_interactive_fds(spamc_t)
+
+-files_read_etc_files(spamc_t)
+ files_read_etc_runtime_files(spamc_t)
+ files_read_usr_files(spamc_t)
+ files_dontaudit_search_var(spamc_t)
+ # cjp: this may be removable:
+ files_list_home(spamc_t)
++files_list_var_lib(spamc_t)
++
++fs_search_auto_mountpoints(spamc_t)
+
+ logging_send_syslog_msg(spamc_t)
+
+-miscfiles_read_localization(spamc_t)
++auth_use_nsswitch(spamc_t)
+
+-# cjp: this should probably be removed:
+-seutil_read_config(spamc_t)
++userdom_home_manager(spamc_t)
+
+-sysnet_read_config(spamc_t)
++optional_policy(`
++ abrt_stream_connect(spamc_t)
++')
+
+ optional_policy(`
+- # Allow connection to spamd socket above
+- evolution_stream_connect(spamc_t)
++ amavis_manage_spool_files(spamc_t)
+ ')
+
+ optional_policy(`
+- # Needed for pyzor/razor called from spamd
+- milter_manage_spamass_state(spamc_t)
++ # Allow connection to spamd socket above
++ evolution_stream_connect(spamc_t)
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(spamc_t)
++ milter_manage_spamass_state(spamc_t)
+ ')
+
+ optional_policy(`
+- nscd_socket_use(spamc_t)
++ postfix_domtrans_postdrop(spamc_t)
++ postfix_search_spool(spamc_t)
++ postfix_rw_local_pipes(spamc_t)
++ postfix_rw_master_pipes(spamc_t)
+ ')
+
+ optional_policy(`
++ mta_send_mail(spamc_t)
+ mta_read_config(spamc_t)
++ mta_read_queue(spamc_t)
+ sendmail_stub(spamc_t)
++ sendmail_rw_pipes(spamc_t)
++ sendmail_dontaudit_rw_tcp_sockets(spamc_t)
+ ')
+
+ ########################################
+@@ -282,7 +373,7 @@ optional_policy(`
+ # setuids to the user running spamc. Comment this if you are not
+ # using this ability.
+
+-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
++allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
+ dontaudit spamd_t self:capability sys_tty_config;
+ allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow spamd_t self:fd use;
+@@ -298,10 +389,20 @@ allow spamd_t self:unix_dgram_socket sendto;
+ allow spamd_t self:unix_stream_socket connectto;
+ allow spamd_t self:tcp_socket create_stream_socket_perms;
+ allow spamd_t self:udp_socket create_socket_perms;
+-allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
++
++# needed by razor
++rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
++
++can_exec(spamd_t, spamd_compiled_t)
++manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
++manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
++
++manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
++logging_log_filetrans(spamd_t, spamd_log_t, file)
+
+ manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
+ manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
++manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
+ files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
+
+ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -310,16 +411,21 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+
+ # var/lib files for spamd
+ allow spamd_t spamd_var_lib_t:dir list_dir_perms;
+-read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
++manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
++manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+
+ manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+-files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
++manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
++files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
++
++read_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
++
++can_exec(spamd_t, spamd_exec_t)
+
+ kernel_read_all_sysctls(spamd_t)
+ kernel_read_system_state(spamd_t)
+
+-corenet_all_recvfrom_unlabeled(spamd_t)
+ corenet_all_recvfrom_netlabel(spamd_t)
+ corenet_tcp_sendrecv_generic_if(spamd_t)
+ corenet_udp_sendrecv_generic_if(spamd_t)
+@@ -356,30 +462,30 @@ corecmd_exec_bin(spamd_t)
+ domain_use_interactive_fds(spamd_t)
+
+ files_read_usr_files(spamd_t)
+-files_read_etc_files(spamd_t)
+ files_read_etc_runtime_files(spamd_t)
+ # /var/lib/spamassin
+ files_read_var_lib_files(spamd_t)
+
+ init_dontaudit_rw_utmp(spamd_t)
+
+-logging_send_syslog_msg(spamd_t)
++auth_use_nsswitch(spamd_t)
+
+-miscfiles_read_localization(spamd_t)
++libs_use_ld_so(spamd_t)
++libs_use_shared_libs(spamd_t)
+
+-sysnet_read_config(spamd_t)
+-sysnet_use_ldap(spamd_t)
+-sysnet_dns_name_resolve(spamd_t)
++logging_send_syslog_msg(spamd_t)
+
+ userdom_use_unpriv_users_fds(spamd_t)
+ userdom_search_user_home_dirs(spamd_t)
++userdom_home_manager(spamd_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files(spamd_t)
++optional_policy(`
++ clamav_stream_connect(spamd_t)
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files(spamd_t)
++optional_policy(`
++ exim_manage_spool_dirs(spamd_t)
++ exim_manage_spool_files(spamd_t)
+ ')
+
+ optional_policy(`
+@@ -395,7 +501,9 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dcc_domtrans_cdcc(spamd_t)
+ dcc_domtrans_client(spamd_t)
++ dcc_signal_client(spamd_t)
+ dcc_stream_connect_dccifd(spamd_t)
+ ')
+
+@@ -404,25 +512,17 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- corenet_tcp_connect_mysqld_port(spamd_t)
+- corenet_sendrecv_mysqld_client_packets(spamd_t)
+-
++ mysql_tcp_connect(spamd_t)
+ mysql_search_db(spamd_t)
+ mysql_stream_connect(spamd_t)
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(spamd_t)
+-')
+-
+-optional_policy(`
+ postfix_read_config(spamd_t)
+ ')
+
+ optional_policy(`
+- corenet_tcp_connect_postgresql_port(spamd_t)
+- corenet_sendrecv_postgresql_client_packets(spamd_t)
+-
++ postgresql_tcp_connect(spamd_t)
+ postgresql_stream_connect(spamd_t)
+ ')
+
+@@ -433,6 +533,13 @@ optional_policy(`
+
+ optional_policy(`
+ razor_domtrans(spamd_t)
++ razor_read_lib_files(spamd_t)
++')
++
++optional_policy(`
++ tunable_policy(`spamd_enable_home_dirs',`
++ razor_manage_user_home_files(spamd_t)
++ ')
+ ')
+
+ optional_policy(`
+@@ -440,6 +547,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mta_send_mail(spamd_t)
+ sendmail_stub(spamd_t)
+ mta_read_config(spamd_t)
+ ')
+@@ -447,3 +555,54 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(spamd_t)
+ ')
++
++########################################
++#
++# spamd_update local policy
++#
++
++allow spamd_update_t self:fifo_file manage_fifo_file_perms;
++allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
++allow spamd_update_t self:capability dac_read_search;
++dontaudit spamd_update_t self:capability dac_override;
++
++manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
++manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
++files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
++
++allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;
++manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
++manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
++manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
++
++allow spamd_update_t spamd_tmp_t:file read_file_perms;
++
++kernel_read_system_state(spamd_update_t)
++
++# for updating rules
++corenet_tcp_connect_http_port(spamd_update_t)
++
++corecmd_exec_bin(spamd_update_t)
++corecmd_exec_shell(spamd_update_t)
++
++dev_read_urand(spamd_update_t)
++
++domain_use_interactive_fds(spamd_update_t)
++
++files_read_usr_files(spamd_update_t)
++
++auth_use_nsswitch(spamd_update_t)
++auth_dontaudit_read_shadow(spamd_update_t)
++
++mta_read_config(spamd_update_t)
++
++userdom_use_inherited_user_ptys(spamd_update_t)
++
++optional_policy(`
++ cron_system_entry(spamd_update_t, spamd_update_exec_t)
++')
++
++optional_policy(`
++ gpg_domtrans(spamd_update_t)
++')
++
+diff --git a/speedtouch.te b/speedtouch.te
+index ade10f5..bed16af 100644
+--- a/speedtouch.te
++++ b/speedtouch.te
+@@ -47,8 +47,6 @@ fs_search_auto_mountpoints(speedmgmt_t)
+
+ logging_send_syslog_msg(speedmgmt_t)
+
+-miscfiles_read_localization(speedmgmt_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
+ userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
+
+diff --git a/squid.fc b/squid.fc
+index 2015152..6664de3 100644
+--- a/squid.fc
++++ b/squid.fc
+@@ -1,8 +1,11 @@
+ /etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+ /etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
++/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+
++/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+ /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+ /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
++/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0)
+ /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+
+ /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+@@ -11,3 +14,4 @@
+ /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+ /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+ /var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
++/var/lightsquid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+diff --git a/squid.if b/squid.if
+index d2496bd..c7614d7 100644
+--- a/squid.if
++++ b/squid.if
+@@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
+ type squid_t;
+ ')
+
+- allow $1 squid_t:unix_stream_socket { getattr read write };
++ allow $1 squid_t:unix_stream_socket rw_socket_perms;
+ ')
+
+ ########################################
+@@ -83,7 +83,6 @@ interface(`squid_rw_stream_sockets',`
+ ## Domain to not audit.
+ ##
+ ##
+-##
+ #
+ interface(`squid_dontaudit_search_cache',`
+ gen_require(`
+@@ -207,12 +206,14 @@ interface(`squid_use',`
+ interface(`squid_admin',`
+ gen_require(`
+ type squid_t, squid_cache_t, squid_conf_t;
+- type squid_log_t, squid_var_run_t;
+- type squid_initrc_exec_t;
++ type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
+ ')
+
+- allow $1 squid_t:process { ptrace signal_perms };
++ allow $1 squid_t:process signal_perms;
+ ps_process_pattern($1, squid_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 squid_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, squid_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/squid.te b/squid.te
+index c38de7a..413146c 100644
+--- a/squid.te
++++ b/squid.te
+@@ -29,7 +29,7 @@ type squid_cache_t;
+ files_type(squid_cache_t)
+
+ type squid_conf_t;
+-files_type(squid_conf_t)
++files_config_file(squid_conf_t)
+
+ type squid_initrc_exec_t;
+ init_script_file(squid_initrc_exec_t)
+@@ -40,9 +40,18 @@ logging_log_file(squid_log_t)
+ type squid_tmpfs_t;
+ files_tmpfs_file(squid_tmpfs_t)
+
++type squid_tmp_t;
++files_tmp_file(squid_tmp_t)
++
+ type squid_var_run_t;
+ files_pid_file(squid_var_run_t)
+
++type squid_cron_t;
++type squid_cron_exec_t;
++init_daemon_domain(squid_cron_t, squid_cron_exec_t)
++application_domain(squid_cron_t, squid_cron_exec_t)
++role system_r types squid_cron_t;
++
+ ########################################
+ #
+ # Local policy
+@@ -69,6 +78,7 @@ allow squid_t self:udp_socket create_socket_perms;
+ manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
+ manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+ manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
++files_var_filetrans(squid_t, squid_cache_t, dir, "squid")
+
+ allow squid_t squid_conf_t:dir list_dir_perms;
+ read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
+@@ -85,15 +95,19 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
+ manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+ fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
+
++manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
++manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
++files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
++
+ manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
+ files_pid_filetrans(squid_t, squid_var_run_t, file)
+
+ kernel_read_kernel_sysctls(squid_t)
+ kernel_read_system_state(squid_t)
++kernel_read_network_state(squid_t)
+
+ files_dontaudit_getattr_boot_dirs(squid_t)
+
+-corenet_all_recvfrom_unlabeled(squid_t)
+ corenet_all_recvfrom_netlabel(squid_t)
+ corenet_tcp_sendrecv_generic_if(squid_t)
+ corenet_udp_sendrecv_generic_if(squid_t)
+@@ -145,7 +159,6 @@ corecmd_exec_shell(squid_t)
+
+ domain_use_interactive_fds(squid_t)
+
+-files_read_etc_files(squid_t)
+ files_read_etc_runtime_files(squid_t)
+ files_read_usr_files(squid_t)
+ files_search_spool(squid_t)
+@@ -161,7 +174,6 @@ libs_exec_lib_files(squid_t)
+ logging_send_syslog_msg(squid_t)
+
+ miscfiles_read_generic_certs(squid_t)
+-miscfiles_read_localization(squid_t)
+
+ userdom_use_unpriv_users_fds(squid_t)
+ userdom_dontaudit_search_user_home_dirs(squid_t)
+@@ -169,7 +181,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
+ tunable_policy(`squid_connect_any',`
+ corenet_tcp_connect_all_ports(squid_t)
+ corenet_tcp_bind_all_ports(squid_t)
+- corenet_sendrecv_all_packets(squid_t)
++ corenet_sendrecv_all_client_packets(squid_t)
++ corenet_sendrecv_all_server_packets(squid_t)
+ ')
+
+ tunable_policy(`squid_use_tproxy',`
+@@ -182,17 +195,19 @@ optional_policy(`
+
+ allow httpd_squid_script_t self:tcp_socket create_socket_perms;
+
+- corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+ corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+ corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
++ corenet_tcp_connect_squid_port(httpd_squid_script_t)
+
+ sysnet_dns_name_resolve(httpd_squid_script_t)
+
+- squid_read_config(httpd_squid_script_t)
++ optional_policy(`
++ squid_read_config(httpd_squid_script_t)
++ ')
+ ')
+
+ optional_policy(`
+- cron_system_entry(squid_t, squid_exec_t)
++ mysql_stream_connect(squid_t)
+ ')
+
+ optional_policy(`
+@@ -206,3 +221,32 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(squid_t)
+ ')
++
++optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
++')
++
++########################################
++#
++# squid cron Local policy
++#
++manage_dirs_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
++manage_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
++manage_lnk_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
++files_var_filetrans(squid_cron_t, squid_cache_t, dir, "squid")
++
++read_files_pattern(squid_cron_t, squid_conf_t, squid_conf_t)
++
++read_files_pattern(squid_cron_t, squid_log_t, squid_log_t)
++
++corecmd_exec_bin(squid_cron_t)
++
++dev_read_urand(squid_cron_t)
++
++files_read_etc_files(squid_cron_t)
++files_read_usr_files(squid_cron_t)
++
++
++optional_policy(`
++ cron_system_entry(squid_cron_t, squid_cron_exec_t)
++')
+diff --git a/sssd.fc b/sssd.fc
+index 4271815..45291bb 100644
+--- a/sssd.fc
++++ b/sssd.fc
+@@ -1,9 +1,15 @@
+ /etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+
++/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
++
+ /usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+
++/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0)
++
+ /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
++/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
++
+ /var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
+ /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
+diff --git a/sssd.if b/sssd.if
+index 941380a..54c45f6 100644
+--- a/sssd.if
++++ b/sssd.if
+@@ -1,13 +1,31 @@
+ ## System Security Services Daemon
+
++#######################################
++##
++## Allow a domain to getattr on sssd binary.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`sssd_getattr_exec',`
++ gen_require(`
++ type sssd_t, sssd_exec_t;
++ ')
++
++ allow $1 sssd_exec_t:file getattr;
++')
++
+ ########################################
+ ##
+ ## Execute a domain transition to run sssd.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`sssd_domtrans',`
+@@ -38,6 +56,106 @@ interface(`sssd_initrc_domtrans',`
+
+ ########################################
+ ##
++## Execute sssd server in the sssd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`sssd_systemctl',`
++ gen_require(`
++ type sssd_t;
++ type sssd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 sssd_unit_file_t:file read_file_perms;
++ allow $1 sssd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, sssd_t)
++')
++
++#######################################
++##
++## Read sssd configuration.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sssd_read_config',`
++ gen_require(`
++ type sssd_conf_t;
++ ')
++
++ files_search_etc($1)
++ list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
++ read_files_pattern($1, sssd_conf_t, sssd_conf_t)
++')
++
++######################################
++##
++## Write sssd configuration.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sssd_write_config',`
++ gen_require(`
++ type sssd_conf_t;
++ ')
++
++ files_search_etc($1)
++ write_files_pattern($1, sssd_conf_t, sssd_conf_t)
++')
++
++#####################################
++##
++## Write sssd configuration.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sssd_create_config',`
++ gen_require(`
++ type sssd_conf_t;
++ ')
++
++ files_search_etc($1)
++ create_files_pattern($1, sssd_conf_t, sssd_conf_t)
++')
++
++####################################
++##
++## Manage sssd configuration.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sssd_manage_config',`
++ gen_require(`
++ type sssd_conf_t;
++ ')
++
++ files_search_etc($1)
++ manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
++')
++
++########################################
++##
+ ## Read sssd public files.
+ ##
+ ##
+@@ -52,9 +170,29 @@ interface(`sssd_read_public_files',`
+ ')
+
+ sssd_search_lib($1)
++ list_dirs_pattern($1, sssd_public_t, sssd_public_t)
+ read_files_pattern($1, sssd_public_t, sssd_public_t)
+ ')
+
++#######################################
++##
++## Manage sssd public files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sssd_manage_public_files',`
++ gen_require(`
++ type sssd_public_t;
++ ')
++
++ sssd_search_lib($1)
++ manage_files_pattern($1, sssd_public_t, sssd_public_t)
++')
++
+ ########################################
+ ##
+ ## Read sssd PID files.
+@@ -89,6 +227,7 @@ interface(`sssd_manage_pids',`
+ type sssd_var_run_t;
+ ')
+
++ files_search_pids($1)
+ manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ ')
+@@ -128,7 +267,6 @@ interface(`sssd_dontaudit_search_lib',`
+ ')
+
+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+- files_search_var_lib($1)
+ ')
+
+ ########################################
+@@ -148,6 +286,7 @@ interface(`sssd_read_lib_files',`
+
+ files_search_var_lib($1)
+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
++ read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ ')
+
+ ########################################
+@@ -168,6 +307,7 @@ interface(`sssd_manage_lib_files',`
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
++ manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ ')
+
+ ########################################
+@@ -193,7 +333,7 @@ interface(`sssd_dbus_chat',`
+
+ ########################################
+ ##
+-## Connect to sssd over an unix stream socket.
++## Connect to sssd over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -225,21 +365,19 @@ interface(`sssd_stream_connect',`
+ ## The role to be allowed to manage the sssd domain.
+ ##
+ ##
+-##
+-##
+-## The type of the user terminal.
+-##
+-##
+ ##
+ #
+ interface(`sssd_admin',`
+ gen_require(`
+- type sssd_t, sssd_public_t;
+- type sssd_initrc_exec_t;
++ type sssd_t, sssd_public_t, sssd_initrc_exec_t;
++ type sssd_unit_file_t;
+ ')
+
+- allow $1 sssd_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, sssd_t, sssd_t)
++ allow $1 sssd_t:process signal_perms;
++ ps_process_pattern($1, sssd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 sssd_t:process ptrace;
++ ')
+
+ # Allow sssd_t to restart the apache service
+ sssd_initrc_domtrans($1)
+@@ -252,4 +390,9 @@ interface(`sssd_admin',`
+ sssd_manage_lib_files($1)
+
+ admin_pattern($1, sssd_public_t)
++
++ sssd_systemctl($1)
++ admin_pattern($1, sssd_unit_file_t)
++ allow $1 sssd_unit_file_t:service all_service_perms;
++
+ ')
+diff --git a/sssd.te b/sssd.te
+index a1b61bc..4253541 100644
+--- a/sssd.te
++++ b/sssd.te
+@@ -12,11 +12,15 @@ init_daemon_domain(sssd_t, sssd_exec_t)
+ type sssd_initrc_exec_t;
+ init_script_file(sssd_initrc_exec_t)
+
++type sssd_conf_t;
++files_config_file(sssd_conf_t)
++
+ type sssd_public_t;
+ files_pid_file(sssd_public_t)
+
+ type sssd_var_lib_t;
+ files_type(sssd_var_lib_t)
++mls_trusted_object(sssd_var_lib_t)
+
+ type sssd_var_log_t;
+ logging_log_file(sssd_var_log_t)
+@@ -24,22 +28,31 @@ logging_log_file(sssd_var_log_t)
+ type sssd_var_run_t;
+ files_pid_file(sssd_var_run_t)
+
++type sssd_unit_file_t;
++systemd_unit_file(sssd_unit_file_t)
++
+ ########################################
+ #
+ # sssd local policy
+ #
+-allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+-allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
+-allow sssd_t self:fifo_file rw_file_perms;
++
++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
++allow sssd_t self:capability2 block_suspend;
++allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
++allow sssd_t self:fifo_file rw_fifo_file_perms;
++allow sssd_t self:key manage_key_perms;
+ allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
++read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
++
+ manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
+ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
+ manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+ manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
++manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+ manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+-files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
++files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
+
+ manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+ logging_log_filetrans(sssd_t, sssd_var_log_t, file)
+@@ -48,37 +61,57 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+ manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+
++kernel_read_network_state(sssd_t)
+ kernel_read_system_state(sssd_t)
+
++corenet_udp_bind_generic_port(sssd_t)
++corenet_dontaudit_udp_bind_all_ports(sssd_t)
++corenet_tcp_connect_kerberos_password_port(sssd_t)
++
+ corecmd_exec_bin(sssd_t)
+
+ dev_read_urand(sssd_t)
++dev_read_sysfs(sssd_t)
+
+ domain_read_all_domains_state(sssd_t)
+ domain_obj_id_change_exemption(sssd_t)
+
+ files_list_tmp(sssd_t)
+ files_read_etc_files(sssd_t)
++files_read_etc_runtime_files(sssd_t)
+ files_read_usr_files(sssd_t)
++files_list_var_lib(sssd_t)
+
+ fs_list_inotifyfs(sssd_t)
+
+ selinux_validate_context(sssd_t)
+
+ seutil_read_file_contexts(sssd_t)
++# sssd wants to write /etc/selinux//logins/ for SELinux PAM module
++seutil_rw_login_config_dirs(sssd_t)
++seutil_manage_login_config_files(sssd_t)
+
+ mls_file_read_to_clearance(sssd_t)
++mls_socket_read_to_clearance(sssd_t)
++mls_socket_write_to_clearance(sssd_t)
++mls_trusted_object(sssd_t)
+
+-auth_use_nsswitch(sssd_t)
++# auth_use_nsswitch(sssd_t)
+ auth_domtrans_chk_passwd(sssd_t)
+ auth_domtrans_upd_passwd(sssd_t)
++auth_manage_cache(sssd_t)
+
+ init_read_utmp(sssd_t)
+
+ logging_send_syslog_msg(sssd_t)
+ logging_send_audit_msgs(sssd_t)
+
+-miscfiles_read_localization(sssd_t)
++miscfiles_read_generic_certs(sssd_t)
++
++sysnet_dns_name_resolve(sssd_t)
++sysnet_use_ldap(sssd_t)
++
++userdom_manage_tmp_role(system_r, sssd_t)
+
+ optional_policy(`
+ dbus_system_bus_client(sssd_t)
+@@ -87,8 +120,17 @@ optional_policy(`
+
+ optional_policy(`
+ kerberos_manage_host_rcache(sssd_t)
++ kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
++ kerberos_read_home_content(sssd_t)
++')
++
++optional_policy(`
++ dirsrv_stream_connect(sssd_t)
+ ')
+
+ optional_policy(`
+ ldap_stream_connect(sssd_t)
+ ')
++
++userdom_home_reader(sssd_t)
++
+diff --git a/stapserver.fc b/stapserver.fc
+new file mode 100644
+index 0000000..0ccce59
+--- /dev/null
++++ b/stapserver.fc
+@@ -0,0 +1,7 @@
++/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0)
++
++/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0)
++
++/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0)
++
++/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0)
+diff --git a/stapserver.if b/stapserver.if
+new file mode 100644
+index 0000000..80c6480
+--- /dev/null
++++ b/stapserver.if
+@@ -0,0 +1,151 @@
++
++## Instrumentation System Server
++
++########################################
++##
++## Execute stapserver in the stapserver domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`stapserver_domtrans',`
++ gen_require(`
++ type stapserver_t, stapserver_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, stapserver_exec_t, stapserver_t)
++')
++########################################
++##
++## Read stapserver's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`stapserver_read_log',`
++ gen_require(`
++ type stapserver_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, stapserver_log_t, stapserver_log_t)
++')
++
++########################################
++##
++## Append to stapserver log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`stapserver_append_log',`
++ gen_require(`
++ type stapserver_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, stapserver_log_t, stapserver_log_t)
++')
++
++########################################
++##
++## Manage stapserver log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`stapserver_manage_log',`
++ gen_require(`
++ type stapserver_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, stapserver_log_t, stapserver_log_t)
++ manage_files_pattern($1, stapserver_log_t, stapserver_log_t)
++ manage_lnk_files_pattern($1, stapserver_log_t, stapserver_log_t)
++')
++########################################
++##
++## Read stapserver PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`stapserver_read_pid_files',`
++ gen_require(`
++ type stapserver_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 stapserver_var_run_t:file read_file_perms;
++')
++
++#######################################
++##
++## Manage stapserver lib files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`stapserver_manage_lib',`
++ gen_require(`
++ type stapserver_var_lib_t;
++ ')
++
++ manage_dirs_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
++ manage_files_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an stapserver environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`stapserver_admin',`
++ gen_require(`
++ type stapserver_t;
++ type stapserver_log_t;
++ type stapserver_var_run_t;
++ ')
++
++ allow $1 stapserver_t:process { ptrace signal_perms };
++ ps_process_pattern($1, stapserver_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, stapserver_log_t)
++
++ files_search_pids($1)
++ admin_pattern($1, stapserver_var_run_t)
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/stapserver.te b/stapserver.te
+new file mode 100644
+index 0000000..b87c79c
+--- /dev/null
++++ b/stapserver.te
+@@ -0,0 +1,100 @@
++policy_module(stapserver, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type stapserver_t;
++type stapserver_exec_t;
++init_daemon_domain(stapserver_t, stapserver_exec_t)
++
++type stapserver_var_lib_t;
++files_type(stapserver_var_lib_t)
++
++type stapserver_log_t;
++logging_log_file(stapserver_log_t)
++
++type stapserver_var_run_t;
++files_pid_file(stapserver_var_run_t)
++
++########################################
++#
++# stapserver local policy
++#
++
++#runuser
++allow stapserver_t self:capability { setuid setgid };
++allow stapserver_t self:process setsched;
++
++allow stapserver_t self:capability { dac_override kill };
++allow stapserver_t self:process { setrlimit signal };
++
++allow stapserver_t self:fifo_file rw_fifo_file_perms;
++allow stapserver_t self:key write;
++allow stapserver_t self:unix_stream_socket create_stream_socket_perms;
++allow stapserver_t self:tcp_socket { accept listen };
++
++manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
++manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
++files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
++
++manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
++manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
++logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
++
++manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
++manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
++files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
++
++kernel_read_system_state(stapserver_t)
++kernel_read_kernel_sysctls(stapserver_t)
++
++corecmd_exec_bin(stapserver_t)
++corecmd_exec_shell(stapserver_t)
++
++domain_read_all_domains_state(stapserver_t)
++domain_use_interactive_fds(stapserver_t)
++
++dev_read_sysfs(stapserver_t)
++dev_read_rand(stapserver_t)
++dev_read_urand(stapserver_t)
++
++files_list_tmp(stapserver_t)
++files_read_usr_files(stapserver_t)
++files_search_kernel_modules(stapserver_t)
++
++fs_search_cgroup_dirs(stapserver_t)
++
++auth_use_nsswitch(stapserver_t)
++
++init_read_utmp(stapserver_t)
++
++logging_send_audit_msgs(stapserver_t)
++logging_send_syslog_msg(stapserver_t)
++
++#lspci
++miscfiles_read_hwdata(stapserver_t)
++
++userdom_use_user_terminals(stapserver_t)
++
++optional_policy(`
++ consoletype_exec(stapserver_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(stapserver_t)
++')
++
++optional_policy(`
++ hostname_exec(stapserver_t)
++')
++
++optional_policy(`
++ plymouthd_exec_plymouth(stapserver_t)
++')
++
++optional_policy(`
++ rpm_exec(stapserver_t)
++')
++
+diff --git a/stunnel.te b/stunnel.te
+index f646c66..a399168 100644
+--- a/stunnel.te
++++ b/stunnel.te
+@@ -40,7 +40,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
+
+ allow stunnel_t stunnel_etc_t:dir list_dir_perms;
+ allow stunnel_t stunnel_etc_t:file read_file_perms;
+-allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
++allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
+ manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
+@@ -56,7 +56,6 @@ kernel_read_network_state(stunnel_t)
+
+ corecmd_exec_bin(stunnel_t)
+
+-corenet_all_recvfrom_unlabeled(stunnel_t)
+ corenet_all_recvfrom_netlabel(stunnel_t)
+ corenet_tcp_sendrecv_generic_if(stunnel_t)
+ corenet_udp_sendrecv_generic_if(stunnel_t)
+@@ -73,8 +72,6 @@ auth_use_nsswitch(stunnel_t)
+
+ logging_send_syslog_msg(stunnel_t)
+
+-miscfiles_read_localization(stunnel_t)
+-
+ sysnet_read_config(stunnel_t)
+
+ ifdef(`distro_gentoo', `
+@@ -106,7 +103,6 @@ ifdef(`distro_gentoo', `
+
+ dev_read_urand(stunnel_t)
+
+- files_read_etc_files(stunnel_t)
+ files_read_etc_runtime_files(stunnel_t)
+ files_search_home(stunnel_t)
+
+@@ -120,4 +116,5 @@ ifdef(`distro_gentoo', `
+ gen_require(`
+ type stunnel_port_t;
+ ')
++
+ allow stunnel_t stunnel_port_t:tcp_socket name_bind;
+diff --git a/svnserve.fc b/svnserve.fc
+new file mode 100644
+index 0000000..5ab0840
+--- /dev/null
++++ b/svnserve.fc
+@@ -0,0 +1,12 @@
++/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
++
++/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0)
++
++/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0)
++/usr/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0)
++
++/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0)
++/var/run/svnserve.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
++
++/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
++/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+diff --git a/svnserve.if b/svnserve.if
+new file mode 100644
+index 0000000..dd2ac36
+--- /dev/null
++++ b/svnserve.if
+@@ -0,0 +1,118 @@
++
++## policy for svnserve
++
++
++########################################
++##
++## Transition to svnserve.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`svnserve_domtrans',`
++ gen_require(`
++ type svnserve_t, svnserve_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, svnserve_exec_t, svnserve_t)
++')
++
++
++########################################
++##
++## Execute svnserve server in the svnserve domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`svnserve_initrc_domtrans',`
++ gen_require(`
++ type svnserve_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
++')
++
++#######################################
++##
++## Execute svnserve server in the svnserve domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`svnserve_systemctl',`
++ gen_require(`
++ type svnserve_t;
++ type svnserve_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 svnserve_unit_file_t:file read_file_perms;
++ allow $1 svnserve_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, svnserve_t)
++')
++
++########################################
++##
++## Read svnserve PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`svnserve_read_pid_files',`
++ gen_require(`
++ type svnserve_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 svnserve_var_run_t:file read_file_perms;
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an svnserve environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`svnserve_admin',`
++ gen_require(`
++ type svnserve_t;
++ type svnserve_var_run_t;
++ type svnserve_unit_file_t;
++ ')
++
++ allow $1 svnserve_t:process { ptrace signal_perms };
++ ps_process_pattern($1, svnserve_t)
++
++ files_search_pids($1)
++ admin_pattern($1, svnserve_var_run_t)
++
++ svnserve_systemctl($1)
++ admin_pattern($1, svnserve_unit_file_t)
++ allow $1 svnserve_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
++
+diff --git a/svnserve.te b/svnserve.te
+new file mode 100644
+index 0000000..ba40a17
+--- /dev/null
++++ b/svnserve.te
+@@ -0,0 +1,53 @@
++policy_module(svnserve, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type svnserve_t;
++type svnserve_exec_t;
++init_daemon_domain(svnserve_t, svnserve_exec_t)
++
++type svnserve_initrc_exec_t;
++init_script_file(svnserve_initrc_exec_t)
++
++type svnserve_var_run_t;
++files_pid_file(svnserve_var_run_t)
++
++type svnserve_content_t;
++files_type(svnserve_content_t)
++
++type svnserve_unit_file_t;
++systemd_unit_file(svnserve_unit_file_t)
++
++########################################
++#
++# svnserve local policy
++#
++
++allow svnserve_t self:fifo_file rw_fifo_file_perms;
++allow svnserve_t self:tcp_socket create_stream_socket_perms;
++allow svnserve_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
++manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
++
++manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
++manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
++files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
++
++corenet_udp_bind_generic_node(svnserve_t)
++#corenet_tcp_connect_svn_port(svnserve_t)
++#corenet_tcp_bind_svn_port(svnserve_t)
++#corenet_udp_bind_svn_port(svnserve_t)
++
++domain_use_interactive_fds(svnserve_t)
++
++files_read_etc_files(svnserve_t)
++files_read_usr_files(svnserve_t)
++
++logging_send_syslog_msg(svnserve_t)
++
++sysnet_dns_name_resolve(svnserve_t)
++
+diff --git a/sxid.te b/sxid.te
+index 8296303..50eddef 100644
+--- a/sxid.te
++++ b/sxid.te
+@@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t)
+ corecmd_exec_bin(sxid_t)
+ corecmd_exec_shell(sxid_t)
+
+-corenet_all_recvfrom_unlabeled(sxid_t)
+ corenet_all_recvfrom_netlabel(sxid_t)
+ corenet_tcp_sendrecv_generic_if(sxid_t)
+ corenet_udp_sendrecv_generic_if(sxid_t)
+@@ -66,7 +65,7 @@ fs_list_all(sxid_t)
+
+ term_dontaudit_use_console(sxid_t)
+
+-files_read_non_auth_files(sxid_t)
++files_read_non_security_files(sxid_t)
+ auth_dontaudit_getattr_shadow(sxid_t)
+
+ init_use_fds(sxid_t)
+@@ -74,15 +73,17 @@ init_use_script_ptys(sxid_t)
+
+ logging_send_syslog_msg(sxid_t)
+
+-miscfiles_read_localization(sxid_t)
+-
+-mount_exec(sxid_t)
+-
+ sysnet_read_config(sxid_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(sxid_t)
+
+-cron_system_entry(sxid_t, sxid_exec_t)
++optional_policy(`
++ cron_system_entry(sxid_t, sxid_exec_t)
++')
++
++optional_policy(`
++ mount_exec(sxid_t)
++')
+
+ optional_policy(`
+ mta_send_mail(sxid_t)
+diff --git a/sysstat.fc b/sysstat.fc
+index 5d0e77b..5a92938 100644
+--- a/sysstat.fc
++++ b/sysstat.fc
+@@ -6,3 +6,4 @@
+ /var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
+ /var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
+ /var/log/sysstat(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
++/opt/sartest(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
+diff --git a/sysstat.te b/sysstat.te
+index 0ecd8a7..b532568 100644
+--- a/sysstat.te
++++ b/sysstat.te
+@@ -18,8 +18,7 @@ logging_log_file(sysstat_log_t)
+ # Local policy
+ #
+
+-allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };
+-dontaudit sysstat_t self:capability sys_admin;
++allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };
+ allow sysstat_t self:fifo_file rw_fifo_file_perms;
+
+ can_exec(sysstat_t, sysstat_exec_t)
+@@ -36,6 +35,7 @@ kernel_read_kernel_sysctls(sysstat_t)
+ kernel_read_fs_sysctls(sysstat_t)
+ kernel_read_rpc_sysctls(sysstat_t)
+
++corecmd_exec_shell(sysstat_t)
+ corecmd_exec_bin(sysstat_t)
+
+ dev_read_urand(sysstat_t)
+@@ -45,19 +45,20 @@ files_search_var(sysstat_t)
+ # for mtab
+ files_read_etc_runtime_files(sysstat_t)
+ #for fstab
+-files_read_etc_files(sysstat_t)
+
+ fs_getattr_xattr_fs(sysstat_t)
+ fs_list_inotifyfs(sysstat_t)
+
+ term_use_console(sysstat_t)
+-term_use_all_terms(sysstat_t)
++term_use_all_inherited_terms(sysstat_t)
+
+ init_use_fds(sysstat_t)
+
+ locallogin_use_fds(sysstat_t)
+
+-miscfiles_read_localization(sysstat_t)
++auth_use_nsswitch(sysstat_t)
++
++logging_send_syslog_msg(sysstat_t)
+
+ userdom_dontaudit_list_user_home_dirs(sysstat_t)
+
+@@ -65,6 +66,3 @@ optional_policy(`
+ cron_system_entry(sysstat_t, sysstat_exec_t)
+ ')
+
+-optional_policy(`
+- logging_send_syslog_msg(sysstat_t)
+-')
+diff --git a/tcpd.te b/tcpd.te
+index 7038b55..8961067 100644
+--- a/tcpd.te
++++ b/tcpd.te
+@@ -22,7 +22,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+ manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+ files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
+
+-corenet_all_recvfrom_unlabeled(tcpd_t)
+ corenet_all_recvfrom_netlabel(tcpd_t)
+ corenet_tcp_sendrecv_generic_if(tcpd_t)
+ corenet_tcp_sendrecv_generic_node(tcpd_t)
+@@ -39,8 +38,6 @@ files_dontaudit_search_var(tcpd_t)
+
+ logging_send_syslog_msg(tcpd_t)
+
+-miscfiles_read_localization(tcpd_t)
+-
+ sysnet_read_config(tcpd_t)
+
+ inetd_domtrans_child(tcpd_t)
+diff --git a/tcsd.if b/tcsd.if
+index 595f5a7..4e518cf 100644
+--- a/tcsd.if
++++ b/tcsd.if
+@@ -137,8 +137,11 @@ interface(`tcsd_admin',`
+ type tcsd_var_lib_t;
+ ')
+
+- allow $1 tcsd_t:process { ptrace signal_perms };
++ allow $1 tcsd_t:process signal_perms;
+ ps_process_pattern($1, tcsd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 tcsd_t:process ptrace;
++ ')
+
+ tcsd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+diff --git a/tcsd.te b/tcsd.te
+index ee9f3c6..ac97168 100644
+--- a/tcsd.te
++++ b/tcsd.te
+@@ -30,7 +30,6 @@ manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
+ files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir })
+
+ # Accept connections on the TCS port over loopback.
+-corenet_all_recvfrom_unlabeled(tcsd_t)
+ corenet_tcp_bind_generic_node(tcsd_t)
+ corenet_tcp_bind_tcs_port(tcsd_t)
+
+@@ -38,13 +37,8 @@ dev_read_urand(tcsd_t)
+ # Access /dev/tpm0.
+ dev_rw_tpm(tcsd_t)
+
+-files_read_etc_files(tcsd_t)
+ files_read_usr_files(tcsd_t)
+
+ auth_use_nsswitch(tcsd_t)
+
+ logging_send_syslog_msg(tcsd_t)
+-
+-miscfiles_read_localization(tcsd_t)
+-
+-sysnet_dns_name_resolve(tcsd_t)
+diff --git a/telepathy.fc b/telepathy.fc
+index b07ee19..a275bd6 100644
+--- a/telepathy.fc
++++ b/telepathy.fc
+@@ -1,8 +1,11 @@
+ HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
+-HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
++HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
++HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
+ HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+ HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+ HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
++HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0)
++HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0)
+ HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
+ HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
+
+diff --git a/telepathy.if b/telepathy.if
+index f09171e..95a9aa3 100644
+--- a/telepathy.if
++++ b/telepathy.if
+@@ -11,7 +11,6 @@
+ ##
+ ##
+ #
+-#
+ template(`telepathy_domain_template',`
+ gen_require(`
+ attribute telepathy_domain;
+@@ -20,19 +19,21 @@ template(`telepathy_domain_template',`
+
+ type telepathy_$1_t, telepathy_domain;
+ type telepathy_$1_exec_t, telepathy_executable;
+- userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
++ application_domain(telepathy_$1_t, telepathy_$1_exec_t)
++ ubac_constrained(telepathy_$1_t)
+
+ type telepathy_$1_tmp_t;
+ userdom_user_tmp_file(telepathy_$1_tmp_t)
+
+- auth_use_nsswitch(telepathy_$1_t)
++ kernel_read_system_state(telepathy_$1_t)
+
++ auth_use_nsswitch(telepathy_$1_t)
+ ')
+
+ #######################################
+ ##
+-## Role access for telepathy domains
+-### that executes via dbus-session
++## Role access for telepathy domains
++## that executes via dbus-session
+ ##
+ ##
+ ##
+@@ -44,8 +45,13 @@ template(`telepathy_domain_template',`
+ ## The type of the user domain.
+ ##
+ ##
++##
++##
++## User domain prefix to be used.
++##
++##
+ #
+-template(`telepathy_role', `
++template(`telepathy_role',`
+ gen_require(`
+ attribute telepathy_domain;
+ type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
+@@ -76,6 +82,8 @@ template(`telepathy_role', `
+ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
+ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
+ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
++
++ telepathy_dbus_chat($2)
+ ')
+
+ ########################################
+@@ -122,11 +130,6 @@ interface(`telepathy_gabble_dbus_chat', `
+ ##
+ ## Read telepathy mission control state.
+ ##
+-##
+-##
+-## Prefix to be used.
+-##
+-##
+ ##
+ ##
+ ## Domain allowed access.
+@@ -166,7 +169,7 @@ interface(`telepathy_msn_stream_connect', `
+ ## Stream connect to Telepathy Salut
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+ ##
+ ##
+@@ -179,3 +182,130 @@ interface(`telepathy_salut_stream_connect', `
+ stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
+ files_search_tmp($1)
+ ')
++
++#######################################
++##
++## Send DBus messages to and from
++## all Telepathy domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`telepathy_dbus_chat',`
++ gen_require(`
++ attribute telepathy_domain;
++ class dbus send_msg;
++ ')
++
++ allow $1 telepathy_domain:dbus send_msg;
++ allow telepathy_domain $1:dbus send_msg;
++')
++
++######################################
++##
++## Execute telepathy executable
++## in the specified domain.
++##
++##
++##
++## Execute a telepathy executable
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`telepathy_command_domtrans', `
++ gen_require(`
++ attribute telepathy_executable;
++ ')
++
++ allow $2 telepathy_executable:file entrypoint;
++ domain_transition_pattern($1, telepathy_executable, $2)
++ type_transition $1 telepathy_executable:process $2;
++
++ # needs to dbus chat with unconfined_t and unconfined_dbusd_t
++ optional_policy(`
++ telepathy_dbus_chat($1)
++ telepathy_dbus_chat($2)
++ ')
++')
++
++########################################
++##
++## Create telepathy content in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`telepathy_filetrans_home_content',`
++ gen_require(`
++ type telepathy_mission_control_cache_home_t;
++ type telepathy_mission_control_home_t;
++ type telepathy_logger_cache_home_t;
++ type telepathy_gabble_cache_home_t;
++ type telepathy_sunshine_home_t;
++ type telepathy_logger_data_home_t;
++ type telepathy_cache_home_t, telepathy_data_home_t;
++ type telepathy_mission_control_data_home_t;
++ ')
++
++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, file, "sqlite-data-journal")
++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
++
++ filetrans_pattern($1, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
++
++ userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control")
++ userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
++
++ gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections")
++ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")
++ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky")
++ gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy")
++
++ gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
++ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
++')
++
++######################################
++##
++## Execute telepathy in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`telepathy_exec',`
++ gen_require(`
++ attribute telepathy_executable;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, telepathy_executable)
++')
+diff --git a/telepathy.te b/telepathy.te
+index 964978b..6cc7ecd 100644
+--- a/telepathy.te
++++ b/telepathy.te
+@@ -7,16 +7,16 @@ policy_module(telepathy, 1.3.0)
+
+ ##
+ ##
+-## Allow the Telepathy connection managers
+-## to connect to any generic TCP port.
++## Allow the Telepathy connection managers
++## to connect to any generic TCP port.
+ ##
+ ##
+ gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
+
+ ##
+ ##
+-## Allow the Telepathy connection managers
+-## to connect to any network port.
++## Allow the Telepathy connection managers
++## to connect to any network port.
+ ##
+ ##
+ gen_tunable(telepathy_connect_all_ports, false)
+@@ -26,12 +26,18 @@ attribute telepathy_executable;
+
+ telepathy_domain_template(gabble)
+
++type telepathy_cache_home_t;
++userdom_user_home_content(telepathy_cache_home_t)
++
+ type telepathy_gabble_cache_home_t;
+ userdom_user_home_content(telepathy_gabble_cache_home_t)
+
+ telepathy_domain_template(idle)
+ telepathy_domain_template(logger)
+
++type telepathy_data_home_t;
++userdom_user_home_content(telepathy_data_home_t)
++
+ type telepathy_logger_cache_home_t;
+ userdom_user_home_content(telepathy_logger_cache_home_t)
+
+@@ -43,6 +49,9 @@ telepathy_domain_template(mission_control)
+ type telepathy_mission_control_home_t;
+ userdom_user_home_content(telepathy_mission_control_home_t)
+
++type telepathy_mission_control_data_home_t;
++userdom_user_home_content(telepathy_mission_control_data_home_t)
++
+ type telepathy_mission_control_cache_home_t;
+ userdom_user_home_content(telepathy_mission_control_cache_home_t)
+
+@@ -67,8 +76,16 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble
+ manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
+ files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
+
++# ~/.cache/telepathy/gabble/caps-cache.db-journal
++optional_policy(`
++ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
++ manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
++ filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir)
++ # ~/.cache/wocky
++ gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir)
++')
++
+ corenet_all_recvfrom_netlabel(telepathy_gabble_t)
+-corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
+ corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
+ corenet_tcp_sendrecv_generic_node(telepathy_gabble_t)
+ corenet_tcp_connect_http_port(telepathy_gabble_t)
+@@ -98,18 +115,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(telepathy_gabble_t)
+- fs_manage_nfs_files(telepathy_gabble_t)
+-')
++userdom_home_manager(telepathy_gabble_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(telepathy_gabble_t)
+- fs_manage_cifs_files(telepathy_gabble_t)
++optional_policy(`
++ dbus_system_bus_client(telepathy_gabble_t)
+ ')
+
+ optional_policy(`
+- dbus_system_bus_client(telepathy_gabble_t)
++ gnome_manage_home_config(telepathy_gabble_t)
+ ')
+
+ #######################################
+@@ -118,7 +131,6 @@ optional_policy(`
+ #
+
+ corenet_all_recvfrom_netlabel(telepathy_idle_t)
+-corenet_all_recvfrom_unlabeled(telepathy_idle_t)
+ corenet_tcp_sendrecv_generic_if(telepathy_idle_t)
+ corenet_tcp_sendrecv_generic_node(telepathy_idle_t)
+ corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
+@@ -127,8 +139,6 @@ corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
+
+ dev_read_rand(telepathy_idle_t)
+
+-files_read_etc_files(telepathy_idle_t)
+-
+ tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_idle_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_idle_t)
+@@ -147,51 +157,74 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+
+ allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
+
++manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
+ manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
++filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir)
+
+ manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
+ manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
+
+-files_read_etc_files(telepathy_logger_t)
+-files_read_usr_files(telepathy_logger_t)
++optional_policy(`
++ gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir)
++')
++
+ files_search_pids(telepathy_logger_t)
+
+ fs_getattr_all_fs(telepathy_logger_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(telepathy_logger_t)
+- fs_manage_nfs_files(telepathy_logger_t)
+-')
++userdom_home_manager(telepathy_logger_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(telepathy_logger_t)
+- fs_manage_cifs_files(telepathy_logger_t)
++optional_policy(`
++ # ~/.config/dconf/user
++ gnome_manage_home_config(telepathy_logger_t)
+ ')
+
+ #######################################
+ #
+ # Telepathy Mission-Control local policy.
+ #
++allow telepathy_mission_control_t self:process setsched;
+
+ manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
+ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
+ userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
++userdom_search_user_home_dirs(telepathy_mission_control_t)
++
++manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
++manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
++filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })
++
++optional_policy(`
++ gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)
++ gnome_manage_home_config(telepathy_mission_control_t)
++')
+
+ dev_read_rand(telepathy_mission_control_t)
+
+ fs_getattr_all_fs(telepathy_mission_control_t)
+
+-files_read_etc_files(telepathy_mission_control_t)
+-files_read_usr_files(telepathy_mission_control_t)
++files_list_tmp(telepathy_mission_control_t)
++
++userdom_home_manager(telepathy_mission_control_t)
++
++optional_policy(`
++ dbus_system_bus_client(telepathy_mission_control_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(telepathy_mission_control_t)
+- fs_manage_nfs_files(telepathy_mission_control_t)
++ optional_policy(`
++ devicekit_dbus_chat_power(telepathy_mission_control_t)
++ ')
++ optional_policy(`
++ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)
++ ')
++ optional_policy(`
++ networkmanager_dbus_chat(telepathy_mission_control_t)
++ ')
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(telepathy_mission_control_t)
+- fs_manage_cifs_files(telepathy_mission_control_t)
++# ~/.cache/.mc_connections.
++optional_policy(`
++ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
++ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
+ ')
+
+ #######################################
+@@ -205,11 +238,13 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+ manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+ manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+ manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
++exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+ files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+ userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
++userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
++can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
+
+ corenet_all_recvfrom_netlabel(telepathy_msn_t)
+-corenet_all_recvfrom_unlabeled(telepathy_msn_t)
+ corenet_tcp_sendrecv_generic_if(telepathy_msn_t)
+ corenet_tcp_sendrecv_generic_node(telepathy_msn_t)
+ corenet_tcp_bind_generic_node(telepathy_msn_t)
+@@ -225,8 +260,7 @@ corecmd_exec_bin(telepathy_msn_t)
+ corecmd_exec_shell(telepathy_msn_t)
+ corecmd_read_bin_symlinks(telepathy_msn_t)
+
+-files_read_etc_files(telepathy_msn_t)
+-files_read_usr_files(telepathy_msn_t)
++init_read_state(telepathy_msn_t)
+
+ libs_exec_ldconfig(telepathy_msn_t)
+
+@@ -246,6 +280,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ ')
+
+ optional_policy(`
++ gnome_read_gconf_home_files(telepathy_msn_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(telepathy_msn_t)
+
+ optional_policy(`
+@@ -264,7 +302,6 @@ manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_sa
+ files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
+
+ corenet_all_recvfrom_netlabel(telepathy_salut_t)
+-corenet_all_recvfrom_unlabeled(telepathy_salut_t)
+ corenet_tcp_sendrecv_generic_if(telepathy_salut_t)
+ corenet_tcp_sendrecv_generic_node(telepathy_salut_t)
+ corenet_tcp_bind_generic_node(telepathy_salut_t)
+@@ -272,8 +309,6 @@ corenet_tcp_bind_presence_port(telepathy_salut_t)
+ corenet_tcp_connect_presence_port(telepathy_salut_t)
+ corenet_sendrecv_presence_server_packets(telepathy_salut_t)
+
+-files_read_etc_files(telepathy_salut_t)
+-
+ tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_salut_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_salut_t)
+@@ -302,7 +337,6 @@ allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen };
+ allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms;
+
+ corenet_all_recvfrom_netlabel(telepathy_sofiasip_t)
+-corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t)
+ corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
+ corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
+ corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
+@@ -343,9 +377,6 @@ files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
+
+ corecmd_exec_bin(telepathy_sunshine_t)
+
+-files_read_etc_files(telepathy_sunshine_t)
+-files_read_usr_files(telepathy_sunshine_t)
+-
+ optional_policy(`
+ xserver_read_xdm_pid(telepathy_sunshine_t)
+ xserver_stream_connect(telepathy_sunshine_t)
+@@ -361,18 +392,33 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+ allow telepathy_domain self:tcp_socket create_socket_perms;
+ allow telepathy_domain self:udp_socket create_socket_perms;
+
++manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t)
++optional_policy(`
++ gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
++')
++
+ dev_read_urand(telepathy_domain)
+
+-kernel_read_system_state(telepathy_domain)
++files_read_etc_files(telepathy_domain)
++files_read_usr_files(telepathy_domain)
+
++fs_getattr_all_fs(telepathy_domain)
+ fs_search_auto_mountpoints(telepathy_domain)
+-
+-miscfiles_read_localization(telepathy_domain)
++fs_rw_inherited_tmpfs_files(telepathy_domain)
+
+ optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
+ ')
+
+ optional_policy(`
++ gnome_read_generic_cache_files(telepathy_domain)
++ gnome_write_generic_cache_files(telepathy_domain)
++')
++
++optional_policy(`
++ telepathy_dbus_chat(telepathy_domain)
++')
++
++optional_policy(`
+ xserver_rw_xdm_pipes(telepathy_domain)
+ ')
+diff --git a/telnet.if b/telnet.if
+index 58e7ec0..e4119f7 100644
+--- a/telnet.if
++++ b/telnet.if
+@@ -1 +1,19 @@
+ ## Telnet daemon
++
++########################################
++##
++## Read and write a telnetd domain pty.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`telnet_use_ptys',`
++ gen_require(`
++ type telnetd_devpts_t;
++ ')
++
++ allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms;
++')
+diff --git a/telnet.te b/telnet.te
+index 3858d35..62dca46 100644
+--- a/telnet.te
++++ b/telnet.te
+@@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t)
+ # Local policy
+ #
+
+-allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
++allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+ allow telnetd_t self:process signal_perms;
+ allow telnetd_t self:fifo_file rw_fifo_file_perms;
+ allow telnetd_t self:tcp_socket connected_stream_socket_perms;
+ allow telnetd_t self:udp_socket create_socket_perms;
+ # for identd; cjp: this should probably only be inetd_child rules?
+ allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+-allow telnetd_t self:capability { setuid setgid };
+
+-allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
++allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
++
+ term_create_pty(telnetd_t, telnetd_devpts_t)
+
+ manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+ manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+-files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
+
+ manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
+ files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
+@@ -47,7 +46,6 @@ kernel_read_kernel_sysctls(telnetd_t)
+ kernel_read_system_state(telnetd_t)
+ kernel_read_network_state(telnetd_t)
+
+-corenet_all_recvfrom_unlabeled(telnetd_t)
+ corenet_all_recvfrom_netlabel(telnetd_t)
+ corenet_tcp_sendrecv_generic_if(telnetd_t)
+ corenet_udp_sendrecv_generic_if(telnetd_t)
+@@ -68,7 +66,6 @@ auth_use_nsswitch(telnetd_t)
+ corecmd_search_bin(telnetd_t)
+
+ files_read_usr_files(telnetd_t)
+-files_read_etc_files(telnetd_t)
+ files_read_etc_runtime_files(telnetd_t)
+ # for identd; cjp: this should probably only be inetd_child rules?
+ files_search_home(telnetd_t)
+@@ -77,14 +74,12 @@ init_rw_utmp(telnetd_t)
+
+ logging_send_syslog_msg(telnetd_t)
+
+-miscfiles_read_localization(telnetd_t)
+-
+ seutil_read_config(telnetd_t)
+
+-remotelogin_domtrans(telnetd_t)
+-
+ userdom_search_user_home_dirs(telnetd_t)
+ userdom_setattr_user_ptys(telnetd_t)
++userdom_manage_user_tmp_files(telnetd_t)
++userdom_tmp_filetrans_user_tmp(telnetd_t, file)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(telnetd_t)
+@@ -96,5 +91,10 @@ tunable_policy(`use_samba_home_dirs',`
+
+ optional_policy(`
+ kerberos_keytab_template(telnetd, telnetd_t)
++ kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
+ kerberos_manage_host_rcache(telnetd_t)
+ ')
++
++optional_policy(`
++ remotelogin_domtrans(telnetd_t)
++')
+diff --git a/tftp.fc b/tftp.fc
+index 25eee43..621f343 100644
+--- a/tftp.fc
++++ b/tftp.fc
+@@ -1,3 +1,4 @@
++/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0)
+
+ /usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+ /usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+diff --git a/tftp.if b/tftp.if
+index 38bb312..d9fe23c 100644
+--- a/tftp.if
++++ b/tftp.if
+@@ -13,9 +13,34 @@
+ interface(`tftp_read_content',`
+ gen_require(`
+ type tftpdir_t;
++ type tftpdir_rw_t;
+ ')
+
++ list_dirs_pattern($1, tftpdir_t, tftpdir_t)
+ read_files_pattern($1, tftpdir_t, tftpdir_t)
++ read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)
++
++ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
++ read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
++')
++
++########################################
++##
++## Search tftp /var/lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tftp_search_rw_content',`
++ gen_require(`
++ type tftpdir_rw_t;
++ ')
++
++ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
++ files_search_var_lib($1)
+ ')
+
+ ########################################
+@@ -40,6 +65,91 @@ interface(`tftp_manage_rw_content',`
+
+ ########################################
+ ##
++## Read tftp config files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tftp_read_config',`
++ gen_require(`
++ type tftpd_etc_t;
++ ')
++
++ read_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
++')
++
++########################################
++##
++## Manage tftp config files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tftp_manage_config',`
++ gen_require(`
++ type tftpd_etc_t;
++ ')
++
++ manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
++ files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
++')
++
++########################################
++##
++## Create objects in tftpdir directories
++## with specified types.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Private file type.
++##
++##
++##
++##
++## Class of the object being created.
++##
++##
++#
++interface(`tftp_filetrans_tftpdir',`
++ gen_require(`
++ type tftpdir_rw_t;
++ ')
++
++ filetrans_pattern($1, tftpdir_rw_t, $2, $3)
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Transition to tftp named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tftp_filetrans_named_content',`
++ gen_require(`
++ type tftpd_etc_t;
++ ')
++
++ files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an tftp environment
+ ##
+@@ -55,8 +165,13 @@ interface(`tftp_admin',`
+ type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
+ ')
+
+- allow $1 tftpd_t:process { ptrace signal_perms getattr };
++ allow $1 tftpd_t:process signal_perms;
+ ps_process_pattern($1, tftpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 tftpd_t:process ptrace;
++ ')
++
++ files_list_var_lib($1)
+
+ admin_pattern($1, tftpdir_rw_t)
+
+@@ -64,4 +179,6 @@ interface(`tftp_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, tftpd_var_run_t)
++
++ tftp_manage_config($1)
+ ')
+diff --git a/tftp.te b/tftp.te
+index d50c10d..d2778d3 100644
+--- a/tftp.te
++++ b/tftp.te
+@@ -13,6 +13,13 @@ policy_module(tftp, 1.12.0)
+ ##
+ gen_tunable(tftp_anon_write, false)
+
++##
++##
++## Allow tftp to read and write files in the user home directories
++##
++##
++gen_tunable(tftp_home_dir, false)
++
+ type tftpd_t;
+ type tftpd_exec_t;
+ init_daemon_domain(tftpd_t, tftpd_exec_t)
+@@ -26,21 +33,26 @@ files_type(tftpdir_t)
+ type tftpdir_rw_t;
+ files_type(tftpdir_rw_t)
+
++type tftpd_etc_t;
++files_config_file(tftpd_etc_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+ allow tftpd_t self:capability { setgid setuid sys_chroot };
++dontaudit tftpd_t self:capability sys_tty_config;
+ allow tftpd_t self:tcp_socket create_stream_socket_perms;
+ allow tftpd_t self:udp_socket create_socket_perms;
+ allow tftpd_t self:unix_dgram_socket create_socket_perms;
+ allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
+-dontaudit tftpd_t self:capability sys_tty_config;
+
+ allow tftpd_t tftpdir_t:dir list_dir_perms;
+ allow tftpd_t tftpdir_t:file read_file_perms;
+-allow tftpd_t tftpdir_t:lnk_file { getattr read };
++allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
++
++read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t)
+
+ manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+ manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+@@ -52,7 +64,6 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
+ kernel_read_system_state(tftpd_t)
+ kernel_read_kernel_sysctls(tftpd_t)
+
+-corenet_all_recvfrom_unlabeled(tftpd_t)
+ corenet_all_recvfrom_netlabel(tftpd_t)
+ corenet_tcp_sendrecv_generic_if(tftpd_t)
+ corenet_udp_sendrecv_generic_if(tftpd_t)
+@@ -72,7 +83,6 @@ fs_search_auto_mountpoints(tftpd_t)
+
+ domain_use_interactive_fds(tftpd_t)
+
+-files_read_etc_files(tftpd_t)
+ files_read_etc_runtime_files(tftpd_t)
+ files_read_var_files(tftpd_t)
+ files_read_var_symlinks(tftpd_t)
+@@ -82,7 +92,6 @@ auth_use_nsswitch(tftpd_t)
+
+ logging_send_syslog_msg(tftpd_t)
+
+-miscfiles_read_localization(tftpd_t)
+ miscfiles_read_public_files(tftpd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
+@@ -93,6 +102,36 @@ tunable_policy(`tftp_anon_write',`
+ miscfiles_manage_public_files(tftpd_t)
+ ')
+
++tunable_policy(`tftp_home_dir',`
++ allow tftpd_t self:capability { dac_override dac_read_search };
++
++ # allow access to /home
++ files_list_home(tftpd_t)
++ userdom_read_user_home_content_files(tftpd_t)
++ userdom_manage_user_home_content(tftpd_t)
++
++ auth_read_all_dirs_except_shadow(tftpd_t)
++ auth_read_all_files_except_shadow(tftpd_t)
++ auth_read_all_symlinks_except_shadow(tftpd_t)
++',`
++ # Needed for permissive mode, to make sure everything gets labeled correctly
++ userdom_user_home_dir_filetrans_pattern(tftpd_t, { dir file lnk_file })
++')
++
++tunable_policy(`tftp_home_dir && use_nfs_home_dirs',`
++ fs_manage_nfs_files(tftpd_t)
++ fs_read_nfs_symlinks(tftpd_t)
++')
++
++tunable_policy(`tftp_home_dir && use_samba_home_dirs',`
++ fs_manage_cifs_files(tftpd_t)
++ fs_read_cifs_symlinks(tftpd_t)
++')
++
++optional_policy(`
++ cobbler_read_lib_files(tftpd_t)
++')
++
+ optional_policy(`
+ inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
+ ')
+diff --git a/tgtd.fc b/tgtd.fc
+index 8294f6f..4847b43 100644
+--- a/tgtd.fc
++++ b/tgtd.fc
+@@ -1,3 +1,4 @@
+ /etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+ /usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+ /var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
++/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
+diff --git a/tgtd.if b/tgtd.if
+index c2ed23a..d9e875d 100644
+--- a/tgtd.if
++++ b/tgtd.if
+@@ -44,3 +44,22 @@ interface(`tgtd_manage_semaphores',`
+
+ allow $1 tgtd_t:sem create_sem_perms;
+ ')
++
++######################################
++##
++## Connect to tgtd using a unix domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tgtd_stream_connect',`
++ gen_require(`
++ type tgtd_t, tgtd_var_run_t;
++ ')
++
++ files_search_var_lib($1)
++ stream_connect_pattern($1, tgtd_var_run_t, tgtd_var_run_t, tgtd_t)
++')
+diff --git a/tgtd.te b/tgtd.te
+index 80fe75c..6e81911 100644
+--- a/tgtd.te
++++ b/tgtd.te
+@@ -21,15 +21,19 @@ files_tmpfs_file(tgtd_tmpfs_t)
+ type tgtd_var_lib_t;
+ files_type(tgtd_var_lib_t)
+
++type tgtd_var_run_t;
++files_pid_file(tgtd_var_run_t)
++
+ ########################################
+ #
+ # TGTD personal policy.
+ #
+
+ allow tgtd_t self:capability sys_resource;
++allow tgtd_t self:capability2 block_suspend;
+ allow tgtd_t self:process { setrlimit signal };
+ allow tgtd_t self:fifo_file rw_fifo_file_perms;
+-allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
++allow tgtd_t self:netlink_route_socket create_netlink_socket_perms;
+ allow tgtd_t self:shm create_shm_perms;
+ allow tgtd_t self:sem create_sem_perms;
+ allow tgtd_t self:tcp_socket create_stream_socket_perms;
+@@ -46,10 +50,15 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+ manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+ files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
+
++manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
++manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
++manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
++files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
++
++kernel_read_system_state(tgtd_t)
+ kernel_read_fs_sysctls(tgtd_t)
+
+ corenet_all_recvfrom_netlabel(tgtd_t)
+-corenet_all_recvfrom_unlabeled(tgtd_t)
+ corenet_tcp_sendrecv_generic_if(tgtd_t)
+ corenet_tcp_sendrecv_generic_node(tgtd_t)
+ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+@@ -57,10 +66,16 @@ corenet_tcp_bind_generic_node(tgtd_t)
+ corenet_tcp_bind_iscsi_port(tgtd_t)
+ corenet_sendrecv_iscsi_server_packets(tgtd_t)
+
++dev_read_sysfs(tgtd_t)
++
+ files_read_etc_files(tgtd_t)
+
++fs_read_anon_inodefs_files(tgtd_t)
++
+ storage_manage_fixed_disk(tgtd_t)
+
+ logging_send_syslog_msg(tgtd_t)
+
+-miscfiles_read_localization(tgtd_t)
++optional_policy(`
++ iscsi_manage_semaphores(tgtd_t)
++')
+diff --git a/thin.fc b/thin.fc
+new file mode 100644
+index 0000000..7f4bce8
+--- /dev/null
++++ b/thin.fc
+@@ -0,0 +1,11 @@
++/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0)
++
++/usr/bin/aeolus-configserver-thinwrapper -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)
++
++/var/lib/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0)
++
++/var/log/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_log_t,s0)
++/var/log/thin\.log.* -- gen_context(system_u:object_r:thin_log_t,s0)
++
++/var/run/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_var_run_t,s0)
++/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0)
+diff --git a/thin.if b/thin.if
+new file mode 100644
+index 0000000..d000122
+--- /dev/null
++++ b/thin.if
+@@ -0,0 +1,44 @@
++## thin policy
++
++#######################################
++##
++## Creates types and rules for a basic
++## thin daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`thin_domain_template',`
++ gen_require(`
++ attribute thin_domain;
++ ')
++
++ type $1_t, thin_domain;
++ type $1_exec_t;
++ init_daemon_domain($1_t, $1_exec_t)
++
++ can_exec($1_t, $1_exec_t)
++
++ kernel_read_system_state($1_t)
++')
++
++######################################
++##
++## Execute mongod in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`thin_exec',`
++ gen_require(`
++ type thin_exec_t;
++ ')
++
++ can_exec($1, thin_exec_t)
++')
+diff --git a/thin.te b/thin.te
+new file mode 100644
+index 0000000..2b878d8
+--- /dev/null
++++ b/thin.te
+@@ -0,0 +1,110 @@
++policy_module(thin, 1.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute thin_domain;
++
++thin_domain_template(thin)
++
++type thin_log_t;
++logging_log_file(thin_log_t)
++
++type thin_var_run_t;
++files_pid_file(thin_var_run_t)
++
++thin_domain_template(thin_aeolus_configserver)
++
++type thin_aeolus_configserver_lib_t;
++files_type(thin_aeolus_configserver_lib_t)
++
++type thin_aeolus_configserver_log_t;
++logging_log_file(thin_aeolus_configserver_log_t)
++
++type thin_aeolus_configserver_var_run_t;
++files_pid_file(thin_aeolus_configserver_var_run_t)
++
++########################################
++#
++# thin_domain local policy
++#
++
++allow thin_domain self:process signal;
++
++allow thin_domain self:fifo_file rw_fifo_file_perms;
++allow thin_domain self:tcp_socket create_stream_socket_perms;
++
++# we want to stay in a new thin domain if we call thin binary from a script
++# # initrc_t@thin_test_exec_t->thin_test_t@thin_exec_t->thin_test_t
++can_exec(thin_domain, thin_exec_t)
++
++corecmd_exec_bin(thin_domain)
++corecmd_exec_shell(thin_domain)
++
++corenet_tcp_bind_generic_node(thin_domain)
++
++dev_read_rand(thin_domain)
++dev_read_urand(thin_domain)
++
++files_read_etc_files(thin_domain)
++
++auth_read_passwd(thin_domain)
++
++miscfiles_read_certs(thin_domain)
++
++files_read_usr_files(thin_domain)
++
++fs_search_auto_mountpoints(thin_domain)
++
++init_read_utmp(thin_domain)
++
++kernel_read_kernel_sysctls(thin_domain)
++
++optional_policy(`
++ sysnet_read_config(thin_domain)
++')
++
++########################################
++#
++# thin local policy
++#
++
++allow thin_t self:capability { setuid kill setgid dac_override };
++
++allow thin_t self:netlink_route_socket r_netlink_socket_perms;
++allow thin_t self:udp_socket create_socket_perms;
++allow thin_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(thin_t, thin_log_t, thin_log_t)
++manage_dirs_pattern(thin_t, thin_log_t, thin_log_t)
++logging_log_filetrans(thin_t, thin_log_t, { file dir })
++
++manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
++files_pid_filetrans(thin_t, thin_var_run_t, { file })
++
++corenet_tcp_bind_ntop_port(thin_t)
++corenet_tcp_connect_postgresql_port(thin_t)
++
++
++#######################################
++#
++# thin aeolus configserver local policy
++#
++
++allow thin_aeolus_configserver_t self:capability { setuid setgid };
++
++corenet_tcp_bind_tram_port(thin_aeolus_configserver_t)
++
++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
++files_var_lib_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, { file dir })
++
++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
++logging_log_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, { file dir })
++
++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
++files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
+diff --git a/thumb.fc b/thumb.fc
+new file mode 100644
+index 0000000..059e12c
+--- /dev/null
++++ b/thumb.fc
+@@ -0,0 +1,16 @@
++HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
++HOME_DIR/\.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
++HOME_DIR/missfont\.log.* gen_context(system_u:object_r:thumb_home_t,s0)
++
++/usr/bin/evince-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/gsf-office-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/gnome-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/gnome-[^/]*-thumbnailer(.sh)? -- gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/raw-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/shotwell-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/totem-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/whaaw-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/[^/]*thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/ffmpegthumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
++
++/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
+diff --git a/thumb.if b/thumb.if
+new file mode 100644
+index 0000000..9127cec
+--- /dev/null
++++ b/thumb.if
+@@ -0,0 +1,125 @@
++
++## policy for thumb
++
++########################################
++##
++## Transition to thumb.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`thumb_domtrans',`
++ gen_require(`
++ type thumb_t, thumb_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, thumb_exec_t, thumb_t)
++')
++
++
++########################################
++##
++## Execute thumb in the thumb domain, and
++## allow the specified role the thumb domain.
++##
++##
++##
++## Domain allowed to transition
++##
++##
++##
++##
++## The role to be allowed the thumb domain.
++##
++##
++#
++interface(`thumb_run',`
++ gen_require(`
++ type thumb_t;
++ ')
++
++ thumb_domtrans($1)
++ role $2 types thumb_t;
++
++ allow $1 thumb_t:process signal;
++')
++
++########################################
++##
++## Role access for thumb
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`thumb_role',`
++ gen_require(`
++ type thumb_t;
++ class dbus send_msg;
++ ')
++
++ role $1 types thumb_t;
++
++ thumb_domtrans($2)
++
++ ps_process_pattern($2, thumb_t)
++ allow $2 thumb_t:process signal;
++ allow thumb_t $2:unix_stream_socket connectto;
++
++ allow $2 thumb_t:dbus send_msg;
++ allow thumb_t $2:dbus send_msg;
++ thumb_filetrans_home_content($2)
++')
++
++########################################
++##
++## Send and receive messages from
++## thumb over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`thumb_dbus_chat',`
++ gen_require(`
++ type thumb_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 thumb_t:dbus send_msg;
++ allow thumb_t $1:dbus send_msg;
++')
++
++########################################
++##
++## Create thumb content in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`thumb_filetrans_home_content',`
++
++ gen_require(`
++ type thumb_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
++ userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
++')
+diff --git a/thumb.te b/thumb.te
+new file mode 100644
+index 0000000..572ab5d
+--- /dev/null
++++ b/thumb.te
+@@ -0,0 +1,126 @@
++policy_module(thumb, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type thumb_t;
++type thumb_exec_t;
++application_domain(thumb_t, thumb_exec_t)
++ubac_constrained(thumb_t)
++userdom_home_manager(thumb_t)
++
++type thumb_tmp_t;
++files_tmp_file(thumb_tmp_t)
++ubac_constrained(thumb_tmp_t)
++
++type thumb_home_t;
++userdom_user_home_content(thumb_home_t)
++
++type thumb_tmpfs_t;
++files_tmpfs_file(thumb_tmpfs_t)
++
++########################################
++#
++# thumb local policy
++#
++
++allow thumb_t self:process { setsched signal signull setrlimit };
++
++tunable_policy(`deny_execmem',`',`
++ allow thumb_t self:process execmem;
++')
++
++allow thumb_t self:fifo_file manage_fifo_file_perms;
++allow thumb_t self:unix_stream_socket create_stream_socket_perms;
++allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
++allow thumb_t self:udp_socket create_socket_perms;
++allow thumb_t self:tcp_socket create_socket_perms;
++allow thumb_t self:shm create_shm_perms;
++allow thumb_t self:sem create_sem_perms;
++
++manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
++manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
++userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
++userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
++
++manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++manage_sock_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
++userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
++xserver_xdm_tmp_filetrans(thumb_t, thumb_tmp_t, sock_file)
++
++manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
++manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
++fs_tmpfs_filetrans(thumb_t, thumb_tmpfs_t, { dir file })
++
++can_exec(thumb_t, thumb_exec_t)
++
++kernel_read_system_state(thumb_t)
++
++domain_use_interactive_fds(thumb_t)
++
++corecmd_exec_bin(thumb_t)
++corecmd_exec_shell(thumb_t)
++
++dev_read_sysfs(thumb_t)
++dev_read_urand(thumb_t)
++dev_dontaudit_rw_dri(thumb_t)
++dev_rw_xserver_misc(thumb_t)
++
++domain_use_interactive_fds(thumb_t)
++
++files_read_usr_files(thumb_t)
++files_read_non_security_files(thumb_t)
++
++fs_getattr_all_fs(thumb_t)
++fs_read_dos_files(thumb_t)
++fs_rw_inherited_tmpfs_files(thumb_t)
++
++auth_read_passwd(thumb_t)
++
++tunable_policy(`selinuxuser_execmod',`
++ libs_legacy_use_shared_libs(thumb_t)
++')
++
++miscfiles_read_fonts(thumb_t)
++miscfiles_dontaudit_setattr_fonts_dirs(thumb_t)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(thumb_t)
++
++sysnet_read_config(thumb_t)
++
++userdom_dontaudit_setattr_user_tmp(thumb_t)
++userdom_read_user_tmp_files(thumb_t)
++userdom_read_user_home_content_files(thumb_t)
++userdom_write_user_tmp_files(thumb_t)
++userdom_read_home_audio_files(thumb_t)
++userdom_home_reader(thumb_t)
++
++userdom_use_user_terminals(thumb_t)
++
++xserver_read_xdm_home_files(thumb_t)
++xserver_append_xdm_home_files(thumb_t)
++xserver_dontaudit_read_xdm_pid(thumb_t)
++xserver_dontaudit_xdm_tmp_dirs(thumb_t)
++xserver_stream_connect(thumb_t)
++xserver_use_user_fonts(thumb_t)
++
++optional_policy(`
++ dbus_dontaudit_stream_connect_session_bus(thumb_t)
++ dbus_dontaudit_chat_session_bus(thumb_t)
++')
++
++optional_policy(`
++ # .config
++ gnome_dontaudit_search_config(thumb_t)
++ gnome_append_generic_cache_files(thumb_t)
++ gnome_read_generic_data_home_files(thumb_t)
++ gnome_manage_gstreamer_home_files(thumb_t)
++ gnome_manage_gstreamer_home_dirs(thumb_t)
++ gnome_exec_gstreamer_home_files(thumb_t)
++ gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
++ gnome_cache_filetrans(thumb_t, thumb_home_t, file)
++')
+diff --git a/thunderbird.te b/thunderbird.te
+index bf37d98..0d863fc 100644
+--- a/thunderbird.te
++++ b/thunderbird.te
+@@ -54,7 +54,6 @@ kernel_read_system_state(thunderbird_t)
+ # Startup shellscript
+ corecmd_exec_shell(thunderbird_t)
+
+-corenet_all_recvfrom_unlabeled(thunderbird_t)
+ corenet_all_recvfrom_netlabel(thunderbird_t)
+ corenet_tcp_sendrecv_generic_if(thunderbird_t)
+ corenet_tcp_sendrecv_generic_node(thunderbird_t)
+@@ -82,7 +81,6 @@ dev_dontaudit_search_sysfs(thunderbird_t)
+
+ files_list_tmp(thunderbird_t)
+ files_read_usr_files(thunderbird_t)
+-files_read_etc_files(thunderbird_t)
+ files_read_etc_runtime_files(thunderbird_t)
+ files_read_var_files(thunderbird_t)
+ files_read_var_symlinks(thunderbird_t)
+@@ -99,7 +97,6 @@ fs_search_auto_mountpoints(thunderbird_t)
+ auth_use_nsswitch(thunderbird_t)
+
+ miscfiles_read_fonts(thunderbird_t)
+-miscfiles_read_localization(thunderbird_t)
+
+ userdom_manage_user_tmp_dirs(thunderbird_t)
+ userdom_read_user_tmp_files(thunderbird_t)
+@@ -112,17 +109,7 @@ xserver_read_xdm_tmp_files(thunderbird_t)
+ xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
+
+ # Access ~/.thunderbird
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(thunderbird_t)
+- fs_manage_nfs_files(thunderbird_t)
+- fs_manage_nfs_symlinks(thunderbird_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(thunderbird_t)
+- fs_manage_cifs_files(thunderbird_t)
+- fs_manage_cifs_symlinks(thunderbird_t)
+-')
++userdom_home_manager(thunderbird_t)
+
+ tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+ files_list_home(thunderbird_t)
+diff --git a/timidity.te b/timidity.te
+index 67b5592..ccddff5 100644
+--- a/timidity.te
++++ b/timidity.te
+@@ -39,7 +39,6 @@ kernel_read_kernel_sysctls(timidity_t)
+ # read /proc/cpuinfo
+ kernel_read_system_state(timidity_t)
+
+-corenet_all_recvfrom_unlabeled(timidity_t)
+ corenet_all_recvfrom_netlabel(timidity_t)
+ corenet_tcp_sendrecv_generic_if(timidity_t)
+ corenet_udp_sendrecv_generic_if(timidity_t)
+diff --git a/tmpreaper.te b/tmpreaper.te
+index 0521d5a..4ad0788 100644
+--- a/tmpreaper.te
++++ b/tmpreaper.te
+@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.6.0)
+
+ type tmpreaper_t;
+ type tmpreaper_exec_t;
++init_system_domain(tmpreaper_t, tmpreaper_exec_t)
+ application_domain(tmpreaper_t, tmpreaper_exec_t)
+ role system_r types tmpreaper_t;
+
+@@ -18,33 +19,47 @@ role system_r types tmpreaper_t;
+ allow tmpreaper_t self:process { fork sigchld };
+ allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+
++kernel_read_system_state(tmpreaper_t)
++
+ dev_read_urand(tmpreaper_t)
+
+ fs_getattr_xattr_fs(tmpreaper_t)
++fs_list_all(tmpreaper_t)
+
+-files_read_etc_files(tmpreaper_t)
+ files_read_var_lib_files(tmpreaper_t)
+ files_purge_tmp(tmpreaper_t)
++files_delete_all_non_security_files(tmpreaper_t)
+ # why does it need setattr?
+ files_setattr_all_tmp_dirs(tmpreaper_t)
++files_setattr_usr_dirs(tmpreaper_t)
+ files_getattr_all_dirs(tmpreaper_t)
+ files_getattr_all_files(tmpreaper_t)
++kernel_list_unlabeled(tmpreaper_t)
++kernel_delete_unlabeled(tmpreaper_t)
+
++mcs_file_read_all(tmpreaper_t)
++mcs_file_write_all(tmpreaper_t)
+ mls_file_read_all_levels(tmpreaper_t)
+ mls_file_write_all_levels(tmpreaper_t)
+
++auth_use_nsswitch(tmpreaper_t)
++
+ logging_send_syslog_msg(tmpreaper_t)
+
+-miscfiles_read_localization(tmpreaper_t)
+ miscfiles_delete_man_pages(tmpreaper_t)
+
+-cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
++optional_policy(`
++ cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
++')
+
+ ifdef(`distro_redhat',`
+ userdom_list_user_home_content(tmpreaper_t)
+- userdom_delete_user_home_content_dirs(tmpreaper_t)
+- userdom_delete_user_home_content_files(tmpreaper_t)
+- userdom_delete_user_home_content_symlinks(tmpreaper_t)
++ userdom_list_admin_dir(tmpreaper_t)
++ userdom_delete_all_user_home_content_dirs(tmpreaper_t)
++ userdom_delete_all_user_home_content_files(tmpreaper_t)
++ userdom_delete_all_user_home_content_sock_files(tmpreaper_t)
++ userdom_delete_all_user_home_content_symlinks(tmpreaper_t)
++ userdom_setattr_all_user_home_content_dirs(tmpreaper_t)
+ ')
+
+ optional_policy(`
+@@ -52,7 +67,9 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ apache_delete_sys_content_rw(tmpreaper_t)
+ apache_list_cache(tmpreaper_t)
++ apache_delete_cache_dirs(tmpreaper_t)
+ apache_delete_cache_files(tmpreaper_t)
+ apache_setattr_cache_dirs(tmpreaper_t)
+ ')
+@@ -66,9 +83,17 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- rpm_manage_cache(tmpreaper_t)
++ mandb_delete_cache(tmpreaper_t)
+ ')
+
+ optional_policy(`
+- unconfined_domain(tmpreaper_t)
++ sandbox_list(tmpreaper_t)
++ sandbox_delete_dirs(tmpreaper_t)
++ sandbox_delete_files(tmpreaper_t)
++ sandbox_delete_sock_files(tmpreaper_t)
++ sandbox_setattr_dirs(tmpreaper_t)
++')
++
++optional_policy(`
++ rpm_manage_cache(tmpreaper_t)
+ ')
+diff --git a/tomcat.fc b/tomcat.fc
+new file mode 100644
+index 0000000..a8385bc
+--- /dev/null
++++ b/tomcat.fc
+@@ -0,0 +1,11 @@
++/usr/lib/systemd/system/tomcat.service -- gen_context(system_u:object_r:tomcat_unit_file_t,s0)
++
++/usr/sbin/tomcat(6)? -- gen_context(system_u:object_r:tomcat_exec_t,s0)
++
++/var/cache/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_cache_t,s0)
++
++/var/lib/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_var_lib_t,s0)
++
++/var/log/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_log_t,s0)
++
++/var/run/tomcat6?\.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0)
+diff --git a/tomcat.if b/tomcat.if
+new file mode 100644
+index 0000000..9abef48
+--- /dev/null
++++ b/tomcat.if
+@@ -0,0 +1,395 @@
++
++## policy for tomcat
++
++######################################
++##
++## Creates types and rules for a basic
++## tomcat daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`tomcat_domain_template',`
++ gen_require(`
++ attribute tomcat_domain;
++ ')
++
++ type $1_t, tomcat_domain;
++ type $1_exec_t;
++ init_daemon_domain($1_t, $1_exec_t)
++
++ type $1_cache_t;
++ files_type($1_cache_t)
++
++ type $1_log_t;
++ logging_log_file($1_log_t)
++
++ type $1_var_lib_t;
++ files_type($1_var_lib_t)
++
++ type $1_var_run_t;
++ files_pid_file($1_var_run_t)
++
++ type $1_tmp_t;
++ files_tmp_file($1_tmp_t)
++
++ ##################################
++ #
++ # Local policy
++ #
++
++ manage_dirs_pattern($1_t, $1_cache_t, $1_cache_t)
++ manage_files_pattern($1_t, $1_cache_t, $1_cache_t)
++ manage_lnk_files_pattern($1_t, $1_cache_t, $1_cache_t)
++ files_var_filetrans($1_t, $1_cache_t, { dir file })
++
++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
++ manage_files_pattern($1_t, $1_log_t, $1_log_t)
++ manage_lnk_files_pattern($1_t, $1_log_t, $1_log_t)
++ logging_log_filetrans($1_t, $1_log_t, { dir file })
++
++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ manage_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ files_var_lib_filetrans($1_t, $1_var_lib_t, { dir file lnk_file })
++
++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ files_pid_filetrans($1_t, $1_var_run_t, { dir file lnk_file })
++
++ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ manage_fifo_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ files_tmp_filetrans($1_t, $1_tmp_t, { file fifo_file dir })
++
++ can_exec($1_t, $1_exec_t)
++
++ kernel_read_system_state($1_t)
++
++ logging_send_syslog_msg($1_t)
++')
++
++########################################
++##
++## Transition to tomcat.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`tomcat_domtrans',`
++ gen_require(`
++ type tomcat_t, tomcat_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, tomcat_exec_t, tomcat_t)
++')
++
++########################################
++##
++## Search tomcat cache directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tomcat_search_cache',`
++ gen_require(`
++ type tomcat_cache_t;
++ ')
++
++ allow $1 tomcat_cache_t:dir search_dir_perms;
++ files_search_var($1)
++')
++
++########################################
++##
++## Read tomcat cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tomcat_read_cache_files',`
++ gen_require(`
++ type tomcat_cache_t;
++ ')
++
++ files_search_var($1)
++ read_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## tomcat cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tomcat_manage_cache_files',`
++ gen_require(`
++ type tomcat_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
++')
++
++########################################
++##
++## Manage tomcat cache dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tomcat_manage_cache_dirs',`
++ gen_require(`
++ type tomcat_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, tomcat_cache_t, tomcat_cache_t)
++')
++
++########################################
++##
++## Read tomcat's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`tomcat_read_log',`
++ gen_require(`
++ type tomcat_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, tomcat_log_t, tomcat_log_t)
++')
++
++########################################
++##
++## Append to tomcat log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tomcat_append_log',`
++ gen_require(`
++ type tomcat_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, tomcat_log_t, tomcat_log_t)
++')
++
++########################################
++##
++## Manage tomcat log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tomcat_manage_log',`
++ gen_require(`
++ type tomcat_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, tomcat_log_t, tomcat_log_t)
++ manage_files_pattern($1, tomcat_log_t, tomcat_log_t)
++ manage_lnk_files_pattern($1, tomcat_log_t, tomcat_log_t)
++')
++
++########################################
++##
++## Search tomcat lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tomcat_search_lib',`
++ gen_require(`
++ type tomcat_var_lib_t;
++ ')
++
++ allow $1 tomcat_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read tomcat lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tomcat_read_lib_files',`
++ gen_require(`
++ type tomcat_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
++')
++
++########################################
++##
++## Manage tomcat lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tomcat_manage_lib_files',`
++ gen_require(`
++ type tomcat_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
++')
++
++########################################
++##
++## Manage tomcat lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tomcat_manage_lib_dirs',`
++ gen_require(`
++ type tomcat_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
++')
++
++########################################
++##
++## Read tomcat PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tomcat_read_pid_files',`
++ gen_require(`
++ type tomcat_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 tomcat_var_run_t:file read_file_perms;
++')
++
++########################################
++##
++## Execute tomcat server in the tomcat domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`tomcat_systemctl',`
++ gen_require(`
++ type tomcat_t;
++ type tomcat_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 tomcat_unit_file_t:file read_file_perms;
++ allow $1 tomcat_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, tomcat_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an tomcat environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`tomcat_admin',`
++ gen_require(`
++ type tomcat_t;
++ type tomcat_cache_t;
++ type tomcat_log_t;
++ type tomcat_var_lib_t;
++ type tomcat_var_run_t;
++ type tomcat_unit_file_t;
++ ')
++
++ allow $1 tomcat_t:process { ptrace signal_perms };
++ ps_process_pattern($1, tomcat_t)
++
++ files_search_var($1)
++ admin_pattern($1, tomcat_cache_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, tomcat_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, tomcat_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, tomcat_var_run_t)
++
++ tomcat_systemctl($1)
++ admin_pattern($1, tomcat_unit_file_t)
++ allow $1 tomcat_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/tomcat.te b/tomcat.te
+new file mode 100644
+index 0000000..0557ffc
+--- /dev/null
++++ b/tomcat.te
+@@ -0,0 +1,71 @@
++policy_module(tomcat, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute tomcat_domain;
++
++tomcat_domain_template(tomcat)
++
++type tomcat_unit_file_t;
++systemd_unit_file(tomcat_unit_file_t)
++
++#######################################
++#
++# tomcat local policy
++#
++
++optional_policy(`
++ unconfined_domain(tomcat_t)
++')
++
++########################################
++#
++# tomcat domain local policy
++#
++
++allow tomcat_t self:process execmem;
++allow tomcat_t self:process { signal signull };
++
++allow tomcat_t self:tcp_socket { accept listen };
++allow tomcat_domain self:fifo_file rw_fifo_file_perms;
++allow tomcat_domain self:unix_stream_socket create_stream_socket_perms;
++
++# we want to stay in a new tomcat domain if we call tomcat binary from a script
++# initrc_t@tomcat_test_exec_t->tomcat_test_t@tomcat_exec_t->tomcat_test_t
++can_exec(tomcat_domain, tomcat_exec_t)
++
++kernel_read_network_state(tomcat_domain)
++
++corecmd_exec_bin(tomcat_domain)
++corecmd_exec_shell(tomcat_domain)
++
++corenet_tcp_bind_generic_node(tomcat_domain)
++corenet_udp_bind_generic_node(tomcat_domain)
++corenet_tcp_bind_http_port(tomcat_domain)
++corenet_tcp_bind_http_cache_port(tomcat_domain)
++corenet_tcp_bind_mxi_port(tomcat_domain)
++corenet_tcp_connect_http_port(tomcat_domain)
++corenet_tcp_connect_mxi_port(tomcat_domain)
++
++dev_read_rand(tomcat_domain)
++dev_read_urand(tomcat_domain)
++dev_read_sysfs(tomcat_domain)
++
++domain_use_interactive_fds(tomcat_domain)
++
++fs_getattr_all_fs(tomcat_domain)
++fs_read_hugetlbfs_files(tomcat_domain)
++
++files_read_etc_files(tomcat_domain)
++files_read_usr_files(tomcat_domain)
++
++auth_read_passwd(tomcat_domain)
++
++sysnet_dns_name_resolve(tomcat_domain)
++
++optional_policy(`
++ tomcat_search_lib(tomcat_domain)
++')
+diff --git a/tor.fc b/tor.fc
+index e2e06b2..6752bc3 100644
+--- a/tor.fc
++++ b/tor.fc
+@@ -4,6 +4,8 @@
+ /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+ /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+
++/usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0)
++
+ /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+ /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+
+diff --git a/tor.if b/tor.if
+index 904f13e..5801347 100644
+--- a/tor.if
++++ b/tor.if
+@@ -18,6 +18,29 @@ interface(`tor_domtrans',`
+ domtrans_pattern($1, tor_exec_t, tor_t)
+ ')
+
++#######################################
++##
++## Execute tor server in the tor domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`tor_systemctl',`
++ gen_require(`
++ type tor_t;
++ type tor_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 tor_unit_file_t:file read_file_perms;
++ allow $1 tor_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, tor_t)
++')
++
+ ########################################
+ ##
+ ## All of the rules required to administrate
+@@ -40,10 +63,14 @@ interface(`tor_admin',`
+ type tor_t, tor_var_log_t, tor_etc_t;
+ type tor_var_lib_t, tor_var_run_t;
+ type tor_initrc_exec_t;
++ type tor_unit_file_t;
+ ')
+
+- allow $1 tor_t:process { ptrace signal_perms getattr };
++ allow $1 tor_t:process signal_perms;
+ ps_process_pattern($1, tor_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 tor_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, tor_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -61,4 +88,13 @@ interface(`tor_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, tor_var_run_t)
++
++ tor_systemctl($1)
++ admin_pattern($1, tor_unit_file_t)
++ allow $1 tor_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
+ ')
+diff --git a/tor.te b/tor.te
+index c842cad..a655e4c 100644
+--- a/tor.te
++++ b/tor.te
+@@ -13,6 +13,13 @@ policy_module(tor, 1.8.0)
+ ##
+ gen_tunable(tor_bind_all_unreserved_ports, false)
+
++##
++##
++## Allow tor to act as a relay
++##
++##
++gen_tunable(tor_can_network_relay, false)
++
+ type tor_t;
+ type tor_exec_t;
+ init_daemon_domain(tor_t, tor_exec_t)
+@@ -36,12 +43,16 @@ logging_log_file(tor_var_log_t)
+ type tor_var_run_t;
+ files_pid_file(tor_var_run_t)
+
++type tor_unit_file_t;
++systemd_unit_file(tor_unit_file_t)
++
+ ########################################
+ #
+ # tor local policy
+ #
+
+ allow tor_t self:capability { setgid setuid sys_tty_config };
++allow tor_t self:process signal;
+ allow tor_t self:fifo_file rw_fifo_file_perms;
+ allow tor_t self:unix_stream_socket create_stream_socket_perms;
+ allow tor_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -73,9 +84,10 @@ manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
+ files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
+
+ kernel_read_system_state(tor_t)
++kernel_read_net_sysctls(tor_t)
++kernel_read_kernel_sysctls(tor_t)
+
+ # networking basics
+-corenet_all_recvfrom_unlabeled(tor_t)
+ corenet_all_recvfrom_netlabel(tor_t)
+ corenet_tcp_sendrecv_generic_if(tor_t)
+ corenet_udp_sendrecv_generic_if(tor_t)
+@@ -87,6 +99,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
+ corenet_tcp_bind_generic_node(tor_t)
+ corenet_udp_bind_generic_node(tor_t)
+ corenet_tcp_bind_tor_port(tor_t)
++corenet_tcp_bind_tor_socks_port(tor_t)
+ corenet_udp_bind_dns_port(tor_t)
+ corenet_sendrecv_tor_server_packets(tor_t)
+ corenet_sendrecv_dns_server_packets(tor_t)
+@@ -95,13 +108,14 @@ corenet_tcp_connect_all_ports(tor_t)
+ corenet_sendrecv_all_client_packets(tor_t)
+ # ... especially including port 80 and other privileged ports
+ corenet_tcp_connect_all_reserved_ports(tor_t)
++corenet_udp_bind_dns_port(tor_t)
+
+ # tor uses crypto and needs random
+ dev_read_urand(tor_t)
++dev_read_sysfs(tor_t)
+
+ domain_use_interactive_fds(tor_t)
+
+-files_read_etc_files(tor_t)
+ files_read_etc_runtime_files(tor_t)
+ files_read_usr_files(tor_t)
+
+@@ -109,12 +123,16 @@ auth_use_nsswitch(tor_t)
+
+ logging_send_syslog_msg(tor_t)
+
+-miscfiles_read_localization(tor_t)
+-
+ tunable_policy(`tor_bind_all_unreserved_ports', `
+ corenet_tcp_bind_all_unreserved_ports(tor_t)
+ ')
+
++tunable_policy(`tor_can_network_relay',`
++ # allow httpd to work as a relay
++ corenet_tcp_connect_all_ephemeral_ports(tor_t)
++ corenet_tcp_bind_http_port(tor_t)
++')
++
+ optional_policy(`
+ seutil_sigchld_newrole(tor_t)
+ ')
+diff --git a/transproxy.te b/transproxy.te
+index 95cf0c0..f191f8a 100644
+--- a/transproxy.te
++++ b/transproxy.te
+@@ -29,7 +29,6 @@ kernel_read_kernel_sysctls(transproxy_t)
+ kernel_list_proc(transproxy_t)
+ kernel_read_proc_symlinks(transproxy_t)
+
+-corenet_all_recvfrom_unlabeled(transproxy_t)
+ corenet_all_recvfrom_netlabel(transproxy_t)
+ corenet_tcp_sendrecv_generic_if(transproxy_t)
+ corenet_tcp_sendrecv_generic_node(transproxy_t)
+@@ -49,8 +48,6 @@ fs_search_auto_mountpoints(transproxy_t)
+
+ logging_send_syslog_msg(transproxy_t)
+
+-miscfiles_read_localization(transproxy_t)
+-
+ sysnet_read_config(transproxy_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
+diff --git a/tripwire.te b/tripwire.te
+index 2ae8b62..bfe64af 100644
+--- a/tripwire.te
++++ b/tripwire.te
+@@ -80,7 +80,7 @@ files_getattr_all_sockets(tripwire_t)
+
+ logging_send_syslog_msg(tripwire_t)
+
+-userdom_use_user_terminals(tripwire_t)
++userdom_use_inherited_user_terminals(tripwire_t)
+
+ optional_policy(`
+ cron_system_entry(tripwire_t, tripwire_exec_t)
+@@ -99,9 +99,7 @@ domain_use_interactive_fds(twadmin_t)
+
+ logging_send_syslog_msg(twadmin_t)
+
+-miscfiles_read_localization(twadmin_t)
+-
+-userdom_use_user_terminals(twadmin_t)
++userdom_use_inherited_user_terminals(twadmin_t)
+
+ ########################################
+ #
+@@ -125,9 +123,7 @@ domain_use_interactive_fds(twprint_t)
+
+ logging_send_syslog_msg(twprint_t)
+
+-miscfiles_read_localization(twprint_t)
+-
+-userdom_use_user_terminals(twprint_t)
++userdom_use_inherited_user_terminals(twprint_t)
+
+ ########################################
+ #
+@@ -141,6 +137,4 @@ files_read_all_files(siggen_t)
+
+ logging_send_syslog_msg(siggen_t)
+
+-miscfiles_read_localization(siggen_t)
+-
+-userdom_use_user_terminals(siggen_t)
++userdom_use_inherited_user_terminals(siggen_t)
+diff --git a/tuned.fc b/tuned.fc
+index 639c962..e789b2e 100644
+--- a/tuned.fc
++++ b/tuned.fc
+@@ -1,8 +1,12 @@
+ /etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
+
++/etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0)
++/etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0)
++
+ /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+
+ /var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
+-/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
++/var/log/tuned\.log.* -- gen_context(system_u:object_r:tuned_log_t,s0)
+
++/var/run/tuned(/.*)? gen_context(system_u:object_r:tuned_var_run_t,s0)
+ /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
+diff --git a/tuned.if b/tuned.if
+index 54b8605..a04f013 100644
+--- a/tuned.if
++++ b/tuned.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run tuned.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`tuned_domtrans',`
+@@ -112,18 +112,20 @@ interface(`tuned_initrc_domtrans',`
+ #
+ interface(`tuned_admin',`
+ gen_require(`
+- type tuned_t, tuned_var_run_t;
+- type tuned_initrc_exec_t;
++ type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
+ ')
+
+- allow $1 tuned_t:process { ptrace signal_perms };
++ allow $1 tuned_t:process signal_perms;
+ ps_process_pattern($1, tuned_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 tuned_t:process ptrace;
++ ')
+
+ tuned_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 tuned_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, tuned_var_run_t)
+ ')
+diff --git a/tuned.te b/tuned.te
+index db9d2a5..edfe6ba 100644
+--- a/tuned.te
++++ b/tuned.te
+@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
+ type tuned_initrc_exec_t;
+ init_script_file(tuned_initrc_exec_t)
+
++type tuned_etc_t;
++files_config_file(tuned_etc_t)
++
++type tuned_rw_etc_t;
++files_config_file(tuned_rw_etc_t)
++
+ type tuned_log_t;
+ logging_log_file(tuned_log_t)
+
+@@ -22,43 +28,85 @@ files_pid_file(tuned_var_run_t)
+ #
+ # tuned local policy
+ #
+-
++allow tuned_t self:capability { sys_admin sys_nice };
+ dontaudit tuned_t self:capability { dac_override sys_tty_config };
++allow tuned_t self:process { setsched signal };
++allow tuned_t self:fifo_file rw_fifo_file_perms;
++allow tuned_t self:udp_socket create_socket_perms;
++
++read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
++exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
++
++manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
++files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
+
+ manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
+ manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+-logging_log_filetrans(tuned_t, tuned_log_t, file)
++logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")
+
+ manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
+-files_pid_filetrans(tuned_t, tuned_var_run_t, file)
++manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
++files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
+
+ corecmd_exec_shell(tuned_t)
+ corecmd_exec_bin(tuned_t)
+
+ kernel_read_system_state(tuned_t)
+ kernel_read_network_state(tuned_t)
+-
++kernel_read_kernel_sysctls(tuned_t)
++kernel_request_load_module(tuned_t)
++kernel_rw_kernel_sysctl(tuned_t)
++kernel_rw_hotplug_sysctls(tuned_t)
++kernel_rw_vm_sysctls(tuned_t)
++kernel_setsched(tuned_t)
++
++dev_getattr_all_blk_files(tuned_t)
++dev_getattr_all_chr_files(tuned_t)
++dev_dontaudit_getattr_all(tuned_t)
+ dev_read_urand(tuned_t)
+-dev_read_sysfs(tuned_t)
++dev_rw_sysfs(tuned_t)
+ # to allow cpu tuning
+ dev_rw_netcontrol(tuned_t)
+
+-files_read_etc_files(tuned_t)
+ files_read_usr_files(tuned_t)
+ files_dontaudit_search_home(tuned_t)
++files_list_tmp(tuned_t)
++
++fs_getattr_all_fs(tuned_t)
++
++auth_use_nsswitch(tuned_t)
+
+ logging_send_syslog_msg(tuned_t)
+
+-miscfiles_read_localization(tuned_t)
++mount_read_pid_files(tuned_t)
++
++udev_read_pid_files(tuned_t)
+
+ userdom_dontaudit_search_user_home_dirs(tuned_t)
+
++optional_policy(`
++ dbus_system_bus_client(tuned_t)
++ dbus_connect_system_bus(tuned_t)
++')
++
+ # to allow disk tuning
+ optional_policy(`
+ fstools_domtrans(tuned_t)
+ ')
+
++optional_policy(`
++ gnome_dontaudit_search_config(tuned_t)
++')
++
++optional_policy(`
++ mount_domtrans(tuned_t)
++')
++
+ # to allow network interface tuning
+ optional_policy(`
+ sysnet_domtrans_ifconfig(tuned_t)
+ ')
++
++optional_policy(`
++ unconfined_dbus_send(tuned_t)
++')
+diff --git a/tvtime.te b/tvtime.te
+index 531b1f1..7455f78 100644
+--- a/tvtime.te
++++ b/tvtime.te
+@@ -67,23 +67,13 @@ files_read_etc_files(tvtime_t)
+ # X access, Home files
+ fs_search_auto_mountpoints(tvtime_t)
+
+-miscfiles_read_localization(tvtime_t)
+ miscfiles_read_fonts(tvtime_t)
+
+-userdom_use_user_terminals(tvtime_t)
++userdom_use_inherited_user_terminals(tvtime_t)
+ userdom_read_user_home_content_files(tvtime_t)
+
+ # X access, Home files
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(tvtime_t)
+- fs_manage_nfs_files(tvtime_t)
+- fs_manage_nfs_symlinks(tvtime_t)
+-')
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(tvtime_t)
+- fs_manage_cifs_files(tvtime_t)
+- fs_manage_cifs_symlinks(tvtime_t)
+-')
++userdom_home_manager(tvtime_t)
+
+ optional_policy(`
+ xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
+diff --git a/tzdata.te b/tzdata.te
+index d0f2a64..9896b57 100644
+--- a/tzdata.te
++++ b/tzdata.te
+@@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t)
+ # tzdata local policy
+ #
+
+-files_read_etc_files(tzdata_t)
++files_read_config_files(tzdata_t)
+ files_search_spool(tzdata_t)
+
+ fs_getattr_xattr_fs(tzdata_t)
+@@ -24,11 +24,10 @@ term_dontaudit_list_ptys(tzdata_t)
+
+ locallogin_dontaudit_use_fds(tzdata_t)
+
+-miscfiles_read_localization(tzdata_t)
+ miscfiles_manage_localization(tzdata_t)
+ miscfiles_etc_filetrans_localization(tzdata_t)
+
+-userdom_use_user_terminals(tzdata_t)
++userdom_use_inherited_user_terminals(tzdata_t)
+
+ # tzdata looks for /var/spool/postfix/etc/localtime.
+ optional_policy(`
+diff --git a/ucspitcp.if b/ucspitcp.if
+index c1feba4..bf82170 100644
+--- a/ucspitcp.if
++++ b/ucspitcp.if
+@@ -31,8 +31,5 @@ interface(`ucspitcp_service_domain', `
+
+ role system_r types $1;
+
+- domain_auto_trans(ucspitcp_t, $2, $1)
+- allow $1 ucspitcp_t:fd use;
+- allow $1 ucspitcp_t:process sigchld;
+- allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
++ domtrans_pattern(ucspitcp_t, $2, $1)
+ ')
+diff --git a/ucspitcp.te b/ucspitcp.te
+index a0794bf..a05c54c 100644
+--- a/ucspitcp.te
++++ b/ucspitcp.te
+@@ -24,7 +24,6 @@ ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
+
+ corecmd_search_bin(rblsmtpd_t)
+
+-corenet_all_recvfrom_unlabeled(rblsmtpd_t)
+ corenet_all_recvfrom_netlabel(rblsmtpd_t)
+ corenet_tcp_sendrecv_generic_if(rblsmtpd_t)
+ corenet_udp_sendrecv_generic_if(rblsmtpd_t)
+@@ -55,7 +54,6 @@ allow ucspitcp_t self:udp_socket create_socket_perms;
+ corecmd_search_bin(ucspitcp_t)
+
+ # base networking:
+-corenet_all_recvfrom_unlabeled(ucspitcp_t)
+ corenet_all_recvfrom_netlabel(ucspitcp_t)
+ corenet_tcp_sendrecv_generic_if(ucspitcp_t)
+ corenet_udp_sendrecv_generic_if(ucspitcp_t)
+@@ -89,5 +87,7 @@ sysnet_read_config(ucspitcp_t)
+
+ optional_policy(`
+ daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
++ daemontools_sigchld_run(ucspitcp_t)
+ daemontools_read_svc(ucspitcp_t)
+ ')
++
+diff --git a/ulogd.if b/ulogd.if
+index d23be5c..a05cd68 100644
+--- a/ulogd.if
++++ b/ulogd.if
+@@ -123,8 +123,11 @@ interface(`ulogd_admin',`
+ type ulogd_var_log_t, ulogd_initrc_exec_t;
+ ')
+
+- allow $1 ulogd_t:process { ptrace signal_perms };
++ allow $1 ulogd_t:process signal_perms;
+ ps_process_pattern($1, ulogd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ulogd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/ulogd.te b/ulogd.te
+index 3b953f5..d35a323 100644
+--- a/ulogd.te
++++ b/ulogd.te
+@@ -11,7 +11,7 @@ init_daemon_domain(ulogd_t, ulogd_exec_t)
+
+ # config files
+ type ulogd_etc_t;
+-files_type(ulogd_etc_t)
++files_config_file(ulogd_etc_t)
+
+ type ulogd_initrc_exec_t;
+ init_script_file(ulogd_initrc_exec_t)
+@@ -29,8 +29,13 @@ logging_log_file(ulogd_var_log_t)
+ # ulogd local policy
+ #
+
+-allow ulogd_t self:capability net_admin;
++allow ulogd_t self:capability { net_admin sys_nice };
++allow ulogd_t self:process { setsched };
+ allow ulogd_t self:netlink_nflog_socket create_socket_perms;
++allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
++allow ulogd_t self:netlink_socket create_socket_perms;
++allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };
++allow ulogd_t self:udp_socket create_socket_perms;
+
+ # config files
+ read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
+@@ -46,7 +51,6 @@ logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
+ files_read_etc_files(ulogd_t)
+ files_read_usr_files(ulogd_t)
+
+-miscfiles_read_localization(ulogd_t)
+
+ optional_policy(`
+ allow ulogd_t self:tcp_socket create_stream_socket_perms;
+diff --git a/uml.if b/uml.if
+index d2ab7cb..ddb34f1 100644
+--- a/uml.if
++++ b/uml.if
+@@ -31,9 +31,9 @@ interface(`uml_role',`
+ allow $2 uml_t:unix_dgram_socket sendto;
+ allow uml_t $2:unix_dgram_socket sendto;
+
+- # allow ps, ptrace, signal
++ # allow ps, signal
+ ps_process_pattern($2, uml_t)
+- allow $2 uml_t:process { ptrace signal_perms };
++ allow $2 uml_t:process signal_perms;
+
+ allow $2 uml_ro_t:dir list_dir_perms;
+ read_files_pattern($2, uml_ro_t, uml_ro_t)
+diff --git a/uml.te b/uml.te
+index ff094e5..4ddeb30 100644
+--- a/uml.te
++++ b/uml.te
+@@ -50,7 +50,7 @@ files_pid_file(uml_switch_var_run_t)
+ #
+
+ allow uml_t self:fifo_file rw_fifo_file_perms;
+-allow uml_t self:process { signal_perms ptrace };
++allow uml_t self:process signal_perms;
+ allow uml_t self:unix_stream_socket create_stream_socket_perms;
+ allow uml_t self:unix_dgram_socket create_socket_perms;
+ # Use the network.
+@@ -97,7 +97,6 @@ kernel_write_proc_files(uml_t)
+ # for xterm
+ corecmd_exec_bin(uml_t)
+
+-corenet_all_recvfrom_unlabeled(uml_t)
+ corenet_all_recvfrom_netlabel(uml_t)
+ corenet_tcp_sendrecv_generic_if(uml_t)
+ corenet_udp_sendrecv_generic_if(uml_t)
+@@ -131,7 +130,7 @@ seutil_use_newrole_fds(uml_t)
+ # Use the network.
+ sysnet_read_config(uml_t)
+
+-userdom_use_user_terminals(uml_t)
++userdom_use_inherited_user_terminals(uml_t)
+ userdom_attach_admin_tun_iface(uml_t)
+
+ optional_policy(`
+@@ -174,8 +173,6 @@ init_use_script_ptys(uml_switch_t)
+
+ logging_send_syslog_msg(uml_switch_t)
+
+-miscfiles_read_localization(uml_switch_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
+ userdom_dontaudit_search_user_home_dirs(uml_switch_t)
+
+diff --git a/updfstab.te b/updfstab.te
+index ef12ed5..4bd4cea 100644
+--- a/updfstab.te
++++ b/updfstab.te
+@@ -69,8 +69,6 @@ init_use_script_ptys(updfstab_t)
+ logging_send_syslog_msg(updfstab_t)
+ logging_search_logs(updfstab_t)
+
+-miscfiles_read_localization(updfstab_t)
+-
+ seutil_read_config(updfstab_t)
+ seutil_read_default_contexts(updfstab_t)
+ seutil_read_file_contexts(updfstab_t)
+@@ -78,9 +76,8 @@ seutil_read_file_contexts(updfstab_t)
+ userdom_dontaudit_search_user_home_content(updfstab_t)
+ userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
+
+-optional_policy(`
+- auth_domtrans_pam_console(updfstab_t)
+-')
++auth_use_nsswitch(updfstab_t)
++auth_domtrans_pam_console(updfstab_t)
+
+ optional_policy(`
+ init_dbus_chat_script(updfstab_t)
+diff --git a/uptime.te b/uptime.te
+index c2cf97e..d9105b0 100644
+--- a/uptime.te
++++ b/uptime.te
+@@ -13,7 +13,7 @@ type uptimed_etc_t alias etc_uptimed_t;
+ files_config_file(uptimed_etc_t)
+
+ type uptimed_spool_t;
+-files_type(uptimed_spool_t)
++files_spool_file(uptimed_spool_t)
+
+ type uptimed_var_run_t;
+ files_pid_file(uptimed_var_run_t)
+@@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t)
+
+ dontaudit uptimed_t self:capability sys_tty_config;
+ allow uptimed_t self:process signal_perms;
+-allow uptimed_t self:fifo_file write_file_perms;
++allow uptimed_t self:fifo_file write_fifo_file_perms;
+
+ allow uptimed_t uptimed_etc_t:file read_file_perms;
+ files_search_etc(uptimed_t)
+@@ -55,8 +55,6 @@ fs_search_auto_mountpoints(uptimed_t)
+
+ logging_send_syslog_msg(uptimed_t)
+
+-miscfiles_read_localization(uptimed_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
+ userdom_dontaudit_search_user_home_dirs(uptimed_t)
+
+diff --git a/usbmodules.te b/usbmodules.te
+index 74354da..f04565f 100644
+--- a/usbmodules.te
++++ b/usbmodules.te
+@@ -34,9 +34,7 @@ init_use_fds(usbmodules_t)
+
+ miscfiles_read_hwdata(usbmodules_t)
+
+-modutils_read_module_deps(usbmodules_t)
+-
+-userdom_use_user_terminals(usbmodules_t)
++userdom_use_inherited_user_terminals(usbmodules_t)
+
+ optional_policy(`
+ hotplug_read_config(usbmodules_t)
+@@ -45,3 +43,7 @@ optional_policy(`
+ optional_policy(`
+ logging_send_syslog_msg(usbmodules_t)
+ ')
++
++optional_policy(`
++ modutils_read_module_deps(usbmodules_t)
++')
+diff --git a/usbmuxd.fc b/usbmuxd.fc
+index 40b8b8d..cd80b9b 100644
+--- a/usbmuxd.fc
++++ b/usbmuxd.fc
+@@ -1,3 +1,4 @@
+ /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
+ /var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
++/usr/lib/systemd/system/usbmuxd.* -- gen_context(system_u:object_r:usbmuxd_unit_file_t,s0)
+diff --git a/usbmuxd.if b/usbmuxd.if
+index 53792d3..823ac94 100644
+--- a/usbmuxd.if
++++ b/usbmuxd.if
+@@ -37,3 +37,65 @@ interface(`usbmuxd_stream_connect',`
+ files_search_pids($1)
+ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
+ ')
++
++########################################
++##
++## Execute usbmuxd server in the usbmuxd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`usbmuxd_systemctl',`
++ gen_require(`
++ type usbmuxd_t;
++ type usbmuxd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 usbmuxd_unit_file_t:file read_file_perms;
++ allow $1 usbmuxd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, usbmuxd_t)
++')
++
++#####################################
++##
++## All of the rules required to administrate
++## an usbmuxd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the usbmuxd domain.
++##
++##
++##
++#
++interface(`usbmuxd_admin',`
++ gen_require(`
++ type usbmuxd_t,usbmuxd_var_run_t;
++ type usbmuxd_unit_file_t;
++ ')
++
++ allow $1 usbmuxd_t:process { signal_perms };
++ ps_process_pattern($1, usbmuxd_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 usbmuxd_t:process ptrace;
++ ')
++ allow $2 system_r;
++
++ files_list_pids($1)
++ admin_pattern($1, usbmuxd_var_run_t)
++
++ usbmuxd_systemctl($1)
++ admin_pattern($1, usbmuxd_unit_file_t)
++ allow $1 usbmuxd_unit_file_t:service all_service_perms;
++')
+diff --git a/usbmuxd.te b/usbmuxd.te
+index 4440aa6..8c94194 100644
+--- a/usbmuxd.te
++++ b/usbmuxd.te
+@@ -7,12 +7,15 @@ policy_module(usbmuxd, 1.1.0)
+
+ type usbmuxd_t;
+ type usbmuxd_exec_t;
+-application_domain(usbmuxd_t, usbmuxd_exec_t)
++init_system_domain(usbmuxd_t, usbmuxd_exec_t)
+ role system_r types usbmuxd_t;
+
+ type usbmuxd_var_run_t;
+ files_pid_file(usbmuxd_var_run_t)
+
++type usbmuxd_unit_file_t;
++systemd_unit_file(usbmuxd_unit_file_t)
++
+ ########################################
+ #
+ # usbmuxd local policy
+@@ -33,10 +36,12 @@ kernel_read_system_state(usbmuxd_t)
+ dev_read_sysfs(usbmuxd_t)
+ dev_rw_generic_usb_dev(usbmuxd_t)
+
+-files_read_etc_files(usbmuxd_t)
+-
+-miscfiles_read_localization(usbmuxd_t)
+-
+ auth_use_nsswitch(usbmuxd_t)
+
+ logging_send_syslog_msg(usbmuxd_t)
++
++seutil_dontaudit_read_file_contexts(usbmuxd_t)
++
++optional_policy(`
++ virt_dontaudit_read_chr_dev(usbmuxd_t)
++')
+diff --git a/userhelper.fc b/userhelper.fc
+index e70b0e8..cd83b89 100644
+--- a/userhelper.fc
++++ b/userhelper.fc
+@@ -7,3 +7,4 @@
+ # /usr
+ #
+ /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
++/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
+diff --git a/userhelper.if b/userhelper.if
+index 65baaac..3b93d32 100644
+--- a/userhelper.if
++++ b/userhelper.if
+@@ -25,6 +25,7 @@ template(`userhelper_role_template',`
+ gen_require(`
+ attribute userhelper_type;
+ type userhelper_exec_t, userhelper_conf_t;
++ class dbus send_msg;
+ ')
+
+ ########################################
+@@ -121,6 +122,9 @@ template(`userhelper_role_template',`
+ auth_manage_pam_pid($1_userhelper_t)
+ auth_manage_var_auth($1_userhelper_t)
+ auth_search_pam_console_data($1_userhelper_t)
++ auth_use_nsswitch($1_userhelper_t)
++
++ logging_send_syslog_msg($1_userhelper_t)
+
+ # Inherit descriptors from the current session.
+ init_use_fds($1_userhelper_t)
+@@ -128,7 +132,6 @@ template(`userhelper_role_template',`
+ init_manage_utmp($1_userhelper_t)
+ init_pid_filetrans_utmp($1_userhelper_t)
+
+- miscfiles_read_localization($1_userhelper_t)
+
+ seutil_read_config($1_userhelper_t)
+ seutil_read_default_contexts($1_userhelper_t)
+@@ -145,18 +148,6 @@ template(`userhelper_role_template',`
+ ')
+
+ optional_policy(`
+- logging_send_syslog_msg($1_userhelper_t)
+- ')
+-
+- optional_policy(`
+- nis_use_ypbind($1_userhelper_t)
+- ')
+-
+- optional_policy(`
+- nscd_socket_use($1_userhelper_t)
+- ')
+-
+- optional_policy(`
+ tunable_policy(`! secure_mode',`
+ #if we are not in secure mode then we can transition to sysadm_t
+ sysadm_bin_spec_domtrans($1_userhelper_t)
+@@ -255,3 +246,91 @@ interface(`userhelper_exec',`
+
+ can_exec($1, userhelper_exec_t)
+ ')
++
++#######################################
++##
++## The role template for the consolehelper module.
++##
++##
++##
++## This template creates a derived domains which are used
++## for consolehelper applications.
++##
++##
++##
++##
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++##
++##
++##
++##
++## The role associated with the user domain.
++##
++##
++##
++##
++## The type of the user domain.
++##
++##
++#
++template(`userhelper_console_role_template',`
++ gen_require(`
++ type consolehelper_exec_t;
++ attribute consolehelper_domain;
++ class dbus send_msg;
++ ')
++ type $1_consolehelper_t, consolehelper_domain;
++ domain_type($1_consolehelper_t)
++ domain_entry_file($1_consolehelper_t, consolehelper_exec_t)
++ role $2 types $1_consolehelper_t;
++
++ domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
++
++ allow $3 $1_consolehelper_t:process signal;
++ allow $3 $1_consolehelper_t:dbus send_msg;
++ allow $1_consolehelper_t $3:dbus send_msg;
++ allow $1_consolehelper_t $3:unix_stream_socket connectto;
++
++ kernel_read_system_state($1_consolehelper_t)
++
++ auth_use_pam($1_consolehelper_t)
++
++ userdom_manage_tmpfs_role($2, $1_consolehelper_t)
++
++ optional_policy(`
++ dbus_connect_session_bus($1_consolehelper_t)
++ ')
++
++ optional_policy(`
++ shutdown_run($1_consolehelper_t, $2)
++ shutdown_send_sigchld($3)
++ ')
++
++ optional_policy(`
++ mock_run($1_consolehelper_t, $2)
++ ')
++
++ optional_policy(`
++ xserver_run_xauth($1_consolehelper_t, $2)
++ xserver_read_xdm_pid($1_consolehelper_t)
++ ')
++')
++
++########################################
++##
++## Execute the consolehelper program in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userhelper_exec_console',`
++ gen_require(`
++ type consolehelper_exec_t;
++ ')
++
++ can_exec($1, consolehelper_exec_t)
++')
+diff --git a/userhelper.te b/userhelper.te
+index f25ed61..1b381f0 100644
+--- a/userhelper.te
++++ b/userhelper.te
+@@ -6,9 +6,81 @@ policy_module(userhelper, 1.7.0)
+ #
+
+ attribute userhelper_type;
++attribute consolehelper_domain;
+
+ type userhelper_conf_t;
+ files_type(userhelper_conf_t)
+
+ type userhelper_exec_t;
+ application_executable_file(userhelper_exec_t)
++
++type consolehelper_exec_t;
++application_executable_file(consolehelper_exec_t)
++
++########################################
++#
++# consolehelper local policy
++#
++
++allow consolehelper_domain self:shm create_shm_perms;
++allow consolehelper_domain self:capability { setgid setuid dac_override };
++allow consolehelper_domain self:process signal;
++
++allow consolehelper_domain userhelper_conf_t:file audit_access;
++dontaudit consolehelper_domain userhelper_conf_t:file write;
++read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t)
++
++# Init script handling
++domain_use_interactive_fds(consolehelper_domain)
++
++# internal communication is often done using fifo and unix sockets.
++allow consolehelper_domain self:fifo_file rw_fifo_file_perms;
++allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_kernel_sysctls(consolehelper_domain)
++
++corecmd_exec_bin(consolehelper_domain)
++
++dev_getattr_all_chr_files(consolehelper_domain)
++dev_dontaudit_list_all_dev_nodes(consolehelper_domain)
++dev_dontaudit_getattr_all(consolehelper_domain)
++fs_getattr_all_fs(consolehelper_domain)
++fs_getattr_all_dirs(consolehelper_domain)
++
++files_read_config_files(consolehelper_domain)
++files_read_usr_files(consolehelper_domain)
++
++term_list_ptys(consolehelper_domain)
++
++auth_search_pam_console_data(consolehelper_domain)
++auth_read_pam_pid(consolehelper_domain)
++
++init_read_utmp(consolehelper_domain)
++init_telinit(consolehelper_domain)
++
++miscfiles_read_fonts(consolehelper_domain)
++
++userhelper_exec(consolehelper_domain)
++
++userdom_use_user_ptys(consolehelper_domain)
++userdom_use_user_ttys(consolehelper_domain)
++userdom_read_user_home_content_files(consolehelper_domain)
++
++optional_policy(`
++ gnome_read_gconf_home_files(consolehelper_domain)
++')
++
++optional_policy(`
++ xserver_read_home_fonts(consolehelper_domain)
++ xserver_stream_connect(consolehelper_domain)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ files_search_mnt(consolehelper_domain)
++ fs_search_nfs(consolehelper_domain)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ files_search_mnt(consolehelper_domain)
++ fs_search_cifs(consolehelper_domain)
++')
+diff --git a/usernetctl.if b/usernetctl.if
+index d45c715..2d4f1ba 100644
+--- a/usernetctl.if
++++ b/usernetctl.if
+@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',`
+ #
+ interface(`usernetctl_run',`
+ gen_require(`
+- attribute_role usernetctl_roles;
++ type usernetctl_t;
++ #attribute_role usernetctl_roles;
+ ')
+
+- usernetctl_domtrans($1)
+- roleattribute $2 usernetctl_roles;
++ #usernetctl_domtrans($1)
++ #roleattribute $2 usernetctl_roles;
++
++ sysnet_run_ifconfig(usernetctl_t, $2)
++ sysnet_run_dhcpc(usernetctl_t, $2)
++
++ optional_policy(`
++ iptables_run(usernetctl_t, $2)
++ ')
++
++ optional_policy(`
++ modutils_run_insmod(usernetctl_t, $2)
++ ')
++
++ optional_policy(`
++ ppp_run(usernetctl_t, $2)
++ ')
++
+ ')
+diff --git a/usernetctl.te b/usernetctl.te
+index 19c70bb..8a00ab0 100644
+--- a/usernetctl.te
++++ b/usernetctl.te
+@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0)
+ # Declarations
+ #
+
+-attribute_role usernetctl_roles;
++#attribute_role usernetctl_roles;
+
+ type usernetctl_t;
+ type usernetctl_exec_t;
+ application_domain(usernetctl_t, usernetctl_exec_t)
+ domain_interactive_fd(usernetctl_t)
+-role usernetctl_roles types usernetctl_t;
++#role usernetctl_roles types usernetctl_t;
++role system_r types usernetctl_t;
+
+ ########################################
+ #
+@@ -42,7 +43,6 @@ corecmd_exec_shell(usernetctl_t)
+
+ domain_dontaudit_read_all_domains_state(usernetctl_t)
+
+-files_read_etc_files(usernetctl_t)
+ files_exec_etc_files(usernetctl_t)
+ files_read_etc_runtime_files(usernetctl_t)
+ files_list_pids(usernetctl_t)
+@@ -55,36 +55,36 @@ auth_use_nsswitch(usernetctl_t)
+
+ logging_send_syslog_msg(usernetctl_t)
+
+-miscfiles_read_localization(usernetctl_t)
+-
+ seutil_read_config(usernetctl_t)
+
+ sysnet_read_config(usernetctl_t)
+-sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
+-sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
+
+-userdom_use_user_terminals(usernetctl_t)
++userdom_use_inherited_user_terminals(usernetctl_t)
++
++#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
++#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
+
+ optional_policy(`
+- consoletype_run(usernetctl_t, usernetctl_roles)
++ #consoletype_run(usernetctl_t, usernetctl_roles)
++ consoletype_exec(usernetctl_t)
+ ')
+
+ optional_policy(`
+ hostname_exec(usernetctl_t)
+ ')
+
+-optional_policy(`
+- iptables_run(usernetctl_t, usernetctl_roles)
+-')
++#optional_policy(`
++# iptables_run(usernetctl_t, usernetctl_roles)
++#')
+
+-optional_policy(`
+- modutils_run_insmod(usernetctl_t, usernetctl_roles)
+-')
++#optional_policy(`
++# modutils_run_insmod(usernetctl_t, usernetctl_roles)
++#')
+
+ optional_policy(`
+ nis_use_ypbind(usernetctl_t)
+ ')
+
+-optional_policy(`
+- ppp_run(usernetctl_t, usernetctl_roles)
+-')
++#optional_policy(`
++# ppp_run(usernetctl_t, usernetctl_roles)
++#')
+diff --git a/uucp.if b/uucp.if
+index ebc5414..8f8ac45 100644
+--- a/uucp.if
++++ b/uucp.if
+@@ -99,8 +99,11 @@ interface(`uucp_admin',`
+ type uucpd_var_run_t;
+ ')
+
+- allow $1 uucpd_t:process { ptrace signal_perms };
++ allow $1 uucpd_t:process signal_perms;
+ ps_process_pattern($1, uucpd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 uucpd_t:process ptrace;
++ ')
+
+ logging_list_logs($1)
+ admin_pattern($1, uucpd_log_t)
+diff --git a/uucp.te b/uucp.te
+index d4349e9..e338438 100644
+--- a/uucp.te
++++ b/uucp.te
+@@ -24,7 +24,7 @@ type uucpd_ro_t;
+ files_type(uucpd_ro_t)
+
+ type uucpd_spool_t;
+-files_type(uucpd_spool_t)
++files_spool_file(uucpd_spool_t)
+
+ type uucpd_log_t;
+ logging_log_file(uucpd_log_t)
+@@ -74,7 +74,6 @@ kernel_read_kernel_sysctls(uucpd_t)
+ kernel_read_system_state(uucpd_t)
+ kernel_read_network_state(uucpd_t)
+
+-corenet_all_recvfrom_unlabeled(uucpd_t)
+ corenet_all_recvfrom_netlabel(uucpd_t)
+ corenet_tcp_sendrecv_generic_if(uucpd_t)
+ corenet_udp_sendrecv_generic_if(uucpd_t)
+@@ -83,6 +82,7 @@ corenet_udp_sendrecv_generic_node(uucpd_t)
+ corenet_tcp_sendrecv_all_ports(uucpd_t)
+ corenet_udp_sendrecv_all_ports(uucpd_t)
+ corenet_tcp_connect_ssh_port(uucpd_t)
++corenet_tcp_connect_uucpd_port(uucpd_t)
+
+ dev_read_urand(uucpd_t)
+
+@@ -91,7 +91,6 @@ fs_getattr_xattr_fs(uucpd_t)
+ corecmd_exec_bin(uucpd_t)
+ corecmd_exec_shell(uucpd_t)
+
+-files_read_etc_files(uucpd_t)
+ files_search_home(uucpd_t)
+ files_search_spool(uucpd_t)
+
+@@ -101,8 +100,6 @@ auth_use_nsswitch(uucpd_t)
+
+ logging_send_syslog_msg(uucpd_t)
+
+-miscfiles_read_localization(uucpd_t)
+-
+ mta_send_mail(uucpd_t)
+
+ optional_policy(`
+@@ -125,18 +122,19 @@ optional_policy(`
+ allow uux_t self:capability { setuid setgid };
+ allow uux_t self:fifo_file write_fifo_file_perms;
+
++domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)
++
+ uucp_append_log(uux_t)
+ uucp_manage_spool(uux_t)
+
+ corecmd_exec_bin(uux_t)
+
+-files_read_etc_files(uux_t)
+
+ fs_rw_anon_inodefs_files(uux_t)
+
+-logging_send_syslog_msg(uux_t)
++auth_use_nsswitch(uux_t)
+
+-miscfiles_read_localization(uux_t)
++logging_send_syslog_msg(uux_t)
+
+ optional_policy(`
+ mta_send_mail(uux_t)
+@@ -145,5 +143,5 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(uux_t)
++ postfix_rw_master_pipes(uux_t)
+ ')
+diff --git a/uuidd.fc b/uuidd.fc
+index a7c9381..d810232 100644
+--- a/uuidd.fc
++++ b/uuidd.fc
+@@ -1,4 +1,5 @@
+-/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
++
++/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
+
+ /usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
+
+diff --git a/uuidd.if b/uuidd.if
+index 5d43bd5..879a5cb 100644
+--- a/uuidd.if
++++ b/uuidd.if
+@@ -176,6 +176,9 @@ interface(`uuidd_admin',`
+
+ allow $1 uuidd_t:process signal_perms;
+ ps_process_pattern($1, uuidd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 uuidd_t:process ptrace;
++ ')
+
+ uuidd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+diff --git a/uuidd.te b/uuidd.te
+index 04589dc..33b02b5 100644
+--- a/uuidd.te
++++ b/uuidd.te
+@@ -41,4 +41,3 @@ domain_use_interactive_fds(uuidd_t)
+
+ files_read_etc_files(uuidd_t)
+
+-miscfiles_read_localization(uuidd_t)
+diff --git a/uwimap.te b/uwimap.te
+index 46d9811..f109ba3 100644
+--- a/uwimap.te
++++ b/uwimap.te
+@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t)
+ kernel_list_proc(imapd_t)
+ kernel_read_proc_symlinks(imapd_t)
+
+-corenet_all_recvfrom_unlabeled(imapd_t)
+ corenet_all_recvfrom_netlabel(imapd_t)
+ corenet_tcp_sendrecv_generic_if(imapd_t)
+ corenet_tcp_sendrecv_generic_node(imapd_t)
+@@ -65,8 +64,6 @@ auth_domtrans_chk_passwd(imapd_t)
+
+ logging_send_syslog_msg(imapd_t)
+
+-miscfiles_read_localization(imapd_t)
+-
+ sysnet_read_config(imapd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(imapd_t)
+diff --git a/varnishd.if b/varnishd.if
+index 93975d6..bd248ce 100644
+--- a/varnishd.if
++++ b/varnishd.if
+@@ -151,12 +151,16 @@ interface(`varnishd_manage_log',`
+ #
+ interface(`varnishd_admin_varnishlog',`
+ gen_require(`
++ type varnishd_t;
+ type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
+ type varnishlog_var_run_t;
+ ')
+
+- allow $1 varnishlog_t:process { ptrace signal_perms };
++ allow $1 varnishlog_t:process signal_perms;
+ ps_process_pattern($1, varnishlog_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 varnishd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -194,8 +198,11 @@ interface(`varnishd_admin',`
+ type varnishd_initrc_exec_t;
+ ')
+
+- allow $1 varnishd_t:process { ptrace signal_perms };
++ allow $1 varnishd_t:process signal_perms;
+ ps_process_pattern($1, varnishd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 varnishd_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/varnishd.te b/varnishd.te
+index f9310f3..b4dafb7 100644
+--- a/varnishd.te
++++ b/varnishd.te
+@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
+ init_script_file(varnishd_initrc_exec_t)
+
+ type varnishd_etc_t;
+-files_type(varnishd_etc_t)
++files_config_file(varnishd_etc_t)
+
+ type varnishd_tmp_t;
+ files_tmp_file(varnishd_tmp_t)
+@@ -43,7 +43,7 @@ type varnishlog_var_run_t;
+ files_pid_file(varnishlog_var_run_t)
+
+ type varnishlog_log_t;
+-files_type(varnishlog_log_t)
++logging_log_file(varnishlog_log_t)
+
+ ########################################
+ #
+@@ -52,7 +52,7 @@ files_type(varnishlog_log_t)
+
+ allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+ dontaudit varnishd_t self:capability sys_tty_config;
+-allow varnishd_t self:process signal;
++allow varnishd_t self:process { execmem signal };
+ allow varnishd_t self:fifo_file rw_fifo_file_perms;
+ allow varnishd_t self:tcp_socket create_stream_socket_perms;
+ allow varnishd_t self:udp_socket create_socket_perms;
+@@ -87,14 +87,14 @@ corenet_tcp_connect_http_port(varnishd_t)
+
+ dev_read_urand(varnishd_t)
+
++files_read_usr_files(varnishd_t)
++
+ fs_getattr_all_fs(varnishd_t)
+
+ auth_use_nsswitch(varnishd_t)
+
+ logging_send_syslog_msg(varnishd_t)
+
+-miscfiles_read_localization(varnishd_t)
+-
+ sysnet_read_config(varnishd_t)
+
+ tunable_policy(`varnishd_connect_any',`
+diff --git a/vbetool.te b/vbetool.te
+index 001c93c..f918ed2 100644
+--- a/vbetool.te
++++ b/vbetool.te
+@@ -22,6 +22,7 @@ init_system_domain(vbetool_t, vbetool_exec_t)
+ #
+
+ allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
++allow vbetool_t self:capability2 compromise_kernel;
+ allow vbetool_t self:process execmem;
+
+ dev_wx_raw_memory(vbetool_t)
+@@ -38,7 +39,6 @@ mls_file_write_all_levels(vbetool_t)
+
+ term_use_unallocated_ttys(vbetool_t)
+
+-miscfiles_read_localization(vbetool_t)
+
+ tunable_policy(`vbetool_mmap_zero_ignore',`
+ dontaudit vbetool_t self:memprotect mmap_zero;
+diff --git a/vdagent.fc b/vdagent.fc
+index 21c5f41..3ae71ae 100644
+--- a/vdagent.fc
++++ b/vdagent.fc
+@@ -1,7 +1,7 @@
+ /usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
+
+ /var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
+-/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0)
++/var/log/spice-vdagentd\.log.* -- gen_context(system_u:object_r:vdagent_log_t,s0)
+
+ /var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
+-/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
++/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
+diff --git a/vdagent.if b/vdagent.if
+index e59a074..b708678 100644
+--- a/vdagent.if
++++ b/vdagent.if
+@@ -20,39 +20,39 @@ interface(`vdagent_domtrans',`
+
+ #####################################
+ ##
+-## Getattr on vdagent executable.
++## Getattr on vdagent executable.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`vdagent_getattr_exec_files',`
+- gen_require(`
+- type vdagent_exec_t;
+- ')
++ gen_require(`
++ type vdagent_exec_t;
++ ')
+
+- allow $1 vdagent_exec_t:file getattr;
++ allow $1 vdagent_exec_t:file getattr;
+ ')
+
+ #######################################
+ ##
+-## Get the attributes of vdagent logs.
++## Get the attributes of vdagent logs.
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+ interface(`vdagent_getattr_log',`
+- gen_require(`
+- type vdagent_log_t;
+- ')
++ gen_require(`
++ type vdagent_log_t;
++ ')
+
+- logging_search_logs($1)
+- allow $1 vdagent_log_t:file getattr_file_perms;
++ logging_search_logs($1)
++ allow $1 vdagent_log_t:file getattr_file_perms;
+ ')
+
+ ########################################
+@@ -76,22 +76,22 @@ interface(`vdagent_read_pid_files',`
+
+ #####################################
+ ##
+-## Connect to vdagent over a unix domain
+-## stream socket.
++## Connect to vdagent over a unix domain
++## stream socket.
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+ interface(`vdagent_stream_connect',`
+- gen_require(`
+- type vdagent_var_run_t, vdagent_t;
+- ')
++ gen_require(`
++ type vdagent_var_run_t, vdagent_t;
++ ')
+
+- files_search_pids($1)
+- stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
++ files_search_pids($1)
++ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
+ ')
+
+ ########################################
+@@ -104,12 +104,6 @@ interface(`vdagent_stream_connect',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## Role allowed access.
+-##
+-##
+-##
+ #
+ interface(`vdagent_admin',`
+ gen_require(`
+@@ -118,6 +112,9 @@ interface(`vdagent_admin',`
+
+ allow $1 vdagent_t:process signal_perms;
+ ps_process_pattern($1, vdagent_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 vdagent_t:process ptrace;
++ ')
+
+ files_search_pids($1)
+ admin_pattern($1, vdagent_var_run_t)
+diff --git a/vdagent.te b/vdagent.te
+index 29e24e2..b1ca03a 100644
+--- a/vdagent.te
++++ b/vdagent.te
+@@ -21,6 +21,7 @@ logging_log_file(vdagent_log_t)
+ #
+
+ dontaudit vdagent_t self:capability sys_admin;
++allow vdagent_t self:process signal;
+
+ allow vdagent_t self:fifo_file rw_fifo_file_perms;
+ allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
+@@ -32,7 +33,7 @@ files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file })
+
+ manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+ manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+-logging_log_filetrans(vdagent_t, vdagent_log_t, file)
++logging_log_filetrans(vdagent_t, vdagent_log_t, { file })
+
+ dev_rw_input_dev(vdagent_t)
+ dev_read_sysfs(vdagent_t)
+@@ -40,7 +41,16 @@ dev_dontaudit_write_mtrr(vdagent_t)
+
+ files_read_etc_files(vdagent_t)
+
+-miscfiles_read_localization(vdagent_t)
++init_read_state(vdagent_t)
++
++systemd_read_logind_sessions_files(vdagent_t)
++systemd_login_read_pid_files(vdagent_t)
++
++term_use_virtio_console(vdagent_t)
++
++userdom_read_all_users_state(vdagent_t)
++
++logging_send_syslog_msg(vdagent_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(vdagent_t)
+diff --git a/vhostmd.if b/vhostmd.if
+index 1f872b5..8af4bce 100644
+--- a/vhostmd.if
++++ b/vhostmd.if
+@@ -52,7 +52,7 @@ interface(`vhostmd_read_tmpfs_files',`
+ ')
+
+ allow $1 vhostmd_tmpfs_t:file read_file_perms;
+- files_search_tmp($1)
++ fs_search_tmpfs($1)
+ ')
+
+ ########################################
+@@ -90,7 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',`
+ ')
+
+ rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+- files_search_tmp($1)
++ fs_search_tmpfs($1)
+ ')
+
+ ########################################
+@@ -109,7 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',`
+ ')
+
+ manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+- files_search_tmp($1)
++ fs_search_tmpfs($1)
+ ')
+
+ ########################################
+@@ -146,7 +146,8 @@ interface(`vhostmd_manage_pid_files',`
+ type vhostmd_var_run_t;
+ ')
+
+- manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
++ files_search_pids($1)
++ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+ ')
+
+ ########################################
+@@ -209,8 +210,11 @@ interface(`vhostmd_admin',`
+ type vhostmd_t, vhostmd_initrc_exec_t;
+ ')
+
+- allow $1 vhostmd_t:process { ptrace signal_perms getattr };
++ allow $1 vhostmd_t:process signal_perms;
+ ps_process_pattern($1, vhostmd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 vhostmd_t:process ptrace;
++ ')
+
+ vhostmd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+@@ -220,5 +224,4 @@ interface(`vhostmd_admin',`
+ vhostmd_manage_tmpfs_files($1)
+
+ vhostmd_manage_pid_files($1)
+-
+ ')
+diff --git a/vhostmd.te b/vhostmd.te
+index 32a3c13..0cbca75 100644
+--- a/vhostmd.te
++++ b/vhostmd.te
+@@ -24,8 +24,8 @@ files_pid_file(vhostmd_var_run_t)
+ #
+
+ allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
+-allow vhostmd_t self:process { setsched getsched };
+-allow vhostmd_t self:fifo_file rw_file_perms;
++allow vhostmd_t self:process { setsched getsched signal };
++allow vhostmd_t self:fifo_file rw_fifo_file_perms;
+
+ manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+ manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+@@ -35,6 +35,7 @@ manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+ manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+ files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir })
+
++kernel_read_kernel_sysctls(vhostmd_t)
+ kernel_read_system_state(vhostmd_t)
+ kernel_read_network_state(vhostmd_t)
+ kernel_write_xen_state(vhostmd_t)
+@@ -44,17 +45,21 @@ corecmd_exec_shell(vhostmd_t)
+
+ corenet_tcp_connect_soundd_port(vhostmd_t)
+
+-files_read_etc_files(vhostmd_t)
++dev_read_rand(vhostmd_t)
++dev_read_urand(vhostmd_t)
++dev_read_sysfs(vhostmd_t)
++
++# 579803
++files_list_tmp(vhostmd_t)
+ files_read_usr_files(vhostmd_t)
+
++dev_read_rand(vhostmd_t)
+ dev_read_sysfs(vhostmd_t)
+
+ auth_use_nsswitch(vhostmd_t)
+
+ logging_send_syslog_msg(vhostmd_t)
+
+-miscfiles_read_localization(vhostmd_t)
+-
+ optional_policy(`
+ hostname_exec(vhostmd_t)
+ ')
+@@ -66,6 +71,7 @@ optional_policy(`
+
+ optional_policy(`
+ virt_stream_connect(vhostmd_t)
++ virt_write_content(vhostmd_t)
+ ')
+
+ optional_policy(`
+diff --git a/virt.fc b/virt.fc
+index 2124b6a..e55e393 100644
+--- a/virt.fc
++++ b/virt.fc
+@@ -1,6 +1,14 @@
+-HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+-HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
++HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
++HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
++HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
++HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
++HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+
+ /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
+ /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+@@ -12,18 +20,59 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+ /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+ /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+
++/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
++/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
++
++/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
+ /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
++/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
++/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
+
+-/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
++/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
+
+ /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+ /var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+ /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+ /var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+-/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
++/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+
++/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+ /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
++/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
++/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
+ /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
++/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
++/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
++/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
++/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+
+ /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
++
++# support for AEOLUS project
++/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0)
++/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0)
++/var/lib/imagefactory/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
++/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
++/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
++/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
++
++# add support vios-proxy-*
++/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0)
++
++# support for nova-stack
++/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
++/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
++/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
++/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
++
++/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
++/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
++/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
++
++/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
++/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
++/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+diff --git a/virt.if b/virt.if
+index 6f0736b..408a20a 100644
+--- a/virt.if
++++ b/virt.if
+@@ -13,67 +13,30 @@
+ #
+ template(`virt_domain_template',`
+ gen_require(`
+- type virtd_t;
+- attribute virt_image_type;
+- attribute virt_domain;
++ attribute virt_image_type, virt_domain;
++ attribute virt_tmpfs_type;
++ attribute virt_ptynode;
++ type qemu_exec_t;
+ ')
+
+ type $1_t, virt_domain;
+- domain_type($1_t)
++ application_domain($1_t, qemu_exec_t)
+ domain_user_exemption_target($1_t)
++ mls_rangetrans_target($1_t)
++ mcs_untrusted_proc($1_t)
+ role system_r types $1_t;
+
+- type $1_devpts_t;
++ type $1_devpts_t, virt_ptynode;
+ term_pty($1_devpts_t)
+
+- type $1_tmp_t;
+- files_tmp_file($1_tmp_t)
++ kernel_read_system_state($1_t)
+
+- type $1_tmpfs_t;
+- files_tmpfs_file($1_tmpfs_t)
++ auth_read_passwd($1_t)
+
+- type $1_image_t, virt_image_type;
+- files_type($1_image_t)
+- dev_node($1_image_t)
++ logging_send_syslog_msg($1_t)
+
+- type $1_var_run_t;
+- files_pid_file($1_var_run_t)
+-
+- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty($1_t, $1_devpts_t)
+-
+- manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
+- manage_files_pattern($1_t, $1_image_t, $1_image_t)
+- read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+- rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
+-
+- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+- manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+- files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+-
+- manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+- manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
+-
+- stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain)
+- manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+- manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+- manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+-
+- manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+- manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+- manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+- files_pid_filetrans($1_t, $1_var_run_t, { dir file })
+- stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
+-
+- auth_use_nsswitch($1_t)
+-
+- optional_policy(`
+- xserver_rw_shm($1_t)
+- ')
+ ')
+
+ ########################################
+@@ -98,14 +61,32 @@ interface(`virt_image',`
+ dev_node($1)
+ ')
+
++#######################################
++##
++## Getattr on virt executable.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`virt_getattr_exec',`
++ gen_require(`
++ type virtd_exec_t;
++ ')
++
++ allow $1 virtd_exec_t:file getattr;
++')
++
+ ########################################
+ ##
+ ## Execute a domain transition to run virt.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`virt_domtrans',`
+@@ -116,9 +97,45 @@ interface(`virt_domtrans',`
+ domtrans_pattern($1, virtd_exec_t, virtd_t)
+ ')
+
++########################################
++##
++## Transition to virt_qmf.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`virt_domtrans_qmf',`
++ gen_require(`
++ type virt_qmf_t, virt_qmf_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
++')
++
++########################################
++##
++## Transition to virt_bridgehelper.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++interface(`virt_domtrans_bridgehelper',`
++ gen_require(`
++ type virt_bridgehelper_t, virt_bridgehelper_exec_t;
++ ')
++
++ domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
++')
++
+ #######################################
+ ##
+-## Connect to virt over an unix domain stream socket.
++## Connect to virt over a unix domain stream socket.
+ ##
+ ##
+ ##
+@@ -166,13 +183,13 @@ interface(`virt_attach_tun_iface',`
+ #
+ interface(`virt_read_config',`
+ gen_require(`
+- type virt_etc_t;
+- type virt_etc_rw_t;
++ type virt_etc_t, virt_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, virt_etc_t, virt_etc_t)
+ read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
++ read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ ')
+
+ ########################################
+@@ -187,13 +204,13 @@ interface(`virt_read_config',`
+ #
+ interface(`virt_manage_config',`
+ gen_require(`
+- type virt_etc_t;
+- type virt_etc_rw_t;
++ type virt_etc_t, virt_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, virt_etc_t, virt_etc_t)
+ manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
++ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ ')
+
+ ########################################
+@@ -233,6 +250,24 @@ interface(`virt_read_content',`
+
+ ########################################
+ ##
++## Allow domain to write virt image files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_write_content',`
++ gen_require(`
++ type virt_content_t;
++ ')
++
++ allow $1 virt_content_t:file write_file_perms;
++')
++
++########################################
++##
+ ## Read virt PID files.
+ ##
+ ##
+@@ -252,6 +287,28 @@ interface(`virt_read_pid_files',`
+
+ ########################################
+ ##
++## Manage virt pid directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_manage_pid_dirs',`
++ gen_require(`
++ type virt_var_run_t;
++ type virt_lxc_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
++ manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
++ virt_filetrans_named_content($1)
++')
++
++########################################
++##
+ ## Manage virt pid files.
+ ##
+ ##
+@@ -263,10 +320,47 @@ interface(`virt_read_pid_files',`
+ interface(`virt_manage_pid_files',`
+ gen_require(`
+ type virt_var_run_t;
++ type virt_lxc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
++ manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
++')
++
++########################################
++##
++## Create objects in the pid directory
++## with a private type with a type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Type to which the created node will be transitioned.
++##
++##
++##
++##
++## Object class(es) (single or set including {}) for which this
++## the transition will occur.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`virt_pid_filetrans',`
++ gen_require(`
++ type virt_var_run_t;
++ ')
++
++ filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
+ ')
+
+ ########################################
+@@ -310,6 +404,24 @@ interface(`virt_read_lib_files',`
+
+ ########################################
+ ##
++## Dontaudit inherited read virt lib files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`virt_dontaudit_read_lib_files',`
++ gen_require(`
++ type virt_var_lib_t;
++ ')
++
++ dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
++')
++
++########################################
++##
+ ## Create, read, write, and delete
+ ## virt lib files.
+ ##
+@@ -354,9 +466,9 @@ interface(`virt_read_log',`
+ ## virt log files.
+ ##
+ ##
+-##
++##
+ ## Domain allowed access.
+-##
++##
+ ##
+ #
+ interface(`virt_append_log',`
+@@ -390,6 +502,25 @@ interface(`virt_manage_log',`
+
+ ########################################
+ ##
++## Allow domain to search virt image direcories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_search_images',`
++ gen_require(`
++ attribute virt_image_type;
++ ')
++
++ virt_search_lib($1)
++ allow $1 virt_image_type:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Allow domain to read virt image files
+ ##
+ ##
+@@ -410,6 +541,7 @@ interface(`virt_read_images',`
+ read_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
++ read_chr_files_pattern($1, virt_image_type, virt_image_type)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
+@@ -426,6 +558,42 @@ interface(`virt_read_images',`
+
+ ########################################
+ ##
++## Allow domain to read virt blk image files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_read_blk_images',`
++ gen_require(`
++ attribute virt_image_type;
++ ')
++
++ read_blk_files_pattern($1, virt_image_type, virt_image_type)
++')
++
++########################################
++##
++## Allow domain to read/write virt image chr files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_rw_chr_files',`
++ gen_require(`
++ attribute virt_image_type;
++ ')
++
++ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
++')
++
++########################################
++##
+ ## Create, read, write, and delete
+ ## svirt cache files.
+ ##
+@@ -435,15 +603,15 @@ interface(`virt_read_images',`
+ ##
+ ##
+ #
+-interface(`virt_manage_svirt_cache',`
++interface(`virt_manage_cache',`
+ gen_require(`
+- type svirt_cache_t;
++ type virt_cache_t;
+ ')
+
+ files_search_var($1)
+- manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t)
+- manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
+- manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
++ manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
++ manage_files_pattern($1, virt_cache_t, virt_cache_t)
++ manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+ ')
+
+ ########################################
+@@ -468,18 +636,52 @@ interface(`virt_manage_images',`
+ manage_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ rw_blk_files_pattern($1, virt_image_type, virt_image_type)
++ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
++')
+
+- tunable_policy(`virt_use_nfs',`
+- fs_manage_nfs_dirs($1)
+- fs_manage_nfs_files($1)
+- fs_read_nfs_symlinks($1)
+- ')
++#######################################
++##
++## Allow domain to manage virt image files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_manage_default_image_type',`
++ gen_require(`
++ type virt_var_lib_t;
++ type virt_image_t;
++ ')
++
++ virt_search_lib($1)
++ manage_dirs_pattern($1, virt_image_t, virt_image_t)
++ manage_files_pattern($1, virt_image_t, virt_image_t)
++ read_lnk_files_pattern($1, virt_image_t, virt_image_t)
++')
+
+- tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_files($1)
+- fs_manage_cifs_files($1)
+- fs_read_cifs_symlinks($1)
++########################################
++##
++## Execute virt server in the virt domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`virt_systemctl',`
++ gen_require(`
++ type virtd_unit_file_t;
++ type virtd_t;
+ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 virtd_unit_file_t:file read_file_perms;
++ allow $1 virtd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, virtd_t)
+ ')
+
+ ########################################
+@@ -502,10 +704,20 @@ interface(`virt_manage_images',`
+ interface(`virt_admin',`
+ gen_require(`
+ type virtd_t, virtd_initrc_exec_t;
++ attribute virt_domain;
++ type virt_lxc_t;
++ type virtd_unit_file_t;
+ ')
+
+- allow $1 virtd_t:process { ptrace signal_perms };
++ allow $1 virtd_t:process signal_perms;
+ ps_process_pattern($1, virtd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 virtd_t:process ptrace;
++ allow $1 virt_lxc_t:process ptrace;
++ ')
++
++ allow $1 virt_lxc_t:process signal_perms;
++ ps_process_pattern($1, virt_lxc_t)
+
+ init_labeled_script_domtrans($1, virtd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -517,4 +729,305 @@ interface(`virt_admin',`
+ virt_manage_lib_files($1)
+
+ virt_manage_log($1)
++
++ virt_manage_images($1)
++
++ allow $1 virt_domain:process signal_perms;
++
++ virt_systemctl($1)
++ admin_pattern($1, virtd_unit_file_t)
++ allow $1 virtd_unit_file_t:service all_service_perms;
++')
++
++########################################
++##
++## Execute qemu in the svirt domain, and
++## allow the specified role the svirt domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the sandbox domain.
++##
++##
++##
++#
++interface(`virt_transition_svirt',`
++ gen_require(`
++ attribute virt_domain;
++ type virt_bridgehelper_t;
++ type svirt_image_t;
++ type svirt_socket_t;
++ ')
++
++ allow $1 virt_domain:process transition;
++ role $2 types virt_domain;
++ role $2 types virt_bridgehelper_t;
++ role $2 types svirt_socket_t;
++
++ allow $1 virt_domain:process { sigkill sigstop signull signal };
++ allow $1 svirt_image_t:file { relabelfrom relabelto };
++ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
++ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
++ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;
++
++ optional_policy(`
++ ptchown_run(virt_domain, $2)
++ ')
++')
++
++########################################
++##
++## Do not audit attempts to write virt daemon unnamed pipes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`virt_dontaudit_write_pipes',`
++ gen_require(`
++ type virtd_t;
++ ')
++
++ dontaudit $1 virtd_t:fd use;
++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
++')
++
++########################################
++##
++## Send a sigkill to virtual machines
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_kill_svirt',`
++ gen_require(`
++ attribute virt_domain;
++ ')
++
++ allow $1 virt_domain:process sigkill;
++')
++
++########################################
++##
++## Send a signal to virtual machines
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_signal_svirt',`
++ gen_require(`
++ attribute virt_domain;
++ ')
++
++ allow $1 virt_domain:process signal;
++')
++
++########################################
++##
++## Manage virt home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_manage_home_files',`
++ gen_require(`
++ type virt_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, virt_home_t, virt_home_t)
++')
++
++########################################
++##
++## allow domain to read
++## virt tmpfs files
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`virt_read_tmpfs_files',`
++ gen_require(`
++ attribute virt_tmpfs_type;
++ ')
++
++ allow $1 virt_tmpfs_type:file read_file_perms;
++')
++
++########################################
++##
++## allow domain to manage
++## virt tmpfs files
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`virt_manage_tmpfs_files',`
++ gen_require(`
++ attribute virt_tmpfs_type;
++ ')
++
++ allow $1 virt_tmpfs_type:file manage_file_perms;
++')
++
++########################################
++##
++## Create .virt directory in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_filetrans_home_content',`
++ gen_require(`
++ type virt_home_t;
++ type svirt_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
++
++ optional_policy(`
++ gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
++ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
++ gnome_data_filetrans($1, svirt_home_t, dir, "images")
++ ')
++')
++
++########################################
++##
++## Dontaudit attempts to Read virt_image_type devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_dontaudit_read_chr_dev',`
++ gen_require(`
++ attribute virt_image_type;
++ ')
++
++ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
++')
++
++########################################
++##
++## Creates types and rules for a basic
++## virt_lxc process domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`virt_lxc_domain_template',`
++ gen_require(`
++ attribute svirt_lxc_domain;
++ ')
++
++ type $1_t, svirt_lxc_domain;
++ domain_type($1_t)
++ domain_user_exemption_target($1_t)
++ mls_rangetrans_target($1_t)
++ mcs_untrusted_proc($1_t)
++ role system_r types $1_t;
++
++ kernel_read_system_state($1_t)
++')
++
++########################################
++##
++## Execute a qemu_exec_t in the callers domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_exec_qemu',`
++ gen_require(`
++ type qemu_exec_t;
++ ')
++
++ can_exec($1, qemu_exec_t)
++')
++
++########################################
++##
++## Transition to virt named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_filetrans_named_content',`
++ gen_require(`
++ type virt_lxc_var_run_t;
++ type virt_var_run_t;
++ ')
++
++ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
++ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
++ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
++')
++
++########################################
++##
++## Execute qemu in the svirt domain, and
++## allow the specified role the svirt domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the sandbox domain.
++##
++##
++##
++#
++interface(`virt_transition_svirt_lxc',`
++ gen_require(`
++ attribute svirt_lxc_domain;
++ ')
++
++ allow $1 svirt_lxc_domain:process transition;
++ role $2 types svirt_lxc_domain;
++
++ allow svirt_lxc_domain $1:process sigchld;
+ ')
+diff --git a/virt.te b/virt.te
+index 947bbc6..d17661a 100644
+--- a/virt.te
++++ b/virt.te
+@@ -5,56 +5,104 @@ policy_module(virt, 1.5.0)
+ # Declarations
+ #
+
++attribute virsh_transition_domain;
++attribute virt_ptynode;
++attribute virt_domain;
++attribute virt_image_type;
++attribute virt_tmpfs_type;
++
++type svirt_tmp_t;
++files_tmp_file(svirt_tmp_t)
++
++type svirt_tmpfs_t, virt_tmpfs_type;
++files_tmpfs_file(svirt_tmpfs_t)
++
++type svirt_image_t, virt_image_type;
++files_type(svirt_image_t)
++dev_node(svirt_image_t)
++dev_associate_sysfs(svirt_image_t)
++
+ ##
+ ##
+-## Allow virt to use serial/parallell communication ports
++## Allow confined virtual guests to use serial/parallel communication ports
+ ##
+ ##
+ gen_tunable(virt_use_comm, false)
+
+ ##
+ ##
+-## Allow virt to read fuse files
++## Allow confined virtual guests to use executable memory and executable stack
++##
++##
++gen_tunable(virt_use_execmem, false)
++
++##
++##
++## Allow confined virtual guests to read fuse files
+ ##
+ ##
+ gen_tunable(virt_use_fusefs, false)
+
+ ##
+ ##
+-## Allow virt to manage nfs files
++## Allow confined virtual guests to manage nfs files
+ ##
+ ##
+ gen_tunable(virt_use_nfs, false)
+
+ ##
+ ##
+-## Allow virt to manage cifs files
++## Allow confined virtual guests to manage cifs files
+ ##
+ ##
+ gen_tunable(virt_use_samba, false)
+
+ ##
+ ##
+-## Allow virt to manage device configuration, (pci)
++## Allow confined virtual guests to manage device configuration, (pci)
+ ##
+ ##
+ gen_tunable(virt_use_sysfs, false)
+
+ ##
++##
++## Allow confined virtual guests to interact with the sanlock
++##
++##
++gen_tunable(virt_use_sanlock, false)
++
++##
++##
++## Allow confined virtual guests to interact with rawip sockets
++##
++##
++gen_tunable(virt_use_rawip, false)
++
++##
++##
++## Allow confined virtual guests to interact with the xserver
++##
++##
++gen_tunable(virt_use_xserver, false)
++
++##
+ ##
+-## Allow virt to use usb devices
++## Allow confined virtual guests to use usb devices
+ ##
+ ##
+ gen_tunable(virt_use_usb, true)
+
+ virt_domain_template(svirt)
+ role system_r types svirt_t;
++typealias svirt_t alias qemu_t;
+
+-type svirt_cache_t;
+-files_type(svirt_cache_t)
++virt_domain_template(svirt_tcg)
++role system_r types svirt_tcg_t;
+
+-attribute virt_domain;
+-attribute virt_image_type;
++type qemu_exec_t;
++
++type virt_cache_t alias svirt_cache_t;
++files_type(virt_cache_t)
+
+ type virt_etc_t;
+ files_config_file(virt_etc_t)
+@@ -62,26 +110,37 @@ files_config_file(virt_etc_t)
+ type virt_etc_rw_t;
+ files_type(virt_etc_rw_t)
+
++type virt_home_t;
++userdom_user_home_content(virt_home_t)
++
++type svirt_home_t;
++userdom_user_home_content(svirt_home_t)
++
+ # virt Image files
+ type virt_image_t; # customizable
+ virt_image(virt_image_t)
++files_mountpoint(virt_image_t)
+
+ # virt Image files
+ type virt_content_t; # customizable
+ virt_image(virt_content_t)
+ userdom_user_home_content(virt_content_t)
+
++type virt_tmp_t;
++files_tmp_file(virt_tmp_t)
++
+ type virt_log_t;
+ logging_log_file(virt_log_t)
++mls_trusted_object(virt_log_t)
+
+-type virt_tmp_t;
+-files_tmp_file(virt_tmp_t)
++type virt_lock_t;
++files_lock_file(virt_lock_t)
+
+ type virt_var_run_t;
+ files_pid_file(virt_var_run_t)
+
+ type virt_var_lib_t;
+-files_type(virt_var_lib_t)
++files_mountpoint(virt_var_lib_t)
+
+ type virtd_t;
+ type virtd_exec_t;
+@@ -89,9 +148,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
+ domain_obj_id_change_exemption(virtd_t)
+ domain_subj_id_change_exemption(virtd_t)
+
++type virtd_unit_file_t;
++systemd_unit_file(virtd_unit_file_t)
++
+ type virtd_initrc_exec_t;
+ init_script_file(virtd_initrc_exec_t)
+
++type qemu_var_run_t;
++typealias qemu_var_run_t alias svirt_var_run_t;
++files_pid_file(qemu_var_run_t)
++mls_trusted_object(qemu_var_run_t)
++
+ ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
+ ')
+@@ -100,28 +167,53 @@ ifdef(`enable_mls',`
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
+ ')
+
++type virt_qmf_t;
++type virt_qmf_exec_t;
++init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
++
++type virt_bridgehelper_t;
++domain_type(virt_bridgehelper_t)
++
++type virt_bridgehelper_exec_t;
++domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
++role system_r types virt_bridgehelper_t;
++
++# policy for qemu_ga
++type virt_qemu_ga_t;
++type virt_qemu_ga_exec_t;
++init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
++
++type virt_qemu_ga_var_run_t;
++files_pid_file(virt_qemu_ga_var_run_t)
++
++type virt_qemu_ga_log_t;
++logging_log_file(virt_qemu_ga_log_t)
++
+ ########################################
+ #
+-# svirt local policy
++# Declarations
+ #
++attribute svirt_lxc_domain;
+
+-allow svirt_t self:udp_socket create_socket_perms;
++type virtd_lxc_t;
++type virtd_lxc_exec_t;
++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
+
+-manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+-manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+-files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
++type virt_lxc_var_run_t;
++files_pid_file(virt_lxc_var_run_t)
++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
+
+-read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
++# virt lxc container files
++type svirt_lxc_file_t;
++files_mountpoint(svirt_lxc_file_t)
+
+-allow svirt_t svirt_image_t:dir search_dir_perms;
+-manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
+-manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
+-fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
++########################################
++#
++# svirt local policy
++#
+
+-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
+-read_files_pattern(svirt_t, virt_content_t, virt_content_t)
+-dontaudit svirt_t virt_content_t:file write_file_perms;
+-dontaudit svirt_t virt_content_t:dir write;
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
+ corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
+@@ -131,67 +223,69 @@ corenet_udp_bind_all_ports(svirt_t)
+ corenet_tcp_bind_all_ports(svirt_t)
+ corenet_tcp_connect_all_ports(svirt_t)
+
+-dev_list_sysfs(svirt_t)
+-
+-userdom_search_user_home_content(svirt_t)
+-userdom_read_user_home_content_symlinks(svirt_t)
+-userdom_read_all_users_state(svirt_t)
+-
+-tunable_policy(`virt_use_comm',`
+- term_use_unallocated_ttys(svirt_t)
+- dev_rw_printer(svirt_t)
+-')
+-
+-tunable_policy(`virt_use_fusefs',`
+- fs_read_fusefs_files(svirt_t)
+- fs_read_fusefs_symlinks(svirt_t)
+-')
+-
+-tunable_policy(`virt_use_nfs',`
+- fs_manage_nfs_dirs(svirt_t)
+- fs_manage_nfs_files(svirt_t)
+-')
+-
+-tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_dirs(svirt_t)
+- fs_manage_cifs_files(svirt_t)
++optional_policy(`
++ xen_rw_image_files(svirt_t)
+ ')
+
+-tunable_policy(`virt_use_sysfs',`
+- dev_rw_sysfs(svirt_t)
++optional_policy(`
++ nscd_use(svirt_t)
+ ')
+
+-tunable_policy(`virt_use_usb',`
+- dev_rw_usbfs(svirt_t)
+- fs_manage_dos_dirs(svirt_t)
+- fs_manage_dos_files(svirt_t)
+-')
++#######################################
++#
++# svirt_prot_exec local policy
++#
+
+-optional_policy(`
+- xen_rw_image_files(svirt_t)
+-')
++allow svirt_tcg_t self:process { execmem execstack };
++corenet_udp_sendrecv_generic_if(svirt_tcg_t)
++corenet_udp_sendrecv_generic_node(svirt_tcg_t)
++corenet_udp_sendrecv_all_ports(svirt_tcg_t)
++corenet_udp_bind_generic_node(svirt_tcg_t)
++corenet_udp_bind_all_ports(svirt_tcg_t)
++corenet_tcp_bind_all_ports(svirt_tcg_t)
++corenet_tcp_connect_all_ports(svirt_tcg_t)
+
+ ########################################
+ #
+ # virtd local policy
+ #
+
+-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
++allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
++allow virtd_t self:capability2 compromise_kernel;
++allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
++ifdef(`hide_broken_symptoms',`
++ # caused by some bogus kernel code
++ dontaudit virtd_t self:capability { sys_module sys_ptrace };
++')
+
+-allow virtd_t self:fifo_file rw_fifo_file_perms;
+-allow virtd_t self:unix_stream_socket create_stream_socket_perms;
++allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
++allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow virtd_t self:tcp_socket create_stream_socket_perms;
+-allow virtd_t self:tun_socket create_socket_perms;
++allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
++allow virtd_t self:rawip_socket create_socket_perms;
++allow virtd_t self:packet_socket create_socket_perms;
+ allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow virtd_t self:netlink_route_socket create_netlink_socket_perms;
+
+-manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
+-manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
++manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
++manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
+
+ manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
+ manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
+
+ allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
++allow virt_domain virtd_t:fd use;
++dontaudit virt_domain virtd_t:unix_stream_socket { read write };
++
++can_exec(virtd_t, qemu_exec_t)
++can_exec(virt_domain, qemu_exec_t)
++
++allow virtd_t qemu_var_run_t:file relabel_file_perms;
++manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
++manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
++manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
++stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain)
++filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu")
+
+ read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+ read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+@@ -202,19 +296,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+
+ manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
++manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)
+ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+-allow virtd_t virt_image_type:file { relabelfrom relabelto };
+-allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+-
+-manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
+-manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
+-logging_log_filetrans(virtd_t, virt_log_t, { file dir })
++manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
++allow virtd_t virt_image_type:file relabel_file_perms;
++allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
++allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
++allow virtd_t virt_ptynode:chr_file rw_term_perms;
+
+ manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+ manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+ files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+ can_exec(virtd_t, virt_tmp_t)
+
++manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
++manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
++manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
++files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file })
++
++manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
++manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
++logging_log_filetrans(virtd_t, virt_log_t, { file dir })
++
+ manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+ manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+ manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+@@ -225,16 +328,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+ manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+
++manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
++stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
++
+ kernel_read_system_state(virtd_t)
+ kernel_read_network_state(virtd_t)
+ kernel_rw_net_sysctls(virtd_t)
++kernel_read_kernel_sysctls(virtd_t)
+ kernel_request_load_module(virtd_t)
+ kernel_search_debugfs(virtd_t)
++kernel_setsched(virtd_t)
+
+ corecmd_exec_bin(virtd_t)
+ corecmd_exec_shell(virtd_t)
+
+-corenet_all_recvfrom_unlabeled(virtd_t)
+ corenet_all_recvfrom_netlabel(virtd_t)
+ corenet_tcp_sendrecv_generic_if(virtd_t)
+ corenet_tcp_sendrecv_generic_node(virtd_t)
+@@ -247,22 +356,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+ corenet_rw_tun_tap_dev(virtd_t)
+
+ dev_rw_sysfs(virtd_t)
++dev_read_urand(virtd_t)
+ dev_read_rand(virtd_t)
+ dev_rw_kvm(virtd_t)
+ dev_getattr_all_chr_files(virtd_t)
+ dev_rw_mtrr(virtd_t)
++dev_rw_vhost(virtd_t)
++dev_setattr_generic_usb_dev(virtd_t)
++dev_relabel_generic_usb_dev(virtd_t)
+
+ # Init script handling
+ domain_use_interactive_fds(virtd_t)
+ domain_read_all_domains_state(virtd_t)
++domain_read_all_domains_state(virtd_t)
+
+ files_read_usr_files(virtd_t)
+-files_read_etc_files(virtd_t)
++files_read_usr_files(virtd_t)
+ files_read_etc_runtime_files(virtd_t)
+ files_search_all(virtd_t)
+ files_read_kernel_modules(virtd_t)
+ files_read_usr_src_files(virtd_t)
+-files_manage_etc_files(virtd_t)
++files_relabelto_system_conf_files(virtd_t)
++files_relabelfrom_system_conf_files(virtd_t)
++
++# Manages /etc/sysconfig/system-config-firewall
++files_manage_system_conf_files(virtd_t)
+
+ fs_list_auto_mountpoints(virtd_t)
+ fs_getattr_xattr_fs(virtd_t)
+@@ -270,6 +388,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+ fs_list_inotifyfs(virtd_t)
+ fs_manage_cgroup_dirs(virtd_t)
+ fs_rw_cgroup_files(virtd_t)
++fs_manage_hugetlbfs_dirs(virtd_t)
++fs_rw_hugetlbfs_files(virtd_t)
++
++mls_fd_share_all_levels(virtd_t)
++mls_file_read_to_clearance(virtd_t)
++mls_file_write_to_clearance(virtd_t)
++mls_process_read_to_clearance(virtd_t)
++mls_process_write_to_clearance(virtd_t)
++mls_net_write_within_range(virtd_t)
++mls_socket_write_to_clearance(virtd_t)
++mls_socket_read_to_clearance(virtd_t)
++mls_rangetrans_source(virtd_t)
+
+ mcs_process_set_categories(virtd_t)
+
+@@ -284,7 +414,8 @@ term_use_ptmx(virtd_t)
+
+ auth_use_nsswitch(virtd_t)
+
+-miscfiles_read_localization(virtd_t)
++init_dbus_chat(virtd_t)
++
+ miscfiles_read_generic_certs(virtd_t)
+ miscfiles_read_hwdata(virtd_t)
+
+@@ -293,17 +424,36 @@ modutils_read_module_config(virtd_t)
+ modutils_manage_module_config(virtd_t)
+
+ logging_send_syslog_msg(virtd_t)
++logging_send_audit_msgs(virtd_t)
++logging_stream_connect_syslog(virtd_t)
++
++selinux_validate_context(virtd_t)
+
+ seutil_read_config(virtd_t)
+ seutil_read_default_contexts(virtd_t)
++seutil_read_file_contexts(virtd_t)
+
++sysnet_signull_ifconfig(virtd_t)
++sysnet_signal_ifconfig(virtd_t)
+ sysnet_domtrans_ifconfig(virtd_t)
+ sysnet_read_config(virtd_t)
+
++systemd_dbus_chat_logind(virtd_t)
++systemd_write_inhibit_pipes(virtd_t)
++
++userdom_list_admin_dir(virtd_t)
+ userdom_getattr_all_users(virtd_t)
+ userdom_list_user_home_content(virtd_t)
+ userdom_read_all_users_state(virtd_t)
+ userdom_read_user_home_content_files(virtd_t)
++userdom_relabel_user_home_files(virtd_t)
++userdom_setattr_user_home_content_files(virtd_t)
++manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
++manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
++manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
++manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
++#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
++virt_filetrans_home_content(virtd_t)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virtd_t)
+@@ -322,6 +472,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ consoletype_exec(virtd_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(virtd_t)
+
+ optional_policy(`
+@@ -335,19 +489,34 @@ optional_policy(`
+ optional_policy(`
+ hal_dbus_chat(virtd_t)
+ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat(virtd_t)
++ ')
++')
++
++optional_policy(`
++ dmidecode_domtrans(virtd_t)
+ ')
+
+ optional_policy(`
+ dnsmasq_domtrans(virtd_t)
+ dnsmasq_signal(virtd_t)
+ dnsmasq_kill(virtd_t)
+- dnsmasq_read_pid_files(virtd_t)
+ dnsmasq_signull(virtd_t)
++ dnsmasq_create_pid_dirs(virtd_t)
++ dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
++ dnsmasq_manage_pid_files(virtd_t)
++')
++
++optional_policy(`
++ firewalld_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ iptables_domtrans(virtd_t)
+ iptables_initrc_domtrans(virtd_t)
++ iptables_systemctl(virtd_t)
+
+ # Manages /etc/sysconfig/system-config-firewall
+ iptables_manage_config(virtd_t)
+@@ -362,6 +531,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # Run mount in the mount_t domain.
++ mount_domtrans(virtd_t)
++ mount_signal(virtd_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(virtd_t)
+ policykit_domtrans_auth(virtd_t)
+ policykit_domtrans_resolve(virtd_t)
+@@ -369,11 +544,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- qemu_domtrans(virtd_t)
+- qemu_read_state(virtd_t)
+- qemu_signal(virtd_t)
+- qemu_kill(virtd_t)
+- qemu_setsched(virtd_t)
++ qemu_exec(virtd_t)
++')
++
++optional_policy(`
++ sanlock_stream_connect(virtd_t)
+ ')
+
+ optional_policy(`
+@@ -384,6 +559,7 @@ optional_policy(`
+ kernel_read_xen_state(virtd_t)
+ kernel_write_xen_state(virtd_t)
+
++ xen_exec(virtd_t)
+ xen_stream_connect(virtd_t)
+ xen_stream_connect_xenstore(virtd_t)
+ xen_read_image_files(virtd_t)
+@@ -402,35 +578,85 @@ optional_policy(`
+ #
+ # virtual domains common policy
+ #
+-
+-allow virt_domain self:capability { dac_read_search dac_override kill };
+-allow virt_domain self:process { execmem execstack signal getsched signull };
+-allow virt_domain self:fifo_file rw_file_perms;
++allow virt_domain self:process { signal getsched signull };
++allow virt_domain self:fifo_file rw_fifo_file_perms;
+ allow virt_domain self:shm create_shm_perms;
+ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
+ allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
+ allow virt_domain self:tcp_socket create_stream_socket_perms;
++allow virt_domain self:udp_socket create_socket_perms;
++
++list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
++read_files_pattern(virt_domain, virt_content_t, virt_content_t)
++dontaudit virt_domain virt_content_t:file write_file_perms;
++dontaudit virt_domain virt_content_t:dir write;
++
++userdom_search_user_home_content(virt_domain)
++userdom_read_user_home_content_symlinks(virt_domain)
++userdom_read_all_users_state(virt_domain)
++append_files_pattern(virt_domain, virt_home_t, virt_home_t)
++manage_dirs_pattern(virt_domain, svirt_home_t, svirt_home_t)
++manage_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
++manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
++filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
++stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
++
++manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
++manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
++files_var_filetrans(virt_domain, virt_cache_t, { file dir })
++
++read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
++
++manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
++manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
++manage_sock_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
++manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
++read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
++rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
++rw_blk_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
++fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file)
++
++manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
++manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
++manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
++files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file })
++userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file })
++
++manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
++manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
++manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
++fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file })
++
++manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
++manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
++manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
++manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
++files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file })
++stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
++
++dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
++
++dontaudit virt_domain virt_tmpfs_type:file { read write };
+
+ append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+
+ append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+-kernel_read_system_state(virt_domain)
+-
+ corecmd_exec_bin(virt_domain)
+ corecmd_exec_shell(virt_domain)
+
+-corenet_all_recvfrom_unlabeled(virt_domain)
+-corenet_all_recvfrom_netlabel(virt_domain)
+ corenet_tcp_sendrecv_generic_if(virt_domain)
+ corenet_tcp_sendrecv_generic_node(virt_domain)
+ corenet_tcp_sendrecv_all_ports(virt_domain)
+ corenet_tcp_bind_generic_node(virt_domain)
+ corenet_tcp_bind_vnc_port(virt_domain)
+-corenet_rw_tun_tap_dev(virt_domain)
+ corenet_tcp_bind_virt_migration_port(virt_domain)
+ corenet_tcp_connect_virt_migration_port(virt_domain)
++corenet_rw_inherited_tun_tap_dev(virt_domain)
+
++dev_list_sysfs(virt_domain)
++dev_getattr_fs(virt_domain)
++dev_read_generic_symlinks(virt_domain)
+ dev_read_rand(virt_domain)
+ dev_read_sound(virt_domain)
+ dev_read_urand(virt_domain)
+@@ -438,34 +664,627 @@ dev_write_sound(virt_domain)
+ dev_rw_ksm(virt_domain)
+ dev_rw_kvm(virt_domain)
+ dev_rw_qemu(virt_domain)
++dev_rw_inherited_vhost(virt_domain)
+
+ domain_use_interactive_fds(virt_domain)
+
+-files_read_etc_files(virt_domain)
++files_read_mnt_symlinks(virt_domain)
+ files_read_usr_files(virt_domain)
+ files_read_var_files(virt_domain)
+ files_search_all(virt_domain)
+
++fs_getattr_xattr_fs(virt_domain)
+ fs_getattr_tmpfs(virt_domain)
+ fs_rw_anon_inodefs_files(virt_domain)
+ fs_rw_tmpfs_files(virt_domain)
++fs_getattr_hugetlbfs(virt_domain)
++fs_rw_inherited_nfs_files(virt_domain)
++fs_rw_inherited_cifs_files(virt_domain)
++fs_rw_inherited_noxattr_fs_files(virt_domain)
+
+-term_use_all_terms(virt_domain)
++# I think we need these for now.
++miscfiles_read_public_files(virt_domain)
++storage_raw_read_removable_device(virt_domain)
++
++sysnet_read_config(virt_domain)
++
++term_use_all_inherited_terms(virt_domain)
+ term_getattr_pty_fs(virt_domain)
+ term_use_generic_ptys(virt_domain)
+ term_use_ptmx(virt_domain)
+
+-logging_send_syslog_msg(virt_domain)
++tunable_policy(`virt_use_execmem',`
++ allow virt_domain self:process { execmem execstack };
++')
+
+-miscfiles_read_localization(virt_domain)
++optional_policy(`
++ alsa_read_rw_config(virt_domain)
++')
+
+ optional_policy(`
+ ptchown_domtrans(virt_domain)
+ ')
+
+ optional_policy(`
++ pulseaudio_dontaudit_exec(virt_domain)
++')
++
++optional_policy(`
+ virt_read_config(virt_domain)
+ virt_read_lib_files(virt_domain)
+ virt_read_content(virt_domain)
+ virt_stream_connect(virt_domain)
++ virt_domtrans_bridgehelper(virt_domain)
++')
++
++optional_policy(`
++ xserver_rw_shm(virt_domain)
++')
++
++tunable_policy(`virt_use_comm',`
++ term_use_unallocated_ttys(virt_domain)
++ dev_rw_printer(virt_domain)
++')
++
++tunable_policy(`virt_use_fusefs',`
++ fs_manage_fusefs_dirs(virt_domain)
++ fs_manage_fusefs_files(virt_domain)
++ fs_read_fusefs_symlinks(virt_domain)
++ fs_getattr_fusefs(virt_domain)
++')
++
++tunable_policy(`virt_use_nfs',`
++ fs_manage_nfs_dirs(virt_domain)
++ fs_manage_nfs_files(virt_domain)
++ fs_manage_nfs_named_sockets(virt_domain)
++ fs_read_nfs_symlinks(virt_domain)
++ fs_getattr_nfs(virt_domain)
++')
++
++tunable_policy(`virt_use_samba',`
++ fs_manage_cifs_dirs(virt_domain)
++ fs_manage_cifs_files(virt_domain)
++ fs_manage_cifs_named_sockets(virt_domain)
++ fs_read_cifs_symlinks(virt_domain)
++ fs_getattr_cifs(virt_domain)
++')
++
++tunable_policy(`virt_use_sysfs',`
++ dev_rw_sysfs(virt_domain)
++')
++
++tunable_policy(`virt_use_usb',`
++ dev_rw_usbfs(virt_domain)
++ dev_read_sysfs(virt_domain)
++ fs_manage_dos_dirs(virt_domain)
++ fs_manage_dos_files(virt_domain)
++')
++
++optional_policy(`
++ tunable_policy(`virt_use_sanlock',`
++ sanlock_stream_connect(virt_domain)
++ ')
++')
++
++tunable_policy(`virt_use_rawip',`
++ allow virt_domain self:rawip_socket create_socket_perms;
++')
++
++optional_policy(`
++ tunable_policy(`virt_use_xserver',`
++ xserver_stream_connect(virt_domain)
++ ')
++')
++
++########################################
++#
++# xm local policy
++#
++type virsh_t;
++type virsh_exec_t;
++init_system_domain(virsh_t, virsh_exec_t)
++typealias virsh_t alias xm_t;
++typealias virsh_exec_t alias xm_exec_t;
++
++allow virsh_t self:capability { setpcap dac_override ipc_lock sys_chroot sys_nice sys_tty_config };
++allow virsh_t self:process { getcap getsched setsched setcap signal };
++allow virsh_t self:fifo_file rw_fifo_file_perms;
++allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow virsh_t self:tcp_socket create_stream_socket_perms;
++
++ps_process_pattern(virsh_t, svirt_lxc_domain)
++
++can_exec(virsh_t, virsh_exec_t)
++virt_domtrans(virsh_t)
++virt_manage_images(virsh_t)
++virt_manage_config(virsh_t)
++virt_stream_connect(virsh_t)
++
++manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
++manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++
++manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++virt_transition_svirt_lxc(virsh_t, system_r)
++
++manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++virt_filetrans_named_content(virsh_t)
++
++dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
++
++kernel_read_system_state(virsh_t)
++kernel_read_network_state(virsh_t)
++kernel_read_kernel_sysctls(virsh_t)
++kernel_read_sysctl(virsh_t)
++kernel_read_xen_state(virsh_t)
++kernel_write_xen_state(virsh_t)
++
++corecmd_exec_bin(virsh_t)
++corecmd_exec_shell(virsh_t)
++
++corenet_tcp_sendrecv_generic_if(virsh_t)
++corenet_tcp_sendrecv_generic_node(virsh_t)
++corenet_tcp_connect_soundd_port(virsh_t)
++
++dev_read_rand(virsh_t)
++dev_read_urand(virsh_t)
++dev_read_sysfs(virsh_t)
++
++files_read_etc_runtime_files(virsh_t)
++files_read_etc_files(virsh_t)
++files_read_usr_files(virsh_t)
++files_list_mnt(virsh_t)
++files_list_tmp(virsh_t)
++# Some common macros (you might be able to remove some)
++
++fs_getattr_all_fs(virsh_t)
++fs_manage_xenfs_dirs(virsh_t)
++fs_manage_xenfs_files(virsh_t)
++fs_search_auto_mountpoints(virsh_t)
++
++storage_raw_read_fixed_disk(virsh_t)
++
++term_use_all_inherited_terms(virsh_t)
++
++userdom_search_admin_dir(virsh_t)
++userdom_read_home_certs(virsh_t)
++
++init_stream_connect_script(virsh_t)
++init_rw_script_stream_sockets(virsh_t)
++init_use_fds(virsh_t)
++
++auth_read_passwd(virsh_t)
++
++logging_send_syslog_msg(virsh_t)
++
++sysnet_dns_name_resolve(virsh_t)
++
++tunable_policy(`virt_use_nfs',`
++ fs_manage_nfs_dirs(virsh_t)
++ fs_manage_nfs_files(virsh_t)
++ fs_read_nfs_symlinks(virsh_t)
+ ')
++
++tunable_policy(`virt_use_samba',`
++ fs_manage_cifs_files(virsh_t)
++ fs_manage_cifs_files(virsh_t)
++ fs_read_cifs_symlinks(virsh_t)
++')
++
++optional_policy(`
++ cron_system_entry(virsh_t, virsh_exec_t)
++')
++
++optional_policy(`
++ rhcs_domtrans_fenced(virsh_t)
++')
++
++optional_policy(`
++ rpm_exec(virsh_t)
++')
++
++optional_policy(`
++ xen_manage_image_dirs(virsh_t)
++ xen_append_log(virsh_t)
++ xen_domtrans(virsh_t)
++ xen_read_pid_files_xenstored(virsh_t)
++ xen_stream_connect(virsh_t)
++ xen_stream_connect_xenstore(virsh_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(virsh_t)
++
++ optional_policy(`
++ hal_dbus_chat(virsh_t)
++ ')
++')
++
++optional_policy(`
++ vhostmd_rw_tmpfs_files(virsh_t)
++ vhostmd_stream_connect(virsh_t)
++ vhostmd_dontaudit_rw_stream_connect(virsh_t)
++')
++
++optional_policy(`
++ ssh_basic_client_template(virsh, virsh_t, system_r)
++
++ kernel_read_xen_state(virsh_ssh_t)
++ kernel_write_xen_state(virsh_ssh_t)
++
++ dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++ files_search_tmp(virsh_ssh_t)
++
++ fs_manage_xenfs_dirs(virsh_ssh_t)
++ fs_manage_xenfs_files(virsh_ssh_t)
++
++ userdom_search_admin_dir(virsh_ssh_t)
++')
++
++########################################
++#
++# virt_lxc local policy
++#
++allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
++allow virtd_lxc_t self:capability2 compromise_kernel;
++
++allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
++allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
++allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
++allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms;
++allow virtd_lxc_t self:packet_socket create_socket_perms;
++
++allow virtd_lxc_t virt_image_type:dir mounton;
++manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
++
++domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
++allow virtd_t virtd_lxc_t:process { signal signull sigkill };
++
++allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
++manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
++
++manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
++allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
++files_associate_rootfs(svirt_lxc_file_t)
++
++storage_manage_fixed_disk(virtd_lxc_t)
++storage_rw_fuse(virtd_lxc_t)
++
++kernel_read_all_sysctls(virtd_lxc_t)
++kernel_read_network_state(virtd_lxc_t)
++kernel_read_system_state(virtd_lxc_t)
++
++corecmd_exec_bin(virtd_lxc_t)
++corecmd_exec_shell(virtd_lxc_t)
++
++dev_relabel_all_dev_nodes(virtd_lxc_t)
++dev_rw_sysfs(virtd_lxc_t)
++dev_read_sysfs(virtd_lxc_t)
++dev_read_urand(virtd_lxc_t)
++
++domain_use_interactive_fds(virtd_lxc_t)
++
++files_search_all(virtd_lxc_t)
++files_getattr_all_files(virtd_lxc_t)
++files_read_usr_files(virtd_lxc_t)
++files_relabel_rootfs(virtd_lxc_t)
++files_mounton_non_security(virtd_lxc_t)
++files_mount_all_file_type_fs(virtd_lxc_t)
++files_unmount_all_file_type_fs(virtd_lxc_t)
++files_list_isid_type_dirs(virtd_lxc_t)
++files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
++
++fs_getattr_all_fs(virtd_lxc_t)
++fs_manage_tmpfs_dirs(virtd_lxc_t)
++fs_manage_tmpfs_chr_files(virtd_lxc_t)
++fs_manage_tmpfs_symlinks(virtd_lxc_t)
++fs_manage_cgroup_dirs(virtd_lxc_t)
++fs_mounton_tmpfs(virtd_lxc_t)
++fs_remount_all_fs(virtd_lxc_t)
++fs_rw_cgroup_files(virtd_lxc_t)
++fs_unmount_all_fs(virtd_lxc_t)
++fs_relabelfrom_tmpfs(virtd_lxc_t)
++
++logging_send_audit_msgs(virtd_lxc_t)
++
++selinux_mount_fs(virtd_lxc_t)
++selinux_unmount_fs(virtd_lxc_t)
++seutil_read_config(virtd_lxc_t)
++
++term_use_generic_ptys(virtd_lxc_t)
++term_use_ptmx(virtd_lxc_t)
++term_relabel_pty_fs(virtd_lxc_t)
++
++auth_use_nsswitch(virtd_lxc_t)
++
++logging_send_syslog_msg(virtd_lxc_t)
++
++seutil_domtrans_setfiles(virtd_lxc_t)
++seutil_read_default_contexts(virtd_lxc_t)
++
++selinux_get_enforce_mode(virtd_lxc_t)
++selinux_get_fs_mount(virtd_lxc_t)
++selinux_validate_context(virtd_lxc_t)
++selinux_compute_access_vector(virtd_lxc_t)
++selinux_compute_create_context(virtd_lxc_t)
++selinux_compute_relabel_context(virtd_lxc_t)
++selinux_compute_user_contexts(virtd_lxc_t)
++seutil_read_default_contexts(virtd_lxc_t)
++
++optional_policy(`
++ unconfined_domain(virtd_lxc_t)
++')
++
++########################################
++#
++# virt_lxc_domain local policy
++#
++allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock };
++
++allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
++allow virtd_t svirt_lxc_domain:process { signal_perms };
++allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
++allow svirt_lxc_domain virtd_lxc_t:process sigchld;
++allow svirt_lxc_domain virtd_lxc_t:fd use;
++allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms;
++allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
++
++allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
++allow svirt_lxc_domain self:fifo_file manage_file_perms;
++allow svirt_lxc_domain self:sem create_sem_perms;
++allow svirt_lxc_domain self:shm create_shm_perms;
++allow svirt_lxc_domain self:msgq create_msgq_perms;
++allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
++allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
++
++manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++can_exec(svirt_lxc_domain, svirt_lxc_file_t)
++allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
++allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
++
++kernel_getattr_proc(svirt_lxc_domain)
++kernel_list_all_proc(svirt_lxc_domain)
++kernel_read_kernel_sysctls(svirt_lxc_domain)
++kernel_rw_net_sysctls(svirt_lxc_domain)
++kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
++
++corecmd_exec_all_executables(svirt_lxc_domain)
++
++files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
++files_dontaudit_getattr_all_files(svirt_lxc_domain)
++files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
++files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
++files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
++files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
++files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
++files_entrypoint_all_files(svirt_lxc_domain)
++files_list_var(svirt_lxc_domain)
++files_list_var_lib(svirt_lxc_domain)
++files_search_all(svirt_lxc_domain)
++files_read_config_files(svirt_lxc_domain)
++files_read_usr_files(svirt_lxc_domain)
++files_read_usr_symlinks(svirt_lxc_domain)
++files_search_locks(svirt_lxc_domain)
++
++fs_getattr_all_fs(svirt_lxc_domain)
++fs_list_inotifyfs(svirt_lxc_domain)
++fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
++
++auth_dontaudit_read_passwd(svirt_lxc_domain)
++auth_dontaudit_read_login_records(svirt_lxc_domain)
++auth_dontaudit_write_login_records(svirt_lxc_domain)
++auth_search_pam_console_data(svirt_lxc_domain)
++
++clock_read_adjtime(svirt_lxc_domain)
++
++init_read_utmp(svirt_lxc_domain)
++init_dontaudit_write_utmp(svirt_lxc_domain)
++
++libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
++
++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
++miscfiles_read_fonts(svirt_lxc_domain)
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++')
++
++systemd_read_unit_files(svirt_lxc_domain)
++
++optional_policy(`
++ udev_read_pid_files(svirt_lxc_domain)
++')
++
++optional_policy(`
++ apache_exec_modules(svirt_lxc_domain)
++ apache_read_sys_content(svirt_lxc_domain)
++')
++
++virt_lxc_domain_template(svirt_lxc_net)
++
++allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap };
++dontaudit svirt_lxc_net_t self:capability2 block_suspend;
++allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
++allow svirt_lxc_net_t self:process setrlimit;
++
++allow svirt_lxc_net_t self:udp_socket create_socket_perms;
++allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms;
++allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms;
++allow svirt_lxc_net_t self:packet_socket create_socket_perms;
++allow svirt_lxc_net_t self:socket create_socket_perms;
++allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
++allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
++allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++
++kernel_read_network_state(svirt_lxc_net_t)
++kernel_read_irq_sysctls(svirt_lxc_net_t)
++
++dev_read_sysfs(svirt_lxc_net_t)
++dev_getattr_mtrr_dev(svirt_lxc_net_t)
++dev_read_rand(svirt_lxc_net_t)
++dev_read_urand(svirt_lxc_net_t)
++
++corenet_tcp_bind_generic_node(svirt_lxc_net_t)
++corenet_udp_bind_generic_node(svirt_lxc_net_t)
++corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
++corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
++corenet_udp_bind_all_ports(svirt_lxc_net_t)
++corenet_tcp_bind_all_ports(svirt_lxc_net_t)
++corenet_tcp_connect_all_ports(svirt_lxc_net_t)
++
++files_read_kernel_modules(svirt_lxc_net_t)
++
++fs_noxattr_type(svirt_lxc_file_t)
++fs_mount_cgroup(svirt_lxc_net_t)
++fs_manage_cgroup_dirs(svirt_lxc_net_t)
++fs_manage_cgroup_files(svirt_lxc_net_t)
++
++term_pty(svirt_lxc_file_t)
++
++auth_use_nsswitch(svirt_lxc_net_t)
++
++rpm_read_db(svirt_lxc_net_t)
++
++logging_send_audit_msgs(svirt_lxc_net_t)
++
++userdom_use_inherited_user_ptys(svirt_lxc_net_t)
++
++########################################
++#
++# virt_qmf local policy
++#
++allow virt_qmf_t self:capability { sys_nice sys_tty_config };
++allow virt_qmf_t self:process { setsched signal };
++allow virt_qmf_t self:fifo_file rw_fifo_file_perms;
++allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;
++allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
++allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
++
++can_exec(virt_qmf_t, virtd_exec_t)
++
++kernel_read_system_state(virt_qmf_t)
++kernel_read_network_state(virt_qmf_t)
++
++dev_read_sysfs(virt_qmf_t)
++dev_read_rand(virt_qmf_t)
++dev_read_urand(virt_qmf_t)
++
++corenet_tcp_connect_matahari_port(virt_qmf_t)
++
++domain_use_interactive_fds(virt_qmf_t)
++
++logging_send_syslog_msg(virt_qmf_t)
++
++sysnet_read_config(virt_qmf_t)
++
++optional_policy(`
++ dbus_read_lib_files(virt_qmf_t)
++')
++
++optional_policy(`
++ virt_stream_connect(virt_qmf_t)
++')
++
++########################################
++#
++# virt_bridgehelper local policy
++#
++allow virt_bridgehelper_t self:process { setcap getcap };
++allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
++allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
++allow virt_bridgehelper_t self:tun_socket create_socket_perms;
++allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
++
++manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
++
++kernel_read_network_state(virt_bridgehelper_t)
++
++corenet_rw_tun_tap_dev(virt_bridgehelper_t)
++
++userdom_use_inherited_user_ptys(virt_bridgehelper_t)
++
++#######################################
++#
++# virt_qemu_ga local policy
++#
++
++allow virt_qemu_ga_t self:capability sys_tty_config;
++
++allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
++allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
++manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
++filetrans_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t,{ dir file } )
++
++manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
++logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file )
++
++corecmd_exec_shell(virt_qemu_ga_t)
++corecmd_exec_bin(virt_qemu_ga_t)
++
++files_read_etc_files(virt_qemu_ga_t)
++
++dev_rw_sysfs(virt_qemu_ga_t)
++
++term_use_virtio_console(virt_qemu_ga_t)
++term_use_all_ttys(virt_qemu_ga_t)
++
++logging_send_syslog_msg(virt_qemu_ga_t)
++
++sysnet_dns_name_resolve(virt_qemu_ga_t)
++
++userdom_use_user_ptys(virt_qemu_ga_t)
++
++optional_policy(`
++ bootloader_domtrans(virt_qemu_ga_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(virt_qemu_ga_t)
++')
++
++optional_policy(`
++ cron_initrc_domtrans(virt_qemu_ga_t)
++ cron_domtrans(virt_qemu_ga_t)
++')
++
++optional_policy(`
++ devicekit_manage_pid_files(virt_qemu_ga_t)
++')
++
++optional_policy(`
++ fstools_domtrans(virt_qemu_ga_t)
++')
++
++optional_policy(`
++ shutdown_domtrans(virt_qemu_ga_t)
++')
++
++type svirt_socket_t;
++role system_r types svirt_socket_t;
++allow svirt_t svirt_socket_t:unix_stream_socket connectto;
++
++
+diff --git a/vlock.te b/vlock.te
+index 2511093..669dc13 100644
+--- a/vlock.te
++++ b/vlock.te
+@@ -47,7 +47,5 @@ init_dontaudit_rw_utmp(vlock_t)
+
+ logging_send_syslog_msg(vlock_t)
+
+-miscfiles_read_localization(vlock_t)
+-
+ userdom_dontaudit_search_user_home_dirs(vlock_t)
+-userdom_use_user_terminals(vlock_t)
++userdom_use_inherited_user_terminals(vlock_t)
+diff --git a/vmware.te b/vmware.te
+index 7d334c4..979e82f 100644
+--- a/vmware.te
++++ b/vmware.te
+@@ -68,7 +68,8 @@ ifdef(`enable_mcs',`
+ # VMWare host local policy
+ #
+
+-allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
++allow vmware_host_t self:capability { net_admin sys_module };
++allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override };
+ dontaudit vmware_host_t self:capability sys_tty_config;
+ allow vmware_host_t self:process { execstack execmem signal_perms };
+ allow vmware_host_t self:fifo_file rw_fifo_file_perms;
+@@ -97,8 +98,8 @@ logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
+ kernel_read_kernel_sysctls(vmware_host_t)
+ kernel_read_system_state(vmware_host_t)
+ kernel_read_network_state(vmware_host_t)
++kernel_request_load_module(vmware_host_t)
+
+-corenet_all_recvfrom_unlabeled(vmware_host_t)
+ corenet_all_recvfrom_netlabel(vmware_host_t)
+ corenet_tcp_sendrecv_generic_if(vmware_host_t)
+ corenet_udp_sendrecv_generic_if(vmware_host_t)
+@@ -122,6 +123,7 @@ dev_getattr_all_blk_files(vmware_host_t)
+ dev_read_sysfs(vmware_host_t)
+ dev_read_urand(vmware_host_t)
+ dev_rw_vmware(vmware_host_t)
++dev_rw_generic_chr_files(vmware_host_t)
+
+ domain_use_interactive_fds(vmware_host_t)
+ domain_dontaudit_read_all_domains_state(vmware_host_t)
+@@ -129,7 +131,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t)
+ files_list_tmp(vmware_host_t)
+ files_read_etc_files(vmware_host_t)
+ files_read_etc_runtime_files(vmware_host_t)
+-files_read_usr_files(vmware_host_t)
++files_read_usr_files(vmware_host_t)
+
+ fs_getattr_all_fs(vmware_host_t)
+ fs_search_auto_mountpoints(vmware_host_t)
+@@ -145,8 +147,6 @@ libs_exec_ld_so(vmware_host_t)
+
+ logging_send_syslog_msg(vmware_host_t)
+
+-miscfiles_read_localization(vmware_host_t)
+-
+ sysnet_dns_name_resolve(vmware_host_t)
+ sysnet_domtrans_ifconfig(vmware_host_t)
+
+@@ -156,11 +156,27 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+ netutils_domtrans_ping(vmware_host_t)
+
+ optional_policy(`
+- hostname_exec(vmware_host_t)
++ unconfined_domain(vmware_host_t)
+ ')
+
+ optional_policy(`
++ hostname_exec(vmware_host_t)
++')
++
++optional_policy(`
+ modutils_domtrans_insmod(vmware_host_t)
++')
++
++optional_policy(`
++ samba_read_config(vmware_host_t)
++')
++
++optional_policy(`
++ seutil_sigchld_newrole(vmware_host_t)
++')
++
++optional_policy(`
++ shutdown_domtrans(vmware_host_t)
+ ')
+
+ optional_policy(`
+@@ -269,9 +285,8 @@ libs_exec_ld_so(vmware_t)
+ # Access X11 config files
+ libs_read_lib_files(vmware_t)
+
+-miscfiles_read_localization(vmware_t)
+
+-userdom_use_user_terminals(vmware_t)
++userdom_use_inherited_user_terminals(vmware_t)
+ userdom_list_user_home_dirs(vmware_t)
+ # cjp: why?
+ userdom_read_user_home_content_files(vmware_t)
+diff --git a/vnstatd.if b/vnstatd.if
+index 727fe95..47ec114 100644
+--- a/vnstatd.if
++++ b/vnstatd.if
+@@ -123,20 +123,17 @@ interface(`vnstatd_manage_lib_files',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## Role allowed access.
+-##
+-##
+-##
+ #
+ interface(`vnstatd_admin',`
+ gen_require(`
+ type vnstatd_t, vnstatd_var_lib_t;
+ ')
+
+- allow $1 vnstatd_t:process { ptrace signal_perms };
++ allow $1 vnstatd_t:process signal_perms;
+ ps_process_pattern($1, vnstatd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 vnstatd_t:process ptrace;
++ ')
+
+ files_list_var_lib($1)
+ admin_pattern($1, vnstatd_var_lib_t)
+diff --git a/vnstatd.te b/vnstatd.te
+index 8121937..f90b43b 100644
+--- a/vnstatd.te
++++ b/vnstatd.te
+@@ -28,9 +28,13 @@ allow vnstatd_t self:process signal;
+ allow vnstatd_t self:fifo_file rw_fifo_file_perms;
+ allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
+
++manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
++manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
++files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })
++
+ manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+ manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+-files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
++files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir)
+
+ manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
+ manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
+@@ -47,8 +51,6 @@ fs_getattr_xattr_fs(vnstatd_t)
+
+ logging_send_syslog_msg(vnstatd_t)
+
+-miscfiles_read_localization(vnstatd_t)
+-
+ optional_policy(`
+ cron_system_entry(vnstat_t, vnstat_exec_t)
+ ')
+@@ -62,9 +64,9 @@ allow vnstat_t self:process signal;
+ allow vnstat_t self:fifo_file rw_fifo_file_perms;
+ allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+
++files_search_var_lib(vnstat_t)
+ manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+ manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+-files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
+
+ kernel_read_network_state(vnstat_t)
+ kernel_read_system_state(vnstat_t)
+@@ -76,5 +78,3 @@ files_read_etc_files(vnstat_t)
+ fs_getattr_xattr_fs(vnstat_t)
+
+ logging_send_syslog_msg(vnstat_t)
+-
+-miscfiles_read_localization(vnstat_t)
+diff --git a/vpn.if b/vpn.if
+index 7b93e07..a4e2f60 100644
+--- a/vpn.if
++++ b/vpn.if
+@@ -37,11 +37,16 @@ interface(`vpn_domtrans',`
+ #
+ interface(`vpn_run',`
+ gen_require(`
+- attribute_role vpnc_roles;
++ #attribute_role vpnc_roles;
++ type vpnc_t;
+ ')
+
++ #vpn_domtrans($1)
++ #roleattribute $2 vpnc_roles;
++
+ vpn_domtrans($1)
+- roleattribute $2 vpnc_roles;
++ role $2 types vpnc_t;
++ sysnet_run_ifconfig(vpnc_t, $2)
+ ')
+
+ ########################################
+diff --git a/vpn.te b/vpn.te
+index 83a80ba..ddf48c0 100644
+--- a/vpn.te
++++ b/vpn.te
+@@ -5,13 +5,15 @@ policy_module(vpn, 1.15.0)
+ # Declarations
+ #
+
+-attribute_role vpnc_roles;
+-roleattribute system_r vpnc_roles;
++#attribute_role vpnc_roles;
++#roleattribute system_r vpnc_roles;
+
+ type vpnc_t;
+ type vpnc_exec_t;
++init_system_domain(vpnc_t, vpnc_exec_t)
+ application_domain(vpnc_t, vpnc_exec_t)
+-role vpnc_roles types vpnc_t;
++#role vpnc_roles types vpnc_t;
++role system_r types vpnc_t;
+
+ type vpnc_tmp_t;
+ files_tmp_file(vpnc_tmp_t)
+@@ -24,7 +26,7 @@ files_pid_file(vpnc_var_run_t)
+ # Local policy
+ #
+
+-allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
++allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid };
+ allow vpnc_t self:process { getsched signal };
+ allow vpnc_t self:fifo_file rw_fifo_file_perms;
+ allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+@@ -51,7 +53,6 @@ kernel_read_all_sysctls(vpnc_t)
+ kernel_request_load_module(vpnc_t)
+ kernel_rw_net_sysctls(vpnc_t)
+
+-corenet_all_recvfrom_unlabeled(vpnc_t)
+ corenet_all_recvfrom_netlabel(vpnc_t)
+ corenet_tcp_sendrecv_generic_if(vpnc_t)
+ corenet_udp_sendrecv_generic_if(vpnc_t)
+@@ -80,18 +81,19 @@ domain_use_interactive_fds(vpnc_t)
+ fs_getattr_xattr_fs(vpnc_t)
+ fs_getattr_tmpfs(vpnc_t)
+
+-term_use_all_ptys(vpnc_t)
+-term_use_all_ttys(vpnc_t)
++term_use_all_inherited_ptys(vpnc_t)
++term_use_all_inherited_ttys(vpnc_t)
+
+ corecmd_exec_all_executables(vpnc_t)
+
+ files_exec_etc_files(vpnc_t)
+ files_read_etc_runtime_files(vpnc_t)
+-files_read_etc_files(vpnc_t)
+ files_dontaudit_search_home(vpnc_t)
+
+ auth_use_nsswitch(vpnc_t)
+
++init_dontaudit_use_fds(vpnc_t)
++
+ libs_exec_ld_so(vpnc_t)
+ libs_exec_lib_files(vpnc_t)
+
+@@ -100,17 +102,15 @@ locallogin_use_fds(vpnc_t)
+ logging_send_syslog_msg(vpnc_t)
+ logging_dontaudit_search_logs(vpnc_t)
+
+-miscfiles_read_localization(vpnc_t)
+-
+-seutil_dontaudit_search_config(vpnc_t)
+ seutil_use_newrole_fds(vpnc_t)
+
+-sysnet_run_ifconfig(vpnc_t, vpnc_roles)
++#sysnet_run_ifconfig(vpnc_t, vpnc_roles)
+ sysnet_etc_filetrans_config(vpnc_t)
+ sysnet_manage_config(vpnc_t)
+
+ userdom_use_all_users_fds(vpnc_t)
+-userdom_dontaudit_search_user_home_content(vpnc_t)
++userdom_read_home_certs(vpnc_t)
++userdom_search_admin_dir(vpnc_t)
+
+ optional_policy(`
+ dbus_system_bus_client(vpnc_t)
+diff --git a/w3c.te b/w3c.te
+index 1174ad8..bd7a7da 100644
+--- a/w3c.te
++++ b/w3c.te
+@@ -5,20 +5,34 @@ policy_module(w3c, 1.0.0)
+ # Declarations
+ #
+
+-apache_content_template(w3c_validator)
++
++type httpd_w3c_validator_tmp_t;
++files_tmp_file(httpd_w3c_validator_tmp_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+-corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
+-corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
+-corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
++optional_policy(`
++ apache_content_template(w3c_validator)
++
++ manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
++ manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
++ files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir })
++
++ corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
++ corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
++ corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
++ corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
++ corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
++ corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
++
++ miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
+
+-miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
++ sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+
+-sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
++ optional_policy(`
++ apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t)
++ ')
++')
+diff --git a/watchdog.te b/watchdog.te
+index b10bb05..f0d56b5 100644
+--- a/watchdog.te
++++ b/watchdog.te
+@@ -42,7 +42,6 @@ kernel_unmount_proc(watchdog_t)
+ corecmd_exec_shell(watchdog_t)
+
+ # cjp: why networking?
+-corenet_all_recvfrom_unlabeled(watchdog_t)
+ corenet_all_recvfrom_netlabel(watchdog_t)
+ corenet_tcp_sendrecv_generic_if(watchdog_t)
+ corenet_udp_sendrecv_generic_if(watchdog_t)
+@@ -81,8 +80,6 @@ auth_append_login_records(watchdog_t)
+
+ logging_send_syslog_msg(watchdog_t)
+
+-miscfiles_read_localization(watchdog_t)
+-
+ sysnet_read_config(watchdog_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
+diff --git a/wdmd.fc b/wdmd.fc
+new file mode 100644
+index 0000000..0d6257d
+--- /dev/null
++++ b/wdmd.fc
+@@ -0,0 +1,8 @@
++
++/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0)
++
++/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
++
++/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
++/var/run/checkquorum-timer -- gen_context(system_u:object_r:wdmd_var_run_t,s0)
++
+diff --git a/wdmd.if b/wdmd.if
+new file mode 100644
+index 0000000..d17ff39
+--- /dev/null
++++ b/wdmd.if
+@@ -0,0 +1,133 @@
++
++## watchdog multiplexing daemon
++
++########################################
++##
++## Execute a domain transition to run wdmd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`wdmd_domtrans',`
++ gen_require(`
++ type wdmd_t, wdmd_exec_t;
++ ')
++
++ domtrans_pattern($1, wdmd_exec_t, wdmd_t)
++')
++
++
++########################################
++##
++## Execute wdmd server in the wdmd domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`wdmd_initrc_domtrans',`
++ gen_require(`
++ type wdmd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an wdmd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`wdmd_admin',`
++ gen_require(`
++ type wdmd_t;
++ type wdmd_initrc_exec_t;
++ ')
++
++ allow $1 wdmd_t:process signal_perms;
++ ps_process_pattern($1, wdmd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 wdmd_t:process ptrace;
++ ')
++
++ wdmd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 wdmd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++')
++
++######################################
++##
++## Create, read, write, and delete wdmd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`wdmd_manage_pid_files',`
++ gen_require(`
++ type wdmd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t)
++')
++
++########################################
++##
++## Connect to wdmd over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`wdmd_stream_connect',`
++ gen_require(`
++ type wdmd_t, wdmd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)
++')
++
++
++####################################
++##
++## Allow the specified domain to read/write wdmd's tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`wdmd_rw_tmpfs',`
++ gen_require(`
++ type wdmd_tmpfs_t;
++ ')
++
++ rw_files_pattern($1, wdmd_tmpfs_t, wdmd_tmpfs_t)
++
++')
+diff --git a/wdmd.te b/wdmd.te
+new file mode 100644
+index 0000000..09b45bb
+--- /dev/null
++++ b/wdmd.te
+@@ -0,0 +1,61 @@
++policy_module(wdmd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type wdmd_t;
++type wdmd_exec_t;
++init_daemon_domain(wdmd_t, wdmd_exec_t)
++
++type wdmd_var_run_t;
++files_pid_file(wdmd_var_run_t)
++
++type wdmd_initrc_exec_t;
++init_script_file(wdmd_initrc_exec_t)
++
++type wdmd_tmpfs_t;
++files_tmpfs_file(wdmd_tmpfs_t)
++
++########################################
++#
++# wdmd local policy
++#
++allow wdmd_t self:capability { chown sys_nice ipc_lock };
++allow wdmd_t self:process { setsched signal };
++
++allow wdmd_t self:fifo_file rw_fifo_file_perms;
++allow wdmd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
++manage_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
++manage_sock_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
++files_pid_filetrans(wdmd_t, wdmd_var_run_t, { file dir sock_file })
++
++manage_dirs_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t)
++manage_files_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t)
++fs_tmpfs_filetrans(wdmd_t, wdmd_tmpfs_t, { dir file })
++
++kernel_read_system_state(wdmd_t)
++
++corecmd_exec_bin(wdmd_t)
++corecmd_exec_shell(wdmd_t)
++
++dev_read_watchdog(wdmd_t)
++dev_write_watchdog(wdmd_t)
++
++domain_use_interactive_fds(wdmd_t)
++
++fs_getattr_tmpfs(wdmd_t)
++fs_read_anon_inodefs_files(wdmd_t)
++
++auth_use_nsswitch(wdmd_t)
++
++logging_send_syslog_msg(wdmd_t)
++
++optional_policy(`
++ corosync_initrc_domtrans(wdmd_t)
++ corosync_stream_connect(wdmd_t)
++ corosync_rw_tmpfs(wdmd_t)
++')
+diff --git a/webadm.te b/webadm.te
+index 0ecc786..79a664a 100644
+--- a/webadm.te
++++ b/webadm.te
+@@ -23,12 +23,21 @@ role webadm_r;
+
+ userdom_base_user_template(webadm)
+
++type webadm_tmp_t;
++files_tmp_file(webadm_tmp_t)
++
+ ########################################
+ #
+ # webadmin local policy
+ #
+
+-allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
++allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
++
++manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
++manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
++manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
++files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir })
++can_exec(webadm_t, webadm_tmp_t)
+
+ files_dontaudit_search_all_dirs(webadm_t)
+ files_manage_generic_locks(webadm_t)
+@@ -38,10 +47,13 @@ selinux_get_enforce_mode(webadm_t)
+ seutil_domtrans_setfiles(webadm_t)
+
+ logging_send_syslog_msg(webadm_t)
++logging_send_audit_msgs(webadm_t)
+
+ userdom_dontaudit_search_user_home_dirs(webadm_t)
+
+-apache_admin(webadm_t, webadm_r)
++optional_policy(`
++ apache_admin(webadm_t, webadm_r)
++')
+
+ tunable_policy(`webadm_manage_user_files',`
+ userdom_manage_user_home_content_files(webadm_t)
+diff --git a/webalizer.te b/webalizer.te
+index 32b4f76..b00362b 100644
+--- a/webalizer.te
++++ b/webalizer.te
+@@ -59,7 +59,6 @@ files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)
+ kernel_read_kernel_sysctls(webalizer_t)
+ kernel_read_system_state(webalizer_t)
+
+-corenet_all_recvfrom_unlabeled(webalizer_t)
+ corenet_all_recvfrom_netlabel(webalizer_t)
+ corenet_tcp_sendrecv_generic_if(webalizer_t)
+ corenet_tcp_sendrecv_generic_node(webalizer_t)
+@@ -69,24 +68,26 @@ fs_search_auto_mountpoints(webalizer_t)
+ fs_getattr_xattr_fs(webalizer_t)
+ fs_rw_anon_inodefs_files(webalizer_t)
+
+-files_read_etc_files(webalizer_t)
+ files_read_etc_runtime_files(webalizer_t)
+
+ logging_list_logs(webalizer_t)
+ logging_send_syslog_msg(webalizer_t)
+
+-miscfiles_read_localization(webalizer_t)
++auth_use_nsswitch(webalizer_t)
++
+ miscfiles_read_public_files(webalizer_t)
+
+ sysnet_dns_name_resolve(webalizer_t)
+ sysnet_read_config(webalizer_t)
+
+-userdom_use_user_terminals(webalizer_t)
++userdom_use_inherited_user_terminals(webalizer_t)
+ userdom_use_unpriv_users_fds(webalizer_t)
+ userdom_dontaudit_search_user_home_content(webalizer_t)
+
+-apache_read_log(webalizer_t)
+-apache_manage_sys_content(webalizer_t)
++optional_policy(`
++ apache_read_log(webalizer_t)
++ apache_manage_sys_content(webalizer_t)
++')
+
+ optional_policy(`
+ cron_system_entry(webalizer_t, webalizer_exec_t)
+diff --git a/wine.fc b/wine.fc
+index 9d24449..2666317 100644
+--- a/wine.fc
++++ b/wine.fc
+@@ -2,6 +2,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+ /opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
++/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0)
+ /opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+ /opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+ /opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
+@@ -10,6 +11,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
+ /opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+ /opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
+ /opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+ /opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+diff --git a/wine.if b/wine.if
+index f9a73d0..4b83bb0 100644
+--- a/wine.if
++++ b/wine.if
+@@ -10,10 +10,9 @@
+ ## for wine applications.
+ ##
+ ##
+-##
++##
+ ##
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
++## The role associated with the user domain.
+ ##
+ ##
+ ##
+@@ -21,20 +20,19 @@
+ ## The type of the user domain.
+ ##
+ ##
+-##
+-##
+-## The role associated with the user domain.
+-##
+-##
+ #
+ template(`wine_role',`
+ gen_require(`
++ type wine_t;
++ type wine_home_t;
+ type wine_exec_t;
+ ')
+
+ role $1 types wine_t;
+
+ domain_auto_trans($2, wine_exec_t, wine_t)
++ # Unrestricted inheritance from the caller.
++ allow $2 wine_t:process { noatsecure siginh rlimitinh };
+ allow wine_t $2:fd use;
+ allow wine_t $2:process { sigchld signull };
+ allow wine_t $2:unix_stream_socket connectto;
+@@ -44,8 +42,7 @@ template(`wine_role',`
+ allow $2 wine_t:process signal_perms;
+
+ allow $2 wine_t:fd use;
+- allow $2 wine_t:shm { associate getattr };
+- allow $2 wine_t:shm { unix_read unix_write };
++ allow $2 wine_t:shm { associate getattr unix_read unix_write };
+ allow $2 wine_t:unix_stream_socket connectto;
+
+ # X access, Home files
+@@ -86,6 +83,7 @@ template(`wine_role',`
+ #
+ template(`wine_role_template',`
+ gen_require(`
++ type wine_t;
+ type wine_exec_t;
+ ')
+
+@@ -96,12 +94,12 @@ template(`wine_role_template',`
+ role $2 types $1_wine_t;
+
+ allow $1_wine_t self:process { execmem execstack };
+- allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
++ allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
+ domtrans_pattern($3, wine_exec_t, $1_wine_t)
+ corecmd_bin_domtrans($1_wine_t, $1_t)
+
+ userdom_unpriv_usertype($1, $1_wine_t)
+- userdom_manage_user_tmpfs_files($1_wine_t)
++ userdom_manage_tmpfs_role($2, $1_wine_t)
+
+ domain_mmap_low($1_wine_t)
+
+@@ -109,6 +107,10 @@ template(`wine_role_template',`
+ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')
+
++ tunable_policy(`wine_mmap_zero_ignore',`
++ dontaudit $1_wine_t self:memprotect mmap_zero;
++ ')
++
+ optional_policy(`
+ xserver_role($1_r, $1_wine_t)
+ ')
+diff --git a/wine.te b/wine.te
+index 7a17516..56fbcc2 100644
+--- a/wine.te
++++ b/wine.te
+@@ -38,7 +38,7 @@ domain_mmap_low(wine_t)
+
+ files_execmod_all_files(wine_t)
+
+-userdom_use_user_terminals(wine_t)
++userdom_use_inherited_user_terminals(wine_t)
+
+ tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit wine_t self:memprotect mmap_zero;
+@@ -53,6 +53,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rtkit_scheduled(wine_t)
++')
++
++optional_policy(`
+ unconfined_domain(wine_t)
+ ')
+
+diff --git a/wireshark.te b/wireshark.te
+index fc0adf8..cf479f3 100644
+--- a/wireshark.te
++++ b/wireshark.te
+@@ -31,18 +31,19 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
+ # Local Policy
+ #
+
+-allow wireshark_t self:capability { net_admin net_raw setgid };
++allow wireshark_t self:capability { net_admin net_raw };
+ allow wireshark_t self:process { signal getsched };
+ allow wireshark_t self:fifo_file { getattr read write };
+ allow wireshark_t self:shm destroy;
+ allow wireshark_t self:shm create_shm_perms;
+ allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+-allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write };
++allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
+ allow wireshark_t self:tcp_socket create_socket_perms;
+ allow wireshark_t self:udp_socket create_socket_perms;
+
+ # Re-execute itself (why?)
+ can_exec(wireshark_t, wireshark_exec_t)
++corecmd_search_bin(wireshark_t)
+
+ # /home/.wireshark
+ manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+@@ -67,7 +68,6 @@ kernel_read_system_state(wireshark_t)
+ kernel_read_sysctl(wireshark_t)
+
+ corecmd_exec_bin(wireshark_t)
+-corecmd_search_bin(wireshark_t)
+
+ corenet_tcp_connect_generic_port(wireshark_t)
+ corenet_tcp_sendrecv_generic_if(wireshark_t)
+@@ -76,7 +76,6 @@ dev_read_rand(wireshark_t)
+ dev_read_sysfs(wireshark_t)
+ dev_read_urand(wireshark_t)
+
+-files_read_etc_files(wireshark_t)
+ files_read_usr_files(wireshark_t)
+
+ fs_list_inotifyfs(wireshark_t)
+@@ -84,31 +83,17 @@ fs_search_auto_mountpoints(wireshark_t)
+
+ libs_read_lib_files(wireshark_t)
+
++auth_use_nsswitch(wireshark_t)
++
+ miscfiles_read_fonts(wireshark_t)
+-miscfiles_read_localization(wireshark_t)
+
+ seutil_use_newrole_fds(wireshark_t)
+
+ sysnet_read_config(wireshark_t)
+
+ userdom_manage_user_home_content_files(wireshark_t)
+-userdom_use_user_ptys(wireshark_t)
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(wireshark_t)
+- fs_manage_nfs_files(wireshark_t)
+- fs_manage_nfs_symlinks(wireshark_t)
+-')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(wireshark_t)
+- fs_manage_cifs_files(wireshark_t)
+- fs_manage_cifs_symlinks(wireshark_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(wireshark_t)
+-')
++userdom_home_manager(wireshark_t)
+
+ # Manual transition from userhelper
+ optional_policy(`
+diff --git a/wm.if b/wm.if
+index b3efef7..177cf16 100644
+--- a/wm.if
++++ b/wm.if
+@@ -31,17 +31,14 @@ template(`wm_role_template',`
+ gen_require(`
+ type wm_exec_t;
+ class dbus send_msg;
++ attribute wm_domain;
+ ')
+
+- type $1_wm_t;
++ type $1_wm_t, wm_domain;
+ domain_type($1_wm_t)
+ domain_entry_file($1_wm_t, wm_exec_t)
+ role $2 types $1_wm_t;
+
+- allow $1_wm_t self:fifo_file rw_fifo_file_perms;
+- allow $1_wm_t self:process getsched;
+- allow $1_wm_t self:shm create_shm_perms;
+-
+ allow $1_wm_t $3:unix_stream_socket connectto;
+ allow $3 $1_wm_t:unix_stream_socket connectto;
+ allow $3 $1_wm_t:process { signal sigchld signull };
+@@ -50,19 +47,19 @@ template(`wm_role_template',`
+ allow $1_wm_t $3:dbus send_msg;
+ allow $3 $1_wm_t:dbus send_msg;
+
+- domtrans_pattern($3, wm_exec_t, $1_wm_t)
++ userdom_manage_home_role($2, $1_wm_t)
++ userdom_manage_tmpfs_role($2, $1_wm_t)
++ userdom_manage_tmp_role($2, $1_wm_t)
++ userdom_exec_user_tmp_files($1_wm_t)
+
+- kernel_read_system_state($1_wm_t)
++ domtrans_pattern($3, wm_exec_t, $1_wm_t)
+
+ corecmd_bin_domtrans($1_wm_t, $3)
+ corecmd_shell_domtrans($1_wm_t, $3)
+
+- dev_read_urand($1_wm_t)
+-
+- files_read_etc_files($1_wm_t)
+- files_read_usr_files($1_wm_t)
++ auth_use_nsswitch($1_wm_t)
+
+- fs_getattr_tmpfs($1_wm_t)
++ kernel_read_system_state($1_wm_t)
+
+ mls_file_read_all_levels($1_wm_t)
+ mls_file_write_all_levels($1_wm_t)
+@@ -70,22 +67,6 @@ template(`wm_role_template',`
+ mls_xwin_write_all_levels($1_wm_t)
+ mls_fd_use_all_levels($1_wm_t)
+
+- auth_use_nsswitch($1_wm_t)
+-
+- application_signull($1_wm_t)
+-
+- miscfiles_read_fonts($1_wm_t)
+- miscfiles_read_localization($1_wm_t)
+-
+- optional_policy(`
+- dbus_system_bus_client($1_wm_t)
+- dbus_session_bus_client($1_wm_t)
+- ')
+-
+- optional_policy(`
+- pulseaudio_stream_connect($1_wm_t)
+- ')
+-
+ optional_policy(`
+ xserver_role($2, $1_wm_t)
+ xserver_manage_core_devices($1_wm_t)
+diff --git a/wm.te b/wm.te
+index 19d447e..996a3d4 100644
+--- a/wm.te
++++ b/wm.te
+@@ -1,5 +1,7 @@
+ policy_module(wm, 1.2.0)
+
++attribute wm_domain;
++
+ ########################################
+ #
+ # Declarations
+@@ -7,3 +9,34 @@ policy_module(wm, 1.2.0)
+
+ type wm_exec_t;
+ corecmd_executable_file(wm_exec_t)
++
++allow wm_domain self:fifo_file rw_fifo_file_perms;
++allow wm_domain self:process getsched;
++allow wm_domain self:shm create_shm_perms;
++allow wm_domain self:unix_dgram_socket create_socket_perms;
++
++dev_read_urand(wm_domain)
++
++files_read_etc_files(wm_domain)
++files_read_usr_files(wm_domain)
++
++fs_getattr_tmpfs(wm_domain)
++
++application_signull(wm_domain)
++
++miscfiles_read_fonts(wm_domain)
++
++optional_policy(`
++ dbus_system_bus_client(wm_domain)
++ dbus_session_bus_client(wm_domain)
++')
++
++optional_policy(`
++ pulseaudio_stream_connect(wm_domain)
++')
++
++optional_policy(`
++ xserver_manage_core_devices(wm_domain)
++')
++
++
+diff --git a/xen.fc b/xen.fc
+index 1a1b374..574794d 100644
+--- a/xen.fc
++++ b/xen.fc
+@@ -1,12 +1,10 @@
+ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
+
+-/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0)
+-
+ /usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
+ /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
+ /usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
+
+-/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
++#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
+
+ ifdef(`distro_debian',`
+ /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+@@ -17,6 +15,7 @@ ifdef(`distro_debian',`
+ /usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+ /usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+ /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
++/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
+ /usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+ ')
+
+@@ -25,11 +24,11 @@ ifdef(`distro_debian',`
+ /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+ /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+
+-/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
++/var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
+ /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
+-/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+-/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+-/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
++/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
++/var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
++/var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
+
+ /var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+ /var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+diff --git a/xen.if b/xen.if
+index 77d41b6..cc73c96 100644
+--- a/xen.if
++++ b/xen.if
+@@ -20,6 +20,25 @@ interface(`xen_domtrans',`
+
+ ########################################
+ ##
++## Allow the specified domain to execute xend
++## in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xen_exec',`
++ gen_require(`
++ type xend_exec_t;
++ ')
++
++ can_exec($1, xend_exec_t)
++')
++
++########################################
++##
+ ## Inherit and use xen file descriptors.
+ ##
+ ##
+@@ -55,6 +74,26 @@ interface(`xen_dontaudit_use_fds',`
+ dontaudit $1 xend_t:fd use;
+ ')
+
++#######################################
++##
++## Read xend pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xen_read_pid_files_xenstored',`
++ gen_require(`
++ type xenstored_var_run_t;
++ ')
++
++ files_search_pids($1)
++
++ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
++')
++
+ ########################################
+ ##
+ ## Read xend image files.
+@@ -87,6 +126,26 @@ interface(`xen_read_image_files',`
+ ##
+ ##
+ #
++interface(`xen_manage_image_dirs',`
++ gen_require(`
++ type xend_var_lib_t;
++ ')
++
++ files_list_var_lib($1)
++ manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
++')
++
++########################################
++##
++## Allow the specified domain to read/write
++## xend image files.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
+ interface(`xen_rw_image_files',`
+ gen_require(`
+ type xen_image_t, xend_var_lib_t;
+@@ -161,7 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
+
+ ########################################
+ ##
+-## Connect to xenstored over an unix stream socket.
++## Connect to xenstored over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -180,7 +239,7 @@ interface(`xen_stream_connect_xenstore',`
+
+ ########################################
+ ##
+-## Connect to xend over an unix domain stream socket.
++## Connect to xend over a unix domain stream socket.
+ ##
+ ##
+ ##
+@@ -213,14 +272,15 @@ interface(`xen_stream_connect',`
+ interface(`xen_domtrans_xm',`
+ gen_require(`
+ type xm_t, xm_exec_t;
++ attribute virsh_transition_domain;
+ ')
+-
++ typeattribute $1 virsh_transition_domain;
+ domtrans_pattern($1, xm_exec_t, xm_t)
+ ')
+
+ ########################################
+ ##
+-## Connect to xm over an unix stream socket.
++## Connect to xm over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -230,7 +290,7 @@ interface(`xen_domtrans_xm',`
+ #
+ interface(`xen_stream_connect_xm',`
+ gen_require(`
+- type xm_t;
++ type xm_t, xenstored_var_run_t;
+ ')
+
+ files_search_pids($1)
+diff --git a/xen.te b/xen.te
+index 07033bb..8358a63 100644
+--- a/xen.te
++++ b/xen.te
+@@ -4,6 +4,7 @@ policy_module(xen, 1.12.0)
+ #
+ # Declarations
+ #
++attribute xm_transition_domain;
+
+ ##
+ ##
+@@ -65,6 +66,7 @@ type xen_image_t; # customizable
+ files_type(xen_image_t)
+ # xen_image_t can be assigned to blk devices
+ dev_node(xen_image_t)
++virt_image(xen_image_t)
+
+ type xenctl_t;
+ files_type(xenctl_t)
+@@ -121,11 +123,6 @@ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
+ type xenconsoled_var_run_t;
+ files_pid_file(xenconsoled_var_run_t)
+
+-type xm_t;
+-type xm_exec_t;
+-domain_type(xm_t)
+-init_system_domain(xm_t, xm_exec_t)
+-
+ ########################################
+ #
+ # blktap local policy
+@@ -135,22 +132,21 @@ tunable_policy(`xend_run_blktap',`
+ # If yes, transition to its own domain.
+ domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
+
+- allow blktap_t self:fifo_file { read write };
++',`
++ # If no, then silently refuse to run it.
++ dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
++')
+
+- dev_read_sysfs(blktap_t)
+- dev_rw_xen(blktap_t)
++allow blktap_t self:fifo_file { read write };
+
+- files_read_etc_files(blktap_t)
++dev_read_sysfs(blktap_t)
++dev_rw_xen(blktap_t)
+
+- logging_send_syslog_msg(blktap_t)
++files_read_etc_files(blktap_t)
+
+- miscfiles_read_localization(blktap_t)
++logging_send_syslog_msg(blktap_t)
+
+- xen_stream_connect_xenstore(blktap_t)
+-',`
+- # If no, then silently refuse to run it.
+- dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
+-')
++xen_stream_connect_xenstore(blktap_t)
+
+ #######################################
+ #
+@@ -170,6 +166,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
+ #
+ # qemu-dm local policy
+ #
++
++# TODO: This part of policy should be removed
++# qemu-dm should run in xend_t domain
++
+ # Do we need to allow execution of qemu-dm?
+ tunable_policy(`xend_run_qemu',`
+ allow qemu_dm_t self:capability sys_resource;
+@@ -195,7 +195,6 @@ tunable_policy(`xend_run_qemu',`
+ fs_manage_xenfs_dirs(qemu_dm_t)
+ fs_manage_xenfs_files(qemu_dm_t)
+
+- miscfiles_read_localization(qemu_dm_t)
+
+ xen_stream_connect_xenstore(qemu_dm_t)
+ ',`
+@@ -208,10 +207,13 @@ tunable_policy(`xend_run_qemu',`
+ # xend local policy
+ #
+
+-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
+-dontaudit xend_t self:capability { sys_ptrace };
++allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio };
+ allow xend_t self:process { signal sigkill };
+-dontaudit xend_t self:process ptrace;
++
++# needed by qemu_dm
++allow xend_t self:capability sys_resource;
++allow xend_t self:process setrlimit;
++
+ # internal communication is often done using fifo and unix sockets.
+ allow xend_t self:fifo_file rw_fifo_file_perms;
+ allow xend_t self:unix_stream_socket create_stream_socket_perms;
+@@ -219,6 +221,7 @@ allow xend_t self:unix_dgram_socket create_socket_perms;
+ allow xend_t self:netlink_route_socket r_netlink_socket_perms;
+ allow xend_t self:tcp_socket create_stream_socket_perms;
+ allow xend_t self:packet_socket create_socket_perms;
++allow xend_t self:tun_socket create_socket_perms;
+
+ allow xend_t xen_image_t:dir list_dir_perms;
+ manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
+@@ -275,7 +278,6 @@ kernel_read_network_state(xend_t)
+ corecmd_exec_bin(xend_t)
+ corecmd_exec_shell(xend_t)
+
+-corenet_all_recvfrom_unlabeled(xend_t)
+ corenet_all_recvfrom_netlabel(xend_t)
+ corenet_tcp_sendrecv_generic_if(xend_t)
+ corenet_tcp_sendrecv_generic_node(xend_t)
+@@ -294,12 +296,13 @@ corenet_sendrecv_soundd_server_packets(xend_t)
+ corenet_rw_tun_tap_dev(xend_t)
+
+ dev_read_urand(xend_t)
++# run lsscsi
++dev_getattr_all_chr_files(xend_t)
+ dev_filetrans_xen(xend_t)
+ dev_rw_sysfs(xend_t)
+ dev_rw_xen(xend_t)
+
+ domain_dontaudit_read_all_domains_state(xend_t)
+-domain_dontaudit_ptrace_all_domains(xend_t)
+
+ files_read_etc_files(xend_t)
+ files_read_kernel_symbol_table(xend_t)
+@@ -309,7 +312,13 @@ files_etc_filetrans_etc_runtime(xend_t, file)
+ files_read_usr_files(xend_t)
+ files_read_default_symlinks(xend_t)
+
++fs_read_removable_blk_files(xend_t)
++
++storage_read_scsi_generic(xend_t)
++
++term_setattr_generic_ptys(xend_t)
+ term_getattr_all_ptys(xend_t)
++term_setattr_all_ptys(xend_t)
+ term_use_generic_ptys(xend_t)
+ term_use_ptmx(xend_t)
+ term_getattr_pty_fs(xend_t)
+@@ -320,13 +329,10 @@ locallogin_dontaudit_use_fds(xend_t)
+
+ logging_send_syslog_msg(xend_t)
+
+-lvm_domtrans(xend_t)
++auth_read_passwd(xend_t)
+
+-miscfiles_read_localization(xend_t)
+ miscfiles_read_hwdata(xend_t)
+
+-mount_domtrans(xend_t)
+-
+ sysnet_domtrans_dhcpc(xend_t)
+ sysnet_signal_dhcpc(xend_t)
+ sysnet_domtrans_ifconfig(xend_t)
+@@ -339,8 +345,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+
+ xen_stream_connect_xenstore(xend_t)
+
+-netutils_domtrans(xend_t)
+-
+ optional_policy(`
+ brctl_domtrans(xend_t)
+ ')
+@@ -349,6 +353,28 @@ optional_policy(`
+ consoletype_exec(xend_t)
+ ')
+
++optional_policy(`
++ lvm_domtrans(xend_t)
++')
++
++optional_policy(`
++ mount_domtrans(xend_t)
++')
++
++optional_policy(`
++ netutils_domtrans(xend_t)
++')
++
++optional_policy(`
++ ptchown_exec(xend_t)
++')
++
++optional_policy(`
++ virt_manage_default_image_type(xend_t)
++ virt_search_images(xend_t)
++ virt_read_config(xend_t)
++')
++
+ ########################################
+ #
+ # Xen console local policy
+@@ -359,7 +385,7 @@ allow xenconsoled_t self:process setrlimit;
+ allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
+ allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
+
+-allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
++allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr };
+
+ # pid file
+ manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
+@@ -374,8 +400,6 @@ dev_rw_xen(xenconsoled_t)
+ dev_filetrans_xen(xenconsoled_t)
+ dev_rw_sysfs(xenconsoled_t)
+
+-domain_dontaudit_ptrace_all_domains(xenconsoled_t)
+-
+ files_read_etc_files(xenconsoled_t)
+ files_read_usr_files(xenconsoled_t)
+
+@@ -390,7 +414,7 @@ term_use_console(xenconsoled_t)
+ init_use_fds(xenconsoled_t)
+ init_use_script_ptys(xenconsoled_t)
+
+-miscfiles_read_localization(xenconsoled_t)
++auth_read_passwd(xenconsoled_t)
+
+ xen_manage_log(xenconsoled_t)
+ xen_stream_connect_xenstore(xenconsoled_t)
+@@ -413,9 +437,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+ files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
+
+ # pid file
++manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
+ manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
+ manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
+-files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file })
++files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir })
+
+ # log files
+ manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+@@ -442,111 +467,24 @@ files_read_etc_files(xenstored_t)
+
+ files_read_usr_files(xenstored_t)
+
++fs_search_xenfs(xenstored_t)
+ fs_manage_xenfs_files(xenstored_t)
+
+ term_use_generic_ptys(xenstored_t)
++term_use_console(xenconsoled_t)
+
+ init_use_fds(xenstored_t)
+ init_use_script_ptys(xenstored_t)
+
+ logging_send_syslog_msg(xenstored_t)
+
+-miscfiles_read_localization(xenstored_t)
+-
+ xen_append_log(xenstored_t)
+
+ ########################################
+ #
+-# xm local policy
+-#
+-
+-allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
+-allow xm_t self:process { getsched signal };
+-
+-# internal communication is often done using fifo and unix sockets.
+-allow xm_t self:fifo_file rw_fifo_file_perms;
+-allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow xm_t self:tcp_socket create_stream_socket_perms;
+-
+-manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
+-manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
+-manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
+-files_search_var_lib(xm_t)
+-
+-allow xm_t xen_image_t:dir rw_dir_perms;
+-allow xm_t xen_image_t:file read_file_perms;
+-allow xm_t xen_image_t:blk_file read_blk_file_perms;
+-
+-kernel_read_system_state(xm_t)
+-kernel_read_kernel_sysctls(xm_t)
+-kernel_read_sysctl(xm_t)
+-kernel_read_xen_state(xm_t)
+-kernel_write_xen_state(xm_t)
+-
+-corecmd_exec_bin(xm_t)
+-corecmd_exec_shell(xm_t)
+-
+-corenet_tcp_sendrecv_generic_if(xm_t)
+-corenet_tcp_sendrecv_generic_node(xm_t)
+-corenet_tcp_connect_soundd_port(xm_t)
+-
+-dev_read_urand(xm_t)
+-dev_read_sysfs(xm_t)
+-
+-files_read_etc_runtime_files(xm_t)
+-files_read_usr_files(xm_t)
+-files_list_mnt(xm_t)
+-# Some common macros (you might be able to remove some)
+-files_read_etc_files(xm_t)
+-
+-fs_getattr_all_fs(xm_t)
+-fs_manage_xenfs_dirs(xm_t)
+-fs_manage_xenfs_files(xm_t)
+-
+-term_use_all_terms(xm_t)
+-
+-init_stream_connect_script(xm_t)
+-init_rw_script_stream_sockets(xm_t)
+-init_use_fds(xm_t)
+-
+-miscfiles_read_localization(xm_t)
+-
+-sysnet_dns_name_resolve(xm_t)
+-
+-xen_append_log(xm_t)
+-xen_stream_connect(xm_t)
+-xen_stream_connect_xenstore(xm_t)
+-
+-optional_policy(`
+- dbus_system_bus_client(xm_t)
+-
+- optional_policy(`
+- hal_dbus_chat(xm_t)
+- ')
+-')
+-
+-optional_policy(`
+- virt_domtrans(xm_t)
+- virt_manage_images(xm_t)
+- virt_manage_config(xm_t)
+- virt_stream_connect(xm_t)
+-')
+-
+-########################################
+-#
+ # SSH component local policy
+ #
+ optional_policy(`
+- ssh_basic_client_template(xm, xm_t, system_r)
+-
+- kernel_read_xen_state(xm_ssh_t)
+- kernel_write_xen_state(xm_ssh_t)
+-
+- files_search_tmp(xm_ssh_t)
+-
+- fs_manage_xenfs_dirs(xm_ssh_t)
+- fs_manage_xenfs_files(xm_ssh_t)
+-
+ #Should have a boolean wrapping these
+ fs_list_auto_mountpoints(xend_t)
+ files_search_mnt(xend_t)
+@@ -559,8 +497,4 @@ optional_policy(`
+ fs_manage_nfs_files(xend_t)
+ fs_read_nfs_symlinks(xend_t)
+ ')
+-
+- optional_policy(`
+- unconfined_domain(xend_t)
+- ')
+ ')
+diff --git a/xfs.te b/xfs.te
+index 11c1b12..fc5d128 100644
+--- a/xfs.te
++++ b/xfs.te
+@@ -37,7 +37,6 @@ files_pid_filetrans(xfs_t, xfs_var_run_t, file)
+ kernel_read_kernel_sysctls(xfs_t)
+ kernel_read_system_state(xfs_t)
+
+-corenet_all_recvfrom_unlabeled(xfs_t)
+ corenet_all_recvfrom_netlabel(xfs_t)
+ corenet_tcp_sendrecv_generic_if(xfs_t)
+ corenet_tcp_sendrecv_generic_node(xfs_t)
+@@ -57,7 +56,6 @@ fs_search_auto_mountpoints(xfs_t)
+
+ domain_use_interactive_fds(xfs_t)
+
+-files_read_etc_files(xfs_t)
+ files_read_etc_runtime_files(xfs_t)
+ files_read_usr_files(xfs_t)
+
+@@ -65,7 +63,6 @@ auth_use_nsswitch(xfs_t)
+
+ logging_send_syslog_msg(xfs_t)
+
+-miscfiles_read_localization(xfs_t)
+ miscfiles_read_fonts(xfs_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(xfs_t)
+diff --git a/xguest.te b/xguest.te
+index e88b95f..3dd3d9a 100644
+--- a/xguest.te
++++ b/xguest.te
+@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true)
+
+ ##
+ ##
+-## Allow xguest to configure Network Manager
++## Allow xguest users to configure Network Manager and connect to apache ports
+ ##
+ ##
+ gen_tunable(xguest_connect_network, true)
+@@ -29,6 +29,7 @@ gen_tunable(xguest_use_bluetooth, true)
+ role xguest_r;
+
+ userdom_restricted_xwindows_user_template(xguest)
++sysnet_dns_name_resolve(xguest_t)
+
+ ########################################
+ #
+@@ -38,7 +39,7 @@ userdom_restricted_xwindows_user_template(xguest)
+ ifndef(`enable_mls',`
+ fs_exec_noxattr(xguest_t)
+
+- tunable_policy(`user_rw_noexattrfile',`
++ tunable_policy(`selinuxuser_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ # Write floppies
+@@ -49,11 +50,22 @@ ifndef(`enable_mls',`
+ ')
+ ')
+
++optional_policy(`
++ # Dontaudit fusermount
++ mount_dontaudit_exec_fusermount(xguest_t)
++')
++
++kernel_dontaudit_request_load_module(xguest_t)
++
++tunable_policy(`selinuxuser_execstack',`
++ allow xguest_t self:process execstack;
++')
++
+ # Allow mounting of file systems
+ optional_policy(`
+ tunable_policy(`xguest_mount_media',`
+ kernel_read_fs_sysctls(xguest_t)
+-
++ kernel_request_load_module(xguest_t)
+ files_dontaudit_getattr_boot_dirs(xguest_t)
+ files_search_mnt(xguest_t)
+
+@@ -62,10 +74,9 @@ optional_policy(`
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_getattr_noxattr_fs(xguest_t)
+ fs_read_noxattr_fs_symlinks(xguest_t)
++ fs_mount_fusefs(xguest_t)
+
+ auth_list_pam_console_data(xguest_t)
+-
+- init_read_utmp(xguest_t)
+ ')
+ ')
+
+@@ -76,23 +87,97 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ tunable_policy(`xguest_use_bluetooth',`
++ blueman_dbus_chat(xguest_t)
++ ')
++')
++
++
++optional_policy(`
++ chrome_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
+ hal_dbus_chat(xguest_t)
+ ')
+
+ optional_policy(`
+- java_role(xguest_r, xguest_t)
++ apache_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
++ gnome_role(xguest_r, xguest_t)
+ ')
+
+ optional_policy(`
+- mozilla_role(xguest_r, xguest_t)
++ gnomeclock_dontaudit_dbus_chat(xguest_t)
++')
++
++optional_policy(`
++ mozilla_run_plugin(xguest_t, xguest_r)
++')
++
++optional_policy(`
++ pcscd_read_pub_files(xguest_t)
++ pcscd_stream_connect(xguest_t)
++')
++
++optional_policy(`
++ rhsmcertd_dontaudit_dbus_chat(xguest_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`xguest_connect_network',`
+ networkmanager_dbus_chat(xguest_t)
++ networkmanager_read_lib_files(xguest_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`xguest_connect_network',`
++ kernel_read_network_state(xguest_t)
++
+ corenet_tcp_connect_pulseaudio_port(xguest_t)
++ corenet_tcp_sendrecv_generic_if(xguest_t)
++ corenet_raw_sendrecv_generic_if(xguest_t)
++ corenet_tcp_sendrecv_generic_node(xguest_t)
++ corenet_raw_sendrecv_generic_node(xguest_t)
++ corenet_tcp_connect_commplex_port(xguest_t)
++ corenet_tcp_sendrecv_http_port(xguest_t)
++ corenet_tcp_sendrecv_http_cache_port(xguest_t)
++ corenet_tcp_sendrecv_squid_port(xguest_t)
++ corenet_tcp_sendrecv_ftp_port(xguest_t)
++ corenet_tcp_sendrecv_ipp_port(xguest_t)
++ corenet_tcp_connect_http_port(xguest_t)
++ corenet_tcp_connect_http_cache_port(xguest_t)
++ corenet_tcp_connect_squid_port(xguest_t)
++ corenet_tcp_connect_flash_port(xguest_t)
++ corenet_tcp_connect_ftp_port(xguest_t)
+ corenet_tcp_connect_ipp_port(xguest_t)
++ corenet_tcp_connect_generic_port(xguest_t)
++ corenet_tcp_connect_soundd_port(xguest_t)
++ corenet_sendrecv_http_client_packets(xguest_t)
++ corenet_sendrecv_http_cache_client_packets(xguest_t)
++ corenet_sendrecv_squid_client_packets(xguest_t)
++ corenet_sendrecv_ftp_client_packets(xguest_t)
++ corenet_sendrecv_ipp_client_packets(xguest_t)
++ corenet_sendrecv_generic_client_packets(xguest_t)
++ # Should not need other ports
++ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
++ corenet_dontaudit_tcp_bind_generic_port(xguest_t)
++ corenet_tcp_connect_speech_port(xguest_t)
++ corenet_tcp_sendrecv_transproxy_port(xguest_t)
++ corenet_tcp_connect_transproxy_port(xguest_t)
+ ')
+ ')
+
+-#gen_user(xguest_u,, xguest_r, s0, s0)
++optional_policy(`
++ gen_require(`
++ type mozilla_t;
++ ')
++
++ allow xguest_t mozilla_t:process transition;
++ role xguest_r types mozilla_t;
++')
++
++gen_user(xguest_u, user, xguest_r, s0, s0)
+diff --git a/xprint.te b/xprint.te
+index 68d13e5..4fe8668 100644
+--- a/xprint.te
++++ b/xprint.te
+@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(xprint_t)
+ corecmd_exec_bin(xprint_t)
+ corecmd_exec_shell(xprint_t)
+
+-corenet_all_recvfrom_unlabeled(xprint_t)
+ corenet_all_recvfrom_netlabel(xprint_t)
+ corenet_tcp_sendrecv_generic_if(xprint_t)
+ corenet_udp_sendrecv_generic_if(xprint_t)
+@@ -58,7 +57,6 @@ fs_search_auto_mountpoints(xprint_t)
+ logging_send_syslog_msg(xprint_t)
+
+ miscfiles_read_fonts(xprint_t)
+-miscfiles_read_localization(xprint_t)
+
+ sysnet_read_config(xprint_t)
+
+diff --git a/xscreensaver.te b/xscreensaver.te
+index 1487a4e..c099b55 100644
+--- a/xscreensaver.te
++++ b/xscreensaver.te
+@@ -33,9 +33,7 @@ init_read_utmp(xscreensaver_t)
+ logging_send_audit_msgs(xscreensaver_t)
+ logging_send_syslog_msg(xscreensaver_t)
+
+-miscfiles_read_localization(xscreensaver_t)
+-
+-userdom_use_user_ptys(xscreensaver_t)
++userdom_use_inherited_user_ptys(xscreensaver_t)
+ #access to .icons and ~/.xscreensaver
+ userdom_read_user_home_content_files(xscreensaver_t)
+
+diff --git a/yam.te b/yam.te
+index 223ad43..a3267e5 100644
+--- a/yam.te
++++ b/yam.te
+@@ -58,7 +58,6 @@ corecmd_exec_bin(yam_t)
+
+ # Rsync and lftp need to network. They also set files attributes to
+ # match whats on the remote server.
+-corenet_all_recvfrom_unlabeled(yam_t)
+ corenet_all_recvfrom_netlabel(yam_t)
+ corenet_tcp_sendrecv_generic_if(yam_t)
+ corenet_tcp_sendrecv_generic_node(yam_t)
+@@ -71,7 +70,6 @@ corenet_sendrecv_rsync_client_packets(yam_t)
+ # mktemp
+ dev_read_urand(yam_t)
+
+-files_read_etc_files(yam_t)
+ files_read_etc_runtime_files(yam_t)
+ # /usr/share/createrepo/genpkgmetadata.py:
+ files_exec_usr_files(yam_t)
+@@ -83,16 +81,15 @@ fs_search_auto_mountpoints(yam_t)
+ # Content can also be on ISO image files.
+ fs_read_iso9660_files(yam_t)
+
+-logging_send_syslog_msg(yam_t)
++auth_use_nsswitch(yam_t)
+
+-miscfiles_read_localization(yam_t)
++logging_send_syslog_msg(yam_t)
+
+ seutil_read_config(yam_t)
+
+-sysnet_dns_name_resolve(yam_t)
+ sysnet_read_config(yam_t)
+
+-userdom_use_user_terminals(yam_t)
++userdom_use_inherited_user_terminals(yam_t)
+ userdom_use_unpriv_users_fds(yam_t)
+ # Reading dotfiles...
+ # cjp: ?
+diff --git a/zabbix.fc b/zabbix.fc
+index aa5a521..980c0df 100644
+--- a/zabbix.fc
++++ b/zabbix.fc
+@@ -1,8 +1,12 @@
+ /etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/zabbix-server -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
+
+ /usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+ /usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
++/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+
+ /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
+
+diff --git a/zabbix.if b/zabbix.if
+index c9981d1..38ce620 100644
+--- a/zabbix.if
++++ b/zabbix.if
+@@ -61,6 +61,26 @@ interface(`zabbix_read_log',`
+
+ ########################################
+ ##
++## Allow the specified domain to read zabbix's tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`zabbix_read_tmp',`
++ gen_require(`
++ type zabbix_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ read_files_pattern($1, zabbix_tmp_t, zabbix_tmp_t)
++')
++
++########################################
++##
+ ## Allow the specified domain to append
+ ## zabbix log files.
+ ##
+@@ -110,7 +130,7 @@ interface(`zabbix_read_pid_files',`
+ #
+ interface(`zabbix_agent_tcp_connect',`
+ gen_require(`
+- type zabbix_agent_t;
++ type zabbix_t, zabbix_agent_t;
+ ')
+
+ corenet_sendrecv_zabbix_agent_client_packets($1)
+@@ -142,8 +162,11 @@ interface(`zabbix_admin',`
+ type zabbix_initrc_exec_t;
+ ')
+
+- allow $1 zabbix_t:process { ptrace signal_perms };
++ allow $1 zabbix_t:process signal_perms;
+ ps_process_pattern($1, zabbix_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 zabbix_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/zabbix.te b/zabbix.te
+index 8c0bd70..24dd920 100644
+--- a/zabbix.te
++++ b/zabbix.te
+@@ -5,6 +5,13 @@ policy_module(zabbix, 1.5.0)
+ # Declarations
+ #
+
++##
++##
++## Allow zabbix to connect to unreserved ports
++##
++##
++gen_tunable(zabbix_can_network, false)
++
+ type zabbix_t;
+ type zabbix_exec_t;
+ init_daemon_domain(zabbix_t, zabbix_exec_t)
+@@ -23,6 +30,10 @@ init_script_file(zabbix_agent_initrc_exec_t)
+ type zabbix_log_t;
+ logging_log_file(zabbix_log_t)
+
++# tmp files
++type zabbix_tmp_t;
++files_tmp_file(zabbix_tmp_t)
++
+ # shared memory
+ type zabbix_tmpfs_t;
+ files_tmpfs_file(zabbix_tmpfs_t)
+@@ -36,19 +47,25 @@ files_pid_file(zabbix_var_run_t)
+ # zabbix local policy
+ #
+
+-allow zabbix_t self:capability { setuid setgid };
+-allow zabbix_t self:fifo_file rw_file_perms;
+-allow zabbix_t self:process { setsched getsched signal };
++allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
++allow zabbix_t self:process { setsched signal_perms };
++allow zabbix_t self:sem create_sem_perms;
++allow zabbix_t self:fifo_file rw_fifo_file_perms;
+ allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
+ allow zabbix_t self:sem create_sem_perms;
+ allow zabbix_t self:shm create_shm_perms;
+ allow zabbix_t self:tcp_socket create_stream_socket_perms;
+
+ # log files
+-allow zabbix_t zabbix_log_t:dir setattr;
++allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
+ manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+ logging_log_filetrans(zabbix_t, zabbix_log_t, file)
+
++# tmp files
++manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
++manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
++files_tmp_filetrans(zabbix_t, zabbix_tmp_t, { dir file })
++
+ # shared memory
+ rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+ fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
+@@ -58,26 +75,48 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+ files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
+
++kernel_read_system_state(zabbix_t)
++kernel_read_kernel_sysctls(zabbix_t)
++
++corecmd_exec_bin(zabbix_t)
++corecmd_exec_shell(zabbix_t)
++
+ corenet_tcp_bind_generic_node(zabbix_t)
+ corenet_tcp_bind_zabbix_port(zabbix_t)
++# needed by zabbix-server-mysql
++corenet_tcp_connect_http_port(zabbix_t)
++# to monitor ftp urls
++corenet_tcp_connect_ftp_port(zabbix_t)
+
+-files_read_etc_files(zabbix_t)
++dev_read_urand(zabbix_t)
+
+-miscfiles_read_localization(zabbix_t)
++files_read_usr_files(zabbix_t)
++
++auth_use_nsswitch(zabbix_t)
+
+-sysnet_dns_name_resolve(zabbix_t)
+
+ zabbix_agent_tcp_connect(zabbix_t)
+
++tunable_policy(`zabbix_can_network',`
++ corenet_tcp_connect_all_ports(zabbix_t)
++')
++
+ optional_policy(`
+ mysql_stream_connect(zabbix_t)
+- mysql_tcp_connect(zabbix_t)
++')
++
++optional_policy(`
++ netutils_domtrans_ping(zabbix_t)
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(zabbix_t)
+ ')
+
++optional_policy(`
++ snmp_read_snmp_var_lib_dirs(zabbix_t)
++')
++
+ ########################################
+ #
+ # zabbix agent local policy
+@@ -121,7 +160,6 @@ domain_search_all_domains_state(zabbix_agent_t)
+ files_getattr_all_dirs(zabbix_agent_t)
+ files_getattr_all_files(zabbix_agent_t)
+ files_read_all_symlinks(zabbix_agent_t)
+-files_read_etc_files(zabbix_agent_t)
+
+ fs_getattr_all_fs(zabbix_agent_t)
+
+@@ -129,7 +167,6 @@ init_read_utmp(zabbix_agent_t)
+
+ logging_search_logs(zabbix_agent_t)
+
+-miscfiles_read_localization(zabbix_agent_t)
+
+ sysnet_dns_name_resolve(zabbix_agent_t)
+
+diff --git a/zarafa.fc b/zarafa.fc
+index 3defaa1..a451e97 100644
+--- a/zarafa.fc
++++ b/zarafa.fc
+@@ -8,19 +8,24 @@
+ /usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
+ /usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
+
+-/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0)
++/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
++/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
++/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+
+-/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
+-/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
+-/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
+-/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
+-/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
+-/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
++/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
++/var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
++/var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
++/var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
++/var/log/zarafa/monitor\.log.* -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
++/var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
++/var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+
+ /var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
++/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
+ /var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
+ /var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
+-/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
++/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
++/var/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+ /var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
+ /var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+ /var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
+diff --git a/zarafa.if b/zarafa.if
+index 21ae664..3d08962 100644
+--- a/zarafa.if
++++ b/zarafa.if
+@@ -42,6 +42,12 @@ template(`zarafa_domain_template',`
+
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
+ logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
++
++ kernel_read_system_state(zarafa_$1_t)
++
++ auth_use_nsswitch(zarafa_$1_t)
++
++ logging_send_syslog_msg(zarafa_$1_t)
+ ')
+
+ ######################################
+@@ -118,3 +124,25 @@ interface(`zarafa_stream_connect_server',`
+ files_search_var_lib($1)
+ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+ ')
++
++####################################
++##
++## Allow the specified domain to manage
++## zarafa /var/lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zarafa_manage_lib_files',`
++ gen_require(`
++ type zarafa_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
++ manage_lnk_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
++ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
++')
+diff --git a/zarafa.te b/zarafa.te
+index 91267bc..0aa9870 100644
+--- a/zarafa.te
++++ b/zarafa.te
+@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
+ zarafa_domain_template(gateway)
+ zarafa_domain_template(ical)
+ zarafa_domain_template(indexer)
++
++type zarafa_indexer_tmp_t;
++files_tmp_file(zarafa_indexer_tmp_t)
++
+ zarafa_domain_template(monitor)
+ zarafa_domain_template(server)
+
+@@ -48,10 +52,9 @@ auth_use_nsswitch(zarafa_deliver_t)
+ # zarafa_gateway local policy
+ #
+
+-allow zarafa_gateway_t self:capability { chown kill };
++allow zarafa_gateway_t self:capability { kill };
+ allow zarafa_gateway_t self:process setrlimit;
+
+-corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
+ corenet_all_recvfrom_netlabel(zarafa_gateway_t)
+ corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
+ corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
+@@ -59,16 +62,28 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+ corenet_tcp_bind_generic_node(zarafa_gateway_t)
+ corenet_tcp_bind_pop_port(zarafa_gateway_t)
+
+-auth_use_nsswitch(zarafa_gateway_t)
++######################################
++#
++# zarafa-indexer local policy
++#
++
++
++manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
++manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
++files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir })
++
++manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
++manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
++manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
++
++auth_use_nsswitch(zarafa_indexer_t)
+
+ #######################################
+ #
+ # zarafa-ical local policy
+ #
+
+-allow zarafa_ical_t self:capability chown;
+
+-corenet_all_recvfrom_unlabeled(zarafa_ical_t)
+ corenet_all_recvfrom_netlabel(zarafa_ical_t)
+ corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
+ corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
+@@ -83,7 +98,6 @@ auth_use_nsswitch(zarafa_ical_t)
+ # zarafa-monitor local policy
+ #
+
+-allow zarafa_monitor_t self:capability chown;
+
+ auth_use_nsswitch(zarafa_monitor_t)
+
+@@ -92,7 +106,7 @@ auth_use_nsswitch(zarafa_monitor_t)
+ # zarafa_server local policy
+ #
+
+-allow zarafa_server_t self:capability { chown kill net_bind_service };
++allow zarafa_server_t self:capability { kill net_bind_service };
+ allow zarafa_server_t self:process setrlimit;
+
+ manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
+@@ -101,11 +115,11 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
+
+ manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+ manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+-files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir })
++manage_lnk_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
++files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file })
+
+ stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
+
+-corenet_all_recvfrom_unlabeled(zarafa_server_t)
+ corenet_all_recvfrom_netlabel(zarafa_server_t)
+ corenet_tcp_sendrecv_generic_if(zarafa_server_t)
+ corenet_tcp_sendrecv_generic_node(zarafa_server_t)
+@@ -135,11 +149,10 @@ optional_policy(`
+ # zarafa_spooler local policy
+ #
+
+-allow zarafa_spooler_t self:capability { chown kill };
++allow zarafa_spooler_t self:capability { kill };
+
+ can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
+
+-corenet_all_recvfrom_unlabeled(zarafa_spooler_t)
+ corenet_all_recvfrom_netlabel(zarafa_spooler_t)
+ corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
+ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
+@@ -150,11 +163,35 @@ auth_use_nsswitch(zarafa_spooler_t)
+
+ ########################################
+ #
++# zarafa_gateway local policy
++#
++
++allow zarafa_gateway_t self:capability { kill };
++allow zarafa_gateway_t self:process setrlimit;
++
++corenet_tcp_bind_pop_port(zarafa_gateway_t)
++
++#######################################
++#
++# zarafa-ical local policy
++#
++
++
++corenet_tcp_bind_http_cache_port(zarafa_ical_t)
++
++######################################
++#
++# zarafa-monitor local policy
++#
++
++
++########################################
++#
+ # zarafa domains local policy
+ #
+
+ # bad permission on /etc/zarafa
+-allow zarafa_domain self:capability { dac_override setgid setuid };
++allow zarafa_domain self:capability { dac_override chown setgid setuid };
+ allow zarafa_domain self:process signal;
+ allow zarafa_domain self:fifo_file rw_fifo_file_perms;
+ allow zarafa_domain self:tcp_socket create_stream_socket_perms;
+@@ -164,8 +201,8 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
+
+ read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
+
+-kernel_read_system_state(zarafa_domain)
++dev_read_rand(zarafa_domain)
++dev_read_urand(zarafa_domain)
+
+ files_read_etc_files(zarafa_domain)
+
+-miscfiles_read_localization(zarafa_domain)
+diff --git a/zebra.if b/zebra.if
+index 6b87605..ef64e73 100644
+--- a/zebra.if
++++ b/zebra.if
+@@ -38,8 +38,7 @@ interface(`zebra_stream_connect',`
+ ')
+
+ files_search_pids($1)
+- allow $1 zebra_var_run_t:sock_file write;
+- allow $1 zebra_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
+ ')
+
+ ########################################
+@@ -62,12 +61,14 @@ interface(`zebra_stream_connect',`
+ interface(`zebra_admin',`
+ gen_require(`
+ type zebra_t, zebra_tmp_t, zebra_log_t;
+- type zebra_conf_t, zebra_var_run_t;
+- type zebra_initrc_exec_t;
++ type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
+ ')
+
+- allow $1 zebra_t:process { ptrace signal_perms };
++ allow $1 zebra_t:process signal_perms;
+ ps_process_pattern($1, zebra_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 zebra_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, zebra_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/zebra.te b/zebra.te
+index ade6c2c..ac46eb2 100644
+--- a/zebra.te
++++ b/zebra.te
+@@ -11,14 +11,14 @@ policy_module(zebra, 1.12.0)
+ ##
+ ##
+ #
+-gen_tunable(allow_zebra_write_config, false)
++gen_tunable(zebra_write_config, false)
+
+ type zebra_t;
+ type zebra_exec_t;
+ init_daemon_domain(zebra_t, zebra_exec_t)
+
+ type zebra_conf_t;
+-files_type(zebra_conf_t)
++files_config_file(zebra_conf_t)
+
+ type zebra_initrc_exec_t;
+ init_script_file(zebra_initrc_exec_t)
+@@ -52,7 +52,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms;
+ read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+ read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+
+-allow zebra_t zebra_log_t:dir setattr;
++allow zebra_t zebra_log_t:dir setattr_dir_perms;
+ manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+ manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+ logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
+@@ -71,7 +71,6 @@ kernel_read_network_state(zebra_t)
+ kernel_read_kernel_sysctls(zebra_t)
+ kernel_rw_net_sysctls(zebra_t)
+
+-corenet_all_recvfrom_unlabeled(zebra_t)
+ corenet_all_recvfrom_netlabel(zebra_t)
+ corenet_tcp_sendrecv_generic_if(zebra_t)
+ corenet_udp_sendrecv_generic_if(zebra_t)
+@@ -106,16 +105,16 @@ files_search_etc(zebra_t)
+ files_read_etc_files(zebra_t)
+ files_read_etc_runtime_files(zebra_t)
+
+-logging_send_syslog_msg(zebra_t)
++auth_read_passwd(zebra_t)
+
+-miscfiles_read_localization(zebra_t)
++logging_send_syslog_msg(zebra_t)
+
+ sysnet_read_config(zebra_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(zebra_t)
+ userdom_dontaudit_search_user_home_dirs(zebra_t)
+
+-tunable_policy(`allow_zebra_write_config',`
++tunable_policy(`zebra_write_config',`
+ manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+ ')
+
+diff --git a/zoneminder.fc b/zoneminder.fc
+new file mode 100644
+index 0000000..e1602ec
+--- /dev/null
++++ b/zoneminder.fc
+@@ -0,0 +1,24 @@
++/etc/rc\.d/init\.d/motion -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
++
++/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
++
++/usr/bin/motion -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
++
++/usr/bin/zmpkg.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
++
++/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0)
++
++/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
++
++/var/motion(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
++
++/var/log/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_log_t,s0)
++
++/var/log/motion\.log.* -- gen_context(system_u:object_r:zoneminder_log_t,s0)
++
++/var/run/motion\.pid -- gen_context(system_u:object_r:zoneminder_var_run_t,s0)
++
++/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
++
++
++
+diff --git a/zoneminder.if b/zoneminder.if
+new file mode 100644
+index 0000000..b34b8b4
+--- /dev/null
++++ b/zoneminder.if
+@@ -0,0 +1,339 @@
++
++## policy for zoneminder
++
++
++########################################
++##
++## Transition to zoneminder.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`zoneminder_domtrans',`
++ gen_require(`
++ type zoneminder_t, zoneminder_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, zoneminder_exec_t, zoneminder_t)
++')
++
++
++########################################
++##
++## Execute zoneminder server in the zoneminder domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_initrc_domtrans',`
++ gen_require(`
++ type zoneminder_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, zoneminder_initrc_exec_t)
++')
++
++
++########################################
++##
++## Read zoneminder's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`zoneminder_read_log',`
++ gen_require(`
++ type zoneminder_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
++')
++
++########################################
++##
++## Append to zoneminder log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_append_log',`
++ gen_require(`
++ type zoneminder_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
++')
++
++########################################
++##
++## Manage zoneminder log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_manage_log',`
++ gen_require(`
++ type zoneminder_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, zoneminder_log_t, zoneminder_log_t)
++ manage_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
++ manage_lnk_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
++')
++
++########################################
++##
++## Search zoneminder lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_search_lib',`
++ gen_require(`
++ type zoneminder_var_lib_t;
++ ')
++
++ allow $1 zoneminder_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read zoneminder lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_read_lib_files',`
++ gen_require(`
++ type zoneminder_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
++')
++
++########################################
++##
++## Manage zoneminder lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_manage_lib_files',`
++ gen_require(`
++ type zoneminder_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
++')
++
++########################################
++##
++## Manage zoneminder lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_manage_lib_dirs',`
++ gen_require(`
++ type zoneminder_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
++')
++
++
++########################################
++##
++## Search zoneminder spool directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_search_spool',`
++ gen_require(`
++ type zoneminder_spool_t;
++ ')
++
++ allow $1 zoneminder_spool_t:dir search_dir_perms;
++ files_search_spool($1)
++')
++
++########################################
++##
++## Read zoneminder spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_read_spool_files',`
++ gen_require(`
++ type zoneminder_spool_t;
++ ')
++
++ files_search_spool($1)
++ read_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
++')
++
++########################################
++##
++## Manage zoneminder spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_manage_spool_files',`
++ gen_require(`
++ type zoneminder_spool_t;
++ ')
++
++ files_search_spool($1)
++ manage_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
++')
++
++########################################
++##
++## Manage zoneminder spool dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_manage_spool_dirs',`
++ gen_require(`
++ type zoneminder_spool_t;
++ ')
++
++ files_search_spool($1)
++ manage_dirs_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
++')
++
++########################################
++##
++## Connect to zoneminder over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_stream_connect',`
++ gen_require(`
++ type zoneminder_t, zoneminder_var_lib_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t, zoneminder_t)
++')
++
++######################################
++##
++## Read/write zonerimender tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_rw_tmpfs_files',`
++ gen_require(`
++ type zoneminder_tmpfs_t;
++ ')
++
++ fs_search_tmpfs($1)
++ rw_files_pattern($1, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an zoneminder environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`zoneminder_admin',`
++ gen_require(`
++ type zoneminder_t;
++ type zoneminder_initrc_exec_t;
++ type zoneminder_log_t;
++ type zoneminder_var_lib_t;
++ type zoneminder_spool_t;
++ ')
++
++ allow $1 zoneminder_t:process { ptrace signal_perms };
++ ps_process_pattern($1, zoneminder_t)
++
++ zoneminder_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 zoneminder_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_search_logs($1)
++ admin_pattern($1, zoneminder_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, zoneminder_var_lib_t)
++
++ files_search_spool($1)
++ admin_pattern($1, zoneminder_spool_t)
++
++')
++
+diff --git a/zoneminder.te b/zoneminder.te
+new file mode 100644
+index 0000000..3708d3c
+--- /dev/null
++++ b/zoneminder.te
+@@ -0,0 +1,121 @@
++policy_module(zoneminder, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##
++## Allow ZoneMinder to modify public files
++## used for public file transfer services.
++##
++##
++gen_tunable(zoneminder_anon_write, false)
++
++type zoneminder_t;
++type zoneminder_exec_t;
++init_daemon_domain(zoneminder_t, zoneminder_exec_t)
++
++type zoneminder_initrc_exec_t;
++init_script_file(zoneminder_initrc_exec_t)
++
++type zoneminder_log_t;
++logging_log_file(zoneminder_log_t)
++
++type zoneminder_tmpfs_t;
++files_tmpfs_file(zoneminder_tmpfs_t)
++
++type zoneminder_spool_t;
++files_type(zoneminder_spool_t)
++
++type zoneminder_var_lib_t;
++files_type(zoneminder_var_lib_t)
++
++type zoneminder_var_run_t;
++files_pid_file(zoneminder_var_run_t)
++
++########################################
++#
++# zoneminder local policy
++#
++allow zoneminder_t self:capability { chown dac_override };
++allow zoneminder_t self:process { signal_perms setpgid };
++allow zoneminder_t self:shm create_shm_perms;
++allow zoneminder_t self:fifo_file rw_fifo_file_perms;
++allow zoneminder_t self:unix_stream_socket { create_stream_socket_perms connectto };
++
++manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
++manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
++logging_log_filetrans(zoneminder_t, zoneminder_log_t, { dir file })
++
++manage_dirs_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++manage_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++manage_lnk_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++fs_tmpfs_filetrans(zoneminder_t, zoneminder_tmpfs_t, { dir file lnk_file })
++
++manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file sock_file })
++
++manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
++manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
++files_pid_filetrans(zoneminder_t, zoneminder_var_run_t, { dir file })
++
++manage_dirs_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
++manage_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
++manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
++files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file })
++
++kernel_read_system_state(zoneminder_t)
++
++corecmd_exec_bin(zoneminder_t)
++corecmd_exec_shell(zoneminder_t)
++
++corenet_tcp_bind_http_cache_port(zoneminder_t)
++corenet_tcp_bind_transproxy_port(zoneminder_t)
++
++dev_read_sysfs(zoneminder_t)
++dev_read_rand(zoneminder_t)
++dev_read_urand(zoneminder_t)
++dev_read_video_dev(zoneminder_t)
++dev_write_video_dev(zoneminder_t)
++
++files_read_usr_files(zoneminder_t)
++
++auth_use_nsswitch(zoneminder_t)
++
++logging_send_syslog_msg(zoneminder_t)
++
++tunable_policy(`zoneminder_anon_write',`
++ miscfiles_manage_public_files(zoneminder_t)
++')
++
++optional_policy(`
++ mysql_stream_connect(zoneminder_t)
++')
++
++########################################
++#
++# zoneminder cgi local policy
++#
++
++optional_policy(`
++ apache_content_template(zoneminder)
++
++ # need more testing
++ #allow httpd_zoneminder_script_t self:shm create_shm_perms;
++
++ manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++ zoneminder_stream_connect(httpd_zoneminder_script_t)
++
++ files_search_var_lib(httpd_zoneminder_script_t)
++
++ logging_send_syslog_msg(httpd_zoneminder_script_t)
++
++ optional_policy(`
++ mysql_stream_connect(httpd_zoneminder_script_t)
++ ')
++
++')
+diff --git a/zosremote.fc b/zosremote.fc
+index d719d0b..7a7fc61 100644
+--- a/zosremote.fc
++++ b/zosremote.fc
+@@ -1 +1,3 @@
+ /sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
++
++/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
+diff --git a/zosremote.if b/zosremote.if
+index 702e768..2a4f2cc 100644
+--- a/zosremote.if
++++ b/zosremote.if
+@@ -34,6 +34,7 @@ interface(`zosremote_domtrans',`
+ ## Role allowed access.
+ ##
+ ##
++##
+ #
+ interface(`zosremote_run',`
+ gen_require(`
+diff --git a/zosremote.te b/zosremote.te
+index f9a06d2..fade72a 100644
+--- a/zosremote.te
++++ b/zosremote.te
+@@ -16,13 +16,9 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
+ #
+
+ allow zos_remote_t self:process signal;
+-allow zos_remote_t self:fifo_file rw_file_perms;
++allow zos_remote_t self:fifo_file rw_fifo_file_perms;
+ allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
+
+-files_read_etc_files(zos_remote_t)
+-
+ auth_use_nsswitch(zos_remote_t)
+
+-miscfiles_read_localization(zos_remote_t)
+-
+ logging_send_syslog_msg(zos_remote_t)
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
deleted file mode 100644
index d9a6df5..0000000
--- a/policy-rawhide.patch
+++ /dev/null
@@ -1,148643 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 39a3d40..f69289d 100644
---- a/Makefile
-+++ b/Makefile
-@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
- SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
- SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
- SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
-+SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen
- LOADPOLICY ?= $(tc_usrsbindir)/load_policy
- SETFILES ?= $(tc_sbindir)/setfiles
- XMLLINT ?= $(BINDIR)/xmllint
-@@ -249,7 +250,7 @@ seusers := $(appconf)/seusers
- appdir := $(contextpath)
- user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
- user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
--appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts) $(contextpath)/files/media $(user_default_contexts_names)
- net_contexts := $(builddir)net_contexts
-
- all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-@@ -608,15 +609,17 @@ resetlabels:
- # Clean everything
- #
- bare: clean
-- rm -f $(polxml)
-- rm -f $(layerxml)
-- rm -f $(modxml)
-- rm -f $(tunxml)
-- rm -f $(boolxml)
-- rm -f $(mod_conf)
-- rm -f $(booleans)
-- rm -fR $(htmldir)
-- rm -f $(tags)
-+ echo "hehe kde jsem asi tak"
-+ pwd
-+ #rm -f $(polxml)
-+ #rm -f $(layerxml)
-+ #rm -f $(modxml)
-+ #rm -f $(tunxml)
-+ #rm -f $(boolxml)
-+ #rm -f $(mod_conf)
-+ #rm -f $(booleans)
-+ #rm -fR $(htmldir)
-+ #rm -f $(tags)
- # don't remove these files if we're given a local root
- ifndef LOCAL_ROOT
- rm -f $(fcsort)
-diff --git a/Rules.modular b/Rules.modular
-index 313d837..ef3c532 100644
---- a/Rules.modular
-+++ b/Rules.modular
-@@ -201,6 +201,7 @@ validate: $(base_pkg) $(mod_pkgs)
- @echo "Validating policy linking."
- $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
- $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
-+ $(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output
- @echo "Success."
-
- ########################################
-diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
-index d387b42..150f281 100644
---- a/config/appconfig-mcs/virtual_domain_context
-+++ b/config/appconfig-mcs/virtual_domain_context
-@@ -1 +1,2 @@
- system_u:system_r:svirt_t:s0
-+system_u:system_r:svirt_tcg_t:s0
-diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
-index c049e10..150f281 100644
---- a/config/appconfig-standard/virtual_domain_context
-+++ b/config/appconfig-standard/virtual_domain_context
-@@ -1 +1,2 @@
--system_u:system_r:svirt_t
-+system_u:system_r:svirt_t:s0
-+system_u:system_r:svirt_tcg_t:s0
-diff --git a/man/man8/NetworkManager_selinux.8 b/man/man8/NetworkManager_selinux.8
-new file mode 100644
-index 0000000..62a48d7
---- /dev/null
-+++ b/man/man8/NetworkManager_selinux.8
-@@ -0,0 +1,292 @@
-+.TH "NetworkManager_selinux" "8" "12-11-01" "NetworkManager" "SELinux Policy documentation for NetworkManager"
-+.SH "NAME"
-+NetworkManager_selinux \- Security Enhanced Linux Policy for the NetworkManager processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the NetworkManager processes via flexible mandatory access control.
-+
-+The NetworkManager processes execute with the NetworkManager_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep NetworkManager_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The NetworkManager_t SELinux type can be entered via the "NetworkManager_exec_t" file type. The default entrypoint paths for the NetworkManager_t domain are the following:"
-+
-+/usr/s?bin/NetworkManager, /usr/s?bin/wpa_supplicant, /usr/sbin/wicd, /sbin/wpa_supplicant, /usr/sbin/wpa_supplicant, /usr/sbin/nm-system-settings, /usr/sbin/NetworkManagerDispatcher
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux NetworkManager policy is very flexible allowing users to setup their NetworkManager processes in as secure a method as possible.
-+.PP
-+The following process types are defined for NetworkManager:
-+
-+.EX
-+.B NetworkManager_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux NetworkManager policy is very flexible allowing users to setup their NetworkManager processes in as secure a method as possible.
-+.PP
-+The following file types are defined for NetworkManager:
-+
-+
-+.EX
-+.PP
-+.B NetworkManager_etc_rw_t
-+.EE
-+
-+- Set files with the NetworkManager_etc_rw_t type, if you want to treat the files as NetworkManager etc read/write content.
-+
-+
-+.EX
-+.PP
-+.B NetworkManager_etc_t
-+.EE
-+
-+- Set files with the NetworkManager_etc_t type, if you want to store NetworkManager files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B NetworkManager_exec_t
-+.EE
-+
-+- Set files with the NetworkManager_exec_t type, if you want to transition an executable to the NetworkManager_t domain.
-+
-+
-+.EX
-+.PP
-+.B NetworkManager_initrc_exec_t
-+.EE
-+
-+- Set files with the NetworkManager_initrc_exec_t type, if you want to transition an executable to the NetworkManager_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B NetworkManager_log_t
-+.EE
-+
-+- Set files with the NetworkManager_log_t type, if you want to treat the data as NetworkManager log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B NetworkManager_tmp_t
-+.EE
-+
-+- Set files with the NetworkManager_tmp_t type, if you want to store NetworkManager temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B NetworkManager_unit_file_t
-+.EE
-+
-+- Set files with the NetworkManager_unit_file_t type, if you want to treat the files as NetworkManager unit content.
-+
-+
-+.EX
-+.PP
-+.B NetworkManager_var_lib_t
-+.EE
-+
-+- Set files with the NetworkManager_var_lib_t type, if you want to store the NetworkManager files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B NetworkManager_var_run_t
-+.EE
-+
-+- Set files with the NetworkManager_var_run_t type, if you want to store the NetworkManager files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type NetworkManager_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B NetworkManager_etc_rw_t
-+
-+ /etc/NetworkManager/system-connections(/.*)?
-+.br
-+ /etc/NetworkManager/NetworkManager\.conf
-+.br
-+
-+.br
-+.B NetworkManager_log_t
-+
-+ /var/log/wicd.*
-+.br
-+ /var/log/wpa_supplicant.*
-+.br
-+
-+.br
-+.B NetworkManager_tmp_t
-+
-+
-+.br
-+.B NetworkManager_var_lib_t
-+
-+ /var/lib/wicd(/.*)?
-+.br
-+ /var/lib/NetworkManager(/.*)?
-+.br
-+ /etc/dhcp/wired-settings.conf
-+.br
-+ /etc/wicd/wired-settings.conf
-+.br
-+ /etc/dhcp/manager-settings.conf
-+.br
-+ /etc/wicd/manager-settings.conf
-+.br
-+ /etc/dhcp/wireless-settings.conf
-+.br
-+ /etc/wicd/wireless-settings.conf
-+.br
-+
-+.br
-+.B NetworkManager_var_run_t
-+
-+ /var/run/nm-dhclient.*
-+.br
-+ /var/run/NetworkManager(/.*)?
-+.br
-+ /var/run/wpa_supplicant(/.*)?
-+.br
-+ /var/run/NetworkManager\.pid
-+.br
-+ /var/run/nm-dns-dnsmasq\.conf
-+.br
-+ /var/run/wpa_supplicant-global
-+.br
-+
-+.br
-+.B named_cache_t
-+
-+ /var/named/data(/.*)?
-+.br
-+ /var/named/slaves(/.*)?
-+.br
-+ /var/named/dynamic(/.*)?
-+.br
-+ /var/named/chroot/var/tmp(/.*)?
-+.br
-+ /var/named/chroot/var/named/data(/.*)?
-+.br
-+ /var/named/chroot/var/named/slaves(/.*)?
-+.br
-+ /var/named/chroot/var/named/dynamic(/.*)?
-+.br
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.br
-+.B pppd_var_run_t
-+
-+ /var/run/(i)?ppp.*pid[^/]*
-+.br
-+ /var/run/ppp(/.*)?
-+.br
-+ /var/run/pppd[0-9]*\.tdb
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the NetworkManager_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the NetworkManager_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), NetworkManager(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/abrt_dump_oops_selinux.8 b/man/man8/abrt_dump_oops_selinux.8
-new file mode 100644
-index 0000000..c365bc5
---- /dev/null
-+++ b/man/man8/abrt_dump_oops_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "abrt_dump_oops_selinux" "8" "12-11-01" "abrt_dump_oops" "SELinux Policy documentation for abrt_dump_oops"
-+.SH "NAME"
-+abrt_dump_oops_selinux \- Security Enhanced Linux Policy for the abrt_dump_oops processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the abrt_dump_oops processes via flexible mandatory access control.
-+
-+The abrt_dump_oops processes execute with the abrt_dump_oops_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep abrt_dump_oops_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The abrt_dump_oops_t SELinux type can be entered via the "abrt_dump_oops_exec_t" file type. The default entrypoint paths for the abrt_dump_oops_t domain are the following:"
-+
-+/usr/bin/abrt-dump-oops
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux abrt_dump_oops policy is very flexible allowing users to setup their abrt_dump_oops processes in as secure a method as possible.
-+.PP
-+The following process types are defined for abrt_dump_oops:
-+
-+.EX
-+.B abrt_dump_oops_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux abrt_dump_oops policy is very flexible allowing users to setup their abrt_dump_oops processes in as secure a method as possible.
-+.PP
-+The following file types are defined for abrt_dump_oops:
-+
-+
-+.EX
-+.PP
-+.B abrt_dump_oops_exec_t
-+.EE
-+
-+- Set files with the abrt_dump_oops_exec_t type, if you want to transition an executable to the abrt_dump_oops_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type abrt_dump_oops_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B abrt_var_cache_t
-+
-+ /var/cache/abrt(/.*)?
-+.br
-+ /var/spool/abrt(/.*)?
-+.br
-+ /var/cache/abrt-di(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), abrt_dump_oops(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, abrt_selinux(8), abrt_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/abrt_handle_event_selinux.8 b/man/man8/abrt_handle_event_selinux.8
-new file mode 100644
-index 0000000..9cd4e4f
---- /dev/null
-+++ b/man/man8/abrt_handle_event_selinux.8
-@@ -0,0 +1,108 @@
-+.TH "abrt_handle_event_selinux" "8" "12-11-01" "abrt_handle_event" "SELinux Policy documentation for abrt_handle_event"
-+.SH "NAME"
-+abrt_handle_event_selinux \- Security Enhanced Linux Policy for the abrt_handle_event processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the abrt_handle_event processes via flexible mandatory access control.
-+
-+The abrt_handle_event processes execute with the abrt_handle_event_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep abrt_handle_event_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The abrt_handle_event_t SELinux type can be entered via the "abrt_handle_event_exec_t" file type. The default entrypoint paths for the abrt_handle_event_t domain are the following:"
-+
-+/usr/libexec/abrt-handle-event
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux abrt_handle_event policy is very flexible allowing users to setup their abrt_handle_event processes in as secure a method as possible.
-+.PP
-+The following process types are defined for abrt_handle_event:
-+
-+.EX
-+.B abrt_handle_event_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. abrt_handle_event policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt_handle_event with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean.
-+
-+.EX
-+.B setsebool -P abrt_handle_event 1
-+.EE
-+
-+.PP
-+If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean.
-+
-+.EX
-+.B setsebool -P abrt_handle_event 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux abrt_handle_event policy is very flexible allowing users to setup their abrt_handle_event processes in as secure a method as possible.
-+.PP
-+The following file types are defined for abrt_handle_event:
-+
-+
-+.EX
-+.PP
-+.B abrt_handle_event_exec_t
-+.EE
-+
-+- Set files with the abrt_handle_event_exec_t type, if you want to transition an executable to the abrt_handle_event_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), abrt_handle_event(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/abrt_helper_selinux.8 b/man/man8/abrt_helper_selinux.8
-new file mode 100644
-index 0000000..ffc4a82
---- /dev/null
-+++ b/man/man8/abrt_helper_selinux.8
-@@ -0,0 +1,115 @@
-+.TH "abrt_helper_selinux" "8" "12-11-01" "abrt_helper" "SELinux Policy documentation for abrt_helper"
-+.SH "NAME"
-+abrt_helper_selinux \- Security Enhanced Linux Policy for the abrt_helper processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the abrt_helper processes via flexible mandatory access control.
-+
-+The abrt_helper processes execute with the abrt_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep abrt_helper_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The abrt_helper_t SELinux type can be entered via the "abrt_helper_exec_t" file type. The default entrypoint paths for the abrt_helper_t domain are the following:"
-+
-+/usr/bin/abrt-pyhook-helper
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux abrt_helper policy is very flexible allowing users to setup their abrt_helper processes in as secure a method as possible.
-+.PP
-+The following process types are defined for abrt_helper:
-+
-+.EX
-+.B abrt_helper_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux abrt_helper policy is very flexible allowing users to setup their abrt_helper processes in as secure a method as possible.
-+.PP
-+The following file types are defined for abrt_helper:
-+
-+
-+.EX
-+.PP
-+.B abrt_helper_exec_t
-+.EE
-+
-+- Set files with the abrt_helper_exec_t type, if you want to transition an executable to the abrt_helper_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type abrt_helper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B abrt_var_cache_t
-+
-+ /var/cache/abrt(/.*)?
-+.br
-+ /var/spool/abrt(/.*)?
-+.br
-+ /var/cache/abrt-di(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the abrt_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the abrt_helper_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), abrt_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/abrt_retrace_coredump_selinux.8 b/man/man8/abrt_retrace_coredump_selinux.8
-new file mode 100644
-index 0000000..95c7f7f
---- /dev/null
-+++ b/man/man8/abrt_retrace_coredump_selinux.8
-@@ -0,0 +1,115 @@
-+.TH "abrt_retrace_coredump_selinux" "8" "12-11-01" "abrt_retrace_coredump" "SELinux Policy documentation for abrt_retrace_coredump"
-+.SH "NAME"
-+abrt_retrace_coredump_selinux \- Security Enhanced Linux Policy for the abrt_retrace_coredump processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the abrt_retrace_coredump processes via flexible mandatory access control.
-+
-+The abrt_retrace_coredump processes execute with the abrt_retrace_coredump_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep abrt_retrace_coredump_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The abrt_retrace_coredump_t SELinux type can be entered via the "abrt_retrace_coredump_exec_t" file type. The default entrypoint paths for the abrt_retrace_coredump_t domain are the following:"
-+
-+/usr/bin/coredump2packages
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux abrt_retrace_coredump policy is very flexible allowing users to setup their abrt_retrace_coredump processes in as secure a method as possible.
-+.PP
-+The following process types are defined for abrt_retrace_coredump:
-+
-+.EX
-+.B abrt_retrace_coredump_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux abrt_retrace_coredump policy is very flexible allowing users to setup their abrt_retrace_coredump processes in as secure a method as possible.
-+.PP
-+The following file types are defined for abrt_retrace_coredump:
-+
-+
-+.EX
-+.PP
-+.B abrt_retrace_coredump_exec_t
-+.EE
-+
-+- Set files with the abrt_retrace_coredump_exec_t type, if you want to transition an executable to the abrt_retrace_coredump_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type abrt_retrace_coredump_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B rpm_log_t
-+
-+ /var/log/yum\.log.*
-+.br
-+
-+.br
-+.B rpm_var_cache_t
-+
-+ /var/cache/yum(/.*)?
-+.br
-+ /var/spool/up2date(/.*)?
-+.br
-+ /var/cache/PackageKit(/.*)?
-+.br
-+
-+.br
-+.B rpm_var_run_t
-+
-+ /var/run/yum.*
-+.br
-+ /var/run/PackageKit(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), abrt_retrace_coredump(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/abrt_retrace_worker_selinux.8 b/man/man8/abrt_retrace_worker_selinux.8
-new file mode 100644
-index 0000000..c0c182f
---- /dev/null
-+++ b/man/man8/abrt_retrace_worker_selinux.8
-@@ -0,0 +1,99 @@
-+.TH "abrt_retrace_worker_selinux" "8" "12-11-01" "abrt_retrace_worker" "SELinux Policy documentation for abrt_retrace_worker"
-+.SH "NAME"
-+abrt_retrace_worker_selinux \- Security Enhanced Linux Policy for the abrt_retrace_worker processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the abrt_retrace_worker processes via flexible mandatory access control.
-+
-+The abrt_retrace_worker processes execute with the abrt_retrace_worker_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep abrt_retrace_worker_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The abrt_retrace_worker_t SELinux type can be entered via the "abrt_retrace_worker_exec_t" file type. The default entrypoint paths for the abrt_retrace_worker_t domain are the following:"
-+
-+/usr/bin/abrt-retrace-worker, /usr/bin/retrace-server-worker
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux abrt_retrace_worker policy is very flexible allowing users to setup their abrt_retrace_worker processes in as secure a method as possible.
-+.PP
-+The following process types are defined for abrt_retrace_worker:
-+
-+.EX
-+.B abrt_retrace_worker_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux abrt_retrace_worker policy is very flexible allowing users to setup their abrt_retrace_worker processes in as secure a method as possible.
-+.PP
-+The following file types are defined for abrt_retrace_worker:
-+
-+
-+.EX
-+.PP
-+.B abrt_retrace_worker_exec_t
-+.EE
-+
-+- Set files with the abrt_retrace_worker_exec_t type, if you want to transition an executable to the abrt_retrace_worker_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type abrt_retrace_worker_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B abrt_retrace_spool_t
-+
-+ /var/spool/abrt-retrace(/.*)?
-+.br
-+ /var/spool/retrace-server(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), abrt_retrace_worker(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_watch_log_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/abrt_selinux.8 b/man/man8/abrt_selinux.8
-new file mode 100644
-index 0000000..25121c1
---- /dev/null
-+++ b/man/man8/abrt_selinux.8
-@@ -0,0 +1,347 @@
-+.TH "abrt_selinux" "8" "12-11-01" "abrt" "SELinux Policy documentation for abrt"
-+.SH "NAME"
-+abrt_selinux \- Security Enhanced Linux Policy for the abrt processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the abrt processes via flexible mandatory access control.
-+
-+The abrt processes execute with the abrt_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep abrt_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The abrt_t SELinux type can be entered via the "abrt_exec_t" file type. The default entrypoint paths for the abrt_t domain are the following:"
-+
-+/usr/sbin/abrtd, /usr/sbin/abrt-dbus
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux abrt policy is very flexible allowing users to setup their abrt processes in as secure a method as possible.
-+.PP
-+The following process types are defined for abrt:
-+
-+.EX
-+.B abrt_handle_event_t, abrt_helper_t, abrt_retrace_coredump_t, abrt_t, abrt_retrace_worker_t, abrt_dump_oops_t, abrt_watch_log_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. abrt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean.
-+
-+.EX
-+.B setsebool -P abrt_handle_event 1
-+.EE
-+
-+.PP
-+If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean.
-+
-+.EX
-+.B setsebool -P abrt_handle_event 1
-+.EE
-+
-+.SH SHARING FILES
-+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
-+.TP
-+Allow abrt servers to read the /var/abrt directory by adding the public_content_t file type to the directory and by restoring the file type.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_t "/var/abrt(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/abrt
-+.pp
-+.TP
-+Allow abrt servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_abrtd_anon_write boolean to be set.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_rw_t "/var/abrt/incoming(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/abrt/incoming
-+
-+
-+.PP
-+If you want to allow ABRT to modify public files used for public file transfer services., you must turn on the abrt_anon_write boolean.
-+
-+.EX
-+.B setsebool -P abrt_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow ABRT to modify public files used for public file transfer services., you must turn on the abrt_anon_write boolean.
-+
-+.EX
-+.B setsebool -P abrt_anon_write 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux abrt policy is very flexible allowing users to setup their abrt processes in as secure a method as possible.
-+.PP
-+The following file types are defined for abrt:
-+
-+
-+.EX
-+.PP
-+.B abrt_dump_oops_exec_t
-+.EE
-+
-+- Set files with the abrt_dump_oops_exec_t type, if you want to transition an executable to the abrt_dump_oops_t domain.
-+
-+
-+.EX
-+.PP
-+.B abrt_etc_t
-+.EE
-+
-+- Set files with the abrt_etc_t type, if you want to store abrt files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B abrt_exec_t
-+.EE
-+
-+- Set files with the abrt_exec_t type, if you want to transition an executable to the abrt_t domain.
-+
-+
-+.EX
-+.PP
-+.B abrt_handle_event_exec_t
-+.EE
-+
-+- Set files with the abrt_handle_event_exec_t type, if you want to transition an executable to the abrt_handle_event_t domain.
-+
-+
-+.EX
-+.PP
-+.B abrt_helper_exec_t
-+.EE
-+
-+- Set files with the abrt_helper_exec_t type, if you want to transition an executable to the abrt_helper_t domain.
-+
-+
-+.EX
-+.PP
-+.B abrt_initrc_exec_t
-+.EE
-+
-+- Set files with the abrt_initrc_exec_t type, if you want to transition an executable to the abrt_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B abrt_retrace_cache_t
-+.EE
-+
-+- Set files with the abrt_retrace_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B abrt_retrace_coredump_exec_t
-+.EE
-+
-+- Set files with the abrt_retrace_coredump_exec_t type, if you want to transition an executable to the abrt_retrace_coredump_t domain.
-+
-+
-+.EX
-+.PP
-+.B abrt_retrace_spool_t
-+.EE
-+
-+- Set files with the abrt_retrace_spool_t type, if you want to store the abrt retrace files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B abrt_retrace_worker_exec_t
-+.EE
-+
-+- Set files with the abrt_retrace_worker_exec_t type, if you want to transition an executable to the abrt_retrace_worker_t domain.
-+
-+
-+.EX
-+.PP
-+.B abrt_tmp_t
-+.EE
-+
-+- Set files with the abrt_tmp_t type, if you want to store abrt temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B abrt_unit_file_t
-+.EE
-+
-+- Set files with the abrt_unit_file_t type, if you want to treat the files as abrt unit content.
-+
-+
-+.EX
-+.PP
-+.B abrt_var_cache_t
-+.EE
-+
-+- Set files with the abrt_var_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B abrt_var_log_t
-+.EE
-+
-+- Set files with the abrt_var_log_t type, if you want to treat the data as abrt var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B abrt_var_run_t
-+.EE
-+
-+- Set files with the abrt_var_run_t type, if you want to store the abrt files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B abrt_watch_log_exec_t
-+.EE
-+
-+- Set files with the abrt_watch_log_exec_t type, if you want to transition an executable to the abrt_watch_log_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type abrt_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B abrt_etc_t
-+
-+ /etc/abrt(/.*)?
-+.br
-+
-+.br
-+.B abrt_tmp_t
-+
-+
-+.br
-+.B abrt_var_cache_t
-+
-+ /var/cache/abrt(/.*)?
-+.br
-+ /var/spool/abrt(/.*)?
-+.br
-+ /var/cache/abrt-di(/.*)?
-+.br
-+
-+.br
-+.B abrt_var_log_t
-+
-+ /var/log/abrt-logger
-+.br
-+
-+.br
-+.B abrt_var_run_t
-+
-+ /var/run/abrt(/.*)?
-+.br
-+ /var/run/abrtd?\.lock
-+.br
-+ /var/run/abrtd?\.socket
-+.br
-+ /var/run/abrt\.pid
-+.br
-+
-+.br
-+.B rpm_log_t
-+
-+ /var/log/yum\.log.*
-+.br
-+
-+.br
-+.B rpm_var_cache_t
-+
-+ /var/cache/yum(/.*)?
-+.br
-+ /var/spool/up2date(/.*)?
-+.br
-+ /var/cache/PackageKit(/.*)?
-+.br
-+
-+.br
-+.B rpm_var_run_t
-+
-+ /var/run/yum.*
-+.br
-+ /var/run/PackageKit(/.*)?
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the abrt_helper_t, abrt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the abrt_helper_t, abrt_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), abrt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/abrt_watch_log_selinux.8 b/man/man8/abrt_watch_log_selinux.8
-new file mode 100644
-index 0000000..e8ab68b
---- /dev/null
-+++ b/man/man8/abrt_watch_log_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "abrt_watch_log_selinux" "8" "12-11-01" "abrt_watch_log" "SELinux Policy documentation for abrt_watch_log"
-+.SH "NAME"
-+abrt_watch_log_selinux \- Security Enhanced Linux Policy for the abrt_watch_log processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the abrt_watch_log processes via flexible mandatory access control.
-+
-+The abrt_watch_log processes execute with the abrt_watch_log_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep abrt_watch_log_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The abrt_watch_log_t SELinux type can be entered via the "abrt_watch_log_exec_t" file type. The default entrypoint paths for the abrt_watch_log_t domain are the following:"
-+
-+/usr/bin/abrt-watch-log
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux abrt_watch_log policy is very flexible allowing users to setup their abrt_watch_log processes in as secure a method as possible.
-+.PP
-+The following process types are defined for abrt_watch_log:
-+
-+.EX
-+.B abrt_watch_log_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux abrt_watch_log policy is very flexible allowing users to setup their abrt_watch_log processes in as secure a method as possible.
-+.PP
-+The following file types are defined for abrt_watch_log:
-+
-+
-+.EX
-+.PP
-+.B abrt_watch_log_exec_t
-+.EE
-+
-+- Set files with the abrt_watch_log_exec_t type, if you want to transition an executable to the abrt_watch_log_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), abrt_watch_log(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/accountsd_selinux.8 b/man/man8/accountsd_selinux.8
-new file mode 100644
-index 0000000..0471351
---- /dev/null
-+++ b/man/man8/accountsd_selinux.8
-@@ -0,0 +1,132 @@
-+.TH "accountsd_selinux" "8" "12-11-01" "accountsd" "SELinux Policy documentation for accountsd"
-+.SH "NAME"
-+accountsd_selinux \- Security Enhanced Linux Policy for the accountsd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the accountsd processes via flexible mandatory access control.
-+
-+The accountsd processes execute with the accountsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep accountsd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The accountsd_t SELinux type can be entered via the "accountsd_exec_t" file type. The default entrypoint paths for the accountsd_t domain are the following:"
-+
-+/usr/libexec/accounts-daemon
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux accountsd policy is very flexible allowing users to setup their accountsd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for accountsd:
-+
-+.EX
-+.B accountsd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux accountsd policy is very flexible allowing users to setup their accountsd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for accountsd:
-+
-+
-+.EX
-+.PP
-+.B accountsd_exec_t
-+.EE
-+
-+- Set files with the accountsd_exec_t type, if you want to transition an executable to the accountsd_t domain.
-+
-+
-+.EX
-+.PP
-+.B accountsd_unit_file_t
-+.EE
-+
-+- Set files with the accountsd_unit_file_t type, if you want to treat the files as accountsd unit content.
-+
-+
-+.EX
-+.PP
-+.B accountsd_var_lib_t
-+.EE
-+
-+- Set files with the accountsd_var_lib_t type, if you want to store the accountsd files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type accountsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B accountsd_var_lib_t
-+
-+ /var/lib/AccountsService(/.*)?
-+.br
-+
-+.br
-+.B xdm_etc_t
-+
-+ /etc/[mg]dm(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the accountsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the accountsd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), accountsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/acct_selinux.8 b/man/man8/acct_selinux.8
-new file mode 100644
-index 0000000..88dbb11
---- /dev/null
-+++ b/man/man8/acct_selinux.8
-@@ -0,0 +1,126 @@
-+.TH "acct_selinux" "8" "12-11-01" "acct" "SELinux Policy documentation for acct"
-+.SH "NAME"
-+acct_selinux \- Security Enhanced Linux Policy for the acct processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the acct processes via flexible mandatory access control.
-+
-+The acct processes execute with the acct_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep acct_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The acct_t SELinux type can be entered via the "acct_exec_t" file type. The default entrypoint paths for the acct_t domain are the following:"
-+
-+/etc/cron\.(daily|monthly)/acct, /sbin/accton, /usr/sbin/accton
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux acct policy is very flexible allowing users to setup their acct processes in as secure a method as possible.
-+.PP
-+The following process types are defined for acct:
-+
-+.EX
-+.B acct_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux acct policy is very flexible allowing users to setup their acct processes in as secure a method as possible.
-+.PP
-+The following file types are defined for acct:
-+
-+
-+.EX
-+.PP
-+.B acct_data_t
-+.EE
-+
-+- Set files with the acct_data_t type, if you want to treat the files as acct content.
-+
-+
-+.EX
-+.PP
-+.B acct_exec_t
-+.EE
-+
-+- Set files with the acct_exec_t type, if you want to transition an executable to the acct_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type acct_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B acct_data_t
-+
-+ /var/account(/.*)?
-+.br
-+ /var/log/account(/.*)?
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the acct_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the acct_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), acct(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/afs_bosserver_selinux.8 b/man/man8/afs_bosserver_selinux.8
-new file mode 100644
-index 0000000..4502080
---- /dev/null
-+++ b/man/man8/afs_bosserver_selinux.8
-@@ -0,0 +1,105 @@
-+.TH "afs_bosserver_selinux" "8" "12-11-01" "afs_bosserver" "SELinux Policy documentation for afs_bosserver"
-+.SH "NAME"
-+afs_bosserver_selinux \- Security Enhanced Linux Policy for the afs_bosserver processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the afs_bosserver processes via flexible mandatory access control.
-+
-+The afs_bosserver processes execute with the afs_bosserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep afs_bosserver_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The afs_bosserver_t SELinux type can be entered via the "afs_bosserver_exec_t" file type. The default entrypoint paths for the afs_bosserver_t domain are the following:"
-+
-+/usr/afs/bin/bosserver
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux afs_bosserver policy is very flexible allowing users to setup their afs_bosserver processes in as secure a method as possible.
-+.PP
-+The following process types are defined for afs_bosserver:
-+
-+.EX
-+.B afs_bosserver_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux afs_bosserver policy is very flexible allowing users to setup their afs_bosserver processes in as secure a method as possible.
-+.PP
-+The following file types are defined for afs_bosserver:
-+
-+
-+.EX
-+.PP
-+.B afs_bosserver_exec_t
-+.EE
-+
-+- Set files with the afs_bosserver_exec_t type, if you want to transition an executable to the afs_bosserver_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type afs_bosserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B afs_config_t
-+
-+ /usr/afs/etc(/.*)?
-+.br
-+ /usr/afs/local(/.*)?
-+.br
-+
-+.br
-+.B afs_logfile_t
-+
-+ /usr/afs/logs(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), afs_bosserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, afs_selinux(8), afs_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/afs_fsserver_selinux.8 b/man/man8/afs_fsserver_selinux.8
-new file mode 100644
-index 0000000..3881562
---- /dev/null
-+++ b/man/man8/afs_fsserver_selinux.8
-@@ -0,0 +1,115 @@
-+.TH "afs_fsserver_selinux" "8" "12-11-01" "afs_fsserver" "SELinux Policy documentation for afs_fsserver"
-+.SH "NAME"
-+afs_fsserver_selinux \- Security Enhanced Linux Policy for the afs_fsserver processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the afs_fsserver processes via flexible mandatory access control.
-+
-+The afs_fsserver processes execute with the afs_fsserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep afs_fsserver_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The afs_fsserver_t SELinux type can be entered via the "afs_fsserver_exec_t" file type. The default entrypoint paths for the afs_fsserver_t domain are the following:"
-+
-+/usr/afs/bin/salvager, /usr/afs/bin/volserver, /usr/afs/bin/fileserver
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux afs_fsserver policy is very flexible allowing users to setup their afs_fsserver processes in as secure a method as possible.
-+.PP
-+The following process types are defined for afs_fsserver:
-+
-+.EX
-+.B afs_fsserver_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux afs_fsserver policy is very flexible allowing users to setup their afs_fsserver processes in as secure a method as possible.
-+.PP
-+The following file types are defined for afs_fsserver:
-+
-+
-+.EX
-+.PP
-+.B afs_fsserver_exec_t
-+.EE
-+
-+- Set files with the afs_fsserver_exec_t type, if you want to transition an executable to the afs_fsserver_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type afs_fsserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B afs_config_t
-+
-+ /usr/afs/etc(/.*)?
-+.br
-+ /usr/afs/local(/.*)?
-+.br
-+
-+.br
-+.B afs_files_t
-+
-+ /vicepa
-+.br
-+ /vicepb
-+.br
-+ /vicepc
-+.br
-+
-+.br
-+.B afs_logfile_t
-+
-+ /usr/afs/logs(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), afs_fsserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/afs_kaserver_selinux.8 b/man/man8/afs_kaserver_selinux.8
-new file mode 100644
-index 0000000..248aaef
---- /dev/null
-+++ b/man/man8/afs_kaserver_selinux.8
-@@ -0,0 +1,111 @@
-+.TH "afs_kaserver_selinux" "8" "12-11-01" "afs_kaserver" "SELinux Policy documentation for afs_kaserver"
-+.SH "NAME"
-+afs_kaserver_selinux \- Security Enhanced Linux Policy for the afs_kaserver processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the afs_kaserver processes via flexible mandatory access control.
-+
-+The afs_kaserver processes execute with the afs_kaserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep afs_kaserver_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The afs_kaserver_t SELinux type can be entered via the "afs_kaserver_exec_t" file type. The default entrypoint paths for the afs_kaserver_t domain are the following:"
-+
-+/usr/afs/bin/kaserver
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux afs_kaserver policy is very flexible allowing users to setup their afs_kaserver processes in as secure a method as possible.
-+.PP
-+The following process types are defined for afs_kaserver:
-+
-+.EX
-+.B afs_kaserver_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux afs_kaserver policy is very flexible allowing users to setup their afs_kaserver processes in as secure a method as possible.
-+.PP
-+The following file types are defined for afs_kaserver:
-+
-+
-+.EX
-+.PP
-+.B afs_kaserver_exec_t
-+.EE
-+
-+- Set files with the afs_kaserver_exec_t type, if you want to transition an executable to the afs_kaserver_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type afs_kaserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B afs_config_t
-+
-+ /usr/afs/etc(/.*)?
-+.br
-+ /usr/afs/local(/.*)?
-+.br
-+
-+.br
-+.B afs_ka_db_t
-+
-+ /usr/afs/db/ka.*
-+.br
-+
-+.br
-+.B afs_logfile_t
-+
-+ /usr/afs/logs(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), afs_kaserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/afs_ptserver_selinux.8 b/man/man8/afs_ptserver_selinux.8
-new file mode 100644
-index 0000000..dfd8d86
---- /dev/null
-+++ b/man/man8/afs_ptserver_selinux.8
-@@ -0,0 +1,103 @@
-+.TH "afs_ptserver_selinux" "8" "12-11-01" "afs_ptserver" "SELinux Policy documentation for afs_ptserver"
-+.SH "NAME"
-+afs_ptserver_selinux \- Security Enhanced Linux Policy for the afs_ptserver processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the afs_ptserver processes via flexible mandatory access control.
-+
-+The afs_ptserver processes execute with the afs_ptserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep afs_ptserver_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The afs_ptserver_t SELinux type can be entered via the "afs_ptserver_exec_t" file type. The default entrypoint paths for the afs_ptserver_t domain are the following:"
-+
-+/usr/afs/bin/ptserver
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux afs_ptserver policy is very flexible allowing users to setup their afs_ptserver processes in as secure a method as possible.
-+.PP
-+The following process types are defined for afs_ptserver:
-+
-+.EX
-+.B afs_ptserver_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux afs_ptserver policy is very flexible allowing users to setup their afs_ptserver processes in as secure a method as possible.
-+.PP
-+The following file types are defined for afs_ptserver:
-+
-+
-+.EX
-+.PP
-+.B afs_ptserver_exec_t
-+.EE
-+
-+- Set files with the afs_ptserver_exec_t type, if you want to transition an executable to the afs_ptserver_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type afs_ptserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B afs_logfile_t
-+
-+ /usr/afs/logs(/.*)?
-+.br
-+
-+.br
-+.B afs_pt_db_t
-+
-+ /usr/afs/db/pr.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), afs_ptserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_vlserver_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/afs_selinux.8 b/man/man8/afs_selinux.8
-new file mode 100644
-index 0000000..3d27b08
---- /dev/null
-+++ b/man/man8/afs_selinux.8
-@@ -0,0 +1,352 @@
-+.TH "afs_selinux" "8" "12-11-01" "afs" "SELinux Policy documentation for afs"
-+.SH "NAME"
-+afs_selinux \- Security Enhanced Linux Policy for the afs processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the afs processes via flexible mandatory access control.
-+
-+The afs processes execute with the afs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep afs_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The afs_t SELinux type can be entered via the "afs_exec_t" file type. The default entrypoint paths for the afs_t domain are the following:"
-+
-+/usr/sbin/afsd, /usr/vice/etc/afsd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux afs policy is very flexible allowing users to setup their afs processes in as secure a method as possible.
-+.PP
-+The following process types are defined for afs:
-+
-+.EX
-+.B afs_kaserver_t, afs_t, afs_fsserver_t, afs_bosserver_t, afs_vlserver_t, afs_ptserver_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux afs policy is very flexible allowing users to setup their afs processes in as secure a method as possible.
-+.PP
-+The following file types are defined for afs:
-+
-+
-+.EX
-+.PP
-+.B afs_bosserver_exec_t
-+.EE
-+
-+- Set files with the afs_bosserver_exec_t type, if you want to transition an executable to the afs_bosserver_t domain.
-+
-+
-+.EX
-+.PP
-+.B afs_cache_t
-+.EE
-+
-+- Set files with the afs_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B afs_config_t
-+.EE
-+
-+- Set files with the afs_config_t type, if you want to treat the files as afs configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B afs_dbdir_t
-+.EE
-+
-+- Set files with the afs_dbdir_t type, if you want to treat the files as afs dbdir data.
-+
-+
-+.EX
-+.PP
-+.B afs_exec_t
-+.EE
-+
-+- Set files with the afs_exec_t type, if you want to transition an executable to the afs_t domain.
-+
-+
-+.EX
-+.PP
-+.B afs_files_t
-+.EE
-+
-+- Set files with the afs_files_t type, if you want to treat the files as afs content.
-+
-+
-+.EX
-+.PP
-+.B afs_fsserver_exec_t
-+.EE
-+
-+- Set files with the afs_fsserver_exec_t type, if you want to transition an executable to the afs_fsserver_t domain.
-+
-+
-+.EX
-+.PP
-+.B afs_initrc_exec_t
-+.EE
-+
-+- Set files with the afs_initrc_exec_t type, if you want to transition an executable to the afs_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B afs_ka_db_t
-+.EE
-+
-+- Set files with the afs_ka_db_t type, if you want to treat the files as afs ka database content.
-+
-+
-+.EX
-+.PP
-+.B afs_kaserver_exec_t
-+.EE
-+
-+- Set files with the afs_kaserver_exec_t type, if you want to transition an executable to the afs_kaserver_t domain.
-+
-+
-+.EX
-+.PP
-+.B afs_logfile_t
-+.EE
-+
-+- Set files with the afs_logfile_t type, if you want to treat the files as afs logfile data.
-+
-+
-+.EX
-+.PP
-+.B afs_pt_db_t
-+.EE
-+
-+- Set files with the afs_pt_db_t type, if you want to treat the files as afs pt database content.
-+
-+
-+.EX
-+.PP
-+.B afs_ptserver_exec_t
-+.EE
-+
-+- Set files with the afs_ptserver_exec_t type, if you want to transition an executable to the afs_ptserver_t domain.
-+
-+
-+.EX
-+.PP
-+.B afs_vl_db_t
-+.EE
-+
-+- Set files with the afs_vl_db_t type, if you want to treat the files as afs vl database content.
-+
-+
-+.EX
-+.PP
-+.B afs_vlserver_exec_t
-+.EE
-+
-+- Set files with the afs_vlserver_exec_t type, if you want to transition an executable to the afs_vlserver_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux afs policy is very flexible allowing users to setup their afs processes in as secure a method as possible.
-+.PP
-+The following port types are defined for afs:
-+
-+.EX
-+.TP 5
-+.B afs_bos_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 7007
-+.EE
-+
-+.EX
-+.TP 5
-+.B afs_client_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 7001
-+.EE
-+
-+.EX
-+.TP 5
-+.B afs_fs_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 2040
-+.EE
-+udp 7000,7005
-+.EE
-+
-+.EX
-+.TP 5
-+.B afs_ka_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 7004
-+.EE
-+
-+.EX
-+.TP 5
-+.B afs_pt_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 7002
-+.EE
-+
-+.EX
-+.TP 5
-+.B afs_vl_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 7003
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type afs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B afs_cache_t
-+
-+ /var/cache/afs(/.*)?
-+.br
-+ /usr/vice/cache(/.*)?
-+.br
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B unlabeled_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), afs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/afs_vlserver_selinux.8 b/man/man8/afs_vlserver_selinux.8
-new file mode 100644
-index 0000000..fae8285
---- /dev/null
-+++ b/man/man8/afs_vlserver_selinux.8
-@@ -0,0 +1,103 @@
-+.TH "afs_vlserver_selinux" "8" "12-11-01" "afs_vlserver" "SELinux Policy documentation for afs_vlserver"
-+.SH "NAME"
-+afs_vlserver_selinux \- Security Enhanced Linux Policy for the afs_vlserver processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the afs_vlserver processes via flexible mandatory access control.
-+
-+The afs_vlserver processes execute with the afs_vlserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep afs_vlserver_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The afs_vlserver_t SELinux type can be entered via the "afs_vlserver_exec_t" file type. The default entrypoint paths for the afs_vlserver_t domain are the following:"
-+
-+/usr/afs/bin/vlserver
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux afs_vlserver policy is very flexible allowing users to setup their afs_vlserver processes in as secure a method as possible.
-+.PP
-+The following process types are defined for afs_vlserver:
-+
-+.EX
-+.B afs_vlserver_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux afs_vlserver policy is very flexible allowing users to setup their afs_vlserver processes in as secure a method as possible.
-+.PP
-+The following file types are defined for afs_vlserver:
-+
-+
-+.EX
-+.PP
-+.B afs_vlserver_exec_t
-+.EE
-+
-+- Set files with the afs_vlserver_exec_t type, if you want to transition an executable to the afs_vlserver_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type afs_vlserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B afs_logfile_t
-+
-+ /usr/afs/logs(/.*)?
-+.br
-+
-+.br
-+.B afs_vl_db_t
-+
-+ /usr/afs/db/vl.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), afs_vlserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/aiccu_selinux.8 b/man/man8/aiccu_selinux.8
-new file mode 100644
-index 0000000..1c447a0
---- /dev/null
-+++ b/man/man8/aiccu_selinux.8
-@@ -0,0 +1,120 @@
-+.TH "aiccu_selinux" "8" "12-11-01" "aiccu" "SELinux Policy documentation for aiccu"
-+.SH "NAME"
-+aiccu_selinux \- Security Enhanced Linux Policy for the aiccu processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the aiccu processes via flexible mandatory access control.
-+
-+The aiccu processes execute with the aiccu_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep aiccu_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The aiccu_t SELinux type can be entered via the "aiccu_exec_t" file type. The default entrypoint paths for the aiccu_t domain are the following:"
-+
-+/usr/sbin/aiccu
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux aiccu policy is very flexible allowing users to setup their aiccu processes in as secure a method as possible.
-+.PP
-+The following process types are defined for aiccu:
-+
-+.EX
-+.B aiccu_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux aiccu policy is very flexible allowing users to setup their aiccu processes in as secure a method as possible.
-+.PP
-+The following file types are defined for aiccu:
-+
-+
-+.EX
-+.PP
-+.B aiccu_etc_t
-+.EE
-+
-+- Set files with the aiccu_etc_t type, if you want to store aiccu files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B aiccu_exec_t
-+.EE
-+
-+- Set files with the aiccu_exec_t type, if you want to transition an executable to the aiccu_t domain.
-+
-+
-+.EX
-+.PP
-+.B aiccu_initrc_exec_t
-+.EE
-+
-+- Set files with the aiccu_initrc_exec_t type, if you want to transition an executable to the aiccu_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B aiccu_var_run_t
-+.EE
-+
-+- Set files with the aiccu_var_run_t type, if you want to store the aiccu files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type aiccu_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B aiccu_var_run_t
-+
-+ /var/run/aiccu\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), aiccu(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/aide_selinux.8 b/man/man8/aide_selinux.8
-new file mode 100644
-index 0000000..183ad6a
---- /dev/null
-+++ b/man/man8/aide_selinux.8
-@@ -0,0 +1,120 @@
-+.TH "aide_selinux" "8" "12-11-01" "aide" "SELinux Policy documentation for aide"
-+.SH "NAME"
-+aide_selinux \- Security Enhanced Linux Policy for the aide processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the aide processes via flexible mandatory access control.
-+
-+The aide processes execute with the aide_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep aide_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The aide_t SELinux type can be entered via the "aide_exec_t" file type. The default entrypoint paths for the aide_t domain are the following:"
-+
-+/usr/sbin/aide
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux aide policy is very flexible allowing users to setup their aide processes in as secure a method as possible.
-+.PP
-+The following process types are defined for aide:
-+
-+.EX
-+.B aide_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux aide policy is very flexible allowing users to setup their aide processes in as secure a method as possible.
-+.PP
-+The following file types are defined for aide:
-+
-+
-+.EX
-+.PP
-+.B aide_db_t
-+.EE
-+
-+- Set files with the aide_db_t type, if you want to treat the files as aide database content.
-+
-+
-+.EX
-+.PP
-+.B aide_exec_t
-+.EE
-+
-+- Set files with the aide_exec_t type, if you want to transition an executable to the aide_t domain.
-+
-+
-+.EX
-+.PP
-+.B aide_log_t
-+.EE
-+
-+- Set files with the aide_log_t type, if you want to treat the data as aide log data, usually stored under the /var/log directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type aide_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B aide_db_t
-+
-+ /var/lib/aide(/.*)
-+.br
-+
-+.br
-+.B aide_log_t
-+
-+ /var/log/aide(/.*)?
-+.br
-+ /var/log/aide\.log.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), aide(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/aisexec_selinux.8 b/man/man8/aisexec_selinux.8
-new file mode 100644
-index 0000000..ced319f
---- /dev/null
-+++ b/man/man8/aisexec_selinux.8
-@@ -0,0 +1,206 @@
-+.TH "aisexec_selinux" "8" "12-11-01" "aisexec" "SELinux Policy documentation for aisexec"
-+.SH "NAME"
-+aisexec_selinux \- Security Enhanced Linux Policy for the aisexec processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the aisexec processes via flexible mandatory access control.
-+
-+The aisexec processes execute with the aisexec_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep aisexec_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The aisexec_t SELinux type can be entered via the "aisexec_exec_t" file type. The default entrypoint paths for the aisexec_t domain are the following:"
-+
-+/usr/sbin/aisexec
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux aisexec policy is very flexible allowing users to setup their aisexec processes in as secure a method as possible.
-+.PP
-+The following process types are defined for aisexec:
-+
-+.EX
-+.B aisexec_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux aisexec policy is very flexible allowing users to setup their aisexec processes in as secure a method as possible.
-+.PP
-+The following file types are defined for aisexec:
-+
-+
-+.EX
-+.PP
-+.B aisexec_exec_t
-+.EE
-+
-+- Set files with the aisexec_exec_t type, if you want to transition an executable to the aisexec_t domain.
-+
-+
-+.EX
-+.PP
-+.B aisexec_initrc_exec_t
-+.EE
-+
-+- Set files with the aisexec_initrc_exec_t type, if you want to transition an executable to the aisexec_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B aisexec_tmp_t
-+.EE
-+
-+- Set files with the aisexec_tmp_t type, if you want to store aisexec temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B aisexec_tmpfs_t
-+.EE
-+
-+- Set files with the aisexec_tmpfs_t type, if you want to store aisexec files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B aisexec_var_lib_t
-+.EE
-+
-+- Set files with the aisexec_var_lib_t type, if you want to store the aisexec files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B aisexec_var_log_t
-+.EE
-+
-+- Set files with the aisexec_var_log_t type, if you want to treat the data as aisexec var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B aisexec_var_run_t
-+.EE
-+
-+- Set files with the aisexec_var_run_t type, if you want to store the aisexec files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type aisexec_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B aisexec_tmp_t
-+
-+
-+.br
-+.B aisexec_tmpfs_t
-+
-+
-+.br
-+.B aisexec_var_lib_t
-+
-+ /var/lib/openais(/.*)?
-+.br
-+
-+.br
-+.B aisexec_var_log_t
-+
-+ /var/log/cluster/aisexec\.log.*
-+.br
-+
-+.br
-+.B aisexec_var_run_t
-+
-+ /var/run/aisexec\.pid
-+.br
-+
-+.br
-+.B dlm_controld_tmpfs_t
-+
-+
-+.br
-+.B fenced_tmpfs_t
-+
-+
-+.br
-+.B gfs_controld_tmpfs_t
-+
-+
-+.br
-+.B groupd_tmpfs_t
-+
-+
-+.br
-+.B initrc_tmp_t
-+
-+
-+.br
-+.B var_lib_t
-+
-+ /opt/(.*/)?var/lib(/.*)?
-+.br
-+ /var/lib(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the aisexec_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the aisexec_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), aisexec(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ajaxterm_selinux.8 b/man/man8/ajaxterm_selinux.8
-new file mode 100644
-index 0000000..2423a73
---- /dev/null
-+++ b/man/man8/ajaxterm_selinux.8
-@@ -0,0 +1,184 @@
-+.TH "ajaxterm_selinux" "8" "12-11-01" "ajaxterm" "SELinux Policy documentation for ajaxterm"
-+.SH "NAME"
-+ajaxterm_selinux \- Security Enhanced Linux Policy for the ajaxterm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ajaxterm processes via flexible mandatory access control.
-+
-+The ajaxterm processes execute with the ajaxterm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ajaxterm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ajaxterm_t SELinux type can be entered via the "ajaxterm_exec_t" file type. The default entrypoint paths for the ajaxterm_t domain are the following:"
-+
-+/usr/share/ajaxterm/ajaxterm\.py
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ajaxterm policy is very flexible allowing users to setup their ajaxterm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ajaxterm:
-+
-+.EX
-+.B ajaxterm_ssh_t, ajaxterm_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ajaxterm policy is very flexible allowing users to setup their ajaxterm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ajaxterm:
-+
-+
-+.EX
-+.PP
-+.B ajaxterm_exec_t
-+.EE
-+
-+- Set files with the ajaxterm_exec_t type, if you want to transition an executable to the ajaxterm_t domain.
-+
-+
-+.EX
-+.PP
-+.B ajaxterm_initrc_exec_t
-+.EE
-+
-+- Set files with the ajaxterm_initrc_exec_t type, if you want to transition an executable to the ajaxterm_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B ajaxterm_var_run_t
-+.EE
-+
-+- Set files with the ajaxterm_var_run_t type, if you want to store the ajaxterm files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux ajaxterm policy is very flexible allowing users to setup their ajaxterm processes in as secure a method as possible.
-+.PP
-+The following port types are defined for ajaxterm:
-+
-+.EX
-+.TP 5
-+.B ajaxterm_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 8022
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ajaxterm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ajaxterm_var_run_t
-+
-+ /var/run/ajaxterm\.pid
-+.br
-+
-+.br
-+.B ssh_home_t
-+
-+ /root/\.ssh(/.*)?
-+.br
-+ /var/lib/openshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/amanda/\.ssh(/.*)?
-+.br
-+ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite/\.ssh(/.*)?
-+.br
-+ /var/lib/nocpulse/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite3/\.ssh(/.*)?
-+.br
-+ /root/\.shosts
-+.br
-+ /home/[^/]*/\.ssh(/.*)?
-+.br
-+ /home/[^/]*/\.shosts
-+.br
-+ /home/dwalsh/\.ssh(/.*)?
-+.br
-+ /home/dwalsh/\.shosts
-+.br
-+ /var/lib/xguest/home/xguest/\.ssh(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.shosts
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ajaxterm_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ajaxterm_ssh_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ajaxterm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/alsa_selinux.8 b/man/man8/alsa_selinux.8
-new file mode 100644
-index 0000000..75888ee
---- /dev/null
-+++ b/man/man8/alsa_selinux.8
-@@ -0,0 +1,170 @@
-+.TH "alsa_selinux" "8" "12-11-01" "alsa" "SELinux Policy documentation for alsa"
-+.SH "NAME"
-+alsa_selinux \- Security Enhanced Linux Policy for the alsa processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the alsa processes via flexible mandatory access control.
-+
-+The alsa processes execute with the alsa_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep alsa_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The alsa_t SELinux type can be entered via the "alsa_exec_t" file type. The default entrypoint paths for the alsa_t domain are the following:"
-+
-+/sbin/salsa, /sbin/alsactl, /usr/bin/ainit, /bin/alsaunmute, /usr/sbin/salsa, /usr/sbin/alsactl, /usr/bin/alsaunmute
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux alsa policy is very flexible allowing users to setup their alsa processes in as secure a method as possible.
-+.PP
-+The following process types are defined for alsa:
-+
-+.EX
-+.B alsa_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux alsa policy is very flexible allowing users to setup their alsa processes in as secure a method as possible.
-+.PP
-+The following file types are defined for alsa:
-+
-+
-+.EX
-+.PP
-+.B alsa_etc_rw_t
-+.EE
-+
-+- Set files with the alsa_etc_rw_t type, if you want to treat the files as alsa etc read/write content.
-+
-+
-+.EX
-+.PP
-+.B alsa_exec_t
-+.EE
-+
-+- Set files with the alsa_exec_t type, if you want to transition an executable to the alsa_t domain.
-+
-+
-+.EX
-+.PP
-+.B alsa_home_t
-+.EE
-+
-+- Set files with the alsa_home_t type, if you want to store alsa files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B alsa_tmp_t
-+.EE
-+
-+- Set files with the alsa_tmp_t type, if you want to store alsa temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B alsa_unit_file_t
-+.EE
-+
-+- Set files with the alsa_unit_file_t type, if you want to treat the files as alsa unit content.
-+
-+
-+.EX
-+.PP
-+.B alsa_var_lib_t
-+.EE
-+
-+- Set files with the alsa_var_lib_t type, if you want to store the alsa files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type alsa_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B alsa_etc_rw_t
-+
-+ /etc/asound(/.*)?
-+.br
-+ /etc/alsa/pcm(/.*)?
-+.br
-+ /usr/share/alsa/pcm(/.*)?
-+.br
-+ /etc/asound\.state
-+.br
-+ /etc/alsa/asound\.state
-+.br
-+ /usr/share/alsa/alsa\.conf
-+.br
-+
-+.br
-+.B alsa_tmp_t
-+
-+
-+.br
-+.B alsa_var_lib_t
-+
-+ /var/lib/alsa(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the alsa_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the alsa_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), alsa(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/amanda_recover_selinux.8 b/man/man8/amanda_recover_selinux.8
-new file mode 100644
-index 0000000..680559a
---- /dev/null
-+++ b/man/man8/amanda_recover_selinux.8
-@@ -0,0 +1,131 @@
-+.TH "amanda_recover_selinux" "8" "12-11-01" "amanda_recover" "SELinux Policy documentation for amanda_recover"
-+.SH "NAME"
-+amanda_recover_selinux \- Security Enhanced Linux Policy for the amanda_recover processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the amanda_recover processes via flexible mandatory access control.
-+
-+The amanda_recover processes execute with the amanda_recover_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep amanda_recover_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The amanda_recover_t SELinux type can be entered via the "amanda_recover_exec_t" file type. The default entrypoint paths for the amanda_recover_t domain are the following:"
-+
-+/usr/sbin/amrecover
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux amanda_recover policy is very flexible allowing users to setup their amanda_recover processes in as secure a method as possible.
-+.PP
-+The following process types are defined for amanda_recover:
-+
-+.EX
-+.B amanda_recover_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux amanda_recover policy is very flexible allowing users to setup their amanda_recover processes in as secure a method as possible.
-+.PP
-+The following file types are defined for amanda_recover:
-+
-+
-+.EX
-+.PP
-+.B amanda_recover_dir_t
-+.EE
-+
-+- Set files with the amanda_recover_dir_t type, if you want to treat the files as amanda recover dir data.
-+
-+
-+.EX
-+.PP
-+.B amanda_recover_exec_t
-+.EE
-+
-+- Set files with the amanda_recover_exec_t type, if you want to transition an executable to the amanda_recover_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type amanda_recover_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B amanda_log_t
-+
-+ /var/log/amanda(/.*)?
-+.br
-+ /var/lib/amanda/[^/]*/log(/.*)?
-+.br
-+
-+.br
-+.B amanda_recover_dir_t
-+
-+ /root/restore
-+.br
-+
-+.br
-+.B amanda_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amanda_recover_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the amanda_recover_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), amanda_recover(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, amanda_selinux(8), amanda_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/amanda_selinux.8 b/man/man8/amanda_selinux.8
-new file mode 100644
-index 0000000..6bdbec5
---- /dev/null
-+++ b/man/man8/amanda_selinux.8
-@@ -0,0 +1,277 @@
-+.TH "amanda_selinux" "8" "12-11-01" "amanda" "SELinux Policy documentation for amanda"
-+.SH "NAME"
-+amanda_selinux \- Security Enhanced Linux Policy for the amanda processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the amanda processes via flexible mandatory access control.
-+
-+The amanda processes execute with the amanda_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep amanda_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The amanda_t SELinux type can be entered via the "amanda_exec_t,amanda_inetd_exec_t" file types. The default entrypoint paths for the amanda_t domain are the following:"
-+
-+/usr/lib/amanda/.+, /usr/lib/amanda/amandad, /usr/lib/amanda/amindexd, /usr/lib/amanda/amidxtaped
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible.
-+.PP
-+The following process types are defined for amanda:
-+
-+.EX
-+.B amanda_t, amanda_recover_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible.
-+.PP
-+The following file types are defined for amanda:
-+
-+
-+.EX
-+.PP
-+.B amanda_amandates_t
-+.EE
-+
-+- Set files with the amanda_amandates_t type, if you want to treat the files as amanda amandates data.
-+
-+
-+.EX
-+.PP
-+.B amanda_config_t
-+.EE
-+
-+- Set files with the amanda_config_t type, if you want to treat the files as amanda configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B amanda_data_t
-+.EE
-+
-+- Set files with the amanda_data_t type, if you want to treat the files as amanda content.
-+
-+
-+.EX
-+.PP
-+.B amanda_dumpdates_t
-+.EE
-+
-+- Set files with the amanda_dumpdates_t type, if you want to treat the files as amanda dumpdates data.
-+
-+
-+.EX
-+.PP
-+.B amanda_exec_t
-+.EE
-+
-+- Set files with the amanda_exec_t type, if you want to transition an executable to the amanda_t domain.
-+
-+
-+.EX
-+.PP
-+.B amanda_gnutarlists_t
-+.EE
-+
-+- Set files with the amanda_gnutarlists_t type, if you want to treat the files as amanda gnutarlists data.
-+
-+
-+.EX
-+.PP
-+.B amanda_inetd_exec_t
-+.EE
-+
-+- Set files with the amanda_inetd_exec_t type, if you want to transition an executable to the amanda_inetd_t domain.
-+
-+
-+.EX
-+.PP
-+.B amanda_log_t
-+.EE
-+
-+- Set files with the amanda_log_t type, if you want to treat the data as amanda log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B amanda_recover_dir_t
-+.EE
-+
-+- Set files with the amanda_recover_dir_t type, if you want to treat the files as amanda recover dir data.
-+
-+
-+.EX
-+.PP
-+.B amanda_recover_exec_t
-+.EE
-+
-+- Set files with the amanda_recover_exec_t type, if you want to transition an executable to the amanda_recover_t domain.
-+
-+
-+.EX
-+.PP
-+.B amanda_tmp_t
-+.EE
-+
-+- Set files with the amanda_tmp_t type, if you want to store amanda temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B amanda_usr_lib_t
-+.EE
-+
-+- Set files with the amanda_usr_lib_t type, if you want to treat the files as amanda usr lib data.
-+
-+
-+.EX
-+.PP
-+.B amanda_var_lib_t
-+.EE
-+
-+- Set files with the amanda_var_lib_t type, if you want to store the amanda files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible.
-+.PP
-+The following port types are defined for amanda:
-+
-+.EX
-+.TP 5
-+.B amanda_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 10080-10083
-+.EE
-+udp 10080-10082
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type amanda_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B amanda_amandates_t
-+
-+ /etc/amandates
-+.br
-+
-+.br
-+.B amanda_data_t
-+
-+ /etc/amanda/.*/index(/.*)?
-+.br
-+ /etc/amanda/.*/tapelist(/.*)?
-+.br
-+ /var/lib/amanda/[^/]+(/.*)?
-+.br
-+
-+.br
-+.B amanda_dumpdates_t
-+
-+ /etc/dumpdates
-+.br
-+
-+.br
-+.B amanda_gnutarlists_t
-+
-+ /var/lib/amanda/gnutar-lists(/.*)?
-+.br
-+
-+.br
-+.B amanda_log_t
-+
-+ /var/log/amanda(/.*)?
-+.br
-+ /var/lib/amanda/[^/]*/log(/.*)?
-+.br
-+
-+.br
-+.B amanda_tmp_t
-+
-+
-+.br
-+.B amanda_var_lib_t
-+
-+ /var/lib/amanda/[^/]+/index(/.*)?
-+.br
-+ /var/lib/amanda
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amanda_recover_t, amanda_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the amanda_recover_t, amanda_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), amanda(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, amanda_recover_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/amavis_selinux.8 b/man/man8/amavis_selinux.8
-new file mode 100644
-index 0000000..28b1547
---- /dev/null
-+++ b/man/man8/amavis_selinux.8
-@@ -0,0 +1,283 @@
-+.TH "amavis_selinux" "8" "12-11-01" "amavis" "SELinux Policy documentation for amavis"
-+.SH "NAME"
-+amavis_selinux \- Security Enhanced Linux Policy for the amavis processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the amavis processes via flexible mandatory access control.
-+
-+The amavis processes execute with the amavis_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep amavis_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The amavis_t SELinux type can be entered via the "amavis_exec_t" file type. The default entrypoint paths for the amavis_t domain are the following:"
-+
-+/usr/sbin/amavisd.*, /usr/lib/AntiVir/antivir
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux amavis policy is very flexible allowing users to setup their amavis processes in as secure a method as possible.
-+.PP
-+The following process types are defined for amavis:
-+
-+.EX
-+.B amavis_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. amavis policy is extremely flexible and has several booleans that allow you to manipulate the policy and run amavis with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow amavis to use JIT compiler, you must turn on the amavis_use_jit boolean.
-+
-+.EX
-+.B setsebool -P amavis_use_jit 1
-+.EE
-+
-+.PP
-+If you want to allow amavis to use JIT compiler, you must turn on the amavis_use_jit boolean.
-+
-+.EX
-+.B setsebool -P amavis_use_jit 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux amavis policy is very flexible allowing users to setup their amavis processes in as secure a method as possible.
-+.PP
-+The following file types are defined for amavis:
-+
-+
-+.EX
-+.PP
-+.B amavis_etc_t
-+.EE
-+
-+- Set files with the amavis_etc_t type, if you want to store amavis files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B amavis_exec_t
-+.EE
-+
-+- Set files with the amavis_exec_t type, if you want to transition an executable to the amavis_t domain.
-+
-+
-+.EX
-+.PP
-+.B amavis_initrc_exec_t
-+.EE
-+
-+- Set files with the amavis_initrc_exec_t type, if you want to transition an executable to the amavis_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B amavis_quarantine_t
-+.EE
-+
-+- Set files with the amavis_quarantine_t type, if you want to treat the files as amavis quarantine data.
-+
-+
-+.EX
-+.PP
-+.B amavis_spool_t
-+.EE
-+
-+- Set files with the amavis_spool_t type, if you want to store the amavis files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B amavis_tmp_t
-+.EE
-+
-+- Set files with the amavis_tmp_t type, if you want to store amavis temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B amavis_var_lib_t
-+.EE
-+
-+- Set files with the amavis_var_lib_t type, if you want to store the amavis files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B amavis_var_log_t
-+.EE
-+
-+- Set files with the amavis_var_log_t type, if you want to treat the data as amavis var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B amavis_var_run_t
-+.EE
-+
-+- Set files with the amavis_var_run_t type, if you want to store the amavis files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux amavis policy is very flexible allowing users to setup their amavis processes in as secure a method as possible.
-+.PP
-+The following port types are defined for amavis:
-+
-+.EX
-+.TP 5
-+.B amavisd_recv_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 10024
-+.EE
-+
-+.EX
-+.TP 5
-+.B amavisd_send_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 10025
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type amavis_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B amavis_quarantine_t
-+
-+ /var/virusmails(/.*)?
-+.br
-+
-+.br
-+.B amavis_spool_t
-+
-+ /var/spool/amavisd(/.*)?
-+.br
-+
-+.br
-+.B amavis_tmp_t
-+
-+
-+.br
-+.B amavis_var_lib_t
-+
-+ /var/amavis(/.*)?
-+.br
-+ /var/lib/amavis(/.*)?
-+.br
-+
-+.br
-+.B amavis_var_log_t
-+
-+ /var/log/amavisd\.log.*
-+.br
-+
-+.br
-+.B amavis_var_run_t
-+
-+ /var/run/amavis(d)?(/.*)?
-+.br
-+
-+.br
-+.B antivirus_db_t
-+
-+ /var/opt/f-secure(/.*)?
-+.br
-+
-+.br
-+.B snmpd_var_lib_t
-+
-+ /var/agentx(/.*)?
-+.br
-+ /var/lib/snmp(/.*)?
-+.br
-+ /var/net-snmp(/.*)?
-+.br
-+ /var/lib/net-snmp(/.*)?
-+.br
-+ /usr/share/snmp/mibs/\.index
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amavis_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the amavis_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), amavis(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/amtu_selinux.8 b/man/man8/amtu_selinux.8
-new file mode 100644
-index 0000000..96416ac
---- /dev/null
-+++ b/man/man8/amtu_selinux.8
-@@ -0,0 +1,102 @@
-+.TH "amtu_selinux" "8" "12-11-01" "amtu" "SELinux Policy documentation for amtu"
-+.SH "NAME"
-+amtu_selinux \- Security Enhanced Linux Policy for the amtu processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the amtu processes via flexible mandatory access control.
-+
-+The amtu processes execute with the amtu_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep amtu_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The amtu_t SELinux type can be entered via the "amtu_exec_t" file type. The default entrypoint paths for the amtu_t domain are the following:"
-+
-+/usr/bin/amtu
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux amtu policy is very flexible allowing users to setup their amtu processes in as secure a method as possible.
-+.PP
-+The following process types are defined for amtu:
-+
-+.EX
-+.B amtu_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux amtu policy is very flexible allowing users to setup their amtu processes in as secure a method as possible.
-+.PP
-+The following file types are defined for amtu:
-+
-+
-+.EX
-+.PP
-+.B amtu_exec_t
-+.EE
-+
-+- Set files with the amtu_exec_t type, if you want to transition an executable to the amtu_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type amtu_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B boot_t
-+
-+ /boot/.*
-+.br
-+ /vmlinuz.*
-+.br
-+ /initrd\.img.*
-+.br
-+ /boot
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), amtu(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/apache_selinux.8 b/man/man8/apache_selinux.8
-new file mode 100644
-index 0000000..1ff959f
---- /dev/null
-+++ b/man/man8/apache_selinux.8
-@@ -0,0 +1 @@
-+.so man8/httpd_selinux.8
-\ No newline at end of file
-diff --git a/man/man8/apcupsd_selinux.8 b/man/man8/apcupsd_selinux.8
-new file mode 100644
-index 0000000..5c83a01
---- /dev/null
-+++ b/man/man8/apcupsd_selinux.8
-@@ -0,0 +1,264 @@
-+.TH "apcupsd_selinux" "8" "12-11-01" "apcupsd" "SELinux Policy documentation for apcupsd"
-+.SH "NAME"
-+apcupsd_selinux \- Security Enhanced Linux Policy for the apcupsd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the apcupsd processes via flexible mandatory access control.
-+
-+The apcupsd processes execute with the apcupsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep apcupsd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The apcupsd_t SELinux type can be entered via the "apcupsd_exec_t" file type. The default entrypoint paths for the apcupsd_t domain are the following:"
-+
-+/sbin/apcupsd, /usr/sbin/apcupsd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux apcupsd policy is very flexible allowing users to setup their apcupsd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for apcupsd:
-+
-+.EX
-+.B apcupsd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux apcupsd policy is very flexible allowing users to setup their apcupsd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for apcupsd:
-+
-+
-+.EX
-+.PP
-+.B apcupsd_exec_t
-+.EE
-+
-+- Set files with the apcupsd_exec_t type, if you want to transition an executable to the apcupsd_t domain.
-+
-+
-+.EX
-+.PP
-+.B apcupsd_initrc_exec_t
-+.EE
-+
-+- Set files with the apcupsd_initrc_exec_t type, if you want to transition an executable to the apcupsd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B apcupsd_lock_t
-+.EE
-+
-+- Set files with the apcupsd_lock_t type, if you want to treat the files as apcupsd lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B apcupsd_log_t
-+.EE
-+
-+- Set files with the apcupsd_log_t type, if you want to treat the data as apcupsd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B apcupsd_tmp_t
-+.EE
-+
-+- Set files with the apcupsd_tmp_t type, if you want to store apcupsd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B apcupsd_unit_file_t
-+.EE
-+
-+- Set files with the apcupsd_unit_file_t type, if you want to treat the files as apcupsd unit content.
-+
-+
-+.EX
-+.PP
-+.B apcupsd_var_run_t
-+.EE
-+
-+- Set files with the apcupsd_var_run_t type, if you want to store the apcupsd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux apcupsd policy is very flexible allowing users to setup their apcupsd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for apcupsd:
-+
-+.EX
-+.TP 5
-+.B apcupsd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 3551
-+.EE
-+udp 3551
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type apcupsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B apcupsd_lock_t
-+
-+ /var/lock/subsys/apcupsd
-+.br
-+
-+.br
-+.B apcupsd_log_t
-+
-+ /var/log/apcupsd\.events.*
-+.br
-+ /var/log/apcupsd\.status.*
-+.br
-+
-+.br
-+.B apcupsd_tmp_t
-+
-+
-+.br
-+.B apcupsd_var_run_t
-+
-+ /var/run/apcupsd\.pid
-+.br
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), apcupsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/apm_selinux.8 b/man/man8/apm_selinux.8
-new file mode 100644
-index 0000000..2791aca
---- /dev/null
-+++ b/man/man8/apm_selinux.8
-@@ -0,0 +1,149 @@
-+.TH "apm_selinux" "8" "12-11-01" "apm" "SELinux Policy documentation for apm"
-+.SH "NAME"
-+apm_selinux \- Security Enhanced Linux Policy for the apm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the apm processes via flexible mandatory access control.
-+
-+The apm processes execute with the apm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep apm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The apm_t SELinux type can be entered via the "apm_exec_t" file type. The default entrypoint paths for the apm_t domain are the following:"
-+
-+/usr/bin/apm
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux apm policy is very flexible allowing users to setup their apm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for apm:
-+
-+.EX
-+.B apm_t, apmd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux apm policy is very flexible allowing users to setup their apm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for apm:
-+
-+
-+.EX
-+.PP
-+.B apm_exec_t
-+.EE
-+
-+- Set files with the apm_exec_t type, if you want to transition an executable to the apm_t domain.
-+
-+
-+.EX
-+.PP
-+.B apmd_exec_t
-+.EE
-+
-+- Set files with the apmd_exec_t type, if you want to transition an executable to the apmd_t domain.
-+
-+
-+.EX
-+.PP
-+.B apmd_lock_t
-+.EE
-+
-+- Set files with the apmd_lock_t type, if you want to treat the files as apmd lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B apmd_log_t
-+.EE
-+
-+- Set files with the apmd_log_t type, if you want to treat the data as apmd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B apmd_tmp_t
-+.EE
-+
-+- Set files with the apmd_tmp_t type, if you want to store apmd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B apmd_unit_file_t
-+.EE
-+
-+- Set files with the apmd_unit_file_t type, if you want to treat the files as apmd unit content.
-+
-+
-+.EX
-+.PP
-+.B apmd_var_run_t
-+.EE
-+
-+- Set files with the apmd_var_run_t type, if you want to store the apmd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), apm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, apmd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/apmd_selinux.8 b/man/man8/apmd_selinux.8
-new file mode 100644
-index 0000000..071cf38
---- /dev/null
-+++ b/man/man8/apmd_selinux.8
-@@ -0,0 +1,229 @@
-+.TH "apmd_selinux" "8" "12-11-01" "apmd" "SELinux Policy documentation for apmd"
-+.SH "NAME"
-+apmd_selinux \- Security Enhanced Linux Policy for the apmd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the apmd processes via flexible mandatory access control.
-+
-+The apmd processes execute with the apmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep apmd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The apmd_t SELinux type can be entered via the "apmd_exec_t" file type. The default entrypoint paths for the apmd_t domain are the following:"
-+
-+/usr/sbin/apmd, /usr/sbin/acpid, /usr/sbin/powersaved
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux apmd policy is very flexible allowing users to setup their apmd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for apmd:
-+
-+.EX
-+.B apm_t, apmd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux apmd policy is very flexible allowing users to setup their apmd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for apmd:
-+
-+
-+.EX
-+.PP
-+.B apmd_exec_t
-+.EE
-+
-+- Set files with the apmd_exec_t type, if you want to transition an executable to the apmd_t domain.
-+
-+
-+.EX
-+.PP
-+.B apmd_lock_t
-+.EE
-+
-+- Set files with the apmd_lock_t type, if you want to treat the files as apmd lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B apmd_log_t
-+.EE
-+
-+- Set files with the apmd_log_t type, if you want to treat the data as apmd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B apmd_tmp_t
-+.EE
-+
-+- Set files with the apmd_tmp_t type, if you want to store apmd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B apmd_unit_file_t
-+.EE
-+
-+- Set files with the apmd_unit_file_t type, if you want to treat the files as apmd unit content.
-+
-+
-+.EX
-+.PP
-+.B apmd_var_run_t
-+.EE
-+
-+- Set files with the apmd_var_run_t type, if you want to store the apmd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type apmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B adjtime_t
-+
-+ /etc/adjtime
-+.br
-+
-+.br
-+.B apmd_lock_t
-+
-+
-+.br
-+.B apmd_log_t
-+
-+ /var/log/acpid.*
-+.br
-+
-+.br
-+.B apmd_tmp_t
-+
-+
-+.br
-+.B apmd_var_run_t
-+
-+ /var/run/\.?acpid\.socket
-+.br
-+ /var/run/apmd\.pid
-+.br
-+ /var/run/powersaved\.pid
-+.br
-+ /var/run/powersave_socket
-+.br
-+
-+.br
-+.B devicekit_var_log_t
-+
-+ /var/log/pm-suspend\.log.*
-+.br
-+ /var/log/pm-powersave\.log.*
-+.br
-+
-+.br
-+.B devicekit_var_run_t
-+
-+ /var/run/udisks.*
-+.br
-+ /var/run/devkit(/.*)?
-+.br
-+ /var/run/upower(/.*)?
-+.br
-+ /var/run/pm-utils(/.*)?
-+.br
-+ /var/run/DeviceKit-disks(/.*)?
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B sysctl_type
-+
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), apmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, apm_selinux(8), apm_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/arpwatch_selinux.8 b/man/man8/arpwatch_selinux.8
-new file mode 100644
-index 0000000..d869564
---- /dev/null
-+++ b/man/man8/arpwatch_selinux.8
-@@ -0,0 +1,160 @@
-+.TH "arpwatch_selinux" "8" "12-11-01" "arpwatch" "SELinux Policy documentation for arpwatch"
-+.SH "NAME"
-+arpwatch_selinux \- Security Enhanced Linux Policy for the arpwatch processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the arpwatch processes via flexible mandatory access control.
-+
-+The arpwatch processes execute with the arpwatch_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep arpwatch_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The arpwatch_t SELinux type can be entered via the "arpwatch_exec_t" file type. The default entrypoint paths for the arpwatch_t domain are the following:"
-+
-+/usr/sbin/arpwatch
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux arpwatch policy is very flexible allowing users to setup their arpwatch processes in as secure a method as possible.
-+.PP
-+The following process types are defined for arpwatch:
-+
-+.EX
-+.B arpwatch_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux arpwatch policy is very flexible allowing users to setup their arpwatch processes in as secure a method as possible.
-+.PP
-+The following file types are defined for arpwatch:
-+
-+
-+.EX
-+.PP
-+.B arpwatch_data_t
-+.EE
-+
-+- Set files with the arpwatch_data_t type, if you want to treat the files as arpwatch content.
-+
-+
-+.EX
-+.PP
-+.B arpwatch_exec_t
-+.EE
-+
-+- Set files with the arpwatch_exec_t type, if you want to transition an executable to the arpwatch_t domain.
-+
-+
-+.EX
-+.PP
-+.B arpwatch_initrc_exec_t
-+.EE
-+
-+- Set files with the arpwatch_initrc_exec_t type, if you want to transition an executable to the arpwatch_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B arpwatch_tmp_t
-+.EE
-+
-+- Set files with the arpwatch_tmp_t type, if you want to store arpwatch temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B arpwatch_unit_file_t
-+.EE
-+
-+- Set files with the arpwatch_unit_file_t type, if you want to treat the files as arpwatch unit content.
-+
-+
-+.EX
-+.PP
-+.B arpwatch_var_run_t
-+.EE
-+
-+- Set files with the arpwatch_var_run_t type, if you want to store the arpwatch files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type arpwatch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B arpwatch_data_t
-+
-+ /var/arpwatch(/.*)?
-+.br
-+ /var/lib/arpwatch(/.*)?
-+.br
-+
-+.br
-+.B arpwatch_tmp_t
-+
-+
-+.br
-+.B arpwatch_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the arpwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the arpwatch_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), arpwatch(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/asterisk_selinux.8 b/man/man8/asterisk_selinux.8
-new file mode 100644
-index 0000000..070e49b
---- /dev/null
-+++ b/man/man8/asterisk_selinux.8
-@@ -0,0 +1,228 @@
-+.TH "asterisk_selinux" "8" "12-11-01" "asterisk" "SELinux Policy documentation for asterisk"
-+.SH "NAME"
-+asterisk_selinux \- Security Enhanced Linux Policy for the asterisk processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the asterisk processes via flexible mandatory access control.
-+
-+The asterisk processes execute with the asterisk_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep asterisk_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The asterisk_t SELinux type can be entered via the "asterisk_exec_t" file type. The default entrypoint paths for the asterisk_t domain are the following:"
-+
-+/usr/sbin/asterisk
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux asterisk policy is very flexible allowing users to setup their asterisk processes in as secure a method as possible.
-+.PP
-+The following process types are defined for asterisk:
-+
-+.EX
-+.B asterisk_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux asterisk policy is very flexible allowing users to setup their asterisk processes in as secure a method as possible.
-+.PP
-+The following file types are defined for asterisk:
-+
-+
-+.EX
-+.PP
-+.B asterisk_etc_t
-+.EE
-+
-+- Set files with the asterisk_etc_t type, if you want to store asterisk files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B asterisk_exec_t
-+.EE
-+
-+- Set files with the asterisk_exec_t type, if you want to transition an executable to the asterisk_t domain.
-+
-+
-+.EX
-+.PP
-+.B asterisk_initrc_exec_t
-+.EE
-+
-+- Set files with the asterisk_initrc_exec_t type, if you want to transition an executable to the asterisk_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B asterisk_log_t
-+.EE
-+
-+- Set files with the asterisk_log_t type, if you want to treat the data as asterisk log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B asterisk_spool_t
-+.EE
-+
-+- Set files with the asterisk_spool_t type, if you want to store the asterisk files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B asterisk_tmp_t
-+.EE
-+
-+- Set files with the asterisk_tmp_t type, if you want to store asterisk temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B asterisk_tmpfs_t
-+.EE
-+
-+- Set files with the asterisk_tmpfs_t type, if you want to store asterisk files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B asterisk_var_lib_t
-+.EE
-+
-+- Set files with the asterisk_var_lib_t type, if you want to store the asterisk files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B asterisk_var_run_t
-+.EE
-+
-+- Set files with the asterisk_var_run_t type, if you want to store the asterisk files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux asterisk policy is very flexible allowing users to setup their asterisk processes in as secure a method as possible.
-+.PP
-+The following port types are defined for asterisk:
-+
-+.EX
-+.TP 5
-+.B asterisk_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 1720
-+.EE
-+udp 2427,2727,4569
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type asterisk_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B asterisk_log_t
-+
-+ /var/log/asterisk(/.*)?
-+.br
-+
-+.br
-+.B asterisk_spool_t
-+
-+ /var/spool/asterisk(/.*)?
-+.br
-+
-+.br
-+.B asterisk_tmp_t
-+
-+
-+.br
-+.B asterisk_tmpfs_t
-+
-+
-+.br
-+.B asterisk_var_lib_t
-+
-+ /var/lib/asterisk(/.*)?
-+.br
-+
-+.br
-+.B asterisk_var_run_t
-+
-+ /var/run/asterisk(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the asterisk_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the asterisk_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), asterisk(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/audisp_remote_selinux.8 b/man/man8/audisp_remote_selinux.8
-new file mode 100644
-index 0000000..e4c6d66
---- /dev/null
-+++ b/man/man8/audisp_remote_selinux.8
-@@ -0,0 +1,119 @@
-+.TH "audisp_remote_selinux" "8" "12-11-01" "audisp_remote" "SELinux Policy documentation for audisp_remote"
-+.SH "NAME"
-+audisp_remote_selinux \- Security Enhanced Linux Policy for the audisp_remote processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the audisp_remote processes via flexible mandatory access control.
-+
-+The audisp_remote processes execute with the audisp_remote_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep audisp_remote_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The audisp_remote_t SELinux type can be entered via the "audisp_remote_exec_t" file type. The default entrypoint paths for the audisp_remote_t domain are the following:"
-+
-+/sbin/audisp-remote, /usr/sbin/audisp-remote
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux audisp_remote policy is very flexible allowing users to setup their audisp_remote processes in as secure a method as possible.
-+.PP
-+The following process types are defined for audisp_remote:
-+
-+.EX
-+.B audisp_remote_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux audisp_remote policy is very flexible allowing users to setup their audisp_remote processes in as secure a method as possible.
-+.PP
-+The following file types are defined for audisp_remote:
-+
-+
-+.EX
-+.PP
-+.B audisp_remote_exec_t
-+.EE
-+
-+- Set files with the audisp_remote_exec_t type, if you want to transition an executable to the audisp_remote_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type audisp_remote_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B audit_spool_t
-+
-+ /var/spool/audit(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the audisp_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the audisp_remote_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), audisp_remote(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, audisp_selinux(8), audisp_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/audisp_selinux.8 b/man/man8/audisp_selinux.8
-new file mode 100644
-index 0000000..b50bbfe
---- /dev/null
-+++ b/man/man8/audisp_selinux.8
-@@ -0,0 +1,117 @@
-+.TH "audisp_selinux" "8" "12-11-01" "audisp" "SELinux Policy documentation for audisp"
-+.SH "NAME"
-+audisp_selinux \- Security Enhanced Linux Policy for the audisp processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the audisp processes via flexible mandatory access control.
-+
-+The audisp processes execute with the audisp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep audisp_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The audisp_t SELinux type can be entered via the "audisp_exec_t" file type. The default entrypoint paths for the audisp_t domain are the following:"
-+
-+/sbin/audispd, /usr/sbin/audispd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux audisp policy is very flexible allowing users to setup their audisp processes in as secure a method as possible.
-+.PP
-+The following process types are defined for audisp:
-+
-+.EX
-+.B audisp_remote_t, audisp_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux audisp policy is very flexible allowing users to setup their audisp processes in as secure a method as possible.
-+.PP
-+The following file types are defined for audisp:
-+
-+
-+.EX
-+.PP
-+.B audisp_exec_t
-+.EE
-+
-+- Set files with the audisp_exec_t type, if you want to transition an executable to the audisp_t domain.
-+
-+
-+.EX
-+.PP
-+.B audisp_remote_exec_t
-+.EE
-+
-+- Set files with the audisp_remote_exec_t type, if you want to transition an executable to the audisp_remote_t domain.
-+
-+
-+.EX
-+.PP
-+.B audisp_var_run_t
-+.EE
-+
-+- Set files with the audisp_var_run_t type, if you want to store the audisp files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the audisp_t, audisp_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the audisp_t, audisp_remote_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), audisp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, audisp_remote_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/auditadm_selinux.8 b/man/man8/auditadm_selinux.8
-new file mode 100644
-index 0000000..42e7075
---- /dev/null
-+++ b/man/man8/auditadm_selinux.8
-@@ -0,0 +1,242 @@
-+.TH "auditadm_selinux" "8" "auditadm" "mgrepl@redhat.com" "auditadm SELinux Policy documentation"
-+.SH "NAME"
-+auditadm_r \- \fBAudit administrator role\fP - Security Enhanced Linux Policy
-+
-+.SH DESCRIPTION
-+
-+SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into.
-+
-+.I Note:
-+Examples in this man page will use the
-+.B staff_u
-+SELinux user.
-+
-+Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them.
-+
-+The default type for the auditadm_r role is auditadm_t.
-+
-+The
-+.B newrole
-+program to transition directly to this role.
-+
-+.B newrole -r auditadm_r -t auditadm_t
-+
-+.B sudo
-+is the preferred method to do transition from one role to another. You setup sudo to transition to auditadm_r by adding a similar line to the /etc/sudoers file.
-+
-+USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
-+
-+.br
-+sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL
-+
-+When using a a non login role, you need to setup SELinux so that your SELinux user can reach auditadm_r role.
-+
-+Execute the following to see all of the assigned SELinux roles:
-+
-+.B semanage user -l
-+
-+You need to add auditadm_r to the staff_u user. You could setup the staff_u user to be able to use the auditadm_r role with a command like:
-+
-+.B $ semanage user -m -R 'staff_r system_r auditadm_r' staff_u
-+
-+
-+
-+SELinux policy also controls which roles can transition to a different role.
-+You can list these rules using the following command.
-+
-+.B search --role_allow
-+
-+SELinux policy allows the sysadm_r, secadm_r, staff_r roles can transition to the auditadm_r role.
-+
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type auditadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B auditd_etc_t
-+
-+ /etc/audit(/.*)?
-+.br
-+
-+.br
-+.B auditd_log_t
-+
-+ /var/log/audit(/.*)?
-+.br
-+ /var/log/audit\.log
-+.br
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B chrome_sandbox_tmpfs_t
-+
-+
-+.br
-+.B games_data_t
-+
-+ /var/games(/.*)?
-+.br
-+ /var/lib/games(/.*)?
-+.br
-+
-+.br
-+.B gpg_agent_tmp_t
-+
-+ /home/[^/]*/\.gnupg/log-socket
-+.br
-+ /home/dwalsh/\.gnupg/log-socket
-+.br
-+ /var/lib/xguest/home/xguest/\.gnupg/log-socket
-+.br
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.br
-+.B mqueue_spool_t
-+
-+ /var/spool/(client)?mqueue(/.*)?
-+.br
-+ /var/spool/mqueue\.in(/.*)?
-+.br
-+
-+.br
-+.B nfsd_rw_t
-+
-+
-+.br
-+.B noxattrfs
-+
-+ all files on file systems which do not support extended attributes
-+.br
-+
-+.br
-+.B screen_home_t
-+
-+ /root/\.screen(/.*)?
-+.br
-+ /home/[^/]*/\.screen(/.*)?
-+.br
-+ /home/[^/]*/\.screenrc
-+.br
-+ /home/dwalsh/\.screen(/.*)?
-+.br
-+ /home/dwalsh/\.screenrc
-+.br
-+ /var/lib/xguest/home/xguest/\.screen(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.screenrc
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B usbfs_t
-+
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B user_home_type
-+
-+ all user home files
-+.br
-+
-+.br
-+.B user_tmp_type
-+
-+ all user tmp files
-+.br
-+
-+.br
-+.B user_tmpfs_type
-+
-+ all user content in tmpfs file systems
-+.br
-+
-+.br
-+.B xdm_tmp_t
-+
-+ /tmp/\.X11-unix(/.*)?
-+.br
-+ /tmp/\.ICE-unix(/.*)?
-+.br
-+ /tmp/\.X0-lock
-+.br
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), auditadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/auditctl_selinux.8 b/man/man8/auditctl_selinux.8
-new file mode 100644
-index 0000000..5fea87e
---- /dev/null
-+++ b/man/man8/auditctl_selinux.8
-@@ -0,0 +1,86 @@
-+.TH "auditctl_selinux" "8" "12-11-01" "auditctl" "SELinux Policy documentation for auditctl"
-+.SH "NAME"
-+auditctl_selinux \- Security Enhanced Linux Policy for the auditctl processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the auditctl processes via flexible mandatory access control.
-+
-+The auditctl processes execute with the auditctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep auditctl_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The auditctl_t SELinux type can be entered via the "auditctl_exec_t" file type. The default entrypoint paths for the auditctl_t domain are the following:"
-+
-+/sbin/auditctl, /usr/sbin/auditctl
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux auditctl policy is very flexible allowing users to setup their auditctl processes in as secure a method as possible.
-+.PP
-+The following process types are defined for auditctl:
-+
-+.EX
-+.B auditctl_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux auditctl policy is very flexible allowing users to setup their auditctl processes in as secure a method as possible.
-+.PP
-+The following file types are defined for auditctl:
-+
-+
-+.EX
-+.PP
-+.B auditctl_exec_t
-+.EE
-+
-+- Set files with the auditctl_exec_t type, if you want to transition an executable to the auditctl_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), auditctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/auditd_selinux.8 b/man/man8/auditd_selinux.8
-new file mode 100644
-index 0000000..d1a4a01
---- /dev/null
-+++ b/man/man8/auditd_selinux.8
-@@ -0,0 +1,201 @@
-+.TH "auditd_selinux" "8" "12-11-01" "auditd" "SELinux Policy documentation for auditd"
-+.SH "NAME"
-+auditd_selinux \- Security Enhanced Linux Policy for the auditd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the auditd processes via flexible mandatory access control.
-+
-+The auditd processes execute with the auditd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep auditd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The auditd_t SELinux type can be entered via the "auditd_exec_t" file type. The default entrypoint paths for the auditd_t domain are the following:"
-+
-+/sbin/auditd, /usr/sbin/auditd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux auditd policy is very flexible allowing users to setup their auditd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for auditd:
-+
-+.EX
-+.B auditadm_su_t, auditadm_seunshare_t, auditadm_dbusd_t, auditadm_t, auditadm_sudo_t, auditadm_wine_t, auditadm_screen_t, auditadm_gkeyringd_t, auditd_t, auditctl_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux auditd policy is very flexible allowing users to setup their auditd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for auditd:
-+
-+
-+.EX
-+.PP
-+.B auditd_etc_t
-+.EE
-+
-+- Set files with the auditd_etc_t type, if you want to store auditd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B auditd_exec_t
-+.EE
-+
-+- Set files with the auditd_exec_t type, if you want to transition an executable to the auditd_t domain.
-+
-+
-+.EX
-+.PP
-+.B auditd_initrc_exec_t
-+.EE
-+
-+- Set files with the auditd_initrc_exec_t type, if you want to transition an executable to the auditd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B auditd_log_t
-+.EE
-+
-+- Set files with the auditd_log_t type, if you want to treat the data as auditd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B auditd_unit_file_t
-+.EE
-+
-+- Set files with the auditd_unit_file_t type, if you want to treat the files as auditd unit content.
-+
-+
-+.EX
-+.PP
-+.B auditd_var_run_t
-+.EE
-+
-+- Set files with the auditd_var_run_t type, if you want to store the auditd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux auditd policy is very flexible allowing users to setup their auditd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for auditd:
-+
-+.EX
-+.TP 5
-+.B audit_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 60
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type auditd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B auditd_log_t
-+
-+ /var/log/audit(/.*)?
-+.br
-+ /var/log/audit\.log
-+.br
-+
-+.br
-+.B auditd_var_run_t
-+
-+ /var/run/auditd\.pid
-+.br
-+ /var/run/auditd_sock
-+.br
-+ /var/run/audit_events
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), auditd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, auditadm_selinux(8), auditctl_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/authconfig_selinux.8 b/man/man8/authconfig_selinux.8
-new file mode 100644
-index 0000000..18ad01b
---- /dev/null
-+++ b/man/man8/authconfig_selinux.8
-@@ -0,0 +1,104 @@
-+.TH "authconfig_selinux" "8" "12-11-01" "authconfig" "SELinux Policy documentation for authconfig"
-+.SH "NAME"
-+authconfig_selinux \- Security Enhanced Linux Policy for the authconfig processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the authconfig processes via flexible mandatory access control.
-+
-+The authconfig processes execute with the authconfig_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep authconfig_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The authconfig_t SELinux type can be entered via the "filesystem_type,authconfig_exec_t,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type" file types. The default entrypoint paths for the authconfig_t domain are the following:"
-+
-+/usr/share/authconfig/authconfig.py, /dev/cpu/mtrr, all files on the system
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux authconfig policy is very flexible allowing users to setup their authconfig processes in as secure a method as possible.
-+.PP
-+The following process types are defined for authconfig:
-+
-+.EX
-+.B authconfig_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux authconfig policy is very flexible allowing users to setup their authconfig processes in as secure a method as possible.
-+.PP
-+The following file types are defined for authconfig:
-+
-+
-+.EX
-+.PP
-+.B authconfig_exec_t
-+.EE
-+
-+- Set files with the authconfig_exec_t type, if you want to transition an executable to the authconfig_t domain.
-+
-+
-+.EX
-+.PP
-+.B authconfig_var_lib_t
-+.EE
-+
-+- Set files with the authconfig_var_lib_t type, if you want to store the authconfig files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type authconfig_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B file_type
-+
-+ all files on the system
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), authconfig(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/automount_selinux.8 b/man/man8/automount_selinux.8
-new file mode 100644
-index 0000000..c7bbc5a
---- /dev/null
-+++ b/man/man8/automount_selinux.8
-@@ -0,0 +1,176 @@
-+.TH "automount_selinux" "8" "12-11-01" "automount" "SELinux Policy documentation for automount"
-+.SH "NAME"
-+automount_selinux \- Security Enhanced Linux Policy for the automount processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the automount processes via flexible mandatory access control.
-+
-+The automount processes execute with the automount_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep automount_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The automount_t SELinux type can be entered via the "automount_exec_t" file type. The default entrypoint paths for the automount_t domain are the following:"
-+
-+/usr/sbin/automount, /etc/apm/event\.d/autofs
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux automount policy is very flexible allowing users to setup their automount processes in as secure a method as possible.
-+.PP
-+The following process types are defined for automount:
-+
-+.EX
-+.B automount_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux automount policy is very flexible allowing users to setup their automount processes in as secure a method as possible.
-+.PP
-+The following file types are defined for automount:
-+
-+
-+.EX
-+.PP
-+.B automount_exec_t
-+.EE
-+
-+- Set files with the automount_exec_t type, if you want to transition an executable to the automount_t domain.
-+
-+
-+.EX
-+.PP
-+.B automount_initrc_exec_t
-+.EE
-+
-+- Set files with the automount_initrc_exec_t type, if you want to transition an executable to the automount_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B automount_keytab_t
-+.EE
-+
-+- Set files with the automount_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B automount_lock_t
-+.EE
-+
-+- Set files with the automount_lock_t type, if you want to treat the files as automount lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B automount_tmp_t
-+.EE
-+
-+- Set files with the automount_tmp_t type, if you want to store automount temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B automount_unit_file_t
-+.EE
-+
-+- Set files with the automount_unit_file_t type, if you want to treat the files as automount unit content.
-+
-+
-+.EX
-+.PP
-+.B automount_var_run_t
-+.EE
-+
-+- Set files with the automount_var_run_t type, if you want to store the automount files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type automount_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B automount_lock_t
-+
-+
-+.br
-+.B automount_tmp_t
-+
-+
-+.br
-+.B automount_var_run_t
-+
-+ /var/run/autofs.*
-+.br
-+
-+.br
-+.B samba_var_t
-+
-+ /var/lib/samba(/.*)?
-+.br
-+ /var/cache/samba(/.*)?
-+.br
-+ /var/spool/samba(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the automount_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the automount_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), automount(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/avahi_selinux.8 b/man/man8/avahi_selinux.8
-new file mode 100644
-index 0000000..e4baa1f
---- /dev/null
-+++ b/man/man8/avahi_selinux.8
-@@ -0,0 +1,196 @@
-+.TH "avahi_selinux" "8" "12-11-01" "avahi" "SELinux Policy documentation for avahi"
-+.SH "NAME"
-+avahi_selinux \- Security Enhanced Linux Policy for the avahi processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the avahi processes via flexible mandatory access control.
-+
-+The avahi processes execute with the avahi_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep avahi_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The avahi_t SELinux type can be entered via the "avahi_exec_t" file type. The default entrypoint paths for the avahi_t domain are the following:"
-+
-+/usr/sbin/avahi-daemon, /usr/sbin/avahi-autoipd, /usr/sbin/avahi-dnsconfd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux avahi policy is very flexible allowing users to setup their avahi processes in as secure a method as possible.
-+.PP
-+The following process types are defined for avahi:
-+
-+.EX
-+.B avahi_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. avahi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run avahi with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean.
-+
-+.EX
-+.B setsebool -P httpd_dbus_avahi 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean.
-+
-+.EX
-+.B setsebool -P httpd_dbus_avahi 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux avahi policy is very flexible allowing users to setup their avahi processes in as secure a method as possible.
-+.PP
-+The following file types are defined for avahi:
-+
-+
-+.EX
-+.PP
-+.B avahi_exec_t
-+.EE
-+
-+- Set files with the avahi_exec_t type, if you want to transition an executable to the avahi_t domain.
-+
-+
-+.EX
-+.PP
-+.B avahi_initrc_exec_t
-+.EE
-+
-+- Set files with the avahi_initrc_exec_t type, if you want to transition an executable to the avahi_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B avahi_unit_file_t
-+.EE
-+
-+- Set files with the avahi_unit_file_t type, if you want to treat the files as avahi unit content.
-+
-+
-+.EX
-+.PP
-+.B avahi_var_lib_t
-+.EE
-+
-+- Set files with the avahi_var_lib_t type, if you want to store the avahi files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B avahi_var_run_t
-+.EE
-+
-+- Set files with the avahi_var_run_t type, if you want to store the avahi files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type avahi_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B avahi_var_lib_t
-+
-+ /var/lib/avahi-autoipd(/.*)?
-+.br
-+
-+.br
-+.B avahi_var_run_t
-+
-+ /var/run/avahi-daemon(/.*)?
-+.br
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the avahi_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the avahi_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), avahi(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/awstats_selinux.8 b/man/man8/awstats_selinux.8
-new file mode 100644
-index 0000000..cffff58
---- /dev/null
-+++ b/man/man8/awstats_selinux.8
-@@ -0,0 +1,116 @@
-+.TH "awstats_selinux" "8" "12-11-01" "awstats" "SELinux Policy documentation for awstats"
-+.SH "NAME"
-+awstats_selinux \- Security Enhanced Linux Policy for the awstats processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the awstats processes via flexible mandatory access control.
-+
-+The awstats processes execute with the awstats_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep awstats_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The awstats_t SELinux type can be entered via the "awstats_exec_t" file type. The default entrypoint paths for the awstats_t domain are the following:"
-+
-+/usr/share/awstats/tools/.+\.pl
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux awstats policy is very flexible allowing users to setup their awstats processes in as secure a method as possible.
-+.PP
-+The following process types are defined for awstats:
-+
-+.EX
-+.B awstats_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux awstats policy is very flexible allowing users to setup their awstats processes in as secure a method as possible.
-+.PP
-+The following file types are defined for awstats:
-+
-+
-+.EX
-+.PP
-+.B awstats_exec_t
-+.EE
-+
-+- Set files with the awstats_exec_t type, if you want to transition an executable to the awstats_t domain.
-+
-+
-+.EX
-+.PP
-+.B awstats_tmp_t
-+.EE
-+
-+- Set files with the awstats_tmp_t type, if you want to store awstats temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B awstats_var_lib_t
-+.EE
-+
-+- Set files with the awstats_var_lib_t type, if you want to store the awstats files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type awstats_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B awstats_tmp_t
-+
-+
-+.br
-+.B awstats_var_lib_t
-+
-+ /var/lib/awstats(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), awstats(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/bcfg2_selinux.8 b/man/man8/bcfg2_selinux.8
-new file mode 100644
-index 0000000..792558d
---- /dev/null
-+++ b/man/man8/bcfg2_selinux.8
-@@ -0,0 +1,148 @@
-+.TH "bcfg2_selinux" "8" "12-11-01" "bcfg2" "SELinux Policy documentation for bcfg2"
-+.SH "NAME"
-+bcfg2_selinux \- Security Enhanced Linux Policy for the bcfg2 processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the bcfg2 processes via flexible mandatory access control.
-+
-+The bcfg2 processes execute with the bcfg2_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep bcfg2_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The bcfg2_t SELinux type can be entered via the "bcfg2_exec_t" file type. The default entrypoint paths for the bcfg2_t domain are the following:"
-+
-+/usr/sbin/bcfg2-server
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux bcfg2 policy is very flexible allowing users to setup their bcfg2 processes in as secure a method as possible.
-+.PP
-+The following process types are defined for bcfg2:
-+
-+.EX
-+.B bcfg2_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux bcfg2 policy is very flexible allowing users to setup their bcfg2 processes in as secure a method as possible.
-+.PP
-+The following file types are defined for bcfg2:
-+
-+
-+.EX
-+.PP
-+.B bcfg2_exec_t
-+.EE
-+
-+- Set files with the bcfg2_exec_t type, if you want to transition an executable to the bcfg2_t domain.
-+
-+
-+.EX
-+.PP
-+.B bcfg2_initrc_exec_t
-+.EE
-+
-+- Set files with the bcfg2_initrc_exec_t type, if you want to transition an executable to the bcfg2_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B bcfg2_unit_file_t
-+.EE
-+
-+- Set files with the bcfg2_unit_file_t type, if you want to treat the files as bcfg2 unit content.
-+
-+
-+.EX
-+.PP
-+.B bcfg2_var_lib_t
-+.EE
-+
-+- Set files with the bcfg2_var_lib_t type, if you want to store the bcfg2 files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B bcfg2_var_run_t
-+.EE
-+
-+- Set files with the bcfg2_var_run_t type, if you want to store the bcfg2 files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type bcfg2_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B bcfg2_var_lib_t
-+
-+ /var/lib/bcfg2(/.*)?
-+.br
-+
-+.br
-+.B bcfg2_var_run_t
-+
-+ /var/run/bcfg2-server\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bcfg2_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the bcfg2_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), bcfg2(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/bitlbee_selinux.8 b/man/man8/bitlbee_selinux.8
-new file mode 100644
-index 0000000..26fda6e
---- /dev/null
-+++ b/man/man8/bitlbee_selinux.8
-@@ -0,0 +1,178 @@
-+.TH "bitlbee_selinux" "8" "12-11-01" "bitlbee" "SELinux Policy documentation for bitlbee"
-+.SH "NAME"
-+bitlbee_selinux \- Security Enhanced Linux Policy for the bitlbee processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the bitlbee processes via flexible mandatory access control.
-+
-+The bitlbee processes execute with the bitlbee_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep bitlbee_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The bitlbee_t SELinux type can be entered via the "bitlbee_exec_t" file type. The default entrypoint paths for the bitlbee_t domain are the following:"
-+
-+/usr/bin/bip, /usr/sbin/bitlbee
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux bitlbee policy is very flexible allowing users to setup their bitlbee processes in as secure a method as possible.
-+.PP
-+The following process types are defined for bitlbee:
-+
-+.EX
-+.B bitlbee_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux bitlbee policy is very flexible allowing users to setup their bitlbee processes in as secure a method as possible.
-+.PP
-+The following file types are defined for bitlbee:
-+
-+
-+.EX
-+.PP
-+.B bitlbee_conf_t
-+.EE
-+
-+- Set files with the bitlbee_conf_t type, if you want to treat the files as bitlbee configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B bitlbee_exec_t
-+.EE
-+
-+- Set files with the bitlbee_exec_t type, if you want to transition an executable to the bitlbee_t domain.
-+
-+
-+.EX
-+.PP
-+.B bitlbee_initrc_exec_t
-+.EE
-+
-+- Set files with the bitlbee_initrc_exec_t type, if you want to transition an executable to the bitlbee_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B bitlbee_log_t
-+.EE
-+
-+- Set files with the bitlbee_log_t type, if you want to treat the data as bitlbee log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B bitlbee_tmp_t
-+.EE
-+
-+- Set files with the bitlbee_tmp_t type, if you want to store bitlbee temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B bitlbee_var_run_t
-+.EE
-+
-+- Set files with the bitlbee_var_run_t type, if you want to store the bitlbee files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B bitlbee_var_t
-+.EE
-+
-+- Set files with the bitlbee_var_t type, if you want to store the bit files under the /var directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type bitlbee_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B bitlbee_log_t
-+
-+ /var/log/bip(/.*)?
-+.br
-+
-+.br
-+.B bitlbee_tmp_t
-+
-+
-+.br
-+.B bitlbee_var_run_t
-+
-+ /var/run/bip(/.*)?
-+.br
-+ /var/run/bitlbee\.pid
-+.br
-+ /var/run/bitlbee\.sock
-+.br
-+
-+.br
-+.B bitlbee_var_t
-+
-+ /var/lib/bitlbee(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bitlbee_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the bitlbee_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), bitlbee(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/blktap_selinux.8 b/man/man8/blktap_selinux.8
-new file mode 100644
-index 0000000..8a96343
---- /dev/null
-+++ b/man/man8/blktap_selinux.8
-@@ -0,0 +1,116 @@
-+.TH "blktap_selinux" "8" "12-11-01" "blktap" "SELinux Policy documentation for blktap"
-+.SH "NAME"
-+blktap_selinux \- Security Enhanced Linux Policy for the blktap processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the blktap processes via flexible mandatory access control.
-+
-+The blktap processes execute with the blktap_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep blktap_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The blktap_t SELinux type can be entered via the "blktap_exec_t" file type. The default entrypoint paths for the blktap_t domain are the following:"
-+
-+/usr/sbin/tapdisk, /usr/sbin/blktapctrl
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux blktap policy is very flexible allowing users to setup their blktap processes in as secure a method as possible.
-+.PP
-+The following process types are defined for blktap:
-+
-+.EX
-+.B blktap_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. blktap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run blktap with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean.
-+
-+.EX
-+.B setsebool -P xend_run_blktap 1
-+.EE
-+
-+.PP
-+If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean.
-+
-+.EX
-+.B setsebool -P xend_run_blktap 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux blktap policy is very flexible allowing users to setup their blktap processes in as secure a method as possible.
-+.PP
-+The following file types are defined for blktap:
-+
-+
-+.EX
-+.PP
-+.B blktap_exec_t
-+.EE
-+
-+- Set files with the blktap_exec_t type, if you want to transition an executable to the blktap_t domain.
-+
-+
-+.EX
-+.PP
-+.B blktap_var_run_t
-+.EE
-+
-+- Set files with the blktap_var_run_t type, if you want to store the blktap files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), blktap(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/blueman_selinux.8 b/man/man8/blueman_selinux.8
-new file mode 100644
-index 0000000..4098061
---- /dev/null
-+++ b/man/man8/blueman_selinux.8
-@@ -0,0 +1,118 @@
-+.TH "blueman_selinux" "8" "12-11-01" "blueman" "SELinux Policy documentation for blueman"
-+.SH "NAME"
-+blueman_selinux \- Security Enhanced Linux Policy for the blueman processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the blueman processes via flexible mandatory access control.
-+
-+The blueman processes execute with the blueman_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep blueman_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The blueman_t SELinux type can be entered via the "blueman_exec_t" file type. The default entrypoint paths for the blueman_t domain are the following:"
-+
-+/usr/libexec/blueman-mechanism
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux blueman policy is very flexible allowing users to setup their blueman processes in as secure a method as possible.
-+.PP
-+The following process types are defined for blueman:
-+
-+.EX
-+.B blueman_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux blueman policy is very flexible allowing users to setup their blueman processes in as secure a method as possible.
-+.PP
-+The following file types are defined for blueman:
-+
-+
-+.EX
-+.PP
-+.B blueman_exec_t
-+.EE
-+
-+- Set files with the blueman_exec_t type, if you want to transition an executable to the blueman_t domain.
-+
-+
-+.EX
-+.PP
-+.B blueman_var_lib_t
-+.EE
-+
-+- Set files with the blueman_var_lib_t type, if you want to store the blueman files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type blueman_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B blueman_var_lib_t
-+
-+ /var/lib/blueman(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the blueman_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the blueman_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), blueman(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/bluetooth_helper_selinux.8 b/man/man8/bluetooth_helper_selinux.8
-new file mode 100644
-index 0000000..2fa6a79
---- /dev/null
-+++ b/man/man8/bluetooth_helper_selinux.8
-@@ -0,0 +1,157 @@
-+.TH "bluetooth_helper_selinux" "8" "12-11-01" "bluetooth_helper" "SELinux Policy documentation for bluetooth_helper"
-+.SH "NAME"
-+bluetooth_helper_selinux \- Security Enhanced Linux Policy for the bluetooth_helper processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the bluetooth_helper processes via flexible mandatory access control.
-+
-+The bluetooth_helper processes execute with the bluetooth_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep bluetooth_helper_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The bluetooth_helper_t SELinux type can be entered via the "bluetooth_helper_exec_t" file type. The default entrypoint paths for the bluetooth_helper_t domain are the following:"
-+
-+/usr/bin/blue.*pin
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux bluetooth_helper policy is very flexible allowing users to setup their bluetooth_helper processes in as secure a method as possible.
-+.PP
-+The following process types are defined for bluetooth_helper:
-+
-+.EX
-+.B bluetooth_helper_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux bluetooth_helper policy is very flexible allowing users to setup their bluetooth_helper processes in as secure a method as possible.
-+.PP
-+The following file types are defined for bluetooth_helper:
-+
-+
-+.EX
-+.PP
-+.B bluetooth_helper_exec_t
-+.EE
-+
-+- Set files with the bluetooth_helper_exec_t type, if you want to transition an executable to the bluetooth_helper_t domain.
-+
-+
-+.EX
-+.PP
-+.B bluetooth_helper_tmp_t
-+.EE
-+
-+- Set files with the bluetooth_helper_tmp_t type, if you want to store bluetooth helper temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B bluetooth_helper_tmpfs_t
-+.EE
-+
-+- Set files with the bluetooth_helper_tmpfs_t type, if you want to store bluetooth helper files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type bluetooth_helper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B bluetooth_helper_tmp_t
-+
-+
-+.br
-+.B bluetooth_helper_tmpfs_t
-+
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bluetooth_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the bluetooth_helper_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), bluetooth_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, bluetooth_selinux(8), bluetooth_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/bluetooth_selinux.8 b/man/man8/bluetooth_selinux.8
-new file mode 100644
-index 0000000..3432420
---- /dev/null
-+++ b/man/man8/bluetooth_selinux.8
-@@ -0,0 +1,246 @@
-+.TH "bluetooth_selinux" "8" "12-11-01" "bluetooth" "SELinux Policy documentation for bluetooth"
-+.SH "NAME"
-+bluetooth_selinux \- Security Enhanced Linux Policy for the bluetooth processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the bluetooth processes via flexible mandatory access control.
-+
-+The bluetooth processes execute with the bluetooth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep bluetooth_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The bluetooth_t SELinux type can be entered via the "bluetooth_exec_t" file type. The default entrypoint paths for the bluetooth_t domain are the following:"
-+
-+/usr/bin/dund, /usr/bin/hidd, /usr/sbin/hcid, /usr/sbin/sdpd, /usr/bin/rfcomm, /usr/sbin/hid2hci, /usr/sbin/hciattach, /usr/sbin/bluetoothd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux bluetooth policy is very flexible allowing users to setup their bluetooth processes in as secure a method as possible.
-+.PP
-+The following process types are defined for bluetooth:
-+
-+.EX
-+.B bluetooth_helper_t, bluetooth_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. bluetooth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bluetooth with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
-+
-+.EX
-+.B setsebool -P xguest_use_bluetooth 1
-+.EE
-+
-+.PP
-+If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
-+
-+.EX
-+.B setsebool -P xguest_use_bluetooth 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux bluetooth policy is very flexible allowing users to setup their bluetooth processes in as secure a method as possible.
-+.PP
-+The following file types are defined for bluetooth:
-+
-+
-+.EX
-+.PP
-+.B bluetooth_conf_rw_t
-+.EE
-+
-+- Set files with the bluetooth_conf_rw_t type, if you want to treat the files as bluetooth conf read/write content.
-+
-+
-+.EX
-+.PP
-+.B bluetooth_conf_t
-+.EE
-+
-+- Set files with the bluetooth_conf_t type, if you want to treat the files as bluetooth configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B bluetooth_exec_t
-+.EE
-+
-+- Set files with the bluetooth_exec_t type, if you want to transition an executable to the bluetooth_t domain.
-+
-+
-+.EX
-+.PP
-+.B bluetooth_helper_exec_t
-+.EE
-+
-+- Set files with the bluetooth_helper_exec_t type, if you want to transition an executable to the bluetooth_helper_t domain.
-+
-+
-+.EX
-+.PP
-+.B bluetooth_helper_tmp_t
-+.EE
-+
-+- Set files with the bluetooth_helper_tmp_t type, if you want to store bluetooth helper temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B bluetooth_helper_tmpfs_t
-+.EE
-+
-+- Set files with the bluetooth_helper_tmpfs_t type, if you want to store bluetooth helper files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B bluetooth_initrc_exec_t
-+.EE
-+
-+- Set files with the bluetooth_initrc_exec_t type, if you want to transition an executable to the bluetooth_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B bluetooth_lock_t
-+.EE
-+
-+- Set files with the bluetooth_lock_t type, if you want to treat the files as bluetooth lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B bluetooth_tmp_t
-+.EE
-+
-+- Set files with the bluetooth_tmp_t type, if you want to store bluetooth temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B bluetooth_unit_file_t
-+.EE
-+
-+- Set files with the bluetooth_unit_file_t type, if you want to treat the files as bluetooth unit content.
-+
-+
-+.EX
-+.PP
-+.B bluetooth_var_lib_t
-+.EE
-+
-+- Set files with the bluetooth_var_lib_t type, if you want to store the bluetooth files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B bluetooth_var_run_t
-+.EE
-+
-+- Set files with the bluetooth_var_run_t type, if you want to store the bluetooth files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type bluetooth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B bluetooth_conf_rw_t
-+
-+ /etc/bluetooth/link_key
-+.br
-+
-+.br
-+.B bluetooth_lock_t
-+
-+
-+.br
-+.B bluetooth_tmp_t
-+
-+
-+.br
-+.B bluetooth_var_lib_t
-+
-+ /var/lib/bluetooth(/.*)?
-+.br
-+
-+.br
-+.B bluetooth_var_run_t
-+
-+ /var/run/sdp
-+.br
-+ /var/run/bluetoothd_address
-+.br
-+
-+.br
-+.B usbfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bluetooth_t, bluetooth_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the bluetooth_t, bluetooth_helper_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), bluetooth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), bluetooth_helper_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/boinc_selinux.8 b/man/man8/boinc_selinux.8
-new file mode 100644
-index 0000000..138247a
---- /dev/null
-+++ b/man/man8/boinc_selinux.8
-@@ -0,0 +1,219 @@
-+.TH "boinc_selinux" "8" "12-11-01" "boinc" "SELinux Policy documentation for boinc"
-+.SH "NAME"
-+boinc_selinux \- Security Enhanced Linux Policy for the boinc processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the boinc processes via flexible mandatory access control.
-+
-+The boinc processes execute with the boinc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep boinc_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The boinc_t SELinux type can be entered via the "boinc_exec_t" file type. The default entrypoint paths for the boinc_t domain are the following:"
-+
-+/usr/bin/boinc_client
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible.
-+.PP
-+The following process types are defined for boinc:
-+
-+.EX
-+.B boinc_t, boinc_project_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible.
-+.PP
-+The following file types are defined for boinc:
-+
-+
-+.EX
-+.PP
-+.B boinc_exec_t
-+.EE
-+
-+- Set files with the boinc_exec_t type, if you want to transition an executable to the boinc_t domain.
-+
-+
-+.EX
-+.PP
-+.B boinc_initrc_exec_t
-+.EE
-+
-+- Set files with the boinc_initrc_exec_t type, if you want to transition an executable to the boinc_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B boinc_log_t
-+.EE
-+
-+- Set files with the boinc_log_t type, if you want to treat the data as boinc log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B boinc_project_tmp_t
-+.EE
-+
-+- Set files with the boinc_project_tmp_t type, if you want to store boinc project temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B boinc_project_var_lib_t
-+.EE
-+
-+- Set files with the boinc_project_var_lib_t type, if you want to store the boinc project files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B boinc_tmp_t
-+.EE
-+
-+- Set files with the boinc_tmp_t type, if you want to store boinc temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B boinc_tmpfs_t
-+.EE
-+
-+- Set files with the boinc_tmpfs_t type, if you want to store boinc files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B boinc_unit_file_t
-+.EE
-+
-+- Set files with the boinc_unit_file_t type, if you want to treat the files as boinc unit content.
-+
-+
-+.EX
-+.PP
-+.B boinc_var_lib_t
-+.EE
-+
-+- Set files with the boinc_var_lib_t type, if you want to store the boinc files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible.
-+.PP
-+The following port types are defined for boinc:
-+
-+.EX
-+.TP 5
-+.B boinc_client_ctrl_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 1043
-+.EE
-+
-+.EX
-+.TP 5
-+.B boinc_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 31416
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type boinc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B boinc_log_t
-+
-+ /var/log/boinc\.log.*
-+.br
-+
-+.br
-+.B boinc_project_var_lib_t
-+
-+ /var/lib/boinc/slots(/.*)?
-+.br
-+ /var/lib/boinc/projects(/.*)?
-+.br
-+
-+.br
-+.B boinc_tmp_t
-+
-+
-+.br
-+.B boinc_tmpfs_t
-+
-+
-+.br
-+.B boinc_var_lib_t
-+
-+ /var/lib/boinc(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), boinc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/bootloader_selinux.8 b/man/man8/bootloader_selinux.8
-new file mode 100644
-index 0000000..0e127fd
---- /dev/null
-+++ b/man/man8/bootloader_selinux.8
-@@ -0,0 +1,306 @@
-+.TH "bootloader_selinux" "8" "12-11-01" "bootloader" "SELinux Policy documentation for bootloader"
-+.SH "NAME"
-+bootloader_selinux \- Security Enhanced Linux Policy for the bootloader processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the bootloader processes via flexible mandatory access control.
-+
-+The bootloader processes execute with the bootloader_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep bootloader_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The bootloader_t SELinux type can be entered via the "bootloader_exec_t" file type. The default entrypoint paths for the bootloader_t domain are the following:"
-+
-+/sbin/grub.*, /sbin/lilo.*, /sbin/ybin.*, /usr/sbin/grub.*, /usr/sbin/lilo.*, /usr/sbin/ybin.*, /sbin/zipl, /usr/sbin/zipl
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux bootloader policy is very flexible allowing users to setup their bootloader processes in as secure a method as possible.
-+.PP
-+The following process types are defined for bootloader:
-+
-+.EX
-+.B bootloader_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. bootloader policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bootloader with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean.
-+
-+.EX
-+.B setsebool -P xdm_exec_bootloader 1
-+.EE
-+
-+.PP
-+If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean.
-+
-+.EX
-+.B setsebool -P xdm_exec_bootloader 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux bootloader policy is very flexible allowing users to setup their bootloader processes in as secure a method as possible.
-+.PP
-+The following file types are defined for bootloader:
-+
-+
-+.EX
-+.PP
-+.B bootloader_etc_t
-+.EE
-+
-+- Set files with the bootloader_etc_t type, if you want to store bootloader files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B bootloader_exec_t
-+.EE
-+
-+- Set files with the bootloader_exec_t type, if you want to transition an executable to the bootloader_t domain.
-+
-+
-+.EX
-+.PP
-+.B bootloader_tmp_t
-+.EE
-+
-+- Set files with the bootloader_tmp_t type, if you want to store bootloader temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B bootloader_var_lib_t
-+.EE
-+
-+- Set files with the bootloader_var_lib_t type, if you want to store the bootloader files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B bootloader_var_run_t
-+.EE
-+
-+- Set files with the bootloader_var_run_t type, if you want to store the bootloader files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type bootloader_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B boot_t
-+
-+ /boot/.*
-+.br
-+ /vmlinuz.*
-+.br
-+ /initrd\.img.*
-+.br
-+ /boot
-+.br
-+
-+.br
-+.B bootloader_tmp_t
-+
-+
-+.br
-+.B bootloader_var_lib_t
-+
-+ /var/lib/os-prober(/.*)?
-+.br
-+
-+.br
-+.B bootloader_var_run_t
-+
-+
-+.br
-+.B dosfs_t
-+
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B file_t
-+
-+
-+.br
-+.B fsadm_var_run_t
-+
-+ /var/run/blkid(/.*)?
-+.br
-+
-+.br
-+.B modules_object_t
-+
-+ /lib/modules(/.*)?
-+.br
-+ /usr/lib/modules(/.*)?
-+.br
-+
-+.br
-+.B var_log_t
-+
-+ /var/log/.*
-+.br
-+ /nsr/logs(/.*)?
-+.br
-+ /var/webmin(/.*)?
-+.br
-+ /var/log/cron[^/]*
-+.br
-+ /var/log/secure[^/]*
-+.br
-+ /opt/zimbra/log(/.*)?
-+.br
-+ /var/log/maillog[^/]*
-+.br
-+ /var/log/spooler[^/]*
-+.br
-+ /var/log/messages[^/]*
-+.br
-+ /usr/centreon/log(/.*)?
-+.br
-+ /var/spool/rsyslog(/.*)?
-+.br
-+ /var/axfrdns/log/main(/.*)?
-+.br
-+ /var/spool/bacula/log(/.*)?
-+.br
-+ /var/tinydns/log/main(/.*)?
-+.br
-+ /var/dnscache/log/main(/.*)?
-+.br
-+ /var/stockmaniac/templates_cache(/.*)?
-+.br
-+ /opt/Symantec/scspagent/IDS/system(/.*)?
-+.br
-+ /var/log
-+.br
-+ /var/log/dmesg
-+.br
-+ /var/log/syslog
-+.br
-+ /var/named/chroot/var/log
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bootloader_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the bootloader_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), bootloader(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/brctl_selinux.8 b/man/man8/brctl_selinux.8
-new file mode 100644
-index 0000000..454e06c
---- /dev/null
-+++ b/man/man8/brctl_selinux.8
-@@ -0,0 +1,96 @@
-+.TH "brctl_selinux" "8" "12-11-01" "brctl" "SELinux Policy documentation for brctl"
-+.SH "NAME"
-+brctl_selinux \- Security Enhanced Linux Policy for the brctl processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the brctl processes via flexible mandatory access control.
-+
-+The brctl processes execute with the brctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep brctl_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The brctl_t SELinux type can be entered via the "brctl_exec_t" file type. The default entrypoint paths for the brctl_t domain are the following:"
-+
-+/usr/sbin/brctl
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux brctl policy is very flexible allowing users to setup their brctl processes in as secure a method as possible.
-+.PP
-+The following process types are defined for brctl:
-+
-+.EX
-+.B brctl_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux brctl policy is very flexible allowing users to setup their brctl processes in as secure a method as possible.
-+.PP
-+The following file types are defined for brctl:
-+
-+
-+.EX
-+.PP
-+.B brctl_exec_t
-+.EE
-+
-+- Set files with the brctl_exec_t type, if you want to transition an executable to the brctl_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type brctl_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), brctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/cachefilesd_selinux.8 b/man/man8/cachefilesd_selinux.8
-new file mode 100644
-index 0000000..f337f15
---- /dev/null
-+++ b/man/man8/cachefilesd_selinux.8
-@@ -0,0 +1,112 @@
-+.TH "cachefilesd_selinux" "8" "12-11-01" "cachefilesd" "SELinux Policy documentation for cachefilesd"
-+.SH "NAME"
-+cachefilesd_selinux \- Security Enhanced Linux Policy for the cachefilesd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cachefilesd processes via flexible mandatory access control.
-+
-+The cachefilesd processes execute with the cachefilesd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cachefilesd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cachefilesd_t SELinux type can be entered via the "cachefilesd_exec_t" file type. The default entrypoint paths for the cachefilesd_t domain are the following:"
-+
-+/sbin/cachefilesd, /usr/sbin/cachefilesd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cachefilesd policy is very flexible allowing users to setup their cachefilesd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cachefilesd:
-+
-+.EX
-+.B cachefilesd_t, cachefiles_kernel_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cachefilesd policy is very flexible allowing users to setup their cachefilesd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cachefilesd:
-+
-+
-+.EX
-+.PP
-+.B cachefilesd_exec_t
-+.EE
-+
-+- Set files with the cachefilesd_exec_t type, if you want to transition an executable to the cachefilesd_t domain.
-+
-+
-+.EX
-+.PP
-+.B cachefilesd_var_run_t
-+.EE
-+
-+- Set files with the cachefilesd_var_run_t type, if you want to store the cachefilesd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cachefilesd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cachefiles_var_t
-+
-+ /var/fscache(/.*)?
-+.br
-+ /var/cache/fscache(/.*)?
-+.br
-+
-+.br
-+.B cachefilesd_var_run_t
-+
-+ /var/run/cachefilesd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cachefilesd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/calamaris_selinux.8 b/man/man8/calamaris_selinux.8
-new file mode 100644
-index 0000000..e3eb81f
---- /dev/null
-+++ b/man/man8/calamaris_selinux.8
-@@ -0,0 +1,132 @@
-+.TH "calamaris_selinux" "8" "12-11-01" "calamaris" "SELinux Policy documentation for calamaris"
-+.SH "NAME"
-+calamaris_selinux \- Security Enhanced Linux Policy for the calamaris processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the calamaris processes via flexible mandatory access control.
-+
-+The calamaris processes execute with the calamaris_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep calamaris_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The calamaris_t SELinux type can be entered via the "calamaris_exec_t" file type. The default entrypoint paths for the calamaris_t domain are the following:"
-+
-+/etc/cron\.daily/calamaris
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux calamaris policy is very flexible allowing users to setup their calamaris processes in as secure a method as possible.
-+.PP
-+The following process types are defined for calamaris:
-+
-+.EX
-+.B calamaris_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux calamaris policy is very flexible allowing users to setup their calamaris processes in as secure a method as possible.
-+.PP
-+The following file types are defined for calamaris:
-+
-+
-+.EX
-+.PP
-+.B calamaris_exec_t
-+.EE
-+
-+- Set files with the calamaris_exec_t type, if you want to transition an executable to the calamaris_t domain.
-+
-+
-+.EX
-+.PP
-+.B calamaris_log_t
-+.EE
-+
-+- Set files with the calamaris_log_t type, if you want to treat the data as calamaris log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B calamaris_www_t
-+.EE
-+
-+- Set files with the calamaris_www_t type, if you want to treat the files as calamaris www data.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type calamaris_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B calamaris_log_t
-+
-+ /var/log/calamaris(/.*)?
-+.br
-+
-+.br
-+.B calamaris_www_t
-+
-+ /var/www/calamaris(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the calamaris_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the calamaris_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), calamaris(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/callweaver_selinux.8 b/man/man8/callweaver_selinux.8
-new file mode 100644
-index 0000000..b1ebf14
---- /dev/null
-+++ b/man/man8/callweaver_selinux.8
-@@ -0,0 +1,168 @@
-+.TH "callweaver_selinux" "8" "12-11-01" "callweaver" "SELinux Policy documentation for callweaver"
-+.SH "NAME"
-+callweaver_selinux \- Security Enhanced Linux Policy for the callweaver processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the callweaver processes via flexible mandatory access control.
-+
-+The callweaver processes execute with the callweaver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep callweaver_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The callweaver_t SELinux type can be entered via the "callweaver_exec_t" file type. The default entrypoint paths for the callweaver_t domain are the following:"
-+
-+/usr/sbin/callweaver
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux callweaver policy is very flexible allowing users to setup their callweaver processes in as secure a method as possible.
-+.PP
-+The following process types are defined for callweaver:
-+
-+.EX
-+.B callweaver_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux callweaver policy is very flexible allowing users to setup their callweaver processes in as secure a method as possible.
-+.PP
-+The following file types are defined for callweaver:
-+
-+
-+.EX
-+.PP
-+.B callweaver_exec_t
-+.EE
-+
-+- Set files with the callweaver_exec_t type, if you want to transition an executable to the callweaver_t domain.
-+
-+
-+.EX
-+.PP
-+.B callweaver_initrc_exec_t
-+.EE
-+
-+- Set files with the callweaver_initrc_exec_t type, if you want to transition an executable to the callweaver_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B callweaver_log_t
-+.EE
-+
-+- Set files with the callweaver_log_t type, if you want to treat the data as callweaver log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B callweaver_spool_t
-+.EE
-+
-+- Set files with the callweaver_spool_t type, if you want to store the callweaver files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B callweaver_var_lib_t
-+.EE
-+
-+- Set files with the callweaver_var_lib_t type, if you want to store the callweaver files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B callweaver_var_run_t
-+.EE
-+
-+- Set files with the callweaver_var_run_t type, if you want to store the callweaver files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type callweaver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B callweaver_log_t
-+
-+ /var/log/callweaver(/.*)?
-+.br
-+
-+.br
-+.B callweaver_spool_t
-+
-+ /var/spool/callweaver(/.*)?
-+.br
-+
-+.br
-+.B callweaver_var_lib_t
-+
-+ /var/lib/callweaver(/.*)?
-+.br
-+
-+.br
-+.B callweaver_var_run_t
-+
-+ /var/run/callweaver(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the callweaver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the callweaver_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), callweaver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/canna_selinux.8 b/man/man8/canna_selinux.8
-new file mode 100644
-index 0000000..73d7f2a
---- /dev/null
-+++ b/man/man8/canna_selinux.8
-@@ -0,0 +1,148 @@
-+.TH "canna_selinux" "8" "12-11-01" "canna" "SELinux Policy documentation for canna"
-+.SH "NAME"
-+canna_selinux \- Security Enhanced Linux Policy for the canna processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the canna processes via flexible mandatory access control.
-+
-+The canna processes execute with the canna_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep canna_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The canna_t SELinux type can be entered via the "canna_exec_t" file type. The default entrypoint paths for the canna_t domain are the following:"
-+
-+/usr/bin/catdic, /usr/sbin/jserver, /usr/bin/cannaping, /usr/sbin/cannaserver
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux canna policy is very flexible allowing users to setup their canna processes in as secure a method as possible.
-+.PP
-+The following process types are defined for canna:
-+
-+.EX
-+.B canna_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux canna policy is very flexible allowing users to setup their canna processes in as secure a method as possible.
-+.PP
-+The following file types are defined for canna:
-+
-+
-+.EX
-+.PP
-+.B canna_exec_t
-+.EE
-+
-+- Set files with the canna_exec_t type, if you want to transition an executable to the canna_t domain.
-+
-+
-+.EX
-+.PP
-+.B canna_initrc_exec_t
-+.EE
-+
-+- Set files with the canna_initrc_exec_t type, if you want to transition an executable to the canna_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B canna_log_t
-+.EE
-+
-+- Set files with the canna_log_t type, if you want to treat the data as canna log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B canna_var_lib_t
-+.EE
-+
-+- Set files with the canna_var_lib_t type, if you want to store the canna files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B canna_var_run_t
-+.EE
-+
-+- Set files with the canna_var_run_t type, if you want to store the canna files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type canna_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B canna_log_t
-+
-+ /var/log/wnn(/.*)?
-+.br
-+ /var/log/canna(/.*)?
-+.br
-+
-+.br
-+.B canna_var_lib_t
-+
-+ /var/lib/wnn/dic(/.*)?
-+.br
-+ /var/lib/canna/dic(/.*)?
-+.br
-+
-+.br
-+.B canna_var_run_t
-+
-+ /var/run/wnn-unix(/.*)?
-+.br
-+ /var/run/\.iroha_unix/.*
-+.br
-+ /var/run/\.iroha_unix
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), canna(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/cardmgr_selinux.8 b/man/man8/cardmgr_selinux.8
-new file mode 100644
-index 0000000..8fccf2f
---- /dev/null
-+++ b/man/man8/cardmgr_selinux.8
-@@ -0,0 +1,162 @@
-+.TH "cardmgr_selinux" "8" "12-11-01" "cardmgr" "SELinux Policy documentation for cardmgr"
-+.SH "NAME"
-+cardmgr_selinux \- Security Enhanced Linux Policy for the cardmgr processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cardmgr processes via flexible mandatory access control.
-+
-+The cardmgr processes execute with the cardmgr_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cardmgr_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cardmgr_t SELinux type can be entered via the "cardctl_exec_t,cardmgr_exec_t" file types. The default entrypoint paths for the cardmgr_t domain are the following:"
-+
-+/sbin/cardctl, /usr/sbin/cardctl, /sbin/cardmgr, /usr/sbin/cardmgr, /etc/apm/event\.d/pcmcia
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cardmgr policy is very flexible allowing users to setup their cardmgr processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cardmgr:
-+
-+.EX
-+.B cardmgr_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cardmgr policy is very flexible allowing users to setup their cardmgr processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cardmgr:
-+
-+
-+.EX
-+.PP
-+.B cardmgr_dev_t
-+.EE
-+
-+- Set files with the cardmgr_dev_t type, if you want to treat the files as cardmgr dev data.
-+
-+
-+.EX
-+.PP
-+.B cardmgr_exec_t
-+.EE
-+
-+- Set files with the cardmgr_exec_t type, if you want to transition an executable to the cardmgr_t domain.
-+
-+
-+.EX
-+.PP
-+.B cardmgr_lnk_t
-+.EE
-+
-+- Set files with the cardmgr_lnk_t type, if you want to treat the files as cardmgr lnk data.
-+
-+
-+.EX
-+.PP
-+.B cardmgr_var_lib_t
-+.EE
-+
-+- Set files with the cardmgr_var_lib_t type, if you want to store the cardmgr files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B cardmgr_var_run_t
-+.EE
-+
-+- Set files with the cardmgr_var_run_t type, if you want to store the cardmgr files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cardmgr_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cardmgr_var_lib_t
-+
-+
-+.br
-+.B cardmgr_var_run_t
-+
-+ /var/lib/pcmcia(/.*)?
-+.br
-+ /var/run/stab
-+.br
-+ /var/run/cardmgr\.pid
-+.br
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cardmgr(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ccs_selinux.8 b/man/man8/ccs_selinux.8
-new file mode 100644
-index 0000000..4859e26
---- /dev/null
-+++ b/man/man8/ccs_selinux.8
-@@ -0,0 +1,172 @@
-+.TH "ccs_selinux" "8" "12-11-01" "ccs" "SELinux Policy documentation for ccs"
-+.SH "NAME"
-+ccs_selinux \- Security Enhanced Linux Policy for the ccs processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ccs processes via flexible mandatory access control.
-+
-+The ccs processes execute with the ccs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ccs_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ccs_t SELinux type can be entered via the "ccs_exec_t" file type. The default entrypoint paths for the ccs_t domain are the following:"
-+
-+/sbin/ccsd, /usr/sbin/ccsd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ccs policy is very flexible allowing users to setup their ccs processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ccs:
-+
-+.EX
-+.B ccs_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ccs policy is very flexible allowing users to setup their ccs processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ccs:
-+
-+
-+.EX
-+.PP
-+.B ccs_exec_t
-+.EE
-+
-+- Set files with the ccs_exec_t type, if you want to transition an executable to the ccs_t domain.
-+
-+
-+.EX
-+.PP
-+.B ccs_tmp_t
-+.EE
-+
-+- Set files with the ccs_tmp_t type, if you want to store ccs temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B ccs_tmpfs_t
-+.EE
-+
-+- Set files with the ccs_tmpfs_t type, if you want to store ccs files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B ccs_var_lib_t
-+.EE
-+
-+- Set files with the ccs_var_lib_t type, if you want to store the ccs files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B ccs_var_log_t
-+.EE
-+
-+- Set files with the ccs_var_log_t type, if you want to treat the data as ccs var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B ccs_var_run_t
-+.EE
-+
-+- Set files with the ccs_var_run_t type, if you want to store the ccs files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ccs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ccs_tmp_t
-+
-+
-+.br
-+.B ccs_tmpfs_t
-+
-+
-+.br
-+.B ccs_var_lib_t
-+
-+
-+.br
-+.B ccs_var_log_t
-+
-+
-+.br
-+.B ccs_var_run_t
-+
-+ /var/run/cluster/ccsd\.pid
-+.br
-+ /var/run/cluster/ccsd\.sock
-+.br
-+
-+.br
-+.B cluster_conf_t
-+
-+ /etc/cluster(/.*)?
-+.br
-+
-+.br
-+.B file_t
-+
-+
-+.br
-+.B initrc_tmp_t
-+
-+
-+.br
-+.B qpidd_tmpfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ccs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/cdcc_selinux.8 b/man/man8/cdcc_selinux.8
-new file mode 100644
-index 0000000..06454f9
---- /dev/null
-+++ b/man/man8/cdcc_selinux.8
-@@ -0,0 +1,128 @@
-+.TH "cdcc_selinux" "8" "12-11-01" "cdcc" "SELinux Policy documentation for cdcc"
-+.SH "NAME"
-+cdcc_selinux \- Security Enhanced Linux Policy for the cdcc processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cdcc processes via flexible mandatory access control.
-+
-+The cdcc processes execute with the cdcc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cdcc_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cdcc_t SELinux type can be entered via the "cdcc_exec_t" file type. The default entrypoint paths for the cdcc_t domain are the following:"
-+
-+/usr/bin/cdcc
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cdcc policy is very flexible allowing users to setup their cdcc processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cdcc:
-+
-+.EX
-+.B cdcc_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cdcc policy is very flexible allowing users to setup their cdcc processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cdcc:
-+
-+
-+.EX
-+.PP
-+.B cdcc_exec_t
-+.EE
-+
-+- Set files with the cdcc_exec_t type, if you want to transition an executable to the cdcc_t domain.
-+
-+
-+.EX
-+.PP
-+.B cdcc_tmp_t
-+.EE
-+
-+- Set files with the cdcc_tmp_t type, if you want to store cdcc temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cdcc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cdcc_tmp_t
-+
-+
-+.br
-+.B dcc_client_map_t
-+
-+ /etc/dcc/map
-+.br
-+ /var/dcc/map
-+.br
-+ /var/lib/dcc/map
-+.br
-+ /var/run/dcc/map
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cdcc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the cdcc_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cdcc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/cdrecord_selinux.8 b/man/man8/cdrecord_selinux.8
-new file mode 100644
-index 0000000..f808c03
---- /dev/null
-+++ b/man/man8/cdrecord_selinux.8
-@@ -0,0 +1,108 @@
-+.TH "cdrecord_selinux" "8" "12-11-01" "cdrecord" "SELinux Policy documentation for cdrecord"
-+.SH "NAME"
-+cdrecord_selinux \- Security Enhanced Linux Policy for the cdrecord processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cdrecord processes via flexible mandatory access control.
-+
-+The cdrecord processes execute with the cdrecord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cdrecord_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cdrecord_t SELinux type can be entered via the "cdrecord_exec_t" file type. The default entrypoint paths for the cdrecord_t domain are the following:"
-+
-+/usr/bin/wodim, /usr/bin/cdrecord, /usr/bin/growisofs
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cdrecord policy is very flexible allowing users to setup their cdrecord processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cdrecord:
-+
-+.EX
-+.B cdrecord_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. cdrecord policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cdrecord with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files, you must turn on the cdrecord_read_content boolean.
-+
-+.EX
-+.B setsebool -P cdrecord_read_content 1
-+.EE
-+
-+.PP
-+If you want to allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files, you must turn on the cdrecord_read_content boolean.
-+
-+.EX
-+.B setsebool -P cdrecord_read_content 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cdrecord policy is very flexible allowing users to setup their cdrecord processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cdrecord:
-+
-+
-+.EX
-+.PP
-+.B cdrecord_exec_t
-+.EE
-+
-+- Set files with the cdrecord_exec_t type, if you want to transition an executable to the cdrecord_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cdrecord(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/certmaster_selinux.8 b/man/man8/certmaster_selinux.8
-new file mode 100644
-index 0000000..90729bf
---- /dev/null
-+++ b/man/man8/certmaster_selinux.8
-@@ -0,0 +1,208 @@
-+.TH "certmaster_selinux" "8" "12-11-01" "certmaster" "SELinux Policy documentation for certmaster"
-+.SH "NAME"
-+certmaster_selinux \- Security Enhanced Linux Policy for the certmaster processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the certmaster processes via flexible mandatory access control.
-+
-+The certmaster processes execute with the certmaster_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep certmaster_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The certmaster_t SELinux type can be entered via the "certmaster_exec_t" file type. The default entrypoint paths for the certmaster_t domain are the following:"
-+
-+/usr/bin/certmaster
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux certmaster policy is very flexible allowing users to setup their certmaster processes in as secure a method as possible.
-+.PP
-+The following process types are defined for certmaster:
-+
-+.EX
-+.B certmaster_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux certmaster policy is very flexible allowing users to setup their certmaster processes in as secure a method as possible.
-+.PP
-+The following file types are defined for certmaster:
-+
-+
-+.EX
-+.PP
-+.B certmaster_etc_rw_t
-+.EE
-+
-+- Set files with the certmaster_etc_rw_t type, if you want to treat the files as certmaster etc read/write content.
-+
-+
-+.EX
-+.PP
-+.B certmaster_exec_t
-+.EE
-+
-+- Set files with the certmaster_exec_t type, if you want to transition an executable to the certmaster_t domain.
-+
-+
-+.EX
-+.PP
-+.B certmaster_initrc_exec_t
-+.EE
-+
-+- Set files with the certmaster_initrc_exec_t type, if you want to transition an executable to the certmaster_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B certmaster_var_lib_t
-+.EE
-+
-+- Set files with the certmaster_var_lib_t type, if you want to store the certmaster files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B certmaster_var_log_t
-+.EE
-+
-+- Set files with the certmaster_var_log_t type, if you want to treat the data as certmaster var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B certmaster_var_run_t
-+.EE
-+
-+- Set files with the certmaster_var_run_t type, if you want to store the certmaster files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux certmaster policy is very flexible allowing users to setup their certmaster processes in as secure a method as possible.
-+.PP
-+The following port types are defined for certmaster:
-+
-+.EX
-+.TP 5
-+.B certmaster_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 51235
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type certmaster_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cert_t
-+
-+ /etc/pki(/.*)?
-+.br
-+ /etc/httpd/alias(/.*)?
-+.br
-+ /usr/share/ssl/certs(/.*)?
-+.br
-+ /usr/share/ssl/private(/.*)?
-+.br
-+ /var/named/chroot/etc/pki(/.*)?
-+.br
-+
-+.br
-+.B certmaster_etc_rw_t
-+
-+ /etc/certmaster(/.*)?
-+.br
-+
-+.br
-+.B certmaster_var_lib_t
-+
-+ /var/lib/certmaster(/.*)?
-+.br
-+
-+.br
-+.B certmaster_var_log_t
-+
-+ /var/log/certmaster(/.*)?
-+.br
-+
-+.br
-+.B certmaster_var_run_t
-+
-+ /var/run/certmaster.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the certmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the certmaster_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), certmaster(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/certmonger_selinux.8 b/man/man8/certmonger_selinux.8
-new file mode 100644
-index 0000000..17c7336
---- /dev/null
-+++ b/man/man8/certmonger_selinux.8
-@@ -0,0 +1,196 @@
-+.TH "certmonger_selinux" "8" "12-11-01" "certmonger" "SELinux Policy documentation for certmonger"
-+.SH "NAME"
-+certmonger_selinux \- Security Enhanced Linux Policy for the certmonger processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the certmonger processes via flexible mandatory access control.
-+
-+The certmonger processes execute with the certmonger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep certmonger_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The certmonger_t SELinux type can be entered via the "certmonger_exec_t" file type. The default entrypoint paths for the certmonger_t domain are the following:"
-+
-+/usr/sbin/certmonger
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux certmonger policy is very flexible allowing users to setup their certmonger processes in as secure a method as possible.
-+.PP
-+The following process types are defined for certmonger:
-+
-+.EX
-+.B certmonger_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux certmonger policy is very flexible allowing users to setup their certmonger processes in as secure a method as possible.
-+.PP
-+The following file types are defined for certmonger:
-+
-+
-+.EX
-+.PP
-+.B certmonger_exec_t
-+.EE
-+
-+- Set files with the certmonger_exec_t type, if you want to transition an executable to the certmonger_t domain.
-+
-+
-+.EX
-+.PP
-+.B certmonger_initrc_exec_t
-+.EE
-+
-+- Set files with the certmonger_initrc_exec_t type, if you want to transition an executable to the certmonger_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B certmonger_unconfined_exec_t
-+.EE
-+
-+- Set files with the certmonger_unconfined_exec_t type, if you want to transition an executable to the certmonger_unconfined_t domain.
-+
-+
-+.EX
-+.PP
-+.B certmonger_var_lib_t
-+.EE
-+
-+- Set files with the certmonger_var_lib_t type, if you want to store the certmonger files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B certmonger_var_run_t
-+.EE
-+
-+- Set files with the certmonger_var_run_t type, if you want to store the certmonger files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type certmonger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B cert_t
-+
-+ /etc/pki(/.*)?
-+.br
-+ /etc/httpd/alias(/.*)?
-+.br
-+ /usr/share/ssl/certs(/.*)?
-+.br
-+ /usr/share/ssl/private(/.*)?
-+.br
-+ /var/named/chroot/etc/pki(/.*)?
-+.br
-+
-+.br
-+.B certmonger_var_lib_t
-+
-+ /var/lib/certmonger(/.*)?
-+.br
-+
-+.br
-+.B certmonger_var_run_t
-+
-+ /var/run/certmonger.pid
-+.br
-+
-+.br
-+.B dirsrv_config_t
-+
-+ /etc/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B pki_tomcat_cert_t
-+
-+ /var/lib/pki-ca/alias(/.*)?
-+.br
-+ /var/lib/pki-kra/alias(/.*)?
-+.br
-+ /var/lib/pki-tks/alias(/.*)?
-+.br
-+ /var/lib/pki-ocsp/alias(/.*)?
-+.br
-+ /etc/pki/pki-tomcat/alias(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the certmonger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the certmonger_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), certmonger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/certwatch_selinux.8 b/man/man8/certwatch_selinux.8
-new file mode 100644
-index 0000000..7655104
---- /dev/null
-+++ b/man/man8/certwatch_selinux.8
-@@ -0,0 +1,96 @@
-+.TH "certwatch_selinux" "8" "12-11-01" "certwatch" "SELinux Policy documentation for certwatch"
-+.SH "NAME"
-+certwatch_selinux \- Security Enhanced Linux Policy for the certwatch processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the certwatch processes via flexible mandatory access control.
-+
-+The certwatch processes execute with the certwatch_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep certwatch_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The certwatch_t SELinux type can be entered via the "certwatch_exec_t" file type. The default entrypoint paths for the certwatch_t domain are the following:"
-+
-+/usr/bin/certwatch
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux certwatch policy is very flexible allowing users to setup their certwatch processes in as secure a method as possible.
-+.PP
-+The following process types are defined for certwatch:
-+
-+.EX
-+.B certwatch_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux certwatch policy is very flexible allowing users to setup their certwatch processes in as secure a method as possible.
-+.PP
-+The following file types are defined for certwatch:
-+
-+
-+.EX
-+.PP
-+.B certwatch_exec_t
-+.EE
-+
-+- Set files with the certwatch_exec_t type, if you want to transition an executable to the certwatch_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type certwatch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), certwatch(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/cfengine_execd_selinux.8 b/man/man8/cfengine_execd_selinux.8
-new file mode 100644
-index 0000000..12fcf8b
---- /dev/null
-+++ b/man/man8/cfengine_execd_selinux.8
-@@ -0,0 +1,117 @@
-+.TH "cfengine_execd_selinux" "8" "12-11-01" "cfengine_execd" "SELinux Policy documentation for cfengine_execd"
-+.SH "NAME"
-+cfengine_execd_selinux \- Security Enhanced Linux Policy for the cfengine_execd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cfengine_execd processes via flexible mandatory access control.
-+
-+The cfengine_execd processes execute with the cfengine_execd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cfengine_execd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cfengine_execd_t SELinux type can be entered via the "cfengine_execd_exec_t" file type. The default entrypoint paths for the cfengine_execd_t domain are the following:"
-+
-+/usr/sbin/cf-execd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cfengine_execd policy is very flexible allowing users to setup their cfengine_execd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cfengine_execd:
-+
-+.EX
-+.B cfengine_execd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cfengine_execd policy is very flexible allowing users to setup their cfengine_execd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cfengine_execd:
-+
-+
-+.EX
-+.PP
-+.B cfengine_execd_exec_t
-+.EE
-+
-+- Set files with the cfengine_execd_exec_t type, if you want to transition an executable to the cfengine_execd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cfengine_execd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cfengine_var_lib_t
-+
-+ /var/cfengine(/.*)?
-+.br
-+
-+.br
-+.B cfengine_var_log_t
-+
-+ /var/cfengine/outputs(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_execd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the cfengine_execd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cfengine_execd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, cfengine_monitord_selinux(8), cfengine_serverd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/cfengine_monitord_selinux.8 b/man/man8/cfengine_monitord_selinux.8
-new file mode 100644
-index 0000000..e4289e1
---- /dev/null
-+++ b/man/man8/cfengine_monitord_selinux.8
-@@ -0,0 +1,117 @@
-+.TH "cfengine_monitord_selinux" "8" "12-11-01" "cfengine_monitord" "SELinux Policy documentation for cfengine_monitord"
-+.SH "NAME"
-+cfengine_monitord_selinux \- Security Enhanced Linux Policy for the cfengine_monitord processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cfengine_monitord processes via flexible mandatory access control.
-+
-+The cfengine_monitord processes execute with the cfengine_monitord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cfengine_monitord_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cfengine_monitord_t SELinux type can be entered via the "cfengine_monitord_exec_t" file type. The default entrypoint paths for the cfengine_monitord_t domain are the following:"
-+
-+/usr/sbin/cf-monitord
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cfengine_monitord policy is very flexible allowing users to setup their cfengine_monitord processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cfengine_monitord:
-+
-+.EX
-+.B cfengine_monitord_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cfengine_monitord policy is very flexible allowing users to setup their cfengine_monitord processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cfengine_monitord:
-+
-+
-+.EX
-+.PP
-+.B cfengine_monitord_exec_t
-+.EE
-+
-+- Set files with the cfengine_monitord_exec_t type, if you want to transition an executable to the cfengine_monitord_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cfengine_monitord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cfengine_var_lib_t
-+
-+ /var/cfengine(/.*)?
-+.br
-+
-+.br
-+.B cfengine_var_log_t
-+
-+ /var/cfengine/outputs(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_monitord_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the cfengine_monitord_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cfengine_monitord(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, cfengine_execd_selinux(8), cfengine_serverd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/cfengine_serverd_selinux.8 b/man/man8/cfengine_serverd_selinux.8
-new file mode 100644
-index 0000000..55e7b52
---- /dev/null
-+++ b/man/man8/cfengine_serverd_selinux.8
-@@ -0,0 +1,117 @@
-+.TH "cfengine_serverd_selinux" "8" "12-11-01" "cfengine_serverd" "SELinux Policy documentation for cfengine_serverd"
-+.SH "NAME"
-+cfengine_serverd_selinux \- Security Enhanced Linux Policy for the cfengine_serverd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cfengine_serverd processes via flexible mandatory access control.
-+
-+The cfengine_serverd processes execute with the cfengine_serverd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cfengine_serverd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cfengine_serverd_t SELinux type can be entered via the "cfengine_serverd_exec_t" file type. The default entrypoint paths for the cfengine_serverd_t domain are the following:"
-+
-+/usr/sbin/cf-serverd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cfengine_serverd policy is very flexible allowing users to setup their cfengine_serverd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cfengine_serverd:
-+
-+.EX
-+.B cfengine_serverd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cfengine_serverd policy is very flexible allowing users to setup their cfengine_serverd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cfengine_serverd:
-+
-+
-+.EX
-+.PP
-+.B cfengine_serverd_exec_t
-+.EE
-+
-+- Set files with the cfengine_serverd_exec_t type, if you want to transition an executable to the cfengine_serverd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cfengine_serverd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cfengine_var_lib_t
-+
-+ /var/cfengine(/.*)?
-+.br
-+
-+.br
-+.B cfengine_var_log_t
-+
-+ /var/cfengine/outputs(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_serverd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the cfengine_serverd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cfengine_serverd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, cfengine_execd_selinux(8), cfengine_monitord_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/cgclear_selinux.8 b/man/man8/cgclear_selinux.8
-new file mode 100644
-index 0000000..e92daea
---- /dev/null
-+++ b/man/man8/cgclear_selinux.8
-@@ -0,0 +1,112 @@
-+.TH "cgclear_selinux" "8" "12-11-01" "cgclear" "SELinux Policy documentation for cgclear"
-+.SH "NAME"
-+cgclear_selinux \- Security Enhanced Linux Policy for the cgclear processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cgclear processes via flexible mandatory access control.
-+
-+The cgclear processes execute with the cgclear_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cgclear_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cgclear_t SELinux type can be entered via the "cgclear_exec_t" file type. The default entrypoint paths for the cgclear_t domain are the following:"
-+
-+/sbin/cgclear, /usr/sbin/cgclear
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cgclear policy is very flexible allowing users to setup their cgclear processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cgclear:
-+
-+.EX
-+.B cgclear_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cgclear policy is very flexible allowing users to setup their cgclear processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cgclear:
-+
-+
-+.EX
-+.PP
-+.B cgclear_exec_t
-+.EE
-+
-+- Set files with the cgclear_exec_t type, if you want to transition an executable to the cgclear_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cgclear_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgclear_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the cgclear_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cgclear(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/cgconfig_selinux.8 b/man/man8/cgconfig_selinux.8
-new file mode 100644
-index 0000000..8e5f96c
---- /dev/null
-+++ b/man/man8/cgconfig_selinux.8
-@@ -0,0 +1,128 @@
-+.TH "cgconfig_selinux" "8" "12-11-01" "cgconfig" "SELinux Policy documentation for cgconfig"
-+.SH "NAME"
-+cgconfig_selinux \- Security Enhanced Linux Policy for the cgconfig processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cgconfig processes via flexible mandatory access control.
-+
-+The cgconfig processes execute with the cgconfig_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cgconfig_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cgconfig_t SELinux type can be entered via the "cgconfig_exec_t" file type. The default entrypoint paths for the cgconfig_t domain are the following:"
-+
-+/sbin/cgconfigparser, /usr/sbin/cgconfigparser
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cgconfig policy is very flexible allowing users to setup their cgconfig processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cgconfig:
-+
-+.EX
-+.B cgconfig_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cgconfig policy is very flexible allowing users to setup their cgconfig processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cgconfig:
-+
-+
-+.EX
-+.PP
-+.B cgconfig_etc_t
-+.EE
-+
-+- Set files with the cgconfig_etc_t type, if you want to store cgconfig files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B cgconfig_exec_t
-+.EE
-+
-+- Set files with the cgconfig_exec_t type, if you want to transition an executable to the cgconfig_t domain.
-+
-+
-+.EX
-+.PP
-+.B cgconfig_initrc_exec_t
-+.EE
-+
-+- Set files with the cgconfig_initrc_exec_t type, if you want to transition an executable to the cgconfig_initrc_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cgconfig_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the cgconfig_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cgconfig(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/cgred_selinux.8 b/man/man8/cgred_selinux.8
-new file mode 100644
-index 0000000..dfaff3f
---- /dev/null
-+++ b/man/man8/cgred_selinux.8
-@@ -0,0 +1,148 @@
-+.TH "cgred_selinux" "8" "12-11-01" "cgred" "SELinux Policy documentation for cgred"
-+.SH "NAME"
-+cgred_selinux \- Security Enhanced Linux Policy for the cgred processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cgred processes via flexible mandatory access control.
-+
-+The cgred processes execute with the cgred_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cgred_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cgred_t SELinux type can be entered via the "cgred_exec_t" file type. The default entrypoint paths for the cgred_t domain are the following:"
-+
-+/sbin/cgrulesengd, /usr/sbin/cgrulesengd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cgred policy is very flexible allowing users to setup their cgred processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cgred:
-+
-+.EX
-+.B cgred_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cgred policy is very flexible allowing users to setup their cgred processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cgred:
-+
-+
-+.EX
-+.PP
-+.B cgred_exec_t
-+.EE
-+
-+- Set files with the cgred_exec_t type, if you want to transition an executable to the cgred_t domain.
-+
-+
-+.EX
-+.PP
-+.B cgred_initrc_exec_t
-+.EE
-+
-+- Set files with the cgred_initrc_exec_t type, if you want to transition an executable to the cgred_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B cgred_log_t
-+.EE
-+
-+- Set files with the cgred_log_t type, if you want to treat the data as cgred log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B cgred_var_run_t
-+.EE
-+
-+- Set files with the cgred_var_run_t type, if you want to store the cgred files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cgred_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cgred_log_t
-+
-+ /var/log/cgrulesengd\.log.*
-+.br
-+
-+.br
-+.B cgred_var_run_t
-+
-+ /var/run/cgred.*
-+.br
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgred_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the cgred_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cgred(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/checkpc_selinux.8 b/man/man8/checkpc_selinux.8
-new file mode 100644
-index 0000000..72abe95
---- /dev/null
-+++ b/man/man8/checkpc_selinux.8
-@@ -0,0 +1,112 @@
-+.TH "checkpc_selinux" "8" "12-11-01" "checkpc" "SELinux Policy documentation for checkpc"
-+.SH "NAME"
-+checkpc_selinux \- Security Enhanced Linux Policy for the checkpc processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the checkpc processes via flexible mandatory access control.
-+
-+The checkpc processes execute with the checkpc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep checkpc_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The checkpc_t SELinux type can be entered via the "checkpc_exec_t" file type. The default entrypoint paths for the checkpc_t domain are the following:"
-+
-+/usr/sbin/checkpc
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux checkpc policy is very flexible allowing users to setup their checkpc processes in as secure a method as possible.
-+.PP
-+The following process types are defined for checkpc:
-+
-+.EX
-+.B checkpc_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux checkpc policy is very flexible allowing users to setup their checkpc processes in as secure a method as possible.
-+.PP
-+The following file types are defined for checkpc:
-+
-+
-+.EX
-+.PP
-+.B checkpc_exec_t
-+.EE
-+
-+- Set files with the checkpc_exec_t type, if you want to transition an executable to the checkpc_t domain.
-+
-+
-+.EX
-+.PP
-+.B checkpc_log_t
-+.EE
-+
-+- Set files with the checkpc_log_t type, if you want to treat the data as checkpc log data, usually stored under the /var/log directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type checkpc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B checkpc_log_t
-+
-+
-+.br
-+.B print_spool_t
-+
-+ /var/spool/lpd(/.*)?
-+.br
-+ /var/spool/cups(/.*)?
-+.br
-+ /var/spool/cups-pdf(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), checkpc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/checkpolicy_selinux.8 b/man/man8/checkpolicy_selinux.8
-new file mode 100644
-index 0000000..b3bbf2c
---- /dev/null
-+++ b/man/man8/checkpolicy_selinux.8
-@@ -0,0 +1,102 @@
-+.TH "checkpolicy_selinux" "8" "12-11-01" "checkpolicy" "SELinux Policy documentation for checkpolicy"
-+.SH "NAME"
-+checkpolicy_selinux \- Security Enhanced Linux Policy for the checkpolicy processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the checkpolicy processes via flexible mandatory access control.
-+
-+The checkpolicy processes execute with the checkpolicy_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep checkpolicy_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The checkpolicy_t SELinux type can be entered via the "checkpolicy_exec_t" file type. The default entrypoint paths for the checkpolicy_t domain are the following:"
-+
-+/usr/bin/checkpolicy
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux checkpolicy policy is very flexible allowing users to setup their checkpolicy processes in as secure a method as possible.
-+.PP
-+The following process types are defined for checkpolicy:
-+
-+.EX
-+.B checkpolicy_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux checkpolicy policy is very flexible allowing users to setup their checkpolicy processes in as secure a method as possible.
-+.PP
-+The following file types are defined for checkpolicy:
-+
-+
-+.EX
-+.PP
-+.B checkpolicy_exec_t
-+.EE
-+
-+- Set files with the checkpolicy_exec_t type, if you want to transition an executable to the checkpolicy_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type checkpolicy_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B semanage_store_t
-+
-+ /etc/selinux/([^/]*/)?policy(/.*)?
-+.br
-+ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
-+.br
-+ /etc/share/selinux/mls(/.*)?
-+.br
-+ /etc/share/selinux/targeted(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), checkpolicy(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/chfn_selinux.8 b/man/man8/chfn_selinux.8
-new file mode 100644
-index 0000000..9a08bac
---- /dev/null
-+++ b/man/man8/chfn_selinux.8
-@@ -0,0 +1,198 @@
-+.TH "chfn_selinux" "8" "12-11-01" "chfn" "SELinux Policy documentation for chfn"
-+.SH "NAME"
-+chfn_selinux \- Security Enhanced Linux Policy for the chfn processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the chfn processes via flexible mandatory access control.
-+
-+The chfn processes execute with the chfn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep chfn_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The chfn_t SELinux type can be entered via the "chfn_exec_t" file type. The default entrypoint paths for the chfn_t domain are the following:"
-+
-+/usr/bin/chfn, /usr/bin/chsh
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux chfn policy is very flexible allowing users to setup their chfn processes in as secure a method as possible.
-+.PP
-+The following process types are defined for chfn:
-+
-+.EX
-+.B chfn_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux chfn policy is very flexible allowing users to setup their chfn processes in as secure a method as possible.
-+.PP
-+The following file types are defined for chfn:
-+
-+
-+.EX
-+.PP
-+.B chfn_exec_t
-+.EE
-+
-+- Set files with the chfn_exec_t type, if you want to transition an executable to the chfn_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type chfn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B passwd_file_t
-+
-+ /etc/group[-\+]?
-+.br
-+ /etc/passwd[-\+]?
-+.br
-+ /etc/passwd\.adjunct.*
-+.br
-+ /etc/ptmptmp
-+.br
-+ /etc/\.pwd\.lock
-+.br
-+ /etc/group\.lock
-+.br
-+ /etc/passwd\.OLD
-+.br
-+ /etc/passwd\.lock
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chfn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the chfn_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), chfn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/chkpwd_selinux.8 b/man/man8/chkpwd_selinux.8
-new file mode 100644
-index 0000000..fa2035e
---- /dev/null
-+++ b/man/man8/chkpwd_selinux.8
-@@ -0,0 +1,100 @@
-+.TH "chkpwd_selinux" "8" "12-11-01" "chkpwd" "SELinux Policy documentation for chkpwd"
-+.SH "NAME"
-+chkpwd_selinux \- Security Enhanced Linux Policy for the chkpwd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the chkpwd processes via flexible mandatory access control.
-+
-+The chkpwd processes execute with the chkpwd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep chkpwd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The chkpwd_t SELinux type can be entered via the "chkpwd_exec_t" file type. The default entrypoint paths for the chkpwd_t domain are the following:"
-+
-+/sbin/unix_chkpwd, /sbin/unix_verify, /usr/sbin/validate, /usr/sbin/unix_chkpwd, /usr/sbin/unix_verify
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux chkpwd policy is very flexible allowing users to setup their chkpwd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for chkpwd:
-+
-+.EX
-+.B chkpwd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux chkpwd policy is very flexible allowing users to setup their chkpwd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for chkpwd:
-+
-+
-+.EX
-+.PP
-+.B chkpwd_exec_t
-+.EE
-+
-+- Set files with the chkpwd_exec_t type, if you want to transition an executable to the chkpwd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chkpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the chkpwd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), chkpwd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/chrome_sandbox_nacl_selinux.8 b/man/man8/chrome_sandbox_nacl_selinux.8
-new file mode 100644
-index 0000000..9f1594b
---- /dev/null
-+++ b/man/man8/chrome_sandbox_nacl_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "chrome_sandbox_nacl_selinux" "8" "12-11-01" "chrome_sandbox_nacl" "SELinux Policy documentation for chrome_sandbox_nacl"
-+.SH "NAME"
-+chrome_sandbox_nacl_selinux \- Security Enhanced Linux Policy for the chrome_sandbox_nacl processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the chrome_sandbox_nacl processes via flexible mandatory access control.
-+
-+The chrome_sandbox_nacl processes execute with the chrome_sandbox_nacl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep chrome_sandbox_nacl_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The chrome_sandbox_nacl_t SELinux type can be entered via the "bin_t,chrome_sandbox_nacl_exec_t" file types. The default entrypoint paths for the chrome_sandbox_nacl_t domain are the following:"
-+
-+/bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, /usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, /usr/lib/xen/bin(/.*)?, /usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, /usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, /etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/share/shorewall-perl(/.*)?, /usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, /usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, /etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, /etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, /usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, /usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, /usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/share/system-config-securitylevel/system-config-securitylevel\.py, /opt/google/chrome/nacl_helper_bootstrap, /usr/lib/chromium-browser/nacl_helper_bootstrap
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux chrome_sandbox_nacl policy is very flexible allowing users to setup their chrome_sandbox_nacl processes in as secure a method as possible.
-+.PP
-+The following process types are defined for chrome_sandbox_nacl:
-+
-+.EX
-+.B chrome_sandbox_nacl_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux chrome_sandbox_nacl policy is very flexible allowing users to setup their chrome_sandbox_nacl processes in as secure a method as possible.
-+.PP
-+The following file types are defined for chrome_sandbox_nacl:
-+
-+
-+.EX
-+.PP
-+.B chrome_sandbox_nacl_exec_t
-+.EE
-+
-+- Set files with the chrome_sandbox_nacl_exec_t type, if you want to transition an executable to the chrome_sandbox_nacl_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type chrome_sandbox_nacl_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B chrome_sandbox_tmpfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), chrome_sandbox_nacl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, chrome_sandbox_selinux(8), chrome_sandbox_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/chrome_sandbox_selinux.8 b/man/man8/chrome_sandbox_selinux.8
-new file mode 100644
-index 0000000..42c38de
---- /dev/null
-+++ b/man/man8/chrome_sandbox_selinux.8
-@@ -0,0 +1,206 @@
-+.TH "chrome_sandbox_selinux" "8" "12-11-01" "chrome_sandbox" "SELinux Policy documentation for chrome_sandbox"
-+.SH "NAME"
-+chrome_sandbox_selinux \- Security Enhanced Linux Policy for the chrome_sandbox processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the chrome_sandbox processes via flexible mandatory access control.
-+
-+The chrome_sandbox processes execute with the chrome_sandbox_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep chrome_sandbox_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The chrome_sandbox_t SELinux type can be entered via the "chrome_sandbox_exec_t" file type. The default entrypoint paths for the chrome_sandbox_t domain are the following:"
-+
-+/opt/google/chrome/chrome-sandbox, /usr/lib/chromium-browser/chrome-sandbox
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux chrome_sandbox policy is very flexible allowing users to setup their chrome_sandbox processes in as secure a method as possible.
-+.PP
-+The following process types are defined for chrome_sandbox:
-+
-+.EX
-+.B chrome_sandbox_t, chrome_sandbox_nacl_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. chrome_sandbox policy is extremely flexible and has several booleans that allow you to manipulate the policy and run chrome_sandbox with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean.
-+
-+.EX
-+.B setsebool -P unconfined_chrome_sandbox_transition 1
-+.EE
-+
-+.PP
-+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean.
-+
-+.EX
-+.B setsebool -P unconfined_chrome_sandbox_transition 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux chrome_sandbox policy is very flexible allowing users to setup their chrome_sandbox processes in as secure a method as possible.
-+.PP
-+The following file types are defined for chrome_sandbox:
-+
-+
-+.EX
-+.PP
-+.B chrome_sandbox_exec_t
-+.EE
-+
-+- Set files with the chrome_sandbox_exec_t type, if you want to transition an executable to the chrome_sandbox_t domain.
-+
-+
-+.EX
-+.PP
-+.B chrome_sandbox_nacl_exec_t
-+.EE
-+
-+- Set files with the chrome_sandbox_nacl_exec_t type, if you want to transition an executable to the chrome_sandbox_nacl_t domain.
-+
-+
-+.EX
-+.PP
-+.B chrome_sandbox_tmp_t
-+.EE
-+
-+- Set files with the chrome_sandbox_tmp_t type, if you want to store chrome sandbox temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B chrome_sandbox_tmpfs_t
-+.EE
-+
-+- Set files with the chrome_sandbox_tmpfs_t type, if you want to store chrome sandbox files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type chrome_sandbox_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B chrome_sandbox_tmp_t
-+
-+
-+.br
-+.B chrome_sandbox_tmpfs_t
-+
-+
-+.br
-+.B home_cert_t
-+
-+ /root/\.pki(/.*)?
-+.br
-+ /root/\.cert(/.*)?
-+.br
-+ /home/[^/]*/.kde/share/apps/networkmanagement/certificates(/.*)?
-+.br
-+ /home/[^/]*/\.pki(/.*)?
-+.br
-+ /home/[^/]*/\.cert(/.*)?
-+.br
-+ /home/dwalsh/.kde/share/apps/networkmanagement/certificates(/.*)?
-+.br
-+ /home/dwalsh/\.pki(/.*)?
-+.br
-+ /home/dwalsh/\.cert(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/.kde/share/apps/networkmanagement/certificates(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.pki(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cert(/.*)?
-+.br
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), chrome_sandbox(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), chrome_sandbox_nacl_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/chronyd_selinux.8 b/man/man8/chronyd_selinux.8
-new file mode 100644
-index 0000000..2e165b5
---- /dev/null
-+++ b/man/man8/chronyd_selinux.8
-@@ -0,0 +1,216 @@
-+.TH "chronyd_selinux" "8" "12-11-01" "chronyd" "SELinux Policy documentation for chronyd"
-+.SH "NAME"
-+chronyd_selinux \- Security Enhanced Linux Policy for the chronyd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the chronyd processes via flexible mandatory access control.
-+
-+The chronyd processes execute with the chronyd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep chronyd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The chronyd_t SELinux type can be entered via the "chronyd_exec_t" file type. The default entrypoint paths for the chronyd_t domain are the following:"
-+
-+/usr/sbin/chronyd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux chronyd policy is very flexible allowing users to setup their chronyd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for chronyd:
-+
-+.EX
-+.B chronyd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux chronyd policy is very flexible allowing users to setup their chronyd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for chronyd:
-+
-+
-+.EX
-+.PP
-+.B chronyd_exec_t
-+.EE
-+
-+- Set files with the chronyd_exec_t type, if you want to transition an executable to the chronyd_t domain.
-+
-+
-+.EX
-+.PP
-+.B chronyd_initrc_exec_t
-+.EE
-+
-+- Set files with the chronyd_initrc_exec_t type, if you want to transition an executable to the chronyd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B chronyd_keys_t
-+.EE
-+
-+- Set files with the chronyd_keys_t type, if you want to treat the files as chronyd keys data.
-+
-+
-+.EX
-+.PP
-+.B chronyd_tmpfs_t
-+.EE
-+
-+- Set files with the chronyd_tmpfs_t type, if you want to store chronyd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B chronyd_unit_file_t
-+.EE
-+
-+- Set files with the chronyd_unit_file_t type, if you want to treat the files as chronyd unit content.
-+
-+
-+.EX
-+.PP
-+.B chronyd_var_lib_t
-+.EE
-+
-+- Set files with the chronyd_var_lib_t type, if you want to store the chronyd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B chronyd_var_log_t
-+.EE
-+
-+- Set files with the chronyd_var_log_t type, if you want to treat the data as chronyd var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B chronyd_var_run_t
-+.EE
-+
-+- Set files with the chronyd_var_run_t type, if you want to store the chronyd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux chronyd policy is very flexible allowing users to setup their chronyd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for chronyd:
-+
-+.EX
-+.TP 5
-+.B chronyd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 323
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type chronyd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B chronyd_tmpfs_t
-+
-+
-+.br
-+.B chronyd_var_lib_t
-+
-+ /var/lib/chrony(/.*)?
-+.br
-+
-+.br
-+.B chronyd_var_log_t
-+
-+ /var/log/chrony(/.*)?
-+.br
-+
-+.br
-+.B chronyd_var_run_t
-+
-+ /var/run/chronyd(/.*)
-+.br
-+ /var/run/chronyd\.pid
-+.br
-+ /var/run/chronyd\.sock
-+.br
-+
-+.br
-+.B gpsd_tmpfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chronyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the chronyd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), chronyd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ciped_selinux.8 b/man/man8/ciped_selinux.8
-new file mode 100644
-index 0000000..7e19c9b
---- /dev/null
-+++ b/man/man8/ciped_selinux.8
-@@ -0,0 +1,86 @@
-+.TH "ciped_selinux" "8" "12-11-01" "ciped" "SELinux Policy documentation for ciped"
-+.SH "NAME"
-+ciped_selinux \- Security Enhanced Linux Policy for the ciped processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ciped processes via flexible mandatory access control.
-+
-+The ciped processes execute with the ciped_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ciped_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ciped_t SELinux type can be entered via the "ciped_exec_t" file type. The default entrypoint paths for the ciped_t domain are the following:"
-+
-+/usr/sbin/ciped.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ciped policy is very flexible allowing users to setup their ciped processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ciped:
-+
-+.EX
-+.B ciped_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ciped policy is very flexible allowing users to setup their ciped processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ciped:
-+
-+
-+.EX
-+.PP
-+.B ciped_exec_t
-+.EE
-+
-+- Set files with the ciped_exec_t type, if you want to transition an executable to the ciped_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ciped(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/clamd_selinux.8 b/man/man8/clamd_selinux.8
-new file mode 100644
-index 0000000..26f026b
---- /dev/null
-+++ b/man/man8/clamd_selinux.8
-@@ -0,0 +1,284 @@
-+.TH "clamd_selinux" "8" "12-11-01" "clamd" "SELinux Policy documentation for clamd"
-+.SH "NAME"
-+clamd_selinux \- Security Enhanced Linux Policy for the clamd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the clamd processes via flexible mandatory access control.
-+
-+The clamd processes execute with the clamd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep clamd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The clamd_t SELinux type can be entered via the "clamd_exec_t" file type. The default entrypoint paths for the clamd_t domain are the following:"
-+
-+/usr/sbin/clamd, /usr/sbin/clamav-milter
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux clamd policy is very flexible allowing users to setup their clamd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for clamd:
-+
-+.EX
-+.B clamd_t, clamscan_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. clamd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clamd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow clamd to use JIT compiler, you must turn on the clamd_use_jit boolean.
-+
-+.EX
-+.B setsebool -P clamd_use_jit 1
-+.EE
-+
-+.PP
-+If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean.
-+
-+.EX
-+.B setsebool -P clamscan_can_scan_system 1
-+.EE
-+
-+.PP
-+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
-+
-+.EX
-+.B setsebool -P clamscan_read_user_content 1
-+.EE
-+
-+.PP
-+If you want to allow clamd to use JIT compiler, you must turn on the clamd_use_jit boolean.
-+
-+.EX
-+.B setsebool -P clamd_use_jit 1
-+.EE
-+
-+.PP
-+If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean.
-+
-+.EX
-+.B setsebool -P clamscan_can_scan_system 1
-+.EE
-+
-+.PP
-+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
-+
-+.EX
-+.B setsebool -P clamscan_read_user_content 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux clamd policy is very flexible allowing users to setup their clamd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for clamd:
-+
-+
-+.EX
-+.PP
-+.B clamd_etc_t
-+.EE
-+
-+- Set files with the clamd_etc_t type, if you want to store clamd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B clamd_exec_t
-+.EE
-+
-+- Set files with the clamd_exec_t type, if you want to transition an executable to the clamd_t domain.
-+
-+
-+.EX
-+.PP
-+.B clamd_initrc_exec_t
-+.EE
-+
-+- Set files with the clamd_initrc_exec_t type, if you want to transition an executable to the clamd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B clamd_tmp_t
-+.EE
-+
-+- Set files with the clamd_tmp_t type, if you want to store clamd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B clamd_unit_file_t
-+.EE
-+
-+- Set files with the clamd_unit_file_t type, if you want to treat the files as clamd unit content.
-+
-+
-+.EX
-+.PP
-+.B clamd_var_lib_t
-+.EE
-+
-+- Set files with the clamd_var_lib_t type, if you want to store the clamd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B clamd_var_log_t
-+.EE
-+
-+- Set files with the clamd_var_log_t type, if you want to treat the data as clamd var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B clamd_var_run_t
-+.EE
-+
-+- Set files with the clamd_var_run_t type, if you want to store the clamd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux clamd policy is very flexible allowing users to setup their clamd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for clamd:
-+
-+.EX
-+.TP 5
-+.B clamd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 3310
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type clamd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B amavis_spool_t
-+
-+ /var/spool/amavisd(/.*)?
-+.br
-+
-+.br
-+.B antivirus_db_t
-+
-+ /var/opt/f-secure(/.*)?
-+.br
-+
-+.br
-+.B clamd_tmp_t
-+
-+
-+.br
-+.B clamd_var_lib_t
-+
-+ /var/clamav(/.*)?
-+.br
-+ /var/lib/clamd.*
-+.br
-+ /var/lib/clamav(/.*)?
-+.br
-+
-+.br
-+.B clamd_var_log_t
-+
-+ /var/log/clamd.*
-+.br
-+ /var/log/clamav.*
-+.br
-+
-+.br
-+.B clamd_var_run_t
-+
-+ /var/run/clamd.*
-+.br
-+ /var/run/clamav.*
-+.br
-+ /var/run/amavis(d)?/clamd\.pid
-+.br
-+ /var/spool/MailScanner(/.*)?
-+.br
-+ /var/spool/amavisd/clamd\.sock
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the clamd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the clamd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), clamd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), clamscan_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/clamscan_selinux.8 b/man/man8/clamscan_selinux.8
-new file mode 100644
-index 0000000..d29a7f2
---- /dev/null
-+++ b/man/man8/clamscan_selinux.8
-@@ -0,0 +1,160 @@
-+.TH "clamscan_selinux" "8" "12-11-01" "clamscan" "SELinux Policy documentation for clamscan"
-+.SH "NAME"
-+clamscan_selinux \- Security Enhanced Linux Policy for the clamscan processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the clamscan processes via flexible mandatory access control.
-+
-+The clamscan processes execute with the clamscan_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep clamscan_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The clamscan_t SELinux type can be entered via the "clamscan_exec_t" file type. The default entrypoint paths for the clamscan_t domain are the following:"
-+
-+/usr/bin/clamscan, /usr/bin/clamdscan
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux clamscan policy is very flexible allowing users to setup their clamscan processes in as secure a method as possible.
-+.PP
-+The following process types are defined for clamscan:
-+
-+.EX
-+.B clamscan_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. clamscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clamscan with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean.
-+
-+.EX
-+.B setsebool -P clamscan_can_scan_system 1
-+.EE
-+
-+.PP
-+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
-+
-+.EX
-+.B setsebool -P clamscan_read_user_content 1
-+.EE
-+
-+.PP
-+If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean.
-+
-+.EX
-+.B setsebool -P clamscan_can_scan_system 1
-+.EE
-+
-+.PP
-+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
-+
-+.EX
-+.B setsebool -P clamscan_read_user_content 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux clamscan policy is very flexible allowing users to setup their clamscan processes in as secure a method as possible.
-+.PP
-+The following file types are defined for clamscan:
-+
-+
-+.EX
-+.PP
-+.B clamscan_exec_t
-+.EE
-+
-+- Set files with the clamscan_exec_t type, if you want to transition an executable to the clamscan_t domain.
-+
-+
-+.EX
-+.PP
-+.B clamscan_tmp_t
-+.EE
-+
-+- Set files with the clamscan_tmp_t type, if you want to store clamscan temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type clamscan_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B amavis_spool_t
-+
-+ /var/spool/amavisd(/.*)?
-+.br
-+
-+.br
-+.B antivirus_db_t
-+
-+ /var/opt/f-secure(/.*)?
-+.br
-+
-+.br
-+.B clamd_var_lib_t
-+
-+ /var/clamav(/.*)?
-+.br
-+ /var/lib/clamd.*
-+.br
-+ /var/lib/clamav(/.*)?
-+.br
-+
-+.br
-+.B clamscan_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), clamscan(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/clogd_selinux.8 b/man/man8/clogd_selinux.8
-new file mode 100644
-index 0000000..376c775
---- /dev/null
-+++ b/man/man8/clogd_selinux.8
-@@ -0,0 +1,116 @@
-+.TH "clogd_selinux" "8" "12-11-01" "clogd" "SELinux Policy documentation for clogd"
-+.SH "NAME"
-+clogd_selinux \- Security Enhanced Linux Policy for the clogd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the clogd processes via flexible mandatory access control.
-+
-+The clogd processes execute with the clogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep clogd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The clogd_t SELinux type can be entered via the "clogd_exec_t" file type. The default entrypoint paths for the clogd_t domain are the following:"
-+
-+/usr/sbin/clogd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux clogd policy is very flexible allowing users to setup their clogd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for clogd:
-+
-+.EX
-+.B clogd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux clogd policy is very flexible allowing users to setup their clogd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for clogd:
-+
-+
-+.EX
-+.PP
-+.B clogd_exec_t
-+.EE
-+
-+- Set files with the clogd_exec_t type, if you want to transition an executable to the clogd_t domain.
-+
-+
-+.EX
-+.PP
-+.B clogd_tmpfs_t
-+.EE
-+
-+- Set files with the clogd_tmpfs_t type, if you want to store clogd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B clogd_var_run_t
-+.EE
-+
-+- Set files with the clogd_var_run_t type, if you want to store the clogd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type clogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B clogd_tmpfs_t
-+
-+
-+.br
-+.B clogd_var_run_t
-+
-+ /var/run/clogd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), clogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/clvmd_selinux.8 b/man/man8/clvmd_selinux.8
-new file mode 100644
-index 0000000..6c83943
---- /dev/null
-+++ b/man/man8/clvmd_selinux.8
-@@ -0,0 +1,142 @@
-+.TH "clvmd_selinux" "8" "12-11-01" "clvmd" "SELinux Policy documentation for clvmd"
-+.SH "NAME"
-+clvmd_selinux \- Security Enhanced Linux Policy for the clvmd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the clvmd processes via flexible mandatory access control.
-+
-+The clvmd processes execute with the clvmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep clvmd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The clvmd_t SELinux type can be entered via the "clvmd_exec_t" file type. The default entrypoint paths for the clvmd_t domain are the following:"
-+
-+/usr/sbin/clvmd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux clvmd policy is very flexible allowing users to setup their clvmd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for clvmd:
-+
-+.EX
-+.B clvmd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux clvmd policy is very flexible allowing users to setup their clvmd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for clvmd:
-+
-+
-+.EX
-+.PP
-+.B clvmd_exec_t
-+.EE
-+
-+- Set files with the clvmd_exec_t type, if you want to transition an executable to the clvmd_t domain.
-+
-+
-+.EX
-+.PP
-+.B clvmd_initrc_exec_t
-+.EE
-+
-+- Set files with the clvmd_initrc_exec_t type, if you want to transition an executable to the clvmd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B clvmd_tmpfs_t
-+.EE
-+
-+- Set files with the clvmd_tmpfs_t type, if you want to store clvmd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B clvmd_var_run_t
-+.EE
-+
-+- Set files with the clvmd_var_run_t type, if you want to store the clvmd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type clvmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B clvmd_tmpfs_t
-+
-+
-+.br
-+.B clvmd_var_run_t
-+
-+ /var/run/clvmd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the clvmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the clvmd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), clvmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/cmirrord_selinux.8 b/man/man8/cmirrord_selinux.8
-new file mode 100644
-index 0000000..529b7f4
---- /dev/null
-+++ b/man/man8/cmirrord_selinux.8
-@@ -0,0 +1,124 @@
-+.TH "cmirrord_selinux" "8" "12-11-01" "cmirrord" "SELinux Policy documentation for cmirrord"
-+.SH "NAME"
-+cmirrord_selinux \- Security Enhanced Linux Policy for the cmirrord processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cmirrord processes via flexible mandatory access control.
-+
-+The cmirrord processes execute with the cmirrord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cmirrord_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cmirrord_t SELinux type can be entered via the "cmirrord_exec_t" file type. The default entrypoint paths for the cmirrord_t domain are the following:"
-+
-+/usr/sbin/cmirrord
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cmirrord policy is very flexible allowing users to setup their cmirrord processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cmirrord:
-+
-+.EX
-+.B cmirrord_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cmirrord policy is very flexible allowing users to setup their cmirrord processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cmirrord:
-+
-+
-+.EX
-+.PP
-+.B cmirrord_exec_t
-+.EE
-+
-+- Set files with the cmirrord_exec_t type, if you want to transition an executable to the cmirrord_t domain.
-+
-+
-+.EX
-+.PP
-+.B cmirrord_initrc_exec_t
-+.EE
-+
-+- Set files with the cmirrord_initrc_exec_t type, if you want to transition an executable to the cmirrord_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B cmirrord_tmpfs_t
-+.EE
-+
-+- Set files with the cmirrord_tmpfs_t type, if you want to store cmirrord files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B cmirrord_var_run_t
-+.EE
-+
-+- Set files with the cmirrord_var_run_t type, if you want to store the cmirrord files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cmirrord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cmirrord_tmpfs_t
-+
-+
-+.br
-+.B cmirrord_var_run_t
-+
-+ /var/run/cmirrord\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cmirrord(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/cobblerd_selinux.8 b/man/man8/cobblerd_selinux.8
-new file mode 100644
-index 0000000..d1680db
---- /dev/null
-+++ b/man/man8/cobblerd_selinux.8
-@@ -0,0 +1,391 @@
-+.TH "cobblerd_selinux" "8" "12-11-01" "cobblerd" "SELinux Policy documentation for cobblerd"
-+.SH "NAME"
-+cobblerd_selinux \- Security Enhanced Linux Policy for the cobblerd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cobblerd processes via flexible mandatory access control.
-+
-+The cobblerd processes execute with the cobblerd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cobblerd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cobblerd_t SELinux type can be entered via the "cobblerd_exec_t" file type. The default entrypoint paths for the cobblerd_t domain are the following:"
-+
-+/usr/bin/cobblerd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cobblerd policy is very flexible allowing users to setup their cobblerd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cobblerd:
-+
-+.EX
-+.B cobblerd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. cobblerd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cobblerd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P cobbler_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow Cobbler to connect to the network using TCP, you must turn on the cobbler_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P cobbler_can_network_connect 1
-+.EE
-+
-+.PP
-+If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_network_connect_cobbler 1
-+.EE
-+
-+.PP
-+If you want to allow Cobbler to access cifs file systems, you must turn on the cobbler_use_cifs boolean.
-+
-+.EX
-+.B setsebool -P cobbler_use_cifs 1
-+.EE
-+
-+.PP
-+If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P cobbler_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow Cobbler to connect to the network using TCP, you must turn on the cobbler_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P cobbler_can_network_connect 1
-+.EE
-+
-+.PP
-+If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_network_connect_cobbler 1
-+.EE
-+
-+.PP
-+If you want to allow Cobbler to access cifs file systems, you must turn on the cobbler_use_cifs boolean.
-+
-+.EX
-+.B setsebool -P cobbler_use_cifs 1
-+.EE
-+
-+.SH SHARING FILES
-+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
-+.TP
-+Allow cobblerd servers to read the /var/cobblerd directory by adding the public_content_t file type to the directory and by restoring the file type.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_t "/var/cobblerd(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/cobblerd
-+.pp
-+.TP
-+Allow cobblerd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_cobblerdd_anon_write boolean to be set.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_rw_t "/var/cobblerd/incoming(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/cobblerd/incoming
-+
-+
-+.PP
-+If you want to allow Cobbler to modify public files used for public file transfer services., you must turn on the cobbler_anon_write boolean.
-+
-+.EX
-+.B setsebool -P cobbler_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow Cobbler to modify public files used for public file transfer services., you must turn on the cobbler_anon_write boolean.
-+
-+.EX
-+.B setsebool -P cobbler_anon_write 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cobblerd policy is very flexible allowing users to setup their cobblerd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cobblerd:
-+
-+
-+.EX
-+.PP
-+.B cobblerd_exec_t
-+.EE
-+
-+- Set files with the cobblerd_exec_t type, if you want to transition an executable to the cobblerd_t domain.
-+
-+
-+.EX
-+.PP
-+.B cobblerd_initrc_exec_t
-+.EE
-+
-+- Set files with the cobblerd_initrc_exec_t type, if you want to transition an executable to the cobblerd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B cobblerd_unit_file_t
-+.EE
-+
-+- Set files with the cobblerd_unit_file_t type, if you want to treat the files as cobblerd unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux cobblerd policy is very flexible allowing users to setup their cobblerd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for cobblerd:
-+
-+.EX
-+.TP 5
-+.B cobbler_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 25151
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cobblerd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cobbler_tmp_t
-+
-+
-+.br
-+.B cobbler_var_lib_t
-+
-+ /var/lib/cobbler(/.*)?
-+.br
-+ /var/www/cobbler/pub(/.*)?
-+.br
-+ /var/lib/tftpboot/etc(/.*)?
-+.br
-+ /var/lib/tftpboot/ppc(/.*)?
-+.br
-+ /var/lib/tftpboot/grub(/.*)?
-+.br
-+ /var/www/cobbler/links(/.*)?
-+.br
-+ /var/lib/tftpboot/s390x(/.*)?
-+.br
-+ /var/www/cobbler/images(/.*)?
-+.br
-+ /var/lib/tftpboot/images(/.*)?
-+.br
-+ /var/www/cobbler/rendered(/.*)?
-+.br
-+ /var/www/cobbler/ks_mirror(/.*)?
-+.br
-+ /var/www/cobbler/localmirror(/.*)?
-+.br
-+ /var/www/cobbler/repo_mirror(/.*)?
-+.br
-+ /var/lib/tftpboot/pxelinux\.cfg(/.*)?
-+.br
-+ /var/lib/tftpboot/yaboot
-+.br
-+ /var/lib/tftpboot/memdisk
-+.br
-+ /var/lib/tftpboot/menu\.c32
-+.br
-+ /var/lib/tftpboot/pxelinux\.0
-+.br
-+
-+.br
-+.B cobbler_var_log_t
-+
-+ /var/log/cobbler(/.*)?
-+.br
-+
-+.br
-+.B dhcp_etc_t
-+
-+ /etc/dhcpc.*
-+.br
-+ /etc/dhcp3(/.*)?
-+.br
-+ /etc/dhcpd(6)?\.conf
-+.br
-+ /etc/dhcp3?/dhclient.*
-+.br
-+ /etc/dhclient.*conf
-+.br
-+ /etc/dhcp/dhcpd(6)?\.conf
-+.br
-+ /etc/dhclient-script
-+.br
-+
-+.br
-+.B dnsmasq_etc_t
-+
-+ /etc/dnsmasq\.conf
-+.br
-+
-+.br
-+.B httpd_cobbler_rw_content_t
-+
-+
-+.br
-+.B named_conf_t
-+
-+ /etc/rndc.*
-+.br
-+ /etc/unbound(/.*)?
-+.br
-+ /var/named/chroot(/.*)?
-+.br
-+ /etc/named\.rfc1912.zones
-+.br
-+ /var/named/chroot/etc/named\.rfc1912.zones
-+.br
-+ /etc/named\.conf
-+.br
-+ /var/named/named\.ca
-+.br
-+ /etc/named\.root\.hints
-+.br
-+ /var/named/chroot/etc/named\.conf
-+.br
-+ /etc/named\.caching-nameserver\.conf
-+.br
-+ /var/named/chroot/var/named/named\.ca
-+.br
-+ /var/named/chroot/etc/named\.root\.hints
-+.br
-+ /var/named/chroot/etc/named\.caching-nameserver\.conf
-+.br
-+
-+.br
-+.B named_zone_t
-+
-+ /var/named(/.*)?
-+.br
-+ /var/named/chroot/var/named(/.*)?
-+.br
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.br
-+.B rsync_etc_t
-+
-+ /etc/rsyncd\.conf
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B tftpd_etc_t
-+
-+ /etc/xinetd\.d/tftp
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cobblerd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/collectd_selinux.8 b/man/man8/collectd_selinux.8
-new file mode 100644
-index 0000000..8593a45
---- /dev/null
-+++ b/man/man8/collectd_selinux.8
-@@ -0,0 +1,156 @@
-+.TH "collectd_selinux" "8" "12-11-01" "collectd" "SELinux Policy documentation for collectd"
-+.SH "NAME"
-+collectd_selinux \- Security Enhanced Linux Policy for the collectd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the collectd processes via flexible mandatory access control.
-+
-+The collectd processes execute with the collectd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep collectd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The collectd_t SELinux type can be entered via the "collectd_exec_t" file type. The default entrypoint paths for the collectd_t domain are the following:"
-+
-+/usr/sbin/collectd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux collectd policy is very flexible allowing users to setup their collectd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for collectd:
-+
-+.EX
-+.B collectd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. collectd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run collectd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow collectd to connect to the network using TCP, you must turn on the collectd_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P collectd_can_network_connect 1
-+.EE
-+
-+.PP
-+If you want to allow collectd to connect to the network using TCP, you must turn on the collectd_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P collectd_can_network_connect 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux collectd policy is very flexible allowing users to setup their collectd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for collectd:
-+
-+
-+.EX
-+.PP
-+.B collectd_exec_t
-+.EE
-+
-+- Set files with the collectd_exec_t type, if you want to transition an executable to the collectd_t domain.
-+
-+
-+.EX
-+.PP
-+.B collectd_initrc_exec_t
-+.EE
-+
-+- Set files with the collectd_initrc_exec_t type, if you want to transition an executable to the collectd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B collectd_unit_file_t
-+.EE
-+
-+- Set files with the collectd_unit_file_t type, if you want to treat the files as collectd unit content.
-+
-+
-+.EX
-+.PP
-+.B collectd_var_lib_t
-+.EE
-+
-+- Set files with the collectd_var_lib_t type, if you want to store the collectd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B collectd_var_run_t
-+.EE
-+
-+- Set files with the collectd_var_run_t type, if you want to store the collectd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type collectd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B collectd_var_lib_t
-+
-+ /var/lib/collectd(/.*)?
-+.br
-+
-+.br
-+.B collectd_var_run_t
-+
-+ /var/run/collectd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), collectd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/colord_selinux.8 b/man/man8/colord_selinux.8
-new file mode 100644
-index 0000000..5f598b7
---- /dev/null
-+++ b/man/man8/colord_selinux.8
-@@ -0,0 +1,164 @@
-+.TH "colord_selinux" "8" "12-11-01" "colord" "SELinux Policy documentation for colord"
-+.SH "NAME"
-+colord_selinux \- Security Enhanced Linux Policy for the colord processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the colord processes via flexible mandatory access control.
-+
-+The colord processes execute with the colord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep colord_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The colord_t SELinux type can be entered via the "colord_exec_t" file type. The default entrypoint paths for the colord_t domain are the following:"
-+
-+/usr/libexec/colord, /usr/libexec/colord-sane
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux colord policy is very flexible allowing users to setup their colord processes in as secure a method as possible.
-+.PP
-+The following process types are defined for colord:
-+
-+.EX
-+.B colord_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux colord policy is very flexible allowing users to setup their colord processes in as secure a method as possible.
-+.PP
-+The following file types are defined for colord:
-+
-+
-+.EX
-+.PP
-+.B colord_exec_t
-+.EE
-+
-+- Set files with the colord_exec_t type, if you want to transition an executable to the colord_t domain.
-+
-+
-+.EX
-+.PP
-+.B colord_tmp_t
-+.EE
-+
-+- Set files with the colord_tmp_t type, if you want to store colord temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B colord_tmpfs_t
-+.EE
-+
-+- Set files with the colord_tmpfs_t type, if you want to store colord files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B colord_unit_file_t
-+.EE
-+
-+- Set files with the colord_unit_file_t type, if you want to treat the files as colord unit content.
-+
-+
-+.EX
-+.PP
-+.B colord_var_lib_t
-+.EE
-+
-+- Set files with the colord_var_lib_t type, if you want to store the colord files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type colord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B colord_tmp_t
-+
-+
-+.br
-+.B colord_tmpfs_t
-+
-+
-+.br
-+.B colord_var_lib_t
-+
-+ /var/lib/color(/.*)?
-+.br
-+ /var/lib/colord(/.*)?
-+.br
-+
-+.br
-+.B user_tmpfs_t
-+
-+ /dev/shm/mono.*
-+.br
-+ /dev/shm/pulse-shm.*
-+.br
-+
-+.br
-+.B zoneminder_tmpfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the colord_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the colord_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), colord(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/comsat_selinux.8 b/man/man8/comsat_selinux.8
-new file mode 100644
-index 0000000..1301fea
---- /dev/null
-+++ b/man/man8/comsat_selinux.8
-@@ -0,0 +1,154 @@
-+.TH "comsat_selinux" "8" "12-11-01" "comsat" "SELinux Policy documentation for comsat"
-+.SH "NAME"
-+comsat_selinux \- Security Enhanced Linux Policy for the comsat processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the comsat processes via flexible mandatory access control.
-+
-+The comsat processes execute with the comsat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep comsat_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The comsat_t SELinux type can be entered via the "comsat_exec_t" file type. The default entrypoint paths for the comsat_t domain are the following:"
-+
-+/usr/sbin/in\.comsat
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux comsat policy is very flexible allowing users to setup their comsat processes in as secure a method as possible.
-+.PP
-+The following process types are defined for comsat:
-+
-+.EX
-+.B comsat_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux comsat policy is very flexible allowing users to setup their comsat processes in as secure a method as possible.
-+.PP
-+The following file types are defined for comsat:
-+
-+
-+.EX
-+.PP
-+.B comsat_exec_t
-+.EE
-+
-+- Set files with the comsat_exec_t type, if you want to transition an executable to the comsat_t domain.
-+
-+
-+.EX
-+.PP
-+.B comsat_tmp_t
-+.EE
-+
-+- Set files with the comsat_tmp_t type, if you want to store comsat temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B comsat_var_run_t
-+.EE
-+
-+- Set files with the comsat_var_run_t type, if you want to store the comsat files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux comsat policy is very flexible allowing users to setup their comsat processes in as secure a method as possible.
-+.PP
-+The following port types are defined for comsat:
-+
-+.EX
-+.TP 5
-+.B comsat_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 512
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type comsat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B comsat_tmp_t
-+
-+
-+.br
-+.B comsat_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the comsat_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the comsat_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), comsat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/condor_collector_selinux.8 b/man/man8/condor_collector_selinux.8
-new file mode 100644
-index 0000000..7b32989
---- /dev/null
-+++ b/man/man8/condor_collector_selinux.8
-@@ -0,0 +1,133 @@
-+.TH "condor_collector_selinux" "8" "12-11-01" "condor_collector" "SELinux Policy documentation for condor_collector"
-+.SH "NAME"
-+condor_collector_selinux \- Security Enhanced Linux Policy for the condor_collector processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the condor_collector processes via flexible mandatory access control.
-+
-+The condor_collector processes execute with the condor_collector_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep condor_collector_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The condor_collector_t SELinux type can be entered via the "condor_collector_exec_t" file type. The default entrypoint paths for the condor_collector_t domain are the following:"
-+
-+/usr/sbin/condor_collector
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux condor_collector policy is very flexible allowing users to setup their condor_collector processes in as secure a method as possible.
-+.PP
-+The following process types are defined for condor_collector:
-+
-+.EX
-+.B condor_collector_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux condor_collector policy is very flexible allowing users to setup their condor_collector processes in as secure a method as possible.
-+.PP
-+The following file types are defined for condor_collector:
-+
-+
-+.EX
-+.PP
-+.B condor_collector_exec_t
-+.EE
-+
-+- Set files with the condor_collector_exec_t type, if you want to transition an executable to the condor_collector_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type condor_collector_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B condor_log_t
-+
-+ /var/log/condor(/.*)?
-+.br
-+
-+.br
-+.B condor_var_lib_t
-+
-+ /var/lib/condor(/.*)?
-+.br
-+ /var/lib/condor/spool(/.*)?
-+.br
-+ /var/lib/condor/execute(/.*)?
-+.br
-+
-+.br
-+.B condor_var_lock_t
-+
-+ /var/lock/condor(/.*)?
-+.br
-+
-+.br
-+.B condor_var_run_t
-+
-+ /var/run/condor(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_collector_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the condor_collector_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), condor_collector(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/condor_master_selinux.8 b/man/man8/condor_master_selinux.8
-new file mode 100644
-index 0000000..fa4e2d5
---- /dev/null
-+++ b/man/man8/condor_master_selinux.8
-@@ -0,0 +1,119 @@
-+.TH "condor_master_selinux" "8" "12-11-01" "condor_master" "SELinux Policy documentation for condor_master"
-+.SH "NAME"
-+condor_master_selinux \- Security Enhanced Linux Policy for the condor_master processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the condor_master processes via flexible mandatory access control.
-+
-+The condor_master processes execute with the condor_master_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep condor_master_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The condor_master_t SELinux type can be entered via the "condor_master_exec_t" file type. The default entrypoint paths for the condor_master_t domain are the following:"
-+
-+/usr/sbin/condor_master
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux condor_master policy is very flexible allowing users to setup their condor_master processes in as secure a method as possible.
-+.PP
-+The following process types are defined for condor_master:
-+
-+.EX
-+.B condor_master_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux condor_master policy is very flexible allowing users to setup their condor_master processes in as secure a method as possible.
-+.PP
-+The following file types are defined for condor_master:
-+
-+
-+.EX
-+.PP
-+.B condor_master_exec_t
-+.EE
-+
-+- Set files with the condor_master_exec_t type, if you want to transition an executable to the condor_master_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type condor_master_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B condor_log_t
-+
-+ /var/log/condor(/.*)?
-+.br
-+
-+.br
-+.B condor_var_lib_t
-+
-+ /var/lib/condor(/.*)?
-+.br
-+ /var/lib/condor/spool(/.*)?
-+.br
-+ /var/lib/condor/execute(/.*)?
-+.br
-+
-+.br
-+.B condor_var_lock_t
-+
-+ /var/lock/condor(/.*)?
-+.br
-+
-+.br
-+.B condor_var_run_t
-+
-+ /var/run/condor(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), condor_master(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, condor_collector_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/condor_negotiator_selinux.8 b/man/man8/condor_negotiator_selinux.8
-new file mode 100644
-index 0000000..9116018
---- /dev/null
-+++ b/man/man8/condor_negotiator_selinux.8
-@@ -0,0 +1,133 @@
-+.TH "condor_negotiator_selinux" "8" "12-11-01" "condor_negotiator" "SELinux Policy documentation for condor_negotiator"
-+.SH "NAME"
-+condor_negotiator_selinux \- Security Enhanced Linux Policy for the condor_negotiator processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the condor_negotiator processes via flexible mandatory access control.
-+
-+The condor_negotiator processes execute with the condor_negotiator_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep condor_negotiator_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The condor_negotiator_t SELinux type can be entered via the "condor_negotiator_exec_t" file type. The default entrypoint paths for the condor_negotiator_t domain are the following:"
-+
-+/usr/sbin/condor_negotiator
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux condor_negotiator policy is very flexible allowing users to setup their condor_negotiator processes in as secure a method as possible.
-+.PP
-+The following process types are defined for condor_negotiator:
-+
-+.EX
-+.B condor_negotiator_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux condor_negotiator policy is very flexible allowing users to setup their condor_negotiator processes in as secure a method as possible.
-+.PP
-+The following file types are defined for condor_negotiator:
-+
-+
-+.EX
-+.PP
-+.B condor_negotiator_exec_t
-+.EE
-+
-+- Set files with the condor_negotiator_exec_t type, if you want to transition an executable to the condor_negotiator_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type condor_negotiator_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B condor_log_t
-+
-+ /var/log/condor(/.*)?
-+.br
-+
-+.br
-+.B condor_var_lib_t
-+
-+ /var/lib/condor(/.*)?
-+.br
-+ /var/lib/condor/spool(/.*)?
-+.br
-+ /var/lib/condor/execute(/.*)?
-+.br
-+
-+.br
-+.B condor_var_lock_t
-+
-+ /var/lock/condor(/.*)?
-+.br
-+
-+.br
-+.B condor_var_run_t
-+
-+ /var/run/condor(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_negotiator_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the condor_negotiator_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), condor_negotiator(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, condor_collector_selinux(8), condor_master_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/condor_procd_selinux.8 b/man/man8/condor_procd_selinux.8
-new file mode 100644
-index 0000000..d3e5176
---- /dev/null
-+++ b/man/man8/condor_procd_selinux.8
-@@ -0,0 +1,133 @@
-+.TH "condor_procd_selinux" "8" "12-11-01" "condor_procd" "SELinux Policy documentation for condor_procd"
-+.SH "NAME"
-+condor_procd_selinux \- Security Enhanced Linux Policy for the condor_procd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the condor_procd processes via flexible mandatory access control.
-+
-+The condor_procd processes execute with the condor_procd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep condor_procd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The condor_procd_t SELinux type can be entered via the "condor_procd_exec_t" file type. The default entrypoint paths for the condor_procd_t domain are the following:"
-+
-+/usr/sbin/condor_procd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux condor_procd policy is very flexible allowing users to setup their condor_procd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for condor_procd:
-+
-+.EX
-+.B condor_procd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux condor_procd policy is very flexible allowing users to setup their condor_procd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for condor_procd:
-+
-+
-+.EX
-+.PP
-+.B condor_procd_exec_t
-+.EE
-+
-+- Set files with the condor_procd_exec_t type, if you want to transition an executable to the condor_procd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type condor_procd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B condor_log_t
-+
-+ /var/log/condor(/.*)?
-+.br
-+
-+.br
-+.B condor_var_lib_t
-+
-+ /var/lib/condor(/.*)?
-+.br
-+ /var/lib/condor/spool(/.*)?
-+.br
-+ /var/lib/condor/execute(/.*)?
-+.br
-+
-+.br
-+.B condor_var_lock_t
-+
-+ /var/lock/condor(/.*)?
-+.br
-+
-+.br
-+.B condor_var_run_t
-+
-+ /var/run/condor(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_procd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the condor_procd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), condor_procd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/condor_schedd_selinux.8 b/man/man8/condor_schedd_selinux.8
-new file mode 100644
-index 0000000..4b28875
---- /dev/null
-+++ b/man/man8/condor_schedd_selinux.8
-@@ -0,0 +1,145 @@
-+.TH "condor_schedd_selinux" "8" "12-11-01" "condor_schedd" "SELinux Policy documentation for condor_schedd"
-+.SH "NAME"
-+condor_schedd_selinux \- Security Enhanced Linux Policy for the condor_schedd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the condor_schedd processes via flexible mandatory access control.
-+
-+The condor_schedd processes execute with the condor_schedd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep condor_schedd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The condor_schedd_t SELinux type can be entered via the "condor_schedd_exec_t" file type. The default entrypoint paths for the condor_schedd_t domain are the following:"
-+
-+/usr/sbin/condor_schedd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux condor_schedd policy is very flexible allowing users to setup their condor_schedd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for condor_schedd:
-+
-+.EX
-+.B condor_schedd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux condor_schedd policy is very flexible allowing users to setup their condor_schedd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for condor_schedd:
-+
-+
-+.EX
-+.PP
-+.B condor_schedd_exec_t
-+.EE
-+
-+- Set files with the condor_schedd_exec_t type, if you want to transition an executable to the condor_schedd_t domain.
-+
-+
-+.EX
-+.PP
-+.B condor_schedd_tmp_t
-+.EE
-+
-+- Set files with the condor_schedd_tmp_t type, if you want to store condor schedd temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type condor_schedd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B condor_log_t
-+
-+ /var/log/condor(/.*)?
-+.br
-+
-+.br
-+.B condor_schedd_tmp_t
-+
-+
-+.br
-+.B condor_var_lib_t
-+
-+ /var/lib/condor(/.*)?
-+.br
-+ /var/lib/condor/spool(/.*)?
-+.br
-+ /var/lib/condor/execute(/.*)?
-+.br
-+
-+.br
-+.B condor_var_lock_t
-+
-+ /var/lock/condor(/.*)?
-+.br
-+
-+.br
-+.B condor_var_run_t
-+
-+ /var/run/condor(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_schedd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the condor_schedd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), condor_schedd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_startd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/condor_startd_selinux.8 b/man/man8/condor_startd_selinux.8
-new file mode 100644
-index 0000000..0413677
---- /dev/null
-+++ b/man/man8/condor_startd_selinux.8
-@@ -0,0 +1,189 @@
-+.TH "condor_startd_selinux" "8" "12-11-01" "condor_startd" "SELinux Policy documentation for condor_startd"
-+.SH "NAME"
-+condor_startd_selinux \- Security Enhanced Linux Policy for the condor_startd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the condor_startd processes via flexible mandatory access control.
-+
-+The condor_startd processes execute with the condor_startd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep condor_startd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The condor_startd_t SELinux type can be entered via the "condor_startd_exec_t" file type. The default entrypoint paths for the condor_startd_t domain are the following:"
-+
-+/usr/sbin/condor_startd, /usr/sbin/condor_starter
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux condor_startd policy is very flexible allowing users to setup their condor_startd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for condor_startd:
-+
-+.EX
-+.B condor_startd_ssh_t, condor_startd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux condor_startd policy is very flexible allowing users to setup their condor_startd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for condor_startd:
-+
-+
-+.EX
-+.PP
-+.B condor_startd_exec_t
-+.EE
-+
-+- Set files with the condor_startd_exec_t type, if you want to transition an executable to the condor_startd_t domain.
-+
-+
-+.EX
-+.PP
-+.B condor_startd_tmp_t
-+.EE
-+
-+- Set files with the condor_startd_tmp_t type, if you want to store condor startd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B condor_startd_tmpfs_t
-+.EE
-+
-+- Set files with the condor_startd_tmpfs_t type, if you want to store condor startd files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type condor_startd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B condor_log_t
-+
-+ /var/log/condor(/.*)?
-+.br
-+
-+.br
-+.B condor_startd_tmp_t
-+
-+
-+.br
-+.B condor_startd_tmpfs_t
-+
-+
-+.br
-+.B condor_var_lib_t
-+
-+ /var/lib/condor(/.*)?
-+.br
-+ /var/lib/condor/spool(/.*)?
-+.br
-+ /var/lib/condor/execute(/.*)?
-+.br
-+
-+.br
-+.B condor_var_lock_t
-+
-+ /var/lock/condor(/.*)?
-+.br
-+
-+.br
-+.B condor_var_run_t
-+
-+ /var/run/condor(/.*)?
-+.br
-+
-+.br
-+.B ssh_home_t
-+
-+ /root/\.ssh(/.*)?
-+.br
-+ /var/lib/openshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/amanda/\.ssh(/.*)?
-+.br
-+ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite/\.ssh(/.*)?
-+.br
-+ /var/lib/nocpulse/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite3/\.ssh(/.*)?
-+.br
-+ /root/\.shosts
-+.br
-+ /home/[^/]*/\.ssh(/.*)?
-+.br
-+ /home/[^/]*/\.shosts
-+.br
-+ /home/dwalsh/\.ssh(/.*)?
-+.br
-+ /home/dwalsh/\.shosts
-+.br
-+ /var/lib/xguest/home/xguest/\.ssh(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.shosts
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_startd_t, condor_startd_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the condor_startd_t, condor_startd_ssh_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), condor_startd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/consolekit_selinux.8 b/man/man8/consolekit_selinux.8
-new file mode 100644
-index 0000000..5721e3a
---- /dev/null
-+++ b/man/man8/consolekit_selinux.8
-@@ -0,0 +1,212 @@
-+.TH "consolekit_selinux" "8" "12-11-01" "consolekit" "SELinux Policy documentation for consolekit"
-+.SH "NAME"
-+consolekit_selinux \- Security Enhanced Linux Policy for the consolekit processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the consolekit processes via flexible mandatory access control.
-+
-+The consolekit processes execute with the consolekit_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep consolekit_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The consolekit_t SELinux type can be entered via the "consolekit_exec_t" file type. The default entrypoint paths for the consolekit_t domain are the following:"
-+
-+/usr/sbin/console-kit-daemon
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux consolekit policy is very flexible allowing users to setup their consolekit processes in as secure a method as possible.
-+.PP
-+The following process types are defined for consolekit:
-+
-+.EX
-+.B consolekit_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux consolekit policy is very flexible allowing users to setup their consolekit processes in as secure a method as possible.
-+.PP
-+The following file types are defined for consolekit:
-+
-+
-+.EX
-+.PP
-+.B consolekit_exec_t
-+.EE
-+
-+- Set files with the consolekit_exec_t type, if you want to transition an executable to the consolekit_t domain.
-+
-+
-+.EX
-+.PP
-+.B consolekit_log_t
-+.EE
-+
-+- Set files with the consolekit_log_t type, if you want to treat the data as consolekit log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B consolekit_tmpfs_t
-+.EE
-+
-+- Set files with the consolekit_tmpfs_t type, if you want to store consolekit files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B consolekit_unit_file_t
-+.EE
-+
-+- Set files with the consolekit_unit_file_t type, if you want to treat the files as consolekit unit content.
-+
-+
-+.EX
-+.PP
-+.B consolekit_var_run_t
-+.EE
-+
-+- Set files with the consolekit_var_run_t type, if you want to store the consolekit files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type consolekit_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B consolekit_log_t
-+
-+ /var/log/ConsoleKit(/.*)?
-+.br
-+
-+.br
-+.B consolekit_var_run_t
-+
-+ /var/run/ConsoleKit(/.*)?
-+.br
-+ /var/run/consolekit\.pid
-+.br
-+ /var/run/console-kit-daemon\.pid
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B pam_var_console_t
-+
-+ /var/run/console(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the consolekit_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the consolekit_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), consolekit(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/consoletype_selinux.8 b/man/man8/consoletype_selinux.8
-new file mode 100644
-index 0000000..aa2a4e4
---- /dev/null
-+++ b/man/man8/consoletype_selinux.8
-@@ -0,0 +1,94 @@
-+.TH "consoletype_selinux" "8" "12-11-01" "consoletype" "SELinux Policy documentation for consoletype"
-+.SH "NAME"
-+consoletype_selinux \- Security Enhanced Linux Policy for the consoletype processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the consoletype processes via flexible mandatory access control.
-+
-+The consoletype processes execute with the consoletype_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep consoletype_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The consoletype_t SELinux type can be entered via the "consoletype_exec_t" file type. The default entrypoint paths for the consoletype_t domain are the following:"
-+
-+/sbin/consoletype, /usr/sbin/consoletype
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux consoletype policy is very flexible allowing users to setup their consoletype processes in as secure a method as possible.
-+.PP
-+The following process types are defined for consoletype:
-+
-+.EX
-+.B consoletype_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux consoletype policy is very flexible allowing users to setup their consoletype processes in as secure a method as possible.
-+.PP
-+The following file types are defined for consoletype:
-+
-+
-+.EX
-+.PP
-+.B consoletype_exec_t
-+.EE
-+
-+- Set files with the consoletype_exec_t type, if you want to transition an executable to the consoletype_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type consoletype_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), consoletype(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/corosync_selinux.8 b/man/man8/corosync_selinux.8
-new file mode 100644
-index 0000000..9f327ae
---- /dev/null
-+++ b/man/man8/corosync_selinux.8
-@@ -0,0 +1,270 @@
-+.TH "corosync_selinux" "8" "12-11-01" "corosync" "SELinux Policy documentation for corosync"
-+.SH "NAME"
-+corosync_selinux \- Security Enhanced Linux Policy for the corosync processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the corosync processes via flexible mandatory access control.
-+
-+The corosync processes execute with the corosync_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep corosync_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The corosync_t SELinux type can be entered via the "corosync_exec_t" file type. The default entrypoint paths for the corosync_t domain are the following:"
-+
-+/usr/sbin/corosync, /usr/sbin/ccs_tool, /usr/sbin/cman_tool, /usr/sbin/corosync-notifyd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux corosync policy is very flexible allowing users to setup their corosync processes in as secure a method as possible.
-+.PP
-+The following process types are defined for corosync:
-+
-+.EX
-+.B corosync_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux corosync policy is very flexible allowing users to setup their corosync processes in as secure a method as possible.
-+.PP
-+The following file types are defined for corosync:
-+
-+
-+.EX
-+.PP
-+.B corosync_exec_t
-+.EE
-+
-+- Set files with the corosync_exec_t type, if you want to transition an executable to the corosync_t domain.
-+
-+
-+.EX
-+.PP
-+.B corosync_initrc_exec_t
-+.EE
-+
-+- Set files with the corosync_initrc_exec_t type, if you want to transition an executable to the corosync_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B corosync_tmp_t
-+.EE
-+
-+- Set files with the corosync_tmp_t type, if you want to store corosync temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B corosync_tmpfs_t
-+.EE
-+
-+- Set files with the corosync_tmpfs_t type, if you want to store corosync files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B corosync_unit_file_t
-+.EE
-+
-+- Set files with the corosync_unit_file_t type, if you want to treat the files as corosync unit content.
-+
-+
-+.EX
-+.PP
-+.B corosync_var_lib_t
-+.EE
-+
-+- Set files with the corosync_var_lib_t type, if you want to store the corosync files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B corosync_var_log_t
-+.EE
-+
-+- Set files with the corosync_var_log_t type, if you want to treat the data as corosync var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B corosync_var_run_t
-+.EE
-+
-+- Set files with the corosync_var_run_t type, if you want to store the corosync files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type corosync_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cluster_tmpfs
-+
-+
-+.br
-+.B cluster_var_lib_t
-+
-+ /var/lib/cluster(/.*)?
-+.br
-+
-+.br
-+.B clvmd_tmpfs_t
-+
-+
-+.br
-+.B cmirrord_tmpfs_t
-+
-+
-+.br
-+.B corosync_tmp_t
-+
-+
-+.br
-+.B corosync_tmpfs_t
-+
-+
-+.br
-+.B corosync_var_lib_t
-+
-+ /var/lib/corosync(/.*)?
-+.br
-+
-+.br
-+.B corosync_var_log_t
-+
-+ /var/log/cluster/corosync\.log.*
-+.br
-+
-+.br
-+.B corosync_var_run_t
-+
-+ /var/run/cman_.*
-+.br
-+ /var/run/rsctmp(/.*)?
-+.br
-+ /var/run/corosync\.pid
-+.br
-+
-+.br
-+.B initrc_state_t
-+
-+
-+.br
-+.B initrc_tmp_t
-+
-+
-+.br
-+.B qpidd_tmpfs_t
-+
-+
-+.br
-+.B rgmanager_tmpfs_t
-+
-+
-+.br
-+.B rgmanager_var_lib_t
-+
-+ /usr/lib(64)?/heartbeat(/.*)?
-+.br
-+ /var/lib/heartbeat(/.*)?
-+.br
-+
-+.br
-+.B rgmanager_var_run_t
-+
-+ /var/run/heartbeat(/.*)?
-+.br
-+ /var/run/cpglockd\.pid
-+.br
-+ /var/run/rgmanager\.pid
-+.br
-+ /var/run/cluster/rgmanager\.sk
-+.br
-+
-+.br
-+.B tmpfs_t
-+
-+ /dev/shm
-+.br
-+ /lib/udev/devices/shm
-+.br
-+ /usr/lib/udev/devices/shm
-+.br
-+
-+.br
-+.B user_tmpfs_t
-+
-+ /dev/shm/mono.*
-+.br
-+ /dev/shm/pulse-shm.*
-+.br
-+
-+.br
-+.B var_lib_t
-+
-+ /opt/(.*/)?var/lib(/.*)?
-+.br
-+ /var/lib(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the corosync_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the corosync_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), corosync(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/couchdb_selinux.8 b/man/man8/couchdb_selinux.8
-new file mode 100644
-index 0000000..c703391
---- /dev/null
-+++ b/man/man8/couchdb_selinux.8
-@@ -0,0 +1,202 @@
-+.TH "couchdb_selinux" "8" "12-11-01" "couchdb" "SELinux Policy documentation for couchdb"
-+.SH "NAME"
-+couchdb_selinux \- Security Enhanced Linux Policy for the couchdb processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the couchdb processes via flexible mandatory access control.
-+
-+The couchdb processes execute with the couchdb_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep couchdb_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The couchdb_t SELinux type can be entered via the "couchdb_exec_t" file type. The default entrypoint paths for the couchdb_t domain are the following:"
-+
-+/usr/bin/couchdb
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible.
-+.PP
-+The following process types are defined for couchdb:
-+
-+.EX
-+.B couchdb_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible.
-+.PP
-+The following file types are defined for couchdb:
-+
-+
-+.EX
-+.PP
-+.B couchdb_etc_t
-+.EE
-+
-+- Set files with the couchdb_etc_t type, if you want to store couchdb files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B couchdb_exec_t
-+.EE
-+
-+- Set files with the couchdb_exec_t type, if you want to transition an executable to the couchdb_t domain.
-+
-+
-+.EX
-+.PP
-+.B couchdb_log_t
-+.EE
-+
-+- Set files with the couchdb_log_t type, if you want to treat the data as couchdb log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B couchdb_tmp_t
-+.EE
-+
-+- Set files with the couchdb_tmp_t type, if you want to store couchdb temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B couchdb_unit_file_t
-+.EE
-+
-+- Set files with the couchdb_unit_file_t type, if you want to treat the files as couchdb unit content.
-+
-+
-+.EX
-+.PP
-+.B couchdb_var_lib_t
-+.EE
-+
-+- Set files with the couchdb_var_lib_t type, if you want to store the couchdb files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B couchdb_var_run_t
-+.EE
-+
-+- Set files with the couchdb_var_run_t type, if you want to store the couchdb files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible.
-+.PP
-+The following port types are defined for couchdb:
-+
-+.EX
-+.TP 5
-+.B couchdb_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 5984
-+.EE
-+udp 5984
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type couchdb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B couchdb_log_t
-+
-+ /var/log/couchdb(/.*)?
-+.br
-+
-+.br
-+.B couchdb_tmp_t
-+
-+
-+.br
-+.B couchdb_var_lib_t
-+
-+ /var/lib/couchdb(/.*)?
-+.br
-+
-+.br
-+.B couchdb_var_run_t
-+
-+ /var/run/couchdb(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the couchdb_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the couchdb_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), couchdb(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/courier_authdaemon_selinux.8 b/man/man8/courier_authdaemon_selinux.8
-new file mode 100644
-index 0000000..f5cc833
---- /dev/null
-+++ b/man/man8/courier_authdaemon_selinux.8
-@@ -0,0 +1,137 @@
-+.TH "courier_authdaemon_selinux" "8" "12-11-01" "courier_authdaemon" "SELinux Policy documentation for courier_authdaemon"
-+.SH "NAME"
-+courier_authdaemon_selinux \- Security Enhanced Linux Policy for the courier_authdaemon processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the courier_authdaemon processes via flexible mandatory access control.
-+
-+The courier_authdaemon processes execute with the courier_authdaemon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep courier_authdaemon_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The courier_authdaemon_t SELinux type can be entered via the "courier_authdaemon_exec_t" file type. The default entrypoint paths for the courier_authdaemon_t domain are the following:"
-+
-+/usr/lib/courier/authlib/.*, /usr/sbin/authdaemond
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux courier_authdaemon policy is very flexible allowing users to setup their courier_authdaemon processes in as secure a method as possible.
-+.PP
-+The following process types are defined for courier_authdaemon:
-+
-+.EX
-+.B courier_authdaemon_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux courier_authdaemon policy is very flexible allowing users to setup their courier_authdaemon processes in as secure a method as possible.
-+.PP
-+The following file types are defined for courier_authdaemon:
-+
-+
-+.EX
-+.PP
-+.B courier_authdaemon_exec_t
-+.EE
-+
-+- Set files with the courier_authdaemon_exec_t type, if you want to transition an executable to the courier_authdaemon_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type courier_authdaemon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B courier_var_run_t
-+
-+ /var/run/courier(/.*)?
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the courier_authdaemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the courier_authdaemon_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), courier_authdaemon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, courier_pcp_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/courier_pcp_selinux.8 b/man/man8/courier_pcp_selinux.8
-new file mode 100644
-index 0000000..526d096
---- /dev/null
-+++ b/man/man8/courier_pcp_selinux.8
-@@ -0,0 +1,97 @@
-+.TH "courier_pcp_selinux" "8" "12-11-01" "courier_pcp" "SELinux Policy documentation for courier_pcp"
-+.SH "NAME"
-+courier_pcp_selinux \- Security Enhanced Linux Policy for the courier_pcp processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the courier_pcp processes via flexible mandatory access control.
-+
-+The courier_pcp processes execute with the courier_pcp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep courier_pcp_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The courier_pcp_t SELinux type can be entered via the "courier_pcp_exec_t" file type. The default entrypoint paths for the courier_pcp_t domain are the following:"
-+
-+/usr/lib/courier/courier/pcpd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux courier_pcp policy is very flexible allowing users to setup their courier_pcp processes in as secure a method as possible.
-+.PP
-+The following process types are defined for courier_pcp:
-+
-+.EX
-+.B courier_pcp_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux courier_pcp policy is very flexible allowing users to setup their courier_pcp processes in as secure a method as possible.
-+.PP
-+The following file types are defined for courier_pcp:
-+
-+
-+.EX
-+.PP
-+.B courier_pcp_exec_t
-+.EE
-+
-+- Set files with the courier_pcp_exec_t type, if you want to transition an executable to the courier_pcp_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type courier_pcp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B courier_var_run_t
-+
-+ /var/run/courier(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), courier_pcp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, courier_authdaemon_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/courier_pop_selinux.8 b/man/man8/courier_pop_selinux.8
-new file mode 100644
-index 0000000..5652da7
---- /dev/null
-+++ b/man/man8/courier_pop_selinux.8
-@@ -0,0 +1,107 @@
-+.TH "courier_pop_selinux" "8" "12-11-01" "courier_pop" "SELinux Policy documentation for courier_pop"
-+.SH "NAME"
-+courier_pop_selinux \- Security Enhanced Linux Policy for the courier_pop processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the courier_pop processes via flexible mandatory access control.
-+
-+The courier_pop processes execute with the courier_pop_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep courier_pop_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The courier_pop_t SELinux type can be entered via the "courier_pop_exec_t" file type. The default entrypoint paths for the courier_pop_t domain are the following:"
-+
-+/usr/lib/courier/courier/courierpop.*, /usr/bin/imapd, /usr/lib/courier/imapd, /usr/lib/courier/pop3d, /usr/lib/courier/courier/imaplogin
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux courier_pop policy is very flexible allowing users to setup their courier_pop processes in as secure a method as possible.
-+.PP
-+The following process types are defined for courier_pop:
-+
-+.EX
-+.B courier_pop_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux courier_pop policy is very flexible allowing users to setup their courier_pop processes in as secure a method as possible.
-+.PP
-+The following file types are defined for courier_pop:
-+
-+
-+.EX
-+.PP
-+.B courier_pop_exec_t
-+.EE
-+
-+- Set files with the courier_pop_exec_t type, if you want to transition an executable to the courier_pop_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type courier_pop_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B courier_var_run_t
-+
-+ /var/run/courier(/.*)?
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), courier_pop(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/courier_sqwebmail_selinux.8 b/man/man8/courier_sqwebmail_selinux.8
-new file mode 100644
-index 0000000..6151335
---- /dev/null
-+++ b/man/man8/courier_sqwebmail_selinux.8
-@@ -0,0 +1,97 @@
-+.TH "courier_sqwebmail_selinux" "8" "12-11-01" "courier_sqwebmail" "SELinux Policy documentation for courier_sqwebmail"
-+.SH "NAME"
-+courier_sqwebmail_selinux \- Security Enhanced Linux Policy for the courier_sqwebmail processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the courier_sqwebmail processes via flexible mandatory access control.
-+
-+The courier_sqwebmail processes execute with the courier_sqwebmail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep courier_sqwebmail_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The courier_sqwebmail_t SELinux type can be entered via the "courier_sqwebmail_exec_t" file type. The default entrypoint paths for the courier_sqwebmail_t domain are the following:"
-+
-+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux courier_sqwebmail policy is very flexible allowing users to setup their courier_sqwebmail processes in as secure a method as possible.
-+.PP
-+The following process types are defined for courier_sqwebmail:
-+
-+.EX
-+.B courier_sqwebmail_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux courier_sqwebmail policy is very flexible allowing users to setup their courier_sqwebmail processes in as secure a method as possible.
-+.PP
-+The following file types are defined for courier_sqwebmail:
-+
-+
-+.EX
-+.PP
-+.B courier_sqwebmail_exec_t
-+.EE
-+
-+- Set files with the courier_sqwebmail_exec_t type, if you want to transition an executable to the courier_sqwebmail_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type courier_sqwebmail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B courier_var_run_t
-+
-+ /var/run/courier(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), courier_sqwebmail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_pop_selinux(8), courier_tcpd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/courier_tcpd_selinux.8 b/man/man8/courier_tcpd_selinux.8
-new file mode 100644
-index 0000000..6794aff
---- /dev/null
-+++ b/man/man8/courier_tcpd_selinux.8
-@@ -0,0 +1,105 @@
-+.TH "courier_tcpd_selinux" "8" "12-11-01" "courier_tcpd" "SELinux Policy documentation for courier_tcpd"
-+.SH "NAME"
-+courier_tcpd_selinux \- Security Enhanced Linux Policy for the courier_tcpd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the courier_tcpd processes via flexible mandatory access control.
-+
-+The courier_tcpd processes execute with the courier_tcpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep courier_tcpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The courier_tcpd_t SELinux type can be entered via the "courier_tcpd_exec_t" file type. The default entrypoint paths for the courier_tcpd_t domain are the following:"
-+
-+/usr/sbin/couriertcpd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux courier_tcpd policy is very flexible allowing users to setup their courier_tcpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for courier_tcpd:
-+
-+.EX
-+.B courier_tcpd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux courier_tcpd policy is very flexible allowing users to setup their courier_tcpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for courier_tcpd:
-+
-+
-+.EX
-+.PP
-+.B courier_tcpd_exec_t
-+.EE
-+
-+- Set files with the courier_tcpd_exec_t type, if you want to transition an executable to the courier_tcpd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type courier_tcpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B courier_var_lib_t
-+
-+ /var/lib/courier(/.*)?
-+.br
-+ /var/lib/courier-imap(/.*)?
-+.br
-+
-+.br
-+.B courier_var_run_t
-+
-+ /var/run/courier(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), courier_tcpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/cpucontrol_selinux.8 b/man/man8/cpucontrol_selinux.8
-new file mode 100644
-index 0000000..f81f173
---- /dev/null
-+++ b/man/man8/cpucontrol_selinux.8
-@@ -0,0 +1,94 @@
-+.TH "cpucontrol_selinux" "8" "12-11-01" "cpucontrol" "SELinux Policy documentation for cpucontrol"
-+.SH "NAME"
-+cpucontrol_selinux \- Security Enhanced Linux Policy for the cpucontrol processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cpucontrol processes via flexible mandatory access control.
-+
-+The cpucontrol processes execute with the cpucontrol_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cpucontrol_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cpucontrol_t SELinux type can be entered via the "cpucontrol_exec_t" file type. The default entrypoint paths for the cpucontrol_t domain are the following:"
-+
-+/sbin/microcode_ctl, /usr/sbin/microcode_ctl
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cpucontrol policy is very flexible allowing users to setup their cpucontrol processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cpucontrol:
-+
-+.EX
-+.B cpucontrol_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cpucontrol policy is very flexible allowing users to setup their cpucontrol processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cpucontrol:
-+
-+
-+.EX
-+.PP
-+.B cpucontrol_conf_t
-+.EE
-+
-+- Set files with the cpucontrol_conf_t type, if you want to treat the files as cpucontrol configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B cpucontrol_exec_t
-+.EE
-+
-+- Set files with the cpucontrol_exec_t type, if you want to transition an executable to the cpucontrol_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cpucontrol(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/cpufreqselector_selinux.8 b/man/man8/cpufreqselector_selinux.8
-new file mode 100644
-index 0000000..764592d
---- /dev/null
-+++ b/man/man8/cpufreqselector_selinux.8
-@@ -0,0 +1,96 @@
-+.TH "cpufreqselector_selinux" "8" "12-11-01" "cpufreqselector" "SELinux Policy documentation for cpufreqselector"
-+.SH "NAME"
-+cpufreqselector_selinux \- Security Enhanced Linux Policy for the cpufreqselector processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cpufreqselector processes via flexible mandatory access control.
-+
-+The cpufreqselector processes execute with the cpufreqselector_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cpufreqselector_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cpufreqselector_t SELinux type can be entered via the "cpufreqselector_exec_t" file type. The default entrypoint paths for the cpufreqselector_t domain are the following:"
-+
-+/usr/bin/cpufreq-selector
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cpufreqselector policy is very flexible allowing users to setup their cpufreqselector processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cpufreqselector:
-+
-+.EX
-+.B cpufreqselector_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cpufreqselector policy is very flexible allowing users to setup their cpufreqselector processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cpufreqselector:
-+
-+
-+.EX
-+.PP
-+.B cpufreqselector_exec_t
-+.EE
-+
-+- Set files with the cpufreqselector_exec_t type, if you want to transition an executable to the cpufreqselector_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cpufreqselector_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cpufreqselector(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/cpuspeed_selinux.8 b/man/man8/cpuspeed_selinux.8
-new file mode 100644
-index 0000000..ec9dfce
---- /dev/null
-+++ b/man/man8/cpuspeed_selinux.8
-@@ -0,0 +1,110 @@
-+.TH "cpuspeed_selinux" "8" "12-11-01" "cpuspeed" "SELinux Policy documentation for cpuspeed"
-+.SH "NAME"
-+cpuspeed_selinux \- Security Enhanced Linux Policy for the cpuspeed processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cpuspeed processes via flexible mandatory access control.
-+
-+The cpuspeed processes execute with the cpuspeed_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cpuspeed_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cpuspeed_t SELinux type can be entered via the "cpuspeed_exec_t" file type. The default entrypoint paths for the cpuspeed_t domain are the following:"
-+
-+/usr/sbin/cpufreqd, /usr/sbin/cpuspeed, /usr/sbin/powernowd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cpuspeed policy is very flexible allowing users to setup their cpuspeed processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cpuspeed:
-+
-+.EX
-+.B cpuspeed_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cpuspeed policy is very flexible allowing users to setup their cpuspeed processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cpuspeed:
-+
-+
-+.EX
-+.PP
-+.B cpuspeed_exec_t
-+.EE
-+
-+- Set files with the cpuspeed_exec_t type, if you want to transition an executable to the cpuspeed_t domain.
-+
-+
-+.EX
-+.PP
-+.B cpuspeed_var_run_t
-+.EE
-+
-+- Set files with the cpuspeed_var_run_t type, if you want to store the cpuspeed files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cpuspeed_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cpuspeed_var_run_t
-+
-+ /var/run/cpufreqd\.pid
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cpuspeed(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/crack_selinux.8 b/man/man8/crack_selinux.8
-new file mode 100644
-index 0000000..49919a6
---- /dev/null
-+++ b/man/man8/crack_selinux.8
-@@ -0,0 +1,120 @@
-+.TH "crack_selinux" "8" "12-11-01" "crack" "SELinux Policy documentation for crack"
-+.SH "NAME"
-+crack_selinux \- Security Enhanced Linux Policy for the crack processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the crack processes via flexible mandatory access control.
-+
-+The crack processes execute with the crack_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep crack_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The crack_t SELinux type can be entered via the "crack_exec_t" file type. The default entrypoint paths for the crack_t domain are the following:"
-+
-+/usr/sbin/crack_[a-z]*, /usr/sbin/cracklib-[a-z]*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux crack policy is very flexible allowing users to setup their crack processes in as secure a method as possible.
-+.PP
-+The following process types are defined for crack:
-+
-+.EX
-+.B crack_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux crack policy is very flexible allowing users to setup their crack processes in as secure a method as possible.
-+.PP
-+The following file types are defined for crack:
-+
-+
-+.EX
-+.PP
-+.B crack_db_t
-+.EE
-+
-+- Set files with the crack_db_t type, if you want to treat the files as crack database content.
-+
-+
-+.EX
-+.PP
-+.B crack_exec_t
-+.EE
-+
-+- Set files with the crack_exec_t type, if you want to transition an executable to the crack_t domain.
-+
-+
-+.EX
-+.PP
-+.B crack_tmp_t
-+.EE
-+
-+- Set files with the crack_tmp_t type, if you want to store crack temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type crack_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B crack_db_t
-+
-+ /usr/share/cracklib(/.*)?
-+.br
-+ /var/cache/cracklib(/.*)?
-+.br
-+ /usr/lib/cracklib_dict.*
-+.br
-+
-+.br
-+.B crack_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), crack(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/crond_selinux.8 b/man/man8/crond_selinux.8
-new file mode 100644
-index 0000000..0f4955a
---- /dev/null
-+++ b/man/man8/crond_selinux.8
-@@ -0,0 +1,310 @@
-+.TH "crond_selinux" "8" "12-11-01" "crond" "SELinux Policy documentation for crond"
-+.SH "NAME"
-+crond_selinux \- Security Enhanced Linux Policy for the crond processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the crond processes via flexible mandatory access control.
-+
-+The crond processes execute with the crond_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep crond_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The crond_t SELinux type can be entered via the "crond_exec_t" file type. The default entrypoint paths for the crond_t domain are the following:"
-+
-+/usr/sbin/cron(d)?, /usr/sbin/atd, /usr/sbin/fcron
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux crond policy is very flexible allowing users to setup their crond processes in as secure a method as possible.
-+.PP
-+The following process types are defined for crond:
-+
-+.EX
-+.B crond_t, cronjob_t, crontab_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. crond policy is extremely flexible and has several booleans that allow you to manipulate the policy and run crond with the tightest access possible.
-+
-+
-+.PP
-+If you want to enable extra rules in the cron domain to support fcron, you must turn on the fcron_crond boolean.
-+
-+.EX
-+.B setsebool -P fcron_crond 1
-+.EE
-+
-+.PP
-+If you want to allow system cron jobs to relabel filesystem for restoring file contexts, you must turn on the cron_can_relabel boolean.
-+
-+.EX
-+.B setsebool -P cron_can_relabel 1
-+.EE
-+
-+.PP
-+If you want to enable extra rules in the cron domain to support fcron, you must turn on the fcron_crond boolean.
-+
-+.EX
-+.B setsebool -P fcron_crond 1
-+.EE
-+
-+.PP
-+If you want to allow system cron jobs to relabel filesystem for restoring file contexts, you must turn on the cron_can_relabel boolean.
-+
-+.EX
-+.B setsebool -P cron_can_relabel 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux crond policy is very flexible allowing users to setup their crond processes in as secure a method as possible.
-+.PP
-+The following file types are defined for crond:
-+
-+
-+.EX
-+.PP
-+.B crond_exec_t
-+.EE
-+
-+- Set files with the crond_exec_t type, if you want to transition an executable to the crond_t domain.
-+
-+
-+.EX
-+.PP
-+.B crond_initrc_exec_t
-+.EE
-+
-+- Set files with the crond_initrc_exec_t type, if you want to transition an executable to the crond_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B crond_tmp_t
-+.EE
-+
-+- Set files with the crond_tmp_t type, if you want to store crond temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B crond_unit_file_t
-+.EE
-+
-+- Set files with the crond_unit_file_t type, if you want to treat the files as crond unit content.
-+
-+
-+.EX
-+.PP
-+.B crond_var_run_t
-+.EE
-+
-+- Set files with the crond_var_run_t type, if you want to store the crond files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type crond_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B cron_log_t
-+
-+ /var/log/rpmpkgs.*
-+.br
-+
-+.br
-+.B cron_spool_t
-+
-+ /var/spool/fcron
-+.br
-+ /var/spool/cron/crontabs
-+.br
-+
-+.br
-+.B crond_tmp_t
-+
-+
-+.br
-+.B crond_var_run_t
-+
-+ /var/run/.*cron.*
-+.br
-+ /var/run/crond?\.pid
-+.br
-+ /var/run/crond?\.reboot
-+.br
-+ /var/run/atd\.pid
-+.br
-+ /var/run/fcron\.pid
-+.br
-+ /var/run/fcron\.fifo
-+.br
-+ /var/run/anacron\.pid
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B rpm_log_t
-+
-+ /var/log/yum\.log.*
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B system_cron_spool_t
-+
-+ /etc/cron\.d(/.*)?
-+.br
-+ /var/spool/anacron(/.*)?
-+.br
-+ /etc/crontab
-+.br
-+ /var/spool/fcron/systab
-+.br
-+ /var/spool/fcron/new\.systab
-+.br
-+ /var/spool/fcron/systab\.orig
-+.br
-+
-+.br
-+.B user_cron_spool_t
-+
-+ /var/spool/at(/.*)?
-+.br
-+ /var/spool/cron
-+.br
-+
-+.br
-+.B var_auth_t
-+
-+ /var/ace(/.*)?
-+.br
-+ /var/rsa(/.*)?
-+.br
-+ /var/lib/abl(/.*)?
-+.br
-+ /var/lib/rsa(/.*)?
-+.br
-+ /var/lib/pam_ssh(/.*)?
-+.br
-+ /var/run/pam_ssh(/.*)?
-+.br
-+ /var/lib/pam_shield(/.*)?
-+.br
-+ /var/lib/google-authenticator(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the crontab_t, crond_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the crontab_t, crond_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), crond(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), crontab_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/crontab_selinux.8 b/man/man8/crontab_selinux.8
-new file mode 100644
-index 0000000..8d67b77
---- /dev/null
-+++ b/man/man8/crontab_selinux.8
-@@ -0,0 +1,190 @@
-+.TH "crontab_selinux" "8" "12-11-01" "crontab" "SELinux Policy documentation for crontab"
-+.SH "NAME"
-+crontab_selinux \- Security Enhanced Linux Policy for the crontab processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the crontab processes via flexible mandatory access control.
-+
-+The crontab processes execute with the crontab_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep crontab_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The crontab_t SELinux type can be entered via the "crontab_exec_t" file type. The default entrypoint paths for the crontab_t domain are the following:"
-+
-+/usr/bin/(f)?crontab, /usr/bin/at, /usr/sbin/fcronsighup
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux crontab policy is very flexible allowing users to setup their crontab processes in as secure a method as possible.
-+.PP
-+The following process types are defined for crontab:
-+
-+.EX
-+.B crontab_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux crontab policy is very flexible allowing users to setup their crontab processes in as secure a method as possible.
-+.PP
-+The following file types are defined for crontab:
-+
-+
-+.EX
-+.PP
-+.B crontab_exec_t
-+.EE
-+
-+- Set files with the crontab_exec_t type, if you want to transition an executable to the crontab_t domain.
-+
-+
-+.EX
-+.PP
-+.B crontab_tmp_t
-+.EE
-+
-+- Set files with the crontab_tmp_t type, if you want to store crontab temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type crontab_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B crontab_tmp_t
-+
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B user_cron_spool_t
-+
-+ /var/spool/at(/.*)?
-+.br
-+ /var/spool/cron
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.br
-+.B var_auth_t
-+
-+ /var/ace(/.*)?
-+.br
-+ /var/rsa(/.*)?
-+.br
-+ /var/lib/abl(/.*)?
-+.br
-+ /var/lib/rsa(/.*)?
-+.br
-+ /var/lib/pam_ssh(/.*)?
-+.br
-+ /var/run/pam_ssh(/.*)?
-+.br
-+ /var/lib/pam_shield(/.*)?
-+.br
-+ /var/lib/google-authenticator(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the crontab_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the crontab_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), crontab(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ctdbd_selinux.8 b/man/man8/ctdbd_selinux.8
-new file mode 100644
-index 0000000..33d0469
---- /dev/null
-+++ b/man/man8/ctdbd_selinux.8
-@@ -0,0 +1,232 @@
-+.TH "ctdbd_selinux" "8" "12-11-01" "ctdbd" "SELinux Policy documentation for ctdbd"
-+.SH "NAME"
-+ctdbd_selinux \- Security Enhanced Linux Policy for the ctdbd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ctdbd processes via flexible mandatory access control.
-+
-+The ctdbd processes execute with the ctdbd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ctdbd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ctdbd_t SELinux type can be entered via the "ctdbd_exec_t" file type. The default entrypoint paths for the ctdbd_t domain are the following:"
-+
-+/usr/sbin/ctdbd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ctdbd policy is very flexible allowing users to setup their ctdbd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ctdbd:
-+
-+.EX
-+.B ctdbd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ctdbd policy is very flexible allowing users to setup their ctdbd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ctdbd:
-+
-+
-+.EX
-+.PP
-+.B ctdbd_exec_t
-+.EE
-+
-+- Set files with the ctdbd_exec_t type, if you want to transition an executable to the ctdbd_t domain.
-+
-+
-+.EX
-+.PP
-+.B ctdbd_initrc_exec_t
-+.EE
-+
-+- Set files with the ctdbd_initrc_exec_t type, if you want to transition an executable to the ctdbd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B ctdbd_log_t
-+.EE
-+
-+- Set files with the ctdbd_log_t type, if you want to treat the data as ctdbd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B ctdbd_spool_t
-+.EE
-+
-+- Set files with the ctdbd_spool_t type, if you want to store the ctdbd files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B ctdbd_tmp_t
-+.EE
-+
-+- Set files with the ctdbd_tmp_t type, if you want to store ctdbd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B ctdbd_var_lib_t
-+.EE
-+
-+- Set files with the ctdbd_var_lib_t type, if you want to store the ctdbd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B ctdbd_var_run_t
-+.EE
-+
-+- Set files with the ctdbd_var_run_t type, if you want to store the ctdbd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux ctdbd policy is very flexible allowing users to setup their ctdbd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for ctdbd:
-+
-+.EX
-+.TP 5
-+.B ctdb_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 4379
-+.EE
-+udp 4379
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ctdbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ctdbd_log_t
-+
-+ /var/log/log\.ctdb
-+.br
-+
-+.br
-+.B ctdbd_spool_t
-+
-+ /var/spool/ctdb(/.*)?
-+.br
-+
-+.br
-+.B ctdbd_tmp_t
-+
-+
-+.br
-+.B ctdbd_var_lib_t
-+
-+ /etc/ctdb(/.*)?
-+.br
-+ /var/ctdb(/.*)?
-+.br
-+ /var/ctdbd(/.*)?
-+.br
-+ /var/lib/ctdbd(/.*)?
-+.br
-+
-+.br
-+.B ctdbd_var_run_t
-+
-+ /var/run/ctdbd(/.*)?
-+.br
-+
-+.br
-+.B samba_var_t
-+
-+ /var/lib/samba(/.*)?
-+.br
-+ /var/cache/samba(/.*)?
-+.br
-+ /var/spool/samba(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ctdbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ctdbd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ctdbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/cups_pdf_selinux.8 b/man/man8/cups_pdf_selinux.8
-new file mode 100644
-index 0000000..da4a09b
---- /dev/null
-+++ b/man/man8/cups_pdf_selinux.8
-@@ -0,0 +1,151 @@
-+.TH "cups_pdf_selinux" "8" "12-11-01" "cups_pdf" "SELinux Policy documentation for cups_pdf"
-+.SH "NAME"
-+cups_pdf_selinux \- Security Enhanced Linux Policy for the cups_pdf processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cups_pdf processes via flexible mandatory access control.
-+
-+The cups_pdf processes execute with the cups_pdf_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cups_pdf_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cups_pdf_t SELinux type can be entered via the "cups_pdf_exec_t" file type. The default entrypoint paths for the cups_pdf_t domain are the following:"
-+
-+/usr/lib/cups/backend/cups-pdf
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cups_pdf policy is very flexible allowing users to setup their cups_pdf processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cups_pdf:
-+
-+.EX
-+.B cups_pdf_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cups_pdf policy is very flexible allowing users to setup their cups_pdf processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cups_pdf:
-+
-+
-+.EX
-+.PP
-+.B cups_pdf_exec_t
-+.EE
-+
-+- Set files with the cups_pdf_exec_t type, if you want to transition an executable to the cups_pdf_t domain.
-+
-+
-+.EX
-+.PP
-+.B cups_pdf_tmp_t
-+.EE
-+
-+- Set files with the cups_pdf_tmp_t type, if you want to store cups pdf temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cups_pdf_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B cups_pdf_tmp_t
-+
-+
-+.br
-+.B cupsd_log_t
-+
-+ /var/log/cups(/.*)?
-+.br
-+ /usr/Brother/fax/.*\.log.*
-+.br
-+ /var/log/turboprint.*
-+.br
-+
-+.br
-+.B print_spool_t
-+
-+ /var/spool/lpd(/.*)?
-+.br
-+ /var/spool/cups(/.*)?
-+.br
-+ /var/spool/cups-pdf(/.*)?
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cups_pdf_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the cups_pdf_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cups_pdf(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, cupsd_selinux(8), cupsd_config_selinux(8), cupsd_lpd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/cupsd_config_selinux.8 b/man/man8/cupsd_config_selinux.8
-new file mode 100644
-index 0000000..a3e48d3
---- /dev/null
-+++ b/man/man8/cupsd_config_selinux.8
-@@ -0,0 +1,207 @@
-+.TH "cupsd_config_selinux" "8" "12-11-01" "cupsd_config" "SELinux Policy documentation for cupsd_config"
-+.SH "NAME"
-+cupsd_config_selinux \- Security Enhanced Linux Policy for the cupsd_config processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cupsd_config processes via flexible mandatory access control.
-+
-+The cupsd_config processes execute with the cupsd_config_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cupsd_config_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cupsd_config_t SELinux type can be entered via the "cupsd_config_exec_t" file type. The default entrypoint paths for the cupsd_config_t domain are the following:"
-+
-+/usr/sbin/hal_lpadmin, /usr/libexec/hal_lpadmin, /usr/bin/cups-config-daemon, /usr/sbin/printconf-backend, /lib/udev/udev-configure-printer, /usr/lib/udev/udev-configure-printer, /usr/libexec/cups-pk-helper-mechanism
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cupsd_config policy is very flexible allowing users to setup their cupsd_config processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cupsd_config:
-+
-+.EX
-+.B cupsd_config_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cupsd_config policy is very flexible allowing users to setup their cupsd_config processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cupsd_config:
-+
-+
-+.EX
-+.PP
-+.B cupsd_config_exec_t
-+.EE
-+
-+- Set files with the cupsd_config_exec_t type, if you want to transition an executable to the cupsd_config_t domain.
-+
-+
-+.EX
-+.PP
-+.B cupsd_config_var_run_t
-+.EE
-+
-+- Set files with the cupsd_config_var_run_t type, if you want to store the cupsd config files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cupsd_config_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cupsd_config_var_run_t
-+
-+ /var/run/udev-configure-printer(/.*)?
-+.br
-+
-+.br
-+.B cupsd_etc_t
-+
-+ /etc/cups(/.*)?
-+.br
-+ /usr/share/cups(/.*)?
-+.br
-+
-+.br
-+.B cupsd_log_t
-+
-+ /var/log/cups(/.*)?
-+.br
-+ /usr/Brother/fax/.*\.log.*
-+.br
-+ /var/log/turboprint.*
-+.br
-+
-+.br
-+.B cupsd_rw_etc_t
-+
-+ /etc/printcap.*
-+.br
-+ /etc/cups/ppd(/.*)?
-+.br
-+ /usr/Brother/(.*/)?inf(/.*)?
-+.br
-+ /usr/Printer/(.*/)?inf(/.*)?
-+.br
-+ /usr/lib/bjlib(/.*)?
-+.br
-+ /var/lib/iscan(/.*)?
-+.br
-+ /var/cache/cups(/.*)?
-+.br
-+ /etc/cups/certs/.*
-+.br
-+ /etc/opt/Brother/(.*/)?inf(/.*)?
-+.br
-+ /etc/cups/lpoptions.*
-+.br
-+ /var/cache/foomatic(/.*)?
-+.br
-+ /etc/cups/cupsd\.conf.*
-+.br
-+ /var/lib/cups/certs/.*
-+.br
-+ /opt/gutenprint/ppds(/.*)?
-+.br
-+ /opt/brother/Printers(.*/)?inf(/.*)?
-+.br
-+ /etc/cups/classes\.conf.*
-+.br
-+ /etc/cups/printers\.conf.*
-+.br
-+ /etc/cups/subscriptions.*
-+.br
-+ /usr/local/linuxprinter/ppd(/.*)?
-+.br
-+ /var/cache/alchemist/printconf.*
-+.br
-+ /etc/alchemist/namespace/printconf(/.*)?
-+.br
-+ /etc/cups/certs
-+.br
-+ /etc/cups/ppds\.dat
-+.br
-+ /var/lib/cups/certs
-+.br
-+ /usr/share/foomatic/db/oldprinterids
-+.br
-+
-+.br
-+.B cupsd_tmp_t
-+
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cupsd_config_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the cupsd_config_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cupsd_config(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, cupsd_selinux(8), cupsd_selinux(8), cupsd_lpd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/cupsd_lpd_selinux.8 b/man/man8/cupsd_lpd_selinux.8
-new file mode 100644
-index 0000000..73ded99
---- /dev/null
-+++ b/man/man8/cupsd_lpd_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "cupsd_lpd_selinux" "8" "12-11-01" "cupsd_lpd" "SELinux Policy documentation for cupsd_lpd"
-+.SH "NAME"
-+cupsd_lpd_selinux \- Security Enhanced Linux Policy for the cupsd_lpd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cupsd_lpd processes via flexible mandatory access control.
-+
-+The cupsd_lpd processes execute with the cupsd_lpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cupsd_lpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cupsd_lpd_t SELinux type can be entered via the "cupsd_lpd_exec_t" file type. The default entrypoint paths for the cupsd_lpd_t domain are the following:"
-+
-+/usr/lib/cups/daemon/cups-lpd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cupsd_lpd policy is very flexible allowing users to setup their cupsd_lpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cupsd_lpd:
-+
-+.EX
-+.B cupsd_lpd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cupsd_lpd policy is very flexible allowing users to setup their cupsd_lpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cupsd_lpd:
-+
-+
-+.EX
-+.PP
-+.B cupsd_lpd_exec_t
-+.EE
-+
-+- Set files with the cupsd_lpd_exec_t type, if you want to transition an executable to the cupsd_lpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B cupsd_lpd_tmp_t
-+.EE
-+
-+- Set files with the cupsd_lpd_tmp_t type, if you want to store cupsd lpd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B cupsd_lpd_var_run_t
-+.EE
-+
-+- Set files with the cupsd_lpd_var_run_t type, if you want to store the cupsd lpd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cupsd_lpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cupsd_lpd_tmp_t
-+
-+
-+.br
-+.B cupsd_lpd_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cupsd_lpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the cupsd_lpd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cupsd_lpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, cupsd_selinux(8), cupsd_selinux(8), cupsd_config_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/cupsd_selinux.8 b/man/man8/cupsd_selinux.8
-new file mode 100644
-index 0000000..89d22a6
---- /dev/null
-+++ b/man/man8/cupsd_selinux.8
-@@ -0,0 +1,387 @@
-+.TH "cupsd_selinux" "8" "12-11-01" "cupsd" "SELinux Policy documentation for cupsd"
-+.SH "NAME"
-+cupsd_selinux \- Security Enhanced Linux Policy for the cupsd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cupsd processes via flexible mandatory access control.
-+
-+The cupsd processes execute with the cupsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cupsd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cupsd_t SELinux type can be entered via the "cupsd_exec_t" file type. The default entrypoint paths for the cupsd_t domain are the following:"
-+
-+/usr/sbin/cupsd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cupsd policy is very flexible allowing users to setup their cupsd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cupsd:
-+
-+.EX
-+.B cupsd_t, cupsd_config_t, cupsd_lpd_t, cups_pdf_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cupsd policy is very flexible allowing users to setup their cupsd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cupsd:
-+
-+
-+.EX
-+.PP
-+.B cupsd_config_exec_t
-+.EE
-+
-+- Set files with the cupsd_config_exec_t type, if you want to transition an executable to the cupsd_config_t domain.
-+
-+
-+.EX
-+.PP
-+.B cupsd_config_var_run_t
-+.EE
-+
-+- Set files with the cupsd_config_var_run_t type, if you want to store the cupsd config files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B cupsd_etc_t
-+.EE
-+
-+- Set files with the cupsd_etc_t type, if you want to store cupsd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B cupsd_exec_t
-+.EE
-+
-+- Set files with the cupsd_exec_t type, if you want to transition an executable to the cupsd_t domain.
-+
-+
-+.EX
-+.PP
-+.B cupsd_initrc_exec_t
-+.EE
-+
-+- Set files with the cupsd_initrc_exec_t type, if you want to transition an executable to the cupsd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B cupsd_interface_t
-+.EE
-+
-+- Set files with the cupsd_interface_t type, if you want to treat the files as cupsd interface data.
-+
-+
-+.EX
-+.PP
-+.B cupsd_lock_t
-+.EE
-+
-+- Set files with the cupsd_lock_t type, if you want to treat the files as cupsd lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B cupsd_log_t
-+.EE
-+
-+- Set files with the cupsd_log_t type, if you want to treat the data as cupsd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B cupsd_lpd_exec_t
-+.EE
-+
-+- Set files with the cupsd_lpd_exec_t type, if you want to transition an executable to the cupsd_lpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B cupsd_lpd_tmp_t
-+.EE
-+
-+- Set files with the cupsd_lpd_tmp_t type, if you want to store cupsd lpd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B cupsd_lpd_var_run_t
-+.EE
-+
-+- Set files with the cupsd_lpd_var_run_t type, if you want to store the cupsd lpd files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B cupsd_rw_etc_t
-+.EE
-+
-+- Set files with the cupsd_rw_etc_t type, if you want to store cupsd rw files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B cupsd_tmp_t
-+.EE
-+
-+- Set files with the cupsd_tmp_t type, if you want to store cupsd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B cupsd_unit_file_t
-+.EE
-+
-+- Set files with the cupsd_unit_file_t type, if you want to treat the files as cupsd unit content.
-+
-+
-+.EX
-+.PP
-+.B cupsd_var_run_t
-+.EE
-+
-+- Set files with the cupsd_var_run_t type, if you want to store the cupsd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cupsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cupsd_interface_t
-+
-+ /etc/cups/interfaces(/.*)?
-+.br
-+
-+.br
-+.B cupsd_lock_t
-+
-+
-+.br
-+.B cupsd_log_t
-+
-+ /var/log/cups(/.*)?
-+.br
-+ /usr/Brother/fax/.*\.log.*
-+.br
-+ /var/log/turboprint.*
-+.br
-+
-+.br
-+.B cupsd_rw_etc_t
-+
-+ /etc/printcap.*
-+.br
-+ /etc/cups/ppd(/.*)?
-+.br
-+ /usr/Brother/(.*/)?inf(/.*)?
-+.br
-+ /usr/Printer/(.*/)?inf(/.*)?
-+.br
-+ /usr/lib/bjlib(/.*)?
-+.br
-+ /var/lib/iscan(/.*)?
-+.br
-+ /var/cache/cups(/.*)?
-+.br
-+ /etc/cups/certs/.*
-+.br
-+ /etc/opt/Brother/(.*/)?inf(/.*)?
-+.br
-+ /etc/cups/lpoptions.*
-+.br
-+ /var/cache/foomatic(/.*)?
-+.br
-+ /etc/cups/cupsd\.conf.*
-+.br
-+ /var/lib/cups/certs/.*
-+.br
-+ /opt/gutenprint/ppds(/.*)?
-+.br
-+ /opt/brother/Printers(.*/)?inf(/.*)?
-+.br
-+ /etc/cups/classes\.conf.*
-+.br
-+ /etc/cups/printers\.conf.*
-+.br
-+ /etc/cups/subscriptions.*
-+.br
-+ /usr/local/linuxprinter/ppd(/.*)?
-+.br
-+ /var/cache/alchemist/printconf.*
-+.br
-+ /etc/alchemist/namespace/printconf(/.*)?
-+.br
-+ /etc/cups/certs
-+.br
-+ /etc/cups/ppds\.dat
-+.br
-+ /var/lib/cups/certs
-+.br
-+ /usr/share/foomatic/db/oldprinterids
-+.br
-+
-+.br
-+.B cupsd_tmp_t
-+
-+
-+.br
-+.B cupsd_var_run_t
-+
-+ /var/ccpd(/.*)?
-+.br
-+ /var/ekpd(/.*)?
-+.br
-+ /var/run/cups(/.*)?
-+.br
-+ /var/turboprint(/.*)?
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B print_spool_t
-+
-+ /var/spool/lpd(/.*)?
-+.br
-+ /var/spool/cups(/.*)?
-+.br
-+ /var/spool/cups-pdf(/.*)?
-+.br
-+
-+.br
-+.B samba_var_t
-+
-+ /var/lib/samba(/.*)?
-+.br
-+ /var/cache/samba(/.*)?
-+.br
-+ /var/spool/samba(/.*)?
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B usbfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cupsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, cups_pdf_selinux(8), cupsd_config_selinux(8), cupsd_lpd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/cvs_selinux.8 b/man/man8/cvs_selinux.8
-new file mode 100644
-index 0000000..c477853
---- /dev/null
-+++ b/man/man8/cvs_selinux.8
-@@ -0,0 +1,236 @@
-+.TH "cvs_selinux" "8" "12-11-01" "cvs" "SELinux Policy documentation for cvs"
-+.SH "NAME"
-+cvs_selinux \- Security Enhanced Linux Policy for the cvs processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cvs processes via flexible mandatory access control.
-+
-+The cvs processes execute with the cvs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cvs_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cvs_t SELinux type can be entered via the "cvs_exec_t" file type. The default entrypoint paths for the cvs_t domain are the following:"
-+
-+/usr/bin/cvs
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cvs policy is very flexible allowing users to setup their cvs processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cvs:
-+
-+.EX
-+.B cvs_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. cvs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cvs with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow cvs daemon to read shadow, you must turn on the cvs_read_shadow boolean.
-+
-+.EX
-+.B setsebool -P cvs_read_shadow 1
-+.EE
-+
-+.PP
-+If you want to allow cvs daemon to read shadow, you must turn on the cvs_read_shadow boolean.
-+
-+.EX
-+.B setsebool -P cvs_read_shadow 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cvs policy is very flexible allowing users to setup their cvs processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cvs:
-+
-+
-+.EX
-+.PP
-+.B cvs_data_t
-+.EE
-+
-+- Set files with the cvs_data_t type, if you want to treat the files as cvs content.
-+
-+
-+.EX
-+.PP
-+.B cvs_exec_t
-+.EE
-+
-+- Set files with the cvs_exec_t type, if you want to transition an executable to the cvs_t domain.
-+
-+
-+.EX
-+.PP
-+.B cvs_initrc_exec_t
-+.EE
-+
-+- Set files with the cvs_initrc_exec_t type, if you want to transition an executable to the cvs_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B cvs_keytab_t
-+.EE
-+
-+- Set files with the cvs_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B cvs_tmp_t
-+.EE
-+
-+- Set files with the cvs_tmp_t type, if you want to store cvs temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B cvs_var_run_t
-+.EE
-+
-+- Set files with the cvs_var_run_t type, if you want to store the cvs files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux cvs policy is very flexible allowing users to setup their cvs processes in as secure a method as possible.
-+.PP
-+The following port types are defined for cvs:
-+
-+.EX
-+.TP 5
-+.B cvs_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 2401
-+.EE
-+udp 2401
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cvs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cvs_data_t
-+
-+ /opt/cvs(/.*)?
-+.br
-+ /var/cvs(/.*)?
-+.br
-+
-+.br
-+.B cvs_tmp_t
-+
-+
-+.br
-+.B cvs_var_run_t
-+
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cvs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the cvs_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cvs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/cyphesis_selinux.8 b/man/man8/cyphesis_selinux.8
-new file mode 100644
-index 0000000..247c016
---- /dev/null
-+++ b/man/man8/cyphesis_selinux.8
-@@ -0,0 +1,154 @@
-+.TH "cyphesis_selinux" "8" "12-11-01" "cyphesis" "SELinux Policy documentation for cyphesis"
-+.SH "NAME"
-+cyphesis_selinux \- Security Enhanced Linux Policy for the cyphesis processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cyphesis processes via flexible mandatory access control.
-+
-+The cyphesis processes execute with the cyphesis_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cyphesis_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cyphesis_t SELinux type can be entered via the "cyphesis_exec_t" file type. The default entrypoint paths for the cyphesis_t domain are the following:"
-+
-+/usr/bin/cyphesis
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cyphesis policy is very flexible allowing users to setup their cyphesis processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cyphesis:
-+
-+.EX
-+.B cyphesis_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cyphesis policy is very flexible allowing users to setup their cyphesis processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cyphesis:
-+
-+
-+.EX
-+.PP
-+.B cyphesis_exec_t
-+.EE
-+
-+- Set files with the cyphesis_exec_t type, if you want to transition an executable to the cyphesis_t domain.
-+
-+
-+.EX
-+.PP
-+.B cyphesis_log_t
-+.EE
-+
-+- Set files with the cyphesis_log_t type, if you want to treat the data as cyphesis log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B cyphesis_tmp_t
-+.EE
-+
-+- Set files with the cyphesis_tmp_t type, if you want to store cyphesis temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B cyphesis_var_run_t
-+.EE
-+
-+- Set files with the cyphesis_var_run_t type, if you want to store the cyphesis files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux cyphesis policy is very flexible allowing users to setup their cyphesis processes in as secure a method as possible.
-+.PP
-+The following port types are defined for cyphesis:
-+
-+.EX
-+.TP 5
-+.B cyphesis_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 6767,6769,6780-6799
-+.EE
-+udp 32771
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cyphesis_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cyphesis_log_t
-+
-+ /var/log/cyphesis(/.*)?
-+.br
-+
-+.br
-+.B cyphesis_var_run_t
-+
-+ /var/run/cyphesis(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cyphesis(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/cyrus_selinux.8 b/man/man8/cyrus_selinux.8
-new file mode 100644
-index 0000000..96f6359
---- /dev/null
-+++ b/man/man8/cyrus_selinux.8
-@@ -0,0 +1,170 @@
-+.TH "cyrus_selinux" "8" "12-11-01" "cyrus" "SELinux Policy documentation for cyrus"
-+.SH "NAME"
-+cyrus_selinux \- Security Enhanced Linux Policy for the cyrus processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the cyrus processes via flexible mandatory access control.
-+
-+The cyrus processes execute with the cyrus_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep cyrus_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The cyrus_t SELinux type can be entered via the "cyrus_exec_t" file type. The default entrypoint paths for the cyrus_t domain are the following:"
-+
-+/usr/lib/cyrus/master, /usr/lib/cyrus-imapd/cyrus-master
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux cyrus policy is very flexible allowing users to setup their cyrus processes in as secure a method as possible.
-+.PP
-+The following process types are defined for cyrus:
-+
-+.EX
-+.B cyrus_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux cyrus policy is very flexible allowing users to setup their cyrus processes in as secure a method as possible.
-+.PP
-+The following file types are defined for cyrus:
-+
-+
-+.EX
-+.PP
-+.B cyrus_exec_t
-+.EE
-+
-+- Set files with the cyrus_exec_t type, if you want to transition an executable to the cyrus_t domain.
-+
-+
-+.EX
-+.PP
-+.B cyrus_initrc_exec_t
-+.EE
-+
-+- Set files with the cyrus_initrc_exec_t type, if you want to transition an executable to the cyrus_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B cyrus_keytab_t
-+.EE
-+
-+- Set files with the cyrus_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B cyrus_tmp_t
-+.EE
-+
-+- Set files with the cyrus_tmp_t type, if you want to store cyrus temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B cyrus_var_lib_t
-+.EE
-+
-+- Set files with the cyrus_var_lib_t type, if you want to store the cyrus files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B cyrus_var_run_t
-+.EE
-+
-+- Set files with the cyrus_var_run_t type, if you want to store the cyrus files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type cyrus_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cyrus_tmp_t
-+
-+
-+.br
-+.B cyrus_var_lib_t
-+
-+ /var/imap(/.*)?
-+.br
-+ /var/lib/imap(/.*)?
-+.br
-+
-+.br
-+.B cyrus_var_run_t
-+
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cyrus_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the cyrus_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), cyrus(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/dbadm_selinux.8 b/man/man8/dbadm_selinux.8
-new file mode 100644
-index 0000000..db93ad7
---- /dev/null
-+++ b/man/man8/dbadm_selinux.8
-@@ -0,0 +1,225 @@
-+.TH "dbadm_selinux" "8" "dbadm" "mgrepl@redhat.com" "dbadm SELinux Policy documentation"
-+.SH "NAME"
-+dbadm_r \- \fBDatabase administrator role\fP - Security Enhanced Linux Policy
-+
-+.SH DESCRIPTION
-+
-+SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into.
-+
-+.I Note:
-+Examples in this man page will use the
-+.B staff_u
-+SELinux user.
-+
-+Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them.
-+
-+The default type for the dbadm_r role is dbadm_t.
-+
-+The
-+.B newrole
-+program to transition directly to this role.
-+
-+.B newrole -r dbadm_r -t dbadm_t
-+
-+.B sudo
-+is the preferred method to do transition from one role to another. You setup sudo to transition to dbadm_r by adding a similar line to the /etc/sudoers file.
-+
-+USERNAME ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t COMMAND
-+
-+.br
-+sudo will run COMMAND as staff_u:dbadm_r:dbadm_t:LEVEL
-+
-+When using a a non login role, you need to setup SELinux so that your SELinux user can reach dbadm_r role.
-+
-+Execute the following to see all of the assigned SELinux roles:
-+
-+.B semanage user -l
-+
-+You need to add dbadm_r to the staff_u user. You could setup the staff_u user to be able to use the dbadm_r role with a command like:
-+
-+.B $ semanage user -m -R 'staff_r system_r dbadm_r' staff_u
-+
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. dbadm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dbadm with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
-+
-+.EX
-+.B setsebool -P postgresql_selinux_unconfined_dbadm 1
-+.EE
-+
-+.PP
-+If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean.
-+
-+.EX
-+.B setsebool -P dbadm_manage_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow dbadm to read files in users home directories, you must turn on the dbadm_read_user_files boolean.
-+
-+.EX
-+.B setsebool -P dbadm_read_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
-+
-+.EX
-+.B setsebool -P postgresql_selinux_unconfined_dbadm 1
-+.EE
-+
-+.PP
-+If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean.
-+
-+.EX
-+.B setsebool -P dbadm_manage_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow dbadm to read files in users home directories, you must turn on the dbadm_read_user_files boolean.
-+
-+.EX
-+.B setsebool -P dbadm_read_user_files 1
-+.EE
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dbadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mysqld_db_t
-+
-+ /var/lib/mysql(/.*)?
-+.br
-+
-+.br
-+.B mysqld_etc_t
-+
-+ /etc/mysql(/.*)?
-+.br
-+ /etc/my\.cnf
-+.br
-+
-+.br
-+.B mysqld_home_t
-+
-+ /root/\.my\.cnf
-+.br
-+ /home/[^/]*/\.my\.cnf
-+.br
-+ /home/dwalsh/\.my\.cnf
-+.br
-+ /var/lib/xguest/home/xguest/\.my\.cnf
-+.br
-+
-+.br
-+.B mysqld_log_t
-+
-+ /var/log/mysql.*
-+.br
-+
-+.br
-+.B mysqld_tmp_t
-+
-+
-+.br
-+.B mysqld_unit_file_t
-+
-+ /usr/lib/systemd/system/mysqld.*
-+.br
-+
-+.br
-+.B mysqld_var_run_t
-+
-+ /var/run/mysqld(/.*)?
-+.br
-+ /var/lib/mysql/mysql\.sock
-+.br
-+
-+.br
-+.B postgresql_db_t
-+
-+ /var/lib/pgsql(/.*)?
-+.br
-+ /var/lib/sepgsql(/.*)?
-+.br
-+ /var/lib/postgres(ql)?(/.*)?
-+.br
-+ /usr/share/jonas/pgsql(/.*)?
-+.br
-+ /usr/lib/pgsql/test/regress(/.*)?
-+.br
-+
-+.br
-+.B postgresql_etc_t
-+
-+ /etc/postgresql(/.*)?
-+.br
-+ /etc/sysconfig/pgsql(/.*)?
-+.br
-+
-+.br
-+.B postgresql_log_t
-+
-+ /var/lib/pgsql/.*\.log
-+.br
-+ /var/log/rhdb/rhdb(/.*)?
-+.br
-+ /var/log/postgresql(/.*)?
-+.br
-+ /var/log/postgres\.log.*
-+.br
-+ /var/lib/pgsql/logfile(/.*)?
-+.br
-+ /var/log/sepostgresql\.log.*
-+.br
-+ /var/lib/sepgsql/pgstartup\.log
-+.br
-+
-+.br
-+.B postgresql_tmp_t
-+
-+
-+.br
-+.B postgresql_var_run_t
-+
-+ /var/run/postgresql(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dbadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/dbskkd_selinux.8 b/man/man8/dbskkd_selinux.8
-new file mode 100644
-index 0000000..be5dff8
---- /dev/null
-+++ b/man/man8/dbskkd_selinux.8
-@@ -0,0 +1,154 @@
-+.TH "dbskkd_selinux" "8" "12-11-01" "dbskkd" "SELinux Policy documentation for dbskkd"
-+.SH "NAME"
-+dbskkd_selinux \- Security Enhanced Linux Policy for the dbskkd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dbskkd processes via flexible mandatory access control.
-+
-+The dbskkd processes execute with the dbskkd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dbskkd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dbskkd_t SELinux type can be entered via the "dbskkd_exec_t" file type. The default entrypoint paths for the dbskkd_t domain are the following:"
-+
-+/usr/sbin/dbskkd-cdb
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dbskkd policy is very flexible allowing users to setup their dbskkd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dbskkd:
-+
-+.EX
-+.B dbskkd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dbskkd policy is very flexible allowing users to setup their dbskkd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dbskkd:
-+
-+
-+.EX
-+.PP
-+.B dbskkd_exec_t
-+.EE
-+
-+- Set files with the dbskkd_exec_t type, if you want to transition an executable to the dbskkd_t domain.
-+
-+
-+.EX
-+.PP
-+.B dbskkd_tmp_t
-+.EE
-+
-+- Set files with the dbskkd_tmp_t type, if you want to store dbskkd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B dbskkd_var_run_t
-+.EE
-+
-+- Set files with the dbskkd_var_run_t type, if you want to store the dbskkd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux dbskkd policy is very flexible allowing users to setup their dbskkd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for dbskkd:
-+
-+.EX
-+.TP 5
-+.B dbskkd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 1178
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dbskkd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dbskkd_tmp_t
-+
-+
-+.br
-+.B dbskkd_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dbskkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dbskkd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dbskkd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/dcc_client_selinux.8 b/man/man8/dcc_client_selinux.8
-new file mode 100644
-index 0000000..bba5677
---- /dev/null
-+++ b/man/man8/dcc_client_selinux.8
-@@ -0,0 +1,147 @@
-+.TH "dcc_client_selinux" "8" "12-11-01" "dcc_client" "SELinux Policy documentation for dcc_client"
-+.SH "NAME"
-+dcc_client_selinux \- Security Enhanced Linux Policy for the dcc_client processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dcc_client processes via flexible mandatory access control.
-+
-+The dcc_client processes execute with the dcc_client_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dcc_client_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dcc_client_t SELinux type can be entered via the "dcc_client_exec_t" file type. The default entrypoint paths for the dcc_client_t domain are the following:"
-+
-+/usr/bin/dccproc
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dcc_client policy is very flexible allowing users to setup their dcc_client processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dcc_client:
-+
-+.EX
-+.B dcc_client_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dcc_client policy is very flexible allowing users to setup their dcc_client processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dcc_client:
-+
-+
-+.EX
-+.PP
-+.B dcc_client_exec_t
-+.EE
-+
-+- Set files with the dcc_client_exec_t type, if you want to transition an executable to the dcc_client_t domain.
-+
-+
-+.EX
-+.PP
-+.B dcc_client_map_t
-+.EE
-+
-+- Set files with the dcc_client_map_t type, if you want to treat the files as dcc client map data.
-+
-+
-+.EX
-+.PP
-+.B dcc_client_tmp_t
-+.EE
-+
-+- Set files with the dcc_client_tmp_t type, if you want to store dcc client temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dcc_client_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dcc_client_map_t
-+
-+ /etc/dcc/map
-+.br
-+ /var/dcc/map
-+.br
-+ /var/lib/dcc/map
-+.br
-+ /var/run/dcc/map
-+.br
-+
-+.br
-+.B dcc_client_tmp_t
-+
-+
-+.br
-+.B dcc_var_t
-+
-+ /etc/dcc(/.*)?
-+.br
-+ /var/dcc(/.*)?
-+.br
-+ /var/lib/dcc(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dcc_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dcc_client_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dcc_client(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, dcc_dbclean_selinux(8), dccd_selinux(8), dccifd_selinux(8), dccm_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/dcc_dbclean_selinux.8 b/man/man8/dcc_dbclean_selinux.8
-new file mode 100644
-index 0000000..e4168aa
---- /dev/null
-+++ b/man/man8/dcc_dbclean_selinux.8
-@@ -0,0 +1,139 @@
-+.TH "dcc_dbclean_selinux" "8" "12-11-01" "dcc_dbclean" "SELinux Policy documentation for dcc_dbclean"
-+.SH "NAME"
-+dcc_dbclean_selinux \- Security Enhanced Linux Policy for the dcc_dbclean processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dcc_dbclean processes via flexible mandatory access control.
-+
-+The dcc_dbclean processes execute with the dcc_dbclean_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dcc_dbclean_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dcc_dbclean_t SELinux type can be entered via the "dcc_dbclean_exec_t" file type. The default entrypoint paths for the dcc_dbclean_t domain are the following:"
-+
-+/usr/libexec/dcc/dbclean
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dcc_dbclean policy is very flexible allowing users to setup their dcc_dbclean processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dcc_dbclean:
-+
-+.EX
-+.B dcc_dbclean_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dcc_dbclean policy is very flexible allowing users to setup their dcc_dbclean processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dcc_dbclean:
-+
-+
-+.EX
-+.PP
-+.B dcc_dbclean_exec_t
-+.EE
-+
-+- Set files with the dcc_dbclean_exec_t type, if you want to transition an executable to the dcc_dbclean_t domain.
-+
-+
-+.EX
-+.PP
-+.B dcc_dbclean_tmp_t
-+.EE
-+
-+- Set files with the dcc_dbclean_tmp_t type, if you want to store dcc dbclean temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dcc_dbclean_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dcc_client_map_t
-+
-+ /etc/dcc/map
-+.br
-+ /var/dcc/map
-+.br
-+ /var/lib/dcc/map
-+.br
-+ /var/run/dcc/map
-+.br
-+
-+.br
-+.B dcc_dbclean_tmp_t
-+
-+
-+.br
-+.B dcc_var_t
-+
-+ /etc/dcc(/.*)?
-+.br
-+ /var/dcc(/.*)?
-+.br
-+ /var/lib/dcc(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dcc_dbclean_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dcc_dbclean_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dcc_dbclean(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, dcc_client_selinux(8), dccd_selinux(8), dccifd_selinux(8), dccm_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/dccd_selinux.8 b/man/man8/dccd_selinux.8
-new file mode 100644
-index 0000000..ea14c8d
---- /dev/null
-+++ b/man/man8/dccd_selinux.8
-@@ -0,0 +1,190 @@
-+.TH "dccd_selinux" "8" "12-11-01" "dccd" "SELinux Policy documentation for dccd"
-+.SH "NAME"
-+dccd_selinux \- Security Enhanced Linux Policy for the dccd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dccd processes via flexible mandatory access control.
-+
-+The dccd processes execute with the dccd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dccd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dccd_t SELinux type can be entered via the "dccd_exec_t" file type. The default entrypoint paths for the dccd_t domain are the following:"
-+
-+/usr/libexec/dcc/dccd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dccd:
-+
-+.EX
-+.B dccm_t, dcc_client_t, dcc_dbclean_t, dccifd_t, dccd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dccd:
-+
-+
-+.EX
-+.PP
-+.B dccd_exec_t
-+.EE
-+
-+- Set files with the dccd_exec_t type, if you want to transition an executable to the dccd_t domain.
-+
-+
-+.EX
-+.PP
-+.B dccd_tmp_t
-+.EE
-+
-+- Set files with the dccd_tmp_t type, if you want to store dccd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B dccd_var_run_t
-+.EE
-+
-+- Set files with the dccd_var_run_t type, if you want to store the dccd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for dccd:
-+
-+.EX
-+.TP 5
-+.B dcc_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 6276,6277
-+.EE
-+
-+.EX
-+.TP 5
-+.B dccm_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 5679
-+.EE
-+udp 5679
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dccd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dcc_client_map_t
-+
-+ /etc/dcc/map
-+.br
-+ /var/dcc/map
-+.br
-+ /var/lib/dcc/map
-+.br
-+ /var/run/dcc/map
-+.br
-+
-+.br
-+.B dcc_var_t
-+
-+ /etc/dcc(/.*)?
-+.br
-+ /var/dcc(/.*)?
-+.br
-+ /var/lib/dcc(/.*)?
-+.br
-+
-+.br
-+.B dccd_tmp_t
-+
-+
-+.br
-+.B dccd_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dccd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, dcc_client_selinux(8), dcc_dbclean_selinux(8), dccifd_selinux(8), dccm_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/dccifd_selinux.8 b/man/man8/dccifd_selinux.8
-new file mode 100644
-index 0000000..3c8baf4
---- /dev/null
-+++ b/man/man8/dccifd_selinux.8
-@@ -0,0 +1,154 @@
-+.TH "dccifd_selinux" "8" "12-11-01" "dccifd" "SELinux Policy documentation for dccifd"
-+.SH "NAME"
-+dccifd_selinux \- Security Enhanced Linux Policy for the dccifd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dccifd processes via flexible mandatory access control.
-+
-+The dccifd processes execute with the dccifd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dccifd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dccifd_t SELinux type can be entered via the "dccifd_exec_t" file type. The default entrypoint paths for the dccifd_t domain are the following:"
-+
-+/usr/libexec/dcc/dccifd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dccifd policy is very flexible allowing users to setup their dccifd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dccifd:
-+
-+.EX
-+.B dccifd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dccifd policy is very flexible allowing users to setup their dccifd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dccifd:
-+
-+
-+.EX
-+.PP
-+.B dccifd_exec_t
-+.EE
-+
-+- Set files with the dccifd_exec_t type, if you want to transition an executable to the dccifd_t domain.
-+
-+
-+.EX
-+.PP
-+.B dccifd_tmp_t
-+.EE
-+
-+- Set files with the dccifd_tmp_t type, if you want to store dccifd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B dccifd_var_run_t
-+.EE
-+
-+- Set files with the dccifd_var_run_t type, if you want to store the dccifd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dccifd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dcc_client_map_t
-+
-+ /etc/dcc/map
-+.br
-+ /var/dcc/map
-+.br
-+ /var/lib/dcc/map
-+.br
-+ /var/run/dcc/map
-+.br
-+
-+.br
-+.B dcc_var_t
-+
-+ /etc/dcc(/.*)?
-+.br
-+ /var/dcc(/.*)?
-+.br
-+ /var/lib/dcc(/.*)?
-+.br
-+
-+.br
-+.B dccifd_tmp_t
-+
-+
-+.br
-+.B dccifd_var_run_t
-+
-+ /etc/dcc/dccifd
-+.br
-+ /var/run/dcc/dccifd
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccifd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dccifd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dccifd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/dccm_selinux.8 b/man/man8/dccm_selinux.8
-new file mode 100644
-index 0000000..58a004a
---- /dev/null
-+++ b/man/man8/dccm_selinux.8
-@@ -0,0 +1,178 @@
-+.TH "dccm_selinux" "8" "12-11-01" "dccm" "SELinux Policy documentation for dccm"
-+.SH "NAME"
-+dccm_selinux \- Security Enhanced Linux Policy for the dccm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dccm processes via flexible mandatory access control.
-+
-+The dccm processes execute with the dccm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dccm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dccm_t SELinux type can be entered via the "dccm_exec_t" file type. The default entrypoint paths for the dccm_t domain are the following:"
-+
-+/usr/libexec/dcc/dccm
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dccm policy is very flexible allowing users to setup their dccm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dccm:
-+
-+.EX
-+.B dccm_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dccm policy is very flexible allowing users to setup their dccm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dccm:
-+
-+
-+.EX
-+.PP
-+.B dccm_exec_t
-+.EE
-+
-+- Set files with the dccm_exec_t type, if you want to transition an executable to the dccm_t domain.
-+
-+
-+.EX
-+.PP
-+.B dccm_tmp_t
-+.EE
-+
-+- Set files with the dccm_tmp_t type, if you want to store dccm temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B dccm_var_run_t
-+.EE
-+
-+- Set files with the dccm_var_run_t type, if you want to store the dccm files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux dccm policy is very flexible allowing users to setup their dccm processes in as secure a method as possible.
-+.PP
-+The following port types are defined for dccm:
-+
-+.EX
-+.TP 5
-+.B dccm_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 5679
-+.EE
-+udp 5679
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dccm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dcc_client_map_t
-+
-+ /etc/dcc/map
-+.br
-+ /var/dcc/map
-+.br
-+ /var/lib/dcc/map
-+.br
-+ /var/run/dcc/map
-+.br
-+
-+.br
-+.B dcc_var_t
-+
-+ /etc/dcc(/.*)?
-+.br
-+ /var/dcc(/.*)?
-+.br
-+ /var/lib/dcc(/.*)?
-+.br
-+
-+.br
-+.B dccm_tmp_t
-+
-+
-+.br
-+.B dccm_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dccm_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dccm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/dcerpcd_selinux.8 b/man/man8/dcerpcd_selinux.8
-new file mode 100644
-index 0000000..857f141
---- /dev/null
-+++ b/man/man8/dcerpcd_selinux.8
-@@ -0,0 +1,124 @@
-+.TH "dcerpcd_selinux" "8" "12-11-01" "dcerpcd" "SELinux Policy documentation for dcerpcd"
-+.SH "NAME"
-+dcerpcd_selinux \- Security Enhanced Linux Policy for the dcerpcd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dcerpcd processes via flexible mandatory access control.
-+
-+The dcerpcd processes execute with the dcerpcd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dcerpcd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dcerpcd_t SELinux type can be entered via the "dcerpcd_exec_t" file type. The default entrypoint paths for the dcerpcd_t domain are the following:"
-+
-+/usr/sbin/dcerpcd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dcerpcd policy is very flexible allowing users to setup their dcerpcd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dcerpcd:
-+
-+.EX
-+.B dcerpcd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dcerpcd policy is very flexible allowing users to setup their dcerpcd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dcerpcd:
-+
-+
-+.EX
-+.PP
-+.B dcerpcd_exec_t
-+.EE
-+
-+- Set files with the dcerpcd_exec_t type, if you want to transition an executable to the dcerpcd_t domain.
-+
-+
-+.EX
-+.PP
-+.B dcerpcd_var_lib_t
-+.EE
-+
-+- Set files with the dcerpcd_var_lib_t type, if you want to store the dcerpcd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B dcerpcd_var_run_t
-+.EE
-+
-+- Set files with the dcerpcd_var_run_t type, if you want to store the dcerpcd files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B dcerpcd_var_socket_t
-+.EE
-+
-+- Set files with the dcerpcd_var_socket_t type, if you want to treat the files as dcerpcd var socket data.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dcerpcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dcerpcd_var_lib_t
-+
-+ /var/lib/likewise-open/run/rpcdep.dat
-+.br
-+
-+.br
-+.B dcerpcd_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dcerpcd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ddclient_selinux.8 b/man/man8/ddclient_selinux.8
-new file mode 100644
-index 0000000..43a6aa0
---- /dev/null
-+++ b/man/man8/ddclient_selinux.8
-@@ -0,0 +1,176 @@
-+.TH "ddclient_selinux" "8" "12-11-01" "ddclient" "SELinux Policy documentation for ddclient"
-+.SH "NAME"
-+ddclient_selinux \- Security Enhanced Linux Policy for the ddclient processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ddclient processes via flexible mandatory access control.
-+
-+The ddclient processes execute with the ddclient_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ddclient_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ddclient_t SELinux type can be entered via the "ddclient_exec_t" file type. The default entrypoint paths for the ddclient_t domain are the following:"
-+
-+/usr/sbin/ddtcd, /usr/sbin/ddclient
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ddclient policy is very flexible allowing users to setup their ddclient processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ddclient:
-+
-+.EX
-+.B ddclient_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ddclient policy is very flexible allowing users to setup their ddclient processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ddclient:
-+
-+
-+.EX
-+.PP
-+.B ddclient_etc_t
-+.EE
-+
-+- Set files with the ddclient_etc_t type, if you want to store ddclient files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B ddclient_exec_t
-+.EE
-+
-+- Set files with the ddclient_exec_t type, if you want to transition an executable to the ddclient_t domain.
-+
-+
-+.EX
-+.PP
-+.B ddclient_initrc_exec_t
-+.EE
-+
-+- Set files with the ddclient_initrc_exec_t type, if you want to transition an executable to the ddclient_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B ddclient_log_t
-+.EE
-+
-+- Set files with the ddclient_log_t type, if you want to treat the data as ddclient log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B ddclient_tmp_t
-+.EE
-+
-+- Set files with the ddclient_tmp_t type, if you want to store ddclient temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B ddclient_var_lib_t
-+.EE
-+
-+- Set files with the ddclient_var_lib_t type, if you want to store the ddclient files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B ddclient_var_run_t
-+.EE
-+
-+- Set files with the ddclient_var_run_t type, if you want to store the ddclient files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B ddclient_var_t
-+.EE
-+
-+- Set files with the ddclient_var_t type, if you want to store the ddcl files under the /var directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ddclient_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ddclient_log_t
-+
-+ /var/log/ddtcd\.log.*
-+.br
-+
-+.br
-+.B ddclient_tmp_t
-+
-+
-+.br
-+.B ddclient_var_lib_t
-+
-+ /var/lib/ddt-client(/.*)?
-+.br
-+
-+.br
-+.B ddclient_var_run_t
-+
-+ /var/run/ddtcd\.pid
-+.br
-+ /var/run/ddclient\.pid
-+.br
-+
-+.br
-+.B ddclient_var_t
-+
-+ /var/cache/ddclient(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ddclient(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/deltacloudd_selinux.8 b/man/man8/deltacloudd_selinux.8
-new file mode 100644
-index 0000000..c0b2b2f
---- /dev/null
-+++ b/man/man8/deltacloudd_selinux.8
-@@ -0,0 +1,142 @@
-+.TH "deltacloudd_selinux" "8" "12-11-01" "deltacloudd" "SELinux Policy documentation for deltacloudd"
-+.SH "NAME"
-+deltacloudd_selinux \- Security Enhanced Linux Policy for the deltacloudd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the deltacloudd processes via flexible mandatory access control.
-+
-+The deltacloudd processes execute with the deltacloudd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep deltacloudd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The deltacloudd_t SELinux type can be entered via the "deltacloudd_exec_t" file type. The default entrypoint paths for the deltacloudd_t domain are the following:"
-+
-+/usr/bin/deltacloudd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux deltacloudd policy is very flexible allowing users to setup their deltacloudd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for deltacloudd:
-+
-+.EX
-+.B deltacloudd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux deltacloudd policy is very flexible allowing users to setup their deltacloudd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for deltacloudd:
-+
-+
-+.EX
-+.PP
-+.B deltacloudd_exec_t
-+.EE
-+
-+- Set files with the deltacloudd_exec_t type, if you want to transition an executable to the deltacloudd_t domain.
-+
-+
-+.EX
-+.PP
-+.B deltacloudd_log_t
-+.EE
-+
-+- Set files with the deltacloudd_log_t type, if you want to treat the data as deltacloudd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B deltacloudd_tmp_t
-+.EE
-+
-+- Set files with the deltacloudd_tmp_t type, if you want to store deltacloudd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B deltacloudd_var_run_t
-+.EE
-+
-+- Set files with the deltacloudd_var_run_t type, if you want to store the deltacloudd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type deltacloudd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B deltacloudd_log_t
-+
-+ /var/log/deltacloud-core(/.*)?
-+.br
-+
-+.br
-+.B deltacloudd_tmp_t
-+
-+
-+.br
-+.B deltacloudd_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the deltacloudd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the deltacloudd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), deltacloudd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/denyhosts_selinux.8 b/man/man8/denyhosts_selinux.8
-new file mode 100644
-index 0000000..ec75026
---- /dev/null
-+++ b/man/man8/denyhosts_selinux.8
-@@ -0,0 +1,174 @@
-+.TH "denyhosts_selinux" "8" "12-11-01" "denyhosts" "SELinux Policy documentation for denyhosts"
-+.SH "NAME"
-+denyhosts_selinux \- Security Enhanced Linux Policy for the denyhosts processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the denyhosts processes via flexible mandatory access control.
-+
-+The denyhosts processes execute with the denyhosts_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep denyhosts_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The denyhosts_t SELinux type can be entered via the "denyhosts_exec_t" file type. The default entrypoint paths for the denyhosts_t domain are the following:"
-+
-+/usr/bin/denyhosts\.py
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux denyhosts policy is very flexible allowing users to setup their denyhosts processes in as secure a method as possible.
-+.PP
-+The following process types are defined for denyhosts:
-+
-+.EX
-+.B denyhosts_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux denyhosts policy is very flexible allowing users to setup their denyhosts processes in as secure a method as possible.
-+.PP
-+The following file types are defined for denyhosts:
-+
-+
-+.EX
-+.PP
-+.B denyhosts_exec_t
-+.EE
-+
-+- Set files with the denyhosts_exec_t type, if you want to transition an executable to the denyhosts_t domain.
-+
-+
-+.EX
-+.PP
-+.B denyhosts_initrc_exec_t
-+.EE
-+
-+- Set files with the denyhosts_initrc_exec_t type, if you want to transition an executable to the denyhosts_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B denyhosts_var_lib_t
-+.EE
-+
-+- Set files with the denyhosts_var_lib_t type, if you want to store the denyhosts files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B denyhosts_var_lock_t
-+.EE
-+
-+- Set files with the denyhosts_var_lock_t type, if you want to treat the files as denyhosts var lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B denyhosts_var_log_t
-+.EE
-+
-+- Set files with the denyhosts_var_log_t type, if you want to treat the data as denyhosts var log data, usually stored under the /var/log directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type denyhosts_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B denyhosts_var_lib_t
-+
-+ /var/lib/denyhosts(/.*)?
-+.br
-+
-+.br
-+.B denyhosts_var_lock_t
-+
-+ /var/lock/subsys/denyhosts
-+.br
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the denyhosts_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the denyhosts_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), denyhosts(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/depmod_selinux.8 b/man/man8/depmod_selinux.8
-new file mode 100644
-index 0000000..86e670e
---- /dev/null
-+++ b/man/man8/depmod_selinux.8
-@@ -0,0 +1,112 @@
-+.TH "depmod_selinux" "8" "12-11-01" "depmod" "SELinux Policy documentation for depmod"
-+.SH "NAME"
-+depmod_selinux \- Security Enhanced Linux Policy for the depmod processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the depmod processes via flexible mandatory access control.
-+
-+The depmod processes execute with the depmod_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep depmod_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The depmod_t SELinux type can be entered via the "depmod_exec_t" file type. The default entrypoint paths for the depmod_t domain are the following:"
-+
-+/sbin/depmod.*, /usr/sbin/depmod.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux depmod policy is very flexible allowing users to setup their depmod processes in as secure a method as possible.
-+.PP
-+The following process types are defined for depmod:
-+
-+.EX
-+.B depmod_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux depmod policy is very flexible allowing users to setup their depmod processes in as secure a method as possible.
-+.PP
-+The following file types are defined for depmod:
-+
-+
-+.EX
-+.PP
-+.B depmod_exec_t
-+.EE
-+
-+- Set files with the depmod_exec_t type, if you want to transition an executable to the depmod_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type depmod_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B modules_dep_t
-+
-+ /lib/modules/[^/]+/modules\..+
-+.br
-+
-+.br
-+.B rpm_script_tmp_t
-+
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), depmod(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/devicekit_disk_selinux.8 b/man/man8/devicekit_disk_selinux.8
-new file mode 100644
-index 0000000..cbce236
---- /dev/null
-+++ b/man/man8/devicekit_disk_selinux.8
-@@ -0,0 +1,163 @@
-+.TH "devicekit_disk_selinux" "8" "12-11-01" "devicekit_disk" "SELinux Policy documentation for devicekit_disk"
-+.SH "NAME"
-+devicekit_disk_selinux \- Security Enhanced Linux Policy for the devicekit_disk processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the devicekit_disk processes via flexible mandatory access control.
-+
-+The devicekit_disk processes execute with the devicekit_disk_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep devicekit_disk_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The devicekit_disk_t SELinux type can be entered via the "devicekit_disk_exec_t" file type. The default entrypoint paths for the devicekit_disk_t domain are the following:"
-+
-+/lib/udisks2/udisksd, /lib/udev/udisks-part-id, /usr/lib/udisks2/udisksd, /usr/libexec/udisks-daemon, /usr/lib/udev/udisks-part-id, /usr/lib/udisks/udisks-daemon, /usr/libexec/devkit-disks-daemon
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux devicekit_disk policy is very flexible allowing users to setup their devicekit_disk processes in as secure a method as possible.
-+.PP
-+The following process types are defined for devicekit_disk:
-+
-+.EX
-+.B devicekit_disk_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux devicekit_disk policy is very flexible allowing users to setup their devicekit_disk processes in as secure a method as possible.
-+.PP
-+The following file types are defined for devicekit_disk:
-+
-+
-+.EX
-+.PP
-+.B devicekit_disk_exec_t
-+.EE
-+
-+- Set files with the devicekit_disk_exec_t type, if you want to transition an executable to the devicekit_disk_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type devicekit_disk_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B device_t
-+
-+ /dev/.*
-+.br
-+ /lib/udev/devices(/.*)?
-+.br
-+ /usr/lib/udev/devices(/.*)?
-+.br
-+ /dev
-+.br
-+ /etc/udev/devices
-+.br
-+ /var/named/chroot/dev
-+.br
-+ /var/spool/postfix/dev
-+.br
-+
-+.br
-+.B devicekit_tmp_t
-+
-+
-+.br
-+.B devicekit_var_lib_t
-+
-+ /var/lib/udisks.*
-+.br
-+ /var/lib/upower(/.*)?
-+.br
-+ /var/lib/DeviceKit-.*
-+.br
-+
-+.br
-+.B devicekit_var_run_t
-+
-+ /var/run/udisks.*
-+.br
-+ /var/run/devkit(/.*)?
-+.br
-+ /var/run/upower(/.*)?
-+.br
-+ /var/run/pm-utils(/.*)?
-+.br
-+ /var/run/DeviceKit-disks(/.*)?
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B virt_image_type
-+
-+ all virtual image files
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_disk_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the devicekit_disk_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), devicekit_disk(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, devicekit_selinux(8), devicekit_selinux(8), devicekit_power_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/devicekit_power_selinux.8 b/man/man8/devicekit_power_selinux.8
-new file mode 100644
-index 0000000..ef9c4c3
---- /dev/null
-+++ b/man/man8/devicekit_power_selinux.8
-@@ -0,0 +1,193 @@
-+.TH "devicekit_power_selinux" "8" "12-11-01" "devicekit_power" "SELinux Policy documentation for devicekit_power"
-+.SH "NAME"
-+devicekit_power_selinux \- Security Enhanced Linux Policy for the devicekit_power processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the devicekit_power processes via flexible mandatory access control.
-+
-+The devicekit_power processes execute with the devicekit_power_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep devicekit_power_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The devicekit_power_t SELinux type can be entered via the "devicekit_power_exec_t" file type. The default entrypoint paths for the devicekit_power_t domain are the following:"
-+
-+/usr/libexec/upowerd, /usr/libexec/devkit-power-daemon
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux devicekit_power policy is very flexible allowing users to setup their devicekit_power processes in as secure a method as possible.
-+.PP
-+The following process types are defined for devicekit_power:
-+
-+.EX
-+.B devicekit_power_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux devicekit_power policy is very flexible allowing users to setup their devicekit_power processes in as secure a method as possible.
-+.PP
-+The following file types are defined for devicekit_power:
-+
-+
-+.EX
-+.PP
-+.B devicekit_power_exec_t
-+.EE
-+
-+- Set files with the devicekit_power_exec_t type, if you want to transition an executable to the devicekit_power_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type devicekit_power_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B config_home_t
-+
-+ /root/\.kde(/.*)?
-+.br
-+ /root/\.xine(/.*)?
-+.br
-+ /root/\.config(/.*)?
-+.br
-+ /var/run/user/[^/]*/dconf(/.*)?
-+.br
-+ /root/\.Xdefaults
-+.br
-+ /home/[^/]*/\.kde(/.*)?
-+.br
-+ /home/[^/]*/\.xine(/.*)?
-+.br
-+ /home/[^/]*/\.config(/.*)?
-+.br
-+ /home/[^/]*/\.Xdefaults
-+.br
-+ /home/dwalsh/\.kde(/.*)?
-+.br
-+ /home/dwalsh/\.xine(/.*)?
-+.br
-+ /home/dwalsh/\.config(/.*)?
-+.br
-+ /home/dwalsh/\.Xdefaults
-+.br
-+ /var/lib/xguest/home/xguest/\.kde(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.xine(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.config(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.Xdefaults
-+.br
-+
-+.br
-+.B devicekit_tmp_t
-+
-+
-+.br
-+.B devicekit_var_lib_t
-+
-+ /var/lib/udisks.*
-+.br
-+ /var/lib/upower(/.*)?
-+.br
-+ /var/lib/DeviceKit-.*
-+.br
-+
-+.br
-+.B devicekit_var_log_t
-+
-+ /var/log/pm-suspend\.log.*
-+.br
-+ /var/log/pm-powersave\.log.*
-+.br
-+
-+.br
-+.B devicekit_var_run_t
-+
-+ /var/run/udisks.*
-+.br
-+ /var/run/devkit(/.*)?
-+.br
-+ /var/run/upower(/.*)?
-+.br
-+ /var/run/pm-utils(/.*)?
-+.br
-+ /var/run/DeviceKit-disks(/.*)?
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_power_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the devicekit_power_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), devicekit_power(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, devicekit_selinux(8), devicekit_selinux(8), devicekit_disk_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/devicekit_selinux.8 b/man/man8/devicekit_selinux.8
-new file mode 100644
-index 0000000..94f8331
---- /dev/null
-+++ b/man/man8/devicekit_selinux.8
-@@ -0,0 +1,167 @@
-+.TH "devicekit_selinux" "8" "12-11-01" "devicekit" "SELinux Policy documentation for devicekit"
-+.SH "NAME"
-+devicekit_selinux \- Security Enhanced Linux Policy for the devicekit processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the devicekit processes via flexible mandatory access control.
-+
-+The devicekit processes execute with the devicekit_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep devicekit_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The devicekit_t SELinux type can be entered via the "devicekit_exec_t" file type. The default entrypoint paths for the devicekit_t domain are the following:"
-+
-+/usr/libexec/devkit-daemon
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux devicekit policy is very flexible allowing users to setup their devicekit processes in as secure a method as possible.
-+.PP
-+The following process types are defined for devicekit:
-+
-+.EX
-+.B devicekit_power_t, devicekit_disk_t, devicekit_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux devicekit policy is very flexible allowing users to setup their devicekit processes in as secure a method as possible.
-+.PP
-+The following file types are defined for devicekit:
-+
-+
-+.EX
-+.PP
-+.B devicekit_disk_exec_t
-+.EE
-+
-+- Set files with the devicekit_disk_exec_t type, if you want to transition an executable to the devicekit_disk_t domain.
-+
-+
-+.EX
-+.PP
-+.B devicekit_exec_t
-+.EE
-+
-+- Set files with the devicekit_exec_t type, if you want to transition an executable to the devicekit_t domain.
-+
-+
-+.EX
-+.PP
-+.B devicekit_power_exec_t
-+.EE
-+
-+- Set files with the devicekit_power_exec_t type, if you want to transition an executable to the devicekit_power_t domain.
-+
-+
-+.EX
-+.PP
-+.B devicekit_tmp_t
-+.EE
-+
-+- Set files with the devicekit_tmp_t type, if you want to store devicekit temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B devicekit_var_lib_t
-+.EE
-+
-+- Set files with the devicekit_var_lib_t type, if you want to store the devicekit files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B devicekit_var_log_t
-+.EE
-+
-+- Set files with the devicekit_var_log_t type, if you want to treat the data as devicekit var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B devicekit_var_run_t
-+.EE
-+
-+- Set files with the devicekit_var_run_t type, if you want to store the devicekit files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type devicekit_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B devicekit_var_run_t
-+
-+ /var/run/udisks.*
-+.br
-+ /var/run/devkit(/.*)?
-+.br
-+ /var/run/upower(/.*)?
-+.br
-+ /var/run/pm-utils(/.*)?
-+.br
-+ /var/run/DeviceKit-disks(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_disk_t, devicekit_power_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the devicekit_disk_t, devicekit_power_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), devicekit(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, devicekit_disk_selinux(8), devicekit_power_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/dhcpc_selinux.8 b/man/man8/dhcpc_selinux.8
-new file mode 100644
-index 0000000..b0c446f
---- /dev/null
-+++ b/man/man8/dhcpc_selinux.8
-@@ -0,0 +1,256 @@
-+.TH "dhcpc_selinux" "8" "12-11-01" "dhcpc" "SELinux Policy documentation for dhcpc"
-+.SH "NAME"
-+dhcpc_selinux \- Security Enhanced Linux Policy for the dhcpc processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dhcpc processes via flexible mandatory access control.
-+
-+The dhcpc processes execute with the dhcpc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dhcpc_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dhcpc_t SELinux type can be entered via the "dhcpc_exec_t" file type. The default entrypoint paths for the dhcpc_t domain are the following:"
-+
-+/sbin/dhclient.*, /usr/sbin/dhclient.*, /sbin/pump, /sbin/dhcdbd, /sbin/dhcpcd, /usr/sbin/pump, /usr/sbin/dhcdbd, /usr/sbin/dhcpcd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dhcpc policy is very flexible allowing users to setup their dhcpc processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dhcpc:
-+
-+.EX
-+.B dhcpc_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. dhcpc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpc with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
-+
-+.EX
-+.B setsebool -P dhcpc_exec_iptables 1
-+.EE
-+
-+.PP
-+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
-+
-+.EX
-+.B setsebool -P dhcpc_exec_iptables 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dhcpc policy is very flexible allowing users to setup their dhcpc processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dhcpc:
-+
-+
-+.EX
-+.PP
-+.B dhcpc_exec_t
-+.EE
-+
-+- Set files with the dhcpc_exec_t type, if you want to transition an executable to the dhcpc_t domain.
-+
-+
-+.EX
-+.PP
-+.B dhcpc_helper_exec_t
-+.EE
-+
-+- Set files with the dhcpc_helper_exec_t type, if you want to transition an executable to the dhcpc_helper_t domain.
-+
-+
-+.EX
-+.PP
-+.B dhcpc_state_t
-+.EE
-+
-+- Set files with the dhcpc_state_t type, if you want to treat the files as dhcpc state data.
-+
-+
-+.EX
-+.PP
-+.B dhcpc_tmp_t
-+.EE
-+
-+- Set files with the dhcpc_tmp_t type, if you want to store dhcpc temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B dhcpc_var_run_t
-+.EE
-+
-+- Set files with the dhcpc_var_run_t type, if you want to store the dhcpc files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux dhcpc policy is very flexible allowing users to setup their dhcpc processes in as secure a method as possible.
-+.PP
-+The following port types are defined for dhcpc:
-+
-+.EX
-+.TP 5
-+.B dhcpc_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 68,546
-+.EE
-+udp 68,546
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dhcpc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dhcpc_state_t
-+
-+ /var/lib/dhcp3?/dhclient.*
-+.br
-+ /var/lib/dhcpcd(/.*)?
-+.br
-+ /var/lib/dhclient(/.*)?
-+.br
-+ /var/lib/wifiroamd(/.*)?
-+.br
-+
-+.br
-+.B dhcpc_tmp_t
-+
-+
-+.br
-+.B dhcpc_var_run_t
-+
-+ /var/run/dhcpcd(/.*)?
-+.br
-+ /var/run/dhclient.*
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dhcpc_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dhcpc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/dhcpd_selinux.8 b/man/man8/dhcpd_selinux.8
-new file mode 100644
-index 0000000..73cc04d
---- /dev/null
-+++ b/man/man8/dhcpd_selinux.8
-@@ -0,0 +1,239 @@
-+.TH "dhcpd_selinux" "8" "12-11-01" "dhcpd" "SELinux Policy documentation for dhcpd"
-+.SH "NAME"
-+dhcpd_selinux \- Security Enhanced Linux Policy for the dhcpd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dhcpd processes via flexible mandatory access control.
-+
-+The dhcpd processes execute with the dhcpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dhcpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dhcpd_t SELinux type can be entered via the "dhcpd_exec_t" file type. The default entrypoint paths for the dhcpd_t domain are the following:"
-+
-+/usr/sbin/dhcpd.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dhcpd:
-+
-+.EX
-+.B dhcpc_t, dhcpd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. dhcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow DHCP daemon to use LDAP backends, you must turn on the dhcpd_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P dhcpd_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
-+
-+.EX
-+.B setsebool -P dhcpc_exec_iptables 1
-+.EE
-+
-+.PP
-+If you want to allow DHCP daemon to use LDAP backends, you must turn on the dhcpd_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P dhcpd_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
-+
-+.EX
-+.B setsebool -P dhcpc_exec_iptables 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dhcpd:
-+
-+
-+.EX
-+.PP
-+.B dhcpd_exec_t
-+.EE
-+
-+- Set files with the dhcpd_exec_t type, if you want to transition an executable to the dhcpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B dhcpd_initrc_exec_t
-+.EE
-+
-+- Set files with the dhcpd_initrc_exec_t type, if you want to transition an executable to the dhcpd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B dhcpd_state_t
-+.EE
-+
-+- Set files with the dhcpd_state_t type, if you want to treat the files as dhcpd state data.
-+
-+
-+.EX
-+.PP
-+.B dhcpd_tmp_t
-+.EE
-+
-+- Set files with the dhcpd_tmp_t type, if you want to store dhcpd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B dhcpd_unit_file_t
-+.EE
-+
-+- Set files with the dhcpd_unit_file_t type, if you want to treat the files as dhcpd unit content.
-+
-+
-+.EX
-+.PP
-+.B dhcpd_var_run_t
-+.EE
-+
-+- Set files with the dhcpd_var_run_t type, if you want to store the dhcpd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for dhcpd:
-+
-+.EX
-+.TP 5
-+.B dhcpc_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 68,546
-+.EE
-+udp 68,546
-+.EE
-+
-+.EX
-+.TP 5
-+.B dhcpd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 547,548,647,847,7911
-+.EE
-+udp 67,547,548,647,847
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dhcpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dhcpd_state_t
-+
-+ /var/lib/dhcp(3)?/dhcpd\.leases.*
-+.br
-+ /var/lib/dhcpd(/.*)?
-+.br
-+
-+.br
-+.B dhcpd_tmp_t
-+
-+
-+.br
-+.B dhcpd_var_run_t
-+
-+ /var/run/dhcpd(6)?\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dhcpd_t, dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dhcpd_t, dhcpc_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dhcpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), dhcpc_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/dictd_selinux.8 b/man/man8/dictd_selinux.8
-new file mode 100644
-index 0000000..cb1309a
---- /dev/null
-+++ b/man/man8/dictd_selinux.8
-@@ -0,0 +1,168 @@
-+.TH "dictd_selinux" "8" "12-11-01" "dictd" "SELinux Policy documentation for dictd"
-+.SH "NAME"
-+dictd_selinux \- Security Enhanced Linux Policy for the dictd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dictd processes via flexible mandatory access control.
-+
-+The dictd processes execute with the dictd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dictd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dictd_t SELinux type can be entered via the "dictd_exec_t" file type. The default entrypoint paths for the dictd_t domain are the following:"
-+
-+/usr/sbin/dictd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dictd policy is very flexible allowing users to setup their dictd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dictd:
-+
-+.EX
-+.B dictd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dictd policy is very flexible allowing users to setup their dictd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dictd:
-+
-+
-+.EX
-+.PP
-+.B dictd_etc_t
-+.EE
-+
-+- Set files with the dictd_etc_t type, if you want to store dictd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B dictd_exec_t
-+.EE
-+
-+- Set files with the dictd_exec_t type, if you want to transition an executable to the dictd_t domain.
-+
-+
-+.EX
-+.PP
-+.B dictd_initrc_exec_t
-+.EE
-+
-+- Set files with the dictd_initrc_exec_t type, if you want to transition an executable to the dictd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B dictd_var_lib_t
-+.EE
-+
-+- Set files with the dictd_var_lib_t type, if you want to store the dictd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B dictd_var_run_t
-+.EE
-+
-+- Set files with the dictd_var_run_t type, if you want to store the dictd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux dictd policy is very flexible allowing users to setup their dictd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for dictd:
-+
-+.EX
-+.TP 5
-+.B dict_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 2628
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dictd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dictd_var_run_t
-+
-+ /var/run/dictd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dictd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dictd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dictd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/dirsrv_selinux.8 b/man/man8/dirsrv_selinux.8
-new file mode 100644
-index 0000000..301dd74
---- /dev/null
-+++ b/man/man8/dirsrv_selinux.8
-@@ -0,0 +1,333 @@
-+.TH "dirsrv_selinux" "8" "12-11-01" "dirsrv" "SELinux Policy documentation for dirsrv"
-+.SH "NAME"
-+dirsrv_selinux \- Security Enhanced Linux Policy for the dirsrv processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dirsrv processes via flexible mandatory access control.
-+
-+The dirsrv processes execute with the dirsrv_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dirsrv_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dirsrv_t SELinux type can be entered via the "dirsrv_exec_t" file type. The default entrypoint paths for the dirsrv_t domain are the following:"
-+
-+/usr/sbin/ns-slapd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dirsrv policy is very flexible allowing users to setup their dirsrv processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dirsrv:
-+
-+.EX
-+.B dirsrvadmin_unconfined_script_t, dirsrv_snmp_t, dirsrvadmin_t, dirsrv_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dirsrv policy is very flexible allowing users to setup their dirsrv processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dirsrv:
-+
-+
-+.EX
-+.PP
-+.B dirsrv_config_t
-+.EE
-+
-+- Set files with the dirsrv_config_t type, if you want to treat the files as dirsrv configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B dirsrv_exec_t
-+.EE
-+
-+- Set files with the dirsrv_exec_t type, if you want to transition an executable to the dirsrv_t domain.
-+
-+
-+.EX
-+.PP
-+.B dirsrv_share_t
-+.EE
-+
-+- Set files with the dirsrv_share_t type, if you want to treat the files as dirsrv share data.
-+
-+
-+.EX
-+.PP
-+.B dirsrv_snmp_exec_t
-+.EE
-+
-+- Set files with the dirsrv_snmp_exec_t type, if you want to transition an executable to the dirsrv_snmp_t domain.
-+
-+
-+.EX
-+.PP
-+.B dirsrv_snmp_var_log_t
-+.EE
-+
-+- Set files with the dirsrv_snmp_var_log_t type, if you want to treat the data as dirsrv snmp var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B dirsrv_snmp_var_run_t
-+.EE
-+
-+- Set files with the dirsrv_snmp_var_run_t type, if you want to store the dirsrv snmp files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B dirsrv_tmp_t
-+.EE
-+
-+- Set files with the dirsrv_tmp_t type, if you want to store dirsrv temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B dirsrv_tmpfs_t
-+.EE
-+
-+- Set files with the dirsrv_tmpfs_t type, if you want to store dirsrv files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B dirsrv_var_lib_t
-+.EE
-+
-+- Set files with the dirsrv_var_lib_t type, if you want to store the dirsrv files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B dirsrv_var_lock_t
-+.EE
-+
-+- Set files with the dirsrv_var_lock_t type, if you want to treat the files as dirsrv var lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B dirsrv_var_log_t
-+.EE
-+
-+- Set files with the dirsrv_var_log_t type, if you want to treat the data as dirsrv var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B dirsrv_var_run_t
-+.EE
-+
-+- Set files with the dirsrv_var_run_t type, if you want to store the dirsrv files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B dirsrvadmin_config_t
-+.EE
-+
-+- Set files with the dirsrvadmin_config_t type, if you want to treat the files as dirsrvadmin configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B dirsrvadmin_exec_t
-+.EE
-+
-+- Set files with the dirsrvadmin_exec_t type, if you want to transition an executable to the dirsrvadmin_t domain.
-+
-+
-+.EX
-+.PP
-+.B dirsrvadmin_lock_t
-+.EE
-+
-+- Set files with the dirsrvadmin_lock_t type, if you want to treat the files as dirsrvadmin lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B dirsrvadmin_tmp_t
-+.EE
-+
-+- Set files with the dirsrvadmin_tmp_t type, if you want to store dirsrvadmin temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B dirsrvadmin_unconfined_script_exec_t
-+.EE
-+
-+- Set files with the dirsrvadmin_unconfined_script_exec_t type, if you want to transition an executable to the dirsrvadmin_unconfined_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dirsrv_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dirsrv_config_t
-+
-+ /etc/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrv_tmp_t
-+
-+
-+.br
-+.B dirsrv_tmpfs_t
-+
-+
-+.br
-+.B dirsrv_var_lib_t
-+
-+ /var/lib/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrv_var_lock_t
-+
-+ /var/lock/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrv_var_log_t
-+
-+ /var/log/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrv_var_run_t
-+
-+ /var/run/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dirsrv_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dirsrv_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dirsrv(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, dirsrv_snmp_selinux(8), dirsrvadmin_selinux(8), dirsrvadmin_unconfined_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/dirsrv_snmp_selinux.8 b/man/man8/dirsrv_snmp_selinux.8
-new file mode 100644
-index 0000000..658d718
---- /dev/null
-+++ b/man/man8/dirsrv_snmp_selinux.8
-@@ -0,0 +1,137 @@
-+.TH "dirsrv_snmp_selinux" "8" "12-11-01" "dirsrv_snmp" "SELinux Policy documentation for dirsrv_snmp"
-+.SH "NAME"
-+dirsrv_snmp_selinux \- Security Enhanced Linux Policy for the dirsrv_snmp processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dirsrv_snmp processes via flexible mandatory access control.
-+
-+The dirsrv_snmp processes execute with the dirsrv_snmp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dirsrv_snmp_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dirsrv_snmp_t SELinux type can be entered via the "dirsrv_snmp_exec_t" file type. The default entrypoint paths for the dirsrv_snmp_t domain are the following:"
-+
-+/usr/sbin/ldap-agent-bin
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dirsrv_snmp policy is very flexible allowing users to setup their dirsrv_snmp processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dirsrv_snmp:
-+
-+.EX
-+.B dirsrv_snmp_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dirsrv_snmp policy is very flexible allowing users to setup their dirsrv_snmp processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dirsrv_snmp:
-+
-+
-+.EX
-+.PP
-+.B dirsrv_snmp_exec_t
-+.EE
-+
-+- Set files with the dirsrv_snmp_exec_t type, if you want to transition an executable to the dirsrv_snmp_t domain.
-+
-+
-+.EX
-+.PP
-+.B dirsrv_snmp_var_log_t
-+.EE
-+
-+- Set files with the dirsrv_snmp_var_log_t type, if you want to treat the data as dirsrv snmp var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B dirsrv_snmp_var_run_t
-+.EE
-+
-+- Set files with the dirsrv_snmp_var_run_t type, if you want to store the dirsrv snmp files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dirsrv_snmp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dirsrv_snmp_var_log_t
-+
-+ /var/log/dirsrv/ldap-agent.log.*
-+.br
-+
-+.br
-+.B dirsrv_snmp_var_run_t
-+
-+ /var/run/ldap-agent\.pid
-+.br
-+
-+.br
-+.B dirsrv_tmpfs_t
-+
-+
-+.br
-+.B snmpd_var_lib_t
-+
-+ /var/agentx(/.*)?
-+.br
-+ /var/lib/snmp(/.*)?
-+.br
-+ /var/net-snmp(/.*)?
-+.br
-+ /var/lib/net-snmp(/.*)?
-+.br
-+ /usr/share/snmp/mibs/\.index
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dirsrv_snmp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, dirsrv_selinux(8), dirsrv_selinux(8), dirsrvadmin_selinux(8), dirsrvadmin_unconfined_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/dirsrvadmin_selinux.8 b/man/man8/dirsrvadmin_selinux.8
-new file mode 100644
-index 0000000..02df63f
---- /dev/null
-+++ b/man/man8/dirsrvadmin_selinux.8
-@@ -0,0 +1,127 @@
-+.TH "dirsrvadmin_selinux" "8" "12-11-01" "dirsrvadmin" "SELinux Policy documentation for dirsrvadmin"
-+.SH "NAME"
-+dirsrvadmin_selinux \- Security Enhanced Linux Policy for the dirsrvadmin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dirsrvadmin processes via flexible mandatory access control.
-+
-+The dirsrvadmin processes execute with the dirsrvadmin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dirsrvadmin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dirsrvadmin_t SELinux type can be entered via the "shell_exec_t,dirsrvadmin_exec_t" file types. The default entrypoint paths for the dirsrvadmin_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/sbin/stop-ds-admin, /usr/sbin/start-ds-admin, /usr/sbin/restart-ds-admin
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dirsrvadmin policy is very flexible allowing users to setup their dirsrvadmin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dirsrvadmin:
-+
-+.EX
-+.B dirsrvadmin_unconfined_script_t, dirsrvadmin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dirsrvadmin policy is very flexible allowing users to setup their dirsrvadmin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dirsrvadmin:
-+
-+
-+.EX
-+.PP
-+.B dirsrvadmin_config_t
-+.EE
-+
-+- Set files with the dirsrvadmin_config_t type, if you want to treat the files as dirsrvadmin configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B dirsrvadmin_exec_t
-+.EE
-+
-+- Set files with the dirsrvadmin_exec_t type, if you want to transition an executable to the dirsrvadmin_t domain.
-+
-+
-+.EX
-+.PP
-+.B dirsrvadmin_lock_t
-+.EE
-+
-+- Set files with the dirsrvadmin_lock_t type, if you want to treat the files as dirsrvadmin lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B dirsrvadmin_tmp_t
-+.EE
-+
-+- Set files with the dirsrvadmin_tmp_t type, if you want to store dirsrvadmin temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B dirsrvadmin_unconfined_script_exec_t
-+.EE
-+
-+- Set files with the dirsrvadmin_unconfined_script_exec_t type, if you want to transition an executable to the dirsrvadmin_unconfined_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dirsrvadmin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dirsrvadmin_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dirsrvadmin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, dirsrv_selinux(8), dirsrvadmin_unconfined_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/dirsrvadmin_unconfined_script_selinux.8 b/man/man8/dirsrvadmin_unconfined_script_selinux.8
-new file mode 100644
-index 0000000..bd60dd5
---- /dev/null
-+++ b/man/man8/dirsrvadmin_unconfined_script_selinux.8
-@@ -0,0 +1,127 @@
-+.TH "dirsrvadmin_unconfined_script_selinux" "8" "12-11-01" "dirsrvadmin_unconfined_script" "SELinux Policy documentation for dirsrvadmin_unconfined_script"
-+.SH "NAME"
-+dirsrvadmin_unconfined_script_selinux \- Security Enhanced Linux Policy for the dirsrvadmin_unconfined_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dirsrvadmin_unconfined_script processes via flexible mandatory access control.
-+
-+The dirsrvadmin_unconfined_script processes execute with the dirsrvadmin_unconfined_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dirsrvadmin_unconfined_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dirsrvadmin_unconfined_script_t SELinux type can be entered via the "dirsrvadmin_unconfined_script_exec_t,shell_exec_t" file types. The default entrypoint paths for the dirsrvadmin_unconfined_script_t domain are the following:"
-+
-+/usr/lib/dirsrv/cgi-bin/ds_create, /usr/lib/dirsrv/cgi-bin/ds_remove, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dirsrvadmin_unconfined_script policy is very flexible allowing users to setup their dirsrvadmin_unconfined_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dirsrvadmin_unconfined_script:
-+
-+.EX
-+.B dirsrvadmin_unconfined_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dirsrvadmin_unconfined_script policy is very flexible allowing users to setup their dirsrvadmin_unconfined_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dirsrvadmin_unconfined_script:
-+
-+
-+.EX
-+.PP
-+.B dirsrvadmin_unconfined_script_exec_t
-+.EE
-+
-+- Set files with the dirsrvadmin_unconfined_script_exec_t type, if you want to transition an executable to the dirsrvadmin_unconfined_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dirsrvadmin_unconfined_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dirsrv_config_t
-+
-+ /etc/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrv_var_lib_t
-+
-+ /var/lib/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrv_var_log_t
-+
-+ /var/log/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrv_var_run_t
-+
-+ /var/run/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrvadmin_config_t
-+
-+ /etc/dirsrv/dsgw(/.*)?
-+.br
-+ /etc/dirsrv/admin-serv(/.*)?
-+.br
-+
-+.br
-+.B dirsrvadmin_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dirsrvadmin_unconfined_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, dirsrv_selinux(8), dirsrvadmin_selinux(8), dirsrvadmin_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/disk_munin_plugin_selinux.8 b/man/man8/disk_munin_plugin_selinux.8
-new file mode 100644
-index 0000000..1679709
---- /dev/null
-+++ b/man/man8/disk_munin_plugin_selinux.8
-@@ -0,0 +1,114 @@
-+.TH "disk_munin_plugin_selinux" "8" "12-11-01" "disk_munin_plugin" "SELinux Policy documentation for disk_munin_plugin"
-+.SH "NAME"
-+disk_munin_plugin_selinux \- Security Enhanced Linux Policy for the disk_munin_plugin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the disk_munin_plugin processes via flexible mandatory access control.
-+
-+The disk_munin_plugin processes execute with the disk_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep disk_munin_plugin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The disk_munin_plugin_t SELinux type can be entered via the "disk_munin_plugin_exec_t" file type. The default entrypoint paths for the disk_munin_plugin_t domain are the following:"
-+
-+/usr/share/munin/plugins/df.*, /usr/share/munin/plugins/smart_.*, /usr/share/munin/plugins/hddtemp.*, /usr/share/munin/plugins/diskstat.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux disk_munin_plugin policy is very flexible allowing users to setup their disk_munin_plugin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for disk_munin_plugin:
-+
-+.EX
-+.B disk_munin_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux disk_munin_plugin policy is very flexible allowing users to setup their disk_munin_plugin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for disk_munin_plugin:
-+
-+
-+.EX
-+.PP
-+.B disk_munin_plugin_exec_t
-+.EE
-+
-+- Set files with the disk_munin_plugin_exec_t type, if you want to transition an executable to the disk_munin_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B disk_munin_plugin_tmp_t
-+.EE
-+
-+- Set files with the disk_munin_plugin_tmp_t type, if you want to store disk munin plugin temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type disk_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B disk_munin_plugin_tmp_t
-+
-+
-+.br
-+.B munin_plugin_state_t
-+
-+ /var/lib/munin/plugin-state(/.*)?
-+.br
-+
-+.br
-+.B munin_var_lib_t
-+
-+ /var/lib/munin(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), disk_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/dkim_milter_selinux.8 b/man/man8/dkim_milter_selinux.8
-new file mode 100644
-index 0000000..813e538
---- /dev/null
-+++ b/man/man8/dkim_milter_selinux.8
-@@ -0,0 +1,132 @@
-+.TH "dkim_milter_selinux" "8" "12-11-01" "dkim_milter" "SELinux Policy documentation for dkim_milter"
-+.SH "NAME"
-+dkim_milter_selinux \- Security Enhanced Linux Policy for the dkim_milter processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dkim_milter processes via flexible mandatory access control.
-+
-+The dkim_milter processes execute with the dkim_milter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dkim_milter_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dkim_milter_t SELinux type can be entered via the "dkim_milter_exec_t" file type. The default entrypoint paths for the dkim_milter_t domain are the following:"
-+
-+/usr/sbin/opendkim, /usr/sbin/dkim-filter
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dkim_milter policy is very flexible allowing users to setup their dkim_milter processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dkim_milter:
-+
-+.EX
-+.B dkim_milter_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dkim_milter policy is very flexible allowing users to setup their dkim_milter processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dkim_milter:
-+
-+
-+.EX
-+.PP
-+.B dkim_milter_data_t
-+.EE
-+
-+- Set files with the dkim_milter_data_t type, if you want to treat the files as dkim milter content.
-+
-+
-+.EX
-+.PP
-+.B dkim_milter_exec_t
-+.EE
-+
-+- Set files with the dkim_milter_exec_t type, if you want to transition an executable to the dkim_milter_t domain.
-+
-+
-+.EX
-+.PP
-+.B dkim_milter_private_key_t
-+.EE
-+
-+- Set files with the dkim_milter_private_key_t type, if you want to treat the files as dkim milter private key data.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dkim_milter_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dkim_milter_data_t
-+
-+ /var/run/opendkim(/.*)?
-+.br
-+ /var/spool/opendkim(/.*)?
-+.br
-+ /var/lib/dkim-milter(/.*)?
-+.br
-+ /var/run/dkim-milter(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dkim_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dkim_milter_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dkim_milter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/dlm_controld_selinux.8 b/man/man8/dlm_controld_selinux.8
-new file mode 100644
-index 0000000..25e4869
---- /dev/null
-+++ b/man/man8/dlm_controld_selinux.8
-@@ -0,0 +1,168 @@
-+.TH "dlm_controld_selinux" "8" "12-11-01" "dlm_controld" "SELinux Policy documentation for dlm_controld"
-+.SH "NAME"
-+dlm_controld_selinux \- Security Enhanced Linux Policy for the dlm_controld processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dlm_controld processes via flexible mandatory access control.
-+
-+The dlm_controld processes execute with the dlm_controld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dlm_controld_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dlm_controld_t SELinux type can be entered via the "dlm_controld_exec_t" file type. The default entrypoint paths for the dlm_controld_t domain are the following:"
-+
-+/usr/sbin/dlm_controld
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dlm_controld policy is very flexible allowing users to setup their dlm_controld processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dlm_controld:
-+
-+.EX
-+.B dlm_controld_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dlm_controld policy is very flexible allowing users to setup their dlm_controld processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dlm_controld:
-+
-+
-+.EX
-+.PP
-+.B dlm_controld_exec_t
-+.EE
-+
-+- Set files with the dlm_controld_exec_t type, if you want to transition an executable to the dlm_controld_t domain.
-+
-+
-+.EX
-+.PP
-+.B dlm_controld_tmpfs_t
-+.EE
-+
-+- Set files with the dlm_controld_tmpfs_t type, if you want to store dlm controld files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B dlm_controld_var_log_t
-+.EE
-+
-+- Set files with the dlm_controld_var_log_t type, if you want to treat the data as dlm controld var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B dlm_controld_var_run_t
-+.EE
-+
-+- Set files with the dlm_controld_var_run_t type, if you want to store the dlm controld files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dlm_controld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cluster_var_lib_t
-+
-+ /var/lib/cluster(/.*)?
-+.br
-+
-+.br
-+.B configfs_t
-+
-+
-+.br
-+.B corosync_tmpfs_t
-+
-+
-+.br
-+.B dlm_controld_tmpfs_t
-+
-+
-+.br
-+.B dlm_controld_var_log_t
-+
-+ /var/log/cluster/dlm_controld\.log.*
-+.br
-+
-+.br
-+.B dlm_controld_var_run_t
-+
-+ /var/run/dlm_controld\.pid
-+.br
-+
-+.br
-+.B initrc_tmp_t
-+
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dlm_controld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dlm_controld_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dlm_controld(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/dmesg_selinux.8 b/man/man8/dmesg_selinux.8
-new file mode 100644
-index 0000000..c7d7b6d
---- /dev/null
-+++ b/man/man8/dmesg_selinux.8
-@@ -0,0 +1,136 @@
-+.TH "dmesg_selinux" "8" "12-11-01" "dmesg" "SELinux Policy documentation for dmesg"
-+.SH "NAME"
-+dmesg_selinux \- Security Enhanced Linux Policy for the dmesg processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dmesg processes via flexible mandatory access control.
-+
-+The dmesg processes execute with the dmesg_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dmesg_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dmesg_t SELinux type can be entered via the "dmesg_exec_t" file type. The default entrypoint paths for the dmesg_t domain are the following:"
-+
-+/bin/dmesg, /usr/bin/dmesg
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dmesg policy is very flexible allowing users to setup their dmesg processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dmesg:
-+
-+.EX
-+.B dmesg_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dmesg policy is very flexible allowing users to setup their dmesg processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dmesg:
-+
-+
-+.EX
-+.PP
-+.B dmesg_exec_t
-+.EE
-+
-+- Set files with the dmesg_exec_t type, if you want to transition an executable to the dmesg_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dmesg_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B var_log_t
-+
-+ /var/log/.*
-+.br
-+ /nsr/logs(/.*)?
-+.br
-+ /var/webmin(/.*)?
-+.br
-+ /var/log/cron[^/]*
-+.br
-+ /var/log/secure[^/]*
-+.br
-+ /opt/zimbra/log(/.*)?
-+.br
-+ /var/log/maillog[^/]*
-+.br
-+ /var/log/spooler[^/]*
-+.br
-+ /var/log/messages[^/]*
-+.br
-+ /usr/centreon/log(/.*)?
-+.br
-+ /var/spool/rsyslog(/.*)?
-+.br
-+ /var/axfrdns/log/main(/.*)?
-+.br
-+ /var/spool/bacula/log(/.*)?
-+.br
-+ /var/tinydns/log/main(/.*)?
-+.br
-+ /var/dnscache/log/main(/.*)?
-+.br
-+ /var/stockmaniac/templates_cache(/.*)?
-+.br
-+ /opt/Symantec/scspagent/IDS/system(/.*)?
-+.br
-+ /var/log
-+.br
-+ /var/log/dmesg
-+.br
-+ /var/log/syslog
-+.br
-+ /var/named/chroot/var/log
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dmesg(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/dmidecode_selinux.8 b/man/man8/dmidecode_selinux.8
-new file mode 100644
-index 0000000..e29cd1c
---- /dev/null
-+++ b/man/man8/dmidecode_selinux.8
-@@ -0,0 +1,86 @@
-+.TH "dmidecode_selinux" "8" "12-11-01" "dmidecode" "SELinux Policy documentation for dmidecode"
-+.SH "NAME"
-+dmidecode_selinux \- Security Enhanced Linux Policy for the dmidecode processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dmidecode processes via flexible mandatory access control.
-+
-+The dmidecode processes execute with the dmidecode_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dmidecode_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dmidecode_t SELinux type can be entered via the "dmidecode_exec_t" file type. The default entrypoint paths for the dmidecode_t domain are the following:"
-+
-+/usr/sbin/dmidecode, /usr/sbin/ownership, /usr/sbin/vpddecode
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dmidecode policy is very flexible allowing users to setup their dmidecode processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dmidecode:
-+
-+.EX
-+.B dmidecode_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dmidecode policy is very flexible allowing users to setup their dmidecode processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dmidecode:
-+
-+
-+.EX
-+.PP
-+.B dmidecode_exec_t
-+.EE
-+
-+- Set files with the dmidecode_exec_t type, if you want to transition an executable to the dmidecode_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dmidecode(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/dnsmasq_selinux.8 b/man/man8/dnsmasq_selinux.8
-new file mode 100644
-index 0000000..5a65f36
---- /dev/null
-+++ b/man/man8/dnsmasq_selinux.8
-@@ -0,0 +1,200 @@
-+.TH "dnsmasq_selinux" "8" "12-11-01" "dnsmasq" "SELinux Policy documentation for dnsmasq"
-+.SH "NAME"
-+dnsmasq_selinux \- Security Enhanced Linux Policy for the dnsmasq processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dnsmasq processes via flexible mandatory access control.
-+
-+The dnsmasq processes execute with the dnsmasq_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dnsmasq_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dnsmasq_t SELinux type can be entered via the "dnsmasq_exec_t" file type. The default entrypoint paths for the dnsmasq_t domain are the following:"
-+
-+/usr/sbin/dnsmasq
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dnsmasq policy is very flexible allowing users to setup their dnsmasq processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dnsmasq:
-+
-+.EX
-+.B dnsmasq_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dnsmasq policy is very flexible allowing users to setup their dnsmasq processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dnsmasq:
-+
-+
-+.EX
-+.PP
-+.B dnsmasq_etc_t
-+.EE
-+
-+- Set files with the dnsmasq_etc_t type, if you want to store dnsmasq files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B dnsmasq_exec_t
-+.EE
-+
-+- Set files with the dnsmasq_exec_t type, if you want to transition an executable to the dnsmasq_t domain.
-+
-+
-+.EX
-+.PP
-+.B dnsmasq_initrc_exec_t
-+.EE
-+
-+- Set files with the dnsmasq_initrc_exec_t type, if you want to transition an executable to the dnsmasq_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B dnsmasq_lease_t
-+.EE
-+
-+- Set files with the dnsmasq_lease_t type, if you want to treat the files as dnsmasq lease data.
-+
-+
-+.EX
-+.PP
-+.B dnsmasq_unit_file_t
-+.EE
-+
-+- Set files with the dnsmasq_unit_file_t type, if you want to treat the files as dnsmasq unit content.
-+
-+
-+.EX
-+.PP
-+.B dnsmasq_var_log_t
-+.EE
-+
-+- Set files with the dnsmasq_var_log_t type, if you want to treat the data as dnsmasq var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B dnsmasq_var_run_t
-+.EE
-+
-+- Set files with the dnsmasq_var_run_t type, if you want to store the dnsmasq files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dnsmasq_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B crond_var_run_t
-+
-+ /var/run/.*cron.*
-+.br
-+ /var/run/crond?\.pid
-+.br
-+ /var/run/crond?\.reboot
-+.br
-+ /var/run/atd\.pid
-+.br
-+ /var/run/fcron\.pid
-+.br
-+ /var/run/fcron\.fifo
-+.br
-+ /var/run/anacron\.pid
-+.br
-+
-+.br
-+.B dnsmasq_lease_t
-+
-+ /var/lib/dnsmasq(/.*)?
-+.br
-+ /var/lib/misc/dnsmasq\.leases
-+.br
-+
-+.br
-+.B dnsmasq_var_log_t
-+
-+ /var/log/dnsmasq.*
-+.br
-+
-+.br
-+.B dnsmasq_var_run_t
-+
-+ /var/run/libvirt/network(/.*)?
-+.br
-+ /var/run/dnsmasq\.pid
-+.br
-+
-+.br
-+.B virt_var_lib_t
-+
-+ /var/lib/oz(/.*)?
-+.br
-+ /var/lib/libvirt(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dnsmasq_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dnsmasq_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dnsmasq(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/dnssec_trigger_selinux.8 b/man/man8/dnssec_trigger_selinux.8
-new file mode 100644
-index 0000000..d5478bf
---- /dev/null
-+++ b/man/man8/dnssec_trigger_selinux.8
-@@ -0,0 +1,130 @@
-+.TH "dnssec_trigger_selinux" "8" "12-11-01" "dnssec_trigger" "SELinux Policy documentation for dnssec_trigger"
-+.SH "NAME"
-+dnssec_trigger_selinux \- Security Enhanced Linux Policy for the dnssec_trigger processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dnssec_trigger processes via flexible mandatory access control.
-+
-+The dnssec_trigger processes execute with the dnssec_trigger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dnssec_trigger_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dnssec_trigger_t SELinux type can be entered via the "dnssec_trigger_exec_t" file type. The default entrypoint paths for the dnssec_trigger_t domain are the following:"
-+
-+/usr/sbin/dnssec-triggerd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dnssec_trigger policy is very flexible allowing users to setup their dnssec_trigger processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dnssec_trigger:
-+
-+.EX
-+.B dnssec_trigger_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dnssec_trigger policy is very flexible allowing users to setup their dnssec_trigger processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dnssec_trigger:
-+
-+
-+.EX
-+.PP
-+.B dnssec_trigger_exec_t
-+.EE
-+
-+- Set files with the dnssec_trigger_exec_t type, if you want to transition an executable to the dnssec_trigger_t domain.
-+
-+
-+.EX
-+.PP
-+.B dnssec_trigger_var_run_t
-+.EE
-+
-+- Set files with the dnssec_trigger_var_run_t type, if you want to store the dnssec trigger files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dnssec_trigger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dnssec_trigger_var_run_t
-+
-+ /var/run/dnssec.*
-+.br
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dnssec_trigger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/dovecot_auth_selinux.8 b/man/man8/dovecot_auth_selinux.8
-new file mode 100644
-index 0000000..6411b0a
---- /dev/null
-+++ b/man/man8/dovecot_auth_selinux.8
-@@ -0,0 +1,155 @@
-+.TH "dovecot_auth_selinux" "8" "12-11-01" "dovecot_auth" "SELinux Policy documentation for dovecot_auth"
-+.SH "NAME"
-+dovecot_auth_selinux \- Security Enhanced Linux Policy for the dovecot_auth processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dovecot_auth processes via flexible mandatory access control.
-+
-+The dovecot_auth processes execute with the dovecot_auth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dovecot_auth_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dovecot_auth_t SELinux type can be entered via the "dovecot_auth_exec_t" file type. The default entrypoint paths for the dovecot_auth_t domain are the following:"
-+
-+/usr/libexec/dovecot/auth, /usr/libexec/dovecot/dovecot-auth
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dovecot_auth policy is very flexible allowing users to setup their dovecot_auth processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dovecot_auth:
-+
-+.EX
-+.B dovecot_auth_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dovecot_auth policy is very flexible allowing users to setup their dovecot_auth processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dovecot_auth:
-+
-+
-+.EX
-+.PP
-+.B dovecot_auth_exec_t
-+.EE
-+
-+- Set files with the dovecot_auth_exec_t type, if you want to transition an executable to the dovecot_auth_t domain.
-+
-+
-+.EX
-+.PP
-+.B dovecot_auth_tmp_t
-+.EE
-+
-+- Set files with the dovecot_auth_tmp_t type, if you want to store dovecot auth temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dovecot_auth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dovecot_auth_tmp_t
-+
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_auth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dovecot_auth_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dovecot_auth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, dovecot_selinux(8), dovecot_selinux(8), dovecot_deliver_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/dovecot_deliver_selinux.8 b/man/man8/dovecot_deliver_selinux.8
-new file mode 100644
-index 0000000..fa12a80
---- /dev/null
-+++ b/man/man8/dovecot_deliver_selinux.8
-@@ -0,0 +1,157 @@
-+.TH "dovecot_deliver_selinux" "8" "12-11-01" "dovecot_deliver" "SELinux Policy documentation for dovecot_deliver"
-+.SH "NAME"
-+dovecot_deliver_selinux \- Security Enhanced Linux Policy for the dovecot_deliver processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dovecot_deliver processes via flexible mandatory access control.
-+
-+The dovecot_deliver processes execute with the dovecot_deliver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dovecot_deliver_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dovecot_deliver_t SELinux type can be entered via the "dovecot_deliver_exec_t" file type. The default entrypoint paths for the dovecot_deliver_t domain are the following:"
-+
-+/usr/libexec/dovecot/deliver, /usr/libexec/dovecot/dovecot-lda
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dovecot_deliver policy is very flexible allowing users to setup their dovecot_deliver processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dovecot_deliver:
-+
-+.EX
-+.B dovecot_deliver_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dovecot_deliver policy is very flexible allowing users to setup their dovecot_deliver processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dovecot_deliver:
-+
-+
-+.EX
-+.PP
-+.B dovecot_deliver_exec_t
-+.EE
-+
-+- Set files with the dovecot_deliver_exec_t type, if you want to transition an executable to the dovecot_deliver_t domain.
-+
-+
-+.EX
-+.PP
-+.B dovecot_deliver_tmp_t
-+.EE
-+
-+- Set files with the dovecot_deliver_tmp_t type, if you want to store dovecot deliver temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dovecot_deliver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B data_home_t
-+
-+ /root/\.local/share(/.*)?
-+.br
-+ /home/[^/]*/\.local/share(/.*)?
-+.br
-+ /home/dwalsh/\.local/share(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.local/share(/.*)?
-+.br
-+
-+.br
-+.B dovecot_deliver_tmp_t
-+
-+
-+.br
-+.B dovecot_spool_t
-+
-+ /var/spool/dovecot(/.*)?
-+.br
-+
-+.br
-+.B mail_home_rw_t
-+
-+ /root/Maildir(/.*)?
-+.br
-+ /home/[^/]*/Maildir(/.*)?
-+.br
-+ /home/dwalsh/Maildir(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/Maildir(/.*)?
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dovecot_deliver_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dovecot_deliver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, dovecot_selinux(8), dovecot_selinux(8), dovecot_auth_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/dovecot_selinux.8 b/man/man8/dovecot_selinux.8
-new file mode 100644
-index 0000000..d61a836
---- /dev/null
-+++ b/man/man8/dovecot_selinux.8
-@@ -0,0 +1,317 @@
-+.TH "dovecot_selinux" "8" "12-11-01" "dovecot" "SELinux Policy documentation for dovecot"
-+.SH "NAME"
-+dovecot_selinux \- Security Enhanced Linux Policy for the dovecot processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dovecot processes via flexible mandatory access control.
-+
-+The dovecot processes execute with the dovecot_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dovecot_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dovecot_t SELinux type can be entered via the "dovecot_exec_t" file type. The default entrypoint paths for the dovecot_t domain are the following:"
-+
-+/usr/sbin/dovecot
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dovecot policy is very flexible allowing users to setup their dovecot processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dovecot:
-+
-+.EX
-+.B dovecot_deliver_t, dovecot_auth_t, dovecot_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dovecot policy is very flexible allowing users to setup their dovecot processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dovecot:
-+
-+
-+.EX
-+.PP
-+.B dovecot_auth_exec_t
-+.EE
-+
-+- Set files with the dovecot_auth_exec_t type, if you want to transition an executable to the dovecot_auth_t domain.
-+
-+
-+.EX
-+.PP
-+.B dovecot_auth_tmp_t
-+.EE
-+
-+- Set files with the dovecot_auth_tmp_t type, if you want to store dovecot auth temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B dovecot_cert_t
-+.EE
-+
-+- Set files with the dovecot_cert_t type, if you want to treat the files as dovecot certificate data.
-+
-+
-+.EX
-+.PP
-+.B dovecot_deliver_exec_t
-+.EE
-+
-+- Set files with the dovecot_deliver_exec_t type, if you want to transition an executable to the dovecot_deliver_t domain.
-+
-+
-+.EX
-+.PP
-+.B dovecot_deliver_tmp_t
-+.EE
-+
-+- Set files with the dovecot_deliver_tmp_t type, if you want to store dovecot deliver temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B dovecot_etc_t
-+.EE
-+
-+- Set files with the dovecot_etc_t type, if you want to store dovecot files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B dovecot_exec_t
-+.EE
-+
-+- Set files with the dovecot_exec_t type, if you want to transition an executable to the dovecot_t domain.
-+
-+
-+.EX
-+.PP
-+.B dovecot_initrc_exec_t
-+.EE
-+
-+- Set files with the dovecot_initrc_exec_t type, if you want to transition an executable to the dovecot_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B dovecot_passwd_t
-+.EE
-+
-+- Set files with the dovecot_passwd_t type, if you want to treat the files as dovecot passwd data.
-+
-+
-+.EX
-+.PP
-+.B dovecot_spool_t
-+.EE
-+
-+- Set files with the dovecot_spool_t type, if you want to store the dovecot files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B dovecot_t_keytab_t
-+.EE
-+
-+- Set files with the dovecot_t_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B dovecot_tmp_t
-+.EE
-+
-+- Set files with the dovecot_tmp_t type, if you want to store dovecot temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B dovecot_var_lib_t
-+.EE
-+
-+- Set files with the dovecot_var_lib_t type, if you want to store the dovecot files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B dovecot_var_log_t
-+.EE
-+
-+- Set files with the dovecot_var_log_t type, if you want to treat the data as dovecot var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B dovecot_var_run_t
-+.EE
-+
-+- Set files with the dovecot_var_run_t type, if you want to store the dovecot files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dovecot_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B data_home_t
-+
-+ /root/\.local/share(/.*)?
-+.br
-+ /home/[^/]*/\.local/share(/.*)?
-+.br
-+ /home/dwalsh/\.local/share(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.local/share(/.*)?
-+.br
-+
-+.br
-+.B dovecot_spool_t
-+
-+ /var/spool/dovecot(/.*)?
-+.br
-+
-+.br
-+.B dovecot_tmp_t
-+
-+
-+.br
-+.B dovecot_var_lib_t
-+
-+ /var/lib/dovecot(/.*)?
-+.br
-+ /var/run/dovecot/login/ssl-parameters.dat
-+.br
-+
-+.br
-+.B dovecot_var_log_t
-+
-+ /var/log/dovecot(/.*)?
-+.br
-+ /var/log/dovecot\.log.*
-+.br
-+
-+.br
-+.B dovecot_var_run_t
-+
-+ /var/run/dovecot(-login)?(/.*)?
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B mail_home_rw_t
-+
-+ /root/Maildir(/.*)?
-+.br
-+ /home/[^/]*/Maildir(/.*)?
-+.br
-+ /home/dwalsh/Maildir(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/Maildir(/.*)?
-+.br
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dovecot(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, dovecot_auth_selinux(8), dovecot_deliver_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/drbd_selinux.8 b/man/man8/drbd_selinux.8
-new file mode 100644
-index 0000000..0306d2e
---- /dev/null
-+++ b/man/man8/drbd_selinux.8
-@@ -0,0 +1,116 @@
-+.TH "drbd_selinux" "8" "12-11-01" "drbd" "SELinux Policy documentation for drbd"
-+.SH "NAME"
-+drbd_selinux \- Security Enhanced Linux Policy for the drbd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the drbd processes via flexible mandatory access control.
-+
-+The drbd processes execute with the drbd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep drbd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The drbd_t SELinux type can be entered via the "drbd_exec_t" file type. The default entrypoint paths for the drbd_t domain are the following:"
-+
-+/usr/lib/ocf/resource.\d/linbit/drbd, /sbin/drbdadm, /sbin/drbdsetup, /usr/sbin/drbdadm, /usr/sbin/drbdsetup
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux drbd policy is very flexible allowing users to setup their drbd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for drbd:
-+
-+.EX
-+.B drbd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux drbd policy is very flexible allowing users to setup their drbd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for drbd:
-+
-+
-+.EX
-+.PP
-+.B drbd_exec_t
-+.EE
-+
-+- Set files with the drbd_exec_t type, if you want to transition an executable to the drbd_t domain.
-+
-+
-+.EX
-+.PP
-+.B drbd_lock_t
-+.EE
-+
-+- Set files with the drbd_lock_t type, if you want to treat the files as drbd lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B drbd_var_lib_t
-+.EE
-+
-+- Set files with the drbd_var_lib_t type, if you want to store the drbd files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type drbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B drbd_lock_t
-+
-+
-+.br
-+.B drbd_var_lib_t
-+
-+ /var/lib/drbd(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), drbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/dspam_selinux.8 b/man/man8/dspam_selinux.8
-new file mode 100644
-index 0000000..64cf453
---- /dev/null
-+++ b/man/man8/dspam_selinux.8
-@@ -0,0 +1,166 @@
-+.TH "dspam_selinux" "8" "12-11-01" "dspam" "SELinux Policy documentation for dspam"
-+.SH "NAME"
-+dspam_selinux \- Security Enhanced Linux Policy for the dspam processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the dspam processes via flexible mandatory access control.
-+
-+The dspam processes execute with the dspam_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep dspam_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The dspam_t SELinux type can be entered via the "dspam_exec_t" file type. The default entrypoint paths for the dspam_t domain are the following:"
-+
-+/usr/bin/dspam
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux dspam policy is very flexible allowing users to setup their dspam processes in as secure a method as possible.
-+.PP
-+The following process types are defined for dspam:
-+
-+.EX
-+.B dspam_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux dspam policy is very flexible allowing users to setup their dspam processes in as secure a method as possible.
-+.PP
-+The following file types are defined for dspam:
-+
-+
-+.EX
-+.PP
-+.B dspam_exec_t
-+.EE
-+
-+- Set files with the dspam_exec_t type, if you want to transition an executable to the dspam_t domain.
-+
-+
-+.EX
-+.PP
-+.B dspam_initrc_exec_t
-+.EE
-+
-+- Set files with the dspam_initrc_exec_t type, if you want to transition an executable to the dspam_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B dspam_log_t
-+.EE
-+
-+- Set files with the dspam_log_t type, if you want to treat the data as dspam log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B dspam_tmp_t
-+.EE
-+
-+- Set files with the dspam_tmp_t type, if you want to store dspam temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B dspam_var_lib_t
-+.EE
-+
-+- Set files with the dspam_var_lib_t type, if you want to store the dspam files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B dspam_var_run_t
-+.EE
-+
-+- Set files with the dspam_var_run_t type, if you want to store the dspam files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type dspam_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dspam_log_t
-+
-+ /var/log/dspam(/.*)?
-+.br
-+
-+.br
-+.B dspam_var_lib_t
-+
-+ /var/lib/dspam(/.*)?
-+.br
-+
-+.br
-+.B dspam_var_run_t
-+
-+ /var/run/dspam(/.*)?
-+.br
-+
-+.br
-+.B httpd_dspam_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dspam_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the dspam_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), dspam(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/entropyd_selinux.8 b/man/man8/entropyd_selinux.8
-new file mode 100644
-index 0000000..0035e75
---- /dev/null
-+++ b/man/man8/entropyd_selinux.8
-@@ -0,0 +1,142 @@
-+.TH "entropyd_selinux" "8" "12-11-01" "entropyd" "SELinux Policy documentation for entropyd"
-+.SH "NAME"
-+entropyd_selinux \- Security Enhanced Linux Policy for the entropyd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the entropyd processes via flexible mandatory access control.
-+
-+The entropyd processes execute with the entropyd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep entropyd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The entropyd_t SELinux type can be entered via the "entropyd_exec_t" file type. The default entrypoint paths for the entropyd_t domain are the following:"
-+
-+/usr/sbin/haveged, /usr/sbin/audio-entropyd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux entropyd policy is very flexible allowing users to setup their entropyd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for entropyd:
-+
-+.EX
-+.B entropyd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. entropyd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run entropyd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow the use of the audio devices as the source for the entropy feeds, you must turn on the entropyd_use_audio boolean.
-+
-+.EX
-+.B setsebool -P entropyd_use_audio 1
-+.EE
-+
-+.PP
-+If you want to allow the use of the audio devices as the source for the entropy feeds, you must turn on the entropyd_use_audio boolean.
-+
-+.EX
-+.B setsebool -P entropyd_use_audio 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux entropyd policy is very flexible allowing users to setup their entropyd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for entropyd:
-+
-+
-+.EX
-+.PP
-+.B entropyd_exec_t
-+.EE
-+
-+- Set files with the entropyd_exec_t type, if you want to transition an executable to the entropyd_t domain.
-+
-+
-+.EX
-+.PP
-+.B entropyd_var_run_t
-+.EE
-+
-+- Set files with the entropyd_var_run_t type, if you want to store the entropyd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type entropyd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B entropyd_var_run_t
-+
-+ /var/run/haveged\.pid
-+.br
-+ /var/run/audio-entropyd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the entropyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the entropyd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), entropyd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/eventlogd_selinux.8 b/man/man8/eventlogd_selinux.8
-new file mode 100644
-index 0000000..755e81c
---- /dev/null
-+++ b/man/man8/eventlogd_selinux.8
-@@ -0,0 +1,126 @@
-+.TH "eventlogd_selinux" "8" "12-11-01" "eventlogd" "SELinux Policy documentation for eventlogd"
-+.SH "NAME"
-+eventlogd_selinux \- Security Enhanced Linux Policy for the eventlogd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the eventlogd processes via flexible mandatory access control.
-+
-+The eventlogd processes execute with the eventlogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep eventlogd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The eventlogd_t SELinux type can be entered via the "eventlogd_exec_t" file type. The default entrypoint paths for the eventlogd_t domain are the following:"
-+
-+/usr/sbin/eventlogd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux eventlogd policy is very flexible allowing users to setup their eventlogd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for eventlogd:
-+
-+.EX
-+.B eventlogd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux eventlogd policy is very flexible allowing users to setup their eventlogd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for eventlogd:
-+
-+
-+.EX
-+.PP
-+.B eventlogd_exec_t
-+.EE
-+
-+- Set files with the eventlogd_exec_t type, if you want to transition an executable to the eventlogd_t domain.
-+
-+
-+.EX
-+.PP
-+.B eventlogd_var_lib_t
-+.EE
-+
-+- Set files with the eventlogd_var_lib_t type, if you want to store the eventlogd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B eventlogd_var_run_t
-+.EE
-+
-+- Set files with the eventlogd_var_run_t type, if you want to store the eventlogd files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B eventlogd_var_socket_t
-+.EE
-+
-+- Set files with the eventlogd_var_socket_t type, if you want to treat the files as eventlogd var socket data.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type eventlogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B eventlogd_var_lib_t
-+
-+ /var/lib/likewise-open/db/lwi_events.db
-+.br
-+
-+.br
-+.B eventlogd_var_run_t
-+
-+ /var/run/eventlogd.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), eventlogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/evtchnd_selinux.8 b/man/man8/evtchnd_selinux.8
-new file mode 100644
-index 0000000..85b3690
---- /dev/null
-+++ b/man/man8/evtchnd_selinux.8
-@@ -0,0 +1,120 @@
-+.TH "evtchnd_selinux" "8" "12-11-01" "evtchnd" "SELinux Policy documentation for evtchnd"
-+.SH "NAME"
-+evtchnd_selinux \- Security Enhanced Linux Policy for the evtchnd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the evtchnd processes via flexible mandatory access control.
-+
-+The evtchnd processes execute with the evtchnd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep evtchnd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The evtchnd_t SELinux type can be entered via the "evtchnd_exec_t" file type. The default entrypoint paths for the evtchnd_t domain are the following:"
-+
-+/usr/sbin/evtchnd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux evtchnd policy is very flexible allowing users to setup their evtchnd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for evtchnd:
-+
-+.EX
-+.B evtchnd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux evtchnd policy is very flexible allowing users to setup their evtchnd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for evtchnd:
-+
-+
-+.EX
-+.PP
-+.B evtchnd_exec_t
-+.EE
-+
-+- Set files with the evtchnd_exec_t type, if you want to transition an executable to the evtchnd_t domain.
-+
-+
-+.EX
-+.PP
-+.B evtchnd_var_log_t
-+.EE
-+
-+- Set files with the evtchnd_var_log_t type, if you want to treat the data as evtchnd var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B evtchnd_var_run_t
-+.EE
-+
-+- Set files with the evtchnd_var_run_t type, if you want to store the evtchnd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type evtchnd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B evtchnd_var_log_t
-+
-+ /var/log/evtchnd\.log.*
-+.br
-+
-+.br
-+.B evtchnd_var_run_t
-+
-+ /var/run/evtchnd
-+.br
-+ /var/run/evtchnd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), evtchnd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/exim_selinux.8 b/man/man8/exim_selinux.8
-new file mode 100644
-index 0000000..f156767
---- /dev/null
-+++ b/man/man8/exim_selinux.8
-@@ -0,0 +1,270 @@
-+.TH "exim_selinux" "8" "12-11-01" "exim" "SELinux Policy documentation for exim"
-+.SH "NAME"
-+exim_selinux \- Security Enhanced Linux Policy for the exim processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the exim processes via flexible mandatory access control.
-+
-+The exim processes execute with the exim_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep exim_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The exim_t SELinux type can be entered via the "exim_exec_t" file type. The default entrypoint paths for the exim_t domain are the following:"
-+
-+/usr/sbin/exim[0-9]?, /usr/sbin/exim_tidydb
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux exim policy is very flexible allowing users to setup their exim processes in as secure a method as possible.
-+.PP
-+The following process types are defined for exim:
-+
-+.EX
-+.B exim_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. exim policy is extremely flexible and has several booleans that allow you to manipulate the policy and run exim with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow exim to connect to databases (postgres, mysql), you must turn on the exim_can_connect_db boolean.
-+
-+.EX
-+.B setsebool -P exim_can_connect_db 1
-+.EE
-+
-+.PP
-+If you want to allow exim to create, read, write, and delete unprivileged user files, you must turn on the exim_manage_user_files boolean.
-+
-+.EX
-+.B setsebool -P exim_manage_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow exim to read unprivileged user files, you must turn on the exim_read_user_files boolean.
-+
-+.EX
-+.B setsebool -P exim_read_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow exim to connect to databases (postgres, mysql), you must turn on the exim_can_connect_db boolean.
-+
-+.EX
-+.B setsebool -P exim_can_connect_db 1
-+.EE
-+
-+.PP
-+If you want to allow exim to create, read, write, and delete unprivileged user files, you must turn on the exim_manage_user_files boolean.
-+
-+.EX
-+.B setsebool -P exim_manage_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow exim to read unprivileged user files, you must turn on the exim_read_user_files boolean.
-+
-+.EX
-+.B setsebool -P exim_read_user_files 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux exim policy is very flexible allowing users to setup their exim processes in as secure a method as possible.
-+.PP
-+The following file types are defined for exim:
-+
-+
-+.EX
-+.PP
-+.B exim_exec_t
-+.EE
-+
-+- Set files with the exim_exec_t type, if you want to transition an executable to the exim_t domain.
-+
-+
-+.EX
-+.PP
-+.B exim_initrc_exec_t
-+.EE
-+
-+- Set files with the exim_initrc_exec_t type, if you want to transition an executable to the exim_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B exim_keytab_t
-+.EE
-+
-+- Set files with the exim_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B exim_log_t
-+.EE
-+
-+- Set files with the exim_log_t type, if you want to treat the data as exim log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B exim_spool_t
-+.EE
-+
-+- Set files with the exim_spool_t type, if you want to store the exim files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B exim_tmp_t
-+.EE
-+
-+- Set files with the exim_tmp_t type, if you want to store exim temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B exim_var_run_t
-+.EE
-+
-+- Set files with the exim_var_run_t type, if you want to store the exim files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type exim_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B arpwatch_tmp_t
-+
-+
-+.br
-+.B dovecot_spool_t
-+
-+ /var/spool/dovecot(/.*)?
-+.br
-+
-+.br
-+.B exim_log_t
-+
-+ /var/log/exim[0-9]?(/.*)?
-+.br
-+
-+.br
-+.B exim_spool_t
-+
-+ /var/spool/exim[0-9]?(/.*)?
-+.br
-+
-+.br
-+.B exim_tmp_t
-+
-+
-+.br
-+.B exim_var_run_t
-+
-+ /var/run/exim[0-9]?\.pid
-+.br
-+
-+.br
-+.B mail_home_rw_t
-+
-+ /root/Maildir(/.*)?
-+.br
-+ /home/[^/]*/Maildir(/.*)?
-+.br
-+ /home/dwalsh/Maildir(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/Maildir(/.*)?
-+.br
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.br
-+.B sendmail_tmp_t
-+
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the exim_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the exim_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), exim(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/fail2ban_client_selinux.8 b/man/man8/fail2ban_client_selinux.8
-new file mode 100644
-index 0000000..965514d
---- /dev/null
-+++ b/man/man8/fail2ban_client_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "fail2ban_client_selinux" "8" "12-11-01" "fail2ban_client" "SELinux Policy documentation for fail2ban_client"
-+.SH "NAME"
-+fail2ban_client_selinux \- Security Enhanced Linux Policy for the fail2ban_client processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the fail2ban_client processes via flexible mandatory access control.
-+
-+The fail2ban_client processes execute with the fail2ban_client_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep fail2ban_client_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The fail2ban_client_t SELinux type can be entered via the "fail2ban_client_exec_t" file type. The default entrypoint paths for the fail2ban_client_t domain are the following:"
-+
-+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux fail2ban_client policy is very flexible allowing users to setup their fail2ban_client processes in as secure a method as possible.
-+.PP
-+The following process types are defined for fail2ban_client:
-+
-+.EX
-+.B fail2ban_client_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux fail2ban_client policy is very flexible allowing users to setup their fail2ban_client processes in as secure a method as possible.
-+.PP
-+The following file types are defined for fail2ban_client:
-+
-+
-+.EX
-+.PP
-+.B fail2ban_client_exec_t
-+.EE
-+
-+- Set files with the fail2ban_client_exec_t type, if you want to transition an executable to the fail2ban_client_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), fail2ban_client(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, fail2ban_selinux(8), fail2ban_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/fail2ban_selinux.8 b/man/man8/fail2ban_selinux.8
-new file mode 100644
-index 0000000..d71d700
---- /dev/null
-+++ b/man/man8/fail2ban_selinux.8
-@@ -0,0 +1,201 @@
-+.TH "fail2ban_selinux" "8" "12-11-01" "fail2ban" "SELinux Policy documentation for fail2ban"
-+.SH "NAME"
-+fail2ban_selinux \- Security Enhanced Linux Policy for the fail2ban processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the fail2ban processes via flexible mandatory access control.
-+
-+The fail2ban processes execute with the fail2ban_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep fail2ban_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The fail2ban_t SELinux type can be entered via the "fail2ban_exec_t" file type. The default entrypoint paths for the fail2ban_t domain are the following:"
-+
-+/usr/bin/fail2ban, /usr/bin/fail2ban-server
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux fail2ban policy is very flexible allowing users to setup their fail2ban processes in as secure a method as possible.
-+.PP
-+The following process types are defined for fail2ban:
-+
-+.EX
-+.B fail2ban_client_t, fail2ban_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux fail2ban policy is very flexible allowing users to setup their fail2ban processes in as secure a method as possible.
-+.PP
-+The following file types are defined for fail2ban:
-+
-+
-+.EX
-+.PP
-+.B fail2ban_client_exec_t
-+.EE
-+
-+- Set files with the fail2ban_client_exec_t type, if you want to transition an executable to the fail2ban_client_t domain.
-+
-+
-+.EX
-+.PP
-+.B fail2ban_exec_t
-+.EE
-+
-+- Set files with the fail2ban_exec_t type, if you want to transition an executable to the fail2ban_t domain.
-+
-+
-+.EX
-+.PP
-+.B fail2ban_initrc_exec_t
-+.EE
-+
-+- Set files with the fail2ban_initrc_exec_t type, if you want to transition an executable to the fail2ban_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B fail2ban_log_t
-+.EE
-+
-+- Set files with the fail2ban_log_t type, if you want to treat the data as fail2ban log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B fail2ban_tmp_t
-+.EE
-+
-+- Set files with the fail2ban_tmp_t type, if you want to store fail2ban temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B fail2ban_var_lib_t
-+.EE
-+
-+- Set files with the fail2ban_var_lib_t type, if you want to store the fail2ban files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B fail2ban_var_run_t
-+.EE
-+
-+- Set files with the fail2ban_var_run_t type, if you want to store the fail2ban files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type fail2ban_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B fail2ban_log_t
-+
-+ /var/log/fail2ban\.log.*
-+.br
-+
-+.br
-+.B fail2ban_tmp_t
-+
-+
-+.br
-+.B fail2ban_var_lib_t
-+
-+ /var/lib/fail2ban(/.*)?
-+.br
-+
-+.br
-+.B fail2ban_var_run_t
-+
-+ /var/run/fail2ban.*
-+.br
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fail2ban_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the fail2ban_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), fail2ban(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, fail2ban_client_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/fcoemon_selinux.8 b/man/man8/fcoemon_selinux.8
-new file mode 100644
-index 0000000..f5a355c
---- /dev/null
-+++ b/man/man8/fcoemon_selinux.8
-@@ -0,0 +1,106 @@
-+.TH "fcoemon_selinux" "8" "12-11-01" "fcoemon" "SELinux Policy documentation for fcoemon"
-+.SH "NAME"
-+fcoemon_selinux \- Security Enhanced Linux Policy for the fcoemon processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the fcoemon processes via flexible mandatory access control.
-+
-+The fcoemon processes execute with the fcoemon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep fcoemon_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The fcoemon_t SELinux type can be entered via the "fcoemon_exec_t" file type. The default entrypoint paths for the fcoemon_t domain are the following:"
-+
-+/usr/sbin/fcoemon
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux fcoemon policy is very flexible allowing users to setup their fcoemon processes in as secure a method as possible.
-+.PP
-+The following process types are defined for fcoemon:
-+
-+.EX
-+.B fcoemon_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux fcoemon policy is very flexible allowing users to setup their fcoemon processes in as secure a method as possible.
-+.PP
-+The following file types are defined for fcoemon:
-+
-+
-+.EX
-+.PP
-+.B fcoemon_exec_t
-+.EE
-+
-+- Set files with the fcoemon_exec_t type, if you want to transition an executable to the fcoemon_t domain.
-+
-+
-+.EX
-+.PP
-+.B fcoemon_var_run_t
-+.EE
-+
-+- Set files with the fcoemon_var_run_t type, if you want to store the fcoemon files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type fcoemon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B fcoemon_var_run_t
-+
-+ /var/run/fcm(/.*)?
-+.br
-+ /var/run/fcoemon\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), fcoemon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/fenced_selinux.8 b/man/man8/fenced_selinux.8
-new file mode 100644
-index 0000000..fa89bb1
---- /dev/null
-+++ b/man/man8/fenced_selinux.8
-@@ -0,0 +1,230 @@
-+.TH "fenced_selinux" "8" "12-11-01" "fenced" "SELinux Policy documentation for fenced"
-+.SH "NAME"
-+fenced_selinux \- Security Enhanced Linux Policy for the fenced processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the fenced processes via flexible mandatory access control.
-+
-+The fenced processes execute with the fenced_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep fenced_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The fenced_t SELinux type can be entered via the "fenced_exec_t" file type. The default entrypoint paths for the fenced_t domain are the following:"
-+
-+/usr/sbin/fenced, /usr/sbin/fence_node, /usr/sbin/fence_tool, /usr/sbin/fence_virtd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux fenced policy is very flexible allowing users to setup their fenced processes in as secure a method as possible.
-+.PP
-+The following process types are defined for fenced:
-+
-+.EX
-+.B fenced_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. fenced policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fenced with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow fenced domain to connect to the network using TCP, you must turn on the fenced_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P fenced_can_network_connect 1
-+.EE
-+
-+.PP
-+If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
-+
-+.EX
-+.B setsebool -P fenced_can_ssh 1
-+.EE
-+
-+.PP
-+If you want to allow fenced domain to connect to the network using TCP, you must turn on the fenced_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P fenced_can_network_connect 1
-+.EE
-+
-+.PP
-+If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
-+
-+.EX
-+.B setsebool -P fenced_can_ssh 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux fenced policy is very flexible allowing users to setup their fenced processes in as secure a method as possible.
-+.PP
-+The following file types are defined for fenced:
-+
-+
-+.EX
-+.PP
-+.B fenced_exec_t
-+.EE
-+
-+- Set files with the fenced_exec_t type, if you want to transition an executable to the fenced_t domain.
-+
-+
-+.EX
-+.PP
-+.B fenced_lock_t
-+.EE
-+
-+- Set files with the fenced_lock_t type, if you want to treat the files as fenced lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B fenced_tmp_t
-+.EE
-+
-+- Set files with the fenced_tmp_t type, if you want to store fenced temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B fenced_tmpfs_t
-+.EE
-+
-+- Set files with the fenced_tmpfs_t type, if you want to store fenced files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B fenced_var_log_t
-+.EE
-+
-+- Set files with the fenced_var_log_t type, if you want to treat the data as fenced var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B fenced_var_run_t
-+.EE
-+
-+- Set files with the fenced_var_run_t type, if you want to store the fenced files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type fenced_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cluster_var_lib_t
-+
-+ /var/lib/cluster(/.*)?
-+.br
-+
-+.br
-+.B fenced_lock_t
-+
-+ /var/lock/fence_manual\.lock
-+.br
-+
-+.br
-+.B fenced_tmp_t
-+
-+
-+.br
-+.B fenced_tmpfs_t
-+
-+
-+.br
-+.B fenced_var_log_t
-+
-+ /var/log/cluster/fenced\.log.*
-+.br
-+
-+.br
-+.B fenced_var_run_t
-+
-+ /var/run/fence.*
-+.br
-+ /var/run/cluster/fence_scsi.*
-+.br
-+ /var/run/cluster/fenced_override
-+.br
-+
-+.br
-+.B snmpd_var_lib_t
-+
-+ /var/agentx(/.*)?
-+.br
-+ /var/lib/snmp(/.*)?
-+.br
-+ /var/net-snmp(/.*)?
-+.br
-+ /var/lib/net-snmp(/.*)?
-+.br
-+ /usr/share/snmp/mibs/\.index
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fenced_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the fenced_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), fenced(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/fetchmail_selinux.8 b/man/man8/fetchmail_selinux.8
-new file mode 100644
-index 0000000..ae8394b
---- /dev/null
-+++ b/man/man8/fetchmail_selinux.8
-@@ -0,0 +1,144 @@
-+.TH "fetchmail_selinux" "8" "12-11-01" "fetchmail" "SELinux Policy documentation for fetchmail"
-+.SH "NAME"
-+fetchmail_selinux \- Security Enhanced Linux Policy for the fetchmail processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the fetchmail processes via flexible mandatory access control.
-+
-+The fetchmail processes execute with the fetchmail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep fetchmail_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The fetchmail_t SELinux type can be entered via the "fetchmail_exec_t" file type. The default entrypoint paths for the fetchmail_t domain are the following:"
-+
-+/usr/bin/fetchmail
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux fetchmail policy is very flexible allowing users to setup their fetchmail processes in as secure a method as possible.
-+.PP
-+The following process types are defined for fetchmail:
-+
-+.EX
-+.B fetchmail_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux fetchmail policy is very flexible allowing users to setup their fetchmail processes in as secure a method as possible.
-+.PP
-+The following file types are defined for fetchmail:
-+
-+
-+.EX
-+.PP
-+.B fetchmail_etc_t
-+.EE
-+
-+- Set files with the fetchmail_etc_t type, if you want to store fetchmail files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B fetchmail_exec_t
-+.EE
-+
-+- Set files with the fetchmail_exec_t type, if you want to transition an executable to the fetchmail_t domain.
-+
-+
-+.EX
-+.PP
-+.B fetchmail_home_t
-+.EE
-+
-+- Set files with the fetchmail_home_t type, if you want to store fetchmail files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B fetchmail_uidl_cache_t
-+.EE
-+
-+- Set files with the fetchmail_uidl_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B fetchmail_var_run_t
-+.EE
-+
-+- Set files with the fetchmail_var_run_t type, if you want to store the fetchmail files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type fetchmail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B fetchmail_uidl_cache_t
-+
-+ /var/lib/fetchmail(/.*)?
-+.br
-+ /var/mail/\.fetchmail-UIDL-cache
-+.br
-+
-+.br
-+.B fetchmail_var_run_t
-+
-+ /var/run/fetchmail/.*
-+.br
-+
-+.br
-+.B sendmail_log_t
-+
-+ /var/log/mail(/.*)?
-+.br
-+ /var/log/sendmail\.st
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), fetchmail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/fingerd_selinux.8 b/man/man8/fingerd_selinux.8
-new file mode 100644
-index 0000000..5dedb48
---- /dev/null
-+++ b/man/man8/fingerd_selinux.8
-@@ -0,0 +1,164 @@
-+.TH "fingerd_selinux" "8" "12-11-01" "fingerd" "SELinux Policy documentation for fingerd"
-+.SH "NAME"
-+fingerd_selinux \- Security Enhanced Linux Policy for the fingerd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the fingerd processes via flexible mandatory access control.
-+
-+The fingerd processes execute with the fingerd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep fingerd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The fingerd_t SELinux type can be entered via the "fingerd_exec_t" file type. The default entrypoint paths for the fingerd_t domain are the following:"
-+
-+/usr/sbin/[cef]fingerd, /etc/cron\.weekly/(c)?fingerd, /usr/sbin/in\.fingerd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux fingerd policy is very flexible allowing users to setup their fingerd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for fingerd:
-+
-+.EX
-+.B fingerd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux fingerd policy is very flexible allowing users to setup their fingerd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for fingerd:
-+
-+
-+.EX
-+.PP
-+.B fingerd_etc_t
-+.EE
-+
-+- Set files with the fingerd_etc_t type, if you want to store fingerd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B fingerd_exec_t
-+.EE
-+
-+- Set files with the fingerd_exec_t type, if you want to transition an executable to the fingerd_t domain.
-+
-+
-+.EX
-+.PP
-+.B fingerd_log_t
-+.EE
-+
-+- Set files with the fingerd_log_t type, if you want to treat the data as fingerd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B fingerd_var_run_t
-+.EE
-+
-+- Set files with the fingerd_var_run_t type, if you want to store the fingerd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux fingerd policy is very flexible allowing users to setup their fingerd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for fingerd:
-+
-+.EX
-+.TP 5
-+.B fingerd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 79
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type fingerd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B fingerd_log_t
-+
-+ /var/log/cfingerd\.log.*
-+.br
-+
-+.br
-+.B fingerd_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fingerd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the fingerd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), fingerd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/firewalld_selinux.8 b/man/man8/firewalld_selinux.8
-new file mode 100644
-index 0000000..fc13038
---- /dev/null
-+++ b/man/man8/firewalld_selinux.8
-@@ -0,0 +1,159 @@
-+.TH "firewalld_selinux" "8" "12-11-01" "firewalld" "SELinux Policy documentation for firewalld"
-+.SH "NAME"
-+firewalld_selinux \- Security Enhanced Linux Policy for the firewalld processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the firewalld processes via flexible mandatory access control.
-+
-+The firewalld processes execute with the firewalld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep firewalld_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The firewalld_t SELinux type can be entered via the "firewalld_exec_t" file type. The default entrypoint paths for the firewalld_t domain are the following:"
-+
-+/usr/sbin/firewalld
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux firewalld policy is very flexible allowing users to setup their firewalld processes in as secure a method as possible.
-+.PP
-+The following process types are defined for firewalld:
-+
-+.EX
-+.B firewallgui_t, firewalld_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux firewalld policy is very flexible allowing users to setup their firewalld processes in as secure a method as possible.
-+.PP
-+The following file types are defined for firewalld:
-+
-+
-+.EX
-+.PP
-+.B firewalld_etc_rw_t
-+.EE
-+
-+- Set files with the firewalld_etc_rw_t type, if you want to treat the files as firewalld etc read/write content.
-+
-+
-+.EX
-+.PP
-+.B firewalld_exec_t
-+.EE
-+
-+- Set files with the firewalld_exec_t type, if you want to transition an executable to the firewalld_t domain.
-+
-+
-+.EX
-+.PP
-+.B firewalld_initrc_exec_t
-+.EE
-+
-+- Set files with the firewalld_initrc_exec_t type, if you want to transition an executable to the firewalld_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B firewalld_unit_file_t
-+.EE
-+
-+- Set files with the firewalld_unit_file_t type, if you want to treat the files as firewalld unit content.
-+
-+
-+.EX
-+.PP
-+.B firewalld_var_log_t
-+.EE
-+
-+- Set files with the firewalld_var_log_t type, if you want to treat the data as firewalld var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B firewalld_var_run_t
-+.EE
-+
-+- Set files with the firewalld_var_run_t type, if you want to store the firewalld files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type firewalld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B firewalld_etc_rw_t
-+
-+ /etc/firewalld(/.*)?
-+.br
-+
-+.br
-+.B firewalld_var_run_t
-+
-+ /var/run/firewalld(/.*)?
-+.br
-+ /var/run/firewalld\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), firewalld(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, firewallgui_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/firewallgui_selinux.8 b/man/man8/firewallgui_selinux.8
-new file mode 100644
-index 0000000..ab4f40b
---- /dev/null
-+++ b/man/man8/firewallgui_selinux.8
-@@ -0,0 +1,138 @@
-+.TH "firewallgui_selinux" "8" "12-11-01" "firewallgui" "SELinux Policy documentation for firewallgui"
-+.SH "NAME"
-+firewallgui_selinux \- Security Enhanced Linux Policy for the firewallgui processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the firewallgui processes via flexible mandatory access control.
-+
-+The firewallgui processes execute with the firewallgui_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep firewallgui_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The firewallgui_t SELinux type can be entered via the "firewallgui_exec_t" file type. The default entrypoint paths for the firewallgui_t domain are the following:"
-+
-+/usr/share/system-config-firewall/system-config-firewall-mechanism.py
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux firewallgui policy is very flexible allowing users to setup their firewallgui processes in as secure a method as possible.
-+.PP
-+The following process types are defined for firewallgui:
-+
-+.EX
-+.B firewallgui_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux firewallgui policy is very flexible allowing users to setup their firewallgui processes in as secure a method as possible.
-+.PP
-+The following file types are defined for firewallgui:
-+
-+
-+.EX
-+.PP
-+.B firewallgui_exec_t
-+.EE
-+
-+- Set files with the firewallgui_exec_t type, if you want to transition an executable to the firewallgui_t domain.
-+
-+
-+.EX
-+.PP
-+.B firewallgui_tmp_t
-+.EE
-+
-+- Set files with the firewallgui_tmp_t type, if you want to store firewallgui temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type firewallgui_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B firewallgui_tmp_t
-+
-+
-+.br
-+.B system_conf_t
-+
-+ /etc/sysctl\.conf(\.old)?
-+.br
-+ /etc/sysconfig/ip6?tables.*
-+.br
-+ /etc/sysconfig/ipvsadm.*
-+.br
-+ /etc/sysconfig/ebtables.*
-+.br
-+ /etc/sysconfig/system-config-firewall.*
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), firewallgui(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/firstboot_selinux.8 b/man/man8/firstboot_selinux.8
-new file mode 100644
-index 0000000..53e6593
---- /dev/null
-+++ b/man/man8/firstboot_selinux.8
-@@ -0,0 +1,104 @@
-+.TH "firstboot_selinux" "8" "12-11-01" "firstboot" "SELinux Policy documentation for firstboot"
-+.SH "NAME"
-+firstboot_selinux \- Security Enhanced Linux Policy for the firstboot processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the firstboot processes via flexible mandatory access control.
-+
-+The firstboot processes execute with the firstboot_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep firstboot_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The firstboot_t SELinux type can be entered via the "firstboot_exec_t,filesystem_type,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type" file types. The default entrypoint paths for the firstboot_t domain are the following:"
-+
-+/usr/sbin/firstboot, /usr/share/firstboot/firstboot\.py, /dev/cpu/mtrr, all files on the system
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux firstboot policy is very flexible allowing users to setup their firstboot processes in as secure a method as possible.
-+.PP
-+The following process types are defined for firstboot:
-+
-+.EX
-+.B firstboot_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux firstboot policy is very flexible allowing users to setup their firstboot processes in as secure a method as possible.
-+.PP
-+The following file types are defined for firstboot:
-+
-+
-+.EX
-+.PP
-+.B firstboot_etc_t
-+.EE
-+
-+- Set files with the firstboot_etc_t type, if you want to store firstboot files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B firstboot_exec_t
-+.EE
-+
-+- Set files with the firstboot_exec_t type, if you want to transition an executable to the firstboot_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type firstboot_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B file_type
-+
-+ all files on the system
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), firstboot(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/foghorn_selinux.8 b/man/man8/foghorn_selinux.8
-new file mode 100644
-index 0000000..f17a60b
---- /dev/null
-+++ b/man/man8/foghorn_selinux.8
-@@ -0,0 +1,146 @@
-+.TH "foghorn_selinux" "8" "12-11-01" "foghorn" "SELinux Policy documentation for foghorn"
-+.SH "NAME"
-+foghorn_selinux \- Security Enhanced Linux Policy for the foghorn processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the foghorn processes via flexible mandatory access control.
-+
-+The foghorn processes execute with the foghorn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep foghorn_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The foghorn_t SELinux type can be entered via the "foghorn_exec_t" file type. The default entrypoint paths for the foghorn_t domain are the following:"
-+
-+/usr/sbin/foghorn
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux foghorn policy is very flexible allowing users to setup their foghorn processes in as secure a method as possible.
-+.PP
-+The following process types are defined for foghorn:
-+
-+.EX
-+.B foghorn_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux foghorn policy is very flexible allowing users to setup their foghorn processes in as secure a method as possible.
-+.PP
-+The following file types are defined for foghorn:
-+
-+
-+.EX
-+.PP
-+.B foghorn_exec_t
-+.EE
-+
-+- Set files with the foghorn_exec_t type, if you want to transition an executable to the foghorn_t domain.
-+
-+
-+.EX
-+.PP
-+.B foghorn_tmpfs_t
-+.EE
-+
-+- Set files with the foghorn_tmpfs_t type, if you want to store foghorn files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B foghorn_var_log_t
-+.EE
-+
-+- Set files with the foghorn_var_log_t type, if you want to treat the data as foghorn var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B foghorn_var_run_t
-+.EE
-+
-+- Set files with the foghorn_var_run_t type, if you want to store the foghorn files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type foghorn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cluster_var_lib_t
-+
-+ /var/lib/cluster(/.*)?
-+.br
-+
-+.br
-+.B foghorn_tmpfs_t
-+
-+
-+.br
-+.B foghorn_var_log_t
-+
-+
-+.br
-+.B foghorn_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the foghorn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the foghorn_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), foghorn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/fprintd_selinux.8 b/man/man8/fprintd_selinux.8
-new file mode 100644
-index 0000000..68cee10
---- /dev/null
-+++ b/man/man8/fprintd_selinux.8
-@@ -0,0 +1,118 @@
-+.TH "fprintd_selinux" "8" "12-11-01" "fprintd" "SELinux Policy documentation for fprintd"
-+.SH "NAME"
-+fprintd_selinux \- Security Enhanced Linux Policy for the fprintd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the fprintd processes via flexible mandatory access control.
-+
-+The fprintd processes execute with the fprintd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep fprintd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The fprintd_t SELinux type can be entered via the "fprintd_exec_t" file type. The default entrypoint paths for the fprintd_t domain are the following:"
-+
-+/usr/libexec/fprintd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux fprintd policy is very flexible allowing users to setup their fprintd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for fprintd:
-+
-+.EX
-+.B fprintd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux fprintd policy is very flexible allowing users to setup their fprintd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for fprintd:
-+
-+
-+.EX
-+.PP
-+.B fprintd_exec_t
-+.EE
-+
-+- Set files with the fprintd_exec_t type, if you want to transition an executable to the fprintd_t domain.
-+
-+
-+.EX
-+.PP
-+.B fprintd_var_lib_t
-+.EE
-+
-+- Set files with the fprintd_var_lib_t type, if you want to store the fprintd files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type fprintd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B fprintd_var_lib_t
-+
-+ /var/lib/fprint(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fprintd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the fprintd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), fprintd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/freshclam_selinux.8 b/man/man8/freshclam_selinux.8
-new file mode 100644
-index 0000000..9ccf034
---- /dev/null
-+++ b/man/man8/freshclam_selinux.8
-@@ -0,0 +1,164 @@
-+.TH "freshclam_selinux" "8" "12-11-01" "freshclam" "SELinux Policy documentation for freshclam"
-+.SH "NAME"
-+freshclam_selinux \- Security Enhanced Linux Policy for the freshclam processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the freshclam processes via flexible mandatory access control.
-+
-+The freshclam processes execute with the freshclam_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep freshclam_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The freshclam_t SELinux type can be entered via the "freshclam_exec_t" file type. The default entrypoint paths for the freshclam_t domain are the following:"
-+
-+/usr/bin/freshclam
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux freshclam policy is very flexible allowing users to setup their freshclam processes in as secure a method as possible.
-+.PP
-+The following process types are defined for freshclam:
-+
-+.EX
-+.B freshclam_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux freshclam policy is very flexible allowing users to setup their freshclam processes in as secure a method as possible.
-+.PP
-+The following file types are defined for freshclam:
-+
-+
-+.EX
-+.PP
-+.B freshclam_exec_t
-+.EE
-+
-+- Set files with the freshclam_exec_t type, if you want to transition an executable to the freshclam_t domain.
-+
-+
-+.EX
-+.PP
-+.B freshclam_var_log_t
-+.EE
-+
-+- Set files with the freshclam_var_log_t type, if you want to treat the data as freshclam var log data, usually stored under the /var/log directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type freshclam_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B amavis_spool_t
-+
-+ /var/spool/amavisd(/.*)?
-+.br
-+
-+.br
-+.B antivirus_db_t
-+
-+ /var/opt/f-secure(/.*)?
-+.br
-+
-+.br
-+.B clamd_var_lib_t
-+
-+ /var/clamav(/.*)?
-+.br
-+ /var/lib/clamd.*
-+.br
-+ /var/lib/clamav(/.*)?
-+.br
-+
-+.br
-+.B clamd_var_run_t
-+
-+ /var/run/clamd.*
-+.br
-+ /var/run/clamav.*
-+.br
-+ /var/run/amavis(d)?/clamd\.pid
-+.br
-+ /var/spool/MailScanner(/.*)?
-+.br
-+ /var/spool/amavisd/clamd\.sock
-+.br
-+
-+.br
-+.B freshclam_var_log_t
-+
-+ /var/log/freshclam.*
-+.br
-+ /var/log/clamav/freshclam.*
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the freshclam_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the freshclam_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), freshclam(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/fsadm_selinux.8 b/man/man8/fsadm_selinux.8
-new file mode 100644
-index 0000000..7bcfdaf
---- /dev/null
-+++ b/man/man8/fsadm_selinux.8
-@@ -0,0 +1,258 @@
-+.TH "fsadm_selinux" "8" "12-11-01" "fsadm" "SELinux Policy documentation for fsadm"
-+.SH "NAME"
-+fsadm_selinux \- Security Enhanced Linux Policy for the fsadm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the fsadm processes via flexible mandatory access control.
-+
-+The fsadm processes execute with the fsadm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep fsadm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The fsadm_t SELinux type can be entered via the "fsadm_exec_t" file type. The default entrypoint paths for the fsadm_t domain are the following:"
-+
-+/sbin/fsck.*, /sbin/jfs_.*, /sbin/mkfs.*, /sbin/swapon.*, /sbin/resize.*fs, /sbin/losetup.*, /usr/sbin/fsck.*, /usr/sbin/jfs_.*, /usr/sbin/mkfs.*, /sbin/reiserfs(ck|tune), /usr/sbin/swapon.*, /usr/sbin/resize.*fs, /usr/sbin/losetup.*, /usr/sbin/reiserfs(ck|tune), /sbin/dump, /sbin/blkid, /sbin/fdisk, /sbin/partx, /sbin/cfdisk, /sbin/e2fsck, /sbin/e4fsck, /sbin/findfs, /sbin/hdparm, /sbin/lsraid, /sbin/mke2fs, /sbin/mke4fs, /sbin/mkraid, /sbin/parted, /sbin/sfdisk, /usr/bin/raw, /sbin/dosfsck, /sbin/e2label, /sbin/mkdosfs, /sbin/tune2fs, /sbin/blockdev, /sbin/dumpe2fs, /usr/sbin/dump, /sbin/partprobe, /sbin/raidstart, /sbin/scsi_info, /usr/sbin/blkid, /usr/sbin/fdisk, /usr/sbin/partx, /sbin/mkreiserfs, /usr/sbin/cfdisk, /usr/sbin/e2fsck, /usr/sbin/e4fsck, /usr/sbin/findfs, /usr/sbin/hdparm, /usr/sbin/lsraid, /usr/sbin/mke2fs, /usr/sbin/mke4fs, /usr/sbin/mkraid, /usr/sbin/parted, /usr/sbin/sfdisk, /sbin/install-mbr, /sbin/raidautorun, /usr/bin/syslinux, /usr/sbin/dosfsck, /usr/sbin/e2label, /usr/sbin/mkdosfs, /usr/sbin/tune2fs, /sbin/make_reiser4, /usr/sbin/blockdev, /usr/sbin/dumpe2fs, /usr/sbin/smartctl, /usr/sbin/partprobe, /usr/sbin/raidstart, /usr/sbin/scsi_info, /usr/sbin/mkreiserfs, /usr/sbin/clubufflush, /usr/sbin/install-mbr, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/bin/partition_uuid, /usr/bin/scsi_unique_id, /usr/lib/systemd/systemd-fsck
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux fsadm policy is very flexible allowing users to setup their fsadm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for fsadm:
-+
-+.EX
-+.B fsadm_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux fsadm policy is very flexible allowing users to setup their fsadm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for fsadm:
-+
-+
-+.EX
-+.PP
-+.B fsadm_exec_t
-+.EE
-+
-+- Set files with the fsadm_exec_t type, if you want to transition an executable to the fsadm_t domain.
-+
-+
-+.EX
-+.PP
-+.B fsadm_log_t
-+.EE
-+
-+- Set files with the fsadm_log_t type, if you want to treat the data as fsadm log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B fsadm_tmp_t
-+.EE
-+
-+- Set files with the fsadm_tmp_t type, if you want to store fsadm temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B fsadm_var_run_t
-+.EE
-+
-+- Set files with the fsadm_var_run_t type, if you want to store the fsadm files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type fsadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B amanda_dumpdates_t
-+
-+ /etc/dumpdates
-+.br
-+
-+.br
-+.B cifs_t
-+
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B fsadm_log_t
-+
-+ /var/log/fsck(/.*)?
-+.br
-+
-+.br
-+.B fsadm_tmp_t
-+
-+
-+.br
-+.B fsadm_var_run_t
-+
-+ /var/run/blkid(/.*)?
-+.br
-+
-+.br
-+.B hugetlbfs_t
-+
-+ /dev/hugepages
-+.br
-+ /lib/udev/devices/hugepages
-+.br
-+ /usr/lib/udev/devices/hugepages
-+.br
-+
-+.br
-+.B livecd_tmp_t
-+
-+
-+.br
-+.B lost_found_t
-+
-+ /lost\+found
-+.br
-+ /var/lost\+found
-+.br
-+ /usr/lost\+found
-+.br
-+ /tmp/lost\+found
-+.br
-+ /boot/lost\+found
-+.br
-+ /var/tmp/lost\+found
-+.br
-+ /home/lost\+found
-+.br
-+
-+.br
-+.B nfs_t
-+
-+
-+.br
-+.B swapfile_t
-+
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B tmpfs_t
-+
-+ /dev/shm
-+.br
-+ /lib/udev/devices/shm
-+.br
-+ /usr/lib/udev/devices/shm
-+.br
-+
-+.br
-+.B xen_image_t
-+
-+ /xen(/.*)?
-+.br
-+ /var/lib/xen/images(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), fsadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/fsdaemon_selinux.8 b/man/man8/fsdaemon_selinux.8
-new file mode 100644
-index 0000000..d181d7d
---- /dev/null
-+++ b/man/man8/fsdaemon_selinux.8
-@@ -0,0 +1,124 @@
-+.TH "fsdaemon_selinux" "8" "12-11-01" "fsdaemon" "SELinux Policy documentation for fsdaemon"
-+.SH "NAME"
-+fsdaemon_selinux \- Security Enhanced Linux Policy for the fsdaemon processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the fsdaemon processes via flexible mandatory access control.
-+
-+The fsdaemon processes execute with the fsdaemon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep fsdaemon_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The fsdaemon_t SELinux type can be entered via the "fsdaemon_exec_t" file type. The default entrypoint paths for the fsdaemon_t domain are the following:"
-+
-+/usr/sbin/smartd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux fsdaemon policy is very flexible allowing users to setup their fsdaemon processes in as secure a method as possible.
-+.PP
-+The following process types are defined for fsdaemon:
-+
-+.EX
-+.B fsdaemon_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux fsdaemon policy is very flexible allowing users to setup their fsdaemon processes in as secure a method as possible.
-+.PP
-+The following file types are defined for fsdaemon:
-+
-+
-+.EX
-+.PP
-+.B fsdaemon_exec_t
-+.EE
-+
-+- Set files with the fsdaemon_exec_t type, if you want to transition an executable to the fsdaemon_t domain.
-+
-+
-+.EX
-+.PP
-+.B fsdaemon_initrc_exec_t
-+.EE
-+
-+- Set files with the fsdaemon_initrc_exec_t type, if you want to transition an executable to the fsdaemon_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B fsdaemon_tmp_t
-+.EE
-+
-+- Set files with the fsdaemon_tmp_t type, if you want to store fsdaemon temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B fsdaemon_var_run_t
-+.EE
-+
-+- Set files with the fsdaemon_var_run_t type, if you want to store the fsdaemon files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type fsdaemon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B fsdaemon_tmp_t
-+
-+
-+.br
-+.B fsdaemon_var_run_t
-+
-+ /var/run/smartd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), fsdaemon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
-index 5bebd82..8460714 100644
---- a/man/man8/ftpd_selinux.8
-+++ b/man/man8/ftpd_selinux.8
-@@ -1,65 +1,608 @@
--.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation"
-+.TH "ftpd_selinux" "8" "12-11-01" "ftpd" "SELinux Policy documentation for ftpd"
- .SH "NAME"
--.PP
--ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons.
-+ftpd_selinux \- Security Enhanced Linux Policy for the ftpd processes
- .SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ftpd processes via flexible mandatory access control.
-+
-+The ftpd processes execute with the ftpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ftpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ftpd_t SELinux type can be entered via the "ftpd_exec_t" file type. The default entrypoint paths for the ftpd_t domain are the following:"
-+
-+/usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in\.ftpd, /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd, /etc/cron\.monthly/proftpd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
- .PP
--Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control.
--.SH FILE_CONTEXTS
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
- .PP
--SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files.
--.TP
--Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type.
-+Policy governs the access confined processes have to files.
-+SELinux ftpd policy is very flexible allowing users to setup their ftpd processes in as secure a method as possible.
- .PP
--.B
--semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
--.TP
--.B
--restorecon -F -R -v /var/ftp
--.TP
--Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set.
-+The following process types are defined for ftpd:
-+
-+.EX
-+.B ftpd_t, ftpdctl_t
-+.EE
- .PP
--.B
--semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
--.TP
--.B
--restorecon -F -R -v /var/ftp/incoming
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-
- .SH BOOLEANS
-+SELinux policy is customizable based on least access required. ftpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ftpd with the tightest access possible.
-+
-+
- .PP
--SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool.
--.TP
--Allow ftp servers to read and write files with the public_content_rw_t file type.
-+If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P ftpd_use_nfs 1
-+.EE
-+
- .PP
--.B
--setsebool -P allow_ftpd_anon_write on
--.TP
--Allow ftp servers to read or write files in the user home directories.
-+If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
-+
-+.EX
-+.B setsebool -P httpd_enable_ftp_server 1
-+.EE
-+
- .PP
--.B
--setsebool -P ftp_home_dir on
--.TP
--Allow ftp servers to read or write all files on the system.
-+If you want to allow ftp servers to use bind to all unreserved ports for passive mode, you must turn on the ftpd_use_passive_mode boolean.
-+
-+.EX
-+.B setsebool -P ftpd_use_passive_mode 1
-+.EE
-+
- .PP
--.B
--setsebool -P allow_ftpd_full_access on
-+If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_connect_ftp 1
-+.EE
-+
-+.PP
-+If you want to allow ftp to read and write files in the user home directories, you must turn on the ftp_home_dir boolean.
-+
-+.EX
-+.B setsebool -P ftp_home_dir 1
-+.EE
-+
-+.PP
-+If you want to allow ftp servers to connect to mysql database ports, you must turn on the ftpd_connect_db boolean.
-+
-+.EX
-+.B setsebool -P ftpd_connect_db 1
-+.EE
-+
-+.PP
-+If you want to allow ftp servers to use cifs used for public file transfer services, you must turn on the ftpd_use_cifs boolean.
-+
-+.EX
-+.B setsebool -P ftpd_use_cifs 1
-+.EE
-+
-+.PP
-+If you want to allow sftp-internal to read and write files in the user home directories, you must turn on the sftpd_enable_homedirs boolean.
-+
-+.EX
-+.B setsebool -P sftpd_enable_homedirs 1
-+.EE
-+
-+.PP
-+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
-+
-+.EX
-+.B setsebool -P sftpd_write_ssh_home 1
-+.EE
-+
-+.PP
-+If you want to allow tftp to read and write files in the user home directories, you must turn on the tftp_home_dir boolean.
-+
-+.EX
-+.B setsebool -P tftp_home_dir 1
-+.EE
-+
-+.PP
-+If you want to allow sftp-internal to login to local users and read/write all files on the system, governed by DAC, you must turn on the sftpd_full_access boolean.
-+
-+.EX
-+.B setsebool -P sftpd_full_access 1
-+.EE
-+
-+.PP
-+If you want to allow ftp servers to connect to all ports > 1023, you must turn on the ftpd_connect_all_unreserved boolean.
-+
-+.EX
-+.B setsebool -P ftpd_connect_all_unreserved 1
-+.EE
-+
-+.PP
-+If you want to allow ftp servers to login to local users and read/write all files on the system, governed by DAC, you must turn on the ftpd_full_access boolean.
-+
-+.EX
-+.B setsebool -P ftpd_full_access 1
-+.EE
-+
-+.PP
-+If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P ftpd_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
-+
-+.EX
-+.B setsebool -P httpd_enable_ftp_server 1
-+.EE
-+
-+.PP
-+If you want to allow ftp servers to use bind to all unreserved ports for passive mode, you must turn on the ftpd_use_passive_mode boolean.
-+
-+.EX
-+.B setsebool -P ftpd_use_passive_mode 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_connect_ftp 1
-+.EE
-+
-+.PP
-+If you want to allow ftp to read and write files in the user home directories, you must turn on the ftp_home_dir boolean.
-+
-+.EX
-+.B setsebool -P ftp_home_dir 1
-+.EE
-+
-+.PP
-+If you want to allow ftp servers to connect to mysql database ports, you must turn on the ftpd_connect_db boolean.
-+
-+.EX
-+.B setsebool -P ftpd_connect_db 1
-+.EE
-+
-+.PP
-+If you want to allow ftp servers to use cifs used for public file transfer services, you must turn on the ftpd_use_cifs boolean.
-+
-+.EX
-+.B setsebool -P ftpd_use_cifs 1
-+.EE
-+
-+.PP
-+If you want to allow sftp-internal to read and write files in the user home directories, you must turn on the sftpd_enable_homedirs boolean.
-+
-+.EX
-+.B setsebool -P sftpd_enable_homedirs 1
-+.EE
-+
-+.PP
-+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
-+
-+.EX
-+.B setsebool -P sftpd_write_ssh_home 1
-+.EE
-+
-+.PP
-+If you want to allow tftp to read and write files in the user home directories, you must turn on the tftp_home_dir boolean.
-+
-+.EX
-+.B setsebool -P tftp_home_dir 1
-+.EE
-+
-+.PP
-+If you want to allow sftp-internal to login to local users and read/write all files on the system, governed by DAC, you must turn on the sftpd_full_access boolean.
-+
-+.EX
-+.B setsebool -P sftpd_full_access 1
-+.EE
-+
-+.PP
-+If you want to allow ftp servers to connect to all ports > 1023, you must turn on the ftpd_connect_all_unreserved boolean.
-+
-+.EX
-+.B setsebool -P ftpd_connect_all_unreserved 1
-+.EE
-+
-+.PP
-+If you want to allow ftp servers to login to local users and read/write all files on the system, governed by DAC, you must turn on the ftpd_full_access boolean.
-+
-+.EX
-+.B setsebool -P ftpd_full_access 1
-+.EE
-+
-+.SH SHARING FILES
-+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
- .TP
--Allow ftp servers to use cifs for public file transfer services.
-+Allow ftpd servers to read the /var/ftpd directory by adding the public_content_t file type to the directory and by restoring the file type.
- .PP
- .B
--setsebool -P allow_ftpd_use_cifs on
-+semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/ftpd
-+.pp
- .TP
--Allow ftp servers to use nfs for public file transfer services.
-+Allow ftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpdd_anon_write boolean to be set.
- .PP
- .B
--setsebool -P allow_ftpd_use_nfs on
--.TP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
-+semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/ftpd/incoming
-+
-+
- .PP
--This manual page was written by Dan Walsh .
-+If you want to allow anon internal-sftp to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the sftpd_anon_write boolean.
-
--.SH "SEE ALSO"
-+.EX
-+.B setsebool -P sftpd_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the ftpd_anon_write boolean.
-+
-+.EX
-+.B setsebool -P ftpd_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean.
-+
-+.EX
-+.B setsebool -P tftp_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow anon internal-sftp to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the sftpd_anon_write boolean.
-+
-+.EX
-+.B setsebool -P sftpd_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the ftpd_anon_write boolean.
-+
-+.EX
-+.B setsebool -P ftpd_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean.
-+
-+.EX
-+.B setsebool -P tftp_anon_write 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ftpd policy is very flexible allowing users to setup their ftpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ftpd:
-+
-+
-+.EX
-+.PP
-+.B ftpd_etc_t
-+.EE
-+
-+- Set files with the ftpd_etc_t type, if you want to store ftpd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B ftpd_exec_t
-+.EE
-+
-+- Set files with the ftpd_exec_t type, if you want to transition an executable to the ftpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B ftpd_initrc_exec_t
-+.EE
-+
-+- Set files with the ftpd_initrc_exec_t type, if you want to transition an executable to the ftpd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B ftpd_keytab_t
-+.EE
-+
-+- Set files with the ftpd_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B ftpd_lock_t
-+.EE
-+
-+- Set files with the ftpd_lock_t type, if you want to treat the files as ftpd lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B ftpd_tmp_t
-+.EE
-+
-+- Set files with the ftpd_tmp_t type, if you want to store ftpd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B ftpd_tmpfs_t
-+.EE
-+
-+- Set files with the ftpd_tmpfs_t type, if you want to store ftpd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B ftpd_unit_file_t
-+.EE
-+
-+- Set files with the ftpd_unit_file_t type, if you want to treat the files as ftpd unit content.
-+
-+
-+.EX
-+.PP
-+.B ftpd_var_run_t
-+.EE
-+
-+- Set files with the ftpd_var_run_t type, if you want to store the ftpd files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B ftpdctl_exec_t
-+.EE
-+
-+- Set files with the ftpdctl_exec_t type, if you want to transition an executable to the ftpdctl_t domain.
-+
-+
-+.EX
-+.PP
-+.B ftpdctl_tmp_t
-+.EE
-+
-+- Set files with the ftpdctl_tmp_t type, if you want to store ftpdctl temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux ftpd policy is very flexible allowing users to setup their ftpd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for ftpd:
-+
-+.EX
-+.TP 5
-+.B ftp_data_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 20
-+.EE
-+
-+.EX
-+.TP 5
-+.B ftp_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 21,990
-+.EE
-+udp 990
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ftpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B ftpd_lock_t
-+
-+
-+.br
-+.B ftpd_tmp_t
-+
-+
-+.br
-+.B ftpd_tmpfs_t
-+
-+
-+.br
-+.B ftpd_var_run_t
-+
-+ /var/run/proftpd.*
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B var_auth_t
-+
-+ /var/ace(/.*)?
-+.br
-+ /var/rsa(/.*)?
-+.br
-+ /var/lib/abl(/.*)?
-+.br
-+ /var/lib/rsa(/.*)?
-+.br
-+ /var/lib/pam_ssh(/.*)?
-+.br
-+ /var/run/pam_ssh(/.*)?
-+.br
-+ /var/lib/pam_shield(/.*)?
-+.br
-+ /var/lib/google-authenticator(/.*)?
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.br
-+.B xferlog_t
-+
-+ /var/log/vsftpd.*
-+.br
-+ /var/log/xferlog.*
-+.br
-+ /var/log/proftpd(/.*)?
-+.br
-+ /var/log/xferreport.*
-+.br
-+ /var/log/muddleftpd\.log.*
-+.br
-+ /usr/libexec/webmin/vsftpd/webalizer/xfer_log
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ftpd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
- .PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-
--selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8)
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), ftpdctl_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/ftpdctl_selinux.8 b/man/man8/ftpdctl_selinux.8
-new file mode 100644
-index 0000000..c926027
---- /dev/null
-+++ b/man/man8/ftpdctl_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "ftpdctl_selinux" "8" "12-11-01" "ftpdctl" "SELinux Policy documentation for ftpdctl"
-+.SH "NAME"
-+ftpdctl_selinux \- Security Enhanced Linux Policy for the ftpdctl processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ftpdctl processes via flexible mandatory access control.
-+
-+The ftpdctl processes execute with the ftpdctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ftpdctl_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ftpdctl_t SELinux type can be entered via the "ftpdctl_exec_t" file type. The default entrypoint paths for the ftpdctl_t domain are the following:"
-+
-+/usr/bin/ftpdctl
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ftpdctl policy is very flexible allowing users to setup their ftpdctl processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ftpdctl:
-+
-+.EX
-+.B ftpdctl_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ftpdctl policy is very flexible allowing users to setup their ftpdctl processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ftpdctl:
-+
-+
-+.EX
-+.PP
-+.B ftpdctl_exec_t
-+.EE
-+
-+- Set files with the ftpdctl_exec_t type, if you want to transition an executable to the ftpdctl_t domain.
-+
-+
-+.EX
-+.PP
-+.B ftpdctl_tmp_t
-+.EE
-+
-+- Set files with the ftpdctl_tmp_t type, if you want to store ftpdctl temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ftpdctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, ftpd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/games_selinux.8 b/man/man8/games_selinux.8
-new file mode 100644
-index 0000000..3e88bfa
---- /dev/null
-+++ b/man/man8/games_selinux.8
-@@ -0,0 +1,178 @@
-+.TH "games_selinux" "8" "12-11-01" "games" "SELinux Policy documentation for games"
-+.SH "NAME"
-+games_selinux \- Security Enhanced Linux Policy for the games processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the games processes via flexible mandatory access control.
-+
-+The games processes execute with the games_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep games_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The games_t SELinux type can be entered via the "games_exec_t" file type. The default entrypoint paths for the games_t domain are the following:"
-+
-+/usr/games/.*, /usr/lib/games(/.*)?, /usr/bin/civclient.*, /usr/bin/civserver.*, /usr/bin/sol, /usr/bin/micq, /usr/bin/kolf, /usr/bin/kpat, /usr/bin/gnect, /usr/bin/gtali, /usr/bin/iagno, /usr/bin/ksame, /usr/bin/ktron, /usr/bin/kwin4, /usr/bin/lskat, /usr/bin/gataxx, /usr/bin/glines, /usr/bin/klines, /usr/bin/kmines, /usr/bin/kpoker, /usr/bin/ksnake, /usr/bin/gnomine, /usr/bin/gnotski, /usr/bin/katomic, /usr/bin/kbounce, /usr/bin/kshisen, /usr/bin/ksirtet, /usr/bin/gnibbles, /usr/bin/gnobots2, /usr/bin/mahjongg, /usr/bin/atlantik, /usr/bin/kenolaba, /usr/bin/klickety, /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/ksokoban, /usr/bin/blackjack, /usr/bin/gnotravex, /usr/bin/kblackbox, /usr/bin/kfouleggs, /usr/bin/kmahjongg, /usr/bin/kwin4proc, /usr/bin/lskatproc, /usr/bin/Maelstrom, /usr/bin/same-gnome, /usr/bin/kasteroids, /usr/bin/ksmiletris, /usr/bin/kspaceduel, /usr/bin/ktuberling, /usr/bin/kbackgammon, /usr/bin/kbattleship, /usr/bin/kgoldrunner, /usr/bin/gnome-stones, /usr/bin/kjumpingcube
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux games policy is very flexible allowing users to setup their games processes in as secure a method as possible.
-+.PP
-+The following process types are defined for games:
-+
-+.EX
-+.B games_t, games_srv_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux games policy is very flexible allowing users to setup their games processes in as secure a method as possible.
-+.PP
-+The following file types are defined for games:
-+
-+
-+.EX
-+.PP
-+.B games_data_t
-+.EE
-+
-+- Set files with the games_data_t type, if you want to treat the files as games content.
-+
-+
-+.EX
-+.PP
-+.B games_exec_t
-+.EE
-+
-+- Set files with the games_exec_t type, if you want to transition an executable to the games_t domain.
-+
-+
-+.EX
-+.PP
-+.B games_srv_var_run_t
-+.EE
-+
-+- Set files with the games_srv_var_run_t type, if you want to store the games srv files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B games_tmp_t
-+.EE
-+
-+- Set files with the games_tmp_t type, if you want to store games temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B games_tmpfs_t
-+.EE
-+
-+- Set files with the games_tmpfs_t type, if you want to store games files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type games_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B games_data_t
-+
-+ /var/games(/.*)?
-+.br
-+ /var/lib/games(/.*)?
-+.br
-+
-+.br
-+.B games_tmp_t
-+
-+
-+.br
-+.B games_tmpfs_t
-+
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), games(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/gconfd_selinux.8 b/man/man8/gconfd_selinux.8
-new file mode 100644
-index 0000000..18de510
---- /dev/null
-+++ b/man/man8/gconfd_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "gconfd_selinux" "8" "12-11-01" "gconfd" "SELinux Policy documentation for gconfd"
-+.SH "NAME"
-+gconfd_selinux \- Security Enhanced Linux Policy for the gconfd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the gconfd processes via flexible mandatory access control.
-+
-+The gconfd processes execute with the gconfd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep gconfd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The gconfd_t SELinux type can be entered via the "gconfd_exec_t" file type. The default entrypoint paths for the gconfd_t domain are the following:"
-+
-+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux gconfd policy is very flexible allowing users to setup their gconfd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for gconfd:
-+
-+.EX
-+.B gconfdefaultsm_t, gconfd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux gconfd policy is very flexible allowing users to setup their gconfd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for gconfd:
-+
-+
-+.EX
-+.PP
-+.B gconfd_exec_t
-+.EE
-+
-+- Set files with the gconfd_exec_t type, if you want to transition an executable to the gconfd_t domain.
-+
-+
-+.EX
-+.PP
-+.B gconfdefaultsm_exec_t
-+.EE
-+
-+- Set files with the gconfdefaultsm_exec_t type, if you want to transition an executable to the gconfdefaultsm_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type gconfd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B gconf_home_t
-+
-+ /root/\.local.*
-+.br
-+ /root/\.gconf(d)?(/.*)?
-+.br
-+ /home/[^/]*/\.local.*
-+.br
-+ /home/[^/]*/\.gconf(d)?(/.*)?
-+.br
-+ /home/dwalsh/\.local.*
-+.br
-+ /home/dwalsh/\.gconf(d)?(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.local.*
-+.br
-+ /var/lib/xguest/home/xguest/\.gconf(d)?(/.*)?
-+.br
-+
-+.br
-+.B gconf_tmp_t
-+
-+ /tmp/gconfd-.*/.*
-+.br
-+ /tmp/gconfd-dwalsh/.*
-+.br
-+ /tmp/gconfd-xguest/.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), gconfd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, gconfdefaultsm_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/gconfdefaultsm_selinux.8 b/man/man8/gconfdefaultsm_selinux.8
-new file mode 100644
-index 0000000..a13ef31
---- /dev/null
-+++ b/man/man8/gconfdefaultsm_selinux.8
-@@ -0,0 +1,117 @@
-+.TH "gconfdefaultsm_selinux" "8" "12-11-01" "gconfdefaultsm" "SELinux Policy documentation for gconfdefaultsm"
-+.SH "NAME"
-+gconfdefaultsm_selinux \- Security Enhanced Linux Policy for the gconfdefaultsm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the gconfdefaultsm processes via flexible mandatory access control.
-+
-+The gconfdefaultsm processes execute with the gconfdefaultsm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep gconfdefaultsm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The gconfdefaultsm_t SELinux type can be entered via the "gconfdefaultsm_exec_t" file type. The default entrypoint paths for the gconfdefaultsm_t domain are the following:"
-+
-+/usr/libexec/gconf-defaults-mechanism
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux gconfdefaultsm policy is very flexible allowing users to setup their gconfdefaultsm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for gconfdefaultsm:
-+
-+.EX
-+.B gconfdefaultsm_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux gconfdefaultsm policy is very flexible allowing users to setup their gconfdefaultsm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for gconfdefaultsm:
-+
-+
-+.EX
-+.PP
-+.B gconfdefaultsm_exec_t
-+.EE
-+
-+- Set files with the gconfdefaultsm_exec_t type, if you want to transition an executable to the gconfdefaultsm_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type gconfdefaultsm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B gconf_etc_t
-+
-+ /etc/gconf(/.*)?
-+.br
-+
-+.br
-+.B gconf_home_t
-+
-+ /root/\.local.*
-+.br
-+ /root/\.gconf(d)?(/.*)?
-+.br
-+ /home/[^/]*/\.local.*
-+.br
-+ /home/[^/]*/\.gconf(d)?(/.*)?
-+.br
-+ /home/dwalsh/\.local.*
-+.br
-+ /home/dwalsh/\.gconf(d)?(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.local.*
-+.br
-+ /var/lib/xguest/home/xguest/\.gconf(d)?(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), gconfdefaultsm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, gconfd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/getty_selinux.8 b/man/man8/getty_selinux.8
-new file mode 100644
-index 0000000..d3c311a
---- /dev/null
-+++ b/man/man8/getty_selinux.8
-@@ -0,0 +1,212 @@
-+.TH "getty_selinux" "8" "12-11-01" "getty" "SELinux Policy documentation for getty"
-+.SH "NAME"
-+getty_selinux \- Security Enhanced Linux Policy for the getty processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the getty processes via flexible mandatory access control.
-+
-+The getty processes execute with the getty_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep getty_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The getty_t SELinux type can be entered via the "getty_exec_t" file type. The default entrypoint paths for the getty_t domain are the following:"
-+
-+/sbin/.*getty, /usr/sbin/.*getty
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux getty policy is very flexible allowing users to setup their getty processes in as secure a method as possible.
-+.PP
-+The following process types are defined for getty:
-+
-+.EX
-+.B getty_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux getty policy is very flexible allowing users to setup their getty processes in as secure a method as possible.
-+.PP
-+The following file types are defined for getty:
-+
-+
-+.EX
-+.PP
-+.B getty_etc_t
-+.EE
-+
-+- Set files with the getty_etc_t type, if you want to store getty files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B getty_exec_t
-+.EE
-+
-+- Set files with the getty_exec_t type, if you want to transition an executable to the getty_t domain.
-+
-+
-+.EX
-+.PP
-+.B getty_lock_t
-+.EE
-+
-+- Set files with the getty_lock_t type, if you want to treat the files as getty lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B getty_log_t
-+.EE
-+
-+- Set files with the getty_log_t type, if you want to treat the data as getty log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B getty_tmp_t
-+.EE
-+
-+- Set files with the getty_tmp_t type, if you want to store getty temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B getty_unit_file_t
-+.EE
-+
-+- Set files with the getty_unit_file_t type, if you want to treat the files as getty unit content.
-+
-+
-+.EX
-+.PP
-+.B getty_var_run_t
-+.EE
-+
-+- Set files with the getty_var_run_t type, if you want to store the getty files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type getty_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B getty_lock_t
-+
-+
-+.br
-+.B getty_log_t
-+
-+ /var/log/mgetty\.log.*
-+.br
-+ /var/log/vgetty\.log\..*
-+.br
-+
-+.br
-+.B getty_tmp_t
-+
-+
-+.br
-+.B getty_var_run_t
-+
-+ /var/spool/fax(/.*)?
-+.br
-+ /var/spool/voice(/.*)?
-+.br
-+ /var/run/mgetty\.pid.*
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B var_run_t
-+
-+ /run/.*
-+.br
-+ /var/run/.*
-+.br
-+ /run
-+.br
-+ /var/run
-+.br
-+ /var/run
-+.br
-+ /var/spool/postfix/pid
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the getty_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the getty_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), getty(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/gfs_controld_selinux.8 b/man/man8/gfs_controld_selinux.8
-new file mode 100644
-index 0000000..d464731
---- /dev/null
-+++ b/man/man8/gfs_controld_selinux.8
-@@ -0,0 +1,160 @@
-+.TH "gfs_controld_selinux" "8" "12-11-01" "gfs_controld" "SELinux Policy documentation for gfs_controld"
-+.SH "NAME"
-+gfs_controld_selinux \- Security Enhanced Linux Policy for the gfs_controld processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the gfs_controld processes via flexible mandatory access control.
-+
-+The gfs_controld processes execute with the gfs_controld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep gfs_controld_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The gfs_controld_t SELinux type can be entered via the "gfs_controld_exec_t" file type. The default entrypoint paths for the gfs_controld_t domain are the following:"
-+
-+/usr/sbin/gfs_controld
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux gfs_controld policy is very flexible allowing users to setup their gfs_controld processes in as secure a method as possible.
-+.PP
-+The following process types are defined for gfs_controld:
-+
-+.EX
-+.B gfs_controld_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux gfs_controld policy is very flexible allowing users to setup their gfs_controld processes in as secure a method as possible.
-+.PP
-+The following file types are defined for gfs_controld:
-+
-+
-+.EX
-+.PP
-+.B gfs_controld_exec_t
-+.EE
-+
-+- Set files with the gfs_controld_exec_t type, if you want to transition an executable to the gfs_controld_t domain.
-+
-+
-+.EX
-+.PP
-+.B gfs_controld_tmpfs_t
-+.EE
-+
-+- Set files with the gfs_controld_tmpfs_t type, if you want to store gfs controld files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B gfs_controld_var_log_t
-+.EE
-+
-+- Set files with the gfs_controld_var_log_t type, if you want to treat the data as gfs controld var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B gfs_controld_var_run_t
-+.EE
-+
-+- Set files with the gfs_controld_var_run_t type, if you want to store the gfs controld files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type gfs_controld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cluster_var_lib_t
-+
-+ /var/lib/cluster(/.*)?
-+.br
-+
-+.br
-+.B gfs_controld_tmpfs_t
-+
-+
-+.br
-+.B gfs_controld_var_log_t
-+
-+ /var/log/cluster/gfs_controld\.log.*
-+.br
-+
-+.br
-+.B gfs_controld_var_run_t
-+
-+ /var/run/gfs_controld\.pid
-+.br
-+
-+.br
-+.B initrc_tmp_t
-+
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gfs_controld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the gfs_controld_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), gfs_controld(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8
-deleted file mode 100644
-index e9c43b1..0000000
---- a/man/man8/git_selinux.8
-+++ /dev/null
-@@ -1,109 +0,0 @@
--.TH "git_selinux" "8" "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation"
--.de EX
--.nf
--.ft CW
--..
--.de EE
--.ft R
--.fi
--..
--.SH "NAME"
--git_selinux \- Security Enhanced Linux Policy for the Git daemon.
--.SH "DESCRIPTION"
--Security-Enhanced Linux secures the Git server via flexible mandatory access
--control.
--.SH FILE_CONTEXTS
--SELinux requires files to have an extended attribute to define the file type.
--Policy governs the access daemons have to these files.
--SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible.
--.PP
--The following file contexts types are by default defined for Git:
--.EX
--git_system_content_t
--.EE
--- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
--.EX
--git_session_content_t
--.EE
--- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
--.SH BOOLEANS
--SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
--.PP
--Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories.
--.EX
--sudo setsebool -P git_system_enable_homedirs 1
--.EE
--.PP
--Allow the Git system daemon to read system shared repositories on NFS shares.
--.EX
--sudo setsebool -P git_system_use_nfs 1
--.EE
--.PP
--Allow the Git system daemon to read system shared repositories on Samba shares.
--.EX
--sudo setsebool -P git_system_use_cifs 1
--.EE
--.PP
--Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
--.EX
--sudo setsebool -P use_nfs_home_dirs 1
--.EE
--.PP
--Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
--.EX
--sudo setsebool -P use_samba_home_dirs 1
--.EE
--.PP
--To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories.
--.EX
--sudo setsebool -P git_system_enable_homedirs 1
--.EE
--.PP
--To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
--.EX
--sudo setsebool -P git_session_bind_all_unreserved_ports 1
--.EE
--.SH GIT_SHELL
--The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
--.PP
--To add a new Linux user and map him to this Git shell user domain automatically:
--.EX
--sudo useradd -Z git_shell_u joe
--.EE
--.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
--Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content.
--.PP
--To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
--.EX
--policy_module(project1, 1.0.0)
--git_content_template(project1)
--.EE
--Next create a file named project1.fc and add a file context specification for the new repository type to it:
--.EX
--/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
--.EE
--Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
--.EX
--make -f /usr/share/selinux/devel/Makefile project.pp
--sudo semodule -i project1.pp
--sudo restorecon -R -v /srv/git/project1
--.EE
--To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
--.EX
--policy_module(project1user, 1.0.0)
--git_role_template(project1user)
--git_content_delegation(project1user_t, git_project1_content_t)
--gen_user(project1user_u, user, project1user_r, s0, s0)
--.EE
--Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user:
--.EX
--make -f /usr/share/selinux/devel/Makefile project1user.pp
--sudo semodule -i project1user.pp
--sudo useradd -Z project1user_u jane
--.EE
--.PP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
--This manual page was written by Dominick Grift .
--.SH "SEE ALSO"
--selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
-diff --git a/man/man8/git_shell_selinux.8 b/man/man8/git_shell_selinux.8
-new file mode 100644
-index 0000000..f991f0f
---- /dev/null
-+++ b/man/man8/git_shell_selinux.8
-@@ -0,0 +1,133 @@
-+.TH "git_shell_selinux" "8" "git_shell" "mgrepl@redhat.com" "git_shell SELinux Policy documentation"
-+.SH "NAME"
-+git_shell_u \- \fBgit_shell user role\fP - Security Enhanced Linux Policy
-+
-+.SH DESCRIPTION
-+
-+\fBgit_shell_u\fP is an SELinux User defined in the SELinux
-+policy. SELinux users have default roles, \fBgit_shell_r\fP. The
-+default role has a default type, \fBgit_shell_t\fP, associated with it.
-+
-+The SELinux user will usually login to a system with a context that looks like:
-+
-+.B git_shell_u:git_shell_r:git_shell_t:s0-s0:c0.c1023
-+
-+Linux users are automatically assigned an SELinux users at login.
-+Login programs use the SELinux User to assign initial context to the user's shell.
-+
-+SELinux policy uses the context to control the user's access.
-+
-+By default all users are assigned to the SELinux user via the \fB__default__\fP flag
-+
-+On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
-+
-+You can list all Linux User to SELinux user mapping using:
-+
-+.B semanage login -l
-+
-+If you wanted to change the default user mapping to use the git_shell_u user, you would execute:
-+
-+.B semanage login -m -s git_shell_u __default__
-+
-+
-+.SH USER DESCRIPTION
-+
-+The SELinux user git_shell_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
-+
-+.SH SUDO
-+
-+.SH X WINDOWS LOGIN
-+
-+The SELinux user git_shell_u is not able to X Windows login.
-+
-+.SH NETWORK
-+
-+.TP
-+The SELinux user git_shell_u is able to connect to the following tcp ports.
-+
-+.B dns_port_t: 53
-+
-+.B ocsp_port_t: 9080
-+
-+.B kerberos_port_t: 88,750,4444
-+
-+.TP
-+The SELinux user git_shell_u is able to connect to the following tcp ports.
-+
-+.B dns_port_t: 53
-+
-+.B ocsp_port_t: 9080
-+
-+.B kerberos_port_t: 88,750,4444
-+
-+.SH HOME_EXEC
-+
-+The SELinux user git_shell_u is able execute home content files.
-+
-+.SH TRANSITIONS
-+
-+Three things can happen when git_shell_t attempts to execute a program.
-+
-+\fB1.\fP SELinux Policy can deny git_shell_t from executing the program.
-+
-+.TP
-+
-+\fB2.\fP SELinux Policy can allow git_shell_t to execute the program in the current user type.
-+
-+Execute the following to see the types that the SELinux user git_shell_t can execute without transitioning:
-+
-+.B search -A -s git_shell_t -c file -p execute_no_trans
-+
-+.TP
-+
-+\fB3.\fP SELinux can allow git_shell_t to execute the program and transition to a new type.
-+
-+Execute the following to see the types that the SELinux user git_shell_t can execute and transition:
-+
-+.B $ search -A -s git_shell_t -c process -p transition
-+
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type git_shell_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B alsa_home_t
-+
-+ /home/[^/]*/\.asoundrc
-+.br
-+ /home/dwalsh/\.asoundrc
-+.br
-+ /var/lib/xguest/home/xguest/\.asoundrc
-+.br
-+
-+.br
-+.B git_sys_content_t
-+
-+ /srv/git(/.*)?
-+.br
-+ /var/lib/git(/.*)?
-+.br
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), git_shell(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, gitosis_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/gitosis_selinux.8 b/man/man8/gitosis_selinux.8
-new file mode 100644
-index 0000000..56b4bdf
---- /dev/null
-+++ b/man/man8/gitosis_selinux.8
-@@ -0,0 +1,128 @@
-+.TH "gitosis_selinux" "8" "12-11-01" "gitosis" "SELinux Policy documentation for gitosis"
-+.SH "NAME"
-+gitosis_selinux \- Security Enhanced Linux Policy for the gitosis processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the gitosis processes via flexible mandatory access control.
-+
-+The gitosis processes execute with the gitosis_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep gitosis_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The gitosis_t SELinux type can be entered via the "gitosis_exec_t" file type. The default entrypoint paths for the gitosis_t domain are the following:"
-+
-+/usr/bin/gitosis-serve, /usr/bin/gl-auth-command
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux gitosis policy is very flexible allowing users to setup their gitosis processes in as secure a method as possible.
-+.PP
-+The following process types are defined for gitosis:
-+
-+.EX
-+.B gitosis_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. gitosis policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gitosis with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean.
-+
-+.EX
-+.B setsebool -P gitosis_can_sendmail 1
-+.EE
-+
-+.PP
-+If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean.
-+
-+.EX
-+.B setsebool -P gitosis_can_sendmail 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux gitosis policy is very flexible allowing users to setup their gitosis processes in as secure a method as possible.
-+.PP
-+The following file types are defined for gitosis:
-+
-+
-+.EX
-+.PP
-+.B gitosis_exec_t
-+.EE
-+
-+- Set files with the gitosis_exec_t type, if you want to transition an executable to the gitosis_t domain.
-+
-+
-+.EX
-+.PP
-+.B gitosis_var_lib_t
-+.EE
-+
-+- Set files with the gitosis_var_lib_t type, if you want to store the gitosis files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type gitosis_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B gitosis_var_lib_t
-+
-+ /var/lib/gitosis(/.*)?
-+.br
-+ /var/lib/gitolite(3)?(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), gitosis(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/glance_api_selinux.8 b/man/man8/glance_api_selinux.8
-new file mode 100644
-index 0000000..f7a5295
---- /dev/null
-+++ b/man/man8/glance_api_selinux.8
-@@ -0,0 +1,121 @@
-+.TH "glance_api_selinux" "8" "12-11-01" "glance_api" "SELinux Policy documentation for glance_api"
-+.SH "NAME"
-+glance_api_selinux \- Security Enhanced Linux Policy for the glance_api processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the glance_api processes via flexible mandatory access control.
-+
-+The glance_api processes execute with the glance_api_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep glance_api_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The glance_api_t SELinux type can be entered via the "glance_api_exec_t" file type. The default entrypoint paths for the glance_api_t domain are the following:"
-+
-+/usr/bin/glance-api
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux glance_api policy is very flexible allowing users to setup their glance_api processes in as secure a method as possible.
-+.PP
-+The following process types are defined for glance_api:
-+
-+.EX
-+.B glance_api_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux glance_api policy is very flexible allowing users to setup their glance_api processes in as secure a method as possible.
-+.PP
-+The following file types are defined for glance_api:
-+
-+
-+.EX
-+.PP
-+.B glance_api_exec_t
-+.EE
-+
-+- Set files with the glance_api_exec_t type, if you want to transition an executable to the glance_api_t domain.
-+
-+
-+.EX
-+.PP
-+.B glance_api_initrc_exec_t
-+.EE
-+
-+- Set files with the glance_api_initrc_exec_t type, if you want to transition an executable to the glance_api_initrc_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type glance_api_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B glance_log_t
-+
-+ /var/log/glance(/.*)?
-+.br
-+
-+.br
-+.B glance_tmp_t
-+
-+
-+.br
-+.B glance_var_lib_t
-+
-+ /var/lib/glance(/.*)?
-+.br
-+
-+.br
-+.B glance_var_run_t
-+
-+ /var/run/glance(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), glance_api(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, glance_registry_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/glance_registry_selinux.8 b/man/man8/glance_registry_selinux.8
-new file mode 100644
-index 0000000..1846d51
---- /dev/null
-+++ b/man/man8/glance_registry_selinux.8
-@@ -0,0 +1,157 @@
-+.TH "glance_registry_selinux" "8" "12-11-01" "glance_registry" "SELinux Policy documentation for glance_registry"
-+.SH "NAME"
-+glance_registry_selinux \- Security Enhanced Linux Policy for the glance_registry processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the glance_registry processes via flexible mandatory access control.
-+
-+The glance_registry processes execute with the glance_registry_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep glance_registry_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The glance_registry_t SELinux type can be entered via the "glance_registry_exec_t" file type. The default entrypoint paths for the glance_registry_t domain are the following:"
-+
-+/usr/bin/glance-registry
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux glance_registry policy is very flexible allowing users to setup their glance_registry processes in as secure a method as possible.
-+.PP
-+The following process types are defined for glance_registry:
-+
-+.EX
-+.B glance_registry_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux glance_registry policy is very flexible allowing users to setup their glance_registry processes in as secure a method as possible.
-+.PP
-+The following file types are defined for glance_registry:
-+
-+
-+.EX
-+.PP
-+.B glance_registry_exec_t
-+.EE
-+
-+- Set files with the glance_registry_exec_t type, if you want to transition an executable to the glance_registry_t domain.
-+
-+
-+.EX
-+.PP
-+.B glance_registry_initrc_exec_t
-+.EE
-+
-+- Set files with the glance_registry_initrc_exec_t type, if you want to transition an executable to the glance_registry_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B glance_registry_tmp_t
-+.EE
-+
-+- Set files with the glance_registry_tmp_t type, if you want to store glance registry temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux glance_registry policy is very flexible allowing users to setup their glance_registry processes in as secure a method as possible.
-+.PP
-+The following port types are defined for glance_registry:
-+
-+.EX
-+.TP 5
-+.B glance_registry_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 9191
-+.EE
-+udp 9191
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type glance_registry_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B glance_log_t
-+
-+ /var/log/glance(/.*)?
-+.br
-+
-+.br
-+.B glance_registry_tmp_t
-+
-+
-+.br
-+.B glance_var_lib_t
-+
-+ /var/lib/glance(/.*)?
-+.br
-+
-+.br
-+.B glance_var_run_t
-+
-+ /var/run/glance(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), glance_registry(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, glance_api_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/glusterd_selinux.8 b/man/man8/glusterd_selinux.8
-new file mode 100644
-index 0000000..b54fc9a
---- /dev/null
-+++ b/man/man8/glusterd_selinux.8
-@@ -0,0 +1,182 @@
-+.TH "glusterd_selinux" "8" "12-11-01" "glusterd" "SELinux Policy documentation for glusterd"
-+.SH "NAME"
-+glusterd_selinux \- Security Enhanced Linux Policy for the glusterd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the glusterd processes via flexible mandatory access control.
-+
-+The glusterd processes execute with the glusterd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep glusterd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The glusterd_t SELinux type can be entered via the "glusterd_exec_t" file type. The default entrypoint paths for the glusterd_t domain are the following:"
-+
-+/opt/glusterfs/[^/]+/sbin/glusterfsd, /usr/sbin/glusterfsd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux glusterd policy is very flexible allowing users to setup their glusterd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for glusterd:
-+
-+.EX
-+.B glusterd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux glusterd policy is very flexible allowing users to setup their glusterd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for glusterd:
-+
-+
-+.EX
-+.PP
-+.B glusterd_etc_t
-+.EE
-+
-+- Set files with the glusterd_etc_t type, if you want to store glusterd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B glusterd_exec_t
-+.EE
-+
-+- Set files with the glusterd_exec_t type, if you want to transition an executable to the glusterd_t domain.
-+
-+
-+.EX
-+.PP
-+.B glusterd_initrc_exec_t
-+.EE
-+
-+- Set files with the glusterd_initrc_exec_t type, if you want to transition an executable to the glusterd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B glusterd_log_t
-+.EE
-+
-+- Set files with the glusterd_log_t type, if you want to treat the data as glusterd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B glusterd_tmp_t
-+.EE
-+
-+- Set files with the glusterd_tmp_t type, if you want to store glusterd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B glusterd_var_lib_t
-+.EE
-+
-+- Set files with the glusterd_var_lib_t type, if you want to store the glusterd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B glusterd_var_run_t
-+.EE
-+
-+- Set files with the glusterd_var_run_t type, if you want to store the glusterd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type glusterd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B glusterd_etc_t
-+
-+ /etc/glusterd(/.*)?
-+.br
-+ /etc/glusterfs(/.*)?
-+.br
-+
-+.br
-+.B glusterd_log_t
-+
-+ /var/log/glusterfs(/.*)?
-+.br
-+
-+.br
-+.B glusterd_tmp_t
-+
-+
-+.br
-+.B glusterd_var_lib_t
-+
-+
-+.br
-+.B glusterd_var_run_t
-+
-+ /var/run/glusterd(/.*)?
-+.br
-+ /var/run/glusterd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the glusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the glusterd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), glusterd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/gnomeclock_selinux.8 b/man/man8/gnomeclock_selinux.8
-new file mode 100644
-index 0000000..3f491fb
---- /dev/null
-+++ b/man/man8/gnomeclock_selinux.8
-@@ -0,0 +1,144 @@
-+.TH "gnomeclock_selinux" "8" "12-11-01" "gnomeclock" "SELinux Policy documentation for gnomeclock"
-+.SH "NAME"
-+gnomeclock_selinux \- Security Enhanced Linux Policy for the gnomeclock processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the gnomeclock processes via flexible mandatory access control.
-+
-+The gnomeclock processes execute with the gnomeclock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep gnomeclock_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The gnomeclock_t SELinux type can be entered via the "gnomeclock_exec_t" file type. The default entrypoint paths for the gnomeclock_t domain are the following:"
-+
-+/usr/libexec/kde(3|4)/kcmdatetimehelper, /usr/lib/systemd/systemd-timedated, /usr/libexec/gsd-datetime-mechanism, /usr/libexec/gnome-clock-applet-mechanism
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux gnomeclock policy is very flexible allowing users to setup their gnomeclock processes in as secure a method as possible.
-+.PP
-+The following process types are defined for gnomeclock:
-+
-+.EX
-+.B gnomeclock_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux gnomeclock policy is very flexible allowing users to setup their gnomeclock processes in as secure a method as possible.
-+.PP
-+The following file types are defined for gnomeclock:
-+
-+
-+.EX
-+.PP
-+.B gnomeclock_exec_t
-+.EE
-+
-+- Set files with the gnomeclock_exec_t type, if you want to transition an executable to the gnomeclock_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type gnomeclock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B config_usr_t
-+
-+ /usr/share/config(/.*)?
-+.br
-+
-+.br
-+.B locale_t
-+
-+ /etc/locale.conf
-+.br
-+ /usr/lib/locale(/.*)?
-+.br
-+ /usr/share/locale(/.*)?
-+.br
-+ /usr/share/zoneinfo(/.*)?
-+.br
-+ /usr/share/X11/locale(/.*)?
-+.br
-+ /etc/timezone
-+.br
-+ /etc/localtime
-+.br
-+ /etc/sysconfig/clock
-+.br
-+ /etc/avahi/etc/localtime
-+.br
-+ /var/empty/sshd/etc/localtime
-+.br
-+ /var/spool/postfix/etc/localtime
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gnomeclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the gnomeclock_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), gnomeclock(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/gnomesystemmm_selinux.8 b/man/man8/gnomesystemmm_selinux.8
-new file mode 100644
-index 0000000..a1956e7
---- /dev/null
-+++ b/man/man8/gnomesystemmm_selinux.8
-@@ -0,0 +1,96 @@
-+.TH "gnomesystemmm_selinux" "8" "12-11-01" "gnomesystemmm" "SELinux Policy documentation for gnomesystemmm"
-+.SH "NAME"
-+gnomesystemmm_selinux \- Security Enhanced Linux Policy for the gnomesystemmm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the gnomesystemmm processes via flexible mandatory access control.
-+
-+The gnomesystemmm processes execute with the gnomesystemmm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep gnomesystemmm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The gnomesystemmm_t SELinux type can be entered via the "gnomesystemmm_exec_t" file type. The default entrypoint paths for the gnomesystemmm_t domain are the following:"
-+
-+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper, /usr/libexec/gnome-system-monitor-mechanism
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux gnomesystemmm policy is very flexible allowing users to setup their gnomesystemmm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for gnomesystemmm:
-+
-+.EX
-+.B gnomesystemmm_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux gnomesystemmm policy is very flexible allowing users to setup their gnomesystemmm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for gnomesystemmm:
-+
-+
-+.EX
-+.PP
-+.B gnomesystemmm_exec_t
-+.EE
-+
-+- Set files with the gnomesystemmm_exec_t type, if you want to transition an executable to the gnomesystemmm_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type gnomesystemmm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B config_usr_t
-+
-+ /usr/share/config(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), gnomesystemmm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/gpg_agent_selinux.8 b/man/man8/gpg_agent_selinux.8
-new file mode 100644
-index 0000000..c5861f9
---- /dev/null
-+++ b/man/man8/gpg_agent_selinux.8
-@@ -0,0 +1,144 @@
-+.TH "gpg_agent_selinux" "8" "12-11-01" "gpg_agent" "SELinux Policy documentation for gpg_agent"
-+.SH "NAME"
-+gpg_agent_selinux \- Security Enhanced Linux Policy for the gpg_agent processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the gpg_agent processes via flexible mandatory access control.
-+
-+The gpg_agent processes execute with the gpg_agent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep gpg_agent_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The gpg_agent_t SELinux type can be entered via the "gpg_agent_exec_t" file type. The default entrypoint paths for the gpg_agent_t domain are the following:"
-+
-+/usr/bin/gpg-agent
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux gpg_agent policy is very flexible allowing users to setup their gpg_agent processes in as secure a method as possible.
-+.PP
-+The following process types are defined for gpg_agent:
-+
-+.EX
-+.B gpg_agent_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. gpg_agent policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg_agent with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean.
-+
-+.EX
-+.B setsebool -P gpg_agent_env_file 1
-+.EE
-+
-+.PP
-+If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean.
-+
-+.EX
-+.B setsebool -P gpg_agent_env_file 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux gpg_agent policy is very flexible allowing users to setup their gpg_agent processes in as secure a method as possible.
-+.PP
-+The following file types are defined for gpg_agent:
-+
-+
-+.EX
-+.PP
-+.B gpg_agent_exec_t
-+.EE
-+
-+- Set files with the gpg_agent_exec_t type, if you want to transition an executable to the gpg_agent_t domain.
-+
-+
-+.EX
-+.PP
-+.B gpg_agent_tmp_t
-+.EE
-+
-+- Set files with the gpg_agent_tmp_t type, if you want to store gpg agent temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type gpg_agent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B gpg_agent_tmp_t
-+
-+ /home/[^/]*/\.gnupg/log-socket
-+.br
-+ /home/dwalsh/\.gnupg/log-socket
-+.br
-+ /var/lib/xguest/home/xguest/\.gnupg/log-socket
-+.br
-+
-+.br
-+.B gpg_secret_t
-+
-+ /root/\.gnupg(/.+)?
-+.br
-+ /etc/mail/spamassassin/sa-update-keys(/.*)?
-+.br
-+ /home/[^/]*/\.gnupg(/.+)?
-+.br
-+ /home/dwalsh/\.gnupg(/.+)?
-+.br
-+ /var/lib/xguest/home/xguest/\.gnupg(/.+)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), gpg_agent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), gpg_selinux(8), gpg_selinux(8), gpg_helper_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/gpg_helper_selinux.8 b/man/man8/gpg_helper_selinux.8
-new file mode 100644
-index 0000000..b331e87
---- /dev/null
-+++ b/man/man8/gpg_helper_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "gpg_helper_selinux" "8" "12-11-01" "gpg_helper" "SELinux Policy documentation for gpg_helper"
-+.SH "NAME"
-+gpg_helper_selinux \- Security Enhanced Linux Policy for the gpg_helper processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the gpg_helper processes via flexible mandatory access control.
-+
-+The gpg_helper processes execute with the gpg_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep gpg_helper_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The gpg_helper_t SELinux type can be entered via the "gpg_helper_exec_t" file type. The default entrypoint paths for the gpg_helper_t domain are the following:"
-+
-+/usr/lib/gnupg/gpgkeys.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux gpg_helper policy is very flexible allowing users to setup their gpg_helper processes in as secure a method as possible.
-+.PP
-+The following process types are defined for gpg_helper:
-+
-+.EX
-+.B gpg_helper_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux gpg_helper policy is very flexible allowing users to setup their gpg_helper processes in as secure a method as possible.
-+.PP
-+The following file types are defined for gpg_helper:
-+
-+
-+.EX
-+.PP
-+.B gpg_helper_exec_t
-+.EE
-+
-+- Set files with the gpg_helper_exec_t type, if you want to transition an executable to the gpg_helper_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpg_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the gpg_helper_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), gpg_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, gpg_selinux(8), gpg_selinux(8), gpg_agent_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/gpg_selinux.8 b/man/man8/gpg_selinux.8
-new file mode 100644
-index 0000000..4748f85
---- /dev/null
-+++ b/man/man8/gpg_selinux.8
-@@ -0,0 +1,361 @@
-+.TH "gpg_selinux" "8" "12-11-01" "gpg" "SELinux Policy documentation for gpg"
-+.SH "NAME"
-+gpg_selinux \- Security Enhanced Linux Policy for the gpg processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the gpg processes via flexible mandatory access control.
-+
-+The gpg processes execute with the gpg_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep gpg_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The gpg_t SELinux type can be entered via the "gpg_exec_t" file type. The default entrypoint paths for the gpg_t domain are the following:"
-+
-+/usr/bin/gpg(2)?, /usr/lib/gnupg/.*, /usr/bin/gpgsm
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux gpg policy is very flexible allowing users to setup their gpg processes in as secure a method as possible.
-+.PP
-+The following process types are defined for gpg:
-+
-+.EX
-+.B gpg_t, gpg_pinentry_t, gpg_helper_t, gpg_web_t, gpg_agent_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. gpg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_gpg 1
-+.EE
-+
-+.PP
-+If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean.
-+
-+.EX
-+.B setsebool -P gpg_agent_env_file 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_gpg 1
-+.EE
-+
-+.PP
-+If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean.
-+
-+.EX
-+.B setsebool -P gpg_agent_env_file 1
-+.EE
-+
-+.SH SHARING FILES
-+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
-+.TP
-+Allow gpg servers to read the /var/gpg directory by adding the public_content_t file type to the directory and by restoring the file type.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_t "/var/gpg(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/gpg
-+.pp
-+.TP
-+Allow gpg servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_gpgd_anon_write boolean to be set.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_rw_t "/var/gpg/incoming(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/gpg/incoming
-+
-+
-+.PP
-+If you want to allow gpg web domain to modify public files used for public file transfer services., you must turn on the gpg_web_anon_write boolean.
-+
-+.EX
-+.B setsebool -P gpg_web_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow gpg web domain to modify public files used for public file transfer services., you must turn on the gpg_web_anon_write boolean.
-+
-+.EX
-+.B setsebool -P gpg_web_anon_write 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux gpg policy is very flexible allowing users to setup their gpg processes in as secure a method as possible.
-+.PP
-+The following file types are defined for gpg:
-+
-+
-+.EX
-+.PP
-+.B gpg_agent_exec_t
-+.EE
-+
-+- Set files with the gpg_agent_exec_t type, if you want to transition an executable to the gpg_agent_t domain.
-+
-+
-+.EX
-+.PP
-+.B gpg_agent_tmp_t
-+.EE
-+
-+- Set files with the gpg_agent_tmp_t type, if you want to store gpg agent temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B gpg_exec_t
-+.EE
-+
-+- Set files with the gpg_exec_t type, if you want to transition an executable to the gpg_t domain.
-+
-+
-+.EX
-+.PP
-+.B gpg_helper_exec_t
-+.EE
-+
-+- Set files with the gpg_helper_exec_t type, if you want to transition an executable to the gpg_helper_t domain.
-+
-+
-+.EX
-+.PP
-+.B gpg_pinentry_tmp_t
-+.EE
-+
-+- Set files with the gpg_pinentry_tmp_t type, if you want to store gpg pinentry temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B gpg_pinentry_tmpfs_t
-+.EE
-+
-+- Set files with the gpg_pinentry_tmpfs_t type, if you want to store gpg pinentry files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B gpg_secret_t
-+.EE
-+
-+- Set files with the gpg_secret_t type, if you want to treat the files as gpg se secret data.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type gpg_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B etc_mail_t
-+
-+ /etc/mail(/.*)?
-+.br
-+
-+.br
-+.B gpg_agent_tmp_t
-+
-+ /home/[^/]*/\.gnupg/log-socket
-+.br
-+ /home/dwalsh/\.gnupg/log-socket
-+.br
-+ /var/lib/xguest/home/xguest/\.gnupg/log-socket
-+.br
-+
-+.br
-+.B gpg_secret_t
-+
-+ /root/\.gnupg(/.+)?
-+.br
-+ /etc/mail/spamassassin/sa-update-keys(/.*)?
-+.br
-+ /home/[^/]*/\.gnupg(/.+)?
-+.br
-+ /home/dwalsh/\.gnupg(/.+)?
-+.br
-+ /var/lib/xguest/home/xguest/\.gnupg(/.+)?
-+.br
-+
-+.br
-+.B mozilla_home_t
-+
-+ /home/[^/]*/\.java(/.*)?
-+.br
-+ /home/[^/]*/\.adobe(/.*)?
-+.br
-+ /home/[^/]*/\.gnash(/.*)?
-+.br
-+ /home/[^/]*/\.galeon(/.*)?
-+.br
-+ /home/[^/]*/\.spicec(/.*)?
-+.br
-+ /home/[^/]*/\.mozilla(/.*)?
-+.br
-+ /home/[^/]*/\.phoenix(/.*)?
-+.br
-+ /home/[^/]*/\.netscape(/.*)?
-+.br
-+ /home/[^/]*/\.ICAClient(/.*)?
-+.br
-+ /home/[^/]*/\.macromedia(/.*)?
-+.br
-+ /home/[^/]*/\.thunderbird(/.*)?
-+.br
-+ /home/[^/]*/\.gcjwebplugin(/.*)?
-+.br
-+ /home/[^/]*/\.icedteaplugin(/.*)?
-+.br
-+ /home/[^/]*/zimbrauserdata(/.*)?
-+.br
-+ /home/[^/]*/\.config/chromium(/.*)?
-+.br
-+ /home/dwalsh/\.java(/.*)?
-+.br
-+ /home/dwalsh/\.adobe(/.*)?
-+.br
-+ /home/dwalsh/\.gnash(/.*)?
-+.br
-+ /home/dwalsh/\.galeon(/.*)?
-+.br
-+ /home/dwalsh/\.spicec(/.*)?
-+.br
-+ /home/dwalsh/\.mozilla(/.*)?
-+.br
-+ /home/dwalsh/\.phoenix(/.*)?
-+.br
-+ /home/dwalsh/\.netscape(/.*)?
-+.br
-+ /home/dwalsh/\.ICAClient(/.*)?
-+.br
-+ /home/dwalsh/\.macromedia(/.*)?
-+.br
-+ /home/dwalsh/\.thunderbird(/.*)?
-+.br
-+ /home/dwalsh/\.gcjwebplugin(/.*)?
-+.br
-+ /home/dwalsh/\.icedteaplugin(/.*)?
-+.br
-+ /home/dwalsh/zimbrauserdata(/.*)?
-+.br
-+ /home/dwalsh/\.config/chromium(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.java(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.adobe(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.gnash(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.galeon(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.spicec(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.mozilla(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.phoenix(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.netscape(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.ICAClient(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.macromedia(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.thunderbird(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.icedteaplugin(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/zimbrauserdata(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.config/chromium(/.*)?
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.br
-+.B user_tmp_type
-+
-+ all user tmp files
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), gpg(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), gpg_agent_selinux(8), gpg_helper_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/gpm_selinux.8 b/man/man8/gpm_selinux.8
-new file mode 100644
-index 0000000..6c04bf7
---- /dev/null
-+++ b/man/man8/gpm_selinux.8
-@@ -0,0 +1,130 @@
-+.TH "gpm_selinux" "8" "12-11-01" "gpm" "SELinux Policy documentation for gpm"
-+.SH "NAME"
-+gpm_selinux \- Security Enhanced Linux Policy for the gpm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the gpm processes via flexible mandatory access control.
-+
-+The gpm processes execute with the gpm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep gpm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The gpm_t SELinux type can be entered via the "gpm_exec_t" file type. The default entrypoint paths for the gpm_t domain are the following:"
-+
-+/usr/sbin/gpm
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux gpm policy is very flexible allowing users to setup their gpm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for gpm:
-+
-+.EX
-+.B gpm_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux gpm policy is very flexible allowing users to setup their gpm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for gpm:
-+
-+
-+.EX
-+.PP
-+.B gpm_conf_t
-+.EE
-+
-+- Set files with the gpm_conf_t type, if you want to treat the files as gpm configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B gpm_exec_t
-+.EE
-+
-+- Set files with the gpm_exec_t type, if you want to transition an executable to the gpm_t domain.
-+
-+
-+.EX
-+.PP
-+.B gpm_tmp_t
-+.EE
-+
-+- Set files with the gpm_tmp_t type, if you want to store gpm temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B gpm_var_run_t
-+.EE
-+
-+- Set files with the gpm_var_run_t type, if you want to store the gpm files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B gpmctl_t
-+.EE
-+
-+- Set files with the gpmctl_t type, if you want to treat the files as gpmctl data.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type gpm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B gpm_tmp_t
-+
-+
-+.br
-+.B gpm_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), gpm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/gpsd_selinux.8 b/man/man8/gpsd_selinux.8
-new file mode 100644
-index 0000000..9c4572e
---- /dev/null
-+++ b/man/man8/gpsd_selinux.8
-@@ -0,0 +1,174 @@
-+.TH "gpsd_selinux" "8" "12-11-01" "gpsd" "SELinux Policy documentation for gpsd"
-+.SH "NAME"
-+gpsd_selinux \- Security Enhanced Linux Policy for the gpsd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the gpsd processes via flexible mandatory access control.
-+
-+The gpsd processes execute with the gpsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep gpsd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The gpsd_t SELinux type can be entered via the "gpsd_exec_t" file type. The default entrypoint paths for the gpsd_t domain are the following:"
-+
-+/usr/sbin/gpsd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux gpsd policy is very flexible allowing users to setup their gpsd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for gpsd:
-+
-+.EX
-+.B gpsd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux gpsd policy is very flexible allowing users to setup their gpsd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for gpsd:
-+
-+
-+.EX
-+.PP
-+.B gpsd_exec_t
-+.EE
-+
-+- Set files with the gpsd_exec_t type, if you want to transition an executable to the gpsd_t domain.
-+
-+
-+.EX
-+.PP
-+.B gpsd_initrc_exec_t
-+.EE
-+
-+- Set files with the gpsd_initrc_exec_t type, if you want to transition an executable to the gpsd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B gpsd_tmpfs_t
-+.EE
-+
-+- Set files with the gpsd_tmpfs_t type, if you want to store gpsd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B gpsd_var_run_t
-+.EE
-+
-+- Set files with the gpsd_var_run_t type, if you want to store the gpsd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux gpsd policy is very flexible allowing users to setup their gpsd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for gpsd:
-+
-+.EX
-+.TP 5
-+.B gpsd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 2947
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type gpsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B chronyd_tmpfs_t
-+
-+
-+.br
-+.B gpsd_tmpfs_t
-+
-+
-+.br
-+.B gpsd_var_run_t
-+
-+ /var/run/gpsd\.pid
-+.br
-+ /var/run/gpsd\.sock
-+.br
-+
-+.br
-+.B ntpd_tmpfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the gpsd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), gpsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/greylist_milter_selinux.8 b/man/man8/greylist_milter_selinux.8
-new file mode 100644
-index 0000000..848aace
---- /dev/null
-+++ b/man/man8/greylist_milter_selinux.8
-@@ -0,0 +1,126 @@
-+.TH "greylist_milter_selinux" "8" "12-11-01" "greylist_milter" "SELinux Policy documentation for greylist_milter"
-+.SH "NAME"
-+greylist_milter_selinux \- Security Enhanced Linux Policy for the greylist_milter processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the greylist_milter processes via flexible mandatory access control.
-+
-+The greylist_milter processes execute with the greylist_milter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep greylist_milter_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The greylist_milter_t SELinux type can be entered via the "greylist_milter_exec_t" file type. The default entrypoint paths for the greylist_milter_t domain are the following:"
-+
-+/usr/sbin/sqlgrey, /usr/sbin/milter-greylist
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux greylist_milter policy is very flexible allowing users to setup their greylist_milter processes in as secure a method as possible.
-+.PP
-+The following process types are defined for greylist_milter:
-+
-+.EX
-+.B greylist_milter_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux greylist_milter policy is very flexible allowing users to setup their greylist_milter processes in as secure a method as possible.
-+.PP
-+The following file types are defined for greylist_milter:
-+
-+
-+.EX
-+.PP
-+.B greylist_milter_data_t
-+.EE
-+
-+- Set files with the greylist_milter_data_t type, if you want to treat the files as greylist milter content.
-+
-+
-+.EX
-+.PP
-+.B greylist_milter_exec_t
-+.EE
-+
-+- Set files with the greylist_milter_exec_t type, if you want to transition an executable to the greylist_milter_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type greylist_milter_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B greylist_milter_data_t
-+
-+ /var/lib/sqlgrey(/.*)?
-+.br
-+ /var/lib/milter-greylist(/.*)?
-+.br
-+ /var/run/milter-greylist(/.*)?
-+.br
-+ /var/run/sqlgrey\.pid
-+.br
-+ /var/run/milter-greylist\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the greylist_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the greylist_milter_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), greylist_milter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/groupadd_selinux.8 b/man/man8/groupadd_selinux.8
-new file mode 100644
-index 0000000..929fc9a
---- /dev/null
-+++ b/man/man8/groupadd_selinux.8
-@@ -0,0 +1,176 @@
-+.TH "groupadd_selinux" "8" "12-11-01" "groupadd" "SELinux Policy documentation for groupadd"
-+.SH "NAME"
-+groupadd_selinux \- Security Enhanced Linux Policy for the groupadd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the groupadd processes via flexible mandatory access control.
-+
-+The groupadd processes execute with the groupadd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep groupadd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The groupadd_t SELinux type can be entered via the "groupadd_exec_t" file type. The default entrypoint paths for the groupadd_t domain are the following:"
-+
-+/usr/bin/gpasswd, /usr/sbin/gpasswd, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/sbin/groupmod
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux groupadd policy is very flexible allowing users to setup their groupadd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for groupadd:
-+
-+.EX
-+.B groupadd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux groupadd policy is very flexible allowing users to setup their groupadd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for groupadd:
-+
-+
-+.EX
-+.PP
-+.B groupadd_exec_t
-+.EE
-+
-+- Set files with the groupadd_exec_t type, if you want to transition an executable to the groupadd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type groupadd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B passwd_file_t
-+
-+ /etc/group[-\+]?
-+.br
-+ /etc/passwd[-\+]?
-+.br
-+ /etc/passwd\.adjunct.*
-+.br
-+ /etc/ptmptmp
-+.br
-+ /etc/\.pwd\.lock
-+.br
-+ /etc/group\.lock
-+.br
-+ /etc/passwd\.OLD
-+.br
-+ /etc/passwd\.lock
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B shadow_t
-+
-+ /etc/shadow.*
-+.br
-+ /etc/gshadow.*
-+.br
-+ /var/db/shadow.*
-+.br
-+ /etc/security/opasswd
-+.br
-+ /etc/security/opasswd\.old
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the groupadd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), groupadd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/groupd_selinux.8 b/man/man8/groupd_selinux.8
-new file mode 100644
-index 0000000..88f7928
---- /dev/null
-+++ b/man/man8/groupd_selinux.8
-@@ -0,0 +1,153 @@
-+.TH "groupd_selinux" "8" "12-11-01" "groupd" "SELinux Policy documentation for groupd"
-+.SH "NAME"
-+groupd_selinux \- Security Enhanced Linux Policy for the groupd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the groupd processes via flexible mandatory access control.
-+
-+The groupd processes execute with the groupd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep groupd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The groupd_t SELinux type can be entered via the "groupd_exec_t" file type. The default entrypoint paths for the groupd_t domain are the following:"
-+
-+/usr/sbin/groupd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux groupd policy is very flexible allowing users to setup their groupd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for groupd:
-+
-+.EX
-+.B groupadd_t, groupd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux groupd policy is very flexible allowing users to setup their groupd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for groupd:
-+
-+
-+.EX
-+.PP
-+.B groupd_exec_t
-+.EE
-+
-+- Set files with the groupd_exec_t type, if you want to transition an executable to the groupd_t domain.
-+
-+
-+.EX
-+.PP
-+.B groupd_tmpfs_t
-+.EE
-+
-+- Set files with the groupd_tmpfs_t type, if you want to store groupd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B groupd_var_log_t
-+.EE
-+
-+- Set files with the groupd_var_log_t type, if you want to treat the data as groupd var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B groupd_var_run_t
-+.EE
-+
-+- Set files with the groupd_var_run_t type, if you want to store the groupd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type groupd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cluster_var_lib_t
-+
-+ /var/lib/cluster(/.*)?
-+.br
-+
-+.br
-+.B groupd_tmpfs_t
-+
-+
-+.br
-+.B groupd_var_log_t
-+
-+
-+.br
-+.B groupd_var_run_t
-+
-+ /var/run/groupd\.pid
-+.br
-+
-+.br
-+.B initrc_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the groupd_t, groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the groupd_t, groupadd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), groupd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, groupadd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/gssd_selinux.8 b/man/man8/gssd_selinux.8
-new file mode 100644
-index 0000000..071e84c
---- /dev/null
-+++ b/man/man8/gssd_selinux.8
-@@ -0,0 +1,204 @@
-+.TH "gssd_selinux" "8" "12-11-01" "gssd" "SELinux Policy documentation for gssd"
-+.SH "NAME"
-+gssd_selinux \- Security Enhanced Linux Policy for the gssd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the gssd processes via flexible mandatory access control.
-+
-+The gssd processes execute with the gssd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep gssd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The gssd_t SELinux type can be entered via the "gssd_exec_t" file type. The default entrypoint paths for the gssd_t domain are the following:"
-+
-+/usr/sbin/rpc\.gssd, /usr/sbin/rpc\.svcgssd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux gssd policy is very flexible allowing users to setup their gssd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for gssd:
-+
-+.EX
-+.B gssd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. gssd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gssd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean.
-+
-+.EX
-+.B setsebool -P gssd_read_tmp 1
-+.EE
-+
-+.PP
-+If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean.
-+
-+.EX
-+.B setsebool -P gssd_read_tmp 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux gssd policy is very flexible allowing users to setup their gssd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for gssd:
-+
-+
-+.EX
-+.PP
-+.B gssd_exec_t
-+.EE
-+
-+- Set files with the gssd_exec_t type, if you want to transition an executable to the gssd_t domain.
-+
-+
-+.EX
-+.PP
-+.B gssd_keytab_t
-+.EE
-+
-+- Set files with the gssd_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B gssd_tmp_t
-+.EE
-+
-+- Set files with the gssd_tmp_t type, if you want to store gssd temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type gssd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B gssd_tmp_t
-+
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.br
-+.B var_lib_nfs_t
-+
-+ /var/lib/nfs(/.*)?
-+.br
-+
-+.br
-+.B xdm_tmp_t
-+
-+ /tmp/\.X11-unix(/.*)?
-+.br
-+ /tmp/\.ICE-unix(/.*)?
-+.br
-+ /tmp/\.X0-lock
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the gssd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), gssd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/guest_selinux.8 b/man/man8/guest_selinux.8
-new file mode 100644
-index 0000000..dc5e824
---- /dev/null
-+++ b/man/man8/guest_selinux.8
-@@ -0,0 +1,241 @@
-+.TH "guest_selinux" "8" "guest" "mgrepl@redhat.com" "guest SELinux Policy documentation"
-+.SH "NAME"
-+guest_u \- \fBLeast privledge terminal user role\fP - Security Enhanced Linux Policy
-+
-+.SH DESCRIPTION
-+
-+\fBguest_u\fP is an SELinux User defined in the SELinux
-+policy. SELinux users have default roles, \fBguest_r\fP. The
-+default role has a default type, \fBguest_t\fP, associated with it.
-+
-+The SELinux user will usually login to a system with a context that looks like:
-+
-+.B guest_u:guest_r:guest_t:s0-s0:c0.c1023
-+
-+Linux users are automatically assigned an SELinux users at login.
-+Login programs use the SELinux User to assign initial context to the user's shell.
-+
-+SELinux policy uses the context to control the user's access.
-+
-+By default all users are assigned to the SELinux user via the \fB__default__\fP flag
-+
-+On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
-+
-+You can list all Linux User to SELinux user mapping using:
-+
-+.B semanage login -l
-+
-+If you wanted to change the default user mapping to use the guest_u user, you would execute:
-+
-+.B semanage login -m -s guest_u __default__
-+
-+
-+If you want to map the one Linux user (joe) to the SELinux user guest, you would execute:
-+
-+.B $ semanage login -a -s guest_u joe
-+
-+
-+.SH USER DESCRIPTION
-+
-+The SELinux user guest_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
-+
-+.SH SUDO
-+
-+.SH X WINDOWS LOGIN
-+
-+The SELinux user guest_u is not able to X Windows login.
-+
-+.SH NETWORK
-+
-+.TP
-+The SELinux user guest_u is able to connect to the following tcp ports.
-+
-+.B dns_port_t: 53
-+
-+.B ocsp_port_t: 9080
-+
-+.B kerberos_port_t: 88,750,4444
-+
-+.TP
-+The SELinux user guest_u is able to connect to the following tcp ports.
-+
-+.B dns_port_t: 53
-+
-+.B ocsp_port_t: 9080
-+
-+.B kerberos_port_t: 88,750,4444
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. guest policy is extremely flexible and has several booleans that allow you to manipulate the policy and run guest with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
-+
-+.EX
-+.B setsebool -P xguest_mount_media 1
-+.EE
-+
-+.PP
-+If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean.
-+
-+.EX
-+.B setsebool -P xguest_connect_network 1
-+.EE
-+
-+.PP
-+If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
-+
-+.EX
-+.B setsebool -P xguest_use_bluetooth 1
-+.EE
-+
-+.PP
-+If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
-+
-+.EX
-+.B setsebool -P xguest_mount_media 1
-+.EE
-+
-+.PP
-+If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean.
-+
-+.EX
-+.B setsebool -P xguest_connect_network 1
-+.EE
-+
-+.PP
-+If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
-+
-+.EX
-+.B setsebool -P xguest_use_bluetooth 1
-+.EE
-+
-+.SH HOME_EXEC
-+
-+The SELinux user guest_u is able execute home content files.
-+
-+.SH TRANSITIONS
-+
-+Three things can happen when guest_t attempts to execute a program.
-+
-+\fB1.\fP SELinux Policy can deny guest_t from executing the program.
-+
-+.TP
-+
-+\fB2.\fP SELinux Policy can allow guest_t to execute the program in the current user type.
-+
-+Execute the following to see the types that the SELinux user guest_t can execute without transitioning:
-+
-+.B search -A -s guest_t -c file -p execute_no_trans
-+
-+.TP
-+
-+\fB3.\fP SELinux can allow guest_t to execute the program and transition to a new type.
-+
-+Execute the following to see the types that the SELinux user guest_t can execute and transition:
-+
-+.B $ search -A -s guest_t -c process -p transition
-+
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type guest_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B httpd_user_content_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))(/.+)?
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))(/.+)?
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)?
-+.br
-+
-+.br
-+.B httpd_user_htaccess_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess
-+.br
-+
-+.br
-+.B httpd_user_ra_content_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
-+.br
-+
-+.br
-+.B httpd_user_rw_content_t
-+
-+
-+.br
-+.B httpd_user_script_exec_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?
-+.br
-+
-+.br
-+.B user_home_type
-+
-+ all user home files
-+.br
-+
-+.br
-+.B user_tmp_type
-+
-+ all user tmp files
-+.br
-+
-+.br
-+.B user_tmpfs_type
-+
-+ all user content in tmpfs file systems
-+.br
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), guest(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/hddtemp_selinux.8 b/man/man8/hddtemp_selinux.8
-new file mode 100644
-index 0000000..3f4d9a5
---- /dev/null
-+++ b/man/man8/hddtemp_selinux.8
-@@ -0,0 +1,128 @@
-+.TH "hddtemp_selinux" "8" "12-11-01" "hddtemp" "SELinux Policy documentation for hddtemp"
-+.SH "NAME"
-+hddtemp_selinux \- Security Enhanced Linux Policy for the hddtemp processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the hddtemp processes via flexible mandatory access control.
-+
-+The hddtemp processes execute with the hddtemp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep hddtemp_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The hddtemp_t SELinux type can be entered via the "hddtemp_exec_t" file type. The default entrypoint paths for the hddtemp_t domain are the following:"
-+
-+/usr/sbin/hddtemp
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux hddtemp policy is very flexible allowing users to setup their hddtemp processes in as secure a method as possible.
-+.PP
-+The following process types are defined for hddtemp:
-+
-+.EX
-+.B hddtemp_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux hddtemp policy is very flexible allowing users to setup their hddtemp processes in as secure a method as possible.
-+.PP
-+The following file types are defined for hddtemp:
-+
-+
-+.EX
-+.PP
-+.B hddtemp_etc_t
-+.EE
-+
-+- Set files with the hddtemp_etc_t type, if you want to store hddtemp files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B hddtemp_exec_t
-+.EE
-+
-+- Set files with the hddtemp_exec_t type, if you want to transition an executable to the hddtemp_t domain.
-+
-+
-+.EX
-+.PP
-+.B hddtemp_initrc_exec_t
-+.EE
-+
-+- Set files with the hddtemp_initrc_exec_t type, if you want to transition an executable to the hddtemp_initrc_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux hddtemp policy is very flexible allowing users to setup their hddtemp processes in as secure a method as possible.
-+.PP
-+The following port types are defined for hddtemp:
-+
-+.EX
-+.TP 5
-+.B hddtemp_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 7634
-+.EE
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), hddtemp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/hostname_selinux.8 b/man/man8/hostname_selinux.8
-new file mode 100644
-index 0000000..5de0695
---- /dev/null
-+++ b/man/man8/hostname_selinux.8
-@@ -0,0 +1,86 @@
-+.TH "hostname_selinux" "8" "12-11-01" "hostname" "SELinux Policy documentation for hostname"
-+.SH "NAME"
-+hostname_selinux \- Security Enhanced Linux Policy for the hostname processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the hostname processes via flexible mandatory access control.
-+
-+The hostname processes execute with the hostname_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep hostname_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The hostname_t SELinux type can be entered via the "hostname_exec_t" file type. The default entrypoint paths for the hostname_t domain are the following:"
-+
-+/bin/hostname, /usr/bin/hostname
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux hostname policy is very flexible allowing users to setup their hostname processes in as secure a method as possible.
-+.PP
-+The following process types are defined for hostname:
-+
-+.EX
-+.B hostname_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux hostname policy is very flexible allowing users to setup their hostname processes in as secure a method as possible.
-+.PP
-+The following file types are defined for hostname:
-+
-+
-+.EX
-+.PP
-+.B hostname_exec_t
-+.EE
-+
-+- Set files with the hostname_exec_t type, if you want to transition an executable to the hostname_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), hostname(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/hplip_selinux.8 b/man/man8/hplip_selinux.8
-new file mode 100644
-index 0000000..d23889a
---- /dev/null
-+++ b/man/man8/hplip_selinux.8
-@@ -0,0 +1,198 @@
-+.TH "hplip_selinux" "8" "12-11-01" "hplip" "SELinux Policy documentation for hplip"
-+.SH "NAME"
-+hplip_selinux \- Security Enhanced Linux Policy for the hplip processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the hplip processes via flexible mandatory access control.
-+
-+The hplip processes execute with the hplip_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep hplip_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The hplip_t SELinux type can be entered via the "hplip_exec_t" file type. The default entrypoint paths for the hplip_t domain are the following:"
-+
-+/usr/sbin/hp-[^/]+, /usr/share/hplip/.*\.py, /usr/lib/cups/backend/hp.*, /usr/bin/hpijs, /usr/sbin/hpiod
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux hplip policy is very flexible allowing users to setup their hplip processes in as secure a method as possible.
-+.PP
-+The following process types are defined for hplip:
-+
-+.EX
-+.B hplip_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux hplip policy is very flexible allowing users to setup their hplip processes in as secure a method as possible.
-+.PP
-+The following file types are defined for hplip:
-+
-+
-+.EX
-+.PP
-+.B hplip_etc_t
-+.EE
-+
-+- Set files with the hplip_etc_t type, if you want to store hplip files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B hplip_exec_t
-+.EE
-+
-+- Set files with the hplip_exec_t type, if you want to transition an executable to the hplip_t domain.
-+
-+
-+.EX
-+.PP
-+.B hplip_tmp_t
-+.EE
-+
-+- Set files with the hplip_tmp_t type, if you want to store hplip temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B hplip_var_lib_t
-+.EE
-+
-+- Set files with the hplip_var_lib_t type, if you want to store the hplip files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B hplip_var_log_t
-+.EE
-+
-+- Set files with the hplip_var_log_t type, if you want to treat the data as hplip var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B hplip_var_run_t
-+.EE
-+
-+- Set files with the hplip_var_run_t type, if you want to store the hplip files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux hplip policy is very flexible allowing users to setup their hplip processes in as secure a method as possible.
-+.PP
-+The following port types are defined for hplip:
-+
-+.EX
-+.TP 5
-+.B hplip_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 1782,2207,2208,8290,50000,50002,8292,9100,9101,9102,9220,9221,9222,9280,9281,9282,9290,9291
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type hplip_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B cupsd_tmp_t
-+
-+
-+.br
-+.B hplip_var_lib_t
-+
-+ /var/lib/hp(/.*)?
-+.br
-+
-+.br
-+.B hplip_var_log_t
-+
-+ /var/log/hp(/.*)?
-+.br
-+
-+.br
-+.B hplip_var_run_t
-+
-+ /var/run/hp.*\.pid
-+.br
-+ /var/run/hp.*\.port
-+.br
-+
-+.br
-+.B print_spool_t
-+
-+ /var/spool/lpd(/.*)?
-+.br
-+ /var/spool/cups(/.*)?
-+.br
-+ /var/spool/cups-pdf(/.*)?
-+.br
-+
-+.br
-+.B usbfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), hplip(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/httpd_apcupsd_cgi_script_selinux.8 b/man/man8/httpd_apcupsd_cgi_script_selinux.8
-new file mode 100644
-index 0000000..b70ebe0
---- /dev/null
-+++ b/man/man8/httpd_apcupsd_cgi_script_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "httpd_apcupsd_cgi_script_selinux" "8" "12-11-01" "httpd_apcupsd_cgi_script" "SELinux Policy documentation for httpd_apcupsd_cgi_script"
-+.SH "NAME"
-+httpd_apcupsd_cgi_script_selinux \- Security Enhanced Linux Policy for the httpd_apcupsd_cgi_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_apcupsd_cgi_script processes via flexible mandatory access control.
-+
-+The httpd_apcupsd_cgi_script processes execute with the httpd_apcupsd_cgi_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_apcupsd_cgi_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_apcupsd_cgi_script_t SELinux type can be entered via the "shell_exec_t,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_exec_t" file types. The default entrypoint paths for the httpd_apcupsd_cgi_script_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/cgi-bin/apcgui(/.*)?, /var/www/apcupsd/multimon\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsfstats\.cgi, /var/www/cgi-bin/apcgui(/.*)?, /var/www/apcupsd/multimon\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsfstats\.cgi
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_apcupsd_cgi_script policy is very flexible allowing users to setup their httpd_apcupsd_cgi_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_apcupsd_cgi_script:
-+
-+.EX
-+.B httpd_apcupsd_cgi_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_apcupsd_cgi_script policy is very flexible allowing users to setup their httpd_apcupsd_cgi_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_apcupsd_cgi_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_apcupsd_cgi_script_exec_t
-+.EE
-+
-+- Set files with the httpd_apcupsd_cgi_script_exec_t type, if you want to transition an executable to the httpd_apcupsd_cgi_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_apcupsd_cgi_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_apcupsd_cgi_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_apcupsd_cgi_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_awstats_script_selinux.8 b/man/man8/httpd_awstats_script_selinux.8
-new file mode 100644
-index 0000000..d03827d
---- /dev/null
-+++ b/man/man8/httpd_awstats_script_selinux.8
-@@ -0,0 +1,99 @@
-+.TH "httpd_awstats_script_selinux" "8" "12-11-01" "httpd_awstats_script" "SELinux Policy documentation for httpd_awstats_script"
-+.SH "NAME"
-+httpd_awstats_script_selinux \- Security Enhanced Linux Policy for the httpd_awstats_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_awstats_script processes via flexible mandatory access control.
-+
-+The httpd_awstats_script processes execute with the httpd_awstats_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_awstats_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_awstats_script_t SELinux type can be entered via the "shell_exec_t,httpd_awstats_script_exec_t,httpd_awstats_script_exec_t" file types. The default entrypoint paths for the httpd_awstats_script_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/awstats/wwwroot/cgi-bin(/.*)?, /usr/share/awstats/wwwroot/cgi-bin(/.*)?
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_awstats_script policy is very flexible allowing users to setup their httpd_awstats_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_awstats_script:
-+
-+.EX
-+.B httpd_awstats_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_awstats_script policy is very flexible allowing users to setup their httpd_awstats_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_awstats_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_awstats_script_exec_t
-+.EE
-+
-+- Set files with the httpd_awstats_script_exec_t type, if you want to transition an executable to the httpd_awstats_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_awstats_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B awstats_tmp_t
-+
-+
-+.br
-+.B httpd_awstats_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_awstats_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_bugzilla_script_selinux.8 b/man/man8/httpd_bugzilla_script_selinux.8
-new file mode 100644
-index 0000000..84e7a1b
---- /dev/null
-+++ b/man/man8/httpd_bugzilla_script_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "httpd_bugzilla_script_selinux" "8" "12-11-01" "httpd_bugzilla_script" "SELinux Policy documentation for httpd_bugzilla_script"
-+.SH "NAME"
-+httpd_bugzilla_script_selinux \- Security Enhanced Linux Policy for the httpd_bugzilla_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_bugzilla_script processes via flexible mandatory access control.
-+
-+The httpd_bugzilla_script processes execute with the httpd_bugzilla_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_bugzilla_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_bugzilla_script_t SELinux type can be entered via the "httpd_bugzilla_script_exec_t,shell_exec_t,httpd_bugzilla_script_exec_t" file types. The default entrypoint paths for the httpd_bugzilla_script_t domain are the following:"
-+
-+/usr/share/bugzilla(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/bugzilla(/.*)?
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_bugzilla_script policy is very flexible allowing users to setup their httpd_bugzilla_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_bugzilla_script:
-+
-+.EX
-+.B httpd_bugzilla_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_bugzilla_script policy is very flexible allowing users to setup their httpd_bugzilla_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_bugzilla_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_bugzilla_script_exec_t
-+.EE
-+
-+- Set files with the httpd_bugzilla_script_exec_t type, if you want to transition an executable to the httpd_bugzilla_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_bugzilla_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_bugzilla_rw_content_t
-+
-+ /var/lib/bugzilla(/.*)?
-+.br
-+
-+.br
-+.B httpd_bugzilla_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_bugzilla_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_cobbler_script_selinux.8 b/man/man8/httpd_cobbler_script_selinux.8
-new file mode 100644
-index 0000000..9a182d6
---- /dev/null
-+++ b/man/man8/httpd_cobbler_script_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "httpd_cobbler_script_selinux" "8" "12-11-01" "httpd_cobbler_script" "SELinux Policy documentation for httpd_cobbler_script"
-+.SH "NAME"
-+httpd_cobbler_script_selinux \- Security Enhanced Linux Policy for the httpd_cobbler_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_cobbler_script processes via flexible mandatory access control.
-+
-+The httpd_cobbler_script processes execute with the httpd_cobbler_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_cobbler_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_cobbler_script_t SELinux type can be entered via the "httpd_cobbler_script_exec_t,shell_exec_t,httpd_cobbler_script_exec_t" file types. The default entrypoint paths for the httpd_cobbler_script_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_cobbler_script policy is very flexible allowing users to setup their httpd_cobbler_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_cobbler_script:
-+
-+.EX
-+.B httpd_cobbler_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_cobbler_script policy is very flexible allowing users to setup their httpd_cobbler_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_cobbler_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_cobbler_script_exec_t
-+.EE
-+
-+- Set files with the httpd_cobbler_script_exec_t type, if you want to transition an executable to the httpd_cobbler_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_cobbler_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_cobbler_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_cobbler_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_collectd_script_selinux.8 b/man/man8/httpd_collectd_script_selinux.8
-new file mode 100644
-index 0000000..8b345d1
---- /dev/null
-+++ b/man/man8/httpd_collectd_script_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "httpd_collectd_script_selinux" "8" "12-11-01" "httpd_collectd_script" "SELinux Policy documentation for httpd_collectd_script"
-+.SH "NAME"
-+httpd_collectd_script_selinux \- Security Enhanced Linux Policy for the httpd_collectd_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_collectd_script processes via flexible mandatory access control.
-+
-+The httpd_collectd_script processes execute with the httpd_collectd_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_collectd_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_collectd_script_t SELinux type can be entered via the "shell_exec_t,httpd_collectd_script_exec_t,httpd_collectd_script_exec_t" file types. The default entrypoint paths for the httpd_collectd_script_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/collectd/collection3/bin/.*\.cgi, /usr/share/collectd/collection3/bin/.*\.cgi
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_collectd_script policy is very flexible allowing users to setup their httpd_collectd_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_collectd_script:
-+
-+.EX
-+.B httpd_collectd_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_collectd_script policy is very flexible allowing users to setup their httpd_collectd_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_collectd_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_collectd_script_exec_t
-+.EE
-+
-+- Set files with the httpd_collectd_script_exec_t type, if you want to transition an executable to the httpd_collectd_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_collectd_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_collectd_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_collectd_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_cvs_script_selinux.8 b/man/man8/httpd_cvs_script_selinux.8
-new file mode 100644
-index 0000000..4c09121
---- /dev/null
-+++ b/man/man8/httpd_cvs_script_selinux.8
-@@ -0,0 +1,99 @@
-+.TH "httpd_cvs_script_selinux" "8" "12-11-01" "httpd_cvs_script" "SELinux Policy documentation for httpd_cvs_script"
-+.SH "NAME"
-+httpd_cvs_script_selinux \- Security Enhanced Linux Policy for the httpd_cvs_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_cvs_script processes via flexible mandatory access control.
-+
-+The httpd_cvs_script processes execute with the httpd_cvs_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_cvs_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_cvs_script_t SELinux type can be entered via the "shell_exec_t,httpd_cvs_script_exec_t,httpd_cvs_script_exec_t" file types. The default entrypoint paths for the httpd_cvs_script_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/cgi-bin/cvsweb\.cgi, /usr/share/cvsweb/cvsweb\.cgi, /var/www/cgi-bin/cvsweb\.cgi, /usr/share/cvsweb/cvsweb\.cgi
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_cvs_script policy is very flexible allowing users to setup their httpd_cvs_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_cvs_script:
-+
-+.EX
-+.B httpd_cvs_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_cvs_script policy is very flexible allowing users to setup their httpd_cvs_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_cvs_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_cvs_script_exec_t
-+.EE
-+
-+- Set files with the httpd_cvs_script_exec_t type, if you want to transition an executable to the httpd_cvs_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_cvs_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cvs_tmp_t
-+
-+
-+.br
-+.B httpd_cvs_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_cvs_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_dirsrvadmin_script_selinux.8 b/man/man8/httpd_dirsrvadmin_script_selinux.8
-new file mode 100644
-index 0000000..8523dac
---- /dev/null
-+++ b/man/man8/httpd_dirsrvadmin_script_selinux.8
-@@ -0,0 +1,137 @@
-+.TH "httpd_dirsrvadmin_script_selinux" "8" "12-11-01" "httpd_dirsrvadmin_script" "SELinux Policy documentation for httpd_dirsrvadmin_script"
-+.SH "NAME"
-+httpd_dirsrvadmin_script_selinux \- Security Enhanced Linux Policy for the httpd_dirsrvadmin_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_dirsrvadmin_script processes via flexible mandatory access control.
-+
-+The httpd_dirsrvadmin_script processes execute with the httpd_dirsrvadmin_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_dirsrvadmin_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_dirsrvadmin_script_t SELinux type can be entered via the "httpd_dirsrvadmin_script_exec_t,shell_exec_t,httpd_dirsrvadmin_script_exec_t" file types. The default entrypoint paths for the httpd_dirsrvadmin_script_t domain are the following:"
-+
-+/usr/lib/dirsrv/cgi-bin(/.*)?, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/dirsrv/cgi-bin(/.*)?, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)?
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_dirsrvadmin_script policy is very flexible allowing users to setup their httpd_dirsrvadmin_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_dirsrvadmin_script:
-+
-+.EX
-+.B httpd_dirsrvadmin_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_dirsrvadmin_script policy is very flexible allowing users to setup their httpd_dirsrvadmin_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_dirsrvadmin_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_dirsrvadmin_script_exec_t
-+.EE
-+
-+- Set files with the httpd_dirsrvadmin_script_exec_t type, if you want to transition an executable to the httpd_dirsrvadmin_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_dirsrvadmin_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dirsrv_config_t
-+
-+ /etc/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrv_var_lib_t
-+
-+ /var/lib/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrv_var_log_t
-+
-+ /var/log/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrv_var_run_t
-+
-+ /var/run/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrvadmin_config_t
-+
-+ /etc/dirsrv/dsgw(/.*)?
-+.br
-+ /etc/dirsrv/admin-serv(/.*)?
-+.br
-+
-+.br
-+.B dirsrvadmin_lock_t
-+
-+ /var/lock/subsys/dirsrv
-+.br
-+
-+.br
-+.B dirsrvadmin_tmp_t
-+
-+
-+.br
-+.B httpd_dirsrvadmin_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_dirsrvadmin_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_dspam_script_selinux.8 b/man/man8/httpd_dspam_script_selinux.8
-new file mode 100644
-index 0000000..09ee1ed
---- /dev/null
-+++ b/man/man8/httpd_dspam_script_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "httpd_dspam_script_selinux" "8" "12-11-01" "httpd_dspam_script" "SELinux Policy documentation for httpd_dspam_script"
-+.SH "NAME"
-+httpd_dspam_script_selinux \- Security Enhanced Linux Policy for the httpd_dspam_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_dspam_script processes via flexible mandatory access control.
-+
-+The httpd_dspam_script processes execute with the httpd_dspam_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_dspam_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_dspam_script_t SELinux type can be entered via the "httpd_dspam_script_exec_t,shell_exec_t,httpd_dspam_script_exec_t" file types. The default entrypoint paths for the httpd_dspam_script_t domain are the following:"
-+
-+/usr/share/dspam-web/dspam\.cgi, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/dspam-web/dspam\.cgi
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_dspam_script policy is very flexible allowing users to setup their httpd_dspam_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_dspam_script:
-+
-+.EX
-+.B httpd_dspam_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_dspam_script policy is very flexible allowing users to setup their httpd_dspam_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_dspam_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_dspam_script_exec_t
-+.EE
-+
-+- Set files with the httpd_dspam_script_exec_t type, if you want to transition an executable to the httpd_dspam_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_dspam_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_dspam_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_dspam_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_git_script_selinux.8 b/man/man8/httpd_git_script_selinux.8
-new file mode 100644
-index 0000000..3518b85
---- /dev/null
-+++ b/man/man8/httpd_git_script_selinux.8
-@@ -0,0 +1,113 @@
-+.TH "httpd_git_script_selinux" "8" "12-11-01" "httpd_git_script" "SELinux Policy documentation for httpd_git_script"
-+.SH "NAME"
-+httpd_git_script_selinux \- Security Enhanced Linux Policy for the httpd_git_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_git_script processes via flexible mandatory access control.
-+
-+The httpd_git_script processes execute with the httpd_git_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_git_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_git_script_t SELinux type can be entered via the "shell_exec_t,httpd_git_script_exec_t,httpd_git_script_exec_t" file types. The default entrypoint paths for the httpd_git_script_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/cgi-bin/cgit, /var/www/git/gitweb\.cgi, /var/www/gitweb-caching/gitweb\.cgi, /var/www/cgi-bin/cgit, /var/www/git/gitweb\.cgi, /var/www/gitweb-caching/gitweb\.cgi
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_git_script policy is very flexible allowing users to setup their httpd_git_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_git_script:
-+
-+.EX
-+.B httpd_git_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_git_script policy is very flexible allowing users to setup their httpd_git_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_git_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_git_script_exec_t
-+.EE
-+
-+- Set files with the httpd_git_script_exec_t type, if you want to transition an executable to the httpd_git_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_git_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_git_rw_content_t
-+
-+ /var/cache/cgit(/.*)?
-+.br
-+ /var/cache/gitweb-caching(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_git_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the httpd_git_script_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_git_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_helper_selinux.8 b/man/man8/httpd_helper_selinux.8
-new file mode 100644
-index 0000000..3f124b1
---- /dev/null
-+++ b/man/man8/httpd_helper_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "httpd_helper_selinux" "8" "12-11-01" "httpd_helper" "SELinux Policy documentation for httpd_helper"
-+.SH "NAME"
-+httpd_helper_selinux \- Security Enhanced Linux Policy for the httpd_helper processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_helper processes via flexible mandatory access control.
-+
-+The httpd_helper processes execute with the httpd_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_helper_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_helper_t SELinux type can be entered via the "httpd_helper_exec_t" file type. The default entrypoint paths for the httpd_helper_t domain are the following:"
-+
-+/usr/bin/htsslpass
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_helper policy is very flexible allowing users to setup their httpd_helper processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_helper:
-+
-+.EX
-+.B httpd_helper_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_helper policy is very flexible allowing users to setup their httpd_helper processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_helper:
-+
-+
-+.EX
-+.PP
-+.B httpd_helper_exec_t
-+.EE
-+
-+- Set files with the httpd_helper_exec_t type, if you want to transition an executable to the httpd_helper_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_man2html_script_selinux.8 b/man/man8/httpd_man2html_script_selinux.8
-new file mode 100644
-index 0000000..e3292a9
---- /dev/null
-+++ b/man/man8/httpd_man2html_script_selinux.8
-@@ -0,0 +1,109 @@
-+.TH "httpd_man2html_script_selinux" "8" "12-11-01" "httpd_man2html_script" "SELinux Policy documentation for httpd_man2html_script"
-+.SH "NAME"
-+httpd_man2html_script_selinux \- Security Enhanced Linux Policy for the httpd_man2html_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_man2html_script processes via flexible mandatory access control.
-+
-+The httpd_man2html_script processes execute with the httpd_man2html_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_man2html_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_man2html_script_t SELinux type can be entered via the "shell_exec_t,httpd_man2html_script_exec_t,httpd_man2html_script_exec_t" file types. The default entrypoint paths for the httpd_man2html_script_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/man2html/cgi-bin/man/mansec, /usr/lib/man2html/cgi-bin/man/man2html, /usr/lib/man2html/cgi-bin/man/manwhatis, /usr/lib/man2html/cgi-bin/man/mansec, /usr/lib/man2html/cgi-bin/man/man2html, /usr/lib/man2html/cgi-bin/man/manwhatis
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_man2html_script policy is very flexible allowing users to setup their httpd_man2html_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_man2html_script:
-+
-+.EX
-+.B httpd_man2html_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_man2html_script policy is very flexible allowing users to setup their httpd_man2html_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_man2html_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_man2html_script_cache_t
-+.EE
-+
-+- Set files with the httpd_man2html_script_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B httpd_man2html_script_exec_t
-+.EE
-+
-+- Set files with the httpd_man2html_script_exec_t type, if you want to transition an executable to the httpd_man2html_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_man2html_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_man2html_rw_content_t
-+
-+
-+.br
-+.B httpd_man2html_script_cache_t
-+
-+ /var/cache/man2html(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_man2html_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_mediawiki_script_selinux.8 b/man/man8/httpd_mediawiki_script_selinux.8
-new file mode 100644
-index 0000000..eaf2b98
---- /dev/null
-+++ b/man/man8/httpd_mediawiki_script_selinux.8
-@@ -0,0 +1,97 @@
-+.TH "httpd_mediawiki_script_selinux" "8" "12-11-01" "httpd_mediawiki_script" "SELinux Policy documentation for httpd_mediawiki_script"
-+.SH "NAME"
-+httpd_mediawiki_script_selinux \- Security Enhanced Linux Policy for the httpd_mediawiki_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_mediawiki_script processes via flexible mandatory access control.
-+
-+The httpd_mediawiki_script processes execute with the httpd_mediawiki_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_mediawiki_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_mediawiki_script_t SELinux type can be entered via the "httpd_mediawiki_script_exec_t,shell_exec_t,httpd_mediawiki_script_exec_t" file types. The default entrypoint paths for the httpd_mediawiki_script_t domain are the following:"
-+
-+/usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc_tes, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc_tes
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_mediawiki_script policy is very flexible allowing users to setup their httpd_mediawiki_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_mediawiki_script:
-+
-+.EX
-+.B httpd_mediawiki_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_mediawiki_script policy is very flexible allowing users to setup their httpd_mediawiki_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_mediawiki_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_mediawiki_script_exec_t
-+.EE
-+
-+- Set files with the httpd_mediawiki_script_exec_t type, if you want to transition an executable to the httpd_mediawiki_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_mediawiki_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_mediawiki_rw_content_t
-+
-+ /var/www/wiki(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_mediawiki_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_mojomojo_script_selinux.8 b/man/man8/httpd_mojomojo_script_selinux.8
-new file mode 100644
-index 0000000..8ff95bf
---- /dev/null
-+++ b/man/man8/httpd_mojomojo_script_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "httpd_mojomojo_script_selinux" "8" "12-11-01" "httpd_mojomojo_script" "SELinux Policy documentation for httpd_mojomojo_script"
-+.SH "NAME"
-+httpd_mojomojo_script_selinux \- Security Enhanced Linux Policy for the httpd_mojomojo_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_mojomojo_script processes via flexible mandatory access control.
-+
-+The httpd_mojomojo_script processes execute with the httpd_mojomojo_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_mojomojo_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_mojomojo_script_t SELinux type can be entered via the "httpd_mojomojo_script_exec_t,shell_exec_t,httpd_mojomojo_script_exec_t" file types. The default entrypoint paths for the httpd_mojomojo_script_t domain are the following:"
-+
-+/usr/bin/mojomojo_fastcgi\.pl, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/bin/mojomojo_fastcgi\.pl
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_mojomojo_script policy is very flexible allowing users to setup their httpd_mojomojo_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_mojomojo_script:
-+
-+.EX
-+.B httpd_mojomojo_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_mojomojo_script policy is very flexible allowing users to setup their httpd_mojomojo_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_mojomojo_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_mojomojo_script_exec_t
-+.EE
-+
-+- Set files with the httpd_mojomojo_script_exec_t type, if you want to transition an executable to the httpd_mojomojo_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_mojomojo_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_mojomojo_rw_content_t
-+
-+ /var/lib/mojomojo(/.*)?
-+.br
-+
-+.br
-+.B httpd_mojomojo_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_mojomojo_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_munin_script_selinux.8 b/man/man8/httpd_munin_script_selinux.8
-new file mode 100644
-index 0000000..df7ae1a
---- /dev/null
-+++ b/man/man8/httpd_munin_script_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "httpd_munin_script_selinux" "8" "12-11-01" "httpd_munin_script" "SELinux Policy documentation for httpd_munin_script"
-+.SH "NAME"
-+httpd_munin_script_selinux \- Security Enhanced Linux Policy for the httpd_munin_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_munin_script processes via flexible mandatory access control.
-+
-+The httpd_munin_script processes execute with the httpd_munin_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_munin_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_munin_script_t SELinux type can be entered via the "httpd_munin_script_exec_t,shell_exec_t,httpd_munin_script_exec_t" file types. The default entrypoint paths for the httpd_munin_script_t domain are the following:"
-+
-+/var/www/html/munin/cgi(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/html/munin/cgi(/.*)?
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_munin_script policy is very flexible allowing users to setup their httpd_munin_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_munin_script:
-+
-+.EX
-+.B httpd_munin_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_munin_script policy is very flexible allowing users to setup their httpd_munin_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_munin_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_munin_script_exec_t
-+.EE
-+
-+- Set files with the httpd_munin_script_exec_t type, if you want to transition an executable to the httpd_munin_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_munin_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_munin_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_munin_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_nagios_script_selinux.8 b/man/man8/httpd_nagios_script_selinux.8
-new file mode 100644
-index 0000000..8bdd9ee
---- /dev/null
-+++ b/man/man8/httpd_nagios_script_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "httpd_nagios_script_selinux" "8" "12-11-01" "httpd_nagios_script" "SELinux Policy documentation for httpd_nagios_script"
-+.SH "NAME"
-+httpd_nagios_script_selinux \- Security Enhanced Linux Policy for the httpd_nagios_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_nagios_script processes via flexible mandatory access control.
-+
-+The httpd_nagios_script processes execute with the httpd_nagios_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_nagios_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_nagios_script_t SELinux type can be entered via the "httpd_nagios_script_exec_t,shell_exec_t,httpd_nagios_script_exec_t" file types. The default entrypoint paths for the httpd_nagios_script_t domain are the following:"
-+
-+/usr/lib/nagios/cgi(/.*)?, /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?, /usr/lib/cgi-bin/netsaint(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/nagios/cgi(/.*)?, /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?, /usr/lib/cgi-bin/netsaint(/.*)?
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_nagios_script policy is very flexible allowing users to setup their httpd_nagios_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_nagios_script:
-+
-+.EX
-+.B httpd_nagios_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_nagios_script policy is very flexible allowing users to setup their httpd_nagios_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_nagios_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_nagios_script_exec_t
-+.EE
-+
-+- Set files with the httpd_nagios_script_exec_t type, if you want to transition an executable to the httpd_nagios_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_nagios_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_nagios_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_nagios_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_nutups_cgi_script_selinux.8 b/man/man8/httpd_nutups_cgi_script_selinux.8
-new file mode 100644
-index 0000000..6f120e5
---- /dev/null
-+++ b/man/man8/httpd_nutups_cgi_script_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "httpd_nutups_cgi_script_selinux" "8" "12-11-01" "httpd_nutups_cgi_script" "SELinux Policy documentation for httpd_nutups_cgi_script"
-+.SH "NAME"
-+httpd_nutups_cgi_script_selinux \- Security Enhanced Linux Policy for the httpd_nutups_cgi_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_nutups_cgi_script processes via flexible mandatory access control.
-+
-+The httpd_nutups_cgi_script processes execute with the httpd_nutups_cgi_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_nutups_cgi_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_nutups_cgi_script_t SELinux type can be entered via the "shell_exec_t,httpd_nutups_cgi_script_exec_t,httpd_nutups_cgi_script_exec_t" file types. The default entrypoint paths for the httpd_nutups_cgi_script_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/nut-cgi-bin/upsset\.cgi, /var/www/nut-cgi-bin/upsimage\.cgi, /var/www/nut-cgi-bin/upsstats\.cgi, /var/www/nut-cgi-bin/upsset\.cgi, /var/www/nut-cgi-bin/upsimage\.cgi, /var/www/nut-cgi-bin/upsstats\.cgi
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_nutups_cgi_script policy is very flexible allowing users to setup their httpd_nutups_cgi_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_nutups_cgi_script:
-+
-+.EX
-+.B httpd_nutups_cgi_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_nutups_cgi_script policy is very flexible allowing users to setup their httpd_nutups_cgi_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_nutups_cgi_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_nutups_cgi_script_exec_t
-+.EE
-+
-+- Set files with the httpd_nutups_cgi_script_exec_t type, if you want to transition an executable to the httpd_nutups_cgi_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_nutups_cgi_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_nutups_cgi_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_nutups_cgi_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_openshift_script_selinux.8 b/man/man8/httpd_openshift_script_selinux.8
-new file mode 100644
-index 0000000..e19d72d
---- /dev/null
-+++ b/man/man8/httpd_openshift_script_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "httpd_openshift_script_selinux" "8" "12-11-01" "httpd_openshift_script" "SELinux Policy documentation for httpd_openshift_script"
-+.SH "NAME"
-+httpd_openshift_script_selinux \- Security Enhanced Linux Policy for the httpd_openshift_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_openshift_script processes via flexible mandatory access control.
-+
-+The httpd_openshift_script processes execute with the httpd_openshift_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_openshift_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_openshift_script_t SELinux type can be entered via the "httpd_openshift_script_exec_t,shell_exec_t,httpd_openshift_script_exec_t" file types. The default entrypoint paths for the httpd_openshift_script_t domain are the following:"
-+
-+/usr/bin/(oo|rhc)-restorer-wrapper.sh, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/bin/(oo|rhc)-restorer-wrapper.sh
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_openshift_script policy is very flexible allowing users to setup their httpd_openshift_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_openshift_script:
-+
-+.EX
-+.B httpd_openshift_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_openshift_script policy is very flexible allowing users to setup their httpd_openshift_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_openshift_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_openshift_script_exec_t
-+.EE
-+
-+- Set files with the httpd_openshift_script_exec_t type, if you want to transition an executable to the httpd_openshift_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_openshift_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_openshift_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_openshift_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_passwd_selinux.8 b/man/man8/httpd_passwd_selinux.8
-new file mode 100644
-index 0000000..11ff56f
---- /dev/null
-+++ b/man/man8/httpd_passwd_selinux.8
-@@ -0,0 +1,113 @@
-+.TH "httpd_passwd_selinux" "8" "12-11-01" "httpd_passwd" "SELinux Policy documentation for httpd_passwd"
-+.SH "NAME"
-+httpd_passwd_selinux \- Security Enhanced Linux Policy for the httpd_passwd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_passwd processes via flexible mandatory access control.
-+
-+The httpd_passwd processes execute with the httpd_passwd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_passwd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_passwd_t SELinux type can be entered via the "httpd_passwd_exec_t" file type. The default entrypoint paths for the httpd_passwd_t domain are the following:"
-+
-+/usr/libexec/httpd-ssl-pass-dialog
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_passwd policy is very flexible allowing users to setup their httpd_passwd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_passwd:
-+
-+.EX
-+.B httpd_passwd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_passwd policy is very flexible allowing users to setup their httpd_passwd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_passwd:
-+
-+
-+.EX
-+.PP
-+.B httpd_passwd_exec_t
-+.EE
-+
-+- Set files with the httpd_passwd_exec_t type, if you want to transition an executable to the httpd_passwd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_passwd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the httpd_passwd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_passwd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_php_selinux.8 b/man/man8/httpd_php_selinux.8
-new file mode 100644
-index 0000000..6690ac0
---- /dev/null
-+++ b/man/man8/httpd_php_selinux.8
-@@ -0,0 +1,117 @@
-+.TH "httpd_php_selinux" "8" "12-11-01" "httpd_php" "SELinux Policy documentation for httpd_php"
-+.SH "NAME"
-+httpd_php_selinux \- Security Enhanced Linux Policy for the httpd_php processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_php processes via flexible mandatory access control.
-+
-+The httpd_php processes execute with the httpd_php_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_php_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_php_t SELinux type can be entered via the "httpd_php_exec_t" file type. The default entrypoint paths for the httpd_php_t domain are the following:"
-+
-+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_php policy is very flexible allowing users to setup their httpd_php processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_php:
-+
-+.EX
-+.B httpd_php_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_php policy is very flexible allowing users to setup their httpd_php processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_php:
-+
-+
-+.EX
-+.PP
-+.B httpd_php_exec_t
-+.EE
-+
-+- Set files with the httpd_php_exec_t type, if you want to transition an executable to the httpd_php_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_php_tmp_t
-+.EE
-+
-+- Set files with the httpd_php_tmp_t type, if you want to store httpd php temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_php_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_php_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_php_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the httpd_php_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_php(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_prewikka_script_selinux.8 b/man/man8/httpd_prewikka_script_selinux.8
-new file mode 100644
-index 0000000..8b729f1
---- /dev/null
-+++ b/man/man8/httpd_prewikka_script_selinux.8
-@@ -0,0 +1,109 @@
-+.TH "httpd_prewikka_script_selinux" "8" "12-11-01" "httpd_prewikka_script" "SELinux Policy documentation for httpd_prewikka_script"
-+.SH "NAME"
-+httpd_prewikka_script_selinux \- Security Enhanced Linux Policy for the httpd_prewikka_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_prewikka_script processes via flexible mandatory access control.
-+
-+The httpd_prewikka_script processes execute with the httpd_prewikka_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_prewikka_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_prewikka_script_t SELinux type can be entered via the "shell_exec_t,httpd_prewikka_script_exec_t,httpd_prewikka_script_exec_t" file types. The default entrypoint paths for the httpd_prewikka_script_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/prewikka/cgi-bin(/.*)?, /usr/share/prewikka/cgi-bin(/.*)?
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_prewikka_script policy is very flexible allowing users to setup their httpd_prewikka_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_prewikka_script:
-+
-+.EX
-+.B httpd_prewikka_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_prewikka_script policy is very flexible allowing users to setup their httpd_prewikka_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_prewikka_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_prewikka_script_exec_t
-+.EE
-+
-+- Set files with the httpd_prewikka_script_exec_t type, if you want to transition an executable to the httpd_prewikka_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_prewikka_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_prewikka_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_prewikka_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the httpd_prewikka_script_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_prewikka_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_rotatelogs_selinux.8 b/man/man8/httpd_rotatelogs_selinux.8
-new file mode 100644
-index 0000000..bbe80c8
---- /dev/null
-+++ b/man/man8/httpd_rotatelogs_selinux.8
-@@ -0,0 +1,121 @@
-+.TH "httpd_rotatelogs_selinux" "8" "12-11-01" "httpd_rotatelogs" "SELinux Policy documentation for httpd_rotatelogs"
-+.SH "NAME"
-+httpd_rotatelogs_selinux \- Security Enhanced Linux Policy for the httpd_rotatelogs processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_rotatelogs processes via flexible mandatory access control.
-+
-+The httpd_rotatelogs processes execute with the httpd_rotatelogs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_rotatelogs_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_rotatelogs_t SELinux type can be entered via the "httpd_rotatelogs_exec_t" file type. The default entrypoint paths for the httpd_rotatelogs_t domain are the following:"
-+
-+/usr/sbin/rotatelogs
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_rotatelogs policy is very flexible allowing users to setup their httpd_rotatelogs processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_rotatelogs:
-+
-+.EX
-+.B httpd_rotatelogs_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_rotatelogs policy is very flexible allowing users to setup their httpd_rotatelogs processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_rotatelogs:
-+
-+
-+.EX
-+.PP
-+.B httpd_rotatelogs_exec_t
-+.EE
-+
-+- Set files with the httpd_rotatelogs_exec_t type, if you want to transition an executable to the httpd_rotatelogs_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_rotatelogs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_log_t
-+
-+ /var/www(/.*)?/logs(/.*)?
-+.br
-+ /var/log/cacti(/.*)?
-+.br
-+ /var/log/httpd(/.*)?
-+.br
-+ /var/log/apache(2)?(/.*)?
-+.br
-+ /var/log/cherokee(/.*)?
-+.br
-+ /var/log/lighttpd(/.*)?
-+.br
-+ /var/log/suphp\.log.*
-+.br
-+ /var/log/apache-ssl(2)?(/.*)?
-+.br
-+ /var/log/cgiwrap\.log.*
-+.br
-+ /var/www/stickshift/[^/]*/log(/.*)?
-+.br
-+ /var/log/roundcubemail(/.*)?
-+.br
-+ /var/log/dirsrv/admin-serv(/.*)?
-+.br
-+ /etc/httpd/logs
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_rotatelogs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
-index 16e8b13..d05f08b 100644
---- a/man/man8/httpd_selinux.8
-+++ b/man/man8/httpd_selinux.8
-@@ -1,120 +1,2164 @@
--.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
--.de EX
--.nf
--.ft CW
--..
--.de EE
--.ft R
--.fi
--..
-+.TH "httpd_selinux" "8" "12-11-01" "httpd" "SELinux Policy documentation for httpd"
- .SH "NAME"
--httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
-+httpd_selinux \- Security Enhanced Linux Policy for the httpd processes
- .SH "DESCRIPTION"
-
--Security-Enhanced Linux secures the httpd server via flexible mandatory access
--control.
--.SH FILE_CONTEXTS
--SELinux requires files to have an extended attribute to define the file type.
--Policy governs the access daemons have to these files.
--SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
--.PP
--The following file contexts types are defined for httpd:
-+Security-Enhanced Linux secures the httpd processes via flexible mandatory access control.
-+
-+The httpd processes execute with the httpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_t SELinux type can be entered via the "httpd_exec_t" file type. The default entrypoint paths for the httpd_t domain are the following:"
-+
-+/usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd:
-+
-+.EX
-+.B httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t, httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t, httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t, httpd_mojomojo_script_t, httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t, httpd_awstats_script_t, httpd_apcupsd_cgi_script_t, httpd_nutups_cgi_script_t, httpd_munin_script_t, httpd_zoneminder_script_t, httpd_openshift_script_t, httpd_sys_script_t, httpd_dspam_script_t, httpd_prewikka_script_t, httpd_git_script_t, httpd_t, httpd_man2html_script_t, httpd_passwd_t, httpd_helper_t, httpd_squid_script_t, httpd_cobbler_script_t, httpd_mediawiki_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow httpd processes to manage IPA content, you must turn on the httpd_manage_ipa boolean.
-+
-+.EX
-+.B setsebool -P httpd_manage_ipa 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to run in stickshift mode, not transition to passenger, you must turn on the httpd_run_stickshift boolean.
-+
-+.EX
-+.B setsebool -P httpd_run_stickshift 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to access FUSE file systems, you must turn on the httpd_use_fusefs boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_fusefs 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to access openstack ports, you must turn on the httpd_use_openstack boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_openstack 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to connect to the ldap port, you must turn on the httpd_can_connect_ldap boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_connect_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow httpd daemon to change its resource limits, you must turn on the httpd_setrlimit boolean.
-+
-+.EX
-+.B setsebool -P httpd_setrlimit 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_oddjob 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
-+
-+.EX
-+.B setsebool -P httpd_enable_ftp_server 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to act as a relay, you must turn on the httpd_can_network_relay boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_network_relay 1
-+.EE
-+
-+.PP
-+If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_check_spam 1
-+.EE
-+
-+.PP
-+If you want to unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal, you must turn on the httpd_tty_comm boolean.
-+
-+.EX
-+.B setsebool -P httpd_tty_comm 1
-+.EE
-+
-+.PP
-+If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean.
-+
-+.EX
-+.B setsebool -P httpd_unified 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_network_memcache 1
-+.EE
-+
-+.PP
-+If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean.
-+
-+.EX
-+.B setsebool -P httpd_graceful_shutdown 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_gpg 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to use built in scripting (usually php), you must turn on the httpd_builtin_scripting boolean.
-+
-+.EX
-+.B setsebool -P httpd_builtin_scripting 1
-+.EE
-+
-+.PP
-+If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_sendmail 1
-+.EE
-+
-+.PP
-+If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean.
-+
-+.EX
-+.B setsebool -P httpd_enable_cgi 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to use mod_auth_pam, you must turn on the httpd_mod_auth_pam boolean.
-+
-+.EX
-+.B setsebool -P httpd_mod_auth_pam 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean.
-+
-+.EX
-+.B setsebool -P httpd_read_user_content 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to query NS records, you must turn on the httpd_verify_dns boolean.
-+
-+.EX
-+.B setsebool -P httpd_verify_dns 1
-+.EE
-+
-+.PP
-+If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean.
-+
-+.EX
-+.B setsebool -P named_bind_http_port 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_connect_ftp 1
-+.EE
-+
-+.PP
-+If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_network_connect_cobbler 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean.
-+
-+.EX
-+.B setsebool -P httpd_mod_auth_ntlm_winbind 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean.
-+
-+.EX
-+.B setsebool -P httpd_dbus_avahi 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to read home directories, you must turn on the httpd_enable_homedirs boolean.
-+
-+.EX
-+.B setsebool -P httpd_enable_homedirs 1
-+.EE
-+
-+.PP
-+If you want to allow HTTPD to run SSI executables in the same domain as system CGI scripts, you must turn on the httpd_ssi_exec boolean.
-+
-+.EX
-+.B setsebool -P httpd_ssi_exec 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean.
-+
-+.EX
-+.B setsebool -P httpd_tmp_exec 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to access cifs file systems, you must turn on the httpd_use_cifs boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_cifs 1
-+.EE
-+
-+.PP
-+If you want to allow httpd scripts and modules execmem/execstack, you must turn on the httpd_execmem boolean.
-+
-+.EX
-+.B setsebool -P httpd_execmem 1
-+.EE
-+
-+.PP
-+If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_connect_zabbix 1
-+.EE
-+
-+.PP
-+If you want to allow HTTPD scripts and modules to connect to the network using TCP, you must turn on the httpd_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_network_connect 1
-+.EE
-+
-+.PP
-+If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_network_connect_db 1
-+.EE
-+
-+.PP
-+If you want to allow httpd processes to manage IPA content, you must turn on the httpd_manage_ipa boolean.
-+
-+.EX
-+.B setsebool -P httpd_manage_ipa 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to run in stickshift mode, not transition to passenger, you must turn on the httpd_run_stickshift boolean.
-+
-+.EX
-+.B setsebool -P httpd_run_stickshift 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to access FUSE file systems, you must turn on the httpd_use_fusefs boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_fusefs 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to access openstack ports, you must turn on the httpd_use_openstack boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_openstack 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to connect to the ldap port, you must turn on the httpd_can_connect_ldap boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_connect_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow httpd daemon to change its resource limits, you must turn on the httpd_setrlimit boolean.
-+
-+.EX
-+.B setsebool -P httpd_setrlimit 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_oddjob 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
-+
-+.EX
-+.B setsebool -P httpd_enable_ftp_server 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to act as a relay, you must turn on the httpd_can_network_relay boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_network_relay 1
-+.EE
-+
-+.PP
-+If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_check_spam 1
-+.EE
-+
-+.PP
-+If you want to unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal, you must turn on the httpd_tty_comm boolean.
-+
-+.EX
-+.B setsebool -P httpd_tty_comm 1
-+.EE
-+
-+.PP
-+If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean.
-+
-+.EX
-+.B setsebool -P httpd_unified 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_network_memcache 1
-+.EE
-+
-+.PP
-+If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean.
-+
-+.EX
-+.B setsebool -P httpd_graceful_shutdown 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_gpg 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to use built in scripting (usually php), you must turn on the httpd_builtin_scripting boolean.
-+
-+.EX
-+.B setsebool -P httpd_builtin_scripting 1
-+.EE
-+
-+.PP
-+If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_sendmail 1
-+.EE
-+
-+.PP
-+If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean.
-+
-+.EX
-+.B setsebool -P httpd_enable_cgi 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to use mod_auth_pam, you must turn on the httpd_mod_auth_pam boolean.
-+
-+.EX
-+.B setsebool -P httpd_mod_auth_pam 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean.
-+
-+.EX
-+.B setsebool -P httpd_read_user_content 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to query NS records, you must turn on the httpd_verify_dns boolean.
-+
-+.EX
-+.B setsebool -P httpd_verify_dns 1
-+.EE
-+
-+.PP
-+If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean.
-+
-+.EX
-+.B setsebool -P named_bind_http_port 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_connect_ftp 1
-+.EE
-+
-+.PP
-+If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_network_connect_cobbler 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean.
-+
-+.EX
-+.B setsebool -P httpd_mod_auth_ntlm_winbind 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean.
-+
-+.EX
-+.B setsebool -P httpd_dbus_avahi 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to read home directories, you must turn on the httpd_enable_homedirs boolean.
-+
-+.EX
-+.B setsebool -P httpd_enable_homedirs 1
-+.EE
-+
-+.PP
-+If you want to allow HTTPD to run SSI executables in the same domain as system CGI scripts, you must turn on the httpd_ssi_exec boolean.
-+
-+.EX
-+.B setsebool -P httpd_ssi_exec 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean.
-+
-+.EX
-+.B setsebool -P httpd_tmp_exec 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to access cifs file systems, you must turn on the httpd_use_cifs boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_cifs 1
-+.EE
-+
-+.PP
-+If you want to allow httpd scripts and modules execmem/execstack, you must turn on the httpd_execmem boolean.
-+
-+.EX
-+.B setsebool -P httpd_execmem 1
-+.EE
-+
-+.PP
-+If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_connect_zabbix 1
-+.EE
-+
-+.PP
-+If you want to allow HTTPD scripts and modules to connect to the network using TCP, you must turn on the httpd_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_network_connect 1
-+.EE
-+
-+.PP
-+If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_network_connect_db 1
-+.EE
-+
-+.SH SHARING FILES
-+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
-+.TP
-+Allow httpd servers to read the /var/httpd directory by adding the public_content_t file type to the directory and by restoring the file type.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/httpd
-+.pp
-+.TP
-+Allow httpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_httpdd_anon_write boolean to be set.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/httpd/incoming
-+
-+
-+.PP
-+If you want to allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t., you must turn on the httpd_anon_write boolean.
-+
-+.EX
-+.B setsebool -P httpd_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the httpd_sys_script_anon_write boolean.
-+
-+.EX
-+.B setsebool -P httpd_sys_script_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t., you must turn on the httpd_anon_write boolean.
-+
-+.EX
-+.B setsebool -P httpd_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the httpd_sys_script_anon_write boolean.
-+
-+.EX
-+.B setsebool -P httpd_sys_script_anon_write 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd:
-+
-+
-+.EX
-+.PP
-+.B httpd_apcupsd_cgi_content_t
-+.EE
-+
-+- Set files with the httpd_apcupsd_cgi_content_t type, if you want to treat the files as httpd apcupsd cgi content.
-+
-+
-+.EX
-+.PP
-+.B httpd_apcupsd_cgi_htaccess_t
-+.EE
-+
-+- Set files with the httpd_apcupsd_cgi_htaccess_t type, if you want to treat the file as a httpd apcupsd cgi access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_apcupsd_cgi_ra_content_t
-+.EE
-+
-+- Set files with the httpd_apcupsd_cgi_ra_content_t type, if you want to treat the files as httpd apcupsd cgi read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_apcupsd_cgi_rw_content_t
-+.EE
-+
-+- Set files with the httpd_apcupsd_cgi_rw_content_t type, if you want to treat the files as httpd apcupsd cgi read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_apcupsd_cgi_script_exec_t
-+.EE
-+
-+- Set files with the httpd_apcupsd_cgi_script_exec_t type, if you want to transition an executable to the httpd_apcupsd_cgi_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_awstats_content_t
-+.EE
-+
-+- Set files with the httpd_awstats_content_t type, if you want to treat the files as httpd awstats content.
-+
-+
-+.EX
-+.PP
-+.B httpd_awstats_htaccess_t
-+.EE
-+
-+- Set files with the httpd_awstats_htaccess_t type, if you want to treat the file as a httpd awstats access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_awstats_ra_content_t
-+.EE
-+
-+- Set files with the httpd_awstats_ra_content_t type, if you want to treat the files as httpd awstats read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_awstats_rw_content_t
-+.EE
-+
-+- Set files with the httpd_awstats_rw_content_t type, if you want to treat the files as httpd awstats read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_awstats_script_exec_t
-+.EE
-+
-+- Set files with the httpd_awstats_script_exec_t type, if you want to transition an executable to the httpd_awstats_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_bugzilla_content_t
-+.EE
-+
-+- Set files with the httpd_bugzilla_content_t type, if you want to treat the files as httpd bugzilla content.
-+
-+
-+.EX
-+.PP
-+.B httpd_bugzilla_htaccess_t
-+.EE
-+
-+- Set files with the httpd_bugzilla_htaccess_t type, if you want to treat the file as a httpd bugzilla access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_bugzilla_ra_content_t
-+.EE
-+
-+- Set files with the httpd_bugzilla_ra_content_t type, if you want to treat the files as httpd bugzilla read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_bugzilla_rw_content_t
-+.EE
-+
-+- Set files with the httpd_bugzilla_rw_content_t type, if you want to treat the files as httpd bugzilla read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_bugzilla_script_exec_t
-+.EE
-+
-+- Set files with the httpd_bugzilla_script_exec_t type, if you want to transition an executable to the httpd_bugzilla_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_bugzilla_tmp_t
-+.EE
-+
-+- Set files with the httpd_bugzilla_tmp_t type, if you want to store httpd bugzilla temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B httpd_cache_t
-+.EE
-+
-+- Set files with the httpd_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B httpd_cobbler_content_t
-+.EE
-+
-+- Set files with the httpd_cobbler_content_t type, if you want to treat the files as httpd cobbler content.
-+
-+
-+.EX
-+.PP
-+.B httpd_cobbler_htaccess_t
-+.EE
-+
-+- Set files with the httpd_cobbler_htaccess_t type, if you want to treat the file as a httpd cobbler access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_cobbler_ra_content_t
-+.EE
-+
-+- Set files with the httpd_cobbler_ra_content_t type, if you want to treat the files as httpd cobbler read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_cobbler_rw_content_t
-+.EE
-+
-+- Set files with the httpd_cobbler_rw_content_t type, if you want to treat the files as httpd cobbler read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_cobbler_script_exec_t
-+.EE
-+
-+- Set files with the httpd_cobbler_script_exec_t type, if you want to transition an executable to the httpd_cobbler_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_collectd_content_t
-+.EE
-+
-+- Set files with the httpd_collectd_content_t type, if you want to treat the files as httpd collectd content.
-+
-+
-+.EX
-+.PP
-+.B httpd_collectd_htaccess_t
-+.EE
-+
-+- Set files with the httpd_collectd_htaccess_t type, if you want to treat the file as a httpd collectd access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_collectd_ra_content_t
-+.EE
-+
-+- Set files with the httpd_collectd_ra_content_t type, if you want to treat the files as httpd collectd read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_collectd_rw_content_t
-+.EE
-+
-+- Set files with the httpd_collectd_rw_content_t type, if you want to treat the files as httpd collectd read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_collectd_script_exec_t
-+.EE
-+
-+- Set files with the httpd_collectd_script_exec_t type, if you want to transition an executable to the httpd_collectd_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_config_t
-+.EE
-+
-+- Set files with the httpd_config_t type, if you want to treat the files as httpd configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B httpd_cvs_content_t
-+.EE
-+
-+- Set files with the httpd_cvs_content_t type, if you want to treat the files as httpd cvs content.
-+
-+
-+.EX
-+.PP
-+.B httpd_cvs_htaccess_t
-+.EE
-+
-+- Set files with the httpd_cvs_htaccess_t type, if you want to treat the file as a httpd cvs access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_cvs_ra_content_t
-+.EE
-+
-+- Set files with the httpd_cvs_ra_content_t type, if you want to treat the files as httpd cvs read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_cvs_rw_content_t
-+.EE
-+
-+- Set files with the httpd_cvs_rw_content_t type, if you want to treat the files as httpd cvs read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_cvs_script_exec_t
-+.EE
-+
-+- Set files with the httpd_cvs_script_exec_t type, if you want to transition an executable to the httpd_cvs_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_dirsrvadmin_content_t
-+.EE
-+
-+- Set files with the httpd_dirsrvadmin_content_t type, if you want to treat the files as httpd dirsrvadmin content.
-+
-+
-+.EX
-+.PP
-+.B httpd_dirsrvadmin_htaccess_t
-+.EE
-+
-+- Set files with the httpd_dirsrvadmin_htaccess_t type, if you want to treat the file as a httpd dirsrvadmin access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_dirsrvadmin_ra_content_t
-+.EE
-+
-+- Set files with the httpd_dirsrvadmin_ra_content_t type, if you want to treat the files as httpd dirsrvadmin read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_dirsrvadmin_rw_content_t
-+.EE
-+
-+- Set files with the httpd_dirsrvadmin_rw_content_t type, if you want to treat the files as httpd dirsrvadmin read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_dirsrvadmin_script_exec_t
-+.EE
-+
-+- Set files with the httpd_dirsrvadmin_script_exec_t type, if you want to transition an executable to the httpd_dirsrvadmin_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_dspam_content_t
-+.EE
-+
-+- Set files with the httpd_dspam_content_t type, if you want to treat the files as httpd dspam content.
-+
-+
-+.EX
-+.PP
-+.B httpd_dspam_htaccess_t
-+.EE
-+
-+- Set files with the httpd_dspam_htaccess_t type, if you want to treat the file as a httpd dspam access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_dspam_ra_content_t
-+.EE
-+
-+- Set files with the httpd_dspam_ra_content_t type, if you want to treat the files as httpd dspam read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_dspam_rw_content_t
-+.EE
-+
-+- Set files with the httpd_dspam_rw_content_t type, if you want to treat the files as httpd dspam read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_dspam_script_exec_t
-+.EE
-+
-+- Set files with the httpd_dspam_script_exec_t type, if you want to transition an executable to the httpd_dspam_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_exec_t
-+.EE
-+
-+- Set files with the httpd_exec_t type, if you want to transition an executable to the httpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_git_content_t
-+.EE
-+
-+- Set files with the httpd_git_content_t type, if you want to treat the files as httpd git content.
-+
-+
-+.EX
-+.PP
-+.B httpd_git_htaccess_t
-+.EE
-+
-+- Set files with the httpd_git_htaccess_t type, if you want to treat the file as a httpd git access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_git_ra_content_t
-+.EE
-+
-+- Set files with the httpd_git_ra_content_t type, if you want to treat the files as httpd git read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_git_rw_content_t
-+.EE
-+
-+- Set files with the httpd_git_rw_content_t type, if you want to treat the files as httpd git read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_git_script_exec_t
-+.EE
-+
-+- Set files with the httpd_git_script_exec_t type, if you want to transition an executable to the httpd_git_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_helper_exec_t
-+.EE
-+
-+- Set files with the httpd_helper_exec_t type, if you want to transition an executable to the httpd_helper_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_initrc_exec_t
-+.EE
-+
-+- Set files with the httpd_initrc_exec_t type, if you want to transition an executable to the httpd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_keytab_t
-+.EE
-+
-+- Set files with the httpd_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B httpd_lock_t
-+.EE
-+
-+- Set files with the httpd_lock_t type, if you want to treat the files as httpd lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B httpd_log_t
-+.EE
-+
-+- Set files with the httpd_log_t type, if you want to treat the data as httpd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B httpd_man2html_content_t
-+.EE
-+
-+- Set files with the httpd_man2html_content_t type, if you want to treat the files as httpd man2html content.
-+
-+
-+.EX
-+.PP
-+.B httpd_man2html_htaccess_t
-+.EE
-+
-+- Set files with the httpd_man2html_htaccess_t type, if you want to treat the file as a httpd man2html access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_man2html_ra_content_t
-+.EE
-+
-+- Set files with the httpd_man2html_ra_content_t type, if you want to treat the files as httpd man2html read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_man2html_rw_content_t
-+.EE
-+
-+- Set files with the httpd_man2html_rw_content_t type, if you want to treat the files as httpd man2html read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_man2html_script_cache_t
-+.EE
-+
-+- Set files with the httpd_man2html_script_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B httpd_man2html_script_exec_t
-+.EE
-+
-+- Set files with the httpd_man2html_script_exec_t type, if you want to transition an executable to the httpd_man2html_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_mediawiki_content_t
-+.EE
-+
-+- Set files with the httpd_mediawiki_content_t type, if you want to treat the files as httpd mediawiki content.
-+
-+
-+.EX
-+.PP
-+.B httpd_mediawiki_htaccess_t
-+.EE
-+
-+- Set files with the httpd_mediawiki_htaccess_t type, if you want to treat the file as a httpd mediawiki access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_mediawiki_ra_content_t
-+.EE
-+
-+- Set files with the httpd_mediawiki_ra_content_t type, if you want to treat the files as httpd mediawiki read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_mediawiki_rw_content_t
-+.EE
-+
-+- Set files with the httpd_mediawiki_rw_content_t type, if you want to treat the files as httpd mediawiki read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_mediawiki_script_exec_t
-+.EE
-+
-+- Set files with the httpd_mediawiki_script_exec_t type, if you want to transition an executable to the httpd_mediawiki_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_modules_t
-+.EE
-+
-+- Set files with the httpd_modules_t type, if you want to treat the files as httpd modules.
-+
-+
-+.EX
-+.PP
-+.B httpd_mojomojo_content_t
-+.EE
-+
-+- Set files with the httpd_mojomojo_content_t type, if you want to treat the files as httpd mojomojo content.
-+
-+
-+.EX
-+.PP
-+.B httpd_mojomojo_htaccess_t
-+.EE
-+
-+- Set files with the httpd_mojomojo_htaccess_t type, if you want to treat the file as a httpd mojomojo access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_mojomojo_ra_content_t
-+.EE
-+
-+- Set files with the httpd_mojomojo_ra_content_t type, if you want to treat the files as httpd mojomojo read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_mojomojo_rw_content_t
-+.EE
-+
-+- Set files with the httpd_mojomojo_rw_content_t type, if you want to treat the files as httpd mojomojo read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_mojomojo_script_exec_t
-+.EE
-+
-+- Set files with the httpd_mojomojo_script_exec_t type, if you want to transition an executable to the httpd_mojomojo_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_mojomojo_tmp_t
-+.EE
-+
-+- Set files with the httpd_mojomojo_tmp_t type, if you want to store httpd mojomojo temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B httpd_munin_content_t
-+.EE
-+
-+- Set files with the httpd_munin_content_t type, if you want to treat the files as httpd munin content.
-+
-+
-+.EX
-+.PP
-+.B httpd_munin_htaccess_t
-+.EE
-+
-+- Set files with the httpd_munin_htaccess_t type, if you want to treat the file as a httpd munin access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_munin_ra_content_t
-+.EE
-+
-+- Set files with the httpd_munin_ra_content_t type, if you want to treat the files as httpd munin read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_munin_rw_content_t
-+.EE
-+
-+- Set files with the httpd_munin_rw_content_t type, if you want to treat the files as httpd munin read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_munin_script_exec_t
-+.EE
-+
-+- Set files with the httpd_munin_script_exec_t type, if you want to transition an executable to the httpd_munin_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_nagios_content_t
-+.EE
-+
-+- Set files with the httpd_nagios_content_t type, if you want to treat the files as httpd nagios content.
-+
-+
-+.EX
-+.PP
-+.B httpd_nagios_htaccess_t
-+.EE
-+
-+- Set files with the httpd_nagios_htaccess_t type, if you want to treat the file as a httpd nagios access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_nagios_ra_content_t
-+.EE
-+
-+- Set files with the httpd_nagios_ra_content_t type, if you want to treat the files as httpd nagios read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_nagios_rw_content_t
-+.EE
-+
-+- Set files with the httpd_nagios_rw_content_t type, if you want to treat the files as httpd nagios read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_nagios_script_exec_t
-+.EE
-+
-+- Set files with the httpd_nagios_script_exec_t type, if you want to transition an executable to the httpd_nagios_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_nutups_cgi_content_t
-+.EE
-+
-+- Set files with the httpd_nutups_cgi_content_t type, if you want to treat the files as httpd nutups cgi content.
-+
-+
-+.EX
-+.PP
-+.B httpd_nutups_cgi_htaccess_t
-+.EE
-+
-+- Set files with the httpd_nutups_cgi_htaccess_t type, if you want to treat the file as a httpd nutups cgi access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_nutups_cgi_ra_content_t
-+.EE
-+
-+- Set files with the httpd_nutups_cgi_ra_content_t type, if you want to treat the files as httpd nutups cgi read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_nutups_cgi_rw_content_t
-+.EE
-+
-+- Set files with the httpd_nutups_cgi_rw_content_t type, if you want to treat the files as httpd nutups cgi read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_nutups_cgi_script_exec_t
-+.EE
-+
-+- Set files with the httpd_nutups_cgi_script_exec_t type, if you want to transition an executable to the httpd_nutups_cgi_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_openshift_content_t
-+.EE
-+
-+- Set files with the httpd_openshift_content_t type, if you want to treat the files as httpd openshift content.
-+
-+
-+.EX
-+.PP
-+.B httpd_openshift_htaccess_t
-+.EE
-+
-+- Set files with the httpd_openshift_htaccess_t type, if you want to treat the file as a httpd openshift access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_openshift_ra_content_t
-+.EE
-+
-+- Set files with the httpd_openshift_ra_content_t type, if you want to treat the files as httpd openshift read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_openshift_rw_content_t
-+.EE
-+
-+- Set files with the httpd_openshift_rw_content_t type, if you want to treat the files as httpd openshift read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_openshift_script_exec_t
-+.EE
-+
-+- Set files with the httpd_openshift_script_exec_t type, if you want to transition an executable to the httpd_openshift_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_passwd_exec_t
-+.EE
-+
-+- Set files with the httpd_passwd_exec_t type, if you want to transition an executable to the httpd_passwd_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_php_exec_t
-+.EE
-+
-+- Set files with the httpd_php_exec_t type, if you want to transition an executable to the httpd_php_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_php_tmp_t
-+.EE
-+
-+- Set files with the httpd_php_tmp_t type, if you want to store httpd php temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B httpd_prewikka_content_t
-+.EE
-+
-+- Set files with the httpd_prewikka_content_t type, if you want to treat the files as httpd prewikka content.
-+
-+
-+.EX
-+.PP
-+.B httpd_prewikka_htaccess_t
-+.EE
-+
-+- Set files with the httpd_prewikka_htaccess_t type, if you want to treat the file as a httpd prewikka access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_prewikka_ra_content_t
-+.EE
-+
-+- Set files with the httpd_prewikka_ra_content_t type, if you want to treat the files as httpd prewikka read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_prewikka_rw_content_t
-+.EE
-+
-+- Set files with the httpd_prewikka_rw_content_t type, if you want to treat the files as httpd prewikka read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_prewikka_script_exec_t
-+.EE
-+
-+- Set files with the httpd_prewikka_script_exec_t type, if you want to transition an executable to the httpd_prewikka_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_rotatelogs_exec_t
-+.EE
-+
-+- Set files with the httpd_rotatelogs_exec_t type, if you want to transition an executable to the httpd_rotatelogs_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_smokeping_cgi_content_t
-+.EE
-+
-+- Set files with the httpd_smokeping_cgi_content_t type, if you want to treat the files as httpd smokeping cgi content.
-+
-+
-+.EX
-+.PP
-+.B httpd_smokeping_cgi_htaccess_t
-+.EE
-+
-+- Set files with the httpd_smokeping_cgi_htaccess_t type, if you want to treat the file as a httpd smokeping cgi access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_smokeping_cgi_ra_content_t
-+.EE
-+
-+- Set files with the httpd_smokeping_cgi_ra_content_t type, if you want to treat the files as httpd smokeping cgi read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_smokeping_cgi_rw_content_t
-+.EE
-+
-+- Set files with the httpd_smokeping_cgi_rw_content_t type, if you want to treat the files as httpd smokeping cgi read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_smokeping_cgi_script_exec_t
-+.EE
-+
-+- Set files with the httpd_smokeping_cgi_script_exec_t type, if you want to transition an executable to the httpd_smokeping_cgi_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_squid_content_t
-+.EE
-+
-+- Set files with the httpd_squid_content_t type, if you want to treat the files as httpd squid content.
-+
-+
-+.EX
-+.PP
-+.B httpd_squid_htaccess_t
-+.EE
-+
-+- Set files with the httpd_squid_htaccess_t type, if you want to treat the file as a httpd squid access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_squid_ra_content_t
-+.EE
-+
-+- Set files with the httpd_squid_ra_content_t type, if you want to treat the files as httpd squid read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_squid_rw_content_t
-+.EE
-+
-+- Set files with the httpd_squid_rw_content_t type, if you want to treat the files as httpd squid read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_squid_script_exec_t
-+.EE
-+
-+- Set files with the httpd_squid_script_exec_t type, if you want to transition an executable to the httpd_squid_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_squirrelmail_t
-+.EE
-+
-+- Set files with the httpd_squirrelmail_t type, if you want to treat the files as httpd squirrelmail data.
-+
-+
-+.EX
-+.PP
-+.B httpd_suexec_exec_t
-+.EE
-+
-+- Set files with the httpd_suexec_exec_t type, if you want to transition an executable to the httpd_suexec_t domain.
-+
-+
- .EX
--httpd_sys_content_t
--.EE
--- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
-+.PP
-+.B httpd_suexec_tmp_t
-+.EE
-+
-+- Set files with the httpd_suexec_tmp_t type, if you want to store httpd suexec temporary files in the /tmp directories.
-+
-+
- .EX
--httpd_sys_script_exec_t
--.EE
--- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
-+.PP
-+.B httpd_sys_content_t
-+.EE
-+
-+- Set files with the httpd_sys_content_t type, if you want to treat the files as httpd sys content.
-+
-+
- .EX
--httpd_sys_content_rw_t
-+.PP
-+.B httpd_sys_htaccess_t
- .EE
--- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
-+
-+- Set files with the httpd_sys_htaccess_t type, if you want to treat the file as a httpd sys access file.
-+
-+
- .EX
--httpd_sys_content_ra_t
-+.PP
-+.B httpd_sys_ra_content_t
- .EE
--- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access.
-+
-+- Set files with the httpd_sys_ra_content_t type, if you want to treat the files as httpd sys read/append content.
-+
-+
- .EX
--httpd_unconfined_script_exec_t
--.EE
--- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd.
-+.PP
-+.B httpd_sys_rw_content_t
-+.EE
-
--.SH NOTE
--With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
-+- Set files with the httpd_sys_rw_content_t type, if you want to treat the files as httpd sys read/write content.
-
--.SH SHARING FILES
--If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute:
-
- .EX
--setsebool -P allow_httpd_anon_write=1
-+.PP
-+.B httpd_sys_script_exec_t
- .EE
-
--or
-+- Set files with the httpd_sys_script_exec_t type, if you want to transition an executable to the httpd_sys_script_t domain.
-+
-
- .EX
--setsebool -P allow_httpd_sys_script_anon_write=1
-+.PP
-+.B httpd_tmp_t
- .EE
-
--.SH BOOLEANS
--SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
-+- Set files with the httpd_tmp_t type, if you want to store httpd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B httpd_tmpfs_t
-+.EE
-+
-+- Set files with the httpd_tmpfs_t type, if you want to store httpd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B httpd_unit_file_t
-+.EE
-+
-+- Set files with the httpd_unit_file_t type, if you want to treat the files as httpd unit content.
-+
-+
-+.EX
-+.PP
-+.B httpd_user_content_t
-+.EE
-+
-+- Set files with the httpd_user_content_t type, if you want to treat the files as httpd user content.
-+
-+
-+.EX
-+.PP
-+.B httpd_user_htaccess_t
-+.EE
-+
-+- Set files with the httpd_user_htaccess_t type, if you want to treat the file as a httpd user access file.
-+
-+
-+.EX
-+.PP
-+.B httpd_user_ra_content_t
-+.EE
-+
-+- Set files with the httpd_user_ra_content_t type, if you want to treat the files as httpd user read/append content.
-+
-+
-+.EX
-+.PP
-+.B httpd_user_rw_content_t
-+.EE
-+
-+- Set files with the httpd_user_rw_content_t type, if you want to treat the files as httpd user read/write content.
-+
-+
-+.EX
-+.PP
-+.B httpd_user_script_exec_t
-+.EE
-+
-+- Set files with the httpd_user_script_exec_t type, if you want to transition an executable to the httpd_user_script_t domain.
-+
-+
-+.EX
- .PP
--httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
-+.B httpd_var_lib_t
-+.EE
-+
-+- Set files with the httpd_var_lib_t type, if you want to store the httpd files under the /var/lib directory.
-+
-
- .EX
--setsebool -P httpd_enable_cgi 1
-+.PP
-+.B httpd_var_run_t
- .EE
-
-+- Set files with the httpd_var_run_t type, if you want to store the httpd files under the /run directory.
-+
-+
-+.EX
- .PP
--SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
-+.B httpd_w3c_validator_content_t
-+.EE
-+
-+- Set files with the httpd_w3c_validator_content_t type, if you want to treat the files as httpd w3c validator content.
-+
-
- .EX
--setsebool -P httpd_enable_homedirs 1
--chcon -R -t httpd_sys_content_t ~user/public_html
-+.PP
-+.B httpd_w3c_validator_htaccess_t
- .EE
-
-+- Set files with the httpd_w3c_validator_htaccess_t type, if you want to treat the file as a httpd w3c validator access file.
-+
-+
-+.EX
- .PP
--SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
-+.B httpd_w3c_validator_ra_content_t
-+.EE
-+
-+- Set files with the httpd_w3c_validator_ra_content_t type, if you want to treat the files as httpd w3c validator read/append content.
-+
-
- .EX
--setsebool -P httpd_tty_comm 1
-+.PP
-+.B httpd_w3c_validator_rw_content_t
- .EE
-
-+- Set files with the httpd_w3c_validator_rw_content_t type, if you want to treat the files as httpd w3c validator read/write content.
-+
-+
-+.EX
- .PP
--httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another.
-+.B httpd_w3c_validator_script_exec_t
-+.EE
-+
-+- Set files with the httpd_w3c_validator_script_exec_t type, if you want to transition an executable to the httpd_w3c_validator_script_t domain.
-+
-
- .EX
--setsebool -P httpd_unified 0
-+.PP
-+.B httpd_w3c_validator_tmp_t
- .EE
-
-+- Set files with the httpd_w3c_validator_tmp_t type, if you want to store httpd w3c validator temporary files in the /tmp directories.
-+
-+
-+.EX
- .PP
--SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
-+.B httpd_zoneminder_content_t
-+.EE
-+
-+- Set files with the httpd_zoneminder_content_t type, if you want to treat the files as httpd zoneminder content.
-+
-
- .EX
--setsebool -P httpd_can_sendmail 1
- .PP
--httpd can be configured to turn off internal scripting (PHP). PHP and other
--loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
-+.B httpd_zoneminder_htaccess_t
-+.EE
-+
-+- Set files with the httpd_zoneminder_htaccess_t type, if you want to treat the file as a httpd zoneminder access file.
-+
-
- .EX
--setsebool -P httpd_builtin_scripting 0
-+.PP
-+.B httpd_zoneminder_ra_content_t
- .EE
-
-+- Set files with the httpd_zoneminder_ra_content_t type, if you want to treat the files as httpd zoneminder read/append content.
-+
-+
-+.EX
- .PP
--SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.
--This would prevent a hacker from breaking into you httpd server and attacking
--other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
-+.B httpd_zoneminder_rw_content_t
-+.EE
-+
-+- Set files with the httpd_zoneminder_rw_content_t type, if you want to treat the files as httpd zoneminder read/write content.
-+
-
- .EX
--setsebool -P httpd_can_network_connect 1
-+.PP
-+.B httpd_zoneminder_script_exec_t
- .EE
-
-+- Set files with the httpd_zoneminder_script_exec_t type, if you want to transition an executable to the httpd_zoneminder_script_t domain.
-+
-+
- .PP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
--This manual page was written by Dan Walsh .
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-
--.SH "SEE ALSO"
--selinux(8), httpd(8), chcon(1), setsebool(8)
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for httpd:
-+
-+.EX
-+.TP 5
-+.B http_cache_port_t
-+.TP 10
-+.EE
-
-
-+Default Defined Ports:
-+tcp 8080,8118,10001-10010
-+.EE
-+udp 3130
-+.EE
-+
-+.EX
-+.TP 5
-+.B http_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 80,81,443,488,8008,8009,8443
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B abrt_retrace_spool_t
-+
-+ /var/spool/abrt-retrace(/.*)?
-+.br
-+ /var/spool/retrace-server(/.*)?
-+.br
-+
-+.br
-+.B dirsrv_config_t
-+
-+ /etc/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrv_var_log_t
-+
-+ /var/log/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrv_var_run_t
-+
-+ /var/run/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B dirsrvadmin_config_t
-+
-+ /etc/dirsrv/dsgw(/.*)?
-+.br
-+ /etc/dirsrv/admin-serv(/.*)?
-+.br
-+
-+.br
-+.B dirsrvadmin_tmp_t
-+
-+
-+.br
-+.B httpd_apcupsd_cgi_rw_content_t
-+
-+
-+.br
-+.B httpd_awstats_rw_content_t
-+
-+
-+.br
-+.B httpd_bugzilla_rw_content_t
-+
-+ /var/lib/bugzilla(/.*)?
-+.br
-+
-+.br
-+.B httpd_cache_t
-+
-+ /var/cache/rt3(/.*)?
-+.br
-+ /var/cache/ssl.*\.sem
-+.br
-+ /var/cache/mod_.*
-+.br
-+ /var/cache/php-.*
-+.br
-+ /var/cache/httpd(/.*)?
-+.br
-+ /var/cache/mason(/.*)?
-+.br
-+ /var/cache/mod_ssl(/.*)?
-+.br
-+ /var/cache/lighttpd(/.*)?
-+.br
-+ /var/cache/mediawiki(/.*)?
-+.br
-+ /var/cache/mod_proxy(/.*)?
-+.br
-+ /var/cache/mod_gnutls(/.*)?
-+.br
-+ /var/cache/php-mmcache(/.*)?
-+.br
-+ /var/cache/php-eaccelerator(/.*)?
-+.br
-+
-+.br
-+.B httpd_cobbler_rw_content_t
-+
-+
-+.br
-+.B httpd_collectd_rw_content_t
-+
-+
-+.br
-+.B httpd_cvs_rw_content_t
-+
-+
-+.br
-+.B httpd_dirsrvadmin_rw_content_t
-+
-+
-+.br
-+.B httpd_dspam_rw_content_t
-+
-+
-+.br
-+.B httpd_git_rw_content_t
-+
-+ /var/cache/cgit(/.*)?
-+.br
-+ /var/cache/gitweb-caching(/.*)?
-+.br
-+
-+.br
-+.B httpd_lock_t
-+
-+
-+.br
-+.B httpd_man2html_rw_content_t
-+
-+
-+.br
-+.B httpd_mediawiki_rw_content_t
-+
-+ /var/www/wiki(/.*)?
-+.br
-+
-+.br
-+.B httpd_mojomojo_rw_content_t
-+
-+ /var/lib/mojomojo(/.*)?
-+.br
-+
-+.br
-+.B httpd_munin_rw_content_t
-+
-+
-+.br
-+.B httpd_nagios_rw_content_t
-+
-+
-+.br
-+.B httpd_nutups_cgi_rw_content_t
-+
-+
-+.br
-+.B httpd_openshift_rw_content_t
-+
-+
-+.br
-+.B httpd_prewikka_rw_content_t
-+
-+
-+.br
-+.B httpd_smokeping_cgi_rw_content_t
-+
-+
-+.br
-+.B httpd_squid_rw_content_t
-+
-+
-+.br
-+.B httpd_squirrelmail_t
-+
-+ /var/lib/squirrelmail/prefs(/.*)?
-+.br
-+
-+.br
-+.B httpd_sys_rw_content_t
-+
-+ /etc/drupal.*
-+.br
-+ /var/lib/svn(/.*)?
-+.br
-+ /var/www/svn(/.*)?
-+.br
-+ /etc/mock/koji(/.*)?
-+.br
-+ /var/www/html/[^/]*/sites/default/files(/.*)?
-+.br
-+ /var/www/html/[^/]*/sites/default/settings\.php
-+.br
-+ /var/lib/drupal.*
-+.br
-+ /etc/zabbix/web(/.*)?
-+.br
-+ /var/spool/gosa(/.*)?
-+.br
-+ /etc/WebCalendar(/.*)?
-+.br
-+ /var/lib/dokuwiki(/.*)?
-+.br
-+ /var/spool/viewvc(/.*)?
-+.br
-+ /var/lib/pootle/po(/.*)?
-+.br
-+ /var/www/moodledata(/.*)?
-+.br
-+ /var/www/gallery/albums(/.*)?
-+.br
-+ /var/www/html/wp-content(/.*)?
-+.br
-+ /usr/share/wordpress-mu/wp-content(/.*)?
-+.br
-+ /usr/share/wordpress/wp-content/uploads(/.*)?
-+.br
-+ /usr/share/wordpress/wp-content/upgrade(/.*)?
-+.br
-+ /etc/owncloud/config\.php
-+.br
-+ /var/www/html/configuration\.php
-+.br
-+
-+.br
-+.B httpd_tmp_t
-+
-+ /var/run/user/apache(/.*)?
-+.br
-+
-+.br
-+.B httpd_tmpfs_t
-+
-+
-+.br
-+.B httpd_user_rw_content_t
-+
-+
-+.br
-+.B httpd_var_lib_t
-+
-+ /var/lib/dav(/.*)?
-+.br
-+ /var/lib/php(/.*)?
-+.br
-+ /var/lib/httpd(/.*)?
-+.br
-+ /var/lib/cherokee(/.*)?
-+.br
-+ /var/lib/lighttpd(/.*)?
-+.br
-+ /var/lib/rt3/data/RT-Shredder(/.*)?
-+.br
-+
-+.br
-+.B httpd_var_run_t
-+
-+ /var/run/mod_.*
-+.br
-+ /var/run/wsgi.*
-+.br
-+ /var/run/httpd.*
-+.br
-+ /var/run/apache.*
-+.br
-+ /var/run/lighttpd(/.*)?
-+.br
-+ /var/lib/php/session(/.*)?
-+.br
-+ /var/run/dirsrv/admin-serv.*
-+.br
-+ /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
-+.br
-+ /var/run/gcache_port
-+.br
-+ /var/run/cherokee\.pid
-+.br
-+
-+.br
-+.B httpd_w3c_validator_rw_content_t
-+
-+
-+.br
-+.B httpd_zoneminder_rw_content_t
-+
-+
-+.br
-+.B jetty_cache_t
-+
-+ /var/cache/jetty(/.*)?
-+.br
-+
-+.br
-+.B jetty_log_t
-+
-+ /var/log/jetty(/.*)?
-+.br
-+
-+.br
-+.B jetty_var_lib_t
-+
-+ /var/lib/jetty(/.*)?
-+.br
-+
-+.br
-+.B jetty_var_run_t
-+
-+ /var/run/jetty(/.*)?
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B passenger_tmp_t
-+
-+
-+.br
-+.B passenger_var_run_t
-+
-+ /var/run/passenger(/.*)?
-+.br
-+
-+.br
-+.B pki_apache_config
-+
-+
-+.br
-+.B pki_apache_var_lib
-+
-+
-+.br
-+.B pki_apache_var_log
-+
-+
-+.br
-+.B squirrelmail_spool_t
-+
-+ /var/spool/squirrelmail(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B zarafa_var_lib_t
-+
-+ /var/lib/zarafa(/.*)?
-+.br
-+ /var/lib/zarafa-webaccess(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_smokeping_cgi_script_selinux.8 b/man/man8/httpd_smokeping_cgi_script_selinux.8
-new file mode 100644
-index 0000000..d4560e5
---- /dev/null
-+++ b/man/man8/httpd_smokeping_cgi_script_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "httpd_smokeping_cgi_script_selinux" "8" "12-11-01" "httpd_smokeping_cgi_script" "SELinux Policy documentation for httpd_smokeping_cgi_script"
-+.SH "NAME"
-+httpd_smokeping_cgi_script_selinux \- Security Enhanced Linux Policy for the httpd_smokeping_cgi_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_smokeping_cgi_script processes via flexible mandatory access control.
-+
-+The httpd_smokeping_cgi_script processes execute with the httpd_smokeping_cgi_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_smokeping_cgi_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_smokeping_cgi_script_t SELinux type can be entered via the "shell_exec_t,httpd_smokeping_cgi_script_exec_t,httpd_smokeping_cgi_script_exec_t" file types. The default entrypoint paths for the httpd_smokeping_cgi_script_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/smokeping/cgi(/.*)?, /usr/share/smokeping/cgi(/.*)?
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_smokeping_cgi_script policy is very flexible allowing users to setup their httpd_smokeping_cgi_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_smokeping_cgi_script:
-+
-+.EX
-+.B httpd_smokeping_cgi_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_smokeping_cgi_script policy is very flexible allowing users to setup their httpd_smokeping_cgi_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_smokeping_cgi_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_smokeping_cgi_script_exec_t
-+.EE
-+
-+- Set files with the httpd_smokeping_cgi_script_exec_t type, if you want to transition an executable to the httpd_smokeping_cgi_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_smokeping_cgi_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_smokeping_cgi_rw_content_t
-+
-+
-+.br
-+.B smokeping_var_lib_t
-+
-+ /var/lib/smokeping(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_smokeping_cgi_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_squid_script_selinux.8 b/man/man8/httpd_squid_script_selinux.8
-new file mode 100644
-index 0000000..fa0892f
---- /dev/null
-+++ b/man/man8/httpd_squid_script_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "httpd_squid_script_selinux" "8" "12-11-01" "httpd_squid_script" "SELinux Policy documentation for httpd_squid_script"
-+.SH "NAME"
-+httpd_squid_script_selinux \- Security Enhanced Linux Policy for the httpd_squid_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_squid_script processes via flexible mandatory access control.
-+
-+The httpd_squid_script processes execute with the httpd_squid_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_squid_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_squid_script_t SELinux type can be entered via the "httpd_squid_script_exec_t,shell_exec_t,httpd_squid_script_exec_t" file types. The default entrypoint paths for the httpd_squid_script_t domain are the following:"
-+
-+/usr/share/lightsquid/cgi(/.*)?, /usr/lib/squid/cachemgr\.cgi, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/lightsquid/cgi(/.*)?, /usr/lib/squid/cachemgr\.cgi
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_squid_script policy is very flexible allowing users to setup their httpd_squid_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_squid_script:
-+
-+.EX
-+.B httpd_squid_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_squid_script policy is very flexible allowing users to setup their httpd_squid_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_squid_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_squid_script_exec_t
-+.EE
-+
-+- Set files with the httpd_squid_script_exec_t type, if you want to transition an executable to the httpd_squid_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_squid_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_squid_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_squid_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_suexec_selinux.8 b/man/man8/httpd_suexec_selinux.8
-new file mode 100644
-index 0000000..2f8bbb0
---- /dev/null
-+++ b/man/man8/httpd_suexec_selinux.8
-@@ -0,0 +1,117 @@
-+.TH "httpd_suexec_selinux" "8" "12-11-01" "httpd_suexec" "SELinux Policy documentation for httpd_suexec"
-+.SH "NAME"
-+httpd_suexec_selinux \- Security Enhanced Linux Policy for the httpd_suexec processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_suexec processes via flexible mandatory access control.
-+
-+The httpd_suexec processes execute with the httpd_suexec_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_suexec_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_suexec_t SELinux type can be entered via the "httpd_suexec_exec_t" file type. The default entrypoint paths for the httpd_suexec_t domain are the following:"
-+
-+/usr/lib/apache(2)?/suexec(2)?, /usr/lib/cgi-bin/(nph-)?cgiwrap(d)?, /usr/sbin/suexec
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_suexec policy is very flexible allowing users to setup their httpd_suexec processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_suexec:
-+
-+.EX
-+.B httpd_suexec_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_suexec policy is very flexible allowing users to setup their httpd_suexec processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_suexec:
-+
-+
-+.EX
-+.PP
-+.B httpd_suexec_exec_t
-+.EE
-+
-+- Set files with the httpd_suexec_exec_t type, if you want to transition an executable to the httpd_suexec_t domain.
-+
-+
-+.EX
-+.PP
-+.B httpd_suexec_tmp_t
-+.EE
-+
-+- Set files with the httpd_suexec_tmp_t type, if you want to store httpd suexec temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_suexec_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_suexec_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_suexec_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the httpd_suexec_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_suexec(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_sys_script_selinux.8 b/man/man8/httpd_sys_script_selinux.8
-new file mode 100644
-index 0000000..566f6fa
---- /dev/null
-+++ b/man/man8/httpd_sys_script_selinux.8
-@@ -0,0 +1,190 @@
-+.TH "httpd_sys_script_selinux" "8" "12-11-01" "httpd_sys_script" "SELinux Policy documentation for httpd_sys_script"
-+.SH "NAME"
-+httpd_sys_script_selinux \- Security Enhanced Linux Policy for the httpd_sys_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_sys_script processes via flexible mandatory access control.
-+
-+The httpd_sys_script processes execute with the httpd_sys_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_sys_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_sys_script_t SELinux type can be entered via the "httpd_sys_script_exec_t,httpd_sys_content_t,cifs_t,shell_exec_t,nfs_t,httpd_sys_script_exec_t" file types. The default entrypoint paths for the httpd_sys_script_t domain are the following:"
-+
-+/usr/.*\.cgi, /opt/.*\.cgi, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*\.php, /usr/share/wordpress/wp-includes/.*\.php, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress-mu/wp-config\.php, /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?, /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?, /var/www/icons(/.*)?, /usr/share/htdig(/.*)?, /usr/share/drupal.*, /var/www/svn/conf(/.*)?, /usr/share/icecast(/.*)?, /usr/share/mythweb(/.*)?, /var/lib/cacti/rra(/.*)?, /usr/share/ntop/html(/.*)?, /usr/share/mythtv/data(/.*)?, /usr/share/doc/ghc/html(/.*)?, /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-policy[^/]*/html(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/.*\.cgi, /opt/.*\.cgi, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*\.php, /usr/share/wordpress/wp-includes/.*\.php, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress-mu/wp-config\.php
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_sys_script policy is very flexible allowing users to setup their httpd_sys_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_sys_script:
-+
-+.EX
-+.B httpd_sys_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH SHARING FILES
-+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
-+.TP
-+Allow httpd_sys_script servers to read the /var/httpd_sys_script directory by adding the public_content_t file type to the directory and by restoring the file type.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_t "/var/httpd_sys_script(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/httpd_sys_script
-+.pp
-+.TP
-+Allow httpd_sys_script servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_httpd_sys_scriptd_anon_write boolean to be set.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_rw_t "/var/httpd_sys_script/incoming(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/httpd_sys_script/incoming
-+
-+
-+.PP
-+If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the httpd_sys_script_anon_write boolean.
-+
-+.EX
-+.B setsebool -P httpd_sys_script_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the httpd_sys_script_anon_write boolean.
-+
-+.EX
-+.B setsebool -P httpd_sys_script_anon_write 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_sys_script policy is very flexible allowing users to setup their httpd_sys_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_sys_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_sys_script_exec_t
-+.EE
-+
-+- Set files with the httpd_sys_script_exec_t type, if you want to transition an executable to the httpd_sys_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_sys_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_sys_rw_content_t
-+
-+ /etc/drupal.*
-+.br
-+ /var/lib/svn(/.*)?
-+.br
-+ /var/www/svn(/.*)?
-+.br
-+ /etc/mock/koji(/.*)?
-+.br
-+ /var/www/html/[^/]*/sites/default/files(/.*)?
-+.br
-+ /var/www/html/[^/]*/sites/default/settings\.php
-+.br
-+ /var/lib/drupal.*
-+.br
-+ /etc/zabbix/web(/.*)?
-+.br
-+ /var/spool/gosa(/.*)?
-+.br
-+ /etc/WebCalendar(/.*)?
-+.br
-+ /var/lib/dokuwiki(/.*)?
-+.br
-+ /var/spool/viewvc(/.*)?
-+.br
-+ /var/lib/pootle/po(/.*)?
-+.br
-+ /var/www/moodledata(/.*)?
-+.br
-+ /var/www/gallery/albums(/.*)?
-+.br
-+ /var/www/html/wp-content(/.*)?
-+.br
-+ /usr/share/wordpress-mu/wp-content(/.*)?
-+.br
-+ /usr/share/wordpress/wp-content/uploads(/.*)?
-+.br
-+ /usr/share/wordpress/wp-content/upgrade(/.*)?
-+.br
-+ /etc/owncloud/config\.php
-+.br
-+ /var/www/html/configuration\.php
-+.br
-+
-+.br
-+.B httpd_tmp_t
-+
-+ /var/run/user/apache(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_sys_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the httpd_sys_script_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_sys_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_user_script_selinux.8 b/man/man8/httpd_user_script_selinux.8
-new file mode 100644
-index 0000000..4764520
---- /dev/null
-+++ b/man/man8/httpd_user_script_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "httpd_user_script_selinux" "8" "12-11-01" "httpd_user_script" "SELinux Policy documentation for httpd_user_script"
-+.SH "NAME"
-+httpd_user_script_selinux \- Security Enhanced Linux Policy for the httpd_user_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_user_script processes via flexible mandatory access control.
-+
-+The httpd_user_script processes execute with the httpd_user_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_user_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_user_script_t SELinux type can be entered via the "shell_exec_t,httpd_user_script_exec_t,httpd_user_script_exec_t" file types. The default entrypoint paths for the httpd_user_script_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?, /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?, /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_user_script policy is very flexible allowing users to setup their httpd_user_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_user_script:
-+
-+.EX
-+.B httpd_user_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_user_script policy is very flexible allowing users to setup their httpd_user_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_user_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_user_script_exec_t
-+.EE
-+
-+- Set files with the httpd_user_script_exec_t type, if you want to transition an executable to the httpd_user_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_user_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_user_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_user_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_w3c_validator_script_selinux.8 b/man/man8/httpd_w3c_validator_script_selinux.8
-new file mode 100644
-index 0000000..1191c99
---- /dev/null
-+++ b/man/man8/httpd_w3c_validator_script_selinux.8
-@@ -0,0 +1,99 @@
-+.TH "httpd_w3c_validator_script_selinux" "8" "12-11-01" "httpd_w3c_validator_script" "SELinux Policy documentation for httpd_w3c_validator_script"
-+.SH "NAME"
-+httpd_w3c_validator_script_selinux \- Security Enhanced Linux Policy for the httpd_w3c_validator_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_w3c_validator_script processes via flexible mandatory access control.
-+
-+The httpd_w3c_validator_script processes execute with the httpd_w3c_validator_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_w3c_validator_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_w3c_validator_script_t SELinux type can be entered via the "shell_exec_t,httpd_w3c_validator_script_exec_t,httpd_w3c_validator_script_exec_t" file types. The default entrypoint paths for the httpd_w3c_validator_script_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check, /usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_w3c_validator_script policy is very flexible allowing users to setup their httpd_w3c_validator_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_w3c_validator_script:
-+
-+.EX
-+.B httpd_w3c_validator_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_w3c_validator_script policy is very flexible allowing users to setup their httpd_w3c_validator_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_w3c_validator_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_w3c_validator_script_exec_t
-+.EE
-+
-+- Set files with the httpd_w3c_validator_script_exec_t type, if you want to transition an executable to the httpd_w3c_validator_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_w3c_validator_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_w3c_validator_rw_content_t
-+
-+
-+.br
-+.B httpd_w3c_validator_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_w3c_validator_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_zoneminder_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/httpd_zoneminder_script_selinux.8 b/man/man8/httpd_zoneminder_script_selinux.8
-new file mode 100644
-index 0000000..9666a60
---- /dev/null
-+++ b/man/man8/httpd_zoneminder_script_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "httpd_zoneminder_script_selinux" "8" "12-11-01" "httpd_zoneminder_script" "SELinux Policy documentation for httpd_zoneminder_script"
-+.SH "NAME"
-+httpd_zoneminder_script_selinux \- Security Enhanced Linux Policy for the httpd_zoneminder_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the httpd_zoneminder_script processes via flexible mandatory access control.
-+
-+The httpd_zoneminder_script processes execute with the httpd_zoneminder_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep httpd_zoneminder_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The httpd_zoneminder_script_t SELinux type can be entered via the "httpd_zoneminder_script_exec_t,shell_exec_t,httpd_zoneminder_script_exec_t" file types. The default entrypoint paths for the httpd_zoneminder_script_t domain are the following:"
-+
-+/usr/libexec/zoneminder/cgi-bin(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/libexec/zoneminder/cgi-bin(/.*)?
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux httpd_zoneminder_script policy is very flexible allowing users to setup their httpd_zoneminder_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for httpd_zoneminder_script:
-+
-+.EX
-+.B httpd_zoneminder_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux httpd_zoneminder_script policy is very flexible allowing users to setup their httpd_zoneminder_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for httpd_zoneminder_script:
-+
-+
-+.EX
-+.PP
-+.B httpd_zoneminder_script_exec_t
-+.EE
-+
-+- Set files with the httpd_zoneminder_script_exec_t type, if you want to transition an executable to the httpd_zoneminder_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type httpd_zoneminder_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_zoneminder_rw_content_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), httpd_zoneminder_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/hwclock_selinux.8 b/man/man8/hwclock_selinux.8
-new file mode 100644
-index 0000000..5f81eee
---- /dev/null
-+++ b/man/man8/hwclock_selinux.8
-@@ -0,0 +1,110 @@
-+.TH "hwclock_selinux" "8" "12-11-01" "hwclock" "SELinux Policy documentation for hwclock"
-+.SH "NAME"
-+hwclock_selinux \- Security Enhanced Linux Policy for the hwclock processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the hwclock processes via flexible mandatory access control.
-+
-+The hwclock processes execute with the hwclock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep hwclock_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The hwclock_t SELinux type can be entered via the "hwclock_exec_t" file type. The default entrypoint paths for the hwclock_t domain are the following:"
-+
-+/sbin/hwclock, /usr/sbin/hwclock
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux hwclock policy is very flexible allowing users to setup their hwclock processes in as secure a method as possible.
-+.PP
-+The following process types are defined for hwclock:
-+
-+.EX
-+.B hwclock_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux hwclock policy is very flexible allowing users to setup their hwclock processes in as secure a method as possible.
-+.PP
-+The following file types are defined for hwclock:
-+
-+
-+.EX
-+.PP
-+.B hwclock_exec_t
-+.EE
-+
-+- Set files with the hwclock_exec_t type, if you want to transition an executable to the hwclock_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type hwclock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B adjtime_t
-+
-+ /etc/adjtime
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the hwclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the hwclock_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), hwclock(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/iceauth_selinux.8 b/man/man8/iceauth_selinux.8
-new file mode 100644
-index 0000000..2459ffa
---- /dev/null
-+++ b/man/man8/iceauth_selinux.8
-@@ -0,0 +1,118 @@
-+.TH "iceauth_selinux" "8" "12-11-01" "iceauth" "SELinux Policy documentation for iceauth"
-+.SH "NAME"
-+iceauth_selinux \- Security Enhanced Linux Policy for the iceauth processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the iceauth processes via flexible mandatory access control.
-+
-+The iceauth processes execute with the iceauth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep iceauth_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The iceauth_t SELinux type can be entered via the "iceauth_exec_t" file type. The default entrypoint paths for the iceauth_t domain are the following:"
-+
-+/usr/bin/iceauth, /usr/X11R6/bin/iceauth
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux iceauth policy is very flexible allowing users to setup their iceauth processes in as secure a method as possible.
-+.PP
-+The following process types are defined for iceauth:
-+
-+.EX
-+.B iceauth_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux iceauth policy is very flexible allowing users to setup their iceauth processes in as secure a method as possible.
-+.PP
-+The following file types are defined for iceauth:
-+
-+
-+.EX
-+.PP
-+.B iceauth_exec_t
-+.EE
-+
-+- Set files with the iceauth_exec_t type, if you want to transition an executable to the iceauth_t domain.
-+
-+
-+.EX
-+.PP
-+.B iceauth_home_t
-+.EE
-+
-+- Set files with the iceauth_home_t type, if you want to store iceauth files in the users home directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type iceauth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B iceauth_home_t
-+
-+ /root/\.DCOP.*
-+.br
-+ /root/\.ICEauthority.*
-+.br
-+ /home/[^/]*/\.DCOP.*
-+.br
-+ /home/[^/]*/\.ICEauthority.*
-+.br
-+ /home/dwalsh/\.DCOP.*
-+.br
-+ /home/dwalsh/\.ICEauthority.*
-+.br
-+ /var/lib/xguest/home/xguest/\.DCOP.*
-+.br
-+ /var/lib/xguest/home/xguest/\.ICEauthority.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), iceauth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/icecast_selinux.8 b/man/man8/icecast_selinux.8
-new file mode 100644
-index 0000000..f0455d7
---- /dev/null
-+++ b/man/man8/icecast_selinux.8
-@@ -0,0 +1,162 @@
-+.TH "icecast_selinux" "8" "12-11-01" "icecast" "SELinux Policy documentation for icecast"
-+.SH "NAME"
-+icecast_selinux \- Security Enhanced Linux Policy for the icecast processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the icecast processes via flexible mandatory access control.
-+
-+The icecast processes execute with the icecast_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep icecast_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The icecast_t SELinux type can be entered via the "icecast_exec_t" file type. The default entrypoint paths for the icecast_t domain are the following:"
-+
-+/usr/bin/icecast
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux icecast policy is very flexible allowing users to setup their icecast processes in as secure a method as possible.
-+.PP
-+The following process types are defined for icecast:
-+
-+.EX
-+.B icecast_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. icecast policy is extremely flexible and has several booleans that allow you to manipulate the policy and run icecast with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow icecast to connect to all ports, not just sound ports, you must turn on the icecast_connect_any boolean.
-+
-+.EX
-+.B setsebool -P icecast_connect_any 1
-+.EE
-+
-+.PP
-+If you want to allow icecast to connect to all ports, not just sound ports, you must turn on the icecast_connect_any boolean.
-+
-+.EX
-+.B setsebool -P icecast_connect_any 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux icecast policy is very flexible allowing users to setup their icecast processes in as secure a method as possible.
-+.PP
-+The following file types are defined for icecast:
-+
-+
-+.EX
-+.PP
-+.B icecast_exec_t
-+.EE
-+
-+- Set files with the icecast_exec_t type, if you want to transition an executable to the icecast_t domain.
-+
-+
-+.EX
-+.PP
-+.B icecast_initrc_exec_t
-+.EE
-+
-+- Set files with the icecast_initrc_exec_t type, if you want to transition an executable to the icecast_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B icecast_log_t
-+.EE
-+
-+- Set files with the icecast_log_t type, if you want to treat the data as icecast log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B icecast_var_run_t
-+.EE
-+
-+- Set files with the icecast_var_run_t type, if you want to store the icecast files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type icecast_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B icecast_log_t
-+
-+ /var/log/icecast(/.*)?
-+.br
-+
-+.br
-+.B icecast_var_run_t
-+
-+ /var/run/icecast(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the icecast_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the icecast_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), icecast(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/ifconfig_selinux.8 b/man/man8/ifconfig_selinux.8
-new file mode 100644
-index 0000000..955a7ad
---- /dev/null
-+++ b/man/man8/ifconfig_selinux.8
-@@ -0,0 +1,114 @@
-+.TH "ifconfig_selinux" "8" "12-11-01" "ifconfig" "SELinux Policy documentation for ifconfig"
-+.SH "NAME"
-+ifconfig_selinux \- Security Enhanced Linux Policy for the ifconfig processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ifconfig processes via flexible mandatory access control.
-+
-+The ifconfig processes execute with the ifconfig_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ifconfig_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ifconfig_t SELinux type can be entered via the "ifconfig_exec_t" file type. The default entrypoint paths for the ifconfig_t domain are the following:"
-+
-+/bin/ip, /sbin/ip, /sbin/tc, /usr/bin/ip, /usr/sbin/ip, /usr/sbin/tc, /sbin/ethtool, /sbin/ifconfig, /sbin/iwconfig, /sbin/mii-tool, /usr/sbin/ethtool, /usr/sbin/ifconfig, /usr/sbin/iwconfig, /usr/sbin/mii-tool, /sbin/ipx_configure, /sbin/ipx_interface, /sbin/ipx_internal_net, /usr/sbin/ipx_configure, /usr/sbin/ipx_interface, /usr/sbin/ipx_internal_net
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ifconfig policy is very flexible allowing users to setup their ifconfig processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ifconfig:
-+
-+.EX
-+.B ifconfig_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ifconfig policy is very flexible allowing users to setup their ifconfig processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ifconfig:
-+
-+
-+.EX
-+.PP
-+.B ifconfig_exec_t
-+.EE
-+
-+- Set files with the ifconfig_exec_t type, if you want to transition an executable to the ifconfig_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ifconfig_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ipsec_var_run_t
-+
-+ /var/racoon(/.*)?
-+.br
-+ /var/run/pluto(/.*)?
-+.br
-+ /var/run/racoon\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ifconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ifconfig_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ifconfig(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/inetd_child_selinux.8 b/man/man8/inetd_child_selinux.8
-new file mode 100644
-index 0000000..8239b51
---- /dev/null
-+++ b/man/man8/inetd_child_selinux.8
-@@ -0,0 +1,157 @@
-+.TH "inetd_child_selinux" "8" "12-11-01" "inetd_child" "SELinux Policy documentation for inetd_child"
-+.SH "NAME"
-+inetd_child_selinux \- Security Enhanced Linux Policy for the inetd_child processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the inetd_child processes via flexible mandatory access control.
-+
-+The inetd_child processes execute with the inetd_child_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep inetd_child_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The inetd_child_t SELinux type can be entered via the "inetd_child_exec_t" file type. The default entrypoint paths for the inetd_child_t domain are the following:"
-+
-+/usr/sbin/in\..*d, /usr/local/lib/pysieved/pysieved.*\.py, /usr/sbin/identd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux inetd_child policy is very flexible allowing users to setup their inetd_child processes in as secure a method as possible.
-+.PP
-+The following process types are defined for inetd_child:
-+
-+.EX
-+.B inetd_child_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux inetd_child policy is very flexible allowing users to setup their inetd_child processes in as secure a method as possible.
-+.PP
-+The following file types are defined for inetd_child:
-+
-+
-+.EX
-+.PP
-+.B inetd_child_exec_t
-+.EE
-+
-+- Set files with the inetd_child_exec_t type, if you want to transition an executable to the inetd_child_t domain.
-+
-+
-+.EX
-+.PP
-+.B inetd_child_tmp_t
-+.EE
-+
-+- Set files with the inetd_child_tmp_t type, if you want to store inetd child temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B inetd_child_var_run_t
-+.EE
-+
-+- Set files with the inetd_child_var_run_t type, if you want to store the inetd child files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux inetd_child policy is very flexible allowing users to setup their inetd_child processes in as secure a method as possible.
-+.PP
-+The following port types are defined for inetd_child:
-+
-+.EX
-+.TP 5
-+.B inetd_child_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 1,9,13,19,512,543,544,891,892,2105,5666
-+.EE
-+udp 1,9,13,19,891,892
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type inetd_child_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B inetd_child_tmp_t
-+
-+
-+.br
-+.B inetd_child_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the inetd_child_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the inetd_child_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), inetd_child(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, inetd_selinux(8), inetd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/inetd_selinux.8 b/man/man8/inetd_selinux.8
-new file mode 100644
-index 0000000..3f605ab
---- /dev/null
-+++ b/man/man8/inetd_selinux.8
-@@ -0,0 +1,203 @@
-+.TH "inetd_selinux" "8" "12-11-01" "inetd" "SELinux Policy documentation for inetd"
-+.SH "NAME"
-+inetd_selinux \- Security Enhanced Linux Policy for the inetd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the inetd processes via flexible mandatory access control.
-+
-+The inetd processes execute with the inetd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep inetd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The inetd_t SELinux type can be entered via the "inetd_exec_t" file type. The default entrypoint paths for the inetd_t domain are the following:"
-+
-+/usr/sbin/inetd, /usr/sbin/xinetd, /usr/sbin/rlinetd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux inetd policy is very flexible allowing users to setup their inetd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for inetd:
-+
-+.EX
-+.B inetd_t, inetd_child_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux inetd policy is very flexible allowing users to setup their inetd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for inetd:
-+
-+
-+.EX
-+.PP
-+.B inetd_child_exec_t
-+.EE
-+
-+- Set files with the inetd_child_exec_t type, if you want to transition an executable to the inetd_child_t domain.
-+
-+
-+.EX
-+.PP
-+.B inetd_child_tmp_t
-+.EE
-+
-+- Set files with the inetd_child_tmp_t type, if you want to store inetd child temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B inetd_child_var_run_t
-+.EE
-+
-+- Set files with the inetd_child_var_run_t type, if you want to store the inetd child files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B inetd_exec_t
-+.EE
-+
-+- Set files with the inetd_exec_t type, if you want to transition an executable to the inetd_t domain.
-+
-+
-+.EX
-+.PP
-+.B inetd_log_t
-+.EE
-+
-+- Set files with the inetd_log_t type, if you want to treat the data as inetd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B inetd_tmp_t
-+.EE
-+
-+- Set files with the inetd_tmp_t type, if you want to store inetd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B inetd_var_run_t
-+.EE
-+
-+- Set files with the inetd_var_run_t type, if you want to store the inetd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux inetd policy is very flexible allowing users to setup their inetd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for inetd:
-+
-+.EX
-+.TP 5
-+.B inetd_child_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 1,9,13,19,512,543,544,891,892,2105,5666
-+.EE
-+udp 1,9,13,19,891,892
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type inetd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B inetd_log_t
-+
-+ /var/log/(x)?inetd\.log.*
-+.br
-+
-+.br
-+.B inetd_tmp_t
-+
-+
-+.br
-+.B inetd_var_run_t
-+
-+ /var/run/(x)?inetd\.pid
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the inetd_t, inetd_child_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the inetd_t, inetd_child_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), inetd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, inetd_child_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/init_selinux.8 b/man/man8/init_selinux.8
-new file mode 100644
-index 0000000..d772d9a
---- /dev/null
-+++ b/man/man8/init_selinux.8
-@@ -0,0 +1,465 @@
-+.TH "init_selinux" "8" "12-11-01" "init" "SELinux Policy documentation for init"
-+.SH "NAME"
-+init_selinux \- Security Enhanced Linux Policy for the init processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the init processes via flexible mandatory access control.
-+
-+The init processes execute with the init_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep init_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The init_t SELinux type can be entered via the "init_exec_t" file type. The default entrypoint paths for the init_t domain are the following:"
-+
-+/sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*, /usr/lib/systemd/system-generators/[^/]*, /bin/systemd, /sbin/upstart, /usr/bin/systemd, /usr/sbin/upstart
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux init policy is very flexible allowing users to setup their init processes in as secure a method as possible.
-+.PP
-+The following process types are defined for init:
-+
-+.EX
-+.B initrc_t, init_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux init policy is very flexible allowing users to setup their init processes in as secure a method as possible.
-+.PP
-+The following file types are defined for init:
-+
-+
-+.EX
-+.PP
-+.B init_exec_t
-+.EE
-+
-+- Set files with the init_exec_t type, if you want to transition an executable to the init_t domain.
-+
-+
-+.EX
-+.PP
-+.B init_var_lib_t
-+.EE
-+
-+- Set files with the init_var_lib_t type, if you want to store the init files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B init_var_run_t
-+.EE
-+
-+- Set files with the init_var_run_t type, if you want to store the init files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B initctl_t
-+.EE
-+
-+- Set files with the initctl_t type, if you want to treat the files as initctl data.
-+
-+
-+.EX
-+.PP
-+.B initrc_devpts_t
-+.EE
-+
-+- Set files with the initrc_devpts_t type, if you want to treat the files as initrc devpts data.
-+
-+
-+.EX
-+.PP
-+.B initrc_exec_t
-+.EE
-+
-+- Set files with the initrc_exec_t type, if you want to transition an executable to the initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B initrc_state_t
-+.EE
-+
-+- Set files with the initrc_state_t type, if you want to treat the files as initrc state data.
-+
-+
-+.EX
-+.PP
-+.B initrc_tmp_t
-+.EE
-+
-+- Set files with the initrc_tmp_t type, if you want to store initrc temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B initrc_var_log_t
-+.EE
-+
-+- Set files with the initrc_var_log_t type, if you want to treat the data as initrc var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B initrc_var_run_t
-+.EE
-+
-+- Set files with the initrc_var_run_t type, if you want to store the initrc files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type init_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B binfmt_misc_fs_t
-+
-+
-+.br
-+.B boolean_type
-+
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B consolekit_log_t
-+
-+ /var/log/ConsoleKit(/.*)?
-+.br
-+
-+.br
-+.B device_t
-+
-+ /dev/.*
-+.br
-+ /lib/udev/devices(/.*)?
-+.br
-+ /usr/lib/udev/devices(/.*)?
-+.br
-+ /dev
-+.br
-+ /etc/udev/devices
-+.br
-+ /var/named/chroot/dev
-+.br
-+ /var/spool/postfix/dev
-+.br
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B init_var_lib_t
-+
-+
-+.br
-+.B init_var_run_t
-+
-+ /var/run/systemd(/.*)?
-+.br
-+
-+.br
-+.B initrc_state_t
-+
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B ld_so_cache_t
-+
-+ /etc/ld\.so\.cache
-+.br
-+ /etc/ld\.so\.cache~
-+.br
-+ /etc/ld\.so\.preload
-+.br
-+ /etc/ld\.so\.preload~
-+.br
-+
-+.br
-+.B locale_t
-+
-+ /etc/locale.conf
-+.br
-+ /usr/lib/locale(/.*)?
-+.br
-+ /usr/share/locale(/.*)?
-+.br
-+ /usr/share/zoneinfo(/.*)?
-+.br
-+ /usr/share/X11/locale(/.*)?
-+.br
-+ /etc/timezone
-+.br
-+ /etc/localtime
-+.br
-+ /etc/sysconfig/clock
-+.br
-+ /etc/avahi/etc/localtime
-+.br
-+ /var/empty/sshd/etc/localtime
-+.br
-+ /var/spool/postfix/etc/localtime
-+.br
-+
-+.br
-+.B machineid_t
-+
-+ /etc/machine-id
-+.br
-+ /var/run/systemd/machine-id
-+.br
-+
-+.br
-+.B print_spool_t
-+
-+ /var/spool/lpd(/.*)?
-+.br
-+ /var/spool/cups(/.*)?
-+.br
-+ /var/spool/cups-pdf(/.*)?
-+.br
-+
-+.br
-+.B random_seed_t
-+
-+ /var/lib/random-seed
-+.br
-+ /usr/var/lib/random-seed
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B systemd_unit_file_type
-+
-+
-+.br
-+.B tmpfs_t
-+
-+ /dev/shm
-+.br
-+ /lib/udev/devices/shm
-+.br
-+ /usr/lib/udev/devices/shm
-+.br
-+
-+.br
-+.B var_lib_t
-+
-+ /opt/(.*/)?var/lib(/.*)?
-+.br
-+ /var/lib(/.*)?
-+.br
-+
-+.br
-+.B var_log_t
-+
-+ /var/log/.*
-+.br
-+ /nsr/logs(/.*)?
-+.br
-+ /var/webmin(/.*)?
-+.br
-+ /var/log/cron[^/]*
-+.br
-+ /var/log/secure[^/]*
-+.br
-+ /opt/zimbra/log(/.*)?
-+.br
-+ /var/log/maillog[^/]*
-+.br
-+ /var/log/spooler[^/]*
-+.br
-+ /var/log/messages[^/]*
-+.br
-+ /usr/centreon/log(/.*)?
-+.br
-+ /var/spool/rsyslog(/.*)?
-+.br
-+ /var/axfrdns/log/main(/.*)?
-+.br
-+ /var/spool/bacula/log(/.*)?
-+.br
-+ /var/tinydns/log/main(/.*)?
-+.br
-+ /var/dnscache/log/main(/.*)?
-+.br
-+ /var/stockmaniac/templates_cache(/.*)?
-+.br
-+ /opt/Symantec/scspagent/IDS/system(/.*)?
-+.br
-+ /var/log
-+.br
-+ /var/log/dmesg
-+.br
-+ /var/log/syslog
-+.br
-+ /var/named/chroot/var/log
-+.br
-+
-+.br
-+.B var_run_t
-+
-+ /run/.*
-+.br
-+ /var/run/.*
-+.br
-+ /run
-+.br
-+ /var/run
-+.br
-+ /var/run
-+.br
-+ /var/spool/postfix/pid
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the init_t, initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the init_t, initrc_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, initrc_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/initrc_selinux.8 b/man/man8/initrc_selinux.8
-new file mode 100644
-index 0000000..6dc8740
---- /dev/null
-+++ b/man/man8/initrc_selinux.8
-@@ -0,0 +1,815 @@
-+.TH "initrc_selinux" "8" "12-11-01" "initrc" "SELinux Policy documentation for initrc"
-+.SH "NAME"
-+initrc_selinux \- Security Enhanced Linux Policy for the initrc processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the initrc processes via flexible mandatory access control.
-+
-+The initrc processes execute with the initrc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep initrc_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The initrc_t SELinux type can be entered via the "glance_api_initrc_exec_t,slapd_initrc_exec_t,clamd_initrc_exec_t,ntop_initrc_exec_t,ntpd_initrc_exec_t,syslogd_initrc_exec_t,ulogd_initrc_exec_t,nscd_initrc_exec_t,bluetooth_initrc_exec_t,chronyd_initrc_exec_t,polipo_initrc_exec_t,boinc_initrc_exec_t,openvpn_initrc_exec_t,nfsd_initrc_exec_t,denyhosts_initrc_exec_t,cgconfig_initrc_exec_t,ddclient_initrc_exec_t,dictd_initrc_exec_t,mongod_initrc_exec_t,ricci_initrc_exec_t,automount_initrc_exec_t,innd_initrc_exec_t,pingd_initrc_exec_t,roundup_initrc_exec_t,zoneminder_initrc_exec_t,certmonger_initrc_exec_t,snort_initrc_exec_t,iwhd_initrc_exec_t,snmpd_initrc_exec_t,radiusd_initrc_exec_t,dhcpd_initrc_exec_t,lircd_initrc_exec_t,cyrus_initrc_exec_t,varnishd_initrc_exec_t,virtd_initrc_exec_t,aiccu_initrc_exec_t,mysqlmanagerd_initrc_exec_t,zabbix_agent_initrc_exec_t,varnishlog_initrc_exec_t,piranha_pulse_initrc_exec_t,glance_registry_initrc_exec_t,collectd_initrc_exec_t,puppetmaster_initrc_exec_t,dovecot_initrc_exec_t,zebra_initrc_exec_t,lldpad_initrc_exec_t,httpd_initrc_exec_t,kdump_initrc_exec_t,munin_initrc_exec_t,soundd_initrc_exec_t,bin_t,uuidd_initrc_exec_t,postfix_initrc_exec_t,ctdbd_initrc_exec_t,glusterd_initrc_exec_t,saslauthd_initrc_exec_t,postgresql_initrc_exec_t,kerberos_initrc_exec_t,apcupsd_initrc_exec_t,cupsd_initrc_exec_t,ksmtuned_initrc_exec_t,tuned_initrc_exec_t,exim_initrc_exec_t,fsdaemon_initrc_exec_t,tgtd_initrc_exec_t,ftpd_initrc_exec_t,ajaxterm_initrc_exec_t,hddtemp_initrc_exec_t,tcsd_initrc_exec_t,rhsmcertd_initrc_exec_t,svnserve_initrc_exec_t,shorewall_initrc_exec_t,aisexec_initrc_exec_t,auditd_initrc_exec_t,likewise_initrc_exec_t,cfengine_initrc_exec_t,initrc_exec_t,wdmd_initrc_exec_t,postgrey_initrc_exec_t,avahi_initrc_exec_t,gpsd_initrc_exec_t,privoxy_initrc_exec_t,pki_ra_script_exec_t,shell_exec_t,nagios_initrc_exec_t,rgmanager_initrc_exec_t,tor_initrc_exec_t,radvd_initrc_exec_t,cgred_initrc_exec_t,abrt_initrc_exec_t,ipsec_initrc_exec_t,puppet_initrc_exec_t,named_initrc_exec_t,squid_initrc_exec_t,cvs_initrc_exec_t,psad_initrc_exec_t,pppd_initrc_exec_t,afs_initrc_exec_t,canna_initrc_exec_t,firewalld_initrc_exec_t,spamd_initrc_exec_t,nis_initrc_exec_t,samba_initrc_exec_t,pacemaker_initrc_exec_t,mpd_initrc_exec_t,amavis_initrc_exec_t,arpwatch_initrc_exec_t,qpidd_initrc_exec_t,smokeping_initrc_exec_t,bcfg2_initrc_exec_t,callweaver_initrc_exec_t,pki_tps_script_exec_t,pads_initrc_exec_t,mscan_initrc_exec_t,isnsd_initrc_exec_t,rwho_initrc_exec_t,l2tpd_initrc_exec_t,portreserve_initrc_exec_t,NetworkManager_initrc_exec_t,icecast_initrc_exec_t,jabberd_initrc_exec_t,rpcd_initrc_exec_t,vhostmd_initrc_exec_t,nslcd_initrc_exec_t,certmaster_initrc_exec_t,slpd_initrc_exec_t,mysqld_initrc_exec_t,memcached_initrc_exec_t,crond_initrc_exec_t,asterisk_initrc_exec_t,fail2ban_initrc_exec_t,corosync_initrc_exec_t,sssd_initrc_exec_t,zabbix_initrc_exec_t,ypbind_initrc_exec_t,sshd_initrc_exec_t,clvmd_initrc_exec_t,dspam_initrc_exec_t,dhcpc_helper_exec_t,setrans_initrc_exec_t,cmirrord_initrc_exec_t,rngd_initrc_exec_t,prelude_initrc_exec_t,iptables_initrc_exec_t,sendmail_initrc_exec_t,rpcbind_initrc_exec_t,cobblerd_initrc_exec_t,dnsmasq_initrc_exec_t,bitlbee_initrc_exec_t,sanlock_initrc_exec_t" file types. The default entrypoint paths for the initrc_t domain are the following:"
-+
-+/etc/rc\.d/init\.d/openstack-glance-api, /etc/rc\.d/init\.d/slapd, /etc/rc\.d/init\.d/clamd-wrapper, /etc/rc\.d/init\.d/ntpd, /etc/rc\.d/init\.d/rsyslog, /etc/rc\.d/init\.d/ulogd, /etc/rc\.d/init\.d/nscd, /etc/rc\.d/init\.d/dund, /etc/rc\.d/init\.d/pand, /etc/rc\.d/init\.d/bluetooth, /etc/rc\.d/init\.d/chronyd, /etc/rc\.d/init\.d/polipo, /etc/rc\.d/init\.d/boinc-client, /etc/rc\.d/init\.d/openvpn, /etc/rc\.d/init\.d/nfs, /etc/rc\.d/init\.d/denyhosts, /etc/rc\.d/init\.d/cgconfig, /etc/rc\.d/init\.d/ddclient, /etc/rc\.d/init\.d/dictd, /etc/rc\.d/init\.d/mongod, /etc/rc\.d/init\.d/ricci, /etc/rc\.d/init\.d/autofs, /etc/rc\.d/init\.d/innd, /etc/rc\.d/init\.d/whatsup-pingd, /etc/rc\.d/init\.d/roundup, /etc/rc\.d/init\.d/motion, /etc/rc\.d/init\.d/zoneminder, /etc/rc\.d/init\.d/certmonger, /etc/rc\.d/init\.d/snortd, /etc/rc\.d/init\.d/iwhd, /etc/rc\.d/init\.d/snmpd, /etc/rc\.d/init\.d/snmptrapd, /etc/rc\.d/init\.d/radiusd, /etc/rc\.d/init\.d/dhcpd(6)?, /etc/rc\.d/init\.d/lirc, /etc/rc\.d/init\.d/cyrus, /etc/rc\.d/init\.d/varnish, /etc/rc\.d/init\.d/libvirtd, /etc/rc\.d/init\.d/aiccu, /etc/rc\.d/init\.d/mysqlmanager, /etc/rc\.d/init\.d/zabbix-agentd, /etc/rc\.d/init\.d/varnishlog, /etc/rc\.d/init\.d/varnishncsa, /etc/rc\.d/init\.d/pulse, /etc/rc\.d/init\.d/openstack-glance-registry, /etc/rc\.d/init\.d/collectd, /etc/rc\.d/init\.d/puppetmaster, /etc/rc\.d/init\.d/dovecot, /etc/rc\.d/init\.d/bgpd, /etc/rc\.d/init\.d/ripd, /etc/rc\.d/init\.d/ospfd, /etc/rc\.d/init\.d/zebra, /etc/rc\.d/init\.d/ospf6d, /etc/rc\.d/init\.d/ripngd, /etc/rc\.d/init\.d/lldpad, /etc/init\.d/cherokee, /etc/rc\.d/init\.d/httpd, /etc/rc\.d/init\.d/lighttpd, /etc/rc\.d/init\.d/kdump, /etc/rc\.d/init\.d/munin-node, /etc/rc\.d/init\.d/nasd, /bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, /usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, /usr/lib/xen/bin(/.*)?, /usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, /usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, /etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/share/shorewall-perl(/.*)?, /usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, /usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, /etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, /etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, /usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, /usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, /usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/share/system-config-securitylevel/system-config-securitylevel\.py, /etc/rc\.d/init\.d/uuidd, /etc/rc\.d/init\.d/postfix, /etc/rc\.d/init\.d/ctdb, /usr/sbin/glusterd, /etc/rc\.d/init\.d/glusterd, /etc/rc\.d/init\.d/sasl, /etc/rc\.d/init\.d/(se)?postgresql, /etc/rc\.d/init\.d/kprop, /etc/rc\.d/init\.d/kadmind, /etc/rc\.d/init\.d/krb524d, /etc/rc\.d/init\.d/krb5kdc, /etc/rc\.d/init\.d/apcupsd, /etc/rc\.d/init\.d/cups, /etc/rc\.d/init\.d/ksmtuned, /etc/rc\.d/init\.d/tuned, /etc/rc\.d/init\.d/exim, /etc/rc\.d/init\.d/smartd, /etc/rc\.d/init\.d/tgtd, /etc/rc\.d/init\.d/vsftpd, /etc/rc\.d/init\.d/proftpd, /etc/rc\.d/init\.d/ajaxterm, /etc/rc\.d/init\.d/hddtemp, /etc/rc\.d/init\.d/tcsd, /etc/rc\.d/init\.d/rhsmcertd, /etc/rc.d/init.d/svnserve, /etc/rc\.d/init\.d/shorewall, /etc/rc\.d/init\.d/shorewall-lite, /etc/rc\.d/init\.d/openais, /etc/rc\.d/init\.d/auditd, /etc/rc\.d/init\.d/lwiod, /etc/rc\.d/init\.d/lwsmd, /etc/rc\.d/init\.d/lsassd, /etc/rc\.d/init\.d/lwregd, /etc/rc\.d/init\.d/dcerpcd, /etc/rc\.d/init\.d/srvsvcd, /etc/rc\.d/init\.d/eventlogd, /etc/rc\.d/init\.d/netlogond, /etc/rc\.d/init\.d/cf-execd, /etc/rc\.d/init\.d/cf-serverd, /etc/rc\.d/init\.d/cf-monitord, /etc/init\.d/.*, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*, /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*, /opt/nfast/scripts/init.d/(.*), /etc/rc\.d/rc, /etc/X11/prefdm, /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/apachectl, /usr/sbin/ldap-agent, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/share/system-config-services/system-config-services-mechanism\.py, /etc/rc\.d/init\.d/wdmd, /etc/rc\.d/init\.d/postgrey, /etc/rc\.d/init\.d/avahi.*, /etc/rc\.d/init\.d/gpsd, /etc/rc\.d/init\.d/privoxy, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /etc/rc\.d/init\.d/nrpe, /etc/rc\.d/init\.d/nagios, /etc/rc\.d/init\.d/cpglockd, /etc/rc\.d/init\.d/rgmanager, /etc/rc\.d/init\.d/heartbeat, /etc/rc\.d/init\.d/tor, /etc/rc\.d/init\.d/radvd, /etc/rc\.d/init\.d/cgred, /etc/rc\.d/init\.d/abrt, /etc/rc\.d/init\.d/ipsec, /etc/rc\.d/init\.d/racoon, /etc/rc\.d/init\.d/puppet, /etc/rc\.d/init\.d/named, /etc/rc\.d/init\.d/unbound, /etc/rc\.d/init\.d/squid, /etc/rc\.d/init\.d/psad, /etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc\.d/init\.d/ppp, /etc/rc\.d/init\.d/afs, /etc/rc\.d/init\.d/openafs-client, /etc/rc\.d/init\.d/canna, /etc/rc\.d/init\.d/firewalld, /etc/rc\.d/init\.d/mimedefang.*, /etc/rc\.d/init\.d/spamd, /etc/rc\.d/init\.d/spampd, /etc/rc\.d/init\.d/pyzord, /etc/rc\.d/init\.d/ypserv, /etc/rc\.d/init\.d/ypxfrd, /etc/rc\.d/init\.d/yppasswd, /etc/rc\.d/init\.d/nmb, /etc/rc\.d/init\.d/smb, /etc/rc\.d/init\.d/winbind, /etc/rc\.d/init\.d/pacemaker, /etc/rc\.d/init\.d/mpd, /etc/rc\.d/init\.d/amavis, /etc/rc\.d/init\.d/amavisd-snmp, /etc/rc\.d/init\.d/arpwatch, /etc/rc\.d/init\.d/qpidd, /etc/rc\.d/init\.d/smokeping, /etc/rc\.d/init\.d/bcfg2, /etc/rc\.d/init\.d/callweaver, /etc/rc\.d/init\.d/pads, /etc/rc\.d/init\.d/MailScanner, /etc/rc\.d/init\.d/isnsd, /etc/rc\.d/init\.d/rwhod, /etc/rc\.d/init\.d/xl2tpd, /etc/rc\.d/init\.d/prol2tpd, /etc/rc\.d/init\.d/openl2tpd, /etc/rc\.d/init\.d/portreserve, /usr/libexec/nm-dispatcher.action, /etc/NetworkManager/dispatcher\.d(/.*)?, /etc/rc\.d/init\.d/wicd, /etc/rc\.d/init\.d/icecast, /etc/rc\.d/init\.d/jabberd, /etc/rc\.d/init\.d/nfslock, /etc/rc\.d/init\.d/rpcidmapd, /etc/rc.d/init.d/vhostmd, /etc/rc\.d/init\.d/nslcd, /etc/rc\.d/init\.d/certmaster, /etc/rc\.d/init\.d/slpd, /etc/rc\.d/init\.d/mysqld, /etc/rc\.d/init\.d/memcached, /etc/rc\.d/init\.d/atd, /etc/rc\.d/init\.d/asterisk, /etc/rc\.d/init\.d/fail2ban, /etc/rc\.d/init\.d/corosync, /etc/rc\.d/init\.d/sssd, /etc/rc\.d/init\.d/zabbix, /etc/rc\.d/init\.d/zabbix-server, /etc/rc\.d/init\.d/ypbind, /etc/rc\.d/init\.d/sshd, /etc/rc\.d/init\.d/dspam, /etc/firestarter/firestarter\.sh, /etc/rc\.d/init\.d/mcstrans, /etc/rc\.d/init\.d/cmirrord, /etc/rc\.d/init\.d/rngd, /etc/rc\.d/init\.d/prelude-lml, /etc/rc\.d/init\.d/prelude-manager, /etc/rc\.d/init\.d/prelude-correlator, /etc/rc\.d/init\.d/ip6?tables, /etc/rc\.d/init\.d/ebtables, /etc/rc\.d/init\.d/sendmail, /etc/rc\.d/init\.d/rpcbind, /etc/rc\.d/init\.d/cobblerd, /etc/rc\.d/init\.d/dnsmasq, /etc/rc\.d/init\.d/bitlbee, /etc/rc\.d/init\.d/sanlock
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux initrc policy is very flexible allowing users to setup their initrc processes in as secure a method as possible.
-+.PP
-+The following process types are defined for initrc:
-+
-+.EX
-+.B initrc_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux initrc policy is very flexible allowing users to setup their initrc processes in as secure a method as possible.
-+.PP
-+The following file types are defined for initrc:
-+
-+
-+.EX
-+.PP
-+.B initrc_devpts_t
-+.EE
-+
-+- Set files with the initrc_devpts_t type, if you want to treat the files as initrc devpts data.
-+
-+
-+.EX
-+.PP
-+.B initrc_exec_t
-+.EE
-+
-+- Set files with the initrc_exec_t type, if you want to transition an executable to the initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B initrc_state_t
-+.EE
-+
-+- Set files with the initrc_state_t type, if you want to treat the files as initrc state data.
-+
-+
-+.EX
-+.PP
-+.B initrc_tmp_t
-+.EE
-+
-+- Set files with the initrc_tmp_t type, if you want to store initrc temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B initrc_var_log_t
-+.EE
-+
-+- Set files with the initrc_var_log_t type, if you want to treat the data as initrc var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B initrc_var_run_t
-+.EE
-+
-+- Set files with the initrc_var_run_t type, if you want to store the initrc files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type initrc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B abrt_var_run_t
-+
-+ /var/run/abrt(/.*)?
-+.br
-+ /var/run/abrtd?\.lock
-+.br
-+ /var/run/abrtd?\.socket
-+.br
-+ /var/run/abrt\.pid
-+.br
-+
-+.br
-+.B alsa_etc_rw_t
-+
-+ /etc/asound(/.*)?
-+.br
-+ /etc/alsa/pcm(/.*)?
-+.br
-+ /usr/share/alsa/pcm(/.*)?
-+.br
-+ /etc/asound\.state
-+.br
-+ /etc/alsa/asound\.state
-+.br
-+ /usr/share/alsa/alsa\.conf
-+.br
-+
-+.br
-+.B binfmt_misc_fs_t
-+
-+
-+.br
-+.B boot_t
-+
-+ /boot/.*
-+.br
-+ /vmlinuz.*
-+.br
-+ /initrd\.img.*
-+.br
-+ /boot
-+.br
-+
-+.br
-+.B cert_t
-+
-+ /etc/pki(/.*)?
-+.br
-+ /etc/httpd/alias(/.*)?
-+.br
-+ /usr/share/ssl/certs(/.*)?
-+.br
-+ /usr/share/ssl/private(/.*)?
-+.br
-+ /var/named/chroot/etc/pki(/.*)?
-+.br
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B consolekit_log_t
-+
-+ /var/log/ConsoleKit(/.*)?
-+.br
-+
-+.br
-+.B cupsd_log_t
-+
-+ /var/log/cups(/.*)?
-+.br
-+ /usr/Brother/fax/.*\.log.*
-+.br
-+ /var/log/turboprint.*
-+.br
-+
-+.br
-+.B cyrus_var_lib_t
-+
-+ /var/imap(/.*)?
-+.br
-+ /var/lib/imap(/.*)?
-+.br
-+
-+.br
-+.B device_t
-+
-+ /dev/.*
-+.br
-+ /lib/udev/devices(/.*)?
-+.br
-+ /usr/lib/udev/devices(/.*)?
-+.br
-+ /dev
-+.br
-+ /etc/udev/devices
-+.br
-+ /var/named/chroot/dev
-+.br
-+ /var/spool/postfix/dev
-+.br
-+
-+.br
-+.B dhcp_etc_t
-+
-+ /etc/dhcpc.*
-+.br
-+ /etc/dhcp3(/.*)?
-+.br
-+ /etc/dhcpd(6)?\.conf
-+.br
-+ /etc/dhcp3?/dhclient.*
-+.br
-+ /etc/dhclient.*conf
-+.br
-+ /etc/dhcp/dhcpd(6)?\.conf
-+.br
-+ /etc/dhclient-script
-+.br
-+
-+.br
-+.B dhcpc_state_t
-+
-+ /var/lib/dhcp3?/dhclient.*
-+.br
-+ /var/lib/dhcpcd(/.*)?
-+.br
-+ /var/lib/dhclient(/.*)?
-+.br
-+ /var/lib/wifiroamd(/.*)?
-+.br
-+
-+.br
-+.B dirsrv_var_run_t
-+
-+ /var/run/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B etc_aliases_t
-+
-+ /etc/mail/aliases.*
-+.br
-+ /etc/postfix/aliases.*
-+.br
-+ /etc/aliases
-+.br
-+ /etc/aliases\.db
-+.br
-+
-+.br
-+.B etc_mail_t
-+
-+ /etc/mail(/.*)?
-+.br
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B exports_t
-+
-+ /etc/exports
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B fonts_t
-+
-+ /usr/share/fonts(/.*)?
-+.br
-+ /usr/share/X11/fonts(/.*)?
-+.br
-+ /usr/X11R6/lib/X11/fonts(/.*)?
-+.br
-+ /usr/share/ghostscript/fonts(/.*)?
-+.br
-+
-+.br
-+.B gconf_etc_t
-+
-+ /etc/gconf(/.*)?
-+.br
-+
-+.br
-+.B glance_var_run_t
-+
-+ /var/run/glance(/.*)?
-+.br
-+
-+.br
-+.B initrc_state_t
-+
-+
-+.br
-+.B initrc_tmp_t
-+
-+
-+.br
-+.B initrc_var_log_t
-+
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B ipsec_var_run_t
-+
-+ /var/racoon(/.*)?
-+.br
-+ /var/run/pluto(/.*)?
-+.br
-+ /var/run/racoon\.pid
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B ld_so_cache_t
-+
-+ /etc/ld\.so\.cache
-+.br
-+ /etc/ld\.so\.cache~
-+.br
-+ /etc/ld\.so\.preload
-+.br
-+ /etc/ld\.so\.preload~
-+.br
-+
-+.br
-+.B locale_t
-+
-+ /etc/locale.conf
-+.br
-+ /usr/lib/locale(/.*)?
-+.br
-+ /usr/share/locale(/.*)?
-+.br
-+ /usr/share/zoneinfo(/.*)?
-+.br
-+ /usr/share/X11/locale(/.*)?
-+.br
-+ /etc/timezone
-+.br
-+ /etc/localtime
-+.br
-+ /etc/sysconfig/clock
-+.br
-+ /etc/avahi/etc/localtime
-+.br
-+ /var/empty/sshd/etc/localtime
-+.br
-+ /var/spool/postfix/etc/localtime
-+.br
-+
-+.br
-+.B lockfile
-+
-+
-+.br
-+.B mdadm_var_run_t
-+
-+ /dev/.mdadm\.map
-+.br
-+ /dev/md/.*
-+.br
-+ /var/run/mdadm(/.*)?
-+.br
-+
-+.br
-+.B mnt_t
-+
-+ /mnt(/[^/]*)
-+.br
-+ /mnt(/[^/]*)?
-+.br
-+ /rhev(/[^/]*)?
-+.br
-+ /media(/[^/]*)
-+.br
-+ /media(/[^/]*)?
-+.br
-+ /media/\.hal-.*
-+.br
-+ /var/run/media(/[^/]*)?
-+.br
-+ /net
-+.br
-+ /afs
-+.br
-+ /rhev
-+.br
-+ /misc
-+.br
-+
-+.br
-+.B mysqld_log_t
-+
-+ /var/log/mysql.*
-+.br
-+
-+.br
-+.B named_conf_t
-+
-+ /etc/rndc.*
-+.br
-+ /etc/unbound(/.*)?
-+.br
-+ /var/named/chroot(/.*)?
-+.br
-+ /etc/named\.rfc1912.zones
-+.br
-+ /var/named/chroot/etc/named\.rfc1912.zones
-+.br
-+ /etc/named\.conf
-+.br
-+ /var/named/named\.ca
-+.br
-+ /etc/named\.root\.hints
-+.br
-+ /var/named/chroot/etc/named\.conf
-+.br
-+ /etc/named\.caching-nameserver\.conf
-+.br
-+ /var/named/chroot/var/named/named\.ca
-+.br
-+ /var/named/chroot/etc/named\.root\.hints
-+.br
-+ /var/named/chroot/etc/named\.caching-nameserver\.conf
-+.br
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.br
-+.B postgresql_db_t
-+
-+ /var/lib/pgsql(/.*)?
-+.br
-+ /var/lib/sepgsql(/.*)?
-+.br
-+ /var/lib/postgres(ql)?(/.*)?
-+.br
-+ /usr/share/jonas/pgsql(/.*)?
-+.br
-+ /usr/lib/pgsql/test/regress(/.*)?
-+.br
-+
-+.br
-+.B psad_var_log_t
-+
-+ /var/log/psad(/.*)?
-+.br
-+
-+.br
-+.B qpidd_var_run_t
-+
-+ /var/run/qpidd(/.*)?
-+.br
-+ /var/run/qpidd\.pid
-+.br
-+
-+.br
-+.B quota_flag_t
-+
-+ /var/lib/quota(/.*)?
-+.br
-+
-+.br
-+.B ricci_var_lib_t
-+
-+ /var/lib/ricci(/.*)?
-+.br
-+
-+.br
-+.B samba_etc_t
-+
-+ /etc/samba(/.*)?
-+.br
-+
-+.br
-+.B sanlock_var_run_t
-+
-+ /var/run/sanlock(/.*)?
-+.br
-+
-+.br
-+.B squid_log_t
-+
-+ /var/log/squid(/.*)?
-+.br
-+ /var/log/squidGuard(/.*)?
-+.br
-+
-+.br
-+.B svc_svc_t
-+
-+ /service/.*
-+.br
-+ /var/axfrdns(/.*)?
-+.br
-+ /var/tinydns(/.*)?
-+.br
-+ /var/service/.*
-+.br
-+ /var/dnscache(/.*)?
-+.br
-+ /var/qmail/supervise(/.*)?
-+.br
-+ /service
-+.br
-+
-+.br
-+.B sysctl_type
-+
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B system_conf_t
-+
-+ /etc/sysctl\.conf(\.old)?
-+.br
-+ /etc/sysconfig/ip6?tables.*
-+.br
-+ /etc/sysconfig/ipvsadm.*
-+.br
-+ /etc/sysconfig/ebtables.*
-+.br
-+ /etc/sysconfig/system-config-firewall.*
-+.br
-+
-+.br
-+.B system_dbusd_var_lib_t
-+
-+ /var/lib/dbus(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B udev_rules_t
-+
-+ /etc/udev/rules.d(/.*)?
-+.br
-+
-+.br
-+.B udev_var_run_t
-+
-+ /dev/\.udev(/.*)?
-+.br
-+ /var/run/udev(/.*)?
-+.br
-+ /var/run/libgpod(/.*)?
-+.br
-+ /var/run/PackageKit/udev(/.*)?
-+.br
-+ /dev/\.udevdb
-+.br
-+ /dev/udev\.tbl
-+.br
-+
-+.br
-+.B var_lib_nfs_t
-+
-+ /var/lib/nfs(/.*)?
-+.br
-+
-+.br
-+.B var_lib_t
-+
-+ /opt/(.*/)?var/lib(/.*)?
-+.br
-+ /var/lib(/.*)?
-+.br
-+
-+.br
-+.B var_log_t
-+
-+ /var/log/.*
-+.br
-+ /nsr/logs(/.*)?
-+.br
-+ /var/webmin(/.*)?
-+.br
-+ /var/log/cron[^/]*
-+.br
-+ /var/log/secure[^/]*
-+.br
-+ /opt/zimbra/log(/.*)?
-+.br
-+ /var/log/maillog[^/]*
-+.br
-+ /var/log/spooler[^/]*
-+.br
-+ /var/log/messages[^/]*
-+.br
-+ /usr/centreon/log(/.*)?
-+.br
-+ /var/spool/rsyslog(/.*)?
-+.br
-+ /var/axfrdns/log/main(/.*)?
-+.br
-+ /var/spool/bacula/log(/.*)?
-+.br
-+ /var/tinydns/log/main(/.*)?
-+.br
-+ /var/dnscache/log/main(/.*)?
-+.br
-+ /var/stockmaniac/templates_cache(/.*)?
-+.br
-+ /opt/Symantec/scspagent/IDS/system(/.*)?
-+.br
-+ /var/log
-+.br
-+ /var/log/dmesg
-+.br
-+ /var/log/syslog
-+.br
-+ /var/named/chroot/var/log
-+.br
-+
-+.br
-+.B var_spool_t
-+
-+ /var/spool(/.*)?
-+.br
-+
-+.br
-+.B virt_cache_t
-+
-+ /var/cache/oz(/.*)?
-+.br
-+ /var/cache/libvirt(/.*)?
-+.br
-+
-+.br
-+.B virt_var_lib_t
-+
-+ /var/lib/oz(/.*)?
-+.br
-+ /var/lib/libvirt(/.*)?
-+.br
-+
-+.br
-+.B wdmd_var_run_t
-+
-+ /var/run/wdmd(/.*)?
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the initrc_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, init_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/innd_selinux.8 b/man/man8/innd_selinux.8
-new file mode 100644
-index 0000000..e89f4a3
---- /dev/null
-+++ b/man/man8/innd_selinux.8
-@@ -0,0 +1,182 @@
-+.TH "innd_selinux" "8" "12-11-01" "innd" "SELinux Policy documentation for innd"
-+.SH "NAME"
-+innd_selinux \- Security Enhanced Linux Policy for the innd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the innd processes via flexible mandatory access control.
-+
-+The innd processes execute with the innd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep innd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The innd_t SELinux type can be entered via the "innd_exec_t" file type. The default entrypoint paths for the innd_t domain are the following:"
-+
-+/usr/sbin/innd.*, /usr/bin/suck, /etc/news/boot, /usr/bin/inews, /usr/bin/rnews, /usr/bin/rpost, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/sm, /usr/lib/news/bin/innd, /usr/lib/news/bin/inews, /usr/lib/news/bin/inndf, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/rnews, /usr/lib/news/bin/expire, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/shlock, /usr/lib/news/bin/actsync, /usr/lib/news/bin/archive, /usr/lib/news/bin/batcher, /usr/lib/news/bin/ctlinnd, /usr/lib/news/bin/getlist, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/makedbz, /usr/lib/news/bin/nntpget, /usr/lib/news/bin/buffchan, /usr/lib/news/bin/convdate, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/filechan, /usr/lib/news/bin/overchan, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/innxbatch, /usr/lib/news/bin/expireover, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/shrinkfile, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/newsrequeue, /usr/lib/news/bin/ovdb_recover, /usr/lib/news/bin/prunehistory, /usr/lib/news/bin/startinnfeed
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux innd policy is very flexible allowing users to setup their innd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for innd:
-+
-+.EX
-+.B innd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux innd policy is very flexible allowing users to setup their innd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for innd:
-+
-+
-+.EX
-+.PP
-+.B innd_etc_t
-+.EE
-+
-+- Set files with the innd_etc_t type, if you want to store innd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B innd_exec_t
-+.EE
-+
-+- Set files with the innd_exec_t type, if you want to transition an executable to the innd_t domain.
-+
-+
-+.EX
-+.PP
-+.B innd_initrc_exec_t
-+.EE
-+
-+- Set files with the innd_initrc_exec_t type, if you want to transition an executable to the innd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B innd_log_t
-+.EE
-+
-+- Set files with the innd_log_t type, if you want to treat the data as innd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B innd_var_lib_t
-+.EE
-+
-+- Set files with the innd_var_lib_t type, if you want to store the innd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B innd_var_run_t
-+.EE
-+
-+- Set files with the innd_var_run_t type, if you want to store the innd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux innd policy is very flexible allowing users to setup their innd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for innd:
-+
-+.EX
-+.TP 5
-+.B innd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 119
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type innd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B innd_log_t
-+
-+ /var/log/news(/.*)?
-+.br
-+
-+.br
-+.B innd_var_lib_t
-+
-+ /var/lib/news(/.*)?
-+.br
-+
-+.br
-+.B innd_var_run_t
-+
-+ /var/run/innd(/.*)?
-+.br
-+ /var/run/news(/.*)?
-+.br
-+
-+.br
-+.B news_spool_t
-+
-+ /var/spool/news(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), innd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/insmod_selinux.8 b/man/man8/insmod_selinux.8
-new file mode 100644
-index 0000000..58787ca
---- /dev/null
-+++ b/man/man8/insmod_selinux.8
-@@ -0,0 +1,194 @@
-+.TH "insmod_selinux" "8" "12-11-01" "insmod" "SELinux Policy documentation for insmod"
-+.SH "NAME"
-+insmod_selinux \- Security Enhanced Linux Policy for the insmod processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the insmod processes via flexible mandatory access control.
-+
-+The insmod processes execute with the insmod_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep insmod_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The insmod_t SELinux type can be entered via the "insmod_exec_t" file type. The default entrypoint paths for the insmod_t domain are the following:"
-+
-+/sbin/rmmod.*, /sbin/insmod.*, /sbin/modprobe.*, /usr/sbin/rmmod.*, /usr/sbin/insmod.*, /usr/sbin/modprobe.*, /usr/bin/kmod
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux insmod policy is very flexible allowing users to setup their insmod processes in as secure a method as possible.
-+.PP
-+The following process types are defined for insmod:
-+
-+.EX
-+.B insmod_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. insmod policy is extremely flexible and has several booleans that allow you to manipulate the policy and run insmod with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean.
-+
-+.EX
-+.B setsebool -P pppd_can_insmod 1
-+.EE
-+
-+.PP
-+If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean.
-+
-+.EX
-+.B setsebool -P secure_mode_insmod 1
-+.EE
-+
-+.PP
-+If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean.
-+
-+.EX
-+.B setsebool -P pppd_can_insmod 1
-+.EE
-+
-+.PP
-+If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean.
-+
-+.EX
-+.B setsebool -P secure_mode_insmod 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux insmod policy is very flexible allowing users to setup their insmod processes in as secure a method as possible.
-+.PP
-+The following file types are defined for insmod:
-+
-+
-+.EX
-+.PP
-+.B insmod_exec_t
-+.EE
-+
-+- Set files with the insmod_exec_t type, if you want to transition an executable to the insmod_t domain.
-+
-+
-+.EX
-+.PP
-+.B insmod_tmpfs_t
-+.EE
-+
-+- Set files with the insmod_tmpfs_t type, if you want to store insmod files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type insmod_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B initrc_tmp_t
-+
-+
-+.br
-+.B insmod_tmpfs_t
-+
-+
-+.br
-+.B kdumpctl_tmp_t
-+
-+
-+.br
-+.B modules_dep_t
-+
-+ /lib/modules/[^/]+/modules\..+
-+.br
-+
-+.br
-+.B modules_object_t
-+
-+ /lib/modules(/.*)?
-+.br
-+ /usr/lib/modules(/.*)?
-+.br
-+
-+.br
-+.B mtrr_device_t
-+
-+ /dev/cpu/mtrr
-+.br
-+
-+.br
-+.B ramfs_t
-+
-+
-+.br
-+.B rpm_script_tmp_t
-+
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the insmod_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the insmod_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), insmod(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/ipsec_mgmt_selinux.8 b/man/man8/ipsec_mgmt_selinux.8
-new file mode 100644
-index 0000000..d3feccd
---- /dev/null
-+++ b/man/man8/ipsec_mgmt_selinux.8
-@@ -0,0 +1,189 @@
-+.TH "ipsec_mgmt_selinux" "8" "12-11-01" "ipsec_mgmt" "SELinux Policy documentation for ipsec_mgmt"
-+.SH "NAME"
-+ipsec_mgmt_selinux \- Security Enhanced Linux Policy for the ipsec_mgmt processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ipsec_mgmt processes via flexible mandatory access control.
-+
-+The ipsec_mgmt processes execute with the ipsec_mgmt_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ipsec_mgmt_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ipsec_mgmt_t SELinux type can be entered via the "shell_exec_t,ipsec_mgmt_exec_t" file types. The default entrypoint paths for the ipsec_mgmt_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/sbin/ipsec, /usr/lib/ipsec/_plutorun, /usr/lib/ipsec/_plutoload, /usr/libexec/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ipsec_mgmt policy is very flexible allowing users to setup their ipsec_mgmt processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ipsec_mgmt:
-+
-+.EX
-+.B ipsec_mgmt_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ipsec_mgmt policy is very flexible allowing users to setup their ipsec_mgmt processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ipsec_mgmt:
-+
-+
-+.EX
-+.PP
-+.B ipsec_mgmt_exec_t
-+.EE
-+
-+- Set files with the ipsec_mgmt_exec_t type, if you want to transition an executable to the ipsec_mgmt_t domain.
-+
-+
-+.EX
-+.PP
-+.B ipsec_mgmt_lock_t
-+.EE
-+
-+- Set files with the ipsec_mgmt_lock_t type, if you want to treat the files as ipsec mgmt lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B ipsec_mgmt_var_run_t
-+.EE
-+
-+- Set files with the ipsec_mgmt_var_run_t type, if you want to store the ipsec mgmt files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ipsec_mgmt_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ipsec_key_file_t
-+
-+ /etc/ipsec\.d(/.*)?
-+.br
-+ /etc/racoon/certs(/.*)?
-+.br
-+ /etc/ipsec\.secrets
-+.br
-+ /etc/racoon/psk\.txt
-+.br
-+
-+.br
-+.B ipsec_log_t
-+
-+ /var/log/pluto\.log
-+.br
-+
-+.br
-+.B ipsec_mgmt_lock_t
-+
-+ /var/lock/subsys/ipsec
-+.br
-+
-+.br
-+.B ipsec_mgmt_var_run_t
-+
-+
-+.br
-+.B ipsec_tmp_t
-+
-+
-+.br
-+.B ipsec_var_run_t
-+
-+ /var/racoon(/.*)?
-+.br
-+ /var/run/pluto(/.*)?
-+.br
-+ /var/run/racoon\.pid
-+.br
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ipsec_mgmt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ipsec_mgmt_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ipsec_mgmt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, ipsec_selinux(8), ipsec_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/ipsec_selinux.8 b/man/man8/ipsec_selinux.8
-new file mode 100644
-index 0000000..2c1a0c0
---- /dev/null
-+++ b/man/man8/ipsec_selinux.8
-@@ -0,0 +1,263 @@
-+.TH "ipsec_selinux" "8" "12-11-01" "ipsec" "SELinux Policy documentation for ipsec"
-+.SH "NAME"
-+ipsec_selinux \- Security Enhanced Linux Policy for the ipsec processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ipsec processes via flexible mandatory access control.
-+
-+The ipsec processes execute with the ipsec_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ipsec_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ipsec_t SELinux type can be entered via the "ipsec_exec_t" file type. The default entrypoint paths for the ipsec_t domain are the following:"
-+
-+/usr/lib/ipsec/spi, /usr/lib/ipsec/pluto, /usr/lib/ipsec/eroute, /usr/libexec/ipsec/spi, /usr/libexec/ipsec/pluto, /usr/lib/ipsec/klipsdebug, /usr/libexec/ipsec/eroute, /usr/libexec/ipsec/klipsdebug
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ipsec policy is very flexible allowing users to setup their ipsec processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ipsec:
-+
-+.EX
-+.B ipsec_t, ipsec_mgmt_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ipsec policy is very flexible allowing users to setup their ipsec processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ipsec:
-+
-+
-+.EX
-+.PP
-+.B ipsec_conf_file_t
-+.EE
-+
-+- Set files with the ipsec_conf_file_t type, if you want to treat the files as ipsec conf content.
-+
-+
-+.EX
-+.PP
-+.B ipsec_exec_t
-+.EE
-+
-+- Set files with the ipsec_exec_t type, if you want to transition an executable to the ipsec_t domain.
-+
-+
-+.EX
-+.PP
-+.B ipsec_initrc_exec_t
-+.EE
-+
-+- Set files with the ipsec_initrc_exec_t type, if you want to transition an executable to the ipsec_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B ipsec_key_file_t
-+.EE
-+
-+- Set files with the ipsec_key_file_t type, if you want to treat the files as ipsec key content.
-+
-+
-+.EX
-+.PP
-+.B ipsec_log_t
-+.EE
-+
-+- Set files with the ipsec_log_t type, if you want to treat the data as ipsec log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B ipsec_mgmt_exec_t
-+.EE
-+
-+- Set files with the ipsec_mgmt_exec_t type, if you want to transition an executable to the ipsec_mgmt_t domain.
-+
-+
-+.EX
-+.PP
-+.B ipsec_mgmt_lock_t
-+.EE
-+
-+- Set files with the ipsec_mgmt_lock_t type, if you want to treat the files as ipsec mgmt lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B ipsec_mgmt_var_run_t
-+.EE
-+
-+- Set files with the ipsec_mgmt_var_run_t type, if you want to store the ipsec mgmt files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B ipsec_tmp_t
-+.EE
-+
-+- Set files with the ipsec_tmp_t type, if you want to store ipsec temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B ipsec_var_run_t
-+.EE
-+
-+- Set files with the ipsec_var_run_t type, if you want to store the ipsec files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux ipsec policy is very flexible allowing users to setup their ipsec processes in as secure a method as possible.
-+.PP
-+The following port types are defined for ipsec:
-+
-+.EX
-+.TP 5
-+.B ipsecnat_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 4500
-+.EE
-+udp 4500
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ipsec_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ipsec_key_file_t
-+
-+ /etc/ipsec\.d(/.*)?
-+.br
-+ /etc/racoon/certs(/.*)?
-+.br
-+ /etc/ipsec\.secrets
-+.br
-+ /etc/racoon/psk\.txt
-+.br
-+
-+.br
-+.B ipsec_tmp_t
-+
-+
-+.br
-+.B ipsec_var_run_t
-+
-+ /var/racoon(/.*)?
-+.br
-+ /var/run/pluto(/.*)?
-+.br
-+ /var/run/racoon\.pid
-+.br
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ipsec_t, ipsec_mgmt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ipsec_t, ipsec_mgmt_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ipsec(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, ipsec_mgmt_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/iptables_selinux.8 b/man/man8/iptables_selinux.8
-new file mode 100644
-index 0000000..66ccd4a
---- /dev/null
-+++ b/man/man8/iptables_selinux.8
-@@ -0,0 +1,258 @@
-+.TH "iptables_selinux" "8" "12-11-01" "iptables" "SELinux Policy documentation for iptables"
-+.SH "NAME"
-+iptables_selinux \- Security Enhanced Linux Policy for the iptables processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the iptables processes via flexible mandatory access control.
-+
-+The iptables processes execute with the iptables_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep iptables_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The iptables_t SELinux type can be entered via the "iptables_exec_t" file type. The default entrypoint paths for the iptables_t domain are the following:"
-+
-+/sbin/ip6?tables, /sbin/ip6?tables-multi, /sbin/ip6?tables-restore, /usr/sbin/ip6?tables, /usr/sbin/ip6?tables-multi, /usr/sbin/ip6?tables-restore, /sbin/ipchains.*, /usr/sbin/ipchains.*, /sbin/ipvsadm, /sbin/ebtables, /usr/sbin/ipvsadm, /sbin/ipvsadm-save, /usr/sbin/ebtables, /sbin/xtables-multi, /sbin/ipvsadm-restore, /sbin/ebtables-restore, /usr/sbin/ipvsadm-save, /usr/sbin/xtables-multi, /usr/sbin/ipvsadm-restore, /usr/sbin/ebtables-restore
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux iptables policy is very flexible allowing users to setup their iptables processes in as secure a method as possible.
-+.PP
-+The following process types are defined for iptables:
-+
-+.EX
-+.B iptables_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. iptables policy is extremely flexible and has several booleans that allow you to manipulate the policy and run iptables with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
-+
-+.EX
-+.B setsebool -P dhcpc_exec_iptables 1
-+.EE
-+
-+.PP
-+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
-+
-+.EX
-+.B setsebool -P dhcpc_exec_iptables 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux iptables policy is very flexible allowing users to setup their iptables processes in as secure a method as possible.
-+.PP
-+The following file types are defined for iptables:
-+
-+
-+.EX
-+.PP
-+.B iptables_exec_t
-+.EE
-+
-+- Set files with the iptables_exec_t type, if you want to transition an executable to the iptables_t domain.
-+
-+
-+.EX
-+.PP
-+.B iptables_initrc_exec_t
-+.EE
-+
-+- Set files with the iptables_initrc_exec_t type, if you want to transition an executable to the iptables_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B iptables_tmp_t
-+.EE
-+
-+- Set files with the iptables_tmp_t type, if you want to store iptables temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B iptables_unit_file_t
-+.EE
-+
-+- Set files with the iptables_unit_file_t type, if you want to treat the files as iptables unit content.
-+
-+
-+.EX
-+.PP
-+.B iptables_var_run_t
-+.EE
-+
-+- Set files with the iptables_var_run_t type, if you want to store the iptables files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type iptables_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B initrc_tmp_t
-+
-+
-+.br
-+.B iptables_tmp_t
-+
-+
-+.br
-+.B iptables_var_run_t
-+
-+
-+.br
-+.B psad_tmp_t
-+
-+
-+.br
-+.B psad_var_log_t
-+
-+ /var/log/psad(/.*)?
-+.br
-+
-+.br
-+.B shorewall_var_lib_t
-+
-+ /var/lib/shorewall(/.*)?
-+.br
-+ /var/lib/shorewall6(/.*)?
-+.br
-+ /var/lib/shorewall-lite(/.*)?
-+.br
-+
-+.br
-+.B system_conf_t
-+
-+ /etc/sysctl\.conf(\.old)?
-+.br
-+ /etc/sysconfig/ip6?tables.*
-+.br
-+ /etc/sysconfig/ipvsadm.*
-+.br
-+ /etc/sysconfig/ebtables.*
-+.br
-+ /etc/sysconfig/system-config-firewall.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the iptables_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the iptables_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), iptables(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/irc_selinux.8 b/man/man8/irc_selinux.8
-new file mode 100644
-index 0000000..8ca561c
---- /dev/null
-+++ b/man/man8/irc_selinux.8
-@@ -0,0 +1,146 @@
-+.TH "irc_selinux" "8" "12-11-01" "irc" "SELinux Policy documentation for irc"
-+.SH "NAME"
-+irc_selinux \- Security Enhanced Linux Policy for the irc processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the irc processes via flexible mandatory access control.
-+
-+The irc processes execute with the irc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep irc_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The irc_t SELinux type can be entered via the "irc_exec_t" file type. The default entrypoint paths for the irc_t domain are the following:"
-+
-+/usr/bin/[st]irc, /usr/bin/ircII, /usr/bin/tinyirc
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux irc policy is very flexible allowing users to setup their irc processes in as secure a method as possible.
-+.PP
-+The following process types are defined for irc:
-+
-+.EX
-+.B irc_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux irc policy is very flexible allowing users to setup their irc processes in as secure a method as possible.
-+.PP
-+The following file types are defined for irc:
-+
-+
-+.EX
-+.PP
-+.B irc_exec_t
-+.EE
-+
-+- Set files with the irc_exec_t type, if you want to transition an executable to the irc_t domain.
-+
-+
-+.EX
-+.PP
-+.B irc_home_t
-+.EE
-+
-+- Set files with the irc_home_t type, if you want to store irc files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B irc_tmp_t
-+.EE
-+
-+- Set files with the irc_tmp_t type, if you want to store irc temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux irc policy is very flexible allowing users to setup their irc processes in as secure a method as possible.
-+.PP
-+The following port types are defined for irc:
-+
-+.EX
-+.TP 5
-+.B ircd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 6667,6697
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type irc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B irc_home_t
-+
-+ /home/[^/]*/\.ircmotd
-+.br
-+ /home/dwalsh/\.ircmotd
-+.br
-+ /var/lib/xguest/home/xguest/\.ircmotd
-+.br
-+
-+.br
-+.B irc_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), irc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/irqbalance_selinux.8 b/man/man8/irqbalance_selinux.8
-new file mode 100644
-index 0000000..e967562
---- /dev/null
-+++ b/man/man8/irqbalance_selinux.8
-@@ -0,0 +1,102 @@
-+.TH "irqbalance_selinux" "8" "12-11-01" "irqbalance" "SELinux Policy documentation for irqbalance"
-+.SH "NAME"
-+irqbalance_selinux \- Security Enhanced Linux Policy for the irqbalance processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the irqbalance processes via flexible mandatory access control.
-+
-+The irqbalance processes execute with the irqbalance_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep irqbalance_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The irqbalance_t SELinux type can be entered via the "irqbalance_exec_t" file type. The default entrypoint paths for the irqbalance_t domain are the following:"
-+
-+/usr/sbin/irqbalance
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux irqbalance policy is very flexible allowing users to setup their irqbalance processes in as secure a method as possible.
-+.PP
-+The following process types are defined for irqbalance:
-+
-+.EX
-+.B irqbalance_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux irqbalance policy is very flexible allowing users to setup their irqbalance processes in as secure a method as possible.
-+.PP
-+The following file types are defined for irqbalance:
-+
-+
-+.EX
-+.PP
-+.B irqbalance_exec_t
-+.EE
-+
-+- Set files with the irqbalance_exec_t type, if you want to transition an executable to the irqbalance_t domain.
-+
-+
-+.EX
-+.PP
-+.B irqbalance_var_run_t
-+.EE
-+
-+- Set files with the irqbalance_var_run_t type, if you want to store the irqbalance files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type irqbalance_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B irqbalance_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), irqbalance(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/irssi_selinux.8 b/man/man8/irssi_selinux.8
-new file mode 100644
-index 0000000..36617d8
---- /dev/null
-+++ b/man/man8/irssi_selinux.8
-@@ -0,0 +1,158 @@
-+.TH "irssi_selinux" "8" "12-11-01" "irssi" "SELinux Policy documentation for irssi"
-+.SH "NAME"
-+irssi_selinux \- Security Enhanced Linux Policy for the irssi processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the irssi processes via flexible mandatory access control.
-+
-+The irssi processes execute with the irssi_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep irssi_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The irssi_t SELinux type can be entered via the "irssi_exec_t" file type. The default entrypoint paths for the irssi_t domain are the following:"
-+
-+/usr/bin/irssi
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux irssi policy is very flexible allowing users to setup their irssi processes in as secure a method as possible.
-+.PP
-+The following process types are defined for irssi:
-+
-+.EX
-+.B irssi_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. irssi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run irssi with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port, you must turn on the irssi_use_full_network boolean.
-+
-+.EX
-+.B setsebool -P irssi_use_full_network 1
-+.EE
-+
-+.PP
-+If you want to allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port, you must turn on the irssi_use_full_network boolean.
-+
-+.EX
-+.B setsebool -P irssi_use_full_network 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux irssi policy is very flexible allowing users to setup their irssi processes in as secure a method as possible.
-+.PP
-+The following file types are defined for irssi:
-+
-+
-+.EX
-+.PP
-+.B irssi_etc_t
-+.EE
-+
-+- Set files with the irssi_etc_t type, if you want to store irssi files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B irssi_exec_t
-+.EE
-+
-+- Set files with the irssi_exec_t type, if you want to transition an executable to the irssi_t domain.
-+
-+
-+.EX
-+.PP
-+.B irssi_home_t
-+.EE
-+
-+- Set files with the irssi_home_t type, if you want to store irssi files in the users home directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type irssi_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B irssi_home_t
-+
-+ /home/[^/]*/\.irssi(/.*)?
-+.br
-+ /home/[^/]*/irclogs(/.*)?
-+.br
-+ /home/dwalsh/\.irssi(/.*)?
-+.br
-+ /home/dwalsh/irclogs(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.irssi(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/irclogs(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the irssi_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the irssi_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), irssi(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/iscsid_selinux.8 b/man/man8/iscsid_selinux.8
-new file mode 100644
-index 0000000..4e63ee8
---- /dev/null
-+++ b/man/man8/iscsid_selinux.8
-@@ -0,0 +1,160 @@
-+.TH "iscsid_selinux" "8" "12-11-01" "iscsid" "SELinux Policy documentation for iscsid"
-+.SH "NAME"
-+iscsid_selinux \- Security Enhanced Linux Policy for the iscsid processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the iscsid processes via flexible mandatory access control.
-+
-+The iscsid processes execute with the iscsid_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep iscsid_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The iscsid_t SELinux type can be entered via the "iscsid_exec_t" file type. The default entrypoint paths for the iscsid_t domain are the following:"
-+
-+/sbin/iscsid, /sbin/iscsiuio, /usr/sbin/iscsid, /usr/sbin/iscsiuio, /sbin/brcm_iscsiuio, /usr/sbin/brcm_iscsiuio
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible.
-+.PP
-+The following process types are defined for iscsid:
-+
-+.EX
-+.B iscsid_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible.
-+.PP
-+The following file types are defined for iscsid:
-+
-+
-+.EX
-+.PP
-+.B iscsid_exec_t
-+.EE
-+
-+- Set files with the iscsid_exec_t type, if you want to transition an executable to the iscsid_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible.
-+.PP
-+The following port types are defined for iscsid:
-+
-+.EX
-+.TP 5
-+.B iscsi_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 3260
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type iscsid_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B iscsi_lock_t
-+
-+ /var/lock/iscsi(/.*)?
-+.br
-+
-+.br
-+.B iscsi_log_t
-+
-+ /var/log/iscsiuio\.log.*
-+.br
-+ /var/log/brcm-iscsi\.log.*
-+.br
-+
-+.br
-+.B iscsi_tmp_t
-+
-+
-+.br
-+.B iscsi_var_run_t
-+
-+ /var/run/iscsid\.pid
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the iscsid_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the iscsid_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), iscsid(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/isnsd_selinux.8 b/man/man8/isnsd_selinux.8
-new file mode 100644
-index 0000000..9811117
---- /dev/null
-+++ b/man/man8/isnsd_selinux.8
-@@ -0,0 +1,156 @@
-+.TH "isnsd_selinux" "8" "12-11-01" "isnsd" "SELinux Policy documentation for isnsd"
-+.SH "NAME"
-+isnsd_selinux \- Security Enhanced Linux Policy for the isnsd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the isnsd processes via flexible mandatory access control.
-+
-+The isnsd processes execute with the isnsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep isnsd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The isnsd_t SELinux type can be entered via the "isnsd_exec_t" file type. The default entrypoint paths for the isnsd_t domain are the following:"
-+
-+/usr/sbin/isnsd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux isnsd policy is very flexible allowing users to setup their isnsd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for isnsd:
-+
-+.EX
-+.B isnsd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux isnsd policy is very flexible allowing users to setup their isnsd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for isnsd:
-+
-+
-+.EX
-+.PP
-+.B isnsd_exec_t
-+.EE
-+
-+- Set files with the isnsd_exec_t type, if you want to transition an executable to the isnsd_t domain.
-+
-+
-+.EX
-+.PP
-+.B isnsd_initrc_exec_t
-+.EE
-+
-+- Set files with the isnsd_initrc_exec_t type, if you want to transition an executable to the isnsd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B isnsd_var_lib_t
-+.EE
-+
-+- Set files with the isnsd_var_lib_t type, if you want to store the isnsd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B isnsd_var_run_t
-+.EE
-+
-+- Set files with the isnsd_var_run_t type, if you want to store the isnsd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux isnsd policy is very flexible allowing users to setup their isnsd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for isnsd:
-+
-+.EX
-+.TP 5
-+.B isns_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 3205
-+.EE
-+udp 3205
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type isnsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B isnsd_var_lib_t
-+
-+ /var/lib/isns(/.*)?
-+.br
-+
-+.br
-+.B isnsd_var_run_t
-+
-+ /var/run/isnsctl
-+.br
-+ /var/run/isnsd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), isnsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/iwhd_selinux.8 b/man/man8/iwhd_selinux.8
-new file mode 100644
-index 0000000..cea1bb7
---- /dev/null
-+++ b/man/man8/iwhd_selinux.8
-@@ -0,0 +1,140 @@
-+.TH "iwhd_selinux" "8" "12-11-01" "iwhd" "SELinux Policy documentation for iwhd"
-+.SH "NAME"
-+iwhd_selinux \- Security Enhanced Linux Policy for the iwhd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the iwhd processes via flexible mandatory access control.
-+
-+The iwhd processes execute with the iwhd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep iwhd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The iwhd_t SELinux type can be entered via the "iwhd_exec_t" file type. The default entrypoint paths for the iwhd_t domain are the following:"
-+
-+/usr/bin/iwhd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux iwhd policy is very flexible allowing users to setup their iwhd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for iwhd:
-+
-+.EX
-+.B iwhd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux iwhd policy is very flexible allowing users to setup their iwhd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for iwhd:
-+
-+
-+.EX
-+.PP
-+.B iwhd_exec_t
-+.EE
-+
-+- Set files with the iwhd_exec_t type, if you want to transition an executable to the iwhd_t domain.
-+
-+
-+.EX
-+.PP
-+.B iwhd_initrc_exec_t
-+.EE
-+
-+- Set files with the iwhd_initrc_exec_t type, if you want to transition an executable to the iwhd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B iwhd_log_t
-+.EE
-+
-+- Set files with the iwhd_log_t type, if you want to treat the data as iwhd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B iwhd_var_lib_t
-+.EE
-+
-+- Set files with the iwhd_var_lib_t type, if you want to store the iwhd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B iwhd_var_run_t
-+.EE
-+
-+- Set files with the iwhd_var_run_t type, if you want to store the iwhd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type iwhd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B iwhd_log_t
-+
-+ /var/log/iwhd\.log.*
-+.br
-+
-+.br
-+.B iwhd_var_lib_t
-+
-+ /var/lib/iwhd(/.*)?
-+.br
-+
-+.br
-+.B iwhd_var_run_t
-+
-+ /var/run/iwhd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), iwhd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/jabberd_router_selinux.8 b/man/man8/jabberd_router_selinux.8
-new file mode 100644
-index 0000000..6c57f11
---- /dev/null
-+++ b/man/man8/jabberd_router_selinux.8
-@@ -0,0 +1,97 @@
-+.TH "jabberd_router_selinux" "8" "12-11-01" "jabberd_router" "SELinux Policy documentation for jabberd_router"
-+.SH "NAME"
-+jabberd_router_selinux \- Security Enhanced Linux Policy for the jabberd_router processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the jabberd_router processes via flexible mandatory access control.
-+
-+The jabberd_router processes execute with the jabberd_router_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep jabberd_router_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The jabberd_router_t SELinux type can be entered via the "jabberd_router_exec_t" file type. The default entrypoint paths for the jabberd_router_t domain are the following:"
-+
-+/usr/bin/c2s, /usr/bin/router
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux jabberd_router policy is very flexible allowing users to setup their jabberd_router processes in as secure a method as possible.
-+.PP
-+The following process types are defined for jabberd_router:
-+
-+.EX
-+.B jabberd_router_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux jabberd_router policy is very flexible allowing users to setup their jabberd_router processes in as secure a method as possible.
-+.PP
-+The following file types are defined for jabberd_router:
-+
-+
-+.EX
-+.PP
-+.B jabberd_router_exec_t
-+.EE
-+
-+- Set files with the jabberd_router_exec_t type, if you want to transition an executable to the jabberd_router_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type jabberd_router_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B jabberd_var_lib_t
-+
-+ /var/lib/jabberd(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), jabberd_router(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, jabberd_selinux(8), jabberd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/jabberd_selinux.8 b/man/man8/jabberd_selinux.8
-new file mode 100644
-index 0000000..520a42b
---- /dev/null
-+++ b/man/man8/jabberd_selinux.8
-@@ -0,0 +1,169 @@
-+.TH "jabberd_selinux" "8" "12-11-01" "jabberd" "SELinux Policy documentation for jabberd"
-+.SH "NAME"
-+jabberd_selinux \- Security Enhanced Linux Policy for the jabberd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the jabberd processes via flexible mandatory access control.
-+
-+The jabberd processes execute with the jabberd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep jabberd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The jabberd_t SELinux type can be entered via the "jabberd_exec_t" file type. The default entrypoint paths for the jabberd_t domain are the following:"
-+
-+/usr/bin/sm, /usr/bin/s2s
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux jabberd policy is very flexible allowing users to setup their jabberd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for jabberd:
-+
-+.EX
-+.B jabberd_router_t, jabberd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux jabberd policy is very flexible allowing users to setup their jabberd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for jabberd:
-+
-+
-+.EX
-+.PP
-+.B jabberd_exec_t
-+.EE
-+
-+- Set files with the jabberd_exec_t type, if you want to transition an executable to the jabberd_t domain.
-+
-+
-+.EX
-+.PP
-+.B jabberd_initrc_exec_t
-+.EE
-+
-+- Set files with the jabberd_initrc_exec_t type, if you want to transition an executable to the jabberd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B jabberd_router_exec_t
-+.EE
-+
-+- Set files with the jabberd_router_exec_t type, if you want to transition an executable to the jabberd_router_t domain.
-+
-+
-+.EX
-+.PP
-+.B jabberd_var_lib_t
-+.EE
-+
-+- Set files with the jabberd_var_lib_t type, if you want to store the jabberd files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux jabberd policy is very flexible allowing users to setup their jabberd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for jabberd:
-+
-+.EX
-+.TP 5
-+.B jabber_client_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 5222,5223
-+.EE
-+
-+.EX
-+.TP 5
-+.B jabber_interserver_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 5269
-+.EE
-+
-+.EX
-+.TP 5
-+.B jabber_router_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 5347
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type jabberd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B jabberd_var_lib_t
-+
-+ /var/lib/jabberd(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), jabberd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, jabberd_router_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/jockey_selinux.8 b/man/man8/jockey_selinux.8
-new file mode 100644
-index 0000000..2615dc1
---- /dev/null
-+++ b/man/man8/jockey_selinux.8
-@@ -0,0 +1,120 @@
-+.TH "jockey_selinux" "8" "12-11-01" "jockey" "SELinux Policy documentation for jockey"
-+.SH "NAME"
-+jockey_selinux \- Security Enhanced Linux Policy for the jockey processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the jockey processes via flexible mandatory access control.
-+
-+The jockey processes execute with the jockey_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep jockey_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The jockey_t SELinux type can be entered via the "jockey_exec_t" file type. The default entrypoint paths for the jockey_t domain are the following:"
-+
-+/usr/share/jockey/jockey-backend
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux jockey policy is very flexible allowing users to setup their jockey processes in as secure a method as possible.
-+.PP
-+The following process types are defined for jockey:
-+
-+.EX
-+.B jockey_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux jockey policy is very flexible allowing users to setup their jockey processes in as secure a method as possible.
-+.PP
-+The following file types are defined for jockey:
-+
-+
-+.EX
-+.PP
-+.B jockey_cache_t
-+.EE
-+
-+- Set files with the jockey_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B jockey_exec_t
-+.EE
-+
-+- Set files with the jockey_exec_t type, if you want to transition an executable to the jockey_t domain.
-+
-+
-+.EX
-+.PP
-+.B jockey_var_log_t
-+.EE
-+
-+- Set files with the jockey_var_log_t type, if you want to treat the data as jockey var log data, usually stored under the /var/log directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type jockey_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B jockey_cache_t
-+
-+ /var/cache/jockey(/.*)?
-+.br
-+
-+.br
-+.B jockey_var_log_t
-+
-+ /var/log/jockey(/.*)?
-+.br
-+ /var/log/jockey\.log.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), jockey(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/kadmind_selinux.8 b/man/man8/kadmind_selinux.8
-new file mode 100644
-index 0000000..f4e852a
---- /dev/null
-+++ b/man/man8/kadmind_selinux.8
-@@ -0,0 +1,162 @@
-+.TH "kadmind_selinux" "8" "12-11-01" "kadmind" "SELinux Policy documentation for kadmind"
-+.SH "NAME"
-+kadmind_selinux \- Security Enhanced Linux Policy for the kadmind processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the kadmind processes via flexible mandatory access control.
-+
-+The kadmind processes execute with the kadmind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep kadmind_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The kadmind_t SELinux type can be entered via the "kadmind_exec_t" file type. The default entrypoint paths for the kadmind_t domain are the following:"
-+
-+/usr/(kerberos/)?sbin/kadmind, /usr/kerberos/sbin/kadmin\.local
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux kadmind policy is very flexible allowing users to setup their kadmind processes in as secure a method as possible.
-+.PP
-+The following process types are defined for kadmind:
-+
-+.EX
-+.B kadmind_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux kadmind policy is very flexible allowing users to setup their kadmind processes in as secure a method as possible.
-+.PP
-+The following file types are defined for kadmind:
-+
-+
-+.EX
-+.PP
-+.B kadmind_exec_t
-+.EE
-+
-+- Set files with the kadmind_exec_t type, if you want to transition an executable to the kadmind_t domain.
-+
-+
-+.EX
-+.PP
-+.B kadmind_log_t
-+.EE
-+
-+- Set files with the kadmind_log_t type, if you want to treat the data as kadmind log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B kadmind_tmp_t
-+.EE
-+
-+- Set files with the kadmind_tmp_t type, if you want to store kadmind temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B kadmind_var_run_t
-+.EE
-+
-+- Set files with the kadmind_var_run_t type, if you want to store the kadmind files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type kadmind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B kadmind_log_t
-+
-+ /var/log/kadmin(d)?\.log.*
-+.br
-+
-+.br
-+.B kadmind_tmp_t
-+
-+
-+.br
-+.B kadmind_var_run_t
-+
-+
-+.br
-+.B krb5kdc_conf_t
-+
-+ /etc/krb5kdc(/.*)?
-+.br
-+ /usr/var/krb5kdc(/.*)?
-+.br
-+ /var/kerberos/krb5kdc(/.*)?
-+.br
-+
-+.br
-+.B krb5kdc_lock_t
-+
-+ /var/kerberos/krb5kdc/principal.*\.ok
-+.br
-+ /var/kerberos/krb5kdc/from_master.*
-+.br
-+
-+.br
-+.B krb5kdc_principal_t
-+
-+ /etc/krb5kdc/principal.*
-+.br
-+ /usr/var/krb5kdc/principal.*
-+.br
-+ /var/kerberos/krb5kdc/principal.*
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), kadmind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/kdump_selinux.8 b/man/man8/kdump_selinux.8
-new file mode 100644
-index 0000000..5b31590
---- /dev/null
-+++ b/man/man8/kdump_selinux.8
-@@ -0,0 +1,157 @@
-+.TH "kdump_selinux" "8" "12-11-01" "kdump" "SELinux Policy documentation for kdump"
-+.SH "NAME"
-+kdump_selinux \- Security Enhanced Linux Policy for the kdump processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the kdump processes via flexible mandatory access control.
-+
-+The kdump processes execute with the kdump_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep kdump_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The kdump_t SELinux type can be entered via the "kdump_exec_t" file type. The default entrypoint paths for the kdump_t domain are the following:"
-+
-+/sbin/kdump, /sbin/kexec, /usr/sbin/kdump, /usr/sbin/kexec
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux kdump policy is very flexible allowing users to setup their kdump processes in as secure a method as possible.
-+.PP
-+The following process types are defined for kdump:
-+
-+.EX
-+.B kdumpgui_t, kdumpctl_t, kdump_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux kdump policy is very flexible allowing users to setup their kdump processes in as secure a method as possible.
-+.PP
-+The following file types are defined for kdump:
-+
-+
-+.EX
-+.PP
-+.B kdump_etc_t
-+.EE
-+
-+- Set files with the kdump_etc_t type, if you want to store kdump files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B kdump_exec_t
-+.EE
-+
-+- Set files with the kdump_exec_t type, if you want to transition an executable to the kdump_t domain.
-+
-+
-+.EX
-+.PP
-+.B kdump_initrc_exec_t
-+.EE
-+
-+- Set files with the kdump_initrc_exec_t type, if you want to transition an executable to the kdump_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B kdump_unit_file_t
-+.EE
-+
-+- Set files with the kdump_unit_file_t type, if you want to treat the files as kdump unit content.
-+
-+
-+.EX
-+.PP
-+.B kdumpctl_exec_t
-+.EE
-+
-+- Set files with the kdumpctl_exec_t type, if you want to transition an executable to the kdumpctl_t domain.
-+
-+
-+.EX
-+.PP
-+.B kdumpctl_tmp_t
-+.EE
-+
-+- Set files with the kdumpctl_tmp_t type, if you want to store kdumpctl temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B kdumpgui_exec_t
-+.EE
-+
-+- Set files with the kdumpgui_exec_t type, if you want to transition an executable to the kdumpgui_t domain.
-+
-+
-+.EX
-+.PP
-+.B kdumpgui_tmp_t
-+.EE
-+
-+- Set files with the kdumpgui_tmp_t type, if you want to store kdumpgui temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), kdump(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, kdumpctl_selinux(8), kdumpgui_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/kdumpctl_selinux.8 b/man/man8/kdumpctl_selinux.8
-new file mode 100644
-index 0000000..64c0c6f
---- /dev/null
-+++ b/man/man8/kdumpctl_selinux.8
-@@ -0,0 +1,169 @@
-+.TH "kdumpctl_selinux" "8" "12-11-01" "kdumpctl" "SELinux Policy documentation for kdumpctl"
-+.SH "NAME"
-+kdumpctl_selinux \- Security Enhanced Linux Policy for the kdumpctl processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the kdumpctl processes via flexible mandatory access control.
-+
-+The kdumpctl processes execute with the kdumpctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep kdumpctl_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The kdumpctl_t SELinux type can be entered via the "kdumpctl_exec_t" file type. The default entrypoint paths for the kdumpctl_t domain are the following:"
-+
-+/usr/bin/kdumpctl
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux kdumpctl policy is very flexible allowing users to setup their kdumpctl processes in as secure a method as possible.
-+.PP
-+The following process types are defined for kdumpctl:
-+
-+.EX
-+.B kdumpctl_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux kdumpctl policy is very flexible allowing users to setup their kdumpctl processes in as secure a method as possible.
-+.PP
-+The following file types are defined for kdumpctl:
-+
-+
-+.EX
-+.PP
-+.B kdumpctl_exec_t
-+.EE
-+
-+- Set files with the kdumpctl_exec_t type, if you want to transition an executable to the kdumpctl_t domain.
-+
-+
-+.EX
-+.PP
-+.B kdumpctl_tmp_t
-+.EE
-+
-+- Set files with the kdumpctl_tmp_t type, if you want to store kdumpctl temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type kdumpctl_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B boot_t
-+
-+ /boot/.*
-+.br
-+ /vmlinuz.*
-+.br
-+ /initrd\.img.*
-+.br
-+ /boot
-+.br
-+
-+.br
-+.B kdumpctl_tmp_t
-+
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B var_log_t
-+
-+ /var/log/.*
-+.br
-+ /nsr/logs(/.*)?
-+.br
-+ /var/webmin(/.*)?
-+.br
-+ /var/log/cron[^/]*
-+.br
-+ /var/log/secure[^/]*
-+.br
-+ /opt/zimbra/log(/.*)?
-+.br
-+ /var/log/maillog[^/]*
-+.br
-+ /var/log/spooler[^/]*
-+.br
-+ /var/log/messages[^/]*
-+.br
-+ /usr/centreon/log(/.*)?
-+.br
-+ /var/spool/rsyslog(/.*)?
-+.br
-+ /var/axfrdns/log/main(/.*)?
-+.br
-+ /var/spool/bacula/log(/.*)?
-+.br
-+ /var/tinydns/log/main(/.*)?
-+.br
-+ /var/dnscache/log/main(/.*)?
-+.br
-+ /var/stockmaniac/templates_cache(/.*)?
-+.br
-+ /opt/Symantec/scspagent/IDS/system(/.*)?
-+.br
-+ /var/log
-+.br
-+ /var/log/dmesg
-+.br
-+ /var/log/syslog
-+.br
-+ /var/named/chroot/var/log
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), kdumpctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, kdump_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/kdumpgui_selinux.8 b/man/man8/kdumpgui_selinux.8
-new file mode 100644
-index 0000000..cdb1f42
---- /dev/null
-+++ b/man/man8/kdumpgui_selinux.8
-@@ -0,0 +1,197 @@
-+.TH "kdumpgui_selinux" "8" "12-11-01" "kdumpgui" "SELinux Policy documentation for kdumpgui"
-+.SH "NAME"
-+kdumpgui_selinux \- Security Enhanced Linux Policy for the kdumpgui processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the kdumpgui processes via flexible mandatory access control.
-+
-+The kdumpgui processes execute with the kdumpgui_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep kdumpgui_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The kdumpgui_t SELinux type can be entered via the "kdumpgui_exec_t" file type. The default entrypoint paths for the kdumpgui_t domain are the following:"
-+
-+/usr/share/system-config-kdump/system-config-kdump-backend\.py
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux kdumpgui policy is very flexible allowing users to setup their kdumpgui processes in as secure a method as possible.
-+.PP
-+The following process types are defined for kdumpgui:
-+
-+.EX
-+.B kdumpgui_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux kdumpgui policy is very flexible allowing users to setup their kdumpgui processes in as secure a method as possible.
-+.PP
-+The following file types are defined for kdumpgui:
-+
-+
-+.EX
-+.PP
-+.B kdumpgui_exec_t
-+.EE
-+
-+- Set files with the kdumpgui_exec_t type, if you want to transition an executable to the kdumpgui_t domain.
-+
-+
-+.EX
-+.PP
-+.B kdumpgui_tmp_t
-+.EE
-+
-+- Set files with the kdumpgui_tmp_t type, if you want to store kdumpgui temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type kdumpgui_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B boot_t
-+
-+ /boot/.*
-+.br
-+ /vmlinuz.*
-+.br
-+ /initrd\.img.*
-+.br
-+ /boot
-+.br
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B kdump_etc_t
-+
-+ /etc/kdump\.conf
-+.br
-+
-+.br
-+.B kdumpgui_tmp_t
-+
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), kdumpgui(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, kdump_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8
-deleted file mode 100644
-index a8f81c8..0000000
---- a/man/man8/kerberos_selinux.8
-+++ /dev/null
-@@ -1,28 +0,0 @@
--.TH "kerberos_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
--.de EX
--.nf
--.ft CW
--..
--.de EE
--.ft R
--.fi
--..
--.SH "NAME"
--kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
--.SH "DESCRIPTION"
--
--Security-Enhanced Linux secures the system via flexible mandatory access
--control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
--.SH BOOLEANS
--.PP
--You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
--.EX
--setsebool -P allow_kerberos 1
--.EE
--.PP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
--This manual page was written by Dan Walsh .
--
--.SH "SEE ALSO"
--selinux(8), kerberos(1), chcon(1), setsebool(8)
-diff --git a/man/man8/keyboardd_selinux.8 b/man/man8/keyboardd_selinux.8
-new file mode 100644
-index 0000000..d16fc27
---- /dev/null
-+++ b/man/man8/keyboardd_selinux.8
-@@ -0,0 +1,144 @@
-+.TH "keyboardd_selinux" "8" "12-11-01" "keyboardd" "SELinux Policy documentation for keyboardd"
-+.SH "NAME"
-+keyboardd_selinux \- Security Enhanced Linux Policy for the keyboardd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the keyboardd processes via flexible mandatory access control.
-+
-+The keyboardd processes execute with the keyboardd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep keyboardd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The keyboardd_t SELinux type can be entered via the "keyboardd_exec_t" file type. The default entrypoint paths for the keyboardd_t domain are the following:"
-+
-+/usr/bin/system-setup-keyboard
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux keyboardd policy is very flexible allowing users to setup their keyboardd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for keyboardd:
-+
-+.EX
-+.B keyboardd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux keyboardd policy is very flexible allowing users to setup their keyboardd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for keyboardd:
-+
-+
-+.EX
-+.PP
-+.B keyboardd_exec_t
-+.EE
-+
-+- Set files with the keyboardd_exec_t type, if you want to transition an executable to the keyboardd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type keyboardd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), keyboardd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/keystone_selinux.8 b/man/man8/keystone_selinux.8
-new file mode 100644
-index 0000000..92a2ad3
---- /dev/null
-+++ b/man/man8/keystone_selinux.8
-@@ -0,0 +1,242 @@
-+.TH "keystone_selinux" "8" "12-11-01" "keystone" "SELinux Policy documentation for keystone"
-+.SH "NAME"
-+keystone_selinux \- Security Enhanced Linux Policy for the keystone processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the keystone processes via flexible mandatory access control.
-+
-+The keystone processes execute with the keystone_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep keystone_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The keystone_t SELinux type can be entered via the "keystone_exec_t" file type. The default entrypoint paths for the keystone_t domain are the following:"
-+
-+/usr/bin/keystone-all
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible.
-+.PP
-+The following process types are defined for keystone:
-+
-+.EX
-+.B keystone_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible.
-+.PP
-+The following file types are defined for keystone:
-+
-+
-+.EX
-+.PP
-+.B keystone_exec_t
-+.EE
-+
-+- Set files with the keystone_exec_t type, if you want to transition an executable to the keystone_t domain.
-+
-+
-+.EX
-+.PP
-+.B keystone_log_t
-+.EE
-+
-+- Set files with the keystone_log_t type, if you want to treat the data as keystone log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B keystone_tmp_t
-+.EE
-+
-+- Set files with the keystone_tmp_t type, if you want to store keystone temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B keystone_unit_file_t
-+.EE
-+
-+- Set files with the keystone_unit_file_t type, if you want to treat the files as keystone unit content.
-+
-+
-+.EX
-+.PP
-+.B keystone_var_lib_t
-+.EE
-+
-+- Set files with the keystone_var_lib_t type, if you want to store the keystone files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible.
-+.PP
-+The following port types are defined for keystone:
-+
-+.EX
-+.TP 5
-+.B keystone_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 5000
-+.EE
-+udp 5000
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type keystone_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B keystone_log_t
-+
-+ /var/log/keystone(/.*)?
-+.br
-+
-+.br
-+.B keystone_tmp_t
-+
-+
-+.br
-+.B keystone_var_lib_t
-+
-+ /var/lib/keystone(/.*)?
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the keystone_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the keystone_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), keystone(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/kismet_selinux.8 b/man/man8/kismet_selinux.8
-new file mode 100644
-index 0000000..74f62b3
---- /dev/null
-+++ b/man/man8/kismet_selinux.8
-@@ -0,0 +1,188 @@
-+.TH "kismet_selinux" "8" "12-11-01" "kismet" "SELinux Policy documentation for kismet"
-+.SH "NAME"
-+kismet_selinux \- Security Enhanced Linux Policy for the kismet processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the kismet processes via flexible mandatory access control.
-+
-+The kismet processes execute with the kismet_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep kismet_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The kismet_t SELinux type can be entered via the "kismet_exec_t" file type. The default entrypoint paths for the kismet_t domain are the following:"
-+
-+/usr/bin/kismet
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux kismet policy is very flexible allowing users to setup their kismet processes in as secure a method as possible.
-+.PP
-+The following process types are defined for kismet:
-+
-+.EX
-+.B kismet_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux kismet policy is very flexible allowing users to setup their kismet processes in as secure a method as possible.
-+.PP
-+The following file types are defined for kismet:
-+
-+
-+.EX
-+.PP
-+.B kismet_exec_t
-+.EE
-+
-+- Set files with the kismet_exec_t type, if you want to transition an executable to the kismet_t domain.
-+
-+
-+.EX
-+.PP
-+.B kismet_home_t
-+.EE
-+
-+- Set files with the kismet_home_t type, if you want to store kismet files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B kismet_log_t
-+.EE
-+
-+- Set files with the kismet_log_t type, if you want to treat the data as kismet log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B kismet_tmp_t
-+.EE
-+
-+- Set files with the kismet_tmp_t type, if you want to store kismet temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B kismet_tmpfs_t
-+.EE
-+
-+- Set files with the kismet_tmpfs_t type, if you want to store kismet files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B kismet_var_lib_t
-+.EE
-+
-+- Set files with the kismet_var_lib_t type, if you want to store the kismet files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B kismet_var_run_t
-+.EE
-+
-+- Set files with the kismet_var_run_t type, if you want to store the kismet files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type kismet_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B kismet_home_t
-+
-+ /home/[^/]*/\.kismet(/.*)?
-+.br
-+ /home/dwalsh/\.kismet(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.kismet(/.*)?
-+.br
-+
-+.br
-+.B kismet_log_t
-+
-+ /var/log/kismet(/.*)?
-+.br
-+
-+.br
-+.B kismet_tmp_t
-+
-+
-+.br
-+.B kismet_tmpfs_t
-+
-+
-+.br
-+.B kismet_var_lib_t
-+
-+ /var/lib/kismet(/.*)?
-+.br
-+
-+.br
-+.B kismet_var_run_t
-+
-+ /var/run/kismet_server.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kismet_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the kismet_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), kismet(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/klogd_selinux.8 b/man/man8/klogd_selinux.8
-new file mode 100644
-index 0000000..729c100
---- /dev/null
-+++ b/man/man8/klogd_selinux.8
-@@ -0,0 +1,116 @@
-+.TH "klogd_selinux" "8" "12-11-01" "klogd" "SELinux Policy documentation for klogd"
-+.SH "NAME"
-+klogd_selinux \- Security Enhanced Linux Policy for the klogd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the klogd processes via flexible mandatory access control.
-+
-+The klogd processes execute with the klogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep klogd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The klogd_t SELinux type can be entered via the "klogd_exec_t" file type. The default entrypoint paths for the klogd_t domain are the following:"
-+
-+/sbin/klogd, /sbin/rklogd, /usr/sbin/klogd, /usr/sbin/rklogd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux klogd policy is very flexible allowing users to setup their klogd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for klogd:
-+
-+.EX
-+.B klogd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux klogd policy is very flexible allowing users to setup their klogd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for klogd:
-+
-+
-+.EX
-+.PP
-+.B klogd_exec_t
-+.EE
-+
-+- Set files with the klogd_exec_t type, if you want to transition an executable to the klogd_t domain.
-+
-+
-+.EX
-+.PP
-+.B klogd_tmp_t
-+.EE
-+
-+- Set files with the klogd_tmp_t type, if you want to store klogd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B klogd_var_run_t
-+.EE
-+
-+- Set files with the klogd_var_run_t type, if you want to store the klogd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type klogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B klogd_tmp_t
-+
-+
-+.br
-+.B klogd_var_run_t
-+
-+ /var/run/klogd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), klogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/kpropd_selinux.8 b/man/man8/kpropd_selinux.8
-new file mode 100644
-index 0000000..37b1a4f
---- /dev/null
-+++ b/man/man8/kpropd_selinux.8
-@@ -0,0 +1,168 @@
-+.TH "kpropd_selinux" "8" "12-11-01" "kpropd" "SELinux Policy documentation for kpropd"
-+.SH "NAME"
-+kpropd_selinux \- Security Enhanced Linux Policy for the kpropd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the kpropd processes via flexible mandatory access control.
-+
-+The kpropd processes execute with the kpropd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep kpropd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The kpropd_t SELinux type can be entered via the "kpropd_exec_t" file type. The default entrypoint paths for the kpropd_t domain are the following:"
-+
-+/usr/sbin/kpropd, /usr/kerberos/sbin/kpropd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux kpropd policy is very flexible allowing users to setup their kpropd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for kpropd:
-+
-+.EX
-+.B kpropd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux kpropd policy is very flexible allowing users to setup their kpropd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for kpropd:
-+
-+
-+.EX
-+.PP
-+.B kpropd_exec_t
-+.EE
-+
-+- Set files with the kpropd_exec_t type, if you want to transition an executable to the kpropd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux kpropd policy is very flexible allowing users to setup their kpropd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for kpropd:
-+
-+.EX
-+.TP 5
-+.B kprop_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 754
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type kpropd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B krb5kdc_lock_t
-+
-+ /var/kerberos/krb5kdc/principal.*\.ok
-+.br
-+ /var/kerberos/krb5kdc/from_master.*
-+.br
-+
-+.br
-+.B krb5kdc_principal_t
-+
-+ /etc/krb5kdc/principal.*
-+.br
-+ /usr/var/krb5kdc/principal.*
-+.br
-+ /var/kerberos/krb5kdc/principal.*
-+.br
-+
-+.br
-+.B krb5kdc_tmp_t
-+
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), kpropd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/krb5kdc_selinux.8 b/man/man8/krb5kdc_selinux.8
-new file mode 100644
-index 0000000..5b1f8f4
---- /dev/null
-+++ b/man/man8/krb5kdc_selinux.8
-@@ -0,0 +1,176 @@
-+.TH "krb5kdc_selinux" "8" "12-11-01" "krb5kdc" "SELinux Policy documentation for krb5kdc"
-+.SH "NAME"
-+krb5kdc_selinux \- Security Enhanced Linux Policy for the krb5kdc processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the krb5kdc processes via flexible mandatory access control.
-+
-+The krb5kdc processes execute with the krb5kdc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep krb5kdc_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The krb5kdc_t SELinux type can be entered via the "krb5kdc_exec_t" file type. The default entrypoint paths for the krb5kdc_t domain are the following:"
-+
-+/usr/(kerberos/)?sbin/krb5kdc
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux krb5kdc policy is very flexible allowing users to setup their krb5kdc processes in as secure a method as possible.
-+.PP
-+The following process types are defined for krb5kdc:
-+
-+.EX
-+.B krb5kdc_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux krb5kdc policy is very flexible allowing users to setup their krb5kdc processes in as secure a method as possible.
-+.PP
-+The following file types are defined for krb5kdc:
-+
-+
-+.EX
-+.PP
-+.B krb5kdc_conf_t
-+.EE
-+
-+- Set files with the krb5kdc_conf_t type, if you want to treat the files as krb5kdc configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B krb5kdc_exec_t
-+.EE
-+
-+- Set files with the krb5kdc_exec_t type, if you want to transition an executable to the krb5kdc_t domain.
-+
-+
-+.EX
-+.PP
-+.B krb5kdc_lock_t
-+.EE
-+
-+- Set files with the krb5kdc_lock_t type, if you want to treat the files as krb5kdc lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B krb5kdc_log_t
-+.EE
-+
-+- Set files with the krb5kdc_log_t type, if you want to treat the data as krb5kdc log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B krb5kdc_principal_t
-+.EE
-+
-+- Set files with the krb5kdc_principal_t type, if you want to treat the files as krb5kdc principal data.
-+
-+
-+.EX
-+.PP
-+.B krb5kdc_tmp_t
-+.EE
-+
-+- Set files with the krb5kdc_tmp_t type, if you want to store krb5kdc temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B krb5kdc_var_run_t
-+.EE
-+
-+- Set files with the krb5kdc_var_run_t type, if you want to store the krb5kdc files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type krb5kdc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B krb5kdc_lock_t
-+
-+ /var/kerberos/krb5kdc/principal.*\.ok
-+.br
-+ /var/kerberos/krb5kdc/from_master.*
-+.br
-+
-+.br
-+.B krb5kdc_log_t
-+
-+ /var/log/krb5kdc\.log.*
-+.br
-+
-+.br
-+.B krb5kdc_principal_t
-+
-+ /etc/krb5kdc/principal.*
-+.br
-+ /usr/var/krb5kdc/principal.*
-+.br
-+ /var/kerberos/krb5kdc/principal.*
-+.br
-+
-+.br
-+.B krb5kdc_tmp_t
-+
-+
-+.br
-+.B krb5kdc_var_run_t
-+
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), krb5kdc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ksmtuned_selinux.8 b/man/man8/ksmtuned_selinux.8
-new file mode 100644
-index 0000000..dba373c
---- /dev/null
-+++ b/man/man8/ksmtuned_selinux.8
-@@ -0,0 +1,146 @@
-+.TH "ksmtuned_selinux" "8" "12-11-01" "ksmtuned" "SELinux Policy documentation for ksmtuned"
-+.SH "NAME"
-+ksmtuned_selinux \- Security Enhanced Linux Policy for the ksmtuned processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ksmtuned processes via flexible mandatory access control.
-+
-+The ksmtuned processes execute with the ksmtuned_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ksmtuned_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ksmtuned_t SELinux type can be entered via the "ksmtuned_exec_t" file type. The default entrypoint paths for the ksmtuned_t domain are the following:"
-+
-+/usr/sbin/ksmtuned
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ksmtuned policy is very flexible allowing users to setup their ksmtuned processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ksmtuned:
-+
-+.EX
-+.B ksmtuned_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ksmtuned policy is very flexible allowing users to setup their ksmtuned processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ksmtuned:
-+
-+
-+.EX
-+.PP
-+.B ksmtuned_exec_t
-+.EE
-+
-+- Set files with the ksmtuned_exec_t type, if you want to transition an executable to the ksmtuned_t domain.
-+
-+
-+.EX
-+.PP
-+.B ksmtuned_initrc_exec_t
-+.EE
-+
-+- Set files with the ksmtuned_initrc_exec_t type, if you want to transition an executable to the ksmtuned_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B ksmtuned_log_t
-+.EE
-+
-+- Set files with the ksmtuned_log_t type, if you want to treat the data as ksmtuned log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B ksmtuned_var_run_t
-+.EE
-+
-+- Set files with the ksmtuned_var_run_t type, if you want to store the ksmtuned files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ksmtuned_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ksmtuned_log_t
-+
-+ /var/log/ksmtuned.*
-+.br
-+
-+.br
-+.B ksmtuned_var_run_t
-+
-+ /var/run/ksmtune\.pid
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ksmtuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ksmtuned_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ksmtuned(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ktalkd_selinux.8 b/man/man8/ktalkd_selinux.8
-new file mode 100644
-index 0000000..090a1a6
---- /dev/null
-+++ b/man/man8/ktalkd_selinux.8
-@@ -0,0 +1,168 @@
-+.TH "ktalkd_selinux" "8" "12-11-01" "ktalkd" "SELinux Policy documentation for ktalkd"
-+.SH "NAME"
-+ktalkd_selinux \- Security Enhanced Linux Policy for the ktalkd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ktalkd processes via flexible mandatory access control.
-+
-+The ktalkd processes execute with the ktalkd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ktalkd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ktalkd_t SELinux type can be entered via the "ktalkd_exec_t" file type. The default entrypoint paths for the ktalkd_t domain are the following:"
-+
-+/usr/bin/ktalkd, /usr/sbin/in\.talkd, /usr/sbin/in\.ntalkd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ktalkd policy is very flexible allowing users to setup their ktalkd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ktalkd:
-+
-+.EX
-+.B ktalkd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ktalkd policy is very flexible allowing users to setup their ktalkd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ktalkd:
-+
-+
-+.EX
-+.PP
-+.B ktalkd_exec_t
-+.EE
-+
-+- Set files with the ktalkd_exec_t type, if you want to transition an executable to the ktalkd_t domain.
-+
-+
-+.EX
-+.PP
-+.B ktalkd_log_t
-+.EE
-+
-+- Set files with the ktalkd_log_t type, if you want to treat the data as ktalkd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B ktalkd_tmp_t
-+.EE
-+
-+- Set files with the ktalkd_tmp_t type, if you want to store ktalkd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B ktalkd_var_run_t
-+.EE
-+
-+- Set files with the ktalkd_var_run_t type, if you want to store the ktalkd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux ktalkd policy is very flexible allowing users to setup their ktalkd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for ktalkd:
-+
-+.EX
-+.TP 5
-+.B ktalkd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 517,518
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ktalkd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ktalkd_log_t
-+
-+ /var/log/talkd.*
-+.br
-+
-+.br
-+.B ktalkd_tmp_t
-+
-+
-+.br
-+.B ktalkd_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ktalkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ktalkd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ktalkd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/l2tpd_selinux.8 b/man/man8/l2tpd_selinux.8
-new file mode 100644
-index 0000000..d28edaa
---- /dev/null
-+++ b/man/man8/l2tpd_selinux.8
-@@ -0,0 +1,158 @@
-+.TH "l2tpd_selinux" "8" "12-11-01" "l2tpd" "SELinux Policy documentation for l2tpd"
-+.SH "NAME"
-+l2tpd_selinux \- Security Enhanced Linux Policy for the l2tpd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the l2tpd processes via flexible mandatory access control.
-+
-+The l2tpd processes execute with the l2tpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep l2tpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The l2tpd_t SELinux type can be entered via the "l2tpd_exec_t" file type. The default entrypoint paths for the l2tpd_t domain are the following:"
-+
-+/usr/sbin/xl2tpd, /usr/sbin/prol2tpd, /usr/sbin/openl2tpd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for l2tpd:
-+
-+.EX
-+.B l2tpd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for l2tpd:
-+
-+
-+.EX
-+.PP
-+.B l2tpd_exec_t
-+.EE
-+
-+- Set files with the l2tpd_exec_t type, if you want to transition an executable to the l2tpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B l2tpd_initrc_exec_t
-+.EE
-+
-+- Set files with the l2tpd_initrc_exec_t type, if you want to transition an executable to the l2tpd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B l2tpd_tmp_t
-+.EE
-+
-+- Set files with the l2tpd_tmp_t type, if you want to store l2tpd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B l2tpd_var_run_t
-+.EE
-+
-+- Set files with the l2tpd_var_run_t type, if you want to store the l2tpd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for l2tpd:
-+
-+.EX
-+.TP 5
-+.B l2tp_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 1701
-+.EE
-+udp 1701
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type l2tpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B l2tpd_var_run_t
-+
-+ /var/run/xl2tpd(/.*)?
-+.br
-+ /var/run/prol2tpd(/.*)?
-+.br
-+ /var/run/xl2tpd\.pid
-+.br
-+ /var/run/prol2tpd\.ctl
-+.br
-+ /var/run/prol2tpd\.pid
-+.br
-+ /var/run/openl2tpd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), l2tpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ldconfig_selinux.8 b/man/man8/ldconfig_selinux.8
-new file mode 100644
-index 0000000..ff3b691
---- /dev/null
-+++ b/man/man8/ldconfig_selinux.8
-@@ -0,0 +1,158 @@
-+.TH "ldconfig_selinux" "8" "12-11-01" "ldconfig" "SELinux Policy documentation for ldconfig"
-+.SH "NAME"
-+ldconfig_selinux \- Security Enhanced Linux Policy for the ldconfig processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ldconfig processes via flexible mandatory access control.
-+
-+The ldconfig processes execute with the ldconfig_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ldconfig_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ldconfig_t SELinux type can be entered via the "ldconfig_exec_t" file type. The default entrypoint paths for the ldconfig_t domain are the following:"
-+
-+/sbin/ldconfig, /usr/sbin/ldconfig
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ldconfig policy is very flexible allowing users to setup their ldconfig processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ldconfig:
-+
-+.EX
-+.B ldconfig_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ldconfig policy is very flexible allowing users to setup their ldconfig processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ldconfig:
-+
-+
-+.EX
-+.PP
-+.B ldconfig_cache_t
-+.EE
-+
-+- Set files with the ldconfig_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B ldconfig_exec_t
-+.EE
-+
-+- Set files with the ldconfig_exec_t type, if you want to transition an executable to the ldconfig_t domain.
-+
-+
-+.EX
-+.PP
-+.B ldconfig_tmp_t
-+.EE
-+
-+- Set files with the ldconfig_tmp_t type, if you want to store ldconfig temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ldconfig_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B kdumpctl_tmp_t
-+
-+
-+.br
-+.B ld_so_cache_t
-+
-+ /etc/ld\.so\.cache
-+.br
-+ /etc/ld\.so\.cache~
-+.br
-+ /etc/ld\.so\.preload
-+.br
-+ /etc/ld\.so\.preload~
-+.br
-+
-+.br
-+.B ldconfig_cache_t
-+
-+ /var/cache/ldconfig(/.*)?
-+.br
-+
-+.br
-+.B ldconfig_tmp_t
-+
-+
-+.br
-+.B rpm_script_tmp_t
-+
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ldconfig(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/libvirt_selinux.8 b/man/man8/libvirt_selinux.8
-new file mode 100644
-index 0000000..ee560da
---- /dev/null
-+++ b/man/man8/libvirt_selinux.8
-@@ -0,0 +1 @@
-+.so man8/virtd_selinux.8
-\ No newline at end of file
-diff --git a/man/man8/lircd_selinux.8 b/man/man8/lircd_selinux.8
-new file mode 100644
-index 0000000..4f9932c
---- /dev/null
-+++ b/man/man8/lircd_selinux.8
-@@ -0,0 +1,160 @@
-+.TH "lircd_selinux" "8" "12-11-01" "lircd" "SELinux Policy documentation for lircd"
-+.SH "NAME"
-+lircd_selinux \- Security Enhanced Linux Policy for the lircd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the lircd processes via flexible mandatory access control.
-+
-+The lircd processes execute with the lircd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep lircd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The lircd_t SELinux type can be entered via the "lircd_exec_t" file type. The default entrypoint paths for the lircd_t domain are the following:"
-+
-+/usr/sbin/lircd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux lircd policy is very flexible allowing users to setup their lircd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for lircd:
-+
-+.EX
-+.B lircd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux lircd policy is very flexible allowing users to setup their lircd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for lircd:
-+
-+
-+.EX
-+.PP
-+.B lircd_etc_t
-+.EE
-+
-+- Set files with the lircd_etc_t type, if you want to store lircd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B lircd_exec_t
-+.EE
-+
-+- Set files with the lircd_exec_t type, if you want to transition an executable to the lircd_t domain.
-+
-+
-+.EX
-+.PP
-+.B lircd_initrc_exec_t
-+.EE
-+
-+- Set files with the lircd_initrc_exec_t type, if you want to transition an executable to the lircd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B lircd_var_run_t
-+.EE
-+
-+- Set files with the lircd_var_run_t type, if you want to store the lircd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux lircd policy is very flexible allowing users to setup their lircd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for lircd:
-+
-+.EX
-+.TP 5
-+.B lirc_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 8765
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type lircd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B lircd_var_run_t
-+
-+ /var/run/lirc(/.*)?
-+.br
-+ /var/run/lircd(/.*)?
-+.br
-+ /var/run/lircd\.pid
-+.br
-+
-+.br
-+.B var_lock_t
-+
-+ /var/lock(/.*)?
-+.br
-+ /run/lock(/.*)?
-+.br
-+ /var/lock
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), lircd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/livecd_selinux.8 b/man/man8/livecd_selinux.8
-new file mode 100644
-index 0000000..d7d48dd
---- /dev/null
-+++ b/man/man8/livecd_selinux.8
-@@ -0,0 +1,104 @@
-+.TH "livecd_selinux" "8" "12-11-01" "livecd" "SELinux Policy documentation for livecd"
-+.SH "NAME"
-+livecd_selinux \- Security Enhanced Linux Policy for the livecd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the livecd processes via flexible mandatory access control.
-+
-+The livecd processes execute with the livecd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep livecd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The livecd_t SELinux type can be entered via the "filesystem_type,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type,livecd_exec_t" file types. The default entrypoint paths for the livecd_t domain are the following:"
-+
-+/dev/cpu/mtrr, all files on the system, /usr/bin/livecd-creator
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux livecd policy is very flexible allowing users to setup their livecd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for livecd:
-+
-+.EX
-+.B livecd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux livecd policy is very flexible allowing users to setup their livecd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for livecd:
-+
-+
-+.EX
-+.PP
-+.B livecd_exec_t
-+.EE
-+
-+- Set files with the livecd_exec_t type, if you want to transition an executable to the livecd_t domain.
-+
-+
-+.EX
-+.PP
-+.B livecd_tmp_t
-+.EE
-+
-+- Set files with the livecd_tmp_t type, if you want to store livecd temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type livecd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B file_type
-+
-+ all files on the system
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), livecd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/lldpad_selinux.8 b/man/man8/lldpad_selinux.8
-new file mode 100644
-index 0000000..3cbeec5
---- /dev/null
-+++ b/man/man8/lldpad_selinux.8
-@@ -0,0 +1,138 @@
-+.TH "lldpad_selinux" "8" "12-11-01" "lldpad" "SELinux Policy documentation for lldpad"
-+.SH "NAME"
-+lldpad_selinux \- Security Enhanced Linux Policy for the lldpad processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the lldpad processes via flexible mandatory access control.
-+
-+The lldpad processes execute with the lldpad_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep lldpad_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The lldpad_t SELinux type can be entered via the "lldpad_exec_t" file type. The default entrypoint paths for the lldpad_t domain are the following:"
-+
-+/usr/sbin/lldpad
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux lldpad policy is very flexible allowing users to setup their lldpad processes in as secure a method as possible.
-+.PP
-+The following process types are defined for lldpad:
-+
-+.EX
-+.B lldpad_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux lldpad policy is very flexible allowing users to setup their lldpad processes in as secure a method as possible.
-+.PP
-+The following file types are defined for lldpad:
-+
-+
-+.EX
-+.PP
-+.B lldpad_exec_t
-+.EE
-+
-+- Set files with the lldpad_exec_t type, if you want to transition an executable to the lldpad_t domain.
-+
-+
-+.EX
-+.PP
-+.B lldpad_initrc_exec_t
-+.EE
-+
-+- Set files with the lldpad_initrc_exec_t type, if you want to transition an executable to the lldpad_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B lldpad_tmpfs_t
-+.EE
-+
-+- Set files with the lldpad_tmpfs_t type, if you want to store lldpad files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B lldpad_var_lib_t
-+.EE
-+
-+- Set files with the lldpad_var_lib_t type, if you want to store the lldpad files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B lldpad_var_run_t
-+.EE
-+
-+- Set files with the lldpad_var_run_t type, if you want to store the lldpad files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type lldpad_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B lldpad_tmpfs_t
-+
-+
-+.br
-+.B lldpad_var_lib_t
-+
-+ /var/lib/lldpad(/.*)?
-+.br
-+
-+.br
-+.B lldpad_var_run_t
-+
-+ /var/run/lldpad\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), lldpad(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/load_policy_selinux.8 b/man/man8/load_policy_selinux.8
-new file mode 100644
-index 0000000..30c76e6
---- /dev/null
-+++ b/man/man8/load_policy_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "load_policy_selinux" "8" "12-11-01" "load_policy" "SELinux Policy documentation for load_policy"
-+.SH "NAME"
-+load_policy_selinux \- Security Enhanced Linux Policy for the load_policy processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the load_policy processes via flexible mandatory access control.
-+
-+The load_policy processes execute with the load_policy_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep load_policy_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The load_policy_t SELinux type can be entered via the "load_policy_exec_t" file type. The default entrypoint paths for the load_policy_t domain are the following:"
-+
-+/sbin/load_policy, /usr/sbin/load_policy
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux load_policy policy is very flexible allowing users to setup their load_policy processes in as secure a method as possible.
-+.PP
-+The following process types are defined for load_policy:
-+
-+.EX
-+.B load_policy_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux load_policy policy is very flexible allowing users to setup their load_policy processes in as secure a method as possible.
-+.PP
-+The following file types are defined for load_policy:
-+
-+
-+.EX
-+.PP
-+.B load_policy_exec_t
-+.EE
-+
-+- Set files with the load_policy_exec_t type, if you want to transition an executable to the load_policy_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type load_policy_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B boolean_type
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), load_policy(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, loadkeys_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/loadkeys_selinux.8 b/man/man8/loadkeys_selinux.8
-new file mode 100644
-index 0000000..3c43c48
---- /dev/null
-+++ b/man/man8/loadkeys_selinux.8
-@@ -0,0 +1,86 @@
-+.TH "loadkeys_selinux" "8" "12-11-01" "loadkeys" "SELinux Policy documentation for loadkeys"
-+.SH "NAME"
-+loadkeys_selinux \- Security Enhanced Linux Policy for the loadkeys processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the loadkeys processes via flexible mandatory access control.
-+
-+The loadkeys processes execute with the loadkeys_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep loadkeys_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The loadkeys_t SELinux type can be entered via the "loadkeys_exec_t" file type. The default entrypoint paths for the loadkeys_t domain are the following:"
-+
-+/usr/bin/unikeys, /usr/bin/loadkeys
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux loadkeys policy is very flexible allowing users to setup their loadkeys processes in as secure a method as possible.
-+.PP
-+The following process types are defined for loadkeys:
-+
-+.EX
-+.B loadkeys_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux loadkeys policy is very flexible allowing users to setup their loadkeys processes in as secure a method as possible.
-+.PP
-+The following file types are defined for loadkeys:
-+
-+
-+.EX
-+.PP
-+.B loadkeys_exec_t
-+.EE
-+
-+- Set files with the loadkeys_exec_t type, if you want to transition an executable to the loadkeys_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), loadkeys(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/locate_selinux.8 b/man/man8/locate_selinux.8
-new file mode 100644
-index 0000000..1ab1c6b
---- /dev/null
-+++ b/man/man8/locate_selinux.8
-@@ -0,0 +1,126 @@
-+.TH "locate_selinux" "8" "12-11-01" "locate" "SELinux Policy documentation for locate"
-+.SH "NAME"
-+locate_selinux \- Security Enhanced Linux Policy for the locate processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the locate processes via flexible mandatory access control.
-+
-+The locate processes execute with the locate_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep locate_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The locate_t SELinux type can be entered via the "locate_exec_t" file type. The default entrypoint paths for the locate_t domain are the following:"
-+
-+/usr/bin/updatedb
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux locate policy is very flexible allowing users to setup their locate processes in as secure a method as possible.
-+.PP
-+The following process types are defined for locate:
-+
-+.EX
-+.B locate_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux locate policy is very flexible allowing users to setup their locate processes in as secure a method as possible.
-+.PP
-+The following file types are defined for locate:
-+
-+
-+.EX
-+.PP
-+.B locate_exec_t
-+.EE
-+
-+- Set files with the locate_exec_t type, if you want to transition an executable to the locate_t domain.
-+
-+
-+.EX
-+.PP
-+.B locate_log_t
-+.EE
-+
-+- Set files with the locate_log_t type, if you want to treat the data as locate log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B locate_var_lib_t
-+.EE
-+
-+- Set files with the locate_var_lib_t type, if you want to store the locate files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type locate_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B locate_var_lib_t
-+
-+ /var/lib/[sm]locate(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the locate_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the locate_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), locate(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/lockdev_selinux.8 b/man/man8/lockdev_selinux.8
-new file mode 100644
-index 0000000..8c5a3fe
---- /dev/null
-+++ b/man/man8/lockdev_selinux.8
-@@ -0,0 +1,102 @@
-+.TH "lockdev_selinux" "8" "12-11-01" "lockdev" "SELinux Policy documentation for lockdev"
-+.SH "NAME"
-+lockdev_selinux \- Security Enhanced Linux Policy for the lockdev processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the lockdev processes via flexible mandatory access control.
-+
-+The lockdev processes execute with the lockdev_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep lockdev_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The lockdev_t SELinux type can be entered via the "lockdev_exec_t" file type. The default entrypoint paths for the lockdev_t domain are the following:"
-+
-+/usr/sbin/lockdev
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux lockdev policy is very flexible allowing users to setup their lockdev processes in as secure a method as possible.
-+.PP
-+The following process types are defined for lockdev:
-+
-+.EX
-+.B lockdev_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux lockdev policy is very flexible allowing users to setup their lockdev processes in as secure a method as possible.
-+.PP
-+The following file types are defined for lockdev:
-+
-+
-+.EX
-+.PP
-+.B lockdev_exec_t
-+.EE
-+
-+- Set files with the lockdev_exec_t type, if you want to transition an executable to the lockdev_t domain.
-+
-+
-+.EX
-+.PP
-+.B lockdev_lock_t
-+.EE
-+
-+- Set files with the lockdev_lock_t type, if you want to treat the files as lockdev lock data, stored under the /var/lock directory
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type lockdev_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B lockdev_lock_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), lockdev(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/logadm_selinux.8 b/man/man8/logadm_selinux.8
-new file mode 100644
-index 0000000..9e18695
---- /dev/null
-+++ b/man/man8/logadm_selinux.8
-@@ -0,0 +1,161 @@
-+.TH "logadm_selinux" "8" "logadm" "mgrepl@redhat.com" "logadm SELinux Policy documentation"
-+.SH "NAME"
-+logadm_r \- \fBLog administrator role\fP - Security Enhanced Linux Policy
-+
-+.SH DESCRIPTION
-+
-+SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into.
-+
-+.I Note:
-+Examples in this man page will use the
-+.B staff_u
-+SELinux user.
-+
-+Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them.
-+
-+The default type for the logadm_r role is logadm_t.
-+
-+The
-+.B newrole
-+program to transition directly to this role.
-+
-+.B newrole -r logadm_r -t logadm_t
-+
-+.B sudo
-+is the preferred method to do transition from one role to another. You setup sudo to transition to logadm_r by adding a similar line to the /etc/sudoers file.
-+
-+USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
-+
-+.br
-+sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL
-+
-+When using a a non login role, you need to setup SELinux so that your SELinux user can reach logadm_r role.
-+
-+Execute the following to see all of the assigned SELinux roles:
-+
-+.B semanage user -l
-+
-+You need to add logadm_r to the staff_u user. You could setup the staff_u user to be able to use the logadm_r role with a command like:
-+
-+.B $ semanage user -m -R 'staff_r system_r logadm_r' staff_u
-+
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type logadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B auditd_etc_t
-+
-+ /etc/audit(/.*)?
-+.br
-+
-+.br
-+.B auditd_log_t
-+
-+ /var/log/audit(/.*)?
-+.br
-+ /var/log/audit\.log
-+.br
-+
-+.br
-+.B auditd_unit_file_t
-+
-+ /usr/lib/systemd/system/auditd.*
-+.br
-+
-+.br
-+.B auditd_var_run_t
-+
-+ /var/run/auditd\.pid
-+.br
-+ /var/run/auditd_sock
-+.br
-+ /var/run/audit_events
-+.br
-+
-+.br
-+.B klogd_tmp_t
-+
-+
-+.br
-+.B klogd_var_run_t
-+
-+ /var/run/klogd\.pid
-+.br
-+
-+.br
-+.B logfile
-+
-+ all log files
-+.br
-+
-+.br
-+.B syslog_conf_t
-+
-+ /etc/syslog.conf
-+.br
-+ /etc/rsyslog.conf
-+.br
-+
-+.br
-+.B syslogd_tmp_t
-+
-+
-+.br
-+.B syslogd_var_lib_t
-+
-+ /var/lib/r?syslog(/.*)?
-+.br
-+ /var/lib/syslog-ng(/.*)?
-+.br
-+ /var/lib/syslog-ng.persist
-+.br
-+
-+.br
-+.B syslogd_var_run_t
-+
-+ /var/run/log(/.*)?
-+.br
-+ /var/run/syslog-ng.ctl
-+.br
-+ /var/log/syslog-ng(/.*)?
-+.br
-+ /var/run/syslog-ng(/.*)?
-+.br
-+ /var/run/systemd/journal(/.*)?
-+.br
-+ /var/run/metalog\.pid
-+.br
-+ /var/run/syslogd\.pid
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), logadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/logrotate_selinux.8 b/man/man8/logrotate_selinux.8
-new file mode 100644
-index 0000000..b7cec54
---- /dev/null
-+++ b/man/man8/logrotate_selinux.8
-@@ -0,0 +1,198 @@
-+.TH "logrotate_selinux" "8" "12-11-01" "logrotate" "SELinux Policy documentation for logrotate"
-+.SH "NAME"
-+logrotate_selinux \- Security Enhanced Linux Policy for the logrotate processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the logrotate processes via flexible mandatory access control.
-+
-+The logrotate processes execute with the logrotate_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep logrotate_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The logrotate_t SELinux type can be entered via the "logrotate_exec_t" file type. The default entrypoint paths for the logrotate_t domain are the following:"
-+
-+/etc/cron\.(daily|weekly)/sysklogd, /usr/sbin/logrotate
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux logrotate policy is very flexible allowing users to setup their logrotate processes in as secure a method as possible.
-+.PP
-+The following process types are defined for logrotate:
-+
-+.EX
-+.B logrotate_t, logrotate_mail_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux logrotate policy is very flexible allowing users to setup their logrotate processes in as secure a method as possible.
-+.PP
-+The following file types are defined for logrotate:
-+
-+
-+.EX
-+.PP
-+.B logrotate_exec_t
-+.EE
-+
-+- Set files with the logrotate_exec_t type, if you want to transition an executable to the logrotate_t domain.
-+
-+
-+.EX
-+.PP
-+.B logrotate_lock_t
-+.EE
-+
-+- Set files with the logrotate_lock_t type, if you want to treat the files as logrotate lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B logrotate_mail_tmp_t
-+.EE
-+
-+- Set files with the logrotate_mail_tmp_t type, if you want to store logrotate mail temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B logrotate_tmp_t
-+.EE
-+
-+- Set files with the logrotate_tmp_t type, if you want to store logrotate temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B logrotate_var_lib_t
-+.EE
-+
-+- Set files with the logrotate_var_lib_t type, if you want to store the logrotate files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type logrotate_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B abrt_var_cache_t
-+
-+ /var/cache/abrt(/.*)?
-+.br
-+ /var/spool/abrt(/.*)?
-+.br
-+ /var/cache/abrt-di(/.*)?
-+.br
-+
-+.br
-+.B logfile
-+
-+ all log files
-+.br
-+
-+.br
-+.B logrotate_lock_t
-+
-+
-+.br
-+.B logrotate_tmp_t
-+
-+
-+.br
-+.B logrotate_var_lib_t
-+
-+ /var/lib/logrotate\.status
-+.br
-+
-+.br
-+.B named_cache_t
-+
-+ /var/named/data(/.*)?
-+.br
-+ /var/named/slaves(/.*)?
-+.br
-+ /var/named/dynamic(/.*)?
-+.br
-+ /var/named/chroot/var/tmp(/.*)?
-+.br
-+ /var/named/chroot/var/named/data(/.*)?
-+.br
-+ /var/named/chroot/var/named/slaves(/.*)?
-+.br
-+ /var/named/chroot/var/named/dynamic(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B var_spool_t
-+
-+ /var/spool(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the logrotate_t, logrotate_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the logrotate_t, logrotate_mail_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), logrotate(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/logwatch_selinux.8 b/man/man8/logwatch_selinux.8
-new file mode 100644
-index 0000000..bc7bf81
---- /dev/null
-+++ b/man/man8/logwatch_selinux.8
-@@ -0,0 +1,170 @@
-+.TH "logwatch_selinux" "8" "12-11-01" "logwatch" "SELinux Policy documentation for logwatch"
-+.SH "NAME"
-+logwatch_selinux \- Security Enhanced Linux Policy for the logwatch processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the logwatch processes via flexible mandatory access control.
-+
-+The logwatch processes execute with the logwatch_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep logwatch_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The logwatch_t SELinux type can be entered via the "logwatch_exec_t" file type. The default entrypoint paths for the logwatch_t domain are the following:"
-+
-+/usr/sbin/epylog, /usr/sbin/logcheck, /usr/share/logwatch/scripts/logwatch\.pl
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux logwatch policy is very flexible allowing users to setup their logwatch processes in as secure a method as possible.
-+.PP
-+The following process types are defined for logwatch:
-+
-+.EX
-+.B logwatch_t, logwatch_mail_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux logwatch policy is very flexible allowing users to setup their logwatch processes in as secure a method as possible.
-+.PP
-+The following file types are defined for logwatch:
-+
-+
-+.EX
-+.PP
-+.B logwatch_cache_t
-+.EE
-+
-+- Set files with the logwatch_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B logwatch_exec_t
-+.EE
-+
-+- Set files with the logwatch_exec_t type, if you want to transition an executable to the logwatch_t domain.
-+
-+
-+.EX
-+.PP
-+.B logwatch_lock_t
-+.EE
-+
-+- Set files with the logwatch_lock_t type, if you want to treat the files as logwatch lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B logwatch_mail_tmp_t
-+.EE
-+
-+- Set files with the logwatch_mail_tmp_t type, if you want to store logwatch mail temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B logwatch_tmp_t
-+.EE
-+
-+- Set files with the logwatch_tmp_t type, if you want to store logwatch temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B logwatch_var_run_t
-+.EE
-+
-+- Set files with the logwatch_var_run_t type, if you want to store the logwatch files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type logwatch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B logwatch_cache_t
-+
-+ /var/lib/epylog(/.*)?
-+.br
-+ /var/lib/logcheck(/.*)?
-+.br
-+ /var/cache/logwatch(/.*)?
-+.br
-+
-+.br
-+.B logwatch_lock_t
-+
-+ /var/log/logcheck/.+
-+.br
-+
-+.br
-+.B logwatch_tmp_t
-+
-+
-+.br
-+.B logwatch_var_run_t
-+
-+ /var/run/epylog\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the logwatch_mail_t, logwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the logwatch_mail_t, logwatch_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), logwatch(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/lpd_selinux.8 b/man/man8/lpd_selinux.8
-new file mode 100644
-index 0000000..0b08fa7
---- /dev/null
-+++ b/man/man8/lpd_selinux.8
-@@ -0,0 +1,164 @@
-+.TH "lpd_selinux" "8" "12-11-01" "lpd" "SELinux Policy documentation for lpd"
-+.SH "NAME"
-+lpd_selinux \- Security Enhanced Linux Policy for the lpd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the lpd processes via flexible mandatory access control.
-+
-+The lpd processes execute with the lpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep lpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The lpd_t SELinux type can be entered via the "lpd_exec_t" file type. The default entrypoint paths for the lpd_t domain are the following:"
-+
-+/usr/sbin/lpd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux lpd policy is very flexible allowing users to setup their lpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for lpd:
-+
-+.EX
-+.B lpd_t, lpr_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. lpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lpd with the tightest access possible.
-+
-+
-+.PP
-+If you want to use lpd server instead of cups, you must turn on the use_lpd_server boolean.
-+
-+.EX
-+.B setsebool -P use_lpd_server 1
-+.EE
-+
-+.PP
-+If you want to use lpd server instead of cups, you must turn on the use_lpd_server boolean.
-+
-+.EX
-+.B setsebool -P use_lpd_server 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux lpd policy is very flexible allowing users to setup their lpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for lpd:
-+
-+
-+.EX
-+.PP
-+.B lpd_exec_t
-+.EE
-+
-+- Set files with the lpd_exec_t type, if you want to transition an executable to the lpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B lpd_tmp_t
-+.EE
-+
-+- Set files with the lpd_tmp_t type, if you want to store lpd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B lpd_var_run_t
-+.EE
-+
-+- Set files with the lpd_var_run_t type, if you want to store the lpd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type lpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B lpd_tmp_t
-+
-+
-+.br
-+.B lpd_var_run_t
-+
-+ /var/run/lprng(/.*)?
-+.br
-+ /var/spool/turboprint(/.*)?
-+.br
-+
-+.br
-+.B print_spool_t
-+
-+ /var/spool/lpd(/.*)?
-+.br
-+ /var/spool/cups(/.*)?
-+.br
-+ /var/spool/cups-pdf(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), lpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), lpr_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/lpr_selinux.8 b/man/man8/lpr_selinux.8
-new file mode 100644
-index 0000000..2aa3249
---- /dev/null
-+++ b/man/man8/lpr_selinux.8
-@@ -0,0 +1,108 @@
-+.TH "lpr_selinux" "8" "12-11-01" "lpr" "SELinux Policy documentation for lpr"
-+.SH "NAME"
-+lpr_selinux \- Security Enhanced Linux Policy for the lpr processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the lpr processes via flexible mandatory access control.
-+
-+The lpr processes execute with the lpr_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep lpr_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The lpr_t SELinux type can be entered via the "lpr_exec_t" file type. The default entrypoint paths for the lpr_t domain are the following:"
-+
-+/usr/bin/lp(\.cups)?, /usr/bin/lpq(\.cups)?, /usr/bin/lpr(\.cups)?, /usr/bin/lprm(\.cups)?, /usr/sbin/lpc(\.cups)?, /usr/bin/cancel(\.cups)?, /usr/bin/lpstat(\.cups)?, /opt/gutenprint/s?bin(/.*)?, /usr/linuxprinter/bin/l?lpr, /usr/sbin/accept, /usr/sbin/lpinfo, /usr/sbin/lpmove, /usr/sbin/lpadmin, /usr/bin/lpoptions
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux lpr policy is very flexible allowing users to setup their lpr processes in as secure a method as possible.
-+.PP
-+The following process types are defined for lpr:
-+
-+.EX
-+.B lpr_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux lpr policy is very flexible allowing users to setup their lpr processes in as secure a method as possible.
-+.PP
-+The following file types are defined for lpr:
-+
-+
-+.EX
-+.PP
-+.B lpr_exec_t
-+.EE
-+
-+- Set files with the lpr_exec_t type, if you want to transition an executable to the lpr_t domain.
-+
-+
-+.EX
-+.PP
-+.B lpr_tmp_t
-+.EE
-+
-+- Set files with the lpr_tmp_t type, if you want to store lpr temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), lpr(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/lsassd_selinux.8 b/man/man8/lsassd_selinux.8
-new file mode 100644
-index 0000000..9b130b2
---- /dev/null
-+++ b/man/man8/lsassd_selinux.8
-@@ -0,0 +1,264 @@
-+.TH "lsassd_selinux" "8" "12-11-01" "lsassd" "SELinux Policy documentation for lsassd"
-+.SH "NAME"
-+lsassd_selinux \- Security Enhanced Linux Policy for the lsassd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the lsassd processes via flexible mandatory access control.
-+
-+The lsassd processes execute with the lsassd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep lsassd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The lsassd_t SELinux type can be entered via the "lsassd_exec_t" file type. The default entrypoint paths for the lsassd_t domain are the following:"
-+
-+/usr/sbin/lsassd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux lsassd policy is very flexible allowing users to setup their lsassd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for lsassd:
-+
-+.EX
-+.B lsassd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux lsassd policy is very flexible allowing users to setup their lsassd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for lsassd:
-+
-+
-+.EX
-+.PP
-+.B lsassd_exec_t
-+.EE
-+
-+- Set files with the lsassd_exec_t type, if you want to transition an executable to the lsassd_t domain.
-+
-+
-+.EX
-+.PP
-+.B lsassd_tmp_t
-+.EE
-+
-+- Set files with the lsassd_tmp_t type, if you want to store lsassd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B lsassd_var_lib_t
-+.EE
-+
-+- Set files with the lsassd_var_lib_t type, if you want to store the lsassd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B lsassd_var_run_t
-+.EE
-+
-+- Set files with the lsassd_var_run_t type, if you want to store the lsassd files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B lsassd_var_socket_t
-+.EE
-+
-+- Set files with the lsassd_var_socket_t type, if you want to treat the files as lsassd var socket data.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type lsassd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B etc_t
-+
-+ /etc/.*
-+.br
-+ /var/db/.*\.db
-+.br
-+ /usr/etc(/.*)?
-+.br
-+ /var/ftp/etc(/.*)?
-+.br
-+ /var/lib/openshift/.limits.d(/.*)?
-+.br
-+ /var/lib/openshift/.openshift-proxy.d(/.*)?
-+.br
-+ /var/lib/openshift/.stickshift-proxy.d(/.*)?
-+.br
-+ /var/lib/stickshift/.limits.d(/.*)?
-+.br
-+ /var/lib/stickshift/.stickshift-proxy.d(/.*)?
-+.br
-+ /var/named/chroot/etc(/.*)?
-+.br
-+ /etc/ipsec\.d/examples(/.*)?
-+.br
-+ /var/spool/postfix/etc(/.*)?
-+.br
-+ /etc
-+.br
-+ /etc/cups/client\.conf
-+.br
-+
-+.br
-+.B krb5_keytab_t
-+
-+ /etc/krb5\.keytab
-+.br
-+ /etc/krb5kdc/kadm5\.keytab
-+.br
-+ /var/kerberos/krb5kdc/kadm5\.keytab
-+.br
-+
-+.br
-+.B likewise_etc_t
-+
-+ /etc/likewise-open(/.*)?
-+.br
-+
-+.br
-+.B lsassd_tmp_t
-+
-+
-+.br
-+.B lsassd_var_lib_t
-+
-+ /var/lib/likewise-open/lsasd\.err
-+.br
-+ /var/lib/likewise-open/db/sam\.db
-+.br
-+ /var/lib/likewise-open/krb5ccr_lsass
-+.br
-+ /var/lib/likewise-open/db/lsass-adcache\.db
-+.br
-+ /var/lib/likewise-open/db/lsass-adstate\.filedb
-+.br
-+
-+.br
-+.B lsassd_var_run_t
-+
-+ /var/run/lsassd.pid
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), lsassd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/lvm_selinux.8 b/man/man8/lvm_selinux.8
-new file mode 100644
-index 0000000..9793bb8
---- /dev/null
-+++ b/man/man8/lvm_selinux.8
-@@ -0,0 +1,236 @@
-+.TH "lvm_selinux" "8" "12-11-01" "lvm" "SELinux Policy documentation for lvm"
-+.SH "NAME"
-+lvm_selinux \- Security Enhanced Linux Policy for the lvm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the lvm processes via flexible mandatory access control.
-+
-+The lvm processes execute with the lvm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep lvm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The lvm_t SELinux type can be entered via the "lvm_exec_t" file type. The default entrypoint paths for the lvm_t domain are the following:"
-+
-+/lib/lvm-10/.*, /lib/lvm-200/.*, /usr/lib/lvm-10/.*, /usr/lib/lvm-200/.*, /sbin/lvm, /sbin/lvs, /sbin/pvs, /sbin/vgs, /sbin/vgck, /sbin/dmraid, /sbin/kpartx, /sbin/lvmsar, /sbin/lvscan, /sbin/pvdata, /sbin/pvmove, /sbin/pvscan, /sbin/vgscan, /sbin/dmsetup, /sbin/e2fsadm, /sbin/lvmetad, /sbin/lvmsadc, /sbin/vgmerge, /sbin/vgsplit, /usr/sbin/lvm, /usr/sbin/lvs, /usr/sbin/pvs, /usr/sbin/vgs, /sbin/lvchange, /sbin/lvcreate, /sbin/lvextend, /sbin/lvreduce, /sbin/lvremove, /sbin/lvrename, /sbin/lvresize, /sbin/pvchange, /sbin/pvcreate, /sbin/pvremove, /sbin/vgchange, /sbin/vgcreate, /sbin/vgexport, /sbin/vgextend, /sbin/vgimport, /sbin/vgreduce, /sbin/vgremove, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /sbin/lvmchange, /sbin/pvdisplay, /sbin/vgdisplay, /sbin/vgmknodes, /sbin/vgwrapper, /sbin/cryptsetup, /sbin/lvm\.static, /sbin/multipathd, /usr/sbin/dmraid, /usr/sbin/kpartx, /usr/sbin/lvmsar, /usr/sbin/lvscan, /usr/sbin/pvdata, /usr/sbin/pvmove, /usr/sbin/pvscan, /usr/sbin/vgscan, /sbin/mount\.crypt, /sbin/lvmdiskscan, /sbin/vgcfgbackup, /usr/sbin/dmsetup, /usr/sbin/e2fsadm, /usr/sbin/lvmetad, /usr/sbin/lvmsadc, /usr/sbin/vgmerge, /usr/sbin/vgsplit, /sbin/vgcfgrestore, /usr/sbin/dmeventd, /usr/sbin/lvchange, /usr/sbin/lvcreate, /usr/sbin/lvextend, /usr/sbin/lvreduce, /usr/sbin/lvremove, /usr/sbin/lvrename, /usr/sbin/lvresize, /usr/sbin/pvchange, /usr/sbin/pvcreate, /usr/sbin/pvremove, /usr/sbin/vgchange, /usr/sbin/vgcreate, /usr/sbin/vgexport, /usr/sbin/vgextend, /usr/sbin/vgimport, /usr/sbin/vgreduce, /usr/sbin/vgremove, /usr/sbin/vgrename, /sbin/lvmiopversion, /sbin/vgscan\.static, /usr/sbin/lvdisplay, /usr/sbin/lvmchange, /usr/sbin/pvdisplay, /usr/sbin/vgdisplay, /usr/sbin/vgmknodes, /usr/sbin/vgwrapper, /sbin/dmsetup\.static, /usr/sbin/cryptsetup, /usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/vgchange\.static, /usr/sbin/lvmdiskscan, /usr/sbin/mount\.crypt, /usr/sbin/vgcfgbackup, /sbin/multipath\.static, /usr/sbin/vgcfgrestore, /usr/sbin/lvmiopversion, /usr/sbin/vgscan\.static, /usr/sbin/dmsetup\.static, /usr/sbin/vgchange\.static, /usr/sbin/multipath\.static, /lib/udev/udisks-lvm-pv-export, /usr/lib/udev/udisks-lvm-pv-export, /usr/lib/systemd/systemd-cryptsetup
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux lvm policy is very flexible allowing users to setup their lvm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for lvm:
-+
-+.EX
-+.B lvm_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux lvm policy is very flexible allowing users to setup their lvm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for lvm:
-+
-+
-+.EX
-+.PP
-+.B lvm_etc_t
-+.EE
-+
-+- Set files with the lvm_etc_t type, if you want to store lvm files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B lvm_exec_t
-+.EE
-+
-+- Set files with the lvm_exec_t type, if you want to transition an executable to the lvm_t domain.
-+
-+
-+.EX
-+.PP
-+.B lvm_lock_t
-+.EE
-+
-+- Set files with the lvm_lock_t type, if you want to treat the files as lvm lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B lvm_metadata_t
-+.EE
-+
-+- Set files with the lvm_metadata_t type, if you want to treat the files as lvm metadata data.
-+
-+
-+.EX
-+.PP
-+.B lvm_tmp_t
-+.EE
-+
-+- Set files with the lvm_tmp_t type, if you want to store lvm temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B lvm_var_lib_t
-+.EE
-+
-+- Set files with the lvm_var_lib_t type, if you want to store the lvm files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B lvm_var_run_t
-+.EE
-+
-+- Set files with the lvm_var_run_t type, if you want to store the lvm files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type lvm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B device_t
-+
-+ /dev/.*
-+.br
-+ /lib/udev/devices(/.*)?
-+.br
-+ /usr/lib/udev/devices(/.*)?
-+.br
-+ /dev
-+.br
-+ /etc/udev/devices
-+.br
-+ /var/named/chroot/dev
-+.br
-+ /var/spool/postfix/dev
-+.br
-+
-+.br
-+.B lvm_lock_t
-+
-+ /etc/lvm/lock(/.*)?
-+.br
-+ /var/lock/lvm(/.*)?
-+.br
-+
-+.br
-+.B lvm_metadata_t
-+
-+ /etc/lvmtab(/.*)?
-+.br
-+ /etc/lvmtab\.d(/.*)?
-+.br
-+ /etc/lvm/cache(/.*)?
-+.br
-+ /etc/lvm/backup(/.*)?
-+.br
-+ /etc/lvm/archive(/.*)?
-+.br
-+ /var/cache/multipathd(/.*)?
-+.br
-+ /etc/lvm/\.cache
-+.br
-+
-+.br
-+.B lvm_tmp_t
-+
-+
-+.br
-+.B lvm_var_lib_t
-+
-+ /var/lib/multipath(/.*)?
-+.br
-+
-+.br
-+.B lvm_var_run_t
-+
-+ /var/run/lvm(/.*)?
-+.br
-+ /var/run/dmevent.*
-+.br
-+ /var/run/multipathd\.sock
-+.br
-+
-+.br
-+.B rpm_script_tmp_t
-+
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B virt_image_type
-+
-+ all virtual image files
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), lvm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/lwiod_selinux.8 b/man/man8/lwiod_selinux.8
-new file mode 100644
-index 0000000..249014f
---- /dev/null
-+++ b/man/man8/lwiod_selinux.8
-@@ -0,0 +1,130 @@
-+.TH "lwiod_selinux" "8" "12-11-01" "lwiod" "SELinux Policy documentation for lwiod"
-+.SH "NAME"
-+lwiod_selinux \- Security Enhanced Linux Policy for the lwiod processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the lwiod processes via flexible mandatory access control.
-+
-+The lwiod processes execute with the lwiod_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep lwiod_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The lwiod_t SELinux type can be entered via the "lwiod_exec_t" file type. The default entrypoint paths for the lwiod_t domain are the following:"
-+
-+/usr/sbin/lwiod
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux lwiod policy is very flexible allowing users to setup their lwiod processes in as secure a method as possible.
-+.PP
-+The following process types are defined for lwiod:
-+
-+.EX
-+.B lwiod_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux lwiod policy is very flexible allowing users to setup their lwiod processes in as secure a method as possible.
-+.PP
-+The following file types are defined for lwiod:
-+
-+
-+.EX
-+.PP
-+.B lwiod_exec_t
-+.EE
-+
-+- Set files with the lwiod_exec_t type, if you want to transition an executable to the lwiod_t domain.
-+
-+
-+.EX
-+.PP
-+.B lwiod_var_lib_t
-+.EE
-+
-+- Set files with the lwiod_var_lib_t type, if you want to store the lwiod files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B lwiod_var_run_t
-+.EE
-+
-+- Set files with the lwiod_var_run_t type, if you want to store the lwiod files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B lwiod_var_socket_t
-+.EE
-+
-+- Set files with the lwiod_var_socket_t type, if you want to treat the files as lwiod var socket data.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type lwiod_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B krb5_conf_t
-+
-+ /etc/krb5\.conf
-+.br
-+
-+.br
-+.B lwiod_var_lib_t
-+
-+
-+.br
-+.B lwiod_var_run_t
-+
-+ /var/run/lwiod.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), lwiod(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/lwregd_selinux.8 b/man/man8/lwregd_selinux.8
-new file mode 100644
-index 0000000..9bc985a
---- /dev/null
-+++ b/man/man8/lwregd_selinux.8
-@@ -0,0 +1,128 @@
-+.TH "lwregd_selinux" "8" "12-11-01" "lwregd" "SELinux Policy documentation for lwregd"
-+.SH "NAME"
-+lwregd_selinux \- Security Enhanced Linux Policy for the lwregd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the lwregd processes via flexible mandatory access control.
-+
-+The lwregd processes execute with the lwregd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep lwregd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The lwregd_t SELinux type can be entered via the "lwregd_exec_t" file type. The default entrypoint paths for the lwregd_t domain are the following:"
-+
-+/usr/sbin/lwregd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux lwregd policy is very flexible allowing users to setup their lwregd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for lwregd:
-+
-+.EX
-+.B lwregd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux lwregd policy is very flexible allowing users to setup their lwregd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for lwregd:
-+
-+
-+.EX
-+.PP
-+.B lwregd_exec_t
-+.EE
-+
-+- Set files with the lwregd_exec_t type, if you want to transition an executable to the lwregd_t domain.
-+
-+
-+.EX
-+.PP
-+.B lwregd_var_lib_t
-+.EE
-+
-+- Set files with the lwregd_var_lib_t type, if you want to store the lwregd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B lwregd_var_run_t
-+.EE
-+
-+- Set files with the lwregd_var_run_t type, if you want to store the lwregd files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B lwregd_var_socket_t
-+.EE
-+
-+- Set files with the lwregd_var_socket_t type, if you want to treat the files as lwregd var socket data.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type lwregd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B lwregd_var_lib_t
-+
-+ /var/lib/likewise-open/regsd\.err
-+.br
-+ /var/lib/likewise-open/db/registry\.db
-+.br
-+
-+.br
-+.B lwregd_var_run_t
-+
-+ /var/run/lwregd.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), lwregd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/lwsmd_selinux.8 b/man/man8/lwsmd_selinux.8
-new file mode 100644
-index 0000000..82a32da
---- /dev/null
-+++ b/man/man8/lwsmd_selinux.8
-@@ -0,0 +1,122 @@
-+.TH "lwsmd_selinux" "8" "12-11-01" "lwsmd" "SELinux Policy documentation for lwsmd"
-+.SH "NAME"
-+lwsmd_selinux \- Security Enhanced Linux Policy for the lwsmd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the lwsmd processes via flexible mandatory access control.
-+
-+The lwsmd processes execute with the lwsmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep lwsmd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The lwsmd_t SELinux type can be entered via the "lwsmd_exec_t" file type. The default entrypoint paths for the lwsmd_t domain are the following:"
-+
-+/usr/sbin/lwsmd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux lwsmd policy is very flexible allowing users to setup their lwsmd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for lwsmd:
-+
-+.EX
-+.B lwsmd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux lwsmd policy is very flexible allowing users to setup their lwsmd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for lwsmd:
-+
-+
-+.EX
-+.PP
-+.B lwsmd_exec_t
-+.EE
-+
-+- Set files with the lwsmd_exec_t type, if you want to transition an executable to the lwsmd_t domain.
-+
-+
-+.EX
-+.PP
-+.B lwsmd_var_lib_t
-+.EE
-+
-+- Set files with the lwsmd_var_lib_t type, if you want to store the lwsmd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B lwsmd_var_run_t
-+.EE
-+
-+- Set files with the lwsmd_var_run_t type, if you want to store the lwsmd files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B lwsmd_var_socket_t
-+.EE
-+
-+- Set files with the lwsmd_var_socket_t type, if you want to treat the files as lwsmd var socket data.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type lwsmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B lwsmd_var_lib_t
-+
-+
-+.br
-+.B lwsmd_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), lwsmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/mail_munin_plugin_selinux.8 b/man/man8/mail_munin_plugin_selinux.8
-new file mode 100644
-index 0000000..fc8cf0a
---- /dev/null
-+++ b/man/man8/mail_munin_plugin_selinux.8
-@@ -0,0 +1,115 @@
-+.TH "mail_munin_plugin_selinux" "8" "12-11-01" "mail_munin_plugin" "SELinux Policy documentation for mail_munin_plugin"
-+.SH "NAME"
-+mail_munin_plugin_selinux \- Security Enhanced Linux Policy for the mail_munin_plugin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mail_munin_plugin processes via flexible mandatory access control.
-+
-+The mail_munin_plugin processes execute with the mail_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mail_munin_plugin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mail_munin_plugin_t SELinux type can be entered via the "mail_munin_plugin_exec_t" file type. The default entrypoint paths for the mail_munin_plugin_t domain are the following:"
-+
-+/usr/share/munin/plugins/qmail.*, /usr/share/munin/plugins/exim_mail.*, /usr/share/munin/plugins/sendmail_.*, /usr/share/munin/plugins/courier_mta_.*, /usr/share/munin/plugins/postfix_mail.*, /usr/share/munin/plugins/mailman, /usr/share/munin/plugins/mailscanner
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mail_munin_plugin policy is very flexible allowing users to setup their mail_munin_plugin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mail_munin_plugin:
-+
-+.EX
-+.B mail_munin_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mail_munin_plugin policy is very flexible allowing users to setup their mail_munin_plugin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mail_munin_plugin:
-+
-+
-+.EX
-+.PP
-+.B mail_munin_plugin_exec_t
-+.EE
-+
-+- Set files with the mail_munin_plugin_exec_t type, if you want to transition an executable to the mail_munin_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B mail_munin_plugin_tmp_t
-+.EE
-+
-+- Set files with the mail_munin_plugin_tmp_t type, if you want to store mail munin plugin temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mail_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mail_munin_plugin_tmp_t
-+
-+
-+.br
-+.B munin_plugin_state_t
-+
-+ /var/lib/munin/plugin-state(/.*)?
-+.br
-+
-+.br
-+.B munin_var_lib_t
-+
-+ /var/lib/munin(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mail_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, mailman_cgi_selinux(8), mailman_mail_selinux(8), mailman_queue_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/mailman_cgi_selinux.8 b/man/man8/mailman_cgi_selinux.8
-new file mode 100644
-index 0000000..3314d81
---- /dev/null
-+++ b/man/man8/mailman_cgi_selinux.8
-@@ -0,0 +1,145 @@
-+.TH "mailman_cgi_selinux" "8" "12-11-01" "mailman_cgi" "SELinux Policy documentation for mailman_cgi"
-+.SH "NAME"
-+mailman_cgi_selinux \- Security Enhanced Linux Policy for the mailman_cgi processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mailman_cgi processes via flexible mandatory access control.
-+
-+The mailman_cgi processes execute with the mailman_cgi_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mailman_cgi_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mailman_cgi_t SELinux type can be entered via the "mailman_cgi_exec_t" file type. The default entrypoint paths for the mailman_cgi_t domain are the following:"
-+
-+/usr/lib/mailman.*/cgi-bin/.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mailman_cgi policy is very flexible allowing users to setup their mailman_cgi processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mailman_cgi:
-+
-+.EX
-+.B mailman_cgi_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mailman_cgi policy is very flexible allowing users to setup their mailman_cgi processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mailman_cgi:
-+
-+
-+.EX
-+.PP
-+.B mailman_cgi_exec_t
-+.EE
-+
-+- Set files with the mailman_cgi_exec_t type, if you want to transition an executable to the mailman_cgi_t domain.
-+
-+
-+.EX
-+.PP
-+.B mailman_cgi_tmp_t
-+.EE
-+
-+- Set files with the mailman_cgi_tmp_t type, if you want to store mailman cgi temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mailman_cgi_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mailman_archive_t
-+
-+ /var/lib/mailman.*/archives(/.*)?
-+.br
-+
-+.br
-+.B mailman_cgi_tmp_t
-+
-+
-+.br
-+.B mailman_data_t
-+
-+ /etc/mailman.*
-+.br
-+ /var/lib/mailman.*
-+.br
-+ /var/spool/mailman.*
-+.br
-+
-+.br
-+.B mailman_lock_t
-+
-+ /var/lock/mailman.*
-+.br
-+
-+.br
-+.B mailman_log_t
-+
-+ /var/log/mailman.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_cgi_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mailman_cgi_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mailman_cgi(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, mailman_mail_selinux(8), mailman_queue_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/mailman_mail_selinux.8 b/man/man8/mailman_mail_selinux.8
-new file mode 100644
-index 0000000..e86936f
---- /dev/null
-+++ b/man/man8/mailman_mail_selinux.8
-@@ -0,0 +1,155 @@
-+.TH "mailman_mail_selinux" "8" "12-11-01" "mailman_mail" "SELinux Policy documentation for mailman_mail"
-+.SH "NAME"
-+mailman_mail_selinux \- Security Enhanced Linux Policy for the mailman_mail processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mailman_mail processes via flexible mandatory access control.
-+
-+The mailman_mail processes execute with the mailman_mail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mailman_mail_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mailman_mail_t SELinux type can be entered via the "mailman_mail_exec_t" file type. The default entrypoint paths for the mailman_mail_t domain are the following:"
-+
-+/usr/lib/mailman.*/mail/mailman, /usr/lib/mailman.*/bin/mailmanctl, /usr/lib/mailman.*/scripts/mailman, /usr/lib/mailman.*/bin/mm-handler.*, /usr/share/doc/mailman.*/mm-handler.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mailman_mail policy is very flexible allowing users to setup their mailman_mail processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mailman_mail:
-+
-+.EX
-+.B mailman_mail_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mailman_mail policy is very flexible allowing users to setup their mailman_mail processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mailman_mail:
-+
-+
-+.EX
-+.PP
-+.B mailman_mail_exec_t
-+.EE
-+
-+- Set files with the mailman_mail_exec_t type, if you want to transition an executable to the mailman_mail_t domain.
-+
-+
-+.EX
-+.PP
-+.B mailman_mail_tmp_t
-+.EE
-+
-+- Set files with the mailman_mail_tmp_t type, if you want to store mailman mail temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mailman_mail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B mailman_archive_t
-+
-+ /var/lib/mailman.*/archives(/.*)?
-+.br
-+
-+.br
-+.B mailman_data_t
-+
-+ /etc/mailman.*
-+.br
-+ /var/lib/mailman.*
-+.br
-+ /var/spool/mailman.*
-+.br
-+
-+.br
-+.B mailman_lock_t
-+
-+ /var/lock/mailman.*
-+.br
-+
-+.br
-+.B mailman_log_t
-+
-+ /var/log/mailman.*
-+.br
-+
-+.br
-+.B mailman_mail_tmp_t
-+
-+
-+.br
-+.B mailman_var_run_t
-+
-+ /var/run/mailman.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mailman_mail_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mailman_mail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, mailman_cgi_selinux(8), mailman_queue_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/mailman_queue_selinux.8 b/man/man8/mailman_queue_selinux.8
-new file mode 100644
-index 0000000..b1d3963
---- /dev/null
-+++ b/man/man8/mailman_queue_selinux.8
-@@ -0,0 +1,171 @@
-+.TH "mailman_queue_selinux" "8" "12-11-01" "mailman_queue" "SELinux Policy documentation for mailman_queue"
-+.SH "NAME"
-+mailman_queue_selinux \- Security Enhanced Linux Policy for the mailman_queue processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mailman_queue processes via flexible mandatory access control.
-+
-+The mailman_queue processes execute with the mailman_queue_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mailman_queue_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mailman_queue_t SELinux type can be entered via the "mailman_queue_exec_t" file type. The default entrypoint paths for the mailman_queue_t domain are the following:"
-+
-+/usr/lib/mailman.*/cron/.*, /usr/lib/mailman.*/bin/qrunner
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mailman_queue policy is very flexible allowing users to setup their mailman_queue processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mailman_queue:
-+
-+.EX
-+.B mailman_queue_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mailman_queue policy is very flexible allowing users to setup their mailman_queue processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mailman_queue:
-+
-+
-+.EX
-+.PP
-+.B mailman_queue_exec_t
-+.EE
-+
-+- Set files with the mailman_queue_exec_t type, if you want to transition an executable to the mailman_queue_t domain.
-+
-+
-+.EX
-+.PP
-+.B mailman_queue_tmp_t
-+.EE
-+
-+- Set files with the mailman_queue_tmp_t type, if you want to store mailman queue temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mailman_queue_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B mailman_archive_t
-+
-+ /var/lib/mailman.*/archives(/.*)?
-+.br
-+
-+.br
-+.B mailman_data_t
-+
-+ /etc/mailman.*
-+.br
-+ /var/lib/mailman.*
-+.br
-+ /var/spool/mailman.*
-+.br
-+
-+.br
-+.B mailman_lock_t
-+
-+ /var/lock/mailman.*
-+.br
-+
-+.br
-+.B mailman_log_t
-+
-+ /var/log/mailman.*
-+.br
-+
-+.br
-+.B mailman_queue_tmp_t
-+
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_queue_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mailman_queue_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mailman_queue(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, mailman_cgi_selinux(8), mailman_mail_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/mandb_selinux.8 b/man/man8/mandb_selinux.8
-new file mode 100644
-index 0000000..962bcc4
---- /dev/null
-+++ b/man/man8/mandb_selinux.8
-@@ -0,0 +1,104 @@
-+.TH "mandb_selinux" "8" "12-11-01" "mandb" "SELinux Policy documentation for mandb"
-+.SH "NAME"
-+mandb_selinux \- Security Enhanced Linux Policy for the mandb processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mandb processes via flexible mandatory access control.
-+
-+The mandb processes execute with the mandb_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mandb_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mandb_t SELinux type can be entered via the "mandb_exec_t" file type. The default entrypoint paths for the mandb_t domain are the following:"
-+
-+/usr/bin/mandb
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mandb policy is very flexible allowing users to setup their mandb processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mandb:
-+
-+.EX
-+.B mandb_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mandb policy is very flexible allowing users to setup their mandb processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mandb:
-+
-+
-+.EX
-+.PP
-+.B mandb_cache_t
-+.EE
-+
-+- Set files with the mandb_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B mandb_exec_t
-+.EE
-+
-+- Set files with the mandb_exec_t type, if you want to transition an executable to the mandb_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mandb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mandb_cache_t
-+
-+ /var/cache/man(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mandb(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/mcelog_selinux.8 b/man/man8/mcelog_selinux.8
-new file mode 100644
-index 0000000..5259ce7
---- /dev/null
-+++ b/man/man8/mcelog_selinux.8
-@@ -0,0 +1,124 @@
-+.TH "mcelog_selinux" "8" "12-11-01" "mcelog" "SELinux Policy documentation for mcelog"
-+.SH "NAME"
-+mcelog_selinux \- Security Enhanced Linux Policy for the mcelog processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mcelog processes via flexible mandatory access control.
-+
-+The mcelog processes execute with the mcelog_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mcelog_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mcelog_t SELinux type can be entered via the "mcelog_exec_t" file type. The default entrypoint paths for the mcelog_t domain are the following:"
-+
-+/usr/sbin/mcelog
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mcelog policy is very flexible allowing users to setup their mcelog processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mcelog:
-+
-+.EX
-+.B mcelog_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mcelog policy is very flexible allowing users to setup their mcelog processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mcelog:
-+
-+
-+.EX
-+.PP
-+.B mcelog_exec_t
-+.EE
-+
-+- Set files with the mcelog_exec_t type, if you want to transition an executable to the mcelog_t domain.
-+
-+
-+.EX
-+.PP
-+.B mcelog_log_t
-+.EE
-+
-+- Set files with the mcelog_log_t type, if you want to treat the data as mcelog log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B mcelog_var_run_t
-+.EE
-+
-+- Set files with the mcelog_var_run_t type, if you want to store the mcelog files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mcelog_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mcelog_log_t
-+
-+ /var/log/mcelog.*
-+.br
-+
-+.br
-+.B mcelog_var_run_t
-+
-+ /var/run/mcelog.*
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mcelog(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/mdadm_selinux.8 b/man/man8/mdadm_selinux.8
-new file mode 100644
-index 0000000..e023488
---- /dev/null
-+++ b/man/man8/mdadm_selinux.8
-@@ -0,0 +1,128 @@
-+.TH "mdadm_selinux" "8" "12-11-01" "mdadm" "SELinux Policy documentation for mdadm"
-+.SH "NAME"
-+mdadm_selinux \- Security Enhanced Linux Policy for the mdadm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mdadm processes via flexible mandatory access control.
-+
-+The mdadm processes execute with the mdadm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mdadm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mdadm_t SELinux type can be entered via the "mdadm_exec_t" file type. The default entrypoint paths for the mdadm_t domain are the following:"
-+
-+/sbin/mdadm, /sbin/mdmpd, /usr/sbin/mdadm, /usr/sbin/mdmpd, /usr/sbin/iprdump, /usr/sbin/iprinit, /usr/sbin/iprupdate, /usr/sbin/raid-check
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mdadm policy is very flexible allowing users to setup their mdadm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mdadm:
-+
-+.EX
-+.B mdadm_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mdadm policy is very flexible allowing users to setup their mdadm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mdadm:
-+
-+
-+.EX
-+.PP
-+.B mdadm_exec_t
-+.EE
-+
-+- Set files with the mdadm_exec_t type, if you want to transition an executable to the mdadm_t domain.
-+
-+
-+.EX
-+.PP
-+.B mdadm_var_run_t
-+.EE
-+
-+- Set files with the mdadm_var_run_t type, if you want to store the mdadm files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mdadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mdadm_var_run_t
-+
-+ /dev/.mdadm\.map
-+.br
-+ /dev/md/.*
-+.br
-+ /var/run/mdadm(/.*)?
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mdadm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mdadm_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mdadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/memcached_selinux.8 b/man/man8/memcached_selinux.8
-new file mode 100644
-index 0000000..f286679
---- /dev/null
-+++ b/man/man8/memcached_selinux.8
-@@ -0,0 +1,178 @@
-+.TH "memcached_selinux" "8" "12-11-01" "memcached" "SELinux Policy documentation for memcached"
-+.SH "NAME"
-+memcached_selinux \- Security Enhanced Linux Policy for the memcached processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the memcached processes via flexible mandatory access control.
-+
-+The memcached processes execute with the memcached_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep memcached_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The memcached_t SELinux type can be entered via the "memcached_exec_t" file type. The default entrypoint paths for the memcached_t domain are the following:"
-+
-+/usr/bin/memcached
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux memcached policy is very flexible allowing users to setup their memcached processes in as secure a method as possible.
-+.PP
-+The following process types are defined for memcached:
-+
-+.EX
-+.B memcached_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. memcached policy is extremely flexible and has several booleans that allow you to manipulate the policy and run memcached with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_network_memcache 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_network_memcache 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux memcached policy is very flexible allowing users to setup their memcached processes in as secure a method as possible.
-+.PP
-+The following file types are defined for memcached:
-+
-+
-+.EX
-+.PP
-+.B memcached_exec_t
-+.EE
-+
-+- Set files with the memcached_exec_t type, if you want to transition an executable to the memcached_t domain.
-+
-+
-+.EX
-+.PP
-+.B memcached_initrc_exec_t
-+.EE
-+
-+- Set files with the memcached_initrc_exec_t type, if you want to transition an executable to the memcached_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B memcached_var_run_t
-+.EE
-+
-+- Set files with the memcached_var_run_t type, if you want to store the memcached files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux memcached policy is very flexible allowing users to setup their memcached processes in as secure a method as possible.
-+.PP
-+The following port types are defined for memcached:
-+
-+.EX
-+.TP 5
-+.B memcache_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 11211
-+.EE
-+udp 11211
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type memcached_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B memcached_var_run_t
-+
-+ /var/run/memcached(/.*)?
-+.br
-+ /var/run/ipa_memcached(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the memcached_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the memcached_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), memcached(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/mencoder_selinux.8 b/man/man8/mencoder_selinux.8
-new file mode 100644
-index 0000000..70bc6e1
---- /dev/null
-+++ b/man/man8/mencoder_selinux.8
-@@ -0,0 +1,100 @@
-+.TH "mencoder_selinux" "8" "12-11-01" "mencoder" "SELinux Policy documentation for mencoder"
-+.SH "NAME"
-+mencoder_selinux \- Security Enhanced Linux Policy for the mencoder processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mencoder processes via flexible mandatory access control.
-+
-+The mencoder processes execute with the mencoder_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mencoder_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mencoder_t SELinux type can be entered via the "mencoder_exec_t" file type. The default entrypoint paths for the mencoder_t domain are the following:"
-+
-+/usr/bin/mencoder
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mencoder policy is very flexible allowing users to setup their mencoder processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mencoder:
-+
-+.EX
-+.B mencoder_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mencoder policy is very flexible allowing users to setup their mencoder processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mencoder:
-+
-+
-+.EX
-+.PP
-+.B mencoder_exec_t
-+.EE
-+
-+- Set files with the mencoder_exec_t type, if you want to transition an executable to the mencoder_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mencoder_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mplayer_home_t
-+
-+ /home/[^/]*/\.mplayer(/.*)?
-+.br
-+ /home/dwalsh/\.mplayer(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.mplayer(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mencoder(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/mock_build_selinux.8 b/man/man8/mock_build_selinux.8
-new file mode 100644
-index 0000000..82e2f70
---- /dev/null
-+++ b/man/man8/mock_build_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "mock_build_selinux" "8" "12-11-01" "mock_build" "SELinux Policy documentation for mock_build"
-+.SH "NAME"
-+mock_build_selinux \- Security Enhanced Linux Policy for the mock_build processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mock_build processes via flexible mandatory access control.
-+
-+The mock_build processes execute with the mock_build_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mock_build_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mock_build_t SELinux type can be entered via the "mock_var_lib_t,mock_build_exec_t,mock_tmp_t" file types. The default entrypoint paths for the mock_build_t domain are the following:"
-+
-+/var/lib/mock(/.*)?
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mock_build policy is very flexible allowing users to setup their mock_build processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mock_build:
-+
-+.EX
-+.B mock_build_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mock_build policy is very flexible allowing users to setup their mock_build processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mock_build:
-+
-+
-+.EX
-+.PP
-+.B mock_build_exec_t
-+.EE
-+
-+- Set files with the mock_build_exec_t type, if you want to transition an executable to the mock_build_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mock_build_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mock_cache_t
-+
-+ /var/cache/mock(/.*)?
-+.br
-+
-+.br
-+.B mock_tmp_t
-+
-+
-+.br
-+.B mock_var_lib_t
-+
-+ /var/lib/mock(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mock_build_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mock_build_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mock_build(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, mock_selinux(8), mock_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/mock_selinux.8 b/man/man8/mock_selinux.8
-new file mode 100644
-index 0000000..d8f798e
---- /dev/null
-+++ b/man/man8/mock_selinux.8
-@@ -0,0 +1,190 @@
-+.TH "mock_selinux" "8" "12-11-01" "mock" "SELinux Policy documentation for mock"
-+.SH "NAME"
-+mock_selinux \- Security Enhanced Linux Policy for the mock processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mock processes via flexible mandatory access control.
-+
-+The mock processes execute with the mock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mock_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mock_t SELinux type can be entered via the "mock_exec_t" file type. The default entrypoint paths for the mock_t domain are the following:"
-+
-+/usr/sbin/mock
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mock policy is very flexible allowing users to setup their mock processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mock:
-+
-+.EX
-+.B mock_t, mock_build_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. mock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mock with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow mock to read files in home directories, you must turn on the mock_enable_homedirs boolean.
-+
-+.EX
-+.B setsebool -P mock_enable_homedirs 1
-+.EE
-+
-+.PP
-+If you want to allow mock to read files in home directories, you must turn on the mock_enable_homedirs boolean.
-+
-+.EX
-+.B setsebool -P mock_enable_homedirs 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mock policy is very flexible allowing users to setup their mock processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mock:
-+
-+
-+.EX
-+.PP
-+.B mock_build_exec_t
-+.EE
-+
-+- Set files with the mock_build_exec_t type, if you want to transition an executable to the mock_build_t domain.
-+
-+
-+.EX
-+.PP
-+.B mock_cache_t
-+.EE
-+
-+- Set files with the mock_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B mock_etc_t
-+.EE
-+
-+- Set files with the mock_etc_t type, if you want to store mock files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B mock_exec_t
-+.EE
-+
-+- Set files with the mock_exec_t type, if you want to transition an executable to the mock_t domain.
-+
-+
-+.EX
-+.PP
-+.B mock_tmp_t
-+.EE
-+
-+- Set files with the mock_tmp_t type, if you want to store mock temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B mock_var_lib_t
-+.EE
-+
-+- Set files with the mock_var_lib_t type, if you want to store the mock files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mock_cache_t
-+
-+ /var/cache/mock(/.*)?
-+.br
-+
-+.br
-+.B mock_tmp_t
-+
-+
-+.br
-+.B mock_var_lib_t
-+
-+ /var/lib/mock(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mock_t, mock_build_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mock_t, mock_build_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mock(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), mock_build_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/modemmanager_selinux.8 b/man/man8/modemmanager_selinux.8
-new file mode 100644
-index 0000000..97ff255
---- /dev/null
-+++ b/man/man8/modemmanager_selinux.8
-@@ -0,0 +1,86 @@
-+.TH "modemmanager_selinux" "8" "12-11-01" "modemmanager" "SELinux Policy documentation for modemmanager"
-+.SH "NAME"
-+modemmanager_selinux \- Security Enhanced Linux Policy for the modemmanager processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the modemmanager processes via flexible mandatory access control.
-+
-+The modemmanager processes execute with the modemmanager_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep modemmanager_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The modemmanager_t SELinux type can be entered via the "modemmanager_exec_t" file type. The default entrypoint paths for the modemmanager_t domain are the following:"
-+
-+/usr/sbin/modem-manager
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux modemmanager policy is very flexible allowing users to setup their modemmanager processes in as secure a method as possible.
-+.PP
-+The following process types are defined for modemmanager:
-+
-+.EX
-+.B modemmanager_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux modemmanager policy is very flexible allowing users to setup their modemmanager processes in as secure a method as possible.
-+.PP
-+The following file types are defined for modemmanager:
-+
-+
-+.EX
-+.PP
-+.B modemmanager_exec_t
-+.EE
-+
-+- Set files with the modemmanager_exec_t type, if you want to transition an executable to the modemmanager_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), modemmanager(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/mongod_selinux.8 b/man/man8/mongod_selinux.8
-new file mode 100644
-index 0000000..a9bc3c3
---- /dev/null
-+++ b/man/man8/mongod_selinux.8
-@@ -0,0 +1,186 @@
-+.TH "mongod_selinux" "8" "12-11-01" "mongod" "SELinux Policy documentation for mongod"
-+.SH "NAME"
-+mongod_selinux \- Security Enhanced Linux Policy for the mongod processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mongod processes via flexible mandatory access control.
-+
-+The mongod processes execute with the mongod_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mongod_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mongod_t SELinux type can be entered via the "mongod_exec_t" file type. The default entrypoint paths for the mongod_t domain are the following:"
-+
-+/usr/bin/mongod, /usr/share/aeolus-conductor/dbomatic/dbomatic
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mongod policy is very flexible allowing users to setup their mongod processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mongod:
-+
-+.EX
-+.B mongod_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mongod policy is very flexible allowing users to setup their mongod processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mongod:
-+
-+
-+.EX
-+.PP
-+.B mongod_exec_t
-+.EE
-+
-+- Set files with the mongod_exec_t type, if you want to transition an executable to the mongod_t domain.
-+
-+
-+.EX
-+.PP
-+.B mongod_initrc_exec_t
-+.EE
-+
-+- Set files with the mongod_initrc_exec_t type, if you want to transition an executable to the mongod_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B mongod_log_t
-+.EE
-+
-+- Set files with the mongod_log_t type, if you want to treat the data as mongod log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B mongod_tmp_t
-+.EE
-+
-+- Set files with the mongod_tmp_t type, if you want to store mongod temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B mongod_var_lib_t
-+.EE
-+
-+- Set files with the mongod_var_lib_t type, if you want to store the mongod files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B mongod_var_run_t
-+.EE
-+
-+- Set files with the mongod_var_run_t type, if you want to store the mongod files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux mongod policy is very flexible allowing users to setup their mongod processes in as secure a method as possible.
-+.PP
-+The following port types are defined for mongod:
-+
-+.EX
-+.TP 5
-+.B mongod_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 27017
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mongod_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mongod_log_t
-+
-+ /var/log/mongo(/.*)?
-+.br
-+ /var/log/mongodb(/.*)?
-+.br
-+ /var/log/mongo/mongod\.log.*
-+.br
-+ /var/log/aeolus-conductor/dbomatic\.log.*
-+.br
-+
-+.br
-+.B mongod_tmp_t
-+
-+
-+.br
-+.B mongod_var_lib_t
-+
-+ /var/lib/mongodb(/.*)?
-+.br
-+
-+.br
-+.B mongod_var_run_t
-+
-+ /var/run/mongodb(/.*)?
-+.br
-+ /var/run/aeolus/dbomatic\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mongod(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/mount_ecryptfs_selinux.8 b/man/man8/mount_ecryptfs_selinux.8
-new file mode 100644
-index 0000000..47e1952
---- /dev/null
-+++ b/man/man8/mount_ecryptfs_selinux.8
-@@ -0,0 +1,125 @@
-+.TH "mount_ecryptfs_selinux" "8" "12-11-01" "mount_ecryptfs" "SELinux Policy documentation for mount_ecryptfs"
-+.SH "NAME"
-+mount_ecryptfs_selinux \- Security Enhanced Linux Policy for the mount_ecryptfs processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mount_ecryptfs processes via flexible mandatory access control.
-+
-+The mount_ecryptfs processes execute with the mount_ecryptfs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mount_ecryptfs_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mount_ecryptfs_t SELinux type can be entered via the "mount_ecryptfs_exec_t" file type. The default entrypoint paths for the mount_ecryptfs_t domain are the following:"
-+
-+/usr/sbin/mount\.ecryptfs, /usr/sbin/umount\.ecryptfs, /usr/sbin/mount\.ecryptfs_private, /usr/sbin/umount\.ecryptfs_private
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mount_ecryptfs policy is very flexible allowing users to setup their mount_ecryptfs processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mount_ecryptfs:
-+
-+.EX
-+.B mount_ecryptfs_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mount_ecryptfs policy is very flexible allowing users to setup their mount_ecryptfs processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mount_ecryptfs:
-+
-+
-+.EX
-+.PP
-+.B mount_ecryptfs_exec_t
-+.EE
-+
-+- Set files with the mount_ecryptfs_exec_t type, if you want to transition an executable to the mount_ecryptfs_t domain.
-+
-+
-+.EX
-+.PP
-+.B mount_ecryptfs_tmpfs_t
-+.EE
-+
-+- Set files with the mount_ecryptfs_tmpfs_t type, if you want to store mount ecryptfs files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mount_ecryptfs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mount_ecryptfs_tmpfs_t
-+
-+
-+.br
-+.B user_tmpfs_t
-+
-+ /dev/shm/mono.*
-+.br
-+ /dev/shm/pulse-shm.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mount_ecryptfs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mount_ecryptfs_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mount_ecryptfs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, mount_selinux(8), mount_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/mount_selinux.8 b/man/man8/mount_selinux.8
-new file mode 100644
-index 0000000..1f6de58
---- /dev/null
-+++ b/man/man8/mount_selinux.8
-@@ -0,0 +1,242 @@
-+.TH "mount_selinux" "8" "12-11-01" "mount" "SELinux Policy documentation for mount"
-+.SH "NAME"
-+mount_selinux \- Security Enhanced Linux Policy for the mount processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mount processes via flexible mandatory access control.
-+
-+The mount processes execute with the mount_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mount_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mount_t SELinux type can be entered via the "mount_exec_t,fusermount_exec_t" file types. The default entrypoint paths for the mount_t domain are the following:"
-+
-+/bin/mount.*, /bin/umount.*, /sbin/mount.*, /sbin/umount.*, /usr/bin/mount.*, /usr/bin/umount.*, /usr/sbin/mount.*, /usr/sbin/umount.*, /bin/fusermount, /usr/bin/fusermount
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mount policy is very flexible allowing users to setup their mount processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mount:
-+
-+.EX
-+.B mount_t, mount_ecryptfs_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. mount policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mount with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
-+
-+.EX
-+.B setsebool -P xguest_mount_media 1
-+.EE
-+
-+.PP
-+If you want to allow the mount command to mount any directory or file, you must turn on the mount_anyfile boolean.
-+
-+.EX
-+.B setsebool -P mount_anyfile 1
-+.EE
-+
-+.PP
-+If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
-+
-+.EX
-+.B setsebool -P xguest_mount_media 1
-+.EE
-+
-+.PP
-+If you want to allow the mount command to mount any directory or file, you must turn on the mount_anyfile boolean.
-+
-+.EX
-+.B setsebool -P mount_anyfile 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mount policy is very flexible allowing users to setup their mount processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mount:
-+
-+
-+.EX
-+.PP
-+.B mount_ecryptfs_exec_t
-+.EE
-+
-+- Set files with the mount_ecryptfs_exec_t type, if you want to transition an executable to the mount_ecryptfs_t domain.
-+
-+
-+.EX
-+.PP
-+.B mount_ecryptfs_tmpfs_t
-+.EE
-+
-+- Set files with the mount_ecryptfs_tmpfs_t type, if you want to store mount ecryptfs files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B mount_exec_t
-+.EE
-+
-+- Set files with the mount_exec_t type, if you want to transition an executable to the mount_t domain.
-+
-+
-+.EX
-+.PP
-+.B mount_loopback_t
-+.EE
-+
-+- Set files with the mount_loopback_t type, if you want to treat the files as mount loopback data.
-+
-+
-+.EX
-+.PP
-+.B mount_tmp_t
-+.EE
-+
-+- Set files with the mount_tmp_t type, if you want to store mount temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B mount_var_run_t
-+.EE
-+
-+- Set files with the mount_var_run_t type, if you want to store the mount files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mount_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B nfsd_fs_t
-+
-+
-+.br
-+.B non_security_file_type
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mount_t, mount_ecryptfs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mount_t, mount_ecryptfs_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mount(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), mount_ecryptfs_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/mozilla_plugin_config_selinux.8 b/man/man8/mozilla_plugin_config_selinux.8
-new file mode 100644
-index 0000000..ad663f1
---- /dev/null
-+++ b/man/man8/mozilla_plugin_config_selinux.8
-@@ -0,0 +1,233 @@
-+.TH "mozilla_plugin_config_selinux" "8" "12-11-01" "mozilla_plugin_config" "SELinux Policy documentation for mozilla_plugin_config"
-+.SH "NAME"
-+mozilla_plugin_config_selinux \- Security Enhanced Linux Policy for the mozilla_plugin_config processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mozilla_plugin_config processes via flexible mandatory access control.
-+
-+The mozilla_plugin_config processes execute with the mozilla_plugin_config_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mozilla_plugin_config_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mozilla_plugin_config_t SELinux type can be entered via the "mozilla_plugin_config_exec_t" file type. The default entrypoint paths for the mozilla_plugin_config_t domain are the following:"
-+
-+/usr/lib/nspluginwrapper/plugin-config
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mozilla_plugin_config policy is very flexible allowing users to setup their mozilla_plugin_config processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mozilla_plugin_config:
-+
-+.EX
-+.B mozilla_plugin_config_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mozilla_plugin_config policy is very flexible allowing users to setup their mozilla_plugin_config processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mozilla_plugin_config:
-+
-+
-+.EX
-+.PP
-+.B mozilla_plugin_config_exec_t
-+.EE
-+
-+- Set files with the mozilla_plugin_config_exec_t type, if you want to transition an executable to the mozilla_plugin_config_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mozilla_plugin_config_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mozilla_home_t
-+
-+ /home/[^/]*/\.java(/.*)?
-+.br
-+ /home/[^/]*/\.adobe(/.*)?
-+.br
-+ /home/[^/]*/\.gnash(/.*)?
-+.br
-+ /home/[^/]*/\.galeon(/.*)?
-+.br
-+ /home/[^/]*/\.spicec(/.*)?
-+.br
-+ /home/[^/]*/\.mozilla(/.*)?
-+.br
-+ /home/[^/]*/\.phoenix(/.*)?
-+.br
-+ /home/[^/]*/\.netscape(/.*)?
-+.br
-+ /home/[^/]*/\.ICAClient(/.*)?
-+.br
-+ /home/[^/]*/\.macromedia(/.*)?
-+.br
-+ /home/[^/]*/\.thunderbird(/.*)?
-+.br
-+ /home/[^/]*/\.gcjwebplugin(/.*)?
-+.br
-+ /home/[^/]*/\.icedteaplugin(/.*)?
-+.br
-+ /home/[^/]*/zimbrauserdata(/.*)?
-+.br
-+ /home/[^/]*/\.config/chromium(/.*)?
-+.br
-+ /home/dwalsh/\.java(/.*)?
-+.br
-+ /home/dwalsh/\.adobe(/.*)?
-+.br
-+ /home/dwalsh/\.gnash(/.*)?
-+.br
-+ /home/dwalsh/\.galeon(/.*)?
-+.br
-+ /home/dwalsh/\.spicec(/.*)?
-+.br
-+ /home/dwalsh/\.mozilla(/.*)?
-+.br
-+ /home/dwalsh/\.phoenix(/.*)?
-+.br
-+ /home/dwalsh/\.netscape(/.*)?
-+.br
-+ /home/dwalsh/\.ICAClient(/.*)?
-+.br
-+ /home/dwalsh/\.macromedia(/.*)?
-+.br
-+ /home/dwalsh/\.thunderbird(/.*)?
-+.br
-+ /home/dwalsh/\.gcjwebplugin(/.*)?
-+.br
-+ /home/dwalsh/\.icedteaplugin(/.*)?
-+.br
-+ /home/dwalsh/zimbrauserdata(/.*)?
-+.br
-+ /home/dwalsh/\.config/chromium(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.java(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.adobe(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.gnash(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.galeon(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.spicec(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.mozilla(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.phoenix(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.netscape(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.ICAClient(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.macromedia(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.thunderbird(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.icedteaplugin(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/zimbrauserdata(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.config/chromium(/.*)?
-+.br
-+
-+.br
-+.B mozilla_plugin_rw_t
-+
-+ /usr/lib/mozilla/plugins-wrapped(/.*)?
-+.br
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mozilla_plugin_config(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, mozilla_selinux(8), mozilla_selinux(8), mozilla_plugin_selinux(8), mozilla_plugin_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/mozilla_plugin_selinux.8 b/man/man8/mozilla_plugin_selinux.8
-new file mode 100644
-index 0000000..a873bb4
---- /dev/null
-+++ b/man/man8/mozilla_plugin_selinux.8
-@@ -0,0 +1,392 @@
-+.TH "mozilla_plugin_selinux" "8" "12-11-01" "mozilla_plugin" "SELinux Policy documentation for mozilla_plugin"
-+.SH "NAME"
-+mozilla_plugin_selinux \- Security Enhanced Linux Policy for the mozilla_plugin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mozilla_plugin processes via flexible mandatory access control.
-+
-+The mozilla_plugin processes execute with the mozilla_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mozilla_plugin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mozilla_plugin_t SELinux type can be entered via the "mozilla_plugin_exec_t" file type. The default entrypoint paths for the mozilla_plugin_t domain are the following:"
-+
-+/usr/lib/xulrunner[^/]*/plugin-container, /usr/lib/nspluginwrapper/npviewer.bin, /usr/bin/nspluginscan, /usr/bin/nspluginviewer
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mozilla_plugin policy is very flexible allowing users to setup their mozilla_plugin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mozilla_plugin:
-+
-+.EX
-+.B mozilla_plugin_config_t, mozilla_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. mozilla_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mozilla_plugin with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow mozilla plugin domain to connect to the network using TCP, you must turn on the mozilla_plugin_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P mozilla_plugin_can_network_connect 1
-+.EE
-+
-+.PP
-+If you want to allow mozilla_plugins to create random content in the users home directory, you must turn on the mozilla_plugin_enable_homedirs boolean.
-+
-+.EX
-+.B setsebool -P mozilla_plugin_enable_homedirs 1
-+.EE
-+
-+.PP
-+If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
-+
-+.EX
-+.B setsebool -P unconfined_mozilla_plugin_transition 1
-+.EE
-+
-+.PP
-+If you want to allow mozilla plugin domain to connect to the network using TCP, you must turn on the mozilla_plugin_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P mozilla_plugin_can_network_connect 1
-+.EE
-+
-+.PP
-+If you want to allow mozilla_plugins to create random content in the users home directory, you must turn on the mozilla_plugin_enable_homedirs boolean.
-+
-+.EX
-+.B setsebool -P mozilla_plugin_enable_homedirs 1
-+.EE
-+
-+.PP
-+If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
-+
-+.EX
-+.B setsebool -P unconfined_mozilla_plugin_transition 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mozilla_plugin policy is very flexible allowing users to setup their mozilla_plugin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mozilla_plugin:
-+
-+
-+.EX
-+.PP
-+.B mozilla_plugin_config_exec_t
-+.EE
-+
-+- Set files with the mozilla_plugin_config_exec_t type, if you want to transition an executable to the mozilla_plugin_config_t domain.
-+
-+
-+.EX
-+.PP
-+.B mozilla_plugin_exec_t
-+.EE
-+
-+- Set files with the mozilla_plugin_exec_t type, if you want to transition an executable to the mozilla_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B mozilla_plugin_rw_t
-+.EE
-+
-+- Set files with the mozilla_plugin_rw_t type, if you want to treat the files as mozilla plugin read/write content.
-+
-+
-+.EX
-+.PP
-+.B mozilla_plugin_tmp_t
-+.EE
-+
-+- Set files with the mozilla_plugin_tmp_t type, if you want to store mozilla plugin temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B mozilla_plugin_tmpfs_t
-+.EE
-+
-+- Set files with the mozilla_plugin_tmpfs_t type, if you want to store mozilla plugin files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mozilla_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B gnome_home_type
-+
-+
-+.br
-+.B home_cert_t
-+
-+ /root/\.pki(/.*)?
-+.br
-+ /root/\.cert(/.*)?
-+.br
-+ /home/[^/]*/.kde/share/apps/networkmanagement/certificates(/.*)?
-+.br
-+ /home/[^/]*/\.pki(/.*)?
-+.br
-+ /home/[^/]*/\.cert(/.*)?
-+.br
-+ /home/dwalsh/.kde/share/apps/networkmanagement/certificates(/.*)?
-+.br
-+ /home/dwalsh/\.pki(/.*)?
-+.br
-+ /home/dwalsh/\.cert(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/.kde/share/apps/networkmanagement/certificates(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.pki(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cert(/.*)?
-+.br
-+
-+.br
-+.B mozilla_home_t
-+
-+ /home/[^/]*/\.java(/.*)?
-+.br
-+ /home/[^/]*/\.adobe(/.*)?
-+.br
-+ /home/[^/]*/\.gnash(/.*)?
-+.br
-+ /home/[^/]*/\.galeon(/.*)?
-+.br
-+ /home/[^/]*/\.spicec(/.*)?
-+.br
-+ /home/[^/]*/\.mozilla(/.*)?
-+.br
-+ /home/[^/]*/\.phoenix(/.*)?
-+.br
-+ /home/[^/]*/\.netscape(/.*)?
-+.br
-+ /home/[^/]*/\.ICAClient(/.*)?
-+.br
-+ /home/[^/]*/\.macromedia(/.*)?
-+.br
-+ /home/[^/]*/\.thunderbird(/.*)?
-+.br
-+ /home/[^/]*/\.gcjwebplugin(/.*)?
-+.br
-+ /home/[^/]*/\.icedteaplugin(/.*)?
-+.br
-+ /home/[^/]*/zimbrauserdata(/.*)?
-+.br
-+ /home/[^/]*/\.config/chromium(/.*)?
-+.br
-+ /home/dwalsh/\.java(/.*)?
-+.br
-+ /home/dwalsh/\.adobe(/.*)?
-+.br
-+ /home/dwalsh/\.gnash(/.*)?
-+.br
-+ /home/dwalsh/\.galeon(/.*)?
-+.br
-+ /home/dwalsh/\.spicec(/.*)?
-+.br
-+ /home/dwalsh/\.mozilla(/.*)?
-+.br
-+ /home/dwalsh/\.phoenix(/.*)?
-+.br
-+ /home/dwalsh/\.netscape(/.*)?
-+.br
-+ /home/dwalsh/\.ICAClient(/.*)?
-+.br
-+ /home/dwalsh/\.macromedia(/.*)?
-+.br
-+ /home/dwalsh/\.thunderbird(/.*)?
-+.br
-+ /home/dwalsh/\.gcjwebplugin(/.*)?
-+.br
-+ /home/dwalsh/\.icedteaplugin(/.*)?
-+.br
-+ /home/dwalsh/zimbrauserdata(/.*)?
-+.br
-+ /home/dwalsh/\.config/chromium(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.java(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.adobe(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.gnash(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.galeon(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.spicec(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.mozilla(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.phoenix(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.netscape(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.ICAClient(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.macromedia(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.thunderbird(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.icedteaplugin(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/zimbrauserdata(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.config/chromium(/.*)?
-+.br
-+
-+.br
-+.B mozilla_plugin_tmp_t
-+
-+
-+.br
-+.B mozilla_plugin_tmpfs_t
-+
-+
-+.br
-+.B mplayer_home_t
-+
-+ /home/[^/]*/\.mplayer(/.*)?
-+.br
-+ /home/dwalsh/\.mplayer(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.mplayer(/.*)?
-+.br
-+
-+.br
-+.B pulseaudio_home_t
-+
-+ /root/\.pulse(/.*)?
-+.br
-+ /root/\.esd_auth
-+.br
-+ /root/\.pulse-cookie
-+.br
-+ /home/[^/]*/\.pulse(/.*)?
-+.br
-+ /home/[^/]*/\.esd_auth
-+.br
-+ /home/[^/]*/\.pulse-cookie
-+.br
-+ /home/dwalsh/\.pulse(/.*)?
-+.br
-+ /home/dwalsh/\.esd_auth
-+.br
-+ /home/dwalsh/\.pulse-cookie
-+.br
-+ /var/lib/xguest/home/xguest/\.pulse(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.esd_auth
-+.br
-+ /var/lib/xguest/home/xguest/\.pulse-cookie
-+.br
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B user_tmpfs_t
-+
-+ /dev/shm/mono.*
-+.br
-+ /dev/shm/pulse-shm.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, mozilla_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, mozilla_plugin_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mozilla_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), mozilla_selinux(8), mozilla_selinux(8), mozilla_plugin_config_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/mozilla_selinux.8 b/man/man8/mozilla_selinux.8
-new file mode 100644
-index 0000000..5c7618a
---- /dev/null
-+++ b/man/man8/mozilla_selinux.8
-@@ -0,0 +1,422 @@
-+.TH "mozilla_selinux" "8" "12-11-01" "mozilla" "SELinux Policy documentation for mozilla"
-+.SH "NAME"
-+mozilla_selinux \- Security Enhanced Linux Policy for the mozilla processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mozilla processes via flexible mandatory access control.
-+
-+The mozilla processes execute with the mozilla_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mozilla_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mozilla_t SELinux type can be entered via the "mozilla_exec_t" file type. The default entrypoint paths for the mozilla_t domain are the following:"
-+
-+/usr/lib/[^/]*firefox[^/]*/firefox, /usr/lib/[^/]*firefox[^/]*/firefox-bin, /usr/lib/mozilla[^/]*/reg.+, /usr/lib/mozilla[^/]*/mozilla-.*, /usr/lib/firefox[^/]*/mozilla-.*, /usr/bin/mozilla-[0-9].*, /usr/lib/netscape/.+/communicator/communicator-smotif\.real, /usr/bin/mozilla-bin-[0-9].*, /usr/bin/mozilla, /usr/bin/netscape, /usr/bin/epiphany, /usr/bin/epiphany-bin, /usr/lib/galeon/galeon, /usr/bin/mozilla-snapshot, /usr/lib/netscape/base-4/wrapper
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mozilla policy is very flexible allowing users to setup their mozilla processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mozilla:
-+
-+.EX
-+.B mozilla_t, mozilla_plugin_config_t, mozilla_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. mozilla policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mozilla with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow mozilla plugin domain to connect to the network using TCP, you must turn on the mozilla_plugin_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P mozilla_plugin_can_network_connect 1
-+.EE
-+
-+.PP
-+If you want to allow confined web browsers to read home directory content, you must turn on the mozilla_read_content boolean.
-+
-+.EX
-+.B setsebool -P mozilla_read_content 1
-+.EE
-+
-+.PP
-+If you want to allow mozilla_plugins to create random content in the users home directory, you must turn on the mozilla_plugin_enable_homedirs boolean.
-+
-+.EX
-+.B setsebool -P mozilla_plugin_enable_homedirs 1
-+.EE
-+
-+.PP
-+If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
-+
-+.EX
-+.B setsebool -P unconfined_mozilla_plugin_transition 1
-+.EE
-+
-+.PP
-+If you want to allow mozilla plugin domain to connect to the network using TCP, you must turn on the mozilla_plugin_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P mozilla_plugin_can_network_connect 1
-+.EE
-+
-+.PP
-+If you want to allow confined web browsers to read home directory content, you must turn on the mozilla_read_content boolean.
-+
-+.EX
-+.B setsebool -P mozilla_read_content 1
-+.EE
-+
-+.PP
-+If you want to allow mozilla_plugins to create random content in the users home directory, you must turn on the mozilla_plugin_enable_homedirs boolean.
-+
-+.EX
-+.B setsebool -P mozilla_plugin_enable_homedirs 1
-+.EE
-+
-+.PP
-+If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
-+
-+.EX
-+.B setsebool -P unconfined_mozilla_plugin_transition 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mozilla policy is very flexible allowing users to setup their mozilla processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mozilla:
-+
-+
-+.EX
-+.PP
-+.B mozilla_conf_t
-+.EE
-+
-+- Set files with the mozilla_conf_t type, if you want to treat the files as mozilla configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B mozilla_exec_t
-+.EE
-+
-+- Set files with the mozilla_exec_t type, if you want to transition an executable to the mozilla_t domain.
-+
-+
-+.EX
-+.PP
-+.B mozilla_home_t
-+.EE
-+
-+- Set files with the mozilla_home_t type, if you want to store mozilla files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B mozilla_plugin_config_exec_t
-+.EE
-+
-+- Set files with the mozilla_plugin_config_exec_t type, if you want to transition an executable to the mozilla_plugin_config_t domain.
-+
-+
-+.EX
-+.PP
-+.B mozilla_plugin_exec_t
-+.EE
-+
-+- Set files with the mozilla_plugin_exec_t type, if you want to transition an executable to the mozilla_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B mozilla_plugin_rw_t
-+.EE
-+
-+- Set files with the mozilla_plugin_rw_t type, if you want to treat the files as mozilla plugin read/write content.
-+
-+
-+.EX
-+.PP
-+.B mozilla_plugin_tmp_t
-+.EE
-+
-+- Set files with the mozilla_plugin_tmp_t type, if you want to store mozilla plugin temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B mozilla_plugin_tmpfs_t
-+.EE
-+
-+- Set files with the mozilla_plugin_tmpfs_t type, if you want to store mozilla plugin files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B mozilla_tmp_t
-+.EE
-+
-+- Set files with the mozilla_tmp_t type, if you want to store mozilla temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B mozilla_tmpfs_t
-+.EE
-+
-+- Set files with the mozilla_tmpfs_t type, if you want to store mozilla files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mozilla_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B gconf_home_t
-+
-+ /root/\.local.*
-+.br
-+ /root/\.gconf(d)?(/.*)?
-+.br
-+ /home/[^/]*/\.local.*
-+.br
-+ /home/[^/]*/\.gconf(d)?(/.*)?
-+.br
-+ /home/dwalsh/\.local.*
-+.br
-+ /home/dwalsh/\.gconf(d)?(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.local.*
-+.br
-+ /var/lib/xguest/home/xguest/\.gconf(d)?(/.*)?
-+.br
-+
-+.br
-+.B gnome_home_type
-+
-+
-+.br
-+.B mozilla_home_t
-+
-+ /home/[^/]*/\.java(/.*)?
-+.br
-+ /home/[^/]*/\.adobe(/.*)?
-+.br
-+ /home/[^/]*/\.gnash(/.*)?
-+.br
-+ /home/[^/]*/\.galeon(/.*)?
-+.br
-+ /home/[^/]*/\.spicec(/.*)?
-+.br
-+ /home/[^/]*/\.mozilla(/.*)?
-+.br
-+ /home/[^/]*/\.phoenix(/.*)?
-+.br
-+ /home/[^/]*/\.netscape(/.*)?
-+.br
-+ /home/[^/]*/\.ICAClient(/.*)?
-+.br
-+ /home/[^/]*/\.macromedia(/.*)?
-+.br
-+ /home/[^/]*/\.thunderbird(/.*)?
-+.br
-+ /home/[^/]*/\.gcjwebplugin(/.*)?
-+.br
-+ /home/[^/]*/\.icedteaplugin(/.*)?
-+.br
-+ /home/[^/]*/zimbrauserdata(/.*)?
-+.br
-+ /home/[^/]*/\.config/chromium(/.*)?
-+.br
-+ /home/dwalsh/\.java(/.*)?
-+.br
-+ /home/dwalsh/\.adobe(/.*)?
-+.br
-+ /home/dwalsh/\.gnash(/.*)?
-+.br
-+ /home/dwalsh/\.galeon(/.*)?
-+.br
-+ /home/dwalsh/\.spicec(/.*)?
-+.br
-+ /home/dwalsh/\.mozilla(/.*)?
-+.br
-+ /home/dwalsh/\.phoenix(/.*)?
-+.br
-+ /home/dwalsh/\.netscape(/.*)?
-+.br
-+ /home/dwalsh/\.ICAClient(/.*)?
-+.br
-+ /home/dwalsh/\.macromedia(/.*)?
-+.br
-+ /home/dwalsh/\.thunderbird(/.*)?
-+.br
-+ /home/dwalsh/\.gcjwebplugin(/.*)?
-+.br
-+ /home/dwalsh/\.icedteaplugin(/.*)?
-+.br
-+ /home/dwalsh/zimbrauserdata(/.*)?
-+.br
-+ /home/dwalsh/\.config/chromium(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.java(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.adobe(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.gnash(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.galeon(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.spicec(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.mozilla(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.phoenix(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.netscape(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.ICAClient(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.macromedia(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.thunderbird(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.icedteaplugin(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/zimbrauserdata(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.config/chromium(/.*)?
-+.br
-+
-+.br
-+.B mozilla_tmp_t
-+
-+
-+.br
-+.B mozilla_tmpfs_t
-+
-+
-+.br
-+.B pulseaudio_home_t
-+
-+ /root/\.pulse(/.*)?
-+.br
-+ /root/\.esd_auth
-+.br
-+ /root/\.pulse-cookie
-+.br
-+ /home/[^/]*/\.pulse(/.*)?
-+.br
-+ /home/[^/]*/\.esd_auth
-+.br
-+ /home/[^/]*/\.pulse-cookie
-+.br
-+ /home/dwalsh/\.pulse(/.*)?
-+.br
-+ /home/dwalsh/\.esd_auth
-+.br
-+ /home/dwalsh/\.pulse-cookie
-+.br
-+ /var/lib/xguest/home/xguest/\.pulse(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.esd_auth
-+.br
-+ /var/lib/xguest/home/xguest/\.pulse-cookie
-+.br
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mozilla(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), mozilla_plugin_selinux(8), mozilla_plugin_config_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/mpd_selinux.8 b/man/man8/mpd_selinux.8
-new file mode 100644
-index 0000000..ee3fb08
---- /dev/null
-+++ b/man/man8/mpd_selinux.8
-@@ -0,0 +1,296 @@
-+.TH "mpd_selinux" "8" "12-11-01" "mpd" "SELinux Policy documentation for mpd"
-+.SH "NAME"
-+mpd_selinux \- Security Enhanced Linux Policy for the mpd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mpd processes via flexible mandatory access control.
-+
-+The mpd processes execute with the mpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mpd_t SELinux type can be entered via the "mpd_exec_t" file type. The default entrypoint paths for the mpd_t domain are the following:"
-+
-+/usr/bin/mpd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mpd policy is very flexible allowing users to setup their mpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mpd:
-+
-+.EX
-+.B mpd_t, mplayer_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. mpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mpd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean.
-+
-+.EX
-+.B setsebool -P mplayer_execstack 1
-+.EE
-+
-+.PP
-+If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean.
-+
-+.EX
-+.B setsebool -P daemons_dump_core 1
-+.EE
-+
-+.PP
-+If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean.
-+
-+.EX
-+.B setsebool -P gssd_read_tmp 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean.
-+
-+.EX
-+.B setsebool -P httpd_tmp_exec 1
-+.EE
-+
-+.PP
-+If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean.
-+
-+.EX
-+.B setsebool -P unconfined_mplayer 1
-+.EE
-+
-+.PP
-+If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean.
-+
-+.EX
-+.B setsebool -P mplayer_execstack 1
-+.EE
-+
-+.PP
-+If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean.
-+
-+.EX
-+.B setsebool -P daemons_dump_core 1
-+.EE
-+
-+.PP
-+If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean.
-+
-+.EX
-+.B setsebool -P gssd_read_tmp 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean.
-+
-+.EX
-+.B setsebool -P httpd_tmp_exec 1
-+.EE
-+
-+.PP
-+If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean.
-+
-+.EX
-+.B setsebool -P unconfined_mplayer 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mpd policy is very flexible allowing users to setup their mpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mpd:
-+
-+
-+.EX
-+.PP
-+.B mpd_data_t
-+.EE
-+
-+- Set files with the mpd_data_t type, if you want to treat the files as mpd content.
-+
-+
-+.EX
-+.PP
-+.B mpd_etc_t
-+.EE
-+
-+- Set files with the mpd_etc_t type, if you want to store mpd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B mpd_exec_t
-+.EE
-+
-+- Set files with the mpd_exec_t type, if you want to transition an executable to the mpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B mpd_initrc_exec_t
-+.EE
-+
-+- Set files with the mpd_initrc_exec_t type, if you want to transition an executable to the mpd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B mpd_log_t
-+.EE
-+
-+- Set files with the mpd_log_t type, if you want to treat the data as mpd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B mpd_tmp_t
-+.EE
-+
-+- Set files with the mpd_tmp_t type, if you want to store mpd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B mpd_tmpfs_t
-+.EE
-+
-+- Set files with the mpd_tmpfs_t type, if you want to store mpd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B mpd_var_lib_t
-+.EE
-+
-+- Set files with the mpd_var_lib_t type, if you want to store the mpd files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux mpd policy is very flexible allowing users to setup their mpd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for mpd:
-+
-+.EX
-+.TP 5
-+.B mpd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 6600
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B mpd_data_t
-+
-+ /var/lib/mpd/music(/.*)?
-+.br
-+ /var/lib/mpd/playlists(/.*)?
-+.br
-+
-+.br
-+.B mpd_log_t
-+
-+ /var/log/mpd(/.*)?
-+.br
-+
-+.br
-+.B mpd_tmp_t
-+
-+
-+.br
-+.B mpd_tmpfs_t
-+
-+
-+.br
-+.B mpd_var_lib_t
-+
-+ /var/lib/mpd(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mpd_t, mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mpd_t, mplayer_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), mplayer_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/mplayer_selinux.8 b/man/man8/mplayer_selinux.8
-new file mode 100644
-index 0000000..5be39fe
---- /dev/null
-+++ b/man/man8/mplayer_selinux.8
-@@ -0,0 +1,206 @@
-+.TH "mplayer_selinux" "8" "12-11-01" "mplayer" "SELinux Policy documentation for mplayer"
-+.SH "NAME"
-+mplayer_selinux \- Security Enhanced Linux Policy for the mplayer processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mplayer processes via flexible mandatory access control.
-+
-+The mplayer processes execute with the mplayer_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mplayer_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mplayer_t SELinux type can be entered via the "mplayer_exec_t" file type. The default entrypoint paths for the mplayer_t domain are the following:"
-+
-+/usr/bin/vlc, /usr/bin/xine, /usr/bin/mplayer
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mplayer policy is very flexible allowing users to setup their mplayer processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mplayer:
-+
-+.EX
-+.B mplayer_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. mplayer policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mplayer with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean.
-+
-+.EX
-+.B setsebool -P mplayer_execstack 1
-+.EE
-+
-+.PP
-+If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean.
-+
-+.EX
-+.B setsebool -P unconfined_mplayer 1
-+.EE
-+
-+.PP
-+If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean.
-+
-+.EX
-+.B setsebool -P mplayer_execstack 1
-+.EE
-+
-+.PP
-+If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean.
-+
-+.EX
-+.B setsebool -P unconfined_mplayer 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mplayer policy is very flexible allowing users to setup their mplayer processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mplayer:
-+
-+
-+.EX
-+.PP
-+.B mplayer_etc_t
-+.EE
-+
-+- Set files with the mplayer_etc_t type, if you want to store mplayer files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B mplayer_exec_t
-+.EE
-+
-+- Set files with the mplayer_exec_t type, if you want to transition an executable to the mplayer_t domain.
-+
-+
-+.EX
-+.PP
-+.B mplayer_home_t
-+.EE
-+
-+- Set files with the mplayer_home_t type, if you want to store mplayer files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B mplayer_tmpfs_t
-+.EE
-+
-+- Set files with the mplayer_tmpfs_t type, if you want to store mplayer files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mplayer_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mplayer_home_t
-+
-+ /home/[^/]*/\.mplayer(/.*)?
-+.br
-+ /home/dwalsh/\.mplayer(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.mplayer(/.*)?
-+.br
-+
-+.br
-+.B mplayer_tmpfs_t
-+
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mplayer_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mplayer(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/mrtg_selinux.8 b/man/man8/mrtg_selinux.8
-new file mode 100644
-index 0000000..f49743b
---- /dev/null
-+++ b/man/man8/mrtg_selinux.8
-@@ -0,0 +1,210 @@
-+.TH "mrtg_selinux" "8" "12-11-01" "mrtg" "SELinux Policy documentation for mrtg"
-+.SH "NAME"
-+mrtg_selinux \- Security Enhanced Linux Policy for the mrtg processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mrtg processes via flexible mandatory access control.
-+
-+The mrtg processes execute with the mrtg_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mrtg_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mrtg_t SELinux type can be entered via the "mrtg_exec_t" file type. The default entrypoint paths for the mrtg_t domain are the following:"
-+
-+/usr/bin/mrtg
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mrtg policy is very flexible allowing users to setup their mrtg processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mrtg:
-+
-+.EX
-+.B mrtg_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mrtg policy is very flexible allowing users to setup their mrtg processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mrtg:
-+
-+
-+.EX
-+.PP
-+.B mrtg_etc_t
-+.EE
-+
-+- Set files with the mrtg_etc_t type, if you want to store mrtg files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B mrtg_exec_t
-+.EE
-+
-+- Set files with the mrtg_exec_t type, if you want to transition an executable to the mrtg_t domain.
-+
-+
-+.EX
-+.PP
-+.B mrtg_lock_t
-+.EE
-+
-+- Set files with the mrtg_lock_t type, if you want to treat the files as mrtg lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B mrtg_log_t
-+.EE
-+
-+- Set files with the mrtg_log_t type, if you want to treat the data as mrtg log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B mrtg_var_lib_t
-+.EE
-+
-+- Set files with the mrtg_var_lib_t type, if you want to store the mrtg files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B mrtg_var_run_t
-+.EE
-+
-+- Set files with the mrtg_var_run_t type, if you want to store the mrtg files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mrtg_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_sys_content_t
-+
-+ /srv/([^/]*/)?www(/.*)?
-+.br
-+ /var/www(/.*)?
-+.br
-+ /etc/htdig(/.*)?
-+.br
-+ /srv/gallery2(/.*)?
-+.br
-+ /var/lib/trac(/.*)?
-+.br
-+ /var/lib/htdig(/.*)?
-+.br
-+ /var/www/icons(/.*)?
-+.br
-+ /usr/share/htdig(/.*)?
-+.br
-+ /usr/share/drupal.*
-+.br
-+ /var/www/svn/conf(/.*)?
-+.br
-+ /usr/share/icecast(/.*)?
-+.br
-+ /usr/share/mythweb(/.*)?
-+.br
-+ /var/lib/cacti/rra(/.*)?
-+.br
-+ /usr/share/ntop/html(/.*)?
-+.br
-+ /usr/share/mythtv/data(/.*)?
-+.br
-+ /usr/share/doc/ghc/html(/.*)?
-+.br
-+ /usr/share/openca/htdocs(/.*)?
-+.br
-+ /usr/share/selinux-policy[^/]*/html(/.*)?
-+.br
-+
-+.br
-+.B mrtg_lock_t
-+
-+ /var/lock/mrtg(/.*)?
-+.br
-+ /etc/mrtg/mrtg\.ok
-+.br
-+
-+.br
-+.B mrtg_log_t
-+
-+ /var/log/mrtg(/.*)?
-+.br
-+
-+.br
-+.B mrtg_var_lib_t
-+
-+ /var/lib/mrtg(/.*)?
-+.br
-+
-+.br
-+.B mrtg_var_run_t
-+
-+ /var/run/mrtg\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mrtg_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mrtg_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mrtg(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/mscan_selinux.8 b/man/man8/mscan_selinux.8
-new file mode 100644
-index 0000000..3349daa
---- /dev/null
-+++ b/man/man8/mscan_selinux.8
-@@ -0,0 +1,204 @@
-+.TH "mscan_selinux" "8" "12-11-01" "mscan" "SELinux Policy documentation for mscan"
-+.SH "NAME"
-+mscan_selinux \- Security Enhanced Linux Policy for the mscan processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mscan processes via flexible mandatory access control.
-+
-+The mscan processes execute with the mscan_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mscan_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mscan_t SELinux type can be entered via the "mscan_exec_t" file type. The default entrypoint paths for the mscan_t domain are the following:"
-+
-+/usr/sbin/MailScanner
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mscan policy is very flexible allowing users to setup their mscan processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mscan:
-+
-+.EX
-+.B mscan_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. mscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mscan with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean.
-+
-+.EX
-+.B setsebool -P clamscan_can_scan_system 1
-+.EE
-+
-+.PP
-+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
-+
-+.EX
-+.B setsebool -P clamscan_read_user_content 1
-+.EE
-+
-+.PP
-+If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean.
-+
-+.EX
-+.B setsebool -P clamscan_can_scan_system 1
-+.EE
-+
-+.PP
-+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
-+
-+.EX
-+.B setsebool -P clamscan_read_user_content 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mscan policy is very flexible allowing users to setup their mscan processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mscan:
-+
-+
-+.EX
-+.PP
-+.B mscan_etc_t
-+.EE
-+
-+- Set files with the mscan_etc_t type, if you want to store mscan files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B mscan_exec_t
-+.EE
-+
-+- Set files with the mscan_exec_t type, if you want to transition an executable to the mscan_t domain.
-+
-+
-+.EX
-+.PP
-+.B mscan_initrc_exec_t
-+.EE
-+
-+- Set files with the mscan_initrc_exec_t type, if you want to transition an executable to the mscan_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B mscan_tmp_t
-+.EE
-+
-+- Set files with the mscan_tmp_t type, if you want to store mscan temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B mscan_var_run_t
-+.EE
-+
-+- Set files with the mscan_var_run_t type, if you want to store the mscan files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mscan_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B clamd_var_run_t
-+
-+ /var/run/clamd.*
-+.br
-+ /var/run/clamav.*
-+.br
-+ /var/run/amavis(d)?/clamd\.pid
-+.br
-+ /var/spool/MailScanner(/.*)?
-+.br
-+ /var/spool/amavisd/clamd\.sock
-+.br
-+
-+.br
-+.B mqueue_spool_t
-+
-+ /var/spool/(client)?mqueue(/.*)?
-+.br
-+ /var/spool/mqueue\.in(/.*)?
-+.br
-+
-+.br
-+.B mscan_tmp_t
-+
-+
-+.br
-+.B mscan_var_run_t
-+
-+ /var/run/MailScanner\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mscan_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mscan_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mscan(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/munin_selinux.8 b/man/man8/munin_selinux.8
-new file mode 100644
-index 0000000..4e6e830
---- /dev/null
-+++ b/man/man8/munin_selinux.8
-@@ -0,0 +1,222 @@
-+.TH "munin_selinux" "8" "12-11-01" "munin" "SELinux Policy documentation for munin"
-+.SH "NAME"
-+munin_selinux \- Security Enhanced Linux Policy for the munin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the munin processes via flexible mandatory access control.
-+
-+The munin processes execute with the munin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep munin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The munin_t SELinux type can be entered via the "munin_exec_t" file type. The default entrypoint paths for the munin_t domain are the following:"
-+
-+/usr/bin/munin-.*, /usr/sbin/munin-.*, /usr/share/munin/munin-.*, /usr/share/munin/plugins/.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux munin policy is very flexible allowing users to setup their munin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for munin:
-+
-+.EX
-+.B munin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux munin policy is very flexible allowing users to setup their munin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for munin:
-+
-+
-+.EX
-+.PP
-+.B munin_etc_t
-+.EE
-+
-+- Set files with the munin_etc_t type, if you want to store munin files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B munin_exec_t
-+.EE
-+
-+- Set files with the munin_exec_t type, if you want to transition an executable to the munin_t domain.
-+
-+
-+.EX
-+.PP
-+.B munin_initrc_exec_t
-+.EE
-+
-+- Set files with the munin_initrc_exec_t type, if you want to transition an executable to the munin_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B munin_log_t
-+.EE
-+
-+- Set files with the munin_log_t type, if you want to treat the data as munin log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B munin_plugin_state_t
-+.EE
-+
-+- Set files with the munin_plugin_state_t type, if you want to treat the files as munin plugin state data.
-+
-+
-+.EX
-+.PP
-+.B munin_tmp_t
-+.EE
-+
-+- Set files with the munin_tmp_t type, if you want to store munin temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B munin_var_lib_t
-+.EE
-+
-+- Set files with the munin_var_lib_t type, if you want to store the munin files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B munin_var_run_t
-+.EE
-+
-+- Set files with the munin_var_run_t type, if you want to store the munin files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux munin policy is very flexible allowing users to setup their munin processes in as secure a method as possible.
-+.PP
-+The following port types are defined for munin:
-+
-+.EX
-+.TP 5
-+.B munin_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 4949
-+.EE
-+udp 4949
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type munin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_munin_content_t
-+
-+ /var/www/html/munin(/.*)?
-+.br
-+
-+.br
-+.B munin_log_t
-+
-+ /var/log/munin.*
-+.br
-+
-+.br
-+.B munin_plugin_state_t
-+
-+ /var/lib/munin/plugin-state(/.*)?
-+.br
-+
-+.br
-+.B munin_tmp_t
-+
-+
-+.br
-+.B munin_var_lib_t
-+
-+ /var/lib/munin(/.*)?
-+.br
-+
-+.br
-+.B munin_var_run_t
-+
-+ /var/run/munin(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the munin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the munin_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), munin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/mysqld_safe_selinux.8 b/man/man8/mysqld_safe_selinux.8
-new file mode 100644
-index 0000000..33c4086
---- /dev/null
-+++ b/man/man8/mysqld_safe_selinux.8
-@@ -0,0 +1,111 @@
-+.TH "mysqld_safe_selinux" "8" "12-11-01" "mysqld_safe" "SELinux Policy documentation for mysqld_safe"
-+.SH "NAME"
-+mysqld_safe_selinux \- Security Enhanced Linux Policy for the mysqld_safe processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mysqld_safe processes via flexible mandatory access control.
-+
-+The mysqld_safe processes execute with the mysqld_safe_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mysqld_safe_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mysqld_safe_t SELinux type can be entered via the "mysqld_safe_exec_t" file type. The default entrypoint paths for the mysqld_safe_t domain are the following:"
-+
-+/usr/bin/mysqld_safe
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mysqld_safe policy is very flexible allowing users to setup their mysqld_safe processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mysqld_safe:
-+
-+.EX
-+.B mysqld_safe_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mysqld_safe policy is very flexible allowing users to setup their mysqld_safe processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mysqld_safe:
-+
-+
-+.EX
-+.PP
-+.B mysqld_safe_exec_t
-+.EE
-+
-+- Set files with the mysqld_safe_exec_t type, if you want to transition an executable to the mysqld_safe_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mysqld_safe_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mysqld_db_t
-+
-+ /var/lib/mysql(/.*)?
-+.br
-+
-+.br
-+.B mysqld_log_t
-+
-+ /var/log/mysql.*
-+.br
-+
-+.br
-+.B mysqld_var_run_t
-+
-+ /var/run/mysqld(/.*)?
-+.br
-+ /var/lib/mysql/mysql\.sock
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mysqld_safe(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, mysqld_selinux(8), mysqld_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/mysqld_selinux.8 b/man/man8/mysqld_selinux.8
-new file mode 100644
-index 0000000..4a21c03
---- /dev/null
-+++ b/man/man8/mysqld_selinux.8
-@@ -0,0 +1,283 @@
-+.TH "mysqld_selinux" "8" "12-11-01" "mysqld" "SELinux Policy documentation for mysqld"
-+.SH "NAME"
-+mysqld_selinux \- Security Enhanced Linux Policy for the mysqld processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mysqld processes via flexible mandatory access control.
-+
-+The mysqld processes execute with the mysqld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mysqld_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mysqld_t SELinux type can be entered via the "mysqld_exec_t" file type. The default entrypoint paths for the mysqld_t domain are the following:"
-+
-+/usr/sbin/mysqld(-max)?, /usr/sbin/ndbd, /usr/libexec/mysqld, /usr/bin/mysql_upgrade
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mysqld policy is very flexible allowing users to setup their mysqld processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mysqld:
-+
-+.EX
-+.B mysqld_safe_t, mysqlmanagerd_t, mysqld_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. mysqld policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mysqld with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow mysqld to connect to all ports, you must turn on the mysql_connect_any boolean.
-+
-+.EX
-+.B setsebool -P mysql_connect_any 1
-+.EE
-+
-+.PP
-+If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_mysql_connect_enabled 1
-+.EE
-+
-+.PP
-+If you want to allow mysqld to connect to all ports, you must turn on the mysql_connect_any boolean.
-+
-+.EX
-+.B setsebool -P mysql_connect_any 1
-+.EE
-+
-+.PP
-+If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_mysql_connect_enabled 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mysqld policy is very flexible allowing users to setup their mysqld processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mysqld:
-+
-+
-+.EX
-+.PP
-+.B mysqld_db_t
-+.EE
-+
-+- Set files with the mysqld_db_t type, if you want to treat the files as mysqld database content.
-+
-+
-+.EX
-+.PP
-+.B mysqld_etc_t
-+.EE
-+
-+- Set files with the mysqld_etc_t type, if you want to store mysqld files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B mysqld_exec_t
-+.EE
-+
-+- Set files with the mysqld_exec_t type, if you want to transition an executable to the mysqld_t domain.
-+
-+
-+.EX
-+.PP
-+.B mysqld_home_t
-+.EE
-+
-+- Set files with the mysqld_home_t type, if you want to store mysqld files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B mysqld_initrc_exec_t
-+.EE
-+
-+- Set files with the mysqld_initrc_exec_t type, if you want to transition an executable to the mysqld_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B mysqld_log_t
-+.EE
-+
-+- Set files with the mysqld_log_t type, if you want to treat the data as mysqld log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B mysqld_safe_exec_t
-+.EE
-+
-+- Set files with the mysqld_safe_exec_t type, if you want to transition an executable to the mysqld_safe_t domain.
-+
-+
-+.EX
-+.PP
-+.B mysqld_tmp_t
-+.EE
-+
-+- Set files with the mysqld_tmp_t type, if you want to store mysqld temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B mysqld_unit_file_t
-+.EE
-+
-+- Set files with the mysqld_unit_file_t type, if you want to treat the files as mysqld unit content.
-+
-+
-+.EX
-+.PP
-+.B mysqld_var_run_t
-+.EE
-+
-+- Set files with the mysqld_var_run_t type, if you want to store the mysqld files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux mysqld policy is very flexible allowing users to setup their mysqld processes in as secure a method as possible.
-+.PP
-+The following port types are defined for mysqld:
-+
-+.EX
-+.TP 5
-+.B mysqld_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 1186,3306,63132-63164
-+.EE
-+
-+.EX
-+.TP 5
-+.B mysqlmanagerd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 2273
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mysqld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B hugetlbfs_t
-+
-+ /dev/hugepages
-+.br
-+ /lib/udev/devices/hugepages
-+.br
-+ /usr/lib/udev/devices/hugepages
-+.br
-+
-+.br
-+.B mysqld_db_t
-+
-+ /var/lib/mysql(/.*)?
-+.br
-+
-+.br
-+.B mysqld_log_t
-+
-+ /var/log/mysql.*
-+.br
-+
-+.br
-+.B mysqld_tmp_t
-+
-+
-+.br
-+.B mysqld_var_run_t
-+
-+ /var/run/mysqld(/.*)?
-+.br
-+ /var/lib/mysql/mysql\.sock
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mysqld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mysqld_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mysqld(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), mysqld_safe_selinux(8), mysqlmanagerd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/mysqlmanagerd_selinux.8 b/man/man8/mysqlmanagerd_selinux.8
-new file mode 100644
-index 0000000..1634a0c
---- /dev/null
-+++ b/man/man8/mysqlmanagerd_selinux.8
-@@ -0,0 +1,138 @@
-+.TH "mysqlmanagerd_selinux" "8" "12-11-01" "mysqlmanagerd" "SELinux Policy documentation for mysqlmanagerd"
-+.SH "NAME"
-+mysqlmanagerd_selinux \- Security Enhanced Linux Policy for the mysqlmanagerd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the mysqlmanagerd processes via flexible mandatory access control.
-+
-+The mysqlmanagerd processes execute with the mysqlmanagerd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep mysqlmanagerd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The mysqlmanagerd_t SELinux type can be entered via the "mysqlmanagerd_exec_t" file type. The default entrypoint paths for the mysqlmanagerd_t domain are the following:"
-+
-+/usr/sbin/mysqlmanager
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux mysqlmanagerd policy is very flexible allowing users to setup their mysqlmanagerd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for mysqlmanagerd:
-+
-+.EX
-+.B mysqlmanagerd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux mysqlmanagerd policy is very flexible allowing users to setup their mysqlmanagerd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for mysqlmanagerd:
-+
-+
-+.EX
-+.PP
-+.B mysqlmanagerd_exec_t
-+.EE
-+
-+- Set files with the mysqlmanagerd_exec_t type, if you want to transition an executable to the mysqlmanagerd_t domain.
-+
-+
-+.EX
-+.PP
-+.B mysqlmanagerd_initrc_exec_t
-+.EE
-+
-+- Set files with the mysqlmanagerd_initrc_exec_t type, if you want to transition an executable to the mysqlmanagerd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B mysqlmanagerd_var_run_t
-+.EE
-+
-+- Set files with the mysqlmanagerd_var_run_t type, if you want to store the mysqlmanagerd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux mysqlmanagerd policy is very flexible allowing users to setup their mysqlmanagerd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for mysqlmanagerd:
-+
-+.EX
-+.TP 5
-+.B mysqlmanagerd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 2273
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type mysqlmanagerd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mysqlmanagerd_var_run_t
-+
-+ /var/run/mysqld/mysqlmanager.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), mysqlmanagerd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/nagios_admin_plugin_selinux.8 b/man/man8/nagios_admin_plugin_selinux.8
-new file mode 100644
-index 0000000..505d3a1
---- /dev/null
-+++ b/man/man8/nagios_admin_plugin_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "nagios_admin_plugin_selinux" "8" "12-11-01" "nagios_admin_plugin" "SELinux Policy documentation for nagios_admin_plugin"
-+.SH "NAME"
-+nagios_admin_plugin_selinux \- Security Enhanced Linux Policy for the nagios_admin_plugin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nagios_admin_plugin processes via flexible mandatory access control.
-+
-+The nagios_admin_plugin processes execute with the nagios_admin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nagios_admin_plugin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nagios_admin_plugin_t SELinux type can be entered via the "nagios_admin_plugin_exec_t" file type. The default entrypoint paths for the nagios_admin_plugin_t domain are the following:"
-+
-+/usr/lib/nagios/plugins/check_file_age
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nagios_admin_plugin policy is very flexible allowing users to setup their nagios_admin_plugin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nagios_admin_plugin:
-+
-+.EX
-+.B nagios_admin_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nagios_admin_plugin policy is very flexible allowing users to setup their nagios_admin_plugin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nagios_admin_plugin:
-+
-+
-+.EX
-+.PP
-+.B nagios_admin_plugin_exec_t
-+.EE
-+
-+- Set files with the nagios_admin_plugin_exec_t type, if you want to transition an executable to the nagios_admin_plugin_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nagios_admin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nagios_selinux(8), nagios_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nagios_checkdisk_plugin_selinux.8 b/man/man8/nagios_checkdisk_plugin_selinux.8
-new file mode 100644
-index 0000000..9ccef93
---- /dev/null
-+++ b/man/man8/nagios_checkdisk_plugin_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "nagios_checkdisk_plugin_selinux" "8" "12-11-01" "nagios_checkdisk_plugin" "SELinux Policy documentation for nagios_checkdisk_plugin"
-+.SH "NAME"
-+nagios_checkdisk_plugin_selinux \- Security Enhanced Linux Policy for the nagios_checkdisk_plugin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nagios_checkdisk_plugin processes via flexible mandatory access control.
-+
-+The nagios_checkdisk_plugin processes execute with the nagios_checkdisk_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nagios_checkdisk_plugin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nagios_checkdisk_plugin_t SELinux type can be entered via the "nagios_checkdisk_plugin_exec_t" file type. The default entrypoint paths for the nagios_checkdisk_plugin_t domain are the following:"
-+
-+/usr/lib/nagios/plugins/check_disk, /usr/lib/nagios/plugins/check_disk_smb, /usr/lib/nagios/plugins/check_ide_smart, /usr/lib/nagios/plugins/check_linux_raid
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nagios_checkdisk_plugin policy is very flexible allowing users to setup their nagios_checkdisk_plugin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nagios_checkdisk_plugin:
-+
-+.EX
-+.B nagios_checkdisk_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nagios_checkdisk_plugin policy is very flexible allowing users to setup their nagios_checkdisk_plugin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nagios_checkdisk_plugin:
-+
-+
-+.EX
-+.PP
-+.B nagios_checkdisk_plugin_exec_t
-+.EE
-+
-+- Set files with the nagios_checkdisk_plugin_exec_t type, if you want to transition an executable to the nagios_checkdisk_plugin_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nagios_checkdisk_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nagios_eventhandler_plugin_selinux.8 b/man/man8/nagios_eventhandler_plugin_selinux.8
-new file mode 100644
-index 0000000..507c175
---- /dev/null
-+++ b/man/man8/nagios_eventhandler_plugin_selinux.8
-@@ -0,0 +1,111 @@
-+.TH "nagios_eventhandler_plugin_selinux" "8" "12-11-01" "nagios_eventhandler_plugin" "SELinux Policy documentation for nagios_eventhandler_plugin"
-+.SH "NAME"
-+nagios_eventhandler_plugin_selinux \- Security Enhanced Linux Policy for the nagios_eventhandler_plugin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nagios_eventhandler_plugin processes via flexible mandatory access control.
-+
-+The nagios_eventhandler_plugin processes execute with the nagios_eventhandler_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nagios_eventhandler_plugin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nagios_eventhandler_plugin_t SELinux type can be entered via the "nagios_eventhandler_plugin_exec_t" file type. The default entrypoint paths for the nagios_eventhandler_plugin_t domain are the following:"
-+
-+/usr/lib/nagios/plugins/eventhandlers(/.*)
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nagios_eventhandler_plugin policy is very flexible allowing users to setup their nagios_eventhandler_plugin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nagios_eventhandler_plugin:
-+
-+.EX
-+.B nagios_eventhandler_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nagios_eventhandler_plugin policy is very flexible allowing users to setup their nagios_eventhandler_plugin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nagios_eventhandler_plugin:
-+
-+
-+.EX
-+.PP
-+.B nagios_eventhandler_plugin_exec_t
-+.EE
-+
-+- Set files with the nagios_eventhandler_plugin_exec_t type, if you want to transition an executable to the nagios_eventhandler_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B nagios_eventhandler_plugin_tmp_t
-+.EE
-+
-+- Set files with the nagios_eventhandler_plugin_tmp_t type, if you want to store nagios eventhandler plugin temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nagios_eventhandler_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nagios_eventhandler_plugin_tmp_t
-+
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nagios_eventhandler_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nagios_mail_plugin_selinux.8 b/man/man8/nagios_mail_plugin_selinux.8
-new file mode 100644
-index 0000000..0140264
---- /dev/null
-+++ b/man/man8/nagios_mail_plugin_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "nagios_mail_plugin_selinux" "8" "12-11-01" "nagios_mail_plugin" "SELinux Policy documentation for nagios_mail_plugin"
-+.SH "NAME"
-+nagios_mail_plugin_selinux \- Security Enhanced Linux Policy for the nagios_mail_plugin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nagios_mail_plugin processes via flexible mandatory access control.
-+
-+The nagios_mail_plugin processes execute with the nagios_mail_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nagios_mail_plugin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nagios_mail_plugin_t SELinux type can be entered via the "nagios_mail_plugin_exec_t" file type. The default entrypoint paths for the nagios_mail_plugin_t domain are the following:"
-+
-+/usr/lib/nagios/plugins/check_mailq
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nagios_mail_plugin policy is very flexible allowing users to setup their nagios_mail_plugin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nagios_mail_plugin:
-+
-+.EX
-+.B nagios_mail_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nagios_mail_plugin policy is very flexible allowing users to setup their nagios_mail_plugin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nagios_mail_plugin:
-+
-+
-+.EX
-+.PP
-+.B nagios_mail_plugin_exec_t
-+.EE
-+
-+- Set files with the nagios_mail_plugin_exec_t type, if you want to transition an executable to the nagios_mail_plugin_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nagios_mail_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nagios_selinux.8 b/man/man8/nagios_selinux.8
-new file mode 100644
-index 0000000..2208671
---- /dev/null
-+++ b/man/man8/nagios_selinux.8
-@@ -0,0 +1,257 @@
-+.TH "nagios_selinux" "8" "12-11-01" "nagios" "SELinux Policy documentation for nagios"
-+.SH "NAME"
-+nagios_selinux \- Security Enhanced Linux Policy for the nagios processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nagios processes via flexible mandatory access control.
-+
-+The nagios processes execute with the nagios_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nagios_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nagios_t SELinux type can be entered via the "nagios_exec_t" file type. The default entrypoint paths for the nagios_t domain are the following:"
-+
-+/usr/s?bin/nagios
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nagios policy is very flexible allowing users to setup their nagios processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nagios:
-+
-+.EX
-+.B nagios_t, nagios_mail_plugin_t, nagios_checkdisk_plugin_t, nagios_services_plugin_t, nagios_eventhandler_plugin_t, nagios_system_plugin_t, nagios_unconfined_plugin_t, nagios_admin_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nagios policy is very flexible allowing users to setup their nagios processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nagios:
-+
-+
-+.EX
-+.PP
-+.B nagios_admin_plugin_exec_t
-+.EE
-+
-+- Set files with the nagios_admin_plugin_exec_t type, if you want to transition an executable to the nagios_admin_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B nagios_checkdisk_plugin_exec_t
-+.EE
-+
-+- Set files with the nagios_checkdisk_plugin_exec_t type, if you want to transition an executable to the nagios_checkdisk_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B nagios_etc_t
-+.EE
-+
-+- Set files with the nagios_etc_t type, if you want to store nagios files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B nagios_eventhandler_plugin_exec_t
-+.EE
-+
-+- Set files with the nagios_eventhandler_plugin_exec_t type, if you want to transition an executable to the nagios_eventhandler_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B nagios_eventhandler_plugin_tmp_t
-+.EE
-+
-+- Set files with the nagios_eventhandler_plugin_tmp_t type, if you want to store nagios eventhandler plugin temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B nagios_exec_t
-+.EE
-+
-+- Set files with the nagios_exec_t type, if you want to transition an executable to the nagios_t domain.
-+
-+
-+.EX
-+.PP
-+.B nagios_initrc_exec_t
-+.EE
-+
-+- Set files with the nagios_initrc_exec_t type, if you want to transition an executable to the nagios_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B nagios_log_t
-+.EE
-+
-+- Set files with the nagios_log_t type, if you want to treat the data as nagios log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B nagios_mail_plugin_exec_t
-+.EE
-+
-+- Set files with the nagios_mail_plugin_exec_t type, if you want to transition an executable to the nagios_mail_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B nagios_services_plugin_exec_t
-+.EE
-+
-+- Set files with the nagios_services_plugin_exec_t type, if you want to transition an executable to the nagios_services_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B nagios_spool_t
-+.EE
-+
-+- Set files with the nagios_spool_t type, if you want to store the nagios files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B nagios_system_plugin_exec_t
-+.EE
-+
-+- Set files with the nagios_system_plugin_exec_t type, if you want to transition an executable to the nagios_system_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B nagios_system_plugin_tmp_t
-+.EE
-+
-+- Set files with the nagios_system_plugin_tmp_t type, if you want to store nagios system plugin temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B nagios_tmp_t
-+.EE
-+
-+- Set files with the nagios_tmp_t type, if you want to store nagios temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B nagios_unconfined_plugin_exec_t
-+.EE
-+
-+- Set files with the nagios_unconfined_plugin_exec_t type, if you want to transition an executable to the nagios_unconfined_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B nagios_var_lib_t
-+.EE
-+
-+- Set files with the nagios_var_lib_t type, if you want to store the nagios files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B nagios_var_run_t
-+.EE
-+
-+- Set files with the nagios_var_run_t type, if you want to store the nagios files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nagios_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nagios_log_t
-+
-+ /var/log/nagios(/.*)?
-+.br
-+ /var/log/netsaint(/.*)?
-+.br
-+
-+.br
-+.B nagios_tmp_t
-+
-+
-+.br
-+.B nagios_var_lib_t
-+
-+ /usr/lib/pnp4nagios(/.*)?
-+.br
-+
-+.br
-+.B nagios_var_run_t
-+
-+ /var/run/nagios.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nagios_services_plugin_t, nagios_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the nagios_services_plugin_t, nagios_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nagios_services_plugin_selinux.8 b/man/man8/nagios_services_plugin_selinux.8
-new file mode 100644
-index 0000000..4b2f93e
---- /dev/null
-+++ b/man/man8/nagios_services_plugin_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "nagios_services_plugin_selinux" "8" "12-11-01" "nagios_services_plugin" "SELinux Policy documentation for nagios_services_plugin"
-+.SH "NAME"
-+nagios_services_plugin_selinux \- Security Enhanced Linux Policy for the nagios_services_plugin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nagios_services_plugin processes via flexible mandatory access control.
-+
-+The nagios_services_plugin processes execute with the nagios_services_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nagios_services_plugin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nagios_services_plugin_t SELinux type can be entered via the "nagios_services_plugin_exec_t" file type. The default entrypoint paths for the nagios_services_plugin_t domain are the following:"
-+
-+/usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_dns, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_http, /usr/lib/nagios/plugins/check_icmp, /usr/lib/nagios/plugins/check_ircd, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_fping, /usr/lib/nagios/plugins/check_mysql, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_mysql_query
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nagios_services_plugin policy is very flexible allowing users to setup their nagios_services_plugin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nagios_services_plugin:
-+
-+.EX
-+.B nagios_services_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nagios_services_plugin policy is very flexible allowing users to setup their nagios_services_plugin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nagios_services_plugin:
-+
-+
-+.EX
-+.PP
-+.B nagios_services_plugin_exec_t
-+.EE
-+
-+- Set files with the nagios_services_plugin_exec_t type, if you want to transition an executable to the nagios_services_plugin_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nagios_services_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the nagios_services_plugin_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nagios_services_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nagios_system_plugin_selinux.8 b/man/man8/nagios_system_plugin_selinux.8
-new file mode 100644
-index 0000000..0005f14
---- /dev/null
-+++ b/man/man8/nagios_system_plugin_selinux.8
-@@ -0,0 +1,103 @@
-+.TH "nagios_system_plugin_selinux" "8" "12-11-01" "nagios_system_plugin" "SELinux Policy documentation for nagios_system_plugin"
-+.SH "NAME"
-+nagios_system_plugin_selinux \- Security Enhanced Linux Policy for the nagios_system_plugin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nagios_system_plugin processes via flexible mandatory access control.
-+
-+The nagios_system_plugin processes execute with the nagios_system_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nagios_system_plugin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nagios_system_plugin_t SELinux type can be entered via the "nagios_system_plugin_exec_t" file type. The default entrypoint paths for the nagios_system_plugin_t domain are the following:"
-+
-+/usr/lib/nagios/plugins/check_log, /usr/lib/nagios/plugins/check_load, /usr/lib/nagios/plugins/check_mrtg, /usr/lib/nagios/plugins/check_swap, /usr/lib/nagios/plugins/check_wave, /usr/lib/nagios/plugins/check_procs, /usr/lib/nagios/plugins/check_users, /usr/lib/nagios/plugins/check_flexlm, /usr/lib/nagios/plugins/check_nagios, /usr/lib/nagios/plugins/check_nwstat, /usr/lib/nagios/plugins/check_overcr, /usr/lib/nagios/plugins/check_sensors, /usr/lib/nagios/plugins/check_ifstatus, /usr/lib/nagios/plugins/check_mrtgtraf, /usr/lib/nagios/plugins/check_ifoperstatus
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nagios_system_plugin policy is very flexible allowing users to setup their nagios_system_plugin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nagios_system_plugin:
-+
-+.EX
-+.B nagios_system_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nagios_system_plugin policy is very flexible allowing users to setup their nagios_system_plugin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nagios_system_plugin:
-+
-+
-+.EX
-+.PP
-+.B nagios_system_plugin_exec_t
-+.EE
-+
-+- Set files with the nagios_system_plugin_exec_t type, if you want to transition an executable to the nagios_system_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B nagios_system_plugin_tmp_t
-+.EE
-+
-+- Set files with the nagios_system_plugin_tmp_t type, if you want to store nagios system plugin temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nagios_system_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nagios_system_plugin_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nagios_system_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nagios_unconfined_plugin_selinux.8 b/man/man8/nagios_unconfined_plugin_selinux.8
-new file mode 100644
-index 0000000..ccf2eed
---- /dev/null
-+++ b/man/man8/nagios_unconfined_plugin_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "nagios_unconfined_plugin_selinux" "8" "12-11-01" "nagios_unconfined_plugin" "SELinux Policy documentation for nagios_unconfined_plugin"
-+.SH "NAME"
-+nagios_unconfined_plugin_selinux \- Security Enhanced Linux Policy for the nagios_unconfined_plugin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nagios_unconfined_plugin processes via flexible mandatory access control.
-+
-+The nagios_unconfined_plugin processes execute with the nagios_unconfined_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nagios_unconfined_plugin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nagios_unconfined_plugin_t SELinux type can be entered via the "nagios_unconfined_plugin_exec_t" file type. The default entrypoint paths for the nagios_unconfined_plugin_t domain are the following:"
-+
-+/usr/lib/nagios/plugins/check_by_ssh
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nagios_unconfined_plugin policy is very flexible allowing users to setup their nagios_unconfined_plugin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nagios_unconfined_plugin:
-+
-+.EX
-+.B nagios_unconfined_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nagios_unconfined_plugin policy is very flexible allowing users to setup their nagios_unconfined_plugin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nagios_unconfined_plugin:
-+
-+
-+.EX
-+.PP
-+.B nagios_unconfined_plugin_exec_t
-+.EE
-+
-+- Set files with the nagios_unconfined_plugin_exec_t type, if you want to transition an executable to the nagios_unconfined_plugin_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nagios_unconfined_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8
-index fce0b48..8d2debb 100644
---- a/man/man8/named_selinux.8
-+++ b/man/man8/named_selinux.8
-@@ -1,30 +1,288 @@
--.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
--.de EX
--.nf
--.ft CW
--..
--.de EE
--.ft R
--.fi
--..
-+.TH "named_selinux" "8" "12-11-01" "named" "SELinux Policy documentation for named"
- .SH "NAME"
--named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon
-+named_selinux \- Security Enhanced Linux Policy for the named processes
- .SH "DESCRIPTION"
-
--Security-Enhanced Linux secures the named server via flexible mandatory access
--control.
-+Security-Enhanced Linux secures the named processes via flexible mandatory access control.
-+
-+The named processes execute with the named_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep named_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The named_t SELinux type can be entered via the "named_exec_t,named_checkconf_exec_t" file types. The default entrypoint paths for the named_t domain are the following:"
-+
-+/usr/sbin/named, /usr/sbin/lwresd, /usr/sbin/unbound, /usr/sbin/named-checkconf
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux named policy is very flexible allowing users to setup their named processes in as secure a method as possible.
-+.PP
-+The following process types are defined for named:
-+
-+.EX
-+.B named_t, namespace_init_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
- .SH BOOLEANS
--SELinux policy is customizable based on least access required. So by
--default SELinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean.
-+SELinux policy is customizable based on least access required. named policy is extremely flexible and has several booleans that allow you to manipulate the policy and run named with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers, you must turn on the named_write_master_zones boolean.
-+
- .EX
--setsebool -P named_write_master_zones 1
-+.B setsebool -P named_write_master_zones 1
- .EE
-+
- .PP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
--This manual page was written by Dan Walsh .
-+If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean.
-+
-+.EX
-+.B setsebool -P named_bind_http_port 1
-+.EE
-+
-+.PP
-+If you want to allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers, you must turn on the named_write_master_zones boolean.
-+
-+.EX
-+.B setsebool -P named_write_master_zones 1
-+.EE
-+
-+.PP
-+If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean.
-+
-+.EX
-+.B setsebool -P named_bind_http_port 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux named policy is very flexible allowing users to setup their named processes in as secure a method as possible.
-+.PP
-+The following file types are defined for named:
-+
-+
-+.EX
-+.PP
-+.B named_cache_t
-+.EE
-+
-+- Set files with the named_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B named_checkconf_exec_t
-+.EE
-+
-+- Set files with the named_checkconf_exec_t type, if you want to transition an executable to the named_checkconf_t domain.
-+
-+
-+.EX
-+.PP
-+.B named_conf_t
-+.EE
-+
-+- Set files with the named_conf_t type, if you want to treat the files as named configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B named_exec_t
-+.EE
-+
-+- Set files with the named_exec_t type, if you want to transition an executable to the named_t domain.
-+
-+
-+.EX
-+.PP
-+.B named_initrc_exec_t
-+.EE
-+
-+- Set files with the named_initrc_exec_t type, if you want to transition an executable to the named_initrc_t domain.
-
--.SH "SEE ALSO"
--selinux(8), named(8), chcon(1), setsebool(8)
-
-+.EX
-+.PP
-+.B named_keytab_t
-+.EE
-+
-+- Set files with the named_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B named_log_t
-+.EE
-+
-+- Set files with the named_log_t type, if you want to treat the data as named log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B named_tmp_t
-+.EE
-+
-+- Set files with the named_tmp_t type, if you want to store named temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B named_unit_file_t
-+.EE
-+
-+- Set files with the named_unit_file_t type, if you want to treat the files as named unit content.
-+
-+
-+.EX
-+.PP
-+.B named_var_run_t
-+.EE
-+
-+- Set files with the named_var_run_t type, if you want to store the named files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B named_zone_t
-+.EE
-+
-+- Set files with the named_zone_t type, if you want to treat the files as named zone data.
-
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type named_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B named_cache_t
-+
-+ /var/named/data(/.*)?
-+.br
-+ /var/named/slaves(/.*)?
-+.br
-+ /var/named/dynamic(/.*)?
-+.br
-+ /var/named/chroot/var/tmp(/.*)?
-+.br
-+ /var/named/chroot/var/named/data(/.*)?
-+.br
-+ /var/named/chroot/var/named/slaves(/.*)?
-+.br
-+ /var/named/chroot/var/named/dynamic(/.*)?
-+.br
-+
-+.br
-+.B named_log_t
-+
-+ /var/log/named.*
-+.br
-+ /var/named/chroot/var/log/named.*
-+.br
-+
-+.br
-+.B named_tmp_t
-+
-+
-+.br
-+.B named_var_run_t
-+
-+ /var/run/bind(/.*)?
-+.br
-+ /var/run/named(/.*)?
-+.br
-+ /var/run/unbound(/.*)?
-+.br
-+ /var/named/chroot/var/run/named.*
-+.br
-+ /var/run/ndc
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the namespace_init_t, named_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the namespace_init_t, named_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), named(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), namespace_init_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/namespace_init_selinux.8 b/man/man8/namespace_init_selinux.8
-new file mode 100644
-index 0000000..9d3197d
---- /dev/null
-+++ b/man/man8/namespace_init_selinux.8
-@@ -0,0 +1,120 @@
-+.TH "namespace_init_selinux" "8" "12-11-01" "namespace_init" "SELinux Policy documentation for namespace_init"
-+.SH "NAME"
-+namespace_init_selinux \- Security Enhanced Linux Policy for the namespace_init processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the namespace_init processes via flexible mandatory access control.
-+
-+The namespace_init processes execute with the namespace_init_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep namespace_init_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The namespace_init_t SELinux type can be entered via the "namespace_init_exec_t" file type. The default entrypoint paths for the namespace_init_t domain are the following:"
-+
-+/etc/security/namespace.init
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux namespace_init policy is very flexible allowing users to setup their namespace_init processes in as secure a method as possible.
-+.PP
-+The following process types are defined for namespace_init:
-+
-+.EX
-+.B namespace_init_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux namespace_init policy is very flexible allowing users to setup their namespace_init processes in as secure a method as possible.
-+.PP
-+The following file types are defined for namespace_init:
-+
-+
-+.EX
-+.PP
-+.B namespace_init_exec_t
-+.EE
-+
-+- Set files with the namespace_init_exec_t type, if you want to transition an executable to the namespace_init_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type namespace_init_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the namespace_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the namespace_init_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), namespace_init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ncftool_selinux.8 b/man/man8/ncftool_selinux.8
-new file mode 100644
-index 0000000..2b164c1
---- /dev/null
-+++ b/man/man8/ncftool_selinux.8
-@@ -0,0 +1,138 @@
-+.TH "ncftool_selinux" "8" "12-11-01" "ncftool" "SELinux Policy documentation for ncftool"
-+.SH "NAME"
-+ncftool_selinux \- Security Enhanced Linux Policy for the ncftool processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ncftool processes via flexible mandatory access control.
-+
-+The ncftool processes execute with the ncftool_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ncftool_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ncftool_t SELinux type can be entered via the "ncftool_exec_t" file type. The default entrypoint paths for the ncftool_t domain are the following:"
-+
-+/usr/bin/ncftool
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ncftool policy is very flexible allowing users to setup their ncftool processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ncftool:
-+
-+.EX
-+.B ncftool_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ncftool policy is very flexible allowing users to setup their ncftool processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ncftool:
-+
-+
-+.EX
-+.PP
-+.B ncftool_exec_t
-+.EE
-+
-+- Set files with the ncftool_exec_t type, if you want to transition an executable to the ncftool_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ncftool_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.br
-+.B system_conf_t
-+
-+ /etc/sysctl\.conf(\.old)?
-+.br
-+ /etc/sysconfig/ip6?tables.*
-+.br
-+ /etc/sysconfig/ipvsadm.*
-+.br
-+ /etc/sysconfig/ebtables.*
-+.br
-+ /etc/sysconfig/system-config-firewall.*
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ncftool(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ndc_selinux.8 b/man/man8/ndc_selinux.8
-new file mode 100644
-index 0000000..3fbc319
---- /dev/null
-+++ b/man/man8/ndc_selinux.8
-@@ -0,0 +1,100 @@
-+.TH "ndc_selinux" "8" "12-11-01" "ndc" "SELinux Policy documentation for ndc"
-+.SH "NAME"
-+ndc_selinux \- Security Enhanced Linux Policy for the ndc processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ndc processes via flexible mandatory access control.
-+
-+The ndc processes execute with the ndc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ndc_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ndc_t SELinux type can be entered via the "ndc_exec_t" file type. The default entrypoint paths for the ndc_t domain are the following:"
-+
-+/usr/sbin/r?ndc
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ndc policy is very flexible allowing users to setup their ndc processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ndc:
-+
-+.EX
-+.B ndc_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ndc policy is very flexible allowing users to setup their ndc processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ndc:
-+
-+
-+.EX
-+.PP
-+.B ndc_exec_t
-+.EE
-+
-+- Set files with the ndc_exec_t type, if you want to transition an executable to the ndc_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ndc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ndc_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ndc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/netlabel_mgmt_selinux.8 b/man/man8/netlabel_mgmt_selinux.8
-new file mode 100644
-index 0000000..9ee6f73
---- /dev/null
-+++ b/man/man8/netlabel_mgmt_selinux.8
-@@ -0,0 +1,86 @@
-+.TH "netlabel_mgmt_selinux" "8" "12-11-01" "netlabel_mgmt" "SELinux Policy documentation for netlabel_mgmt"
-+.SH "NAME"
-+netlabel_mgmt_selinux \- Security Enhanced Linux Policy for the netlabel_mgmt processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the netlabel_mgmt processes via flexible mandatory access control.
-+
-+The netlabel_mgmt processes execute with the netlabel_mgmt_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep netlabel_mgmt_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The netlabel_mgmt_t SELinux type can be entered via the "netlabel_mgmt_exec_t" file type. The default entrypoint paths for the netlabel_mgmt_t domain are the following:"
-+
-+/sbin/netlabelctl, /usr/sbin/netlabelctl
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux netlabel_mgmt policy is very flexible allowing users to setup their netlabel_mgmt processes in as secure a method as possible.
-+.PP
-+The following process types are defined for netlabel_mgmt:
-+
-+.EX
-+.B netlabel_mgmt_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux netlabel_mgmt policy is very flexible allowing users to setup their netlabel_mgmt processes in as secure a method as possible.
-+.PP
-+The following file types are defined for netlabel_mgmt:
-+
-+
-+.EX
-+.PP
-+.B netlabel_mgmt_exec_t
-+.EE
-+
-+- Set files with the netlabel_mgmt_exec_t type, if you want to transition an executable to the netlabel_mgmt_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), netlabel_mgmt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/netlogond_selinux.8 b/man/man8/netlogond_selinux.8
-new file mode 100644
-index 0000000..56dbd55
---- /dev/null
-+++ b/man/man8/netlogond_selinux.8
-@@ -0,0 +1,134 @@
-+.TH "netlogond_selinux" "8" "12-11-01" "netlogond" "SELinux Policy documentation for netlogond"
-+.SH "NAME"
-+netlogond_selinux \- Security Enhanced Linux Policy for the netlogond processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the netlogond processes via flexible mandatory access control.
-+
-+The netlogond processes execute with the netlogond_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep netlogond_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The netlogond_t SELinux type can be entered via the "netlogond_exec_t" file type. The default entrypoint paths for the netlogond_t domain are the following:"
-+
-+/usr/sbin/netlogond
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux netlogond policy is very flexible allowing users to setup their netlogond processes in as secure a method as possible.
-+.PP
-+The following process types are defined for netlogond:
-+
-+.EX
-+.B netlogond_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux netlogond policy is very flexible allowing users to setup their netlogond processes in as secure a method as possible.
-+.PP
-+The following file types are defined for netlogond:
-+
-+
-+.EX
-+.PP
-+.B netlogond_exec_t
-+.EE
-+
-+- Set files with the netlogond_exec_t type, if you want to transition an executable to the netlogond_t domain.
-+
-+
-+.EX
-+.PP
-+.B netlogond_var_lib_t
-+.EE
-+
-+- Set files with the netlogond_var_lib_t type, if you want to store the netlogond files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B netlogond_var_run_t
-+.EE
-+
-+- Set files with the netlogond_var_run_t type, if you want to store the netlogond files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B netlogond_var_socket_t
-+.EE
-+
-+- Set files with the netlogond_var_socket_t type, if you want to treat the files as netlogond var socket data.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type netlogond_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B likewise_etc_t
-+
-+ /etc/likewise-open(/.*)?
-+.br
-+
-+.br
-+.B netlogond_var_lib_t
-+
-+ /var/lib/likewise-open/krb5-affinity.conf
-+.br
-+ /var/lib/likewise-open/LWNetsd\.err
-+.br
-+
-+.br
-+.B netlogond_var_run_t
-+
-+ /var/run/netlogond.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), netlogond(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/netutils_selinux.8 b/man/man8/netutils_selinux.8
-new file mode 100644
-index 0000000..0c0688f
---- /dev/null
-+++ b/man/man8/netutils_selinux.8
-@@ -0,0 +1,116 @@
-+.TH "netutils_selinux" "8" "12-11-01" "netutils" "SELinux Policy documentation for netutils"
-+.SH "NAME"
-+netutils_selinux \- Security Enhanced Linux Policy for the netutils processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the netutils processes via flexible mandatory access control.
-+
-+The netutils processes execute with the netutils_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep netutils_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The netutils_t SELinux type can be entered via the "netutils_exec_t" file type. The default entrypoint paths for the netutils_t domain are the following:"
-+
-+/sbin/arping, /usr/sbin/arping, /usr/sbin/tcpdump
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux netutils policy is very flexible allowing users to setup their netutils processes in as secure a method as possible.
-+.PP
-+The following process types are defined for netutils:
-+
-+.EX
-+.B netutils_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux netutils policy is very flexible allowing users to setup their netutils processes in as secure a method as possible.
-+.PP
-+The following file types are defined for netutils:
-+
-+
-+.EX
-+.PP
-+.B netutils_exec_t
-+.EE
-+
-+- Set files with the netutils_exec_t type, if you want to transition an executable to the netutils_t domain.
-+
-+
-+.EX
-+.PP
-+.B netutils_tmp_t
-+.EE
-+
-+- Set files with the netutils_tmp_t type, if you want to store netutils temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type netutils_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B netutils_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the netutils_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the netutils_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), netutils(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/newrole_selinux.8 b/man/man8/newrole_selinux.8
-new file mode 100644
-index 0000000..fc68433
---- /dev/null
-+++ b/man/man8/newrole_selinux.8
-@@ -0,0 +1,178 @@
-+.TH "newrole_selinux" "8" "12-11-01" "newrole" "SELinux Policy documentation for newrole"
-+.SH "NAME"
-+newrole_selinux \- Security Enhanced Linux Policy for the newrole processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the newrole processes via flexible mandatory access control.
-+
-+The newrole processes execute with the newrole_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep newrole_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The newrole_t SELinux type can be entered via the "newrole_exec_t" file type. The default entrypoint paths for the newrole_t domain are the following:"
-+
-+/usr/bin/newrole
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux newrole policy is very flexible allowing users to setup their newrole processes in as secure a method as possible.
-+.PP
-+The following process types are defined for newrole:
-+
-+.EX
-+.B newrole_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux newrole policy is very flexible allowing users to setup their newrole processes in as secure a method as possible.
-+.PP
-+The following file types are defined for newrole:
-+
-+
-+.EX
-+.PP
-+.B newrole_exec_t
-+.EE
-+
-+- Set files with the newrole_exec_t type, if you want to transition an executable to the newrole_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type newrole_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the newrole_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the newrole_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), newrole(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/nfs_selinux.8 b/man/man8/nfs_selinux.8
-deleted file mode 100644
-index 8e30c4c..0000000
---- a/man/man8/nfs_selinux.8
-+++ /dev/null
-@@ -1,31 +0,0 @@
--.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
--.SH "NAME"
--nfs_selinux \- Security Enhanced Linux Policy for NFS
--.SH "DESCRIPTION"
--
--Security Enhanced Linux secures the NFS server via flexible mandatory access
--control.
--.SH BOOLEANS
--SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
--
--.TP
--setsebool -P nfs_export_all_ro 1
--.TP
--If you want to share files read/write you must set the nfs_export_all_rw boolean.
--.TP
--setsebool -P nfs_export_all_rw 1
--
--.TP
--These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
--
--.TP
--If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
--.TP
--setsebool -P use_nfs_home_dirs 1
--.TP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
--This manual page was written by Dan Walsh .
--
--.SH "SEE ALSO"
--selinux(8), chcon(1), setsebool(8)
-diff --git a/man/man8/nfsd_selinux.8 b/man/man8/nfsd_selinux.8
-new file mode 100644
-index 0000000..72cf8db
---- /dev/null
-+++ b/man/man8/nfsd_selinux.8
-@@ -0,0 +1,447 @@
-+.TH "nfsd_selinux" "8" "12-11-01" "nfsd" "SELinux Policy documentation for nfsd"
-+.SH "NAME"
-+nfsd_selinux \- Security Enhanced Linux Policy for the nfsd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nfsd processes via flexible mandatory access control.
-+
-+The nfsd processes execute with the nfsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nfsd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nfsd_t SELinux type can be entered via the "nfsd_exec_t" file type. The default entrypoint paths for the nfsd_t domain are the following:"
-+
-+/usr/sbin/rpc\.nfsd, /usr/sbin/rpc\.mountd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nfsd policy is very flexible allowing users to setup their nfsd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nfsd:
-+
-+.EX
-+.B nfsd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. nfsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nfsd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P ftpd_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow any files/directories to be exported read/only via NFS, you must turn on the nfs_export_all_ro boolean.
-+
-+.EX
-+.B setsebool -P nfs_export_all_ro 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P virt_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P sge_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P cobbler_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to determine whether Git system daemon can access nfs file systems, you must turn on the git_system_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P git_system_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow rsync servers to share nfs files systems, you must turn on the rsync_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P rsync_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean.
-+
-+.EX
-+.B setsebool -P samba_share_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P xen_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P polipo_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow any files/directories to be exported read/write via NFS, you must turn on the nfs_export_all_rw boolean.
-+
-+.EX
-+.B setsebool -P nfs_export_all_rw 1
-+.EE
-+
-+.PP
-+If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P sanlock_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to determine whether Git CGI can access nfs file systems, you must turn on the git_cgi_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P git_cgi_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean.
-+
-+.EX
-+.B setsebool -P use_nfs_home_dirs 1
-+.EE
-+
-+.PP
-+If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P ftpd_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow any files/directories to be exported read/only via NFS, you must turn on the nfs_export_all_ro boolean.
-+
-+.EX
-+.B setsebool -P nfs_export_all_ro 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P virt_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P sge_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P cobbler_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to determine whether Git system daemon can access nfs file systems, you must turn on the git_system_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P git_system_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow rsync servers to share nfs files systems, you must turn on the rsync_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P rsync_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean.
-+
-+.EX
-+.B setsebool -P samba_share_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P xen_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P polipo_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow any files/directories to be exported read/write via NFS, you must turn on the nfs_export_all_rw boolean.
-+
-+.EX
-+.B setsebool -P nfs_export_all_rw 1
-+.EE
-+
-+.PP
-+If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P sanlock_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to determine whether Git CGI can access nfs file systems, you must turn on the git_cgi_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P git_cgi_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean.
-+
-+.EX
-+.B setsebool -P use_nfs_home_dirs 1
-+.EE
-+
-+.SH SHARING FILES
-+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
-+.TP
-+Allow nfsd servers to read the /var/nfsd directory by adding the public_content_t file type to the directory and by restoring the file type.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_t "/var/nfsd(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/nfsd
-+.pp
-+.TP
-+Allow nfsd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_nfsdd_anon_write boolean to be set.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_rw_t "/var/nfsd/incoming(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/nfsd/incoming
-+
-+
-+.PP
-+If you want to allow nfs servers to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the nfsd_anon_write boolean.
-+
-+.EX
-+.B setsebool -P nfsd_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow nfs servers to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the nfsd_anon_write boolean.
-+
-+.EX
-+.B setsebool -P nfsd_anon_write 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nfsd policy is very flexible allowing users to setup their nfsd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nfsd:
-+
-+
-+.EX
-+.PP
-+.B nfsd_exec_t
-+.EE
-+
-+- Set files with the nfsd_exec_t type, if you want to transition an executable to the nfsd_t domain.
-+
-+
-+.EX
-+.PP
-+.B nfsd_initrc_exec_t
-+.EE
-+
-+- Set files with the nfsd_initrc_exec_t type, if you want to transition an executable to the nfsd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B nfsd_ro_t
-+.EE
-+
-+- Set files with the nfsd_ro_t type, if you want to treat the files as nfsd read/only content.
-+
-+
-+.EX
-+.PP
-+.B nfsd_rw_t
-+.EE
-+
-+- Set files with the nfsd_rw_t type, if you want to treat the files as nfsd read/write content.
-+
-+
-+.EX
-+.PP
-+.B nfsd_unit_file_t
-+.EE
-+
-+- Set files with the nfsd_unit_file_t type, if you want to treat the files as nfsd unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux nfsd policy is very flexible allowing users to setup their nfsd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for nfsd:
-+
-+.EX
-+.TP 5
-+.B nfs_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 2049,20048-20049
-+.EE
-+udp 2049,20048-20049
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nfsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mount_var_run_t
-+
-+ /run/mount(/.*)?
-+.br
-+ /dev/\.mount(/.*)?
-+.br
-+ /var/run/mount(/.*)?
-+.br
-+ /var/run/davfs2(/.*)?
-+.br
-+ /var/cache/davfs2(/.*)?
-+.br
-+
-+.br
-+.B nfsd_fs_t
-+
-+
-+.br
-+.B var_lib_nfs_t
-+
-+ /var/lib/nfs(/.*)?
-+.br
-+
-+.br
-+.B var_lib_t
-+
-+ /opt/(.*/)?var/lib(/.*)?
-+.br
-+ /var/lib(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nfsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the nfsd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nfsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/nis_selinux.8 b/man/man8/nis_selinux.8
-deleted file mode 100644
-index 6271c95..0000000
---- a/man/man8/nis_selinux.8
-+++ /dev/null
-@@ -1 +0,0 @@
--.so man8/ypbind_selinux.8
-diff --git a/man/man8/nmbd_selinux.8 b/man/man8/nmbd_selinux.8
-new file mode 100644
-index 0000000..d15f44d
---- /dev/null
-+++ b/man/man8/nmbd_selinux.8
-@@ -0,0 +1,170 @@
-+.TH "nmbd_selinux" "8" "12-11-01" "nmbd" "SELinux Policy documentation for nmbd"
-+.SH "NAME"
-+nmbd_selinux \- Security Enhanced Linux Policy for the nmbd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nmbd processes via flexible mandatory access control.
-+
-+The nmbd processes execute with the nmbd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nmbd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nmbd_t SELinux type can be entered via the "nmbd_exec_t" file type. The default entrypoint paths for the nmbd_t domain are the following:"
-+
-+/usr/sbin/nmbd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nmbd policy is very flexible allowing users to setup their nmbd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nmbd:
-+
-+.EX
-+.B nmbd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nmbd policy is very flexible allowing users to setup their nmbd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nmbd:
-+
-+
-+.EX
-+.PP
-+.B nmbd_exec_t
-+.EE
-+
-+- Set files with the nmbd_exec_t type, if you want to transition an executable to the nmbd_t domain.
-+
-+
-+.EX
-+.PP
-+.B nmbd_var_run_t
-+.EE
-+
-+- Set files with the nmbd_var_run_t type, if you want to store the nmbd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux nmbd policy is very flexible allowing users to setup their nmbd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for nmbd:
-+
-+.EX
-+.TP 5
-+.B nmbd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 137,138
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nmbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nmbd_var_run_t
-+
-+ /var/run/nmbd(/.*)?
-+.br
-+ /var/run/samba/nmbd(/.*)?
-+.br
-+ /var/run/samba/nmbd\.pid
-+.br
-+ /var/run/samba/messages\.tdb
-+.br
-+ /var/run/samba/namelist\.debug
-+.br
-+ /var/run/samba/unexpected\.tdb
-+.br
-+
-+.br
-+.B samba_log_t
-+
-+ /var/log/samba(/.*)?
-+.br
-+
-+.br
-+.B samba_var_t
-+
-+ /var/lib/samba(/.*)?
-+.br
-+ /var/cache/samba(/.*)?
-+.br
-+ /var/spool/samba(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nmbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the nmbd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nmbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/nova_ajax_selinux.8 b/man/man8/nova_ajax_selinux.8
-new file mode 100644
-index 0000000..f57b656
---- /dev/null
-+++ b/man/man8/nova_ajax_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "nova_ajax_selinux" "8" "12-11-01" "nova_ajax" "SELinux Policy documentation for nova_ajax"
-+.SH "NAME"
-+nova_ajax_selinux \- Security Enhanced Linux Policy for the nova_ajax processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nova_ajax processes via flexible mandatory access control.
-+
-+The nova_ajax processes execute with the nova_ajax_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nova_ajax_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nova_ajax_t SELinux type can be entered via the "nova_ajax_exec_t" file type. The default entrypoint paths for the nova_ajax_t domain are the following:"
-+
-+/usr/bin/nova-ajax-console-proxy
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nova_ajax policy is very flexible allowing users to setup their nova_ajax processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nova_ajax:
-+
-+.EX
-+.B nova_ajax_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nova_ajax policy is very flexible allowing users to setup their nova_ajax processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nova_ajax:
-+
-+
-+.EX
-+.PP
-+.B nova_ajax_exec_t
-+.EE
-+
-+- Set files with the nova_ajax_exec_t type, if you want to transition an executable to the nova_ajax_t domain.
-+
-+
-+.EX
-+.PP
-+.B nova_ajax_tmp_t
-+.EE
-+
-+- Set files with the nova_ajax_tmp_t type, if you want to store nova ajax temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B nova_ajax_unit_file_t
-+.EE
-+
-+- Set files with the nova_ajax_unit_file_t type, if you want to treat the files as nova ajax unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nova_ajax_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nova_ajax_tmp_t
-+
-+
-+.br
-+.B nova_log_t
-+
-+ /var/log/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_lib_t
-+
-+ /var/lib/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_run_t
-+
-+ /var/run/nova(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nova_ajax(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nova_api_selinux.8 b/man/man8/nova_api_selinux.8
-new file mode 100644
-index 0000000..094a9ae
---- /dev/null
-+++ b/man/man8/nova_api_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "nova_api_selinux" "8" "12-11-01" "nova_api" "SELinux Policy documentation for nova_api"
-+.SH "NAME"
-+nova_api_selinux \- Security Enhanced Linux Policy for the nova_api processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nova_api processes via flexible mandatory access control.
-+
-+The nova_api processes execute with the nova_api_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nova_api_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nova_api_t SELinux type can be entered via the "nova_api_exec_t" file type. The default entrypoint paths for the nova_api_t domain are the following:"
-+
-+/usr/bin/nova-api, /usr//bin/nova-api-metadata
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nova_api policy is very flexible allowing users to setup their nova_api processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nova_api:
-+
-+.EX
-+.B nova_api_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nova_api policy is very flexible allowing users to setup their nova_api processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nova_api:
-+
-+
-+.EX
-+.PP
-+.B nova_api_exec_t
-+.EE
-+
-+- Set files with the nova_api_exec_t type, if you want to transition an executable to the nova_api_t domain.
-+
-+
-+.EX
-+.PP
-+.B nova_api_tmp_t
-+.EE
-+
-+- Set files with the nova_api_tmp_t type, if you want to store nova api temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B nova_api_unit_file_t
-+.EE
-+
-+- Set files with the nova_api_unit_file_t type, if you want to treat the files as nova api unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nova_api_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nova_api_tmp_t
-+
-+
-+.br
-+.B nova_log_t
-+
-+ /var/log/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_lib_t
-+
-+ /var/lib/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_run_t
-+
-+ /var/run/nova(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nova_api(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nova_ajax_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nova_cert_selinux.8 b/man/man8/nova_cert_selinux.8
-new file mode 100644
-index 0000000..252fa7f
---- /dev/null
-+++ b/man/man8/nova_cert_selinux.8
-@@ -0,0 +1,143 @@
-+.TH "nova_cert_selinux" "8" "12-11-01" "nova_cert" "SELinux Policy documentation for nova_cert"
-+.SH "NAME"
-+nova_cert_selinux \- Security Enhanced Linux Policy for the nova_cert processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nova_cert processes via flexible mandatory access control.
-+
-+The nova_cert processes execute with the nova_cert_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nova_cert_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nova_cert_t SELinux type can be entered via the "nova_cert_exec_t" file type. The default entrypoint paths for the nova_cert_t domain are the following:"
-+
-+/usr/bin/nova-cert
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nova_cert policy is very flexible allowing users to setup their nova_cert processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nova_cert:
-+
-+.EX
-+.B nova_cert_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nova_cert policy is very flexible allowing users to setup their nova_cert processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nova_cert:
-+
-+
-+.EX
-+.PP
-+.B nova_cert_exec_t
-+.EE
-+
-+- Set files with the nova_cert_exec_t type, if you want to transition an executable to the nova_cert_t domain.
-+
-+
-+.EX
-+.PP
-+.B nova_cert_tmp_t
-+.EE
-+
-+- Set files with the nova_cert_tmp_t type, if you want to store nova cert temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B nova_cert_unit_file_t
-+.EE
-+
-+- Set files with the nova_cert_unit_file_t type, if you want to treat the files as nova cert unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nova_cert_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nova_cert_tmp_t
-+
-+
-+.br
-+.B nova_log_t
-+
-+ /var/log/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_lib_t
-+
-+ /var/lib/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_run_t
-+
-+ /var/run/nova(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nova_cert_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the nova_cert_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nova_cert(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nova_ajax_selinux(8), nova_api_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nova_compute_selinux.8 b/man/man8/nova_compute_selinux.8
-new file mode 100644
-index 0000000..cd73723
---- /dev/null
-+++ b/man/man8/nova_compute_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "nova_compute_selinux" "8" "12-11-01" "nova_compute" "SELinux Policy documentation for nova_compute"
-+.SH "NAME"
-+nova_compute_selinux \- Security Enhanced Linux Policy for the nova_compute processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nova_compute processes via flexible mandatory access control.
-+
-+The nova_compute processes execute with the nova_compute_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nova_compute_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nova_compute_t SELinux type can be entered via the "nova_compute_exec_t" file type. The default entrypoint paths for the nova_compute_t domain are the following:"
-+
-+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nova_compute policy is very flexible allowing users to setup their nova_compute processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nova_compute:
-+
-+.EX
-+.B nova_compute_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nova_compute policy is very flexible allowing users to setup their nova_compute processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nova_compute:
-+
-+
-+.EX
-+.PP
-+.B nova_compute_exec_t
-+.EE
-+
-+- Set files with the nova_compute_exec_t type, if you want to transition an executable to the nova_compute_t domain.
-+
-+
-+.EX
-+.PP
-+.B nova_compute_tmp_t
-+.EE
-+
-+- Set files with the nova_compute_tmp_t type, if you want to store nova compute temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B nova_compute_unit_file_t
-+.EE
-+
-+- Set files with the nova_compute_unit_file_t type, if you want to treat the files as nova compute unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nova_compute_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nova_compute_tmp_t
-+
-+
-+.br
-+.B nova_log_t
-+
-+ /var/log/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_lib_t
-+
-+ /var/lib/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_run_t
-+
-+ /var/run/nova(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nova_compute(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nova_console_selinux.8 b/man/man8/nova_console_selinux.8
-new file mode 100644
-index 0000000..3ac720b
---- /dev/null
-+++ b/man/man8/nova_console_selinux.8
-@@ -0,0 +1,143 @@
-+.TH "nova_console_selinux" "8" "12-11-01" "nova_console" "SELinux Policy documentation for nova_console"
-+.SH "NAME"
-+nova_console_selinux \- Security Enhanced Linux Policy for the nova_console processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nova_console processes via flexible mandatory access control.
-+
-+The nova_console processes execute with the nova_console_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nova_console_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nova_console_t SELinux type can be entered via the "nova_console_exec_t" file type. The default entrypoint paths for the nova_console_t domain are the following:"
-+
-+/usr/bin/nova-console.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nova_console policy is very flexible allowing users to setup their nova_console processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nova_console:
-+
-+.EX
-+.B nova_console_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nova_console policy is very flexible allowing users to setup their nova_console processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nova_console:
-+
-+
-+.EX
-+.PP
-+.B nova_console_exec_t
-+.EE
-+
-+- Set files with the nova_console_exec_t type, if you want to transition an executable to the nova_console_t domain.
-+
-+
-+.EX
-+.PP
-+.B nova_console_tmp_t
-+.EE
-+
-+- Set files with the nova_console_tmp_t type, if you want to store nova console temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B nova_console_unit_file_t
-+.EE
-+
-+- Set files with the nova_console_unit_file_t type, if you want to treat the files as nova console unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nova_console_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nova_console_tmp_t
-+
-+
-+.br
-+.B nova_log_t
-+
-+ /var/log/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_lib_t
-+
-+ /var/lib/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_run_t
-+
-+ /var/run/nova(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nova_console_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the nova_console_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nova_console(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nova_direct_selinux.8 b/man/man8/nova_direct_selinux.8
-new file mode 100644
-index 0000000..7739204
---- /dev/null
-+++ b/man/man8/nova_direct_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "nova_direct_selinux" "8" "12-11-01" "nova_direct" "SELinux Policy documentation for nova_direct"
-+.SH "NAME"
-+nova_direct_selinux \- Security Enhanced Linux Policy for the nova_direct processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nova_direct processes via flexible mandatory access control.
-+
-+The nova_direct processes execute with the nova_direct_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nova_direct_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nova_direct_t SELinux type can be entered via the "nova_direct_exec_t" file type. The default entrypoint paths for the nova_direct_t domain are the following:"
-+
-+/usr/bin/nova-direct-api
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nova_direct policy is very flexible allowing users to setup their nova_direct processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nova_direct:
-+
-+.EX
-+.B nova_direct_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nova_direct policy is very flexible allowing users to setup their nova_direct processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nova_direct:
-+
-+
-+.EX
-+.PP
-+.B nova_direct_exec_t
-+.EE
-+
-+- Set files with the nova_direct_exec_t type, if you want to transition an executable to the nova_direct_t domain.
-+
-+
-+.EX
-+.PP
-+.B nova_direct_tmp_t
-+.EE
-+
-+- Set files with the nova_direct_tmp_t type, if you want to store nova direct temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B nova_direct_unit_file_t
-+.EE
-+
-+- Set files with the nova_direct_unit_file_t type, if you want to treat the files as nova direct unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nova_direct_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nova_direct_tmp_t
-+
-+
-+.br
-+.B nova_log_t
-+
-+ /var/log/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_lib_t
-+
-+ /var/lib/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_run_t
-+
-+ /var/run/nova(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nova_direct(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nova_network_selinux.8 b/man/man8/nova_network_selinux.8
-new file mode 100644
-index 0000000..953274d
---- /dev/null
-+++ b/man/man8/nova_network_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "nova_network_selinux" "8" "12-11-01" "nova_network" "SELinux Policy documentation for nova_network"
-+.SH "NAME"
-+nova_network_selinux \- Security Enhanced Linux Policy for the nova_network processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nova_network processes via flexible mandatory access control.
-+
-+The nova_network processes execute with the nova_network_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nova_network_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nova_network_t SELinux type can be entered via the "nova_network_exec_t" file type. The default entrypoint paths for the nova_network_t domain are the following:"
-+
-+/usr/bin/nova-network
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nova_network policy is very flexible allowing users to setup their nova_network processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nova_network:
-+
-+.EX
-+.B nova_network_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nova_network policy is very flexible allowing users to setup their nova_network processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nova_network:
-+
-+
-+.EX
-+.PP
-+.B nova_network_exec_t
-+.EE
-+
-+- Set files with the nova_network_exec_t type, if you want to transition an executable to the nova_network_t domain.
-+
-+
-+.EX
-+.PP
-+.B nova_network_tmp_t
-+.EE
-+
-+- Set files with the nova_network_tmp_t type, if you want to store nova network temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B nova_network_unit_file_t
-+.EE
-+
-+- Set files with the nova_network_unit_file_t type, if you want to treat the files as nova network unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nova_network_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nova_log_t
-+
-+ /var/log/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_network_tmp_t
-+
-+
-+.br
-+.B nova_var_lib_t
-+
-+ /var/lib/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_run_t
-+
-+ /var/run/nova(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nova_network(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nova_objectstore_selinux.8 b/man/man8/nova_objectstore_selinux.8
-new file mode 100644
-index 0000000..449bba7
---- /dev/null
-+++ b/man/man8/nova_objectstore_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "nova_objectstore_selinux" "8" "12-11-01" "nova_objectstore" "SELinux Policy documentation for nova_objectstore"
-+.SH "NAME"
-+nova_objectstore_selinux \- Security Enhanced Linux Policy for the nova_objectstore processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nova_objectstore processes via flexible mandatory access control.
-+
-+The nova_objectstore processes execute with the nova_objectstore_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nova_objectstore_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nova_objectstore_t SELinux type can be entered via the "nova_objectstore_exec_t" file type. The default entrypoint paths for the nova_objectstore_t domain are the following:"
-+
-+/usr/bin/nova-objectstore
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nova_objectstore policy is very flexible allowing users to setup their nova_objectstore processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nova_objectstore:
-+
-+.EX
-+.B nova_objectstore_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nova_objectstore policy is very flexible allowing users to setup their nova_objectstore processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nova_objectstore:
-+
-+
-+.EX
-+.PP
-+.B nova_objectstore_exec_t
-+.EE
-+
-+- Set files with the nova_objectstore_exec_t type, if you want to transition an executable to the nova_objectstore_t domain.
-+
-+
-+.EX
-+.PP
-+.B nova_objectstore_tmp_t
-+.EE
-+
-+- Set files with the nova_objectstore_tmp_t type, if you want to store nova objectstore temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B nova_objectstore_unit_file_t
-+.EE
-+
-+- Set files with the nova_objectstore_unit_file_t type, if you want to treat the files as nova objectstore unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nova_objectstore_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nova_log_t
-+
-+ /var/log/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_objectstore_tmp_t
-+
-+
-+.br
-+.B nova_var_lib_t
-+
-+ /var/lib/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_run_t
-+
-+ /var/run/nova(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nova_objectstore(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nova_scheduler_selinux.8 b/man/man8/nova_scheduler_selinux.8
-new file mode 100644
-index 0000000..ef40436
---- /dev/null
-+++ b/man/man8/nova_scheduler_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "nova_scheduler_selinux" "8" "12-11-01" "nova_scheduler" "SELinux Policy documentation for nova_scheduler"
-+.SH "NAME"
-+nova_scheduler_selinux \- Security Enhanced Linux Policy for the nova_scheduler processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nova_scheduler processes via flexible mandatory access control.
-+
-+The nova_scheduler processes execute with the nova_scheduler_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nova_scheduler_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nova_scheduler_t SELinux type can be entered via the "nova_scheduler_exec_t" file type. The default entrypoint paths for the nova_scheduler_t domain are the following:"
-+
-+/usr/bin/nova-scheduler
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nova_scheduler policy is very flexible allowing users to setup their nova_scheduler processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nova_scheduler:
-+
-+.EX
-+.B nova_scheduler_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nova_scheduler policy is very flexible allowing users to setup their nova_scheduler processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nova_scheduler:
-+
-+
-+.EX
-+.PP
-+.B nova_scheduler_exec_t
-+.EE
-+
-+- Set files with the nova_scheduler_exec_t type, if you want to transition an executable to the nova_scheduler_t domain.
-+
-+
-+.EX
-+.PP
-+.B nova_scheduler_tmp_t
-+.EE
-+
-+- Set files with the nova_scheduler_tmp_t type, if you want to store nova scheduler temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B nova_scheduler_unit_file_t
-+.EE
-+
-+- Set files with the nova_scheduler_unit_file_t type, if you want to treat the files as nova scheduler unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nova_scheduler_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nova_log_t
-+
-+ /var/log/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_scheduler_tmp_t
-+
-+
-+.br
-+.B nova_var_lib_t
-+
-+ /var/lib/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_run_t
-+
-+ /var/run/nova(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nova_scheduler(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nova_vncproxy_selinux.8 b/man/man8/nova_vncproxy_selinux.8
-new file mode 100644
-index 0000000..452fe26
---- /dev/null
-+++ b/man/man8/nova_vncproxy_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "nova_vncproxy_selinux" "8" "12-11-01" "nova_vncproxy" "SELinux Policy documentation for nova_vncproxy"
-+.SH "NAME"
-+nova_vncproxy_selinux \- Security Enhanced Linux Policy for the nova_vncproxy processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nova_vncproxy processes via flexible mandatory access control.
-+
-+The nova_vncproxy processes execute with the nova_vncproxy_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nova_vncproxy_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nova_vncproxy_t SELinux type can be entered via the "nova_vncproxy_exec_t" file type. The default entrypoint paths for the nova_vncproxy_t domain are the following:"
-+
-+/usr/bin/nova-vncproxy, /usr/bin/nova-xvpvncproxy
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nova_vncproxy policy is very flexible allowing users to setup their nova_vncproxy processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nova_vncproxy:
-+
-+.EX
-+.B nova_vncproxy_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nova_vncproxy policy is very flexible allowing users to setup their nova_vncproxy processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nova_vncproxy:
-+
-+
-+.EX
-+.PP
-+.B nova_vncproxy_exec_t
-+.EE
-+
-+- Set files with the nova_vncproxy_exec_t type, if you want to transition an executable to the nova_vncproxy_t domain.
-+
-+
-+.EX
-+.PP
-+.B nova_vncproxy_tmp_t
-+.EE
-+
-+- Set files with the nova_vncproxy_tmp_t type, if you want to store nova vncproxy temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B nova_vncproxy_unit_file_t
-+.EE
-+
-+- Set files with the nova_vncproxy_unit_file_t type, if you want to treat the files as nova vncproxy unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nova_vncproxy_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nova_log_t
-+
-+ /var/log/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_lib_t
-+
-+ /var/lib/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_run_t
-+
-+ /var/run/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_vncproxy_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nova_vncproxy(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_volume_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nova_volume_selinux.8 b/man/man8/nova_volume_selinux.8
-new file mode 100644
-index 0000000..b39d068
---- /dev/null
-+++ b/man/man8/nova_volume_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "nova_volume_selinux" "8" "12-11-01" "nova_volume" "SELinux Policy documentation for nova_volume"
-+.SH "NAME"
-+nova_volume_selinux \- Security Enhanced Linux Policy for the nova_volume processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nova_volume processes via flexible mandatory access control.
-+
-+The nova_volume processes execute with the nova_volume_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nova_volume_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nova_volume_t SELinux type can be entered via the "nova_volume_exec_t" file type. The default entrypoint paths for the nova_volume_t domain are the following:"
-+
-+/usr/bin/nova-volume
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nova_volume policy is very flexible allowing users to setup their nova_volume processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nova_volume:
-+
-+.EX
-+.B nova_volume_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nova_volume policy is very flexible allowing users to setup their nova_volume processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nova_volume:
-+
-+
-+.EX
-+.PP
-+.B nova_volume_exec_t
-+.EE
-+
-+- Set files with the nova_volume_exec_t type, if you want to transition an executable to the nova_volume_t domain.
-+
-+
-+.EX
-+.PP
-+.B nova_volume_tmp_t
-+.EE
-+
-+- Set files with the nova_volume_tmp_t type, if you want to store nova volume temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B nova_volume_unit_file_t
-+.EE
-+
-+- Set files with the nova_volume_unit_file_t type, if you want to treat the files as nova volume unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nova_volume_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nova_log_t
-+
-+ /var/log/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_lib_t
-+
-+ /var/lib/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_var_run_t
-+
-+ /var/run/nova(/.*)?
-+.br
-+
-+.br
-+.B nova_volume_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nova_volume(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nrpe_selinux.8 b/man/man8/nrpe_selinux.8
-new file mode 100644
-index 0000000..f91aa56
---- /dev/null
-+++ b/man/man8/nrpe_selinux.8
-@@ -0,0 +1,124 @@
-+.TH "nrpe_selinux" "8" "12-11-01" "nrpe" "SELinux Policy documentation for nrpe"
-+.SH "NAME"
-+nrpe_selinux \- Security Enhanced Linux Policy for the nrpe processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nrpe processes via flexible mandatory access control.
-+
-+The nrpe processes execute with the nrpe_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nrpe_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nrpe_t SELinux type can be entered via the "nrpe_exec_t" file type. The default entrypoint paths for the nrpe_t domain are the following:"
-+
-+/usr/s?bin/nrpe
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nrpe policy is very flexible allowing users to setup their nrpe processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nrpe:
-+
-+.EX
-+.B nrpe_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nrpe policy is very flexible allowing users to setup their nrpe processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nrpe:
-+
-+
-+.EX
-+.PP
-+.B nrpe_etc_t
-+.EE
-+
-+- Set files with the nrpe_etc_t type, if you want to store nrpe files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B nrpe_exec_t
-+.EE
-+
-+- Set files with the nrpe_exec_t type, if you want to transition an executable to the nrpe_t domain.
-+
-+
-+.EX
-+.PP
-+.B nrpe_var_run_t
-+.EE
-+
-+- Set files with the nrpe_var_run_t type, if you want to store the nrpe files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nrpe_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nrpe_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nrpe_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the nrpe_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nrpe(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/nscd_selinux.8 b/man/man8/nscd_selinux.8
-new file mode 100644
-index 0000000..2d79417
---- /dev/null
-+++ b/man/man8/nscd_selinux.8
-@@ -0,0 +1,184 @@
-+.TH "nscd_selinux" "8" "12-11-01" "nscd" "SELinux Policy documentation for nscd"
-+.SH "NAME"
-+nscd_selinux \- Security Enhanced Linux Policy for the nscd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nscd processes via flexible mandatory access control.
-+
-+The nscd processes execute with the nscd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nscd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nscd_t SELinux type can be entered via the "nscd_exec_t" file type. The default entrypoint paths for the nscd_t domain are the following:"
-+
-+/usr/sbin/nscd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nscd policy is very flexible allowing users to setup their nscd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nscd:
-+
-+.EX
-+.B nscd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. nscd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nscd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean.
-+
-+.EX
-+.B setsebool -P nscd_use_shm 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean.
-+
-+.EX
-+.B setsebool -P nscd_use_shm 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nscd policy is very flexible allowing users to setup their nscd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nscd:
-+
-+
-+.EX
-+.PP
-+.B nscd_exec_t
-+.EE
-+
-+- Set files with the nscd_exec_t type, if you want to transition an executable to the nscd_t domain.
-+
-+
-+.EX
-+.PP
-+.B nscd_initrc_exec_t
-+.EE
-+
-+- Set files with the nscd_initrc_exec_t type, if you want to transition an executable to the nscd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B nscd_log_t
-+.EE
-+
-+- Set files with the nscd_log_t type, if you want to treat the data as nscd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B nscd_unit_file_t
-+.EE
-+
-+- Set files with the nscd_unit_file_t type, if you want to treat the files as nscd unit content.
-+
-+
-+.EX
-+.PP
-+.B nscd_var_run_t
-+.EE
-+
-+- Set files with the nscd_var_run_t type, if you want to store the nscd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nscd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nscd_log_t
-+
-+ /var/log/nscd\.log.*
-+.br
-+
-+.br
-+.B nscd_var_run_t
-+
-+ /var/db/nscd(/.*)?
-+.br
-+ /var/run/nscd(/.*)?
-+.br
-+ /var/cache/nscd(/.*)?
-+.br
-+ /var/run/nscd\.pid
-+.br
-+ /var/run/\.nscd_socket
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nscd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the nscd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nscd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/nslcd_selinux.8 b/man/man8/nslcd_selinux.8
-new file mode 100644
-index 0000000..a01b48c
---- /dev/null
-+++ b/man/man8/nslcd_selinux.8
-@@ -0,0 +1,134 @@
-+.TH "nslcd_selinux" "8" "12-11-01" "nslcd" "SELinux Policy documentation for nslcd"
-+.SH "NAME"
-+nslcd_selinux \- Security Enhanced Linux Policy for the nslcd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nslcd processes via flexible mandatory access control.
-+
-+The nslcd processes execute with the nslcd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nslcd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nslcd_t SELinux type can be entered via the "nslcd_exec_t" file type. The default entrypoint paths for the nslcd_t domain are the following:"
-+
-+/usr/sbin/nslcd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nslcd policy is very flexible allowing users to setup their nslcd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nslcd:
-+
-+.EX
-+.B nslcd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nslcd policy is very flexible allowing users to setup their nslcd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nslcd:
-+
-+
-+.EX
-+.PP
-+.B nslcd_conf_t
-+.EE
-+
-+- Set files with the nslcd_conf_t type, if you want to treat the files as nslcd configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B nslcd_exec_t
-+.EE
-+
-+- Set files with the nslcd_exec_t type, if you want to transition an executable to the nslcd_t domain.
-+
-+
-+.EX
-+.PP
-+.B nslcd_initrc_exec_t
-+.EE
-+
-+- Set files with the nslcd_initrc_exec_t type, if you want to transition an executable to the nslcd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B nslcd_var_run_t
-+.EE
-+
-+- Set files with the nslcd_var_run_t type, if you want to store the nslcd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nslcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nslcd_var_run_t
-+
-+ /var/run/nslcd(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nslcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the nslcd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nslcd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ntop_selinux.8 b/man/man8/ntop_selinux.8
-new file mode 100644
-index 0000000..ea60031
---- /dev/null
-+++ b/man/man8/ntop_selinux.8
-@@ -0,0 +1,188 @@
-+.TH "ntop_selinux" "8" "12-11-01" "ntop" "SELinux Policy documentation for ntop"
-+.SH "NAME"
-+ntop_selinux \- Security Enhanced Linux Policy for the ntop processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ntop processes via flexible mandatory access control.
-+
-+The ntop processes execute with the ntop_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ntop_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ntop_t SELinux type can be entered via the "ntop_exec_t" file type. The default entrypoint paths for the ntop_t domain are the following:"
-+
-+/usr/bin/ntop
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ntop policy is very flexible allowing users to setup their ntop processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ntop:
-+
-+.EX
-+.B ntop_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ntop policy is very flexible allowing users to setup their ntop processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ntop:
-+
-+
-+.EX
-+.PP
-+.B ntop_etc_t
-+.EE
-+
-+- Set files with the ntop_etc_t type, if you want to store ntop files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B ntop_exec_t
-+.EE
-+
-+- Set files with the ntop_exec_t type, if you want to transition an executable to the ntop_t domain.
-+
-+
-+.EX
-+.PP
-+.B ntop_initrc_exec_t
-+.EE
-+
-+- Set files with the ntop_initrc_exec_t type, if you want to transition an executable to the ntop_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B ntop_tmp_t
-+.EE
-+
-+- Set files with the ntop_tmp_t type, if you want to store ntop temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B ntop_var_lib_t
-+.EE
-+
-+- Set files with the ntop_var_lib_t type, if you want to store the ntop files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B ntop_var_run_t
-+.EE
-+
-+- Set files with the ntop_var_run_t type, if you want to store the ntop files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux ntop policy is very flexible allowing users to setup their ntop processes in as secure a method as possible.
-+.PP
-+The following port types are defined for ntop:
-+
-+.EX
-+.TP 5
-+.B ntop_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 3000-3001
-+.EE
-+udp 3000-3001
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ntop_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ntop_tmp_t
-+
-+
-+.br
-+.B ntop_var_lib_t
-+
-+ /var/lib/ntop(/.*)?
-+.br
-+
-+.br
-+.B ntop_var_run_t
-+
-+ /var/run/ntop\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ntop_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ntop_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ntop(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ntpd_selinux.8 b/man/man8/ntpd_selinux.8
-new file mode 100644
-index 0000000..d93b729
---- /dev/null
-+++ b/man/man8/ntpd_selinux.8
-@@ -0,0 +1,240 @@
-+.TH "ntpd_selinux" "8" "12-11-01" "ntpd" "SELinux Policy documentation for ntpd"
-+.SH "NAME"
-+ntpd_selinux \- Security Enhanced Linux Policy for the ntpd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ntpd processes via flexible mandatory access control.
-+
-+The ntpd processes execute with the ntpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ntpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ntpd_t SELinux type can be entered via the "ntpd_exec_t,ntpdate_exec_t" file types. The default entrypoint paths for the ntpd_t domain are the following:"
-+
-+/etc/cron\.(daily|weekly)/ntp-simple, /etc/cron\.(daily|weekly)/ntp-server, /usr/sbin/ntpd, /usr/sbin/ntpdate
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ntpd policy is very flexible allowing users to setup their ntpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ntpd:
-+
-+.EX
-+.B ntpd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ntpd policy is very flexible allowing users to setup their ntpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ntpd:
-+
-+
-+.EX
-+.PP
-+.B ntpd_exec_t
-+.EE
-+
-+- Set files with the ntpd_exec_t type, if you want to transition an executable to the ntpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B ntpd_initrc_exec_t
-+.EE
-+
-+- Set files with the ntpd_initrc_exec_t type, if you want to transition an executable to the ntpd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B ntpd_key_t
-+.EE
-+
-+- Set files with the ntpd_key_t type, if you want to treat the files as ntpd key data.
-+
-+
-+.EX
-+.PP
-+.B ntpd_log_t
-+.EE
-+
-+- Set files with the ntpd_log_t type, if you want to treat the data as ntpd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B ntpd_tmp_t
-+.EE
-+
-+- Set files with the ntpd_tmp_t type, if you want to store ntpd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B ntpd_tmpfs_t
-+.EE
-+
-+- Set files with the ntpd_tmpfs_t type, if you want to store ntpd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B ntpd_unit_file_t
-+.EE
-+
-+- Set files with the ntpd_unit_file_t type, if you want to treat the files as ntpd unit content.
-+
-+
-+.EX
-+.PP
-+.B ntpd_var_run_t
-+.EE
-+
-+- Set files with the ntpd_var_run_t type, if you want to store the ntpd files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B ntpdate_exec_t
-+.EE
-+
-+- Set files with the ntpdate_exec_t type, if you want to transition an executable to the ntpdate_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux ntpd policy is very flexible allowing users to setup their ntpd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for ntpd:
-+
-+.EX
-+.TP 5
-+.B ntp_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 123
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ntpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B gpsd_tmpfs_t
-+
-+
-+.br
-+.B ntp_drift_t
-+
-+ /var/lib/ntp(/.*)?
-+.br
-+ /etc/ntp/data(/.*)?
-+.br
-+
-+.br
-+.B ntpd_log_t
-+
-+ /var/log/ntp.*
-+.br
-+ /var/log/xntpd.*
-+.br
-+ /var/log/ntpstats(/.*)?
-+.br
-+
-+.br
-+.B ntpd_tmp_t
-+
-+
-+.br
-+.B ntpd_tmpfs_t
-+
-+
-+.br
-+.B ntpd_var_run_t
-+
-+ /var/run/ntpd\.pid
-+.br
-+
-+.br
-+.B tmpfs_t
-+
-+ /dev/shm
-+.br
-+ /lib/udev/devices/shm
-+.br
-+ /usr/lib/udev/devices/shm
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ntpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ntpd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ntpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/numad_selinux.8 b/man/man8/numad_selinux.8
-new file mode 100644
-index 0000000..4602514
---- /dev/null
-+++ b/man/man8/numad_selinux.8
-@@ -0,0 +1,126 @@
-+.TH "numad_selinux" "8" "12-11-01" "numad" "SELinux Policy documentation for numad"
-+.SH "NAME"
-+numad_selinux \- Security Enhanced Linux Policy for the numad processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the numad processes via flexible mandatory access control.
-+
-+The numad processes execute with the numad_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep numad_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The numad_t SELinux type can be entered via the "numad_exec_t" file type. The default entrypoint paths for the numad_t domain are the following:"
-+
-+/usr/bin/numad
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux numad policy is very flexible allowing users to setup their numad processes in as secure a method as possible.
-+.PP
-+The following process types are defined for numad:
-+
-+.EX
-+.B numad_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux numad policy is very flexible allowing users to setup their numad processes in as secure a method as possible.
-+.PP
-+The following file types are defined for numad:
-+
-+
-+.EX
-+.PP
-+.B numad_exec_t
-+.EE
-+
-+- Set files with the numad_exec_t type, if you want to transition an executable to the numad_t domain.
-+
-+
-+.EX
-+.PP
-+.B numad_unit_file_t
-+.EE
-+
-+- Set files with the numad_unit_file_t type, if you want to treat the files as numad unit content.
-+
-+
-+.EX
-+.PP
-+.B numad_var_log_t
-+.EE
-+
-+- Set files with the numad_var_log_t type, if you want to treat the data as numad var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B numad_var_run_t
-+.EE
-+
-+- Set files with the numad_var_run_t type, if you want to store the numad files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type numad_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B numad_var_log_t
-+
-+ /var/log/numad\.log.*
-+.br
-+
-+.br
-+.B numad_var_run_t
-+
-+ /var/run/numad\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), numad(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/nut_upsd_selinux.8 b/man/man8/nut_upsd_selinux.8
-new file mode 100644
-index 0000000..f9abfb2
---- /dev/null
-+++ b/man/man8/nut_upsd_selinux.8
-@@ -0,0 +1,119 @@
-+.TH "nut_upsd_selinux" "8" "12-11-01" "nut_upsd" "SELinux Policy documentation for nut_upsd"
-+.SH "NAME"
-+nut_upsd_selinux \- Security Enhanced Linux Policy for the nut_upsd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nut_upsd processes via flexible mandatory access control.
-+
-+The nut_upsd processes execute with the nut_upsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nut_upsd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nut_upsd_t SELinux type can be entered via the "nut_upsd_exec_t" file type. The default entrypoint paths for the nut_upsd_t domain are the following:"
-+
-+/usr/sbin/upsd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nut_upsd policy is very flexible allowing users to setup their nut_upsd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nut_upsd:
-+
-+.EX
-+.B nut_upsd_t, nut_upsmon_t, nut_upsdrvctl_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nut_upsd policy is very flexible allowing users to setup their nut_upsd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nut_upsd:
-+
-+
-+.EX
-+.PP
-+.B nut_upsd_exec_t
-+.EE
-+
-+- Set files with the nut_upsd_exec_t type, if you want to transition an executable to the nut_upsd_t domain.
-+
-+
-+.EX
-+.PP
-+.B nut_upsdrvctl_exec_t
-+.EE
-+
-+- Set files with the nut_upsdrvctl_exec_t type, if you want to transition an executable to the nut_upsdrvctl_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nut_upsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nut_var_run_t
-+
-+ /var/run/nut(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nut_upsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nut_upsdrvctl_selinux(8), nut_upsmon_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nut_upsdrvctl_selinux.8 b/man/man8/nut_upsdrvctl_selinux.8
-new file mode 100644
-index 0000000..fbe671e
---- /dev/null
-+++ b/man/man8/nut_upsdrvctl_selinux.8
-@@ -0,0 +1,111 @@
-+.TH "nut_upsdrvctl_selinux" "8" "12-11-01" "nut_upsdrvctl" "SELinux Policy documentation for nut_upsdrvctl"
-+.SH "NAME"
-+nut_upsdrvctl_selinux \- Security Enhanced Linux Policy for the nut_upsdrvctl processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nut_upsdrvctl processes via flexible mandatory access control.
-+
-+The nut_upsdrvctl processes execute with the nut_upsdrvctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nut_upsdrvctl_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nut_upsdrvctl_t SELinux type can be entered via the "nut_upsdrvctl_exec_t" file type. The default entrypoint paths for the nut_upsdrvctl_t domain are the following:"
-+
-+/sbin/upsdrvctl, /usr/sbin/upsdrvctl
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nut_upsdrvctl policy is very flexible allowing users to setup their nut_upsdrvctl processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nut_upsdrvctl:
-+
-+.EX
-+.B nut_upsdrvctl_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nut_upsdrvctl policy is very flexible allowing users to setup their nut_upsdrvctl processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nut_upsdrvctl:
-+
-+
-+.EX
-+.PP
-+.B nut_upsdrvctl_exec_t
-+.EE
-+
-+- Set files with the nut_upsdrvctl_exec_t type, if you want to transition an executable to the nut_upsdrvctl_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nut_upsdrvctl_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nut_var_run_t
-+
-+ /var/run/nut(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsdrvctl_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the nut_upsdrvctl_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nut_upsdrvctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nut_upsd_selinux(8), nut_upsd_selinux(8), nut_upsmon_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nut_upsmon_selinux.8 b/man/man8/nut_upsmon_selinux.8
-new file mode 100644
-index 0000000..8abe28c
---- /dev/null
-+++ b/man/man8/nut_upsmon_selinux.8
-@@ -0,0 +1,185 @@
-+.TH "nut_upsmon_selinux" "8" "12-11-01" "nut_upsmon" "SELinux Policy documentation for nut_upsmon"
-+.SH "NAME"
-+nut_upsmon_selinux \- Security Enhanced Linux Policy for the nut_upsmon processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the nut_upsmon processes via flexible mandatory access control.
-+
-+The nut_upsmon processes execute with the nut_upsmon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep nut_upsmon_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The nut_upsmon_t SELinux type can be entered via the "nut_upsmon_exec_t" file type. The default entrypoint paths for the nut_upsmon_t domain are the following:"
-+
-+/usr/sbin/upsmon
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux nut_upsmon policy is very flexible allowing users to setup their nut_upsmon processes in as secure a method as possible.
-+.PP
-+The following process types are defined for nut_upsmon:
-+
-+.EX
-+.B nut_upsmon_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux nut_upsmon policy is very flexible allowing users to setup their nut_upsmon processes in as secure a method as possible.
-+.PP
-+The following file types are defined for nut_upsmon:
-+
-+
-+.EX
-+.PP
-+.B nut_upsmon_exec_t
-+.EE
-+
-+- Set files with the nut_upsmon_exec_t type, if you want to transition an executable to the nut_upsmon_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nut_upsmon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B nut_var_run_t
-+
-+ /var/run/nut(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsmon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the nut_upsmon_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nut_upsmon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, nut_upsd_selinux(8), nut_upsdrvctl_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/nx_server_selinux.8 b/man/man8/nx_server_selinux.8
-new file mode 100644
-index 0000000..e551b42
---- /dev/null
-+++ b/man/man8/nx_server_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "nx_server_selinux" "8" "nx_server" "mgrepl@redhat.com" "nx_server SELinux Policy documentation"
-+.SH "NAME"
-+nx_server_r \- \fBnx_server user role\fP - Security Enhanced Linux Policy
-+
-+.SH DESCRIPTION
-+
-+SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into.
-+
-+.I Note:
-+Examples in this man page will use the
-+.B staff_u
-+SELinux user.
-+
-+Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them.
-+
-+The default type for the nx_server_r role is nx_server_t.
-+
-+The
-+.B newrole
-+program to transition directly to this role.
-+
-+.B newrole -r nx_server_r -t nx_server_t
-+
-+.B sudo
-+is the preferred method to do transition from one role to another. You setup sudo to transition to nx_server_r by adding a similar line to the /etc/sudoers file.
-+
-+USERNAME ALL=(ALL) ROLE=nx_server_r TYPE=nx_server_t COMMAND
-+
-+.br
-+sudo will run COMMAND as staff_u:nx_server_r:nx_server_t:LEVEL
-+
-+When using a a non login role, you need to setup SELinux so that your SELinux user can reach nx_server_r role.
-+
-+Execute the following to see all of the assigned SELinux roles:
-+
-+.B semanage user -l
-+
-+You need to add nx_server_r to the staff_u user. You could setup the staff_u user to be able to use the nx_server_r role with a command like:
-+
-+.B $ semanage user -m -R 'staff_r system_r nx_server_r' staff_u
-+
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type nx_server_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B nx_server_home_ssh_t
-+
-+ /opt/NX/home/nx/\.ssh(/.*)?
-+.br
-+ /usr/NX/home/nx/\.ssh(/.*)?
-+.br
-+ /var/lib/nxserver/home/.ssh(/.*)?
-+.br
-+
-+.br
-+.B nx_server_tmp_t
-+
-+
-+.br
-+.B nx_server_var_lib_t
-+
-+ /opt/NX/home(/.*)?
-+.br
-+ /usr/NX/home(/.*)?
-+.br
-+ /var/lib/nxserver(/.*)?
-+.br
-+
-+.br
-+.B nx_server_var_run_t
-+
-+ /opt/NX/var(/.*)?
-+.br
-+
-+.br
-+.B ssh_home_t
-+
-+ /root/\.ssh(/.*)?
-+.br
-+ /var/lib/openshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/amanda/\.ssh(/.*)?
-+.br
-+ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite/\.ssh(/.*)?
-+.br
-+ /var/lib/nocpulse/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite3/\.ssh(/.*)?
-+.br
-+ /root/\.shosts
-+.br
-+ /home/[^/]*/\.ssh(/.*)?
-+.br
-+ /home/[^/]*/\.shosts
-+.br
-+ /home/dwalsh/\.ssh(/.*)?
-+.br
-+ /home/dwalsh/\.shosts
-+.br
-+ /var/lib/xguest/home/xguest/\.ssh(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.shosts
-+.br
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), nx_server(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/obex_selinux.8 b/man/man8/obex_selinux.8
-new file mode 100644
-index 0000000..516eea1
---- /dev/null
-+++ b/man/man8/obex_selinux.8
-@@ -0,0 +1,86 @@
-+.TH "obex_selinux" "8" "12-11-01" "obex" "SELinux Policy documentation for obex"
-+.SH "NAME"
-+obex_selinux \- Security Enhanced Linux Policy for the obex processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the obex processes via flexible mandatory access control.
-+
-+The obex processes execute with the obex_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep obex_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The obex_t SELinux type can be entered via the "obex_exec_t" file type. The default entrypoint paths for the obex_t domain are the following:"
-+
-+/usr/bin/obex-data-server
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux obex policy is very flexible allowing users to setup their obex processes in as secure a method as possible.
-+.PP
-+The following process types are defined for obex:
-+
-+.EX
-+.B obex_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux obex policy is very flexible allowing users to setup their obex processes in as secure a method as possible.
-+.PP
-+The following file types are defined for obex:
-+
-+
-+.EX
-+.PP
-+.B obex_exec_t
-+.EE
-+
-+- Set files with the obex_exec_t type, if you want to transition an executable to the obex_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), obex(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/oddjob_mkhomedir_selinux.8 b/man/man8/oddjob_mkhomedir_selinux.8
-new file mode 100644
-index 0000000..a049201
---- /dev/null
-+++ b/man/man8/oddjob_mkhomedir_selinux.8
-@@ -0,0 +1,117 @@
-+.TH "oddjob_mkhomedir_selinux" "8" "12-11-01" "oddjob_mkhomedir" "SELinux Policy documentation for oddjob_mkhomedir"
-+.SH "NAME"
-+oddjob_mkhomedir_selinux \- Security Enhanced Linux Policy for the oddjob_mkhomedir processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the oddjob_mkhomedir processes via flexible mandatory access control.
-+
-+The oddjob_mkhomedir processes execute with the oddjob_mkhomedir_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep oddjob_mkhomedir_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The oddjob_mkhomedir_t SELinux type can be entered via the "oddjob_mkhomedir_exec_t" file type. The default entrypoint paths for the oddjob_mkhomedir_t domain are the following:"
-+
-+/usr/lib/oddjob/mkhomedir, /usr/sbin/mkhomedir_helper, /usr/libexec/oddjob/mkhomedir
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux oddjob_mkhomedir policy is very flexible allowing users to setup their oddjob_mkhomedir processes in as secure a method as possible.
-+.PP
-+The following process types are defined for oddjob_mkhomedir:
-+
-+.EX
-+.B oddjob_mkhomedir_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux oddjob_mkhomedir policy is very flexible allowing users to setup their oddjob_mkhomedir processes in as secure a method as possible.
-+.PP
-+The following file types are defined for oddjob_mkhomedir:
-+
-+
-+.EX
-+.PP
-+.B oddjob_mkhomedir_exec_t
-+.EE
-+
-+- Set files with the oddjob_mkhomedir_exec_t type, if you want to transition an executable to the oddjob_mkhomedir_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type oddjob_mkhomedir_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B user_home_type
-+
-+ all user home files
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the oddjob_mkhomedir_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the oddjob_mkhomedir_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), oddjob_mkhomedir(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, oddjob_selinux(8), oddjob_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/oddjob_selinux.8 b/man/man8/oddjob_selinux.8
-new file mode 100644
-index 0000000..da2bce8
---- /dev/null
-+++ b/man/man8/oddjob_selinux.8
-@@ -0,0 +1,154 @@
-+.TH "oddjob_selinux" "8" "12-11-01" "oddjob" "SELinux Policy documentation for oddjob"
-+.SH "NAME"
-+oddjob_selinux \- Security Enhanced Linux Policy for the oddjob processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the oddjob processes via flexible mandatory access control.
-+
-+The oddjob processes execute with the oddjob_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep oddjob_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The oddjob_t SELinux type can be entered via the "oddjob_exec_t" file type. The default entrypoint paths for the oddjob_t domain are the following:"
-+
-+/usr/sbin/oddjobd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux oddjob policy is very flexible allowing users to setup their oddjob processes in as secure a method as possible.
-+.PP
-+The following process types are defined for oddjob:
-+
-+.EX
-+.B oddjob_mkhomedir_t, oddjob_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. oddjob policy is extremely flexible and has several booleans that allow you to manipulate the policy and run oddjob with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_oddjob 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_oddjob 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux oddjob policy is very flexible allowing users to setup their oddjob processes in as secure a method as possible.
-+.PP
-+The following file types are defined for oddjob:
-+
-+
-+.EX
-+.PP
-+.B oddjob_exec_t
-+.EE
-+
-+- Set files with the oddjob_exec_t type, if you want to transition an executable to the oddjob_t domain.
-+
-+
-+.EX
-+.PP
-+.B oddjob_mkhomedir_exec_t
-+.EE
-+
-+- Set files with the oddjob_mkhomedir_exec_t type, if you want to transition an executable to the oddjob_mkhomedir_t domain.
-+
-+
-+.EX
-+.PP
-+.B oddjob_var_run_t
-+.EE
-+
-+- Set files with the oddjob_var_run_t type, if you want to store the oddjob files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type oddjob_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B oddjob_var_run_t
-+
-+ /var/run/oddjobd\.pid
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the oddjob_mkhomedir_t, oddjob_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the oddjob_mkhomedir_t, oddjob_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), oddjob(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), oddjob_mkhomedir_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/openct_selinux.8 b/man/man8/openct_selinux.8
-new file mode 100644
-index 0000000..7a5ded1
---- /dev/null
-+++ b/man/man8/openct_selinux.8
-@@ -0,0 +1,108 @@
-+.TH "openct_selinux" "8" "12-11-01" "openct" "SELinux Policy documentation for openct"
-+.SH "NAME"
-+openct_selinux \- Security Enhanced Linux Policy for the openct processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the openct processes via flexible mandatory access control.
-+
-+The openct processes execute with the openct_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep openct_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The openct_t SELinux type can be entered via the "openct_exec_t" file type. The default entrypoint paths for the openct_t domain are the following:"
-+
-+/usr/sbin/ifdhandler, /usr/sbin/openct-control
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux openct policy is very flexible allowing users to setup their openct processes in as secure a method as possible.
-+.PP
-+The following process types are defined for openct:
-+
-+.EX
-+.B openct_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux openct policy is very flexible allowing users to setup their openct processes in as secure a method as possible.
-+.PP
-+The following file types are defined for openct:
-+
-+
-+.EX
-+.PP
-+.B openct_exec_t
-+.EE
-+
-+- Set files with the openct_exec_t type, if you want to transition an executable to the openct_t domain.
-+
-+
-+.EX
-+.PP
-+.B openct_var_run_t
-+.EE
-+
-+- Set files with the openct_var_run_t type, if you want to store the openct files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type openct_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B openct_var_run_t
-+
-+ /var/run/openct(/.*)?
-+.br
-+
-+.br
-+.B usbfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), openct(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/openshift_cgroup_read_selinux.8 b/man/man8/openshift_cgroup_read_selinux.8
-new file mode 100644
-index 0000000..535b556
---- /dev/null
-+++ b/man/man8/openshift_cgroup_read_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "openshift_cgroup_read_selinux" "8" "12-11-01" "openshift_cgroup_read" "SELinux Policy documentation for openshift_cgroup_read"
-+.SH "NAME"
-+openshift_cgroup_read_selinux \- Security Enhanced Linux Policy for the openshift_cgroup_read processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the openshift_cgroup_read processes via flexible mandatory access control.
-+
-+The openshift_cgroup_read processes execute with the openshift_cgroup_read_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep openshift_cgroup_read_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The openshift_cgroup_read_t SELinux type can be entered via the "openshift_cgroup_read_exec_t" file type. The default entrypoint paths for the openshift_cgroup_read_t domain are the following:"
-+
-+/usr/bin/(oo|rhc)-cgroup-read
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux openshift_cgroup_read policy is very flexible allowing users to setup their openshift_cgroup_read processes in as secure a method as possible.
-+.PP
-+The following process types are defined for openshift_cgroup_read:
-+
-+.EX
-+.B openshift_cgroup_read_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux openshift_cgroup_read policy is very flexible allowing users to setup their openshift_cgroup_read processes in as secure a method as possible.
-+.PP
-+The following file types are defined for openshift_cgroup_read:
-+
-+
-+.EX
-+.PP
-+.B openshift_cgroup_read_exec_t
-+.EE
-+
-+- Set files with the openshift_cgroup_read_exec_t type, if you want to transition an executable to the openshift_cgroup_read_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), openshift_cgroup_read(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, openshift_initrc_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/openshift_initrc_selinux.8 b/man/man8/openshift_initrc_selinux.8
-new file mode 100644
-index 0000000..43101f1
---- /dev/null
-+++ b/man/man8/openshift_initrc_selinux.8
-@@ -0,0 +1,105 @@
-+.TH "openshift_initrc_selinux" "8" "12-11-01" "openshift_initrc" "SELinux Policy documentation for openshift_initrc"
-+.SH "NAME"
-+openshift_initrc_selinux \- Security Enhanced Linux Policy for the openshift_initrc processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the openshift_initrc processes via flexible mandatory access control.
-+
-+The openshift_initrc processes execute with the openshift_initrc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep openshift_initrc_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The openshift_initrc_t SELinux type can be entered via the "filesystem_type,openshift_initrc_exec_t,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type" file types. The default entrypoint paths for the openshift_initrc_t domain are the following:"
-+
-+/usr/bin/(oo|rhc)-restorer, /etc/rc\.d/init\.d/libra, /usr/sbin/mcollectived, /usr/bin/oo-admin-ctl-gears, /etc/rc\.d/init\.d/mcollective, /dev/cpu/mtrr, all files on the system
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux openshift_initrc policy is very flexible allowing users to setup their openshift_initrc processes in as secure a method as possible.
-+.PP
-+The following process types are defined for openshift_initrc:
-+
-+.EX
-+.B openshift_initrc_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux openshift_initrc policy is very flexible allowing users to setup their openshift_initrc processes in as secure a method as possible.
-+.PP
-+The following file types are defined for openshift_initrc:
-+
-+
-+.EX
-+.PP
-+.B openshift_initrc_exec_t
-+.EE
-+
-+- Set files with the openshift_initrc_exec_t type, if you want to transition an executable to the openshift_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B openshift_initrc_tmp_t
-+.EE
-+
-+- Set files with the openshift_initrc_tmp_t type, if you want to store openshift initrc temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type openshift_initrc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B file_type
-+
-+ all files on the system
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), openshift_initrc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, openshift_cgroup_read_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/openvpn_selinux.8 b/man/man8/openvpn_selinux.8
-new file mode 100644
-index 0000000..266266d
---- /dev/null
-+++ b/man/man8/openvpn_selinux.8
-@@ -0,0 +1,314 @@
-+.TH "openvpn_selinux" "8" "12-11-01" "openvpn" "SELinux Policy documentation for openvpn"
-+.SH "NAME"
-+openvpn_selinux \- Security Enhanced Linux Policy for the openvpn processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the openvpn processes via flexible mandatory access control.
-+
-+The openvpn processes execute with the openvpn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep openvpn_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The openvpn_t SELinux type can be entered via the "openvpn_exec_t" file type. The default entrypoint paths for the openvpn_t domain are the following:"
-+
-+/usr/sbin/openvpn
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux openvpn policy is very flexible allowing users to setup their openvpn processes in as secure a method as possible.
-+.PP
-+The following process types are defined for openvpn:
-+
-+.EX
-+.B openvpn_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. openvpn policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openvpn with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow openvpn to read home directories, you must turn on the openvpn_enable_homedirs boolean.
-+
-+.EX
-+.B setsebool -P openvpn_enable_homedirs 1
-+.EE
-+
-+.PP
-+If you want to allow openvpn to read home directories, you must turn on the openvpn_enable_homedirs boolean.
-+
-+.EX
-+.B setsebool -P openvpn_enable_homedirs 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux openvpn policy is very flexible allowing users to setup their openvpn processes in as secure a method as possible.
-+.PP
-+The following file types are defined for openvpn:
-+
-+
-+.EX
-+.PP
-+.B openvpn_etc_rw_t
-+.EE
-+
-+- Set files with the openvpn_etc_rw_t type, if you want to treat the files as openvpn etc read/write content.
-+
-+
-+.EX
-+.PP
-+.B openvpn_etc_t
-+.EE
-+
-+- Set files with the openvpn_etc_t type, if you want to store openvpn files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B openvpn_exec_t
-+.EE
-+
-+- Set files with the openvpn_exec_t type, if you want to transition an executable to the openvpn_t domain.
-+
-+
-+.EX
-+.PP
-+.B openvpn_initrc_exec_t
-+.EE
-+
-+- Set files with the openvpn_initrc_exec_t type, if you want to transition an executable to the openvpn_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B openvpn_tmp_t
-+.EE
-+
-+- Set files with the openvpn_tmp_t type, if you want to store openvpn temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B openvpn_var_log_t
-+.EE
-+
-+- Set files with the openvpn_var_log_t type, if you want to treat the data as openvpn var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B openvpn_var_run_t
-+.EE
-+
-+- Set files with the openvpn_var_run_t type, if you want to store the openvpn files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux openvpn policy is very flexible allowing users to setup their openvpn processes in as secure a method as possible.
-+.PP
-+The following port types are defined for openvpn:
-+
-+.EX
-+.TP 5
-+.B openvpn_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 1194
-+.EE
-+udp 1194
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type openvpn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.br
-+.B openvpn_etc_rw_t
-+
-+ /etc/openvpn/ipp.txt
-+.br
-+
-+.br
-+.B openvpn_tmp_t
-+
-+
-+.br
-+.B openvpn_var_log_t
-+
-+ /var/log/openvpn.*
-+.br
-+
-+.br
-+.B openvpn_var_run_t
-+
-+ /var/run/openvpn(/.*)?
-+.br
-+ /var/run/openvpn\.client.*
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the openvpn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the openvpn_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), openvpn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/pacemaker_selinux.8 b/man/man8/pacemaker_selinux.8
-new file mode 100644
-index 0000000..30da0ee
---- /dev/null
-+++ b/man/man8/pacemaker_selinux.8
-@@ -0,0 +1,150 @@
-+.TH "pacemaker_selinux" "8" "12-11-01" "pacemaker" "SELinux Policy documentation for pacemaker"
-+.SH "NAME"
-+pacemaker_selinux \- Security Enhanced Linux Policy for the pacemaker processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pacemaker processes via flexible mandatory access control.
-+
-+The pacemaker processes execute with the pacemaker_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pacemaker_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pacemaker_t SELinux type can be entered via the "pacemaker_exec_t" file type. The default entrypoint paths for the pacemaker_t domain are the following:"
-+
-+/usr/sbin/pacemakerd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pacemaker policy is very flexible allowing users to setup their pacemaker processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pacemaker:
-+
-+.EX
-+.B pacemaker_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pacemaker policy is very flexible allowing users to setup their pacemaker processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pacemaker:
-+
-+
-+.EX
-+.PP
-+.B pacemaker_exec_t
-+.EE
-+
-+- Set files with the pacemaker_exec_t type, if you want to transition an executable to the pacemaker_t domain.
-+
-+
-+.EX
-+.PP
-+.B pacemaker_initrc_exec_t
-+.EE
-+
-+- Set files with the pacemaker_initrc_exec_t type, if you want to transition an executable to the pacemaker_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B pacemaker_unit_file_t
-+.EE
-+
-+- Set files with the pacemaker_unit_file_t type, if you want to treat the files as pacemaker unit content.
-+
-+
-+.EX
-+.PP
-+.B pacemaker_var_lib_t
-+.EE
-+
-+- Set files with the pacemaker_var_lib_t type, if you want to store the pacemaker files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B pacemaker_var_run_t
-+.EE
-+
-+- Set files with the pacemaker_var_run_t type, if you want to store the pacemaker files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type pacemaker_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B pacemaker_var_lib_t
-+
-+ /var/lib/pengine(/.*)?
-+.br
-+ /var/lib/heartbeat/crm(/.*)?
-+.br
-+
-+.br
-+.B pacemaker_var_run_t
-+
-+ /var/run/crm(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pacemaker_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the pacemaker_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pacemaker(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/pads_selinux.8 b/man/man8/pads_selinux.8
-new file mode 100644
-index 0000000..4402702
---- /dev/null
-+++ b/man/man8/pads_selinux.8
-@@ -0,0 +1,140 @@
-+.TH "pads_selinux" "8" "12-11-01" "pads" "SELinux Policy documentation for pads"
-+.SH "NAME"
-+pads_selinux \- Security Enhanced Linux Policy for the pads processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pads processes via flexible mandatory access control.
-+
-+The pads processes execute with the pads_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pads_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pads_t SELinux type can be entered via the "pads_exec_t" file type. The default entrypoint paths for the pads_t domain are the following:"
-+
-+/usr/bin/pads
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pads policy is very flexible allowing users to setup their pads processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pads:
-+
-+.EX
-+.B pads_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pads policy is very flexible allowing users to setup their pads processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pads:
-+
-+
-+.EX
-+.PP
-+.B pads_config_t
-+.EE
-+
-+- Set files with the pads_config_t type, if you want to treat the files as pads configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B pads_exec_t
-+.EE
-+
-+- Set files with the pads_exec_t type, if you want to transition an executable to the pads_t domain.
-+
-+
-+.EX
-+.PP
-+.B pads_initrc_exec_t
-+.EE
-+
-+- Set files with the pads_initrc_exec_t type, if you want to transition an executable to the pads_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B pads_var_run_t
-+.EE
-+
-+- Set files with the pads_var_run_t type, if you want to store the pads files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type pads_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B pads_config_t
-+
-+ /etc/pads-assets.csv
-+.br
-+ /etc/pads\.conf
-+.br
-+ /etc/pads-ether-codes
-+.br
-+ /etc/pads-signature-list
-+.br
-+
-+.br
-+.B pads_var_run_t
-+
-+ /var/run/pads\.pid
-+.br
-+
-+.br
-+.B prelude_spool_t
-+
-+ /var/spool/prelude(/.*)?
-+.br
-+ /var/spool/prelude-manager(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pads(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/pam_console_selinux.8 b/man/man8/pam_console_selinux.8
-new file mode 100644
-index 0000000..efb2cc6
---- /dev/null
-+++ b/man/man8/pam_console_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "pam_console_selinux" "8" "12-11-01" "pam_console" "SELinux Policy documentation for pam_console"
-+.SH "NAME"
-+pam_console_selinux \- Security Enhanced Linux Policy for the pam_console processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pam_console processes via flexible mandatory access control.
-+
-+The pam_console processes execute with the pam_console_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pam_console_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pam_console_t SELinux type can be entered via the "pam_console_exec_t" file type. The default entrypoint paths for the pam_console_t domain are the following:"
-+
-+/sbin/pam_console_apply, /usr/sbin/pam_console_apply
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pam_console policy is very flexible allowing users to setup their pam_console processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pam_console:
-+
-+.EX
-+.B pam_console_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pam_console policy is very flexible allowing users to setup their pam_console processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pam_console:
-+
-+
-+.EX
-+.PP
-+.B pam_console_exec_t
-+.EE
-+
-+- Set files with the pam_console_exec_t type, if you want to transition an executable to the pam_console_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pam_console_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the pam_console_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pam_console(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, pam_timestamp_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/pam_timestamp_selinux.8 b/man/man8/pam_timestamp_selinux.8
-new file mode 100644
-index 0000000..b2e35ab
---- /dev/null
-+++ b/man/man8/pam_timestamp_selinux.8
-@@ -0,0 +1,117 @@
-+.TH "pam_timestamp_selinux" "8" "12-11-01" "pam_timestamp" "SELinux Policy documentation for pam_timestamp"
-+.SH "NAME"
-+pam_timestamp_selinux \- Security Enhanced Linux Policy for the pam_timestamp processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pam_timestamp processes via flexible mandatory access control.
-+
-+The pam_timestamp processes execute with the pam_timestamp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pam_timestamp_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pam_timestamp_t SELinux type can be entered via the "pam_timestamp_exec_t" file type. The default entrypoint paths for the pam_timestamp_t domain are the following:"
-+
-+/sbin/pam_timestamp_check, /usr/sbin/pam_timestamp_check
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pam_timestamp policy is very flexible allowing users to setup their pam_timestamp processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pam_timestamp:
-+
-+.EX
-+.B pam_timestamp_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pam_timestamp policy is very flexible allowing users to setup their pam_timestamp processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pam_timestamp:
-+
-+
-+.EX
-+.PP
-+.B pam_timestamp_exec_t
-+.EE
-+
-+- Set files with the pam_timestamp_exec_t type, if you want to transition an executable to the pam_timestamp_t domain.
-+
-+
-+.EX
-+.PP
-+.B pam_timestamp_tmp_t
-+.EE
-+
-+- Set files with the pam_timestamp_tmp_t type, if you want to store pam timestamp temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type pam_timestamp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B pam_timestamp_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pam_timestamp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the pam_timestamp_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pam_timestamp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, pam_console_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/passenger_selinux.8 b/man/man8/passenger_selinux.8
-new file mode 100644
-index 0000000..c07e89a
---- /dev/null
-+++ b/man/man8/passenger_selinux.8
-@@ -0,0 +1,166 @@
-+.TH "passenger_selinux" "8" "12-11-01" "passenger" "SELinux Policy documentation for passenger"
-+.SH "NAME"
-+passenger_selinux \- Security Enhanced Linux Policy for the passenger processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the passenger processes via flexible mandatory access control.
-+
-+The passenger processes execute with the passenger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep passenger_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The passenger_t SELinux type can be entered via the "passenger_exec_t" file type. The default entrypoint paths for the passenger_t domain are the following:"
-+
-+/usr/lib/gems/.*/Passenger.*, /usr/lib/gems/.*/ApplicationPoolServerExecutable, /usr/share/gems/.*/Passenger.*, /usr/share/gems/.*/ApplicationPoolServerExecutable
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux passenger policy is very flexible allowing users to setup their passenger processes in as secure a method as possible.
-+.PP
-+The following process types are defined for passenger:
-+
-+.EX
-+.B passenger_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux passenger policy is very flexible allowing users to setup their passenger processes in as secure a method as possible.
-+.PP
-+The following file types are defined for passenger:
-+
-+
-+.EX
-+.PP
-+.B passenger_exec_t
-+.EE
-+
-+- Set files with the passenger_exec_t type, if you want to transition an executable to the passenger_t domain.
-+
-+
-+.EX
-+.PP
-+.B passenger_log_t
-+.EE
-+
-+- Set files with the passenger_log_t type, if you want to treat the data as passenger log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B passenger_tmp_t
-+.EE
-+
-+- Set files with the passenger_tmp_t type, if you want to store passenger temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B passenger_var_lib_t
-+.EE
-+
-+- Set files with the passenger_var_lib_t type, if you want to store the passenger files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B passenger_var_run_t
-+.EE
-+
-+- Set files with the passenger_var_run_t type, if you want to store the passenger files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type passenger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B passenger_log_t
-+
-+ /var/log/passenger.*
-+.br
-+ /var/log/passenger(/.*)?
-+.br
-+
-+.br
-+.B passenger_tmp_t
-+
-+
-+.br
-+.B passenger_var_lib_t
-+
-+ /var/lib/passenger(/.*)?
-+.br
-+
-+.br
-+.B passenger_var_run_t
-+
-+ /var/run/passenger(/.*)?
-+.br
-+
-+.br
-+.B puppet_var_lib_t
-+
-+ /var/lib/puppet(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the passenger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the passenger_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), passenger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/passwd_selinux.8 b/man/man8/passwd_selinux.8
-new file mode 100644
-index 0000000..af4b9b1
---- /dev/null
-+++ b/man/man8/passwd_selinux.8
-@@ -0,0 +1,208 @@
-+.TH "passwd_selinux" "8" "12-11-01" "passwd" "SELinux Policy documentation for passwd"
-+.SH "NAME"
-+passwd_selinux \- Security Enhanced Linux Policy for the passwd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the passwd processes via flexible mandatory access control.
-+
-+The passwd processes execute with the passwd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep passwd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The passwd_t SELinux type can be entered via the "passwd_exec_t" file type. The default entrypoint paths for the passwd_t domain are the following:"
-+
-+/usr/bin/chage, /usr/bin/passwd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux passwd policy is very flexible allowing users to setup their passwd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for passwd:
-+
-+.EX
-+.B passwd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux passwd policy is very flexible allowing users to setup their passwd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for passwd:
-+
-+
-+.EX
-+.PP
-+.B passwd_exec_t
-+.EE
-+
-+- Set files with the passwd_exec_t type, if you want to transition an executable to the passwd_t domain.
-+
-+
-+.EX
-+.PP
-+.B passwd_file_t
-+.EE
-+
-+- Set files with the passwd_file_t type, if you want to treat the files as passwd content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type passwd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B passwd_file_t
-+
-+ /etc/group[-\+]?
-+.br
-+ /etc/passwd[-\+]?
-+.br
-+ /etc/passwd\.adjunct.*
-+.br
-+ /etc/ptmptmp
-+.br
-+ /etc/\.pwd\.lock
-+.br
-+ /etc/group\.lock
-+.br
-+ /etc/passwd\.OLD
-+.br
-+ /etc/passwd\.lock
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B shadow_t
-+
-+ /etc/shadow.*
-+.br
-+ /etc/gshadow.*
-+.br
-+ /var/db/shadow.*
-+.br
-+ /etc/security/opasswd
-+.br
-+ /etc/security/opasswd\.old
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the passwd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), passwd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/pcscd_selinux.8 b/man/man8/pcscd_selinux.8
-new file mode 100644
-index 0000000..41e4f5f
---- /dev/null
-+++ b/man/man8/pcscd_selinux.8
-@@ -0,0 +1,116 @@
-+.TH "pcscd_selinux" "8" "12-11-01" "pcscd" "SELinux Policy documentation for pcscd"
-+.SH "NAME"
-+pcscd_selinux \- Security Enhanced Linux Policy for the pcscd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pcscd processes via flexible mandatory access control.
-+
-+The pcscd processes execute with the pcscd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pcscd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pcscd_t SELinux type can be entered via the "pcscd_exec_t" file type. The default entrypoint paths for the pcscd_t domain are the following:"
-+
-+/usr/sbin/pcscd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pcscd policy is very flexible allowing users to setup their pcscd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pcscd:
-+
-+.EX
-+.B pcscd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pcscd policy is very flexible allowing users to setup their pcscd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pcscd:
-+
-+
-+.EX
-+.PP
-+.B pcscd_exec_t
-+.EE
-+
-+- Set files with the pcscd_exec_t type, if you want to transition an executable to the pcscd_t domain.
-+
-+
-+.EX
-+.PP
-+.B pcscd_var_run_t
-+.EE
-+
-+- Set files with the pcscd_var_run_t type, if you want to store the pcscd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type pcscd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B usbfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pcscd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/pegasus_selinux.8 b/man/man8/pegasus_selinux.8
-new file mode 100644
-index 0000000..39479f4
---- /dev/null
-+++ b/man/man8/pegasus_selinux.8
-@@ -0,0 +1,279 @@
-+.TH "pegasus_selinux" "8" "12-11-01" "pegasus" "SELinux Policy documentation for pegasus"
-+.SH "NAME"
-+pegasus_selinux \- Security Enhanced Linux Policy for the pegasus processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pegasus processes via flexible mandatory access control.
-+
-+The pegasus processes execute with the pegasus_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pegasus_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pegasus_t SELinux type can be entered via the "pegasus_exec_t" file type. The default entrypoint paths for the pegasus_t domain are the following:"
-+
-+/usr/sbin/cimserver, /usr/sbin/init_repository
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pegasus policy is very flexible allowing users to setup their pegasus processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pegasus:
-+
-+.EX
-+.B pegasus_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pegasus policy is very flexible allowing users to setup their pegasus processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pegasus:
-+
-+
-+.EX
-+.PP
-+.B pegasus_cache_t
-+.EE
-+
-+- Set files with the pegasus_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B pegasus_conf_t
-+.EE
-+
-+- Set files with the pegasus_conf_t type, if you want to treat the files as pegasus configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B pegasus_data_t
-+.EE
-+
-+- Set files with the pegasus_data_t type, if you want to treat the files as pegasus content.
-+
-+
-+.EX
-+.PP
-+.B pegasus_exec_t
-+.EE
-+
-+- Set files with the pegasus_exec_t type, if you want to transition an executable to the pegasus_t domain.
-+
-+
-+.EX
-+.PP
-+.B pegasus_mof_t
-+.EE
-+
-+- Set files with the pegasus_mof_t type, if you want to treat the files as pegasus mof data.
-+
-+
-+.EX
-+.PP
-+.B pegasus_tmp_t
-+.EE
-+
-+- Set files with the pegasus_tmp_t type, if you want to store pegasus temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B pegasus_var_run_t
-+.EE
-+
-+- Set files with the pegasus_var_run_t type, if you want to store the pegasus files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux pegasus policy is very flexible allowing users to setup their pegasus processes in as secure a method as possible.
-+.PP
-+The following port types are defined for pegasus:
-+
-+.EX
-+.TP 5
-+.B pegasus_http_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 5988
-+.EE
-+
-+.EX
-+.TP 5
-+.B pegasus_https_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 5989
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type pegasus_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B pegasus_cache_t
-+
-+
-+.br
-+.B pegasus_data_t
-+
-+ /var/lib/Pegasus(/.*)?
-+.br
-+ /etc/Pegasus/pegasus_current\.conf
-+.br
-+
-+.br
-+.B pegasus_tmp_t
-+
-+
-+.br
-+.B pegasus_var_run_t
-+
-+ /var/run/tog-pegasus(/.*)?
-+.br
-+
-+.br
-+.B samba_etc_t
-+
-+ /etc/samba(/.*)?
-+.br
-+
-+.br
-+.B virt_etc_rw_t
-+
-+ /etc/xen/.*/.*
-+.br
-+ /etc/xen/[^/]*
-+.br
-+ /etc/libvirt/.*/.*
-+.br
-+ /etc/libvirt/[^/]*
-+.br
-+
-+.br
-+.B virt_etc_t
-+
-+ /etc/xen/[^/]*
-+.br
-+ /etc/libvirt/[^/]*
-+.br
-+ /etc/xen
-+.br
-+ /etc/libvirt
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pegasus_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the pegasus_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pegasus(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/phpfpm_selinux.8 b/man/man8/phpfpm_selinux.8
-new file mode 100644
-index 0000000..ae94dbd
---- /dev/null
-+++ b/man/man8/phpfpm_selinux.8
-@@ -0,0 +1,140 @@
-+.TH "phpfpm_selinux" "8" "12-11-01" "phpfpm" "SELinux Policy documentation for phpfpm"
-+.SH "NAME"
-+phpfpm_selinux \- Security Enhanced Linux Policy for the phpfpm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the phpfpm processes via flexible mandatory access control.
-+
-+The phpfpm processes execute with the phpfpm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep phpfpm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The phpfpm_t SELinux type can be entered via the "phpfpm_exec_t" file type. The default entrypoint paths for the phpfpm_t domain are the following:"
-+
-+/usr/sbin/php-fpm
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux phpfpm policy is very flexible allowing users to setup their phpfpm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for phpfpm:
-+
-+.EX
-+.B phpfpm_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux phpfpm policy is very flexible allowing users to setup their phpfpm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for phpfpm:
-+
-+
-+.EX
-+.PP
-+.B phpfpm_exec_t
-+.EE
-+
-+- Set files with the phpfpm_exec_t type, if you want to transition an executable to the phpfpm_t domain.
-+
-+
-+.EX
-+.PP
-+.B phpfpm_log_t
-+.EE
-+
-+- Set files with the phpfpm_log_t type, if you want to treat the data as phpfpm log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B phpfpm_unit_file_t
-+.EE
-+
-+- Set files with the phpfpm_unit_file_t type, if you want to treat the files as phpfpm unit content.
-+
-+
-+.EX
-+.PP
-+.B phpfpm_var_run_t
-+.EE
-+
-+- Set files with the phpfpm_var_run_t type, if you want to store the phpfpm files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type phpfpm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B phpfpm_log_t
-+
-+ /var/log/php-fpm(/.*)?
-+.br
-+
-+.br
-+.B phpfpm_var_run_t
-+
-+ /var/run/php-fpm(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the phpfpm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the phpfpm_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), phpfpm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ping_selinux.8 b/man/man8/ping_selinux.8
-new file mode 100644
-index 0000000..7210530
---- /dev/null
-+++ b/man/man8/ping_selinux.8
-@@ -0,0 +1,180 @@
-+.TH "ping_selinux" "8" "12-11-01" "ping" "SELinux Policy documentation for ping"
-+.SH "NAME"
-+ping_selinux \- Security Enhanced Linux Policy for the ping processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ping processes via flexible mandatory access control.
-+
-+The ping processes execute with the ping_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ping_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ping_t SELinux type can be entered via the "ping_exec_t" file type. The default entrypoint paths for the ping_t domain are the following:"
-+
-+/bin/ping.*, /usr/bin/ping.*, /usr/sbin/fping.*, /usr/sbin/hping2, /usr/sbin/send_arp
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ping:
-+
-+.EX
-+.B ping_t, pingd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. ping policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ping with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_ping 1
-+.EE
-+
-+.PP
-+If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_ping 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ping:
-+
-+
-+.EX
-+.PP
-+.B ping_exec_t
-+.EE
-+
-+- Set files with the ping_exec_t type, if you want to transition an executable to the ping_t domain.
-+
-+
-+.EX
-+.PP
-+.B pingd_etc_t
-+.EE
-+
-+- Set files with the pingd_etc_t type, if you want to store pingd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B pingd_exec_t
-+.EE
-+
-+- Set files with the pingd_exec_t type, if you want to transition an executable to the pingd_t domain.
-+
-+
-+.EX
-+.PP
-+.B pingd_initrc_exec_t
-+.EE
-+
-+- Set files with the pingd_initrc_exec_t type, if you want to transition an executable to the pingd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B pingd_modules_t
-+.EE
-+
-+- Set files with the pingd_modules_t type, if you want to treat the files as pingd modules.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible.
-+.PP
-+The following port types are defined for ping:
-+
-+.EX
-+.TP 5
-+.B pingd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 9125
-+.EE
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ping(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), pingd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/pingd_selinux.8 b/man/man8/pingd_selinux.8
-new file mode 100644
-index 0000000..4fc7233
---- /dev/null
-+++ b/man/man8/pingd_selinux.8
-@@ -0,0 +1,172 @@
-+.TH "pingd_selinux" "8" "12-11-01" "pingd" "SELinux Policy documentation for pingd"
-+.SH "NAME"
-+pingd_selinux \- Security Enhanced Linux Policy for the pingd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pingd processes via flexible mandatory access control.
-+
-+The pingd processes execute with the pingd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pingd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pingd_t SELinux type can be entered via the "pingd_exec_t" file type. The default entrypoint paths for the pingd_t domain are the following:"
-+
-+/usr/sbin/pingd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pingd policy is very flexible allowing users to setup their pingd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pingd:
-+
-+.EX
-+.B ping_t, pingd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. pingd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pingd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_ping 1
-+.EE
-+
-+.PP
-+If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_ping 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pingd policy is very flexible allowing users to setup their pingd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pingd:
-+
-+
-+.EX
-+.PP
-+.B pingd_etc_t
-+.EE
-+
-+- Set files with the pingd_etc_t type, if you want to store pingd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B pingd_exec_t
-+.EE
-+
-+- Set files with the pingd_exec_t type, if you want to transition an executable to the pingd_t domain.
-+
-+
-+.EX
-+.PP
-+.B pingd_initrc_exec_t
-+.EE
-+
-+- Set files with the pingd_initrc_exec_t type, if you want to transition an executable to the pingd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B pingd_modules_t
-+.EE
-+
-+- Set files with the pingd_modules_t type, if you want to treat the files as pingd modules.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux pingd policy is very flexible allowing users to setup their pingd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for pingd:
-+
-+.EX
-+.TP 5
-+.B pingd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 9125
-+.EE
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pingd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), ping_selinux(8), ping_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/piranha_fos_selinux.8 b/man/man8/piranha_fos_selinux.8
-new file mode 100644
-index 0000000..99093e6
---- /dev/null
-+++ b/man/man8/piranha_fos_selinux.8
-@@ -0,0 +1,119 @@
-+.TH "piranha_fos_selinux" "8" "12-11-01" "piranha_fos" "SELinux Policy documentation for piranha_fos"
-+.SH "NAME"
-+piranha_fos_selinux \- Security Enhanced Linux Policy for the piranha_fos processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the piranha_fos processes via flexible mandatory access control.
-+
-+The piranha_fos processes execute with the piranha_fos_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep piranha_fos_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The piranha_fos_t SELinux type can be entered via the "piranha_fos_exec_t" file type. The default entrypoint paths for the piranha_fos_t domain are the following:"
-+
-+/usr/sbin/fos
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux piranha_fos policy is very flexible allowing users to setup their piranha_fos processes in as secure a method as possible.
-+.PP
-+The following process types are defined for piranha_fos:
-+
-+.EX
-+.B piranha_fos_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux piranha_fos policy is very flexible allowing users to setup their piranha_fos processes in as secure a method as possible.
-+.PP
-+The following file types are defined for piranha_fos:
-+
-+
-+.EX
-+.PP
-+.B piranha_fos_exec_t
-+.EE
-+
-+- Set files with the piranha_fos_exec_t type, if you want to transition an executable to the piranha_fos_t domain.
-+
-+
-+.EX
-+.PP
-+.B piranha_fos_var_run_t
-+.EE
-+
-+- Set files with the piranha_fos_var_run_t type, if you want to store the piranha fos files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type piranha_fos_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B piranha_fos_var_run_t
-+
-+ /var/run/fos\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_fos_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the piranha_fos_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), piranha_fos(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, piranha_lvs_selinux(8), piranha_pulse_selinux(8), piranha_web_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/piranha_lvs_selinux.8 b/man/man8/piranha_lvs_selinux.8
-new file mode 100644
-index 0000000..4792eec
---- /dev/null
-+++ b/man/man8/piranha_lvs_selinux.8
-@@ -0,0 +1,140 @@
-+.TH "piranha_lvs_selinux" "8" "12-11-01" "piranha_lvs" "SELinux Policy documentation for piranha_lvs"
-+.SH "NAME"
-+piranha_lvs_selinux \- Security Enhanced Linux Policy for the piranha_lvs processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the piranha_lvs processes via flexible mandatory access control.
-+
-+The piranha_lvs processes execute with the piranha_lvs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep piranha_lvs_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The piranha_lvs_t SELinux type can be entered via the "piranha_lvs_exec_t" file type. The default entrypoint paths for the piranha_lvs_t domain are the following:"
-+
-+/usr/sbin/lvsd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux piranha_lvs policy is very flexible allowing users to setup their piranha_lvs processes in as secure a method as possible.
-+.PP
-+The following process types are defined for piranha_lvs:
-+
-+.EX
-+.B piranha_lvs_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. piranha_lvs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run piranha_lvs with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow piranha-lvs domain to connect to the network using TCP, you must turn on the piranha_lvs_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P piranha_lvs_can_network_connect 1
-+.EE
-+
-+.PP
-+If you want to allow piranha-lvs domain to connect to the network using TCP, you must turn on the piranha_lvs_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P piranha_lvs_can_network_connect 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux piranha_lvs policy is very flexible allowing users to setup their piranha_lvs processes in as secure a method as possible.
-+.PP
-+The following file types are defined for piranha_lvs:
-+
-+
-+.EX
-+.PP
-+.B piranha_lvs_exec_t
-+.EE
-+
-+- Set files with the piranha_lvs_exec_t type, if you want to transition an executable to the piranha_lvs_t domain.
-+
-+
-+.EX
-+.PP
-+.B piranha_lvs_var_run_t
-+.EE
-+
-+- Set files with the piranha_lvs_var_run_t type, if you want to store the piranha lvs files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type piranha_lvs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B piranha_lvs_var_run_t
-+
-+ /var/run/lvs\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_lvs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the piranha_lvs_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), piranha_lvs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), piranha_fos_selinux(8), piranha_pulse_selinux(8), piranha_web_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/piranha_pulse_selinux.8 b/man/man8/piranha_pulse_selinux.8
-new file mode 100644
-index 0000000..2c470f5
---- /dev/null
-+++ b/man/man8/piranha_pulse_selinux.8
-@@ -0,0 +1,151 @@
-+.TH "piranha_pulse_selinux" "8" "12-11-01" "piranha_pulse" "SELinux Policy documentation for piranha_pulse"
-+.SH "NAME"
-+piranha_pulse_selinux \- Security Enhanced Linux Policy for the piranha_pulse processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the piranha_pulse processes via flexible mandatory access control.
-+
-+The piranha_pulse processes execute with the piranha_pulse_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep piranha_pulse_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The piranha_pulse_t SELinux type can be entered via the "piranha_pulse_exec_t" file type. The default entrypoint paths for the piranha_pulse_t domain are the following:"
-+
-+/usr/sbin/pulse
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux piranha_pulse policy is very flexible allowing users to setup their piranha_pulse processes in as secure a method as possible.
-+.PP
-+The following process types are defined for piranha_pulse:
-+
-+.EX
-+.B piranha_pulse_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux piranha_pulse policy is very flexible allowing users to setup their piranha_pulse processes in as secure a method as possible.
-+.PP
-+The following file types are defined for piranha_pulse:
-+
-+
-+.EX
-+.PP
-+.B piranha_pulse_exec_t
-+.EE
-+
-+- Set files with the piranha_pulse_exec_t type, if you want to transition an executable to the piranha_pulse_t domain.
-+
-+
-+.EX
-+.PP
-+.B piranha_pulse_initrc_exec_t
-+.EE
-+
-+- Set files with the piranha_pulse_initrc_exec_t type, if you want to transition an executable to the piranha_pulse_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B piranha_pulse_var_run_t
-+.EE
-+
-+- Set files with the piranha_pulse_var_run_t type, if you want to store the piranha pulse files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type piranha_pulse_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B piranha_pulse_var_run_t
-+
-+ /var/run/pulse\.pid
-+.br
-+
-+.br
-+.B samba_etc_t
-+
-+ /etc/samba(/.*)?
-+.br
-+
-+.br
-+.B samba_var_t
-+
-+ /var/lib/samba(/.*)?
-+.br
-+ /var/cache/samba(/.*)?
-+.br
-+ /var/spool/samba(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_pulse_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the piranha_pulse_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), piranha_pulse(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, piranha_fos_selinux(8), piranha_lvs_selinux(8), piranha_web_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/piranha_web_selinux.8 b/man/man8/piranha_web_selinux.8
-new file mode 100644
-index 0000000..c0ce2c7
---- /dev/null
-+++ b/man/man8/piranha_web_selinux.8
-@@ -0,0 +1,177 @@
-+.TH "piranha_web_selinux" "8" "12-11-01" "piranha_web" "SELinux Policy documentation for piranha_web"
-+.SH "NAME"
-+piranha_web_selinux \- Security Enhanced Linux Policy for the piranha_web processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the piranha_web processes via flexible mandatory access control.
-+
-+The piranha_web processes execute with the piranha_web_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep piranha_web_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The piranha_web_t SELinux type can be entered via the "piranha_web_exec_t" file type. The default entrypoint paths for the piranha_web_t domain are the following:"
-+
-+/usr/sbin/piranha_gui
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux piranha_web policy is very flexible allowing users to setup their piranha_web processes in as secure a method as possible.
-+.PP
-+The following process types are defined for piranha_web:
-+
-+.EX
-+.B piranha_web_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux piranha_web policy is very flexible allowing users to setup their piranha_web processes in as secure a method as possible.
-+.PP
-+The following file types are defined for piranha_web:
-+
-+
-+.EX
-+.PP
-+.B piranha_web_conf_t
-+.EE
-+
-+- Set files with the piranha_web_conf_t type, if you want to treat the files as piranha web configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B piranha_web_data_t
-+.EE
-+
-+- Set files with the piranha_web_data_t type, if you want to treat the files as piranha web content.
-+
-+
-+.EX
-+.PP
-+.B piranha_web_exec_t
-+.EE
-+
-+- Set files with the piranha_web_exec_t type, if you want to transition an executable to the piranha_web_t domain.
-+
-+
-+.EX
-+.PP
-+.B piranha_web_tmp_t
-+.EE
-+
-+- Set files with the piranha_web_tmp_t type, if you want to store piranha web temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B piranha_web_tmpfs_t
-+.EE
-+
-+- Set files with the piranha_web_tmpfs_t type, if you want to store piranha web files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B piranha_web_var_run_t
-+.EE
-+
-+- Set files with the piranha_web_var_run_t type, if you want to store the piranha web files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type piranha_web_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B piranha_etc_rw_t
-+
-+ /etc/piranha/lvs\.cf
-+.br
-+
-+.br
-+.B piranha_log_t
-+
-+ /var/log/piranha(/.*)?
-+.br
-+
-+.br
-+.B piranha_web_data_t
-+
-+ /var/lib/luci(/.*)?
-+.br
-+
-+.br
-+.B piranha_web_tmp_t
-+
-+
-+.br
-+.B piranha_web_tmpfs_t
-+
-+
-+.br
-+.B piranha_web_var_run_t
-+
-+ /var/run/piranha-httpd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_web_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the piranha_web_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), piranha_web(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, piranha_fos_selinux(8), piranha_lvs_selinux(8), piranha_pulse_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/pkcsslotd_selinux.8 b/man/man8/pkcsslotd_selinux.8
-new file mode 100644
-index 0000000..a7bf1c6
---- /dev/null
-+++ b/man/man8/pkcsslotd_selinux.8
-@@ -0,0 +1,148 @@
-+.TH "pkcsslotd_selinux" "8" "12-11-01" "pkcsslotd" "SELinux Policy documentation for pkcsslotd"
-+.SH "NAME"
-+pkcsslotd_selinux \- Security Enhanced Linux Policy for the pkcsslotd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pkcsslotd processes via flexible mandatory access control.
-+
-+The pkcsslotd processes execute with the pkcsslotd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pkcsslotd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pkcsslotd_t SELinux type can be entered via the "pkcsslotd_exec_t" file type. The default entrypoint paths for the pkcsslotd_t domain are the following:"
-+
-+/usr/sbin/pkcsslotd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pkcsslotd policy is very flexible allowing users to setup their pkcsslotd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pkcsslotd:
-+
-+.EX
-+.B pkcsslotd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pkcsslotd policy is very flexible allowing users to setup their pkcsslotd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pkcsslotd:
-+
-+
-+.EX
-+.PP
-+.B pkcsslotd_exec_t
-+.EE
-+
-+- Set files with the pkcsslotd_exec_t type, if you want to transition an executable to the pkcsslotd_t domain.
-+
-+
-+.EX
-+.PP
-+.B pkcsslotd_tmp_t
-+.EE
-+
-+- Set files with the pkcsslotd_tmp_t type, if you want to store pkcsslotd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B pkcsslotd_tmpfs_t
-+.EE
-+
-+- Set files with the pkcsslotd_tmpfs_t type, if you want to store pkcsslotd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B pkcsslotd_unit_file_t
-+.EE
-+
-+- Set files with the pkcsslotd_unit_file_t type, if you want to treat the files as pkcsslotd unit content.
-+
-+
-+.EX
-+.PP
-+.B pkcsslotd_var_lib_t
-+.EE
-+
-+- Set files with the pkcsslotd_var_lib_t type, if you want to store the pkcsslotd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B pkcsslotd_var_run_t
-+.EE
-+
-+- Set files with the pkcsslotd_var_run_t type, if you want to store the pkcsslotd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type pkcsslotd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B pkcsslotd_tmp_t
-+
-+
-+.br
-+.B pkcsslotd_tmpfs_t
-+
-+
-+.br
-+.B pkcsslotd_var_lib_t
-+
-+ /var/lib/opencryptoki(/.*)?
-+.br
-+
-+.br
-+.B pkcsslotd_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pkcsslotd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/pki_ra_selinux.8 b/man/man8/pki_ra_selinux.8
-new file mode 100644
-index 0000000..565c3d5
---- /dev/null
-+++ b/man/man8/pki_ra_selinux.8
-@@ -0,0 +1,241 @@
-+.TH "pki_ra_selinux" "8" "12-11-01" "pki_ra" "SELinux Policy documentation for pki_ra"
-+.SH "NAME"
-+pki_ra_selinux \- Security Enhanced Linux Policy for the pki_ra processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pki_ra processes via flexible mandatory access control.
-+
-+The pki_ra processes execute with the pki_ra_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pki_ra_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pki_ra_t SELinux type can be entered via the "httpd_exec_t,pki_ra_exec_t" file types. The default entrypoint paths for the pki_ra_t domain are the following:"
-+
-+/usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails, /var/lib/pki-ra/pki-ra
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pki_ra policy is very flexible allowing users to setup their pki_ra processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pki_ra:
-+
-+.EX
-+.B pki_ra_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pki_ra policy is very flexible allowing users to setup their pki_ra processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pki_ra:
-+
-+
-+.EX
-+.PP
-+.B pki_ra_etc_rw_t
-+.EE
-+
-+- Set files with the pki_ra_etc_rw_t type, if you want to treat the files as pki ra etc read/write content.
-+
-+
-+.EX
-+.PP
-+.B pki_ra_exec_t
-+.EE
-+
-+- Set files with the pki_ra_exec_t type, if you want to transition an executable to the pki_ra_t domain.
-+
-+
-+.EX
-+.PP
-+.B pki_ra_lock_t
-+.EE
-+
-+- Set files with the pki_ra_lock_t type, if you want to treat the files as pki ra lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B pki_ra_log_t
-+.EE
-+
-+- Set files with the pki_ra_log_t type, if you want to treat the data as pki ra log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B pki_ra_script_exec_t
-+.EE
-+
-+- Set files with the pki_ra_script_exec_t type, if you want to transition an executable to the pki_ra_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B pki_ra_tomcat_exec_t
-+.EE
-+
-+- Set files with the pki_ra_tomcat_exec_t type, if you want to transition an executable to the pki_ra_tomcat_t domain.
-+
-+
-+.EX
-+.PP
-+.B pki_ra_var_lib_t
-+.EE
-+
-+- Set files with the pki_ra_var_lib_t type, if you want to store the pki ra files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B pki_ra_var_run_t
-+.EE
-+
-+- Set files with the pki_ra_var_run_t type, if you want to store the pki ra files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux pki_ra policy is very flexible allowing users to setup their pki_ra processes in as secure a method as possible.
-+.PP
-+The following port types are defined for pki_ra:
-+
-+.EX
-+.TP 5
-+.B pki_ra_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 12888-12889
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type pki_ra_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.br
-+.B mqueue_spool_t
-+
-+ /var/spool/(client)?mqueue(/.*)?
-+.br
-+ /var/spool/mqueue\.in(/.*)?
-+.br
-+
-+.br
-+.B pki_common_t
-+
-+ /opt/nfast(/.*)?
-+.br
-+
-+.br
-+.B pki_ra_etc_rw_t
-+
-+ /etc/pki-ra(/.*)?
-+.br
-+ /etc/sysconfig/pki/ra(/.*)?
-+.br
-+
-+.br
-+.B pki_ra_lock_t
-+
-+
-+.br
-+.B pki_ra_log_t
-+
-+ /var/log/pki-ra(/.*)?
-+.br
-+
-+.br
-+.B pki_ra_var_lib_t
-+
-+ /var/lib/pki-ra(/.*)?
-+.br
-+
-+.br
-+.B pki_ra_var_run_t
-+
-+ /var/run/pki/ra(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pki_ra_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the pki_ra_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pki_ra(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, pki_tomcat_selinux(8), pki_tps_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/pki_tomcat_selinux.8 b/man/man8/pki_tomcat_selinux.8
-new file mode 100644
-index 0000000..47e7c89
---- /dev/null
-+++ b/man/man8/pki_tomcat_selinux.8
-@@ -0,0 +1,273 @@
-+.TH "pki_tomcat_selinux" "8" "12-11-01" "pki_tomcat" "SELinux Policy documentation for pki_tomcat"
-+.SH "NAME"
-+pki_tomcat_selinux \- Security Enhanced Linux Policy for the pki_tomcat processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pki_tomcat processes via flexible mandatory access control.
-+
-+The pki_tomcat processes execute with the pki_tomcat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pki_tomcat_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pki_tomcat_t SELinux type can be entered via the "pki_tomcat_exec_t" file type. The default entrypoint paths for the pki_tomcat_t domain are the following:"
-+
-+/usr/bin/pkidaemon
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pki_tomcat policy is very flexible allowing users to setup their pki_tomcat processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pki_tomcat:
-+
-+.EX
-+.B pki_tomcat_t, pki_tomcat_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pki_tomcat policy is very flexible allowing users to setup their pki_tomcat processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pki_tomcat:
-+
-+
-+.EX
-+.PP
-+.B pki_tomcat_cache_t
-+.EE
-+
-+- Set files with the pki_tomcat_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B pki_tomcat_cert_t
-+.EE
-+
-+- Set files with the pki_tomcat_cert_t type, if you want to treat the files as pki tomcat certificate data.
-+
-+
-+.EX
-+.PP
-+.B pki_tomcat_etc_rw_t
-+.EE
-+
-+- Set files with the pki_tomcat_etc_rw_t type, if you want to treat the files as pki tomcat etc read/write content.
-+
-+
-+.EX
-+.PP
-+.B pki_tomcat_exec_t
-+.EE
-+
-+- Set files with the pki_tomcat_exec_t type, if you want to transition an executable to the pki_tomcat_t domain.
-+
-+
-+.EX
-+.PP
-+.B pki_tomcat_lock_t
-+.EE
-+
-+- Set files with the pki_tomcat_lock_t type, if you want to treat the files as pki tomcat lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B pki_tomcat_log_t
-+.EE
-+
-+- Set files with the pki_tomcat_log_t type, if you want to treat the data as pki tomcat log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B pki_tomcat_tmp_t
-+.EE
-+
-+- Set files with the pki_tomcat_tmp_t type, if you want to store pki tomcat temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B pki_tomcat_unit_file_t
-+.EE
-+
-+- Set files with the pki_tomcat_unit_file_t type, if you want to treat the files as pki tomcat unit content.
-+
-+
-+.EX
-+.PP
-+.B pki_tomcat_var_lib_t
-+.EE
-+
-+- Set files with the pki_tomcat_var_lib_t type, if you want to store the pki tomcat files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B pki_tomcat_var_run_t
-+.EE
-+
-+- Set files with the pki_tomcat_var_run_t type, if you want to store the pki tomcat files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type pki_tomcat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dirsrv_var_lib_t
-+
-+ /var/lib/dirsrv(/.*)?
-+.br
-+
-+.br
-+.B pki_common_t
-+
-+ /opt/nfast(/.*)?
-+.br
-+
-+.br
-+.B pki_tomcat_cache_t
-+
-+
-+.br
-+.B pki_tomcat_cert_t
-+
-+ /var/lib/pki-ca/alias(/.*)?
-+.br
-+ /var/lib/pki-kra/alias(/.*)?
-+.br
-+ /var/lib/pki-tks/alias(/.*)?
-+.br
-+ /var/lib/pki-ocsp/alias(/.*)?
-+.br
-+ /etc/pki/pki-tomcat/alias(/.*)?
-+.br
-+
-+.br
-+.B pki_tomcat_etc_rw_t
-+
-+ /etc/pki-ca(/.*)?
-+.br
-+ /etc/pki-kra(/.*)?
-+.br
-+ /etc/pki-tks(/.*)?
-+.br
-+ /etc/pki-ocsp(/.*)?
-+.br
-+ /etc/pki/pki-tomcat(/.*)?
-+.br
-+ /etc/sysconfig/pki/tomcat(/.*)?
-+.br
-+
-+.br
-+.B pki_tomcat_lock_t
-+
-+ /var/lock/subsys/pkidaemon
-+.br
-+
-+.br
-+.B pki_tomcat_log_t
-+
-+ /var/log/pki-ca(/.*)?
-+.br
-+ /var/log/pki-kra(/.*)?
-+.br
-+ /var/log/pki-tks(/.*)?
-+.br
-+ /var/log/pki-ocsp(/.*)?
-+.br
-+ /var/log/pki/pki-tomcat(/.*)?
-+.br
-+
-+.br
-+.B pki_tomcat_tmp_t
-+
-+
-+.br
-+.B pki_tomcat_var_lib_t
-+
-+ /var/lib/pki-ca(/.*)?
-+.br
-+ /var/lib/pki-kra(/.*)?
-+.br
-+ /var/lib/pki-tks(/.*)?
-+.br
-+ /var/lib/pki-ocsp(/.*)?
-+.br
-+ /var/lib/pki/pki-tomcat(/.*)?
-+.br
-+
-+.br
-+.B pki_tomcat_var_run_t
-+
-+ /var/run/pki-ca.pid
-+.br
-+ /var/run/pki-kra.pid
-+.br
-+ /var/run/pki-tks.pid
-+.br
-+ /var/run/pki-ocsp.pid
-+.br
-+ /var/run/pki/tomcat(/.*)?
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pki_tomcat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, pki_ra_selinux(8), pki_tps_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/pki_tps_selinux.8 b/man/man8/pki_tps_selinux.8
-new file mode 100644
-index 0000000..8fecac8
---- /dev/null
-+++ b/man/man8/pki_tps_selinux.8
-@@ -0,0 +1,223 @@
-+.TH "pki_tps_selinux" "8" "12-11-01" "pki_tps" "SELinux Policy documentation for pki_tps"
-+.SH "NAME"
-+pki_tps_selinux \- Security Enhanced Linux Policy for the pki_tps processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pki_tps processes via flexible mandatory access control.
-+
-+The pki_tps processes execute with the pki_tps_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pki_tps_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pki_tps_t SELinux type can be entered via the "httpd_exec_t,pki_tps_exec_t" file types. The default entrypoint paths for the pki_tps_t domain are the following:"
-+
-+/usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails, /var/lib/pki-tps/pki-tps
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pki_tps policy is very flexible allowing users to setup their pki_tps processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pki_tps:
-+
-+.EX
-+.B pki_tps_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pki_tps policy is very flexible allowing users to setup their pki_tps processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pki_tps:
-+
-+
-+.EX
-+.PP
-+.B pki_tps_etc_rw_t
-+.EE
-+
-+- Set files with the pki_tps_etc_rw_t type, if you want to treat the files as pki tps etc read/write content.
-+
-+
-+.EX
-+.PP
-+.B pki_tps_exec_t
-+.EE
-+
-+- Set files with the pki_tps_exec_t type, if you want to transition an executable to the pki_tps_t domain.
-+
-+
-+.EX
-+.PP
-+.B pki_tps_lock_t
-+.EE
-+
-+- Set files with the pki_tps_lock_t type, if you want to treat the files as pki tps lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B pki_tps_log_t
-+.EE
-+
-+- Set files with the pki_tps_log_t type, if you want to treat the data as pki tps log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B pki_tps_script_exec_t
-+.EE
-+
-+- Set files with the pki_tps_script_exec_t type, if you want to transition an executable to the pki_tps_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B pki_tps_tomcat_exec_t
-+.EE
-+
-+- Set files with the pki_tps_tomcat_exec_t type, if you want to transition an executable to the pki_tps_tomcat_t domain.
-+
-+
-+.EX
-+.PP
-+.B pki_tps_var_lib_t
-+.EE
-+
-+- Set files with the pki_tps_var_lib_t type, if you want to store the pki tps files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B pki_tps_var_run_t
-+.EE
-+
-+- Set files with the pki_tps_var_run_t type, if you want to store the pki tps files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux pki_tps policy is very flexible allowing users to setup their pki_tps processes in as secure a method as possible.
-+.PP
-+The following port types are defined for pki_tps:
-+
-+.EX
-+.TP 5
-+.B pki_tps_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 7888-7889
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type pki_tps_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B pki_common_t
-+
-+ /opt/nfast(/.*)?
-+.br
-+
-+.br
-+.B pki_tps_etc_rw_t
-+
-+ /etc/pki-tps(/.*)?
-+.br
-+ /etc/sysconfig/pki/tps(/.*)?
-+.br
-+
-+.br
-+.B pki_tps_lock_t
-+
-+
-+.br
-+.B pki_tps_log_t
-+
-+ /var/log/pki-tps(/.*)?
-+.br
-+
-+.br
-+.B pki_tps_var_lib_t
-+
-+ /var/lib/pki-tps(/.*)?
-+.br
-+
-+.br
-+.B pki_tps_var_run_t
-+
-+ /var/run/pki/tps(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pki_tps_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the pki_tps_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pki_tps(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, pki_ra_selinux(8), pki_tomcat_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/plymouth_selinux.8 b/man/man8/plymouth_selinux.8
-new file mode 100644
-index 0000000..fd43c97
---- /dev/null
-+++ b/man/man8/plymouth_selinux.8
-@@ -0,0 +1,127 @@
-+.TH "plymouth_selinux" "8" "12-11-01" "plymouth" "SELinux Policy documentation for plymouth"
-+.SH "NAME"
-+plymouth_selinux \- Security Enhanced Linux Policy for the plymouth processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the plymouth processes via flexible mandatory access control.
-+
-+The plymouth processes execute with the plymouth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep plymouth_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The plymouth_t SELinux type can be entered via the "plymouth_exec_t" file type. The default entrypoint paths for the plymouth_t domain are the following:"
-+
-+/bin/plymouth, /usr/bin/plymouth
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux plymouth policy is very flexible allowing users to setup their plymouth processes in as secure a method as possible.
-+.PP
-+The following process types are defined for plymouth:
-+
-+.EX
-+.B plymouth_t, plymouthd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux plymouth policy is very flexible allowing users to setup their plymouth processes in as secure a method as possible.
-+.PP
-+The following file types are defined for plymouth:
-+
-+
-+.EX
-+.PP
-+.B plymouth_exec_t
-+.EE
-+
-+- Set files with the plymouth_exec_t type, if you want to transition an executable to the plymouth_t domain.
-+
-+
-+.EX
-+.PP
-+.B plymouthd_exec_t
-+.EE
-+
-+- Set files with the plymouthd_exec_t type, if you want to transition an executable to the plymouthd_t domain.
-+
-+
-+.EX
-+.PP
-+.B plymouthd_spool_t
-+.EE
-+
-+- Set files with the plymouthd_spool_t type, if you want to store the plymouthd files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B plymouthd_var_lib_t
-+.EE
-+
-+- Set files with the plymouthd_var_lib_t type, if you want to store the plymouthd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B plymouthd_var_log_t
-+.EE
-+
-+- Set files with the plymouthd_var_log_t type, if you want to treat the data as plymouthd var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B plymouthd_var_run_t
-+.EE
-+
-+- Set files with the plymouthd_var_run_t type, if you want to store the plymouthd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), plymouth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, plymouthd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/plymouthd_selinux.8 b/man/man8/plymouthd_selinux.8
-new file mode 100644
-index 0000000..8ddb343
---- /dev/null
-+++ b/man/man8/plymouthd_selinux.8
-@@ -0,0 +1,159 @@
-+.TH "plymouthd_selinux" "8" "12-11-01" "plymouthd" "SELinux Policy documentation for plymouthd"
-+.SH "NAME"
-+plymouthd_selinux \- Security Enhanced Linux Policy for the plymouthd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the plymouthd processes via flexible mandatory access control.
-+
-+The plymouthd processes execute with the plymouthd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep plymouthd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The plymouthd_t SELinux type can be entered via the "plymouthd_exec_t" file type. The default entrypoint paths for the plymouthd_t domain are the following:"
-+
-+/sbin/plymouthd, /usr/sbin/plymouthd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux plymouthd policy is very flexible allowing users to setup their plymouthd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for plymouthd:
-+
-+.EX
-+.B plymouth_t, plymouthd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux plymouthd policy is very flexible allowing users to setup their plymouthd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for plymouthd:
-+
-+
-+.EX
-+.PP
-+.B plymouthd_exec_t
-+.EE
-+
-+- Set files with the plymouthd_exec_t type, if you want to transition an executable to the plymouthd_t domain.
-+
-+
-+.EX
-+.PP
-+.B plymouthd_spool_t
-+.EE
-+
-+- Set files with the plymouthd_spool_t type, if you want to store the plymouthd files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B plymouthd_var_lib_t
-+.EE
-+
-+- Set files with the plymouthd_var_lib_t type, if you want to store the plymouthd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B plymouthd_var_log_t
-+.EE
-+
-+- Set files with the plymouthd_var_log_t type, if you want to treat the data as plymouthd var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B plymouthd_var_run_t
-+.EE
-+
-+- Set files with the plymouthd_var_run_t type, if you want to store the plymouthd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type plymouthd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B fonts_cache_t
-+
-+ /var/cache/fontconfig(/.*)?
-+.br
-+
-+.br
-+.B plymouthd_spool_t
-+
-+ /var/spool/plymouth(/.*)?
-+.br
-+
-+.br
-+.B plymouthd_var_lib_t
-+
-+ /var/lib/plymouth(/.*)?
-+.br
-+
-+.br
-+.B plymouthd_var_log_t
-+
-+ /var/log/boot\.log
-+.br
-+
-+.br
-+.B plymouthd_var_run_t
-+
-+ /var/run/plymouth(/.*)?
-+.br
-+
-+.br
-+.B xdm_spool_t
-+
-+ /var/spool/[mg]dm(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), plymouthd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, plymouth_selinux(8), plymouth_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/podsleuth_selinux.8 b/man/man8/podsleuth_selinux.8
-new file mode 100644
-index 0000000..5da1a9f
---- /dev/null
-+++ b/man/man8/podsleuth_selinux.8
-@@ -0,0 +1,128 @@
-+.TH "podsleuth_selinux" "8" "12-11-01" "podsleuth" "SELinux Policy documentation for podsleuth"
-+.SH "NAME"
-+podsleuth_selinux \- Security Enhanced Linux Policy for the podsleuth processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the podsleuth processes via flexible mandatory access control.
-+
-+The podsleuth processes execute with the podsleuth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep podsleuth_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The podsleuth_t SELinux type can be entered via the "podsleuth_exec_t" file type. The default entrypoint paths for the podsleuth_t domain are the following:"
-+
-+/usr/bin/podsleuth, /usr/libexec/hal-podsleuth
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux podsleuth policy is very flexible allowing users to setup their podsleuth processes in as secure a method as possible.
-+.PP
-+The following process types are defined for podsleuth:
-+
-+.EX
-+.B podsleuth_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux podsleuth policy is very flexible allowing users to setup their podsleuth processes in as secure a method as possible.
-+.PP
-+The following file types are defined for podsleuth:
-+
-+
-+.EX
-+.PP
-+.B podsleuth_cache_t
-+.EE
-+
-+- Set files with the podsleuth_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B podsleuth_exec_t
-+.EE
-+
-+- Set files with the podsleuth_exec_t type, if you want to transition an executable to the podsleuth_t domain.
-+
-+
-+.EX
-+.PP
-+.B podsleuth_tmp_t
-+.EE
-+
-+- Set files with the podsleuth_tmp_t type, if you want to store podsleuth temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B podsleuth_tmpfs_t
-+.EE
-+
-+- Set files with the podsleuth_tmpfs_t type, if you want to store podsleuth files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type podsleuth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B podsleuth_cache_t
-+
-+ /var/cache/podsleuth(/.*)?
-+.br
-+
-+.br
-+.B podsleuth_tmp_t
-+
-+
-+.br
-+.B podsleuth_tmpfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), podsleuth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/policykit_auth_selinux.8 b/man/man8/policykit_auth_selinux.8
-new file mode 100644
-index 0000000..8e1e635
---- /dev/null
-+++ b/man/man8/policykit_auth_selinux.8
-@@ -0,0 +1,207 @@
-+.TH "policykit_auth_selinux" "8" "12-11-01" "policykit_auth" "SELinux Policy documentation for policykit_auth"
-+.SH "NAME"
-+policykit_auth_selinux \- Security Enhanced Linux Policy for the policykit_auth processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the policykit_auth processes via flexible mandatory access control.
-+
-+The policykit_auth processes execute with the policykit_auth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep policykit_auth_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The policykit_auth_t SELinux type can be entered via the "policykit_auth_exec_t" file type. The default entrypoint paths for the policykit_auth_t domain are the following:"
-+
-+/usr/libexec/polkit-read-auth-helper, /usr/lib/polkit-1/polkit-agent-helper-1, /usr/lib/policykit/polkit-read-auth-helper, /usr/libexec/polkit-1/polkit-agent-helper-1
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux policykit_auth policy is very flexible allowing users to setup their policykit_auth processes in as secure a method as possible.
-+.PP
-+The following process types are defined for policykit_auth:
-+
-+.EX
-+.B policykit_auth_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux policykit_auth policy is very flexible allowing users to setup their policykit_auth processes in as secure a method as possible.
-+.PP
-+The following file types are defined for policykit_auth:
-+
-+
-+.EX
-+.PP
-+.B policykit_auth_exec_t
-+.EE
-+
-+- Set files with the policykit_auth_exec_t type, if you want to transition an executable to the policykit_auth_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type policykit_auth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B policykit_reload_t
-+
-+ /var/lib/misc/PolicyKit.reload
-+.br
-+
-+.br
-+.B policykit_tmp_t
-+
-+
-+.br
-+.B policykit_var_lib_t
-+
-+ /var/lib/polkit-1(/.*)?
-+.br
-+ /var/lib/PolicyKit(/.*)?
-+.br
-+ /var/lib/PolicyKit-public(/.*)?
-+.br
-+
-+.br
-+.B policykit_var_run_t
-+
-+ /var/run/PolicyKit(/.*)?
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B var_auth_t
-+
-+ /var/ace(/.*)?
-+.br
-+ /var/rsa(/.*)?
-+.br
-+ /var/lib/abl(/.*)?
-+.br
-+ /var/lib/rsa(/.*)?
-+.br
-+ /var/lib/pam_ssh(/.*)?
-+.br
-+ /var/run/pam_ssh(/.*)?
-+.br
-+ /var/lib/pam_shield(/.*)?
-+.br
-+ /var/lib/google-authenticator(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_auth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the policykit_auth_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), policykit_auth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, policykit_selinux(8), policykit_selinux(8), policykit_grant_selinux(8), policykit_resolve_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/policykit_grant_selinux.8 b/man/man8/policykit_grant_selinux.8
-new file mode 100644
-index 0000000..236cec7
---- /dev/null
-+++ b/man/man8/policykit_grant_selinux.8
-@@ -0,0 +1,157 @@
-+.TH "policykit_grant_selinux" "8" "12-11-01" "policykit_grant" "SELinux Policy documentation for policykit_grant"
-+.SH "NAME"
-+policykit_grant_selinux \- Security Enhanced Linux Policy for the policykit_grant processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the policykit_grant processes via flexible mandatory access control.
-+
-+The policykit_grant processes execute with the policykit_grant_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep policykit_grant_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The policykit_grant_t SELinux type can be entered via the "policykit_grant_exec_t" file type. The default entrypoint paths for the policykit_grant_t domain are the following:"
-+
-+/usr/libexec/polkit-grant-helper.*, /usr/lib/policykit/polkit-grant-helper.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux policykit_grant policy is very flexible allowing users to setup their policykit_grant processes in as secure a method as possible.
-+.PP
-+The following process types are defined for policykit_grant:
-+
-+.EX
-+.B policykit_grant_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux policykit_grant policy is very flexible allowing users to setup their policykit_grant processes in as secure a method as possible.
-+.PP
-+The following file types are defined for policykit_grant:
-+
-+
-+.EX
-+.PP
-+.B policykit_grant_exec_t
-+.EE
-+
-+- Set files with the policykit_grant_exec_t type, if you want to transition an executable to the policykit_grant_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type policykit_grant_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B policykit_reload_t
-+
-+ /var/lib/misc/PolicyKit.reload
-+.br
-+
-+.br
-+.B policykit_var_lib_t
-+
-+ /var/lib/polkit-1(/.*)?
-+.br
-+ /var/lib/PolicyKit(/.*)?
-+.br
-+ /var/lib/PolicyKit-public(/.*)?
-+.br
-+
-+.br
-+.B policykit_var_run_t
-+
-+ /var/run/PolicyKit(/.*)?
-+.br
-+
-+.br
-+.B system_cronjob_var_lib_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_grant_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the policykit_grant_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), policykit_grant(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, policykit_selinux(8), policykit_selinux(8), policykit_auth_selinux(8), policykit_resolve_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/policykit_resolve_selinux.8 b/man/man8/policykit_resolve_selinux.8
-new file mode 100644
-index 0000000..103c687
---- /dev/null
-+++ b/man/man8/policykit_resolve_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "policykit_resolve_selinux" "8" "12-11-01" "policykit_resolve" "SELinux Policy documentation for policykit_resolve"
-+.SH "NAME"
-+policykit_resolve_selinux \- Security Enhanced Linux Policy for the policykit_resolve processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the policykit_resolve processes via flexible mandatory access control.
-+
-+The policykit_resolve processes execute with the policykit_resolve_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep policykit_resolve_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The policykit_resolve_t SELinux type can be entered via the "policykit_resolve_exec_t" file type. The default entrypoint paths for the policykit_resolve_t domain are the following:"
-+
-+/usr/libexec/polkit-resolve-exe-helper.*, /usr/lib/policykit/polkit-resolve-exe-helper.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux policykit_resolve policy is very flexible allowing users to setup their policykit_resolve processes in as secure a method as possible.
-+.PP
-+The following process types are defined for policykit_resolve:
-+
-+.EX
-+.B policykit_resolve_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux policykit_resolve policy is very flexible allowing users to setup their policykit_resolve processes in as secure a method as possible.
-+.PP
-+The following file types are defined for policykit_resolve:
-+
-+
-+.EX
-+.PP
-+.B policykit_resolve_exec_t
-+.EE
-+
-+- Set files with the policykit_resolve_exec_t type, if you want to transition an executable to the policykit_resolve_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_resolve_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the policykit_resolve_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), policykit_resolve(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, policykit_selinux(8), policykit_selinux(8), policykit_auth_selinux(8), policykit_grant_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/policykit_selinux.8 b/man/man8/policykit_selinux.8
-new file mode 100644
-index 0000000..62bd2e6
---- /dev/null
-+++ b/man/man8/policykit_selinux.8
-@@ -0,0 +1,213 @@
-+.TH "policykit_selinux" "8" "12-11-01" "policykit" "SELinux Policy documentation for policykit"
-+.SH "NAME"
-+policykit_selinux \- Security Enhanced Linux Policy for the policykit processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the policykit processes via flexible mandatory access control.
-+
-+The policykit processes execute with the policykit_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep policykit_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The policykit_t SELinux type can be entered via the "policykit_exec_t" file type. The default entrypoint paths for the policykit_t domain are the following:"
-+
-+/usr/libexec/polkitd.*, /usr/libexec/polkit-1/polkitd.*, /usr/lib/polkit-1/polkitd, /usr/lib/policykit/polkitd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux policykit policy is very flexible allowing users to setup their policykit processes in as secure a method as possible.
-+.PP
-+The following process types are defined for policykit:
-+
-+.EX
-+.B policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux policykit policy is very flexible allowing users to setup their policykit processes in as secure a method as possible.
-+.PP
-+The following file types are defined for policykit:
-+
-+
-+.EX
-+.PP
-+.B policykit_auth_exec_t
-+.EE
-+
-+- Set files with the policykit_auth_exec_t type, if you want to transition an executable to the policykit_auth_t domain.
-+
-+
-+.EX
-+.PP
-+.B policykit_exec_t
-+.EE
-+
-+- Set files with the policykit_exec_t type, if you want to transition an executable to the policykit_t domain.
-+
-+
-+.EX
-+.PP
-+.B policykit_grant_exec_t
-+.EE
-+
-+- Set files with the policykit_grant_exec_t type, if you want to transition an executable to the policykit_grant_t domain.
-+
-+
-+.EX
-+.PP
-+.B policykit_reload_t
-+.EE
-+
-+- Set files with the policykit_reload_t type, if you want to treat the files as policykit reload data.
-+
-+
-+.EX
-+.PP
-+.B policykit_resolve_exec_t
-+.EE
-+
-+- Set files with the policykit_resolve_exec_t type, if you want to transition an executable to the policykit_resolve_t domain.
-+
-+
-+.EX
-+.PP
-+.B policykit_tmp_t
-+.EE
-+
-+- Set files with the policykit_tmp_t type, if you want to store policykit temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B policykit_var_lib_t
-+.EE
-+
-+- Set files with the policykit_var_lib_t type, if you want to store the policykit files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B policykit_var_run_t
-+.EE
-+
-+- Set files with the policykit_var_run_t type, if you want to store the policykit files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type policykit_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B policykit_reload_t
-+
-+ /var/lib/misc/PolicyKit.reload
-+.br
-+
-+.br
-+.B policykit_var_lib_t
-+
-+ /var/lib/polkit-1(/.*)?
-+.br
-+ /var/lib/PolicyKit(/.*)?
-+.br
-+ /var/lib/PolicyKit-public(/.*)?
-+.br
-+
-+.br
-+.B policykit_var_run_t
-+
-+ /var/run/PolicyKit(/.*)?
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), policykit(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, policykit_auth_selinux(8), policykit_grant_selinux(8), policykit_resolve_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/polipo_selinux.8 b/man/man8/polipo_selinux.8
-new file mode 100644
-index 0000000..47a11ed
---- /dev/null
-+++ b/man/man8/polipo_selinux.8
-@@ -0,0 +1,264 @@
-+.TH "polipo_selinux" "8" "12-11-01" "polipo" "SELinux Policy documentation for polipo"
-+.SH "NAME"
-+polipo_selinux \- Security Enhanced Linux Policy for the polipo processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the polipo processes via flexible mandatory access control.
-+
-+The polipo processes execute with the polipo_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep polipo_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The polipo_t SELinux type can be entered via the "polipo_exec_t" file type. The default entrypoint paths for the polipo_t domain are the following:"
-+
-+/usr/bin/polipo
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux polipo policy is very flexible allowing users to setup their polipo processes in as secure a method as possible.
-+.PP
-+The following process types are defined for polipo:
-+
-+.EX
-+.B polipo_t, polipo_session_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. polipo policy is extremely flexible and has several booleans that allow you to manipulate the policy and run polipo with the tightest access possible.
-+
-+
-+.PP
-+If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean.
-+
-+.EX
-+.B setsebool -P polipo_session_users 1
-+.EE
-+
-+.PP
-+If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P polipo_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to determine whether polipo can access cifs file systems, you must turn on the polipo_use_cifs boolean.
-+
-+.EX
-+.B setsebool -P polipo_use_cifs 1
-+.EE
-+
-+.PP
-+If you want to determine whether Polipo session daemon can bind tcp sockets to all unreserved ports, you must turn on the polipo_session_bind_all_unreserved_ports boolean.
-+
-+.EX
-+.B setsebool -P polipo_session_bind_all_unreserved_ports 1
-+.EE
-+
-+.PP
-+If you want to allow polipo to connect to all ports > 1023, you must turn on the polipo_connect_all_unreserved boolean.
-+
-+.EX
-+.B setsebool -P polipo_connect_all_unreserved 1
-+.EE
-+
-+.PP
-+If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean.
-+
-+.EX
-+.B setsebool -P polipo_session_users 1
-+.EE
-+
-+.PP
-+If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P polipo_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to determine whether polipo can access cifs file systems, you must turn on the polipo_use_cifs boolean.
-+
-+.EX
-+.B setsebool -P polipo_use_cifs 1
-+.EE
-+
-+.PP
-+If you want to determine whether Polipo session daemon can bind tcp sockets to all unreserved ports, you must turn on the polipo_session_bind_all_unreserved_ports boolean.
-+
-+.EX
-+.B setsebool -P polipo_session_bind_all_unreserved_ports 1
-+.EE
-+
-+.PP
-+If you want to allow polipo to connect to all ports > 1023, you must turn on the polipo_connect_all_unreserved boolean.
-+
-+.EX
-+.B setsebool -P polipo_connect_all_unreserved 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux polipo policy is very flexible allowing users to setup their polipo processes in as secure a method as possible.
-+.PP
-+The following file types are defined for polipo:
-+
-+
-+.EX
-+.PP
-+.B polipo_cache_home_t
-+.EE
-+
-+- Set files with the polipo_cache_home_t type, if you want to store polipo cache files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B polipo_cache_t
-+.EE
-+
-+- Set files with the polipo_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B polipo_config_home_t
-+.EE
-+
-+- Set files with the polipo_config_home_t type, if you want to store polipo config files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B polipo_etc_t
-+.EE
-+
-+- Set files with the polipo_etc_t type, if you want to store polipo files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B polipo_exec_t
-+.EE
-+
-+- Set files with the polipo_exec_t type, if you want to transition an executable to the polipo_t domain.
-+
-+
-+.EX
-+.PP
-+.B polipo_initrc_exec_t
-+.EE
-+
-+- Set files with the polipo_initrc_exec_t type, if you want to transition an executable to the polipo_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B polipo_log_t
-+.EE
-+
-+- Set files with the polipo_log_t type, if you want to treat the data as polipo log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B polipo_pid_t
-+.EE
-+
-+- Set files with the polipo_pid_t type, if you want to store the polipo files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B polipo_unit_file_t
-+.EE
-+
-+- Set files with the polipo_unit_file_t type, if you want to treat the files as polipo unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type polipo_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B polipo_cache_t
-+
-+ /var/cache/polipo(/.*)?
-+.br
-+
-+.br
-+.B polipo_log_t
-+
-+ /var/log/polipo.*
-+.br
-+
-+.br
-+.B polipo_pid_t
-+
-+ /var/run/polipo(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the polipo_t, polipo_session_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the polipo_t, polipo_session_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), polipo(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/portmap_helper_selinux.8 b/man/man8/portmap_helper_selinux.8
-new file mode 100644
-index 0000000..8e59c47
---- /dev/null
-+++ b/man/man8/portmap_helper_selinux.8
-@@ -0,0 +1,125 @@
-+.TH "portmap_helper_selinux" "8" "12-11-01" "portmap_helper" "SELinux Policy documentation for portmap_helper"
-+.SH "NAME"
-+portmap_helper_selinux \- Security Enhanced Linux Policy for the portmap_helper processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the portmap_helper processes via flexible mandatory access control.
-+
-+The portmap_helper processes execute with the portmap_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep portmap_helper_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The portmap_helper_t SELinux type can be entered via the "portmap_helper_exec_t" file type. The default entrypoint paths for the portmap_helper_t domain are the following:"
-+
-+/usr/sbin/pmap_set, /usr/sbin/pmap_dump
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux portmap_helper policy is very flexible allowing users to setup their portmap_helper processes in as secure a method as possible.
-+.PP
-+The following process types are defined for portmap_helper:
-+
-+.EX
-+.B portmap_helper_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux portmap_helper policy is very flexible allowing users to setup their portmap_helper processes in as secure a method as possible.
-+.PP
-+The following file types are defined for portmap_helper:
-+
-+
-+.EX
-+.PP
-+.B portmap_helper_exec_t
-+.EE
-+
-+- Set files with the portmap_helper_exec_t type, if you want to transition an executable to the portmap_helper_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type portmap_helper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B portmap_var_run_t
-+
-+ /var/run/portmap\.upgrade-state
-+.br
-+
-+.br
-+.B var_run_t
-+
-+ /run/.*
-+.br
-+ /var/run/.*
-+.br
-+ /run
-+.br
-+ /var/run
-+.br
-+ /var/run
-+.br
-+ /var/spool/postfix/pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), portmap_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, portmap_selinux(8), portmap_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/portmap_selinux.8 b/man/man8/portmap_selinux.8
-new file mode 100644
-index 0000000..6c4bbc4
---- /dev/null
-+++ b/man/man8/portmap_selinux.8
-@@ -0,0 +1,188 @@
-+.TH "portmap_selinux" "8" "12-11-01" "portmap" "SELinux Policy documentation for portmap"
-+.SH "NAME"
-+portmap_selinux \- Security Enhanced Linux Policy for the portmap processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the portmap processes via flexible mandatory access control.
-+
-+The portmap processes execute with the portmap_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep portmap_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The portmap_t SELinux type can be entered via the "portmap_exec_t" file type. The default entrypoint paths for the portmap_t domain are the following:"
-+
-+/sbin/portmap, /usr/sbin/portmap
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux portmap policy is very flexible allowing users to setup their portmap processes in as secure a method as possible.
-+.PP
-+The following process types are defined for portmap:
-+
-+.EX
-+.B portmap_helper_t, portmap_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. portmap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run portmap with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean.
-+
-+.EX
-+.B setsebool -P samba_portmapper 1
-+.EE
-+
-+.PP
-+If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean.
-+
-+.EX
-+.B setsebool -P samba_portmapper 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux portmap policy is very flexible allowing users to setup their portmap processes in as secure a method as possible.
-+.PP
-+The following file types are defined for portmap:
-+
-+
-+.EX
-+.PP
-+.B portmap_exec_t
-+.EE
-+
-+- Set files with the portmap_exec_t type, if you want to transition an executable to the portmap_t domain.
-+
-+
-+.EX
-+.PP
-+.B portmap_helper_exec_t
-+.EE
-+
-+- Set files with the portmap_helper_exec_t type, if you want to transition an executable to the portmap_helper_t domain.
-+
-+
-+.EX
-+.PP
-+.B portmap_tmp_t
-+.EE
-+
-+- Set files with the portmap_tmp_t type, if you want to store portmap temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B portmap_var_run_t
-+.EE
-+
-+- Set files with the portmap_var_run_t type, if you want to store the portmap files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux portmap policy is very flexible allowing users to setup their portmap processes in as secure a method as possible.
-+.PP
-+The following port types are defined for portmap:
-+
-+.EX
-+.TP 5
-+.B portmap_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 111
-+.EE
-+udp 111
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type portmap_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B portmap_tmp_t
-+
-+
-+.br
-+.B portmap_var_run_t
-+
-+ /var/run/portmap\.upgrade-state
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the portmap_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the portmap_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), portmap(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), portmap_helper_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/portreserve_selinux.8 b/man/man8/portreserve_selinux.8
-new file mode 100644
-index 0000000..af478cb
---- /dev/null
-+++ b/man/man8/portreserve_selinux.8
-@@ -0,0 +1,120 @@
-+.TH "portreserve_selinux" "8" "12-11-01" "portreserve" "SELinux Policy documentation for portreserve"
-+.SH "NAME"
-+portreserve_selinux \- Security Enhanced Linux Policy for the portreserve processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the portreserve processes via flexible mandatory access control.
-+
-+The portreserve processes execute with the portreserve_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep portreserve_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The portreserve_t SELinux type can be entered via the "portreserve_exec_t" file type. The default entrypoint paths for the portreserve_t domain are the following:"
-+
-+/sbin/portreserve, /usr/sbin/portreserve
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux portreserve policy is very flexible allowing users to setup their portreserve processes in as secure a method as possible.
-+.PP
-+The following process types are defined for portreserve:
-+
-+.EX
-+.B portreserve_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux portreserve policy is very flexible allowing users to setup their portreserve processes in as secure a method as possible.
-+.PP
-+The following file types are defined for portreserve:
-+
-+
-+.EX
-+.PP
-+.B portreserve_etc_t
-+.EE
-+
-+- Set files with the portreserve_etc_t type, if you want to store portreserve files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B portreserve_exec_t
-+.EE
-+
-+- Set files with the portreserve_exec_t type, if you want to transition an executable to the portreserve_t domain.
-+
-+
-+.EX
-+.PP
-+.B portreserve_initrc_exec_t
-+.EE
-+
-+- Set files with the portreserve_initrc_exec_t type, if you want to transition an executable to the portreserve_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B portreserve_var_run_t
-+.EE
-+
-+- Set files with the portreserve_var_run_t type, if you want to store the portreserve files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type portreserve_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B portreserve_var_run_t
-+
-+ /var/run/portreserve(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), portreserve(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/postfix_bounce_selinux.8 b/man/man8/postfix_bounce_selinux.8
-new file mode 100644
-index 0000000..c0a0f25
---- /dev/null
-+++ b/man/man8/postfix_bounce_selinux.8
-@@ -0,0 +1,149 @@
-+.TH "postfix_bounce_selinux" "8" "12-11-01" "postfix_bounce" "SELinux Policy documentation for postfix_bounce"
-+.SH "NAME"
-+postfix_bounce_selinux \- Security Enhanced Linux Policy for the postfix_bounce processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postfix_bounce processes via flexible mandatory access control.
-+
-+The postfix_bounce processes execute with the postfix_bounce_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postfix_bounce_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postfix_bounce_t SELinux type can be entered via the "postfix_bounce_exec_t" file type. The default entrypoint paths for the postfix_bounce_t domain are the following:"
-+
-+/usr/libexec/postfix/bounce
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postfix_bounce policy is very flexible allowing users to setup their postfix_bounce processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postfix_bounce:
-+
-+.EX
-+.B postfix_bounce_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postfix_bounce policy is very flexible allowing users to setup their postfix_bounce processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postfix_bounce:
-+
-+
-+.EX
-+.PP
-+.B postfix_bounce_exec_t
-+.EE
-+
-+- Set files with the postfix_bounce_exec_t type, if you want to transition an executable to the postfix_bounce_t domain.
-+
-+
-+.EX
-+.PP
-+.B postfix_bounce_tmp_t
-+.EE
-+
-+- Set files with the postfix_bounce_tmp_t type, if you want to store postfix bounce temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postfix_bounce_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B postfix_bounce_tmp_t
-+
-+
-+.br
-+.B postfix_spool_bounce_t
-+
-+ /var/spool/postfix/bounce(/.*)?
-+.br
-+
-+.br
-+.B postfix_spool_maildrop_t
-+
-+ /var/spool/postfix/defer(/.*)?
-+.br
-+ /var/spool/postfix/deferred(/.*)?
-+.br
-+ /var/spool/postfix/maildrop(/.*)?
-+.br
-+
-+.br
-+.B postfix_spool_t
-+
-+ /var/spool/postfix.*
-+.br
-+
-+.br
-+.B postfix_var_run_t
-+
-+ /var/spool/postfix/pid/.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_bounce_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postfix_bounce_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postfix_bounce(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/postfix_cleanup_selinux.8 b/man/man8/postfix_cleanup_selinux.8
-new file mode 100644
-index 0000000..615ab43
---- /dev/null
-+++ b/man/man8/postfix_cleanup_selinux.8
-@@ -0,0 +1,133 @@
-+.TH "postfix_cleanup_selinux" "8" "12-11-01" "postfix_cleanup" "SELinux Policy documentation for postfix_cleanup"
-+.SH "NAME"
-+postfix_cleanup_selinux \- Security Enhanced Linux Policy for the postfix_cleanup processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postfix_cleanup processes via flexible mandatory access control.
-+
-+The postfix_cleanup processes execute with the postfix_cleanup_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postfix_cleanup_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postfix_cleanup_t SELinux type can be entered via the "postfix_cleanup_exec_t" file type. The default entrypoint paths for the postfix_cleanup_t domain are the following:"
-+
-+/usr/libexec/postfix/cleanup
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postfix_cleanup policy is very flexible allowing users to setup their postfix_cleanup processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postfix_cleanup:
-+
-+.EX
-+.B postfix_cleanup_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postfix_cleanup policy is very flexible allowing users to setup their postfix_cleanup processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postfix_cleanup:
-+
-+
-+.EX
-+.PP
-+.B postfix_cleanup_exec_t
-+.EE
-+
-+- Set files with the postfix_cleanup_exec_t type, if you want to transition an executable to the postfix_cleanup_t domain.
-+
-+
-+.EX
-+.PP
-+.B postfix_cleanup_tmp_t
-+.EE
-+
-+- Set files with the postfix_cleanup_tmp_t type, if you want to store postfix cleanup temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postfix_cleanup_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B postfix_cleanup_tmp_t
-+
-+
-+.br
-+.B postfix_spool_t
-+
-+ /var/spool/postfix.*
-+.br
-+
-+.br
-+.B postfix_var_run_t
-+
-+ /var/spool/postfix/pid/.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_cleanup_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postfix_cleanup_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postfix_cleanup(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, postfix_bounce_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/postfix_local_selinux.8 b/man/man8/postfix_local_selinux.8
-new file mode 100644
-index 0000000..6e24730
---- /dev/null
-+++ b/man/man8/postfix_local_selinux.8
-@@ -0,0 +1,212 @@
-+.TH "postfix_local_selinux" "8" "12-11-01" "postfix_local" "SELinux Policy documentation for postfix_local"
-+.SH "NAME"
-+postfix_local_selinux \- Security Enhanced Linux Policy for the postfix_local processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postfix_local processes via flexible mandatory access control.
-+
-+The postfix_local processes execute with the postfix_local_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postfix_local_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postfix_local_t SELinux type can be entered via the "postfix_local_exec_t" file type. The default entrypoint paths for the postfix_local_t domain are the following:"
-+
-+/usr/libexec/postfix/local
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postfix_local policy is very flexible allowing users to setup their postfix_local processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postfix_local:
-+
-+.EX
-+.B postfix_local_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. postfix_local policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_local with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow postfix_local domain full write access to mail_spool directories, you must turn on the postfix_local_write_mail_spool boolean.
-+
-+.EX
-+.B setsebool -P postfix_local_write_mail_spool 1
-+.EE
-+
-+.PP
-+If you want to allow postfix_local domain full write access to mail_spool directories, you must turn on the postfix_local_write_mail_spool boolean.
-+
-+.EX
-+.B setsebool -P postfix_local_write_mail_spool 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postfix_local policy is very flexible allowing users to setup their postfix_local processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postfix_local:
-+
-+
-+.EX
-+.PP
-+.B postfix_local_exec_t
-+.EE
-+
-+- Set files with the postfix_local_exec_t type, if you want to transition an executable to the postfix_local_t domain.
-+
-+
-+.EX
-+.PP
-+.B postfix_local_tmp_t
-+.EE
-+
-+- Set files with the postfix_local_tmp_t type, if you want to store postfix local temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postfix_local_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B dovecot_spool_t
-+
-+ /var/spool/dovecot(/.*)?
-+.br
-+
-+.br
-+.B mail_home_rw_t
-+
-+ /root/Maildir(/.*)?
-+.br
-+ /home/[^/]*/Maildir(/.*)?
-+.br
-+ /home/dwalsh/Maildir(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/Maildir(/.*)?
-+.br
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.br
-+.B mailman_data_t
-+
-+ /etc/mailman.*
-+.br
-+ /var/lib/mailman.*
-+.br
-+ /var/spool/mailman.*
-+.br
-+
-+.br
-+.B postfix_local_tmp_t
-+
-+
-+.br
-+.B postfix_spool_maildrop_t
-+
-+ /var/spool/postfix/defer(/.*)?
-+.br
-+ /var/spool/postfix/deferred(/.*)?
-+.br
-+ /var/spool/postfix/maildrop(/.*)?
-+.br
-+
-+.br
-+.B postfix_spool_t
-+
-+ /var/spool/postfix.*
-+.br
-+
-+.br
-+.B postfix_var_run_t
-+
-+ /var/spool/postfix/pid/.*
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_local_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postfix_local_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postfix_local(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/postfix_map_selinux.8 b/man/man8/postfix_map_selinux.8
-new file mode 100644
-index 0000000..f1b2f03
---- /dev/null
-+++ b/man/man8/postfix_map_selinux.8
-@@ -0,0 +1,133 @@
-+.TH "postfix_map_selinux" "8" "12-11-01" "postfix_map" "SELinux Policy documentation for postfix_map"
-+.SH "NAME"
-+postfix_map_selinux \- Security Enhanced Linux Policy for the postfix_map processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postfix_map processes via flexible mandatory access control.
-+
-+The postfix_map processes execute with the postfix_map_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postfix_map_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postfix_map_t SELinux type can be entered via the "postfix_map_exec_t" file type. The default entrypoint paths for the postfix_map_t domain are the following:"
-+
-+/usr/sbin/postmap
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postfix_map policy is very flexible allowing users to setup their postfix_map processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postfix_map:
-+
-+.EX
-+.B postfix_map_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postfix_map policy is very flexible allowing users to setup their postfix_map processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postfix_map:
-+
-+
-+.EX
-+.PP
-+.B postfix_map_exec_t
-+.EE
-+
-+- Set files with the postfix_map_exec_t type, if you want to transition an executable to the postfix_map_t domain.
-+
-+
-+.EX
-+.PP
-+.B postfix_map_tmp_t
-+.EE
-+
-+- Set files with the postfix_map_tmp_t type, if you want to store postfix map temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postfix_map_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mailman_data_t
-+
-+ /etc/mailman.*
-+.br
-+ /var/lib/mailman.*
-+.br
-+ /var/spool/mailman.*
-+.br
-+
-+.br
-+.B postfix_etc_t
-+
-+ /etc/postfix.*
-+.br
-+
-+.br
-+.B postfix_map_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_map_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postfix_map_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postfix_map(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/postfix_master_selinux.8 b/man/man8/postfix_master_selinux.8
-new file mode 100644
-index 0000000..feb9a1e
---- /dev/null
-+++ b/man/man8/postfix_master_selinux.8
-@@ -0,0 +1,177 @@
-+.TH "postfix_master_selinux" "8" "12-11-01" "postfix_master" "SELinux Policy documentation for postfix_master"
-+.SH "NAME"
-+postfix_master_selinux \- Security Enhanced Linux Policy for the postfix_master processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postfix_master processes via flexible mandatory access control.
-+
-+The postfix_master processes execute with the postfix_master_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postfix_master_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postfix_master_t SELinux type can be entered via the "postfix_master_exec_t" file type. The default entrypoint paths for the postfix_master_t domain are the following:"
-+
-+/usr/sbin/postcat, /usr/sbin/postfix, /usr/sbin/postlog, /usr/sbin/postkick, /usr/sbin/postlock, /usr/sbin/postalias, /usr/sbin/postsuper, /usr/libexec/postfix/master
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postfix_master policy is very flexible allowing users to setup their postfix_master processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postfix_master:
-+
-+.EX
-+.B postfix_master_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postfix_master policy is very flexible allowing users to setup their postfix_master processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postfix_master:
-+
-+
-+.EX
-+.PP
-+.B postfix_master_exec_t
-+.EE
-+
-+- Set files with the postfix_master_exec_t type, if you want to transition an executable to the postfix_master_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postfix_master_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B etc_aliases_t
-+
-+ /etc/mail/aliases.*
-+.br
-+ /etc/postfix/aliases.*
-+.br
-+ /etc/aliases
-+.br
-+ /etc/aliases\.db
-+.br
-+
-+.br
-+.B mailman_data_t
-+
-+ /etc/mailman.*
-+.br
-+ /var/lib/mailman.*
-+.br
-+ /var/spool/mailman.*
-+.br
-+
-+.br
-+.B postfix_data_t
-+
-+ /var/lib/postfix.*
-+.br
-+
-+.br
-+.B postfix_etc_t
-+
-+ /etc/postfix.*
-+.br
-+
-+.br
-+.B postfix_prng_t
-+
-+ /etc/postfix/prng_exch
-+.br
-+
-+.br
-+.B postfix_spool_flush_t
-+
-+ /var/spool/postfix/flush(/.*)?
-+.br
-+
-+.br
-+.B postfix_spool_maildrop_t
-+
-+ /var/spool/postfix/defer(/.*)?
-+.br
-+ /var/spool/postfix/deferred(/.*)?
-+.br
-+ /var/spool/postfix/maildrop(/.*)?
-+.br
-+
-+.br
-+.B postfix_spool_t
-+
-+ /var/spool/postfix.*
-+.br
-+
-+.br
-+.B postfix_var_run_t
-+
-+ /var/spool/postfix/pid/.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_master_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postfix_master_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postfix_master(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/postfix_pickup_selinux.8 b/man/man8/postfix_pickup_selinux.8
-new file mode 100644
-index 0000000..4db315f
---- /dev/null
-+++ b/man/man8/postfix_pickup_selinux.8
-@@ -0,0 +1,127 @@
-+.TH "postfix_pickup_selinux" "8" "12-11-01" "postfix_pickup" "SELinux Policy documentation for postfix_pickup"
-+.SH "NAME"
-+postfix_pickup_selinux \- Security Enhanced Linux Policy for the postfix_pickup processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postfix_pickup processes via flexible mandatory access control.
-+
-+The postfix_pickup processes execute with the postfix_pickup_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postfix_pickup_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postfix_pickup_t SELinux type can be entered via the "postfix_pickup_exec_t" file type. The default entrypoint paths for the postfix_pickup_t domain are the following:"
-+
-+/usr/libexec/postfix/pickup
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postfix_pickup policy is very flexible allowing users to setup their postfix_pickup processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postfix_pickup:
-+
-+.EX
-+.B postfix_pickup_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postfix_pickup policy is very flexible allowing users to setup their postfix_pickup processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postfix_pickup:
-+
-+
-+.EX
-+.PP
-+.B postfix_pickup_exec_t
-+.EE
-+
-+- Set files with the postfix_pickup_exec_t type, if you want to transition an executable to the postfix_pickup_t domain.
-+
-+
-+.EX
-+.PP
-+.B postfix_pickup_tmp_t
-+.EE
-+
-+- Set files with the postfix_pickup_tmp_t type, if you want to store postfix pickup temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postfix_pickup_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B postfix_pickup_tmp_t
-+
-+
-+.br
-+.B postfix_var_run_t
-+
-+ /var/spool/postfix/pid/.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_pickup_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postfix_pickup_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postfix_pickup(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/postfix_pipe_selinux.8 b/man/man8/postfix_pipe_selinux.8
-new file mode 100644
-index 0000000..0fc0351
---- /dev/null
-+++ b/man/man8/postfix_pipe_selinux.8
-@@ -0,0 +1,143 @@
-+.TH "postfix_pipe_selinux" "8" "12-11-01" "postfix_pipe" "SELinux Policy documentation for postfix_pipe"
-+.SH "NAME"
-+postfix_pipe_selinux \- Security Enhanced Linux Policy for the postfix_pipe processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postfix_pipe processes via flexible mandatory access control.
-+
-+The postfix_pipe processes execute with the postfix_pipe_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postfix_pipe_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postfix_pipe_t SELinux type can be entered via the "postfix_pipe_exec_t" file type. The default entrypoint paths for the postfix_pipe_t domain are the following:"
-+
-+/usr/libexec/postfix/pipe
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postfix_pipe policy is very flexible allowing users to setup their postfix_pipe processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postfix_pipe:
-+
-+.EX
-+.B postfix_pipe_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postfix_pipe policy is very flexible allowing users to setup their postfix_pipe processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postfix_pipe:
-+
-+
-+.EX
-+.PP
-+.B postfix_pipe_exec_t
-+.EE
-+
-+- Set files with the postfix_pipe_exec_t type, if you want to transition an executable to the postfix_pipe_t domain.
-+
-+
-+.EX
-+.PP
-+.B postfix_pipe_tmp_t
-+.EE
-+
-+- Set files with the postfix_pipe_tmp_t type, if you want to store postfix pipe temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postfix_pipe_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.br
-+.B postfix_pipe_tmp_t
-+
-+
-+.br
-+.B postfix_spool_t
-+
-+ /var/spool/postfix.*
-+.br
-+
-+.br
-+.B postfix_var_run_t
-+
-+ /var/spool/postfix/pid/.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_pipe_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postfix_pipe_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postfix_pipe(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/postfix_postdrop_selinux.8 b/man/man8/postfix_postdrop_selinux.8
-new file mode 100644
-index 0000000..e6877f7
---- /dev/null
-+++ b/man/man8/postfix_postdrop_selinux.8
-@@ -0,0 +1,137 @@
-+.TH "postfix_postdrop_selinux" "8" "12-11-01" "postfix_postdrop" "SELinux Policy documentation for postfix_postdrop"
-+.SH "NAME"
-+postfix_postdrop_selinux \- Security Enhanced Linux Policy for the postfix_postdrop processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postfix_postdrop processes via flexible mandatory access control.
-+
-+The postfix_postdrop processes execute with the postfix_postdrop_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postfix_postdrop_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postfix_postdrop_t SELinux type can be entered via the "postfix_postdrop_exec_t" file type. The default entrypoint paths for the postfix_postdrop_t domain are the following:"
-+
-+/usr/sbin/postdrop
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postfix_postdrop policy is very flexible allowing users to setup their postfix_postdrop processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postfix_postdrop:
-+
-+.EX
-+.B postfix_postdrop_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postfix_postdrop policy is very flexible allowing users to setup their postfix_postdrop processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postfix_postdrop:
-+
-+
-+.EX
-+.PP
-+.B postfix_postdrop_exec_t
-+.EE
-+
-+- Set files with the postfix_postdrop_exec_t type, if you want to transition an executable to the postfix_postdrop_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postfix_postdrop_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B arpwatch_tmp_t
-+
-+
-+.br
-+.B postfix_spool_maildrop_t
-+
-+ /var/spool/postfix/defer(/.*)?
-+.br
-+ /var/spool/postfix/deferred(/.*)?
-+.br
-+ /var/spool/postfix/maildrop(/.*)?
-+.br
-+
-+.br
-+.B postfix_var_run_t
-+
-+ /var/spool/postfix/pid/.*
-+.br
-+
-+.br
-+.B uucpd_spool_t
-+
-+ /var/spool/uucp(/.*)?
-+.br
-+ /var/spool/uucppublic(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_postdrop_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postfix_postdrop_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postfix_postdrop(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/postfix_postqueue_selinux.8 b/man/man8/postfix_postqueue_selinux.8
-new file mode 100644
-index 0000000..7b40ff1
---- /dev/null
-+++ b/man/man8/postfix_postqueue_selinux.8
-@@ -0,0 +1,119 @@
-+.TH "postfix_postqueue_selinux" "8" "12-11-01" "postfix_postqueue" "SELinux Policy documentation for postfix_postqueue"
-+.SH "NAME"
-+postfix_postqueue_selinux \- Security Enhanced Linux Policy for the postfix_postqueue processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postfix_postqueue processes via flexible mandatory access control.
-+
-+The postfix_postqueue processes execute with the postfix_postqueue_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postfix_postqueue_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postfix_postqueue_t SELinux type can be entered via the "postfix_postqueue_exec_t" file type. The default entrypoint paths for the postfix_postqueue_t domain are the following:"
-+
-+/usr/sbin/postqueue
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postfix_postqueue policy is very flexible allowing users to setup their postfix_postqueue processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postfix_postqueue:
-+
-+.EX
-+.B postfix_postqueue_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postfix_postqueue policy is very flexible allowing users to setup their postfix_postqueue processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postfix_postqueue:
-+
-+
-+.EX
-+.PP
-+.B postfix_postqueue_exec_t
-+.EE
-+
-+- Set files with the postfix_postqueue_exec_t type, if you want to transition an executable to the postfix_postqueue_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postfix_postqueue_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B arpwatch_tmp_t
-+
-+
-+.br
-+.B postfix_var_run_t
-+
-+ /var/spool/postfix/pid/.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_postqueue_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postfix_postqueue_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postfix_postqueue(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/postfix_qmgr_selinux.8 b/man/man8/postfix_qmgr_selinux.8
-new file mode 100644
-index 0000000..0cdebf4
---- /dev/null
-+++ b/man/man8/postfix_qmgr_selinux.8
-@@ -0,0 +1,143 @@
-+.TH "postfix_qmgr_selinux" "8" "12-11-01" "postfix_qmgr" "SELinux Policy documentation for postfix_qmgr"
-+.SH "NAME"
-+postfix_qmgr_selinux \- Security Enhanced Linux Policy for the postfix_qmgr processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postfix_qmgr processes via flexible mandatory access control.
-+
-+The postfix_qmgr processes execute with the postfix_qmgr_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postfix_qmgr_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postfix_qmgr_t SELinux type can be entered via the "postfix_qmgr_exec_t" file type. The default entrypoint paths for the postfix_qmgr_t domain are the following:"
-+
-+/usr/libexec/postfix/(n)?qmgr
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postfix_qmgr policy is very flexible allowing users to setup their postfix_qmgr processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postfix_qmgr:
-+
-+.EX
-+.B postfix_qmgr_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postfix_qmgr policy is very flexible allowing users to setup their postfix_qmgr processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postfix_qmgr:
-+
-+
-+.EX
-+.PP
-+.B postfix_qmgr_exec_t
-+.EE
-+
-+- Set files with the postfix_qmgr_exec_t type, if you want to transition an executable to the postfix_qmgr_t domain.
-+
-+
-+.EX
-+.PP
-+.B postfix_qmgr_tmp_t
-+.EE
-+
-+- Set files with the postfix_qmgr_tmp_t type, if you want to store postfix qmgr temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postfix_qmgr_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B postfix_qmgr_tmp_t
-+
-+
-+.br
-+.B postfix_spool_maildrop_t
-+
-+ /var/spool/postfix/defer(/.*)?
-+.br
-+ /var/spool/postfix/deferred(/.*)?
-+.br
-+ /var/spool/postfix/maildrop(/.*)?
-+.br
-+
-+.br
-+.B postfix_spool_t
-+
-+ /var/spool/postfix.*
-+.br
-+
-+.br
-+.B postfix_var_run_t
-+
-+ /var/spool/postfix/pid/.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_qmgr_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postfix_qmgr_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postfix_qmgr(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/postfix_showq_selinux.8 b/man/man8/postfix_showq_selinux.8
-new file mode 100644
-index 0000000..06cde29
---- /dev/null
-+++ b/man/man8/postfix_showq_selinux.8
-@@ -0,0 +1,115 @@
-+.TH "postfix_showq_selinux" "8" "12-11-01" "postfix_showq" "SELinux Policy documentation for postfix_showq"
-+.SH "NAME"
-+postfix_showq_selinux \- Security Enhanced Linux Policy for the postfix_showq processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postfix_showq processes via flexible mandatory access control.
-+
-+The postfix_showq processes execute with the postfix_showq_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postfix_showq_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postfix_showq_t SELinux type can be entered via the "postfix_showq_exec_t" file type. The default entrypoint paths for the postfix_showq_t domain are the following:"
-+
-+/usr/libexec/postfix/showq
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postfix_showq policy is very flexible allowing users to setup their postfix_showq processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postfix_showq:
-+
-+.EX
-+.B postfix_showq_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postfix_showq policy is very flexible allowing users to setup their postfix_showq processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postfix_showq:
-+
-+
-+.EX
-+.PP
-+.B postfix_showq_exec_t
-+.EE
-+
-+- Set files with the postfix_showq_exec_t type, if you want to transition an executable to the postfix_showq_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postfix_showq_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B postfix_var_run_t
-+
-+ /var/spool/postfix/pid/.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_showq_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postfix_showq_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postfix_showq(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/postfix_smtp_selinux.8 b/man/man8/postfix_smtp_selinux.8
-new file mode 100644
-index 0000000..d10b079
---- /dev/null
-+++ b/man/man8/postfix_smtp_selinux.8
-@@ -0,0 +1,165 @@
-+.TH "postfix_smtp_selinux" "8" "12-11-01" "postfix_smtp" "SELinux Policy documentation for postfix_smtp"
-+.SH "NAME"
-+postfix_smtp_selinux \- Security Enhanced Linux Policy for the postfix_smtp processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postfix_smtp processes via flexible mandatory access control.
-+
-+The postfix_smtp processes execute with the postfix_smtp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postfix_smtp_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postfix_smtp_t SELinux type can be entered via the "postfix_smtp_exec_t" file type. The default entrypoint paths for the postfix_smtp_t domain are the following:"
-+
-+/usr/libexec/postfix/lmtp, /usr/libexec/postfix/smtp, /usr/libexec/postfix/scache
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postfix_smtp policy is very flexible allowing users to setup their postfix_smtp processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postfix_smtp:
-+
-+.EX
-+.B postfix_smtpd_t, postfix_smtp_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postfix_smtp policy is very flexible allowing users to setup their postfix_smtp processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postfix_smtp:
-+
-+
-+.EX
-+.PP
-+.B postfix_smtp_exec_t
-+.EE
-+
-+- Set files with the postfix_smtp_exec_t type, if you want to transition an executable to the postfix_smtp_t domain.
-+
-+
-+.EX
-+.PP
-+.B postfix_smtp_tmp_t
-+.EE
-+
-+- Set files with the postfix_smtp_tmp_t type, if you want to store postfix smtp temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B postfix_smtpd_exec_t
-+.EE
-+
-+- Set files with the postfix_smtpd_exec_t type, if you want to transition an executable to the postfix_smtpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B postfix_smtpd_tmp_t
-+.EE
-+
-+- Set files with the postfix_smtpd_tmp_t type, if you want to store postfix smtpd temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postfix_smtp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B postfix_prng_t
-+
-+ /etc/postfix/prng_exch
-+.br
-+
-+.br
-+.B postfix_smtp_tmp_t
-+
-+
-+.br
-+.B postfix_spool_maildrop_t
-+
-+ /var/spool/postfix/defer(/.*)?
-+.br
-+ /var/spool/postfix/deferred(/.*)?
-+.br
-+ /var/spool/postfix/maildrop(/.*)?
-+.br
-+
-+.br
-+.B postfix_spool_t
-+
-+ /var/spool/postfix.*
-+.br
-+
-+.br
-+.B postfix_var_run_t
-+
-+ /var/spool/postfix/pid/.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_smtpd_t, postfix_smtp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postfix_smtpd_t, postfix_smtp_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postfix_smtp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/postfix_smtpd_selinux.8 b/man/man8/postfix_smtpd_selinux.8
-new file mode 100644
-index 0000000..45ad26e
---- /dev/null
-+++ b/man/man8/postfix_smtpd_selinux.8
-@@ -0,0 +1,139 @@
-+.TH "postfix_smtpd_selinux" "8" "12-11-01" "postfix_smtpd" "SELinux Policy documentation for postfix_smtpd"
-+.SH "NAME"
-+postfix_smtpd_selinux \- Security Enhanced Linux Policy for the postfix_smtpd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postfix_smtpd processes via flexible mandatory access control.
-+
-+The postfix_smtpd processes execute with the postfix_smtpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postfix_smtpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postfix_smtpd_t SELinux type can be entered via the "postfix_smtpd_exec_t" file type. The default entrypoint paths for the postfix_smtpd_t domain are the following:"
-+
-+/usr/libexec/postfix/smtpd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postfix_smtpd policy is very flexible allowing users to setup their postfix_smtpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postfix_smtpd:
-+
-+.EX
-+.B postfix_smtpd_t, postfix_smtp_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postfix_smtpd policy is very flexible allowing users to setup their postfix_smtpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postfix_smtpd:
-+
-+
-+.EX
-+.PP
-+.B postfix_smtpd_exec_t
-+.EE
-+
-+- Set files with the postfix_smtpd_exec_t type, if you want to transition an executable to the postfix_smtpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B postfix_smtpd_tmp_t
-+.EE
-+
-+- Set files with the postfix_smtpd_tmp_t type, if you want to store postfix smtpd temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postfix_smtpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B postfix_prng_t
-+
-+ /etc/postfix/prng_exch
-+.br
-+
-+.br
-+.B postfix_smtpd_tmp_t
-+
-+
-+.br
-+.B postfix_spool_t
-+
-+ /var/spool/postfix.*
-+.br
-+
-+.br
-+.B postfix_var_run_t
-+
-+ /var/spool/postfix/pid/.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_smtpd_t, postfix_smtp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postfix_smtpd_t, postfix_smtp_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postfix_smtpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtp_selinux(8), postfix_virtual_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/postfix_virtual_selinux.8 b/man/man8/postfix_virtual_selinux.8
-new file mode 100644
-index 0000000..c58fbd2
---- /dev/null
-+++ b/man/man8/postfix_virtual_selinux.8
-@@ -0,0 +1,165 @@
-+.TH "postfix_virtual_selinux" "8" "12-11-01" "postfix_virtual" "SELinux Policy documentation for postfix_virtual"
-+.SH "NAME"
-+postfix_virtual_selinux \- Security Enhanced Linux Policy for the postfix_virtual processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postfix_virtual processes via flexible mandatory access control.
-+
-+The postfix_virtual processes execute with the postfix_virtual_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postfix_virtual_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postfix_virtual_t SELinux type can be entered via the "postfix_virtual_exec_t" file type. The default entrypoint paths for the postfix_virtual_t domain are the following:"
-+
-+/usr/libexec/postfix/virtual
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postfix_virtual policy is very flexible allowing users to setup their postfix_virtual processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postfix_virtual:
-+
-+.EX
-+.B postfix_virtual_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postfix_virtual policy is very flexible allowing users to setup their postfix_virtual processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postfix_virtual:
-+
-+
-+.EX
-+.PP
-+.B postfix_virtual_exec_t
-+.EE
-+
-+- Set files with the postfix_virtual_exec_t type, if you want to transition an executable to the postfix_virtual_t domain.
-+
-+
-+.EX
-+.PP
-+.B postfix_virtual_tmp_t
-+.EE
-+
-+- Set files with the postfix_virtual_tmp_t type, if you want to store postfix virtual temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postfix_virtual_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B dovecot_spool_t
-+
-+ /var/spool/dovecot(/.*)?
-+.br
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.br
-+.B postfix_spool_t
-+
-+ /var/spool/postfix.*
-+.br
-+
-+.br
-+.B postfix_var_run_t
-+
-+ /var/spool/postfix/pid/.*
-+.br
-+
-+.br
-+.B postfix_virtual_tmp_t
-+
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.br
-+.B user_home_type
-+
-+ all user home files
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_virtual_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postfix_virtual_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postfix_virtual(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/postgresql_selinux.8 b/man/man8/postgresql_selinux.8
-new file mode 100644
-index 0000000..375c37b
---- /dev/null
-+++ b/man/man8/postgresql_selinux.8
-@@ -0,0 +1,382 @@
-+.TH "postgresql_selinux" "8" "12-11-01" "postgresql" "SELinux Policy documentation for postgresql"
-+.SH "NAME"
-+postgresql_selinux \- Security Enhanced Linux Policy for the postgresql processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postgresql processes via flexible mandatory access control.
-+
-+The postgresql processes execute with the postgresql_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postgresql_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postgresql_t SELinux type can be entered via the "postgresql_exec_t" file type. The default entrypoint paths for the postgresql_t domain are the following:"
-+
-+/usr/bin/(se)?postgres, /usr/bin/initdb(\.sepgsql)?, /usr/lib/postgresql/bin/.*, /usr/lib/pgsql/test/regress/pg_regress
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postgresql policy is very flexible allowing users to setup their postgresql processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postgresql:
-+
-+.EX
-+.B postgresql_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. postgresql policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postgresql with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow transmit client label to foreign database, you must turn on the postgresql_selinux_transmit_client_label boolean.
-+
-+.EX
-+.B setsebool -P postgresql_selinux_transmit_client_label 1
-+.EE
-+
-+.PP
-+If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
-+
-+.EX
-+.B setsebool -P postgresql_selinux_unconfined_dbadm 1
-+.EE
-+
-+.PP
-+If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean.
-+
-+.EX
-+.B setsebool -P postgresql_can_rsync 1
-+.EE
-+
-+.PP
-+If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_postgresql_connect_enabled 1
-+.EE
-+
-+.PP
-+If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean.
-+
-+.EX
-+.B setsebool -P postgresql_selinux_users_ddl 1
-+.EE
-+
-+.PP
-+If you want to allow transmit client label to foreign database, you must turn on the postgresql_selinux_transmit_client_label boolean.
-+
-+.EX
-+.B setsebool -P postgresql_selinux_transmit_client_label 1
-+.EE
-+
-+.PP
-+If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
-+
-+.EX
-+.B setsebool -P postgresql_selinux_unconfined_dbadm 1
-+.EE
-+
-+.PP
-+If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean.
-+
-+.EX
-+.B setsebool -P postgresql_can_rsync 1
-+.EE
-+
-+.PP
-+If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_postgresql_connect_enabled 1
-+.EE
-+
-+.PP
-+If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean.
-+
-+.EX
-+.B setsebool -P postgresql_selinux_users_ddl 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postgresql policy is very flexible allowing users to setup their postgresql processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postgresql:
-+
-+
-+.EX
-+.PP
-+.B postgresql_db_t
-+.EE
-+
-+- Set files with the postgresql_db_t type, if you want to treat the files as postgresql database content.
-+
-+
-+.EX
-+.PP
-+.B postgresql_etc_t
-+.EE
-+
-+- Set files with the postgresql_etc_t type, if you want to store postgresql files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B postgresql_exec_t
-+.EE
-+
-+- Set files with the postgresql_exec_t type, if you want to transition an executable to the postgresql_t domain.
-+
-+
-+.EX
-+.PP
-+.B postgresql_initrc_exec_t
-+.EE
-+
-+- Set files with the postgresql_initrc_exec_t type, if you want to transition an executable to the postgresql_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B postgresql_lock_t
-+.EE
-+
-+- Set files with the postgresql_lock_t type, if you want to treat the files as postgresql lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B postgresql_log_t
-+.EE
-+
-+- Set files with the postgresql_log_t type, if you want to treat the data as postgresql log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B postgresql_tmp_t
-+.EE
-+
-+- Set files with the postgresql_tmp_t type, if you want to store postgresql temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B postgresql_var_run_t
-+.EE
-+
-+- Set files with the postgresql_var_run_t type, if you want to store the postgresql files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux postgresql policy is very flexible allowing users to setup their postgresql processes in as secure a method as possible.
-+.PP
-+The following port types are defined for postgresql:
-+
-+.EX
-+.TP 5
-+.B postgresql_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 5432
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postgresql_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B hugetlbfs_t
-+
-+ /dev/hugepages
-+.br
-+ /lib/udev/devices/hugepages
-+.br
-+ /usr/lib/udev/devices/hugepages
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B postgresql_db_t
-+
-+ /var/lib/pgsql(/.*)?
-+.br
-+ /var/lib/sepgsql(/.*)?
-+.br
-+ /var/lib/postgres(ql)?(/.*)?
-+.br
-+ /usr/share/jonas/pgsql(/.*)?
-+.br
-+ /usr/lib/pgsql/test/regress(/.*)?
-+.br
-+
-+.br
-+.B postgresql_lock_t
-+
-+
-+.br
-+.B postgresql_log_t
-+
-+ /var/lib/pgsql/.*\.log
-+.br
-+ /var/log/rhdb/rhdb(/.*)?
-+.br
-+ /var/log/postgresql(/.*)?
-+.br
-+ /var/log/postgres\.log.*
-+.br
-+ /var/lib/pgsql/logfile(/.*)?
-+.br
-+ /var/log/sepostgresql\.log.*
-+.br
-+ /var/lib/sepgsql/pgstartup\.log
-+.br
-+
-+.br
-+.B postgresql_tmp_t
-+
-+
-+.br
-+.B postgresql_var_run_t
-+
-+ /var/run/postgresql(/.*)?
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postgresql_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postgresql_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postgresql(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/postgrey_selinux.8 b/man/man8/postgrey_selinux.8
-new file mode 100644
-index 0000000..0959a17
---- /dev/null
-+++ b/man/man8/postgrey_selinux.8
-@@ -0,0 +1,180 @@
-+.TH "postgrey_selinux" "8" "12-11-01" "postgrey" "SELinux Policy documentation for postgrey"
-+.SH "NAME"
-+postgrey_selinux \- Security Enhanced Linux Policy for the postgrey processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the postgrey processes via flexible mandatory access control.
-+
-+The postgrey processes execute with the postgrey_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep postgrey_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The postgrey_t SELinux type can be entered via the "postgrey_exec_t" file type. The default entrypoint paths for the postgrey_t domain are the following:"
-+
-+/usr/sbin/postgrey
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux postgrey policy is very flexible allowing users to setup their postgrey processes in as secure a method as possible.
-+.PP
-+The following process types are defined for postgrey:
-+
-+.EX
-+.B postgrey_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux postgrey policy is very flexible allowing users to setup their postgrey processes in as secure a method as possible.
-+.PP
-+The following file types are defined for postgrey:
-+
-+
-+.EX
-+.PP
-+.B postgrey_etc_t
-+.EE
-+
-+- Set files with the postgrey_etc_t type, if you want to store postgrey files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B postgrey_exec_t
-+.EE
-+
-+- Set files with the postgrey_exec_t type, if you want to transition an executable to the postgrey_t domain.
-+
-+
-+.EX
-+.PP
-+.B postgrey_initrc_exec_t
-+.EE
-+
-+- Set files with the postgrey_initrc_exec_t type, if you want to transition an executable to the postgrey_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B postgrey_spool_t
-+.EE
-+
-+- Set files with the postgrey_spool_t type, if you want to store the postgrey files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B postgrey_var_lib_t
-+.EE
-+
-+- Set files with the postgrey_var_lib_t type, if you want to store the postgrey files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B postgrey_var_run_t
-+.EE
-+
-+- Set files with the postgrey_var_run_t type, if you want to store the postgrey files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux postgrey policy is very flexible allowing users to setup their postgrey processes in as secure a method as possible.
-+.PP
-+The following port types are defined for postgrey:
-+
-+.EX
-+.TP 5
-+.B postgrey_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 60000
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type postgrey_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B postfix_spool_type
-+
-+
-+.br
-+.B postgrey_spool_t
-+
-+ /var/spool/postfix/postgrey(/.*)?
-+.br
-+
-+.br
-+.B postgrey_var_lib_t
-+
-+ /var/lib/postgrey(/.*)?
-+.br
-+
-+.br
-+.B postgrey_var_run_t
-+
-+ /var/run/postgrey(/.*)?
-+.br
-+ /var/run/postgrey\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), postgrey(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/pppd_selinux.8 b/man/man8/pppd_selinux.8
-new file mode 100644
-index 0000000..be38983
---- /dev/null
-+++ b/man/man8/pppd_selinux.8
-@@ -0,0 +1,362 @@
-+.TH "pppd_selinux" "8" "12-11-01" "pppd" "SELinux Policy documentation for pppd"
-+.SH "NAME"
-+pppd_selinux \- Security Enhanced Linux Policy for the pppd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pppd processes via flexible mandatory access control.
-+
-+The pppd processes execute with the pppd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pppd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pppd_t SELinux type can be entered via the "pppd_exec_t" file type. The default entrypoint paths for the pppd_t domain are the following:"
-+
-+/usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd, /sbin/pppoe-server, /usr/sbin/ppp-watch, /usr/sbin/pppoe-server
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pppd policy is very flexible allowing users to setup their pppd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pppd:
-+
-+.EX
-+.B pppd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. pppd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pppd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean.
-+
-+.EX
-+.B setsebool -P pppd_can_insmod 1
-+.EE
-+
-+.PP
-+If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean.
-+
-+.EX
-+.B setsebool -P pppd_for_user 1
-+.EE
-+
-+.PP
-+If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean.
-+
-+.EX
-+.B setsebool -P pppd_can_insmod 1
-+.EE
-+
-+.PP
-+If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean.
-+
-+.EX
-+.B setsebool -P pppd_for_user 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pppd policy is very flexible allowing users to setup their pppd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pppd:
-+
-+
-+.EX
-+.PP
-+.B pppd_etc_rw_t
-+.EE
-+
-+- Set files with the pppd_etc_rw_t type, if you want to treat the files as pppd etc read/write content.
-+
-+
-+.EX
-+.PP
-+.B pppd_etc_t
-+.EE
-+
-+- Set files with the pppd_etc_t type, if you want to store pppd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B pppd_exec_t
-+.EE
-+
-+- Set files with the pppd_exec_t type, if you want to transition an executable to the pppd_t domain.
-+
-+
-+.EX
-+.PP
-+.B pppd_initrc_exec_t
-+.EE
-+
-+- Set files with the pppd_initrc_exec_t type, if you want to transition an executable to the pppd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B pppd_lock_t
-+.EE
-+
-+- Set files with the pppd_lock_t type, if you want to treat the files as pppd lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B pppd_log_t
-+.EE
-+
-+- Set files with the pppd_log_t type, if you want to treat the data as pppd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B pppd_secret_t
-+.EE
-+
-+- Set files with the pppd_secret_t type, if you want to treat the files as pppd se secret data.
-+
-+
-+.EX
-+.PP
-+.B pppd_tmp_t
-+.EE
-+
-+- Set files with the pppd_tmp_t type, if you want to store pppd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B pppd_unit_file_t
-+.EE
-+
-+- Set files with the pppd_unit_file_t type, if you want to treat the files as pppd unit content.
-+
-+
-+.EX
-+.PP
-+.B pppd_var_run_t
-+.EE
-+
-+- Set files with the pppd_var_run_t type, if you want to store the pppd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type pppd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B pppd_etc_rw_t
-+
-+ /etc/ppp(/.*)?
-+.br
-+ /etc/ppp/peers(/.*)?
-+.br
-+ /etc/ppp/resolv\.conf
-+.br
-+
-+.br
-+.B pppd_lock_t
-+
-+ /var/lock/ppp(/.*)?
-+.br
-+
-+.br
-+.B pppd_log_t
-+
-+ /var/log/ppp(/.*)?
-+.br
-+ /var/log/ppp-connect-errors.*
-+.br
-+
-+.br
-+.B pppd_tmp_t
-+
-+
-+.br
-+.B pppd_var_run_t
-+
-+ /var/run/(i)?ppp.*pid[^/]*
-+.br
-+ /var/run/ppp(/.*)?
-+.br
-+ /var/run/pppd[0-9]*\.tdb
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pppd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the pppd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pppd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/pptp_selinux.8 b/man/man8/pptp_selinux.8
-new file mode 100644
-index 0000000..ff95294
---- /dev/null
-+++ b/man/man8/pptp_selinux.8
-@@ -0,0 +1,158 @@
-+.TH "pptp_selinux" "8" "12-11-01" "pptp" "SELinux Policy documentation for pptp"
-+.SH "NAME"
-+pptp_selinux \- Security Enhanced Linux Policy for the pptp processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pptp processes via flexible mandatory access control.
-+
-+The pptp processes execute with the pptp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pptp_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pptp_t SELinux type can be entered via the "pptp_exec_t" file type. The default entrypoint paths for the pptp_t domain are the following:"
-+
-+/usr/sbin/pptp
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pptp policy is very flexible allowing users to setup their pptp processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pptp:
-+
-+.EX
-+.B pptp_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pptp policy is very flexible allowing users to setup their pptp processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pptp:
-+
-+
-+.EX
-+.PP
-+.B pptp_exec_t
-+.EE
-+
-+- Set files with the pptp_exec_t type, if you want to transition an executable to the pptp_t domain.
-+
-+
-+.EX
-+.PP
-+.B pptp_log_t
-+.EE
-+
-+- Set files with the pptp_log_t type, if you want to treat the data as pptp log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B pptp_var_run_t
-+.EE
-+
-+- Set files with the pptp_var_run_t type, if you want to store the pptp files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux pptp policy is very flexible allowing users to setup their pptp processes in as secure a method as possible.
-+.PP
-+The following port types are defined for pptp:
-+
-+.EX
-+.TP 5
-+.B pptp_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 1723
-+.EE
-+udp 1723
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type pptp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B pptp_log_t
-+
-+
-+.br
-+.B pptp_var_run_t
-+
-+ /var/run/pptp(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pptp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the pptp_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pptp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/prelink_cron_system_selinux.8 b/man/man8/prelink_cron_system_selinux.8
-new file mode 100644
-index 0000000..b622f23
---- /dev/null
-+++ b/man/man8/prelink_cron_system_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "prelink_cron_system_selinux" "8" "12-11-01" "prelink_cron_system" "SELinux Policy documentation for prelink_cron_system"
-+.SH "NAME"
-+prelink_cron_system_selinux \- Security Enhanced Linux Policy for the prelink_cron_system processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the prelink_cron_system processes via flexible mandatory access control.
-+
-+The prelink_cron_system processes execute with the prelink_cron_system_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep prelink_cron_system_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The prelink_cron_system_t SELinux type can be entered via the "prelink_cron_system_exec_t" file type. The default entrypoint paths for the prelink_cron_system_t domain are the following:"
-+
-+/etc/cron\.daily/prelink
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux prelink_cron_system policy is very flexible allowing users to setup their prelink_cron_system processes in as secure a method as possible.
-+.PP
-+The following process types are defined for prelink_cron_system:
-+
-+.EX
-+.B prelink_cron_system_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux prelink_cron_system policy is very flexible allowing users to setup their prelink_cron_system processes in as secure a method as possible.
-+.PP
-+The following file types are defined for prelink_cron_system:
-+
-+
-+.EX
-+.PP
-+.B prelink_cron_system_exec_t
-+.EE
-+
-+- Set files with the prelink_cron_system_exec_t type, if you want to transition an executable to the prelink_cron_system_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type prelink_cron_system_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B prelink_log_t
-+
-+ /var/log/prelink(/.*)?
-+.br
-+ /var/log/prelink\.log.*
-+.br
-+
-+.br
-+.B prelink_var_lib_t
-+
-+ /var/lib/prelink(/.*)?
-+.br
-+ /var/lib/misc/prelink.*
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelink_cron_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the prelink_cron_system_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), prelink_cron_system(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, prelink_selinux(8), prelink_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/prelink_selinux.8 b/man/man8/prelink_selinux.8
-new file mode 100644
-index 0000000..9c74265
---- /dev/null
-+++ b/man/man8/prelink_selinux.8
-@@ -0,0 +1,765 @@
-+.TH "prelink_selinux" "8" "12-11-01" "prelink" "SELinux Policy documentation for prelink"
-+.SH "NAME"
-+prelink_selinux \- Security Enhanced Linux Policy for the prelink processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the prelink processes via flexible mandatory access control.
-+
-+The prelink processes execute with the prelink_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep prelink_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The prelink_t SELinux type can be entered via the "prelink_exec_t" file type. The default entrypoint paths for the prelink_t domain are the following:"
-+
-+/usr/sbin/prelink(\.bin)?
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux prelink policy is very flexible allowing users to setup their prelink processes in as secure a method as possible.
-+.PP
-+The following process types are defined for prelink:
-+
-+.EX
-+.B prelink_cron_system_t, prelink_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux prelink policy is very flexible allowing users to setup their prelink processes in as secure a method as possible.
-+.PP
-+The following file types are defined for prelink:
-+
-+
-+.EX
-+.PP
-+.B prelink_cache_t
-+.EE
-+
-+- Set files with the prelink_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B prelink_cron_system_exec_t
-+.EE
-+
-+- Set files with the prelink_cron_system_exec_t type, if you want to transition an executable to the prelink_cron_system_t domain.
-+
-+
-+.EX
-+.PP
-+.B prelink_exec_t
-+.EE
-+
-+- Set files with the prelink_exec_t type, if you want to transition an executable to the prelink_t domain.
-+
-+
-+.EX
-+.PP
-+.B prelink_log_t
-+.EE
-+
-+- Set files with the prelink_log_t type, if you want to treat the data as prelink log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B prelink_tmp_t
-+.EE
-+
-+- Set files with the prelink_tmp_t type, if you want to store prelink temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B prelink_tmpfs_t
-+.EE
-+
-+- Set files with the prelink_tmpfs_t type, if you want to store prelink files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B prelink_var_lib_t
-+.EE
-+
-+- Set files with the prelink_var_lib_t type, if you want to store the prelink files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type prelink_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B exec_type
-+
-+
-+.br
-+.B ld_so_t
-+
-+ /usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*
-+.br
-+ /lib/ld-[^/]*\.so(\.[^/]*)*
-+.br
-+ /usr/lib/ld-[^/]*\.so(\.[^/]*)*
-+.br
-+ /var/ftp/lib/ld[^/]*\.so(\.[^/]*)*
-+.br
-+ /emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*
-+.br
-+ /emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*
-+.br
-+ /var/spool/postfix/lib/ld.*\.so.*
-+.br
-+
-+.br
-+.B lib_t
-+
-+ /lib/.*
-+.br
-+ /opt/.*\.so(\.[^/]*)*
-+.br
-+ /usr/.*\.so(\.[^/]*)*
-+.br
-+ /opt/(.*/)?lib(/.*)?
-+.br
-+ /usr/(.*/)?lib(/.*)?
-+.br
-+ /opt/(.*/)?jre/.+\.jar
-+.br
-+ /opt/(.*/)?java/.+\.jar
-+.br
-+ /usr/(.*/)?java/.+\.jar
-+.br
-+ /usr/(.*/)?java/.+\.jsa
-+.br
-+ /usr/lib/.*
-+.br
-+ /usr/lib/.*/program(/.*)?\.so
-+.br
-+ /var/ftp/lib(/.*)?
-+.br
-+ /opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api
-+.br
-+ /opt/ibm/java.*/jre/.+\.jar
-+.br
-+ /usr/lib/pgsql/.*\.so.*
-+.br
-+ /usr/lib/xfce4/.*\.so.*
-+.br
-+ /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il]
-+.br
-+ /emul/ia32-linux/lib(/.*)?
-+.br
-+ /emul/ia32-linux/usr(/.*)?/lib(/.*)?
-+.br
-+ /emul/ia32-linux/usr(/.*)?/java/.*\.jar
-+.br
-+ /emul/ia32-linux/usr(/.*)?/java/.*\.jsa
-+.br
-+ /emul/ia32-linux/usr(/.*)?/java/.+\.so(\.[^/]*)*
-+.br
-+ /var/spool/postfix/lib(/.*)?
-+.br
-+ /var/spool/postfix/usr(/.*)?
-+.br
-+ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)?
-+.br
-+ /var/spool/postfix/lib64(/.*)?
-+.br
-+ /usr/lib/nspluginwrapper/np.*\.so
-+.br
-+ /usr/lib/pgsql/test/regress/.*\.so.*
-+.br
-+ /usr/share/hplip/prnt/plugins(/.*)?
-+.br
-+ /var/lib/spamassassin/compiled/.*\.so.*
-+.br
-+ /lib
-+.br
-+ /lib64
-+.br
-+ /usr/lib
-+.br
-+ /etc/ppp/plugins/rp-pppoe\.so
-+.br
-+ /usr/share/rhn/rhn_applet/eggtrayiconmodule\.so
-+.br
-+
-+.br
-+.B mozilla_plugin_rw_t
-+
-+ /usr/lib/mozilla/plugins-wrapped(/.*)?
-+.br
-+
-+.br
-+.B prelink_cache_t
-+
-+ /etc/prelink\.cache
-+.br
-+
-+.br
-+.B prelink_object
-+
-+
-+.br
-+.B prelink_tmp_t
-+
-+
-+.br
-+.B prelink_tmpfs_t
-+
-+
-+.br
-+.B prelink_var_lib_t
-+
-+ /var/lib/prelink(/.*)?
-+.br
-+ /var/lib/misc/prelink.*
-+.br
-+
-+.br
-+.B rpm_tmp_t
-+
-+
-+.br
-+.B textrel_shlib_t
-+
-+ /usr/(.*/)?nprhapengine\.so.*
-+.br
-+ /usr/(.*/)?nvidia/.+\.so(\..*)?
-+.br
-+ /usr/(.*/)?java/.+\.so(\.[^/]*)*
-+.br
-+ /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*
-+.br
-+ /usr/(.*/)?jre.*/.*\.so(\.[^/]*)*
-+.br
-+ /opt/(.*/)?oracle/(.*/)?libnnz.*\.so
-+.br
-+ /opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)*
-+.br
-+ /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)*
-+.br
-+ /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)*
-+.br
-+ /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)?
-+.br
-+ /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl
-+.br
-+ /usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)*
-+.br
-+ /opt/cx.*/lib/wine/.+\.so
-+.br
-+ /usr/lib.*/libmpg123\.so(\.[^/]*)*
-+.br
-+ /usr/lib(/.*)?/nvidia/.+\.so(\..*)?
-+.br
-+ /usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)*
-+.br
-+ /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)*
-+.br
-+ /usr/lib/.*/nprhapengine\.so.*
-+.br
-+ /usr/lib/.*/libflashplayer\.so.*
-+.br
-+ /usr/lib/(sse2/)?libfame-.*\.so.*
-+.br
-+ /usr/lib/.*/program/libsoffice\.so
-+.br
-+ /usr/lib/.*/program/libsts645li\.so
-+.br
-+ /usr/lib/.*/program/libwrp645li\.so
-+.br
-+ /usr/lib/.*/program/libswd680li\.so
-+.br
-+ /usr/lib/.*/program/libsvx680li\.so
-+.br
-+ /usr/lib/.*/program/libicudata\.so.*
-+.br
-+ /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)*
-+.br
-+ /usr/lib/.*/program/librecentfile\.so
-+.br
-+ /usr/lib/.*/program/libcomphelp4gcc3\.so
-+.br
-+ /usr/lib/.*/program/libvclplug_gen645li\.so
-+.br
-+ /usr/lib/(virtualbox(-ose)?/)?(components/)?VBox.*\.so
-+.br
-+ /opt/Adobe.*/libcurl\.so
-+.br
-+ /opt/Adobe(/.*?)/nppdf\.so
-+.br
-+ /usr/Adobe/.*\.api
-+.br
-+ /opt/matlab.*\.so(\.[^/]*)*
-+.br
-+ /usr/matlab.*\.so(\.[^/]*)*
-+.br
-+ /usr/Adobe/(.*/)?intellinux/nppdf\.so
-+.br
-+ /usr/Adobe/(.*/)?intellinux/sidecars/*
-+.br
-+ /usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*
-+.br
-+ /usr/matlab.*/bin/glnx86/libmwlapack\.so
-+.br
-+ /usr/matlab.*/sys/os/glnx86/libtermcap\.so
-+.br
-+ /usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so
-+.br
-+ /opt/google/.*\.so.*
-+.br
-+ /opt/altera9.1/quartus/linux/libccl_err\.so
-+.br
-+ /usr/lib/dri/.+\.so
-+.br
-+ /usr/lib/nsr/(.*/)?.*\.so
-+.br
-+ /opt/ibm/java.*/jre/.+\.so(\.[^/]*)*
-+.br
-+ /opt/ibm/java.*/jre/bin/.+\.so(\.[^/]*)*
-+.br
-+ /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)*
-+.br
-+ /usr/lib/wine/.+\.so
-+.br
-+ /usr/lib/sse2/.*\.so.*
-+.br
-+ /usr/lib/i686/.*\.so.*
-+.br
-+ /usr/lib/libav.*\.so(\.[^/]*)*
-+.br
-+ /usr/acroread/(.*/)?intellinux/nppdf\.so
-+.br
-+ /usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)*
-+.br
-+ /usr/lib/libADM.*\.so.*
-+.br
-+ /opt/lampp/lib/.*\.so.*
-+.br
-+ /usr/lib/libGTL.*\.so.*
-+.br
-+ /usr/lib/win32/.*\.so(\.[^/]*)*
-+.br
-+ /usr/lib/fglrx/.*\.so(\.[^/]*)*
-+.br
-+ /usr/lib/nvidia.*\.so(\.[^/]*)*
-+.br
-+ /opt/VirtualBox(/.*)?/VBox.*\.so
-+.br
-+ /usr/lib/python.*/site-packages/pymedia/muxer\.so
-+.br
-+ /usr/lib/libmyth[^/]+\.so.*
-+.br
-+ /usr/lib/midori/.*\.so(\.[^/]*)*
-+.br
-+ /usr/lib/cedega/.+\.so(\.[^/]*)*
-+.br
-+ /usr/lib/libADM5.*\.so(\.[^/]*)*
-+.br
-+ /usr/lib/vmware/(.*/)?VmPerl\.so
-+.br
-+ /usr/lib/oracle/.*/lib/libnnz10\.so
-+.br
-+ /usr/lib/oracle/.*/lib/libnnz.*\.so
-+.br
-+ /usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)*
-+.br
-+ /usr/lib/python2.4/site-packages/M2Crypto/__m2crypto\.so
-+.br
-+ /usr/lib/libjs\.so.*
-+.br
-+ /usr/lib/libGL\.so(\.[^/]*)*
-+.br
-+ /usr/libmpg123\.so(\.[^/]*)*
-+.br
-+ /usr/lib/libnnz11.so(\.[^/]*)*
-+.br
-+ /opt/local/matlab.*\.so(\.[^/]*)*
-+.br
-+ /opt/lgtonmc/bin/.*\.so(\.[0-9])?
-+.br
-+ /usr/lib/allegro/(.*/)?alleg-vga\.so
-+.br
-+ /usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so
-+.br
-+ /usr/lib/firefox-[^/]*/plugins/nppdf.so
-+.br
-+ /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api
-+.br
-+ /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so
-+.br
-+ /usr/lib/acroread/.+\.api
-+.br
-+ /usr/google-earth/.*\.so.*
-+.br
-+ /opt/google-earth/.*\.so.*
-+.br
-+ /usr/lib/acroread/(.*/)?nppdf\.so
-+.br
-+ /usr/lib/acroread/(.*/)?sidecars/*
-+.br
-+ /usr/lib/acroread/(.*/)?ADMPlugin\.apl
-+.br
-+ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)*
-+.br
-+ /usr/lib/libFLAC\.so.*
-+.br
-+ /usr/lib/libgpac\.so.*
-+.br
-+ /opt/google/picasa/.*\.dll
-+.br
-+ /opt/google/picasa/.*\.yti
-+.br
-+ /opt/google/chrome/.*\.so.*
-+.br
-+ /usr/lib/libzvbi\.so(\.[^/]*)*
-+.br
-+ /usr/lib/libx264\.so(\.[^/]*)*
-+.br
-+ /usr/lib/ati-fglrx/.+\.so(\..*)?
-+.br
-+ /usr/lib/gstreamer-.*/[^/]*\.so.*
-+.br
-+ /usr/lib/ICAClient/.*\.so(\.[^/]*)*
-+.br
-+ /usr/lib/vmware/lib(/.*)?/HConfig\.so
-+.br
-+ /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)*
-+.br
-+ /usr/lib/vmware/lib(/.*)?/libgdk-x11-.*\.so.*
-+.br
-+ /usr/lib/vmware/lib(/.*)?/libvmware-gksu.*\.so.*
-+.br
-+ /usr/lib/libmpeg2\.so.*
-+.br
-+ /usr/lib/valgrind/vg.*\.so
-+.br
-+ /usr/lib/virtualbox/.*\.so
-+.br
-+ /usr/lib/libglide3-v[0-9]*\.so.*
-+.br
-+ /usr/lib/libglide3\.so.*
-+.br
-+ /usr/lib/libHermes\.so.*
-+.br
-+ /usr/lib/libdvdcss\.so.*
-+.br
-+ /usr/lib/libGLcore\.so.*
-+.br
-+ /usr/lib/googleearth/.*\.so.*
-+.br
-+ /usr/NX/lib/libjpeg\.so.*
-+.br
-+ /usr/lib/nx/libjpeg\.so.*
-+.br
-+ /usr/lib/libswscale\.so.*
-+.br
-+ /usr/lib/libmp3lame\.so.*
-+.br
-+ /usr/lib/nmm/liba52\.so.*
-+.br
-+ /usr/lib/dri/fglrx_dri.so.*
-+.br
-+ /usr/lib/xine/plugins/.+\.so
-+.br
-+ /usr/lib/google-earth/.*\.so.*
-+.br
-+ /usr/lib/helix/codecs/[^/]*\.so
-+.br
-+ /usr/lib/xorg/libGL\.so(\.[^/]*)*
-+.br
-+ /usr/X11R6/lib/libGL\.so.*
-+.br
-+ /usr/NX/lib/libXcomp\.so.*
-+.br
-+ /usr/lib/nx/libXcomp\.so.*
-+.br
-+ /usr/lib/libxvidcore\.so.*
-+.br
-+ /usr/lib/libpostproc\.so.*
-+.br
-+ /opt/lampp/lib/libct\.so.*
-+.br
-+ /opt/google/talkplugin/.*\.so.*
-+.br
-+ /usr/lib/helix/plugins/[^/]*\.so
-+.br
-+ /usr/lib/libatiadlxx\.so(\.[^/]*)*
-+.br
-+ /opt/VBoxGuestAdditions.*/lib/VBox.*\.so
-+.br
-+ /usr/lib/mythtv/filters/.*\.so.*
-+.br
-+ /usr/lib/libtfmessbsp\.so(\.[^/]*)*
-+.br
-+ /usr/lib/sse2/libx264\.so(\.[^/]*)*
-+.br
-+ /usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*
-+.br
-+ /usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*
-+.br
-+ /usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)*
-+.br
-+ /usr/lib/libsipphoneapi\.so.*
-+.br
-+ /usr/lib/libfglrx_gamma\.so.*
-+.br
-+ /usr/lib/xorg/modules/dri/.+\.so
-+.br
-+ /usr/lib/chromium-browser/.*\.so
-+.br
-+ /usr/lib/catalyst/libGL\.so(\.[^/]*)*
-+.br
-+ /usr/lib/yafaray/libDarkSky.so
-+.br
-+ /usr/X11R6/lib/modules/dri/.+\.so
-+.br
-+ /opt/real/RealPlayer/codecs(/.*)?
-+.br
-+ /usr/lib/libcncpmslld328\.so(\.[^/]*)*
-+.br
-+ /opt/real/RealPlayer/plugins(/.*)?
-+.br
-+ /usr/lib/libkmplayercommon\.so.*
-+.br
-+ /usr/lib/libjavascriptcoregtk[^/]*\.so.*
-+.br
-+ /usr/games/darwinia/lib/libSDL.*\.so.*
-+.br
-+ /usr/lib/altivec/libavcodec\.so(\.[^/]*)*
-+.br
-+ /usr/lib/xorg/modules/glesx\.so(\.[^/]*)*
-+.br
-+ /usr/X11R6/lib/libXvMCNVIDIA\.so.*
-+.br
-+ /usr/lib/sane/libsane-epkowa\.so.*
-+.br
-+ /opt/AutoScan/usr/lib/libvte\.so.*
-+.br
-+ /usr/X11R6/lib/libfglrx_gamma\.so.*
-+.br
-+ /usr/lib/nero/plug-ins/libMP3\.so(\.[^/]*)*
-+.br
-+ /usr/lib/vdpau/libvdpau_nvidia\.so.*
-+.br
-+ /usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)*
-+.br
-+ /opt/Unify/SQLBase/libgptsblmsui11\.so.*
-+.br
-+ /usr/share/squeezeboxserver/CPAN/arch/.+\.so
-+.br
-+ /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)*
-+.br
-+ /usr/lib/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)*
-+.br
-+ /opt/Komodo-Edit-5/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)*
-+.br
-+ /usr/lib/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)*
-+.br
-+ /usr/lib/xorg/modules/extensions/libglx\.so(\.[^/]*)*
-+.br
-+ /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)*
-+.br
-+ /usr/bin/bsnes
-+.br
-+ /usr/lib/VBoxVMM\.so
-+.br
-+ /usr/lib/valgrind/hp2ps
-+.br
-+ /usr/lib/libmlib_jai\.so
-+.br
-+ /usr/lib/valgrind/stage2
-+.br
-+ /lib/security/pam_poldi\.so
-+.br
-+ /usr/lib/libg\+\+\.so\.2\.7\.2\.8
-+.br
-+ /usr/lib/ladspa/gsm_1215\.so
-+.br
-+ /usr/lib/ladspa/sc1_1425\.so
-+.br
-+ /usr/lib/ladspa/sc2_1426\.so
-+.br
-+ /usr/lib/ladspa/sc3_1427\.so
-+.br
-+ /usr/lib/ladspa/sc4_1882\.so
-+.br
-+ /usr/lib/ladspa/se4_1883\.so
-+.br
-+ /usr/lib/libdivxdecore\.so\.0
-+.br
-+ /usr/lib/libdivxencore\.so\.0
-+.br
-+ /usr/lib/libstdc\+\+\.so\.2\.7\.2\.8
-+.br
-+ /usr/lib/ladspa/gverb_1216\.so
-+.br
-+ /usr/lib/security/pam_poldi\.so
-+.br
-+ /usr/lib/ladspa/fm_osc_1415\.so
-+.br
-+ /usr/zend/lib/apache2/libphp5\.so
-+.br
-+ /usr/lib/mozilla/plugins/nppdf\.so
-+.br
-+ /usr/lib/ladspa/notch_iir_1894\.so
-+.br
-+ /usr/lib/xchat/plugins/systray\.so
-+.br
-+ /usr/lib/ocaml/stublibs/dllnums\.so
-+.br
-+ /usr/lib/vlc/codec/libdmo_plugin\.so
-+.br
-+ /usr/lib/ladspa/butterworth_1902\.so
-+.br
-+ /usr/lib/ladspa/lowpass_iir_1891\.so
-+.br
-+ /usr/lib/ladspa/pitch_scale_1193\.so
-+.br
-+ /usr/lib/ladspa/pitch_scale_1194\.so
-+.br
-+ /usr/lib/ladspa/analogue_osc_1416\.so
-+.br
-+ /usr/lib/ladspa/bandpass_iir_1892\.so
-+.br
-+ /usr/lib/ladspa/highpass_iir_1890\.so
-+.br
-+ /usr/Zend/lib/ZendExtensionManager\.so
-+.br
-+ /opt/cisco-vpnclient/lib/libvpnapi\.so
-+.br
-+ /usr/lib/firefox/plugins/libractrl\.so
-+.br
-+ /usr/lib/ladspa/hermes_filter_1200\.so
-+.br
-+ /usr/lib/ladspa/bandpass_a_iir_1893\.so
-+.br
-+ /usr/lib/octagaplayer/libapplication\.so
-+.br
-+ /usr/lib/mozilla/plugins/libvlcplugin\.so
-+.br
-+ /usr/lib/vlc/codec/librealvideo_plugin\.so
-+.br
-+ /usr/lib/vlc/codec/librealaudio_plugin\.so
-+.br
-+ /usr/lib/xorg/modules/drivers/nvidia_drv\.o
-+.br
-+ /opt/novell/groupwise/client/lib/libgwapijni\.so\.1
-+.br
-+ /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so
-+.br
-+ /home/[^/]*/.*/plugins/nppdf\.so.*
-+.br
-+ /home/dwalsh/.*/plugins/nppdf\.so.*
-+.br
-+ /var/lib/xguest/home/xguest/.*/plugins/nppdf\.so.*
-+.br
-+
-+.br
-+.B user_home_type
-+
-+ all user home files
-+.br
-+
-+.br
-+.B usr_t
-+
-+ /usr/.*
-+.br
-+ /opt/.*
-+.br
-+ /emul/.*
-+.br
-+ /export(/.*)?
-+.br
-+ /usr/doc(/.*)?/lib(/.*)?
-+.br
-+ /usr/inclu.e(/.*)?
-+.br
-+ /usr/share/doc(/.*)?/README.*
-+.br
-+ /usr
-+.br
-+ /opt
-+.br
-+ /emul
-+.br
-+
-+.br
-+.B var_t
-+
-+ /nsr(/.*)?
-+.br
-+ /var/.*
-+.br
-+ /srv/.*
-+.br
-+ /var
-+.br
-+ /srv
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelink_cron_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the prelink_cron_system_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), prelink(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, prelink_cron_system_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/prelude_audisp_selinux.8 b/man/man8/prelude_audisp_selinux.8
-new file mode 100644
-index 0000000..18ba823
---- /dev/null
-+++ b/man/man8/prelude_audisp_selinux.8
-@@ -0,0 +1,107 @@
-+.TH "prelude_audisp_selinux" "8" "12-11-01" "prelude_audisp" "SELinux Policy documentation for prelude_audisp"
-+.SH "NAME"
-+prelude_audisp_selinux \- Security Enhanced Linux Policy for the prelude_audisp processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the prelude_audisp processes via flexible mandatory access control.
-+
-+The prelude_audisp processes execute with the prelude_audisp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep prelude_audisp_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The prelude_audisp_t SELinux type can be entered via the "prelude_audisp_exec_t" file type. The default entrypoint paths for the prelude_audisp_t domain are the following:"
-+
-+/sbin/audisp-prelude, /usr/sbin/audisp-prelude
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux prelude_audisp policy is very flexible allowing users to setup their prelude_audisp processes in as secure a method as possible.
-+.PP
-+The following process types are defined for prelude_audisp:
-+
-+.EX
-+.B prelude_audisp_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux prelude_audisp policy is very flexible allowing users to setup their prelude_audisp processes in as secure a method as possible.
-+.PP
-+The following file types are defined for prelude_audisp:
-+
-+
-+.EX
-+.PP
-+.B prelude_audisp_exec_t
-+.EE
-+
-+- Set files with the prelude_audisp_exec_t type, if you want to transition an executable to the prelude_audisp_t domain.
-+
-+
-+.EX
-+.PP
-+.B prelude_audisp_var_run_t
-+.EE
-+
-+- Set files with the prelude_audisp_var_run_t type, if you want to store the prelude audisp files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type prelude_audisp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B prelude_spool_t
-+
-+ /var/spool/prelude(/.*)?
-+.br
-+ /var/spool/prelude-manager(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), prelude_audisp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, prelude_selinux(8), prelude_selinux(8), prelude_correlator_selinux(8), prelude_lml_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/prelude_correlator_selinux.8 b/man/man8/prelude_correlator_selinux.8
-new file mode 100644
-index 0000000..54cfb46
---- /dev/null
-+++ b/man/man8/prelude_correlator_selinux.8
-@@ -0,0 +1,107 @@
-+.TH "prelude_correlator_selinux" "8" "12-11-01" "prelude_correlator" "SELinux Policy documentation for prelude_correlator"
-+.SH "NAME"
-+prelude_correlator_selinux \- Security Enhanced Linux Policy for the prelude_correlator processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the prelude_correlator processes via flexible mandatory access control.
-+
-+The prelude_correlator processes execute with the prelude_correlator_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep prelude_correlator_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The prelude_correlator_t SELinux type can be entered via the "prelude_correlator_exec_t" file type. The default entrypoint paths for the prelude_correlator_t domain are the following:"
-+
-+/usr/bin/prelude-correlator
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux prelude_correlator policy is very flexible allowing users to setup their prelude_correlator processes in as secure a method as possible.
-+.PP
-+The following process types are defined for prelude_correlator:
-+
-+.EX
-+.B prelude_correlator_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux prelude_correlator policy is very flexible allowing users to setup their prelude_correlator processes in as secure a method as possible.
-+.PP
-+The following file types are defined for prelude_correlator:
-+
-+
-+.EX
-+.PP
-+.B prelude_correlator_config_t
-+.EE
-+
-+- Set files with the prelude_correlator_config_t type, if you want to treat the files as prelude correlator configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B prelude_correlator_exec_t
-+.EE
-+
-+- Set files with the prelude_correlator_exec_t type, if you want to transition an executable to the prelude_correlator_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type prelude_correlator_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B prelude_spool_t
-+
-+ /var/spool/prelude(/.*)?
-+.br
-+ /var/spool/prelude-manager(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), prelude_correlator(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, prelude_selinux(8), prelude_selinux(8), prelude_audisp_selinux(8), prelude_lml_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/prelude_lml_selinux.8 b/man/man8/prelude_lml_selinux.8
-new file mode 100644
-index 0000000..9d345c5
---- /dev/null
-+++ b/man/man8/prelude_lml_selinux.8
-@@ -0,0 +1,149 @@
-+.TH "prelude_lml_selinux" "8" "12-11-01" "prelude_lml" "SELinux Policy documentation for prelude_lml"
-+.SH "NAME"
-+prelude_lml_selinux \- Security Enhanced Linux Policy for the prelude_lml processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the prelude_lml processes via flexible mandatory access control.
-+
-+The prelude_lml processes execute with the prelude_lml_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep prelude_lml_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The prelude_lml_t SELinux type can be entered via the "prelude_lml_exec_t" file type. The default entrypoint paths for the prelude_lml_t domain are the following:"
-+
-+/usr/bin/prelude-lml
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux prelude_lml policy is very flexible allowing users to setup their prelude_lml processes in as secure a method as possible.
-+.PP
-+The following process types are defined for prelude_lml:
-+
-+.EX
-+.B prelude_lml_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux prelude_lml policy is very flexible allowing users to setup their prelude_lml processes in as secure a method as possible.
-+.PP
-+The following file types are defined for prelude_lml:
-+
-+
-+.EX
-+.PP
-+.B prelude_lml_exec_t
-+.EE
-+
-+- Set files with the prelude_lml_exec_t type, if you want to transition an executable to the prelude_lml_t domain.
-+
-+
-+.EX
-+.PP
-+.B prelude_lml_tmp_t
-+.EE
-+
-+- Set files with the prelude_lml_tmp_t type, if you want to store prelude lml temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B prelude_lml_var_run_t
-+.EE
-+
-+- Set files with the prelude_lml_var_run_t type, if you want to store the prelude lml files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type prelude_lml_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B prelude_lml_tmp_t
-+
-+
-+.br
-+.B prelude_lml_var_run_t
-+
-+ /var/run/prelude-lml.pid
-+.br
-+
-+.br
-+.B prelude_spool_t
-+
-+ /var/spool/prelude(/.*)?
-+.br
-+ /var/spool/prelude-manager(/.*)?
-+.br
-+
-+.br
-+.B prelude_var_lib_t
-+
-+ /var/lib/prelude-lml(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelude_lml_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the prelude_lml_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), prelude_lml(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, prelude_selinux(8), prelude_selinux(8), prelude_audisp_selinux(8), prelude_correlator_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/prelude_selinux.8 b/man/man8/prelude_selinux.8
-new file mode 100644
-index 0000000..8ad755d
---- /dev/null
-+++ b/man/man8/prelude_selinux.8
-@@ -0,0 +1,259 @@
-+.TH "prelude_selinux" "8" "12-11-01" "prelude" "SELinux Policy documentation for prelude"
-+.SH "NAME"
-+prelude_selinux \- Security Enhanced Linux Policy for the prelude processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the prelude processes via flexible mandatory access control.
-+
-+The prelude processes execute with the prelude_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep prelude_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The prelude_t SELinux type can be entered via the "prelude_exec_t" file type. The default entrypoint paths for the prelude_t domain are the following:"
-+
-+/usr/bin/prelude-manager
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux prelude policy is very flexible allowing users to setup their prelude processes in as secure a method as possible.
-+.PP
-+The following process types are defined for prelude:
-+
-+.EX
-+.B prelude_lml_t, prelude_t, prelude_audisp_t, prelude_correlator_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux prelude policy is very flexible allowing users to setup their prelude processes in as secure a method as possible.
-+.PP
-+The following file types are defined for prelude:
-+
-+
-+.EX
-+.PP
-+.B prelude_audisp_exec_t
-+.EE
-+
-+- Set files with the prelude_audisp_exec_t type, if you want to transition an executable to the prelude_audisp_t domain.
-+
-+
-+.EX
-+.PP
-+.B prelude_audisp_var_run_t
-+.EE
-+
-+- Set files with the prelude_audisp_var_run_t type, if you want to store the prelude audisp files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B prelude_correlator_config_t
-+.EE
-+
-+- Set files with the prelude_correlator_config_t type, if you want to treat the files as prelude correlator configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B prelude_correlator_exec_t
-+.EE
-+
-+- Set files with the prelude_correlator_exec_t type, if you want to transition an executable to the prelude_correlator_t domain.
-+
-+
-+.EX
-+.PP
-+.B prelude_exec_t
-+.EE
-+
-+- Set files with the prelude_exec_t type, if you want to transition an executable to the prelude_t domain.
-+
-+
-+.EX
-+.PP
-+.B prelude_initrc_exec_t
-+.EE
-+
-+- Set files with the prelude_initrc_exec_t type, if you want to transition an executable to the prelude_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B prelude_lml_exec_t
-+.EE
-+
-+- Set files with the prelude_lml_exec_t type, if you want to transition an executable to the prelude_lml_t domain.
-+
-+
-+.EX
-+.PP
-+.B prelude_lml_tmp_t
-+.EE
-+
-+- Set files with the prelude_lml_tmp_t type, if you want to store prelude lml temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B prelude_lml_var_run_t
-+.EE
-+
-+- Set files with the prelude_lml_var_run_t type, if you want to store the prelude lml files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B prelude_log_t
-+.EE
-+
-+- Set files with the prelude_log_t type, if you want to treat the data as prelude log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B prelude_spool_t
-+.EE
-+
-+- Set files with the prelude_spool_t type, if you want to store the prelude files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B prelude_var_lib_t
-+.EE
-+
-+- Set files with the prelude_var_lib_t type, if you want to store the prelude files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B prelude_var_run_t
-+.EE
-+
-+- Set files with the prelude_var_run_t type, if you want to store the prelude files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux prelude policy is very flexible allowing users to setup their prelude processes in as secure a method as possible.
-+.PP
-+The following port types are defined for prelude:
-+
-+.EX
-+.TP 5
-+.B prelude_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 4690
-+.EE
-+udp 4690
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type prelude_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B prelude_log_t
-+
-+ /var/log/prelude.*
-+.br
-+
-+.br
-+.B prelude_spool_t
-+
-+ /var/spool/prelude(/.*)?
-+.br
-+ /var/spool/prelude-manager(/.*)?
-+.br
-+
-+.br
-+.B prelude_var_lib_t
-+
-+ /var/lib/prelude-lml(/.*)?
-+.br
-+
-+.br
-+.B prelude_var_run_t
-+
-+ /var/run/prelude-manager(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelude_lml_t, prelude_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the prelude_lml_t, prelude_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), prelude(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, prelude_audisp_selinux(8), prelude_correlator_selinux(8), prelude_lml_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/privoxy_selinux.8 b/man/man8/privoxy_selinux.8
-new file mode 100644
-index 0000000..f7a88d0
---- /dev/null
-+++ b/man/man8/privoxy_selinux.8
-@@ -0,0 +1,174 @@
-+.TH "privoxy_selinux" "8" "12-11-01" "privoxy" "SELinux Policy documentation for privoxy"
-+.SH "NAME"
-+privoxy_selinux \- Security Enhanced Linux Policy for the privoxy processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the privoxy processes via flexible mandatory access control.
-+
-+The privoxy processes execute with the privoxy_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep privoxy_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The privoxy_t SELinux type can be entered via the "privoxy_exec_t" file type. The default entrypoint paths for the privoxy_t domain are the following:"
-+
-+/usr/sbin/privoxy
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux privoxy policy is very flexible allowing users to setup their privoxy processes in as secure a method as possible.
-+.PP
-+The following process types are defined for privoxy:
-+
-+.EX
-+.B privoxy_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. privoxy policy is extremely flexible and has several booleans that allow you to manipulate the policy and run privoxy with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the privoxy_connect_any boolean.
-+
-+.EX
-+.B setsebool -P privoxy_connect_any 1
-+.EE
-+
-+.PP
-+If you want to allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the privoxy_connect_any boolean.
-+
-+.EX
-+.B setsebool -P privoxy_connect_any 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux privoxy policy is very flexible allowing users to setup their privoxy processes in as secure a method as possible.
-+.PP
-+The following file types are defined for privoxy:
-+
-+
-+.EX
-+.PP
-+.B privoxy_etc_rw_t
-+.EE
-+
-+- Set files with the privoxy_etc_rw_t type, if you want to treat the files as privoxy etc read/write content.
-+
-+
-+.EX
-+.PP
-+.B privoxy_exec_t
-+.EE
-+
-+- Set files with the privoxy_exec_t type, if you want to transition an executable to the privoxy_t domain.
-+
-+
-+.EX
-+.PP
-+.B privoxy_initrc_exec_t
-+.EE
-+
-+- Set files with the privoxy_initrc_exec_t type, if you want to transition an executable to the privoxy_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B privoxy_log_t
-+.EE
-+
-+- Set files with the privoxy_log_t type, if you want to treat the data as privoxy log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B privoxy_var_run_t
-+.EE
-+
-+- Set files with the privoxy_var_run_t type, if you want to store the privoxy files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type privoxy_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B privoxy_etc_rw_t
-+
-+ /etc/privoxy/[^/]*\.action
-+.br
-+
-+.br
-+.B privoxy_log_t
-+
-+ /var/log/privoxy(/.*)?
-+.br
-+
-+.br
-+.B privoxy_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the privoxy_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the privoxy_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), privoxy(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/procmail_selinux.8 b/man/man8/procmail_selinux.8
-new file mode 100644
-index 0000000..12bd0d0
---- /dev/null
-+++ b/man/man8/procmail_selinux.8
-@@ -0,0 +1,180 @@
-+.TH "procmail_selinux" "8" "12-11-01" "procmail" "SELinux Policy documentation for procmail"
-+.SH "NAME"
-+procmail_selinux \- Security Enhanced Linux Policy for the procmail processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the procmail processes via flexible mandatory access control.
-+
-+The procmail processes execute with the procmail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep procmail_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The procmail_t SELinux type can be entered via the "procmail_exec_t" file type. The default entrypoint paths for the procmail_t domain are the following:"
-+
-+/usr/bin/procmail
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux procmail policy is very flexible allowing users to setup their procmail processes in as secure a method as possible.
-+.PP
-+The following process types are defined for procmail:
-+
-+.EX
-+.B procmail_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux procmail policy is very flexible allowing users to setup their procmail processes in as secure a method as possible.
-+.PP
-+The following file types are defined for procmail:
-+
-+
-+.EX
-+.PP
-+.B procmail_exec_t
-+.EE
-+
-+- Set files with the procmail_exec_t type, if you want to transition an executable to the procmail_t domain.
-+
-+
-+.EX
-+.PP
-+.B procmail_home_t
-+.EE
-+
-+- Set files with the procmail_home_t type, if you want to store procmail files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B procmail_log_t
-+.EE
-+
-+- Set files with the procmail_log_t type, if you want to treat the data as procmail log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B procmail_tmp_t
-+.EE
-+
-+- Set files with the procmail_tmp_t type, if you want to store procmail temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type procmail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B data_home_t
-+
-+ /root/\.local/share(/.*)?
-+.br
-+ /home/[^/]*/\.local/share(/.*)?
-+.br
-+ /home/dwalsh/\.local/share(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.local/share(/.*)?
-+.br
-+
-+.br
-+.B mail_home_rw_t
-+
-+ /root/Maildir(/.*)?
-+.br
-+ /home/[^/]*/Maildir(/.*)?
-+.br
-+ /home/dwalsh/Maildir(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/Maildir(/.*)?
-+.br
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.br
-+.B procmail_tmp_t
-+
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the procmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the procmail_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), procmail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/psad_selinux.8 b/man/man8/psad_selinux.8
-new file mode 100644
-index 0000000..ce2de13
---- /dev/null
-+++ b/man/man8/psad_selinux.8
-@@ -0,0 +1,168 @@
-+.TH "psad_selinux" "8" "12-11-01" "psad" "SELinux Policy documentation for psad"
-+.SH "NAME"
-+psad_selinux \- Security Enhanced Linux Policy for the psad processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the psad processes via flexible mandatory access control.
-+
-+The psad processes execute with the psad_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep psad_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The psad_t SELinux type can be entered via the "psad_exec_t" file type. The default entrypoint paths for the psad_t domain are the following:"
-+
-+/usr/sbin/psad
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux psad policy is very flexible allowing users to setup their psad processes in as secure a method as possible.
-+.PP
-+The following process types are defined for psad:
-+
-+.EX
-+.B psad_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux psad policy is very flexible allowing users to setup their psad processes in as secure a method as possible.
-+.PP
-+The following file types are defined for psad:
-+
-+
-+.EX
-+.PP
-+.B psad_etc_t
-+.EE
-+
-+- Set files with the psad_etc_t type, if you want to store psad files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B psad_exec_t
-+.EE
-+
-+- Set files with the psad_exec_t type, if you want to transition an executable to the psad_t domain.
-+
-+
-+.EX
-+.PP
-+.B psad_initrc_exec_t
-+.EE
-+
-+- Set files with the psad_initrc_exec_t type, if you want to transition an executable to the psad_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B psad_tmp_t
-+.EE
-+
-+- Set files with the psad_tmp_t type, if you want to store psad temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B psad_var_lib_t
-+.EE
-+
-+- Set files with the psad_var_lib_t type, if you want to store the psad files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B psad_var_log_t
-+.EE
-+
-+- Set files with the psad_var_log_t type, if you want to treat the data as psad var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B psad_var_run_t
-+.EE
-+
-+- Set files with the psad_var_run_t type, if you want to store the psad files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type psad_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B psad_tmp_t
-+
-+
-+.br
-+.B psad_var_log_t
-+
-+ /var/log/psad(/.*)?
-+.br
-+
-+.br
-+.B psad_var_run_t
-+
-+ /var/run/psad(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the psad_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the psad_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), psad(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ptal_selinux.8 b/man/man8/ptal_selinux.8
-new file mode 100644
-index 0000000..aa2365a
---- /dev/null
-+++ b/man/man8/ptal_selinux.8
-@@ -0,0 +1,140 @@
-+.TH "ptal_selinux" "8" "12-11-01" "ptal" "SELinux Policy documentation for ptal"
-+.SH "NAME"
-+ptal_selinux \- Security Enhanced Linux Policy for the ptal processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ptal processes via flexible mandatory access control.
-+
-+The ptal processes execute with the ptal_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ptal_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ptal_t SELinux type can be entered via the "ptal_exec_t" file type. The default entrypoint paths for the ptal_t domain are the following:"
-+
-+/usr/sbin/ptal-mlcd, /usr/sbin/ptal-printd, /usr/sbin/ptal-photod
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ptal policy is very flexible allowing users to setup their ptal processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ptal:
-+
-+.EX
-+.B ptal_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ptal policy is very flexible allowing users to setup their ptal processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ptal:
-+
-+
-+.EX
-+.PP
-+.B ptal_etc_t
-+.EE
-+
-+- Set files with the ptal_etc_t type, if you want to store ptal files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B ptal_exec_t
-+.EE
-+
-+- Set files with the ptal_exec_t type, if you want to transition an executable to the ptal_t domain.
-+
-+
-+.EX
-+.PP
-+.B ptal_var_run_t
-+.EE
-+
-+- Set files with the ptal_var_run_t type, if you want to store the ptal files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux ptal policy is very flexible allowing users to setup their ptal processes in as secure a method as possible.
-+.PP
-+The following port types are defined for ptal:
-+
-+.EX
-+.TP 5
-+.B ptal_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 5703
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ptal_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ptal_var_run_t
-+
-+ /var/run/ptal-mlcd(/.*)?
-+.br
-+ /var/run/ptal-printd(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ptal(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ptchown_selinux.8 b/man/man8/ptchown_selinux.8
-new file mode 100644
-index 0000000..31e96e1
---- /dev/null
-+++ b/man/man8/ptchown_selinux.8
-@@ -0,0 +1,94 @@
-+.TH "ptchown_selinux" "8" "12-11-01" "ptchown" "SELinux Policy documentation for ptchown"
-+.SH "NAME"
-+ptchown_selinux \- Security Enhanced Linux Policy for the ptchown processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ptchown processes via flexible mandatory access control.
-+
-+The ptchown processes execute with the ptchown_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ptchown_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ptchown_t SELinux type can be entered via the "ptchown_exec_t" file type. The default entrypoint paths for the ptchown_t domain are the following:"
-+
-+/usr/libexec/pt_chown
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ptchown policy is very flexible allowing users to setup their ptchown processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ptchown:
-+
-+.EX
-+.B ptchown_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ptchown policy is very flexible allowing users to setup their ptchown processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ptchown:
-+
-+
-+.EX
-+.PP
-+.B ptchown_exec_t
-+.EE
-+
-+- Set files with the ptchown_exec_t type, if you want to transition an executable to the ptchown_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ptchown_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ptchown(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/publicfile_selinux.8 b/man/man8/publicfile_selinux.8
-new file mode 100644
-index 0000000..6021aa7
---- /dev/null
-+++ b/man/man8/publicfile_selinux.8
-@@ -0,0 +1,94 @@
-+.TH "publicfile_selinux" "8" "12-11-01" "publicfile" "SELinux Policy documentation for publicfile"
-+.SH "NAME"
-+publicfile_selinux \- Security Enhanced Linux Policy for the publicfile processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the publicfile processes via flexible mandatory access control.
-+
-+The publicfile processes execute with the publicfile_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep publicfile_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The publicfile_t SELinux type can be entered via the "publicfile_exec_t" file type. The default entrypoint paths for the publicfile_t domain are the following:"
-+
-+/usr/bin/ftpd, /usr/bin/httpd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux publicfile policy is very flexible allowing users to setup their publicfile processes in as secure a method as possible.
-+.PP
-+The following process types are defined for publicfile:
-+
-+.EX
-+.B publicfile_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux publicfile policy is very flexible allowing users to setup their publicfile processes in as secure a method as possible.
-+.PP
-+The following file types are defined for publicfile:
-+
-+
-+.EX
-+.PP
-+.B publicfile_content_t
-+.EE
-+
-+- Set files with the publicfile_content_t type, if you want to treat the files as publicfile content.
-+
-+
-+.EX
-+.PP
-+.B publicfile_exec_t
-+.EE
-+
-+- Set files with the publicfile_exec_t type, if you want to transition an executable to the publicfile_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), publicfile(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/pulseaudio_selinux.8 b/man/man8/pulseaudio_selinux.8
-new file mode 100644
-index 0000000..f889102
---- /dev/null
-+++ b/man/man8/pulseaudio_selinux.8
-@@ -0,0 +1,300 @@
-+.TH "pulseaudio_selinux" "8" "12-11-01" "pulseaudio" "SELinux Policy documentation for pulseaudio"
-+.SH "NAME"
-+pulseaudio_selinux \- Security Enhanced Linux Policy for the pulseaudio processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pulseaudio processes via flexible mandatory access control.
-+
-+The pulseaudio processes execute with the pulseaudio_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pulseaudio_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pulseaudio_t SELinux type can be entered via the "pulseaudio_exec_t" file type. The default entrypoint paths for the pulseaudio_t domain are the following:"
-+
-+/usr/bin/pulseaudio
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pulseaudio policy is very flexible allowing users to setup their pulseaudio processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pulseaudio:
-+
-+.EX
-+.B pulseaudio_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pulseaudio policy is very flexible allowing users to setup their pulseaudio processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pulseaudio:
-+
-+
-+.EX
-+.PP
-+.B pulseaudio_exec_t
-+.EE
-+
-+- Set files with the pulseaudio_exec_t type, if you want to transition an executable to the pulseaudio_t domain.
-+
-+
-+.EX
-+.PP
-+.B pulseaudio_home_t
-+.EE
-+
-+- Set files with the pulseaudio_home_t type, if you want to store pulseaudio files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B pulseaudio_tmpfs_t
-+.EE
-+
-+- Set files with the pulseaudio_tmpfs_t type, if you want to store pulseaudio files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B pulseaudio_var_lib_t
-+.EE
-+
-+- Set files with the pulseaudio_var_lib_t type, if you want to store the pulseaudio files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B pulseaudio_var_run_t
-+.EE
-+
-+- Set files with the pulseaudio_var_run_t type, if you want to store the pulseaudio files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux pulseaudio policy is very flexible allowing users to setup their pulseaudio processes in as secure a method as possible.
-+.PP
-+The following port types are defined for pulseaudio:
-+
-+.EX
-+.TP 5
-+.B pulseaudio_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 4713
-+.EE
-+udp 4713
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type pulseaudio_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B gstreamer_home_t
-+
-+ /var/run/user/[^/]*/\.orc(/.*)?
-+.br
-+ /root/\.gstreamer-.*
-+.br
-+ /home/[^/]*/\.orc(/.*)?
-+.br
-+ /home/[^/]*/\.gstreamer-.*
-+.br
-+ /home/[^/]*/\.grl-bookmarks
-+.br
-+ /home/[^/]*/\.grl-bookmarks
-+.br
-+ /home/[^/]*/\.grl-metadata-store
-+.br
-+ /home/dwalsh/\.orc(/.*)?
-+.br
-+ /home/dwalsh/\.gstreamer-.*
-+.br
-+ /home/dwalsh/\.grl-bookmarks
-+.br
-+ /home/dwalsh/\.grl-bookmarks
-+.br
-+ /home/dwalsh/\.grl-metadata-store
-+.br
-+ /var/lib/xguest/home/xguest/\.orc(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.gstreamer-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.grl-bookmarks
-+.br
-+ /var/lib/xguest/home/xguest/\.grl-bookmarks
-+.br
-+ /var/lib/xguest/home/xguest/\.grl-metadata-store
-+.br
-+
-+.br
-+.B pulseaudio_home_t
-+
-+ /root/\.pulse(/.*)?
-+.br
-+ /root/\.esd_auth
-+.br
-+ /root/\.pulse-cookie
-+.br
-+ /home/[^/]*/\.pulse(/.*)?
-+.br
-+ /home/[^/]*/\.esd_auth
-+.br
-+ /home/[^/]*/\.pulse-cookie
-+.br
-+ /home/dwalsh/\.pulse(/.*)?
-+.br
-+ /home/dwalsh/\.esd_auth
-+.br
-+ /home/dwalsh/\.pulse-cookie
-+.br
-+ /var/lib/xguest/home/xguest/\.pulse(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.esd_auth
-+.br
-+ /var/lib/xguest/home/xguest/\.pulse-cookie
-+.br
-+
-+.br
-+.B pulseaudio_var_lib_t
-+
-+ /var/lib/pulse(/.*)?
-+.br
-+
-+.br
-+.B pulseaudio_var_run_t
-+
-+ /var/run/pulse(/.*)?
-+.br
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B user_tmp_type
-+
-+ all user tmp files
-+.br
-+
-+.br
-+.B user_tmpfs_type
-+
-+ all user content in tmpfs file systems
-+.br
-+
-+.br
-+.B virt_tmpfs_type
-+
-+
-+.br
-+.B xdm_tmp_t
-+
-+ /tmp/\.X11-unix(/.*)?
-+.br
-+ /tmp/\.ICE-unix(/.*)?
-+.br
-+ /tmp/\.X0-lock
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pulseaudio_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the pulseaudio_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pulseaudio(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/puppet_selinux.8 b/man/man8/puppet_selinux.8
-new file mode 100644
-index 0000000..1e449cb
---- /dev/null
-+++ b/man/man8/puppet_selinux.8
-@@ -0,0 +1,368 @@
-+.TH "puppet_selinux" "8" "12-11-01" "puppet" "SELinux Policy documentation for puppet"
-+.SH "NAME"
-+puppet_selinux \- Security Enhanced Linux Policy for the puppet processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the puppet processes via flexible mandatory access control.
-+
-+The puppet processes execute with the puppet_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep puppet_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The puppet_t SELinux type can be entered via the "puppet_exec_t" file type. The default entrypoint paths for the puppet_t domain are the following:"
-+
-+/usr/sbin/puppetd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux puppet policy is very flexible allowing users to setup their puppet processes in as secure a method as possible.
-+.PP
-+The following process types are defined for puppet:
-+
-+.EX
-+.B puppet_t, puppetmaster_t, puppetca_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. puppet policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppet with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean.
-+
-+.EX
-+.B setsebool -P puppetmaster_use_db 1
-+.EE
-+
-+.PP
-+If you want to allow Puppet client to manage all file types, you must turn on the puppet_manage_all_files boolean.
-+
-+.EX
-+.B setsebool -P puppet_manage_all_files 1
-+.EE
-+
-+.PP
-+If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean.
-+
-+.EX
-+.B setsebool -P puppetmaster_use_db 1
-+.EE
-+
-+.PP
-+If you want to allow Puppet client to manage all file types, you must turn on the puppet_manage_all_files boolean.
-+
-+.EX
-+.B setsebool -P puppet_manage_all_files 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux puppet policy is very flexible allowing users to setup their puppet processes in as secure a method as possible.
-+.PP
-+The following file types are defined for puppet:
-+
-+
-+.EX
-+.PP
-+.B puppet_etc_t
-+.EE
-+
-+- Set files with the puppet_etc_t type, if you want to store puppet files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B puppet_exec_t
-+.EE
-+
-+- Set files with the puppet_exec_t type, if you want to transition an executable to the puppet_t domain.
-+
-+
-+.EX
-+.PP
-+.B puppet_initrc_exec_t
-+.EE
-+
-+- Set files with the puppet_initrc_exec_t type, if you want to transition an executable to the puppet_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B puppet_log_t
-+.EE
-+
-+- Set files with the puppet_log_t type, if you want to treat the data as puppet log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B puppet_tmp_t
-+.EE
-+
-+- Set files with the puppet_tmp_t type, if you want to store puppet temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B puppet_var_lib_t
-+.EE
-+
-+- Set files with the puppet_var_lib_t type, if you want to store the puppet files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B puppet_var_run_t
-+.EE
-+
-+- Set files with the puppet_var_run_t type, if you want to store the puppet files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B puppetca_exec_t
-+.EE
-+
-+- Set files with the puppetca_exec_t type, if you want to transition an executable to the puppetca_t domain.
-+
-+
-+.EX
-+.PP
-+.B puppetmaster_exec_t
-+.EE
-+
-+- Set files with the puppetmaster_exec_t type, if you want to transition an executable to the puppetmaster_t domain.
-+
-+
-+.EX
-+.PP
-+.B puppetmaster_initrc_exec_t
-+.EE
-+
-+- Set files with the puppetmaster_initrc_exec_t type, if you want to transition an executable to the puppetmaster_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B puppetmaster_tmp_t
-+.EE
-+
-+- Set files with the puppetmaster_tmp_t type, if you want to store puppetmaster temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux puppet policy is very flexible allowing users to setup their puppet processes in as secure a method as possible.
-+.PP
-+The following port types are defined for puppet:
-+
-+.EX
-+.TP 5
-+.B puppet_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 8140
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type puppet_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B boolean_type
-+
-+
-+.br
-+.B configfile
-+
-+
-+.br
-+.B etc_t
-+
-+ /etc/.*
-+.br
-+ /var/db/.*\.db
-+.br
-+ /usr/etc(/.*)?
-+.br
-+ /var/ftp/etc(/.*)?
-+.br
-+ /var/lib/openshift/.limits.d(/.*)?
-+.br
-+ /var/lib/openshift/.openshift-proxy.d(/.*)?
-+.br
-+ /var/lib/openshift/.stickshift-proxy.d(/.*)?
-+.br
-+ /var/lib/stickshift/.limits.d(/.*)?
-+.br
-+ /var/lib/stickshift/.stickshift-proxy.d(/.*)?
-+.br
-+ /var/named/chroot/etc(/.*)?
-+.br
-+ /etc/ipsec\.d/examples(/.*)?
-+.br
-+ /var/spool/postfix/etc(/.*)?
-+.br
-+ /etc
-+.br
-+ /etc/cups/client\.conf
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B krb5_keytab_t
-+
-+ /etc/krb5\.keytab
-+.br
-+ /etc/krb5kdc/kadm5\.keytab
-+.br
-+ /var/kerberos/krb5kdc/kadm5\.keytab
-+.br
-+
-+.br
-+.B puppet_tmp_t
-+
-+
-+.br
-+.B puppet_var_lib_t
-+
-+ /var/lib/puppet(/.*)?
-+.br
-+
-+.br
-+.B puppet_var_run_t
-+
-+ /var/run/puppet(/.*)?
-+.br
-+
-+.br
-+.B rpm_log_t
-+
-+ /var/log/yum\.log.*
-+.br
-+
-+.br
-+.B rpm_var_lib_t
-+
-+ /var/lib/rpm(/.*)?
-+.br
-+ /var/lib/yum(/.*)?
-+.br
-+ /var/lib/PackageKit(/.*)?
-+.br
-+ /var/lib/alternatives(/.*)?
-+.br
-+
-+.br
-+.B var_t
-+
-+ /nsr(/.*)?
-+.br
-+ /var/.*
-+.br
-+ /srv/.*
-+.br
-+ /var
-+.br
-+ /srv
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the puppetmaster_t, puppet_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the puppetmaster_t, puppet_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), puppet(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), puppetca_selinux(8), puppetmaster_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/puppetca_selinux.8 b/man/man8/puppetca_selinux.8
-new file mode 100644
-index 0000000..b0b4381
---- /dev/null
-+++ b/man/man8/puppetca_selinux.8
-@@ -0,0 +1,103 @@
-+.TH "puppetca_selinux" "8" "12-11-01" "puppetca" "SELinux Policy documentation for puppetca"
-+.SH "NAME"
-+puppetca_selinux \- Security Enhanced Linux Policy for the puppetca processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the puppetca processes via flexible mandatory access control.
-+
-+The puppetca processes execute with the puppetca_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep puppetca_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The puppetca_t SELinux type can be entered via the "puppetca_exec_t" file type. The default entrypoint paths for the puppetca_t domain are the following:"
-+
-+/usr/sbin/puppetca
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux puppetca policy is very flexible allowing users to setup their puppetca processes in as secure a method as possible.
-+.PP
-+The following process types are defined for puppetca:
-+
-+.EX
-+.B puppetca_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux puppetca policy is very flexible allowing users to setup their puppetca processes in as secure a method as possible.
-+.PP
-+The following file types are defined for puppetca:
-+
-+
-+.EX
-+.PP
-+.B puppetca_exec_t
-+.EE
-+
-+- Set files with the puppetca_exec_t type, if you want to transition an executable to the puppetca_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type puppetca_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B puppet_var_lib_t
-+
-+ /var/lib/puppet(/.*)?
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), puppetca(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, puppet_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/puppetmaster_selinux.8 b/man/man8/puppetmaster_selinux.8
-new file mode 100644
-index 0000000..83d8f60
---- /dev/null
-+++ b/man/man8/puppetmaster_selinux.8
-@@ -0,0 +1,170 @@
-+.TH "puppetmaster_selinux" "8" "12-11-01" "puppetmaster" "SELinux Policy documentation for puppetmaster"
-+.SH "NAME"
-+puppetmaster_selinux \- Security Enhanced Linux Policy for the puppetmaster processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the puppetmaster processes via flexible mandatory access control.
-+
-+The puppetmaster processes execute with the puppetmaster_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep puppetmaster_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The puppetmaster_t SELinux type can be entered via the "puppetmaster_exec_t" file type. The default entrypoint paths for the puppetmaster_t domain are the following:"
-+
-+/usr/sbin/puppetmasterd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux puppetmaster policy is very flexible allowing users to setup their puppetmaster processes in as secure a method as possible.
-+.PP
-+The following process types are defined for puppetmaster:
-+
-+.EX
-+.B puppetmaster_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. puppetmaster policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppetmaster with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean.
-+
-+.EX
-+.B setsebool -P puppetmaster_use_db 1
-+.EE
-+
-+.PP
-+If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean.
-+
-+.EX
-+.B setsebool -P puppetmaster_use_db 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux puppetmaster policy is very flexible allowing users to setup their puppetmaster processes in as secure a method as possible.
-+.PP
-+The following file types are defined for puppetmaster:
-+
-+
-+.EX
-+.PP
-+.B puppetmaster_exec_t
-+.EE
-+
-+- Set files with the puppetmaster_exec_t type, if you want to transition an executable to the puppetmaster_t domain.
-+
-+
-+.EX
-+.PP
-+.B puppetmaster_initrc_exec_t
-+.EE
-+
-+- Set files with the puppetmaster_initrc_exec_t type, if you want to transition an executable to the puppetmaster_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B puppetmaster_tmp_t
-+.EE
-+
-+- Set files with the puppetmaster_tmp_t type, if you want to store puppetmaster temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type puppetmaster_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B puppet_log_t
-+
-+ /var/log/puppet(/.*)?
-+.br
-+
-+.br
-+.B puppet_var_lib_t
-+
-+ /var/lib/puppet(/.*)?
-+.br
-+
-+.br
-+.B puppet_var_run_t
-+
-+ /var/run/puppet(/.*)?
-+.br
-+
-+.br
-+.B puppetmaster_tmp_t
-+
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the puppetmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the puppetmaster_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), puppetmaster(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), puppet_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/pwauth_selinux.8 b/man/man8/pwauth_selinux.8
-new file mode 100644
-index 0000000..ce82d8a
---- /dev/null
-+++ b/man/man8/pwauth_selinux.8
-@@ -0,0 +1,118 @@
-+.TH "pwauth_selinux" "8" "12-11-01" "pwauth" "SELinux Policy documentation for pwauth"
-+.SH "NAME"
-+pwauth_selinux \- Security Enhanced Linux Policy for the pwauth processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pwauth processes via flexible mandatory access control.
-+
-+The pwauth processes execute with the pwauth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pwauth_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pwauth_t SELinux type can be entered via the "pwauth_exec_t" file type. The default entrypoint paths for the pwauth_t domain are the following:"
-+
-+/usr/bin/pwauth
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pwauth policy is very flexible allowing users to setup their pwauth processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pwauth:
-+
-+.EX
-+.B pwauth_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pwauth policy is very flexible allowing users to setup their pwauth processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pwauth:
-+
-+
-+.EX
-+.PP
-+.B pwauth_exec_t
-+.EE
-+
-+- Set files with the pwauth_exec_t type, if you want to transition an executable to the pwauth_t domain.
-+
-+
-+.EX
-+.PP
-+.B pwauth_var_run_t
-+.EE
-+
-+- Set files with the pwauth_var_run_t type, if you want to store the pwauth files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type pwauth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B pwauth_var_run_t
-+
-+ /var/run/pwauth.lock
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pwauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the pwauth_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pwauth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/pyicqt_selinux.8 b/man/man8/pyicqt_selinux.8
-new file mode 100644
-index 0000000..d92e759
---- /dev/null
-+++ b/man/man8/pyicqt_selinux.8
-@@ -0,0 +1,146 @@
-+.TH "pyicqt_selinux" "8" "12-11-01" "pyicqt" "SELinux Policy documentation for pyicqt"
-+.SH "NAME"
-+pyicqt_selinux \- Security Enhanced Linux Policy for the pyicqt processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the pyicqt processes via flexible mandatory access control.
-+
-+The pyicqt processes execute with the pyicqt_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep pyicqt_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The pyicqt_t SELinux type can be entered via the "pyicqt_exec_t" file type. The default entrypoint paths for the pyicqt_t domain are the following:"
-+
-+/usr/share/pyicq-t/PyICQt\.py
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux pyicqt policy is very flexible allowing users to setup their pyicqt processes in as secure a method as possible.
-+.PP
-+The following process types are defined for pyicqt:
-+
-+.EX
-+.B pyicqt_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux pyicqt policy is very flexible allowing users to setup their pyicqt processes in as secure a method as possible.
-+.PP
-+The following file types are defined for pyicqt:
-+
-+
-+.EX
-+.PP
-+.B pyicqt_exec_t
-+.EE
-+
-+- Set files with the pyicqt_exec_t type, if you want to transition an executable to the pyicqt_t domain.
-+
-+
-+.EX
-+.PP
-+.B pyicqt_log_t
-+.EE
-+
-+- Set files with the pyicqt_log_t type, if you want to treat the data as pyicqt log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B pyicqt_var_run_t
-+.EE
-+
-+- Set files with the pyicqt_var_run_t type, if you want to store the pyicqt files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B pyicqt_var_spool_t
-+.EE
-+
-+- Set files with the pyicqt_var_spool_t type, if you want to store the pyicqt var files under the /var/spool directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type pyicqt_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B pyicqt_log_t
-+
-+ /var/log/pyicq-t\.log.*
-+.br
-+
-+.br
-+.B pyicqt_var_run_t
-+
-+ /var/run/pyicq-t(/.*)?
-+.br
-+
-+.br
-+.B pyicqt_var_spool_t
-+
-+ /var/spool/pyicq-t(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pyicqt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the pyicqt_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), pyicqt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/qdiskd_selinux.8 b/man/man8/qdiskd_selinux.8
-new file mode 100644
-index 0000000..e6e2867
---- /dev/null
-+++ b/man/man8/qdiskd_selinux.8
-@@ -0,0 +1,164 @@
-+.TH "qdiskd_selinux" "8" "12-11-01" "qdiskd" "SELinux Policy documentation for qdiskd"
-+.SH "NAME"
-+qdiskd_selinux \- Security Enhanced Linux Policy for the qdiskd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qdiskd processes via flexible mandatory access control.
-+
-+The qdiskd processes execute with the qdiskd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qdiskd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qdiskd_t SELinux type can be entered via the "qdiskd_exec_t" file type. The default entrypoint paths for the qdiskd_t domain are the following:"
-+
-+/usr/sbin/qdiskd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qdiskd policy is very flexible allowing users to setup their qdiskd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qdiskd:
-+
-+.EX
-+.B qdiskd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qdiskd policy is very flexible allowing users to setup their qdiskd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qdiskd:
-+
-+
-+.EX
-+.PP
-+.B qdiskd_exec_t
-+.EE
-+
-+- Set files with the qdiskd_exec_t type, if you want to transition an executable to the qdiskd_t domain.
-+
-+
-+.EX
-+.PP
-+.B qdiskd_tmpfs_t
-+.EE
-+
-+- Set files with the qdiskd_tmpfs_t type, if you want to store qdiskd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B qdiskd_var_lib_t
-+.EE
-+
-+- Set files with the qdiskd_var_lib_t type, if you want to store the qdiskd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B qdiskd_var_log_t
-+.EE
-+
-+- Set files with the qdiskd_var_log_t type, if you want to treat the data as qdiskd var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B qdiskd_var_run_t
-+.EE
-+
-+- Set files with the qdiskd_var_run_t type, if you want to store the qdiskd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type qdiskd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cluster_var_lib_t
-+
-+ /var/lib/cluster(/.*)?
-+.br
-+
-+.br
-+.B qdiskd_tmpfs_t
-+
-+
-+.br
-+.B qdiskd_var_lib_t
-+
-+ /var/lib/qdiskd(/.*)?
-+.br
-+
-+.br
-+.B qdiskd_var_log_t
-+
-+ /var/log/cluster/qdiskd\.log.*
-+.br
-+
-+.br
-+.B qdiskd_var_run_t
-+
-+ /var/run/qdiskd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the qdiskd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the qdiskd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qdiskd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/qemu_dm_selinux.8 b/man/man8/qemu_dm_selinux.8
-new file mode 100644
-index 0000000..a367e12
---- /dev/null
-+++ b/man/man8/qemu_dm_selinux.8
-@@ -0,0 +1,94 @@
-+.TH "qemu_dm_selinux" "8" "12-11-01" "qemu_dm" "SELinux Policy documentation for qemu_dm"
-+.SH "NAME"
-+qemu_dm_selinux \- Security Enhanced Linux Policy for the qemu_dm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qemu_dm processes via flexible mandatory access control.
-+
-+The qemu_dm processes execute with the qemu_dm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qemu_dm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qemu_dm_t SELinux type can be entered via the "qemu_dm_exec_t" file type. The default entrypoint paths for the qemu_dm_t domain are the following:"
-+
-+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qemu_dm policy is very flexible allowing users to setup their qemu_dm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qemu_dm:
-+
-+.EX
-+.B qemu_dm_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qemu_dm policy is very flexible allowing users to setup their qemu_dm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qemu_dm:
-+
-+
-+.EX
-+.PP
-+.B qemu_dm_exec_t
-+.EE
-+
-+- Set files with the qemu_dm_exec_t type, if you want to transition an executable to the qemu_dm_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type qemu_dm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B xenfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qemu_dm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/qmail_clean_selinux.8 b/man/man8/qmail_clean_selinux.8
-new file mode 100644
-index 0000000..4688dbf
---- /dev/null
-+++ b/man/man8/qmail_clean_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "qmail_clean_selinux" "8" "12-11-01" "qmail_clean" "SELinux Policy documentation for qmail_clean"
-+.SH "NAME"
-+qmail_clean_selinux \- Security Enhanced Linux Policy for the qmail_clean processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qmail_clean processes via flexible mandatory access control.
-+
-+The qmail_clean processes execute with the qmail_clean_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qmail_clean_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qmail_clean_t SELinux type can be entered via the "qmail_clean_exec_t" file type. The default entrypoint paths for the qmail_clean_t domain are the following:"
-+
-+/var/qmail/bin/qmail-clean
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qmail_clean policy is very flexible allowing users to setup their qmail_clean processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qmail_clean:
-+
-+.EX
-+.B qmail_clean_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qmail_clean policy is very flexible allowing users to setup their qmail_clean processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qmail_clean:
-+
-+
-+.EX
-+.PP
-+.B qmail_clean_exec_t
-+.EE
-+
-+- Set files with the qmail_clean_exec_t type, if you want to transition an executable to the qmail_clean_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qmail_clean(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/qmail_inject_selinux.8 b/man/man8/qmail_inject_selinux.8
-new file mode 100644
-index 0000000..b61fe99
---- /dev/null
-+++ b/man/man8/qmail_inject_selinux.8
-@@ -0,0 +1,95 @@
-+.TH "qmail_inject_selinux" "8" "12-11-01" "qmail_inject" "SELinux Policy documentation for qmail_inject"
-+.SH "NAME"
-+qmail_inject_selinux \- Security Enhanced Linux Policy for the qmail_inject processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qmail_inject processes via flexible mandatory access control.
-+
-+The qmail_inject processes execute with the qmail_inject_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qmail_inject_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qmail_inject_t SELinux type can be entered via the "qmail_inject_exec_t" file type. The default entrypoint paths for the qmail_inject_t domain are the following:"
-+
-+/var/qmail/bin/qmail-inject
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qmail_inject policy is very flexible allowing users to setup their qmail_inject processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qmail_inject:
-+
-+.EX
-+.B qmail_inject_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qmail_inject policy is very flexible allowing users to setup their qmail_inject processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qmail_inject:
-+
-+
-+.EX
-+.PP
-+.B qmail_inject_exec_t
-+.EE
-+
-+- Set files with the qmail_inject_exec_t type, if you want to transition an executable to the qmail_inject_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type qmail_inject_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B arpwatch_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qmail_inject(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, qmail_clean_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/qmail_local_selinux.8 b/man/man8/qmail_local_selinux.8
-new file mode 100644
-index 0000000..923074e
---- /dev/null
-+++ b/man/man8/qmail_local_selinux.8
-@@ -0,0 +1,151 @@
-+.TH "qmail_local_selinux" "8" "12-11-01" "qmail_local" "SELinux Policy documentation for qmail_local"
-+.SH "NAME"
-+qmail_local_selinux \- Security Enhanced Linux Policy for the qmail_local processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qmail_local processes via flexible mandatory access control.
-+
-+The qmail_local processes execute with the qmail_local_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qmail_local_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qmail_local_t SELinux type can be entered via the "qmail_local_exec_t" file type. The default entrypoint paths for the qmail_local_t domain are the following:"
-+
-+/var/qmail/bin/qmail-local
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qmail_local policy is very flexible allowing users to setup their qmail_local processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qmail_local:
-+
-+.EX
-+.B qmail_local_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qmail_local policy is very flexible allowing users to setup their qmail_local processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qmail_local:
-+
-+
-+.EX
-+.PP
-+.B qmail_local_exec_t
-+.EE
-+
-+- Set files with the qmail_local_exec_t type, if you want to transition an executable to the qmail_local_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type qmail_local_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dovecot_spool_t
-+
-+ /var/spool/dovecot(/.*)?
-+.br
-+
-+.br
-+.B mail_home_rw_t
-+
-+ /root/Maildir(/.*)?
-+.br
-+ /home/[^/]*/Maildir(/.*)?
-+.br
-+ /home/dwalsh/Maildir(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/Maildir(/.*)?
-+.br
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.br
-+.B qmail_alias_home_t
-+
-+ /var/qmail/alias(/.*)?
-+.br
-+ /var/qmail/alias
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the qmail_local_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the qmail_local_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qmail_local(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/qmail_lspawn_selinux.8 b/man/man8/qmail_lspawn_selinux.8
-new file mode 100644
-index 0000000..7ac2a16
---- /dev/null
-+++ b/man/man8/qmail_lspawn_selinux.8
-@@ -0,0 +1,119 @@
-+.TH "qmail_lspawn_selinux" "8" "12-11-01" "qmail_lspawn" "SELinux Policy documentation for qmail_lspawn"
-+.SH "NAME"
-+qmail_lspawn_selinux \- Security Enhanced Linux Policy for the qmail_lspawn processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qmail_lspawn processes via flexible mandatory access control.
-+
-+The qmail_lspawn processes execute with the qmail_lspawn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qmail_lspawn_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qmail_lspawn_t SELinux type can be entered via the "qmail_lspawn_exec_t" file type. The default entrypoint paths for the qmail_lspawn_t domain are the following:"
-+
-+/var/qmail/bin/qmail-lspawn
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qmail_lspawn policy is very flexible allowing users to setup their qmail_lspawn processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qmail_lspawn:
-+
-+.EX
-+.B qmail_lspawn_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qmail_lspawn policy is very flexible allowing users to setup their qmail_lspawn processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qmail_lspawn:
-+
-+
-+.EX
-+.PP
-+.B qmail_lspawn_exec_t
-+.EE
-+
-+- Set files with the qmail_lspawn_exec_t type, if you want to transition an executable to the qmail_lspawn_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type qmail_lspawn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dovecot_spool_t
-+
-+ /var/spool/dovecot(/.*)?
-+.br
-+
-+.br
-+.B mail_home_rw_t
-+
-+ /root/Maildir(/.*)?
-+.br
-+ /home/[^/]*/Maildir(/.*)?
-+.br
-+ /home/dwalsh/Maildir(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/Maildir(/.*)?
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qmail_lspawn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/qmail_queue_selinux.8 b/man/man8/qmail_queue_selinux.8
-new file mode 100644
-index 0000000..473dcd0
---- /dev/null
-+++ b/man/man8/qmail_queue_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "qmail_queue_selinux" "8" "12-11-01" "qmail_queue" "SELinux Policy documentation for qmail_queue"
-+.SH "NAME"
-+qmail_queue_selinux \- Security Enhanced Linux Policy for the qmail_queue processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qmail_queue processes via flexible mandatory access control.
-+
-+The qmail_queue processes execute with the qmail_queue_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qmail_queue_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qmail_queue_t SELinux type can be entered via the "qmail_queue_exec_t" file type. The default entrypoint paths for the qmail_queue_t domain are the following:"
-+
-+/var/qmail/bin/qmail-queue
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qmail_queue policy is very flexible allowing users to setup their qmail_queue processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qmail_queue:
-+
-+.EX
-+.B qmail_queue_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qmail_queue policy is very flexible allowing users to setup their qmail_queue processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qmail_queue:
-+
-+
-+.EX
-+.PP
-+.B qmail_queue_exec_t
-+.EE
-+
-+- Set files with the qmail_queue_exec_t type, if you want to transition an executable to the qmail_queue_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type qmail_queue_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B arpwatch_tmp_t
-+
-+
-+.br
-+.B qmail_spool_t
-+
-+ /var/qmail/queue(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qmail_queue(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/qmail_remote_selinux.8 b/man/man8/qmail_remote_selinux.8
-new file mode 100644
-index 0000000..0760c51
---- /dev/null
-+++ b/man/man8/qmail_remote_selinux.8
-@@ -0,0 +1,97 @@
-+.TH "qmail_remote_selinux" "8" "12-11-01" "qmail_remote" "SELinux Policy documentation for qmail_remote"
-+.SH "NAME"
-+qmail_remote_selinux \- Security Enhanced Linux Policy for the qmail_remote processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qmail_remote processes via flexible mandatory access control.
-+
-+The qmail_remote processes execute with the qmail_remote_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qmail_remote_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qmail_remote_t SELinux type can be entered via the "qmail_remote_exec_t" file type. The default entrypoint paths for the qmail_remote_t domain are the following:"
-+
-+/var/qmail/bin/qmail-remote
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qmail_remote policy is very flexible allowing users to setup their qmail_remote processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qmail_remote:
-+
-+.EX
-+.B qmail_remote_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qmail_remote policy is very flexible allowing users to setup their qmail_remote processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qmail_remote:
-+
-+
-+.EX
-+.PP
-+.B qmail_remote_exec_t
-+.EE
-+
-+- Set files with the qmail_remote_exec_t type, if you want to transition an executable to the qmail_remote_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type qmail_remote_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B qmail_spool_t
-+
-+ /var/qmail/queue(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qmail_remote(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/qmail_rspawn_selinux.8 b/man/man8/qmail_rspawn_selinux.8
-new file mode 100644
-index 0000000..5c8ef31
---- /dev/null
-+++ b/man/man8/qmail_rspawn_selinux.8
-@@ -0,0 +1,97 @@
-+.TH "qmail_rspawn_selinux" "8" "12-11-01" "qmail_rspawn" "SELinux Policy documentation for qmail_rspawn"
-+.SH "NAME"
-+qmail_rspawn_selinux \- Security Enhanced Linux Policy for the qmail_rspawn processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qmail_rspawn processes via flexible mandatory access control.
-+
-+The qmail_rspawn processes execute with the qmail_rspawn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qmail_rspawn_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qmail_rspawn_t SELinux type can be entered via the "qmail_rspawn_exec_t" file type. The default entrypoint paths for the qmail_rspawn_t domain are the following:"
-+
-+/var/qmail/bin/qmail-rspawn
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qmail_rspawn policy is very flexible allowing users to setup their qmail_rspawn processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qmail_rspawn:
-+
-+.EX
-+.B qmail_rspawn_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qmail_rspawn policy is very flexible allowing users to setup their qmail_rspawn processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qmail_rspawn:
-+
-+
-+.EX
-+.PP
-+.B qmail_rspawn_exec_t
-+.EE
-+
-+- Set files with the qmail_rspawn_exec_t type, if you want to transition an executable to the qmail_rspawn_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type qmail_rspawn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B qmail_spool_t
-+
-+ /var/qmail/queue(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qmail_rspawn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/qmail_send_selinux.8 b/man/man8/qmail_send_selinux.8
-new file mode 100644
-index 0000000..2dd46dd
---- /dev/null
-+++ b/man/man8/qmail_send_selinux.8
-@@ -0,0 +1,97 @@
-+.TH "qmail_send_selinux" "8" "12-11-01" "qmail_send" "SELinux Policy documentation for qmail_send"
-+.SH "NAME"
-+qmail_send_selinux \- Security Enhanced Linux Policy for the qmail_send processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qmail_send processes via flexible mandatory access control.
-+
-+The qmail_send processes execute with the qmail_send_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qmail_send_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qmail_send_t SELinux type can be entered via the "qmail_send_exec_t" file type. The default entrypoint paths for the qmail_send_t domain are the following:"
-+
-+/var/qmail/bin/qmail-send
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qmail_send policy is very flexible allowing users to setup their qmail_send processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qmail_send:
-+
-+.EX
-+.B qmail_send_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qmail_send policy is very flexible allowing users to setup their qmail_send processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qmail_send:
-+
-+
-+.EX
-+.PP
-+.B qmail_send_exec_t
-+.EE
-+
-+- Set files with the qmail_send_exec_t type, if you want to transition an executable to the qmail_send_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type qmail_send_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B qmail_spool_t
-+
-+ /var/qmail/queue(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qmail_send(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/qmail_smtpd_selinux.8 b/man/man8/qmail_smtpd_selinux.8
-new file mode 100644
-index 0000000..9e7c3d8
---- /dev/null
-+++ b/man/man8/qmail_smtpd_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "qmail_smtpd_selinux" "8" "12-11-01" "qmail_smtpd" "SELinux Policy documentation for qmail_smtpd"
-+.SH "NAME"
-+qmail_smtpd_selinux \- Security Enhanced Linux Policy for the qmail_smtpd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qmail_smtpd processes via flexible mandatory access control.
-+
-+The qmail_smtpd processes execute with the qmail_smtpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qmail_smtpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qmail_smtpd_t SELinux type can be entered via the "qmail_smtpd_exec_t" file type. The default entrypoint paths for the qmail_smtpd_t domain are the following:"
-+
-+/var/qmail/bin/qmail-smtpd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qmail_smtpd policy is very flexible allowing users to setup their qmail_smtpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qmail_smtpd:
-+
-+.EX
-+.B qmail_smtpd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qmail_smtpd policy is very flexible allowing users to setup their qmail_smtpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qmail_smtpd:
-+
-+
-+.EX
-+.PP
-+.B qmail_smtpd_exec_t
-+.EE
-+
-+- Set files with the qmail_smtpd_exec_t type, if you want to transition an executable to the qmail_smtpd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qmail_smtpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/qmail_splogger_selinux.8 b/man/man8/qmail_splogger_selinux.8
-new file mode 100644
-index 0000000..4598efb
---- /dev/null
-+++ b/man/man8/qmail_splogger_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "qmail_splogger_selinux" "8" "12-11-01" "qmail_splogger" "SELinux Policy documentation for qmail_splogger"
-+.SH "NAME"
-+qmail_splogger_selinux \- Security Enhanced Linux Policy for the qmail_splogger processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qmail_splogger processes via flexible mandatory access control.
-+
-+The qmail_splogger processes execute with the qmail_splogger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qmail_splogger_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qmail_splogger_t SELinux type can be entered via the "qmail_splogger_exec_t" file type. The default entrypoint paths for the qmail_splogger_t domain are the following:"
-+
-+/var/qmail/bin/splogger
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qmail_splogger policy is very flexible allowing users to setup their qmail_splogger processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qmail_splogger:
-+
-+.EX
-+.B qmail_splogger_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qmail_splogger policy is very flexible allowing users to setup their qmail_splogger processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qmail_splogger:
-+
-+
-+.EX
-+.PP
-+.B qmail_splogger_exec_t
-+.EE
-+
-+- Set files with the qmail_splogger_exec_t type, if you want to transition an executable to the qmail_splogger_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qmail_splogger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/qmail_start_selinux.8 b/man/man8/qmail_start_selinux.8
-new file mode 100644
-index 0000000..ff8236b
---- /dev/null
-+++ b/man/man8/qmail_start_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "qmail_start_selinux" "8" "12-11-01" "qmail_start" "SELinux Policy documentation for qmail_start"
-+.SH "NAME"
-+qmail_start_selinux \- Security Enhanced Linux Policy for the qmail_start processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qmail_start processes via flexible mandatory access control.
-+
-+The qmail_start processes execute with the qmail_start_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qmail_start_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qmail_start_t SELinux type can be entered via the "qmail_start_exec_t" file type. The default entrypoint paths for the qmail_start_t domain are the following:"
-+
-+/var/qmail/bin/qmail-start
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qmail_start policy is very flexible allowing users to setup their qmail_start processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qmail_start:
-+
-+.EX
-+.B qmail_start_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qmail_start policy is very flexible allowing users to setup their qmail_start processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qmail_start:
-+
-+
-+.EX
-+.PP
-+.B qmail_start_exec_t
-+.EE
-+
-+- Set files with the qmail_start_exec_t type, if you want to transition an executable to the qmail_start_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qmail_start(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_tcp_env_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/qmail_tcp_env_selinux.8 b/man/man8/qmail_tcp_env_selinux.8
-new file mode 100644
-index 0000000..86b82a0
---- /dev/null
-+++ b/man/man8/qmail_tcp_env_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "qmail_tcp_env_selinux" "8" "12-11-01" "qmail_tcp_env" "SELinux Policy documentation for qmail_tcp_env"
-+.SH "NAME"
-+qmail_tcp_env_selinux \- Security Enhanced Linux Policy for the qmail_tcp_env processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qmail_tcp_env processes via flexible mandatory access control.
-+
-+The qmail_tcp_env processes execute with the qmail_tcp_env_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qmail_tcp_env_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qmail_tcp_env_t SELinux type can be entered via the "qmail_tcp_env_exec_t" file type. The default entrypoint paths for the qmail_tcp_env_t domain are the following:"
-+
-+/var/qmail/bin/tcp-env
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qmail_tcp_env policy is very flexible allowing users to setup their qmail_tcp_env processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qmail_tcp_env:
-+
-+.EX
-+.B qmail_tcp_env_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qmail_tcp_env policy is very flexible allowing users to setup their qmail_tcp_env processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qmail_tcp_env:
-+
-+
-+.EX
-+.PP
-+.B qmail_tcp_env_exec_t
-+.EE
-+
-+- Set files with the qmail_tcp_env_exec_t type, if you want to transition an executable to the qmail_tcp_env_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qmail_tcp_env(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/qpidd_selinux.8 b/man/man8/qpidd_selinux.8
-new file mode 100644
-index 0000000..0d185be
---- /dev/null
-+++ b/man/man8/qpidd_selinux.8
-@@ -0,0 +1,140 @@
-+.TH "qpidd_selinux" "8" "12-11-01" "qpidd" "SELinux Policy documentation for qpidd"
-+.SH "NAME"
-+qpidd_selinux \- Security Enhanced Linux Policy for the qpidd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the qpidd processes via flexible mandatory access control.
-+
-+The qpidd processes execute with the qpidd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep qpidd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The qpidd_t SELinux type can be entered via the "qpidd_exec_t" file type. The default entrypoint paths for the qpidd_t domain are the following:"
-+
-+/usr/sbin/qpidd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux qpidd policy is very flexible allowing users to setup their qpidd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for qpidd:
-+
-+.EX
-+.B qpidd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux qpidd policy is very flexible allowing users to setup their qpidd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for qpidd:
-+
-+
-+.EX
-+.PP
-+.B qpidd_exec_t
-+.EE
-+
-+- Set files with the qpidd_exec_t type, if you want to transition an executable to the qpidd_t domain.
-+
-+
-+.EX
-+.PP
-+.B qpidd_initrc_exec_t
-+.EE
-+
-+- Set files with the qpidd_initrc_exec_t type, if you want to transition an executable to the qpidd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B qpidd_tmpfs_t
-+.EE
-+
-+- Set files with the qpidd_tmpfs_t type, if you want to store qpidd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B qpidd_var_lib_t
-+.EE
-+
-+- Set files with the qpidd_var_lib_t type, if you want to store the qpidd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B qpidd_var_run_t
-+.EE
-+
-+- Set files with the qpidd_var_run_t type, if you want to store the qpidd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type qpidd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B qpidd_tmpfs_t
-+
-+
-+.br
-+.B qpidd_var_lib_t
-+
-+ /var/lib/qpidd(/.*)?
-+.br
-+
-+.br
-+.B qpidd_var_run_t
-+
-+ /var/run/qpidd(/.*)?
-+.br
-+ /var/run/qpidd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), qpidd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/quantum_selinux.8 b/man/man8/quantum_selinux.8
-new file mode 100644
-index 0000000..7ccd16b
---- /dev/null
-+++ b/man/man8/quantum_selinux.8
-@@ -0,0 +1,178 @@
-+.TH "quantum_selinux" "8" "12-11-01" "quantum" "SELinux Policy documentation for quantum"
-+.SH "NAME"
-+quantum_selinux \- Security Enhanced Linux Policy for the quantum processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the quantum processes via flexible mandatory access control.
-+
-+The quantum processes execute with the quantum_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep quantum_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The quantum_t SELinux type can be entered via the "quantum_exec_t" file type. The default entrypoint paths for the quantum_t domain are the following:"
-+
-+/usr/bin/quantum-server, /usr/bin/quantum-ryu-agent, /usr/bin/quantum-openvswitch-agent, /usr/bin/quantum-linuxbridge-agent
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible.
-+.PP
-+The following process types are defined for quantum:
-+
-+.EX
-+.B quantum_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible.
-+.PP
-+The following file types are defined for quantum:
-+
-+
-+.EX
-+.PP
-+.B quantum_exec_t
-+.EE
-+
-+- Set files with the quantum_exec_t type, if you want to transition an executable to the quantum_t domain.
-+
-+
-+.EX
-+.PP
-+.B quantum_log_t
-+.EE
-+
-+- Set files with the quantum_log_t type, if you want to treat the data as quantum log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B quantum_tmp_t
-+.EE
-+
-+- Set files with the quantum_tmp_t type, if you want to store quantum temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B quantum_unit_file_t
-+.EE
-+
-+- Set files with the quantum_unit_file_t type, if you want to treat the files as quantum unit content.
-+
-+
-+.EX
-+.PP
-+.B quantum_var_lib_t
-+.EE
-+
-+- Set files with the quantum_var_lib_t type, if you want to store the quantum files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible.
-+.PP
-+The following port types are defined for quantum:
-+
-+.EX
-+.TP 5
-+.B quantum_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 9696
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type quantum_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B quantum_log_t
-+
-+ /var/log/quantum(/.*)?
-+.br
-+
-+.br
-+.B quantum_tmp_t
-+
-+
-+.br
-+.B quantum_var_lib_t
-+
-+ /var/lib/quantum(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quantum_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the quantum_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), quantum(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/quota_nld_selinux.8 b/man/man8/quota_nld_selinux.8
-new file mode 100644
-index 0000000..e8c53e4
---- /dev/null
-+++ b/man/man8/quota_nld_selinux.8
-@@ -0,0 +1,119 @@
-+.TH "quota_nld_selinux" "8" "12-11-01" "quota_nld" "SELinux Policy documentation for quota_nld"
-+.SH "NAME"
-+quota_nld_selinux \- Security Enhanced Linux Policy for the quota_nld processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the quota_nld processes via flexible mandatory access control.
-+
-+The quota_nld processes execute with the quota_nld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep quota_nld_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The quota_nld_t SELinux type can be entered via the "quota_nld_exec_t" file type. The default entrypoint paths for the quota_nld_t domain are the following:"
-+
-+/usr/sbin/quota_nld
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux quota_nld policy is very flexible allowing users to setup their quota_nld processes in as secure a method as possible.
-+.PP
-+The following process types are defined for quota_nld:
-+
-+.EX
-+.B quota_nld_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux quota_nld policy is very flexible allowing users to setup their quota_nld processes in as secure a method as possible.
-+.PP
-+The following file types are defined for quota_nld:
-+
-+
-+.EX
-+.PP
-+.B quota_nld_exec_t
-+.EE
-+
-+- Set files with the quota_nld_exec_t type, if you want to transition an executable to the quota_nld_t domain.
-+
-+
-+.EX
-+.PP
-+.B quota_nld_var_run_t
-+.EE
-+
-+- Set files with the quota_nld_var_run_t type, if you want to store the quota nld files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type quota_nld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B quota_nld_var_run_t
-+
-+ /var/run/quota_nld\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quota_nld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the quota_nld_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), quota_nld(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, quota_selinux(8), quota_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/quota_selinux.8 b/man/man8/quota_selinux.8
-new file mode 100644
-index 0000000..f6b1bff
---- /dev/null
-+++ b/man/man8/quota_selinux.8
-@@ -0,0 +1,163 @@
-+.TH "quota_selinux" "8" "12-11-01" "quota" "SELinux Policy documentation for quota"
-+.SH "NAME"
-+quota_selinux \- Security Enhanced Linux Policy for the quota processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the quota processes via flexible mandatory access control.
-+
-+The quota processes execute with the quota_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep quota_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The quota_t SELinux type can be entered via the "quota_exec_t" file type. The default entrypoint paths for the quota_t domain are the following:"
-+
-+/sbin/quota(check|on), /usr/sbin/quota(check|on), /usr/sbin/convertquota
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux quota policy is very flexible allowing users to setup their quota processes in as secure a method as possible.
-+.PP
-+The following process types are defined for quota:
-+
-+.EX
-+.B quota_t, quota_nld_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux quota policy is very flexible allowing users to setup their quota processes in as secure a method as possible.
-+.PP
-+The following file types are defined for quota:
-+
-+
-+.EX
-+.PP
-+.B quota_db_t
-+.EE
-+
-+- Set files with the quota_db_t type, if you want to treat the files as quota database content.
-+
-+
-+.EX
-+.PP
-+.B quota_exec_t
-+.EE
-+
-+- Set files with the quota_exec_t type, if you want to transition an executable to the quota_t domain.
-+
-+
-+.EX
-+.PP
-+.B quota_flag_t
-+.EE
-+
-+- Set files with the quota_flag_t type, if you want to treat the files as quota flag data.
-+
-+
-+.EX
-+.PP
-+.B quota_nld_exec_t
-+.EE
-+
-+- Set files with the quota_nld_exec_t type, if you want to transition an executable to the quota_nld_t domain.
-+
-+
-+.EX
-+.PP
-+.B quota_nld_var_run_t
-+.EE
-+
-+- Set files with the quota_nld_var_run_t type, if you want to store the quota nld files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type quota_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B quota_db_t
-+
-+ /a?quota\.(user|group)
-+.br
-+ /etc/a?quota\.(user|group)
-+.br
-+ /var/a?quota\.(user|group)
-+.br
-+ /boot/a?quota\.(user|group)
-+.br
-+ /var/spool/(.*/)?a?quota\.(user|group)
-+.br
-+ /var/lib/openshift/a?quota\.(user|group)
-+.br
-+ /var/lib/stickshift/a?quota\.(user|group)
-+.br
-+ /home/[^/]*/a?quota\.(user|group)
-+.br
-+ /home/a?quota\.(user|group)
-+.br
-+ /home/dwalsh/a?quota\.(user|group)
-+.br
-+ /var/lib/xguest/home/xguest/a?quota\.(user|group)
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quota_nld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the quota_nld_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), quota(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, quota_nld_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/rabbitmq_beam_selinux.8 b/man/man8/rabbitmq_beam_selinux.8
-new file mode 100644
-index 0000000..01bdf1a
---- /dev/null
-+++ b/man/man8/rabbitmq_beam_selinux.8
-@@ -0,0 +1,103 @@
-+.TH "rabbitmq_beam_selinux" "8" "12-11-01" "rabbitmq_beam" "SELinux Policy documentation for rabbitmq_beam"
-+.SH "NAME"
-+rabbitmq_beam_selinux \- Security Enhanced Linux Policy for the rabbitmq_beam processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rabbitmq_beam processes via flexible mandatory access control.
-+
-+The rabbitmq_beam processes execute with the rabbitmq_beam_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rabbitmq_beam_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rabbitmq_beam_t SELinux type can be entered via the "rabbitmq_beam_exec_t" file type. The default entrypoint paths for the rabbitmq_beam_t domain are the following:"
-+
-+/usr/lib64/erlang/erts-5.8.5/bin/beam.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rabbitmq_beam policy is very flexible allowing users to setup their rabbitmq_beam processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rabbitmq_beam:
-+
-+.EX
-+.B rabbitmq_beam_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rabbitmq_beam policy is very flexible allowing users to setup their rabbitmq_beam processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rabbitmq_beam:
-+
-+
-+.EX
-+.PP
-+.B rabbitmq_beam_exec_t
-+.EE
-+
-+- Set files with the rabbitmq_beam_exec_t type, if you want to transition an executable to the rabbitmq_beam_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rabbitmq_beam_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B rabbitmq_var_lib_t
-+
-+ /var/lib/rabbitmq(/.*)?
-+.br
-+
-+.br
-+.B rabbitmq_var_log_t
-+
-+ /var/log/rabbitmq(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rabbitmq_beam(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, rabbitmq_epmd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/rabbitmq_epmd_selinux.8 b/man/man8/rabbitmq_epmd_selinux.8
-new file mode 100644
-index 0000000..5151b32
---- /dev/null
-+++ b/man/man8/rabbitmq_epmd_selinux.8
-@@ -0,0 +1,97 @@
-+.TH "rabbitmq_epmd_selinux" "8" "12-11-01" "rabbitmq_epmd" "SELinux Policy documentation for rabbitmq_epmd"
-+.SH "NAME"
-+rabbitmq_epmd_selinux \- Security Enhanced Linux Policy for the rabbitmq_epmd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rabbitmq_epmd processes via flexible mandatory access control.
-+
-+The rabbitmq_epmd processes execute with the rabbitmq_epmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rabbitmq_epmd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rabbitmq_epmd_t SELinux type can be entered via the "rabbitmq_epmd_exec_t" file type. The default entrypoint paths for the rabbitmq_epmd_t domain are the following:"
-+
-+/usr/lib64/erlang/erts-5.8.5/bin/epmd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rabbitmq_epmd policy is very flexible allowing users to setup their rabbitmq_epmd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rabbitmq_epmd:
-+
-+.EX
-+.B rabbitmq_epmd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rabbitmq_epmd policy is very flexible allowing users to setup their rabbitmq_epmd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rabbitmq_epmd:
-+
-+
-+.EX
-+.PP
-+.B rabbitmq_epmd_exec_t
-+.EE
-+
-+- Set files with the rabbitmq_epmd_exec_t type, if you want to transition an executable to the rabbitmq_epmd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rabbitmq_epmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B rabbitmq_var_log_t
-+
-+ /var/log/rabbitmq(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rabbitmq_epmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, rabbitmq_beam_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/racoon_selinux.8 b/man/man8/racoon_selinux.8
-new file mode 100644
-index 0000000..58f53af
---- /dev/null
-+++ b/man/man8/racoon_selinux.8
-@@ -0,0 +1,210 @@
-+.TH "racoon_selinux" "8" "12-11-01" "racoon" "SELinux Policy documentation for racoon"
-+.SH "NAME"
-+racoon_selinux \- Security Enhanced Linux Policy for the racoon processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the racoon processes via flexible mandatory access control.
-+
-+The racoon processes execute with the racoon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep racoon_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The racoon_t SELinux type can be entered via the "racoon_exec_t" file type. The default entrypoint paths for the racoon_t domain are the following:"
-+
-+/usr/sbin/racoon
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux racoon policy is very flexible allowing users to setup their racoon processes in as secure a method as possible.
-+.PP
-+The following process types are defined for racoon:
-+
-+.EX
-+.B racoon_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. racoon policy is extremely flexible and has several booleans that allow you to manipulate the policy and run racoon with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow racoon to read shadow, you must turn on the racoon_read_shadow boolean.
-+
-+.EX
-+.B setsebool -P racoon_read_shadow 1
-+.EE
-+
-+.PP
-+If you want to allow racoon to read shadow, you must turn on the racoon_read_shadow boolean.
-+
-+.EX
-+.B setsebool -P racoon_read_shadow 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux racoon policy is very flexible allowing users to setup their racoon processes in as secure a method as possible.
-+.PP
-+The following file types are defined for racoon:
-+
-+
-+.EX
-+.PP
-+.B racoon_exec_t
-+.EE
-+
-+- Set files with the racoon_exec_t type, if you want to transition an executable to the racoon_t domain.
-+
-+
-+.EX
-+.PP
-+.B racoon_tmp_t
-+.EE
-+
-+- Set files with the racoon_tmp_t type, if you want to store racoon temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type racoon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B ipsec_var_run_t
-+
-+ /var/racoon(/.*)?
-+.br
-+ /var/run/pluto(/.*)?
-+.br
-+ /var/run/racoon\.pid
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B racoon_tmp_t
-+
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the racoon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the racoon_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), racoon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/radiusd_selinux.8 b/man/man8/radiusd_selinux.8
-new file mode 100644
-index 0000000..2a14d47
---- /dev/null
-+++ b/man/man8/radiusd_selinux.8
-@@ -0,0 +1,264 @@
-+.TH "radiusd_selinux" "8" "12-11-01" "radiusd" "SELinux Policy documentation for radiusd"
-+.SH "NAME"
-+radiusd_selinux \- Security Enhanced Linux Policy for the radiusd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the radiusd processes via flexible mandatory access control.
-+
-+The radiusd processes execute with the radiusd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep radiusd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The radiusd_t SELinux type can be entered via the "radiusd_exec_t" file type. The default entrypoint paths for the radiusd_t domain are the following:"
-+
-+/etc/cron\.(daily|monthly)/radiusd, /etc/cron\.(daily|weekly|monthly)/freeradius, /usr/sbin/radiusd, /usr/sbin/freeradius
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux radiusd policy is very flexible allowing users to setup their radiusd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for radiusd:
-+
-+.EX
-+.B radiusd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. radiusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run radiusd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean.
-+
-+.EX
-+.B setsebool -P authlogin_radius 1
-+.EE
-+
-+.PP
-+If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean.
-+
-+.EX
-+.B setsebool -P authlogin_radius 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux radiusd policy is very flexible allowing users to setup their radiusd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for radiusd:
-+
-+
-+.EX
-+.PP
-+.B radiusd_etc_rw_t
-+.EE
-+
-+- Set files with the radiusd_etc_rw_t type, if you want to treat the files as radiusd etc read/write content.
-+
-+
-+.EX
-+.PP
-+.B radiusd_etc_t
-+.EE
-+
-+- Set files with the radiusd_etc_t type, if you want to store radiusd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B radiusd_exec_t
-+.EE
-+
-+- Set files with the radiusd_exec_t type, if you want to transition an executable to the radiusd_t domain.
-+
-+
-+.EX
-+.PP
-+.B radiusd_initrc_exec_t
-+.EE
-+
-+- Set files with the radiusd_initrc_exec_t type, if you want to transition an executable to the radiusd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B radiusd_log_t
-+.EE
-+
-+- Set files with the radiusd_log_t type, if you want to treat the data as radiusd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B radiusd_var_lib_t
-+.EE
-+
-+- Set files with the radiusd_var_lib_t type, if you want to store the radiusd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B radiusd_var_run_t
-+.EE
-+
-+- Set files with the radiusd_var_run_t type, if you want to store the radiusd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux radiusd policy is very flexible allowing users to setup their radiusd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for radiusd:
-+
-+.EX
-+.TP 5
-+.B radius_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 1645,1812
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type radiusd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B radiusd_etc_rw_t
-+
-+ /etc/raddb/db\.daily
-+.br
-+
-+.br
-+.B radiusd_log_t
-+
-+ /var/log/radius(/.*)?
-+.br
-+ /var/log/radwtmp.*
-+.br
-+ /var/log/radacct(/.*)?
-+.br
-+ /var/log/radius\.log.*
-+.br
-+ /var/log/freeradius(/.*)?
-+.br
-+ /var/log/radiusd-freeradius(/.*)?
-+.br
-+ /var/log/radutmp
-+.br
-+
-+.br
-+.B radiusd_var_lib_t
-+
-+ /var/lib/radiousd(/.*)?
-+.br
-+
-+.br
-+.B radiusd_var_run_t
-+
-+ /var/run/radiusd(/.*)?
-+.br
-+ /var/run/radiusd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the radiusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the radiusd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), radiusd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/radvd_selinux.8 b/man/man8/radvd_selinux.8
-new file mode 100644
-index 0000000..1fba22f
---- /dev/null
-+++ b/man/man8/radvd_selinux.8
-@@ -0,0 +1,136 @@
-+.TH "radvd_selinux" "8" "12-11-01" "radvd" "SELinux Policy documentation for radvd"
-+.SH "NAME"
-+radvd_selinux \- Security Enhanced Linux Policy for the radvd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the radvd processes via flexible mandatory access control.
-+
-+The radvd processes execute with the radvd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep radvd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The radvd_t SELinux type can be entered via the "radvd_exec_t" file type. The default entrypoint paths for the radvd_t domain are the following:"
-+
-+/usr/sbin/radvd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux radvd policy is very flexible allowing users to setup their radvd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for radvd:
-+
-+.EX
-+.B radvd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux radvd policy is very flexible allowing users to setup their radvd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for radvd:
-+
-+
-+.EX
-+.PP
-+.B radvd_etc_t
-+.EE
-+
-+- Set files with the radvd_etc_t type, if you want to store radvd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B radvd_exec_t
-+.EE
-+
-+- Set files with the radvd_exec_t type, if you want to transition an executable to the radvd_t domain.
-+
-+
-+.EX
-+.PP
-+.B radvd_initrc_exec_t
-+.EE
-+
-+- Set files with the radvd_initrc_exec_t type, if you want to transition an executable to the radvd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B radvd_var_run_t
-+.EE
-+
-+- Set files with the radvd_var_run_t type, if you want to store the radvd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type radvd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B radvd_var_run_t
-+
-+ /var/run/radvd(/.*)?
-+.br
-+ /var/run/radvd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the radvd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the radvd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), radvd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/rdisc_selinux.8 b/man/man8/rdisc_selinux.8
-new file mode 100644
-index 0000000..436b9f8
---- /dev/null
-+++ b/man/man8/rdisc_selinux.8
-@@ -0,0 +1,86 @@
-+.TH "rdisc_selinux" "8" "12-11-01" "rdisc" "SELinux Policy documentation for rdisc"
-+.SH "NAME"
-+rdisc_selinux \- Security Enhanced Linux Policy for the rdisc processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rdisc processes via flexible mandatory access control.
-+
-+The rdisc processes execute with the rdisc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rdisc_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rdisc_t SELinux type can be entered via the "rdisc_exec_t" file type. The default entrypoint paths for the rdisc_t domain are the following:"
-+
-+/sbin/rdisc, /usr/sbin/rdisc
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rdisc policy is very flexible allowing users to setup their rdisc processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rdisc:
-+
-+.EX
-+.B rdisc_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rdisc policy is very flexible allowing users to setup their rdisc processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rdisc:
-+
-+
-+.EX
-+.PP
-+.B rdisc_exec_t
-+.EE
-+
-+- Set files with the rdisc_exec_t type, if you want to transition an executable to the rdisc_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rdisc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/readahead_selinux.8 b/man/man8/readahead_selinux.8
-new file mode 100644
-index 0000000..56587b5
---- /dev/null
-+++ b/man/man8/readahead_selinux.8
-@@ -0,0 +1,180 @@
-+.TH "readahead_selinux" "8" "12-11-01" "readahead" "SELinux Policy documentation for readahead"
-+.SH "NAME"
-+readahead_selinux \- Security Enhanced Linux Policy for the readahead processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the readahead processes via flexible mandatory access control.
-+
-+The readahead processes execute with the readahead_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep readahead_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The readahead_t SELinux type can be entered via the "readahead_exec_t" file type. The default entrypoint paths for the readahead_t domain are the following:"
-+
-+/sbin/readahead.*, /usr/sbin/readahead.*, /usr/lib/systemd/systemd-readahead.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux readahead policy is very flexible allowing users to setup their readahead processes in as secure a method as possible.
-+.PP
-+The following process types are defined for readahead:
-+
-+.EX
-+.B readahead_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux readahead policy is very flexible allowing users to setup their readahead processes in as secure a method as possible.
-+.PP
-+The following file types are defined for readahead:
-+
-+
-+.EX
-+.PP
-+.B readahead_exec_t
-+.EE
-+
-+- Set files with the readahead_exec_t type, if you want to transition an executable to the readahead_t domain.
-+
-+
-+.EX
-+.PP
-+.B readahead_var_lib_t
-+.EE
-+
-+- Set files with the readahead_var_lib_t type, if you want to store the readahead files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B readahead_var_run_t
-+.EE
-+
-+- Set files with the readahead_var_run_t type, if you want to store the readahead files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type readahead_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B readahead_var_lib_t
-+
-+ /var/lib/readahead(/.*)?
-+.br
-+
-+.br
-+.B readahead_var_run_t
-+
-+ /dev/\.systemd/readahead(/.*)?
-+.br
-+ /var/run/systemd/readahead(/.*)?
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), readahead(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/realmd_selinux.8 b/man/man8/realmd_selinux.8
-new file mode 100644
-index 0000000..926344d
---- /dev/null
-+++ b/man/man8/realmd_selinux.8
-@@ -0,0 +1,166 @@
-+.TH "realmd_selinux" "8" "12-11-01" "realmd" "SELinux Policy documentation for realmd"
-+.SH "NAME"
-+realmd_selinux \- Security Enhanced Linux Policy for the realmd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the realmd processes via flexible mandatory access control.
-+
-+The realmd processes execute with the realmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep realmd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The realmd_t SELinux type can be entered via the "realmd_exec_t" file type. The default entrypoint paths for the realmd_t domain are the following:"
-+
-+/usr/lib/realmd/realmd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux realmd policy is very flexible allowing users to setup their realmd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for realmd:
-+
-+.EX
-+.B realmd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux realmd policy is very flexible allowing users to setup their realmd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for realmd:
-+
-+
-+.EX
-+.PP
-+.B realmd_exec_t
-+.EE
-+
-+- Set files with the realmd_exec_t type, if you want to transition an executable to the realmd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type realmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cache_home_t
-+
-+ /root/\.cache(/.*)?
-+.br
-+ /home/[^/]*/\.nv(/.*)?
-+.br
-+ /home/[^/]*/\.cache(/.*)?
-+.br
-+ /home/dwalsh/\.nv(/.*)?
-+.br
-+ /home/dwalsh/\.cache(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.nv(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache(/.*)?
-+.br
-+
-+.br
-+.B krb5_keytab_t
-+
-+ /etc/krb5\.keytab
-+.br
-+ /etc/krb5kdc/kadm5\.keytab
-+.br
-+ /var/kerberos/krb5kdc/kadm5\.keytab
-+.br
-+
-+.br
-+.B samba_etc_t
-+
-+ /etc/samba(/.*)?
-+.br
-+
-+.br
-+.B sssd_conf_t
-+
-+ /etc/sssd(/.*)?
-+.br
-+
-+.br
-+.B sssd_public_t
-+
-+ /var/lib/sss/mc(/.*)?
-+.br
-+ /var/lib/sss/pubconf(/.*)?
-+.br
-+
-+.br
-+.B sssd_var_lib_t
-+
-+ /var/lib/sss(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the realmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the realmd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), realmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/regex_milter_selinux.8 b/man/man8/regex_milter_selinux.8
-new file mode 100644
-index 0000000..6b0d3db
---- /dev/null
-+++ b/man/man8/regex_milter_selinux.8
-@@ -0,0 +1,118 @@
-+.TH "regex_milter_selinux" "8" "12-11-01" "regex_milter" "SELinux Policy documentation for regex_milter"
-+.SH "NAME"
-+regex_milter_selinux \- Security Enhanced Linux Policy for the regex_milter processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the regex_milter processes via flexible mandatory access control.
-+
-+The regex_milter processes execute with the regex_milter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep regex_milter_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The regex_milter_t SELinux type can be entered via the "regex_milter_exec_t" file type. The default entrypoint paths for the regex_milter_t domain are the following:"
-+
-+/usr/sbin/milter-regex
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux regex_milter policy is very flexible allowing users to setup their regex_milter processes in as secure a method as possible.
-+.PP
-+The following process types are defined for regex_milter:
-+
-+.EX
-+.B regex_milter_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux regex_milter policy is very flexible allowing users to setup their regex_milter processes in as secure a method as possible.
-+.PP
-+The following file types are defined for regex_milter:
-+
-+
-+.EX
-+.PP
-+.B regex_milter_data_t
-+.EE
-+
-+- Set files with the regex_milter_data_t type, if you want to treat the files as regex milter content.
-+
-+
-+.EX
-+.PP
-+.B regex_milter_exec_t
-+.EE
-+
-+- Set files with the regex_milter_exec_t type, if you want to transition an executable to the regex_milter_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type regex_milter_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B regex_milter_data_t
-+
-+ /var/spool/milter-regex(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the regex_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the regex_milter_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), regex_milter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/restorecond_selinux.8 b/man/man8/restorecond_selinux.8
-new file mode 100644
-index 0000000..0810458
---- /dev/null
-+++ b/man/man8/restorecond_selinux.8
-@@ -0,0 +1,124 @@
-+.TH "restorecond_selinux" "8" "12-11-01" "restorecond" "SELinux Policy documentation for restorecond"
-+.SH "NAME"
-+restorecond_selinux \- Security Enhanced Linux Policy for the restorecond processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the restorecond processes via flexible mandatory access control.
-+
-+The restorecond processes execute with the restorecond_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep restorecond_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The restorecond_t SELinux type can be entered via the "restorecond_exec_t" file type. The default entrypoint paths for the restorecond_t domain are the following:"
-+
-+/usr/sbin/restorecond
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux restorecond policy is very flexible allowing users to setup their restorecond processes in as secure a method as possible.
-+.PP
-+The following process types are defined for restorecond:
-+
-+.EX
-+.B restorecond_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux restorecond policy is very flexible allowing users to setup their restorecond processes in as secure a method as possible.
-+.PP
-+The following file types are defined for restorecond:
-+
-+
-+.EX
-+.PP
-+.B restorecond_exec_t
-+.EE
-+
-+- Set files with the restorecond_exec_t type, if you want to transition an executable to the restorecond_t domain.
-+
-+
-+.EX
-+.PP
-+.B restorecond_var_run_t
-+.EE
-+
-+- Set files with the restorecond_var_run_t type, if you want to store the restorecond files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type restorecond_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B restorecond_var_run_t
-+
-+ /var/run/restorecond\.pid
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the restorecond_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the restorecond_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), restorecond(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/rgmanager_selinux.8 b/man/man8/rgmanager_selinux.8
-new file mode 100644
-index 0000000..feb0254
---- /dev/null
-+++ b/man/man8/rgmanager_selinux.8
-@@ -0,0 +1,276 @@
-+.TH "rgmanager_selinux" "8" "12-11-01" "rgmanager" "SELinux Policy documentation for rgmanager"
-+.SH "NAME"
-+rgmanager_selinux \- Security Enhanced Linux Policy for the rgmanager processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rgmanager processes via flexible mandatory access control.
-+
-+The rgmanager processes execute with the rgmanager_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rgmanager_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rgmanager_t SELinux type can be entered via the "rgmanager_exec_t" file type. The default entrypoint paths for the rgmanager_t domain are the following:"
-+
-+/usr/lib(64)?/heartbeat/heartbeat, /usr/sbin/cpglockd, /usr/sbin/rgmanager
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rgmanager policy is very flexible allowing users to setup their rgmanager processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rgmanager:
-+
-+.EX
-+.B rgmanager_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. rgmanager policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rgmanager with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow rgmanager domain to connect to the network using TCP, you must turn on the rgmanager_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P rgmanager_can_network_connect 1
-+.EE
-+
-+.PP
-+If you want to allow rgmanager domain to connect to the network using TCP, you must turn on the rgmanager_can_network_connect boolean.
-+
-+.EX
-+.B setsebool -P rgmanager_can_network_connect 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rgmanager policy is very flexible allowing users to setup their rgmanager processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rgmanager:
-+
-+
-+.EX
-+.PP
-+.B rgmanager_exec_t
-+.EE
-+
-+- Set files with the rgmanager_exec_t type, if you want to transition an executable to the rgmanager_t domain.
-+
-+
-+.EX
-+.PP
-+.B rgmanager_initrc_exec_t
-+.EE
-+
-+- Set files with the rgmanager_initrc_exec_t type, if you want to transition an executable to the rgmanager_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B rgmanager_tmp_t
-+.EE
-+
-+- Set files with the rgmanager_tmp_t type, if you want to store rgmanager temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B rgmanager_tmpfs_t
-+.EE
-+
-+- Set files with the rgmanager_tmpfs_t type, if you want to store rgmanager files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B rgmanager_var_lib_t
-+.EE
-+
-+- Set files with the rgmanager_var_lib_t type, if you want to store the rgmanager files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B rgmanager_var_log_t
-+.EE
-+
-+- Set files with the rgmanager_var_log_t type, if you want to treat the data as rgmanager var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B rgmanager_var_run_t
-+.EE
-+
-+- Set files with the rgmanager_var_run_t type, if you want to store the rgmanager files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rgmanager_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cluster_conf_t
-+
-+ /etc/cluster(/.*)?
-+.br
-+
-+.br
-+.B file_t
-+
-+
-+.br
-+.B mnt_t
-+
-+ /mnt(/[^/]*)
-+.br
-+ /mnt(/[^/]*)?
-+.br
-+ /rhev(/[^/]*)?
-+.br
-+ /media(/[^/]*)
-+.br
-+ /media(/[^/]*)?
-+.br
-+ /media/\.hal-.*
-+.br
-+ /var/run/media(/[^/]*)?
-+.br
-+ /net
-+.br
-+ /afs
-+.br
-+ /rhev
-+.br
-+ /misc
-+.br
-+
-+.br
-+.B rgmanager_tmp_t
-+
-+
-+.br
-+.B rgmanager_tmpfs_t
-+
-+
-+.br
-+.B rgmanager_var_lib_t
-+
-+ /usr/lib(64)?/heartbeat(/.*)?
-+.br
-+ /var/lib/heartbeat(/.*)?
-+.br
-+
-+.br
-+.B rgmanager_var_log_t
-+
-+ /var/log/cluster/cpglockd\.log.*
-+.br
-+ /var/log/cluster/rgmanager\.log.*
-+.br
-+
-+.br
-+.B rgmanager_var_run_t
-+
-+ /var/run/heartbeat(/.*)?
-+.br
-+ /var/run/cpglockd\.pid
-+.br
-+ /var/run/rgmanager\.pid
-+.br
-+ /var/run/cluster/rgmanager\.sk
-+.br
-+
-+.br
-+.B samba_etc_t
-+
-+ /etc/samba(/.*)?
-+.br
-+
-+.br
-+.B samba_var_t
-+
-+ /var/lib/samba(/.*)?
-+.br
-+ /var/cache/samba(/.*)?
-+.br
-+ /var/spool/samba(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B var_lib_nfs_t
-+
-+ /var/lib/nfs(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rgmanager_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the rgmanager_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rgmanager(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/rhev_agentd_selinux.8 b/man/man8/rhev_agentd_selinux.8
-new file mode 100644
-index 0000000..5550bd3
---- /dev/null
-+++ b/man/man8/rhev_agentd_selinux.8
-@@ -0,0 +1,152 @@
-+.TH "rhev_agentd_selinux" "8" "12-11-01" "rhev_agentd" "SELinux Policy documentation for rhev_agentd"
-+.SH "NAME"
-+rhev_agentd_selinux \- Security Enhanced Linux Policy for the rhev_agentd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rhev_agentd processes via flexible mandatory access control.
-+
-+The rhev_agentd processes execute with the rhev_agentd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rhev_agentd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rhev_agentd_t SELinux type can be entered via the "rhev_agentd_exec_t" file type. The default entrypoint paths for the rhev_agentd_t domain are the following:"
-+
-+/usr/share/ovirt-guest-agent, /usr/share/rhev-agent/rhev-agentd\.py
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rhev_agentd policy is very flexible allowing users to setup their rhev_agentd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rhev_agentd:
-+
-+.EX
-+.B rhev_agentd_t, rhev_agentd_consolehelper_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rhev_agentd policy is very flexible allowing users to setup their rhev_agentd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rhev_agentd:
-+
-+
-+.EX
-+.PP
-+.B rhev_agentd_exec_t
-+.EE
-+
-+- Set files with the rhev_agentd_exec_t type, if you want to transition an executable to the rhev_agentd_t domain.
-+
-+
-+.EX
-+.PP
-+.B rhev_agentd_log_t
-+.EE
-+
-+- Set files with the rhev_agentd_log_t type, if you want to treat the data as rhev agentd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B rhev_agentd_tmp_t
-+.EE
-+
-+- Set files with the rhev_agentd_tmp_t type, if you want to store rhev agentd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B rhev_agentd_unit_file_t
-+.EE
-+
-+- Set files with the rhev_agentd_unit_file_t type, if you want to treat the files as rhev agentd unit content.
-+
-+
-+.EX
-+.PP
-+.B rhev_agentd_var_run_t
-+.EE
-+
-+- Set files with the rhev_agentd_var_run_t type, if you want to store the rhev agentd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rhev_agentd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B rhev_agentd_log_t
-+
-+ /var/log/rhev-agent(/.*)?
-+.br
-+
-+.br
-+.B rhev_agentd_tmp_t
-+
-+
-+.br
-+.B rhev_agentd_var_run_t
-+
-+ /var/run/rhev-agentd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rhev_agentd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/rhgb_selinux.8 b/man/man8/rhgb_selinux.8
-new file mode 100644
-index 0000000..a384089
---- /dev/null
-+++ b/man/man8/rhgb_selinux.8
-@@ -0,0 +1,106 @@
-+.TH "rhgb_selinux" "8" "12-11-01" "rhgb" "SELinux Policy documentation for rhgb"
-+.SH "NAME"
-+rhgb_selinux \- Security Enhanced Linux Policy for the rhgb processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rhgb processes via flexible mandatory access control.
-+
-+The rhgb processes execute with the rhgb_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rhgb_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rhgb_t SELinux type can be entered via the "rhgb_exec_t" file type. The default entrypoint paths for the rhgb_t domain are the following:"
-+
-+/usr/bin/rhgb
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rhgb policy is very flexible allowing users to setup their rhgb processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rhgb:
-+
-+.EX
-+.B rhgb_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rhgb policy is very flexible allowing users to setup their rhgb processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rhgb:
-+
-+
-+.EX
-+.PP
-+.B rhgb_exec_t
-+.EE
-+
-+- Set files with the rhgb_exec_t type, if you want to transition an executable to the rhgb_t domain.
-+
-+
-+.EX
-+.PP
-+.B rhgb_tmpfs_t
-+.EE
-+
-+- Set files with the rhgb_tmpfs_t type, if you want to store rhgb files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rhgb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ramfs_t
-+
-+
-+.br
-+.B rhgb_tmpfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rhgb(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/rhsmcertd_selinux.8 b/man/man8/rhsmcertd_selinux.8
-new file mode 100644
-index 0000000..7350aa2
---- /dev/null
-+++ b/man/man8/rhsmcertd_selinux.8
-@@ -0,0 +1,164 @@
-+.TH "rhsmcertd_selinux" "8" "12-11-01" "rhsmcertd" "SELinux Policy documentation for rhsmcertd"
-+.SH "NAME"
-+rhsmcertd_selinux \- Security Enhanced Linux Policy for the rhsmcertd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rhsmcertd processes via flexible mandatory access control.
-+
-+The rhsmcertd processes execute with the rhsmcertd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rhsmcertd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rhsmcertd_t SELinux type can be entered via the "rhsmcertd_exec_t" file type. The default entrypoint paths for the rhsmcertd_t domain are the following:"
-+
-+/usr/bin/rhsmcertd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rhsmcertd policy is very flexible allowing users to setup their rhsmcertd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rhsmcertd:
-+
-+.EX
-+.B rhsmcertd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rhsmcertd policy is very flexible allowing users to setup their rhsmcertd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rhsmcertd:
-+
-+
-+.EX
-+.PP
-+.B rhsmcertd_exec_t
-+.EE
-+
-+- Set files with the rhsmcertd_exec_t type, if you want to transition an executable to the rhsmcertd_t domain.
-+
-+
-+.EX
-+.PP
-+.B rhsmcertd_initrc_exec_t
-+.EE
-+
-+- Set files with the rhsmcertd_initrc_exec_t type, if you want to transition an executable to the rhsmcertd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B rhsmcertd_lock_t
-+.EE
-+
-+- Set files with the rhsmcertd_lock_t type, if you want to treat the files as rhsmcertd lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B rhsmcertd_log_t
-+.EE
-+
-+- Set files with the rhsmcertd_log_t type, if you want to treat the data as rhsmcertd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B rhsmcertd_var_lib_t
-+.EE
-+
-+- Set files with the rhsmcertd_var_lib_t type, if you want to store the rhsmcertd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B rhsmcertd_var_run_t
-+.EE
-+
-+- Set files with the rhsmcertd_var_run_t type, if you want to store the rhsmcertd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rhsmcertd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B rhsmcertd_lock_t
-+
-+ /var/lock/subsys/rhsmcertd
-+.br
-+
-+.br
-+.B rhsmcertd_log_t
-+
-+ /var/log/rhsm(/.*)?
-+.br
-+
-+.br
-+.B rhsmcertd_var_lib_t
-+
-+ /var/lib/rhsm(/.*)?
-+.br
-+
-+.br
-+.B rhsmcertd_var_run_t
-+
-+ /var/run/rhsm(/.*)?
-+.br
-+
-+.br
-+.B var_lock_t
-+
-+ /var/lock(/.*)?
-+.br
-+ /run/lock(/.*)?
-+.br
-+ /var/lock
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rhsmcertd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ricci_modcluster_selinux.8 b/man/man8/ricci_modcluster_selinux.8
-new file mode 100644
-index 0000000..bbe6e5e
---- /dev/null
-+++ b/man/man8/ricci_modcluster_selinux.8
-@@ -0,0 +1,187 @@
-+.TH "ricci_modcluster_selinux" "8" "12-11-01" "ricci_modcluster" "SELinux Policy documentation for ricci_modcluster"
-+.SH "NAME"
-+ricci_modcluster_selinux \- Security Enhanced Linux Policy for the ricci_modcluster processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ricci_modcluster processes via flexible mandatory access control.
-+
-+The ricci_modcluster processes execute with the ricci_modcluster_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ricci_modcluster_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ricci_modcluster_t SELinux type can be entered via the "ricci_modcluster_exec_t" file type. The default entrypoint paths for the ricci_modcluster_t domain are the following:"
-+
-+/usr/libexec/modcluster
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ricci_modcluster policy is very flexible allowing users to setup their ricci_modcluster processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ricci_modcluster:
-+
-+.EX
-+.B ricci_modclusterd_t, ricci_modcluster_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ricci_modcluster policy is very flexible allowing users to setup their ricci_modcluster processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ricci_modcluster:
-+
-+
-+.EX
-+.PP
-+.B ricci_modcluster_exec_t
-+.EE
-+
-+- Set files with the ricci_modcluster_exec_t type, if you want to transition an executable to the ricci_modcluster_t domain.
-+
-+
-+.EX
-+.PP
-+.B ricci_modcluster_var_lib_t
-+.EE
-+
-+- Set files with the ricci_modcluster_var_lib_t type, if you want to store the ricci modcluster files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B ricci_modcluster_var_log_t
-+.EE
-+
-+- Set files with the ricci_modcluster_var_log_t type, if you want to treat the data as ricci modcluster var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B ricci_modcluster_var_run_t
-+.EE
-+
-+- Set files with the ricci_modcluster_var_run_t type, if you want to store the ricci modcluster files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B ricci_modclusterd_exec_t
-+.EE
-+
-+- Set files with the ricci_modclusterd_exec_t type, if you want to transition an executable to the ricci_modclusterd_t domain.
-+
-+
-+.EX
-+.PP
-+.B ricci_modclusterd_tmpfs_t
-+.EE
-+
-+- Set files with the ricci_modclusterd_tmpfs_t type, if you want to store ricci modclusterd files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux ricci_modcluster policy is very flexible allowing users to setup their ricci_modcluster processes in as secure a method as possible.
-+.PP
-+The following port types are defined for ricci_modcluster:
-+
-+.EX
-+.TP 5
-+.B ricci_modcluster_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 16851
-+.EE
-+udp 16851
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ricci_modcluster_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cluster_conf_t
-+
-+ /etc/cluster(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ricci_modcluster(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, ricci_selinux(8), ricci_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/ricci_modclusterd_selinux.8 b/man/man8/ricci_modclusterd_selinux.8
-new file mode 100644
-index 0000000..7d43326
---- /dev/null
-+++ b/man/man8/ricci_modclusterd_selinux.8
-@@ -0,0 +1,159 @@
-+.TH "ricci_modclusterd_selinux" "8" "12-11-01" "ricci_modclusterd" "SELinux Policy documentation for ricci_modclusterd"
-+.SH "NAME"
-+ricci_modclusterd_selinux \- Security Enhanced Linux Policy for the ricci_modclusterd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ricci_modclusterd processes via flexible mandatory access control.
-+
-+The ricci_modclusterd processes execute with the ricci_modclusterd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ricci_modclusterd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ricci_modclusterd_t SELinux type can be entered via the "ricci_modclusterd_exec_t" file type. The default entrypoint paths for the ricci_modclusterd_t domain are the following:"
-+
-+/usr/sbin/modclusterd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ricci_modclusterd policy is very flexible allowing users to setup their ricci_modclusterd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ricci_modclusterd:
-+
-+.EX
-+.B ricci_modclusterd_t, ricci_modcluster_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ricci_modclusterd policy is very flexible allowing users to setup their ricci_modclusterd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ricci_modclusterd:
-+
-+
-+.EX
-+.PP
-+.B ricci_modclusterd_exec_t
-+.EE
-+
-+- Set files with the ricci_modclusterd_exec_t type, if you want to transition an executable to the ricci_modclusterd_t domain.
-+
-+
-+.EX
-+.PP
-+.B ricci_modclusterd_tmpfs_t
-+.EE
-+
-+- Set files with the ricci_modclusterd_tmpfs_t type, if you want to store ricci modclusterd files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux ricci_modclusterd policy is very flexible allowing users to setup their ricci_modclusterd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for ricci_modclusterd:
-+
-+.EX
-+.TP 5
-+.B ricci_modcluster_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 16851
-+.EE
-+udp 16851
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ricci_modclusterd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ricci_modcluster_var_log_t
-+
-+ /var/log/clumond\.log.*
-+.br
-+
-+.br
-+.B ricci_modcluster_var_run_t
-+
-+ /var/run/clumond\.sock
-+.br
-+ /var/run/modclusterd\.pid
-+.br
-+
-+.br
-+.B ricci_modclusterd_tmpfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ricci_modclusterd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modcluster_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/ricci_modlog_selinux.8 b/man/man8/ricci_modlog_selinux.8
-new file mode 100644
-index 0000000..f0ca4e5
---- /dev/null
-+++ b/man/man8/ricci_modlog_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "ricci_modlog_selinux" "8" "12-11-01" "ricci_modlog" "SELinux Policy documentation for ricci_modlog"
-+.SH "NAME"
-+ricci_modlog_selinux \- Security Enhanced Linux Policy for the ricci_modlog processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ricci_modlog processes via flexible mandatory access control.
-+
-+The ricci_modlog processes execute with the ricci_modlog_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ricci_modlog_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ricci_modlog_t SELinux type can be entered via the "ricci_modlog_exec_t" file type. The default entrypoint paths for the ricci_modlog_t domain are the following:"
-+
-+/usr/libexec/ricci-modlog
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ricci_modlog policy is very flexible allowing users to setup their ricci_modlog processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ricci_modlog:
-+
-+.EX
-+.B ricci_modlog_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ricci_modlog policy is very flexible allowing users to setup their ricci_modlog processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ricci_modlog:
-+
-+
-+.EX
-+.PP
-+.B ricci_modlog_exec_t
-+.EE
-+
-+- Set files with the ricci_modlog_exec_t type, if you want to transition an executable to the ricci_modlog_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ricci_modlog(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/ricci_modrpm_selinux.8 b/man/man8/ricci_modrpm_selinux.8
-new file mode 100644
-index 0000000..123f519
---- /dev/null
-+++ b/man/man8/ricci_modrpm_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "ricci_modrpm_selinux" "8" "12-11-01" "ricci_modrpm" "SELinux Policy documentation for ricci_modrpm"
-+.SH "NAME"
-+ricci_modrpm_selinux \- Security Enhanced Linux Policy for the ricci_modrpm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ricci_modrpm processes via flexible mandatory access control.
-+
-+The ricci_modrpm processes execute with the ricci_modrpm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ricci_modrpm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ricci_modrpm_t SELinux type can be entered via the "ricci_modrpm_exec_t" file type. The default entrypoint paths for the ricci_modrpm_t domain are the following:"
-+
-+/usr/libexec/ricci-modrpm
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ricci_modrpm policy is very flexible allowing users to setup their ricci_modrpm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ricci_modrpm:
-+
-+.EX
-+.B ricci_modrpm_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ricci_modrpm policy is very flexible allowing users to setup their ricci_modrpm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ricci_modrpm:
-+
-+
-+.EX
-+.PP
-+.B ricci_modrpm_exec_t
-+.EE
-+
-+- Set files with the ricci_modrpm_exec_t type, if you want to transition an executable to the ricci_modrpm_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ricci_modrpm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/ricci_modservice_selinux.8 b/man/man8/ricci_modservice_selinux.8
-new file mode 100644
-index 0000000..4c964e3
---- /dev/null
-+++ b/man/man8/ricci_modservice_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "ricci_modservice_selinux" "8" "12-11-01" "ricci_modservice" "SELinux Policy documentation for ricci_modservice"
-+.SH "NAME"
-+ricci_modservice_selinux \- Security Enhanced Linux Policy for the ricci_modservice processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ricci_modservice processes via flexible mandatory access control.
-+
-+The ricci_modservice processes execute with the ricci_modservice_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ricci_modservice_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ricci_modservice_t SELinux type can be entered via the "ricci_modservice_exec_t" file type. The default entrypoint paths for the ricci_modservice_t domain are the following:"
-+
-+/usr/libexec/ricci-modservice
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ricci_modservice policy is very flexible allowing users to setup their ricci_modservice processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ricci_modservice:
-+
-+.EX
-+.B ricci_modservice_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ricci_modservice policy is very flexible allowing users to setup their ricci_modservice processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ricci_modservice:
-+
-+
-+.EX
-+.PP
-+.B ricci_modservice_exec_t
-+.EE
-+
-+- Set files with the ricci_modservice_exec_t type, if you want to transition an executable to the ricci_modservice_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ricci_modservice(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modstorage_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/ricci_modstorage_selinux.8 b/man/man8/ricci_modstorage_selinux.8
-new file mode 100644
-index 0000000..d9a4baa
---- /dev/null
-+++ b/man/man8/ricci_modstorage_selinux.8
-@@ -0,0 +1,157 @@
-+.TH "ricci_modstorage_selinux" "8" "12-11-01" "ricci_modstorage" "SELinux Policy documentation for ricci_modstorage"
-+.SH "NAME"
-+ricci_modstorage_selinux \- Security Enhanced Linux Policy for the ricci_modstorage processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ricci_modstorage processes via flexible mandatory access control.
-+
-+The ricci_modstorage processes execute with the ricci_modstorage_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ricci_modstorage_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ricci_modstorage_t SELinux type can be entered via the "ricci_modstorage_exec_t" file type. The default entrypoint paths for the ricci_modstorage_t domain are the following:"
-+
-+/usr/libexec/ricci-modstorage
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ricci_modstorage policy is very flexible allowing users to setup their ricci_modstorage processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ricci_modstorage:
-+
-+.EX
-+.B ricci_modstorage_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ricci_modstorage policy is very flexible allowing users to setup their ricci_modstorage processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ricci_modstorage:
-+
-+
-+.EX
-+.PP
-+.B ricci_modstorage_exec_t
-+.EE
-+
-+- Set files with the ricci_modstorage_exec_t type, if you want to transition an executable to the ricci_modstorage_t domain.
-+
-+
-+.EX
-+.PP
-+.B ricci_modstorage_lock_t
-+.EE
-+
-+- Set files with the ricci_modstorage_lock_t type, if you want to treat the files as ricci modstorage lock data, stored under the /var/lock directory
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ricci_modstorage_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B default_t
-+
-+ /.*
-+.br
-+
-+.br
-+.B etc_t
-+
-+ /etc/.*
-+.br
-+ /var/db/.*\.db
-+.br
-+ /usr/etc(/.*)?
-+.br
-+ /var/ftp/etc(/.*)?
-+.br
-+ /var/lib/openshift/.limits.d(/.*)?
-+.br
-+ /var/lib/openshift/.openshift-proxy.d(/.*)?
-+.br
-+ /var/lib/openshift/.stickshift-proxy.d(/.*)?
-+.br
-+ /var/lib/stickshift/.limits.d(/.*)?
-+.br
-+ /var/lib/stickshift/.stickshift-proxy.d(/.*)?
-+.br
-+ /var/named/chroot/etc(/.*)?
-+.br
-+ /etc/ipsec\.d/examples(/.*)?
-+.br
-+ /var/spool/postfix/etc(/.*)?
-+.br
-+ /etc
-+.br
-+ /etc/cups/client\.conf
-+.br
-+
-+.br
-+.B lvm_etc_t
-+
-+ /etc/lvm(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modstorage_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ricci_modstorage_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ricci_modstorage(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/ricci_selinux.8 b/man/man8/ricci_selinux.8
-new file mode 100644
-index 0000000..77e1008
---- /dev/null
-+++ b/man/man8/ricci_selinux.8
-@@ -0,0 +1,394 @@
-+.TH "ricci_selinux" "8" "12-11-01" "ricci" "SELinux Policy documentation for ricci"
-+.SH "NAME"
-+ricci_selinux \- Security Enhanced Linux Policy for the ricci processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ricci processes via flexible mandatory access control.
-+
-+The ricci processes execute with the ricci_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ricci_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ricci_t SELinux type can be entered via the "ricci_exec_t,bin_t" file types. The default entrypoint paths for the ricci_t domain are the following:"
-+
-+/usr/sbin/ricci, /bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, /usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, /usr/lib/xen/bin(/.*)?, /usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, /usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, /etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/share/shorewall-perl(/.*)?, /usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, /usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, /etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, /etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, /usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, /usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, /usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/share/system-config-securitylevel/system-config-securitylevel\.py
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ricci policy is very flexible allowing users to setup their ricci processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ricci:
-+
-+.EX
-+.B ricci_t, ricci_modservice_t, ricci_modstorage_t, ricci_modclusterd_t, ricci_modlog_t, ricci_modrpm_t, ricci_modcluster_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ricci policy is very flexible allowing users to setup their ricci processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ricci:
-+
-+
-+.EX
-+.PP
-+.B ricci_exec_t
-+.EE
-+
-+- Set files with the ricci_exec_t type, if you want to transition an executable to the ricci_t domain.
-+
-+
-+.EX
-+.PP
-+.B ricci_initrc_exec_t
-+.EE
-+
-+- Set files with the ricci_initrc_exec_t type, if you want to transition an executable to the ricci_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B ricci_modcluster_exec_t
-+.EE
-+
-+- Set files with the ricci_modcluster_exec_t type, if you want to transition an executable to the ricci_modcluster_t domain.
-+
-+
-+.EX
-+.PP
-+.B ricci_modcluster_var_lib_t
-+.EE
-+
-+- Set files with the ricci_modcluster_var_lib_t type, if you want to store the ricci modcluster files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B ricci_modcluster_var_log_t
-+.EE
-+
-+- Set files with the ricci_modcluster_var_log_t type, if you want to treat the data as ricci modcluster var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B ricci_modcluster_var_run_t
-+.EE
-+
-+- Set files with the ricci_modcluster_var_run_t type, if you want to store the ricci modcluster files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B ricci_modclusterd_exec_t
-+.EE
-+
-+- Set files with the ricci_modclusterd_exec_t type, if you want to transition an executable to the ricci_modclusterd_t domain.
-+
-+
-+.EX
-+.PP
-+.B ricci_modclusterd_tmpfs_t
-+.EE
-+
-+- Set files with the ricci_modclusterd_tmpfs_t type, if you want to store ricci modclusterd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B ricci_modlog_exec_t
-+.EE
-+
-+- Set files with the ricci_modlog_exec_t type, if you want to transition an executable to the ricci_modlog_t domain.
-+
-+
-+.EX
-+.PP
-+.B ricci_modrpm_exec_t
-+.EE
-+
-+- Set files with the ricci_modrpm_exec_t type, if you want to transition an executable to the ricci_modrpm_t domain.
-+
-+
-+.EX
-+.PP
-+.B ricci_modservice_exec_t
-+.EE
-+
-+- Set files with the ricci_modservice_exec_t type, if you want to transition an executable to the ricci_modservice_t domain.
-+
-+
-+.EX
-+.PP
-+.B ricci_modstorage_exec_t
-+.EE
-+
-+- Set files with the ricci_modstorage_exec_t type, if you want to transition an executable to the ricci_modstorage_t domain.
-+
-+
-+.EX
-+.PP
-+.B ricci_modstorage_lock_t
-+.EE
-+
-+- Set files with the ricci_modstorage_lock_t type, if you want to treat the files as ricci modstorage lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B ricci_tmp_t
-+.EE
-+
-+- Set files with the ricci_tmp_t type, if you want to store ricci temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B ricci_var_lib_t
-+.EE
-+
-+- Set files with the ricci_var_lib_t type, if you want to store the ricci files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B ricci_var_log_t
-+.EE
-+
-+- Set files with the ricci_var_log_t type, if you want to treat the data as ricci var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B ricci_var_run_t
-+.EE
-+
-+- Set files with the ricci_var_run_t type, if you want to store the ricci files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux ricci policy is very flexible allowing users to setup their ricci processes in as secure a method as possible.
-+.PP
-+The following port types are defined for ricci:
-+
-+.EX
-+.TP 5
-+.B ricci_modcluster_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 16851
-+.EE
-+udp 16851
-+.EE
-+
-+.EX
-+.TP 5
-+.B ricci_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 11111
-+.EE
-+udp 11111
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ricci_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B ricci_tmp_t
-+
-+
-+.br
-+.B ricci_var_lib_t
-+
-+ /var/lib/ricci(/.*)?
-+.br
-+
-+.br
-+.B ricci_var_log_t
-+
-+
-+.br
-+.B ricci_var_run_t
-+
-+ /var/run/ricci\.pid
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ricci(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/rlogind_selinux.8 b/man/man8/rlogind_selinux.8
-new file mode 100644
-index 0000000..436ab6e
---- /dev/null
-+++ b/man/man8/rlogind_selinux.8
-@@ -0,0 +1,328 @@
-+.TH "rlogind_selinux" "8" "12-11-01" "rlogind" "SELinux Policy documentation for rlogind"
-+.SH "NAME"
-+rlogind_selinux \- Security Enhanced Linux Policy for the rlogind processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rlogind processes via flexible mandatory access control.
-+
-+The rlogind processes execute with the rlogind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rlogind_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rlogind_t SELinux type can be entered via the "rlogind_exec_t" file type. The default entrypoint paths for the rlogind_t domain are the following:"
-+
-+/usr/lib/telnetlogin, /usr/sbin/in\.rlogind, /usr/kerberos/sbin/klogind
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rlogind policy is very flexible allowing users to setup their rlogind processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rlogind:
-+
-+.EX
-+.B rlogind_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rlogind policy is very flexible allowing users to setup their rlogind processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rlogind:
-+
-+
-+.EX
-+.PP
-+.B rlogind_exec_t
-+.EE
-+
-+- Set files with the rlogind_exec_t type, if you want to transition an executable to the rlogind_t domain.
-+
-+
-+.EX
-+.PP
-+.B rlogind_home_t
-+.EE
-+
-+- Set files with the rlogind_home_t type, if you want to store rlogind files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B rlogind_keytab_t
-+.EE
-+
-+- Set files with the rlogind_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B rlogind_tmp_t
-+.EE
-+
-+- Set files with the rlogind_tmp_t type, if you want to store rlogind temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B rlogind_var_run_t
-+.EE
-+
-+- Set files with the rlogind_var_run_t type, if you want to store the rlogind files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux rlogind policy is very flexible allowing users to setup their rlogind processes in as secure a method as possible.
-+.PP
-+The following port types are defined for rlogind:
-+
-+.EX
-+.TP 5
-+.B rlogind_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 513
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rlogind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B auth_home_t
-+
-+ /root/\.google_authenticator
-+.br
-+ /root/\.google_authenticator~
-+.br
-+ /home/[^/]*/\.google_authenticator
-+.br
-+ /home/[^/]*/\.google_authenticator~
-+.br
-+ /home/dwalsh/\.google_authenticator
-+.br
-+ /home/dwalsh/\.google_authenticator~
-+.br
-+ /var/lib/xguest/home/xguest/\.google_authenticator
-+.br
-+ /var/lib/xguest/home/xguest/\.google_authenticator~
-+.br
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B pam_var_run_t
-+
-+ /var/(db|lib|adm)/sudo(/.*)?
-+.br
-+ /var/run/sudo(/.*)?
-+.br
-+ /var/run/sepermit(/.*)?
-+.br
-+ /var/run/pam_mount(/.*)?
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B rlogind_tmp_t
-+
-+
-+.br
-+.B rlogind_var_run_t
-+
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.br
-+.B var_auth_t
-+
-+ /var/ace(/.*)?
-+.br
-+ /var/rsa(/.*)?
-+.br
-+ /var/lib/abl(/.*)?
-+.br
-+ /var/lib/rsa(/.*)?
-+.br
-+ /var/lib/pam_ssh(/.*)?
-+.br
-+ /var/run/pam_ssh(/.*)?
-+.br
-+ /var/lib/pam_shield(/.*)?
-+.br
-+ /var/lib/google-authenticator(/.*)?
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rlogind_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the rlogind_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rlogind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/rngd_selinux.8 b/man/man8/rngd_selinux.8
-new file mode 100644
-index 0000000..bd28b6f
---- /dev/null
-+++ b/man/man8/rngd_selinux.8
-@@ -0,0 +1,102 @@
-+.TH "rngd_selinux" "8" "12-11-01" "rngd" "SELinux Policy documentation for rngd"
-+.SH "NAME"
-+rngd_selinux \- Security Enhanced Linux Policy for the rngd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rngd processes via flexible mandatory access control.
-+
-+The rngd processes execute with the rngd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rngd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rngd_t SELinux type can be entered via the "rngd_exec_t" file type. The default entrypoint paths for the rngd_t domain are the following:"
-+
-+/usr/sbin/rngd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rngd policy is very flexible allowing users to setup their rngd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rngd:
-+
-+.EX
-+.B rngd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rngd policy is very flexible allowing users to setup their rngd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rngd:
-+
-+
-+.EX
-+.PP
-+.B rngd_exec_t
-+.EE
-+
-+- Set files with the rngd_exec_t type, if you want to transition an executable to the rngd_t domain.
-+
-+
-+.EX
-+.PP
-+.B rngd_initrc_exec_t
-+.EE
-+
-+- Set files with the rngd_initrc_exec_t type, if you want to transition an executable to the rngd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B rngd_unit_file_t
-+.EE
-+
-+- Set files with the rngd_unit_file_t type, if you want to treat the files as rngd unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rngd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/roundup_selinux.8 b/man/man8/roundup_selinux.8
-new file mode 100644
-index 0000000..22ad9ee
---- /dev/null
-+++ b/man/man8/roundup_selinux.8
-@@ -0,0 +1,124 @@
-+.TH "roundup_selinux" "8" "12-11-01" "roundup" "SELinux Policy documentation for roundup"
-+.SH "NAME"
-+roundup_selinux \- Security Enhanced Linux Policy for the roundup processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the roundup processes via flexible mandatory access control.
-+
-+The roundup processes execute with the roundup_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep roundup_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The roundup_t SELinux type can be entered via the "roundup_exec_t" file type. The default entrypoint paths for the roundup_t domain are the following:"
-+
-+/usr/bin/roundup-server
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux roundup policy is very flexible allowing users to setup their roundup processes in as secure a method as possible.
-+.PP
-+The following process types are defined for roundup:
-+
-+.EX
-+.B roundup_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux roundup policy is very flexible allowing users to setup their roundup processes in as secure a method as possible.
-+.PP
-+The following file types are defined for roundup:
-+
-+
-+.EX
-+.PP
-+.B roundup_exec_t
-+.EE
-+
-+- Set files with the roundup_exec_t type, if you want to transition an executable to the roundup_t domain.
-+
-+
-+.EX
-+.PP
-+.B roundup_initrc_exec_t
-+.EE
-+
-+- Set files with the roundup_initrc_exec_t type, if you want to transition an executable to the roundup_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B roundup_var_lib_t
-+.EE
-+
-+- Set files with the roundup_var_lib_t type, if you want to store the roundup files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B roundup_var_run_t
-+.EE
-+
-+- Set files with the roundup_var_run_t type, if you want to store the roundup files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type roundup_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B roundup_var_lib_t
-+
-+ /var/lib/roundup(/.*)?
-+.br
-+
-+.br
-+.B roundup_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), roundup(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/rpcbind_selinux.8 b/man/man8/rpcbind_selinux.8
-new file mode 100644
-index 0000000..9f38f73
---- /dev/null
-+++ b/man/man8/rpcbind_selinux.8
-@@ -0,0 +1,130 @@
-+.TH "rpcbind_selinux" "8" "12-11-01" "rpcbind" "SELinux Policy documentation for rpcbind"
-+.SH "NAME"
-+rpcbind_selinux \- Security Enhanced Linux Policy for the rpcbind processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rpcbind processes via flexible mandatory access control.
-+
-+The rpcbind processes execute with the rpcbind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rpcbind_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rpcbind_t SELinux type can be entered via the "rpcbind_exec_t" file type. The default entrypoint paths for the rpcbind_t domain are the following:"
-+
-+/sbin/rpcbind, /usr/sbin/rpcbind
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rpcbind policy is very flexible allowing users to setup their rpcbind processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rpcbind:
-+
-+.EX
-+.B rpcbind_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rpcbind policy is very flexible allowing users to setup their rpcbind processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rpcbind:
-+
-+
-+.EX
-+.PP
-+.B rpcbind_exec_t
-+.EE
-+
-+- Set files with the rpcbind_exec_t type, if you want to transition an executable to the rpcbind_t domain.
-+
-+
-+.EX
-+.PP
-+.B rpcbind_initrc_exec_t
-+.EE
-+
-+- Set files with the rpcbind_initrc_exec_t type, if you want to transition an executable to the rpcbind_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B rpcbind_var_lib_t
-+.EE
-+
-+- Set files with the rpcbind_var_lib_t type, if you want to store the rpcbind files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B rpcbind_var_run_t
-+.EE
-+
-+- Set files with the rpcbind_var_run_t type, if you want to store the rpcbind files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rpcbind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B rpcbind_var_lib_t
-+
-+ /var/lib/rpcbind(/.*)?
-+.br
-+ /var/cache/rpcbind(/.*)?
-+.br
-+
-+.br
-+.B rpcbind_var_run_t
-+
-+ /var/run/rpc.statd\.pid
-+.br
-+ /var/run/rpcbind.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rpcbind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/rpcd_selinux.8 b/man/man8/rpcd_selinux.8
-new file mode 100644
-index 0000000..054ef5a
---- /dev/null
-+++ b/man/man8/rpcd_selinux.8
-@@ -0,0 +1,181 @@
-+.TH "rpcd_selinux" "8" "12-11-01" "rpcd" "SELinux Policy documentation for rpcd"
-+.SH "NAME"
-+rpcd_selinux \- Security Enhanced Linux Policy for the rpcd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rpcd processes via flexible mandatory access control.
-+
-+The rpcd processes execute with the rpcd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rpcd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rpcd_t SELinux type can be entered via the "rpcd_exec_t" file type. The default entrypoint paths for the rpcd_t domain are the following:"
-+
-+/sbin/rpc\..*, /usr/sbin/rpc\..*, /sbin/sm-notify, /usr/sbin/sm-notify, /usr/sbin/rpc\.idmapd, /usr/sbin/rpc\.rquotad
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rpcd policy is very flexible allowing users to setup their rpcd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rpcd:
-+
-+.EX
-+.B rpcd_t, rpcbind_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rpcd policy is very flexible allowing users to setup their rpcd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rpcd:
-+
-+
-+.EX
-+.PP
-+.B rpcd_exec_t
-+.EE
-+
-+- Set files with the rpcd_exec_t type, if you want to transition an executable to the rpcd_t domain.
-+
-+
-+.EX
-+.PP
-+.B rpcd_initrc_exec_t
-+.EE
-+
-+- Set files with the rpcd_initrc_exec_t type, if you want to transition an executable to the rpcd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B rpcd_unit_file_t
-+.EE
-+
-+- Set files with the rpcd_unit_file_t type, if you want to treat the files as rpcd unit content.
-+
-+
-+.EX
-+.PP
-+.B rpcd_var_run_t
-+.EE
-+
-+- Set files with the rpcd_var_run_t type, if you want to store the rpcd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rpcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B quota_db_t
-+
-+ /a?quota\.(user|group)
-+.br
-+ /etc/a?quota\.(user|group)
-+.br
-+ /var/a?quota\.(user|group)
-+.br
-+ /boot/a?quota\.(user|group)
-+.br
-+ /var/spool/(.*/)?a?quota\.(user|group)
-+.br
-+ /var/lib/openshift/a?quota\.(user|group)
-+.br
-+ /var/lib/stickshift/a?quota\.(user|group)
-+.br
-+ /home/[^/]*/a?quota\.(user|group)
-+.br
-+ /home/a?quota\.(user|group)
-+.br
-+ /home/dwalsh/a?quota\.(user|group)
-+.br
-+ /var/lib/xguest/home/xguest/a?quota\.(user|group)
-+.br
-+
-+.br
-+.B rgmanager_tmp_t
-+
-+
-+.br
-+.B rpcd_var_run_t
-+
-+ /var/run/rpc\.statd(/.*)?
-+.br
-+ /var/run/rpc\.statd\.pid
-+.br
-+
-+.br
-+.B var_lib_nfs_t
-+
-+ /var/lib/nfs(/.*)?
-+.br
-+
-+.br
-+.B var_lib_t
-+
-+ /opt/(.*/)?var/lib(/.*)?
-+.br
-+ /var/lib(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the rpcd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rpcd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, rpcbind_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/rpm_script_selinux.8 b/man/man8/rpm_script_selinux.8
-new file mode 100644
-index 0000000..3a3d1db
---- /dev/null
-+++ b/man/man8/rpm_script_selinux.8
-@@ -0,0 +1,127 @@
-+.TH "rpm_script_selinux" "8" "12-11-01" "rpm_script" "SELinux Policy documentation for rpm_script"
-+.SH "NAME"
-+rpm_script_selinux \- Security Enhanced Linux Policy for the rpm_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rpm_script processes via flexible mandatory access control.
-+
-+The rpm_script processes execute with the rpm_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rpm_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rpm_script_t SELinux type can be entered via the "filesystem_type,unlabeled_t,proc_type,bin_t,ldconfig_exec_t,mtrr_device_t,shell_exec_t,sysctl_type,file_type" file types. The default entrypoint paths for the rpm_script_t domain are the following:"
-+
-+/bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, /usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, /usr/lib/xen/bin(/.*)?, /usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, /usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, /etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/share/shorewall-perl(/.*)?, /usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, /usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, /etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, /etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, /usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, /usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, /usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/share/system-config-securitylevel/system-config-securitylevel\.py, /sbin/ldconfig, /usr/sbin/ldconfig, /dev/cpu/mtrr, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, all files on the system
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rpm_script policy is very flexible allowing users to setup their rpm_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rpm_script:
-+
-+.EX
-+.B rpm_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rpm_script policy is very flexible allowing users to setup their rpm_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rpm_script:
-+
-+
-+.EX
-+.PP
-+.B rpm_script_exec_t
-+.EE
-+
-+- Set files with the rpm_script_exec_t type, if you want to transition an executable to the rpm_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B rpm_script_tmp_t
-+.EE
-+
-+- Set files with the rpm_script_tmp_t type, if you want to store rpm script temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B rpm_script_tmpfs_t
-+.EE
-+
-+- Set files with the rpm_script_tmpfs_t type, if you want to store rpm script files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rpm_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B file_type
-+
-+ all files on the system
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpm_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the rpm_script_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rpm_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, rpm_selinux(8), rpm_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/rpm_selinux.8 b/man/man8/rpm_selinux.8
-new file mode 100644
-index 0000000..0b6f8e2
---- /dev/null
-+++ b/man/man8/rpm_selinux.8
-@@ -0,0 +1,191 @@
-+.TH "rpm_selinux" "8" "12-11-01" "rpm" "SELinux Policy documentation for rpm"
-+.SH "NAME"
-+rpm_selinux \- Security Enhanced Linux Policy for the rpm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rpm processes via flexible mandatory access control.
-+
-+The rpm processes execute with the rpm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rpm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rpm_t SELinux type can be entered via the "rpm_exec_t,debuginfo_exec_t,filesystem_type,rpm_script_exec_t,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type" file types. The default entrypoint paths for the rpm_t domain are the following:"
-+
-+/usr/libexec/yumDBUSBackend.py, /bin/rpm, /usr/bin/dnf, /usr/bin/rpm, /usr/bin/yum, /usr/bin/zif, /usr/sbin/pup, /usr/bin/smart, /usr/sbin/bcfg2, /usr/sbin/pirut, /usr/bin/apt-get, /usr/sbin/up2date, /usr/sbin/synaptic, /usr/bin/apt-shell, /usr/sbin/rhn_check, /usr/sbin/rhnreg_ks, /usr/sbin/packagekitd, /usr/sbin/yum-updatesd, /usr/libexec/packagekitd, /usr/bin/package-cleanup, /usr/bin/fedora-rmdevelrpms, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/system-install-packages, /usr/share/yumex/yum_childtask\.py, /usr/sbin/yum-complete-transaction, /usr/share/yumex/yumex-yum-backend, /usr/bin/debuginfo-install, /dev/cpu/mtrr, all files on the system
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rpm policy is very flexible allowing users to setup their rpm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rpm:
-+
-+.EX
-+.B rpm_t, rpm_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rpm policy is very flexible allowing users to setup their rpm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rpm:
-+
-+
-+.EX
-+.PP
-+.B rpm_exec_t
-+.EE
-+
-+- Set files with the rpm_exec_t type, if you want to transition an executable to the rpm_t domain.
-+
-+
-+.EX
-+.PP
-+.B rpm_file_t
-+.EE
-+
-+- Set files with the rpm_file_t type, if you want to treat the files as rpm content.
-+
-+
-+.EX
-+.PP
-+.B rpm_log_t
-+.EE
-+
-+- Set files with the rpm_log_t type, if you want to treat the data as rpm log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B rpm_script_exec_t
-+.EE
-+
-+- Set files with the rpm_script_exec_t type, if you want to transition an executable to the rpm_script_t domain.
-+
-+
-+.EX
-+.PP
-+.B rpm_script_tmp_t
-+.EE
-+
-+- Set files with the rpm_script_tmp_t type, if you want to store rpm script temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B rpm_script_tmpfs_t
-+.EE
-+
-+- Set files with the rpm_script_tmpfs_t type, if you want to store rpm script files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B rpm_tmp_t
-+.EE
-+
-+- Set files with the rpm_tmp_t type, if you want to store rpm temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B rpm_tmpfs_t
-+.EE
-+
-+- Set files with the rpm_tmpfs_t type, if you want to store rpm files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B rpm_var_cache_t
-+.EE
-+
-+- Set files with the rpm_var_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B rpm_var_lib_t
-+.EE
-+
-+- Set files with the rpm_var_lib_t type, if you want to store the rpm files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B rpm_var_run_t
-+.EE
-+
-+- Set files with the rpm_var_run_t type, if you want to store the rpm files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rpm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B file_type
-+
-+ all files on the system
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpm_script_t, rpm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the rpm_script_t, rpm_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rpm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, rpm_script_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/rshd_selinux.8 b/man/man8/rshd_selinux.8
-new file mode 100644
-index 0000000..8958739
---- /dev/null
-+++ b/man/man8/rshd_selinux.8
-@@ -0,0 +1,302 @@
-+.TH "rshd_selinux" "8" "12-11-01" "rshd" "SELinux Policy documentation for rshd"
-+.SH "NAME"
-+rshd_selinux \- Security Enhanced Linux Policy for the rshd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rshd processes via flexible mandatory access control.
-+
-+The rshd processes execute with the rshd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rshd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rshd_t SELinux type can be entered via the "rshd_exec_t" file type. The default entrypoint paths for the rshd_t domain are the following:"
-+
-+/usr/sbin/in\.rshd, /usr/sbin/in\.rexecd, /usr/kerberos/sbin/kshd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rshd policy is very flexible allowing users to setup their rshd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rshd:
-+
-+.EX
-+.B rshd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rshd policy is very flexible allowing users to setup their rshd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rshd:
-+
-+
-+.EX
-+.PP
-+.B rshd_exec_t
-+.EE
-+
-+- Set files with the rshd_exec_t type, if you want to transition an executable to the rshd_t domain.
-+
-+
-+.EX
-+.PP
-+.B rshd_keytab_t
-+.EE
-+
-+- Set files with the rshd_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux rshd policy is very flexible allowing users to setup their rshd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for rshd:
-+
-+.EX
-+.TP 5
-+.B rsh_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 514
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rshd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B auth_home_t
-+
-+ /root/\.google_authenticator
-+.br
-+ /root/\.google_authenticator~
-+.br
-+ /home/[^/]*/\.google_authenticator
-+.br
-+ /home/[^/]*/\.google_authenticator~
-+.br
-+ /home/dwalsh/\.google_authenticator
-+.br
-+ /home/dwalsh/\.google_authenticator~
-+.br
-+ /var/lib/xguest/home/xguest/\.google_authenticator
-+.br
-+ /var/lib/xguest/home/xguest/\.google_authenticator~
-+.br
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B pam_var_run_t
-+
-+ /var/(db|lib|adm)/sudo(/.*)?
-+.br
-+ /var/run/sudo(/.*)?
-+.br
-+ /var/run/sepermit(/.*)?
-+.br
-+ /var/run/pam_mount(/.*)?
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.br
-+.B user_tmp_type
-+
-+ all user tmp files
-+.br
-+
-+.br
-+.B var_auth_t
-+
-+ /var/ace(/.*)?
-+.br
-+ /var/rsa(/.*)?
-+.br
-+ /var/lib/abl(/.*)?
-+.br
-+ /var/lib/rsa(/.*)?
-+.br
-+ /var/lib/pam_ssh(/.*)?
-+.br
-+ /var/run/pam_ssh(/.*)?
-+.br
-+ /var/lib/pam_shield(/.*)?
-+.br
-+ /var/lib/google-authenticator(/.*)?
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rshd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the rshd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rshd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/rssh_chroot_helper_selinux.8 b/man/man8/rssh_chroot_helper_selinux.8
-new file mode 100644
-index 0000000..42e38a6
---- /dev/null
-+++ b/man/man8/rssh_chroot_helper_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "rssh_chroot_helper_selinux" "8" "12-11-01" "rssh_chroot_helper" "SELinux Policy documentation for rssh_chroot_helper"
-+.SH "NAME"
-+rssh_chroot_helper_selinux \- Security Enhanced Linux Policy for the rssh_chroot_helper processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rssh_chroot_helper processes via flexible mandatory access control.
-+
-+The rssh_chroot_helper processes execute with the rssh_chroot_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rssh_chroot_helper_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rssh_chroot_helper_t SELinux type can be entered via the "rssh_chroot_helper_exec_t" file type. The default entrypoint paths for the rssh_chroot_helper_t domain are the following:"
-+
-+/usr/libexec/rssh_chroot_helper
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rssh_chroot_helper policy is very flexible allowing users to setup their rssh_chroot_helper processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rssh_chroot_helper:
-+
-+.EX
-+.B rssh_chroot_helper_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rssh_chroot_helper policy is very flexible allowing users to setup their rssh_chroot_helper processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rssh_chroot_helper:
-+
-+
-+.EX
-+.PP
-+.B rssh_chroot_helper_exec_t
-+.EE
-+
-+- Set files with the rssh_chroot_helper_exec_t type, if you want to transition an executable to the rssh_chroot_helper_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rssh_chroot_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the rssh_chroot_helper_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rssh_chroot_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, rssh_selinux(8), rssh_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/rssh_selinux.8 b/man/man8/rssh_selinux.8
-new file mode 100644
-index 0000000..f418ac6
---- /dev/null
-+++ b/man/man8/rssh_selinux.8
-@@ -0,0 +1,133 @@
-+.TH "rssh_selinux" "8" "12-11-01" "rssh" "SELinux Policy documentation for rssh"
-+.SH "NAME"
-+rssh_selinux \- Security Enhanced Linux Policy for the rssh processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rssh processes via flexible mandatory access control.
-+
-+The rssh processes execute with the rssh_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rssh_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rssh_t SELinux type can be entered via the "rssh_exec_t" file type. The default entrypoint paths for the rssh_t domain are the following:"
-+
-+/usr/bin/rssh
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rssh policy is very flexible allowing users to setup their rssh processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rssh:
-+
-+.EX
-+.B rssh_t, rssh_chroot_helper_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rssh policy is very flexible allowing users to setup their rssh processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rssh:
-+
-+
-+.EX
-+.PP
-+.B rssh_chroot_helper_exec_t
-+.EE
-+
-+- Set files with the rssh_chroot_helper_exec_t type, if you want to transition an executable to the rssh_chroot_helper_t domain.
-+
-+
-+.EX
-+.PP
-+.B rssh_exec_t
-+.EE
-+
-+- Set files with the rssh_exec_t type, if you want to transition an executable to the rssh_t domain.
-+
-+
-+.EX
-+.PP
-+.B rssh_ro_t
-+.EE
-+
-+- Set files with the rssh_ro_t type, if you want to treat the files as rssh read/only content.
-+
-+
-+.EX
-+.PP
-+.B rssh_rw_t
-+.EE
-+
-+- Set files with the rssh_rw_t type, if you want to treat the files as rssh read/write content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rssh_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B rssh_rw_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rssh_chroot_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the rssh_chroot_helper_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, rssh_chroot_helper_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8
-index ad9ccf5..bf0928c 100644
---- a/man/man8/rsync_selinux.8
-+++ b/man/man8/rsync_selinux.8
-@@ -1,52 +1,299 @@
--.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
--.de EX
--.nf
--.ft CW
--..
--.de EE
--.ft R
--.fi
--..
-+.TH "rsync_selinux" "8" "12-11-01" "rsync" "SELinux Policy documentation for rsync"
- .SH "NAME"
--rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
-+rsync_selinux \- Security Enhanced Linux Policy for the rsync processes
- .SH "DESCRIPTION"
-
--Security-Enhanced Linux secures the rsync server via flexible mandatory access
--control.
--.SH FILE_CONTEXTS
--SELinux requires files to have an extended attribute to define the file type.
--Policy governs the access daemons have to these files.
--If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you
--would need to label the directory with the chcon tool.
--.TP
--chcon -t public_content_t /var/rsync
--.TP
--.TP
--To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
-+Security-Enhanced Linux secures the rsync processes via flexible mandatory access control.
-+
-+The rsync processes execute with the rsync_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rsync_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rsync_t SELinux type can be entered via the "rsync_exec_t" file type. The default entrypoint paths for the rsync_t domain are the following:"
-+
-+/usr/bin/rsync
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rsync policy is very flexible allowing users to setup their rsync processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rsync:
-+
-+.EX
-+.B rsync_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. rsync policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rsync with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean.
-+
-+.EX
-+.B setsebool -P postgresql_can_rsync 1
-+.EE
-+
-+.PP
-+If you want to allow rsync to export any files/directories read only, you must turn on the rsync_export_all_ro boolean.
-+
-+.EX
-+.B setsebool -P rsync_export_all_ro 1
-+.EE
-+
-+.PP
-+If you want to allow rsync servers to share nfs files systems, you must turn on the rsync_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P rsync_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow rsync servers to share cifs files systems, you must turn on the rsync_use_cifs boolean.
-+
-+.EX
-+.B setsebool -P rsync_use_cifs 1
-+.EE
-+
-+.PP
-+If you want to allow rsync to run as a client, you must turn on the rsync_client boolean.
-+
-+.EX
-+.B setsebool -P rsync_client 1
-+.EE
-+
-+.PP
-+If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean.
-+
-+.EX
-+.B setsebool -P postgresql_can_rsync 1
-+.EE
-+
-+.PP
-+If you want to allow rsync to export any files/directories read only, you must turn on the rsync_export_all_ro boolean.
-+
-+.EX
-+.B setsebool -P rsync_export_all_ro 1
-+.EE
-+
-+.PP
-+If you want to allow rsync servers to share nfs files systems, you must turn on the rsync_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P rsync_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow rsync servers to share cifs files systems, you must turn on the rsync_use_cifs boolean.
-+
-+.EX
-+.B setsebool -P rsync_use_cifs 1
-+.EE
-+
-+.PP
-+If you want to allow rsync to run as a client, you must turn on the rsync_client boolean.
-+
-+.EX
-+.B setsebool -P rsync_client 1
-+.EE
-+
-+.SH SHARING FILES
-+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
- .TP
-+Allow rsync servers to read the /var/rsync directory by adding the public_content_t file type to the directory and by restoring the file type.
-+.PP
-+.B
- semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/rsync
-+.pp
- .TP
--This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
--.TP
--/var/rsync(/.*)? system_u:object_r:publix_content_t:s0
--.TP
--Run the restorecon command to apply the changes:
--.TP
--restorecon -R -v /var/rsync/
-+Allow rsync servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_rsyncd_anon_write boolean to be set.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_rw_t "/var/rsync/incoming(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/rsync/incoming
-+
-+
-+.PP
-+If you want to allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the rsync_anon_write boolean.
-+
-+.EX
-+.B setsebool -P rsync_anon_write 1
- .EE
-
--.SH SHARING FILES
--If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for rsync you would execute:
-+.PP
-+If you want to allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the rsync_anon_write boolean.
-
- .EX
--setsebool -P allow_rsync_anon_write=1
-+.B setsebool -P rsync_anon_write 1
- .EE
-
--.SH BOOLEANS
--.TP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
--This manual page was written by Dan Walsh .
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rsync policy is very flexible allowing users to setup their rsync processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rsync:
-+
-+
-+.EX
-+.PP
-+.B rsync_data_t
-+.EE
-+
-+- Set files with the rsync_data_t type, if you want to treat the files as rsync content.
-+
-+
-+.EX
-+.PP
-+.B rsync_etc_t
-+.EE
-+
-+- Set files with the rsync_etc_t type, if you want to store rsync files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B rsync_exec_t
-+.EE
-+
-+- Set files with the rsync_exec_t type, if you want to transition an executable to the rsync_t domain.
-+
-+
-+.EX
-+.PP
-+.B rsync_log_t
-+.EE
-+
-+- Set files with the rsync_log_t type, if you want to treat the data as rsync log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B rsync_tmp_t
-+.EE
-+
-+- Set files with the rsync_tmp_t type, if you want to store rsync temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B rsync_var_run_t
-+.EE
-+
-+- Set files with the rsync_var_run_t type, if you want to store the rsync files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux rsync policy is very flexible allowing users to setup their rsync processes in as secure a method as possible.
-+.PP
-+The following port types are defined for rsync:
-+
-+.EX
-+.TP 5
-+.B rsync_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 873
-+.EE
-+udp 873
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rsync_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B rsync_log_t
-+
-+ /var/log/rsync\.log.*
-+.br
-+
-+.br
-+.B rsync_tmp_t
-+
-+
-+.br
-+.B rsync_var_run_t
-+
-+ /var/run/rsyncd\.lock
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rsync_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the rsync_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-
- .SH "SEE ALSO"
--selinux(8), rsync(1), chcon(1), setsebool(8), semanage(8)
-+selinux(8), rsync(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/rtkit_daemon_selinux.8 b/man/man8/rtkit_daemon_selinux.8
-new file mode 100644
-index 0000000..0e3bbbc
---- /dev/null
-+++ b/man/man8/rtkit_daemon_selinux.8
-@@ -0,0 +1,108 @@
-+.TH "rtkit_daemon_selinux" "8" "12-11-01" "rtkit_daemon" "SELinux Policy documentation for rtkit_daemon"
-+.SH "NAME"
-+rtkit_daemon_selinux \- Security Enhanced Linux Policy for the rtkit_daemon processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rtkit_daemon processes via flexible mandatory access control.
-+
-+The rtkit_daemon processes execute with the rtkit_daemon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rtkit_daemon_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rtkit_daemon_t SELinux type can be entered via the "rtkit_daemon_exec_t" file type. The default entrypoint paths for the rtkit_daemon_t domain are the following:"
-+
-+/usr/libexec/rtkit-daemon
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rtkit_daemon policy is very flexible allowing users to setup their rtkit_daemon processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rtkit_daemon:
-+
-+.EX
-+.B rtkit_daemon_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rtkit_daemon policy is very flexible allowing users to setup their rtkit_daemon processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rtkit_daemon:
-+
-+
-+.EX
-+.PP
-+.B rtkit_daemon_exec_t
-+.EE
-+
-+- Set files with the rtkit_daemon_exec_t type, if you want to transition an executable to the rtkit_daemon_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rtkit_daemon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rtkit_daemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the rtkit_daemon_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rtkit_daemon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/run_init_selinux.8 b/man/man8/run_init_selinux.8
-new file mode 100644
-index 0000000..69e4288
---- /dev/null
-+++ b/man/man8/run_init_selinux.8
-@@ -0,0 +1,148 @@
-+.TH "run_init_selinux" "8" "12-11-01" "run_init" "SELinux Policy documentation for run_init"
-+.SH "NAME"
-+run_init_selinux \- Security Enhanced Linux Policy for the run_init processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the run_init processes via flexible mandatory access control.
-+
-+The run_init processes execute with the run_init_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep run_init_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The run_init_t SELinux type can be entered via the "run_init_exec_t" file type. The default entrypoint paths for the run_init_t domain are the following:"
-+
-+/usr/sbin/run_init
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux run_init policy is very flexible allowing users to setup their run_init processes in as secure a method as possible.
-+.PP
-+The following process types are defined for run_init:
-+
-+.EX
-+.B run_init_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux run_init policy is very flexible allowing users to setup their run_init processes in as secure a method as possible.
-+.PP
-+The following file types are defined for run_init:
-+
-+
-+.EX
-+.PP
-+.B run_init_exec_t
-+.EE
-+
-+- Set files with the run_init_exec_t type, if you want to transition an executable to the run_init_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type run_init_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the run_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the run_init_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), run_init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/rwho_selinux.8 b/man/man8/rwho_selinux.8
-new file mode 100644
-index 0000000..6044f11
---- /dev/null
-+++ b/man/man8/rwho_selinux.8
-@@ -0,0 +1,152 @@
-+.TH "rwho_selinux" "8" "12-11-01" "rwho" "SELinux Policy documentation for rwho"
-+.SH "NAME"
-+rwho_selinux \- Security Enhanced Linux Policy for the rwho processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the rwho processes via flexible mandatory access control.
-+
-+The rwho processes execute with the rwho_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep rwho_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The rwho_t SELinux type can be entered via the "rwho_exec_t" file type. The default entrypoint paths for the rwho_t domain are the following:"
-+
-+/usr/sbin/rwhod
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible.
-+.PP
-+The following process types are defined for rwho:
-+
-+.EX
-+.B rwho_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible.
-+.PP
-+The following file types are defined for rwho:
-+
-+
-+.EX
-+.PP
-+.B rwho_exec_t
-+.EE
-+
-+- Set files with the rwho_exec_t type, if you want to transition an executable to the rwho_t domain.
-+
-+
-+.EX
-+.PP
-+.B rwho_initrc_exec_t
-+.EE
-+
-+- Set files with the rwho_initrc_exec_t type, if you want to transition an executable to the rwho_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B rwho_log_t
-+.EE
-+
-+- Set files with the rwho_log_t type, if you want to treat the data as rwho log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B rwho_spool_t
-+.EE
-+
-+- Set files with the rwho_spool_t type, if you want to store the rwho files under the /var/spool directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible.
-+.PP
-+The following port types are defined for rwho:
-+
-+.EX
-+.TP 5
-+.B rwho_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 513
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type rwho_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B rwho_log_t
-+
-+ /var/log/rwhod(/.*)?
-+.br
-+
-+.br
-+.B rwho_spool_t
-+
-+ /var/spool/rwho(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), rwho(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/samba_net_selinux.8 b/man/man8/samba_net_selinux.8
-new file mode 100644
-index 0000000..2b5c346
---- /dev/null
-+++ b/man/man8/samba_net_selinux.8
-@@ -0,0 +1,155 @@
-+.TH "samba_net_selinux" "8" "12-11-01" "samba_net" "SELinux Policy documentation for samba_net"
-+.SH "NAME"
-+samba_net_selinux \- Security Enhanced Linux Policy for the samba_net processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the samba_net processes via flexible mandatory access control.
-+
-+The samba_net processes execute with the samba_net_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep samba_net_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The samba_net_t SELinux type can be entered via the "samba_net_exec_t" file type. The default entrypoint paths for the samba_net_t domain are the following:"
-+
-+/usr/bin/net
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux samba_net policy is very flexible allowing users to setup their samba_net processes in as secure a method as possible.
-+.PP
-+The following process types are defined for samba_net:
-+
-+.EX
-+.B samba_net_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux samba_net policy is very flexible allowing users to setup their samba_net processes in as secure a method as possible.
-+.PP
-+The following file types are defined for samba_net:
-+
-+
-+.EX
-+.PP
-+.B samba_net_exec_t
-+.EE
-+
-+- Set files with the samba_net_exec_t type, if you want to transition an executable to the samba_net_t domain.
-+
-+
-+.EX
-+.PP
-+.B samba_net_tmp_t
-+.EE
-+
-+- Set files with the samba_net_tmp_t type, if you want to store samba net temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type samba_net_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B krb5_keytab_t
-+
-+ /etc/krb5\.keytab
-+.br
-+ /etc/krb5kdc/kadm5\.keytab
-+.br
-+ /var/kerberos/krb5kdc/kadm5\.keytab
-+.br
-+
-+.br
-+.B samba_net_tmp_t
-+
-+
-+.br
-+.B samba_secrets_t
-+
-+ /etc/samba/smbpasswd
-+.br
-+ /etc/samba/passdb\.tdb
-+.br
-+ /etc/samba/MACHINE\.SID
-+.br
-+ /etc/samba/secrets\.tdb
-+.br
-+
-+.br
-+.B samba_var_t
-+
-+ /var/lib/samba(/.*)?
-+.br
-+ /var/cache/samba(/.*)?
-+.br
-+ /var/spool/samba(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the samba_net_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the samba_net_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), samba_net(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, samba_unconfined_script_selinux(8), sambagui_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8
-index ca702c7..234a9c7 100644
---- a/man/man8/samba_selinux.8
-+++ b/man/man8/samba_selinux.8
-@@ -1,56 +1 @@
--.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
--.SH "NAME"
--samba_selinux \- Security Enhanced Linux Policy for Samba
--.SH "DESCRIPTION"
--
--Security-Enhanced Linux secures the Samba server via flexible mandatory access
--control.
--.SH FILE_CONTEXTS
--SELinux requires files to have an extended attribute to define the file type.
--Policy governs the access daemons have to these files.
--If you want to share files other than home directories, those files must be
--labeled samba_share_t. So if you created a special directory /var/eng, you
--would need to label the directory with the chcon tool.
--.TP
--chcon -t samba_share_t /var/eng
--.TP
--To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
--.TP
--semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"
--.TP
--This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
--.TP
--/var/eng(/.*)? system_u:object_r:samba_share_t:s0
--.TP
--Run the restorecon command to apply the changes:
--.TP
--restorecon -R -v /var/eng/
--
--.SH SHARING FILES
--If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute:
--
--setsebool -P allow_smbd_anon_write=1
--
--.SH BOOLEANS
--.br
--SELinux policy is customizable based on least access required. So by
--default SELinux policy turns off SELinux sharing of home directories and
--the use of Samba shares from a remote machine as a home directory.
--.TP
--If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean.
--.br
--
--setsebool -P samba_enable_home_dirs 1
--.TP
--If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
--.br
--
--setsebool -P use_samba_home_dirs 1
--.TP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--
--.SH AUTHOR
--This manual page was written by Dan Walsh .
--
--.SH "SEE ALSO"
--selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
-+.so man8/smbd_selinux.8
-\ No newline at end of file
-diff --git a/man/man8/samba_unconfined_script_selinux.8 b/man/man8/samba_unconfined_script_selinux.8
-new file mode 100644
-index 0000000..293e93e
---- /dev/null
-+++ b/man/man8/samba_unconfined_script_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "samba_unconfined_script_selinux" "8" "12-11-01" "samba_unconfined_script" "SELinux Policy documentation for samba_unconfined_script"
-+.SH "NAME"
-+samba_unconfined_script_selinux \- Security Enhanced Linux Policy for the samba_unconfined_script processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the samba_unconfined_script processes via flexible mandatory access control.
-+
-+The samba_unconfined_script processes execute with the samba_unconfined_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep samba_unconfined_script_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The samba_unconfined_script_t SELinux type can be entered via the "shell_exec_t,samba_unconfined_script_exec_t" file types. The default entrypoint paths for the samba_unconfined_script_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/lib/samba/scripts(/.*)?
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux samba_unconfined_script policy is very flexible allowing users to setup their samba_unconfined_script processes in as secure a method as possible.
-+.PP
-+The following process types are defined for samba_unconfined_script:
-+
-+.EX
-+.B samba_unconfined_script_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux samba_unconfined_script policy is very flexible allowing users to setup their samba_unconfined_script processes in as secure a method as possible.
-+.PP
-+The following file types are defined for samba_unconfined_script:
-+
-+
-+.EX
-+.PP
-+.B samba_unconfined_script_exec_t
-+.EE
-+
-+- Set files with the samba_unconfined_script_exec_t type, if you want to transition an executable to the samba_unconfined_script_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), samba_unconfined_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, samba_net_selinux(8), sambagui_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/sambagui_selinux.8 b/man/man8/sambagui_selinux.8
-new file mode 100644
-index 0000000..3c17297
---- /dev/null
-+++ b/man/man8/sambagui_selinux.8
-@@ -0,0 +1,128 @@
-+.TH "sambagui_selinux" "8" "12-11-01" "sambagui" "SELinux Policy documentation for sambagui"
-+.SH "NAME"
-+sambagui_selinux \- Security Enhanced Linux Policy for the sambagui processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sambagui processes via flexible mandatory access control.
-+
-+The sambagui processes execute with the sambagui_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sambagui_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sambagui_t SELinux type can be entered via the "sambagui_exec_t" file type. The default entrypoint paths for the sambagui_t domain are the following:"
-+
-+/usr/share/system-config-samba/system-config-samba-mechanism.py
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sambagui policy is very flexible allowing users to setup their sambagui processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sambagui:
-+
-+.EX
-+.B sambagui_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sambagui policy is very flexible allowing users to setup their sambagui processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sambagui:
-+
-+
-+.EX
-+.PP
-+.B sambagui_exec_t
-+.EE
-+
-+- Set files with the sambagui_exec_t type, if you want to transition an executable to the sambagui_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sambagui_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B samba_etc_t
-+
-+ /etc/samba(/.*)?
-+.br
-+
-+.br
-+.B samba_var_t
-+
-+ /var/lib/samba(/.*)?
-+.br
-+ /var/cache/samba(/.*)?
-+.br
-+ /var/spool/samba(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sambagui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the sambagui_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sambagui(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/sandbox_selinux.8 b/man/man8/sandbox_selinux.8
-new file mode 100644
-index 0000000..ee32f27
---- /dev/null
-+++ b/man/man8/sandbox_selinux.8
-@@ -0,0 +1,192 @@
-+.TH "sandbox_selinux" "8" "12-11-01" "sandbox" "SELinux Policy documentation for sandbox"
-+.SH "NAME"
-+sandbox_selinux \- Security Enhanced Linux Policy for the sandbox processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sandbox processes via flexible mandatory access control.
-+
-+The sandbox processes execute with the sandbox_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sandbox_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sandbox_t SELinux type can be entered via the "file_type" file type. The default entrypoint paths for the sandbox_t domain are the following:"
-+
-+all files on the system
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sandbox policy is very flexible allowing users to setup their sandbox processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sandbox:
-+
-+.EX
-+.B sandbox_x_client_t, sandbox_net_client_t, sandbox_xserver_t, sandbox_x_t, sandbox_web_client_t, sandbox_min_t, sandbox_net_t, sandbox_web_t, sandbox_min_client_t, sandbox_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. sandbox policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean.
-+
-+.EX
-+.B setsebool -P unconfined_chrome_sandbox_transition 1
-+.EE
-+
-+.PP
-+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean.
-+
-+.EX
-+.B setsebool -P unconfined_chrome_sandbox_transition 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sandbox policy is very flexible allowing users to setup their sandbox processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sandbox:
-+
-+
-+.EX
-+.PP
-+.B sandbox_devpts_t
-+.EE
-+
-+- Set files with the sandbox_devpts_t type, if you want to treat the files as sandbox devpts data.
-+
-+
-+.EX
-+.PP
-+.B sandbox_exec_t
-+.EE
-+
-+- Set files with the sandbox_exec_t type, if you want to transition an executable to the sandbox_t domain.
-+
-+
-+.EX
-+.PP
-+.B sandbox_file_t
-+.EE
-+
-+- Set files with the sandbox_file_t type, if you want to treat the files as sandbox content.
-+
-+
-+.EX
-+.PP
-+.B sandbox_min_client_tmpfs_t
-+.EE
-+
-+- Set files with the sandbox_min_client_tmpfs_t type, if you want to store sandbox min client files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B sandbox_net_client_tmpfs_t
-+.EE
-+
-+- Set files with the sandbox_net_client_tmpfs_t type, if you want to store sandbox net client files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B sandbox_web_client_tmpfs_t
-+.EE
-+
-+- Set files with the sandbox_web_client_tmpfs_t type, if you want to store sandbox web client files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B sandbox_x_client_tmpfs_t
-+.EE
-+
-+- Set files with the sandbox_x_client_tmpfs_t type, if you want to store sandbox x client files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B sandbox_xserver_tmpfs_t
-+.EE
-+
-+- Set files with the sandbox_xserver_tmpfs_t type, if you want to store sandbox xserver files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sandbox_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B sandbox_file_t
-+
-+
-+.br
-+.B sandbox_tmpfs_type
-+
-+ all sandbox content in tmpfs file systems
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sandbox_min_t, sandbox_net_t, sandbox_web_client_t, sandbox_xserver_t, sandbox_web_t, sandbox_x_client_t, sandbox_x_t, sandbox_net_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the sandbox_min_t, sandbox_net_t, sandbox_web_client_t, sandbox_xserver_t, sandbox_web_t, sandbox_x_client_t, sandbox_x_t, sandbox_net_client_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sandbox(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/sanlock_selinux.8 b/man/man8/sanlock_selinux.8
-new file mode 100644
-index 0000000..91bbc31
---- /dev/null
-+++ b/man/man8/sanlock_selinux.8
-@@ -0,0 +1,220 @@
-+.TH "sanlock_selinux" "8" "12-11-01" "sanlock" "SELinux Policy documentation for sanlock"
-+.SH "NAME"
-+sanlock_selinux \- Security Enhanced Linux Policy for the sanlock processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sanlock processes via flexible mandatory access control.
-+
-+The sanlock processes execute with the sanlock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sanlock_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sanlock_t SELinux type can be entered via the "sanlock_exec_t" file type. The default entrypoint paths for the sanlock_t domain are the following:"
-+
-+/usr/sbin/sanlock
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sanlock policy is very flexible allowing users to setup their sanlock processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sanlock:
-+
-+.EX
-+.B sanlock_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. sanlock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sanlock with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow sanlock to read/write fuse files, you must turn on the sanlock_use_fusefs boolean.
-+
-+.EX
-+.B setsebool -P sanlock_use_fusefs 1
-+.EE
-+
-+.PP
-+If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean.
-+
-+.EX
-+.B setsebool -P sanlock_use_samba 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean.
-+
-+.EX
-+.B setsebool -P virt_use_sanlock 1
-+.EE
-+
-+.PP
-+If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P sanlock_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow sanlock to read/write fuse files, you must turn on the sanlock_use_fusefs boolean.
-+
-+.EX
-+.B setsebool -P sanlock_use_fusefs 1
-+.EE
-+
-+.PP
-+If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean.
-+
-+.EX
-+.B setsebool -P sanlock_use_samba 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean.
-+
-+.EX
-+.B setsebool -P virt_use_sanlock 1
-+.EE
-+
-+.PP
-+If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P sanlock_use_nfs 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sanlock policy is very flexible allowing users to setup their sanlock processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sanlock:
-+
-+
-+.EX
-+.PP
-+.B sanlock_exec_t
-+.EE
-+
-+- Set files with the sanlock_exec_t type, if you want to transition an executable to the sanlock_t domain.
-+
-+
-+.EX
-+.PP
-+.B sanlock_initrc_exec_t
-+.EE
-+
-+- Set files with the sanlock_initrc_exec_t type, if you want to transition an executable to the sanlock_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B sanlock_log_t
-+.EE
-+
-+- Set files with the sanlock_log_t type, if you want to treat the data as sanlock log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B sanlock_unit_file_t
-+.EE
-+
-+- Set files with the sanlock_unit_file_t type, if you want to treat the files as sanlock unit content.
-+
-+
-+.EX
-+.PP
-+.B sanlock_var_run_t
-+.EE
-+
-+- Set files with the sanlock_var_run_t type, if you want to store the sanlock files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sanlock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B sanlock_log_t
-+
-+ /var/log/sanlock\.log.*
-+.br
-+
-+.br
-+.B sanlock_var_run_t
-+
-+ /var/run/sanlock(/.*)?
-+.br
-+
-+.br
-+.B virt_var_lib_t
-+
-+ /var/lib/oz(/.*)?
-+.br
-+ /var/lib/libvirt(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sanlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the sanlock_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sanlock(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/saslauthd_selinux.8 b/man/man8/saslauthd_selinux.8
-new file mode 100644
-index 0000000..da990ec
---- /dev/null
-+++ b/man/man8/saslauthd_selinux.8
-@@ -0,0 +1,220 @@
-+.TH "saslauthd_selinux" "8" "12-11-01" "saslauthd" "SELinux Policy documentation for saslauthd"
-+.SH "NAME"
-+saslauthd_selinux \- Security Enhanced Linux Policy for the saslauthd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the saslauthd processes via flexible mandatory access control.
-+
-+The saslauthd processes execute with the saslauthd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep saslauthd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The saslauthd_t SELinux type can be entered via the "saslauthd_exec_t" file type. The default entrypoint paths for the saslauthd_t domain are the following:"
-+
-+/usr/sbin/saslauthd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux saslauthd policy is very flexible allowing users to setup their saslauthd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for saslauthd:
-+
-+.EX
-+.B saslauthd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. saslauthd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run saslauthd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow sasl to read shadow, you must turn on the saslauthd_read_shadow boolean.
-+
-+.EX
-+.B setsebool -P saslauthd_read_shadow 1
-+.EE
-+
-+.PP
-+If you want to allow sasl to read shadow, you must turn on the saslauthd_read_shadow boolean.
-+
-+.EX
-+.B setsebool -P saslauthd_read_shadow 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux saslauthd policy is very flexible allowing users to setup their saslauthd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for saslauthd:
-+
-+
-+.EX
-+.PP
-+.B saslauthd_exec_t
-+.EE
-+
-+- Set files with the saslauthd_exec_t type, if you want to transition an executable to the saslauthd_t domain.
-+
-+
-+.EX
-+.PP
-+.B saslauthd_initrc_exec_t
-+.EE
-+
-+- Set files with the saslauthd_initrc_exec_t type, if you want to transition an executable to the saslauthd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B saslauthd_keytab_t
-+.EE
-+
-+- Set files with the saslauthd_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B saslauthd_var_run_t
-+.EE
-+
-+- Set files with the saslauthd_var_run_t type, if you want to store the saslauthd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type saslauthd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B saslauthd_var_run_t
-+
-+ /var/lib/sasl2(/.*)?
-+.br
-+ /var/run/saslauthd(/.*)?
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the saslauthd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the saslauthd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), saslauthd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/sblim_gatherd_selinux.8 b/man/man8/sblim_gatherd_selinux.8
-new file mode 100644
-index 0000000..85b84c9
---- /dev/null
-+++ b/man/man8/sblim_gatherd_selinux.8
-@@ -0,0 +1,97 @@
-+.TH "sblim_gatherd_selinux" "8" "12-11-01" "sblim_gatherd" "SELinux Policy documentation for sblim_gatherd"
-+.SH "NAME"
-+sblim_gatherd_selinux \- Security Enhanced Linux Policy for the sblim_gatherd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sblim_gatherd processes via flexible mandatory access control.
-+
-+The sblim_gatherd processes execute with the sblim_gatherd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sblim_gatherd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sblim_gatherd_t SELinux type can be entered via the "sblim_gatherd_exec_t" file type. The default entrypoint paths for the sblim_gatherd_t domain are the following:"
-+
-+/usr/sbin/gatherd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sblim_gatherd policy is very flexible allowing users to setup their sblim_gatherd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sblim_gatherd:
-+
-+.EX
-+.B sblim_gatherd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sblim_gatherd policy is very flexible allowing users to setup their sblim_gatherd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sblim_gatherd:
-+
-+
-+.EX
-+.PP
-+.B sblim_gatherd_exec_t
-+.EE
-+
-+- Set files with the sblim_gatherd_exec_t type, if you want to transition an executable to the sblim_gatherd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sblim_gatherd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B sblim_var_run_t
-+
-+ /var/run/gather(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sblim_gatherd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, sblim_reposd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/sblim_reposd_selinux.8 b/man/man8/sblim_reposd_selinux.8
-new file mode 100644
-index 0000000..10407e3
---- /dev/null
-+++ b/man/man8/sblim_reposd_selinux.8
-@@ -0,0 +1,97 @@
-+.TH "sblim_reposd_selinux" "8" "12-11-01" "sblim_reposd" "SELinux Policy documentation for sblim_reposd"
-+.SH "NAME"
-+sblim_reposd_selinux \- Security Enhanced Linux Policy for the sblim_reposd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sblim_reposd processes via flexible mandatory access control.
-+
-+The sblim_reposd processes execute with the sblim_reposd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sblim_reposd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sblim_reposd_t SELinux type can be entered via the "sblim_reposd_exec_t" file type. The default entrypoint paths for the sblim_reposd_t domain are the following:"
-+
-+/usr/sbin/reposd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sblim_reposd policy is very flexible allowing users to setup their sblim_reposd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sblim_reposd:
-+
-+.EX
-+.B sblim_reposd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sblim_reposd policy is very flexible allowing users to setup their sblim_reposd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sblim_reposd:
-+
-+
-+.EX
-+.PP
-+.B sblim_reposd_exec_t
-+.EE
-+
-+- Set files with the sblim_reposd_exec_t type, if you want to transition an executable to the sblim_reposd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sblim_reposd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B sblim_var_run_t
-+
-+ /var/run/gather(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sblim_reposd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, sblim_gatherd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/secadm_selinux.8 b/man/man8/secadm_selinux.8
-new file mode 100644
-index 0000000..bb8258d
---- /dev/null
-+++ b/man/man8/secadm_selinux.8
-@@ -0,0 +1,332 @@
-+.TH "secadm_selinux" "8" "secadm" "mgrepl@redhat.com" "secadm SELinux Policy documentation"
-+.SH "NAME"
-+secadm_r \- \fBSecurity administrator role\fP - Security Enhanced Linux Policy
-+
-+.SH DESCRIPTION
-+
-+SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into.
-+
-+.I Note:
-+Examples in this man page will use the
-+.B staff_u
-+SELinux user.
-+
-+Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them.
-+
-+The default type for the secadm_r role is secadm_t.
-+
-+The
-+.B newrole
-+program to transition directly to this role.
-+
-+.B newrole -r secadm_r -t secadm_t
-+
-+.B sudo
-+is the preferred method to do transition from one role to another. You setup sudo to transition to secadm_r by adding a similar line to the /etc/sudoers file.
-+
-+USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
-+
-+.br
-+sudo will run COMMAND as staff_u:secadm_r:secadm_t:LEVEL
-+
-+When using a a non login role, you need to setup SELinux so that your SELinux user can reach secadm_r role.
-+
-+Execute the following to see all of the assigned SELinux roles:
-+
-+.B semanage user -l
-+
-+You need to add secadm_r to the staff_u user. You could setup the staff_u user to be able to use the secadm_r role with a command like:
-+
-+.B $ semanage user -m -R 'staff_r system_r secadm_r' staff_u
-+
-+
-+
-+SELinux policy also controls which roles can transition to a different role.
-+You can list these rules using the following command.
-+
-+.B search --role_allow
-+
-+SELinux policy allows the sysadm_r, staff_r, auditadm_r roles can transition to the secadm_r role.
-+
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type secadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B boolean_type
-+
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B chrome_sandbox_tmpfs_t
-+
-+
-+.br
-+.B default_context_t
-+
-+ /etc/selinux/([^/]*/)?contexts(/.*)?
-+.br
-+ /root/\.default_contexts
-+.br
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B file_context_t
-+
-+ /etc/selinux/([^/]*/)?contexts/files(/.*)?
-+.br
-+
-+.br
-+.B games_data_t
-+
-+ /var/games(/.*)?
-+.br
-+ /var/lib/games(/.*)?
-+.br
-+
-+.br
-+.B gpg_agent_tmp_t
-+
-+ /home/[^/]*/\.gnupg/log-socket
-+.br
-+ /home/dwalsh/\.gnupg/log-socket
-+.br
-+ /var/lib/xguest/home/xguest/\.gnupg/log-socket
-+.br
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.br
-+.B mqueue_spool_t
-+
-+ /var/spool/(client)?mqueue(/.*)?
-+.br
-+ /var/spool/mqueue\.in(/.*)?
-+.br
-+
-+.br
-+.B nfsd_rw_t
-+
-+
-+.br
-+.B noxattrfs
-+
-+ all files on file systems which do not support extended attributes
-+.br
-+
-+.br
-+.B screen_home_t
-+
-+ /root/\.screen(/.*)?
-+.br
-+ /home/[^/]*/\.screen(/.*)?
-+.br
-+ /home/[^/]*/\.screenrc
-+.br
-+ /home/dwalsh/\.screen(/.*)?
-+.br
-+ /home/dwalsh/\.screenrc
-+.br
-+ /var/lib/xguest/home/xguest/\.screen(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.screenrc
-+.br
-+
-+.br
-+.B selinux_config_t
-+
-+ /etc/selinux(/.*)?
-+.br
-+ /etc/selinux/([^/]*/)?seusers
-+.br
-+ /etc/selinux/([^/]*/)?users(/.*)?
-+.br
-+ /etc/selinux/([^/]*/)?setrans\.conf
-+.br
-+
-+.br
-+.B selinux_login_config_t
-+
-+ /etc/selinux/([^/]*/)?logins(/.*)?
-+.br
-+
-+.br
-+.B semanage_store_t
-+
-+ /etc/selinux/([^/]*/)?policy(/.*)?
-+.br
-+ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
-+.br
-+ /etc/share/selinux/mls(/.*)?
-+.br
-+ /etc/share/selinux/targeted(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B usbfs_t
-+
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B user_home_type
-+
-+ all user home files
-+.br
-+
-+.br
-+.B user_tmp_type
-+
-+ all user tmp files
-+.br
-+
-+.br
-+.B user_tmpfs_type
-+
-+ all user content in tmpfs file systems
-+.br
-+
-+.br
-+.B xdm_tmp_t
-+
-+ /tmp/\.X11-unix(/.*)?
-+.br
-+ /tmp/\.ICE-unix(/.*)?
-+.br
-+ /tmp/\.X0-lock
-+.br
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), secadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/sectoolm_selinux.8 b/man/man8/sectoolm_selinux.8
-new file mode 100644
-index 0000000..145e360
---- /dev/null
-+++ b/man/man8/sectoolm_selinux.8
-@@ -0,0 +1,126 @@
-+.TH "sectoolm_selinux" "8" "12-11-01" "sectoolm" "SELinux Policy documentation for sectoolm"
-+.SH "NAME"
-+sectoolm_selinux \- Security Enhanced Linux Policy for the sectoolm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sectoolm processes via flexible mandatory access control.
-+
-+The sectoolm processes execute with the sectoolm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sectoolm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sectoolm_t SELinux type can be entered via the "sectoolm_exec_t" file type. The default entrypoint paths for the sectoolm_t domain are the following:"
-+
-+/usr/libexec/sectool-mechanism\.py
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sectoolm policy is very flexible allowing users to setup their sectoolm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sectoolm:
-+
-+.EX
-+.B sectoolm_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sectoolm policy is very flexible allowing users to setup their sectoolm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sectoolm:
-+
-+
-+.EX
-+.PP
-+.B sectoolm_exec_t
-+.EE
-+
-+- Set files with the sectoolm_exec_t type, if you want to transition an executable to the sectoolm_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sectoolm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B sectool_tmp_t
-+
-+
-+.br
-+.B sectool_var_lib_t
-+
-+ /var/lib/sectool(/.*)?
-+.br
-+
-+.br
-+.B sectool_var_log_t
-+
-+ /var/log/sectool\.log.*
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sectoolm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the sectoolm_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sectoolm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/selinux_munin_plugin_selinux.8 b/man/man8/selinux_munin_plugin_selinux.8
-new file mode 100644
-index 0000000..d4bbce9
---- /dev/null
-+++ b/man/man8/selinux_munin_plugin_selinux.8
-@@ -0,0 +1,108 @@
-+.TH "selinux_munin_plugin_selinux" "8" "12-11-01" "selinux_munin_plugin" "SELinux Policy documentation for selinux_munin_plugin"
-+.SH "NAME"
-+selinux_munin_plugin_selinux \- Security Enhanced Linux Policy for the selinux_munin_plugin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the selinux_munin_plugin processes via flexible mandatory access control.
-+
-+The selinux_munin_plugin processes execute with the selinux_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep selinux_munin_plugin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The selinux_munin_plugin_t SELinux type can be entered via the "selinux_munin_plugin_exec_t" file type. The default entrypoint paths for the selinux_munin_plugin_t domain are the following:"
-+
-+/usr/share/munin/plugins/selinux_avcstat
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux selinux_munin_plugin policy is very flexible allowing users to setup their selinux_munin_plugin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for selinux_munin_plugin:
-+
-+.EX
-+.B selinux_munin_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux selinux_munin_plugin policy is very flexible allowing users to setup their selinux_munin_plugin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for selinux_munin_plugin:
-+
-+
-+.EX
-+.PP
-+.B selinux_munin_plugin_exec_t
-+.EE
-+
-+- Set files with the selinux_munin_plugin_exec_t type, if you want to transition an executable to the selinux_munin_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B selinux_munin_plugin_tmp_t
-+.EE
-+
-+- Set files with the selinux_munin_plugin_tmp_t type, if you want to store selinux munin plugin temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type selinux_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B munin_plugin_state_t
-+
-+ /var/lib/munin/plugin-state(/.*)?
-+.br
-+
-+.br
-+.B selinux_munin_plugin_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), selinux_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/semanage_selinux.8 b/man/man8/semanage_selinux.8
-new file mode 100644
-index 0000000..d6f6031
---- /dev/null
-+++ b/man/man8/semanage_selinux.8
-@@ -0,0 +1,214 @@
-+.TH "semanage_selinux" "8" "12-11-01" "semanage" "SELinux Policy documentation for semanage"
-+.SH "NAME"
-+semanage_selinux \- Security Enhanced Linux Policy for the semanage processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the semanage processes via flexible mandatory access control.
-+
-+The semanage processes execute with the semanage_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep semanage_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The semanage_t SELinux type can be entered via the "semanage_exec_t" file type. The default entrypoint paths for the semanage_t domain are the following:"
-+
-+/usr/sbin/semanage, /usr/sbin/semodule, /usr/share/system-config-selinux/system-config-selinux-dbus\.py
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux semanage policy is very flexible allowing users to setup their semanage processes in as secure a method as possible.
-+.PP
-+The following process types are defined for semanage:
-+
-+.EX
-+.B semanage_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux semanage policy is very flexible allowing users to setup their semanage processes in as secure a method as possible.
-+.PP
-+The following file types are defined for semanage:
-+
-+
-+.EX
-+.PP
-+.B semanage_exec_t
-+.EE
-+
-+- Set files with the semanage_exec_t type, if you want to transition an executable to the semanage_t domain.
-+
-+
-+.EX
-+.PP
-+.B semanage_read_lock_t
-+.EE
-+
-+- Set files with the semanage_read_lock_t type, if you want to treat the files as semanage read lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B semanage_store_t
-+.EE
-+
-+- Set files with the semanage_store_t type, if you want to treat the files as semanage store data.
-+
-+
-+.EX
-+.PP
-+.B semanage_tmp_t
-+.EE
-+
-+- Set files with the semanage_tmp_t type, if you want to store semanage temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B semanage_trans_lock_t
-+.EE
-+
-+- Set files with the semanage_trans_lock_t type, if you want to treat the files as semanage trans lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B semanage_var_lib_t
-+.EE
-+
-+- Set files with the semanage_var_lib_t type, if you want to store the semanage files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type semanage_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B boolean_type
-+
-+
-+.br
-+.B default_context_t
-+
-+ /etc/selinux/([^/]*/)?contexts(/.*)?
-+.br
-+ /root/\.default_contexts
-+.br
-+
-+.br
-+.B file_context_t
-+
-+ /etc/selinux/([^/]*/)?contexts/files(/.*)?
-+.br
-+
-+.br
-+.B mock_var_lib_t
-+
-+ /var/lib/mock(/.*)?
-+.br
-+
-+.br
-+.B selinux_config_t
-+
-+ /etc/selinux(/.*)?
-+.br
-+ /etc/selinux/([^/]*/)?seusers
-+.br
-+ /etc/selinux/([^/]*/)?users(/.*)?
-+.br
-+ /etc/selinux/([^/]*/)?setrans\.conf
-+.br
-+
-+.br
-+.B semanage_read_lock_t
-+
-+ /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK
-+.br
-+
-+.br
-+.B semanage_store_t
-+
-+ /etc/selinux/([^/]*/)?policy(/.*)?
-+.br
-+ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
-+.br
-+ /etc/share/selinux/mls(/.*)?
-+.br
-+ /etc/share/selinux/targeted(/.*)?
-+.br
-+
-+.br
-+.B semanage_tmp_t
-+
-+
-+.br
-+.B semanage_trans_lock_t
-+
-+ /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK
-+.br
-+
-+.br
-+.B semanage_var_lib_t
-+
-+ /var/lib/selinux(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the semanage_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the semanage_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), semanage(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/sendmail_selinux.8 b/man/man8/sendmail_selinux.8
-new file mode 100644
-index 0000000..b44a2e8
---- /dev/null
-+++ b/man/man8/sendmail_selinux.8
-@@ -0,0 +1,290 @@
-+.TH "sendmail_selinux" "8" "12-11-01" "sendmail" "SELinux Policy documentation for sendmail"
-+.SH "NAME"
-+sendmail_selinux \- Security Enhanced Linux Policy for the sendmail processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sendmail processes via flexible mandatory access control.
-+
-+The sendmail processes execute with the sendmail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sendmail_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sendmail_t SELinux type can be entered via the "mta_exec_type,sendmail_exec_t" file types. The default entrypoint paths for the sendmail_t domain are the following:"
-+
-+/bin/mail(x)?, /usr/bin/mail(x)?, /usr/sbin/sendmail(\.sendmail)?, /usr/bin/esmtp, /usr/sbin/rmail, /usr/sbin/ssmtp, /usr/lib/sendmail, /var/qmail/bin/sendmail, /usr/sbin/sendmail\.postfix, /usr/lib/courier/bin/sendmail
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sendmail policy is very flexible allowing users to setup their sendmail processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sendmail:
-+
-+.EX
-+.B sendmail_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. sendmail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sendmail with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_sendmail 1
-+.EE
-+
-+.PP
-+If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean.
-+
-+.EX
-+.B setsebool -P gitosis_can_sendmail 1
-+.EE
-+
-+.PP
-+If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean.
-+
-+.EX
-+.B setsebool -P logging_syslogd_can_sendmail 1
-+.EE
-+
-+.PP
-+If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_sendmail 1
-+.EE
-+
-+.PP
-+If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean.
-+
-+.EX
-+.B setsebool -P gitosis_can_sendmail 1
-+.EE
-+
-+.PP
-+If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean.
-+
-+.EX
-+.B setsebool -P logging_syslogd_can_sendmail 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sendmail policy is very flexible allowing users to setup their sendmail processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sendmail:
-+
-+
-+.EX
-+.PP
-+.B sendmail_exec_t
-+.EE
-+
-+- Set files with the sendmail_exec_t type, if you want to transition an executable to the sendmail_t domain.
-+
-+
-+.EX
-+.PP
-+.B sendmail_initrc_exec_t
-+.EE
-+
-+- Set files with the sendmail_initrc_exec_t type, if you want to transition an executable to the sendmail_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B sendmail_keytab_t
-+.EE
-+
-+- Set files with the sendmail_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B sendmail_log_t
-+.EE
-+
-+- Set files with the sendmail_log_t type, if you want to treat the data as sendmail log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B sendmail_tmp_t
-+.EE
-+
-+- Set files with the sendmail_tmp_t type, if you want to store sendmail temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B sendmail_var_run_t
-+.EE
-+
-+- Set files with the sendmail_var_run_t type, if you want to store the sendmail files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sendmail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B dovecot_spool_t
-+
-+ /var/spool/dovecot(/.*)?
-+.br
-+
-+.br
-+.B etc_aliases_t
-+
-+ /etc/mail/aliases.*
-+.br
-+ /etc/postfix/aliases.*
-+.br
-+ /etc/aliases
-+.br
-+ /etc/aliases\.db
-+.br
-+
-+.br
-+.B exim_spool_t
-+
-+ /var/spool/exim[0-9]?(/.*)?
-+.br
-+
-+.br
-+.B initrc_tmp_t
-+
-+
-+.br
-+.B mail_home_rw_t
-+
-+ /root/Maildir(/.*)?
-+.br
-+ /home/[^/]*/Maildir(/.*)?
-+.br
-+ /home/dwalsh/Maildir(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/Maildir(/.*)?
-+.br
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.br
-+.B mqueue_spool_t
-+
-+ /var/spool/(client)?mqueue(/.*)?
-+.br
-+ /var/spool/mqueue\.in(/.*)?
-+.br
-+
-+.br
-+.B procmail_tmp_t
-+
-+
-+.br
-+.B sendmail_log_t
-+
-+ /var/log/mail(/.*)?
-+.br
-+ /var/log/sendmail\.st
-+.br
-+
-+.br
-+.B sendmail_tmp_t
-+
-+
-+.br
-+.B sendmail_var_run_t
-+
-+ /var/run/sendmail\.pid
-+.br
-+ /var/run/sm-client\.pid
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sendmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the sendmail_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sendmail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/sensord_selinux.8 b/man/man8/sensord_selinux.8
-new file mode 100644
-index 0000000..8969289
---- /dev/null
-+++ b/man/man8/sensord_selinux.8
-@@ -0,0 +1,112 @@
-+.TH "sensord_selinux" "8" "12-11-01" "sensord" "SELinux Policy documentation for sensord"
-+.SH "NAME"
-+sensord_selinux \- Security Enhanced Linux Policy for the sensord processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sensord processes via flexible mandatory access control.
-+
-+The sensord processes execute with the sensord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sensord_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sensord_t SELinux type can be entered via the "sensord_exec_t" file type. The default entrypoint paths for the sensord_t domain are the following:"
-+
-+/usr/sbin/sensord
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sensord policy is very flexible allowing users to setup their sensord processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sensord:
-+
-+.EX
-+.B sensord_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sensord policy is very flexible allowing users to setup their sensord processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sensord:
-+
-+
-+.EX
-+.PP
-+.B sensord_exec_t
-+.EE
-+
-+- Set files with the sensord_exec_t type, if you want to transition an executable to the sensord_t domain.
-+
-+
-+.EX
-+.PP
-+.B sensord_unit_file_t
-+.EE
-+
-+- Set files with the sensord_unit_file_t type, if you want to treat the files as sensord unit content.
-+
-+
-+.EX
-+.PP
-+.B sensord_var_run_t
-+.EE
-+
-+- Set files with the sensord_var_run_t type, if you want to store the sensord files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sensord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B sensord_var_run_t
-+
-+ /var/run/sensord\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sensord(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/services_munin_plugin_selinux.8 b/man/man8/services_munin_plugin_selinux.8
-new file mode 100644
-index 0000000..6e5c075
---- /dev/null
-+++ b/man/man8/services_munin_plugin_selinux.8
-@@ -0,0 +1,108 @@
-+.TH "services_munin_plugin_selinux" "8" "12-11-01" "services_munin_plugin" "SELinux Policy documentation for services_munin_plugin"
-+.SH "NAME"
-+services_munin_plugin_selinux \- Security Enhanced Linux Policy for the services_munin_plugin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the services_munin_plugin processes via flexible mandatory access control.
-+
-+The services_munin_plugin processes execute with the services_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep services_munin_plugin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The services_munin_plugin_t SELinux type can be entered via the "services_munin_plugin_exec_t" file type. The default entrypoint paths for the services_munin_plugin_t domain are the following:"
-+
-+/usr/share/munin/plugins/nut.*, /usr/share/munin/plugins/ntp_.*, /usr/share/munin/plugins/snmp_.*, /usr/share/munin/plugins/mysql_.*, /usr/share/munin/plugins/slapd_.*, /usr/share/munin/plugins/squid_.*, /usr/share/munin/plugins/apache_.*, /usr/share/munin/plugins/tomcat_.*, /usr/share/munin/plugins/varnish_.*, /usr/share/munin/plugins/asterisk_.*, /usr/share/munin/plugins/postgres_.*, /usr/share/munin/plugins/named, /usr/share/munin/plugins/ping_, /usr/share/munin/plugins/samba, /usr/share/munin/plugins/lpstat, /usr/share/munin/plugins/openvpn, /usr/share/munin/plugins/fail2ban, /usr/share/munin/plugins/http_loadtime
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux services_munin_plugin policy is very flexible allowing users to setup their services_munin_plugin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for services_munin_plugin:
-+
-+.EX
-+.B services_munin_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux services_munin_plugin policy is very flexible allowing users to setup their services_munin_plugin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for services_munin_plugin:
-+
-+
-+.EX
-+.PP
-+.B services_munin_plugin_exec_t
-+.EE
-+
-+- Set files with the services_munin_plugin_exec_t type, if you want to transition an executable to the services_munin_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B services_munin_plugin_tmp_t
-+.EE
-+
-+- Set files with the services_munin_plugin_tmp_t type, if you want to store services munin plugin temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type services_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B munin_plugin_state_t
-+
-+ /var/lib/munin/plugin-state(/.*)?
-+.br
-+
-+.br
-+.B services_munin_plugin_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), services_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/setfiles_selinux.8 b/man/man8/setfiles_selinux.8
-new file mode 100644
-index 0000000..19b8e3f
---- /dev/null
-+++ b/man/man8/setfiles_selinux.8
-@@ -0,0 +1,102 @@
-+.TH "setfiles_selinux" "8" "12-11-01" "setfiles" "SELinux Policy documentation for setfiles"
-+.SH "NAME"
-+setfiles_selinux \- Security Enhanced Linux Policy for the setfiles processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the setfiles processes via flexible mandatory access control.
-+
-+The setfiles processes execute with the setfiles_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep setfiles_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The setfiles_t SELinux type can be entered via the "setfiles_exec_t" file type. The default entrypoint paths for the setfiles_t domain are the following:"
-+
-+/sbin/setfiles.*, /usr/sbin/setfiles.*, /sbin/restorecon, /usr/sbin/restorecon
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux setfiles policy is very flexible allowing users to setup their setfiles processes in as secure a method as possible.
-+.PP
-+The following process types are defined for setfiles:
-+
-+.EX
-+.B setfiles_mac_t, setfiles_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux setfiles policy is very flexible allowing users to setup their setfiles processes in as secure a method as possible.
-+.PP
-+The following file types are defined for setfiles:
-+
-+
-+.EX
-+.PP
-+.B setfiles_exec_t
-+.EE
-+
-+- Set files with the setfiles_exec_t type, if you want to transition an executable to the setfiles_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type setfiles_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B user_home_type
-+
-+ all user home files
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), setfiles(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/setkey_selinux.8 b/man/man8/setkey_selinux.8
-new file mode 100644
-index 0000000..d2623ac
---- /dev/null
-+++ b/man/man8/setkey_selinux.8
-@@ -0,0 +1,86 @@
-+.TH "setkey_selinux" "8" "12-11-01" "setkey" "SELinux Policy documentation for setkey"
-+.SH "NAME"
-+setkey_selinux \- Security Enhanced Linux Policy for the setkey processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the setkey processes via flexible mandatory access control.
-+
-+The setkey processes execute with the setkey_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep setkey_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The setkey_t SELinux type can be entered via the "setkey_exec_t" file type. The default entrypoint paths for the setkey_t domain are the following:"
-+
-+/sbin/setkey, /usr/sbin/setkey
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux setkey policy is very flexible allowing users to setup their setkey processes in as secure a method as possible.
-+.PP
-+The following process types are defined for setkey:
-+
-+.EX
-+.B setkey_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux setkey policy is very flexible allowing users to setup their setkey processes in as secure a method as possible.
-+.PP
-+The following file types are defined for setkey:
-+
-+
-+.EX
-+.PP
-+.B setkey_exec_t
-+.EE
-+
-+- Set files with the setkey_exec_t type, if you want to transition an executable to the setkey_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), setkey(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/setrans_selinux.8 b/man/man8/setrans_selinux.8
-new file mode 100644
-index 0000000..e0a6cbb
---- /dev/null
-+++ b/man/man8/setrans_selinux.8
-@@ -0,0 +1,120 @@
-+.TH "setrans_selinux" "8" "12-11-01" "setrans" "SELinux Policy documentation for setrans"
-+.SH "NAME"
-+setrans_selinux \- Security Enhanced Linux Policy for the setrans processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the setrans processes via flexible mandatory access control.
-+
-+The setrans processes execute with the setrans_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep setrans_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The setrans_t SELinux type can be entered via the "setrans_exec_t" file type. The default entrypoint paths for the setrans_t domain are the following:"
-+
-+/sbin/mcstransd, /usr/sbin/mcstransd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux setrans policy is very flexible allowing users to setup their setrans processes in as secure a method as possible.
-+.PP
-+The following process types are defined for setrans:
-+
-+.EX
-+.B setrans_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux setrans policy is very flexible allowing users to setup their setrans processes in as secure a method as possible.
-+.PP
-+The following file types are defined for setrans:
-+
-+
-+.EX
-+.PP
-+.B setrans_exec_t
-+.EE
-+
-+- Set files with the setrans_exec_t type, if you want to transition an executable to the setrans_t domain.
-+
-+
-+.EX
-+.PP
-+.B setrans_initrc_exec_t
-+.EE
-+
-+- Set files with the setrans_initrc_exec_t type, if you want to transition an executable to the setrans_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B setrans_var_run_t
-+.EE
-+
-+- Set files with the setrans_var_run_t type, if you want to store the setrans files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type setrans_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B setrans_var_run_t
-+
-+ /var/run/setrans(/.*)?
-+.br
-+ /var/run/mcstransd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), setrans(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/setroubleshoot_fixit_selinux.8 b/man/man8/setroubleshoot_fixit_selinux.8
-new file mode 100644
-index 0000000..a0089bb
---- /dev/null
-+++ b/man/man8/setroubleshoot_fixit_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "setroubleshoot_fixit_selinux" "8" "12-11-01" "setroubleshoot_fixit" "SELinux Policy documentation for setroubleshoot_fixit"
-+.SH "NAME"
-+setroubleshoot_fixit_selinux \- Security Enhanced Linux Policy for the setroubleshoot_fixit processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the setroubleshoot_fixit processes via flexible mandatory access control.
-+
-+The setroubleshoot_fixit processes execute with the setroubleshoot_fixit_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep setroubleshoot_fixit_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The setroubleshoot_fixit_t SELinux type can be entered via the "setroubleshoot_fixit_exec_t" file type. The default entrypoint paths for the setroubleshoot_fixit_t domain are the following:"
-+
-+/usr/share/setroubleshoot/SetroubleshootFixit\.py*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux setroubleshoot_fixit policy is very flexible allowing users to setup their setroubleshoot_fixit processes in as secure a method as possible.
-+.PP
-+The following process types are defined for setroubleshoot_fixit:
-+
-+.EX
-+.B setroubleshoot_fixit_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux setroubleshoot_fixit policy is very flexible allowing users to setup their setroubleshoot_fixit processes in as secure a method as possible.
-+.PP
-+The following file types are defined for setroubleshoot_fixit:
-+
-+
-+.EX
-+.PP
-+.B setroubleshoot_fixit_exec_t
-+.EE
-+
-+- Set files with the setroubleshoot_fixit_exec_t type, if you want to transition an executable to the setroubleshoot_fixit_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the setroubleshoot_fixit_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), setroubleshoot_fixit(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setroubleshootd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/setroubleshootd_selinux.8 b/man/man8/setroubleshootd_selinux.8
-new file mode 100644
-index 0000000..66279d7
---- /dev/null
-+++ b/man/man8/setroubleshootd_selinux.8
-@@ -0,0 +1,129 @@
-+.TH "setroubleshootd_selinux" "8" "12-11-01" "setroubleshootd" "SELinux Policy documentation for setroubleshootd"
-+.SH "NAME"
-+setroubleshootd_selinux \- Security Enhanced Linux Policy for the setroubleshootd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the setroubleshootd processes via flexible mandatory access control.
-+
-+The setroubleshootd processes execute with the setroubleshootd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep setroubleshootd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The setroubleshootd_t SELinux type can be entered via the "setroubleshootd_exec_t" file type. The default entrypoint paths for the setroubleshootd_t domain are the following:"
-+
-+/usr/sbin/setroubleshootd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux setroubleshootd policy is very flexible allowing users to setup their setroubleshootd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for setroubleshootd:
-+
-+.EX
-+.B setroubleshoot_fixit_t, setroubleshootd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux setroubleshootd policy is very flexible allowing users to setup their setroubleshootd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for setroubleshootd:
-+
-+
-+.EX
-+.PP
-+.B setroubleshootd_exec_t
-+.EE
-+
-+- Set files with the setroubleshootd_exec_t type, if you want to transition an executable to the setroubleshootd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type setroubleshootd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B setroubleshoot_var_lib_t
-+
-+ /var/lib/setroubleshoot(/.*)?
-+.br
-+
-+.br
-+.B setroubleshoot_var_log_t
-+
-+ /var/log/setroubleshoot(/.*)?
-+.br
-+
-+.br
-+.B setroubleshoot_var_run_t
-+
-+ /var/run/setroubleshoot(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), setroubleshootd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setroubleshoot_fixit_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/setsebool_selinux.8 b/man/man8/setsebool_selinux.8
-new file mode 100644
-index 0000000..f7ac281
---- /dev/null
-+++ b/man/man8/setsebool_selinux.8
-@@ -0,0 +1,162 @@
-+.TH "setsebool_selinux" "8" "12-11-01" "setsebool" "SELinux Policy documentation for setsebool"
-+.SH "NAME"
-+setsebool_selinux \- Security Enhanced Linux Policy for the setsebool processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the setsebool processes via flexible mandatory access control.
-+
-+The setsebool processes execute with the setsebool_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep setsebool_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The setsebool_t SELinux type can be entered via the "setsebool_exec_t" file type. The default entrypoint paths for the setsebool_t domain are the following:"
-+
-+/usr/sbin/setsebool
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux setsebool policy is very flexible allowing users to setup their setsebool processes in as secure a method as possible.
-+.PP
-+The following process types are defined for setsebool:
-+
-+.EX
-+.B setsebool_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux setsebool policy is very flexible allowing users to setup their setsebool processes in as secure a method as possible.
-+.PP
-+The following file types are defined for setsebool:
-+
-+
-+.EX
-+.PP
-+.B setsebool_exec_t
-+.EE
-+
-+- Set files with the setsebool_exec_t type, if you want to transition an executable to the setsebool_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type setsebool_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B boolean_type
-+
-+
-+.br
-+.B default_context_t
-+
-+ /etc/selinux/([^/]*/)?contexts(/.*)?
-+.br
-+ /root/\.default_contexts
-+.br
-+
-+.br
-+.B file_context_t
-+
-+ /etc/selinux/([^/]*/)?contexts/files(/.*)?
-+.br
-+
-+.br
-+.B selinux_config_t
-+
-+ /etc/selinux(/.*)?
-+.br
-+ /etc/selinux/([^/]*/)?seusers
-+.br
-+ /etc/selinux/([^/]*/)?users(/.*)?
-+.br
-+ /etc/selinux/([^/]*/)?setrans\.conf
-+.br
-+
-+.br
-+.B semanage_read_lock_t
-+
-+ /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK
-+.br
-+
-+.br
-+.B semanage_store_t
-+
-+ /etc/selinux/([^/]*/)?policy(/.*)?
-+.br
-+ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
-+.br
-+ /etc/share/selinux/mls(/.*)?
-+.br
-+ /etc/share/selinux/targeted(/.*)?
-+.br
-+
-+.br
-+.B semanage_tmp_t
-+
-+
-+.br
-+.B semanage_trans_lock_t
-+
-+ /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setsebool_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the setsebool_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), setsebool(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/sge_execd_selinux.8 b/man/man8/sge_execd_selinux.8
-new file mode 100644
-index 0000000..169d466
---- /dev/null
-+++ b/man/man8/sge_execd_selinux.8
-@@ -0,0 +1,115 @@
-+.TH "sge_execd_selinux" "8" "12-11-01" "sge_execd" "SELinux Policy documentation for sge_execd"
-+.SH "NAME"
-+sge_execd_selinux \- Security Enhanced Linux Policy for the sge_execd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sge_execd processes via flexible mandatory access control.
-+
-+The sge_execd processes execute with the sge_execd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sge_execd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sge_execd_t SELinux type can be entered via the "sge_execd_exec_t" file type. The default entrypoint paths for the sge_execd_t domain are the following:"
-+
-+/usr/bin/sge_execd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sge_execd policy is very flexible allowing users to setup their sge_execd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sge_execd:
-+
-+.EX
-+.B sge_execd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sge_execd policy is very flexible allowing users to setup their sge_execd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sge_execd:
-+
-+
-+.EX
-+.PP
-+.B sge_execd_exec_t
-+.EE
-+
-+- Set files with the sge_execd_exec_t type, if you want to transition an executable to the sge_execd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sge_execd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B sge_spool_t
-+
-+ /var/spool/gridengine(/.*)?
-+.br
-+
-+.br
-+.B sge_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sge_execd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the sge_execd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sge_execd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, sge_job_selinux(8), sge_shepherd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/sge_job_selinux.8 b/man/man8/sge_job_selinux.8
-new file mode 100644
-index 0000000..e017c54
---- /dev/null
-+++ b/man/man8/sge_job_selinux.8
-@@ -0,0 +1,147 @@
-+.TH "sge_job_selinux" "8" "12-11-01" "sge_job" "SELinux Policy documentation for sge_job"
-+.SH "NAME"
-+sge_job_selinux \- Security Enhanced Linux Policy for the sge_job processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sge_job processes via flexible mandatory access control.
-+
-+The sge_job processes execute with the sge_job_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sge_job_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sge_job_t SELinux type can be entered via the "shell_exec_t,sge_job_exec_t" file types. The default entrypoint paths for the sge_job_t domain are the following:"
-+
-+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sge_job policy is very flexible allowing users to setup their sge_job processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sge_job:
-+
-+.EX
-+.B sge_job_ssh_t, sge_job_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sge_job policy is very flexible allowing users to setup their sge_job processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sge_job:
-+
-+
-+.EX
-+.PP
-+.B sge_job_exec_t
-+.EE
-+
-+- Set files with the sge_job_exec_t type, if you want to transition an executable to the sge_job_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sge_job_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B sge_spool_t
-+
-+ /var/spool/gridengine(/.*)?
-+.br
-+
-+.br
-+.B sge_tmp_t
-+
-+
-+.br
-+.B ssh_home_t
-+
-+ /root/\.ssh(/.*)?
-+.br
-+ /var/lib/openshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/amanda/\.ssh(/.*)?
-+.br
-+ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite/\.ssh(/.*)?
-+.br
-+ /var/lib/nocpulse/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite3/\.ssh(/.*)?
-+.br
-+ /root/\.shosts
-+.br
-+ /home/[^/]*/\.ssh(/.*)?
-+.br
-+ /home/[^/]*/\.shosts
-+.br
-+ /home/dwalsh/\.ssh(/.*)?
-+.br
-+ /home/dwalsh/\.shosts
-+.br
-+ /var/lib/xguest/home/xguest/\.ssh(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.shosts
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sge_job_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the sge_job_ssh_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sge_job(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, sge_execd_selinux(8), sge_shepherd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/sge_shepherd_selinux.8 b/man/man8/sge_shepherd_selinux.8
-new file mode 100644
-index 0000000..9a14e7d
---- /dev/null
-+++ b/man/man8/sge_shepherd_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "sge_shepherd_selinux" "8" "12-11-01" "sge_shepherd" "SELinux Policy documentation for sge_shepherd"
-+.SH "NAME"
-+sge_shepherd_selinux \- Security Enhanced Linux Policy for the sge_shepherd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sge_shepherd processes via flexible mandatory access control.
-+
-+The sge_shepherd processes execute with the sge_shepherd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sge_shepherd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sge_shepherd_t SELinux type can be entered via the "sge_shepherd_exec_t" file type. The default entrypoint paths for the sge_shepherd_t domain are the following:"
-+
-+/usr/bin/sge_shepherd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sge_shepherd policy is very flexible allowing users to setup their sge_shepherd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sge_shepherd:
-+
-+.EX
-+.B sge_shepherd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sge_shepherd policy is very flexible allowing users to setup their sge_shepherd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sge_shepherd:
-+
-+
-+.EX
-+.PP
-+.B sge_shepherd_exec_t
-+.EE
-+
-+- Set files with the sge_shepherd_exec_t type, if you want to transition an executable to the sge_shepherd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sge_shepherd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B sge_spool_t
-+
-+ /var/spool/gridengine(/.*)?
-+.br
-+
-+.br
-+.B sge_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sge_shepherd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, sge_execd_selinux(8), sge_job_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/shorewall_selinux.8 b/man/man8/shorewall_selinux.8
-new file mode 100644
-index 0000000..ef276fc
---- /dev/null
-+++ b/man/man8/shorewall_selinux.8
-@@ -0,0 +1,190 @@
-+.TH "shorewall_selinux" "8" "12-11-01" "shorewall" "SELinux Policy documentation for shorewall"
-+.SH "NAME"
-+shorewall_selinux \- Security Enhanced Linux Policy for the shorewall processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the shorewall processes via flexible mandatory access control.
-+
-+The shorewall processes execute with the shorewall_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep shorewall_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The shorewall_t SELinux type can be entered via the "shorewall_var_lib_t,shorewall_exec_t" file types. The default entrypoint paths for the shorewall_t domain are the following:"
-+
-+/var/lib/shorewall(/.*)?, /var/lib/shorewall6(/.*)?, /var/lib/shorewall-lite(/.*)?, /sbin/shorewall6?, /usr/sbin/shorewall6?, /sbin/shorewall-lite, /usr/sbin/shorewall-lite
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux shorewall policy is very flexible allowing users to setup their shorewall processes in as secure a method as possible.
-+.PP
-+The following process types are defined for shorewall:
-+
-+.EX
-+.B shorewall_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux shorewall policy is very flexible allowing users to setup their shorewall processes in as secure a method as possible.
-+.PP
-+The following file types are defined for shorewall:
-+
-+
-+.EX
-+.PP
-+.B shorewall_etc_t
-+.EE
-+
-+- Set files with the shorewall_etc_t type, if you want to store shorewall files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B shorewall_exec_t
-+.EE
-+
-+- Set files with the shorewall_exec_t type, if you want to transition an executable to the shorewall_t domain.
-+
-+
-+.EX
-+.PP
-+.B shorewall_initrc_exec_t
-+.EE
-+
-+- Set files with the shorewall_initrc_exec_t type, if you want to transition an executable to the shorewall_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B shorewall_lock_t
-+.EE
-+
-+- Set files with the shorewall_lock_t type, if you want to treat the files as shorewall lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B shorewall_log_t
-+.EE
-+
-+- Set files with the shorewall_log_t type, if you want to treat the data as shorewall log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B shorewall_tmp_t
-+.EE
-+
-+- Set files with the shorewall_tmp_t type, if you want to store shorewall temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B shorewall_var_lib_t
-+.EE
-+
-+- Set files with the shorewall_var_lib_t type, if you want to store the shorewall files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type shorewall_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B shorewall_lock_t
-+
-+ /var/lock/subsys/shorewall
-+.br
-+
-+.br
-+.B shorewall_log_t
-+
-+ /var/log/shorewall.*
-+.br
-+
-+.br
-+.B shorewall_tmp_t
-+
-+
-+.br
-+.B shorewall_var_lib_t
-+
-+ /var/lib/shorewall(/.*)?
-+.br
-+ /var/lib/shorewall6(/.*)?
-+.br
-+ /var/lib/shorewall-lite(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the shorewall_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the shorewall_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), shorewall(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/showmount_selinux.8 b/man/man8/showmount_selinux.8
-new file mode 100644
-index 0000000..906e450
---- /dev/null
-+++ b/man/man8/showmount_selinux.8
-@@ -0,0 +1,86 @@
-+.TH "showmount_selinux" "8" "12-11-01" "showmount" "SELinux Policy documentation for showmount"
-+.SH "NAME"
-+showmount_selinux \- Security Enhanced Linux Policy for the showmount processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the showmount processes via flexible mandatory access control.
-+
-+The showmount processes execute with the showmount_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep showmount_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The showmount_t SELinux type can be entered via the "showmount_exec_t" file type. The default entrypoint paths for the showmount_t domain are the following:"
-+
-+/usr/sbin/showmount
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux showmount policy is very flexible allowing users to setup their showmount processes in as secure a method as possible.
-+.PP
-+The following process types are defined for showmount:
-+
-+.EX
-+.B showmount_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux showmount policy is very flexible allowing users to setup their showmount processes in as secure a method as possible.
-+.PP
-+The following file types are defined for showmount:
-+
-+
-+.EX
-+.PP
-+.B showmount_exec_t
-+.EE
-+
-+- Set files with the showmount_exec_t type, if you want to transition an executable to the showmount_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), showmount(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/shutdown_selinux.8 b/man/man8/shutdown_selinux.8
-new file mode 100644
-index 0000000..f54ff0c
---- /dev/null
-+++ b/man/man8/shutdown_selinux.8
-@@ -0,0 +1,180 @@
-+.TH "shutdown_selinux" "8" "12-11-01" "shutdown" "SELinux Policy documentation for shutdown"
-+.SH "NAME"
-+shutdown_selinux \- Security Enhanced Linux Policy for the shutdown processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the shutdown processes via flexible mandatory access control.
-+
-+The shutdown processes execute with the shutdown_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep shutdown_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The shutdown_t SELinux type can be entered via the "shutdown_exec_t" file type. The default entrypoint paths for the shutdown_t domain are the following:"
-+
-+/sbin/shutdown, /usr/sbin/shutdown, /lib/upstart/shutdown, /usr/lib/upstart/shutdown
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux shutdown policy is very flexible allowing users to setup their shutdown processes in as secure a method as possible.
-+.PP
-+The following process types are defined for shutdown:
-+
-+.EX
-+.B shutdown_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. shutdown policy is extremely flexible and has several booleans that allow you to manipulate the policy and run shutdown with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean.
-+
-+.EX
-+.B setsebool -P httpd_graceful_shutdown 1
-+.EE
-+
-+.PP
-+If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean.
-+
-+.EX
-+.B setsebool -P httpd_graceful_shutdown 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux shutdown policy is very flexible allowing users to setup their shutdown processes in as secure a method as possible.
-+.PP
-+The following file types are defined for shutdown:
-+
-+
-+.EX
-+.PP
-+.B shutdown_etc_t
-+.EE
-+
-+- Set files with the shutdown_etc_t type, if you want to store shutdown files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B shutdown_exec_t
-+.EE
-+
-+- Set files with the shutdown_exec_t type, if you want to transition an executable to the shutdown_t domain.
-+
-+
-+.EX
-+.PP
-+.B shutdown_var_run_t
-+.EE
-+
-+- Set files with the shutdown_var_run_t type, if you want to store the shutdown files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type shutdown_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B shutdown_etc_t
-+
-+ /etc/nologin
-+.br
-+
-+.br
-+.B shutdown_var_run_t
-+
-+ /var/run/shutdown\.pid
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the shutdown_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the shutdown_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), shutdown(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/slapd_selinux.8 b/man/man8/slapd_selinux.8
-new file mode 100644
-index 0000000..b4a9ee2
---- /dev/null
-+++ b/man/man8/slapd_selinux.8
-@@ -0,0 +1,274 @@
-+.TH "slapd_selinux" "8" "12-11-01" "slapd" "SELinux Policy documentation for slapd"
-+.SH "NAME"
-+slapd_selinux \- Security Enhanced Linux Policy for the slapd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the slapd processes via flexible mandatory access control.
-+
-+The slapd processes execute with the slapd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep slapd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The slapd_t SELinux type can be entered via the "slapd_exec_t" file type. The default entrypoint paths for the slapd_t domain are the following:"
-+
-+/usr/sbin/slapd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux slapd policy is very flexible allowing users to setup their slapd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for slapd:
-+
-+.EX
-+.B slapd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux slapd policy is very flexible allowing users to setup their slapd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for slapd:
-+
-+
-+.EX
-+.PP
-+.B slapd_cert_t
-+.EE
-+
-+- Set files with the slapd_cert_t type, if you want to treat the files as slapd certificate data.
-+
-+
-+.EX
-+.PP
-+.B slapd_db_t
-+.EE
-+
-+- Set files with the slapd_db_t type, if you want to treat the files as slapd database content.
-+
-+
-+.EX
-+.PP
-+.B slapd_etc_t
-+.EE
-+
-+- Set files with the slapd_etc_t type, if you want to store slapd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B slapd_exec_t
-+.EE
-+
-+- Set files with the slapd_exec_t type, if you want to transition an executable to the slapd_t domain.
-+
-+
-+.EX
-+.PP
-+.B slapd_initrc_exec_t
-+.EE
-+
-+- Set files with the slapd_initrc_exec_t type, if you want to transition an executable to the slapd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B slapd_keytab_t
-+.EE
-+
-+- Set files with the slapd_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B slapd_lock_t
-+.EE
-+
-+- Set files with the slapd_lock_t type, if you want to treat the files as slapd lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B slapd_log_t
-+.EE
-+
-+- Set files with the slapd_log_t type, if you want to treat the data as slapd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B slapd_replog_t
-+.EE
-+
-+- Set files with the slapd_replog_t type, if you want to treat the files as slapd replog data.
-+
-+
-+.EX
-+.PP
-+.B slapd_tmp_t
-+.EE
-+
-+- Set files with the slapd_tmp_t type, if you want to store slapd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B slapd_tmpfs_t
-+.EE
-+
-+- Set files with the slapd_tmpfs_t type, if you want to store slapd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B slapd_unit_file_t
-+.EE
-+
-+- Set files with the slapd_unit_file_t type, if you want to treat the files as slapd unit content.
-+
-+
-+.EX
-+.PP
-+.B slapd_var_run_t
-+.EE
-+
-+- Set files with the slapd_var_run_t type, if you want to store the slapd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type slapd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B slapd_db_t
-+
-+ /var/lib/ldap(/.*)?
-+.br
-+ /etc/openldap/slapd\.d(/.*)?
-+.br
-+
-+.br
-+.B slapd_lock_t
-+
-+
-+.br
-+.B slapd_log_t
-+
-+
-+.br
-+.B slapd_replog_t
-+
-+ /var/lib/ldap/replog(/.*)?
-+.br
-+
-+.br
-+.B slapd_tmp_t
-+
-+
-+.br
-+.B slapd_tmpfs_t
-+
-+
-+.br
-+.B slapd_var_run_t
-+
-+ /var/run/slapd.*
-+.br
-+ /var/run/openldap(/.*)?
-+.br
-+ /var/run/ldapi
-+.br
-+ /var/run/slapd\.pid
-+.br
-+ /var/run/slapd\.args
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the slapd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the slapd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), slapd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/slpd_selinux.8 b/man/man8/slpd_selinux.8
-new file mode 100644
-index 0000000..0387935
---- /dev/null
-+++ b/man/man8/slpd_selinux.8
-@@ -0,0 +1,140 @@
-+.TH "slpd_selinux" "8" "12-11-01" "slpd" "SELinux Policy documentation for slpd"
-+.SH "NAME"
-+slpd_selinux \- Security Enhanced Linux Policy for the slpd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the slpd processes via flexible mandatory access control.
-+
-+The slpd processes execute with the slpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep slpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The slpd_t SELinux type can be entered via the "slpd_exec_t" file type. The default entrypoint paths for the slpd_t domain are the following:"
-+
-+/usr/sbin/slpd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux slpd policy is very flexible allowing users to setup their slpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for slpd:
-+
-+.EX
-+.B slpd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux slpd policy is very flexible allowing users to setup their slpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for slpd:
-+
-+
-+.EX
-+.PP
-+.B slpd_exec_t
-+.EE
-+
-+- Set files with the slpd_exec_t type, if you want to transition an executable to the slpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B slpd_initrc_exec_t
-+.EE
-+
-+- Set files with the slpd_initrc_exec_t type, if you want to transition an executable to the slpd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B slpd_var_log_t
-+.EE
-+
-+- Set files with the slpd_var_log_t type, if you want to treat the data as slpd var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B slpd_var_run_t
-+.EE
-+
-+- Set files with the slpd_var_run_t type, if you want to store the slpd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type slpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B slpd_var_log_t
-+
-+ /var/log/slpd\.log
-+.br
-+
-+.br
-+.B slpd_var_run_t
-+
-+ /var/run/slpd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the slpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the slpd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), slpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/smbcontrol_selinux.8 b/man/man8/smbcontrol_selinux.8
-new file mode 100644
-index 0000000..1b75541
---- /dev/null
-+++ b/man/man8/smbcontrol_selinux.8
-@@ -0,0 +1,100 @@
-+.TH "smbcontrol_selinux" "8" "12-11-01" "smbcontrol" "SELinux Policy documentation for smbcontrol"
-+.SH "NAME"
-+smbcontrol_selinux \- Security Enhanced Linux Policy for the smbcontrol processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the smbcontrol processes via flexible mandatory access control.
-+
-+The smbcontrol processes execute with the smbcontrol_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep smbcontrol_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The smbcontrol_t SELinux type can be entered via the "smbcontrol_exec_t" file type. The default entrypoint paths for the smbcontrol_t domain are the following:"
-+
-+/usr/bin/smbcontrol
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux smbcontrol policy is very flexible allowing users to setup their smbcontrol processes in as secure a method as possible.
-+.PP
-+The following process types are defined for smbcontrol:
-+
-+.EX
-+.B smbcontrol_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux smbcontrol policy is very flexible allowing users to setup their smbcontrol processes in as secure a method as possible.
-+.PP
-+The following file types are defined for smbcontrol:
-+
-+
-+.EX
-+.PP
-+.B smbcontrol_exec_t
-+.EE
-+
-+- Set files with the smbcontrol_exec_t type, if you want to transition an executable to the smbcontrol_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type smbcontrol_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B samba_var_t
-+
-+ /var/lib/samba(/.*)?
-+.br
-+ /var/cache/samba(/.*)?
-+.br
-+ /var/spool/samba(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), smbcontrol(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/smbd_selinux.8 b/man/man8/smbd_selinux.8
-new file mode 100644
-index 0000000..9794fdc
---- /dev/null
-+++ b/man/man8/smbd_selinux.8
-@@ -0,0 +1,421 @@
-+.TH "smbd_selinux" "8" "12-11-01" "smbd" "SELinux Policy documentation for smbd"
-+.SH "NAME"
-+smbd_selinux \- Security Enhanced Linux Policy for the smbd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the smbd processes via flexible mandatory access control.
-+
-+The smbd processes execute with the smbd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep smbd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The smbd_t SELinux type can be entered via the "smbd_exec_t" file type. The default entrypoint paths for the smbd_t domain are the following:"
-+
-+/usr/sbin/smbd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux smbd policy is very flexible allowing users to setup their smbd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for smbd:
-+
-+.EX
-+.B smbcontrol_t, smbmount_t, smbd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. smbd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run smbd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow samba to export ntfs/fusefs volumes, you must turn on the samba_share_fusefs boolean.
-+
-+.EX
-+.B setsebool -P samba_share_fusefs 1
-+.EE
-+
-+.PP
-+If you want to allow samba to share any file/directory read only, you must turn on the samba_export_all_ro boolean.
-+
-+.EX
-+.B setsebool -P samba_export_all_ro 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean.
-+
-+.EX
-+.B setsebool -P virt_use_samba 1
-+.EE
-+
-+.PP
-+If you want to allow samba to create new home directories (e.g. via PAM), you must turn on the samba_create_home_dirs boolean.
-+
-+.EX
-+.B setsebool -P samba_create_home_dirs 1
-+.EE
-+
-+.PP
-+If you want to allow samba to share users home directories, you must turn on the samba_enable_home_dirs boolean.
-+
-+.EX
-+.B setsebool -P samba_enable_home_dirs 1
-+.EE
-+
-+.PP
-+If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean.
-+
-+.EX
-+.B setsebool -P samba_share_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean.
-+
-+.EX
-+.B setsebool -P sanlock_use_samba 1
-+.EE
-+
-+.PP
-+If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean.
-+
-+.EX
-+.B setsebool -P samba_run_unconfined 1
-+.EE
-+
-+.PP
-+If you want to allow samba to act as the domain controller, add users, groups and change passwords, you must turn on the samba_domain_controller boolean.
-+
-+.EX
-+.B setsebool -P samba_domain_controller 1
-+.EE
-+
-+.PP
-+If you want to allow samba to share any file/directory read/write, you must turn on the samba_export_all_rw boolean.
-+
-+.EX
-+.B setsebool -P samba_export_all_rw 1
-+.EE
-+
-+.PP
-+If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean.
-+
-+.EX
-+.B setsebool -P samba_portmapper 1
-+.EE
-+
-+.PP
-+If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean.
-+
-+.EX
-+.B setsebool -P use_samba_home_dirs 1
-+.EE
-+
-+.SH SHARING FILES
-+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
-+.TP
-+Allow smbd servers to read the /var/smbd directory by adding the public_content_t file type to the directory and by restoring the file type.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_t "/var/smbd(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/smbd
-+.pp
-+.TP
-+Allow smbd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_smbdd_anon_write boolean to be set.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_rw_t "/var/smbd/incoming(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/smbd/incoming
-+
-+
-+.PP
-+If you want to allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the smbd_anon_write boolean.
-+
-+.EX
-+.B setsebool -P smbd_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the smbd_anon_write boolean.
-+
-+.EX
-+.B setsebool -P smbd_anon_write 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux smbd policy is very flexible allowing users to setup their smbd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for smbd:
-+
-+
-+.EX
-+.PP
-+.B smbd_exec_t
-+.EE
-+
-+- Set files with the smbd_exec_t type, if you want to transition an executable to the smbd_t domain.
-+
-+
-+.EX
-+.PP
-+.B smbd_keytab_t
-+.EE
-+
-+- Set files with the smbd_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B smbd_tmp_t
-+.EE
-+
-+- Set files with the smbd_tmp_t type, if you want to store smbd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B smbd_var_run_t
-+.EE
-+
-+- Set files with the smbd_var_run_t type, if you want to store the smbd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux smbd policy is very flexible allowing users to setup their smbd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for smbd:
-+
-+.EX
-+.TP 5
-+.B smbd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 137-139,445
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type smbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B ctdbd_var_lib_t
-+
-+ /etc/ctdb(/.*)?
-+.br
-+ /var/ctdb(/.*)?
-+.br
-+ /var/ctdbd(/.*)?
-+.br
-+ /var/lib/ctdbd(/.*)?
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B nmbd_var_run_t
-+
-+ /var/run/nmbd(/.*)?
-+.br
-+ /var/run/samba/nmbd(/.*)?
-+.br
-+ /var/run/samba/nmbd\.pid
-+.br
-+ /var/run/samba/messages\.tdb
-+.br
-+ /var/run/samba/namelist\.debug
-+.br
-+ /var/run/samba/unexpected\.tdb
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B samba_etc_t
-+
-+ /etc/samba(/.*)?
-+.br
-+
-+.br
-+.B samba_log_t
-+
-+ /var/log/samba(/.*)?
-+.br
-+
-+.br
-+.B samba_secrets_t
-+
-+ /etc/samba/smbpasswd
-+.br
-+ /etc/samba/passdb\.tdb
-+.br
-+ /etc/samba/MACHINE\.SID
-+.br
-+ /etc/samba/secrets\.tdb
-+.br
-+
-+.br
-+.B samba_share_t
-+
-+ use this label for random content that will be shared using samba
-+.br
-+
-+.br
-+.B samba_var_t
-+
-+ /var/lib/samba(/.*)?
-+.br
-+ /var/cache/samba(/.*)?
-+.br
-+ /var/spool/samba(/.*)?
-+.br
-+
-+.br
-+.B smbd_tmp_t
-+
-+
-+.br
-+.B smbd_var_run_t
-+
-+ /var/run/samba(/.*)?
-+.br
-+ /var/run/samba/smbd\.pid
-+.br
-+ /var/run/samba/brlock\.tdb
-+.br
-+ /var/run/samba/locking\.tdb
-+.br
-+ /var/run/samba/gencache\.tdb
-+.br
-+ /var/run/samba/sessionid\.tdb
-+.br
-+ /var/run/samba/share_info\.tdb
-+.br
-+ /var/run/samba/connections\.tdb
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smbmount_t, smbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the smbmount_t, smbd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), smbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), smbcontrol_selinux(8), smbmount_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/smbmount_selinux.8 b/man/man8/smbmount_selinux.8
-new file mode 100644
-index 0000000..33aaac3
---- /dev/null
-+++ b/man/man8/smbmount_selinux.8
-@@ -0,0 +1,186 @@
-+.TH "smbmount_selinux" "8" "12-11-01" "smbmount" "SELinux Policy documentation for smbmount"
-+.SH "NAME"
-+smbmount_selinux \- Security Enhanced Linux Policy for the smbmount processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the smbmount processes via flexible mandatory access control.
-+
-+The smbmount processes execute with the smbmount_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep smbmount_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The smbmount_t SELinux type can be entered via the "smbmount_exec_t" file type. The default entrypoint paths for the smbmount_t domain are the following:"
-+
-+/usr/bin/smbmnt, /usr/bin/smbmount
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux smbmount policy is very flexible allowing users to setup their smbmount processes in as secure a method as possible.
-+.PP
-+The following process types are defined for smbmount:
-+
-+.EX
-+.B smbmount_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux smbmount policy is very flexible allowing users to setup their smbmount processes in as secure a method as possible.
-+.PP
-+The following file types are defined for smbmount:
-+
-+
-+.EX
-+.PP
-+.B smbmount_exec_t
-+.EE
-+
-+- Set files with the smbmount_exec_t type, if you want to transition an executable to the smbmount_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type smbmount_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B samba_log_t
-+
-+ /var/log/samba(/.*)?
-+.br
-+
-+.br
-+.B samba_secrets_t
-+
-+ /etc/samba/smbpasswd
-+.br
-+ /etc/samba/passdb\.tdb
-+.br
-+ /etc/samba/MACHINE\.SID
-+.br
-+ /etc/samba/secrets\.tdb
-+.br
-+
-+.br
-+.B samba_var_t
-+
-+ /var/lib/samba(/.*)?
-+.br
-+ /var/cache/samba(/.*)?
-+.br
-+ /var/spool/samba(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smbmount_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the smbmount_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), smbmount(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/smokeping_selinux.8 b/man/man8/smokeping_selinux.8
-new file mode 100644
-index 0000000..63d78f7
---- /dev/null
-+++ b/man/man8/smokeping_selinux.8
-@@ -0,0 +1,140 @@
-+.TH "smokeping_selinux" "8" "12-11-01" "smokeping" "SELinux Policy documentation for smokeping"
-+.SH "NAME"
-+smokeping_selinux \- Security Enhanced Linux Policy for the smokeping processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the smokeping processes via flexible mandatory access control.
-+
-+The smokeping processes execute with the smokeping_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep smokeping_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The smokeping_t SELinux type can be entered via the "smokeping_exec_t" file type. The default entrypoint paths for the smokeping_t domain are the following:"
-+
-+/usr/sbin/smokeping
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux smokeping policy is very flexible allowing users to setup their smokeping processes in as secure a method as possible.
-+.PP
-+The following process types are defined for smokeping:
-+
-+.EX
-+.B smokeping_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux smokeping policy is very flexible allowing users to setup their smokeping processes in as secure a method as possible.
-+.PP
-+The following file types are defined for smokeping:
-+
-+
-+.EX
-+.PP
-+.B smokeping_exec_t
-+.EE
-+
-+- Set files with the smokeping_exec_t type, if you want to transition an executable to the smokeping_t domain.
-+
-+
-+.EX
-+.PP
-+.B smokeping_initrc_exec_t
-+.EE
-+
-+- Set files with the smokeping_initrc_exec_t type, if you want to transition an executable to the smokeping_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B smokeping_var_lib_t
-+.EE
-+
-+- Set files with the smokeping_var_lib_t type, if you want to store the smokeping files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B smokeping_var_run_t
-+.EE
-+
-+- Set files with the smokeping_var_run_t type, if you want to store the smokeping files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type smokeping_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B smokeping_var_lib_t
-+
-+ /var/lib/smokeping(/.*)?
-+.br
-+
-+.br
-+.B smokeping_var_run_t
-+
-+ /var/run/smokeping(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smokeping_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the smokeping_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), smokeping(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/smoltclient_selinux.8 b/man/man8/smoltclient_selinux.8
-new file mode 100644
-index 0000000..088e814
---- /dev/null
-+++ b/man/man8/smoltclient_selinux.8
-@@ -0,0 +1,116 @@
-+.TH "smoltclient_selinux" "8" "12-11-01" "smoltclient" "SELinux Policy documentation for smoltclient"
-+.SH "NAME"
-+smoltclient_selinux \- Security Enhanced Linux Policy for the smoltclient processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the smoltclient processes via flexible mandatory access control.
-+
-+The smoltclient processes execute with the smoltclient_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep smoltclient_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The smoltclient_t SELinux type can be entered via the "smoltclient_exec_t" file type. The default entrypoint paths for the smoltclient_t domain are the following:"
-+
-+/usr/share/smolt/client/sendProfile.py
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux smoltclient policy is very flexible allowing users to setup their smoltclient processes in as secure a method as possible.
-+.PP
-+The following process types are defined for smoltclient:
-+
-+.EX
-+.B smoltclient_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux smoltclient policy is very flexible allowing users to setup their smoltclient processes in as secure a method as possible.
-+.PP
-+The following file types are defined for smoltclient:
-+
-+
-+.EX
-+.PP
-+.B smoltclient_exec_t
-+.EE
-+
-+- Set files with the smoltclient_exec_t type, if you want to transition an executable to the smoltclient_t domain.
-+
-+
-+.EX
-+.PP
-+.B smoltclient_tmp_t
-+.EE
-+
-+- Set files with the smoltclient_tmp_t type, if you want to store smoltclient temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type smoltclient_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B smoltclient_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smoltclient_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the smoltclient_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), smoltclient(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/snmpd_selinux.8 b/man/man8/snmpd_selinux.8
-new file mode 100644
-index 0000000..2987987
---- /dev/null
-+++ b/man/man8/snmpd_selinux.8
-@@ -0,0 +1,194 @@
-+.TH "snmpd_selinux" "8" "12-11-01" "snmpd" "SELinux Policy documentation for snmpd"
-+.SH "NAME"
-+snmpd_selinux \- Security Enhanced Linux Policy for the snmpd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the snmpd processes via flexible mandatory access control.
-+
-+The snmpd processes execute with the snmpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep snmpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The snmpd_t SELinux type can be entered via the "snmpd_exec_t" file type. The default entrypoint paths for the snmpd_t domain are the following:"
-+
-+/usr/sbin/snmp(trap)?d
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for snmpd:
-+
-+.EX
-+.B snmpd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for snmpd:
-+
-+
-+.EX
-+.PP
-+.B snmpd_exec_t
-+.EE
-+
-+- Set files with the snmpd_exec_t type, if you want to transition an executable to the snmpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B snmpd_initrc_exec_t
-+.EE
-+
-+- Set files with the snmpd_initrc_exec_t type, if you want to transition an executable to the snmpd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B snmpd_log_t
-+.EE
-+
-+- Set files with the snmpd_log_t type, if you want to treat the data as snmpd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B snmpd_var_lib_t
-+.EE
-+
-+- Set files with the snmpd_var_lib_t type, if you want to store the snmpd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B snmpd_var_run_t
-+.EE
-+
-+- Set files with the snmpd_var_run_t type, if you want to store the snmpd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for snmpd:
-+
-+.EX
-+.TP 5
-+.B snmp_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 161-162,199,1161
-+.EE
-+udp 161-162
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type snmpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B snmpd_log_t
-+
-+ /var/log/snmpd\.log.*
-+.br
-+
-+.br
-+.B snmpd_var_lib_t
-+
-+ /var/agentx(/.*)?
-+.br
-+ /var/lib/snmp(/.*)?
-+.br
-+ /var/net-snmp(/.*)?
-+.br
-+ /var/lib/net-snmp(/.*)?
-+.br
-+ /usr/share/snmp/mibs/\.index
-+.br
-+
-+.br
-+.B snmpd_var_run_t
-+
-+ /var/run/snmpd(/.*)?
-+.br
-+ /var/run/net-snmpd(/.*)?
-+.br
-+ /var/run/snmpd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the snmpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the snmpd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), snmpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/snort_selinux.8 b/man/man8/snort_selinux.8
-new file mode 100644
-index 0000000..6c1bac3
---- /dev/null
-+++ b/man/man8/snort_selinux.8
-@@ -0,0 +1,154 @@
-+.TH "snort_selinux" "8" "12-11-01" "snort" "SELinux Policy documentation for snort"
-+.SH "NAME"
-+snort_selinux \- Security Enhanced Linux Policy for the snort processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the snort processes via flexible mandatory access control.
-+
-+The snort processes execute with the snort_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep snort_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The snort_t SELinux type can be entered via the "snort_exec_t" file type. The default entrypoint paths for the snort_t domain are the following:"
-+
-+/usr/s?bin/snort, /usr/sbin/snort-plain
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux snort policy is very flexible allowing users to setup their snort processes in as secure a method as possible.
-+.PP
-+The following process types are defined for snort:
-+
-+.EX
-+.B snort_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux snort policy is very flexible allowing users to setup their snort processes in as secure a method as possible.
-+.PP
-+The following file types are defined for snort:
-+
-+
-+.EX
-+.PP
-+.B snort_etc_t
-+.EE
-+
-+- Set files with the snort_etc_t type, if you want to store snort files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B snort_exec_t
-+.EE
-+
-+- Set files with the snort_exec_t type, if you want to transition an executable to the snort_t domain.
-+
-+
-+.EX
-+.PP
-+.B snort_initrc_exec_t
-+.EE
-+
-+- Set files with the snort_initrc_exec_t type, if you want to transition an executable to the snort_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B snort_log_t
-+.EE
-+
-+- Set files with the snort_log_t type, if you want to treat the data as snort log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B snort_tmp_t
-+.EE
-+
-+- Set files with the snort_tmp_t type, if you want to store snort temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B snort_var_run_t
-+.EE
-+
-+- Set files with the snort_var_run_t type, if you want to store the snort files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type snort_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B prelude_spool_t
-+
-+ /var/spool/prelude(/.*)?
-+.br
-+ /var/spool/prelude-manager(/.*)?
-+.br
-+
-+.br
-+.B snort_log_t
-+
-+ /var/log/snort(/.*)?
-+.br
-+
-+.br
-+.B snort_tmp_t
-+
-+
-+.br
-+.B snort_var_run_t
-+
-+ /var/run/snort.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), snort(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/sosreport_selinux.8 b/man/man8/sosreport_selinux.8
-new file mode 100644
-index 0000000..b4723c2
---- /dev/null
-+++ b/man/man8/sosreport_selinux.8
-@@ -0,0 +1,206 @@
-+.TH "sosreport_selinux" "8" "12-11-01" "sosreport" "SELinux Policy documentation for sosreport"
-+.SH "NAME"
-+sosreport_selinux \- Security Enhanced Linux Policy for the sosreport processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sosreport processes via flexible mandatory access control.
-+
-+The sosreport processes execute with the sosreport_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sosreport_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sosreport_t SELinux type can be entered via the "sosreport_exec_t" file type. The default entrypoint paths for the sosreport_t domain are the following:"
-+
-+/usr/sbin/sosreport
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sosreport policy is very flexible allowing users to setup their sosreport processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sosreport:
-+
-+.EX
-+.B sosreport_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sosreport policy is very flexible allowing users to setup their sosreport processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sosreport:
-+
-+
-+.EX
-+.PP
-+.B sosreport_exec_t
-+.EE
-+
-+- Set files with the sosreport_exec_t type, if you want to transition an executable to the sosreport_t domain.
-+
-+
-+.EX
-+.PP
-+.B sosreport_tmp_t
-+.EE
-+
-+- Set files with the sosreport_tmp_t type, if you want to store sosreport temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B sosreport_tmpfs_t
-+.EE
-+
-+- Set files with the sosreport_tmpfs_t type, if you want to store sosreport files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sosreport_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B abrt_var_cache_t
-+
-+ /var/cache/abrt(/.*)?
-+.br
-+ /var/spool/abrt(/.*)?
-+.br
-+ /var/cache/abrt-di(/.*)?
-+.br
-+
-+.br
-+.B abrt_var_run_t
-+
-+ /var/run/abrt(/.*)?
-+.br
-+ /var/run/abrtd?\.lock
-+.br
-+ /var/run/abrtd?\.socket
-+.br
-+ /var/run/abrt\.pid
-+.br
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B sosreport_tmp_t
-+
-+ /.ismount-test-file
-+.br
-+
-+.br
-+.B sosreport_tmpfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sosreport_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the sosreport_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sosreport(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/soundd_selinux.8 b/man/man8/soundd_selinux.8
-new file mode 100644
-index 0000000..4f05705
---- /dev/null
-+++ b/man/man8/soundd_selinux.8
-@@ -0,0 +1,186 @@
-+.TH "soundd_selinux" "8" "12-11-01" "soundd" "SELinux Policy documentation for soundd"
-+.SH "NAME"
-+soundd_selinux \- Security Enhanced Linux Policy for the soundd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the soundd processes via flexible mandatory access control.
-+
-+The soundd processes execute with the soundd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep soundd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The soundd_t SELinux type can be entered via the "soundd_exec_t" file type. The default entrypoint paths for the soundd_t domain are the following:"
-+
-+/usr/bin/nasd, /usr/sbin/yiff, /usr/bin/gpe-soundserver
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux soundd policy is very flexible allowing users to setup their soundd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for soundd:
-+
-+.EX
-+.B soundd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux soundd policy is very flexible allowing users to setup their soundd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for soundd:
-+
-+
-+.EX
-+.PP
-+.B soundd_etc_t
-+.EE
-+
-+- Set files with the soundd_etc_t type, if you want to store soundd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B soundd_exec_t
-+.EE
-+
-+- Set files with the soundd_exec_t type, if you want to transition an executable to the soundd_t domain.
-+
-+
-+.EX
-+.PP
-+.B soundd_initrc_exec_t
-+.EE
-+
-+- Set files with the soundd_initrc_exec_t type, if you want to transition an executable to the soundd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B soundd_state_t
-+.EE
-+
-+- Set files with the soundd_state_t type, if you want to treat the files as soundd state data.
-+
-+
-+.EX
-+.PP
-+.B soundd_tmp_t
-+.EE
-+
-+- Set files with the soundd_tmp_t type, if you want to store soundd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B soundd_tmpfs_t
-+.EE
-+
-+- Set files with the soundd_tmpfs_t type, if you want to store soundd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B soundd_var_run_t
-+.EE
-+
-+- Set files with the soundd_var_run_t type, if you want to store the soundd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux soundd policy is very flexible allowing users to setup their soundd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for soundd:
-+
-+.EX
-+.TP 5
-+.B soundd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 8000,9433,16001
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type soundd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B soundd_state_t
-+
-+ /var/state/yiff(/.*)?
-+.br
-+
-+.br
-+.B soundd_tmp_t
-+
-+
-+.br
-+.B soundd_tmpfs_t
-+
-+
-+.br
-+.B soundd_var_run_t
-+
-+ /var/run/nasd(/.*)?
-+.br
-+ /var/run/yiff-[0-9]+\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), soundd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/spamass_milter_selinux.8 b/man/man8/spamass_milter_selinux.8
-new file mode 100644
-index 0000000..8dd4096
---- /dev/null
-+++ b/man/man8/spamass_milter_selinux.8
-@@ -0,0 +1,132 @@
-+.TH "spamass_milter_selinux" "8" "12-11-01" "spamass_milter" "SELinux Policy documentation for spamass_milter"
-+.SH "NAME"
-+spamass_milter_selinux \- Security Enhanced Linux Policy for the spamass_milter processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the spamass_milter processes via flexible mandatory access control.
-+
-+The spamass_milter processes execute with the spamass_milter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep spamass_milter_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The spamass_milter_t SELinux type can be entered via the "spamass_milter_exec_t" file type. The default entrypoint paths for the spamass_milter_t domain are the following:"
-+
-+/usr/sbin/spamass-milter
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux spamass_milter policy is very flexible allowing users to setup their spamass_milter processes in as secure a method as possible.
-+.PP
-+The following process types are defined for spamass_milter:
-+
-+.EX
-+.B spamass_milter_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux spamass_milter policy is very flexible allowing users to setup their spamass_milter processes in as secure a method as possible.
-+.PP
-+The following file types are defined for spamass_milter:
-+
-+
-+.EX
-+.PP
-+.B spamass_milter_data_t
-+.EE
-+
-+- Set files with the spamass_milter_data_t type, if you want to treat the files as spamass milter content.
-+
-+
-+.EX
-+.PP
-+.B spamass_milter_exec_t
-+.EE
-+
-+- Set files with the spamass_milter_exec_t type, if you want to transition an executable to the spamass_milter_t domain.
-+
-+
-+.EX
-+.PP
-+.B spamass_milter_state_t
-+.EE
-+
-+- Set files with the spamass_milter_state_t type, if you want to treat the files as spamass milter state data.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type spamass_milter_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B spamass_milter_data_t
-+
-+ /var/run/spamass(/.*)?
-+.br
-+ /var/run/spamass-milter(/.*)?
-+.br
-+ /var/spool/postfix/spamass(/.*)?
-+.br
-+ /var/run/spamass-milter\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamass_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the spamass_milter_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), spamass_milter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/spamc_selinux.8 b/man/man8/spamc_selinux.8
-new file mode 100644
-index 0000000..ee04299
---- /dev/null
-+++ b/man/man8/spamc_selinux.8
-@@ -0,0 +1,172 @@
-+.TH "spamc_selinux" "8" "12-11-01" "spamc" "SELinux Policy documentation for spamc"
-+.SH "NAME"
-+spamc_selinux \- Security Enhanced Linux Policy for the spamc processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the spamc processes via flexible mandatory access control.
-+
-+The spamc processes execute with the spamc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep spamc_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The spamc_t SELinux type can be entered via the "spamc_exec_t" file type. The default entrypoint paths for the spamc_t domain are the following:"
-+
-+/usr/bin/razor.*, /usr/bin/spamc, /usr/bin/pyzor, /usr/bin/sa-learn, /usr/bin/spamassassin
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux spamc policy is very flexible allowing users to setup their spamc processes in as secure a method as possible.
-+.PP
-+The following process types are defined for spamc:
-+
-+.EX
-+.B spamc_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux spamc policy is very flexible allowing users to setup their spamc processes in as secure a method as possible.
-+.PP
-+The following file types are defined for spamc:
-+
-+
-+.EX
-+.PP
-+.B spamc_exec_t
-+.EE
-+
-+- Set files with the spamc_exec_t type, if you want to transition an executable to the spamc_t domain.
-+
-+
-+.EX
-+.PP
-+.B spamc_home_t
-+.EE
-+
-+- Set files with the spamc_home_t type, if you want to store spamc files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B spamc_tmp_t
-+.EE
-+
-+- Set files with the spamc_tmp_t type, if you want to store spamc temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type spamc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B amavis_spool_t
-+
-+ /var/spool/amavisd(/.*)?
-+.br
-+
-+.br
-+.B spamass_milter_state_t
-+
-+ /var/lib/spamass-milter(/.*)?
-+.br
-+
-+.br
-+.B spamc_home_t
-+
-+ /root/\.pyzor(/.*)?
-+.br
-+ /root/\.spamd(/.*)?
-+.br
-+ /root/\.razor(/.*)?
-+.br
-+ /root/\.spamassassin(/.*)?
-+.br
-+ /home/[^/]*/\.pyzor(/.*)?
-+.br
-+ /home/[^/]*/\.spamd(/.*)?
-+.br
-+ /home/[^/]*/\.razor(/.*)?
-+.br
-+ /home/[^/]*/\.spamassassin(/.*)?
-+.br
-+ /home/dwalsh/\.pyzor(/.*)?
-+.br
-+ /home/dwalsh/\.spamd(/.*)?
-+.br
-+ /home/dwalsh/\.razor(/.*)?
-+.br
-+ /home/dwalsh/\.spamassassin(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.pyzor(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.spamd(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.razor(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.spamassassin(/.*)?
-+.br
-+
-+.br
-+.B spamc_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the spamc_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), spamc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/spamd_selinux.8 b/man/man8/spamd_selinux.8
-new file mode 100644
-index 0000000..11a86c5
---- /dev/null
-+++ b/man/man8/spamd_selinux.8
-@@ -0,0 +1,378 @@
-+.TH "spamd_selinux" "8" "12-11-01" "spamd" "SELinux Policy documentation for spamd"
-+.SH "NAME"
-+spamd_selinux \- Security Enhanced Linux Policy for the spamd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the spamd processes via flexible mandatory access control.
-+
-+The spamd processes execute with the spamd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep spamd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The spamd_t SELinux type can be entered via the "spamd_exec_t" file type. The default entrypoint paths for the spamd_t domain are the following:"
-+
-+/usr/bin/spamd, /usr/sbin/spamd, /usr/bin/pyzord, /usr/sbin/spampd, /usr/bin/mimedefang, /usr/bin/mimedefang-multiplexor
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux spamd policy is very flexible allowing users to setup their spamd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for spamd:
-+
-+.EX
-+.B spamc_t, spamd_t, spamd_update_t, spamass_milter_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. spamd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run spamd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow user spamassassin clients to use the network, you must turn on the spamassassin_can_network boolean.
-+
-+.EX
-+.B setsebool -P spamassassin_can_network 1
-+.EE
-+
-+.PP
-+If you want to allow spamd to read/write user home directories, you must turn on the spamd_enable_home_dirs boolean.
-+
-+.EX
-+.B setsebool -P spamd_enable_home_dirs 1
-+.EE
-+
-+.PP
-+If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_check_spam 1
-+.EE
-+
-+.PP
-+If you want to allow user spamassassin clients to use the network, you must turn on the spamassassin_can_network boolean.
-+
-+.EX
-+.B setsebool -P spamassassin_can_network 1
-+.EE
-+
-+.PP
-+If you want to allow spamd to read/write user home directories, you must turn on the spamd_enable_home_dirs boolean.
-+
-+.EX
-+.B setsebool -P spamd_enable_home_dirs 1
-+.EE
-+
-+.PP
-+If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_check_spam 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux spamd policy is very flexible allowing users to setup their spamd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for spamd:
-+
-+
-+.EX
-+.PP
-+.B spamd_compiled_t
-+.EE
-+
-+- Set files with the spamd_compiled_t type, if you want to treat the files as spamd compiled data.
-+
-+
-+.EX
-+.PP
-+.B spamd_etc_t
-+.EE
-+
-+- Set files with the spamd_etc_t type, if you want to store spamd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B spamd_exec_t
-+.EE
-+
-+- Set files with the spamd_exec_t type, if you want to transition an executable to the spamd_t domain.
-+
-+
-+.EX
-+.PP
-+.B spamd_initrc_exec_t
-+.EE
-+
-+- Set files with the spamd_initrc_exec_t type, if you want to transition an executable to the spamd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B spamd_log_t
-+.EE
-+
-+- Set files with the spamd_log_t type, if you want to treat the data as spamd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B spamd_spool_t
-+.EE
-+
-+- Set files with the spamd_spool_t type, if you want to store the spamd files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B spamd_tmp_t
-+.EE
-+
-+- Set files with the spamd_tmp_t type, if you want to store spamd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B spamd_update_exec_t
-+.EE
-+
-+- Set files with the spamd_update_exec_t type, if you want to transition an executable to the spamd_update_t domain.
-+
-+
-+.EX
-+.PP
-+.B spamd_var_lib_t
-+.EE
-+
-+- Set files with the spamd_var_lib_t type, if you want to store the spamd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B spamd_var_run_t
-+.EE
-+
-+- Set files with the spamd_var_run_t type, if you want to store the spamd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux spamd policy is very flexible allowing users to setup their spamd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for spamd:
-+
-+.EX
-+.TP 5
-+.B spamd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 783,10026,10027
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type spamd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B amavis_var_lib_t
-+
-+ /var/amavis(/.*)?
-+.br
-+ /var/lib/amavis(/.*)?
-+.br
-+
-+.br
-+.B exim_spool_t
-+
-+ /var/spool/exim[0-9]?(/.*)?
-+.br
-+
-+.br
-+.B spamass_milter_state_t
-+
-+ /var/lib/spamass-milter(/.*)?
-+.br
-+
-+.br
-+.B spamc_home_t
-+
-+ /root/\.pyzor(/.*)?
-+.br
-+ /root/\.spamd(/.*)?
-+.br
-+ /root/\.razor(/.*)?
-+.br
-+ /root/\.spamassassin(/.*)?
-+.br
-+ /home/[^/]*/\.pyzor(/.*)?
-+.br
-+ /home/[^/]*/\.spamd(/.*)?
-+.br
-+ /home/[^/]*/\.razor(/.*)?
-+.br
-+ /home/[^/]*/\.spamassassin(/.*)?
-+.br
-+ /home/dwalsh/\.pyzor(/.*)?
-+.br
-+ /home/dwalsh/\.spamd(/.*)?
-+.br
-+ /home/dwalsh/\.razor(/.*)?
-+.br
-+ /home/dwalsh/\.spamassassin(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.pyzor(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.spamd(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.razor(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.spamassassin(/.*)?
-+.br
-+
-+.br
-+.B spamd_compiled_t
-+
-+ /var/lib/spamassassin/compiled(/.*)?
-+.br
-+
-+.br
-+.B spamd_etc_t
-+
-+ /etc/pyzor(/.*)?
-+.br
-+ /etc/razor(/.*)?
-+.br
-+
-+.br
-+.B spamd_log_t
-+
-+ /var/log/spamd\.log.*
-+.br
-+ /var/log/pyzord\.log.*
-+.br
-+ /var/log/razor-agent\.log.*
-+.br
-+ /var/log/mimedefang
-+.br
-+
-+.br
-+.B spamd_spool_t
-+
-+ /var/spool/spamd(/.*)?
-+.br
-+ /var/spool/spampd(/.*)?
-+.br
-+ /var/spool/spamassassin(/.*)?
-+.br
-+
-+.br
-+.B spamd_tmp_t
-+
-+
-+.br
-+.B spamd_var_lib_t
-+
-+ /var/lib/razor(/.*)?
-+.br
-+ /var/lib/pyzord(/.*)?
-+.br
-+ /var/lib/spamassassin(/.*)?
-+.br
-+
-+.br
-+.B spamd_var_run_t
-+
-+ /var/run/spamassassin(/.*)?
-+.br
-+ /var/spool/MIMEDefang(/.*)?
-+.br
-+ /var/spool/MD-Quarantine(/.*)?
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamc_t, spamd_update_t, spamd_t, spamass_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the spamc_t, spamd_update_t, spamd_t, spamass_milter_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), spamd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), spamass_milter_selinux(8), spamc_selinux(8), spamd_update_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/spamd_update_selinux.8 b/man/man8/spamd_update_selinux.8
-new file mode 100644
-index 0000000..099d75a
---- /dev/null
-+++ b/man/man8/spamd_update_selinux.8
-@@ -0,0 +1,119 @@
-+.TH "spamd_update_selinux" "8" "12-11-01" "spamd_update" "SELinux Policy documentation for spamd_update"
-+.SH "NAME"
-+spamd_update_selinux \- Security Enhanced Linux Policy for the spamd_update processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the spamd_update processes via flexible mandatory access control.
-+
-+The spamd_update processes execute with the spamd_update_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep spamd_update_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The spamd_update_t SELinux type can be entered via the "spamd_update_exec_t" file type. The default entrypoint paths for the spamd_update_t domain are the following:"
-+
-+/usr/bin/sa-update
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux spamd_update policy is very flexible allowing users to setup their spamd_update processes in as secure a method as possible.
-+.PP
-+The following process types are defined for spamd_update:
-+
-+.EX
-+.B spamd_update_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux spamd_update policy is very flexible allowing users to setup their spamd_update processes in as secure a method as possible.
-+.PP
-+The following file types are defined for spamd_update:
-+
-+
-+.EX
-+.PP
-+.B spamd_update_exec_t
-+.EE
-+
-+- Set files with the spamd_update_exec_t type, if you want to transition an executable to the spamd_update_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type spamd_update_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B spamd_tmp_t
-+
-+
-+.br
-+.B spamd_var_lib_t
-+
-+ /var/lib/razor(/.*)?
-+.br
-+ /var/lib/pyzord(/.*)?
-+.br
-+ /var/lib/spamassassin(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamd_update_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the spamd_update_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), spamd_update(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, spamd_selinux(8), spamd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/squid_cron_selinux.8 b/man/man8/squid_cron_selinux.8
-new file mode 100644
-index 0000000..cf792c9
---- /dev/null
-+++ b/man/man8/squid_cron_selinux.8
-@@ -0,0 +1,103 @@
-+.TH "squid_cron_selinux" "8" "12-11-01" "squid_cron" "SELinux Policy documentation for squid_cron"
-+.SH "NAME"
-+squid_cron_selinux \- Security Enhanced Linux Policy for the squid_cron processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the squid_cron processes via flexible mandatory access control.
-+
-+The squid_cron processes execute with the squid_cron_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep squid_cron_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The squid_cron_t SELinux type can be entered via the "squid_cron_exec_t" file type. The default entrypoint paths for the squid_cron_t domain are the following:"
-+
-+/usr/sbin/lightparser.pl
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux squid_cron policy is very flexible allowing users to setup their squid_cron processes in as secure a method as possible.
-+.PP
-+The following process types are defined for squid_cron:
-+
-+.EX
-+.B squid_cron_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux squid_cron policy is very flexible allowing users to setup their squid_cron processes in as secure a method as possible.
-+.PP
-+The following file types are defined for squid_cron:
-+
-+
-+.EX
-+.PP
-+.B squid_cron_exec_t
-+.EE
-+
-+- Set files with the squid_cron_exec_t type, if you want to transition an executable to the squid_cron_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type squid_cron_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B squid_cache_t
-+
-+ /var/squidGuard(/.*)?
-+.br
-+ /var/lightsquid(/.*)?
-+.br
-+ /var/cache/squid(/.*)?
-+.br
-+ /var/spool/squid(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), squid_cron(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, squid_selinux(8), squid_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/squid_selinux.8 b/man/man8/squid_selinux.8
-new file mode 100644
-index 0000000..be4c9e5
---- /dev/null
-+++ b/man/man8/squid_selinux.8
-@@ -0,0 +1,316 @@
-+.TH "squid_selinux" "8" "12-11-01" "squid" "SELinux Policy documentation for squid"
-+.SH "NAME"
-+squid_selinux \- Security Enhanced Linux Policy for the squid processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the squid processes via flexible mandatory access control.
-+
-+The squid processes execute with the squid_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep squid_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The squid_t SELinux type can be entered via the "squid_exec_t" file type. The default entrypoint paths for the squid_t domain are the following:"
-+
-+/usr/sbin/squid
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux squid policy is very flexible allowing users to setup their squid processes in as secure a method as possible.
-+.PP
-+The following process types are defined for squid:
-+
-+.EX
-+.B squid_t, squid_cron_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. squid policy is extremely flexible and has several booleans that allow you to manipulate the policy and run squid with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the squid_connect_any boolean.
-+
-+.EX
-+.B setsebool -P squid_connect_any 1
-+.EE
-+
-+.PP
-+If you want to allow squid to run as a transparent proxy (TPROXY), you must turn on the squid_use_tproxy boolean.
-+
-+.EX
-+.B setsebool -P squid_use_tproxy 1
-+.EE
-+
-+.PP
-+If you want to allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the squid_connect_any boolean.
-+
-+.EX
-+.B setsebool -P squid_connect_any 1
-+.EE
-+
-+.PP
-+If you want to allow squid to run as a transparent proxy (TPROXY), you must turn on the squid_use_tproxy boolean.
-+
-+.EX
-+.B setsebool -P squid_use_tproxy 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux squid policy is very flexible allowing users to setup their squid processes in as secure a method as possible.
-+.PP
-+The following file types are defined for squid:
-+
-+
-+.EX
-+.PP
-+.B squid_cache_t
-+.EE
-+
-+- Set files with the squid_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B squid_conf_t
-+.EE
-+
-+- Set files with the squid_conf_t type, if you want to treat the files as squid configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B squid_cron_exec_t
-+.EE
-+
-+- Set files with the squid_cron_exec_t type, if you want to transition an executable to the squid_cron_t domain.
-+
-+
-+.EX
-+.PP
-+.B squid_exec_t
-+.EE
-+
-+- Set files with the squid_exec_t type, if you want to transition an executable to the squid_t domain.
-+
-+
-+.EX
-+.PP
-+.B squid_initrc_exec_t
-+.EE
-+
-+- Set files with the squid_initrc_exec_t type, if you want to transition an executable to the squid_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B squid_log_t
-+.EE
-+
-+- Set files with the squid_log_t type, if you want to treat the data as squid log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B squid_tmp_t
-+.EE
-+
-+- Set files with the squid_tmp_t type, if you want to store squid temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B squid_tmpfs_t
-+.EE
-+
-+- Set files with the squid_tmpfs_t type, if you want to store squid files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B squid_var_run_t
-+.EE
-+
-+- Set files with the squid_var_run_t type, if you want to store the squid files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux squid policy is very flexible allowing users to setup their squid processes in as secure a method as possible.
-+.PP
-+The following port types are defined for squid:
-+
-+.EX
-+.TP 5
-+.B squid_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 3128,3401,4827
-+.EE
-+udp 3401,4827
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type squid_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B squid_cache_t
-+
-+ /var/squidGuard(/.*)?
-+.br
-+ /var/lightsquid(/.*)?
-+.br
-+ /var/cache/squid(/.*)?
-+.br
-+ /var/spool/squid(/.*)?
-+.br
-+
-+.br
-+.B squid_log_t
-+
-+ /var/log/squid(/.*)?
-+.br
-+ /var/log/squidGuard(/.*)?
-+.br
-+
-+.br
-+.B squid_tmp_t
-+
-+
-+.br
-+.B squid_tmpfs_t
-+
-+
-+.br
-+.B squid_var_run_t
-+
-+ /var/run/squid\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the squid_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the squid_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), squid(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), squid_cron_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/srvsvcd_selinux.8 b/man/man8/srvsvcd_selinux.8
-new file mode 100644
-index 0000000..4699f35
---- /dev/null
-+++ b/man/man8/srvsvcd_selinux.8
-@@ -0,0 +1,124 @@
-+.TH "srvsvcd_selinux" "8" "12-11-01" "srvsvcd" "SELinux Policy documentation for srvsvcd"
-+.SH "NAME"
-+srvsvcd_selinux \- Security Enhanced Linux Policy for the srvsvcd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the srvsvcd processes via flexible mandatory access control.
-+
-+The srvsvcd processes execute with the srvsvcd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep srvsvcd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The srvsvcd_t SELinux type can be entered via the "srvsvcd_exec_t" file type. The default entrypoint paths for the srvsvcd_t domain are the following:"
-+
-+/usr/sbin/srvsvcd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux srvsvcd policy is very flexible allowing users to setup their srvsvcd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for srvsvcd:
-+
-+.EX
-+.B srvsvcd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux srvsvcd policy is very flexible allowing users to setup their srvsvcd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for srvsvcd:
-+
-+
-+.EX
-+.PP
-+.B srvsvcd_exec_t
-+.EE
-+
-+- Set files with the srvsvcd_exec_t type, if you want to transition an executable to the srvsvcd_t domain.
-+
-+
-+.EX
-+.PP
-+.B srvsvcd_var_lib_t
-+.EE
-+
-+- Set files with the srvsvcd_var_lib_t type, if you want to store the srvsvcd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B srvsvcd_var_run_t
-+.EE
-+
-+- Set files with the srvsvcd_var_run_t type, if you want to store the srvsvcd files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B srvsvcd_var_socket_t
-+.EE
-+
-+- Set files with the srvsvcd_var_socket_t type, if you want to treat the files as srvsvcd var socket data.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type srvsvcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B srvsvcd_var_lib_t
-+
-+
-+.br
-+.B srvsvcd_var_run_t
-+
-+ /var/run/srvsvcd.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), srvsvcd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ssh_keygen_selinux.8 b/man/man8/ssh_keygen_selinux.8
-new file mode 100644
-index 0000000..33a275f
---- /dev/null
-+++ b/man/man8/ssh_keygen_selinux.8
-@@ -0,0 +1,155 @@
-+.TH "ssh_keygen_selinux" "8" "12-11-01" "ssh_keygen" "SELinux Policy documentation for ssh_keygen"
-+.SH "NAME"
-+ssh_keygen_selinux \- Security Enhanced Linux Policy for the ssh_keygen processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ssh_keygen processes via flexible mandatory access control.
-+
-+The ssh_keygen processes execute with the ssh_keygen_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ssh_keygen_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ssh_keygen_t SELinux type can be entered via the "ssh_keygen_exec_t" file type. The default entrypoint paths for the ssh_keygen_t domain are the following:"
-+
-+/usr/bin/ssh-keygen
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ssh_keygen policy is very flexible allowing users to setup their ssh_keygen processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ssh_keygen:
-+
-+.EX
-+.B ssh_keygen_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ssh_keygen policy is very flexible allowing users to setup their ssh_keygen processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ssh_keygen:
-+
-+
-+.EX
-+.PP
-+.B ssh_keygen_exec_t
-+.EE
-+
-+- Set files with the ssh_keygen_exec_t type, if you want to transition an executable to the ssh_keygen_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ssh_keygen_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ssh_home_t
-+
-+ /root/\.ssh(/.*)?
-+.br
-+ /var/lib/openshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/amanda/\.ssh(/.*)?
-+.br
-+ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite/\.ssh(/.*)?
-+.br
-+ /var/lib/nocpulse/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite3/\.ssh(/.*)?
-+.br
-+ /root/\.shosts
-+.br
-+ /home/[^/]*/\.ssh(/.*)?
-+.br
-+ /home/[^/]*/\.shosts
-+.br
-+ /home/dwalsh/\.ssh(/.*)?
-+.br
-+ /home/dwalsh/\.shosts
-+.br
-+ /var/lib/xguest/home/xguest/\.ssh(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.shosts
-+.br
-+
-+.br
-+.B sshd_key_t
-+
-+ /etc/ssh/ssh_host_key.pub
-+.br
-+ /etc/ssh/ssh_host_dsa_key.pub
-+.br
-+ /etc/ssh/ssh_host_rsa_key.pub
-+.br
-+ /etc/ssh/primes
-+.br
-+ /etc/ssh/ssh_host_key
-+.br
-+ /etc/ssh/ssh_host_dsa_key
-+.br
-+ /etc/ssh/ssh_host_rsa_key
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ssh_keygen_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ssh_keygen(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, ssh_selinux(8), ssh_selinux(8), ssh_keysign_selinux(8), sshd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/ssh_keysign_selinux.8 b/man/man8/ssh_keysign_selinux.8
-new file mode 100644
-index 0000000..1a657dc
---- /dev/null
-+++ b/man/man8/ssh_keysign_selinux.8
-@@ -0,0 +1,108 @@
-+.TH "ssh_keysign_selinux" "8" "12-11-01" "ssh_keysign" "SELinux Policy documentation for ssh_keysign"
-+.SH "NAME"
-+ssh_keysign_selinux \- Security Enhanced Linux Policy for the ssh_keysign processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ssh_keysign processes via flexible mandatory access control.
-+
-+The ssh_keysign processes execute with the ssh_keysign_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ssh_keysign_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ssh_keysign_t SELinux type can be entered via the "ssh_keysign_exec_t" file type. The default entrypoint paths for the ssh_keysign_t domain are the following:"
-+
-+/usr/libexec/openssh/ssh-keysign
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ssh_keysign policy is very flexible allowing users to setup their ssh_keysign processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ssh_keysign:
-+
-+.EX
-+.B ssh_keysign_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. ssh_keysign policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ssh_keysign with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow host key based authentication, you must turn on the ssh_keysign boolean.
-+
-+.EX
-+.B setsebool -P ssh_keysign 1
-+.EE
-+
-+.PP
-+If you want to allow host key based authentication, you must turn on the ssh_keysign boolean.
-+
-+.EX
-+.B setsebool -P ssh_keysign 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ssh_keysign policy is very flexible allowing users to setup their ssh_keysign processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ssh_keysign:
-+
-+
-+.EX
-+.PP
-+.B ssh_keysign_exec_t
-+.EE
-+
-+- Set files with the ssh_keysign_exec_t type, if you want to transition an executable to the ssh_keysign_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ssh_keysign(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), ssh_selinux(8), ssh_selinux(8), ssh_keygen_selinux(8), sshd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/ssh_selinux.8 b/man/man8/ssh_selinux.8
-new file mode 100644
-index 0000000..4f02c5d
---- /dev/null
-+++ b/man/man8/ssh_selinux.8
-@@ -0,0 +1,400 @@
-+.TH "ssh_selinux" "8" "12-11-01" "ssh" "SELinux Policy documentation for ssh"
-+.SH "NAME"
-+ssh_selinux \- Security Enhanced Linux Policy for the ssh processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ssh processes via flexible mandatory access control.
-+
-+The ssh processes execute with the ssh_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ssh_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ssh_t SELinux type can be entered via the "ssh_exec_t" file type. The default entrypoint paths for the ssh_t domain are the following:"
-+
-+/usr/bin/ssh
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ssh policy is very flexible allowing users to setup their ssh processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ssh:
-+
-+.EX
-+.B sshd_sandbox_t, ssh_keysign_t, ssh_keygen_t, ssh_t, sshd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. ssh policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ssh with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_use_ssh_chroot 1
-+.EE
-+
-+.PP
-+If you want to allow host key based authentication, you must turn on the ssh_keysign boolean.
-+
-+.EX
-+.B setsebool -P ssh_keysign 1
-+.EE
-+
-+.PP
-+If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean.
-+
-+.EX
-+.B setsebool -P ssh_chroot_rw_homedirs 1
-+.EE
-+
-+.PP
-+If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
-+
-+.EX
-+.B setsebool -P fenced_can_ssh 1
-+.EE
-+
-+.PP
-+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
-+
-+.EX
-+.B setsebool -P sftpd_write_ssh_home 1
-+.EE
-+
-+.PP
-+If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean.
-+
-+.EX
-+.B setsebool -P ssh_sysadm_login 1
-+.EE
-+
-+.PP
-+If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_use_ssh_chroot 1
-+.EE
-+
-+.PP
-+If you want to allow host key based authentication, you must turn on the ssh_keysign boolean.
-+
-+.EX
-+.B setsebool -P ssh_keysign 1
-+.EE
-+
-+.PP
-+If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean.
-+
-+.EX
-+.B setsebool -P ssh_chroot_rw_homedirs 1
-+.EE
-+
-+.PP
-+If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
-+
-+.EX
-+.B setsebool -P fenced_can_ssh 1
-+.EE
-+
-+.PP
-+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
-+
-+.EX
-+.B setsebool -P sftpd_write_ssh_home 1
-+.EE
-+
-+.PP
-+If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean.
-+
-+.EX
-+.B setsebool -P ssh_sysadm_login 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ssh policy is very flexible allowing users to setup their ssh processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ssh:
-+
-+
-+.EX
-+.PP
-+.B ssh_agent_exec_t
-+.EE
-+
-+- Set files with the ssh_agent_exec_t type, if you want to transition an executable to the ssh_agent_t domain.
-+
-+
-+.EX
-+.PP
-+.B ssh_agent_tmp_t
-+.EE
-+
-+- Set files with the ssh_agent_tmp_t type, if you want to store ssh agent temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B ssh_exec_t
-+.EE
-+
-+- Set files with the ssh_exec_t type, if you want to transition an executable to the ssh_t domain.
-+
-+
-+.EX
-+.PP
-+.B ssh_home_t
-+.EE
-+
-+- Set files with the ssh_home_t type, if you want to store ssh files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B ssh_keygen_exec_t
-+.EE
-+
-+- Set files with the ssh_keygen_exec_t type, if you want to transition an executable to the ssh_keygen_t domain.
-+
-+
-+.EX
-+.PP
-+.B ssh_keysign_exec_t
-+.EE
-+
-+- Set files with the ssh_keysign_exec_t type, if you want to transition an executable to the ssh_keysign_t domain.
-+
-+
-+.EX
-+.PP
-+.B ssh_tmpfs_t
-+.EE
-+
-+- Set files with the ssh_tmpfs_t type, if you want to store ssh files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B sshd_exec_t
-+.EE
-+
-+- Set files with the sshd_exec_t type, if you want to transition an executable to the sshd_t domain.
-+
-+
-+.EX
-+.PP
-+.B sshd_initrc_exec_t
-+.EE
-+
-+- Set files with the sshd_initrc_exec_t type, if you want to transition an executable to the sshd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B sshd_key_t
-+.EE
-+
-+- Set files with the sshd_key_t type, if you want to treat the files as sshd key data.
-+
-+
-+.EX
-+.PP
-+.B sshd_keytab_t
-+.EE
-+
-+- Set files with the sshd_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B sshd_tmpfs_t
-+.EE
-+
-+- Set files with the sshd_tmpfs_t type, if you want to store sshd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B sshd_var_run_t
-+.EE
-+
-+- Set files with the sshd_var_run_t type, if you want to store the sshd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux ssh policy is very flexible allowing users to setup their ssh processes in as secure a method as possible.
-+.PP
-+The following port types are defined for ssh:
-+
-+.EX
-+.TP 5
-+.B ssh_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 22
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ssh_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ssh_home_t
-+
-+ /root/\.ssh(/.*)?
-+.br
-+ /var/lib/openshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/amanda/\.ssh(/.*)?
-+.br
-+ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite/\.ssh(/.*)?
-+.br
-+ /var/lib/nocpulse/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite3/\.ssh(/.*)?
-+.br
-+ /root/\.shosts
-+.br
-+ /home/[^/]*/\.ssh(/.*)?
-+.br
-+ /home/[^/]*/\.shosts
-+.br
-+ /home/dwalsh/\.ssh(/.*)?
-+.br
-+ /home/dwalsh/\.shosts
-+.br
-+ /var/lib/xguest/home/xguest/\.ssh(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.shosts
-+.br
-+
-+.br
-+.B ssh_tmpfs_t
-+
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.br
-+.B user_tmp_type
-+
-+ all user tmp files
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), ssh_keygen_selinux(8), ssh_keysign_selinux(8), sshd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/sshd_selinux.8 b/man/man8/sshd_selinux.8
-new file mode 100644
-index 0000000..887086e
---- /dev/null
-+++ b/man/man8/sshd_selinux.8
-@@ -0,0 +1,508 @@
-+.TH "sshd_selinux" "8" "12-11-01" "sshd" "SELinux Policy documentation for sshd"
-+.SH "NAME"
-+sshd_selinux \- Security Enhanced Linux Policy for the sshd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sshd processes via flexible mandatory access control.
-+
-+The sshd processes execute with the sshd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sshd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sshd_t SELinux type can be entered via the "sshd_exec_t" file type. The default entrypoint paths for the sshd_t domain are the following:"
-+
-+/usr/sbin/sshd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sshd:
-+
-+.EX
-+.B sshd_sandbox_t, ssh_keysign_t, ssh_keygen_t, ssh_t, sshd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. sshd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sshd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_use_ssh_chroot 1
-+.EE
-+
-+.PP
-+If you want to allow host key based authentication, you must turn on the ssh_keysign boolean.
-+
-+.EX
-+.B setsebool -P ssh_keysign 1
-+.EE
-+
-+.PP
-+If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean.
-+
-+.EX
-+.B setsebool -P ssh_chroot_rw_homedirs 1
-+.EE
-+
-+.PP
-+If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
-+
-+.EX
-+.B setsebool -P fenced_can_ssh 1
-+.EE
-+
-+.PP
-+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
-+
-+.EX
-+.B setsebool -P sftpd_write_ssh_home 1
-+.EE
-+
-+.PP
-+If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean.
-+
-+.EX
-+.B setsebool -P ssh_sysadm_login 1
-+.EE
-+
-+.PP
-+If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_use_ssh_chroot 1
-+.EE
-+
-+.PP
-+If you want to allow host key based authentication, you must turn on the ssh_keysign boolean.
-+
-+.EX
-+.B setsebool -P ssh_keysign 1
-+.EE
-+
-+.PP
-+If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean.
-+
-+.EX
-+.B setsebool -P ssh_chroot_rw_homedirs 1
-+.EE
-+
-+.PP
-+If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
-+
-+.EX
-+.B setsebool -P fenced_can_ssh 1
-+.EE
-+
-+.PP
-+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
-+
-+.EX
-+.B setsebool -P sftpd_write_ssh_home 1
-+.EE
-+
-+.PP
-+If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean.
-+
-+.EX
-+.B setsebool -P ssh_sysadm_login 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sshd:
-+
-+
-+.EX
-+.PP
-+.B sshd_exec_t
-+.EE
-+
-+- Set files with the sshd_exec_t type, if you want to transition an executable to the sshd_t domain.
-+
-+
-+.EX
-+.PP
-+.B sshd_initrc_exec_t
-+.EE
-+
-+- Set files with the sshd_initrc_exec_t type, if you want to transition an executable to the sshd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B sshd_key_t
-+.EE
-+
-+- Set files with the sshd_key_t type, if you want to treat the files as sshd key data.
-+
-+
-+.EX
-+.PP
-+.B sshd_keytab_t
-+.EE
-+
-+- Set files with the sshd_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B sshd_tmpfs_t
-+.EE
-+
-+- Set files with the sshd_tmpfs_t type, if you want to store sshd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B sshd_var_run_t
-+.EE
-+
-+- Set files with the sshd_var_run_t type, if you want to store the sshd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for sshd:
-+
-+.EX
-+.TP 5
-+.B ssh_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 22
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sshd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B auth_home_t
-+
-+ /root/\.google_authenticator
-+.br
-+ /root/\.google_authenticator~
-+.br
-+ /home/[^/]*/\.google_authenticator
-+.br
-+ /home/[^/]*/\.google_authenticator~
-+.br
-+ /home/dwalsh/\.google_authenticator
-+.br
-+ /home/dwalsh/\.google_authenticator~
-+.br
-+ /var/lib/xguest/home/xguest/\.google_authenticator
-+.br
-+ /var/lib/xguest/home/xguest/\.google_authenticator~
-+.br
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B condor_var_lib_t
-+
-+ /var/lib/condor(/.*)?
-+.br
-+ /var/lib/condor/spool(/.*)?
-+.br
-+ /var/lib/condor/execute(/.*)?
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B gitosis_var_lib_t
-+
-+ /var/lib/gitosis(/.*)?
-+.br
-+ /var/lib/gitolite(3)?(/.*)?
-+.br
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B openshift_tmp_t
-+
-+ /var/lib/openshift/.*/\.tmp(/.*)?
-+.br
-+ /var/lib/openshift/.*/\.sandbox(/.*)?
-+.br
-+ /var/lib/stickshift/.*/\.tmp(/.*)?
-+.br
-+ /var/lib/stickshift/.*/\.sandbox(/.*)?
-+.br
-+
-+.br
-+.B pam_var_run_t
-+
-+ /var/(db|lib|adm)/sudo(/.*)?
-+.br
-+ /var/run/sudo(/.*)?
-+.br
-+ /var/run/sepermit(/.*)?
-+.br
-+ /var/run/pam_mount(/.*)?
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B ssh_home_t
-+
-+ /root/\.ssh(/.*)?
-+.br
-+ /var/lib/openshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/amanda/\.ssh(/.*)?
-+.br
-+ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite/\.ssh(/.*)?
-+.br
-+ /var/lib/nocpulse/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite3/\.ssh(/.*)?
-+.br
-+ /root/\.shosts
-+.br
-+ /home/[^/]*/\.ssh(/.*)?
-+.br
-+ /home/[^/]*/\.shosts
-+.br
-+ /home/dwalsh/\.ssh(/.*)?
-+.br
-+ /home/dwalsh/\.shosts
-+.br
-+ /var/lib/xguest/home/xguest/\.ssh(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.shosts
-+.br
-+
-+.br
-+.B sshd_tmpfs_t
-+
-+
-+.br
-+.B sshd_var_run_t
-+
-+ /var/run/sshd\.pid
-+.br
-+ /var/run/sshd\.init\.pid
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.br
-+.B user_tmp_type
-+
-+ all user tmp files
-+.br
-+
-+.br
-+.B var_auth_t
-+
-+ /var/ace(/.*)?
-+.br
-+ /var/rsa(/.*)?
-+.br
-+ /var/lib/abl(/.*)?
-+.br
-+ /var/lib/rsa(/.*)?
-+.br
-+ /var/lib/pam_ssh(/.*)?
-+.br
-+ /var/run/pam_ssh(/.*)?
-+.br
-+ /var/lib/pam_shield(/.*)?
-+.br
-+ /var/lib/google-authenticator(/.*)?
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sshd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), ssh_selinux(8), ssh_selinux(8), ssh_keygen_selinux(8), ssh_keysign_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/sssd_selinux.8 b/man/man8/sssd_selinux.8
-new file mode 100644
-index 0000000..29b2b6f
---- /dev/null
-+++ b/man/man8/sssd_selinux.8
-@@ -0,0 +1,260 @@
-+.TH "sssd_selinux" "8" "12-11-01" "sssd" "SELinux Policy documentation for sssd"
-+.SH "NAME"
-+sssd_selinux \- Security Enhanced Linux Policy for the sssd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sssd processes via flexible mandatory access control.
-+
-+The sssd processes execute with the sssd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sssd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sssd_t SELinux type can be entered via the "sssd_exec_t" file type. The default entrypoint paths for the sssd_t domain are the following:"
-+
-+/usr/sbin/sssd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sssd policy is very flexible allowing users to setup their sssd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sssd:
-+
-+.EX
-+.B sssd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sssd policy is very flexible allowing users to setup their sssd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sssd:
-+
-+
-+.EX
-+.PP
-+.B sssd_conf_t
-+.EE
-+
-+- Set files with the sssd_conf_t type, if you want to treat the files as sssd configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B sssd_exec_t
-+.EE
-+
-+- Set files with the sssd_exec_t type, if you want to transition an executable to the sssd_t domain.
-+
-+
-+.EX
-+.PP
-+.B sssd_initrc_exec_t
-+.EE
-+
-+- Set files with the sssd_initrc_exec_t type, if you want to transition an executable to the sssd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B sssd_public_t
-+.EE
-+
-+- Set files with the sssd_public_t type, if you want to treat the files as sssd public data.
-+
-+
-+.EX
-+.PP
-+.B sssd_unit_file_t
-+.EE
-+
-+- Set files with the sssd_unit_file_t type, if you want to treat the files as sssd unit content.
-+
-+
-+.EX
-+.PP
-+.B sssd_var_lib_t
-+.EE
-+
-+- Set files with the sssd_var_lib_t type, if you want to store the sssd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B sssd_var_log_t
-+.EE
-+
-+- Set files with the sssd_var_log_t type, if you want to treat the data as sssd var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B sssd_var_run_t
-+.EE
-+
-+- Set files with the sssd_var_run_t type, if you want to store the sssd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sssd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B selinux_login_config_t
-+
-+ /etc/selinux/([^/]*/)?logins(/.*)?
-+.br
-+
-+.br
-+.B sssd_public_t
-+
-+ /var/lib/sss/mc(/.*)?
-+.br
-+ /var/lib/sss/pubconf(/.*)?
-+.br
-+
-+.br
-+.B sssd_var_lib_t
-+
-+ /var/lib/sss(/.*)?
-+.br
-+
-+.br
-+.B sssd_var_log_t
-+
-+ /var/log/sssd(/.*)?
-+.br
-+
-+.br
-+.B sssd_var_run_t
-+
-+ /var/run/sssd.pid
-+.br
-+
-+.br
-+.B user_tmp_type
-+
-+ all user tmp files
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the sssd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sssd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/staff_selinux.8 b/man/man8/staff_selinux.8
-new file mode 100644
-index 0000000..44df6b6
---- /dev/null
-+++ b/man/man8/staff_selinux.8
-@@ -0,0 +1,583 @@
-+.TH "staff_selinux" "8" "staff" "mgrepl@redhat.com" "staff SELinux Policy documentation"
-+.SH "NAME"
-+staff_u \- \fBAdministrator's unprivileged user\fP - Security Enhanced Linux Policy
-+
-+.SH DESCRIPTION
-+
-+\fBstaff_u\fP is an SELinux User defined in the SELinux
-+policy. SELinux users have default roles, \fBstaff_r\fP. The
-+default role has a default type, \fBstaff_t\fP, associated with it.
-+
-+The SELinux user will usually login to a system with a context that looks like:
-+
-+.B staff_u:staff_r:staff_t:s0-s0:c0.c1023
-+
-+Linux users are automatically assigned an SELinux users at login.
-+Login programs use the SELinux User to assign initial context to the user's shell.
-+
-+SELinux policy uses the context to control the user's access.
-+
-+By default all users are assigned to the SELinux user via the \fB__default__\fP flag
-+
-+On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
-+
-+You can list all Linux User to SELinux user mapping using:
-+
-+.B semanage login -l
-+
-+If you wanted to change the default user mapping to use the staff_u user, you would execute:
-+
-+.B semanage login -m -s staff_u __default__
-+
-+
-+If you want to map the one Linux user (joe) to the SELinux user staff, you would execute:
-+
-+.B $ semanage login -a -s staff_u joe
-+
-+
-+.SH USER DESCRIPTION
-+
-+The SELinux user staff_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
-+
-+.SH SUDO
-+
-+The SELinux user staff can execute sudo.
-+
-+You can set up sudo to allow staff to transition to an administrative domain:
-+
-+Add one or more of the following record to sudoers using visudo.
-+
-+
-+USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
-+.br
-+sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL
-+
-+You might also need to add one or more of these new roles to your SELinux user record.
-+
-+List the SELinux roles your SELinux user can reach by executing:
-+
-+.B $ semanage user -l |grep selinux_name
-+
-+Modify the roles list and add staff_r to this list.
-+
-+.B $ semanage user -m -R 'staff_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u
-+
-+For more details you can see semanage man page.
-+
-+
-+USERNAME ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t COMMAND
-+.br
-+sudo will run COMMAND as staff_u:dbadm_r:dbadm_t:LEVEL
-+
-+You might also need to add one or more of these new roles to your SELinux user record.
-+
-+List the SELinux roles your SELinux user can reach by executing:
-+
-+.B $ semanage user -l |grep selinux_name
-+
-+Modify the roles list and add staff_r to this list.
-+
-+.B $ semanage user -m -R 'staff_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u
-+
-+For more details you can see semanage man page.
-+
-+
-+USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
-+.br
-+sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL
-+
-+You might also need to add one or more of these new roles to your SELinux user record.
-+
-+List the SELinux roles your SELinux user can reach by executing:
-+
-+.B $ semanage user -l |grep selinux_name
-+
-+Modify the roles list and add staff_r to this list.
-+
-+.B $ semanage user -m -R 'staff_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u
-+
-+For more details you can see semanage man page.
-+
-+
-+USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
-+.br
-+sudo will run COMMAND as staff_u:secadm_r:secadm_t:LEVEL
-+
-+You might also need to add one or more of these new roles to your SELinux user record.
-+
-+List the SELinux roles your SELinux user can reach by executing:
-+
-+.B $ semanage user -l |grep selinux_name
-+
-+Modify the roles list and add staff_r to this list.
-+
-+.B $ semanage user -m -R 'staff_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u
-+
-+For more details you can see semanage man page.
-+
-+
-+USERNAME ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t COMMAND
-+.br
-+sudo will run COMMAND as staff_u:sysadm_r:sysadm_t:LEVEL
-+
-+You might also need to add one or more of these new roles to your SELinux user record.
-+
-+List the SELinux roles your SELinux user can reach by executing:
-+
-+.B $ semanage user -l |grep selinux_name
-+
-+Modify the roles list and add staff_r to this list.
-+
-+.B $ semanage user -m -R 'staff_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u
-+
-+For more details you can see semanage man page.
-+
-+
-+USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
-+.br
-+sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL
-+
-+You might also need to add one or more of these new roles to your SELinux user record.
-+
-+List the SELinux roles your SELinux user can reach by executing:
-+
-+.B $ semanage user -l |grep selinux_name
-+
-+Modify the roles list and add staff_r to this list.
-+
-+.B $ semanage user -m -R 'staff_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u
-+
-+For more details you can see semanage man page.
-+
-+
-+USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
-+.br
-+sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL
-+
-+You might also need to add one or more of these new roles to your SELinux user record.
-+
-+List the SELinux roles your SELinux user can reach by executing:
-+
-+.B $ semanage user -l |grep selinux_name
-+
-+Modify the roles list and add staff_r to this list.
-+
-+.B $ semanage user -m -R 'staff_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u
-+
-+For more details you can see semanage man page.
-+
-+
-+The SELinux type staff_t is not allowed to execute sudo.
-+
-+.SH X WINDOWS LOGIN
-+
-+The SELinux user staff_u is able to X Windows login.
-+
-+.SH NETWORK
-+
-+.TP
-+The SELinux user staff_u is able to listen on the following tcp ports.
-+
-+.B xserver_port_t: 6000-6020
-+
-+.TP
-+The SELinux user staff_u is able to connect to the following tcp ports.
-+
-+.B all ports
-+
-+.TP
-+The SELinux user staff_u is able to listen on the following udp ports.
-+
-+.B ephemeral_port_t: 32768-61000
-+
-+.B all ports with out defined types
-+
-+.TP
-+The SELinux user staff_u is able to connect to the following tcp ports.
-+
-+.B all ports
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. staff policy is extremely flexible and has several booleans that allow you to manipulate the policy and run staff with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean.
-+
-+.EX
-+.B setsebool -P staff_use_svirt 1
-+.EE
-+
-+.PP
-+If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean.
-+
-+.EX
-+.B setsebool -P staff_use_svirt 1
-+.EE
-+
-+.SH HOME_EXEC
-+
-+The SELinux user staff_u is able execute home content files.
-+
-+.SH TRANSITIONS
-+
-+Three things can happen when staff_t attempts to execute a program.
-+
-+\fB1.\fP SELinux Policy can deny staff_t from executing the program.
-+
-+.TP
-+
-+\fB2.\fP SELinux Policy can allow staff_t to execute the program in the current user type.
-+
-+Execute the following to see the types that the SELinux user staff_t can execute without transitioning:
-+
-+.B search -A -s staff_t -c file -p execute_no_trans
-+
-+.TP
-+
-+\fB3.\fP SELinux can allow staff_t to execute the program and transition to a new type.
-+
-+Execute the following to see the types that the SELinux user staff_t can execute and transition:
-+
-+.B $ search -A -s staff_t -c process -p transition
-+
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type staff_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B bluetooth_helper_tmp_t
-+
-+
-+.br
-+.B bluetooth_helper_tmpfs_t
-+
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B chrome_sandbox_tmpfs_t
-+
-+
-+.br
-+.B games_data_t
-+
-+ /var/games(/.*)?
-+.br
-+ /var/lib/games(/.*)?
-+.br
-+
-+.br
-+.B gpg_agent_tmp_t
-+
-+ /home/[^/]*/\.gnupg/log-socket
-+.br
-+ /home/dwalsh/\.gnupg/log-socket
-+.br
-+ /var/lib/xguest/home/xguest/\.gnupg/log-socket
-+.br
-+
-+.br
-+.B httpd_user_content_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))(/.+)?
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))(/.+)?
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)?
-+.br
-+
-+.br
-+.B httpd_user_htaccess_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess
-+.br
-+
-+.br
-+.B httpd_user_ra_content_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
-+.br
-+
-+.br
-+.B httpd_user_rw_content_t
-+
-+
-+.br
-+.B httpd_user_script_exec_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?
-+.br
-+
-+.br
-+.B iceauth_home_t
-+
-+ /root/\.DCOP.*
-+.br
-+ /root/\.ICEauthority.*
-+.br
-+ /home/[^/]*/\.DCOP.*
-+.br
-+ /home/[^/]*/\.ICEauthority.*
-+.br
-+ /home/dwalsh/\.DCOP.*
-+.br
-+ /home/dwalsh/\.ICEauthority.*
-+.br
-+ /var/lib/xguest/home/xguest/\.DCOP.*
-+.br
-+ /var/lib/xguest/home/xguest/\.ICEauthority.*
-+.br
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.br
-+.B mqueue_spool_t
-+
-+ /var/spool/(client)?mqueue(/.*)?
-+.br
-+ /var/spool/mqueue\.in(/.*)?
-+.br
-+
-+.br
-+.B nfsd_rw_t
-+
-+
-+.br
-+.B noxattrfs
-+
-+ all files on file systems which do not support extended attributes
-+.br
-+
-+.br
-+.B sandbox_file_t
-+
-+
-+.br
-+.B sandbox_tmpfs_type
-+
-+ all sandbox content in tmpfs file systems
-+.br
-+
-+.br
-+.B screen_home_t
-+
-+ /root/\.screen(/.*)?
-+.br
-+ /home/[^/]*/\.screen(/.*)?
-+.br
-+ /home/[^/]*/\.screenrc
-+.br
-+ /home/dwalsh/\.screen(/.*)?
-+.br
-+ /home/dwalsh/\.screenrc
-+.br
-+ /var/lib/xguest/home/xguest/\.screen(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.screenrc
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B usbfs_t
-+
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B user_fonts_t
-+
-+ /root/\.fonts(/.*)?
-+.br
-+ /tmp/\.font-unix(/.*)?
-+.br
-+ /home/[^/]*/\.fonts(/.*)?
-+.br
-+ /home/dwalsh/\.fonts(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts(/.*)?
-+.br
-+
-+.br
-+.B user_home_type
-+
-+ all user home files
-+.br
-+
-+.br
-+.B user_tmp_type
-+
-+ all user tmp files
-+.br
-+
-+.br
-+.B user_tmpfs_type
-+
-+ all user content in tmpfs file systems
-+.br
-+
-+.br
-+.B virt_image_type
-+
-+ all virtual image files
-+.br
-+
-+.br
-+.B xauth_home_t
-+
-+ /root/\.xauth.*
-+.br
-+ /root/\.Xauth.*
-+.br
-+ /root/\.serverauth.*
-+.br
-+ /root/\.Xauthority.*
-+.br
-+ /var/lib/pqsql/\.xauth.*
-+.br
-+ /var/lib/pqsql/\.Xauthority.*
-+.br
-+ /var/lib/nxserver/home/\.xauth.*
-+.br
-+ /var/lib/nxserver/home/\.Xauthority.*
-+.br
-+ /home/[^/]*/\.xauth.*
-+.br
-+ /home/[^/]*/\.Xauth.*
-+.br
-+ /home/[^/]*/\.serverauth.*
-+.br
-+ /home/[^/]*/\.Xauthority.*
-+.br
-+ /home/dwalsh/\.xauth.*
-+.br
-+ /home/dwalsh/\.Xauth.*
-+.br
-+ /home/dwalsh/\.serverauth.*
-+.br
-+ /home/dwalsh/\.Xauthority.*
-+.br
-+ /var/lib/xguest/home/xguest/\.xauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.Xauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.serverauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.Xauthority.*
-+.br
-+
-+.br
-+.B xdm_tmp_t
-+
-+ /tmp/\.X11-unix(/.*)?
-+.br
-+ /tmp/\.ICE-unix(/.*)?
-+.br
-+ /tmp/\.X0-lock
-+.br
-+
-+.br
-+.B xserver_tmpfs_t
-+
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), staff(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/stapserver_selinux.8 b/man/man8/stapserver_selinux.8
-new file mode 100644
-index 0000000..1d7061b
---- /dev/null
-+++ b/man/man8/stapserver_selinux.8
-@@ -0,0 +1,146 @@
-+.TH "stapserver_selinux" "8" "12-11-01" "stapserver" "SELinux Policy documentation for stapserver"
-+.SH "NAME"
-+stapserver_selinux \- Security Enhanced Linux Policy for the stapserver processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the stapserver processes via flexible mandatory access control.
-+
-+The stapserver processes execute with the stapserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep stapserver_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The stapserver_t SELinux type can be entered via the "stapserver_exec_t" file type. The default entrypoint paths for the stapserver_t domain are the following:"
-+
-+/usr/bin/stap-server
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux stapserver policy is very flexible allowing users to setup their stapserver processes in as secure a method as possible.
-+.PP
-+The following process types are defined for stapserver:
-+
-+.EX
-+.B stapserver_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux stapserver policy is very flexible allowing users to setup their stapserver processes in as secure a method as possible.
-+.PP
-+The following file types are defined for stapserver:
-+
-+
-+.EX
-+.PP
-+.B stapserver_exec_t
-+.EE
-+
-+- Set files with the stapserver_exec_t type, if you want to transition an executable to the stapserver_t domain.
-+
-+
-+.EX
-+.PP
-+.B stapserver_log_t
-+.EE
-+
-+- Set files with the stapserver_log_t type, if you want to treat the data as stapserver log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B stapserver_var_lib_t
-+.EE
-+
-+- Set files with the stapserver_var_lib_t type, if you want to store the stapserver files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B stapserver_var_run_t
-+.EE
-+
-+- Set files with the stapserver_var_run_t type, if you want to store the stapserver files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type stapserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B stapserver_log_t
-+
-+ /var/log/stap-server(/.*)?
-+.br
-+
-+.br
-+.B stapserver_var_lib_t
-+
-+ /var/lib/stap-server(/.*)?
-+.br
-+
-+.br
-+.B stapserver_var_run_t
-+
-+ /var/run/stap-server(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the stapserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the stapserver_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), stapserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/stunnel_selinux.8 b/man/man8/stunnel_selinux.8
-new file mode 100644
-index 0000000..feb8ccd
---- /dev/null
-+++ b/man/man8/stunnel_selinux.8
-@@ -0,0 +1,160 @@
-+.TH "stunnel_selinux" "8" "12-11-01" "stunnel" "SELinux Policy documentation for stunnel"
-+.SH "NAME"
-+stunnel_selinux \- Security Enhanced Linux Policy for the stunnel processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the stunnel processes via flexible mandatory access control.
-+
-+The stunnel processes execute with the stunnel_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep stunnel_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The stunnel_t SELinux type can be entered via the "stunnel_exec_t" file type. The default entrypoint paths for the stunnel_t domain are the following:"
-+
-+/usr/bin/stunnel, /usr/sbin/stunnel
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux stunnel policy is very flexible allowing users to setup their stunnel processes in as secure a method as possible.
-+.PP
-+The following process types are defined for stunnel:
-+
-+.EX
-+.B stunnel_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux stunnel policy is very flexible allowing users to setup their stunnel processes in as secure a method as possible.
-+.PP
-+The following file types are defined for stunnel:
-+
-+
-+.EX
-+.PP
-+.B stunnel_etc_t
-+.EE
-+
-+- Set files with the stunnel_etc_t type, if you want to store stunnel files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B stunnel_exec_t
-+.EE
-+
-+- Set files with the stunnel_exec_t type, if you want to transition an executable to the stunnel_t domain.
-+
-+
-+.EX
-+.PP
-+.B stunnel_tmp_t
-+.EE
-+
-+- Set files with the stunnel_tmp_t type, if you want to store stunnel temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B stunnel_var_run_t
-+.EE
-+
-+- Set files with the stunnel_var_run_t type, if you want to store the stunnel files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux stunnel policy is very flexible allowing users to setup their stunnel processes in as secure a method as possible.
-+.PP
-+The following port types are defined for stunnel:
-+
-+.EX
-+.TP 5
-+.B stunnel_port_t
-+.TP 10
-+.EE
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type stunnel_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B stunnel_tmp_t
-+
-+
-+.br
-+.B stunnel_var_run_t
-+
-+ /var/run/stunnel(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the stunnel_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the stunnel_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), stunnel(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/sulogin_selinux.8 b/man/man8/sulogin_selinux.8
-new file mode 100644
-index 0000000..debe287
---- /dev/null
-+++ b/man/man8/sulogin_selinux.8
-@@ -0,0 +1,110 @@
-+.TH "sulogin_selinux" "8" "12-11-01" "sulogin" "SELinux Policy documentation for sulogin"
-+.SH "NAME"
-+sulogin_selinux \- Security Enhanced Linux Policy for the sulogin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sulogin processes via flexible mandatory access control.
-+
-+The sulogin processes execute with the sulogin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sulogin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sulogin_t SELinux type can be entered via the "sulogin_exec_t" file type. The default entrypoint paths for the sulogin_t domain are the following:"
-+
-+/sbin/sulogin, /sbin/sushell, /usr/sbin/sulogin, /usr/sbin/sushell
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sulogin policy is very flexible allowing users to setup their sulogin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sulogin:
-+
-+.EX
-+.B sulogin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sulogin policy is very flexible allowing users to setup their sulogin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sulogin:
-+
-+
-+.EX
-+.PP
-+.B sulogin_exec_t
-+.EE
-+
-+- Set files with the sulogin_exec_t type, if you want to transition an executable to the sulogin_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sulogin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sulogin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the sulogin_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sulogin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/svc_multilog_selinux.8 b/man/man8/svc_multilog_selinux.8
-new file mode 100644
-index 0000000..723cd0c
---- /dev/null
-+++ b/man/man8/svc_multilog_selinux.8
-@@ -0,0 +1,155 @@
-+.TH "svc_multilog_selinux" "8" "12-11-01" "svc_multilog" "SELinux Policy documentation for svc_multilog"
-+.SH "NAME"
-+svc_multilog_selinux \- Security Enhanced Linux Policy for the svc_multilog processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the svc_multilog processes via flexible mandatory access control.
-+
-+The svc_multilog processes execute with the svc_multilog_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep svc_multilog_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The svc_multilog_t SELinux type can be entered via the "svc_multilog_exec_t" file type. The default entrypoint paths for the svc_multilog_t domain are the following:"
-+
-+/usr/bin/multilog
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux svc_multilog policy is very flexible allowing users to setup their svc_multilog processes in as secure a method as possible.
-+.PP
-+The following process types are defined for svc_multilog:
-+
-+.EX
-+.B svc_multilog_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux svc_multilog policy is very flexible allowing users to setup their svc_multilog processes in as secure a method as possible.
-+.PP
-+The following file types are defined for svc_multilog:
-+
-+
-+.EX
-+.PP
-+.B svc_multilog_exec_t
-+.EE
-+
-+- Set files with the svc_multilog_exec_t type, if you want to transition an executable to the svc_multilog_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type svc_multilog_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B svc_svc_t
-+
-+ /service/.*
-+.br
-+ /var/axfrdns(/.*)?
-+.br
-+ /var/tinydns(/.*)?
-+.br
-+ /var/service/.*
-+.br
-+ /var/dnscache(/.*)?
-+.br
-+ /var/qmail/supervise(/.*)?
-+.br
-+ /service
-+.br
-+
-+.br
-+.B var_log_t
-+
-+ /var/log/.*
-+.br
-+ /nsr/logs(/.*)?
-+.br
-+ /var/webmin(/.*)?
-+.br
-+ /var/log/cron[^/]*
-+.br
-+ /var/log/secure[^/]*
-+.br
-+ /opt/zimbra/log(/.*)?
-+.br
-+ /var/log/maillog[^/]*
-+.br
-+ /var/log/spooler[^/]*
-+.br
-+ /var/log/messages[^/]*
-+.br
-+ /usr/centreon/log(/.*)?
-+.br
-+ /var/spool/rsyslog(/.*)?
-+.br
-+ /var/axfrdns/log/main(/.*)?
-+.br
-+ /var/spool/bacula/log(/.*)?
-+.br
-+ /var/tinydns/log/main(/.*)?
-+.br
-+ /var/dnscache/log/main(/.*)?
-+.br
-+ /var/stockmaniac/templates_cache(/.*)?
-+.br
-+ /opt/Symantec/scspagent/IDS/system(/.*)?
-+.br
-+ /var/log
-+.br
-+ /var/log/dmesg
-+.br
-+ /var/log/syslog
-+.br
-+ /var/named/chroot/var/log
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), svc_multilog(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, svc_run_selinux(8), svc_start_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/svc_run_selinux.8 b/man/man8/svc_run_selinux.8
-new file mode 100644
-index 0000000..81dbe8e
---- /dev/null
-+++ b/man/man8/svc_run_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "svc_run_selinux" "8" "12-11-01" "svc_run" "SELinux Policy documentation for svc_run"
-+.SH "NAME"
-+svc_run_selinux \- Security Enhanced Linux Policy for the svc_run processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the svc_run processes via flexible mandatory access control.
-+
-+The svc_run processes execute with the svc_run_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep svc_run_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The svc_run_t SELinux type can be entered via the "svc_run_exec_t" file type. The default entrypoint paths for the svc_run_t domain are the following:"
-+
-+/var/service/.*/run.*, /var/service/.*/log/run, /var/qmail/supervise/.*/run, /var/qmail/supervise/.*/log/run, /usr/bin/envdir, /usr/bin/fghack, /usr/bin/setlock, /var/axfrdns/run, /var/tinydns/run, /usr/bin/pgrphack, /var/dnscache/run, /usr/bin/envuidgid, /usr/bin/setuidgid, /usr/bin/softlimit, /var/axfrdns/log/run, /var/tinydns/log/run, /var/dnscache/log/run
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux svc_run policy is very flexible allowing users to setup their svc_run processes in as secure a method as possible.
-+.PP
-+The following process types are defined for svc_run:
-+
-+.EX
-+.B svc_run_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux svc_run policy is very flexible allowing users to setup their svc_run processes in as secure a method as possible.
-+.PP
-+The following file types are defined for svc_run:
-+
-+
-+.EX
-+.PP
-+.B svc_run_exec_t
-+.EE
-+
-+- Set files with the svc_run_exec_t type, if you want to transition an executable to the svc_run_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), svc_run(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, svc_multilog_selinux(8), svc_start_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/svc_start_selinux.8 b/man/man8/svc_start_selinux.8
-new file mode 100644
-index 0000000..bada5e7
---- /dev/null
-+++ b/man/man8/svc_start_selinux.8
-@@ -0,0 +1,109 @@
-+.TH "svc_start_selinux" "8" "12-11-01" "svc_start" "SELinux Policy documentation for svc_start"
-+.SH "NAME"
-+svc_start_selinux \- Security Enhanced Linux Policy for the svc_start processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the svc_start processes via flexible mandatory access control.
-+
-+The svc_start processes execute with the svc_start_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep svc_start_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The svc_start_t SELinux type can be entered via the "svc_start_exec_t" file type. The default entrypoint paths for the svc_start_t domain are the following:"
-+
-+/usr/bin/svc, /usr/bin/svok, /usr/bin/svscan, /usr/bin/supervise, /usr/bin/svscanboot
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux svc_start policy is very flexible allowing users to setup their svc_start processes in as secure a method as possible.
-+.PP
-+The following process types are defined for svc_start:
-+
-+.EX
-+.B svc_start_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux svc_start policy is very flexible allowing users to setup their svc_start processes in as secure a method as possible.
-+.PP
-+The following file types are defined for svc_start:
-+
-+
-+.EX
-+.PP
-+.B svc_start_exec_t
-+.EE
-+
-+- Set files with the svc_start_exec_t type, if you want to transition an executable to the svc_start_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type svc_start_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B svc_svc_t
-+
-+ /service/.*
-+.br
-+ /var/axfrdns(/.*)?
-+.br
-+ /var/tinydns(/.*)?
-+.br
-+ /var/service/.*
-+.br
-+ /var/dnscache(/.*)?
-+.br
-+ /var/qmail/supervise(/.*)?
-+.br
-+ /service
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), svc_start(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, svc_multilog_selinux(8), svc_run_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/svnserve_selinux.8 b/man/man8/svnserve_selinux.8
-new file mode 100644
-index 0000000..19003a2
---- /dev/null
-+++ b/man/man8/svnserve_selinux.8
-@@ -0,0 +1,138 @@
-+.TH "svnserve_selinux" "8" "12-11-01" "svnserve" "SELinux Policy documentation for svnserve"
-+.SH "NAME"
-+svnserve_selinux \- Security Enhanced Linux Policy for the svnserve processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the svnserve processes via flexible mandatory access control.
-+
-+The svnserve processes execute with the svnserve_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep svnserve_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The svnserve_t SELinux type can be entered via the "svnserve_exec_t" file type. The default entrypoint paths for the svnserve_t domain are the following:"
-+
-+/usr/bin/svnserve
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux svnserve policy is very flexible allowing users to setup their svnserve processes in as secure a method as possible.
-+.PP
-+The following process types are defined for svnserve:
-+
-+.EX
-+.B svnserve_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux svnserve policy is very flexible allowing users to setup their svnserve processes in as secure a method as possible.
-+.PP
-+The following file types are defined for svnserve:
-+
-+
-+.EX
-+.PP
-+.B svnserve_content_t
-+.EE
-+
-+- Set files with the svnserve_content_t type, if you want to treat the files as svnserve content.
-+
-+
-+.EX
-+.PP
-+.B svnserve_exec_t
-+.EE
-+
-+- Set files with the svnserve_exec_t type, if you want to transition an executable to the svnserve_t domain.
-+
-+
-+.EX
-+.PP
-+.B svnserve_initrc_exec_t
-+.EE
-+
-+- Set files with the svnserve_initrc_exec_t type, if you want to transition an executable to the svnserve_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B svnserve_unit_file_t
-+.EE
-+
-+- Set files with the svnserve_unit_file_t type, if you want to treat the files as svnserve unit content.
-+
-+
-+.EX
-+.PP
-+.B svnserve_var_run_t
-+.EE
-+
-+- Set files with the svnserve_var_run_t type, if you want to store the svnserve files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type svnserve_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B svnserve_content_t
-+
-+ /var/subversion/repo(/.*)?
-+.br
-+ /var/lib/subversion/repo(/.*)?
-+.br
-+
-+.br
-+.B svnserve_var_run_t
-+
-+ /var/run/svnserve.pid
-+.br
-+ /var/run/svnserve(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), svnserve(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/swat_selinux.8 b/man/man8/swat_selinux.8
-new file mode 100644
-index 0000000..7533603
---- /dev/null
-+++ b/man/man8/swat_selinux.8
-@@ -0,0 +1,214 @@
-+.TH "swat_selinux" "8" "12-11-01" "swat" "SELinux Policy documentation for swat"
-+.SH "NAME"
-+swat_selinux \- Security Enhanced Linux Policy for the swat processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the swat processes via flexible mandatory access control.
-+
-+The swat processes execute with the swat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep swat_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The swat_t SELinux type can be entered via the "swat_exec_t" file type. The default entrypoint paths for the swat_t domain are the following:"
-+
-+/usr/sbin/swat
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux swat policy is very flexible allowing users to setup their swat processes in as secure a method as possible.
-+.PP
-+The following process types are defined for swat:
-+
-+.EX
-+.B swat_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux swat policy is very flexible allowing users to setup their swat processes in as secure a method as possible.
-+.PP
-+The following file types are defined for swat:
-+
-+
-+.EX
-+.PP
-+.B swat_exec_t
-+.EE
-+
-+- Set files with the swat_exec_t type, if you want to transition an executable to the swat_t domain.
-+
-+
-+.EX
-+.PP
-+.B swat_tmp_t
-+.EE
-+
-+- Set files with the swat_tmp_t type, if you want to store swat temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B swat_var_run_t
-+.EE
-+
-+- Set files with the swat_var_run_t type, if you want to store the swat files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux swat policy is very flexible allowing users to setup their swat processes in as secure a method as possible.
-+.PP
-+The following port types are defined for swat:
-+
-+.EX
-+.TP 5
-+.B swat_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 901
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type swat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B samba_etc_t
-+
-+ /etc/samba(/.*)?
-+.br
-+
-+.br
-+.B samba_log_t
-+
-+ /var/log/samba(/.*)?
-+.br
-+
-+.br
-+.B samba_secrets_t
-+
-+ /etc/samba/smbpasswd
-+.br
-+ /etc/samba/passdb\.tdb
-+.br
-+ /etc/samba/MACHINE\.SID
-+.br
-+ /etc/samba/secrets\.tdb
-+.br
-+
-+.br
-+.B samba_var_t
-+
-+ /var/lib/samba(/.*)?
-+.br
-+ /var/cache/samba(/.*)?
-+.br
-+ /var/spool/samba(/.*)?
-+.br
-+
-+.br
-+.B swat_tmp_t
-+
-+
-+.br
-+.B swat_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the swat_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the swat_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), swat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/sysadm_selinux.8 b/man/man8/sysadm_selinux.8
-new file mode 100644
-index 0000000..a815869
---- /dev/null
-+++ b/man/man8/sysadm_selinux.8
-@@ -0,0 +1,532 @@
-+.TH "sysadm_selinux" "8" "sysadm" "mgrepl@redhat.com" "sysadm SELinux Policy documentation"
-+.SH "NAME"
-+sysadm_u \- \fBGeneral system administration role\fP - Security Enhanced Linux Policy
-+
-+.SH DESCRIPTION
-+
-+\fBsysadm_u\fP is an SELinux User defined in the SELinux
-+policy. SELinux users have default roles, \fBsysadm_r\fP. The
-+default role has a default type, \fBsysadm_t\fP, associated with it.
-+
-+The SELinux user will usually login to a system with a context that looks like:
-+
-+.B sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
-+
-+Linux users are automatically assigned an SELinux users at login.
-+Login programs use the SELinux User to assign initial context to the user's shell.
-+
-+SELinux policy uses the context to control the user's access.
-+
-+By default all users are assigned to the SELinux user via the \fB__default__\fP flag
-+
-+On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
-+
-+You can list all Linux User to SELinux user mapping using:
-+
-+.B semanage login -l
-+
-+If you wanted to change the default user mapping to use the sysadm_u user, you would execute:
-+
-+.B semanage login -m -s sysadm_u __default__
-+
-+
-+If you want to map the one Linux user (joe) to the SELinux user sysadm, you would execute:
-+
-+.B $ semanage login -a -s sysadm_u joe
-+
-+
-+.SH USER DESCRIPTION
-+
-+The SELinux user sysadm_u is an admin user. It means that a mapped Linux user to this SELinux user is intended for administrative actions. Usually this is assigned to a root Linux user.
-+
-+.SH SUDO
-+
-+The SELinux user sysadm can execute sudo.
-+
-+You can set up sudo to allow sysadm to transition to an administrative domain:
-+
-+Add one or more of the following record to sudoers using visudo.
-+
-+
-+USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
-+.br
-+sudo will run COMMAND as sysadm_u:auditadm_r:auditadm_t:LEVEL
-+
-+You might also need to add one or more of these new roles to your SELinux user record.
-+
-+List the SELinux roles your SELinux user can reach by executing:
-+
-+.B $ semanage user -l |grep selinux_name
-+
-+Modify the roles list and add sysadm_r to this list.
-+
-+.B $ semanage user -m -R 'sysadm_r auditadm_r secadm_r staff_r user_r' sysadm_u
-+
-+For more details you can see semanage man page.
-+
-+
-+USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
-+.br
-+sudo will run COMMAND as sysadm_u:secadm_r:secadm_t:LEVEL
-+
-+You might also need to add one or more of these new roles to your SELinux user record.
-+
-+List the SELinux roles your SELinux user can reach by executing:
-+
-+.B $ semanage user -l |grep selinux_name
-+
-+Modify the roles list and add sysadm_r to this list.
-+
-+.B $ semanage user -m -R 'sysadm_r auditadm_r secadm_r staff_r user_r' sysadm_u
-+
-+For more details you can see semanage man page.
-+
-+
-+USERNAME ALL=(ALL) ROLE=staff_r TYPE=staff_t COMMAND
-+.br
-+sudo will run COMMAND as sysadm_u:staff_r:staff_t:LEVEL
-+
-+You might also need to add one or more of these new roles to your SELinux user record.
-+
-+List the SELinux roles your SELinux user can reach by executing:
-+
-+.B $ semanage user -l |grep selinux_name
-+
-+Modify the roles list and add sysadm_r to this list.
-+
-+.B $ semanage user -m -R 'sysadm_r auditadm_r secadm_r staff_r user_r' sysadm_u
-+
-+For more details you can see semanage man page.
-+
-+
-+USERNAME ALL=(ALL) ROLE=user_r TYPE=user_t COMMAND
-+.br
-+sudo will run COMMAND as sysadm_u:user_r:user_t:LEVEL
-+
-+You might also need to add one or more of these new roles to your SELinux user record.
-+
-+List the SELinux roles your SELinux user can reach by executing:
-+
-+.B $ semanage user -l |grep selinux_name
-+
-+Modify the roles list and add sysadm_r to this list.
-+
-+.B $ semanage user -m -R 'sysadm_r auditadm_r secadm_r staff_r user_r' sysadm_u
-+
-+For more details you can see semanage man page.
-+
-+
-+The SELinux type sysadm_t is not allowed to execute sudo.
-+
-+.SH X WINDOWS LOGIN
-+
-+The SELinux user sysadm_u is able to X Windows login.
-+
-+.SH NETWORK
-+
-+.TP
-+The SELinux user sysadm_u is able to listen on the following tcp ports.
-+
-+.B all ports with out defined types
-+
-+.B ephemeral_port_t: 32768-61000
-+
-+.TP
-+The SELinux user sysadm_u is able to connect to the following tcp ports.
-+
-+.B all ports
-+
-+.TP
-+The SELinux user sysadm_u is able to listen on the following udp ports.
-+
-+.B all ports with out defined types
-+
-+.B ntp_port_t: 123
-+
-+.B ephemeral_port_t: 32768-61000
-+
-+.TP
-+The SELinux user sysadm_u is able to connect to the following tcp ports.
-+
-+.B all ports
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. sysadm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sysadm with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean.
-+
-+.EX
-+.B setsebool -P ssh_sysadm_login 1
-+.EE
-+
-+.PP
-+If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
-+
-+.EX
-+.B setsebool -P xdm_sysadm_login 1
-+.EE
-+
-+.PP
-+If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean.
-+
-+.EX
-+.B setsebool -P ssh_sysadm_login 1
-+.EE
-+
-+.PP
-+If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
-+
-+.EX
-+.B setsebool -P xdm_sysadm_login 1
-+.EE
-+
-+.SH HOME_EXEC
-+
-+The SELinux user sysadm_u is able execute home content files.
-+
-+.SH TRANSITIONS
-+
-+Three things can happen when sysadm_t attempts to execute a program.
-+
-+\fB1.\fP SELinux Policy can deny sysadm_t from executing the program.
-+
-+.TP
-+
-+\fB2.\fP SELinux Policy can allow sysadm_t to execute the program in the current user type.
-+
-+Execute the following to see the types that the SELinux user sysadm_t can execute without transitioning:
-+
-+.B search -A -s sysadm_t -c file -p execute_no_trans
-+
-+.TP
-+
-+\fB3.\fP SELinux can allow sysadm_t to execute the program and transition to a new type.
-+
-+Execute the following to see the types that the SELinux user sysadm_t can execute and transition:
-+
-+.B $ search -A -s sysadm_t -c process -p transition
-+
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sysadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B auditd_etc_t
-+
-+ /etc/audit(/.*)?
-+.br
-+
-+.br
-+.B auditd_log_t
-+
-+ /var/log/audit(/.*)?
-+.br
-+ /var/log/audit\.log
-+.br
-+
-+.br
-+.B boolean_type
-+
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B iceauth_home_t
-+
-+ /root/\.DCOP.*
-+.br
-+ /root/\.ICEauthority.*
-+.br
-+ /home/[^/]*/\.DCOP.*
-+.br
-+ /home/[^/]*/\.ICEauthority.*
-+.br
-+ /home/dwalsh/\.DCOP.*
-+.br
-+ /home/dwalsh/\.ICEauthority.*
-+.br
-+ /var/lib/xguest/home/xguest/\.DCOP.*
-+.br
-+ /var/lib/xguest/home/xguest/\.ICEauthority.*
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B krb5_keytab_t
-+
-+ /etc/krb5\.keytab
-+.br
-+ /etc/krb5kdc/kadm5\.keytab
-+.br
-+ /var/kerberos/krb5kdc/kadm5\.keytab
-+.br
-+
-+.br
-+.B non_security_file_type
-+
-+
-+.br
-+.B noxattrfs
-+
-+ all files on file systems which do not support extended attributes
-+.br
-+
-+.br
-+.B screen_home_t
-+
-+ /root/\.screen(/.*)?
-+.br
-+ /home/[^/]*/\.screen(/.*)?
-+.br
-+ /home/[^/]*/\.screenrc
-+.br
-+ /home/dwalsh/\.screen(/.*)?
-+.br
-+ /home/dwalsh/\.screenrc
-+.br
-+ /var/lib/xguest/home/xguest/\.screen(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.screenrc
-+.br
-+
-+.br
-+.B sysctl_type
-+
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B systemd_unit_file_type
-+
-+
-+.br
-+.B usbfs_t
-+
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B user_fonts_t
-+
-+ /root/\.fonts(/.*)?
-+.br
-+ /tmp/\.font-unix(/.*)?
-+.br
-+ /home/[^/]*/\.fonts(/.*)?
-+.br
-+ /home/dwalsh/\.fonts(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts(/.*)?
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.br
-+.B user_home_type
-+
-+ all user home files
-+.br
-+
-+.br
-+.B user_tmp_type
-+
-+ all user tmp files
-+.br
-+
-+.br
-+.B user_tmpfs_type
-+
-+ all user content in tmpfs file systems
-+.br
-+
-+.br
-+.B xauth_home_t
-+
-+ /root/\.xauth.*
-+.br
-+ /root/\.Xauth.*
-+.br
-+ /root/\.serverauth.*
-+.br
-+ /root/\.Xauthority.*
-+.br
-+ /var/lib/pqsql/\.xauth.*
-+.br
-+ /var/lib/pqsql/\.Xauthority.*
-+.br
-+ /var/lib/nxserver/home/\.xauth.*
-+.br
-+ /var/lib/nxserver/home/\.Xauthority.*
-+.br
-+ /home/[^/]*/\.xauth.*
-+.br
-+ /home/[^/]*/\.Xauth.*
-+.br
-+ /home/[^/]*/\.serverauth.*
-+.br
-+ /home/[^/]*/\.Xauthority.*
-+.br
-+ /home/dwalsh/\.xauth.*
-+.br
-+ /home/dwalsh/\.Xauth.*
-+.br
-+ /home/dwalsh/\.serverauth.*
-+.br
-+ /home/dwalsh/\.Xauthority.*
-+.br
-+ /var/lib/xguest/home/xguest/\.xauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.Xauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.serverauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.Xauthority.*
-+.br
-+
-+.br
-+.B xserver_tmpfs_t
-+
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sysadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/syslogd_selinux.8 b/man/man8/syslogd_selinux.8
-new file mode 100644
-index 0000000..6ebf4fa
---- /dev/null
-+++ b/man/man8/syslogd_selinux.8
-@@ -0,0 +1,286 @@
-+.TH "syslogd_selinux" "8" "12-11-01" "syslogd" "SELinux Policy documentation for syslogd"
-+.SH "NAME"
-+syslogd_selinux \- Security Enhanced Linux Policy for the syslogd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the syslogd processes via flexible mandatory access control.
-+
-+The syslogd processes execute with the syslogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep syslogd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The syslogd_t SELinux type can be entered via the "syslogd_exec_t" file type. The default entrypoint paths for the syslogd_t domain are the following:"
-+
-+/sbin/syslogd, /sbin/minilogd, /sbin/rsyslogd, /sbin/syslog-ng, /usr/sbin/metalog, /usr/sbin/syslogd, /usr/sbin/minilogd, /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-journald, /usr/lib/systemd/systemd-kmsg-syslogd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux syslogd policy is very flexible allowing users to setup their syslogd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for syslogd:
-+
-+.EX
-+.B syslogd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. syslogd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run syslogd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow syslogd the ability to read/write terminals, you must turn on the logging_syslogd_use_tty boolean.
-+
-+.EX
-+.B setsebool -P logging_syslogd_use_tty 1
-+.EE
-+
-+.PP
-+If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean.
-+
-+.EX
-+.B setsebool -P logging_syslogd_can_sendmail 1
-+.EE
-+
-+.PP
-+If you want to allow syslogd the ability to read/write terminals, you must turn on the logging_syslogd_use_tty boolean.
-+
-+.EX
-+.B setsebool -P logging_syslogd_use_tty 1
-+.EE
-+
-+.PP
-+If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean.
-+
-+.EX
-+.B setsebool -P logging_syslogd_can_sendmail 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux syslogd policy is very flexible allowing users to setup their syslogd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for syslogd:
-+
-+
-+.EX
-+.PP
-+.B syslogd_exec_t
-+.EE
-+
-+- Set files with the syslogd_exec_t type, if you want to transition an executable to the syslogd_t domain.
-+
-+
-+.EX
-+.PP
-+.B syslogd_initrc_exec_t
-+.EE
-+
-+- Set files with the syslogd_initrc_exec_t type, if you want to transition an executable to the syslogd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B syslogd_keytab_t
-+.EE
-+
-+- Set files with the syslogd_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B syslogd_tmp_t
-+.EE
-+
-+- Set files with the syslogd_tmp_t type, if you want to store syslogd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B syslogd_var_lib_t
-+.EE
-+
-+- Set files with the syslogd_var_lib_t type, if you want to store the syslogd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B syslogd_var_run_t
-+.EE
-+
-+- Set files with the syslogd_var_run_t type, if you want to store the syslogd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux syslogd policy is very flexible allowing users to setup their syslogd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for syslogd:
-+
-+.EX
-+.TP 5
-+.B syslogd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 6514
-+.EE
-+udp 514,6514
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type syslogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B logfile
-+
-+ all log files
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B syslogd_tmp_t
-+
-+
-+.br
-+.B syslogd_var_lib_t
-+
-+ /var/lib/r?syslog(/.*)?
-+.br
-+ /var/lib/syslog-ng(/.*)?
-+.br
-+ /var/lib/syslog-ng.persist
-+.br
-+
-+.br
-+.B syslogd_var_run_t
-+
-+ /var/run/log(/.*)?
-+.br
-+ /var/run/syslog-ng.ctl
-+.br
-+ /var/log/syslog-ng(/.*)?
-+.br
-+ /var/run/syslog-ng(/.*)?
-+.br
-+ /var/run/systemd/journal(/.*)?
-+.br
-+ /var/run/metalog\.pid
-+.br
-+ /var/run/syslogd\.pid
-+.br
-+
-+.br
-+.B tmpfs_t
-+
-+ /dev/shm
-+.br
-+ /lib/udev/devices/shm
-+.br
-+ /usr/lib/udev/devices/shm
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the syslogd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the syslogd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), syslogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/sysstat_selinux.8 b/man/man8/sysstat_selinux.8
-new file mode 100644
-index 0000000..a41e354
---- /dev/null
-+++ b/man/man8/sysstat_selinux.8
-@@ -0,0 +1,124 @@
-+.TH "sysstat_selinux" "8" "12-11-01" "sysstat" "SELinux Policy documentation for sysstat"
-+.SH "NAME"
-+sysstat_selinux \- Security Enhanced Linux Policy for the sysstat processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the sysstat processes via flexible mandatory access control.
-+
-+The sysstat processes execute with the sysstat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep sysstat_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The sysstat_t SELinux type can be entered via the "sysstat_exec_t" file type. The default entrypoint paths for the sysstat_t domain are the following:"
-+
-+/usr/lib/sa/sa.*, /usr/lib/atsar/atsa.*, /usr/lib/sysstat/sa.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux sysstat policy is very flexible allowing users to setup their sysstat processes in as secure a method as possible.
-+.PP
-+The following process types are defined for sysstat:
-+
-+.EX
-+.B sysstat_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux sysstat policy is very flexible allowing users to setup their sysstat processes in as secure a method as possible.
-+.PP
-+The following file types are defined for sysstat:
-+
-+
-+.EX
-+.PP
-+.B sysstat_exec_t
-+.EE
-+
-+- Set files with the sysstat_exec_t type, if you want to transition an executable to the sysstat_t domain.
-+
-+
-+.EX
-+.PP
-+.B sysstat_log_t
-+.EE
-+
-+- Set files with the sysstat_log_t type, if you want to treat the data as sysstat log data, usually stored under the /var/log directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type sysstat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B sysstat_log_t
-+
-+ /var/log/sa(/.*)?
-+.br
-+ /opt/sartest(/.*)?
-+.br
-+ /var/log/atsar(/.*)?
-+.br
-+ /var/log/sysstat(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sysstat_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the sysstat_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), sysstat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/system_munin_plugin_selinux.8 b/man/man8/system_munin_plugin_selinux.8
-new file mode 100644
-index 0000000..1b3a9b7
---- /dev/null
-+++ b/man/man8/system_munin_plugin_selinux.8
-@@ -0,0 +1,115 @@
-+.TH "system_munin_plugin_selinux" "8" "12-11-01" "system_munin_plugin" "SELinux Policy documentation for system_munin_plugin"
-+.SH "NAME"
-+system_munin_plugin_selinux \- Security Enhanced Linux Policy for the system_munin_plugin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the system_munin_plugin processes via flexible mandatory access control.
-+
-+The system_munin_plugin processes execute with the system_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep system_munin_plugin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The system_munin_plugin_t SELinux type can be entered via the "system_munin_plugin_exec_t" file type. The default entrypoint paths for the system_munin_plugin_t domain are the following:"
-+
-+/usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/load, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/users, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/open_files
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux system_munin_plugin policy is very flexible allowing users to setup their system_munin_plugin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for system_munin_plugin:
-+
-+.EX
-+.B system_munin_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux system_munin_plugin policy is very flexible allowing users to setup their system_munin_plugin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for system_munin_plugin:
-+
-+
-+.EX
-+.PP
-+.B system_munin_plugin_exec_t
-+.EE
-+
-+- Set files with the system_munin_plugin_exec_t type, if you want to transition an executable to the system_munin_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B system_munin_plugin_tmp_t
-+.EE
-+
-+- Set files with the system_munin_plugin_tmp_t type, if you want to store system munin plugin temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type system_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B munin_plugin_state_t
-+
-+ /var/lib/munin/plugin-state(/.*)?
-+.br
-+
-+.br
-+.B munin_var_lib_t
-+
-+ /var/lib/munin(/.*)?
-+.br
-+
-+.br
-+.B system_munin_plugin_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), system_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/systemd_logger_selinux.8 b/man/man8/systemd_logger_selinux.8
-new file mode 100644
-index 0000000..b8b6a98
---- /dev/null
-+++ b/man/man8/systemd_logger_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "systemd_logger_selinux" "8" "12-11-01" "systemd_logger" "SELinux Policy documentation for systemd_logger"
-+.SH "NAME"
-+systemd_logger_selinux \- Security Enhanced Linux Policy for the systemd_logger processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the systemd_logger processes via flexible mandatory access control.
-+
-+The systemd_logger processes execute with the systemd_logger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep systemd_logger_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The systemd_logger_t SELinux type can be entered via the "systemd_logger_exec_t" file type. The default entrypoint paths for the systemd_logger_t domain are the following:"
-+
-+/usr/lib/systemd/systemd-logger
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux systemd_logger policy is very flexible allowing users to setup their systemd_logger processes in as secure a method as possible.
-+.PP
-+The following process types are defined for systemd_logger:
-+
-+.EX
-+.B systemd_logger_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux systemd_logger policy is very flexible allowing users to setup their systemd_logger processes in as secure a method as possible.
-+.PP
-+The following file types are defined for systemd_logger:
-+
-+
-+.EX
-+.PP
-+.B systemd_logger_exec_t
-+.EE
-+
-+- Set files with the systemd_logger_exec_t type, if you want to transition an executable to the systemd_logger_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_logger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the systemd_logger_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), systemd_logger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/systemd_logind_selinux.8 b/man/man8/systemd_logind_selinux.8
-new file mode 100644
-index 0000000..d2912c3
---- /dev/null
-+++ b/man/man8/systemd_logind_selinux.8
-@@ -0,0 +1,249 @@
-+.TH "systemd_logind_selinux" "8" "12-11-01" "systemd_logind" "SELinux Policy documentation for systemd_logind"
-+.SH "NAME"
-+systemd_logind_selinux \- Security Enhanced Linux Policy for the systemd_logind processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the systemd_logind processes via flexible mandatory access control.
-+
-+The systemd_logind processes execute with the systemd_logind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep systemd_logind_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The systemd_logind_t SELinux type can be entered via the "systemd_logind_exec_t" file type. The default entrypoint paths for the systemd_logind_t domain are the following:"
-+
-+/usr/lib/systemd/systemd-logind
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux systemd_logind policy is very flexible allowing users to setup their systemd_logind processes in as secure a method as possible.
-+.PP
-+The following process types are defined for systemd_logind:
-+
-+.EX
-+.B systemd_logind_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux systemd_logind policy is very flexible allowing users to setup their systemd_logind processes in as secure a method as possible.
-+.PP
-+The following file types are defined for systemd_logind:
-+
-+
-+.EX
-+.PP
-+.B systemd_logind_exec_t
-+.EE
-+
-+- Set files with the systemd_logind_exec_t type, if you want to transition an executable to the systemd_logind_t domain.
-+
-+
-+.EX
-+.PP
-+.B systemd_logind_inhibit_var_run_t
-+.EE
-+
-+- Set files with the systemd_logind_inhibit_var_run_t type, if you want to store the systemd logind inhibit files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B systemd_logind_sessions_t
-+.EE
-+
-+- Set files with the systemd_logind_sessions_t type, if you want to treat the files as systemd logind sessions data.
-+
-+
-+.EX
-+.PP
-+.B systemd_logind_var_run_t
-+.EE
-+
-+- Set files with the systemd_logind_var_run_t type, if you want to store the systemd logind files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type systemd_logind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B config_home_t
-+
-+ /root/\.kde(/.*)?
-+.br
-+ /root/\.xine(/.*)?
-+.br
-+ /root/\.config(/.*)?
-+.br
-+ /var/run/user/[^/]*/dconf(/.*)?
-+.br
-+ /root/\.Xdefaults
-+.br
-+ /home/[^/]*/\.kde(/.*)?
-+.br
-+ /home/[^/]*/\.xine(/.*)?
-+.br
-+ /home/[^/]*/\.config(/.*)?
-+.br
-+ /home/[^/]*/\.Xdefaults
-+.br
-+ /home/dwalsh/\.kde(/.*)?
-+.br
-+ /home/dwalsh/\.xine(/.*)?
-+.br
-+ /home/dwalsh/\.config(/.*)?
-+.br
-+ /home/dwalsh/\.Xdefaults
-+.br
-+ /var/lib/xguest/home/xguest/\.kde(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.xine(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.config(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.Xdefaults
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B systemd_logind_inhibit_var_run_t
-+
-+ /var/run/systemd/inhibit(/.*)?
-+.br
-+
-+.br
-+.B systemd_logind_sessions_t
-+
-+ /var/run/systemd/sessions(/.*)?
-+.br
-+
-+.br
-+.B systemd_logind_var_run_t
-+
-+ /var/run/systemd/seats(/.*)?
-+.br
-+ /var/run/systemd/users(/.*)?
-+.br
-+ /var/run/nologin
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B udev_rules_t
-+
-+ /etc/udev/rules.d(/.*)?
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.br
-+.B var_auth_t
-+
-+ /var/ace(/.*)?
-+.br
-+ /var/rsa(/.*)?
-+.br
-+ /var/lib/abl(/.*)?
-+.br
-+ /var/lib/rsa(/.*)?
-+.br
-+ /var/lib/pam_ssh(/.*)?
-+.br
-+ /var/run/pam_ssh(/.*)?
-+.br
-+ /var/lib/pam_shield(/.*)?
-+.br
-+ /var/lib/google-authenticator(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_logind_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the systemd_logind_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), systemd_logind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, systemd_logger_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/systemd_notify_selinux.8 b/man/man8/systemd_notify_selinux.8
-new file mode 100644
-index 0000000..6a06f93
---- /dev/null
-+++ b/man/man8/systemd_notify_selinux.8
-@@ -0,0 +1,113 @@
-+.TH "systemd_notify_selinux" "8" "12-11-01" "systemd_notify" "SELinux Policy documentation for systemd_notify"
-+.SH "NAME"
-+systemd_notify_selinux \- Security Enhanced Linux Policy for the systemd_notify processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the systemd_notify processes via flexible mandatory access control.
-+
-+The systemd_notify processes execute with the systemd_notify_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep systemd_notify_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The systemd_notify_t SELinux type can be entered via the "systemd_notify_exec_t" file type. The default entrypoint paths for the systemd_notify_t domain are the following:"
-+
-+/bin/systemd-notify, /usr/bin/systemd-notify
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux systemd_notify policy is very flexible allowing users to setup their systemd_notify processes in as secure a method as possible.
-+.PP
-+The following process types are defined for systemd_notify:
-+
-+.EX
-+.B systemd_notify_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux systemd_notify policy is very flexible allowing users to setup their systemd_notify processes in as secure a method as possible.
-+.PP
-+The following file types are defined for systemd_notify:
-+
-+
-+.EX
-+.PP
-+.B systemd_notify_exec_t
-+.EE
-+
-+- Set files with the systemd_notify_exec_t type, if you want to transition an executable to the systemd_notify_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type systemd_notify_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B readahead_var_run_t
-+
-+ /dev/\.systemd/readahead(/.*)?
-+.br
-+ /var/run/systemd/readahead(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_notify_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the systemd_notify_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), systemd_notify(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/systemd_passwd_agent_selinux.8 b/man/man8/systemd_passwd_agent_selinux.8
-new file mode 100644
-index 0000000..e32dad2
---- /dev/null
-+++ b/man/man8/systemd_passwd_agent_selinux.8
-@@ -0,0 +1,113 @@
-+.TH "systemd_passwd_agent_selinux" "8" "12-11-01" "systemd_passwd_agent" "SELinux Policy documentation for systemd_passwd_agent"
-+.SH "NAME"
-+systemd_passwd_agent_selinux \- Security Enhanced Linux Policy for the systemd_passwd_agent processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the systemd_passwd_agent processes via flexible mandatory access control.
-+
-+The systemd_passwd_agent processes execute with the systemd_passwd_agent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep systemd_passwd_agent_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The systemd_passwd_agent_t SELinux type can be entered via the "systemd_passwd_agent_exec_t" file type. The default entrypoint paths for the systemd_passwd_agent_t domain are the following:"
-+
-+/bin/systemd-tty-ask-password-agent, /usr/bin/systemd-tty-ask-password-agent, /usr/bin/systemd-gnome-ask-password-agent
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux systemd_passwd_agent policy is very flexible allowing users to setup their systemd_passwd_agent processes in as secure a method as possible.
-+.PP
-+The following process types are defined for systemd_passwd_agent:
-+
-+.EX
-+.B systemd_passwd_agent_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux systemd_passwd_agent policy is very flexible allowing users to setup their systemd_passwd_agent processes in as secure a method as possible.
-+.PP
-+The following file types are defined for systemd_passwd_agent:
-+
-+
-+.EX
-+.PP
-+.B systemd_passwd_agent_exec_t
-+.EE
-+
-+- Set files with the systemd_passwd_agent_exec_t type, if you want to transition an executable to the systemd_passwd_agent_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type systemd_passwd_agent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_passwd_agent_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the systemd_passwd_agent_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), systemd_passwd_agent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_tmpfiles_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/systemd_tmpfiles_selinux.8 b/man/man8/systemd_tmpfiles_selinux.8
-new file mode 100644
-index 0000000..de442a9
---- /dev/null
-+++ b/man/man8/systemd_tmpfiles_selinux.8
-@@ -0,0 +1,187 @@
-+.TH "systemd_tmpfiles_selinux" "8" "12-11-01" "systemd_tmpfiles" "SELinux Policy documentation for systemd_tmpfiles"
-+.SH "NAME"
-+systemd_tmpfiles_selinux \- Security Enhanced Linux Policy for the systemd_tmpfiles processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the systemd_tmpfiles processes via flexible mandatory access control.
-+
-+The systemd_tmpfiles processes execute with the systemd_tmpfiles_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep systemd_tmpfiles_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The systemd_tmpfiles_t SELinux type can be entered via the "systemd_tmpfiles_exec_t" file type. The default entrypoint paths for the systemd_tmpfiles_t domain are the following:"
-+
-+/bin/systemd-tmpfiles, /usr/bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux systemd_tmpfiles policy is very flexible allowing users to setup their systemd_tmpfiles processes in as secure a method as possible.
-+.PP
-+The following process types are defined for systemd_tmpfiles:
-+
-+.EX
-+.B systemd_tmpfiles_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux systemd_tmpfiles policy is very flexible allowing users to setup their systemd_tmpfiles processes in as secure a method as possible.
-+.PP
-+The following file types are defined for systemd_tmpfiles:
-+
-+
-+.EX
-+.PP
-+.B systemd_tmpfiles_exec_t
-+.EE
-+
-+- Set files with the systemd_tmpfiles_exec_t type, if you want to transition an executable to the systemd_tmpfiles_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type systemd_tmpfiles_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B lockfile
-+
-+
-+.br
-+.B man_t
-+
-+ /opt/(.*/)?man(/.*)?
-+.br
-+ /usr/man(/.*)?
-+.br
-+ /usr/share/man(/.*)?
-+.br
-+ /usr/X11R6/man(/.*)?
-+.br
-+ /usr/lib/perl5/man(/.*)?
-+.br
-+
-+.br
-+.B pidfile
-+
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B tmp_t
-+
-+ /sandbox(/.*)?
-+.br
-+ /tmp
-+.br
-+ /var/tmp
-+.br
-+ /var/tmp
-+.br
-+ /usr/tmp
-+.br
-+ /var/tmp/vi\.recover
-+.br
-+
-+.br
-+.B var_auth_t
-+
-+ /var/ace(/.*)?
-+.br
-+ /var/rsa(/.*)?
-+.br
-+ /var/lib/abl(/.*)?
-+.br
-+ /var/lib/rsa(/.*)?
-+.br
-+ /var/lib/pam_ssh(/.*)?
-+.br
-+ /var/run/pam_ssh(/.*)?
-+.br
-+ /var/lib/pam_shield(/.*)?
-+.br
-+ /var/lib/google-authenticator(/.*)?
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_tmpfiles_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the systemd_tmpfiles_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), systemd_tmpfiles(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/tcpd_selinux.8 b/man/man8/tcpd_selinux.8
-new file mode 100644
-index 0000000..42ef6d7
---- /dev/null
-+++ b/man/man8/tcpd_selinux.8
-@@ -0,0 +1,152 @@
-+.TH "tcpd_selinux" "8" "12-11-01" "tcpd" "SELinux Policy documentation for tcpd"
-+.SH "NAME"
-+tcpd_selinux \- Security Enhanced Linux Policy for the tcpd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the tcpd processes via flexible mandatory access control.
-+
-+The tcpd processes execute with the tcpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep tcpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The tcpd_t SELinux type can be entered via the "tcpd_exec_t" file type. The default entrypoint paths for the tcpd_t domain are the following:"
-+
-+/usr/sbin/tcpd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux tcpd policy is very flexible allowing users to setup their tcpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for tcpd:
-+
-+.EX
-+.B tcpd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. tcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tcpd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean.
-+
-+.EX
-+.B setsebool -P daemons_use_tcp_wrapper 1
-+.EE
-+
-+.PP
-+If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_tcp_server 1
-+.EE
-+
-+.PP
-+If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean.
-+
-+.EX
-+.B setsebool -P telepathy_tcp_connect_generic_network_ports 1
-+.EE
-+
-+.PP
-+If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean.
-+
-+.EX
-+.B setsebool -P daemons_use_tcp_wrapper 1
-+.EE
-+
-+.PP
-+If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_tcp_server 1
-+.EE
-+
-+.PP
-+If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean.
-+
-+.EX
-+.B setsebool -P telepathy_tcp_connect_generic_network_ports 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux tcpd policy is very flexible allowing users to setup their tcpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for tcpd:
-+
-+
-+.EX
-+.PP
-+.B tcpd_exec_t
-+.EE
-+
-+- Set files with the tcpd_exec_t type, if you want to transition an executable to the tcpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B tcpd_tmp_t
-+.EE
-+
-+- Set files with the tcpd_tmp_t type, if you want to store tcpd temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type tcpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B tcpd_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), tcpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/tcsd_selinux.8 b/man/man8/tcsd_selinux.8
-new file mode 100644
-index 0000000..f4bc953
---- /dev/null
-+++ b/man/man8/tcsd_selinux.8
-@@ -0,0 +1,152 @@
-+.TH "tcsd_selinux" "8" "12-11-01" "tcsd" "SELinux Policy documentation for tcsd"
-+.SH "NAME"
-+tcsd_selinux \- Security Enhanced Linux Policy for the tcsd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the tcsd processes via flexible mandatory access control.
-+
-+The tcsd processes execute with the tcsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep tcsd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The tcsd_t SELinux type can be entered via the "tcsd_exec_t" file type. The default entrypoint paths for the tcsd_t domain are the following:"
-+
-+/usr/sbin/tcsd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux tcsd policy is very flexible allowing users to setup their tcsd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for tcsd:
-+
-+.EX
-+.B tcsd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux tcsd policy is very flexible allowing users to setup their tcsd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for tcsd:
-+
-+
-+.EX
-+.PP
-+.B tcsd_exec_t
-+.EE
-+
-+- Set files with the tcsd_exec_t type, if you want to transition an executable to the tcsd_t domain.
-+
-+
-+.EX
-+.PP
-+.B tcsd_initrc_exec_t
-+.EE
-+
-+- Set files with the tcsd_initrc_exec_t type, if you want to transition an executable to the tcsd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B tcsd_var_lib_t
-+.EE
-+
-+- Set files with the tcsd_var_lib_t type, if you want to store the tcsd files under the /var/lib directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux tcsd policy is very flexible allowing users to setup their tcsd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for tcsd:
-+
-+.EX
-+.TP 5
-+.B tcs_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 30003
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type tcsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B tcsd_var_lib_t
-+
-+ /var/lib/tpm(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tcsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the tcsd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), tcsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/telepathy_gabble_selinux.8 b/man/man8/telepathy_gabble_selinux.8
-new file mode 100644
-index 0000000..a1ba3c0
---- /dev/null
-+++ b/man/man8/telepathy_gabble_selinux.8
-@@ -0,0 +1,193 @@
-+.TH "telepathy_gabble_selinux" "8" "12-11-01" "telepathy_gabble" "SELinux Policy documentation for telepathy_gabble"
-+.SH "NAME"
-+telepathy_gabble_selinux \- Security Enhanced Linux Policy for the telepathy_gabble processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the telepathy_gabble processes via flexible mandatory access control.
-+
-+The telepathy_gabble processes execute with the telepathy_gabble_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep telepathy_gabble_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The telepathy_gabble_t SELinux type can be entered via the "telepathy_gabble_exec_t" file type. The default entrypoint paths for the telepathy_gabble_t domain are the following:"
-+
-+/usr/libexec/telepathy-gabble
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux telepathy_gabble policy is very flexible allowing users to setup their telepathy_gabble processes in as secure a method as possible.
-+.PP
-+The following process types are defined for telepathy_gabble:
-+
-+.EX
-+.B telepathy_gabble_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux telepathy_gabble policy is very flexible allowing users to setup their telepathy_gabble processes in as secure a method as possible.
-+.PP
-+The following file types are defined for telepathy_gabble:
-+
-+
-+.EX
-+.PP
-+.B telepathy_gabble_cache_home_t
-+.EE
-+
-+- Set files with the telepathy_gabble_cache_home_t type, if you want to store telepathy gabble cache files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B telepathy_gabble_exec_t
-+.EE
-+
-+- Set files with the telepathy_gabble_exec_t type, if you want to transition an executable to the telepathy_gabble_t domain.
-+
-+
-+.EX
-+.PP
-+.B telepathy_gabble_tmp_t
-+.EE
-+
-+- Set files with the telepathy_gabble_tmp_t type, if you want to store telepathy gabble temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type telepathy_gabble_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cache_home_t
-+
-+ /root/\.cache(/.*)?
-+.br
-+ /home/[^/]*/\.nv(/.*)?
-+.br
-+ /home/[^/]*/\.cache(/.*)?
-+.br
-+ /home/dwalsh/\.nv(/.*)?
-+.br
-+ /home/dwalsh/\.cache(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.nv(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache(/.*)?
-+.br
-+
-+.br
-+.B config_home_t
-+
-+ /root/\.kde(/.*)?
-+.br
-+ /root/\.xine(/.*)?
-+.br
-+ /root/\.config(/.*)?
-+.br
-+ /var/run/user/[^/]*/dconf(/.*)?
-+.br
-+ /root/\.Xdefaults
-+.br
-+ /home/[^/]*/\.kde(/.*)?
-+.br
-+ /home/[^/]*/\.xine(/.*)?
-+.br
-+ /home/[^/]*/\.config(/.*)?
-+.br
-+ /home/[^/]*/\.Xdefaults
-+.br
-+ /home/dwalsh/\.kde(/.*)?
-+.br
-+ /home/dwalsh/\.xine(/.*)?
-+.br
-+ /home/dwalsh/\.config(/.*)?
-+.br
-+ /home/dwalsh/\.Xdefaults
-+.br
-+ /var/lib/xguest/home/xguest/\.kde(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.xine(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.config(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.Xdefaults
-+.br
-+
-+.br
-+.B telepathy_gabble_cache_home_t
-+
-+ /home/[^/]*/\.cache/wocky(/.*)?
-+.br
-+ /home/[^/]*/\.cache/telepathy/gabble(/.*)?
-+.br
-+ /home/dwalsh/\.cache/wocky(/.*)?
-+.br
-+ /home/dwalsh/\.cache/telepathy/gabble(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache/wocky(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache/telepathy/gabble(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_gabble_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_gabble_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), telepathy_gabble(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/telepathy_idle_selinux.8 b/man/man8/telepathy_idle_selinux.8
-new file mode 100644
-index 0000000..dd6fb69
---- /dev/null
-+++ b/man/man8/telepathy_idle_selinux.8
-@@ -0,0 +1,131 @@
-+.TH "telepathy_idle_selinux" "8" "12-11-01" "telepathy_idle" "SELinux Policy documentation for telepathy_idle"
-+.SH "NAME"
-+telepathy_idle_selinux \- Security Enhanced Linux Policy for the telepathy_idle processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the telepathy_idle processes via flexible mandatory access control.
-+
-+The telepathy_idle processes execute with the telepathy_idle_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep telepathy_idle_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The telepathy_idle_t SELinux type can be entered via the "telepathy_idle_exec_t" file type. The default entrypoint paths for the telepathy_idle_t domain are the following:"
-+
-+/usr/libexec/telepathy-idle
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux telepathy_idle policy is very flexible allowing users to setup their telepathy_idle processes in as secure a method as possible.
-+.PP
-+The following process types are defined for telepathy_idle:
-+
-+.EX
-+.B telepathy_idle_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux telepathy_idle policy is very flexible allowing users to setup their telepathy_idle processes in as secure a method as possible.
-+.PP
-+The following file types are defined for telepathy_idle:
-+
-+
-+.EX
-+.PP
-+.B telepathy_idle_exec_t
-+.EE
-+
-+- Set files with the telepathy_idle_exec_t type, if you want to transition an executable to the telepathy_idle_t domain.
-+
-+
-+.EX
-+.PP
-+.B telepathy_idle_tmp_t
-+.EE
-+
-+- Set files with the telepathy_idle_tmp_t type, if you want to store telepathy idle temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type telepathy_idle_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cache_home_t
-+
-+ /root/\.cache(/.*)?
-+.br
-+ /home/[^/]*/\.nv(/.*)?
-+.br
-+ /home/[^/]*/\.cache(/.*)?
-+.br
-+ /home/dwalsh/\.nv(/.*)?
-+.br
-+ /home/dwalsh/\.cache(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.nv(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_idle_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_idle_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), telepathy_idle(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, telepathy_gabble_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/telepathy_logger_selinux.8 b/man/man8/telepathy_logger_selinux.8
-new file mode 100644
-index 0000000..e218a21
---- /dev/null
-+++ b/man/man8/telepathy_logger_selinux.8
-@@ -0,0 +1,205 @@
-+.TH "telepathy_logger_selinux" "8" "12-11-01" "telepathy_logger" "SELinux Policy documentation for telepathy_logger"
-+.SH "NAME"
-+telepathy_logger_selinux \- Security Enhanced Linux Policy for the telepathy_logger processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the telepathy_logger processes via flexible mandatory access control.
-+
-+The telepathy_logger processes execute with the telepathy_logger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep telepathy_logger_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The telepathy_logger_t SELinux type can be entered via the "telepathy_logger_exec_t" file type. The default entrypoint paths for the telepathy_logger_t domain are the following:"
-+
-+/usr/libexec/telepathy-logger
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux telepathy_logger policy is very flexible allowing users to setup their telepathy_logger processes in as secure a method as possible.
-+.PP
-+The following process types are defined for telepathy_logger:
-+
-+.EX
-+.B telepathy_logger_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux telepathy_logger policy is very flexible allowing users to setup their telepathy_logger processes in as secure a method as possible.
-+.PP
-+The following file types are defined for telepathy_logger:
-+
-+
-+.EX
-+.PP
-+.B telepathy_logger_cache_home_t
-+.EE
-+
-+- Set files with the telepathy_logger_cache_home_t type, if you want to store telepathy logger cache files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B telepathy_logger_data_home_t
-+.EE
-+
-+- Set files with the telepathy_logger_data_home_t type, if you want to store telepathy logger data files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B telepathy_logger_exec_t
-+.EE
-+
-+- Set files with the telepathy_logger_exec_t type, if you want to transition an executable to the telepathy_logger_t domain.
-+
-+
-+.EX
-+.PP
-+.B telepathy_logger_tmp_t
-+.EE
-+
-+- Set files with the telepathy_logger_tmp_t type, if you want to store telepathy logger temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type telepathy_logger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cache_home_t
-+
-+ /root/\.cache(/.*)?
-+.br
-+ /home/[^/]*/\.nv(/.*)?
-+.br
-+ /home/[^/]*/\.cache(/.*)?
-+.br
-+ /home/dwalsh/\.nv(/.*)?
-+.br
-+ /home/dwalsh/\.cache(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.nv(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache(/.*)?
-+.br
-+
-+.br
-+.B config_home_t
-+
-+ /root/\.kde(/.*)?
-+.br
-+ /root/\.xine(/.*)?
-+.br
-+ /root/\.config(/.*)?
-+.br
-+ /var/run/user/[^/]*/dconf(/.*)?
-+.br
-+ /root/\.Xdefaults
-+.br
-+ /home/[^/]*/\.kde(/.*)?
-+.br
-+ /home/[^/]*/\.xine(/.*)?
-+.br
-+ /home/[^/]*/\.config(/.*)?
-+.br
-+ /home/[^/]*/\.Xdefaults
-+.br
-+ /home/dwalsh/\.kde(/.*)?
-+.br
-+ /home/dwalsh/\.xine(/.*)?
-+.br
-+ /home/dwalsh/\.config(/.*)?
-+.br
-+ /home/dwalsh/\.Xdefaults
-+.br
-+ /var/lib/xguest/home/xguest/\.kde(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.xine(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.config(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.Xdefaults
-+.br
-+
-+.br
-+.B telepathy_logger_cache_home_t
-+
-+ /home/[^/]*/\.cache/telepathy/logger(/.*)?
-+.br
-+ /home/dwalsh/\.cache/telepathy/logger(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache/telepathy/logger(/.*)?
-+.br
-+
-+.br
-+.B telepathy_logger_data_home_t
-+
-+ /home/[^/]*/\.local/share/TpLogger(/.*)?
-+.br
-+ /home/dwalsh/\.local/share/TpLogger(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.local/share/TpLogger(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_logger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_logger_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), telepathy_logger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/telepathy_mission_control_selinux.8 b/man/man8/telepathy_mission_control_selinux.8
-new file mode 100644
-index 0000000..6367510
---- /dev/null
-+++ b/man/man8/telepathy_mission_control_selinux.8
-@@ -0,0 +1,223 @@
-+.TH "telepathy_mission_control_selinux" "8" "12-11-01" "telepathy_mission_control" "SELinux Policy documentation for telepathy_mission_control"
-+.SH "NAME"
-+telepathy_mission_control_selinux \- Security Enhanced Linux Policy for the telepathy_mission_control processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the telepathy_mission_control processes via flexible mandatory access control.
-+
-+The telepathy_mission_control processes execute with the telepathy_mission_control_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep telepathy_mission_control_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The telepathy_mission_control_t SELinux type can be entered via the "telepathy_mission_control_exec_t" file type. The default entrypoint paths for the telepathy_mission_control_t domain are the following:"
-+
-+/usr/libexec/mission-control-5
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux telepathy_mission_control policy is very flexible allowing users to setup their telepathy_mission_control processes in as secure a method as possible.
-+.PP
-+The following process types are defined for telepathy_mission_control:
-+
-+.EX
-+.B telepathy_mission_control_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux telepathy_mission_control policy is very flexible allowing users to setup their telepathy_mission_control processes in as secure a method as possible.
-+.PP
-+The following file types are defined for telepathy_mission_control:
-+
-+
-+.EX
-+.PP
-+.B telepathy_mission_control_cache_home_t
-+.EE
-+
-+- Set files with the telepathy_mission_control_cache_home_t type, if you want to store telepathy mission control cache files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B telepathy_mission_control_data_home_t
-+.EE
-+
-+- Set files with the telepathy_mission_control_data_home_t type, if you want to store telepathy mission control data files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B telepathy_mission_control_exec_t
-+.EE
-+
-+- Set files with the telepathy_mission_control_exec_t type, if you want to transition an executable to the telepathy_mission_control_t domain.
-+
-+
-+.EX
-+.PP
-+.B telepathy_mission_control_home_t
-+.EE
-+
-+- Set files with the telepathy_mission_control_home_t type, if you want to store telepathy mission control files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B telepathy_mission_control_tmp_t
-+.EE
-+
-+- Set files with the telepathy_mission_control_tmp_t type, if you want to store telepathy mission control temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type telepathy_mission_control_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cache_home_t
-+
-+ /root/\.cache(/.*)?
-+.br
-+ /home/[^/]*/\.nv(/.*)?
-+.br
-+ /home/[^/]*/\.cache(/.*)?
-+.br
-+ /home/dwalsh/\.nv(/.*)?
-+.br
-+ /home/dwalsh/\.cache(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.nv(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache(/.*)?
-+.br
-+
-+.br
-+.B config_home_t
-+
-+ /root/\.kde(/.*)?
-+.br
-+ /root/\.xine(/.*)?
-+.br
-+ /root/\.config(/.*)?
-+.br
-+ /var/run/user/[^/]*/dconf(/.*)?
-+.br
-+ /root/\.Xdefaults
-+.br
-+ /home/[^/]*/\.kde(/.*)?
-+.br
-+ /home/[^/]*/\.xine(/.*)?
-+.br
-+ /home/[^/]*/\.config(/.*)?
-+.br
-+ /home/[^/]*/\.Xdefaults
-+.br
-+ /home/dwalsh/\.kde(/.*)?
-+.br
-+ /home/dwalsh/\.xine(/.*)?
-+.br
-+ /home/dwalsh/\.config(/.*)?
-+.br
-+ /home/dwalsh/\.Xdefaults
-+.br
-+ /var/lib/xguest/home/xguest/\.kde(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.xine(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.config(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.Xdefaults
-+.br
-+
-+.br
-+.B telepathy_mission_control_cache_home_t
-+
-+ /home/[^/]*/\.cache/\.mc_connections
-+.br
-+ /home/dwalsh/\.cache/\.mc_connections
-+.br
-+ /var/lib/xguest/home/xguest/\.cache/\.mc_connections
-+.br
-+
-+.br
-+.B telepathy_mission_control_data_home_t
-+
-+ /home/[^/]*/\.local/share/telepathy/mission-control(/.*)?
-+.br
-+ /home/dwalsh/\.local/share/telepathy/mission-control(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.local/share/telepathy/mission-control(/.*)?
-+.br
-+
-+.br
-+.B telepathy_mission_control_home_t
-+
-+ /home/[^/]*/\.mission-control(/.*)?
-+.br
-+ /home/dwalsh/\.mission-control(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.mission-control(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_mission_control_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_mission_control_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), telepathy_mission_control(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/telepathy_msn_selinux.8 b/man/man8/telepathy_msn_selinux.8
-new file mode 100644
-index 0000000..69bc52e
---- /dev/null
-+++ b/man/man8/telepathy_msn_selinux.8
-@@ -0,0 +1,135 @@
-+.TH "telepathy_msn_selinux" "8" "12-11-01" "telepathy_msn" "SELinux Policy documentation for telepathy_msn"
-+.SH "NAME"
-+telepathy_msn_selinux \- Security Enhanced Linux Policy for the telepathy_msn processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the telepathy_msn processes via flexible mandatory access control.
-+
-+The telepathy_msn processes execute with the telepathy_msn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep telepathy_msn_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The telepathy_msn_t SELinux type can be entered via the "telepathy_msn_exec_t" file type. The default entrypoint paths for the telepathy_msn_t domain are the following:"
-+
-+/usr/libexec/telepathy-haze, /usr/libexec/telepathy-butterfly
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux telepathy_msn policy is very flexible allowing users to setup their telepathy_msn processes in as secure a method as possible.
-+.PP
-+The following process types are defined for telepathy_msn:
-+
-+.EX
-+.B telepathy_msn_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux telepathy_msn policy is very flexible allowing users to setup their telepathy_msn processes in as secure a method as possible.
-+.PP
-+The following file types are defined for telepathy_msn:
-+
-+
-+.EX
-+.PP
-+.B telepathy_msn_exec_t
-+.EE
-+
-+- Set files with the telepathy_msn_exec_t type, if you want to transition an executable to the telepathy_msn_t domain.
-+
-+
-+.EX
-+.PP
-+.B telepathy_msn_tmp_t
-+.EE
-+
-+- Set files with the telepathy_msn_tmp_t type, if you want to store telepathy msn temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type telepathy_msn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cache_home_t
-+
-+ /root/\.cache(/.*)?
-+.br
-+ /home/[^/]*/\.nv(/.*)?
-+.br
-+ /home/[^/]*/\.cache(/.*)?
-+.br
-+ /home/dwalsh/\.nv(/.*)?
-+.br
-+ /home/dwalsh/\.cache(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.nv(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache(/.*)?
-+.br
-+
-+.br
-+.B telepathy_msn_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_msn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_msn_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), telepathy_msn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/telepathy_salut_selinux.8 b/man/man8/telepathy_salut_selinux.8
-new file mode 100644
-index 0000000..b680807
---- /dev/null
-+++ b/man/man8/telepathy_salut_selinux.8
-@@ -0,0 +1,131 @@
-+.TH "telepathy_salut_selinux" "8" "12-11-01" "telepathy_salut" "SELinux Policy documentation for telepathy_salut"
-+.SH "NAME"
-+telepathy_salut_selinux \- Security Enhanced Linux Policy for the telepathy_salut processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the telepathy_salut processes via flexible mandatory access control.
-+
-+The telepathy_salut processes execute with the telepathy_salut_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep telepathy_salut_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The telepathy_salut_t SELinux type can be entered via the "telepathy_salut_exec_t" file type. The default entrypoint paths for the telepathy_salut_t domain are the following:"
-+
-+/usr/libexec/telepathy-salut
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux telepathy_salut policy is very flexible allowing users to setup their telepathy_salut processes in as secure a method as possible.
-+.PP
-+The following process types are defined for telepathy_salut:
-+
-+.EX
-+.B telepathy_salut_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux telepathy_salut policy is very flexible allowing users to setup their telepathy_salut processes in as secure a method as possible.
-+.PP
-+The following file types are defined for telepathy_salut:
-+
-+
-+.EX
-+.PP
-+.B telepathy_salut_exec_t
-+.EE
-+
-+- Set files with the telepathy_salut_exec_t type, if you want to transition an executable to the telepathy_salut_t domain.
-+
-+
-+.EX
-+.PP
-+.B telepathy_salut_tmp_t
-+.EE
-+
-+- Set files with the telepathy_salut_tmp_t type, if you want to store telepathy salut temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type telepathy_salut_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cache_home_t
-+
-+ /root/\.cache(/.*)?
-+.br
-+ /home/[^/]*/\.nv(/.*)?
-+.br
-+ /home/[^/]*/\.cache(/.*)?
-+.br
-+ /home/dwalsh/\.nv(/.*)?
-+.br
-+ /home/dwalsh/\.cache(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.nv(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_salut_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_salut_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), telepathy_salut(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/telepathy_sofiasip_selinux.8 b/man/man8/telepathy_sofiasip_selinux.8
-new file mode 100644
-index 0000000..7a6973e
---- /dev/null
-+++ b/man/man8/telepathy_sofiasip_selinux.8
-@@ -0,0 +1,131 @@
-+.TH "telepathy_sofiasip_selinux" "8" "12-11-01" "telepathy_sofiasip" "SELinux Policy documentation for telepathy_sofiasip"
-+.SH "NAME"
-+telepathy_sofiasip_selinux \- Security Enhanced Linux Policy for the telepathy_sofiasip processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the telepathy_sofiasip processes via flexible mandatory access control.
-+
-+The telepathy_sofiasip processes execute with the telepathy_sofiasip_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep telepathy_sofiasip_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The telepathy_sofiasip_t SELinux type can be entered via the "telepathy_sofiasip_exec_t" file type. The default entrypoint paths for the telepathy_sofiasip_t domain are the following:"
-+
-+/usr/libexec/telepathy-sofiasip
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux telepathy_sofiasip policy is very flexible allowing users to setup their telepathy_sofiasip processes in as secure a method as possible.
-+.PP
-+The following process types are defined for telepathy_sofiasip:
-+
-+.EX
-+.B telepathy_sofiasip_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux telepathy_sofiasip policy is very flexible allowing users to setup their telepathy_sofiasip processes in as secure a method as possible.
-+.PP
-+The following file types are defined for telepathy_sofiasip:
-+
-+
-+.EX
-+.PP
-+.B telepathy_sofiasip_exec_t
-+.EE
-+
-+- Set files with the telepathy_sofiasip_exec_t type, if you want to transition an executable to the telepathy_sofiasip_t domain.
-+
-+
-+.EX
-+.PP
-+.B telepathy_sofiasip_tmp_t
-+.EE
-+
-+- Set files with the telepathy_sofiasip_tmp_t type, if you want to store telepathy sofiasip temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type telepathy_sofiasip_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cache_home_t
-+
-+ /root/\.cache(/.*)?
-+.br
-+ /home/[^/]*/\.nv(/.*)?
-+.br
-+ /home/[^/]*/\.cache(/.*)?
-+.br
-+ /home/dwalsh/\.nv(/.*)?
-+.br
-+ /home/dwalsh/\.cache(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.nv(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_sofiasip_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_sofiasip_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), telepathy_sofiasip(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/telepathy_stream_engine_selinux.8 b/man/man8/telepathy_stream_engine_selinux.8
-new file mode 100644
-index 0000000..dafb6b0
---- /dev/null
-+++ b/man/man8/telepathy_stream_engine_selinux.8
-@@ -0,0 +1,131 @@
-+.TH "telepathy_stream_engine_selinux" "8" "12-11-01" "telepathy_stream_engine" "SELinux Policy documentation for telepathy_stream_engine"
-+.SH "NAME"
-+telepathy_stream_engine_selinux \- Security Enhanced Linux Policy for the telepathy_stream_engine processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the telepathy_stream_engine processes via flexible mandatory access control.
-+
-+The telepathy_stream_engine processes execute with the telepathy_stream_engine_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep telepathy_stream_engine_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The telepathy_stream_engine_t SELinux type can be entered via the "telepathy_stream_engine_exec_t" file type. The default entrypoint paths for the telepathy_stream_engine_t domain are the following:"
-+
-+/usr/libexec/telepathy-stream-engine
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux telepathy_stream_engine policy is very flexible allowing users to setup their telepathy_stream_engine processes in as secure a method as possible.
-+.PP
-+The following process types are defined for telepathy_stream_engine:
-+
-+.EX
-+.B telepathy_stream_engine_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux telepathy_stream_engine policy is very flexible allowing users to setup their telepathy_stream_engine processes in as secure a method as possible.
-+.PP
-+The following file types are defined for telepathy_stream_engine:
-+
-+
-+.EX
-+.PP
-+.B telepathy_stream_engine_exec_t
-+.EE
-+
-+- Set files with the telepathy_stream_engine_exec_t type, if you want to transition an executable to the telepathy_stream_engine_t domain.
-+
-+
-+.EX
-+.PP
-+.B telepathy_stream_engine_tmp_t
-+.EE
-+
-+- Set files with the telepathy_stream_engine_tmp_t type, if you want to store telepathy stream engine temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type telepathy_stream_engine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cache_home_t
-+
-+ /root/\.cache(/.*)?
-+.br
-+ /home/[^/]*/\.nv(/.*)?
-+.br
-+ /home/[^/]*/\.cache(/.*)?
-+.br
-+ /home/dwalsh/\.nv(/.*)?
-+.br
-+ /home/dwalsh/\.cache(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.nv(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_stream_engine_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_stream_engine_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), telepathy_stream_engine(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_sunshine_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/telepathy_sunshine_selinux.8 b/man/man8/telepathy_sunshine_selinux.8
-new file mode 100644
-index 0000000..96616f7
---- /dev/null
-+++ b/man/man8/telepathy_sunshine_selinux.8
-@@ -0,0 +1,153 @@
-+.TH "telepathy_sunshine_selinux" "8" "12-11-01" "telepathy_sunshine" "SELinux Policy documentation for telepathy_sunshine"
-+.SH "NAME"
-+telepathy_sunshine_selinux \- Security Enhanced Linux Policy for the telepathy_sunshine processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the telepathy_sunshine processes via flexible mandatory access control.
-+
-+The telepathy_sunshine processes execute with the telepathy_sunshine_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep telepathy_sunshine_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The telepathy_sunshine_t SELinux type can be entered via the "telepathy_sunshine_exec_t" file type. The default entrypoint paths for the telepathy_sunshine_t domain are the following:"
-+
-+/usr/libexec/telepathy-sunshine
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux telepathy_sunshine policy is very flexible allowing users to setup their telepathy_sunshine processes in as secure a method as possible.
-+.PP
-+The following process types are defined for telepathy_sunshine:
-+
-+.EX
-+.B telepathy_sunshine_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux telepathy_sunshine policy is very flexible allowing users to setup their telepathy_sunshine processes in as secure a method as possible.
-+.PP
-+The following file types are defined for telepathy_sunshine:
-+
-+
-+.EX
-+.PP
-+.B telepathy_sunshine_exec_t
-+.EE
-+
-+- Set files with the telepathy_sunshine_exec_t type, if you want to transition an executable to the telepathy_sunshine_t domain.
-+
-+
-+.EX
-+.PP
-+.B telepathy_sunshine_home_t
-+.EE
-+
-+- Set files with the telepathy_sunshine_home_t type, if you want to store telepathy sunshine files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B telepathy_sunshine_tmp_t
-+.EE
-+
-+- Set files with the telepathy_sunshine_tmp_t type, if you want to store telepathy sunshine temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type telepathy_sunshine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cache_home_t
-+
-+ /root/\.cache(/.*)?
-+.br
-+ /home/[^/]*/\.nv(/.*)?
-+.br
-+ /home/[^/]*/\.cache(/.*)?
-+.br
-+ /home/dwalsh/\.nv(/.*)?
-+.br
-+ /home/dwalsh/\.cache(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.nv(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache(/.*)?
-+.br
-+
-+.br
-+.B telepathy_sunshine_home_t
-+
-+ /home/[^/]*/\.telepathy-sunshine(/.*)?
-+.br
-+ /home/dwalsh/\.telepathy-sunshine(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.telepathy-sunshine(/.*)?
-+.br
-+
-+.br
-+.B telepathy_sunshine_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_sunshine_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_sunshine_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), telepathy_sunshine(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/telnetd_selinux.8 b/man/man8/telnetd_selinux.8
-new file mode 100644
-index 0000000..955a5aa
---- /dev/null
-+++ b/man/man8/telnetd_selinux.8
-@@ -0,0 +1,222 @@
-+.TH "telnetd_selinux" "8" "12-11-01" "telnetd" "SELinux Policy documentation for telnetd"
-+.SH "NAME"
-+telnetd_selinux \- Security Enhanced Linux Policy for the telnetd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the telnetd processes via flexible mandatory access control.
-+
-+The telnetd processes execute with the telnetd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep telnetd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The telnetd_t SELinux type can be entered via the "telnetd_exec_t" file type. The default entrypoint paths for the telnetd_t domain are the following:"
-+
-+/usr/sbin/in\.telnetd, /usr/kerberos/sbin/telnetd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux telnetd policy is very flexible allowing users to setup their telnetd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for telnetd:
-+
-+.EX
-+.B telnetd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux telnetd policy is very flexible allowing users to setup their telnetd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for telnetd:
-+
-+
-+.EX
-+.PP
-+.B telnetd_exec_t
-+.EE
-+
-+- Set files with the telnetd_exec_t type, if you want to transition an executable to the telnetd_t domain.
-+
-+
-+.EX
-+.PP
-+.B telnetd_keytab_t
-+.EE
-+
-+- Set files with the telnetd_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B telnetd_tmp_t
-+.EE
-+
-+- Set files with the telnetd_tmp_t type, if you want to store telnetd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B telnetd_var_run_t
-+.EE
-+
-+- Set files with the telnetd_var_run_t type, if you want to store the telnetd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux telnetd policy is very flexible allowing users to setup their telnetd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for telnetd:
-+
-+.EX
-+.TP 5
-+.B telnetd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 23
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type telnetd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B telnetd_tmp_t
-+
-+
-+.br
-+.B telnetd_var_run_t
-+
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telnetd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the telnetd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), telnetd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/tftpd_selinux.8 b/man/man8/tftpd_selinux.8
-new file mode 100644
-index 0000000..9909eeb
---- /dev/null
-+++ b/man/man8/tftpd_selinux.8
-@@ -0,0 +1,227 @@
-+.TH "tftpd_selinux" "8" "12-11-01" "tftpd" "SELinux Policy documentation for tftpd"
-+.SH "NAME"
-+tftpd_selinux \- Security Enhanced Linux Policy for the tftpd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the tftpd processes via flexible mandatory access control.
-+
-+The tftpd processes execute with the tftpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep tftpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The tftpd_t SELinux type can be entered via the "tftpd_exec_t" file type. The default entrypoint paths for the tftpd_t domain are the following:"
-+
-+/usr/sbin/atftpd, /usr/sbin/in\.tftpd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux tftpd policy is very flexible allowing users to setup their tftpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for tftpd:
-+
-+.EX
-+.B tftpd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. tftpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tftpd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow tftp to read and write files in the user home directories, you must turn on the tftp_home_dir boolean.
-+
-+.EX
-+.B setsebool -P tftp_home_dir 1
-+.EE
-+
-+.PP
-+If you want to allow tftp to read and write files in the user home directories, you must turn on the tftp_home_dir boolean.
-+
-+.EX
-+.B setsebool -P tftp_home_dir 1
-+.EE
-+
-+.SH SHARING FILES
-+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
-+.TP
-+Allow tftpd servers to read the /var/tftpd directory by adding the public_content_t file type to the directory and by restoring the file type.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_t "/var/tftpd(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/tftpd
-+.pp
-+.TP
-+Allow tftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_tftpdd_anon_write boolean to be set.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_rw_t "/var/tftpd/incoming(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/tftpd/incoming
-+
-+
-+.PP
-+If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean.
-+
-+.EX
-+.B setsebool -P tftp_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean.
-+
-+.EX
-+.B setsebool -P tftp_anon_write 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux tftpd policy is very flexible allowing users to setup their tftpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for tftpd:
-+
-+
-+.EX
-+.PP
-+.B tftpd_etc_t
-+.EE
-+
-+- Set files with the tftpd_etc_t type, if you want to store tftpd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B tftpd_exec_t
-+.EE
-+
-+- Set files with the tftpd_exec_t type, if you want to transition an executable to the tftpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B tftpd_var_run_t
-+.EE
-+
-+- Set files with the tftpd_var_run_t type, if you want to store the tftpd files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B tftpdir_rw_t
-+.EE
-+
-+- Set files with the tftpdir_rw_t type, if you want to treat the files as tftpdir read/write content.
-+
-+
-+.EX
-+.PP
-+.B tftpdir_t
-+.EE
-+
-+- Set files with the tftpdir_t type, if you want to treat the files as tftpdir data.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux tftpd policy is very flexible allowing users to setup their tftpd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for tftpd:
-+
-+.EX
-+.TP 5
-+.B tftp_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 69
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type tftpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B tftpd_var_run_t
-+
-+
-+.br
-+.B tftpdir_rw_t
-+
-+ /var/lib/tftpboot(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the tftpd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), tftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/tgtd_selinux.8 b/man/man8/tgtd_selinux.8
-new file mode 100644
-index 0000000..e0da88e
---- /dev/null
-+++ b/man/man8/tgtd_selinux.8
-@@ -0,0 +1,146 @@
-+.TH "tgtd_selinux" "8" "12-11-01" "tgtd" "SELinux Policy documentation for tgtd"
-+.SH "NAME"
-+tgtd_selinux \- Security Enhanced Linux Policy for the tgtd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the tgtd processes via flexible mandatory access control.
-+
-+The tgtd processes execute with the tgtd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep tgtd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The tgtd_t SELinux type can be entered via the "tgtd_exec_t" file type. The default entrypoint paths for the tgtd_t domain are the following:"
-+
-+/usr/sbin/tgtd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux tgtd policy is very flexible allowing users to setup their tgtd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for tgtd:
-+
-+.EX
-+.B tgtd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux tgtd policy is very flexible allowing users to setup their tgtd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for tgtd:
-+
-+
-+.EX
-+.PP
-+.B tgtd_exec_t
-+.EE
-+
-+- Set files with the tgtd_exec_t type, if you want to transition an executable to the tgtd_t domain.
-+
-+
-+.EX
-+.PP
-+.B tgtd_initrc_exec_t
-+.EE
-+
-+- Set files with the tgtd_initrc_exec_t type, if you want to transition an executable to the tgtd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B tgtd_tmp_t
-+.EE
-+
-+- Set files with the tgtd_tmp_t type, if you want to store tgtd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B tgtd_tmpfs_t
-+.EE
-+
-+- Set files with the tgtd_tmpfs_t type, if you want to store tgtd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B tgtd_var_lib_t
-+.EE
-+
-+- Set files with the tgtd_var_lib_t type, if you want to store the tgtd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B tgtd_var_run_t
-+.EE
-+
-+- Set files with the tgtd_var_run_t type, if you want to store the tgtd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type tgtd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B tgtd_tmpfs_t
-+
-+
-+.br
-+.B tgtd_var_lib_t
-+
-+ /var/lib/tgtd(/.*)?
-+.br
-+
-+.br
-+.B tgtd_var_run_t
-+
-+ /var/run/tgtd.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), tgtd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/thin_aeolus_configserver_selinux.8 b/man/man8/thin_aeolus_configserver_selinux.8
-new file mode 100644
-index 0000000..66344ef
---- /dev/null
-+++ b/man/man8/thin_aeolus_configserver_selinux.8
-@@ -0,0 +1,133 @@
-+.TH "thin_aeolus_configserver_selinux" "8" "12-11-01" "thin_aeolus_configserver" "SELinux Policy documentation for thin_aeolus_configserver"
-+.SH "NAME"
-+thin_aeolus_configserver_selinux \- Security Enhanced Linux Policy for the thin_aeolus_configserver processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the thin_aeolus_configserver processes via flexible mandatory access control.
-+
-+The thin_aeolus_configserver processes execute with the thin_aeolus_configserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep thin_aeolus_configserver_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The thin_aeolus_configserver_t SELinux type can be entered via the "thin_aeolus_configserver_exec_t" file type. The default entrypoint paths for the thin_aeolus_configserver_t domain are the following:"
-+
-+/usr/bin/aeolus-configserver-thinwrapper
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux thin_aeolus_configserver policy is very flexible allowing users to setup their thin_aeolus_configserver processes in as secure a method as possible.
-+.PP
-+The following process types are defined for thin_aeolus_configserver:
-+
-+.EX
-+.B thin_aeolus_configserver_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux thin_aeolus_configserver policy is very flexible allowing users to setup their thin_aeolus_configserver processes in as secure a method as possible.
-+.PP
-+The following file types are defined for thin_aeolus_configserver:
-+
-+
-+.EX
-+.PP
-+.B thin_aeolus_configserver_exec_t
-+.EE
-+
-+- Set files with the thin_aeolus_configserver_exec_t type, if you want to transition an executable to the thin_aeolus_configserver_t domain.
-+
-+
-+.EX
-+.PP
-+.B thin_aeolus_configserver_lib_t
-+.EE
-+
-+- Set files with the thin_aeolus_configserver_lib_t type, if you want to treat the files as thin aeolus configserver lib data.
-+
-+
-+.EX
-+.PP
-+.B thin_aeolus_configserver_log_t
-+.EE
-+
-+- Set files with the thin_aeolus_configserver_log_t type, if you want to treat the data as thin aeolus configserver log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B thin_aeolus_configserver_var_run_t
-+.EE
-+
-+- Set files with the thin_aeolus_configserver_var_run_t type, if you want to store the thin aeolus configserver files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type thin_aeolus_configserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B thin_aeolus_configserver_lib_t
-+
-+ /var/lib/aeolus-configserver(/.*)?
-+.br
-+
-+.br
-+.B thin_aeolus_configserver_log_t
-+
-+ /var/log/aeolus-configserver(/.*)?
-+.br
-+
-+.br
-+.B thin_aeolus_configserver_var_run_t
-+
-+ /var/run/aeolus-configserver(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), thin_aeolus_configserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, thin_selinux(8), thin_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/thin_selinux.8 b/man/man8/thin_selinux.8
-new file mode 100644
-index 0000000..dbab03d
---- /dev/null
-+++ b/man/man8/thin_selinux.8
-@@ -0,0 +1,151 @@
-+.TH "thin_selinux" "8" "12-11-01" "thin" "SELinux Policy documentation for thin"
-+.SH "NAME"
-+thin_selinux \- Security Enhanced Linux Policy for the thin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the thin processes via flexible mandatory access control.
-+
-+The thin processes execute with the thin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep thin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The thin_t SELinux type can be entered via the "thin_exec_t" file type. The default entrypoint paths for the thin_t domain are the following:"
-+
-+/usr/bin/thin
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux thin policy is very flexible allowing users to setup their thin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for thin:
-+
-+.EX
-+.B thin_t, thin_aeolus_configserver_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux thin policy is very flexible allowing users to setup their thin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for thin:
-+
-+
-+.EX
-+.PP
-+.B thin_aeolus_configserver_exec_t
-+.EE
-+
-+- Set files with the thin_aeolus_configserver_exec_t type, if you want to transition an executable to the thin_aeolus_configserver_t domain.
-+
-+
-+.EX
-+.PP
-+.B thin_aeolus_configserver_lib_t
-+.EE
-+
-+- Set files with the thin_aeolus_configserver_lib_t type, if you want to treat the files as thin aeolus configserver lib data.
-+
-+
-+.EX
-+.PP
-+.B thin_aeolus_configserver_log_t
-+.EE
-+
-+- Set files with the thin_aeolus_configserver_log_t type, if you want to treat the data as thin aeolus configserver log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B thin_aeolus_configserver_var_run_t
-+.EE
-+
-+- Set files with the thin_aeolus_configserver_var_run_t type, if you want to store the thin aeolus configserver files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B thin_exec_t
-+.EE
-+
-+- Set files with the thin_exec_t type, if you want to transition an executable to the thin_t domain.
-+
-+
-+.EX
-+.PP
-+.B thin_log_t
-+.EE
-+
-+- Set files with the thin_log_t type, if you want to treat the data as thin log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B thin_var_run_t
-+.EE
-+
-+- Set files with the thin_var_run_t type, if you want to store the thin files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type thin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B thin_log_t
-+
-+ /var/log/thin\.log.*
-+.br
-+
-+.br
-+.B thin_var_run_t
-+
-+ /var/run/aeolus/thin\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), thin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, thin_aeolus_configserver_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/thumb_selinux.8 b/man/man8/thumb_selinux.8
-new file mode 100644
-index 0000000..0983a25
---- /dev/null
-+++ b/man/man8/thumb_selinux.8
-@@ -0,0 +1,236 @@
-+.TH "thumb_selinux" "8" "12-11-01" "thumb" "SELinux Policy documentation for thumb"
-+.SH "NAME"
-+thumb_selinux \- Security Enhanced Linux Policy for the thumb processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the thumb processes via flexible mandatory access control.
-+
-+The thumb processes execute with the thumb_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep thumb_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The thumb_t SELinux type can be entered via the "thumb_exec_t" file type. The default entrypoint paths for the thumb_t domain are the following:"
-+
-+/usr/bin/[^/]*thumbnailer, /usr/bin/gnome-[^/]*-thumbnailer(.sh)?, /usr/lib/tumbler[^/]*/tumblerd, /usr/bin/raw-thumbnailer, /usr/bin/whaaw-thumbnailer, /usr/bin/ffmpegthumbnailer, /usr/bin/evince-thumbnailer, /usr/bin/gnome-thumbnail-font, /usr/bin/gsf-office-thumbnailer, /usr/bin/totem-video-thumbnailer, /usr/bin/shotwell-video-thumbnailer
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux thumb policy is very flexible allowing users to setup their thumb processes in as secure a method as possible.
-+.PP
-+The following process types are defined for thumb:
-+
-+.EX
-+.B thumb_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux thumb policy is very flexible allowing users to setup their thumb processes in as secure a method as possible.
-+.PP
-+The following file types are defined for thumb:
-+
-+
-+.EX
-+.PP
-+.B thumb_exec_t
-+.EE
-+
-+- Set files with the thumb_exec_t type, if you want to transition an executable to the thumb_t domain.
-+
-+
-+.EX
-+.PP
-+.B thumb_home_t
-+.EE
-+
-+- Set files with the thumb_home_t type, if you want to store thumb files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B thumb_tmp_t
-+.EE
-+
-+- Set files with the thumb_tmp_t type, if you want to store thumb temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B thumb_tmpfs_t
-+.EE
-+
-+- Set files with the thumb_tmpfs_t type, if you want to store thumb files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type thumb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B gstreamer_home_t
-+
-+ /var/run/user/[^/]*/\.orc(/.*)?
-+.br
-+ /root/\.gstreamer-.*
-+.br
-+ /home/[^/]*/\.orc(/.*)?
-+.br
-+ /home/[^/]*/\.gstreamer-.*
-+.br
-+ /home/[^/]*/\.grl-bookmarks
-+.br
-+ /home/[^/]*/\.grl-bookmarks
-+.br
-+ /home/[^/]*/\.grl-metadata-store
-+.br
-+ /home/dwalsh/\.orc(/.*)?
-+.br
-+ /home/dwalsh/\.gstreamer-.*
-+.br
-+ /home/dwalsh/\.grl-bookmarks
-+.br
-+ /home/dwalsh/\.grl-bookmarks
-+.br
-+ /home/dwalsh/\.grl-metadata-store
-+.br
-+ /var/lib/xguest/home/xguest/\.orc(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.gstreamer-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.grl-bookmarks
-+.br
-+ /var/lib/xguest/home/xguest/\.grl-bookmarks
-+.br
-+ /var/lib/xguest/home/xguest/\.grl-metadata-store
-+.br
-+
-+.br
-+.B thumb_home_t
-+
-+ /home/[^/]*/\.thumbnails(/.*)?
-+.br
-+ /home/[^/]*/missfont\.log.*
-+.br
-+ /home/[^/]*/\.cache/thumbnails(/.*)?
-+.br
-+ /home/dwalsh/\.thumbnails(/.*)?
-+.br
-+ /home/dwalsh/missfont\.log.*
-+.br
-+ /home/dwalsh/\.cache/thumbnails(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.thumbnails(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/missfont\.log.*
-+.br
-+ /var/lib/xguest/home/xguest/\.cache/thumbnails(/.*)?
-+.br
-+
-+.br
-+.B thumb_tmp_t
-+
-+
-+.br
-+.B thumb_tmpfs_t
-+
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the thumb_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the thumb_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), thumb(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/tmpreaper_selinux.8 b/man/man8/tmpreaper_selinux.8
-new file mode 100644
-index 0000000..1f3820f
---- /dev/null
-+++ b/man/man8/tmpreaper_selinux.8
-@@ -0,0 +1,136 @@
-+.TH "tmpreaper_selinux" "8" "12-11-01" "tmpreaper" "SELinux Policy documentation for tmpreaper"
-+.SH "NAME"
-+tmpreaper_selinux \- Security Enhanced Linux Policy for the tmpreaper processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the tmpreaper processes via flexible mandatory access control.
-+
-+The tmpreaper processes execute with the tmpreaper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep tmpreaper_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The tmpreaper_t SELinux type can be entered via the "tmpreaper_exec_t" file type. The default entrypoint paths for the tmpreaper_t domain are the following:"
-+
-+/usr/sbin/tmpwatch, /usr/sbin/tmpreaper
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux tmpreaper policy is very flexible allowing users to setup their tmpreaper processes in as secure a method as possible.
-+.PP
-+The following process types are defined for tmpreaper:
-+
-+.EX
-+.B tmpreaper_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux tmpreaper policy is very flexible allowing users to setup their tmpreaper processes in as secure a method as possible.
-+.PP
-+The following file types are defined for tmpreaper:
-+
-+
-+.EX
-+.PP
-+.B tmpreaper_exec_t
-+.EE
-+
-+- Set files with the tmpreaper_exec_t type, if you want to transition an executable to the tmpreaper_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type tmpreaper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B amavis_spool_t
-+
-+ /var/spool/amavisd(/.*)?
-+.br
-+
-+.br
-+.B kismet_log_t
-+
-+ /var/log/kismet(/.*)?
-+.br
-+
-+.br
-+.B print_spool_t
-+
-+ /var/spool/lpd(/.*)?
-+.br
-+ /var/spool/cups(/.*)?
-+.br
-+ /var/spool/cups-pdf(/.*)?
-+.br
-+
-+.br
-+.B rpm_var_cache_t
-+
-+ /var/cache/yum(/.*)?
-+.br
-+ /var/spool/up2date(/.*)?
-+.br
-+ /var/cache/PackageKit(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tmpreaper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the tmpreaper_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), tmpreaper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/tomcat_selinux.8 b/man/man8/tomcat_selinux.8
-new file mode 100644
-index 0000000..c89378e
---- /dev/null
-+++ b/man/man8/tomcat_selinux.8
-@@ -0,0 +1,166 @@
-+.TH "tomcat_selinux" "8" "12-11-01" "tomcat" "SELinux Policy documentation for tomcat"
-+.SH "NAME"
-+tomcat_selinux \- Security Enhanced Linux Policy for the tomcat processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the tomcat processes via flexible mandatory access control.
-+
-+The tomcat processes execute with the tomcat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep tomcat_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The tomcat_t SELinux type can be entered via the "tomcat_exec_t" file type. The default entrypoint paths for the tomcat_t domain are the following:"
-+
-+/usr/sbin/tomcat(6)?
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux tomcat policy is very flexible allowing users to setup their tomcat processes in as secure a method as possible.
-+.PP
-+The following process types are defined for tomcat:
-+
-+.EX
-+.B tomcat_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux tomcat policy is very flexible allowing users to setup their tomcat processes in as secure a method as possible.
-+.PP
-+The following file types are defined for tomcat:
-+
-+
-+.EX
-+.PP
-+.B tomcat_cache_t
-+.EE
-+
-+- Set files with the tomcat_cache_t type, if you want to store the files under the /var/cache directory.
-+
-+
-+.EX
-+.PP
-+.B tomcat_exec_t
-+.EE
-+
-+- Set files with the tomcat_exec_t type, if you want to transition an executable to the tomcat_t domain.
-+
-+
-+.EX
-+.PP
-+.B tomcat_log_t
-+.EE
-+
-+- Set files with the tomcat_log_t type, if you want to treat the data as tomcat log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B tomcat_tmp_t
-+.EE
-+
-+- Set files with the tomcat_tmp_t type, if you want to store tomcat temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B tomcat_unit_file_t
-+.EE
-+
-+- Set files with the tomcat_unit_file_t type, if you want to treat the files as tomcat unit content.
-+
-+
-+.EX
-+.PP
-+.B tomcat_var_lib_t
-+.EE
-+
-+- Set files with the tomcat_var_lib_t type, if you want to store the tomcat files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B tomcat_var_run_t
-+.EE
-+
-+- Set files with the tomcat_var_run_t type, if you want to store the tomcat files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type tomcat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B tomcat_cache_t
-+
-+ /var/cache/tomcat6?(/.*)?
-+.br
-+
-+.br
-+.B tomcat_log_t
-+
-+ /var/log/tomcat6?(/.*)?
-+.br
-+
-+.br
-+.B tomcat_tmp_t
-+
-+
-+.br
-+.B tomcat_var_lib_t
-+
-+ /var/lib/tomcat6?(/.*)?
-+.br
-+
-+.br
-+.B tomcat_var_run_t
-+
-+ /var/run/tomcat6?\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), tomcat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/tor_selinux.8 b/man/man8/tor_selinux.8
-new file mode 100644
-index 0000000..2274d81
---- /dev/null
-+++ b/man/man8/tor_selinux.8
-@@ -0,0 +1,231 @@
-+.TH "tor_selinux" "8" "12-11-01" "tor" "SELinux Policy documentation for tor"
-+.SH "NAME"
-+tor_selinux \- Security Enhanced Linux Policy for the tor processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the tor processes via flexible mandatory access control.
-+
-+The tor processes execute with the tor_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep tor_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The tor_t SELinux type can be entered via the "tor_exec_t" file type. The default entrypoint paths for the tor_t domain are the following:"
-+
-+/usr/bin/tor, /usr/sbin/tor
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux tor policy is very flexible allowing users to setup their tor processes in as secure a method as possible.
-+.PP
-+The following process types are defined for tor:
-+
-+.EX
-+.B tor_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. tor policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tor with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow tor daemon to bind tcp sockets to all unreserved ports, you must turn on the tor_bind_all_unreserved_ports boolean.
-+
-+.EX
-+.B setsebool -P tor_bind_all_unreserved_ports 1
-+.EE
-+
-+.PP
-+If you want to allow tor daemon to bind tcp sockets to all unreserved ports, you must turn on the tor_bind_all_unreserved_ports boolean.
-+
-+.EX
-+.B setsebool -P tor_bind_all_unreserved_ports 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux tor policy is very flexible allowing users to setup their tor processes in as secure a method as possible.
-+.PP
-+The following file types are defined for tor:
-+
-+
-+.EX
-+.PP
-+.B tor_etc_t
-+.EE
-+
-+- Set files with the tor_etc_t type, if you want to store tor files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B tor_exec_t
-+.EE
-+
-+- Set files with the tor_exec_t type, if you want to transition an executable to the tor_t domain.
-+
-+
-+.EX
-+.PP
-+.B tor_initrc_exec_t
-+.EE
-+
-+- Set files with the tor_initrc_exec_t type, if you want to transition an executable to the tor_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B tor_unit_file_t
-+.EE
-+
-+- Set files with the tor_unit_file_t type, if you want to treat the files as tor unit content.
-+
-+
-+.EX
-+.PP
-+.B tor_var_lib_t
-+.EE
-+
-+- Set files with the tor_var_lib_t type, if you want to store the tor files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B tor_var_log_t
-+.EE
-+
-+- Set files with the tor_var_log_t type, if you want to treat the data as tor var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B tor_var_run_t
-+.EE
-+
-+- Set files with the tor_var_run_t type, if you want to store the tor files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux tor policy is very flexible allowing users to setup their tor processes in as secure a method as possible.
-+.PP
-+The following port types are defined for tor:
-+
-+.EX
-+.TP 5
-+.B tor_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 6969,9001,9030,9051
-+.EE
-+
-+.EX
-+.TP 5
-+.B tor_socks_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 9050
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type tor_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B tor_var_lib_t
-+
-+ /var/lib/tor(/.*)?
-+.br
-+ /var/lib/tor-data(/.*)?
-+.br
-+
-+.br
-+.B tor_var_log_t
-+
-+ /var/log/tor(/.*)?
-+.br
-+
-+.br
-+.B tor_var_run_t
-+
-+ /var/run/tor(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tor_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the tor_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), tor(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/traceroute_selinux.8 b/man/man8/traceroute_selinux.8
-new file mode 100644
-index 0000000..00db217
---- /dev/null
-+++ b/man/man8/traceroute_selinux.8
-@@ -0,0 +1,126 @@
-+.TH "traceroute_selinux" "8" "12-11-01" "traceroute" "SELinux Policy documentation for traceroute"
-+.SH "NAME"
-+traceroute_selinux \- Security Enhanced Linux Policy for the traceroute processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the traceroute processes via flexible mandatory access control.
-+
-+The traceroute processes execute with the traceroute_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep traceroute_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The traceroute_t SELinux type can be entered via the "traceroute_exec_t" file type. The default entrypoint paths for the traceroute_t domain are the following:"
-+
-+/bin/tracepath.*, /bin/traceroute.*, /usr/bin/tracepath.*, /usr/bin/traceroute.*, /usr/sbin/traceroute.*, /usr/bin/lft, /usr/bin/mtr, /usr/bin/nmap, /usr/sbin/mtr
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux traceroute policy is very flexible allowing users to setup their traceroute processes in as secure a method as possible.
-+.PP
-+The following process types are defined for traceroute:
-+
-+.EX
-+.B traceroute_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux traceroute policy is very flexible allowing users to setup their traceroute processes in as secure a method as possible.
-+.PP
-+The following file types are defined for traceroute:
-+
-+
-+.EX
-+.PP
-+.B traceroute_exec_t
-+.EE
-+
-+- Set files with the traceroute_exec_t type, if you want to transition an executable to the traceroute_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux traceroute policy is very flexible allowing users to setup their traceroute processes in as secure a method as possible.
-+.PP
-+The following port types are defined for traceroute:
-+
-+.EX
-+.TP 5
-+.B traceroute_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+udp 64000-64010
-+.EE
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the traceroute_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the traceroute_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), traceroute(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/tuned_selinux.8 b/man/man8/tuned_selinux.8
-new file mode 100644
-index 0000000..31c8195
---- /dev/null
-+++ b/man/man8/tuned_selinux.8
-@@ -0,0 +1,172 @@
-+.TH "tuned_selinux" "8" "12-11-01" "tuned" "SELinux Policy documentation for tuned"
-+.SH "NAME"
-+tuned_selinux \- Security Enhanced Linux Policy for the tuned processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the tuned processes via flexible mandatory access control.
-+
-+The tuned processes execute with the tuned_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep tuned_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The tuned_t SELinux type can be entered via the "tuned_exec_t" file type. The default entrypoint paths for the tuned_t domain are the following:"
-+
-+/usr/sbin/tuned
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux tuned policy is very flexible allowing users to setup their tuned processes in as secure a method as possible.
-+.PP
-+The following process types are defined for tuned:
-+
-+.EX
-+.B tuned_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux tuned policy is very flexible allowing users to setup their tuned processes in as secure a method as possible.
-+.PP
-+The following file types are defined for tuned:
-+
-+
-+.EX
-+.PP
-+.B tuned_etc_t
-+.EE
-+
-+- Set files with the tuned_etc_t type, if you want to store tuned files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B tuned_exec_t
-+.EE
-+
-+- Set files with the tuned_exec_t type, if you want to transition an executable to the tuned_t domain.
-+
-+
-+.EX
-+.PP
-+.B tuned_initrc_exec_t
-+.EE
-+
-+- Set files with the tuned_initrc_exec_t type, if you want to transition an executable to the tuned_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B tuned_log_t
-+.EE
-+
-+- Set files with the tuned_log_t type, if you want to treat the data as tuned log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B tuned_rw_etc_t
-+.EE
-+
-+- Set files with the tuned_rw_etc_t type, if you want to store tuned rw files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B tuned_var_run_t
-+.EE
-+
-+- Set files with the tuned_var_run_t type, if you want to store the tuned files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type tuned_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B tuned_log_t
-+
-+ /var/log/tuned(/.*)?
-+.br
-+ /var/log/tuned\.log.*
-+.br
-+
-+.br
-+.B tuned_rw_etc_t
-+
-+ /etc/tuned/active_profile
-+.br
-+
-+.br
-+.B tuned_var_run_t
-+
-+ /var/run/tuned(/.*)?
-+.br
-+ /var/run/tuned\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the tuned_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), tuned(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/tvtime_selinux.8 b/man/man8/tvtime_selinux.8
-new file mode 100644
-index 0000000..f52edbe
---- /dev/null
-+++ b/man/man8/tvtime_selinux.8
-@@ -0,0 +1,154 @@
-+.TH "tvtime_selinux" "8" "12-11-01" "tvtime" "SELinux Policy documentation for tvtime"
-+.SH "NAME"
-+tvtime_selinux \- Security Enhanced Linux Policy for the tvtime processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the tvtime processes via flexible mandatory access control.
-+
-+The tvtime processes execute with the tvtime_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep tvtime_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The tvtime_t SELinux type can be entered via the "tvtime_exec_t" file type. The default entrypoint paths for the tvtime_t domain are the following:"
-+
-+/usr/bin/tvtime
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux tvtime policy is very flexible allowing users to setup their tvtime processes in as secure a method as possible.
-+.PP
-+The following process types are defined for tvtime:
-+
-+.EX
-+.B tvtime_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux tvtime policy is very flexible allowing users to setup their tvtime processes in as secure a method as possible.
-+.PP
-+The following file types are defined for tvtime:
-+
-+
-+.EX
-+.PP
-+.B tvtime_exec_t
-+.EE
-+
-+- Set files with the tvtime_exec_t type, if you want to transition an executable to the tvtime_t domain.
-+
-+
-+.EX
-+.PP
-+.B tvtime_home_t
-+.EE
-+
-+- Set files with the tvtime_home_t type, if you want to store tvtime files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B tvtime_tmp_t
-+.EE
-+
-+- Set files with the tvtime_tmp_t type, if you want to store tvtime temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B tvtime_tmpfs_t
-+.EE
-+
-+- Set files with the tvtime_tmpfs_t type, if you want to store tvtime files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type tvtime_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B tvtime_home_t
-+
-+
-+.br
-+.B tvtime_tmp_t
-+
-+
-+.br
-+.B tvtime_tmpfs_t
-+
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), tvtime(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/udev_selinux.8 b/man/man8/udev_selinux.8
-new file mode 100644
-index 0000000..8e9a765
---- /dev/null
-+++ b/man/man8/udev_selinux.8
-@@ -0,0 +1,328 @@
-+.TH "udev_selinux" "8" "12-11-01" "udev" "SELinux Policy documentation for udev"
-+.SH "NAME"
-+udev_selinux \- Security Enhanced Linux Policy for the udev processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the udev processes via flexible mandatory access control.
-+
-+The udev processes execute with the udev_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep udev_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The udev_t SELinux type can be entered via the "udev_exec_t,udev_helper_exec_t" file types. The default entrypoint paths for the udev_t domain are the following:"
-+
-+/sbin/udev, /sbin/udevd, /bin/udevadm, /sbin/udevadm, /sbin/udevsend, /usr/sbin/udev, /lib/udev/udevd, /sbin/udevstart, /usr/sbin/udevd, /sbin/start_udev, /usr/bin/udevadm, /usr/bin/udevinfo, /usr/sbin/udevadm, /lib/udev/udev-acl, /usr/sbin/udevsend, /usr/sbin/udevstart, /usr/lib/udev/udevd, /sbin/wait_for_sysfs, /usr/sbin/start_udev, /usr/lib/udev/udev-acl, /usr/sbin/wait_for_sysfs, /usr/lib/systemd/systemd-udevd, /etc/dev\.d/.+, /etc/udev/scripts/.+, /etc/hotplug\.d/default/udev.*
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux udev policy is very flexible allowing users to setup their udev processes in as secure a method as possible.
-+.PP
-+The following process types are defined for udev:
-+
-+.EX
-+.B udev_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux udev policy is very flexible allowing users to setup their udev processes in as secure a method as possible.
-+.PP
-+The following file types are defined for udev:
-+
-+
-+.EX
-+.PP
-+.B udev_etc_t
-+.EE
-+
-+- Set files with the udev_etc_t type, if you want to store udev files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B udev_exec_t
-+.EE
-+
-+- Set files with the udev_exec_t type, if you want to transition an executable to the udev_t domain.
-+
-+
-+.EX
-+.PP
-+.B udev_helper_exec_t
-+.EE
-+
-+- Set files with the udev_helper_exec_t type, if you want to transition an executable to the udev_helper_t domain.
-+
-+
-+.EX
-+.PP
-+.B udev_rules_t
-+.EE
-+
-+- Set files with the udev_rules_t type, if you want to treat the files as udev rules data.
-+
-+
-+.EX
-+.PP
-+.B udev_var_run_t
-+.EE
-+
-+- Set files with the udev_var_run_t type, if you want to store the udev files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type udev_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B device_t
-+
-+ /dev/.*
-+.br
-+ /lib/udev/devices(/.*)?
-+.br
-+ /usr/lib/udev/devices(/.*)?
-+.br
-+ /dev
-+.br
-+ /etc/udev/devices
-+.br
-+ /var/named/chroot/dev
-+.br
-+ /var/spool/postfix/dev
-+.br
-+
-+.br
-+.B dhcp_etc_t
-+
-+ /etc/dhcpc.*
-+.br
-+ /etc/dhcp3(/.*)?
-+.br
-+ /etc/dhcpd(6)?\.conf
-+.br
-+ /etc/dhcp3?/dhclient.*
-+.br
-+ /etc/dhclient.*conf
-+.br
-+ /etc/dhcp/dhcpd(6)?\.conf
-+.br
-+ /etc/dhclient-script
-+.br
-+
-+.br
-+.B etc_t
-+
-+ /etc/.*
-+.br
-+ /var/db/.*\.db
-+.br
-+ /usr/etc(/.*)?
-+.br
-+ /var/ftp/etc(/.*)?
-+.br
-+ /var/lib/openshift/.limits.d(/.*)?
-+.br
-+ /var/lib/openshift/.openshift-proxy.d(/.*)?
-+.br
-+ /var/lib/openshift/.stickshift-proxy.d(/.*)?
-+.br
-+ /var/lib/stickshift/.limits.d(/.*)?
-+.br
-+ /var/lib/stickshift/.stickshift-proxy.d(/.*)?
-+.br
-+ /var/named/chroot/etc(/.*)?
-+.br
-+ /etc/ipsec\.d/examples(/.*)?
-+.br
-+ /var/spool/postfix/etc(/.*)?
-+.br
-+ /etc
-+.br
-+ /etc/cups/client\.conf
-+.br
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B udev_exec_t
-+
-+ /sbin/udev
-+.br
-+ /sbin/udevd
-+.br
-+ /bin/udevadm
-+.br
-+ /sbin/udevadm
-+.br
-+ /sbin/udevsend
-+.br
-+ /usr/sbin/udev
-+.br
-+ /lib/udev/udevd
-+.br
-+ /sbin/udevstart
-+.br
-+ /usr/sbin/udevd
-+.br
-+ /sbin/start_udev
-+.br
-+ /usr/bin/udevadm
-+.br
-+ /usr/bin/udevinfo
-+.br
-+ /usr/sbin/udevadm
-+.br
-+ /lib/udev/udev-acl
-+.br
-+ /usr/sbin/udevsend
-+.br
-+ /usr/sbin/udevstart
-+.br
-+ /usr/lib/udev/udevd
-+.br
-+ /sbin/wait_for_sysfs
-+.br
-+ /usr/sbin/start_udev
-+.br
-+ /usr/lib/udev/udev-acl
-+.br
-+ /usr/sbin/wait_for_sysfs
-+.br
-+ /usr/lib/systemd/systemd-udevd
-+.br
-+
-+.br
-+.B udev_rules_t
-+
-+ /etc/udev/rules.d(/.*)?
-+.br
-+
-+.br
-+.B udev_var_run_t
-+
-+ /dev/\.udev(/.*)?
-+.br
-+ /var/run/udev(/.*)?
-+.br
-+ /var/run/libgpod(/.*)?
-+.br
-+ /var/run/PackageKit/udev(/.*)?
-+.br
-+ /dev/\.udevdb
-+.br
-+ /dev/udev\.tbl
-+.br
-+
-+.br
-+.B xend_var_log_t
-+
-+ /var/log/xen(/.*)?
-+.br
-+ /var/log/xend\.log.*
-+.br
-+ /var/log/xend-debug\.log.*
-+.br
-+ /var/log/xen-hotplug\.log.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the udev_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the udev_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), udev(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ulogd_selinux.8 b/man/man8/ulogd_selinux.8
-new file mode 100644
-index 0000000..3953cf8
---- /dev/null
-+++ b/man/man8/ulogd_selinux.8
-@@ -0,0 +1,128 @@
-+.TH "ulogd_selinux" "8" "12-11-01" "ulogd" "SELinux Policy documentation for ulogd"
-+.SH "NAME"
-+ulogd_selinux \- Security Enhanced Linux Policy for the ulogd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ulogd processes via flexible mandatory access control.
-+
-+The ulogd processes execute with the ulogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ulogd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ulogd_t SELinux type can be entered via the "ulogd_exec_t" file type. The default entrypoint paths for the ulogd_t domain are the following:"
-+
-+/usr/sbin/ulogd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ulogd policy is very flexible allowing users to setup their ulogd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ulogd:
-+
-+.EX
-+.B ulogd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ulogd policy is very flexible allowing users to setup their ulogd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ulogd:
-+
-+
-+.EX
-+.PP
-+.B ulogd_etc_t
-+.EE
-+
-+- Set files with the ulogd_etc_t type, if you want to store ulogd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B ulogd_exec_t
-+.EE
-+
-+- Set files with the ulogd_exec_t type, if you want to transition an executable to the ulogd_t domain.
-+
-+
-+.EX
-+.PP
-+.B ulogd_initrc_exec_t
-+.EE
-+
-+- Set files with the ulogd_initrc_exec_t type, if you want to transition an executable to the ulogd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B ulogd_modules_t
-+.EE
-+
-+- Set files with the ulogd_modules_t type, if you want to treat the files as ulogd modules.
-+
-+
-+.EX
-+.PP
-+.B ulogd_var_log_t
-+.EE
-+
-+- Set files with the ulogd_var_log_t type, if you want to treat the data as ulogd var log data, usually stored under the /var/log directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ulogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ulogd_var_log_t
-+
-+ /var/log/ulogd(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ulogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/uml_selinux.8 b/man/man8/uml_selinux.8
-new file mode 100644
-index 0000000..5629dd2
---- /dev/null
-+++ b/man/man8/uml_selinux.8
-@@ -0,0 +1,157 @@
-+.TH "uml_selinux" "8" "12-11-01" "uml" "SELinux Policy documentation for uml"
-+.SH "NAME"
-+uml_selinux \- Security Enhanced Linux Policy for the uml processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the uml processes via flexible mandatory access control.
-+
-+The uml processes execute with the uml_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep uml_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The uml_t SELinux type can be entered via the "uml_exec_t" file type. The default entrypoint paths for the uml_t domain are the following:"
-+
-+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux uml policy is very flexible allowing users to setup their uml processes in as secure a method as possible.
-+.PP
-+The following process types are defined for uml:
-+
-+.EX
-+.B uml_switch_t, uml_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux uml policy is very flexible allowing users to setup their uml processes in as secure a method as possible.
-+.PP
-+The following file types are defined for uml:
-+
-+
-+.EX
-+.PP
-+.B uml_exec_t
-+.EE
-+
-+- Set files with the uml_exec_t type, if you want to transition an executable to the uml_t domain.
-+
-+
-+.EX
-+.PP
-+.B uml_ro_t
-+.EE
-+
-+- Set files with the uml_ro_t type, if you want to treat the files as uml read/only content.
-+
-+
-+.EX
-+.PP
-+.B uml_rw_t
-+.EE
-+
-+- Set files with the uml_rw_t type, if you want to treat the files as uml read/write content.
-+
-+
-+.EX
-+.PP
-+.B uml_switch_exec_t
-+.EE
-+
-+- Set files with the uml_switch_exec_t type, if you want to transition an executable to the uml_switch_t domain.
-+
-+
-+.EX
-+.PP
-+.B uml_switch_var_run_t
-+.EE
-+
-+- Set files with the uml_switch_var_run_t type, if you want to store the uml switch files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B uml_tmp_t
-+.EE
-+
-+- Set files with the uml_tmp_t type, if you want to store uml temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B uml_tmpfs_t
-+.EE
-+
-+- Set files with the uml_tmpfs_t type, if you want to store uml files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type uml_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B uml_rw_t
-+
-+ /home/[^/]*/\.uml(/.*)?
-+.br
-+ /home/dwalsh/\.uml(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.uml(/.*)?
-+.br
-+
-+.br
-+.B uml_tmp_t
-+
-+
-+.br
-+.B uml_tmpfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), uml(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, uml_switch_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/uml_switch_selinux.8 b/man/man8/uml_switch_selinux.8
-new file mode 100644
-index 0000000..e67ca95
---- /dev/null
-+++ b/man/man8/uml_switch_selinux.8
-@@ -0,0 +1,105 @@
-+.TH "uml_switch_selinux" "8" "12-11-01" "uml_switch" "SELinux Policy documentation for uml_switch"
-+.SH "NAME"
-+uml_switch_selinux \- Security Enhanced Linux Policy for the uml_switch processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the uml_switch processes via flexible mandatory access control.
-+
-+The uml_switch processes execute with the uml_switch_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep uml_switch_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The uml_switch_t SELinux type can be entered via the "uml_switch_exec_t" file type. The default entrypoint paths for the uml_switch_t domain are the following:"
-+
-+/usr/bin/uml_switch
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux uml_switch policy is very flexible allowing users to setup their uml_switch processes in as secure a method as possible.
-+.PP
-+The following process types are defined for uml_switch:
-+
-+.EX
-+.B uml_switch_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux uml_switch policy is very flexible allowing users to setup their uml_switch processes in as secure a method as possible.
-+.PP
-+The following file types are defined for uml_switch:
-+
-+
-+.EX
-+.PP
-+.B uml_switch_exec_t
-+.EE
-+
-+- Set files with the uml_switch_exec_t type, if you want to transition an executable to the uml_switch_t domain.
-+
-+
-+.EX
-+.PP
-+.B uml_switch_var_run_t
-+.EE
-+
-+- Set files with the uml_switch_var_run_t type, if you want to store the uml switch files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type uml_switch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B uml_switch_var_run_t
-+
-+ /var/run/uml-utilities(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), uml_switch(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, uml_selinux(8), uml_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/unconfined_munin_plugin_selinux.8 b/man/man8/unconfined_munin_plugin_selinux.8
-new file mode 100644
-index 0000000..0eca181
---- /dev/null
-+++ b/man/man8/unconfined_munin_plugin_selinux.8
-@@ -0,0 +1,109 @@
-+.TH "unconfined_munin_plugin_selinux" "8" "12-11-01" "unconfined_munin_plugin" "SELinux Policy documentation for unconfined_munin_plugin"
-+.SH "NAME"
-+unconfined_munin_plugin_selinux \- Security Enhanced Linux Policy for the unconfined_munin_plugin processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the unconfined_munin_plugin processes via flexible mandatory access control.
-+
-+The unconfined_munin_plugin processes execute with the unconfined_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep unconfined_munin_plugin_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The unconfined_munin_plugin_t SELinux type can be entered via the "unconfined_munin_plugin_exec_t" file type. The default entrypoint paths for the unconfined_munin_plugin_t domain are the following:"
-+
-+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux unconfined_munin_plugin policy is very flexible allowing users to setup their unconfined_munin_plugin processes in as secure a method as possible.
-+.PP
-+The following process types are defined for unconfined_munin_plugin:
-+
-+.EX
-+.B unconfined_munin_plugin_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux unconfined_munin_plugin policy is very flexible allowing users to setup their unconfined_munin_plugin processes in as secure a method as possible.
-+.PP
-+The following file types are defined for unconfined_munin_plugin:
-+
-+
-+.EX
-+.PP
-+.B unconfined_munin_plugin_exec_t
-+.EE
-+
-+- Set files with the unconfined_munin_plugin_exec_t type, if you want to transition an executable to the unconfined_munin_plugin_t domain.
-+
-+
-+.EX
-+.PP
-+.B unconfined_munin_plugin_tmp_t
-+.EE
-+
-+- Set files with the unconfined_munin_plugin_tmp_t type, if you want to store unconfined munin plugin temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type unconfined_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B munin_plugin_state_t
-+
-+ /var/lib/munin/plugin-state(/.*)?
-+.br
-+
-+.br
-+.B unconfined_munin_plugin_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), unconfined_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, unconfined_selinux(8), unconfined_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/unconfined_selinux.8 b/man/man8/unconfined_selinux.8
-new file mode 100644
-index 0000000..da88b6e
---- /dev/null
-+++ b/man/man8/unconfined_selinux.8
-@@ -0,0 +1,165 @@
-+.TH "unconfined_selinux" "8" "unconfined" "mgrepl@redhat.com" "unconfined SELinux Policy documentation"
-+.SH "NAME"
-+unconfined_r \- \fBUnconfiend user role\fP - Security Enhanced Linux Policy
-+
-+.SH DESCRIPTION
-+
-+SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into.
-+
-+.I Note:
-+Examples in this man page will use the
-+.B staff_u
-+SELinux user.
-+
-+Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them.
-+
-+The default type for the unconfined_r role is unconfined_t.
-+
-+The
-+.B newrole
-+program to transition directly to this role.
-+
-+.B newrole -r unconfined_r -t unconfined_t
-+
-+.B sudo
-+is the preferred method to do transition from one role to another. You setup sudo to transition to unconfined_r by adding a similar line to the /etc/sudoers file.
-+
-+USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
-+
-+.br
-+sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL
-+
-+When using a a non login role, you need to setup SELinux so that your SELinux user can reach unconfined_r role.
-+
-+Execute the following to see all of the assigned SELinux roles:
-+
-+.B semanage user -l
-+
-+You need to add unconfined_r to the staff_u user. You could setup the staff_u user to be able to use the unconfined_r role with a command like:
-+
-+.B $ semanage user -m -R 'staff_r system_r unconfined_r' staff_u
-+
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. unconfined policy is extremely flexible and has several booleans that allow you to manipulate the policy and run unconfined with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
-+
-+.EX
-+.B setsebool -P postgresql_selinux_unconfined_dbadm 1
-+.EE
-+
-+.PP
-+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean.
-+
-+.EX
-+.B setsebool -P unconfined_chrome_sandbox_transition 1
-+.EE
-+
-+.PP
-+If you want to allow a user to login as an unconfined domain, you must turn on the unconfined_login boolean.
-+
-+.EX
-+.B setsebool -P unconfined_login 1
-+.EE
-+
-+.PP
-+If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean.
-+
-+.EX
-+.B setsebool -P samba_run_unconfined 1
-+.EE
-+
-+.PP
-+If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean.
-+
-+.EX
-+.B setsebool -P unconfined_mplayer 1
-+.EE
-+
-+.PP
-+If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
-+
-+.EX
-+.B setsebool -P unconfined_mozilla_plugin_transition 1
-+.EE
-+
-+.PP
-+If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
-+
-+.EX
-+.B setsebool -P postgresql_selinux_unconfined_dbadm 1
-+.EE
-+
-+.PP
-+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean.
-+
-+.EX
-+.B setsebool -P unconfined_chrome_sandbox_transition 1
-+.EE
-+
-+.PP
-+If you want to allow a user to login as an unconfined domain, you must turn on the unconfined_login boolean.
-+
-+.EX
-+.B setsebool -P unconfined_login 1
-+.EE
-+
-+.PP
-+If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean.
-+
-+.EX
-+.B setsebool -P samba_run_unconfined 1
-+.EE
-+
-+.PP
-+If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean.
-+
-+.EX
-+.B setsebool -P unconfined_mplayer 1
-+.EE
-+
-+.PP
-+If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
-+
-+.EX
-+.B setsebool -P unconfined_mozilla_plugin_transition 1
-+.EE
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type unconfined_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B file_type
-+
-+ all files on the system
-+.br
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), unconfined(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), unconfined_munin_plugin_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/update_modules_selinux.8 b/man/man8/update_modules_selinux.8
-new file mode 100644
-index 0000000..733d361
---- /dev/null
-+++ b/man/man8/update_modules_selinux.8
-@@ -0,0 +1,122 @@
-+.TH "update_modules_selinux" "8" "12-11-01" "update_modules" "SELinux Policy documentation for update_modules"
-+.SH "NAME"
-+update_modules_selinux \- Security Enhanced Linux Policy for the update_modules processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the update_modules processes via flexible mandatory access control.
-+
-+The update_modules processes execute with the update_modules_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep update_modules_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The update_modules_t SELinux type can be entered via the "update_modules_exec_t" file type. The default entrypoint paths for the update_modules_t domain are the following:"
-+
-+/sbin/modules-update, /sbin/update-modules, /usr/sbin/modules-update, /usr/sbin/update-modules, /sbin/generate-modprobe\.conf, /usr/sbin/generate-modprobe\.conf
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux update_modules policy is very flexible allowing users to setup their update_modules processes in as secure a method as possible.
-+.PP
-+The following process types are defined for update_modules:
-+
-+.EX
-+.B update_modules_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux update_modules policy is very flexible allowing users to setup their update_modules processes in as secure a method as possible.
-+.PP
-+The following file types are defined for update_modules:
-+
-+
-+.EX
-+.PP
-+.B update_modules_exec_t
-+.EE
-+
-+- Set files with the update_modules_exec_t type, if you want to transition an executable to the update_modules_t domain.
-+
-+
-+.EX
-+.PP
-+.B update_modules_tmp_t
-+.EE
-+
-+- Set files with the update_modules_tmp_t type, if you want to store update modules temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type update_modules_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B modules_conf_t
-+
-+ /etc/modprobe\.d(/.*)?
-+.br
-+ /etc/modules\.conf.*
-+.br
-+ /etc/modprobe\.conf.*
-+.br
-+ /lib/modules/modprobe\.conf
-+.br
-+ /usr/lib/modules/modprobe\.conf
-+.br
-+
-+.br
-+.B modules_dep_t
-+
-+ /lib/modules/[^/]+/modules\..+
-+.br
-+
-+.br
-+.B update_modules_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), update_modules(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/updfstab_selinux.8 b/man/man8/updfstab_selinux.8
-new file mode 100644
-index 0000000..9bf36a1
---- /dev/null
-+++ b/man/man8/updfstab_selinux.8
-@@ -0,0 +1,168 @@
-+.TH "updfstab_selinux" "8" "12-11-01" "updfstab" "SELinux Policy documentation for updfstab"
-+.SH "NAME"
-+updfstab_selinux \- Security Enhanced Linux Policy for the updfstab processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the updfstab processes via flexible mandatory access control.
-+
-+The updfstab processes execute with the updfstab_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep updfstab_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The updfstab_t SELinux type can be entered via the "updfstab_exec_t" file type. The default entrypoint paths for the updfstab_t domain are the following:"
-+
-+/usr/sbin/updfstab, /usr/sbin/fstab-sync
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux updfstab policy is very flexible allowing users to setup their updfstab processes in as secure a method as possible.
-+.PP
-+The following process types are defined for updfstab:
-+
-+.EX
-+.B updfstab_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux updfstab policy is very flexible allowing users to setup their updfstab processes in as secure a method as possible.
-+.PP
-+The following file types are defined for updfstab:
-+
-+
-+.EX
-+.PP
-+.B updfstab_exec_t
-+.EE
-+
-+- Set files with the updfstab_exec_t type, if you want to transition an executable to the updfstab_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type updfstab_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B etc_t
-+
-+ /etc/.*
-+.br
-+ /var/db/.*\.db
-+.br
-+ /usr/etc(/.*)?
-+.br
-+ /var/ftp/etc(/.*)?
-+.br
-+ /var/lib/openshift/.limits.d(/.*)?
-+.br
-+ /var/lib/openshift/.openshift-proxy.d(/.*)?
-+.br
-+ /var/lib/openshift/.stickshift-proxy.d(/.*)?
-+.br
-+ /var/lib/stickshift/.limits.d(/.*)?
-+.br
-+ /var/lib/stickshift/.stickshift-proxy.d(/.*)?
-+.br
-+ /var/named/chroot/etc(/.*)?
-+.br
-+ /etc/ipsec\.d/examples(/.*)?
-+.br
-+ /var/spool/postfix/etc(/.*)?
-+.br
-+ /etc
-+.br
-+ /etc/cups/client\.conf
-+.br
-+
-+.br
-+.B mnt_t
-+
-+ /mnt(/[^/]*)
-+.br
-+ /mnt(/[^/]*)?
-+.br
-+ /rhev(/[^/]*)?
-+.br
-+ /media(/[^/]*)
-+.br
-+ /media(/[^/]*)?
-+.br
-+ /media/\.hal-.*
-+.br
-+ /var/run/media(/[^/]*)?
-+.br
-+ /net
-+.br
-+ /afs
-+.br
-+ /rhev
-+.br
-+ /misc
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the updfstab_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the updfstab_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), updfstab(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/updpwd_selinux.8 b/man/man8/updpwd_selinux.8
-new file mode 100644
-index 0000000..158653a
---- /dev/null
-+++ b/man/man8/updpwd_selinux.8
-@@ -0,0 +1,170 @@
-+.TH "updpwd_selinux" "8" "12-11-01" "updpwd" "SELinux Policy documentation for updpwd"
-+.SH "NAME"
-+updpwd_selinux \- Security Enhanced Linux Policy for the updpwd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the updpwd processes via flexible mandatory access control.
-+
-+The updpwd processes execute with the updpwd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep updpwd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The updpwd_t SELinux type can be entered via the "updpwd_exec_t" file type. The default entrypoint paths for the updpwd_t domain are the following:"
-+
-+/sbin/unix_update, /usr/sbin/unix_update
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux updpwd policy is very flexible allowing users to setup their updpwd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for updpwd:
-+
-+.EX
-+.B updpwd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux updpwd policy is very flexible allowing users to setup their updpwd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for updpwd:
-+
-+
-+.EX
-+.PP
-+.B updpwd_exec_t
-+.EE
-+
-+- Set files with the updpwd_exec_t type, if you want to transition an executable to the updpwd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type updpwd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B etc_t
-+
-+ /etc/.*
-+.br
-+ /var/db/.*\.db
-+.br
-+ /usr/etc(/.*)?
-+.br
-+ /var/ftp/etc(/.*)?
-+.br
-+ /var/lib/openshift/.limits.d(/.*)?
-+.br
-+ /var/lib/openshift/.openshift-proxy.d(/.*)?
-+.br
-+ /var/lib/openshift/.stickshift-proxy.d(/.*)?
-+.br
-+ /var/lib/stickshift/.limits.d(/.*)?
-+.br
-+ /var/lib/stickshift/.stickshift-proxy.d(/.*)?
-+.br
-+ /var/named/chroot/etc(/.*)?
-+.br
-+ /etc/ipsec\.d/examples(/.*)?
-+.br
-+ /var/spool/postfix/etc(/.*)?
-+.br
-+ /etc
-+.br
-+ /etc/cups/client\.conf
-+.br
-+
-+.br
-+.B passwd_file_t
-+
-+ /etc/group[-\+]?
-+.br
-+ /etc/passwd[-\+]?
-+.br
-+ /etc/passwd\.adjunct.*
-+.br
-+ /etc/ptmptmp
-+.br
-+ /etc/\.pwd\.lock
-+.br
-+ /etc/group\.lock
-+.br
-+ /etc/passwd\.OLD
-+.br
-+ /etc/passwd\.lock
-+.br
-+
-+.br
-+.B shadow_t
-+
-+ /etc/shadow.*
-+.br
-+ /etc/gshadow.*
-+.br
-+ /var/db/shadow.*
-+.br
-+ /etc/security/opasswd
-+.br
-+ /etc/security/opasswd\.old
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the updpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the updpwd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), updpwd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/usbmodules_selinux.8 b/man/man8/usbmodules_selinux.8
-new file mode 100644
-index 0000000..39fd388
---- /dev/null
-+++ b/man/man8/usbmodules_selinux.8
-@@ -0,0 +1,94 @@
-+.TH "usbmodules_selinux" "8" "12-11-01" "usbmodules" "SELinux Policy documentation for usbmodules"
-+.SH "NAME"
-+usbmodules_selinux \- Security Enhanced Linux Policy for the usbmodules processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the usbmodules processes via flexible mandatory access control.
-+
-+The usbmodules processes execute with the usbmodules_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep usbmodules_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The usbmodules_t SELinux type can be entered via the "usbmodules_exec_t" file type. The default entrypoint paths for the usbmodules_t domain are the following:"
-+
-+/sbin/usbmodules, /usr/sbin/usbmodules
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux usbmodules policy is very flexible allowing users to setup their usbmodules processes in as secure a method as possible.
-+.PP
-+The following process types are defined for usbmodules:
-+
-+.EX
-+.B usbmodules_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux usbmodules policy is very flexible allowing users to setup their usbmodules processes in as secure a method as possible.
-+.PP
-+The following file types are defined for usbmodules:
-+
-+
-+.EX
-+.PP
-+.B usbmodules_exec_t
-+.EE
-+
-+- Set files with the usbmodules_exec_t type, if you want to transition an executable to the usbmodules_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type usbmodules_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B usbfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), usbmodules(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/usbmuxd_selinux.8 b/man/man8/usbmuxd_selinux.8
-new file mode 100644
-index 0000000..66ed42f
---- /dev/null
-+++ b/man/man8/usbmuxd_selinux.8
-@@ -0,0 +1,126 @@
-+.TH "usbmuxd_selinux" "8" "12-11-01" "usbmuxd" "SELinux Policy documentation for usbmuxd"
-+.SH "NAME"
-+usbmuxd_selinux \- Security Enhanced Linux Policy for the usbmuxd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the usbmuxd processes via flexible mandatory access control.
-+
-+The usbmuxd processes execute with the usbmuxd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep usbmuxd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The usbmuxd_t SELinux type can be entered via the "usbmuxd_exec_t" file type. The default entrypoint paths for the usbmuxd_t domain are the following:"
-+
-+/usr/sbin/usbmuxd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux usbmuxd policy is very flexible allowing users to setup their usbmuxd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for usbmuxd:
-+
-+.EX
-+.B usbmuxd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux usbmuxd policy is very flexible allowing users to setup their usbmuxd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for usbmuxd:
-+
-+
-+.EX
-+.PP
-+.B usbmuxd_exec_t
-+.EE
-+
-+- Set files with the usbmuxd_exec_t type, if you want to transition an executable to the usbmuxd_t domain.
-+
-+
-+.EX
-+.PP
-+.B usbmuxd_unit_file_t
-+.EE
-+
-+- Set files with the usbmuxd_unit_file_t type, if you want to treat the files as usbmuxd unit content.
-+
-+
-+.EX
-+.PP
-+.B usbmuxd_var_run_t
-+.EE
-+
-+- Set files with the usbmuxd_var_run_t type, if you want to store the usbmuxd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type usbmuxd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B usbmuxd_var_run_t
-+
-+ /var/run/usbmuxd.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the usbmuxd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the usbmuxd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), usbmuxd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/user_selinux.8 b/man/man8/user_selinux.8
-new file mode 100644
-index 0000000..1106e32
---- /dev/null
-+++ b/man/man8/user_selinux.8
-@@ -0,0 +1,763 @@
-+.TH "user_selinux" "8" "user" "mgrepl@redhat.com" "user SELinux Policy documentation"
-+.SH "NAME"
-+user_u \- \fBGeneric unprivileged user\fP - Security Enhanced Linux Policy
-+
-+.SH DESCRIPTION
-+
-+\fBuser_u\fP is an SELinux User defined in the SELinux
-+policy. SELinux users have default roles, \fBuser_r\fP. The
-+default role has a default type, \fBuser_t\fP, associated with it.
-+
-+The SELinux user will usually login to a system with a context that looks like:
-+
-+.B user_u:user_r:user_t:s0-s0:c0.c1023
-+
-+Linux users are automatically assigned an SELinux users at login.
-+Login programs use the SELinux User to assign initial context to the user's shell.
-+
-+SELinux policy uses the context to control the user's access.
-+
-+By default all users are assigned to the SELinux user via the \fB__default__\fP flag
-+
-+On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
-+
-+You can list all Linux User to SELinux user mapping using:
-+
-+.B semanage login -l
-+
-+If you wanted to change the default user mapping to use the user_u user, you would execute:
-+
-+.B semanage login -m -s user_u __default__
-+
-+
-+If you want to map the one Linux user (joe) to the SELinux user user, you would execute:
-+
-+.B $ semanage login -a -s user_u joe
-+
-+
-+.SH USER DESCRIPTION
-+
-+The SELinux user user_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
-+
-+.SH SUDO
-+
-+.SH X WINDOWS LOGIN
-+
-+The SELinux user user_u is able to X Windows login.
-+
-+.SH NETWORK
-+
-+.TP
-+The SELinux user user_u is able to listen on the following tcp ports.
-+
-+.B xserver_port_t: 6000-6020
-+
-+.TP
-+The SELinux user user_u is able to connect to the following tcp ports.
-+
-+.B all ports
-+
-+.TP
-+The SELinux user user_u is able to listen on the following udp ports.
-+
-+.B all ports with out defined types
-+
-+.B ephemeral_port_t: 32768-61000
-+
-+.TP
-+The SELinux user user_u is able to connect to the following tcp ports.
-+
-+.B all ports
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. user policy is extremely flexible and has several booleans that allow you to manipulate the policy and run user with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_execstack 1
-+.EE
-+
-+.PP
-+If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_use_ssh_chroot 1
-+.EE
-+
-+.PP
-+If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean.
-+
-+.EX
-+.B setsebool -P polipo_session_users 1
-+.EE
-+
-+.PP
-+If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_ping 1
-+.EE
-+
-+.PP
-+If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_user_share_music 1
-+.EE
-+
-+.PP
-+If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean.
-+
-+.EX
-+.B setsebool -P unprivuser_use_svirt 1
-+.EE
-+
-+.PP
-+If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_direct_dri_enabled 1
-+.EE
-+
-+.PP
-+If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_tcp_server 1
-+.EE
-+
-+.PP
-+If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_execheap 1
-+.EE
-+
-+.PP
-+If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_postgresql_connect_enabled 1
-+.EE
-+
-+.PP
-+If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_rw_noexattrfile 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean.
-+
-+.EX
-+.B setsebool -P httpd_read_user_content 1
-+.EE
-+
-+.PP
-+If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean.
-+
-+.EX
-+.B setsebool -P postgresql_selinux_users_ddl 1
-+.EE
-+
-+.PP
-+If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_execmod 1
-+.EE
-+
-+.PP
-+If you want to allow webadm to manage files in users home directories, you must turn on the webadm_manage_user_files boolean.
-+
-+.EX
-+.B setsebool -P webadm_manage_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean.
-+
-+.EX
-+.B setsebool -P pppd_for_user 1
-+.EE
-+
-+.PP
-+If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_mysql_connect_enabled 1
-+.EE
-+
-+.PP
-+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
-+
-+.EX
-+.B setsebool -P clamscan_read_user_content 1
-+.EE
-+
-+.PP
-+If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean.
-+
-+.EX
-+.B setsebool -P dbadm_manage_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow exim to create, read, write, and delete unprivileged user files, you must turn on the exim_manage_user_files boolean.
-+
-+.EX
-+.B setsebool -P exim_manage_user_files 1
-+.EE
-+
-+.PP
-+If you want to determine whether calling user domains can execute Git daemon in the git_session_t domain, you must turn on the git_session_users boolean.
-+
-+.EX
-+.B setsebool -P git_session_users 1
-+.EE
-+
-+.PP
-+If you want to allow dbadm to read files in users home directories, you must turn on the dbadm_read_user_files boolean.
-+
-+.EX
-+.B setsebool -P dbadm_read_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow exim to read unprivileged user files, you must turn on the exim_read_user_files boolean.
-+
-+.EX
-+.B setsebool -P exim_read_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow webadm to read files in users home directories, you must turn on the webadm_read_user_files boolean.
-+
-+.EX
-+.B setsebool -P webadm_read_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_execstack 1
-+.EE
-+
-+.PP
-+If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_use_ssh_chroot 1
-+.EE
-+
-+.PP
-+If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean.
-+
-+.EX
-+.B setsebool -P polipo_session_users 1
-+.EE
-+
-+.PP
-+If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_ping 1
-+.EE
-+
-+.PP
-+If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_user_share_music 1
-+.EE
-+
-+.PP
-+If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean.
-+
-+.EX
-+.B setsebool -P unprivuser_use_svirt 1
-+.EE
-+
-+.PP
-+If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_direct_dri_enabled 1
-+.EE
-+
-+.PP
-+If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_tcp_server 1
-+.EE
-+
-+.PP
-+If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_execheap 1
-+.EE
-+
-+.PP
-+If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_postgresql_connect_enabled 1
-+.EE
-+
-+.PP
-+If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_rw_noexattrfile 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean.
-+
-+.EX
-+.B setsebool -P httpd_read_user_content 1
-+.EE
-+
-+.PP
-+If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean.
-+
-+.EX
-+.B setsebool -P postgresql_selinux_users_ddl 1
-+.EE
-+
-+.PP
-+If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_execmod 1
-+.EE
-+
-+.PP
-+If you want to allow webadm to manage files in users home directories, you must turn on the webadm_manage_user_files boolean.
-+
-+.EX
-+.B setsebool -P webadm_manage_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean.
-+
-+.EX
-+.B setsebool -P pppd_for_user 1
-+.EE
-+
-+.PP
-+If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean.
-+
-+.EX
-+.B setsebool -P selinuxuser_mysql_connect_enabled 1
-+.EE
-+
-+.PP
-+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
-+
-+.EX
-+.B setsebool -P clamscan_read_user_content 1
-+.EE
-+
-+.PP
-+If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean.
-+
-+.EX
-+.B setsebool -P dbadm_manage_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow exim to create, read, write, and delete unprivileged user files, you must turn on the exim_manage_user_files boolean.
-+
-+.EX
-+.B setsebool -P exim_manage_user_files 1
-+.EE
-+
-+.PP
-+If you want to determine whether calling user domains can execute Git daemon in the git_session_t domain, you must turn on the git_session_users boolean.
-+
-+.EX
-+.B setsebool -P git_session_users 1
-+.EE
-+
-+.PP
-+If you want to allow dbadm to read files in users home directories, you must turn on the dbadm_read_user_files boolean.
-+
-+.EX
-+.B setsebool -P dbadm_read_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow exim to read unprivileged user files, you must turn on the exim_read_user_files boolean.
-+
-+.EX
-+.B setsebool -P exim_read_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow webadm to read files in users home directories, you must turn on the webadm_read_user_files boolean.
-+
-+.EX
-+.B setsebool -P webadm_read_user_files 1
-+.EE
-+
-+.SH HOME_EXEC
-+
-+The SELinux user user_u is able execute home content files.
-+
-+.SH TRANSITIONS
-+
-+Three things can happen when user_t attempts to execute a program.
-+
-+\fB1.\fP SELinux Policy can deny user_t from executing the program.
-+
-+.TP
-+
-+\fB2.\fP SELinux Policy can allow user_t to execute the program in the current user type.
-+
-+Execute the following to see the types that the SELinux user user_t can execute without transitioning:
-+
-+.B search -A -s user_t -c file -p execute_no_trans
-+
-+.TP
-+
-+\fB3.\fP SELinux can allow user_t to execute the program and transition to a new type.
-+
-+Execute the following to see the types that the SELinux user user_t can execute and transition:
-+
-+.B $ search -A -s user_t -c process -p transition
-+
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type user_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B bluetooth_helper_tmp_t
-+
-+
-+.br
-+.B bluetooth_helper_tmpfs_t
-+
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B chrome_sandbox_tmpfs_t
-+
-+
-+.br
-+.B games_data_t
-+
-+ /var/games(/.*)?
-+.br
-+ /var/lib/games(/.*)?
-+.br
-+
-+.br
-+.B gpg_agent_tmp_t
-+
-+ /home/[^/]*/\.gnupg/log-socket
-+.br
-+ /home/dwalsh/\.gnupg/log-socket
-+.br
-+ /var/lib/xguest/home/xguest/\.gnupg/log-socket
-+.br
-+
-+.br
-+.B httpd_user_content_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))(/.+)?
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))(/.+)?
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)?
-+.br
-+
-+.br
-+.B httpd_user_htaccess_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess
-+.br
-+
-+.br
-+.B httpd_user_ra_content_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
-+.br
-+
-+.br
-+.B httpd_user_rw_content_t
-+
-+
-+.br
-+.B httpd_user_script_exec_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?
-+.br
-+
-+.br
-+.B iceauth_home_t
-+
-+ /root/\.DCOP.*
-+.br
-+ /root/\.ICEauthority.*
-+.br
-+ /home/[^/]*/\.DCOP.*
-+.br
-+ /home/[^/]*/\.ICEauthority.*
-+.br
-+ /home/dwalsh/\.DCOP.*
-+.br
-+ /home/dwalsh/\.ICEauthority.*
-+.br
-+ /var/lib/xguest/home/xguest/\.DCOP.*
-+.br
-+ /var/lib/xguest/home/xguest/\.ICEauthority.*
-+.br
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.br
-+.B mqueue_spool_t
-+
-+ /var/spool/(client)?mqueue(/.*)?
-+.br
-+ /var/spool/mqueue\.in(/.*)?
-+.br
-+
-+.br
-+.B nfsd_rw_t
-+
-+
-+.br
-+.B noxattrfs
-+
-+ all files on file systems which do not support extended attributes
-+.br
-+
-+.br
-+.B sandbox_file_t
-+
-+
-+.br
-+.B sandbox_tmpfs_type
-+
-+ all sandbox content in tmpfs file systems
-+.br
-+
-+.br
-+.B screen_home_t
-+
-+ /root/\.screen(/.*)?
-+.br
-+ /home/[^/]*/\.screen(/.*)?
-+.br
-+ /home/[^/]*/\.screenrc
-+.br
-+ /home/dwalsh/\.screen(/.*)?
-+.br
-+ /home/dwalsh/\.screenrc
-+.br
-+ /var/lib/xguest/home/xguest/\.screen(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.screenrc
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B usbfs_t
-+
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B user_fonts_t
-+
-+ /root/\.fonts(/.*)?
-+.br
-+ /tmp/\.font-unix(/.*)?
-+.br
-+ /home/[^/]*/\.fonts(/.*)?
-+.br
-+ /home/dwalsh/\.fonts(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts(/.*)?
-+.br
-+
-+.br
-+.B user_home_type
-+
-+ all user home files
-+.br
-+
-+.br
-+.B user_tmp_type
-+
-+ all user tmp files
-+.br
-+
-+.br
-+.B user_tmpfs_type
-+
-+ all user content in tmpfs file systems
-+.br
-+
-+.br
-+.B xauth_home_t
-+
-+ /root/\.xauth.*
-+.br
-+ /root/\.Xauth.*
-+.br
-+ /root/\.serverauth.*
-+.br
-+ /root/\.Xauthority.*
-+.br
-+ /var/lib/pqsql/\.xauth.*
-+.br
-+ /var/lib/pqsql/\.Xauthority.*
-+.br
-+ /var/lib/nxserver/home/\.xauth.*
-+.br
-+ /var/lib/nxserver/home/\.Xauthority.*
-+.br
-+ /home/[^/]*/\.xauth.*
-+.br
-+ /home/[^/]*/\.Xauth.*
-+.br
-+ /home/[^/]*/\.serverauth.*
-+.br
-+ /home/[^/]*/\.Xauthority.*
-+.br
-+ /home/dwalsh/\.xauth.*
-+.br
-+ /home/dwalsh/\.Xauth.*
-+.br
-+ /home/dwalsh/\.serverauth.*
-+.br
-+ /home/dwalsh/\.Xauthority.*
-+.br
-+ /var/lib/xguest/home/xguest/\.xauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.Xauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.serverauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.Xauthority.*
-+.br
-+
-+.br
-+.B xdm_tmp_t
-+
-+ /tmp/\.X11-unix(/.*)?
-+.br
-+ /tmp/\.ICE-unix(/.*)?
-+.br
-+ /tmp/\.X0-lock
-+.br
-+
-+.br
-+.B xserver_tmpfs_t
-+
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), user(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), useradd_selinux(8), usernetctl_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/useradd_selinux.8 b/man/man8/useradd_selinux.8
-new file mode 100644
-index 0000000..81ee3be
---- /dev/null
-+++ b/man/man8/useradd_selinux.8
-@@ -0,0 +1,311 @@
-+.TH "useradd_selinux" "8" "12-11-01" "useradd" "SELinux Policy documentation for useradd"
-+.SH "NAME"
-+useradd_selinux \- Security Enhanced Linux Policy for the useradd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the useradd processes via flexible mandatory access control.
-+
-+The useradd processes execute with the useradd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep useradd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The useradd_t SELinux type can be entered via the "useradd_exec_t,user_home_t" file types. The default entrypoint paths for the useradd_t domain are the following:"
-+
-+/usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/newusers, /home/[^/]*/.+, /home/dwalsh/.+, /var/lib/xguest/home/xguest/.+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux useradd policy is very flexible allowing users to setup their useradd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for useradd:
-+
-+.EX
-+.B useradd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux useradd policy is very flexible allowing users to setup their useradd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for useradd:
-+
-+
-+.EX
-+.PP
-+.B useradd_exec_t
-+.EE
-+
-+- Set files with the useradd_exec_t type, if you want to transition an executable to the useradd_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type useradd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B default_context_t
-+
-+ /etc/selinux/([^/]*/)?contexts(/.*)?
-+.br
-+ /root/\.default_contexts
-+.br
-+
-+.br
-+.B etc_t
-+
-+ /etc/.*
-+.br
-+ /var/db/.*\.db
-+.br
-+ /usr/etc(/.*)?
-+.br
-+ /var/ftp/etc(/.*)?
-+.br
-+ /var/lib/openshift/.limits.d(/.*)?
-+.br
-+ /var/lib/openshift/.openshift-proxy.d(/.*)?
-+.br
-+ /var/lib/openshift/.stickshift-proxy.d(/.*)?
-+.br
-+ /var/lib/stickshift/.limits.d(/.*)?
-+.br
-+ /var/lib/stickshift/.stickshift-proxy.d(/.*)?
-+.br
-+ /var/named/chroot/etc(/.*)?
-+.br
-+ /etc/ipsec\.d/examples(/.*)?
-+.br
-+ /var/spool/postfix/etc(/.*)?
-+.br
-+ /etc
-+.br
-+ /etc/cups/client\.conf
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B file_context_t
-+
-+ /etc/selinux/([^/]*/)?contexts/files(/.*)?
-+.br
-+
-+.br
-+.B httpd_user_content_type
-+
-+
-+.br
-+.B httpd_user_script_exec_type
-+
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B mail_spool_t
-+
-+ /var/mail(/.*)?
-+.br
-+ /var/spool/imap(/.*)?
-+.br
-+ /var/spool/mail(/.*)?
-+.br
-+
-+.br
-+.B passwd_file_t
-+
-+ /etc/group[-\+]?
-+.br
-+ /etc/passwd[-\+]?
-+.br
-+ /etc/passwd\.adjunct.*
-+.br
-+ /etc/ptmptmp
-+.br
-+ /etc/\.pwd\.lock
-+.br
-+ /etc/group\.lock
-+.br
-+ /etc/passwd\.OLD
-+.br
-+ /etc/passwd\.lock
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B selinux_config_t
-+
-+ /etc/selinux(/.*)?
-+.br
-+ /etc/selinux/([^/]*/)?seusers
-+.br
-+ /etc/selinux/([^/]*/)?users(/.*)?
-+.br
-+ /etc/selinux/([^/]*/)?setrans\.conf
-+.br
-+
-+.br
-+.B selinux_login_config_t
-+
-+ /etc/selinux/([^/]*/)?logins(/.*)?
-+.br
-+
-+.br
-+.B semanage_read_lock_t
-+
-+ /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK
-+.br
-+
-+.br
-+.B semanage_store_t
-+
-+ /etc/selinux/([^/]*/)?policy(/.*)?
-+.br
-+ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
-+.br
-+ /etc/share/selinux/mls(/.*)?
-+.br
-+ /etc/share/selinux/targeted(/.*)?
-+.br
-+
-+.br
-+.B semanage_tmp_t
-+
-+
-+.br
-+.B semanage_trans_lock_t
-+
-+ /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK
-+.br
-+
-+.br
-+.B shadow_t
-+
-+ /etc/shadow.*
-+.br
-+ /etc/gshadow.*
-+.br
-+ /var/db/shadow.*
-+.br
-+ /etc/security/opasswd
-+.br
-+ /etc/security/opasswd\.old
-+.br
-+
-+.br
-+.B stapserver_var_lib_t
-+
-+ /var/lib/stap-server(/.*)?
-+.br
-+
-+.br
-+.B user_home_type
-+
-+ all user home files
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the useradd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the useradd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), useradd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, user_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/usernetctl_selinux.8 b/man/man8/usernetctl_selinux.8
-new file mode 100644
-index 0000000..cb4d1bf
---- /dev/null
-+++ b/man/man8/usernetctl_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "usernetctl_selinux" "8" "12-11-01" "usernetctl" "SELinux Policy documentation for usernetctl"
-+.SH "NAME"
-+usernetctl_selinux \- Security Enhanced Linux Policy for the usernetctl processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the usernetctl processes via flexible mandatory access control.
-+
-+The usernetctl processes execute with the usernetctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep usernetctl_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The usernetctl_t SELinux type can be entered via the "usernetctl_exec_t" file type. The default entrypoint paths for the usernetctl_t domain are the following:"
-+
-+/usr/sbin/usernetctl
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux usernetctl policy is very flexible allowing users to setup their usernetctl processes in as secure a method as possible.
-+.PP
-+The following process types are defined for usernetctl:
-+
-+.EX
-+.B usernetctl_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux usernetctl policy is very flexible allowing users to setup their usernetctl processes in as secure a method as possible.
-+.PP
-+The following file types are defined for usernetctl:
-+
-+
-+.EX
-+.PP
-+.B usernetctl_exec_t
-+.EE
-+
-+- Set files with the usernetctl_exec_t type, if you want to transition an executable to the usernetctl_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the usernetctl_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the usernetctl_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), usernetctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, user_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/utempter_selinux.8 b/man/man8/utempter_selinux.8
-new file mode 100644
-index 0000000..7ae0085
---- /dev/null
-+++ b/man/man8/utempter_selinux.8
-@@ -0,0 +1,134 @@
-+.TH "utempter_selinux" "8" "12-11-01" "utempter" "SELinux Policy documentation for utempter"
-+.SH "NAME"
-+utempter_selinux \- Security Enhanced Linux Policy for the utempter processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the utempter processes via flexible mandatory access control.
-+
-+The utempter processes execute with the utempter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep utempter_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The utempter_t SELinux type can be entered via the "utempter_exec_t" file type. The default entrypoint paths for the utempter_t domain are the following:"
-+
-+/usr/sbin/utempter
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux utempter policy is very flexible allowing users to setup their utempter processes in as secure a method as possible.
-+.PP
-+The following process types are defined for utempter:
-+
-+.EX
-+.B utempter_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux utempter policy is very flexible allowing users to setup their utempter processes in as secure a method as possible.
-+.PP
-+The following file types are defined for utempter:
-+
-+
-+.EX
-+.PP
-+.B utempter_exec_t
-+.EE
-+
-+- Set files with the utempter_exec_t type, if you want to transition an executable to the utempter_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type utempter_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the utempter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the utempter_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), utempter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/uucpd_selinux.8 b/man/man8/uucpd_selinux.8
-new file mode 100644
-index 0000000..1f472de
---- /dev/null
-+++ b/man/man8/uucpd_selinux.8
-@@ -0,0 +1,218 @@
-+.TH "uucpd_selinux" "8" "12-11-01" "uucpd" "SELinux Policy documentation for uucpd"
-+.SH "NAME"
-+uucpd_selinux \- Security Enhanced Linux Policy for the uucpd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the uucpd processes via flexible mandatory access control.
-+
-+The uucpd processes execute with the uucpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep uucpd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The uucpd_t SELinux type can be entered via the "uucpd_exec_t" file type. The default entrypoint paths for the uucpd_t domain are the following:"
-+
-+/usr/sbin/uucico
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux uucpd policy is very flexible allowing users to setup their uucpd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for uucpd:
-+
-+.EX
-+.B uucpd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux uucpd policy is very flexible allowing users to setup their uucpd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for uucpd:
-+
-+
-+.EX
-+.PP
-+.B uucpd_exec_t
-+.EE
-+
-+- Set files with the uucpd_exec_t type, if you want to transition an executable to the uucpd_t domain.
-+
-+
-+.EX
-+.PP
-+.B uucpd_lock_t
-+.EE
-+
-+- Set files with the uucpd_lock_t type, if you want to treat the files as uucpd lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B uucpd_log_t
-+.EE
-+
-+- Set files with the uucpd_log_t type, if you want to treat the data as uucpd log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B uucpd_ro_t
-+.EE
-+
-+- Set files with the uucpd_ro_t type, if you want to treat the files as uucpd read/only content.
-+
-+
-+.EX
-+.PP
-+.B uucpd_rw_t
-+.EE
-+
-+- Set files with the uucpd_rw_t type, if you want to treat the files as uucpd read/write content.
-+
-+
-+.EX
-+.PP
-+.B uucpd_spool_t
-+.EE
-+
-+- Set files with the uucpd_spool_t type, if you want to store the uucpd files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B uucpd_tmp_t
-+.EE
-+
-+- Set files with the uucpd_tmp_t type, if you want to store uucpd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B uucpd_var_run_t
-+.EE
-+
-+- Set files with the uucpd_var_run_t type, if you want to store the uucpd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux uucpd policy is very flexible allowing users to setup their uucpd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for uucpd:
-+
-+.EX
-+.TP 5
-+.B uucpd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 540
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type uucpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B uucpd_lock_t
-+
-+ /var/lock/uucp(/.*)?
-+.br
-+
-+.br
-+.B uucpd_log_t
-+
-+ /var/log/uucp(/.*)?
-+.br
-+
-+.br
-+.B uucpd_rw_t
-+
-+
-+.br
-+.B uucpd_spool_t
-+
-+ /var/spool/uucp(/.*)?
-+.br
-+ /var/spool/uucppublic(/.*)?
-+.br
-+
-+.br
-+.B uucpd_tmp_t
-+
-+
-+.br
-+.B uucpd_var_run_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the uucpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the uucpd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), uucpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/uuidd_selinux.8 b/man/man8/uuidd_selinux.8
-new file mode 100644
-index 0000000..219e6f4
---- /dev/null
-+++ b/man/man8/uuidd_selinux.8
-@@ -0,0 +1,126 @@
-+.TH "uuidd_selinux" "8" "12-11-01" "uuidd" "SELinux Policy documentation for uuidd"
-+.SH "NAME"
-+uuidd_selinux \- Security Enhanced Linux Policy for the uuidd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the uuidd processes via flexible mandatory access control.
-+
-+The uuidd processes execute with the uuidd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep uuidd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The uuidd_t SELinux type can be entered via the "uuidd_exec_t" file type. The default entrypoint paths for the uuidd_t domain are the following:"
-+
-+/usr/sbin/uuidd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux uuidd policy is very flexible allowing users to setup their uuidd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for uuidd:
-+
-+.EX
-+.B uuidd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux uuidd policy is very flexible allowing users to setup their uuidd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for uuidd:
-+
-+
-+.EX
-+.PP
-+.B uuidd_exec_t
-+.EE
-+
-+- Set files with the uuidd_exec_t type, if you want to transition an executable to the uuidd_t domain.
-+
-+
-+.EX
-+.PP
-+.B uuidd_initrc_exec_t
-+.EE
-+
-+- Set files with the uuidd_initrc_exec_t type, if you want to transition an executable to the uuidd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B uuidd_var_lib_t
-+.EE
-+
-+- Set files with the uuidd_var_lib_t type, if you want to store the uuidd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B uuidd_var_run_t
-+.EE
-+
-+- Set files with the uuidd_var_run_t type, if you want to store the uuidd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type uuidd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B uuidd_var_lib_t
-+
-+ /var/lib/libuuid(/.*)?
-+.br
-+
-+.br
-+.B uuidd_var_run_t
-+
-+ /var/run/uuidd(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), uuidd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/uux_selinux.8 b/man/man8/uux_selinux.8
-new file mode 100644
-index 0000000..5c1314d
---- /dev/null
-+++ b/man/man8/uux_selinux.8
-@@ -0,0 +1,116 @@
-+.TH "uux_selinux" "8" "12-11-01" "uux" "SELinux Policy documentation for uux"
-+.SH "NAME"
-+uux_selinux \- Security Enhanced Linux Policy for the uux processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the uux processes via flexible mandatory access control.
-+
-+The uux processes execute with the uux_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep uux_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The uux_t SELinux type can be entered via the "uux_exec_t" file type. The default entrypoint paths for the uux_t domain are the following:"
-+
-+/usr/bin/uux
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux uux policy is very flexible allowing users to setup their uux processes in as secure a method as possible.
-+.PP
-+The following process types are defined for uux:
-+
-+.EX
-+.B uux_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux uux policy is very flexible allowing users to setup their uux processes in as secure a method as possible.
-+.PP
-+The following file types are defined for uux:
-+
-+
-+.EX
-+.PP
-+.B uux_exec_t
-+.EE
-+
-+- Set files with the uux_exec_t type, if you want to transition an executable to the uux_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type uux_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B uucpd_spool_t
-+
-+ /var/spool/uucp(/.*)?
-+.br
-+ /var/spool/uucppublic(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the uux_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the uux_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), uux(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/varnishd_selinux.8 b/man/man8/varnishd_selinux.8
-new file mode 100644
-index 0000000..a0af064
---- /dev/null
-+++ b/man/man8/varnishd_selinux.8
-@@ -0,0 +1,208 @@
-+.TH "varnishd_selinux" "8" "12-11-01" "varnishd" "SELinux Policy documentation for varnishd"
-+.SH "NAME"
-+varnishd_selinux \- Security Enhanced Linux Policy for the varnishd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the varnishd processes via flexible mandatory access control.
-+
-+The varnishd processes execute with the varnishd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep varnishd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The varnishd_t SELinux type can be entered via the "varnishd_exec_t" file type. The default entrypoint paths for the varnishd_t domain are the following:"
-+
-+/usr/sbin/varnishd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux varnishd policy is very flexible allowing users to setup their varnishd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for varnishd:
-+
-+.EX
-+.B varnishd_t, varnishlog_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. varnishd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run varnishd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow varnishd to connect to all ports, not just HTTP, you must turn on the varnishd_connect_any boolean.
-+
-+.EX
-+.B setsebool -P varnishd_connect_any 1
-+.EE
-+
-+.PP
-+If you want to allow varnishd to connect to all ports, not just HTTP, you must turn on the varnishd_connect_any boolean.
-+
-+.EX
-+.B setsebool -P varnishd_connect_any 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux varnishd policy is very flexible allowing users to setup their varnishd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for varnishd:
-+
-+
-+.EX
-+.PP
-+.B varnishd_etc_t
-+.EE
-+
-+- Set files with the varnishd_etc_t type, if you want to store varnishd files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B varnishd_exec_t
-+.EE
-+
-+- Set files with the varnishd_exec_t type, if you want to transition an executable to the varnishd_t domain.
-+
-+
-+.EX
-+.PP
-+.B varnishd_initrc_exec_t
-+.EE
-+
-+- Set files with the varnishd_initrc_exec_t type, if you want to transition an executable to the varnishd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B varnishd_tmp_t
-+.EE
-+
-+- Set files with the varnishd_tmp_t type, if you want to store varnishd temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B varnishd_var_lib_t
-+.EE
-+
-+- Set files with the varnishd_var_lib_t type, if you want to store the varnishd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B varnishd_var_run_t
-+.EE
-+
-+- Set files with the varnishd_var_run_t type, if you want to store the varnishd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux varnishd policy is very flexible allowing users to setup their varnishd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for varnishd:
-+
-+.EX
-+.TP 5
-+.B varnishd_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 6081-6082
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type varnishd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B varnishd_tmp_t
-+
-+
-+.br
-+.B varnishd_var_lib_t
-+
-+ /var/lib/varnish(/.*)?
-+.br
-+
-+.br
-+.B varnishd_var_run_t
-+
-+ /var/run/varnish\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the varnishd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the varnishd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), varnishd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), varnishlog_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/varnishlog_selinux.8 b/man/man8/varnishlog_selinux.8
-new file mode 100644
-index 0000000..bc3b750
---- /dev/null
-+++ b/man/man8/varnishlog_selinux.8
-@@ -0,0 +1,128 @@
-+.TH "varnishlog_selinux" "8" "12-11-01" "varnishlog" "SELinux Policy documentation for varnishlog"
-+.SH "NAME"
-+varnishlog_selinux \- Security Enhanced Linux Policy for the varnishlog processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the varnishlog processes via flexible mandatory access control.
-+
-+The varnishlog processes execute with the varnishlog_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep varnishlog_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The varnishlog_t SELinux type can be entered via the "varnishlog_exec_t" file type. The default entrypoint paths for the varnishlog_t domain are the following:"
-+
-+/usr/bin/varnishlog, /usr/bin/varnisncsa
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux varnishlog policy is very flexible allowing users to setup their varnishlog processes in as secure a method as possible.
-+.PP
-+The following process types are defined for varnishlog:
-+
-+.EX
-+.B varnishlog_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux varnishlog policy is very flexible allowing users to setup their varnishlog processes in as secure a method as possible.
-+.PP
-+The following file types are defined for varnishlog:
-+
-+
-+.EX
-+.PP
-+.B varnishlog_exec_t
-+.EE
-+
-+- Set files with the varnishlog_exec_t type, if you want to transition an executable to the varnishlog_t domain.
-+
-+
-+.EX
-+.PP
-+.B varnishlog_initrc_exec_t
-+.EE
-+
-+- Set files with the varnishlog_initrc_exec_t type, if you want to transition an executable to the varnishlog_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B varnishlog_log_t
-+.EE
-+
-+- Set files with the varnishlog_log_t type, if you want to treat the data as varnishlog log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B varnishlog_var_run_t
-+.EE
-+
-+- Set files with the varnishlog_var_run_t type, if you want to store the varnishlog files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type varnishlog_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B varnishlog_log_t
-+
-+ /var/log/varnish(/.*)?
-+.br
-+
-+.br
-+.B varnishlog_var_run_t
-+
-+ /var/run/varnishlog\.pid
-+.br
-+ /var/run/varnishncsa\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), varnishlog(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/vbetool_selinux.8 b/man/man8/vbetool_selinux.8
-new file mode 100644
-index 0000000..507145b
---- /dev/null
-+++ b/man/man8/vbetool_selinux.8
-@@ -0,0 +1,124 @@
-+.TH "vbetool_selinux" "8" "12-11-01" "vbetool" "SELinux Policy documentation for vbetool"
-+.SH "NAME"
-+vbetool_selinux \- Security Enhanced Linux Policy for the vbetool processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the vbetool processes via flexible mandatory access control.
-+
-+The vbetool processes execute with the vbetool_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep vbetool_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The vbetool_t SELinux type can be entered via the "vbetool_exec_t" file type. The default entrypoint paths for the vbetool_t domain are the following:"
-+
-+/usr/sbin/vbetool
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux vbetool policy is very flexible allowing users to setup their vbetool processes in as secure a method as possible.
-+.PP
-+The following process types are defined for vbetool:
-+
-+.EX
-+.B vbetool_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. vbetool policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vbetool with the tightest access possible.
-+
-+
-+.PP
-+If you want to ignore vbetool mmap_zero errors, you must turn on the vbetool_mmap_zero_ignore boolean.
-+
-+.EX
-+.B setsebool -P vbetool_mmap_zero_ignore 1
-+.EE
-+
-+.PP
-+If you want to ignore vbetool mmap_zero errors, you must turn on the vbetool_mmap_zero_ignore boolean.
-+
-+.EX
-+.B setsebool -P vbetool_mmap_zero_ignore 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux vbetool policy is very flexible allowing users to setup their vbetool processes in as secure a method as possible.
-+.PP
-+The following file types are defined for vbetool:
-+
-+
-+.EX
-+.PP
-+.B vbetool_exec_t
-+.EE
-+
-+- Set files with the vbetool_exec_t type, if you want to transition an executable to the vbetool_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type vbetool_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mtrr_device_t
-+
-+ /dev/cpu/mtrr
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), vbetool(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/vdagent_selinux.8 b/man/man8/vdagent_selinux.8
-new file mode 100644
-index 0000000..1d1e6e4
---- /dev/null
-+++ b/man/man8/vdagent_selinux.8
-@@ -0,0 +1,122 @@
-+.TH "vdagent_selinux" "8" "12-11-01" "vdagent" "SELinux Policy documentation for vdagent"
-+.SH "NAME"
-+vdagent_selinux \- Security Enhanced Linux Policy for the vdagent processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the vdagent processes via flexible mandatory access control.
-+
-+The vdagent processes execute with the vdagent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep vdagent_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The vdagent_t SELinux type can be entered via the "vdagent_exec_t" file type. The default entrypoint paths for the vdagent_t domain are the following:"
-+
-+/usr/sbin/spice-vdagentd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux vdagent policy is very flexible allowing users to setup their vdagent processes in as secure a method as possible.
-+.PP
-+The following process types are defined for vdagent:
-+
-+.EX
-+.B vdagent_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux vdagent policy is very flexible allowing users to setup their vdagent processes in as secure a method as possible.
-+.PP
-+The following file types are defined for vdagent:
-+
-+
-+.EX
-+.PP
-+.B vdagent_exec_t
-+.EE
-+
-+- Set files with the vdagent_exec_t type, if you want to transition an executable to the vdagent_t domain.
-+
-+
-+.EX
-+.PP
-+.B vdagent_log_t
-+.EE
-+
-+- Set files with the vdagent_log_t type, if you want to treat the data as vdagent log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B vdagent_var_run_t
-+.EE
-+
-+- Set files with the vdagent_var_run_t type, if you want to store the vdagent files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type vdagent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B vdagent_log_t
-+
-+ /var/log/spice-vdagentd(/.*)?
-+.br
-+ /var/log/spice-vdagentd\.log.*
-+.br
-+
-+.br
-+.B vdagent_var_run_t
-+
-+ /var/run/spice-vdagentd(/.*)?
-+.br
-+ /var/run/spice-vdagentd\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), vdagent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/vhostmd_selinux.8 b/man/man8/vhostmd_selinux.8
-new file mode 100644
-index 0000000..eafe755
---- /dev/null
-+++ b/man/man8/vhostmd_selinux.8
-@@ -0,0 +1,156 @@
-+.TH "vhostmd_selinux" "8" "12-11-01" "vhostmd" "SELinux Policy documentation for vhostmd"
-+.SH "NAME"
-+vhostmd_selinux \- Security Enhanced Linux Policy for the vhostmd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the vhostmd processes via flexible mandatory access control.
-+
-+The vhostmd processes execute with the vhostmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep vhostmd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The vhostmd_t SELinux type can be entered via the "vhostmd_exec_t" file type. The default entrypoint paths for the vhostmd_t domain are the following:"
-+
-+/usr/sbin/vhostmd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux vhostmd policy is very flexible allowing users to setup their vhostmd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for vhostmd:
-+
-+.EX
-+.B vhostmd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux vhostmd policy is very flexible allowing users to setup their vhostmd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for vhostmd:
-+
-+
-+.EX
-+.PP
-+.B vhostmd_exec_t
-+.EE
-+
-+- Set files with the vhostmd_exec_t type, if you want to transition an executable to the vhostmd_t domain.
-+
-+
-+.EX
-+.PP
-+.B vhostmd_initrc_exec_t
-+.EE
-+
-+- Set files with the vhostmd_initrc_exec_t type, if you want to transition an executable to the vhostmd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B vhostmd_tmpfs_t
-+.EE
-+
-+- Set files with the vhostmd_tmpfs_t type, if you want to store vhostmd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B vhostmd_var_run_t
-+.EE
-+
-+- Set files with the vhostmd_var_run_t type, if you want to store the vhostmd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type vhostmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B vhostmd_tmpfs_t
-+
-+
-+.br
-+.B vhostmd_var_run_t
-+
-+ /var/run/vhostmd.pid
-+.br
-+
-+.br
-+.B virt_content_t
-+
-+ /var/lib/vdsm(/.*)?
-+.br
-+ /var/lib/oz/isos(/.*)?
-+.br
-+ /var/lib/libvirt/boot(/.*)?
-+.br
-+ /var/lib/libvirt/isos(/.*)?
-+.br
-+ /home/[^/]*/VirtualMachines/isos(/.*)?
-+.br
-+ /home/dwalsh/VirtualMachines/isos(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/VirtualMachines/isos(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vhostmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the vhostmd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), vhostmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/virsh_selinux.8 b/man/man8/virsh_selinux.8
-new file mode 100644
-index 0000000..595b506
---- /dev/null
-+++ b/man/man8/virsh_selinux.8
-@@ -0,0 +1,186 @@
-+.TH "virsh_selinux" "8" "12-11-01" "virsh" "SELinux Policy documentation for virsh"
-+.SH "NAME"
-+virsh_selinux \- Security Enhanced Linux Policy for the virsh processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the virsh processes via flexible mandatory access control.
-+
-+The virsh processes execute with the virsh_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep virsh_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The virsh_t SELinux type can be entered via the "virsh_exec_t" file type. The default entrypoint paths for the virsh_t domain are the following:"
-+
-+/usr/bin/virt-sandbox-service.*, /usr/bin/virsh
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux virsh policy is very flexible allowing users to setup their virsh processes in as secure a method as possible.
-+.PP
-+The following process types are defined for virsh:
-+
-+.EX
-+.B virsh_ssh_t, virsh_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux virsh policy is very flexible allowing users to setup their virsh processes in as secure a method as possible.
-+.PP
-+The following file types are defined for virsh:
-+
-+
-+.EX
-+.PP
-+.B virsh_exec_t
-+.EE
-+
-+- Set files with the virsh_exec_t type, if you want to transition an executable to the virsh_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type virsh_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B ssh_home_t
-+
-+ /root/\.ssh(/.*)?
-+.br
-+ /var/lib/openshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/amanda/\.ssh(/.*)?
-+.br
-+ /var/lib/stickshift/[^/]+/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite/\.ssh(/.*)?
-+.br
-+ /var/lib/nocpulse/\.ssh(/.*)?
-+.br
-+ /var/lib/gitolite3/\.ssh(/.*)?
-+.br
-+ /root/\.shosts
-+.br
-+ /home/[^/]*/\.ssh(/.*)?
-+.br
-+ /home/[^/]*/\.shosts
-+.br
-+ /home/dwalsh/\.ssh(/.*)?
-+.br
-+ /home/dwalsh/\.shosts
-+.br
-+ /var/lib/xguest/home/xguest/\.ssh(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.shosts
-+.br
-+
-+.br
-+.B svirt_lxc_file_t
-+
-+
-+.br
-+.B vhostmd_tmpfs_t
-+
-+
-+.br
-+.B virt_etc_rw_t
-+
-+ /etc/xen/.*/.*
-+.br
-+ /etc/xen/[^/]*
-+.br
-+ /etc/libvirt/.*/.*
-+.br
-+ /etc/libvirt/[^/]*
-+.br
-+
-+.br
-+.B virt_etc_t
-+
-+ /etc/xen/[^/]*
-+.br
-+ /etc/libvirt/[^/]*
-+.br
-+ /etc/xen
-+.br
-+ /etc/libvirt
-+.br
-+
-+.br
-+.B virt_image_type
-+
-+ all virtual image files
-+.br
-+
-+.br
-+.B virt_lxc_var_run_t
-+
-+ /var/run/libvirt/lxc(/.*)?
-+.br
-+ /var/run/libvirt-sandbox(/.*)?
-+.br
-+
-+.br
-+.B xenfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virsh_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the virsh_ssh_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), virsh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/virt_bridgehelper_selinux.8 b/man/man8/virt_bridgehelper_selinux.8
-new file mode 100644
-index 0000000..4c6e5e6
---- /dev/null
-+++ b/man/man8/virt_bridgehelper_selinux.8
-@@ -0,0 +1,119 @@
-+.TH "virt_bridgehelper_selinux" "8" "12-11-01" "virt_bridgehelper" "SELinux Policy documentation for virt_bridgehelper"
-+.SH "NAME"
-+virt_bridgehelper_selinux \- Security Enhanced Linux Policy for the virt_bridgehelper processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the virt_bridgehelper processes via flexible mandatory access control.
-+
-+The virt_bridgehelper processes execute with the virt_bridgehelper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep virt_bridgehelper_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The virt_bridgehelper_t SELinux type can be entered via the "virt_bridgehelper_exec_t" file type. The default entrypoint paths for the virt_bridgehelper_t domain are the following:"
-+
-+/usr/libexec/qemu-bridge-helper
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux virt_bridgehelper policy is very flexible allowing users to setup their virt_bridgehelper processes in as secure a method as possible.
-+.PP
-+The following process types are defined for virt_bridgehelper:
-+
-+.EX
-+.B virt_bridgehelper_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux virt_bridgehelper policy is very flexible allowing users to setup their virt_bridgehelper processes in as secure a method as possible.
-+.PP
-+The following file types are defined for virt_bridgehelper:
-+
-+
-+.EX
-+.PP
-+.B virt_bridgehelper_exec_t
-+.EE
-+
-+- Set files with the virt_bridgehelper_exec_t type, if you want to transition an executable to the virt_bridgehelper_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type virt_bridgehelper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B svirt_home_t
-+
-+ /home/[^/]*/\.libvirt/qemu(/.*)?
-+.br
-+ /home/[^/]*/\.cache/libvirt/qemu(/.*)?
-+.br
-+ /home/[^/]*/\.config/libvirt/qemu(/.*)?
-+.br
-+ /home/[^/]*/\.local/share/gnome-boxes/images(/.*)?
-+.br
-+ /home/dwalsh/\.libvirt/qemu(/.*)?
-+.br
-+ /home/dwalsh/\.cache/libvirt/qemu(/.*)?
-+.br
-+ /home/dwalsh/\.config/libvirt/qemu(/.*)?
-+.br
-+ /home/dwalsh/\.local/share/gnome-boxes/images(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.libvirt/qemu(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache/libvirt/qemu(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.config/libvirt/qemu(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.local/share/gnome-boxes/images(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), virt_bridgehelper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, virt_qemu_ga_selinux(8), virt_qmf_selinux(8), virtd_selinux(8), virtd_lxc_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/virt_qemu_ga_selinux.8 b/man/man8/virt_qemu_ga_selinux.8
-new file mode 100644
-index 0000000..0419773
---- /dev/null
-+++ b/man/man8/virt_qemu_ga_selinux.8
-@@ -0,0 +1,119 @@
-+.TH "virt_qemu_ga_selinux" "8" "12-11-01" "virt_qemu_ga" "SELinux Policy documentation for virt_qemu_ga"
-+.SH "NAME"
-+virt_qemu_ga_selinux \- Security Enhanced Linux Policy for the virt_qemu_ga processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the virt_qemu_ga processes via flexible mandatory access control.
-+
-+The virt_qemu_ga processes execute with the virt_qemu_ga_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep virt_qemu_ga_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The virt_qemu_ga_t SELinux type can be entered via the "virt_qemu_ga_exec_t" file type. The default entrypoint paths for the virt_qemu_ga_t domain are the following:"
-+
-+/usr/bin/qemu-ga
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux virt_qemu_ga policy is very flexible allowing users to setup their virt_qemu_ga processes in as secure a method as possible.
-+.PP
-+The following process types are defined for virt_qemu_ga:
-+
-+.EX
-+.B virt_qemu_ga_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux virt_qemu_ga policy is very flexible allowing users to setup their virt_qemu_ga processes in as secure a method as possible.
-+.PP
-+The following file types are defined for virt_qemu_ga:
-+
-+
-+.EX
-+.PP
-+.B virt_qemu_ga_exec_t
-+.EE
-+
-+- Set files with the virt_qemu_ga_exec_t type, if you want to transition an executable to the virt_qemu_ga_t domain.
-+
-+
-+.EX
-+.PP
-+.B virt_qemu_ga_log_t
-+.EE
-+
-+- Set files with the virt_qemu_ga_log_t type, if you want to treat the data as virt qemu ga log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B virt_qemu_ga_var_run_t
-+.EE
-+
-+- Set files with the virt_qemu_ga_var_run_t type, if you want to store the virt qemu ga files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type virt_qemu_ga_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B virt_qemu_ga_log_t
-+
-+ /var/log/qemu-ga\.log
-+.br
-+
-+.br
-+.B virt_qemu_ga_var_run_t
-+
-+ /var/run/qemu-ga\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), virt_qemu_ga(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, virt_bridgehelper_selinux(8), virt_qmf_selinux(8), virtd_selinux(8), virtd_lxc_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/virt_qmf_selinux.8 b/man/man8/virt_qmf_selinux.8
-new file mode 100644
-index 0000000..03fd507
---- /dev/null
-+++ b/man/man8/virt_qmf_selinux.8
-@@ -0,0 +1,87 @@
-+.TH "virt_qmf_selinux" "8" "12-11-01" "virt_qmf" "SELinux Policy documentation for virt_qmf"
-+.SH "NAME"
-+virt_qmf_selinux \- Security Enhanced Linux Policy for the virt_qmf processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the virt_qmf processes via flexible mandatory access control.
-+
-+The virt_qmf processes execute with the virt_qmf_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep virt_qmf_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The virt_qmf_t SELinux type can be entered via the "virt_qmf_exec_t" file type. The default entrypoint paths for the virt_qmf_t domain are the following:"
-+
-+/usr/sbin/libvirt-qmf
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux virt_qmf policy is very flexible allowing users to setup their virt_qmf processes in as secure a method as possible.
-+.PP
-+The following process types are defined for virt_qmf:
-+
-+.EX
-+.B virt_qmf_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux virt_qmf policy is very flexible allowing users to setup their virt_qmf processes in as secure a method as possible.
-+.PP
-+The following file types are defined for virt_qmf:
-+
-+
-+.EX
-+.PP
-+.B virt_qmf_exec_t
-+.EE
-+
-+- Set files with the virt_qmf_exec_t type, if you want to transition an executable to the virt_qmf_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), virt_qmf(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, virt_bridgehelper_selinux(8), virt_qemu_ga_selinux(8), virtd_selinux(8), virtd_lxc_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/virt_selinux.8 b/man/man8/virt_selinux.8
-new file mode 100644
-index 0000000..ee560da
---- /dev/null
-+++ b/man/man8/virt_selinux.8
-@@ -0,0 +1 @@
-+.so man8/virtd_selinux.8
-\ No newline at end of file
-diff --git a/man/man8/virtd_lxc_selinux.8 b/man/man8/virtd_lxc_selinux.8
-new file mode 100644
-index 0000000..68244d4
---- /dev/null
-+++ b/man/man8/virtd_lxc_selinux.8
-@@ -0,0 +1,145 @@
-+.TH "virtd_lxc_selinux" "8" "12-11-01" "virtd_lxc" "SELinux Policy documentation for virtd_lxc"
-+.SH "NAME"
-+virtd_lxc_selinux \- Security Enhanced Linux Policy for the virtd_lxc processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the virtd_lxc processes via flexible mandatory access control.
-+
-+The virtd_lxc processes execute with the virtd_lxc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep virtd_lxc_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The virtd_lxc_t SELinux type can be entered via the "virtd_lxc_exec_t" file type. The default entrypoint paths for the virtd_lxc_t domain are the following:"
-+
-+/usr/libexec/libvirt_lxc
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux virtd_lxc policy is very flexible allowing users to setup their virtd_lxc processes in as secure a method as possible.
-+.PP
-+The following process types are defined for virtd_lxc:
-+
-+.EX
-+.B virtd_lxc_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux virtd_lxc policy is very flexible allowing users to setup their virtd_lxc processes in as secure a method as possible.
-+.PP
-+The following file types are defined for virtd_lxc:
-+
-+
-+.EX
-+.PP
-+.B virtd_lxc_exec_t
-+.EE
-+
-+- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type virtd_lxc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B svirt_lxc_file_t
-+
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B virt_image_t
-+
-+ /var/lib/libvirt/images(/.*)?
-+.br
-+ /var/lib/imagefactory/images(/.*)?
-+.br
-+
-+.br
-+.B virt_lxc_var_run_t
-+
-+ /var/run/libvirt/lxc(/.*)?
-+.br
-+ /var/run/libvirt-sandbox(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the virtd_lxc_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), virtd_lxc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, virtd_selinux(8), virtd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/virtd_selinux.8 b/man/man8/virtd_selinux.8
-new file mode 100644
-index 0000000..783d0c9
---- /dev/null
-+++ b/man/man8/virtd_selinux.8
-@@ -0,0 +1,616 @@
-+.TH "virtd_selinux" "8" "12-11-01" "virtd" "SELinux Policy documentation for virtd"
-+.SH "NAME"
-+virtd_selinux \- Security Enhanced Linux Policy for the virtd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the virtd processes via flexible mandatory access control.
-+
-+The virtd processes execute with the virtd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep virtd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The virtd_t SELinux type can be entered via the "virtd_exec_t" file type. The default entrypoint paths for the virtd_t domain are the following:"
-+
-+/usr/sbin/libvirtd, /usr/bin/imgfac\.py, /usr/bin/imagefactory, /usr/bin/nova-compute, /usr/sbin/condor_vm-gahp, /usr/bin/vios-proxy-host, /usr/bin/vios-proxy-guest
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for virtd:
-+
-+.EX
-+.B virtd_lxc_t, virt_qmf_t, virt_qemu_ga_t, virt_bridgehelper_t, virtd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. virtd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virtd with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow confined virtual guests to manage device configuration, (pci), you must turn on the virt_use_sysfs boolean.
-+
-+.EX
-+.B setsebool -P virt_use_sysfs 1
-+.EE
-+
-+.PP
-+If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean.
-+
-+.EX
-+.B setsebool -P unprivuser_use_svirt 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P virt_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean.
-+
-+.EX
-+.B setsebool -P virt_use_samba 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to use usb devices, you must turn on the virt_use_usb boolean.
-+
-+.EX
-+.B setsebool -P virt_use_usb 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to use serial/parallel communication ports, you must turn on the virt_use_comm boolean.
-+
-+.EX
-+.B setsebool -P virt_use_comm 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean.
-+
-+.EX
-+.B setsebool -P virt_use_xserver 1
-+.EE
-+
-+.PP
-+If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean.
-+
-+.EX
-+.B setsebool -P staff_use_svirt 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to read fuse files, you must turn on the virt_use_fusefs boolean.
-+
-+.EX
-+.B setsebool -P virt_use_fusefs 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to use executable memory and executable stack, you must turn on the virt_use_execmem boolean.
-+
-+.EX
-+.B setsebool -P virt_use_execmem 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean.
-+
-+.EX
-+.B setsebool -P virt_use_sanlock 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to manage device configuration, (pci), you must turn on the virt_use_sysfs boolean.
-+
-+.EX
-+.B setsebool -P virt_use_sysfs 1
-+.EE
-+
-+.PP
-+If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean.
-+
-+.EX
-+.B setsebool -P unprivuser_use_svirt 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P virt_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean.
-+
-+.EX
-+.B setsebool -P virt_use_samba 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to use usb devices, you must turn on the virt_use_usb boolean.
-+
-+.EX
-+.B setsebool -P virt_use_usb 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to use serial/parallel communication ports, you must turn on the virt_use_comm boolean.
-+
-+.EX
-+.B setsebool -P virt_use_comm 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean.
-+
-+.EX
-+.B setsebool -P virt_use_xserver 1
-+.EE
-+
-+.PP
-+If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean.
-+
-+.EX
-+.B setsebool -P staff_use_svirt 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to read fuse files, you must turn on the virt_use_fusefs boolean.
-+
-+.EX
-+.B setsebool -P virt_use_fusefs 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to use executable memory and executable stack, you must turn on the virt_use_execmem boolean.
-+
-+.EX
-+.B setsebool -P virt_use_execmem 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean.
-+
-+.EX
-+.B setsebool -P virt_use_sanlock 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to manage device configuration, (pci), you must turn on the virt_use_sysfs boolean.
-+
-+.EX
-+.B setsebool -P virt_use_sysfs 1
-+.EE
-+
-+.PP
-+If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean.
-+
-+.EX
-+.B setsebool -P unprivuser_use_svirt 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P virt_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean.
-+
-+.EX
-+.B setsebool -P virt_use_samba 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to use usb devices, you must turn on the virt_use_usb boolean.
-+
-+.EX
-+.B setsebool -P virt_use_usb 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to use serial/parallel communication ports, you must turn on the virt_use_comm boolean.
-+
-+.EX
-+.B setsebool -P virt_use_comm 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean.
-+
-+.EX
-+.B setsebool -P virt_use_xserver 1
-+.EE
-+
-+.PP
-+If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean.
-+
-+.EX
-+.B setsebool -P staff_use_svirt 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to read fuse files, you must turn on the virt_use_fusefs boolean.
-+
-+.EX
-+.B setsebool -P virt_use_fusefs 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to use executable memory and executable stack, you must turn on the virt_use_execmem boolean.
-+
-+.EX
-+.B setsebool -P virt_use_execmem 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean.
-+
-+.EX
-+.B setsebool -P virt_use_sanlock 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for virtd:
-+
-+
-+.EX
-+.PP
-+.B virtd_exec_t
-+.EE
-+
-+- Set files with the virtd_exec_t type, if you want to transition an executable to the virtd_t domain.
-+
-+
-+.EX
-+.PP
-+.B virtd_initrc_exec_t
-+.EE
-+
-+- Set files with the virtd_initrc_exec_t type, if you want to transition an executable to the virtd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B virtd_keytab_t
-+.EE
-+
-+- Set files with the virtd_keytab_t type, if you want to treat the files as kerberos keytab files.
-+
-+
-+.EX
-+.PP
-+.B virtd_lxc_exec_t
-+.EE
-+
-+- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain.
-+
-+
-+.EX
-+.PP
-+.B virtd_unit_file_t
-+.EE
-+
-+- Set files with the virtd_unit_file_t type, if you want to treat the files as virtd unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible.
-+.PP
-+The following port types are defined for virtd:
-+
-+.EX
-+.TP 5
-+.B virt_migration_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 49152-49216
-+.EE
-+
-+.EX
-+.TP 5
-+.B virt_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 16509,16514
-+.EE
-+udp 16509,16514
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type virtd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B dnsmasq_var_run_t
-+
-+ /var/run/libvirt/network(/.*)?
-+.br
-+ /var/run/dnsmasq\.pid
-+.br
-+
-+.br
-+.B hugetlbfs_t
-+
-+ /dev/hugepages
-+.br
-+ /lib/udev/devices/hugepages
-+.br
-+ /usr/lib/udev/devices/hugepages
-+.br
-+
-+.br
-+.B modules_conf_t
-+
-+ /etc/modprobe\.d(/.*)?
-+.br
-+ /etc/modules\.conf.*
-+.br
-+ /etc/modprobe\.conf.*
-+.br
-+ /lib/modules/modprobe\.conf
-+.br
-+ /usr/lib/modules/modprobe\.conf
-+.br
-+
-+.br
-+.B mtrr_device_t
-+
-+ /dev/cpu/mtrr
-+.br
-+
-+.br
-+.B qemu_var_run_t
-+
-+ /var/lib/libvirt/qemu(/.*)?
-+.br
-+ /var/run/libvirt/qemu(/.*)?
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B system_conf_t
-+
-+ /etc/sysctl\.conf(\.old)?
-+.br
-+ /etc/sysconfig/ip6?tables.*
-+.br
-+ /etc/sysconfig/ipvsadm.*
-+.br
-+ /etc/sysconfig/ebtables.*
-+.br
-+ /etc/sysconfig/system-config-firewall.*
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B virt_cache_t
-+
-+ /var/cache/oz(/.*)?
-+.br
-+ /var/cache/libvirt(/.*)?
-+.br
-+
-+.br
-+.B virt_etc_rw_t
-+
-+ /etc/xen/.*/.*
-+.br
-+ /etc/xen/[^/]*
-+.br
-+ /etc/libvirt/.*/.*
-+.br
-+ /etc/libvirt/[^/]*
-+.br
-+
-+.br
-+.B virt_home_t
-+
-+ /home/[^/]*/\.libvirt(/.*)?
-+.br
-+ /home/[^/]*/\.virtinst(/.*)?
-+.br
-+ /home/[^/]*/\.cache/libvirt(/.*)?
-+.br
-+ /home/[^/]*/\.config/libvirt(/.*)?
-+.br
-+ /home/[^/]*/VirtualMachines(/.*)?
-+.br
-+ /home/[^/]*/\.cache/gnome-boxes(/.*)?
-+.br
-+ /home/dwalsh/\.libvirt(/.*)?
-+.br
-+ /home/dwalsh/\.virtinst(/.*)?
-+.br
-+ /home/dwalsh/\.cache/libvirt(/.*)?
-+.br
-+ /home/dwalsh/\.config/libvirt(/.*)?
-+.br
-+ /home/dwalsh/VirtualMachines(/.*)?
-+.br
-+ /home/dwalsh/\.cache/gnome-boxes(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.libvirt(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.virtinst(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache/libvirt(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.config/libvirt(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/VirtualMachines(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.cache/gnome-boxes(/.*)?
-+.br
-+
-+.br
-+.B virt_image_type
-+
-+ all virtual image files
-+.br
-+
-+.br
-+.B virt_lock_t
-+
-+
-+.br
-+.B virt_log_t
-+
-+ /var/log/log(/.*)?
-+.br
-+ /var/log/vdsm(/.*)?
-+.br
-+ /var/log/libvirt(/.*)?
-+.br
-+
-+.br
-+.B virt_lxc_var_run_t
-+
-+ /var/run/libvirt/lxc(/.*)?
-+.br
-+ /var/run/libvirt-sandbox(/.*)?
-+.br
-+
-+.br
-+.B virt_tmp_t
-+
-+
-+.br
-+.B virt_var_lib_t
-+
-+ /var/lib/oz(/.*)?
-+.br
-+ /var/lib/libvirt(/.*)?
-+.br
-+
-+.br
-+.B virt_var_run_t
-+
-+ /var/vdsm(/.*)?
-+.br
-+ /var/run/vdsm(/.*)?
-+.br
-+ /var/run/libvirt(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virtd_t, virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the virtd_t, virtd_lxc_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), virtd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), virt_bridgehelper_selinux(8), virt_qemu_ga_selinux(8), virt_qmf_selinux(8), virtd_lxc_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/vlock_selinux.8 b/man/man8/vlock_selinux.8
-new file mode 100644
-index 0000000..372dfc6
---- /dev/null
-+++ b/man/man8/vlock_selinux.8
-@@ -0,0 +1,130 @@
-+.TH "vlock_selinux" "8" "12-11-01" "vlock" "SELinux Policy documentation for vlock"
-+.SH "NAME"
-+vlock_selinux \- Security Enhanced Linux Policy for the vlock processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the vlock processes via flexible mandatory access control.
-+
-+The vlock processes execute with the vlock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep vlock_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The vlock_t SELinux type can be entered via the "vlock_exec_t" file type. The default entrypoint paths for the vlock_t domain are the following:"
-+
-+/usr/sbin/vlock-main
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux vlock policy is very flexible allowing users to setup their vlock processes in as secure a method as possible.
-+.PP
-+The following process types are defined for vlock:
-+
-+.EX
-+.B vlock_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux vlock policy is very flexible allowing users to setup their vlock processes in as secure a method as possible.
-+.PP
-+The following file types are defined for vlock:
-+
-+
-+.EX
-+.PP
-+.B vlock_exec_t
-+.EE
-+
-+- Set files with the vlock_exec_t type, if you want to transition an executable to the vlock_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type vlock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the vlock_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), vlock(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/vmware_host_selinux.8 b/man/man8/vmware_host_selinux.8
-new file mode 100644
-index 0000000..2dd2f97
---- /dev/null
-+++ b/man/man8/vmware_host_selinux.8
-@@ -0,0 +1,139 @@
-+.TH "vmware_host_selinux" "8" "12-11-01" "vmware_host" "SELinux Policy documentation for vmware_host"
-+.SH "NAME"
-+vmware_host_selinux \- Security Enhanced Linux Policy for the vmware_host processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the vmware_host processes via flexible mandatory access control.
-+
-+The vmware_host processes execute with the vmware_host_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep vmware_host_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The vmware_host_t SELinux type can be entered via the "vmware_host_exec_t" file type. The default entrypoint paths for the vmware_host_t domain are the following:"
-+
-+/usr/sbin/vmware-guest.*, /usr/lib/vmware-tools/sbin32/vmware.*, /usr/lib/vmware-tools/sbin64/vmware.*, /usr/bin/vmnet-natd, /usr/bin/vmware-vmx, /usr/bin/vmnet-dhcpd, /usr/bin/vmware-nmbd, /usr/bin/vmware-smbd, /usr/bin/vmnet-bridge, /usr/bin/vmnet-netifup, /usr/bin/vmnet-sniffer, /usr/bin/vmware-network, /usr/bin/vmware-smbpasswd, /usr/bin/vmware-smbpasswd\.bin, /usr/lib/vmware/bin/vmware-vmx
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux vmware_host policy is very flexible allowing users to setup their vmware_host processes in as secure a method as possible.
-+.PP
-+The following process types are defined for vmware_host:
-+
-+.EX
-+.B vmware_host_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux vmware_host policy is very flexible allowing users to setup their vmware_host processes in as secure a method as possible.
-+.PP
-+The following file types are defined for vmware_host:
-+
-+
-+.EX
-+.PP
-+.B vmware_host_exec_t
-+.EE
-+
-+- Set files with the vmware_host_exec_t type, if you want to transition an executable to the vmware_host_t domain.
-+
-+
-+.EX
-+.PP
-+.B vmware_host_pid_t
-+.EE
-+
-+- Set files with the vmware_host_pid_t type, if you want to store the vmware host files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B vmware_host_tmp_t
-+.EE
-+
-+- Set files with the vmware_host_tmp_t type, if you want to store vmware host temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type vmware_host_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B vmware_host_pid_t
-+
-+
-+.br
-+.B vmware_host_tmp_t
-+
-+
-+.br
-+.B vmware_log_t
-+
-+ /var/log/vmware.*
-+.br
-+ /var/log/vnetlib.*
-+.br
-+
-+.br
-+.B vmware_sys_conf_t
-+
-+ /etc/vmware.*(/.*)?
-+.br
-+ /usr/lib/vmware/config
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), vmware_host(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, vmware_selinux(8), vmware_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/vmware_selinux.8 b/man/man8/vmware_selinux.8
-new file mode 100644
-index 0000000..de1de63
---- /dev/null
-+++ b/man/man8/vmware_selinux.8
-@@ -0,0 +1,241 @@
-+.TH "vmware_selinux" "8" "12-11-01" "vmware" "SELinux Policy documentation for vmware"
-+.SH "NAME"
-+vmware_selinux \- Security Enhanced Linux Policy for the vmware processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the vmware processes via flexible mandatory access control.
-+
-+The vmware processes execute with the vmware_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep vmware_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The vmware_t SELinux type can be entered via the "vmware_exec_t" file type. The default entrypoint paths for the vmware_t domain are the following:"
-+
-+/usr/bin/vmware, /usr/bin/vmware-ping, /usr/bin/vmware-wizard, /usr/sbin/vmware-serverd, /usr/lib/vmware/bin/vmplayer, /usr/lib/vmware/bin/vmware-ui, /usr/lib/vmware/bin/vmware-mks
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux vmware policy is very flexible allowing users to setup their vmware processes in as secure a method as possible.
-+.PP
-+The following process types are defined for vmware:
-+
-+.EX
-+.B vmware_t, vmware_host_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux vmware policy is very flexible allowing users to setup their vmware processes in as secure a method as possible.
-+.PP
-+The following file types are defined for vmware:
-+
-+
-+.EX
-+.PP
-+.B vmware_conf_t
-+.EE
-+
-+- Set files with the vmware_conf_t type, if you want to treat the files as vmware configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B vmware_exec_t
-+.EE
-+
-+- Set files with the vmware_exec_t type, if you want to transition an executable to the vmware_t domain.
-+
-+
-+.EX
-+.PP
-+.B vmware_file_t
-+.EE
-+
-+- Set files with the vmware_file_t type, if you want to treat the files as vmware content.
-+
-+
-+.EX
-+.PP
-+.B vmware_host_exec_t
-+.EE
-+
-+- Set files with the vmware_host_exec_t type, if you want to transition an executable to the vmware_host_t domain.
-+
-+
-+.EX
-+.PP
-+.B vmware_host_pid_t
-+.EE
-+
-+- Set files with the vmware_host_pid_t type, if you want to store the vmware host files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B vmware_host_tmp_t
-+.EE
-+
-+- Set files with the vmware_host_tmp_t type, if you want to store vmware host temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B vmware_log_t
-+.EE
-+
-+- Set files with the vmware_log_t type, if you want to treat the data as vmware log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B vmware_pid_t
-+.EE
-+
-+- Set files with the vmware_pid_t type, if you want to store the vmware files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B vmware_sys_conf_t
-+.EE
-+
-+- Set files with the vmware_sys_conf_t type, if you want to treat the files as vmware sys configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B vmware_tmp_t
-+.EE
-+
-+- Set files with the vmware_tmp_t type, if you want to store vmware temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B vmware_tmpfs_t
-+.EE
-+
-+- Set files with the vmware_tmpfs_t type, if you want to store vmware files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type vmware_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B usbfs_t
-+
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B vmware_conf_t
-+
-+ /home/[^/]*/\.vmware[^/]*/.*\.cfg
-+.br
-+ /home/dwalsh/\.vmware[^/]*/.*\.cfg
-+.br
-+ /var/lib/xguest/home/xguest/\.vmware[^/]*/.*\.cfg
-+.br
-+
-+.br
-+.B vmware_file_t
-+
-+ /home/[^/]*/vmware(/.*)?
-+.br
-+ /home/[^/]*/\.vmware(/.*)?
-+.br
-+ /home/dwalsh/vmware(/.*)?
-+.br
-+ /home/dwalsh/\.vmware(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/vmware(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.vmware(/.*)?
-+.br
-+
-+.br
-+.B vmware_pid_t
-+
-+
-+.br
-+.B vmware_tmp_t
-+
-+
-+.br
-+.B vmware_tmpfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), vmware(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, vmware_host_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/vnstat_selinux.8 b/man/man8/vnstat_selinux.8
-new file mode 100644
-index 0000000..2139a86
---- /dev/null
-+++ b/man/man8/vnstat_selinux.8
-@@ -0,0 +1,121 @@
-+.TH "vnstat_selinux" "8" "12-11-01" "vnstat" "SELinux Policy documentation for vnstat"
-+.SH "NAME"
-+vnstat_selinux \- Security Enhanced Linux Policy for the vnstat processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the vnstat processes via flexible mandatory access control.
-+
-+The vnstat processes execute with the vnstat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep vnstat_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The vnstat_t SELinux type can be entered via the "vnstat_exec_t" file type. The default entrypoint paths for the vnstat_t domain are the following:"
-+
-+/usr/bin/vnstat
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux vnstat policy is very flexible allowing users to setup their vnstat processes in as secure a method as possible.
-+.PP
-+The following process types are defined for vnstat:
-+
-+.EX
-+.B vnstat_t, vnstatd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux vnstat policy is very flexible allowing users to setup their vnstat processes in as secure a method as possible.
-+.PP
-+The following file types are defined for vnstat:
-+
-+
-+.EX
-+.PP
-+.B vnstat_exec_t
-+.EE
-+
-+- Set files with the vnstat_exec_t type, if you want to transition an executable to the vnstat_t domain.
-+
-+
-+.EX
-+.PP
-+.B vnstatd_exec_t
-+.EE
-+
-+- Set files with the vnstatd_exec_t type, if you want to transition an executable to the vnstatd_t domain.
-+
-+
-+.EX
-+.PP
-+.B vnstatd_var_lib_t
-+.EE
-+
-+- Set files with the vnstatd_var_lib_t type, if you want to store the vnstatd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B vnstatd_var_run_t
-+.EE
-+
-+- Set files with the vnstatd_var_run_t type, if you want to store the vnstatd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type vnstat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B vnstatd_var_lib_t
-+
-+ /var/lib/vnstat(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), vnstat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, vnstatd_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/vnstatd_selinux.8 b/man/man8/vnstatd_selinux.8
-new file mode 100644
-index 0000000..548eb69
---- /dev/null
-+++ b/man/man8/vnstatd_selinux.8
-@@ -0,0 +1,119 @@
-+.TH "vnstatd_selinux" "8" "12-11-01" "vnstatd" "SELinux Policy documentation for vnstatd"
-+.SH "NAME"
-+vnstatd_selinux \- Security Enhanced Linux Policy for the vnstatd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the vnstatd processes via flexible mandatory access control.
-+
-+The vnstatd processes execute with the vnstatd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep vnstatd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The vnstatd_t SELinux type can be entered via the "vnstatd_exec_t" file type. The default entrypoint paths for the vnstatd_t domain are the following:"
-+
-+/usr/sbin/vnstatd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux vnstatd policy is very flexible allowing users to setup their vnstatd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for vnstatd:
-+
-+.EX
-+.B vnstat_t, vnstatd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux vnstatd policy is very flexible allowing users to setup their vnstatd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for vnstatd:
-+
-+
-+.EX
-+.PP
-+.B vnstatd_exec_t
-+.EE
-+
-+- Set files with the vnstatd_exec_t type, if you want to transition an executable to the vnstatd_t domain.
-+
-+
-+.EX
-+.PP
-+.B vnstatd_var_lib_t
-+.EE
-+
-+- Set files with the vnstatd_var_lib_t type, if you want to store the vnstatd files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B vnstatd_var_run_t
-+.EE
-+
-+- Set files with the vnstatd_var_run_t type, if you want to store the vnstatd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type vnstatd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B vnstatd_var_lib_t
-+
-+ /var/lib/vnstat(/.*)?
-+.br
-+
-+.br
-+.B vnstatd_var_run_t
-+
-+ /var/run/vnstat\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), vnstatd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, vnstat_selinux(8), vnstat_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/vpnc_selinux.8 b/man/man8/vpnc_selinux.8
-new file mode 100644
-index 0000000..d20c0f1
---- /dev/null
-+++ b/man/man8/vpnc_selinux.8
-@@ -0,0 +1,156 @@
-+.TH "vpnc_selinux" "8" "12-11-01" "vpnc" "SELinux Policy documentation for vpnc"
-+.SH "NAME"
-+vpnc_selinux \- Security Enhanced Linux Policy for the vpnc processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the vpnc processes via flexible mandatory access control.
-+
-+The vpnc processes execute with the vpnc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep vpnc_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The vpnc_t SELinux type can be entered via the "vpnc_exec_t" file type. The default entrypoint paths for the vpnc_t domain are the following:"
-+
-+/sbin/vpnc, /usr/sbin/vpnc, /usr/bin/openconnect
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux vpnc policy is very flexible allowing users to setup their vpnc processes in as secure a method as possible.
-+.PP
-+The following process types are defined for vpnc:
-+
-+.EX
-+.B vpnc_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux vpnc policy is very flexible allowing users to setup their vpnc processes in as secure a method as possible.
-+.PP
-+The following file types are defined for vpnc:
-+
-+
-+.EX
-+.PP
-+.B vpnc_exec_t
-+.EE
-+
-+- Set files with the vpnc_exec_t type, if you want to transition an executable to the vpnc_t domain.
-+
-+
-+.EX
-+.PP
-+.B vpnc_tmp_t
-+.EE
-+
-+- Set files with the vpnc_tmp_t type, if you want to store vpnc temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B vpnc_var_run_t
-+.EE
-+
-+- Set files with the vpnc_var_run_t type, if you want to store the vpnc files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type vpnc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B net_conf_t
-+
-+ /etc/ntpd?\.conf.*
-+.br
-+ /etc/hosts[^/]*
-+.br
-+ /etc/yp\.conf.*
-+.br
-+ /etc/denyhosts.*
-+.br
-+ /etc/hosts\.deny.*
-+.br
-+ /etc/resolv\.conf.*
-+.br
-+ /etc/ntp/step-tickers.*
-+.br
-+ /etc/sysconfig/networking(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts(/.*)?
-+.br
-+ /etc/sysconfig/network-scripts/.*resolv\.conf
-+.br
-+ /etc/ethers
-+.br
-+
-+.br
-+.B vpnc_tmp_t
-+
-+
-+.br
-+.B vpnc_var_run_t
-+
-+ /var/run/vpnc(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vpnc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the vpnc_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), vpnc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/wdmd_selinux.8 b/man/man8/wdmd_selinux.8
-new file mode 100644
-index 0000000..347d6d8
---- /dev/null
-+++ b/man/man8/wdmd_selinux.8
-@@ -0,0 +1,138 @@
-+.TH "wdmd_selinux" "8" "12-11-01" "wdmd" "SELinux Policy documentation for wdmd"
-+.SH "NAME"
-+wdmd_selinux \- Security Enhanced Linux Policy for the wdmd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the wdmd processes via flexible mandatory access control.
-+
-+The wdmd processes execute with the wdmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep wdmd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The wdmd_t SELinux type can be entered via the "wdmd_exec_t" file type. The default entrypoint paths for the wdmd_t domain are the following:"
-+
-+/usr/sbin/wdmd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux wdmd policy is very flexible allowing users to setup their wdmd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for wdmd:
-+
-+.EX
-+.B wdmd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux wdmd policy is very flexible allowing users to setup their wdmd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for wdmd:
-+
-+
-+.EX
-+.PP
-+.B wdmd_exec_t
-+.EE
-+
-+- Set files with the wdmd_exec_t type, if you want to transition an executable to the wdmd_t domain.
-+
-+
-+.EX
-+.PP
-+.B wdmd_initrc_exec_t
-+.EE
-+
-+- Set files with the wdmd_initrc_exec_t type, if you want to transition an executable to the wdmd_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B wdmd_tmpfs_t
-+.EE
-+
-+- Set files with the wdmd_tmpfs_t type, if you want to store wdmd files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B wdmd_var_run_t
-+.EE
-+
-+- Set files with the wdmd_var_run_t type, if you want to store the wdmd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type wdmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B wdmd_tmpfs_t
-+
-+
-+.br
-+.B wdmd_var_run_t
-+
-+ /var/run/wdmd(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the wdmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the wdmd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), wdmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/webadm_selinux.8 b/man/man8/webadm_selinux.8
-new file mode 100644
-index 0000000..46d2721
---- /dev/null
-+++ b/man/man8/webadm_selinux.8
-@@ -0,0 +1,255 @@
-+.TH "webadm_selinux" "8" "webadm" "mgrepl@redhat.com" "webadm SELinux Policy documentation"
-+.SH "NAME"
-+webadm_r \- \fBWeb administrator role\fP - Security Enhanced Linux Policy
-+
-+.SH DESCRIPTION
-+
-+SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into.
-+
-+.I Note:
-+Examples in this man page will use the
-+.B staff_u
-+SELinux user.
-+
-+Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them.
-+
-+The default type for the webadm_r role is webadm_t.
-+
-+The
-+.B newrole
-+program to transition directly to this role.
-+
-+.B newrole -r webadm_r -t webadm_t
-+
-+.B sudo
-+is the preferred method to do transition from one role to another. You setup sudo to transition to webadm_r by adding a similar line to the /etc/sudoers file.
-+
-+USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
-+
-+.br
-+sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL
-+
-+When using a a non login role, you need to setup SELinux so that your SELinux user can reach webadm_r role.
-+
-+Execute the following to see all of the assigned SELinux roles:
-+
-+.B semanage user -l
-+
-+You need to add webadm_r to the staff_u user. You could setup the staff_u user to be able to use the webadm_r role with a command like:
-+
-+.B $ semanage user -m -R 'staff_r system_r webadm_r' staff_u
-+
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. webadm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run webadm with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow webadm to manage files in users home directories, you must turn on the webadm_manage_user_files boolean.
-+
-+.EX
-+.B setsebool -P webadm_manage_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow webadm to read files in users home directories, you must turn on the webadm_read_user_files boolean.
-+
-+.EX
-+.B setsebool -P webadm_read_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow webadm to manage files in users home directories, you must turn on the webadm_manage_user_files boolean.
-+
-+.EX
-+.B setsebool -P webadm_manage_user_files 1
-+.EE
-+
-+.PP
-+If you want to allow webadm to read files in users home directories, you must turn on the webadm_read_user_files boolean.
-+
-+.EX
-+.B setsebool -P webadm_read_user_files 1
-+.EE
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type webadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B httpd_config_t
-+
-+ /etc/httpd(/.*)?
-+.br
-+ /etc/apache(2)?(/.*)?
-+.br
-+ /etc/cherokee(/.*)?
-+.br
-+ /etc/lighttpd(/.*)?
-+.br
-+ /etc/apache-ssl(2)?(/.*)?
-+.br
-+ /var/lib/openshift/.httpd.d(/.*)?
-+.br
-+ /var/lib/stickshift/.httpd.d(/.*)?
-+.br
-+ /etc/vhosts
-+.br
-+
-+.br
-+.B httpd_lock_t
-+
-+
-+.br
-+.B httpd_log_t
-+
-+ /var/www(/.*)?/logs(/.*)?
-+.br
-+ /var/log/cacti(/.*)?
-+.br
-+ /var/log/httpd(/.*)?
-+.br
-+ /var/log/apache(2)?(/.*)?
-+.br
-+ /var/log/cherokee(/.*)?
-+.br
-+ /var/log/lighttpd(/.*)?
-+.br
-+ /var/log/suphp\.log.*
-+.br
-+ /var/log/apache-ssl(2)?(/.*)?
-+.br
-+ /var/log/cgiwrap\.log.*
-+.br
-+ /var/www/stickshift/[^/]*/log(/.*)?
-+.br
-+ /var/log/roundcubemail(/.*)?
-+.br
-+ /var/log/dirsrv/admin-serv(/.*)?
-+.br
-+ /etc/httpd/logs
-+.br
-+
-+.br
-+.B httpd_modules_t
-+
-+ /usr/lib/httpd(/.*)?
-+.br
-+ /usr/lib/apache(/.*)?
-+.br
-+ /usr/lib/cherokee(/.*)?
-+.br
-+ /usr/lib/lighttpd(/.*)?
-+.br
-+ /usr/lib/apache2/modules(/.*)?
-+.br
-+ /etc/httpd/modules
-+.br
-+
-+.br
-+.B httpd_php_tmp_t
-+
-+
-+.br
-+.B httpd_script_exec_type
-+
-+
-+.br
-+.B httpd_suexec_tmp_t
-+
-+
-+.br
-+.B httpd_tmp_t
-+
-+ /var/run/user/apache(/.*)?
-+.br
-+
-+.br
-+.B httpd_unit_file_t
-+
-+ /usr/lib/systemd/system/httpd.*
-+.br
-+ /usr/lib/systemd/system/jetty.*
-+.br
-+
-+.br
-+.B httpd_var_run_t
-+
-+ /var/run/mod_.*
-+.br
-+ /var/run/wsgi.*
-+.br
-+ /var/run/httpd.*
-+.br
-+ /var/run/apache.*
-+.br
-+ /var/run/lighttpd(/.*)?
-+.br
-+ /var/lib/php/session(/.*)?
-+.br
-+ /var/run/dirsrv/admin-serv.*
-+.br
-+ /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
-+.br
-+ /var/run/gcache_port
-+.br
-+ /var/run/cherokee\.pid
-+.br
-+
-+.br
-+.B httpdcontent
-+
-+
-+.br
-+.B public_content_rw_t
-+
-+ /var/spool/abrt-upload(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B var_lock_t
-+
-+ /var/lock(/.*)?
-+.br
-+ /run/lock(/.*)?
-+.br
-+ /var/lock
-+.br
-+
-+.br
-+.B webadm_tmp_t
-+
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), webadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/webalizer_selinux.8 b/man/man8/webalizer_selinux.8
-new file mode 100644
-index 0000000..c971659
---- /dev/null
-+++ b/man/man8/webalizer_selinux.8
-@@ -0,0 +1,198 @@
-+.TH "webalizer_selinux" "8" "12-11-01" "webalizer" "SELinux Policy documentation for webalizer"
-+.SH "NAME"
-+webalizer_selinux \- Security Enhanced Linux Policy for the webalizer processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the webalizer processes via flexible mandatory access control.
-+
-+The webalizer processes execute with the webalizer_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep webalizer_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The webalizer_t SELinux type can be entered via the "webalizer_exec_t" file type. The default entrypoint paths for the webalizer_t domain are the following:"
-+
-+/usr/bin/awffull, /usr/bin/webalizer
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux webalizer policy is very flexible allowing users to setup their webalizer processes in as secure a method as possible.
-+.PP
-+The following process types are defined for webalizer:
-+
-+.EX
-+.B webalizer_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux webalizer policy is very flexible allowing users to setup their webalizer processes in as secure a method as possible.
-+.PP
-+The following file types are defined for webalizer:
-+
-+
-+.EX
-+.PP
-+.B webalizer_etc_t
-+.EE
-+
-+- Set files with the webalizer_etc_t type, if you want to store webalizer files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B webalizer_exec_t
-+.EE
-+
-+- Set files with the webalizer_exec_t type, if you want to transition an executable to the webalizer_t domain.
-+
-+
-+.EX
-+.PP
-+.B webalizer_tmp_t
-+.EE
-+
-+- Set files with the webalizer_tmp_t type, if you want to store webalizer temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B webalizer_usage_t
-+.EE
-+
-+- Set files with the webalizer_usage_t type, if you want to treat the files as webalizer usage data.
-+
-+
-+.EX
-+.PP
-+.B webalizer_var_lib_t
-+.EE
-+
-+- Set files with the webalizer_var_lib_t type, if you want to store the webalizer files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B webalizer_write_t
-+.EE
-+
-+- Set files with the webalizer_write_t type, if you want to treat the files as webalizer read/write content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type webalizer_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B httpd_sys_content_t
-+
-+ /srv/([^/]*/)?www(/.*)?
-+.br
-+ /var/www(/.*)?
-+.br
-+ /etc/htdig(/.*)?
-+.br
-+ /srv/gallery2(/.*)?
-+.br
-+ /var/lib/trac(/.*)?
-+.br
-+ /var/lib/htdig(/.*)?
-+.br
-+ /var/www/icons(/.*)?
-+.br
-+ /usr/share/htdig(/.*)?
-+.br
-+ /usr/share/drupal.*
-+.br
-+ /var/www/svn/conf(/.*)?
-+.br
-+ /usr/share/icecast(/.*)?
-+.br
-+ /usr/share/mythweb(/.*)?
-+.br
-+ /var/lib/cacti/rra(/.*)?
-+.br
-+ /usr/share/ntop/html(/.*)?
-+.br
-+ /usr/share/mythtv/data(/.*)?
-+.br
-+ /usr/share/doc/ghc/html(/.*)?
-+.br
-+ /usr/share/openca/htdocs(/.*)?
-+.br
-+ /usr/share/selinux-policy[^/]*/html(/.*)?
-+.br
-+
-+.br
-+.B webalizer_tmp_t
-+
-+
-+.br
-+.B webalizer_var_lib_t
-+
-+ /var/lib/webalizer(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the webalizer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the webalizer_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), webalizer(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/winbind_helper_selinux.8 b/man/man8/winbind_helper_selinux.8
-new file mode 100644
-index 0000000..2cf4c75
---- /dev/null
-+++ b/man/man8/winbind_helper_selinux.8
-@@ -0,0 +1,101 @@
-+.TH "winbind_helper_selinux" "8" "12-11-01" "winbind_helper" "SELinux Policy documentation for winbind_helper"
-+.SH "NAME"
-+winbind_helper_selinux \- Security Enhanced Linux Policy for the winbind_helper processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the winbind_helper processes via flexible mandatory access control.
-+
-+The winbind_helper processes execute with the winbind_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep winbind_helper_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The winbind_helper_t SELinux type can be entered via the "winbind_helper_exec_t" file type. The default entrypoint paths for the winbind_helper_t domain are the following:"
-+
-+/usr/bin/ntlm_auth
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux winbind_helper policy is very flexible allowing users to setup their winbind_helper processes in as secure a method as possible.
-+.PP
-+The following process types are defined for winbind_helper:
-+
-+.EX
-+.B winbind_helper_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux winbind_helper policy is very flexible allowing users to setup their winbind_helper processes in as secure a method as possible.
-+.PP
-+The following file types are defined for winbind_helper:
-+
-+
-+.EX
-+.PP
-+.B winbind_helper_exec_t
-+.EE
-+
-+- Set files with the winbind_helper_exec_t type, if you want to transition an executable to the winbind_helper_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the winbind_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the winbind_helper_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), winbind_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, winbind_selinux(8), winbind_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/winbind_selinux.8 b/man/man8/winbind_selinux.8
-new file mode 100644
-index 0000000..63e0898
---- /dev/null
-+++ b/man/man8/winbind_selinux.8
-@@ -0,0 +1,284 @@
-+.TH "winbind_selinux" "8" "12-11-01" "winbind" "SELinux Policy documentation for winbind"
-+.SH "NAME"
-+winbind_selinux \- Security Enhanced Linux Policy for the winbind processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the winbind processes via flexible mandatory access control.
-+
-+The winbind processes execute with the winbind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep winbind_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The winbind_t SELinux type can be entered via the "winbind_exec_t" file type. The default entrypoint paths for the winbind_t domain are the following:"
-+
-+/usr/sbin/winbindd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux winbind policy is very flexible allowing users to setup their winbind processes in as secure a method as possible.
-+.PP
-+The following process types are defined for winbind:
-+
-+.EX
-+.B winbind_helper_t, winbind_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. winbind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run winbind with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean.
-+
-+.EX
-+.B setsebool -P httpd_mod_auth_ntlm_winbind 1
-+.EE
-+
-+.PP
-+If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean.
-+
-+.EX
-+.B setsebool -P httpd_mod_auth_ntlm_winbind 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux winbind policy is very flexible allowing users to setup their winbind processes in as secure a method as possible.
-+.PP
-+The following file types are defined for winbind:
-+
-+
-+.EX
-+.PP
-+.B winbind_exec_t
-+.EE
-+
-+- Set files with the winbind_exec_t type, if you want to transition an executable to the winbind_t domain.
-+
-+
-+.EX
-+.PP
-+.B winbind_helper_exec_t
-+.EE
-+
-+- Set files with the winbind_helper_exec_t type, if you want to transition an executable to the winbind_helper_t domain.
-+
-+
-+.EX
-+.PP
-+.B winbind_log_t
-+.EE
-+
-+- Set files with the winbind_log_t type, if you want to treat the data as winbind log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B winbind_var_run_t
-+.EE
-+
-+- Set files with the winbind_var_run_t type, if you want to store the winbind files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type winbind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B ctdbd_var_lib_t
-+
-+ /etc/ctdb(/.*)?
-+.br
-+ /var/ctdb(/.*)?
-+.br
-+ /var/ctdbd(/.*)?
-+.br
-+ /var/lib/ctdbd(/.*)?
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B samba_log_t
-+
-+ /var/log/samba(/.*)?
-+.br
-+
-+.br
-+.B samba_secrets_t
-+
-+ /etc/samba/smbpasswd
-+.br
-+ /etc/samba/passdb\.tdb
-+.br
-+ /etc/samba/MACHINE\.SID
-+.br
-+ /etc/samba/secrets\.tdb
-+.br
-+
-+.br
-+.B samba_var_t
-+
-+ /var/lib/samba(/.*)?
-+.br
-+ /var/cache/samba(/.*)?
-+.br
-+ /var/spool/samba(/.*)?
-+.br
-+
-+.br
-+.B smbd_tmp_t
-+
-+
-+.br
-+.B smbd_var_run_t
-+
-+ /var/run/samba(/.*)?
-+.br
-+ /var/run/samba/smbd\.pid
-+.br
-+ /var/run/samba/brlock\.tdb
-+.br
-+ /var/run/samba/locking\.tdb
-+.br
-+ /var/run/samba/gencache\.tdb
-+.br
-+ /var/run/samba/sessionid\.tdb
-+.br
-+ /var/run/samba/share_info\.tdb
-+.br
-+ /var/run/samba/connections\.tdb
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.br
-+.B winbind_log_t
-+
-+
-+.br
-+.B winbind_var_run_t
-+
-+ /var/run/winbindd(/.*)?
-+.br
-+ /var/run/samba/winbindd(/.*)?
-+.br
-+ /var/lib/samba/winbindd_privileged(/.*)?
-+.br
-+ /var/cache/samba/winbindd_privileged(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the winbind_helper_t, winbind_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the winbind_helper_t, winbind_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), winbind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), winbind_helper_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/wine_selinux.8 b/man/man8/wine_selinux.8
-new file mode 100644
-index 0000000..b6b7f15
---- /dev/null
-+++ b/man/man8/wine_selinux.8
-@@ -0,0 +1,124 @@
-+.TH "wine_selinux" "8" "12-11-01" "wine" "SELinux Policy documentation for wine"
-+.SH "NAME"
-+wine_selinux \- Security Enhanced Linux Policy for the wine processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the wine processes via flexible mandatory access control.
-+
-+The wine processes execute with the wine_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep wine_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The wine_t SELinux type can be entered via the "wine_exec_t" file type. The default entrypoint paths for the wine_t domain are the following:"
-+
-+/usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/msiexec, /opt/google/picasa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/progman, /opt/google/picasa(/.*)?/bin/regedit, /opt/google/picasa(/.*)?/bin/regsvr32, /opt/google/picasa(/.*)?/Picasa3/.*exe, /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*, /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad, /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller, /home/[^/]*/cxoffice/bin/wine.+, /home/dwalsh/cxoffice/bin/wine.+, /var/lib/xguest/home/xguest/cxoffice/bin/wine.+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux wine policy is very flexible allowing users to setup their wine processes in as secure a method as possible.
-+.PP
-+The following process types are defined for wine:
-+
-+.EX
-+.B wine_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. wine policy is extremely flexible and has several booleans that allow you to manipulate the policy and run wine with the tightest access possible.
-+
-+
-+.PP
-+If you want to ignore wine mmap_zero errors, you must turn on the wine_mmap_zero_ignore boolean.
-+
-+.EX
-+.B setsebool -P wine_mmap_zero_ignore 1
-+.EE
-+
-+.PP
-+If you want to ignore wine mmap_zero errors, you must turn on the wine_mmap_zero_ignore boolean.
-+
-+.EX
-+.B setsebool -P wine_mmap_zero_ignore 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux wine policy is very flexible allowing users to setup their wine processes in as secure a method as possible.
-+.PP
-+The following file types are defined for wine:
-+
-+
-+.EX
-+.PP
-+.B wine_exec_t
-+.EE
-+
-+- Set files with the wine_exec_t type, if you want to transition an executable to the wine_t domain.
-+
-+
-+.EX
-+.PP
-+.B wine_tmp_t
-+.EE
-+
-+- Set files with the wine_tmp_t type, if you want to store wine temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type wine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B wine_tmp_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), wine(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/wireshark_selinux.8 b/man/man8/wireshark_selinux.8
-new file mode 100644
-index 0000000..58e07b9
---- /dev/null
-+++ b/man/man8/wireshark_selinux.8
-@@ -0,0 +1,184 @@
-+.TH "wireshark_selinux" "8" "12-11-01" "wireshark" "SELinux Policy documentation for wireshark"
-+.SH "NAME"
-+wireshark_selinux \- Security Enhanced Linux Policy for the wireshark processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the wireshark processes via flexible mandatory access control.
-+
-+The wireshark processes execute with the wireshark_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep wireshark_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The wireshark_t SELinux type can be entered via the "wireshark_exec_t" file type. The default entrypoint paths for the wireshark_t domain are the following:"
-+
-+/usr/bin/wireshark
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux wireshark policy is very flexible allowing users to setup their wireshark processes in as secure a method as possible.
-+.PP
-+The following process types are defined for wireshark:
-+
-+.EX
-+.B wireshark_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux wireshark policy is very flexible allowing users to setup their wireshark processes in as secure a method as possible.
-+.PP
-+The following file types are defined for wireshark:
-+
-+
-+.EX
-+.PP
-+.B wireshark_exec_t
-+.EE
-+
-+- Set files with the wireshark_exec_t type, if you want to transition an executable to the wireshark_t domain.
-+
-+
-+.EX
-+.PP
-+.B wireshark_home_t
-+.EE
-+
-+- Set files with the wireshark_home_t type, if you want to store wireshark files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B wireshark_tmp_t
-+.EE
-+
-+- Set files with the wireshark_tmp_t type, if you want to store wireshark temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B wireshark_tmpfs_t
-+.EE
-+
-+- Set files with the wireshark_tmpfs_t type, if you want to store wireshark files on a tmpfs file system.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type wireshark_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.br
-+.B wireshark_home_t
-+
-+ /home/[^/]*/\.wireshark(/.*)?
-+.br
-+ /home/dwalsh/\.wireshark(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.wireshark(/.*)?
-+.br
-+
-+.br
-+.B wireshark_tmp_t
-+
-+
-+.br
-+.B wireshark_tmpfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the wireshark_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the wireshark_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), wireshark(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/wpa_cli_selinux.8 b/man/man8/wpa_cli_selinux.8
-new file mode 100644
-index 0000000..2ea0f25
---- /dev/null
-+++ b/man/man8/wpa_cli_selinux.8
-@@ -0,0 +1,86 @@
-+.TH "wpa_cli_selinux" "8" "12-11-01" "wpa_cli" "SELinux Policy documentation for wpa_cli"
-+.SH "NAME"
-+wpa_cli_selinux \- Security Enhanced Linux Policy for the wpa_cli processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the wpa_cli processes via flexible mandatory access control.
-+
-+The wpa_cli processes execute with the wpa_cli_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep wpa_cli_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The wpa_cli_t SELinux type can be entered via the "wpa_cli_exec_t" file type. The default entrypoint paths for the wpa_cli_t domain are the following:"
-+
-+/sbin/wpa_cli, /usr/sbin/wpa_cli
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux wpa_cli policy is very flexible allowing users to setup their wpa_cli processes in as secure a method as possible.
-+.PP
-+The following process types are defined for wpa_cli:
-+
-+.EX
-+.B wpa_cli_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux wpa_cli policy is very flexible allowing users to setup their wpa_cli processes in as secure a method as possible.
-+.PP
-+The following file types are defined for wpa_cli:
-+
-+
-+.EX
-+.PP
-+.B wpa_cli_exec_t
-+.EE
-+
-+- Set files with the wpa_cli_exec_t type, if you want to transition an executable to the wpa_cli_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), wpa_cli(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/xauth_selinux.8 b/man/man8/xauth_selinux.8
-new file mode 100644
-index 0000000..4e36630
---- /dev/null
-+++ b/man/man8/xauth_selinux.8
-@@ -0,0 +1,232 @@
-+.TH "xauth_selinux" "8" "12-11-01" "xauth" "SELinux Policy documentation for xauth"
-+.SH "NAME"
-+xauth_selinux \- Security Enhanced Linux Policy for the xauth processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the xauth processes via flexible mandatory access control.
-+
-+The xauth processes execute with the xauth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep xauth_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The xauth_t SELinux type can be entered via the "xauth_exec_t" file type. The default entrypoint paths for the xauth_t domain are the following:"
-+
-+/usr/bin/xauth, /usr/X11R6/bin/xauth
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux xauth policy is very flexible allowing users to setup their xauth processes in as secure a method as possible.
-+.PP
-+The following process types are defined for xauth:
-+
-+.EX
-+.B xauth_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux xauth policy is very flexible allowing users to setup their xauth processes in as secure a method as possible.
-+.PP
-+The following file types are defined for xauth:
-+
-+
-+.EX
-+.PP
-+.B xauth_exec_t
-+.EE
-+
-+- Set files with the xauth_exec_t type, if you want to transition an executable to the xauth_t domain.
-+
-+
-+.EX
-+.PP
-+.B xauth_home_t
-+.EE
-+
-+- Set files with the xauth_home_t type, if you want to store xauth files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B xauth_tmp_t
-+.EE
-+
-+- Set files with the xauth_tmp_t type, if you want to store xauth temporary files in the /tmp directories.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type xauth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B user_home_t
-+
-+ /home/[^/]*/.+
-+.br
-+ /home/dwalsh/.+
-+.br
-+ /var/lib/xguest/home/xguest/.+
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.br
-+.B xauth_home_t
-+
-+ /root/\.xauth.*
-+.br
-+ /root/\.Xauth.*
-+.br
-+ /root/\.serverauth.*
-+.br
-+ /root/\.Xauthority.*
-+.br
-+ /var/lib/pqsql/\.xauth.*
-+.br
-+ /var/lib/pqsql/\.Xauthority.*
-+.br
-+ /var/lib/nxserver/home/\.xauth.*
-+.br
-+ /var/lib/nxserver/home/\.Xauthority.*
-+.br
-+ /home/[^/]*/\.xauth.*
-+.br
-+ /home/[^/]*/\.Xauth.*
-+.br
-+ /home/[^/]*/\.serverauth.*
-+.br
-+ /home/[^/]*/\.Xauthority.*
-+.br
-+ /home/dwalsh/\.xauth.*
-+.br
-+ /home/dwalsh/\.Xauth.*
-+.br
-+ /home/dwalsh/\.serverauth.*
-+.br
-+ /home/dwalsh/\.Xauthority.*
-+.br
-+ /var/lib/xguest/home/xguest/\.xauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.Xauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.serverauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.Xauthority.*
-+.br
-+
-+.br
-+.B xauth_tmp_t
-+
-+
-+.br
-+.B xdm_tmp_t
-+
-+ /tmp/\.X11-unix(/.*)?
-+.br
-+ /tmp/\.ICE-unix(/.*)?
-+.br
-+ /tmp/\.X0-lock
-+.br
-+
-+.br
-+.B xdm_var_run_t
-+
-+ /etc/kde[34]?/kdm/backgroundrc
-+.br
-+ /var/run/[gx]dm\.pid
-+.br
-+ /var/run/[kgm]dm(/.*)?
-+.br
-+ /usr/lib/qt-.*/etc/settings(/.*)?
-+.br
-+ /var/run/slim.*
-+.br
-+ /var/run/lxdm(/.*)?
-+.br
-+ /var/run/slim(/.*)?
-+.br
-+ /var/run/xauth(/.*)?
-+.br
-+ /var/run/xdmctl(/.*)?
-+.br
-+ /var/run/lightdm(/.*)?
-+.br
-+ /var/run/systemd/multi-session-x(/.*)?
-+.br
-+ /var/run/lxdm\.pid
-+.br
-+ /var/run/lxdm\.auth
-+.br
-+ /var/run/gdm_socket
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the xauth_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), xauth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/xdm_selinux.8 b/man/man8/xdm_selinux.8
-new file mode 100644
-index 0000000..b6a703d
---- /dev/null
-+++ b/man/man8/xdm_selinux.8
-@@ -0,0 +1,758 @@
-+.TH "xdm_selinux" "8" "12-11-01" "xdm" "SELinux Policy documentation for xdm"
-+.SH "NAME"
-+xdm_selinux \- Security Enhanced Linux Policy for the xdm processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the xdm processes via flexible mandatory access control.
-+
-+The xdm processes execute with the xdm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep xdm_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The xdm_t SELinux type can be entered via the "xdm_exec_t,bin_t" file types. The default entrypoint paths for the xdm_t domain are the following:"
-+
-+/usr/(s)?bin/lightdm*, /usr/(s)?bin/[mxgkw]dm, /usr/(s)?bin/gdm-binary, /usr/(s)?bin/lxdm(-binary)?, /usr/X11R6/bin/[xgkw]dm, /usr/bin/slim, /usr/bin/gpe-dm, /opt/kde3/bin/kdm, /usr/sbin/mdm-binary, /bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, /usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, /usr/lib/xen/bin(/.*)?, /usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, /usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, /etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/share/shorewall-perl(/.*)?, /usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, /usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, /etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, /etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, /usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, /usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, /usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/share/system-config-securitylevel/system-config-securitylevel\.py
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux xdm policy is very flexible allowing users to setup their xdm processes in as secure a method as possible.
-+.PP
-+The following process types are defined for xdm:
-+
-+.EX
-+.B xdm_t, xdm_dbusd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. xdm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xdm with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean.
-+
-+.EX
-+.B setsebool -P xdm_exec_bootloader 1
-+.EE
-+
-+.PP
-+If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
-+
-+.EX
-+.B setsebool -P xdm_sysadm_login 1
-+.EE
-+
-+.PP
-+If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean.
-+
-+.EX
-+.B setsebool -P xdm_exec_bootloader 1
-+.EE
-+
-+.PP
-+If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
-+
-+.EX
-+.B setsebool -P xdm_sysadm_login 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux xdm policy is very flexible allowing users to setup their xdm processes in as secure a method as possible.
-+.PP
-+The following file types are defined for xdm:
-+
-+
-+.EX
-+.PP
-+.B xdm_etc_t
-+.EE
-+
-+- Set files with the xdm_etc_t type, if you want to store xdm files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B xdm_exec_t
-+.EE
-+
-+- Set files with the xdm_exec_t type, if you want to transition an executable to the xdm_t domain.
-+
-+
-+.EX
-+.PP
-+.B xdm_home_t
-+.EE
-+
-+- Set files with the xdm_home_t type, if you want to store xdm files in the users home directory.
-+
-+
-+.EX
-+.PP
-+.B xdm_lock_t
-+.EE
-+
-+- Set files with the xdm_lock_t type, if you want to treat the files as xdm lock data, stored under the /var/lock directory
-+
-+
-+.EX
-+.PP
-+.B xdm_log_t
-+.EE
-+
-+- Set files with the xdm_log_t type, if you want to treat the data as xdm log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B xdm_rw_etc_t
-+.EE
-+
-+- Set files with the xdm_rw_etc_t type, if you want to store xdm rw files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B xdm_spool_t
-+.EE
-+
-+- Set files with the xdm_spool_t type, if you want to store the xdm files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B xdm_tmp_t
-+.EE
-+
-+- Set files with the xdm_tmp_t type, if you want to store xdm temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B xdm_tmpfs_t
-+.EE
-+
-+- Set files with the xdm_tmpfs_t type, if you want to store xdm files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B xdm_unconfined_exec_t
-+.EE
-+
-+- Set files with the xdm_unconfined_exec_t type, if you want to transition an executable to the xdm_unconfined_t domain.
-+
-+
-+.EX
-+.PP
-+.B xdm_var_lib_t
-+.EE
-+
-+- Set files with the xdm_var_lib_t type, if you want to store the xdm files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B xdm_var_run_t
-+.EE
-+
-+- Set files with the xdm_var_run_t type, if you want to store the xdm files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux xdm policy is very flexible allowing users to setup their xdm processes in as secure a method as possible.
-+.PP
-+The following port types are defined for xdm:
-+
-+.EX
-+.TP 5
-+.B xdmcp_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 177
-+.EE
-+udp 177
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type xdm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B auth_home_t
-+
-+ /root/\.google_authenticator
-+.br
-+ /root/\.google_authenticator~
-+.br
-+ /home/[^/]*/\.google_authenticator
-+.br
-+ /home/[^/]*/\.google_authenticator~
-+.br
-+ /home/dwalsh/\.google_authenticator
-+.br
-+ /home/dwalsh/\.google_authenticator~
-+.br
-+ /var/lib/xguest/home/xguest/\.google_authenticator
-+.br
-+ /var/lib/xguest/home/xguest/\.google_authenticator~
-+.br
-+
-+.br
-+.B cgroup_t
-+
-+ /cgroup
-+.br
-+ /sys/fs/cgroup
-+.br
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B faillog_t
-+
-+ /var/log/btmp.*
-+.br
-+ /var/run/faillock(/.*)?
-+.br
-+ /var/log/faillog
-+.br
-+ /var/log/tallylog
-+.br
-+
-+.br
-+.B fonts_cache_t
-+
-+ /var/cache/fontconfig(/.*)?
-+.br
-+
-+.br
-+.B gconf_home_t
-+
-+ /root/\.local.*
-+.br
-+ /root/\.gconf(d)?(/.*)?
-+.br
-+ /home/[^/]*/\.local.*
-+.br
-+ /home/[^/]*/\.gconf(d)?(/.*)?
-+.br
-+ /home/dwalsh/\.local.*
-+.br
-+ /home/dwalsh/\.gconf(d)?(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.local.*
-+.br
-+ /var/lib/xguest/home/xguest/\.gconf(d)?(/.*)?
-+.br
-+
-+.br
-+.B gnome_home_type
-+
-+
-+.br
-+.B initrc_var_run_t
-+
-+ /var/run/utmp
-+.br
-+ /var/run/random-seed
-+.br
-+ /var/run/runlevel\.dir
-+.br
-+ /var/run/setmixer_flag
-+.br
-+
-+.br
-+.B krb5_host_rcache_t
-+
-+ /var/cache/krb5rcache(/.*)?
-+.br
-+ /var/tmp/nfs_0
-+.br
-+ /var/tmp/DNS_25
-+.br
-+ /var/tmp/host_0
-+.br
-+ /var/tmp/imap_0
-+.br
-+ /var/tmp/HTTP_23
-+.br
-+ /var/tmp/HTTP_48
-+.br
-+ /var/tmp/ldap_55
-+.br
-+ /var/tmp/ldap_487
-+.br
-+ /var/tmp/ldapmap1_0
-+.br
-+
-+.br
-+.B lastlog_t
-+
-+ /var/log/lastlog
-+.br
-+
-+.br
-+.B locale_t
-+
-+ /etc/locale.conf
-+.br
-+ /usr/lib/locale(/.*)?
-+.br
-+ /usr/share/locale(/.*)?
-+.br
-+ /usr/share/zoneinfo(/.*)?
-+.br
-+ /usr/share/X11/locale(/.*)?
-+.br
-+ /etc/timezone
-+.br
-+ /etc/localtime
-+.br
-+ /etc/sysconfig/clock
-+.br
-+ /etc/avahi/etc/localtime
-+.br
-+ /var/empty/sshd/etc/localtime
-+.br
-+ /var/spool/postfix/etc/localtime
-+.br
-+
-+.br
-+.B pam_var_console_t
-+
-+ /var/run/console(/.*)?
-+.br
-+
-+.br
-+.B pam_var_run_t
-+
-+ /var/(db|lib|adm)/sudo(/.*)?
-+.br
-+ /var/run/sudo(/.*)?
-+.br
-+ /var/run/sepermit(/.*)?
-+.br
-+ /var/run/pam_mount(/.*)?
-+.br
-+
-+.br
-+.B pcscd_var_run_t
-+
-+ /var/run/pcscd(/.*)?
-+.br
-+ /var/run/pcscd\.events(/.*)?
-+.br
-+ /var/run/pcscd\.pid
-+.br
-+ /var/run/pcscd\.pub
-+.br
-+ /var/run/pcscd\.comm
-+.br
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B systemd_passwd_var_run_t
-+
-+ /var/run/systemd/ask-password(/.*)?
-+.br
-+ /var/run/systemd/ask-password-block(/.*)?
-+.br
-+
-+.br
-+.B user_fonts_t
-+
-+ /root/\.fonts(/.*)?
-+.br
-+ /tmp/\.font-unix(/.*)?
-+.br
-+ /home/[^/]*/\.fonts(/.*)?
-+.br
-+ /home/dwalsh/\.fonts(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts(/.*)?
-+.br
-+
-+.br
-+.B user_tmp_t
-+
-+ /var/run/user(/.*)?
-+.br
-+ /tmp/gconfd-.*
-+.br
-+ /tmp/gconfd-dwalsh
-+.br
-+ /tmp/gconfd-xguest
-+.br
-+
-+.br
-+.B user_tmpfs_type
-+
-+ all user content in tmpfs file systems
-+.br
-+
-+.br
-+.B var_auth_t
-+
-+ /var/ace(/.*)?
-+.br
-+ /var/rsa(/.*)?
-+.br
-+ /var/lib/abl(/.*)?
-+.br
-+ /var/lib/rsa(/.*)?
-+.br
-+ /var/lib/pam_ssh(/.*)?
-+.br
-+ /var/run/pam_ssh(/.*)?
-+.br
-+ /var/lib/pam_shield(/.*)?
-+.br
-+ /var/lib/google-authenticator(/.*)?
-+.br
-+
-+.br
-+.B wtmp_t
-+
-+ /var/log/wtmp.*
-+.br
-+
-+.br
-+.B xauth_home_t
-+
-+ /root/\.xauth.*
-+.br
-+ /root/\.Xauth.*
-+.br
-+ /root/\.serverauth.*
-+.br
-+ /root/\.Xauthority.*
-+.br
-+ /var/lib/pqsql/\.xauth.*
-+.br
-+ /var/lib/pqsql/\.Xauthority.*
-+.br
-+ /var/lib/nxserver/home/\.xauth.*
-+.br
-+ /var/lib/nxserver/home/\.Xauthority.*
-+.br
-+ /home/[^/]*/\.xauth.*
-+.br
-+ /home/[^/]*/\.Xauth.*
-+.br
-+ /home/[^/]*/\.serverauth.*
-+.br
-+ /home/[^/]*/\.Xauthority.*
-+.br
-+ /home/dwalsh/\.xauth.*
-+.br
-+ /home/dwalsh/\.Xauth.*
-+.br
-+ /home/dwalsh/\.serverauth.*
-+.br
-+ /home/dwalsh/\.Xauthority.*
-+.br
-+ /var/lib/xguest/home/xguest/\.xauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.Xauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.serverauth.*
-+.br
-+ /var/lib/xguest/home/xguest/\.Xauthority.*
-+.br
-+
-+.br
-+.B xdm_home_t
-+
-+ /root/\.dmrc.*
-+.br
-+ /root/\.xsession-errors.*
-+.br
-+ /home/[^/]*/\.dmrc.*
-+.br
-+ /home/[^/]*/\.cache/gdm(/.*)?
-+.br
-+ /home/[^/]*/\.xsession-errors.*
-+.br
-+ /home/dwalsh/\.dmrc.*
-+.br
-+ /home/dwalsh/\.cache/gdm(/.*)?
-+.br
-+ /home/dwalsh/\.xsession-errors.*
-+.br
-+ /var/lib/xguest/home/xguest/\.dmrc.*
-+.br
-+ /var/lib/xguest/home/xguest/\.cache/gdm(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.xsession-errors.*
-+.br
-+
-+.br
-+.B xdm_lock_t
-+
-+
-+.br
-+.B xdm_log_t
-+
-+ /var/log/[mg]dm(/.*)?
-+.br
-+ /var/log/[mkwx]dm\.log.*
-+.br
-+ /var/log/lxdm\.log.*
-+.br
-+ /var/log/slim\.log
-+.br
-+
-+.br
-+.B xdm_rw_etc_t
-+
-+ /etc/X11/wdm(/.*)?
-+.br
-+ /etc/opt/VirtualGL(/.*)?
-+.br
-+
-+.br
-+.B xdm_spool_t
-+
-+ /var/spool/[mg]dm(/.*)?
-+.br
-+
-+.br
-+.B xdm_tmp_t
-+
-+ /tmp/\.X11-unix(/.*)?
-+.br
-+ /tmp/\.ICE-unix(/.*)?
-+.br
-+ /tmp/\.X0-lock
-+.br
-+
-+.br
-+.B xdm_tmpfs_t
-+
-+
-+.br
-+.B xdm_var_lib_t
-+
-+ /var/lib/[mxkwg]dm(/.*)?
-+.br
-+ /var/cache/[mg]dm(/.*)?
-+.br
-+ /var/lib/lxdm(/.*)?
-+.br
-+ /var/lib/lightdm(/.*)?
-+.br
-+ /var/cache/lightdm(/.*)?
-+.br
-+
-+.br
-+.B xdm_var_run_t
-+
-+ /etc/kde[34]?/kdm/backgroundrc
-+.br
-+ /var/run/[gx]dm\.pid
-+.br
-+ /var/run/[kgm]dm(/.*)?
-+.br
-+ /usr/lib/qt-.*/etc/settings(/.*)?
-+.br
-+ /var/run/slim.*
-+.br
-+ /var/run/lxdm(/.*)?
-+.br
-+ /var/run/slim(/.*)?
-+.br
-+ /var/run/xauth(/.*)?
-+.br
-+ /var/run/xdmctl(/.*)?
-+.br
-+ /var/run/lightdm(/.*)?
-+.br
-+ /var/run/systemd/multi-session-x(/.*)?
-+.br
-+ /var/run/lxdm\.pid
-+.br
-+ /var/run/lxdm\.auth
-+.br
-+ /var/run/gdm_socket
-+.br
-+
-+.br
-+.B xkb_var_lib_t
-+
-+ /var/lib/xkb(/.*)?
-+.br
-+ /usr/X11R6/lib/X11/xkb/.*
-+.br
-+ /usr/X11R6/lib/X11/xkb
-+.br
-+
-+.br
-+.B xserver_log_t
-+
-+ /var/[xgkw]dm(/.*)?
-+.br
-+ /usr/var/[xgkw]dm(/.*)?
-+.br
-+ /var/log/Xorg.*
-+.br
-+ /var/log/XFree86.*
-+.br
-+ /var/log/lightdm(/.*)?
-+.br
-+ /var/log/nvidia-installer\.log.*
-+.br
-+
-+.br
-+.B xserver_tmpfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xdm_dbusd_t, xdm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the xdm_dbusd_t, xdm_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), xdm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/xenconsoled_selinux.8 b/man/man8/xenconsoled_selinux.8
-new file mode 100644
-index 0000000..9d5fe35
---- /dev/null
-+++ b/man/man8/xenconsoled_selinux.8
-@@ -0,0 +1,126 @@
-+.TH "xenconsoled_selinux" "8" "12-11-01" "xenconsoled" "SELinux Policy documentation for xenconsoled"
-+.SH "NAME"
-+xenconsoled_selinux \- Security Enhanced Linux Policy for the xenconsoled processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the xenconsoled processes via flexible mandatory access control.
-+
-+The xenconsoled processes execute with the xenconsoled_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep xenconsoled_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The xenconsoled_t SELinux type can be entered via the "xenconsoled_exec_t" file type. The default entrypoint paths for the xenconsoled_t domain are the following:"
-+
-+/usr/sbin/xenconsoled
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux xenconsoled policy is very flexible allowing users to setup their xenconsoled processes in as secure a method as possible.
-+.PP
-+The following process types are defined for xenconsoled:
-+
-+.EX
-+.B xenconsoled_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux xenconsoled policy is very flexible allowing users to setup their xenconsoled processes in as secure a method as possible.
-+.PP
-+The following file types are defined for xenconsoled:
-+
-+
-+.EX
-+.PP
-+.B xenconsoled_exec_t
-+.EE
-+
-+- Set files with the xenconsoled_exec_t type, if you want to transition an executable to the xenconsoled_t domain.
-+
-+
-+.EX
-+.PP
-+.B xenconsoled_var_run_t
-+.EE
-+
-+- Set files with the xenconsoled_var_run_t type, if you want to store the xenconsoled files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type xenconsoled_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B xenconsoled_var_run_t
-+
-+ /var/run/xenconsoled\.pid
-+.br
-+
-+.br
-+.B xend_var_log_t
-+
-+ /var/log/xen(/.*)?
-+.br
-+ /var/log/xend\.log.*
-+.br
-+ /var/log/xend-debug\.log.*
-+.br
-+ /var/log/xen-hotplug\.log.*
-+.br
-+
-+.br
-+.B xenfs_t
-+
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), xenconsoled(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/xend_selinux.8 b/man/man8/xend_selinux.8
-new file mode 100644
-index 0000000..b211bcb
---- /dev/null
-+++ b/man/man8/xend_selinux.8
-@@ -0,0 +1,330 @@
-+.TH "xend_selinux" "8" "12-11-01" "xend" "SELinux Policy documentation for xend"
-+.SH "NAME"
-+xend_selinux \- Security Enhanced Linux Policy for the xend processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the xend processes via flexible mandatory access control.
-+
-+The xend processes execute with the xend_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep xend_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The xend_t SELinux type can be entered via the "xend_exec_t" file type. The default entrypoint paths for the xend_t domain are the following:"
-+
-+/usr/sbin/xend
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux xend policy is very flexible allowing users to setup their xend processes in as secure a method as possible.
-+.PP
-+The following process types are defined for xend:
-+
-+.EX
-+.B xend_t, xenstored_t, xenconsoled_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. xend policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xend with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean.
-+
-+.EX
-+.B setsebool -P xend_run_blktap 1
-+.EE
-+
-+.PP
-+If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P xen_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow xend to run qemu-dm. Not required if using paravirt and no vfb, you must turn on the xend_run_qemu boolean.
-+
-+.EX
-+.B setsebool -P xend_run_qemu 1
-+.EE
-+
-+.PP
-+If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean.
-+
-+.EX
-+.B setsebool -P xend_run_blktap 1
-+.EE
-+
-+.PP
-+If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean.
-+
-+.EX
-+.B setsebool -P xen_use_nfs 1
-+.EE
-+
-+.PP
-+If you want to allow xend to run qemu-dm. Not required if using paravirt and no vfb, you must turn on the xend_run_qemu boolean.
-+
-+.EX
-+.B setsebool -P xend_run_qemu 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux xend policy is very flexible allowing users to setup their xend processes in as secure a method as possible.
-+.PP
-+The following file types are defined for xend:
-+
-+
-+.EX
-+.PP
-+.B xend_exec_t
-+.EE
-+
-+- Set files with the xend_exec_t type, if you want to transition an executable to the xend_t domain.
-+
-+
-+.EX
-+.PP
-+.B xend_tmp_t
-+.EE
-+
-+- Set files with the xend_tmp_t type, if you want to store xend temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B xend_var_lib_t
-+.EE
-+
-+- Set files with the xend_var_lib_t type, if you want to store the xend files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B xend_var_log_t
-+.EE
-+
-+- Set files with the xend_var_log_t type, if you want to treat the data as xend var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B xend_var_run_t
-+.EE
-+
-+- Set files with the xend_var_run_t type, if you want to store the xend files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux xend policy is very flexible allowing users to setup their xend processes in as secure a method as possible.
-+.PP
-+The following port types are defined for xend:
-+
-+.EX
-+.TP 5
-+.B xen_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 8002
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type xend_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B dhcp_etc_t
-+
-+ /etc/dhcpc.*
-+.br
-+ /etc/dhcp3(/.*)?
-+.br
-+ /etc/dhcpd(6)?\.conf
-+.br
-+ /etc/dhcp3?/dhclient.*
-+.br
-+ /etc/dhclient.*conf
-+.br
-+ /etc/dhcp/dhcpd(6)?\.conf
-+.br
-+ /etc/dhclient-script
-+.br
-+
-+.br
-+.B etc_runtime_t
-+
-+ /[^/]+
-+.br
-+ /etc/mtab.*
-+.br
-+ /etc/blkid(/.*)?
-+.br
-+ /etc/nologin.*
-+.br
-+ /etc/\.fstab\.hal\..+
-+.br
-+ /halt
-+.br
-+ /fastboot
-+.br
-+ /poweroff
-+.br
-+ /etc/cmtab
-+.br
-+ /\.autofsck
-+.br
-+ /forcefsck
-+.br
-+ /\.suspended
-+.br
-+ /fsckoptions
-+.br
-+ /\.autorelabel
-+.br
-+ /etc/securetty
-+.br
-+ /etc/killpower
-+.br
-+ /etc/nohotplug
-+.br
-+ /etc/ioctl\.save
-+.br
-+ /etc/fstab\.REVOKE
-+.br
-+ /etc/network/ifstate
-+.br
-+ /etc/sysconfig/hwconf
-+.br
-+ /etc/ptal/ptal-printd-like
-+.br
-+ /etc/sysconfig/iptables\.save
-+.br
-+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B xen_image_t
-+
-+ /xen(/.*)?
-+.br
-+ /var/lib/xen/images(/.*)?
-+.br
-+
-+.br
-+.B xend_tmp_t
-+
-+
-+.br
-+.B xend_var_lib_t
-+
-+ /var/lib/xen(/.*)?
-+.br
-+ /var/lib/xend(/.*)?
-+.br
-+
-+.br
-+.B xend_var_log_t
-+
-+ /var/log/xen(/.*)?
-+.br
-+ /var/log/xend\.log.*
-+.br
-+ /var/log/xend-debug\.log.*
-+.br
-+ /var/log/xen-hotplug\.log.*
-+.br
-+
-+.br
-+.B xend_var_run_t
-+
-+ /var/run/xend(/.*)?
-+.br
-+ /var/run/xenner(/.*)?
-+.br
-+ /var/run/xend\.pid
-+.br
-+
-+.br
-+.B xenfs_t
-+
-+
-+.br
-+.B xenstored_var_run_t
-+
-+ /var/run/xenstored(/.*)?
-+.br
-+ /var/run/xenstore\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), xend(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), xenconsoled_selinux(8), xenstored_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/xenstored_selinux.8 b/man/man8/xenstored_selinux.8
-new file mode 100644
-index 0000000..5ad6f42
---- /dev/null
-+++ b/man/man8/xenstored_selinux.8
-@@ -0,0 +1,148 @@
-+.TH "xenstored_selinux" "8" "12-11-01" "xenstored" "SELinux Policy documentation for xenstored"
-+.SH "NAME"
-+xenstored_selinux \- Security Enhanced Linux Policy for the xenstored processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the xenstored processes via flexible mandatory access control.
-+
-+The xenstored processes execute with the xenstored_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep xenstored_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The xenstored_t SELinux type can be entered via the "xenstored_exec_t" file type. The default entrypoint paths for the xenstored_t domain are the following:"
-+
-+/usr/sbin/xenstored
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux xenstored policy is very flexible allowing users to setup their xenstored processes in as secure a method as possible.
-+.PP
-+The following process types are defined for xenstored:
-+
-+.EX
-+.B xenstored_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux xenstored policy is very flexible allowing users to setup their xenstored processes in as secure a method as possible.
-+.PP
-+The following file types are defined for xenstored:
-+
-+
-+.EX
-+.PP
-+.B xenstored_exec_t
-+.EE
-+
-+- Set files with the xenstored_exec_t type, if you want to transition an executable to the xenstored_t domain.
-+
-+
-+.EX
-+.PP
-+.B xenstored_tmp_t
-+.EE
-+
-+- Set files with the xenstored_tmp_t type, if you want to store xenstored temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B xenstored_var_lib_t
-+.EE
-+
-+- Set files with the xenstored_var_lib_t type, if you want to store the xenstored files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B xenstored_var_log_t
-+.EE
-+
-+- Set files with the xenstored_var_log_t type, if you want to treat the data as xenstored var log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B xenstored_var_run_t
-+.EE
-+
-+- Set files with the xenstored_var_run_t type, if you want to store the xenstored files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type xenstored_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B xenfs_t
-+
-+
-+.br
-+.B xenstored_tmp_t
-+
-+
-+.br
-+.B xenstored_var_lib_t
-+
-+ /var/lib/xenstored(/.*)?
-+.br
-+
-+.br
-+.B xenstored_var_log_t
-+
-+
-+.br
-+.B xenstored_var_run_t
-+
-+ /var/run/xenstored(/.*)?
-+.br
-+ /var/run/xenstore\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), xenstored(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/xguest_selinux.8 b/man/man8/xguest_selinux.8
-new file mode 100644
-index 0000000..9a09106
---- /dev/null
-+++ b/man/man8/xguest_selinux.8
-@@ -0,0 +1,345 @@
-+.TH "xguest_selinux" "8" "xguest" "mgrepl@redhat.com" "xguest SELinux Policy documentation"
-+.SH "NAME"
-+xguest_u \- \fBLeast privledge xwindows user role\fP - Security Enhanced Linux Policy
-+
-+.SH DESCRIPTION
-+
-+\fBxguest_u\fP is an SELinux User defined in the SELinux
-+policy. SELinux users have default roles, \fBxguest_r\fP. The
-+default role has a default type, \fBxguest_t\fP, associated with it.
-+
-+The SELinux user will usually login to a system with a context that looks like:
-+
-+.B xguest_u:xguest_r:xguest_t:s0-s0:c0.c1023
-+
-+Linux users are automatically assigned an SELinux users at login.
-+Login programs use the SELinux User to assign initial context to the user's shell.
-+
-+SELinux policy uses the context to control the user's access.
-+
-+By default all users are assigned to the SELinux user via the \fB__default__\fP flag
-+
-+On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
-+
-+You can list all Linux User to SELinux user mapping using:
-+
-+.B semanage login -l
-+
-+If you wanted to change the default user mapping to use the xguest_u user, you would execute:
-+
-+.B semanage login -m -s xguest_u __default__
-+
-+
-+If you want to map the one Linux user (joe) to the SELinux user xguest, you would execute:
-+
-+.B $ semanage login -a -s xguest_u joe
-+
-+
-+.SH USER DESCRIPTION
-+
-+The SELinux user xguest_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
-+
-+.SH SUDO
-+
-+.SH X WINDOWS LOGIN
-+
-+The SELinux user xguest_u is able to X Windows login.
-+
-+.SH NETWORK
-+
-+.TP
-+The SELinux user xguest_u is able to connect to the following tcp ports.
-+
-+.B dns_port_t: 53
-+
-+.B all ports with out defined types
-+
-+.B ftp_port_t: 21,990
-+
-+.B speech_port_t: 8036
-+
-+.B http_cache_port_t: 8080,8118,10001-10010
-+
-+.B http_port_t: 80,81,443,488,8008,8009,8443
-+
-+.B ocsp_port_t: 9080
-+
-+.B squid_port_t: 3128,3401,4827
-+
-+.B ephemeral_port_t: 32768-61000
-+
-+.B kerberos_port_t: 88,750,4444
-+
-+.B pulseaudio_port_t: 4713
-+
-+.B flash_port_t: 843,1935
-+
-+.B soundd_port_t: 8000,9433,16001
-+
-+.B commplex_port_t: 5001
-+
-+.B ipp_port_t: 631,8610-8614
-+
-+.B transproxy_port_t: 8081
-+
-+.TP
-+The SELinux user xguest_u is able to connect to the following tcp ports.
-+
-+.B dns_port_t: 53
-+
-+.B all ports with out defined types
-+
-+.B ftp_port_t: 21,990
-+
-+.B speech_port_t: 8036
-+
-+.B http_cache_port_t: 8080,8118,10001-10010
-+
-+.B http_port_t: 80,81,443,488,8008,8009,8443
-+
-+.B ocsp_port_t: 9080
-+
-+.B squid_port_t: 3128,3401,4827
-+
-+.B ephemeral_port_t: 32768-61000
-+
-+.B kerberos_port_t: 88,750,4444
-+
-+.B pulseaudio_port_t: 4713
-+
-+.B flash_port_t: 843,1935
-+
-+.B soundd_port_t: 8000,9433,16001
-+
-+.B commplex_port_t: 5001
-+
-+.B ipp_port_t: 631,8610-8614
-+
-+.B transproxy_port_t: 8081
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. xguest policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xguest with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
-+
-+.EX
-+.B setsebool -P xguest_mount_media 1
-+.EE
-+
-+.PP
-+If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean.
-+
-+.EX
-+.B setsebool -P xguest_connect_network 1
-+.EE
-+
-+.PP
-+If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
-+
-+.EX
-+.B setsebool -P xguest_use_bluetooth 1
-+.EE
-+
-+.PP
-+If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
-+
-+.EX
-+.B setsebool -P xguest_mount_media 1
-+.EE
-+
-+.PP
-+If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean.
-+
-+.EX
-+.B setsebool -P xguest_connect_network 1
-+.EE
-+
-+.PP
-+If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
-+
-+.EX
-+.B setsebool -P xguest_use_bluetooth 1
-+.EE
-+
-+.SH HOME_EXEC
-+
-+The SELinux user xguest_u is able execute home content files.
-+
-+.SH TRANSITIONS
-+
-+Three things can happen when xguest_t attempts to execute a program.
-+
-+\fB1.\fP SELinux Policy can deny xguest_t from executing the program.
-+
-+.TP
-+
-+\fB2.\fP SELinux Policy can allow xguest_t to execute the program in the current user type.
-+
-+Execute the following to see the types that the SELinux user xguest_t can execute without transitioning:
-+
-+.B search -A -s xguest_t -c file -p execute_no_trans
-+
-+.TP
-+
-+\fB3.\fP SELinux can allow xguest_t to execute the program and transition to a new type.
-+
-+Execute the following to see the types that the SELinux user xguest_t can execute and transition:
-+
-+.B $ search -A -s xguest_t -c process -p transition
-+
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type xguest_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B auth_cache_t
-+
-+ /var/cache/coolkey(/.*)?
-+.br
-+
-+.br
-+.B chrome_sandbox_tmpfs_t
-+
-+
-+.br
-+.B httpd_user_content_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))(/.+)?
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))(/.+)?
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)?
-+.br
-+
-+.br
-+.B httpd_user_htaccess_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess
-+.br
-+
-+.br
-+.B httpd_user_ra_content_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
-+.br
-+
-+.br
-+.B httpd_user_rw_content_t
-+
-+
-+.br
-+.B httpd_user_script_exec_t
-+
-+ /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?
-+.br
-+ /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?
-+.br
-+ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?
-+.br
-+
-+.br
-+.B noxattrfs
-+
-+ all files on file systems which do not support extended attributes
-+.br
-+
-+.br
-+.B usbfs_t
-+
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B user_home_type
-+
-+ all user home files
-+.br
-+
-+.br
-+.B user_tmp_type
-+
-+ all user tmp files
-+.br
-+
-+.br
-+.B user_tmpfs_type
-+
-+ all user content in tmpfs file systems
-+.br
-+
-+.br
-+.B xdm_tmp_t
-+
-+ /tmp/\.X11-unix(/.*)?
-+.br
-+ /tmp/\.ICE-unix(/.*)?
-+.br
-+ /tmp/\.X0-lock
-+.br
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), xguest(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/xserver_selinux.8 b/man/man8/xserver_selinux.8
-new file mode 100644
-index 0000000..936e2de
---- /dev/null
-+++ b/man/man8/xserver_selinux.8
-@@ -0,0 +1,416 @@
-+.TH "xserver_selinux" "8" "12-11-01" "xserver" "SELinux Policy documentation for xserver"
-+.SH "NAME"
-+xserver_selinux \- Security Enhanced Linux Policy for the xserver processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the xserver processes via flexible mandatory access control.
-+
-+The xserver processes execute with the xserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep xserver_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The xserver_t SELinux type can be entered via the "xserver_exec_t" file type. The default entrypoint paths for the xserver_t domain are the following:"
-+
-+/usr/bin/Xair, /usr/bin/Xorg, /usr/bin/Xephyr, /usr/X11R6/bin/X, /usr/X11R6/bin/Xorg, /usr/X11R6/bin/Xipaq, /usr/X11R6/bin/XFree86, /usr/X11R6/bin/Xwrapper, /etc/init\.d/xfree86-common
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux xserver policy is very flexible allowing users to setup their xserver processes in as secure a method as possible.
-+.PP
-+The following process types are defined for xserver:
-+
-+.EX
-+.B xserver_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. xserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xserver with the tightest access possible.
-+
-+
-+.PP
-+If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean.
-+
-+.EX
-+.B setsebool -P xserver_object_manager 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean.
-+
-+.EX
-+.B setsebool -P virt_use_xserver 1
-+.EE
-+
-+.PP
-+If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean.
-+
-+.EX
-+.B setsebool -P xserver_clients_write_xshm 1
-+.EE
-+
-+.PP
-+If you want to allows XServer to execute writable memory, you must turn on the xserver_execmem boolean.
-+
-+.EX
-+.B setsebool -P xserver_execmem 1
-+.EE
-+
-+.PP
-+If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean.
-+
-+.EX
-+.B setsebool -P xserver_object_manager 1
-+.EE
-+
-+.PP
-+If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean.
-+
-+.EX
-+.B setsebool -P virt_use_xserver 1
-+.EE
-+
-+.PP
-+If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean.
-+
-+.EX
-+.B setsebool -P xserver_clients_write_xshm 1
-+.EE
-+
-+.PP
-+If you want to allows XServer to execute writable memory, you must turn on the xserver_execmem boolean.
-+
-+.EX
-+.B setsebool -P xserver_execmem 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux xserver policy is very flexible allowing users to setup their xserver processes in as secure a method as possible.
-+.PP
-+The following file types are defined for xserver:
-+
-+
-+.EX
-+.PP
-+.B xserver_exec_t
-+.EE
-+
-+- Set files with the xserver_exec_t type, if you want to transition an executable to the xserver_t domain.
-+
-+
-+.EX
-+.PP
-+.B xserver_log_t
-+.EE
-+
-+- Set files with the xserver_log_t type, if you want to treat the data as xserver log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B xserver_tmpfs_t
-+.EE
-+
-+- Set files with the xserver_tmpfs_t type, if you want to store xserver files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B xserver_var_lib_t
-+.EE
-+
-+- Set files with the xserver_var_lib_t type, if you want to store the xserver files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B xserver_var_run_t
-+.EE
-+
-+- Set files with the xserver_var_run_t type, if you want to store the xserver files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux xserver policy is very flexible allowing users to setup their xserver processes in as secure a method as possible.
-+.PP
-+The following port types are defined for xserver:
-+
-+.EX
-+.TP 5
-+.B xserver_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 6000-6020
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type xserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B bluetooth_helper_tmpfs_t
-+
-+
-+.br
-+.B chrome_sandbox_tmpfs_t
-+
-+
-+.br
-+.B consolekit_tmpfs_t
-+
-+
-+.br
-+.B games_tmpfs_t
-+
-+
-+.br
-+.B gpg_pinentry_tmpfs_t
-+
-+
-+.br
-+.B mozilla_tmpfs_t
-+
-+
-+.br
-+.B mplayer_tmpfs_t
-+
-+
-+.br
-+.B mtrr_device_t
-+
-+ /dev/cpu/mtrr
-+.br
-+
-+.br
-+.B pulseaudio_tmpfs_t
-+
-+
-+.br
-+.B rhgb_tmpfs_t
-+
-+
-+.br
-+.B sandbox_xserver_tmpfs_t
-+
-+
-+.br
-+.B security_t
-+
-+ /selinux
-+.br
-+
-+.br
-+.B ssh_tmpfs_t
-+
-+
-+.br
-+.B sysfs_t
-+
-+ /sys(/.*)?
-+.br
-+
-+.br
-+.B tmpfs_t
-+
-+ /dev/shm
-+.br
-+ /lib/udev/devices/shm
-+.br
-+ /usr/lib/udev/devices/shm
-+.br
-+
-+.br
-+.B tvtime_tmpfs_t
-+
-+
-+.br
-+.B user_fonts_cache_t
-+
-+ /root/\.fontconfig(/.*)?
-+.br
-+ /root/\.fonts/auto(/.*)?
-+.br
-+ /root/\.fonts\.cache-.*
-+.br
-+ /home/[^/]*/\.fontconfig(/.*)?
-+.br
-+ /home/[^/]*/\.fonts/auto(/.*)?
-+.br
-+ /home/[^/]*/\.fonts\.cache-.*
-+.br
-+ /home/dwalsh/\.fontconfig(/.*)?
-+.br
-+ /home/dwalsh/\.fonts/auto(/.*)?
-+.br
-+ /home/dwalsh/\.fonts\.cache-.*
-+.br
-+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
-+.br
-+ /var/lib/xguest/home/xguest/\.fonts\.cache-.*
-+.br
-+
-+.br
-+.B user_tmpfs_t
-+
-+ /dev/shm/mono.*
-+.br
-+ /dev/shm/pulse-shm.*
-+.br
-+
-+.br
-+.B vmware_tmpfs_t
-+
-+
-+.br
-+.B wireshark_tmpfs_t
-+
-+
-+.br
-+.B xdm_log_t
-+
-+ /var/log/[mg]dm(/.*)?
-+.br
-+ /var/log/[mkwx]dm\.log.*
-+.br
-+ /var/log/lxdm\.log.*
-+.br
-+ /var/log/slim\.log
-+.br
-+
-+.br
-+.B xdm_tmp_t
-+
-+ /tmp/\.X11-unix(/.*)?
-+.br
-+ /tmp/\.ICE-unix(/.*)?
-+.br
-+ /tmp/\.X0-lock
-+.br
-+
-+.br
-+.B xdm_tmpfs_t
-+
-+
-+.br
-+.B xkb_var_lib_t
-+
-+ /var/lib/xkb(/.*)?
-+.br
-+ /usr/X11R6/lib/X11/xkb/.*
-+.br
-+ /usr/X11R6/lib/X11/xkb
-+.br
-+
-+.br
-+.B xserver_log_t
-+
-+ /var/[xgkw]dm(/.*)?
-+.br
-+ /usr/var/[xgkw]dm(/.*)?
-+.br
-+ /var/log/Xorg.*
-+.br
-+ /var/log/XFree86.*
-+.br
-+ /var/log/lightdm(/.*)?
-+.br
-+ /var/log/nvidia-installer\.log.*
-+.br
-+
-+.br
-+.B xserver_tmpfs_t
-+
-+
-+.br
-+.B xserver_var_lib_t
-+
-+ /var/lib/xorg(/.*)?
-+.br
-+
-+.br
-+.B xserver_var_run_t
-+
-+ /var/run/xorg(/.*)?
-+.br
-+ /var/run/video.rom
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the xserver_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), xserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8
-index 5061a5f..017254a 100644
---- a/man/man8/ypbind_selinux.8
-+++ b/man/man8/ypbind_selinux.8
-@@ -1,19 +1,138 @@
--.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation"
-+.TH "ypbind_selinux" "8" "12-11-01" "ypbind" "SELinux Policy documentation for ypbind"
- .SH "NAME"
--ypbind_selinux \- Security Enhanced Linux Policy for NIS.
-+ypbind_selinux \- Security Enhanced Linux Policy for the ypbind processes
- .SH "DESCRIPTION"
-
--Security-Enhanced Linux secures the system via flexible mandatory access
--control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.
--.SH BOOLEANS
--.TP
--You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
--.TP
--setsebool -P allow_ypbind 1
--.TP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
--This manual page was written by Dan Walsh .
-+Security-Enhanced Linux secures the ypbind processes via flexible mandatory access control.
-+
-+The ypbind processes execute with the ypbind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ypbind_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ypbind_t SELinux type can be entered via the "ypbind_exec_t" file type. The default entrypoint paths for the ypbind_t domain are the following:"
-+
-+/sbin/ypbind, /usr/sbin/ypbind
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ypbind policy is very flexible allowing users to setup their ypbind processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ypbind:
-+
-+.EX
-+.B ypbind_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ypbind policy is very flexible allowing users to setup their ypbind processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ypbind:
-+
-+
-+.EX
-+.PP
-+.B ypbind_exec_t
-+.EE
-+
-+- Set files with the ypbind_exec_t type, if you want to transition an executable to the ypbind_t domain.
-+
-+
-+.EX
-+.PP
-+.B ypbind_initrc_exec_t
-+.EE
-+
-+- Set files with the ypbind_initrc_exec_t type, if you want to transition an executable to the ypbind_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B ypbind_tmp_t
-+.EE
-+
-+- Set files with the ypbind_tmp_t type, if you want to store ypbind temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B ypbind_unit_file_t
-+.EE
-+
-+- Set files with the ypbind_unit_file_t type, if you want to treat the files as ypbind unit content.
-+
-+
-+.EX
-+.PP
-+.B ypbind_var_run_t
-+.EE
-+
-+- Set files with the ypbind_var_run_t type, if you want to store the ypbind files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ypbind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B var_yp_t
-+
-+ /var/yp(/.*)?
-+.br
-+
-+.br
-+.B ypbind_tmp_t
-+
-+
-+.br
-+.B ypbind_var_run_t
-+
-+ /var/run/ypbind.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-
- .SH "SEE ALSO"
--selinux(8), ypbind(8), chcon(1), setsebool(8)
-+selinux(8), ypbind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/yppasswdd_selinux.8 b/man/man8/yppasswdd_selinux.8
-new file mode 100644
-index 0000000..dc85345
---- /dev/null
-+++ b/man/man8/yppasswdd_selinux.8
-@@ -0,0 +1,124 @@
-+.TH "yppasswdd_selinux" "8" "12-11-01" "yppasswdd" "SELinux Policy documentation for yppasswdd"
-+.SH "NAME"
-+yppasswdd_selinux \- Security Enhanced Linux Policy for the yppasswdd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the yppasswdd processes via flexible mandatory access control.
-+
-+The yppasswdd processes execute with the yppasswdd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep yppasswdd_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The yppasswdd_t SELinux type can be entered via the "yppasswdd_exec_t" file type. The default entrypoint paths for the yppasswdd_t domain are the following:"
-+
-+/usr/sbin/rpc\.yppasswdd, /usr/sbin/rpc\.yppasswdd\.env
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux yppasswdd policy is very flexible allowing users to setup their yppasswdd processes in as secure a method as possible.
-+.PP
-+The following process types are defined for yppasswdd:
-+
-+.EX
-+.B yppasswdd_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux yppasswdd policy is very flexible allowing users to setup their yppasswdd processes in as secure a method as possible.
-+.PP
-+The following file types are defined for yppasswdd:
-+
-+
-+.EX
-+.PP
-+.B yppasswdd_exec_t
-+.EE
-+
-+- Set files with the yppasswdd_exec_t type, if you want to transition an executable to the yppasswdd_t domain.
-+
-+
-+.EX
-+.PP
-+.B yppasswdd_var_run_t
-+.EE
-+
-+- Set files with the yppasswdd_var_run_t type, if you want to store the yppasswdd files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type yppasswdd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B shadow_t
-+
-+ /etc/shadow.*
-+.br
-+ /etc/gshadow.*
-+.br
-+ /var/db/shadow.*
-+.br
-+ /etc/security/opasswd
-+.br
-+ /etc/security/opasswd\.old
-+.br
-+
-+.br
-+.B var_yp_t
-+
-+ /var/yp(/.*)?
-+.br
-+
-+.br
-+.B yppasswdd_var_run_t
-+
-+ /var/run/yppass.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), yppasswdd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ypserv_selinux.8 b/man/man8/ypserv_selinux.8
-new file mode 100644
-index 0000000..b34ed73
---- /dev/null
-+++ b/man/man8/ypserv_selinux.8
-@@ -0,0 +1,130 @@
-+.TH "ypserv_selinux" "8" "12-11-01" "ypserv" "SELinux Policy documentation for ypserv"
-+.SH "NAME"
-+ypserv_selinux \- Security Enhanced Linux Policy for the ypserv processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ypserv processes via flexible mandatory access control.
-+
-+The ypserv processes execute with the ypserv_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ypserv_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ypserv_t SELinux type can be entered via the "ypserv_exec_t" file type. The default entrypoint paths for the ypserv_t domain are the following:"
-+
-+/usr/sbin/ypserv
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ypserv policy is very flexible allowing users to setup their ypserv processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ypserv:
-+
-+.EX
-+.B ypserv_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ypserv policy is very flexible allowing users to setup their ypserv processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ypserv:
-+
-+
-+.EX
-+.PP
-+.B ypserv_conf_t
-+.EE
-+
-+- Set files with the ypserv_conf_t type, if you want to treat the files as ypserv configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B ypserv_exec_t
-+.EE
-+
-+- Set files with the ypserv_exec_t type, if you want to transition an executable to the ypserv_t domain.
-+
-+
-+.EX
-+.PP
-+.B ypserv_tmp_t
-+.EE
-+
-+- Set files with the ypserv_tmp_t type, if you want to store ypserv temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B ypserv_var_run_t
-+.EE
-+
-+- Set files with the ypserv_var_run_t type, if you want to store the ypserv files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ypserv_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B var_yp_t
-+
-+ /var/yp(/.*)?
-+.br
-+
-+.br
-+.B ypserv_tmp_t
-+
-+
-+.br
-+.B ypserv_var_run_t
-+
-+ /var/run/ypserv.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ypserv(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/ypxfr_selinux.8 b/man/man8/ypxfr_selinux.8
-new file mode 100644
-index 0000000..ca3f8ec
---- /dev/null
-+++ b/man/man8/ypxfr_selinux.8
-@@ -0,0 +1,110 @@
-+.TH "ypxfr_selinux" "8" "12-11-01" "ypxfr" "SELinux Policy documentation for ypxfr"
-+.SH "NAME"
-+ypxfr_selinux \- Security Enhanced Linux Policy for the ypxfr processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the ypxfr processes via flexible mandatory access control.
-+
-+The ypxfr processes execute with the ypxfr_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep ypxfr_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The ypxfr_t SELinux type can be entered via the "ypxfr_exec_t" file type. The default entrypoint paths for the ypxfr_t domain are the following:"
-+
-+/usr/lib/yp/ypxfr, /usr/sbin/rpc\.ypxfrd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux ypxfr policy is very flexible allowing users to setup their ypxfr processes in as secure a method as possible.
-+.PP
-+The following process types are defined for ypxfr:
-+
-+.EX
-+.B ypxfr_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux ypxfr policy is very flexible allowing users to setup their ypxfr processes in as secure a method as possible.
-+.PP
-+The following file types are defined for ypxfr:
-+
-+
-+.EX
-+.PP
-+.B ypxfr_exec_t
-+.EE
-+
-+- Set files with the ypxfr_exec_t type, if you want to transition an executable to the ypxfr_t domain.
-+
-+
-+.EX
-+.PP
-+.B ypxfr_var_run_t
-+.EE
-+
-+- Set files with the ypxfr_var_run_t type, if you want to store the ypxfr files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type ypxfr_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B var_yp_t
-+
-+ /var/yp(/.*)?
-+.br
-+
-+.br
-+.B ypxfr_var_run_t
-+
-+ /var/run/ypxfrd.*
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), ypxfr(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/zabbix_agent_selinux.8 b/man/man8/zabbix_agent_selinux.8
-new file mode 100644
-index 0000000..e7df99d
---- /dev/null
-+++ b/man/man8/zabbix_agent_selinux.8
-@@ -0,0 +1,141 @@
-+.TH "zabbix_agent_selinux" "8" "12-11-01" "zabbix_agent" "SELinux Policy documentation for zabbix_agent"
-+.SH "NAME"
-+zabbix_agent_selinux \- Security Enhanced Linux Policy for the zabbix_agent processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the zabbix_agent processes via flexible mandatory access control.
-+
-+The zabbix_agent processes execute with the zabbix_agent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep zabbix_agent_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The zabbix_agent_t SELinux type can be entered via the "zabbix_agent_exec_t" file type. The default entrypoint paths for the zabbix_agent_t domain are the following:"
-+
-+/usr/(s)?bin/zabbix_agentd
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux zabbix_agent policy is very flexible allowing users to setup their zabbix_agent processes in as secure a method as possible.
-+.PP
-+The following process types are defined for zabbix_agent:
-+
-+.EX
-+.B zabbix_agent_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux zabbix_agent policy is very flexible allowing users to setup their zabbix_agent processes in as secure a method as possible.
-+.PP
-+The following file types are defined for zabbix_agent:
-+
-+
-+.EX
-+.PP
-+.B zabbix_agent_exec_t
-+.EE
-+
-+- Set files with the zabbix_agent_exec_t type, if you want to transition an executable to the zabbix_agent_t domain.
-+
-+
-+.EX
-+.PP
-+.B zabbix_agent_initrc_exec_t
-+.EE
-+
-+- Set files with the zabbix_agent_initrc_exec_t type, if you want to transition an executable to the zabbix_agent_initrc_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux zabbix_agent policy is very flexible allowing users to setup their zabbix_agent processes in as secure a method as possible.
-+.PP
-+The following port types are defined for zabbix_agent:
-+
-+.EX
-+.TP 5
-+.B zabbix_agent_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 10050
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type zabbix_agent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B zabbix_log_t
-+
-+ /var/log/zabbix(/.*)?
-+.br
-+
-+.br
-+.B zabbix_tmpfs_t
-+
-+
-+.br
-+.B zabbix_var_run_t
-+
-+ /var/run/zabbix(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), zabbix_agent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, zabbix_selinux(8), zabbix_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/zabbix_selinux.8 b/man/man8/zabbix_selinux.8
-new file mode 100644
-index 0000000..ed7cfcc
---- /dev/null
-+++ b/man/man8/zabbix_selinux.8
-@@ -0,0 +1,253 @@
-+.TH "zabbix_selinux" "8" "12-11-01" "zabbix" "SELinux Policy documentation for zabbix"
-+.SH "NAME"
-+zabbix_selinux \- Security Enhanced Linux Policy for the zabbix processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the zabbix processes via flexible mandatory access control.
-+
-+The zabbix processes execute with the zabbix_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep zabbix_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The zabbix_t SELinux type can be entered via the "zabbix_exec_t" file type. The default entrypoint paths for the zabbix_t domain are the following:"
-+
-+/usr/(s)?bin/zabbix_server, /usr/sbin/zabbix_server_mysql, /usr/sbin/zabbix_server_pgsql, /usr/sbin/zabbix_server_sqlite3
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux zabbix policy is very flexible allowing users to setup their zabbix processes in as secure a method as possible.
-+.PP
-+The following process types are defined for zabbix:
-+
-+.EX
-+.B zabbix_agent_t, zabbix_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. zabbix policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zabbix with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow zabbix to connect to unreserved ports, you must turn on the zabbix_can_network boolean.
-+
-+.EX
-+.B setsebool -P zabbix_can_network 1
-+.EE
-+
-+.PP
-+If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_connect_zabbix 1
-+.EE
-+
-+.PP
-+If you want to allow zabbix to connect to unreserved ports, you must turn on the zabbix_can_network boolean.
-+
-+.EX
-+.B setsebool -P zabbix_can_network 1
-+.EE
-+
-+.PP
-+If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean.
-+
-+.EX
-+.B setsebool -P httpd_can_connect_zabbix 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux zabbix policy is very flexible allowing users to setup their zabbix processes in as secure a method as possible.
-+.PP
-+The following file types are defined for zabbix:
-+
-+
-+.EX
-+.PP
-+.B zabbix_agent_exec_t
-+.EE
-+
-+- Set files with the zabbix_agent_exec_t type, if you want to transition an executable to the zabbix_agent_t domain.
-+
-+
-+.EX
-+.PP
-+.B zabbix_agent_initrc_exec_t
-+.EE
-+
-+- Set files with the zabbix_agent_initrc_exec_t type, if you want to transition an executable to the zabbix_agent_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B zabbix_exec_t
-+.EE
-+
-+- Set files with the zabbix_exec_t type, if you want to transition an executable to the zabbix_t domain.
-+
-+
-+.EX
-+.PP
-+.B zabbix_initrc_exec_t
-+.EE
-+
-+- Set files with the zabbix_initrc_exec_t type, if you want to transition an executable to the zabbix_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B zabbix_log_t
-+.EE
-+
-+- Set files with the zabbix_log_t type, if you want to treat the data as zabbix log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B zabbix_tmp_t
-+.EE
-+
-+- Set files with the zabbix_tmp_t type, if you want to store zabbix temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B zabbix_tmpfs_t
-+.EE
-+
-+- Set files with the zabbix_tmpfs_t type, if you want to store zabbix files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B zabbix_var_run_t
-+.EE
-+
-+- Set files with the zabbix_var_run_t type, if you want to store the zabbix files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux zabbix policy is very flexible allowing users to setup their zabbix processes in as secure a method as possible.
-+.PP
-+The following port types are defined for zabbix:
-+
-+.EX
-+.TP 5
-+.B zabbix_agent_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 10050
-+.EE
-+
-+.EX
-+.TP 5
-+.B zabbix_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 10051
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type zabbix_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B zabbix_log_t
-+
-+ /var/log/zabbix(/.*)?
-+.br
-+
-+.br
-+.B zabbix_tmp_t
-+
-+
-+.br
-+.B zabbix_tmpfs_t
-+
-+
-+.br
-+.B zabbix_var_run_t
-+
-+ /var/run/zabbix(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zabbix_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the zabbix_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), zabbix(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8), zabbix_agent_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/zarafa_deliver_selinux.8 b/man/man8/zarafa_deliver_selinux.8
-new file mode 100644
-index 0000000..a840dc6
---- /dev/null
-+++ b/man/man8/zarafa_deliver_selinux.8
-@@ -0,0 +1,145 @@
-+.TH "zarafa_deliver_selinux" "8" "12-11-01" "zarafa_deliver" "SELinux Policy documentation for zarafa_deliver"
-+.SH "NAME"
-+zarafa_deliver_selinux \- Security Enhanced Linux Policy for the zarafa_deliver processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the zarafa_deliver processes via flexible mandatory access control.
-+
-+The zarafa_deliver processes execute with the zarafa_deliver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep zarafa_deliver_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The zarafa_deliver_t SELinux type can be entered via the "zarafa_deliver_exec_t" file type. The default entrypoint paths for the zarafa_deliver_t domain are the following:"
-+
-+/usr/bin/zarafa-dagent
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux zarafa_deliver policy is very flexible allowing users to setup their zarafa_deliver processes in as secure a method as possible.
-+.PP
-+The following process types are defined for zarafa_deliver:
-+
-+.EX
-+.B zarafa_deliver_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux zarafa_deliver policy is very flexible allowing users to setup their zarafa_deliver processes in as secure a method as possible.
-+.PP
-+The following file types are defined for zarafa_deliver:
-+
-+
-+.EX
-+.PP
-+.B zarafa_deliver_exec_t
-+.EE
-+
-+- Set files with the zarafa_deliver_exec_t type, if you want to transition an executable to the zarafa_deliver_t domain.
-+
-+
-+.EX
-+.PP
-+.B zarafa_deliver_log_t
-+.EE
-+
-+- Set files with the zarafa_deliver_log_t type, if you want to treat the data as zarafa deliver log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B zarafa_deliver_tmp_t
-+.EE
-+
-+- Set files with the zarafa_deliver_tmp_t type, if you want to store zarafa deliver temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B zarafa_deliver_var_run_t
-+.EE
-+
-+- Set files with the zarafa_deliver_var_run_t type, if you want to store the zarafa deliver files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type zarafa_deliver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B zarafa_deliver_log_t
-+
-+ /var/log/zarafa/dagent\.log.*
-+.br
-+
-+.br
-+.B zarafa_deliver_tmp_t
-+
-+
-+.br
-+.B zarafa_deliver_var_run_t
-+
-+ /var/run/zarafa-dagent\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_deliver_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), zarafa_deliver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/zarafa_gateway_selinux.8 b/man/man8/zarafa_gateway_selinux.8
-new file mode 100644
-index 0000000..e4eeeb5
---- /dev/null
-+++ b/man/man8/zarafa_gateway_selinux.8
-@@ -0,0 +1,133 @@
-+.TH "zarafa_gateway_selinux" "8" "12-11-01" "zarafa_gateway" "SELinux Policy documentation for zarafa_gateway"
-+.SH "NAME"
-+zarafa_gateway_selinux \- Security Enhanced Linux Policy for the zarafa_gateway processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the zarafa_gateway processes via flexible mandatory access control.
-+
-+The zarafa_gateway processes execute with the zarafa_gateway_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep zarafa_gateway_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The zarafa_gateway_t SELinux type can be entered via the "zarafa_gateway_exec_t" file type. The default entrypoint paths for the zarafa_gateway_t domain are the following:"
-+
-+/usr/bin/zarafa-gateway
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux zarafa_gateway policy is very flexible allowing users to setup their zarafa_gateway processes in as secure a method as possible.
-+.PP
-+The following process types are defined for zarafa_gateway:
-+
-+.EX
-+.B zarafa_gateway_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux zarafa_gateway policy is very flexible allowing users to setup their zarafa_gateway processes in as secure a method as possible.
-+.PP
-+The following file types are defined for zarafa_gateway:
-+
-+
-+.EX
-+.PP
-+.B zarafa_gateway_exec_t
-+.EE
-+
-+- Set files with the zarafa_gateway_exec_t type, if you want to transition an executable to the zarafa_gateway_t domain.
-+
-+
-+.EX
-+.PP
-+.B zarafa_gateway_log_t
-+.EE
-+
-+- Set files with the zarafa_gateway_log_t type, if you want to treat the data as zarafa gateway log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B zarafa_gateway_var_run_t
-+.EE
-+
-+- Set files with the zarafa_gateway_var_run_t type, if you want to store the zarafa gateway files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type zarafa_gateway_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B zarafa_gateway_log_t
-+
-+ /var/log/zarafa/gateway\.log.*
-+.br
-+
-+.br
-+.B zarafa_gateway_var_run_t
-+
-+ /var/run/zarafa-gateway\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_gateway_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_gateway_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), zarafa_gateway(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, zarafa_deliver_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/zarafa_ical_selinux.8 b/man/man8/zarafa_ical_selinux.8
-new file mode 100644
-index 0000000..08fcb78
---- /dev/null
-+++ b/man/man8/zarafa_ical_selinux.8
-@@ -0,0 +1,133 @@
-+.TH "zarafa_ical_selinux" "8" "12-11-01" "zarafa_ical" "SELinux Policy documentation for zarafa_ical"
-+.SH "NAME"
-+zarafa_ical_selinux \- Security Enhanced Linux Policy for the zarafa_ical processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the zarafa_ical processes via flexible mandatory access control.
-+
-+The zarafa_ical processes execute with the zarafa_ical_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep zarafa_ical_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The zarafa_ical_t SELinux type can be entered via the "zarafa_ical_exec_t" file type. The default entrypoint paths for the zarafa_ical_t domain are the following:"
-+
-+/usr/bin/zarafa-ical
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux zarafa_ical policy is very flexible allowing users to setup their zarafa_ical processes in as secure a method as possible.
-+.PP
-+The following process types are defined for zarafa_ical:
-+
-+.EX
-+.B zarafa_ical_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux zarafa_ical policy is very flexible allowing users to setup their zarafa_ical processes in as secure a method as possible.
-+.PP
-+The following file types are defined for zarafa_ical:
-+
-+
-+.EX
-+.PP
-+.B zarafa_ical_exec_t
-+.EE
-+
-+- Set files with the zarafa_ical_exec_t type, if you want to transition an executable to the zarafa_ical_t domain.
-+
-+
-+.EX
-+.PP
-+.B zarafa_ical_log_t
-+.EE
-+
-+- Set files with the zarafa_ical_log_t type, if you want to treat the data as zarafa ical log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B zarafa_ical_var_run_t
-+.EE
-+
-+- Set files with the zarafa_ical_var_run_t type, if you want to store the zarafa ical files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type zarafa_ical_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B zarafa_ical_log_t
-+
-+ /var/log/zarafa/ical\.log.*
-+.br
-+
-+.br
-+.B zarafa_ical_var_run_t
-+
-+ /var/run/zarafa-ical\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_ical_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_ical_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), zarafa_ical(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/zarafa_indexer_selinux.8 b/man/man8/zarafa_indexer_selinux.8
-new file mode 100644
-index 0000000..72df8d0
---- /dev/null
-+++ b/man/man8/zarafa_indexer_selinux.8
-@@ -0,0 +1,155 @@
-+.TH "zarafa_indexer_selinux" "8" "12-11-01" "zarafa_indexer" "SELinux Policy documentation for zarafa_indexer"
-+.SH "NAME"
-+zarafa_indexer_selinux \- Security Enhanced Linux Policy for the zarafa_indexer processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the zarafa_indexer processes via flexible mandatory access control.
-+
-+The zarafa_indexer processes execute with the zarafa_indexer_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep zarafa_indexer_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The zarafa_indexer_t SELinux type can be entered via the "zarafa_indexer_exec_t" file type. The default entrypoint paths for the zarafa_indexer_t domain are the following:"
-+
-+/usr/bin/zarafa-indexer
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux zarafa_indexer policy is very flexible allowing users to setup their zarafa_indexer processes in as secure a method as possible.
-+.PP
-+The following process types are defined for zarafa_indexer:
-+
-+.EX
-+.B zarafa_indexer_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux zarafa_indexer policy is very flexible allowing users to setup their zarafa_indexer processes in as secure a method as possible.
-+.PP
-+The following file types are defined for zarafa_indexer:
-+
-+
-+.EX
-+.PP
-+.B zarafa_indexer_exec_t
-+.EE
-+
-+- Set files with the zarafa_indexer_exec_t type, if you want to transition an executable to the zarafa_indexer_t domain.
-+
-+
-+.EX
-+.PP
-+.B zarafa_indexer_log_t
-+.EE
-+
-+- Set files with the zarafa_indexer_log_t type, if you want to treat the data as zarafa indexer log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B zarafa_indexer_tmp_t
-+.EE
-+
-+- Set files with the zarafa_indexer_tmp_t type, if you want to store zarafa indexer temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B zarafa_indexer_var_run_t
-+.EE
-+
-+- Set files with the zarafa_indexer_var_run_t type, if you want to store the zarafa indexer files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type zarafa_indexer_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B zarafa_indexer_log_t
-+
-+ /var/log/zarafa/indexer\.log.*
-+.br
-+
-+.br
-+.B zarafa_indexer_tmp_t
-+
-+
-+.br
-+.B zarafa_indexer_var_run_t
-+
-+ /var/run/zarafa-indexer
-+.br
-+ /var/run/zarafa-indexer\.pid
-+.br
-+
-+.br
-+.B zarafa_var_lib_t
-+
-+ /var/lib/zarafa(/.*)?
-+.br
-+ /var/lib/zarafa-webaccess(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_indexer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_indexer_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), zarafa_indexer(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/zarafa_monitor_selinux.8 b/man/man8/zarafa_monitor_selinux.8
-new file mode 100644
-index 0000000..c563b1e
---- /dev/null
-+++ b/man/man8/zarafa_monitor_selinux.8
-@@ -0,0 +1,133 @@
-+.TH "zarafa_monitor_selinux" "8" "12-11-01" "zarafa_monitor" "SELinux Policy documentation for zarafa_monitor"
-+.SH "NAME"
-+zarafa_monitor_selinux \- Security Enhanced Linux Policy for the zarafa_monitor processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the zarafa_monitor processes via flexible mandatory access control.
-+
-+The zarafa_monitor processes execute with the zarafa_monitor_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep zarafa_monitor_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The zarafa_monitor_t SELinux type can be entered via the "zarafa_monitor_exec_t" file type. The default entrypoint paths for the zarafa_monitor_t domain are the following:"
-+
-+/usr/bin/zarafa-monitor
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux zarafa_monitor policy is very flexible allowing users to setup their zarafa_monitor processes in as secure a method as possible.
-+.PP
-+The following process types are defined for zarafa_monitor:
-+
-+.EX
-+.B zarafa_monitor_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux zarafa_monitor policy is very flexible allowing users to setup their zarafa_monitor processes in as secure a method as possible.
-+.PP
-+The following file types are defined for zarafa_monitor:
-+
-+
-+.EX
-+.PP
-+.B zarafa_monitor_exec_t
-+.EE
-+
-+- Set files with the zarafa_monitor_exec_t type, if you want to transition an executable to the zarafa_monitor_t domain.
-+
-+
-+.EX
-+.PP
-+.B zarafa_monitor_log_t
-+.EE
-+
-+- Set files with the zarafa_monitor_log_t type, if you want to treat the data as zarafa monitor log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B zarafa_monitor_var_run_t
-+.EE
-+
-+- Set files with the zarafa_monitor_var_run_t type, if you want to store the zarafa monitor files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type zarafa_monitor_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B zarafa_monitor_log_t
-+
-+ /var/log/zarafa/monitor\.log.*
-+.br
-+
-+.br
-+.B zarafa_monitor_var_run_t
-+
-+ /var/run/zarafa-monitor\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_monitor_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_monitor_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), zarafa_monitor(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/zarafa_selinux.8 b/man/man8/zarafa_selinux.8
-new file mode 100644
-index 0000000..23c13e3
---- /dev/null
-+++ b/man/man8/zarafa_selinux.8
-@@ -0,0 +1,165 @@
-+.TH "zarafa_selinux" "8" "zarafa" "dwalsh@redhat.com" "zarafa SELinux Policy documentation"
-+.SH "NAME"
-+zarafa_selinux \- Security Enhanced Linux Policy for the zarafa processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the zarafa processes via flexible mandatory access
-+control.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_deliver_t, zarafa_spooler_t, zarafa_gateway_t, zarafa_ical_t, zarafa_server_t, zarafa_monitor_t, zarafa_indexer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_deliver_t, zarafa_spooler_t, zarafa_gateway_t, zarafa_ical_t, zarafa_server_t, zarafa_monitor_t, zarafa_indexer_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux zarafa policy is very flexible allowing users to setup their zarafa processes in as secure a method as possible.
-+.PP
-+The following file types are defined for zarafa:
-+
-+
-+.EX
-+.PP
-+.B zarafa_deliver_exec_t
-+.EE
-+
-+- Set files with the zarafa_deliver_exec_t type, if you want to transition an executable to the zarafa_deliver_t domain.
-+
-+
-+.EX
-+.PP
-+.B zarafa_deliver_log_t
-+.EE
-+
-+- Set files with the zarafa_deliver_log_t type, if you want to treat the data as zarafa deliver log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B zarafa_deliver_tmp_t
-+.EE
-+
-+- Set files with the zarafa_deliver_tmp_t type, if you want to store zarafa deliver temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B zarafa_deliver_var_run_t
-+.EE
-+
-+- Set files with the zarafa_deliver_var_run_t type, if you want to store the zarafa deliver files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B zarafa_etc_t
-+.EE
-+
-+- Set files with the zarafa_etc_t type, if you want to store zarafa files in the /etc directories.
-+
-+
-+.EX
-+.PP
-+.B zarafa_gateway_exec_t
-+.EE
-+
-+- Set files with the zarafa_gateway_exec_t type, if you want to transition an executable to the zarafa_gateway_t domain.
-+
-+
-+.EX
-+.PP
-+.B zarafa_gateway_log_t
-+.EE
-+
-+- Set files with the zarafa_gateway_log_t type, if you want to treat the data as zarafa gateway log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B zarafa_gateway_var_run_t
-+.EE
-+
-+- Set files with the zarafa_gateway_var_run_t type, if you want to store the zarafa gateway files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B zarafa_ical_exec_t
-+.EE
-+
-+- Set files with the zarafa_ical_exec_t type, if you want to transition an executable to the zarafa_ical_t domain.
-+
-+
-+.EX
-+.PP
-+.B zarafa_ical_log_t
-+.EE
-+
-+- Set files with the zarafa_ical_log_t type, if you want to treat the data as zarafa ical log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B zarafa_ical_var_run_t
-+.EE
-+
-+- Set files with the zarafa_ical_var_run_t type, if you want to store the zarafa ical files under the /run directory.
-+
-+
-+.EX
-+.PP
-+.B zarafa_indexer_exec_t
-+.EE
-+
-+- Set files with the zarafa_indexer_exec_t type, if you want to transition an executable to the zarafa_indexer_t domain.
-+
-+
-+.EX
-+.PP
-+.B zarafa_indexer_log_t
-+.EE
-+
-+- Set files with the zarafa_indexer_log_t type, if you want to treat the data as zarafa indexer log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B zarafa_indexer_tmp_t
-+.EE
-+
-+- Set files with the zarafa_indexer_tmp_t type, if you want to store zarafa indexer temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B zarafa_indexer_var_run_t
-+.EE
-+
-+- Set files with the zarafa_indexer_var_run_t type, if you want to store the zarafa indexer files under the /run directory.
-+
-+.br
-+.TP 5
-+Paths:
-+/var/run/zarafa-indexer\.pid, /var/run/zarafa-indexer
-+
-+.EX
-+.PP
-+.B zarafa_monitor_exec_t
-+.EE
-+
-+- Set files with the zarafa_monitor_exec_t type, if you want to transition an execut
-\ No newline at end of file
-diff --git a/man/man8/zarafa_server_selinux.8 b/man/man8/zarafa_server_selinux.8
-new file mode 100644
-index 0000000..09bb9df
---- /dev/null
-+++ b/man/man8/zarafa_server_selinux.8
-@@ -0,0 +1,155 @@
-+.TH "zarafa_server_selinux" "8" "12-11-01" "zarafa_server" "SELinux Policy documentation for zarafa_server"
-+.SH "NAME"
-+zarafa_server_selinux \- Security Enhanced Linux Policy for the zarafa_server processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the zarafa_server processes via flexible mandatory access control.
-+
-+The zarafa_server processes execute with the zarafa_server_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep zarafa_server_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The zarafa_server_t SELinux type can be entered via the "zarafa_server_exec_t" file type. The default entrypoint paths for the zarafa_server_t domain are the following:"
-+
-+/usr/bin/zarafa-server
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux zarafa_server policy is very flexible allowing users to setup their zarafa_server processes in as secure a method as possible.
-+.PP
-+The following process types are defined for zarafa_server:
-+
-+.EX
-+.B zarafa_server_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux zarafa_server policy is very flexible allowing users to setup their zarafa_server processes in as secure a method as possible.
-+.PP
-+The following file types are defined for zarafa_server:
-+
-+
-+.EX
-+.PP
-+.B zarafa_server_exec_t
-+.EE
-+
-+- Set files with the zarafa_server_exec_t type, if you want to transition an executable to the zarafa_server_t domain.
-+
-+
-+.EX
-+.PP
-+.B zarafa_server_log_t
-+.EE
-+
-+- Set files with the zarafa_server_log_t type, if you want to treat the data as zarafa server log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B zarafa_server_tmp_t
-+.EE
-+
-+- Set files with the zarafa_server_tmp_t type, if you want to store zarafa server temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B zarafa_server_var_run_t
-+.EE
-+
-+- Set files with the zarafa_server_var_run_t type, if you want to store the zarafa server files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type zarafa_server_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B zarafa_server_log_t
-+
-+ /var/log/zarafa/server\.log.*
-+.br
-+
-+.br
-+.B zarafa_server_tmp_t
-+
-+
-+.br
-+.B zarafa_server_var_run_t
-+
-+ /var/run/zarafa
-+.br
-+ /var/run/zarafa-server\.pid
-+.br
-+
-+.br
-+.B zarafa_var_lib_t
-+
-+ /var/lib/zarafa(/.*)?
-+.br
-+ /var/lib/zarafa-webaccess(/.*)?
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_server_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_server_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), zarafa_server(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_spooler_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/zarafa_spooler_selinux.8 b/man/man8/zarafa_spooler_selinux.8
-new file mode 100644
-index 0000000..2c41587
---- /dev/null
-+++ b/man/man8/zarafa_spooler_selinux.8
-@@ -0,0 +1,133 @@
-+.TH "zarafa_spooler_selinux" "8" "12-11-01" "zarafa_spooler" "SELinux Policy documentation for zarafa_spooler"
-+.SH "NAME"
-+zarafa_spooler_selinux \- Security Enhanced Linux Policy for the zarafa_spooler processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the zarafa_spooler processes via flexible mandatory access control.
-+
-+The zarafa_spooler processes execute with the zarafa_spooler_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep zarafa_spooler_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The zarafa_spooler_t SELinux type can be entered via the "zarafa_spooler_exec_t" file type. The default entrypoint paths for the zarafa_spooler_t domain are the following:"
-+
-+/usr/bin/zarafa-spooler
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux zarafa_spooler policy is very flexible allowing users to setup their zarafa_spooler processes in as secure a method as possible.
-+.PP
-+The following process types are defined for zarafa_spooler:
-+
-+.EX
-+.B zarafa_spooler_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux zarafa_spooler policy is very flexible allowing users to setup their zarafa_spooler processes in as secure a method as possible.
-+.PP
-+The following file types are defined for zarafa_spooler:
-+
-+
-+.EX
-+.PP
-+.B zarafa_spooler_exec_t
-+.EE
-+
-+- Set files with the zarafa_spooler_exec_t type, if you want to transition an executable to the zarafa_spooler_t domain.
-+
-+
-+.EX
-+.PP
-+.B zarafa_spooler_log_t
-+.EE
-+
-+- Set files with the zarafa_spooler_log_t type, if you want to treat the data as zarafa spooler log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B zarafa_spooler_var_run_t
-+.EE
-+
-+- Set files with the zarafa_spooler_var_run_t type, if you want to store the zarafa spooler files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type zarafa_spooler_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B zarafa_spooler_log_t
-+
-+ /var/log/zarafa/spooler\.log.*
-+.br
-+
-+.br
-+.B zarafa_spooler_var_run_t
-+
-+ /var/run/zarafa-spooler\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_spooler_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_spooler_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), zarafa_spooler(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8)
-\ No newline at end of file
-diff --git a/man/man8/zebra_selinux.8 b/man/man8/zebra_selinux.8
-new file mode 100644
-index 0000000..0875d31
---- /dev/null
-+++ b/man/man8/zebra_selinux.8
-@@ -0,0 +1,198 @@
-+.TH "zebra_selinux" "8" "12-11-01" "zebra" "SELinux Policy documentation for zebra"
-+.SH "NAME"
-+zebra_selinux \- Security Enhanced Linux Policy for the zebra processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the zebra processes via flexible mandatory access control.
-+
-+The zebra processes execute with the zebra_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep zebra_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The zebra_t SELinux type can be entered via the "zebra_exec_t" file type. The default entrypoint paths for the zebra_t domain are the following:"
-+
-+/usr/sbin/rip.*, /usr/sbin/ospf.*, /usr/sbin/bgpd, /usr/sbin/zebra
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux zebra policy is very flexible allowing users to setup their zebra processes in as secure a method as possible.
-+.PP
-+The following process types are defined for zebra:
-+
-+.EX
-+.B zebra_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required. zebra policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zebra with the tightest access possible.
-+
-+
-+.PP
-+If you want to allow zebra daemon to write it configuration files, you must turn on the zebra_write_config boolean.
-+
-+.EX
-+.B setsebool -P zebra_write_config 1
-+.EE
-+
-+.PP
-+If you want to allow zebra daemon to write it configuration files, you must turn on the zebra_write_config boolean.
-+
-+.EX
-+.B setsebool -P zebra_write_config 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux zebra policy is very flexible allowing users to setup their zebra processes in as secure a method as possible.
-+.PP
-+The following file types are defined for zebra:
-+
-+
-+.EX
-+.PP
-+.B zebra_conf_t
-+.EE
-+
-+- Set files with the zebra_conf_t type, if you want to treat the files as zebra configuration data, usually stored under the /etc directory.
-+
-+
-+.EX
-+.PP
-+.B zebra_exec_t
-+.EE
-+
-+- Set files with the zebra_exec_t type, if you want to transition an executable to the zebra_t domain.
-+
-+
-+.EX
-+.PP
-+.B zebra_initrc_exec_t
-+.EE
-+
-+- Set files with the zebra_initrc_exec_t type, if you want to transition an executable to the zebra_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B zebra_log_t
-+.EE
-+
-+- Set files with the zebra_log_t type, if you want to treat the data as zebra log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B zebra_tmp_t
-+.EE
-+
-+- Set files with the zebra_tmp_t type, if you want to store zebra temporary files in the /tmp directories.
-+
-+
-+.EX
-+.PP
-+.B zebra_var_run_t
-+.EE
-+
-+- Set files with the zebra_var_run_t type, if you want to store the zebra files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PORT TYPES
-+SELinux defines port types to represent TCP and UDP ports.
-+.PP
-+You can see the types associated with a port by using the following command:
-+
-+.B semanage port -l
-+
-+.PP
-+Policy governs the access confined processes have to these ports.
-+SELinux zebra policy is very flexible allowing users to setup their zebra processes in as secure a method as possible.
-+.PP
-+The following port types are defined for zebra:
-+
-+.EX
-+.TP 5
-+.B zebra_port_t
-+.TP 10
-+.EE
-+
-+
-+Default Defined Ports:
-+tcp 2600-2604,2606
-+.EE
-+udp 2600-2604,2606
-+.EE
-+.SH "MANAGED FILES"
-+
-+The SELinux process type zebra_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B zebra_log_t
-+
-+ /var/log/zebra(/.*)?
-+.br
-+ /var/log/quagga(/.*)?
-+.br
-+
-+.br
-+.B zebra_var_run_t
-+
-+ /var/run/quagga(/.*)?
-+.br
-+ /var/run/\.zebra
-+.br
-+ /var/run/\.zserv
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.B semanage port
-+can also be used to manipulate the port definitions
-+
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), zebra(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-+, setsebool(8)
-\ No newline at end of file
-diff --git a/man/man8/zoneminder_selinux.8 b/man/man8/zoneminder_selinux.8
-new file mode 100644
-index 0000000..ac66364
---- /dev/null
-+++ b/man/man8/zoneminder_selinux.8
-@@ -0,0 +1,217 @@
-+.TH "zoneminder_selinux" "8" "12-11-01" "zoneminder" "SELinux Policy documentation for zoneminder"
-+.SH "NAME"
-+zoneminder_selinux \- Security Enhanced Linux Policy for the zoneminder processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the zoneminder processes via flexible mandatory access control.
-+
-+The zoneminder processes execute with the zoneminder_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep zoneminder_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The zoneminder_t SELinux type can be entered via the "zoneminder_exec_t" file type. The default entrypoint paths for the zoneminder_t domain are the following:"
-+
-+/usr/bin/zmpkg.pl, /usr/bin/motion
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux zoneminder policy is very flexible allowing users to setup their zoneminder processes in as secure a method as possible.
-+.PP
-+The following process types are defined for zoneminder:
-+
-+.EX
-+.B zoneminder_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH SHARING FILES
-+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
-+.TP
-+Allow zoneminder servers to read the /var/zoneminder directory by adding the public_content_t file type to the directory and by restoring the file type.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_t "/var/zoneminder(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/zoneminder
-+.pp
-+.TP
-+Allow zoneminder servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_zoneminderd_anon_write boolean to be set.
-+.PP
-+.B
-+semanage fcontext -a -t public_content_rw_t "/var/zoneminder/incoming(/.*)?"
-+.br
-+.B restorecon -F -R -v /var/zoneminder/incoming
-+
-+
-+.PP
-+If you want to allow ZoneMinder to modify public files used for public file transfer services., you must turn on the zoneminder_anon_write boolean.
-+
-+.EX
-+.B setsebool -P zoneminder_anon_write 1
-+.EE
-+
-+.PP
-+If you want to allow ZoneMinder to modify public files used for public file transfer services., you must turn on the zoneminder_anon_write boolean.
-+
-+.EX
-+.B setsebool -P zoneminder_anon_write 1
-+.EE
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux zoneminder policy is very flexible allowing users to setup their zoneminder processes in as secure a method as possible.
-+.PP
-+The following file types are defined for zoneminder:
-+
-+
-+.EX
-+.PP
-+.B zoneminder_exec_t
-+.EE
-+
-+- Set files with the zoneminder_exec_t type, if you want to transition an executable to the zoneminder_t domain.
-+
-+
-+.EX
-+.PP
-+.B zoneminder_initrc_exec_t
-+.EE
-+
-+- Set files with the zoneminder_initrc_exec_t type, if you want to transition an executable to the zoneminder_initrc_t domain.
-+
-+
-+.EX
-+.PP
-+.B zoneminder_log_t
-+.EE
-+
-+- Set files with the zoneminder_log_t type, if you want to treat the data as zoneminder log data, usually stored under the /var/log directory.
-+
-+
-+.EX
-+.PP
-+.B zoneminder_spool_t
-+.EE
-+
-+- Set files with the zoneminder_spool_t type, if you want to store the zoneminder files under the /var/spool directory.
-+
-+
-+.EX
-+.PP
-+.B zoneminder_tmpfs_t
-+.EE
-+
-+- Set files with the zoneminder_tmpfs_t type, if you want to store zoneminder files on a tmpfs file system.
-+
-+
-+.EX
-+.PP
-+.B zoneminder_var_lib_t
-+.EE
-+
-+- Set files with the zoneminder_var_lib_t type, if you want to store the zoneminder files under the /var/lib directory.
-+
-+
-+.EX
-+.PP
-+.B zoneminder_var_run_t
-+.EE
-+
-+- Set files with the zoneminder_var_run_t type, if you want to store the zoneminder files under the /run directory.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux process type zoneminder_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B zoneminder_log_t
-+
-+ /var/log/motion\.log.*
-+.br
-+ /var/log/zoneminder(/.*)?
-+.br
-+
-+.br
-+.B zoneminder_spool_t
-+
-+ /var/spool/zoneminder-upload(/.*)?
-+.br
-+
-+.br
-+.B zoneminder_tmpfs_t
-+
-+
-+.br
-+.B zoneminder_var_lib_t
-+
-+ /var/motion(/.*)?
-+.br
-+ /var/lib/zoneminder(/.*)?
-+.br
-+
-+.br
-+.B zoneminder_var_run_t
-+
-+ /var/run/motion\.pid
-+.br
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zoneminder_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the zoneminder_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), zoneminder(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/man/man8/zos_remote_selinux.8 b/man/man8/zos_remote_selinux.8
-new file mode 100644
-index 0000000..29d9940
---- /dev/null
-+++ b/man/man8/zos_remote_selinux.8
-@@ -0,0 +1,100 @@
-+.TH "zos_remote_selinux" "8" "12-11-01" "zos_remote" "SELinux Policy documentation for zos_remote"
-+.SH "NAME"
-+zos_remote_selinux \- Security Enhanced Linux Policy for the zos_remote processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the zos_remote processes via flexible mandatory access control.
-+
-+The zos_remote processes execute with the zos_remote_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier.
-+
-+For example:
-+
-+.B ps -eZ | grep zos_remote_t
-+
-+
-+.SH "ENTRYPOINTS"
-+
-+The zos_remote_t SELinux type can be entered via the "zos_remote_exec_t" file type. The default entrypoint paths for the zos_remote_t domain are the following:"
-+
-+/sbin/audispd-zos-remote, /usr/sbin/audispd-zos-remote
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files.
-+SELinux zos_remote policy is very flexible allowing users to setup their zos_remote processes in as secure a method as possible.
-+.PP
-+The following process types are defined for zos_remote:
-+
-+.EX
-+.B zos_remote_t
-+.EE
-+.PP
-+Note:
-+.B semanage permissive -a PROCESS_TYPE
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type.
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files.
-+SELinux zos_remote policy is very flexible allowing users to setup their zos_remote processes in as secure a method as possible.
-+.PP
-+The following file types are defined for zos_remote:
-+
-+
-+.EX
-+.PP
-+.B zos_remote_exec_t
-+.EE
-+
-+- Set files with the zos_remote_exec_t type, if you want to transition an executable to the zos_remote_t domain.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
-+.B semanage fcontext
-+command. This will modify the SELinux labeling database. You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zos_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the zos_remote_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR
-+This manual page was auto-generated using
-+.B "sepolicy manpage"
-+by Dan Walsh.
-+
-+.SH "SEE ALSO"
-+selinux(8), zos_remote(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-diff --git a/policy/constraints b/policy/constraints
-index 3a45f23..f4754f0 100644
---- a/policy/constraints
-+++ b/policy/constraints
-@@ -105,6 +105,18 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh }
- or ( t1 == process_uncond_exempt )
- );
-
-+constrain process dyntransition
-+(
-+ u1 == u2
-+ or ( t1 == can_change_process_identity and t2 == process_user_target )
-+);
-+
-+constrain process dyntransition
-+(
-+ r1 == r2
-+ or ( t1 == can_change_process_identity and t2 == process_user_target )
-+);
-+
- # These permissions do not have ubac constraints:
- # fork
- # setexec
-diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index 28802c5..d9460ea 100644
---- a/policy/flask/access_vectors
-+++ b/policy/flask/access_vectors
-@@ -329,6 +329,7 @@ class process
- execheap
- setkeycreate
- setsockcreate
-+ ptrace_child
- }
-
-
-@@ -393,6 +394,10 @@ class system
- syslog_mod
- syslog_console
- module_request
-+ halt
-+ reboot
-+ status
-+ undefined
- }
-
- #
-@@ -443,10 +448,12 @@ class capability
- class capability2
- {
- mac_override # unused by SELinux
-- mac_admin # unused by SELinux
-+ mac_admin
- syslog
- wake_alarm
-+ epolwakeup
- block_suspend
-+ compromise_kernel
- }
-
- #
-@@ -862,3 +869,20 @@ inherits database
- implement
- execute
- }
-+
-+class service
-+{
-+ start
-+ stop
-+ status
-+ reload
-+ kill
-+ load
-+ enable
-+ disable
-+}
-+
-+class proxy
-+{
-+ read
-+}
-diff --git a/policy/flask/security_classes b/policy/flask/security_classes
-index 14a4799..db2e4a0 100644
---- a/policy/flask/security_classes
-+++ b/policy/flask/security_classes
-@@ -131,4 +131,11 @@ class db_view # userspace
- class db_sequence # userspace
- class db_language # userspace
-
-+# systemd services
-+class service
-+
-+# gssd services
-+class proxy
-+
-+
- # FLASK
-diff --git a/policy/global_booleans b/policy/global_booleans
-index 66e85ea..d02654d 100644
---- a/policy/global_booleans
-+++ b/policy/global_booleans
-@@ -6,7 +6,7 @@
-
- ##
- ##
--## Enabling secure mode disallows programs, such as
-+## disallow programs, such as
- ## newrole, from transitioning to administrative
- ## user domains.
- ##
-diff --git a/policy/global_tunables b/policy/global_tunables
-index 4705ab6..11a1ae6 100644
---- a/policy/global_tunables
-+++ b/policy/global_tunables
-@@ -6,52 +6,59 @@
-
- ##
- ##
-+## Allow sysadm to debug or ptrace all processes.
-+##
-+##
-+gen_tunable(deny_ptrace, false)
-+
-+##
-+##
- ## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
- ##
- ##
--gen_tunable(allow_execheap,false)
-+gen_tunable(selinuxuser_execheap,false)
-
- ##
- ##
--## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
-+## Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
- ##
- ##
--gen_tunable(allow_execmem,false)
-+gen_tunable(deny_execmem,false)
-
- ##
- ##
--## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
-+## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
- ##
- ##
--gen_tunable(allow_execmod,false)
-+gen_tunable(selinuxuser_execmod,false)
-
- ##
- ##
--## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
-+## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
- ##
- ##
--gen_tunable(allow_execstack,false)
-+gen_tunable(selinuxuser_execstack,false)
-
- ##
- ##
- ## Enable polyinstantiated directory support.
- ##
- ##
--gen_tunable(allow_polyinstantiation,false)
-+gen_tunable(polyinstantiation_enabled,false)
-
- ##
- ##
- ## Allow system to run with NIS
- ##
- ##
--gen_tunable(allow_ypbind,false)
-+gen_tunable(nis_enabled,false)
-
- ##
- ##
- ## Allow logging in and using the system from /dev/console.
- ##
- ##
--gen_tunable(console_login,true)
-+gen_tunable(login_console_enabled,true)
-
- ##
- ##
-@@ -68,15 +75,6 @@ gen_tunable(global_ssp,false)
-
- ##
- ##
--## Allow email client to various content.
--## nfs, samba, removable devices, and user temp
--## files
--##
--##
--gen_tunable(mail_read_content,false)
--
--##
--##
- ## Allow any files/directories to be exported read/write via NFS.
- ##
- ##
-@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false)
-
- ##
- ##
-+## Support ecryptfs home directories
-+##
-+##
-+gen_tunable(use_ecryptfs_home_dirs,false)
-+
-+##
-+##
-+## Support fusefs home directories
-+##
-+##
-+gen_tunable(use_fusefs_home_dirs,false)
-+
-+##
-+##
- ## Allow users to run TCP servers (bind to ports and accept connection from
- ## the same domain and outside users) disabling this forces FTP passive mode
- ## and may change other protocols.
- ##
- ##
--gen_tunable(user_tcp_server,false)
-+gen_tunable(selinuxuser_tcp_server,false)
-+
-diff --git a/policy/mcs b/policy/mcs
-index f477c7f..ff7369c 100644
---- a/policy/mcs
-+++ b/policy/mcs
-@@ -1,4 +1,6 @@
- ifdef(`enable_mcs',`
-+default_range dir_file_class_set target low;
-+
- #
- # Define sensitivities
- #
-@@ -69,28 +71,48 @@ gen_levels(1,mcs_num_cats)
- # - /proc/pid operations are not constrained.
-
- mlsconstrain file { read ioctl lock execute execute_no_trans }
-- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
-+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
-+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
-
- mlsconstrain file { write setattr append unlink link rename }
-- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
-+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
-+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
-
- mlsconstrain dir { search read ioctl lock }
-- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
-+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
-+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
-
- mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
-- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
-+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
-+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
-+
-+mlsconstrain fifo_file { open }
-+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
-+ (( t1 != mcsuntrustedproc ) and ( t2 == domain )));
-+
-+mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
-+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
-+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
-+
-+mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
-+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
-+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
-
- # New filesystem object labels must be dominated by the relabeling subject
- # clearance, also the objects are single-level.
- mlsconstrain file { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ((( h1 dom h2 ) and ( l2 eq h2 )) or
-+ ( t1 != mcsuntrustedproc ));
-
- # new file labels must be dominated by the relabeling subject clearance
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
-- ( h1 dom h2 );
-+ (( h1 dom h2 ) or ( t1 == mcswriteall ));
-+
-+mlsconstrain { file lnk_file fifo_file } { create relabelto }
-+ ( l2 eq h2 );
-
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ( h1 dom h2 );
-
- mlsconstrain process { transition dyntransition }
- (( h1 dom h2 ) or ( t1 == mcssetcats ));
-@@ -101,6 +123,9 @@ mlsconstrain process { ptrace }
- mlsconstrain process { sigkill sigstop }
- (( h1 dom h2 ) or ( t1 == mcskillall ));
-
-+mlsconstrain process { signal }
-+ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
-+
- #
- # MCS policy for SELinux-enabled databases
- #
-@@ -144,4 +169,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
- mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
- ( h1 dom h2 );
-
-+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
-+ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
-+
-+# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
-+# because the subject in this particular case is the remote domain which is
-+# writing data out the network node which is acting as the object
-+mlsconstrain { node } { recvfrom sendto }
-+ (( l1 dom l2 ) or (t1 != mcsuntrustedproc));
-+
-+mlsconstrain { packet peer } { recv }
-+ (( l1 dom l2 ) or
-+ ((t1 != mcsuntrustedproc) and (t2 != mcsuntrustedproc)));
-+
-+# the netif ingress/egress ops, the ingress permission is a "write" operation
-+# because the subject in this particular case is the remote domain which is
-+# writing data out the network interface which is acting as the object
-+mlsconstrain { netif } { egress ingress }
-+ (( l1 dom l2 ) or (t1 != mcsuntrustedproc));
-+
- ') dnl end enable_mcs
-diff --git a/policy/mls b/policy/mls
-index d218387..c2541c2 100644
---- a/policy/mls
-+++ b/policy/mls
-@@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
- (( l1 eq l2 ) or
- (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
- (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-- ( t1 == mlsnetwrite ));
-+ ( t1 == mlsnetwrite ) or
-+ ( t2 == mlstrustedobject ));
-
- # used by netlabel to restrict normal domains to same level connections
- mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
-@@ -361,9 +362,6 @@ mlsconstrain { peer packet } { recv }
- (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsnetread ));
-
--
--
--
- #
- # MLS policy for the process class
- #
-diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..bf04b0a 100644
---- a/policy/modules/admin/bootloader.fc
-+++ b/policy/modules/admin/bootloader.fc
-@@ -1,9 +1,16 @@
--
-+/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0)
- /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
- /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
-+/etc/zipl\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
-
--/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
- /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
- /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+
-+/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-
--/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0)
-diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
-index a778bb1..5e914db 100644
---- a/policy/modules/admin/bootloader.if
-+++ b/policy/modules/admin/bootloader.if
-@@ -19,6 +19,24 @@ interface(`bootloader_domtrans',`
- domtrans_pattern($1, bootloader_exec_t, bootloader_t)
- ')
-
-+######################################
-+##
-+## Execute bootloader in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bootloader_exec',`
-+ gen_require(`
-+ type bootloader_exec_t;
-+ ')
-+
-+ can_exec($1, bootloader_exec_t)
-+')
-+
- ########################################
- ##
- ## Execute bootloader interactively and do
-@@ -38,11 +56,21 @@ interface(`bootloader_domtrans',`
- #
- interface(`bootloader_run',`
- gen_require(`
-- attribute_role bootloader_roles;
-+ type bootloader_t;
-+ #attribute_role bootloader_roles;
- ')
-
-+ #bootloader_domtrans($1)
-+ #roleattribute $2 bootloader_roles;
-+
- bootloader_domtrans($1)
-- roleattribute $2 bootloader_roles;
-+
-+ role $2 types bootloader_t;
-+
-+ ifdef(`distro_redhat',`
-+ # for mke2fs
-+ mount_run(bootloader_t, $2)
-+ ')
- ')
-
- ########################################
-@@ -100,7 +128,7 @@ interface(`bootloader_rw_tmp_files',`
- ')
-
- files_search_tmp($1)
-- allow $1 bootloader_tmp_t:file rw_file_perms;
-+ allow $1 bootloader_tmp_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -122,3 +150,22 @@ interface(`bootloader_create_runtime_file',`
- allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
- files_boot_filetrans($1, boot_runtime_t, file)
- ')
-+
-+########################################
-+##
-+## Type transition files created in /etc
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bootloader_filetrans_config',`
-+ gen_require(`
-+ type bootloader_etc_t;
-+ ')
-+
-+ files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf")
-+ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
-+')
-diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index ab0439a..57890fe 100644
---- a/policy/modules/admin/bootloader.te
-+++ b/policy/modules/admin/bootloader.te
-@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0)
- # Declarations
- #
-
--attribute_role bootloader_roles;
--roleattribute system_r bootloader_roles;
-+#attribute_role bootloader_roles;
-+#roleattribute system_r bootloader_roles;
-
- #
- # boot_runtime_t is the type for /boot/kernel.h,
-@@ -19,14 +19,21 @@ files_type(boot_runtime_t)
- type bootloader_t;
- type bootloader_exec_t;
- application_domain(bootloader_t, bootloader_exec_t)
--role bootloader_roles types bootloader_t;
-+#role bootloader_roles types bootloader_t;
-+role system_r types bootloader_t;
-+
-+type bootloader_var_run_t;
-+files_pid_file(bootloader_var_run_t)
-+
-+type bootloader_var_lib_t;
-+files_type(bootloader_var_lib_t)
-
- #
- # bootloader_etc_t is the configuration file,
- # grub.conf, lilo.conf, etc.
- #
- type bootloader_etc_t alias etc_bootloader_t;
--files_type(bootloader_etc_t)
-+files_config_file(bootloader_etc_t)
-
- #
- # The temp file is used for initrd creation;
-@@ -41,7 +48,7 @@ dev_node(bootloader_tmp_t)
- # bootloader local policy
- #
-
--allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
-+allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown };
- allow bootloader_t self:process { signal_perms execmem };
- allow bootloader_t self:fifo_file rw_fifo_file_perms;
-
-@@ -59,6 +66,15 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
- # for tune2fs (cjp: ?)
- files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
-
-+manage_dirs_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
-+manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
-+files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })
-+
-+manage_dirs_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
-+manage_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
-+manage_lnk_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
-+files_var_lib_filetrans(bootloader_t, bootloader_var_lib_t, {dir file })
-+
- kernel_getattr_core_if(bootloader_t)
- kernel_read_network_state(bootloader_t)
- kernel_read_system_state(bootloader_t)
-@@ -81,6 +97,8 @@ dev_rw_nvram(bootloader_t)
-
- fs_getattr_xattr_fs(bootloader_t)
- fs_getattr_tmpfs(bootloader_t)
-+fs_list_hugetlbfs(bootloader_t)
-+fs_list_tmpfs(bootloader_t)
- fs_read_tmpfs_symlinks(bootloader_t)
- #Needed for ia64
- fs_manage_dos_files(bootloader_t)
-@@ -89,7 +107,10 @@ mls_file_read_all_levels(bootloader_t)
- mls_file_write_all_levels(bootloader_t)
-
- term_getattr_all_ttys(bootloader_t)
-+term_getattr_all_ptys(bootloader_t)
- term_dontaudit_manage_pty_dirs(bootloader_t)
-+term_dontaudit_getattr_generic_ptys(bootloader_t)
-+term_use_unallocated_ttys(bootloader_t)
-
- corecmd_exec_all_executables(bootloader_t)
-
-@@ -98,12 +119,14 @@ domain_use_interactive_fds(bootloader_t)
- files_create_boot_dirs(bootloader_t)
- files_manage_boot_files(bootloader_t)
- files_manage_boot_symlinks(bootloader_t)
-+files_manage_kernel_modules(bootloader_t)
- files_read_etc_files(bootloader_t)
- files_exec_etc_files(bootloader_t)
- files_read_usr_src_files(bootloader_t)
- files_read_usr_files(bootloader_t)
- files_read_var_files(bootloader_t)
- files_read_kernel_modules(bootloader_t)
-+files_read_kernel_symbol_table(bootloader_t)
- # for nscd
- files_dontaudit_search_pids(bootloader_t)
- # for blkid.tab
-@@ -111,6 +134,7 @@ files_manage_etc_runtime_files(bootloader_t)
- files_etc_filetrans_etc_runtime(bootloader_t, file)
- files_dontaudit_search_home(bootloader_t)
-
-+
- init_getattr_initctl(bootloader_t)
- init_use_script_ptys(bootloader_t)
- init_use_script_fds(bootloader_t)
-@@ -118,19 +142,21 @@ init_rw_script_pipes(bootloader_t)
-
- libs_read_lib_files(bootloader_t)
- libs_exec_lib_files(bootloader_t)
-+libs_exec_ld_so(bootloader_t)
-+
-+auth_use_nsswitch(bootloader_t)
-
- logging_send_syslog_msg(bootloader_t)
- logging_rw_generic_logs(bootloader_t)
-
--miscfiles_read_localization(bootloader_t)
-
- modutils_domtrans_insmod(bootloader_t)
-
- seutil_read_bin_policy(bootloader_t)
- seutil_read_loadpolicy(bootloader_t)
--seutil_dontaudit_search_config(bootloader_t)
-
--userdom_use_user_terminals(bootloader_t)
-+userdom_getattr_user_tmpfs_files(bootloader_t)
-+userdom_use_inherited_user_terminals(bootloader_t)
- userdom_dontaudit_search_user_home_dirs(bootloader_t)
-
- ifdef(`distro_debian',`
-@@ -166,7 +192,8 @@ ifdef(`distro_redhat',`
- files_manage_isid_type_chr_files(bootloader_t)
-
- # for mke2fs
-- mount_run(bootloader_t, bootloader_roles)
-+ #mount_run(bootloader_t, bootloader_roles)
-+ mount_domtrans(bootloader_t)
-
- optional_policy(`
- unconfined_domain(bootloader_t)
-@@ -174,6 +201,10 @@ ifdef(`distro_redhat',`
- ')
-
- optional_policy(`
-+ devicekit_dontaudit_read_pid_files(bootloader_t)
-+')
-+
-+optional_policy(`
- fstools_exec(bootloader_t)
- ')
-
-@@ -183,6 +214,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gpm_getattr_gpmctl(bootloader_t)
-+')
-+
-+optional_policy(`
-+ fsadm_manage_pid(bootloader_t)
-+')
-+
-+optional_policy(`
- kudzu_domtrans(bootloader_t)
- ')
-
-@@ -195,17 +234,19 @@ optional_policy(`
-
- optional_policy(`
- modutils_exec_insmod(bootloader_t)
-+ modutils_list_module_config(bootloader_t)
- modutils_read_module_deps(bootloader_t)
- modutils_read_module_config(bootloader_t)
- modutils_exec_insmod(bootloader_t)
- modutils_exec_depmod(bootloader_t)
- modutils_exec_update_mods(bootloader_t)
-+ modutils_domtrans_insmod_uncond(bootloader_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(bootloader_t)
-+ rpm_rw_pipes(bootloader_t)
- ')
-
- optional_policy(`
-- rpm_rw_pipes(bootloader_t)
-+ udev_read_pid_files(bootloader_t)
- ')
-diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc
-index b7f053b..5d4fc31 100644
---- a/policy/modules/admin/consoletype.fc
-+++ b/policy/modules/admin/consoletype.fc
-@@ -1,2 +1,4 @@
-
- /sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0)
-+
-+/usr/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0)
-diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
-index 0f57d3b..655d07f 100644
---- a/policy/modules/admin/consoletype.if
-+++ b/policy/modules/admin/consoletype.if
-@@ -19,10 +19,6 @@ interface(`consoletype_domtrans',`
-
- corecmd_search_bin($1)
- domtrans_pattern($1, consoletype_exec_t, consoletype_t)
--
-- ifdef(`hide_broken_symptoms', `
-- dontaudit consoletype_t $1:socket_class_set { read write };
-- ')
- ')
-
- ########################################
-diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
-index cd5e005..247259a 100644
---- a/policy/modules/admin/consoletype.te
-+++ b/policy/modules/admin/consoletype.te
-@@ -7,8 +7,8 @@ policy_module(consoletype, 1.10.0)
-
- type consoletype_t;
- type consoletype_exec_t;
--init_domain(consoletype_t, consoletype_exec_t)
--init_system_domain(consoletype_t, consoletype_exec_t)
-+application_domain(consoletype_t, consoletype_exec_t)
-+role system_r types consoletype_t;
-
- ########################################
- #
-@@ -47,14 +47,16 @@ fs_list_inotifyfs(consoletype_t)
- mls_file_read_all_levels(consoletype_t)
- mls_file_write_all_levels(consoletype_t)
-
--term_use_all_terms(consoletype_t)
-+term_use_all_inherited_terms(consoletype_t)
-+term_use_ptmx(consoletype_t)
-
- init_use_fds(consoletype_t)
- init_use_script_ptys(consoletype_t)
- init_use_script_fds(consoletype_t)
- init_rw_script_pipes(consoletype_t)
-+init_rw_inherited_script_tmp_files(consoletype_t)
-
--userdom_use_user_terminals(consoletype_t)
-+userdom_use_inherited_user_terminals(consoletype_t)
-
- ifdef(`distro_redhat',`
- fs_rw_tmpfs_chr_files(consoletype_t)
-@@ -79,16 +81,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-- files_read_etc_files(consoletype_t)
-- firstboot_use_fds(consoletype_t)
-- firstboot_rw_pipes(consoletype_t)
-+ devicekit_dontaudit_read_pid_files(consoletype_t)
-+ devicekit_dontaudit_rw_log(consoletype_t)
- ')
-
- optional_policy(`
-- hal_dontaudit_use_fds(consoletype_t)
-- hal_dontaudit_rw_pipes(consoletype_t)
-- hal_dontaudit_rw_dgram_sockets(consoletype_t)
-- hal_dontaudit_write_log(consoletype_t)
-+ files_read_etc_files(consoletype_t)
-+ firstboot_use_fds(consoletype_t)
-+ firstboot_rw_pipes(consoletype_t)
- ')
-
- optional_policy(`
-@@ -114,6 +114,7 @@ optional_policy(`
-
- optional_policy(`
- userdom_use_unpriv_users_fds(consoletype_t)
-+ userdom_dontaudit_rw_dgram_socket(consoletype_t)
- ')
-
- optional_policy(`
-diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
-index d6cc2d9..0685b19 100644
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1,2 +1,4 @@
-
- /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+
-+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 72bc6d8..ff164b3 100644
---- a/policy/modules/admin/dmesg.te
-+++ b/policy/modules/admin/dmesg.te
-@@ -9,6 +9,10 @@ type dmesg_t;
- type dmesg_exec_t;
- init_system_domain(dmesg_t, dmesg_exec_t)
-
-+ifdef(`enable_mls',`
-+ init_ranged_daemon_domain(dmesg_t, dmesg_exec_t, mls_systemhigh)
-+')
-+
- ########################################
- #
- # Local policy
-@@ -19,6 +23,7 @@ dontaudit dmesg_t self:capability sys_tty_config;
-
- allow dmesg_t self:process signal_perms;
-
-+kernel_read_system_state(dmesg_t)
- kernel_read_kernel_sysctls(dmesg_t)
- kernel_read_ring_buffer(dmesg_t)
- kernel_clear_ring_buffer(dmesg_t)
-@@ -27,6 +32,7 @@ kernel_list_proc(dmesg_t)
- kernel_read_proc_symlinks(dmesg_t)
-
- dev_read_sysfs(dmesg_t)
-+dev_read_kmsg(dmesg_t)
-
- fs_search_auto_mountpoints(dmesg_t)
-
-@@ -44,10 +50,13 @@ init_use_script_ptys(dmesg_t)
- logging_send_syslog_msg(dmesg_t)
- logging_write_generic_logs(dmesg_t)
-
--miscfiles_read_localization(dmesg_t)
-
- userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
--userdom_use_user_terminals(dmesg_t)
-+userdom_use_inherited_user_terminals(dmesg_t)
-+
-+optional_policy(`
-+ abrt_rw_inherited_cache(dmesg_t)
-+')
-
- optional_policy(`
- seutil_sigchld_newrole(dmesg_t)
-diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
-index 407078f..1a09bea 100644
---- a/policy/modules/admin/netutils.fc
-+++ b/policy/modules/admin/netutils.fc
-@@ -1,15 +1,22 @@
- /bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
--/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-+/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-
- /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
-
- /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-+/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-+/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
-+/usr/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-
--/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0)
-+/usr/lib/heartbeat/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
-+
-+/usr/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
-+/usr/sbin/fping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
- /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
-+/usr/sbin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
- /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
-diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
-index c6ca761..0c86bfd 100644
---- a/policy/modules/admin/netutils.if
-+++ b/policy/modules/admin/netutils.if
-@@ -42,6 +42,7 @@ interface(`netutils_run',`
- ')
-
- netutils_domtrans($1)
-+ allow $1 netutils_t:process { signal sigkill };
- role $2 types netutils_t;
- ')
-
-@@ -161,6 +162,7 @@ interface(`netutils_run_ping',`
-
- netutils_domtrans_ping($1)
- role $2 types ping_t;
-+ allow $1 ping_t:process { signal sigkill };
- ')
-
- ########################################
-@@ -183,13 +185,14 @@ interface(`netutils_run_ping',`
- interface(`netutils_run_ping_cond',`
- gen_require(`
- type ping_t;
-- bool user_ping;
-+ bool selinuxuser_ping;
- ')
-
- role $2 types ping_t;
-
-- if ( user_ping ) {
-+ if ( selinuxuser_ping ) {
- netutils_domtrans_ping($1)
-+ allow $1 ping_t:process { signal sigkill };
- }
- ')
-
-@@ -254,6 +257,7 @@ interface(`netutils_run_traceroute',`
- ')
-
- netutils_domtrans_traceroute($1)
-+ allow $1 traceroute_t:process { signal sigkill };
- role $2 types traceroute_t;
- ')
-
-@@ -277,13 +281,14 @@ interface(`netutils_run_traceroute',`
- interface(`netutils_run_traceroute_cond',`
- gen_require(`
- type traceroute_t;
-- bool user_ping;
-+ bool selinuxuser_ping;
- ')
-
- role $2 types traceroute_t;
-
-- if( user_ping ) {
-+ if( selinuxuser_ping ) {
- netutils_domtrans_traceroute($1)
-+ allow $1 traceroute_t:process { signal sigkill };
- }
- ')
-
-diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..db9ddf7 100644
---- a/policy/modules/admin/netutils.te
-+++ b/policy/modules/admin/netutils.te
-@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.0)
-
- ##
- ##
--## Control users use of ping and traceroute
-+## Allow confined users the ability to execute the ping and traceroute commands.
- ##
- ##
--gen_tunable(user_ping, false)
-+gen_tunable(selinuxuser_ping, false)
-
- type netutils_t;
- type netutils_exec_t;
-@@ -35,12 +35,13 @@ init_system_domain(traceroute_t, traceroute_exec_t)
- # Perform network administration operations and have raw access to the network.
- allow netutils_t self:capability { net_admin net_raw setuid setgid };
- dontaudit netutils_t self:capability sys_tty_config;
--allow netutils_t self:process signal_perms;
-+allow netutils_t self:process { setcap signal_perms };
- allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
- allow netutils_t self:packet_socket create_socket_perms;
- allow netutils_t self:udp_socket create_socket_perms;
- allow netutils_t self:tcp_socket create_stream_socket_perms;
- allow netutils_t self:socket create_socket_perms;
-+allow netutils_t self:netlink_socket create_socket_perms;
-
- manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
- manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
-@@ -48,8 +49,9 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
-
- kernel_search_proc(netutils_t)
- kernel_read_all_sysctls(netutils_t)
-+kernel_read_network_state(netutils_t)
-+kernel_request_load_module(netutils_t)
-
--corenet_all_recvfrom_unlabeled(netutils_t)
- corenet_all_recvfrom_netlabel(netutils_t)
- corenet_tcp_sendrecv_generic_if(netutils_t)
- corenet_raw_sendrecv_generic_if(netutils_t)
-@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
- corenet_udp_bind_generic_node(netutils_t)
-
- dev_read_sysfs(netutils_t)
-+dev_read_usbmon_dev(netutils_t)
-+dev_write_usbmon_dev(netutils_t)
-+dev_rw_generic_usb_dev(netutils_t)
-
- fs_getattr_xattr_fs(netutils_t)
-
-@@ -80,10 +85,9 @@ auth_use_nsswitch(netutils_t)
-
- logging_send_syslog_msg(netutils_t)
-
--miscfiles_read_localization(netutils_t)
-
- term_dontaudit_use_console(netutils_t)
--userdom_use_user_terminals(netutils_t)
-+userdom_use_inherited_user_terminals(netutils_t)
- userdom_use_all_users_fds(netutils_t)
-
- optional_policy(`
-@@ -104,13 +108,14 @@ optional_policy(`
- #
-
- allow ping_t self:capability { setuid net_raw };
-+allow ping_t self:process setcap;
-+
- dontaudit ping_t self:capability sys_tty_config;
- allow ping_t self:tcp_socket create_socket_perms;
--allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
--allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
-+allow ping_t self:rawip_socket create_socket_perms;
-+allow ping_t self:packet_socket create_socket_perms;
- allow ping_t self:netlink_route_socket create_netlink_socket_perms;
-
--corenet_all_recvfrom_unlabeled(ping_t)
- corenet_all_recvfrom_netlabel(ping_t)
- corenet_tcp_sendrecv_generic_if(ping_t)
- corenet_raw_sendrecv_generic_if(ping_t)
-@@ -120,6 +125,7 @@ corenet_raw_bind_generic_node(ping_t)
- corenet_tcp_sendrecv_all_ports(ping_t)
-
- fs_dontaudit_getattr_xattr_fs(ping_t)
-+fs_dontaudit_rw_anon_inodefs_files(ping_t)
-
- domain_use_interactive_fds(ping_t)
-
-@@ -130,11 +136,9 @@ kernel_read_system_state(ping_t)
-
- auth_use_nsswitch(ping_t)
-
--logging_send_syslog_msg(ping_t)
--
--miscfiles_read_localization(ping_t)
-+init_rw_inherited_script_tmp_files(ping_t)
-
--userdom_use_user_terminals(ping_t)
-+logging_send_syslog_msg(ping_t)
-
- ifdef(`hide_broken_symptoms',`
- init_dontaudit_use_fds(ping_t)
-@@ -145,11 +149,25 @@ ifdef(`hide_broken_symptoms',`
- ')
- ')
-
-+term_use_all_inherited_terms(ping_t)
-+
-+tunable_policy(`selinuxuser_ping',`
-+ term_use_all_ttys(ping_t)
-+ term_use_all_ptys(ping_t)
-+',`
-+ term_dontaudit_use_all_ttys(ping_t)
-+ term_dontaudit_use_all_ptys(ping_t)
-+')
-+
- optional_policy(`
- munin_append_log(ping_t)
- ')
-
- optional_policy(`
-+ nagios_rw_inerited_tmp_files(ping_t)
-+')
-+
-+optional_policy(`
- pcmcia_use_cardmgr_fds(ping_t)
- ')
-
-@@ -157,6 +175,15 @@ optional_policy(`
- hotplug_use_fds(ping_t)
- ')
-
-+optional_policy(`
-+ openshift_rw_inherited_content(ping_t)
-+ openshift_dontaudit_rw_inherited_fifo_files(ping_t)
-+')
-+
-+optional_policy(`
-+ zabbix_read_tmp(ping_t)
-+')
-+
- ########################################
- #
- # Traceroute local policy
-@@ -170,7 +197,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
- kernel_read_system_state(traceroute_t)
- kernel_read_network_state(traceroute_t)
-
--corenet_all_recvfrom_unlabeled(traceroute_t)
- corenet_all_recvfrom_netlabel(traceroute_t)
- corenet_tcp_sendrecv_generic_if(traceroute_t)
- corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -194,6 +220,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
- domain_use_interactive_fds(traceroute_t)
-
- files_read_etc_files(traceroute_t)
-+files_read_usr_files(traceroute_t)
- files_dontaudit_search_var(traceroute_t)
-
- init_use_fds(traceroute_t)
-@@ -202,11 +229,17 @@ auth_use_nsswitch(traceroute_t)
-
- logging_send_syslog_msg(traceroute_t)
-
--miscfiles_read_localization(traceroute_t)
--
--userdom_use_user_terminals(traceroute_t)
-
- #rules needed for nmap
- dev_read_rand(traceroute_t)
- dev_read_urand(traceroute_t)
--files_read_usr_files(traceroute_t)
-+
-+term_use_all_inherited_terms(traceroute_t)
-+
-+tunable_policy(`selinuxuser_ping',`
-+ term_use_all_ttys(traceroute_t)
-+ term_use_all_ptys(traceroute_t)
-+',`
-+ term_dontaudit_use_all_ttys(traceroute_t)
-+ term_dontaudit_use_all_ptys(traceroute_t)
-+')
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index 688abc2..3d89250 100644
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -3,3 +3,4 @@
-
- /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 03ec5ca..bfc85a0 100644
---- a/policy/modules/admin/su.if
-+++ b/policy/modules/admin/su.if
-@@ -89,7 +89,6 @@ template(`su_restricted_domain_template', `
-
- logging_send_syslog_msg($1_su_t)
-
-- miscfiles_read_localization($1_su_t)
-
- ifdef(`distro_redhat',`
- # RHEL5 and possibly newer releases incl. Fedora
-@@ -119,11 +118,6 @@ template(`su_restricted_domain_template', `
- userdom_spec_domtrans_unpriv_users($1_su_t)
- ')
-
-- ifdef(`hide_broken_symptoms',`
-- # dontaudit leaked sockets from parent
-- dontaudit $1_su_t $2:socket_class_set { read write };
-- ')
--
- optional_policy(`
- cron_read_pipes($1_su_t)
- ')
-@@ -208,7 +202,7 @@ template(`su_role_template',`
-
- auth_domtrans_chk_passwd($1_su_t)
- auth_dontaudit_read_shadow($1_su_t)
-- auth_use_nsswitch($1_su_t)
-+ auth_use_pam($1_su_t)
- auth_rw_faillog($1_su_t)
-
- corecmd_search_bin($1_su_t)
-@@ -228,10 +222,10 @@ template(`su_role_template',`
-
- logging_send_syslog_msg($1_su_t)
-
-- miscfiles_read_localization($1_su_t)
-
- userdom_use_user_terminals($1_su_t)
- userdom_search_user_home_dirs($1_su_t)
-+ userdom_search_admin_dir($1_su_t)
-
- ifdef(`distro_redhat',`
- # RHEL5 and possibly newer releases incl. Fedora
-@@ -277,12 +271,7 @@ template(`su_role_template',`
- ')
- ')
-
-- ifdef(`hide_broken_symptoms',`
-- # dontaudit leaked sockets from parent
-- dontaudit $1_su_t $3:socket_class_set { read write };
-- ')
--
-- tunable_policy(`allow_polyinstantiation',`
-+ tunable_policy(`polyinstantiation_enabled',`
- fs_mount_xattr_fs($1_su_t)
- fs_unmount_xattr_fs($1_su_t)
- ')
-diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
-index 7bddc02..2b59ed0 100644
---- a/policy/modules/admin/sudo.fc
-+++ b/policy/modules/admin/sudo.fc
-@@ -1,2 +1,4 @@
-
- /usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0)
-+
-+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
-diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 0960199..aa51ab2 100644
---- a/policy/modules/admin/sudo.if
-+++ b/policy/modules/admin/sudo.if
-@@ -32,6 +32,7 @@ template(`sudo_role_template',`
-
- gen_require(`
- type sudo_exec_t;
-+ type sudo_db_t;
- attribute sudodomain;
- ')
-
-@@ -45,27 +46,13 @@ template(`sudo_role_template',`
- domain_interactive_fd($1_sudo_t)
- domain_role_change_exemption($1_sudo_t)
- role $2 types $1_sudo_t;
-+ userdom_home_manager($1_sudo_t)
-
-- ##############################
-- #
-- # Local Policy
-- #
-+ type $1_sudo_tmp_t;
-+ files_tmp_file($1_sudo_tmp_t)
-
-- # Use capabilities.
-- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
-- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-- allow $1_sudo_t self:process { setexec setrlimit };
-- allow $1_sudo_t self:fd use;
-- allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
-- allow $1_sudo_t self:shm create_shm_perms;
-- allow $1_sudo_t self:sem create_sem_perms;
-- allow $1_sudo_t self:msgq create_msgq_perms;
-- allow $1_sudo_t self:msg { send receive };
-- allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
-- allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
-- allow $1_sudo_t self:unix_dgram_socket sendto;
-- allow $1_sudo_t self:unix_stream_socket connectto;
-- allow $1_sudo_t self:key manage_key_perms;
-+ allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
-+ files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
-
- allow $1_sudo_t $3:key search;
-
-@@ -75,88 +62,30 @@ template(`sudo_role_template',`
- # By default, revert to the calling domain when a shell is executed.
- corecmd_shell_domtrans($1_sudo_t, $3)
- corecmd_bin_domtrans($1_sudo_t, $3)
-+ userdom_domtrans_user_home($1_sudo_t, $3)
-+ userdom_domtrans_user_tmp($1_sudo_t, $3)
-+ domain_entry_file($3, sudo_exec_t)
-+ domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3)
-+
- allow $3 $1_sudo_t:fd use;
- allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
- allow $3 $1_sudo_t:process signal_perms;
-
-- kernel_read_kernel_sysctls($1_sudo_t)
- kernel_read_system_state($1_sudo_t)
-- kernel_link_key($1_sudo_t)
--
-- corecmd_read_bin_symlinks($1_sudo_t)
-- corecmd_exec_all_executables($1_sudo_t)
--
-- dev_getattr_fs($1_sudo_t)
-- dev_read_urand($1_sudo_t)
-- dev_rw_generic_usb_dev($1_sudo_t)
-- dev_read_sysfs($1_sudo_t)
--
-- domain_use_interactive_fds($1_sudo_t)
-- domain_sigchld_interactive_fds($1_sudo_t)
-- domain_getattr_all_entry_files($1_sudo_t)
--
-- files_read_etc_files($1_sudo_t)
-- files_read_var_files($1_sudo_t)
-- files_read_usr_symlinks($1_sudo_t)
-- files_getattr_usr_files($1_sudo_t)
-- # for some PAM modules and for cwd
-- files_dontaudit_search_home($1_sudo_t)
-- files_list_tmp($1_sudo_t)
--
-- fs_search_auto_mountpoints($1_sudo_t)
-- fs_getattr_xattr_fs($1_sudo_t)
--
-- selinux_validate_context($1_sudo_t)
-- selinux_compute_relabel_context($1_sudo_t)
--
-- term_getattr_pty_fs($1_sudo_t)
-- term_relabel_all_ttys($1_sudo_t)
-- term_relabel_all_ptys($1_sudo_t)
-+ seutil_libselinux_linked($1_sudo_t)
-
- auth_run_chk_passwd($1_sudo_t, $2)
-- # sudo stores a token in the pam_pid directory
-- auth_manage_pam_pid($1_sudo_t)
- auth_use_nsswitch($1_sudo_t)
-
-- init_rw_utmp($1_sudo_t)
--
-- logging_send_audit_msgs($1_sudo_t)
- logging_send_syslog_msg($1_sudo_t)
-
-- miscfiles_read_localization($1_sudo_t)
--
-- seutil_search_default_contexts($1_sudo_t)
-- seutil_libselinux_linked($1_sudo_t)
--
-- userdom_spec_domtrans_all_users($1_sudo_t)
-- userdom_create_all_users_keys($1_sudo_t)
-- userdom_manage_user_home_content_files($1_sudo_t)
-- userdom_manage_user_home_content_symlinks($1_sudo_t)
-- userdom_manage_user_tmp_files($1_sudo_t)
-- userdom_manage_user_tmp_symlinks($1_sudo_t)
-- userdom_use_user_terminals($1_sudo_t)
-- # for some PAM modules and for cwd
-- userdom_dontaudit_search_user_home_content($1_sudo_t)
-- userdom_dontaudit_search_user_home_dirs($1_sudo_t)
--
-- ifdef(`hide_broken_symptoms', `
-- dontaudit $1_sudo_t $3:socket_class_set { read write };
-- ')
--
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_files($1_sudo_t)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files($1_sudo_t)
-- ')
--
- optional_policy(`
-- dbus_system_bus_client($1_sudo_t)
-+ mta_role($2, $1_sudo_t)
- ')
-
- optional_policy(`
-- fprintd_dbus_chat($1_sudo_t)
-+ kerberos_manage_host_rcache($1_sudo_t)
-+ kerberos_read_config($1_sudo_t)
- ')
-
- ')
-@@ -178,3 +107,22 @@ interface(`sudo_sigchld',`
-
- allow $1 sudodomain:process sigchld;
- ')
-+
-+#######################################
-+##
-+## Allow execute sudo in called domain.
-+## This interfaces is added for nova-stack policy.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sudo_exec',`
-+ gen_require(`
-+ type sudo_exec_t;
-+ ')
-+
-+ can_exec($1, sudo_exec_t)
-+')
-diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index d9fce57..8ae7673 100644
---- a/policy/modules/admin/sudo.te
-+++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,100 @@ attribute sudodomain;
-
- type sudo_exec_t;
- application_executable_file(sudo_exec_t)
-+
-+type sudo_db_t;
-+files_type(sudo_db_t)
-+mls_trusted_object(sudo_db_t)
-+
-+manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t)
-+manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t)
-+
-+##############################
-+#
-+# Local Policy
-+#
-+
-+# Use capabilities.
-+allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
-+allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+allow sudodomain self:process { setexec setrlimit };
-+allow sudodomain self:fd use;
-+allow sudodomain self:fifo_file rw_fifo_file_perms;
-+allow sudodomain self:shm create_shm_perms;
-+allow sudodomain self:sem create_sem_perms;
-+allow sudodomain self:msgq create_msgq_perms;
-+allow sudodomain self:msg { send receive };
-+allow sudodomain self:unix_dgram_socket create_socket_perms;
-+allow sudodomain self:unix_stream_socket create_stream_socket_perms;
-+allow sudodomain self:unix_dgram_socket sendto;
-+allow sudodomain self:unix_stream_socket connectto;
-+allow sudodomain self:key manage_key_perms;
-+
-+kernel_read_kernel_sysctls(sudodomain)
-+kernel_link_key(sudodomain)
-+
-+corecmd_read_bin_symlinks(sudodomain)
-+corecmd_exec_all_executables(sudodomain)
-+
-+dev_getattr_fs(sudodomain)
-+dev_read_urand(sudodomain)
-+dev_rw_generic_usb_dev(sudodomain)
-+dev_read_sysfs(sudodomain)
-+dev_dontaudit_getattr_all(sudodomain)
-+
-+domain_use_interactive_fds(sudodomain)
-+domain_sigchld_interactive_fds(sudodomain)
-+domain_getattr_all_entry_files(sudodomain)
-+
-+files_read_etc_files(sudodomain)
-+files_read_var_files(sudodomain)
-+files_read_usr_files(sudodomain)
-+# for some PAM modules and for cwd
-+files_dontaudit_search_home(sudodomain)
-+files_list_tmp(sudodomain)
-+
-+fs_search_auto_mountpoints(sudodomain)
-+fs_getattr_all_fs(sudodomain)
-+
-+selinux_validate_context(sudodomain)
-+selinux_compute_relabel_context(sudodomain)
-+
-+term_getattr_pty_fs(sudodomain)
-+term_relabel_all_ttys(sudodomain)
-+term_relabel_all_ptys(sudodomain)
-+term_getattr_pty_fs(sudodomain)
-+
-+#auth_run_chk_passwd(sudodomain)
-+# sudo stores a token in the pam_pid directory
-+auth_manage_pam_pid(sudodomain)
-+#auth_use_nsswitch(sudodomain)
-+
-+application_signal(sudodomain)
-+
-+init_rw_utmp(sudodomain)
-+
-+logging_send_audit_msgs(sudodomain)
-+logging_set_audit_parameters(sudodomain)
-+
-+seutil_read_default_contexts(sudodomain)
-+
-+userdom_spec_domtrans_all_users(sudodomain)
-+userdom_manage_user_home_content_files(sudodomain)
-+userdom_manage_user_home_content_symlinks(sudodomain)
-+userdom_manage_user_tmp_files(sudodomain)
-+userdom_manage_user_tmp_symlinks(sudodomain)
-+userdom_use_user_terminals(sudodomain)
-+userdom_signal_all_users(sudodomain)
-+userdom_exec_user_home_content_files(sudodomain)
-+# for some PAM modules and for cwd
-+userdom_search_user_home_content(sudodomain)
-+userdom_search_admin_dir(sudodomain)
-+userdom_manage_all_users_keys(sudodomain)
-+
-+optional_policy(`
-+ dbus_system_bus_client(sudodomain)
-+')
-+
-+optional_policy(`
-+ fprintd_dbus_chat(sudodomain)
-+')
-diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index f82f0ce..204bdc8 100644
---- a/policy/modules/admin/usermanage.fc
-+++ b/policy/modules/admin/usermanage.fc
-@@ -20,6 +20,7 @@ ifdef(`distro_gentoo',`
- /usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0)
- /usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/usr/sbin/newusers -- gen_context(system_u:object_r:useradd_exec_t,s0)
- /usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
-diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
-index 98b8b2d..41f4994 100644
---- a/policy/modules/admin/usermanage.if
-+++ b/policy/modules/admin/usermanage.if
-@@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',`
-
- corecmd_search_bin($1)
- domtrans_pattern($1, chfn_exec_t, chfn_t)
--
-- ifdef(`hide_broken_symptoms',`
-- dontaudit chfn_t $1:socket_class_set { read write };
-- ')
- ')
-
- ########################################
-@@ -41,11 +37,16 @@ interface(`usermanage_domtrans_chfn',`
- #
- interface(`usermanage_run_chfn',`
- gen_require(`
-- attribute_role chfn_roles;
-+ #attribute_role chfn_roles;
-+ type chfn_t;
- ')
-
-+ #usermanage_domtrans_chfn($1)
-+ #roleattribute $2 chfn_roles;
-+
- usermanage_domtrans_chfn($1)
-- roleattribute $2 chfn_roles;
-+ role $2 types chfn_t;
-+
- ')
-
- ########################################
-@@ -65,10 +66,25 @@ interface(`usermanage_domtrans_groupadd',`
-
- corecmd_search_bin($1)
- domtrans_pattern($1, groupadd_exec_t, groupadd_t)
-+')
-
-- ifdef(`hide_broken_symptoms',`
-- dontaudit groupadd_t $1:socket_class_set { read write };
-+########################################
-+##
-+## Check access to the groupadd executable.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`usermanage_access_check_groupadd',`
-+ gen_require(`
-+ type groupadd_exec_t;
- ')
-+
-+ corecmd_search_bin($1)
-+ allow $1 groupadd_exec_t:file { getattr_file_perms execute };
- ')
-
- ########################################
-@@ -90,11 +106,19 @@ interface(`usermanage_domtrans_groupadd',`
- #
- interface(`usermanage_run_groupadd',`
- gen_require(`
-- attribute_role groupadd_roles;
-+ type groupadd_t;
-+ #attribute_role groupadd_roles;
- ')
-
-+ #usermanage_domtrans_groupadd($1)
-+ #roleattribute $2 groupadd_roles;
- usermanage_domtrans_groupadd($1)
-- roleattribute $2 groupadd_roles;
-+ role $2 types groupadd_t;
-+
-+ optional_policy(`
-+ nscd_run(groupadd_t, $2)
-+ ')
-+
- ')
-
- ########################################
-@@ -114,10 +138,6 @@ interface(`usermanage_domtrans_passwd',`
-
- corecmd_search_bin($1)
- domtrans_pattern($1, passwd_exec_t, passwd_t)
--
-- ifdef(`hide_broken_symptoms',`
-- dontaudit passwd_t $1:socket_class_set { read write };
-- ')
- ')
-
- ########################################
-@@ -156,11 +176,35 @@ interface(`usermanage_kill_passwd',`
- #
- interface(`usermanage_run_passwd',`
- gen_require(`
-- attribute_role passwd_roles;
-+ type passwd_t;
-+ #attribute_role passwd_roles;
- ')
-
-+ #usermanage_domtrans_passwd($1)
-+ #roleattribute $2 passwd_roles;
-+
- usermanage_domtrans_passwd($1)
-- roleattribute $2 passwd_roles;
-+ role $2 types passwd_t;
-+ auth_run_chk_passwd(passwd_t, $2)
-+')
-+
-+########################################
-+##
-+## Check access to the passwd executable
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`usermanage_access_check_passwd',`
-+ gen_require(`
-+ type passwd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ allow $1 passwd_exec_t:file { getattr_file_perms execute };
- ')
-
- ########################################
-@@ -203,11 +247,20 @@ interface(`usermanage_domtrans_admin_passwd',`
- #
- interface(`usermanage_run_admin_passwd',`
- gen_require(`
-- attribute_role sysadm_passwd_roles;
-+ type sysadm_passwd_t;
-+ #attribute_role sysadm_passwd_roles;
- ')
-
-+ #usermanage_domtrans_admin_passwd($1)
-+ #roleattribute $2 sysadm_passwd_roles;
-+
- usermanage_domtrans_admin_passwd($1)
-- roleattribute $2 sysadm_passwd_roles;
-+ role $2 types sysadm_passwd_t;
-+
-+ optional_policy(`
-+ nscd_run(sysadm_passwd_t, $2)
-+ ')
-+
- ')
-
- ########################################
-@@ -245,10 +298,6 @@ interface(`usermanage_domtrans_useradd',`
-
- corecmd_search_bin($1)
- domtrans_pattern($1, useradd_exec_t, useradd_t)
--
-- ifdef(`hide_broken_symptoms',`
-- dontaudit useradd_t $1:socket_class_set { read write };
-- ')
- ')
-
- ########################################
-@@ -270,11 +319,38 @@ interface(`usermanage_domtrans_useradd',`
- #
- interface(`usermanage_run_useradd',`
- gen_require(`
-- attribute_role useradd_roles;
-+ #attribute_role useradd_roles;
-+ type useradd_t;
- ')
-
-+ #usermanage_domtrans_useradd($1)
-+ #roleattribute $2 useradd_roles;
-+
- usermanage_domtrans_useradd($1)
-- roleattribute $2 useradd_roles;
-+ role $2 types useradd_t;
-+
-+ optional_policy(`
-+ nscd_run(useradd_t, $2)
-+ ')
-+')
-+
-+########################################
-+##
-+## Check access to the useradd executable.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`usermanage_access_check_useradd',`
-+ gen_require(`
-+ type useradd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ allow $1 useradd_exec_t:file { getattr_file_perms execute };
- ')
-
- ########################################
-diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 673180c..82cfc6e 100644
---- a/policy/modules/admin/usermanage.te
-+++ b/policy/modules/admin/usermanage.te
-@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.0)
- # Declarations
- #
-
--attribute_role chfn_roles;
--role system_r types chfn_t;
-+#attribute_role chfn_roles;
-+#role system_r types chfn_t;
-
--attribute_role groupadd_roles;
-+#attribute_role groupadd_roles;
-
--attribute_role passwd_roles;
--roleattribute system_r passwd_roles;
-+#attribute_role passwd_roles;
-+#roleattribute system_r passwd_roles;
-
--attribute_role sysadm_passwd_roles;
--roleattribute system_r sysadm_passwd_roles;
-+#attribute_role sysadm_passwd_roles;
-+#roleattribute system_r sysadm_passwd_roles;
-
--attribute_role useradd_roles;
-+#attribute_role useradd_roles;
-
- type admin_passwd_exec_t;
- files_type(admin_passwd_exec_t)
-@@ -25,7 +25,8 @@ type chfn_t;
- type chfn_exec_t;
- domain_obj_id_change_exemption(chfn_t)
- application_domain(chfn_t, chfn_exec_t)
--role chfn_roles types chfn_t;
-+#role chfn_roles types chfn_t;
-+role system_r types chfn_t;
-
- type crack_t;
- type crack_exec_t;
-@@ -42,18 +43,21 @@ type groupadd_t;
- type groupadd_exec_t;
- domain_obj_id_change_exemption(groupadd_t)
- init_system_domain(groupadd_t, groupadd_exec_t)
--role groupadd_roles types groupadd_t;
-+#role groupadd_roles types groupadd_t;
-+
-
- type passwd_t;
- type passwd_exec_t;
- domain_obj_id_change_exemption(passwd_t)
- application_domain(passwd_t, passwd_exec_t)
--role passwd_roles types passwd_t;
-+#role passwd_roles types passwd_t;
-+role system_r types passwd_t;
-
- type sysadm_passwd_t;
- domain_obj_id_change_exemption(sysadm_passwd_t)
- application_domain(sysadm_passwd_t, admin_passwd_exec_t)
--role sysadm_passwd_roles types sysadm_passwd_t;
-+#role sysadm_passwd_roles types sysadm_passwd_t;
-+role system_r types sysadm_passwd_t;
-
- type sysadm_passwd_tmp_t;
- files_tmp_file(sysadm_passwd_tmp_t)
-@@ -61,8 +65,10 @@ files_tmp_file(sysadm_passwd_tmp_t)
- type useradd_t;
- type useradd_exec_t;
- domain_obj_id_change_exemption(useradd_t)
-+domain_system_change_exemption(useradd_t)
- init_system_domain(useradd_t, useradd_exec_t)
--role useradd_roles types useradd_t;
-+#role useradd_roles types useradd_t;
-+role system_r types useradd_t;
-
- ########################################
- #
-@@ -86,6 +92,7 @@ allow chfn_t self:unix_stream_socket connectto;
-
- kernel_read_system_state(chfn_t)
- kernel_read_kernel_sysctls(chfn_t)
-+kernel_dontaudit_getattr_core_if(chfn_t)
-
- selinux_get_fs_mount(chfn_t)
- selinux_validate_context(chfn_t)
-@@ -94,25 +101,29 @@ selinux_compute_create_context(chfn_t)
- selinux_compute_relabel_context(chfn_t)
- selinux_compute_user_contexts(chfn_t)
-
--term_use_all_ttys(chfn_t)
--term_use_all_ptys(chfn_t)
-+term_use_all_inherited_ttys(chfn_t)
-+term_use_all_inherited_ptys(chfn_t)
-+term_getattr_all_ptys(chfn_t)
-
- fs_getattr_xattr_fs(chfn_t)
- fs_search_auto_mountpoints(chfn_t)
-
- # for SSP
- dev_read_urand(chfn_t)
-+dev_dontaudit_getattr_all(chfn_t)
-
--auth_run_chk_passwd(chfn_t, chfn_roles)
--auth_dontaudit_read_shadow(chfn_t)
--auth_use_nsswitch(chfn_t)
-+auth_manage_passwd(chfn_t)
-+auth_use_pam(chfn_t)
-+#auth_run_chk_passwd(chfn_t, chfn_roles)
-+#auth_dontaudit_read_shadow(chfn_t)
-+#auth_use_nsswitch(chfn_t)
-
- # allow checking if a shell is executable
- corecmd_check_exec_shell(chfn_t)
-+corecmd_exec_bin(chfn_t)
-
- domain_use_interactive_fds(chfn_t)
-
--files_manage_etc_files(chfn_t)
- files_read_etc_runtime_files(chfn_t)
- files_dontaudit_search_var(chfn_t)
- files_dontaudit_search_home(chfn_t)
-@@ -120,19 +131,29 @@ files_dontaudit_search_home(chfn_t)
- # /usr/bin/passwd asks for w access to utmp, but it will operate
- # correctly without it. Do not audit write denials to utmp.
- init_dontaudit_rw_utmp(chfn_t)
-+init_dontaudit_getattr_initctl(chfn_t)
-
--miscfiles_read_localization(chfn_t)
-
- logging_send_syslog_msg(chfn_t)
-
--# uses unix_chkpwd for checking passwords
--seutil_dontaudit_search_config(chfn_t)
-+userdom_manage_user_tmp_files(chfn_t)
-+userdom_tmp_filetrans_user_tmp(chfn_t, { file })
-
- userdom_use_unpriv_users_fds(chfn_t)
- # user generally runs this from their home directory, so do not audit a search
- # on user home dir
- userdom_dontaudit_search_user_home_content(chfn_t)
-
-+optional_policy(`
-+ rssh_exec(chfn_t)
-+')
-+
-+
-+optional_policy(`
-+ # allow to exec tmux
-+ screen_exec(chfn_t)
-+')
-+
- ########################################
- #
- # Crack local policy
-@@ -209,8 +230,8 @@ selinux_compute_create_context(groupadd_t)
- selinux_compute_relabel_context(groupadd_t)
- selinux_compute_user_contexts(groupadd_t)
-
--term_use_all_ttys(groupadd_t)
--term_use_all_ptys(groupadd_t)
-+term_use_all_inherited_terms(groupadd_t)
-+term_getattr_all_ptys(groupadd_t)
-
- init_use_fds(groupadd_t)
- init_read_utmp(groupadd_t)
-@@ -218,8 +239,8 @@ init_dontaudit_write_utmp(groupadd_t)
-
- domain_use_interactive_fds(groupadd_t)
-
--files_manage_etc_files(groupadd_t)
- files_relabel_etc_files(groupadd_t)
-+files_read_etc_files(groupadd_t)
- files_read_etc_runtime_files(groupadd_t)
- files_read_usr_symlinks(groupadd_t)
-
-@@ -229,14 +250,15 @@ corecmd_exec_bin(groupadd_t)
- logging_send_audit_msgs(groupadd_t)
- logging_send_syslog_msg(groupadd_t)
-
--miscfiles_read_localization(groupadd_t)
-
--auth_run_chk_passwd(groupadd_t, groupadd_roles)
-+#auth_run_chk_passwd(groupadd_t, groupadd_roles)
-+auth_domtrans_chk_passwd(groupadd_t)
- auth_rw_lastlog(groupadd_t)
- auth_use_nsswitch(groupadd_t)
-+auth_manage_passwd(groupadd_t)
-+auth_manage_shadow(groupadd_t)
- # these may be unnecessary due to the above
- # domtrans_chk_passwd() call.
--auth_manage_shadow(groupadd_t)
- auth_relabel_shadow(groupadd_t)
- auth_etc_filetrans_shadow(groupadd_t)
-
-@@ -253,7 +275,8 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_run(groupadd_t, groupadd_roles)
-+# nscd_run(groupadd_t, groupadd_roles)
-+ nscd_domtrans(groupadd_t)
- ')
-
- optional_policy(`
-@@ -285,6 +308,7 @@ allow passwd_t self:shm create_shm_perms;
- allow passwd_t self:sem create_sem_perms;
- allow passwd_t self:msgq create_msgq_perms;
- allow passwd_t self:msg { send receive };
-+allow passwd_t self:netlink_selinux_socket create_socket_perms;
-
- allow passwd_t crack_db_t:dir list_dir_perms;
- read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -293,6 +317,7 @@ kernel_read_kernel_sysctls(passwd_t)
-
- # for SSP
- dev_read_urand(passwd_t)
-+dev_dontaudit_getattr_all(passwd_t)
-
- fs_getattr_xattr_fs(passwd_t)
- fs_search_auto_mountpoints(passwd_t)
-@@ -307,26 +332,38 @@ selinux_compute_create_context(passwd_t)
- selinux_compute_relabel_context(passwd_t)
- selinux_compute_user_contexts(passwd_t)
-
--term_use_all_ttys(passwd_t)
--term_use_all_ptys(passwd_t)
-+term_use_all_inherited_terms(passwd_t)
-+term_getattr_all_ptys(passwd_t)
-
--auth_run_chk_passwd(passwd_t, passwd_roles)
-+auth_manage_passwd(passwd_t)
- auth_manage_shadow(passwd_t)
- auth_relabel_shadow(passwd_t)
- auth_etc_filetrans_shadow(passwd_t)
--auth_use_nsswitch(passwd_t)
-+auth_use_pam(passwd_t)
-+
-+#auth_run_chk_passwd(passwd_t, passwd_roles)
-+#auth_manage_passwd(passwd_t)
-+#auth_manage_shadow(passwd_t)
-+#auth_relabel_shadow(passwd_t)
-+#auth_etc_filetrans_shadow(passwd_t)
-+#auth_use_nsswitch(passwd_t)
-
- # allow checking if a shell is executable
- corecmd_check_exec_shell(passwd_t)
-+corecmd_exec_bin(passwd_t)
-+
-+corenet_tcp_connect_kerberos_password_port(passwd_t)
-
- domain_use_interactive_fds(passwd_t)
-
- files_read_etc_runtime_files(passwd_t)
--files_manage_etc_files(passwd_t)
-+files_read_usr_files(passwd_t)
- files_search_var(passwd_t)
- files_dontaudit_search_pids(passwd_t)
- files_relabel_etc_files(passwd_t)
-
-+term_search_ptys(passwd_t)
-+
- # /usr/bin/passwd asks for w access to utmp, but it will operate
- # correctly without it. Do not audit write denials to utmp.
- init_dontaudit_rw_utmp(passwd_t)
-@@ -335,12 +372,11 @@ init_use_fds(passwd_t)
- logging_send_audit_msgs(passwd_t)
- logging_send_syslog_msg(passwd_t)
-
--miscfiles_read_localization(passwd_t)
-
- seutil_read_config(passwd_t)
- seutil_read_file_contexts(passwd_t)
-
--userdom_use_user_terminals(passwd_t)
-+userdom_use_inherited_user_terminals(passwd_t)
- userdom_use_unpriv_users_fds(passwd_t)
- # make sure that getcon succeeds
- userdom_getattr_all_users(passwd_t)
-@@ -349,9 +385,15 @@ userdom_read_user_tmp_files(passwd_t)
- # user generally runs this from their home directory, so do not audit a search
- # on user home dir
- userdom_dontaudit_search_user_home_content(passwd_t)
-+userdom_stream_connect(passwd_t)
-+
-+optional_policy(`
-+ gnome_exec_keyringd(passwd_t)
-+')
-
- optional_policy(`
-- nscd_run(passwd_t, passwd_roles)
-+ #nscd_run(passwd_t, passwd_roles)
-+ nscd_domtrans(passwd_t)
- ')
-
- ########################################
-@@ -398,9 +440,10 @@ dev_read_urand(sysadm_passwd_t)
- fs_getattr_xattr_fs(sysadm_passwd_t)
- fs_search_auto_mountpoints(sysadm_passwd_t)
-
--term_use_all_ttys(sysadm_passwd_t)
--term_use_all_ptys(sysadm_passwd_t)
-+term_use_all_inherited_terms(sysadm_passwd_t)
-+term_getattr_all_ptys(sysadm_passwd_t)
-
-+auth_manage_passwd(sysadm_passwd_t)
- auth_manage_shadow(sysadm_passwd_t)
- auth_relabel_shadow(sysadm_passwd_t)
- auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -413,7 +456,6 @@ files_read_usr_files(sysadm_passwd_t)
-
- domain_use_interactive_fds(sysadm_passwd_t)
-
--files_manage_etc_files(sysadm_passwd_t)
- files_relabel_etc_files(sysadm_passwd_t)
- files_read_etc_runtime_files(sysadm_passwd_t)
- # for nscd lookups
-@@ -423,19 +465,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
- # correctly without it. Do not audit write denials to utmp.
- init_dontaudit_rw_utmp(sysadm_passwd_t)
-
--miscfiles_read_localization(sysadm_passwd_t)
-
- logging_send_syslog_msg(sysadm_passwd_t)
-
--seutil_dontaudit_search_config(sysadm_passwd_t)
--
- userdom_use_unpriv_users_fds(sysadm_passwd_t)
- # user generally runs this from their home directory, so do not audit a search
- # on user home dir
- userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
-
- optional_policy(`
-- nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
-+ nscd_domtrans(sysadm_passwd_t)
-+ #nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
- ')
-
- ########################################
-@@ -443,7 +483,8 @@ optional_policy(`
- # Useradd local policy
- #
-
--allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
-+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource };
-+
- dontaudit useradd_t self:capability sys_tty_config;
- allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow useradd_t self:process setfscreate;
-@@ -465,36 +506,35 @@ corecmd_exec_shell(useradd_t)
- # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
- corecmd_exec_bin(useradd_t)
-
-+kernel_getattr_core_if(useradd_t)
-+dev_dontaudit_getattr_all(useradd_t)
-+
- domain_use_interactive_fds(useradd_t)
- domain_read_all_domains_state(useradd_t)
-+domain_dontaudit_read_all_domains_state(useradd_t)
-
--files_manage_etc_files(useradd_t)
- files_search_var_lib(useradd_t)
- files_relabel_etc_files(useradd_t)
- files_read_etc_runtime_files(useradd_t)
-+files_manage_etc_files(useradd_t)
-
- fs_search_auto_mountpoints(useradd_t)
- fs_getattr_xattr_fs(useradd_t)
-
- mls_file_upgrade(useradd_t)
-+mls_process_read_to_clearance(useradd_t)
-
--# Allow access to context for shadow file
--selinux_get_fs_mount(useradd_t)
--selinux_validate_context(useradd_t)
--selinux_compute_access_vector(useradd_t)
--selinux_compute_create_context(useradd_t)
--selinux_compute_relabel_context(useradd_t)
--selinux_compute_user_contexts(useradd_t)
--
--term_use_all_ttys(useradd_t)
--term_use_all_ptys(useradd_t)
-+term_use_all_inherited_terms(useradd_t)
-+term_getattr_all_ptys(useradd_t)
-
--auth_run_chk_passwd(useradd_t, useradd_roles)
-+#auth_run_chk_passwd(useradd_t, useradd_roles)
-+auth_domtrans_chk_passwd(useradd_t)
- auth_rw_lastlog(useradd_t)
- auth_rw_faillog(useradd_t)
- auth_use_nsswitch(useradd_t)
- # these may be unnecessary due to the above
- # domtrans_chk_passwd() call.
-+auth_manage_passwd(useradd_t)
- auth_manage_shadow(useradd_t)
- auth_relabel_shadow(useradd_t)
- auth_etc_filetrans_shadow(useradd_t)
-@@ -505,33 +545,36 @@ init_rw_utmp(useradd_t)
- logging_send_audit_msgs(useradd_t)
- logging_send_syslog_msg(useradd_t)
-
--miscfiles_read_localization(useradd_t)
-+
-+seutil_semanage_policy(useradd_t)
-+seutil_manage_file_contexts(useradd_t)
-+seutil_manage_config(useradd_t)
-+seutil_manage_login_config(useradd_t)
-+seutil_manage_default_contexts(useradd_t)
-
- seutil_read_config(useradd_t)
- seutil_read_file_contexts(useradd_t)
- seutil_read_default_contexts(useradd_t)
--seutil_run_semanage(useradd_t, useradd_roles)
--seutil_run_setfiles(useradd_t, useradd_roles)
-+seutil_domtrans_semanage(useradd_t)
-+seutil_domtrans_setfiles(useradd_t)
-+seutil_domtrans_loadpolicy(useradd_t)
-+#seutil_manage_bin_policy(useradd_t)
-+#seutil_manage_module_store(useradd_t)
-+seutil_get_semanage_trans_lock(useradd_t)
-+seutil_get_semanage_read_lock(useradd_t)
-+#seutil_run_semanage(useradd_t, useradd_roles)
-+#seutil_run_setfiles(useradd_t, useradd_roles)
-
- userdom_use_unpriv_users_fds(useradd_t)
- # Add/remove user home directories
--userdom_manage_user_home_dirs(useradd_t)
--userdom_home_filetrans_user_home_dir(useradd_t)
--userdom_manage_user_home_content_dirs(useradd_t)
--userdom_manage_user_home_content_files(useradd_t)
- userdom_home_filetrans_user_home_dir(useradd_t)
--userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
-+userdom_manage_home_role(system_r, useradd_t)
-+userdom_delete_all_user_home_content(useradd_t)
-
- optional_policy(`
- mta_manage_spool(useradd_t)
- ')
-
--ifdef(`distro_redhat',`
-- optional_policy(`
-- unconfined_domain(useradd_t)
-- ')
--')
--
- optional_policy(`
- apache_manage_all_user_content(useradd_t)
- ')
-@@ -542,7 +585,8 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_run(useradd_t, useradd_roles)
-+ nscd_domtrans(useradd_t)
-+# nscd_run(useradd_t, useradd_roles)
- ')
-
- optional_policy(`
-@@ -550,6 +594,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rpc_list_nfs_state_data(useradd_t)
-+ rpc_read_nfs_state_data(useradd_t)
-+')
-+
-+optional_policy(`
- tunable_policy(`samba_domain_controller',`
- samba_append_log(useradd_t)
- ')
-@@ -559,3 +608,7 @@ optional_policy(`
- rpm_use_fds(useradd_t)
- rpm_rw_pipes(useradd_t)
- ')
-+
-+optional_policy(`
-+ stapserver_manage_lib(useradd_t)
-+')
-diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
-index 1dc7a85..dcc6337 100644
---- a/policy/modules/apps/seunshare.if
-+++ b/policy/modules/apps/seunshare.if
-@@ -43,18 +43,18 @@ interface(`seunshare_run',`
- role $2 types seunshare_t;
-
- allow $1 seunshare_t:process signal_perms;
--
-- ifdef(`hide_broken_symptoms', `
-- dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
-- dontaudit seunshare_t $1:udp_socket rw_socket_perms;
-- dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
-- ')
- ')
-
- ########################################
- ##
--## Role access for seunshare
-+## The role template for the seunshare module.
- ##
-+##
-+##
-+## The prefix of the user role (e.g., user
-+## is the prefix for user_r).
-+##
-+##
- ##
- ##
- ## Role allowed access.
-@@ -66,15 +66,43 @@ interface(`seunshare_run',`
- ##
- ##
- #
--interface(`seunshare_role',`
-+interface(`seunshare_role_template',`
- gen_require(`
-- type seunshare_t;
-+ attribute seunshare_domain;
-+ type seunshare_exec_t;
- ')
-
-- role $2 types seunshare_t;
-+ type $1_seunshare_t, seunshare_domain;
-+ application_domain($1_seunshare_t, seunshare_exec_t)
-+ role $2 types $1_seunshare_t;
-
-- seunshare_domtrans($1)
-+ kernel_read_system_state($1_seunshare_t)
-+
-+ auth_use_nsswitch($1_seunshare_t)
-+
-+ logging_send_syslog_msg($1_seunshare_t)
-+
-+ mls_process_set_level($1_seunshare_t)
-+
-+ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
-+
-+ # part of sandboxX.pp
-+ optional_policy(`
-+ sandbox_x_transition($1_seunshare_t, $2)
-+ ')
-+
-+ # part of sandbox.pp
-+ optional_policy(`
-+ sandbox_transition($1_seunshare_t, $2)
-+ ')
-+
-+ ps_process_pattern($3, $1_seunshare_t)
-+ allow $3 $1_seunshare_t:process signal_perms;
-+ allow $3 $1_seunshare_t:fd use;
-+
-+ allow $1_seunshare_t $3:process transition;
-+ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
-
-- ps_process_pattern($2, seunshare_t)
-- allow $2 seunshare_t:process signal;
-+ corecmd_bin_domtrans($1_seunshare_t, $1_t)
-+ corecmd_shell_domtrans($1_seunshare_t, $1_t)
- ')
-diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..19aaaed 100644
---- a/policy/modules/apps/seunshare.te
-+++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,57 @@ policy_module(seunshare, 1.1.0)
- # Declarations
- #
-
--type seunshare_t;
-+attribute seunshare_domain;
- type seunshare_exec_t;
--application_domain(seunshare_t, seunshare_exec_t)
--role system_r types seunshare_t;
-
- ########################################
- #
- # seunshare local policy
- #
-+allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice };
-+allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
-
--allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
--allow seunshare_t self:process { setexec signal getcap setcap };
-+allow seunshare_domain self:fifo_file rw_file_perms;
-+allow seunshare_domain self:unix_stream_socket create_stream_socket_perms;
-
--allow seunshare_t self:fifo_file rw_file_perms;
--allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
-+corecmd_exec_shell(seunshare_domain)
-+corecmd_exec_bin(seunshare_domain)
-
--corecmd_exec_shell(seunshare_t)
--corecmd_exec_bin(seunshare_t)
-+dev_read_urand(seunshare_domain)
-+dev_dontaudit_rw_dri(seunshare_domain)
-
--files_read_etc_files(seunshare_t)
--files_mounton_all_poly_members(seunshare_t)
-+files_search_all(seunshare_domain)
-+files_read_etc_files(seunshare_domain)
-+files_mounton_all_poly_members(seunshare_domain)
-+files_mounton_rootfs(seunshare_domain)
-+files_manage_generic_tmp_dirs(seunshare_domain)
-+files_relabelfrom_tmp_dirs(seunshare_domain)
-
--auth_use_nsswitch(seunshare_t)
--
--logging_send_syslog_msg(seunshare_t)
--
--miscfiles_read_localization(seunshare_t)
--
--userdom_use_user_terminals(seunshare_t)
-+fs_manage_cgroup_dirs(seunshare_domain)
-+fs_manage_cgroup_files(seunshare_domain)
-+fs_unmount_all_fs(seunshare_domain)
-
-+userdom_dontaudit_rw_user_tmp_pipes(seunshare_domain)
-+userdom_use_inherited_user_terminals(seunshare_domain)
-+userdom_list_user_home_content(seunshare_domain)
- ifdef(`hide_broken_symptoms', `
-- fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
-+ fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
-+ fs_dontaudit_list_inotifyfs(seunshare_domain)
-
- optional_policy(`
-- mozilla_dontaudit_manage_user_home_files(seunshare_t)
-+ mozilla_dontaudit_manage_user_home_files(seunshare_domain)
-+ mozilla_plugin_dontaudit_leaks(seunshare_domain)
- ')
- ')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_mounton_nfs(seunshare_domain)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_mounton_cifs(seunshare_domain)
-+')
-+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_mounton_fusefs(seunshare_domain)
-+')
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..e2c87b3 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -1,9 +1,10 @@
- #
- # /bin
- #
--/bin -d gen_context(system_u:object_r:bin_t,s0)
-+/bin gen_context(system_u:object_r:bin_t,s0)
- /bin/.* gen_context(system_u:object_r:bin_t,s0)
- /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -46,6 +47,7 @@ ifdef(`distro_redhat',`
- /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
- /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
-
-+/etc/auto\.[^/]* -- gen_context(system_u:object_r:bin_t,s0)
- /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0)
-
- /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -71,10 +73,18 @@ ifdef(`distro_redhat',`
- /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-+/etc/redhat-lsb(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+
-+/etc/lxdm/LoginReady -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/lxdm/Post.* -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/lxdm/Pre.* -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/lxdm/Xsession -- gen_context(system_u:object_r:bin_t,s0)
-+
- /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
- /etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
- /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/munin/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-@@ -97,8 +107,6 @@ ifdef(`distro_redhat',`
-
- /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
-
--/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
--
- /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
- /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
- /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
-@@ -130,10 +138,11 @@ ifdef(`distro_debian',`
-
- /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
--/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
- /lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
-+/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
- /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
- /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/lib/security/pam_krb5(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- ifdef(`distro_gentoo',`
- /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-@@ -147,7 +156,7 @@ ifdef(`distro_gentoo',`
- #
- # /sbin
- #
--/sbin -d gen_context(system_u:object_r:bin_t,s0)
-+/sbin gen_context(system_u:object_r:bin_t,s0)
- /sbin/.* gen_context(system_u:object_r:bin_t,s0)
- /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
- /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-@@ -163,6 +172,7 @@ ifdef(`distro_gentoo',`
- /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/opt/google/chrome(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-@@ -174,53 +184,80 @@ ifdef(`distro_gentoo',`
- /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
- ')
-
-+/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+
- #
- # /usr
- #
-+/usr/bin -d gen_context(system_u:object_r:bin_t,s0)
- /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
--/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/bin/pingus.* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-
--/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
-
- /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-+/usr/lib/jvm/java(.*/)bin(/.*) gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/libreoffice(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
--/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/chromium-browser(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/mailman.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/mailman.*/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/MailScanner(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/ocf(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/tumbler-[^/]*/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/systemd/system-sleep/(.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -235,10 +272,15 @@ ifdef(`distro_gentoo',`
- /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/debug/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/xulrunner[^/]*/xulrunner[^/]* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/xulrunner[^/]*/updater -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/xulrunner[^/]*/crashreporter -- gen_context(system_u:object_r:bin_t,s0)
-+
- /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -251,11 +293,17 @@ ifdef(`distro_gentoo',`
-
- /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-
--/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
--/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-+/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
-+/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0)
-+/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+
-+/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -271,10 +319,15 @@ ifdef(`distro_gentoo',`
- /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
- /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/cluster/checkquorum.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/gitolite3/commands(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -289,16 +342,21 @@ ifdef(`distro_gentoo',`
- /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
--/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/shorewall6?/configpath -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/shorewall6?/wait4ifup -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
- /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
--/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
-
- ifdef(`distro_debian',`
- /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,8 +372,12 @@ ifdef(`distro_redhat', `
- /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
- /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
-
-+/usr/lib/.*/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/nfs-utils/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/tuned/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,9 +387,11 @@ ifdef(`distro_redhat', `
- /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/kde4/apps/kajongg/kajongg.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +440,15 @@ ifdef(`distro_suse', `
- #
- # /var
- #
--/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/var/mailman.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+
- /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
-
- /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -390,3 +458,12 @@ ifdef(`distro_suse', `
- ifdef(`distro_suse',`
- /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
- ')
-+
-+#
-+# /usr/lib
-+#
-+
-+/usr/lib/dracut(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/iscan/network -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
-diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..87d577e 100644
---- a/policy/modules/kernel/corecommands.if
-+++ b/policy/modules/kernel/corecommands.if
-@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',`
- type bin_t;
- ')
-
-+ corecmd_read_bin_symlinks($1)
- search_dirs_pattern($1, bin_t, bin_t)
- ')
-
-@@ -158,6 +159,7 @@ interface(`corecmd_list_bin',`
- type bin_t;
- ')
-
-+ corecmd_read_bin_symlinks($1)
- list_dirs_pattern($1, bin_t, bin_t)
- ')
-
-@@ -203,7 +205,7 @@ interface(`corecmd_getattr_bin_files',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -231,6 +233,7 @@ interface(`corecmd_read_bin_files',`
- type bin_t;
- ')
-
-+ corecmd_read_bin_symlinks($1)
- read_files_pattern($1, bin_t, bin_t)
- ')
-
-@@ -254,6 +257,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
-
- ########################################
- ##
-+## Do not audit attempts to access check bin files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corecmd_dontaudit_access_check_bin',`
-+ gen_require(`
-+ type bin_t;
-+ ')
-+
-+ dontaudit $1 bin_t:file audit_access;
-+')
-+
-+########################################
-+##
- ## Read symbolic links in bin directories.
- ##
- ##
-@@ -285,6 +306,7 @@ interface(`corecmd_read_bin_pipes',`
- type bin_t;
- ')
-
-+ corecmd_read_bin_symlinks(bin_t)
- read_fifo_files_pattern($1, bin_t, bin_t)
- ')
-
-@@ -303,6 +325,7 @@ interface(`corecmd_read_bin_sockets',`
- type bin_t;
- ')
-
-+ corecmd_read_bin_symlinks($1)
- read_sock_files_pattern($1, bin_t, bin_t)
- ')
-
-@@ -345,6 +368,10 @@ interface(`corecmd_exec_bin',`
- read_lnk_files_pattern($1, bin_t, bin_t)
- list_dirs_pattern($1, bin_t, bin_t)
- can_exec($1, bin_t)
-+
-+ ifdef(`enable_mls',`',`
-+ files_exec_all_base_ro_files($1)
-+ ')
- ')
-
- ########################################
-@@ -362,6 +389,7 @@ interface(`corecmd_manage_bin_files',`
- type bin_t;
- ')
-
-+ corecmd_read_bin_symlinks($1)
- manage_files_pattern($1, bin_t, bin_t)
- ')
-
-@@ -398,6 +426,7 @@ interface(`corecmd_mmap_bin_files',`
- type bin_t;
- ')
-
-+ corecmd_read_bin_symlinks($1)
- mmap_files_pattern($1, bin_t, bin_t)
- ')
-
-@@ -954,6 +983,24 @@ interface(`corecmd_exec_chroot',`
-
- ########################################
- ##
-+## Do not audit attempts to access check executable files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corecmd_dontaudit_access_all_executables',`
-+ gen_require(`
-+ attribute exec_type;
-+ ')
-+
-+ dontaudit $1 exec_type:file audit_access;
-+')
-+
-+########################################
-+##
- ## Get the attributes of all executable files.
- ##
- ##
-@@ -1012,6 +1059,10 @@ interface(`corecmd_exec_all_executables',`
- can_exec($1, exec_type)
- list_dirs_pattern($1, bin_t, bin_t)
- read_lnk_files_pattern($1, bin_t, exec_type)
-+
-+ ifdef(`enable_mls',`',`
-+ files_exec_all_base_ro_files($1)
-+ ')
- ')
-
- ########################################
-@@ -1049,6 +1100,7 @@ interface(`corecmd_manage_all_executables',`
- type bin_t;
- ')
-
-+ manage_dirs_pattern($1, bin_t, exec_type)
- manage_files_pattern($1, bin_t, exec_type)
- manage_lnk_files_pattern($1, bin_t, bin_t)
- ')
-@@ -1091,3 +1143,36 @@ interface(`corecmd_mmap_all_executables',`
-
- mmap_files_pattern($1, bin_t, exec_type)
- ')
-+
-+########################################
-+##
-+## Create objects in the /bin directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`corecmd_bin_filetrans',`
-+ gen_require(`
-+ type bin_t;
-+ ')
-+
-+ filetrans_pattern($1, bin_t, $2, $3, $4)
-+')
-diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
-index 1dd0427..6d6f456 100644
---- a/policy/modules/kernel/corecommands.te
-+++ b/policy/modules/kernel/corecommands.te
-@@ -13,7 +13,8 @@ attribute exec_type;
- #
- # bin_t is the type of files in the system bin/sbin directories.
- #
--type bin_t alias { ls_exec_t sbin_t };
-+type bin_t alias { ls_exec_t sbin_t unconfined_execmem_exec_t execmem_exec_t java_exec_t mono_exec_t };
-+files_ro_base_file(bin_t)
- corecmd_executable_file(bin_t)
- dev_associate(bin_t) #For /dev/MAKEDEV
-
-@@ -21,6 +22,7 @@ dev_associate(bin_t) #For /dev/MAKEDEV
- # shell_exec_t is the type of user shells such as /bin/bash.
- #
- type shell_exec_t;
-+files_ro_base_file(shell_exec_t)
- corecmd_executable_file(shell_exec_t)
-
- type chroot_exec_t;
-diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc
-index f9b25c1..9af1f7a 100644
---- a/policy/modules/kernel/corenetwork.fc
-+++ b/policy/modules/kernel/corenetwork.fc
-@@ -8,3 +8,6 @@
-
- /lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
- /lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
-+
-+/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
-+/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
-diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 07126bd..7ac4630 100644
---- a/policy/modules/kernel/corenetwork.if.in
-+++ b/policy/modules/kernel/corenetwork.if.in
-@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
- ')
-
- typeattribute $1 reserved_port_type;
-+ corenet_port($1)
- ')
-
- ########################################
-@@ -82,6 +83,7 @@ interface(`corenet_rpc_port',`
- ')
-
- typeattribute $1 rpc_port_type;
-+ corenet_port($1)
- ')
-
- ########################################
-@@ -615,6 +617,24 @@ interface(`corenet_raw_sendrecv_all_if',`
-
- ########################################
- ##
-+## Send and receive DCCP network traffic on generic nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_sendrecv_generic_node',`
-+ gen_require(`
-+ type node_t;
-+ ')
-+
-+ allow $1 node_t:node { dccp_send dccp_recv sendto recvfrom };
-+')
-+
-+########################################
-+##
- ## Send and receive TCP network traffic on generic nodes.
- ##
- ##
-@@ -789,6 +809,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
-
- ########################################
- ##
-+## Bind DCCP sockets to generic nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_generic_node',`
-+ gen_require(`
-+ type node_t;
-+ ')
-+
-+ allow $1 node_t:dccp_socket node_bind;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to generic nodes.
- ##
- ##
-@@ -928,6 +966,24 @@ interface(`corenet_inout_generic_node',`
-
- ########################################
- ##
-+## Send and receive DCCP network traffic on all nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_sendrecv_all_nodes',`
-+ gen_require(`
-+ attribute node_type;
-+ ')
-+
-+ allow $1 node_type:node { dccp_send dccp_recv sendto recvfrom };
-+')
-+
-+########################################
-+##
- ## Send and receive TCP network traffic on all nodes.
- ##
- ##
-@@ -1102,6 +1158,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
-
- ########################################
- ##
-+## Bind DCCP sockets to all nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_all_nodes',`
-+ gen_require(`
-+ attribute node_type;
-+ ')
-+
-+ allow $1 node_type:dccp_socket node_bind;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to all nodes.
- ##
- ##
-@@ -1157,6 +1231,24 @@ interface(`corenet_raw_bind_all_nodes',`
-
- ########################################
- ##
-+## Send and receive DCCP network traffic on generic ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_sendrecv_generic_port',`
-+ gen_require(`
-+ type port_t, unreserved_port_t, ephemeral_port_t;
-+ ')
-+
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
-+')
-+
-+########################################
-+##
- ## Send and receive TCP network traffic on generic ports.
- ##
- ##
-@@ -1167,10 +1259,30 @@ interface(`corenet_raw_bind_all_nodes',`
- #
- interface(`corenet_tcp_sendrecv_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- ')
-
-- allow $1 port_t:tcp_socket { send_msg recv_msg };
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to send and
-+## receive DCCP network traffic on
-+## generic ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_sendrecv_generic_port',`
-+ gen_require(`
-+ type port_t, unreserved_port_t, ephemeral_port_t;
-+ ')
-+
-+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
- ')
-
- ########################################
-@@ -1185,10 +1297,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
- #
- interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- ')
-
-- dontaudit $1 port_t:tcp_socket { send_msg recv_msg };
-+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
- ')
-
- ########################################
-@@ -1203,10 +1315,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
- #
- interface(`corenet_udp_send_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- ')
-
-- allow $1 port_t:udp_socket send_msg;
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket send_msg;
- ')
-
- ########################################
-@@ -1221,10 +1333,10 @@ interface(`corenet_udp_send_generic_port',`
- #
- interface(`corenet_udp_receive_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- ')
-
-- allow $1 port_t:udp_socket recv_msg;
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket recv_msg;
- ')
-
- ########################################
-@@ -1244,6 +1356,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
-
- ########################################
- ##
-+## Bind DCCP sockets to generic ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_generic_port',`
-+ gen_require(`
-+ type port_t, unreserved_port_t, ephemeral_port_t;
-+ attribute defined_port_type;
-+ ')
-+
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
-+ dontaudit $1 defined_port_type:dccp_socket name_bind;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to generic ports.
- ##
- ##
-@@ -1254,16 +1386,35 @@ interface(`corenet_udp_sendrecv_generic_port',`
- #
- interface(`corenet_tcp_bind_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- attribute defined_port_type;
- ')
-
-- allow $1 port_t:tcp_socket name_bind;
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
- dontaudit $1 defined_port_type:tcp_socket name_bind;
- ')
-
- ########################################
- ##
-+## Do not audit attempts to bind DCCP
-+## sockets to generic ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_bind_generic_port',`
-+ gen_require(`
-+ type port_t, unreserved_port_t, ephemeral_port_t;
-+ ')
-+
-+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
-+')
-+
-+########################################
-+##
- ## Do not audit bind TCP sockets to generic ports.
- ##
- ##
-@@ -1274,10 +1425,10 @@ interface(`corenet_tcp_bind_generic_port',`
- #
- interface(`corenet_dontaudit_tcp_bind_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- ')
-
-- dontaudit $1 port_t:tcp_socket name_bind;
-+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
- ')
-
- ########################################
-@@ -1292,16 +1443,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
- #
- interface(`corenet_udp_bind_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- attribute defined_port_type;
- ')
-
-- allow $1 port_t:udp_socket name_bind;
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket name_bind;
- dontaudit $1 defined_port_type:udp_socket name_bind;
- ')
-
- ########################################
- ##
-+## Connect DCCP sockets to generic ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_connect_generic_port',`
-+ gen_require(`
-+ type port_t, unreserved_port_t,ephemeral_port_t;
-+ ')
-+
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Connect TCP sockets to generic ports.
- ##
- ##
-@@ -1312,10 +1481,28 @@ interface(`corenet_udp_bind_generic_port',`
- #
- interface(`corenet_tcp_connect_generic_port',`
- gen_require(`
-- type port_t;
-+ type port_t, unreserved_port_t, ephemeral_port_t;
- ')
-
-- allow $1 port_t:tcp_socket name_connect;
-+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect;
-+')
-+
-+########################################
-+##
-+## Send and receive DCCP network traffic on all ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_sendrecv_all_ports',`
-+ gen_require(`
-+ attribute port_type;
-+ ')
-+
-+ allow $1 port_type:dccp_socket { send_msg recv_msg };
- ')
-
- ########################################
-@@ -1439,6 +1626,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
-
- ########################################
- ##
-+## Bind DCCP sockets to all ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_all_ports',`
-+ gen_require(`
-+ attribute port_type;
-+ ')
-+
-+ allow $1 port_type:dccp_socket name_bind;
-+ allow $1 self:capability net_bind_service;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to all ports.
- ##
- ##
-@@ -1458,6 +1664,24 @@ interface(`corenet_tcp_bind_all_ports',`
-
- ########################################
- ##
-+## Do not audit attepts to bind DCCP sockets to any ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_bind_all_ports',`
-+ gen_require(`
-+ attribute port_type;
-+ ')
-+
-+ dontaudit $1 port_type:dccp_socket name_bind;
-+')
-+
-+########################################
-+##
- ## Do not audit attepts to bind TCP sockets to any ports.
- ##
- ##
-@@ -1513,6 +1737,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
-
- ########################################
- ##
-+## Connect DCCP sockets to all ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_connect_all_ports',`
-+ gen_require(`
-+ attribute port_type;
-+ ')
-+
-+ allow $1 port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Connect TCP sockets to all ports.
- ##
- ##
-@@ -1559,6 +1801,25 @@ interface(`corenet_tcp_connect_all_ports',`
-
- ########################################
- ##
-+## Do not audit attempts to connect DCCP sockets
-+## to all ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_connect_all_ports',`
-+ gen_require(`
-+ attribute port_type;
-+ ')
-+
-+ dontaudit $1 port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to connect TCP sockets
- ## to all ports.
- ##
-@@ -1578,6 +1839,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
-
- ########################################
- ##
-+## Send and receive DCCP network traffic on generic reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_sendrecv_reserved_port',`
-+ gen_require(`
-+ type reserved_port_t;
-+ ')
-+
-+ allow $1 reserved_port_t:dccp_socket { send_msg recv_msg };
-+')
-+
-+########################################
-+##
- ## Send and receive TCP network traffic on generic reserved ports.
- ##
- ##
-@@ -1647,6 +1926,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
-
- ########################################
- ##
-+## Bind DCCP sockets to generic reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_reserved_port',`
-+ gen_require(`
-+ type reserved_port_t;
-+ ')
-+
-+ allow $1 reserved_port_t:dccp_socket name_bind;
-+ allow $1 self:capability net_bind_service;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to generic reserved ports.
- ##
- ##
-@@ -1685,6 +1983,24 @@ interface(`corenet_udp_bind_reserved_port',`
-
- ########################################
- ##
-+## Connect DCCP sockets to generic reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_connect_reserved_port',`
-+ gen_require(`
-+ type reserved_port_t;
-+ ')
-+
-+ allow $1 reserved_port_t:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Connect TCP sockets to generic reserved ports.
- ##
- ##
-@@ -1703,6 +2019,24 @@ interface(`corenet_tcp_connect_reserved_port',`
-
- ########################################
- ##
-+## Send and receive DCCP network traffic on all reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_sendrecv_all_reserved_ports',`
-+ gen_require(`
-+ attribute reserved_port_type;
-+ ')
-+
-+ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
-+')
-+
-+########################################
-+##
- ## Send and receive TCP network traffic on all reserved ports.
- ##
- ##
-@@ -1752,12 +2086,210 @@ interface(`corenet_udp_receive_all_reserved_ports',`
- attribute reserved_port_type;
- ')
-
-- allow $1 reserved_port_type:udp_socket recv_msg;
-+ allow $1 reserved_port_type:udp_socket recv_msg;
-+')
-+
-+########################################
-+##
-+## Send and receive UDP network traffic on all reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_udp_sendrecv_all_reserved_ports',`
-+ corenet_udp_send_all_reserved_ports($1)
-+ corenet_udp_receive_all_reserved_ports($1)
-+')
-+
-+########################################
-+##
-+## Bind DCCP sockets to all reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_all_reserved_ports',`
-+ gen_require(`
-+ attribute reserved_port_type;
-+ ')
-+
-+ allow $1 reserved_port_type:dccp_socket name_bind;
-+ allow $1 self:capability net_bind_service;
-+')
-+
-+########################################
-+##
-+## Bind TCP sockets to all reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_tcp_bind_all_reserved_ports',`
-+ gen_require(`
-+ attribute reserved_port_type;
-+ ')
-+
-+ allow $1 reserved_port_type:tcp_socket name_bind;
-+ allow $1 self:capability net_bind_service;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to bind DCCP sockets to all reserved ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_bind_all_reserved_ports',`
-+ gen_require(`
-+ attribute reserved_port_type;
-+ ')
-+
-+ dontaudit $1 reserved_port_type:dccp_socket name_bind;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to bind TCP sockets to all reserved ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
-+ gen_require(`
-+ attribute reserved_port_type;
-+ ')
-+
-+ dontaudit $1 reserved_port_type:tcp_socket name_bind;
-+')
-+
-+########################################
-+##
-+## Bind UDP sockets to all reserved ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_udp_bind_all_reserved_ports',`
-+ gen_require(`
-+ attribute reserved_port_type;
-+ ')
-+
-+ allow $1 reserved_port_type:udp_socket name_bind;
-+ allow $1 self:capability net_bind_service;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to bind UDP sockets to all reserved ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
-+ gen_require(`
-+ attribute reserved_port_type;
-+ ')
-+
-+ dontaudit $1 reserved_port_type:udp_socket name_bind;
-+')
-+
-+########################################
-+##
-+## Bind DCCP sockets to all ports > 1024.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_all_unreserved_ports',`
-+ gen_require(`
-+ attribute unreserved_port_type;
-+ ')
-+
-+ allow $1 unreserved_port_type:dccp_socket name_bind;
-+')
-+
-+########################################
-+##
-+## Bind TCP sockets to all ports > 1024.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_tcp_bind_all_unreserved_ports',`
-+ gen_require(`
-+ attribute unreserved_port_type;
-+ ')
-+
-+ allow $1 unreserved_port_type:tcp_socket name_bind;
-+')
-+
-+########################################
-+##
-+## Bind UDP sockets to all ports > 1024.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_udp_bind_all_unreserved_ports',`
-+ gen_require(`
-+ attribute unreserved_port_type;
-+ ')
-+
-+ allow $1 unreserved_port_type:udp_socket name_bind;
-+')
-+
-+########################################
-+##
-+## Bind TCP sockets to all ports > 32768.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_tcp_bind_all_ephemeral_ports',`
-+ gen_require(`
-+ attribute ephemeral_port_type;
-+ ')
-+
-+ allow $1 ephemeral_port_type:tcp_socket name_bind;
- ')
-
- ########################################
- ##
--## Send and receive UDP network traffic on all reserved ports.
-+## Bind UDP sockets to all ports > 32768.
- ##
- ##
- ##
-@@ -1765,14 +2297,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
- ##
- ##
- #
--interface(`corenet_udp_sendrecv_all_reserved_ports',`
-- corenet_udp_send_all_reserved_ports($1)
-- corenet_udp_receive_all_reserved_ports($1)
-+interface(`corenet_udp_bind_all_ephemeral_ports',`
-+ gen_require(`
-+ attribute ephemeral_port_type;
-+ ')
-+
-+ allow $1 ephemeral_port_type:udp_socket name_bind;
- ')
-
- ########################################
- ##
--## Bind TCP sockets to all reserved ports.
-+## Connect DCCP sockets to reserved ports.
- ##
- ##
- ##
-@@ -1780,36 +2315,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
- ##
- ##
- #
--interface(`corenet_tcp_bind_all_reserved_ports',`
-+interface(`corenet_dccp_connect_all_reserved_ports',`
- gen_require(`
- attribute reserved_port_type;
- ')
-
-- allow $1 reserved_port_type:tcp_socket name_bind;
-- allow $1 self:capability net_bind_service;
-+ allow $1 reserved_port_type:dccp_socket name_connect;
- ')
-
- ########################################
- ##
--## Do not audit attempts to bind TCP sockets to all reserved ports.
-+## Connect TCP sockets to reserved ports.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
-+interface(`corenet_tcp_connect_all_reserved_ports',`
- gen_require(`
- attribute reserved_port_type;
- ')
-
-- dontaudit $1 reserved_port_type:tcp_socket name_bind;
-+ allow $1 reserved_port_type:tcp_socket name_connect;
- ')
-
- ########################################
- ##
--## Bind UDP sockets to all reserved ports.
-+## Connect DCCP sockets to all ports > 1024.
- ##
- ##
- ##
-@@ -1817,36 +2351,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
- ##
- ##
- #
--interface(`corenet_udp_bind_all_reserved_ports',`
-+interface(`corenet_dccp_connect_all_unreserved_ports',`
- gen_require(`
-- attribute reserved_port_type;
-+ attribute unreserved_port_type;
- ')
-
-- allow $1 reserved_port_type:udp_socket name_bind;
-- allow $1 self:capability net_bind_service;
-+ allow $1 unreserved_port_type:dccp_socket name_connect;
- ')
-
--########################################
-+#######################################
- ##
--## Do not audit attempts to bind UDP sockets to all reserved ports.
-+## Connect TCP sockets to ports > 1024.
- ##
- ##
--##
--## Domain to not audit.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
--interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
-- gen_require(`
-- attribute reserved_port_type;
-- ')
-+interface(`corenet_tcp_connect_unreserved_ports',`
-+ gen_require(`
-+ type unreserved_port_t;
-+ ')
-
-- dontaudit $1 reserved_port_type:udp_socket name_bind;
-+ allow $1 unreserved_port_t:tcp_socket name_connect;
- ')
-
- ########################################
- ##
--## Bind TCP sockets to all ports > 1024.
-+## Connect TCP sockets to all ports > 1024.
- ##
- ##
- ##
-@@ -1854,17 +2387,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
- ##
- ##
- #
--interface(`corenet_tcp_bind_all_unreserved_ports',`
-+interface(`corenet_tcp_connect_all_unreserved_ports',`
- gen_require(`
- attribute unreserved_port_type;
- ')
-
-- allow $1 unreserved_port_type:tcp_socket name_bind;
-+ allow $1 unreserved_port_type:tcp_socket name_connect;
- ')
-
- ########################################
- ##
--## Bind UDP sockets to all ports > 1024.
-+## Connect TCP sockets to all ports > 32768.
- ##
- ##
- ##
-@@ -1872,67 +2405,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
- ##
- ##
- #
--interface(`corenet_udp_bind_all_unreserved_ports',`
-+interface(`corenet_tcp_connect_all_ephemeral_ports',`
- gen_require(`
-- attribute unreserved_port_type;
-+ attribute ephemeral_port_type;
- ')
-
-- allow $1 unreserved_port_type:udp_socket name_bind;
-+ allow $1 ephemeral_port_type:tcp_socket name_connect;
- ')
-
- ########################################
- ##
--## Connect TCP sockets to reserved ports.
-+## Do not audit attempts to connect DCCP sockets
-+## all reserved ports.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`corenet_tcp_connect_all_reserved_ports',`
-+interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
- gen_require(`
- attribute reserved_port_type;
- ')
-
-- allow $1 reserved_port_type:tcp_socket name_connect;
-+ dontaudit $1 reserved_port_type:dccp_socket name_connect;
- ')
-
- ########################################
- ##
--## Connect TCP sockets to all ports > 1024.
-+## Do not audit attempts to connect TCP sockets
-+## all reserved ports.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`corenet_tcp_connect_all_unreserved_ports',`
-+interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
- gen_require(`
-- attribute unreserved_port_type;
-+ attribute reserved_port_type;
- ')
-
-- allow $1 unreserved_port_type:tcp_socket name_connect;
-+ dontaudit $1 reserved_port_type:tcp_socket name_connect;
- ')
-
- ########################################
- ##
--## Do not audit attempts to connect TCP sockets
--## all reserved ports.
-+## Connect DCCP sockets to rpc ports.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
-+interface(`corenet_dccp_connect_all_rpc_ports',`
- gen_require(`
-- attribute reserved_port_type;
-+ attribute rpc_port_type;
- ')
-
-- dontaudit $1 reserved_port_type:tcp_socket name_connect;
-+ allow $1 rpc_port_type:dccp_socket name_connect;
- ')
-
- ########################################
-@@ -1955,6 +2489,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
-
- ########################################
- ##
-+## Do not audit attempts to connect DCCP sockets
-+## all rpc ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',`
-+ gen_require(`
-+ attribute rpc_port_type;
-+ ')
-+
-+ dontaudit $1 rpc_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to connect TCP sockets
- ## all rpc ports.
- ##
-@@ -1993,6 +2546,24 @@ interface(`corenet_rw_tun_tap_dev',`
-
- ########################################
- ##
-+## Read and write inherited TUN/TAP virtual network device.
-+##
-+##
-+##
-+## The domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_rw_inherited_tun_tap_dev',`
-+ gen_require(`
-+ type tun_tap_device_t;
-+ ')
-+
-+ allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read or write the TUN/TAP
- ## virtual network device.
- ##
-@@ -2049,6 +2620,25 @@ interface(`corenet_rw_ppp_dev',`
-
- ########################################
- ##
-+## Bind DCCP sockets to all RPC ports.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_bind_all_rpc_ports',`
-+ gen_require(`
-+ attribute rpc_port_type;
-+ ')
-+
-+ allow $1 rpc_port_type:dccp_socket name_bind;
-+ allow $1 self:capability net_bind_service;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to all RPC ports.
- ##
- ##
-@@ -2068,6 +2658,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
-
- ########################################
- ##
-+## Do not audit attempts to bind DCCP sockets to all RPC ports.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_bind_all_rpc_ports',`
-+ gen_require(`
-+ attribute rpc_port_type;
-+ ')
-+
-+ dontaudit $1 rpc_port_type:dccp_socket name_bind;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to bind TCP sockets to all RPC ports.
- ##
- ##
-@@ -2194,6 +2802,25 @@ interface(`corenet_tcp_recv_netlabel',`
-
- ########################################
- ##
-+## Receive DCCP packets from a NetLabel connection.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dccp_recvfrom_netlabel',`
-+ gen_require(`
-+ type netlabel_peer_t;
-+ ')
-+
-+ allow $1 netlabel_peer_t:peer recv;
-+ allow $1 netlabel_peer_t:dccp_socket recvfrom;
-+')
-+
-+########################################
-+##
- ## Receive TCP packets from a NetLabel connection.
- ##
- ##
-@@ -2213,7 +2840,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
-
- ########################################
- ##
--## Receive TCP packets from an unlabled connection.
-+## Receive DCCP packets from an unlabled connection.
- ##
- ##
- ##
-@@ -2221,10 +2848,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
- ##
- ##
- #
--interface(`corenet_tcp_recvfrom_unlabeled',`
-- kernel_tcp_recvfrom_unlabeled($1)
-+interface(`corenet_dccp_recvfrom_unlabeled',`
-+ gen_require(`
-+ attribute corenet_unlabeled_type;
-+ ')
-+
-+ kernel_dccp_recvfrom_unlabeled($1)
- kernel_recvfrom_unlabeled_peer($1)
-
-+ typeattribute $1 corenet_unlabeled_type;
- # XXX - at some point the oubound/send access check will be removed
- # but for right now we need to keep this in place so as not to break
- # older systems
-@@ -2249,6 +2881,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
-
- ########################################
- ##
-+## Do not audit attempts to receive DCCP packets from a NetLabel
-+## connection.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_recvfrom_netlabel',`
-+ gen_require(`
-+ type netlabel_peer_t;
-+ ')
-+
-+ dontaudit $1 netlabel_peer_t:peer recv;
-+ dontaudit $1 netlabel_peer_t:dccp_socket recvfrom;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to receive TCP packets from a NetLabel
- ## connection.
- ##
-@@ -2269,6 +2921,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
-
- ########################################
- ##
-+## Do not audit attempts to receive DCCP packets from an unlabeled
-+## connection.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_recvfrom_unlabeled',`
-+ kernel_dontaudit_dccp_recvfrom_unlabeled($1)
-+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
-+
-+ # XXX - at some point the oubound/send access check will be removed
-+ # but for right now we need to keep this in place so as not to break
-+ # older systems
-+ kernel_dontaudit_sendrecv_unlabeled_association($1)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to receive TCP packets from an unlabeled
- ## connection.
- ##
-@@ -2533,15 +3206,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
- ##
- #
- interface(`corenet_all_recvfrom_unlabeled',`
-- kernel_tcp_recvfrom_unlabeled($1)
-- kernel_udp_recvfrom_unlabeled($1)
-- kernel_raw_recvfrom_unlabeled($1)
-- kernel_recvfrom_unlabeled_peer($1)
--
-- # XXX - at some point the oubound/send access check will be removed
-- # but for right now we need to keep this in place so as not to break
-- # older systems
-- kernel_sendrecv_unlabeled_association($1)
-+ gen_require(`
-+ attribute corenet_unlabeled_type;
-+ ')
-+ typeattribute $1 corenet_unlabeled_type;
- ')
-
- ########################################
-@@ -2567,11 +3235,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
- #
- interface(`corenet_all_recvfrom_netlabel',`
- gen_require(`
-- type netlabel_peer_t;
-+ attribute netlabel_peer_type;
- ')
-
-- allow $1 netlabel_peer_t:peer recv;
-- allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
-+ typeattribute $1 netlabel_peer_type;
-+')
-+
-+########################################
-+##
-+## Enable unlabeled net packets
-+##
-+##
-+##
-+## Allow unlabeled_packet_t to be used by all domains that use the network
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`corenet_enable_unlabeled_packets',`
-+ gen_require(`
-+ attribute corenet_unlabeled_type;
-+ ')
-+
-+ kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)
- ')
-
- ########################################
-@@ -2585,6 +3276,7 @@ interface(`corenet_all_recvfrom_netlabel',`
- ##
- #
- interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
-+ kernel_dontaudit_dccp_recvfrom_unlabeled($1)
- kernel_dontaudit_tcp_recvfrom_unlabeled($1)
- kernel_dontaudit_udp_recvfrom_unlabeled($1)
- kernel_dontaudit_raw_recvfrom_unlabeled($1)
-@@ -2613,7 +3305,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
- ')
-
- dontaudit $1 netlabel_peer_t:peer recv;
-- dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
-+ dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
-+')
-+
-+########################################
-+##
-+## Rules for receiving labeled DCCP packets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Peer domain.
-+##
-+##
-+#
-+interface(`corenet_dccp_recvfrom_labeled',`
-+ allow { $1 $2 } self:association sendto;
-+ allow $1 $2:{ association dccp_socket } recvfrom;
-+ allow $2 $1:{ association dccp_socket } recvfrom;
-+
-+ allow $1 $2:peer recv;
-+ allow $2 $1:peer recv;
-+
-+ # allow receiving packets from MLS-only peers using NetLabel
-+ corenet_dccp_recvfrom_netlabel($1)
-+ corenet_dccp_recvfrom_netlabel($2)
- ')
-
- ########################################
-@@ -2727,6 +3447,7 @@ interface(`corenet_raw_recvfrom_labeled',`
- ##
- #
- interface(`corenet_all_recvfrom_labeled',`
-+ corenet_dccp_recvfrom_labeled($1, $2)
- corenet_tcp_recvfrom_labeled($1, $2)
- corenet_udp_recvfrom_labeled($1, $2)
- corenet_raw_recvfrom_labeled($1, $2)
-@@ -3134,3 +3855,53 @@ interface(`corenet_unconfined',`
-
- typeattribute $1 corenet_unconfined_type;
- ')
-+
-+########################################
-+##
-+## Create all network named devices with the correct label
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_filetrans_all_named_dev',`
-+
-+ gen_require(`
-+ type tun_tap_device_t;
-+ type ppp_device_t;
-+ ')
-+
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap0")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap1")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap2")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap3")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap4")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap5")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap6")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap7")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap8")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap9")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap10")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap11")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap12")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap13")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap14")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap15")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap16")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap17")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap18")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap19")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap20")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap21")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap22")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap23")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap24")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap25")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap26")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap27")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap28")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap29")
-+ dev_filetrans($1, ppp_device_t, chr_file, "ppp")
-+')
-diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
-index 8e0f9cd..b9f45b9 100644
---- a/policy/modules/kernel/corenetwork.if.m4
-+++ b/policy/modules/kernel/corenetwork.if.m4
-@@ -631,6 +631,26 @@ interface(`corenet_udp_bind_$1_port',`
-
- ########################################
- ##
-+## Do not audit attempts to sbind to $1 port.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`corenet_dontaudit_udp_bind_$1_port',`
-+ gen_require(`
-+ $3 $1_$2;
-+ ')
-+
-+ dontaudit dollarsone $1_$2:udp_socket name_bind;
-+ $4
-+')
-+
-+########################################
-+##
- ## Make a TCP connection to the $1 port.
- ##
- ##
-@@ -646,6 +666,23 @@ interface(`corenet_tcp_connect_$1_port',`
-
- allow dollarsone $1_$2:tcp_socket name_connect;
- ')
-+########################################
-+##
-+## Do not audit attempts to make a TCP connection to $1 port.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_tcp_connect_$1_port',`
-+ gen_require(`
-+ $3 $1_$2;
-+ ')
-+
-+ dontaudit dollarsone $1_$2:tcp_socket name_connect;
-+')
- '') dnl end create_port_interfaces
-
- define(`create_packet_interfaces',``
-diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index fe2ee5e..72c5a3b 100644
---- a/policy/modules/kernel/corenetwork.te.in
-+++ b/policy/modules/kernel/corenetwork.te.in
-@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0)
- # Declarations
- #
-
-+attribute netlabel_peer_type;
- attribute client_packet_type;
- # This is an optimization for { port_type -port_t }
- attribute defined_port_type;
-@@ -14,12 +15,14 @@ attribute node_type;
- attribute packet_type;
- attribute port_type;
- attribute reserved_port_type;
-+attribute ephemeral_port_type;
- attribute rpc_port_type;
- attribute server_packet_type;
- # This is an optimization for { port_type -reserved_port_type }
- attribute unreserved_port_type;
-
- attribute corenet_unconfined_type;
-+attribute corenet_unlabeled_type;
-
- type ppp_device_t;
- dev_node(ppp_device_t)
-@@ -29,6 +32,7 @@ dev_node(ppp_device_t)
- #
- type tun_tap_device_t;
- dev_node(tun_tap_device_t)
-+mls_trusted_object(tun_tap_device_t)
-
- ########################################
- #
-@@ -38,6 +42,18 @@ dev_node(tun_tap_device_t)
- #
- # client_packet_t is the default type of IPv4 and IPv6 client packets.
- #
-+type intranet_packet_t;
-+corenet_packet(intranet_packet_t)
-+
-+#
-+# client_packet_t is the default type of IPv4 and IPv6 client packets.
-+#
-+type internet_packet_t;
-+corenet_packet(internet_packet_t)
-+
-+#
-+# client_packet_t is the default type of IPv4 and IPv6 client packets.
-+#
- type client_packet_t, packet_type, client_packet_type;
-
- #
-@@ -46,6 +62,7 @@ type client_packet_t, packet_type, client_packet_type;
- #
- type netlabel_peer_t;
- sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
-+mcs_untrusted_proc(netlabel_peer_t)
-
- #
- # port_t is the default type of INET port numbers.
-@@ -59,6 +76,12 @@ sid port gen_context(system_u:object_r:port_t,s0)
- type unreserved_port_t, port_type, unreserved_port_type;
-
- #
-+# ephemeral_port_t is the default type of ephemeral port numbers.
-+# cat /proc/sys/net/ipv4/ip_local_port_range
-+#
-+type ephemeral_port_t, port_type, ephemeral_port_type;
-+
-+#
- # reserved_port_t is the type of INET port numbers below 1024.
- #
- type reserved_port_t, port_type, reserved_port_type;
-@@ -74,30 +97,39 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
- type server_packet_t, packet_type, server_packet_type;
-
- network_port(afs_bos, udp,7007,s0)
-+network_port(afs_client, udp,7001,s0)
- network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
- network_port(afs_ka, udp,7004,s0)
- network_port(afs_pt, udp,7002,s0)
- network_port(afs_vl, udp,7003,s0)
- network_port(agentx, udp,705,s0, tcp,705,s0)
-+network_port(ajaxterm, tcp,8022,s0)
- network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
- network_port(amavisd_recv, tcp,10024,s0)
- network_port(amavisd_send, tcp,10025,s0)
- network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
--network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
-+network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
- network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
-+network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
- network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
- network_port(audit, tcp,60,s0)
- network_port(auth, tcp,113,s0)
- network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
- network_port(boinc, tcp,31416,s0)
-+network_port(boinc_client_ctrl, tcp,1043,s0)
- network_port(biff) # no defined portcon
- network_port(certmaster, tcp,51235,s0)
- network_port(chronyd, udp,323,s0)
- network_port(clamd, tcp,3310,s0)
- network_port(clockspeed, udp,4041,s0)
- network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
-+network_port(cma, tcp,1050,s0, udp,1050,s0)
- network_port(cobbler, tcp,25151,s0)
-+network_port(commplex, tcp,5001,s0, udp,5001,s0)
- network_port(comsat, udp,512,s0)
-+network_port(condor, tcp, 9618,s0, udp, 9618,s0)
-+network_port(couchdb, tcp,5984,s0, udp,5984,s0)
-+network_port(ctdb, tcp,4379,s0, udp,4379,s0)
- network_port(cvs, tcp,2401,s0, udp,2401,s0)
- network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
- network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -108,14 +140,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
- network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
- network_port(dict, tcp,2628,s0)
- network_port(distccd, tcp,3632,s0)
-+network_port(dogtag, tcp,7390,s0)
- network_port(dns, udp,53,s0, tcp,53,s0)
-+network_port(dnssec, tcp,8955,s0)
-+network_port(echo, tcp,7,s0, udp,7,s0)
- network_port(epmap, tcp,135,s0, udp,135,s0)
-+network_port(epmd, tcp,4369,s0, udp,4369,s0)
-+network_port(festival, tcp,1314,s0)
- network_port(fingerd, tcp,79,s0)
-+network_port(firebird, tcp,3050,s0, udp,3050,s0)
-+network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
-+network_port(fprot, tcp,10200,s0)
- network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
- network_port(ftp_data, tcp,20,s0)
- network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
- network_port(giftd, tcp,1213,s0)
- network_port(git, tcp,9418,s0, udp,9418,s0)
-+network_port(glance, tcp,9292,s0, udp,9292,s0)
- network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
- network_port(gopher, tcp,70,s0, udp,70,s0)
- network_port(gpsd, tcp,2947,s0)
-@@ -123,104 +164,139 @@ network_port(hadoop_datanode, tcp,50010,s0)
- network_port(hadoop_namenode, tcp,8020,s0)
- network_port(hddtemp, tcp,7634,s0)
- network_port(howl, tcp,5335,s0, udp,5353,s0)
--network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
--network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
--network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
-+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
-+network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port
-+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
- network_port(i18n_input, tcp,9010,s0)
- network_port(imaze, tcp,5323,s0, udp,5323,s0)
--network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
- network_port(innd, tcp,119,s0)
-+network_port(interwise, tcp,7778,s0, udp,7778,s0)
-+network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
- network_port(ipmi, udp,623,s0, udp,664,s0)
- network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
- network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
--network_port(ircd, tcp,6667,s0)
-+network_port(ircd, tcp,6667,s0, tcp,6697,s0)
- network_port(isakmp, udp,500,s0)
- network_port(iscsi, tcp,3260,s0)
- network_port(isns, tcp,3205,s0, udp,3205,s0)
- network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
- network_port(jabber_interserver, tcp,5269,s0)
--network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
--network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
--network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
--network_port(kismet, tcp,2501,s0)
-+network_port(jabber_router, tcp,5347,s0)
-+network_port(jacorb, tcp,3528,s0, tcp,3529,s0)
-+network_port(jboss_debug, tcp,8787,s0)
-+network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0)
-+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,4447,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0)
-+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
-+network_port(kerberos_admin, tcp,749,s0)
-+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
-+network_port(keystone, tcp,5000,s0, udp,5000,s0, tcp, 35357,s0, udp, 35357,s0)
-+network_port(rtsclient, tcp,2501,s0)
- network_port(kprop, tcp,754,s0)
- network_port(ktalkd, udp,517,s0, udp,518,s0)
--network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
-+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0)
- network_port(lirc, tcp,8765,s0)
-+network_port(luci, tcp,8084,s0)
- network_port(lmtp, tcp,24,s0, udp,24,s0)
- network_port(lrrd) # no defined portcon
-+network_port(l2tp, tcp,1701,s0, udp,1701,s0)
- network_port(mail, tcp,2000,s0, tcp,3905,s0)
- network_port(matahari, tcp,49000,s0, udp,49000,s0)
- network_port(memcache, tcp,11211,s0, udp,11211,s0)
- network_port(milter) # no defined portcon
- network_port(mmcc, tcp,5050,s0, udp,5050,s0)
-+network_port(mongod, tcp,27017,s0)
- network_port(monopd, tcp,1234,s0)
-+network_port(movaz_ssc, tcp,5252,s0)
- network_port(mpd, tcp,6600,s0)
- network_port(msnp, tcp,1863,s0, udp,1863,s0)
- network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
- network_port(munin, tcp,4949,s0, udp,4949,s0)
-+network_port(mxi, tcp,8005, s0, udp, 8005,s0)
- network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
- network_port(mysqlmanagerd, tcp,2273,s0)
- network_port(nessus, tcp,1241,s0)
- network_port(netport, tcp,3129,s0, udp,3129,s0)
- network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
-+network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)
- network_port(nmbd, udp,137,s0, udp,138,s0)
-+network_port(nodejs_debug, tcp,5858,s0, udp,5858,s0)
- network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
- network_port(ntp, udp,123,s0)
--network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
-+network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
- network_port(ocsp, tcp,9080,s0)
- network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-+network_port(openhpid, tcp,4743,s0, udp,4743,s0)
-+network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)
- network_port(pegasus_http, tcp,5988,s0)
- network_port(pegasus_https, tcp,5989,s0)
- network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
- network_port(pingd, tcp,9125,s0)
-+network_port(piranha, tcp,3636,s0)
-+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
-+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0)
-+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0)
-+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0)
-+network_port(pki_ra, tcp,12888-12889,s0)
-+network_port(pki_tps, tcp,7888-7889,s0)
- network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
- network_port(portmap, udp,111,s0, tcp,111,s0)
- network_port(postfix_policyd, tcp,10031,s0)
- network_port(postgresql, tcp,5432,s0)
- network_port(postgrey, tcp,60000,s0)
-+network_port(pptp, tcp, 1723,s0, udp, 1723, s0)
- network_port(prelude, tcp,4690,s0, udp,4690,s0)
- network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
- network_port(printer, tcp,515,s0)
- network_port(ptal, tcp,5703,s0)
--network_port(pulseaudio, tcp,4713,s0)
-+network_port(pulseaudio, tcp,4713,s0, udp,4713,s0)
- network_port(puppet, tcp, 8140, s0)
- network_port(pxe, udp,4011,s0)
- network_port(pyzor, udp,24441,s0)
-+network_port(quantum, tcp,9696,s0)
- network_port(radacct, udp,1646,s0, udp,1813,s0)
- network_port(radius, udp,1645,s0, udp,1812,s0)
- network_port(radsec, tcp,2083,s0)
- network_port(razor, tcp,2703,s0)
-+network_port(time, tcp,37,s0, udp,37,s0)
- network_port(repository, tcp, 6363, s0)
- network_port(ricci, tcp,11111,s0, udp,11111,s0)
- network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
- network_port(rlogind, tcp,513,s0)
--network_port(rndc, tcp,953,s0)
--network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
-+network_port(rndc, tcp,953,s0, tcp,8953,s0)
-+network_port(router, udp,520-521,s0, tcp,521,s0)
- network_port(rsh, tcp,514,s0)
- network_port(rsync, tcp,873,s0, udp,873,s0)
- network_port(rwho, udp,513,s0)
- network_port(sap, tcp,9875,s0, udp,9875,s0)
-+network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0)
-+network_port(sametime, tcp,1533,s0, udp,1533,s0)
- network_port(sieve, tcp,4190,s0)
- network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
- network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
- network_port(smbd, tcp,137-139,s0, tcp,445,s0)
- network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
--network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
--network_port(socks) # no defined portcon
-+network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0)
-+type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
- network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
--network_port(spamd, tcp,783,s0)
-+network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0)
- network_port(speech, tcp,8036,s0)
--network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-+network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-+network_port(ssdp, tcp,1900,s0, udp, 1900, s0)
- network_port(ssh, tcp,22,s0)
-+network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0)
-+network_port(svn, tcp,3690,s0, udp,3690,s0)
- network_port(stunnel) # no defined portcon
- network_port(swat, tcp,901,s0)
--network_port(syslogd, udp,514,s0)
-+network_port(sype, tcp,9911,s0, udp,9911,s0)
-+network_port(syslogd, udp,514,s0, tcp,6514,s0, udp,6514,s0)
- network_port(tcs, tcp, 30003, s0)
- network_port(telnetd, tcp,23,s0)
- network_port(tftp, udp,69,s0)
--network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
-+network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9051,s0)
-+network_port(tor_socks, tcp,9050,s0)
- network_port(traceroute, udp,64000-64010,s0)
-+network_port(tram, tcp, 4567, s0)
- network_port(transproxy, tcp,8081,s0)
- network_port(ups, tcp,3493,s0)
- network_port(utcpserver) # no defined portcon
-@@ -228,9 +304,12 @@ network_port(uucpd, tcp,540,s0)
- network_port(varnishd, tcp,6081-6082,s0)
- network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
- network_port(virt_migration, tcp,49152-49216,s0)
--network_port(vnc, tcp,5900,s0)
-+network_port(vnc, tcp,5900-5983,s0, tcp,5985-5999,s0)
- network_port(wccp, udp,2048,s0)
-+network_port(websm, tcp,9090,s0, udp,9090,s0)
- network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
-+network_port(winshadow, tcp, 3261, s0, udp, 3261,s0)
-+network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0)
- network_port(xdmcp, udp,177,s0, tcp,177,s0)
- network_port(xen, tcp,8002,s0)
- network_port(xfs, tcp,7100,s0)
-@@ -242,17 +321,22 @@ network_port(zookeeper_client, tcp,2181,s0)
- network_port(zookeeper_election, tcp,3888,s0)
- network_port(zookeeper_leader, tcp,2888,s0)
- network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
-+network_port(zented, tcp,1229,s0, udp,1229,s0)
- network_port(zope, tcp,8021,s0)
-
- # Defaults for reserved ports. Earlier portcon entries take precedence;
- # these entries just cover any remaining reserved ports not otherwise declared.
-
--portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
--portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
- portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
- portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
- portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
- portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
-+portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
-+portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
-+portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
-+portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
-+portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
-+portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
-
- ########################################
- #
-@@ -297,9 +381,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
- allow corenet_unconfined_type node_type:node *;
- allow corenet_unconfined_type netif_type:netif *;
- allow corenet_unconfined_type packet_type:packet *;
-+allow corenet_unconfined_type port_type:dccp_socket { send_msg recv_msg name_connect };
- allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
- allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
-
- # Bind to any network address.
--allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
--allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
-+allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind;
-+allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind;
-+
-+#
-+# Rules coverning the use of unlabeled types
-+#
-+kernel_dccp_recvfrom_unlabeled(corenet_unlabeled_type)
-+kernel_tcp_recvfrom_unlabeled(corenet_unlabeled_type)
-+kernel_udp_recvfrom_unlabeled(corenet_unlabeled_type)
-+kernel_raw_recvfrom_unlabeled(corenet_unlabeled_type)
-+kernel_recvfrom_unlabeled_peer(corenet_unlabeled_type)
-+
-+allow netlabel_peer_type netlabel_peer_t:peer recv;
-+allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
-+allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress };
-+allow netlabel_peer_t node_t:node recvfrom;
-diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
-index 3f6e168..51ad69a 100644
---- a/policy/modules/kernel/corenetwork.te.m4
-+++ b/policy/modules/kernel/corenetwork.te.m4
-@@ -86,6 +86,11 @@ define(`add_port_attribute',`dnl
- ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;')
- ')
-
-+define(`add_ephemeral_attribute',`dnl
-+ifelse(eval(range_start($3) >= 32768 && range_start($3) < 61001),1,`typeattribute $1 ephemeral_port_type;
-+',`ifelse(`$5',`',`',`add_ephemeral_attribute($1,shiftn(4,$*))')')dnl
-+')
-+
- # bindresvport in glibc starts searching for reserved ports at 512
- define(`add_rpc_attribute',`dnl
- ifelse(eval(range_start($3) >= 512 && range_start($3) < 1024),1,`typeattribute $1 rpc_port_type;
-@@ -101,6 +106,7 @@ type $1_client_packet_t, packet_type, client_packet_type;
- type $1_server_packet_t, packet_type, server_packet_type;
- ifelse(`$2',`',`',`add_port_attribute($1_port_t,$3)')dnl
- ifelse(`$2',`',`',`add_rpc_attribute($1_port_t,shift($*))')dnl
-+ifelse(`$2',`',`',`add_ephemeral_attribute($1_port_t,shift($*))')dnl
- ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl
- ')
-
-diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 02b7ac1..b30f7b8 100644
---- a/policy/modules/kernel/devices.fc
-+++ b/policy/modules/kernel/devices.fc
-@@ -15,14 +15,17 @@
- /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
-+/dev/bsr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
- /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
- /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
- /dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
- /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
--/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
-+/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
-+/dev/dmfm.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
-+/dev/ecryptfs -c gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh)
- /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
- /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -57,8 +60,11 @@
- /dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
- /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
-+/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
- /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
- /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
-+/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-+/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0)
- /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
- /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
- /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -125,13 +131,15 @@ ifdef(`distro_suse', `
- /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
- /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
--/dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
-+/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
-+/dev/cdc-wdm[0-1] -c gen_context(system_u:object_r:modem_device_t,s0)
- /dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0)
- /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
- /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
-
- /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
-
-+/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
- /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
- /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-
-@@ -195,12 +203,22 @@ ifdef(`distro_debian',`
- /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
- /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
-
--/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
--
- ifdef(`distro_redhat',`
- # originally from named.fc
- /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
- /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
- /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
- /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
-+/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0)
- ')
-+
-+#
-+# /sys
-+#
-+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
-+/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
-+
-+/usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
-+/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
-+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
-+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
-diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index d820975..a8b5aa9 100644
---- a/policy/modules/kernel/devices.if
-+++ b/policy/modules/kernel/devices.if
-@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
- type device_t;
- ')
-
-- relabelfrom_dirs_pattern($1, device_t, device_node)
-- relabelfrom_files_pattern($1, device_t, device_node)
-- relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
-- relabelfrom_fifo_files_pattern($1, device_t, device_node)
-- relabelfrom_sock_files_pattern($1, device_t, device_node)
-- relabel_blk_files_pattern($1, device_t, { device_t device_node })
-- relabel_chr_files_pattern($1, device_t, { device_t device_node })
-+ relabel_dirs_pattern($1, device_t, device_node)
-+ relabel_files_pattern($1, device_t, device_node)
-+ relabel_lnk_files_pattern($1, device_t, device_node)
-+ relabel_fifo_files_pattern($1, device_t, device_node)
-+ relabel_sock_files_pattern($1, device_t, device_node)
-+ relabel_blk_files_pattern($1, device_t, device_node)
-+ relabel_chr_files_pattern($1, device_t, device_node)
-+')
-+
-+########################################
-+##
-+## Allow full relabeling (to and from) of all device files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`dev_relabel_all_dev_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ relabel_files_pattern($1, device_t, device_t)
- ')
-
- ########################################
-@@ -209,6 +228,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
-
- ########################################
- ##
-+## Dontaudit attempts to list all device nodes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_all_access_check',`
-+ gen_require(`
-+ attribute device_node;
-+ ')
-+
-+ dontaudit $1 device_node:file_class_set audit_access;
-+')
-+
-+########################################
-+##
- ## Add entries to directories in /dev.
- ##
- ##
-@@ -352,6 +389,24 @@ interface(`dev_read_generic_files',`
- read_files_pattern($1, device_t, device_t)
- ')
-
-+#######################################
-+##
-+## Read generic files in /dev.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_read_generic_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ dontaudit $1 device_t:file { read getattr };
-+')
-+
- ########################################
- ##
- ## Read and write generic files in /dev.
-@@ -462,6 +517,42 @@ interface(`dev_getattr_generic_blk_files',`
-
- ########################################
- ##
-+## Rename generic block device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rename_generic_blk_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ rename_blk_files_pattern($1, device_t, device_t)
-+')
-+
-+########################################
-+##
-+## write generic sock files in /dev.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_write_generic_sock_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ write_sock_files_pattern($1, device_t, device_t)
-+')
-+
-+########################################
-+##
- ## Dontaudit getattr on generic block devices.
- ##
- ##
-@@ -570,6 +661,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',`
-
- ########################################
- ##
-+## Rename generic character device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rename_generic_chr_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ rename_chr_files_pattern($1, device_t, device_t)
-+')
-+
-+########################################
-+##
- ## Dontaudit setattr for generic character device files.
- ##
- ##
-@@ -646,7 +755,7 @@ interface(`dev_rw_generic_blk_files',`
- ##
- ##
- ##
--## Domain to dontaudit access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -733,7 +842,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
-
- ########################################
- ##
--## Read symbolic links in device directories.
-+## Create symbolic links in device directories.
- ##
- ##
- ##
-@@ -741,17 +850,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
- ##
- ##
- #
--interface(`dev_read_generic_symlinks',`
-+interface(`dev_create_generic_symlinks',`
- gen_require(`
- type device_t;
- ')
-
-- allow $1 device_t:lnk_file read_lnk_file_perms;
-+ create_lnk_files_pattern($1, device_t, device_t)
- ')
-
- ########################################
- ##
--## Create symbolic links in device directories.
-+## Delete symbolic links in device directories.
- ##
- ##
- ##
-@@ -759,17 +868,17 @@ interface(`dev_read_generic_symlinks',`
- ##
- ##
- #
--interface(`dev_create_generic_symlinks',`
-+interface(`dev_delete_generic_symlinks',`
- gen_require(`
- type device_t;
- ')
-
-- create_lnk_files_pattern($1, device_t, device_t)
-+ delete_lnk_files_pattern($1, device_t, device_t)
- ')
-
- ########################################
- ##
--## Delete symbolic links in device directories.
-+## Read symbolic links in device directories.
- ##
- ##
- ##
-@@ -777,12 +886,12 @@ interface(`dev_create_generic_symlinks',`
- ##
- ##
- #
--interface(`dev_delete_generic_symlinks',`
-+interface(`dev_read_generic_symlinks',`
- gen_require(`
- type device_t;
- ')
-
-- delete_lnk_files_pattern($1, device_t, device_t)
-+ allow $1 device_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -1003,6 +1112,26 @@ interface(`dev_getattr_all_blk_files',`
-
- ########################################
- ##
-+## Read on all block file device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`dev_read_all_blk_files',`
-+ gen_require(`
-+ attribute device_node;
-+ type device_t;
-+ ')
-+
-+ read_blk_files_pattern($1, device_t, device_node)
-+')
-+
-+########################################
-+##
- ## Dontaudit getattr on all block file device nodes.
- ##
- ##
-@@ -1034,6 +1163,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
- interface(`dev_getattr_all_chr_files',`
- gen_require(`
- attribute device_node;
-+ type device_t;
- ')
-
- getattr_chr_files_pattern($1, device_t, device_node)
-@@ -1206,6 +1336,42 @@ interface(`dev_create_all_chr_files',`
-
- ########################################
- ##
-+## rw all inherited character device files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_all_inherited_chr_files',`
-+ gen_require(`
-+ attribute device_node;
-+ ')
-+
-+ allow $1 device_node:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## rw all inherited blk device files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_all_inherited_blk_files',`
-+ gen_require(`
-+ attribute device_node;
-+ ')
-+
-+ allow $1 device_node:blk_file rw_inherited_blk_file_perms;
-+')
-+
-+########################################
-+##
- ## Delete all block device files.
- ##
- ##
-@@ -1663,6 +1829,26 @@ interface(`dev_filetrans_cardmgr',`
-
- ########################################
- ##
-+## Automatic type transition to the type
-+## for xserver misc device nodes when
-+## created in /dev.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_filetrans_xserver_misc',`
-+ gen_require(`
-+ type device_t, xserver_misc_device_t;
-+ ')
-+
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )
-+')
-+
-+########################################
-+##
- ## Get the attributes of the CPU
- ## microcode and id interfaces.
- ##
-@@ -1772,6 +1958,24 @@ interface(`dev_rw_crypto',`
- rw_chr_files_pattern($1, device_t, crypt_device_t)
- ')
-
-+########################################
-+##
-+## Read and write the the ecrypt filesystem device.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_ecryptfs',`
-+ gen_require(`
-+ type device_t, ecryptfs_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, ecryptfs_device_t)
-+')
-+
- #######################################
- ##
- ## Set the attributes of the dlm control devices.
-@@ -2383,7 +2587,7 @@ interface(`dev_filetrans_lirc',`
-
- ########################################
- ##
--## Get the attributes of the lvm comtrol device.
-+## Get the attributes of the loop comtrol device.
- ##
- ##
- ##
-@@ -2391,17 +2595,17 @@ interface(`dev_filetrans_lirc',`
- ##
- ##
- #
--interface(`dev_getattr_lvm_control',`
-+interface(`dev_getattr_loop_control',`
- gen_require(`
-- type device_t, lvm_control_t;
-+ type device_t, loop_control_device_t;
- ')
-
-- getattr_chr_files_pattern($1, device_t, lvm_control_t)
-+ getattr_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
-
- ########################################
- ##
--## Read the lvm comtrol device.
-+## Read the loop comtrol device.
- ##
- ##
- ##
-@@ -2409,17 +2613,17 @@ interface(`dev_getattr_lvm_control',`
- ##
- ##
- #
--interface(`dev_read_lvm_control',`
-+interface(`dev_read_loop_control',`
- gen_require(`
-- type device_t, lvm_control_t;
-+ type device_t, loop_control_device_t;
- ')
-
-- read_chr_files_pattern($1, device_t, lvm_control_t)
-+ read_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
-
- ########################################
- ##
--## Read and write the lvm control device.
-+## Read and write the loop control device.
- ##
- ##
- ##
-@@ -2427,17 +2631,17 @@ interface(`dev_read_lvm_control',`
- ##
- ##
- #
--interface(`dev_rw_lvm_control',`
-+interface(`dev_rw_loop_control',`
- gen_require(`
-- type device_t, lvm_control_t;
-+ type device_t, loop_control_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, lvm_control_t)
-+ rw_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to read and write lvm control device.
-+## Do not audit attempts to read and write loop control device.
- ##
- ##
- ##
-@@ -2445,17 +2649,17 @@ interface(`dev_rw_lvm_control',`
- ##
- ##
- #
--interface(`dev_dontaudit_rw_lvm_control',`
-+interface(`dev_dontaudit_rw_loop_control',`
- gen_require(`
-- type lvm_control_t;
-+ type loop_control_device_t;
- ')
-
-- dontaudit $1 lvm_control_t:chr_file rw_file_perms;
-+ dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
- ')
-
- ########################################
- ##
--## Delete the lvm control device.
-+## Delete the loop control device.
- ##
- ##
- ##
-@@ -2463,35 +2667,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
- ##
- ##
- #
--interface(`dev_delete_lvm_control_dev',`
-+interface(`dev_delete_loop_control_dev',`
- gen_require(`
-- type device_t, lvm_control_t;
-+ type device_t, loop_control_device_t;
- ')
-
-- delete_chr_files_pattern($1, device_t, lvm_control_t)
-+ delete_chr_files_pattern($1, device_t, loop_control_device_t)
- ')
-
- ########################################
- ##
--## dontaudit getattr raw memory devices (e.g. /dev/mem).
-+## Get the attributes of the loop comtrol device.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_getattr_memory_dev',`
-+interface(`dev_getattr_lvm_control',`
- gen_require(`
-- type memory_device_t;
-+ type device_t, lvm_control_t;
- ')
-
-- dontaudit $1 memory_device_t:chr_file getattr;
-+ getattr_chr_files_pattern($1, device_t, lvm_control_t)
- ')
-
- ########################################
- ##
--## Read raw memory devices (e.g. /dev/mem).
-+## Read the lvm comtrol device.
- ##
- ##
- ##
-@@ -2499,62 +2703,53 @@ interface(`dev_dontaudit_getattr_memory_dev',`
- ##
- ##
- #
--interface(`dev_read_raw_memory',`
-+interface(`dev_read_lvm_control',`
- gen_require(`
-- type device_t, memory_device_t;
-- attribute memory_raw_read;
-+ type device_t, lvm_control_t;
- ')
-
-- read_chr_files_pattern($1, device_t, memory_device_t)
--
-- allow $1 self:capability sys_rawio;
-- typeattribute $1 memory_raw_read;
-+ read_chr_files_pattern($1, device_t, lvm_control_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to read raw memory devices
--## (e.g. /dev/mem).
-+## Read and write the lvm control device.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_read_raw_memory',`
-+interface(`dev_rw_lvm_control',`
- gen_require(`
-- type memory_device_t;
-+ type device_t, lvm_control_t;
- ')
-
-- dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
-+ rw_chr_files_pattern($1, device_t, lvm_control_t)
- ')
-
- ########################################
- ##
--## Write raw memory devices (e.g. /dev/mem).
-+## Do not audit attempts to read and write lvm control device.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_write_raw_memory',`
-+interface(`dev_dontaudit_rw_lvm_control',`
- gen_require(`
-- type device_t, memory_device_t;
-- attribute memory_raw_write;
-+ type lvm_control_t;
- ')
-
-- write_chr_files_pattern($1, device_t, memory_device_t)
--
-- allow $1 self:capability sys_rawio;
-- typeattribute $1 memory_raw_write;
-+ dontaudit $1 lvm_control_t:chr_file rw_file_perms;
- ')
-
- ########################################
- ##
--## Read and execute raw memory devices (e.g. /dev/mem).
-+## Delete the lvm control device.
- ##
- ##
- ##
-@@ -2562,7 +2757,106 @@ interface(`dev_write_raw_memory',`
- ##
- ##
- #
--interface(`dev_rx_raw_memory',`
-+interface(`dev_delete_lvm_control_dev',`
-+ gen_require(`
-+ type device_t, lvm_control_t;
-+ ')
-+
-+ delete_chr_files_pattern($1, device_t, lvm_control_t)
-+')
-+
-+########################################
-+##
-+## dontaudit getattr raw memory devices (e.g. /dev/mem).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_getattr_memory_dev',`
-+ gen_require(`
-+ type memory_device_t;
-+ ')
-+
-+ dontaudit $1 memory_device_t:chr_file getattr;
-+')
-+
-+########################################
-+##
-+## Read raw memory devices (e.g. /dev/mem).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_raw_memory',`
-+ gen_require(`
-+ type device_t, memory_device_t;
-+ attribute memory_raw_read;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, memory_device_t)
-+
-+ allow $1 self:capability sys_rawio;
-+ typeattribute $1 memory_raw_read;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read raw memory devices
-+## (e.g. /dev/mem).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_read_raw_memory',`
-+ gen_require(`
-+ type memory_device_t;
-+ ')
-+
-+ dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Write raw memory devices (e.g. /dev/mem).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_write_raw_memory',`
-+ gen_require(`
-+ type device_t, memory_device_t;
-+ attribute memory_raw_write;
-+ ')
-+
-+ write_chr_files_pattern($1, device_t, memory_device_t)
-+
-+ allow $1 self:capability sys_rawio;
-+ typeattribute $1 memory_raw_write;
-+')
-+
-+########################################
-+##
-+## Read and execute raw memory devices (e.g. /dev/mem).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rx_raw_memory',`
- gen_require(`
- type device_t, memory_device_t;
- ')
-@@ -2706,7 +3000,7 @@ interface(`dev_write_misc',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -2956,8 +3250,8 @@ interface(`dev_dontaudit_write_mtrr',`
- type mtrr_device_t;
- ')
-
-- dontaudit $1 mtrr_device_t:file write;
-- dontaudit $1 mtrr_device_t:chr_file write;
-+ dontaudit $1 mtrr_device_t:file write_file_perms;
-+ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
- ')
-
- ########################################
-@@ -3125,6 +3419,42 @@ interface(`dev_create_null_dev',`
-
- ########################################
- ##
-+## Get the status of a null device service.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_service_status_null_dev',`
-+ gen_require(`
-+ type null_device_t;
-+ ')
-+
-+ allow $1 null_device_t:service status;
-+')
-+
-+########################################
-+##
-+## Configure null_device as a unit files.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`dev_config_null_dev_service',`
-+ gen_require(`
-+ type null_device_t;
-+ ')
-+
-+ allow $1 null_device_t:service manage_service_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to get the attributes
- ## of the BIOS non-volatile RAM device.
- ##
-@@ -3235,7 +3565,25 @@ interface(`dev_rw_printer',`
-
- ########################################
- ##
--## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
-+## Relabel the printer device node.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_relabel_printer',`
-+ gen_require(`
-+ type printer_device_t;
-+ ')
-+
-+ allow $1 printer_device_t:chr_file relabel_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write the printer device.
- ##
- ##
- ##
-@@ -3243,12 +3591,13 @@ interface(`dev_rw_printer',`
- ##
- ##
- #
--interface(`dev_read_printk',`
-+interface(`dev_manage_printer',`
- gen_require(`
-- type device_t, printk_device_t;
-+ type device_t, printer_device_t;
- ')
-
-- read_chr_files_pattern($1, device_t, printk_device_t)
-+ manage_chr_files_pattern($1, device_t, printer_device_t)
-+ dev_filetrans_printer_named_dev($1)
- ')
-
- ########################################
-@@ -3836,6 +4185,42 @@ interface(`dev_getattr_sysfs_dirs',`
-
- ########################################
- ##
-+## Set the attributes of sysfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_setattr_sysfs_dirs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:dir setattr_dir_perms;
-+')
-+
-+########################################
-+##
-+## Get attributes of sysfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_getattr_sysfs_fs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
- ## Search the sysfs directories.
- ##
- ##
-@@ -3885,6 +4270,7 @@ interface(`dev_list_sysfs',`
- type sysfs_t;
- ')
-
-+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
- list_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
-
-@@ -3927,23 +4313,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
-
- ########################################
- ##
--## Create, read, write, and delete sysfs
--## directories.
-+## Read cpu online hardware state information.
- ##
-+##
-+##
-+## Allow the specified domain to read /sys/devices/system/cpu/online file.
-+##
-+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`dev_manage_sysfs_dirs',`
-+interface(`dev_read_cpu_online',`
- gen_require(`
-+ type cpu_online_t;
-+ ')
-+
-+ dev_search_sysfs($1)
-+ read_files_pattern($1, cpu_online_t, cpu_online_t)
-+')
-+
-+########################################
-+##
-+## Relabel cpu online hardware state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_relabel_cpu_online',`
-+ gen_require(`
-+ type cpu_online_t;
- type sysfs_t;
- ')
-
-- manage_dirs_pattern($1, sysfs_t, sysfs_t)
-+ dev_search_sysfs($1)
-+ allow $1 cpu_online_t:file relabel_file_perms;
- ')
-
-+
- ########################################
- ##
- ## Read hardware state information.
-@@ -3997,6 +4409,62 @@ interface(`dev_rw_sysfs',`
-
- ########################################
- ##
-+## Relabel hardware state directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_relabel_sysfs_dirs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
-+')
-+
-+########################################
-+##
-+## Relabel hardware state files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_relabel_all_sysfs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
-+ relabel_files_pattern($1, sysfs_t, sysfs_t)
-+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to modify hardware state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_manage_sysfs_dirs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ manage_dirs_pattern($1, sysfs_t, sysfs_t)
-+')
-+
-+########################################
-+##
- ## Read and write the TPM device.
- ##
- ##
-@@ -4094,6 +4562,25 @@ interface(`dev_write_urand',`
-
- ########################################
- ##
-+## Do not audit attempts to write to pseudo
-+## random devices (e.g., /dev/urandom)
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_write_urand',`
-+ gen_require(`
-+ type urandom_device_t;
-+ ')
-+
-+ dontaudit $1 urandom_device_t:chr_file write;
-+')
-+
-+########################################
-+##
- ## Getattr generic the USB devices.
- ##
- ##
-@@ -4128,6 +4615,24 @@ interface(`dev_setattr_generic_usb_dev',`
- setattr_chr_files_pattern($1, device_t, usb_device_t)
- ')
-
-+######################################
-+##
-+## Allow relabeling (to and from) of generic usb device
-+##
-+##
-+##
-+## Domain allowed to relabel.
-+##
-+##
-+#
-+interface(`dev_relabel_generic_usb_dev',`
-+ gen_require(`
-+ type usb_device_t;
-+ ')
-+
-+ relabel_dirs_pattern($1, usb_device_t, usb_device_t)
-+')
-+
- ########################################
- ##
- ## Read generic the USB devices.
-@@ -4520,6 +5025,24 @@ interface(`dev_rw_vhost',`
-
- ########################################
- ##
-+## Allow read/write inheretid the vhost net device
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_inherited_vhost',`
-+ gen_require(`
-+ type device_t, vhost_device_t;
-+ ')
-+
-+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
- ## Read and write VMWare devices.
- ##
- ##
-@@ -4725,6 +5248,26 @@ interface(`dev_rw_xserver_misc',`
-
- ########################################
- ##
-+## Read and write X server miscellaneous devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_manage_xserver_misc',`
-+ gen_require(`
-+ type device_t, xserver_misc_device_t;
-+ ')
-+
-+ manage_chr_files_pattern($1, device_t, xserver_misc_device_t)
-+
-+ dev_filetrans_xserver_named_dev($1)
-+')
-+
-+########################################
-+##
- ## Read and write to the zero device (/dev/zero).
- ##
- ##
-@@ -4814,3 +5357,917 @@ interface(`dev_unconfined',`
-
- typeattribute $1 devices_unconfined_type;
- ')
-+
-+########################################
-+##
-+## Dontaudit getattr on all device nodes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_getattr_all',`
-+ gen_require(`
-+ attribute device_node;
-+ type device_t;
-+ ')
-+
-+ dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
-+')
-+
-+########################################
-+##
-+## Get the attributes of the mei devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_getattr_mei',`
-+ gen_require(`
-+ type device_t, mei_device_t;
-+ ')
-+
-+ getattr_chr_files_pattern($1, device_t, mei_device_t)
-+')
-+
-+########################################
-+##
-+## Read the mei devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_read_mei',`
-+ gen_require(`
-+ type device_t, mei_device_t;
-+ ')
-+
-+ read_chr_files_pattern($1, device_t, mei_device_t)
-+')
-+
-+########################################
-+##
-+## Read and write to mei devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_mei',`
-+ gen_require(`
-+ type device_t, mei_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, mei_device_t)
-+')
-+
-+########################################
-+##
-+## Create all named devices with the correct label
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_filetrans_printer_named_dev',`
-+
-+ gen_require(`
-+ type printer_device_t;
-+
-+ ')
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
-+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
-+')
-+
-+########################################
-+##
-+## Create all named devices with the correct label
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_filetrans_all_named_dev',`
-+
-+gen_require(`
-+ type device_t;
-+ type usb_device_t;
-+ type sound_device_t;
-+ type apm_bios_t;
-+ type mouse_device_t;
-+ type autofs_device_t;
-+ type lvm_control_t;
-+ type crash_device_t;
-+ type dlm_control_device_t;
-+ type clock_device_t;
-+ type v4l_device_t;
-+ type event_device_t;
-+ type xen_device_t;
-+ type framebuf_device_t;
-+ type null_device_t;
-+ type random_device_t;
-+ type dri_device_t;
-+ type ipmi_device_t;
-+ type memory_device_t;
-+ type kmsg_device_t;
-+ type qemu_device_t;
-+ type ksm_device_t;
-+ type kvm_device_t;
-+ type lirc_device_t;
-+ type cpu_device_t;
-+ type scanner_device_t;
-+ type modem_device_t;
-+ type vhost_device_t;
-+ type netcontrol_device_t;
-+ type nvram_device_t;
-+ type power_device_t;
-+ type wireless_device_t;
-+ type tpm_device_t;
-+ type userio_device_t;
-+ type urandom_device_t;
-+ type usbmon_device_t;
-+ type vmware_device_t;
-+ type watchdog_device_t;
-+ type crypt_device_t;
-+ type zero_device_t;
-+ type smartcard_device_t;
-+ type mtrr_device_t;
-+ type ecryptfs_device_t;
-+')
-+
-+ dev_filetrans_printer_named_dev($1)
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer9")
-+ filetrans_pattern($1, device_t, apm_bios_t, chr_file, "apm_bios")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "atibm")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9")
-+ filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs1")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs3")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs4")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs5")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs6")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs7")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs8")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep")
-+ filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control")
-+ filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm2")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm3")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm4")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm5")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm6")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm7")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm8")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmfm")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83003")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83004")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83005")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83006")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event0")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event1")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event2")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event3")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event4")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event5")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event6")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event7")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event8")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event9")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event10")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event11")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event12")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event13")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event14")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event15")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event16")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event17")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event20")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb2")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb3")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb4")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb5")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb6")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9")
-+ filetrans_pattern($1, device_t, null_device_t, chr_file, "full")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw2")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw3")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw4")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw5")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw6")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw7")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw8")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw9")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "000")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "001")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "002")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "003")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "004")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "005")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "006")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "007")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "008")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "009")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "010")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "011")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "012")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "013")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "014")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "015")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "016")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "017")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "018")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "019")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "020")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "021")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "022")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "023")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "024")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "025")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "026")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "027")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "028")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "029")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc3")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc4")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc5")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc6")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc7")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc8")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "hfmodem")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev0")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev1")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev2")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev3")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev4")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev5")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev6")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev7")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev8")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev9")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw0")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw1")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw2")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw3")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw4")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw5")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw6")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw7")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw8")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw9")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "hpet")
-+ filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random")
-+ filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng")
-+ filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi2")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi3")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi4")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi5")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi6")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js2")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js3")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js4")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js5")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js6")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js7")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js8")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse0")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse1")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse2")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse3")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse4")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse5")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse6")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse7")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse8")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse9")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "kmem")
-+ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "kmsg")
-+ filetrans_pattern($1, device_t, qemu_device_t, chr_file, "kqemu")
-+ filetrans_pattern($1, device_t, ksm_device_t, chr_file, "ksm")
-+ filetrans_pattern($1, device_t, kvm_device_t, chr_file, "kvm")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik0")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik1")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik2")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik3")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik4")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik5")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik6")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik7")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik8")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik9")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc0")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc1")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc2")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc3")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc4")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc5")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc6")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc7")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc8")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm")
-+ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4013")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4014")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4015")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4016")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4017")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4018")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4019")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr0")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr1")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr2")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr3")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr4")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr5")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr6")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr7")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr8")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr9")
-+ filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost")
-+ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_latency")
-+ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_throughput")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz0")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz1")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz2")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz3")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz4")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz5")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz6")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz7")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9")
-+ filetrans_pattern($1, device_t, null_device_t, chr_file, "null")
-+ filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock2")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock3")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock4")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock5")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock6")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock7")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock8")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock9")
-+ filetrans_pattern($1, device_t, power_device_t, chr_file, "pmu")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "port")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps0")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps1")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps2")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps3")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps4")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps5")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps6")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps7")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps8")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi9")
-+ filetrans_pattern($1, device_t, dri_device_t, chr_file, "radeon")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio9")
-+ filetrans_pattern($1, device_t, random_device_t, chr_file, "random")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13940")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13941")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13942")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13943")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13944")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13945")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13946")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm0")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm1")
-+ filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte9")
-+ filetrans_pattern($1, device_t, power_device_t, chr_file, "smu")
-+ filetrans_pattern($1, device_t, apm_bios_t, chr_file, "snapshot")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sndstat")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "sonypi")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm0")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm1")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm2")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm3")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm4")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm5")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm6")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm7")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm8")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm9")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "uinput")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio0")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio1")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio2")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio3")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio4")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio5")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio6")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio7")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio8")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio9")
-+ filetrans_pattern($1, device_t, urandom_device_t, chr_file, "urandom")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb0")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb1")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb2")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb3")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb4")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb5")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon3")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon4")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon5")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon6")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon7")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon8")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon9")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "usbscanner")
-+ filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-net")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet2")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet3")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet4")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet5")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet6")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "vrtpanel")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vttuner")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx9")
-+ filetrans_pattern($1, device_t, watchdog_device_t, chr_file, "watchdog")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9")
-+ filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt")
-+ filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx3")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx4")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx5")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx6")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx7")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx8")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx9")
-+ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "cpu_dma_latency")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu0")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu1")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu2")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu3")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu4")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu5")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu6")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu7")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu8")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu9")
-+ filetrans_pattern($1, device_t, mtrr_device_t, chr_file, "mtrr")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor0")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor1")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor2")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor3")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor4")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor5")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor6")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor7")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor8")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m0")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m1")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m2")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m3")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m4")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m5")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m6")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m7")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m8")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m9")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard0")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard1")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard2")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard3")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard4")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard5")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard6")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard7")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard8")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard9")
-+ filetrans_pattern($1, device_t, lvm_control_t, chr_file, "control")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "ucb1x00")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mk712")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx0")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx1")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx2")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx3")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx4")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx5")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx6")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx7")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx8")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx9")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8000")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8001")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8002")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8003")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8004")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8005")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8006")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8007")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8008")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8009")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner0")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner1")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner2")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner3")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner4")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner5")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner6")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner7")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner8")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner9")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap0")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap1")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap2")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap3")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap4")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap5")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap6")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap7")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap8")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk3")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
-+ dev_filetrans_xserver_named_dev($1)
-+')
-+
-+########################################
-+##
-+## Create all named devices with the correct label
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_filetrans_xserver_named_dev',`
-+
-+ gen_require(`
-+ type xserver_misc_device_t;
-+ ')
-+
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
-+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
-+')
-diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 06eda45..ed26516 100644
---- a/policy/modules/kernel/devices.te
-+++ b/policy/modules/kernel/devices.te
-@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
- #
- type device_t;
- fs_associate_tmpfs(device_t)
--files_type(device_t)
-+files_base_file(device_t)
- files_mountpoint(device_t)
- files_associate_tmp(device_t)
- fs_type(device_t)
- fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
-+dev_node(device_t)
-
- #
- # Type for /dev/agpgart
-@@ -62,6 +63,9 @@ dev_node(cpu_device_t)
- type crash_device_t;
- dev_node(crash_device_t)
-
-+type ecryptfs_device_t;
-+dev_node(ecryptfs_device_t)
-+
- # for the IBM zSeries z90crypt hardware ssl accelorator
- type crypt_device_t;
- dev_node(crypt_device_t)
-@@ -108,6 +112,7 @@ dev_node(ksm_device_t)
- #
- type kvm_device_t;
- dev_node(kvm_device_t)
-+mls_trusted_object(kvm_device_t)
-
- #
- # Type for /dev/lirc
-@@ -118,9 +123,18 @@ dev_node(lirc_device_t)
- #
- # Type for /dev/mapper/control
- #
-+type loop_control_device_t;
-+dev_node(loop_control_device_t)
-+
-+#
-+# Type for /dev/mapper/control
-+#
- type lvm_control_t;
- dev_node(lvm_control_t)
-
-+type mei_device_t;
-+dev_node(mei_device_t)
-+
- #
- # memory_device_t is the type of /dev/kmem,
- # /dev/mem and /dev/port.
-@@ -218,6 +232,10 @@ files_mountpoint(sysfs_t)
- fs_type(sysfs_t)
- genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
-
-+type cpu_online_t;
-+files_type(cpu_online_t)
-+dev_associate_sysfs(cpu_online_t)
-+
- #
- # Type for /dev/tpm
- #
-@@ -265,6 +283,7 @@ dev_node(v4l_device_t)
- #
- type vhost_device_t;
- dev_node(vhost_device_t)
-+mls_trusted_object(vhost_device_t)
-
- # Type for vmware devices.
- type vmware_device_t;
-@@ -310,5 +329,5 @@ files_associate_tmp(device_node)
- #
-
- allow devices_unconfined_type self:capability sys_rawio;
--allow devices_unconfined_type device_node:{ blk_file chr_file } *;
-+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
- allow devices_unconfined_type mtrr_device_t:file *;
-diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..eee8419 100644
---- a/policy/modules/kernel/domain.if
-+++ b/policy/modules/kernel/domain.if
-@@ -76,33 +76,8 @@ interface(`domain_type',`
- # start with basic domain
- domain_base_type($1)
-
-- ifdef(`distro_redhat',`
-- optional_policy(`
-- unconfined_use_fds($1)
-- ')
-- ')
--
-- # send init a sigchld and signull
-- optional_policy(`
-- init_sigchld($1)
-- init_signull($1)
-- ')
--
-- # these seem questionable:
--
-- optional_policy(`
-- rpm_use_fds($1)
-- rpm_read_pipes($1)
-- ')
--
-- optional_policy(`
-- selinux_dontaudit_getattr_fs($1)
-- selinux_dontaudit_read_fs($1)
-- ')
--
-- optional_policy(`
-- seutil_dontaudit_read_config($1)
-- ')
-+ # Only way to get corenet_unlabeled packets disabled to work
-+ corenet_all_recvfrom_unlabeled($1)
- ')
-
- ########################################
-@@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',`
-
- ########################################
- ##
-+## Do not audit attempts to send
-+## signulls to all domains.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`domain_dontaudit_signull_all_domains',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ dontaudit $1 domain:process signull;
-+')
-+
-+########################################
-+##
- ## Send a stop signal to all domains.
- ##
- ##
-@@ -631,7 +626,7 @@ interface(`domain_read_all_domains_state',`
-
- ########################################
- ##
--## Get the attributes of all domains of all domains.
-+## Get the attributes of all domains.
- ##
- ##
- ##
-@@ -655,7 +650,7 @@ interface(`domain_getattr_all_domains',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -1356,6 +1351,24 @@ interface(`domain_manage_all_entry_files',`
-
- ########################################
- ##
-+## Relabel from domain types on files if a user managed to mislable
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`domain_relabelfrom',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ allow $1 domain:dir_file_class_set relabelfrom_file_perms;
-+')
-+
-+########################################
-+##
- ## Relabel to and from all entry point
- ## file types.
- ##
-@@ -1530,4 +1543,29 @@ interface(`domain_unconfined',`
- typeattribute $1 can_change_object_identity;
- typeattribute $1 set_curr_context;
- typeattribute $1 process_uncond_exempt;
-+
-+ mcs_file_read_all($1)
-+ mcs_file_write_all($1)
-+ mcs_killall($1)
-+ mcs_ptrace_all($1)
-+ mcs_socket_write_all_levels($1)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read or write
-+## all leaked sockets.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`domain_dontaudit_leaks',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ dontaudit $1 domain:socket_class_set { read write };
- ')
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..09a61e6 100644
---- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
- #
- # Declarations
- #
-+##
-+##
-+## Allow all domains to use other domains file descriptors
-+##
-+##
-+#
-+gen_tunable(domain_fd_use, true)
-+
-+##
-+##
-+## Allow all domains to execute in fips_mode
-+##
-+##
-+#
-+gen_tunable(fips_mode, true)
-+
-+##
-+##
-+## Allow all domains to have the kernel load modules
-+##
-+##
-+#
-+gen_tunable(domain_kernel_load_modules, false)
-
- ##
- ##
-@@ -86,23 +109,43 @@ neverallow ~{ domain unlabeled_t } *:process *;
- allow domain self:dir list_dir_perms;
- allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
- allow domain self:file rw_file_perms;
-+allow domain self:fifo_file rw_fifo_file_perms;
-+
- kernel_read_proc_symlinks(domain)
-+kernel_read_crypto_sysctls(domain)
-+kernel_read_vm_overcommit_sysctls(domain)
-+
- # Every domain gets the key ring, so we should default
- # to no one allowed to look at it; afs kernel support creates
- # a keyring
- kernel_dontaudit_search_key(domain)
- kernel_dontaudit_link_key(domain)
-+kernel_dontaudit_search_debugfs(domain)
-
- # create child processes in the domain
--allow domain self:process { fork sigchld };
-+allow domain self:process { getcap fork getsched sigchld };
-
- # Use trusted objects in /dev
-+dev_read_cpu_online(domain)
- dev_rw_null(domain)
- dev_rw_zero(domain)
- term_use_controlling_term(domain)
-
- # list the root directory
- files_list_root(domain)
-+# allow all domains to search through default_t directory, since users sometimes
-+# place labels within these directories. (samba_share_t) for example.
-+files_search_default(domain)
-+files_read_inherited_tmp_files(domain)
-+files_append_inherited_tmp_files(domain)
-+files_read_all_base_ro_files(domain)
-+
-+# All executables should be able to search the directory they are in
-+corecmd_search_bin(domain)
-+
-+tunable_policy(`domain_kernel_load_modules',`
-+ kernel_request_load_module(domain)
-+')
-
- ifdef(`hide_broken_symptoms',`
- # This check is in the general socket
-@@ -121,8 +164,18 @@ tunable_policy(`global_ssp',`
- ')
-
- optional_policy(`
-+ afs_rw_cache(domain)
-+')
-+
-+optional_policy(`
- libs_use_ld_so(domain)
- libs_use_shared_libs(domain)
-+ libs_read_lib_files(domain)
-+')
-+
-+optional_policy(`
-+ miscfiles_read_localization(domain)
-+ miscfiles_read_man_pages(domain)
- ')
-
- optional_policy(`
-@@ -133,6 +186,8 @@ optional_policy(`
- optional_policy(`
- xserver_dontaudit_use_xdm_fds(domain)
- xserver_dontaudit_rw_xdm_pipes(domain)
-+ xserver_dontaudit_append_xdm_home_files(domain)
-+ xserver_dontaudit_write_log(domain)
- ')
-
- ########################################
-@@ -147,12 +202,18 @@ optional_policy(`
- # Use/sendto/connectto sockets created by any domain.
- allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
-
-+allow unconfined_domain_type domain:system all_system_perms;
- # Use descriptors and pipes created by any domain.
- allow unconfined_domain_type domain:fd use;
- allow unconfined_domain_type domain:fifo_file rw_file_perms;
-
-+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
-+
- # Act upon any other process.
--allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-+allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
-+tunable_policy(`deny_ptrace',`',`
-+ allow unconfined_domain_type domain:process ptrace;
-+')
-
- # Create/access any System V IPC objects.
- allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,278 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
- # act on all domains keys
- allow unconfined_domain_type domain:key *;
-
-+corenet_filetrans_all_named_dev(unconfined_domain_type)
-+
-+dev_filetrans_all_named_dev(unconfined_domain_type)
-+
- # receive from all domains over labeled networking
- domain_all_recvfrom_all_domains(unconfined_domain_type)
-+
-+files_filetrans_named_content(unconfined_domain_type)
-+files_filetrans_system_conf_named_files(unconfined_domain_type)
-+files_config_all_files(unconfined_domain_type)
-+dev_config_null_dev_service(unconfined_domain_type)
-+
-+storage_filetrans_all_named_dev(unconfined_domain_type)
-+
-+term_filetrans_all_named_dev(unconfined_domain_type)
-+
-+optional_policy(`
-+ init_status(unconfined_domain_type)
-+ init_reboot(unconfined_domain_type)
-+ init_halt(unconfined_domain_type)
-+ init_undefined(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ auth_filetrans_named_content(unconfined_domain_type)
-+ auth_filetrans_admin_home_content(unconfined_domain_type)
-+ auth_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ libs_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ logging_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ miscfiles_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ alsa_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ apache_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ bootloader_filetrans_config(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ cups_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ devicekit_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ dnsmasq_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ gnome_filetrans_admin_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ gpg_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ irc_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ kerberos_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ mta_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ modules_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ mozilla_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ mysql_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ networkmanager_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ nx_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ postfix_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ prelink_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ pulseaudio_filetrans_home_content(unconfined_domain_type)
-+ pulseaudio_filetrans_admin_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ quota_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ rpcbind_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ sysnet_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ systemd_login_status(unconfined_domain_type)
-+ systemd_login_reboot(unconfined_domain_type)
-+ systemd_login_halt(unconfined_domain_type)
-+ systemd_login_undefined(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ thumb_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ tftp_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
-+ userdom_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ virt_filetrans_named_content(unconfined_domain_type)
-+ virt_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_admin_home_content(unconfined_domain_type)
-+')
-+
-+selinux_getattr_fs(domain)
-+selinux_search_fs(domain)
-+selinux_dontaudit_read_fs(domain)
-+
-+optional_policy(`
-+ seutil_dontaudit_read_config(domain)
-+')
-+
-+optional_policy(`
-+ init_sigchld(domain)
-+ init_signull(domain)
-+ init_read_machineid(domain)
-+')
-+
-+ifdef(`distro_redhat',`
-+ files_search_mnt(domain)
-+ optional_policy(`
-+ unconfined_use_fds(domain)
-+ ')
-+')
-+
-+# these seem questionable:
-+
-+optional_policy(`
-+ abrt_domtrans_helper(domain)
-+ abrt_read_pid_files(domain)
-+ abrt_read_state(domain)
-+ abrt_signull(domain)
-+ abrt_append_cache(domain)
-+ abrt_rw_fifo_file(domain)
-+')
-+
-+optional_policy(`
-+ rpm_use_fds(domain)
-+ rpm_read_pipes(domain)
-+ rpm_search_log(domain)
-+ rpm_append_tmp_files(domain)
-+ rpm_dontaudit_leaks(domain)
-+ rpm_read_script_tmp_files(domain)
-+ rpm_inherited_fifo(domain)
-+')
-+
-+optional_policy(`
-+ sosreport_append_tmp_files(domain)
-+')
-+
-+tunable_policy(`domain_fd_use',`
-+ # Allow all domains to use fds past to them
-+ allow domain domain:fd use;
-+')
-+
-+optional_policy(`
-+ cron_dontaudit_write_system_job_tmp_files(domain)
-+ cron_rw_pipes(domain)
-+ cron_rw_system_job_pipes(domain)
-+')
-+
-+ifdef(`hide_broken_symptoms',`
-+ dontaudit domain self:udp_socket listen;
-+ allow domain domain:key { link search };
-+ dontaudit domain domain:socket_class_set { read write };
-+ dontaudit domain self:capability sys_module;
-+')
-+
-+optional_policy(`
-+ ipsec_match_default_spd(domain)
-+')
-+
-+optional_policy(`
-+ ifdef(`hide_broken_symptoms',`
-+ afs_rw_udp_sockets(domain)
-+ ')
-+')
-+
-+optional_policy(`
-+ ssh_rw_pipes(domain)
-+')
-+
-+optional_policy(`
-+ unconfined_dontaudit_rw_pipes(domain)
-+ unconfined_sigchld(domain)
-+')
-+
-+# broken kernel
-+dontaudit can_change_object_identity can_change_object_identity:key link;
-+
-+ifdef(`distro_redhat',`
-+ optional_policy(`
-+ unconfined_use_fds(domain)
-+ ')
-+')
-+
-+# these seem questionable:
-+
-+optional_policy(`
-+ puppet_rw_tmp(domain)
-+')
-+
-+optional_policy(`
-+ rpm_use_fds(domain)
-+ rpm_read_pipes(domain)
-+')
-+
-+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
-+
-+
-+tunable_policy(`fips_mode',`
-+ allow domain self:fifo_file manage_fifo_file_perms;
-+ kernel_read_kernel_sysctls(domain)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`fips_mode',`
-+ prelink_exec(domain)
-+ ')
-+')
-diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 8796ca3..cb02728 100644
---- a/policy/modules/kernel/files.fc
-+++ b/policy/modules/kernel/files.fc
-@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
- /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
-
- ifdef(`distro_suse',`
-@@ -27,7 +28,7 @@ ifdef(`distro_suse',`
- #
- # /boot
- #
--/boot -d gen_context(system_u:object_r:boot_t,s0)
-+/boot gen_context(system_u:object_r:boot_t,s0)
- /boot/.* gen_context(system_u:object_r:boot_t,s0)
- /boot/\.journal <>
- /boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
-@@ -38,13 +39,13 @@ ifdef(`distro_suse',`
- #
- # /emul
- #
--/emul -d gen_context(system_u:object_r:usr_t,s0)
-+/emul gen_context(system_u:object_r:usr_t,s0)
- /emul/.* gen_context(system_u:object_r:usr_t,s0)
-
- #
- # /etc
- #
--/etc -d gen_context(system_u:object_r:etc_t,s0)
-+/etc gen_context(system_u:object_r:etc_t,s0)
- /etc/.* gen_context(system_u:object_r:etc_t,s0)
- /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -52,13 +53,16 @@ ifdef(`distro_suse',`
- /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
--/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
--/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
--/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
--/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
--/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+/etc/mtab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+
-+/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
-+/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
-+/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
-+/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
-+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
-
- /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
-
-@@ -70,7 +74,10 @@ ifdef(`distro_suse',`
-
- /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
--/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+
-+/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+
-
- ifdef(`distro_gentoo', `
- /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -78,10 +85,6 @@ ifdef(`distro_gentoo', `
- /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
-
--ifdef(`distro_redhat',`
--/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0)
--')
--
- ifdef(`distro_suse',`
- /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -104,7 +107,7 @@ HOME_ROOT/lost\+found/.* <>
- /initrd -d gen_context(system_u:object_r:root_t,s0)
-
- #
--# /lib(64)?
-+# /lib
- #
- /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-
-@@ -129,6 +132,8 @@ ifdef(`distro_debian',`
- /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
- /media/[^/]*/.* <>
- /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
-+/var/run/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
-+/var/run/media/.* <>
-
- #
- # /misc
-@@ -150,10 +155,10 @@ ifdef(`distro_debian',`
- #
- # /opt
- #
--/opt -d gen_context(system_u:object_r:usr_t,s0)
-+/opt gen_context(system_u:object_r:usr_t,s0)
- /opt/.* gen_context(system_u:object_r:usr_t,s0)
-
--/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
-+/opt/(.*/)?var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
-
- #
- # /proc
-@@ -161,6 +166,12 @@ ifdef(`distro_debian',`
- /proc -d <>
- /proc/.* <>
-
-+ifdef(`distro_redhat',`
-+/rhev -d gen_context(system_u:object_r:mnt_t,s0)
-+/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
-+/rhev/[^/]*/.* <>
-+')
-+
- #
- # /run
- #
-@@ -169,6 +180,7 @@ ifdef(`distro_debian',`
- /run/.*\.*pid <>
- /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
-
-+/sandbox(/.*)? gen_context(system_u:object_r:tmp_t,s0)
- #
- # /selinux
- #
-@@ -178,13 +190,14 @@ ifdef(`distro_debian',`
- #
- # /srv
- #
--/srv -d gen_context(system_u:object_r:var_t,s0)
-+/srv gen_context(system_u:object_r:var_t,s0)
- /srv/.* gen_context(system_u:object_r:var_t,s0)
-
- #
- # /tmp
- #
--/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-+/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-+/tmp-inst gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
- /tmp/.* <>
- /tmp/\.journal <>
-
-@@ -194,9 +207,10 @@ ifdef(`distro_debian',`
- #
- # /usr
- #
--/usr -d gen_context(system_u:object_r:usr_t,s0)
-+/usr gen_context(system_u:object_r:usr_t,s0)
- /usr/.* gen_context(system_u:object_r:usr_t,s0)
- /usr/\.journal <>
-+/export(/.*)? gen_context(system_u:object_r:usr_t,s0)
-
- /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-
-@@ -204,15 +218,9 @@ ifdef(`distro_debian',`
-
- /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
-
--/usr/local/\.journal <>
--
--/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
--
--/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
--/usr/local/lost\+found/.* <>
--
- /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
- /usr/lost\+found/.* <>
-+/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-
- /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
-
-@@ -220,8 +228,6 @@ ifdef(`distro_debian',`
- /usr/tmp/.* <>
-
- ifndef(`distro_redhat',`
--/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
--
- /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
- /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
- ')
-@@ -229,7 +235,7 @@ ifndef(`distro_redhat',`
- #
- # /var
- #
--/var -d gen_context(system_u:object_r:var_t,s0)
-+/var gen_context(system_u:object_r:var_t,s0)
- /var/.* gen_context(system_u:object_r:var_t,s0)
- /var/\.journal <>
-
-@@ -237,11 +243,21 @@ ifndef(`distro_redhat',`
-
- /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
-
-+/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
-+
- /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
-
- /var/lib/nfs/rpc_pipefs(/.*)? <>
-
-+/var/lib/stickshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
-+/var/lib/stickshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
-+
-+/var/lib/openshift/.openshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
-+/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
-+/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
-+
- /var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
-+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
-
- /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
- /var/lost\+found/.* <>
-@@ -256,6 +272,7 @@ ifndef(`distro_redhat',`
-
- /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
- /var/tmp -l gen_context(system_u:object_r:tmp_t,s0)
-+/var/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
- /var/tmp/.* <>
- /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
- /var/tmp/lost\+found/.* <>
-@@ -264,3 +281,5 @@ ifndef(`distro_redhat',`
- ifdef(`distro_debian',`
- /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
- ')
-+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
-+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..37f3b90 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -55,6 +55,7 @@
- ## files_pid_file()
- ## files_security_file()
- ## files_security_mountpoint()
-+## files_spool_file()
- ## files_tmp_file()
- ## files_tmpfs_file()
- ## logging_log_file()
-@@ -521,7 +522,7 @@ interface(`files_mounton_non_security',`
- attribute non_security_file_type;
- ')
-
-- allow $1 non_security_file_type:dir mounton;
-+ allow $1 non_security_file_type:dir { write setattr mounton };
- allow $1 non_security_file_type:file mounton;
- ')
-
-@@ -620,6 +621,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
-
- ########################################
- ##
-+## Do not audit attempts to search
-+## non security dirs.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_non_security_dirs',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to set the attributes
-+## of non security files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_setattr_non_security_files',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:file setattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to set the attributes
-+## of non security directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_setattr_non_security_dirs',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:dir setattr;
-+')
-+
-+########################################
-+##
- ## Read all files.
- ##
- ##
-@@ -683,12 +741,82 @@ interface(`files_read_non_security_files',`
- attribute non_security_file_type;
- ')
-
-+ list_dirs_pattern($1, non_security_file_type, non_security_file_type)
- read_files_pattern($1, non_security_file_type, non_security_file_type)
- read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
- ')
-
- ########################################
- ##
-+## Read/Write all inherited non-security files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_rw_inherited_non_security_files',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ allow $1 non_security_file_type:file { read write };
-+')
-+
-+########################################
-+##
-+## Manage all non-security files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_manage_non_security_files',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
-+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
-+')
-+
-+########################################
-+##
-+## Relabel all non-security files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_relabel_non_security_files',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
-+ allow $1 { non_security_file_type }:dir list_dir_perms;
-+ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+
-+ # satisfy the assertions:
-+ seutil_relabelto_bin_policy($1)
-+')
-+
-+########################################
-+##
- ## Read all directories on the filesystem, except
- ## the listed exceptions.
- ##
-@@ -953,6 +1081,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
-
- ########################################
- ##
-+## Do not audit attempts to read/write
-+## of non security named pipes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_rw_inherited_pipes',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
- ## Get the attributes of all named sockets.
- ##
- ##
-@@ -1073,10 +1220,8 @@ interface(`files_relabel_all_files',`
- relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
-- # this is only relabelfrom since there should be no
-- # device nodes with file types.
-- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
-- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
-+ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
-+ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
-
- # satisfy the assertions:
- seutil_relabelto_bin_policy($1)
-@@ -1655,6 +1800,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
-
- ########################################
- ##
-+## Write all mount points.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_write_all_mountpoints',`
-+ gen_require(`
-+ attribute mountpoint;
-+ ')
-+
-+ allow $1 mountpoint:dir write;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to write to mount points.
- ##
- ##
-@@ -1673,6 +1836,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
-
- ########################################
- ##
-+## Write all file type directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_write_all_dirs',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ allow $1 file_type:dir write;
-+')
-+
-+########################################
-+##
- ## List the contents of the root directory.
- ##
- ##
-@@ -1856,6 +2037,42 @@ interface(`files_delete_root_dir_entry',`
-
- ########################################
- ##
-+## Set attributes of the root directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_root_dirs',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ allow $1 root_t:dir setattr_dir_perms;
-+')
-+
-+########################################
-+##
-+## Relabel a rootfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_rootfs',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ allow $1 root_t:filesystem relabel_file_perms;
-+')
-+
-+########################################
-+##
- ## Unmount a rootfs filesystem.
- ##
- ##
-@@ -1874,6 +2091,24 @@ interface(`files_unmount_rootfs',`
-
- ########################################
- ##
-+## Mount a filesystem on the root file system
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_mounton_rootfs',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ allow $1 root_t:dir { search_dir_perms mounton };
-+')
-+
-+########################################
-+##
- ## Get attributes of the /boot directory.
- ##
- ##
-@@ -2573,6 +2808,24 @@ interface(`files_rw_etc_dirs',`
- allow $1 etc_t:dir rw_dir_perms;
- ')
-
-+#######################################
-+##
-+## Dontaudit remove dir /etc directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_remove_etc_dir',`
-+ gen_require(`
-+ type etc_t;
-+ ')
-+
-+ dontaudit $1 etc_t:dir rmdir;
-+')
-+
- ##########################################
- ##
- ## Manage generic directories in /etc
-@@ -2644,6 +2897,7 @@ interface(`files_read_etc_files',`
- allow $1 etc_t:dir list_dir_perms;
- read_files_pattern($1, etc_t, etc_t)
- read_lnk_files_pattern($1, etc_t, etc_t)
-+ files_read_etc_runtime_files($1)
- ')
-
- ########################################
-@@ -2652,7 +2906,7 @@ interface(`files_read_etc_files',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -2708,6 +2962,25 @@ interface(`files_manage_etc_files',`
-
- ########################################
- ##
-+## Do not audit attempts to check the
-+## access on etc files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_access_check_etc',`
-+ gen_require(`
-+ type etc_t;
-+ ')
-+
-+ dontaudit $1 etc_t:file_class_set audit_access;
-+')
-+
-+########################################
-+##
- ## Delete system configuration files in /etc.
- ##
- ##
-@@ -2726,6 +2999,24 @@ interface(`files_delete_etc_files',`
-
- ########################################
- ##
-+## Remove entries from the etc directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_etc_dir_entry',`
-+ gen_require(`
-+ type etc_t;
-+ ')
-+
-+ allow $1 etc_t:dir del_entry_dir_perms;
-+')
-+
-+########################################
-+##
- ## Execute generic files in /etc.
- ##
- ##
-@@ -2891,24 +3182,6 @@ interface(`files_delete_boot_flag',`
-
- ########################################
- ##
--## Do not audit attempts to set the attributes of the etc_runtime files
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`files_dontaudit_setattr_etc_runtime_files',`
-- gen_require(`
-- type etc_runtime_t;
-- ')
--
-- dontaudit $1 etc_runtime_t:file setattr;
--')
--
--########################################
--##
- ## Read files in /etc that are dynamically
- ## created on boot, such as mtab.
- ##
-@@ -2949,9 +3222,7 @@ interface(`files_read_etc_runtime_files',`
-
- ########################################
- ##
--## Do not audit attempts to read files
--## in /etc that are dynamically
--## created on boot, such as mtab.
-+## Do not audit attempts to set the attributes of the etc_runtime files
- ##
- ##
- ##
-@@ -2959,12 +3230,50 @@ interface(`files_read_etc_runtime_files',`
- ##
- ##
- #
--interface(`files_dontaudit_read_etc_runtime_files',`
-+interface(`files_dontaudit_setattr_etc_runtime_files',`
- gen_require(`
- type etc_runtime_t;
- ')
-
-- dontaudit $1 etc_runtime_t:file { getattr read };
-+ dontaudit $1 etc_runtime_t:file setattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write etc_runtime files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_write_etc_runtime_files',`
-+ gen_require(`
-+ type etc_runtime_t;
-+ ')
-+
-+ dontaudit $1 etc_runtime_t:file write;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read files
-+## in /etc that are dynamically
-+## created on boot, such as mtab.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_read_etc_runtime_files',`
-+ gen_require(`
-+ type etc_runtime_t;
-+ ')
-+
-+ dontaudit $1 etc_runtime_t:file { getattr read };
- ')
-
- ########################################
-@@ -2986,6 +3295,7 @@ interface(`files_rw_etc_runtime_files',`
-
- allow $1 etc_t:dir list_dir_perms;
- rw_files_pattern($1, etc_t, etc_runtime_t)
-+ read_lnk_files_pattern($1, etc_t, etc_t)
- ')
-
- ########################################
-@@ -3007,6 +3317,7 @@ interface(`files_manage_etc_runtime_files',`
- ')
-
- manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
-+ read_lnk_files_pattern($1, etc_t, etc_runtime_t)
- ')
-
- ########################################
-@@ -3135,6 +3446,25 @@ interface(`files_delete_isid_type_dirs',`
-
- ########################################
- ##
-+## Relabelfrom all file opbjects on new filesystems
-+## that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelfrom_isid_type',`
-+ gen_require(`
-+ type file_t;
-+ ')
-+
-+ dontaudit $1 file_t:dir_file_class_set relabelfrom;
-+')
-+
-+########################################
-+##
- ## Create, read, write, and delete directories
- ## on new filesystems that have not yet been labeled.
- ##
-@@ -3382,6 +3712,25 @@ interface(`files_rw_isid_type_blk_files',`
-
- ########################################
- ##
-+## rw any files inherited from another process
-+## on new filesystems that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_inherited_isid_type_files',`
-+ gen_require(`
-+ type file_t;
-+ ')
-+
-+ allow $1 file_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Create, read, write, and delete block device nodes
- ## on new filesystems that have not yet been labeled.
- ##
-@@ -3723,20 +4072,38 @@ interface(`files_list_mnt',`
-
- ######################################
- ##
--## Do not audit attempts to list the contents of /mnt.
-+## dontaudit List the contents of /mnt.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_list_mnt',`
-+ gen_require(`
-+ type mnt_t;
-+ ')
-+
-+ dontaudit $1 mnt_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to check the
-+## write access on mnt files
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_dontaudit_list_mnt',`
-+interface(`files_dontaudit_access_check_mnt',`
- gen_require(`
- type mnt_t;
- ')
--
-- dontaudit $1 mnt_t:dir list_dir_perms;
-+ dontaudit $1 mnt_t:file_class_set audit_access;
- ')
-
- ########################################
-@@ -4126,6 +4493,133 @@ interface(`files_read_world_readable_sockets',`
- allow $1 readable_t:sock_file read_sock_file_perms;
- ')
-
-+#######################################
-+##
-+## Read manageable system configuration files in /etc
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_system_conf_files',`
-+ gen_require(`
-+ type etc_t, system_conf_t;
-+ ')
-+
-+ allow $1 etc_t:dir list_dir_perms;
-+ read_files_pattern($1, etc_t, system_conf_t)
-+ read_lnk_files_pattern($1, etc_t, system_conf_t)
-+')
-+
-+######################################
-+##
-+## Manage manageable system configuration files in /etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_system_conf_files',`
-+ gen_require(`
-+ type etc_t, system_conf_t;
-+ ')
-+
-+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
-+ files_filetrans_system_conf_named_files($1)
-+')
-+
-+#####################################
-+##
-+## File name transition for system configuration files in /etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_filetrans_system_conf_named_files',`
-+ gen_require(`
-+ type etc_t, system_conf_t;
-+ ')
-+
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
-+')
-+
-+######################################
-+##
-+## Relabel manageable system configuration files in /etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelto_system_conf_files',`
-+ gen_require(`
-+ type usr_t;
-+ ')
-+
-+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
-+######################################
-+##
-+## Relabel manageable system configuration files in /etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelfrom_system_conf_files',`
-+ gen_require(`
-+ type usr_t;
-+ ')
-+
-+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
-+###################################
-+##
-+## Create files in /etc with the type used for
-+## the manageable system config files.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`files_etc_filetrans_system_conf',`
-+ gen_require(`
-+ type etc_t, system_conf_t;
-+ ')
-+
-+ filetrans_pattern($1, etc_t, system_conf_t, file)
-+')
-+
- ########################################
- ##
- ## Allow the specified type to associate
-@@ -4148,6 +4642,26 @@ interface(`files_associate_tmp',`
-
- ########################################
- ##
-+## Allow the specified type to associate
-+## to a filesystem with the type of the
-+## / file system
-+##
-+##
-+##
-+## Type of the file to associate.
-+##
-+##
-+#
-+interface(`files_associate_rootfs',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ allow $1 root_t:filesystem associate;
-+')
-+
-+########################################
-+##
- ## Get the attributes of the tmp directory (/tmp).
- ##
- ##
-@@ -4161,6 +4675,7 @@ interface(`files_getattr_tmp_dirs',`
- type tmp_t;
- ')
-
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- allow $1 tmp_t:dir getattr;
- ')
-
-@@ -4171,7 +4686,7 @@ interface(`files_getattr_tmp_dirs',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -4198,6 +4713,7 @@ interface(`files_search_tmp',`
- type tmp_t;
- ')
-
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- allow $1 tmp_t:dir search_dir_perms;
- ')
-
-@@ -4234,6 +4750,7 @@ interface(`files_list_tmp',`
- type tmp_t;
- ')
-
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- allow $1 tmp_t:dir list_dir_perms;
- ')
-
-@@ -4243,7 +4760,7 @@ interface(`files_list_tmp',`
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -4255,6 +4772,25 @@ interface(`files_dontaudit_list_tmp',`
- dontaudit $1 tmp_t:dir list_dir_perms;
- ')
-
-+#######################################
-+##
-+## Allow read and write to the tmp directory (/tmp).
-+##
-+##
-+##
-+## Domain not to audit.
-+##
-+##
-+#
-+interface(`files_rw_generic_tmp_dir',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ allow $1 tmp_t:dir rw_dir_perms;
-+')
-+
- ########################################
- ##
- ## Remove entries from the tmp directory.
-@@ -4270,6 +4806,7 @@ interface(`files_delete_tmp_dir_entry',`
- type tmp_t;
- ')
-
-+ files_search_tmp($1)
- allow $1 tmp_t:dir del_entry_dir_perms;
- ')
-
-@@ -4311,6 +4848,32 @@ interface(`files_manage_generic_tmp_dirs',`
-
- ########################################
- ##
-+## Allow shared library text relocations in tmp files.
-+##
-+##
-+##
-+## Allow shared library text relocations in tmp files.
-+##
-+##
-+## This is added to support java policy.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_execmod_tmp',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ allow $1 tmpfile:file execmod;
-+')
-+
-+########################################
-+##
- ## Manage temporary files and directories in /tmp.
- ##
- ##
-@@ -4365,6 +4928,42 @@ interface(`files_rw_generic_tmp_sockets',`
-
- ########################################
- ##
-+## Relabel a dir from the type used in /tmp.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelfrom_tmp_dirs',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+##
-+## Relabel a file from the type used in /tmp.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelfrom_tmp_files',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+##
- ## Set the attributes of all tmp directories.
- ##
- ##
-@@ -4383,6 +4982,42 @@ interface(`files_setattr_all_tmp_dirs',`
-
- ########################################
- ##
-+## Allow caller to read inherited tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_inherited_tmp_files',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
-+')
-+
-+########################################
-+##
-+## Allow caller to append inherited tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_append_inherited_tmp_files',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ allow $1 tmpfile:file append_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## List all tmp directories.
- ##
- ##
-@@ -4428,7 +5063,7 @@ interface(`files_relabel_all_tmp_dirs',`
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -4488,7 +5123,7 @@ interface(`files_relabel_all_tmp_files',`
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -4573,6 +5208,16 @@ interface(`files_purge_tmp',`
- delete_lnk_files_pattern($1, tmpfile, tmpfile)
- delete_fifo_files_pattern($1, tmpfile, tmpfile)
- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ delete_chr_files_pattern($1, tmpfile, tmpfile)
-+ delete_blk_files_pattern($1, tmpfile, tmpfile)
-+ files_list_isid_type_dirs($1)
-+ files_delete_isid_type_dirs($1)
-+ files_delete_isid_type_files($1)
-+ files_delete_isid_type_symlinks($1)
-+ files_delete_isid_type_fifo_files($1)
-+ files_delete_isid_type_sock_files($1)
-+ files_delete_isid_type_blk_files($1)
-+ files_delete_isid_type_chr_files($1)
- ')
-
- ########################################
-@@ -5150,12 +5795,30 @@ interface(`files_list_var',`
-
- ########################################
- ##
--## Create, read, write, and delete directories
--## in the /var directory.
-+## Do not audit listing of the var directory (/var).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_list_var',`
-+ gen_require(`
-+ type var_t;
-+ ')
-+
-+ dontaudit $1 var_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete directories
-+## in the /var directory.
-+##
-+##
-+##
-+## Domain allowed access.
- ##
- ##
- #
-@@ -5505,6 +6168,25 @@ interface(`files_read_var_lib_symlinks',`
- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
-
-+########################################
-+##
-+## manage generic symbolic links
-+## in the /var/lib directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_var_lib_symlinks',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+
-+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
-+')
-+
- # cjp: the next two interfaces really need to be fixed
- # in some way. They really neeed their own types.
-
-@@ -5550,7 +6232,7 @@ interface(`files_manage_mounttab',`
-
- ########################################
- ##
--## Set the attributes of the generic lock directories.
-+## List generic lock directories.
- ##
- ##
- ##
-@@ -5558,12 +6240,13 @@ interface(`files_manage_mounttab',`
- ##
- ##
- #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_list_locks',`
- gen_require(`
- type var_t, var_lock_t;
- ')
-
-- setattr_dirs_pattern($1, var_t, var_lock_t)
-+ files_search_locks($1)
-+ list_dirs_pattern($1, var_t, var_lock_t)
- ')
-
- ########################################
-@@ -5581,6 +6264,7 @@ interface(`files_search_locks',`
- type var_t, var_lock_t;
- ')
-
-+ files_search_pids($1)
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- search_dirs_pattern($1, var_t, var_lock_t)
- ')
-@@ -5607,7 +6291,26 @@ interface(`files_dontaudit_search_locks',`
-
- ########################################
- ##
--## List generic lock directories.
-+## Do not audit attempts to read/write inherited
-+## locks (/var/lock).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_rw_inherited_locks',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Set the attributes of the /var/lock directory.
- ##
- ##
- ##
-@@ -5615,13 +6318,12 @@ interface(`files_dontaudit_search_locks',`
- ##
- ##
- #
--interface(`files_list_locks',`
-+interface(`files_setattr_lock_dirs',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_lock_t)
-+ allow $1 var_lock_t:dir setattr;
- ')
-
- ########################################
-@@ -5640,7 +6342,7 @@ interface(`files_rw_lock_dirs',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ files_search_locks($1)
- rw_dirs_pattern($1, var_t, var_lock_t)
- ')
-
-@@ -5673,7 +6375,6 @@ interface(`files_create_lock_dirs',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`files_relabel_all_lock_dirs',`
- gen_require(`
-@@ -5701,8 +6402,7 @@ interface(`files_getattr_generic_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ files_search_locks($1)
- allow $1 var_lock_t:dir list_dir_perms;
- getattr_files_pattern($1, var_lock_t, var_lock_t)
- ')
-@@ -5718,13 +6418,12 @@ interface(`files_getattr_generic_locks',`
- ##
- #
- interface(`files_delete_generic_locks',`
-- gen_require(`
-+ gen_require(`
- type var_t, var_lock_t;
-- ')
-+ ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, var_lock_t, var_lock_t)
-+ files_search_locks($1)
-+ delete_files_pattern($1, var_lock_t, var_lock_t)
- ')
-
- ########################################
-@@ -5743,8 +6442,7 @@ interface(`files_manage_generic_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ files_search_locks($1)
- manage_files_pattern($1, var_lock_t, var_lock_t)
- ')
-
-@@ -5786,8 +6484,7 @@ interface(`files_read_all_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+ files_search_locks($1)
- allow $1 lockfile:dir list_dir_perms;
- read_files_pattern($1, lockfile, lockfile)
- read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5809,8 +6506,7 @@ interface(`files_manage_all_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+ files_search_locks($1)
- manage_dirs_pattern($1, lockfile, lockfile)
- manage_files_pattern($1, lockfile, lockfile)
- manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5847,8 +6543,7 @@ interface(`files_lock_filetrans',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ files_search_locks($1)
- filetrans_pattern($1, var_lock_t, $2, $3, $4)
- ')
-
-@@ -5911,6 +6606,43 @@ interface(`files_search_pids',`
- search_dirs_pattern($1, var_t, var_run_t)
- ')
-
-+######################################
-+##
-+## Add and remove entries from pid directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ allow $1 var_run_t:dir rw_dir_perms;
-+')
-+
-+#######################################
-+##
-+## Create generic pid directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_var_run_dirs',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir create_dir_perms;
-+')
-+
- ########################################
- ##
- ## Do not audit attempts to search
-@@ -5933,6 +6665,25 @@ interface(`files_dontaudit_search_pids',`
-
- ########################################
- ##
-+## Do not audit attempts to search
-+## the all /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ dontaudit $1 pidfile:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## List the contents of the runtime process
- ## ID directories (/var/run).
- ##
-@@ -6048,7 +6799,6 @@ interface(`files_pid_filetrans',`
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- filetrans_pattern($1, var_run_t, $2, $3, $4)
- ')
-
-@@ -6157,30 +6907,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
-
- ########################################
- ##
--## Read all process ID files.
-+## Relable all pid directories
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_read_all_pids',`
-+interface(`files_relabel_all_pid_dirs',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
-+ relabel_dirs_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ##
--## Mount filesystems on all polyinstantiation
--## member directories.
-+## Delete all pid sockets
- ##
- ##
- ##
-@@ -6188,43 +6933,35 @@ interface(`files_read_all_pids',`
- ##
- ##
- #
--interface(`files_mounton_all_poly_members',`
-+interface(`files_delete_all_pid_sockets',`
- gen_require(`
-- attribute polymember;
-+ attribute pidfile;
- ')
-
-- allow $1 polymember:dir mounton;
-+ allow $1 pidfile:sock_file delete_sock_file_perms;
- ')
-
- ########################################
- ##
--## Delete all process IDs.
-+## Create all pid sockets
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_delete_all_pids',`
-+interface(`files_create_all_pid_sockets',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+ allow $1 pidfile:sock_file create_sock_file_perms;
- ')
-
- ########################################
- ##
--## Delete all process ID directories.
-+## Create all pid named pipes
- ##
- ##
- ##
-@@ -6232,21 +6969,17 @@ interface(`files_delete_all_pids',`
- ##
- ##
- #
--interface(`files_delete_all_pid_dirs',`
-+interface(`files_create_all_pid_pipes',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- delete_dirs_pattern($1, pidfile, pidfile)
-+ allow $1 pidfile:fifo_file create_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Search the contents of generic spool
--## directories (/var/spool).
-+## Delete all pid named pipes
- ##
- ##
- ##
-@@ -6254,56 +6987,59 @@ interface(`files_delete_all_pid_dirs',`
- ##
- ##
- #
--interface(`files_search_spool',`
-+interface(`files_delete_all_pid_pipes',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute pidfile;
- ')
-
-- search_dirs_pattern($1, var_t, var_spool_t)
-+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search generic
--## spool directories.
-+## manage all pidfile directories
-+## in the /var/run directory.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_spool',`
-+interface(`files_manage_all_pid_dirs',`
- gen_require(`
-- type var_spool_t;
-+ attribute pidfile;
- ')
-
-- dontaudit $1 var_spool_t:dir search_dir_perms;
-+ manage_dirs_pattern($1,pidfile,pidfile)
- ')
-
-+
- ########################################
- ##
--## List the contents of generic spool
--## (/var/spool) directories.
-+## Read all process ID files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_list_spool',`
-+interface(`files_read_all_pids',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute pidfile;
-+ type var_t;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-+ list_dirs_pattern($1, var_t, pidfile)
-+ read_files_pattern($1, pidfile, pidfile)
-+ read_lnk_files_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool directories (/var/spool).
-+## Relable all pid files
- ##
- ##
- ##
-@@ -6311,18 +7047,17 @@ interface(`files_list_spool',`
- ##
- ##
- #
--interface(`files_manage_generic_spool_dirs',`
-+interface(`files_relabel_all_pid_files',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute pidfile;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+ relabel_files_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ##
--## Read generic spool files.
-+## Execute generic programs in /var/run in the caller domain.
- ##
- ##
- ##
-@@ -6330,19 +7065,18 @@ interface(`files_manage_generic_spool_dirs',`
- ##
- ##
- #
--interface(`files_read_generic_spool',`
-+interface(`files_exec_generic_pid_files',`
- gen_require(`
-- type var_t, var_spool_t;
-+ type var_run_t;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-- read_files_pattern($1, var_spool_t, var_spool_t)
-+ exec_files_pattern($1, var_run_t, var_run_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool files.
-+## manage all pidfiles
-+## in the /var/run directory.
- ##
- ##
- ##
-@@ -6350,55 +7084,62 @@ interface(`files_read_generic_spool',`
- ##
- ##
- #
--interface(`files_manage_generic_spool',`
-+interface(`files_manage_all_pids',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute pidfile;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_spool_t, var_spool_t)
-+ manage_files_pattern($1,pidfile,pidfile)
- ')
-
- ########################################
- ##
--## Create objects in the spool directory
--## with a private type with a type transition.
-+## Mount filesystems on all polyinstantiation
-+## member directories.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Type to which the created node will be transitioned.
--##
--##
--##
--##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
--##
--##
--##
-+#
-+interface(`files_mounton_all_poly_members',`
-+ gen_require(`
-+ attribute polymember;
-+ ')
-+
-+ allow $1 polymember:dir mounton;
-+')
-+
-+########################################
-+##
-+## Delete all process IDs.
-+##
-+##
- ##
--## The name of the object being created.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_spool_filetrans',`
-+interface(`files_delete_all_pids',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute pidfile;
-+ type var_t, var_run_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ allow $1 var_run_t:dir rmdir;
-+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+ delete_files_pattern($1, pidfile, pidfile)
-+ delete_fifo_files_pattern($1, pidfile, pidfile)
-+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
- ')
-
- ########################################
- ##
--## Allow access to manage all polyinstantiated
--## directories on the system.
-+## Delete all process ID directories.
- ##
- ##
- ##
-@@ -6406,25 +7147,283 @@ interface(`files_spool_filetrans',`
- ##
- ##
- #
--interface(`files_polyinstantiate_all',`
-+interface(`files_delete_all_pid_dirs',`
- gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
-+ attribute pidfile;
-+ type var_t, var_run_t;
- ')
-
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ delete_dirs_pattern($1, pidfile, pidfile)
-+')
-
-- # Need to give access to parent directories where original
-+########################################
-+##
-+## Make the specified type a file
-+## used for spool files.
-+##
-+##
-+##
-+## Make the specified type usable for spool files.
-+## This will also make the type usable for files, making
-+## calls to files_type() redundant. Failure to use this interface
-+## for a spool file may result in problems with
-+## purging spool files.
-+##
-+##
-+## Related interfaces:
-+##
-+##
-+## - files_spool_filetrans()
-+##
-+##
-+## Example usage with a domain that can create and
-+## write its spool file in the system spool file
-+## directories (/var/spool):
-+##
-+##
-+## type myspoolfile_t;
-+## files_spool_file(myfile_spool_t)
-+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
-+## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
-+##
-+##
-+##
-+##
-+## Type of the file to be used as a
-+## spool file.
-+##
-+##
-+##
-+#
-+interface(`files_spool_file',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
-+
-+ files_type($1)
-+ typeattribute $1 spoolfile;
-+')
-+
-+########################################
-+##
-+## Create all spool sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_all_spool_sockets',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
-+
-+ allow $1 spoolfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete all spool sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_all_spool_sockets',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
-+
-+ allow $1 spoolfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Search the contents of generic spool
-+## directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search generic
-+## spool directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_spool',`
-+ gen_require(`
-+ type var_spool_t;
-+ ')
-+
-+ dontaudit $1 var_spool_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List the contents of generic spool
-+## (/var/spool) directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## spool directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_spool_dirs',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Read generic spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+ read_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create objects in the spool directory
-+## with a private type with a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Type to which the created node will be transitioned.
-+##
-+##
-+##
-+##
-+## Object class(es) (single or set including {}) for which this
-+## the transition will occur.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_spool_filetrans',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Allow access to manage all polyinstantiated
-+## directories on the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_polyinstantiate_all',`
-+ gen_require(`
-+ attribute polydir, polymember, polyparent;
-+ type poly_t;
-+ ')
-+
-+ # Need to give access to /selinux/member
-+ selinux_compute_member($1)
-+
-+ # Need sys_admin capability for mounting
-+ allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+ # Need to give access to the directories to be polyinstantiated
-+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+ # Need to give access to the polyinstantiated subdirectories
-+ allow $1 polymember:dir search_dir_perms;
-+
-+ # Need to give access to parent directories where original
- # is remounted for polyinstantiation aware programs (like gdm)
- allow $1 polyparent:dir { getattr mounton };
-
-@@ -6467,3 +7466,457 @@ interface(`files_unconfined',`
-
- typeattribute $1 files_unconfined_type;
- ')
-+
-+########################################
-+##
-+## Create a core files in /
-+##
-+##
-+##
-+## Create a core file in /,
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_manage_root_files',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ manage_files_pattern($1, root_t, root_t)
-+')
-+
-+########################################
-+##
-+## Create a default directory
-+##
-+##
-+##
-+## Create a default_t direcrory
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_create_default_dir',`
-+ gen_require(`
-+ type default_t;
-+ ')
-+
-+ allow $1 default_t:dir create;
-+')
-+
-+########################################
-+##
-+## Create, default_t objects with an automatic
-+## type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The class of the object being created.
-+##
-+##
-+#
-+interface(`files_root_filetrans_default',`
-+ gen_require(`
-+ type root_t, default_t;
-+ ')
-+
-+ filetrans_pattern($1, root_t, default_t, $2)
-+')
-+
-+########################################
-+##
-+## manage generic symbolic links
-+## in the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_pids_symlinks',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to getattr
-+## all tmpfs files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_tmpfs_files',`
-+ gen_require(`
-+ attribute tmpfsfile;
-+ ')
-+
-+ allow $1 tmpfsfile:file getattr;
-+')
-+
-+########################################
-+##
-+## Allow read write all tmpfs files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_rw_tmpfs_files',`
-+ gen_require(`
-+ attribute tmpfsfile;
-+ ')
-+
-+ allow $1 tmpfsfile:file { read write };
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read security files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_read_security_files',`
-+ gen_require(`
-+ attribute security_file_type;
-+ ')
-+
-+ dontaudit $1 security_file_type:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## rw any files inherited from another process
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Object type.
-+##
-+##
-+#
-+interface(`files_rw_all_inherited_files',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
-+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
-+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
-+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow any file point to be the entrypoint of this domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_entrypoint_all_files',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+ allow $1 file_type:file entrypoint;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to rw inherited file perms
-+## of non security files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_all_non_security_leaks',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read or write
-+## all leaked files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_leaks',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ dontaudit $1 file_type:file rw_inherited_file_perms;
-+ dontaudit $1 file_type:lnk_file { read };
-+')
-+
-+########################################
-+##
-+## Allow domain to create_file_ass all types
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_as_is_all_files',`
-+ gen_require(`
-+ attribute file_type;
-+ class kernel_service create_files_as;
-+ ')
-+
-+ allow $1 file_type:kernel_service create_files_as;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to check the
-+## write access on all files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_all_access_check',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ dontaudit $1 file_type:file_class_set audit_access;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write to all files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_write_all_files',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ dontaudit $1 file_type:dir_file_class_set write;
-+')
-+
-+########################################
-+##
-+## Allow domain to delete to all files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_delete_all_non_security_files',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ allow $1 non_security_file_type:dir del_entry_dir_perms;
-+ allow $1 non_security_file_type:file_class_set delete_file_perms;
-+')
-+
-+########################################
-+##
-+## Transition named content in the var_run_t directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_filetrans_named_content',`
-+ gen_require(`
-+ type mnt_t;
-+ type usr_t;
-+ type var_t;
-+ ')
-+
-+ files_pid_filetrans($1, mnt_t, dir, "media")
-+ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
-+ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
-+ files_root_filetrans($1, mnt_t, dir, "afs")
-+ files_root_filetrans($1, mnt_t, dir, "misc")
-+ files_root_filetrans($1, mnt_t, dir, "net")
-+ files_root_filetrans($1, usr_t, dir, "export")
-+ files_root_filetrans($1, usr_t, dir, "emul")
-+ files_root_filetrans($1, var_t, dir, "nsr")
-+ files_etc_filetrans_etc_runtime($1, file, "runtime")
-+ files_etc_filetrans_etc_runtime($1, dir, "blkid")
-+ files_etc_filetrans_etc_runtime($1, dir, "cmtab")
-+ files_etc_filetrans_etc_runtime($1, file, "fstab.REVOKE")
-+ files_etc_filetrans_etc_runtime($1, file, "ioctl.save")
-+ files_etc_filetrans_etc_runtime($1, file, "nologin")
-+ files_etc_filetrans_etc_runtime($1, file, "securetty")
-+ files_etc_filetrans_etc_runtime($1, file, "ifstate")
-+ files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
-+ files_etc_filetrans_etc_runtime($1, file, "hwconf")
-+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
-+')
-+
-+########################################
-+##
-+## Make the specified type a
-+## base file.
-+##
-+##
-+##
-+## Identify file type as base file type. Tools will use this attribute,
-+## to help users diagnose problems.
-+##
-+##
-+##
-+##
-+## Type to be used as a base files.
-+##
-+##
-+##
-+#
-+interface(`files_base_file',`
-+ gen_require(`
-+ attribute base_file_type;
-+ ')
-+ files_type($1)
-+ typeattribute $1 base_file_type;
-+')
-+
-+########################################
-+##
-+## Make the specified type a
-+## base read only file.
-+##
-+##
-+##
-+## Make the specified type readable for all domains.
-+##
-+##
-+##
-+##
-+## Type to be used as a base read only files.
-+##
-+##
-+##
-+#
-+interface(`files_ro_base_file',`
-+ gen_require(`
-+ attribute base_ro_file_type;
-+ ')
-+ files_base_file($1)
-+ typeattribute $1 base_ro_file_type;
-+')
-+
-+########################################
-+##
-+## Read all ro base files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_read_all_base_ro_files',`
-+ gen_require(`
-+ attribute base_ro_file_type;
-+ ')
-+
-+ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
-+ read_files_pattern($1, base_ro_file_type, base_ro_file_type)
-+ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
-+')
-+
-+########################################
-+##
-+## Execute all base ro files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_exec_all_base_ro_files',`
-+ gen_require(`
-+ attribute base_ro_file_type;
-+ ')
-+
-+ can_exec($1, base_ro_file_type)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to modify the systemd configuration of
-+## any file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_config_all_files',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ allow $1 file_type:service all_service_perms;
-+')
-+
-diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 52ef84e..45cb0bc 100644
---- a/policy/modules/kernel/files.te
-+++ b/policy/modules/kernel/files.te
-@@ -5,12 +5,16 @@ policy_module(files, 1.17.0)
- # Declarations
- #
-
-+attribute base_file_type;
-+attribute base_ro_file_type;
- attribute file_type;
- attribute files_unconfined_type;
- attribute lockfile;
- attribute mountpoint;
- attribute pidfile;
-+attribute spoolfile;
- attribute configfile;
-+attribute etcfile;
-
- # For labeling types that are to be polyinstantiated
- attribute polydir;
-@@ -48,28 +52,40 @@ attribute usercanread;
- #
- type boot_t;
- files_mountpoint(boot_t)
-+files_ro_base_file(boot_t)
-
- # default_t is the default type for files that do not
- # match any specification in the file_contexts configuration
- # other than the generic /.* specification.
- type default_t;
- files_mountpoint(default_t)
-+files_base_file(default_t)
-
- #
- # etc_t is the type of the system etc directories.
- #
- type etc_t, configfile;
--files_type(etc_t)
-+files_ro_base_file(etc_t)
-+
- # compatibility aliases for removed types:
- typealias etc_t alias automount_etc_t;
- typealias etc_t alias snmpd_etc_t;
-
-+# system_conf_t is a new type of various
-+# files in /etc/ that can be managed and
-+# created by several domains.
-+#
-+type system_conf_t, configfile;
-+files_type(system_conf_t)
-+# compatibility aliases for removed type:
-+typealias system_conf_t alias iptables_conf_t;
-+
- #
- # etc_runtime_t is the type of various
- # files in /etc that are automatically
- # generated during initialization.
- #
--type etc_runtime_t;
-+type etc_runtime_t, configfile;
- files_type(etc_runtime_t)
- #Temporarily in policy until FC5 dissappears
- typealias etc_runtime_t alias firstboot_rw_t;
-@@ -81,6 +97,7 @@ typealias etc_runtime_t alias firstboot_rw_t;
- #
- type file_t;
- files_mountpoint(file_t)
-+files_base_file(file_t)
- kernel_rootfs_mountpoint(file_t)
- sid file gen_context(system_u:object_r:file_t,s0)
-
-@@ -89,6 +106,7 @@ sid file gen_context(system_u:object_r:file_t,s0)
- # are created
- #
- type home_root_t;
-+files_base_file(home_root_t)
- files_mountpoint(home_root_t)
- files_poly_parent(home_root_t)
-
-@@ -96,12 +114,13 @@ files_poly_parent(home_root_t)
- # lost_found_t is the type for the lost+found directories.
- #
- type lost_found_t;
--files_type(lost_found_t)
-+files_base_file(lost_found_t)
-
- #
- # mnt_t is the type for mount points such as /mnt/cdrom
- #
- type mnt_t;
-+files_base_file(mnt_t)
- files_mountpoint(mnt_t)
-
- #
-@@ -123,6 +142,7 @@ files_type(readable_t)
- # root_t is the type for rootfs and the root directory.
- #
- type root_t;
-+files_base_file(root_t)
- files_mountpoint(root_t)
- files_poly_parent(root_t)
- kernel_rootfs_mountpoint(root_t)
-@@ -133,52 +153,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
- #
- type src_t;
- files_mountpoint(src_t)
-+files_ro_base_file(src_t)
-
- #
- # system_map_t is for the system.map files in /boot
- #
- type system_map_t;
- files_type(system_map_t)
-+kernel_proc_type(system_map_t)
- genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
-
- #
- # tmp_t is the type of the temporary directories
- #
- type tmp_t;
-+files_base_file(tmp_t)
- files_tmp_file(tmp_t)
- files_mountpoint(tmp_t)
- files_poly(tmp_t)
- files_poly_parent(tmp_t)
-+typealias tmp_t alias firstboot_tmp_t;
-
- #
- # usr_t is the type for /usr.
- #
- type usr_t;
-+files_ro_base_file(usr_t)
- files_mountpoint(usr_t)
-
- #
- # var_t is the type of /var
- #
- type var_t;
-+files_base_file(var_t)
- files_mountpoint(var_t)
-
- #
- # var_lib_t is the type of /var/lib
- #
- type var_lib_t;
-+files_base_file(var_lib_t)
- files_mountpoint(var_lib_t)
-+files_poly(var_lib_t)
-
- #
- # var_lock_t is tye type of /var/lock
- #
- type var_lock_t;
-+files_base_file(var_lock_t)
- files_lock_file(var_lock_t)
-+files_mountpoint(var_lock_t)
-
- #
- # var_run_t is the type of /var/run, usually
- # used for pid and other runtime files.
- #
- type var_run_t;
-+files_base_file(var_run_t)
- files_pid_file(var_run_t)
- files_mountpoint(var_run_t)
-
-@@ -186,7 +217,9 @@ files_mountpoint(var_run_t)
- # var_spool_t is the type of /var/spool
- #
- type var_spool_t;
-+files_base_file(var_spool_t)
- files_tmp_file(var_spool_t)
-+files_spool_file(var_spool_t)
-
- ########################################
- #
-@@ -225,10 +258,11 @@ fs_associate_tmpfs(tmpfsfile)
- # Create/access any file in a labeled filesystem;
- allow files_unconfined_type file_type:{ file chr_file } ~execmod;
- allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
-+allow files_unconfined_type file_type:service *;
-
- # Mount/unmount any filesystem with the context= option.
- allow files_unconfined_type file_type:filesystem *;
-
--tunable_policy(`allow_execmod',`
-+tunable_policy(`selinuxuser_execmod',`
- allow files_unconfined_type file_type:file execmod;
- ')
-diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index cda5588..91d1e25 100644
---- a/policy/modules/kernel/filesystem.fc
-+++ b/policy/modules/kernel/filesystem.fc
-@@ -1,3 +1,7 @@
-+# ecryptfs does not support xattr
-+HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
-+HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
-+
- /cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
- /cgroup/.* <>
-
-@@ -14,3 +18,8 @@
- # for systemd systems:
- /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
- /sys/fs/cgroup/.* <>
-+
-+/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
-+/usr/lib/udev/devices/hugepages/.* <>
-+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
-+/usr/lib/udev/devices/shm/.* <>
-diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 7c6b791..aa86bf7 100644
---- a/policy/modules/kernel/filesystem.if
-+++ b/policy/modules/kernel/filesystem.if
-@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
-
- ########################################
- ##
-+## Get attributes of cgroup files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_getattr_cgroup_files',`
-+ gen_require(`
-+ type cgroup_t;
-+
-+ ')
-+
-+ getattr_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
-+')
-+
-+########################################
-+##
- ## Search cgroup directories.
- ##
- ##
-@@ -646,11 +667,31 @@ interface(`fs_search_cgroup_dirs',`
- ')
-
- search_dirs_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
- ########################################
- ##
-+## Relabel cgroup directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabel_cgroup_dirs',`
-+ gen_require(`
-+ type cgroup_t;
-+
-+ ')
-+
-+ relabel_dirs_pattern($1, cgroup_t, cgroup_t)
-+')
-+
-+########################################
-+##
- ## list cgroup directories.
- ##
- ##
-@@ -665,9 +706,29 @@ interface(`fs_list_cgroup_dirs', `
- ')
-
- list_dirs_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-+#######################################
-+##
-+## Do not audit attempts to search cgroup directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_search_cgroup_dirs', `
-+ gen_require(`
-+ type cgroup_t;
-+ ')
-+
-+ dontaudit $1 cgroup_t:dir search_dir_perms;
-+ dev_dontaudit_search_sysfs($1)
-+')
-+
- ########################################
- ##
- ## Delete cgroup directories.
-@@ -684,6 +745,7 @@ interface(`fs_delete_cgroup_dirs', `
- ')
-
- delete_dirs_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -704,6 +766,7 @@ interface(`fs_manage_cgroup_dirs',`
- ')
-
- manage_dirs_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -724,6 +787,8 @@ interface(`fs_read_cgroup_files',`
- ')
-
- read_files_pattern($1, cgroup_t, cgroup_t)
-+ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -743,6 +808,7 @@ interface(`fs_write_cgroup_files', `
- ')
-
- write_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -762,7 +828,9 @@ interface(`fs_rw_cgroup_files',`
-
- ')
-
-+ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
- rw_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -803,6 +871,8 @@ interface(`fs_manage_cgroup_files',`
- ')
-
- manage_files_pattern($1, cgroup_t, cgroup_t)
-+ manage_lnk_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -1107,6 +1177,24 @@ interface(`fs_read_noxattr_fs_files',`
-
- ########################################
- ##
-+## Read/Write all inherited noxattrfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_inherited_noxattr_fs_files',`
-+ gen_require(`
-+ attribute noxattrfs;
-+ ')
-+
-+ allow $1 noxattrfs:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read all
- ## noxattrfs files.
- ##
-@@ -1245,7 +1333,7 @@ interface(`fs_append_cifs_files',`
-
- ########################################
- ##
--## dontaudit Append files
-+## Do not audit attempts to append files
- ## on a CIFS filesystem.
- ##
- ##
-@@ -1265,6 +1353,42 @@ interface(`fs_dontaudit_append_cifs_files',`
-
- ########################################
- ##
-+## Read inherited files on a CIFS or SMB filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_inherited_cifs_files',`
-+ gen_require(`
-+ type cifs_t;
-+ ')
-+
-+ allow $1 cifs_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read/Write inherited files on a CIFS or SMB filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_inherited_cifs_files',`
-+ gen_require(`
-+ type cifs_t;
-+ ')
-+
-+ allow $1 cifs_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read or
- ## write files on a CIFS or SMB filesystem.
- ##
-@@ -1279,7 +1403,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
- type cifs_t;
- ')
-
-- dontaudit $1 cifs_t:file rw_file_perms;
-+ dontaudit $1 cifs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -1542,6 +1666,25 @@ interface(`fs_cifs_domtrans',`
- domain_auto_transition_pattern($1, cifs_t, $2)
- ')
-
-+########################################
-+##
-+## Make general progams in cifs an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which cifs_t is an entrypoint.
-+##
-+##
-+#
-+interface(`fs_cifs_entry_type',`
-+ gen_require(`
-+ type cifs_t;
-+ ')
-+
-+ domain_entry_file($1, cifs_t)
-+')
-+
- #######################################
- ##
- ## Create, read, write, and delete dirs
-@@ -1582,6 +1725,24 @@ interface(`fs_manage_configfs_files',`
-
- ########################################
- ##
-+## Unmount a configfs filesystem
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_unmount_configfs',`
-+ gen_require(`
-+ type configfs_t;
-+ ')
-+
-+ allow $1 configfs_t:filesystem unmount;
-+')
-+
-+########################################
-+##
- ## Mount a DOS filesystem, such as
- ## FAT32 or NTFS.
- ##
-@@ -1679,6 +1840,25 @@ interface(`fs_relabelfrom_dos_fs',`
-
- ########################################
- ##
-+## Allow changing of the label of a
-+## tmpfs filesystem using the context= mount option.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabelfrom_tmpfs',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:filesystem relabelfrom;
-+')
-+
-+########################################
-+##
- ## Search dosfs filesystem.
- ##
- ##
-@@ -1793,6 +1973,188 @@ interface(`fs_read_eventpollfs',`
- refpolicywarn(`$0($*) has been deprecated.')
- ')
-
-+
-+#######################################
-+##
-+## Search directories
-+## on a ecrypt filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_search_ecryptfs',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ allow $1 ecryptfs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete directories
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_manage_ecryptfs_dirs',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
-+ allow $1 ecryptfs_t:dir manage_dir_perms;
-+')
-+
-+#######################################
-+##
-+## Create, read, write, and delete files
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_read_ecryptfs_files',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ read_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete files
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_manage_ecryptfs_files',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to create,
-+## read, write, and delete files
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_manage_ecryptfs_files',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ dontaudit $1 ecryptfs_t:file manage_file_perms;
-+')
-+
-+########################################
-+##
-+## Read symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_ecryptfs_symlinks',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ allow $1 ecryptfs_t:dir list_dir_perms;
-+ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
-+
-+########################################
-+##
-+## Manage symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_manage_ecryptfs_symlinks',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
-+
-+########################################
-+##
-+## Execute a file on a FUSE filesystem
-+## in the specified domain.
-+##
-+##
-+##
-+## Execute a file on a FUSE filesystem
-+## in the specified domain. This allows
-+## the specified domain to execute any file
-+## on these filesystems in the specified
-+## domain. This is not suggested.
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+## This interface was added to handle
-+## home directories on FUSE filesystems,
-+## in particular used by the ssh-agent policy.
-+##
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`fs_ecryptfs_domtrans',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ allow $1 ecryptfs_t:dir search_dir_perms;
-+ domain_auto_transition_pattern($1, ecryptfs_t, $2)
-+')
-+
- ########################################
- ##
- ## Mount a FUSE filesystem.
-@@ -2025,6 +2387,87 @@ interface(`fs_read_fusefs_symlinks',`
-
- ########################################
- ##
-+## Manage symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_manage_fusefs_symlinks',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
-+## Execute a file on a FUSE filesystem
-+## in the specified domain.
-+##
-+##
-+##
-+## Execute a file on a FUSE filesystem
-+## in the specified domain. This allows
-+## the specified domain to execute any file
-+## on these filesystems in the specified
-+## domain. This is not suggested.
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+## This interface was added to handle
-+## home directories on FUSE filesystems,
-+## in particular used by the ssh-agent policy.
-+##
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`fs_fusefs_domtrans',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:dir search_dir_perms;
-+ domain_auto_transition_pattern($1, fusefs_t, $2)
-+')
-+
-+########################################
-+##
-+## Get the attributes of a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_getattr_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
- ## Get the attributes of an hugetlbfs
- ## filesystem.
- ##
-@@ -2080,6 +2523,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
-
- ########################################
- ##
-+## Read hugetlbfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_hugetlbfs_files',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
-+ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+')
-+
-+########################################
-+##
- ## Read and write hugetlbfs files.
- ##
- ##
-@@ -2148,11 +2609,12 @@ interface(`fs_list_inotifyfs',`
- ')
-
- allow $1 inotifyfs_t:dir list_dir_perms;
-+ fs_read_anon_inodefs_files($1)
- ')
-
- ########################################
- ##
--## Dontaudit List inotifyfs filesystem.
-+## Do not audit attempts to list inotifyfs filesystem.
- ##
- ##
- ##
-@@ -2485,6 +2947,7 @@ interface(`fs_read_nfs_files',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- allow $1 nfs_t:dir list_dir_perms;
- read_files_pattern($1, nfs_t, nfs_t)
- ')
-@@ -2510,81 +2973,137 @@ interface(`fs_dontaudit_read_nfs_files',`
-
- ########################################
- ##
--## Read files on a NFS filesystem.
-+## Read files on a NFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_write_nfs_files',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ fs_search_auto_mountpoints($1)
-+ allow $1 nfs_t:dir list_dir_perms;
-+ write_files_pattern($1, nfs_t, nfs_t)
-+')
-+
-+########################################
-+##
-+## Execute files on a NFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_exec_nfs_files',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ allow $1 nfs_t:dir list_dir_perms;
-+ exec_files_pattern($1, nfs_t, nfs_t)
-+')
-+
-+########################################
-+##
-+## Make general progams in nfs an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which nfs_t is an entrypoint.
-+##
-+##
-+#
-+interface(`fs_nfs_entry_type',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ domain_entry_file($1, nfs_t)
-+')
-+
-+########################################
-+##
-+## Append files
-+## on a NFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`fs_write_nfs_files',`
-+interface(`fs_append_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- allow $1 nfs_t:dir list_dir_perms;
-- write_files_pattern($1, nfs_t, nfs_t)
-+ append_files_pattern($1, nfs_t, nfs_t)
- ')
-
- ########################################
- ##
--## Execute files on a NFS filesystem.
-+## Do not audit attempts to append files
-+## on a NFS filesystem.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- ##
- #
--interface(`fs_exec_nfs_files',`
-+interface(`fs_dontaudit_append_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- allow $1 nfs_t:dir list_dir_perms;
-- exec_files_pattern($1, nfs_t, nfs_t)
-+ dontaudit $1 nfs_t:file append_file_perms;
- ')
-
- ########################################
- ##
--## Append files
--## on a NFS filesystem.
-+## Read inherited files on a NFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`fs_append_nfs_files',`
-+interface(`fs_read_inherited_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- append_files_pattern($1, nfs_t, nfs_t)
-+ allow $1 nfs_t:file read_inherited_file_perms;
- ')
-
- ########################################
- ##
--## dontaudit Append files
--## on a NFS filesystem.
-+## Read/write inherited files on a NFS filesystem.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
--##
- #
--interface(`fs_dontaudit_append_nfs_files',`
-+interface(`fs_rw_inherited_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- dontaudit $1 nfs_t:file append_file_perms;
-+ allow $1 nfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -2603,7 +3122,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
- type nfs_t;
- ')
-
-- dontaudit $1 nfs_t:file rw_file_perms;
-+ dontaudit $1 nfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -2627,7 +3146,7 @@ interface(`fs_read_nfs_symlinks',`
-
- ########################################
- ##
--## Dontaudit read symbolic links on a NFS filesystem.
-+## Do not audit attempts to read symbolic links on a NFS filesystem.
- ##
- ##
- ##
-@@ -2741,7 +3260,7 @@ interface(`fs_search_removable',`
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -2777,7 +3296,7 @@ interface(`fs_read_removable_files',`
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -2970,6 +3489,7 @@ interface(`fs_manage_nfs_dirs',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- allow $1 nfs_t:dir manage_dir_perms;
- ')
-
-@@ -3010,6 +3530,7 @@ interface(`fs_manage_nfs_files',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- manage_files_pattern($1, nfs_t, nfs_t)
- ')
-
-@@ -3050,6 +3571,7 @@ interface(`fs_manage_nfs_symlinks',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- manage_lnk_files_pattern($1, nfs_t, nfs_t)
- ')
-
-@@ -3263,6 +3785,24 @@ interface(`fs_getattr_nfsd_files',`
- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
- ')
-
-+#######################################
-+##
-+## read files on an nfsd filesystem
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_nfsd_files',`
-+ gen_require(`
-+ type nfsd_fs_t;
-+ ')
-+
-+ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+')
-+
- ########################################
- ##
- ## Read and write NFS server files.
-@@ -3283,6 +3823,24 @@ interface(`fs_rw_nfsd_fs',`
-
- ########################################
- ##
-+## Manage NFS server files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_manage_nfsd_fs',`
-+ gen_require(`
-+ type nfsd_fs_t;
-+ ')
-+
-+ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+')
-+
-+########################################
-+##
- ## Allow the type to associate to ramfs filesystems.
- ##
- ##
-@@ -3392,7 +3950,7 @@ interface(`fs_search_ramfs',`
-
- ########################################
- ##
--## Dontaudit Search directories on a ramfs
-+## Do not audit attempts to search directories on a ramfs
- ##
- ##
- ##
-@@ -3429,7 +3987,7 @@ interface(`fs_manage_ramfs_dirs',`
-
- ########################################
- ##
--## Dontaudit read on a ramfs files.
-+## Do not audit attempts to read on a ramfs files.
- ##
- ##
- ##
-@@ -3447,7 +4005,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
-
- ########################################
- ##
--## Dontaudit read on a ramfs fifo_files.
-+## Do not audit attempts to read on a ramfs fifo_files.
- ##
- ##
- ##
-@@ -3815,6 +4373,24 @@ interface(`fs_unmount_tmpfs',`
-
- ########################################
- ##
-+## Mount on tmpfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_mounton_tmpfs', `
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:dir mounton;
-+')
-+
-+########################################
-+##
- ## Get the attributes of a tmpfs
- ## filesystem.
- ##
-@@ -3963,6 +4539,60 @@ interface(`fs_dontaudit_list_tmpfs',`
-
- ########################################
- ##
-+## Relabel directory on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabel_tmpfs_dirs',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
-+## Relabel fifo_file on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabel_tmpfs_fifo_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
-+## Relabel files on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabel_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ relabel_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
- ## Create, read, write, and delete
- ## tmpfs directories
- ##
-@@ -4069,7 +4699,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
- type tmpfs_t;
- ')
-
-- dontaudit $1 tmpfs_t:file rw_file_perms;
-+ dontaudit $1 tmpfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -4129,6 +4759,24 @@ interface(`fs_rw_tmpfs_files',`
-
- ########################################
- ##
-+## Read and write generic tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_inherited_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:file { read write };
-+')
-+
-+########################################
-+##
- ## Read tmpfs link files.
- ##
- ##
-@@ -4166,7 +4814,7 @@ interface(`fs_rw_tmpfs_chr_files',`
-
- ########################################
- ##
--## dontaudit Read and write character nodes on tmpfs filesystems.
-+## Do not audit attempts to read and write character nodes on tmpfs filesystems.
- ##
- ##
- ##
-@@ -4185,6 +4833,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
-
- ########################################
- ##
-+## Do not audit attempts to create character nodes on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_create_tmpfs_chr_dev',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:chr_file create;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_read_tmpfs_blk_dev',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read files on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_read_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:blk_file read;
-+')
-+
-+########################################
-+##
- ## Relabel character nodes on tmpfs filesystems.
- ##
- ##
-@@ -4242,6 +4944,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
-
- ########################################
- ##
-+## Relabel sock nodes on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabel_tmpfs_sock_file',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:dir list_dir_perms;
-+ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
-+## Delete generic files in tmpfs directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_delete_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:file unlink;
-+')
-+
-+########################################
-+##
- ## Read and write, create and delete generic
- ## files on tmpfs filesystems.
- ##
-@@ -4261,6 +5000,25 @@ interface(`fs_manage_tmpfs_files',`
-
- ########################################
- ##
-+## Execute files on a tmpfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_exec_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ exec_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
- ## Read and write, create and delete symbolic
- ## links on tmpfs filesystems.
- ##
-@@ -4467,6 +5225,8 @@ interface(`fs_mount_all_fs',`
- ')
-
- allow $1 filesystem_type:filesystem mount;
-+# Mount checks write access on the dir
-+ allow $1 filesystem_type:dir write;
- ')
-
- ########################################
-@@ -4513,7 +5273,7 @@ interface(`fs_unmount_all_fs',`
- ##
- ##
- ## Allow the specified domain to
--## et the attributes of all filesystems.
-+## get the attributes of all filesystems.
- ## Example attributes:
- ##
- ##
-@@ -4876,3 +5636,43 @@ interface(`fs_unconfined',`
-
- typeattribute $1 filesystem_unconfined_type;
- ')
-+
-+########################################
-+##
-+## Do not audit attempts to read or write
-+## all leaked filesystems files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_leaks',`
-+ gen_require(`
-+ attribute filesystem_type;
-+ ')
-+
-+ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
-+ dontaudit $1 filesystem_type:lnk_file { read };
-+')
-+
-+
-+########################################
-+##
-+## Transition named content in tmpfs_t directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_tmpfs_filetrans_named_content',`
-+ gen_require(`
-+ type cgroup_t;
-+ ')
-+
-+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
-+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
-+')
-diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 376bae8..36a5041 100644
---- a/policy/modules/kernel/filesystem.te
-+++ b/policy/modules/kernel/filesystem.te
-@@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
-
- # Use the allocating task SID to label inodes in the following filesystem
- # types, and label the filesystem itself with the specified context.
-@@ -52,6 +54,7 @@ type anon_inodefs_t;
- fs_type(anon_inodefs_t)
- files_mountpoint(anon_inodefs_t)
- genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
-+mls_trusted_object(anon_inodefs_t)
-
- type bdev_t;
- fs_type(bdev_t)
-@@ -67,7 +70,7 @@ fs_type(capifs_t)
- files_mountpoint(capifs_t)
- genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
-
--type cgroup_t;
-+type cgroup_t alias cgroupfs_t;
- fs_type(cgroup_t)
- files_type(cgroup_t)
- files_mountpoint(cgroup_t)
-@@ -88,6 +91,11 @@ fs_noxattr_type(ecryptfs_t)
- files_mountpoint(ecryptfs_t)
- genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
-
-+type efivarfs_t;
-+fs_noxattr_type(efivarfs_t)
-+files_mountpoint(efivarfs_t)
-+genfscon efivarfs / gen_context(system_u:object_r:efivarfs_t,s0)
-+
- type futexfs_t;
- fs_type(futexfs_t)
- genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -96,6 +104,7 @@ type hugetlbfs_t;
- fs_type(hugetlbfs_t)
- files_mountpoint(hugetlbfs_t)
- fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
-+dev_associate(hugetlbfs_t)
-
- type ibmasmfs_t;
- fs_type(ibmasmfs_t)
-@@ -144,11 +153,6 @@ fs_type(spufs_t)
- genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
- files_mountpoint(spufs_t)
-
--type squash_t;
--fs_type(squash_t)
--genfscon squash / gen_context(system_u:object_r:squash_t,s0)
--files_mountpoint(squash_t)
--
- type sysv_t;
- fs_noxattr_type(sysv_t)
- files_mountpoint(sysv_t)
-@@ -175,6 +179,7 @@ fs_type(tmpfs_t)
- files_type(tmpfs_t)
- files_mountpoint(tmpfs_t)
- files_poly_parent(tmpfs_t)
-+dev_associate(tmpfs_t)
-
- # Use a transition SID based on the allocating task SID and the
- # filesystem SID to label inodes in the following filesystem types,
-@@ -254,6 +259,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
- type removable_t;
- allow removable_t noxattrfs:filesystem associate;
- fs_noxattr_type(removable_t)
-+files_type(removable_t)
-+dev_node(removable_t)
- files_mountpoint(removable_t)
-
- #
-@@ -273,6 +280,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
- genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
- genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
- genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
-+genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)
-
- ########################################
- #
-diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
-index 7be4ddf..f7021a0 100644
---- a/policy/modules/kernel/kernel.fc
-+++ b/policy/modules/kernel/kernel.fc
-@@ -1 +1,2 @@
--# This module currently does not have any file contexts.
-+
-+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 4bf45cb..9f81200 100644
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
- type kernel_t;
- ')
-
-- allow $1 kernel_t:unix_dgram_socket { read write ioctl };
-+ allow $1 kernel_t:unix_dgram_socket { getattr read write ioctl };
- ')
-
- ########################################
-@@ -785,6 +785,24 @@ interface(`kernel_unmount_proc',`
-
- ########################################
- ##
-+## Mounton a proc filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_mounton_proc',`
-+ gen_require(`
-+ type proc_t;
-+ ')
-+
-+ allow $1 proc_t:dir mounton;
-+')
-+
-+########################################
-+##
- ## Get the attributes of the proc filesystem.
- ##
- ##
-@@ -972,13 +990,10 @@ interface(`kernel_read_proc_symlinks',`
- #
- interface(`kernel_read_system_state',`
- gen_require(`
-- type proc_t;
-+ attribute kernel_system_state_reader;
- ')
-
-- read_files_pattern($1, proc_t, proc_t)
-- read_lnk_files_pattern($1, proc_t, proc_t)
--
-- list_dirs_pattern($1, proc_t, proc_t)
-+ typeattribute $1 kernel_system_state_reader;
- ')
-
- ########################################
-@@ -1458,6 +1473,24 @@ interface(`kernel_dontaudit_list_all_proc',`
-
- ########################################
- ##
-+## Allow attempts to read all proc types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_read_all_proc',`
-+ gen_require(`
-+ attribute proc_type;
-+ ')
-+
-+ read_files_pattern($1, proc_type, proc_type)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts by caller to search
- ## the base directory of sysctls.
- ##
-@@ -2066,7 +2099,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
- ')
-
- dontaudit $1 sysctl_type:dir list_dir_perms;
-- dontaudit $1 sysctl_type:file getattr;
-+ dontaudit $1 sysctl_type:file read_file_perms;
- ')
-
- ########################################
-@@ -2263,6 +2296,25 @@ interface(`kernel_list_unlabeled',`
-
- ########################################
- ##
-+## Delete unlabeled files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_delete_unlabeled',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dir delete_dir_perms;
-+ allow $1 unlabeled_t:dir_file_class_set delete_file_perms;
-+')
-+
-+########################################
-+##
- ## Read the process state (/proc/pid) of all unlabeled_t.
- ##
- ##
-@@ -2287,7 +2339,7 @@ interface(`kernel_read_unlabeled_state',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -2469,6 +2521,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
-
- ########################################
- ##
-+## Read and write unlabeled sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_rw_unlabeled_socket',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:socket rw_socket_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts by caller to get attributes for
- ## unlabeled character devices.
- ##
-@@ -2506,6 +2576,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
-
- ########################################
- ##
-+## Allow caller to relabel unlabeled filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_relabelfrom_unlabeled_fs',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:filesystem relabelfrom;
-+')
-+
-+########################################
-+##
- ## Allow caller to relabel unlabeled files.
- ##
- ##
-@@ -2613,7 +2701,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
- allow $1 unlabeled_t:association { sendto recvfrom };
-
- # temporary hack until labeling on packets is supported
-- allow $1 unlabeled_t:packet { send recv };
-+# allow $1 unlabeled_t:packet { send recv };
- ')
-
- ########################################
-@@ -2651,6 +2739,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
-
- ########################################
- ##
-+## Receive DCCP packets from an unlabeled connection.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_dccp_recvfrom_unlabeled',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dccp_socket recvfrom;
-+')
-+
-+########################################
-+##
- ## Receive TCP packets from an unlabeled connection.
- ##
- ##
-@@ -2678,6 +2784,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
-
- ########################################
- ##
-+## Do not audit attempts to receive DCCP packets from an unlabeled
-+## connection.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`kernel_dontaudit_dccp_recvfrom_unlabeled',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ dontaudit $1 unlabeled_t:dccp_socket recvfrom;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to receive TCP packets from an unlabeled
- ## connection.
- ##
-@@ -2787,6 +2912,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
-
- allow $1 unlabeled_t:rawip_socket recvfrom;
- ')
-+########################################
-+##
-+## Read/Write Raw IP packets from an unlabeled connection.
-+##
-+##
-+##
-+## Receive Raw IP packets from an unlabeled connection.
-+##
-+##
-+## The corenetwork interface corenet_raw_recv_unlabeled() should
-+## be used instead of this one.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_rw_unlabeled_rawip_socket',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:rawip_socket rw_socket_perms;
-+')
-+
-
- ########################################
- ##
-@@ -2942,6 +3094,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
-
- ########################################
- ##
-+## Relabel to unlabeled context .
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_relabelto_unlabeled',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dir_file_class_set relabelto;
-+')
-+
-+########################################
-+##
- ## Unconfined access to kernel module resources.
- ##
- ##
-@@ -2956,5 +3126,318 @@ interface(`kernel_unconfined',`
- ')
-
- typeattribute $1 kern_unconfined;
-- kernel_load_module($1)
-+ kernel_load_module($1)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to connect to
-+## the kernel with a unix socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_stream_connect',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to getattr on
-+## the kernel with a unix socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_stream_read',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:unix_stream_socket { read getattr };
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to write on
-+## the kernel with a unix socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_stream_write',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:unix_stream_socket { write getattr };
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to read/write on
-+## the kernel with a unix socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_rw_stream_socket_perms',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:unix_stream_socket rw_socket_perms;
-+')
-+
-+########################################
-+##
-+## Make the specified type usable for regular entries in proc
-+##
-+##
-+##
-+## Type to be used for /proc entries.
-+##
-+##
-+#
-+interface(`kernel_proc_type',`
-+ gen_require(`
-+ attribute proc_type;
-+ ')
-+
-+ typeattribute $1 proc_type;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts by caller to get attributes on all sysctls.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`kernel_dontaudit_getattr_all_sysctls',`
-+ gen_require(`
-+ attribute sysctl_type;
-+ ')
-+
-+ dontaudit $1 sysctl_type:file getattr;
-+')
-+
-+########################################
-+##
-+## Read the process state (/proc/pid) of the kernel.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_read_state',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:dir search_dir_perms;
-+ allow $1 kernel_t:file read_file_perms;
-+ allow $1 kernel_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+##
-+## Dontaudit attempts to read the process state (/proc/pid) of the kernel.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_dontaudit_read_state',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ dontaudit $1 kernel_t:dir search_dir_perms;
-+ dontaudit $1 kernel_t:file read_file_perms;
-+ dontaudit $1 kernel_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow searching of numa state directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_search_numa_state',`
-+ gen_require(`
-+ type proc_t, proc_numa_t;
-+ ')
-+
-+ search_dirs_pattern($1, proc_t, proc_numa_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search the numa
-+## state directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`kernel_dontaudit_search_numa_state',`
-+ gen_require(`
-+ type proc_numa_t;
-+ ')
-+
-+ dontaudit $1 proc_numa_t:dir search;
-+')
-+
-+########################################
-+##
-+## Allow caller to read the numa state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_read_numa_state',`
-+ gen_require(`
-+ type proc_t, proc_numa_t;
-+ ')
-+
-+ read_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
-+ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
-+
-+ list_dirs_pattern($1, proc_t, proc_numa_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to read the numa state symbolic links.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_read_numa_state_symlinks',`
-+ gen_require(`
-+ type proc_t, proc_numa_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
-+
-+ list_dirs_pattern($1, proc_t, proc_numa_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to write numa state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_write_numa_state',`
-+ gen_require(`
-+ type proc_t, proc_numa_t;
-+ ')
-+
-+ write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to search virtual memory overcommit sysctls.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_search_vm_overcommit_sysctl',`
-+ gen_require(`
-+ type sysctl_vm_overcommit_t;
-+ ')
-+
-+ kernel_search_vm_sysctl($1)
-+ search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to read virtual memory overcommit sysctls.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_read_vm_overcommit_sysctls',`
-+ gen_require(`
-+ type sysctl_vm_overcommit_t;
-+ ')
-+
-+ kernel_search_vm_sysctl($1)
-+ read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
-+')
-+
-+########################################
-+##
-+## Read and write virtual memory overcommit sysctls.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_rw_vm_overcommit_sysctls',`
-+ gen_require(`
-+ type sysctl_vm_overcommit_t;
-+ ')
-+
-+ kernel_search_vm_sysctl($1)
-+ rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
-+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
- ')
-diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index ab9b6cd..ccffb0f 100644
---- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -25,6 +25,9 @@ attribute kern_unconfined;
- # regular entries in proc
- attribute proc_type;
-
-+# attribute for domains which read proc_t
-+attribute kernel_system_state_reader;
-+
- # sysctls
- attribute sysctl_type;
-
-@@ -48,6 +51,7 @@ ifdef(`enable_mls',`
- type kernel_t, can_load_kernmodule;
- domain_base_type(kernel_t)
- mls_rangetrans_source(kernel_t)
-+mls_trusted_object(kernel_t)
- role system_r types kernel_t;
- sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
-
-@@ -58,6 +62,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
- type debugfs_t;
- files_mountpoint(debugfs_t)
- fs_type(debugfs_t)
-+files_mountpoint(debugfs_t)
-+
- allow debugfs_t self:filesystem associate;
- genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
-
-@@ -95,6 +101,10 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
- type proc_mdstat_t, proc_type;
- genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
-
-+type proc_numa_t, proc_type;
-+genfscon proc /numatools gen_context(system_u:object_r:proc_numa_t,s0)
-+mls_trusted_object(proc_numa_t)
-+
- type proc_net_t, proc_type;
- genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
-
-@@ -153,6 +163,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
- type sysctl_vm_t, sysctl_type;
- genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
-
-+# /proc/sys/vm/overcommit_memory
-+type sysctl_vm_overcommit_t, sysctl_type;
-+genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0)
-+
- # /proc/sys/dev directory and files
- type sysctl_dev_t, sysctl_type;
- genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +179,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
- type unlabeled_t;
- fs_associate(unlabeled_t)
- sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-+fs_associate(unlabeled_t)
-
- # These initial sids are no longer used, and can be removed:
- sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -233,7 +248,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
- corenet_in_generic_if(unlabeled_t)
- corenet_in_generic_node(unlabeled_t)
-
--corenet_all_recvfrom_unlabeled(kernel_t)
- corenet_all_recvfrom_netlabel(kernel_t)
- # Kernel-generated traffic e.g., ICMP replies:
- corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +258,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
- corenet_tcp_sendrecv_all_nodes(kernel_t)
- corenet_raw_send_generic_node(kernel_t)
- corenet_send_all_packets(kernel_t)
-+corenet_filetrans_all_named_dev(kernel_t)
-
- dev_read_sysfs(kernel_t)
- dev_search_usbfs(kernel_t)
- # devtmpfs handling:
- dev_create_generic_dirs(kernel_t)
- dev_delete_generic_dirs(kernel_t)
--dev_create_generic_blk_files(kernel_t)
--dev_delete_generic_blk_files(kernel_t)
--dev_create_generic_chr_files(kernel_t)
--dev_delete_generic_chr_files(kernel_t)
-+dev_create_all_blk_files(kernel_t)
-+dev_delete_all_blk_files(kernel_t)
-+dev_create_all_chr_files(kernel_t)
-+dev_delete_all_chr_files(kernel_t)
- dev_mounton(kernel_t)
-+dev_filetrans_all_named_dev(kernel_t)
-+storage_filetrans_all_named_dev(kernel_t)
-+term_filetrans_all_named_dev(kernel_t)
-
- # Mount root file system. Used when loading a policy
- # from initrd, then mounting the root filesystem
-@@ -263,7 +281,8 @@ fs_unmount_all_fs(kernel_t)
-
- selinux_load_policy(kernel_t)
-
--term_use_console(kernel_t)
-+term_use_all_terms(kernel_t)
-+term_use_ptmx(kernel_t)
-
- corecmd_exec_shell(kernel_t)
- corecmd_list_bin(kernel_t)
-@@ -277,25 +296,48 @@ files_list_root(kernel_t)
- files_list_etc(kernel_t)
- files_list_home(kernel_t)
- files_read_usr_files(kernel_t)
-+files_manage_mounttab(kernel_t)
-+files_manage_generic_spool_dirs(kernel_t)
-
- mcs_process_set_categories(kernel_t)
-+mcs_file_read_all(kernel_t)
-+mcs_file_write_all(kernel_t)
-+mcs_socket_write_all_levels(kernel_t)
-
- mls_process_read_up(kernel_t)
- mls_process_write_down(kernel_t)
-+mls_file_downgrade(kernel_t)
- mls_file_write_all_levels(kernel_t)
- mls_file_read_all_levels(kernel_t)
-+mls_socket_write_all_levels(kernel_t)
-+mls_fd_share_all_levels(kernel_t)
-+mls_fd_use_all_levels(kernel_t)
-
- ifdef(`distro_redhat',`
- # Bugzilla 222337
- fs_rw_tmpfs_chr_files(kernel_t)
- ')
-
-+
-+optional_policy(`
-+ apache_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ gnome_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ kerberos_filetrans_home_content(kernel_t)
-+')
-+
- optional_policy(`
- hotplug_search_config(kernel_t)
- ')
-
- optional_policy(`
- init_sigchld(kernel_t)
-+ init_dyntrans(kernel_t)
- ')
-
- optional_policy(`
-@@ -305,6 +347,19 @@ optional_policy(`
-
- optional_policy(`
- logging_send_syslog_msg(kernel_t)
-+ logging_manage_generic_logs(kernel_t)
-+')
-+
-+optional_policy(`
-+ mta_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
- ')
-
- optional_policy(`
-@@ -334,7 +389,6 @@ optional_policy(`
-
- rpc_manage_nfs_ro_content(kernel_t)
- rpc_manage_nfs_rw_content(kernel_t)
-- rpc_tcp_rw_nfs_sockets(kernel_t)
- rpc_udp_rw_nfs_sockets(kernel_t)
-
- tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +397,7 @@ optional_policy(`
- fs_read_noxattr_fs_files(kernel_t)
- fs_read_noxattr_fs_symlinks(kernel_t)
-
-- files_list_non_auth_dirs(kernel_t)
-- files_read_non_auth_files(kernel_t)
-- files_read_non_auth_symlinks(kernel_t)
-+ files_read_non_security_files(kernel_t)
- ')
-
- tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +406,7 @@ optional_policy(`
- fs_read_noxattr_fs_files(kernel_t)
- fs_read_noxattr_fs_symlinks(kernel_t)
-
-- files_manage_non_auth_files(kernel_t)
-+ files_manage_non_security_files(kernel_t)
- ')
- ')
-
-@@ -367,6 +419,15 @@ optional_policy(`
- unconfined_domain_noaudit(kernel_t)
- ')
-
-+optional_policy(`
-+ virt_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ xserver_xdm_manage_spool(kernel_t)
-+ xserver_filetrans_home_content(kernel_t)
-+')
-+
- ########################################
- #
- # Unlabeled process local policy
-@@ -409,4 +470,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
- allow kern_unconfined unlabeled_t:filesystem *;
- allow kern_unconfined unlabeled_t:association *;
- allow kern_unconfined unlabeled_t:packet *;
--allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
-+allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap };
-+
-+gen_require(`
-+ bool secure_mode_insmod;
-+')
-+
-+if( ! secure_mode_insmod ) {
-+ allow can_load_kernmodule self:capability sys_module;
-+ allow can_load_kernmodule self:capability2 compromise_kernel;
-+ # load_module() calls stop_machine() which
-+ # calls sched_setscheduler()
-+ allow can_load_kernmodule self:capability sys_nice;
-+ kernel_setsched(can_load_kernmodule)
-+}
-+
-+#######################################
-+#
-+# Kernel system state reader policy
-+#
-+
-+read_files_pattern(kernel_system_state_reader, proc_t, proc_t)
-+read_lnk_files_pattern(kernel_system_state_reader, proc_t, proc_t)
-+list_dirs_pattern(kernel_system_state_reader, proc_t, proc_t)
-diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
-index f52faaf..6bb6529 100644
---- a/policy/modules/kernel/mcs.if
-+++ b/policy/modules/kernel/mcs.if
-@@ -102,3 +102,49 @@ interface(`mcs_process_set_categories',`
-
- typeattribute $1 mcssetcats;
- ')
-+
-+########################################
-+##
-+## Make specified process type MCS untrusted.
-+##
-+##
-+##
-+## Make specified process type MCS untrusted. This
-+## prevents this process from sending signals to other processes
-+## with different mcs labels
-+## object.
-+##
-+##
-+##
-+##
-+## The type of the process.
-+##
-+##
-+#
-+interface(`mcs_untrusted_proc',`
-+ gen_require(`
-+ attribute mcsuntrustedproc;
-+ ')
-+
-+ typeattribute $1 mcsuntrustedproc;
-+')
-+
-+########################################
-+##
-+## Make specified domain MCS trusted
-+## for writing to sockets at any level.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`mcs_socket_write_all_levels',`
-+ gen_require(`
-+ attribute mcsnetwrite;
-+ ')
-+
-+ typeattribute $1 mcsnetwrite;
-+')
-diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
-index 0e5b661..3168d72 100644
---- a/policy/modules/kernel/mcs.te
-+++ b/policy/modules/kernel/mcs.te
-@@ -10,3 +10,5 @@ attribute mcsptraceall;
- attribute mcssetcats;
- attribute mcswriteall;
- attribute mcsreadall;
-+attribute mcsuntrustedproc;
-+attribute mcsnetwrite;
-diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
-index 7be4ddf..4d4c577 100644
---- a/policy/modules/kernel/selinux.fc
-+++ b/policy/modules/kernel/selinux.fc
-@@ -1 +1 @@
--# This module currently does not have any file contexts.
-+/selinux -l gen_context(system_u:object_r:security_t,s0)
-diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 81440c5..a02d444 100644
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
-
- # because of this statement, any module which
- # calls this interface must be in the base module:
-- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
-+# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
- ')
-
- ########################################
-@@ -58,6 +58,9 @@ interface(`selinux_get_fs_mount',`
- type security_t;
- ')
-
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
- # starting in libselinux 2.0.5, init_selinuxmnt() will
- # attempt to short circuit by checking if SELINUXMNT
- # (/selinux) is already a selinuxfs
-@@ -87,6 +90,7 @@ interface(`selinux_dontaudit_get_fs_mount',`
- # starting in libselinux 2.0.5, init_selinuxmnt() will
- # attempt to short circuit by checking if SELINUXMNT
- # (/selinux) is already a selinuxfs
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:filesystem getattr;
-
- # read /proc/filesystems to see if selinuxfs is supported
-@@ -109,6 +113,9 @@ interface(`selinux_mount_fs',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:filesystem mount;
- ')
-
-@@ -128,6 +135,9 @@ interface(`selinux_remount_fs',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:filesystem remount;
- ')
-
-@@ -146,6 +156,9 @@ interface(`selinux_unmount_fs',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:filesystem unmount;
- ')
-
-@@ -164,6 +177,7 @@ interface(`selinux_getattr_fs',`
- type security_t;
- ')
-
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:filesystem getattr;
- ')
-
-@@ -220,6 +234,9 @@ interface(`selinux_search_fs',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir search_dir_perms;
- ')
-
-@@ -243,6 +260,28 @@ interface(`selinux_dontaudit_search_fs',`
-
- ########################################
- ##
-+## Mount on selinuxfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`selinux_mounton_fs',`
-+ gen_require(`
-+ type security_t;
-+ ')
-+
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
-+ allow $1 security_t:dir mounton;
-+')
-+
-+
-+########################################
-+##
- ## Do not audit attempts to read
- ## generic selinuxfs entries
- ##
-@@ -257,6 +296,7 @@ interface(`selinux_dontaudit_read_fs',`
- type security_t;
- ')
-
-+ selinux_dontaudit_getattr_fs($1)
- dontaudit $1 security_t:dir search_dir_perms;
- dontaudit $1 security_t:file read_file_perms;
- ')
-@@ -278,6 +318,8 @@ interface(`selinux_get_enforce_mode',`
- type security_t;
- ')
-
-+ selinux_get_fs_mount($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
- ')
-@@ -308,21 +350,9 @@ interface(`selinux_set_enforce_mode',`
- gen_require(`
- type security_t;
- attribute can_setenforce;
-- bool secure_mode_policyload;
- ')
-
-- allow $1 security_t:dir list_dir_perms;
-- allow $1 security_t:file rw_file_perms;
- typeattribute $1 can_setenforce;
--
-- if(!secure_mode_policyload) {
-- allow $1 security_t:security setenforce;
--
-- ifdef(`distro_rhel4',`
-- # needed for systems without audit support
-- auditallow $1 security_t:security setenforce;
-- ')
-- }
- ')
-
- ########################################
-@@ -339,21 +369,14 @@ interface(`selinux_load_policy',`
- gen_require(`
- type security_t;
- attribute can_load_policy;
-- bool secure_mode_policyload;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- typeattribute $1 can_load_policy;
--
-- if(!secure_mode_policyload) {
-- allow $1 security_t:security load_policy;
--
-- ifdef(`distro_rhel4',`
-- # needed for systems without audit support
-- auditallow $1 security_t:security load_policy;
-- ')
-- }
- ')
-
- ########################################
-@@ -371,6 +394,9 @@ interface(`selinux_read_policy',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
- allow $1 security_t:security read_policy;
-@@ -433,17 +459,16 @@ interface(`selinux_set_boolean',`
- interface(`selinux_set_generic_booleans',`
- gen_require(`
- type security_t;
-+ attribute can_setbool;
- ')
-
-+ typeattribute $1 can_setbool;
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
-
-- allow $1 security_t:security setbool;
--
-- ifdef(`distro_rhel4',`
-- # needed for systems without audit support
-- auditallow $1 security_t:security setbool;
-- ')
- ')
-
- ########################################
-@@ -472,23 +497,16 @@ interface(`selinux_set_all_booleans',`
- gen_require(`
- type security_t, secure_mode_policyload_t;
- attribute boolean_type;
-- bool secure_mode_policyload;
-+ attribute can_setbool;
- ')
-
-+ typeattribute $1 can_setbool;
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
-- allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
-- allow $1 secure_mode_policyload_t:file read_file_perms;
--
-- allow $1 security_t:security setbool;
--
-- ifdef(`distro_rhel4',`
-- # needed for systems without audit support
-- auditallow $1 security_t:security setbool;
-- ')
--
-- if(!secure_mode_policyload) {
-- allow $1 secure_mode_policyload_t:file write_file_perms;
-- }
-+ allow $1 boolean_type:dir list_dir_perms;
-+ allow $1 boolean_type:file rw_file_perms;
- ')
-
- ########################################
-@@ -519,6 +537,9 @@ interface(`selinux_set_parameters',`
- attribute can_setsecparam;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security setsecparam;
-@@ -542,6 +563,9 @@ interface(`selinux_validate_context',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security check_context;
-@@ -584,6 +608,9 @@ interface(`selinux_compute_access_vector',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_av;
-@@ -605,6 +632,9 @@ interface(`selinux_compute_create_context',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_create;
-@@ -626,6 +656,9 @@ interface(`selinux_compute_member',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_member;
-@@ -655,6 +688,9 @@ interface(`selinux_compute_relabel_context',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_relabel;
-@@ -675,6 +711,9 @@ interface(`selinux_compute_user_contexts',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_user;
-@@ -696,4 +735,29 @@ interface(`selinux_unconfined',`
- ')
-
- typeattribute $1 selinux_unconfined_type;
-+ selinux_set_all_booleans($1)
-+ selinux_load_policy($1)
-+ selinux_set_parameters($1)
-+ selinux_set_enforce_mode($1)
-+')
-+
-+########################################
-+##
-+## Generate a file context for a boolean type
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`selinux_genbool',`
-+ gen_require(`
-+ attribute boolean_type;
-+ ')
-+
-+ type $1, boolean_type;
-+ fs_type($1)
-+ mls_trusted_object($1)
- ')
-+
-diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
-index 522ab32..443f4a0 100644
---- a/policy/modules/kernel/selinux.te
-+++ b/policy/modules/kernel/selinux.te
-@@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false)
- attribute boolean_type;
- attribute can_load_policy;
- attribute can_setenforce;
-+attribute can_setbool;
- attribute can_setsecparam;
- attribute selinux_unconfined_type;
-
-@@ -31,14 +32,15 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
- type security_t, boolean_type;
- files_mountpoint(security_t)
- fs_type(security_t)
-+files_mountpoint(security_t)
- mls_trusted_object(security_t)
- sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
- genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
- genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
-
--neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
--neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
--neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
-+neverallow ~{ can_load_policy } security_t:security load_policy;
-+neverallow ~{ can_setenforce } security_t:security setenforce;
-+neverallow ~{ can_setsecparam } security_t:security setsecparam;
-
- ########################################
- #
-@@ -60,11 +62,28 @@ ifdef(`distro_rhel4',`
- ')
-
- if(!secure_mode_policyload) {
-- allow selinux_unconfined_type security_t:security { load_policy setenforce };
-- allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
-+ allow can_setenforce security_t:security setenforce;
-+ dev_getattr_sysfs_fs(can_setenforce)
-+ dev_search_sysfs(can_setenforce)
-+ allow can_setenforce security_t:dir list_dir_perms;
-+ allow can_setenforce security_t:file rw_file_perms;
-+
-+ ifdef(`distro_rhel4',`
-+ # needed for systems without audit support
-+ auditallow can_setenforce security_t:security setenforce;
-+ ')
-+
-+ allow can_load_policy security_t:security load_policy;
-+
-+ ifdef(`distro_rhel4',`
-+ # needed for systems without audit support
-+ auditallow can_load_policy security_t:security load_policy;
-+ ')
-+
-+ allow can_setbool boolean_type:security setbool;
-
- ifdef(`distro_rhel4',`
- # needed for systems without audit support
-- auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
-+ auditallow can_setbool boolean_type:security setbool;
- ')
- }
-diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
-index 54f1827..a2d5eaa 100644
---- a/policy/modules/kernel/storage.fc
-+++ b/policy/modules/kernel/storage.fc
-@@ -28,7 +28,8 @@
- /dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
--/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
-+/dev/megaraid_sas_ioctl_node -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-+/dev/megadev.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
- /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
- /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -51,7 +52,7 @@ ifdef(`distro_redhat', `
- /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
- /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
- /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
--/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-+/dev/tw[a-z][^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
- /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -81,3 +82,6 @@ ifdef(`distro_redhat', `
-
- /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
-+
-+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
-diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..6fb69e7 100644
---- a/policy/modules/kernel/storage.if
-+++ b/policy/modules/kernel/storage.if
-@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
-
- ########################################
- ##
-+## Allow the caller to read/write inherited fixed disk
-+## device nodes.
-+##
-+##
-+##
-+## The domain allowed access.
-+##
-+##
-+#
-+interface(`storage_rw_inherited_fixed_disk_dev',`
-+ gen_require(`
-+ type fixed_disk_device_t;
-+ ')
-+
-+ allow $1 fixed_disk_device_t:chr_file { read write };
-+ allow $1 fixed_disk_device_t:blk_file { read write };
-+')
-+
-+########################################
-+##
- ## Do not audit attempts made by the caller to get
- ## the attributes of fixed disk device nodes.
- ##
-@@ -101,6 +121,8 @@ interface(`storage_raw_read_fixed_disk',`
- dev_list_all_dev_nodes($1)
- allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
- allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
-+ #577012
-+ allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms;
- typeattribute $1 fixed_disk_raw_read;
- ')
-
-@@ -205,6 +227,7 @@ interface(`storage_create_fixed_disk_dev',`
-
- allow $1 self:capability mknod;
- allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
-+ allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;
- dev_add_entry_generic_dirs($1)
- ')
-
-@@ -269,6 +292,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
- dev_filetrans($1, fixed_disk_device_t, blk_file)
- ')
-
-+#######################################
-+##
-+## Create block devices in /dev with the fixed disk type
-+## via an automatic type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`storage_dev_filetrans_named_fixed_disk',`
-+ gen_require(`
-+ type fixed_disk_device_t;
-+ ')
-+
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
-+')
-+
- ########################################
- ##
- ## Create block devices in on a tmpfs filesystem with the
-@@ -711,6 +776,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
- dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
- ')
-
-+#######################################
-+##
-+## Alow read and write inherited removable devices.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`storage_rw_inherited_removable_device',`
-+ gen_require(`
-+ type removable_device_t;
-+ ')
-+
-+ dontaudit $1 removable_device_t:blk_file { read write };
-+')
-+
- ########################################
- ##
- ## Allow the caller to directly read
-@@ -808,3 +891,369 @@ interface(`storage_unconfined',`
-
- typeattribute $1 storage_unconfined_type;
- ')
-+
-+########################################
-+##
-+## Create all named devices with the correct label
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`storage_filetrans_all_named_dev',`
-+
-+ gen_require(`
-+ type tape_device_t;
-+ type fixed_disk_device_t;
-+ type removable_device_t;
-+ type scsi_generic_device_t;
-+ type fuse_device_t;
-+ ')
-+
-+ dev_filetrans($1, tape_device_t, chr_file, "ht00")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht01")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht02")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht03")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht04")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht05")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht06")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht07")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht08")
-+ dev_filetrans($1, tape_device_t, chr_file, "ht09")
-+ dev_filetrans($1, tape_device_t, chr_file, "st00")
-+ dev_filetrans($1, tape_device_t, chr_file, "st01")
-+ dev_filetrans($1, tape_device_t, chr_file, "st02")
-+ dev_filetrans($1, tape_device_t, chr_file, "st03")
-+ dev_filetrans($1, tape_device_t, chr_file, "st04")
-+ dev_filetrans($1, tape_device_t, chr_file, "st05")
-+ dev_filetrans($1, tape_device_t, chr_file, "st06")
-+ dev_filetrans($1, tape_device_t, chr_file, "st07")
-+ dev_filetrans($1, tape_device_t, chr_file, "st08")
-+ dev_filetrans($1, tape_device_t, chr_file, "st09")
-+ dev_filetrans($1, tape_device_t, chr_file, "qft0")
-+ dev_filetrans($1, tape_device_t, chr_file, "qft1")
-+ dev_filetrans($1, tape_device_t, chr_file, "qft2")
-+ dev_filetrans($1, tape_device_t, chr_file, "qft3")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst00")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst01")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst02")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst03")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst04")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst05")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst06")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst07")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst08")
-+ dev_filetrans($1, tape_device_t, chr_file, "osst09")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt0")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt1")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt2")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt3")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt4")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt5")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt6")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt7")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt8")
-+ dev_filetrans($1, tape_device_t, chr_file, "pt9")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic0")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic1")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic2")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic3")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic4")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic5")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic6")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic7")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic8")
-+ dev_filetrans($1, tape_device_t, chr_file, "tpqic9")
-+ dev_filetrans($1, removable_device_t, blk_file, "aztcd")
-+ dev_filetrans($1, removable_device_t, blk_file, "bpcd")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu0")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu1")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu2")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu3")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu4")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu5")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu6")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu7")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu8")
-+ dev_filetrans($1, removable_device_t, blk_file, "cdu9")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm200")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm201")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm202")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm203")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm204")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm205")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm206")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm207")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm208")
-+ dev_filetrans($1, removable_device_t, blk_file, "cm209")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-9")
-+ dev_filetrans($1, removable_device_t, blk_file, "gscd")
-+ dev_filetrans($1, removable_device_t, blk_file, "hitcd")
-+ dev_filetrans($1, tape_device_t, blk_file, "ht0")
-+ dev_filetrans($1, tape_device_t, blk_file, "ht1")
-+ dev_filetrans($1, removable_device_t, blk_file, "hwcdrom")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "initrd")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "jsfd")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop9")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
-+ dev_filetrans($1, removable_device_t, blk_file, "mcd")
-+ dev_filetrans($1, removable_device_t, blk_file, "mcdx")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk0")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk1")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk2")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk3")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk4")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk5")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk6")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk7")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk8")
-+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk9")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk0")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk1")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk2")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk3")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk4")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk5")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk6")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk7")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk8")
-+ dev_filetrans($1, removable_device_t, blk_file, "mspblk9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd9")
-+ dev_filetrans($1, removable_device_t, blk_file, "optcd")
-+ dev_filetrans($1, removable_device_t, blk_file, "pf0")
-+ dev_filetrans($1, removable_device_t, blk_file, "pf1")
-+ dev_filetrans($1, removable_device_t, blk_file, "pf2")
-+ dev_filetrans($1, removable_device_t, blk_file, "pf3")
-+ dev_filetrans($1, removable_device_t, blk_file, "pg0")
-+ dev_filetrans($1, removable_device_t, blk_file, "pg1")
-+ dev_filetrans($1, removable_device_t, blk_file, "pg2")
-+ dev_filetrans($1, removable_device_t, blk_file, "pg3")
-+ dev_filetrans($1, removable_device_t, blk_file, "pcd0")
-+ dev_filetrans($1, removable_device_t, blk_file, "pcd1")
-+ dev_filetrans($1, removable_device_t, blk_file, "pcd2")
-+ dev_filetrans($1, removable_device_t, blk_file, "pcd3")
-+ dev_filetrans($1, removable_device_t, chr_file, "pg0")
-+ dev_filetrans($1, removable_device_t, chr_file, "pg1")
-+ dev_filetrans($1, removable_device_t, chr_file, "pg2")
-+ dev_filetrans($1, removable_device_t, chr_file, "pg3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram10")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram11")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram12")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram13")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram14")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram15")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd0")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd1")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd2")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd3")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd4")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd5")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd6")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd7")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd8")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd9")
-+ dev_filetrans($1, fixed_disk_device_t, blk_file, "root")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd0")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd1")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd2")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd3")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd4")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd5")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd6")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd7")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd8")
-+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd9")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg0")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg1")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg2")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg3")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg4")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg5")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg6")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8")
-+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr0")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr1")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr2")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr3")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr4")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr5")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr6")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr7")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr8")
-+ dev_filetrans($1, removable_device_t, blk_file, "sr9")
-+ dev_filetrans($1, removable_device_t, blk_file, "sjcd")
-+ dev_filetrans($1, removable_device_t, blk_file, "sonycd")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape0")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape1")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape2")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape3")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape4")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape5")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape6")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape7")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape8")
-+ dev_filetrans($1, tape_device_t, chr_file, "tape9")
-+ dev_filetrans($1, fuse_device_t, chr_file, "fuse")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
-+ dev_filetrans($1, removable_device_t, chr_file, "rio500")
-+')
-diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 7d45d15..22c9cfe 100644
---- a/policy/modules/kernel/terminal.fc
-+++ b/policy/modules/kernel/terminal.fc
-@@ -14,11 +14,12 @@
- /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
--/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
- /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
- /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
-+/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
-+/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
- /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
-
- /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -41,3 +42,7 @@ ifdef(`distro_gentoo',`
- # used by init scripts to initally populate udev /dev
- /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
- ')
-+
-+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
-+
-+/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 01dd2f1..3541088 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -124,7 +124,7 @@ interface(`term_user_tty',`
- type_change $1 ttynode:chr_file $2;
- ')
-
-- tunable_policy(`console_login',`
-+ tunable_policy(`login_console_enabled',`
- # When user logs in from /dev/console, relabel it
- # to user tty type as well.
- type_change $1 console_device_t:chr_file $2;
-@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
-
- ########################################
- ##
-+## Read and write the inherited console, all inherited
-+## ttys and ptys.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`term_use_all_inherited_terms',`
-+ gen_require(`
-+ attribute ttynode, ptynode;
-+ type console_device_t, devpts_t, tty_device_t;
-+ ')
-+
-+ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+##
- ## Write to the console.
- ##
- ##
-@@ -274,7 +295,6 @@ interface(`term_dontaudit_read_console',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`term_use_console',`
- gen_require(`
-@@ -299,9 +319,12 @@ interface(`term_use_console',`
- interface(`term_dontaudit_use_console',`
- gen_require(`
- type console_device_t;
-+ type tty_device_t;
- ')
-
-- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
-+ init_dontaudit_use_fds($1)
-+ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
-+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
-@@ -384,6 +407,24 @@ interface(`term_getattr_pty_fs',`
-
- ########################################
- ##
-+## Relabel a pty filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_relabel_pty_fs',`
-+ gen_require(`
-+ type devpts_t;
-+ ')
-+
-+ allow $1 devpts_t:filesystem relabel_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to get the
- ## attributes of the /dev/pts directory.
- ##
-@@ -462,6 +503,24 @@ interface(`term_list_ptys',`
-
- ########################################
- ##
-+## Relabel the /dev/pts directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_relabel_ptys_dirs',`
-+ gen_require(`
-+ type devpts_t;
-+ ')
-+
-+ allow $1 devpts_t:dir relabel_dir_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read the
- ## /dev/pts directory.
- ##
-@@ -601,7 +660,7 @@ interface(`term_use_generic_ptys',`
-
- ########################################
- ##
--## Dot not audit attempts to read and
-+## Do not audit attempts to read and
- ## write the generic pty type. This is
- ## generally only used in the targeted policy.
- ##
-@@ -616,6 +675,7 @@ interface(`term_dontaudit_use_generic_ptys',`
- type devpts_t;
- ')
-
-+ init_dontaudit_use_fds($1)
- dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
- ')
-
-@@ -860,6 +920,26 @@ interface(`term_use_all_ptys',`
-
- ########################################
- ##
-+## Read and write all inherited ptys.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`term_use_all_inherited_ptys',`
-+ gen_require(`
-+ attribute ptynode;
-+ type devpts_t;
-+ ')
-+
-+ allow $1 ptynode:chr_file { rw_inherited_term_perms lock };
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read or write any ptys.
- ##
- ##
-@@ -873,7 +953,7 @@ interface(`term_dontaudit_use_all_ptys',`
- attribute ptynode;
- ')
-
-- dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
-+ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
- ')
-
- ########################################
-@@ -893,7 +973,7 @@ interface(`term_relabel_all_ptys',`
- ')
-
- dev_list_all_dev_nodes($1)
-- relabel_chr_files_pattern($1, devpts_t, ptynode)
-+ relabel_chr_files_pattern($1, devpts_t, { ptynode devpts_t } )
- ')
-
- ########################################
-@@ -921,7 +1001,7 @@ interface(`term_getattr_all_user_ptys',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -1240,7 +1320,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
- type tty_device_t;
- ')
-
-- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
-+ init_dontaudit_use_fds($1)
-+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write USB tty character
-+## device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_use_usb_ttys',`
-+ gen_require(`
-+ type usbtty_device_t;
-+ ')
-+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 usbtty_device_t:chr_file rw_chr_file_perms;
-+')
-+
-+#######################################
-+##
-+## Setattr on USB tty character
-+## device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_setattr_usb_ttys',`
-+ gen_require(`
-+ type usbtty_device_t;
-+ ')
-+
-+ allow $1 usbtty_device_t:chr_file setattr;
- ')
-
- ########################################
-@@ -1256,11 +1376,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
- #
- interface(`term_getattr_all_ttys',`
- gen_require(`
-+ type tty_device_t;
- attribute ttynode;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 ttynode:chr_file getattr;
-+ allow $1 tty_device_t:chr_file getattr;
- ')
-
- ########################################
-@@ -1277,10 +1399,12 @@ interface(`term_getattr_all_ttys',`
- interface(`term_dontaudit_getattr_all_ttys',`
- gen_require(`
- attribute ttynode;
-+ type tty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- dontaudit $1 ttynode:chr_file getattr;
-+ dontaudit $1 tty_device_t:chr_file getattr;
- ')
-
- ########################################
-@@ -1358,7 +1482,27 @@ interface(`term_use_all_ttys',`
- ')
-
- dev_list_all_dev_nodes($1)
-- allow $1 ttynode:chr_file rw_chr_file_perms;
-+ allow $1 ttynode:chr_file rw_term_perms;
-+')
-+
-+########################################
-+##
-+## Read and write all inherited ttys.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`term_use_all_inherited_ttys',`
-+ gen_require(`
-+ attribute ttynode;
-+ ')
-+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 ttynode:chr_file rw_inherited_term_perms;
- ')
-
- ########################################
-@@ -1377,7 +1521,7 @@ interface(`term_dontaudit_use_all_ttys',`
- attribute ttynode;
- ')
-
-- dontaudit $1 ttynode:chr_file rw_chr_file_perms;
-+ dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
-@@ -1485,7 +1629,7 @@ interface(`term_use_all_user_ttys',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -1493,3 +1637,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
- refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
- term_dontaudit_use_all_ttys($1)
- ')
-+
-+####################################
-+##
-+## Getattr on the virtio console.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_getattr_virtio_console',`
-+ gen_require(`
-+ type virtio_device_t;
-+ ')
-+
-+ allow $1 virtio_device_t:chr_file getattr_chr_file_perms;
-+')
-+
-+#####################################
-+##
-+## Read from and write to the virtio console.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_use_virtio_console',`
-+ gen_require(`
-+ type virtio_device_t;
-+ ')
-+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 virtio_device_t:chr_file rw_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Create all named term devices with the correct label
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_filetrans_all_named_dev',`
-+
-+gen_require(`
-+ type tty_device_t;
-+ type bsdpty_device_t;
-+ type console_device_t;
-+ type ptmx_t;
-+ type devtty_t;
-+ type virtio_device_t;
-+ type devpts_t;
-+ type usbtty_device_t;
-+')
-+
-+ dev_filetrans($1, devtty_t, chr_file, "tty")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty0")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty1")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty2")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty3")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty4")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty5")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty6")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty7")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty8")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty9")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty10")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty11")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty12")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty13")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty14")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty15")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty16")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty17")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty18")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty19")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty20")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty21")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty22")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty23")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty24")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty25")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty26")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty27")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty28")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty29")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty30")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty31")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty32")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty33")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty34")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty35")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty36")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty37")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty38")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty39")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty40")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty41")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty42")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty43")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty44")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty45")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty46")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty47")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty48")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty49")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty50")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty51")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty52")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty53")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty54")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty55")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty56")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty57")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty58")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty59")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty60")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty61")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty62")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty63")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty64")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty65")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty66")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty67")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty68")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty69")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty70")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty71")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty72")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty73")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty74")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty75")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty76")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty77")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty78")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty79")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty80")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty81")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty82")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty83")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty84")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty85")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty86")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty87")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty88")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty89")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty90")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty91")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty92")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty93")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty94")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty95")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty96")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty97")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty98")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty99")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty0")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty1")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty2")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty3")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty4")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty5")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty6")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty7")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty8")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty9")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty10")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty11")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty12")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty13")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty14")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty15")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty16")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty17")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty18")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty19")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty20")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty21")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty22")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty23")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty24")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty25")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty26")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty27")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty28")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty29")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty30")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty31")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty32")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty33")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty34")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty35")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty36")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty37")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty38")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty39")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty40")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty41")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty42")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty43")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty44")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty45")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty46")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty47")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty48")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty49")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty50")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty51")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty52")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty53")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty54")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty55")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty56")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty57")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty58")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty59")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty60")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty61")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty62")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty63")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty64")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty65")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty66")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty67")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty68")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty69")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty70")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty71")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty72")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty73")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty74")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty75")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty76")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty77")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty78")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty79")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty80")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty81")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty82")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty83")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty84")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty85")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty86")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty87")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty88")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty89")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty90")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty91")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty92")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty93")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty94")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty95")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty96")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty97")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty98")
-+ dev_filetrans($1, tty_device_t, chr_file, "pty99")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb0")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb1")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb2")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb3")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb4")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb5")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb6")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb7")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb8")
-+ dev_filetrans($1, tty_device_t, chr_file, "adb9")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi0")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi1")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi2")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi3")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi4")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi5")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi6")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi7")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi8")
-+ dev_filetrans($1, tty_device_t, chr_file, "capi9")
-+ dev_filetrans($1, console_device_t, chr_file, "console")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu0")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu1")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu2")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu3")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu4")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu5")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu6")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu7")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu8")
-+ dev_filetrans($1, tty_device_t, chr_file, "cu9")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri0")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri1")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri2")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri3")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri4")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri5")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri6")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri7")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri8")
-+ dev_filetrans($1, tty_device_t, chr_file, "dcbri9")
-+ dev_filetrans($1, tty_device_t, chr_file, "vcsa")
-+ dev_filetrans($1, tty_device_t, chr_file, "vcsb")
-+ dev_filetrans($1, tty_device_t, chr_file, "vcsc")
-+ dev_filetrans($1, tty_device_t, chr_file, "vcsd")
-+ dev_filetrans($1, tty_device_t, chr_file, "vcse")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc0")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc1")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc2")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc3")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc4")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc5")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc6")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc7")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc8")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvc9")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi0")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi1")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi2")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi3")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi4")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi5")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi6")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi7")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi8")
-+ dev_filetrans($1, tty_device_t, chr_file, "hvsi9")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm0")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm1")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm2")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm3")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm4")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm5")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm6")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm7")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm8")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm9")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn0")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn1")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn2")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn3")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn4")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn5")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn6")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn7")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn8")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn9")
-+ filetrans_pattern($1, devpts_t, ptmx_t, chr_file, "ptmx")
-+ dev_filetrans($1, ptmx_t, chr_file, "ptmx")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm0")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm1")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm2")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm3")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm4")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm5")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm6")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm7")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm8")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm9")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr0")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr1")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr2")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr3")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr4")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr5")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr6")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr7")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr8")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr9")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM0")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM1")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM2")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM3")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM4")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM5")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM6")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM7")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM8")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM9")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS0")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS1")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS2")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS3")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS4")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS5")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS6")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS7")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS8")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS9")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG0")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG1")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG2")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG3")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG4")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG5")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG6")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG7")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG8")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG9")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB5")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p0")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p1")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p2")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p3")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p4")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p5")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p6")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p7")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p8")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p9")
-+ dev_filetrans($1, devpts_t, dir, "pts")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc0")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc1")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc2")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc3")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc4")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc5")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc6")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc7")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc8")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc9")
-+')
-diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
-index 9d64659..f85e86f 100644
---- a/policy/modules/kernel/terminal.te
-+++ b/policy/modules/kernel/terminal.te
-@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
- fs_associate_tmpfs(devpts_t)
- fs_type(devpts_t)
- fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
-+dev_associate(devpts_t)
-
- #
- # devtty_t is the type of /dev/tty.
-@@ -54,5 +55,11 @@ dev_node(tty_device_t)
- #
- # usbtty_device_t is the type of /dev/usr/tty*
- #
--type usbtty_device_t, serial_device;
--dev_node(usbtty_device_t)
-+type usbtty_device_t;
-+term_tty(usbtty_device_t)
-+
-+#
-+# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
-+#
-+type virtio_device_t, serial_device;
-+dev_node(virtio_device_t)
-diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc
-new file mode 100644
-index 0000000..f310b9d
---- /dev/null
-+++ b/policy/modules/kernel/unlabelednet.fc
-@@ -0,0 +1 @@
-+# No unlabelednet file contexts.
-diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if
-new file mode 100644
-index 0000000..0ce0470
---- /dev/null
-+++ b/policy/modules/kernel/unlabelednet.if
-@@ -0,0 +1 @@
-+## Policy for allowing confined domains to use unlabeled_t packets
-diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te
-new file mode 100644
-index 0000000..64b5db7
---- /dev/null
-+++ b/policy/modules/kernel/unlabelednet.te
-@@ -0,0 +1,3 @@
-+policy_module(unlabelednet, 1.0.0)
-+
-+corenet_enable_unlabeled_packets()
-diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
-index 834a065..1105353 100644
---- a/policy/modules/roles/auditadm.te
-+++ b/policy/modules/roles/auditadm.te
-@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t)
-
- domain_kill_all_domains(auditadm_t)
-
-+selinux_read_policy(auditadm_t)
-+
- logging_send_syslog_msg(auditadm_t)
- logging_read_generic_logs(auditadm_t)
- logging_manage_audit_log(auditadm_t)
- logging_manage_audit_config(auditadm_t)
- logging_run_auditctl(auditadm_t, auditadm_r)
- logging_run_auditd(auditadm_t, auditadm_r)
-+logging_stream_connect_syslog(auditadm_t)
-
- seutil_run_runinit(auditadm_t, auditadm_r)
- seutil_read_bin_policy(auditadm_t)
-
-+userdom_dontaudit_search_admin_dir(auditadm_t)
-+
- optional_policy(`
- consoletype_exec(auditadm_t)
- ')
-diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
-index 3a45a3e..6b08160 100644
---- a/policy/modules/roles/logadm.te
-+++ b/policy/modules/roles/logadm.te
-@@ -14,6 +14,5 @@ userdom_base_user_template(logadm)
- # logadmin local policy
- #
-
--allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
--
-+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
- logging_admin(logadm_t, logadm_r)
-diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
-index da11120..34f3a61 100644
---- a/policy/modules/roles/secadm.te
-+++ b/policy/modules/roles/secadm.te
-@@ -9,6 +9,8 @@ role secadm_r;
-
- userdom_unpriv_user_template(secadm)
- userdom_security_admin_template(secadm_t, secadm_r)
-+userdom_inherit_append_admin_home_files(secadm_t)
-+userdom_read_admin_home_files(secadm_t)
-
- ########################################
- #
-@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t)
- mls_file_downgrade(secadm_t)
-
- auth_role(secadm_r, secadm_t)
--files_relabel_non_auth_files(secadm_t)
--auth_relabel_shadow(secadm_t)
-+files_relabel_all_files(secadm_t)
-
- init_exec(secadm_t)
-
-diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
-index 234a940..d340f20 100644
---- a/policy/modules/roles/staff.if
-+++ b/policy/modules/roles/staff.if
-@@ -1,4 +1,4 @@
--## Administrator's unprivileged user role
-+## Administrator's unprivileged user
-
- ########################################
- ##
-diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index e5aee97..2fdb49f 100644
---- a/policy/modules/roles/staff.te
-+++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,67 @@ policy_module(staff, 2.3.0)
- role staff_r;
-
- userdom_unpriv_user_template(staff)
-+fs_exec_noxattr(staff_t)
-+
-+##
-+##
-+## allow staff user to create and transition to svirt domains.
-+##
-+##
-+gen_tunable(staff_use_svirt, false)
-
- ########################################
- #
- # Local policy
- #
-
-+kernel_read_ring_buffer(staff_t)
-+kernel_getattr_core_if(staff_t)
-+kernel_getattr_message_if(staff_t)
-+kernel_read_software_raid_state(staff_t)
-+kernel_read_fs_sysctls(staff_t)
-+kernel_read_numa_state(staff_t)
-+kernel_write_numa_state(staff_t)
-+
-+fs_read_hugetlbfs_files(staff_t)
-+
-+dev_read_cpuid(staff_t)
-+dev_read_kmsg(staff_t)
-+
-+domain_read_all_domains_state(staff_t)
-+domain_getattr_all_domains(staff_t)
-+domain_obj_id_change_exemption(staff_t)
-+
-+files_read_kernel_modules(staff_t)
-+
-+seutil_read_module_store(staff_t)
-+seutil_run_newrole(staff_t, staff_r)
-+
-+storage_read_scsi_generic(staff_t)
-+storage_write_scsi_generic(staff_t)
-+
-+term_use_unallocated_ttys(staff_t)
-+
-+auth_domtrans_pam_console(staff_t)
-+
-+init_dbus_chat(staff_t)
-+init_dbus_chat_script(staff_t)
-+
-+miscfiles_read_hwdata(staff_t)
-+
-+ifndef(`enable_mls',`
-+ selinux_read_policy(staff_t)
-+')
-+
-+optional_policy(`
-+ abrt_read_cache(staff_t)
-+')
-+
-+optional_policy(`
-+ accountsd_dbus_chat(staff_t)
-+ accountsd_read_lib_files(staff_t)
-+')
-+
- optional_policy(`
- apache_role(staff_r, staff_t)
- ')
-@@ -23,11 +78,110 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ blueman_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+ kdumpgui_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+ bluetooth_role(staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ chrome_role(staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ colord_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
- dbadm_role_change(staff_r)
- ')
-
- optional_policy(`
-- git_role(staff_r, staff_t)
-+ dnsmasq_read_pid_files(staff_t)
-+')
-+
-+optional_policy(`
-+ dmesg_exec(staff_t)
-+')
-+
-+optional_policy(`
-+ firewalld_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+ firewallgui_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+ gnomeclock_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+ gnome_role(staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ irc_role(staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ kerneloops_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+ logadm_role_change(staff_r)
-+')
-+
-+optional_policy(`
-+ lpd_list_spool(staff_t)
-+')
-+
-+optional_policy(`
-+ mock_role(staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ mozilla_run_plugin(staff_t, staff_r)
-+')
-+
-+optional_policy(`
-+ modutils_read_module_config(staff_t)
-+ modutils_read_module_deps(staff_t)
-+')
-+
-+optional_policy(`
-+ netutils_run_ping(staff_t, staff_r)
-+ netutils_run_traceroute(staff_t, staff_r)
-+ netutils_signal_ping(staff_t)
-+ netutils_kill_ping(staff_t)
-+')
-+
-+optional_policy(`
-+ oident_manage_user_content(staff_t)
-+ oident_relabel_user_content(staff_t)
-+')
-+
-+optional_policy(`
-+ mta_role(staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ mysql_exec(staff_t)
-+')
-+
-+optional_policy(`
-+ polipo_role(staff_r, staff_t)
-+ polipo_named_filetrans_cache_home_dirs(staff_t)
-+ polipo_named_filetrans_config_home_files(staff_t)
-+')
-+
-+optional_policy(`
-+ git_session_role(staff_r, staff_t)
- ')
-
- optional_policy(`
-@@ -35,15 +189,31 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rtkit_scheduled(staff_t)
-+')
-+
-+optional_policy(`
-+ rpm_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+ rwho_read_spool_files(staff_t)
-+')
-+
-+optional_policy(`
- secadm_role_change(staff_r)
- ')
-
- optional_policy(`
-- ssh_role_template(staff, staff_r, staff_t)
-+ sandbox_transition(staff_t, staff_r)
- ')
-
- optional_policy(`
-- sudo_role_template(staff, staff_r, staff_t)
-+ sandbox_x_transition(staff_t, staff_r)
-+')
-+
-+optional_policy(`
-+ screen_role_template(staff, staff_r, staff_t)
- ')
-
- optional_policy(`
-@@ -52,10 +222,59 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ systemd_read_unit_files(staff_t)
-+ systemd_exec_systemctl(staff_t)
-+')
-+
-+optional_policy(`
-+ setroubleshoot_stream_connect(staff_t)
-+ setroubleshoot_dbus_chat(staff_t)
-+ setroubleshoot_dbus_chat_fixit(staff_t)
-+')
-+
-+optional_policy(`
-+ ssh_role_template(staff, staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ sudo_role_template(staff, staff_r, staff_t)
-+')
-+
-+#optional_policy(`
-+# telepathy_dbus_session_role(staff_r, staff_t)
-+#')
-+
-+optional_policy(`
-+ userhelper_console_role_template(staff, staff_r, staff_t)
-+')
-+
-+optional_policy(`
-+ unconfined_role_change(staff_r)
-+')
-+
-+optional_policy(`
-+ usbmuxd_stream_connect(staff_t)
-+')
-+
-+optional_policy(`
-+ virt_getattr_exec(staff_t)
-+ virt_search_images(staff_t)
-+ virt_stream_connect(staff_t)
-+')
-+
-+optional_policy(`
- vlock_run(staff_t, staff_r)
- ')
-
- optional_policy(`
-+ vnstatd_read_lib_files(staff_t)
-+')
-+
-+optional_policy(`
-+ webadm_role_change(staff_r)
-+')
-+
-+optional_policy(`
- xserver_role(staff_r, staff_t)
- ')
-
-@@ -65,10 +284,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- bluetooth_role(staff_r, staff_t)
-- ')
--
-- optional_policy(`
- cdrecord_role(staff_r, staff_t)
- ')
-
-@@ -93,18 +308,10 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- gnome_role(staff_r, staff_t)
-- ')
--
-- optional_policy(`
- gpg_role(staff_r, staff_t)
- ')
-
- optional_policy(`
-- irc_role(staff_r, staff_t)
-- ')
--
-- optional_policy(`
- java_role(staff_r, staff_t)
- ')
-
-@@ -125,10 +332,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- mta_role(staff_r, staff_t)
-- ')
--
-- optional_policy(`
- pyzor_role(staff_r, staff_t)
- ')
-
-@@ -141,10 +344,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- screen_role_template(staff, staff_r, staff_t)
-- ')
--
-- optional_policy(`
- spamassassin_role(staff_r, staff_t)
- ')
-
-@@ -176,3 +375,20 @@ ifndef(`distro_redhat',`
- wireshark_role(staff_r, staff_t)
- ')
- ')
-+
-+tunable_policy(`selinuxuser_execmod',`
-+ userdom_execmod_user_home_files(staff_t)
-+')
-+
-+optional_policy(`
-+ virt_transition_svirt(staff_t, staff_r)
-+ virt_filetrans_home_content(staff_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`staff_use_svirt',`
-+ allow staff_t self:fifo_file relabelfrom;
-+ dev_rw_kvm(staff_t)
-+ virt_manage_images(staff_t)
-+ ')
-+')
-diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
-index ff92430..36740ea 100644
---- a/policy/modules/roles/sysadm.if
-+++ b/policy/modules/roles/sysadm.if
-@@ -70,6 +70,23 @@ interface(`sysadm_shell_domtrans',`
- allow sysadm_t $1:process sigchld;
- ')
-
-+#######################################
-+##
-+## sysadm stub interface. No access allowed.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`sysadm_stub',`
-+ gen_require(`
-+ type sysadm_t;
-+ role sysadm_r;
-+ ')
-+')
-+
- ########################################
- ##
- ## Execute a generic bin program in the sysadm domain.
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 44c198a..82eb9e5 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.0)
- # Declarations
- #
-
--##
--##
--## Allow sysadm to debug or ptrace all processes.
--##
--##
--gen_tunable(allow_ptrace, false)
--
- role sysadm_r;
-
- userdom_admin_user_template(sysadm)
-
--ifndef(`enable_mls',`
-- userdom_security_admin_template(sysadm_t, sysadm_r)
--')
--
- ########################################
- #
- # Local policy
- #
-+kernel_read_fs_sysctls(sysadm_t)
-
- corecmd_exec_shell(sysadm_t)
-
-+dev_filetrans_all_named_dev(sysadm_t)
-+
-+domain_dontaudit_read_all_domains_state(sysadm_t)
-+
-+files_read_kernel_modules(sysadm_t)
-+files_filetrans_named_content(sysadm_t)
-+
-+fs_mount_fusefs(sysadm_t)
-+
-+storage_filetrans_all_named_dev(sysadm_t)
-+
-+term_filetrans_all_named_dev(sysadm_t)
-+
- mls_process_read_up(sysadm_t)
-+mls_file_read_all_levels(sysadm_t)
-+mls_file_write_all_levels(sysadm_t)
-+mls_file_read_to_clearance(sysadm_t)
-+mls_process_write_to_clearance(sysadm_t)
-+
-+storage_setattr_fixed_disk_dev(sysadm_t)
-
- ubac_process_exempt(sysadm_t)
- ubac_file_exempt(sysadm_t)
- ubac_fd_exempt(sysadm_t)
-
-+application_exec(sysadm_t)
-+
- init_exec(sysadm_t)
-+init_exec_script_files(sysadm_t)
-+init_dbus_chat(sysadm_t)
-+init_script_role_transition(sysadm_r)
-+init_status(sysadm_t)
-+init_reboot(sysadm_t)
-+init_halt(sysadm_t)
-+init_undefined(sysadm_t)
-+
-+logging_filetrans_named_content(sysadm_t)
-+
-+miscfiles_filetrans_named_content(sysadm_t)
-+miscfiles_read_hwdata(sysadm_t)
-+
-+sysnet_filetrans_named_content(sysadm_t)
-
- # Add/remove user home directories
- userdom_manage_user_home_dirs(sysadm_t)
- userdom_home_filetrans_user_home_dir(sysadm_t)
-+userdom_manage_tmp_role(sysadm_r, sysadm_t)
-+
-+optional_policy(`
-+ alsa_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_admin_home_content(sysadm_t)
-+')
-
- ifdef(`direct_sysadm_daemon',`
- optional_policy(`
-@@ -55,13 +89,7 @@ ifdef(`distro_gentoo',`
- init_exec_rc(sysadm_t)
- ')
-
--ifndef(`enable_mls',`
-- logging_manage_audit_log(sysadm_t)
-- logging_manage_audit_config(sysadm_t)
-- logging_run_auditctl(sysadm_t, sysadm_r)
--')
--
--tunable_policy(`allow_ptrace',`
-+tunable_policy(`deny_ptrace',`',`
- domain_ptrace_all_domains(sysadm_t)
- ')
-
-@@ -71,9 +99,9 @@ optional_policy(`
-
- optional_policy(`
- apache_run_helper(sysadm_t, sysadm_r)
-+ apache_filetrans_named_content(sysadm_t)
- #apache_run_all_scripts(sysadm_t, sysadm_r)
- #apache_domtrans_sys_script(sysadm_t)
-- apache_role(sysadm_r, sysadm_t)
- ')
-
- optional_policy(`
-@@ -110,6 +138,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ certmonger_dbus_chat(sysadm_t)
-+')
-+
-+optional_policy(`
- certwatch_run(sysadm_t, sysadm_r)
- ')
-
-@@ -122,11 +154,20 @@ optional_policy(`
- ')
-
- optional_policy(`
-- consoletype_run(sysadm_t, sysadm_r)
-+ cron_admin_role(sysadm_r, sysadm_t)
-+ #cron_role(sysadm_r, sysadm_t)
-+')
-+
-+optional_policy(`
-+ consoletype_exec(sysadm_t)
- ')
-
- optional_policy(`
-- cvs_exec(sysadm_t)
-+ daemonstools_run_start(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
-+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
- ')
-
- optional_policy(`
-@@ -140,6 +181,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ devicekit_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
- dmesg_exec(sysadm_t)
- ')
-
-@@ -156,11 +201,15 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ firewalld_dbus_chat(sysadm_t)
-+')
-+
-+optional_policy(`
- fstools_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- git_role(sysadm_r, sysadm_t)
-+ git_session_role(sysadm_r, sysadm_t)
- ')
-
- optional_policy(`
-@@ -179,6 +228,13 @@ optional_policy(`
- ipsec_stream_connect(sysadm_t)
- # for lsof
- ipsec_getattr_key_sockets(sysadm_t)
-+ ipsec_run_setkey(sysadm_t, sysadm_r)
-+ ipsec_run_racoon(sysadm_t, sysadm_r)
-+ ipsec_stream_connect_racoon(sysadm_t)
-+
-+ optional_policy(`
-+ ipsec_mgmt_dbus_chat(sysadm_t)
-+ ')
- ')
-
- optional_policy(`
-@@ -186,15 +242,20 @@ optional_policy(`
- ')
-
- optional_policy(`
-- kudzu_run(sysadm_t, sysadm_r)
-+ irc_role(sysadm_r, sysadm_t)
- ')
-
- optional_policy(`
-- libs_run_ldconfig(sysadm_t, sysadm_r)
-+ kerberos_exec_kadmind(sysadm_t)
-+ kerberos_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
-+ kudzu_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- lockdev_role(sysadm_r, sysadm_t)
-+ libs_run_ldconfig(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-@@ -214,22 +275,20 @@ optional_policy(`
- modutils_run_depmod(sysadm_t, sysadm_r)
- modutils_run_insmod(sysadm_t, sysadm_r)
- modutils_run_update_mods(sysadm_t, sysadm_r)
-+ modutils_read_module_deps(sysadm_t)
-+ modules_filetrans_named_content(sysadm_t)
- ')
-
- optional_policy(`
- mount_run(sysadm_t, sysadm_r)
--')
--
--optional_policy(`
-- mozilla_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
-- mplayer_role(sysadm_r, sysadm_t)
-+ mount_run_showmount(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
- mta_role(sysadm_r, sysadm_t)
-+ # this is defined in userdom_common_user_template
-+ #mta_filetrans_home_content(sysadm_t)
-+ mta_filetrans_admin_home_content(sysadm_t)
- ')
-
- optional_policy(`
-@@ -241,25 +300,47 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ ncftool_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
- netutils_run(sysadm_t, sysadm_r)
- netutils_run_ping(sysadm_t, sysadm_r)
- netutils_run_traceroute(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-+ networkmanager_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
- ntp_stub()
- corenet_udp_bind_ntp_port(sysadm_t)
- ')
-
- optional_policy(`
-+ nx_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
- oav_run_update(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-+ openvpn_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
- pcmcia_run_cardctl(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-+ polipo_role(sysadm_r, sysadm_t)
-+ polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
-+ polipo_named_filetrans_admin_config_home_files(sysadm_t)
-+')
-+
-+optional_policy(`
- portage_run(sysadm_t, sysadm_r)
- portage_run_fetch(sysadm_t, sysadm_r)
- portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +351,32 @@ optional_policy(`
- ')
-
- optional_policy(`
-- pyzor_role(sysadm_r, sysadm_t)
-+ postfix_filetrans_named_content(sysadm_t)
- ')
-
- optional_policy(`
-- quota_run(sysadm_t, sysadm_r)
-+ prelink_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- raid_run_mdadm(sysadm_r, sysadm_t)
-+ puppet_run_puppetca(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- razor_role(sysadm_r, sysadm_t)
-+ quota_filetrans_named_content(sysadm_t)
- ')
-
- optional_policy(`
-- rpc_domtrans_nfsd(sysadm_t)
-+ raid_domtrans_mdadm(sysadm_t)
- ')
-
- optional_policy(`
-- rpm_run(sysadm_t, sysadm_r)
-+ rpc_domtrans_nfsd(sysadm_t)
- ')
-
- optional_policy(`
-- rssh_role(sysadm_r, sysadm_t)
-+ rpm_run(sysadm_t, sysadm_r)
-+ rpm_dbus_chat(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-@@ -319,12 +401,18 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ setroubleshoot_stream_connect(sysadm_t)
-+ setroubleshoot_dbus_chat(sysadm_t)
-+ setroubleshoot_dbus_chat_fixit(sysadm_t)
-+')
-+
-+optional_policy(`
- seutil_run_setfiles(sysadm_t, sysadm_r)
- seutil_run_runinit(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- spamassassin_role(sysadm_r, sysadm_t)
-+ shutdown_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-@@ -349,7 +437,18 @@ optional_policy(`
- ')
-
- optional_policy(`
-- thunderbird_role(sysadm_r, sysadm_t)
-+ systemd_passwd_agent_run(sysadm_t, sysadm_r)
-+ systemd_config_all_services(sysadm_t)
-+ systemd_manage_all_unit_files(sysadm_t)
-+ systemd_manage_all_unit_lnk_files(sysadm_t)
-+ systemd_login_status(sysadm_t)
-+ systemd_login_reboot(sysadm_t)
-+ systemd_login_halt(sysadm_t)
-+ systemd_login_undefined(sysadm_t)
-+')
-+
-+optional_policy(`
-+ tftp_filetrans_named_content(sysadm_t)
- ')
-
- optional_policy(`
-@@ -360,19 +459,15 @@ optional_policy(`
- ')
-
- optional_policy(`
-- tvtime_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- tzdata_domtrans(sysadm_t)
- ')
-
- optional_policy(`
-- uml_role(sysadm_r, sysadm_t)
-+ unconfined_domtrans(sysadm_t)
- ')
-
- optional_policy(`
-- unconfined_domtrans(sysadm_t)
-+ udev_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-@@ -384,10 +479,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- userhelper_role_template(sysadm, sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- usermanage_run_admin_passwd(sysadm_t, sysadm_r)
- usermanage_run_groupadd(sysadm_t, sysadm_r)
- usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +486,9 @@ optional_policy(`
-
- optional_policy(`
- virt_stream_connect(sysadm_t)
-+ virt_filetrans_home_content(sysadm_t)
-+ virt_manage_pid_dirs(sysadm_t)
-+ virt_transition_svirt_lxc(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-@@ -402,31 +496,34 @@ optional_policy(`
- ')
-
- optional_policy(`
-- vpn_run(sysadm_t, sysadm_r)
-+ vlock_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- webalizer_run(sysadm_t, sysadm_r)
-+ vpn_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- wireshark_role(sysadm_r, sysadm_t)
-+ webalizer_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- vlock_run(sysadm_t, sysadm_r)
-+ xserver_role(sysadm_r, sysadm_t)
- ')
-
- optional_policy(`
-- xserver_role(sysadm_r, sysadm_t)
-+ yam_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-- yam_run(sysadm_t, sysadm_r)
-+ zebra_stream_connect(sysadm_t)
- ')
-
- ifndef(`distro_redhat',`
- optional_policy(`
-+ apache_role(sysadm_r, sysadm_t)
-+ ')
-+ optional_policy(`
- auth_role(sysadm_r, sysadm_t)
- ')
-
-@@ -439,10 +536,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- cron_admin_role(sysadm_r, sysadm_t)
-- ')
--
-- optional_policy(`
- dbus_role_template(sysadm, sysadm_r, sysadm_t)
- ')
-
-@@ -460,6 +553,7 @@ ifndef(`distro_redhat',`
-
- optional_policy(`
- gnome_role(sysadm_r, sysadm_t)
-+ gnome_filetrans_admin_home_content(sysadm_t)
- ')
-
- optional_policy(`
-@@ -467,11 +561,66 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- irc_role(sysadm_r, sysadm_t)
-+ java_role(sysadm_r, sysadm_t)
- ')
-
- optional_policy(`
-- java_role(sysadm_r, sysadm_t)
-+ lockdev_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ mock_admin(sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ mozilla_role(sysadm_r, sysadm_t)
- ')
--')
-
-+ optional_policy(`
-+ mplayer_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ pyzor_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ razor_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ rssh_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ spamassassin_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ thunderbird_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ tvtime_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ uml_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ userhelper_role_template(sysadm, sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ vmware_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ wireshark_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ xserver_role(sysadm_r, sysadm_t)
-+ ')
-+')
-diff --git a/policy/modules/roles/sysadm_secadm.fc b/policy/modules/roles/sysadm_secadm.fc
-new file mode 100644
-index 0000000..ae3b6db
---- /dev/null
-+++ b/policy/modules/roles/sysadm_secadm.fc
-@@ -0,0 +1 @@
-+# No context
-diff --git a/policy/modules/roles/sysadm_secadm.if b/policy/modules/roles/sysadm_secadm.if
-new file mode 100644
-index 0000000..bd83148
---- /dev/null
-+++ b/policy/modules/roles/sysadm_secadm.if
-@@ -0,0 +1 @@
-+## No Interfaces
-diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te
-new file mode 100644
-index 0000000..63bc797
---- /dev/null
-+++ b/policy/modules/roles/sysadm_secadm.te
-@@ -0,0 +1,25 @@
-+policy_module(sysadm_secadm, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+gen_require(`
-+ type sysadm_t;
-+ role sysadm_r;
-+')
-+
-+userdom_security_admin_template(sysadm_t, sysadm_r)
-+
-+#######################################
-+#
-+# Local policy
-+#
-+
-+mls_file_write_all_levels(sysadm_t)
-+
-+logging_manage_audit_log(sysadm_t)
-+logging_manage_audit_config(sysadm_t)
-+logging_run_auditctl(sysadm_t, sysadm_r)
-+logging_stream_connect_syslog(sysadm_t)
-diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
-new file mode 100644
-index 0000000..0e8654b
---- /dev/null
-+++ b/policy/modules/roles/unconfineduser.fc
-@@ -0,0 +1,8 @@
-+# Add programs here which should not be confined by SELinux
-+# e.g.:
-+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-+
-+/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
-new file mode 100644
-index 0000000..bac0dc0
---- /dev/null
-+++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,595 @@
-+## Unconfiend user role
-+
-+########################################
-+##
-+## Change from the unconfineduser role.
-+##
-+##
-+##
-+## Change from the unconfineduser role to
-+## the specified role.
-+##
-+##
-+## This is an interface to support third party modules
-+## and its use is not allowed in upstream reference
-+## policy.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`unconfined_role_change_to',`
-+ gen_require(`
-+ role unconfined_r;
-+ ')
-+
-+ allow unconfined_r $1;
-+')
-+
-+########################################
-+##
-+## Transition to the unconfined domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_domtrans',`
-+ gen_require(`
-+ type unconfined_t, unconfined_exec_t;
-+ ')
-+
-+ domtrans_pattern($1,unconfined_exec_t,unconfined_t)
-+')
-+
-+########################################
-+##
-+## Execute specified programs in the unconfined domain.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+##
-+##
-+## The role to allow the unconfined domain.
-+##
-+##
-+#
-+interface(`unconfined_run',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ unconfined_domtrans($1)
-+ role $2 types unconfined_t;
-+')
-+
-+########################################
-+##
-+## Transition to the unconfined domain by executing a shell.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_shell_domtrans',`
-+ gen_require(`
-+ attribute unconfined_login_domain;
-+ ')
-+ typeattribute $1 unconfined_login_domain;
-+')
-+
-+########################################
-+##
-+## Allow unconfined to execute the specified program in
-+## the specified domain.
-+##
-+##
-+##
-+## Allow unconfined to execute the specified program in
-+## the specified domain.
-+##
-+##
-+## This is a interface to support third party modules
-+## and its use is not allowed in upstream reference
-+## policy.
-+##
-+##
-+##
-+##
-+## Domain to execute in.
-+##
-+##
-+##
-+##
-+## Domain entry point file.
-+##
-+##
-+#
-+interface(`unconfined_domtrans_to',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ domtrans_pattern(unconfined_t,$2,$1)
-+')
-+
-+########################################
-+##
-+## Allow unconfined to execute the specified program in
-+## the specified domain. Allow the specified domain the
-+## unconfined role and use of unconfined user terminals.
-+##
-+##
-+##
-+## Allow unconfined to execute the specified program in
-+## the specified domain. Allow the specified domain the
-+## unconfined role and use of unconfined user terminals.
-+##
-+##
-+## This is a interface to support third party modules
-+## and its use is not allowed in upstream reference
-+## policy.
-+##
-+##
-+##
-+##
-+## Domain to execute in.
-+##
-+##
-+##
-+##
-+## Domain entry point file.
-+##
-+##
-+#
-+interface(`unconfined_run_to',`
-+ gen_require(`
-+ type unconfined_t;
-+ role unconfined_r;
-+ ')
-+
-+ domtrans_pattern(unconfined_t,$2,$1)
-+ role unconfined_r types $1;
-+ userdom_use_user_terminals($1)
-+')
-+
-+########################################
-+##
-+## Inherit file descriptors from the unconfined domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_use_fds',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:fd use;
-+')
-+
-+########################################
-+##
-+## Send a SIGCHLD signal to the unconfined domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_sigchld',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:process sigchld;
-+')
-+
-+########################################
-+##
-+## Send a SIGNULL signal to the unconfined domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_signull',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:process signull;
-+')
-+
-+########################################
-+##
-+## Send generic signals to the unconfined domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_signal',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:process signal;
-+')
-+
-+########################################
-+##
-+## Read unconfined domain unnamed pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_read_pipes',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:fifo_file read_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read unconfined domain unnamed pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_dontaudit_read_pipes',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ dontaudit $1 unconfined_t:fifo_file read;
-+')
-+
-+########################################
-+##
-+## Read and write unconfined domain unnamed pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_rw_pipes',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read and write
-+## unconfined domain unnamed pipes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`unconfined_dontaudit_rw_pipes',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ dontaudit $1 unconfined_t:fifo_file rw_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read and write
-+## unconfined domain stream.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`unconfined_dontaudit_rw_stream',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
-+')
-+
-+########################################
-+##
-+## Connect to the unconfined domain using
-+## a unix domain stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_stream_connect',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read or write
-+## unconfined domain tcp sockets.
-+##
-+##
-+##
-+## Do not audit attempts to read or write
-+## unconfined domain tcp sockets.
-+##
-+##
-+## This interface was added due to a broken
-+## symptom in ldconfig.
-+##
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`unconfined_dontaudit_rw_tcp_sockets',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ dontaudit $1 unconfined_t:tcp_socket { read write };
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read or write
-+## unconfined domain packet sockets.
-+##
-+##
-+##
-+## Do not audit attempts to read or write
-+## unconfined domain packet sockets.
-+##
-+##
-+## This interface was added due to a broken
-+## symptom.
-+##
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`unconfined_dontaudit_rw_packet_sockets',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ dontaudit $1 unconfined_t:packet_socket { read write };
-+')
-+
-+########################################
-+##
-+## Create keys for the unconfined domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_create_keys',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:key create;
-+')
-+
-+########################################
-+##
-+## Send messages to the unconfined domain over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_dbus_send',`
-+ gen_require(`
-+ type unconfined_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 unconfined_t:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## unconfined_t over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_dbus_chat',`
-+ gen_require(`
-+ type unconfined_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 unconfined_t:dbus send_msg;
-+ allow unconfined_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Connect to the the unconfined DBUS
-+## for service (acquire_svc).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_dbus_connect',`
-+ gen_require(`
-+ type unconfined_t;
-+ class dbus acquire_svc;
-+ ')
-+
-+ allow $1 unconfined_t:dbus acquire_svc;
-+')
-+
-+########################################
-+##
-+## Allow ptrace of unconfined domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_ptrace',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:process ptrace;
-+')
-+
-+########################################
-+##
-+## Read and write to unconfined shared memory.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`unconfined_rw_shm',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:shm rw_shm_perms;
-+')
-+
-+########################################
-+##
-+## Allow apps to set rlimits on userdomain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_set_rlimitnh',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:process rlimitinh;
-+')
-+
-+########################################
-+##
-+## Get the process group of unconfined.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_getpgid',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:process getpgid;
-+')
-+
-+########################################
-+##
-+## Change to the unconfined role.
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`unconfined_role_change',`
-+ gen_require(`
-+ role unconfined_r;
-+ ')
-+
-+ allow $1 unconfined_r;
-+')
-+
-+########################################
-+##
-+## Allow domain to attach to TUN devices created by unconfined_t users.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_attach_tun_iface',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:tun_socket relabelfrom;
-+ allow $1 self:tun_socket relabelto;
-+')
-+
-diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
-new file mode 100644
-index 0000000..d609f53
---- /dev/null
-+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,387 @@
-+policy_module(unconfineduser, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+attribute unconfined_login_domain;
-+
-+##
-+##
-+## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
-+##
-+##
-+gen_tunable(unconfined_chrome_sandbox_transition, false)
-+
-+##
-+##
-+## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
-+##
-+##
-+gen_tunable(unconfined_mozilla_plugin_transition, false)
-+
-+##
-+##
-+## Allow video playing tools to run unconfined
-+##
-+##
-+gen_tunable(unconfined_mplayer, false)
-+
-+##
-+##
-+## Allow a user to login as an unconfined domain
-+##
-+##
-+gen_tunable(unconfined_login, true)
-+
-+# usage in this module of types created by these
-+# calls is not correct, however we dont currently
-+# have another method to add access to these types
-+userdom_base_user_template(unconfined)
-+userdom_manage_home_role(unconfined_r, unconfined_t)
-+userdom_manage_tmp_role(unconfined_r, unconfined_t)
-+userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
-+userdom_unpriv_type(unconfined_t)
-+
-+type unconfined_exec_t;
-+init_system_domain(unconfined_t, unconfined_exec_t)
-+role unconfined_r types unconfined_t;
-+role_transition system_r unconfined_exec_t unconfined_r;
-+allow system_r unconfined_r;
-+
-+domain_user_exemption_target(unconfined_t)
-+allow system_r unconfined_r;
-+allow unconfined_r system_r;
-+init_script_role_transition(unconfined_r)
-+role system_r types unconfined_t;
-+typealias unconfined_t alias unconfined_crontab_t;
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+dontaudit unconfined_t self:dir write;
-+dontaudit unconfined_t self:file setattr;
-+
-+allow unconfined_t self:system syslog_read;
-+dontaudit unconfined_t self:capability sys_module;
-+
-+kernel_rw_unlabeled_socket(unconfined_t)
-+kernel_rw_unlabeled_rawip_socket(unconfined_t)
-+
-+files_create_boot_flag(unconfined_t)
-+files_create_default_dir(unconfined_t)
-+files_root_filetrans_default(unconfined_t, dir)
-+
-+mcs_killall(unconfined_t)
-+mcs_ptrace_all(unconfined_t)
-+mls_file_write_all_levels(unconfined_t)
-+
-+init_run_daemon(unconfined_t, unconfined_r)
-+init_domtrans_script(unconfined_t)
-+init_telinit(unconfined_t)
-+
-+logging_send_syslog_msg(unconfined_t)
-+logging_run_auditctl(unconfined_t, unconfined_r)
-+
-+systemd_config_all_services(unconfined_t)
-+
-+seutil_run_loadpolicy(unconfined_t, unconfined_r)
-+seutil_run_setsebool(unconfined_t, unconfined_r)
-+seutil_run_setfiles(unconfined_t, unconfined_r)
-+seutil_run_semanage(unconfined_t, unconfined_r)
-+
-+unconfined_domain_noaudit(unconfined_t)
-+
-+usermanage_run_passwd(unconfined_t, unconfined_r)
-+
-+tunable_policy(`deny_execmem',`',`
-+ allow unconfined_t self:process execmem;
-+')
-+
-+tunable_policy(`selinuxuser_execstack',`
-+ allow unconfined_t self:process execstack;
-+')
-+
-+tunable_policy(`selinuxuser_execmod',`
-+ userdom_execmod_user_home_files(unconfined_t)
-+')
-+
-+tunable_policy(`unconfined_login',`
-+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
-+ allow unconfined_t unconfined_login_domain:fd use;
-+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
-+ allow unconfined_t unconfined_login_domain:process sigchld;
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ optional_policy(`
-+ abrt_dbus_chat(unconfined_t)
-+ abrt_run_helper(unconfined_t, unconfined_r)
-+ ')
-+
-+ optional_policy(`
-+ avahi_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ blueman_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ certmonger_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ devicekit_dbus_chat(unconfined_t)
-+ devicekit_dbus_chat_disk(unconfined_t)
-+ devicekit_dbus_chat_power(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ hal_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ policykit_role(unconfined_r, unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ rtkit_scheduled(unconfined_t)
-+ ')
-+
-+ # Might remove later if this proves to be problematic, but would like to gather AVCs
-+ optional_policy(`
-+ thumb_role(unconfined_r, unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ setroubleshoot_dbus_chat(unconfined_t)
-+ setroubleshoot_dbus_chat_fixit(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ sandbox_transition(unconfined_t, unconfined_r)
-+ ')
-+
-+ optional_policy(`
-+ sandbox_x_transition(unconfined_t, unconfined_r)
-+ ')
-+
-+ optional_policy(`
-+ shutdown_run(unconfined_t, unconfined_r)
-+ ')
-+
-+ optional_policy(`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ xserver_rw_session(unconfined_t, user_tmpfs_t)
-+ xserver_run_xauth(unconfined_t, unconfined_r)
-+ xserver_dbus_chat_xdm(unconfined_t)
-+ ')
-+')
-+
-+ifdef(`distro_gentoo',`
-+ seutil_run_runinit(unconfined_t, unconfined_r)
-+ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ accountsd_dbus_chat(unconfined_t)
-+')
-+
-+optional_policy(`
-+ apache_run_helper(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ bind_run_ndc(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ chrome_role_notrans(unconfined_r, unconfined_t)
-+
-+ tunable_policy(`unconfined_chrome_sandbox_transition',`
-+ chrome_domtrans_sandbox(unconfined_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ dbus_role_template(unconfined, unconfined_r, unconfined_t)
-+
-+ optional_policy(`
-+ unconfined_domain(unconfined_dbusd_t)
-+
-+ optional_policy(`
-+ xserver_rw_shm(unconfined_dbusd_t)
-+ ')
-+ ')
-+
-+ init_dbus_chat(unconfined_t)
-+ init_dbus_chat_script(unconfined_t)
-+
-+ dbus_stub(unconfined_t)
-+
-+ optional_policy(`
-+ bluetooth_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ consolekit_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ cups_dbus_chat_config(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ fprintd_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ gnomeclock_dbus_chat(unconfined_t)
-+ gnome_dbus_chat_gconfdefault(unconfined_t)
-+ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ ipsec_mgmt_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ kerneloops_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ oddjob_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ vpn_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ firewalld_dbus_chat(unconfined_t)
-+ ')
-+
-+ optional_policy(`
-+ firewallgui_dbus_chat(unconfined_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ firstboot_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ fsadm_manage_pid(unconfined_t)
-+')
-+
-+optional_policy(`
-+ ftp_run_ftpdctl(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ gpsd_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ java_run_unconfined(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ livecd_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ lpd_run_checkpc(unconfined_t, unconfined_r)
-+')
-+
-+#optional_policy(`
-+# mock_role(unconfined_r, unconfined_t)
-+#')
-+
-+optional_policy(`
-+ modutils_run_update_mods(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ mozilla_role_plugin(unconfined_r)
-+
-+ tunable_policy(`unconfined_mozilla_plugin_transition', `
-+ mozilla_domtrans_plugin(unconfined_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ portmap_run_helper(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ rpm_run(unconfined_t, unconfined_r)
-+ # Allow SELinux aware applications to request rpm_script execution
-+ rpm_transition_script(unconfined_t)
-+ rpm_dbus_chat(unconfined_t)
-+')
-+
-+optional_policy(`
-+ optional_policy(`
-+ samba_run_unconfined_net(unconfined_t, unconfined_r)
-+ ')
-+
-+ samba_role_notrans(unconfined_r)
-+ samba_run_smbcontrol(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ sysnet_run_dhcpc(unconfined_t, unconfined_r)
-+ sysnet_dbus_chat_dhcpc(unconfined_t)
-+ sysnet_role_transition_dhcpc(unconfined_r)
-+')
-+
-+optional_policy(`
-+ openshift_run(unconfined_usertype, unconfined_r)
-+')
-+
-+optional_policy(`
-+ usermanage_run_useradd(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ virt_transition_svirt(unconfined_t, unconfined_r)
-+ virt_transition_svirt_lxc(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ webalizer_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ wine_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ xserver_run(unconfined_t, unconfined_r)
-+ xserver_manage_home_fonts(unconfined_t)
-+')
-+
-+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
-index 3835596..fbca2be 100644
---- a/policy/modules/roles/unprivuser.if
-+++ b/policy/modules/roles/unprivuser.if
-@@ -1,4 +1,4 @@
--## Generic unprivileged user role
-+## Generic unprivileged user
-
- ########################################
- ##
-diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 9f6d4c3..23a78b4 100644
---- a/policy/modules/roles/unprivuser.te
-+++ b/policy/modules/roles/unprivuser.te
-@@ -1,5 +1,12 @@
- policy_module(unprivuser, 2.3.0)
-
-+##
-+##
-+## Allow unprivledged user to create and transition to svirt domains.
-+##
-+##
-+gen_tunable(unprivuser_use_svirt, false)
-+
- # this module should be named user, but that is
- # a compile error since user is a keyword.
-
-@@ -12,12 +19,97 @@ role user_r;
-
- userdom_unpriv_user_template(user)
-
-+kernel_read_numa_state(user_t)
-+kernel_write_numa_state(user_t)
-+
-+fs_exec_noxattr(user_t)
-+fs_read_hugetlbfs_files(user_t)
-+
-+storage_read_scsi_generic(user_t)
-+storage_write_scsi_generic(user_t)
-+
-+tunable_policy(`selinuxuser_execmod',`
-+ userdom_execmod_user_home_files(user_t)
-+')
-+
-+optional_policy(`
-+ abrt_read_cache(user_t)
-+')
-+
- optional_policy(`
- apache_role(user_r, user_t)
- ')
-
- optional_policy(`
-- git_role(user_r, user_t)
-+ blueman_dbus_chat(user_t)
-+')
-+
-+optional_policy(`
-+ bluetooth_role(user_r, user_t)
-+')
-+
-+optional_policy(`
-+ colord_dbus_chat(user_t)
-+')
-+
-+optional_policy(`
-+ chrome_role(user_r, user_t)
-+')
-+
-+optional_policy(`
-+ gnome_role(user_r, user_t)
-+')
-+
-+optional_policy(`
-+ irc_role(user_r, user_t)
-+')
-+
-+optional_policy(`
-+ oident_manage_user_content(user_t)
-+ oident_relabel_user_content(user_t)
-+')
-+
-+optional_policy(`
-+ mozilla_run_plugin(user_t, user_r)
-+')
-+
-+optional_policy(`
-+ mta_role(user_r, user_t)
-+')
-+
-+optional_policy(`
-+ netutils_run_ping_cond(user_t, user_r)
-+ netutils_run_traceroute_cond(user_t, user_r)
-+')
-+
-+optional_policy(`
-+ polipo_role(user_r, user_t)
-+ polipo_named_filetrans_cache_home_dirs(user_t)
-+ polipo_named_filetrans_config_home_files(user_t)
-+')
-+
-+optional_policy(`
-+ rpm_dontaudit_dbus_chat(user_t)
-+')
-+
-+optional_policy(`
-+ rtkit_scheduled(user_t)
-+')
-+
-+optional_policy(`
-+ sandbox_transition(user_t, user_r)
-+')
-+
-+optional_policy(`
-+ sandbox_x_transition(user_t, user_r)
-+')
-+
-+optional_policy(`
-+ ssh_role_template(user, user_r, user_t)
-+')
-+
-+optional_policy(`
-+ git_session_role(user_r, user_t)
- ')
-
- optional_policy(`
-@@ -25,6 +117,18 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ setroubleshoot_dontaudit_stream_connect(user_t)
-+')
-+
-+#optional_policy(`
-+# telepathy_dbus_session_role(user_r, user_t)
-+#')
-+
-+optional_policy(`
-+ usbmuxd_stream_connect(user_t)
-+')
-+
-+optional_policy(`
- vlock_run(user_t, user_r)
- ')
-
-@@ -66,10 +170,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- gnome_role(user_r, user_t)
-- ')
--
-- optional_policy(`
- gpg_role(user_r, user_t)
- ')
-
-@@ -102,10 +202,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- mta_role(user_r, user_t)
-- ')
--
-- optional_policy(`
- postgresql_role(user_r, user_t)
- ')
-
-@@ -128,7 +224,6 @@ ifndef(`distro_redhat',`
- optional_policy(`
- ssh_role_template(user, user_r, user_t)
- ')
--
- optional_policy(`
- su_role_template(user, user_r, user_t)
- ')
-@@ -161,3 +256,15 @@ ifndef(`distro_redhat',`
- wireshark_role(user_r, user_t)
- ')
- ')
-+
-+
-+optional_policy(`
-+ virt_transition_svirt(user_t, user_r)
-+ virt_filetrans_home_content(user_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`unprivuser_use_svirt',`
-+ virt_manage_images(user_t)
-+ ')
-+')
-diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
-index a26f84f..d3cc612 100644
---- a/policy/modules/services/postgresql.fc
-+++ b/policy/modules/services/postgresql.fc
-@@ -10,6 +10,7 @@
- #
- /usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
- /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-+/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-
- /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
- /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-@@ -28,9 +29,9 @@ ifdef(`distro_redhat', `
- #
- /var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
-
--/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
-+/var/lib/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
- /var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
--/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
-+/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0)
-
- /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
- /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
-@@ -45,4 +46,4 @@ ifdef(`distro_redhat', `
-
- /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
-
--/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
-+#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
-diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index ecef19f..fcbc25a 100644
---- a/policy/modules/services/postgresql.if
-+++ b/policy/modules/services/postgresql.if
-@@ -10,7 +10,7 @@
- ##
- ##
- ##
--##
-+##
- ## The type of the user domain.
- ##
- ##
-@@ -54,15 +54,6 @@ interface(`postgresql_role',`
- # Client local policy
- #
-
-- tunable_policy(`sepgsql_enable_users_ddl',`
-- allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
-- allow $2 user_sepgsql_table_t:db_table { create drop setattr };
-- allow $2 user_sepgsql_table_t:db_column { create drop setattr };
-- allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
-- allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
-- allow $2 user_sepgsql_view_t:db_view { create drop setattr };
-- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-- ')
-
- allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
- type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
-@@ -94,6 +85,16 @@ interface(`postgresql_role',`
-
- allow $2 sepgsql_trusted_proc_t:process transition;
- type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
-+
-+ tunable_policy(`sepgsql_enable_users_ddl',`
-+ allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
-+ allow $2 user_sepgsql_table_t:db_table { create drop setattr };
-+ allow $2 user_sepgsql_table_t:db_column { create drop setattr };
-+ allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
-+ allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
-+ allow $2 user_sepgsql_view_t:db_view { create drop setattr };
-+ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-+ ')
- ')
-
- ########################################
-@@ -312,7 +313,7 @@ interface(`postgresql_search_db',`
- type postgresql_db_t;
- ')
-
-- allow $1 postgresql_db_t:dir search;
-+ allow $1 postgresql_db_t:dir search_dir_perms;
- ')
-
- ########################################
-@@ -324,14 +325,16 @@ interface(`postgresql_search_db',`
- ## Domain allowed access.
- ##
- ##
-+#
- interface(`postgresql_manage_db',`
- gen_require(`
- type postgresql_db_t;
- ')
-
-- allow $1 postgresql_db_t:dir rw_dir_perms;
-- allow $1 postgresql_db_t:file rw_file_perms;
-- allow $1 postgresql_db_t:lnk_file { getattr read };
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, postgresql_db_t, postgresql_db_t)
-+ manage_files_pattern($1, postgresql_db_t, postgresql_db_t)
-+ manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t)
- ')
-
- ########################################
-@@ -354,6 +357,24 @@ interface(`postgresql_domtrans',`
-
- ######################################
- ##
-+## Execute Postgresql in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`postgresql_exec',`
-+ gen_require(`
-+ type postgresql_exec_t;
-+ ')
-+
-+ can_exec($1, postgresql_exec_t)
-+')
-+
-+######################################
-+##
- ## Allow domain to signal postgresql
- ##
- ##
-@@ -421,7 +442,6 @@ interface(`postgresql_tcp_connect',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`postgresql_stream_connect',`
- gen_require(`
-@@ -429,10 +449,8 @@ interface(`postgresql_stream_connect',`
- ')
-
- files_search_pids($1)
-- allow $1 postgresql_t:unix_stream_socket connectto;
-- allow $1 postgresql_var_run_t:sock_file write;
-- # Some versions of postgresql put the sock file in /tmp
-- allow $1 postgresql_tmp_t:sock_file write;
-+ files_search_tmp($1)
-+ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
- ')
-
- ########################################
-@@ -515,7 +533,6 @@ interface(`postgresql_unpriv_client',`
- allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
- type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
-
--
- tunable_policy(`sepgsql_enable_users_ddl',`
- allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
- allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
-@@ -564,33 +581,38 @@ interface(`postgresql_unconfined',`
- #
- interface(`postgresql_admin',`
- gen_require(`
-- attribute sepgsql_admin_type;
-- attribute sepgsql_client_type;
--
-- type postgresql_t, postgresql_var_run_t;
-- type postgresql_tmp_t, postgresql_db_t;
-- type postgresql_etc_t, postgresql_log_t;
-- type postgresql_initrc_exec_t;
-+ attribute sepgsql_admin_type, sepgsql_client_type;
-+ type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t;
-+ type postgresql_tmp_t, postgresql_db_t, postgresql_log_t;
-+ type postgresql_etc_t;
- ')
-
- typeattribute $1 sepgsql_admin_type;
-
-- allow $1 postgresql_t:process { ptrace signal_perms };
-+ allow $1 postgresql_t:process signal_perms;
- ps_process_pattern($1, postgresql_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 postgresql_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postgresql_initrc_exec_t system_r;
- allow $2 system_r;
-
-+ files_list_pids($1)
- admin_pattern($1, postgresql_var_run_t)
-
-+ files_list_var_lib($1)
- admin_pattern($1, postgresql_db_t)
-
-+ files_list_etc($1)
- admin_pattern($1, postgresql_etc_t)
-
-+ logging_list_logs($1)
- admin_pattern($1, postgresql_log_t)
-
-+ files_list_tmp($1)
- admin_pattern($1, postgresql_tmp_t)
-
- postgresql_tcp_connect($1)
-diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 4318f73..e4d0b31 100644
---- a/policy/modules/services/postgresql.te
-+++ b/policy/modules/services/postgresql.te
-@@ -19,25 +19,32 @@ gen_require(`
- #
-
- ##
--##
--## Allow unprived users to execute DDL statement
--##
-+##
-+## Allow postgresql to use ssh and rsync for point-in-time recovery
-+##
-+##
-+gen_tunable(postgresql_can_rsync, false)
-+
-+##
-+##
-+## Allow unprivileged users to execute DDL statement
-+##
- ##
--gen_tunable(sepgsql_enable_users_ddl, true)
-+gen_tunable(postgresql_selinux_users_ddl, true)
-
- ##
- ##
- ## Allow transmit client label to foreign database
- ##
- ##
--gen_tunable(sepgsql_transmit_client_label, false)
-+gen_tunable(postgresql_selinux_transmit_client_label, false)
-
- ##
- ##
- ## Allow database admins to execute DML statement
- ##
- ##
--gen_tunable(sepgsql_unconfined_dbadm, true)
-+gen_tunable(postgresql_selinux_unconfined_dbadm, true)
-
- type postgresql_t;
- type postgresql_exec_t;
-@@ -233,9 +240,10 @@ allow postgresql_t self:shm create_shm_perms;
- allow postgresql_t self:tcp_socket create_stream_socket_perms;
- allow postgresql_t self:udp_socket create_stream_socket_perms;
- allow postgresql_t self:unix_dgram_socket create_socket_perms;
--allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
-+allow postgresql_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow postgresql_t self:netlink_selinux_socket create_socket_perms;
--tunable_policy(`sepgsql_transmit_client_label',`
-+
-+tunable_policy(`postgresql_selinux_transmit_client_label',`
- allow postgresql_t self:process { setsockcreate };
- ')
-
-@@ -275,7 +283,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
- read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
- read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
-
--allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
-+allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
- can_exec(postgresql_t, postgresql_exec_t )
-
- allow postgresql_t postgresql_lock_t:file manage_file_perms;
-@@ -303,7 +311,6 @@ kernel_list_proc(postgresql_t)
- kernel_read_all_sysctls(postgresql_t)
- kernel_read_proc_symlinks(postgresql_t)
-
--corenet_all_recvfrom_unlabeled(postgresql_t)
- corenet_all_recvfrom_netlabel(postgresql_t)
- corenet_tcp_sendrecv_generic_if(postgresql_t)
- corenet_udp_sendrecv_generic_if(postgresql_t)
-@@ -341,8 +348,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
- domain_use_interactive_fds(postgresql_t)
-
- files_dontaudit_search_home(postgresql_t)
--files_manage_etc_files(postgresql_t)
--files_search_etc(postgresql_t)
-+files_read_etc_files(postgresql_t)
- files_read_etc_runtime_files(postgresql_t)
- files_read_usr_files(postgresql_t)
-
-@@ -353,7 +359,6 @@ init_read_utmp(postgresql_t)
- logging_send_syslog_msg(postgresql_t)
- logging_send_audit_msgs(postgresql_t)
-
--miscfiles_read_localization(postgresql_t)
-
- seutil_libselinux_linked(postgresql_t)
- seutil_read_default_contexts(postgresql_t)
-@@ -366,7 +371,7 @@ optional_policy(`
- mta_getattr_spool(postgresql_t)
- ')
-
--tunable_policy(`allow_execmem',`
-+tunable_policy(`deny_execmem',`',`
- allow postgresql_t self:process execmem;
- ')
-
-@@ -487,7 +492,7 @@ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db
- # Note that permission of creation/deletion are eventually controlled by
- # create or drop permission of individual objects within shared schemas.
- # So, it just allows to create/drop user specific types.
--tunable_policy(`sepgsql_enable_users_ddl',`
-+tunable_policy(`postgresql_selinux_users_ddl',`
- allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
- ')
-
-@@ -535,7 +540,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
-
- kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
-
--tunable_policy(`sepgsql_unconfined_dbadm',`
-+tunable_policy(`postgresql_selinux_unconfined_dbadm',`
- allow sepgsql_admin_type sepgsql_database_type:db_database *;
-
- allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
-@@ -588,3 +593,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
- allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
-
- kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
-+
-+optional_policy(`
-+ tunable_policy(`postgresql_can_rsync',`
-+ rsync_exec(postgresql_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ tunable_policy(`postgresql_can_rsync',`
-+ ssh_exec(postgresql_t)
-+ ssh_read_user_home_files(postgresql_t)
-+ corenet_tcp_connect_ssh_port(postgresql_t)
-+ ')
-+')
-diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..022c7db 100644
---- a/policy/modules/services/ssh.fc
-+++ b/policy/modules/services/ssh.fc
-@@ -1,9 +1,23 @@
- HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
-+
-+/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/gitolite3/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/nocpulse/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/stickshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/openshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/pgsql/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+
-+/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
-
- /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
- /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
- /etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
- /etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-+/etc/ssh/ssh_host_key.pub -- gen_context(system_u:object_r:sshd_key_t,s0)
-+/etc/ssh/ssh_host_dsa_key.pub -- gen_context(system_u:object_r:sshd_key_t,s0)
-+/etc/ssh/ssh_host_rsa_key.pub -- gen_context(system_u:object_r:sshd_key_t,s0)
-
- /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
- /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
-@@ -12,5 +26,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
- /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
-
- /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
-+/usr/sbin/gsisshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
-
- /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
-+/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
-+
-+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
-diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..6395fe1 100644
---- a/policy/modules/services/ssh.if
-+++ b/policy/modules/services/ssh.if
-@@ -32,10 +32,11 @@
- ##
- #
- template(`ssh_basic_client_template',`
--
- gen_require(`
- attribute ssh_server;
- type ssh_exec_t, sshd_key_t, sshd_tmp_t;
-+ type ssh_keysign_exec_t, ssh_keysign_t;
-+ type ssh_home_t;
- ')
-
- ##############################
-@@ -47,10 +48,6 @@ template(`ssh_basic_client_template',`
- application_domain($1_ssh_t, ssh_exec_t)
- role $3 types $1_ssh_t;
-
-- type $1_ssh_home_t;
-- files_type($1_ssh_home_t)
-- typealias $1_ssh_home_t alias $1_home_ssh_t;
--
- ##############################
- #
- # Client local policy
-@@ -89,33 +86,38 @@ template(`ssh_basic_client_template',`
- # or "regular" (not special like sshd_extern_t) servers
- allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
-
-+ # derived domain can execute ssh-keysign
-+ domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-+ role $3 types ssh_keysign_t;
-+
- # allow ps to show ssh
- ps_process_pattern($2, $1_ssh_t)
-
- # user can manage the keys and config
-- manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
-- manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
-- manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
-+ manage_files_pattern($2, ssh_home_t, ssh_home_t)
-+ manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t)
-+ manage_sock_files_pattern($2, ssh_home_t, ssh_home_t)
-
- # ssh client can manage the keys and config
-- manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
-- read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
-+ manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
-+ read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
-
- # ssh servers can read the user keys and config
-- allow ssh_server $1_ssh_home_t:dir list_dir_perms;
-- read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
-- read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
-+ allow ssh_server ssh_home_t:dir list_dir_perms;
-+ read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
-+ read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
-
- kernel_read_kernel_sysctls($1_ssh_t)
- kernel_read_system_state($1_ssh_t)
-
-- corenet_all_recvfrom_unlabeled($1_ssh_t)
- corenet_all_recvfrom_netlabel($1_ssh_t)
- corenet_tcp_sendrecv_generic_if($1_ssh_t)
- corenet_tcp_sendrecv_generic_node($1_ssh_t)
- corenet_tcp_sendrecv_all_ports($1_ssh_t)
- corenet_tcp_connect_ssh_port($1_ssh_t)
- corenet_sendrecv_ssh_client_packets($1_ssh_t)
-+ corenet_tcp_bind_generic_node($1_ssh_t)
-+ corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
-
- dev_read_urand($1_ssh_t)
-
-@@ -139,7 +141,6 @@ template(`ssh_basic_client_template',`
- logging_send_syslog_msg($1_ssh_t)
- logging_read_generic_logs($1_ssh_t)
-
-- miscfiles_read_localization($1_ssh_t)
-
- seutil_read_config($1_ssh_t)
-
-@@ -148,6 +149,29 @@ template(`ssh_basic_client_template',`
- ')
- ')
-
-+######################################
-+##
-+## The template to define a domain to which sshd dyntransition.
-+##
-+##
-+##
-+## The prefix of the dyntransition domain
-+##
-+##
-+#
-+template(`ssh_dyntransition_domain_template',`
-+ gen_require(`
-+ attribute ssh_dyntransition_domain;
-+ ')
-+
-+ type $1, ssh_dyntransition_domain;
-+ domain_type($1)
-+ role system_r types $1;
-+
-+ optional_policy(`
-+ ssh_dyntransition_to($1)
-+ ')
-+')
- #######################################
- ##
- ## The template to define a ssh server.
-@@ -168,7 +192,7 @@ template(`ssh_basic_client_template',`
- ##
- ##
- #
--template(`ssh_server_template', `
-+template(`ssh_server_template',`
- type $1_t, ssh_server;
- auth_login_pgm_domain($1_t)
-
-@@ -181,16 +205,18 @@ template(`ssh_server_template', `
- type $1_var_run_t;
- files_pid_file($1_var_run_t)
-
-- allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-+ allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
- allow $1_t self:fifo_file rw_fifo_file_perms;
-- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
-+ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
-+ allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
-+ allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
- # ssh agent connections:
- allow $1_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_t self:shm create_shm_perms;
-
-- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
-+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
- term_create_pty($1_t, $1_devpts_t)
-
- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-@@ -206,6 +232,7 @@ template(`ssh_server_template', `
-
- kernel_read_kernel_sysctls($1_t)
- kernel_read_network_state($1_t)
-+ kernel_request_load_module($1_t)
-
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
-@@ -220,10 +247,13 @@ template(`ssh_server_template', `
- corenet_tcp_bind_generic_node($1_t)
- corenet_udp_bind_generic_node($1_t)
- corenet_tcp_bind_ssh_port($1_t)
-- corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_ssh_server_packets($1_t)
-+ # -R qualifier
-+ corenet_sendrecv_ssh_server_packets($1_t)
-+ # tunnel feature and -w (net_admin capability also)
-+ corenet_rw_tun_tap_dev($1_t)
-
-- fs_dontaudit_getattr_all_fs($1_t)
-+ fs_getattr_all_fs($1_t)
-
- auth_rw_login_records($1_t)
- auth_rw_faillog($1_t)
-@@ -234,6 +264,7 @@ template(`ssh_server_template', `
- corecmd_getattr_bin_files($1_t)
-
- domain_interactive_fd($1_t)
-+ domain_dyntrans_type($1_t)
-
- files_read_etc_files($1_t)
- files_read_etc_runtime_files($1_t)
-@@ -241,35 +272,34 @@ template(`ssh_server_template', `
-
- logging_search_logs($1_t)
-
-- miscfiles_read_localization($1_t)
-
-- userdom_create_all_users_keys($1_t)
- userdom_dontaudit_relabelfrom_user_ptys($1_t)
-- userdom_search_user_home_dirs($1_t)
-+ userdom_read_user_home_content_files($1_t)
-
- # Allow checking users mail at login
- optional_policy(`
- mta_getattr_spool($1_t)
- ')
-
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files($1_t)
-- fs_read_nfs_symlinks($1_t)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files($1_t)
-- ')
-+ userdom_home_manager($1_t)
-
- optional_policy(`
- kerberos_use($1_t)
-- kerberos_manage_host_rcache($1_t)
-+ #kerberos_manage_host_rcache($1_t)
- ')
-
- optional_policy(`
- files_read_var_lib_symlinks($1_t)
- nx_spec_domtrans_server($1_t)
- ')
-+
-+ optional_policy(`
-+ rlogin_read_home_content($1_t)
-+ ')
-+
-+ optional_policy(`
-+ shutdown_getattr_exec_files($1_t)
-+ ')
- ')
-
- ########################################
-@@ -292,14 +322,15 @@ template(`ssh_server_template', `
- ## User domain for the role
- ##
- ##
-+##
- #
- template(`ssh_role_template',`
- gen_require(`
- attribute ssh_server, ssh_agent_type;
--
- type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
- type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
- type ssh_agent_tmp_t;
-+ type cache_home_t;
- ')
-
- ##############################
-@@ -328,103 +359,56 @@ template(`ssh_role_template',`
-
- # allow ps to show ssh
- ps_process_pattern($3, ssh_t)
-- allow $3 ssh_t:process signal;
-+ allow $3 ssh_t:process signal_perms;
-
- # for rsync
- allow ssh_t $3:unix_stream_socket rw_socket_perms;
- allow ssh_t $3:unix_stream_socket connectto;
-+ allow ssh_t $3:key manage_key_perms;
-+ allow $3 ssh_t:key read;
-
- # user can manage the keys and config
- manage_files_pattern($3, ssh_home_t, ssh_home_t)
- manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
- manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
- userdom_search_user_home_dirs($1_t)
-+ userdom_manage_tmp_role($2, ssh_t)
-
- ##############################
- #
- # SSH agent local policy
- #
-
-- allow $1_ssh_agent_t self:process setrlimit;
-- allow $1_ssh_agent_t self:capability setgid;
--
- allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
-
- allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-- manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
-- manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
-- files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file })
--
- # for ssh-add
- stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
-+ stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t)
-
- # Allow the user shell to signal the ssh program.
-- allow $3 $1_ssh_agent_t:process signal;
-+ allow $3 $1_ssh_agent_t:process signal_perms;
-
- # allow ps to show ssh
- ps_process_pattern($3, $1_ssh_agent_t)
-
- domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t)
-
-- kernel_read_kernel_sysctls($1_ssh_agent_t)
--
-- dev_read_urand($1_ssh_agent_t)
-- dev_read_rand($1_ssh_agent_t)
--
-- fs_search_auto_mountpoints($1_ssh_agent_t)
-+ kernel_read_system_state($1_ssh_agent_t)
-
- # transition back to normal privs upon exec
- corecmd_shell_domtrans($1_ssh_agent_t, $3)
- corecmd_bin_domtrans($1_ssh_agent_t, $3)
-
-- domain_use_interactive_fds($1_ssh_agent_t)
--
-- files_read_etc_files($1_ssh_agent_t)
-- files_read_etc_runtime_files($1_ssh_agent_t)
-- files_search_home($1_ssh_agent_t)
--
-- libs_read_lib_files($1_ssh_agent_t)
-+ auth_use_nsswitch($1_ssh_agent_t)
-
- logging_send_syslog_msg($1_ssh_agent_t)
-
-- miscfiles_read_localization($1_ssh_agent_t)
-- miscfiles_read_generic_certs($1_ssh_agent_t)
--
-- seutil_dontaudit_read_config($1_ssh_agent_t)
--
-- # Write to the user domain tty.
-- userdom_use_user_terminals($1_ssh_agent_t)
--
-- # for the transition back to normal privs upon exec
-- userdom_search_user_home_content($1_ssh_agent_t)
- userdom_user_home_domtrans($1_ssh_agent_t, $3)
-- allow $3 $1_ssh_agent_t:fd use;
-- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
-- allow $3 $1_ssh_agent_t:process sigchld;
--
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_files($1_ssh_agent_t)
--
-- # transition back to normal privs upon exec
-- fs_nfs_domtrans($1_ssh_agent_t, $3)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files($1_ssh_agent_t)
--
-- # transition back to normal privs upon exec
-- fs_cifs_domtrans($1_ssh_agent_t, $3)
-- ')
--
-- optional_policy(`
-- nis_use_ypbind($1_ssh_agent_t)
-- ')
-+ userdom_home_manager($1_ssh_agent_t)
-
-- optional_policy(`
-- xserver_use_xdm_fds($1_ssh_agent_t)
-- xserver_rw_xdm_pipes($1_ssh_agent_t)
-- ')
-+ ssh_exec_keygen($3)
- ')
-
- ########################################
-@@ -496,8 +480,27 @@ interface(`ssh_read_pipes',`
- type sshd_t;
- ')
-
-- allow $1 sshd_t:fifo_file { getattr read };
-+ allow $1 sshd_t:fifo_file read_fifo_file_perms;
- ')
-+
-+######################################
-+##
-+## Read and write ssh server unix dgram sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_rw_dgram_sockets',`
-+ gen_require(`
-+ type sshd_t;
-+ ')
-+
-+ allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
-+')
-+
- ########################################
- ##
- ## Read and write a ssh server unnamed pipe.
-@@ -513,7 +516,7 @@ interface(`ssh_rw_pipes',`
- type sshd_t;
- ')
-
-- allow $1 sshd_t:fifo_file { write read getattr ioctl };
-+ allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -605,6 +608,24 @@ interface(`ssh_domtrans',`
-
- ########################################
- ##
-+## Execute sshd server in the sshd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_initrc_domtrans',`
-+ gen_require(`
-+ type sshd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, sshd_initrc_exec_t)
-+')
-+
-+########################################
-+##
- ## Execute the ssh client in the caller domain.
- ##
- ##
-@@ -637,7 +658,7 @@ interface(`ssh_setattr_key_files',`
- type sshd_key_t;
- ')
-
-- allow $1 sshd_key_t:file setattr;
-+ allow $1 sshd_key_t:file setattr_file_perms;
- files_search_pids($1)
- ')
-
-@@ -662,6 +683,42 @@ interface(`ssh_agent_exec',`
-
- ########################################
- ##
-+## Getattr ssh home directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_getattr_user_home_dir',`
-+ gen_require(`
-+ type ssh_home_t;
-+ ')
-+
-+ allow $1 ssh_home_t:dir getattr;
-+')
-+
-+########################################
-+##
-+## Dontaudit search ssh home directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_dontaudit_search_user_home_dir',`
-+ gen_require(`
-+ type ssh_home_t;
-+ ')
-+
-+ dontaudit $1 ssh_home_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## Read ssh home directory content
- ##
- ##
-@@ -701,6 +758,50 @@ interface(`ssh_domtrans_keygen',`
-
- ########################################
- ##
-+## Execute the ssh key generator in the caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ssh_exec_keygen',`
-+ gen_require(`
-+ type ssh_keygen_exec_t;
-+ ')
-+
-+ can_exec($1, ssh_keygen_exec_t)
-+')
-+
-+#######################################
-+##
-+## Execute ssh-keygen in the iptables domain, and
-+## allow the specified role the ssh-keygen domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`ssh_run_keygen',`
-+ gen_require(`
-+ type ssh_keygen_t;
-+ ')
-+
-+ role $2 types ssh_keygen_t;
-+ ssh_domtrans_keygen($1)
-+')
-+
-+########################################
-+##
- ## Read ssh server keys
- ##
- ##
-@@ -714,7 +815,7 @@ interface(`ssh_dontaudit_read_server_keys',`
- type sshd_key_t;
- ')
-
-- dontaudit $1 sshd_key_t:file { getattr read };
-+ dontaudit $1 sshd_key_t:file read_file_perms;
- ')
-
- ######################################
-@@ -754,3 +855,101 @@ interface(`ssh_delete_tmp',`
- files_search_tmp($1)
- delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
- ')
-+
-+#####################################
-+##
-+## Allow domain dyntransition to chroot_user_t domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_dyntransition_to',`
-+ gen_require(`
-+ type sshd_t;
-+ ')
-+
-+ allow sshd_t $1:process dyntransition;
-+ allow $1 sshd_t:process sigchld;
-+ allow sshd_t $1:process { getattr sigkill sigstop signull signal };
-+')
-+
-+########################################
-+##
-+## Create .ssh directory in the /root directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_filetrans_admin_home_content',`
-+ gen_require(`
-+ type ssh_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
-+ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
-+')
-+
-+########################################
-+##
-+## Create .ssh directory in the user home directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_filetrans_home_content',`
-+
-+ gen_require(`
-+ type ssh_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
-+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read and
-+## write the sshd pty type.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`ssh_dontaudit_use_ptys',`
-+ gen_require(`
-+ type sshd_devpts_t;
-+ ')
-+
-+ dontaudit $1 sshd_devpts_t:chr_file { getattr read write ioctl };
-+')
-+
-+########################################
-+##
-+## Read and write inherited sshd pty type.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`ssh_use_ptys',`
-+ gen_require(`
-+ type sshd_devpts_t;
-+ ')
-+
-+ allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl };
-+')
-diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index b17e27a..3354b8f 100644
---- a/policy/modules/services/ssh.te
-+++ b/policy/modules/services/ssh.te
-@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0)
- #
-
- ##
--##
--## allow host key based authentication
--##
-+##
-+## allow host key based authentication
-+##
- ##
--gen_tunable(allow_ssh_keysign, false)
-+gen_tunable(ssh_keysign, false)
-+
-+##
-+##
-+## Allow ssh logins as sysadm_r:sysadm_t
-+##
-+##
-+gen_tunable(ssh_sysadm_login, false)
-
- ##
- ##
--## Allow ssh logins as sysadm_r:sysadm_t
-+## Allow ssh with chroot env to read and write files
-+## in the user home directories
- ##
- ##
--gen_tunable(ssh_sysadm_login, false)
-+gen_tunable(ssh_chroot_rw_homedirs, false)
-
-+attribute ssh_dyntransition_domain;
- attribute ssh_server;
- attribute ssh_agent_type;
-
-+ssh_dyntransition_domain_template(chroot_user_t)
-+ssh_dyntransition_domain_template(sshd_sandbox_t)
-+
- type ssh_keygen_t;
- type ssh_keygen_exec_t;
- init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
--role system_r types ssh_keygen_t;
-
- type sshd_exec_t;
- corecmd_executable_file(sshd_exec_t)
-
- ssh_server_template(sshd)
- init_daemon_domain(sshd_t, sshd_exec_t)
-+mls_trusted_object(sshd_t)
-+
-+type sshd_initrc_exec_t;
-+init_script_file(sshd_initrc_exec_t)
-
- type sshd_key_t;
- files_type(sshd_key_t)
-
--type sshd_tmp_t;
--files_tmp_file(sshd_tmp_t)
--files_poly_parent(sshd_tmp_t)
--
--ifdef(`enable_mcs',`
-- init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
--')
--
- type ssh_t;
- type ssh_exec_t;
- typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
-@@ -73,6 +80,11 @@ type ssh_home_t;
- typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
- typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
- userdom_user_home_content(ssh_home_t)
-+files_poly_parent(ssh_home_t)
-+
-+ifdef(`enable_mcs',`
-+ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
-+')
-
- ##############################
- #
-@@ -83,6 +95,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
- allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow ssh_t self:fd use;
- allow ssh_t self:fifo_file rw_fifo_file_perms;
-+allow ssh_t self:key read;
- allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
- allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow ssh_t self:shm create_shm_perms;
-@@ -90,15 +103,11 @@ allow ssh_t self:sem create_sem_perms;
- allow ssh_t self:msgq create_msgq_perms;
- allow ssh_t self:msg { send receive };
- allow ssh_t self:tcp_socket create_stream_socket_perms;
-+can_exec(ssh_t, ssh_exec_t)
-
- # Read the ssh key file.
- allow ssh_t sshd_key_t:file read_file_perms;
-
--# Access the ssh temporary files.
--allow ssh_t sshd_tmp_t:dir manage_dir_perms;
--allow ssh_t sshd_tmp_t:file manage_file_perms;
--files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir })
--
- manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
- manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
- manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -108,32 +117,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
- manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
- manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
- userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
-+userdom_read_all_users_keys(ssh_t)
-+userdom_stream_connect(ssh_t)
-+userdom_search_admin_dir(sshd_t)
-+userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
-
- # Allow the ssh program to communicate with ssh-agent.
- stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-
- allow ssh_t sshd_t:unix_stream_socket connectto;
-+allow ssh_t sshd_t:peer recv;
-
- # ssh client can manage the keys and config
- manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
- read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
-
- # ssh servers can read the user keys and config
--allow ssh_server ssh_home_t:dir list_dir_perms;
--read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
--read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
-+manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
-+manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
-+userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir)
-+userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir)
-
- kernel_read_kernel_sysctls(ssh_t)
- kernel_read_system_state(ssh_t)
-
--corenet_all_recvfrom_unlabeled(ssh_t)
- corenet_all_recvfrom_netlabel(ssh_t)
- corenet_tcp_sendrecv_generic_if(ssh_t)
- corenet_tcp_sendrecv_generic_node(ssh_t)
- corenet_tcp_sendrecv_all_ports(ssh_t)
- corenet_tcp_connect_ssh_port(ssh_t)
-+corenet_tcp_connect_all_unreserved_ports(ssh_t)
- corenet_sendrecv_ssh_client_packets(ssh_t)
-+corenet_tcp_bind_generic_node(ssh_t)
-+#corenet_tcp_bind_all_unreserved_ports(ssh_t)
-+corenet_rw_tun_tap_dev(ssh_t)
-
-+dev_read_rand(ssh_t)
- dev_read_urand(ssh_t)
-
- fs_getattr_all_fs(ssh_t)
-@@ -156,38 +175,42 @@ logging_read_generic_logs(ssh_t)
-
- auth_use_nsswitch(ssh_t)
-
--miscfiles_read_localization(ssh_t)
-+miscfiles_read_generic_certs(ssh_t)
-
- seutil_read_config(ssh_t)
-
- userdom_dontaudit_list_user_home_dirs(ssh_t)
- userdom_search_user_home_dirs(ssh_t)
-+userdom_search_admin_dir(ssh_t)
- # Write to the user domain tty.
--userdom_use_user_terminals(ssh_t)
--# needs to read krb tgt
-+userdom_use_inherited_user_terminals(ssh_t)
-+# needs to read krb/write tgt
- userdom_read_user_tmp_files(ssh_t)
--
--tunable_policy(`allow_ssh_keysign',`
-- domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-- allow ssh_keysign_t ssh_t:fd use;
-- allow ssh_keysign_t ssh_t:process sigchld;
-- allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
-+userdom_write_user_tmp_files(ssh_t)
-+userdom_read_user_home_content_symlinks(ssh_t)
-+userdom_rw_inherited_user_home_content_files(ssh_t)
-+userdom_read_home_certs(ssh_t)
-+userdom_home_manager(ssh_t)
-+
-+tunable_policy(`ssh_keysign',`
-+ domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(ssh_t)
-- fs_manage_nfs_files(ssh_t)
-+# for port forwarding
-+tunable_policy(`selinuxuser_tcp_server',`
-+ corenet_tcp_bind_ssh_port(ssh_t)
-+ corenet_tcp_bind_generic_node(ssh_t)
-+ corenet_tcp_bind_all_unreserved_ports(ssh_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(ssh_t)
-- fs_manage_cifs_files(ssh_t)
-+ifdef(`enable_mcs',`
-+ optional_policy(`
-+ condor_startd_ranged_domtrans_to(sshd_t, sshd_exec_t, mcs_systemlow - mcs_systemhigh)
-+ ')
- ')
-
--# for port forwarding
--tunable_policy(`user_tcp_server',`
-- corenet_tcp_bind_ssh_port(ssh_t)
-- corenet_tcp_bind_generic_node(ssh_t)
-+optional_policy(`
-+ gnome_stream_connect_gkeyringd(ssh_t)
- ')
-
- optional_policy(`
-@@ -195,28 +218,24 @@ optional_policy(`
- xserver_domtrans_xauth(ssh_t)
- ')
-
-+
- ##############################
- #
- # ssh_keysign_t local policy
- #
-
--tunable_policy(`allow_ssh_keysign',`
-+tunable_policy(`ssh_keysign',`
- allow ssh_keysign_t self:capability { setgid setuid };
- allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
-
-- allow ssh_keysign_t sshd_key_t:file { getattr read };
-+ allow ssh_keysign_t sshd_key_t:file read_file_perms;
-
-+ dev_read_rand(ssh_keysign_t)
- dev_read_urand(ssh_keysign_t)
-
- files_read_etc_files(ssh_keysign_t)
- ')
-
--optional_policy(`
-- tunable_policy(`allow_ssh_keysign',`
-- nscd_socket_use(ssh_keysign_t)
-- ')
--')
--
- #################################
- #
- # sshd local policy
-@@ -227,33 +246,50 @@ optional_policy(`
- # so a tunnel can point to another ssh tunnel
- allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
- allow sshd_t self:key { search link write };
--
--manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
--manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
--manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
--files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
-+allow sshd_t self:process setcurrent;
-
- kernel_search_key(sshd_t)
- kernel_link_key(sshd_t)
-
-+files_search_all(sshd_t)
-+
- term_use_all_ptys(sshd_t)
- term_setattr_all_ptys(sshd_t)
-+term_setattr_all_ttys(sshd_t)
- term_relabelto_all_ptys(sshd_t)
-+term_use_ptmx(sshd_t)
-
- # for X forwarding
- corenet_tcp_bind_xserver_port(sshd_t)
- corenet_sendrecv_xserver_server_packets(sshd_t)
-
-+auth_exec_login_program(sshd_t)
-+
-+userdom_read_user_home_content_files(sshd_t)
-+userdom_read_user_home_content_symlinks(sshd_t)
-+userdom_manage_tmp_role(system_r, sshd_t)
-+userdom_spec_domtrans_unpriv_users(sshd_t)
-+userdom_signal_unpriv_users(sshd_t)
-+userdom_dyntransition_unpriv_users(sshd_t)
-+userdom_dyntransition_admin_users(sshd_t)
-+
- tunable_policy(`ssh_sysadm_login',`
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
- # display the tty.
- # some versions of sshd on the new SE Linux require setattr
-- userdom_spec_domtrans_all_users(sshd_t)
- userdom_signal_all_users(sshd_t)
--',`
-- userdom_spec_domtrans_unpriv_users(sshd_t)
-- userdom_signal_unpriv_users(sshd_t)
-+ userdom_spec_domtrans_all_users(sshd_t)
-+')
-+
-+optional_policy(`
-+ amanda_search_var_lib(sshd_t)
-+')
-+
-+optional_policy(`
-+ condor_rw_lib_files(sshd_t)
-+ condor_rw_tcp_sockets_startd(sshd_t)
-+ condor_rw_tcp_sockets_schedd(sshd_t)
- ')
-
- optional_policy(`
-@@ -261,11 +297,24 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ kerberos_keytab_template(sshd, sshd_t)
-+')
-+
-+optional_policy(`
-+ ftp_dyntrans_sftpd(sshd_t)
-+ ftp_dyntrans_anon_sftpd(sshd_t)
-+')
-+
-+optional_policy(`
-+ gitosis_manage_lib_files(sshd_t)
-+')
-+
-+optional_policy(`
- inetd_tcp_service_domain(sshd_t, sshd_exec_t)
- ')
-
- optional_policy(`
-- kerberos_keytab_template(sshd, sshd_t)
-+ nx_read_home_files(sshd_t)
- ')
-
- optional_policy(`
-@@ -273,6 +322,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ munin_read_var_lib_files(sshd_t)
-+')
-+
-+optional_policy(`
- rpm_use_script_fds(sshd_t)
- ')
-
-@@ -283,6 +336,28 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ systemd_exec_systemctl(sshd_t)
-+')
-+
-+optional_policy(`
-+ usermanage_domtrans_passwd(sshd_t)
-+ usermanage_read_crack_db(sshd_t)
-+')
-+
-+optional_policy(`
-+ openshift_dyntransition(sshd_t)
-+ openshift_transition(sshd_t)
-+ openshift_manage_tmp_files(sshd_t)
-+ openshift_manage_tmp_sockets(sshd_t)
-+ openshift_mounton_tmp(sshd_t)
-+ openshift_search_lib(sshd_t)
-+')
-+
-+optional_policy(`
-+ postgresql_search_db(sshd_t)
-+')
-+
-+optional_policy(`
- unconfined_shell_domtrans(sshd_t)
- ')
-
-@@ -290,6 +365,29 @@ optional_policy(`
- xserver_domtrans_xauth(sshd_t)
- ')
-
-+ifdef(`TODO',`
-+ tunable_policy(`ssh_sysadm_login',`
-+ # Relabel and access ptys created by sshd
-+ # ioctl is necessary for logout() processing for utmp entry and for w to
-+ # display the tty.
-+ # some versions of sshd on the new SE Linux require setattr
-+ allow sshd_t ptyfile:chr_file relabelto;
-+
-+ optional_policy(`
-+ domain_trans(sshd_t, xauth_exec_t, userdomain)
-+ ')
-+ ',`
-+ optional_policy(`
-+ domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
-+ ')
-+ # Relabel and access ptys created by sshd
-+ # ioctl is necessary for logout() processing for utmp entry and for w to
-+ # display the tty.
-+ # some versions of sshd on the new SE Linux require setattr
-+ allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
-+ ')
-+') dnl endif TODO
-+
- ########################################
- #
- # ssh_keygen local policy
-@@ -298,19 +396,26 @@ optional_policy(`
- # ssh_keygen_t is the type of the ssh-keygen program when run at install time
- # and by sysadm_t
-
-+allow ssh_keygen_t self:capability dac_override;
- dontaudit ssh_keygen_t self:capability sys_tty_config;
- allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
--
- allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-
- allow ssh_keygen_t sshd_key_t:file manage_file_perms;
- files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
-
-+manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
-+manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
-+userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
-+userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
-+
-+kernel_read_system_state(ssh_keygen_t)
- kernel_read_kernel_sysctls(ssh_keygen_t)
-
- fs_search_auto_mountpoints(ssh_keygen_t)
-
- dev_read_sysfs(ssh_keygen_t)
-+dev_read_rand(ssh_keygen_t)
- dev_read_urand(ssh_keygen_t)
-
- term_dontaudit_use_console(ssh_keygen_t)
-@@ -327,9 +432,11 @@ auth_use_nsswitch(ssh_keygen_t)
- logging_send_syslog_msg(ssh_keygen_t)
-
- userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-+userdom_use_user_terminals(ssh_keygen_t)
-
--optional_policy(`
-- nscd_socket_use(ssh_keygen_t)
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_manage_nfs_files(ssh_keygen_t)
-+ fs_manage_nfs_dirs(ssh_keygen_t)
- ')
-
- optional_policy(`
-@@ -339,3 +446,121 @@ optional_policy(`
- optional_policy(`
- udev_read_db(ssh_keygen_t)
- ')
-+
-+####################################
-+#
-+# ssh_dyntransition domain local policy
-+#
-+
-+allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
-+
-+allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
-+
-+optional_policy(`
-+ ssh_rw_stream_sockets(ssh_dyntransition_domain)
-+ ssh_rw_tcp_sockets(ssh_dyntransition_domain)
-+')
-+
-+#####################################
-+#
-+# ssh_sandbox local policy
-+#
-+
-+allow sshd_t sshd_sandbox_t:process signal;
-+
-+init_ioctl_stream_sockets(sshd_sandbox_t)
-+
-+logging_send_audit_msgs(sshd_sandbox_t)
-+
-+######################################
-+#
-+# chroot_user_t local policy
-+#
-+allow chroot_user_t self:unix_dgram_socket create_socket_perms;
-+
-+corecmd_exec_shell(chroot_user_t)
-+
-+term_search_ptys(chroot_user_t)
-+term_use_ptmx(chroot_user_t)
-+
-+userdom_read_user_home_content_files(chroot_user_t)
-+userdom_read_inherited_user_home_content_files(chroot_user_t)
-+userdom_read_user_home_content_symlinks(chroot_user_t)
-+userdom_exec_user_home_content_files(chroot_user_t)
-+userdom_use_inherited_user_ptys(chroot_user_t)
-+
-+tunable_policy(`ssh_chroot_rw_homedirs',`
-+ files_list_home(chroot_user_t)
-+ userdom_read_user_home_content_files(chroot_user_t)
-+ userdom_manage_user_home_content(chroot_user_t)
-+', `
-+
-+ userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })
-+')
-+
-+tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
-+ fs_manage_nfs_dirs(chroot_user_t)
-+ fs_manage_nfs_files(chroot_user_t)
-+ fs_manage_nfs_symlinks(chroot_user_t)
-+')
-+
-+tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(chroot_user_t)
-+ fs_manage_cifs_files(chroot_user_t)
-+ fs_manage_cifs_symlinks(chroot_user_t)
-+')
-+
-+tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',`
-+ fs_manage_fusefs_dirs(chroot_user_t)
-+ fs_manage_fusefs_files(chroot_user_t)
-+ fs_manage_fusefs_symlinks(chroot_user_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_read_cifs_files(chroot_user_t)
-+ fs_read_cifs_symlinks(chroot_user_t)
-+')
-+
-+userdom_home_manager(chroot_user_t)
-+
-+optional_policy(`
-+ ssh_rw_dgram_sockets(chroot_user_t)
-+')
-+
-+######################################
-+#
-+# ssh_agent_type common policy local policy
-+#
-+allow ssh_agent_type self:process setrlimit;
-+allow ssh_agent_type self:capability setgid;
-+
-+manage_dirs_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t)
-+manage_sock_files_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t)
-+files_tmp_filetrans(ssh_agent_type, ssh_agent_tmp_t, { dir sock_file })
-+
-+kernel_read_kernel_sysctls(ssh_agent_type)
-+
-+dev_read_urand(ssh_agent_type)
-+dev_read_rand(ssh_agent_type)
-+
-+fs_search_auto_mountpoints(ssh_agent_type)
-+
-+domain_use_interactive_fds(ssh_agent_type)
-+
-+files_read_etc_files(ssh_agent_type)
-+files_read_etc_runtime_files(ssh_agent_type)
-+
-+libs_read_lib_files(ssh_agent_type)
-+
-+miscfiles_read_generic_certs(ssh_agent_type)
-+
-+# Write to the user domain tty.
-+userdom_use_inherited_user_terminals(ssh_agent_type)
-+
-+# for the transition back to normal privs upon exec
-+userdom_search_user_home_content(ssh_agent_type)
-+
-+optional_policy(`
-+ xserver_use_xdm_fds(ssh_agent_type)
-+ xserver_rw_xdm_pipes(ssh_agent_type)
-+')
-diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index fc86b7c..ba6be42 100644
---- a/policy/modules/services/xserver.fc
-+++ b/policy/modules/services/xserver.fc
-@@ -2,13 +2,35 @@
- # HOME_DIR
- #
- HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
-+HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
- HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
-+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
- HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
- HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
-+HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
- HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
- HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
- HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
- HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
-+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
-+HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
-+
-+/root/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
-+/root/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
-+/root/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
-+/root/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
-+/root/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
-+/root/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
-+/root/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
-+/root/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
-+/root/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+/root/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+/root/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
-+/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
-
- #
- # /dev
-@@ -24,11 +46,18 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-
- /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
-
-+/etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0)
-+/etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
-+/etc/[mg]dm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
-+/etc/[mg]dm/PostSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
-+/etc/[mg]dm/PreSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
-+
- /etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
-
-+/etc/opt/VirtualGL(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
- /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,23 +75,25 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
- # /tmp
- #
-
--/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
--/tmp/\.ICE-unix/.* -s <>
--/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
--/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
--/tmp/\.X11-unix/.* -s <>
-+/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_tmp_t,s0)
-+/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
-+/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
-+/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
-
- #
- # /usr
- #
-
-+/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
--/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/(s)?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
- /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
-+/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
- /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
-
-@@ -90,24 +121,47 @@ ifndef(`distro_debian',`
- /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-
- /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
--/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-+/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-+/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
- /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
-+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
-+
-+/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-+/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-
--/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
--/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
--/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
--/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
-+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
-+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
-+/var/log/slim\.log -- gen_context(system_u:object_r:xdm_log_t,s0)
- /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
- /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-+
-+/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
-
-+/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
--/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-
-+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
-+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
-+/var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+
- ifdef(`distro_suse',`
- /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
- ')
-+
-+/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+
-diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..a75282a 100644
---- a/policy/modules/services/xserver.if
-+++ b/policy/modules/services/xserver.if
-@@ -19,9 +19,10 @@
- interface(`xserver_restricted_role',`
- gen_require(`
- type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
-- type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
-+ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t;
- type iceauth_t, iceauth_exec_t, iceauth_home_t;
- type xauth_t, xauth_exec_t, xauth_home_t;
-+ class dbus send_msg;
- ')
-
- role $1 types { xserver_t xauth_t iceauth_t };
-@@ -30,12 +31,13 @@ interface(`xserver_restricted_role',`
- allow xserver_t $2:fd use;
- allow xserver_t $2:shm rw_shm_perms;
-
-- allow xserver_t $2:process signal;
-+ allow xserver_t $2:process { getpgid signal };
-
- allow xserver_t $2:shm rw_shm_perms;
-
- allow $2 user_fonts_t:dir list_dir_perms;
- allow $2 user_fonts_t:file read_file_perms;
-+ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
-
- allow $2 user_fonts_config_t:dir list_dir_perms;
- allow $2 user_fonts_config_t:file read_file_perms;
-@@ -44,6 +46,8 @@ interface(`xserver_restricted_role',`
- manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
-
- stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
-+ allow $2 xserver_tmp_t:sock_file delete_sock_file_perms;
-+ dontaudit $2 xdm_tmp_t:sock_file setattr_sock_file_perms;
- files_search_tmp($2)
-
- # Communicate via System V shared memory.
-@@ -69,17 +73,21 @@ interface(`xserver_restricted_role',`
-
- # for when /tmp/.X11-unix is created by the system
- allow $2 xdm_t:fd use;
-- allow $2 xdm_t:fifo_file { getattr read write ioctl };
-- allow $2 xdm_tmp_t:dir search;
-- allow $2 xdm_tmp_t:sock_file { read write };
-+ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
-+ allow $2 xdm_tmp_t:dir search_dir_perms;
-+ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
- dontaudit $2 xdm_t:tcp_socket { read write };
-+ dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
-+
-+ allow $2 xdm_t:dbus send_msg;
-+ allow xdm_t $2:dbus send_msg;
-
- # Client read xserver shm
- allow $2 xserver_t:fd use;
- allow $2 xserver_tmpfs_t:file read_file_perms;
-
- # Read /tmp/.X0-lock
-- allow $2 xserver_tmp_t:file { getattr read };
-+ allow $2 xserver_tmp_t:file read_inherited_file_perms;
-
- dev_rw_xserver_misc($2)
- dev_rw_power_management($2)
-@@ -88,15 +96,17 @@ interface(`xserver_restricted_role',`
- dev_write_misc($2)
- # open office is looking for the following
- dev_getattr_agp_dev($2)
-- dev_dontaudit_rw_dri($2)
-+
- # GNOME checks for usb and other devices:
- dev_rw_usbfs($2)
-
- miscfiles_read_fonts($2)
-+ miscfiles_setattr_fonts_cache_dirs($2)
-+ miscfiles_read_hwdata($2)
-
- xserver_common_x_domain_template(user, $2)
- xserver_domtrans($2)
-- xserver_unconfined($2)
-+ #xserver_unconfined($2)
- xserver_xsession_entry_type($2)
- xserver_dontaudit_write_log($2)
- xserver_stream_connect_xdm($2)
-@@ -106,12 +116,26 @@ interface(`xserver_restricted_role',`
- xserver_create_xdm_tmp_sockets($2)
- # Needed for escd, remove if we get escd policy
- xserver_manage_xdm_tmp_files($2)
-+ xserver_read_xdm_etc_files($2)
-+ xserver_xdm_append_log($2)
-+
-+ term_use_virtio_console($2)
-+
-+ modutils_run_insmod(xserver_t, $1)
-
- # Client write xserver shm
-- tunable_policy(`allow_write_xshm',`
-+ tunable_policy(`xserver_clients_write_xshm',`
- allow $2 xserver_t:shm rw_shm_perms;
- allow $2 xserver_tmpfs_t:file rw_file_perms;
- ')
-+
-+ tunable_policy(`selinuxuser_direct_dri_enabled',`
-+ dev_rw_dri($2)
-+ ')
-+
-+ optional_policy(`
-+ gnome_read_gconf_config($2)
-+ ')
- ')
-
- ########################################
-@@ -143,13 +167,15 @@ interface(`xserver_role',`
- allow $2 xserver_tmpfs_t:file rw_file_perms;
-
- allow $2 iceauth_home_t:file manage_file_perms;
-- allow $2 iceauth_home_t:file { relabelfrom relabelto };
-+ allow $2 iceauth_home_t:file relabel_file_perms;
-
- allow $2 xauth_home_t:file manage_file_perms;
-- allow $2 xauth_home_t:file { relabelfrom relabelto };
-+ allow $2 xauth_home_t:file relabel_file_perms;
-
-+ mls_xwin_read_to_clearance($2)
- manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
- manage_files_pattern($2, user_fonts_t, user_fonts_t)
-+ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
- relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
- relabel_files_pattern($2, user_fonts_t, user_fonts_t)
-
-@@ -162,7 +188,6 @@ interface(`xserver_role',`
- manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
- relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
- relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
--
- ')
-
- #######################################
-@@ -197,7 +222,7 @@ interface(`xserver_ro_session',`
- allow $1 xserver_t:process signal;
-
- # Read /tmp/.X0-lock
-- allow $1 xserver_tmp_t:file { getattr read };
-+ allow $1 xserver_tmp_t:file read_file_perms;
-
- # Client read xserver shm
- allow $1 xserver_t:fd use;
-@@ -227,7 +252,7 @@ interface(`xserver_rw_session',`
- type xserver_t, xserver_tmpfs_t;
- ')
-
-- xserver_ro_session($1,$2)
-+ xserver_ro_session($1, $2)
- allow $1 xserver_t:shm rw_shm_perms;
- allow $1 xserver_tmpfs_t:file rw_file_perms;
- ')
-@@ -255,7 +280,7 @@ interface(`xserver_non_drawing_client',`
-
- allow $1 self:x_gc { create setattr };
-
-- allow $1 xdm_var_run_t:dir search;
-+ allow $1 xdm_var_run_t:dir search_dir_perms;
- allow $1 xserver_t:unix_stream_socket connectto;
-
- allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +316,13 @@ interface(`xserver_user_client',`
- allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
-
- # Read .Xauthority file
-- allow $1 xauth_home_t:file { getattr read };
-- allow $1 iceauth_home_t:file { getattr read };
-+ allow $1 xauth_home_t:file read_file_perms;
-+ allow $1 iceauth_home_t:file read_file_perms;
-
- # for when /tmp/.X11-unix is created by the system
- allow $1 xdm_t:fd use;
-- allow $1 xdm_t:fifo_file { getattr read write ioctl };
-- allow $1 xdm_tmp_t:dir search;
-+ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
-+ allow $1 xdm_tmp_t:dir search_dir_perms;
- allow $1 xdm_tmp_t:sock_file { read write };
- dontaudit $1 xdm_t:tcp_socket { read write };
-
-@@ -316,7 +341,7 @@ interface(`xserver_user_client',`
- xserver_read_xdm_tmp_files($1)
-
- # Client write xserver shm
-- tunable_policy(`allow_write_xshm',`
-+ tunable_policy(`xserver_clients_write_xshm',`
- allow $1 xserver_t:shm rw_shm_perms;
- allow $1 xserver_tmpfs_t:file rw_file_perms;
- ')
-@@ -342,19 +367,23 @@ interface(`xserver_user_client',`
- #
- template(`xserver_common_x_domain_template',`
- gen_require(`
-- type root_xdrawable_t;
-+ type root_xdrawable_t, xdm_t, xserver_t;
- type xproperty_t, $1_xproperty_t;
- type xevent_t, client_xevent_t;
- type input_xevent_t, $1_input_xevent_t;
-
-- attribute x_domain;
-+ attribute x_domain, input_xevent_type;
- attribute xdrawable_type, xcolormap_type;
-- attribute input_xevent_type;
-
- class x_drawable all_x_drawable_perms;
- class x_property all_x_property_perms;
- class x_event all_x_event_perms;
- class x_synthetic_event all_x_synthetic_event_perms;
-+ class x_client destroy;
-+ class x_server manage;
-+ class x_screen { saver_setattr saver_hide saver_show };
-+ class x_pointer { get_property set_property manage };
-+ class x_keyboard { read manage };
- ')
-
- ##############################
-@@ -386,6 +415,15 @@ template(`xserver_common_x_domain_template',`
- allow $2 xevent_t:{ x_event x_synthetic_event } receive;
- # dont audit send failures
- dontaudit $2 input_xevent_type:x_event send;
-+
-+ allow $2 xdm_t:x_drawable { hide read add_child manage };
-+ allow $2 xdm_t:x_client destroy;
-+
-+ allow $2 root_xdrawable_t:x_drawable write;
-+ allow $2 xserver_t:x_server manage;
-+ allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show };
-+ allow $2 xserver_t:x_pointer { get_property set_property manage };
-+ allow $2 xserver_t:x_keyboard { read manage };
- ')
-
- #######################################
-@@ -444,8 +482,9 @@ template(`xserver_object_types_template',`
- #
- template(`xserver_user_x_domain_template',`
- gen_require(`
-- type xdm_t, xdm_tmp_t;
-- type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
-+ type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
-+ type xdm_home_t;
-+ type xauth_home_t, iceauth_home_t, xserver_t;
- ')
-
- allow $2 self:shm create_shm_perms;
-@@ -456,11 +495,24 @@ template(`xserver_user_x_domain_template',`
- allow $2 xauth_home_t:file read_file_perms;
- allow $2 iceauth_home_t:file read_file_perms;
-
-+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".DCOP")
-+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority")
-+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-c")
-+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-n")
-+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority")
-+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-l")
-+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c")
-+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped.old")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc")
-+
- # for when /tmp/.X11-unix is created by the system
- allow $2 xdm_t:fd use;
-- allow $2 xdm_t:fifo_file { getattr read write ioctl };
-+ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
- allow $2 xdm_tmp_t:dir search_dir_perms;
-- allow $2 xdm_tmp_t:sock_file { read write };
-+ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
- dontaudit $2 xdm_t:tcp_socket { read write };
-
- # Allow connections to X server.
-@@ -472,20 +524,26 @@ template(`xserver_user_x_domain_template',`
- # for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($2)
-
-- xserver_ro_session($2,$3)
-+ xserver_ro_session($2, $3)
- xserver_use_user_fonts($2)
-
- xserver_read_xdm_tmp_files($2)
-+ xserver_read_xdm_pid($2)
-+ xserver_xdm_append_log($2)
-
- # X object manager
- xserver_object_types_template($1)
-- xserver_common_x_domain_template($1,$2)
-+ xserver_common_x_domain_template($1, $2)
-
- # Client write xserver shm
-- tunable_policy(`allow_write_xshm',`
-+ tunable_policy(`xserver_clients_write_xshm',`
- allow $2 xserver_t:shm rw_shm_perms;
- allow $2 xserver_tmpfs_t:file rw_file_perms;
- ')
-+
-+ tunable_policy(`selinuxuser_direct_dri_enabled',`
-+ dev_rw_dri($2)
-+ ')
- ')
-
- ########################################
-@@ -517,6 +575,7 @@ interface(`xserver_use_user_fonts',`
- # Read per user fonts
- allow $1 user_fonts_t:dir list_dir_perms;
- allow $1 user_fonts_t:file read_file_perms;
-+ allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
-
- # Manipulate the global font cache
- manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -547,6 +606,42 @@ interface(`xserver_domtrans_xauth',`
- domtrans_pattern($1, xauth_exec_t, xauth_t)
- ')
-
-+######################################
-+##
-+## Allow exec of Xauthority program..
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`xserver_exec_xauth',`
-+ gen_require(`
-+ type xauth_t, xauth_exec_t;
-+ ')
-+
-+ can_exec($1, xauth_exec_t)
-+')
-+
-+########################################
-+##
-+## Dontaudit exec of Xauthority program.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_exec_xauth',`
-+ gen_require(`
-+ type xauth_exec_t;
-+ ')
-+
-+ dontaudit $1 xauth_exec_t:file execute;
-+')
-+
- ########################################
- ##
- ## Create a Xauthority file in the user home directory.
-@@ -598,6 +693,7 @@ interface(`xserver_read_user_xauth',`
-
- allow $1 xauth_home_t:file read_file_perms;
- userdom_search_user_home_dirs($1)
-+ xserver_read_xdm_pid($1)
- ')
-
- ########################################
-@@ -615,7 +711,7 @@ interface(`xserver_setattr_console_pipes',`
- type xconsole_device_t;
- ')
-
-- allow $1 xconsole_device_t:fifo_file setattr;
-+ allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
- ')
-
- ########################################
-@@ -638,6 +734,25 @@ interface(`xserver_rw_console',`
-
- ########################################
- ##
-+## Read XDM state files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_state_xdm',`
-+ gen_require(`
-+ type xdm_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, xdm_t)
-+')
-+
-+########################################
-+##
- ## Use file descriptors for xdm.
- ##
- ##
-@@ -651,7 +766,7 @@ interface(`xserver_use_xdm_fds',`
- type xdm_t;
- ')
-
-- allow $1 xdm_t:fd use;
-+ allow $1 xdm_t:fd use;
- ')
-
- ########################################
-@@ -670,7 +785,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
- type xdm_t;
- ')
-
-- dontaudit $1 xdm_t:fd use;
-+ dontaudit $1 xdm_t:fd use;
- ')
-
- ########################################
-@@ -688,7 +803,7 @@ interface(`xserver_rw_xdm_pipes',`
- type xdm_t;
- ')
-
-- allow $1 xdm_t:fifo_file { getattr read write };
-+ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -703,12 +818,11 @@ interface(`xserver_rw_xdm_pipes',`
- ##
- #
- interface(`xserver_dontaudit_rw_xdm_pipes',`
--
- gen_require(`
- type xdm_t;
- ')
-
-- dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
-+ dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
- ')
-
- ########################################
-@@ -724,11 +838,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
- #
- interface(`xserver_stream_connect_xdm',`
- gen_require(`
-- type xdm_t, xdm_tmp_t;
-+ type xdm_t, xdm_tmp_t, xdm_var_run_t;
- ')
-
- files_search_tmp($1)
-- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
-+ files_search_pids($1)
-+ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
-+')
-+
-+########################################
-+##
-+## Read XDM files in user home directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_xdm_home_files',`
-+ gen_require(`
-+ type xdm_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ allow $1 xdm_home_t:file read_file_perms;
- ')
-
- ########################################
-@@ -752,6 +886,25 @@ interface(`xserver_read_xdm_rw_config',`
-
- ########################################
- ##
-+## Search XDM temporary directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_search_xdm_tmp_dirs',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ allow $1 xdm_tmp_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## Set the attributes of XDM temporary directories.
- ##
- ##
-@@ -765,7 +918,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
- type xdm_tmp_t;
- ')
-
-- allow $1 xdm_tmp_t:dir setattr;
-+ allow $1 xdm_tmp_t:dir setattr_dir_perms;
-+')
-+
-+########################################
-+##
-+## Dont audit attempts to set the attributes of XDM temporary directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_xdm_tmp_dirs',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;
- ')
-
- ########################################
-@@ -805,7 +976,26 @@ interface(`xserver_read_xdm_pid',`
- ')
-
- files_search_pids($1)
-- allow $1 xdm_var_run_t:file read_file_perms;
-+ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
-+')
-+
-+######################################
-+##
-+## Dontaudit Read XDM pid files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_read_xdm_pid',`
-+ gen_require(`
-+ type xdm_var_run_t;
-+ ')
-+
-+ dontaudit $1 xdm_var_run_t:dir search_dir_perms;
-+ dontaudit $1 xdm_var_run_t:file read_file_perms;
- ')
-
- ########################################
-@@ -828,6 +1018,24 @@ interface(`xserver_read_xdm_lib_files',`
-
- ########################################
- ##
-+## Read inherited XDM var lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_inherited_xdm_lib_files',`
-+ gen_require(`
-+ type xdm_var_lib_t;
-+ ')
-+
-+ allow $1 xdm_var_lib_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Make an X session script an entrypoint for the specified domain.
- ##
- ##
-@@ -897,7 +1105,26 @@ interface(`xserver_getattr_log',`
- ')
-
- logging_search_logs($1)
-- allow $1 xserver_log_t:file getattr;
-+ allow $1 xserver_log_t:file getattr_file_perms;
-+')
-+
-+#######################################
-+##
-+## Allow domain to read X server logs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_log',`
-+ gen_require(`
-+ type xserver_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ allow $1 xserver_log_t:file read_file_perms;
- ')
-
- ########################################
-@@ -916,7 +1143,7 @@ interface(`xserver_dontaudit_write_log',`
- type xserver_log_t;
- ')
-
-- dontaudit $1 xserver_log_t:file { append write };
-+ dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -963,6 +1190,45 @@ interface(`xserver_read_xkb_libs',`
-
- ########################################
- ##
-+## Read xdm config files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_read_xdm_etc_files',`
-+ gen_require(`
-+ type xdm_etc_t;
-+ ')
-+
-+ files_search_etc($1)
-+ read_files_pattern($1, xdm_etc_t, xdm_etc_t)
-+ read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
-+')
-+
-+########################################
-+##
-+## Manage xdm config files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_manage_xdm_etc_files',`
-+ gen_require(`
-+ type xdm_etc_t;
-+ ')
-+
-+ files_search_etc($1)
-+ manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
-+')
-+
-+########################################
-+##
- ## Read xdm temporary files.
- ##
- ##
-@@ -976,7 +1242,7 @@ interface(`xserver_read_xdm_tmp_files',`
- type xdm_tmp_t;
- ')
-
-- files_search_tmp($1)
-+ files_search_tmp($1)
- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
- ')
-
-@@ -1038,6 +1304,42 @@ interface(`xserver_manage_xdm_tmp_files',`
-
- ########################################
- ##
-+## Create, read, write, and delete xdm temporary dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_relabel_xdm_tmp_dirs',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ allow $1 xdm_tmp_t:dir relabel_dir_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete xdm temporary dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_manage_xdm_tmp_dirs',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to get the attributes of
- ## xdm temporary named sockets.
- ##
-@@ -1052,7 +1354,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
- type xdm_tmp_t;
- ')
-
-- dontaudit $1 xdm_tmp_t:sock_file getattr;
-+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
- ')
-
- ########################################
-@@ -1070,8 +1372,10 @@ interface(`xserver_domtrans',`
- type xserver_t, xserver_exec_t;
- ')
-
-- allow $1 xserver_t:process siginh;
-+ allow $1 xserver_t:process siginh;
- domtrans_pattern($1, xserver_exec_t, xserver_t)
-+
-+ allow xserver_t $1:process getpgid;
- ')
-
- ########################################
-@@ -1185,6 +1489,26 @@ interface(`xserver_stream_connect',`
-
- files_search_tmp($1)
- stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
-+ allow xserver_t $1:shm rw_shm_perms;
-+')
-+
-+######################################
-+##
-+## Dontaudit attempts to connect to xserver
-+## over a unix stream socket.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_stream_connect',`
-+ gen_require(`
-+ type xserver_t, xserver_tmp_t;
-+ ')
-+
-+ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
- ')
-
- ########################################
-@@ -1210,7 +1534,7 @@ interface(`xserver_read_tmp_files',`
- ##
- ## Interface to provide X object permissions on a given X server to
- ## an X client domain. Gives the domain permission to read the
--## virtual core keyboard and virtual core pointer devices.
-+## virtual core keyboard and virtual core pointer devices.
- ##
- ##
- ##
-@@ -1220,13 +1544,23 @@ interface(`xserver_read_tmp_files',`
- #
- interface(`xserver_manage_core_devices',`
- gen_require(`
-- type xserver_t;
-+ type xserver_t, root_xdrawable_t;
- class x_device all_x_device_perms;
- class x_pointer all_x_pointer_perms;
- class x_keyboard all_x_keyboard_perms;
-+ class x_screen all_x_screen_perms;
-+ class x_drawable { manage };
-+ attribute x_domain;
-+ class x_drawable { read manage setattr show };
-+ class x_resource { write read };
- ')
-
- allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
-+ allow $1 xserver_t:{ x_screen } setattr;
-+
-+ allow $1 x_domain:x_drawable { read manage setattr show };
-+ allow $1 x_domain:x_resource { write read };
-+ allow $1 root_xdrawable_t:x_drawable { manage read };
- ')
-
- ########################################
-@@ -1243,10 +1577,541 @@ interface(`xserver_manage_core_devices',`
- #
- interface(`xserver_unconfined',`
- gen_require(`
-- attribute x_domain;
-- attribute xserver_unconfined_type;
-+ attribute x_domain, xserver_unconfined_type;
- ')
-
- typeattribute $1 x_domain;
- typeattribute $1 xserver_unconfined_type;
- ')
-+
-+########################################
-+##
-+## Dontaudit append to .xsession-errors file
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_dontaudit_append_xdm_home_files',`
-+ gen_require(`
-+ type xdm_home_t;
-+ ')
-+
-+ dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_dontaudit_rw_nfs_files($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_dontaudit_rw_cifs_files($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## append to .xsession-errors file
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_append_xdm_home_files',`
-+ gen_require(`
-+ type xdm_home_t, xserver_tmp_t;
-+ ')
-+
-+ allow $1 xdm_home_t:file append_file_perms;
-+ allow $1 xserver_tmp_t:file append_file_perms;
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_append_nfs_files($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_append_cifs_files($1)
-+ ')
-+')
-+
-+#######################################
-+##
-+## Allow search the xdm_spool files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_xdm_search_spool',`
-+ gen_require(`
-+ type xdm_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ search_dirs_pattern($1, xdm_spool_t, xdm_spool_t)
-+')
-+
-+######################################
-+##
-+## Allow read the xdm_spool files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_xdm_read_spool',`
-+ gen_require(`
-+ type xdm_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ read_files_pattern($1, xdm_spool_t, xdm_spool_t)
-+')
-+
-+########################################
-+##
-+## Manage the xdm_spool files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_xdm_manage_spool',`
-+ gen_require(`
-+ type xdm_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## xdm over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_dbus_chat_xdm',`
-+ gen_require(`
-+ type xdm_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 xdm_t:dbus send_msg;
-+ allow xdm_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Read xserver files created in /var/run
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_pid',`
-+ gen_require(`
-+ type xserver_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
-+')
-+
-+########################################
-+##
-+## Execute xserver files created in /var/run
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_exec_pid',`
-+ gen_require(`
-+ type xserver_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
-+')
-+
-+########################################
-+##
-+## Write xserver files created in /var/run
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_write_pid',`
-+ gen_require(`
-+ type xserver_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
-+')
-+
-+########################################
-+##
-+## Allow append the xdm
-+## log files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_xdm_append_log',`
-+ gen_require(`
-+ type xdm_log_t;
-+ attribute xdmhomewriter;
-+ ')
-+
-+ typeattribute $1 xdmhomewriter;
-+ allow $1 xdm_log_t:file append_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow append the xdm
-+## tmp files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_append_xdm_tmp_files',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ allow $1 xdm_tmp_t:file append_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read a user Iceauthority domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_user_iceauth',`
-+ gen_require(`
-+ type iceauth_home_t;
-+ ')
-+
-+ # Read .Iceauthority file
-+ allow $1 iceauth_home_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Read/write inherited user homedir fonts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_rw_inherited_user_fonts',`
-+ gen_require(`
-+ type user_fonts_t, user_fonts_config_t;
-+ ')
-+
-+ allow $1 user_fonts_t:file rw_inherited_file_perms;
-+ allow $1 user_fonts_t:file read_lnk_file_perms;
-+
-+ allow $1 user_fonts_config_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Search XDM var lib dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_search_xdm_lib',`
-+ gen_require(`
-+ type xdm_var_lib_t;
-+ ')
-+
-+ allow $1 xdm_var_lib_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Make an X executable an entrypoint for the specified domain.
-+##
-+##
-+##
-+## The domain for which the shell is an entrypoint.
-+##
-+##
-+#
-+interface(`xserver_entry_type',`
-+ gen_require(`
-+ type xserver_exec_t;
-+ ')
-+
-+ domain_entry_file($1, xserver_exec_t)
-+')
-+
-+########################################
-+##
-+## Execute xsever in the xserver domain, and
-+## allow the specified role the xserver domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the xserver domain.
-+##
-+##
-+##
-+#
-+interface(`xserver_run',`
-+ gen_require(`
-+ type xserver_t;
-+ ')
-+
-+ xserver_domtrans($1)
-+ role $2 types xserver_t;
-+')
-+
-+########################################
-+##
-+## Execute xsever in the xserver domain, and
-+## allow the specified role the xserver domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the xserver domain.
-+##
-+##
-+##
-+#
-+interface(`xserver_run_xauth',`
-+ gen_require(`
-+ type xauth_t;
-+ ')
-+
-+ xserver_domtrans_xauth($1)
-+ role $2 types xauth_t;
-+')
-+
-+########################################
-+##
-+## Read user homedir fonts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`xserver_read_home_fonts',`
-+ gen_require(`
-+ type user_fonts_t, user_fonts_config_t;
-+ ')
-+
-+ list_dirs_pattern($1, user_fonts_t, user_fonts_t)
-+ read_files_pattern($1, user_fonts_t, user_fonts_t)
-+ read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
-+
-+ read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
-+')
-+
-+########################################
-+##
-+## Manage user fonts dir.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`xserver_manage_user_fonts_dir',`
-+ gen_require(`
-+ type user_fonts_t;
-+ ')
-+
-+ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
-+ files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
-+')
-+
-+########################################
-+##
-+## Manage user homedir fonts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`xserver_manage_home_fonts',`
-+ gen_require(`
-+ type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
-+ ')
-+
-+ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
-+ manage_files_pattern($1, user_fonts_t, user_fonts_t)
-+ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
-+
-+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
-+
-+# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts.d")
-+# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
-+# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
-+')
-+
-+########################################
-+##
-+## Transition to xserver named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_filetrans_home_content',`
-+ gen_require(`
-+ type xdm_home_t, xauth_home_t, iceauth_home_t;
-+ type user_home_t, user_fonts_t, user_fonts_cache_t;
-+ type user_fonts_config_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
-+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
-+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
-+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
-+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
-+ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
-+ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
-+ filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
-+ files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
-+')
-+
-+########################################
-+##
-+## Create xserver content in admin home
-+## directory with a named file transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_filetrans_admin_home_content',`
-+ gen_require(`
-+ type xdm_home_t, xauth_home_t, iceauth_home_t;
-+ type user_home_t, user_fonts_t, user_fonts_cache_t;
-+ type user_fonts_config_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
-+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
-+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
-+ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
-+ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
-+ userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
-+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
-+ optional_policy(`
-+ gnome_cache_filetrans($1, xdm_home_t, dir, "xdm")
-+ ')
-+')
-+
-+########################################
-+##
-+## Create objects in a xdm temporary directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`xserver_xdm_tmp_filetrans',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ filetrans_pattern($1, xdm_tmp_t, $2, $3, $4)
-+ files_search_tmp($1)
-+')
-diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..9f53f97 100644
---- a/policy/modules/services/xserver.te
-+++ b/policy/modules/services/xserver.te
-@@ -26,27 +26,50 @@ gen_require(`
- #
-
- ##
--##
--## Allows clients to write to the X server shared
--## memory segments.
--##
-+##
-+## Allows clients to write to the X server shared
-+## memory segments.
-+##
-+##
-+gen_tunable(xserver_clients_write_xshm, false)
-+
-+##
-+##
-+## Allows XServer to execute writable memory
-+##
- ##
--gen_tunable(allow_write_xshm, false)
-+gen_tunable(xserver_execmem, false)
-
- ##
- ##
--## Allow xdm logins as sysadm
-+## Allow the graphical login program to execute bootloader
- ##
- ##
-+gen_tunable(xdm_exec_bootloader, false)
-+
-+##
-+##
-+## Allow the graphical login program to login directly as sysadm_r:sysadm_t
-+##
-+##
- gen_tunable(xdm_sysadm_login, false)
-
- ##
--##
--## Support X userspace object manager
--##
-+##
-+## Support X userspace object manager
-+##
- ##
- gen_tunable(xserver_object_manager, false)
-
-+##
-+##
-+## Allow regular users direct dri device access
-+##
-+##
-+gen_tunable(selinuxuser_direct_dri_enabled, false)
-+
-+attribute xdmhomewriter;
-+attribute x_userdomain;
- attribute x_domain;
-
- # X Events
-@@ -107,44 +130,54 @@ xserver_object_types_template(remote)
- xserver_common_x_domain_template(remote, remote_t)
-
- type user_fonts_t;
--typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
-+typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xfs_fonts_t };
- typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
-+typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
-+typealias user_fonts_t alias xfs_tmp_t;
- userdom_user_home_content(user_fonts_t)
-+files_tmp_file(user_fonts_t)
-
- type user_fonts_cache_t;
- typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
- typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
-+typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t };
- userdom_user_home_content(user_fonts_cache_t)
-
- type user_fonts_config_t;
- typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
- typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
-+typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t };
- userdom_user_home_content(user_fonts_config_t)
-
- type iceauth_t;
- type iceauth_exec_t;
- typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t };
-+typealias iceauth_t alias { xguest_iceauth_t };
- typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
- userdom_user_application_domain(iceauth_t, iceauth_exec_t)
-
- type iceauth_home_t;
- typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
- typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
-+typealias iceauth_home_t alias { xguest_iceauth_home_t };
- userdom_user_home_content(iceauth_home_t)
-
- type xauth_t;
- type xauth_exec_t;
- typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
- typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
-+typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t };
- userdom_user_application_domain(xauth_t, xauth_exec_t)
-
- type xauth_home_t;
- typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
- typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
-+typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t };
- userdom_user_home_content(xauth_home_t)
-
- type xauth_tmp_t;
- typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
-+typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t };
- typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
- userdom_user_tmp_file(xauth_tmp_t)
-
-@@ -154,19 +187,28 @@ files_type(xconsole_device_t)
- fs_associate_tmpfs(xconsole_device_t)
- files_associate_tmp(xconsole_device_t)
-
-+type xdm_unconfined_exec_t;
-+application_executable_file(xdm_unconfined_exec_t)
-+
- type xdm_t;
- type xdm_exec_t;
- auth_login_pgm_domain(xdm_t)
- init_domain(xdm_t, xdm_exec_t)
--init_daemon_domain(xdm_t, xdm_exec_t)
-+init_system_domain(xdm_t, xdm_exec_t)
- xserver_object_types_template(xdm)
- xserver_common_x_domain_template(xdm, xdm_t)
-
- type xdm_lock_t;
- files_lock_file(xdm_lock_t)
-
-+type xdm_etc_t;
-+files_config_file(xdm_etc_t)
-+
- type xdm_rw_etc_t;
--files_type(xdm_rw_etc_t)
-+files_config_file(xdm_rw_etc_t)
-+
-+type xdm_spool_t;
-+files_spool_file(xdm_spool_t)
-
- type xdm_var_lib_t;
- files_type(xdm_var_lib_t)
-@@ -174,13 +216,27 @@ files_type(xdm_var_lib_t)
- type xdm_var_run_t;
- files_pid_file(xdm_var_run_t)
-
-+type xserver_var_lib_t;
-+files_type(xserver_var_lib_t)
-+
-+type xserver_var_run_t;
-+files_pid_file(xserver_var_run_t)
-+
- type xdm_tmp_t;
- files_tmp_file(xdm_tmp_t)
--typealias xdm_tmp_t alias ice_tmp_t;
-+typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
-+typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
-+userdom_user_tmp_file(xserver_tmp_t)
-
- type xdm_tmpfs_t;
- files_tmpfs_file(xdm_tmpfs_t)
-
-+type xdm_home_t;
-+userdom_user_home_content(xdm_home_t)
-+
-+type xdm_log_t;
-+logging_log_file(xdm_log_t)
-+
- # type for /var/lib/xkb
- type xkb_var_lib_t;
- files_type(xkb_var_lib_t)
-@@ -193,14 +249,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
- init_system_domain(xserver_t, xserver_exec_t)
- ubac_constrained(xserver_t)
-
--type xserver_tmp_t;
--typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
--typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
--userdom_user_tmp_file(xserver_tmp_t)
--
- type xserver_tmpfs_t;
--typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
--typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
-+typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
-+typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
- userdom_user_tmpfs_file(xserver_tmpfs_t)
-
- type xsession_exec_t;
-@@ -229,17 +280,30 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
-
- allow xdm_t iceauth_home_t:file read_file_perms;
-
-+dev_read_rand(iceauth_t)
-+
- fs_search_auto_mountpoints(iceauth_t)
-
--userdom_use_user_terminals(iceauth_t)
-+userdom_use_inherited_user_terminals(iceauth_t)
- userdom_read_user_tmp_files(iceauth_t)
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_files(iceauth_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files(iceauth_t)
-+userdom_read_all_users_state(iceauth_t)
-+userdom_home_manager(iceauth_t)
-+
-+ifdef(`hide_broken_symptoms',`
-+ dev_dontaudit_read_urand(iceauth_t)
-+ dev_dontaudit_rw_dri(iceauth_t)
-+ dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
-+ fs_dontaudit_list_inotifyfs(iceauth_t)
-+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
-+ term_dontaudit_use_unallocated_ttys(iceauth_t)
-+
-+ userdom_dontaudit_read_user_home_content_files(iceauth_t)
-+ userdom_dontaudit_write_user_home_content_files(iceauth_t)
-+ userdom_dontaudit_write_user_tmp_files(iceauth_t)
-+
-+ optional_policy(`
-+ mozilla_dontaudit_rw_user_home_files(iceauth_t)
-+ ')
- ')
-
- ########################################
-@@ -247,45 +311,81 @@ tunable_policy(`use_samba_home_dirs',`
- # Xauth local policy
- #
-
-+allow xauth_t self:capability dac_override;
- allow xauth_t self:process signal;
-+allow xauth_t self:shm create_shm_perms;
- allow xauth_t self:unix_stream_socket create_stream_socket_perms;
-+allow xauth_t self:unix_dgram_socket create_socket_perms;
-+
-+allow xauth_t xdm_t:process sigchld;
-+allow xauth_t xserver_t:unix_stream_socket connectto;
-+
-+corenet_tcp_connect_xserver_port(xauth_t)
-
- allow xauth_t xauth_home_t:file manage_file_perms;
- userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
-+userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)
-+
-+manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
-+manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
-
- manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
- manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
- files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
-
--allow xdm_t xauth_home_t:file manage_file_perms;
--userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
-+stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-
-+kernel_read_network_state(xauth_t)
-+kernel_read_system_state(xauth_t)
- kernel_request_load_module(xauth_t)
-
-+dev_read_rand(xauth_t)
-+dev_read_urand(xauth_t)
-+
- domain_use_interactive_fds(xauth_t)
-+domain_dontaudit_leaks(xauth_t)
-
- files_read_etc_files(xauth_t)
-+files_read_usr_files(xauth_t)
- files_search_pids(xauth_t)
-+files_dontaudit_getattr_all_dirs(xauth_t)
-+files_dontaudit_leaks(xauth_t)
-+files_var_lib_filetrans(xauth_t, xauth_home_t, file)
-
--fs_getattr_xattr_fs(xauth_t)
-+fs_dontaudit_leaks(xauth_t)
-+fs_getattr_all_fs(xauth_t)
- fs_search_auto_mountpoints(xauth_t)
-
--# cjp: why?
--term_use_ptmx(xauth_t)
-+# Probably a leak
-+term_dontaudit_use_ptmx(xauth_t)
-+term_dontaudit_use_console(xauth_t)
-
- auth_use_nsswitch(xauth_t)
-
--userdom_use_user_terminals(xauth_t)
-+userdom_use_inherited_user_terminals(xauth_t)
- userdom_read_user_tmp_files(xauth_t)
-+userdom_read_all_users_state(xauth_t)
-
- xserver_rw_xdm_tmp_files(xauth_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_files(xauth_t)
-+ifdef(`hide_broken_symptoms',`
-+ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
-+ fs_dontaudit_list_inotifyfs(xauth_t)
-+ userdom_manage_user_home_content_files(xauth_t)
-+ userdom_manage_user_tmp_files(xauth_t)
-+ dev_dontaudit_rw_generic_dev_nodes(xauth_t)
-+ miscfiles_read_fonts(xauth_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files(xauth_t)
-+userdom_home_manager(xauth_t)
-+
-+ifdef(`hide_broken_symptoms',`
-+ term_dontaudit_use_unallocated_ttys(xauth_t)
-+ dev_dontaudit_rw_dri(xauth_t)
-+')
-+
-+optional_policy(`
-+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
- ')
-
- optional_policy(`
-@@ -299,64 +399,108 @@ optional_policy(`
- # XDM Local policy
- #
-
--allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
--allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
-+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
-+allow xdm_t self:capability2 { block_suspend };
-+dontaudit xdm_t self:capability sys_admin;
-+tunable_policy(`deny_ptrace',`',`
-+ allow xdm_t self:process ptrace;
-+')
-+
-+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
- allow xdm_t self:fifo_file rw_fifo_file_perms;
- allow xdm_t self:shm create_shm_perms;
- allow xdm_t self:sem create_sem_perms;
- allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
--allow xdm_t self:unix_dgram_socket create_socket_perms;
-+allow xdm_t self:unix_dgram_socket { create_socket_perms sendto };
- allow xdm_t self:tcp_socket create_stream_socket_perms;
- allow xdm_t self:udp_socket create_socket_perms;
-+allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow xdm_t self:socket create_socket_perms;
- allow xdm_t self:appletalk_socket create_socket_perms;
- allow xdm_t self:key { search link write };
-
--allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
-+allow xdm_t xauth_home_t:file manage_file_perms;
-+
-+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
-+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
-+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
-+
-+manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t)
-+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
-+userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
-+userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, file)
-+xserver_filetrans_home_content(xdm_t)
-+xserver_filetrans_admin_home_content(xdm_t)
-+
-+#Handle mislabeled files in homedir
-+userdom_delete_user_home_content_files(xdm_t)
-+userdom_signull_unpriv_users(xdm_t)
-+userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
-
- # Allow gdm to run gdm-binary
- can_exec(xdm_t, xdm_exec_t)
-+can_exec(xdm_t, xsession_exec_t)
-
- allow xdm_t xdm_lock_t:file manage_file_perms;
- files_lock_filetrans(xdm_t, xdm_lock_t, file)
-
-+read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
-+read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
- # wdm has its own config dir /etc/X11/wdm
- # this is ugly, daemons should not create files under /etc!
- manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
-
- manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
- manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-+manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
- manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
--files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
-+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
-+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-+can_exec(xdm_t, xdm_tmp_t)
-
- manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
- manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
- manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
- manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
- manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
--fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-+
-+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
-+
-+files_search_spool(xdm_t)
-+manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
-+manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
-+files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
-
- manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
- manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
--files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
-+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-+manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-+files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
-+# Read machine-id
-+files_read_var_lib_files(xdm_t)
-
- manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
- manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
- manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
--files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
-+manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
-+files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
-
--allow xdm_t xserver_t:process signal;
-+allow xdm_t xserver_t:process { signal signull };
- allow xdm_t xserver_t:unix_stream_socket connectto;
-
- allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
--allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
-+allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
-
- # transition to the xdm xserver
- domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
-+
-+ps_process_pattern(xserver_t, xdm_t)
- allow xserver_t xdm_t:process signal;
- allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
-
- allow xdm_t xserver_t:shm rw_shm_perms;
-+read_files_pattern(xdm_t, xserver_t, xserver_t)
-
- # connect to xdm xserver over stream socket
- stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +509,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
- delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
- delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
-
-+manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
-+manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
-+manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
-+logging_log_filetrans(xdm_t, xdm_log_t, { dir file })
-+
- manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
- manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
- manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
--logging_log_filetrans(xdm_t, xserver_log_t, file)
-
- kernel_read_system_state(xdm_t)
-+kernel_read_device_sysctls(xdm_t)
- kernel_read_kernel_sysctls(xdm_t)
- kernel_read_net_sysctls(xdm_t)
- kernel_read_network_state(xdm_t)
-+kernel_request_load_module(xdm_t)
-+kernel_stream_connect(xdm_t)
-
- corecmd_exec_shell(xdm_t)
- corecmd_exec_bin(xdm_t)
-+corecmd_dontaudit_access_all_executables(xdm_t)
-
--corenet_all_recvfrom_unlabeled(xdm_t)
- corenet_all_recvfrom_netlabel(xdm_t)
- corenet_tcp_sendrecv_generic_if(xdm_t)
- corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +539,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
- corenet_udp_sendrecv_all_ports(xdm_t)
- corenet_tcp_bind_generic_node(xdm_t)
- corenet_udp_bind_generic_node(xdm_t)
-+corenet_udp_bind_ipp_port(xdm_t)
-+corenet_udp_bind_xdmcp_port(xdm_t)
- corenet_tcp_connect_all_ports(xdm_t)
- corenet_sendrecv_all_client_packets(xdm_t)
- # xdm tries to bind to biff_port_t
- corenet_dontaudit_tcp_bind_all_ports(xdm_t)
-
-+dev_rwx_zero(xdm_t)
- dev_read_rand(xdm_t)
--dev_read_sysfs(xdm_t)
-+dev_rw_sysfs(xdm_t)
- dev_getattr_framebuffer_dev(xdm_t)
- dev_setattr_framebuffer_dev(xdm_t)
- dev_getattr_mouse_dev(xdm_t)
- dev_setattr_mouse_dev(xdm_t)
- dev_rw_apm_bios(xdm_t)
-+dev_rw_input_dev(xdm_t)
- dev_setattr_apm_bios_dev(xdm_t)
- dev_rw_dri(xdm_t)
- dev_rw_agp(xdm_t)
- dev_getattr_xserver_misc_dev(xdm_t)
- dev_setattr_xserver_misc_dev(xdm_t)
-+dev_rw_xserver_misc(xdm_t)
- dev_getattr_misc_dev(xdm_t)
- dev_setattr_misc_dev(xdm_t)
- dev_dontaudit_rw_misc(xdm_t)
--dev_getattr_video_dev(xdm_t)
-+dev_read_video_dev(xdm_t)
-+dev_write_video_dev(xdm_t)
- dev_setattr_video_dev(xdm_t)
- dev_getattr_scanner_dev(xdm_t)
- dev_setattr_scanner_dev(xdm_t)
--dev_getattr_sound_dev(xdm_t)
--dev_setattr_sound_dev(xdm_t)
-+dev_read_sound(xdm_t)
-+dev_write_sound(xdm_t)
- dev_getattr_power_mgmt_dev(xdm_t)
- dev_setattr_power_mgmt_dev(xdm_t)
-+dev_getattr_null_dev(xdm_t)
-+dev_setattr_null_dev(xdm_t)
-
- domain_use_interactive_fds(xdm_t)
- # Do not audit denied probes of /proc.
- domain_dontaudit_read_all_domains_state(xdm_t)
-+domain_dontaudit_signal_all_domains(xdm_t)
-+domain_dontaudit_getattr_all_entry_files(xdm_t)
-
- files_read_etc_files(xdm_t)
- files_read_var_files(xdm_t)
-@@ -430,9 +591,26 @@ files_list_mnt(xdm_t)
- files_read_usr_files(xdm_t)
- # Poweroff wants to create the /poweroff file when run from xdm
- files_create_boot_flag(xdm_t)
-+files_dontaudit_getattr_boot_dirs(xdm_t)
-+files_dontaudit_write_usr_files(xdm_t)
-+files_dontaudit_access_check_etc(xdm_t)
-+files_dontaudit_getattr_all_dirs(xdm_t)
-+files_dontaudit_getattr_all_symlinks(xdm_t)
-+files_dontaudit_getattr_all_tmp_sockets(xdm_t)
-+files_dontaudit_all_access_check(xdm_t)
-
- fs_getattr_all_fs(xdm_t)
- fs_search_auto_mountpoints(xdm_t)
-+fs_search_all(xdm_t)
-+fs_rw_anon_inodefs_files(xdm_t)
-+fs_mount_tmpfs(xdm_t)
-+fs_list_inotifyfs(xdm_t)
-+fs_dontaudit_list_noxattr_fs(xdm_t)
-+fs_dontaudit_read_noxattr_fs_files(xdm_t)
-+fs_manage_cgroup_dirs(xdm_t)
-+fs_manage_cgroup_files(xdm_t)
-+
-+mls_socket_write_to_clearance(xdm_t)
-
- storage_dontaudit_read_fixed_disk(xdm_t)
- storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +619,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
- storage_dontaudit_raw_write_removable_device(xdm_t)
- storage_dontaudit_setattr_removable_dev(xdm_t)
- storage_dontaudit_rw_scsi_generic(xdm_t)
-+storage_dontaudit_rw_fuse(xdm_t)
-
- term_setattr_console(xdm_t)
-+term_use_console(xdm_t)
-+term_use_virtio_console(xdm_t)
- term_use_unallocated_ttys(xdm_t)
- term_setattr_unallocated_ttys(xdm_t)
-+term_relabel_all_ttys(xdm_t)
-+term_relabel_unallocated_ttys(xdm_t)
-
- auth_domtrans_pam_console(xdm_t)
--auth_manage_pam_pid(xdm_t)
-+#auth_manage_pam_pid(xdm_t)
- auth_manage_pam_console_data(xdm_t)
-+auth_signal_pam(xdm_t)
- auth_rw_faillog(xdm_t)
- auth_write_login_records(xdm_t)
-
- # Run telinit->init to shutdown.
- init_telinit(xdm_t)
-+init_dbus_chat(xdm_t)
-+init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
-+init_status(xdm_t)
-+
-+systemd_write_inhibit_pipes(xdm_t)
-
- libs_exec_lib_files(xdm_t)
-
- logging_read_generic_logs(xdm_t)
-
--miscfiles_read_localization(xdm_t)
-+miscfiles_search_man_pages(xdm_t)
- miscfiles_read_fonts(xdm_t)
-+miscfiles_manage_fonts_cache(xdm_t)
-+miscfiles_manage_localization(xdm_t)
-+miscfiles_read_hwdata(xdm_t)
-
--sysnet_read_config(xdm_t)
-+systemd_write_inhibit_pipes(xdm_t)
-
- userdom_dontaudit_use_unpriv_user_fds(xdm_t)
- userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +663,43 @@ userdom_read_user_home_content_files(xdm_t)
- # Search /proc for any user domain processes.
- userdom_read_all_users_state(xdm_t)
- userdom_signal_all_users(xdm_t)
-+userdom_stream_connect(xdm_t)
-+userdom_manage_user_tmp_dirs(xdm_t)
-+userdom_manage_user_tmp_files(xdm_t)
-+userdom_manage_user_tmp_sockets(xdm_t)
-+userdom_manage_tmpfs_role(system_r, xdm_t)
-+userdom_home_manager(xdm_t)
-+
-+application_signal(xdm_t)
-
- xserver_rw_session(xdm_t, xdm_tmpfs_t)
- xserver_unconfined(xdm_t)
-+xserver_domtrans_xauth(xdm_t)
-+
-+ifndef(`distro_redhat',`
-+ allow xdm_t self:process { execheap execmem };
-+')
-+
-+ifdef(`distro_rhel4',`
-+ allow xdm_t self:process { execheap execmem };
-+')
-
- tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(xdm_t)
-- fs_manage_nfs_files(xdm_t)
-- fs_manage_nfs_symlinks(xdm_t)
- fs_exec_nfs_files(xdm_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(xdm_t)
-- fs_manage_cifs_files(xdm_t)
-- fs_manage_cifs_symlinks(xdm_t)
- fs_exec_cifs_files(xdm_t)
- ')
-
-+optional_policy(`
-+ tunable_policy(`xdm_exec_bootloader',`
-+ bootloader_exec(xdm_t)
-+ files_read_boot_files(xdm_t)
-+ files_read_boot_symlinks(xdm_t)
-+ ')
-+')
-+
- tunable_policy(`xdm_sysadm_login',`
- userdom_xsession_spec_domtrans_all_users(xdm_t)
- # FIXME:
-@@ -502,11 +713,26 @@ tunable_policy(`xdm_sysadm_login',`
- ')
-
- optional_policy(`
-+ accountsd_read_lib_files(xdm_t)
-+ accountsd_dbus_chat(xdm_t)
-+')
-+
-+optional_policy(`
-+ acct_dontaudit_list_data(xdm_t)
-+')
-+
-+optional_policy(`
-+ boinc_dontaudit_getattr_lib(xdm_t)
-+')
-+
-+optional_policy(`
- alsa_domtrans(xdm_t)
-+ alsa_read_rw_config(xdm_t)
- ')
-
- optional_policy(`
- consolekit_dbus_chat(xdm_t)
-+ consolekit_read_log(xdm_t)
- ')
-
- optional_policy(`
-@@ -514,12 +740,71 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ # Use dbus to start other processes as xdm_t
-+ dbus_role_template(xdm, system_r, xdm_t)
-+ dbus_system_bus_client(xdm_dbusd_t)
-+ dbus_system_bus_client(xdm_t)
-+
-+ application_dontaudit_exec(xdm_dbusd_t)
-+ #fixes for xfce4-notifyd
-+ allow xdm_dbusd_t self:unix_stream_socket connectto;
-+ allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;
-+
-+
-+ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
-+ xserver_xdm_append_log(xdm_dbusd_t)
-+ xserver_read_xdm_pid(xdm_dbusd_t)
-+
-+ miscfiles_read_fonts(xdm_dbusd_t)
-+
-+ corecmd_bin_entry_type(xdm_t)
-+
-+ optional_policy(`
-+ bluetooth_dbus_chat(xdm_t)
-+ ')
-+
-+ optional_policy(`
-+ cpufreqselector_dbus_chat(xdm_t)
-+ ')
-+
-+ optional_policy(`
-+ devicekit_dbus_chat_disk(xdm_t)
-+ devicekit_dbus_chat_power(xdm_t)
-+ ')
-+
-+ optional_policy(`
-+ hal_dbus_chat(xdm_t)
-+ ')
-+
-+ optional_policy(`
-+ gnomeclock_dbus_chat(xdm_t)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(xdm_t)
-+ ')
-+')
-+
-+optional_policy(`
- # Talk to the console mouse server.
- gpm_stream_connect(xdm_t)
- gpm_setattr_gpmctl(xdm_t)
- ')
-
- optional_policy(`
-+ gnome_stream_connect_gkeyringd(xdm_t)
-+ gnome_exec_keyringd(xdm_t)
-+ gnome_manage_config(xdm_t)
-+ gnome_manage_gconf_home_files(xdm_t)
-+ gnome_filetrans_home_content(xdm_t)
-+ gnome_read_config(xdm_t)
-+ gnome_read_usr_config(xdm_t)
-+ gnome_read_gconf_config(xdm_t)
-+ gnome_transition_gkeyringd(xdm_t)
-+ gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")
-+')
-+
-+optional_policy(`
- hostname_exec(xdm_t)
- ')
-
-@@ -537,28 +822,78 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ policykit_dbus_chat(xdm_t)
-+ policykit_domtrans_auth(xdm_t)
-+ policykit_read_lib(xdm_t)
-+ policykit_read_reload(xdm_t)
-+ policykit_signal_auth(xdm_t)
-+')
-+
-+optional_policy(`
-+ pcscd_stream_connect(xdm_t)
-+')
-+
-+optional_policy(`
-+ plymouthd_search_spool(xdm_t)
-+ plymouthd_exec_plymouth(xdm_t)
-+ plymouthd_stream_connect(xdm_t)
-+ plymouthd_read_log(xdm_t)
-+')
-+
-+optional_policy(`
-+ pulseaudio_exec(xdm_t)
-+ pulseaudio_dbus_chat(xdm_t)
-+ pulseaudio_stream_connect(xdm_t)
-+ pulseaudio_read_state(xserver_t)
-+')
-+
-+optional_policy(`
- resmgr_stream_connect(xdm_t)
- ')
-
- optional_policy(`
-+ rhev_stream_connect_agentd(xdm_t)
-+ rhev_read_pid_files_agentd(xdm_t)
-+')
-+
-+# On crash gdm execs gdb to dump stack
-+optional_policy(`
-+ rpm_exec(xdm_t)
-+ rpm_read_db(xdm_t)
-+ rpm_dontaudit_manage_db(xdm_t)
-+ rpm_dontaudit_dbus_chat(xdm_t)
-+')
-+
-+optional_policy(`
-+ rtkit_scheduled(xdm_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(xdm_t)
- ')
-
- optional_policy(`
-- udev_read_db(xdm_t)
-+ ssh_signull(xdm_t)
-+')
-+
-+optional_policy(`
-+ shutdown_domtrans(xdm_t)
- ')
-
- optional_policy(`
-- unconfined_domain(xdm_t)
-- unconfined_domtrans(xdm_t)
-+ telepathy_exec(xdm_t)
-+')
-
-- ifndef(`distro_redhat',`
-- allow xdm_t self:process { execheap execmem };
-- ')
-+optional_policy(`
-+ udev_read_db(xdm_t)
-+')
-
-- ifdef(`distro_rhel4',`
-- allow xdm_t self:process { execheap execmem };
-- ')
-+optional_policy(`
-+ unconfined_signal(xdm_t)
-+')
-+
-+optional_policy(`
-+ usbmuxd_stream_connect(xdm_t)
- ')
-
- optional_policy(`
-@@ -570,6 +905,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ vdagent_stream_connect(xdm_t)
-+')
-+
-+optional_policy(`
-+ wm_exec(xdm_t)
-+')
-+
-+optional_policy(`
- xfs_stream_connect(xdm_t)
- ')
-
-@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send;
- # execheap needed until the X module loader is fixed.
- # NVIDIA Needs execstack
-
--allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-+allow xserver_t self:capability { sys_ptrace dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-+
- dontaudit xserver_t self:capability chown;
-+allow xserver_t self:capability2 compromise_kernel;
-+
- allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow xserver_t self:fd use;
- allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
- allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow xserver_t self:tcp_socket create_stream_socket_perms;
- allow xserver_t self:udp_socket create_socket_perms;
-+allow xserver_t self:netlink_selinux_socket create_socket_perms;
- allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
-
-+allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-+
-+domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
-+
-+allow xserver_t xauth_home_t:file read_file_perms;
-+
- manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
- manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
- manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +981,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
- manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
- files_search_var_lib(xserver_t)
-
--domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
--allow xserver_t xauth_home_t:file read_file_perms;
-+manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
-+manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
-+files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
-+
-+manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
-+manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
-+manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
-+files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })
-
- # Create files in /var/log with the xserver_log_t type.
- manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
- logging_log_filetrans(xserver_t, xserver_log_t, file)
-+manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)
-
- kernel_read_system_state(xserver_t)
- kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1001,12 @@ kernel_read_modprobe_sysctls(xserver_t)
- # Xorg wants to check if kernel is tainted
- kernel_read_kernel_sysctls(xserver_t)
- kernel_write_proc_files(xserver_t)
-+kernel_request_load_module(xserver_t)
-
- # Run helper programs in xserver_t.
- corecmd_exec_bin(xserver_t)
- corecmd_exec_shell(xserver_t)
-
--corenet_all_recvfrom_unlabeled(xserver_t)
- corenet_all_recvfrom_netlabel(xserver_t)
- corenet_tcp_sendrecv_generic_if(xserver_t)
- corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1027,28 @@ dev_rw_apm_bios(xserver_t)
- dev_rw_agp(xserver_t)
- dev_rw_framebuffer(xserver_t)
- dev_manage_dri_dev(xserver_t)
--dev_filetrans_dri(xserver_t)
- dev_create_generic_dirs(xserver_t)
- dev_setattr_generic_dirs(xserver_t)
- # raw memory access is needed if not using the frame buffer
- dev_read_raw_memory(xserver_t)
- dev_wx_raw_memory(xserver_t)
- # for other device nodes such as the NVidia binary-only driver
--dev_rw_xserver_misc(xserver_t)
-+dev_manage_xserver_misc(xserver_t)
-+dev_filetrans_xserver_misc(xserver_t)
-+
- # read events - the synaptics touchpad driver reads raw events
- dev_rw_input_dev(xserver_t)
-+dev_read_raw_memory(xserver_t)
-+dev_write_raw_memory(xserver_t)
- dev_rwx_zero(xserver_t)
-
--domain_dontaudit_search_all_domains_state(xserver_t)
-+domain_dontaudit_read_all_domains_state(xserver_t)
-+domain_signal_all_domains(xserver_t)
-
- files_read_etc_files(xserver_t)
- files_read_etc_runtime_files(xserver_t)
- files_read_usr_files(xserver_t)
-+files_rw_tmpfs_files(xserver_t)
-
- # brought on by rhgb
- files_search_mnt(xserver_t)
-@@ -694,8 +1059,13 @@ fs_getattr_xattr_fs(xserver_t)
- fs_search_nfs(xserver_t)
- fs_search_auto_mountpoints(xserver_t)
- fs_search_ramfs(xserver_t)
-+fs_rw_tmpfs_files(xserver_t)
-
- mls_xwin_read_to_clearance(xserver_t)
-+mls_process_write_to_clearance(xserver_t)
-+mls_file_read_to_clearance(xserver_t)
-+mls_file_write_all_levels(xserver_t)
-+mls_file_upgrade(xserver_t)
-
- selinux_validate_context(xserver_t)
- selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1078,18 @@ init_getpgid(xserver_t)
- term_setattr_unallocated_ttys(xserver_t)
- term_use_unallocated_ttys(xserver_t)
-
--getty_use_fds(xserver_t)
--
- locallogin_use_fds(xserver_t)
-
- logging_send_syslog_msg(xserver_t)
- logging_send_audit_msgs(xserver_t)
-
--miscfiles_read_localization(xserver_t)
- miscfiles_read_fonts(xserver_t)
--
--modutils_domtrans_insmod(xserver_t)
-+miscfiles_read_hwdata(xserver_t)
-
- # read x_contexts
- seutil_read_default_contexts(xserver_t)
-+seutil_read_config(xserver_t)
-+seutil_read_file_contexts(xserver_t)
-
- userdom_search_user_home_dirs(xserver_t)
- userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1143,40 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ consolekit_read_state(xserver_t)
-+')
-+
-+optional_policy(`
-+ devicekit_signal_power(xserver_t)
-+')
-+
-+optional_policy(`
-+ getty_use_fds(xserver_t)
-+')
-+
-+optional_policy(`
-+ modutils_domtrans_insmod(xserver_t)
-+')
-+
-+optional_policy(`
- rhgb_getpgid(xserver_t)
- rhgb_signal(xserver_t)
- ')
-
- optional_policy(`
-+ setrans_translate_context(xserver_t)
-+')
-+
-+optional_policy(`
-+ sandbox_rw_xserver_tmpfs_files(xserver_t)
-+')
-+
-+optional_policy(`
- udev_read_db(xserver_t)
- ')
-
- optional_policy(`
-- unconfined_domain_noaudit(xserver_t)
-+ unconfined_domain(xserver_t)
- unconfined_domtrans(xserver_t)
- ')
-
-@@ -793,6 +1185,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ wine_rw_shm(xserver_t)
-+')
-+
-+optional_policy(`
- xfs_stream_connect(xserver_t)
- ')
-
-@@ -808,10 +1204,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
-
- # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
- # handle of a file inside the dir!!!
--allow xserver_t xdm_var_lib_t:file { getattr read };
--dontaudit xserver_t xdm_var_lib_t:dir search;
-+allow xserver_t xdm_var_lib_t:file read_file_perms;
-+dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
-
--allow xserver_t xdm_var_run_t:file read_file_perms;
-+read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
-
- # Label pid and temporary files with derived types.
- manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1215,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
- manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-
- # Run xkbcomp.
--allow xserver_t xkb_var_lib_t:lnk_file read;
-+allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
- can_exec(xserver_t, xkb_var_lib_t)
-
- # VNC v4 module in X server
-@@ -832,26 +1228,21 @@ init_use_fds(xserver_t)
- # to read ROLE_home_t - examine this in more detail
- # (xauth?)
- userdom_read_user_home_content_files(xserver_t)
-+userdom_read_all_users_state(xserver_t)
-+userdom_home_manager(xserver_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(xserver_t)
-- fs_manage_nfs_files(xserver_t)
-- fs_manage_nfs_symlinks(xserver_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(xserver_t)
-- fs_manage_cifs_files(xserver_t)
-- fs_manage_cifs_symlinks(xserver_t)
--')
-+xserver_use_user_fonts(xserver_t)
-
- optional_policy(`
- dbus_system_bus_client(xserver_t)
-- hal_dbus_chat(xserver_t)
-+
-+ optional_policy(`
-+ hal_dbus_chat(xserver_t)
-+ ')
- ')
-
- optional_policy(`
-- resmgr_stream_connect(xdm_t)
-+ mono_rw_shm(xserver_t)
- ')
-
- optional_policy(`
-@@ -859,6 +1250,10 @@ optional_policy(`
- rhgb_rw_tmpfs_files(xserver_t)
- ')
-
-+optional_policy(`
-+ userhelper_search_config(xserver_t)
-+')
-+
- ########################################
- #
- # Rules common to all X window domains
-@@ -902,7 +1297,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
- allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
- # operations allowed on my windows
- allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
--allow x_domain self:x_drawable { blend };
-+allow x_domain self:x_drawable blend;
- # operations allowed on all windows
- allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-
-@@ -956,11 +1351,31 @@ allow x_domain self:x_resource { read write };
- # can mess with the screensaver
- allow x_domain xserver_t:x_screen { getattr saver_getattr };
-
-+# Device rules
-+allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
-+allow x_domain xserver_t:x_screen getattr;
-+
- ########################################
- #
- # Rules for unconfined access to this module
- #
-
-+allow xserver_unconfined_type xserver_t:x_server *;
-+allow xserver_unconfined_type xdrawable_type:x_drawable *;
-+allow xserver_unconfined_type xserver_t:x_screen *;
-+allow xserver_unconfined_type x_domain:x_gc *;
-+allow xserver_unconfined_type xcolormap_type:x_colormap *;
-+allow xserver_unconfined_type xproperty_type:x_property *;
-+allow xserver_unconfined_type xselection_type:x_selection *;
-+allow xserver_unconfined_type x_domain:x_cursor *;
-+allow xserver_unconfined_type x_domain:x_client *;
-+allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
-+allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
-+allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
-+allow xserver_unconfined_type xextension_type:x_extension *;
-+allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
-+allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
-+
- tunable_policy(`! xserver_object_manager',`
- # should be xserver_unconfined(x_domain),
- # but typeattribute doesnt work in conditionals
-@@ -982,18 +1397,44 @@ tunable_policy(`! xserver_object_manager',`
- allow x_domain xevent_type:{ x_event x_synthetic_event } *;
- ')
-
--allow xserver_unconfined_type xserver_t:x_server *;
--allow xserver_unconfined_type xdrawable_type:x_drawable *;
--allow xserver_unconfined_type xserver_t:x_screen *;
--allow xserver_unconfined_type x_domain:x_gc *;
--allow xserver_unconfined_type xcolormap_type:x_colormap *;
--allow xserver_unconfined_type xproperty_type:x_property *;
--allow xserver_unconfined_type xselection_type:x_selection *;
--allow xserver_unconfined_type x_domain:x_cursor *;
--allow xserver_unconfined_type x_domain:x_client *;
--allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
--allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
--allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
--allow xserver_unconfined_type xextension_type:x_extension *;
--allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
--allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
-+tunable_policy(`xserver_execmem',`
-+ allow xserver_t self:process { execheap execmem execstack };
-+')
-+
-+# Hack to handle the problem of using the nvidia blobs
-+tunable_policy(`deny_execmem',`',`
-+ allow xdm_t self:process execmem;
-+')
-+
-+tunable_policy(`selinuxuser_execstack',`
-+ allow xdm_t self:process { execstack execmem };
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_append_nfs_files(xdmhomewriter)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_append_nfs_files(xdmhomewriter)
-+')
-+
-+optional_policy(`
-+ unconfined_rw_shm(xserver_t)
-+
-+ # xserver signals unconfined user on startx
-+ unconfined_signal(xserver_t)
-+ unconfined_getpgid(xserver_t)
-+')
-+
-+allow xdm_t xdm_unconfined_exec_t:dir search_dir_perms;
-+can_exec(xdm_t, xdm_unconfined_exec_t)
-+
-+optional_policy(`
-+ type xdm_unconfined_t;
-+ domain_type(xdm_unconfined_t)
-+ domain_entry_file(xdm_unconfined_t, xdm_unconfined_exec_t)
-+ role system_r types xdm_unconfined_t;
-+
-+ domtrans_pattern(xdm_t, xdm_unconfined_exec_t, xdm_unconfined_t)
-+ unconfined_domain(xdm_unconfined_t)
-+')
-diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
-index 1b6619e..be02b96 100644
---- a/policy/modules/system/application.if
-+++ b/policy/modules/system/application.if
-@@ -43,6 +43,27 @@ interface(`application_executable_file',`
- corecmd_executable_file($1)
- ')
-
-+#######################################
-+##
-+## Make the specified type usable for files
-+## that are exectuables, such as binary programs.
-+## This does not include shared libraries.
-+##
-+##
-+##
-+## Type to be used for files.
-+##
-+##
-+#
-+interface(`application_executable_ioctl',`
-+ gen_require(`
-+ attribute application_exec_type;
-+ ')
-+
-+ allow $1 application_exec_type:file ioctl;
-+
-+')
-+
- ########################################
- ##
- ## Execute application executables in the caller domain.
-@@ -76,13 +97,30 @@ interface(`application_exec_all',`
- corecmd_dontaudit_exec_all_executables($1)
- corecmd_exec_bin($1)
- corecmd_exec_shell($1)
-- corecmd_exec_chroot($1)
-
- application_exec($1)
- ')
-
- ########################################
- ##
-+## Dontaudit execute all executable files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`application_dontaudit_exec',`
-+ gen_require(`
-+ attribute application_exec_type;
-+ ')
-+
-+ dontaudit $1 application_exec_type:file execute;
-+')
-+
-+########################################
-+##
- ## Create a domain for applications.
- ##
- ##
-@@ -189,6 +227,24 @@ interface(`application_dontaudit_signal',`
-
- ########################################
- ##
-+## Send kill signals to all application domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`application_sigkill',`
-+ gen_require(`
-+ attribute application_domain_type;
-+ ')
-+
-+ allow $1 application_domain_type:process sigkill;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to send kill signals
- ## to all application domains.
- ##
-@@ -205,3 +261,21 @@ interface(`application_dontaudit_sigkill',`
-
- dontaudit $1 application_domain_type:process sigkill;
- ')
-+
-+#######################################
-+##
-+## Getattr all application sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`application_getattr_socket',`
-+ gen_require(`
-+ attribute application_domain_type;
-+ ')
-+
-+ allow $1 application_domain_type:socket_class_set getattr;
-+')
-diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
-index c6fdab7..c59902a 100644
---- a/policy/modules/system/application.te
-+++ b/policy/modules/system/application.te
-@@ -6,6 +6,30 @@ attribute application_domain_type;
- # Executables to be run by user
- attribute application_exec_type;
-
-+domain_use_interactive_fds(application_domain_type)
-+
-+userdom_inherit_append_user_home_content_files(application_domain_type)
-+userdom_inherit_append_admin_home_files(application_domain_type)
-+userdom_inherit_append_user_tmp_files(application_domain_type)
-+userdom_rw_inherited_user_tmp_files(application_domain_type)
-+userdom_rw_inherited_user_pipes(application_domain_type)
-+logging_inherit_append_all_logs(application_domain_type)
-+
-+files_dontaudit_search_non_security_dirs(application_domain_type)
-+
-+optional_policy(`
-+ afs_rw_udp_sockets(application_domain_type)
-+')
-+
-+optional_policy(`
-+ cfengine_append_inherited_log(application_domain_type)
-+')
-+
-+optional_policy(`
-+ cron_rw_inherited_user_spool_files(application_domain_type)
-+ cron_sigchld(application_domain_type)
-+')
-+
- optional_policy(`
- cron_sigchld(application_domain_type)
- ')
-diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..ffa1f8f 100644
---- a/policy/modules/system/authlogin.fc
-+++ b/policy/modules/system/authlogin.fc
-@@ -1,14 +1,25 @@
-+HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
-+HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
-+/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
-+/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
-
- /bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-
--/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
--/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
-+/etc/group\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
- /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
--/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-+/etc/security/opasswd -- gen_context(system_u:object_r:shadow_t,s0)
-+/etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_t,s0)
-+/etc/passwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/\.pwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/passwd[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/group[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
-
- /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
--/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
-+/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0)
- /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
- /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-@@ -16,13 +27,24 @@ ifdef(`distro_suse', `
- /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
-
-+/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-+
- /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0)
-
--/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
--/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
-+/usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0)
-+/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
-+/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ifdef(`distro_gentoo', `
- /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
-+/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
-+/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+
-+/var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-+
-+/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-
- /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
-
-@@ -30,20 +52,24 @@ ifdef(`distro_gentoo', `
-
- /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
- /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-+/var/lib/pam_shield(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-+/var/lib/google-authenticator(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-
- /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
- /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
--/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0)
--/var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0)
-+/var/log/faillog.* -- gen_context(system_u:object_r:faillog_t,s0)
-+/var/log/lastlog.* -- gen_context(system_u:object_r:lastlog_t,s0)
- /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
--/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0)
-+/var/log/tallylog.* -- gen_context(system_u:object_r:faillog_t,s0)
- /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
-
-+/var/lib/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-+/var/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-+
- /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
- /var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)
- /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
- /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
- /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
- /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
--/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
- /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f416ce9..b4efacf 100644
---- a/policy/modules/system/authlogin.if
-+++ b/policy/modules/system/authlogin.if
-@@ -23,11 +23,17 @@ interface(`auth_role',`
- role $1 types chkpwd_t;
-
- # Transition from the user domain to this domain.
-- domtrans_pattern($2, chkpwd_exec_t, chkpwd_t)
-+ auth_domtrans_chkpwd($2)
-
- ps_process_pattern($2, chkpwd_t)
-
- dontaudit $2 shadow_t:file read_file_perms;
-+
-+ logging_send_syslog_msg($2)
-+ logging_send_audit_msgs($2)
-+
-+ usermanage_read_crack_db($2)
-+
- ')
-
- ########################################
-@@ -57,6 +63,8 @@ interface(`auth_use_pam',`
- auth_exec_pam($1)
- auth_use_nsswitch($1)
-
-+ init_rw_stream_sockets($1)
-+
- logging_send_audit_msgs($1)
- logging_send_syslog_msg($1)
-
-@@ -78,8 +86,19 @@ interface(`auth_use_pam',`
- ')
-
- optional_policy(`
-+ locallogin_getattr_home_content($1)
-+ ')
-+
-+ optional_policy(`
- nis_authenticate($1)
- ')
-+
-+ optional_policy(`
-+ systemd_dbus_chat_logind($1)
-+ systemd_use_fds_logind($1)
-+ systemd_write_inherited_logind_sessions_pipes($1)
-+ systemd_read_logind_sessions_files($1)
-+ ')
- ')
-
- ########################################
-@@ -95,48 +114,21 @@ interface(`auth_use_pam',`
- interface(`auth_login_pgm_domain',`
- gen_require(`
- type var_auth_t, auth_cache_t;
-+ attribute polydomain;
-+ attribute login_pgm;
-+ type auth_home_t;
- ')
-
- domain_type($1)
-+ typeattribute $1 polydomain;
-+ typeattribute $1 login_pgm;
-+
- domain_subj_id_change_exemption($1)
- domain_role_change_exemption($1)
- domain_obj_id_change_exemption($1)
- role system_r types $1;
-
-- # Needed for pam_selinux_permit to cleanup properly
-- domain_read_all_domains_state($1)
-- domain_kill_all_domains($1)
--
-- # pam_keyring
-- allow $1 self:capability ipc_lock;
-- allow $1 self:process setkeycreate;
-- allow $1 self:key manage_key_perms;
--
-- files_list_var_lib($1)
-- manage_files_pattern($1, var_auth_t, var_auth_t)
--
-- manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-- manage_files_pattern($1, auth_cache_t, auth_cache_t)
-- manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
-- files_var_filetrans($1, auth_cache_t, dir)
--
-- # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
-- kernel_rw_afs_state($1)
--
-- # for fingerprint readers
-- dev_rw_input_dev($1)
-- dev_rw_generic_usb_dev($1)
--
-- files_read_etc_files($1)
--
-- fs_list_auto_mountpoints($1)
--
- selinux_get_fs_mount($1)
-- selinux_validate_context($1)
-- selinux_compute_access_vector($1)
-- selinux_compute_create_context($1)
-- selinux_compute_relabel_context($1)
-- selinux_compute_user_contexts($1)
-
- mls_file_read_all_levels($1)
- mls_file_write_all_levels($1)
-@@ -146,18 +138,43 @@ interface(`auth_login_pgm_domain',`
- mls_fd_share_all_levels($1)
-
- auth_use_pam($1)
-+')
-
-- init_rw_utmp($1)
--
-- logging_set_loginuid($1)
-- logging_set_tty_audit($1)
-+########################################
-+##
-+## Read authlogin state files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`authlogin_read_state',`
-+ gen_require(`
-+ attribute polydomain;
-+ ')
-
-- seutil_read_config($1)
-- seutil_read_default_contexts($1)
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, polydomain)
-+')
-
-- tunable_policy(`allow_polyinstantiation',`
-- files_polyinstantiate_all($1)
-+########################################
-+##
-+## Read and write a authlogin unnamed pipe.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`authlogin_rw_pipes',`
-+ gen_require(`
-+ attribute polydomain;
- ')
-+
-+ allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -231,6 +248,25 @@ interface(`auth_domtrans_login_program',`
-
- ########################################
- ##
-+## Execute a login_program in the caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`auth_exec_login_program',`
-+ gen_require(`
-+ type login_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ can_exec($1, login_exec_t)
-+')
-+
-+########################################
-+##
- ## Execute a login_program in the target domain,
- ## with a range transition.
- ##
-@@ -395,13 +431,15 @@ interface(`auth_domtrans_chk_passwd',`
- ')
-
- optional_policy(`
-- pcscd_read_pub_files($1)
-+ pcscd_manage_pub_files($1)
-+ pcscd_manage_pub_pipes($1)
- pcscd_stream_connect($1)
- ')
-
- optional_policy(`
- samba_stream_connect_winbind($1)
- ')
-+ auth_domtrans_upd_passwd($1)
- ')
-
- ########################################
-@@ -448,6 +486,25 @@ interface(`auth_run_chk_passwd',`
-
- auth_domtrans_chk_passwd($1)
- role $2 types chkpwd_t;
-+ auth_run_upd_passwd($1, $2)
-+')
-+
-+########################################
-+##
-+## Send generic signals to chkpwd processes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_signal_chk_passwd',`
-+ gen_require(`
-+ type chkpwd_t;
-+ ')
-+
-+ allow $1 chkpwd_t:process signal;
- ')
-
- ########################################
-@@ -467,7 +524,6 @@ interface(`auth_domtrans_upd_passwd',`
-
- domtrans_pattern($1, updpwd_exec_t, updpwd_t)
- auth_dontaudit_read_shadow($1)
--
- ')
-
- ########################################
-@@ -664,6 +720,9 @@ interface(`auth_manage_shadow',`
-
- allow $1 shadow_t:file manage_file_perms;
- typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
-+ files_var_filetrans($1, shadow_t, file, "shadow")
-+ files_var_filetrans($1, shadow_t, file, "shadow-")
-+ files_etc_filetrans($1, shadow_t, file, "gshadow")
- ')
-
- #######################################
-@@ -763,7 +822,50 @@ interface(`auth_rw_faillog',`
- ')
-
- logging_search_logs($1)
-- allow $1 faillog_t:file rw_file_perms;
-+ rw_files_pattern($1, faillog_t, faillog_t)
-+')
-+
-+########################################
-+##
-+## Relabel the login failure log.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_relabel_faillog',`
-+ gen_require(`
-+ type faillog_t;
-+ ')
-+
-+ allow $1 faillog_t:dir relabel_dir_perms;
-+ allow $1 faillog_t:file relabel_file_perms;
-+')
-+
-+########################################
-+##
-+## Manage the login failure log.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_manage_faillog',`
-+ gen_require(`
-+ type faillog_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ files_search_pids($1)
-+ allow $1 faillog_t:dir manage_dir_perms;
-+ allow $1 faillog_t:file manage_file_perms;
-+ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
-+ logging_log_named_filetrans($1, faillog_t, file, "faillog")
-+ logging_log_named_filetrans($1, faillog_t, file, "btmp")
- ')
-
- #######################################
-@@ -826,7 +928,7 @@ interface(`auth_rw_lastlog',`
-
- ########################################
- ##
--## Execute pam programs in the pam domain.
-+## Execute pam timestamp programs in the pam timestamp domain.
- ##
- ##
- ##
-@@ -834,12 +936,27 @@ interface(`auth_rw_lastlog',`
- ##
- ##
- #
--interface(`auth_domtrans_pam',`
-+interface(`auth_domtrans_pam_timestamp',`
- gen_require(`
-- type pam_t, pam_exec_t;
-+ type pam_timestamp_t, pam_timestamp_exec_t;
- ')
-
-- domtrans_pattern($1, pam_exec_t, pam_t)
-+ domtrans_pattern($1, pam_timestamp_exec_t, pam_timestamp_t)
-+')
-+
-+########################################
-+##
-+## Execute pam timestamp programs in the pam timestamp domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`auth_domtrans_pam',`
-+ auth_domtrans_pam_timestamp($1)
-+ refpolicywarn(`$0() has been deprecated, please use auth_domtrans_pam_timestamp() instead.')
- ')
-
- ########################################
-@@ -854,15 +971,15 @@ interface(`auth_domtrans_pam',`
- #
- interface(`auth_signal_pam',`
- gen_require(`
-- type pam_t;
-+ type pam_timestamp_t;
- ')
-
-- allow $1 pam_t:process signal;
-+ allow $1 pam_timestamp_t:process signal;
- ')
-
- ########################################
- ##
--## Execute pam programs in the PAM domain.
-+## Execute pam_timestamp programs in the PAM timestamp domain.
- ##
- ##
- ##
-@@ -875,13 +992,33 @@ interface(`auth_signal_pam',`
- ##
- ##
- #
--interface(`auth_run_pam',`
-+interface(`auth_run_pam_timestamp',`
- gen_require(`
-- type pam_t;
-+ type pam_timestamp_t;
- ')
-
-- auth_domtrans_pam($1)
-- role $2 types pam_t;
-+ auth_domtrans_pam_timestamp($1)
-+ role $2 types pam_timestamp_t;
-+')
-+
-+########################################
-+##
-+## Execute pam_timestamp programs in the PAM timestamp domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The role to allow the PAM domain.
-+##
-+##
-+#
-+interface(`auth_run_pam',`
-+ auth_run_pam_timestamp($1, $2)
-+ refpolicywarn(`$0() has been deprecated, please use auth_run_pam_timestamp.')
- ')
-
- ########################################
-@@ -959,9 +1096,30 @@ interface(`auth_manage_var_auth',`
- ')
-
- files_search_var($1)
-- allow $1 var_auth_t:dir manage_dir_perms;
-- allow $1 var_auth_t:file rw_file_perms;
-- allow $1 var_auth_t:lnk_file rw_lnk_file_perms;
-+
-+ manage_dirs_pattern($1, var_auth_t, var_auth_t)
-+ manage_files_pattern($1, var_auth_t, var_auth_t)
-+ manage_lnk_files_pattern($1, var_auth_t, var_auth_t)
-+')
-+
-+########################################
-+##
-+## Relabel all var auth files. Used by various other applications
-+## and pam applets etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_relabel_var_auth_dirs',`
-+ gen_require(`
-+ type var_auth_t;
-+ ')
-+
-+ files_search_var($1)
-+ relabel_dirs_pattern($1, var_auth_t, var_auth_t)
- ')
-
- ########################################
-@@ -1040,6 +1198,10 @@ interface(`auth_manage_pam_pid',`
- files_search_pids($1)
- allow $1 pam_var_run_t:dir manage_dir_perms;
- allow $1 pam_var_run_t:file manage_file_perms;
-+ files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount")
-+ files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh")
-+ files_pid_filetrans($1, pam_var_run_t, dir, "sepermit")
-+ files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
- ')
-
- ########################################
-@@ -1157,6 +1319,7 @@ interface(`auth_manage_pam_console_data',`
- files_search_pids($1)
- manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
- manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
-+ files_pid_filetrans($1, pam_var_console_t, dir, "console")
- ')
-
- #######################################
-@@ -1526,6 +1689,25 @@ interface(`auth_setattr_login_records',`
-
- ########################################
- ##
-+## Relabel login record files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_relabel_login_records',`
-+ gen_require(`
-+ type wtmp_t;
-+ ')
-+
-+ allow $1 wtmp_t:file relabel_file_perms;
-+')
-+
-+
-+########################################
-+##
- ## Read login records files (/var/log/wtmp).
- ##
- ##
-@@ -1676,24 +1858,7 @@ interface(`auth_manage_login_records',`
-
- logging_rw_generic_log_dirs($1)
- allow $1 wtmp_t:file manage_file_perms;
--')
--
--########################################
--##
--## Relabel login record files.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`auth_relabel_login_records',`
-- gen_require(`
-- type wtmp_t;
-- ')
--
-- allow $1 wtmp_t:file relabel_file_perms;
-+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
- ')
-
- ########################################
-@@ -1717,11 +1882,13 @@ interface(`auth_relabel_login_records',`
- ##
- #
- interface(`auth_use_nsswitch',`
-- gen_require(`
-- attribute nsswitch_domain;
-- ')
-+ gen_require(`
-+ attribute nsswitch_domain;
-+ ')
-
- typeattribute $1 nsswitch_domain;
-+
-+ corenet_all_recvfrom_netlabel($1)
- ')
-
- ########################################
-@@ -1755,3 +1922,199 @@ interface(`auth_unconfined',`
- typeattribute $1 can_write_shadow_passwords;
- typeattribute $1 can_relabelto_shadow_passwords;
- ')
-+
-+########################################
-+##
-+## Transition to authlogin named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_filetrans_named_content',`
-+ gen_require(`
-+ type shadow_t;
-+ type passwd_file_t;
-+ type faillog_t;
-+ type lastlog_t;
-+ type wtmp_t;
-+ type pam_var_console_t;
-+ type pam_var_run_t;
-+ type auth_cache_t;
-+ ')
-+
-+ files_etc_filetrans($1, passwd_file_t, file, "group")
-+ files_etc_filetrans($1, passwd_file_t, file, "group-")
-+ #files_etc_filetrans($1, passwd_file_t, file, "group+")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
-+ #files_etc_filetrans($1, passwd_file_t, file, "passwd+")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD")
-+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock")
-+ files_etc_filetrans($1, passwd_file_t, file, "group.lock")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd.adjunct")
-+ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")
-+ files_etc_filetrans($1, shadow_t, file, "shadow")
-+ files_etc_filetrans($1, shadow_t, file, "shadow-")
-+ files_etc_filetrans($1, shadow_t, file, "gshadow")
-+ logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
-+ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
-+ logging_log_named_filetrans($1, faillog_t, file, "faillog")
-+ logging_log_named_filetrans($1, faillog_t, file, "btmp")
-+ files_pid_filetrans($1, faillog_t, file, "faillog")
-+ files_pid_filetrans($1, faillog_t, dir, "faillock")
-+ files_pid_filetrans($1, pam_var_console_t, dir, "console")
-+ files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount")
-+ files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh")
-+ files_pid_filetrans($1, pam_var_run_t, dir, "sepermit")
-+ files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
-+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
-+ files_var_filetrans($1, auth_cache_t, dir, "coolkey")
-+')
-+
-+########################################
-+##
-+## Get the attributes of the passwd passwords file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_getattr_passwd',`
-+ gen_require(`
-+ type passwd_file_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 passwd_file_t:file getattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of the passwd passwords file.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`auth_dontaudit_getattr_passwd',`
-+ gen_require(`
-+ type passwd_file_t;
-+ ')
-+
-+ dontaudit $1 passwd_file_t:file getattr;
-+')
-+
-+########################################
-+##
-+## Read the passwd passwords file (/etc/passwd)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_read_passwd',`
-+ gen_require(`
-+ type passwd_file_t;
-+ ')
-+
-+ allow $1 passwd_file_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read the passwd
-+## password file (/etc/passwd).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`auth_dontaudit_read_passwd',`
-+ gen_require(`
-+ type passwd_file_t;
-+ ')
-+
-+ dontaudit $1 passwd_file_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete the passwd
-+## password file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_manage_passwd',`
-+ gen_require(`
-+ type passwd_file_t;
-+ ')
-+
-+ files_rw_etc_dirs($1)
-+ allow $1 passwd_file_t:file manage_file_perms;
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
-+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
-+ files_etc_filetrans($1, passwd_file_t, file, "group")
-+ files_etc_filetrans($1, passwd_file_t, file, "group-")
-+ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")
-+ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock")
-+ files_etc_filetrans($1, passwd_file_t, file, "group.lock")
-+')
-+
-+########################################
-+##
-+## Create auth directory in the /root directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_filetrans_admin_home_content',`
-+ gen_require(`
-+ type auth_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
-+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
-+')
-+
-+########################################
-+##
-+## Create auth directory in the user home directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_filetrans_home_content',`
-+
-+ gen_require(`
-+ type auth_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
-+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
-+')
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index f145ccb..499ee40 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.0)
- # Declarations
- #
-
-+##
-+##
-+## Allow users to login using a radius server
-+##
-+##
-+gen_tunable(authlogin_radius, false)
-+
-+##
-+##
-+## Allow users to login using a yubikey server
-+##
-+##
-+gen_tunable(authlogin_yubikey, false)
-
- ##
- ##
-@@ -16,20 +29,26 @@ gen_tunable(authlogin_nsswitch_use_ldap, false)
- attribute can_read_shadow_passwords;
- attribute can_write_shadow_passwords;
- attribute can_relabelto_shadow_passwords;
-+attribute polydomain;
- attribute nsswitch_domain;
-+attribute login_pgm;
-
- type auth_cache_t;
- logging_log_file(auth_cache_t)
-
-+type auth_home_t;
-+userdom_user_home_content(auth_home_t)
-+
- type chkpwd_t, can_read_shadow_passwords;
- type chkpwd_exec_t;
- typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
--typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
-+typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t system_chkpwd_t };
- application_domain(chkpwd_t, chkpwd_exec_t)
- role system_r types chkpwd_t;
-
- type faillog_t;
- logging_log_file(faillog_t)
-+mls_trusted_object(faillog_t)
-
- type lastlog_t;
- logging_log_file(lastlog_t)
-@@ -42,15 +61,15 @@ type pam_console_exec_t;
- init_system_domain(pam_console_t, pam_console_exec_t)
- role system_r types pam_console_t;
-
--type pam_t;
--domain_type(pam_t)
--role system_r types pam_t;
-+type pam_timestamp_t alias pam_t;
-+domain_type(pam_timestamp_t)
-+role system_r types pam_timestamp_t;
-
--type pam_exec_t;
--domain_entry_file(pam_t, pam_exec_t)
-+type pam_timestamp_exec_t alias pam_exec_t;
-+domain_entry_file(pam_timestamp_t, pam_timestamp_exec_t)
-
--type pam_tmp_t;
--files_tmp_file(pam_tmp_t)
-+type pam_timestamp_tmp_t;
-+files_tmp_file(pam_timestamp_tmp_t)
-
- type pam_var_console_t;
- files_pid_file(pam_var_console_t)
-@@ -64,6 +83,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
- neverallow ~can_write_shadow_passwords shadow_t:file { create write };
- neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
-
-+type passwd_file_t;
-+files_type(passwd_file_t)
-+
- type updpwd_t;
- type updpwd_exec_t;
- domain_type(updpwd_t)
-@@ -109,6 +131,8 @@ dev_read_urand(chkpwd_t)
- files_read_etc_files(chkpwd_t)
- # for nscd
- files_dontaudit_search_var(chkpwd_t)
-+files_read_usr_symlinks(chkpwd_t)
-+files_list_tmp(chkpwd_t)
-
- fs_dontaudit_getattr_xattr_fs(chkpwd_t)
-
-@@ -122,12 +146,11 @@ auth_use_nsswitch(chkpwd_t)
- logging_send_audit_msgs(chkpwd_t)
- logging_send_syslog_msg(chkpwd_t)
-
--miscfiles_read_localization(chkpwd_t)
-
- seutil_read_config(chkpwd_t)
- seutil_dontaudit_use_newrole_fds(chkpwd_t)
-
--userdom_use_user_terminals(chkpwd_t)
-+userdom_dontaudit_use_user_ttys(chkpwd_t)
-
- ifdef(`distro_ubuntu',`
- optional_policy(`
-@@ -153,53 +176,52 @@ optional_policy(`
- # PAM local policy
- #
-
--allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
--dontaudit pam_t self:capability sys_tty_config;
-+allow pam_timestamp_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+dontaudit pam_timestamp_t self:capability sys_tty_config;
-
--allow pam_t self:fd use;
--allow pam_t self:fifo_file rw_file_perms;
--allow pam_t self:unix_dgram_socket create_socket_perms;
--allow pam_t self:unix_stream_socket rw_stream_socket_perms;
--allow pam_t self:unix_dgram_socket sendto;
--allow pam_t self:unix_stream_socket connectto;
--allow pam_t self:shm create_shm_perms;
--allow pam_t self:sem create_sem_perms;
--allow pam_t self:msgq create_msgq_perms;
--allow pam_t self:msg { send receive };
-+allow pam_timestamp_t self:fd use;
-+allow pam_timestamp_t self:fifo_file rw_file_perms;
-+allow pam_timestamp_t self:unix_dgram_socket create_socket_perms;
-+allow pam_timestamp_t self:unix_stream_socket rw_stream_socket_perms;
-+allow pam_timestamp_t self:unix_dgram_socket sendto;
-+allow pam_timestamp_t self:unix_stream_socket connectto;
-+allow pam_timestamp_t self:shm create_shm_perms;
-+allow pam_timestamp_t self:sem create_sem_perms;
-+allow pam_timestamp_t self:msgq create_msgq_perms;
-+allow pam_timestamp_t self:msg { send receive };
-
--delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
--read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
--files_list_pids(pam_t)
-+delete_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t)
-+read_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t)
-+files_list_pids(pam_timestamp_t)
-
--allow pam_t pam_tmp_t:dir manage_dir_perms;
--allow pam_t pam_tmp_t:file manage_file_perms;
--files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
-+allow pam_timestamp_t pam_timestamp_tmp_t:dir manage_dir_perms;
-+allow pam_timestamp_t pam_timestamp_tmp_t:file manage_file_perms;
-+files_tmp_filetrans(pam_timestamp_t, pam_timestamp_tmp_t, { file dir })
-
--auth_use_nsswitch(pam_t)
-+auth_use_nsswitch(pam_timestamp_t)
-
--kernel_read_system_state(pam_t)
-+kernel_read_system_state(pam_timestamp_t)
-
--files_read_etc_files(pam_t)
-+files_read_etc_files(pam_timestamp_t)
-
--fs_search_auto_mountpoints(pam_t)
-+fs_search_auto_mountpoints(pam_timestamp_t)
-
--miscfiles_read_localization(pam_t)
-
--term_use_all_ttys(pam_t)
--term_use_all_ptys(pam_t)
-+term_use_all_ttys(pam_timestamp_t)
-+term_use_all_ptys(pam_timestamp_t)
-
--init_dontaudit_rw_utmp(pam_t)
-+init_dontaudit_rw_utmp(pam_timestamp_t)
-
--logging_send_syslog_msg(pam_t)
-+logging_send_syslog_msg(pam_timestamp_t)
-
- ifdef(`distro_ubuntu',`
- optional_policy(`
-- unconfined_domain(pam_t)
-+ unconfined_domain(pam_timestamp_t)
- ')
- ')
-
- optional_policy(`
-- locallogin_use_fds(pam_t)
-+ locallogin_use_fds(pam_timestamp_t)
- ')
-
- ########################################
-@@ -289,7 +311,6 @@ init_use_script_ptys(pam_console_t)
-
- logging_send_syslog_msg(pam_console_t)
-
--miscfiles_read_localization(pam_console_t)
- miscfiles_read_generic_certs(pam_console_t)
-
- seutil_read_file_contexts(pam_console_t)
-@@ -341,6 +362,7 @@ kernel_read_system_state(updpwd_t)
- dev_read_urand(updpwd_t)
-
- files_manage_etc_files(updpwd_t)
-+auth_manage_passwd(updpwd_t)
-
- term_dontaudit_use_console(updpwd_t)
- term_dontaudit_use_unallocated_ttys(updpwd_t)
-@@ -350,9 +372,8 @@ auth_use_nsswitch(updpwd_t)
-
- logging_send_syslog_msg(updpwd_t)
-
--miscfiles_read_localization(updpwd_t)
-
--userdom_use_user_terminals(updpwd_t)
-+userdom_use_inherited_user_terminals(updpwd_t)
-
- ifdef(`distro_ubuntu',`
- optional_policy(`
-@@ -380,13 +401,15 @@ term_dontaudit_use_all_ttys(utempter_t)
- term_dontaudit_use_all_ptys(utempter_t)
- term_dontaudit_use_ptmx(utempter_t)
-
-+auth_use_nsswitch(utempter_t)
-+
- init_rw_utmp(utempter_t)
-
- domain_use_interactive_fds(utempter_t)
-
- logging_search_logs(utempter_t)
-
--userdom_use_user_terminals(utempter_t)
-+userdom_use_inherited_user_terminals(utempter_t)
- # Allow utemper to write to /tmp/.xses-*
- userdom_write_user_tmp_files(utempter_t)
-
-@@ -397,19 +420,27 @@ ifdef(`distro_ubuntu',`
- ')
-
- optional_policy(`
-- nscd_socket_use(utempter_t)
-+ xserver_use_xdm_fds(utempter_t)
-+ xserver_rw_xdm_pipes(utempter_t)
-+')
-+
-+tunable_policy(`polyinstantiation_enabled',`
-+ files_polyinstantiate_all(polydomain)
- ')
-
- optional_policy(`
-- xserver_use_xdm_fds(utempter_t)
-- xserver_rw_xdm_pipes(utempter_t)
-+ tunable_policy(`polyinstantiation_enabled',`
-+ namespace_init_domtrans(polydomain)
-+ ')
- ')
-
--#######################################
-+######################################
- #
- # nsswitch_domain local policy
- #
-
-+auth_read_passwd(nsswitch_domain)
-+
- files_list_var_lib(nsswitch_domain)
-
- # read /etc/nsswitch.conf
-@@ -426,6 +457,12 @@ tunable_policy(`authlogin_nsswitch_use_ldap',`
-
- optional_policy(`
- tunable_policy(`authlogin_nsswitch_use_ldap',`
-+ dirsrv_stream_connect(nsswitch_domain)
-+ ')
-+')
-+
-+optional_policy(`
-+ tunable_policy(`authlogin_nsswitch_use_ldap',`
- ldap_stream_connect(nsswitch_domain)
- ')
- ')
-@@ -438,6 +475,7 @@ optional_policy(`
- likewise_stream_connect_lsassd(nsswitch_domain)
- ')
-
-+# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
- optional_policy(`
- kerberos_use(nsswitch_domain)
- ')
-@@ -447,7 +485,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_socket_use(nsswitch_domain)
-+ nscd_use(nsswitch_domain)
- ')
-
- optional_policy(`
-@@ -456,6 +494,7 @@ optional_policy(`
-
- optional_policy(`
- sssd_stream_connect(nsswitch_domain)
-+ sssd_read_public_files(nsswitch_domain)
- ')
-
- optional_policy(`
-@@ -463,3 +502,132 @@ optional_policy(`
- samba_read_var_files(nsswitch_domain)
- samba_dontaudit_write_var_files(nsswitch_domain)
- ')
-+
-+#######################################
-+#
-+# Login Program local policy
-+#
-+
-+domain_read_all_domains_state(login_pgm)
-+corecmd_getattr_all_executables(login_pgm)
-+domain_kill_all_domains(login_pgm)
-+
-+# pam_keyring
-+allow login_pgm self:capability ipc_lock;
-+allow login_pgm self:process setkeycreate;
-+allow login_pgm self:key manage_key_perms;
-+userdom_manage_all_users_keys(login_pgm)
-+
-+files_list_var_lib(login_pgm)
-+manage_dirs_pattern(login_pgm, var_auth_t, var_auth_t)
-+manage_files_pattern(login_pgm, var_auth_t, var_auth_t)
-+manage_sock_files_pattern(login_pgm, var_auth_t, var_auth_t)
-+
-+manage_dirs_pattern(login_pgm, auth_cache_t, auth_cache_t)
-+manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
-+manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
-+files_var_filetrans(login_pgm, auth_cache_t, dir)
-+
-+manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
-+manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
-+auth_filetrans_admin_home_content(login_pgm)
-+auth_filetrans_home_content(login_pgm)
-+
-+# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
-+kernel_search_network_sysctl(login_pgm)
-+kernel_rw_afs_state(login_pgm)
-+
-+tunable_policy(`authlogin_radius',`
-+ corenet_udp_bind_all_unreserved_ports(login_pgm)
-+')
-+
-+tunable_policy(`authlogin_yubikey',`
-+ corenet_tcp_connect_http_port(login_pgm)
-+')
-+
-+corenet_tcp_connect_pki_ca_port(login_pgm)
-+
-+# for fingerprint readers
-+dev_rw_input_dev(login_pgm)
-+dev_rw_generic_usb_dev(login_pgm)
-+
-+files_read_config_files(login_pgm)
-+
-+fs_list_auto_mountpoints(login_pgm)
-+fs_manage_cgroup_dirs(login_pgm)
-+fs_manage_cgroup_files(login_pgm)
-+fs_read_ecryptfs_symlinks(login_pgm)
-+fs_read_ecryptfs_files(login_pgm)
-+
-+selinux_validate_context(login_pgm)
-+selinux_compute_access_vector(login_pgm)
-+selinux_compute_create_context(login_pgm)
-+selinux_compute_relabel_context(login_pgm)
-+selinux_compute_user_contexts(login_pgm)
-+
-+auth_manage_faillog(login_pgm)
-+auth_manage_pam_pid(login_pgm)
-+
-+init_rw_utmp(login_pgm)
-+
-+logging_set_loginuid(login_pgm)
-+logging_set_tty_audit(login_pgm)
-+
-+miscfiles_dontaudit_write_generic_cert_files(login_pgm)
-+
-+seutil_read_config(login_pgm)
-+seutil_read_login_config(login_pgm)
-+seutil_read_default_contexts(login_pgm)
-+systemd_login_read_pid_files(login_pgm)
-+
-+userdom_set_rlimitnh(login_pgm)
-+userdom_read_user_home_content_symlinks(login_pgm)
-+userdom_delete_user_tmp_files(login_pgm)
-+userdom_search_admin_dir(login_pgm)
-+userdom_stream_connect(login_pgm)
-+userdom_manage_user_tmp_dirs(login_pgm)
-+userdom_manage_user_tmp_files(login_pgm)
-+
-+optional_policy(`
-+ afs_rw_udp_sockets(login_pgm)
-+')
-+
-+optional_policy(`
-+ kerberos_read_config(login_pgm)
-+')
-+
-+optional_policy(`
-+ oddjob_dbus_chat(login_pgm)
-+ oddjob_domtrans_mkhomedir(login_pgm)
-+')
-+
-+optional_policy(`
-+ openct_stream_connect(login_pgm)
-+ openct_signull(login_pgm)
-+ openct_read_pid_files(login_pgm)
-+')
-+
-+optional_policy(`
-+ corecmd_exec_bin(login_pgm)
-+ storage_getattr_fixed_disk_dev(login_pgm)
-+ mount_domtrans(login_pgm)
-+ mount_domtrans_ecryptmount(login_pgm)
-+')
-+
-+optional_policy(`
-+ fprintd_dbus_chat(login_pgm)
-+')
-+
-+optional_policy(`
-+ realmd_dbus_chat(login_pgm)
-+')
-+
-+optional_policy(`
-+ # allow execute tmux
-+ screen_exec(login_pgm)
-+')
-+
-+optional_policy(`
-+ ssh_agent_exec(login_pgm)
-+ ssh_read_user_home_files(login_pgm)
-+')
-diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
-index c5e05ca..c9ddbee 100644
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -3,3 +3,5 @@
-
- /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-
-+/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+
-diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
-index e2f6d93..c78ccc6 100644
---- a/policy/modules/system/clock.if
-+++ b/policy/modules/system/clock.if
-@@ -82,6 +82,25 @@ interface(`clock_dontaudit_write_adjtime',`
-
- ########################################
- ##
-+## Read clock drift adjustments.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`clock_read_adjtime',`
-+ gen_require(`
-+ type adjtime_t;
-+ ')
-+
-+ allow $1 adjtime_t:file read_file_perms;
-+ files_list_etc($1)
-+')
-+
-+########################################
-+##
- ## Read and write clock drift adjustments.
- ##
- ##
-diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
-index b9ed25b..91e25b5 100644
---- a/policy/modules/system/clock.te
-+++ b/policy/modules/system/clock.te
-@@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t)
-
- term_dontaudit_use_console(hwclock_t)
- term_use_unallocated_ttys(hwclock_t)
--term_use_all_ttys(hwclock_t)
--term_use_all_ptys(hwclock_t)
-+term_use_all_inherited_ttys(hwclock_t)
-+term_use_all_inherited_ptys(hwclock_t)
-
- domain_use_interactive_fds(hwclock_t)
-
-+auth_use_nsswitch(hwclock_t)
-+
- init_use_fds(hwclock_t)
- init_use_script_ptys(hwclock_t)
-
- logging_send_audit_msgs(hwclock_t)
- logging_send_syslog_msg(hwclock_t)
-
--miscfiles_read_localization(hwclock_t)
-
- optional_policy(`
- apm_append_log(hwclock_t)
-@@ -65,10 +66,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_socket_use(hwclock_t)
--')
--
--optional_policy(`
- seutil_sigchld_newrole(hwclock_t)
- ')
-
-diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index a97a096..f65892c 100644
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -1,4 +1,3 @@
--/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -23,7 +22,6 @@
- /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
--/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -41,7 +39,46 @@
- /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-
-+/usr/lib/systemd/systemd-fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+
-+/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-
- /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
-+
-+/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_var_run_t,s0)
-diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
-index 016a770..927f4b8 100644
---- a/policy/modules/system/fstools.if
-+++ b/policy/modules/system/fstools.if
-@@ -154,3 +154,23 @@ interface(`fstools_getattr_swap_files',`
-
- allow $1 swapfile_t:file getattr;
- ')
-+
-+########################################
-+##
-+## Create, read, write, and delete the FSADM pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fsadm_manage_pid',`
-+ gen_require(`
-+ type fsadm_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_files_pattern($1, fsadm_var_run_t, fsadm_var_run_t)
-+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
-+')
-diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 6c4b6ee..86a90a2 100644
---- a/policy/modules/system/fstools.te
-+++ b/policy/modules/system/fstools.te
-@@ -13,6 +13,9 @@ role system_r types fsadm_t;
- type fsadm_log_t;
- logging_log_file(fsadm_log_t)
-
-+type fsadm_var_run_t;
-+files_pid_file(fsadm_var_run_t)
-+
- type fsadm_tmp_t;
- files_tmp_file(fsadm_tmp_t)
-
-@@ -41,9 +44,15 @@ allow fsadm_t self:msg { send receive };
-
- can_exec(fsadm_t, fsadm_exec_t)
-
-+manage_dirs_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
-+manage_files_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
-+files_pid_filetrans(fsadm_t, fsadm_var_run_t, {dir file })
-+
- allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
- allow fsadm_t fsadm_tmp_t:file manage_file_perms;
- files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
-+files_create_boot_flag(fsadm_t)
-+files_setattr_root_dirs(fsadm_t)
-
- # log files
- allow fsadm_t fsadm_log_t:dir setattr;
-@@ -101,6 +110,8 @@ files_read_usr_files(fsadm_t)
- files_read_etc_files(fsadm_t)
- files_manage_lost_found(fsadm_t)
- files_manage_isid_type_dirs(fsadm_t)
-+# /etc/mtab is a link
-+files_read_etc_runtime_files(fsadm_t)
- # Write to /etc/mtab.
- files_manage_etc_runtime_files(fsadm_t)
- files_etc_filetrans_etc_runtime(fsadm_t, file)
-@@ -120,11 +131,16 @@ fs_list_auto_mountpoints(fsadm_t)
- fs_search_tmpfs(fsadm_t)
- fs_getattr_tmpfs_dirs(fsadm_t)
- fs_read_tmpfs_symlinks(fsadm_t)
-+fs_manage_nfs_files(fsadm_t)
-+fs_manage_cifs_files(fsadm_t)
-+fs_rw_hugetlbfs_files(fsadm_t)
- # Recreate /mnt/cdrom.
- files_manage_mnt_dirs(fsadm_t)
- # for tune2fs
- files_search_all(fsadm_t)
-
-+mcs_file_read_all(fsadm_t)
-+
- mls_file_read_all_levels(fsadm_t)
- mls_file_write_all_levels(fsadm_t)
-
-@@ -133,21 +149,24 @@ storage_raw_write_fixed_disk(fsadm_t)
- storage_raw_read_removable_device(fsadm_t)
- storage_raw_write_removable_device(fsadm_t)
- storage_read_scsi_generic(fsadm_t)
-+storage_rw_fuse(fsadm_t)
- storage_swapon_fixed_disk(fsadm_t)
-
- term_use_console(fsadm_t)
-
-+init_read_state(fsadm_t)
- init_use_fds(fsadm_t)
- init_use_script_ptys(fsadm_t)
- init_dontaudit_getattr_initctl(fsadm_t)
-+init_stream_connect(fsadm_t)
-
- logging_send_syslog_msg(fsadm_t)
-+logging_stream_connect_syslog(fsadm_t)
-
--miscfiles_read_localization(fsadm_t)
-
- seutil_read_config(fsadm_t)
-
--userdom_use_user_terminals(fsadm_t)
-+term_use_all_inherited_terms(fsadm_t)
-
- ifdef(`distro_redhat',`
- optional_policy(`
-@@ -166,6 +185,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ devicekit_dontaudit_read_pid_files(fsadm_t)
-+ devicekit_dontaudit_rw_log(fsadm_t)
-+')
-+
-+optional_policy(`
- hal_dontaudit_write_log(fsadm_t)
- ')
-
-@@ -179,6 +203,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ mount_read_pid_files(fsadm_t)
-+')
-+
-+optional_policy(`
- nis_use_ypbind(fsadm_t)
- ')
-
-@@ -192,6 +220,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ virt_read_blk_images(fsadm_t)
-+')
-+
-+optional_policy(`
- xen_append_log(fsadm_t)
- xen_rw_image_files(fsadm_t)
- ')
-diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
-index e1a1848..c0d34e7 100644
---- a/policy/modules/system/getty.fc
-+++ b/policy/modules/system/getty.fc
-@@ -3,6 +3,10 @@
-
- /sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
-
-+/usr/lib/systemd/system/[^/]*getty.* -- gen_context(system_u:object_r:getty_unit_file_t,s0)
-+
-+/usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
-+
- /var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
- /var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0)
-
-diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
-index e4376aa..2c98c56 100644
---- a/policy/modules/system/getty.if
-+++ b/policy/modules/system/getty.if
-@@ -96,3 +96,45 @@ interface(`getty_rw_config',`
- files_search_etc($1)
- allow $1 getty_etc_t:file rw_file_perms;
- ')
-+
-+########################################
-+##
-+## Execute getty server in the getty domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`getty_systemctl',`
-+ gen_require(`
-+ type getty_unit_file_t;
-+ type getty_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 getty_unit_file_t:file read_file_perms;
-+ allow $1 getty_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, getty_t)
-+')
-+
-+########################################
-+##
-+## Start getty unit files domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`getty_start_services',`
-+ gen_require(`
-+ type getty_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 getty_unit_file_t:service start;
-+')
-diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index fd100fc..3e61328 100644
---- a/policy/modules/system/getty.te
-+++ b/policy/modules/system/getty.te
-@@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t)
- type getty_var_run_t;
- files_pid_file(getty_var_run_t)
-
-+type getty_unit_file_t;
-+systemd_unit_file(getty_unit_file_t)
-+
- ########################################
- #
- # Getty local policy
-@@ -83,8 +86,11 @@ term_use_unallocated_ttys(getty_t)
- term_setattr_all_ttys(getty_t)
- term_setattr_unallocated_ttys(getty_t)
- term_setattr_console(getty_t)
-+term_setattr_usb_ttys(getty_t)
-+term_use_console(getty_t)
-
- auth_rw_login_records(getty_t)
-+auth_use_nsswitch(getty_t)
-
- init_rw_utmp(getty_t)
- init_use_script_ptys(getty_t)
-@@ -94,7 +100,6 @@ locallogin_domtrans(getty_t)
-
- logging_send_syslog_msg(getty_t)
-
--miscfiles_read_localization(getty_t)
-
- ifdef(`distro_gentoo',`
- # Gentoo default /etc/issue makes agetty
-@@ -113,7 +118,7 @@ ifdef(`distro_ubuntu',`
- ')
- ')
-
--tunable_policy(`console_login',`
-+tunable_policy(`login_console_enabled',`
- # Support logging in from /dev/console
- term_use_console(getty_t)
- ',`
-@@ -125,10 +130,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_socket_use(getty_t)
--')
--
--optional_policy(`
- ppp_domtrans(getty_t)
- ')
-
-diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
-index 9dfecf7..6d00f5c 100644
---- a/policy/modules/system/hostname.fc
-+++ b/policy/modules/system/hostname.fc
-@@ -1,2 +1,4 @@
-
- /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+
-+/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
-diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index f6cbda9..8c37105 100644
---- a/policy/modules/system/hostname.te
-+++ b/policy/modules/system/hostname.te
-@@ -23,39 +23,47 @@ dontaudit hostname_t self:capability sys_tty_config;
-
- kernel_list_proc(hostname_t)
- kernel_read_proc_symlinks(hostname_t)
-+kernel_read_network_state(hostname_t)
-
- dev_read_sysfs(hostname_t)
- # Early devtmpfs, before udev relabel
- dev_dontaudit_rw_generic_chr_files(hostname_t)
-
-+domain_dontaudit_leaks(hostname_t)
- domain_use_interactive_fds(hostname_t)
-
- files_read_etc_files(hostname_t)
-+files_dontaudit_leaks(hostname_t)
- files_dontaudit_search_var(hostname_t)
- # for when /usr is not mounted:
- files_dontaudit_search_isid_type_dirs(hostname_t)
-
- fs_getattr_xattr_fs(hostname_t)
- fs_search_auto_mountpoints(hostname_t)
-+fs_dontaudit_leaks(hostname_t)
- fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
-
- term_dontaudit_use_console(hostname_t)
--term_use_all_ttys(hostname_t)
--term_use_all_ptys(hostname_t)
-+term_use_all_inherited_ttys(hostname_t)
-+term_use_all_inherited_ptys(hostname_t)
-
- init_use_fds(hostname_t)
- init_use_script_fds(hostname_t)
- init_use_script_ptys(hostname_t)
-+init_rw_inherited_script_tmp_files(hostname_t)
-
- logging_send_syslog_msg(hostname_t)
-
--miscfiles_read_localization(hostname_t)
-
- sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
- sysnet_read_config(hostname_t)
- sysnet_dns_name_resolve(hostname_t)
-
- optional_policy(`
-+ mock_dontaudit_write_lib_chr_files(hostname_t)
-+')
-+
-+optional_policy(`
- nis_use_ypbind(hostname_t)
- ')
-
-diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc
-index caf736b..91c4c6f 100644
---- a/policy/modules/system/hotplug.fc
-+++ b/policy/modules/system/hotplug.fc
-@@ -7,5 +7,8 @@
- /sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0)
- /sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0)
-
-+/usr/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0)
-+/usr/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0)
-+
- /var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
- /var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
-diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
-index 40eb10c..2a0a32c 100644
---- a/policy/modules/system/hotplug.if
-+++ b/policy/modules/system/hotplug.if
-@@ -34,7 +34,7 @@ interface(`hotplug_domtrans',`
- #
- interface(`hotplug_exec',`
- gen_require(`
-- type hotplug_t;
-+ type hotplug_exec_t;
- ')
-
- corecmd_search_bin($1)
-diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
-index b2e41cc..6a37dca 100644
---- a/policy/modules/system/hotplug.te
-+++ b/policy/modules/system/hotplug.te
-@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
- #
-
- allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
--dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
-+dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
- # for access("/etc/bashrc", X_OK) on Red Hat
- dontaudit hotplug_t self:capability { dac_override dac_read_search };
- allow hotplug_t self:process { setpgid getsession getattr signal_perms };
-@@ -52,7 +52,6 @@ kernel_rw_net_sysctls(hotplug_t)
-
- files_read_kernel_modules(hotplug_t)
-
--corenet_all_recvfrom_unlabeled(hotplug_t)
- corenet_all_recvfrom_netlabel(hotplug_t)
- corenet_tcp_sendrecv_generic_if(hotplug_t)
- corenet_udp_sendrecv_generic_if(hotplug_t)
-@@ -96,6 +95,8 @@ init_domtrans_script(hotplug_t)
- # kernel threads inherit from shared descriptor table used by init
- init_dontaudit_rw_initctl(hotplug_t)
-
-+auth_use_nsswitch(hotplug_t)
-+
- logging_send_syslog_msg(hotplug_t)
- logging_search_logs(hotplug_t)
-
-@@ -103,9 +104,6 @@ logging_search_logs(hotplug_t)
- libs_read_lib_files(hotplug_t)
-
- miscfiles_read_hwdata(hotplug_t)
--miscfiles_read_localization(hotplug_t)
--
--seutil_dontaudit_search_config(hotplug_t)
-
- sysnet_read_config(hotplug_t)
-
-@@ -164,14 +162,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nis_use_ypbind(hotplug_t)
--')
--
--optional_policy(`
-- nscd_socket_use(hotplug_t)
--')
--
--optional_policy(`
- seutil_sigchld_newrole(hotplug_t)
- ')
-
-diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index d2e40b8..3ba2e4c 100644
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -2,6 +2,7 @@
- # /etc
- #
- /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+/etc/machine-id -- gen_context(system_u:object_r:machineid_t,s0)
-
- /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
-@@ -31,6 +32,11 @@ ifdef(`distro_gentoo', `
- #
- # /sbin
- #
-+/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
-+
-+#
-+# /sbin
-+#
- /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
- # because nowadays, /sbin/init is often a symlink to /sbin/upstart
- /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-@@ -48,11 +54,23 @@ ifdef(`distro_gentoo', `
- #
- /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
-
-+/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
-+# because nowadays, /sbin/init is often a symlink to /sbin/upstart
-+/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-+
-+/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
-+/usr/lib/systemd/fedora[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
-+
- /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
-
- /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
-+
-+/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0)
-
- #
- # /var
-@@ -61,6 +79,7 @@ ifdef(`distro_gentoo', `
- /var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
- /var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
- /var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
-+/var/run/systemd/machine-id -- gen_context(system_u:object_r:machineid_t,s0)
-
- ifdef(`distro_debian',`
- /var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
-@@ -79,3 +98,4 @@ ifdef(`distro_suse', `
- /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
- /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
- ')
-+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..95c1bd8 100644
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -106,6 +106,8 @@ interface(`init_domain',`
- role system_r types $1;
-
- domtrans_pattern(init_t, $2, $1)
-+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
-+ allow $1 init_t:unix_dgram_socket sendto;
-
- ifdef(`hide_broken_symptoms',`
- # RHEL4 systems seem to have a stray
-@@ -192,50 +194,43 @@ interface(`init_ranged_domain',`
- interface(`init_daemon_domain',`
- gen_require(`
- attribute direct_run_init, direct_init, direct_init_entry;
-- type initrc_t;
-+ type init_t;
- role system_r;
- attribute daemon;
-+ attribute initrc_transition_domain;
-+ attribute initrc_domain;
- ')
-
- typeattribute $1 daemon;
-+ typeattribute $2 direct_init_entry;
-
- domain_type($1)
- domain_entry_file($1, $2)
-
-- role system_r types $1;
--
-- domtrans_pattern(initrc_t, $2, $1)
--
-- # daemons started from init will
-- # inherit fds from init for the console
-- init_dontaudit_use_fds($1)
-- term_dontaudit_use_console($1)
--
-- # init script ptys are the stdin/out/err
-- # when using run_init
-- init_use_script_ptys($1)
-+ type_transition initrc_domain $2:process $1;
-
- ifdef(`direct_sysadm_daemon',`
-- domtrans_pattern(direct_run_init, $2, $1)
-- allow direct_run_init $1:process { noatsecure siginh rlimitinh };
--
-+ type_transition direct_run_init $2:process $1;
- typeattribute $1 direct_init;
-- typeattribute $2 direct_init_entry;
--
-- userdom_dontaudit_use_user_terminals($1)
- ')
-+')
-
-- ifdef(`hide_broken_symptoms',`
-- # RHEL4 systems seem to have a stray
-- # fds open from the initrd
-- ifdef(`distro_rhel4',`
-- kernel_dontaudit_use_fds($1)
-- ')
-- ')
-+#######################################
-+##
-+## Create initrc domain.
-+##
-+##
-+##
-+## Type to be used as a initrc daemon domain.
-+##
-+##
-+#
-+interface(`init_initrc_domain',`
-+ gen_require(`
-+ attribute initrc_domain;
-+ ')
-
-- optional_policy(`
-- nscd_socket_use($1)
-- ')
-+ typeattribute $1 initrc_domain;
- ')
-
- ########################################
-@@ -283,17 +278,20 @@ interface(`init_daemon_domain',`
- interface(`init_ranged_daemon_domain',`
- gen_require(`
- type initrc_t;
-+ type init_t;
- ')
-
-- init_daemon_domain($1, $2)
-+# init_daemon_domain($1, $2)
-
- ifdef(`enable_mcs',`
- range_transition initrc_t $2:process $3;
-+ range_transition init_t $2:process $3;
- ')
-
- ifdef(`enable_mls',`
- range_transition initrc_t $2:process $3;
- mls_rangetrans_target($1)
-+ range_transition init_t $2:process $3;
- ')
- ')
-
-@@ -336,23 +334,19 @@ interface(`init_ranged_daemon_domain',`
- #
- interface(`init_system_domain',`
- gen_require(`
-- type initrc_t;
-+ type init_t;
- role system_r;
-+ attribute initrc_transition_domain;
-+ attribute systemprocess, systemprocess_entry;
-+ attribute initrc_domain;
- ')
-
-+ typeattribute $1 systemprocess;
- application_domain($1, $2)
--
- role system_r types $1;
-+ typeattribute $2 systemprocess_entry;
-
-- domtrans_pattern(initrc_t, $2, $1)
--
-- ifdef(`hide_broken_symptoms',`
-- # RHEL4 systems seem to have a stray
-- # fds open from the initrd
-- ifdef(`distro_rhel4',`
-- kernel_dontaudit_use_fds($1)
-- ')
-- ')
-+ type_transition initrc_domain $2:process $1;
- ')
-
- ########################################
-@@ -401,20 +395,41 @@ interface(`init_system_domain',`
- interface(`init_ranged_system_domain',`
- gen_require(`
- type initrc_t;
-+ type init_t;
- ')
-
- init_system_domain($1, $2)
-
- ifdef(`enable_mcs',`
- range_transition initrc_t $2:process $3;
-+ range_transition init_t $2:process $3;
- ')
-
- ifdef(`enable_mls',`
- range_transition initrc_t $2:process $3;
-+ range_transition init_t $2:process $3;
- mls_rangetrans_target($1)
- ')
- ')
-
-+######################################
-+##
-+## Allow domain dyntransition to init_t domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`init_dyntrans',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ dyntrans_pattern($1, init_t)
-+')
-+
- ########################################
- ##
- ## Execute init (/sbin/init) with a domain transition.
-@@ -442,7 +457,6 @@ interface(`init_domtrans',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`init_exec',`
- gen_require(`
-@@ -451,6 +465,48 @@ interface(`init_exec',`
-
- corecmd_search_bin($1)
- can_exec($1, init_exec_t)
-+
-+ optional_policy(`
-+ systemd_exec_systemctl($1)
-+ ')
-+')
-+
-+#######################################
-+##
-+## Check access to the init/systemd executable.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_access_check',`
-+ gen_require(`
-+ type init_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ allow $1 init_exec_t:file { getattr_file_perms execute };
-+')
-+
-+#######################################
-+##
-+## Dontaudit getattr on the init program.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`init_dontaudit_getattr_exec',`
-+ gen_require(`
-+ type init_exec_t;
-+ ')
-+
-+ dontaudit $1 init_exec_t:file getattr;
- ')
-
- ########################################
-@@ -539,6 +595,24 @@ interface(`init_sigchld',`
-
- ########################################
- ##
-+## Send generic signals to init.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_signal',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:process signal;
-+')
-+
-+########################################
-+##
- ## Connect to init with a unix socket.
- ##
- ##
-@@ -549,10 +623,66 @@ interface(`init_sigchld',`
- #
- interface(`init_stream_connect',`
- gen_require(`
-- type init_t;
-+ type init_t, init_var_run_t;
- ')
-
-- allow $1 init_t:unix_stream_socket connectto;
-+ files_search_pids($1)
-+ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
-+ allow $1 init_t:unix_stream_socket getattr;
-+')
-+
-+#######################################
-+##
-+## Dontaudit Connect to init with a unix socket.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`init_dontaudit_stream_connect',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ dontaudit $1 init_t:unix_stream_socket connectto;
-+')
-+
-+######################################
-+##
-+## Dontaudit getattr to init with a unix socket.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`init_dontaudit_getattr_stream_socket',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ dontaudit $1 init_t:unix_stream_socket getattr;
-+')
-+
-+######################################
-+##
-+## Dontaudit read and write to init with a unix socket.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`init_dontaudit_rw_stream_socket',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ dontaudit $1 init_t:unix_stream_socket { getattr read write };
- ')
-
- ########################################
-@@ -716,22 +846,23 @@ interface(`init_write_initctl',`
- interface(`init_telinit',`
- gen_require(`
- type initctl_t;
-+ type init_t;
- ')
-
-+ corecmd_exec_bin($1)
-+
- dev_list_all_dev_nodes($1)
- allow $1 initctl_t:fifo_file rw_fifo_file_perms;
-
- init_exec($1)
-
-- tunable_policy(`init_upstart',`
-- gen_require(`
-- type init_t;
-- ')
--
-- # upstart uses a datagram socket instead of initctl pipe
-- allow $1 self:unix_dgram_socket create_socket_perms;
-- allow $1 init_t:unix_dgram_socket sendto;
-- ')
-+ ps_process_pattern($1, init_t)
-+ allow $1 init_t:process signal;
-+ # upstart uses a datagram socket instead of initctl pipe
-+ allow $1 self:unix_dgram_socket create_socket_perms;
-+ allow $1 init_t:unix_dgram_socket sendto;
-+ #576913
-+ allow $1 init_t:unix_stream_socket connectto;
- ')
-
- ########################################
-@@ -760,7 +891,7 @@ interface(`init_rw_initctl',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -803,11 +934,12 @@ interface(`init_script_file_entry_type',`
- #
- interface(`init_spec_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`distro_gentoo',`
- gen_require(`
-@@ -818,11 +950,11 @@ interface(`init_spec_domtrans_script',`
- ')
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
-@@ -838,19 +970,41 @@ interface(`init_spec_domtrans_script',`
- #
- interface(`init_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
-+ attribute initrc_transition_domain;
- ')
-+ typeattribute $1 initrc_transition_domain;
-
- files_list_etc($1)
-- domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+ ')
-+')
-+
-+########################################
-+##
-+## Execute a file in a bin directory
-+## in the initrc_t domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_bin_domtrans_spec',`
-+ gen_require(`
-+ type initrc_t;
- ')
-+
-+ corecmd_bin_domtrans($1, initrc_t)
- ')
-
- ########################################
-@@ -906,9 +1060,14 @@ interface(`init_script_file_domtrans',`
- interface(`init_labeled_script_domtrans',`
- gen_require(`
- type initrc_t;
-+ attribute initrc_transition_domain;
- ')
-
-+ typeattribute $1 initrc_transition_domain;
-+ # service script searches all filesystems via mountpoint
-+ fs_search_all($1)
- domtrans_pattern($1, $2, initrc_t)
-+ allow $1 $2:file ioctl;
- files_search_etc($1)
- ')
-
-@@ -999,7 +1158,9 @@ interface(`init_ptrace',`
- type init_t;
- ')
-
-- allow $1 init_t:process ptrace;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 init_t:process ptrace;
-+ ')
- ')
-
- ########################################
-@@ -1098,6 +1259,25 @@ interface(`init_getattr_all_script_files',`
-
- ########################################
- ##
-+## Allow the specified domain to modify the systemd configuration of
-+## all init scripts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_config_all_script_files',`
-+ gen_require(`
-+ attribute init_script_file_type;
-+ ')
-+
-+ allow $1 init_script_file_type:service all_service_perms;
-+')
-+
-+########################################
-+##
- ## Read all init script files.
- ##
- ##
-@@ -1117,6 +1297,24 @@ interface(`init_read_all_script_files',`
-
- #######################################
- ##
-+## Dontaudit getattr all init script files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`init_dontaudit_getattr_all_script_files',`
-+ gen_require(`
-+ attribute init_script_file_type;
-+ ')
-+
-+ dontaudit $1 init_script_file_type:file getattr;
-+')
-+
-+#######################################
-+##
- ## Dontaudit read all init script files.
- ##
- ##
-@@ -1168,12 +1366,7 @@ interface(`init_read_script_state',`
- ')
-
- kernel_search_proc($1)
-- read_files_pattern($1, initrc_t, initrc_t)
-- read_lnk_files_pattern($1, initrc_t, initrc_t)
-- list_dirs_pattern($1, initrc_t, initrc_t)
--
-- # should move this to separate interface
-- allow $1 initrc_t:process getattr;
-+ ps_process_pattern($1, initrc_t)
- ')
-
- ########################################
-@@ -1413,6 +1606,27 @@ interface(`init_dbus_send_script',`
- ########################################
- ##
- ## Send and receive messages from
-+## init over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_dbus_chat',`
-+ gen_require(`
-+ type init_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 init_t:dbus send_msg;
-+ allow init_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
- ## init scripts over dbus.
- ##
- ##
-@@ -1499,6 +1713,25 @@ interface(`init_getattr_script_status_files',`
-
- ########################################
- ##
-+## Manage init script
-+## status files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_manage_script_status_files',`
-+ gen_require(`
-+ type initrc_state_t;
-+ ')
-+
-+ manage_files_pattern($1, initrc_state_t, initrc_state_t)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read init script
- ## status files.
- ##
-@@ -1557,6 +1790,24 @@ interface(`init_rw_script_tmp_files',`
-
- ########################################
- ##
-+## Read and write init script inherited temporary data.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_rw_inherited_script_tmp_files',`
-+ gen_require(`
-+ type initrc_tmp_t;
-+ ')
-+
-+ allow $1 initrc_tmp_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Create files in a init script
- ## temporary data directory.
- ##
-@@ -1629,6 +1880,43 @@ interface(`init_read_utmp',`
-
- ########################################
- ##
-+## Read utmp.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_read_machineid',`
-+ gen_require(`
-+ type machineid_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 machineid_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read utmp.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`init_dontaudit_read_utmp',`
-+ gen_require(`
-+ type initrc_var_run_t;
-+ ')
-+
-+ dontaudit $1 initrc_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to write utmp.
- ##
- ##
-@@ -1717,7 +2005,7 @@ interface(`init_dontaudit_rw_utmp',`
- type initrc_var_run_t;
- ')
-
-- dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
-+ dontaudit $1 initrc_var_run_t:file rw_file_perms;
- ')
-
- ########################################
-@@ -1758,7 +2046,134 @@ interface(`init_pid_filetrans_utmp',`
- files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
- ')
-
--########################################
-+######################################
-+##
-+## Allow search directory in the /run/systemd directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_search_pid_dirs',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ allow $1 init_var_run_t:dir search_dir_perms;
-+')
-+
-+######################################
-+##
-+## Allow listing of the /run/systemd directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_list_pid_dirs',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ allow $1 init_var_run_t:dir list_dir_perms;
-+')
-+
-+#######################################
-+##
-+## Create a directory in the /run/systemd directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_create_pid_dirs',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ allow $1 init_var_run_t:dir list_dir_perms;
-+ create_dirs_pattern($1, init_var_run_t, init_var_run_t)
-+')
-+
-+#######################################
-+##
-+## Create objects in /run/systemd directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`init_pid_filetrans',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
-+')
-+
-+#######################################
-+##
-+## Create objects in /run/systemd directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`init_named_pid_filetrans',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
-+')
-+
-+########################################
- ##
- ## Allow the specified domain to connect to daemon with a tcp socket
- ##
-@@ -1792,3 +2207,283 @@ interface(`init_udp_recvfrom_all_daemons',`
- ')
- corenet_udp_recvfrom_labeled($1, daemon)
- ')
-+
-+########################################
-+##
-+## Transition to system_r when execute an init script
-+##
-+##
-+##
-+## Execute a init script in a specified role
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+##
-+##
-+## Role to transition from.
-+##
-+##
-+#
-+interface(`init_script_role_transition',`
-+ gen_require(`
-+ attribute init_script_file_type;
-+ ')
-+
-+ role_transition $1 init_script_file_type system_r;
-+')
-+
-+########################################
-+##
-+## dontaudit read and write an leaked init scrip file descriptors
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`init_dontaudit_script_leaks',`
-+ gen_require(`
-+ type initrc_t;
-+ ')
-+
-+ dontaudit $1 initrc_t:socket_class_set { read write };
-+ dontaudit $1 initrc_t:shm rw_shm_perms;
-+ init_dontaudit_use_script_ptys($1)
-+ init_dontaudit_use_script_fds($1)
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to ioctl an
-+## init with a unix domain stream sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_ioctl_stream_sockets',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:unix_stream_socket ioctl;
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to read/write to
-+## init with a unix domain stream sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_rw_stream_sockets',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to write to
-+## init sock file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_write_pid_socket',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ allow $1 init_var_run_t:sock_file write;
-+')
-+
-+########################################
-+##
-+## Send a message to init over a unix domain
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_dgram_send',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:unix_dgram_socket sendto;
-+')
-+
-+########################################
-+##
-+## Send a message to init over a unix domain
-+## stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_stream_send',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:unix_stream_socket sendto;
-+')
-+
-+########################################
-+##
-+## Create a file type used for init socket files.
-+##
-+##
-+##
-+## This defines a type that init can create sock_file within for
-+## impersonation purposes
-+##
-+##
-+##
-+##
-+## Type to be used for a sock file.
-+##
-+##
-+##
-+#
-+interface(`init_sock_file',`
-+ gen_require(`
-+ attribute init_sock_file_type;
-+ ')
-+
-+ typeattribute $1 init_sock_file_type;
-+
-+')
-+
-+########################################
-+##
-+## Read init unnamed pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_read_pipes',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
-+')
-+
-+########################################
-+##
-+## Read/Write init unnamed pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_rw_pipes',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ rw_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
-+')
-+
-+########################################
-+##
-+## Get the system status information from init
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_status',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:system status;
-+')
-+
-+########################################
-+##
-+## Tell init to reboot the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_reboot',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:system reboot;
-+ systemd_config_power_services($1)
-+')
-+
-+########################################
-+##
-+## Tell init to halt the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_halt',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:system halt;
-+ systemd_config_power_services($1)
-+')
-+
-+########################################
-+##
-+## Tell init to do an unknown access.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_undefined',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:system undefined;
-+')
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..c57afad 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -11,10 +11,24 @@ gen_require(`
-
- ##
- ##
--## Enable support for upstart as the init program.
-+## Allow all daemons to use tcp wrappers.
- ##
- ##
--gen_tunable(init_upstart, false)
-+gen_tunable(daemons_use_tcp_wrapper, false)
-+
-+##
-+##
-+## Allow all daemons the ability to read/write terminals
-+##
-+##
-+gen_tunable(daemons_use_tty, false)
-+
-+##
-+##
-+## Allow all daemons to write corefiles to /
-+##
-+##
-+gen_tunable(daemons_dump_core, false)
-
- # used for direct running of init scripts
- # by admin domains
-@@ -25,19 +39,28 @@ attribute direct_init_entry;
- attribute init_script_domain_type;
- attribute init_script_file_type;
- attribute init_run_all_scripts_domain;
-+attribute initrc_transition_domain;
-+# Attribute used for systemd so domains can allow systemd to create sock_files
-+attribute init_sock_file_type;
-
- # Mark process types as daemons
- attribute daemon;
-+attribute systemprocess;
-+attribute systemprocess_entry;
-+
-+# Mark process types as initrc domain
-+attribute initrc_domain;
-
- #
- # init_t is the domain of the init process.
- #
--type init_t;
-+type init_t, initrc_transition_domain;
- type init_exec_t;
- domain_type(init_t)
- domain_entry_file(init_t, init_exec_t)
- kernel_domtrans_to(init_t, init_exec_t)
- role system_r types init_t;
-+init_initrc_domain(init_t)
-
- #
- # init_var_run_t is the type for /var/run/shutdown.pid.
-@@ -46,6 +69,15 @@ type init_var_run_t;
- files_pid_file(init_var_run_t)
-
- #
-+# init_var_lib_t is the type for /var/lib/random-seed
-+#
-+type init_var_lib_t;
-+files_pid_file(init_var_lib_t)
-+
-+type machineid_t;
-+files_config_file(machineid_t)
-+
-+#
- # initctl_t is the type of the named pipe created
- # by init during initialization. This pipe is used
- # to communicate with init.
-@@ -54,7 +86,7 @@ type initctl_t;
- files_type(initctl_t)
- mls_trusted_object(initctl_t)
-
--type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
-+type initrc_t, initrc_domain, init_script_domain_type, init_run_all_scripts_domain;
- type initrc_exec_t, init_script_file_type;
- domain_type(initrc_t)
- domain_entry_file(initrc_t, initrc_exec_t)
-@@ -63,6 +95,8 @@ role system_r types initrc_t;
- # of the below init_upstart tunable
- # but this has a typeattribute in it
- corecmd_shell_entry_type(initrc_t)
-+corecmd_bin_entry_type(initrc_t)
-+corecmd_bin_domtrans(init_t, initrc_t)
-
- type initrc_devpts_t;
- term_pty(initrc_devpts_t)
-@@ -95,7 +129,8 @@ ifdef(`enable_mls',`
- #
-
- # Use capabilities. old rule:
--allow init_t self:capability ~sys_module;
-+allow init_t self:capability ~{ audit_control audit_write sys_module };
-+allow init_t self:capability2 ~{ mac_admin mac_override };
- # is ~sys_module really needed? observed:
- # sys_boot
- # sys_tty_config
-@@ -107,12 +142,32 @@ allow init_t self:fifo_file rw_fifo_file_perms;
-
- # Re-exec itself
- can_exec(init_t, init_exec_t)
--
--allow init_t initrc_t:unix_stream_socket connectto;
--
--# For /var/run/shutdown.pid.
--allow init_t init_var_run_t:file manage_file_perms;
--files_pid_filetrans(init_t, init_var_run_t, file)
-+# executing content in /run/initramfs
-+manage_files_pattern(init_t, initrc_state_t, initrc_state_t)
-+can_exec(init_t, initrc_state_t)
-+
-+allow init_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms };
-+allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
-+allow initrc_t init_t:fifo_file rw_fifo_file_perms;
-+
-+manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t)
-+manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
-+manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
-+manage_sock_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
-+files_var_lib_filetrans(init_t, init_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
-+manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
-+manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
-+manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
-+files_pid_filetrans(init_t, init_var_run_t, { dir file })
-+allow init_t init_var_run_t:dir mounton;
-+allow init_t init_var_run_t:sock_file relabelto;
-+
-+allow init_t machineid_t:file manage_file_perms;
-+files_pid_filetrans(init_t, machineid_t, file, "machine-id")
-+files_etc_filetrans(init_t, machineid_t, file, "machine-id")
-+allow init_t machineid_t:file mounton;
-
- allow init_t initctl_t:fifo_file manage_fifo_file_perms;
- dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -122,28 +177,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
-
- kernel_read_system_state(init_t)
- kernel_share_state(init_t)
-+kernel_stream_connect(init_t)
-
- corecmd_exec_chroot(init_t)
- corecmd_exec_bin(init_t)
-
--dev_read_sysfs(init_t)
-+dev_rw_sysfs(init_t)
-+dev_read_urand(init_t)
- # Early devtmpfs
- dev_rw_generic_chr_files(init_t)
-+dev_filetrans_all_named_dev(init_t)
-
- domain_getpgid_all_domains(init_t)
- domain_kill_all_domains(init_t)
- domain_signal_all_domains(init_t)
- domain_signull_all_domains(init_t)
- domain_sigstop_all_domains(init_t)
-+domain_sigstop_all_domains(init_t)
- domain_sigchld_all_domains(init_t)
-+domain_read_all_domains_state(init_t)
-
- files_read_etc_files(init_t)
-+files_read_all_pids(init_t)
-+files_read_system_conf_files(init_t)
- files_rw_generic_pids(init_t)
- files_dontaudit_search_isid_type_dirs(init_t)
-+files_read_etc_runtime_files(init_t)
- files_manage_etc_runtime_files(init_t)
-+files_manage_etc_symlinks(init_t)
- files_etc_filetrans_etc_runtime(init_t, file)
- # Run /etc/X11/prefdm:
- files_exec_etc_files(init_t)
-+files_read_usr_files(init_t)
- # file descriptors inherited from the rootfs:
- files_dontaudit_rw_root_files(init_t)
- files_dontaudit_rw_root_chr_files(init_t)
-@@ -152,6 +217,8 @@ fs_list_inotifyfs(init_t)
- # cjp: this may be related to /dev/log
- fs_write_ramfs_sockets(init_t)
-
-+mcs_file_read_all(init_t)
-+mcs_file_write_all(init_t)
- mcs_process_set_categories(init_t)
- mcs_killall(init_t)
-
-@@ -159,22 +226,41 @@ mls_file_read_all_levels(init_t)
- mls_file_write_all_levels(init_t)
- mls_process_write_down(init_t)
- mls_fd_use_all_levels(init_t)
-+mls_socket_read_all_levels(init_t)
-+mls_socket_write_all_levels(init_t)
-+
-+mls_rangetrans_source(init_t)
-+mls_rangetrans_source(initrc_t)
-
- selinux_set_all_booleans(init_t)
-+selinux_load_policy(init_t)
-+selinux_mounton_fs(init_t)
-+allow init_t security_t:security load_policy;
-
--term_use_all_terms(init_t)
-+term_use_unallocated_ttys(init_t)
-+term_use_console(init_t)
-+term_use_all_inherited_terms(init_t)
-
- # Run init scripts.
- init_domtrans_script(init_t)
-
- libs_rw_ld_so_cache(init_t)
-
-+logging_create_devlog_dev(init_t)
- logging_send_syslog_msg(init_t)
-+logging_send_audit_msgs(init_t)
- logging_rw_generic_logs(init_t)
-+logging_relabel_devlog_dev(init_t)
-
- seutil_read_config(init_t)
-+seutil_read_module_store(init_t)
-+
-+miscfiles_manage_localization(init_t)
-+miscfiles_filetrans_named_content(init_t)
-+
-+userdom_use_user_ttys(init_t)
-
--miscfiles_read_localization(init_t)
-+allow init_t self:process setsched;
-
- ifdef(`distro_gentoo',`
- allow init_t self:process { getcap setcap };
-@@ -183,29 +269,177 @@ ifdef(`distro_gentoo',`
- ')
-
- ifdef(`distro_redhat',`
-+ fs_manage_tmpfs_files(init_t)
-+ fs_manage_tmpfs_sockets(init_t)
-+ fs_exec_tmpfs_files(init_t)
- fs_read_tmpfs_symlinks(init_t)
- fs_rw_tmpfs_chr_files(init_t)
- fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
-+ fs_tmpfs_filetrans_named_content(init_t)
-+
-+ logging_stream_connect_syslog(init_t)
-+ logging_relabel_syslog_pid_socket(init_t)
- ')
-
--tunable_policy(`init_upstart',`
-- corecmd_shell_domtrans(init_t, initrc_t)
--',`
-- # Run the shell in the sysadm role for single-user mode.
-- # causes problems with upstart
-- sysadm_shell_domtrans(init_t)
-+corecmd_shell_domtrans(init_t, initrc_t)
-+
-+storage_raw_rw_fixed_disk(init_t)
-+
-+optional_policy(`
-+ gnome_filetrans_home_content(init_t)
-+')
-+
-+optional_policy(`
-+ modutils_domtrans_insmod(init_t)
-+ modutils_list_module_config(init_t)
-+')
-+
-+optional_policy(`
-+ postfix_exec(init_t)
-+ postfix_list_spool(init_t)
-+ mta_read_aliases(init_t)
-+')
-+
-+allow init_t self:system all_system_perms;
-+allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow init_t self:process { setsockcreate setfscreate setrlimit };
-+allow init_t self:process { getcap setcap };
-+allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow init_t self:netlink_selinux_socket create_socket_perms;
-+# Until systemd is fixed
-+allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
-+allow init_t self:udp_socket create_socket_perms;
-+allow init_t self:netlink_route_socket create_netlink_socket_perms;
-+
-+allow init_t initrc_t:unix_dgram_socket create_socket_perms;
-+
-+kernel_list_unlabeled(init_t)
-+kernel_read_network_state(init_t)
-+kernel_rw_kernel_sysctl(init_t)
-+kernel_rw_net_sysctls(init_t)
-+kernel_read_all_sysctls(init_t)
-+kernel_read_software_raid_state(init_t)
-+kernel_unmount_debugfs(init_t)
-+kernel_setsched(init_t)
-+
-+dev_write_kmsg(init_t)
-+dev_write_urand(init_t)
-+dev_rw_lvm_control(init_t)
-+dev_rw_autofs(init_t)
-+dev_manage_generic_symlinks(init_t)
-+dev_manage_generic_dirs(init_t)
-+dev_manage_generic_files(init_t)
-+dev_read_generic_chr_files(init_t)
-+dev_relabel_generic_dev_dirs(init_t)
-+dev_relabel_all_dev_nodes(init_t)
-+dev_relabel_all_dev_files(init_t)
-+dev_manage_sysfs_dirs(init_t)
-+dev_relabel_sysfs_dirs(init_t)
-+
-+files_search_all(init_t)
-+files_mounton_all_mountpoints(init_t)
-+files_unmount_all_file_type_fs(init_t)
-+files_manage_all_pid_dirs(init_t)
-+files_manage_etc_dirs(init_t)
-+files_manage_generic_tmp_dirs(init_t)
-+files_relabel_all_pid_dirs(init_t)
-+files_relabel_all_pid_files(init_t)
-+files_create_all_pid_sockets(init_t)
-+files_delete_all_pids(init_t)
-+files_exec_generic_pid_files(init_t)
-+files_create_all_pid_pipes(init_t)
-+files_create_all_spool_sockets(init_t)
-+files_delete_all_spool_sockets(init_t)
-+files_manage_urandom_seed(init_t)
-+files_list_locks(init_t)
-+files_list_spool(init_t)
-+files_list_var(init_t)
-+files_list_boot(init_t)
-+files_list_home(init_t)
-+files_create_lock_dirs(init_t)
-+files_relabel_all_lock_dirs(init_t)
-+files_read_kernel_modules(init_t)
-+fs_getattr_all_fs(init_t)
-+fs_manage_cgroup_dirs(init_t)
-+fs_manage_cgroup_files(init_t)
-+fs_manage_hugetlbfs_dirs(init_t)
-+fs_manage_tmpfs_dirs(init_t)
-+fs_relabel_tmpfs_dirs(init_t)
-+fs_relabel_tmpfs_files(init_t)
-+fs_relabel_tmpfs_fifo_files(init_t)
-+fs_mount_all_fs(init_t)
-+fs_unmount_all_fs(init_t)
-+fs_remount_all_fs(init_t)
-+fs_list_auto_mountpoints(init_t)
-+fs_register_binary_executable_type(init_t)
-+fs_relabel_tmpfs_sock_file(init_t)
-+fs_rw_tmpfs_files(init_t)
-+fs_relabel_cgroup_dirs(init_t)
-+fs_search_cgroup_dirs(init_t)
-+selinux_compute_access_vector(init_t)
-+selinux_compute_create_context(init_t)
-+selinux_validate_context(init_t)
-+selinux_unmount_fs(init_t)
-+
-+storage_getattr_removable_dev(init_t)
-+
-+term_relabel_ptys_dirs(init_t)
-+
-+auth_relabel_login_records(init_t)
-+auth_relabel_pam_console_data_dirs(init_t)
-+
-+clock_read_adjtime(init_t)
-+
-+init_read_script_state(init_t)
-+
-+modutils_read_module_config(init_t)
-+
-+seutil_read_file_contexts(init_t)
-+
-+systemd_exec_systemctl(init_t)
-+systemd_manage_unit_dirs(init_t)
-+systemd_manage_random_seed(init_t)
-+systemd_manage_all_unit_files(init_t)
-+systemd_logger_stream_connect(init_t)
-+systemd_config_all_services(init_t)
-+systemd_relabelto_fifo_file_passwd_run(init_t)
-+systemd_relabel_unit_dirs(init_t)
-+systemd_relabel_unit_files(init_t)
-+systemd_config_all_services(initrc_t)
-+systemd_read_unit_files(initrc_t)
-+
-+create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
-+
-+auth_use_nsswitch(init_t)
-+auth_rw_login_records(init_t)
-+
-+optional_policy(`
-+ lvm_rw_pipes(init_t)
-+ lvm_read_config(init_t)
- ')
-
- optional_policy(`
-- auth_rw_login_records(init_t)
-+ consolekit_manage_log(init_t)
- ')
-
- optional_policy(`
-+ dbus_connect_system_bus(init_t)
- dbus_system_bus_client(init_t)
-+ dbus_delete_pid_files(init_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(init_t)
-+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
-+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
-+ # the directory. But we do not want to allow this.
-+ # The master process of dovecot will manage this file.
-+ dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
-+ plymouthd_stream_connect(init_t)
-+ plymouthd_exec_plymouth(init_t)
- ')
-
- optional_policy(`
-@@ -213,6 +447,27 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rpcbind_filetrans_named_content(init_t)
-+ rpcbind_relabel_sock_file(init_t)
-+')
-+
-+optional_policy(`
-+ systemd_filetrans_named_content(init_t)
-+')
-+
-+optional_policy(`
-+ udev_read_db(init_t)
-+ udev_relabelto_db(init_t)
-+ udev_create_kobject_uevent_socket(init_t)
-+ udev_relabel_pid_sockfile(init_t)
-+')
-+
-+optional_policy(`
-+ xserver_relabel_xdm_tmp_dirs(init_t)
-+ xserver_manage_xdm_tmp_dirs(init_t)
-+')
-+
-+optional_policy(`
- unconfined_domain(init_t)
- ')
-
-@@ -222,8 +477,9 @@ optional_policy(`
- #
-
- allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
--allow initrc_t self:capability ~{ sys_admin sys_module };
--dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
-+allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
-+allow initrc_t self:capability2 block_suspend;
-+dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this
- allow initrc_t self:passwd rootok;
- allow initrc_t self:key manage_key_perms;
-
-@@ -251,12 +507,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
-
- allow initrc_t initrc_var_run_t:file manage_file_perms;
- files_pid_filetrans(initrc_t, initrc_var_run_t, file)
-+files_manage_generic_pids_symlinks(initrc_t)
-+files_create_var_run_dirs(initrc_t)
-+files_relabelfrom_isid_type(initrc_t)
-
- can_exec(initrc_t, initrc_tmp_t)
- manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
- manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
- manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
- files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
-+allow initrc_t initrc_tmp_t:dir relabelfrom;
-
- manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
- manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -272,23 +532,36 @@ kernel_change_ring_buffer_level(initrc_t)
- kernel_clear_ring_buffer(initrc_t)
- kernel_get_sysvipc_info(initrc_t)
- kernel_read_all_sysctls(initrc_t)
-+kernel_request_load_module(initrc_t)
- kernel_rw_all_sysctls(initrc_t)
- # for lsof which is used by alsa shutdown:
- kernel_dontaudit_getattr_message_if(initrc_t)
-+kernel_stream_connect(initrc_t)
-+files_read_kernel_modules(initrc_t)
-+files_read_config_files(initrc_t)
-+files_read_var_lib_symlinks(initrc_t)
-+files_setattr_pid_dirs(initrc_t)
-
- files_create_lock_dirs(initrc_t)
- files_pid_filetrans_lock_dir(initrc_t, "lock")
- files_read_kernel_symbol_table(initrc_t)
--files_setattr_lock_dirs(initrc_t)
-+files_exec_etc_files(initrc_t)
-+files_manage_etc_symlinks(initrc_t)
-+files_manage_system_conf_files(initrc_t)
-+
-+fs_manage_tmpfs_dirs(initrc_t)
-+fs_manage_tmpfs_symlinks(initrc_t)
-+fs_delete_tmpfs_files(initrc_t)
-+fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
-+fs_read_nfsd_files(initrc_t)
-
- corecmd_exec_all_executables(initrc_t)
-
--corenet_all_recvfrom_unlabeled(initrc_t)
- corenet_all_recvfrom_netlabel(initrc_t)
--corenet_tcp_sendrecv_all_if(initrc_t)
--corenet_udp_sendrecv_all_if(initrc_t)
--corenet_tcp_sendrecv_all_nodes(initrc_t)
--corenet_udp_sendrecv_all_nodes(initrc_t)
-+corenet_tcp_sendrecv_generic_if(initrc_t)
-+corenet_udp_sendrecv_generic_if(initrc_t)
-+corenet_tcp_sendrecv_generic_node(initrc_t)
-+corenet_udp_sendrecv_generic_node(initrc_t)
- corenet_tcp_sendrecv_all_ports(initrc_t)
- corenet_udp_sendrecv_all_ports(initrc_t)
- corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,9 +569,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
-
- dev_read_rand(initrc_t)
- dev_read_urand(initrc_t)
-+dev_dontaudit_read_kmsg(initrc_t)
- dev_write_kmsg(initrc_t)
- dev_write_rand(initrc_t)
- dev_write_urand(initrc_t)
-+dev_write_watchdog(initrc_t)
- dev_rw_sysfs(initrc_t)
- dev_list_usbfs(initrc_t)
- dev_read_framebuffer(initrc_t)
-@@ -306,8 +581,10 @@ dev_write_framebuffer(initrc_t)
- dev_read_realtime_clock(initrc_t)
- dev_read_sound_mixer(initrc_t)
- dev_write_sound_mixer(initrc_t)
-+dev_setattr_generic_dirs(initrc_t)
- dev_setattr_all_chr_files(initrc_t)
- dev_rw_lvm_control(initrc_t)
-+dev_rw_generic_chr_files(initrc_t)
- dev_delete_lvm_control_dev(initrc_t)
- dev_manage_generic_symlinks(initrc_t)
- dev_manage_generic_files(initrc_t)
-@@ -315,17 +592,16 @@ dev_manage_generic_files(initrc_t)
- dev_delete_generic_symlinks(initrc_t)
- dev_getattr_all_blk_files(initrc_t)
- dev_getattr_all_chr_files(initrc_t)
--# Early devtmpfs
--dev_rw_generic_chr_files(initrc_t)
-+dev_rw_xserver_misc(initrc_t)
-
- domain_kill_all_domains(initrc_t)
- domain_signal_all_domains(initrc_t)
- domain_signull_all_domains(initrc_t)
- domain_sigstop_all_domains(initrc_t)
-+domain_sigstop_all_domains(initrc_t)
- domain_sigchld_all_domains(initrc_t)
- domain_read_all_domains_state(initrc_t)
- domain_getattr_all_domains(initrc_t)
--domain_dontaudit_ptrace_all_domains(initrc_t)
- domain_getsession_all_domains(initrc_t)
- domain_use_interactive_fds(initrc_t)
- # for lsof which is used by alsa shutdown:
-@@ -333,6 +609,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
- domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
- domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
- domain_dontaudit_getattr_all_pipes(initrc_t)
-+domain_obj_id_change_exemption(initrc_t)
-
- files_getattr_all_dirs(initrc_t)
- files_getattr_all_files(initrc_t)
-@@ -340,8 +617,10 @@ files_getattr_all_symlinks(initrc_t)
- files_getattr_all_pipes(initrc_t)
- files_getattr_all_sockets(initrc_t)
- files_purge_tmp(initrc_t)
--files_delete_all_locks(initrc_t)
-+files_manage_all_locks(initrc_t)
-+files_manage_boot_files(initrc_t)
- files_read_all_pids(initrc_t)
-+files_delete_root_files(initrc_t)
- files_delete_all_pids(initrc_t)
- files_delete_all_pid_dirs(initrc_t)
- files_read_etc_files(initrc_t)
-@@ -357,8 +636,12 @@ files_list_isid_type_dirs(initrc_t)
- files_mounton_isid_type_dirs(initrc_t)
- files_list_default(initrc_t)
- files_mounton_default(initrc_t)
-+files_manage_mnt_dirs(initrc_t)
-+files_manage_mnt_files(initrc_t)
-
--fs_write_cgroup_files(initrc_t)
-+fs_delete_cgroup_dirs(initrc_t)
-+fs_list_cgroup_dirs(initrc_t)
-+fs_rw_cgroup_files(initrc_t)
- fs_list_inotifyfs(initrc_t)
- fs_register_binary_executable_type(initrc_t)
- # rhgb-console writes to ramfs
-@@ -368,9 +651,13 @@ fs_mount_all_fs(initrc_t)
- fs_unmount_all_fs(initrc_t)
- fs_remount_all_fs(initrc_t)
- fs_getattr_all_fs(initrc_t)
-+fs_search_all(initrc_t)
-+fs_getattr_nfsd_files(initrc_t)
-+fs_dontaudit_create_tmpfs_chr_dev(initrc_t)
-
- # initrc_t needs to do a pidof which requires ptrace
--mcs_ptrace_all(initrc_t)
-+mcs_file_read_all(initrc_t)
-+mcs_file_write_all(initrc_t)
- mcs_killall(initrc_t)
- mcs_process_set_categories(initrc_t)
-
-@@ -380,6 +667,7 @@ mls_process_read_up(initrc_t)
- mls_process_write_down(initrc_t)
- mls_rangetrans_source(initrc_t)
- mls_fd_share_all_levels(initrc_t)
-+mls_socket_write_to_clearance(initrc_t)
-
- selinux_get_enforce_mode(initrc_t)
-
-@@ -391,6 +679,7 @@ term_use_all_terms(initrc_t)
- term_reset_tty_labels(initrc_t)
-
- auth_rw_login_records(initrc_t)
-+auth_manage_faillog(initrc_t)
- auth_setattr_login_records(initrc_t)
- auth_rw_lastlog(initrc_t)
- auth_read_pam_pid(initrc_t)
-@@ -409,20 +698,18 @@ logging_read_all_logs(initrc_t)
- logging_append_all_logs(initrc_t)
- logging_read_audit_config(initrc_t)
-
--miscfiles_read_localization(initrc_t)
- # slapd needs to read cert files from its initscript
--miscfiles_read_generic_certs(initrc_t)
-+miscfiles_manage_generic_cert_files(initrc_t)
-
--modutils_read_module_config(initrc_t)
--modutils_domtrans_insmod(initrc_t)
-
- seutil_read_config(initrc_t)
-
-+userdom_read_admin_home_files(initrc_t)
- userdom_read_user_home_content_files(initrc_t)
- # Allow access to the sysadm TTYs. Note that this will give access to the
- # TTYs to any process in the initrc_t domain. Therefore, daemons and such
- # started from init should be placed in their own domain.
--userdom_use_user_terminals(initrc_t)
-+userdom_use_inherited_user_terminals(initrc_t)
-
- ifdef(`distro_debian',`
- dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +763,10 @@ ifdef(`distro_gentoo',`
- sysnet_setattr_config(initrc_t)
-
- optional_policy(`
-+ abrt_manage_pid_files(initrc_t)
-+ ')
-+
-+ optional_policy(`
- alsa_read_lib(initrc_t)
- ')
-
-@@ -496,7 +787,7 @@ ifdef(`distro_redhat',`
-
- # Red Hat systems seem to have a stray
- # fd open from the initrd
-- kernel_dontaudit_use_fds(initrc_t)
-+ kernel_use_fds(initrc_t)
- files_dontaudit_read_root_files(initrc_t)
-
- # These seem to be from the initrd
-@@ -511,6 +802,7 @@ ifdef(`distro_redhat',`
- files_create_boot_dirs(initrc_t)
- files_create_boot_flag(initrc_t)
- files_rw_boot_symlinks(initrc_t)
-+
- # wants to read /.fonts directory
- files_read_default_files(initrc_t)
- files_mountpoint(initrc_tmp_t)
-@@ -531,6 +823,7 @@ ifdef(`distro_redhat',`
- miscfiles_rw_localization(initrc_t)
- miscfiles_setattr_localization(initrc_t)
- miscfiles_relabel_localization(initrc_t)
-+ miscfiles_filetrans_named_content(initrc_t)
-
- miscfiles_read_fonts(initrc_t)
- miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +833,40 @@ ifdef(`distro_redhat',`
- ')
-
- optional_policy(`
-+ abrt_manage_pid_files(initrc_t)
-+ ')
-+
-+ optional_policy(`
- bind_manage_config_dirs(initrc_t)
-+ bind_manage_config(initrc_t)
- bind_write_config(initrc_t)
-+ bind_setattr_zone_dirs(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ cyrus_write_data(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ devicekit_append_inherited_log_files(initrc_t)
-+ devicekit_dbus_chat_power(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ dirsrvadmin_read_config(initrc_t)
-+ dirsrv_manage_var_run(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ gnome_manage_gconf_config(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ ldap_read_db_files(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ pulseaudio_stream_connect(initrc_t)
- ')
-
- optional_policy(`
-@@ -549,14 +874,31 @@ ifdef(`distro_redhat',`
- rpc_write_exports(initrc_t)
- rpc_manage_nfs_state_data(initrc_t)
- ')
-+ optional_policy(`
-+ rpcbind_stream_connect(initrc_t)
-+ ')
-
- optional_policy(`
- sysnet_rw_dhcp_config(initrc_t)
- sysnet_manage_config(initrc_t)
-+ sysnet_manage_dhcpc_state(initrc_t)
-+ sysnet_relabelfrom_dhcpc_state(initrc_t)
-+ sysnet_relabelfrom_net_conf(initrc_t)
-+ sysnet_relabelto_net_conf(initrc_t)
-+ sysnet_filetrans_named_content(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ tgtd_stream_connect(initrc_t)
-+ ')
-+
-+ optional_policy(`
-+ wdmd_manage_pid_files(initrc_t)
- ')
-
- optional_policy(`
- xserver_delete_log(initrc_t)
-+ xserver_manage_user_fonts_dir(initrc_t)
- ')
- ')
-
-@@ -567,6 +909,39 @@ ifdef(`distro_suse',`
- ')
- ')
-
-+domain_dontaudit_use_interactive_fds(daemon)
-+
-+userdom_dontaudit_list_admin_dir(daemon)
-+userdom_dontaudit_search_user_tmp(daemon)
-+
-+tunable_policy(`daemons_use_tcp_wrapper',`
-+ corenet_tcp_connect_auth_port(daemon)
-+')
-+
-+tunable_policy(`daemons_use_tty',`
-+ term_use_unallocated_ttys(daemon)
-+ term_use_generic_ptys(daemon)
-+ term_use_all_ttys(daemon)
-+ term_use_all_ptys(daemon)
-+',`
-+ term_dontaudit_use_unallocated_ttys(daemon)
-+ term_dontaudit_use_generic_ptys(daemon)
-+ term_dontaudit_use_all_ttys(daemon)
-+ term_dontaudit_use_all_ptys(daemon)
-+ ')
-+
-+# system-config-services causes avc messages that should be dontaudited
-+tunable_policy(`daemons_dump_core',`
-+ files_manage_root_files(daemon)
-+')
-+
-+optional_policy(`
-+ unconfined_dontaudit_rw_pipes(daemon)
-+ unconfined_dontaudit_rw_stream(daemon)
-+ userdom_dontaudit_read_user_tmp_files(daemon)
-+ userdom_dontaudit_write_user_tmp_files(daemon)
-+')
-+
- optional_policy(`
- amavis_search_lib(initrc_t)
- amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +954,8 @@ optional_policy(`
- optional_policy(`
- apache_read_config(initrc_t)
- apache_list_modules(initrc_t)
-+ # webmin seems to cause this.
-+ apache_search_sys_content(daemon)
- ')
-
- optional_policy(`
-@@ -600,6 +977,7 @@ optional_policy(`
-
- optional_policy(`
- cgroup_stream_connect_cgred(initrc_t)
-+ domain_setpriority_all_domains(initrc_t)
- ')
-
- optional_policy(`
-@@ -612,6 +990,17 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ chronyd_append_keys(initrc_t)
-+ chronyd_read_keys(initrc_t)
-+')
-+
-+optional_policy(`
-+ cron_read_pipes(initrc_t)
-+ # managing /etc/cron.d/mailman content
-+ cron_manage_system_spool(initrc_t)
-+')
-+
-+optional_policy(`
- dev_getattr_printer_dev(initrc_t)
-
- cups_read_log(initrc_t)
-@@ -628,9 +1017,13 @@ optional_policy(`
- dbus_connect_system_bus(initrc_t)
- dbus_system_bus_client(initrc_t)
- dbus_read_config(initrc_t)
-+ dbus_manage_lib_files(initrc_t)
-+
-+ init_dbus_chat(initrc_t)
-
- optional_policy(`
- consolekit_dbus_chat(initrc_t)
-+ consolekit_manage_log(initrc_t)
- ')
-
- optional_policy(`
-@@ -655,6 +1048,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ glance_manage_pid_files(initrc_t)
-+')
-+
-+optional_policy(`
- gpm_setattr_gpmctl(initrc_t)
- ')
-
-@@ -672,6 +1069,15 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ firewalld_dbus_chat(initrc_t)
-+')
-+
-+optional_policy(`
-+ modutils_read_module_config(initrc_t)
-+ modutils_domtrans_insmod(initrc_t)
-+')
-+
-+optional_policy(`
- inn_exec_config(initrc_t)
- ')
-
-@@ -712,6 +1118,7 @@ optional_policy(`
- lpd_list_spool(initrc_t)
-
- lpd_read_config(initrc_t)
-+ lpd_manage_spool(init_t)
- ')
-
- optional_policy(`
-@@ -729,7 +1136,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ milter_delete_dkim_pid_files(initrc_t)
-+ milter_setattr_all_dirs(initrc_t)
-+')
-+
-+optional_policy(`
-+ mta_manage_aliases(initrc_t)
- mta_read_config(initrc_t)
-+ mta_write_config(initrc_t)
- mta_dontaudit_read_spool_symlinks(initrc_t)
- ')
-
-@@ -752,6 +1166,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ plymouthd_stream_connect(initrc_t)
-+')
-+
-+optional_policy(`
- postgresql_manage_db(initrc_t)
- postgresql_read_config(initrc_t)
- ')
-@@ -761,10 +1179,20 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ psad_setattr_fifo_file(initrc_t)
-+ psad_setattr_log(initrc_t)
-+ psad_write_log(initrc_t)
-+')
-+
-+optional_policy(`
- puppet_rw_tmp(initrc_t)
- ')
-
- optional_policy(`
-+ qpidd_manage_var_run(initrc_t)
-+')
-+
-+optional_policy(`
- quota_manage_flags(initrc_t)
- ')
-
-@@ -773,6 +1201,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ ricci_manage_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
- fs_write_ramfs_sockets(initrc_t)
- fs_search_ramfs(initrc_t)
-
-@@ -794,8 +1226,6 @@ optional_policy(`
- # bash tries ioctl for some reason
- files_dontaudit_ioctl_all_pids(initrc_t)
-
-- # why is this needed:
-- rpm_manage_db(initrc_t)
- ')
-
- optional_policy(`
-@@ -804,6 +1234,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ sendmail_setattr_pid_files(initrc_t)
-+')
-+
-+optional_policy(`
- # shorewall-init script run /var/lib/shorewall/firewall
- shorewall_lib_domtrans(initrc_t)
- ')
-@@ -813,10 +1247,12 @@ optional_policy(`
- squid_manage_logs(initrc_t)
- ')
-
-+ifdef(`enabled_mls',`
- optional_policy(`
- # allow init scripts to su
- su_restricted_domain_template(initrc, initrc_t, system_r)
- ')
-+')
-
- optional_policy(`
- ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1264,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- udev_rw_db(initrc_t)
-- udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
- udev_manage_pid_files(initrc_t)
- udev_manage_pid_dirs(initrc_t)
- udev_manage_rules_files(initrc_t)
-@@ -840,12 +1274,30 @@ optional_policy(`
- ')
-
- optional_policy(`
-- virt_stream_connect(initrc_t)
-- virt_manage_svirt_cache(initrc_t)
-+ virt_manage_pid_dirs(initrc_t)
-+ virt_manage_cache(initrc_t)
-+ virt_manage_lib_files(initrc_t)
-+')
-+
-+# Cron jobs used to start and stop services
-+optional_policy(`
-+ cron_rw_pipes(daemon)
-+ cron_rw_inherited_user_spool_files(daemon)
-+')
-+
-+optional_policy(`
-+ cfengine_append_inherited_log(daemon)
- ')
-
- optional_policy(`
- unconfined_domain(initrc_t)
-+ domain_role_change_exemption(initrc_t)
-+ mcs_file_read_all(initrc_t)
-+ mcs_file_write_all(initrc_t)
-+ mcs_socket_write_all_levels(initrc_t)
-+ mcs_killall(initrc_t)
-+
-+ files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })
-
- ifdef(`distro_redhat',`
- # system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1307,18 @@ optional_policy(`
- optional_policy(`
- mono_domtrans(initrc_t)
- ')
-+
-+ # Allow SELinux aware applications to request rpm_script_t execution
-+ rpm_transition_script(initrc_t)
-+
-+ optional_policy(`
-+ rtkit_scheduled(initrc_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ rpm_read_db(initrc_t)
-+ rpm_delete_db(initrc_t)
- ')
-
- optional_policy(`
-@@ -870,6 +1334,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ sanlock_manage_pid_files(initrc_t)
-+')
-+
-+optional_policy(`
- # Set device ownerships/modes.
- xserver_setattr_console_pipes(initrc_t)
-
-@@ -880,3 +1348,185 @@ optional_policy(`
- optional_policy(`
- zebra_read_config(initrc_t)
- ')
-+
-+userdom_inherit_append_user_home_content_files(daemon)
-+userdom_inherit_append_user_tmp_files(daemon)
-+userdom_dontaudit_rw_stream(daemon)
-+
-+logging_inherit_append_all_logs(daemon)
-+
-+optional_policy(`
-+ # sudo service restart causes this
-+ unconfined_signull(daemon)
-+')
-+
-+
-+optional_policy(`
-+ xserver_dontaudit_append_xdm_home_files(daemon)
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_dontaudit_rw_nfs_files(daemon)
-+ ')
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_dontaudit_rw_cifs_files(daemon)
-+ ')
-+')
-+
-+init_rw_script_stream_sockets(daemon)
-+
-+optional_policy(`
-+ abrt_stream_connect(daemon)
-+')
-+
-+optional_policy(`
-+ fail2ban_read_lib_files(daemon)
-+')
-+
-+optional_policy(`
-+ firstboot_dontaudit_leaks(daemon)
-+')
-+
-+init_rw_stream_sockets(daemon)
-+init_dontaudit_script_leaks(daemon)
-+
-+allow init_t var_run_t:dir relabelto;
-+
-+init_stream_connect(initrc_t)
-+
-+allow initrc_t daemon:process siginh;
-+allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
-+allow daemon initrc_transition_domain:fd use;
-+
-+allow init_t daemon:unix_stream_socket create_stream_socket_perms;
-+allow init_t daemon:unix_dgram_socket create_socket_perms;
-+allow init_t daemon:tcp_socket create_stream_socket_perms;
-+allow init_t daemon:udp_socket create_socket_perms;
-+allow daemon init_t:unix_dgram_socket sendto;
-+# need write to /var/run/systemd/notify
-+init_write_pid_socket(daemon)
-+allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
-+
-+# daemons started from init will
-+# inherit fds from init for the console
-+init_dontaudit_use_fds(daemon)
-+term_dontaudit_use_console(daemon)
-+# init script ptys are the stdin/out/err
-+# when using run_init
-+init_use_script_ptys(daemon)
-+
-+allow init_t daemon:process siginh;
-+
-+ifdef(`hide_broken_symptoms',`
-+ # RHEL4 systems seem to have a stray
-+ # fds open from the initrd
-+ ifdef(`distro_rhel4',`
-+ kernel_dontaudit_use_fds(daemon)
-+ ')
-+
-+ dontaudit daemon init_t:dir search_dir_perms;
-+')
-+
-+optional_policy(`
-+ nscd_socket_use(daemon)
-+')
-+
-+optional_policy(`
-+ puppet_rw_tmp(daemon)
-+')
-+
-+allow direct_run_init daemon:process { noatsecure siginh rlimitinh };
-+
-+allow initrc_t systemprocess:process siginh;
-+allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
-+allow systemprocess initrc_transition_domain:fd use;
-+
-+dontaudit systemprocess init_t:unix_stream_socket getattr;
-+
-+allow init_t daemon:unix_stream_socket create_stream_socket_perms;
-+allow init_t daemon:unix_dgram_socket create_socket_perms;
-+allow daemon init_t:unix_stream_socket ioctl;
-+allow daemon init_t:unix_dgram_socket sendto;
-+# need write to /var/run/systemd/notify
-+init_write_pid_socket(daemon)
-+init_rw_inherited_script_tmp_files(daemon)
-+
-+# Handle upstart/systemd direct transition to a executable
-+allow init_t systemprocess:process { dyntransition siginh };
-+allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
-+allow init_t systemprocess:unix_dgram_socket create_socket_perms;
-+allow systemprocess init_t:unix_dgram_socket sendto;
-+allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
-+
-+files_dontaudit_rw_inherited_locks(systemprocess)
-+
-+init_rw_inherited_script_tmp_files(systemprocess)
-+
-+logging_dontaudit_rw_inherited_generic_logs(systemprocess)
-+
-+userdom_dontaudit_search_user_home_dirs(systemprocess)
-+userdom_dontaudit_rw_stream(systemprocess)
-+userdom_dontaudit_write_user_tmp_files(systemprocess)
-+
-+tunable_policy(`daemons_use_tty',`
-+ term_use_all_ttys(systemprocess)
-+ term_use_all_ptys(systemprocess)
-+',`
-+ term_dontaudit_use_all_ttys(systemprocess)
-+ term_dontaudit_use_all_ptys(systemprocess)
-+')
-+
-+# these apps are often redirect output to random log files
-+logging_inherit_append_all_logs(systemprocess)
-+
-+optional_policy(`
-+ abrt_stream_connect(systemprocess)
-+')
-+
-+optional_policy(`
-+ cfengine_append_inherited_log(systemprocess)
-+')
-+
-+optional_policy(`
-+ cron_rw_pipes(systemprocess)
-+')
-+
-+optional_policy(`
-+ puppet_rw_tmp(systemprocess)
-+')
-+
-+optional_policy(`
-+ xserver_dontaudit_append_xdm_home_files(systemprocess)
-+')
-+
-+optional_policy(`
-+ unconfined_dontaudit_rw_pipes(systemprocess)
-+ unconfined_dontaudit_rw_stream(systemprocess)
-+ userdom_dontaudit_read_user_tmp_files(systemprocess)
-+')
-+
-+init_rw_script_stream_sockets(systemprocess)
-+
-+role system_r types systemprocess;
-+role system_r types daemon;
-+
-+#ifdef(`enable_mls',`
-+# mls_rangetrans_target(systemprocess)
-+#')
-+
-+allow initrc_domain daemon:process transition;
-+allow daemon initrc_domain:fd use;
-+allow daemon initrc_domain:fifo_file rw_inherited_fifo_file_perms;
-+allow daemon initrc_domain:process sigchld;
-+allow initrc_domain direct_init_entry:file { getattr open read execute };
-+
-+allow systemprocess initrc_domain:fd use;
-+allow systemprocess initrc_domain:fifo_file rw_inherited_fifo_file_perms;
-+allow systemprocess initrc_domain:process sigchld;
-+allow initrc_domain systemprocess_entry:file { getattr open read execute };
-+allow initrc_domain systemprocess:process transition;
-+
-+ifdef(`direct_sysadm_daemon',`
-+ allow daemon direct_run_init:fd use;
-+ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
-+ allow daemon direct_run_init:process sigchld;
-+ allow direct_run_init direct_init_entry:file { getattr open read execute };
-+')
-diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index ec85acb..662e79b 100644
---- a/policy/modules/system/ipsec.fc
-+++ b/policy/modules/system/ipsec.fc
-@@ -27,11 +27,6 @@
- /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
- /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-
--/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
--/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
--/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
--/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
--
- /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
- /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
- /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..9d66bf7 100644
---- a/policy/modules/system/ipsec.if
-+++ b/policy/modules/system/ipsec.if
-@@ -120,7 +120,6 @@ interface(`ipsec_exec_mgmt',`
- ##
- ##
- #
--#
- interface(`ipsec_signal_mgmt',`
- gen_require(`
- type ipsec_mgmt_t;
-@@ -139,7 +138,6 @@ interface(`ipsec_signal_mgmt',`
- ##
- ##
- #
--#
- interface(`ipsec_signull_mgmt',`
- gen_require(`
- type ipsec_mgmt_t;
-@@ -158,7 +156,6 @@ interface(`ipsec_signull_mgmt',`
- ##
- ##
- #
--#
- interface(`ipsec_kill_mgmt',`
- gen_require(`
- type ipsec_mgmt_t;
-@@ -225,6 +222,7 @@ interface(`ipsec_match_default_spd',`
-
- allow $1 ipsec_spd_t:association polmatch;
- allow $1 self:association sendto;
-+ allow $1 self:peer recv;
- ')
-
- ########################################
-diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index a30840c..77206a0 100644
---- a/policy/modules/system/ipsec.te
-+++ b/policy/modules/system/ipsec.te
-@@ -73,13 +73,15 @@ role system_r types setkey_t;
- #
-
- allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
--dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
-+dontaudit ipsec_t self:capability sys_tty_config;
- allow ipsec_t self:process { getcap setcap getsched signal setsched };
- allow ipsec_t self:tcp_socket create_stream_socket_perms;
- allow ipsec_t self:udp_socket create_socket_perms;
- allow ipsec_t self:key_socket create_socket_perms;
- allow ipsec_t self:fifo_file read_fifo_file_perms;
- allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
-+allow ipsec_t self:netlink_selinux_socket create_socket_perms;
-+allow ipsec_t self:unix_stream_socket create_stream_socket_perms;
-
- allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
-
-@@ -113,6 +115,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
- allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
-
- kernel_read_kernel_sysctls(ipsec_t)
-+kernel_read_net_sysctls(ipsec_t)
- kernel_list_proc(ipsec_t)
- kernel_read_proc_symlinks(ipsec_t)
- # allow pluto to access /proc/net/ipsec_eroute;
-@@ -127,20 +130,21 @@ corecmd_exec_shell(ipsec_t)
- corecmd_exec_bin(ipsec_t)
-
- # Pluto needs network access
--corenet_all_recvfrom_unlabeled(ipsec_t)
--corenet_tcp_sendrecv_all_if(ipsec_t)
--corenet_raw_sendrecv_all_if(ipsec_t)
--corenet_tcp_sendrecv_all_nodes(ipsec_t)
--corenet_raw_sendrecv_all_nodes(ipsec_t)
-+corenet_tcp_sendrecv_generic_if(ipsec_t)
-+corenet_raw_sendrecv_generic_if(ipsec_t)
-+corenet_tcp_sendrecv_generic_node(ipsec_t)
-+corenet_raw_sendrecv_generic_node(ipsec_t)
- corenet_tcp_sendrecv_all_ports(ipsec_t)
--corenet_tcp_bind_all_nodes(ipsec_t)
--corenet_udp_bind_all_nodes(ipsec_t)
-+corenet_tcp_bind_generic_node(ipsec_t)
-+corenet_udp_bind_generic_node(ipsec_t)
- corenet_tcp_bind_reserved_port(ipsec_t)
- corenet_tcp_bind_isakmp_port(ipsec_t)
- corenet_udp_bind_isakmp_port(ipsec_t)
- corenet_udp_bind_ipsecnat_port(ipsec_t)
- corenet_sendrecv_generic_server_packets(ipsec_t)
- corenet_sendrecv_isakmp_server_packets(ipsec_t)
-+corenet_tcp_connect_http_port(ipsec_t)
-+corenet_tcp_connect_ldap_port(ipsec_t)
-
- dev_read_sysfs(ipsec_t)
- dev_read_rand(ipsec_t)
-@@ -156,6 +160,8 @@ files_dontaudit_search_home(ipsec_t)
- fs_getattr_all_fs(ipsec_t)
- fs_search_auto_mountpoints(ipsec_t)
-
-+selinux_compute_access_vector(ipsec_t)
-+
- term_use_console(ipsec_t)
- term_dontaudit_use_all_ttys(ipsec_t)
-
-@@ -164,11 +170,13 @@ auth_use_nsswitch(ipsec_t)
- init_use_fds(ipsec_t)
- init_use_script_ptys(ipsec_t)
-
-+logging_read_all_logs(ipsec_mgmt_t)
- logging_send_syslog_msg(ipsec_t)
-
--miscfiles_read_localization(ipsec_t)
-
- sysnet_domtrans_ifconfig(ipsec_t)
-+sysnet_manage_config(ipsec_t)
-+sysnet_etc_filetrans_config(ipsec_t)
-
- userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
- userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -186,9 +194,9 @@ optional_policy(`
- # ipsec_mgmt Local policy
- #
-
--allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
--dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
--allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
-+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
-+dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
- allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
- allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
- allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -245,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
- kernel_getattr_core_if(ipsec_mgmt_t)
- kernel_getattr_message_if(ipsec_mgmt_t)
-
-+domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
-+domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
-+
-+dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t)
-+dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t)
-+
-+dev_read_sysfs(ipsec_mgmt_t)
-+
-+files_dontaudit_getattr_all_files(ipsec_mgmt_t)
-+files_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
- files_read_kernel_symbol_table(ipsec_mgmt_t)
- files_getattr_kernel_modules(ipsec_mgmt_t)
-
-@@ -254,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
- corecmd_exec_bin(ipsec_mgmt_t)
- corecmd_exec_shell(ipsec_mgmt_t)
-
-+corenet_tcp_connect_rndc_port(ipsec_mgmt_t)
-+
- dev_read_rand(ipsec_mgmt_t)
- dev_read_urand(ipsec_mgmt_t)
-
-@@ -277,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
- fs_list_tmpfs(ipsec_mgmt_t)
-
- term_use_console(ipsec_mgmt_t)
--term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
-+term_use_all_inherited_terms(ipsec_mgmt_t)
-
- auth_dontaudit_read_login_records(ipsec_mgmt_t)
-+auth_use_nsswitch(ipsec_mgmt_t)
-
- init_read_utmp(ipsec_mgmt_t)
- init_use_script_ptys(ipsec_mgmt_t)
-@@ -289,15 +310,16 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
-
- logging_send_syslog_msg(ipsec_mgmt_t)
-
--miscfiles_read_localization(ipsec_mgmt_t)
--
--seutil_dontaudit_search_config(ipsec_mgmt_t)
--
- sysnet_manage_config(ipsec_mgmt_t)
- sysnet_domtrans_ifconfig(ipsec_mgmt_t)
- sysnet_etc_filetrans_config(ipsec_mgmt_t)
-
--userdom_use_user_terminals(ipsec_mgmt_t)
-+userdom_use_inherited_user_terminals(ipsec_mgmt_t)
-+
-+optional_policy(`
-+ bind_read_dnssec_keys(ipsec_mgmt_t)
-+ bind_read_config(ipsec_mgmt_t)
-+')
-
- optional_policy(`
- consoletype_exec(ipsec_mgmt_t)
-@@ -369,13 +391,12 @@ kernel_request_load_module(racoon_t)
- corecmd_exec_shell(racoon_t)
- corecmd_exec_bin(racoon_t)
-
--corenet_all_recvfrom_unlabeled(racoon_t)
--corenet_tcp_sendrecv_all_if(racoon_t)
--corenet_udp_sendrecv_all_if(racoon_t)
--corenet_tcp_sendrecv_all_nodes(racoon_t)
--corenet_udp_sendrecv_all_nodes(racoon_t)
--corenet_tcp_bind_all_nodes(racoon_t)
--corenet_udp_bind_all_nodes(racoon_t)
-+corenet_tcp_sendrecv_generic_if(racoon_t)
-+corenet_udp_sendrecv_generic_if(racoon_t)
-+corenet_tcp_sendrecv_generic_node(racoon_t)
-+corenet_udp_sendrecv_generic_node(racoon_t)
-+corenet_tcp_bind_generic_node(racoon_t)
-+corenet_udp_bind_generic_node(racoon_t)
- corenet_udp_bind_isakmp_port(racoon_t)
- corenet_udp_bind_ipsecnat_port(racoon_t)
-
-@@ -400,10 +421,11 @@ locallogin_use_fds(racoon_t)
- logging_send_syslog_msg(racoon_t)
- logging_send_audit_msgs(racoon_t)
-
--miscfiles_read_localization(racoon_t)
-
- sysnet_exec_ifconfig(racoon_t)
-
-+auth_use_pam(racoon_t)
-+
- auth_can_read_shadow_passwords(racoon_t)
- tunable_policy(`racoon_read_shadow',`
- auth_tunable_read_shadow(racoon_t)
-@@ -437,9 +459,9 @@ corenet_setcontext_all_spds(setkey_t)
-
- locallogin_use_fds(setkey_t)
-
--miscfiles_read_localization(setkey_t)
-
- seutil_read_config(setkey_t)
-
--userdom_use_user_terminals(setkey_t)
-+userdom_use_inherited_user_terminals(setkey_t)
-+userdom_read_user_tmp_files(setkey_t)
-
-diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 14cffd2..5effebe 100644
---- a/policy/modules/system/iptables.fc
-+++ b/policy/modules/system/iptables.fc
-@@ -1,7 +1,8 @@
- /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
--/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
--/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
--/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-+/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-
- /sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-@@ -14,7 +15,13 @@
- /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
-+/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
--/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
-index c42fbc3..7071460 100644
---- a/policy/modules/system/iptables.if
-+++ b/policy/modules/system/iptables.if
-@@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
-
- corecmd_search_bin($1)
- domtrans_pattern($1, iptables_exec_t, iptables_t)
--
-- ifdef(`hide_broken_symptoms', `
-- dontaudit iptables_t $1:socket_class_set { read write };
-- ')
- ')
-
- ########################################
-@@ -42,11 +38,22 @@ interface(`iptables_domtrans',`
- #
- interface(`iptables_run',`
- gen_require(`
-- attribute_role iptables_roles;
-+ #attribute_role iptables_roles;
-+ type iptables_t;
- ')
-
-+ #iptables_domtrans($1)
-+ #roleattribute $2 iptables_roles;
-+
- iptables_domtrans($1)
-- roleattribute $2 iptables_roles;
-+ role $2 types iptables_t;
-+
-+ sysnet_run_ifconfig(iptables_t, $2)
-+
-+ optional_policy(`
-+ modutils_run_insmod(iptables_t, $2)
-+ ')
-+
- ')
-
- ########################################
-@@ -86,6 +93,29 @@ interface(`iptables_initrc_domtrans',`
- init_labeled_script_domtrans($1, iptables_initrc_exec_t)
- ')
-
-+########################################
-+##
-+## Execute iptables server in the iptables domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`iptables_systemctl',`
-+ gen_require(`
-+ type iptables_unit_file_t;
-+ type iptables_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 iptables_unit_file_t:file read_file_perms;
-+ allow $1 iptables_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, iptables_t)
-+')
-+
- #####################################
- ##
- ## Set the attributes of iptables config files.
-diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 0646ee7..da1337a 100644
---- a/policy/modules/system/iptables.te
-+++ b/policy/modules/system/iptables.te
-@@ -5,26 +5,27 @@ policy_module(iptables, 1.13.0)
- # Declarations
- #
-
--attribute_role iptables_roles;
--roleattribute system_r iptables_roles;
-+#attribute_role iptables_roles;
-+#roleattribute system_r iptables_roles;
-
- type iptables_t;
- type iptables_exec_t;
- init_system_domain(iptables_t, iptables_exec_t)
--role iptables_roles types iptables_t;
-+#role iptables_roles types iptables_t;
-+role system_r types iptables_t;
-
- type iptables_initrc_exec_t;
- init_script_file(iptables_initrc_exec_t)
-
--type iptables_conf_t;
--files_config_file(iptables_conf_t)
--
- type iptables_tmp_t;
- files_tmp_file(iptables_tmp_t)
-
- type iptables_var_run_t;
- files_pid_file(iptables_var_run_t)
-
-+type iptables_unit_file_t;
-+systemd_unit_file(iptables_unit_file_t)
-+
- ########################################
- #
- # Iptables local policy
-@@ -37,8 +38,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
- allow iptables_t self:netlink_socket create_socket_perms;
- allow iptables_t self:rawip_socket create_socket_perms;
-
--manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
--files_etc_filetrans(iptables_t, iptables_conf_t, file)
-+files_manage_system_conf_files(iptables_t)
-+files_etc_filetrans_system_conf(iptables_t)
-
- manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
- files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-@@ -49,6 +50,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
- allow iptables_t iptables_tmp_t:file manage_file_perms;
- files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
-
-+kernel_getattr_proc(iptables_t)
- kernel_request_load_module(iptables_t)
- kernel_read_system_state(iptables_t)
- kernel_read_network_state(iptables_t)
-@@ -64,6 +66,10 @@ corenet_relabelto_all_packets(iptables_t)
- corenet_dontaudit_rw_tun_tap_dev(iptables_t)
-
- dev_read_sysfs(iptables_t)
-+dev_read_urand(iptables_t)
-+ifdef(`hide_broken_symptoms',`
-+ dev_dontaudit_write_mtrr(iptables_t)
-+')
-
- fs_getattr_xattr_fs(iptables_t)
- fs_search_auto_mountpoints(iptables_t)
-@@ -72,11 +78,13 @@ fs_list_inotifyfs(iptables_t)
- mls_file_read_all_levels(iptables_t)
-
- term_dontaudit_use_console(iptables_t)
-+term_use_all_inherited_terms(iptables_t)
-
- domain_use_interactive_fds(iptables_t)
-
- files_read_etc_files(iptables_t)
--files_read_etc_runtime_files(iptables_t)
-+files_rw_etc_runtime_files(iptables_t)
-+files_read_usr_files(iptables_t)
-
- auth_use_nsswitch(iptables_t)
-
-@@ -85,15 +93,16 @@ init_use_script_ptys(iptables_t)
- # to allow rules to be saved on reboot:
- init_rw_script_tmp_files(iptables_t)
- init_rw_script_stream_sockets(iptables_t)
-+init_dontaudit_script_leaks(iptables_t)
-
- logging_send_syslog_msg(iptables_t)
-
--miscfiles_read_localization(iptables_t)
-
--sysnet_run_ifconfig(iptables_t, iptables_roles)
-+#sysnet_run_ifconfig(iptables_t, iptables_roles)
-+sysnet_domtrans_ifconfig(iptables_t)
- sysnet_dns_name_resolve(iptables_t)
-
--userdom_use_user_terminals(iptables_t)
-+userdom_use_inherited_user_terminals(iptables_t)
- userdom_use_all_users_fds(iptables_t)
-
- ifdef(`hide_broken_symptoms',`
-@@ -102,6 +111,8 @@ ifdef(`hide_broken_symptoms',`
-
- optional_policy(`
- fail2ban_append_log(iptables_t)
-+ fail2ban_dontaudit_leaks(iptables_t)
-+ fail2ban_rw_inherited_tmp_files(iptables_t)
- ')
-
- optional_policy(`
-@@ -110,7 +121,8 @@ optional_policy(`
- ')
-
- optional_policy(`
-- modutils_run_insmod(iptables_t, iptables_roles)
-+ modutils_domtrans_insmod(iptables_t)
-+ #modutils_run_insmod(iptables_t, iptables_roles)
- ')
-
- optional_policy(`
-@@ -124,6 +136,7 @@ optional_policy(`
-
- optional_policy(`
- psad_rw_tmp_files(iptables_t)
-+ psad_write_log(iptables_t)
- ')
-
- optional_policy(`
-@@ -137,6 +150,7 @@ optional_policy(`
- optional_policy(`
- shorewall_read_tmp_files(iptables_t)
- shorewall_rw_lib_files(iptables_t)
-+ shorewall_read_tmp_files(iptables_t)
- shorewall_read_config(iptables_t)
- ')
-
-diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index ef8bbaf..a21d5fe 100644
---- a/policy/modules/system/libraries.fc
-+++ b/policy/modules/system/libraries.fc
-@@ -1,3 +1,4 @@
-+
- #
- # /emul
- #
-@@ -28,14 +29,17 @@ ifdef(`distro_redhat',`
- # /etc
- #
- /etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0)
-+/etc/ld\.so\.cache~ -- gen_context(system_u:object_r:ld_so_cache_t,s0)
- /etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0)
-+/etc/ld\.so\.preload~ -- gen_context(system_u:object_r:ld_so_cache_t,s0)
-
- /etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0)
-
- #
- # /lib(64)?
- #
--/lib -d gen_context(system_u:object_r:lib_t,s0)
-+/lib gen_context(system_u:object_r:lib_t,s0)
-+/lib64 gen_context(system_u:object_r:lib_t,s0)
- /lib/.* gen_context(system_u:object_r:lib_t,s0)
- /lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-
-@@ -52,9 +56,8 @@ ifdef(`distro_gentoo',`
- #
- # /opt
- #
--/opt/.*\.so gen_context(system_u:object_r:lib_t,s0)
-+/opt/.*\.so(\.[^/]*)* gen_context(system_u:object_r:lib_t,s0)
- /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
--/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
- /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
- /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
-@@ -103,6 +106,12 @@ ifdef(`distro_redhat',`
- #
- # /usr
- #
-+/usr/lib -d gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib/.* gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-+
-+/usr/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
- /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-@@ -111,12 +120,12 @@ ifdef(`distro_redhat',`
- /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0)
-
- /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
--/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
-
--/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
-+/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
-
- /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-+/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -140,6 +149,8 @@ ifdef(`distro_redhat',`
- /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libjavascriptcoregtk[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libzvbi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -147,12 +158,11 @@ ifdef(`distro_redhat',`
- /usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/nvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
--/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
--/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-@@ -181,11 +191,13 @@ ifdef(`distro_redhat',`
- # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
- # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
- HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/dri/fglrx_dri.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -240,14 +252,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
-
- # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
- /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
--HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- # Jai, Sun Microsystems (Jpackage SPRM)
- /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -269,20 +277,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
-
- # Java, Sun Microsystems (JPackage SRPM)
- /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
--/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
--/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-@@ -299,17 +306,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
- #
- /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
-
--/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
--/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
--
--/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-+/var/ftp/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-
- /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
-
-+/usr/lib/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-+/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-+
- ifdef(`distro_suse',`
- /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
- ')
-
--/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/var/spool/postfix/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/var/spool/postfix/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
- /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
--/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
-+/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
-+
-+/usr/lib/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google/chrome/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
-+
-+/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+
-+/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+ifdef(`fixed',`
-+/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+# Flash plugin, Macromedia
-+/usr/lib/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+')
-+/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/lampp/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/opt/real/RealPlayer/plugins(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/opt/real/RealPlayer/codecs(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
-diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..7b506f2 100644
---- a/policy/modules/system/libraries.if
-+++ b/policy/modules/system/libraries.if
-@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',`
-
- ########################################
- ##
-+## Make ldconfig_exec_t entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which bin_t is an entrypoint.
-+##
-+##
-+#
-+interface(`libs_ldconfig_exec_entry_type',`
-+ gen_require(`
-+ type ldconfig_exec_t;
-+ ')
-+
-+ domain_entry_file($1, ldconfig_exec_t)
-+')
-+
-+########################################
-+##
- ## Use the dynamic link/loader for automatic loading
- ## of shared libraries.
- ##
-@@ -147,6 +166,7 @@ interface(`libs_manage_ld_so',`
- type lib_t, ld_so_t;
- ')
-
-+ read_lnk_files_pattern($1, lib_t, lib_t)
- manage_files_pattern($1, lib_t, ld_so_t)
- ')
-
-@@ -205,8 +225,26 @@ interface(`libs_search_lib',`
- type lib_t;
- ')
-
-+ read_lnk_files_pattern($1, lib_t, lib_t)
- allow $1 lib_t:dir search_dir_perms;
- ')
-+########################################
-+##
-+## dontaudit attempts to setattr on library files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`libs_dontaudit_setattr_lib_files',`
-+ gen_require(`
-+ type lib_t;
-+ ')
-+
-+ dontaudit $1 lib_t:file setattr;
-+')
-
- ########################################
- ##
-@@ -248,29 +286,12 @@ interface(`libs_manage_lib_dirs',`
- type lib_t;
- ')
-
-+ read_lnk_files_pattern($1, lib_t, lib_t)
- allow $1 lib_t:dir manage_dir_perms;
- ')
-
- ########################################
- ##
--## dontaudit attempts to setattr on library files
--##
--##
--##
--## Domain to not audit.
--##
--##
--#
--interface(`libs_dontaudit_setattr_lib_files',`
-- gen_require(`
-- type lib_t;
-- ')
--
-- dontaudit $1 lib_t:file setattr;
--')
--
--########################################
--##
- ## Read files in the library directories, such
- ## as static libraries.
- ##
-@@ -345,6 +366,7 @@ interface(`libs_manage_lib_files',`
- type lib_t;
- ')
-
-+ read_lnk_files_pattern($1, lib_t, lib_t)
- manage_files_pattern($1, lib_t, lib_t)
- ')
-
-@@ -421,7 +443,8 @@ interface(`libs_manage_shared_libs',`
- type lib_t, textrel_shlib_t;
- ')
-
-- manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-+ read_lnk_files_pattern($1, lib_t, lib_t)
-+ manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
- ')
-
- ########################################
-@@ -440,9 +463,9 @@ interface(`libs_use_shared_libs',`
- ')
-
- files_search_usr($1)
-- allow $1 lib_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-- mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-+ allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms;
-+ read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
-+ mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
- allow $1 textrel_shlib_t:file execmod;
- ')
-
-@@ -483,7 +506,7 @@ interface(`libs_relabel_shared_libs',`
- type lib_t, textrel_shlib_t;
- ')
-
-- relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-+ relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
- ')
-
- ########################################
-@@ -534,3 +557,26 @@ interface(`lib_filetrans_shared_lib',`
- interface(`files_lib_filetrans_shared_lib',`
- refpolicywarn(`$0($*) has been deprecated.')
- ')
-+
-+########################################
-+##
-+## Transition to lib named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`libs_filetrans_named_content',`
-+ gen_require(`
-+ type ld_so_cache_t;
-+ type ldconfig_cache_t;
-+ ')
-+
-+ files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig")
-+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
-+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
-+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
-+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
-+')
-diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index ad01883..a003fa8 100644
---- a/policy/modules/system/libraries.te
-+++ b/policy/modules/system/libraries.te
-@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
- # lib_t is the type of files in the system lib directories.
- #
- type lib_t alias shlib_t;
--files_type(lib_t)
-+files_ro_base_file(lib_t)
-
- #
- # textrel_shlib_t is the type of shared objects in the system lib
- # directories, which require text relocation.
- #
- type textrel_shlib_t alias texrel_shlib_t;
--files_type(textrel_shlib_t)
-+files_ro_base_file(textrel_shlib_t)
-
- ifdef(`distro_gentoo',`
- # openrc unfortunately mounts a tmpfs
-@@ -59,9 +59,11 @@ optional_policy(`
-
- allow ldconfig_t self:capability { dac_override sys_chroot };
-
-+manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
- manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
-+files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig")
-
--allow ldconfig_t ld_so_cache_t:file manage_file_perms;
-+manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
- files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
-
- manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -75,10 +77,14 @@ kernel_read_system_state(ldconfig_t)
-
- fs_getattr_xattr_fs(ldconfig_t)
-
-+files_list_var_lib(ldconfig_t)
-+files_manage_var_lib_symlinks(ldconfig_t)
-+
- corecmd_search_bin(ldconfig_t)
-
- domain_use_interactive_fds(ldconfig_t)
-
-+files_search_home(ldconfig_t)
- files_search_var_lib(ldconfig_t)
- files_read_etc_files(ldconfig_t)
- files_read_usr_files(ldconfig_t)
-@@ -90,11 +96,11 @@ files_delete_etc_files(ldconfig_t)
- init_use_script_ptys(ldconfig_t)
- init_read_script_tmp_files(ldconfig_t)
-
--miscfiles_read_localization(ldconfig_t)
-
- logging_send_syslog_msg(ldconfig_t)
-
--userdom_use_user_terminals(ldconfig_t)
-+term_use_console(ldconfig_t)
-+userdom_use_inherited_user_terminals(ldconfig_t)
- userdom_use_all_users_fds(ldconfig_t)
-
- ifdef(`distro_ubuntu',`
-@@ -103,6 +109,12 @@ ifdef(`distro_ubuntu',`
- ')
- ')
-
-+userdom_dontaudit_list_admin_dir(ldconfig_t)
-+userdom_list_user_home_dirs(ldconfig_t)
-+userdom_manage_user_home_content_files(ldconfig_t)
-+userdom_manage_user_tmp_files(ldconfig_t)
-+userdom_manage_user_tmp_symlinks(ldconfig_t)
-+
- ifdef(`hide_broken_symptoms',`
- ifdef(`distro_gentoo',`
- # leaked fds from portage
-@@ -114,6 +126,9 @@ ifdef(`hide_broken_symptoms',`
- ')
- ')
-
-+ dev_dontaudit_rw_lvm_control(ldconfig_t)
-+ term_dontaudit_use_unallocated_ttys(ldconfig_t)
-+
- optional_policy(`
- unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
- ')
-@@ -131,6 +146,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gnome_append_generic_cache_files(ldconfig_t)
-+')
-+
-+optional_policy(`
-+ kdump_manage_kdumpctl_tmp_files(ldconfig_t)
-+')
-+
-+optional_policy(`
- puppet_rw_tmp(ldconfig_t)
- ')
-
-@@ -141,6 +164,3 @@ optional_policy(`
- rpm_manage_script_tmp_files(ldconfig_t)
- ')
-
--optional_policy(`
-- unconfined_domain(ldconfig_t)
--')
-diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
-index be6a81b..a5303e9 100644
---- a/policy/modules/system/locallogin.fc
-+++ b/policy/modules/system/locallogin.fc
-@@ -1,3 +1,8 @@
-+HOME_DIR/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
-+/root/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
-
- /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
- /sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
-+
-+/usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
-+/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
-diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
-index 0e3c2a9..40adf5a 100644
---- a/policy/modules/system/locallogin.if
-+++ b/policy/modules/system/locallogin.if
-@@ -129,3 +129,59 @@ interface(`locallogin_domtrans_sulogin',`
-
- domtrans_pattern($1, sulogin_exec_t, sulogin_t)
- ')
-+
-+#######################################
-+##
-+## Allow domain to gettatr local login home content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`locallogin_getattr_home_content',`
-+ gen_require(`
-+ type local_login_home_t;
-+ ')
-+
-+ getattr_files_pattern($1, local_login_home_t, local_login_home_t)
-+')
-+
-+########################################
-+##
-+## create local login content in the in the /root directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`locallogin_filetrans_admin_home_content',`
-+ gen_require(`
-+ type local_login_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
-+')
-+
-+########################################
-+##
-+## Transition to local login named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`locallogin_filetrans_home_content',`
-+ gen_require(`
-+ type local_login_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
-+')
-+
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 9fd5be7..7e2a02e 100644
---- a/policy/modules/system/locallogin.te
-+++ b/policy/modules/system/locallogin.te
-@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
- type local_login_lock_t;
- files_lock_file(local_login_lock_t)
-
--type local_login_tmp_t;
--files_tmp_file(local_login_tmp_t)
--files_poly_parent(local_login_tmp_t)
-+type local_login_home_t;
-+userdom_user_home_content(local_login_home_t)
-
- type sulogin_t;
- type sulogin_exec_t;
-@@ -27,14 +26,21 @@ init_domain(sulogin_t, sulogin_exec_t)
- init_system_domain(sulogin_t, sulogin_exec_t)
- role system_r types sulogin_t;
-
-+ifdef(`enable_mcs',`
-+ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mcs_systemhigh)
-+')
-+
-+ifdef(`enable_mls',`
-+ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, mls_systemhigh)
-+')
-+
- ########################################
- #
- # Local login local policy
- #
-
--allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
--allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
--allow local_login_t self:process { setrlimit setexec };
-+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
-+allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
- allow local_login_t self:fd use;
- allow local_login_t self:fifo_file rw_fifo_file_perms;
- allow local_login_t self:sock_file read_sock_file_perms;
-@@ -51,9 +57,7 @@ allow local_login_t self:key { search write link };
- allow local_login_t local_login_lock_t:file manage_file_perms;
- files_lock_filetrans(local_login_t, local_login_lock_t, file)
-
--allow local_login_t local_login_tmp_t:dir manage_dir_perms;
--allow local_login_t local_login_tmp_t:file manage_file_perms;
--files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
-+allow local_login_t local_login_home_t:file read_file_perms;
-
- kernel_read_system_state(local_login_t)
- kernel_read_kernel_sysctls(local_login_t)
-@@ -73,6 +77,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
- dev_setattr_power_mgmt_dev(local_login_t)
- dev_getattr_sound_dev(local_login_t)
- dev_setattr_sound_dev(local_login_t)
-+dev_rw_generic_usb_dev(local_login_t)
-+dev_read_video_dev(local_login_t)
- dev_dontaudit_getattr_apm_bios_dev(local_login_t)
- dev_dontaudit_setattr_apm_bios_dev(local_login_t)
- dev_dontaudit_read_framebuffer(local_login_t)
-@@ -117,16 +123,19 @@ term_relabel_unallocated_ttys(local_login_t)
- term_relabel_all_ttys(local_login_t)
- term_setattr_all_ttys(local_login_t)
- term_setattr_unallocated_ttys(local_login_t)
-+term_relabel_all_ptys(local_login_t)
-+term_setattr_generic_ptys(local_login_t)
-
- auth_rw_login_records(local_login_t)
- auth_rw_faillog(local_login_t)
--auth_manage_pam_pid(local_login_t)
-+#auth_manage_pam_pid(local_login_t)
- auth_manage_pam_console_data(local_login_t)
- auth_domtrans_pam_console(local_login_t)
-+auth_use_nsswitch(local_login_t)
-
- init_dontaudit_use_fds(local_login_t)
-+init_stream_connect(local_login_t)
-
--miscfiles_read_localization(local_login_t)
-
- userdom_spec_domtrans_all_users(local_login_t)
- userdom_signal_all_users(local_login_t)
-@@ -141,19 +150,19 @@ ifdef(`distro_ubuntu',`
- ')
- ')
-
--tunable_policy(`console_login',`
-+tunable_policy(`login_console_enabled',`
- # Able to relabel /dev/console to user tty types.
- term_relabel_console(local_login_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(local_login_t)
-- fs_read_nfs_symlinks(local_login_t)
--')
-+userdom_home_reader(local_login_t)
-+userdom_manage_tmp_files(local_login_t)
-+userdom_tmp_filetrans_user_tmp(local_login_t, file)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(local_login_t)
-- fs_read_cifs_symlinks(local_login_t)
-+tunable_policy(`login_console_enabled',`
-+ term_use_console(local_login_t)
-+ term_relabel_console(local_login_t)
-+ term_setattr_console(local_login_t)
- ')
-
- optional_policy(`
-@@ -177,14 +186,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nis_use_ypbind(local_login_t)
--')
--
--optional_policy(`
-- nscd_socket_use(local_login_t)
--')
--
--optional_policy(`
- unconfined_shell_domtrans(local_login_t)
- ')
-
-@@ -215,6 +216,7 @@ allow sulogin_t self:sem create_sem_perms;
- allow sulogin_t self:msgq create_msgq_perms;
- allow sulogin_t self:msg { send receive };
-
-+kernel_read_crypto_sysctls(sulogin_t)
- kernel_read_system_state(sulogin_t)
-
- fs_search_auto_mountpoints(sulogin_t)
-@@ -223,13 +225,16 @@ fs_rw_tmpfs_chr_files(sulogin_t)
- files_read_etc_files(sulogin_t)
- # because file systems are not mounted:
- files_dontaudit_search_isid_type_dirs(sulogin_t)
-+files_search_pids(sulogin_t)
-
- auth_read_shadow(sulogin_t)
-+auth_use_nsswitch(sulogin_t)
-
- init_getpgid_script(sulogin_t)
-
- logging_send_syslog_msg(sulogin_t)
-
-+
- seutil_read_config(sulogin_t)
- seutil_read_default_contexts(sulogin_t)
-
-@@ -238,14 +243,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
- userdom_search_user_home_dirs(sulogin_t)
- userdom_use_user_ptys(sulogin_t)
-
--sysadm_shell_domtrans(sulogin_t)
-+term_use_console(sulogin_t)
-+term_use_unallocated_ttys(sulogin_t)
-+term_use_generic_ptys(sulogin_t)
-+
-+ifdef(`enable_mls',`
-+ sysadm_shell_domtrans(sulogin_t)
-+',`
-+ optional_policy(`
-+ unconfined_shell_domtrans(sulogin_t)
-+ ')
-+')
-
- # suse and debian do not use pam with sulogin...
- ifdef(`distro_suse', `define(`sulogin_no_pam')')
- ifdef(`distro_debian', `define(`sulogin_no_pam')')
-
-+allow sulogin_t self:capability sys_tty_config;
- ifdef(`sulogin_no_pam', `
-- allow sulogin_t self:capability sys_tty_config;
- init_getpgid(sulogin_t)
- ', `
- allow sulogin_t self:process setexec;
-@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', `
- selinux_compute_relabel_context(sulogin_t)
- selinux_compute_user_contexts(sulogin_t)
- ')
--
--optional_policy(`
-- nis_use_ypbind(sulogin_t)
--')
--
--optional_policy(`
-- nscd_socket_use(sulogin_t)
--')
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..70248c6 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -2,10 +2,13 @@
-
- /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
-+/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_file_t,s0)
-+
- /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
- /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
- /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
-@@ -17,12 +20,25 @@
- /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
-+/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+
-+/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+
-+/usr/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+
-+/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
-+/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
-+/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
-+/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
- /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
--/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
- /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
- /var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -34,11 +50,10 @@ ifdef(`distro_suse', `
-
- /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
- /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
--/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+#/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-
- /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
- /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
--/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-@@ -46,6 +61,8 @@ ifdef(`distro_suse', `
- /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
- /var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-+/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-+/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-
- ifndef(`distro_gentoo',`
- /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -54,6 +71,7 @@ ifndef(`distro_gentoo',`
- ifdef(`distro_redhat',`
- /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
- /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
-+/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
- ')
-
- /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
-@@ -66,11 +84,16 @@ ifdef(`distro_redhat',`
- /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
- /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
- /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
-+/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-
- /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
- /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
- /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
--/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-
-+/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+
- /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+
-+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 321bb13..3638d50 100644
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
-
- ########################################
- ##
--## Connect to auditdstored over an unix stream socket.
-+## Connect to auditdstored over a unix stream socket.
- ##
- ##
- ##
-@@ -318,7 +318,7 @@ interface(`logging_dispatcher_domain',`
-
- ########################################
- ##
--## Connect to the audit dispatcher over an unix stream socket.
-+## Connect to the audit dispatcher over a unix stream socket.
- ##
- ##
- ##
-@@ -496,6 +496,68 @@ interface(`logging_log_filetrans',`
- filetrans_pattern($1, var_log_t, $2, $3, $4)
- ')
-
-+#######################################
-+##
-+## Create an object in the log directory, with a private type.
-+##
-+##
-+##
-+## Allow the specified domain to create an object
-+## in the general system log directories (e.g., /var/log)
-+## with a private type. Typically this is used for creating
-+## private log files in /var/log with the private type instead
-+## of the general system log type. To accomplish this goal,
-+## either the program must be SELinux-aware, or use this interface.
-+##
-+##
-+## Related interfaces:
-+##
-+##
-+## - logging_log_file()
-+##
-+##
-+## Example usage with a domain that can create
-+## and append to a private log file stored in the
-+## general directories (e.g., /var/log):
-+##
-+##
-+## type mylogfile_t;
-+## logging_log_file(mylogfile_t)
-+## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
-+## logging_log_filetrans(mydomain_t, mylogfile_t, file)
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+##
-+#
-+interface(`logging_log_named_filetrans',`
-+ gen_require(`
-+ type var_log_t;
-+ ')
-+
-+ files_search_var($1)
-+ filetrans_pattern($1, var_log_t, $2, $3, $4)
-+')
-+
- ########################################
- ##
- ## Send system log messages.
-@@ -530,22 +592,85 @@ interface(`logging_log_filetrans',`
- #
- interface(`logging_send_syslog_msg',`
- gen_require(`
-- type syslogd_t, devlog_t;
-+ attribute syslog_client_type;
-+ ')
-+
-+ typeattribute $1 syslog_client_type;
-+')
-+
-+########################################
-+##
-+## Connect to the syslog control unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_create_devlog_dev',`
-+ gen_require(`
-+ type devlog_t;
-+ ')
-+
-+ allow $1 devlog_t:sock_file manage_sock_file_perms;
-+ dev_filetrans($1, devlog_t, sock_file)
-+ init_pid_filetrans($1, devlog_t, sock_file, "syslog")
-+')
-+
-+########################################
-+##
-+## Relabel the devlog sock_file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_relabel_devlog_dev',`
-+ gen_require(`
-+ type devlog_t;
-+ ')
-+
-+ allow $1 devlog_t:sock_file relabel_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Relabel the syslog pid sock_file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_relabel_syslog_pid_socket',`
-+ gen_require(`
-+ type devlog_t;
- ')
-
-- allow $1 devlog_t:lnk_file read_lnk_file_perms;
-- allow $1 devlog_t:sock_file write_sock_file_perms;
-+ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
-+')
-
-- # the type of socket depends on the syslog daemon
-- allow $1 syslogd_t:unix_dgram_socket sendto;
-- allow $1 syslogd_t:unix_stream_socket connectto;
-- allow $1 self:unix_dgram_socket create_socket_perms;
-- allow $1 self:unix_stream_socket create_socket_perms;
-+########################################
-+##
-+## Connect to the syslog control unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_stream_connect_syslog',`
-+ gen_require(`
-+ type syslogd_t, syslogd_var_run_t;
-+ ')
-
-- # If syslog is down, the glibc syslog() function
-- # will write to the console.
-- term_write_console($1)
-- term_dontaudit_read_console($1)
-+ files_search_pids($1)
-+ stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
- ')
-
- ########################################
-@@ -739,7 +864,25 @@ interface(`logging_append_all_logs',`
- ')
-
- files_search_var($1)
-- append_files_pattern($1, var_log_t, logfile)
-+ append_files_pattern($1, logfile, logfile)
-+')
-+
-+########################################
-+##
-+## Append to all log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_inherit_append_all_logs',`
-+ gen_require(`
-+ attribute logfile;
-+ ')
-+
-+ allow $1 logfile:file { getattr append ioctl lock };
- ')
-
- ########################################
-@@ -822,7 +965,7 @@ interface(`logging_manage_all_logs',`
-
- files_search_var($1)
- manage_files_pattern($1, logfile, logfile)
-- read_lnk_files_pattern($1, logfile, logfile)
-+ manage_lnk_files_pattern($1, logfile, logfile)
- ')
-
- ########################################
-@@ -848,6 +991,44 @@ interface(`logging_read_generic_logs',`
-
- ########################################
- ##
-+## Link generic log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`logging_link_generic_logs',`
-+ gen_require(`
-+ type var_log_t;
-+ ')
-+
-+ allow $1 var_log_t:file link;
-+')
-+
-+########################################
-+##
-+## Delete generic log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`logging_delete_generic_logs',`
-+ gen_require(`
-+ type var_log_t;
-+ ')
-+
-+ allow $1 var_log_t:file unlink;
-+')
-+
-+########################################
-+##
- ## Write generic log files.
- ##
- ##
-@@ -868,6 +1049,24 @@ interface(`logging_write_generic_logs',`
-
- ########################################
- ##
-+## Dontaudit read/Write inherited generic log files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`logging_dontaudit_rw_inherited_generic_logs',`
-+ gen_require(`
-+ type var_log_t;
-+ ')
-+
-+ dontaudit $1 var_log_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Dontaudit Write generic log files.
- ##
- ##
-@@ -947,11 +1146,16 @@ interface(`logging_admin_audit',`
- type auditd_t, auditd_etc_t, auditd_log_t;
- type auditd_var_run_t;
- type auditd_initrc_exec_t;
-+ type auditd_unit_file_t;
- ')
-
-- allow $1 auditd_t:process { ptrace signal_perms };
-+ allow $1 auditd_t:process signal_perms;
- ps_process_pattern($1, auditd_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 auditd_t:process ptrace;
-+ ')
-+
- manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
- manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
-
-@@ -967,6 +1171,33 @@ interface(`logging_admin_audit',`
- domain_system_change_exemption($1)
- role_transition $2 auditd_initrc_exec_t system_r;
- allow $2 system_r;
-+
-+ logging_systemctl_audit($1)
-+ admin_pattern($1, auditd_unit_file_t)
-+ allow $1 auditd_unit_file_t:service all_service_perms;
-+')
-+
-+########################################
-+##
-+## Execute auditd server in the auditd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`logging_systemctl_audit',`
-+ gen_require(`
-+ type auditd_t;
-+ type auditd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 auditd_unit_file_t:file read_file_perms;
-+ allow $1 auditd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, auditd_t)
- ')
-
- ########################################
-@@ -995,10 +1226,15 @@ interface(`logging_admin_syslog',`
- type syslogd_initrc_exec_t;
- ')
-
-- allow $1 syslogd_t:process { ptrace signal_perms };
-- allow $1 klogd_t:process { ptrace signal_perms };
-+ allow $1 self:capability2 syslog;
-+ allow $1 syslogd_t:process signal_perms;
-+ allow $1 klogd_t:process signal_perms;
- ps_process_pattern($1, syslogd_t)
- ps_process_pattern($1, klogd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 syslogd_t:process ptrace;
-+ allow $1 klogd_t:process ptrace;
-+ ')
-
- manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
- manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1020,6 +1256,8 @@ interface(`logging_admin_syslog',`
- manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
-
- logging_manage_all_logs($1)
-+ allow $1 logfile:dir relabel_dir_perms;
-+ allow $1 logfile:file relabel_file_perms;
-
- init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -1048,3 +1286,29 @@ interface(`logging_admin',`
- logging_admin_audit($1, $2)
- logging_admin_syslog($1, $2)
- ')
-+
-+########################################
-+##
-+## Transition to logging named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_filetrans_named_content',`
-+ gen_require(`
-+ type var_log_t;
-+ type audit_spool_t;
-+ type syslogd_var_run_t;
-+ ')
-+
-+ files_pid_filetrans($1, syslogd_var_run_t, dir, "log")
-+ files_spool_filetrans($1, var_log_t, dir, "rsyslog")
-+ files_spool_filetrans($1, var_log_t, dir, "log")
-+ files_spool_filetrans($1, audit_spool_t, dir, "audit")
-+ files_var_filetrans($1, var_log_t, dir, "webmin")
-+
-+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
-+')
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 0034021..c62bd95 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -4,6 +4,21 @@ policy_module(logging, 1.19.0)
- #
- # Declarations
- #
-+attribute syslog_client_type;
-+
-+##
-+##
-+## Allow syslogd daemon to send mail
-+##
-+##
-+gen_tunable(logging_syslogd_can_sendmail, false)
-+
-+##
-+##
-+## Allow syslogd the ability to read/write terminals
-+##
-+##
-+gen_tunable(logging_syslogd_use_tty, false)
-
- attribute logfile;
-
-@@ -20,6 +35,7 @@ files_security_file(auditd_log_t)
- files_security_mountpoint(auditd_log_t)
-
- type audit_spool_t;
-+files_spool_file(audit_spool_t)
- files_security_file(audit_spool_t)
- files_security_mountpoint(audit_spool_t)
-
-@@ -33,6 +49,9 @@ init_script_file(auditd_initrc_exec_t)
- type auditd_var_run_t;
- files_pid_file(auditd_var_run_t)
-
-+type auditd_unit_file_t;
-+systemd_unit_file(auditd_unit_file_t)
-+
- type audisp_t;
- type audisp_exec_t;
- init_system_domain(audisp_t, audisp_exec_t)
-@@ -64,6 +83,7 @@ files_config_file(syslog_conf_t)
- type syslogd_t;
- type syslogd_exec_t;
- init_daemon_domain(syslogd_t, syslogd_exec_t)
-+mls_trusted_object(syslogd_t)
-
- type syslogd_initrc_exec_t;
- init_script_file(syslogd_initrc_exec_t)
-@@ -76,6 +96,7 @@ files_type(syslogd_var_lib_t)
-
- type syslogd_var_run_t;
- files_pid_file(syslogd_var_run_t)
-+mls_trusted_object(syslogd_var_run_t)
-
- type var_log_t;
- logging_log_file(var_log_t)
-@@ -94,6 +115,8 @@ ifdef(`enable_mls',`
- allow auditctl_t self:capability { fsetid dac_read_search dac_override };
- allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
-
-+allow auditctl_t self:process getcap;
-+
- read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
- allow auditctl_t auditd_etc_t:dir list_dir_perms;
-
-@@ -111,7 +134,7 @@ domain_use_interactive_fds(auditctl_t)
-
- mls_file_read_all_levels(auditctl_t)
-
--term_use_all_terms(auditctl_t)
-+term_use_all_inherited_terms(auditctl_t)
-
- init_dontaudit_use_fds(auditctl_t)
-
-@@ -148,6 +171,7 @@ kernel_read_kernel_sysctls(auditd_t)
- # Needs to be able to run dispatcher. see /etc/audit/auditd.conf
- # Probably want a transition, and a new auditd_helper app
- kernel_read_system_state(auditd_t)
-+kernel_read_network_state(auditd_t)
-
- dev_read_sysfs(auditd_t)
-
-@@ -155,9 +179,6 @@ fs_getattr_all_fs(auditd_t)
- fs_search_auto_mountpoints(auditd_t)
- fs_rw_anon_inodefs_files(auditd_t)
-
--selinux_search_fs(auditctl_t)
--
--corenet_all_recvfrom_unlabeled(auditd_t)
- corenet_all_recvfrom_netlabel(auditd_t)
- corenet_tcp_sendrecv_generic_if(auditd_t)
- corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +204,16 @@ logging_send_syslog_msg(auditd_t)
- logging_domtrans_dispatcher(auditd_t)
- logging_signal_dispatcher(auditd_t)
-
--miscfiles_read_localization(auditd_t)
-+auth_use_nsswitch(auditd_t)
-+
-
- mls_file_read_all_levels(auditd_t)
- mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
--
--seutil_dontaudit_read_config(auditd_t)
-+mls_socket_write_all_levels(auditd_t)
-
- sysnet_dns_name_resolve(auditd_t)
-
--userdom_use_user_terminals(auditd_t)
-+userdom_use_inherited_user_terminals(auditd_t)
- userdom_dontaudit_use_unpriv_user_fds(auditd_t)
- userdom_dontaudit_search_user_home_dirs(auditd_t)
-
-@@ -237,19 +258,29 @@ corecmd_exec_shell(audisp_t)
-
- domain_use_interactive_fds(audisp_t)
-
-+fs_getattr_all_fs(audisp_t)
-+
- files_read_etc_files(audisp_t)
- files_read_etc_runtime_files(audisp_t)
-
-+mls_file_read_all_levels(audisp_t)
- mls_file_write_all_levels(audisp_t)
-+mls_socket_write_all_levels(audisp_t)
-+mls_dbus_send_all_levels(audisp_t)
-+
-+auth_use_nsswitch(audisp_t)
-
- logging_send_syslog_msg(audisp_t)
-
--miscfiles_read_localization(audisp_t)
-
- sysnet_dns_name_resolve(audisp_t)
-
- optional_policy(`
- dbus_system_bus_client(audisp_t)
-+
-+ optional_policy(`
-+ setroubleshoot_dbus_chat(audisp_t)
-+ ')
- ')
-
- ########################################
-@@ -268,7 +299,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
-
- corecmd_exec_bin(audisp_remote_t)
-
--corenet_all_recvfrom_unlabeled(audisp_remote_t)
- corenet_all_recvfrom_netlabel(audisp_remote_t)
- corenet_tcp_sendrecv_generic_if(audisp_remote_t)
- corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,10 +310,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
-
- files_read_etc_files(audisp_remote_t)
-
-+mls_socket_write_all_levels(audisp_remote_t)
-+
- logging_send_syslog_msg(audisp_remote_t)
- logging_send_audit_msgs(audisp_remote_t)
-
--miscfiles_read_localization(audisp_remote_t)
-+auth_use_nsswitch(audisp_remote_t)
-+auth_append_login_records(audisp_remote_t)
-+
-+
-+init_telinit(audisp_remote_t)
-+init_read_utmp(audisp_remote_t)
-+init_dontaudit_write_utmp(audisp_remote_t)
-
- sysnet_dns_name_resolve(audisp_remote_t)
-
-@@ -326,7 +364,6 @@ files_read_etc_files(klogd_t)
-
- logging_send_syslog_msg(klogd_t)
-
--miscfiles_read_localization(klogd_t)
-
- mls_file_read_all_levels(klogd_t)
-
-@@ -354,12 +391,12 @@ optional_policy(`
- # chown fsetid for syslog-ng
- # sys_admin for the integrated klog of syslog-ng and metalog
- # cjp: why net_admin!
--allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
-+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };
- dontaudit syslogd_t self:capability sys_tty_config;
-+allow syslogd_t self:capability2 { syslog block_suspend };
- # setpgid for metalog
- # setrlimit for syslog-ng
--# getsched for syslog-ng
--allow syslogd_t self:process { signal_perms setpgid setrlimit getsched };
-+allow syslogd_t self:process { signal_perms getcap setcap setpgid getsched setsched setrlimit };
- # receive messages to be logged
- allow syslogd_t self:unix_dgram_socket create_socket_perms;
- allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,6 +406,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
- allow syslogd_t self:tcp_socket create_stream_socket_perms;
-
- allow syslogd_t syslog_conf_t:file read_file_perms;
-+allow syslogd_t syslog_conf_t:dir list_dir_perms;
-
- # Create and bind to /dev/log or /var/run/log.
- allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -377,6 +415,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
- # create/append log files.
- manage_files_pattern(syslogd_t, var_log_t, var_log_t)
- rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
-+files_search_spool(syslogd_t)
-
- # Allow access for syslog-ng
- allow syslogd_t var_log_t:dir { create setattr };
-@@ -386,22 +425,35 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
-
-+manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
- manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
- files_search_var_lib(syslogd_t)
-
-+manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
-+manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
-+manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
-+files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
-+
- # manage pid file
- manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
- files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-
-+kernel_rw_stream_socket_perms(syslogd_t)
- kernel_read_system_state(syslogd_t)
-+kernel_read_network_state(syslogd_t)
- kernel_read_kernel_sysctls(syslogd_t)
- kernel_read_proc_symlinks(syslogd_t)
- # Allow access to /proc/kmsg for syslog-ng
- kernel_read_messages(syslogd_t)
-+kernel_request_load_module(syslogd_t)
- kernel_clear_ring_buffer(syslogd_t)
- kernel_change_ring_buffer_level(syslogd_t)
-+kernel_read_ring_buffer(syslogd_t)
-+
-+ifdef(`hide_broken_symptoms',`
-+ kernel_rw_unix_dgram_sockets(syslogd_t)
-+')
-
--corenet_all_recvfrom_unlabeled(syslogd_t)
- corenet_all_recvfrom_netlabel(syslogd_t)
- corenet_udp_sendrecv_generic_if(syslogd_t)
- corenet_udp_sendrecv_generic_node(syslogd_t)
-@@ -427,10 +479,28 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
- corenet_sendrecv_postgresql_client_packets(syslogd_t)
- corenet_sendrecv_mysqld_client_packets(syslogd_t)
-
-+tunable_policy(`logging_syslogd_use_tty',`
-+ term_use_all_ttys(syslogd_t)
-+ term_use_all_ptys(syslogd_t)
-+')
-+
-+tunable_policy(`logging_syslogd_can_sendmail',`
-+ # support for ommail module to send logs via mail
-+ corenet_tcp_connect_smtp_port(syslogd_t)
-+')
-+
- dev_filetrans(syslogd_t, devlog_t, sock_file)
- dev_read_sysfs(syslogd_t)
-+dev_read_rand(syslogd_t)
-+dev_read_urand(syslogd_t)
-+# relating to systemd-kmsg-syslogd
-+dev_write_kmsg(syslogd_t)
-+dev_read_kmsg(syslogd_t)
-
-+domain_read_all_domains_state(syslogd_t)
- domain_use_interactive_fds(syslogd_t)
-+domain_read_all_domains_state(syslogd_t)
-+domain_getattr_all_domains(syslogd_t)
-
- files_read_etc_files(syslogd_t)
- files_read_usr_files(syslogd_t)
-@@ -441,14 +511,18 @@ files_dontaudit_search_isid_type_dirs(syslogd_t)
- files_read_kernel_symbol_table(syslogd_t)
-
- fs_getattr_all_fs(syslogd_t)
-+fs_rw_tmpfs_files(syslogd_t)
- fs_search_auto_mountpoints(syslogd_t)
-+fs_search_cgroup_dirs(syslogd_t)
-
- mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-
- term_write_console(syslogd_t)
- # Allow syslog to a terminal
- term_write_unallocated_ttys(syslogd_t)
-+term_use_generic_ptys(syslogd_t)
-
-+init_stream_connect(syslogd_t)
- # for sending messages to logged in users
- init_read_utmp(syslogd_t)
- init_dontaudit_write_utmp(syslogd_t)
-@@ -460,11 +534,11 @@ init_use_fds(syslogd_t)
-
- # cjp: this doesnt make sense
- logging_send_syslog_msg(syslogd_t)
-+logging_manage_all_logs(syslogd_t)
-
--miscfiles_read_localization(syslogd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
--userdom_dontaudit_search_user_home_dirs(syslogd_t)
-+userdom_search_user_home_dirs(syslogd_t)
-
- ifdef(`distro_gentoo',`
- # default gentoo syslog-ng config appends kernel
-@@ -493,15 +567,36 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ kerberos_keytab_template(syslogd, syslogd_t)
-+ kerberos_manage_host_rcache(syslogd_t)
-+ kerberos_read_config(syslogd_t)
-+')
-+
-+optional_policy(`
-+ mysql_read_config(syslogd_t)
- mysql_stream_connect(syslogd_t)
- ')
-
- optional_policy(`
-+ plymouthd_manage_log(syslogd_t)
-+')
-+
-+optional_policy(`
-+ postfix_search_spool(syslogd_t)
-+')
-+
-+optional_policy(`
- postgresql_stream_connect(syslogd_t)
- ')
-
- optional_policy(`
- seutil_sigchld_newrole(syslogd_t)
-+ snmp_read_snmp_var_lib_files(syslogd_t)
-+ snmp_dontaudit_write_snmp_var_lib_files(syslogd_t)
-+')
-+
-+optional_policy(`
-+ daemontools_search_svc_dir(syslogd_t)
- ')
-
- optional_policy(`
-@@ -512,3 +607,24 @@ optional_policy(`
- # log to the xconsole
- xserver_rw_console(syslogd_t)
- ')
-+
-+#####################################################
-+#
-+# syslog client rules
-+#
-+allow syslog_client_type devlog_t:lnk_file read_lnk_file_perms;
-+allow syslog_client_type devlog_t:sock_file write_sock_file_perms;
-+
-+# the type of socket depends on the syslog daemon
-+allow syslog_client_type syslogd_t:unix_dgram_socket sendto;
-+allow syslog_client_type syslogd_t:unix_stream_socket connectto;
-+allow syslog_client_type self:unix_dgram_socket create_socket_perms;
-+allow syslog_client_type self:unix_stream_socket create_socket_perms;
-+
-+# If syslog is down, the glibc syslog() function
-+# will write to the console.
-+term_write_console(syslog_client_type)
-+term_dontaudit_read_console(syslog_client_type)
-+ifdef(`hide_broken_symptoms',`
-+ kernel_dgram_send(syslog_client_type)
-+')
-diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..c11d48b 100644
---- a/policy/modules/system/lvm.fc
-+++ b/policy/modules/system/lvm.fc
-@@ -23,28 +23,34 @@ ifdef(`distro_gentoo',`
- /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
- /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
-
-+/etc/multipath(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
-+
- #
- # /lib
- #
- /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
-
- #
- # /sbin
- #
-+/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
--/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -88,8 +94,69 @@ ifdef(`distro_gentoo',`
- #
- # /usr
- #
--/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
--/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
-+/usr/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/dmeventd -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvresize -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvmove -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/pvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgcfgbackup -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgcfgrestore -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgchange\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgck -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgexport -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgimport -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgmerge -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgmknodes -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgreduce -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgrename -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgs -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgscan\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/sbin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+
-+/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/lib/systemd/system-generators/lvm2.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/usr/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
-
- #
- # /var
-@@ -97,5 +164,7 @@ ifdef(`distro_gentoo',`
- /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
- /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
- /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
-+/var/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
- /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
-+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
- /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
-diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f..51e9872 100644
---- a/policy/modules/system/lvm.if
-+++ b/policy/modules/system/lvm.if
-@@ -123,3 +123,94 @@ interface(`lvm_domtrans_clvmd',`
- corecmd_search_bin($1)
- domtrans_pattern($1, clvmd_exec_t, clvmd_t)
- ')
-+
-+########################################
-+##
-+## Read and write to lvm temporary file system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_rw_clvmd_tmpfs_files',`
-+ gen_require(`
-+ type clvmd_tmpfs_t;
-+ ')
-+
-+ allow $1 clvmd_tmpfs_t:file rw_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete lvm temporary file system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_delete_clvmd_tmpfs_files',`
-+ gen_require(`
-+ type clvmd_tmpfs_t;
-+ ')
-+
-+ allow $1 clvmd_tmpfs_t:file unlink;
-+')
-+
-+########################################
-+##
-+## Send lvm a null signal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_signull',`
-+ gen_require(`
-+ type lvm_t;
-+ ')
-+
-+ allow $1 lvm_t:process signull;
-+')
-+
-+########################################
-+##
-+## Send a message to lvm over the
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_dgram_send',`
-+ gen_require(`
-+ type lvm_t;
-+ ')
-+
-+ allow $1 lvm_t:unix_dgram_socket sendto;
-+')
-+
-+########################################
-+##
-+## Read and write a lvm unnamed pipe.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_rw_pipes',`
-+ gen_require(`
-+ type lvm_var_run_t;
-+ ')
-+
-+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index f8eeecd..0d42470 100644
---- a/policy/modules/system/lvm.te
-+++ b/policy/modules/system/lvm.te
-@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
- type clvmd_initrc_exec_t;
- init_script_file(clvmd_initrc_exec_t)
-
-+type clvmd_tmpfs_t alias clmvd_tmpfs_t;
-+files_tmpfs_file(clvmd_tmpfs_t)
-+
- type clvmd_var_run_t;
- files_pid_file(clvmd_var_run_t)
-
-@@ -24,7 +27,7 @@ domain_obj_id_change_exemption(lvm_t)
- role system_r types lvm_t;
-
- type lvm_etc_t;
--files_type(lvm_etc_t)
-+files_config_file(lvm_etc_t)
-
- type lvm_lock_t;
- files_lock_file(lvm_lock_t)
-@@ -49,13 +52,16 @@ files_tmp_file(lvm_tmp_t)
- allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
- dontaudit clvmd_t self:capability sys_tty_config;
- allow clvmd_t self:process { signal_perms setsched };
--dontaudit clvmd_t self:process ptrace;
- allow clvmd_t self:socket create_socket_perms;
- allow clvmd_t self:fifo_file rw_fifo_file_perms;
- allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow clvmd_t self:tcp_socket create_stream_socket_perms;
- allow clvmd_t self:udp_socket create_socket_perms;
-
-+manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t)
-+manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)
-+fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })
-+
- manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
- files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
-
-@@ -71,7 +77,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
- corecmd_exec_shell(clvmd_t)
- corecmd_getattr_bin_files(clvmd_t)
-
--corenet_all_recvfrom_unlabeled(clvmd_t)
- corenet_all_recvfrom_netlabel(clvmd_t)
- corenet_tcp_sendrecv_generic_if(clvmd_t)
- corenet_udp_sendrecv_generic_if(clvmd_t)
-@@ -120,9 +125,7 @@ init_dontaudit_getattr_initctl(clvmd_t)
-
- logging_send_syslog_msg(clvmd_t)
-
--miscfiles_read_localization(clvmd_t)
-
--seutil_dontaudit_search_config(clvmd_t)
- seutil_sigchld_newrole(clvmd_t)
- seutil_read_config(clvmd_t)
- seutil_read_file_contexts(clvmd_t)
-@@ -141,6 +144,11 @@ ifdef(`distro_redhat',`
- ')
-
- optional_policy(`
-+ aisexec_stream_connect(clvmd_t)
-+ corosync_stream_connect(clvmd_t)
-+')
-+
-+optional_policy(`
- ccs_stream_connect(clvmd_t)
- ')
-
-@@ -170,6 +178,7 @@ dontaudit lvm_t self:capability sys_tty_config;
- allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
- # LVM will complain a lot if it cannot set its priority.
- allow lvm_t self:process setsched;
-+allow lvm_t self:sem create_sem_perms;
- allow lvm_t self:file rw_file_perms;
- allow lvm_t self:fifo_file manage_fifo_file_perms;
- allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -191,8 +200,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
- can_exec(lvm_t, lvm_exec_t)
-
- # Creating lock files
-+manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
- manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
--files_lock_filetrans(lvm_t, lvm_lock_t, file)
-+files_lock_filetrans(lvm_t, lvm_lock_t, { file dir })
-
- manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
- manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-@@ -200,8 +210,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
-
- manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
- manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
-+manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
- manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
--files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
-+files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
-
- read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
- read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -213,11 +224,13 @@ files_search_mnt(lvm_t)
-
- kernel_get_sysvipc_info(lvm_t)
- kernel_read_system_state(lvm_t)
-+kernel_read_kernel_sysctls(lvm_t)
- # Read system variables in /proc/sys
- kernel_read_kernel_sysctls(lvm_t)
- # it has no reason to need this
- kernel_dontaudit_getattr_core_if(lvm_t)
- kernel_use_fds(lvm_t)
-+kernel_request_load_module(lvm_t)
- kernel_search_debugfs(lvm_t)
-
- corecmd_exec_bin(lvm_t)
-@@ -228,11 +241,13 @@ dev_delete_generic_dirs(lvm_t)
- dev_read_rand(lvm_t)
- dev_read_urand(lvm_t)
- dev_rw_lvm_control(lvm_t)
-+dev_write_kmsg(lvm_t)
- dev_manage_generic_symlinks(lvm_t)
- dev_relabel_generic_dev_dirs(lvm_t)
- dev_manage_generic_blk_files(lvm_t)
- # Read /sys/block. Device mapper metadata is kept there.
--dev_read_sysfs(lvm_t)
-+# cryptsetup writes read_ahead_kb
-+dev_rw_sysfs(lvm_t)
- # cjp: this has no effect since LVM does not
- # have lnk_file relabelto for anything else.
- # perhaps this should be blk_files?
-@@ -244,6 +259,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
- dev_dontaudit_getattr_generic_blk_files(lvm_t)
- dev_dontaudit_getattr_generic_pipes(lvm_t)
- dev_create_generic_dirs(lvm_t)
-+dev_rw_generic_files(lvm_t)
-
- domain_use_interactive_fds(lvm_t)
- domain_read_all_domains_state(lvm_t)
-@@ -253,17 +269,21 @@ files_read_etc_files(lvm_t)
- files_read_etc_runtime_files(lvm_t)
- # for when /usr is not mounted:
- files_dontaudit_search_isid_type_dirs(lvm_t)
-+fs_rw_inherited_tmpfs_files(lvm_t)
-
--fs_getattr_xattr_fs(lvm_t)
-+fs_getattr_all_fs(lvm_t)
- fs_search_auto_mountpoints(lvm_t)
- fs_list_tmpfs(lvm_t)
- fs_read_tmpfs_symlinks(lvm_t)
- fs_dontaudit_read_removable_files(lvm_t)
- fs_dontaudit_getattr_tmpfs_files(lvm_t)
- fs_rw_anon_inodefs_files(lvm_t)
-+fs_list_auto_mountpoints(lvm_t)
-+fs_list_hugetlbfs(lvm_t)
-
- mls_file_read_all_levels(lvm_t)
- mls_file_write_to_clearance(lvm_t)
-+mls_file_upgrade(lvm_t)
-
- selinux_get_fs_mount(lvm_t)
- selinux_validate_context(lvm_t)
-@@ -283,7 +303,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
- # Access raw devices and old /dev/lvm (c 109,0). Is this needed?
- storage_manage_fixed_disk(lvm_t)
-
--term_use_all_terms(lvm_t)
-+term_use_all_inherited_terms(lvm_t)
-
- init_use_fds(lvm_t)
- init_dontaudit_getattr_initctl(lvm_t)
-@@ -291,15 +311,20 @@ init_use_script_ptys(lvm_t)
- init_read_script_state(lvm_t)
-
- logging_send_syslog_msg(lvm_t)
-+logging_stream_connect_syslog(lvm_t)
-+
-+authlogin_rw_pipes(lvm_t)
-
--miscfiles_read_localization(lvm_t)
-
- seutil_read_config(lvm_t)
- seutil_read_file_contexts(lvm_t)
- seutil_search_default_contexts(lvm_t)
- seutil_sigchld_newrole(lvm_t)
-
-+userdom_use_inherited_user_terminals(lvm_t)
- userdom_use_user_terminals(lvm_t)
-+userdom_rw_semaphores(lvm_t)
-+userdom_search_user_home_dirs(lvm_t)
-
- ifdef(`distro_redhat',`
- # this is from the initrd:
-@@ -311,6 +336,11 @@ ifdef(`distro_redhat',`
- ')
-
- optional_policy(`
-+ aisexec_stream_connect(lvm_t)
-+ corosync_stream_connect(lvm_t)
-+')
-+
-+optional_policy(`
- bootloader_rw_tmp_files(lvm_t)
- ')
-
-@@ -331,14 +361,26 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ livecd_rw_semaphores(lvm_t)
-+')
-+
-+optional_policy(`
- modutils_domtrans_insmod(lvm_t)
- ')
-
- optional_policy(`
-+ raid_read_mdadm_pid(lvm_t)
-+')
-+
-+optional_policy(`
- rpm_manage_script_tmp_files(lvm_t)
- ')
-
- optional_policy(`
-+ systemd_manage_passwd_run(lvm_t)
-+')
-+
-+optional_policy(`
- udev_read_db(lvm_t)
- ')
-
-diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index fe3427d..2410a4e 100644
---- a/policy/modules/system/miscfiles.fc
-+++ b/policy/modules/system/miscfiles.fc
-@@ -9,8 +9,9 @@ ifdef(`distro_gentoo',`
- # /etc
- #
- /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
--/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
--/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
-+/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+/etc/localtime gen_context(system_u:object_r:locale_t,s0)
-+/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)
- /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
- /etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
-
-@@ -36,11 +37,6 @@ ifdef(`distro_redhat',`
-
- /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
--/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
--/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
--
--/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
--
- /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
- /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
-@@ -75,8 +71,9 @@ ifdef(`distro_redhat',`
-
- /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
- /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
--/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
-+
-+/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:cert_t,s0)
- /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
-
- /var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
-diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index 926ba65..9cac7b3 100644
---- a/policy/modules/system/miscfiles.if
-+++ b/policy/modules/system/miscfiles.if
-@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
-
- ########################################
- ##
-+## Dontaudit attempts to write generic SSL certificates.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`miscfiles_dontaudit_write_generic_cert_files',`
-+ gen_require(`
-+ type cert_t;
-+ ')
-+
-+ dontaudit $1 cert_t:file write;
-+')
-+
-+########################################
-+##
- ## Manage generic SSL certificates.
- ##
- ##
-@@ -434,6 +452,7 @@ interface(`miscfiles_rw_localization',`
- files_search_usr($1)
- allow $1 locale_t:dir list_dir_perms;
- rw_files_pattern($1, locale_t, locale_t)
-+ manage_lnk_files_pattern($1, locale_t, locale_t)
- ')
-
- ########################################
-@@ -453,6 +472,7 @@ interface(`miscfiles_relabel_localization',`
-
- files_search_usr($1)
- relabel_files_pattern($1, locale_t, locale_t)
-+ relabel_lnk_files_pattern($1, locale_t, locale_t)
- ')
-
- ########################################
-@@ -470,7 +490,6 @@ interface(`miscfiles_legacy_read_localization',`
- type locale_t;
- ')
-
-- miscfiles_read_localization($1)
- allow $1 locale_t:file execute;
- ')
-
-@@ -531,6 +550,10 @@ interface(`miscfiles_read_man_pages',`
- allow $1 man_t:dir list_dir_perms;
- read_files_pattern($1, man_t, man_t)
- read_lnk_files_pattern($1, man_t, man_t)
-+
-+ optional_policy(`
-+ mandb_read_cache_files($1)
-+ ')
- ')
-
- ########################################
-@@ -557,6 +580,11 @@ interface(`miscfiles_delete_man_pages',`
- delete_dirs_pattern($1, man_t, man_t)
- delete_files_pattern($1, man_t, man_t)
- delete_lnk_files_pattern($1, man_t, man_t)
-+
-+ optional_policy(`
-+ mandb_setattr_cache_dirs($1)
-+ mandb_delete_cache($1)
-+ ')
- ')
-
- ########################################
-@@ -582,6 +610,30 @@ interface(`miscfiles_manage_man_pages',`
-
- ########################################
- ##
-+## Allow process to relabel man_pages info
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`miscfiles_relabel_man_pages',`
-+ gen_require(`
-+ type man_t;
-+ ')
-+
-+ files_search_usr($1)
-+ relabel_dirs_pattern($1, man_t, man_t)
-+ relabel_files_pattern($1, man_t, man_t)
-+
-+ optional_policy(`
-+ mandb_relabel_cache($1)
-+ ')
-+')
-+
-+########################################
-+##
- ## Read public files used for file
- ## transfer services.
- ##
-@@ -744,8 +796,10 @@ interface(`miscfiles_etc_filetrans_localization',`
- type locale_t;
- ')
-
-- files_etc_filetrans($1, locale_t, file)
--
-+ files_etc_filetrans($1, locale_t, lnk_file)
-+ files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
-+ files_etc_filetrans($1, locale_t, file, "locale.conf" )
-+ files_etc_filetrans($1, locale_t, file, "timezone" )
- ')
-
- ########################################
-@@ -769,3 +823,43 @@ interface(`miscfiles_manage_localization',`
- manage_lnk_files_pattern($1, locale_t, locale_t)
- ')
-
-+########################################
-+##
-+## Transition to miscfiles named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`miscfiles_filetrans_named_content',`
-+ gen_require(`
-+ type locale_t;
-+ type man_t;
-+ type cert_t;
-+ type fonts_t;
-+ type fonts_cache_t;
-+ type hwdata_t;
-+ type tetex_data_t;
-+ type public_content_t;
-+ ')
-+
-+ files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
-+ files_etc_filetrans($1, locale_t, file, "locale.conf")
-+ files_etc_filetrans($1, locale_t, file, "locale.conf.new")
-+ files_var_filetrans($1, man_t, dir, "man")
-+ files_etc_filetrans($1, locale_t, file, "timezone")
-+ files_etc_filetrans($1, locale_t, file, "clock")
-+ files_etc_filetrans($1, cert_t, dir, "pki")
-+ files_usr_filetrans($1, locale_t, dir, "locale")
-+ files_usr_filetrans($1, locale_t, dir, "zoneinfo")
-+ files_usr_filetrans($1, cert_t, dir, "certs")
-+ files_usr_filetrans($1, fonts_t, dir, "fonts")
-+ files_usr_filetrans($1, hwdata_t, dir, "hwdata")
-+ files_var_filetrans($1, fonts_cache_t, dir, "fontconfig")
-+ files_var_filetrans($1, tetex_data_t, dir, "fonts")
-+ files_spool_filetrans($1, tetex_data_t, dir, "texmf")
-+ files_var_lib_filetrans($1, tetex_data_t, dir, "texmf")
-+ files_var_filetrans($1, public_content_t, dir, "ftp")
-+')
-diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index 622fb4f..69b6fef 100644
---- a/policy/modules/system/miscfiles.te
-+++ b/policy/modules/system/miscfiles.te
-@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.0)
- #
- # Declarations
- #
--
- attribute cert_type;
-
- #
-diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
-index 2410551..e5026a9 100644
---- a/policy/modules/system/modutils.fc
-+++ b/policy/modules/system/modutils.fc
-@@ -20,3 +20,15 @@ ifdef(`distro_gentoo',`
- /sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0)
- /sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
- /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-+
-+/usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
-+
-+/usr/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
-+/usr/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-+/usr/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
-+/usr/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
-+/usr/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-+/usr/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
-+/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-+
-+/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
-diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 350c450..2debedc 100644
---- a/policy/modules/system/modutils.if
-+++ b/policy/modules/system/modutils.if
-@@ -12,7 +12,7 @@
- #
- interface(`modutils_getattr_module_deps',`
- gen_require(`
-- type modules_dep_t;
-+ type modules_dep_t, modules_object_t;
- ')
-
- getattr_files_pattern($1, modules_object_t, modules_dep_t)
-@@ -39,6 +39,44 @@ interface(`modutils_read_module_deps',`
-
- ########################################
- ##
-+## Read the dependencies of kernel modules.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`modutils_delete_module_deps',`
-+ gen_require(`
-+ type modules_dep_t;
-+ ')
-+
-+ delete_files_pattern($1, modules_dep_t, modules_dep_t)
-+')
-+
-+########################################
-+##
-+## list the configuration options used when
-+## loading modules.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`modutils_list_module_config',`
-+ gen_require(`
-+ type modules_conf_t;
-+ ')
-+
-+ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
-+')
-+
-+########################################
-+##
- ## Read the configuration options used when
- ## loading modules.
- ##
-@@ -307,11 +345,18 @@ interface(`modutils_domtrans_update_mods',`
- #
- interface(`modutils_run_update_mods',`
- gen_require(`
-- attribute_role update_modules_roles;
-+ #attribute_role update_modules_roles;
-+ type update_modules_t;
- ')
-
-+ #modutils_domtrans_update_mods($1)
-+ #roleattribute $2 update_modules_roles;
-+
- modutils_domtrans_update_mods($1)
-- roleattribute $2 update_modules_roles;
-+ role $2 types update_modules_t;
-+
-+ modutils_run_insmod(update_modules_t, $2)
-+
- ')
-
- ########################################
-@@ -332,3 +377,25 @@ interface(`modutils_exec_update_mods',`
- corecmd_search_bin($1)
- can_exec($1, update_modules_exec_t)
- ')
-+
-+########################################
-+##
-+## Transition to modutils named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`modules_filetrans_named_content',`
-+ gen_require(`
-+ type modules_dep_t;
-+ type modules_conf_t;
-+ ')
-+
-+ files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
-+ files_etc_filetrans($1, modules_conf_t, file, "modules.conf")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
-+')
-diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index b4ff2f7..0db04d2 100644
---- a/policy/modules/system/modutils.te
-+++ b/policy/modules/system/modutils.te
-@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.0)
- # Declarations
- #
-
--attribute_role update_modules_roles;
-+#attribute_role update_modules_roles;
-
- type depmod_t;
- type depmod_exec_t;
-@@ -16,11 +16,12 @@ type insmod_t;
- type insmod_exec_t;
- application_domain(insmod_t, insmod_exec_t)
- mls_file_write_all_levels(insmod_t)
-+mls_process_write_down(insmod_t)
- role system_r types insmod_t;
-
- # module loading config
- type modules_conf_t;
--files_type(modules_conf_t)
-+files_config_file(modules_conf_t)
-
- # module dependencies
- type modules_dep_t;
-@@ -29,12 +30,16 @@ files_type(modules_dep_t)
- type update_modules_t;
- type update_modules_exec_t;
- init_system_domain(update_modules_t, update_modules_exec_t)
--roleattribute system_r update_modules_roles;
--role update_modules_roles types update_modules_t;
-+#roleattribute system_r update_modules_roles;
-+#role update_modules_roles types update_modules_t;
-+role system_r types update_modules_t;
-
- type update_modules_tmp_t;
- files_tmp_file(update_modules_tmp_t)
-
-+type insmod_tmpfs_t;
-+files_tmpfs_file(insmod_tmpfs_t)
-+
- ########################################
- #
- # depmod local policy
-@@ -54,12 +59,15 @@ corecmd_search_bin(depmod_t)
-
- domain_use_interactive_fds(depmod_t)
-
-+files_delete_kernel_modules(depmod_t)
- files_read_kernel_symbol_table(depmod_t)
- files_read_kernel_modules(depmod_t)
- files_read_etc_runtime_files(depmod_t)
- files_read_etc_files(depmod_t)
- files_read_usr_src_files(depmod_t)
- files_list_usr(depmod_t)
-+files_append_var_files(depmod_t)
-+files_read_boot_files(depmod_t)
-
- fs_getattr_xattr_fs(depmod_t)
-
-@@ -69,10 +77,12 @@ init_use_fds(depmod_t)
- init_use_script_fds(depmod_t)
- init_use_script_ptys(depmod_t)
-
--userdom_use_user_terminals(depmod_t)
-+userdom_use_inherited_user_terminals(depmod_t)
- # Read System.map from home directories.
- files_list_home(depmod_t)
- userdom_read_user_home_content_files(depmod_t)
-+userdom_manage_user_tmp_files(depmod_t)
-+userdom_home_reader(depmod_t)
-
- ifdef(`distro_ubuntu',`
- optional_policy(`
-@@ -80,12 +90,8 @@ ifdef(`distro_ubuntu',`
- ')
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(depmod_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(depmod_t)
-+optional_policy(`
-+ bootloader_rw_tmp_files(insmod_t)
- ')
-
- optional_policy(`
-@@ -94,7 +100,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- # Read System.map from home directories.
- unconfined_domain(depmod_t)
- ')
-
-@@ -103,11 +108,12 @@ optional_policy(`
- # insmod local policy
- #
-
--allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
-+allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config };
- allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
-
- allow insmod_t self:udp_socket create_socket_perms;
- allow insmod_t self:rawip_socket create_socket_perms;
-+allow insmod_t self:shm create_shm_perms;
-
- # Read module config and dependency information
- list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-@@ -117,7 +123,11 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
-
- can_exec(insmod_t, insmod_exec_t)
-
-+manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)
-+fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)
-+
- kernel_load_module(insmod_t)
-+files_manage_kernel_modules(insmod_t)
- kernel_request_load_module(insmod_t)
- kernel_read_system_state(insmod_t)
- kernel_read_network_state(insmod_t)
-@@ -125,6 +135,7 @@ kernel_write_proc_files(insmod_t)
- kernel_mount_debugfs(insmod_t)
- kernel_mount_kvmfs(insmod_t)
- kernel_read_debugfs(insmod_t)
-+kernel_request_load_module(insmod_t)
- # Rules for /proc/sys/kernel/tainted
- kernel_read_kernel_sysctls(insmod_t)
- kernel_rw_kernel_sysctl(insmod_t)
-@@ -142,6 +153,7 @@ dev_rw_agp(insmod_t)
- dev_read_sound(insmod_t)
- dev_write_sound(insmod_t)
- dev_rw_apm_bios(insmod_t)
-+dev_create_generic_chr_files(insmod_t)
-
- domain_signal_all_domains(insmod_t)
- domain_use_interactive_fds(insmod_t)
-@@ -151,30 +163,38 @@ files_read_etc_runtime_files(insmod_t)
- files_read_etc_files(insmod_t)
- files_read_usr_files(insmod_t)
- files_exec_etc_files(insmod_t)
-+files_read_kernel_symbol_table(insmod_t)
- # for nscd:
- files_dontaudit_search_pids(insmod_t)
- # for when /var is not mounted early in the boot:
- files_dontaudit_search_isid_type_dirs(insmod_t)
- # for locking: (cjp: ????)
- files_write_kernel_modules(insmod_t)
-+allow insmod_t modules_dep_t:file manage_file_perms;
-+files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
-
- fs_getattr_xattr_fs(insmod_t)
- fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
-+fs_mount_rpc_pipefs(insmod_t)
-+fs_search_rpc(insmod_t)
-+
-+auth_use_nsswitch(insmod_t)
-
- init_rw_initctl(insmod_t)
- init_use_fds(insmod_t)
- init_use_script_fds(insmod_t)
- init_use_script_ptys(insmod_t)
-+init_spec_domtrans_script(insmod_t)
-+init_rw_script_tmp_files(insmod_t)
-+init_dontaudit_getattr_stream_socket(insmod_t)
-
- logging_send_syslog_msg(insmod_t)
- logging_search_logs(insmod_t)
-
--miscfiles_read_localization(insmod_t)
-
- seutil_read_file_contexts(insmod_t)
-
--userdom_use_user_terminals(insmod_t)
--
-+term_use_all_inherited_terms(insmod_t)
- userdom_dontaudit_search_user_home_dirs(insmod_t)
-
- kernel_domtrans_to(insmod_t, insmod_exec_t)
-@@ -184,28 +204,32 @@ optional_policy(`
- ')
-
- optional_policy(`
-- firstboot_dontaudit_rw_pipes(insmod_t)
-- firstboot_dontaudit_rw_stream_sockets(insmod_t)
-+ devicekit_use_fds_disk(insmod_t)
-+ devicekit_dontaudit_read_pid_files(insmod_t)
- ')
-
- optional_policy(`
-- hal_write_log(insmod_t)
-+ firstboot_dontaudit_leaks(insmod_t)
- ')
-
- optional_policy(`
-- hotplug_search_config(insmod_t)
-+ firewallgui_dontaudit_rw_pipes(insmod_t)
- ')
-
- optional_policy(`
-- mount_domtrans(insmod_t)
-+ hal_write_log(insmod_t)
-+')
-+
-+optional_policy(`
-+ hotplug_search_config(insmod_t)
- ')
-
- optional_policy(`
-- nis_use_ypbind(insmod_t)
-+ kdump_manage_kdumpctl_tmp_files(insmod_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(insmod_t)
-+ mount_domtrans(insmod_t)
- ')
-
- optional_policy(`
-@@ -225,6 +249,7 @@ optional_policy(`
-
- optional_policy(`
- rpm_rw_pipes(insmod_t)
-+ rpm_manage_script_tmp_files(insmod_t)
- ')
-
- optional_policy(`
-@@ -233,6 +258,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ virt_dontaudit_write_pipes(insmod_t)
-+')
-+
-+optional_policy(`
- # cjp: why is this needed:
- dev_rw_xserver_misc(insmod_t)
-
-@@ -291,11 +320,10 @@ init_use_script_ptys(update_modules_t)
-
- logging_send_syslog_msg(update_modules_t)
-
--miscfiles_read_localization(update_modules_t)
-
--modutils_run_insmod(update_modules_t, update_modules_roles)
-+#modutils_run_insmod(update_modules_t, update_modules_roles)
-
--userdom_use_user_terminals(update_modules_t)
-+userdom_use_inherited_user_terminals(update_modules_t)
- userdom_dontaudit_search_user_home_dirs(update_modules_t)
-
- ifdef(`distro_gentoo',`
-diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index 72c746e..f035d9f 100644
---- a/policy/modules/system/mount.fc
-+++ b/policy/modules/system/mount.fc
-@@ -1,4 +1,26 @@
-+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
- /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
- /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-
--/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
-+/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-+/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-+
-+/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-+
-+/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
-+/usr/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-+/usr/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-+
-+/usr/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-+/usr/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-+/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0)
-+
-+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-+/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-+
-+/usr/sbin/mount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
-+/usr/sbin/mount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
-+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
-+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
-diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..300c3f7 100644
---- a/policy/modules/system/mount.if
-+++ b/policy/modules/system/mount.if
-@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
- ')
-
- domtrans_pattern($1, mount_exec_t, mount_t)
-+ mount_domtrans_fusermount($1)
-+
-+ allow $1 mount_t:fd use;
-+ ps_process_pattern(mount_t, $1)
-+
-+ allow mount_t $1:key write;
-+ allow mount_t $1:unix_stream_socket { read write };
- ')
-
- ########################################
-@@ -38,11 +45,103 @@ interface(`mount_domtrans',`
- #
- interface(`mount_run',`
- gen_require(`
-- attribute_role mount_roles;
-+ #attribute_role mount_roles;
-+ type mount_t;
- ')
-
-+ #mount_domtrans($1)
-+ #roleattribute $2 mount_roles;
-+
- mount_domtrans($1)
-- roleattribute $2 mount_roles;
-+ role $2 types mount_t;
-+
-+ optional_policy(`
-+ fstools_run(mount_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ lvm_run(mount_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ modutils_run_insmod(mount_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ rpc_run_rpcd(mount_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ samba_run_smbmount(mount_t, $2)
-+ ')
-+
-+')
-+
-+########################################
-+##
-+## Execute fusermount in the mount domain, and
-+## allow the specified role the mount domain,
-+## and use the caller's terminal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the mount domain.
-+##
-+##
-+##
-+#
-+interface(`mount_run_fusermount',`
-+ gen_require(`
-+ type mount_t;
-+ ')
-+
-+ mount_domtrans_fusermount($1)
-+ role $2 types mount_t;
-+
-+ fstools_run(mount_t, $2)
-+')
-+
-+########################################
-+##
-+## Read mount PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mount_read_pid_files',`
-+ gen_require(`
-+ type mount_var_run_t;
-+ ')
-+
-+ allow $1 mount_var_run_t:file read_file_perms;
-+ files_search_pids($1)
-+')
-+
-+########################################
-+##
-+## Manage mount PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mount_manage_pid_files',`
-+ gen_require(`
-+ type mount_var_run_t;
-+ ')
-+
-+ allow $1 mount_var_run_t:file manage_file_perms;
-+ files_search_pids($1)
- ')
-
- ########################################
-@@ -91,7 +190,7 @@ interface(`mount_signal',`
- ##
- ##
- ##
--## The type of the process performing this action.
-+## Domain allowed access.
- ##
- ##
- #
-@@ -131,45 +230,138 @@ interface(`mount_send_nfs_client_request',`
-
- ########################################
- ##
--## Execute mount in the unconfined mount domain.
-+## Read the mount tmp directory
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`mount_domtrans_unconfined',`
-+interface(`mount_list_tmp',`
- gen_require(`
-- type unconfined_mount_t, mount_exec_t;
-+ type mount_tmp_t;
- ')
-
-- domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
-+ allow $1 mount_tmp_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Execute mount in the unconfined mount domain, and
--## allow the specified role the unconfined mount domain,
--## and use the caller's terminal.
-+## Execute fusermount in the mount domain.
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`mount_domtrans_fusermount',`
-+ gen_require(`
-+ type mount_t, fusermount_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, fusermount_exec_t, mount_t)
-+ ps_process_pattern(mount_t, $1)
-+
-+ allow mount_t $1:unix_stream_socket { read write };
-+ allow $1 mount_t:fd use;
-+')
-+
-+########################################
-+##
-+## Execute fusermount.
-+##
-+##
- ##
--## Role allowed access.
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mount_exec_fusermount',`
-+ gen_require(`
-+ type fusermount_exec_t;
-+ ')
-+
-+ can_exec($1, fusermount_exec_t)
-+')
-+
-+########################################
-+##
-+## dontaudit Execute fusermount.
-+##
-+##
-+##
-+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`mount_run_unconfined',`
-+interface(`mount_dontaudit_exec_fusermount',`
- gen_require(`
-- type unconfined_mount_t;
-+ type fusermount_exec_t;
- ')
-
-- mount_domtrans_unconfined($1)
-- role $2 types unconfined_mount_t;
-+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
-+')
-+
-+######################################
-+##
-+## Execute a domain transition to run showmount.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`mount_domtrans_showmount',`
-+ gen_require(`
-+ type showmount_t, showmount_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, showmount_exec_t, showmount_t)
-+')
-+
-+######################################
-+##
-+## Execute showmount in the showmount domain, and
-+## allow the specified role the showmount domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the showmount domain.
-+##
-+##
-+#
-+interface(`mount_run_showmount',`
-+ gen_require(`
-+ type showmount_t;
-+ ')
-+
-+ mount_domtrans_showmount($1)
-+ role $2 types showmount_t;
-+')
-+
-+#######################################
-+##
-+## Transition to ecryptmount.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`mount_domtrans_ecryptmount',`
-+ gen_require(`
-+ type mount_ecryptfs_t, mount_ecryptfs_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
- ')
-diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 63931f6..041c38f 100644
---- a/policy/modules/system/mount.te
-+++ b/policy/modules/system/mount.te
-@@ -10,35 +10,60 @@ policy_module(mount, 1.15.0)
- ## Allow the mount command to mount any directory or file.
- ##
- ##
--gen_tunable(allow_mount_anyfile, false)
-+gen_tunable(mount_anyfile, false)
-
--attribute_role mount_roles;
--roleattribute system_r mount_roles;
-+#attribute_role mount_roles;
-+#roleattribute system_r mount_roles;
-
- type mount_t;
- type mount_exec_t;
- init_system_domain(mount_t, mount_exec_t)
--role mount_roles types mount_t;
-+#role mount_roles types mount_t;
-+role system_r types mount_t;
-+
-+type fusermount_exec_t;
-+domain_entry_file(mount_t, fusermount_exec_t)
-+
-+typealias mount_t alias mount_ntfs_t;
-+typealias mount_exec_t alias mount_ntfs_exec_t;
-
- type mount_loopback_t; # customizable
- files_type(mount_loopback_t)
-+typealias mount_loopback_t alias mount_loop_t;
-
- type mount_tmp_t;
- files_tmp_file(mount_tmp_t)
-
--# causes problems with interfaces when
--# this is optionally declared in monolithic
--# policy--duplicate type declaration
--type unconfined_mount_t;
--application_domain(unconfined_mount_t, mount_exec_t)
-+type mount_var_run_t;
-+files_pid_file(mount_var_run_t)
-+dev_associate(mount_var_run_t)
-+
-+# showmount - show mount information for an NFS server
-+
-+type showmount_t;
-+type showmount_exec_t;
-+application_domain(showmount_t, showmount_exec_t)
-+role system_r types showmount_t;
-+
-+type mount_ecryptfs_t;
-+type mount_ecryptfs_exec_t;
-+application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t)
-+role system_r types mount_ecryptfs_t;
-+
-+type mount_ecryptfs_tmpfs_t;
-+files_tmpfs_file(mount_ecryptfs_tmpfs_t)
-
- ########################################
- #
- # mount local policy
- #
-
--# setuid/setgid needed to mount cifs
--allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
-+# setuid/setgid needed to mount cifs
-+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice };
-+allow mount_t self:process { getcap getsched setsched setcap setrlimit signal };
-+allow mount_t self:fifo_file rw_fifo_file_perms;
-+allow mount_t self:unix_stream_socket create_stream_socket_perms;
-+allow mount_t self:unix_dgram_socket create_socket_perms;
-
- allow mount_t mount_loopback_t:file read_file_perms;
-
-@@ -49,9 +74,25 @@ can_exec(mount_t, mount_exec_t)
-
- files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
-
-+manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
-+manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
-+files_pid_filetrans(mount_t,mount_var_run_t,dir)
-+files_var_filetrans(mount_t,mount_var_run_t,dir)
-+dev_filetrans(mount_t, mount_var_run_t, dir)
-+
-+# In order to mount reiserfs_t
-+kernel_dontaudit_getattr_core_if(mount_t)
-+kernel_list_unlabeled(mount_t)
-+kernel_mount_unlabeled(mount_t)
-+kernel_unmount_unlabeled(mount_t)
- kernel_read_system_state(mount_t)
-+kernel_read_network_state(mount_t)
- kernel_read_kernel_sysctls(mount_t)
--kernel_dontaudit_getattr_core_if(mount_t)
-+kernel_relabelfrom_unlabeled_fs(mount_t)
-+kernel_manage_debugfs(mount_t)
-+kernel_setsched(mount_t)
-+kernel_use_fds(mount_t)
-+kernel_request_load_module(mount_t)
- kernel_dontaudit_write_debugfs_dirs(mount_t)
- kernel_dontaudit_write_proc_dirs(mount_t)
- # To load binfmt_misc kernel module
-@@ -60,31 +101,46 @@ kernel_request_load_module(mount_t)
- # required for mount.smbfs
- corecmd_exec_bin(mount_t)
-
-+dev_getattr_generic_blk_files(mount_t)
- dev_getattr_all_blk_files(mount_t)
- dev_list_all_dev_nodes(mount_t)
-+dev_read_usbfs(mount_t)
-+dev_read_rand(mount_t)
-+dev_read_urand(mount_t)
- dev_read_sysfs(mount_t)
- dev_dontaudit_write_sysfs_dirs(mount_t)
- dev_rw_lvm_control(mount_t)
- dev_dontaudit_getattr_all_chr_files(mount_t)
- dev_dontaudit_getattr_memory_dev(mount_t)
- dev_getattr_sound_dev(mount_t)
-+
-+ifdef(`hide_broken_symptoms',`
-+ dev_rw_generic_blk_files(mount_t)
-+')
-+
- # Early devtmpfs, before udev relabel
- dev_dontaudit_rw_generic_chr_files(mount_t)
-
- domain_use_interactive_fds(mount_t)
-+domain_read_all_domains_state(mount_t)
-
- files_search_all(mount_t)
- files_read_etc_files(mount_t)
-+files_read_etc_runtime_files(mount_t)
- files_manage_etc_runtime_files(mount_t)
- files_etc_filetrans_etc_runtime(mount_t, file)
-+# for when /etc/mtab loses its type
-+files_delete_etc_files(mount_t)
- files_mounton_all_mountpoints(mount_t)
-+files_setattr_all_mountpoints(mount_t)
-+# ntfs-3g checks whether the mountpoint is writable before mounting
-+files_write_all_mountpoints(mount_t)
- files_unmount_rootfs(mount_t)
-+
- # These rules need to be generalized. Only admin, initrc should have it:
--files_relabelto_all_file_type_fs(mount_t)
-+files_relabel_all_file_type_fs(mount_t)
- files_mount_all_file_type_fs(mount_t)
- files_unmount_all_file_type_fs(mount_t)
--# for when /etc/mtab loses its type
--# cjp: this seems wrong, the type should probably be etc
- files_read_isid_type_files(mount_t)
- # For reading cert files
- files_read_usr_files(mount_t)
-@@ -92,28 +148,42 @@ files_list_mnt(mount_t)
- files_dontaudit_write_all_mountpoints(mount_t)
- files_dontaudit_setattr_all_mountpoints(mount_t)
-
--fs_getattr_xattr_fs(mount_t)
--fs_getattr_cifs(mount_t)
-+fs_list_all(mount_t)
-+fs_getattr_all_fs(mount_t)
- fs_mount_all_fs(mount_t)
- fs_unmount_all_fs(mount_t)
- fs_remount_all_fs(mount_t)
- fs_relabelfrom_all_fs(mount_t)
--fs_list_auto_mountpoints(mount_t)
-+fs_rw_anon_inodefs_files(mount_t)
- fs_rw_tmpfs_chr_files(mount_t)
-+fs_rw_nfsd_fs(mount_t)
-+fs_rw_removable_blk_files(mount_t)
-+#fs_manage_tmpfs_dirs(mount_t)
- fs_read_tmpfs_symlinks(mount_t)
-+fs_read_fusefs_files(mount_t)
-+fs_manage_nfs_dirs(mount_t)
-+fs_read_nfs_symlinks(mount_t)
-+fs_manage_cgroup_dirs(mount_t)
-+fs_manage_cgroup_files(mount_t)
- fs_dontaudit_write_tmpfs_dirs(mount_t)
-
--mls_file_read_all_levels(mount_t)
--mls_file_write_all_levels(mount_t)
-+mcs_file_read_all(mount_t)
-+mcs_file_write_all(mount_t)
-+
-+mls_file_read_to_clearance(mount_t)
-+mls_file_write_to_clearance(mount_t)
-+mls_process_write_to_clearance(mount_t)
-
- selinux_get_enforce_mode(mount_t)
-+selinux_mounton_fs(mount_t)
-
- storage_raw_read_fixed_disk(mount_t)
- storage_raw_write_fixed_disk(mount_t)
- storage_raw_read_removable_device(mount_t)
- storage_raw_write_removable_device(mount_t)
-+storage_rw_fuse(mount_t)
-
--term_use_all_terms(mount_t)
-+term_use_all_inherited_terms(mount_t)
- term_dontaudit_manage_pty_dirs(mount_t)
-
- auth_use_nsswitch(mount_t)
-@@ -121,16 +191,20 @@ auth_use_nsswitch(mount_t)
- init_use_fds(mount_t)
- init_use_script_ptys(mount_t)
- init_dontaudit_getattr_initctl(mount_t)
-+init_stream_connect_script(mount_t)
-+init_rw_script_stream_sockets(mount_t)
-
- logging_send_syslog_msg(mount_t)
-
--miscfiles_read_localization(mount_t)
-
- sysnet_use_portmap(mount_t)
-
- seutil_read_config(mount_t)
-
- userdom_use_all_users_fds(mount_t)
-+userdom_manage_user_home_content_dirs(mount_t)
-+userdom_read_user_home_content_symlinks(mount_t)
-+userdom_list_user_tmp(mount_t)
-
- ifdef(`distro_redhat',`
- optional_policy(`
-@@ -146,26 +220,27 @@ ifdef(`distro_ubuntu',`
- ')
- ')
-
--tunable_policy(`allow_mount_anyfile',`
-- files_list_non_auth_dirs(mount_t)
-- files_read_non_auth_files(mount_t)
-+corecmd_exec_shell(mount_t)
-+
-+tunable_policy(`mount_anyfile',`
-+ files_read_non_security_files(mount_t)
- files_mounton_non_security(mount_t)
-+ files_rw_inherited_non_security_files(mount_t)
- ')
-
- optional_policy(`
- # for nfs
-- corenet_all_recvfrom_unlabeled(mount_t)
- corenet_all_recvfrom_netlabel(mount_t)
-- corenet_tcp_sendrecv_all_if(mount_t)
-- corenet_raw_sendrecv_all_if(mount_t)
-- corenet_udp_sendrecv_all_if(mount_t)
-- corenet_tcp_sendrecv_all_nodes(mount_t)
-- corenet_raw_sendrecv_all_nodes(mount_t)
-- corenet_udp_sendrecv_all_nodes(mount_t)
-+ corenet_tcp_sendrecv_generic_if(mount_t)
-+ corenet_raw_sendrecv_generic_if(mount_t)
-+ corenet_udp_sendrecv_generic_if(mount_t)
-+ corenet_tcp_sendrecv_generic_node(mount_t)
-+ corenet_raw_sendrecv_generic_node(mount_t)
-+ corenet_udp_sendrecv_generic_node(mount_t)
- corenet_tcp_sendrecv_all_ports(mount_t)
- corenet_udp_sendrecv_all_ports(mount_t)
-- corenet_tcp_bind_all_nodes(mount_t)
-- corenet_udp_bind_all_nodes(mount_t)
-+ corenet_tcp_bind_generic_node(mount_t)
-+ corenet_udp_bind_generic_node(mount_t)
- corenet_tcp_bind_generic_port(mount_t)
- corenet_udp_bind_generic_port(mount_t)
- corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +254,8 @@ optional_policy(`
- fs_search_rpc(mount_t)
-
- rpc_stub(mount_t)
-+
-+ rpc_domtrans_rpcd(mount_t)
- ')
-
- optional_policy(`
-@@ -186,6 +263,28 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ cron_system_entry(mount_t, mount_exec_t)
-+')
-+
-+optional_policy(`
-+ devicekit_read_state_power(mount_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(mount_t)
-+
-+ optional_policy(`
-+ hal_dbus_chat(mount_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ hal_write_log(mount_t)
-+ hal_use_fds(mount_t)
-+ hal_dontaudit_rw_pipes(mount_t)
-+')
-+
-+optional_policy(`
- ifdef(`hide_broken_symptoms',`
- # for a bug in the X server
- rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -193,21 +292,121 @@ optional_policy(`
- ')
- ')
-
-+optional_policy(`
-+ livecd_rw_tmp_files(mount_t)
-+')
-+
-+# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
-+optional_policy(`
-+# lvm_run(mount_t, mount_roles)
-+ lvm_domtrans(mount_t)
-+')
-+
-+optional_policy(`
-+ #modutils_run_insmod(mount_t, mount_roles)
-+ modutils_domtrans_insmod(mount_t)
-+ modutils_read_module_deps(mount_t)
-+')
-+
-+optional_policy(`
-+ fstools_domtrans(mount_t)
-+ #fstools_run(mount_t, mount_roles)
-+')
-+
-+optional_policy(`
-+ rhcs_stream_connect_gfs_controld(mount_t)
-+')
-+
-+#optional_policy(`
-+# rpc_run_rpcd(mount_t, mount_roles)
-+#')
-+
- # for kernel package installation
- optional_policy(`
- rpm_rw_pipes(mount_t)
-+ rpm_dontaudit_leaks(mount_t)
- ')
-
- optional_policy(`
-- samba_run_smbmount(mount_t, mount_roles)
-+ samba_read_config(mount_t)
-+ samba_domtrans_smbmount(mount_t)
-+ #samba_run_smbmount(mount_t, mount_roles)
- ')
-
--########################################
--#
--# Unconfined mount local policy
--#
-+optional_policy(`
-+ ssh_exec(mount_t)
-+')
-+
-+optional_policy(`
-+ usbmuxd_stream_connect(mount_t)
-+')
-+
-+optional_policy(`
-+ userhelper_exec_console(mount_t)
-+')
-+
-+optional_policy(`
-+ virt_read_blk_images(mount_t)
-+')
-
- optional_policy(`
-- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
-- unconfined_domain(unconfined_mount_t)
-+ vmware_exec_host(mount_t)
- ')
-+
-+######################################
-+#
-+# showmount local policy
-+#
-+
-+allow showmount_t self:tcp_socket create_stream_socket_perms;
-+allow showmount_t self:udp_socket create_socket_perms;
-+
-+kernel_read_system_state(showmount_t)
-+
-+corenet_all_recvfrom_netlabel(showmount_t)
-+corenet_tcp_sendrecv_generic_if(showmount_t)
-+corenet_udp_sendrecv_generic_if(showmount_t)
-+corenet_tcp_sendrecv_generic_node(showmount_t)
-+corenet_udp_sendrecv_generic_node(showmount_t)
-+corenet_tcp_sendrecv_all_ports(showmount_t)
-+corenet_udp_sendrecv_all_ports(showmount_t)
-+corenet_tcp_bind_generic_node(showmount_t)
-+corenet_udp_bind_generic_node(showmount_t)
-+corenet_tcp_bind_all_rpc_ports(showmount_t)
-+corenet_udp_bind_all_rpc_ports(showmount_t)
-+corenet_tcp_connect_all_ports(showmount_t)
-+
-+files_read_etc_files(showmount_t)
-+files_read_etc_runtime_files(showmount_t)
-+
-+
-+sysnet_dns_name_resolve(showmount_t)
-+
-+userdom_use_inherited_user_terminals(showmount_t)
-+
-+#######################################
-+#
-+# mount_ecryptfs local policy
-+#
-+
-+domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t)
-+
-+allow mount_ecryptfs_t self:capability setgid;
-+allow mount_ecryptfs_t self:capability { setuid sys_admin };
-+allow mount_ecryptfs_t self:fifo_file rw_fifo_file_perms;
-+allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
-+manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
-+fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
-+userdom_rw_user_tmpfs_files(mount_ecryptfs_t)
-+
-+domain_use_interactive_fds(mount_ecryptfs_t)
-+
-+files_read_etc_files(mount_ecryptfs_t)
-+
-+fs_read_ecryptfs_symlinks(mount_ecryptfs_t)
-+fs_read_ecryptfs_files(mount_ecryptfs_t)
-+
-+auth_use_nsswitch(mount_ecryptfs_t)
-+
-diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
-index b263a8a..9348c8c 100644
---- a/policy/modules/system/netlabel.fc
-+++ b/policy/modules/system/netlabel.fc
-@@ -1 +1,3 @@
- /sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
-+
-+/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
-diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
-index cbbda4a..8dcc346 100644
---- a/policy/modules/system/netlabel.te
-+++ b/policy/modules/system/netlabel.te
-@@ -23,6 +23,11 @@ kernel_read_network_state(netlabel_mgmt_t)
-
- files_read_etc_files(netlabel_mgmt_t)
-
-+term_use_all_inherited_terms(netlabel_mgmt_t)
-+
- seutil_use_newrole_fds(netlabel_mgmt_t)
-
--userdom_use_user_terminals(netlabel_mgmt_t)
-+term_use_all_terms(netlabel_mgmt_t)
-+
-+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
-+
-diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
-index d43f3b1..c4182e8 100644
---- a/policy/modules/system/selinuxutil.fc
-+++ b/policy/modules/system/selinuxutil.fc
-@@ -6,13 +6,14 @@
- /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
- /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
- /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
--/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
-+/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)
-+/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
- /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
--/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-+/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0)
- /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
- /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
- /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
--/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-+/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0)
-
- #
- # /root
-@@ -35,12 +36,14 @@
- /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
-
- /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
-+/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
- /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
- /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
- /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
--/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
-+/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0)
- /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
- /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
-+/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0)
-
- #
- # /var/lib
-@@ -51,3 +54,7 @@
- # /var/run
- #
- /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
-+
-+
-+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..702e0e0 100644
---- a/policy/modules/system/selinuxutil.if
-+++ b/policy/modules/system/selinuxutil.if
-@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
- #
- interface(`seutil_run_newrole',`
- gen_require(`
-- attribute_role newrole_roles;
-+ type newrole_t;
-+ #attribute_role newrole_roles;
- ')
-
-+ #seutil_domtrans_newrole($1)
-+ #roleattribute $2 newrole_roles;
-+
- seutil_domtrans_newrole($1)
-- roleattribute $2 newrole_roles;
-+ role $2 types newrole_t;
-+
-+ auth_run_upd_passwd(newrole_t, $2)
-+
-+ optional_policy(`
-+ namespace_init_run(newrole_t, $2)
-+ ')
-+
- ')
-
- ########################################
-@@ -359,6 +370,27 @@ interface(`seutil_exec_restorecon',`
-
- ########################################
- ##
-+## Execute restorecond in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`seutil_exec_restorecond',`
-+ gen_require(`
-+ type restorecond_exec_t;
-+ ')
-+
-+ files_search_usr($1)
-+ corecmd_search_bin($1)
-+ can_exec($1, restorecond_exec_t)
-+')
-+
-+########################################
-+##
- ## Execute run_init in the run_init domain.
- ##
- ##
-@@ -425,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',`
- #
- interface(`seutil_run_runinit',`
- gen_require(`
-- attribute_role run_init_roles;
-+ #attribute_role run_init_roles;
-+ type run_init_t;
-+ role system_r;
- ')
-
-- seutil_domtrans_runinit($1)
-- roleattribute $2 run_init_roles;
-+ #seutil_domtrans_runinit($1)
-+ #roleattribute $2 run_init_roles;
-+
-+ auth_run_chk_passwd(run_init_t, $2)
-+ seutil_domtrans_runinit($1)
-+ role $2 types run_init_t;
-+
-+ allow $2 system_r;
-+
- ')
-
- ########################################
-@@ -461,11 +502,19 @@ interface(`seutil_run_runinit',`
- #
- interface(`seutil_init_script_run_runinit',`
- gen_require(`
-- attribute_role run_init_roles;
-+ #attribute_role run_init_roles;
-+ type run_init_t;
-+ role system_r;
- ')
-
-- seutil_init_script_domtrans_runinit($1)
-- roleattribute $2 run_init_roles;
-+ #seutil_init_script_domtrans_runinit($1)
-+ #roleattribute $2 run_init_roles;
-+ auth_run_chk_passwd(run_init_t, $2)
-+ seutil_init_script_domtrans_runinit($1)
-+ role $2 types run_init_t;
-+
-+ allow $2 system_r;
-+
- ')
-
- ########################################
-@@ -535,6 +584,53 @@ interface(`seutil_run_setfiles',`
-
- ########################################
- ##
-+## Execute setfiles in the setfiles domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_domtrans_setfiles_mac',`
-+ gen_require(`
-+ type setfiles_mac_t, setfiles_exec_t;
-+ ')
-+
-+ files_search_usr($1)
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t)
-+')
-+
-+########################################
-+##
-+## Execute setfiles in the setfiles_mac domain, and
-+## allow the specified role the setfiles_mac domain,
-+## and use the caller's terminal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the setfiles_mac domain.
-+##
-+##
-+##
-+#
-+interface(`seutil_run_setfiles_mac',`
-+ gen_require(`
-+ type setfiles_mac_t;
-+ ')
-+
-+ seutil_domtrans_setfiles_mac($1)
-+ role $2 types setfiles_mac_t;
-+')
-+
-+########################################
-+##
- ## Execute setfiles in the caller domain.
- ##
- ##
-@@ -680,10 +776,115 @@ interface(`seutil_manage_config',`
- ')
-
- files_search_etc($1)
-+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
- manage_files_pattern($1, selinux_config_t, selinux_config_t)
- read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
- ')
-
-+######################################
-+##
-+## Create, read, write, and delete
-+## the general selinux configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`seutil_manage_config_dirs',`
-+ gen_require(`
-+ type selinux_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search the SELinux
-+## login configuration directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`seutil_dontaudit_search_login_config',`
-+ gen_require(`
-+ type selinux_login_config_t;
-+ ')
-+
-+ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read the SELinux
-+## login configuration.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`seutil_dontaudit_read_login_config',`
-+ gen_require(`
-+ type selinux_login_config_t;
-+ ')
-+ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
-+ dontaudit $1 selinux_login_config_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Read the SELinux login configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_read_login_config',`
-+ gen_require(`
-+ type selinux_config_t;
-+ type selinux_login_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ allow $1 selinux_login_config_t:dir list_dir_perms;
-+ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+')
-+
-+########################################
-+##
-+## Read and write the SELinux login configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_rw_login_config',`
-+ gen_require(`
-+ type selinux_config_t;
-+ type selinux_login_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ allow $1 selinux_login_config_t:dir list_dir_perms;
-+ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+')
-+
- #######################################
- ##
- ## Create, read, write, and delete
-@@ -694,15 +895,62 @@ interface(`seutil_manage_config',`
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`seutil_manage_config_dirs',`
-+interface(`seutil_rw_login_config_dirs',`
- gen_require(`
- type selinux_config_t;
-+ type selinux_login_config_t;
- ')
-
- files_search_etc($1)
-- allow $1 selinux_config_t:dir manage_dir_perms;
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ allow $1 selinux_login_config_t:dir rw_dir_perms;
-+')
-+
-+######################################
-+##
-+## Create, read, write, and delete
-+## the general selinux configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_manage_login_config',`
-+ gen_require(`
-+ type selinux_config_t;
-+ type selinux_login_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+')
-+
-+######################################
-+##
-+## manage the login selinux configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_manage_login_config_files',`
-+ gen_require(`
-+ type selinux_config_t;
-+ type selinux_login_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
- ')
-
- ########################################
-@@ -746,6 +994,29 @@ interface(`seutil_read_default_contexts',`
- read_files_pattern($1, default_context_t, default_context_t)
- ')
-
-+#######################################
-+##
-+## Read and write the default_contexts files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`seutil_rw_default_contexts',`
-+ gen_require(`
-+ type default_context_t;
-+ type selinux_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir list_dir_perms;
-+ allow $1 default_context_t:dir list_dir_perms;
-+ rw_files_pattern($1, default_context_t, default_context_t)
-+')
-+
- ########################################
- ##
- ## Create, read, write, and delete the default_contexts files.
-@@ -999,6 +1270,26 @@ interface(`seutil_domtrans_semanage',`
-
- ########################################
- ##
-+## Execute a domain transition to run setsebool.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`seutil_domtrans_setsebool',`
-+ gen_require(`
-+ type setsebool_t, setsebool_exec_t;
-+ ')
-+
-+ files_search_usr($1)
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, setsebool_exec_t, setsebool_t)
-+')
-+
-+########################################
-+##
- ## Execute semanage in the semanage domain, and
- ## allow the specified role the semanage domain,
- ## and use the caller's terminal.
-@@ -1017,11 +1308,66 @@ interface(`seutil_domtrans_semanage',`
- #
- interface(`seutil_run_semanage',`
- gen_require(`
-- attribute_role semanage_roles;
-+ #attribute_role semanage_roles;
-+ type semanage_t;
- ')
-
-+ #seutil_domtrans_semanage($1)
-+ #roleattribute $2 semanage_roles;
-+
- seutil_domtrans_semanage($1)
-- roleattribute $2 semanage_roles;
-+ seutil_run_setfiles(semanage_t, $2)
-+ seutil_run_loadpolicy(semanage_t, $2)
-+ role $2 types semanage_t;
-+
-+')
-+
-+########################################
-+##
-+## Execute setsebool in the semanage domain, and
-+## allow the specified role the semanage domain,
-+## and use the caller's terminal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the setsebool domain.
-+##
-+##
-+##
-+#
-+interface(`seutil_run_setsebool',`
-+ gen_require(`
-+ type semanage_t;
-+ ')
-+
-+ seutil_domtrans_setsebool($1)
-+ role $2 types setsebool_t;
-+')
-+
-+########################################
-+##
-+## Full management of the semanage
-+## module store.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_read_module_store',`
-+ gen_require(`
-+ type selinux_config_t, semanage_store_t;
-+ ')
-+
-+ files_search_etc($1)
-+ list_dirs_pattern($1, selinux_config_t, semanage_store_t)
-+ read_files_pattern($1, semanage_store_t, semanage_store_t)
- ')
-
- ########################################
-@@ -1044,6 +1390,9 @@ interface(`seutil_manage_module_store',`
- manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
- manage_files_pattern($1, semanage_store_t, semanage_store_t)
- filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
- ')
-
- #######################################
-@@ -1137,3 +1486,69 @@ interface(`seutil_dontaudit_libselinux_linked',`
- selinux_dontaudit_get_fs_mount($1)
- seutil_dontaudit_read_config($1)
- ')
-+
-+#######################################
-+##
-+## All rules necessary to run semanage command
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_semanage_policy',`
-+ gen_require(`
-+ type semanage_tmp_t;
-+ type policy_config_t;
-+ attribute policy_manager_domain;
-+ ')
-+ typeattribute $1 policy_manager_domain;
-+
-+ kernel_read_system_state($1)
-+
-+ # Running genhomedircon requires this for finding all users
-+ auth_use_nsswitch($1)
-+
-+ mls_file_write_all_levels($1)
-+ mls_file_read_all_levels($1)
-+
-+ selinux_get_enforce_mode($1)
-+
-+ seutil_manage_bin_policy($1)
-+
-+ logging_send_syslog_msg($1)
-+')
-+
-+#######################################
-+##
-+## All rules necessary to run setfiles command
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_setfiles',`
-+
-+ gen_require(`
-+ attribute setfiles_domain;
-+ ')
-+ typeattribute $1 setfiles_domain;
-+
-+ kernel_read_system_state($1)
-+ seutil_libselinux_linked($1)
-+
-+ files_relabel_all_files($1)
-+
-+ mls_file_read_all_levels($1)
-+ mls_file_write_all_levels($1)
-+ mls_file_upgrade($1)
-+ mls_file_downgrade($1)
-+
-+ # this is to satisfy the assertion:
-+ auth_relabelto_shadow($1)
-+
-+ logging_send_syslog_msg($1)
-+')
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..51e91d2 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -11,14 +11,17 @@ gen_require(`
-
- attribute can_write_binary_policy;
- attribute can_relabelto_binary_policy;
-+attribute setfiles_domain;
-+attribute seutil_semanage_domain;
-+attribute policy_manager_domain;
-
--attribute_role newrole_roles;
-+#attribute_role newrole_roles;
-
--attribute_role run_init_roles;
--role system_r types run_init_t;
-+#attribute_role run_init_roles;
-+#role system_r types run_init_t;
-
--attribute_role semanage_roles;
--roleattribute system_r semanage_roles;
-+#attribute_role semanage_roles;
-+#roleattribute system_r semanage_roles;
-
- #
- # selinux_config_t is the type applied to
-@@ -30,6 +33,12 @@ roleattribute system_r semanage_roles;
- type selinux_config_t;
- files_type(selinux_config_t)
-
-+type selinux_login_config_t;
-+files_type(selinux_login_config_t)
-+
-+type selinux_var_lib_t;
-+files_type(selinux_var_lib_t)
-+
- type checkpolicy_t, can_write_binary_policy;
- type checkpolicy_exec_t;
- application_domain(checkpolicy_t, checkpolicy_exec_t)
-@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t)
- domain_role_change_exemption(newrole_t)
- domain_obj_id_change_exemption(newrole_t)
- domain_interactive_fd(newrole_t)
--role newrole_roles types newrole_t;
-+#role newrole_roles types newrole_t;
-+role system_r types newrole_t;
-
- #
- # policy_config_t is the type of /etc/security/selinux/*
- # the security server policy configuration.
- #
--type policy_config_t;
--files_type(policy_config_t)
-+#type policy_config_t;
-+#files_type(policy_config_t)
-+gen_require(`
-+ type semanage_store_t;
-+')
-+
-+typealias semanage_store_t alias policy_config_t;
-
- neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
- #neverallow ~can_write_binary_policy policy_config_t:file { write append };
-@@ -83,7 +98,6 @@ type restorecond_t;
- type restorecond_exec_t;
- init_daemon_domain(restorecond_t, restorecond_exec_t)
- domain_obj_id_change_exemption(restorecond_t)
--role system_r types restorecond_t;
-
- type restorecond_var_run_t;
- files_pid_file(restorecond_var_run_t)
-@@ -92,25 +106,32 @@ type run_init_t;
- type run_init_exec_t;
- application_domain(run_init_t, run_init_exec_t)
- domain_system_change_exemption(run_init_t)
--role run_init_roles types run_init_t;
-+#role run_init_roles types run_init_t;
-+role system_r types run_init_t;
-
- type semanage_t;
- type semanage_exec_t;
- application_domain(semanage_t, semanage_exec_t)
-+init_daemon_domain(semanage_t, semanage_exec_t)
- domain_interactive_fd(semanage_t)
--role semanage_roles types semanage_t;
-+#role semanage_roles types semanage_t;
-+role system_r types semanage_t;
-+
-+type setsebool_t;
-+type setsebool_exec_t;
-+init_system_domain(setsebool_t, setsebool_exec_t)
-
- type semanage_store_t;
- files_type(semanage_store_t)
-
- type semanage_read_lock_t;
--files_type(semanage_read_lock_t)
-+files_lock_file(semanage_read_lock_t)
-
- type semanage_tmp_t;
- files_tmp_file(semanage_tmp_t)
-
--type semanage_trans_lock_t;
--files_type(semanage_trans_lock_t)
-+type semanage_trans_lock_t;
-+files_lock_file(semanage_trans_lock_t)
-
- type semanage_var_lib_t;
- files_type(semanage_var_lib_t)
-@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t;
- init_system_domain(setfiles_t, setfiles_exec_t)
- domain_obj_id_change_exemption(setfiles_t)
-
-+type setfiles_mac_t;
-+domain_type(setfiles_mac_t)
-+domain_entry_file(setfiles_mac_t, setfiles_exec_t)
-+domain_obj_id_change_exemption(setfiles_mac_t)
-+
- ########################################
- #
- # Checkpolicy local policy
-@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
- read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
- read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
- allow checkpolicy_t selinux_config_t:dir search_dir_perms;
-+allow checkpolicy_t selinux_login_config_t:dir search_dir_perms;
-
- domain_use_interactive_fds(checkpolicy_t)
-
-@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t)
- init_use_fds(checkpolicy_t)
- init_use_script_ptys(checkpolicy_t)
-
--userdom_use_user_terminals(checkpolicy_t)
-+userdom_use_inherited_user_terminals(checkpolicy_t)
- userdom_use_all_users_fds(checkpolicy_t)
-
- ifdef(`distro_ubuntu',`
-@@ -188,13 +215,13 @@ term_list_ptys(load_policy_t)
-
- init_use_script_fds(load_policy_t)
- init_use_script_ptys(load_policy_t)
--
--miscfiles_read_localization(load_policy_t)
-+init_write_script_pipes(load_policy_t)
-
- seutil_libselinux_linked(load_policy_t)
-
--userdom_use_user_terminals(load_policy_t)
-+userdom_use_inherited_user_terminals(load_policy_t)
- userdom_use_all_users_fds(load_policy_t)
-+userdom_dontaudit_read_user_tmp_files(load_policy_t)
-
- ifdef(`distro_ubuntu',`
- optional_policy(`
-@@ -205,6 +232,7 @@ ifdef(`distro_ubuntu',`
- ifdef(`hide_broken_symptoms',`
- # cjp: cover up stray file descriptors.
- dontaudit load_policy_t selinux_config_t:file write;
-+ dontaudit load_policy_t selinux_login_config_t:file write;
-
- optional_policy(`
- unconfined_dontaudit_read_pipes(load_policy_t)
-@@ -215,12 +243,17 @@ optional_policy(`
- portage_dontaudit_use_fds(load_policy_t)
- ')
-
-+optional_policy(`
-+ # pki is leaking
-+ pki_dontaudit_write_log(load_policy_t)
-+')
-+
- ########################################
- #
- # Newrole local policy
- #
-
--allow newrole_t self:capability { fowner setuid setgid dac_override };
-+allow newrole_t self:capability { fowner setpcap setuid setgid dac_override };
- allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
- allow newrole_t self:process setexec;
- allow newrole_t self:fd use;
-@@ -232,7 +265,7 @@ allow newrole_t self:msgq create_msgq_perms;
- allow newrole_t self:msg { send receive };
- allow newrole_t self:unix_dgram_socket sendto;
- allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
--allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+logging_send_audit_msgs(newrole_t)
-
- read_files_pattern(newrole_t, default_context_t, default_context_t)
- read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -249,6 +282,7 @@ domain_use_interactive_fds(newrole_t)
- # for when the user types "exec newrole" at the command line:
- domain_sigchld_interactive_fds(newrole_t)
-
-+files_list_var(newrole_t)
- files_read_etc_files(newrole_t)
- files_read_var_files(newrole_t)
- files_read_var_symlinks(newrole_t)
-@@ -276,25 +310,38 @@ term_relabel_all_ptys(newrole_t)
- term_getattr_unallocated_ttys(newrole_t)
- term_dontaudit_use_unallocated_ttys(newrole_t)
-
--auth_use_nsswitch(newrole_t)
--auth_run_chk_passwd(newrole_t, newrole_roles)
--auth_run_upd_passwd(newrole_t, newrole_roles)
--auth_rw_faillog(newrole_t)
-+#auth_use_nsswitch(newrole_t)
-+#auth_run_chk_passwd(newrole_t, newrole_roles)
-+#auth_run_upd_passwd(newrole_t, newrole_roles)
-+#auth_rw_faillog(newrole_t)
-+auth_use_pam(newrole_t)
-
- # Write to utmp.
- init_rw_utmp(newrole_t)
- init_use_fds(newrole_t)
-
--logging_send_syslog_msg(newrole_t)
--
--miscfiles_read_localization(newrole_t)
-
- seutil_libselinux_linked(newrole_t)
-
-+userdom_use_unpriv_users_fds(newrole_t)
- # for some PAM modules and for cwd
- userdom_dontaudit_search_user_home_content(newrole_t)
- userdom_search_user_home_dirs(newrole_t)
-
-+# need to talk with dbus
-+optional_policy(`
-+ dbus_system_bus_client(newrole_t)
-+')
-+
-+#optional_policy(`
-+# namespace_init_run(newrole_t, newrole_roles)
-+#')
-+
-+
-+optional_policy(`
-+ xserver_dontaudit_exec_xauth(newrole_t)
-+')
-+
- ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(newrole_t)
-@@ -309,7 +356,7 @@ if(secure_mode) {
- userdom_spec_domtrans_all_users(newrole_t)
- }
-
--tunable_policy(`allow_polyinstantiation',`
-+tunable_policy(`polyinstantiation_enabled',`
- files_polyinstantiate_all(newrole_t)
- ')
-
-@@ -328,9 +375,13 @@ kernel_use_fds(restorecond_t)
- kernel_rw_pipes(restorecond_t)
- kernel_read_system_state(restorecond_t)
-
-+dev_relabel_all_dev_nodes(restorecond_t)
-+
-+files_dontaudit_read_all_symlinks(restorecond_t)
-+
- fs_relabelfrom_noxattr_fs(restorecond_t)
- fs_dontaudit_list_nfs(restorecond_t)
--fs_getattr_xattr_fs(restorecond_t)
-+fs_getattr_all_fs(restorecond_t)
- fs_list_inotifyfs(restorecond_t)
-
- selinux_validate_context(restorecond_t)
-@@ -341,16 +392,17 @@ selinux_compute_user_contexts(restorecond_t)
-
- files_relabel_non_auth_files(restorecond_t )
- files_read_non_auth_files(restorecond_t)
-+
- auth_use_nsswitch(restorecond_t)
-
- locallogin_dontaudit_use_fds(restorecond_t)
-
- logging_send_syslog_msg(restorecond_t)
-
--miscfiles_read_localization(restorecond_t)
--
- seutil_libselinux_linked(restorecond_t)
-
-+userdom_read_user_home_content_symlinks(restorecond_t)
-+
- ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(restorecond_t)
-@@ -366,21 +418,24 @@ optional_policy(`
- # Run_init local policy
- #
-
--allow run_init_roles system_r;
-+#allow run_init_roles system_r;
-
- allow run_init_t self:process setexec;
- allow run_init_t self:capability setuid;
- allow run_init_t self:fifo_file rw_file_perms;
--allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+logging_send_audit_msgs(run_init_t)
-
- # often the administrator runs such programs from a directory that is owned
- # by a different user or has restrictive SE permissions, do not want to audit
- # the failed access to the current directory
- dontaudit run_init_t self:capability { dac_override dac_read_search };
-
-+kernel_dontaudit_getattr_core_if(run_init_t)
-+
- corecmd_exec_bin(run_init_t)
- corecmd_exec_shell(run_init_t)
-
-+dev_dontaudit_getattr_all(run_init_t)
- dev_dontaudit_list_all_dev_nodes(run_init_t)
-
- domain_use_interactive_fds(run_init_t)
-@@ -398,23 +453,30 @@ selinux_compute_create_context(run_init_t)
- selinux_compute_relabel_context(run_init_t)
- selinux_compute_user_contexts(run_init_t)
-
-+term_use_console(run_init_t)
-+
-+#auth_use_nsswitch(run_init_t)
-+#auth_run_chk_passwd(run_init_t, run_init_roles)
-+#auth_run_upd_passwd(run_init_t, run_init_roles)
-+#auth_dontaudit_read_shadow(run_init_t)
-+
- auth_use_nsswitch(run_init_t)
--auth_run_chk_passwd(run_init_t, run_init_roles)
--auth_run_upd_passwd(run_init_t, run_init_roles)
-+auth_domtrans_chk_passwd(run_init_t)
-+auth_domtrans_upd_passwd(run_init_t)
- auth_dontaudit_read_shadow(run_init_t)
-
-+
- init_spec_domtrans_script(run_init_t)
- # for utmp
- init_rw_utmp(run_init_t)
-+init_dontaudit_getattr_initctl(run_init_t)
-
- logging_send_syslog_msg(run_init_t)
-
--miscfiles_read_localization(run_init_t)
--
- seutil_libselinux_linked(run_init_t)
- seutil_read_default_contexts(run_init_t)
-
--userdom_use_user_terminals(run_init_t)
-+userdom_use_inherited_user_terminals(run_init_t)
-
- ifndef(`direct_sysadm_daemon',`
- ifdef(`distro_gentoo',`
-@@ -425,6 +487,19 @@ ifndef(`direct_sysadm_daemon',`
- ')
- ')
-
-+# need to talk with dbus
-+optional_policy(`
-+ dbus_system_bus_client(run_init_t)
-+')
-+
-+optional_policy(`
-+ gpm_dontaudit_getattr_gpmctl(run_init_t)
-+')
-+
-+optional_policy(`
-+ rpm_domtrans(run_init_t)
-+')
-+
- ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(run_init_t)
-@@ -440,81 +515,87 @@ optional_policy(`
- # semodule local policy
- #
-
--allow semanage_t self:capability { dac_override audit_write };
--allow semanage_t self:unix_stream_socket create_stream_socket_perms;
--allow semanage_t self:unix_dgram_socket create_socket_perms;
- allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
--allow semanage_t self:fifo_file rw_fifo_file_perms;
--
--allow semanage_t policy_config_t:file rw_file_perms;
--
--allow semanage_t semanage_tmp_t:dir manage_dir_perms;
--allow semanage_t semanage_tmp_t:file manage_file_perms;
--files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
-
- manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
- manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
-
--kernel_read_system_state(semanage_t)
--kernel_read_kernel_sysctls(semanage_t)
--
--corecmd_exec_bin(semanage_t)
--
--dev_read_urand(semanage_t)
--
--domain_use_interactive_fds(semanage_t)
--
--files_read_etc_files(semanage_t)
--files_read_etc_runtime_files(semanage_t)
--files_read_usr_files(semanage_t)
--files_list_pids(semanage_t)
--
--mls_file_write_all_levels(semanage_t)
--mls_file_read_all_levels(semanage_t)
--
--selinux_validate_context(semanage_t)
--selinux_get_enforce_mode(semanage_t)
--selinux_getattr_fs(semanage_t)
--# for setsebool:
- selinux_set_all_booleans(semanage_t)
-+can_exec(semanage_t, semanage_exec_t)
-
--term_use_all_terms(semanage_t)
--
--# Running genhomedircon requires this for finding all users
--auth_use_nsswitch(semanage_t)
--
--locallogin_use_fds(semanage_t)
--
--logging_send_syslog_msg(semanage_t)
-+# Admins are creating pp files in random locations
-+files_read_non_security_files(semanage_t)
-
--miscfiles_read_localization(semanage_t)
--
--seutil_libselinux_linked(semanage_t)
-+seutil_semanage_policy(semanage_t)
- seutil_manage_file_contexts(semanage_t)
- seutil_manage_config(semanage_t)
--seutil_run_setfiles(semanage_t, semanage_roles)
--seutil_run_loadpolicy(semanage_t, semanage_roles)
--seutil_manage_bin_policy(semanage_t)
--seutil_use_newrole_fds(semanage_t)
--seutil_manage_module_store(semanage_t)
--seutil_get_semanage_trans_lock(semanage_t)
--seutil_get_semanage_read_lock(semanage_t)
-+seutil_domtrans_setfiles(semanage_t)
-+
-+#seutil_run_setfiles(semanage_t, semanage_roles)
-+#seutil_run_loadpolicy(semanage_t, semanage_roles)
-+#seutil_manage_bin_policy(semanage_t)
-+#seutil_use_newrole_fds(semanage_t)
-+#seutil_manage_module_store(semanage_t)
-+#seutil_get_semanage_trans_lock(semanage_t)
-+#seutil_get_semanage_read_lock(semanage_t)
- # netfilter_contexts:
- seutil_manage_default_contexts(semanage_t)
-
- # Handle pp files created in homedir and /tmp
- userdom_read_user_home_content_files(semanage_t)
- userdom_read_user_tmp_files(semanage_t)
-+userdom_home_reader(semanage_t)
-
- ifdef(`distro_debian',`
- files_read_var_lib_files(semanage_t)
- files_read_var_lib_symlinks(semanage_t)
- ')
-
--ifdef(`distro_ubuntu',`
-- optional_policy(`
-- unconfined_domain(semanage_t)
-- ')
-+optional_policy(`
-+ dbus_system_domain(semanage_t, semanage_exec_t)
-+')
-+
-+optional_policy(`
-+ mock_manage_lib_files(semanage_t)
-+ mock_manage_lib_dirs(semanage_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(semanage_t)
-+')
-+
-+####################################n####
-+#
-+# setsebool local policy
-+#
-+seutil_semanage_policy(setsebool_t)
-+selinux_set_all_booleans(setsebool_t)
-+
-+init_dontaudit_use_fds(setsebool_t)
-+
-+# Bug in semanage
-+seutil_domtrans_setfiles(setsebool_t)
-+seutil_manage_file_contexts(setsebool_t)
-+seutil_manage_default_contexts(setsebool_t)
-+seutil_manage_config(setsebool_t)
-+
-+########################################
-+#
-+# Setfiles mac local policy
-+#
-+seutil_setfiles(setfiles_mac_t)
-+allow setfiles_mac_t self:capability2 mac_admin;
-+kernel_relabelto_unlabeled(setfiles_mac_t)
-+
-+optional_policy(`
-+ files_dontaudit_write_isid_chr_files(setfiles_mac_t)
-+ livecd_dontaudit_leaks(setfiles_mac_t)
-+ livecd_rw_tmp_files(setfiles_mac_t)
-+ dev_dontaudit_write_all_chr_files(setfiles_mac_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(setfiles_mac_t)
- ')
-
- ########################################
-@@ -522,108 +603,180 @@ ifdef(`distro_ubuntu',`
- # Setfiles local policy
- #
-
--allow setfiles_t self:capability { dac_override dac_read_search fowner };
--dontaudit setfiles_t self:capability sys_tty_config;
--allow setfiles_t self:fifo_file rw_file_perms;
--
--allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
--allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
--allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
--
--kernel_read_system_state(setfiles_t)
--kernel_relabelfrom_unlabeled_dirs(setfiles_t)
--kernel_relabelfrom_unlabeled_files(setfiles_t)
--kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
--kernel_relabelfrom_unlabeled_pipes(setfiles_t)
--kernel_relabelfrom_unlabeled_sockets(setfiles_t)
--kernel_use_fds(setfiles_t)
--kernel_rw_pipes(setfiles_t)
--kernel_rw_unix_dgram_sockets(setfiles_t)
--kernel_dontaudit_list_all_proc(setfiles_t)
--kernel_dontaudit_list_all_sysctls(setfiles_t)
--
--dev_relabel_all_dev_nodes(setfiles_t)
--
--domain_use_interactive_fds(setfiles_t)
--domain_dontaudit_search_all_domains_state(setfiles_t)
--
--files_read_etc_runtime_files(setfiles_t)
--files_read_etc_files(setfiles_t)
--files_list_all(setfiles_t)
--files_relabel_all_files(setfiles_t)
--files_read_usr_symlinks(setfiles_t)
--
--fs_getattr_xattr_fs(setfiles_t)
--fs_list_all(setfiles_t)
--fs_search_auto_mountpoints(setfiles_t)
--fs_relabelfrom_noxattr_fs(setfiles_t)
--
--mls_file_read_all_levels(setfiles_t)
--mls_file_write_all_levels(setfiles_t)
--mls_file_upgrade(setfiles_t)
--mls_file_downgrade(setfiles_t)
--
--selinux_validate_context(setfiles_t)
--selinux_compute_access_vector(setfiles_t)
--selinux_compute_create_context(setfiles_t)
--selinux_compute_relabel_context(setfiles_t)
--selinux_compute_user_contexts(setfiles_t)
--
--term_use_all_ttys(setfiles_t)
--term_use_all_ptys(setfiles_t)
--term_use_unallocated_ttys(setfiles_t)
--
--# this is to satisfy the assertion:
--auth_relabelto_shadow(setfiles_t)
--
--init_use_fds(setfiles_t)
--init_use_script_fds(setfiles_t)
--init_use_script_ptys(setfiles_t)
--init_exec_script_files(setfiles_t)
-+seutil_setfiles(setfiles_t)
-+# During boot in Rawhide
-+term_use_generic_ptys(setfiles_t)
-+
-+# needs to be able to read symlinks to make restorecon on symlink working
-+files_read_all_symlinks(setfiles_t)
-
- logging_send_audit_msgs(setfiles_t)
- logging_send_syslog_msg(setfiles_t)
-
--miscfiles_read_localization(setfiles_t)
-+optional_policy(`
-+ devicekit_dontaudit_read_pid_files(setfiles_t)
-+ devicekit_dontaudit_rw_log(setfiles_t)
-+')
-+
-+optional_policy(`
-+ # pki is leaking
-+ pki_dontaudit_write_log(setfiles_t)
-+')
-+
-+optional_policy(`
-+ xserver_append_xdm_tmp_files(setfiles_t)
-+')
-
--seutil_libselinux_linked(setfiles_t)
-+ifdef(`hide_broken_symptoms',`
-+
-+ optional_policy(`
-+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
-+ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
-+ ')
-+')
-+ifdef(`distro_ubuntu',`
-+ optional_policy(`
-+ unconfined_domain(setfiles_t)
-+ ')
-+')
-
--userdom_use_all_users_fds(setfiles_t)
-+########################################
-+#
-+# Setfiles common policy
-+#
-+allow setfiles_domain self:capability { dac_override dac_read_search fowner };
-+dontaudit setfiles_domain self:capability sys_tty_config;
-+allow setfiles_domain self:fifo_file rw_file_perms;
-+dontaudit setfiles_domain self:dir relabelfrom;
-+dontaudit setfiles_domain self:file relabelfrom;
-+dontaudit setfiles_domain self:lnk_file relabelfrom;
-+
-+domain_relabelfrom(setfiles_domain)
-+
-+allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
-+allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
-+allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
-+
-+logging_send_audit_msgs(setfiles_domain)
-+
-+kernel_relabelfrom_unlabeled_dirs(setfiles_domain)
-+kernel_relabelfrom_unlabeled_files(setfiles_domain)
-+kernel_relabelfrom_unlabeled_symlinks(setfiles_domain)
-+kernel_relabelfrom_unlabeled_pipes(setfiles_domain)
-+kernel_relabelfrom_unlabeled_sockets(setfiles_domain)
-+kernel_use_fds(setfiles_domain)
-+kernel_rw_pipes(setfiles_domain)
-+kernel_rw_unix_dgram_sockets(setfiles_domain)
-+kernel_dontaudit_list_all_proc(setfiles_domain)
-+kernel_read_all_sysctls(setfiles_domain)
-+kernel_read_network_state_symlinks(setfiles_domain)
-+
-+dev_relabel_all_dev_nodes(setfiles_domain)
-+dev_dontaudit_rw_lvm_control(setfiles_domain)
-+dev_dontaudit_read_rand(setfiles_domain)
-+dev_dontaudit_read_urand(setfiles_domain)
-+
-+domain_use_interactive_fds(setfiles_domain)
-+domain_read_all_domains_state(setfiles_domain)
-+
-+files_read_etc_runtime_files(setfiles_domain)
-+files_read_etc_files(setfiles_domain)
-+files_list_all(setfiles_domain)
-+files_list_isid_type_dirs(setfiles_domain)
-+files_read_isid_type_files(setfiles_domain)
-+files_dontaudit_read_all_symlinks(setfiles_domain)
-+
-+fs_getattr_all_fs(setfiles_domain)
-+fs_list_all(setfiles_domain)
-+fs_getattr_all_files(setfiles_domain)
-+fs_search_auto_mountpoints(setfiles_domain)
-+fs_relabelfrom_noxattr_fs(setfiles_domain)
-+
-+selinux_validate_context(setfiles_domain)
-+selinux_compute_access_vector(setfiles_domain)
-+selinux_compute_create_context(setfiles_domain)
-+selinux_compute_relabel_context(setfiles_domain)
-+selinux_compute_user_contexts(setfiles_domain)
-+
-+term_use_all_inherited_terms(setfiles_domain)
-+
-+init_use_fds(setfiles_domain)
-+init_use_script_fds(setfiles_domain)
-+init_use_script_ptys(setfiles_domain)
-+init_exec_script_files(setfiles_domain)
-+
-+userdom_use_all_users_fds(setfiles_domain)
- # for config files in a home directory
--userdom_read_user_home_content_files(setfiles_t)
-+userdom_read_user_home_content_files(setfiles_domain)
-+userdom_rw_inherited_user_home_content_files(setfiles_domain)
-
- ifdef(`distro_debian',`
- # udev tmpfs is populated with static device nodes
- # and then relabeled afterwards; thus
- # /dev/console has the tmpfs type
-- fs_rw_tmpfs_chr_files(setfiles_t)
-+ fs_rw_tmpfs_chr_files(setfiles_domain)
- ')
-
--ifdef(`distro_redhat', `
-- fs_rw_tmpfs_chr_files(setfiles_t)
-- fs_rw_tmpfs_blk_files(setfiles_t)
-- fs_relabel_tmpfs_blk_file(setfiles_t)
-- fs_relabel_tmpfs_chr_file(setfiles_t)
-+ifdef(`distro_redhat',`
-+ fs_rw_tmpfs_chr_files(setfiles_domain)
-+ fs_rw_tmpfs_blk_files(setfiles_domain)
-+ fs_relabel_tmpfs_blk_file(setfiles_domain)
-+ fs_relabel_tmpfs_chr_file(setfiles_domain)
- ')
-
--ifdef(`distro_ubuntu',`
-- optional_policy(`
-- unconfined_domain(setfiles_t)
-- ')
-+optional_policy(`
-+ hotplug_use_fds(setfiles_domain)
- ')
-
--ifdef(`hide_broken_symptoms',`
-- optional_policy(`
-- udev_dontaudit_rw_dgram_sockets(setfiles_t)
-- ')
-+allow policy_manager_domain self:capability { dac_override sys_nice sys_resource };
-+dontaudit policy_manager_domain self:capability sys_tty_config;
-+allow policy_manager_domain self:process { signal setsched };
-+allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms;
-+allow policy_manager_domain self:unix_dgram_socket create_socket_perms;
-+allow policy_manager_domain self:fifo_file rw_fifo_file_perms;
-
-- # cjp: cover up stray file descriptors.
-- optional_policy(`
-- unconfined_dontaudit_read_pipes(setfiles_t)
-- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
-- ')
--')
-+dev_read_rand(policy_manager_domain)
-+dev_read_urand(policy_manager_domain)
-
--optional_policy(`
-- hotplug_use_fds(setfiles_t)
--')
-+logging_send_audit_msgs(policy_manager_domain)
-+
-+# Domains that will manage policy
-+allow policy_manager_domain policy_config_t:file rw_file_perms;
-+
-+allow policy_manager_domain semanage_tmp_t:dir manage_dir_perms;
-+allow policy_manager_domain semanage_tmp_t:file manage_file_perms;
-+files_tmp_filetrans(policy_manager_domain, semanage_tmp_t, { file dir })
-+
-+kernel_read_kernel_sysctls(policy_manager_domain)
-+
-+corecmd_exec_bin(policy_manager_domain)
-+corecmd_exec_shell(policy_manager_domain)
-+
-+dev_read_urand(policy_manager_domain)
-+
-+domain_use_interactive_fds(policy_manager_domain)
-+
-+files_read_etc_files(policy_manager_domain)
-+files_read_etc_runtime_files(policy_manager_domain)
-+files_read_usr_files(policy_manager_domain)
-+files_list_pids(policy_manager_domain)
-+fs_list_inotifyfs(policy_manager_domain)
-+fs_getattr_all_fs(policy_manager_domain)
-+
-+selinux_validate_context(policy_manager_domain)
-+selinux_read_policy(policy_manager_domain)
-+
-+term_use_all_inherited_terms(policy_manager_domain)
-+
-+locallogin_use_fds(policy_manager_domain)
-+
-+seutil_search_default_contexts(policy_manager_domain)
-+seutil_domtrans_loadpolicy(policy_manager_domain)
-+seutil_read_config(policy_manager_domain)
-+seutil_use_newrole_fds(policy_manager_domain)
-+seutil_manage_module_store(policy_manager_domain)
-+seutil_get_semanage_trans_lock(policy_manager_domain)
-+seutil_get_semanage_read_lock(policy_manager_domain)
-+
-+userdom_dontaudit_write_user_home_content_files(policy_manager_domain)
-+userdom_use_user_ptys(policy_manager_domain)
-diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
-index bea4629..06e2834 100644
---- a/policy/modules/system/setrans.fc
-+++ b/policy/modules/system/setrans.fc
-@@ -2,4 +2,7 @@
-
- /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
-
-+/usr/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
-+
- /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
-+/var/run/mcstransd\.pid gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
-diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
-index 1447687..d5e6fb9 100644
---- a/policy/modules/system/setrans.te
-+++ b/policy/modules/system/setrans.te
-@@ -12,6 +12,7 @@ gen_require(`
- type setrans_t;
- type setrans_exec_t;
- init_daemon_domain(setrans_t, setrans_exec_t)
-+mls_trusted_object(setrans_t)
-
- type setrans_initrc_exec_t;
- init_script_file(setrans_initrc_exec_t)
-@@ -78,7 +79,6 @@ locallogin_dontaudit_use_fds(setrans_t)
-
- logging_send_syslog_msg(setrans_t)
-
--miscfiles_read_localization(setrans_t)
-
- seutil_read_config(setrans_t)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..1285089 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -17,10 +17,10 @@ ifdef(`distro_debian',`
- /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
- /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
- /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
--/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
--/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
-+/etc/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
-+/etc/dhcp/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
- /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
--/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-@@ -55,6 +55,20 @@ ifdef(`distro_redhat',`
- #
- # /usr
- #
-+/usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+
-+/usr/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-+/usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-+/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-+/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
- #
-@@ -72,3 +86,5 @@ ifdef(`distro_redhat',`
- ifdef(`distro_gentoo',`
- /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
- ')
-+
-+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
-diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 41a1853..af08353 100644
---- a/policy/modules/system/sysnetwork.if
-+++ b/policy/modules/system/sysnetwork.if
-@@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',`
- #
- interface(`sysnet_run_dhcpc',`
- gen_require(`
-- attribute_role dhcpc_roles;
-+ type dhcpc_t;
-+ #attribute_role dhcpc_roles;
- ')
-
-+ #sysnet_domtrans_dhcpc($1)
-+ #roleattribute $2 dhcpc_roles;
-+
- sysnet_domtrans_dhcpc($1)
-- roleattribute $2 dhcpc_roles;
-+ role $2 types dhcpc_t;
-+
-+ modutils_run_insmod(dhcpc_t, $2)
-+
-+ sysnet_run_ifconfig(dhcpc_t, $2)
-+
-+ optional_policy(`
-+ hostname_run(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ netutils_run(dhcpc_t, $2)
-+ netutils_run_ping(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_run(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ nis_run_ypbind(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ nscd_run(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ ntp_run(dhcpc_t, $2)
-+ ')
-+
-+ seutil_run_setfiles(dhcpc_t, $2)
-+
- ')
-
- ########################################
-@@ -271,6 +307,43 @@ interface(`sysnet_delete_dhcpc_state',`
- delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
- ')
-
-+########################################
-+##
-+## Allow caller to relabel dhcpc_state files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_relabelfrom_dhcpc_state',`
-+
-+ gen_require(`
-+ type dhcpc_state_t;
-+ ')
-+
-+ allow $1 dhcpc_state_t:file relabelfrom;
-+')
-+
-+#######################################
-+##
-+## Manage the dhcp client state files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_manage_dhcpc_state',`
-+ gen_require(`
-+ type dhcpc_state_t;
-+ ')
-+
-+ manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
-+')
-+
- #######################################
- ##
- ## Set the attributes of network config files.
-@@ -292,6 +365,44 @@ interface(`sysnet_setattr_config',`
-
- #######################################
- ##
-+## Allow caller to relabel net_conf files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_relabelfrom_net_conf',`
-+
-+ gen_require(`
-+ type net_conf_t;
-+ ')
-+
-+ allow $1 net_conf_t:file relabelfrom;
-+')
-+
-+######################################
-+##
-+## Allow caller to relabel net_conf files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_relabelto_net_conf',`
-+
-+ gen_require(`
-+ type net_conf_t;
-+ ')
-+
-+ allow $1 net_conf_t:file relabelto;
-+')
-+
-+#######################################
-+##
- ## Read network config files.
- ##
- ##
-@@ -331,6 +442,7 @@ interface(`sysnet_read_config',`
-
- ifdef(`distro_redhat',`
- allow $1 net_conf_t:dir list_dir_perms;
-+ allow $1 net_conf_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, net_conf_t, net_conf_t)
- ')
- ')
-@@ -433,6 +545,7 @@ interface(`sysnet_manage_config',`
- allow $1 net_conf_t:file manage_file_perms;
-
- ifdef(`distro_redhat',`
-+ allow $1 net_conf_t:dir list_dir_perms;
- manage_files_pattern($1, net_conf_t, net_conf_t)
- ')
- ')
-@@ -471,6 +584,7 @@ interface(`sysnet_delete_dhcpc_pid',`
- type dhcpc_var_run_t;
- ')
-
-+ files_rw_pid_dirs($1)
- allow $1 dhcpc_var_run_t:file unlink;
- ')
-
-@@ -561,6 +675,45 @@ interface(`sysnet_signal_ifconfig',`
-
- ########################################
- ##
-+## Send a null signal to ifconfig.
-+##
-+##
-+##
-+## Domain allowed access.pwd
-+
-+##
-+##
-+##
-+#
-+interface(`sysnet_signull_ifconfig',`
-+ gen_require(`
-+ type ifconfig_t;
-+ ')
-+
-+ allow $1 ifconfig_t:process signull;
-+')
-+
-+########################################
-+##
-+## Send a kill signal to iconfig.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`sysnet_kill_ifconfig',`
-+ gen_require(`
-+ type ifconfig_t;
-+ ')
-+
-+ allow $1 ifconfig_t:process sigkill;
-+')
-+
-+########################################
-+##
- ## Read the DHCP configuration files.
- ##
- ##
-@@ -577,6 +730,7 @@ interface(`sysnet_read_dhcp_config',`
- files_search_etc($1)
- allow $1 dhcp_etc_t:dir list_dir_perms;
- read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
-+ allow $1 dhcp_etc_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -662,8 +816,6 @@ interface(`sysnet_dns_name_resolve',`
- allow $1 self:udp_socket create_socket_perms;
- allow $1 self:netlink_route_socket r_netlink_socket_perms;
-
-- corenet_all_recvfrom_unlabeled($1)
-- corenet_all_recvfrom_netlabel($1)
- corenet_tcp_sendrecv_generic_if($1)
- corenet_udp_sendrecv_generic_if($1)
- corenet_tcp_sendrecv_generic_node($1)
-@@ -673,6 +825,8 @@ interface(`sysnet_dns_name_resolve',`
- corenet_tcp_connect_dns_port($1)
- corenet_sendrecv_dns_client_packets($1)
-
-+ miscfiles_read_generic_certs($1)
-+
- sysnet_read_config($1)
-
- optional_policy(`
-@@ -701,8 +855,6 @@ interface(`sysnet_use_ldap',`
-
- allow $1 self:tcp_socket create_socket_perms;
-
-- corenet_all_recvfrom_unlabeled($1)
-- corenet_all_recvfrom_netlabel($1)
- corenet_tcp_sendrecv_generic_if($1)
- corenet_tcp_sendrecv_generic_node($1)
- corenet_tcp_sendrecv_ldap_port($1)
-@@ -714,6 +866,9 @@ interface(`sysnet_use_ldap',`
- dev_read_urand($1)
-
- sysnet_read_config($1)
-+
-+ # LDAP Configuration using encrypted requires
-+ dev_read_urand($1)
- ')
-
- ########################################
-@@ -735,7 +890,6 @@ interface(`sysnet_use_portmap',`
- allow $1 self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled($1)
-- corenet_all_recvfrom_netlabel($1)
- corenet_tcp_sendrecv_generic_if($1)
- corenet_udp_sendrecv_generic_if($1)
- corenet_tcp_sendrecv_generic_node($1)
-@@ -747,3 +901,73 @@ interface(`sysnet_use_portmap',`
-
- sysnet_read_config($1)
- ')
-+
-+########################################
-+##
-+## Do not audit attempts to use
-+## the dhcp file descriptors.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`sysnet_dontaudit_dhcpc_use_fds',`
-+ gen_require(`
-+ type dhcpc_t;
-+ ')
-+
-+ dontaudit $1 dhcpc_t:fd use;
-+')
-+
-+########################################
-+##
-+## Transition to system_r when execute an dhclient script
-+##
-+##
-+##
-+## Execute dhclient script in a specified role
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+##
-+##
-+## Role to transition from.
-+##
-+##
-+interface(`sysnet_role_transition_dhcpc',`
-+ gen_require(`
-+ type dhcpc_exec_t;
-+ ')
-+
-+ role_transition $1 dhcpc_exec_t system_r;
-+')
-+
-+########################################
-+##
-+## Transition to sysnet named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sysnet_filetrans_named_content',`
-+ gen_require(`
-+ type net_conf_t;
-+ ')
-+
-+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
-+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
-+ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
-+ files_etc_filetrans($1, net_conf_t, file, "hosts")
-+ files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
-+ files_etc_filetrans($1, net_conf_t, file, "ethers")
-+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
-+')
-diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index ed363e1..808e49e 100644
---- a/policy/modules/system/sysnetwork.te
-+++ b/policy/modules/system/sysnetwork.te
-@@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.14.0)
- # Declarations
- #
-
--attribute_role dhcpc_roles;
--roleattribute system_r dhcpc_roles;
-+##
-+##
-+## Allow dhcpc client applications to execute iptables commands
-+##
-+##
-+gen_tunable(dhcpc_exec_iptables, false)
-+
-+#attribute_role dhcpc_roles;
-+#roleattribute system_r dhcpc_roles;
-
- # this is shared between dhcpc and dhcpd:
- type dhcp_etc_t;
-@@ -20,7 +27,11 @@ files_type(dhcp_state_t)
- type dhcpc_t;
- type dhcpc_exec_t;
- init_daemon_domain(dhcpc_t, dhcpc_exec_t)
--role dhcpc_roles types dhcpc_t;
-+#role dhcpc_roles types dhcpc_t;
-+role system_r types dhcpc_t;
-+
-+type dhcpc_helper_exec_t;
-+init_script_file(dhcpc_helper_exec_t)
-
- type dhcpc_state_t;
- files_type(dhcpc_state_t)
-@@ -37,17 +48,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
- role system_r types ifconfig_t;
-
- type net_conf_t alias resolv_conf_t;
--files_type(net_conf_t)
-+files_config_file(net_conf_t)
-
- ########################################
- #
- # DHCP client local policy
- #
- allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
--dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
-+dontaudit dhcpc_t self:capability sys_tty_config;
- # for access("/etc/bashrc", X_OK) on Red Hat
- dontaudit dhcpc_t self:capability { dac_read_search sys_module };
--allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
-+allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms };
-
- allow dhcpc_t self:fifo_file rw_fifo_file_perms;
- allow dhcpc_t self:tcp_socket create_stream_socket_perms;
-@@ -60,8 +71,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
- exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
-
- allow dhcpc_t dhcp_state_t:file read_file_perms;
-+allow dhcpc_t dhcp_state_t:file relabel_file_perms;
-+
- manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
- filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
-+allow dhcpc_t dhcpc_state_t:file relabel_file_perms;
-
- # create pid file
- manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -69,6 +83,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
-
- # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
- # in /etc created by dhcpcd will be labelled net_conf_t.
-+allow dhcpc_t net_conf_t:file manage_file_perms;
-+allow dhcpc_t net_conf_t:file relabel_file_perms;
- sysnet_manage_config(dhcpc_t)
- files_etc_filetrans(dhcpc_t, net_conf_t, file)
-
-@@ -90,27 +106,29 @@ kernel_rw_net_sysctls(dhcpc_t)
- corecmd_exec_bin(dhcpc_t)
- corecmd_exec_shell(dhcpc_t)
-
--corenet_all_recvfrom_unlabeled(dhcpc_t)
- corenet_all_recvfrom_netlabel(dhcpc_t)
--corenet_tcp_sendrecv_all_if(dhcpc_t)
--corenet_raw_sendrecv_all_if(dhcpc_t)
--corenet_udp_sendrecv_all_if(dhcpc_t)
--corenet_tcp_sendrecv_all_nodes(dhcpc_t)
--corenet_raw_sendrecv_all_nodes(dhcpc_t)
--corenet_udp_sendrecv_all_nodes(dhcpc_t)
-+corenet_tcp_sendrecv_generic_if(dhcpc_t)
-+corenet_raw_sendrecv_generic_if(dhcpc_t)
-+corenet_udp_sendrecv_generic_if(dhcpc_t)
-+corenet_tcp_sendrecv_generic_node(dhcpc_t)
-+corenet_raw_sendrecv_generic_node(dhcpc_t)
-+corenet_udp_sendrecv_generic_node(dhcpc_t)
- corenet_tcp_sendrecv_all_ports(dhcpc_t)
- corenet_udp_sendrecv_all_ports(dhcpc_t)
--corenet_tcp_bind_all_nodes(dhcpc_t)
--corenet_udp_bind_all_nodes(dhcpc_t)
-+corenet_tcp_bind_generic_node(dhcpc_t)
-+corenet_udp_bind_generic_node(dhcpc_t)
- corenet_udp_bind_dhcpc_port(dhcpc_t)
- corenet_tcp_connect_all_ports(dhcpc_t)
- corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
- corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
-+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t)
-+corenet_udp_bind_all_unreserved_ports(dhcpc_t)
-
- dev_read_sysfs(dhcpc_t)
- # for SSP:
- dev_read_urand(dhcpc_t)
-
-+domain_obj_id_change_exemption(dhcpc_t)
- domain_use_interactive_fds(dhcpc_t)
- domain_dontaudit_read_all_domains_state(dhcpc_t)
-
-@@ -130,15 +148,20 @@ term_dontaudit_use_all_ptys(dhcpc_t)
- term_dontaudit_use_unallocated_ttys(dhcpc_t)
- term_dontaudit_use_generic_ptys(dhcpc_t)
-
-+auth_use_nsswitch(dhcpc_t)
-+
- init_rw_utmp(dhcpc_t)
-+init_stream_connect(dhcpc_t)
-+init_stream_send(dhcpc_t)
-
- logging_send_syslog_msg(dhcpc_t)
-
--miscfiles_read_localization(dhcpc_t)
-+miscfiles_read_generic_certs(dhcpc_t)
-
--modutils_run_insmod(dhcpc_t, dhcpc_roles)
-+#modutils_run_insmod(dhcpc_t, dhcpc_roles)
-+modutils_domtrans_insmod(dhcpc_t)
-+#sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
-
--sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
-
- userdom_use_user_terminals(dhcpc_t)
- userdom_dontaudit_search_user_home_dirs(dhcpc_t)
-@@ -153,8 +176,23 @@ ifdef(`distro_ubuntu',`
- ')
- ')
-
-+#optional_policy(`
-+# consoletype_run(dhcpc_t, dhcpc_roles)
-+#')
-+
-+optional_policy(`
-+ chronyd_initrc_domtrans(dhcpc_t)
-+ chronyd_systemctl(dhcpc_t)
-+ chronyd_read_keys(dhcpc_t)
-+')
-+
-+optional_policy(`
-+ consoletype_exec(dhcpc_t)
-+')
-+
- optional_policy(`
-- consoletype_run(dhcpc_t, dhcpc_roles)
-+ devicekit_dontaudit_rw_log(dhcpc_t)
-+ devicekit_dontaudit_read_pid_files(dhcpc_t)
- ')
-
- optional_policy(`
-@@ -169,11 +207,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-- hostname_run(dhcpc_t, dhcpc_roles)
-+ hostname_domtrans(dhcpc_t)
-+# hostname_run(dhcpc_t, dhcpc_roles)
- ')
-
- optional_policy(`
- hal_dontaudit_rw_dgram_sockets(dhcpc_t)
-+ hal_dontaudit_read_pid_files(dhcpc_t)
-+ hal_dontaudit_write_log(dhcpc_t)
- ')
-
- optional_policy(`
-@@ -187,25 +228,41 @@ optional_policy(`
-
- # for the dhcp client to run ping to check IP addresses
- optional_policy(`
-- netutils_run_ping(dhcpc_t, dhcpc_roles)
-- netutils_run(dhcpc_t, dhcpc_roles)
-+ #netutils_run_ping(dhcpc_t, dhcpc_roles)
-+ #netutils_run(dhcpc_t, dhcpc_roles)
-+ netutils_domtrans_ping(dhcpc_t)
-+ netutils_domtrans(dhcpc_t)
- ',`
- allow dhcpc_t self:capability setuid;
- allow dhcpc_t self:rawip_socket create_socket_perms;
- ')
-
- optional_policy(`
-+ modutils_domtrans_insmod(dhcpc_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_domtrans(dhcpc_t)
-+ networkmanager_read_pid_files(dhcpc_t)
-+ networkmanager_manage_lib(dhcpc_t)
-+')
-+
-+optional_policy(`
-+ nis_initrc_domtrans_ypbind(dhcpc_t)
- nis_read_ypbind_pid(dhcpc_t)
-+ nis_systemctl_ypbind(dhcpc_t)
- ')
-
- optional_policy(`
- nscd_initrc_domtrans(dhcpc_t)
-+ nscd_systemctl(dhcpc_t)
- nscd_domtrans(dhcpc_t)
- nscd_read_pid(dhcpc_t)
- ')
-
- optional_policy(`
- ntp_initrc_domtrans(dhcpc_t)
-+ ntp_systemctl(dhcpc_t)
- ')
-
- optional_policy(`
-@@ -215,7 +272,11 @@ optional_policy(`
-
- optional_policy(`
- seutil_sigchld_newrole(dhcpc_t)
-- seutil_dontaudit_search_config(dhcpc_t)
-+ seutil_domtrans_setfiles(dhcpc_t)
-+')
-+optional_policy(`
-+ systemd_passwd_agent_domtrans(dhcpc_t)
-+ systemd_signal_passwd_agent(dhcpc_t)
- ')
-
- optional_policy(`
-@@ -258,6 +319,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
- allow ifconfig_t self:msg { send receive };
- # Create UDP sockets, necessary when called from dhcpc
- allow ifconfig_t self:udp_socket create_socket_perms;
-+allow ifconfig_t self:appletalk_socket create_socket_perms;
- # for /sbin/ip
- allow ifconfig_t self:packet_socket create_socket_perms;
- allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,11 +338,18 @@ corenet_rw_tun_tap_dev(ifconfig_t)
- dev_read_sysfs(ifconfig_t)
- # for IPSEC setup:
- dev_read_urand(ifconfig_t)
-+# needed by tuned
-+dev_rw_netcontrol(ifconfig_t)
-
- domain_use_interactive_fds(ifconfig_t)
-
-+read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
-+
-+files_dontaudit_rw_inherited_pipes(ifconfig_t)
-+files_dontaudit_read_root_files(ifconfig_t)
- files_read_etc_files(ifconfig_t)
- files_read_etc_runtime_files(ifconfig_t)
-+files_read_usr_files(ifconfig_t)
-
- fs_getattr_xattr_fs(ifconfig_t)
- fs_search_auto_mountpoints(ifconfig_t)
-@@ -293,22 +362,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
- term_dontaudit_use_ptmx(ifconfig_t)
- term_dontaudit_use_generic_ptys(ifconfig_t)
-
--files_dontaudit_read_root_files(ifconfig_t)
-+auth_use_nsswitch(ifconfig_t)
-
- init_use_fds(ifconfig_t)
- init_use_script_ptys(ifconfig_t)
-+init_rw_inherited_script_tmp_files(ifconfig_t)
-
- libs_read_lib_files(ifconfig_t)
-
- logging_send_syslog_msg(ifconfig_t)
-
--miscfiles_read_localization(ifconfig_t)
--
--modutils_domtrans_insmod(ifconfig_t)
-
- seutil_use_runinit_fds(ifconfig_t)
-
--userdom_use_user_terminals(ifconfig_t)
-+sysnet_dns_name_resolve(ifconfig_t)
-+
-+userdom_use_inherited_user_terminals(ifconfig_t)
- userdom_use_all_users_fds(ifconfig_t)
-
- ifdef(`distro_ubuntu',`
-@@ -317,7 +386,22 @@ ifdef(`distro_ubuntu',`
- ')
- ')
-
-+optional_policy(`
-+ brctl_domtrans(ifconfig_t)
-+')
-+
-+optional_policy(`
-+ cfengine_dontaudit_write_log(ifconfig_t)
-+')
-+
-+optional_policy(`
-+ ctdbd_read_lib_files(ifconfig_t)
-+')
-+
- ifdef(`hide_broken_symptoms',`
-+ # caused by some bogus kernel code
-+ dontaudit ifconfig_t self:capability sys_module;
-+
- optional_policy(`
- dev_dontaudit_rw_cardmgr(ifconfig_t)
- ')
-@@ -328,8 +412,14 @@ ifdef(`hide_broken_symptoms',`
- ')
-
- optional_policy(`
-+ devicekit_dontaudit_read_pid_files(ifconfig_t)
-+')
-+
-+optional_policy(`
- hal_dontaudit_rw_pipes(ifconfig_t)
- hal_dontaudit_rw_dgram_sockets(ifconfig_t)
-+ hal_dontaudit_read_pid_files(ifconfig_t)
-+ hal_write_log(ifconfig_t)
- ')
-
- optional_policy(`
-@@ -338,7 +428,15 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nis_use_ypbind(ifconfig_t)
-+ kdump_dontaudit_read_config(ifconfig_t)
-+')
-+
-+optional_policy(`
-+ modutils_domtrans_insmod(ifconfig_t)
-+')
-+
-+optional_policy(`
-+ netutils_domtrans(dhcpc_t)
- ')
-
- optional_policy(`
-@@ -359,3 +457,9 @@ optional_policy(`
- xen_append_log(ifconfig_t)
- xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
- ')
-+
-+optional_policy(`
-+ tunable_policy(`dhcpc_exec_iptables',`
-+ iptables_domtrans(dhcpc_t)
-+ ')
-+')
-diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
-new file mode 100644
-index 0000000..6d7c302
---- /dev/null
-+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,34 @@
-+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
-+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
-+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
-+/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
-+
-+/usr/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
-+/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
-+/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
-+/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
-+/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
-+
-+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
-+/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*reboot.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*sleep.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*shutdown.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/system/.*suspend.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
-+/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
-+/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
-+/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
-+
-+/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
-+/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
-+
-+/var/run/nologin gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-+/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-+/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
-+/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-+/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
-+/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
-+/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
-+/var/run/initramfs(/.*)? <>
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-new file mode 100644
-index 0000000..5d53f08
---- /dev/null
-+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,924 @@
-+## SELinux policy for systemd components
-+
-+#######################################
-+##
-+## Create a domain for processes which are started
-+## exuting systemctl.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_systemctl_domain',`
-+ gen_require(`
-+ type systemd_systemctl_exec_t;
-+ role system_r;
-+ attribute systemctl_domain;
-+ ')
-+
-+ type $1_systemctl_t, systemctl_domain;
-+ domain_type($1_systemctl_t)
-+ domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t)
-+
-+ role system_r types $1_systemctl_t;
-+
-+ domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)
-+')
-+
-+########################################
-+##
-+## Execute systemctl in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_exec_systemctl',`
-+ gen_require(`
-+ type systemd_systemctl_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ can_exec($1, systemd_systemctl_exec_t)
-+
-+ fs_list_cgroup_dirs($1)
-+ fs_read_cgroup_files($1)
-+ systemd_list_unit_dirs($1)
-+ init_list_pid_dirs($1)
-+ init_read_state($1)
-+ init_stream_send($1)
-+ init_stream_connect($1)
-+
-+ systemd_login_list_pid_dirs($1)
-+ systemd_login_read_pid_files($1)
-+ systemd_passwd_agent_exec($1)
-+')
-+
-+#######################################
-+##
-+## Create a file type used for systemd unit files.
-+##
-+##
-+##
-+## Type to be used for an unit file.
-+##
-+##
-+#
-+interface(`systemd_unit_file',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ typeattribute $1 systemd_unit_file_type;
-+ files_type($1)
-+')
-+
-+######################################
-+##
-+## Allow domain to search systemd unit dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_search_unit_dirs',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 systemd_unit_file_type:dir search_dir_perms;
-+')
-+
-+######################################
-+##
-+## Allow domain to list systemd unit dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_list_unit_dirs',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 systemd_unit_file_type:dir list_dir_perms;
-+')
-+
-+#####################################
-+##
-+## Allow domain to getattr all systemd unit files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_getattr_unit_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 systemd_unit_file_type:file getattr_file_perms;
-+')
-+
-+######################################
-+##
-+## Allow domain to read all systemd unit files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_read_unit_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 systemd_unit_file_type:file read_file_perms;
-+ allow $1 systemd_unit_file_type:lnk_file read_lnk_file_perms;
-+ allow $1 systemd_unit_file_type:dir list_dir_perms;
-+')
-+
-+#####################################
-+##
-+## Dontaudit domain to read all systemd unit files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`systemd_dontaudit_read_unit_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ dontaudit $1 systemd_unit_file_type:file read_file_perms;
-+')
-+
-+######################################
-+##
-+## Read systemd_login PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_read_pid_files',`
-+ gen_require(`
-+ type systemd_logind_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
-+')
-+
-+######################################
-+##
-+## Read systemd_login PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_list_pid_dirs',`
-+ gen_require(`
-+ type systemd_logind_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
-+')
-+
-+######################################
-+##
-+## Use and and inherited systemd
-+## logind file descriptors.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_use_fds_logind',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ ')
-+
-+ allow $1 systemd_logind_t:fd use;
-+')
-+
-+######################################
-+##
-+## Read logind sessions files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_read_logind_sessions_files',`
-+ gen_require(`
-+ type systemd_logind_sessions_t;
-+ ')
-+
-+ init_search_pid_dirs($1)
-+ allow $1 systemd_logind_sessions_t:dir list_dir_perms;
-+ read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)
-+')
-+
-+######################################
-+##
-+## Write inherited logind sessions pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_write_inherited_logind_sessions_pipes',`
-+ gen_require(`
-+ type systemd_logind_sessions_t;
-+ ')
-+
-+ allow $1 systemd_logind_sessions_t:fifo_file write;
-+')
-+
-+######################################
-+##
-+## Write systemd inhibit pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_write_inhibit_pipes',`
-+ gen_require(`
-+ type systemd_logind_inhibit_var_run_t;
-+ ')
-+
-+ allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## systemd logind over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_dbus_chat_logind',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 systemd_logind_t:dbus send_msg;
-+ allow systemd_logind_t $1:dbus send_msg;
-+ ps_process_pattern(systemd_logind_t, $1)
-+ allow systemd_logind_t $1:process signal;
-+')
-+
-+#######################################
-+##
-+## Execute a domain transition to run systemd-tmpfiles.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_tmpfiles_domtrans',`
-+ gen_require(`
-+ type systemd_tmpfiles_t, systemd_tmpfiles_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t)
-+')
-+
-+########################################
-+##
-+## Execute a domain transition to run systemd-tty-ask-password-agent.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_passwd_agent_domtrans',`
-+ gen_require(`
-+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
-+')
-+
-+#######################################
-+##
-+## Execute systemd-tty-ask-password-agent in the caller domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_passwd_agent_exec',`
-+ gen_require(`
-+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
-+ ')
-+
-+ can_exec($1, systemd_passwd_agent_exec_t)
-+ systemd_manage_passwd_run($1)
-+')
-+
-+########################################
-+##
-+## Execute a domain transition to run systemd_notify.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_notify_domtrans',`
-+ gen_require(`
-+ type systemd_notify_t, systemd_notify_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t)
-+')
-+
-+########################################
-+##
-+## Execute systemd-tty-ask-password-agent in the systemd_passwd_agent domain, and
-+## allow the specified role the systemd_passwd_agent domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the systemd_passwd_agent domain.
-+##
-+##
-+#
-+interface(`systemd_passwd_agent_run',`
-+ gen_require(`
-+ type systemd_passwd_agent_t;
-+ ')
-+
-+ systemd_passwd_agent_domtrans($1)
-+ role $2 types systemd_passwd_agent_t;
-+')
-+
-+########################################
-+##
-+## Role access for systemd_passwd_agent
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+interface(`systemd_passwd_agent_role',`
-+ gen_require(`
-+ type systemd_passwd_agent_t;
-+ ')
-+
-+ role $1 types systemd_passwd_agent_t;
-+
-+ systemd_passwd_agent_domtrans($2)
-+
-+ ps_process_pattern($2, systemd_passwd_agent_t)
-+ allow $2 systemd_passwd_agent_t:process signal;
-+')
-+
-+########################################
-+##
-+## Send generic signals to systemd_passwd_agent processes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_signal_passwd_agent',`
-+ gen_require(`
-+ type systemd_passwd_agent_t;
-+ ')
-+
-+ allow $1 systemd_passwd_agent_t:process signal;
-+')
-+
-+######################################
-+##
-+## Allow to domain to read systemd-passwd pipe
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_read_fifo_file_passwd_run',`
-+ gen_require(`
-+ type systemd_passwd_var_run_t;
-+ ')
-+
-+ init_search_pid_dirs($1)
-+ read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
-+')
-+
-+########################################
-+##
-+## Relabel to user home directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_relabelto_fifo_file_passwd_run',`
-+ gen_require(`
-+ type systemd_passwd_var_run_t;
-+ ')
-+
-+ allow $1 systemd_passwd_var_run_t:fifo_file relabelto;
-+')
-+
-+#######################################
-+##
-+## Relabel systemd unit directories
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_relabel_unit_dirs',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ relabel_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
-+')
-+
-+#######################################
-+##
-+## Relabel systemd unit files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_relabel_unit_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ relabel_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
-+')
-+
-+#######################################
-+##
-+## Send generic signals to systemd_passwd_agent processes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_manage_passwd_run',`
-+ gen_require(`
-+ type systemd_passwd_agent_t;
-+ type systemd_passwd_var_run_t;
-+ ')
-+
-+ init_search_pid_dirs($1)
-+ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
-+ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
-+ manage_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
-+
-+ allow systemd_passwd_agent_t $1:process signull;
-+ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
-+')
-+
-+######################################
-+##
-+## Template for temporary sockets and files in /dev/.systemd/ask-password
-+## which are used by systemd-passwd-agent
-+##
-+##
-+##
-+## The prefix of the domain (e.g., user
-+## is the prefix for user_t).
-+##
-+##
-+#
-+interface(`systemd_passwd_agent_dev_template',`
-+ gen_require(`
-+ type systemd_passwd_agent_t;
-+ ')
-+
-+ type systemd_$1_device_t;
-+ files_type(systemd_$1_device_t)
-+ dev_associate(systemd_$1_device_t)
-+
-+ dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
-+ init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })
-+ allow $1_t systemd_$1_device_t:file manage_file_perms;
-+ allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms;
-+
-+ allow systemd_passwd_agent_t $1_t:process signull;
-+ allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto;
-+ allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write;
-+ allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to connect to
-+## systemd_logger with a unix socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_logger_stream_connect',`
-+ gen_require(`
-+ type systemd_logger_t;
-+ ')
-+
-+ allow $1 systemd_logger_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+##
-+## manage systemd unit dirs
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_manage_unit_dirs',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
-+')
-+
-+########################################
-+##
-+## manage all systemd unit files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_manage_all_unit_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
-+ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
-+')
-+
-+########################################
-+##
-+## manage all systemd unit lnk_files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_manage_all_unit_lnk_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to start all systemd services.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_start_all_services',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ allow $1 systemd_unit_file_type:service start;
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to reload all systemd services.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_reload_all_services',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ allow $1 systemd_unit_file_type:service reload;
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to modify the systemd configuration of
-+## all systemd services
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_config_all_services',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ allow $1 systemd_unit_file_type:service all_service_perms;
-+ init_config_all_script_files($1)
-+')
-+
-+
-+########################################
-+##
-+## manage all systemd random seed file
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_manage_random_seed',`
-+ gen_require(`
-+ type random_seed_t;
-+ ')
-+
-+ allow $1 random_seed_t:file manage_file_perms;
-+ files_var_lib_filetrans($1, random_seed_t, file, "random_seed")
-+')
-+
-+
-+########################################
-+##
-+## Transition to systemd named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_filetrans_named_content',`
-+ gen_require(`
-+ type systemd_passwd_var_run_t;
-+ type systemd_logind_var_run_t;
-+ ')
-+
-+ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
-+ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
-+ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
-+')
-+
-+########################################
-+##
-+## Get the system status information from systemd_login
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_status',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ ')
-+
-+ allow $1 systemd_logind_t:system status;
-+')
-+
-+########################################
-+##
-+## Send systemd_login a null signal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_signull',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ ')
-+
-+ allow $1 systemd_logind_t:process signull;
-+')
-+
-+########################################
-+##
-+## Tell systemd_login to reboot the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_reboot',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ ')
-+
-+ allow $1 systemd_logind_t:system reboot;
-+')
-+
-+########################################
-+##
-+## Tell systemd_login to halt the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_halt',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ ')
-+
-+ allow $1 systemd_logind_t:system halt;
-+')
-+
-+########################################
-+##
-+## Tell systemd_login to do an unknown access.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_login_undefined',`
-+ gen_require(`
-+ type systemd_logind_t;
-+ ')
-+
-+ allow $1 systemd_logind_t:system undefined;
-+')
-+
-+########################################
-+##
-+## Configure generic unit files domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`systemd_config_generic_services',`
-+ gen_require(`
-+ type systemd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 systemd_unit_file_t:file read_file_perms;
-+ allow $1 systemd_unit_file_t:service manage_service_perms;
-+')
-+
-+########################################
-+##
-+## Configure power unit files domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`systemd_config_power_services',`
-+ gen_require(`
-+ type power_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 power_unit_file_t:file read_file_perms;
-+ allow $1 power_unit_file_t:service manage_service_perms;
-+')
-+
-+########################################
-+##
-+## Start power unit files domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`systemd_start_power_services',`
-+ gen_require(`
-+ type power_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 power_unit_file_t:service start;
-+')
-+
-+#######################################
-+##
-+## Start power unit files domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`systemd_start_all_unit_files',`
-+ gen_require(`
-+ attribute systemd_unit_file_type;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 systemd_unit_file_type:service start;
-+')
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-new file mode 100644
-index 0000000..223e3f0
---- /dev/null
-+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,451 @@
-+policy_module(systemd, 1.0.0)
-+
-+#######################################
-+#
-+# Declarations
-+#
-+
-+attribute systemd_unit_file_type;
-+attribute systemd_domain;
-+attribute systemctl_domain;
-+
-+type systemd_logger_t;
-+type systemd_logger_exec_t;
-+init_daemon_domain(systemd_logger_t, systemd_logger_exec_t)
-+
-+type systemd_logind_t;
-+type systemd_logind_exec_t;
-+init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
-+
-+# /run/systemd/sessions
-+type systemd_logind_sessions_t;
-+files_pid_file(systemd_logind_sessions_t)
-+
-+# /run/systemd/{seats, users}
-+type systemd_logind_var_run_t;
-+files_pid_file(systemd_logind_var_run_t)
-+
-+type systemd_logind_inhibit_var_run_t;
-+files_pid_file(systemd_logind_inhibit_var_run_t)
-+
-+type random_seed_t;
-+files_security_file(random_seed_t)
-+
-+# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
-+# systemd components
-+
-+type systemd_passwd_agent_t;
-+type systemd_passwd_agent_exec_t;
-+init_daemon_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
-+
-+type systemd_passwd_var_run_t alias systemd_device_t;
-+files_pid_file(systemd_passwd_var_run_t)
-+
-+# domain for systemd-tmpfiles component
-+type systemd_tmpfiles_t;
-+type systemd_tmpfiles_exec_t;
-+init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
-+
-+type systemd_notify_t;
-+type systemd_notify_exec_t;
-+init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
-+
-+# type for systemd unit files
-+type systemd_unit_file_t;
-+systemd_unit_file(systemd_unit_file_t)
-+
-+type power_unit_file_t;
-+systemd_unit_file(power_unit_file_t)
-+
-+# executable for systemctl
-+type systemd_systemctl_exec_t;
-+corecmd_executable_file(systemd_systemctl_exec_t)
-+
-+#######################################
-+#
-+# Systemd_logind local policy
-+#
-+
-+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
-+allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
-+allow systemd_logind_t self:process getcap;
-+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
-+
-+mls_file_read_all_levels(systemd_logind_t)
-+mls_file_write_all_levels(systemd_logind_t)
-+
-+manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
-+manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
-+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
-+init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
-+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
-+
-+manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
-+manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
-+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
-+manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
-+
-+kernel_read_system_state(systemd_logind_t)
-+
-+dev_getattr_all_chr_files(systemd_logind_t)
-+dev_getattr_all_blk_files(systemd_logind_t)
-+dev_rw_sysfs(systemd_logind_t)
-+dev_rw_input_dev(systemd_logind_t)
-+dev_setattr_all_chr_files(systemd_logind_t)
-+dev_setattr_dri_dev(systemd_logind_t)
-+dev_setattr_generic_usb_dev(systemd_logind_t)
-+dev_setattr_input_dev(systemd_logind_t)
-+dev_setattr_kvm_dev(systemd_logind_t)
-+dev_setattr_mouse_dev(systemd_logind_t)
-+dev_setattr_sound_dev(systemd_logind_t)
-+dev_setattr_video_dev(systemd_logind_t)
-+dev_write_kmsg(systemd_logind_t)
-+
-+domain_read_all_domains_state(systemd_logind_t)
-+domain_signal_all_domains(systemd_logind_t)
-+domain_signull_all_domains(systemd_logind_t)
-+domain_kill_all_domains(systemd_logind_t)
-+
-+# /etc/udev/udev.conf should probably have a private type if only for confined administration
-+# /etc/nsswitch.conf
-+files_read_etc_files(systemd_logind_t)
-+
-+# /sys/fs/cgroup/systemd/user
-+fs_manage_cgroup_dirs(systemd_logind_t)
-+# write getattr open setattr
-+fs_manage_cgroup_files(systemd_logind_t)
-+fs_getattr_tmpfs(systemd_logind_t)
-+fs_read_tmpfs_symlinks(systemd_logind_t)
-+
-+mcs_killall(systemd_logind_t)
-+
-+storage_setattr_removable_dev(systemd_logind_t)
-+storage_setattr_scsi_generic_dev(systemd_logind_t)
-+
-+term_use_unallocated_ttys(systemd_logind_t)
-+
-+init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
-+
-+init_status(systemd_logind_t)
-+init_signal(systemd_logind_t)
-+init_reboot(systemd_logind_t)
-+init_halt(systemd_logind_t)
-+init_undefined(systemd_logind_t)
-+init_signal_script(systemd_logind_t)
-+
-+getty_systemctl(systemd_logind_t)
-+
-+systemd_config_generic_services(systemd_logind_t)
-+
-+# /run/user/.*
-+# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
-+auth_manage_var_auth(systemd_logind_t)
-+auth_use_nsswitch(systemd_logind_t)
-+
-+authlogin_read_state(systemd_logind_t)
-+
-+init_dbus_chat(systemd_logind_t)
-+init_dbus_chat_script(systemd_logind_t)
-+init_read_script_state(systemd_logind_t)
-+init_read_state(systemd_logind_t)
-+init_rw_stream_sockets(systemd_logind_t)
-+
-+logging_send_syslog_msg(systemd_logind_t)
-+logging_stream_connect_syslog(systemd_logind_t)
-+
-+
-+udev_read_db(systemd_logind_t)
-+udev_manage_rules_files(systemd_logind_t)
-+
-+userdom_read_all_users_state(systemd_logind_t)
-+userdom_use_user_ttys(systemd_logind_t)
-+userdom_manage_all_user_tmp_content(systemd_logind_t)
-+
-+optional_policy(`
-+ apache_read_tmp_files(systemd_logind_t)
-+')
-+
-+optional_policy(`
-+ cron_dbus_chat_crond(systemd_logind_t)
-+ cron_read_state_crond(systemd_logind_t)
-+')
-+
-+optional_policy(`
-+ dbus_connect_system_bus(systemd_logind_t)
-+ dbus_system_bus_client(systemd_logind_t)
-+')
-+
-+optional_policy(`
-+ devicekit_dbus_chat_power(systemd_logind_t)
-+ devicekit_dbus_chat_disk(systemd_logind_t)
-+')
-+
-+optional_policy(`
-+ # we label /run/user/$USER/dconf as config_home_t
-+ gnome_manage_home_config_dirs(systemd_logind_t)
-+ gnome_manage_home_config(systemd_logind_t)
-+ gnome_manage_gkeyringd_tmp_dirs(systemd_logind_t)
-+ gnome_manage_gstreamer_home_dirs(systemd_logind_t)
-+')
-+
-+optional_policy(`
-+ policykit_dbus_chat(systemd_logind_t)
-+')
-+
-+optional_policy(`
-+ rpm_dbus_chat(systemd_logind_t)
-+')
-+
-+optional_policy(`
-+ # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
-+ xserver_search_xdm_tmp_dirs(systemd_logind_t)
-+')
-+
-+#######################################
-+#
-+# Local policy
-+#
-+
-+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
-+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
-+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
-+
-+kernel_stream_connect(systemd_passwd_agent_t)
-+
-+files_read_etc_files(systemd_passwd_agent_t)
-+
-+dev_create_generic_dirs(systemd_passwd_agent_t)
-+dev_read_generic_files(systemd_passwd_agent_t)
-+dev_write_generic_sock_files(systemd_passwd_agent_t)
-+
-+term_read_console(systemd_passwd_agent_t)
-+
-+auth_use_nsswitch(systemd_passwd_agent_t)
-+
-+init_create_pid_dirs(systemd_passwd_agent_t)
-+init_rw_pipes(systemd_passwd_agent_t)
-+init_read_utmp(systemd_passwd_agent_t)
-+init_stream_connect(systemd_passwd_agent_t)
-+
-+logging_send_syslog_msg(systemd_passwd_agent_t)
-+logging_stream_connect_syslog(systemd_passwd_agent_t)
-+
-+
-+userdom_use_user_ptys(systemd_passwd_agent_t)
-+
-+optional_policy(`
-+ lvm_signull(systemd_passwd_agent_t)
-+')
-+
-+optional_policy(`
-+ plymouthd_stream_connect(systemd_passwd_agent_t)
-+')
-+
-+#######################################
-+#
-+# Local policy
-+#
-+
-+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
-+allow systemd_tmpfiles_t self:process { setfscreate };
-+
-+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
-+
-+kernel_read_network_state(systemd_tmpfiles_t)
-+kernel_request_load_module(systemd_tmpfiles_t)
-+
-+dev_write_kmsg(systemd_tmpfiles_t)
-+dev_rw_sysfs(systemd_tmpfiles_t)
-+dev_relabel_all_sysfs(systemd_tmpfiles_t)
-+dev_relabel_cpu_online(systemd_tmpfiles_t)
-+dev_read_cpu_online(systemd_tmpfiles_t)
-+dev_manage_printer(systemd_tmpfiles_t)
-+dev_relabel_printer(systemd_tmpfiles_t)
-+
-+domain_obj_id_change_exemption(systemd_tmpfiles_t)
-+
-+# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
-+fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
-+fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
-+fs_list_all(systemd_tmpfiles_t)
-+
-+files_read_etc_files(systemd_tmpfiles_t)
-+files_getattr_all_dirs(systemd_tmpfiles_t)
-+files_getattr_all_files(systemd_tmpfiles_t)
-+files_getattr_all_sockets(systemd_tmpfiles_t)
-+files_getattr_all_symlinks(systemd_tmpfiles_t)
-+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
-+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
-+files_relabel_all_pid_files(systemd_tmpfiles_t)
-+files_manage_all_pids(systemd_tmpfiles_t)
-+files_manage_all_pid_dirs(systemd_tmpfiles_t)
-+files_manage_all_locks(systemd_tmpfiles_t)
-+files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
-+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
-+files_delete_boot_flag(systemd_tmpfiles_t)
-+files_delete_all_non_security_files(systemd_tmpfiles_t)
-+files_delete_all_pid_sockets(systemd_tmpfiles_t)
-+files_delete_all_pid_pipes(systemd_tmpfiles_t)
-+files_purge_tmp(systemd_tmpfiles_t)
-+files_manage_generic_tmp_files(systemd_tmpfiles_t)
-+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_files(systemd_tmpfiles_t)
-+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
-+files_relabel_all_tmp_files(systemd_tmpfiles_t)
-+files_list_lost_found(systemd_tmpfiles_t)
-+
-+mcs_file_read_all(systemd_tmpfiles_t)
-+mcs_file_write_all(systemd_tmpfiles_t)
-+mls_file_read_all_levels(systemd_tmpfiles_t)
-+mls_file_write_all_levels(systemd_tmpfiles_t)
-+
-+selinux_get_enforce_mode(systemd_tmpfiles_t)
-+
-+auth_manage_faillog(systemd_tmpfiles_t)
-+auth_relabel_faillog(systemd_tmpfiles_t)
-+auth_manage_var_auth(systemd_tmpfiles_t)
-+auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
-+auth_relabel_login_records(systemd_tmpfiles_t)
-+auth_setattr_login_records(systemd_tmpfiles_t)
-+auth_use_nsswitch(systemd_tmpfiles_t)
-+
-+init_dgram_send(systemd_tmpfiles_t)
-+init_rw_stream_sockets(systemd_tmpfiles_t)
-+
-+logging_create_devlog_dev(systemd_tmpfiles_t)
-+logging_send_syslog_msg(systemd_tmpfiles_t)
-+logging_stream_connect_syslog(systemd_tmpfiles_t)
-+
-+miscfiles_filetrans_named_content(systemd_tmpfiles_t)
-+miscfiles_manage_man_pages(systemd_tmpfiles_t)
-+miscfiles_relabel_man_pages(systemd_tmpfiles_t)
-+miscfiles_delete_man_pages(systemd_tmpfiles_t)
-+
-+seutil_read_config(systemd_tmpfiles_t)
-+seutil_read_file_contexts(systemd_tmpfiles_t)
-+
-+ifdef(`distro_redhat',`
-+ userdom_list_user_home_content(systemd_tmpfiles_t)
-+ userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t)
-+ userdom_delete_all_user_home_content_files(systemd_tmpfiles_t)
-+ userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t)
-+ userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t)
-+ userdom_delete_admin_home_files(systemd_tmpfiles_t)
-+')
-+
-+optional_policy(`
-+ apache_delete_sys_content_rw(systemd_tmpfiles_t)
-+ apache_list_cache(systemd_tmpfiles_t)
-+ apache_delete_cache_dirs(systemd_tmpfiles_t)
-+ apache_delete_cache_files(systemd_tmpfiles_t)
-+ apache_setattr_cache_dirs(systemd_tmpfiles_t)
-+')
-+
-+
-+optional_policy(`
-+ auth_rw_login_records(systemd_tmpfiles_t)
-+')
-+
-+optional_policy(`
-+ # we have /run/user/$USER/dconf
-+ gnome_delete_home_config(systemd_tmpfiles_t)
-+ gnome_delete_home_config_dirs(systemd_tmpfiles_t)
-+ gnome_setattr_home_config_dirs(systemd_tmpfiles_t)
-+')
-+
-+optional_policy(`
-+ rpm_read_db(systemd_tmpfiles_t)
-+ rpm_delete_db(systemd_tmpfiles_t)
-+')
-+
-+optional_policy(`
-+ sandbox_list(systemd_tmpfiles_t)
-+ sandbox_delete_dirs(systemd_tmpfiles_t)
-+ sandbox_delete_files(systemd_tmpfiles_t)
-+ sandbox_delete_lnk_files(systemd_tmpfiles_t)
-+ sandbox_delete_pipes(systemd_tmpfiles_t)
-+ sandbox_delete_sock_files(systemd_tmpfiles_t)
-+ sandbox_setattr_dirs(systemd_tmpfiles_t)
-+')
-+
-+########################################
-+#
-+# systemd_notify local policy
-+#
-+allow systemd_notify_t self:capability chown;
-+allow systemd_notify_t self:process { fork setfscreate setsockcreate };
-+
-+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
-+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
-+
-+domain_use_interactive_fds(systemd_notify_t)
-+
-+files_read_etc_files(systemd_notify_t)
-+files_read_usr_files(systemd_notify_t)
-+
-+fs_getattr_cgroup_files(systemd_notify_t)
-+
-+auth_use_nsswitch(systemd_notify_t)
-+
-+init_rw_stream_sockets(systemd_notify_t)
-+
-+
-+optional_policy(`
-+ readahead_manage_pid_files(systemd_notify_t)
-+')
-+
-+########################################
-+#
-+# systemd_logger local policy
-+#
-+
-+allow systemd_logger_t self:capability { sys_admin chown kill };
-+allow systemd_logger_t self:process { fork setfscreate setsockcreate };
-+
-+allow systemd_logger_t self:fifo_file rw_fifo_file_perms;
-+allow systemd_logger_t self:unix_stream_socket create_stream_socket_perms;
-+
-+kernel_use_fds(systemd_logger_t)
-+
-+dev_write_kmsg(systemd_logger_t)
-+
-+domain_use_interactive_fds(systemd_logger_t)
-+
-+files_read_etc_files(systemd_logger_t)
-+files_read_usr_files(systemd_logger_t)
-+
-+# only needs write
-+term_use_generic_ptys(systemd_logger_t)
-+
-+auth_use_nsswitch(systemd_logger_t)
-+
-+# /run/systemd/notify
-+init_write_pid_socket(systemd_logger_t)
-+
-+logging_send_syslog_msg(systemd_logger_t)
-+logging_stream_connect_syslog(systemd_logger_t)
-+
-+########################################
-+#
-+# systemd_sysctl domains local policy
-+#
-+
-+allow systemctl_domain systemd_unit_file_type:dir search_dir_perms;
-+
-+fs_list_cgroup_dirs(systemctl_domain)
-+fs_read_cgroup_files(systemctl_domain)
-+
-+# needed by systemctl
-+init_dgram_send(systemctl_domain)
-+init_stream_connect(systemctl_domain)
-+init_read_state(systemctl_domain)
-+init_list_pid_dirs(systemctl_domain)
-+init_use_fds(systemctl_domain)
-diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 2575393..49fd32e 100644
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -1,6 +1,8 @@
--/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
--/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
--/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
-+/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
-+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0)
-+/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0)
-+/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0)
-
- /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
-@@ -10,6 +12,7 @@
- /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
- /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-
- ifdef(`distro_debian',`
- /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
-@@ -27,9 +30,23 @@ ifdef(`distro_redhat',`
- ')
-
- /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
--
--/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
--/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
-+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
-+/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
-+/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
-+/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-+/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-
- ifdef(`distro_debian',`
- /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
-diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 77a13a5..9a5a73f 100644
---- a/policy/modules/system/udev.if
-+++ b/policy/modules/system/udev.if
-@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
- ')
-
- domtrans_pattern($1, udev_exec_t, udev_t)
-+ allow $1 udev_t:process noatsecure;
- ')
-
- ########################################
-@@ -88,8 +89,7 @@ interface(`udev_read_state',`
- ')
-
- kernel_search_proc($1)
-- allow $1 udev_t:file read_file_perms;
-- allow $1 udev_t:lnk_file read_lnk_file_perms;
-+ ps_process_pattern($1, udev_t)
- ')
-
- ########################################
-@@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
- #
- interface(`udev_dontaudit_search_db',`
- gen_require(`
-- type udev_tbl_t;
-+ type udev_var_run_t;
- ')
-
-- dontaudit $1 udev_tbl_t:dir search_dir_perms;
-+ dontaudit $1 udev_var_run_t:dir search_dir_perms;
- ')
-
- ########################################
-@@ -187,25 +187,70 @@ interface(`udev_dontaudit_search_db',`
- ##
- #
- interface(`udev_read_db',`
-+ udev_read_pid_files($1)
-+')
-+
-+########################################
-+##
-+## Allow process to modify list of devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`udev_rw_db',`
- gen_require(`
-- type udev_tbl_t;
-+ type udev_var_run_t;
- ')
-
-- allow $1 udev_tbl_t:dir list_dir_perms;
-+ files_search_pids($1)
-+ dev_list_all_dev_nodes($1)
-+ rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
-+')
-
-- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
-- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
-+########################################
-+##
-+## Allow process to modify relabelto udev database
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`udev_relabelto_db',`
-+ gen_require(`
-+ type udev_var_run_t;
-+ ')
-
-- dev_list_all_dev_nodes($1)
-+ files_search_pids($1)
-+ allow $1 udev_var_run_t:file relabelto_file_perms;
-+')
-
-- files_search_etc($1)
-+########################################
-+##
-+## Relabel the udev sock_file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`udev_relabel_pid_sockfile',`
-+ gen_require(`
-+ type udev_var_run_t;
-+ ')
-
-- udev_search_pids($1)
-+ allow $1 udev_var_run_t:sock_file relabel_sock_file_perms;
- ')
-
- ########################################
- ##
--## Allow process to modify list of devices.
-+## Create, read, write, and delete
-+## udev pid files.
- ##
- ##
- ##
-@@ -213,13 +258,16 @@ interface(`udev_read_db',`
- ##
- ##
- #
--interface(`udev_rw_db',`
-+interface(`udev_read_pid_files',`
- gen_require(`
-- type udev_tbl_t;
-+ type udev_var_run_t;
- ')
-
- dev_list_all_dev_nodes($1)
-- allow $1 udev_tbl_t:file rw_file_perms;
-+ files_search_pids($1)
-+ allow $1 udev_var_run_t:dir list_dir_perms;
-+ read_files_pattern($1, udev_var_run_t, udev_var_run_t)
-+ read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
- ')
-
- ########################################
-@@ -300,6 +348,84 @@ interface(`udev_manage_pid_files',`
- type udev_var_run_t;
- ')
-
-- files_search_var_lib($1)
-+ files_search_pids($1)
- manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
- ')
-+
-+#######################################
-+##
-+## Execute udev in the udev domain, and
-+## allow the specified role the udev domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the iptables domain.
-+##
-+##
-+##
-+#
-+interface(`udev_run',`
-+ gen_require(`
-+ type udev_t;
-+ ')
-+
-+ udev_domtrans($1)
-+ role $2 types udev_t;
-+')
-+
-+#######################################
-+##
-+## Allow caller to create kobject uevent socket for udev
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`udev_create_kobject_uevent_socket',`
-+ gen_require(`
-+ type udev_t;
-+ role system_r;
-+ ')
-+
-+ allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
-+')
-+
-+########################################
-+##
-+## Create a domain for processes
-+## which can be started by udev.
-+##
-+##
-+##
-+## Type to be used as a domain.
-+##
-+##
-+##
-+##
-+## Type of the program to be used as an entry point to this domain.
-+##
-+##
-+#
-+interface(`udev_system_domain',`
-+ gen_require(`
-+ type udev_t;
-+ role system_r;
-+ ')
-+
-+ domain_type($1)
-+ domain_entry_file($1, $2)
-+
-+ role system_r types $1;
-+
-+ domtrans_pattern(udev_t, $2, $1)
-+
-+ dontaudit $1 udev_t:unix_dgram_socket { read write };
-+')
-+
-diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 29075b3..8d185fc 100644
---- a/policy/modules/system/udev.te
-+++ b/policy/modules/system/udev.te
-@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
- type udev_etc_t alias etc_udev_t;
- files_config_file(udev_etc_t)
-
--type udev_tbl_t alias udev_tdb_t;
--files_type(udev_tbl_t)
--
- type udev_rules_t;
- files_type(udev_rules_t)
-
- type udev_var_run_t;
- files_pid_file(udev_var_run_t)
-+typealias udev_var_run_t alias udev_tbl_t;
-
- ifdef(`enable_mcs',`
- kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
-@@ -36,9 +34,11 @@ ifdef(`enable_mcs',`
- # Local policy
- #
-
--allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
-+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
-+allow udev_t self:capability2 { block_suspend compromise_kernel };
- dontaudit udev_t self:capability sys_tty_config;
--allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+
-+allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow udev_t self:process { execmem setfscreate };
- allow udev_t self:fd use;
- allow udev_t self:fifo_file rw_fifo_file_perms;
-@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
- allow udev_t self:unix_stream_socket connectto;
- allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow udev_t self:rawip_socket create_socket_perms;
-+allow udev_t self:netlink_socket create_socket_perms;
-
- allow udev_t udev_exec_t:file write;
- can_exec(udev_t, udev_exec_t)
-@@ -62,31 +63,35 @@ can_exec(udev_t, udev_helper_exec_t)
- # read udev config
- allow udev_t udev_etc_t:file read_file_perms;
-
--# create udev database in /dev/.udevdb
--allow udev_t udev_tbl_t:file manage_file_perms;
--dev_filetrans(udev_t, udev_tbl_t, file)
--
- list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
--read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
-+manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
-+manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
-
- manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
-+manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
- manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
- manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
--files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
-+files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
-+allow udev_t udev_var_run_t:file mounton;
-+dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
-
-+kernel_load_module(udev_t)
- kernel_read_system_state(udev_t)
- kernel_request_load_module(udev_t)
- kernel_getattr_core_if(udev_t)
- kernel_use_fds(udev_t)
- kernel_read_device_sysctls(udev_t)
-+kernel_read_fs_sysctls(udev_t)
- kernel_read_hotplug_sysctls(udev_t)
- kernel_read_modprobe_sysctls(udev_t)
- kernel_read_kernel_sysctls(udev_t)
- kernel_rw_hotplug_sysctls(udev_t)
- kernel_rw_unix_dgram_sockets(udev_t)
- kernel_dgram_send(udev_t)
--kernel_signal(udev_t)
- kernel_search_debugfs(udev_t)
-+kernel_setsched(udev_t)
-+kernel_stream_connect(udev_t)
-+kernel_signal(udev_t)
-
- #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
- kernel_rw_net_sysctls(udev_t)
-@@ -97,6 +102,7 @@ corecmd_exec_all_executables(udev_t)
-
- dev_rw_sysfs(udev_t)
- dev_manage_all_dev_nodes(udev_t)
-+dev_rw_generic_usb_dev(udev_t)
- dev_rw_generic_files(udev_t)
- dev_delete_generic_files(udev_t)
- dev_search_usbfs(udev_t)
-@@ -105,23 +111,31 @@ dev_relabel_all_dev_nodes(udev_t)
- # preserved, instead of short circuiting the relabel
- dev_relabel_generic_symlinks(udev_t)
- dev_manage_generic_symlinks(udev_t)
-+dev_filetrans_all_named_dev(udev_t)
-
- domain_read_all_domains_state(udev_t)
--domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
-
- files_read_usr_files(udev_t)
- files_read_etc_runtime_files(udev_t)
--files_read_etc_files(udev_t)
-+files_read_kernel_modules(udev_t)
-+files_read_system_conf_files(udev_t)
-+
-+
-+# console_init manages files in /etc/sysconfig
-+files_manage_etc_files(udev_t)
- files_exec_etc_files(udev_t)
-+files_exec_usr_files(udev_t)
- files_dontaudit_search_isid_type_dirs(udev_t)
- files_getattr_generic_locks(udev_t)
- files_search_mnt(udev_t)
-+files_list_tmp(udev_t)
-
- fs_getattr_all_fs(udev_t)
- fs_list_inotifyfs(udev_t)
- fs_rw_anon_inodefs_files(udev_t)
--
--mcs_ptrace_all(udev_t)
-+fs_list_auto_mountpoints(udev_t)
-+fs_list_hugetlbfs(udev_t)
-+fs_read_cgroup_files(udev_t)
-
- mls_file_read_all_levels(udev_t)
- mls_file_write_all_levels(udev_t)
-@@ -143,17 +157,20 @@ auth_use_nsswitch(udev_t)
- init_read_utmp(udev_t)
- init_dontaudit_write_utmp(udev_t)
- init_getattr_initctl(udev_t)
-+init_stream_connect(udev_t)
-
- logging_search_logs(udev_t)
- logging_send_syslog_msg(udev_t)
- logging_send_audit_msgs(udev_t)
-+logging_stream_connect_syslog(udev_t)
-
--miscfiles_read_localization(udev_t)
- miscfiles_read_hwdata(udev_t)
-
- modutils_domtrans_insmod(udev_t)
- # read modules.inputmap:
- modutils_read_module_deps(udev_t)
-+modutils_list_module_config(udev_t)
-+modutils_read_module_config(udev_t)
-
- seutil_read_config(udev_t)
- seutil_read_default_contexts(udev_t)
-@@ -169,6 +186,8 @@ sysnet_signal_dhcpc(udev_t)
- sysnet_manage_config(udev_t)
- sysnet_etc_filetrans_config(udev_t)
-
-+systemd_login_read_pid_files(udev_t)
-+
- userdom_dontaudit_search_user_home_content(udev_t)
-
- ifdef(`distro_gentoo',`
-@@ -178,16 +197,9 @@ ifdef(`distro_gentoo',`
- ')
-
- ifdef(`distro_redhat',`
-- fs_manage_tmpfs_dirs(udev_t)
-- fs_manage_tmpfs_files(udev_t)
-- fs_manage_tmpfs_symlinks(udev_t)
-- fs_manage_tmpfs_sockets(udev_t)
-- fs_manage_tmpfs_blk_files(udev_t)
-- fs_manage_tmpfs_chr_files(udev_t)
-- fs_relabel_tmpfs_blk_file(udev_t)
-- fs_relabel_tmpfs_chr_file(udev_t)
-+ fs_manage_hugetlbfs_dirs(udev_t)
-
-- term_search_ptys(udev_t)
-+ term_use_generic_ptys(udev_t)
-
- # for arping used for static IP addresses on PCMCIA ethernet
- netutils_domtrans(udev_t)
-@@ -216,11 +228,16 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ consolekit_read_pid_files(udev_t)
-+')
-+
-+optional_policy(`
- consoletype_exec(udev_t)
- ')
-
- optional_policy(`
- cups_domtrans_config(udev_t)
-+ cups_read_config(udev_t)
- ')
-
- optional_policy(`
-@@ -230,10 +247,20 @@ optional_policy(`
- optional_policy(`
- devicekit_read_pid_files(udev_t)
- devicekit_dgram_send(udev_t)
-+ devicekit_domtrans_disk(udev_t)
-+')
-+
-+optional_policy(`
-+ gnome_read_home_config(udev_t)
-+')
-+
-+optional_policy(`
-+ gpsd_domtrans(udev_t)
- ')
-
- optional_policy(`
- lvm_domtrans(udev_t)
-+ lvm_dgram_send(udev_t)
- ')
-
- optional_policy(`
-@@ -259,6 +286,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ networkmanager_dbus_chat(udev_t)
-+')
-+
-+optional_policy(`
- openct_read_pid_files(udev_t)
- openct_domtrans(udev_t)
- ')
-@@ -273,6 +304,15 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ radvd_read_pid_files(udev_t)
-+')
-+
-+optional_policy(`
-+ usbmuxd_domtrans(udev_t)
-+ usbmuxd_stream_connect(udev_t)
-+')
-+
-+optional_policy(`
- unconfined_signal(udev_t)
- ')
-
-@@ -285,6 +325,7 @@ optional_policy(`
- kernel_read_xen_state(udev_t)
- xen_manage_log(udev_t)
- xen_read_image_files(udev_t)
-+ xen_stream_connect_xenstore(udev_t)
- ')
-
- optional_policy(`
-diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
-index 0abaf84..8b34dbc 100644
---- a/policy/modules/system/unconfined.fc
-+++ b/policy/modules/system/unconfined.fc
-@@ -1,21 +1 @@
- # Add programs here which should not be confined by SELinux
--# e.g.:
--# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
--# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
--/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
--
--/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--
--/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--
--ifdef(`distro_debian',`
--/usr/bin/gcj-dbtool-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--/usr/bin/gij-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--/usr/lib/openoffice/program/soffice\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--')
--
--ifdef(`distro_gentoo',`
--/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--')
-diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index db7aabb..4012a61 100644
---- a/policy/modules/system/unconfined.if
-+++ b/policy/modules/system/unconfined.if
-@@ -12,53 +12,59 @@
- #
- interface(`unconfined_domain_noaudit',`
- gen_require(`
-- type unconfined_t;
- class dbus all_dbus_perms;
- class nscd all_nscd_perms;
- class passwd all_passwd_perms;
- ')
-
-- # Use most Linux capabilities
-- allow $1 self:capability ~sys_module;
-- allow $1 self:fifo_file manage_fifo_file_perms;
-+ # Use any Linux capability.
-+
-+ allow $1 self:capability ~{ sys_module };
-+ allow $1 self:capability2 ~{ mac_admin mac_override };
-+ allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
-
- # Transition to myself, to make get_ordered_context_list happy.
-- allow $1 self:process transition;
-+ allow $1 self:process { dyntransition transition };
-
- # Write access is for setting attributes under /proc/self/attr.
- allow $1 self:file rw_file_perms;
-+ allow $1 self:dir rw_dir_perms;
-
- # Userland object managers
-- allow $1 self:nscd *;
-- allow $1 self:dbus *;
-- allow $1 self:passwd *;
-- allow $1 self:association *;
-+ allow $1 self:nscd all_nscd_perms;
-+ allow $1 self:dbus all_dbus_perms;
-+ allow $1 self:passwd all_passwd_perms;
-+ allow $1 self:association all_association_perms;
-+ allow $1 self:socket_class_set create_socket_perms;
-
- kernel_unconfined($1)
- corenet_unconfined($1)
- dev_unconfined($1)
- domain_unconfined($1)
-- domain_dontaudit_read_all_domains_state($1)
-- domain_dontaudit_ptrace_all_domains($1)
- files_unconfined($1)
- fs_unconfined($1)
- selinux_unconfined($1)
-+ systemd_config_all_services($1)
-+
-+ domain_mmap_low($1)
-+
-+ mcs_file_read_all($1)
-
-- tunable_policy(`allow_execheap',`
-+ ubac_process_exempt($1)
-+
-+ tunable_policy(`selinuxuser_execheap',`
- # Allow making the stack executable via mprotect.
- allow $1 self:process execheap;
- ')
-
-- tunable_policy(`allow_execmem',`
-+ tunable_policy(`deny_execmem',`',`
- # Allow making anonymous memory executable, e.g.
- # for runtime-code generation or executable stack.
- allow $1 self:process execmem;
- ')
-
-- tunable_policy(`allow_execstack',`
-- # Allow making the stack executable via mprotect;
-- # execstack implies execmem;
-- allow $1 self:process { execstack execmem };
-+ tunable_policy(`selinuxuser_execstack',`
-+ allow $1 self:process execstack;
- # auditallow $1 self:process execstack;
- ')
-
-@@ -69,6 +75,7 @@ interface(`unconfined_domain_noaudit',`
- optional_policy(`
- # Communicate via dbusd.
- dbus_system_bus_unconfined($1)
-+ dbus_unconfined($1)
- ')
-
- optional_policy(`
-@@ -122,9 +129,13 @@ interface(`unconfined_domain_noaudit',`
- ##
- #
- interface(`unconfined_domain',`
-+ gen_require(`
-+ attribute unconfined_services;
-+ ')
-+
- unconfined_domain_noaudit($1)
-
-- tunable_policy(`allow_execheap',`
-+ tunable_policy(`selinuxuser_execheap',`
- auditallow $1 self:process execheap;
- ')
- ')
-@@ -150,7 +161,7 @@ interface(`unconfined_domain',`
- ##
- #
- interface(`unconfined_alias_domain',`
-- refpolicywarn(`$0($1) has been deprecated.')
-+ refpolicywarn(`$0() has been deprecated.')
- ')
-
- ########################################
-@@ -176,414 +187,5 @@ interface(`unconfined_alias_domain',`
- ##
- #
- interface(`unconfined_execmem_alias_program',`
-- refpolicywarn(`$0($1) has been deprecated.')
--')
--
--########################################
--##
--## Transition to the unconfined domain.
--##
--##
--##
--## Domain allowed to transition.
--##
--##
--#
--interface(`unconfined_domtrans',`
-- gen_require(`
-- type unconfined_t, unconfined_exec_t;
-- ')
--
-- domtrans_pattern($1, unconfined_exec_t, unconfined_t)
--')
--
--########################################
--##
--## Execute specified programs in the unconfined domain.
--##
--##
--##
--## Domain allowed to transition.
--##
--##
--##
--##
--## The role to allow the unconfined domain.
--##
--##
--#
--interface(`unconfined_run',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- unconfined_domtrans($1)
-- role $2 types unconfined_t;
--')
--
--########################################
--##
--## Transition to the unconfined domain by executing a shell.
--##
--##
--##
--## Domain allowed to transition.
--##
--##
--#
--interface(`unconfined_shell_domtrans',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- corecmd_shell_domtrans($1, unconfined_t)
-- allow unconfined_t $1:fd use;
-- allow unconfined_t $1:fifo_file rw_file_perms;
-- allow unconfined_t $1:process sigchld;
--')
--
--########################################
--##
--## Allow unconfined to execute the specified program in
--## the specified domain.
--##
--##
--##
--## Allow unconfined to execute the specified program in
--## the specified domain.
--##
--##
--## This is a interface to support third party modules
--## and its use is not allowed in upstream reference
--## policy.
--##
--##
--##
--##
--## Domain to execute in.
--##
--##
--##
--##
--## Domain entry point file.
--##
--##
--#
--interface(`unconfined_domtrans_to',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- domtrans_pattern(unconfined_t,$2,$1)
--')
--
--########################################
--##
--## Allow unconfined to execute the specified program in
--## the specified domain. Allow the specified domain the
--## unconfined role and use of unconfined user terminals.
--##
--##
--##
--## Allow unconfined to execute the specified program in
--## the specified domain. Allow the specified domain the
--## unconfined role and use of unconfined user terminals.
--##
--##
--## This is a interface to support third party modules
--## and its use is not allowed in upstream reference
--## policy.
--##
--##
--##
--##
--## Domain to execute in.
--##
--##
--##
--##
--## Domain entry point file.
--##
--##
--#
--interface(`unconfined_run_to',`
-- gen_require(`
-- type unconfined_t;
-- role unconfined_r;
-- ')
--
-- domtrans_pattern(unconfined_t,$2,$1)
-- role unconfined_r types $1;
-- userdom_use_user_terminals($1)
--')
--
--########################################
--##
--## Inherit file descriptors from the unconfined domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_use_fds',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- allow $1 unconfined_t:fd use;
--')
--
--########################################
--##
--## Send a SIGCHLD signal to the unconfined domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_sigchld',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- allow $1 unconfined_t:process sigchld;
--')
--
--########################################
--##
--## Send a SIGNULL signal to the unconfined domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_signull',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- allow $1 unconfined_t:process signull;
--')
--
--########################################
--##
--## Send generic signals to the unconfined domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_signal',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- allow $1 unconfined_t:process signal;
--')
--
--########################################
--##
--## Read unconfined domain unnamed pipes.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_read_pipes',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- allow $1 unconfined_t:fifo_file read_fifo_file_perms;
--')
--
--########################################
--##
--## Do not audit attempts to read unconfined domain unnamed pipes.
--##
--##
--##
--## Domain to not audit.
--##
--##
--#
--interface(`unconfined_dontaudit_read_pipes',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- dontaudit $1 unconfined_t:fifo_file read;
--')
--
--########################################
--##
--## Read and write unconfined domain unnamed pipes.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_rw_pipes',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
--')
--
--########################################
--##
--## Do not audit attempts to read and write
--## unconfined domain unnamed pipes.
--##
--##
--##
--## Domain to not audit.
--##
--##
--#
--interface(`unconfined_dontaudit_rw_pipes',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- dontaudit $1 unconfined_t:fifo_file rw_file_perms;
--')
--
--########################################
--##
--## Connect to the unconfined domain using
--## a unix domain stream socket.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_stream_connect',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- allow $1 unconfined_t:unix_stream_socket connectto;
--')
--
--########################################
--##
--## Do not audit attempts to read or write
--## unconfined domain tcp sockets.
--##
--##
--##
--## Do not audit attempts to read or write
--## unconfined domain tcp sockets.
--##
--##
--## This interface was added due to a broken
--## symptom in ldconfig.
--##
--##
--##
--##
--## Domain to not audit.
--##
--##
--#
--interface(`unconfined_dontaudit_rw_tcp_sockets',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- dontaudit $1 unconfined_t:tcp_socket { read write };
--')
--
--########################################
--##
--## Create keys for the unconfined domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_create_keys',`
-- gen_require(`
-- type unconfined_t;
-- ')
--
-- allow $1 unconfined_t:key create;
--')
--
--########################################
--##
--## Send messages to the unconfined domain over dbus.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_dbus_send',`
-- gen_require(`
-- type unconfined_t;
-- class dbus send_msg;
-- ')
--
-- allow $1 unconfined_t:dbus send_msg;
--')
--
--########################################
--##
--## Send and receive messages from
--## unconfined_t over dbus.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_dbus_chat',`
-- gen_require(`
-- type unconfined_t;
-- class dbus send_msg;
-- ')
--
-- allow $1 unconfined_t:dbus send_msg;
-- allow unconfined_t $1:dbus send_msg;
--')
--
--########################################
--##
--## Connect to the the unconfined DBUS
--## for service (acquire_svc).
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_dbus_connect',`
-- gen_require(`
-- type unconfined_t;
-- class dbus acquire_svc;
-- ')
--
-- allow $1 unconfined_t:dbus acquire_svc;
-+ refpolicywarn(`$0() has been deprecated.')
- ')
-diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 0280b32..61f19e9 100644
---- a/policy/modules/system/unconfined.te
-+++ b/policy/modules/system/unconfined.te
-@@ -4,237 +4,4 @@ policy_module(unconfined, 3.5.0)
- #
- # Declarations
- #
--
--# usage in this module of types created by these
--# calls is not correct, however we dont currently
--# have another method to add access to these types
--userdom_base_user_template(unconfined)
--userdom_manage_home_role(unconfined_r, unconfined_t)
--userdom_manage_tmp_role(unconfined_r, unconfined_t)
--userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
--
--type unconfined_exec_t;
--init_system_domain(unconfined_t, unconfined_exec_t)
--
--type unconfined_execmem_t;
--type unconfined_execmem_exec_t;
--init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
--role unconfined_r types unconfined_execmem_t;
--
--########################################
--#
--# Local policy
--#
--
--domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
--
--files_create_boot_flag(unconfined_t)
--
--mcs_killall(unconfined_t)
--mcs_ptrace_all(unconfined_t)
--
--init_run_daemon(unconfined_t, unconfined_r)
--
--libs_run_ldconfig(unconfined_t, unconfined_r)
--
--logging_send_syslog_msg(unconfined_t)
--logging_run_auditctl(unconfined_t, unconfined_r)
--
--mount_run_unconfined(unconfined_t, unconfined_r)
--
--seutil_run_setfiles(unconfined_t, unconfined_r)
--seutil_run_semanage(unconfined_t, unconfined_r)
--
--unconfined_domain(unconfined_t)
--
--userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
--
--ifdef(`distro_gentoo',`
-- seutil_run_runinit(unconfined_t, unconfined_r)
-- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- ada_domtrans(unconfined_t)
--')
--
--optional_policy(`
-- apache_run_helper(unconfined_t, unconfined_r)
-- apache_role(unconfined_r, unconfined_t)
--')
--
--optional_policy(`
-- bind_run_ndc(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- bootloader_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- cron_unconfined_role(unconfined_r, unconfined_t)
--')
--
--optional_policy(`
-- init_dbus_chat_script(unconfined_t)
--
-- dbus_stub(unconfined_t)
--
-- optional_policy(`
-- avahi_dbus_chat(unconfined_t)
-- ')
--
-- optional_policy(`
-- bluetooth_dbus_chat(unconfined_t)
-- ')
--
-- optional_policy(`
-- consolekit_dbus_chat(unconfined_t)
-- ')
--
-- optional_policy(`
-- cups_dbus_chat_config(unconfined_t)
-- ')
--
-- optional_policy(`
-- hal_dbus_chat(unconfined_t)
-- ')
--
-- optional_policy(`
-- networkmanager_dbus_chat(unconfined_t)
-- ')
--
-- optional_policy(`
-- oddjob_dbus_chat(unconfined_t)
-- ')
--')
--
--optional_policy(`
-- firstboot_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- ftp_run_ftpdctl(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- hadoop_role(unconfined_r, unconfined_t)
--')
--
--optional_policy(`
-- inn_domtrans(unconfined_t)
--')
--
--optional_policy(`
-- java_run_unconfined(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- lpd_run_checkpc(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- modutils_run_update_mods(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- mono_domtrans(unconfined_t)
--')
--
--optional_policy(`
-- mta_role(unconfined_r, unconfined_t)
--')
--
--optional_policy(`
-- oddjob_domtrans_mkhomedir(unconfined_t)
--')
--
--optional_policy(`
-- portage_run(unconfined_t, unconfined_r)
-- portage_run_fetch(unconfined_t, unconfined_r)
-- portage_run_gcc_config(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- prelink_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- portmap_run_helper(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- postfix_run_map(unconfined_t, unconfined_r)
-- # cjp: this should probably be removed:
-- postfix_domtrans_master(unconfined_t)
--')
--
--optional_policy(`
-- pyzor_role(unconfined_r, unconfined_t)
--')
--
--optional_policy(`
-- # cjp: this should probably be removed:
-- rpc_domtrans_nfsd(unconfined_t)
--')
--
--optional_policy(`
-- rpm_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- samba_run_net(unconfined_t, unconfined_r)
-- samba_run_winbind_helper(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- spamassassin_role(unconfined_r, unconfined_t)
--')
--
--optional_policy(`
-- sysnet_run_dhcpc(unconfined_t, unconfined_r)
-- sysnet_dbus_chat_dhcpc(unconfined_t)
--')
--
--optional_policy(`
-- tzdata_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- usermanage_run_admin_passwd(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- vpn_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- webalizer_run(unconfined_t, unconfined_r)
--')
--
--optional_policy(`
-- wine_domtrans(unconfined_t)
--')
--
--optional_policy(`
-- xserver_domtrans(unconfined_t)
--')
--
--########################################
--#
--# Unconfined Execmem Local policy
--#
--
--allow unconfined_execmem_t self:process { execstack execmem };
--unconfined_domain_noaudit(unconfined_execmem_t)
--
--optional_policy(`
-- dbus_stub(unconfined_execmem_t)
--
-- init_dbus_chat_script(unconfined_execmem_t)
-- unconfined_dbus_chat(unconfined_execmem_t)
--
-- optional_policy(`
-- hal_dbus_chat(unconfined_execmem_t)
-- ')
--')
-+attribute unconfined_services;
-diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..65191bd 100644
---- a/policy/modules/system/userdomain.fc
-+++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,21 @@
- HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
-+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
- HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
--
- /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
-+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
-+/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
-+/root/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
-+/root/\.debug(/.*)? <>
-+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
-+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
-+HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
-+HOME_DIR/\.local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
-+HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
-+HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
-+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
-+HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
-+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
-+HOME_DIR/\.gvfs/.* <>
-+HOME_DIR/\.debug(/.*)? <>
-+
-+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..53ea674 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
- ')
-
- attribute $1_file_type;
-+ attribute $1_usertype;
-
-- type $1_t, userdomain;
-+ type $1_t, userdomain, $1_usertype;
- domain_type($1_t)
-+ role $1_r;
- corecmd_shell_entry_type($1_t)
- corecmd_bin_entry_type($1_t)
- domain_user_exemption_target($1_t)
-@@ -44,79 +46,131 @@ template(`userdom_base_user_template',`
- term_user_pty($1_t, user_devpts_t)
-
- term_user_tty($1_t, user_tty_device_t)
--
-- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
-- allow $1_t self:fd use;
-- allow $1_t self:fifo_file rw_fifo_file_perms;
-- allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
-- allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
-- allow $1_t self:shm create_shm_perms;
-- allow $1_t self:sem create_sem_perms;
-- allow $1_t self:msgq create_msgq_perms;
-- allow $1_t self:msg { send receive };
-- allow $1_t self:context contains;
-- dontaudit $1_t self:socket create;
--
-- allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
-- term_create_pty($1_t, user_devpts_t)
-+ term_dontaudit_getattr_generic_ptys($1_t)
-+
-+ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1_usertype $1_usertype:process ptrace;
-+ ')
-+ allow $1_usertype $1_usertype:fd use;
-+ allow $1_usertype $1_t:key { create view read write search link setattr };
-+
-+ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
-+ allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
-+ allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
-+ allow $1_usertype $1_usertype:shm create_shm_perms;
-+ allow $1_usertype $1_usertype:sem create_sem_perms;
-+ allow $1_usertype $1_usertype:msgq create_msgq_perms;
-+ allow $1_usertype $1_usertype:msg { send receive };
-+ allow $1_usertype $1_usertype:context contains;
-+ dontaudit $1_usertype $1_usertype:socket create;
-+
-+ allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
-+ term_create_pty($1_usertype, user_devpts_t)
- # avoid annoying messages on terminal hangup on role change
-- dontaudit $1_t user_devpts_t:chr_file ioctl;
-+ dontaudit $1_usertype user_devpts_t:chr_file ioctl;
-
-- allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
-+ allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
- # avoid annoying messages on terminal hangup on role change
-- dontaudit $1_t user_tty_device_t:chr_file ioctl;
--
-- kernel_read_kernel_sysctls($1_t)
-- kernel_dontaudit_list_unlabeled($1_t)
-- kernel_dontaudit_getattr_unlabeled_files($1_t)
-- kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
-- kernel_dontaudit_getattr_unlabeled_pipes($1_t)
-- kernel_dontaudit_getattr_unlabeled_sockets($1_t)
-- kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
-- kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
--
-- dev_dontaudit_getattr_all_blk_files($1_t)
-- dev_dontaudit_getattr_all_chr_files($1_t)
-+ dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
-+
-+ application_exec_all($1_usertype)
-+
-+ kernel_read_kernel_sysctls($1_usertype)
-+ kernel_read_all_sysctls($1_usertype)
-+ kernel_dontaudit_list_unlabeled($1_usertype)
-+ kernel_dontaudit_getattr_unlabeled_files($1_usertype)
-+ kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
-+ kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
-+ kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
-+ kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
-+ kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
-+ kernel_dontaudit_list_proc($1_usertype)
-+
-+ dev_dontaudit_getattr_all_blk_files($1_usertype)
-+ dev_dontaudit_getattr_all_chr_files($1_usertype)
-+ dev_getattr_mtrr_dev($1_t)
-
- # When the user domain runs ps, there will be a number of access
- # denials when ps tries to search /proc. Do not audit these denials.
-- domain_dontaudit_read_all_domains_state($1_t)
-- domain_dontaudit_getattr_all_domains($1_t)
-- domain_dontaudit_getsession_all_domains($1_t)
--
-- files_read_etc_files($1_t)
-- files_read_etc_runtime_files($1_t)
-- files_read_usr_files($1_t)
-+ domain_dontaudit_read_all_domains_state($1_usertype)
-+ domain_dontaudit_getattr_all_domains($1_usertype)
-+ domain_dontaudit_getsession_all_domains($1_usertype)
-+ dev_dontaudit_all_access_check($1_usertype)
-+
-+ files_read_etc_files($1_usertype)
-+ files_list_mnt($1_usertype)
-+ files_list_var($1_usertype)
-+ files_read_mnt_files($1_usertype)
-+ files_dontaudit_access_check_mnt($1_usertype)
-+ files_read_etc_runtime_files($1_usertype)
-+ files_read_usr_files($1_usertype)
-+ files_read_usr_src_files($1_usertype)
- # Read directories and files with the readable_t type.
- # This type is a general type for "world"-readable files.
-- files_list_world_readable($1_t)
-- files_read_world_readable_files($1_t)
-- files_read_world_readable_symlinks($1_t)
-- files_read_world_readable_pipes($1_t)
-- files_read_world_readable_sockets($1_t)
-+ files_list_world_readable($1_usertype)
-+ files_read_world_readable_files($1_usertype)
-+ files_read_world_readable_symlinks($1_usertype)
-+ files_read_world_readable_pipes($1_usertype)
-+ files_read_world_readable_sockets($1_usertype)
- # old broswer_domain():
-- files_dontaudit_list_non_security($1_t)
-- files_dontaudit_getattr_non_security_files($1_t)
-- files_dontaudit_getattr_non_security_symlinks($1_t)
-- files_dontaudit_getattr_non_security_pipes($1_t)
-- files_dontaudit_getattr_non_security_sockets($1_t)
-+ files_dontaudit_getattr_all_dirs($1_usertype)
-+ files_dontaudit_list_non_security($1_usertype)
-+ files_dontaudit_getattr_all_files($1_usertype)
-+ files_dontaudit_getattr_non_security_symlinks($1_usertype)
-+ files_dontaudit_getattr_non_security_pipes($1_usertype)
-+ files_dontaudit_getattr_non_security_sockets($1_usertype)
-+ files_dontaudit_setattr_etc_runtime_files($1_usertype)
-+
-+ files_exec_usr_files($1_t)
-+
-+ fs_list_cgroup_dirs($1_usertype)
-+ fs_dontaudit_rw_cgroup_files($1_usertype)
-+
-+ storage_rw_fuse($1_usertype)
-+
-+ auth_use_nsswitch($1_t)
-+
-+ init_stream_connect($1_usertype)
-+ # The library functions always try to open read-write first,
-+ # then fall back to read-only if it fails.
-+ init_dontaudit_rw_utmp($1_usertype)
-
-- libs_exec_ld_so($1_t)
-+ libs_exec_ld_so($1_usertype)
-
-- miscfiles_read_localization($1_t)
- miscfiles_read_generic_certs($1_t)
-
-- sysnet_read_config($1_t)
-+ miscfiles_read_all_certs($1_usertype)
-+ miscfiles_read_public_files($1_usertype)
-
-- tunable_policy(`allow_execmem',`
-+ systemd_dbus_chat_logind($1_usertype)
-+ systemd_read_logind_sessions_files($1_usertype)
-+ systemd_write_inhibit_pipes($1_usertype)
-+ systemd_write_inherited_logind_sessions_pipes($1_usertype)
-+
-+ tunable_policy(`deny_execmem',`', `
- # Allow loading DSOs that require executable stack.
- allow $1_t self:process execmem;
- ')
-
-- tunable_policy(`allow_execmem && allow_execstack',`
-+ tunable_policy(`selinuxuser_execstack',`
- # Allow making the stack executable via mprotect.
- allow $1_t self:process execstack;
- ')
-+
-+ optional_policy(`
-+ abrt_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ fs_list_cgroup_dirs($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ ssh_rw_stream_sockets($1_usertype)
-+ ssh_delete_tmp($1_t)
-+ ssh_signal($1_t)
-+ ')
- ')
-
- #######################################
-@@ -150,6 +204,8 @@ interface(`userdom_ro_home_role',`
- type user_home_t, user_home_dir_t;
- ')
-
-+ role $1 types { user_home_t user_home_dir_t };
-+
- ##############################
- #
- # Domain access to home dir
-@@ -167,27 +223,6 @@ interface(`userdom_ro_home_role',`
- read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
- files_list_home($2)
-
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_list_nfs($2)
-- fs_read_nfs_files($2)
-- fs_read_nfs_symlinks($2)
-- fs_read_nfs_named_sockets($2)
-- fs_read_nfs_named_pipes($2)
-- ',`
-- fs_dontaudit_list_nfs($2)
-- fs_dontaudit_read_nfs_files($2)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_list_cifs($2)
-- fs_read_cifs_files($2)
-- fs_read_cifs_symlinks($2)
-- fs_read_cifs_named_sockets($2)
-- fs_read_cifs_named_pipes($2)
-- ',`
-- fs_dontaudit_list_cifs($2)
-- fs_dontaudit_read_cifs_files($2)
-- ')
- ')
-
- #######################################
-@@ -219,8 +254,11 @@ interface(`userdom_ro_home_role',`
- interface(`userdom_manage_home_role',`
- gen_require(`
- type user_home_t, user_home_dir_t;
-+ attribute user_home_type;
- ')
-
-+ role $1 types { user_home_type user_home_dir_t };
-+
- ##############################
- #
- # Domain access to home dir
-@@ -229,43 +267,47 @@ interface(`userdom_manage_home_role',`
- type_member $2 user_home_dir_t:dir user_home_dir_t;
-
- # full control of the home directory
-+ allow $2 user_home_t:dir mounton;
- allow $2 user_home_t:file entrypoint;
-- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-+
-+ allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
-+ allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
-+ manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
- filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
-+ userdom_filetrans_home_content($2)
-+
- files_list_home($2)
-
- # cjp: this should probably be removed:
- allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
-
- tunable_policy(`use_nfs_home_dirs',`
-+ fs_mount_nfs($2)
-+ fs_mounton_nfs($2)
- fs_manage_nfs_dirs($2)
- fs_manage_nfs_files($2)
- fs_manage_nfs_symlinks($2)
- fs_manage_nfs_named_sockets($2)
- fs_manage_nfs_named_pipes($2)
-- ',`
-- fs_dontaudit_manage_nfs_dirs($2)
-- fs_dontaudit_manage_nfs_files($2)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
-+ fs_mount_cifs($2)
-+ fs_mounton_cifs($2)
- fs_manage_cifs_dirs($2)
- fs_manage_cifs_files($2)
- fs_manage_cifs_symlinks($2)
- fs_manage_cifs_named_sockets($2)
- fs_manage_cifs_named_pipes($2)
-- ',`
-- fs_dontaudit_manage_cifs_dirs($2)
-- fs_dontaudit_manage_cifs_files($2)
- ')
- ')
-
-@@ -273,6 +315,25 @@ interface(`userdom_manage_home_role',`
- ##
- ## Manage user temporary files
- ##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_manage_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file manage_file_perms;
-+')
-+
-+#######################################
-+##
-+## Manage user temporary files
-+##
- ##
- ##
- ## Role allowed access.
-@@ -287,17 +348,64 @@ interface(`userdom_manage_home_role',`
- #
- interface(`userdom_manage_tmp_role',`
- gen_require(`
-+ attribute user_tmp_type;
- type user_tmp_t;
- ')
-
-+ role $1 types user_tmp_t;
-+
- files_poly_member_tmp($2, user_tmp_t)
-
-- manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
-- manage_files_pattern($2, user_tmp_t, user_tmp_t)
-- manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
-- manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
-- manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
-+ allow $2 user_tmp_type:dir mounton;
-+ manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
-+ manage_files_pattern($2, user_tmp_type, user_tmp_type)
-+ manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
-+ manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
-+ manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
- files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
-+ relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
-+ relabel_files_pattern($2, user_tmp_type, user_tmp_type)
-+ relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
-+ relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type)
-+ relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
-+')
-+
-+#######################################
-+##
-+## Dontaudit search of user bin dirs.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_search_user_bin_dirs',`
-+ gen_require(`
-+ type home_bin_t;
-+ ')
-+
-+ dontaudit $1 home_bin_t:dir search_dir_perms;
-+')
-+
-+#######################################
-+##
-+## Execute user bin files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_exec_user_bin_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ type home_bin_t, user_home_dir_t;
-+ ')
-+
-+ exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
-+ files_search_home($1)
- ')
-
- #######################################
-@@ -317,11 +425,31 @@ interface(`userdom_exec_user_tmp_files',`
- ')
-
- exec_files_pattern($1, user_tmp_t, user_tmp_t)
-+ dontaudit $1 user_tmp_t:sock_file execute;
- files_search_tmp($1)
- ')
-
- #######################################
- ##
-+## Manage user temporary file system files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_manage_tmpfs_files',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ allow $1 user_tmpfs_t:file manage_file_perms;
-+')
-+
-+#######################################
-+##
- ## Role access for the user tmpfs type
- ## that the user has full access.
- ##
-@@ -348,59 +476,60 @@ interface(`userdom_exec_user_tmp_files',`
- #
- interface(`userdom_manage_tmpfs_role',`
- gen_require(`
-+ attribute user_tmpfs_type;
- type user_tmpfs_t;
- ')
-
-- manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
-- manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-- manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-- manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-- manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-+ role $1 types user_tmpfs_t;
-+
-+ manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
- fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-+ relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
- ')
-
- #######################################
- ##
--## The template allowing the user basic
-+## The interface allowing the user basic
- ## network permissions
- ##
--##
-+##
- ##
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
-+## The user domain
- ##
- ##
- ##
- #
--template(`userdom_basic_networking_template',`
-- gen_require(`
-- type $1_t;
-- ')
--
-- allow $1_t self:tcp_socket create_stream_socket_perms;
-- allow $1_t self:udp_socket create_socket_perms;
-+interface(`userdom_basic_networking',`
-
-- corenet_all_recvfrom_unlabeled($1_t)
-- corenet_all_recvfrom_netlabel($1_t)
-- corenet_tcp_sendrecv_generic_if($1_t)
-- corenet_udp_sendrecv_generic_if($1_t)
-- corenet_tcp_sendrecv_generic_node($1_t)
-- corenet_udp_sendrecv_generic_node($1_t)
-- corenet_tcp_sendrecv_all_ports($1_t)
-- corenet_udp_sendrecv_all_ports($1_t)
-- corenet_tcp_connect_all_ports($1_t)
-- corenet_sendrecv_all_client_packets($1_t)
-+ allow $1 self:tcp_socket create_stream_socket_perms;
-+ allow $1 self:udp_socket create_socket_perms;
-
-- corenet_all_recvfrom_labeled($1_t, $1_t)
-+ corenet_tcp_sendrecv_generic_if($1)
-+ corenet_udp_sendrecv_generic_if($1)
-+ corenet_tcp_sendrecv_generic_node($1)
-+ corenet_udp_sendrecv_generic_node($1)
-+ corenet_tcp_sendrecv_all_ports($1)
-+ corenet_udp_sendrecv_all_ports($1)
-+ corenet_tcp_connect_all_ports($1)
-+ corenet_sendrecv_all_client_packets($1)
-
- optional_policy(`
-- init_tcp_recvfrom_all_daemons($1_t)
-- init_udp_recvfrom_all_daemons($1_t)
-+ init_tcp_recvfrom_all_daemons($1)
-+ init_udp_recvfrom_all_daemons($1)
- ')
-
- optional_policy(`
-- ipsec_match_default_spd($1_t)
-+ ipsec_match_default_spd($1)
- ')
-+
- ')
-
- #######################################
-@@ -431,6 +560,7 @@ template(`userdom_xwindows_client_template',`
- dev_dontaudit_rw_dri($1_t)
- # GNOME checks for usb and other devices:
- dev_rw_usbfs($1_t)
-+ dev_rw_generic_usb_dev($1_t)
-
- xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
- xserver_xsession_entry_type($1_t)
-@@ -463,8 +593,8 @@ template(`userdom_change_password_template',`
- ')
-
- optional_policy(`
-- usermanage_run_chfn($1_t, $1_r)
-- usermanage_run_passwd($1_t, $1_r)
-+ usermanage_run_chfn($1_t,$1_r)
-+ usermanage_run_passwd($1_t,$1_r)
- ')
- ')
-
-@@ -491,7 +621,8 @@ template(`userdom_common_user_template',`
- attribute unpriv_userdomain;
- ')
-
-- userdom_basic_networking_template($1)
-+ userdom_basic_networking($1_usertype)
-+ corenet_all_recvfrom_netlabel($1_t)
-
- ##############################
- #
-@@ -501,41 +632,51 @@ template(`userdom_common_user_template',`
- # evolution and gnome-session try to create a netlink socket
- dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
- dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-+ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
-+ allow $1_t self:socket create_socket_perms;
-
-- allow $1_t unpriv_userdomain:fd use;
-+ allow $1_usertype unpriv_userdomain:fd use;
-
- kernel_read_system_state($1_t)
-- kernel_read_network_state($1_t)
-- kernel_read_net_sysctls($1_t)
-+ kernel_read_network_state($1_usertype)
-+ kernel_read_software_raid_state($1_usertype)
-+ kernel_read_net_sysctls($1_usertype)
- # Very permissive allowing every domain to see every type:
-- kernel_get_sysvipc_info($1_t)
-+ kernel_get_sysvipc_info($1_usertype)
- # Find CDROM devices:
-- kernel_read_device_sysctls($1_t)
-+ kernel_read_device_sysctls($1_usertype)
-+ kernel_request_load_module($1_usertype)
-
-- corecmd_exec_bin($1_t)
-+ corenet_udp_bind_generic_node($1_usertype)
-+ corenet_udp_bind_generic_port($1_usertype)
-
-- corenet_udp_bind_generic_node($1_t)
-- corenet_udp_bind_generic_port($1_t)
-+ dev_read_rand($1_usertype)
-+ dev_write_sound($1_usertype)
-+ dev_read_sound($1_usertype)
-+ dev_read_sound_mixer($1_usertype)
-+ dev_write_sound_mixer($1_usertype)
-
-- dev_read_rand($1_t)
-- dev_write_sound($1_t)
-- dev_read_sound($1_t)
-- dev_read_sound_mixer($1_t)
-- dev_write_sound_mixer($1_t)
--
-- files_exec_etc_files($1_t)
-- files_search_locks($1_t)
-+ files_exec_etc_files($1_usertype)
-+ files_search_locks($1_usertype)
- # Check to see if cdrom is mounted
-- files_search_mnt($1_t)
-+ files_search_mnt($1_usertype)
- # cjp: perhaps should cut back on file reads:
-- files_read_var_files($1_t)
-- files_read_var_symlinks($1_t)
-- files_read_generic_spool($1_t)
-- files_read_var_lib_files($1_t)
-+ files_read_var_files($1_usertype)
-+ files_read_var_symlinks($1_usertype)
-+ files_read_generic_spool($1_usertype)
-+ files_read_var_lib_files($1_usertype)
- # Stat lost+found.
-- files_getattr_lost_found_dirs($1_t)
-+ files_getattr_lost_found_dirs($1_usertype)
-+ files_read_config_files($1_usertype)
-+ fs_read_noxattr_fs_files($1_usertype)
-+ fs_read_noxattr_fs_symlinks($1_usertype)
-+ fs_rw_cgroup_files($1_usertype)
-+
-+ application_getattr_socket($1_usertype)
-
-- fs_rw_cgroup_files($1_t)
-+ logging_send_syslog_msg($1_t)
-+
-+ selinux_get_enforce_mode($1_t)
-
- # cjp: some of this probably can be removed
- selinux_get_fs_mount($1_t)
-@@ -546,100 +687,140 @@ template(`userdom_common_user_template',`
- selinux_compute_user_contexts($1_t)
-
- # for eject
-- storage_getattr_fixed_disk_dev($1_t)
-+ storage_getattr_fixed_disk_dev($1_usertype)
-
-- auth_use_nsswitch($1_t)
-- auth_read_login_records($1_t)
-- auth_search_pam_console_data($1_t)
-- auth_run_pam($1_t, $1_r)
-- auth_run_utempter($1_t, $1_r)
-+ auth_read_login_records($1_usertype)
-+ auth_run_pam_timestamp($1_t,$1_r)
-+ auth_run_utempter($1_t,$1_r)
-+ auth_filetrans_admin_home_content($1_t)
-+ auth_filetrans_home_content($1_t)
-
-- init_read_utmp($1_t)
-+ init_read_utmp($1_usertype)
-
-- seutil_read_file_contexts($1_t)
-- seutil_read_default_contexts($1_t)
-- seutil_run_newrole($1_t, $1_r)
-+ seutil_read_file_contexts($1_usertype)
-+ seutil_read_default_contexts($1_usertype)
-+ seutil_run_newrole($1_t,$1_r)
- seutil_exec_checkpolicy($1_t)
-- seutil_exec_setfiles($1_t)
-+ seutil_exec_setfiles($1_usertype)
- # for when the network connection is killed
- # this is needed when a login role can change
- # to this one.
- seutil_dontaudit_signal_newrole($1_t)
-
-- tunable_policy(`user_direct_mouse',`
-- dev_read_mouse($1_t)
-- ')
-+ term_getattr_all_ttys($1_t)
-
-- tunable_policy(`user_ttyfile_stat',`
-- term_getattr_all_ttys($1_t)
-+ optional_policy(`
-+ # Allow graphical boot to check battery lifespan
-+ apm_stream_connect($1_usertype)
- ')
-
- optional_policy(`
-- alsa_manage_home_files($1_t)
-- alsa_read_rw_config($1_t)
-- alsa_relabel_home_files($1_t)
-+ canna_stream_connect($1_usertype)
- ')
-
- optional_policy(`
-- # Allow graphical boot to check battery lifespan
-- apm_stream_connect($1_t)
-+ chrome_role($1_r, $1_usertype)
- ')
-
- optional_policy(`
-- canna_stream_connect($1_t)
-+ colord_read_lib_files($1_usertype)
- ')
-
- optional_policy(`
-- dbus_system_bus_client($1_t)
-+ dbus_system_bus_client($1_usertype)
-+
-+ allow $1_usertype $1_usertype:dbus send_msg;
-
- optional_policy(`
-- bluetooth_dbus_chat($1_t)
-+ avahi_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
-- evolution_dbus_chat($1_t)
-- evolution_alarm_dbus_chat($1_t)
-+ policykit_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
-- cups_dbus_chat_config($1_t)
-+ bluetooth_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
-- hal_dbus_chat($1_t)
-+ consolekit_dbus_chat($1_usertype)
-+ consolekit_read_log($1_usertype)
- ')
-
- optional_policy(`
-- networkmanager_dbus_chat($1_t)
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
- ')
-+
-+ optional_policy(`
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ gnome_dbus_chat_gconfdefault($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ hal_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ kde_dbus_chat_backlighthelper($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ modemmanager_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat($1_usertype)
-+ networkmanager_read_lib_files($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ vpn_dbus_chat($1_usertype)
-+ ')
-+ ')
-+
-+ optional_policy(`
-+ git_session_role($1_r, $1_usertype)
- ')
-
- optional_policy(`
-- inetd_use_fds($1_t)
-- inetd_rw_tcp_sockets($1_t)
-+ inetd_use_fds($1_usertype)
-+ inetd_rw_tcp_sockets($1_usertype)
- ')
-
- optional_policy(`
-- inn_read_config($1_t)
-- inn_read_news_lib($1_t)
-- inn_read_news_spool($1_t)
-+ inn_read_config($1_usertype)
-+ inn_read_news_lib($1_usertype)
-+ inn_read_news_spool($1_usertype)
- ')
-
- optional_policy(`
-- locate_read_lib_files($1_t)
-+ lircd_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ locate_read_lib_files($1_usertype)
- ')
-
- # for running depmod as part of the kernel packaging process
- optional_policy(`
-- modutils_read_module_config($1_t)
-+ modutils_read_module_config($1_usertype)
- ')
-
- optional_policy(`
-- mta_rw_spool($1_t)
-+ mta_rw_spool($1_usertype)
-+ mta_manage_queue($1_usertype)
-+ mta_filetrans_home_content($1_usertype)
- ')
-
- optional_policy(`
-- tunable_policy(`allow_user_mysql_connect',`
-+ tunable_policy(`selinuxuser_mysql_connect_enabled',`
- mysql_stream_connect($1_t)
- ')
- ')
-@@ -651,40 +832,52 @@ template(`userdom_common_user_template',`
-
- optional_policy(`
- # to allow monitoring of pcmcia status
-- pcmcia_read_pid($1_t)
-+ pcmcia_read_pid($1_usertype)
- ')
-
- optional_policy(`
-- pcscd_read_pub_files($1_t)
-- pcscd_stream_connect($1_t)
-+ pcscd_read_pub_files($1_usertype)
-+ pcscd_stream_connect($1_usertype)
- ')
-
- optional_policy(`
-- tunable_policy(`allow_user_postgresql_connect',`
-- postgresql_stream_connect($1_t)
-- postgresql_tcp_connect($1_t)
-+ tunable_policy(`selinuxuser_postgresql_connect_enabled',`
-+ postgresql_stream_connect($1_usertype)
-+ postgresql_tcp_connect($1_usertype)
- ')
- ')
-
- optional_policy(`
-- resmgr_stream_connect($1_t)
-+ resmgr_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ rpc_dontaudit_getattr_exports($1_usertype)
-+ rpc_manage_nfs_rw_content($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ rpcbind_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ samba_stream_connect_winbind($1_usertype)
- ')
-
- optional_policy(`
-- rpc_dontaudit_getattr_exports($1_t)
-- rpc_manage_nfs_rw_content($1_t)
-+ sandbox_transition($1_usertype, $1_r)
- ')
-
- optional_policy(`
-- samba_stream_connect_winbind($1_t)
-+ seunshare_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
-- slrnpull_search_spool($1_t)
-+ slrnpull_search_spool($1_usertype)
- ')
-
- optional_policy(`
-- usernetctl_run($1_t, $1_r)
-+ thumb_role($1_r, $1_usertype)
- ')
- ')
-
-@@ -709,17 +902,33 @@ template(`userdom_common_user_template',`
- template(`userdom_login_user_template', `
- gen_require(`
- class context contains;
-+ attribute login_userdomain;
- ')
-
- userdom_base_user_template($1)
-
-- userdom_manage_home_role($1_r, $1_t)
-+ typeattribute $1_t login_userdomain;
-
-- userdom_manage_tmp_role($1_r, $1_t)
-- userdom_manage_tmpfs_role($1_r, $1_t)
-+ userdom_manage_home_role($1_r, $1_usertype)
-+
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
-+ ifelse(`$1',`unconfined',`',`
-+ gen_tunable($1_exec_content, true)
-+
-+ tunable_policy(`$1_exec_content',`
-+ userdom_exec_user_tmp_files($1_usertype)
-+ userdom_exec_user_home_content_files($1_usertype)
-+ ')
-+ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
-+ fs_exec_nfs_files($1_usertype)
-+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
-+ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
-+ fs_exec_cifs_files($1_usertype)
-+ ')
-+ ')
-
- userdom_change_password_template($1)
-
-@@ -727,82 +936,100 @@ template(`userdom_login_user_template', `
- #
- # User domain Local policy
- #
--
-- allow $1_t self:capability { setgid chown fowner };
- dontaudit $1_t self:capability { sys_nice fsetid };
-+ allow $1_t self:process ~{ ptrace execmem execstack execheap };
-+
-+ tunable_policy(`selinuxuser_use_ssh_chroot',`
-+ allow $1_t self:capability { setuid sys_chroot };
-+ ')
-
-- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
- dontaudit $1_t self:process setrlimit;
- dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-+ domain_dyntrans_type($1_t)
-
- allow $1_t self:context contains;
-
-- kernel_dontaudit_read_system_state($1_t)
-+ kernel_dontaudit_read_system_state($1_usertype)
-+ kernel_dontaudit_list_all_proc($1_usertype)
-
-- dev_read_sysfs($1_t)
-- dev_read_urand($1_t)
-+ dev_read_sysfs($1_usertype)
-+ dev_read_rand($1_usertype)
-+ dev_read_urand($1_usertype)
-
-- domain_use_interactive_fds($1_t)
-+ domain_use_interactive_fds($1_usertype)
- # Command completion can fire hundreds of denials
-- domain_dontaudit_exec_all_entry_files($1_t)
-+ domain_dontaudit_exec_all_entry_files($1_usertype)
-
-- files_dontaudit_list_default($1_t)
-- files_dontaudit_read_default_files($1_t)
-+ files_dontaudit_list_default($1_usertype)
-+ files_dontaudit_read_default_files($1_usertype)
- # Stat lost+found.
-- files_getattr_lost_found_dirs($1_t)
-+ files_getattr_lost_found_dirs($1_usertype)
-
-- fs_get_all_fs_quotas($1_t)
-- fs_getattr_all_fs($1_t)
-- fs_getattr_all_dirs($1_t)
-- fs_search_auto_mountpoints($1_t)
-- fs_list_cgroup_dirs($1_t)
-- fs_list_inotifyfs($1_t)
-- fs_rw_anon_inodefs_files($1_t)
-- fs_dontaudit_rw_cgroup_files($1_t)
-+ fs_get_all_fs_quotas($1_usertype)
-+ fs_getattr_all_fs($1_usertype)
-+ fs_search_all($1_usertype)
-+ fs_list_inotifyfs($1_usertype)
-+ fs_rw_anon_inodefs_files($1_usertype)
-
-+ auth_role($1_r, $1_t)
-+ auth_rw_cache($1_t)
-+ auth_search_pam_console_data($1_t)
-+ auth_dontaudit_read_login_records($1_t)
- auth_dontaudit_write_login_records($1_t)
-
- application_exec_all($1_t)
--
- # The library functions always try to open read-write first,
- # then fall back to read-only if it fails.
- init_dontaudit_rw_utmp($1_t)
-+
- # Stop warnings about access to /dev/console
-- init_dontaudit_use_fds($1_t)
-- init_dontaudit_use_script_fds($1_t)
-+ init_dontaudit_use_fds($1_usertype)
-+ init_dontaudit_use_script_fds($1_usertype)
-
-- libs_exec_lib_files($1_t)
-+ libs_exec_lib_files($1_usertype)
-
-- logging_dontaudit_getattr_all_logs($1_t)
-+ logging_dontaudit_getattr_all_logs($1_usertype)
-
-- miscfiles_read_man_pages($1_t)
- # for running TeX programs
-- miscfiles_read_tetex_data($1_t)
-- miscfiles_exec_tetex_data($1_t)
-+ miscfiles_read_tetex_data($1_usertype)
-+ miscfiles_exec_tetex_data($1_usertype)
-+
-+ seutil_read_config($1_usertype)
-+ seutil_read_file_contexts($1_usertype)
-+ seutil_read_default_contexts($1_usertype)
-+ seutil_exec_setfiles($1_usertype)
-+
-+ optional_policy(`
-+ cups_read_config($1_usertype)
-+ cups_stream_connect($1_usertype)
-+ cups_stream_connect_ptal($1_usertype)
-+ ')
-
-- seutil_read_config($1_t)
-+ optional_policy(`
-+ kerberos_use($1_usertype)
-+ kerberos_filetrans_home_content($1_usertype)
-+ ')
-
- optional_policy(`
-- cups_read_config($1_t)
-- cups_stream_connect($1_t)
-- cups_stream_connect_ptal($1_t)
-+ mysql_filetrans_named_content($1_usertype)
- ')
-
- optional_policy(`
-- kerberos_use($1_t)
-+ mta_dontaudit_read_spool_symlinks($1_usertype)
- ')
-
- optional_policy(`
-- mta_dontaudit_read_spool_symlinks($1_t)
-+ quota_dontaudit_getattr_db($1_usertype)
- ')
-
- optional_policy(`
-- quota_dontaudit_getattr_db($1_t)
-+ rpm_read_db($1_usertype)
-+ rpm_dontaudit_manage_db($1_usertype)
-+ rpm_read_cache($1_usertype)
- ')
-
- optional_policy(`
-- rpm_read_db($1_t)
-- rpm_dontaudit_manage_db($1_t)
-+ oddjob_run_mkhomedir($1_t, $1_r)
- ')
- ')
-
-@@ -834,6 +1061,12 @@ template(`userdom_restricted_user_template',`
- typeattribute $1_t unpriv_userdomain;
- domain_interactive_fd($1_t)
-
-+ allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
-+ dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
-+
-+ seutil_read_file_contexts($1_t)
-+ seutil_read_default_contexts($1_t)
-+
- ##############################
- #
- # Local policy
-@@ -874,46 +1107,118 @@ template(`userdom_restricted_xwindows_user_template',`
- # Local policy
- #
-
-- auth_role($1_r, $1_t)
-- auth_search_pam_console_data($1_t)
--
-- dev_read_sound($1_t)
-- dev_write_sound($1_t)
-+ dev_read_sound($1_usertype)
-+ dev_write_sound($1_usertype)
- # gnome keyring wants to read this.
-- dev_dontaudit_read_rand($1_t)
-+ dev_dontaudit_read_rand($1_usertype)
-+ # temporarily allow since openoffice requires this
-+ dev_read_rand($1_usertype)
-+
-+ dev_read_video_dev($1_usertype)
-+ dev_write_video_dev($1_usertype)
-+ dev_rw_wireless($1_usertype)
-+
-+ libs_dontaudit_setattr_lib_files($1_usertype)
-+
-+ tunable_policy(`selinuxuser_rw_noexattrfile',`
-+ dev_rw_usbfs($1_t)
-+ dev_rw_generic_usb_dev($1_usertype)
-+
-+ fs_manage_noxattr_fs_files($1_usertype)
-+ fs_manage_noxattr_fs_dirs($1_usertype)
-+ fs_manage_dos_dirs($1_usertype)
-+ fs_manage_dos_files($1_usertype)
-+ storage_raw_read_removable_device($1_usertype)
-+ storage_raw_write_removable_device($1_usertype)
-+ ')
-
- logging_send_syslog_msg($1_t)
- logging_dontaudit_send_audit_msgs($1_t)
-
- # Need to to this just so screensaver will work. Should be moved to screensaver domain
-- logging_send_audit_msgs($1_t)
- selinux_get_enforce_mode($1_t)
-+ seutil_exec_restorecond($1_t)
-+ seutil_read_file_contexts($1_t)
-+ seutil_read_default_contexts($1_t)
-
- xserver_restricted_role($1_r, $1_t)
-
- optional_policy(`
-- alsa_read_rw_config($1_t)
-+ alsa_read_rw_config($1_usertype)
-+ ')
-+
-+ # cjp: needed by KDE apps
-+ # bug: #682499
-+ optional_policy(`
-+ gnome_read_usr_config($1_usertype)
-+ gnome_role_gkeyringd($1, $1_r, $1_usertype)
-+ # cjp: telepathy F15 bugs
-+ telepathy_role($1_r, $1_t, $1)
-+ ')
-+
-+ optional_policy(`
-+ obex_role($1_r, $1_t, $1)
- ')
-
- optional_policy(`
-- dbus_role_template($1, $1_r, $1_t)
-- dbus_system_bus_client($1_t)
-+ dbus_role_template($1, $1_r, $1_usertype)
-+ dbus_system_bus_client($1_usertype)
-+ allow $1_usertype $1_usertype:dbus send_msg;
-+
-+ optional_policy(`
-+ abrt_dbus_chat($1_usertype)
-+ abrt_run_helper($1_usertype, $1_r)
-+ ')
-+
-+ optional_policy(`
-+ consolekit_dontaudit_read_log($1_usertype)
-+ consolekit_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ cups_dbus_chat($1_usertype)
-+ cups_dbus_chat_config($1_usertype)
-+ ')
-
- optional_policy(`
-- consolekit_dbus_chat($1_t)
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
- ')
-
- optional_policy(`
-- cups_dbus_chat($1_t)
-+ fprintd_dbus_chat($1_t)
- ')
-+
-+ optional_policy(`
-+ realmd_dbus_chat($1_t)
-+ ')
-+ ')
-+
-+ optional_policy(`
-+ policykit_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ pulseaudio_role($1_r, $1_usertype)
-+ pulseaudio_filetrans_admin_home_content($1_usertype)
-+ pulseaudio_filetrans_home_content($1_usertype)
- ')
-
- optional_policy(`
-- java_role($1_r, $1_t)
-+ rtkit_scheduled($1_usertype)
- ')
-
- optional_policy(`
- setroubleshoot_dontaudit_stream_connect($1_t)
-+ ')
-+
-+ optional_policy(`
-+ udev_read_db($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ wm_role_template($1, $1_r, $1_t)
- ')
- ')
-
-@@ -948,27 +1253,33 @@ template(`userdom_unpriv_user_template', `
- #
-
- # Inherit rules for ordinary users.
-- userdom_restricted_user_template($1)
-+ userdom_restricted_xwindows_user_template($1)
- userdom_common_user_template($1)
-
- ##############################
- #
- # Local policy
- #
-+ allow $1_t self:capability { setgid chown fowner };
-+
-+ corecmd_exec_chroot($1_t)
-
- # port access is audited even if dac would not have allowed it, so dontaudit it here
-- corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-+# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
- # Need the following rule to allow users to run vpnc
- corenet_tcp_bind_xserver_port($1_t)
-+ corenet_tcp_bind_generic_node($1_usertype)
-+
-+ storage_rw_fuse($1_t)
-
- files_exec_usr_files($1_t)
-- # cjp: why?
-+ # cjp: why?
- files_read_kernel_symbol_table($1_t)
-
- ifndef(`enable_mls',`
- fs_exec_noxattr($1_t)
-
-- tunable_policy(`user_rw_noexattrfile',`
-+ tunable_policy(`selinuxuser_rw_noexattrfile',`
- fs_manage_noxattr_fs_files($1_t)
- fs_manage_noxattr_fs_dirs($1_t)
- # Write floppies
-@@ -979,54 +1290,89 @@ template(`userdom_unpriv_user_template', `
- ')
- ')
-
-- tunable_policy(`user_dmesg',`
-- kernel_read_ring_buffer($1_t)
-- ',`
-- kernel_dontaudit_read_ring_buffer($1_t)
-- ')
-+ miscfiles_read_hwdata($1_usertype)
-
- # Allow users to run TCP servers (bind to ports and accept connection from
- # the same domain and outside users) disabling this forces FTP passive mode
- # and may change other protocols
-- tunable_policy(`user_tcp_server',`
-- corenet_tcp_bind_generic_node($1_t)
-- corenet_tcp_bind_generic_port($1_t)
-+
-+ tunable_policy(`selinuxuser_user_share_music',`
-+ corenet_tcp_bind_daap_port($1_usertype)
-+ ')
-+
-+ tunable_policy(`selinuxuser_tcp_server',`
-+ corenet_tcp_bind_all_unreserved_ports($1_usertype)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
-+ cdrecord_role($1_r, $1_t)
- ')
-
-- # Run pppd in pppd_t by default for user
- optional_policy(`
-- ppp_run_cond($1_t, $1_r)
-+ cron_role($1_r, $1_t)
- ')
-
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
-+ games_rw_data($1_usertype)
- ')
--')
-
--#######################################
--##
--## The template for creating an administrative user.
--##
--##
--##
--## This template creates a user domain, types, and
--## rules for the user's tty, pty, home directories,
--## tmp, and tmpfs files.
--##
--##
--## The privileges given to administrative users are:
--##
--## - Raw disk access
--## - Set all sysctls
--## - All kernel ring buffer controls
--## - Create, read, write, and delete all files but shadow
--## - Manage source and binary format SELinux policy
--## - Run insmod
-+ optional_policy(`
-+ gpg_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ gnomeclock_dbus_chat($1_t)
-+ ')
-+
-+ optional_policy(`
-+ gpm_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ mount_run_fusermount($1_t, $1_r)
-+ mount_read_pid_files($1_t)
-+ ')
-+
-+ optional_policy(`
-+ wine_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
-+ postfix_run_postdrop($1_t, $1_r)
-+ postfix_search_spool($1_t)
-+ ')
-+
-+ # Run pppd in pppd_t by default for user
-+ optional_policy(`
-+ ppp_run_cond($1_t, $1_r)
-+ ')
-+
-+ optional_policy(`
-+ vdagent_getattr_log($1_t)
-+ vdagent_getattr_exec_files($1_t)
-+ vdagent_stream_connect($1_t)
-+ ')
-+')
-+
-+#######################################
-+##
-+## The template for creating an administrative user.
-+##
-+##
-+##
-+## This template creates a user domain, types, and
-+## rules for the user's tty, pty, home directories,
-+## tmp, and tmpfs files.
-+##
-+##
-+## The privileges given to administrative users are:
-+##
-+## - Raw disk access
-+## - Set all sysctls
-+## - All kernel ring buffer controls
-+## - Create, read, write, and delete all files but shadow
-+## - Manage source and binary format SELinux policy
-+## - Run insmod
- ##
- ##
- ##
-@@ -1040,7 +1386,7 @@ template(`userdom_unpriv_user_template', `
- template(`userdom_admin_user_template',`
- gen_require(`
- attribute admindomain;
-- class passwd { passwd chfn chsh rootok };
-+ class passwd { passwd chfn chsh rootok crontab };
- ')
-
- ##############################
-@@ -1067,6 +1413,7 @@ template(`userdom_admin_user_template',`
- #
-
- allow $1_t self:capability ~{ sys_module audit_control audit_write };
-+ allow $1_t self:capability2 { block_suspend syslog };
- allow $1_t self:process { setexec setfscreate };
- allow $1_t self:netlink_audit_socket nlmsg_readpriv;
- allow $1_t self:tun_socket create;
-@@ -1075,6 +1422,9 @@ template(`userdom_admin_user_template',`
- # Skip authentication when pam_rootok is specified.
- allow $1_t self:passwd rootok;
-
-+ # Manipulate other users crontab.
-+ allow $1_t self:passwd crontab;
-+
- kernel_read_software_raid_state($1_t)
- kernel_getattr_core_if($1_t)
- kernel_getattr_message_if($1_t)
-@@ -1089,6 +1439,7 @@ template(`userdom_admin_user_template',`
- kernel_sigstop_unlabeled($1_t)
- kernel_signull_unlabeled($1_t)
- kernel_sigchld_unlabeled($1_t)
-+ kernel_signal($1_t)
-
- corenet_tcp_bind_generic_port($1_t)
- # allow setting up tunnels
-@@ -1106,10 +1457,14 @@ template(`userdom_admin_user_template',`
- dev_rename_all_blk_files($1_t)
- dev_rename_all_chr_files($1_t)
- dev_create_generic_symlinks($1_t)
-+ dev_rw_generic_usb_dev($1_t)
-+ dev_rw_usbfs($1_t)
-+ dev_read_kmsg($1_t)
-
- domain_setpriority_all_domains($1_t)
- domain_read_all_domains_state($1_t)
- domain_getattr_all_domains($1_t)
-+ domain_getcap_all_domains($1_t)
- domain_dontaudit_ptrace_all_domains($1_t)
- # signal all domains:
- domain_kill_all_domains($1_t)
-@@ -1120,29 +1475,38 @@ template(`userdom_admin_user_template',`
- domain_sigchld_all_domains($1_t)
- # for lsof
- domain_getattr_all_sockets($1_t)
-+ domain_dontaudit_getattr_all_sockets($1_t)
-
- files_exec_usr_src_files($1_t)
-
- fs_getattr_all_fs($1_t)
-+ fs_getattr_all_files($1_t)
-+ fs_list_all($1_t)
- fs_set_all_quotas($1_t)
- fs_exec_noxattr($1_t)
-
- storage_raw_read_removable_device($1_t)
- storage_raw_write_removable_device($1_t)
-+ storage_dontaudit_read_fixed_disk($1_t)
-
-- term_use_all_terms($1_t)
-+ term_use_all_inherited_terms($1_t)
-+ term_use_unallocated_ttys($1_t)
-
- auth_getattr_shadow($1_t)
- # Manage almost all files
-- files_manage_non_auth_files($1_t)
-+ files_manage_non_security_dirs($1_t)
-+ files_manage_non_security_files($1_t)
- # Relabel almost all files
-- files_relabel_non_auth_files($1_t)
-+ files_relabel_non_security_files($1_t)
-
- init_telinit($1_t)
-
- logging_send_syslog_msg($1_t)
-
-- modutils_domtrans_insmod($1_t)
-+ optional_policy(`
-+ modutils_domtrans_insmod($1_t)
-+ modutils_domtrans_depmod($1_t)
-+ ')
-
- # The following rule is temporary until such time that a complete
- # policy management infrastructure is in place so that an administrator
-@@ -1152,6 +1516,8 @@ template(`userdom_admin_user_template',`
- # But presently necessary for installing the file_contexts file.
- seutil_manage_bin_policy($1_t)
-
-+ systemd_config_all_services($1_t)
-+
- userdom_manage_user_home_content_dirs($1_t)
- userdom_manage_user_home_content_files($1_t)
- userdom_manage_user_home_content_symlinks($1_t)
-@@ -1159,13 +1525,17 @@ template(`userdom_admin_user_template',`
- userdom_manage_user_home_content_sockets($1_t)
- userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
-
-- tunable_policy(`user_rw_noexattrfile',`
-+ tunable_policy(`selinuxuser_rw_noexattrfile',`
- fs_manage_noxattr_fs_files($1_t)
- fs_manage_noxattr_fs_dirs($1_t)
- ',`
- fs_read_noxattr_fs_files($1_t)
- ')
-
-+ tunable_policy(`selinuxuser_tcp_server',`
-+ corenet_tcp_bind_all_unreserved_ports($1_t)
-+ ')
-+
- optional_policy(`
- postgresql_unconfined($1_t)
- ')
-@@ -1211,6 +1581,8 @@ template(`userdom_security_admin_template',`
- dev_relabel_all_dev_nodes($1)
-
- files_create_boot_flag($1)
-+ files_create_default_dir($1)
-+ files_root_filetrans_default($1, dir)
-
- # Necessary for managing /boot/efi
- fs_manage_dos_files($1)
-@@ -1223,8 +1595,10 @@ template(`userdom_security_admin_template',`
- selinux_set_enforce_mode($1)
- selinux_set_all_booleans($1)
- selinux_set_parameters($1)
-+ selinux_read_policy($1)
-+
-+ files_relabel_all_files($1)
-
-- files_relabel_non_auth_files($1)
- auth_relabel_shadow($1)
-
- init_exec($1)
-@@ -1235,29 +1609,31 @@ template(`userdom_security_admin_template',`
- logging_read_audit_config($1)
-
- seutil_manage_bin_policy($1)
-- seutil_run_checkpolicy($1, $2)
-- seutil_run_loadpolicy($1, $2)
-- seutil_run_semanage($1, $2)
-+ seutil_manage_default_contexts($1)
-+ seutil_manage_file_contexts($1)
-+ seutil_manage_module_store($1)
-+ seutil_manage_config($1)
-+ seutil_manage_login_config($1)
-+ seutil_run_checkpolicy($1,$2)
-+ seutil_run_loadpolicy($1,$2)
-+ seutil_run_semanage($1,$2)
-+ seutil_run_setsebool($1,$2)
- seutil_run_setfiles($1, $2)
-
- optional_policy(`
-- aide_run($1, $2)
-+ aide_run($1,$2)
- ')
-
- optional_policy(`
- consoletype_exec($1)
- ')
-
-- optional_policy(`
-- dmesg_exec($1)
-- ')
--
-- optional_policy(`
-- ipsec_run_setkey($1, $2)
-+ optional_policy(`
-+ ipsec_run_setkey($1,$2)
- ')
-
- optional_policy(`
-- netlabel_run_mgmt($1, $2)
-+ netlabel_run_mgmt($1,$2)
- ')
-
- optional_policy(`
-@@ -1317,12 +1693,15 @@ interface(`userdom_user_application_domain',`
- interface(`userdom_user_home_content',`
- gen_require(`
- type user_home_t;
-+ attribute user_home_type;
- ')
-
- allow $1 user_home_t:filesystem associate;
- files_type($1)
-- files_poly_member($1)
- ubac_constrained($1)
-+
-+ files_poly_member($1)
-+ typeattribute $1 user_home_type;
- ')
-
- ########################################
-@@ -1363,6 +1742,51 @@ interface(`userdom_user_tmpfs_file',`
- ##
- ## Allow domain to attach to TUN devices created by administrative users.
- ##
-+##
-+##
-+## Type to be used as a file in the
-+## generic temporary directory.
-+##
-+##
-+#
-+interface(`userdom_user_tmp_content',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ ')
-+
-+ typeattribute $1 user_tmp_type;
-+
-+ files_tmp_file($1)
-+ ubac_constrained($1)
-+')
-+
-+########################################
-+##
-+## Make the specified type usable in a
-+## generic tmpfs_t directory.
-+##
-+##
-+##
-+## Type to be used as a file in the
-+## generic temporary directory.
-+##
-+##
-+#
-+interface(`userdom_user_tmpfs_content',`
-+ gen_require(`
-+ attribute user_tmpfs_type;
-+ ')
-+
-+ typeattribute $1 user_tmpfs_type;
-+
-+ files_tmpfs_file($1)
-+ ubac_constrained($1)
-+')
-+
-+########################################
-+##
-+## Allow domain to attach to TUN devices created by administrative users.
-+##
- ##
- ##
- ## Domain allowed access.
-@@ -1467,11 +1891,31 @@ interface(`userdom_search_user_home_dirs',`
- ')
-
- allow $1 user_home_dir_t:dir search_dir_perms;
-+ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
- files_search_home($1)
- ')
-
- ########################################
- ##
-+## Search user tmp directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_search_user_tmp_dirs',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ allow $1 user_tmp_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to search user home directories.
- ##
- ##
-@@ -1513,6 +1957,14 @@ interface(`userdom_list_user_home_dirs',`
-
- allow $1 user_home_dir_t:dir list_dir_perms;
- files_search_home($1)
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_nfs($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_list_cifs($1)
-+ ')
- ')
-
- ########################################
-@@ -1528,9 +1980,11 @@ interface(`userdom_list_user_home_dirs',`
- interface(`userdom_dontaudit_list_user_home_dirs',`
- gen_require(`
- type user_home_dir_t;
-+ type user_home_t;
- ')
-
- dontaudit $1 user_home_dir_t:dir list_dir_perms;
-+ dontaudit $1 user_home_t:dir list_dir_perms;
- ')
-
- ########################################
-@@ -1587,6 +2041,42 @@ interface(`userdom_relabelto_user_home_dirs',`
- allow $1 user_home_dir_t:dir relabelto;
- ')
-
-+
-+########################################
-+##
-+## Relabel to user home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_relabelto_user_home_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:file relabelto;
-+')
-+########################################
-+##
-+## Relabel user home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_relabel_user_home_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:file relabel_file_perms;
-+')
-+
- ########################################
- ##
- ## Create directories in the home dir root with
-@@ -1666,6 +2156,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
- ')
-
- dontaudit $1 user_home_t:dir search_dir_perms;
-+ fs_dontaudit_list_nfs($1)
-+ fs_dontaudit_list_cifs($1)
- ')
-
- ########################################
-@@ -1680,10 +2172,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
- #
- interface(`userdom_list_user_home_content',`
- gen_require(`
-- type user_home_t;
-+ type user_home_dir_t;
-+ attribute user_home_type;
- ')
-
-- allow $1 user_home_t:dir list_dir_perms;
-+ files_list_home($1)
-+ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
- ')
-
- ########################################
-@@ -1726,6 +2220,43 @@ interface(`userdom_delete_user_home_content_dirs',`
-
- ########################################
- ##
-+## Delete all directories in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_all_user_home_content_dirs',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:dir delete_dir_perms;
-+')
-+
-+########################################
-+##
-+## Set the attributes of user home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_setattr_user_home_content_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:file setattr;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to set the
- ## attributes of user home files.
- ##
-@@ -1745,6 +2276,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
-
- ########################################
- ##
-+## Set the attributes of all user home directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_setattr_all_user_home_content_dirs',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:dir setattr_dir_perms;
-+')
-+
-+########################################
-+##
- ## Mmap user home files.
- ##
- ##
-@@ -1775,14 +2325,36 @@ interface(`userdom_mmap_user_home_content_files',`
- interface(`userdom_read_user_home_content_files',`
- gen_require(`
- type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
- ')
-
-- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
-+ list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
-+ read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
- files_search_home($1)
- ')
-
- ########################################
- ##
-+## Do not audit attempts to getattr user home files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_getattr_user_home_content',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ dontaudit $1 user_home_type:dir getattr;
-+ dontaudit $1 user_home_type:file getattr;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read user home files.
- ##
- ##
-@@ -1793,11 +2365,14 @@ interface(`userdom_read_user_home_content_files',`
- #
- interface(`userdom_dontaudit_read_user_home_content_files',`
- gen_require(`
-- type user_home_t;
-+ attribute user_home_type;
-+ type user_home_dir_t;
- ')
-
-- dontaudit $1 user_home_t:dir list_dir_perms;
-- dontaudit $1 user_home_t:file read_file_perms;
-+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
-+ dontaudit $1 user_home_type:dir list_dir_perms;
-+ dontaudit $1 user_home_type:file read_file_perms;
-+ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -1856,25 +2431,25 @@ interface(`userdom_delete_user_home_content_files',`
-
- ########################################
- ##
--## Do not audit attempts to write user home files.
-+## Delete all files in a user home subdirectory.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`userdom_dontaudit_relabel_user_home_content_files',`
-+interface(`userdom_delete_all_user_home_content_files',`
- gen_require(`
-- type user_home_t;
-+ attribute user_home_type;
- ')
-
-- dontaudit $1 user_home_t:file relabel_file_perms;
-+ allow $1 user_home_type:file delete_file_perms;
- ')
-
- ########################################
- ##
--## Read user home subdirectory symbolic links.
-+## Delete sock files in a user home subdirectory.
- ##
- ##
- ##
-@@ -1882,46 +2457,53 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_read_user_home_content_symlinks',`
-+interface(`userdom_delete_user_home_content_sock_files',`
- gen_require(`
-- type user_home_dir_t, user_home_t;
-+ type user_home_t;
- ')
-
-- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-- files_search_home($1)
-+ allow $1 user_home_t:sock_file delete_file_perms;
- ')
-
- ########################################
- ##
--## Execute user home files.
-+## Delete all sock files in a user home subdirectory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`userdom_exec_user_home_content_files',`
-+interface(`userdom_delete_all_user_home_content_sock_files',`
- gen_require(`
-- type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
- ')
-
-- files_search_home($1)
-- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+ allow $1 user_home_type:sock_file delete_file_perms;
-+')
-
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_exec_nfs_files($1)
-+########################################
-+##
-+## Delete all files in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_all_user_home_content',`
-+ gen_require(`
-+ attribute user_home_type;
- ')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- ')
-+ allow $1 user_home_type:dir_file_class_set delete_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to execute user home files.
-+## Do not audit attempts to write user home files.
- ##
- ##
- ##
-@@ -1929,18 +2511,17 @@ interface(`userdom_exec_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_dontaudit_exec_user_home_content_files',`
-+interface(`userdom_dontaudit_relabel_user_home_content_files',`
- gen_require(`
- type user_home_t;
- ')
-
-- dontaudit $1 user_home_t:file exec_file_perms;
-+ dontaudit $1 user_home_t:file relabel_file_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files
--## in a user home subdirectory.
-+## Read user home subdirectory symbolic links.
- ##
- ##
- ##
-@@ -1948,7 +2529,66 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_manage_user_home_content_files',`
-+interface(`userdom_read_user_home_content_symlinks',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ ')
-+
-+ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute user home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_exec_user_home_content_files',`
-+ gen_require(`
-+ type user_home_dir_t;
-+ attribute user_home_type;
-+ ')
-+
-+ files_search_home($1)
-+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ dontaudit $1 user_home_type:sock_file execute;
-+ ')
-+
-+########################################
-+##
-+## Do not audit attempts to execute user home files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_exec_user_home_content_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ dontaudit $1 user_home_t:file exec_file_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete files
-+## in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_user_home_content_files',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-@@ -2018,6 +2658,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
-
- ########################################
- ##
-+## Delete all symbolic links in a user home directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_all_user_home_content_symlinks',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:lnk_file delete_lnk_file_perms;
-+')
-+
-+########################################
-+##
- ## Create, read, write, and delete named pipes
- ## in a user home subdirectory.
- ##
-@@ -2250,11 +2908,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
- #
- interface(`userdom_read_user_tmp_files',`
- gen_require(`
-- type user_tmp_t;
-+ attribute user_tmp_type;
- ')
-
-- read_files_pattern($1, user_tmp_t, user_tmp_t)
-- allow $1 user_tmp_t:dir list_dir_perms;
-+ read_files_pattern($1, user_tmp_type, user_tmp_type)
-+ allow $1 user_tmp_type:dir list_dir_perms;
- files_search_tmp($1)
- ')
-
-@@ -2274,7 +2932,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
- type user_tmp_t;
- ')
-
-- dontaudit $1 user_tmp_t:file read_file_perms;
-+ dontaudit $1 user_tmp_t:file read_inherited_file_perms;
- ')
-
- ########################################
-@@ -2521,6 +3179,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
- files_tmp_filetrans($1, user_tmp_t, $2, $3)
- ')
-
-+#######################################
-+##
-+## Getattr user tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_getattr_user_tmpfs_files',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+ fs_search_tmpfs($1)
-+')
-+
- ########################################
- ##
- ## Read user tmpfs files.
-@@ -2537,13 +3214,14 @@ interface(`userdom_read_user_tmpfs_files',`
- ')
-
- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
- allow $1 user_tmpfs_t:dir list_dir_perms;
- fs_search_tmpfs($1)
- ')
-
- ########################################
- ##
--## Read user tmpfs files.
-+## Read/Write user tmpfs files.
- ##
- ##
- ##
-@@ -2564,7 +3242,7 @@ interface(`userdom_rw_user_tmpfs_files',`
-
- ########################################
- ##
--## Create, read, write, and delete user tmpfs files.
-+## Read/Write inherited user tmpfs files.
- ##
- ##
- ##
-@@ -2572,14 +3250,30 @@ interface(`userdom_rw_user_tmpfs_files',`
- ##
- ##
- #
--interface(`userdom_manage_user_tmpfs_files',`
-+interface(`userdom_rw_inherited_user_tmpfs_files',`
- gen_require(`
- type user_tmpfs_t;
- ')
-
-- manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-- allow $1 user_tmpfs_t:dir list_dir_perms;
-- fs_search_tmpfs($1)
-+ allow $1 user_tmpfs_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute user tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_execute_user_tmpfs_files',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ allow $1 user_tmpfs_t:file execute;
- ')
-
- ########################################
-@@ -2674,6 +3368,24 @@ interface(`userdom_use_user_ttys',`
-
- ########################################
- ##
-+## Read and write a inherited user domain tty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_use_inherited_user_ttys',`
-+ gen_require(`
-+ type user_tty_device_t;
-+ ')
-+
-+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+##
- ## Read and write a user domain pty.
- ##
- ##
-@@ -2692,22 +3404,34 @@ interface(`userdom_use_user_ptys',`
-
- ########################################
- ##
--## Read and write a user TTYs and PTYs.
-+## Read and write a inherited user domain pty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_use_inherited_user_ptys',`
-+ gen_require(`
-+ type user_devpts_t;
-+ ')
-+
-+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+##
-+## Read and write a inherited user TTYs and PTYs.
- ##
- ##
- ##
--## Allow the specified domain to read and write user
-+## Allow the specified domain to read and write inherited user
- ## TTYs and PTYs. This will allow the domain to
- ## interact with the user via the terminal. Typically
- ## all interactive applications will require this
- ## access.
- ##
--##
--## However, this also allows the applications to spy
--## on user sessions or inject information into the
--## user session. Thus, this access should likely
--## not be allowed for non-interactive domains.
--##
- ##
- ##
- ##
-@@ -2716,14 +3440,33 @@ interface(`userdom_use_user_ptys',`
- ##
- ##
- #
--interface(`userdom_use_user_terminals',`
-+interface(`userdom_use_inherited_user_terminals',`
- gen_require(`
- type user_tty_device_t, user_devpts_t;
- ')
-
-- allow $1 user_tty_device_t:chr_file rw_term_perms;
-- allow $1 user_devpts_t:chr_file rw_term_perms;
-- term_list_ptys($1)
-+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
-+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
-+#######################################
-+##
-+## Allow attempts to read and write
-+## a user domain tty and pty.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_use_user_terminals',`
-+ gen_require(`
-+ type user_tty_device_t, user_devpts_t;
-+ ')
-+
-+ allow $1 user_tty_device_t:chr_file rw_term_perms;
-+ allow $1 user_devpts_t:chr_file rw_term_perms;
- ')
-
- ########################################
-@@ -2742,8 +3485,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
- type user_tty_device_t, user_devpts_t;
- ')
-
-- dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
-- dontaudit $1 user_devpts_t:chr_file rw_term_perms;
-+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
-+ dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
-+
-+########################################
-+##
-+## Get attributes of user domain tty and pty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_getattr_user_terminals',`
-+ gen_require(`
-+ type user_tty_device_t, user_devpts_t;
-+ ')
-+
-+ allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
- ')
-
- ########################################
-@@ -2815,69 +3577,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
- allow unpriv_userdomain $1:process sigchld;
- ')
-
--########################################
-+#####################################
- ##
--## Execute an Xserver session in all unprivileged user domains. This
--## is an explicit transition, requiring the
--## caller to use setexeccon().
-+## Allow domain dyntrans to unpriv userdomain.
- ##
- ##
--##
--## Domain allowed to transition.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
--interface(`userdom_xsession_spec_domtrans_unpriv_users',`
-- gen_require(`
-- attribute unpriv_userdomain;
-- ')
-+interface(`userdom_dyntransition_unpriv_users',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-
-- xserver_xsession_spec_domtrans($1, unpriv_userdomain)
-- allow unpriv_userdomain $1:fd use;
-- allow unpriv_userdomain $1:fifo_file rw_file_perms;
-- allow unpriv_userdomain $1:process sigchld;
-+ allow $1 unpriv_userdomain:process dyntransition;
- ')
-
--#######################################
-+####################################
- ##
--## Read and write unpriviledged user SysV sempaphores.
-+## Allow domain dyntrans to admin userdomain.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
--interface(`userdom_rw_unpriv_user_semaphores',`
-- gen_require(`
-- attribute unpriv_userdomain;
-- ')
-+interface(`userdom_dyntransition_admin_users',`
-+ gen_require(`
-+ attribute admindomain;
-+ ')
-
-- allow $1 unpriv_userdomain:sem rw_sem_perms;
-+ allow $1 admindomain:process dyntransition;
- ')
-
- ########################################
- ##
--## Manage unpriviledged user SysV sempaphores.
-+## Execute an Xserver session in all unprivileged user domains. This
-+## is an explicit transition, requiring the
-+## caller to use setexeccon().
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
- ##
- ##
- #
--interface(`userdom_manage_unpriv_user_semaphores',`
-+interface(`userdom_xsession_spec_domtrans_unpriv_users',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
-- allow $1 unpriv_userdomain:sem create_sem_perms;
-+ xserver_xsession_spec_domtrans($1, unpriv_userdomain)
-+ allow unpriv_userdomain $1:fd use;
-+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
-+ allow unpriv_userdomain $1:process sigchld;
- ')
-
--#######################################
-+########################################
- ##
--## Read and write unpriviledged user SysV shared
--## memory segments.
-+## Manage unpriviledged user SysV sempaphores.
- ##
- ##
- ##
-@@ -2885,12 +3646,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
- ##
- ##
- #
--interface(`userdom_rw_unpriv_user_shared_mem',`
-+interface(`userdom_manage_unpriv_user_semaphores',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
-- allow $1 unpriv_userdomain:shm rw_shm_perms;
-+ allow $1 unpriv_userdomain:sem create_sem_perms;
- ')
-
- ########################################
-@@ -2954,7 +3715,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
-
- domain_entry_file_spec_domtrans($1, unpriv_userdomain)
- allow unpriv_userdomain $1:fd use;
-- allow unpriv_userdomain $1:fifo_file rw_file_perms;
-+ allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
- allow unpriv_userdomain $1:process sigchld;
- ')
-
-@@ -2970,29 +3731,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
- #
- interface(`userdom_search_user_home_content',`
- gen_require(`
-- type user_home_dir_t, user_home_t;
-+ type user_home_dir_t;
-+ attribute user_home_type;
- ')
-
- files_list_home($1)
-- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
--')
--
--########################################
--##
--## Send signull to unprivileged user domains.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`userdom_signull_unpriv_users',`
-- gen_require(`
-- attribute unpriv_userdomain;
-- ')
--
-- allow $1 unpriv_userdomain:process signull;
-+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
-+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -3074,7 +3819,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
- type user_devpts_t;
- ')
-
-- dontaudit $1 user_devpts_t:chr_file rw_file_perms;
-+ dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -3129,12 +3874,13 @@ interface(`userdom_write_user_tmp_files',`
- type user_tmp_t;
- ')
-
-- allow $1 user_tmp_t:file write_file_perms;
-+ write_files_pattern($1, user_tmp_t, user_tmp_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to use user ttys.
-+## Do not audit attempts to write users
-+## temporary files.
- ##
- ##
- ##
-@@ -3142,36 +3888,37 @@ interface(`userdom_write_user_tmp_files',`
- ##
- ##
- #
--interface(`userdom_dontaudit_use_user_ttys',`
-+interface(`userdom_dontaudit_write_user_tmp_files',`
- gen_require(`
-- type user_tty_device_t;
-+ type user_tmp_t;
- ')
-
-- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
-+ dontaudit $1 user_tmp_t:file write;
- ')
-
- ########################################
- ##
--## Read the process state of all user domains.
-+## Do not audit attempts to read/write users
-+## temporary fifo files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`userdom_read_all_users_state',`
-+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
- gen_require(`
-- attribute userdomain;
-+ type user_tmp_t;
- ')
-
-- read_files_pattern($1, userdomain, userdomain)
-- kernel_search_proc($1)
-+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of all user domains.
-+## Allow domain to read/write inherited users
-+## fifo files.
- ##
- ##
- ##
-@@ -3179,40 +3926,96 @@ interface(`userdom_read_all_users_state',`
- ##
- ##
- #
--interface(`userdom_getattr_all_users',`
-+interface(`userdom_rw_inherited_user_pipes',`
- gen_require(`
- attribute userdomain;
- ')
-
-- allow $1 userdomain:process getattr;
-+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Inherit the file descriptors from all user domains
-+## Do not audit attempts to use user ttys.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`userdom_use_all_users_fds',`
-+interface(`userdom_dontaudit_use_user_ttys',`
- gen_require(`
-- attribute userdomain;
-+ type user_tty_device_t;
- ')
-
-- allow $1 userdomain:fd use;
-+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to inherit the file
--## descriptors from any user domains.
-+## Read the process state of all user domains.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_all_users_state',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ read_files_pattern($1, userdomain, userdomain)
-+ read_lnk_files_pattern($1,userdomain,userdomain)
-+ kernel_search_proc($1)
-+')
-+
-+########################################
-+##
-+## Get the attributes of all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_getattr_all_users',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process getattr;
-+')
-+
-+########################################
-+##
-+## Inherit the file descriptors from all user domains
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_use_all_users_fds',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:fd use;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to inherit the file
-+## descriptors from any user domains.
-+##
-+##
-+##
-+## Domain to not audit.
- ##
- ##
- #
-@@ -3242,6 +4045,42 @@ interface(`userdom_signal_all_users',`
- allow $1 userdomain:process signal;
- ')
-
-+#######################################
-+##
-+## Send signull to all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_signull_all_users',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process signull;
-+')
-+
-+########################################
-+##
-+## Send kill signals to all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_kill_all_users',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process sigkill;
-+')
-+
- ########################################
- ##
- ## Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4101,24 @@ interface(`userdom_sigchld_all_users',`
-
- ########################################
- ##
-+## Read keys for all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_all_users_keys',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:key read;
-+')
-+
-+########################################
-+##
- ## Create keys for all user domains.
- ##
- ##
-@@ -3296,3 +4153,1365 @@ interface(`userdom_dbus_send_all_users',`
-
- allow $1 userdomain:dbus send_msg;
- ')
-+
-+########################################
-+##
-+## Allow apps to set rlimits on userdomain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_set_rlimitnh',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process rlimitinh;
-+')
-+
-+########################################
-+##
-+## Define this type as a Allow apps to set rlimits on userdomain
-+##
-+##
-+##
-+## The prefix of the user domain (e.g., user
-+## is the prefix for user_t).
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+template(`userdom_unpriv_usertype',`
-+ gen_require(`
-+ attribute unpriv_userdomain, userdomain;
-+ attribute $1_usertype;
-+ ')
-+ typeattribute $2 $1_usertype;
-+ typeattribute $2 unpriv_userdomain;
-+ typeattribute $2 userdomain;
-+
-+ auth_use_nsswitch($2)
-+ ubac_constrained($2)
-+')
-+
-+#######################################
-+##
-+## Define this type as a Allow apps to set rlimits on userdomain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+template(`userdom_unpriv_type',`
-+ gen_require(`
-+ attribute unpriv_userdomain, userdomain;
-+ ')
-+ typeattribute $1 unpriv_userdomain;
-+ typeattribute $1 userdomain;
-+
-+ auth_use_nsswitch($1)
-+ ubac_constrained($1)
-+')
-+
-+########################################
-+##
-+## Connect to users over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_stream_connect',`
-+ gen_require(`
-+ type user_tmp_t;
-+ attribute userdomain;
-+ ')
-+
-+ stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
-+')
-+
-+########################################
-+##
-+## Ptrace user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_ptrace_all_users',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 userdomain:process ptrace;
-+ ')
-+')
-+
-+########################################
-+##
-+## dontaudit Search /root
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_search_admin_dir',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## dontaudit list /root
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_list_admin_dir',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Allow domain to list /root
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_list_admin_dir',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Allow Search /root
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_search_admin_dir',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## RW unpriviledged user SysV sempaphores.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_semaphores',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:sem rw_sem_perms;
-+')
-+
-+########################################
-+##
-+## Send a message to unpriv users over a unix domain
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_dgram_send',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:unix_dgram_socket sendto;
-+')
-+
-+######################################
-+##
-+## Send a message to users over a unix domain
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_users_dgram_send',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:unix_dgram_socket sendto;
-+')
-+
-+#######################################
-+##
-+## Allow execmod on files in homedirectory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_execmod_user_home_files',`
-+ gen_require(`
-+ type user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:file execmod;
-+')
-+
-+########################################
-+##
-+## Read admin home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_read_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ read_files_pattern($1, admin_home_t, admin_home_t)
-+')
-+
-+########################################
-+##
-+## Delete admin home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_delete_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:file delete_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute admin home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_exec_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ exec_files_pattern($1, admin_home_t, admin_home_t)
-+')
-+
-+########################################
-+##
-+## Append files inherited
-+## in the /root directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_inherit_append_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:file { getattr append };
-+')
-+
-+
-+#######################################
-+##
-+## Manage all files/directories in the homedir
-+##
-+##
-+##
-+## The user domain
-+##
-+##
-+##
-+#
-+interface(`userdom_manage_user_home_content',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
-+ ')
-+
-+ files_list_home($1)
-+ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
-+
-+')
-+
-+
-+########################################
-+##
-+## Create objects in a user home directory
-+## with an automatic type transition to
-+## the user home file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+#
-+interface(`userdom_user_home_dir_filetrans_pattern',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ ')
-+
-+ type_transition $1 user_home_dir_t:$2 user_home_t;
-+')
-+
-+########################################
-+##
-+## Create objects in the /root directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`userdom_admin_home_dir_filetrans',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ filetrans_pattern($1, admin_home_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Send signull to unprivileged user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_signull_unpriv_users',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:process signull;
-+')
-+
-+########################################
-+##
-+## Write all users files in /tmp
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_write_user_tmp_dirs',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ write_files_pattern($1, user_tmp_t, user_tmp_t)
-+')
-+
-+########################################
-+##
-+## Manage keys for all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_all_users_keys',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:key manage_key_perms;
-+')
-+
-+
-+########################################
-+##
-+## Do not audit attempts to read and write
-+## unserdomain stream.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_rw_stream',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read and write
-+## unserdomain datagram socket.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_rw_dgram_socket',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ dontaudit $1 userdomain:unix_dgram_socket { read write };
-+')
-+
-+########################################
-+##
-+## Append files
-+## in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_append_user_home_content_files',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ ')
-+
-+ append_files_pattern($1, user_home_t, user_home_t)
-+ allow $1 user_home_dir_t:dir search_dir_perms;
-+ files_search_home($1)
-+')
-+
-+########################################
-+##
-+## Read files inherited
-+## in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_inherited_user_home_content_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:file { getattr read };
-+')
-+
-+########################################
-+##
-+## Read/Write files inherited
-+## in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_inherited_user_home_content_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Append files inherited
-+## in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_inherit_append_user_home_content_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:file { getattr append };
-+')
-+
-+########################################
-+##
-+## Append files inherited
-+## in a user tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_inherit_append_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file { getattr append };
-+')
-+
-+######################################
-+##
-+## Read audio files in the users homedir.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_read_home_audio_files',`
-+ gen_require(`
-+ type audio_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ allow $1 audio_home_t:dir list_dir_perms;
-+ read_files_pattern($1, audio_home_t, audio_home_t)
-+ read_lnk_files_pattern($1, audio_home_t, audio_home_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write all user home content files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_write_all_user_home_content_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ dontaudit $1 user_home_type:file write_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write all user tmp content files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_write_all_user_tmp_content_files',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ ')
-+
-+ dontaudit $1 user_tmp_type:file write_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Manage all user temporary content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_all_user_tmp_content',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ ')
-+
-+ manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
-+ manage_files_pattern($1, user_tmp_type, user_tmp_type)
-+ manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
-+ manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
-+ manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
-+## List all user temporary content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_list_all_user_tmp_content',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ ')
-+
-+ list_dirs_pattern($1, user_tmp_type, user_tmp_type)
-+ getattr_files_pattern($1, user_tmp_type, user_tmp_type)
-+ read_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
-+ getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type)
-+ getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
-+ files_search_var($1)
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
-+## Manage all user tmpfs content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_all_user_tmpfs_content',`
-+ gen_require(`
-+ attribute user_tmpfs_type;
-+ ')
-+
-+ manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ fs_search_tmpfs($1)
-+')
-+
-+########################################
-+##
-+## Delete all user temporary content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_all_user_tmp_content',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ ')
-+
-+ delete_dirs_pattern($1, user_tmp_type, user_tmp_type)
-+ delete_files_pattern($1, user_tmp_type, user_tmp_type)
-+ delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
-+ delete_sock_files_pattern($1, user_tmp_type, user_tmp_type)
-+ delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
-+ # /var/tmp
-+ files_search_var($1)
-+ files_delete_tmp_dir_entry($1)
-+')
-+
-+########################################
-+##
-+## Read system SSL certificates in the users homedir.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_home_certs',`
-+ gen_require(`
-+ type home_cert_t;
-+ ')
-+
-+ userdom_search_user_home_content($1)
-+ allow $1 home_cert_t:dir list_dir_perms;
-+ read_files_pattern($1, home_cert_t, home_cert_t)
-+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
-+')
-+
-+########################################
-+##
-+## Manage system SSL certificates in the users homedir.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_home_certs',`
-+ gen_require(`
-+ type home_cert_t;
-+ ')
-+
-+ allow $1 home_cert_t:dir list_dir_perms;
-+ manage_dirs_pattern($1, home_cert_t, home_cert_t)
-+ manage_files_pattern($1, home_cert_t, home_cert_t)
-+ manage_lnk_files_pattern($1, home_cert_t, home_cert_t)
-+
-+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
-+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
-+')
-+
-+#######################################
-+##
-+## Dontaudit Write system SSL certificates in the users homedir.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_write_home_certs',`
-+ gen_require(`
-+ type home_cert_t;
-+ ')
-+
-+ dontaudit $1 home_cert_t:file write;
-+')
-+
-+########################################
-+##
-+## dontaudit Search getatrr /root files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_getattr_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:file getattr;
-+')
-+
-+########################################
-+##
-+## dontaudit read /root lnk files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_read_admin_home_lnk_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:lnk_file read;
-+')
-+
-+########################################
-+##
-+## dontaudit read /root files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_read_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete user
-+## temporary chr files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_user_tmp_chr_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete user
-+## temporary blk files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_user_tmp_blk_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
-+## Dontaudit attempt to set attributes on user temporary directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_setattr_user_tmp',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ dontaudit $1 user_tmp_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Dontaudit attempt to set attributes on user temporary file system files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_setattr_user_tmpfs',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ dontaudit $1 user_tmpfs_t:file setattr;
-+')
-+
-+########################################
-+##
-+## Read all inherited users files in /tmp
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_inherited_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read/write all inherited users files in /tmp
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_inherited_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Write all inherited users files in /tmp
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_write_inherited_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file write;
-+')
-+
-+########################################
-+##
-+## Write all inherited users home files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_inherited_user_home_sock_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:sock_file write;
-+')
-+
-+########################################
-+##
-+## Delete all users files in /tmp
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file delete_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete user tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_user_tmpfs_files',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ allow $1 user_tmpfs_t:file delete_file_perms;
-+')
-+
-+########################################
-+##
-+## Read/Write unpriviledged user SysV shared
-+## memory segments.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_unpriv_user_shared_mem',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:shm rw_shm_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search user
-+## temporary directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_search_user_tmp',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ dontaudit $1 user_tmp_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Execute a file in a user home directory
-+## in the specified domain.
-+##
-+##
-+##
-+## Execute a file in a user home directory
-+## in the specified domain.
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`userdom_domtrans_user_home',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, user_home_t, user_home_t)
-+ domain_transition_pattern($1, user_home_t, $2)
-+ type_transition $1 user_home_t:process $2;
-+')
-+
-+########################################
-+##
-+## Execute a file in a user tmp directory
-+## in the specified domain.
-+##
-+##
-+##
-+## Execute a file in a user tmp directory
-+## in the specified domain.
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`userdom_domtrans_user_tmp',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
-+ domain_transition_pattern($1, user_tmp_t, $2)
-+ type_transition $1 user_tmp_t:process $2;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read all user home content files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_read_all_user_home_content_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ dontaudit $1 user_home_type:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read all user tmp content files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_read_all_user_tmp_content_files',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ ')
-+
-+ dontaudit $1 user_tmp_type:file read_file_perms;
-+')
-+
-+#######################################
-+##
-+## Read and write unpriviledged user SysV sempaphores.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_unpriv_user_semaphores',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:sem rw_sem_perms;
-+')
-+
-+########################################
-+##
-+## Transition to userdom named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_filetrans_home_content',`
-+ gen_require(`
-+ type home_bin_t, home_cert_t;
-+ type audio_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
-+ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio")
-+ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
-+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
-+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
-+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
-+
-+ optional_policy(`
-+ gnome_config_filetrans($1, home_cert_t, dir, "certificates")
-+ #gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin")
-+ ')
-+')
-+
-+########################################
-+##
-+## Make the specified type able to read content in user home dirs
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_home_reader',`
-+ gen_require(`
-+ attribute userdom_home_reader_type;
-+ ')
-+
-+ typeattribute $1 userdom_home_reader_type;
-+')
-+
-+
-+########################################
-+##
-+## Make the specified type able to manage content in user home dirs
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_home_manager',`
-+ gen_require(`
-+ attribute userdom_home_manager_type;
-+ ')
-+
-+ typeattribute $1 userdom_home_manager_type;
-+')
-+
-+########################################
-+##
-+## Create objects in the temporary filesystem directory
-+## with an automatic type transition to
-+## the user temporary filesystem type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`userdom_tmpfs_filetrans',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ fs_tmpfs_filetrans($1, user_tmpfs_t, $2, $3)
-+')
-+
-+
-+#######################################
-+##
-+## Create objects in the temporary filesystem directory
-+## with an automatic type transition to
-+## the user temporary filesystem type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`userdom_tmpfs_filetrans_to',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
-+')
-diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 6a4bd85..4f23ca8 100644
---- a/policy/modules/system/userdomain.te
-+++ b/policy/modules/system/userdomain.te
-@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.0)
-
- ##
- ##
--## Allow users to connect to mysql
-+## Allow users to connect to the local mysql server
- ##
- ##
--gen_tunable(allow_user_mysql_connect, false)
-+gen_tunable(selinuxuser_mysql_connect_enabled, false)
-
- ##
- ##
- ## Allow users to connect to PostgreSQL
- ##
- ##
--gen_tunable(allow_user_postgresql_connect, false)
-+gen_tunable(selinuxuser_postgresql_connect_enabled, false)
-
- ##
- ##
--## Allow regular users direct mouse access
-+## Allow user to r/w files on filesystems
-+## that do not have extended attributes (FAT, CDROM, FLOPPY)
- ##
- ##
--gen_tunable(user_direct_mouse, false)
-+gen_tunable(selinuxuser_rw_noexattrfile, false)
-
- ##
- ##
--## Allow users to read system messages.
-+## Allow user music sharing
- ##
- ##
--gen_tunable(user_dmesg, false)
-+gen_tunable(selinuxuser_user_share_music, false)
-
- ##
- ##
--## Allow user to r/w files on filesystems
--## that do not have extended attributes (FAT, CDROM, FLOPPY)
-+## Allow user to use ssh chroot environment.
- ##
- ##
--gen_tunable(user_rw_noexattrfile, false)
--
--##
--##
--## Allow w to display everyone
--##
--##
--gen_tunable(user_ttyfile_stat, false)
-+gen_tunable(selinuxuser_use_ssh_chroot, false)
-
- attribute admindomain;
-+attribute login_userdomain;
-
- # all user domains
- attribute userdomain;
-@@ -59,6 +53,22 @@ attribute unpriv_userdomain;
- attribute untrusted_content_type;
- attribute untrusted_content_tmp_type;
-
-+attribute userdom_home_reader_type;
-+attribute userdom_home_manager_type;
-+
-+# unprivileged user domains
-+attribute user_home_type;
-+attribute user_tmp_type;
-+attribute user_tmpfs_type;
-+
-+type admin_home_t;
-+files_type(admin_home_t)
-+files_associate_tmp(admin_home_t)
-+fs_associate_tmpfs(admin_home_t)
-+files_mountpoint(admin_home_t)
-+files_poly_member(admin_home_t)
-+files_poly_parent(admin_home_t)
-+
- type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
- fs_associate_tmpfs(user_home_dir_t)
- files_type(user_home_dir_t)
-@@ -71,26 +81,122 @@ ubac_constrained(user_home_dir_t)
-
- type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
- typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
-+typeattribute user_home_t user_home_type;
- userdom_user_home_content(user_home_t)
- fs_associate_tmpfs(user_home_t)
- files_associate_tmp(user_home_t)
-+files_poly_member(user_home_t)
- files_poly_parent(user_home_t)
- files_mountpoint(user_home_t)
-+ubac_constrained(user_home_t)
-
- type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
- dev_node(user_devpts_t)
- files_type(user_devpts_t)
- ubac_constrained(user_devpts_t)
-
--type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
-+type user_tmp_t, user_tmp_type;
-+typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
- typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
- files_tmp_file(user_tmp_t)
- userdom_user_home_content(user_tmp_t)
-+files_poly_parent(user_tmp_t)
-+files_mountpoint(user_tmp_t)
-
--type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
-+type user_tmpfs_t, user_tmpfs_type;
-+typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
- files_tmpfs_file(user_tmpfs_t)
- userdom_user_home_content(user_tmpfs_t)
-
- type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
- dev_node(user_tty_device_t)
- ubac_constrained(user_tty_device_t)
-+
-+type audio_home_t;
-+userdom_user_home_content(audio_home_t)
-+ubac_constrained(audio_home_t)
-+
-+type home_bin_t;
-+userdom_user_home_content(home_bin_t)
-+ubac_constrained(home_bin_t)
-+
-+type home_cert_t;
-+miscfiles_cert_type(home_cert_t)
-+userdom_user_home_content(home_cert_t)
-+ubac_constrained(home_cert_t)
-+
-+tunable_policy(`login_console_enabled',`
-+ term_use_console(userdomain)
-+')
-+
-+allow userdomain userdomain:process signull;
-+allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms;
-+
-+# Nautilus causes this avc
-+dontaudit unpriv_userdomain self:dir setattr;
-+allow unpriv_userdomain self:key manage_key_perms;
-+
-+optional_policy(`
-+ alsa_read_rw_config(unpriv_userdomain)
-+ alsa_manage_home_files(unpriv_userdomain)
-+ alsa_relabel_home_files(unpriv_userdomain)
-+')
-+
-+optional_policy(`
-+ gnome_filetrans_home_content(userdomain)
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_home_content(userdomain)
-+ ssh_rw_tcp_sockets(userdomain)
-+')
-+
-+optional_policy(`
-+ telepathy_filetrans_home_content(userdomain)
-+')
-+
-+optional_policy(`
-+ xserver_filetrans_home_content(userdomain)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_auto_mountpoints(userdom_home_reader_type)
-+ fs_read_nfs_files(userdom_home_reader_type)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_read_cifs_files(userdom_home_reader_type)
-+')
-+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_read_fusefs_files(userdom_home_reader_type)
-+')
-+
-+tunable_policy(`use_ecryptfs_home_dirs',`
-+ fs_read_ecryptfs_files(userdom_home_reader_type)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_auto_mountpoints(userdom_home_manager_type)
-+ fs_manage_nfs_dirs(userdom_home_manager_type)
-+ fs_manage_nfs_files(userdom_home_manager_type)
-+ fs_manage_nfs_symlinks(userdom_home_manager_type)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(userdom_home_manager_type)
-+ fs_manage_cifs_files(userdom_home_manager_type)
-+ fs_manage_cifs_symlinks(userdom_home_manager_type)
-+')
-+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_manage_fusefs_dirs(userdom_home_manager_type)
-+ fs_manage_fusefs_files(userdom_home_manager_type)
-+ fs_manage_fusefs_symlinks(userdom_home_manager_type)
-+')
-+
-+tunable_policy(`use_ecryptfs_home_dirs',`
-+ fs_manage_ecryptfs_dirs(userdom_home_manager_type)
-+ fs_manage_ecryptfs_files(userdom_home_manager_type)
-+ fs_manage_ecryptfs_files(userdom_home_manager_type)
-+')
-diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
-index e79d545..101086d 100644
---- a/policy/support/misc_patterns.spt
-+++ b/policy/support/misc_patterns.spt
-@@ -4,7 +4,7 @@
- define(`domain_transition_pattern',`
- allow $1 $2:file { getattr open read execute };
- allow $1 $3:process transition;
-- dontaudit $1 $3:process { noatsecure siginh rlimitinh };
-+# dontaudit $1 $3:process { noatsecure siginh rlimitinh };
- ')
-
- # compatibility:
-@@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',`
- domain_transition_pattern($1,$2,$3)
-
- allow $3 $1:fd use;
-- allow $3 $1:fifo_file rw_fifo_file_perms;
-+ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
- allow $3 $1:process sigchld;
- ')
-
-@@ -34,7 +34,7 @@ define(`domtrans_pattern',`
- domain_auto_transition_pattern($1,$2,$3)
-
- allow $3 $1:fd use;
-- allow $3 $1:fifo_file rw_fifo_file_perms;
-+ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
- allow $3 $1:process sigchld;
- ')
-
-diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..936a91d 100644
---- a/policy/support/obj_perm_sets.spt
-+++ b/policy/support/obj_perm_sets.spt
-@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
- #
- # All socket classes.
- #
--define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
--
-+define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
-
- #
- # Datagram socket classes.
-@@ -59,7 +58,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
- #
- # Permissions for using sockets.
- #
--define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
-+define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')
-
- #
- # Permissions for creating and using sockets.
-@@ -153,12 +152,16 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
- #
- define(`getattr_file_perms',`{ getattr }')
- define(`setattr_file_perms',`{ setattr }')
--define(`read_file_perms',`{ getattr open read lock ioctl }')
-+define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
-+define(`read_file_perms',`{ open read_inherited_file_perms }')
- define(`mmap_file_perms',`{ getattr open read execute ioctl }')
- define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
--define(`append_file_perms',`{ getattr open append lock ioctl }')
--define(`write_file_perms',`{ getattr open write append lock ioctl }')
--define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
-+define(`append_inherited_file_perms',`{ getattr append }')
-+define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }')
-+define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
-+define(`write_file_perms',`{ open write_inherited_file_perms }')
-+define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
-+define(`rw_file_perms',`{ open rw_inherited_file_perms }')
- define(`create_file_perms',`{ getattr create open }')
- define(`rename_file_perms',`{ getattr rename }')
- define(`delete_file_perms',`{ getattr unlink }')
-@@ -179,7 +182,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
- define(`create_lnk_file_perms',`{ create getattr }')
- define(`rename_lnk_file_perms',`{ getattr rename }')
- define(`delete_lnk_file_perms',`{ getattr unlink }')
--define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
-+define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
- define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
- define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
- define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
-@@ -192,7 +195,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
- define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
- define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
- define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
--define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
-+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
-+define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
- define(`create_fifo_file_perms',`{ getattr create open }')
- define(`rename_fifo_file_perms',`{ getattr rename }')
- define(`delete_fifo_file_perms',`{ getattr unlink }')
-@@ -208,7 +212,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
- define(`setattr_sock_file_perms',`{ setattr }')
- define(`read_sock_file_perms',`{ getattr open read }')
- define(`write_sock_file_perms',`{ getattr write open append }')
--define(`rw_sock_file_perms',`{ getattr open read write append }')
-+define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
-+define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
- define(`create_sock_file_perms',`{ getattr create open }')
- define(`rename_sock_file_perms',`{ getattr rename }')
- define(`delete_sock_file_perms',`{ getattr unlink }')
-@@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
- define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
- define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
- define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
--define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
-+define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
-+define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
- define(`create_blk_file_perms',`{ getattr create }')
- define(`rename_blk_file_perms',`{ getattr rename }')
- define(`delete_blk_file_perms',`{ getattr unlink }')
-@@ -242,7 +248,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
- define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
- define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
- define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
--define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
-+define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
-+define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
- define(`create_chr_file_perms',`{ getattr create }')
- define(`rename_chr_file_perms',`{ getattr rename }')
- define(`delete_chr_file_perms',`{ getattr unlink }')
-@@ -259,7 +266,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
- #
- # Use (read and write) terminals
- #
--define(`rw_term_perms', `{ getattr open read write append ioctl }')
-+define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
-+define(`rw_term_perms', `{ rw_inherited_term_perms open }')
-
- #
- # Sockets
-@@ -271,3 +279,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
- # Keys
- #
- define(`manage_key_perms', `{ create link read search setattr view write } ')
-+
-+#
-+# Service
-+#
-+define(`manage_service_perms', `{ start stop status reload kill load } ')
-diff --git a/policy/users b/policy/users
-index c4ebc7e..30d6d7a 100644
---- a/policy/users
-+++ b/policy/users
-@@ -15,7 +15,7 @@
- # and a user process should never be assigned the system user
- # identity.
- #
--gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
- #
- # user_u is a generic user identity for Linux users who have no
-@@ -24,12 +24,9 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
- # SELinux user identity for a Linux user. If you do not want to
- # permit any access to such users, then remove this entry.
- #
--gen_user(user_u, user, user_r, s0, s0)
--gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
--
--# Until order dependence is fixed for users:
--gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(user_u, user, user_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
- #
- # The following users correspond to Unix identities.
-@@ -38,8 +35,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
- # role should use the staff_r role instead of the user_r role when
- # not in the sysadm_r.
- #
--ifdef(`direct_sysadm_daemon',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--')
-+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff --git a/support/Makefile.devel b/support/Makefile.devel
-index b96e9b3..ff7340f 100644
---- a/support/Makefile.devel
-+++ b/support/Makefile.devel
-@@ -26,7 +26,6 @@ XMLLINT := $(BINDIR)/xmllint
- # set default build options if missing
- TYPE ?= standard
- DIRECT_INITRC ?= n
--POLY ?= n
- QUIET ?= y
-
- genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
deleted file mode 100644
index 916914e..0000000
--- a/policy_contrib-rawhide.patch
+++ /dev/null
@@ -1,75176 +0,0 @@
-diff --git a/abrt.fc b/abrt.fc
-index 1bd5812..ad5baf5 100644
---- a/abrt.fc
-+++ b/abrt.fc
-@@ -1,20 +1,37 @@
- /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
- /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-
--/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
-
--/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
--/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
-+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
-
- /usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+
-+/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
-
- /var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
- /var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-
--/var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0)
-+/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
-
- /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
- /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
- /var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-
- /var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-+
-+# ABRT retrace server
-+/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-+/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
-+
-+/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-+
-+# cjp: new version
-+/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-diff --git a/abrt.if b/abrt.if
-index 0b827c5..cce58bb 100644
---- a/abrt.if
-+++ b/abrt.if
-@@ -2,6 +2,28 @@
-
- ######################################
- ##
-+## Creates types and rules for a basic
-+## ABRT daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`abrt_basic_types_template',`
-+ gen_require(`
-+ attribute abrt_domain;
-+ ')
-+
-+ type $1_t, abrt_domain;
-+ type $1_exec_t;
-+
-+ kernel_read_system_state($1_t)
-+')
-+
-+######################################
-+##
- ## Execute abrt in the abrt domain.
- ##
- ##
-@@ -71,12 +93,13 @@ interface(`abrt_read_state',`
- type abrt_t;
- ')
-
-+ kernel_search_proc($1)
- ps_process_pattern($1, abrt_t)
- ')
-
- ########################################
- ##
--## Connect to abrt over an unix stream socket.
-+## Connect to abrt over a unix stream socket.
- ##
- ##
- ##
-@@ -160,8 +183,26 @@ interface(`abrt_run_helper',`
-
- ########################################
- ##
--## Send and receive messages from
--## abrt over dbus.
-+## Read abrt cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_read_cache',`
-+ gen_require(`
-+ type abrt_var_cache_t;
-+ ')
-+
-+ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-+ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-+')
-+
-+########################################
-+##
-+## Append abrt cache
- ##
- ##
- ##
-@@ -169,12 +210,52 @@ interface(`abrt_run_helper',`
- ##
- ##
- #
--interface(`abrt_cache_manage',`
-+interface(`abrt_append_cache',`
-+ gen_require(`
-+ type abrt_var_cache_t;
-+ ')
-+
-+
-+ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read/Write inherited abrt cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_rw_inherited_cache',`
-+ gen_require(`
-+ type abrt_var_cache_t;
-+ ')
-+
-+
-+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Manage abrt cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_manage_cache',`
- gen_require(`
- type abrt_var_cache_t;
- ')
-
- manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-+ manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-+ manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
- ')
-
- ####################################
-@@ -253,6 +334,47 @@ interface(`abrt_manage_pid_files',`
- manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
- ')
-
-+########################################
-+##
-+## Read and write abrt fifo files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_rw_fifo_file',`
-+ gen_require(`
-+ type abrt_t;
-+ ')
-+
-+ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute abrt server in the abrt domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`abrt_systemctl',`
-+ gen_require(`
-+ type abrt_t;
-+ type abrt_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 abrt_unit_file_t:file read_file_perms;
-+ allow $1 abrt_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, abrt_t)
-+')
-+
- #####################################
- ##
- ## All of the rules required to administrate
-@@ -276,28 +398,135 @@ interface(`abrt_admin',`
- type abrt_var_cache_t, abrt_var_log_t;
- type abrt_var_run_t, abrt_tmp_t;
- type abrt_initrc_exec_t;
-+ type abrt_unit_file_t;
- ')
-
-- allow $1 abrt_t:process { ptrace signal_perms };
-+ allow $1 abrt_t:process { signal_perms };
- ps_process_pattern($1, abrt_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 abrt_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, abrt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 abrt_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_search_etc($1)
-+ files_list_etc($1)
- admin_pattern($1, abrt_etc_t)
-
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, abrt_var_log_t)
-
-- files_search_var($1)
-+ files_list_var($1)
- admin_pattern($1, abrt_var_cache_t)
-
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, abrt_var_run_t)
-
-- files_search_tmp($1)
-+ files_list_tmp($1)
- admin_pattern($1, abrt_tmp_t)
-+
-+ abrt_systemctl($1)
-+ admin_pattern($1, abrt_unit_file_t)
-+ allow $1 abrt_unit_file_t:service all_service_perms;
-+')
-+
-+####################################
-+##
-+## Execute abrt-retrace in the abrt-retrace domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`abrt_domtrans_retrace_worker',`
-+ gen_require(`
-+ type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
-+')
-+
-+######################################
-+##
-+## Manage abrt retrace server cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_manage_spool_retrace',`
-+ gen_require(`
-+ type abrt_retrace_spool_t;
-+ ')
-+
-+ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+')
-+
-+#####################################
-+##
-+## Read abrt retrace server cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_read_spool_retrace',`
-+ gen_require(`
-+ type abrt_retrace_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+ read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+ read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+')
-+
-+
-+#####################################
-+##
-+## Read abrt retrace server cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_read_cache_retrace',`
-+ gen_require(`
-+ type abrt_retrace_cache_t;
-+ ')
-+
-+ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write abrt sock files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`abrt_dontaudit_write_sock_file',`
-+ gen_require(`
-+ type abrt_t;
-+ ')
-+
-+ dontaudit $1 abrt_t:sock_file write;
- ')
-diff --git a/abrt.te b/abrt.te
-index 30861ec..864d511 100644
---- a/abrt.te
-+++ b/abrt.te
-@@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0)
- # Declarations
- #
-
--type abrt_t;
--type abrt_exec_t;
-+##
-+##
-+## Allow ABRT to modify public files
-+## used for public file transfer services.
-+##
-+##
-+gen_tunable(abrt_anon_write, false)
-+
-+##
-+##
-+## Allow ABRT to run in abrt_handle_event_t domain
-+## to handle ABRT event scripts
-+##
-+##
-+gen_tunable(abrt_handle_event, false)
-+
-+attribute abrt_domain;
-+
-+abrt_basic_types_template(abrt)
- init_daemon_domain(abrt_t, abrt_exec_t)
-
- type abrt_initrc_exec_t;
- init_script_file(abrt_initrc_exec_t)
-
-+type abrt_unit_file_t;
-+systemd_unit_file(abrt_unit_file_t)
-+
- # etc files
- type abrt_etc_t;
- files_config_file(abrt_etc_t)
-@@ -32,10 +52,20 @@ files_type(abrt_var_cache_t)
- type abrt_var_run_t;
- files_pid_file(abrt_var_run_t)
-
-+abrt_basic_types_template(abrt_dump_oops)
-+init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
-+
-+# type for abrt-handle-event to handle
-+# ABRT event scripts
-+abrt_basic_types_template(abrt_handle_event)
-+application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
-+role system_r types abrt_handle_event_t;
-+
- # type needed to allow all domains
- # to handle /var/cache/abrt
--type abrt_helper_t;
--type abrt_helper_exec_t;
-+# type needed to allow all domains
-+# to handle /var/cache/abrt
-+abrt_basic_types_template(abrt_helper)
- application_domain(abrt_helper_t, abrt_helper_exec_t)
- role system_r types abrt_helper_t;
-
-@@ -43,14 +73,36 @@ ifdef(`enable_mcs',`
- init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
- ')
-
-+#
-+# Support for ABRT retrace server
-+#
-+
-+abrt_basic_types_template(abrt_retrace_worker)
-+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
-+role system_r types abrt_retrace_worker_t;
-+
-+abrt_basic_types_template(abrt_retrace_coredump)
-+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
-+role system_r types abrt_retrace_coredump_t;
-+
-+type abrt_retrace_cache_t;
-+files_type(abrt_retrace_cache_t)
-+
-+type abrt_retrace_spool_t;
-+files_spool_file(abrt_retrace_spool_t)
-+
-+# Support abrt-watch log
-+abrt_basic_types_template(abrt_watch_log)
-+init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
-+
- ########################################
- #
- # abrt local policy
- #
-
--allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
-+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
- dontaudit abrt_t self:capability sys_rawio;
--allow abrt_t self:process { signal signull setsched getsched };
-+allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
-
- allow abrt_t self:fifo_file rw_fifo_file_perms;
- allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +111,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
- allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
-
- # abrt etc files
-+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
- rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
-
- # log file
-@@ -68,7 +121,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
- # abrt tmp files
- manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
- manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
-+manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
- files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
-+can_exec(abrt_t, abrt_tmp_t)
-
- # abrt var/cache files
- manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,10 +137,12 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
- manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
- manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
- manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
--files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
-+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
-+
-+kernel_read_ring_buffer(abrt_t)
-+kernel_request_load_module(abrt_t)
-
- kernel_read_ring_buffer(abrt_t)
--kernel_read_system_state(abrt_t)
- kernel_rw_kernel_sysctl(abrt_t)
-
- corecmd_exec_bin(abrt_t)
-@@ -93,7 +150,6 @@ corecmd_exec_shell(abrt_t)
- corecmd_read_all_executables(abrt_t)
-
- corenet_all_recvfrom_netlabel(abrt_t)
--corenet_all_recvfrom_unlabeled(abrt_t)
- corenet_tcp_sendrecv_generic_if(abrt_t)
- corenet_tcp_sendrecv_generic_node(abrt_t)
- corenet_tcp_sendrecv_generic_port(abrt_t)
-@@ -104,6 +160,8 @@ corenet_tcp_connect_all_ports(abrt_t)
- corenet_sendrecv_http_client_packets(abrt_t)
-
- dev_getattr_all_chr_files(abrt_t)
-+dev_getattr_all_blk_files(abrt_t)
-+dev_read_rand(abrt_t)
- dev_read_urand(abrt_t)
- dev_rw_sysfs(abrt_t)
- dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +171,8 @@ domain_read_all_domains_state(abrt_t)
- domain_signull_all_domains(abrt_t)
-
- files_getattr_all_files(abrt_t)
--files_read_etc_files(abrt_t)
-+files_read_config_files(abrt_t)
-+files_read_etc_runtime_files(abrt_t)
- files_read_var_symlinks(abrt_t)
- files_read_var_lib_files(abrt_t)
- files_read_usr_files(abrt_t)
-@@ -121,6 +180,9 @@ files_read_generic_tmp_files(abrt_t)
- files_read_kernel_modules(abrt_t)
- files_dontaudit_list_default(abrt_t)
- files_dontaudit_read_default_files(abrt_t)
-+files_dontaudit_read_all_symlinks(abrt_t)
-+files_dontaudit_getattr_all_sockets(abrt_t)
-+files_list_mnt(abrt_t)
-
- fs_list_inotifyfs(abrt_t)
- fs_getattr_all_fs(abrt_t)
-@@ -131,22 +193,37 @@ fs_read_nfs_files(abrt_t)
- fs_read_nfs_symlinks(abrt_t)
- fs_search_all(abrt_t)
-
--sysnet_read_config(abrt_t)
--
- logging_read_generic_logs(abrt_t)
- logging_send_syslog_msg(abrt_t)
-
-+auth_use_nsswitch(abrt_t)
-+
- miscfiles_read_generic_certs(abrt_t)
--miscfiles_read_localization(abrt_t)
-+miscfiles_read_public_files(abrt_t)
-
- userdom_dontaudit_read_user_home_content_files(abrt_t)
-+userdom_dontaudit_read_admin_home_files(abrt_t)
-+
-+tunable_policy(`abrt_anon_write',`
-+ miscfiles_manage_public_files(abrt_t)
-+')
-+
-+optional_policy(`
-+ apache_list_modules(abrt_t)
-+ apache_read_modules(abrt_t)
-+')
-
- optional_policy(`
- dbus_system_domain(abrt_t, abrt_exec_t)
- ')
-
- optional_policy(`
-- nis_use_ypbind(abrt_t)
-+ dmesg_domtrans(abrt_t)
-+')
-+
-+optional_policy(`
-+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
-+ mozilla_plugin_read_rw_files(abrt_t)
- ')
-
- optional_policy(`
-@@ -167,6 +244,7 @@ optional_policy(`
- rpm_exec(abrt_t)
- rpm_dontaudit_manage_db(abrt_t)
- rpm_manage_cache(abrt_t)
-+ rpm_manage_log(abrt_t)
- rpm_manage_pid_files(abrt_t)
- rpm_read_db(abrt_t)
- rpm_signull(abrt_t)
-@@ -178,9 +256,36 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ sosreport_domtrans(abrt_t)
-+ sosreport_read_tmp_files(abrt_t)
-+ sosreport_delete_tmp_files(abrt_t)
-+')
-+
-+optional_policy(`
- sssd_stream_connect(abrt_t)
- ')
-
-+optional_policy(`
-+ xserver_read_log(abrt_t)
-+')
-+
-+#######################################
-+#
-+# abrt-handle-event local policy
-+#
-+
-+allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-+
-+tunable_policy(`abrt_handle_event',`
-+ domtrans_pattern(abrt_t, abrt_handle_event_exec_t, abrt_handle_event_t)
-+',`
-+ can_exec(abrt_t, abrt_handle_event_exec_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(abrt_handle_event_t)
-+')
-+
- ########################################
- #
- # abrt--helper local policy
-@@ -200,9 +305,11 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
- read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
- read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-
-+corecmd_read_all_executables(abrt_helper_t)
-+
- domain_read_all_domains_state(abrt_helper_t)
-
--files_read_etc_files(abrt_helper_t)
-+files_dontaudit_all_non_security_leaks(abrt_helper_t)
-
- fs_list_inotifyfs(abrt_helper_t)
- fs_getattr_all_fs(abrt_helper_t)
-@@ -211,12 +318,11 @@ auth_use_nsswitch(abrt_helper_t)
-
- logging_send_syslog_msg(abrt_helper_t)
-
--miscfiles_read_localization(abrt_helper_t)
--
- term_dontaudit_use_all_ttys(abrt_helper_t)
- term_dontaudit_use_all_ptys(abrt_helper_t)
-
--ifdef(`hide_broken_symptoms', `
-+ifdef(`hide_broken_symptoms',`
-+ domain_dontaudit_leaks(abrt_helper_t)
- userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
- userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
- dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +330,149 @@ ifdef(`hide_broken_symptoms', `
- dev_dontaudit_write_all_chr_files(abrt_helper_t)
- dev_dontaudit_write_all_blk_files(abrt_helper_t)
- fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
-+
-+ optional_policy(`
-+ rpm_dontaudit_leaks(abrt_helper_t)
-+ ')
- ')
-+
-+ifdef(`hide_broken_symptoms',`
-+ gen_require(`
-+ attribute domain;
-+ ')
-+
-+ allow abrt_t self:capability sys_resource;
-+ allow abrt_t domain:file write;
-+ allow abrt_t domain:process setrlimit;
-+')
-+
-+#######################################
-+#
-+# abrt retrace coredump policy
-+#
-+
-+allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-+
-+list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+
-+list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+
-+corecmd_exec_bin(abrt_retrace_coredump_t)
-+corecmd_exec_shell(abrt_retrace_coredump_t)
-+
-+dev_read_urand(abrt_retrace_coredump_t)
-+
-+files_read_usr_files(abrt_retrace_coredump_t)
-+
-+logging_send_syslog_msg(abrt_retrace_coredump_t)
-+
-+sysnet_dns_name_resolve(abrt_retrace_coredump_t)
-+
-+# to install debuginfo packages
-+optional_policy(`
-+ rpm_exec(abrt_retrace_coredump_t)
-+ rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-+ rpm_manage_cache(abrt_retrace_coredump_t)
-+ rpm_manage_log(abrt_retrace_coredump_t)
-+ rpm_manage_pid_files(abrt_retrace_coredump_t)
-+ rpm_read_db(abrt_retrace_coredump_t)
-+ rpm_signull(abrt_retrace_coredump_t)
-+')
-+
-+#######################################
-+#
-+# abrt retrace worker policy
-+#
-+
-+allow abrt_retrace_worker_t self:capability { setuid };
-+
-+allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
-+
-+domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-+allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl;
-+
-+manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+
-+allow abrt_retrace_worker_t abrt_etc_t:file read_file_perms;
-+
-+can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
-+
-+corecmd_exec_bin(abrt_retrace_worker_t)
-+corecmd_exec_shell(abrt_retrace_worker_t)
-+
-+dev_read_urand(abrt_retrace_worker_t)
-+
-+files_read_usr_files(abrt_retrace_worker_t)
-+
-+logging_send_syslog_msg(abrt_retrace_worker_t)
-+
-+sysnet_dns_name_resolve(abrt_retrace_worker_t)
-+
-+optional_policy(`
-+ mock_domtrans(abrt_retrace_worker_t)
-+')
-+
-+########################################
-+#
-+# abrt_dump_oops local policy
-+#
-+
-+allow abrt_dump_oops_t self:capability dac_override;
-+allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
-+
-+files_search_spool(abrt_dump_oops_t)
-+manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
-+manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
-+manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
-+files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
-+
-+read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
-+read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
-+
-+read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
-+
-+kernel_read_debugfs(abrt_dump_oops_t)
-+kernel_read_kernel_sysctls(abrt_dump_oops_t)
-+kernel_read_ring_buffer(abrt_dump_oops_t)
-+
-+domain_use_interactive_fds(abrt_dump_oops_t)
-+
-+fs_list_inotifyfs(abrt_dump_oops_t)
-+
-+logging_read_generic_logs(abrt_dump_oops_t)
-+logging_send_syslog_msg(abrt_dump_oops_t)
-+
-+#######################################
-+#
-+# abrt_watch_log local policy
-+#
-+
-+allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
-+allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
-+
-+read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-+
-+domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
-+
-+corecmd_exec_bin(abrt_watch_log_t)
-+
-+logging_read_all_logs(abrt_watch_log_t)
-+logging_send_syslog_msg(abrt_watch_log_t)
-+
-+optional_policy(`
-+ unconfined_domain(abrt_watch_log_t)
-+')
-+
-+#######################################
-+#
-+# Local policy for all abrt domain
-+#
-+
-+files_read_etc_files(abrt_domain)
-diff --git a/accountsd.fc b/accountsd.fc
-index 1adca53..18e0e41 100644
---- a/accountsd.fc
-+++ b/accountsd.fc
-@@ -1,3 +1,5 @@
-+/usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0)
-+
- /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
-
- /var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
-diff --git a/accountsd.if b/accountsd.if
-index c0f858d..4a3dab6 100644
---- a/accountsd.if
-+++ b/accountsd.if
-@@ -5,9 +5,9 @@
- ## Execute a domain transition to run accountsd.
- ##
- ##
--##
-+##
- ## Domain allowed access.
--##
-+##
- ##
- #
- interface(`accountsd_domtrans',`
-@@ -25,7 +25,7 @@ interface(`accountsd_domtrans',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -93,6 +93,7 @@ interface(`accountsd_read_lib_files',`
- ')
-
- files_search_var_lib($1)
-+ allow $1 accountsd_var_lib_t:dir list_dir_perms;
- read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
- ')
-
-@@ -118,28 +119,54 @@ interface(`accountsd_manage_lib_files',`
-
- ########################################
- ##
--## All of the rules required to administrate
--## an accountsd environment
-+## Execute accountsd server in the accountsd domain.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
- ##
- ##
--##
-+#
-+interface(`accountsd_systemctl',`
-+ gen_require(`
-+ type accountsd_t;
-+ type accountsd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 accountsd_unit_file_t:file read_file_perms;
-+ allow $1 accountsd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, accountsd_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an accountsd environment
-+##
-+##
- ##
--## Role allowed access.
-+## Domain allowed access.
- ##
- ##
--##
- #
- interface(`accountsd_admin',`
- gen_require(`
- type accountsd_t;
-+ type accountsd_unit_file_t;
- ')
-
-- allow $1 accountsd_t:process { ptrace signal_perms getattr };
-+ allow $1 accountsd_t:process signal_perms;
- ps_process_pattern($1, accountsd_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 accountsd_t:process ptrace;
-+ ')
-+
- accountsd_manage_lib_files($1)
-+
-+ accountsd_systemctl($1)
-+ admin_pattern($1, accountsd_unit_file_t)
-+ allow $1 accountsd_unit_file_t:service all_service_perms;
- ')
-diff --git a/accountsd.te b/accountsd.te
-index 1632f10..074ebc9 100644
---- a/accountsd.te
-+++ b/accountsd.te
-@@ -1,5 +1,9 @@
- policy_module(accountsd, 1.0.0)
-
-+gen_require(`
-+ class passwd { passwd chfn chsh rootok crontab };
-+')
-+
- ########################################
- #
- # Declarations
-@@ -7,37 +11,48 @@ policy_module(accountsd, 1.0.0)
-
- type accountsd_t;
- type accountsd_exec_t;
--dbus_system_domain(accountsd_t, accountsd_exec_t)
-+init_daemon_domain(accountsd_t, accountsd_exec_t)
-+role system_r types accountsd_t;
-
- type accountsd_var_lib_t;
- files_type(accountsd_var_lib_t)
-
-+type accountsd_unit_file_t;
-+systemd_unit_file(accountsd_unit_file_t)
-+
- ########################################
- #
- # accountsd local policy
- #
-
--allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
-+allow accountsd_t self:capability { chown dac_override setuid setgid };
-+allow accountsd_t self:process signal;
- allow accountsd_t self:fifo_file rw_fifo_file_perms;
-+allow accountsd_t self:passwd { rootok passwd chfn chsh };
-
- manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
- manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
- files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir })
-
-+kernel_read_system_state(accountsd_t)
- kernel_read_kernel_sysctls(accountsd_t)
-
- corecmd_exec_bin(accountsd_t)
-
-+dev_read_sysfs(accountsd_t)
-+
- files_read_usr_files(accountsd_t)
- files_read_mnt_files(accountsd_t)
-
- fs_list_inotifyfs(accountsd_t)
-+fs_getattr_xattr_fs(accountsd_t)
- fs_read_noxattr_fs_files(accountsd_t)
-
- auth_use_nsswitch(accountsd_t)
- auth_read_shadow(accountsd_t)
-+auth_read_login_records(accountsd_t)
-
--miscfiles_read_localization(accountsd_t)
-+init_dbus_chat(accountsd_t)
-
- logging_send_syslog_msg(accountsd_t)
- logging_set_loginuid(accountsd_t)
-@@ -50,8 +65,20 @@ usermanage_domtrans_passwd(accountsd_t)
-
- optional_policy(`
- consolekit_read_log(accountsd_t)
-+ consolekit_dbus_chat(accountsd_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_domain(accountsd_t, accountsd_exec_t)
- ')
-
- optional_policy(`
- policykit_dbus_chat(accountsd_t)
- ')
-+
-+optional_policy(`
-+ xserver_read_xdm_tmp_files(accountsd_t)
-+ xserver_read_state_xdm(accountsd_t)
-+ xserver_dbus_chat_xdm(accountsd_t)
-+ xserver_manage_xdm_etc_files(accountsd_t)
-+')
-diff --git a/acct.if b/acct.if
-index e66c296..993a1e9 100644
---- a/acct.if
-+++ b/acct.if
-@@ -78,3 +78,21 @@ interface(`acct_manage_data',`
- manage_files_pattern($1, acct_data_t, acct_data_t)
- manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
- ')
-+
-+########################################
-+##
-+## Dontaudit Attempts to list acct_data directory
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`acct_dontaudit_list_data',`
-+ gen_require(`
-+ type acct_data_t;
-+ ')
-+
-+ dontaudit $1 acct_data_t:dir list_dir_perms;
-+')
-diff --git a/acct.te b/acct.te
-index 63ef90e..31f524e 100644
---- a/acct.te
-+++ b/acct.te
-@@ -49,20 +49,19 @@ corecmd_exec_shell(acct_t)
-
- domain_use_interactive_fds(acct_t)
-
--files_read_etc_files(acct_t)
- files_read_etc_runtime_files(acct_t)
- files_list_usr(acct_t)
- # for nscd
- files_dontaudit_search_pids(acct_t)
-
-+auth_use_nsswitch(acct_t)
-+
- init_use_fds(acct_t)
- init_use_script_ptys(acct_t)
- init_exec_script_files(acct_t)
-
- logging_send_syslog_msg(acct_t)
-
--miscfiles_read_localization(acct_t)
--
- userdom_dontaudit_use_unpriv_user_fds(acct_t)
- userdom_dontaudit_search_user_home_dirs(acct_t)
-
-diff --git a/ada.te b/ada.te
-index 39c75fb..057d8b1 100644
---- a/ada.te
-+++ b/ada.te
-@@ -17,7 +17,7 @@ role system_r types ada_t;
-
- allow ada_t self:process { execstack execmem };
-
--userdom_use_user_terminals(ada_t)
-+userdom_use_inherited_user_terminals(ada_t)
-
- optional_policy(`
- unconfined_domain(ada_t)
-diff --git a/afs.if b/afs.if
-index 8559cdc..641044e 100644
---- a/afs.if
-+++ b/afs.if
-@@ -97,8 +97,12 @@ interface(`afs_admin',`
- type afs_t, afs_initrc_exec_t;
- ')
-
-- allow $1 afs_t:process { ptrace signal_perms getattr };
-- read_files_pattern($1, afs_t, afs_t)
-+ allow $1 afs_t:process signal_perms;
-+ ps_process_pattern($1, afs_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 afs_t:process ptrace;
-+ ')
-
- # Allow afs_admin to restart the afs service
- afs_initrc_domtrans($1)
-diff --git a/afs.te b/afs.te
-index a496fde..8170a8c 100644
---- a/afs.te
-+++ b/afs.te
-@@ -71,6 +71,7 @@ role system_r types afs_vlserver_t;
- #
-
- allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
-+dontaudit afs_t self:capability dac_override;
- allow afs_t self:process { setsched signal };
- allow afs_t self:udp_socket create_socket_perms;
- allow afs_t self:fifo_file rw_file_perms;
-@@ -82,7 +83,6 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
-
- kernel_rw_afs_state(afs_t)
-
--corenet_all_recvfrom_unlabeled(afs_t)
- corenet_all_recvfrom_netlabel(afs_t)
- corenet_tcp_sendrecv_generic_if(afs_t)
- corenet_udp_sendrecv_generic_if(afs_t)
-@@ -103,10 +103,12 @@ fs_read_nfs_symlinks(afs_t)
-
- logging_send_syslog_msg(afs_t)
-
--miscfiles_read_localization(afs_t)
--
- sysnet_dns_name_resolve(afs_t)
-
-+ifdef(`hide_broken_symptoms',`
-+ kernel_rw_unlabeled_files(afs_t)
-+')
-+
- ########################################
- #
- # AFS bossserver local policy
-@@ -140,7 +142,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
-
- kernel_read_kernel_sysctls(afs_bosserver_t)
-
--corenet_all_recvfrom_unlabeled(afs_bosserver_t)
- corenet_all_recvfrom_netlabel(afs_bosserver_t)
- corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
- corenet_udp_sendrecv_generic_if(afs_bosserver_t)
-@@ -156,7 +157,6 @@ files_read_etc_files(afs_bosserver_t)
- files_list_home(afs_bosserver_t)
- files_read_usr_files(afs_bosserver_t)
-
--miscfiles_read_localization(afs_bosserver_t)
-
- seutil_read_config(afs_bosserver_t)
-
-@@ -202,7 +202,6 @@ corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
- corenet_udp_sendrecv_generic_node(afs_fsserver_t)
- corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
- corenet_udp_sendrecv_all_ports(afs_fsserver_t)
--corenet_all_recvfrom_unlabeled(afs_fsserver_t)
- corenet_all_recvfrom_netlabel(afs_fsserver_t)
- corenet_tcp_bind_generic_node(afs_fsserver_t)
- corenet_udp_bind_generic_node(afs_fsserver_t)
-@@ -225,8 +224,6 @@ init_dontaudit_use_script_fds(afs_fsserver_t)
-
- logging_send_syslog_msg(afs_fsserver_t)
-
--miscfiles_read_localization(afs_fsserver_t)
--
- seutil_read_config(afs_fsserver_t)
-
- sysnet_read_config(afs_fsserver_t)
-@@ -252,7 +249,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
-
- kernel_read_kernel_sysctls(afs_kaserver_t)
-
--corenet_all_recvfrom_unlabeled(afs_kaserver_t)
- corenet_all_recvfrom_netlabel(afs_kaserver_t)
- corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
- corenet_udp_sendrecv_generic_if(afs_kaserver_t)
-@@ -270,7 +266,6 @@ files_read_etc_files(afs_kaserver_t)
- files_list_home(afs_kaserver_t)
- files_read_usr_files(afs_kaserver_t)
-
--miscfiles_read_localization(afs_kaserver_t)
-
- seutil_read_config(afs_kaserver_t)
-
-@@ -296,7 +291,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
- manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
- filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
-
--corenet_all_recvfrom_unlabeled(afs_ptserver_t)
- corenet_all_recvfrom_netlabel(afs_ptserver_t)
- corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
- corenet_udp_sendrecv_generic_if(afs_ptserver_t)
-@@ -310,7 +304,6 @@ corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
-
- files_read_etc_files(afs_ptserver_t)
-
--miscfiles_read_localization(afs_ptserver_t)
-
- sysnet_read_config(afs_ptserver_t)
-
-@@ -334,7 +327,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
- manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
- filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
-
--corenet_all_recvfrom_unlabeled(afs_vlserver_t)
- corenet_all_recvfrom_netlabel(afs_vlserver_t)
- corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
- corenet_udp_sendrecv_generic_if(afs_vlserver_t)
-@@ -348,7 +340,6 @@ corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
-
- files_read_etc_files(afs_vlserver_t)
-
--miscfiles_read_localization(afs_vlserver_t)
-
- sysnet_read_config(afs_vlserver_t)
-
-diff --git a/aiccu.if b/aiccu.if
-index 184c9a8..8f77bf5 100644
---- a/aiccu.if
-+++ b/aiccu.if
-@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
- type aiccu_var_run_t;
- ')
-
-- allow $1 aiccu_t:process { ptrace signal_perms };
-+ allow $1 aiccu_t:process signal_perms;
- ps_process_pattern($1, aiccu_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 aiccu_t:process ptrace;
-+ ')
-+
- aiccu_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 aiccu_initrc_exec_t system_r;
-diff --git a/aiccu.te b/aiccu.te
-index 6d685ba..5a3021d 100644
---- a/aiccu.te
-+++ b/aiccu.te
-@@ -44,10 +44,11 @@ kernel_read_system_state(aiccu_t)
- corecmd_exec_shell(aiccu_t)
-
- corenet_all_recvfrom_netlabel(aiccu_t)
--corenet_all_recvfrom_unlabeled(aiccu_t)
-+corenet_tcp_bind_generic_node(aiccu_t)
- corenet_tcp_sendrecv_generic_if(aiccu_t)
- corenet_tcp_sendrecv_generic_node(aiccu_t)
- corenet_tcp_sendrecv_generic_port(aiccu_t)
-+corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
- corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
- corenet_tcp_bind_generic_node(aiccu_t)
- corenet_tcp_connect_sixxsconfig_port(aiccu_t)
-@@ -62,9 +63,9 @@ dev_read_urand(aiccu_t)
-
- files_read_etc_files(aiccu_t)
-
--logging_send_syslog_msg(aiccu_t)
-+auth_read_passwd(aiccu_t)
-
--miscfiles_read_localization(aiccu_t)
-+logging_send_syslog_msg(aiccu_t)
-
- optional_policy(`
- modutils_domtrans_insmod(aiccu_t)
-diff --git a/aide.fc b/aide.fc
-index 7798464..62ccdc6 100644
---- a/aide.fc
-+++ b/aide.fc
-@@ -3,4 +3,4 @@
- /var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
-
- /var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
--/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
-+/var/log/aide\.log.* -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
-diff --git a/aide.if b/aide.if
-index 838d25b..33981e0 100644
---- a/aide.if
-+++ b/aide.if
-@@ -60,9 +60,13 @@ interface(`aide_admin',`
- type aide_t, aide_db_t, aide_log_t;
- ')
-
-- allow $1 aide_t:process { ptrace signal_perms };
-+ allow $1 aide_t:process signal_perms;
- ps_process_pattern($1, aide_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 aide_t:process ptrace;
-+ ')
-+
- files_list_etc($1)
- admin_pattern($1, aide_db_t)
-
-diff --git a/aide.te b/aide.te
-index 2509dd2..88d5615 100644
---- a/aide.te
-+++ b/aide.te
-@@ -8,6 +8,7 @@ policy_module(aide, 1.6.0)
- type aide_t;
- type aide_exec_t;
- application_domain(aide_t, aide_exec_t)
-+cron_system_entry(aide_t, aide_exec_t)
-
- # log files
- type aide_log_t;
-@@ -32,6 +33,13 @@ manage_files_pattern(aide_t, aide_log_t, aide_log_t)
- logging_log_filetrans(aide_t, aide_log_t, file)
-
- files_read_all_files(aide_t)
-+files_read_boot_symlinks(aide_t)
-+files_read_all_symlinks(aide_t)
-+files_getattr_all_pipes(aide_t)
-+files_getattr_all_sockets(aide_t)
-+
-+mls_file_read_to_clearance(aide_t)
-+mls_file_write_to_clearance(aide_t)
-
- logging_send_audit_msgs(aide_t)
- # AIDE can be configured to log to syslog
-@@ -39,4 +47,4 @@ logging_send_syslog_msg(aide_t)
-
- seutil_use_newrole_fds(aide_t)
-
--userdom_use_user_terminals(aide_t)
-+userdom_use_inherited_user_terminals(aide_t)
-diff --git a/aisexec.fc b/aisexec.fc
-index 7b4f4b9..9c2daa5 100644
---- a/aisexec.fc
-+++ b/aisexec.fc
-@@ -4,6 +4,6 @@
-
- /var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0)
-
--/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
-+/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
-
- /var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
-diff --git a/aisexec.if b/aisexec.if
-index 0370dba..c2d68a4 100644
---- a/aisexec.if
-+++ b/aisexec.if
-@@ -82,9 +82,13 @@ interface(`aisexecd_admin',`
- type aisexec_initrc_exec_t;
- ')
-
-- allow $1 aisexec_t:process { ptrace signal_perms };
-+ allow $1 aisexec_t:process signal_perms;
- ps_process_pattern($1, aisexec_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 aisexec_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 aisexec_initrc_exec_t system_r;
-diff --git a/aisexec.te b/aisexec.te
-index 50b9b48..bd0ccb4 100644
---- a/aisexec.te
-+++ b/aisexec.te
-@@ -64,6 +64,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
- kernel_read_system_state(aisexec_t)
-
- corecmd_exec_bin(aisexec_t)
-+corecmd_exec_shell(aisexec_t)
-
- corenet_udp_bind_netsupport_port(aisexec_t)
- corenet_tcp_bind_reserved_port(aisexec_t)
-@@ -79,8 +80,6 @@ init_rw_script_tmp_files(aisexec_t)
-
- logging_send_syslog_msg(aisexec_t)
-
--miscfiles_read_localization(aisexec_t)
--
- userdom_rw_unpriv_user_semaphores(aisexec_t)
- userdom_rw_unpriv_user_shared_mem(aisexec_t)
-
-@@ -89,6 +88,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ corosync_domtrans(aisexec_t)
-+')
-+
-+optional_policy(`
- # to communication with RHCS
- rhcs_rw_dlm_controld_semaphores(aisexec_t)
-
-diff --git a/ajaxterm.fc b/ajaxterm.fc
-new file mode 100644
-index 0000000..aeb1888
---- /dev/null
-+++ b/ajaxterm.fc
-@@ -0,0 +1,6 @@
-+
-+/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
-+
-+/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0)
-+
-+/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
-diff --git a/ajaxterm.if b/ajaxterm.if
-new file mode 100644
-index 0000000..7abe946
---- /dev/null
-+++ b/ajaxterm.if
-@@ -0,0 +1,90 @@
-+## policy for ajaxterm
-+
-+########################################
-+##
-+## Execute a domain transition to run ajaxterm.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ajaxterm_domtrans',`
-+ gen_require(`
-+ type ajaxterm_t, ajaxterm_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
-+')
-+
-+########################################
-+##
-+## Execute ajaxterm server in the ajaxterm domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ajaxterm_initrc_domtrans',`
-+ gen_require(`
-+ type ajaxterm_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
-+')
-+
-+#######################################
-+##
-+## Read and write the ajaxterm pty type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ajaxterm_rw_ptys',`
-+ gen_require(`
-+ type ajaxterm_devpts_t;
-+ ')
-+
-+ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an ajaxterm environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`ajaxterm_admin',`
-+ gen_require(`
-+ type ajaxterm_t, ajaxterm_initrc_exec_t;
-+ ')
-+
-+ allow $1 ajaxterm_t:process signal_perms;
-+ ps_process_pattern($1, ajaxterm_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ajaxterm_t:process ptrace;
-+ ')
-+
-+ ajaxterm_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 ajaxterm_initrc_exec_t system_r;
-+ allow $2 system_r;
-+')
-diff --git a/ajaxterm.te b/ajaxterm.te
-new file mode 100644
-index 0000000..8ba128b
---- /dev/null
-+++ b/ajaxterm.te
-@@ -0,0 +1,62 @@
-+policy_module(ajaxterm, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type ajaxterm_t;
-+type ajaxterm_exec_t;
-+init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
-+
-+type ajaxterm_initrc_exec_t;
-+init_script_file(ajaxterm_initrc_exec_t)
-+
-+type ajaxterm_var_run_t;
-+files_pid_file(ajaxterm_var_run_t)
-+
-+type ajaxterm_devpts_t;
-+term_login_pty(ajaxterm_devpts_t)
-+
-+########################################
-+#
-+# ajaxterm local policy
-+#
-+allow ajaxterm_t self:capability setuid;
-+allow ajaxterm_t self:process { setpgid signal };
-+allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
-+allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
-+allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
-+
-+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
-+term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
-+
-+manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
-+manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
-+files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
-+
-+kernel_read_system_state(ajaxterm_t)
-+
-+corecmd_exec_bin(ajaxterm_t)
-+
-+corenet_tcp_bind_generic_node(ajaxterm_t)
-+corenet_tcp_bind_ajaxterm_port(ajaxterm_t)
-+
-+dev_read_urand(ajaxterm_t)
-+
-+domain_use_interactive_fds(ajaxterm_t)
-+
-+files_read_etc_files(ajaxterm_t)
-+files_read_usr_files(ajaxterm_t)
-+
-+sysnet_dns_name_resolve(ajaxterm_t)
-+
-+#######################################
-+#
-+# SSH component local policy
-+#
-+
-+optional_policy(`
-+ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
-+')
-+
-diff --git a/alsa.fc b/alsa.fc
-index d362d9c..230a2f6 100644
---- a/alsa.fc
-+++ b/alsa.fc
-@@ -11,10 +11,14 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
- /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
-
- /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
-+/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
-
- /usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
-+/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
-
- /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
- /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-
- /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
-+
-+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
-diff --git a/alsa.if b/alsa.if
-index 1392679..64e685f 100644
---- a/alsa.if
-+++ b/alsa.if
-@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',`
-
- userdom_search_user_home_dirs($1)
- allow $1 alsa_home_t:file manage_file_perms;
-+ alsa_filetrans_home_content($1)
- ')
-
- ########################################
-@@ -206,3 +207,69 @@ interface(`alsa_read_lib',`
- files_search_var_lib($1)
- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
- ')
-+
-+########################################
-+##
-+## Transition to alsa named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`alsa_filetrans_home_content',`
-+ gen_require(`
-+ type alsa_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
-+')
-+
-+########################################
-+##
-+## Transition to alsa named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`alsa_filetrans_named_content',`
-+ gen_require(`
-+ type alsa_home_t;
-+ type alsa_etc_rw_t;
-+ type alsa_var_lib_t;
-+ ')
-+
-+ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
-+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
-+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
-+ files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
-+ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
-+ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
-+')
-+
-+########################################
-+##
-+## Execute alsa server in the alsa domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`alsa_systemctl',`
-+ gen_require(`
-+ type alsa_t;
-+ type alsa_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 alsa_unit_file_t:file read_file_perms;
-+ allow $1 alsa_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, alsa_t)
-+')
-diff --git a/alsa.te b/alsa.te
-index dc1b088..33678e4 100644
---- a/alsa.te
-+++ b/alsa.te
-@@ -22,6 +22,9 @@ files_type(alsa_var_lib_t)
- type alsa_home_t;
- userdom_user_home_content(alsa_home_t)
-
-+type alsa_unit_file_t;
-+systemd_unit_file(alsa_unit_file_t)
-+
- ########################################
- #
- # Local policy
-@@ -59,7 +62,6 @@ dev_read_sysfs(alsa_t)
-
- corecmd_exec_bin(alsa_t)
-
--files_read_etc_files(alsa_t)
- files_read_usr_files(alsa_t)
-
- term_dontaudit_use_console(alsa_t)
-@@ -72,8 +74,6 @@ init_use_fds(alsa_t)
-
- logging_send_syslog_msg(alsa_t)
-
--miscfiles_read_localization(alsa_t)
--
- userdom_manage_unpriv_user_semaphores(alsa_t)
- userdom_manage_unpriv_user_shared_mem(alsa_t)
- userdom_search_user_home_dirs(alsa_t)
-diff --git a/amanda.te b/amanda.te
-index d8b5abe..a4f5d3a 100644
---- a/amanda.te
-+++ b/amanda.te
-@@ -58,7 +58,7 @@ optional_policy(`
- #
-
- allow amanda_t self:capability { chown dac_override setuid kill };
--allow amanda_t self:process { setpgid signal };
-+allow amanda_t self:process { getsched setsched setpgid signal };
- allow amanda_t self:fifo_file rw_fifo_file_perms;
- allow amanda_t self:unix_stream_socket create_stream_socket_perms;
- allow amanda_t self:unix_dgram_socket create_socket_perms;
-@@ -71,6 +71,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
-
- manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
- manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
-+manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
- filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
-
- allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -101,7 +102,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
- corecmd_exec_shell(amanda_t)
- corecmd_exec_bin(amanda_t)
-
--corenet_all_recvfrom_unlabeled(amanda_t)
- corenet_all_recvfrom_netlabel(amanda_t)
- corenet_tcp_sendrecv_generic_if(amanda_t)
- corenet_udp_sendrecv_generic_if(amanda_t)
-@@ -120,7 +120,6 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
- dev_getattr_all_blk_files(amanda_t)
- dev_getattr_all_chr_files(amanda_t)
-
--files_read_etc_files(amanda_t)
- files_read_etc_runtime_files(amanda_t)
- files_list_all(amanda_t)
- files_read_all_files(amanda_t)
-@@ -177,7 +176,6 @@ kernel_read_kernel_sysctls(amanda_recover_t)
- corecmd_exec_shell(amanda_recover_t)
- corecmd_exec_bin(amanda_recover_t)
-
--corenet_all_recvfrom_unlabeled(amanda_recover_t)
- corenet_all_recvfrom_netlabel(amanda_recover_t)
- corenet_tcp_sendrecv_generic_if(amanda_recover_t)
- corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -193,7 +191,6 @@ corenet_sendrecv_amanda_client_packets(amanda_recover_t)
-
- domain_use_interactive_fds(amanda_recover_t)
-
--files_read_etc_files(amanda_recover_t)
- files_read_etc_runtime_files(amanda_recover_t)
- files_search_tmp(amanda_recover_t)
- files_search_pids(amanda_recover_t)
-@@ -205,7 +202,11 @@ fstools_signal(amanda_t)
-
- logging_search_logs(amanda_recover_t)
-
--miscfiles_read_localization(amanda_recover_t)
-
--userdom_use_user_terminals(amanda_recover_t)
-+userdom_use_inherited_user_terminals(amanda_recover_t)
- userdom_search_user_home_content(amanda_recover_t)
-+
-+optional_policy(`
-+ fstools_domtrans(amanda_t)
-+ fstools_signal(amanda_t)
-+')
-diff --git a/amavis.fc b/amavis.fc
-index 446ee16..2346f65 100644
---- a/amavis.fc
-+++ b/amavis.fc
-@@ -2,6 +2,7 @@
- /etc/amavis(d)?\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0)
- /etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0)
- /etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
-
- /usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
- /usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
-@@ -12,7 +13,7 @@ ifdef(`distro_debian',`
-
- /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
- /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
--/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
-+/var/log/amavisd\.log.* -- gen_context(system_u:object_r:amavis_var_log_t,s0)
- /var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
- /var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
- /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
-diff --git a/amavis.if b/amavis.if
-index e31d92a..5cb091a 100644
---- a/amavis.if
-+++ b/amavis.if
-@@ -57,6 +57,7 @@ interface(`amavis_read_spool_files',`
-
- files_search_spool($1)
- read_files_pattern($1, amavis_spool_t, amavis_spool_t)
-+ allow $1 amavis_spool_t:dir list_dir_perms;
- ')
-
- ########################################
-@@ -150,6 +151,26 @@ interface(`amavis_read_lib_files',`
-
- ########################################
- ##
-+## Read and write amavis lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`amavis_rw_lib_files',`
-+ gen_require(`
-+ type amavis_var_lib_t;
-+ ')
-+
-+ rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
-+ allow $1 amavis_var_lib_t:dir list_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
- ## Create, read, write, and delete
- ## amavis lib files.
- ##
-@@ -202,6 +223,7 @@ interface(`amavis_create_pid_files',`
- type amavis_var_run_t;
- ')
-
-+ allow $1 amavis_var_run_t:dir rw_dir_perms;
- allow $1 amavis_var_run_t:file create_file_perms;
- files_search_pids($1)
- ')
-@@ -231,9 +253,13 @@ interface(`amavis_admin',`
- type amavis_initrc_exec_t;
- ')
-
-- allow $1 amavis_t:process { ptrace signal_perms };
-+ allow $1 amavis_t:process signal_perms;
- ps_process_pattern($1, amavis_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 amavis_t:process ptrace;
-+ ')
-+
- amavis_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 amavis_initrc_exec_t system_r;
-diff --git a/amavis.te b/amavis.te
-index 505309b..58c37b3 100644
---- a/amavis.te
-+++ b/amavis.te
-@@ -5,6 +5,13 @@ policy_module(amavis, 1.14.0)
- # Declarations
- #
-
-+##
-+##
-+## Allow amavis to use JIT compiler
-+##
-+##
-+gen_tunable(amavis_use_jit, false)
-+
- type amavis_t;
- type amavis_exec_t;
- domain_type(amavis_t)
-@@ -38,7 +45,7 @@ type amavis_quarantine_t;
- files_type(amavis_quarantine_t)
-
- type amavis_spool_t;
--files_type(amavis_spool_t)
-+files_spool_file(amavis_spool_t)
-
- ########################################
- #
-@@ -49,7 +56,7 @@ allow amavis_t self:capability { kill chown dac_override setgid setuid };
- dontaudit amavis_t self:capability sys_tty_config;
- allow amavis_t self:process { signal sigchld sigkill signull };
- allow amavis_t self:fifo_file rw_fifo_file_perms;
--allow amavis_t self:unix_stream_socket create_stream_socket_perms;
-+allow amavis_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow amavis_t self:unix_dgram_socket create_socket_perms;
- allow amavis_t self:tcp_socket { listen accept };
- allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -75,9 +82,11 @@ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
- files_search_spool(amavis_t)
-
- # tmp files
-+manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
- manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
-+manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
- allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
--files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
-+files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )
-
- # var/lib files for amavis
- manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
-@@ -98,16 +107,15 @@ manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
- files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file })
-
- kernel_read_kernel_sysctls(amavis_t)
-+kernel_read_system_state(amavis_t)
- # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
- kernel_dontaudit_list_proc(amavis_t)
- kernel_dontaudit_read_proc_symlinks(amavis_t)
--kernel_dontaudit_read_system_state(amavis_t)
-
- # find perl
- corecmd_exec_bin(amavis_t)
- corecmd_exec_shell(amavis_t)
-
--corenet_all_recvfrom_unlabeled(amavis_t)
- corenet_all_recvfrom_netlabel(amavis_t)
- corenet_tcp_sendrecv_generic_if(amavis_t)
- corenet_tcp_sendrecv_generic_node(amavis_t)
-@@ -125,20 +133,24 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t)
- corenet_udp_bind_generic_port(amavis_t)
- corenet_dontaudit_udp_bind_all_ports(amavis_t)
- corenet_tcp_connect_razor_port(amavis_t)
-+corenet_tcp_connect_agentx_port(amavis_t)
-
- dev_read_rand(amavis_t)
- dev_read_urand(amavis_t)
-+dev_read_sysfs(amavis_t)
-
- domain_use_interactive_fds(amavis_t)
-+domain_dontaudit_read_all_domains_state(amavis_t)
-
--files_read_etc_files(amavis_t)
- files_read_etc_runtime_files(amavis_t)
- files_read_usr_files(amavis_t)
-
- fs_getattr_xattr_fs(amavis_t)
-
-+auth_use_nsswitch(amavis_t)
- auth_dontaudit_read_shadow(amavis_t)
-
-+init_read_state(amavis_t)
- # uses uptime which reads utmp - redhat bug 561383
- init_read_utmp(amavis_t)
- init_stream_connect_script(amavis_t)
-@@ -146,23 +158,32 @@ init_stream_connect_script(amavis_t)
- logging_send_syslog_msg(amavis_t)
-
- miscfiles_read_generic_certs(amavis_t)
--miscfiles_read_localization(amavis_t)
-
--sysnet_dns_name_resolve(amavis_t)
- sysnet_use_ldap(amavis_t)
-
- userdom_dontaudit_search_user_home_dirs(amavis_t)
-
--# Cron handling
--cron_use_fds(amavis_t)
--cron_use_system_job_fds(amavis_t)
--cron_rw_pipes(amavis_t)
-+tunable_policy(`amavis_use_jit',`
-+ allow amavis_t self:process execmem;
-+',`
-+ dontaudit amavis_t self:process execmem;
-+')
-
--mta_read_config(amavis_t)
-+optional_policy(`
-+ antivirus_domain_template(amavis_t)
-+')
-
- optional_policy(`
- clamav_stream_connect(amavis_t)
- clamav_domtrans_clamscan(amavis_t)
-+ clamav_read_state_clamd(amavis_t)
-+')
-+
-+optional_policy(`
-+ #Cron handling
-+ cron_use_fds(amavis_t)
-+ cron_use_system_job_fds(amavis_t)
-+ cron_rw_pipes(amavis_t)
- ')
-
- optional_policy(`
-@@ -171,11 +192,16 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ mta_read_config(amavis_t)
-+')
-+
-+optional_policy(`
- nslcd_stream_connect(amavis_t)
- ')
-
- optional_policy(`
- postfix_read_config(amavis_t)
-+ postfix_list_spool(amavis_t)
- ')
-
- optional_policy(`
-@@ -188,6 +214,12 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ snmp_manage_var_lib_files(amavis_t)
-+ snmp_manage_var_lib_dirs(amavis_t)
-+ snmp_stream_connect(amavis_t)
-+')
-+
-+optional_policy(`
- spamassassin_exec(amavis_t)
- spamassassin_exec_client(amavis_t)
- spamassassin_read_lib_files(amavis_t)
-diff --git a/amtu.te b/amtu.te
-index 057abb0..c75e9e9 100644
---- a/amtu.te
-+++ b/amtu.te
-@@ -23,7 +23,7 @@ files_read_etc_files(amtu_t)
-
- logging_send_audit_msgs(amtu_t)
-
--userdom_use_user_terminals(amtu_t)
-+userdom_use_inherited_user_terminals(amtu_t)
-
- optional_policy(`
- nscd_dontaudit_search_pid(amtu_t)
-diff --git a/anaconda.te b/anaconda.te
-index e81bdbd..e3a396b 100644
---- a/anaconda.te
-+++ b/anaconda.te
-@@ -1,5 +1,9 @@
- policy_module(anaconda, 1.6.0)
-
-+gen_require(`
-+ class passwd { passwd chfn chsh rootok crontab };
-+')
-+
- ########################################
- #
- # Declarations
-@@ -17,27 +21,23 @@ role system_r types anaconda_t;
- #
-
- allow anaconda_t self:process execmem;
-+allow anaconda_t self:passwd { rootok passwd chfn chsh };
-
- kernel_domtrans_to(anaconda_t, anaconda_exec_t)
-
- init_domtrans_script(anaconda_t)
-
--libs_domtrans_ldconfig(anaconda_t)
--
- logging_send_syslog_msg(anaconda_t)
-
- modutils_domtrans_insmod(anaconda_t)
- modutils_domtrans_depmod(anaconda_t)
-
- seutil_domtrans_semanage(anaconda_t)
-+seutil_domtrans_setsebool(anaconda_t)
-
- userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
-
- optional_policy(`
-- kudzu_domtrans(anaconda_t)
--')
--
--optional_policy(`
- rpm_domtrans(anaconda_t)
- rpm_domtrans_script(anaconda_t)
- ')
-@@ -51,9 +51,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- unconfined_domain(anaconda_t)
-+ unconfined_domain_noaudit(anaconda_t)
- ')
-
--optional_policy(`
-- usermanage_domtrans_admin_passwd(anaconda_t)
--')
-diff --git a/antivirus.fc b/antivirus.fc
-new file mode 100644
-index 0000000..e9a09f0
---- /dev/null
-+++ b/antivirus.fc
-@@ -0,0 +1 @@
-+/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-diff --git a/antivirus.if b/antivirus.if
-new file mode 100644
-index 0000000..fe0cdf0
---- /dev/null
-+++ b/antivirus.if
-@@ -0,0 +1,20 @@
-+## SELinux policy for antivirus programs.
-+
-+######################################
-+##
-+## Creates types and rules for a basic
-+## antivirus domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+interface(`antivirus_domain_template',`
-+ gen_require(`
-+ attribute antivirus_domain;
-+ ')
-+
-+ typeattribute $1 antivirus_domain;
-+')
-diff --git a/antivirus.te b/antivirus.te
-new file mode 100644
-index 0000000..feabdf3
---- /dev/null
-+++ b/antivirus.te
-@@ -0,0 +1,36 @@
-+policy_module(antivirus, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+##
-+##
-+## Allow antivirus programs to read non security files on a system
-+##
-+##
-+gen_tunable(antivirus_can_scan_system, false)
-+
-+attribute antivirus_domain;
-+
-+type antivirus_db_t;
-+files_type(antivirus_db_t)
-+
-+########################################
-+#
-+# antivirus domain local policy
-+#
-+
-+manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
-+manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
-+
-+optional_policy(`
-+ amavis_manage_spool_files(antivirus_domain)
-+')
-+
-+tunable_policy(`antivirus_can_scan_system',`
-+ files_read_non_security_files(antivirus_domain)
-+ files_getattr_all_pipes(antivirus_domain)
-+ files_getattr_all_sockets(antivirus_domain)
-+')
-diff --git a/apache.fc b/apache.fc
-index fd9fa07..cca43af 100644
---- a/apache.fc
-+++ b/apache.fc
-@@ -1,20 +1,37 @@
- HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
-+HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
-+HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
-
- /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
- /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
--/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/owncloud/config\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
- /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
- /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
- /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
-+/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
- /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
- /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-
- /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
-+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+
-+/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-+/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-+
-+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
-
- /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -22,20 +39,25 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
- /usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
- /usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
-
-+/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+
- /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
- /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
--/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
--/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
--/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
--/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
--/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-+/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-+/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-+/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-+/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-+/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-+/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-
- /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
- /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
- /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
- /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
- /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
- /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-
-@@ -43,8 +65,9 @@ ifdef(`distro_suse', `
- /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
- ')
-
--/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+
- /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -54,9 +77,13 @@ ifdef(`distro_suse', `
- /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
- /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
- /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- /usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-
- /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
- /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,31 +100,50 @@ ifdef(`distro_suse', `
- /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
-
- /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
- /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
--/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
- /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
- /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-+/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-+/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-
- /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
- /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
- /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
- /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--
-+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- ifdef(`distro_debian', `
- /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
- ')
-
-+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+
- /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
- /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
- /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
- /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
- /var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
- /var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
-
- /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-@@ -109,3 +155,34 @@ ifdef(`distro_debian', `
- /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
- /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+
-+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+
-+/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-+/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-+
-+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+
-+/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+
-+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+
-+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+
-+/var/www/openshift/console/tmp(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
-+/var/www/openshift/console/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+
-+/var/www/openshift/broker/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/www/openshift/console/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/www/openshift/broker/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/www/openshift/console/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-+
-+/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+
-+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+
-+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-diff --git a/apache.if b/apache.if
-index 6480167..7b2ad39 100644
---- a/apache.if
-+++ b/apache.if
-@@ -13,68 +13,55 @@
- #
- template(`apache_content_template',`
- gen_require(`
-- attribute httpdcontent;
-- attribute httpd_exec_scripts;
-- attribute httpd_script_exec_type;
-+ attribute httpd_exec_scripts, httpd_script_exec_type;
- type httpd_t, httpd_suexec_t, httpd_log_t;
-+ type httpd_sys_content_t;
-+ attribute httpd_script_type, httpd_content_type;
- ')
-- # allow write access to public file transfer
-- # services files.
-- gen_tunable(allow_httpd_$1_script_anon_write, false)
-
- #This type is for webpages
-- type httpd_$1_content_t, httpdcontent; # customizable
-+ type httpd_$1_content_t; # customizable;
-+ typeattribute httpd_$1_content_t httpd_content_type;
- typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
- files_type(httpd_$1_content_t)
-
- # This type is used for .htaccess files
-- type httpd_$1_htaccess_t; # customizable;
-+ type httpd_$1_htaccess_t, httpd_content_type; # customizable;
-+ typeattribute httpd_$1_htaccess_t httpd_content_type;
- files_type(httpd_$1_htaccess_t)
-
- # Type that CGI scripts run as
-- type httpd_$1_script_t;
-+ type httpd_$1_script_t, httpd_script_type;
- domain_type(httpd_$1_script_t)
- role system_r types httpd_$1_script_t;
-
-+ kernel_read_system_state(httpd_$1_script_t)
-+
- # This type is used for executable scripts files
- type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
-- corecmd_shell_entry_type(httpd_$1_script_t)
-+ typeattribute httpd_$1_script_exec_t httpd_content_type;
- domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
-
-- type httpd_$1_rw_content_t, httpdcontent; # customizable
-+ type httpd_$1_rw_content_t; # customizable
-+ typeattribute httpd_$1_rw_content_t httpd_content_type;
- typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
- files_type(httpd_$1_rw_content_t)
-
-- type httpd_$1_ra_content_t, httpdcontent; # customizable
-+ type httpd_$1_ra_content_t, httpd_content_type; # customizable
-+ typeattribute httpd_$1_ra_content_t httpd_content_type;
- typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
- files_type(httpd_$1_ra_content_t)
-
-- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
--
-- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
--
-- allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
-- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
--
-- allow httpd_$1_script_t self:fifo_file rw_file_perms;
-- allow httpd_$1_script_t self:unix_stream_socket connectto;
--
-- allow httpd_$1_script_t httpd_t:fifo_file write;
-- # apache should set close-on-exec
-- dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
--
- # Allow the script process to search the cgi directory, and users directory
- allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
-
-- append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
-- logging_search_logs(httpd_$1_script_t)
--
- can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
- allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
-
- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
- read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
- append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-+ create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-
- allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
-@@ -86,40 +73,6 @@ template(`apache_content_template',`
- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
--
-- kernel_dontaudit_search_sysctl(httpd_$1_script_t)
-- kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
--
-- dev_read_rand(httpd_$1_script_t)
-- dev_read_urand(httpd_$1_script_t)
--
-- corecmd_exec_all_executables(httpd_$1_script_t)
--
-- files_exec_etc_files(httpd_$1_script_t)
-- files_read_etc_files(httpd_$1_script_t)
-- files_search_home(httpd_$1_script_t)
--
-- libs_exec_ld_so(httpd_$1_script_t)
-- libs_exec_lib_files(httpd_$1_script_t)
--
-- miscfiles_read_fonts(httpd_$1_script_t)
-- miscfiles_read_public_files(httpd_$1_script_t)
--
-- seutil_dontaudit_search_config(httpd_$1_script_t)
--
-- tunable_policy(`httpd_enable_cgi && httpd_unified',`
-- allow httpd_$1_script_t httpdcontent:file entrypoint;
--
-- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
-- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
-- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
-- can_exec(httpd_$1_script_t, httpdcontent)
-- ')
--
-- tunable_policy(`allow_httpd_$1_script_anon_write',`
-- miscfiles_manage_public_files(httpd_$1_script_t)
-- ')
-
- # Allow the web server to run scripts and serve pages
- tunable_policy(`httpd_builtin_scripting',`
-@@ -128,68 +81,26 @@ template(`apache_content_template',`
- manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-
-- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
-+ allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
- read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
- append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-+ create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
- read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-
-- allow httpd_t httpd_$1_content_t:dir list_dir_perms;
-- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
-- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
--
-- allow httpd_t httpd_$1_content_t:dir list_dir_perms;
-- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
-- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
- ')
-
- tunable_policy(`httpd_enable_cgi',`
- allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
-
-+ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-+
- # privileged users run the script:
- domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
-
-+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
-+
- # apache runs the script:
- domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
--
-- allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
-- allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
--
-- allow httpd_$1_script_t self:process { setsched signal_perms };
-- allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
--
-- allow httpd_$1_script_t httpd_t:fd use;
-- allow httpd_$1_script_t httpd_t:process sigchld;
--
-- kernel_read_system_state(httpd_$1_script_t)
--
-- dev_read_urand(httpd_$1_script_t)
--
-- fs_getattr_xattr_fs(httpd_$1_script_t)
--
-- files_read_etc_runtime_files(httpd_$1_script_t)
-- files_read_usr_files(httpd_$1_script_t)
--
-- libs_read_lib_files(httpd_$1_script_t)
--
-- miscfiles_read_localization(httpd_$1_script_t)
-- ')
--
-- optional_policy(`
-- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
-- nis_use_ypbind_uncond(httpd_$1_script_t)
-- ')
-- ')
--
-- optional_policy(`
-- postgresql_unpriv_client(httpd_$1_script_t)
--
-- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-- postgresql_tcp_connect(httpd_$1_script_t)
-- ')
-- ')
--
-- optional_policy(`
-- nscd_socket_use(httpd_$1_script_t)
- ')
- ')
-
-@@ -211,9 +122,8 @@ template(`apache_content_template',`
- interface(`apache_role',`
- gen_require(`
- attribute httpdcontent;
-- type httpd_user_content_t, httpd_user_htaccess_t;
-- type httpd_user_script_t, httpd_user_script_exec_t;
-- type httpd_user_ra_content_t, httpd_user_rw_content_t;
-+ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
-+ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
- ')
-
- role $1 types httpd_user_script_t;
-@@ -234,6 +144,13 @@ interface(`apache_role',`
- relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
- relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
-
-+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
-+
- manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
- manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
- manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -248,6 +165,9 @@ interface(`apache_role',`
- relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
- relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
-
-+ apache_exec_modules($2)
-+ apache_filetrans_home_content($2)
-+
- tunable_policy(`httpd_enable_cgi',`
- # If a user starts a script by hand it gets the proper context
- domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
-@@ -317,6 +237,25 @@ interface(`apache_domtrans',`
- domtrans_pattern($1, httpd_exec_t, httpd_t)
- ')
-
-+######################################
-+##
-+## Allow the specified domain to execute apache
-+## in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_exec',`
-+ gen_require(`
-+ type httpd_exec_t;
-+ ')
-+
-+ can_exec($1, httpd_exec_t)
-+')
-+
- #######################################
- ##
- ## Send a generic signal to apache.
-@@ -405,7 +344,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
- type httpd_t;
- ')
-
-- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
-+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -487,7 +426,7 @@ interface(`apache_setattr_cache_dirs',`
- type httpd_cache_t;
- ')
-
-- allow $1 httpd_cache_t:dir setattr;
-+ allow $1 httpd_cache_t:dir setattr_dir_perms;
- ')
-
- ########################################
-@@ -531,6 +470,25 @@ interface(`apache_rw_cache_files',`
- ########################################
- ##
- ## Allow the specified domain to delete
-+## Apache cache dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_delete_cache_dirs',`
-+ gen_require(`
-+ type httpd_cache_t;
-+ ')
-+
-+ delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to delete
- ## Apache cache.
- ##
- ##
-@@ -549,6 +507,26 @@ interface(`apache_delete_cache_files',`
-
- ########################################
- ##
-+## Allow the specified domain to search
-+## apache configuration dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_search_config',`
-+ gen_require(`
-+ type httpd_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 httpd_config_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## Allow the specified domain to read
- ## apache configuration files.
- ##
-@@ -641,6 +619,27 @@ interface(`apache_run_helper',`
-
- ########################################
- ##
-+## dontaudit attempts to read
-+## apache log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`apache_dontaudit_read_log',`
-+ gen_require(`
-+ type httpd_log_t;
-+ ')
-+
-+ dontaudit $1 httpd_log_t:file read_file_perms;
-+ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+##
- ## Allow the specified domain to read
- ## apache log files.
- ##
-@@ -683,6 +682,25 @@ interface(`apache_append_log',`
- append_files_pattern($1, httpd_log_t, httpd_log_t)
- ')
-
-+#######################################
-+##
-+## Allow the specified domain to write
-+## to apache log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_write_log',`
-+ gen_require(`
-+ type httpd_log_t;
-+ ')
-+
-+ allow $1 httpd_log_t:file write;
-+')
-+
- ########################################
- ##
- ## Do not audit attempts to append to the
-@@ -699,7 +717,7 @@ interface(`apache_dontaudit_append_log',`
- type httpd_log_t;
- ')
-
-- dontaudit $1 httpd_log_t:file { getattr append };
-+ dontaudit $1 httpd_log_t:file append_file_perms;
- ')
-
- ########################################
-@@ -745,6 +763,25 @@ interface(`apache_dontaudit_search_modules',`
-
- ########################################
- ##
-+## Allow the specified domain to read
-+## the apache module directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_read_modules',`
-+ gen_require(`
-+ type httpd_modules_t;
-+ ')
-+
-+ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
-+')
-+
-+########################################
-+##
- ## Allow the specified domain to list
- ## the contents of the apache modules
- ## directory.
-@@ -761,6 +798,7 @@ interface(`apache_list_modules',`
- ')
-
- allow $1 httpd_modules_t:dir list_dir_perms;
-+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
- ')
-
- ########################################
-@@ -802,6 +840,43 @@ interface(`apache_domtrans_rotatelogs',`
- domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
- ')
-
-+#######################################
-+##
-+## Execute httpd_rotatelogs in the caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`apache_exec_rotatelogs',`
-+ gen_require(`
-+ type httpd_rotatelogs_exec_t;
-+ ')
-+
-+ can_exec($1, httpd_rotatelogs_exec_t)
-+')
-+
-+#######################################
-+##
-+## Execute httpd system scripts in the caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`apache_exec_sys_script',`
-+ gen_require(`
-+ type httpd_sys_script_exec_t;
-+ ')
-+
-+ allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
-+ can_exec($1, httpd_sys_script_exec_t)
-+')
-+
- ########################################
- ##
- ## Allow the specified domain to list
-@@ -819,6 +894,7 @@ interface(`apache_list_sys_content',`
- ')
-
- list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
-+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
- files_search_var($1)
- ')
-
-@@ -846,6 +922,74 @@ interface(`apache_manage_sys_content',`
- manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
- ')
-
-+######################################
-+##
-+## Allow the specified domain to read
-+## apache system content rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`apache_read_sys_content_rw_files',`
-+ gen_require(`
-+ type httpd_sys_rw_content_t;
-+ ')
-+
-+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+')
-+
-+######################################
-+##
-+## Allow the specified domain to manage
-+## apache system content rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`apache_manage_sys_content_rw',`
-+ gen_require(`
-+ type httpd_sys_rw_content_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to delete
-+## apache system content rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`apache_delete_sys_content_rw',`
-+ gen_require(`
-+ type httpd_sys_rw_content_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+')
-+
- ########################################
- ##
- ## Execute all web scripts in the system
-@@ -862,7 +1006,12 @@ interface(`apache_manage_sys_content',`
- interface(`apache_domtrans_sys_script',`
- gen_require(`
- attribute httpdcontent;
-- type httpd_sys_script_t;
-+ type httpd_sys_script_exec_t;
-+ type httpd_sys_script_t, httpd_sys_content_t;
-+ ')
-+
-+ tunable_policy(`httpd_enable_cgi',`
-+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -921,9 +1070,10 @@ interface(`apache_domtrans_all_scripts',`
- ##
- ##
- ##
--## Role allowed access..
-+## Role allowed access.
- ##
- ##
-+##
- #
- interface(`apache_run_all_scripts',`
- gen_require(`
-@@ -950,7 +1100,7 @@ interface(`apache_read_squirrelmail_data',`
- type httpd_squirrelmail_t;
- ')
-
-- allow $1 httpd_squirrelmail_t:file read_file_perms;
-+ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
- ')
-
- ########################################
-@@ -1091,6 +1241,25 @@ interface(`apache_read_tmp_files',`
- read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
- ')
-
-+######################################
-+##
-+## Dontaudit attempts to read and write
-+## apache tmp files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`apache_dontaudit_rw_tmp_files',`
-+ gen_require(`
-+ type httpd_tmp_t;
-+ ')
-+
-+ dontaudit $1 httpd_tmp_t:file { read write };
-+')
-+
- ########################################
- ##
- ## Dontaudit attempts to write
-@@ -1107,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',`
- type httpd_tmp_t;
- ')
-
-- dontaudit $1 httpd_tmp_t:file write_file_perms;
-+ dontaudit $1 httpd_tmp_t:file write;
- ')
-
- ########################################
-@@ -1148,14 +1317,31 @@ interface(`apache_cgi_domain',`
-
- ########################################
- ##
--## All of the rules required to administrate an apache environment
-+## Execute httpd server in the httpd domain.
- ##
--##
-+##
- ##
--## Prefix of the domain. Example, user would be
--## the prefix for the uder_t domain.
-+## Domain allowed to transition.
- ##
- ##
-+#
-+interface(`apache_systemctl',`
-+ gen_require(`
-+ type httpd_t;
-+ type httpd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 httpd_unit_file_t:file read_file_perms;
-+ allow $1 httpd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, httpd_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate an apache environment
-+##
- ##
- ##
- ## Domain allowed access.
-@@ -1170,19 +1356,21 @@ interface(`apache_cgi_domain',`
- #
- interface(`apache_admin',`
- gen_require(`
-- attribute httpdcontent;
-- attribute httpd_script_exec_type;
--
-+ attribute httpdcontent, httpd_script_exec_type;
- type httpd_t, httpd_config_t, httpd_log_t;
-- type httpd_modules_t, httpd_lock_t;
-- type httpd_var_run_t, httpd_php_tmp_t;
-+ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
-+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
- type httpd_suexec_tmp_t, httpd_tmp_t;
-- type httpd_initrc_exec_t;
-+ type httpd_unit_file_t;
- ')
-
-- allow $1 httpd_t:process { getattr ptrace signal_perms };
-+ allow $1 httpd_t:process signal_perms;
- ps_process_pattern($1, httpd_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 httpd_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 httpd_initrc_exec_t system_r;
-@@ -1191,10 +1379,10 @@ interface(`apache_admin',`
- apache_manage_all_content($1)
- miscfiles_manage_public_files($1)
-
-- files_search_etc($1)
-+ files_list_etc($1)
- admin_pattern($1, httpd_config_t)
-
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, httpd_log_t)
-
- admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1393,106 @@ interface(`apache_admin',`
- admin_pattern($1, httpd_var_run_t)
- files_pid_filetrans($1, httpd_var_run_t, file)
-
-- kernel_search_proc($1)
-- allow $1 httpd_t:dir list_dir_perms;
--
-- read_lnk_files_pattern($1, httpd_t, httpd_t)
--
- admin_pattern($1, httpdcontent)
- admin_pattern($1, httpd_script_exec_type)
-+
-+ seutil_domtrans_setfiles($1)
-+
-+ files_list_tmp($1)
- admin_pattern($1, httpd_tmp_t)
- admin_pattern($1, httpd_php_tmp_t)
- admin_pattern($1, httpd_suexec_tmp_t)
-+
-+ apache_systemctl($1)
-+ admin_pattern($1, httpd_unit_file_t)
-+ allow $1 httpd_unit_file_t:service all_service_perms;
-+
-+ apache_filetrans_named_content($1)
-+')
-+
-+########################################
-+##
-+## dontaudit read and write an leaked file descriptors
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`apache_dontaudit_leaks',`
-+ gen_require(`
-+ type httpd_t;
-+ type httpd_tmp_t;
-+ ')
-+
-+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
-+ dontaudit $1 httpd_t:tcp_socket { read write };
-+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
-+ dontaudit $1 httpd_t:unix_stream_socket { read write };
-+ dontaudit $1 httpd_tmp_t:file { read write };
-+')
-+
-+########################################
-+##
-+## Transition to apache named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_filetrans_named_content',`
-+ gen_require(`
-+ type httpd_sys_content_t, httpd_sys_rw_content_t;
-+ type httpd_tmp_t;
-+ ')
-+
-+
-+ apache_filetrans_home_content($1)
-+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
-+ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
-+')
-+
-+########################################
-+##
-+## Allow any httpd_exec_t to be an entrypoint of this domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`apache_entrypoint',`
-+ gen_require(`
-+ type httpd_exec_t;
-+ ')
-+ allow $1 httpd_exec_t:file entrypoint;
-+')
-+
-+########################################
-+##
-+## Transition to apache home content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_filetrans_home_content',`
-+ gen_require(`
-+ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
-+ type httpd_user_content_ra_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
-+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
-+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
-+ filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
-+ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
-+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
- ')
-diff --git a/apache.te b/apache.te
-index 0833afb..2864927 100644
---- a/apache.te
-+++ b/apache.te
-@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
- # Declarations
- #
-
-+selinux_genbool(httpd_bool_t)
-+
- ##
- ##
- ## Allow Apache to modify public files
-@@ -25,14 +27,35 @@ policy_module(apache, 2.4.0)
- ## be labeled public_content_rw_t.
- ##
- ##
--gen_tunable(allow_httpd_anon_write, false)
-+gen_tunable(httpd_anon_write, false)
-
- ##
- ##
- ## Allow Apache to use mod_auth_pam
- ##
- ##
--gen_tunable(allow_httpd_mod_auth_pam, false)
-+gen_tunable(httpd_mod_auth_pam, false)
-+
-+##
-+##
-+## Allow Apache to use mod_auth_ntlm_winbind
-+##
-+##
-+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
-+
-+##
-+##
-+## Allow httpd scripts and modules execmem/execstack
-+##
-+##
-+gen_tunable(httpd_execmem, false)
-+
-+##
-+##
-+## Allow httpd processes to manage IPA content
-+##
-+##
-+gen_tunable(httpd_manage_ipa, false)
-
- ##
- ##
-@@ -50,6 +73,20 @@ gen_tunable(httpd_can_network_connect, false)
-
- ##
- ##
-+## Allow HTTPD scripts and modules to connect to cobbler over the network.
-+##
-+##
-+gen_tunable(httpd_can_network_connect_cobbler, false)
-+
-+##
-+##
-+## Allow HTTPD to connect to port 80 for graceful shutdown
-+##
-+##
-+gen_tunable(httpd_graceful_shutdown, false)
-+
-+##
-+##
- ## Allow HTTPD scripts and modules to connect to databases over the network.
- ##
- ##
-@@ -57,12 +94,33 @@ gen_tunable(httpd_can_network_connect_db, false)
-
- ##
- ##
-+## Allow httpd to connect to memcache server
-+##
-+##
-+gen_tunable(httpd_can_network_memcache, false)
-+
-+##
-+##
- ## Allow httpd to act as a relay
- ##
- ##
- gen_tunable(httpd_can_network_relay, false)
-
- ##
-+##
-+## Allow http daemon to connect to zabbix
-+##
-+##
-+gen_tunable(httpd_can_connect_zabbix, false)
-+
-+##
-+##
-+## Allow http daemon to check spam
-+##
-+##
-+gen_tunable(httpd_can_check_spam, false)
-+
-+##
- ##
- ## Allow http daemon to send mail
- ##
-@@ -93,6 +151,21 @@ gen_tunable(httpd_enable_ftp_server, false)
-
- ##
- ##
-+## Allow httpd to act as a FTP client
-+## connecting to the ftp port and ephemeral ports
-+##
-+##
-+gen_tunable(httpd_can_connect_ftp, false)
-+
-+##
-+##
-+## Allow httpd to connect to the ldap port
-+##
-+##
-+gen_tunable(httpd_can_connect_ldap, false)
-+
-+##
-+##
- ## Allow httpd to read home directories
- ##
- ##
-@@ -100,6 +173,27 @@ gen_tunable(httpd_enable_homedirs, false)
-
- ##
- ##
-+## Allow httpd to read user content
-+##
-+##
-+gen_tunable(httpd_read_user_content, false)
-+
-+##
-+##
-+## Allow Apache to run in stickshift mode, not transition to passenger
-+##
-+##
-+gen_tunable(httpd_run_stickshift, false)
-+
-+##
-+##
-+## Allow Apache to query NS records
-+##
-+##
-+gen_tunable(httpd_verify_dns, false)
-+
-+##
-+##
- ## Allow httpd daemon to change its resource limits
- ##
- ##
-@@ -114,6 +208,13 @@ gen_tunable(httpd_ssi_exec, false)
-
- ##
- ##
-+## Allow Apache to execute tmp content.
-+##
-+##
-+gen_tunable(httpd_tmp_exec, false)
-+
-+##
-+##
- ## Unify HTTPD to communicate with the terminal.
- ## Needed for entering the passphrase for certificates at
- ## the terminal.
-@@ -130,12 +231,26 @@ gen_tunable(httpd_unified, false)
-
- ##
- ##
-+## Allow httpd to access openstack ports
-+##
-+##
-+gen_tunable(httpd_use_openstack, false)
-+
-+##
-+##
- ## Allow httpd to access cifs file systems
- ##
- ##
- gen_tunable(httpd_use_cifs, false)
-
- ##
-+##
-+## Allow httpd to access FUSE file systems
-+##
-+##
-+gen_tunable(httpd_use_fusefs, false)
-+
-+##
- ##
- ## Allow httpd to run gpg
- ##
-@@ -149,12 +264,28 @@ gen_tunable(httpd_use_gpg, false)
- ##
- gen_tunable(httpd_use_nfs, false)
-
-+##
-+##
-+## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
-+##
-+##
-+gen_tunable(httpd_sys_script_anon_write, false)
-+
-+##
-+##
-+## Allow httpd to communicate with oddjob to start up a service
-+##
-+##
-+gen_tunable(httpd_use_oddjob, false)
-+
- attribute httpdcontent;
- attribute httpd_user_content_type;
-+attribute httpd_content_type;
-
- # domains that can exec all users scripts
- attribute httpd_exec_scripts;
-
-+attribute httpd_script_type;
- attribute httpd_script_exec_type;
- attribute httpd_user_script_exec_type;
-
-@@ -163,6 +294,10 @@ attribute httpd_script_domains;
-
- type httpd_t;
- type httpd_exec_t;
-+ifdef(`distro_redhat',`
-+ typealias httpd_t alias phpfpm_t;
-+ typealias httpd_exec_t alias phpfpm_exec_t;
-+')
- init_daemon_domain(httpd_t, httpd_exec_t)
- role system_r types httpd_t;
-
-@@ -173,7 +308,7 @@ files_type(httpd_cache_t)
-
- # httpd_config_t is the type given to the configuration files
- type httpd_config_t;
--files_type(httpd_config_t)
-+files_config_file(httpd_config_t)
-
- type httpd_helper_t;
- type httpd_helper_exec_t;
-@@ -184,10 +319,19 @@ role system_r types httpd_helper_t;
- type httpd_initrc_exec_t;
- init_script_file(httpd_initrc_exec_t)
-
-+type httpd_unit_file_t;
-+ifdef(`distro_redhat',`
-+ typealias httpd_unit_file_t alias phpfpm_unit_file_t;
-+')
-+systemd_unit_file(httpd_unit_file_t)
-+
- type httpd_lock_t;
- files_lock_file(httpd_lock_t)
-
- type httpd_log_t;
-+ifdef(`distro_redhat',`
-+ typealias httpd_log_t alias phpfpm_log_t;
-+')
- logging_log_file(httpd_log_t)
-
- # httpd_modules_t is the type given to module files (libraries)
-@@ -223,7 +367,21 @@ files_tmp_file(httpd_suexec_tmp_t)
-
- # setup the system domain for system CGI scripts
- apache_content_template(sys)
--typealias httpd_sys_content_t alias ntop_http_content_t;
-+
-+optional_policy(`
-+ postgresql_unpriv_client(httpd_sys_script_t)
-+')
-+
-+typeattribute httpd_sys_content_t httpdcontent; # customizable
-+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
-+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
-+
-+# Removal of fastcgi, will cause problems without the following
-+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
-+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
-+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
-+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
-+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
-
- type httpd_tmp_t;
- files_tmp_file(httpd_tmp_t)
-@@ -233,6 +391,11 @@ files_tmpfs_file(httpd_tmpfs_t)
-
- apache_content_template(user)
- ubac_constrained(httpd_user_script_t)
-+
-+typeattribute httpd_user_content_t httpdcontent;
-+typeattribute httpd_user_rw_content_t httpdcontent;
-+typeattribute httpd_user_ra_content_t httpdcontent;
-+
- userdom_user_home_content(httpd_user_content_t)
- userdom_user_home_content(httpd_user_htaccess_t)
- userdom_user_home_content(httpd_user_script_exec_t)
-@@ -240,6 +403,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
- userdom_user_home_content(httpd_user_rw_content_t)
- typeattribute httpd_user_script_t httpd_script_domains;
- typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
-+typealias httpd_user_content_t alias httpd_unconfined_content_t;
- typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
- typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
- typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -259,16 +423,28 @@ type httpd_var_lib_t;
- files_type(httpd_var_lib_t)
-
- type httpd_var_run_t;
-+ifdef(`distro_redhat',`
-+ typealias httpd_var_run_t alias phpfpm_var_run_t;
-+')
- files_pid_file(httpd_var_run_t)
-
-+# Removal of fastcgi, will cause problems without the following
-+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
-+
- # File Type of squirrelmail attachments
- type squirrelmail_spool_t;
- files_tmp_file(squirrelmail_spool_t)
-+files_spool_file(squirrelmail_spool_t)
-
- optional_policy(`
- prelink_object_file(httpd_modules_t)
- ')
-
-+type httpd_passwd_t;
-+type httpd_passwd_exec_t;
-+application_domain(httpd_passwd_t, httpd_passwd_exec_t)
-+role system_r types httpd_passwd_t;
-+
- ########################################
- #
- # Apache server local policy
-@@ -288,11 +464,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
- allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow httpd_t self:tcp_socket create_stream_socket_perms;
- allow httpd_t self:udp_socket create_socket_perms;
-+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
-
- # Allow httpd_t to put files in /var/cache/httpd etc
- manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
- manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
- manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
-
- # Allow the httpd_t to read the web servers config files
- allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -305,6 +483,7 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
- files_lock_filetrans(httpd_t, httpd_lock_t, file)
-
- allow httpd_t httpd_log_t:dir setattr;
-+create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
- create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-@@ -336,8 +515,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
-
- manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
- manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-+manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
- manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
--files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
-+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
-+userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
-
- manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
- manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -346,8 +527,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
- manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
- fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-+manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
- manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
--files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
-+files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
-
- setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
- manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -362,8 +544,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
- kernel_read_kernel_sysctls(httpd_t)
- # for modules that want to access /proc/meminfo
- kernel_read_system_state(httpd_t)
-+kernel_read_network_state(httpd_t)
-+kernel_search_network_sysctl(httpd_t)
-
--corenet_all_recvfrom_unlabeled(httpd_t)
- corenet_all_recvfrom_netlabel(httpd_t)
- corenet_tcp_sendrecv_generic_if(httpd_t)
- corenet_udp_sendrecv_generic_if(httpd_t)
-@@ -372,11 +555,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
- corenet_tcp_sendrecv_all_ports(httpd_t)
- corenet_udp_sendrecv_all_ports(httpd_t)
- corenet_tcp_bind_generic_node(httpd_t)
-+corenet_udp_bind_generic_node(httpd_t)
- corenet_tcp_bind_http_port(httpd_t)
-+corenet_udp_bind_http_port(httpd_t)
- corenet_tcp_bind_http_cache_port(httpd_t)
-+corenet_tcp_bind_ntop_port(httpd_t)
-+corenet_tcp_bind_jboss_management_port(httpd_t)
-+corenet_tcp_bind_jboss_messaging_port(httpd_t)
- corenet_sendrecv_http_server_packets(httpd_t)
-+corenet_tcp_bind_puppet_port(httpd_t)
- # Signal self for shutdown
--corenet_tcp_connect_http_port(httpd_t)
-+tunable_policy(`httpd_graceful_shutdown',`
-+ corenet_tcp_connect_http_port(httpd_t)
-+')
-
- dev_read_sysfs(httpd_t)
- dev_read_rand(httpd_t)
-@@ -385,9 +576,14 @@ dev_rw_crypto(httpd_t)
-
- fs_getattr_all_fs(httpd_t)
- fs_search_auto_mountpoints(httpd_t)
-+fs_read_iso9660_files(httpd_t)
-+fs_read_anon_inodefs_files(httpd_t)
-+fs_read_hugetlbfs_files(httpd_t)
-
- auth_use_nsswitch(httpd_t)
-
-+application_exec_all(httpd_t)
-+
- # execute perl
- corecmd_exec_bin(httpd_t)
- corecmd_exec_shell(httpd_t)
-@@ -396,61 +592,112 @@ domain_use_interactive_fds(httpd_t)
-
- files_dontaudit_getattr_all_pids(httpd_t)
- files_read_usr_files(httpd_t)
-+files_exec_usr_files(httpd_t)
- files_list_mnt(httpd_t)
- files_search_spool(httpd_t)
-+files_read_var_symlinks(httpd_t)
- files_read_var_lib_files(httpd_t)
- files_search_home(httpd_t)
- files_getattr_home_dir(httpd_t)
- # for modules that want to access /etc/mtab
- files_read_etc_runtime_files(httpd_t)
- # Allow httpd_t to have access to files such as nisswitch.conf
--files_read_etc_files(httpd_t)
- # for tomcat
- files_read_var_lib_symlinks(httpd_t)
-
- fs_search_auto_mountpoints(httpd_sys_script_t)
-+# php uploads a file to /tmp and then execs programs to acton them
-+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
-+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
-+manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
-+manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
-+manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
-+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
-
- libs_read_lib_files(httpd_t)
-
-+ifdef(`hide_broken_symptoms',`
-+ libs_exec_lib_files(httpd_t)
-+')
-+
- logging_send_syslog_msg(httpd_t)
-
--miscfiles_read_localization(httpd_t)
- miscfiles_read_fonts(httpd_t)
- miscfiles_read_public_files(httpd_t)
- miscfiles_read_generic_certs(httpd_t)
--
--seutil_dontaudit_search_config(httpd_t)
-+miscfiles_read_tetex_data(httpd_t)
-
- userdom_use_unpriv_users_fds(httpd_t)
-
--tunable_policy(`allow_httpd_anon_write',`
-+tunable_policy(`httpd_setrlimit',`
-+ allow httpd_t self:process setrlimit;
-+ allow httpd_t self:capability sys_resource;
-+')
-+
-+tunable_policy(`httpd_anon_write',`
- miscfiles_manage_public_files(httpd_t)
- ')
-
--ifdef(`TODO', `
- #
- # We need optionals to be able to be within booleans to make this work
- #
--tunable_policy(`allow_httpd_mod_auth_pam',`
-- auth_domtrans_chk_passwd(httpd_t)
-+tunable_policy(`httpd_mod_auth_pam',`
-+ auth_domtrans_chkpwd(httpd_t)
-+ logging_send_audit_msgs(httpd_t)
- ')
-+
-+optional_policy(`
-+ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
-+ samba_domtrans_winbind_helper(httpd_t)
-+ ')
- ')
-
- tunable_policy(`httpd_can_network_connect',`
- corenet_tcp_connect_all_ports(httpd_t)
- ')
-
-+tunable_policy(`httpd_can_network_connect_db',`
-+ corenet_tcp_connect_firebird_port(httpd_t)
-+ corenet_tcp_connect_mssql_port(httpd_t)
-+ corenet_sendrecv_mssql_client_packets(httpd_t)
-+ corenet_tcp_connect_oracle_port(httpd_t)
-+ corenet_sendrecv_oracle_client_packets(httpd_t)
-+')
-+
-+tunable_policy(`httpd_can_network_memcache',`
-+ corenet_tcp_connect_memcache_port(httpd_t)
-+')
-+
- tunable_policy(`httpd_can_network_relay',`
- # allow httpd to work as a relay
- corenet_tcp_connect_gopher_port(httpd_t)
- corenet_tcp_connect_ftp_port(httpd_t)
- corenet_tcp_connect_http_port(httpd_t)
- corenet_tcp_connect_http_cache_port(httpd_t)
-+ corenet_tcp_connect_squid_port(httpd_t)
- corenet_tcp_connect_memcache_port(httpd_t)
- corenet_sendrecv_gopher_client_packets(httpd_t)
- corenet_sendrecv_ftp_client_packets(httpd_t)
- corenet_sendrecv_http_client_packets(httpd_t)
- corenet_sendrecv_http_cache_client_packets(httpd_t)
-+ corenet_sendrecv_squid_client_packets(httpd_t)
-+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
-+')
-+
-+tunable_policy(`httpd_execmem',`
-+ allow httpd_t self:process { execmem execstack };
-+ allow httpd_sys_script_t self:process { execmem execstack };
-+ allow httpd_suexec_t self:process { execmem execstack };
-+')
-+
-+tunable_policy(`httpd_enable_cgi && httpd_unified',`
-+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
-+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
-+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
-+')
-+
-+tunable_policy(`httpd_sys_script_anon_write',`
-+ miscfiles_manage_public_files(httpd_sys_script_t)
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -461,27 +708,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
- fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
- ')
-
-+tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
-+ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
-+')
-+
- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
-+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
-+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
-+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
-
- manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
- ')
-
-+tunable_policy(`httpd_can_connect_ftp',`
-+ corenet_tcp_connect_ftp_port(httpd_t)
-+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
-+')
-+
-+tunable_policy(`httpd_can_connect_ldap',`
-+ corenet_tcp_connect_ldap_port(httpd_t)
-+')
-+
-+tunable_policy(`httpd_can_connect_zabbix',`
-+ corenet_tcp_connect_zabbix_port(httpd_t)
-+')
-+
- tunable_policy(`httpd_enable_ftp_server',`
- corenet_tcp_bind_ftp_port(httpd_t)
-+ corenet_tcp_bind_all_ephemeral_ports(httpd_t)
- ')
-
--tunable_policy(`httpd_enable_homedirs',`
-- userdom_read_user_home_content_files(httpd_t)
-+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
-+ can_exec(httpd_t, httpd_tmp_t)
-+')
-+
-+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
-+ can_exec(httpd_sys_script_t, httpd_tmp_t)
- ')
-
- tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-+ fs_list_auto_mountpoints(httpd_t)
- fs_read_nfs_files(httpd_t)
- fs_read_nfs_symlinks(httpd_t)
- ')
-
-+tunable_policy(`httpd_use_nfs',`
-+ fs_list_auto_mountpoints(httpd_t)
-+ fs_manage_nfs_dirs(httpd_t)
-+ fs_manage_nfs_files(httpd_t)
-+ fs_manage_nfs_symlinks(httpd_t)
-+')
-+
- tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_read_cifs_files(httpd_t)
- fs_read_cifs_symlinks(httpd_t)
-@@ -491,7 +772,22 @@ tunable_policy(`httpd_can_sendmail',`
- # allow httpd to connect to mail servers
- corenet_tcp_connect_smtp_port(httpd_t)
- corenet_sendrecv_smtp_client_packets(httpd_t)
-+ corenet_tcp_connect_pop_port(httpd_t)
-+ corenet_sendrecv_pop_client_packets(httpd_t)
- mta_send_mail(httpd_t)
-+ mta_signal_system_mail(httpd_t)
-+')
-+
-+tunable_policy(`httpd_use_cifs',`
-+ fs_manage_cifs_dirs(httpd_t)
-+ fs_manage_cifs_files(httpd_t)
-+ fs_manage_cifs_symlinks(httpd_t)
-+')
-+
-+tunable_policy(`httpd_use_fusefs',`
-+ fs_manage_fusefs_dirs(httpd_t)
-+ fs_manage_fusefs_files(httpd_t)
-+ fs_manage_fusefs_symlinks(httpd_t)
- ')
-
- tunable_policy(`httpd_setrlimit',`
-@@ -511,9 +807,19 @@ tunable_policy(`httpd_ssi_exec',`
- # to run correctly without this permission, so the permission
- # are dontaudited here.
- tunable_policy(`httpd_tty_comm',`
-- userdom_use_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_suexec_t)
- ',`
- userdom_dontaudit_use_user_terminals(httpd_t)
-+ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
-+')
-+
-+optional_policy(`
-+ # Support for ABRT retrace server
-+ # mod_wsgi
-+ abrt_manage_spool_retrace(httpd_t)
-+ abrt_domtrans_retrace_worker(httpd_t)
-+ abrt_read_config(httpd_t)
- ')
-
- optional_policy(`
-@@ -525,6 +831,9 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ cobbler_list_config(httpd_t)
-+ cobbler_read_config(httpd_t)
-+ cobbler_read_lib_files(httpd_t)
- cobbler_search_lib(httpd_t)
- ')
-
-@@ -540,6 +849,24 @@ optional_policy(`
- daemontools_service_domain(httpd_t, httpd_exec_t)
- ')
-
-+optional_policy(`
-+ # needed by FreeIPA
-+ dirsrv_stream_connect(httpd_t)
-+ ldap_stream_connect(httpd_t)
-+')
-+
-+optional_policy(`
-+ dirsrv_manage_config(httpd_t)
-+ dirsrv_manage_log(httpd_t)
-+ dirsrv_manage_var_run(httpd_t)
-+ dirsrv_read_share(httpd_t)
-+ dirsrv_signal(httpd_t)
-+ dirsrv_signull(httpd_t)
-+ dirsrvadmin_manage_config(httpd_t)
-+ dirsrvadmin_manage_tmp(httpd_t)
-+ dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
-+')
-+
- optional_policy(`
- dbus_system_bus_client(httpd_t)
-
-@@ -549,13 +876,24 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ git_read_generic_system_content_files(httpd_t)
-+ gitosis_read_lib_files(httpd_t)
-+')
-+
-+optional_policy(`
- tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
-- gpg_domtrans(httpd_t)
-+ gpg_domtrans_web(httpd_t)
- ')
- ')
-
- optional_policy(`
-+ jetty_admin(httpd_t)
-+')
-+
-+optional_policy(`
- kerberos_keytab_template(httpd, httpd_t)
-+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
-+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
- ')
-
- optional_policy(`
-@@ -573,7 +911,21 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ mediawiki_read_tmp_files(httpd_t)
-+ mediawiki_delete_tmp_files(httpd_t)
-+')
-+
-+optional_policy(`
-+ memcached_stream_connect(httpd_t)
-+
-+ tunable_policy(`httpd_manage_ipa',`
-+ memcached_manage_pid_files(httpd_t)
-+ ')
-+')
-+
-+optional_policy(`
- # Allow httpd to work with mysql
-+ mysql_read_config(httpd_t)
- mysql_stream_connect(httpd_t)
- mysql_rw_db_sockets(httpd_t)
-
-@@ -584,6 +936,7 @@ optional_policy(`
-
- optional_policy(`
- nagios_read_config(httpd_t)
-+ nagios_read_log(httpd_t)
- ')
-
- optional_policy(`
-@@ -594,6 +947,42 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ openshift_search_lib(httpd_t)
-+ openshift_initrc_signull(httpd_t)
-+ openshift_initrc_signal(httpd_t)
-+')
-+
-+optional_policy(`
-+ passenger_exec(httpd_t)
-+ passenger_manage_pid_content(httpd_t)
-+')
-+
-+optional_policy(`
-+ pcscd_read_pub_files(httpd_t)
-+')
-+
-+optional_policy(`
-+ pki_apache_domain_signal(httpd_t)
-+ pki_apache_domain_signal(httpd_t)
-+ pki_manage_apache_run(httpd_t)
-+ pki_manage_apache_config_files(httpd_t)
-+ pki_manage_apache_log_files(httpd_t)
-+ pki_manage_apache_lib(httpd_t)
-+')
-+
-+optional_policy(`
-+ puppet_read_lib(httpd_t)
-+')
-+
-+optional_policy(`
-+ pwauth_domtrans(httpd_t)
-+')
-+
-+optional_policy(`
-+ rpc_search_nfs_state_data(httpd_t)
-+')
-+
-+optional_policy(`
- # Allow httpd to work with postgresql
- postgresql_stream_connect(httpd_t)
- postgresql_unpriv_client(httpd_t)
-@@ -608,6 +997,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ smokeping_read_lib_files(httpd_t)
-+')
-+
-+optional_policy(`
-+ files_dontaudit_rw_usr_dirs(httpd_t)
- snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
- snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
- ')
-@@ -620,6 +1014,12 @@ optional_policy(`
- yam_read_content(httpd_t)
- ')
-
-+optional_policy(`
-+ zarafa_manage_lib_files(httpd_t)
-+ zarafa_stream_connect_server(httpd_t)
-+ zarafa_search_config(httpd_t)
-+')
-+
- ########################################
- #
- # Apache helper local policy
-@@ -633,7 +1033,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
-
- logging_send_syslog_msg(httpd_helper_t)
-
--userdom_use_user_terminals(httpd_helper_t)
-+userdom_use_inherited_user_terminals(httpd_helper_t)
-+
-+tunable_policy(`httpd_verify_dns',`
-+ corenet_udp_bind_all_ephemeral_ports(httpd_t)
-+')
-+
-+tunable_policy(`httpd_run_stickshift', `
-+ allow httpd_t self:capability { fowner fsetid sys_resource };
-+ dontaudit httpd_t self:capability sys_ptrace;
-+ allow httpd_t self:process setexec;
-+
-+ files_dontaudit_getattr_all_files(httpd_t)
-+ domain_dontaudit_read_all_domains_state(httpd_t)
-+ domain_getpgid_all_domains(httpd_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`httpd_run_stickshift', `
-+ passenger_manage_lib_files(httpd_t)
-+ passenger_getattr_log_files(httpd_t)
-+ ',`
-+ passenger_domtrans(httpd_t)
-+ passenger_read_lib_files(httpd_t)
-+ passenger_stream_connect(httpd_t)
-+ passenger_manage_tmp_files(httpd_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ tunable_policy(`httpd_run_stickshift', `
-+ oddjob_dbus_chat(httpd_t)
-+ ')
-+')
-+
-+tunable_policy(`httpd_tty_comm',`
-+ userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-
- ########################################
- #
-@@ -671,28 +1107,30 @@ libs_exec_lib_files(httpd_php_t)
- userdom_use_unpriv_users_fds(httpd_php_t)
-
- tunable_policy(`httpd_can_network_connect_db',`
-- corenet_tcp_connect_mysqld_port(httpd_t)
-- corenet_sendrecv_mysqld_client_packets(httpd_t)
-- corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
-- corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
-- corenet_tcp_connect_mysqld_port(httpd_suexec_t)
-- corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
--
-- corenet_tcp_connect_mssql_port(httpd_t)
-- corenet_sendrecv_mssql_client_packets(httpd_t)
-- corenet_tcp_connect_mssql_port(httpd_sys_script_t)
-- corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
-- corenet_tcp_connect_mssql_port(httpd_suexec_t)
-- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
-+ corenet_tcp_connect_firebird_port(httpd_php_t)
-+ corenet_tcp_connect_mssql_port(httpd_php_t)
-+ corenet_sendrecv_mssql_client_packets(httpd_php_t)
-+ corenet_tcp_connect_oracle_port(httpd_php_t)
-+ corenet_sendrecv_oracle_client_packets(httpd_php_t)
- ')
-
- optional_policy(`
- mysql_stream_connect(httpd_php_t)
-+ mysql_rw_db_sockets(httpd_php_t)
- mysql_read_config(httpd_php_t)
-+
-+ tunable_policy(`httpd_can_network_connect_db',`
-+ mysql_tcp_connect(httpd_php_t)
-+ ')
- ')
-
- optional_policy(`
- postgresql_stream_connect(httpd_php_t)
-+ postgresql_unpriv_client(httpd_php_t)
-+
-+ tunable_policy(`httpd_can_network_connect_db',`
-+ postgresql_tcp_connect(httpd_php_t)
-+ ')
- ')
-
- ########################################
-@@ -702,6 +1140,7 @@ optional_policy(`
-
- allow httpd_suexec_t self:capability { setuid setgid };
- allow httpd_suexec_t self:process signal_perms;
-+allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
- allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-
- domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1155,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
- manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
- files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
-
-+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
-+
-+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
-+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
-+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
-+
- kernel_read_kernel_sysctls(httpd_suexec_t)
- kernel_list_proc(httpd_suexec_t)
- kernel_read_proc_symlinks(httpd_suexec_t)
-
- dev_read_urand(httpd_suexec_t)
-
-+fs_read_iso9660_files(httpd_suexec_t)
- fs_search_auto_mountpoints(httpd_suexec_t)
-
-+application_exec_all(httpd_suexec_t)
-+
- # for shell scripts
- corecmd_exec_bin(httpd_suexec_t)
- corecmd_exec_shell(httpd_suexec_t)
-
--files_read_etc_files(httpd_suexec_t)
- files_read_usr_files(httpd_suexec_t)
- files_dontaudit_search_pids(httpd_suexec_t)
- files_search_home(httpd_suexec_t)
-@@ -738,15 +1185,14 @@ auth_use_nsswitch(httpd_suexec_t)
- logging_search_logs(httpd_suexec_t)
- logging_send_syslog_msg(httpd_suexec_t)
-
--miscfiles_read_localization(httpd_suexec_t)
- miscfiles_read_public_files(httpd_suexec_t)
-
-+corenet_all_recvfrom_netlabel(httpd_suexec_t)
-+
- tunable_policy(`httpd_can_network_connect',`
- allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
- allow httpd_suexec_t self:udp_socket create_socket_perms;
-
-- corenet_all_recvfrom_unlabeled(httpd_suexec_t)
-- corenet_all_recvfrom_netlabel(httpd_suexec_t)
- corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
- corenet_udp_sendrecv_generic_if(httpd_suexec_t)
- corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-@@ -757,13 +1203,31 @@ tunable_policy(`httpd_can_network_connect',`
- corenet_sendrecv_all_client_packets(httpd_suexec_t)
- ')
-
-+tunable_policy(`httpd_can_network_connect_db',`
-+ corenet_tcp_connect_firebird_port(httpd_suexec_t)
-+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
-+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
-+ corenet_tcp_connect_oracle_port(httpd_suexec_t)
-+ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
-+')
-+
-+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
-+
-+tunable_policy(`httpd_can_sendmail',`
-+ mta_send_mail(httpd_suexec_t)
-+')
-+
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_sys_script_t httpdcontent:file entrypoint;
- domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
--
-+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
-+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
-+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
-+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
- ')
-
- tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-+ fs_list_auto_mountpoints(httpd_suexec_t)
- fs_read_nfs_files(httpd_suexec_t)
- fs_read_nfs_symlinks(httpd_suexec_t)
- fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1250,25 @@ optional_policy(`
- dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
- ')
-
-+optional_policy(`
-+ mysql_stream_connect(httpd_suexec_t)
-+ mysql_rw_db_sockets(httpd_suexec_t)
-+ mysql_read_config(httpd_suexec_t)
-+
-+ tunable_policy(`httpd_can_network_connect_db',`
-+ mysql_tcp_connect(httpd_suexec_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ postgresql_stream_connect(httpd_suexec_t)
-+ postgresql_unpriv_client(httpd_suexec_t)
-+
-+ tunable_policy(`httpd_can_network_connect_db',`
-+ postgresql_tcp_connect(httpd_suexec_t)
-+ ')
-+')
-+
- ########################################
- #
- # Apache system script local policy
-@@ -806,12 +1289,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
-
- kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-+files_read_var_symlinks(httpd_sys_script_t)
- files_search_var_lib(httpd_sys_script_t)
- files_search_spool(httpd_sys_script_t)
-
-+logging_inherit_append_all_logs(httpd_sys_script_t)
-+
- # Should we add a boolean?
- apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-+auth_use_nsswitch(httpd_sys_script_t)
-+
- ifdef(`distro_redhat',`
- allow httpd_sys_script_t httpd_log_t:file append_file_perms;
- ')
-@@ -820,18 +1308,50 @@ tunable_policy(`httpd_can_sendmail',`
- mta_send_mail(httpd_sys_script_t)
- ')
-
-+optional_policy(`
-+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
-+ spamassassin_domtrans_client(httpd_t)
-+ ')
-+')
-+
-+tunable_policy(`httpd_can_network_connect_db',`
-+ corenet_tcp_connect_firebird_port(httpd_sys_script_t)
-+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
-+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
-+ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
-+ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
-+')
-+
-+fs_cifs_entry_type(httpd_sys_script_t)
-+fs_read_iso9660_files(httpd_sys_script_t)
-+fs_nfs_entry_type(httpd_sys_script_t)
-+
-+tunable_policy(`httpd_use_nfs',`
-+ fs_list_auto_mountpoints(httpd_sys_script_t)
-+ fs_manage_nfs_dirs(httpd_sys_script_t)
-+ fs_manage_nfs_files(httpd_sys_script_t)
-+ fs_manage_nfs_symlinks(httpd_sys_script_t)
-+ fs_exec_nfs_files(httpd_sys_script_t)
-+
-+ fs_list_auto_mountpoints(httpd_suexec_t)
-+ fs_manage_nfs_dirs(httpd_suexec_t)
-+ fs_manage_nfs_files(httpd_suexec_t)
-+ fs_manage_nfs_symlinks(httpd_suexec_t)
-+ fs_exec_nfs_files(httpd_suexec_t)
-+')
-+
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-+
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
- allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_sys_script_t self:udp_socket create_socket_perms;
-
-- corenet_tcp_bind_all_nodes(httpd_sys_script_t)
-- corenet_udp_bind_all_nodes(httpd_sys_script_t)
-- corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
-- corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-- corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
-- corenet_udp_sendrecv_all_if(httpd_sys_script_t)
-- corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
-- corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
-+ corenet_tcp_bind_generic_node(httpd_sys_script_t)
-+ corenet_udp_bind_generic_node(httpd_sys_script_t)
-+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
-+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
-+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
-+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
- corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
- corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1359,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
- ')
-
- tunable_policy(`httpd_enable_homedirs',`
-- userdom_read_user_home_content_files(httpd_sys_script_t)
-+ userdom_search_user_home_dirs(httpd_sys_script_t)
- ')
-
- tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-+ fs_list_auto_mountpoints(httpd_sys_script_t)
- fs_read_nfs_files(httpd_sys_script_t)
- fs_read_nfs_symlinks(httpd_sys_script_t)
- ')
-
-+tunable_policy(`httpd_read_user_content',`
-+ userdom_read_user_home_content_files(httpd_sys_script_t)
-+')
-+
-+tunable_policy(`httpd_use_cifs',`
-+ fs_manage_cifs_dirs(httpd_sys_script_t)
-+ fs_manage_cifs_files(httpd_sys_script_t)
-+ fs_manage_cifs_symlinks(httpd_sys_script_t)
-+ fs_manage_cifs_dirs(httpd_suexec_t)
-+ fs_manage_cifs_files(httpd_suexec_t)
-+ fs_manage_cifs_symlinks(httpd_suexec_t)
-+ fs_exec_cifs_files(httpd_suexec_t)
-+')
-+
-+tunable_policy(`httpd_use_fusefs',`
-+ fs_manage_fusefs_dirs(httpd_sys_script_t)
-+ fs_manage_fusefs_files(httpd_sys_script_t)
-+ fs_manage_fusefs_symlinks(httpd_sys_script_t)
-+ fs_manage_fusefs_dirs(httpd_suexec_t)
-+ fs_manage_fusefs_files(httpd_suexec_t)
-+ fs_manage_fusefs_symlinks(httpd_suexec_t)
-+ fs_exec_fusefs_files(httpd_suexec_t)
-+')
-+
- tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_read_cifs_files(httpd_sys_script_t)
- fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,15 +1399,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-
- optional_policy(`
- clamav_domtrans_clamscan(httpd_sys_script_t)
-+ clamav_domtrans_clamscan(httpd_t)
- ')
-
- optional_policy(`
- mysql_stream_connect(httpd_sys_script_t)
- mysql_rw_db_sockets(httpd_sys_script_t)
-+ mysql_read_config(httpd_sys_script_t)
-+
-+ tunable_policy(`httpd_can_network_connect_db',`
-+ mysql_tcp_connect(httpd_sys_script_t)
-+ ')
- ')
-
- optional_policy(`
- postgresql_stream_connect(httpd_sys_script_t)
-+ postgresql_unpriv_client(httpd_sys_script_t)
-+
-+ tunable_policy(`httpd_can_network_connect_db',`
-+ postgresql_tcp_connect(httpd_sys_script_t)
-+ ')
- ')
-
- ########################################
-@@ -878,11 +1434,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
- kernel_dontaudit_list_proc(httpd_rotatelogs_t)
- kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
-
--files_read_etc_files(httpd_rotatelogs_t)
-
- logging_search_logs(httpd_rotatelogs_t)
-
--miscfiles_read_localization(httpd_rotatelogs_t)
-
- ########################################
- #
-@@ -908,11 +1462,138 @@ optional_policy(`
-
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_user_script_t httpdcontent:file entrypoint;
-+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
-+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
-+ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
-+ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
- ')
-
- # allow accessing files/dirs below the users home dir
- tunable_policy(`httpd_enable_homedirs',`
-- userdom_search_user_home_dirs(httpd_t)
-- userdom_search_user_home_dirs(httpd_suexec_t)
-- userdom_search_user_home_dirs(httpd_user_script_t)
-+ userdom_search_user_home_content(httpd_t)
-+ userdom_search_user_home_content(httpd_suexec_t)
-+ userdom_search_user_home_content(httpd_user_script_t)
-+')
-+
-+tunable_policy(`httpd_read_user_content',`
-+ userdom_read_user_home_content_files(httpd_t)
-+ userdom_read_user_home_content_files(httpd_suexec_t)
-+ userdom_read_user_home_content_files(httpd_user_script_t)
-+')
-+
-+########################################
-+#
-+# httpd_passwd local policy
-+#
-+
-+allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
-+allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
-+allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
-+
-+kernel_read_system_state(httpd_passwd_t)
-+
-+corecmd_exec_bin(httpd_passwd_t)
-+corecmd_exec_shell(httpd_passwd_t)
-+
-+dev_read_urand(httpd_passwd_t)
-+
-+domain_use_interactive_fds(httpd_passwd_t)
-+
-+
-+auth_use_nsswitch(httpd_passwd_t)
-+
-+miscfiles_read_certs(httpd_passwd_t)
-+
-+systemd_manage_passwd_run(httpd_passwd_t)
-+systemd_manage_passwd_run(httpd_t)
-+#systemd_passwd_agent_dev_template(httpd)
-+
-+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
-+dontaudit httpd_passwd_t httpd_config_t:file read;
-+
-+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
-+corecmd_shell_entry_type(httpd_script_type)
-+
-+allow httpd_script_type self:fifo_file rw_file_perms;
-+allow httpd_script_type self:unix_stream_socket connectto;
-+
-+allow httpd_script_type httpd_t:fifo_file write;
-+# apache should set close-on-exec
-+apache_dontaudit_leaks(httpd_script_type)
-+
-+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
-+logging_search_logs(httpd_script_type)
-+
-+kernel_dontaudit_search_sysctl(httpd_script_type)
-+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
-+
-+dev_read_rand(httpd_script_type)
-+dev_read_urand(httpd_script_type)
-+
-+corecmd_exec_all_executables(httpd_script_type)
-+application_exec_all(httpd_script_type)
-+
-+files_exec_etc_files(httpd_script_type)
-+files_search_home(httpd_script_type)
-+
-+libs_exec_ld_so(httpd_script_type)
-+libs_exec_lib_files(httpd_script_type)
-+
-+miscfiles_read_fonts(httpd_script_type)
-+miscfiles_read_public_files(httpd_script_type)
-+
-+allow httpd_t httpd_script_type:unix_stream_socket connectto;
-+
-+allow httpd_t httpd_script_exec_type:file read_file_perms;
-+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
-+allow httpd_t httpd_script_type:process { signal sigkill sigstop };
-+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
-+
-+allow httpd_script_type self:process { setsched signal_perms };
-+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
-+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
-+
-+allow httpd_script_type httpd_t:fd use;
-+allow httpd_script_type httpd_t:process sigchld;
-+
-+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
-+
-+dev_read_urand(httpd_script_type)
-+
-+fs_getattr_xattr_fs(httpd_script_type)
-+
-+files_read_etc_runtime_files(httpd_script_type)
-+files_read_usr_files(httpd_script_type)
-+
-+libs_read_lib_files(httpd_script_type)
-+
-+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
-+
-+tunable_policy(`httpd_enable_cgi && nis_enabled',`
-+ nis_use_ypbind_uncond(httpd_script_type)
-+')
-+
-+optional_policy(`
-+ nscd_socket_use(httpd_script_type)
-+')
-+
-+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
-+
-+tunable_policy(`httpd_builtin_scripting',`
-+ allow httpd_t httpd_content_type:dir search_dir_perms;
-+ allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
-+
-+ allow httpd_t httpd_content_type:dir list_dir_perms;
-+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
-+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
-+
-+ allow httpd_t httpd_content_type:dir list_dir_perms;
-+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
-+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
-+')
-+
-+tunable_policy(`httpd_use_openstack',`
-+ corenet_tcp_connect_keystone_port(httpd_sys_script_t)
-+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
-+ corenet_tcp_connect_glance_port(httpd_sys_script_t)
- ')
-diff --git a/apcupsd.fc b/apcupsd.fc
-index cd07b96..f3506be 100644
---- a/apcupsd.fc
-+++ b/apcupsd.fc
-@@ -1,9 +1,13 @@
- /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
-+
- /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
-
- /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
-
-+/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
-+
- /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
- /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
-
-@@ -13,3 +17,4 @@
- /var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
- /var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
- /var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-+/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-diff --git a/apcupsd.if b/apcupsd.if
-index e342775..1fedbe5 100644
---- a/apcupsd.if
-+++ b/apcupsd.if
-@@ -123,6 +123,29 @@ interface(`apcupsd_cgi_script_domtrans',`
-
- ########################################
- ##
-+## Execute apcupsd server in the apcupsd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`apcupsd_systemctl',`
-+ gen_require(`
-+ type apcupsd_t;
-+ type apcupsd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 apcupsd_unit_file_t:file read_file_perms;
-+ allow $1 apcupsd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, apcupsd_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an apcupsd environment
- ##
-@@ -144,11 +167,16 @@ interface(`apcupsd_admin',`
- type apcupsd_log_t, apcupsd_lock_t;
- type apcupsd_var_run_t;
- type apcupsd_initrc_exec_t;
-+ type apcupsd_unit_file_t;
- ')
-
-- allow $1 apcupsd_t:process { ptrace signal_perms };
-+ allow $1 apcupsd_t:process signal_perms;
- ps_process_pattern($1, apcupsd_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 apcupsd_t:process ptrace;
-+ ')
-+
- apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 apcupsd_initrc_exec_t system_r;
-@@ -165,4 +193,8 @@ interface(`apcupsd_admin',`
-
- files_list_pids($1)
- admin_pattern($1, apcupsd_var_run_t)
-+
-+ apcupsd_systemctl($1)
-+ admin_pattern($1, apcupsd_unit_file_t)
-+ allow $1 apcupsd_unit_file_t:service all_service_perms;
- ')
-diff --git a/apcupsd.te b/apcupsd.te
-index d052bf0..8f2695f 100644
---- a/apcupsd.te
-+++ b/apcupsd.te
-@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
- type apcupsd_var_run_t;
- files_pid_file(apcupsd_var_run_t)
-
-+type apcupsd_unit_file_t;
-+systemd_unit_file(apcupsd_unit_file_t)
-+
- ########################################
- #
- # apcupsd local policy
-@@ -53,15 +56,16 @@ kernel_read_system_state(apcupsd_t)
- corecmd_exec_bin(apcupsd_t)
- corecmd_exec_shell(apcupsd_t)
-
--corenet_all_recvfrom_unlabeled(apcupsd_t)
- corenet_all_recvfrom_netlabel(apcupsd_t)
- corenet_tcp_sendrecv_generic_if(apcupsd_t)
- corenet_tcp_sendrecv_generic_node(apcupsd_t)
- corenet_tcp_sendrecv_all_ports(apcupsd_t)
- corenet_tcp_bind_generic_node(apcupsd_t)
- corenet_tcp_bind_apcupsd_port(apcupsd_t)
-+corenet_udp_bind_generic_node(apcupsd_t)
- corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
- corenet_tcp_connect_apcupsd_port(apcupsd_t)
-+corenet_udp_bind_snmp_port(apcupsd_t)
-
- dev_rw_generic_usb_dev(apcupsd_t)
-
-@@ -76,24 +80,29 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
-
- # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
- term_use_unallocated_ttys(apcupsd_t)
-+term_use_usb_ttys(apcupsd_t)
-
- #apcupsd runs shutdown, probably need a shutdown domain
- init_rw_utmp(apcupsd_t)
- init_telinit(apcupsd_t)
-
--logging_send_syslog_msg(apcupsd_t)
-+auth_read_passwd(apcupsd_t)
-
--miscfiles_read_localization(apcupsd_t)
-+logging_send_syslog_msg(apcupsd_t)
-
- sysnet_dns_name_resolve(apcupsd_t)
-
--userdom_use_user_ttys(apcupsd_t)
-+userdom_use_inherited_user_ttys(apcupsd_t)
-
- optional_policy(`
- hostname_exec(apcupsd_t)
- ')
-
- optional_policy(`
-+ shutdown_domtrans(apcupsd_t)
-+')
-+
-+optional_policy(`
- mta_send_mail(apcupsd_t)
- mta_system_content(apcupsd_tmp_t)
- ')
-@@ -113,7 +122,6 @@ optional_policy(`
- allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
-
-- corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
- corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
- corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
- corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
-diff --git a/apm.fc b/apm.fc
-index 0123777..5bfd421 100644
---- a/apm.fc
-+++ b/apm.fc
-@@ -1,3 +1,4 @@
-+/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
-
- #
- # /usr
-@@ -14,6 +15,7 @@
- /var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
-
- /var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-+/var/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
- /var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
- /var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
- /var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-diff --git a/apm.if b/apm.if
-index 1ea99b2..0b668ae 100644
---- a/apm.if
-+++ b/apm.if
-@@ -89,7 +89,7 @@ interface(`apm_append_log',`
- ')
-
- logging_search_logs($1)
-- allow $1 apmd_log_t:file append;
-+ allow $1 apmd_log_t:file append_file_perms;
- ')
-
- ########################################
-@@ -108,6 +108,28 @@ interface(`apm_stream_connect',`
- ')
-
- files_search_pids($1)
-- allow $1 apmd_var_run_t:sock_file write;
-- allow $1 apmd_t:unix_stream_socket connectto;
-+ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
-+')
-+
-+########################################
-+##
-+## Execute apmd server in the apmd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`apmd_systemctl',`
-+ gen_require(`
-+ type apmd_t;
-+ type apmd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 apmd_unit_file_t:file read_file_perms;
-+ allow $1 apmd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, apmd_t)
- ')
-diff --git a/apm.te b/apm.te
-index 1c8c27e..4c09721 100644
---- a/apm.te
-+++ b/apm.te
-@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
- #
- # Declarations
- #
-+
- type apmd_t;
- type apmd_exec_t;
- init_daemon_domain(apmd_t, apmd_exec_t)
-@@ -32,6 +33,9 @@ ifdef(`distro_suse',`
- files_type(apmd_var_lib_t)
- ')
-
-+type apmd_unit_file_t;
-+systemd_unit_file(apmd_unit_file_t)
-+
- ########################################
- #
- # apm client Local policy
-@@ -45,7 +49,7 @@ dev_rw_apm_bios(apm_t)
-
- fs_getattr_xattr_fs(apm_t)
-
--term_use_all_terms(apm_t)
-+term_use_all_inherited_terms(apm_t)
-
- domain_use_interactive_fds(apm_t)
-
-@@ -59,9 +63,10 @@ logging_send_syslog_msg(apm_t)
- # mknod: controlling an orderly resume of PCMCIA requires creating device
- # nodes 254,{0,1,2} for some reason.
- allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
--dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
-+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
- allow apmd_t self:process { signal_perms getsession };
- allow apmd_t self:fifo_file rw_fifo_file_perms;
-+allow apmd_t self:netlink_socket create_socket_perms;
- allow apmd_t self:unix_dgram_socket create_socket_perms;
- allow apmd_t self:unix_stream_socket create_stream_socket_perms;
-
-@@ -81,6 +86,8 @@ kernel_rw_all_sysctls(apmd_t)
- kernel_read_system_state(apmd_t)
- kernel_write_proc_files(apmd_t)
-
-+dev_read_input(apmd_t)
-+dev_read_mouse(apmd_t)
- dev_read_realtime_clock(apmd_t)
- dev_read_urand(apmd_t)
- dev_rw_apm_bios(apmd_t)
-@@ -96,8 +103,6 @@ fs_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
- fs_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
- fs_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
-
--selinux_search_fs(apmd_t)
--
- corecmd_exec_all_executables(apmd_t)
-
- domain_read_all_domains_state(apmd_t)
-@@ -114,6 +119,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
- files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
- files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
-
-+auth_use_nsswitch(apmd_t)
-+
- init_domtrans_script(apmd_t)
- init_rw_utmp(apmd_t)
- init_telinit(apmd_t)
-@@ -124,13 +131,12 @@ libs_exec_lib_files(apmd_t)
- logging_send_syslog_msg(apmd_t)
- logging_send_audit_msgs(apmd_t)
-
--miscfiles_read_localization(apmd_t)
- miscfiles_read_hwdata(apmd_t)
-
- modutils_domtrans_insmod(apmd_t)
- modutils_read_module_config(apmd_t)
-
--seutil_dontaudit_read_config(apmd_t)
-+seutil_sigchld_newrole(apmd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(apmd_t)
- userdom_dontaudit_search_user_home_dirs(apmd_t)
-@@ -142,9 +148,8 @@ ifdef(`distro_redhat',`
-
- can_exec(apmd_t, apmd_var_run_t)
-
-- # ifconfig_exec_t needs to be run in its own domain for Red Hat
- optional_policy(`
-- sysnet_domtrans_ifconfig(apmd_t)
-+ fstools_domtrans(apmd_t)
- ')
-
- optional_policy(`
-@@ -155,6 +160,15 @@ ifdef(`distro_redhat',`
- netutils_domtrans(apmd_t)
- ')
-
-+ # ifconfig_exec_t needs to be run in its own domain for Red Hat
-+ optional_policy(`
-+ sssd_search_lib(apmd_t)
-+ ')
-+
-+ optional_policy(`
-+ sysnet_domtrans_ifconfig(apmd_t)
-+ ')
-+
- ',`
- # for ifconfig which is run all the time
- kernel_dontaudit_search_sysctl(apmd_t)
-@@ -181,6 +195,12 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ devicekit_manage_pid_files(apmd_t)
-+ devicekit_manage_log_files(apmd_t)
-+ devicekit_relabel_log_files(apmd_t)
-+')
-+
-+optional_policy(`
- dbus_system_bus_client(apmd_t)
-
- optional_policy(`
-@@ -210,7 +230,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-- seutil_sigchld_newrole(apmd_t)
-+ shutdown_domtrans(apmd_t)
-+')
-+
-+optional_policy(`
-+ systemd_dbus_chat_logind(apmd_t)
- ')
-
- optional_policy(`
-diff --git a/apt.te b/apt.te
-index 8555315..af9bcbe 100644
---- a/apt.te
-+++ b/apt.te
-@@ -94,7 +94,6 @@ kernel_read_kernel_sysctls(apt_t)
- corecmd_exec_bin(apt_t)
- corecmd_exec_shell(apt_t)
-
--corenet_all_recvfrom_unlabeled(apt_t)
- corenet_all_recvfrom_netlabel(apt_t)
- corenet_tcp_sendrecv_generic_if(apt_t)
- corenet_udp_sendrecv_generic_if(apt_t)
-@@ -121,20 +120,18 @@ fs_getattr_all_fs(apt_t)
-
- term_create_pty(apt_t, apt_devpts_t)
- term_list_ptys(apt_t)
--term_use_all_terms(apt_t)
-+term_use_all_inherited_terms(apt_t)
-
- libs_exec_ld_so(apt_t)
- libs_exec_lib_files(apt_t)
-
- logging_send_syslog_msg(apt_t)
-
--miscfiles_read_localization(apt_t)
--
- seutil_use_newrole_fds(apt_t)
-
- sysnet_read_config(apt_t)
-
--userdom_use_user_terminals(apt_t)
-+userdom_use_inherited_user_terminals(apt_t)
-
- # with boolean, for cron-apt and such?
- #optional_policy(`
-diff --git a/arpwatch.fc b/arpwatch.fc
-index a86a6c7..ab50afe 100644
---- a/arpwatch.fc
-+++ b/arpwatch.fc
-@@ -1,5 +1,7 @@
- /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
-+
- #
- # /usr
- #
-diff --git a/arpwatch.if b/arpwatch.if
-index c804110..06a516f 100644
---- a/arpwatch.if
-+++ b/arpwatch.if
-@@ -115,6 +115,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
-
- ########################################
- ##
-+## Execute arpwatch server in the arpwatch domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`arpwatch_systemctl',`
-+ gen_require(`
-+ type arpwatch_t;
-+ type arpwatch_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 arpwatch_unit_file_t:file read_file_perms;
-+ allow $1 arpwatch_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, arpwatch_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an arpwatch environment
- ##
-@@ -135,11 +158,16 @@ interface(`arpwatch_admin',`
- type arpwatch_t, arpwatch_tmp_t;
- type arpwatch_data_t, arpwatch_var_run_t;
- type arpwatch_initrc_exec_t;
-+ type arpwatch_unit_file_t;
- ')
-
-- allow $1 arpwatch_t:process { ptrace signal_perms getattr };
-+ allow $1 arpwatch_t:process signal_perms;
- ps_process_pattern($1, arpwatch_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 arpwatch_t:process ptrace;
-+ ')
-+
- arpwatch_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 arpwatch_initrc_exec_t system_r;
-@@ -153,4 +181,8 @@ interface(`arpwatch_admin',`
-
- files_list_pids($1)
- admin_pattern($1, arpwatch_var_run_t)
-+
-+ arpwatch_systemctl($1)
-+ admin_pattern($1, arpwatch_unit_file_t)
-+ allow $1 arpwatch_unit_file_t:service all_service_perms;
- ')
-diff --git a/arpwatch.te b/arpwatch.te
-index 804135f..8d012f7 100644
---- a/arpwatch.te
-+++ b/arpwatch.te
-@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
- type arpwatch_var_run_t;
- files_pid_file(arpwatch_var_run_t)
-
-+type arpwatch_unit_file_t;
-+systemd_unit_file(arpwatch_unit_file_t)
-+
- ########################################
- #
- # Local policy
-@@ -34,6 +37,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
- allow arpwatch_t self:udp_socket create_socket_perms;
- allow arpwatch_t self:packet_socket create_socket_perms;
- allow arpwatch_t self:socket create_socket_perms;
-+allow arpwatch_t self:netlink_socket create_socket_perms;
-
- manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
- manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
-@@ -47,12 +51,12 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
- files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
-
- kernel_read_network_state(arpwatch_t)
-+# meminfo
-+kernel_read_system_state(arpwatch_t)
- kernel_read_kernel_sysctls(arpwatch_t)
--kernel_list_proc(arpwatch_t)
- kernel_read_proc_symlinks(arpwatch_t)
- kernel_request_load_module(arpwatch_t)
-
--corenet_all_recvfrom_unlabeled(arpwatch_t)
- corenet_all_recvfrom_netlabel(arpwatch_t)
- corenet_tcp_sendrecv_generic_if(arpwatch_t)
- corenet_udp_sendrecv_generic_if(arpwatch_t)
-@@ -74,7 +78,6 @@ corecmd_read_bin_symlinks(arpwatch_t)
-
- domain_use_interactive_fds(arpwatch_t)
-
--files_read_etc_files(arpwatch_t)
- files_read_usr_files(arpwatch_t)
- files_search_var_lib(arpwatch_t)
-
-@@ -82,8 +85,6 @@ auth_use_nsswitch(arpwatch_t)
-
- logging_send_syslog_msg(arpwatch_t)
-
--miscfiles_read_localization(arpwatch_t)
--
- userdom_dontaudit_search_user_home_dirs(arpwatch_t)
- userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
-
-diff --git a/asterisk.if b/asterisk.if
-index b6168fd..313c6e4 100644
---- a/asterisk.if
-+++ b/asterisk.if
-@@ -105,9 +105,13 @@ interface(`asterisk_admin',`
- type asterisk_initrc_exec_t;
- ')
-
-- allow $1 asterisk_t:process { ptrace signal_perms getattr };
-+ allow $1 asterisk_t:process signal_perms;
- ps_process_pattern($1, asterisk_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 asterisk_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 asterisk_initrc_exec_t system_r;
-diff --git a/asterisk.te b/asterisk.te
-index 159610b..164b672 100644
---- a/asterisk.te
-+++ b/asterisk.te
-@@ -20,10 +20,11 @@ type asterisk_log_t;
- logging_log_file(asterisk_log_t)
-
- type asterisk_spool_t;
--files_type(asterisk_spool_t)
-+files_spool_file(asterisk_spool_t)
-
- type asterisk_tmp_t;
- files_tmp_file(asterisk_tmp_t)
-+mta_system_content(asterisk_tmp_t)
-
- type asterisk_tmpfs_t;
- files_tmpfs_file(asterisk_tmpfs_t)
-@@ -40,8 +41,8 @@ files_pid_file(asterisk_var_run_t)
- #
-
- # dac_override for /var/run/asterisk
--allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin chown };
--dontaudit asterisk_t self:capability sys_tty_config;
-+allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
-+dontaudit asterisk_t self:capability { sys_module sys_tty_config };
- allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
- allow asterisk_t self:fifo_file rw_fifo_file_perms;
- allow asterisk_t self:sem create_sem_perms;
-@@ -77,11 +78,13 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
- manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
- files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
-
-+manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
- manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
- manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
- manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
--files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
-+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file })
-
-+kernel_read_network_state(asterisk_t)
- kernel_read_system_state(asterisk_t)
- kernel_read_kernel_sysctls(asterisk_t)
- kernel_request_load_module(asterisk_t)
-@@ -89,7 +92,6 @@ kernel_request_load_module(asterisk_t)
- corecmd_exec_bin(asterisk_t)
- corecmd_exec_shell(asterisk_t)
-
--corenet_all_recvfrom_unlabeled(asterisk_t)
- corenet_all_recvfrom_netlabel(asterisk_t)
- corenet_tcp_sendrecv_generic_if(asterisk_t)
- corenet_udp_sendrecv_generic_if(asterisk_t)
-@@ -109,9 +111,13 @@ corenet_tcp_bind_generic_port(asterisk_t)
- corenet_udp_bind_generic_port(asterisk_t)
- corenet_dontaudit_udp_bind_all_ports(asterisk_t)
- corenet_sendrecv_generic_server_packets(asterisk_t)
-+corenet_tcp_connect_festival_port(asterisk_t)
-+corenet_tcp_connect_jabber_client_port(asterisk_t)
-+corenet_tcp_connect_pktcable_port(asterisk_t)
- corenet_tcp_connect_postgresql_port(asterisk_t)
- corenet_tcp_connect_snmp_port(asterisk_t)
- corenet_tcp_connect_sip_port(asterisk_t)
-+corenet_tcp_connect_jabber_client_port(asterisk_t)
-
- dev_rw_generic_usb_dev(asterisk_t)
- dev_read_sysfs(asterisk_t)
-@@ -122,11 +128,11 @@ dev_read_urand(asterisk_t)
-
- domain_use_interactive_fds(asterisk_t)
-
--files_read_etc_files(asterisk_t)
- files_search_spool(asterisk_t)
- # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
- # are labeled usr_t
- files_read_usr_files(asterisk_t)
-+files_dontaudit_search_home(asterisk_t)
-
- fs_getattr_all_fs(asterisk_t)
- fs_list_inotifyfs(asterisk_t)
-@@ -137,12 +143,14 @@ auth_use_nsswitch(asterisk_t)
-
- logging_send_syslog_msg(asterisk_t)
-
--miscfiles_read_localization(asterisk_t)
--
- userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
- userdom_dontaudit_search_user_home_dirs(asterisk_t)
-
- optional_policy(`
-+ alsa_read_rw_config(asterisk_t)
-+')
-+
-+optional_policy(`
- mysql_stream_connect(asterisk_t)
- ')
-
-diff --git a/authconfig.fc b/authconfig.fc
-new file mode 100644
-index 0000000..86bbf21
---- /dev/null
-+++ b/authconfig.fc
-@@ -0,0 +1,3 @@
-+/usr/share/authconfig/authconfig.py -- gen_context(system_u:object_r:authconfig_exec_t,s0)
-+
-+/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0)
-diff --git a/authconfig.if b/authconfig.if
-new file mode 100644
-index 0000000..98ab9ed
---- /dev/null
-+++ b/authconfig.if
-@@ -0,0 +1,132 @@
-+
-+## policy for authconfig
-+
-+########################################
-+##
-+## Execute TEMPLATE in the authconfig domin.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`authconfig_domtrans',`
-+ gen_require(`
-+ type authconfig_t, authconfig_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, authconfig_exec_t, authconfig_t)
-+')
-+
-+########################################
-+##
-+## Search authconfig lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`authconfig_search_lib',`
-+ gen_require(`
-+ type authconfig_var_lib_t;
-+ ')
-+
-+ allow $1 authconfig_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read authconfig lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`authconfig_read_lib_files',`
-+ gen_require(`
-+ type authconfig_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage authconfig lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`authconfig_manage_lib_files',`
-+ gen_require(`
-+ type authconfig_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage authconfig lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`authconfig_manage_lib_dirs',`
-+ gen_require(`
-+ type authconfig_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an authconfig environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`authconfig_admin',`
-+ gen_require(`
-+ type authconfig_t;
-+ type authconfig_var_lib_t;
-+ ')
-+
-+ allow $1 authconfig_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, authconfig_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, authconfig_var_lib_t)
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/authconfig.te b/authconfig.te
-new file mode 100644
-index 0000000..aeea7cf
---- /dev/null
-+++ b/authconfig.te
-@@ -0,0 +1,33 @@
-+policy_module(authconfig, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type authconfig_t;
-+type authconfig_exec_t;
-+application_domain(authconfig_t, authconfig_exec_t)
-+
-+type authconfig_var_lib_t;
-+files_type(authconfig_var_lib_t)
-+
-+########################################
-+#
-+# authconfig local policy
-+#
-+allow authconfig_t self:fifo_file rw_fifo_file_perms;
-+allow authconfig_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
-+manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
-+manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
-+files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
-+
-+domain_use_interactive_fds(authconfig_t)
-+
-+files_read_etc_files(authconfig_t)
-+
-+init_domtrans_script(authconfig_t)
-+
-+unconfined_domain_noaudit(authconfig_t)
-diff --git a/automount.fc b/automount.fc
-index f16ab68..e4178a4 100644
---- a/automount.fc
-+++ b/automount.fc
-@@ -4,6 +4,8 @@
- /etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
- /etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0)
-+
- #
- # /usr
- #
-diff --git a/automount.if b/automount.if
-index d80a16b..ef740ef 100644
---- a/automount.if
-+++ b/automount.if
-@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
- ##
- ##
- #
--#
- interface(`automount_signal',`
- gen_require(`
- type automount_t;
-@@ -123,7 +122,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
- type automount_tmp_t;
- ')
-
-- dontaudit $1 automount_tmp_t:dir getattr;
-+ dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
-+')
-+
-+########################################
-+##
-+## Execute automount server in the automount domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`automount_systemctl',`
-+ gen_require(`
-+ type automount_t;
-+ type automount_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 automount_unit_file_t:file read_file_perms;
-+ allow $1 automount_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, automount_t)
- ')
-
- ########################################
-@@ -147,11 +169,16 @@ interface(`automount_admin',`
- gen_require(`
- type automount_t, automount_lock_t, automount_tmp_t;
- type automount_var_run_t, automount_initrc_exec_t;
-+ type automount_unit_file_t;
- ')
-
-- allow $1 automount_t:process { ptrace signal_perms getattr };
-+ allow $1 automount_t:process signal_perms;
- ps_process_pattern($1, automount_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 automount_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, automount_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 automount_initrc_exec_t system_r;
-@@ -165,4 +192,8 @@ interface(`automount_admin',`
-
- files_list_pids($1)
- admin_pattern($1, automount_var_run_t)
-+
-+ automount_systemctl($1)
-+ admin_pattern($1, automount_unit_file_t)
-+ allow $1 automount_unit_file_t:service all_service_perms;
- ')
-diff --git a/automount.te b/automount.te
-index 39799db..6264256 100644
---- a/automount.te
-+++ b/automount.te
-@@ -22,6 +22,9 @@ type automount_tmp_t;
- files_tmp_file(automount_tmp_t)
- files_mountpoint(automount_tmp_t)
-
-+type automount_unit_file_t;
-+systemd_unit_file(automount_unit_file_t)
-+
- ########################################
- #
- # Local policy
-@@ -56,14 +59,17 @@ manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
- files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
-
- kernel_read_kernel_sysctls(automount_t)
-+kernel_read_vm_sysctls(automount_t)
- kernel_read_irq_sysctls(automount_t)
- kernel_read_fs_sysctls(automount_t)
- kernel_read_proc_symlinks(automount_t)
- kernel_read_system_state(automount_t)
- kernel_read_network_state(automount_t)
-+kernel_search_vm_sysctl(automount_t)
- kernel_list_proc(automount_t)
- kernel_dontaudit_search_xen_state(automount_t)
-
-+files_read_usr_files(automount_t)
- files_search_boot(automount_t)
- # Automount is slowly adding all mount functionality internally
- files_search_all(automount_t)
-@@ -79,7 +85,6 @@ fs_search_all(automount_t)
- corecmd_exec_bin(automount_t)
- corecmd_exec_shell(automount_t)
-
--corenet_all_recvfrom_unlabeled(automount_t)
- corenet_all_recvfrom_netlabel(automount_t)
- corenet_tcp_sendrecv_generic_if(automount_t)
- corenet_udp_sendrecv_generic_if(automount_t)
-@@ -113,7 +118,6 @@ files_dontaudit_write_var_dirs(automount_t)
- files_getattr_all_dirs(automount_t)
- files_list_mnt(automount_t)
- files_getattr_home_dir(automount_t)
--files_read_etc_files(automount_t)
- files_read_etc_runtime_files(automount_t)
- # for if the mount point is not labelled
- files_getattr_isid_type_dirs(automount_t)
-@@ -140,13 +144,8 @@ auth_use_nsswitch(automount_t)
- logging_send_syslog_msg(automount_t)
- logging_search_logs(automount_t)
-
--miscfiles_read_localization(automount_t)
- miscfiles_read_generic_certs(automount_t)
-
--# Run mount in the mount_t domain.
--mount_domtrans(automount_t)
--mount_signal(automount_t)
--
- userdom_dontaudit_use_unpriv_user_fds(automount_t)
- userdom_dontaudit_search_user_home_dirs(automount_t)
-
-@@ -155,6 +154,13 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ # Run mount in the mount_t domain.
-+ mount_domtrans(automount_t)
-+ mount_domtrans_showmount(automount_t)
-+ mount_signal(automount_t)
-+')
-+
-+optional_policy(`
- fstools_domtrans(automount_t)
- ')
-
-diff --git a/avahi.fc b/avahi.fc
-index 7e36549..010b2bc 100644
---- a/avahi.fc
-+++ b/avahi.fc
-@@ -1,5 +1,7 @@
- /etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
-+
- /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
- /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
- /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
-diff --git a/avahi.if b/avahi.if
-index 61c74bc..17b3ecc 100644
---- a/avahi.if
-+++ b/avahi.if
-@@ -133,6 +133,29 @@ interface(`avahi_dontaudit_search_pid',`
-
- ########################################
- ##
-+## Execute avahi server in the avahi domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`avahi_systemctl',`
-+ gen_require(`
-+ type avahi_t;
-+ type avahi_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 avahi_unit_file_t:file read_file_perms;
-+ allow $1 avahi_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, avahi_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an avahi environment
- ##
-@@ -151,11 +174,16 @@ interface(`avahi_dontaudit_search_pid',`
- interface(`avahi_admin',`
- gen_require(`
- type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
-+ type avahi_unit_file_t;
- ')
-
-- allow $1 avahi_t:process { ptrace signal_perms };
-+ allow $1 avahi_t:process signal_perms;
- ps_process_pattern($1, avahi_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 avahi_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, avahi_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 avahi_initrc_exec_t system_r;
-@@ -163,4 +191,8 @@ interface(`avahi_admin',`
-
- files_list_pids($1)
- admin_pattern($1, avahi_var_run_t)
-+
-+ avahi_systemctl($1)
-+ admin_pattern($1, avahi_unit_file_t)
-+ allow $1 avahi_unit_file_t:service all_service_perms;
- ')
-diff --git a/avahi.te b/avahi.te
-index a7a0e71..34bc1be 100644
---- a/avahi.te
-+++ b/avahi.te
-@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
-
- type avahi_var_run_t;
- files_pid_file(avahi_var_run_t)
-+init_sock_file(avahi_var_run_t)
-+
-+type avahi_unit_file_t;
-+systemd_unit_file(avahi_unit_file_t)
-
- ########################################
- #
-@@ -46,11 +50,11 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
- kernel_read_system_state(avahi_t)
- kernel_read_kernel_sysctls(avahi_t)
- kernel_read_network_state(avahi_t)
-+kernel_request_load_module(avahi_t)
-
- corecmd_exec_bin(avahi_t)
- corecmd_exec_shell(avahi_t)
-
--corenet_all_recvfrom_unlabeled(avahi_t)
- corenet_all_recvfrom_netlabel(avahi_t)
- corenet_tcp_sendrecv_generic_if(avahi_t)
- corenet_udp_sendrecv_generic_if(avahi_t)
-@@ -73,8 +77,8 @@ fs_search_auto_mountpoints(avahi_t)
- fs_list_inotifyfs(avahi_t)
-
- domain_use_interactive_fds(avahi_t)
-+domain_dontaudit_signull_all_domains(avahi_t)
-
--files_read_etc_files(avahi_t)
- files_read_etc_runtime_files(avahi_t)
- files_read_usr_files(avahi_t)
-
-@@ -85,13 +89,14 @@ init_signull_script(avahi_t)
-
- logging_send_syslog_msg(avahi_t)
-
--miscfiles_read_localization(avahi_t)
- miscfiles_read_generic_certs(avahi_t)
-
- sysnet_domtrans_ifconfig(avahi_t)
- sysnet_manage_config(avahi_t)
- sysnet_etc_filetrans_config(avahi_t)
-
-+systemd_login_signull(avahi_t)
-+
- userdom_dontaudit_use_unpriv_user_fds(avahi_t)
- userdom_dontaudit_search_user_home_dirs(avahi_t)
-
-@@ -104,6 +109,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rpcbind_signull(avahi_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(avahi_t)
- ')
-
-diff --git a/awstats.if b/awstats.if
-index 283ff0d..53f9ba1 100644
---- a/awstats.if
-+++ b/awstats.if
-@@ -5,6 +5,25 @@
-
- ########################################
- ##
-+## Execute the awstats program in the awstats domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`awstats_domtrans',`
-+ gen_require(`
-+ type awstats_t, awstats_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, awstats_exec_t, awstats_t)
-+')
-+
-+########################################
-+##
- ## Read and write awstats unnamed pipes.
- ##
- ##
-diff --git a/awstats.te b/awstats.te
-index 6bd3ad3..9cd42eb 100644
---- a/awstats.te
-+++ b/awstats.te
-@@ -5,6 +5,13 @@ policy_module(awstats, 1.4.0)
- # Declarations
- #
-
-+##
-+##
-+## Allow awstats to purge Apache logs
-+##
-+##
-+gen_tunable(awstats_purge_apache_log, false)
-+
- type awstats_t;
- type awstats_exec_t;
- domain_type(awstats_t)
-@@ -17,8 +24,6 @@ files_tmp_file(awstats_tmp_t)
- type awstats_var_lib_t;
- files_type(awstats_var_lib_t)
-
--apache_content_template(awstats)
--
- ########################################
- #
- # awstats policy
-@@ -55,11 +60,15 @@ libs_read_lib_files(awstats_t)
-
- logging_read_generic_logs(awstats_t)
-
--miscfiles_read_localization(awstats_t)
--
- sysnet_dns_name_resolve(awstats_t)
-
--apache_read_log(awstats_t)
-+tunable_policy(`awstats_purge_apache_log',`
-+ apache_write_log(awstats_t)
-+')
-+
-+optional_policy(`
-+ apache_read_log(awstats_t)
-+')
-
- optional_policy(`
- cron_system_entry(awstats_t, awstats_exec_t)
-@@ -79,7 +88,16 @@ optional_policy(`
- # awstats cgi script policy
- #
-
--allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
-+optional_policy(`
-+ apache_content_template(awstats)
-+ apache_read_log(httpd_awstats_script_t)
-+
-+ manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
-+ manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
-+ files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file })
-
--read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
--files_search_var_lib(httpd_awstats_script_t)
-+ allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
-+
-+ read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
-+ files_search_var_lib(httpd_awstats_script_t)
-+')
-diff --git a/backup.te b/backup.te
-index 0bfc958..81fc8bd 100644
---- a/backup.te
-+++ b/backup.te
-@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(backup_t)
- corecmd_exec_bin(backup_t)
- corecmd_exec_shell(backup_t)
-
--corenet_all_recvfrom_unlabeled(backup_t)
- corenet_all_recvfrom_netlabel(backup_t)
- corenet_tcp_sendrecv_generic_if(backup_t)
- corenet_udp_sendrecv_generic_if(backup_t)
-@@ -70,7 +69,7 @@ logging_send_syslog_msg(backup_t)
-
- sysnet_read_config(backup_t)
-
--userdom_use_user_terminals(backup_t)
-+userdom_use_inherited_user_terminals(backup_t)
-
- optional_policy(`
- cron_system_entry(backup_t, backup_exec_t)
-diff --git a/bacula.te b/bacula.te
-index fc4ba2a..813e5c1 100644
---- a/bacula.te
-+++ b/bacula.te
-@@ -111,7 +111,6 @@ domain_use_interactive_fds(bacula_admin_t)
-
- files_read_etc_files(bacula_admin_t)
-
--miscfiles_read_localization(bacula_admin_t)
-
- sysnet_dns_name_resolve(bacula_admin_t)
-
-diff --git a/bcfg2.fc b/bcfg2.fc
-index f5413da..9e06a9d 100644
---- a/bcfg2.fc
-+++ b/bcfg2.fc
-@@ -1,5 +1,7 @@
- /etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
-+
- /usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
-
- /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
-diff --git a/bcfg2.if b/bcfg2.if
-index b289d93..070f22b 100644
---- a/bcfg2.if
-+++ b/bcfg2.if
-@@ -115,6 +115,31 @@ interface(`bcfg2_manage_lib_dirs',`
-
- ########################################
- ##
-+## Execute bcfg2 server in the bcfg2 domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`bcfg2_systemctl',`
-+ gen_require(`
-+ type bcfg2_t;
-+ type bcfg2_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 bcfg2_unit_file_t:file read_file_perms;
-+ allow $1 bcfg2_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, bcfg2_t)
-+')
-+
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an bcfg2 environment
- ##
-@@ -135,6 +160,7 @@ interface(`bcfg2_admin',`
- type bcfg2_t;
- type bcfg2_initrc_exec_t;
- type bcfg2_var_lib_t;
-+ type bcfg2_unit_file_t;
- ')
-
- allow $1 bcfg2_t:process { ptrace signal_perms };
-@@ -147,4 +173,13 @@ interface(`bcfg2_admin',`
-
- files_search_var_lib($1)
- admin_pattern($1, bcfg2_var_lib_t)
-+
-+ bcfg2_systemctl($1)
-+ admin_pattern($1, bcfg2_unit_file_t)
-+ allow $1 bcfg2_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
- ')
-diff --git a/bcfg2.te b/bcfg2.te
-index cf8e59f..ad57d4a 100644
---- a/bcfg2.te
-+++ b/bcfg2.te
-@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
- type bcfg2_var_lib_t;
- files_type(bcfg2_var_lib_t)
-
-+type bcfg2_unit_file_t;
-+systemd_unit_file(bcfg2_unit_file_t)
-+
- type bcfg2_var_run_t;
- files_pid_file(bcfg2_var_run_t)
-
-@@ -36,6 +39,8 @@ files_pid_filetrans(bcfg2_t, bcfg2_var_run_t, file )
-
- kernel_read_system_state(bcfg2_t)
-
-+corenet_tcp_bind_cyphesis_port(bcfg2_t)
-+
- corecmd_exec_bin(bcfg2_t)
-
- dev_read_urand(bcfg2_t)
-@@ -47,5 +52,3 @@ files_read_usr_files(bcfg2_t)
- auth_use_nsswitch(bcfg2_t)
-
- logging_send_syslog_msg(bcfg2_t)
--
--miscfiles_read_localization(bcfg2_t)
-diff --git a/bind.fc b/bind.fc
-index 59aa54f..b01072c 100644
---- a/bind.fc
-+++ b/bind.fc
-@@ -4,6 +4,11 @@
- /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
- /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
- /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-+/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-+
-+/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
-+/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
-
- /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
- /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
-diff --git a/bind.if b/bind.if
-index 44a1e3d..bc50fd6 100644
---- a/bind.if
-+++ b/bind.if
-@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
-
- ########################################
- ##
-+## Execute bind server in the bind domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`bind_systemctl',`
-+ gen_require(`
-+ type named_unit_file_t;
-+ type named_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 named_unit_file_t:file read_file_perms;
-+ allow $1 named_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, named_t)
-+')
-+
-+########################################
-+##
- ## Execute ndc in the ndc domain.
- ##
- ##
-@@ -167,6 +190,7 @@ interface(`bind_read_config',`
- type named_conf_t;
- ')
-
-+ allow $1 named_conf_t:dir list_dir_perms;
- read_files_pattern($1, named_conf_t, named_conf_t)
- ')
-
-@@ -186,7 +210,7 @@ interface(`bind_write_config',`
- ')
-
- write_files_pattern($1, named_conf_t, named_conf_t)
-- allow $1 named_conf_t:file setattr;
-+ allow $1 named_conf_t:file setattr_file_perms;
- ')
-
- ########################################
-@@ -210,6 +234,25 @@ interface(`bind_manage_config_dirs',`
-
- ########################################
- ##
-+## Create, read, write, and delete
-+## BIND configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bind_manage_config',`
-+ gen_require(`
-+ type named_conf_t;
-+ ')
-+
-+ manage_files_pattern($1, named_conf_t, named_conf_t)
-+')
-+
-+########################################
-+##
- ## Search the BIND cache directory.
- ##
- ##
-@@ -266,7 +309,7 @@ interface(`bind_setattr_pid_dirs',`
- type named_var_run_t;
- ')
-
-- allow $1 named_var_run_t:dir setattr;
-+ allow $1 named_var_run_t:dir setattr_dir_perms;
- ')
-
- ########################################
-@@ -284,7 +327,7 @@ interface(`bind_setattr_zone_dirs',`
- type named_zone_t;
- ')
-
-- allow $1 named_zone_t:dir setattr;
-+ allow $1 named_zone_t:dir setattr_dir_perms;
- ')
-
- ########################################
-@@ -308,6 +351,27 @@ interface(`bind_read_zone',`
-
- ########################################
- ##
-+## Read BIND zone files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bind_read_log',`
-+ gen_require(`
-+ type named_zone_t;
-+ type named_log_t;
-+ ')
-+
-+ files_search_var($1)
-+ allow $1 named_zone_t:dir search_dir_perms;
-+ read_files_pattern($1, named_log_t, named_log_t)
-+')
-+
-+########################################
-+##
- ## Manage BIND zone files.
- ##
- ##
-@@ -359,18 +423,26 @@ interface(`bind_udp_chat_named',`
- interface(`bind_admin',`
- gen_require(`
- type named_t, named_tmp_t, named_log_t;
-- type named_conf_t, named_var_lib_t, named_var_run_t;
-- type named_cache_t, named_zone_t;
-- type dnssec_t, ndc_t;
-- type named_initrc_exec_t;
-+ type named_conf_t, named_var_run_t, named_cache_t;
-+ type named_zone_t, named_initrc_exec_t;
-+ type dnssec_t, ndc_t, named_keytab_t;
-+ type named_unit_file_t;
- ')
-
-- allow $1 named_t:process { ptrace signal_perms };
-+ allow $1 named_t:process signal_perms;
- ps_process_pattern($1, named_t)
-
-- allow $1 ndc_t:process { ptrace signal_perms };
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 named_t:process ptrace;
-+ ')
-+
-+ allow $1 ndc_t:process signal_perms;
- ps_process_pattern($1, ndc_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ndc_t:process ptrace;
-+ ')
-+
- bind_run_ndc($1, $2)
-
- init_labeled_script_domtrans($1, named_initrc_exec_t)
-@@ -391,9 +463,12 @@ interface(`bind_admin',`
- admin_pattern($1, named_zone_t)
- admin_pattern($1, dnssec_t)
-
-- files_list_var_lib($1)
-- admin_pattern($1, named_var_lib_t)
-+ admin_pattern($1, named_keytab_t)
-
- files_list_pids($1)
- admin_pattern($1, named_var_run_t)
-+
-+ admin_pattern($1, named_unit_file_t)
-+ bind_systemctl($1)
-+ allow $1 named_unit_file_t:service all_service_perms;
- ')
-diff --git a/bind.te b/bind.te
-index 0968cb4..70bebb1 100644
---- a/bind.te
-+++ b/bind.te
-@@ -6,6 +6,13 @@ policy_module(bind, 1.11.0)
- #
-
- ##
-+##
-+## Allow BIND to bind apache port.
-+##
-+##
-+gen_tunable(named_bind_http_port, false)
-+
-+##
- ##
- ## Allow BIND to write the master zone files.
- ## Generally this is used for dynamic DNS or zone transfers.
-@@ -16,6 +23,7 @@ gen_tunable(named_write_master_zones, false)
- # for DNSSEC key files
- type dnssec_t;
- files_security_file(dnssec_t)
-+files_mountpoint(dnssec_t)
-
- type named_t;
- type named_exec_t;
-@@ -27,7 +35,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
-
- # A type for configuration files of named.
- type named_conf_t;
--files_type(named_conf_t)
-+files_config_file(named_conf_t)
- files_mountpoint(named_conf_t)
-
- # for secondary zone files
-@@ -37,6 +45,9 @@ files_type(named_cache_t)
- type named_initrc_exec_t;
- init_script_file(named_initrc_exec_t)
-
-+type named_unit_file_t;
-+systemd_unit_file(named_unit_file_t)
-+
- type named_log_t;
- logging_log_file(named_log_t)
-
-@@ -89,9 +100,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
- manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
- files_tmp_filetrans(named_t, named_tmp_t, { file dir })
-
-+manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t)
- manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
- manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
--files_pid_filetrans(named_t, named_var_run_t, { file sock_file })
-+files_pid_filetrans(named_t, named_var_run_t, { file sock_file dir })
-
- # read zone files
- allow named_t named_zone_t:dir list_dir_perms;
-@@ -104,7 +116,6 @@ kernel_read_network_state(named_t)
-
- corecmd_search_bin(named_t)
-
--corenet_all_recvfrom_unlabeled(named_t)
- corenet_all_recvfrom_netlabel(named_t)
- corenet_tcp_sendrecv_generic_if(named_t)
- corenet_udp_sendrecv_generic_if(named_t)
-@@ -131,7 +142,6 @@ dev_read_urand(named_t)
-
- domain_use_interactive_fds(named_t)
-
--files_read_etc_files(named_t)
- files_read_etc_runtime_files(named_t)
-
- fs_getattr_all_fs(named_t)
-@@ -141,12 +151,15 @@ auth_use_nsswitch(named_t)
-
- logging_send_syslog_msg(named_t)
-
--miscfiles_read_localization(named_t)
- miscfiles_read_generic_certs(named_t)
-
- userdom_dontaudit_use_unpriv_user_fds(named_t)
- userdom_dontaudit_search_user_home_dirs(named_t)
-
-+tunable_policy(`named_bind_http_port',`
-+ corenet_tcp_bind_http_port(named_t)
-+')
-+
- tunable_policy(`named_write_master_zones',`
- manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
- manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -154,6 +167,12 @@ tunable_policy(`named_write_master_zones',`
- ')
-
- optional_policy(`
-+ # needed by FreeIPA with DNS support
-+ dirsrv_stream_connect(named_t)
-+ ldap_stream_connect(named_t)
-+')
-+
-+optional_policy(`
- init_dbus_chat_script(named_t)
-
- sysnet_dbus_chat_dhcpc(named_t)
-@@ -168,6 +187,7 @@ optional_policy(`
-
- optional_policy(`
- kerberos_keytab_template(named, named_t)
-+ kerberos_tmp_filetrans_host_rcache(named_t, "DNS_25")
- ')
-
- optional_policy(`
-@@ -199,6 +219,7 @@ optional_policy(`
-
- # cjp: why net_admin?!
- allow ndc_t self:capability { dac_override net_admin };
-+allow ndc_t self:capability2 block_suspend;
- allow ndc_t self:process { fork signal_perms };
- allow ndc_t self:fifo_file rw_fifo_file_perms;
- allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
-@@ -211,13 +232,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
- stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
-
- allow ndc_t named_conf_t:file read_file_perms;
--allow ndc_t named_conf_t:lnk_file { getattr read };
-+allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
-
- allow ndc_t named_zone_t:dir search_dir_perms;
-
-+kernel_read_system_state(ndc_t)
- kernel_read_kernel_sysctls(ndc_t)
-
--corenet_all_recvfrom_unlabeled(ndc_t)
- corenet_all_recvfrom_netlabel(ndc_t)
- corenet_tcp_sendrecv_generic_if(ndc_t)
- corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -228,28 +249,26 @@ corenet_sendrecv_rndc_client_packets(ndc_t)
-
- domain_use_interactive_fds(ndc_t)
-
--files_read_etc_files(ndc_t)
- files_search_pids(ndc_t)
-
- fs_getattr_xattr_fs(ndc_t)
-
-+auth_use_nsswitch(ndc_t)
-+
- init_use_fds(ndc_t)
- init_use_script_ptys(ndc_t)
-
- logging_send_syslog_msg(ndc_t)
-
--miscfiles_read_localization(ndc_t)
-+userdom_use_inherited_user_terminals(ndc_t)
-
- sysnet_read_config(ndc_t)
--sysnet_dns_name_resolve(ndc_t)
--
--userdom_use_user_terminals(ndc_t)
-
- term_dontaudit_use_console(ndc_t)
-
- # for /etc/rndc.key
- ifdef(`distro_redhat',`
-- allow ndc_t named_conf_t:dir search;
-+ allow ndc_t named_conf_t:dir search_dir_perms;
- ')
-
- optional_policy(`
-diff --git a/bitlbee.fc b/bitlbee.fc
-index 0197980..909ce04 100644
---- a/bitlbee.fc
-+++ b/bitlbee.fc
-@@ -1,6 +1,13 @@
- /etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
- /etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
-
-+/usr/bin/bip -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
- /usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
-
- /var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
-+
-+/var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0)
-+
-+/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
-+/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
-+/var/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0)
-diff --git a/bitlbee.if b/bitlbee.if
-index de0bd67..1df2048 100644
---- a/bitlbee.if
-+++ b/bitlbee.if
-@@ -43,9 +43,13 @@ interface(`bitlbee_admin',`
- type bitlbee_initrc_exec_t;
- ')
-
-- allow $1 bitlbee_t:process { ptrace signal_perms };
-+ allow $1 bitlbee_t:process signal_perms;
- ps_process_pattern($1, bitlbee_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 bitlbee_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bitlbee_initrc_exec_t system_r;
-diff --git a/bitlbee.te b/bitlbee.te
-index f4e7ad3..8e85e9d 100644
---- a/bitlbee.te
-+++ b/bitlbee.te
-@@ -22,36 +22,57 @@ files_tmp_file(bitlbee_tmp_t)
- type bitlbee_var_t;
- files_type(bitlbee_var_t)
-
-+type bitlbee_log_t;
-+logging_log_file(bitlbee_log_t)
-+
-+type bitlbee_var_run_t;
-+files_pid_file(bitlbee_var_run_t)
-+
- ########################################
- #
- # Local policy
- #
-
--allow bitlbee_t self:capability { setgid setuid };
--allow bitlbee_t self:process signal;
-+allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
-+allow bitlbee_t self:process { setsched signal };
-+
-+allow bitlbee_t self:fifo_file rw_fifo_file_perms;
- allow bitlbee_t self:udp_socket create_socket_perms;
- allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
- allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
--allow bitlbee_t self:fifo_file rw_fifo_file_perms;
-+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
-
- bitlbee_read_config(bitlbee_t)
-
- # tmp files
- manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
--files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
-+manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
-+files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
-
- # user account information is read and edited at runtime; give the usual
- # r/w access to bitlbee_var_t
- manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
- files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
-
-+# log files
-+manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
-+manage_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
-+
-+manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
-+manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
-+manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
-+files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
-+
- kernel_read_system_state(bitlbee_t)
-+kernel_read_kernel_sysctls(bitlbee_t)
-
--corenet_all_recvfrom_unlabeled(bitlbee_t)
- corenet_udp_sendrecv_generic_if(bitlbee_t)
- corenet_udp_sendrecv_generic_node(bitlbee_t)
- corenet_tcp_sendrecv_generic_if(bitlbee_t)
- corenet_tcp_sendrecv_generic_node(bitlbee_t)
-+corenet_tcp_bind_generic_node(bitlbee_t)
-+corenet_tcp_connect_gatekeeper_port(bitlbee_t)
-+corenet_tcp_connect_ircd_port(bitlbee_t)
- # Allow bitlbee to connect to jabber servers
- corenet_tcp_connect_jabber_client_port(bitlbee_t)
- corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
-@@ -69,11 +90,15 @@ corenet_tcp_connect_http_port(bitlbee_t)
- corenet_tcp_sendrecv_http_port(bitlbee_t)
- corenet_tcp_connect_http_cache_port(bitlbee_t)
- corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
-+corenet_tcp_bind_ircd_port(bitlbee_t)
-+corenet_tcp_sendrecv_ircd_port(bitlbee_t)
-+corenet_sendrecv_ircd_server_packets(bitlbee_t)
-+corenet_tcp_bind_interwise_port(bitlbee_t)
-+corenet_tcp_sendrecv_interwise_port(bitlbee_t)
-
- dev_read_rand(bitlbee_t)
- dev_read_urand(bitlbee_t)
-
--files_read_etc_files(bitlbee_t)
- files_search_pids(bitlbee_t)
- # grant read-only access to the user help files
- files_read_usr_files(bitlbee_t)
-@@ -84,10 +109,6 @@ auth_use_nsswitch(bitlbee_t)
-
- logging_send_syslog_msg(bitlbee_t)
-
--miscfiles_read_localization(bitlbee_t)
--
--sysnet_dns_name_resolve(bitlbee_t)
--
- optional_policy(`
- # normally started from inetd using tcpwrappers, so use those entry points
- tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
-diff --git a/blueman.fc b/blueman.fc
-index 6355318..98ba16a 100644
---- a/blueman.fc
-+++ b/blueman.fc
-@@ -1,3 +1,4 @@
-+
- /usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
-
- /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
-diff --git a/blueman.te b/blueman.te
-index 70969fa..4d18e6e 100644
---- a/blueman.te
-+++ b/blueman.te
-@@ -7,23 +7,35 @@ policy_module(blueman, 1.0.0)
-
- type blueman_t;
- type blueman_exec_t;
--dbus_system_domain(blueman_t, blueman_exec_t)
- init_daemon_domain(blueman_t, blueman_exec_t)
-
- type blueman_var_lib_t;
- files_type(blueman_var_lib_t)
-
-+type blueman_var_run_t;
-+files_pid_file(blueman_var_run_t)
-+
- ########################################
- #
- # blueman local policy
- #
-+
-+allow blueman_t self:capability { net_admin sys_nice };
-+allow blueman_t self:process { signal_perms setsched };
-+
- allow blueman_t self:fifo_file rw_fifo_file_perms;
-
- manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
- manage_files_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
- files_var_lib_filetrans(blueman_t, blueman_var_lib_t, dir)
-
-+manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
-+manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
-+files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
-+
- kernel_read_system_state(blueman_t)
-+kernel_request_load_module(blueman_t)
-+kernel_read_net_sysctls(blueman_t)
-
- corecmd_exec_bin(blueman_t)
-
-@@ -34,13 +46,36 @@ dev_rw_wireless(blueman_t)
- domain_use_interactive_fds(blueman_t)
-
- files_read_usr_files(blueman_t)
-+files_list_tmp(blueman_t)
-
- auth_use_nsswitch(blueman_t)
-
- logging_send_syslog_msg(blueman_t)
-
--miscfiles_read_localization(blueman_t)
-+sysnet_domtrans_ifconfig(blueman_t)
-+sysnet_dns_name_resolve(blueman_t)
-
- optional_policy(`
- avahi_domtrans(blueman_t)
- ')
-+
-+optional_policy(`
-+ dbus_system_domain(blueman_t, blueman_exec_t)
-+')
-+
-+optional_policy(`
-+ dnsmasq_domtrans(blueman_t)
-+ dnsmasq_read_pid_files(blueman_t)
-+')
-+
-+optional_policy(`
-+ gnome_search_gconf(blueman_t)
-+')
-+
-+optional_policy(`
-+ iptables_domtrans(blueman_t)
-+')
-+
-+optional_policy(`
-+ xserver_read_state_xdm(blueman_t)
-+')
-diff --git a/bluetooth.fc b/bluetooth.fc
-index dc687e6..e0255eb 100644
---- a/bluetooth.fc
-+++ b/bluetooth.fc
-@@ -7,6 +7,8 @@
- /etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
-+
- #
- # /usr
- #
-diff --git a/bluetooth.if b/bluetooth.if
-index 3e45431..758bd64 100644
---- a/bluetooth.if
-+++ b/bluetooth.if
-@@ -27,7 +27,11 @@ interface(`bluetooth_role',`
-
- # allow ps to show cdrecord and allow the user to kill it
- ps_process_pattern($2, bluetooth_helper_t)
-- allow $2 bluetooth_helper_t:process signal;
-+ allow $2 bluetooth_helper_t:process signal_perms;
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 bluetooth_helper_t:process ptrace;
-+ ')
-
- manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
- manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
-@@ -35,6 +39,8 @@ interface(`bluetooth_role',`
-
- manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
- manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
-+
-+ bluetooth_stream_connect($2)
- ')
-
- #####################################
-@@ -91,7 +97,7 @@ interface(`bluetooth_read_config',`
- type bluetooth_conf_t;
- ')
-
-- allow $1 bluetooth_conf_t:file { getattr read ioctl };
-+ allow $1 bluetooth_conf_t:file read_file_perms;
- ')
-
- ########################################
-@@ -117,6 +123,27 @@ interface(`bluetooth_dbus_chat',`
-
- ########################################
- ##
-+## dontaudit Send and receive messages from
-+## bluetooth over dbus.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`bluetooth_dontaudit_dbus_chat',`
-+ gen_require(`
-+ type bluetooth_t;
-+ class dbus send_msg;
-+ ')
-+
-+ dontaudit $1 bluetooth_t:dbus send_msg;
-+ dontaudit bluetooth_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
- ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
- ##
- ##
-@@ -157,7 +184,7 @@ interface(`bluetooth_run_helper',`
-
- ########################################
- ##
--## Read bluetooth helper state files.
-+## Do not audit attempts to read bluetooth helper state files.
- ##
- ##
- ##
-@@ -170,8 +197,31 @@ interface(`bluetooth_dontaudit_read_helper_state',`
- type bluetooth_helper_t;
- ')
-
-- dontaudit $1 bluetooth_helper_t:dir search;
-- dontaudit $1 bluetooth_helper_t:file { read getattr };
-+ dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
-+ dontaudit $1 bluetooth_helper_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute bluetooth server in the bluetooth domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`bluetooth_systemctl',`
-+ gen_require(`
-+ type bluetooth_t;
-+ type bluetooth_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 bluetooth_unit_file_t:file read_file_perms;
-+ allow $1 bluetooth_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, bluetooth_t)
- ')
-
- ########################################
-@@ -193,15 +243,19 @@ interface(`bluetooth_dontaudit_read_helper_state',`
- #
- interface(`bluetooth_admin',`
- gen_require(`
-- type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
-- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
-- type bluetooth_conf_t, bluetooth_conf_rw_t;
-- type bluetooth_initrc_exec_t;
-+ type bluetooth_t, bluetooth_lock_t, bluetooth_spool_t;
-+ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
-+ type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_tmp_t;
-+ type bluetooth_unit_file_t;
- ')
-
-- allow $1 bluetooth_t:process { ptrace signal_perms };
-+ allow $1 bluetooth_t:process signal_perms;
- ps_process_pattern($1, bluetooth_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 bluetooth_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bluetooth_initrc_exec_t system_r;
-@@ -225,4 +279,8 @@ interface(`bluetooth_admin',`
-
- files_list_pids($1)
- admin_pattern($1, bluetooth_var_run_t)
-+
-+ bluetooth_systemctl($1)
-+ admin_pattern($1, bluetooth_unit_file_t)
-+ allow $1 bluetooth_unit_file_t:service all_service_perms;
- ')
-diff --git a/bluetooth.te b/bluetooth.te
-index d3019b3..aed14bb 100644
---- a/bluetooth.te
-+++ b/bluetooth.te
-@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.4.0)
- #
- # Declarations
- #
-+
- type bluetooth_t;
- type bluetooth_exec_t;
- init_daemon_domain(bluetooth_t, bluetooth_exec_t)
-
- type bluetooth_conf_t;
--files_type(bluetooth_conf_t)
-+files_config_file(bluetooth_conf_t)
-
- type bluetooth_conf_rw_t;
- files_type(bluetooth_conf_rw_t)
-@@ -45,6 +46,9 @@ files_type(bluetooth_var_lib_t)
- type bluetooth_var_run_t;
- files_pid_file(bluetooth_var_run_t)
-
-+type bluetooth_unit_file_t;
-+systemd_unit_file(bluetooth_unit_file_t)
-+
- ########################################
- #
- # Bluetooth services local policy
-@@ -96,7 +100,6 @@ kernel_request_load_module(bluetooth_t)
- #search debugfs - redhat bug 548206
- kernel_search_debugfs(bluetooth_t)
-
--corenet_all_recvfrom_unlabeled(bluetooth_t)
- corenet_all_recvfrom_netlabel(bluetooth_t)
- corenet_tcp_sendrecv_generic_if(bluetooth_t)
- corenet_udp_sendrecv_generic_if(bluetooth_t)
-@@ -127,7 +130,6 @@ corecmd_exec_shell(bluetooth_t)
- domain_use_interactive_fds(bluetooth_t)
- domain_dontaudit_search_all_domains_state(bluetooth_t)
-
--files_read_etc_files(bluetooth_t)
- files_read_etc_runtime_files(bluetooth_t)
- files_read_usr_files(bluetooth_t)
-
-@@ -135,7 +137,6 @@ auth_use_nsswitch(bluetooth_t)
-
- logging_send_syslog_msg(bluetooth_t)
-
--miscfiles_read_localization(bluetooth_t)
- miscfiles_read_fonts(bluetooth_t)
- miscfiles_read_hwdata(bluetooth_t)
-
-@@ -144,6 +145,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
- userdom_dontaudit_search_user_home_dirs(bluetooth_t)
-
- optional_policy(`
-+ devicekit_dbus_chat_power(bluetooth_t)
-+')
-+
-+optional_policy(`
- dbus_system_bus_client(bluetooth_t)
- dbus_connect_system_bus(bluetooth_t)
-
-@@ -212,17 +217,16 @@ corecmd_exec_shell(bluetooth_helper_t)
-
- domain_read_all_domains_state(bluetooth_helper_t)
-
--files_read_etc_files(bluetooth_helper_t)
- files_read_etc_runtime_files(bluetooth_helper_t)
- files_read_usr_files(bluetooth_helper_t)
- files_dontaudit_list_default(bluetooth_helper_t)
-
-+auth_use_nsswitch(bluetooth_helper_t)
-+
- locallogin_dontaudit_use_fds(bluetooth_helper_t)
-
- logging_send_syslog_msg(bluetooth_helper_t)
-
--miscfiles_read_localization(bluetooth_helper_t)
--
- sysnet_read_config(bluetooth_helper_t)
-
- optional_policy(`
-diff --git a/boinc.fc b/boinc.fc
-new file mode 100644
-index 0000000..bda740a
---- /dev/null
-+++ b/boinc.fc
-@@ -0,0 +1,12 @@
-+
-+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
-+
-+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
-+
-+/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0)
-+
-+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
-+/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-+
-+/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
-diff --git a/boinc.if b/boinc.if
-new file mode 100644
-index 0000000..fbcef10
---- /dev/null
-+++ b/boinc.if
-@@ -0,0 +1,206 @@
-+## policy for boinc
-+
-+########################################
-+##
-+## Execute a domain transition to run boinc.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`boinc_domtrans',`
-+ gen_require(`
-+ type boinc_t, boinc_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, boinc_exec_t, boinc_t)
-+')
-+
-+#######################################
-+##
-+## Execute boinc server in the boinc domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`boinc_initrc_domtrans',`
-+ gen_require(`
-+ type boinc_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
-+')
-+
-+#######################################
-+##
-+## Dontaudit getattr on boinc lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`boinc_dontaudit_getattr_lib',`
-+ gen_require(`
-+ type boinc_var_lib_t;
-+ ')
-+
-+ dontaudit $1 boinc_var_lib_t:file getattr;
-+')
-+
-+########################################
-+##
-+## Search boinc lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`boinc_search_lib',`
-+ gen_require(`
-+ type boinc_var_lib_t;
-+ ')
-+
-+ allow $1 boinc_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read boinc lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`boinc_read_lib_files',`
-+ gen_require(`
-+ type boinc_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## boinc lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`boinc_manage_lib_files',`
-+ gen_require(`
-+ type boinc_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage boinc var_lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`boinc_manage_var_lib',`
-+ gen_require(`
-+ type boinc_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
-+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
-+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
-+')
-+
-+#######################################
-+##
-+## Execute boinc server in the boinc domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`boinc_systemctl',`
-+ gen_require(`
-+ type boinc_t;
-+ type boinc_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 boinc_unit_file_t:file read_file_perms;
-+ allow $1 boinc_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, boinc_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an boinc environment.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`boinc_admin',`
-+ gen_require(`
-+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
-+ type boinc_unit_file_t;
-+ ')
-+
-+ allow $1 boinc_t:process signal_perms;
-+ ps_process_pattern($1, boinc_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 boinc_t:process ptrace;
-+ ')
-+
-+ boinc_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 boinc_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_var_lib($1)
-+ admin_pattern($1, boinc_var_lib_t)
-+
-+ boinc_systemctl($1)
-+ admin_pattern($1, boinc_unit_file_t)
-+
-+ allow $1 boinc_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/boinc.te b/boinc.te
-new file mode 100644
-index 0000000..0a7e857
---- /dev/null
-+++ b/boinc.te
-@@ -0,0 +1,199 @@
-+policy_module(boinc, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+attribute boinc_domain;
-+
-+type boinc_t, boinc_domain;
-+type boinc_exec_t;
-+init_daemon_domain(boinc_t, boinc_exec_t)
-+
-+type boinc_initrc_exec_t;
-+init_script_file(boinc_initrc_exec_t)
-+
-+type boinc_tmp_t;
-+files_tmp_file(boinc_tmp_t)
-+
-+type boinc_tmpfs_t;
-+files_tmpfs_file(boinc_tmpfs_t)
-+
-+type boinc_var_lib_t;
-+files_type(boinc_var_lib_t)
-+
-+type boinc_log_t;
-+logging_log_file(boinc_log_t)
-+
-+type boinc_unit_file_t;
-+systemd_unit_file(boinc_unit_file_t)
-+
-+type boinc_project_t;
-+domain_type(boinc_project_t)
-+role system_r types boinc_project_t;
-+
-+type boinc_project_tmp_t;
-+files_tmp_file(boinc_project_tmp_t)
-+
-+type boinc_project_var_lib_t;
-+files_type(boinc_project_var_lib_t)
-+
-+#######################################
-+#
-+# boinc domain local policy
-+#
-+
-+allow boinc_domain self:fifo_file rw_fifo_file_perms;
-+allow boinc_domain self:sem create_sem_perms;
-+
-+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
-+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
-+manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
-+
-+
-+corecmd_exec_bin(boinc_domain)
-+corecmd_exec_shell(boinc_domain)
-+
-+dev_read_rand(boinc_domain)
-+dev_read_urand(boinc_domain)
-+dev_read_sysfs(boinc_domain)
-+dev_rw_xserver_misc(boinc_domain)
-+
-+domain_read_all_domains_state(boinc_domain)
-+
-+files_read_etc_files(boinc_domain)
-+files_read_etc_runtime_files(boinc_domain)
-+files_read_usr_files(boinc_domain)
-+
-+fs_getattr_all_fs(boinc_domain)
-+
-+miscfiles_read_fonts(boinc_domain)
-+
-+optional_policy(`
-+ sysnet_dns_name_resolve(boinc_domain)
-+')
-+
-+########################################
-+#
-+# boinc local policy
-+#
-+
-+allow boinc_t self:process { setsched setpgid signull sigkill };
-+
-+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
-+allow boinc_t self:tcp_socket create_stream_socket_perms;
-+allow boinc_t self:shm create_shm_perms;
-+
-+manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-+manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-+files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
-+
-+manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
-+fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
-+
-+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+# this should be created by default by boinc
-+# we need this label for transition to boinc_project_t
-+# other boinc lib files will end up with boinc_var_lib_t
-+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
-+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
-+
-+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+
-+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-+logging_log_filetrans(boinc_t, boinc_log_t, { file })
-+
-+# needs read /proc/interrupts
-+kernel_read_system_state(boinc_t)
-+kernel_search_vm_sysctl(boinc_t)
-+
-+files_getattr_all_dirs(boinc_t)
-+files_getattr_all_files(boinc_t)
-+
-+corenet_all_recvfrom_netlabel(boinc_t)
-+corenet_tcp_sendrecv_generic_if(boinc_t)
-+corenet_udp_sendrecv_generic_if(boinc_t)
-+corenet_tcp_sendrecv_generic_node(boinc_t)
-+corenet_udp_sendrecv_generic_node(boinc_t)
-+corenet_tcp_sendrecv_all_ports(boinc_t)
-+corenet_udp_sendrecv_all_ports(boinc_t)
-+corenet_tcp_bind_generic_node(boinc_t)
-+corenet_udp_bind_generic_node(boinc_t)
-+corenet_tcp_bind_boinc_port(boinc_t)
-+corenet_tcp_bind_boinc_client_ctrl_port(boinc_t)
-+corenet_tcp_connect_boinc_port(boinc_t)
-+corenet_tcp_connect_http_port(boinc_t)
-+corenet_tcp_connect_http_cache_port(boinc_t)
-+corenet_tcp_connect_squid_port(boinc_t)
-+
-+files_dontaudit_getattr_boot_dirs(boinc_t)
-+
-+auth_read_passwd(boinc_t)
-+
-+term_getattr_all_ptys(boinc_t)
-+term_getattr_unallocated_ttys(boinc_t)
-+
-+init_read_utmp(boinc_t)
-+
-+logging_send_syslog_msg(boinc_t)
-+
-+optional_policy(`
-+ mta_send_mail(boinc_t)
-+')
-+
-+########################################
-+#
-+# boinc-projects local policy
-+#
-+
-+allow boinc_project_t self:capability { setuid setgid };
-+
-+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
-+allow boinc_t boinc_project_t:process sigkill;
-+allow boinc_t boinc_project_t:process noatsecure;
-+
-+allow boinc_project_t self:process { ptrace setcap getcap setpgid setsched signal signull sigkill sigstop };
-+allow boinc_project_t self:process { execmem execstack };
-+
-+manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
-+manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
-+manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
-+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
-+
-+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
-+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
-+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
-+
-+allow boinc_project_t boinc_project_var_lib_t:file execmod;
-+
-+allow boinc_project_t boinc_t:shm rw_shm_perms;
-+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
-+
-+kernel_read_kernel_sysctls(boinc_project_t)
-+kernel_search_vm_sysctl(boinc_project_t)
-+kernel_read_network_state(boinc_project_t)
-+
-+corenet_tcp_connect_boinc_port(boinc_project_t)
-+
-+files_dontaudit_search_home(boinc_project_t)
-+
-+# needed by java
-+fs_read_hugetlbfs_files(boinc_project_t)
-+
-+optional_policy(`
-+ gnome_read_gconf_config(boinc_project_t)
-+')
-+
-+optional_policy(`
-+ java_exec(boinc_project_t)
-+')
-+
-+# until solution for VirtualBox, java ..
-+optional_policy(`
-+ unconfined_domain(boinc_project_t)
-+')
-diff --git a/brctl.if b/brctl.if
-index 2c2cdb6..73b3814 100644
---- a/brctl.if
-+++ b/brctl.if
-@@ -18,3 +18,28 @@ interface(`brctl_domtrans',`
- corecmd_search_bin($1)
- domtrans_pattern($1, brctl_exec_t, brctl_t)
- ')
-+
-+#####################################
-+##
-+## Execute brctl in the brctl domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`brctl_run',`
-+ gen_require(`
-+ type brctl_t, brctl_exec_t;
-+ ')
-+
-+ brctl_domtrans($1)
-+ role $2 types brctl_t;
-+')
-diff --git a/brctl.te b/brctl.te
-index 9a62a1d..283f4fa 100644
---- a/brctl.te
-+++ b/brctl.te
-@@ -36,7 +36,6 @@ files_read_etc_files(brctl_t)
-
- term_dontaudit_use_console(brctl_t)
-
--miscfiles_read_localization(brctl_t)
-
- optional_policy(`
- xen_append_log(brctl_t)
-diff --git a/bugzilla.if b/bugzilla.if
-index de89d0f..86e4ee7 100644
---- a/bugzilla.if
-+++ b/bugzilla.if
-@@ -48,23 +48,24 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The role to be allowed to manage the bugzilla domain.
--##
--##
--##
- #
- interface(`bugzilla_admin',`
- gen_require(`
- type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
-- type httpd_bugzilla_htaccess_t;
-+ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
- ')
-
-- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
-+ allow $1 httpd_bugzilla_script_t:process signal_perms;
- ps_process_pattern($1, httpd_bugzilla_script_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 httpd_bugzilla_script_t:process ptrace;
-+ ')
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, httpd_bugzilla_tmp_t)
-+
- files_list_var_lib(httpd_bugzilla_script_t)
-
- apache_list_sys_content($1)
-diff --git a/bugzilla.te b/bugzilla.te
-index 048abbf..dece084 100644
---- a/bugzilla.te
-+++ b/bugzilla.te
-@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.0)
-
- apache_content_template(bugzilla)
-
-+type httpd_bugzilla_tmp_t;
-+files_tmp_file(httpd_bugzilla_tmp_t)
-+
- ########################################
- #
- # bugzilla local policy
-@@ -16,7 +19,6 @@ allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
- allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
-
--corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
- corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
- corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
- corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t)
-@@ -31,8 +33,14 @@ corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
- corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
- corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
-
-+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
-+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
-+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
-+
- files_search_var_lib(httpd_bugzilla_script_t)
-
-+auth_read_passwd(httpd_bugzilla_script_t)
-+
- sysnet_read_config(httpd_bugzilla_script_t)
- sysnet_use_ldap(httpd_bugzilla_script_t)
-
-diff --git a/cachefilesd.fc b/cachefilesd.fc
-new file mode 100644
-index 0000000..aa03fc8
---- /dev/null
-+++ b/cachefilesd.fc
-@@ -0,0 +1,34 @@
-+###############################################################################
-+#
-+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
-+# Written by David Howells (dhowells@redhat.com)
-+# Karl MacMillan (kmacmill@redhat.com)
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version
-+# 2 of the License, or (at your option) any later version.
-+#
-+###############################################################################
-+
-+#
-+# Define the contexts to be assigned to various files and directories of
-+# importance to the CacheFiles kernel module and userspace management daemon.
-+#
-+
-+# cachefilesd executable will have:
-+# label: system_u:object_r:cachefilesd_exec_t
-+# MLS sensitivity: s0
-+# MCS categories:
-+
-+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
-+
-+/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
-+
-+/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
-+
-+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
-+
-+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
-+
-+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
-diff --git a/cachefilesd.if b/cachefilesd.if
-new file mode 100644
-index 0000000..3b41945
---- /dev/null
-+++ b/cachefilesd.if
-@@ -0,0 +1,35 @@
-+###############################################################################
-+#
-+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
-+# Written by David Howells (dhowells@redhat.com)
-+# Karl MacMillan (kmacmill@redhat.com)
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version
-+# 2 of the License, or (at your option) any later version.
-+#
-+###############################################################################
-+
-+#
-+# Define the policy interface for the CacheFiles userspace management daemon.
-+#
-+## policy for cachefilesd
-+
-+########################################
-+##
-+## Execute a domain transition to run cachefilesd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`cachefilesd_domtrans',`
-+ gen_require(`
-+ type cachefilesd_t, cachefilesd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
-+')
-diff --git a/cachefilesd.te b/cachefilesd.te
-new file mode 100644
-index 0000000..3eda1b1
---- /dev/null
-+++ b/cachefilesd.te
-@@ -0,0 +1,144 @@
-+###############################################################################
-+#
-+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
-+# Written by David Howells (dhowells@redhat.com)
-+# Karl MacMillan (kmacmill@redhat.com)
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version
-+# 2 of the License, or (at your option) any later version.
-+#
-+###############################################################################
-+
-+#
-+# This security policy governs access by the CacheFiles kernel module and
-+# userspace management daemon to the files and directories in the on-disk
-+# cache, on behalf of the processes accessing the cache through a network
-+# filesystem such as NFS
-+#
-+policy_module(cachefilesd, 1.0.17)
-+
-+###############################################################################
-+#
-+# Declarations
-+#
-+
-+#
-+# Files in the cache are created by the cachefiles module with security ID
-+# cachefiles_var_t
-+#
-+type cachefiles_var_t;
-+files_type(cachefiles_var_t)
-+
-+#
-+# The /dev/cachefiles character device has security ID cachefiles_dev_t
-+#
-+type cachefiles_dev_t;
-+dev_node(cachefiles_dev_t)
-+
-+#
-+# The cachefilesd daemon normally runs with security ID cachefilesd_t
-+#
-+type cachefilesd_t;
-+type cachefilesd_exec_t;
-+init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
-+
-+#
-+# The cachefilesd daemon pid file context
-+#
-+type cachefilesd_var_run_t;
-+files_pid_file(cachefilesd_var_run_t)
-+
-+#
-+# The CacheFiles kernel module causes processes accessing the cache files to do
-+# so acting as security ID cachefiles_kernel_t
-+#
-+type cachefiles_kernel_t;
-+domain_type(cachefiles_kernel_t)
-+domain_obj_id_change_exemption(cachefiles_kernel_t)
-+role system_r types cachefiles_kernel_t;
-+
-+###############################################################################
-+#
-+# Permit RPM to deal with files in the cache
-+#
-+optional_policy(`
-+ rpm_use_script_fds(cachefilesd_t)
-+')
-+
-+###############################################################################
-+#
-+# cachefilesd local policy
-+#
-+# These define what cachefilesd is permitted to do. This doesn't include very
-+# much: startup stuff, logging, pid file, scanning the cache superstructure and
-+# deleting files from the cache. It is not permitted to read/write files in
-+# the cache.
-+#
-+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
-+# rules.
-+#
-+allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
-+
-+# Allow manipulation of pid file
-+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
-+manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
-+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
-+files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
-+files_create_as_is_all_files(cachefilesd_t)
-+
-+# Allow access to cachefiles device file
-+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
-+
-+# Allow access to cache superstructure
-+manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
-+manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
-+
-+# Permit statfs on the backing filesystem
-+fs_getattr_xattr_fs(cachefilesd_t)
-+
-+# Basic access
-+files_read_etc_files(cachefilesd_t)
-+logging_send_syslog_msg(cachefilesd_t)
-+init_dontaudit_use_script_ptys(cachefilesd_t)
-+term_dontaudit_use_generic_ptys(cachefilesd_t)
-+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
-+
-+###############################################################################
-+#
-+# When cachefilesd invokes the kernel module to begin caching, it has to tell
-+# the kernel module the security context in which it should act, and this
-+# policy has to approve that.
-+#
-+# There are two parts to this:
-+#
-+# (1) the security context used by the module to access files in the cache,
-+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
-+#
-+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
-+
-+#
-+# (2) the label that will be assigned to new files and directories created in
-+# the cache by the module, which will be the same as the label on the
-+# directory pointed to by the 'dir' command.
-+#
-+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
-+
-+###############################################################################
-+#
-+# cachefiles kernel module local policy
-+#
-+# This governs what the kernel module is allowed to do the contents of the
-+# cache.
-+#
-+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
-+
-+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
-+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
-+
-+fs_getattr_xattr_fs(cachefiles_kernel_t)
-+
-+dev_search_sysfs(cachefiles_kernel_t)
-+
-+init_sigchld_script(cachefiles_kernel_t)
-diff --git a/calamaris.te b/calamaris.te
-index b13fb66..8926e84 100644
---- a/calamaris.te
-+++ b/calamaris.te
-@@ -39,7 +39,6 @@ kernel_read_system_state(calamaris_t)
-
- corecmd_exec_bin(calamaris_t)
-
--corenet_all_recvfrom_unlabeled(calamaris_t)
- corenet_all_recvfrom_netlabel(calamaris_t)
- corenet_tcp_sendrecv_generic_if(calamaris_t)
- corenet_udp_sendrecv_generic_if(calamaris_t)
-@@ -51,7 +50,6 @@ corenet_udp_sendrecv_all_ports(calamaris_t)
- dev_read_urand(calamaris_t)
-
- files_search_pids(calamaris_t)
--files_read_etc_files(calamaris_t)
- files_read_usr_files(calamaris_t)
- files_read_var_files(calamaris_t)
- files_read_etc_runtime_files(calamaris_t)
-@@ -62,8 +60,6 @@ auth_use_nsswitch(calamaris_t)
-
- logging_send_syslog_msg(calamaris_t)
-
--miscfiles_read_localization(calamaris_t)
--
- userdom_dontaudit_list_user_home_dirs(calamaris_t)
-
- optional_policy(`
-diff --git a/callweaver.fc b/callweaver.fc
-new file mode 100644
-index 0000000..3e15c63
---- /dev/null
-+++ b/callweaver.fc
-@@ -0,0 +1,11 @@
-+/etc/rc\.d/init\.d/callweaver -- gen_context(system_u:object_r:callweaver_initrc_exec_t,s0)
-+
-+/usr/sbin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0)
-+
-+/var/lib/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_lib_t,s0)
-+
-+/var/log/callweaver(/.*)? gen_context(system_u:object_r:callweaver_log_t,s0)
-+
-+/var/run/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_run_t,s0)
-+
-+/var/spool/callweaver(/.*)? gen_context(system_u:object_r:callweaver_spool_t,s0)
-diff --git a/callweaver.if b/callweaver.if
-new file mode 100644
-index 0000000..e07d3b8
---- /dev/null
-+++ b/callweaver.if
-@@ -0,0 +1,362 @@
-+## Open source PBX project.
-+
-+########################################
-+##
-+## Execute callweaver in the
-+## callweaver domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`callweaver_domtrans',`
-+ gen_require(`
-+ type callweaver_t, callweaver_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, callweaver_exec_t, callweaver_t)
-+')
-+
-+########################################
-+##
-+## Execute callweaver in the
-+## callers domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`callweaver_exec',`
-+ gen_require(`
-+ type callweaver_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ can_exec($1, callweaver_exec_t)
-+')
-+
-+########################################
-+##
-+## Execute callweaver in the
-+## callweaver domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`callweaver_initrc_domtrans',`
-+ gen_require(`
-+ type callweaver_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Read callweaver log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`callweaver_read_log',`
-+ gen_require(`
-+ type callweaver_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, callweaver_log_t, callweaver_log_t)
-+')
-+
-+########################################
-+##
-+## Append to callweaver log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`callweaver_append_log',`
-+ gen_require(`
-+ type callweaver_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, callweaver_log_t, callweaver_log_t)
-+')
-+
-+########################################
-+##
-+## Manage callweaver log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`callweaver_manage_log',`
-+ gen_require(`
-+ type callweaver_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, callweaver_log_t, callweaver_log_t)
-+ manage_files_pattern($1, callweaver_log_t, callweaver_log_t)
-+ manage_lnk_files_pattern($1, callweaver_log_t, callweaver_log_t)
-+')
-+
-+########################################
-+##
-+## Search callweaver lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`callweaver_search_lib',`
-+ gen_require(`
-+ type callweaver_var_lib_t;
-+ ')
-+
-+ allow $1 callweaver_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read callweaver lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`callweaver_read_lib_files',`
-+ gen_require(`
-+ type callweaver_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage callweaver lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`callweaver_manage_lib_files',`
-+ gen_require(`
-+ type callweaver_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage callweaver lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`callweaver_manage_lib_dirs',`
-+ gen_require(`
-+ type callweaver_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
-+')
-+
-+
-+########################################
-+##
-+## Read callweaver PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`callweaver_read_pid_files',`
-+ gen_require(`
-+ type callweaver_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 callweaver_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Connect to callweaver over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`callweaver_stream_connect',`
-+ gen_require(`
-+ type callweaver_t, callweaver_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t)
-+')
-+
-+########################################
-+##
-+## Search callweaver spool directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`callweaver_search_spool',`
-+ gen_require(`
-+ type callweaver_spool_t;
-+ ')
-+
-+ allow $1 callweaver_spool_t:dir search_dir_perms;
-+ files_search_spool($1)
-+')
-+
-+########################################
-+##
-+## Read callweaver spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`callweaver_read_spool_files',`
-+ gen_require(`
-+ type callweaver_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ read_files_pattern($1, callweaver_spool_t, callweaver_spool_t)
-+')
-+
-+########################################
-+##
-+## Manage callweaver spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`callweaver_manage_spool_files',`
-+ gen_require(`
-+ type callweaver_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ manage_files_pattern($1, callweaver_spool_t, callweaver_spool_t)
-+')
-+
-+########################################
-+##
-+## Manage callweaver spool dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`callweaver_manage_spool_dirs',`
-+ gen_require(`
-+ type callweaver_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ manage_dirs_pattern($1, callweaver_spool_t, callweaver_spool_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an callweaver environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`callweaver_admin',`
-+ gen_require(`
-+ type callweaver_t;
-+ type callweaver_initrc_exec_t;
-+ type callweaver_log_t;
-+ type callweaver_var_lib_t;
-+ type callweaver_var_run_t;
-+ type callweaver_spool_t;
-+ ')
-+
-+ allow $1 callweaver_t:process signal_perms;
-+ ps_process_pattern($1, callweaver_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 callweaver_t:process ptrace;
-+ ')
-+
-+ callweaver_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 callweaver_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, callweaver_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, callweaver_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, callweaver_var_run_t)
-+
-+ files_search_spool($1)
-+ admin_pattern($1, callweaver_spool_t)
-+')
-diff --git a/callweaver.te b/callweaver.te
-new file mode 100644
-index 0000000..978f92f
---- /dev/null
-+++ b/callweaver.te
-@@ -0,0 +1,75 @@
-+policy_module(callweaver,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type callweaver_t;
-+type callweaver_exec_t;
-+init_daemon_domain(callweaver_t, callweaver_exec_t)
-+
-+type callweaver_initrc_exec_t;
-+init_script_file(callweaver_initrc_exec_t)
-+
-+type callweaver_log_t;
-+logging_log_file(callweaver_log_t)
-+
-+type callweaver_var_lib_t;
-+files_type(callweaver_var_lib_t)
-+
-+type callweaver_var_run_t;
-+files_pid_file(callweaver_var_run_t)
-+
-+type callweaver_spool_t;
-+files_spool_file(callweaver_spool_t)
-+
-+########################################
-+#
-+# callweaver local policy
-+#
-+
-+allow callweaver_t self:capability { setuid sys_nice setgid };
-+allow callweaver_t self:process { setsched signal };
-+allow callweaver_t self:fifo_file rw_fifo_file_perms;
-+allow callweaver_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-+manage_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-+logging_log_filetrans(callweaver_t, callweaver_log_t, { dir file } )
-+
-+manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
-+manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
-+files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file } )
-+
-+manage_dirs_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
-+manage_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
-+manage_sock_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
-+files_pid_filetrans(callweaver_t, callweaver_var_run_t, { dir file sock_file })
-+
-+manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-+manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-+manage_lnk_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-+files_spool_filetrans(callweaver_t, callweaver_spool_t, { dir file })
-+
-+allow callweaver_t self:tcp_socket create_stream_socket_perms;
-+allow callweaver_t self:udp_socket create_socket_perms;
-+
-+kernel_read_sysctl(callweaver_t)
-+kernel_read_kernel_sysctls(callweaver_t)
-+
-+corenet_udp_bind_asterisk_port(callweaver_t)
-+corenet_udp_bind_generic_port(callweaver_t)
-+corenet_udp_bind_sip_port(callweaver_t)
-+
-+dev_manage_generic_symlinks(callweaver_t)
-+
-+domain_use_interactive_fds(callweaver_t)
-+
-+
-+term_getattr_pty_fs(callweaver_t)
-+term_use_generic_ptys(callweaver_t)
-+term_use_ptmx(callweaver_t)
-+
-+auth_use_nsswitch(callweaver_t)
-+
-diff --git a/canna.fc b/canna.fc
-index 5432d0e..f77df02 100644
---- a/canna.fc
-+++ b/canna.fc
-@@ -20,4 +20,4 @@
-
- /var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0)
- /var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0)
--/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0)
-+/var/run/wnn-unix(/.*)? gen_context(system_u:object_r:canna_var_run_t,s0)
-diff --git a/canna.if b/canna.if
-index 4a26b0c..00b64dc 100644
---- a/canna.if
-+++ b/canna.if
-@@ -42,9 +42,13 @@ interface(`canna_admin',`
- type canna_var_run_t, canna_initrc_exec_t;
- ')
-
-- allow $1 canna_t:process { ptrace signal_perms };
-+ allow $1 canna_t:process signal_perms;
- ps_process_pattern($1, canna_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 canna_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, canna_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 canna_initrc_exec_t system_r;
-diff --git a/canna.te b/canna.te
-index 1d25efe..910b94c 100644
---- a/canna.te
-+++ b/canna.te
-@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
- allow canna_t self:tcp_socket create_stream_socket_perms;
-
- manage_files_pattern(canna_t, canna_log_t, canna_log_t)
--allow canna_t canna_log_t:dir setattr;
-+allow canna_t canna_log_t:dir setattr_dir_perms;
- logging_log_filetrans(canna_t, canna_log_t, { file dir })
-
- manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
-@@ -50,7 +50,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file })
- kernel_read_kernel_sysctls(canna_t)
- kernel_read_system_state(canna_t)
-
--corenet_all_recvfrom_unlabeled(canna_t)
- corenet_all_recvfrom_netlabel(canna_t)
- corenet_tcp_sendrecv_generic_if(canna_t)
- corenet_tcp_sendrecv_generic_node(canna_t)
-@@ -73,8 +72,6 @@ files_dontaudit_read_root_files(canna_t)
-
- logging_send_syslog_msg(canna_t)
-
--miscfiles_read_localization(canna_t)
--
- sysnet_read_config(canna_t)
-
- userdom_dontaudit_use_unpriv_user_fds(canna_t)
-diff --git a/ccs.fc b/ccs.fc
-index 8a7177d..bc4f6e7 100644
---- a/ccs.fc
-+++ b/ccs.fc
-@@ -2,5 +2,7 @@
-
- /sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
-
-+/usr/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
-+
- /var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
- /var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
-diff --git a/ccs.te b/ccs.te
-index 4c90b57..30265d4 100644
---- a/ccs.te
-+++ b/ccs.te
-@@ -10,7 +10,7 @@ type ccs_exec_t;
- init_daemon_domain(ccs_t, ccs_exec_t)
-
- type cluster_conf_t;
--files_type(cluster_conf_t)
-+files_config_file(cluster_conf_t)
-
- type ccs_tmp_t;
- files_tmp_file(ccs_tmp_t)
-@@ -34,7 +34,7 @@ files_pid_file(ccs_var_run_t)
-
- allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
- allow ccs_t self:process { signal setrlimit setsched };
--dontaudit ccs_t self:process ptrace;
-+
- allow ccs_t self:fifo_file rw_fifo_file_perms;
- allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow ccs_t self:unix_dgram_socket create_socket_perms;
-@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
- manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
- files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
-
--allow ccs_t ccs_var_log_t:dir setattr;
-+allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
- manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
- manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
- logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
-@@ -77,7 +77,6 @@ kernel_read_kernel_sysctls(ccs_t)
- corecmd_list_bin(ccs_t)
- corecmd_exec_bin(ccs_t)
-
--corenet_all_recvfrom_unlabeled(ccs_t)
- corenet_all_recvfrom_netlabel(ccs_t)
- corenet_tcp_sendrecv_generic_if(ccs_t)
- corenet_udp_sendrecv_generic_if(ccs_t)
-@@ -97,11 +96,10 @@ files_read_etc_files(ccs_t)
- files_read_etc_runtime_files(ccs_t)
-
- init_rw_script_tmp_files(ccs_t)
-+init_signal(ccs_t)
-
- logging_send_syslog_msg(ccs_t)
-
--miscfiles_read_localization(ccs_t)
--
- sysnet_dns_name_resolve(ccs_t)
-
- userdom_manage_unpriv_user_shared_mem(ccs_t)
-@@ -118,5 +116,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ qpidd_rw_semaphores(ccs_t)
-+ qpidd_rw_shm(ccs_t)
-+')
-+
-+optional_policy(`
- unconfined_use_fds(ccs_t)
- ')
-diff --git a/cdrecord.te b/cdrecord.te
-index 4626931..93e1495 100644
---- a/cdrecord.te
-+++ b/cdrecord.te
-@@ -52,10 +52,8 @@ storage_write_scsi_generic(cdrecord_t)
-
- logging_send_syslog_msg(cdrecord_t)
-
--miscfiles_read_localization(cdrecord_t)
--
- # write to the user domain tty.
--userdom_use_user_terminals(cdrecord_t)
-+userdom_use_inherited_user_terminals(cdrecord_t)
- userdom_read_user_home_content_files(cdrecord_t)
-
- # Handle nfs home dirs
-@@ -108,11 +106,7 @@ tunable_policy(`cdrecord_read_content',`
- userdom_dontaudit_read_user_home_content_files(cdrecord_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- files_search_mnt(cdrecord_t)
-- fs_read_nfs_files(cdrecord_t)
-- fs_read_nfs_symlinks(cdrecord_t)
--')
-+userdom_home_manager(cdrecord_t)
-
- optional_policy(`
- resmgr_stream_connect(cdrecord_t)
-diff --git a/certmaster.if b/certmaster.if
-index fa62787..4230c25 100644
---- a/certmaster.if
-+++ b/certmaster.if
-@@ -116,19 +116,23 @@ interface(`certmaster_manage_log',`
- interface(`certmaster_admin',`
- gen_require(`
- type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
-- type certmaster_etc_rw_t, certmaster_var_log_t;
-- type certmaster_initrc_exec_t;
-+ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
- ')
-
-- allow $1 certmaster_t:process { ptrace signal_perms };
-+ allow $1 certmaster_t:process signal_perms;
- ps_process_pattern($1, certmaster_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 certmaster_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 certmaster_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_list_etc($1)
-+
- miscfiles_manage_generic_cert_dirs($1)
- miscfiles_manage_generic_cert_files($1)
-
-diff --git a/certmaster.te b/certmaster.te
-index 3384132..e40c81c 100644
---- a/certmaster.te
-+++ b/certmaster.te
-@@ -53,19 +53,20 @@ files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
- # read meminfo
- kernel_read_system_state(certmaster_t)
-
--corecmd_search_bin(certmaster_t)
--corecmd_getattr_bin_files(certmaster_t)
-+corecmd_exec_bin(certmaster_t)
-
- corenet_tcp_bind_generic_node(certmaster_t)
- corenet_tcp_bind_certmaster_port(certmaster_t)
-
-+dev_read_urand(certmaster_t)
-+
- files_search_etc(certmaster_t)
-+files_read_usr_files(certmaster_t)
- files_list_var(certmaster_t)
- files_search_var_lib(certmaster_t)
-
- auth_use_nsswitch(certmaster_t)
-
--miscfiles_read_localization(certmaster_t)
-
- miscfiles_manage_generic_cert_dirs(certmaster_t)
- miscfiles_manage_generic_cert_files(certmaster_t)
-diff --git a/certmonger.fc b/certmonger.fc
-index 5ad1a52..e66fcf6 100644
---- a/certmonger.fc
-+++ b/certmonger.fc
-@@ -4,3 +4,5 @@
-
- /var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
- /var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0)
-+
-+/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
-diff --git a/certmonger.if b/certmonger.if
-index 7a6e5ba..7475aa5 100644
---- a/certmonger.if
-+++ b/certmonger.if
-@@ -158,7 +158,11 @@ interface(`certmonger_admin',`
- ')
-
- ps_process_pattern($1, certmonger_t)
-- allow $1 certmonger_t:process { ptrace signal_perms };
-+ allow $1 certmonger_t:process signal_perms;
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 certmonger_t:process ptrace;
-+ ')
-
- # Allow certmonger_t to restart the apache service
- certmonger_initrc_domtrans($1)
-@@ -166,9 +170,9 @@ interface(`certmonger_admin',`
- role_transition $2 certmonger_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
- admin_pattern($1, certmonger_var_lib_t)
-
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, certmonger_var_run_t)
- ')
-diff --git a/certmonger.te b/certmonger.te
-index c3e3f79..89db900 100644
---- a/certmonger.te
-+++ b/certmonger.te
-@@ -18,13 +18,19 @@ files_pid_file(certmonger_var_run_t)
- type certmonger_var_lib_t;
- files_type(certmonger_var_lib_t)
-
-+type certmonger_unconfined_exec_t;
-+application_executable_file(certmonger_unconfined_exec_t)
-+
- ########################################
- #
- # certmonger local policy
- #
-
--allow certmonger_t self:capability { kill sys_nice };
--allow certmonger_t self:process { getsched setsched sigkill };
-+allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
-+dontaudit certmonger_t self:capability sys_tty_config;
-+allow certmonger_t self:capability2 block_suspend;
-+
-+allow certmonger_t self:process { getsched setsched sigkill signal };
- allow certmonger_t self:fifo_file rw_file_perms;
- allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
- allow certmonger_t self:tcp_socket create_stream_socket_perms;
-@@ -38,25 +44,52 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
- manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
- files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
-
-+kernel_read_kernel_sysctls(certmonger_t)
-+kernel_read_system_state(certmonger_t)
-+
-+corecmd_exec_bin(certmonger_t)
-+corecmd_exec_shell(certmonger_t)
-+
- corenet_tcp_sendrecv_generic_if(certmonger_t)
- corenet_tcp_sendrecv_generic_node(certmonger_t)
- corenet_tcp_sendrecv_all_ports(certmonger_t)
- corenet_tcp_connect_certmaster_port(certmonger_t)
-+corenet_tcp_connect_http_port(certmonger_t)
-+corenet_tcp_connect_http_cache_port(certmonger_t)
-+corenet_tcp_connect_pki_ca_port(certmonger_t)
-
- dev_read_urand(certmonger_t)
-
- domain_use_interactive_fds(certmonger_t)
-
--files_read_etc_files(certmonger_t)
- files_read_usr_files(certmonger_t)
- files_list_tmp(certmonger_t)
-
-+fs_search_cgroup_dirs(certmonger_t)
-+
-+auth_use_nsswitch(certmonger_t)
-+auth_rw_cache(certmonger_t)
-+
-+init_getattr_all_script_files(certmonger_t)
-+
- logging_send_syslog_msg(certmonger_t)
-
--miscfiles_read_localization(certmonger_t)
- miscfiles_manage_generic_cert_files(certmonger_t)
-
--sysnet_dns_name_resolve(certmonger_t)
-+systemd_exec_systemctl(certmonger_t)
-+
-+userdom_search_user_home_content(certmonger_t)
-+
-+optional_policy(`
-+ apache_search_config(certmonger_t)
-+ apache_signal(certmonger_t)
-+ apache_signull(certmonger_t)
-+ apache_systemctl(certmonger_t)
-+')
-+
-+optional_policy(`
-+ bind_search_cache(certmonger_t)
-+')
-
- optional_policy(`
- dbus_system_bus_client(certmonger_t)
-@@ -64,9 +97,46 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dirsrv_manage_config(certmonger_t)
-+ dirsrv_signal(certmonger_t)
-+ dirsrv_signull(certmonger_t)
-+')
-+
-+optional_policy(`
- kerberos_use(certmonger_t)
-+ kerberos_read_keytab(certmonger_t)
- ')
-
- optional_policy(`
-+ pcscd_read_pub_files(certmonger_t)
- pcscd_stream_connect(certmonger_t)
- ')
-+
-+optional_policy(`
-+ pki_rw_tomcat_cert(certmonger_t)
-+')
-+
-+########################################
-+#
-+# certmonger_unconfined_script_t local policy
-+#
-+
-+optional_policy(`
-+ type certmonger_unconfined_t;
-+ domain_type(certmonger_unconfined_t)
-+
-+ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
-+ role system_r types certmonger_unconfined_t;
-+
-+ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
-+
-+ unconfined_domain(certmonger_unconfined_t)
-+
-+ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
-+ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
-+ allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
-+
-+ init_domtrans_script(certmonger_unconfined_t)
-+
-+ unconfined_domain(certmonger_unconfined_t)
-+')
-diff --git a/certwatch.te b/certwatch.te
-index e07cef5..55051ce 100644
---- a/certwatch.te
-+++ b/certwatch.te
-@@ -27,15 +27,15 @@ files_list_tmp(certwatch_t)
- fs_list_inotifyfs(certwatch_t)
-
- auth_manage_cache(certwatch_t)
-+auth_read_passwd(certwatch_t)
- auth_var_filetrans_cache(certwatch_t)
-
- logging_send_syslog_msg(certwatch_t)
-
- miscfiles_read_all_certs(certwatch_t)
--miscfiles_read_localization(certwatch_t)
-
--userdom_use_user_terminals(certwatch_t)
--userdom_dontaudit_list_user_home_dirs(certwatch_t)
-+userdom_use_inherited_user_terminals(certwatch_t)
-+userdom_dontaudit_list_admin_dir(certwatch_t)
-
- optional_policy(`
- apache_exec_modules(certwatch_t)
-diff --git a/cfengine.fc b/cfengine.fc
-new file mode 100644
-index 0000000..4c52fa3
---- /dev/null
-+++ b/cfengine.fc
-@@ -0,0 +1,12 @@
-+
-+/usr/sbin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
-+/usr/sbin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
-+/usr/sbin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0)
-+
-+/etc/rc\.d/init\.d/cf-serverd -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/cf-monitord -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/cf-execd -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
-+
-+/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0)
-+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:cfengine_var_log_t,s0)
-+
-diff --git a/cfengine.if b/cfengine.if
-new file mode 100644
-index 0000000..f3c23e9
---- /dev/null
-+++ b/cfengine.if
-@@ -0,0 +1,146 @@
-+
-+## policy for cfengine
-+
-+######################################
-+##
-+## Creates types and rules for a basic
-+## cfengine init daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`cfengine_domain_template',`
-+ gen_require(`
-+ attribute cfengine_domain;
-+ ')
-+
-+ ##############################
-+ #
-+ # Declarations
-+ #
-+
-+ type cfengine_$1_t, cfengine_domain;
-+ type cfengine_$1_exec_t;
-+ init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)
-+
-+ kernel_read_system_state(cfengine_$1_t)
-+
-+ logging_send_syslog_msg(cfengine_$1_t)
-+')
-+
-+########################################
-+##
-+## Transition to cfengine.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`cfengine_domtrans_server',`
-+ gen_require(`
-+ type cfengine_server_t, cfengine_server_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t)
-+')
-+
-+#######################################
-+##
-+## Search cfengine lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cfengine_search_lib_files',`
-+ gen_require(`
-+ type cfengine_var_lib_t;
-+ ')
-+
-+ allow $1 cfengine_var_lib_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Read cfengine lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cfengine_read_lib_files',`
-+ gen_require(`
-+ type cfengine_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
-+')
-+
-+######################################
-+##
-+## Allow the specified domain to read cfengine's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cfengine_read_log',`
-+ gen_require(`
-+ type cfengine_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ files_search_var_lib($1)
-+ cfengine_search_lib_files($1)
-+ read_files_pattern($1, cfengine_var_log_t, cfengine_var_log_t)
-+')
-+
-+#####################################
-+##
-+## Allow the specified domain to append cfengine's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cfengine_append_inherited_log',`
-+ gen_require(`
-+ type cfengine_var_log_t;
-+ ')
-+
-+ cfengine_search_lib_files($1)
-+ allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
-+')
-+
-+####################################
-+##
-+## Dontaudit the specified domain to write cfengine's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cfengine_dontaudit_write_log',`
-+ gen_require(`
-+ type cfengine_var_log_t;
-+ ')
-+
-+ dontaudit $1 cfengine_var_log_t:file write;
-+')
-diff --git a/cfengine.te b/cfengine.te
-new file mode 100644
-index 0000000..5b123e1
---- /dev/null
-+++ b/cfengine.te
-@@ -0,0 +1,94 @@
-+policy_module(cfengine, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+attribute cfengine_domain;
-+
-+cfengine_domain_template(serverd)
-+cfengine_domain_template(execd)
-+cfengine_domain_template(monitord)
-+
-+type cfengine_initrc_exec_t;
-+init_script_file(cfengine_initrc_exec_t)
-+
-+type cfengine_var_lib_t;
-+files_type(cfengine_var_lib_t)
-+
-+type cfengine_var_log_t;
-+logging_log_file(cfengine_var_log_t)
-+
-+#######################################
-+#
-+# cfengine domain local policy
-+#
-+
-+allow cfengine_domain self:fifo_file rw_fifo_file_perms;
-+allow cfengine_domain self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_lnk_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
-+files_var_lib_filetrans(cfengine_domain, cfengine_var_lib_t, { dir file })
-+
-+manage_files_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)
-+manage_dirs_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)
-+logging_log_filetrans(cfengine_domain,cfengine_var_log_t,{ dir file })
-+
-+corecmd_exec_bin(cfengine_domain)
-+corecmd_exec_shell(cfengine_domain)
-+
-+dev_read_urand(cfengine_domain)
-+dev_read_sysfs(cfengine_domain)
-+
-+sysnet_dns_name_resolve(cfengine_domain)
-+sysnet_domtrans_ifconfig(cfengine_domain)
-+
-+files_read_etc_files(cfengine_domain)
-+
-+########################################
-+#
-+# cfengine-server local policy
-+#
-+
-+allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot };
-+allow cfengine_serverd_t self:process { fork setfscreate signal };
-+
-+domain_use_interactive_fds(cfengine_serverd_t)
-+
-+auth_use_nsswitch(cfengine_serverd_t)
-+
-+########################################
-+#
-+# cfengine_exec local policy
-+#
-+
-+allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot };
-+allow cfengine_execd_t self:process { fork setfscreate signal };
-+
-+kernel_read_sysctl(cfengine_execd_t)
-+
-+domain_read_all_domains_state(cfengine_execd_t)
-+domain_use_interactive_fds(cfengine_execd_t)
-+
-+auth_use_nsswitch(cfengine_execd_t)
-+
-+########################################
-+#
-+# cfengine_monitord local policy
-+#
-+
-+allow cfengine_monitord_t self:capability { chown kill setgid setuid sys_chroot };
-+allow cfengine_monitord_t self:process { fork setfscreate signal };
-+
-+kernel_read_hotplug_sysctls(cfengine_monitord_t)
-+kernel_read_network_state(cfengine_monitord_t)
-+
-+domain_read_all_domains_state(cfengine_monitord_t)
-+domain_use_interactive_fds(cfengine_monitord_t)
-+
-+fs_getattr_xattr_fs(cfengine_monitord_t)
-+
-+auth_use_nsswitch(cfengine_monitord_t)
-diff --git a/cgroup.fc b/cgroup.fc
-index b6bb46c..9a2bf65 100644
---- a/cgroup.fc
-+++ b/cgroup.fc
-@@ -11,5 +11,9 @@
- /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
- /sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
-
--/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0)
-+/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
-+/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
-+/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
-+
-+/var/log/cgrulesengd\.log.* -- gen_context(system_u:object_r:cgred_log_t,s0)
- /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
-diff --git a/cgroup.if b/cgroup.if
-index 33facaf..11700ae 100644
---- a/cgroup.if
-+++ b/cgroup.if
-@@ -171,15 +171,27 @@ interface(`cgroup_admin',`
- type cgrules_etc_t, cgclear_t;
- ')
-
-- allow $1 cgclear_t:process { ptrace signal_perms };
-+ allow $1 cgclear_t:process signal_perms;
- ps_process_pattern($1, cgclear_t)
-
-- allow $1 cgconfig_t:process { ptrace signal_perms };
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cgclear_t:process ptrace;
-+ ')
-+
-+ allow $1 cgconfig_t:process signal_perms;
- ps_process_pattern($1, cgconfig_t)
-
-- allow $1 cgred_t:process { ptrace signal_perms };
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cgconfig_t:process ptrace;
-+ ')
-+
-+ allow $1 cgred_t:process signal_perms;
- ps_process_pattern($1, cgred_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cgred_t:process ptrace;
-+ ')
-+
- admin_pattern($1, cgconfig_etc_t)
- admin_pattern($1, cgrules_etc_t)
- files_list_etc($1)
-diff --git a/cgroup.te b/cgroup.te
-index 806191a..d962a82 100644
---- a/cgroup.te
-+++ b/cgroup.te
-@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
- type cgrules_etc_t;
- files_config_file(cgrules_etc_t)
-
--type cgconfig_t;
--type cgconfig_exec_t;
-+type cgconfig_t alias cgconfigparser_t;
-+type cgconfig_exec_t alias cgconfigparser_exec_t;
- init_daemon_domain(cgconfig_t, cgconfig_exec_t)
-
- type cgconfig_initrc_exec_t;
-@@ -42,8 +42,12 @@ files_config_file(cgconfig_etc_t)
-
- allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
-
-+read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
-+
- kernel_read_system_state(cgclear_t)
-
-+auth_use_nsswitch(cgclear_t)
-+
- domain_setpriority_all_domains(cgclear_t)
-
- fs_manage_cgroup_dirs(cgclear_t)
-@@ -64,7 +68,6 @@ kernel_list_unlabeled(cgconfig_t)
- kernel_read_system_state(cgconfig_t)
-
- # /etc/nsswitch.conf, /etc/passwd
--files_read_etc_files(cgconfig_t)
-
- fs_manage_cgroup_dirs(cgconfig_t)
- fs_manage_cgroup_files(cgconfig_t)
-@@ -72,12 +75,15 @@ fs_mount_cgroup(cgconfig_t)
- fs_mounton_cgroup(cgconfig_t)
- fs_unmount_cgroup(cgconfig_t)
-
-+auth_use_nsswitch(cgconfig_t)
-+
- ########################################
- #
- # cgred personal policy.
- #
-
--allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
-+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
-+
- allow cgred_t self:netlink_socket { write bind create read };
- allow cgred_t self:unix_dgram_socket { write create connect };
-
-@@ -86,12 +92,16 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
-
- allow cgred_t cgrules_etc_t:file read_file_perms;
-
-+manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)
-+logging_log_filetrans(cgred_t, cgred_log_t, file)
-+
- # rc script creates pid file
- manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
- manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
- files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
-
- kernel_read_system_state(cgred_t)
-+kernel_read_all_sysctls(cgred_t)
-
- domain_read_all_domains_state(cgred_t)
- domain_setpriority_all_domains(cgred_t)
-@@ -100,10 +110,9 @@ files_getattr_all_files(cgred_t)
- files_getattr_all_sockets(cgred_t)
- files_read_all_symlinks(cgred_t)
- # /etc/group
--files_read_etc_files(cgred_t)
-
- fs_write_cgroup_files(cgred_t)
-
--logging_send_syslog_msg(cgred_t)
-+auth_use_nsswitch(cgred_t)
-
--miscfiles_read_localization(cgred_t)
-+logging_send_syslog_msg(cgred_t)
-diff --git a/chrome.fc b/chrome.fc
-new file mode 100644
-index 0000000..88107d7
---- /dev/null
-+++ b/chrome.fc
-@@ -0,0 +1,6 @@
-+/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
-+
-+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
-+
-+/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
-+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
-diff --git a/chrome.if b/chrome.if
-new file mode 100644
-index 0000000..efebae7
---- /dev/null
-+++ b/chrome.if
-@@ -0,0 +1,134 @@
-+
-+## policy for chrome
-+
-+########################################
-+##
-+## Execute a domain transition to run chrome_sandbox.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`chrome_domtrans_sandbox',`
-+ gen_require(`
-+ type chrome_sandbox_t, chrome_sandbox_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
-+ ps_process_pattern(chrome_sandbox_t, $1)
-+
-+ allow $1 chrome_sandbox_t:fd use;
-+
-+ ifdef(`hide_broken_symptoms',`
-+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
-+ ')
-+')
-+
-+
-+########################################
-+##
-+## Execute chrome_sandbox in the chrome_sandbox domain, and
-+## allow the specified role the chrome_sandbox domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the chrome_sandbox domain.
-+##
-+##
-+#
-+interface(`chrome_run_sandbox',`
-+ gen_require(`
-+ type chrome_sandbox_t;
-+ type chrome_sandbox_nacl_t;
-+ ')
-+
-+ chrome_domtrans_sandbox($1)
-+ role $2 types chrome_sandbox_t;
-+ role $2 types chrome_sandbox_nacl_t;
-+')
-+
-+########################################
-+##
-+## Role access for chrome sandbox
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+interface(`chrome_role_notrans',`
-+ gen_require(`
-+ type chrome_sandbox_t;
-+ type chrome_sandbox_tmpfs_t;
-+ type chrome_sandbox_nacl_t;
-+ ')
-+
-+ role $1 types chrome_sandbox_t;
-+ role $1 types chrome_sandbox_nacl_t;
-+
-+ ps_process_pattern($2, chrome_sandbox_t)
-+ allow $2 chrome_sandbox_t:process signal_perms;
-+
-+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
-+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
-+ allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
-+ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
-+ allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
-+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
-+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
-+
-+ allow $2 chrome_sandbox_t:shm rw_shm_perms;
-+
-+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
-+')
-+
-+########################################
-+##
-+## Role access for chrome sandbox
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+interface(`chrome_role',`
-+ chrome_role_notrans($1, $2)
-+ chrome_domtrans_sandbox($2)
-+')
-+
-+########################################
-+##
-+## Dontaudit read/write to a chrome_sandbox leaks
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`chrome_dontaudit_sandbox_leaks',`
-+ gen_require(`
-+ type chrome_sandbox_t;
-+ ')
-+
-+ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
-+')
-diff --git a/chrome.te b/chrome.te
-new file mode 100644
-index 0000000..32ff486
---- /dev/null
-+++ b/chrome.te
-@@ -0,0 +1,195 @@
-+policy_module(chrome,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type chrome_sandbox_t;
-+type chrome_sandbox_exec_t;
-+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
-+role system_r types chrome_sandbox_t;
-+ubac_constrained(chrome_sandbox_t)
-+
-+type chrome_sandbox_tmp_t;
-+files_tmp_file(chrome_sandbox_tmp_t)
-+
-+type chrome_sandbox_tmpfs_t;
-+files_tmpfs_file(chrome_sandbox_tmpfs_t)
-+ubac_constrained(chrome_sandbox_tmpfs_t)
-+
-+type chrome_sandbox_nacl_t;
-+type chrome_sandbox_nacl_exec_t;
-+application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
-+role system_r types chrome_sandbox_nacl_t;
-+ubac_constrained(chrome_sandbox_nacl_t)
-+
-+########################################
-+#
-+# chrome_sandbox local policy
-+#
-+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
-+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
-+allow chrome_sandbox_t self:process setsched;
-+allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
-+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
-+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow chrome_sandbox_t self:shm create_shm_perms;
-+allow chrome_sandbox_t self:sem create_sem_perms;
-+allow chrome_sandbox_t self:msgq create_msgq_perms;
-+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
-+dontaudit chrome_sandbox_t self:memprotect mmap_zero;
-+
-+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
-+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
-+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
-+
-+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
-+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
-+
-+kernel_read_system_state(chrome_sandbox_t)
-+kernel_read_kernel_sysctls(chrome_sandbox_t)
-+
-+fs_manage_cgroup_dirs(chrome_sandbox_t)
-+fs_manage_cgroup_files(chrome_sandbox_t)
-+fs_read_dos_files(chrome_sandbox_t)
-+fs_read_hugetlbfs_files(chrome_sandbox_t)
-+
-+corecmd_exec_bin(chrome_sandbox_t)
-+
-+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
-+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
-+corenet_tcp_connect_flash_port(chrome_sandbox_t)
-+corenet_tcp_connect_streaming_port(chrome_sandbox_t)
-+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
-+corenet_tcp_connect_http_port(chrome_sandbox_t)
-+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
-+corenet_tcp_connect_msnp_port(chrome_sandbox_t)
-+corenet_tcp_connect_squid_port(chrome_sandbox_t)
-+corenet_tcp_connect_tor_socks_port(chrome_sandbox_t)
-+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
-+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
-+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
-+corenet_tcp_connect_speech_port(chrome_sandbox_t)
-+
-+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
-+
-+dev_read_urand(chrome_sandbox_t)
-+dev_read_sysfs(chrome_sandbox_t)
-+dev_rwx_zero(chrome_sandbox_t)
-+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
-+
-+files_read_etc_files(chrome_sandbox_t)
-+files_read_usr_files(chrome_sandbox_t)
-+
-+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
-+
-+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
-+userdom_execute_user_tmpfs_files(chrome_sandbox_t)
-+
-+userdom_use_user_ptys(chrome_sandbox_t)
-+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
-+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
-+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
-+userdom_search_user_home_content(chrome_sandbox_t)
-+# This one we should figure a way to make it more secure
-+userdom_manage_home_certs(chrome_sandbox_t)
-+
-+miscfiles_read_fonts(chrome_sandbox_t)
-+
-+sysnet_dns_name_resolve(chrome_sandbox_t)
-+
-+optional_policy(`
-+ gnome_rw_inherited_config(chrome_sandbox_t)
-+ gnome_read_home_config(chrome_sandbox_t)
-+')
-+
-+optional_policy(`
-+ mozilla_write_user_home_files(chrome_sandbox_t)
-+')
-+
-+optional_policy(`
-+ xserver_use_user_fonts(chrome_sandbox_t)
-+ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_search_nfs(chrome_sandbox_t)
-+ fs_exec_nfs_files(chrome_sandbox_t)
-+ fs_read_nfs_files(chrome_sandbox_t)
-+ fs_rw_inherited_nfs_files(chrome_sandbox_t)
-+ fs_read_nfs_symlinks(chrome_sandbox_t)
-+ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_search_cifs(chrome_sandbox_t)
-+ fs_exec_cifs_files(chrome_sandbox_t)
-+ fs_rw_inherited_cifs_files(chrome_sandbox_t)
-+ fs_read_cifs_files(chrome_sandbox_t)
-+ fs_read_cifs_symlinks(chrome_sandbox_t)
-+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
-+')
-+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_search_fusefs(chrome_sandbox_t)
-+ fs_read_fusefs_files(chrome_sandbox_t)
-+ fs_exec_fusefs_files(chrome_sandbox_t)
-+ fs_read_fusefs_symlinks(chrome_sandbox_t)
-+')
-+
-+optional_policy(`
-+ sandbox_use_ptys(chrome_sandbox_t)
-+')
-+
-+
-+########################################
-+#
-+# chrome_sandbox_nacl local policy
-+#
-+
-+allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
-+
-+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
-+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
-+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
-+allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
-+allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
-+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
-+
-+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
-+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
-+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
-+
-+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
-+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
-+
-+domain_use_interactive_fds(chrome_sandbox_nacl_t)
-+
-+dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
-+
-+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
-+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
-+
-+kernel_read_state(chrome_sandbox_nacl_t)
-+kernel_read_system_state(chrome_sandbox_nacl_t)
-+
-+corecmd_sbin_entry_type(chrome_sandbox_nacl_t)
-+
-+dev_read_urand(chrome_sandbox_nacl_t)
-+dev_read_sysfs(chrome_sandbox_nacl_t)
-+
-+files_read_etc_files(chrome_sandbox_nacl_t)
-+
-+init_read_state(chrome_sandbox_nacl_t)
-+
-+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
-+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
-+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
-+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
-+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
-+
-+optional_policy(`
-+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
-+')
-diff --git a/chronyd.fc b/chronyd.fc
-index fd8cd0b..f33885f 100644
---- a/chronyd.fc
-+++ b/chronyd.fc
-@@ -2,8 +2,12 @@
-
- /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
-+
- /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
-
- /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
- /var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
- /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
-+/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
-+/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0)
-diff --git a/chronyd.if b/chronyd.if
-index 9a0da94..113eae2 100644
---- a/chronyd.if
-+++ b/chronyd.if
-@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
- domtrans_pattern($1, chronyd_exec_t, chronyd_t)
- ')
-
-+########################################
-+##
-+## Execute chronyd server in the chronyd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`chronyd_initrc_domtrans',`
-+ gen_require(`
-+ type chronyd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
-+')
-+
- ####################################
- ##
- ## Execute chronyd
-@@ -56,6 +74,125 @@ interface(`chronyd_read_log',`
- read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
- ')
-
-+########################################
-+##
-+## Read and write chronyd shared memory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`chronyd_rw_shm',`
-+ gen_require(`
-+ type chronyd_t, chronyd_tmpfs_t;
-+ ')
-+
-+ allow $1 chronyd_t:shm rw_shm_perms;
-+ allow $1 chronyd_tmpfs_t:dir list_dir_perms;
-+ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
-+ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
-+ fs_search_tmpfs($1)
-+')
-+
-+########################################
-+##
-+## Read chronyd keys files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`chronyd_read_keys',`
-+ gen_require(`
-+ type chronyd_keys_t;
-+ ')
-+
-+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
-+')
-+
-+########################################
-+##
-+## Append chronyd keys files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`chronyd_append_keys',`
-+ gen_require(`
-+ type chronyd_keys_t;
-+ ')
-+
-+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
-+')
-+
-+########################################
-+##
-+## Execute chronyd server in the chronyd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`chronyd_systemctl',`
-+ gen_require(`
-+ type chronyd_t;
-+ type chronyd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 chronyd_unit_file_t:file read_file_perms;
-+ allow $1 chronyd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, chronyd_t)
-+')
-+
-+########################################
-+##
-+## Connect to chronyd over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`chronyd_stream_connect',`
-+ gen_require(`
-+ type chronyd_t, chronyd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
-+')
-+
-+########################################
-+##
-+## Send to chronyd over a unix domain
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`chronyd_dgram_send',`
-+ gen_require(`
-+ type chronyd_t;
-+ ')
-+
-+ allow $1 chronyd_t:unix_dgram_socket sendto;
-+')
-+
- ####################################
- ##
- ## All of the rules required to administrate
-@@ -75,31 +212,38 @@ interface(`chronyd_read_log',`
- #
- interface(`chronyd_admin',`
- gen_require(`
-- type chronyd_t, chronyd_var_log_t;
-- type chronyd_var_run_t, chronyd_var_lib_t;
-- type chronyd_initrc_exec_t, chronyd_keys_t;
-+ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
-+ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
-+ type chronyd_keys_t, chronyd_unit_file_t;
- ')
-
-- allow $1 chronyd_t:process { ptrace signal_perms };
-+ allow $1 chronyd_t:process signal_perms;
- ps_process_pattern($1, chronyd_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 chronyd_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 chronyd_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_search_etc($1)
-+ files_list_etc($1)
- admin_pattern($1, chronyd_keys_t)
-
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, chronyd_var_log_t)
-
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
- admin_pattern($1, chronyd_var_lib_t)
-
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, chronyd_var_run_t)
-
-- files_search_tmp($1)
-- admin_pattern($1, chronyd_tmp_t)
-+ admin_pattern($1, chronyd_tmpfs_t)
-+
-+ admin_pattern($1, chronyd_unit_file_t)
-+ chronyd_systemctl($1)
-+ allow $1 chronyd_unit_file_t:service all_service_perms;
- ')
-diff --git a/chronyd.te b/chronyd.te
-index fa82327..ab88d78 100644
---- a/chronyd.te
-+++ b/chronyd.te
-@@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t)
- type chronyd_keys_t;
- files_type(chronyd_keys_t)
-
-+type chronyd_tmpfs_t;
-+files_tmpfs_file(chronyd_tmpfs_t)
-+
-+type chronyd_unit_file_t;
-+systemd_unit_file(chronyd_unit_file_t)
-+
- type chronyd_var_lib_t;
- files_type(chronyd_var_lib_t)
-
-@@ -30,13 +36,18 @@ files_pid_file(chronyd_var_run_t)
- #
-
- allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
--allow chronyd_t self:process { getcap setcap setrlimit };
-+allow chronyd_t self:process { getcap setcap setrlimit signal };
- allow chronyd_t self:shm create_shm_perms;
- allow chronyd_t self:udp_socket create_socket_perms;
- allow chronyd_t self:unix_dgram_socket create_socket_perms;
-+allow chronyd_t self:fifo_file rw_fifo_file_perms;
-
- allow chronyd_t chronyd_keys_t:file read_file_perms;
-
-+manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-+manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-+fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
-+
- manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
- manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
- manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
-@@ -48,8 +59,15 @@ logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
-
- manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
- manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
--files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
-+manage_sock_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
-+files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
-+
-+kernel_read_system_state(chronyd_t)
-+kernel_read_network_state(chronyd_t)
-+
-+corecmd_exec_shell(chronyd_t)
-
-+corenet_udp_bind_generic_node(chronyd_t)
- corenet_udp_bind_ntp_port(chronyd_t)
- # bind to udp/323
- corenet_udp_bind_chronyd_port(chronyd_t)
-@@ -61,7 +79,7 @@ auth_use_nsswitch(chronyd_t)
-
- logging_send_syslog_msg(chronyd_t)
-
--miscfiles_read_localization(chronyd_t)
-+mta_send_mail(chronyd_t)
-
- optional_policy(`
- gpsd_rw_shm(chronyd_t)
-diff --git a/cipe.te b/cipe.te
-index 8e1ef38..08b238c 100644
---- a/cipe.te
-+++ b/cipe.te
-@@ -28,7 +28,6 @@ kernel_read_system_state(ciped_t)
- corecmd_exec_shell(ciped_t)
- corecmd_exec_bin(ciped_t)
-
--corenet_all_recvfrom_unlabeled(ciped_t)
- corenet_all_recvfrom_netlabel(ciped_t)
- corenet_udp_sendrecv_generic_if(ciped_t)
- corenet_udp_sendrecv_generic_node(ciped_t)
-@@ -53,8 +52,6 @@ fs_search_auto_mountpoints(ciped_t)
-
- logging_send_syslog_msg(ciped_t)
-
--miscfiles_read_localization(ciped_t)
--
- sysnet_read_config(ciped_t)
-
- userdom_dontaudit_use_unpriv_user_fds(ciped_t)
-diff --git a/clamav.fc b/clamav.fc
-index e8e9a21..9c47777 100644
---- a/clamav.fc
-+++ b/clamav.fc
-@@ -1,5 +1,5 @@
- /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
--/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
-
- /usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
- /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
-@@ -8,9 +8,13 @@
- /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
- /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
-
-+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
-+
- /var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
- /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
-+/var/lib/clamd.* gen_context(system_u:object_r:clamd_var_lib_t,s0)
- /var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
-+/var/log/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
- /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
- /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
- /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
-diff --git a/clamav.if b/clamav.if
-index bbac14a..99c5cca 100644
---- a/clamav.if
-+++ b/clamav.if
-@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
- type clamd_t, clamd_var_run_t;
- ')
-
-+ files_search_pids($1)
- stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
- ')
-
-@@ -133,6 +134,68 @@ interface(`clamav_exec_clamscan',`
-
- ########################################
- ##
-+## Manage clamd pid content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`clamav_manage_clamd_pid',`
-+ gen_require(`
-+ type clamd_var_run_t;
-+ ')
-+
-+ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
-+ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
-+')
-+
-+#######################################
-+##
-+## Read clamd state files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`clamav_read_state_clamd',`
-+ gen_require(`
-+ type clamd_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, clamd_t)
-+')
-+
-+#######################################
-+##
-+## Execute clamd server in the clamd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`clamd_systemctl',`
-+ gen_require(`
-+ type clamd_t;
-+ type clamd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 clamd_unit_file_t:file read_file_perms;
-+ allow $1 clamd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, clamd_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an clamav environment
- ##
-@@ -151,19 +214,25 @@ interface(`clamav_exec_clamscan',`
- interface(`clamav_admin',`
- gen_require(`
- type clamd_t, clamd_etc_t, clamd_tmp_t;
-- type clamd_var_log_t, clamd_var_lib_t;
-- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
-- type clamd_initrc_exec_t;
-+ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
-+ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
- type freshclam_t, freshclam_var_log_t;
-+ type clamd_unit_file_t;
- ')
-
-- allow $1 clamd_t:process { ptrace signal_perms };
-+ allow $1 clamd_t:process signal_perms;
- ps_process_pattern($1, clamd_t)
-
-- allow $1 clamscan_t:process { ptrace signal_perms };
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 clamd_t:process ptrace;
-+ allow $1 clamscan_t:process ptrace;
-+ allow $1 freshclam_t:process ptrace;
-+ ')
-+
-+ allow $1 clamscan_t:process signal_perms;
- ps_process_pattern($1, clamscan_t)
-
-- allow $1 freshclam_t:process { ptrace signal_perms };
-+ allow $1 freshclam_t:process signal_perms;
- ps_process_pattern($1, freshclam_t)
-
- init_labeled_script_domtrans($1, clamd_initrc_exec_t)
-@@ -171,6 +240,10 @@ interface(`clamav_admin',`
- role_transition $2 clamd_initrc_exec_t system_r;
- allow $2 system_r;
-
-+ clamd_systemctl($1)
-+ admin_pattern($1, clamd_unit_file_t)
-+ allow $1 clamd_unit_file_t:service all_service_perms;
-+
- files_list_etc($1)
- admin_pattern($1, clamd_etc_t)
-
-@@ -189,4 +262,10 @@ interface(`clamav_admin',`
- admin_pattern($1, clamscan_tmp_t)
-
- admin_pattern($1, freshclam_var_log_t)
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+
- ')
-diff --git a/clamav.te b/clamav.te
-index a10350e..a28f16e 100644
---- a/clamav.te
-+++ b/clamav.te
-@@ -1,9 +1,23 @@
- policy_module(clamav, 1.10.0)
-
- ##
--##
--## Allow clamd to use JIT compiler
--##
-+##
-+## Allow clamscan to read user content
-+##
-+##
-+gen_tunable(clamscan_read_user_content, false)
-+
-+##
-+##
-+## Allow clamscan to non security files on a system
-+##
-+##
-+gen_tunable(clamscan_can_scan_system, false)
-+
-+##
-+##
-+## Allow clamd to use JIT compiler
-+##
- ##
- gen_tunable(clamd_use_jit, false)
-
-@@ -24,6 +38,9 @@ files_config_file(clamd_etc_t)
- type clamd_initrc_exec_t;
- init_script_file(clamd_initrc_exec_t)
-
-+type clamd_unit_file_t;
-+systemd_unit_file(clamd_unit_file_t)
-+
- # tmp files
- type clamd_tmp_t;
- files_tmp_file(clamd_tmp_t)
-@@ -64,6 +81,8 @@ logging_log_file(freshclam_var_log_t)
-
- allow clamd_t self:capability { kill setgid setuid dac_override };
- dontaudit clamd_t self:capability sys_tty_config;
-+allow clamd_t self:process signal;
-+
- allow clamd_t self:fifo_file rw_fifo_file_perms;
- allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow clamd_t self:unix_dgram_socket create_socket_perms;
-@@ -80,6 +99,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
- files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
-
- # var/lib files for clamd
-+manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
- manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
- manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
-
-@@ -89,9 +109,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
- logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
-
- # pid file
-+manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
- manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
- manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
--files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
-+files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir })
-
- kernel_dontaudit_list_proc(clamd_t)
- kernel_read_sysctl(clamd_t)
-@@ -100,7 +121,6 @@ kernel_read_system_state(clamd_t)
-
- corecmd_exec_shell(clamd_t)
-
--corenet_all_recvfrom_unlabeled(clamd_t)
- corenet_all_recvfrom_netlabel(clamd_t)
- corenet_tcp_sendrecv_generic_if(clamd_t)
- corenet_tcp_sendrecv_generic_node(clamd_t)
-@@ -110,6 +130,7 @@ corenet_tcp_bind_generic_node(clamd_t)
- corenet_tcp_bind_clamd_port(clamd_t)
- corenet_tcp_bind_generic_port(clamd_t)
- corenet_tcp_connect_generic_port(clamd_t)
-+corenet_tcp_connect_clamd_port(clamd_t)
- corenet_sendrecv_clamd_server_packets(clamd_t)
-
- dev_read_rand(clamd_t)
-@@ -117,7 +138,6 @@ dev_read_urand(clamd_t)
-
- domain_use_interactive_fds(clamd_t)
-
--files_read_etc_files(clamd_t)
- files_read_etc_runtime_files(clamd_t)
- files_search_spool(clamd_t)
-
-@@ -125,30 +145,51 @@ auth_use_nsswitch(clamd_t)
-
- logging_send_syslog_msg(clamd_t)
-
--miscfiles_read_localization(clamd_t)
--
--cron_use_fds(clamd_t)
--cron_use_system_job_fds(clamd_t)
--cron_rw_pipes(clamd_t)
--
--mta_read_config(clamd_t)
--mta_send_mail(clamd_t)
--
- optional_policy(`
- amavis_read_lib_files(clamd_t)
- amavis_read_spool_files(clamd_t)
-- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
-+ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
- amavis_create_pid_files(clamd_t)
- ')
-
- optional_policy(`
-+ cron_use_fds(clamd_t)
-+ cron_use_system_job_fds(clamd_t)
-+ cron_rw_pipes(clamd_t)
-+')
-+
-+optional_policy(`
- exim_read_spool_files(clamd_t)
- ')
-
-+optional_policy(`
-+ mta_read_config(clamd_t)
-+ mta_send_mail(clamd_t)
-+')
-+
-+optional_policy(`
-+ spamd_stream_connect(clamd_t)
-+ spamassassin_read_pid_files(clamd_t)
-+')
-+
- tunable_policy(`clamd_use_jit',`
- allow clamd_t self:process execmem;
--', `
-+ allow clamscan_t self:process execmem;
-+',`
- dontaudit clamd_t self:process execmem;
-+ dontaudit clamscan_t self:process execmem;
-+')
-+
-+optional_policy(`
-+ antivirus_domain_template(clamd_t)
-+')
-+
-+optional_policy(`
-+ antivirus_domain_template(clamscan_t)
-+')
-+
-+optional_policy(`
-+ antivirus_domain_template(freshclam_t)
- ')
-
- ########################################
-@@ -178,17 +219,27 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
-
- # log files (own logfiles only)
- manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
--allow freshclam_t freshclam_var_log_t:dir setattr;
--allow freshclam_t clamd_var_log_t:dir search_dir_perms;
-+allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
-+read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
- logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
-
--corenet_all_recvfrom_unlabeled(freshclam_t)
-+kernel_dontaudit_list_proc(freshclam_t)
-+kernel_read_kernel_sysctls(freshclam_t)
-+kernel_read_network_state(freshclam_t)
-+kernel_read_system_state(freshclam_t)
-+
-+corecmd_exec_shell(freshclam_t)
-+corecmd_exec_bin(freshclam_t)
-+
- corenet_all_recvfrom_netlabel(freshclam_t)
- corenet_tcp_sendrecv_generic_if(freshclam_t)
- corenet_tcp_sendrecv_generic_node(freshclam_t)
- corenet_tcp_sendrecv_all_ports(freshclam_t)
- corenet_tcp_sendrecv_clamd_port(freshclam_t)
- corenet_tcp_connect_http_port(freshclam_t)
-+corenet_tcp_connect_http_cache_port(freshclam_t)
-+corenet_tcp_connect_clamd_port(freshclam_t)
-+corenet_tcp_connect_squid_port(freshclam_t)
- corenet_sendrecv_http_client_packets(freshclam_t)
-
- dev_read_rand(freshclam_t)
-@@ -196,27 +247,32 @@ dev_read_urand(freshclam_t)
-
- domain_use_interactive_fds(freshclam_t)
-
--files_read_etc_files(freshclam_t)
-+files_search_var_lib(freshclam_t)
- files_read_etc_runtime_files(freshclam_t)
-+files_read_usr_files(freshclam_t)
-
- auth_use_nsswitch(freshclam_t)
-
- logging_send_syslog_msg(freshclam_t)
-
--miscfiles_read_localization(freshclam_t)
--
- clamav_stream_connect(freshclam_t)
-
--optional_policy(`
-- cron_system_entry(freshclam_t, freshclam_exec_t)
--')
-+userdom_stream_connect(freshclam_t)
-
- tunable_policy(`clamd_use_jit',`
- allow freshclam_t self:process execmem;
--', `
-+',`
- dontaudit freshclam_t self:process execmem;
- ')
-
-+optional_policy(`
-+ clamd_systemctl(freshclam_t)
-+')
-+
-+optional_policy(`
-+ cron_system_entry(freshclam_t, freshclam_exec_t)
-+')
-+
- ########################################
- #
- # clamscam local policy
-@@ -242,15 +298,39 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
- manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
- allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
-
--corenet_all_recvfrom_unlabeled(clamscan_t)
-+read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t)
-+allow clamscan_t clamd_var_run_t:dir list_dir_perms;
-+
-+kernel_dontaudit_list_proc(clamscan_t)
-+kernel_read_system_state(clamscan_t)
-+
- corenet_all_recvfrom_netlabel(clamscan_t)
- corenet_tcp_sendrecv_generic_if(clamscan_t)
- corenet_tcp_sendrecv_generic_node(clamscan_t)
- corenet_tcp_sendrecv_all_ports(clamscan_t)
- corenet_tcp_sendrecv_clamd_port(clamscan_t)
-+corenet_tcp_bind_generic_node(clamscan_t)
- corenet_tcp_connect_clamd_port(clamscan_t)
-
-+corecmd_read_all_executables(clamscan_t)
-+
-+tunable_policy(`clamscan_read_user_content',`
-+ userdom_read_user_home_content_files(clamscan_t)
-+ userdom_dontaudit_read_user_home_content_files(clamscan_t)
-+')
-+
-+tunable_policy(`clamscan_can_scan_system',`
-+ files_read_non_security_files(clamscan_t)
-+ files_getattr_all_pipes(clamscan_t)
-+ files_getattr_all_sockets(clamscan_t)
-+
-+ files_read_non_security_files(clamd_t)
-+ files_getattr_all_pipes(clamd_t)
-+ files_getattr_all_sockets(clamd_t)
-+')
-+
- kernel_read_kernel_sysctls(clamscan_t)
-+kernel_read_system_state(clamscan_t)
-
- files_read_etc_files(clamscan_t)
- files_read_etc_runtime_files(clamscan_t)
-@@ -259,15 +339,15 @@ files_search_var_lib(clamscan_t)
- init_read_utmp(clamscan_t)
- init_dontaudit_write_utmp(clamscan_t)
-
--miscfiles_read_localization(clamscan_t)
- miscfiles_read_public_files(clamscan_t)
-
- clamav_stream_connect(clamscan_t)
-
--mta_send_mail(clamscan_t)
-+sysnet_read_config(clamscan_t)
-
- optional_policy(`
-- amavis_read_spool_files(clamscan_t)
-+ mta_send_mail(clamscan_t)
-+ mta_read_queue(clamscan_t)
- ')
-
- optional_policy(`
-diff --git a/clockspeed.te b/clockspeed.te
-index b40f3f7..e8c9c35 100644
---- a/clockspeed.te
-+++ b/clockspeed.te
-@@ -26,7 +26,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
-
- read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-
--corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
- corenet_all_recvfrom_netlabel(clockspeed_cli_t)
- corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
- corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
-@@ -36,9 +35,8 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
- files_list_var_lib(clockspeed_cli_t)
- files_read_etc_files(clockspeed_cli_t)
-
--miscfiles_read_localization(clockspeed_cli_t)
-
--userdom_use_user_terminals(clockspeed_cli_t)
-+userdom_use_inherited_user_terminals(clockspeed_cli_t)
-
- ########################################
- #
-@@ -53,7 +51,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
- manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
- manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-
--corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
- corenet_all_recvfrom_netlabel(clockspeed_srv_t)
- corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
- corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
-@@ -65,7 +62,6 @@ corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)
- files_read_etc_files(clockspeed_srv_t)
- files_list_var_lib(clockspeed_srv_t)
-
--miscfiles_read_localization(clockspeed_srv_t)
-
- optional_policy(`
- daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
-diff --git a/clogd.te b/clogd.te
-index 6077339..d44d33f 100644
---- a/clogd.te
-+++ b/clogd.te
-@@ -46,8 +46,6 @@ storage_raw_write_fixed_disk(clogd_t)
-
- logging_send_syslog_msg(clogd_t)
-
--miscfiles_read_localization(clogd_t)
--
- optional_policy(`
- aisexec_stream_connect(clogd_t)
- corosync_stream_connect(clogd_t)
-diff --git a/cloudform.fc b/cloudform.fc
-new file mode 100644
-index 0000000..8a40857
---- /dev/null
-+++ b/cloudform.fc
-@@ -0,0 +1,22 @@
-+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
-+
-+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
-+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
-+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
-+
-+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
-+
-+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
-+/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0)
-+
-+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
-+/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0)
-+/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
-+/var/log/mongo(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
-+/var/log/mongo/mongod\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
-+/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
-+
-+/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0)
-+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
-+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
-diff --git a/cloudform.if b/cloudform.if
-new file mode 100644
-index 0000000..8ac848b
---- /dev/null
-+++ b/cloudform.if
-@@ -0,0 +1,42 @@
-+## cloudform policy
-+
-+#######################################
-+##
-+## Creates types and rules for a basic
-+## cloudform daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`cloudform_domain_template',`
-+ gen_require(`
-+ attribute cloudform_domain;
-+ ')
-+
-+ type $1_t, cloudform_domain;
-+ type $1_exec_t;
-+ init_daemon_domain($1_t, $1_exec_t)
-+
-+ kernel_read_system_state($1_t)
-+')
-+
-+######################################
-+##
-+## Execute mongod in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cloudform_exec_mongod',`
-+ gen_require(`
-+ type mongod_exec_t;
-+ ')
-+
-+ can_exec($1, mongod_exec_t)
-+')
-diff --git a/cloudform.te b/cloudform.te
-new file mode 100644
-index 0000000..b73fed6
---- /dev/null
-+++ b/cloudform.te
-@@ -0,0 +1,201 @@
-+policy_module(cloudform, 1.0)
-+########################################
-+#
-+# Declarations
-+#
-+
-+attribute cloudform_domain;
-+
-+cloudform_domain_template(deltacloudd)
-+cloudform_domain_template(iwhd)
-+cloudform_domain_template(mongod)
-+
-+type deltacloudd_log_t;
-+logging_log_file(deltacloudd_log_t)
-+
-+type deltacloudd_var_run_t;
-+files_pid_file(deltacloudd_var_run_t)
-+
-+type deltacloudd_tmp_t;
-+files_tmp_file(deltacloudd_tmp_t)
-+
-+type iwhd_initrc_exec_t;
-+init_script_file(iwhd_initrc_exec_t)
-+
-+type iwhd_var_lib_t;
-+files_type(iwhd_var_lib_t)
-+
-+type iwhd_var_run_t;
-+files_pid_file(iwhd_var_run_t)
-+
-+type mongod_initrc_exec_t;
-+init_script_file(mongod_initrc_exec_t)
-+
-+type mongod_log_t;
-+logging_log_file(mongod_log_t)
-+
-+type mongod_var_lib_t;
-+files_type(mongod_var_lib_t)
-+
-+type mongod_tmp_t;
-+files_tmp_file(mongod_tmp_t)
-+
-+type mongod_var_run_t;
-+files_pid_file(mongod_var_run_t)
-+
-+type iwhd_log_t;
-+logging_log_file(iwhd_log_t)
-+
-+########################################
-+#
-+# cloudform_domain local policy
-+#
-+
-+allow cloudform_domain self:fifo_file rw_fifo_file_perms;
-+allow cloudform_domain self:tcp_socket create_stream_socket_perms;
-+
-+dev_read_rand(cloudform_domain)
-+dev_read_urand(cloudform_domain)
-+dev_read_sysfs(cloudform_domain)
-+
-+files_read_etc_files(cloudform_domain)
-+
-+auth_read_passwd(cloudform_domain)
-+
-+miscfiles_read_certs(cloudform_domain)
-+
-+########################################
-+#
-+# deltacloudd local policy
-+#
-+
-+allow deltacloudd_t self:capability { dac_override setuid setgid };
-+
-+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
-+allow deltacloudd_t self:udp_socket create_socket_perms;
-+
-+allow deltacloudd_t self:process signal;
-+
-+allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
-+allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
-+allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
-+manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
-+files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
-+
-+manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
-+manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
-+manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
-+files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
-+
-+manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
-+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
-+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
-+
-+kernel_read_kernel_sysctls(deltacloudd_t)
-+kernel_read_system_state(deltacloudd_t)
-+
-+corecmd_exec_bin(deltacloudd_t)
-+
-+corenet_tcp_bind_generic_node(deltacloudd_t)
-+corenet_tcp_bind_generic_port(deltacloudd_t)
-+corenet_tcp_connect_http_port(deltacloudd_t)
-+corenet_tcp_connect_keystone_port(deltacloudd_t)
-+
-+auth_use_nsswitch(deltacloudd_t)
-+
-+files_read_usr_files(deltacloudd_t)
-+
-+logging_send_syslog_msg(deltacloudd_t)
-+
-+optional_policy(`
-+ sysnet_read_config(deltacloudd_t)
-+')
-+
-+########################################
-+#
-+# iwhd local policy
-+#
-+
-+allow iwhd_t self:capability { chown kill };
-+allow iwhd_t self:process { fork };
-+
-+allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
-+allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
-+manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
-+
-+manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
-+logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
-+
-+manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
-+manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
-+files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
-+
-+kernel_read_system_state(iwhd_t)
-+
-+corenet_tcp_bind_generic_node(iwhd_t)
-+corenet_tcp_bind_websm_port(iwhd_t)
-+corenet_tcp_connect_all_ports(iwhd_t)
-+
-+dev_read_rand(iwhd_t)
-+dev_read_urand(iwhd_t)
-+
-+userdom_home_manager(iwhd_t)
-+
-+########################################
-+#
-+# mongod local policy
-+#
-+
-+allow mongod_t self:process { execmem setsched signal };
-+
-+allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
-+allow mongod_t self:unix_stream_socket create_stream_socket_perms;
-+allow mongod_t self:udp_socket create_socket_perms;
-+
-+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
-+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-+logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
-+logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")
-+
-+manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-+manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-+
-+manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
-+manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
-+manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
-+files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
-+
-+manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-+manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-+#needed by dbomatic
-+files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
-+
-+corecmd_exec_bin(mongod_t)
-+corecmd_exec_shell(mongod_t)
-+
-+corenet_tcp_bind_generic_node(mongod_t)
-+corenet_tcp_bind_mongod_port(mongod_t)
-+corenet_tcp_connect_postgresql_port(mongod_t)
-+
-+kernel_read_vm_sysctls(mongod_t)
-+kernel_read_system_state(mongod_t)
-+
-+files_read_usr_files(mongod_t)
-+
-+fs_getattr_all_fs(mongod_t)
-+
-+optional_policy(`
-+ mysql_stream_connect(mongod_t)
-+')
-+
-+optional_policy(`
-+ postgresql_stream_connect(mongod_t)
-+')
-+
-+optional_policy(`
-+ sysnet_dns_name_resolve(mongod_t)
-+')
-diff --git a/cmirrord.if b/cmirrord.if
-index f8463c0..cc4d9ef 100644
---- a/cmirrord.if
-+++ b/cmirrord.if
-@@ -70,10 +70,11 @@ interface(`cmirrord_rw_shm',`
- type cmirrord_t, cmirrord_tmpfs_t;
- ')
-
-- allow $1 cmirrord_t:shm rw_shm_perms;
-+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
-
- allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
- rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
- read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
- fs_search_tmpfs($1)
- ')
-@@ -100,9 +101,13 @@ interface(`cmirrord_admin',`
- type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
- ')
-
-- allow $1 cmirrord_t:process { ptrace signal_perms };
-+ allow $1 cmirrord_t:process signal_perms;
- ps_process_pattern($1, cmirrord_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cmirrord_t:process ptrace;
-+ ')
-+
- cmirrord_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cmirrord_initrc_exec_t system_r;
-diff --git a/cmirrord.te b/cmirrord.te
-index 28fdd8a..5605ed7 100644
---- a/cmirrord.te
-+++ b/cmirrord.te
-@@ -51,8 +51,6 @@ seutil_read_file_contexts(cmirrord_t)
-
- logging_send_syslog_msg(cmirrord_t)
-
--miscfiles_read_localization(cmirrord_t)
--
- optional_policy(`
- corosync_stream_connect(cmirrord_t)
- ')
-diff --git a/cobbler.fc b/cobbler.fc
-index 1cf6c4e..0858f92 100644
---- a/cobbler.fc
-+++ b/cobbler.fc
-@@ -1,7 +1,35 @@
--/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
--/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
-
--/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
-+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)
-+
-+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/cobblerd.* -- gen_context(system_u:object_r:cobblerd_unit_file_t,s0)
-+
-+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
-+
-+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+
-+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+
-+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
-+
-+# This should removable when cobbler package installs /var/www/cobbler/rendered
-+/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
-+
-+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-
--/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
--/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
-diff --git a/cobbler.if b/cobbler.if
-index 116d60f..e2c6ec6 100644
---- a/cobbler.if
-+++ b/cobbler.if
-@@ -1,12 +1,12 @@
- ## Cobbler installation server.
- ##
- ##
--## Cobbler is a Linux installation server that allows for
--## rapid setup of network installation environments. It
--## glues together and automates many associated Linux
--## tasks so you do not have to hop between lots of various
--## commands and applications when rolling out new systems,
--## and, in some cases, changing existing ones.
-+## Cobbler is a Linux installation server that allows for
-+## rapid setup of network installation environments. It
-+## glues together and automates many associated Linux
-+## tasks so you do not have to hop between lots of various
-+## commands and applications when rolling out new systems,
-+## and, in some cases, changing existing ones.
- ##
- ##
-
-@@ -15,9 +15,9 @@
- ## Execute a domain transition to run cobblerd.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`cobblerd_domtrans',`
-@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
- ')
-
- domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
-+ corecmd_search_bin($1)
- ')
-
- ########################################
-@@ -48,7 +49,7 @@ interface(`cobblerd_initrc_domtrans',`
-
- ########################################
- ##
--## Read Cobbler content in /etc
-+## List Cobbler configuration.
- ##
- ##
- ##
-@@ -56,19 +57,18 @@ interface(`cobblerd_initrc_domtrans',`
- ##
- ##
- #
--interface(`cobbler_read_config',`
-+interface(`cobbler_list_config',`
- gen_require(`
- type cobbler_etc_t;
- ')
-
-- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
-+ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
- files_search_etc($1)
- ')
-
- ########################################
- ##
--## Do not audit attempts to read and write
--## Cobbler log files (leaked fd).
-+## Read Cobbler configuration files.
- ##
- ##
- ##
-@@ -76,12 +76,13 @@ interface(`cobbler_read_config',`
- ##
- ##
- #
--interface(`cobbler_dontaudit_rw_log',`
-+interface(`cobbler_read_config',`
- gen_require(`
-- type cobbler_var_log_t;
-+ type cobbler_etc_t;
- ')
-
-- dontaudit $1 cobbler_var_log_t:file rw_file_perms;
-+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
-+ files_search_etc($1)
- ')
-
- ########################################
-@@ -100,6 +101,7 @@ interface(`cobbler_search_lib',`
- ')
-
- search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
-+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
- files_search_var_lib($1)
- ')
-
-@@ -119,6 +121,7 @@ interface(`cobbler_read_lib_files',`
- ')
-
- read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
-+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
- files_search_var_lib($1)
- ')
-
-@@ -137,12 +140,56 @@ interface(`cobbler_manage_lib_files',`
- type cobbler_var_lib_t;
- ')
-
-+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
- manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
-+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
- files_search_var_lib($1)
- ')
-
- ########################################
- ##
-+## Do not audit attempts to read and write
-+## Cobbler log files (leaked fd).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`cobbler_dontaudit_rw_log',`
-+ gen_require(`
-+ type cobbler_var_log_t;
-+ ')
-+
-+ dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute cobblerd server in the cobblerd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`cobblerd_systemctl',`
-+ gen_require(`
-+ type cobblerd_t;
-+ type cobblerd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 cobblerd_unit_file_t:file read_file_perms;
-+ allow $1 cobblerd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, cobblerd_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an cobblerd environment
- ##
-@@ -161,25 +208,43 @@ interface(`cobbler_manage_lib_files',`
- interface(`cobblerd_admin',`
- gen_require(`
- type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
-- type cobbler_etc_t, cobblerd_initrc_exec_t;
-+ type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
-+ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
-+ type cobblerd_unit_file_t;
- ')
-
-- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
-- read_files_pattern($1, cobblerd_t, cobblerd_t)
-+ allow $1 cobblerd_t:process signal_perms;
-+ ps_process_pattern($1, cobblerd_t)
-
-- files_search_etc($1)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cobblerd_t:process ptrace;
-+ ')
-+
-+ files_list_etc($1)
- admin_pattern($1, cobbler_etc_t)
-
- files_list_var_lib($1)
- admin_pattern($1, cobbler_var_lib_t)
-
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, cobbler_var_log_t)
-
-+ apache_list_sys_content($1)
-+ admin_pattern($1, httpd_cobbler_content_t)
-+ admin_pattern($1, httpd_cobbler_content_ra_t)
- admin_pattern($1, httpd_cobbler_content_rw_t)
-
- cobblerd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cobblerd_initrc_exec_t system_r;
- allow $2 system_r;
-+
-+ optional_policy(`
-+ # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
-+ tftp_search_rw_content($1)
-+ ')
-+
-+ cobblerd_systemctl($1)
-+ admin_pattern($1, cobblerd_unit_file_t)
-+ allow $1 cobblerd_unit_file_t:service all_service_perms;
- ')
-diff --git a/cobbler.te b/cobbler.te
-index 0258b48..c68160d 100644
---- a/cobbler.te
-+++ b/cobbler.te
-@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
- #
-
- ##
--##
--## Allow Cobbler to modify public files
--## used for public file transfer services.
--##
-+##
-+## Allow Cobbler to modify public files
-+## used for public file transfer services.
-+##
- ##
- gen_tunable(cobbler_anon_write, false)
-
-+##
-+##
-+## Allow Cobbler to connect to the
-+## network using TCP.
-+##
-+##
-+gen_tunable(cobbler_can_network_connect, false)
-+
-+##
-+##
-+## Allow Cobbler to access cifs file systems.
-+##
-+##
-+gen_tunable(cobbler_use_cifs, false)
-+
-+##
-+##
-+## Allow Cobbler to access nfs file systems.
-+##
-+##
-+gen_tunable(cobbler_use_nfs, false)
-+
- type cobblerd_t;
- type cobblerd_exec_t;
- init_daemon_domain(cobblerd_t, cobblerd_exec_t)
-@@ -26,25 +48,43 @@ files_config_file(cobbler_etc_t)
- type cobbler_var_log_t;
- logging_log_file(cobbler_var_log_t)
-
--type cobbler_var_lib_t;
-+type cobbler_var_lib_t alias cobbler_content_t;
- files_type(cobbler_var_lib_t)
-
-+type cobbler_tmp_t;
-+files_tmp_file(cobbler_tmp_t)
-+
-+type cobblerd_unit_file_t;
-+systemd_unit_file(cobblerd_unit_file_t)
-+
- ########################################
- #
- # Cobbler personal policy.
- #
-
--allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
-+allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
-+dontaudit cobblerd_t self:capability sys_tty_config;
-+
- allow cobblerd_t self:process { getsched setsched signal };
- allow cobblerd_t self:fifo_file rw_fifo_file_perms;
-+allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
- allow cobblerd_t self:tcp_socket create_stream_socket_perms;
-+allow cobblerd_t self:udp_socket create_socket_perms;
-+allow cobblerd_t self:unix_dgram_socket create_socket_perms;
-
- list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
- read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
-
-+# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
-+dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;
-+
- manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
- manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
--files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
-+manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
-+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })
-+
-+# Something really needs to write to cobbler.log. Ideally this should not be happening.
-+allow cobblerd_t cobbler_var_log_t:file write;
-
- append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
- create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
-@@ -52,57 +92,131 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
- setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
- logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
-
-+manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
-+manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
-+files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
-+
- kernel_read_system_state(cobblerd_t)
-+kernel_dontaudit_search_network_state(cobblerd_t)
-+
-+auth_read_passwd(cobblerd_t)
-
- corecmd_exec_bin(cobblerd_t)
- corecmd_exec_shell(cobblerd_t)
-
- corenet_all_recvfrom_netlabel(cobblerd_t)
--corenet_all_recvfrom_unlabeled(cobblerd_t)
- corenet_sendrecv_cobbler_server_packets(cobblerd_t)
- corenet_tcp_bind_cobbler_port(cobblerd_t)
- corenet_tcp_bind_generic_node(cobblerd_t)
- corenet_tcp_sendrecv_generic_if(cobblerd_t)
- corenet_tcp_sendrecv_generic_node(cobblerd_t)
- corenet_tcp_sendrecv_generic_port(cobblerd_t)
-+corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
-+# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
-+corenet_tcp_connect_ftp_port(cobblerd_t)
-+corenet_tcp_connect_all_ephemeral_ports(cobblerd_t)
-+corenet_tcp_sendrecv_ftp_port(cobblerd_t)
-+corenet_sendrecv_ftp_client_packets(cobblerd_t)
-+corenet_tcp_connect_http_port(cobblerd_t)
-+corenet_tcp_sendrecv_http_port(cobblerd_t)
-+corenet_sendrecv_http_client_packets(cobblerd_t)
-
- dev_read_urand(cobblerd_t)
-
-+domain_dontaudit_exec_all_entry_files(cobblerd_t)
-+domain_dontaudit_read_all_domains_state(cobblerd_t)
-+
-+files_read_etc_files(cobblerd_t)
-+# mtab
-+files_read_etc_runtime_files(cobblerd_t)
- files_read_usr_files(cobblerd_t)
- files_list_boot(cobblerd_t)
-+files_read_boot_files(cobblerd_t)
- files_list_tmp(cobblerd_t)
--# read /etc/nsswitch.conf
--files_read_etc_files(cobblerd_t)
-
--miscfiles_read_localization(cobblerd_t)
-+# read from mounted images (install media)
-+fs_read_iso9660_files(cobblerd_t)
-+
-+auth_read_passwd(cobblerd_t)
-+
-+init_dontaudit_read_all_script_files(cobblerd_t)
-+
-+term_use_console(cobblerd_t)
-+
-+logging_send_syslog_msg(cobblerd_t)
-+
- miscfiles_read_public_files(cobblerd_t)
-
-+selinux_get_enforce_mode(cobblerd_t)
-+
- sysnet_read_config(cobblerd_t)
- sysnet_rw_dhcp_config(cobblerd_t)
- sysnet_write_config(cobblerd_t)
-
-+userdom_dontaudit_use_user_terminals(cobblerd_t)
-+userdom_dontaudit_search_user_home_dirs(cobblerd_t)
-+userdom_dontaudit_search_admin_dir(cobblerd_t)
-+
- tunable_policy(`cobbler_anon_write',`
- miscfiles_manage_public_files(cobblerd_t)
- ')
-
-+tunable_policy(`cobbler_can_network_connect',`
-+ corenet_tcp_connect_all_ports(cobblerd_t)
-+ corenet_tcp_sendrecv_all_ports(cobblerd_t)
-+ corenet_sendrecv_all_client_packets(cobblerd_t)
-+')
-+
-+tunable_policy(`cobbler_use_cifs',`
-+ fs_manage_cifs_dirs(cobblerd_t)
-+ fs_manage_cifs_files(cobblerd_t)
-+ fs_manage_cifs_symlinks(cobblerd_t)
-+')
-+
-+tunable_policy(`cobbler_use_nfs',`
-+ fs_manage_nfs_dirs(cobblerd_t)
-+ fs_manage_nfs_files(cobblerd_t)
-+ fs_manage_nfs_symlinks(cobblerd_t)
-+')
-+
-+optional_policy(`
-+ # Cobbler traverses /var/www to get to /var/www/cobbler/*
-+ apache_search_sys_content(cobblerd_t)
-+')
-+
- optional_policy(`
- bind_read_config(cobblerd_t)
- bind_write_config(cobblerd_t)
- bind_domtrans_ndc(cobblerd_t)
- bind_domtrans(cobblerd_t)
- bind_initrc_domtrans(cobblerd_t)
-+ bind_systemctl(cobblerd_t)
- bind_manage_zone(cobblerd_t)
- ')
-
- optional_policy(`
-+ certmaster_exec(cobblerd_t)
-+')
-+
-+optional_policy(`
- dhcpd_domtrans(cobblerd_t)
- dhcpd_initrc_domtrans(cobblerd_t)
-+ dhcpd_systemctl(cobblerd_t)
- ')
-
- optional_policy(`
- dnsmasq_domtrans(cobblerd_t)
- dnsmasq_initrc_domtrans(cobblerd_t)
- dnsmasq_write_config(cobblerd_t)
-+ dnsmasq_systemctl(cobblerd_t)
-+')
-+
-+optional_policy(`
-+ gnome_dontaudit_search_config(cobblerd_t)
-+')
-+
-+optional_policy(`
-+ puppet_domtrans_puppetca(cobblerd_t)
- ')
-
- optional_policy(`
-@@ -110,12 +224,21 @@ optional_policy(`
- ')
-
- optional_policy(`
-- rsync_read_config(cobblerd_t)
-- rsync_write_config(cobblerd_t)
-+ rsync_exec(cobblerd_t)
-+ rsync_manage_config(cobblerd_t)
-+ # cobbler creates /etc/rsync.conf if its not there.
-+ rsync_filetrans_config(cobblerd_t, file)
- ')
-
- optional_policy(`
-- tftp_manage_rw_content(cobblerd_t)
-+ # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images.
-+ # tftp_manage_rw_content(cobblerd_t) can be used instead if:
-+ # 1. cobbler package installs /var/lib/tftpdir/images.
-+ # 2. no FILES in /var/lib/TFTPDIR are hard linked.
-+ # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
-+ # are any of those hard linked?
-+ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
-+ tftp_manage_config(cobblerd_t)
- ')
-
- ########################################
-@@ -123,6 +246,10 @@ optional_policy(`
- # Cobbler web local policy.
- #
-
--apache_content_template(cobbler)
--manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
--manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-+optional_policy(`
-+ apache_content_template(cobbler)
-+
-+ list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t)
-+ manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-+ manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-+')
-diff --git a/collectd.fc b/collectd.fc
-new file mode 100644
-index 0000000..2e1007b
---- /dev/null
-+++ b/collectd.fc
-@@ -0,0 +1,13 @@
-+
-+/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
-+
-+/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
-+
-+/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
-+
-+/var/run/collectd\.pid gen_context(system_u:object_r:collectd_var_run_t,s0)
-+
-+/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
-+
-diff --git a/collectd.if b/collectd.if
-new file mode 100644
-index 0000000..40415f8
---- /dev/null
-+++ b/collectd.if
-@@ -0,0 +1,186 @@
-+
-+## policy for collectd
-+
-+########################################
-+##
-+## Transition to collectd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`collectd_domtrans',`
-+ gen_require(`
-+ type collectd_t, collectd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, collectd_exec_t, collectd_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute collectd server in the collectd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`collectd_initrc_domtrans',`
-+ gen_require(`
-+ type collectd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, collectd_initrc_exec_t)
-+')
-+
-+
-+########################################
-+##
-+## Search collectd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`collectd_search_lib',`
-+ gen_require(`
-+ type collectd_var_lib_t;
-+ ')
-+
-+ allow $1 collectd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read collectd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`collectd_read_lib_files',`
-+ gen_require(`
-+ type collectd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage collectd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`collectd_manage_lib_files',`
-+ gen_require(`
-+ type collectd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage collectd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`collectd_manage_lib_dirs',`
-+ gen_require(`
-+ type collectd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Execute collectd server in the collectd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`collectd_systemctl',`
-+ gen_require(`
-+ type collectd_t;
-+ type collectd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 collectd_unit_file_t:file read_file_perms;
-+ allow $1 collectd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, collectd_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an collectd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`collectd_admin',`
-+ gen_require(`
-+ type collectd_t;
-+ type collectd_initrc_exec_t;
-+ type collectd_var_lib_t;
-+ type collectd_unit_file_t;
-+ ')
-+
-+ allow $1 collectd_t:process signal_perms;
-+ ps_process_pattern($1, collectd_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 collectd_t:process ptrace;
-+ ')
-+
-+ collectd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 collectd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, collectd_var_lib_t)
-+
-+ collectd_systemctl($1)
-+ admin_pattern($1, collectd_unit_file_t)
-+ allow $1 collectd_unit_file_t:service all_service_perms;
-+')
-+
-diff --git a/collectd.te b/collectd.te
-new file mode 100644
-index 0000000..cb6dbe6
---- /dev/null
-+++ b/collectd.te
-@@ -0,0 +1,89 @@
-+policy_module(collectd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+##
-+##
-+## Allow collectd to connect to the
-+## network using TCP.
-+##
-+##
-+gen_tunable(collectd_can_network_connect, false)
-+
-+type collectd_t;
-+type collectd_exec_t;
-+init_daemon_domain(collectd_t, collectd_exec_t)
-+
-+type collectd_initrc_exec_t;
-+init_script_file(collectd_initrc_exec_t)
-+
-+type collectd_var_lib_t;
-+files_type(collectd_var_lib_t)
-+
-+type collectd_var_run_t;
-+files_pid_file(collectd_var_run_t)
-+
-+type collectd_unit_file_t;
-+systemd_unit_file(collectd_unit_file_t)
-+
-+########################################
-+#
-+# collectd local policy
-+#
-+
-+allow collectd_t self:capability { ipc_lock sys_nice };
-+allow collectd_t self:process { getsched setsched signal fork };
-+
-+allow collectd_t self:fifo_file rw_fifo_file_perms;
-+allow collectd_t self:packet_socket create_socket_perms;
-+allow collectd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-+manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-+files_var_lib_filetrans(collectd_t, collectd_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-+manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-+files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file })
-+
-+domain_use_interactive_fds(collectd_t)
-+
-+kernel_read_network_state(collectd_t)
-+kernel_read_net_sysctls(collectd_t)
-+kernel_read_system_state(collectd_t)
-+
-+dev_read_sysfs(collectd_t)
-+dev_read_urand(collectd_t)
-+dev_read_rand(collectd_t)
-+
-+files_getattr_all_dirs(collectd_t)
-+files_read_etc_files(collectd_t)
-+files_read_usr_files(collectd_t)
-+
-+fs_getattr_all_fs(collectd_t)
-+
-+logging_send_syslog_msg(collectd_t)
-+
-+sysnet_dns_name_resolve(collectd_t)
-+
-+tunable_policy(`collectd_can_network_connect',`
-+ corenet_tcp_connect_all_ports(collectd_t)
-+ corenet_tcp_sendrecv_all_ports(collectd_t)
-+ corenet_sendrecv_all_client_packets(collectd_t)
-+')
-+
-+optional_policy(`
-+ apache_content_template(collectd)
-+
-+ files_search_var_lib(httpd_collectd_script_t)
-+ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-+ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
-+')
-+
-+optional_policy(`
-+ virt_read_config(collectd_t)
-+')
-diff --git a/colord.fc b/colord.fc
-index 78b2fea..ef975ac 100644
---- a/colord.fc
-+++ b/colord.fc
-@@ -1,4 +1,7 @@
- /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
-+/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
-+
-+/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
-
- /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
- /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
-diff --git a/colord.if b/colord.if
-index 733e4e6..fa2c3cb 100644
---- a/colord.if
-+++ b/colord.if
-@@ -57,3 +57,26 @@ interface(`colord_read_lib_files',`
- files_search_var_lib($1)
- read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
- ')
-+
-+########################################
-+##
-+## Execute colord server in the colord domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`colord_systemctl',`
-+ gen_require(`
-+ type colord_t;
-+ type colord_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 colord_unit_file_t:file read_file_perms;
-+ allow $1 colord_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, colord_t)
-+')
-diff --git a/colord.te b/colord.te
-index 74505cc..10d9a27 100644
---- a/colord.te
-+++ b/colord.te
-@@ -8,6 +8,7 @@ policy_module(colord, 1.0.0)
- type colord_t;
- type colord_exec_t;
- dbus_system_domain(colord_t, colord_exec_t)
-+init_daemon_domain(colord_t, colord_exec_t)
-
- type colord_tmp_t;
- files_tmp_file(colord_tmp_t)
-@@ -18,14 +19,20 @@ files_tmpfs_file(colord_tmpfs_t)
- type colord_var_lib_t;
- files_type(colord_var_lib_t)
-
-+type colord_unit_file_t;
-+systemd_unit_file(colord_unit_file_t)
-+
- ########################################
- #
- # colord local policy
- #
- allow colord_t self:capability { dac_read_search dac_override };
-+dontaudit colord_t self:capability sys_admin;
- allow colord_t self:process signal;
- allow colord_t self:fifo_file rw_fifo_file_perms;
- allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow colord_t self:tcp_socket create_stream_socket_perms;
-+allow colord_t self:shm create_shm_perms;
- allow colord_t self:udp_socket create_socket_perms;
- allow colord_t self:unix_dgram_socket create_socket_perms;
-
-@@ -41,15 +48,22 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
- manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
- files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
-
--kernel_getattr_proc_files(colord_t)
-+kernel_read_network_state(colord_t)
-+kernel_read_system_state(colord_t)
- kernel_read_device_sysctls(colord_t)
-+kernel_request_load_module(colord_t)
-+
-+# reads *.ini files
-+corecmd_exec_bin(colord_t)
-+corecmd_exec_shell(colord_t)
-
--corenet_all_recvfrom_unlabeled(colord_t)
- corenet_all_recvfrom_netlabel(colord_t)
- corenet_udp_bind_generic_node(colord_t)
- corenet_udp_bind_ipp_port(colord_t)
- corenet_tcp_connect_ipp_port(colord_t)
-
-+dev_read_raw_memory(colord_t)
-+dev_write_raw_memory(colord_t)
- dev_read_video_dev(colord_t)
- dev_write_video_dev(colord_t)
- dev_rw_printer(colord_t)
-@@ -62,22 +76,36 @@ dev_rw_generic_usb_dev(colord_t)
- domain_use_interactive_fds(colord_t)
-
- files_list_mnt(colord_t)
--files_read_etc_files(colord_t)
- files_read_usr_files(colord_t)
-
-+fs_search_all(colord_t)
-+fs_getattr_noxattr_fs(colord_t)
-+fs_dontaudit_getattr_all_fs(colord_t)
-+fs_list_noxattr_fs(colord_t)
- fs_read_noxattr_fs_files(colord_t)
-
-+storage_getattr_fixed_disk_dev(colord_t)
-+storage_getattr_removable_dev(colord_t)
-+storage_read_scsi_generic(colord_t)
-+storage_write_scsi_generic(colord_t)
-+
-+auth_use_nsswitch(colord_t)
-+
- logging_send_syslog_msg(colord_t)
-
--miscfiles_read_localization(colord_t)
-+fs_getattr_tmpfs(colord_t)
-+userdom_rw_user_tmpfs_files(colord_t)
-
--sysnet_dns_name_resolve(colord_t)
-+userdom_home_reader(colord_t)
-+userdom_read_inherited_user_home_content_files(colord_t)
-
- tunable_policy(`use_nfs_home_dirs',`
-+ fs_getattr_nfs(colord_t)
- fs_read_nfs_files(colord_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
-+ fs_getattr_cifs(colord_t)
- fs_read_cifs_files(colord_t)
- ')
-
-@@ -89,6 +117,12 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gnome_read_home_icc_data_content(colord_t)
-+ # Fixes lots of breakage in F16 on upgrade
-+ gnome_read_generic_data_home_files(colord_t)
-+')
-+
-+optional_policy(`
- policykit_dbus_chat(colord_t)
- policykit_domtrans_auth(colord_t)
- policykit_read_lib(colord_t)
-@@ -96,5 +130,19 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ sysnet_exec_ifconfig(colord_t)
-+')
-+
-+optional_policy(`
- udev_read_db(colord_t)
- ')
-+
-+optional_policy(`
-+ xserver_dbus_chat_xdm(colord_t)
-+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
-+ xserver_read_inherited_xdm_lib_files(colord_t)
-+')
-+
-+optional_policy(`
-+ zoneminder_rw_tmpfs_files(colord_t)
-+')
-diff --git a/comsat.te b/comsat.te
-index 3d121fd..b64c98c 100644
---- a/comsat.te
-+++ b/comsat.te
-@@ -39,7 +39,6 @@ kernel_read_kernel_sysctls(comsat_t)
- kernel_read_network_state(comsat_t)
- kernel_read_system_state(comsat_t)
-
--corenet_all_recvfrom_unlabeled(comsat_t)
- corenet_all_recvfrom_netlabel(comsat_t)
- corenet_tcp_sendrecv_generic_if(comsat_t)
- corenet_udp_sendrecv_generic_if(comsat_t)
-@@ -51,7 +50,6 @@ dev_read_urand(comsat_t)
-
- fs_getattr_xattr_fs(comsat_t)
-
--files_read_etc_files(comsat_t)
- files_list_usr(comsat_t)
- files_search_spool(comsat_t)
- files_search_home(comsat_t)
-@@ -63,8 +61,6 @@ init_dontaudit_write_utmp(comsat_t)
-
- logging_send_syslog_msg(comsat_t)
-
--miscfiles_read_localization(comsat_t)
--
- userdom_dontaudit_getattr_user_ttys(comsat_t)
-
- mta_getattr_spool(comsat_t)
-diff --git a/condor.fc b/condor.fc
-new file mode 100644
-index 0000000..b3a5b51
---- /dev/null
-+++ b/condor.fc
-@@ -0,0 +1,21 @@
-+/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0)
-+
-+/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
-+/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
-+/usr/sbin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0)
-+/usr/sbin/condor_schedd -- gen_context(system_u:object_r:condor_schedd_exec_t,s0)
-+/usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
-+/usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
-+/usr/sbin/condor_procd -- gen_context(system_u:object_r:condor_procd_exec_t,s0)
-+
-+/var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
-+
-+/var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
-+
-+/var/lib/condor/spool(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
-+
-+/var/lock/condor(/.*)? gen_context(system_u:object_r:condor_var_lock_t,s0)
-+
-+/var/log/condor(/.*)? gen_context(system_u:object_r:condor_log_t,s0)
-+
-+/var/run/condor(/.*)? gen_context(system_u:object_r:condor_var_run_t,s0)
-diff --git a/condor.if b/condor.if
-new file mode 100644
-index 0000000..8424fdb
---- /dev/null
-+++ b/condor.if
-@@ -0,0 +1,393 @@
-+
-+## policy for condor
-+
-+#####################################
-+##
-+## Creates types and rules for a basic
-+## condor init daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`condor_domain_template',`
-+ gen_require(`
-+ type condor_master_t;
-+ attribute condor_domain;
-+ ')
-+
-+ #############################
-+ #
-+ # Declarations
-+ #
-+
-+ type condor_$1_t, condor_domain;
-+ type condor_$1_exec_t;
-+ init_daemon_domain(condor_$1_t, condor_$1_exec_t)
-+ role system_r types condor_$1_t;
-+
-+ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
-+ allow condor_master_t condor_$1_exec_t:file ioctl;
-+
-+ kernel_read_system_state(condor_$1_t)
-+
-+ auth_use_nsswitch(condor_$1_t)
-+
-+ logging_send_syslog_msg(condor_$1_t)
-+')
-+
-+########################################
-+##
-+## Transition to condor.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`condor_domtrans',`
-+ gen_require(`
-+ type condor_t, condor_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, condor_exec_t, condor_t)
-+')
-+
-+#######################################
-+##
-+## Allows to start userland processes
-+## by transitioning to the specified domain,
-+## with a range transition.
-+##
-+##
-+##
-+## The process type entered by condor_startd.
-+##
-+##
-+##
-+##
-+## The executable type for the entrypoint.
-+##
-+##
-+##
-+##
-+## Range for the domain.
-+##
-+##
-+#
-+interface(`condor_startd_ranged_domtrans_to',`
-+ gen_require(`
-+ type sshd_t;
-+ ')
-+ condor_startd_domtrans_to($1, $2)
-+
-+
-+ ifdef(`enable_mcs',`
-+ range_transition condor_startd_t $2:process $3;
-+ ')
-+
-+')
-+
-+#######################################
-+##
-+## Allows to start userlandprocesses
-+## by transitioning to the specified domain.
-+##
-+##
-+##
-+## The process type entered by condor_startd.
-+##
-+##
-+##
-+##
-+## The executable type for the entrypoint.
-+##
-+##
-+#
-+interface(`condor_startd_domtrans_to',`
-+ gen_require(`
-+ type condor_startd_t;
-+ ')
-+
-+ domtrans_pattern(condor_startd_t, $2, $1)
-+')
-+
-+########################################
-+##
-+## Read condor's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`condor_read_log',`
-+ gen_require(`
-+ type condor_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, condor_log_t, condor_log_t)
-+')
-+
-+########################################
-+##
-+## Append to condor log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_append_log',`
-+ gen_require(`
-+ type condor_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, condor_log_t, condor_log_t)
-+')
-+
-+########################################
-+##
-+## Manage condor log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_manage_log',`
-+ gen_require(`
-+ type condor_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, condor_log_t, condor_log_t)
-+ manage_files_pattern($1, condor_log_t, condor_log_t)
-+ manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
-+')
-+
-+########################################
-+##
-+## Search condor lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_search_lib',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ allow $1 condor_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read condor lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_read_lib_files',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
-+')
-+
-+######################################
-+##
-+## Read and write condor lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_rw_lib_files',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage condor lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_manage_lib_files',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage condor lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_manage_lib_dirs',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read condor PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_read_pid_files',`
-+ gen_require(`
-+ type condor_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 condor_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute condor server in the condor domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`condor_systemctl',`
-+ gen_require(`
-+ type condor_t;
-+ type condor_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 condor_unit_file_t:file read_file_perms;
-+ allow $1 condor_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, condor_t)
-+')
-+
-+
-+#######################################
-+##
-+## Read and write condor_startd server TCP sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_rw_tcp_sockets_startd',`
-+ gen_require(`
-+ type condor_startd_t;
-+ ')
-+
-+ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
-+')
-+
-+######################################
-+##
-+## Read and write condor_schedd server TCP sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_rw_tcp_sockets_schedd',`
-+ gen_require(`
-+ type condor_schedd_t;
-+ ')
-+
-+ allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an condor environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_admin',`
-+ gen_require(`
-+ type condor_t;
-+ type condor_log_t;
-+ type condor_var_lib_t;
-+ type condor_var_run_t;
-+ type condor_unit_file_t;
-+ ')
-+
-+ allow $1 condor_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, condor_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, condor_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, condor_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, condor_var_run_t)
-+
-+ condor_systemctl($1)
-+ admin_pattern($1, condor_unit_file_t)
-+ allow $1 condor_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/condor.te b/condor.te
-new file mode 100644
-index 0000000..c2bc300
---- /dev/null
-+++ b/condor.te
-@@ -0,0 +1,240 @@
-+policy_module(condor, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+##
-+##
-+## Allow codnor domain to connect to the network using TCP.
-+##
-+##
-+gen_tunable(condor_domain_can_network_connect, false)
-+
-+attribute condor_domain;
-+
-+type condor_master_t, condor_domain;
-+type condor_master_exec_t;
-+init_daemon_domain(condor_master_t, condor_master_exec_t)
-+
-+condor_domain_template(collector)
-+condor_domain_template(negotiator)
-+condor_domain_template(schedd)
-+condor_domain_template(startd)
-+condor_domain_template(procd)
-+
-+type condor_master_tmp_t;
-+files_tmp_file(condor_master_tmp_t)
-+
-+type condor_schedd_tmp_t;
-+files_tmp_file(condor_schedd_tmp_t)
-+
-+type condor_startd_tmp_t;
-+files_tmp_file(condor_startd_tmp_t)
-+
-+type condor_startd_tmpfs_t;
-+files_tmpfs_file(condor_startd_tmpfs_t)
-+
-+type condor_log_t;
-+logging_log_file(condor_log_t)
-+
-+type condor_var_lib_t;
-+files_type(condor_var_lib_t)
-+
-+type condor_var_lock_t;
-+files_lock_file(condor_var_lock_t)
-+
-+type condor_var_run_t;
-+files_pid_file(condor_var_run_t)
-+
-+type condor_unit_file_t;
-+systemd_unit_file(condor_unit_file_t)
-+
-+########################################
-+#
-+# condor domain local policy
-+#
-+
-+allow condor_domain self:process signal_perms;
-+allow condor_domain self:fifo_file rw_fifo_file_perms;
-+
-+allow condor_domain self:tcp_socket create_stream_socket_perms;
-+allow condor_domain self:udp_socket create_socket_perms;
-+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
-+
-+allow condor_domain condor_master_t:process signull;
-+allow condor_domain condor_master_t:tcp_socket getattr;
-+
-+manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
-+manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
-+logging_log_filetrans(condor_domain, condor_log_t, { dir file })
-+
-+manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
-+manage_files_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
-+files_var_lib_filetrans(condor_domain, condor_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t)
-+manage_files_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t)
-+files_lock_filetrans(condor_domain, condor_var_lock_t, { dir file })
-+
-+manage_dirs_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
-+manage_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
-+manage_fifo_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
-+files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
-+
-+kernel_read_network_state(condor_domain)
-+kernel_read_kernel_sysctls(condor_domain)
-+
-+corecmd_exec_bin(condor_domain)
-+corecmd_exec_shell(condor_domain)
-+
-+corenet_tcp_connect_condor_port(condor_domain)
-+corenet_tcp_connect_all_ephemeral_ports(condor_domain)
-+
-+domain_use_interactive_fds(condor_domain)
-+
-+dev_read_rand(condor_domain)
-+dev_read_urand(condor_domain)
-+dev_read_sysfs(condor_domain)
-+
-+files_read_etc_files(condor_domain)
-+
-+tunable_policy(`condor_domain_can_network_connect',`
-+ corenet_tcp_connect_all_ports(condor_domain)
-+')
-+
-+optional_policy(`
-+ rhcs_stream_connect_cluster(condor_domain)
-+')
-+
-+optional_policy(`
-+ sysnet_dns_name_resolve(condor_domain)
-+')
-+
-+#####################################
-+#
-+# condor master local policy
-+#
-+
-+allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
-+
-+allow condor_master_t condor_domain:process { sigkill signal };
-+
-+manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
-+manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
-+files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
-+
-+corenet_tcp_bind_condor_port(condor_master_t)
-+corenet_udp_bind_condor_port(condor_master_t)
-+corenet_tcp_connect_amqp_port(condor_master_t)
-+
-+domain_read_all_domains_state(condor_master_t)
-+
-+optional_policy(`
-+ mta_send_mail(condor_master_t)
-+ mta_read_config(condor_master_t)
-+')
-+
-+######################################
-+#
-+# condor collector local policy
-+#
-+
-+allow condor_collector_t self:capability { setuid setgid };
-+
-+allow condor_collector_t condor_master_t:tcp_socket rw_stream_socket_perms;
-+allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
-+
-+kernel_read_network_state(condor_collector_t)
-+
-+#####################################
-+#
-+# condor negotiator local policy
-+#
-+allow condor_negotiator_t self:capability { setuid setgid };
-+allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
-+allow condor_negotiator_t condor_master_t:udp_socket getattr;
-+
-+corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
-+
-+######################################
-+#
-+# condor procd local policy
-+#
-+
-+allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace };
-+
-+allow condor_procd_t self:capability kill;
-+allow condor_procd_t condor_startd_t:process sigkill;
-+
-+domain_read_all_domains_state(condor_procd_t)
-+
-+#######################################
-+#
-+# condor schedd local policy
-+#
-+
-+domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
-+domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-+
-+# dac_override because of /var/log/condor
-+allow condor_schedd_t self:capability { setuid chown setgid dac_override };
-+allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
-+allow condor_schedd_t condor_master_t:udp_socket getattr;
-+
-+allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
-+
-+manage_dirs_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
-+manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
-+files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
-+allow condor_schedd_t condor_schedd_tmp_t:file { relabelfrom relabelto };
-+
-+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
-+
-+#####################################
-+#
-+# condor startd local policy
-+#
-+
-+# also needed by java
-+allow condor_startd_t self:capability { setuid net_admin setgid dac_override };
-+allow condor_startd_t self:process execmem;
-+
-+manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
-+manage_files_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
-+files_tmp_filetrans(condor_startd_t, condor_startd_tmp_t, { file dir })
-+allow condor_startd_t condor_startd_tmp_t:file { relabelfrom relabelto };
-+
-+manage_dirs_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t)
-+manage_files_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t)
-+fs_tmpfs_filetrans(condor_startd_t, condor_startd_tmpfs_t, { dir file })
-+
-+can_exec(condor_startd_t, condor_startd_exec_t)
-+
-+domain_read_all_domains_state(condor_startd_t)
-+
-+mcs_process_set_categories(condor_startd_t)
-+
-+init_domtrans_script(condor_startd_t)
-+init_initrc_domain(condor_startd_t)
-+
-+libs_exec_lib_files(condor_startd_t)
-+
-+files_read_usr_files(condor_startd_t)
-+
-+optional_policy(`
-+ ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
-+ ssh_domtrans(condor_startd_t)
-+
-+ manage_files_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t)
-+ manage_dirs_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t)
-+
-+ optional_policy(`
-+ kerberos_use(condor_startd_ssh_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ unconfined_domain(condor_startd_t)
-+')
-diff --git a/consolekit.fc b/consolekit.fc
-index 32233ab..7058d21 100644
---- a/consolekit.fc
-+++ b/consolekit.fc
-@@ -1,3 +1,5 @@
-+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
-+
- /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
-
- /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
-diff --git a/consolekit.if b/consolekit.if
-index fd15dfe..aac1e5d 100644
---- a/consolekit.if
-+++ b/consolekit.if
-@@ -20,6 +20,27 @@ interface(`consolekit_domtrans',`
-
- ########################################
- ##
-+## dontaudit Send and receive messages from
-+## consolekit over dbus.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`consolekit_dontaudit_dbus_chat',`
-+ gen_require(`
-+ type consolekit_t;
-+ class dbus send_msg;
-+ ')
-+
-+ dontaudit $1 consolekit_t:dbus send_msg;
-+ dontaudit consolekit_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
- ## Send and receive messages from
- ## consolekit over dbus.
- ##
-@@ -41,6 +62,24 @@ interface(`consolekit_dbus_chat',`
-
- ########################################
- ##
-+## Dontaudit attempts to read consolekit log files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`consolekit_dontaudit_read_log',`
-+ gen_require(`
-+ type consolekit_log_t;
-+ ')
-+
-+ dontaudit $1 consolekit_log_t:file read_file_perms;
-+')
-+
-+########################################
-+##
- ## Read consolekit log files.
- ##
- ##
-@@ -96,3 +135,64 @@ interface(`consolekit_read_pid_files',`
- allow $1 consolekit_var_run_t:dir list_dir_perms;
- read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
- ')
-+
-+########################################
-+##
-+## List consolekit PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`consolekit_list_pid_files',`
-+ gen_require(`
-+ type consolekit_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
-+')
-+
-+########################################
-+##
-+## Allow the domain to read consolekit state files in /proc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`consolekit_read_state',`
-+ gen_require(`
-+ type consolekit_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, consolekit_t)
-+')
-+
-+########################################
-+##
-+## Execute consolekit server in the consolekit domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`consolekit_systemctl',`
-+ gen_require(`
-+ type consolekit_t;
-+ type consolekit_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 consolekit_unit_file_t:file read_file_perms;
-+ allow $1 consolekit_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, consolekit_t)
-+')
-diff --git a/consolekit.te b/consolekit.te
-index 6f2896d..ca0b28a 100644
---- a/consolekit.te
-+++ b/consolekit.te
-@@ -15,12 +15,19 @@ logging_log_file(consolekit_log_t)
- type consolekit_var_run_t;
- files_pid_file(consolekit_var_run_t)
-
-+type consolekit_tmpfs_t;
-+files_tmpfs_file(consolekit_tmpfs_t)
-+
-+type consolekit_unit_file_t;
-+systemd_unit_file(consolekit_unit_file_t)
-+
- ########################################
- #
- # consolekit local policy
- #
-
- allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
-+
- allow consolekit_t self:process { getsched signal };
- allow consolekit_t self:fifo_file rw_fifo_file_perms;
- allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -43,9 +50,7 @@ dev_read_sysfs(consolekit_t)
-
- domain_read_all_domains_state(consolekit_t)
- domain_use_interactive_fds(consolekit_t)
--domain_dontaudit_ptrace_all_domains(consolekit_t)
-
--files_read_etc_files(consolekit_t)
- files_read_usr_files(consolekit_t)
- # needs to read /var/lib/dbus/machine-id
- files_read_var_lib_files(consolekit_t)
-@@ -67,17 +72,17 @@ init_rw_utmp(consolekit_t)
- logging_send_syslog_msg(consolekit_t)
- logging_send_audit_msgs(consolekit_t)
-
--miscfiles_read_localization(consolekit_t)
-+systemd_exec_systemctl(consolekit_t)
-
-+userdom_read_all_users_state(consolekit_t)
- userdom_dontaudit_read_user_home_content_files(consolekit_t)
-+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
- userdom_read_user_tmp_files(consolekit_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(consolekit_t)
--')
-+userdom_home_reader(consolekit_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(consolekit_t)
-+optional_policy(`
-+ cron_read_system_job_lib_files(consolekit_t)
- ')
-
- optional_policy(`
-@@ -97,7 +102,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-- hal_ptrace(consolekit_t)
-+ networkmanager_append_log(consolekit_t)
- ')
-
- optional_policy(`
-@@ -108,9 +113,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-- type consolekit_tmpfs_t;
-- files_tmpfs_file(consolekit_tmpfs_t)
-+ shutdown_domtrans(consolekit_t)
-+')
-
-+optional_policy(`
- xserver_read_xdm_pid(consolekit_t)
- xserver_read_user_xauth(consolekit_t)
- xserver_non_drawing_client(consolekit_t)
-@@ -126,6 +132,5 @@ optional_policy(`
- ')
-
- optional_policy(`
-- #reading .Xauthity
- unconfined_stream_connect(consolekit_t)
- ')
-diff --git a/corosync.fc b/corosync.fc
-index 3a6d7eb..1bb208a 100644
---- a/corosync.fc
-+++ b/corosync.fc
-@@ -1,12 +1,14 @@
- /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
-
--/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
-+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
-
--/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
-+/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
-+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
-
- /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
-
--/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
-+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:corosync_var_log_t,s0)
-
- /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
- /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
-+/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
-diff --git a/corosync.if b/corosync.if
-index 5220c9d..33df583 100644
---- a/corosync.if
-+++ b/corosync.if
-@@ -20,6 +20,43 @@ interface(`corosync_domtrans',`
-
- #######################################
- ##
-+## Execute a domain transition to run corosync.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`corosync_initrc_domtrans',`
-+ gen_require(`
-+ type corosync_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
-+')
-+
-+######################################
-+##
-+## Execute corosync in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corosync_exec',`
-+ gen_require(`
-+ type corosync_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ can_exec($1, corosync_exec_t)
-+')
-+
-+#######################################
-+##
- ## Allow the specified domain to read corosync's log files.
- ##
- ##
-@@ -52,14 +89,58 @@ interface(`corosync_read_log',`
- interface(`corosync_stream_connect',`
- gen_require(`
- type corosync_t, corosync_var_run_t;
-+ type corosync_var_lib_t;
- ')
-
- files_search_pids($1)
-+ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
- stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
- ')
-
- ######################################
- ##
-+## Allow the specified domain to read/write corosync's tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corosync_rw_tmpfs',`
-+ gen_require(`
-+ type corosync_tmpfs_t;
-+ ')
-+
-+ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
-+
-+')
-+
-+########################################
-+##
-+## Execute corosync server in the corosync domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`corosync_systemctl',`
-+ gen_require(`
-+ type corosync_t;
-+ type corosync_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 corosync_unit_file_t:file read_file_perms;
-+ allow $1 corosync_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, corosync_t)
-+')
-+
-+######################################
-+##
- ## All of the rules required to administrate
- ## an corosync environment
- ##
-@@ -80,11 +161,16 @@ interface(`corosyncd_admin',`
- type corosync_t, corosync_var_lib_t, corosync_var_log_t;
- type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
- type corosync_initrc_exec_t;
-+ type corosync_unit_file_t;
- ')
-
-- allow $1 corosync_t:process { ptrace signal_perms };
-+ allow $1 corosync_t:process signal_perms;
- ps_process_pattern($1, corosync_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 corosync_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, corosync_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 corosync_initrc_exec_t system_r;
-@@ -103,4 +189,8 @@ interface(`corosyncd_admin',`
-
- files_list_pids($1)
- admin_pattern($1, corosync_var_run_t)
-+
-+ corosync_systemctl($1)
-+ admin_pattern($1, corosync_unit_file_t)
-+ allow $1 corosync_unit_file_t:service all_service_perms;
- ')
-diff --git a/corosync.te b/corosync.te
-index 04969e5..1d60d9f 100644
---- a/corosync.te
-+++ b/corosync.te
-@@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0)
- type corosync_t;
- type corosync_exec_t;
- init_daemon_domain(corosync_t, corosync_exec_t)
-+domain_obj_id_change_exemption(corosync_t)
-
- type corosync_initrc_exec_t;
- init_script_file(corosync_initrc_exec_t)
-@@ -27,23 +28,32 @@ logging_log_file(corosync_var_log_t)
- type corosync_var_run_t;
- files_pid_file(corosync_var_run_t)
-
-+type corosync_unit_file_t;
-+systemd_unit_file(corosync_unit_file_t)
-+
- ########################################
- #
- # corosync local policy
- #
-
--allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
--allow corosync_t self:process { setrlimit setsched signal };
-+allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
-+# for hearbeat
-+allow corosync_t self:capability { net_raw chown };
-+allow corosync_t self:process { setpgid setrlimit setsched signal signull };
-
- allow corosync_t self:fifo_file rw_fifo_file_perms;
- allow corosync_t self:sem create_sem_perms;
-+allow corosync_t self:shm create_shm_perms;
- allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
--allow corosync_t self:unix_dgram_socket create_socket_perms;
-+allow corosync_t self:unix_dgram_socket { create_socket_perms sendto };
- allow corosync_t self:udp_socket create_socket_perms;
-
-+can_exec(corosync_t, corosync_exec_t)
-+
- manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
- manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
- files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
-+allow corosync_t corosync_tmp_t:file { relabelfrom relabelto };
-
- manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
- manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
-@@ -52,7 +62,8 @@ fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file })
- manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
- manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
- manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
--files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file })
-+manage_fifo_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t)
-+files_var_lib_filetrans(corosync_t,corosync_var_lib_t, { file dir fifo_file sock_file })
-
- manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
- manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
-@@ -60,44 +71,96 @@ logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
-
- manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
- manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
--files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
-+manage_dirs_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t)
-+files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file dir })
-
- kernel_read_system_state(corosync_t)
-+kernel_read_network_state(corosync_t)
-+kernel_read_all_sysctls(corosync_t)
-
- corecmd_exec_bin(corosync_t)
-+corecmd_exec_shell(corosync_t)
-
- corenet_udp_bind_netsupport_port(corosync_t)
-+corenet_tcp_connect_saphostctrl_port(corosync_t)
-
- dev_read_urand(corosync_t)
-+dev_read_sysfs(corosync_t)
-
- domain_read_all_domains_state(corosync_t)
-
- files_manage_mounttab(corosync_t)
-+files_read_usr_files(corosync_t)
-
- auth_use_nsswitch(corosync_t)
-
-+init_domtrans_script(corosync_t)
- init_read_script_state(corosync_t)
- init_rw_script_tmp_files(corosync_t)
-
- logging_send_syslog_msg(corosync_t)
-
--miscfiles_read_localization(corosync_t)
--
-+userdom_read_user_tmp_files(corosync_t)
-+userdom_delete_user_tmpfs_files(corosync_t)
- userdom_rw_user_tmpfs_files(corosync_t)
-
- optional_policy(`
-+ fs_manage_tmpfs_files(corosync_t)
-+ init_manage_script_status_files(corosync_t)
-+')
-+
-+optional_policy(`
- ccs_read_config(corosync_t)
- ')
-
- optional_policy(`
-- # to communication with RHCS
-- rhcs_rw_dlm_controld_semaphores(corosync_t)
-+ cmirrord_rw_shm(corosync_t)
-+')
-
-- rhcs_rw_fenced_semaphores(corosync_t)
-+optional_policy(`
-+ consoletype_exec(corosync_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(corosync_t)
-+')
-
-- rhcs_rw_gfs_controld_semaphores(corosync_t)
-+optional_policy(`
-+ drbd_domtrans(corosync_t)
- ')
-
- optional_policy(`
-+ lvm_rw_clvmd_tmpfs_files(corosync_t)
-+ lvm_delete_clvmd_tmpfs_files(corosync_t)
-+')
-+
-+optional_policy(`
-+ qpidd_rw_shm(corosync_t)
-+')
-+
-+optional_policy(`
-+ rhcs_getattr_fenced(corosync_t)
-+ # to communication with RHCS
-+ rhcs_rw_cluster_shm(corosync_t)
-+ rhcs_rw_cluster_semaphores(corosync_t)
-+ rhcs_stream_connect_cluster(corosync_t)
-+ rhcs_read_cluster_lib_files(corosync_t)
-+ rhcs_manage_cluster_lib_files(corosync_t)
-+ rhcs_relabel_cluster_lib_files(corosync_t)
-+')
-+
-+optional_policy(`
-+ # should be removed in F19
-+ # workaround because we switch hearbeat from corosync to rgmanager
-+ rgmanager_manage_files(corosync_t)
-+
- rgmanager_manage_tmpfs_files(corosync_t)
- ')
-+
-+optional_policy(`
-+ rpc_search_nfs_state_data(corosync_t)
-+')
-+
-+optional_policy(`
-+ wdmd_rw_tmpfs(corosync_t)
-+')
-diff --git a/couchdb.fc b/couchdb.fc
-new file mode 100644
-index 0000000..196461b
---- /dev/null
-+++ b/couchdb.fc
-@@ -0,0 +1,11 @@
-+/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_etc_t,s0)
-+
-+/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
-+
-+/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0)
-+
-+/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
-+
-+/var/log/couchdb(/.*)? gen_context(system_u:object_r:couchdb_log_t,s0)
-+
-+/var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0)
-diff --git a/couchdb.if b/couchdb.if
-new file mode 100644
-index 0000000..3e17383
---- /dev/null
-+++ b/couchdb.if
-@@ -0,0 +1,244 @@
-+
-+## policy for couchdb
-+
-+########################################
-+##
-+## Transition to couchdb.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`couchdb_domtrans',`
-+ gen_require(`
-+ type couchdb_t, couchdb_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, couchdb_exec_t, couchdb_t)
-+')
-+########################################
-+##
-+## Read couchdb's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`couchdb_read_log',`
-+ gen_require(`
-+ type couchdb_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, couchdb_log_t, couchdb_log_t)
-+')
-+
-+########################################
-+##
-+## Append to couchdb log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`couchdb_append_log',`
-+ gen_require(`
-+ type couchdb_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, couchdb_log_t, couchdb_log_t)
-+')
-+
-+########################################
-+##
-+## Manage couchdb log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`couchdb_manage_log',`
-+ gen_require(`
-+ type couchdb_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, couchdb_log_t, couchdb_log_t)
-+ manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
-+ manage_lnk_files_pattern($1, couchdb_log_t, couchdb_log_t)
-+')
-+
-+########################################
-+##
-+## Search couchdb lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`couchdb_search_lib',`
-+ gen_require(`
-+ type couchdb_var_lib_t;
-+ ')
-+
-+ allow $1 couchdb_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read couchdb lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`couchdb_read_lib_files',`
-+ gen_require(`
-+ type couchdb_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage couchdb lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`couchdb_manage_lib_files',`
-+ gen_require(`
-+ type couchdb_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage couchdb lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`couchdb_manage_lib_dirs',`
-+ gen_require(`
-+ type couchdb_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read couchdb PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`couchdb_read_pid_files',`
-+ gen_require(`
-+ type couchdb_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 couchdb_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute couchdb server in the couchdb domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`couchdb_systemctl',`
-+ gen_require(`
-+ type couchdb_t;
-+ type couchdb_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 couchdb_unit_file_t:file read_file_perms;
-+ allow $1 couchdb_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, couchdb_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an couchdb environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`couchdb_admin',`
-+ gen_require(`
-+ type couchdb_t, couchdb_etc_t, couchdb_log_t;
-+ type couchdb_var_lib_t, couchdb_var_run_t;
-+ type couchdb_unit_file_t;
-+ ')
-+
-+ allow $1 couchdb_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, couchdb_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, couchdb_log_t)
-+
-+ files_search_etc($1)
-+ admin_pattern($1, couchdb_etc_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, couchdb_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, couchdb_var_run_t)
-+
-+ admin_pattern($1, couchdb_unit_file_t)
-+ couchdb_systemctl($1)
-+ allow $1 couchdb_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/couchdb.te b/couchdb.te
-new file mode 100644
-index 0000000..4b0535f
---- /dev/null
-+++ b/couchdb.te
-@@ -0,0 +1,83 @@
-+policy_module(couchdb, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type couchdb_t;
-+type couchdb_exec_t;
-+init_daemon_domain(couchdb_t, couchdb_exec_t)
-+
-+type couchdb_etc_t;
-+files_config_file(couchdb_etc_t)
-+
-+type couchdb_tmp_t;
-+files_tmp_file(couchdb_tmp_t)
-+
-+type couchdb_log_t;
-+logging_log_file(couchdb_log_t)
-+
-+type couchdb_var_lib_t;
-+files_type(couchdb_var_lib_t)
-+
-+type couchdb_var_run_t;
-+files_pid_file(couchdb_var_run_t)
-+
-+type couchdb_unit_file_t;
-+systemd_unit_file(couchdb_unit_file_t)
-+
-+########################################
-+#
-+# couchdb local policy
-+#
-+allow couchdb_t self:process { setsched signal signull sigkill };
-+allow couchdb_t self:fifo_file rw_fifo_file_perms;
-+allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
-+allow couchdb_t self:tcp_socket create_stream_socket_perms;
-+allow couchdb_t self:udp_socket create_socket_perms;
-+
-+allow couchdb_t couchdb_etc_t:dir list_dir_perms;
-+read_files_pattern(couchdb_t, couchdb_etc_t, couchdb_etc_t)
-+
-+manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
-+manage_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
-+logging_log_filetrans(couchdb_t, couchdb_log_t, { dir file })
-+
-+manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
-+manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
-+files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })
-+
-+manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
-+manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
-+files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
-+manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
-+files_pid_filetrans(couchdb_t, couchdb_var_run_t, { dir file })
-+
-+can_exec(couchdb_t, couchdb_exec_t)
-+
-+kernel_read_system_state(couchdb_t)
-+
-+corecmd_exec_bin(couchdb_t)
-+corecmd_exec_shell(couchdb_t)
-+
-+corenet_tcp_bind_generic_node(couchdb_t)
-+corenet_udp_bind_generic_node(couchdb_t)
-+corenet_tcp_bind_couchdb_port(couchdb_t)
-+
-+dev_list_sysfs(couchdb_t)
-+dev_read_sysfs(couchdb_t)
-+dev_read_urand(couchdb_t)
-+
-+domain_use_interactive_fds(couchdb_t)
-+
-+files_read_usr_files(couchdb_t)
-+
-+fs_getattr_xattr_fs(couchdb_t)
-+
-+auth_use_nsswitch(couchdb_t)
-+
-+libs_exec_lib_files(couchdb_t)
-+
-diff --git a/courier.fc b/courier.fc
-index 47dfa07..1beadbd 100644
---- a/courier.fc
-+++ b/courier.fc
-@@ -8,15 +8,15 @@
- /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
- /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
-
--/usr/lib/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
--/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
--/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
--/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
--/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
--/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
--/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-+/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
-+/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
-+/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-+/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-+/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-+/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-+/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
- /usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
--/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
-+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
-
- ifdef(`distro_gentoo',`
- /usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
-diff --git a/courier.if b/courier.if
-index 9971337..4078c26 100644
---- a/courier.if
-+++ b/courier.if
-@@ -50,7 +50,6 @@ template(`courier_domain_template',`
-
- corecmd_exec_bin(courier_$1_t)
-
-- corenet_all_recvfrom_unlabeled(courier_$1_t)
- corenet_all_recvfrom_netlabel(courier_$1_t)
- corenet_tcp_sendrecv_generic_if(courier_$1_t)
- corenet_udp_sendrecv_generic_if(courier_$1_t)
-@@ -90,7 +89,7 @@ template(`courier_domain_template',`
- ## Execute the courier authentication daemon with
- ## a domain transition.
- ##
--##
-+##
- ##
- ## Domain allowed to transition.
- ##
-@@ -104,12 +103,31 @@ interface(`courier_domtrans_authdaemon',`
- domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
- ')
-
-+#######################################
-+##
-+## Connect to courier-authdaemon over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`courier_stream_connect_authdaemon',`
-+ gen_require(`
-+ type courier_authdaemon_t, courier_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
-+')
-+
- ########################################
- ##
- ## Execute the courier POP3 and IMAP server with
- ## a domain transition.
- ##
--##
-+##
- ##
- ## Domain allowed to transition.
- ##
-@@ -127,7 +145,7 @@ interface(`courier_domtrans_pop',`
- ##
- ## Read courier config files
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
-@@ -138,6 +156,7 @@ interface(`courier_read_config',`
- type courier_etc_t;
- ')
-
-+ files_search_etc($1)
- read_files_pattern($1, courier_etc_t, courier_etc_t)
- ')
-
-@@ -146,7 +165,7 @@ interface(`courier_read_config',`
- ## Create, read, write, and delete courier
- ## spool directories.
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
-@@ -157,6 +176,7 @@ interface(`courier_manage_spool_dirs',`
- type courier_spool_t;
- ')
-
-+ files_search_spool($1)
- manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
- ')
-
-@@ -165,7 +185,7 @@ interface(`courier_manage_spool_dirs',`
- ## Create, read, write, and delete courier
- ## spool files.
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
-@@ -176,6 +196,7 @@ interface(`courier_manage_spool_files',`
- type courier_spool_t;
- ')
-
-+ files_search_spool($1)
- manage_files_pattern($1, courier_spool_t, courier_spool_t)
- ')
-
-@@ -183,7 +204,7 @@ interface(`courier_manage_spool_files',`
- ##
- ## Read courier spool files.
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
-@@ -194,6 +215,7 @@ interface(`courier_read_spool',`
- type courier_spool_t;
- ')
-
-+ files_search_spool($1)
- read_files_pattern($1, courier_spool_t, courier_spool_t)
- ')
-
-diff --git a/courier.te b/courier.te
-index d034450..820c10b 100644
---- a/courier.te
-+++ b/courier.te
-@@ -15,7 +15,7 @@ courier_domain_template(pcp)
- courier_domain_template(pop)
-
- type courier_spool_t;
--files_type(courier_spool_t)
-+files_spool_file(courier_spool_t)
-
- courier_domain_template(tcpd)
-
-@@ -68,7 +68,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
-
- libs_read_lib_files(courier_authdaemon_t)
-
--miscfiles_read_localization(courier_authdaemon_t)
-
- # should not be needed!
- userdom_search_user_home_dirs(courier_authdaemon_t)
-@@ -95,9 +94,8 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
- allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-
- # inherits file handle - should it?
--allow courier_pop_t courier_var_lib_t:file { read write };
-+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
-
--miscfiles_read_localization(courier_pop_t)
-
- courier_domtrans_authdaemon(courier_pop_t)
-
-@@ -132,7 +130,6 @@ corenet_sendrecv_pop_server_packets(courier_tcpd_t)
- dev_read_rand(courier_tcpd_t)
- dev_read_urand(courier_tcpd_t)
-
--miscfiles_read_localization(courier_tcpd_t)
-
- courier_domtrans_pop(courier_tcpd_t)
-
-diff --git a/cpucontrol.fc b/cpucontrol.fc
-index 789c8c7..d1723f5 100644
---- a/cpucontrol.fc
-+++ b/cpucontrol.fc
-@@ -3,6 +3,7 @@
-
- /sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
-
-+/usr/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
- /usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
- /usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
- /usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
-diff --git a/cpucontrol.te b/cpucontrol.te
-index 13d2f63..1a00094 100644
---- a/cpucontrol.te
-+++ b/cpucontrol.te
-@@ -10,7 +10,7 @@ type cpucontrol_exec_t;
- init_system_domain(cpucontrol_t, cpucontrol_exec_t)
-
- type cpucontrol_conf_t;
--files_type(cpucontrol_conf_t)
-+files_config_file(cpucontrol_conf_t)
-
- type cpuspeed_t;
- type cpuspeed_exec_t;
-@@ -105,8 +105,6 @@ init_use_script_ptys(cpuspeed_t)
-
- logging_send_syslog_msg(cpuspeed_t)
-
--miscfiles_read_localization(cpuspeed_t)
--
- userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t)
-
- optional_policy(`
-diff --git a/cpufreqselector.te b/cpufreqselector.te
-index f77d58a..f3d98a9 100644
---- a/cpufreqselector.te
-+++ b/cpufreqselector.te
-@@ -14,9 +14,10 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
- # cpufreq-selector local policy
- #
-
--allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
-+allow cpufreqselector_t self:capability sys_nice;
- allow cpufreqselector_t self:process getsched;
- allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
-+allow cpufreqselector_t self:process getsched;
-
- kernel_read_system_state(cpufreqselector_t)
-
-@@ -27,13 +28,15 @@ corecmd_search_bin(cpufreqselector_t)
-
- dev_rw_sysfs(cpufreqselector_t)
-
--miscfiles_read_localization(cpufreqselector_t)
-+kernel_read_system_state(cpufreqselector_t)
-+
-
- userdom_read_all_users_state(cpufreqselector_t)
--userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
-+userdom_dontaudit_search_admin_dir(cpufreqselector_t)
-
- optional_policy(`
- dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-+ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
-
- optional_policy(`
- consolekit_dbus_chat(cpufreqselector_t)
-@@ -53,3 +56,7 @@ optional_policy(`
- policykit_read_lib(cpufreqselector_t)
- policykit_read_reload(cpufreqselector_t)
- ')
-+
-+optional_policy(`
-+ xserver_dbus_chat_xdm(cpufreqselector_t)
-+')
-diff --git a/cron.fc b/cron.fc
-index 3559a05..224142a 100644
---- a/cron.fc
-+++ b/cron.fc
-@@ -3,6 +3,9 @@
- /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
- /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-
-+/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
-+/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
-+
- /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
- /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-
-@@ -12,20 +15,34 @@
- /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
- /usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-
-+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
-+
- /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
--/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
-
- /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
- /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-
--/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
- #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
- /var/spool/cron/[^/]* -- <>
-
-+ifdef(`distro_gentoo',`
-+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
-+/var/spool/cron/lastrun/[^/]* -- <>
-+')
-+
-+ifdef(`distro_suse', `
-+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
-+/var/spool/cron/lastrun/[^/]* -- <>
-+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
-+')
-+
- /var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
- /var/spool/cron/crontabs/.* -- <>
- #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-@@ -36,8 +53,10 @@
- /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
- /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-
-+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
-+
- ifdef(`distro_debian',`
--/var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0)
-+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)
-
- /var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
- /var/spool/cron/atjobs/[^/]* -- <>
-diff --git a/cron.if b/cron.if
-index 6e12dc7..b006818 100644
---- a/cron.if
-+++ b/cron.if
-@@ -12,12 +12,17 @@
- ##
- #
- template(`cron_common_crontab_template',`
-+ gen_require(`
-+ attribute crontab_domain;
-+ type crontab_exec_t;
-+ ')
-+
- ##############################
- #
- # Declarations
- #
-
-- type $1_t;
-+ type $1_t, crontab_domain;
- userdom_user_application_domain($1_t, crontab_exec_t)
-
- type $1_tmp_t;
-@@ -28,63 +33,19 @@ template(`cron_common_crontab_template',`
- # Local policy
- #
-
-- # dac_override is to create the file in the directory under /tmp
-- allow $1_t self:capability { fowner setuid setgid chown dac_override };
-- allow $1_t self:process { setsched signal_perms };
-- allow $1_t self:fifo_file rw_fifo_file_perms;
--
-- allow $1_t $1_tmp_t:file manage_file_perms;
-- files_tmp_filetrans($1_t, $1_tmp_t, file)
--
-- # create files in /var/spool/cron
-- manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-- filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
-- files_list_spool($1_t)
--
-- # crontab signals crond by updating the mtime on the spooldir
-- allow $1_t cron_spool_t:dir setattr;
-+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-+ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
-
- kernel_read_system_state($1_t)
-
-- # for the checks used by crontab -u
-- selinux_dontaudit_search_fs($1_t)
--
-- fs_getattr_xattr_fs($1_t)
--
-- domain_use_interactive_fds($1_t)
--
-- files_read_etc_files($1_t)
-- files_read_usr_files($1_t)
-- files_dontaudit_search_pids($1_t)
--
- auth_domtrans_chk_passwd($1_t)
-+ auth_use_nsswitch($1_t)
-
- logging_send_syslog_msg($1_t)
-- logging_send_audit_msgs($1_t)
--
-- init_dontaudit_write_utmp($1_t)
-- init_read_utmp($1_t)
--
-- miscfiles_read_localization($1_t)
-
-- seutil_read_config($1_t)
-+ userdom_home_reader($1_t)
-
-- userdom_manage_user_tmp_dirs($1_t)
-- userdom_manage_user_tmp_files($1_t)
-- # Access terminals.
-- userdom_use_user_terminals($1_t)
-- # Read user crontabs
-- userdom_read_user_home_content_files($1_t)
--
-- tunable_policy(`fcron_crond',`
-- # fcron wants an instant update of a crontab change for the administrator
-- # also crontab does a security check for crontab -u
-- dontaudit $1_t crond_t:process signal;
-- ')
--
-- optional_policy(`
-- nscd_socket_use($1_t)
-- ')
- ')
-
- ########################################
-@@ -101,10 +62,12 @@ template(`cron_common_crontab_template',`
- ## User domain for the role
- ##
- ##
-+##
- #
- interface(`cron_role',`
- gen_require(`
- type cronjob_t, crontab_t, crontab_exec_t;
-+ type user_cron_spool_t, crond_t;
- ')
-
- role $1 types { cronjob_t crontab_t };
-@@ -115,9 +78,20 @@ interface(`cron_role',`
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, crontab_t)
-
-+ allow crond_t $2:process transition;
-+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-+ allow $2 crond_t:process sigchld;
-+
-+ # needs to be authorized SELinux context for cron
-+ allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint };
-+
- # crontab shows up in user ps
- ps_process_pattern($2, crontab_t)
-- allow $2 crontab_t:process signal;
-+ allow $2 crontab_t:process signal_perms;
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 crontab_t:process ptrace;
-+ ')
-
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(crontab_t, $2)
-@@ -150,29 +124,21 @@ interface(`cron_role',`
- ## User domain for the role
- ##
- ##
-+##
- #
- interface(`cron_unconfined_role',`
- gen_require(`
-- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
-+ type unconfined_cronjob_t;
- ')
-
-- role $1 types { unconfined_cronjob_t crontab_t };
-+ role $1 types unconfined_cronjob_t;
-
- # cronjob shows up in user ps
- ps_process_pattern($2, unconfined_cronjob_t)
--
-- # Transition from the user domain to the derived domain.
-- domtrans_pattern($2, crontab_exec_t, crontab_t)
--
-- # crontab shows up in user ps
-- ps_process_pattern($2, crontab_t)
-- allow $2 crontab_t:process signal;
--
-- # Run helper programs as the user domain
-- #corecmd_bin_domtrans(crontab_t, $2)
-- #corecmd_shell_domtrans(crontab_t, $2)
-- corecmd_exec_bin(crontab_t)
-- corecmd_exec_shell(crontab_t)
-+ allow $2 unconfined_cronjob_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 unconfined_cronjob_t:process ptrace;
-+ ')
-
- optional_policy(`
- gen_require(`
-@@ -180,9 +146,8 @@ interface(`cron_unconfined_role',`
- ')
-
- dbus_stub(unconfined_cronjob_t)
--
- allow unconfined_cronjob_t $2:dbus send_msg;
-- ')
-+ ')
- ')
-
- ########################################
-@@ -199,10 +164,12 @@ interface(`cron_unconfined_role',`
- ## User domain for the role
- ##
- ##
-+##
- #
- interface(`cron_admin_role',`
- gen_require(`
- type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
-+ type user_cron_spool_t, crond_t;
- class passwd crontab;
- ')
-
-@@ -219,7 +186,18 @@ interface(`cron_admin_role',`
-
- # crontab shows up in user ps
- ps_process_pattern($2, admin_crontab_t)
-- allow $2 admin_crontab_t:process signal;
-+ allow $2 admin_crontab_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 admin_crontab_t:process ptrace;
-+ ')
-+
-+ allow $2 crond_t:process sigchld;
-+ allow crond_t $2:process transition;
-+
-+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-+
-+ # needs to be authorized SELinux context for cron
-+ allow $2 user_cron_spool_t:file entrypoint;
-
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(admin_crontab_t, $2)
-@@ -263,6 +241,9 @@ interface(`cron_system_entry',`
- domtrans_pattern(crond_t, $2, $1)
-
- role system_r types $1;
-+
-+ allow $1 crond_t:fifo_file rw_fifo_file_perms;
-+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
- ')
-
- ########################################
-@@ -303,7 +284,7 @@ interface(`cron_exec',`
-
- ########################################
- ##
--## Execute crond server in the nscd domain.
-+## Execute crond server in the crond domain.
- ##
- ##
- ##
-@@ -321,6 +302,29 @@ interface(`cron_initrc_domtrans',`
-
- ########################################
- ##
-+## Execute crond server in the crond domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`cron_systemctl',`
-+ gen_require(`
-+ type crond_unit_file_t;
-+ type crond_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 crond_unit_file_t:file read_file_perms;
-+ allow $1 crond_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, crond_t)
-+')
-+
-+########################################
-+##
- ## Inherit and use a file descriptor
- ## from the cron daemon.
- ##
-@@ -358,6 +362,24 @@ interface(`cron_sigchld',`
-
- ########################################
- ##
-+## Send a generic signal to cron daemon.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cron_signal',`
-+ gen_require(`
-+ type crond_t;
-+ ')
-+
-+ allow $1 crond_t:process signal;
-+')
-+
-+########################################
-+##
- ## Read a cron daemon unnamed pipe.
- ##
- ##
-@@ -376,6 +398,47 @@ interface(`cron_read_pipes',`
-
- ########################################
- ##
-+## Read crond state files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cron_read_state_crond',`
-+ gen_require(`
-+ type crond_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, crond_t)
-+')
-+
-+
-+########################################
-+##
-+## Send and receive messages from
-+## crond over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cron_dbus_chat_crond',`
-+ gen_require(`
-+ type crond_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 crond_t:dbus send_msg;
-+ allow crond_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to write cron daemon unnamed pipes.
- ##
- ##
-@@ -407,7 +470,43 @@ interface(`cron_rw_pipes',`
- type crond_t;
- ')
-
-- allow $1 crond_t:fifo_file { getattr read write };
-+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write inherited user spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cron_rw_inherited_user_spool_files',`
-+ gen_require(`
-+ type user_cron_spool_t;
-+ ')
-+
-+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write inherited spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cron_rw_inherited_spool_files',`
-+ gen_require(`
-+ type cron_spool_t;
-+ ')
-+
-+ allow $1 cron_spool_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -467,6 +566,25 @@ interface(`cron_search_spool',`
-
- ########################################
- ##
-+## Search the directory containing user cron tables.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cron_manage_system_spool',`
-+ gen_require(`
-+ type cron_system_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
-+')
-+
-+########################################
-+##
- ## Manage pid files used by cron
- ##
- ##
-@@ -480,6 +598,7 @@ interface(`cron_manage_pid_files',`
- type crond_var_run_t;
- ')
-
-+ files_search_pids($1)
- manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
- ')
-
-@@ -535,7 +654,7 @@ interface(`cron_write_system_job_pipes',`
- type system_cronjob_t;
- ')
-
-- allow $1 system_cronjob_t:file write;
-+ allow $1 system_cronjob_t:fifo_file write;
- ')
-
- ########################################
-@@ -553,7 +672,7 @@ interface(`cron_rw_system_job_pipes',`
- type system_cronjob_t;
- ')
-
-- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
-+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -586,11 +705,14 @@ interface(`cron_rw_system_job_stream_sockets',`
- #
- interface(`cron_read_system_job_tmp_files',`
- gen_require(`
-- type system_cronjob_tmp_t;
-+ type system_cronjob_tmp_t, cron_var_run_t;
- ')
-
- files_search_tmp($1)
- allow $1 system_cronjob_tmp_t:file read_file_perms;
-+
-+ files_search_pids($1)
-+ allow $1 cron_var_run_t:file read_file_perms;
- ')
-
- ########################################
-@@ -626,7 +748,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
- interface(`cron_dontaudit_write_system_job_tmp_files',`
- gen_require(`
- type system_cronjob_tmp_t;
-+ type cron_var_run_t;
- ')
-
- dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
-+ dontaudit $1 cron_var_run_t:file write_file_perms;
-+')
-+
-+########################################
-+##
-+## Read temporary files from the system cron jobs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cron_read_system_job_lib_files',`
-+ gen_require(`
-+ type system_cronjob_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage files from the system cron jobs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cron_manage_system_job_lib_files',`
-+ gen_require(`
-+ type system_cronjob_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
- ')
-diff --git a/cron.te b/cron.te
-index b357856..28ae123 100644
---- a/cron.te
-+++ b/cron.te
-@@ -1,4 +1,4 @@
--policy_module(cron, 2.4.0)
-+policy_module(cron, 2.2.1)
-
- gen_require(`
- class passwd rootok;
-@@ -10,35 +10,36 @@ gen_require(`
- #
-
- ##
--##
--## Allow system cron jobs to relabel filesystem
--## for restoring file contexts.
--##
-+##
-+## Allow system cron jobs to relabel filesystem
-+## for restoring file contexts.
-+##
- ##
- gen_tunable(cron_can_relabel, false)
-
- ##
--##
--## Enable extra rules in the cron domain
--## to support fcron.
--##
-+##
-+## Enable extra rules in the cron domain
-+## to support fcron.
-+##
- ##
- gen_tunable(fcron_crond, false)
-
-+attribute crontab_domain;
- attribute cron_spool_type;
-
- type anacron_exec_t;
- application_executable_file(anacron_exec_t)
-
- type cron_spool_t;
--files_type(cron_spool_t)
-+files_spool_file(cron_spool_t)
-
- # var/lib files
- type cron_var_lib_t;
- files_type(cron_var_lib_t)
-
- type cron_var_run_t;
--files_type(cron_var_run_t)
-+files_pid_file(cron_var_run_t)
-
- # var/log files
- type cron_log_t;
-@@ -61,11 +62,17 @@ domain_cron_exemption_source(crond_t)
- type crond_initrc_exec_t;
- init_script_file(crond_initrc_exec_t)
-
-+type crond_unit_file_t;
-+systemd_unit_file(crond_unit_file_t)
-+
- type crond_tmp_t;
- files_tmp_file(crond_tmp_t)
-+files_poly_parent(crond_tmp_t)
-+mta_system_content(crond_tmp_t)
-
- type crond_var_run_t;
- files_pid_file(crond_var_run_t)
-+mta_system_content(crond_var_run_t)
-
- type crontab_exec_t;
- application_executable_file(crontab_exec_t)
-@@ -79,14 +86,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
- typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
- typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
- typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
-+allow admin_crontab_t crond_t:process signal;
-
- type system_cron_spool_t, cron_spool_type;
--files_type(system_cron_spool_t)
-+files_spool_file(system_cron_spool_t)
-
- type system_cronjob_t alias system_crond_t;
- init_daemon_domain(system_cronjob_t, anacron_exec_t)
- corecmd_shell_entry_type(system_cronjob_t)
- role system_r types system_cronjob_t;
-+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
-
- type system_cronjob_lock_t alias system_crond_lock_t;
- files_lock_file(system_cronjob_lock_t)
-@@ -94,10 +103,6 @@ files_lock_file(system_cronjob_lock_t)
- type system_cronjob_tmp_t alias system_crond_tmp_t;
- files_tmp_file(system_cronjob_tmp_t)
-
--ifdef(`enable_mcs',`
-- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
--')
--
- type unconfined_cronjob_t;
- domain_type(unconfined_cronjob_t)
- domain_cron_exemption_target(unconfined_cronjob_t)
-@@ -106,8 +111,20 @@ domain_cron_exemption_target(unconfined_cronjob_t)
- type user_cron_spool_t, cron_spool_type;
- typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
- typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
--files_type(user_cron_spool_t)
-+files_spool_file(user_cron_spool_t)
- ubac_constrained(user_cron_spool_t)
-+mta_system_content(user_cron_spool_t)
-+
-+type system_cronjob_var_lib_t;
-+files_type(system_cronjob_var_lib_t)
-+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
-+
-+type system_cronjob_var_run_t;
-+files_pid_file(system_cronjob_var_run_t)
-+
-+ifdef(`enable_mcs',`
-+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
-+')
-
- ########################################
- #
-@@ -115,7 +132,7 @@ ubac_constrained(user_cron_spool_t)
- #
-
- # Allow our crontab domain to unlink a user cron spool file.
--allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
-+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
-
- # Manipulate other users crontab.
- selinux_get_fs_mount(admin_crontab_t)
-@@ -125,7 +142,7 @@ selinux_compute_create_context(admin_crontab_t)
- selinux_compute_relabel_context(admin_crontab_t)
- selinux_compute_user_contexts(admin_crontab_t)
-
--tunable_policy(`fcron_crond', `
-+tunable_policy(`fcron_crond',`
- # fcron wants an instant update of a crontab change for the administrator
- # also crontab does a security check for crontab -u
- allow admin_crontab_t self:process setfscreate;
-@@ -136,9 +153,9 @@ tunable_policy(`fcron_crond', `
- # Cron daemon local policy
- #
-
--allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
-+allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
- dontaudit crond_t self:capability { sys_resource sys_tty_config };
--allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
- allow crond_t self:process { setexec setfscreate };
- allow crond_t self:fd use;
- allow crond_t self:fifo_file rw_fifo_file_perms;
-@@ -151,6 +168,7 @@ allow crond_t self:sem create_sem_perms;
- allow crond_t self:msgq create_msgq_perms;
- allow crond_t self:msg { send receive };
- allow crond_t self:key { search write link };
-+dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
-
- manage_files_pattern(crond_t, cron_log_t, cron_log_t)
- logging_log_filetrans(crond_t, cron_log_t, file)
-@@ -187,27 +205,47 @@ fs_list_inotifyfs(crond_t)
-
- # need auth_chkpwd to check for locked accounts.
- auth_domtrans_chk_passwd(crond_t)
-+auth_manage_var_auth(crond_t)
-
- corecmd_exec_shell(crond_t)
- corecmd_list_bin(crond_t)
-+corecmd_exec_bin(crond_t)
- corecmd_read_bin_symlinks(crond_t)
-
- domain_use_interactive_fds(crond_t)
-+domain_subj_id_change_exemption(crond_t)
-+domain_role_change_exemption(crond_t)
-
- files_read_usr_files(crond_t)
- files_read_etc_runtime_files(crond_t)
--files_read_etc_files(crond_t)
- files_read_generic_spool(crond_t)
- files_list_usr(crond_t)
- # Read from /var/spool/cron.
- files_search_var_lib(crond_t)
- files_search_default(crond_t)
-
-+fs_manage_cgroup_dirs(crond_t)
-+fs_manage_cgroup_files(crond_t)
-+
-+# needed by "crontab -e"
-+mls_file_read_all_levels(crond_t)
-+mls_file_write_all_levels(crond_t)
-+
-+# needed because of kernel check of transition
-+mls_process_set_level(crond_t)
-+
-+# to make cronjob working
-+mls_fd_share_all_levels(crond_t)
-+mls_trusted_object(crond_t)
-+
-+init_read_state(crond_t)
- init_rw_utmp(crond_t)
- init_spec_domtrans_script(crond_t)
-
-+auth_manage_var_auth(crond_t)
- auth_use_nsswitch(crond_t)
-
-+logging_send_audit_msgs(crond_t)
- logging_send_syslog_msg(crond_t)
- logging_set_loginuid(crond_t)
-
-@@ -215,25 +253,27 @@ seutil_read_config(crond_t)
- seutil_read_default_contexts(crond_t)
- seutil_sigchld_newrole(crond_t)
-
--miscfiles_read_localization(crond_t)
-
- userdom_use_unpriv_users_fds(crond_t)
- # Not sure why this is needed
- userdom_list_user_home_dirs(crond_t)
-+userdom_list_admin_dir(crond_t)
-+userdom_manage_all_users_keys(crond_t)
-
- mta_send_mail(crond_t)
-+mta_system_content(cron_spool_t)
-
- ifdef(`distro_debian',`
- # pam_limits is used
- allow crond_t self:process setrlimit;
-
-- optional_policy(`
-- # Debian logcheck has the home dir set to its cache
-- logwatch_search_cache_dir(crond_t)
-- ')
- ')
-
--ifdef(`distro_redhat', `
-+optional_policy(`
-+ logwatch_search_cache_dir(crond_t)
-+')
-+
-+ifdef(`distro_redhat',`
- # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
- # via redirection of standard out.
- optional_policy(`
-@@ -241,7 +281,7 @@ ifdef(`distro_redhat', `
- ')
- ')
-
--tunable_policy(`allow_polyinstantiation',`
-+tunable_policy(`polyinstantiation_enabled',`
- files_polyinstantiate_all(crond_t)
- ')
-
-@@ -250,11 +290,27 @@ tunable_policy(`fcron_crond', `
- ')
-
- optional_policy(`
-+ apache_search_sys_content(crond_t)
-+')
-+
-+optional_policy(`
-+ djbdns_search_tinydns_keys(crond_t)
-+ djbdns_link_tinydns_keys(crond_t)
-+')
-+
-+optional_policy(`
- locallogin_search_keys(crond_t)
- locallogin_link_keys(crond_t)
- ')
-
- optional_policy(`
-+ # these should probably be unconfined_crond_t
-+ dbus_system_bus_client(crond_t)
-+ init_dbus_send_script(crond_t)
-+ init_dbus_chat(crond_t)
-+')
-+
-+optional_policy(`
- amanda_search_var_lib(crond_t)
- ')
-
-@@ -264,6 +320,8 @@ optional_policy(`
-
- optional_policy(`
- hal_dbus_chat(crond_t)
-+ hal_write_log(crond_t)
-+ hal_dbus_chat(system_cronjob_t)
- ')
-
- optional_policy(`
-@@ -286,15 +344,25 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ systemd_use_fds_logind(crond_t)
-+ systemd_write_inherited_logind_sessions_pipes(crond_t)
-+')
-+
-+optional_policy(`
- udev_read_db(crond_t)
- ')
-
-+optional_policy(`
-+ vnstatd_search_lib(crond_t)
-+')
-+
- ########################################
- #
- # System cron process domain
- #
-
- allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
-+
- allow system_cronjob_t self:process { signal_perms getsched setsched };
- allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
- allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +374,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
-
- # This is to handle /var/lib/misc directory. Used currently
- # by prelink var/lib files for cron
--allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
-+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
- files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
-
-+allow system_cronjob_t cron_var_run_t:file manage_file_perms;
-+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
-+
- allow system_cronjob_t system_cron_spool_t:file read_file_perms;
-+
-+mls_file_read_to_clearance(system_cronjob_t)
-+
-+# anacron forces the following
-+manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
-+
- # The entrypoint interface is not used as this is not
- # a regular entrypoint. Since crontab files are
- # not directly executed, crond must ensure that
-@@ -329,6 +406,7 @@ allow crond_t system_cronjob_t:fd use;
- allow system_cronjob_t crond_t:fd use;
- allow system_cronjob_t crond_t:fifo_file rw_file_perms;
- allow system_cronjob_t crond_t:process sigchld;
-+allow crond_t system_cronjob_t:key manage_key_perms;
-
- # Write /var/lock/makewhatis.lock.
- allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,11 +418,16 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
- filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
- files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
-
-+# var/lib files for system_crond
-+files_search_var_lib(system_cronjob_t)
-+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-+
- # Read from /var/spool/cron.
- allow system_cronjob_t cron_spool_t:dir list_dir_perms;
--allow system_cronjob_t cron_spool_t:file read_file_perms;
-+allow system_cronjob_t cron_spool_t:file rw_file_perms;
-
- kernel_read_kernel_sysctls(system_cronjob_t)
-+kernel_read_network_state(system_cronjob_t)
- kernel_read_system_state(system_cronjob_t)
- kernel_read_software_raid_state(system_cronjob_t)
-
-@@ -353,7 +436,6 @@ files_dontaudit_search_boot(system_cronjob_t)
-
- corecmd_exec_all_executables(system_cronjob_t)
-
--corenet_all_recvfrom_unlabeled(system_cronjob_t)
- corenet_all_recvfrom_netlabel(system_cronjob_t)
- corenet_tcp_sendrecv_generic_if(system_cronjob_t)
- corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -365,6 +447,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
- dev_getattr_all_blk_files(system_cronjob_t)
- dev_getattr_all_chr_files(system_cronjob_t)
- dev_read_urand(system_cronjob_t)
-+dev_read_sysfs(system_cronjob_t)
-
- fs_getattr_all_fs(system_cronjob_t)
- fs_getattr_all_files(system_cronjob_t)
-@@ -376,7 +459,6 @@ fs_getattr_all_sockets(system_cronjob_t)
- domain_dontaudit_read_all_domains_state(system_cronjob_t)
-
- files_exec_etc_files(system_cronjob_t)
--files_read_etc_files(system_cronjob_t)
- files_read_etc_runtime_files(system_cronjob_t)
- files_list_all(system_cronjob_t)
- files_getattr_all_dirs(system_cronjob_t)
-@@ -391,6 +473,7 @@ files_dontaudit_search_pids(system_cronjob_t)
- # Access other spool directories like
- # /var/spool/anacron and /var/spool/slrnpull.
- files_manage_generic_spool(system_cronjob_t)
-+files_create_boot_flag(system_cronjob_t)
-
- init_use_script_fds(system_cronjob_t)
- init_read_utmp(system_cronjob_t)
-@@ -408,23 +491,23 @@ logging_read_generic_logs(system_cronjob_t)
- logging_send_audit_msgs(system_cronjob_t)
- logging_send_syslog_msg(system_cronjob_t)
-
--miscfiles_read_localization(system_cronjob_t)
--miscfiles_manage_man_pages(system_cronjob_t)
--
- seutil_read_config(system_cronjob_t)
-
--ifdef(`distro_redhat', `
-+ifdef(`distro_redhat',`
- # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
-+ allow crond_t system_cron_spool_t:file manage_file_perms;
-+
- # via redirection of standard out.
- optional_policy(`
- rpm_manage_log(system_cronjob_t)
- ')
- ')
-
-+selinux_get_fs_mount(system_cronjob_t)
-+
- tunable_policy(`cron_can_relabel',`
- seutil_domtrans_setfiles(system_cronjob_t)
- ',`
-- selinux_get_fs_mount(system_cronjob_t)
- selinux_validate_context(system_cronjob_t)
- selinux_compute_access_vector(system_cronjob_t)
- selinux_compute_create_context(system_cronjob_t)
-@@ -439,6 +522,12 @@ optional_policy(`
- apache_read_config(system_cronjob_t)
- apache_read_log(system_cronjob_t)
- apache_read_sys_content(system_cronjob_t)
-+ apache_delete_cache_dirs(system_cronjob_t)
-+ apache_delete_cache_files(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ bind_read_config(system_cronjob_t)
- ')
-
- optional_policy(`
-@@ -446,6 +535,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dbus_system_bus_client(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ exim_read_spool_files(system_cronjob_t)
-+')
-+
-+optional_policy(`
- ftp_read_log(system_cronjob_t)
- ')
-
-@@ -456,6 +553,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ livecd_read_tmp_files(system_cronjob_t)
-+')
-+
-+optional_policy(`
- lpd_list_spool(system_cronjob_t)
- ')
-
-@@ -464,7 +565,9 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ mta_read_config(system_cronjob_t)
- mta_send_mail(system_cronjob_t)
-+ mta_system_content(system_cron_spool_t)
- ')
-
- optional_policy(`
-@@ -472,6 +575,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ networkmanager_dbus_chat(system_cronjob_t)
-+')
-+
-+optional_policy(`
- postfix_read_config(system_cronjob_t)
- ')
-
-@@ -480,7 +587,7 @@ optional_policy(`
- prelink_manage_lib(system_cronjob_t)
- prelink_manage_log(system_cronjob_t)
- prelink_read_cache(system_cronjob_t)
-- prelink_relabelfrom_lib(system_cronjob_t)
-+ prelink_relabel_lib(system_cronjob_t)
- ')
-
- optional_policy(`
-@@ -495,6 +602,7 @@ optional_policy(`
-
- optional_policy(`
- spamassassin_manage_lib_files(system_cronjob_t)
-+ spamassassin_manage_home_client(system_cronjob_t)
- ')
-
- optional_policy(`
-@@ -502,7 +610,18 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ systemd_dbus_chat_logind(system_cronjob_t)
-+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(crond_t)
- unconfined_domain(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ unconfined_shell_domtrans(crond_t)
-+ unconfined_dbus_send(crond_t)
- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
- ')
-
-@@ -542,7 +661,6 @@ kernel_read_kernel_sysctls(cronjob_t)
- # ps does not need to access /boot when run from cron
- files_dontaudit_search_boot(cronjob_t)
-
--corenet_all_recvfrom_unlabeled(cronjob_t)
- corenet_all_recvfrom_netlabel(cronjob_t)
- corenet_tcp_sendrecv_generic_if(cronjob_t)
- corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -579,7 +697,6 @@ logging_search_logs(cronjob_t)
-
- seutil_read_config(cronjob_t)
-
--miscfiles_read_localization(cronjob_t)
-
- userdom_manage_user_tmp_files(cronjob_t)
- userdom_manage_user_tmp_symlinks(cronjob_t)
-@@ -595,9 +712,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
- #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
-
- list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
- read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
-
--tunable_policy(`fcron_crond', `
-+tunable_policy(`fcron_crond',`
- allow crond_t user_cron_spool_t:file manage_file_perms;
- ')
-
-@@ -626,3 +746,74 @@ optional_policy(`
-
- unconfined_domain(unconfined_cronjob_t)
- ')
-+
-+##############################
-+#
-+# crontab common policy
-+#
-+
-+# dac_override is to create the file in the directory under /tmp
-+allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
-+allow crontab_domain self:process { getcap setsched signal_perms };
-+allow crontab_domain self:fifo_file rw_fifo_file_perms;
-+
-+allow crontab_domain crond_t:process signal;
-+allow crontab_domain crond_var_run_t:file read_file_perms;
-+
-+# create files in /var/spool/cron
-+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-+files_list_spool(crontab_domain)
-+
-+# crontab signals crond by updating the mtime on the spooldir
-+allow crontab_domain cron_spool_t:dir setattr_dir_perms;
-+
-+# for the checks used by crontab -u
-+selinux_dontaudit_search_fs(crontab_domain)
-+
-+fs_getattr_xattr_fs(crontab_domain)
-+fs_manage_cgroup_dirs(crontab_domain)
-+fs_manage_cgroup_files(crontab_domain)
-+
-+domain_use_interactive_fds(crontab_domain)
-+
-+files_read_etc_files(crontab_domain)
-+files_read_usr_files(crontab_domain)
-+files_dontaudit_search_pids(crontab_domain)
-+
-+fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
-+
-+auth_rw_var_auth(crontab_domain)
-+
-+logging_send_audit_msgs(crontab_domain)
-+logging_set_loginuid(crontab_domain)
-+
-+init_dontaudit_write_utmp(crontab_domain)
-+init_read_utmp(crontab_domain)
-+init_read_state(crontab_domain)
-+
-+
-+seutil_read_config(crontab_domain)
-+
-+userdom_manage_user_tmp_dirs(crontab_domain)
-+userdom_manage_user_tmp_files(crontab_domain)
-+# Access terminals.
-+userdom_use_inherited_user_terminals(crontab_domain)
-+# Read user crontabs
-+userdom_read_user_home_content_files(crontab_domain)
-+userdom_read_user_home_content_symlinks(crontab_domain)
-+
-+tunable_policy(`fcron_crond',`
-+ # fcron wants an instant update of a crontab change for the administrator
-+ # also crontab does a security check for crontab -u
-+ dontaudit crontab_domain crond_t:process signal;
-+')
-+
-+optional_policy(`
-+ ssh_dontaudit_use_ptys(crontab_domain)
-+')
-+
-+optional_policy(`
-+ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
-+ openshift_transition(system_cronjob_t)
-+')
-diff --git a/ctdbd.fc b/ctdbd.fc
-new file mode 100644
-index 0000000..255568d
---- /dev/null
-+++ b/ctdbd.fc
-@@ -0,0 +1,19 @@
-+
-+/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
-+
-+/etc/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
-+
-+/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
-+
-+/var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
-+/var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
-+
-+/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0)
-+
-+/var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
-+
-+
-+/var/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
-+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
-+/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
-+
-diff --git a/ctdbd.if b/ctdbd.if
-new file mode 100644
-index 0000000..4f7d237
---- /dev/null
-+++ b/ctdbd.if
-@@ -0,0 +1,259 @@
-+
-+## policy for ctdbd
-+
-+########################################
-+##
-+## Transition to ctdbd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ctdbd_domtrans',`
-+ gen_require(`
-+ type ctdbd_t, ctdbd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
-+')
-+
-+########################################
-+##
-+## Execute ctdbd server in the ctdbd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ctdbd_initrc_domtrans',`
-+ gen_require(`
-+ type ctdbd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Read ctdbd's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`ctdbd_read_log',`
-+ gen_require(`
-+ type ctdbd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+')
-+
-+########################################
-+##
-+## Append to ctdbd log files.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ctdbd_append_log',`
-+ gen_require(`
-+ type ctdbd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+')
-+
-+########################################
-+##
-+## Manage ctdbd log files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`ctdbd_manage_log',`
-+ gen_require(`
-+ type ctdbd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+')
-+
-+########################################
-+##
-+## Search ctdbd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ctdbd_search_lib',`
-+ gen_require(`
-+ type ctdbd_var_lib_t;
-+ ')
-+
-+ allow $1 ctdbd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read ctdbd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ctdbd_read_lib_files',`
-+ gen_require(`
-+ type ctdbd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage ctdbd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ctdbd_manage_lib_files',`
-+ gen_require(`
-+ type ctdbd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage ctdbd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ctdbd_manage_lib_dirs',`
-+ gen_require(`
-+ type ctdbd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read ctdbd PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ctdbd_read_pid_files',`
-+ gen_require(`
-+ type ctdbd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 ctdbd_var_run_t:file read_file_perms;
-+')
-+
-+#######################################
-+##
-+## Connect to ctdbd over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ctdbd_stream_connect',`
-+ gen_require(`
-+ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
-+ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an ctdbd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`ctdbd_admin',`
-+ gen_require(`
-+ type ctdbd_t, ctdbd_initrc_exec_t;
-+ type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
-+ ')
-+
-+ allow $1 ctdbd_t:process signal_perms;
-+ ps_process_pattern($1, ctdbd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ctdbd_t:process ptrace;
-+ ')
-+
-+ ctdbd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 ctdbd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, ctdbd_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, ctdbd_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, ctdbd_var_run_t)
-+')
-+
-diff --git a/ctdbd.te b/ctdbd.te
-new file mode 100644
-index 0000000..33656de
---- /dev/null
-+++ b/ctdbd.te
-@@ -0,0 +1,114 @@
-+policy_module(ctdbd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type ctdbd_t;
-+type ctdbd_exec_t;
-+init_daemon_domain(ctdbd_t, ctdbd_exec_t)
-+
-+type ctdbd_initrc_exec_t;
-+init_script_file(ctdbd_initrc_exec_t)
-+
-+type ctdbd_log_t;
-+logging_log_file(ctdbd_log_t)
-+
-+type ctdbd_spool_t;
-+files_type(ctdbd_spool_t)
-+#files_spool_file(ctdbd_spool_t)
-+
-+type ctdbd_tmp_t;
-+files_tmp_file(ctdbd_tmp_t)
-+
-+type ctdbd_var_lib_t;
-+files_type(ctdbd_var_lib_t)
-+
-+type ctdbd_var_run_t;
-+files_pid_file(ctdbd_var_run_t)
-+
-+########################################
-+#
-+# ctdbd local policy
-+#
-+
-+allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
-+allow ctdbd_t self:process { setpgid signal_perms setsched };
-+
-+allow ctdbd_t self:fifo_file rw_fifo_file_perms;
-+allow ctdbd_t self:unix_stream_socket { connectto create_stream_socket_perms };
-+allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
-+allow ctdbd_t self:packet_socket create_socket_perms;
-+allow ctdbd_t self:tcp_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
-+manage_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
-+logging_log_filetrans(ctdbd_t, ctdbd_log_t, { dir file } )
-+
-+manage_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
-+manage_sock_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
-+files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, { file sock_file})
-+
-+manage_dirs_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
-+manage_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
-+manage_lnk_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
-+files_spool_filetrans(ctdbd_t, ctdbd_spool_t, { dir file })
-+
-+exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, { dir file } )
-+
-+manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
-+manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
-+files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, { dir file })
-+
-+kernel_read_network_state(ctdbd_t)
-+kernel_rw_net_sysctls(ctdbd_t)
-+kernel_read_system_state(ctdbd_t)
-+
-+corenet_tcp_bind_generic_node(ctdbd_t)
-+corenet_tcp_bind_ctdb_port(ctdbd_t)
-+corenet_tcp_connect_ctdb_port(ctdbd_t)
-+
-+corecmd_exec_bin(ctdbd_t)
-+corecmd_exec_shell(ctdbd_t)
-+
-+dev_read_sysfs(ctdbd_t)
-+dev_read_urand(ctdbd_t)
-+
-+domain_use_interactive_fds(ctdbd_t)
-+domain_dontaudit_read_all_domains_state(ctdbd_t)
-+
-+files_read_etc_files(ctdbd_t)
-+files_search_all_mountpoints(ctdbd_t)
-+
-+auth_use_nsswitch(ctdbd_t)
-+
-+logging_send_syslog_msg(ctdbd_t)
-+
-+miscfiles_read_public_files(ctdbd_t)
-+
-+optional_policy(`
-+ consoletype_exec(ctdbd_t)
-+')
-+
-+optional_policy(`
-+ hostname_exec(ctdbd_t)
-+')
-+
-+optional_policy(`
-+ iptables_domtrans(ctdbd_t)
-+')
-+
-+optional_policy(`
-+ samba_initrc_domtrans(ctdbd_t)
-+ samba_domtrans_net(ctdbd_t)
-+ samba_rw_var_files(ctdbd_t)
-+ samba_systemctl(ctdbd_t)
-+')
-+
-+optional_policy(`
-+ sysnet_domtrans_ifconfig(ctdbd_t)
-+')
-diff --git a/cups.fc b/cups.fc
-index 848bb92..600efa5 100644
---- a/cups.fc
-+++ b/cups.fc
-@@ -19,7 +19,10 @@
-
- /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
-+/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
-+
- /lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-
- /opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
-@@ -52,18 +55,32 @@
-
- /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
-
- /var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
-+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
- /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
- /var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-
-+/var/log/hp(/.*)? gen_context(system_u:object_r:hplip_var_log_t,s0)
-+
- /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
- /var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
--/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
- /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
- /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
- /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
- /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
- /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
- /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-+
-+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
-+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+
-+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+
-+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff --git a/cups.if b/cups.if
-index 305ddf4..f3cd95f 100644
---- a/cups.if
-+++ b/cups.if
-@@ -9,6 +9,11 @@
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
- #
- interface(`cups_backend',`
- gen_require(`
-@@ -190,10 +195,12 @@ interface(`cups_dbus_chat_config',`
- interface(`cups_read_config',`
- gen_require(`
- type cupsd_etc_t, cupsd_rw_etc_t;
-+ type hplip_etc_t;
- ')
-
- files_search_etc($1)
- read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
-+ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
- read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
- ')
-
-@@ -296,6 +303,29 @@ interface(`cups_stream_connect_ptal',`
-
- ########################################
- ##
-+## Execute cupsd server in the cupsd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`cupsd_systemctl',`
-+ gen_require(`
-+ type cupsd_t;
-+ type cupsd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 cupsd_unit_file_t:file read_file_perms;
-+ allow $1 cupsd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, cupsd_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an cups environment
- ##
-@@ -314,16 +344,20 @@ interface(`cups_stream_connect_ptal',`
- interface(`cups_admin',`
- gen_require(`
- type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
-- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
-- type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
-- type cupsd_var_run_t, ptal_etc_t;
-- type ptal_var_run_t, hplip_var_run_t;
-- type cupsd_initrc_exec_t;
-+ type cupsd_etc_t, cupsd_log_t, hplip_etc_t;
-+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
-+ type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
-+ type ptal_var_run_t;
-+ type cupsd_unit_file_t;
- ')
-
-- allow $1 cupsd_t:process { ptrace signal_perms };
-+ allow $1 cupsd_t:process signal_perms;
- ps_process_pattern($1, cupsd_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cupsd_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cupsd_initrc_exec_t system_r;
-@@ -341,18 +375,53 @@ interface(`cups_admin',`
-
- admin_pattern($1, cupsd_lpd_var_run_t)
-
-- admin_pattern($1, cupsd_spool_t)
-- files_list_spool($1)
--
- admin_pattern($1, cupsd_tmp_t)
- files_list_tmp($1)
-
- admin_pattern($1, cupsd_var_run_t)
- files_list_pids($1)
-
-+ admin_pattern($1, hplip_etc_t)
-+
- admin_pattern($1, hplip_var_run_t)
-
- admin_pattern($1, ptal_etc_t)
-
- admin_pattern($1, ptal_var_run_t)
-+
-+ cupsd_systemctl($1)
-+ admin_pattern($1, cupsd_unit_file_t)
-+ allow $1 cupsd_unit_file_t:service all_service_perms;
-+')
-+
-+########################################
-+##
-+## Transition to cups named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cups_filetrans_named_content',`
-+ gen_require(`
-+ type cupsd_rw_etc_t;
-+ type cupsd_etc_t;
-+ ')
-+
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
-+ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
-+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
-+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
-+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
- ')
-diff --git a/cups.te b/cups.te
-index e5a8924..e12c890 100644
---- a/cups.te
-+++ b/cups.te
-@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
- type cupsd_t;
- type cupsd_exec_t;
- init_daemon_domain(cupsd_t, cupsd_exec_t)
-+mls_trusted_object(cupsd_t)
-
- type cupsd_etc_t;
- files_config_file(cupsd_etc_t)
-@@ -60,6 +61,9 @@ type cupsd_var_run_t;
- files_pid_file(cupsd_var_run_t)
- mls_trusted_object(cupsd_var_run_t)
-
-+type cupsd_unit_file_t;
-+systemd_unit_file(cupsd_unit_file_t)
-+
- type hplip_t;
- type hplip_exec_t;
- init_daemon_domain(hplip_t, hplip_exec_t)
-@@ -75,6 +79,9 @@ files_tmp_file(hplip_tmp_t)
- type hplip_var_lib_t;
- files_type(hplip_var_lib_t)
-
-+type hplip_var_log_t;
-+logging_log_file(hplip_var_log_t)
-+
- type hplip_var_run_t;
- files_pid_file(hplip_var_run_t)
-
-@@ -104,6 +111,7 @@ ifdef(`enable_mls',`
- # /usr/lib/cups/backend/serial needs sys_admin(?!)
- allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
- dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-+allow cupsd_t self:capability2 { block_suspend };
- allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
- allow cupsd_t self:fifo_file rw_fifo_file_perms;
- allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -123,6 +131,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
- files_search_etc(cupsd_t)
-
- manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
-+can_exec(cupsd_t, cupsd_interface_t)
-
- manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
- manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
-@@ -137,6 +146,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
- allow cupsd_t cupsd_lock_t:file manage_file_perms;
- files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
-
-+manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
- manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
- allow cupsd_t cupsd_log_t:dir setattr;
- logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
-@@ -146,11 +156,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
- manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
- files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
-
--allow cupsd_t cupsd_var_run_t:dir setattr;
-+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
-+manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
- manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
- manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
- manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
--files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
-+files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file })
-
- allow cupsd_t hplip_t:process { signal sigkill };
-
-@@ -159,14 +170,13 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
- allow cupsd_t hplip_var_run_t:file read_file_perms;
-
- stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
--allow cupsd_t ptal_var_run_t : sock_file setattr;
-+allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-
- kernel_read_system_state(cupsd_t)
- kernel_read_network_state(cupsd_t)
- kernel_read_all_sysctls(cupsd_t)
- kernel_request_load_module(cupsd_t)
-
--corenet_all_recvfrom_unlabeled(cupsd_t)
- corenet_all_recvfrom_netlabel(cupsd_t)
- corenet_tcp_sendrecv_generic_if(cupsd_t)
- corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -211,6 +221,7 @@ mls_rangetrans_target(cupsd_t)
- mls_socket_write_all_levels(cupsd_t)
- mls_fd_use_all_levels(cupsd_t)
-
-+term_use_usb_ttys(cupsd_t)
- term_use_unallocated_ttys(cupsd_t)
- term_search_ptys(cupsd_t)
-
-@@ -220,11 +231,12 @@ corecmd_exec_bin(cupsd_t)
-
- domain_use_interactive_fds(cupsd_t)
-
-+files_getattr_boot_dirs(cupsd_t)
- files_list_spool(cupsd_t)
--files_read_etc_files(cupsd_t)
- files_read_etc_runtime_files(cupsd_t)
- # read python modules
- files_read_usr_files(cupsd_t)
-+files_exec_usr_files(cupsd_t)
- # for /var/lib/defoma
- files_read_var_lib_files(cupsd_t)
- files_list_world_readable(cupsd_t)
-@@ -258,7 +270,6 @@ libs_exec_lib_files(cupsd_t)
- logging_send_audit_msgs(cupsd_t)
- logging_send_syslog_msg(cupsd_t)
-
--miscfiles_read_localization(cupsd_t)
- # invoking ghostscript needs to read fonts
- miscfiles_read_fonts(cupsd_t)
- miscfiles_setattr_fonts_cache_dirs(cupsd_t)
-@@ -269,12 +280,7 @@ sysnet_exec_ifconfig(cupsd_t)
- files_dontaudit_list_home(cupsd_t)
- userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
- userdom_dontaudit_search_user_home_content(cupsd_t)
--
--# Write to /var/spool/cups.
--lpd_manage_spool(cupsd_t)
--lpd_read_config(cupsd_t)
--lpd_exec_lpr(cupsd_t)
--lpd_relabel_spool(cupsd_t)
-+userdom_search_admin_dir(cupsd_t)
-
- optional_policy(`
- apm_domtrans_client(cupsd_t)
-@@ -287,6 +293,8 @@ optional_policy(`
- optional_policy(`
- dbus_system_bus_client(cupsd_t)
-
-+ init_dbus_chat(cupsd_t)
-+
- userdom_dbus_send_all_users(cupsd_t)
-
- optional_policy(`
-@@ -297,8 +305,10 @@ optional_policy(`
- hal_dbus_chat(cupsd_t)
- ')
-
-+ # talk to processes that do not have policy
- optional_policy(`
- unconfined_dbus_chat(cupsd_t)
-+ files_write_generic_pid_pipes(cupsd_t)
- ')
- ')
-
-@@ -311,10 +321,23 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
-+ kerberos_manage_host_rcache(cupsd_t)
-+')
-+
-+optional_policy(`
- logrotate_domtrans(cupsd_t)
- ')
-
- optional_policy(`
-+ # Write to /var/spool/cups.
-+ lpd_manage_spool(cupsd_t)
-+ lpd_read_config(cupsd_t)
-+ lpd_exec_lpr(cupsd_t)
-+ lpd_relabel_spool(cupsd_t)
-+')
-+
-+optional_policy(`
- mta_send_mail(cupsd_t)
- ')
-
-@@ -322,6 +345,8 @@ optional_policy(`
- # cups execs smbtool which reads samba_etc_t files
- samba_read_config(cupsd_t)
- samba_rw_var_files(cupsd_t)
-+ # needed by smbspool
-+ samba_stream_connect_nmbd(cupsd_t)
- ')
-
- optional_policy(`
-@@ -336,12 +361,16 @@ optional_policy(`
- udev_read_db(cupsd_t)
- ')
-
-+optional_policy(`
-+ virt_rw_chr_files(cupsd_t)
-+')
-+
- ########################################
- #
- # Cups configuration daemon local policy
- #
-
--allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
-+allow cupsd_config_t self:capability { chown dac_override setuid setgid sys_tty_config };
- dontaudit cupsd_config_t self:capability sys_tty_config;
- allow cupsd_config_t self:process { getsched signal_perms };
- allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -371,8 +400,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
-
- allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
-
-+manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
- manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
--files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
-+files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
-
- domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-
-@@ -381,7 +411,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
- kernel_read_system_state(cupsd_config_t)
- kernel_read_all_sysctls(cupsd_config_t)
-
--corenet_all_recvfrom_unlabeled(cupsd_config_t)
- corenet_all_recvfrom_netlabel(cupsd_config_t)
- corenet_tcp_sendrecv_generic_if(cupsd_config_t)
- corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -407,7 +436,6 @@ domain_use_interactive_fds(cupsd_config_t)
- domain_dontaudit_search_all_domains_state(cupsd_config_t)
-
- files_read_usr_files(cupsd_config_t)
--files_read_etc_files(cupsd_config_t)
- files_read_etc_runtime_files(cupsd_config_t)
- files_read_var_symlinks(cupsd_config_t)
-
-@@ -418,18 +446,15 @@ auth_use_nsswitch(cupsd_config_t)
-
- logging_send_syslog_msg(cupsd_config_t)
-
--miscfiles_read_localization(cupsd_config_t)
- miscfiles_read_hwdata(cupsd_config_t)
-
--seutil_dontaudit_search_config(cupsd_config_t)
--
- userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
- userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
-+userdom_rw_user_tmp_files(cupsd_config_t)
-+userdom_read_user_tmp_symlinks(cupsd_config_t)
-
- cups_stream_connect(cupsd_config_t)
-
--lpd_read_config(cupsd_config_t)
--
- ifdef(`distro_redhat',`
- optional_policy(`
- rpm_read_db(cupsd_config_t)
-@@ -453,6 +478,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gnome_dontaudit_search_config(cupsd_config_t)
-+')
-+
-+optional_policy(`
- hal_domtrans(cupsd_config_t)
- hal_read_tmp_files(cupsd_config_t)
- hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +496,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ lpd_read_config(cupsd_config_t)
-+')
-+
-+optional_policy(`
- policykit_dbus_chat(cupsd_config_t)
- userdom_read_all_users_state(cupsd_config_t)
- ')
-@@ -526,7 +559,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
- kernel_read_system_state(cupsd_lpd_t)
- kernel_read_network_state(cupsd_lpd_t)
-
--corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
- corenet_all_recvfrom_netlabel(cupsd_lpd_t)
- corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
- corenet_udp_sendrecv_generic_if(cupsd_lpd_t)
-@@ -537,19 +569,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
- corenet_tcp_bind_generic_node(cupsd_lpd_t)
- corenet_udp_bind_generic_node(cupsd_lpd_t)
- corenet_tcp_connect_ipp_port(cupsd_lpd_t)
-+corenet_tcp_connect_printer_port(cupsd_lpd_t)
-
- dev_read_urand(cupsd_lpd_t)
- dev_read_rand(cupsd_lpd_t)
-
- fs_getattr_xattr_fs(cupsd_lpd_t)
-
--files_read_etc_files(cupsd_lpd_t)
-
- auth_use_nsswitch(cupsd_lpd_t)
-
- logging_send_syslog_msg(cupsd_lpd_t)
-
--miscfiles_read_localization(cupsd_lpd_t)
- miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
-
- cups_stream_connect(cupsd_lpd_t)
-@@ -577,7 +608,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
-
- kernel_read_system_state(cups_pdf_t)
-
--files_read_etc_files(cups_pdf_t)
- files_read_usr_files(cups_pdf_t)
-
- corecmd_exec_shell(cups_pdf_t)
-@@ -585,25 +615,23 @@ corecmd_exec_bin(cups_pdf_t)
-
- auth_use_nsswitch(cups_pdf_t)
-
--miscfiles_read_localization(cups_pdf_t)
- miscfiles_read_fonts(cups_pdf_t)
-+miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
-
- userdom_home_filetrans_user_home_dir(cups_pdf_t)
-+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
- userdom_manage_user_home_content_dirs(cups_pdf_t)
- userdom_manage_user_home_content_files(cups_pdf_t)
-+userdom_dontaudit_search_admin_dir(cups_pdf_t)
-
--lpd_manage_spool(cups_pdf_t)
--
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_search_auto_mountpoints(cups_pdf_t)
-- fs_manage_nfs_dirs(cups_pdf_t)
-- fs_manage_nfs_files(cups_pdf_t)
-+optional_policy(`
-+ lpd_manage_spool(cups_pdf_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(cups_pdf_t)
-- fs_manage_cifs_files(cups_pdf_t)
-+userdom_home_manager(cups_pdf_t)
-+
-+optional_policy(`
-+ gnome_read_config(cups_pdf_t)
- ')
-
- ########################################
-@@ -635,9 +663,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
- read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
- files_search_etc(hplip_t)
-
-+allow hplip_t cupsd_unit_file_t:file read_file_perms;
-+
- manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
- manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-
-+manage_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
-+manage_fifo_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
-+manage_dirs_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
-+logging_log_filetrans(hplip_t,hplip_var_log_t,{ dir fifo_file file })
-+
- manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
- files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-
-@@ -647,7 +682,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
- kernel_read_system_state(hplip_t)
- kernel_read_kernel_sysctls(hplip_t)
-
--corenet_all_recvfrom_unlabeled(hplip_t)
-+# for python
-+corecmd_exec_bin(hplip_t)
-+
- corenet_all_recvfrom_netlabel(hplip_t)
- corenet_tcp_sendrecv_generic_if(hplip_t)
- corenet_udp_sendrecv_generic_if(hplip_t)
-@@ -661,10 +698,10 @@ corenet_tcp_bind_generic_node(hplip_t)
- corenet_udp_bind_generic_node(hplip_t)
- corenet_tcp_bind_hplip_port(hplip_t)
- corenet_tcp_connect_hplip_port(hplip_t)
--corenet_tcp_connect_ipp_port(hplip_t)
--corenet_sendrecv_hplip_client_packets(hplip_t)
--corenet_receive_hplip_server_packets(hplip_t)
-+corenet_tcp_bind_glance_port(hplip_t)
-+corenet_tcp_connect_glance_port(hplip_t)
- corenet_udp_bind_howl_port(hplip_t)
-+corenet_tcp_connect_ipp_port(hplip_t)
-
- dev_read_sysfs(hplip_t)
- dev_rw_printer(hplip_t)
-@@ -673,31 +710,34 @@ dev_read_rand(hplip_t)
- dev_rw_generic_usb_dev(hplip_t)
- dev_rw_usbfs(hplip_t)
-
--fs_getattr_all_fs(hplip_t)
--fs_search_auto_mountpoints(hplip_t)
--fs_rw_anon_inodefs_files(hplip_t)
--
--# for python
--corecmd_exec_bin(hplip_t)
--
- domain_use_interactive_fds(hplip_t)
-
- files_read_etc_files(hplip_t)
- files_read_etc_runtime_files(hplip_t)
- files_read_usr_files(hplip_t)
-+files_dontaudit_write_usr_dirs(hplip_t)
-
--logging_send_syslog_msg(hplip_t)
-+fs_getattr_all_fs(hplip_t)
-+fs_search_auto_mountpoints(hplip_t)
-+fs_rw_anon_inodefs_files(hplip_t)
-
--miscfiles_read_localization(hplip_t)
-+term_use_ptmx(hplip_t)
-+
-+auth_read_passwd(hplip_t)
-+
-+logging_send_syslog_msg(hplip_t)
-
- sysnet_read_config(hplip_t)
-
- userdom_dontaudit_use_unpriv_user_fds(hplip_t)
- userdom_dontaudit_search_user_home_dirs(hplip_t)
- userdom_dontaudit_search_user_home_content(hplip_t)
-+userdom_dbus_send_all_users(hplip_t)
-
--lpd_read_config(hplip_t)
--lpd_manage_spool(hplip_t)
-+optional_policy(`
-+ lpd_read_config(hplip_t)
-+ lpd_manage_spool(hplip_t)
-+')
-
- optional_policy(`
- dbus_system_bus_client(hplip_t)
-@@ -743,7 +783,6 @@ kernel_read_kernel_sysctls(ptal_t)
- kernel_list_proc(ptal_t)
- kernel_read_proc_symlinks(ptal_t)
-
--corenet_all_recvfrom_unlabeled(ptal_t)
- corenet_all_recvfrom_netlabel(ptal_t)
- corenet_tcp_sendrecv_generic_if(ptal_t)
- corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -760,13 +799,10 @@ fs_search_auto_mountpoints(ptal_t)
-
- domain_use_interactive_fds(ptal_t)
-
--files_read_etc_files(ptal_t)
- files_read_etc_runtime_files(ptal_t)
-
- logging_send_syslog_msg(ptal_t)
-
--miscfiles_read_localization(ptal_t)
--
- sysnet_read_config(ptal_t)
-
- userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-diff --git a/cvs.if b/cvs.if
-index c43ff4c..5da88b5 100644
---- a/cvs.if
-+++ b/cvs.if
-@@ -1,5 +1,23 @@
- ## Concurrent versions system
-
-+######################################
-+##
-+## Dontaudit Attempts to list the CVS data and metadata.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`cvs_dontaudit_list_data',`
-+ gen_require(`
-+ type cvs_data_t;
-+ ')
-+
-+ dontaudit $1 cvs_data_t:dir list_dir_perms;
-+')
-+
- ########################################
- ##
- ## Read the CVS data and metadata.
-@@ -58,14 +76,17 @@ interface(`cvs_exec',`
- #
- interface(`cvs_admin',`
- gen_require(`
-- type cvs_t, cvs_tmp_t;
-+ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
- type cvs_data_t, cvs_var_run_t;
-- type cvs_initrc_exec_t;
- ')
-
-- allow $1 cvs_t:process { ptrace signal_perms };
-+ allow $1 cvs_t:process signal_perms;
- ps_process_pattern($1, cvs_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cvs_t:process ptrace;
-+ ')
-+
- # Allow cvs_t to restart the apache service
- init_labeled_script_domtrans($1, cvs_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/cvs.te b/cvs.te
-index 88e7e97..b475317 100644
---- a/cvs.te
-+++ b/cvs.te
-@@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0)
- ## Allow cvs daemon to read shadow
- ##
- ##
--gen_tunable(allow_cvs_read_shadow, false)
-+gen_tunable(cvs_read_shadow, false)
-
- type cvs_t;
- type cvs_exec_t;
-@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
- # Local policy
- #
-
-+allow cvs_t self:capability { setuid setgid };
- allow cvs_t self:process signal_perms;
- allow cvs_t self:fifo_file rw_fifo_file_perms;
- allow cvs_t self:tcp_socket connected_stream_socket_perms;
- # for identd; cjp: this should probably only be inetd_child rules?
- allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
--allow cvs_t self:capability { setuid setgid };
-
- manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
- manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
-@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(cvs_t)
- kernel_read_system_state(cvs_t)
- kernel_read_network_state(cvs_t)
-
--corenet_all_recvfrom_unlabeled(cvs_t)
- corenet_all_recvfrom_netlabel(cvs_t)
- corenet_tcp_sendrecv_generic_if(cvs_t)
- corenet_udp_sendrecv_generic_if(cvs_t)
-@@ -76,21 +75,22 @@ auth_use_nsswitch(cvs_t)
- corecmd_exec_bin(cvs_t)
- corecmd_exec_shell(cvs_t)
-
--files_read_etc_files(cvs_t)
- files_read_etc_runtime_files(cvs_t)
- # for identd; cjp: this should probably only be inetd_child rules?
- files_search_home(cvs_t)
-
-+init_dontaudit_read_utmp(cvs_t)
-+
- logging_send_syslog_msg(cvs_t)
- logging_send_audit_msgs(cvs_t)
-
--miscfiles_read_localization(cvs_t)
--
- mta_send_mail(cvs_t)
-
-+userdom_dontaudit_search_user_home_dirs(cvs_t)
-+
- # cjp: typeattribute doesnt work in conditionals yet
- auth_can_read_shadow_passwords(cvs_t)
--tunable_policy(`allow_cvs_read_shadow',`
-+tunable_policy(`cvs_read_shadow',`
- allow cvs_t self:capability dac_override;
- auth_tunable_read_shadow(cvs_t)
- ')
-@@ -112,4 +112,5 @@ optional_policy(`
- read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
- manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
- manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
-+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
- ')
-diff --git a/cyphesis.te b/cyphesis.te
-index 25897c9..814bdae 100644
---- a/cyphesis.te
-+++ b/cyphesis.te
-@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
- corecmd_search_bin(cyphesis_t)
- corecmd_getattr_bin_files(cyphesis_t)
-
--corenet_all_recvfrom_unlabeled(cyphesis_t)
- corenet_tcp_sendrecv_generic_if(cyphesis_t)
- corenet_tcp_sendrecv_generic_node(cyphesis_t)
- corenet_tcp_sendrecv_all_ports(cyphesis_t)
-@@ -66,8 +65,6 @@ files_read_usr_files(cyphesis_t)
-
- logging_send_syslog_msg(cyphesis_t)
-
--miscfiles_read_localization(cyphesis_t)
--
- sysnet_dns_name_resolve(cyphesis_t)
-
- # cyphesis wants to talk to avahi via dbus
-diff --git a/cyrus.if b/cyrus.if
-index e4e86d0..4203ea9 100644
---- a/cyrus.if
-+++ b/cyrus.if
-@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
- manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
- ')
-
-+#######################################
-+##
-+## Allow write cyrus data files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cyrus_write_data',`
-+ gen_require(`
-+ type cyrus_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
-+')
-+
- ########################################
- ##
- ## Connect to Cyrus using a unix domain stream socket.
-@@ -62,9 +81,13 @@ interface(`cyrus_admin',`
- type cyrus_var_run_t, cyrus_initrc_exec_t;
- ')
-
-- allow $1 cyrus_t:process { ptrace signal_perms };
-+ allow $1 cyrus_t:process signal_perms;
- ps_process_pattern($1, cyrus_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cyrus_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cyrus_initrc_exec_t system_r;
-diff --git a/cyrus.te b/cyrus.te
-index 097fdcc..fb6e6da 100644
---- a/cyrus.te
-+++ b/cyrus.te
-@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
- # Local policy
- #
-
--allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
-+allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
- dontaudit cyrus_t self:capability sys_tty_config;
- allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow cyrus_t self:process setrlimit;
-@@ -62,7 +62,6 @@ kernel_read_kernel_sysctls(cyrus_t)
- kernel_read_system_state(cyrus_t)
- kernel_read_all_sysctls(cyrus_t)
-
--corenet_all_recvfrom_unlabeled(cyrus_t)
- corenet_all_recvfrom_netlabel(cyrus_t)
- corenet_tcp_sendrecv_generic_if(cyrus_t)
- corenet_udp_sendrecv_generic_if(cyrus_t)
-@@ -73,6 +72,7 @@ corenet_udp_sendrecv_all_ports(cyrus_t)
- corenet_tcp_bind_generic_node(cyrus_t)
- corenet_tcp_bind_mail_port(cyrus_t)
- corenet_tcp_bind_lmtp_port(cyrus_t)
-+corenet_tcp_bind_innd_port(cyrus_t)
- corenet_tcp_bind_pop_port(cyrus_t)
- corenet_tcp_bind_sieve_port(cyrus_t)
- corenet_tcp_connect_all_ports(cyrus_t)
-@@ -93,7 +93,6 @@ corecmd_exec_bin(cyrus_t)
- domain_use_interactive_fds(cyrus_t)
-
- files_list_var_lib(cyrus_t)
--files_read_etc_files(cyrus_t)
- files_read_etc_runtime_files(cyrus_t)
- files_read_usr_files(cyrus_t)
-
-@@ -103,7 +102,6 @@ libs_exec_lib_files(cyrus_t)
-
- logging_send_syslog_msg(cyrus_t)
-
--miscfiles_read_localization(cyrus_t)
- miscfiles_read_generic_certs(cyrus_t)
-
- sysnet_read_config(cyrus_t)
-@@ -119,6 +117,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dirsrv_stream_connect(cyrus_t)
-+')
-+
-+optional_policy(`
- kerberos_keytab_template(cyrus, cyrus_t)
- ')
-
-@@ -135,6 +137,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ files_dontaudit_write_usr_dirs(cyrus_t)
- snmp_read_snmp_var_lib_files(cyrus_t)
- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
- snmp_stream_connect(cyrus_t)
-diff --git a/daemontools.if b/daemontools.if
-index ce3e676..0158314 100644
---- a/daemontools.if
-+++ b/daemontools.if
-@@ -210,3 +210,4 @@ interface(`daemontools_manage_svc',`
- allow $1 svc_svc_t:file manage_file_perms;
- allow $1 svc_svc_t:lnk_file { read create };
- ')
-+
-diff --git a/daemontools.te b/daemontools.te
-index dcc5f1c..c6fa5c0 100644
---- a/daemontools.te
-+++ b/daemontools.te
-@@ -38,7 +38,10 @@ files_type(svc_svc_t)
- # multilog creates /service/*/log/status
- manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
-
-+term_write_console(svc_multilog_t)
-+
- init_use_fds(svc_multilog_t)
-+init_dontaudit_use_script_fds(svc_multilog_t)
-
- # writes to /var/log/*/*
- logging_manage_generic_logs(svc_multilog_t)
-@@ -69,6 +72,8 @@ dev_read_urand(svc_run_t)
- corecmd_exec_bin(svc_run_t)
- corecmd_exec_shell(svc_run_t)
-
-+term_write_console(svc_run_t)
-+
- files_read_etc_files(svc_run_t)
- files_read_etc_runtime_files(svc_run_t)
- files_search_pids(svc_run_t)
-@@ -99,12 +104,19 @@ allow svc_start_t self:unix_stream_socket create_socket_perms;
-
- can_exec(svc_start_t, svc_start_exec_t)
-
-+mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
-+
- kernel_read_kernel_sysctls(svc_start_t)
- kernel_read_system_state(svc_start_t)
-
- corecmd_exec_bin(svc_start_t)
- corecmd_exec_shell(svc_start_t)
-
-+corenet_tcp_bind_generic_node(svc_start_t)
-+corenet_tcp_bind_generic_port(svc_start_t)
-+
-+term_write_console(svc_start_t)
-+
- files_read_etc_files(svc_start_t)
- files_read_etc_runtime_files(svc_start_t)
- files_search_var(svc_start_t)
-@@ -114,5 +126,3 @@ daemontools_domtrans_run(svc_start_t)
- daemontools_manage_svc(svc_start_t)
-
- logging_send_syslog_msg(svc_start_t)
--
--miscfiles_read_localization(svc_start_t)
-diff --git a/dante.te b/dante.te
-index 9636326..637fc71 100644
---- a/dante.te
-+++ b/dante.te
-@@ -10,7 +10,7 @@ type dante_exec_t;
- init_daemon_domain(dante_t, dante_exec_t)
-
- type dante_conf_t;
--files_type(dante_conf_t)
-+files_config_file(dante_conf_t)
-
- type dante_var_run_t;
- files_pid_file(dante_var_run_t)
-@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(dante_t)
- kernel_list_proc(dante_t)
- kernel_read_proc_symlinks(dante_t)
-
--corenet_all_recvfrom_unlabeled(dante_t)
- corenet_all_recvfrom_netlabel(dante_t)
- corenet_tcp_sendrecv_generic_if(dante_t)
- corenet_udp_sendrecv_generic_if(dante_t)
-@@ -46,7 +45,6 @@ corenet_udp_sendrecv_generic_node(dante_t)
- corenet_tcp_sendrecv_all_ports(dante_t)
- corenet_udp_sendrecv_all_ports(dante_t)
- corenet_tcp_bind_generic_node(dante_t)
--corenet_tcp_bind_socks_port(dante_t)
-
- dev_read_sysfs(dante_t)
-
-@@ -62,8 +60,6 @@ init_write_utmp(dante_t)
-
- logging_send_syslog_msg(dante_t)
-
--miscfiles_read_localization(dante_t)
--
- sysnet_read_config(dante_t)
-
- userdom_dontaudit_use_unpriv_user_fds(dante_t)
-diff --git a/dbadm.te b/dbadm.te
-index 1875064..2adc35f 100644
---- a/dbadm.te
-+++ b/dbadm.te
-@@ -28,7 +28,7 @@ userdom_base_user_template(dbadm)
- # database admin local policy
- #
-
--allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
-+allow dbadm_t self:capability { dac_override dac_read_search };
-
- files_dontaudit_search_all_dirs(dbadm_t)
- files_delete_generic_locks(dbadm_t)
-@@ -37,6 +37,7 @@ files_list_var(dbadm_t)
- selinux_get_enforce_mode(dbadm_t)
-
- logging_send_syslog_msg(dbadm_t)
-+logging_send_audit_msgs(dbadm_t)
-
- userdom_dontaudit_search_user_home_dirs(dbadm_t)
-
-@@ -58,3 +59,7 @@ optional_policy(`
- optional_policy(`
- postgresql_admin(dbadm_t, dbadm_r)
- ')
-+
-+optional_policy(`
-+ sudo_role_template(dbadm, dbadm_r, dbadm_t)
-+')
-diff --git a/dbskk.te b/dbskk.te
-index 1445f97..8ca064c 100644
---- a/dbskk.te
-+++ b/dbskk.te
-@@ -47,7 +47,6 @@ kernel_read_kernel_sysctls(dbskkd_t)
- kernel_read_system_state(dbskkd_t)
- kernel_read_network_state(dbskkd_t)
-
--corenet_all_recvfrom_unlabeled(dbskkd_t)
- corenet_all_recvfrom_netlabel(dbskkd_t)
- corenet_tcp_sendrecv_generic_if(dbskkd_t)
- corenet_udp_sendrecv_generic_if(dbskkd_t)
-@@ -60,10 +59,7 @@ dev_read_urand(dbskkd_t)
-
- fs_getattr_xattr_fs(dbskkd_t)
-
--files_read_etc_files(dbskkd_t)
-
- auth_use_nsswitch(dbskkd_t)
-
- logging_send_syslog_msg(dbskkd_t)
--
--miscfiles_read_localization(dbskkd_t)
-diff --git a/dbus.fc b/dbus.fc
-index e6345ce..31f269b 100644
---- a/dbus.fc
-+++ b/dbus.fc
-@@ -4,6 +4,7 @@
-
- ifdef(`distro_redhat',`
- /lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-+/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
- ')
-
- /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-diff --git a/dbus.if b/dbus.if
-index fb4bf82..126d543 100644
---- a/dbus.if
-+++ b/dbus.if
-@@ -41,9 +41,9 @@ interface(`dbus_stub',`
- template(`dbus_role_template',`
- gen_require(`
- class dbus { send_msg acquire_svc };
--
-- attribute session_bus_type;
-+ attribute dbusd_unconfined, session_bus_type;
- type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
-+ type $1_t;
- ')
-
- ##############################
-@@ -52,117 +52,47 @@ template(`dbus_role_template',`
- #
-
- type $1_dbusd_t, session_bus_type;
-- domain_type($1_dbusd_t)
-- domain_entry_file($1_dbusd_t, dbusd_exec_t)
-+ application_domain($1_dbusd_t, dbusd_exec_t)
- ubac_constrained($1_dbusd_t)
- role $2 types $1_dbusd_t;
-
-+ kernel_read_system_state($1_dbusd_t)
-+
-+ selinux_get_fs_mount($1_dbusd_t)
-+
-+ userdom_home_manager($1_dbusd_t)
-+
- ##############################
- #
- # Local policy
- #
-
-- allow $1_dbusd_t self:process { getattr sigkill signal };
-- dontaudit $1_dbusd_t self:process ptrace;
-- allow $1_dbusd_t self:file { getattr read write };
-- allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
-- allow $1_dbusd_t self:dbus { send_msg acquire_svc };
-- allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
-- allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
-- allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
-- allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
--
- # For connecting to the bus
- allow $3 $1_dbusd_t:unix_stream_socket connectto;
-
- # SE-DBus specific permissions
-- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
-+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
-
-- allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
-- read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-- read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-+ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
-
-- manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
-- manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
-- files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
-+ ps_process_pattern($3, $1_dbusd_t)
-+ allow $3 $1_dbusd_t:process signal_perms;
-
-- domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
-- allow $3 $1_dbusd_t:process { signull sigkill signal };
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $3 $1_dbusd_t:process ptrace;
-+ ')
-
- # cjp: this seems very broken
-- corecmd_bin_domtrans($1_dbusd_t, $3)
-+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
-+ corecmd_shell_domtrans($1_dbusd_t, $1_t)
- allow $1_dbusd_t $3:process sigkill;
- allow $3 $1_dbusd_t:fd use;
- allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-- allow $3 $1_dbusd_t:process sigchld;
--
-- kernel_read_system_state($1_dbusd_t)
-- kernel_read_kernel_sysctls($1_dbusd_t)
--
-- corecmd_list_bin($1_dbusd_t)
-- corecmd_read_bin_symlinks($1_dbusd_t)
-- corecmd_read_bin_files($1_dbusd_t)
-- corecmd_read_bin_pipes($1_dbusd_t)
-- corecmd_read_bin_sockets($1_dbusd_t)
-
-- corenet_all_recvfrom_unlabeled($1_dbusd_t)
-- corenet_all_recvfrom_netlabel($1_dbusd_t)
-- corenet_tcp_sendrecv_generic_if($1_dbusd_t)
-- corenet_tcp_sendrecv_generic_node($1_dbusd_t)
-- corenet_tcp_sendrecv_all_ports($1_dbusd_t)
-- corenet_tcp_bind_generic_node($1_dbusd_t)
-- corenet_tcp_bind_reserved_port($1_dbusd_t)
--
-- dev_read_urand($1_dbusd_t)
--
-- domain_use_interactive_fds($1_dbusd_t)
-- domain_read_all_domains_state($1_dbusd_t)
--
-- files_read_etc_files($1_dbusd_t)
-- files_list_home($1_dbusd_t)
-- files_read_usr_files($1_dbusd_t)
-- files_dontaudit_search_var($1_dbusd_t)
--
-- fs_getattr_romfs($1_dbusd_t)
-- fs_getattr_xattr_fs($1_dbusd_t)
-- fs_list_inotifyfs($1_dbusd_t)
-- fs_dontaudit_list_nfs($1_dbusd_t)
--
-- selinux_get_fs_mount($1_dbusd_t)
-- selinux_validate_context($1_dbusd_t)
-- selinux_compute_access_vector($1_dbusd_t)
-- selinux_compute_create_context($1_dbusd_t)
-- selinux_compute_relabel_context($1_dbusd_t)
-- selinux_compute_user_contexts($1_dbusd_t)
--
-- auth_read_pam_console_data($1_dbusd_t)
- auth_use_nsswitch($1_dbusd_t)
-
-- logging_send_audit_msgs($1_dbusd_t)
- logging_send_syslog_msg($1_dbusd_t)
--
-- miscfiles_read_localization($1_dbusd_t)
--
-- seutil_read_config($1_dbusd_t)
-- seutil_read_default_contexts($1_dbusd_t)
--
-- term_use_all_terms($1_dbusd_t)
--
-- userdom_read_user_home_content_files($1_dbusd_t)
--
-- ifdef(`hide_broken_symptoms', `
-- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
-- ')
--
-- optional_policy(`
-- hal_dbus_chat($1_dbusd_t)
-- ')
--
-- optional_policy(`
-- xserver_use_xdm_fds($1_dbusd_t)
-- xserver_rw_xdm_pipes($1_dbusd_t)
-- ')
- ')
-
- #######################################
-@@ -181,11 +111,12 @@ interface(`dbus_system_bus_client',`
- type system_dbusd_t, system_dbusd_t;
- type system_dbusd_var_run_t, system_dbusd_var_lib_t;
- class dbus send_msg;
-+ attribute dbusd_unconfined;
- ')
-
- # SE-DBus specific permissions
- allow $1 { system_dbusd_t self }:dbus send_msg;
-- allow system_dbusd_t $1:dbus send_msg;
-+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
-
- read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
- files_search_var_lib($1)
-@@ -198,6 +129,34 @@ interface(`dbus_system_bus_client',`
-
- #######################################
- ##
-+## Creating connections to specified
-+## DBUS sessions.
-+##
-+##
-+##
-+## The prefix of the user role (e.g., user
-+## is the prefix for user_r).
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dbus_session_client',`
-+ gen_require(`
-+ class dbus send_msg;
-+ type $1_dbusd_t;
-+ ')
-+
-+ allow $2 $1_dbusd_t:fd use;
-+ allow $2 { $1_dbusd_t self }:dbus send_msg;
-+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
-+')
-+
-+#######################################
-+##
- ## Template for creating connections to
- ## a user DBUS.
- ##
-@@ -219,7 +178,7 @@ interface(`dbus_session_bus_client',`
- # For connecting to the bus
- allow $1 session_bus_type:unix_stream_socket connectto;
-
-- dontaudit $1 session_bus_type:fd use;
-+ allow session_bus_type $1:process sigkill;
- ')
-
- ########################################
-@@ -324,6 +283,11 @@ interface(`dbus_connect_session_bus',`
- ## Allow a application domain to be started
- ## by the session dbus.
- ##
-+##
-+##
-+## User domain prefix to be used.
-+##
-+##
- ##
- ##
- ## Type to be used as a domain.
-@@ -338,13 +302,13 @@ interface(`dbus_connect_session_bus',`
- #
- interface(`dbus_session_domain',`
- gen_require(`
-- attribute session_bus_type;
-+ type $1_dbusd_t;
- ')
-
-- domtrans_pattern(session_bus_type, $2, $1)
-+ domtrans_pattern($1_dbusd_t, $2, $3)
-
-- dbus_session_bus_client($1)
-- dbus_connect_session_bus($1)
-+ dbus_session_bus_client($3)
-+ dbus_connect_session_bus($3)
- ')
-
- ########################################
-@@ -423,27 +387,16 @@ interface(`dbus_system_bus_unconfined',`
- #
- interface(`dbus_system_domain',`
- gen_require(`
-+ attribute system_bus_type;
- type system_dbusd_t;
- role system_r;
- ')
-+ typeattribute $1 system_bus_type;
-
- domain_type($1)
- domain_entry_file($1, $2)
-
-- role system_r types $1;
--
- domtrans_pattern(system_dbusd_t, $2, $1)
--
-- dbus_system_bus_client($1)
-- dbus_connect_system_bus($1)
--
-- ps_process_pattern(system_dbusd_t, $1)
--
-- userdom_read_all_users_state($1)
--
-- ifdef(`hide_broken_symptoms', `
-- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
-- ')
- ')
-
- ########################################
-@@ -466,26 +419,25 @@ interface(`dbus_use_system_bus_fds',`
-
- ########################################
- ##
--## Dontaudit Read, and write system dbus TCP sockets.
-+## Allow unconfined access to the system DBUS.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
-+interface(`dbus_unconfined',`
- gen_require(`
-- type system_dbusd_t;
-+ attribute dbusd_unconfined;
- ')
-
-- allow $1 system_dbusd_t:tcp_socket { read write };
-- allow $1 system_dbusd_t:fd use;
-+ typeattribute $1 dbusd_unconfined;
- ')
-
- ########################################
- ##
--## Allow unconfined access to the system DBUS.
-+## Delete all dbus pid files
- ##
- ##
- ##
-@@ -493,10 +445,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
- ##
- ##
- #
--interface(`dbus_unconfined',`
-+interface(`dbus_delete_pid_files',`
- gen_require(`
-- attribute dbusd_unconfined;
-+ type system_dbusd_var_run_t;
- ')
-
-- typeattribute $1 dbusd_unconfined;
-+ files_search_pids($1)
-+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to connect to
-+## session bus types with a unix
-+## stream socket.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dbus_dontaudit_stream_connect_session_bus',`
-+ gen_require(`
-+ attribute session_bus_type;
-+ ')
-+
-+ dontaudit $1 session_bus_type:unix_stream_socket connectto;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to send dbus
-+## messages to session bus types.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dbus_dontaudit_chat_session_bus',`
-+ gen_require(`
-+ attribute session_bus_type;
-+ class dbus send_msg;
-+ ')
-+
-+ dontaudit $1 session_bus_type:dbus send_msg;
- ')
-diff --git a/dbus.te b/dbus.te
-index 625cb32..087cecf 100644
---- a/dbus.te
-+++ b/dbus.te
-@@ -10,6 +10,7 @@ gen_require(`
- #
-
- attribute dbusd_unconfined;
-+attribute system_bus_type;
- attribute session_bus_type;
-
- type dbusd_etc_t;
-@@ -35,6 +36,7 @@ files_type(system_dbusd_var_lib_t)
-
- type system_dbusd_var_run_t;
- files_pid_file(system_dbusd_var_run_t)
-+init_sock_file(system_dbusd_var_run_t)
-
- ifdef(`enable_mcs',`
- init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,9 +53,9 @@ ifdef(`enable_mls',`
-
- # dac_override: /var/run/dbus is owned by messagebus on Debian
- # cjp: dac_override should probably go in a distro_debian
--allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
-+allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
- dontaudit system_dbusd_t self:capability sys_tty_config;
--allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
-+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
- allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
- allow system_dbusd_t self:dbus { send_msg acquire_svc };
- allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-@@ -73,9 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
-
- read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
-
-+manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
- manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
- manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
--files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
-+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
-
- kernel_read_system_state(system_dbusd_t)
- kernel_read_kernel_sysctls(system_dbusd_t)
-@@ -83,11 +86,16 @@ kernel_read_kernel_sysctls(system_dbusd_t)
- dev_read_urand(system_dbusd_t)
- dev_read_sysfs(system_dbusd_t)
-
-+files_rw_inherited_non_security_files(system_dbusd_t)
-+
- fs_getattr_all_fs(system_dbusd_t)
- fs_list_inotifyfs(system_dbusd_t)
- fs_search_auto_mountpoints(system_dbusd_t)
- fs_dontaudit_list_nfs(system_dbusd_t)
-
-+storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
-+storage_rw_inherited_removable_device(system_dbusd_t)
-+
- mls_fd_use_all_levels(system_dbusd_t)
- mls_rangetrans_target(system_dbusd_t)
- mls_file_read_all_levels(system_dbusd_t)
-@@ -110,22 +118,25 @@ auth_read_pam_console_data(system_dbusd_t)
- corecmd_list_bin(system_dbusd_t)
- corecmd_read_bin_pipes(system_dbusd_t)
- corecmd_read_bin_sockets(system_dbusd_t)
-+# needed for system-tools-backends
-+corecmd_exec_shell(system_dbusd_t)
-
- domain_use_interactive_fds(system_dbusd_t)
- domain_read_all_domains_state(system_dbusd_t)
-
--files_read_etc_files(system_dbusd_t)
- files_list_home(system_dbusd_t)
- files_read_usr_files(system_dbusd_t)
-
- init_use_fds(system_dbusd_t)
- init_use_script_ptys(system_dbusd_t)
-+init_bin_domtrans_spec(system_dbusd_t)
- init_domtrans_script(system_dbusd_t)
-+init_rw_stream_sockets(system_dbusd_t)
-+init_status(system_dbusd_t)
-
- logging_send_audit_msgs(system_dbusd_t)
- logging_send_syslog_msg(system_dbusd_t)
-
--miscfiles_read_localization(system_dbusd_t)
- miscfiles_read_generic_certs(system_dbusd_t)
-
- seutil_read_config(system_dbusd_t)
-@@ -135,11 +146,35 @@ seutil_sigchld_newrole(system_dbusd_t)
- userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
- userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
-
-+userdom_home_reader(system_dbusd_t)
-+
- optional_policy(`
- bind_domtrans(system_dbusd_t)
- ')
-
- optional_policy(`
-+ bluetooth_stream_connect(system_dbusd_t)
-+')
-+
-+optional_policy(`
-+ cpufreqselector_dbus_chat(system_dbusd_t)
-+')
-+
-+optional_policy(`
-+ getty_start_services(system_dbusd_t)
-+')
-+
-+optional_policy(`
-+ gnome_exec_gconf(system_dbusd_t)
-+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_initrc_domtrans(system_dbusd_t)
-+ networkmanager_systemctl(system_dbusd_t)
-+')
-+
-+optional_policy(`
- policykit_dbus_chat(system_dbusd_t)
- policykit_domtrans_auth(system_dbusd_t)
- policykit_search_lib(system_dbusd_t)
-@@ -150,12 +185,162 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ systemd_use_fds_logind(system_dbusd_t)
-+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
-+ systemd_write_inhibit_pipes(system_dbusd_t)
-+# These are caused by broken systemd patch
-+ systemd_start_power_services(system_dbusd_t)
-+ systemd_config_all_services(system_dbusd_t)
-+ files_config_all_files(system_dbusd_t)
-+')
-+
-+optional_policy(`
- udev_read_db(system_dbusd_t)
- ')
-
-+optional_policy(`
-+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
-+ xserver_read_inherited_xdm_lib_files(system_dbusd_t)
-+')
-+
-+########################################
-+#
-+# system_bus_type rules
-+#
-+role system_r types system_bus_type;
-+
-+fs_search_all(system_bus_type)
-+
-+dbus_system_bus_client(system_bus_type)
-+dbus_connect_system_bus(system_bus_type)
-+
-+init_status(system_bus_type)
-+init_stream_connect(system_bus_type)
-+init_dgram_send(system_bus_type)
-+init_use_fds(system_bus_type)
-+init_rw_stream_sockets(system_bus_type)
-+
-+ps_process_pattern(system_dbusd_t, system_bus_type)
-+
-+userdom_dontaudit_search_admin_dir(system_bus_type)
-+userdom_read_all_users_state(system_bus_type)
-+
-+optional_policy(`
-+ abrt_stream_connect(system_bus_type)
-+')
-+
-+optional_policy(`
-+ rpm_script_dbus_chat(system_bus_type)
-+')
-+
-+optional_policy(`
-+ unconfined_dbus_send(system_bus_type)
-+')
-+
-+ifdef(`hide_broken_symptoms',`
-+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
-+')
-+
-+########################################
-+#
-+# session_bus_type rules
-+#
-+allow session_bus_type self:capability2 block_suspend;
-+dontaudit session_bus_type self:capability sys_resource;
-+allow session_bus_type self:process { getattr sigkill signal };
-+dontaudit session_bus_type self:process setrlimit;
-+allow session_bus_type self:file { getattr read write };
-+allow session_bus_type self:fifo_file rw_fifo_file_perms;
-+allow session_bus_type self:dbus { send_msg acquire_svc };
-+allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
-+allow session_bus_type self:unix_dgram_socket create_socket_perms;
-+allow session_bus_type self:tcp_socket create_stream_socket_perms;
-+allow session_bus_type self:netlink_selinux_socket create_socket_perms;
-+
-+allow session_bus_type dbusd_etc_t:dir list_dir_perms;
-+read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
-+read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
-+
-+manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
-+manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
-+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
-+
-+kernel_read_kernel_sysctls(session_bus_type)
-+
-+corecmd_list_bin(session_bus_type)
-+corecmd_read_bin_symlinks(session_bus_type)
-+corecmd_read_bin_files(session_bus_type)
-+corecmd_read_bin_pipes(session_bus_type)
-+corecmd_read_bin_sockets(session_bus_type)
-+
-+corenet_tcp_sendrecv_generic_if(session_bus_type)
-+corenet_tcp_sendrecv_generic_node(session_bus_type)
-+corenet_tcp_sendrecv_all_ports(session_bus_type)
-+corenet_tcp_bind_generic_node(session_bus_type)
-+corenet_tcp_bind_reserved_port(session_bus_type)
-+
-+dev_read_urand(session_bus_type)
-+
-+domain_use_interactive_fds(session_bus_type)
-+domain_read_all_domains_state(session_bus_type)
-+
-+files_list_home(session_bus_type)
-+files_read_usr_files(session_bus_type)
-+files_dontaudit_search_var(session_bus_type)
-+
-+fs_getattr_romfs(session_bus_type)
-+fs_getattr_xattr_fs(session_bus_type)
-+fs_list_inotifyfs(session_bus_type)
-+fs_dontaudit_list_nfs(session_bus_type)
-+
-+selinux_validate_context(session_bus_type)
-+selinux_compute_access_vector(session_bus_type)
-+selinux_compute_create_context(session_bus_type)
-+selinux_compute_relabel_context(session_bus_type)
-+selinux_compute_user_contexts(session_bus_type)
-+
-+auth_read_pam_console_data(session_bus_type)
-+
-+logging_send_audit_msgs(session_bus_type)
-+
-+seutil_read_config(session_bus_type)
-+seutil_read_default_contexts(session_bus_type)
-+
-+term_use_all_inherited_terms(session_bus_type)
-+
-+userdom_dontaudit_search_admin_dir(session_bus_type)
-+userdom_manage_user_home_content_dirs(session_bus_type)
-+userdom_manage_user_home_content_files(session_bus_type)
-+userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
-+userdom_manage_tmpfs_files(session_bus_type, file)
-+userdom_tmpfs_filetrans(session_bus_type, file)
-+
-+optional_policy(`
-+ gnome_read_gconf_home_files(session_bus_type)
-+')
-+
-+optional_policy(`
-+ hal_dbus_chat(session_bus_type)
-+')
-+
-+optional_policy(`
-+ thumb_domtrans(session_bus_type)
-+')
-+
-+optional_policy(`
-+ xserver_search_xdm_lib(session_bus_type)
-+ xserver_use_xdm_fds(session_bus_type)
-+ xserver_rw_xdm_pipes(session_bus_type)
-+ xserver_use_xdm_fds(session_bus_type)
-+ xserver_rw_xdm_pipes(session_bus_type)
-+ xserver_append_xdm_home_files(session_bus_type)
-+')
-+
- ########################################
- #
- # Unconfined access to this module
- #
-
- allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
-+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
-+allow session_bus_type dbusd_unconfined:dbus send_msg;
-diff --git a/dcc.if b/dcc.if
-index 784753e..bf65e7d 100644
---- a/dcc.if
-+++ b/dcc.if
-@@ -168,6 +168,6 @@ interface(`dcc_stream_connect_dccifd',`
- type dcc_var_t, dccifd_var_run_t, dccifd_t;
- ')
-
-- files_search_var($1)
-+ files_search_pids($1)
- stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
- ')
-diff --git a/dcc.te b/dcc.te
-index 5178337..46bbbed 100644
---- a/dcc.te
-+++ b/dcc.te
-@@ -36,7 +36,7 @@ type dcc_var_t;
- files_type(dcc_var_t)
-
- type dcc_var_run_t;
--files_type(dcc_var_run_t)
-+files_pid_file(dcc_var_run_t)
-
- type dccd_t;
- type dccd_exec_t;
-@@ -95,22 +95,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
- read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
- read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
-
--corenet_all_recvfrom_unlabeled(cdcc_t)
- corenet_all_recvfrom_netlabel(cdcc_t)
- corenet_udp_sendrecv_generic_if(cdcc_t)
- corenet_udp_sendrecv_generic_node(cdcc_t)
- corenet_udp_sendrecv_all_ports(cdcc_t)
-
--files_read_etc_files(cdcc_t)
- files_read_etc_runtime_files(cdcc_t)
-
- auth_use_nsswitch(cdcc_t)
-
- logging_send_syslog_msg(cdcc_t)
-
--miscfiles_read_localization(cdcc_t)
--
--userdom_use_user_terminals(cdcc_t)
-+userdom_use_inherited_user_terminals(cdcc_t)
-
- ########################################
- #
-@@ -134,14 +130,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
-
- kernel_read_system_state(dcc_client_t)
-
--corenet_all_recvfrom_unlabeled(dcc_client_t)
- corenet_all_recvfrom_netlabel(dcc_client_t)
- corenet_udp_sendrecv_generic_if(dcc_client_t)
- corenet_udp_sendrecv_generic_node(dcc_client_t)
- corenet_udp_sendrecv_all_ports(dcc_client_t)
- corenet_udp_bind_generic_node(dcc_client_t)
-
--files_read_etc_files(dcc_client_t)
- files_read_etc_runtime_files(dcc_client_t)
-
- fs_getattr_all_fs(dcc_client_t)
-@@ -150,9 +144,7 @@ auth_use_nsswitch(dcc_client_t)
-
- logging_send_syslog_msg(dcc_client_t)
-
--miscfiles_read_localization(dcc_client_t)
--
--userdom_use_user_terminals(dcc_client_t)
-+userdom_use_inherited_user_terminals(dcc_client_t)
-
- optional_policy(`
- amavis_read_spool_files(dcc_client_t)
-@@ -182,22 +174,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
-
- kernel_read_system_state(dcc_dbclean_t)
-
--corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
- corenet_all_recvfrom_netlabel(dcc_dbclean_t)
- corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
- corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
- corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
-
--files_read_etc_files(dcc_dbclean_t)
- files_read_etc_runtime_files(dcc_dbclean_t)
-
- auth_use_nsswitch(dcc_dbclean_t)
-
- logging_send_syslog_msg(dcc_dbclean_t)
-
--miscfiles_read_localization(dcc_dbclean_t)
--
--userdom_use_user_terminals(dcc_dbclean_t)
-+userdom_use_inherited_user_terminals(dcc_dbclean_t)
-
- ########################################
- #
-@@ -238,7 +226,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
- kernel_read_system_state(dccd_t)
- kernel_read_kernel_sysctls(dccd_t)
-
--corenet_all_recvfrom_unlabeled(dccd_t)
- corenet_all_recvfrom_netlabel(dccd_t)
- corenet_udp_sendrecv_generic_if(dccd_t)
- corenet_udp_sendrecv_generic_node(dccd_t)
-@@ -251,7 +238,6 @@ dev_read_sysfs(dccd_t)
-
- domain_use_interactive_fds(dccd_t)
-
--files_read_etc_files(dccd_t)
- files_read_etc_runtime_files(dccd_t)
-
- fs_getattr_all_fs(dccd_t)
-@@ -261,8 +247,6 @@ auth_use_nsswitch(dccd_t)
-
- logging_send_syslog_msg(dccd_t)
-
--miscfiles_read_localization(dccd_t)
--
- userdom_dontaudit_use_unpriv_user_fds(dccd_t)
- userdom_dontaudit_search_user_home_dirs(dccd_t)
-
-@@ -306,7 +290,6 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
- kernel_read_system_state(dccifd_t)
- kernel_read_kernel_sysctls(dccifd_t)
-
--corenet_all_recvfrom_unlabeled(dccifd_t)
- corenet_all_recvfrom_netlabel(dccifd_t)
- corenet_udp_sendrecv_generic_if(dccifd_t)
- corenet_udp_sendrecv_generic_node(dccifd_t)
-@@ -316,7 +299,6 @@ dev_read_sysfs(dccifd_t)
-
- domain_use_interactive_fds(dccifd_t)
-
--files_read_etc_files(dccifd_t)
- files_read_etc_runtime_files(dccifd_t)
-
- fs_getattr_all_fs(dccifd_t)
-@@ -326,8 +308,6 @@ auth_use_nsswitch(dccifd_t)
-
- logging_send_syslog_msg(dccifd_t)
-
--miscfiles_read_localization(dccifd_t)
--
- userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
- userdom_dontaudit_search_user_home_dirs(dccifd_t)
-
-@@ -370,7 +350,6 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
- kernel_read_system_state(dccm_t)
- kernel_read_kernel_sysctls(dccm_t)
-
--corenet_all_recvfrom_unlabeled(dccm_t)
- corenet_all_recvfrom_netlabel(dccm_t)
- corenet_udp_sendrecv_generic_if(dccm_t)
- corenet_udp_sendrecv_generic_node(dccm_t)
-@@ -380,7 +359,6 @@ dev_read_sysfs(dccm_t)
-
- domain_use_interactive_fds(dccm_t)
-
--files_read_etc_files(dccm_t)
- files_read_etc_runtime_files(dccm_t)
-
- fs_getattr_all_fs(dccm_t)
-@@ -390,8 +368,6 @@ auth_use_nsswitch(dccm_t)
-
- logging_send_syslog_msg(dccm_t)
-
--miscfiles_read_localization(dccm_t)
--
- userdom_dontaudit_use_unpriv_user_fds(dccm_t)
- userdom_dontaudit_search_user_home_dirs(dccm_t)
-
-diff --git a/ddclient.if b/ddclient.if
-index 0a1a61b..64742c6 100644
---- a/ddclient.if
-+++ b/ddclient.if
-@@ -64,13 +64,17 @@ interface(`ddclient_run',`
- interface(`ddclient_admin',`
- gen_require(`
- type ddclient_t, ddclient_etc_t, ddclient_log_t;
-- type ddclient_var_t, ddclient_var_lib_t;
-- type ddclient_var_run_t, ddclient_initrc_exec_t;
-+ type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t;
-+ type ddclient_var_run_t;
- ')
-
-- allow $1 ddclient_t:process { ptrace signal_perms };
-+ allow $1 ddclient_t:process signal_perms;
- ps_process_pattern($1, ddclient_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ddclient_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ddclient_initrc_exec_t system_r;
-diff --git a/ddclient.te b/ddclient.te
-index 24ba98a..318a5a1 100644
---- a/ddclient.te
-+++ b/ddclient.te
-@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
- type ddclient_log_t;
- logging_log_file(ddclient_log_t)
-
-+type ddclient_tmp_t;
-+files_tmp_file(ddclient_tmp_t)
-+
- type ddclient_var_t;
- files_type(ddclient_var_t)
-
-@@ -32,17 +35,23 @@ files_pid_file(ddclient_var_run_t)
- # Declarations
- #
-
-+
- dontaudit ddclient_t self:capability sys_tty_config;
- allow ddclient_t self:process signal_perms;
- allow ddclient_t self:fifo_file rw_fifo_file_perms;
- allow ddclient_t self:tcp_socket create_socket_perms;
- allow ddclient_t self:udp_socket create_socket_perms;
-+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
-
--allow ddclient_t ddclient_etc_t:file read_file_perms;
-+read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
-+setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
-
- allow ddclient_t ddclient_log_t:file manage_file_perms;
- logging_log_filetrans(ddclient_t, ddclient_log_t, file)
-
-+manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
-+files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file })
-+
- manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
- manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
- manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
-@@ -62,11 +71,11 @@ kernel_read_software_raid_state(ddclient_t)
- kernel_getattr_core_if(ddclient_t)
- kernel_getattr_message_if(ddclient_t)
- kernel_read_kernel_sysctls(ddclient_t)
-+kernel_search_network_sysctl(ddclient_t)
-
- corecmd_exec_shell(ddclient_t)
- corecmd_exec_bin(ddclient_t)
-
--corenet_all_recvfrom_unlabeled(ddclient_t)
- corenet_all_recvfrom_netlabel(ddclient_t)
- corenet_tcp_sendrecv_generic_if(ddclient_t)
- corenet_udp_sendrecv_generic_if(ddclient_t)
-@@ -74,6 +83,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
- corenet_udp_sendrecv_generic_node(ddclient_t)
- corenet_tcp_sendrecv_all_ports(ddclient_t)
- corenet_udp_sendrecv_all_ports(ddclient_t)
-+corenet_tcp_bind_generic_node(ddclient_t)
-+corenet_udp_bind_generic_node(ddclient_t)
- corenet_tcp_connect_all_ports(ddclient_t)
- corenet_sendrecv_all_client_packets(ddclient_t)
-
-@@ -89,9 +100,11 @@ files_read_usr_files(ddclient_t)
- fs_getattr_all_fs(ddclient_t)
- fs_search_auto_mountpoints(ddclient_t)
-
-+auth_read_passwd(ddclient_t)
-+
- logging_send_syslog_msg(ddclient_t)
-
--miscfiles_read_localization(ddclient_t)
-+mta_send_mail(ddclient_t)
-
- sysnet_exec_ifconfig(ddclient_t)
- sysnet_read_config(ddclient_t)
-diff --git a/ddcprobe.te b/ddcprobe.te
-index 5e062bc..c85c30d 100644
---- a/ddcprobe.te
-+++ b/ddcprobe.te
-@@ -40,12 +40,15 @@ term_use_all_ptys(ddcprobe_t)
-
- libs_read_lib_files(ddcprobe_t)
-
--miscfiles_read_localization(ddcprobe_t)
-
--modutils_read_module_deps(ddcprobe_t)
--
--userdom_use_user_terminals(ddcprobe_t)
-+userdom_use_inherited_user_terminals(ddcprobe_t)
- userdom_use_all_users_fds(ddcprobe_t)
-
--#reh why? this does not seem even necessary to function properly
--kudzu_getattr_exec_files(ddcprobe_t)
-+optional_policy(`
-+ #reh why? this does not seem even necessary to function properly
-+ kudzu_getattr_exec_files(ddcprobe_t)
-+')
-+
-+optional_policy(`
-+ modutils_read_module_deps(ddcprobe_t)
-+')
-diff --git a/denyhosts.if b/denyhosts.if
-index 567865f..b5e9376 100644
---- a/denyhosts.if
-+++ b/denyhosts.if
-@@ -59,6 +59,7 @@ interface(`denyhosts_initrc_domtrans', `
- ## Role allowed access.
- ##
- ##
-+##
- #
- interface(`denyhosts_admin', `
- gen_require(`
-@@ -66,20 +67,24 @@ interface(`denyhosts_admin', `
- type denyhosts_var_log_t, denyhosts_initrc_exec_t;
- ')
-
-- allow $1 denyhosts_t:process { ptrace signal_perms };
-+ allow $1 denyhosts_t:process signal_perms;
- ps_process_pattern($1, denyhosts_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 denyhosts_t:process ptrace;
-+ ')
-+
- denyhosts_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 denyhosts_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
- admin_pattern($1, denyhosts_var_lib_t)
-
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, denyhosts_var_log_t)
-
-- files_search_locks($1)
-+ files_list_locks($1)
- admin_pattern($1, denyhosts_var_lock_t)
- ')
-diff --git a/denyhosts.te b/denyhosts.te
-index 8ba9425..2030529 100644
---- a/denyhosts.te
-+++ b/denyhosts.te
-@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
- #
- # DenyHosts personal policy.
- #
-+# Bug #588563
-+allow denyhosts_t self:capability sys_tty_config;
-+allow denyhosts_t self:fifo_file rw_fifo_file_perms;
-
- allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
- allow denyhosts_t self:tcp_socket create_socket_perms;
-@@ -43,26 +46,30 @@ read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
- setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
- logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
-
-+kernel_read_network_state(denyhosts_t)
- kernel_read_system_state(denyhosts_t)
-+kernel_read_network_state(denyhosts_t)
-
-+corecmd_exec_shell(denyhosts_t)
- corecmd_exec_bin(denyhosts_t)
-
--corenet_all_recvfrom_unlabeled(denyhosts_t)
- corenet_all_recvfrom_netlabel(denyhosts_t)
- corenet_tcp_sendrecv_generic_if(denyhosts_t)
- corenet_tcp_sendrecv_generic_node(denyhosts_t)
- corenet_tcp_bind_generic_node(denyhosts_t)
- corenet_tcp_connect_smtp_port(denyhosts_t)
-+corenet_tcp_connect_sype_port(denyhosts_t)
- corenet_sendrecv_smtp_client_packets(denyhosts_t)
-
- dev_read_urand(denyhosts_t)
-
--files_read_etc_files(denyhosts_t)
-+files_read_usr_files(denyhosts_t)
-+
-+auth_use_nsswitch(denyhosts_t)
-
- # /var/log/secure
- logging_read_generic_logs(denyhosts_t)
--
--miscfiles_read_localization(denyhosts_t)
-+logging_send_syslog_msg(denyhosts_t)
-
- sysnet_manage_config(denyhosts_t)
- sysnet_etc_filetrans_config(denyhosts_t)
-@@ -70,3 +77,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
- optional_policy(`
- cron_system_entry(denyhosts_t, denyhosts_exec_t)
- ')
-+
-+optional_policy(`
-+ gnome_dontaudit_search_config(denyhosts_t)
-+')
-diff --git a/devicekit.fc b/devicekit.fc
-index 9af85c8..5483806 100644
---- a/devicekit.fc
-+++ b/devicekit.fc
-@@ -1,3 +1,8 @@
-+/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
-+/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
-+
-+/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
-+/usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
- /usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
-
- /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
-@@ -6,15 +11,16 @@
- /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
- /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
-
--ifdef(`distro_debian',`
--/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
--')
--
- /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
- /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
--/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
-+/var/lib/udisks.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
-+
-+/var/log/pm-powersave\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
-+/var/log/pm-suspend\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
-
- /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
- /var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
--/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-+/var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-+
-+/var/run/udisks.* gen_context(system_u:object_r:devicekit_var_run_t,s0)
- /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-diff --git a/devicekit.if b/devicekit.if
-index f706b99..3b4f593 100644
---- a/devicekit.if
-+++ b/devicekit.if
-@@ -20,6 +20,24 @@ interface(`devicekit_domtrans',`
-
- ########################################
- ##
-+## Execute a domain transition to run devicekit_disk.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`devicekit_domtrans_disk',`
-+ gen_require(`
-+ type devicekit_disk_t, devicekit_disk_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
-+')
-+
-+########################################
-+##
- ## Send to devicekit over a unix domain
- ## datagram socket.
- ##
-@@ -81,6 +99,45 @@ interface(`devicekit_dbus_chat_disk',`
-
- ########################################
- ##
-+## Use file descriptors for devicekit_disk.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`devicekit_use_fds_disk',`
-+ gen_require(`
-+ type devicekit_disk_t;
-+ ')
-+
-+ allow $1 devicekit_disk_t:fd use;
-+')
-+
-+########################################
-+##
-+## Dontaudit Send and receive messages from
-+## devicekit disk over dbus.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`devicekit_dontaudit_dbus_chat_disk',`
-+ gen_require(`
-+ type devicekit_disk_t;
-+ class dbus send_msg;
-+ ')
-+
-+ dontaudit $1 devicekit_disk_t:dbus send_msg;
-+ dontaudit devicekit_disk_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
- ## Send signal devicekit power
- ##
- ##
-@@ -118,6 +175,62 @@ interface(`devicekit_dbus_chat_power',`
- allow devicekit_power_t $1:dbus send_msg;
- ')
-
-+#######################################
-+##
-+## Append inherited devicekit log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`devicekit_append_inherited_log_files',`
-+ gen_require(`
-+ type devicekit_var_log_t;
-+ ')
-+
-+ allow $1 devicekit_var_log_t:file append_inherited_file_perms;
-+')
-+
-+#######################################
-+##
-+## Do not audit attempts to write the devicekit
-+## log files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`devicekit_dontaudit_rw_log',`
-+ gen_require(`
-+ type devicekit_var_log_t;
-+ ')
-+
-+ dontaudit $1 devicekit_var_log_t:file rw_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow the domain to read devicekit_power state files in /proc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`devicekit_read_state_power',`
-+ gen_require(`
-+ type devicekit_power_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, devicekit_power_t)
-+')
-+
- ########################################
- ##
- ## Read devicekit PID files.
-@@ -139,22 +252,93 @@ interface(`devicekit_read_pid_files',`
-
- ########################################
- ##
--## All of the rules required to administrate
--## an devicekit environment
-+## Do not audit attempts to read
-+## devicekit PID files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`devicekit_dontaudit_read_pid_files',`
-+ gen_require(`
-+ type devicekit_var_run_t;
-+ ')
-+
-+ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
-+')
-+
-+
-+########################################
-+##
-+## Manage devicekit PID files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`devicekit_manage_pid_files',`
-+ gen_require(`
-+ type devicekit_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
-+ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
-+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
-+')
-+
-+#######################################
-+##
-+## Relabel devicekit LOG files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`devicekit_relabel_log_files',`
-+ gen_require(`
-+ type devicekit_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
-+')
-+
-+########################################
-+##
-+## Manage devicekit LOG files.
-+##
-+##
- ##
--## The role to be allowed to manage the devicekit domain.
-+## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`devicekit_manage_log_files',`
-+ gen_require(`
-+ type devicekit_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
-+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
-+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an devicekit environment
-+##
-+##
- ##
--## The type of the user terminal.
-+## Domain allowed access.
- ##
- ##
- ##
-@@ -165,21 +349,46 @@ interface(`devicekit_admin',`
- type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
- ')
-
-- allow $1 devicekit_t:process { ptrace signal_perms getattr };
-+ allow $1 devicekit_t:process signal_perms;
- ps_process_pattern($1, devicekit_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 devicekit_t:process ptrace;
-+ allow $1 devicekit_disk_t:process ptrace;
-+ allow $1 devicekit_power_t:process ptrace;
-+ ')
-
-- allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
-+ allow $1 devicekit_disk_t:process signal_perms;
- ps_process_pattern($1, devicekit_disk_t)
-
-- allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
-+ allow $1 devicekit_power_t:process signal_perms;
- ps_process_pattern($1, devicekit_power_t)
-
- admin_pattern($1, devicekit_tmp_t)
-- files_search_tmp($1)
-+ files_list_tmp($1)
-
- admin_pattern($1, devicekit_var_lib_t)
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
-
- admin_pattern($1, devicekit_var_run_t)
-- files_search_pids($1)
-+ files_list_pids($1)
-+')
-+
-+########################################
-+##
-+## Transition to devicekit named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`devicekit_filetrans_named_content',`
-+ gen_require(`
-+ type devicekit_var_run_t, devicekit_var_log_t;
-+ ')
-+
-+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
-+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
-+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
- ')
-diff --git a/devicekit.te b/devicekit.te
-index 1819518..1363f96 100644
---- a/devicekit.te
-+++ b/devicekit.te
-@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.0)
-
- type devicekit_t;
- type devicekit_exec_t;
--dbus_system_domain(devicekit_t, devicekit_exec_t)
-+init_daemon_domain(devicekit_t, devicekit_exec_t)
-
- type devicekit_power_t;
- type devicekit_power_exec_t;
--dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
-+init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
-
- type devicekit_disk_t;
- type devicekit_disk_exec_t;
--dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
-+init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t)
-
- type devicekit_tmp_t;
- files_tmp_file(devicekit_tmp_t)
-@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
- type devicekit_var_lib_t;
- files_type(devicekit_var_lib_t)
-
-+type devicekit_var_log_t;
-+logging_log_file(devicekit_var_log_t)
-+
- ########################################
- #
- # DeviceKit local policy
-@@ -42,11 +45,10 @@ kernel_read_system_state(devicekit_t)
- dev_read_sysfs(devicekit_t)
- dev_read_urand(devicekit_t)
-
--files_read_etc_files(devicekit_t)
-
--miscfiles_read_localization(devicekit_t)
-
- optional_policy(`
-+ dbus_system_domain(devicekit_t, devicekit_exec_t)
- dbus_system_bus_client(devicekit_t)
-
- allow devicekit_t devicekit_disk_t:dbus send_msg;
-@@ -62,7 +64,8 @@ optional_policy(`
- # DeviceKit disk local policy
- #
-
--allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
-+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio };
-+
- allow devicekit_disk_t self:process { getsched signal_perms };
- allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
- allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -75,10 +78,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
- manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
- files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
-
-+allow devicekit_disk_t devicekit_var_run_t:dir mounton;
- manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
- manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
- files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
-+files_filetrans_named_content(devicekit_disk_t)
-
-+kernel_list_unlabeled(devicekit_disk_t)
-+kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
- kernel_getattr_message_if(devicekit_disk_t)
- kernel_read_fs_sysctls(devicekit_disk_t)
- kernel_read_network_state(devicekit_disk_t)
-@@ -97,6 +104,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
- dev_manage_generic_files(devicekit_disk_t)
- dev_getattr_all_chr_files(devicekit_disk_t)
- dev_getattr_mtrr_dev(devicekit_disk_t)
-+dev_rw_generic_blk_files(devicekit_disk_t)
-
- domain_getattr_all_pipes(devicekit_disk_t)
- domain_getattr_all_sockets(devicekit_disk_t)
-@@ -105,14 +113,16 @@ domain_read_all_domains_state(devicekit_disk_t)
-
- files_dontaudit_read_all_symlinks(devicekit_disk_t)
- files_getattr_all_sockets(devicekit_disk_t)
--files_getattr_all_mountpoints(devicekit_disk_t)
-+files_getattr_all_dirs(devicekit_disk_t)
- files_getattr_all_files(devicekit_disk_t)
-+files_getattr_all_pipes(devicekit_disk_t)
-+files_manage_boot_dirs(devicekit_disk_t)
- files_manage_isid_type_dirs(devicekit_disk_t)
- files_manage_mnt_dirs(devicekit_disk_t)
--files_read_etc_files(devicekit_disk_t)
- files_read_etc_runtime_files(devicekit_disk_t)
- files_read_usr_files(devicekit_disk_t)
-
-+fs_getattr_all_fs(devicekit_disk_t)
- fs_list_inotifyfs(devicekit_disk_t)
- fs_manage_fusefs_dirs(devicekit_disk_t)
- fs_mount_all_fs(devicekit_disk_t)
-@@ -127,16 +137,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
- storage_raw_read_removable_device(devicekit_disk_t)
- storage_raw_write_removable_device(devicekit_disk_t)
-
--term_use_all_terms(devicekit_disk_t)
-+term_use_all_inherited_terms(devicekit_disk_t)
-
- auth_use_nsswitch(devicekit_disk_t)
-
--miscfiles_read_localization(devicekit_disk_t)
-+logging_send_syslog_msg(devicekit_disk_t)
-
- userdom_read_all_users_state(devicekit_disk_t)
- userdom_search_user_home_dirs(devicekit_disk_t)
-+userdom_manage_user_tmp_dirs(devicekit_disk_t)
-
- optional_policy(`
-+ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
- dbus_system_bus_client(devicekit_disk_t)
-
- allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -170,6 +182,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ systemd_read_logind_sessions_files(devicekit_disk_t)
-+')
-+
-+optional_policy(`
- udev_domtrans(devicekit_disk_t)
- udev_read_db(devicekit_disk_t)
- ')
-@@ -178,55 +194,84 @@ optional_policy(`
- virt_manage_images(devicekit_disk_t)
- ')
-
-+optional_policy(`
-+ unconfined_domain(devicekit_t)
-+ unconfined_domain(devicekit_power_t)
-+ unconfined_domain(devicekit_disk_t)
-+')
-+
- ########################################
- #
- # DeviceKit-Power local policy
- #
-
--allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
--allow devicekit_power_t self:process getsched;
-+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
-+allow devicekit_power_t self:capability2 compromise_kernel;
-+allow devicekit_power_t self:process { getsched signal_perms };
- allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
- allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
- allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
-
-+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
-+logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
-+
-+manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
-+manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
-+files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
-+
- manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
- manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
- files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
-
-+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
-+logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
-+
-+manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-+manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-+files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir)
-+
-+kernel_read_fs_sysctls(devicekit_power_t)
- kernel_read_network_state(devicekit_power_t)
- kernel_read_system_state(devicekit_power_t)
- kernel_rw_hotplug_sysctls(devicekit_power_t)
- kernel_rw_kernel_sysctl(devicekit_power_t)
-+kernel_rw_vm_sysctls(devicekit_power_t)
- kernel_search_debugfs(devicekit_power_t)
- kernel_write_proc_files(devicekit_power_t)
-+kernel_setsched(devicekit_power_t)
-
- corecmd_exec_bin(devicekit_power_t)
- corecmd_exec_shell(devicekit_power_t)
-
--consoletype_exec(devicekit_power_t)
--
- domain_read_all_domains_state(devicekit_power_t)
-
- dev_read_input(devicekit_power_t)
-+dev_read_urand(devicekit_power_t)
- dev_rw_generic_usb_dev(devicekit_power_t)
- dev_rw_generic_chr_files(devicekit_power_t)
- dev_rw_netcontrol(devicekit_power_t)
- dev_rw_sysfs(devicekit_power_t)
-+dev_read_rand(devicekit_power_t)
-+dev_getattr_all_chr_files(devicekit_power_t)
-
- files_read_kernel_img(devicekit_power_t)
--files_read_etc_files(devicekit_power_t)
-+files_read_etc_runtime_files(devicekit_power_t)
- files_read_usr_files(devicekit_power_t)
-+files_dontaudit_list_mnt(devicekit_power_t)
-
- fs_list_inotifyfs(devicekit_power_t)
-+fs_getattr_all_fs(devicekit_power_t)
-
--term_use_all_terms(devicekit_power_t)
-+term_use_all_inherited_terms(devicekit_power_t)
-
- auth_use_nsswitch(devicekit_power_t)
-
--miscfiles_read_localization(devicekit_power_t)
-+
-+seutil_exec_setfiles(devicekit_power_t)
-
- sysnet_read_config(devicekit_power_t)
- sysnet_domtrans_ifconfig(devicekit_power_t)
-+sysnet_domtrans_dhcpc(devicekit_power_t)
-
- userdom_read_all_users_state(devicekit_power_t)
-
-@@ -235,10 +280,16 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ consoletype_exec(devicekit_power_t)
-+')
-+
-+optional_policy(`
- cron_initrc_domtrans(devicekit_power_t)
-+ cron_systemctl(devicekit_power_t)
- ')
-
- optional_policy(`
-+ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
- dbus_system_bus_client(devicekit_power_t)
-
- allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -261,14 +312,21 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gnome_manage_home_config(devicekit_power_t)
-+')
-+
-+optional_policy(`
- hal_domtrans_mac(devicekit_power_t)
-- hal_manage_log(devicekit_power_t)
- hal_manage_pid_dirs(devicekit_power_t)
- hal_manage_pid_files(devicekit_power_t)
- hal_dbus_chat(devicekit_power_t)
- ')
-
- optional_policy(`
-+ networkmanager_domtrans(devicekit_power_t)
-+')
-+
-+optional_policy(`
- policykit_dbus_chat(devicekit_power_t)
- policykit_domtrans_auth(devicekit_power_t)
- policykit_read_lib(devicekit_power_t)
-@@ -276,9 +334,31 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ modutils_domtrans_insmod(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+ mount_domtrans(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+ readahead_domtrans(devicekit_power_t)
-+')
-+
-+optional_policy(`
- udev_read_db(devicekit_power_t)
- ')
-
- optional_policy(`
-+ usbmuxd_stream_connect(devicekit_power_t)
-+')
-+
-+optional_policy(`
- vbetool_domtrans(devicekit_power_t)
- ')
-+
-+optional_policy(`
-+ corenet_tcp_connect_xserver_port(devicekit_power_t)
-+ xserver_stream_connect(devicekit_power_t)
-+')
-+
-diff --git a/dhcp.fc b/dhcp.fc
-index 767e0c7..9553bcf 100644
---- a/dhcp.fc
-+++ b/dhcp.fc
-@@ -1,8 +1,10 @@
--/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
-
- /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
-
- /var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
- /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
-
--/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
-+/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
-diff --git a/dhcp.if b/dhcp.if
-index 5e2cea8..2ab8a14 100644
---- a/dhcp.if
-+++ b/dhcp.if
-@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
- ')
-
- sysnet_search_dhcp_state($1)
-- allow $1 dhcpd_state_t:file setattr;
-+ allow $1 dhcpd_state_t:file setattr_file_perms;
- ')
-
- ########################################
-@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',`
-
- ########################################
- ##
-+## Execute dhcpd server in the dhcpd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`dhcpd_systemctl',`
-+ gen_require(`
-+ type dhcpd_unit_file_t;
-+ type dhcpd_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_search_unit_dirs($1)
-+ allow $1 dhcpd_unit_file_t:file read_file_perms;
-+ allow $1 dhcpd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, dhcpd_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an dhcp environment
- ##
-@@ -77,12 +101,16 @@ interface(`dhcpd_initrc_domtrans',`
- #
- interface(`dhcpd_admin',`
- gen_require(`
-- type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
-+ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
- type dhcpd_var_run_t, dhcpd_initrc_exec_t;
-+ type dhcpd_unit_file_t;
- ')
-
-- allow $1 dhcpd_t:process { ptrace signal_perms };
-+ allow $1 dhcpd_t:process signal_perms;
- ps_process_pattern($1, dhcpd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 dhcpd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -96,4 +124,8 @@ interface(`dhcpd_admin',`
-
- files_list_pids($1)
- admin_pattern($1, dhcpd_var_run_t)
-+
-+ dhcpd_systemctl($1)
-+ admin_pattern($1, dhcpd_unit_file_t)
-+ allow $1 dhcpd_unit_file_t:service all_service_perms;
- ')
-diff --git a/dhcp.te b/dhcp.te
-index ed07b26..bed6b0d 100644
---- a/dhcp.te
-+++ b/dhcp.te
-@@ -19,6 +19,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
- type dhcpd_initrc_exec_t;
- init_script_file(dhcpd_initrc_exec_t)
-
-+type dhcpd_unit_file_t;
-+systemd_unit_file(dhcpd_unit_file_t)
-+
- type dhcpd_state_t;
- files_type(dhcpd_state_t)
-
-@@ -33,9 +36,9 @@ files_pid_file(dhcpd_var_run_t)
- # Local policy
- #
-
--allow dhcpd_t self:capability { net_raw sys_resource };
-+allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
- dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
--allow dhcpd_t self:process signal_perms;
-+allow dhcpd_t self:process { getcap setcap signal_perms };
- allow dhcpd_t self:fifo_file rw_fifo_file_perms;
- allow dhcpd_t self:unix_dgram_socket create_socket_perms;
- allow dhcpd_t self:unix_stream_socket create_socket_perms;
-@@ -61,7 +64,6 @@ kernel_read_system_state(dhcpd_t)
- kernel_read_kernel_sysctls(dhcpd_t)
- kernel_read_network_state(dhcpd_t)
-
--corenet_all_recvfrom_unlabeled(dhcpd_t)
- corenet_all_recvfrom_netlabel(dhcpd_t)
- corenet_tcp_sendrecv_generic_if(dhcpd_t)
- corenet_udp_sendrecv_generic_if(dhcpd_t)
-@@ -80,7 +82,7 @@ corenet_tcp_connect_all_ports(dhcpd_t)
- corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
- corenet_sendrecv_pxe_server_packets(dhcpd_t)
- corenet_sendrecv_all_client_packets(dhcpd_t)
--# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan)
-+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)
- corenet_udp_bind_all_unreserved_ports(dhcpd_t)
-
- dev_read_sysfs(dhcpd_t)
-@@ -94,7 +96,6 @@ corecmd_exec_bin(dhcpd_t)
-
- domain_use_interactive_fds(dhcpd_t)
-
--files_read_etc_files(dhcpd_t)
- files_read_usr_files(dhcpd_t)
- files_read_etc_runtime_files(dhcpd_t)
- files_search_var_lib(dhcpd_t)
-@@ -103,19 +104,26 @@ auth_use_nsswitch(dhcpd_t)
-
- logging_send_syslog_msg(dhcpd_t)
-
--miscfiles_read_localization(dhcpd_t)
--
- sysnet_read_dhcp_config(dhcpd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
- userdom_dontaudit_search_user_home_dirs(dhcpd_t)
-
-+tunable_policy(`dhcpd_use_ldap',`
-+ sysnet_use_ldap(dhcpd_t)
-+')
-+
- ifdef(`distro_gentoo',`
- allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
- ')
-
--tunable_policy(`dhcpd_use_ldap',`
-- sysnet_use_ldap(dhcpd_t)
-+optional_policy(`
-+ # used for dynamic DNS
-+ bind_read_dnssec_keys(dhcpd_t)
-+')
-+
-+optional_policy(`
-+ cobbler_dontaudit_rw_log(dhcpd_t)
- ')
-
- optional_policy(`
-diff --git a/dictd.if b/dictd.if
-index a0d23ce..83a7ca5 100644
---- a/dictd.if
-+++ b/dictd.if
-@@ -38,8 +38,11 @@ interface(`dictd_admin',`
- type dictd_var_run_t, dictd_initrc_exec_t;
- ')
-
-- allow $1 dictd_t:process { ptrace signal_perms };
-+ allow $1 dictd_t:process signal_perms;
- ps_process_pattern($1, dictd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 dictd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, dictd_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/dictd.te b/dictd.te
-index d2d9359..b14ece6 100644
---- a/dictd.te
-+++ b/dictd.te
-@@ -45,7 +45,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file)
- kernel_read_system_state(dictd_t)
- kernel_read_kernel_sysctls(dictd_t)
-
--corenet_all_recvfrom_unlabeled(dictd_t)
- corenet_all_recvfrom_netlabel(dictd_t)
- corenet_tcp_sendrecv_generic_if(dictd_t)
- corenet_raw_sendrecv_generic_if(dictd_t)
-@@ -66,30 +65,19 @@ fs_search_auto_mountpoints(dictd_t)
-
- domain_use_interactive_fds(dictd_t)
-
--files_read_etc_files(dictd_t)
- files_read_etc_runtime_files(dictd_t)
- files_read_usr_files(dictd_t)
- files_search_var_lib(dictd_t)
- # for checking for nscd
- files_dontaudit_search_pids(dictd_t)
-
--logging_send_syslog_msg(dictd_t)
--
--miscfiles_read_localization(dictd_t)
-+auth_use_nsswitch(dictd_t)
-
--sysnet_read_config(dictd_t)
-+logging_send_syslog_msg(dictd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(dictd_t)
-
- optional_policy(`
-- nis_use_ypbind(dictd_t)
--')
--
--optional_policy(`
-- nscd_socket_use(dictd_t)
--')
--
--optional_policy(`
- seutil_sigchld_newrole(dictd_t)
- ')
-
-diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
-new file mode 100644
-index 0000000..fdf5675
---- /dev/null
-+++ b/dirsrv-admin.fc
-@@ -0,0 +1,15 @@
-+/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
-+
-+/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
-+
-+/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
-+/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
-+/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
-+
-+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
-+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
-+
-+/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
-+/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
-+
-+/var/lock/subsys/dirsrv -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
-diff --git a/dirsrv-admin.if b/dirsrv-admin.if
-new file mode 100644
-index 0000000..332a1c9
---- /dev/null
-+++ b/dirsrv-admin.if
-@@ -0,0 +1,134 @@
-+## Administration Server for Directory Server, dirsrv-admin.
-+
-+########################################
-+##
-+## Exec dirsrv-admin programs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrvadmin_run_exec',`
-+ gen_require(`
-+ type dirsrvadmin_exec_t;
-+ ')
-+
-+ allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
-+ can_exec($1, dirsrvadmin_exec_t)
-+')
-+
-+########################################
-+##
-+## Exec cgi programs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrvadmin_run_httpd_script_exec',`
-+ gen_require(`
-+ type httpd_dirsrvadmin_script_exec_t;
-+ ')
-+
-+ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
-+ can_exec($1, httpd_dirsrvadmin_script_exec_t)
-+')
-+
-+########################################
-+##
-+## Manage dirsrv-adminserver configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrvadmin_read_config',`
-+ gen_require(`
-+ type dirsrvadmin_config_t;
-+ ')
-+
-+ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
-+')
-+
-+########################################
-+##
-+## Manage dirsrv-adminserver configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrvadmin_manage_config',`
-+ gen_require(`
-+ type dirsrvadmin_config_t;
-+ ')
-+
-+ allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
-+ allow $1 dirsrvadmin_config_t:file manage_file_perms;
-+')
-+
-+#######################################
-+##
-+## Read dirsrv-adminserver tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrvadmin_read_tmp',`
-+ gen_require(`
-+ type dirsrvadmin_tmp_t;
-+ ')
-+
-+ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+')
-+
-+########################################
-+##
-+## Manage dirsrv-adminserver tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrvadmin_manage_tmp',`
-+ gen_require(`
-+ type dirsrvadmin_tmp_t;
-+ ')
-+
-+ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+')
-+
-+#######################################
-+##
-+## Execute admin cgi programs in caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrvadmin_domtrans_unconfined_script_t',`
-+ gen_require(`
-+ type dirsrvadmin_unconfined_script_t;
-+ type dirsrvadmin_unconfined_script_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
-+ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
-+
-+')
-diff --git a/dirsrv-admin.te b/dirsrv-admin.te
-new file mode 100644
-index 0000000..a3d076f
---- /dev/null
-+++ b/dirsrv-admin.te
-@@ -0,0 +1,144 @@
-+policy_module(dirsrv-admin,1.0.0)
-+
-+########################################
-+#
-+# Declarations for the daemon
-+#
-+
-+type dirsrvadmin_t;
-+type dirsrvadmin_exec_t;
-+init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
-+role system_r types dirsrvadmin_t;
-+
-+type dirsrvadmin_config_t;
-+files_type(dirsrvadmin_config_t)
-+
-+type dirsrvadmin_lock_t;
-+files_lock_file(dirsrvadmin_lock_t)
-+
-+type dirsrvadmin_tmp_t;
-+files_tmp_file(dirsrvadmin_tmp_t)
-+
-+type dirsrvadmin_unconfined_script_t;
-+type dirsrvadmin_unconfined_script_exec_t;
-+domain_type(dirsrvadmin_unconfined_script_t)
-+domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t)
-+corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t)
-+role system_r types dirsrvadmin_unconfined_script_t;
-+
-+########################################
-+#
-+# Local policy for the daemon
-+#
-+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
-+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
-+allow dirsrvadmin_t self:process setrlimit;
-+
-+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
-+
-+kernel_read_system_state(dirsrvadmin_t)
-+
-+corecmd_exec_bin(dirsrvadmin_t)
-+corecmd_read_bin_symlinks(dirsrvadmin_t)
-+corecmd_search_bin(dirsrvadmin_t)
-+corecmd_shell_entry_type(dirsrvadmin_t)
-+
-+files_exec_etc_files(dirsrvadmin_t)
-+
-+libs_exec_ld_so(dirsrvadmin_t)
-+
-+logging_search_logs(dirsrvadmin_t)
-+
-+
-+# Needed for stop and restart scripts
-+dirsrv_read_var_run(dirsrvadmin_t)
-+
-+optional_policy(`
-+ apache_domtrans(dirsrvadmin_t)
-+ apache_signal(dirsrvadmin_t)
-+')
-+
-+########################################
-+#
-+# Local policy for the CGIs
-+#
-+#
-+#
-+# Create a domain for the CGI scripts
-+
-+optional_policy(`
-+ apache_content_template(dirsrvadmin)
-+
-+ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
-+ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
-+ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
-+ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
-+ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
-+ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
-+ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
-+
-+
-+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
-+ files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
-+
-+ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
-+
-+ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
-+ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
-+ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
-+ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
-+
-+ files_search_var_lib(httpd_dirsrvadmin_script_t)
-+
-+ sysnet_read_config(httpd_dirsrvadmin_script_t)
-+
-+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
-+
-+ optional_policy(`
-+ # The CGI scripts must be able to manage dirsrv-admin
-+ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
-+ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
-+ dirsrv_domtrans(httpd_dirsrvadmin_script_t)
-+ dirsrv_signal(httpd_dirsrvadmin_script_t)
-+ dirsrv_signull(httpd_dirsrvadmin_script_t)
-+ dirsrv_manage_log(httpd_dirsrvadmin_script_t)
-+ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
-+ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
-+ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
-+ dirsrv_manage_config(httpd_dirsrvadmin_script_t)
-+ dirsrv_read_share(httpd_dirsrvadmin_script_t)
-+ ')
-+')
-+
-+#######################################
-+#
-+# Local policy for the admin CGIs
-+#
-+#
-+
-+
-+manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir })
-+
-+# needed because of filetrans rules
-+dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t)
-+dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t)
-+dirsrv_domtrans(dirsrvadmin_unconfined_script_t)
-+dirsrv_signal(dirsrvadmin_unconfined_script_t)
-+dirsrv_signull(dirsrvadmin_unconfined_script_t)
-+dirsrv_manage_log(dirsrvadmin_unconfined_script_t)
-+dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t)
-+dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t)
-+dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t)
-+dirsrv_manage_config(dirsrvadmin_unconfined_script_t)
-+dirsrv_read_share(dirsrvadmin_unconfined_script_t)
-+
-+optional_policy(`
-+ unconfined_domain(dirsrvadmin_unconfined_script_t)
-+')
-+
-diff --git a/dirsrv.fc b/dirsrv.fc
-new file mode 100644
-index 0000000..0ea1ebb
---- /dev/null
-+++ b/dirsrv.fc
-@@ -0,0 +1,23 @@
-+/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
-+
-+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
-+/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
-+/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+
-+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0)
-+
-+/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
-+/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
-+
-+# BZ:
-+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
-+
-+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
-+
-+/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
-+
-+/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0)
-+
-+/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
-diff --git a/dirsrv.if b/dirsrv.if
-new file mode 100644
-index 0000000..b214253
---- /dev/null
-+++ b/dirsrv.if
-@@ -0,0 +1,208 @@
-+## policy for dirsrv
-+
-+########################################
-+##
-+## Execute a domain transition to run dirsrv.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`dirsrv_domtrans',`
-+ gen_require(`
-+ type dirsrv_t, dirsrv_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
-+')
-+
-+
-+########################################
-+##
-+## Allow caller to signal dirsrv.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrv_signal',`
-+ gen_require(`
-+ type dirsrv_t;
-+ ')
-+
-+ allow $1 dirsrv_t:process signal;
-+')
-+
-+
-+########################################
-+##
-+## Send a null signal to dirsrv.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrv_signull',`
-+ gen_require(`
-+ type dirsrv_t;
-+ ')
-+
-+ allow $1 dirsrv_t:process signull;
-+')
-+
-+#######################################
-+##
-+## Allow a domain to manage dirsrv logs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrv_manage_log',`
-+ gen_require(`
-+ type dirsrv_var_log_t;
-+ ')
-+
-+ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
-+ allow $1 dirsrv_var_log_t:file manage_file_perms;
-+ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
-+')
-+
-+#######################################
-+##
-+## Allow a domain to manage dirsrv /var/lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrv_manage_var_lib',`
-+ gen_require(`
-+ type dirsrv_var_lib_t;
-+ ')
-+ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
-+ allow $1 dirsrv_var_lib_t:file manage_file_perms;
-+')
-+
-+########################################
-+##
-+## Connect to dirsrv over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrv_stream_connect',`
-+ gen_require(`
-+ type dirsrv_t, dirsrv_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
-+')
-+
-+#######################################
-+##
-+## Allow a domain to manage dirsrv /var/run files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrv_manage_var_run',`
-+ gen_require(`
-+ type dirsrv_var_run_t;
-+ ')
-+ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
-+ allow $1 dirsrv_var_run_t:file manage_file_perms;
-+ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
-+')
-+
-+######################################
-+##
-+## Allow a domain to create dirsrv pid directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrv_pid_filetrans',`
-+ gen_require(`
-+ type dirsrv_var_run_t;
-+ ')
-+ # Allow creating a dir in /var/run with this type
-+ files_pid_filetrans($1, dirsrv_var_run_t, dir)
-+')
-+
-+#######################################
-+##
-+## Allow a domain to read dirsrv /var/run files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrv_read_var_run',`
-+ gen_require(`
-+ type dirsrv_var_run_t;
-+ ')
-+ allow $1 dirsrv_var_run_t:dir list_dir_perms;
-+ allow $1 dirsrv_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Manage dirsrv configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrv_manage_config',`
-+ gen_require(`
-+ type dirsrv_config_t;
-+ ')
-+
-+ allow $1 dirsrv_config_t:dir manage_dir_perms;
-+ allow $1 dirsrv_config_t:file manage_file_perms;
-+')
-+
-+########################################
-+##
-+## Read dirsrv share files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dirsrv_read_share',`
-+ gen_require(`
-+ type dirsrv_share_t;
-+ ')
-+
-+ allow $1 dirsrv_share_t:dir list_dir_perms;
-+ allow $1 dirsrv_share_t:file read_file_perms;
-+ allow $1 dirsrv_share_t:lnk_file read;
-+')
-diff --git a/dirsrv.te b/dirsrv.te
-new file mode 100644
-index 0000000..7f0b4f6
---- /dev/null
-+++ b/dirsrv.te
-@@ -0,0 +1,193 @@
-+policy_module(dirsrv,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+# main daemon
-+type dirsrv_t;
-+type dirsrv_exec_t;
-+domain_type(dirsrv_t)
-+init_daemon_domain(dirsrv_t, dirsrv_exec_t)
-+
-+type dirsrv_snmp_t;
-+type dirsrv_snmp_exec_t;
-+domain_type(dirsrv_snmp_t)
-+init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
-+
-+type dirsrv_var_lib_t;
-+files_type(dirsrv_var_lib_t)
-+
-+type dirsrv_var_log_t;
-+logging_log_file(dirsrv_var_log_t)
-+
-+type dirsrv_snmp_var_log_t;
-+logging_log_file(dirsrv_snmp_var_log_t)
-+
-+type dirsrv_var_run_t;
-+files_pid_file(dirsrv_var_run_t)
-+
-+type dirsrv_snmp_var_run_t;
-+files_pid_file(dirsrv_snmp_var_run_t)
-+
-+type dirsrv_var_lock_t;
-+files_lock_file(dirsrv_var_lock_t)
-+
-+type dirsrv_config_t;
-+files_type(dirsrv_config_t)
-+
-+type dirsrv_tmp_t;
-+files_tmp_file(dirsrv_tmp_t)
-+
-+type dirsrv_tmpfs_t;
-+files_tmpfs_file(dirsrv_tmpfs_t)
-+
-+type dirsrv_share_t;
-+files_type(dirsrv_share_t);
-+
-+########################################
-+#
-+# dirsrv local policy
-+#
-+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
-+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
-+allow dirsrv_t self:fifo_file manage_fifo_file_perms;
-+allow dirsrv_t self:sem create_sem_perms;
-+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
-+
-+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
-+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
-+
-+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
-+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
-+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
-+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
-+
-+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
-+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
-+manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
-+allow dirsrv_t dirsrv_var_log_t:dir { setattr };
-+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
-+
-+manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
-+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
-+manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
-+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
-+
-+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
-+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
-+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file)
-+files_setattr_lock_dirs(dirsrv_t)
-+
-+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
-+manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
-+manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
-+
-+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
-+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
-+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
-+allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
-+
-+kernel_read_system_state(dirsrv_t)
-+kernel_read_kernel_sysctls(dirsrv_t)
-+
-+corecmd_search_bin(dirsrv_t)
-+
-+corenet_all_recvfrom_netlabel(dirsrv_t)
-+corenet_tcp_sendrecv_generic_if(dirsrv_t)
-+corenet_tcp_sendrecv_generic_node(dirsrv_t)
-+corenet_tcp_sendrecv_all_ports(dirsrv_t)
-+corenet_tcp_bind_generic_node(dirsrv_t)
-+corenet_tcp_bind_ldap_port(dirsrv_t)
-+corenet_tcp_bind_dogtag_port(dirsrv_t)
-+corenet_tcp_bind_all_rpc_ports(dirsrv_t)
-+corenet_udp_bind_all_rpc_ports(dirsrv_t)
-+corenet_tcp_connect_all_ports(dirsrv_t)
-+corenet_sendrecv_ldap_server_packets(dirsrv_t)
-+corenet_sendrecv_all_client_packets(dirsrv_t)
-+
-+dev_read_sysfs(dirsrv_t)
-+dev_read_urand(dirsrv_t)
-+
-+files_read_etc_files(dirsrv_t)
-+files_read_usr_symlinks(dirsrv_t)
-+
-+fs_getattr_all_fs(dirsrv_t)
-+
-+auth_use_pam(dirsrv_t)
-+
-+logging_send_syslog_msg(dirsrv_t)
-+
-+sysnet_dns_name_resolve(dirsrv_t)
-+
-+optional_policy(`
-+ apache_dontaudit_leaks(dirsrv_t)
-+')
-+
-+optional_policy(`
-+ dirsrvadmin_read_tmp(dirsrv_t)
-+')
-+
-+
-+optional_policy(`
-+ kerberos_use(dirsrv_t)
-+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
-+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
-+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
-+')
-+
-+# FIPS mode
-+optional_policy(`
-+ prelink_exec(dirsrv_t)
-+')
-+
-+optional_policy(`
-+ rpcbind_stream_connect(dirsrv_t)
-+')
-+
-+########################################
-+#
-+# dirsrv-snmp local policy
-+#
-+allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
-+allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
-+
-+rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
-+
-+read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
-+
-+read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
-+
-+manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
-+files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
-+search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
-+
-+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
-+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
-+
-+corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
-+
-+dev_read_rand(dirsrv_snmp_t)
-+dev_read_urand(dirsrv_snmp_t)
-+
-+domain_use_interactive_fds(dirsrv_snmp_t)
-+
-+#files_manage_var_files(dirsrv_snmp_t)
-+files_read_etc_files(dirsrv_snmp_t)
-+files_read_usr_files(dirsrv_snmp_t)
-+
-+fs_getattr_tmpfs(dirsrv_snmp_t)
-+fs_search_tmpfs(dirsrv_snmp_t)
-+
-+
-+sysnet_read_config(dirsrv_snmp_t)
-+sysnet_dns_name_resolve(dirsrv_snmp_t)
-+
-+optional_policy(`
-+ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
-+ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
-+ snmp_manage_var_lib_dirs(dirsrv_snmp_t)
-+ snmp_manage_var_lib_files(dirsrv_snmp_t)
-+ snmp_stream_connect(dirsrv_snmp_t)
-+')
-diff --git a/distcc.te b/distcc.te
-index 54d93e8..16d2e18 100644
---- a/distcc.te
-+++ b/distcc.te
-@@ -44,7 +44,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file)
- kernel_read_system_state(distccd_t)
- kernel_read_kernel_sysctls(distccd_t)
-
--corenet_all_recvfrom_unlabeled(distccd_t)
- corenet_all_recvfrom_netlabel(distccd_t)
- corenet_tcp_sendrecv_generic_if(distccd_t)
- corenet_udp_sendrecv_generic_if(distccd_t)
-@@ -73,8 +72,6 @@ libs_exec_lib_files(distccd_t)
-
- logging_send_syslog_msg(distccd_t)
-
--miscfiles_read_localization(distccd_t)
--
- sysnet_read_config(distccd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(distccd_t)
-diff --git a/djbdns.if b/djbdns.if
-index ade3079..41a21f1 100644
---- a/djbdns.if
-+++ b/djbdns.if
-@@ -34,7 +34,6 @@ template(`djbdns_daemontools_domain_template',`
- allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
- allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
-
-- corenet_all_recvfrom_unlabeled(djbdns_$1_t)
- corenet_all_recvfrom_netlabel(djbdns_$1_t)
- corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
- corenet_udp_sendrecv_generic_if(djbdns_$1_t)
-diff --git a/djbdns.te b/djbdns.te
-index 03b5286..62fbae1 100644
---- a/djbdns.te
-+++ b/djbdns.te
-@@ -39,6 +39,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
-
- files_search_var(djbdns_axfrdns_t)
-
-+daemontools_ipc_domain(djbdns_axfrdns_t)
-+daemontools_read_svc(djbdns_axfrdns_t)
-+
- ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
-
- ########################################
-diff --git a/dkim.fc b/dkim.fc
-index bf4321a..1820764 100644
---- a/dkim.fc
-+++ b/dkim.fc
-@@ -9,6 +9,7 @@
- /var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
- /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
- /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
-+
- /var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-
- /var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-diff --git a/dmidecode.te b/dmidecode.te
-index d6356b5..5db989e 100644
---- a/dmidecode.te
-+++ b/dmidecode.te
-@@ -27,4 +27,4 @@ files_list_usr(dmidecode_t)
-
- locallogin_use_fds(dmidecode_t)
-
--userdom_use_user_terminals(dmidecode_t)
-+userdom_use_inherited_user_terminals(dmidecode_t)
-diff --git a/dnsmasq.fc b/dnsmasq.fc
-index b886676..fb3b2d6 100644
---- a/dnsmasq.fc
-+++ b/dnsmasq.fc
-@@ -1,12 +1,14 @@
- /etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
- /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
-+
- /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
-
- /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
- /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
-
--/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
-+/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
-
--/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
-+/var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
- /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
-diff --git a/dnsmasq.if b/dnsmasq.if
-index 9bd812b..53f895e 100644
---- a/dnsmasq.if
-+++ b/dnsmasq.if
-@@ -10,7 +10,6 @@
- ##
- ##
- #
--#
- interface(`dnsmasq_domtrans',`
- gen_require(`
- type dnsmasq_exec_t, dnsmasq_t;
-@@ -20,6 +19,24 @@ interface(`dnsmasq_domtrans',`
- domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
- ')
-
-+#######################################
-+##
-+## Execute dnsmasq server in the caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`dnsmasq_exec',`
-+ gen_require(`
-+ type dnsmasq_exec_t;
-+ ')
-+
-+ can_exec($1, dnsmasq_exec_t)
-+')
-+
- ########################################
- ##
- ## Execute the dnsmasq init script in the init script domain.
-@@ -41,6 +58,29 @@ interface(`dnsmasq_initrc_domtrans',`
-
- ########################################
- ##
-+## Execute dnsmasq server in the dnsmasq domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`dnsmasq_systemctl',`
-+ gen_require(`
-+ type dnsmasq_unit_file_t;
-+ type dnsmasq_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 dnsmasq_unit_file_t:file read_file_perms;
-+ allow $1 dnsmasq_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, dnsmasq_t)
-+')
-+
-+########################################
-+##
- ## Send dnsmasq a signal
- ##
- ##
-@@ -144,18 +184,18 @@ interface(`dnsmasq_write_config',`
- ##
- ##
- #
--#
- interface(`dnsmasq_delete_pid_files',`
- gen_require(`
- type dnsmasq_var_run_t;
- ')
-
-+ files_search_pids($1)
- delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
- ')
-
- ########################################
- ##
--## Read dnsmasq pid files
-+## Manage dnsmasq pid files
- ##
- ##
- ##
-@@ -163,17 +203,99 @@ interface(`dnsmasq_delete_pid_files',`
- ##
- ##
- #
-+interface(`dnsmasq_manage_pid_files',`
-+ gen_require(`
-+ type dnsmasq_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
-+')
-+
-+########################################
-+##
-+## Read dnsmasq pid files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
- #
- interface(`dnsmasq_read_pid_files',`
- gen_require(`
- type dnsmasq_var_run_t;
- ')
-
-+ files_search_pids($1)
- read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
- ')
-
- ########################################
- ##
-+## Create dnsmasq pid dirs
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dnsmasq_create_pid_dirs',`
-+ gen_require(`
-+ type dnsmasq_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ create_dirs_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
-+')
-+
-+########################################
-+##
-+## Transition to dnsmasq named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the directory for the object to be created.
-+##
-+##
-+#
-+interface(`dnsmasq_filetrans_named_content_fromdir',`
-+ gen_require(`
-+ type dnsmasq_var_run_t;
-+ ')
-+
-+ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
-+ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
-+')
-+
-+########################################
-+##
-+## Transition to dnsmasq named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dnsmasq_filetrans_named_content',`
-+ gen_require(`
-+ type dnsmasq_var_run_t;
-+ ')
-+
-+ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
-+ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
-+ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an dnsmasq environment
- ##
-@@ -193,10 +315,14 @@ interface(`dnsmasq_admin',`
- gen_require(`
- type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
- type dnsmasq_initrc_exec_t;
-+ type dnsmasq_unit_file_t;
- ')
-
-- allow $1 dnsmasq_t:process { ptrace signal_perms };
-+ allow $1 dnsmasq_t:process signal_perms;
- ps_process_pattern($1, dnsmasq_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 dnsmasq_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -208,4 +334,8 @@ interface(`dnsmasq_admin',`
-
- files_list_pids($1)
- admin_pattern($1, dnsmasq_var_run_t)
-+
-+ dnsmasq_systemctl($1)
-+ admin_pattern($1, dnsmasq_unit_file_t)
-+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
- ')
-diff --git a/dnsmasq.te b/dnsmasq.te
-index fdaeeba..a29af29 100644
---- a/dnsmasq.te
-+++ b/dnsmasq.te
-@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
- type dnsmasq_var_run_t;
- files_pid_file(dnsmasq_var_run_t)
-
-+type dnsmasq_unit_file_t;
-+systemd_unit_file(dnsmasq_unit_file_t)
-+
- ########################################
- #
- # Local policy
-@@ -48,13 +51,15 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
- manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
- logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
-
-+manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
- manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
--files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
-+files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
-
- kernel_read_kernel_sysctls(dnsmasq_t)
- kernel_read_system_state(dnsmasq_t)
-+kernel_read_network_state(dnsmasq_t)
-+kernel_request_load_module(dnsmasq_t)
-
--corenet_all_recvfrom_unlabeled(dnsmasq_t)
- corenet_all_recvfrom_netlabel(dnsmasq_t)
- corenet_tcp_sendrecv_generic_if(dnsmasq_t)
- corenet_udp_sendrecv_generic_if(dnsmasq_t)
-@@ -76,7 +81,6 @@ dev_read_urand(dnsmasq_t)
-
- domain_use_interactive_fds(dnsmasq_t)
-
--files_read_etc_files(dnsmasq_t)
- files_read_etc_runtime_files(dnsmasq_t)
-
- fs_getattr_all_fs(dnsmasq_t)
-@@ -86,8 +90,6 @@ auth_use_nsswitch(dnsmasq_t)
-
- logging_send_syslog_msg(dnsmasq_t)
-
--miscfiles_read_localization(dnsmasq_t)
--
- userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
- userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-
-@@ -96,7 +98,21 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ cron_manage_pid_files(dnsmasq_t)
-+')
-+
-+optional_policy(`
- dbus_system_bus_client(dnsmasq_t)
-+ dbus_connect_system_bus(dnsmasq_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_read_conf(dnsmasq_t)
-+ networkmanager_read_pid_files(dnsmasq_t)
-+')
-+
-+optional_policy(`
-+ ppp_read_pid_files(dnsmasq_t)
- ')
-
- optional_policy(`
-@@ -113,5 +129,7 @@ optional_policy(`
-
- optional_policy(`
- virt_manage_lib_files(dnsmasq_t)
-+ virt_read_lib_files(dnsmasq_t)
- virt_read_pid_files(dnsmasq_t)
-+ virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
- ')
-diff --git a/dnssec.fc b/dnssec.fc
-new file mode 100644
-index 0000000..9e231a8
---- /dev/null
-+++ b/dnssec.fc
-@@ -0,0 +1,3 @@
-+/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
-+
-+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
-diff --git a/dnssec.if b/dnssec.if
-new file mode 100644
-index 0000000..a952041
---- /dev/null
-+++ b/dnssec.if
-@@ -0,0 +1,64 @@
-+
-+## policy for dnssec_trigger
-+
-+########################################
-+##
-+## Transition to dnssec_trigger.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`dnssec_trigger_domtrans',`
-+ gen_require(`
-+ type dnssec_trigger_t, dnssec_trigger_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t)
-+')
-+########################################
-+##
-+## Read dnssec_trigger PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dnssec_trigger_read_pid_files',`
-+ gen_require(`
-+ type dnssec_trigger_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 dnssec_trigger_var_run_t:file read_file_perms;
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an dnssec_trigger environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dnssec_trigger_admin',`
-+ gen_require(`
-+ type dnssec_trigger_t;
-+ type dnssec_trigger_var_run_t;
-+ ')
-+
-+ allow $1 dnssec_trigger_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, dnssec_trigger_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, dnssec_trigger_var_run_t)
-+')
-diff --git a/dnssec.te b/dnssec.te
-new file mode 100644
-index 0000000..25daf6c
---- /dev/null
-+++ b/dnssec.te
-@@ -0,0 +1,59 @@
-+policy_module(dnssec, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type dnssec_trigger_t;
-+type dnssec_trigger_exec_t;
-+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
-+
-+type dnssec_trigger_var_run_t;
-+files_pid_file(dnssec_trigger_var_run_t)
-+
-+########################################
-+#
-+# dnssec_trigger local policy
-+#
-+allow dnssec_trigger_t self:capability linux_immutable;
-+allow dnssec_trigger_t self:process signal;
-+allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
-+allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
-+allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms;
-+allow dnssec_trigger_t self:udp_socket create_socket_perms;
-+
-+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
-+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
-+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file })
-+
-+kernel_read_system_state(dnssec_trigger_t)
-+
-+corecmd_exec_bin(dnssec_trigger_t)
-+corecmd_exec_shell(dnssec_trigger_t)
-+
-+corenet_tcp_bind_generic_node(dnssec_trigger_t)
-+corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
-+corenet_tcp_connect_rndc_port(dnssec_trigger_t)
-+corenet_tcp_connect_http_port(dnssec_trigger_t)
-+
-+dev_read_urand(dnssec_trigger_t)
-+
-+domain_use_interactive_fds(dnssec_trigger_t)
-+
-+files_read_etc_runtime_files(dnssec_trigger_t)
-+files_read_etc_files(dnssec_trigger_t)
-+
-+logging_send_syslog_msg(dnssec_trigger_t)
-+
-+auth_read_passwd(dnssec_trigger_t)
-+
-+sysnet_dns_name_resolve(dnssec_trigger_t)
-+sysnet_manage_config(dnssec_trigger_t)
-+
-+optional_policy(`
-+ bind_read_config(dnssec_trigger_t)
-+ bind_read_dnssec_keys(dnssec_trigger_t)
-+')
-+
-+
-diff --git a/dovecot.fc b/dovecot.fc
-index 3a3ecb2..4448055 100644
---- a/dovecot.fc
-+++ b/dovecot.fc
-@@ -2,7 +2,7 @@
- #
- # /etc
- #
--/etc/dovecot(/.*)?* gen_context(system_u:object_r:dovecot_etc_t,s0)
-+/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
- /etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
- /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
-
-@@ -24,12 +24,13 @@ ifdef(`distro_debian',`
-
- ifdef(`distro_debian', `
- /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
- ')
-
- ifdef(`distro_redhat', `
- /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
- /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
--/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-+/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
- /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
- ')
-
-@@ -37,6 +38,7 @@ ifdef(`distro_redhat', `
- # /var
- #
- /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
-+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
-
- /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
-
-diff --git a/dovecot.if b/dovecot.if
-index e1d7dc5..66d42bb 100644
---- a/dovecot.if
-+++ b/dovecot.if
-@@ -1,5 +1,46 @@
- ## Dovecot POP and IMAP mail server
-
-+######################################
-+##
-+## Creates types and rules for a basic
-+## dovecot daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`dovecot_basic_types_template',`
-+ gen_require(`
-+ attribute dovecot_domain;
-+ ')
-+
-+ type $1_t, dovecot_domain;
-+ type $1_exec_t;
-+
-+ kernel_read_system_state($1_t)
-+')
-+
-+#######################################
-+##
-+## Connect to dovecot unix domain stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dovecot_stream_connect',`
-+ gen_require(`
-+ type dovecot_t, dovecot_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
-+')
-+
- ########################################
- ##
- ## Connect to dovecot auth unix domain stream socket.
-@@ -16,6 +57,7 @@ interface(`dovecot_stream_connect_auth',`
- type dovecot_auth_t, dovecot_var_run_t;
- ')
-
-+ files_search_pids($1)
- stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
- ')
-
-@@ -52,6 +94,7 @@ interface(`dovecot_manage_spool',`
- type dovecot_spool_t;
- ')
-
-+ files_search_spool($1)
- manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
- manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
- ')
-@@ -74,6 +117,25 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
- dontaudit $1 dovecot_var_lib_t:file unlink;
- ')
-
-+######################################
-+##
-+## Allow attempts to write inherited
-+## dovecot tmp files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dovecot_write_inherited_tmp_files',`
-+ gen_require(`
-+ type dovecot_tmp_t;
-+ ')
-+
-+ allow $1 dovecot_tmp_t:file write;
-+')
-+
- ########################################
- ##
- ## All of the rules required to administrate
-@@ -93,16 +155,17 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
- #
- interface(`dovecot_admin',`
- gen_require(`
-- type dovecot_t, dovecot_etc_t, dovecot_log_t;
-- type dovecot_spool_t, dovecot_var_lib_t;
-- type dovecot_var_run_t;
--
-- type dovecot_cert_t, dovecot_passwd_t;
-- type dovecot_initrc_exec_t;
-+ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
-+ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
-+ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
-+ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
- ')
-
-- allow $1 dovecot_t:process { ptrace signal_perms };
-+ allow $1 dovecot_t:process signal_perms;
- ps_process_pattern($1, dovecot_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 dovecot_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -112,8 +175,11 @@ interface(`dovecot_admin',`
- files_list_etc($1)
- admin_pattern($1, dovecot_etc_t)
-
-- logging_list_logs($1)
-- admin_pattern($1, dovecot_log_t)
-+ files_list_tmp($1)
-+ admin_pattern($1, dovecot_auth_tmp_t)
-+ admin_pattern($1, dovecot_tmp_t)
-+
-+ admin_pattern($1, dovecot_keytab_t)
-
- files_list_spool($1)
- admin_pattern($1, dovecot_spool_t)
-@@ -121,6 +187,9 @@ interface(`dovecot_admin',`
- files_list_var_lib($1)
- admin_pattern($1, dovecot_var_lib_t)
-
-+ logging_search_logs($1)
-+ admin_pattern($1, dovecot_var_log_t)
-+
- files_list_pids($1)
- admin_pattern($1, dovecot_var_run_t)
-
-diff --git a/dovecot.te b/dovecot.te
-index 2df7766..d4e008b 100644
---- a/dovecot.te
-+++ b/dovecot.te
-@@ -4,12 +4,12 @@ policy_module(dovecot, 1.14.0)
- #
- # Declarations
- #
--type dovecot_t;
--type dovecot_exec_t;
-+attribute dovecot_domain;
-+
-+dovecot_basic_types_template(dovecot)
- init_daemon_domain(dovecot_t, dovecot_exec_t)
-
--type dovecot_auth_t;
--type dovecot_auth_exec_t;
-+dovecot_basic_types_template(dovecot_auth)
- domain_type(dovecot_auth_t)
- domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
- role system_r types dovecot_auth_t;
-@@ -18,14 +18,16 @@ type dovecot_auth_tmp_t;
- files_tmp_file(dovecot_auth_tmp_t)
-
- type dovecot_cert_t;
--files_type(dovecot_cert_t)
-+miscfiles_cert_type(dovecot_cert_t)
-
--type dovecot_deliver_t;
--type dovecot_deliver_exec_t;
-+dovecot_basic_types_template(dovecot_deliver)
- domain_type(dovecot_deliver_t)
- domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
- role system_r types dovecot_deliver_t;
-
-+type dovecot_deliver_tmp_t;
-+files_tmp_file(dovecot_deliver_tmp_t)
-+
- type dovecot_etc_t;
- files_config_file(dovecot_etc_t)
-
-@@ -36,7 +38,7 @@ type dovecot_passwd_t;
- files_type(dovecot_passwd_t)
-
- type dovecot_spool_t;
--files_type(dovecot_spool_t)
-+files_spool_file(dovecot_spool_t)
-
- type dovecot_tmp_t;
- files_tmp_file(dovecot_tmp_t)
-@@ -51,17 +53,37 @@ logging_log_file(dovecot_var_log_t)
- type dovecot_var_run_t;
- files_pid_file(dovecot_var_run_t)
-
-+#######################################
-+#
-+# dovecot domain local policy
-+#
-+
-+allow dovecot_domain self:capability2 block_suspend;
-+
-+allow dovecot_domain self:unix_dgram_socket create_socket_perms;
-+allow dovecot_domain self:fifo_file rw_fifo_file_perms;
-+
-+kernel_read_all_sysctls(dovecot_domain)
-+
-+corecmd_exec_bin(dovecot_domain)
-+corecmd_exec_shell(dovecot_domain)
-+
-+dev_read_sysfs(dovecot_domain)
-+dev_read_rand(dovecot_domain)
-+dev_read_urand(dovecot_domain)
-+
-+# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
-+files_read_etc_runtime_files(dovecot_domain)
-+
- ########################################
- #
- # dovecot local policy
- #
-
--allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
-+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
- dontaudit dovecot_t self:capability sys_tty_config;
--allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
--allow dovecot_t self:fifo_file rw_fifo_file_perms;
-+allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
- allow dovecot_t self:tcp_socket create_stream_socket_perms;
--allow dovecot_t self:unix_dgram_socket create_socket_perms;
- allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
- domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
-@@ -72,7 +94,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
- read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
- read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
-
--allow dovecot_t dovecot_etc_t:file read_file_perms;
-+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
-+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
-+read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
- files_search_etc(dovecot_t)
-
- can_exec(dovecot_t, dovecot_exec_t)
-@@ -94,15 +118,13 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
- manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
- manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
-
-+manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
- manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
- manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
- manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
--files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
--
--kernel_read_kernel_sysctls(dovecot_t)
--kernel_read_system_state(dovecot_t)
-+manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
-
--corenet_all_recvfrom_unlabeled(dovecot_t)
- corenet_all_recvfrom_netlabel(dovecot_t)
- corenet_tcp_sendrecv_generic_if(dovecot_t)
- corenet_tcp_sendrecv_generic_node(dovecot_t)
-@@ -110,41 +132,36 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
- corenet_tcp_bind_generic_node(dovecot_t)
- corenet_tcp_bind_mail_port(dovecot_t)
- corenet_tcp_bind_pop_port(dovecot_t)
-+corenet_tcp_bind_lmtp_port(dovecot_t)
- corenet_tcp_bind_sieve_port(dovecot_t)
- corenet_tcp_connect_all_ports(dovecot_t)
- corenet_tcp_connect_postgresql_port(dovecot_t)
- corenet_sendrecv_pop_server_packets(dovecot_t)
- corenet_sendrecv_all_client_packets(dovecot_t)
-
--dev_read_sysfs(dovecot_t)
--dev_read_urand(dovecot_t)
--
- fs_getattr_all_fs(dovecot_t)
- fs_getattr_all_dirs(dovecot_t)
- fs_search_auto_mountpoints(dovecot_t)
- fs_list_inotifyfs(dovecot_t)
-
--corecmd_exec_bin(dovecot_t)
--
- domain_use_interactive_fds(dovecot_t)
-
--files_read_etc_files(dovecot_t)
- files_search_spool(dovecot_t)
- files_search_tmp(dovecot_t)
- files_dontaudit_list_default(dovecot_t)
--# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
--files_read_etc_runtime_files(dovecot_t)
-+files_dontaudit_search_all_dirs(dovecot_t)
- files_search_all_mountpoints(dovecot_t)
-+files_read_var_lib_files(dovecot_t)
-
- init_getattr_utmp(dovecot_t)
-
- auth_use_nsswitch(dovecot_t)
-
--logging_send_syslog_msg(dovecot_t)
--
- miscfiles_read_generic_certs(dovecot_t)
--miscfiles_read_localization(dovecot_t)
-
-+logging_send_syslog_msg(dovecot_t)
-+
-+userdom_home_manager(dovecot_t)
- userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
- userdom_manage_user_home_content_dirs(dovecot_t)
- userdom_manage_user_home_content_files(dovecot_t)
-@@ -153,10 +170,23 @@ userdom_manage_user_home_content_pipes(dovecot_t)
- userdom_manage_user_home_content_sockets(dovecot_t)
- userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
-
--mta_manage_spool(dovecot_t)
-+optional_policy(`
-+ mta_manage_home_rw(dovecot_t)
-+ mta_manage_spool(dovecot_t)
-+')
-+
-+optional_policy(`
-+ kerberos_keytab_template(dovecot_t, dovecot_t)
-+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
-+')
-
- optional_policy(`
-- kerberos_keytab_template(dovecot, dovecot_t)
-+ gnome_manage_data(dovecot_t)
-+')
-+
-+optional_policy(`
-+ postfix_manage_private_sockets(dovecot_t)
-+ postfix_search_spool(dovecot_t)
- ')
-
- optional_policy(`
-@@ -164,6 +194,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ # Handle sieve scripts
-+ sendmail_domtrans(dovecot_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(dovecot_t)
- ')
-
-@@ -180,16 +215,17 @@ optional_policy(`
- # dovecot auth local policy
- #
-
--allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
--allow dovecot_auth_t self:process { signal_perms getcap setcap };
--allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
--allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-+allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
-+allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
- allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-
- allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
-
- read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
-
-+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
-+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
-+
- manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
- manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
- files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -198,31 +234,24 @@ allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
- manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
- dovecot_stream_connect_auth(dovecot_auth_t)
-
--kernel_read_all_sysctls(dovecot_auth_t)
--kernel_read_system_state(dovecot_auth_t)
--
- logging_send_audit_msgs(dovecot_auth_t)
--logging_send_syslog_msg(dovecot_auth_t)
--
--dev_read_urand(dovecot_auth_t)
-
- auth_domtrans_chk_passwd(dovecot_auth_t)
- auth_use_nsswitch(dovecot_auth_t)
-
--files_read_etc_files(dovecot_auth_t)
--files_read_etc_runtime_files(dovecot_auth_t)
-+logging_send_syslog_msg(dovecot_auth_t)
-+
- files_search_pids(dovecot_auth_t)
- files_read_usr_files(dovecot_auth_t)
- files_read_usr_symlinks(dovecot_auth_t)
- files_read_var_lib_files(dovecot_auth_t)
- files_search_tmp(dovecot_auth_t)
--files_read_var_lib_files(dovecot_t)
-
--init_rw_utmp(dovecot_auth_t)
-+fs_getattr_xattr_fs(dovecot_auth_t)
-
--miscfiles_read_localization(dovecot_auth_t)
-+init_rw_utmp(dovecot_auth_t)
-
--seutil_dontaudit_search_config(dovecot_auth_t)
-+sysnet_use_ldap(dovecot_auth_t)
-
- optional_policy(`
- kerberos_use(dovecot_auth_t)
-@@ -236,6 +265,8 @@ optional_policy(`
- optional_policy(`
- mysql_search_db(dovecot_auth_t)
- mysql_stream_connect(dovecot_auth_t)
-+ mysql_read_config(dovecot_auth_t)
-+ mysql_tcp_connect(dovecot_auth_t)
- ')
-
- optional_policy(`
-@@ -243,6 +274,8 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ postfix_manage_private_sockets(dovecot_auth_t)
-+ postfix_rw_master_pipes(dovecot_deliver_t)
- postfix_search_spool(dovecot_auth_t)
- ')
-
-@@ -250,25 +283,32 @@ optional_policy(`
- #
- # dovecot deliver local policy
- #
--allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
-
- allow dovecot_deliver_t dovecot_t:process signull;
-
--allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
--allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
-+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
-+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
-
--kernel_read_all_sysctls(dovecot_deliver_t)
--kernel_read_system_state(dovecot_deliver_t)
-+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
-
--files_read_etc_files(dovecot_deliver_t)
--files_read_etc_runtime_files(dovecot_deliver_t)
-+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-+
-+manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
-+manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
-+files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
-+
-+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-+read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
-+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
-+dovecot_stream_connect(dovecot_deliver_t)
-+
-+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
-
- auth_use_nsswitch(dovecot_deliver_t)
-
-+logging_append_all_logs(dovecot_deliver_t)
- logging_send_syslog_msg(dovecot_deliver_t)
--logging_search_logs(dovecot_auth_t)
--
--miscfiles_read_localization(dovecot_deliver_t)
-
- dovecot_stream_connect_auth(dovecot_deliver_t)
-
-@@ -283,24 +323,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
- userdom_manage_user_home_content_sockets(dovecot_deliver_t)
- userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(dovecot_deliver_t)
-- fs_manage_nfs_files(dovecot_deliver_t)
-- fs_manage_nfs_symlinks(dovecot_deliver_t)
-- fs_manage_nfs_dirs(dovecot_t)
-- fs_manage_nfs_files(dovecot_t)
-- fs_manage_nfs_symlinks(dovecot_t)
-+userdom_home_manager(dovecot_deliver_t)
-+
-+optional_policy(`
-+ gnome_manage_data(dovecot_deliver_t)
-+')
-+
-+optional_policy(`
-+ mta_mailserver_delivery(dovecot_deliver_t)
-+ mta_read_queue(dovecot_deliver_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(dovecot_deliver_t)
-- fs_manage_cifs_files(dovecot_deliver_t)
-- fs_manage_cifs_symlinks(dovecot_deliver_t)
-- fs_manage_cifs_dirs(dovecot_t)
-- fs_manage_cifs_files(dovecot_t)
-- fs_manage_cifs_symlinks(dovecot_t)
-+optional_policy(`
-+ postfix_use_fds_master(dovecot_deliver_t)
- ')
-
- optional_policy(`
-- mta_manage_spool(dovecot_deliver_t)
-+ # Handle sieve scripts
-+ sendmail_domtrans(dovecot_deliver_t)
- ')
-diff --git a/dpkg.if b/dpkg.if
-index 4d32b42..78736d8 100644
---- a/dpkg.if
-+++ b/dpkg.if
-@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',`
- #
- interface(`dpkg_run',`
- gen_require(`
-- attribute_role dpkg_roles;
-+ #attribute_role dpkg_roles;
-+ type dpkg_t, dpkg_script_t;
- ')
-
-+ #dpkg_domtrans($1)
-+ #roleattribute $2 dpkg_roles;
-+
- dpkg_domtrans($1)
-- roleattribute $2 dpkg_roles;
-+ role $2 types dpkg_t;
-+ role $2 types dpkg_script_t;
-+ seutil_run_loadpolicy(dpkg_script_t, $2)
-+
- ')
-
- ########################################
-diff --git a/dpkg.te b/dpkg.te
-index 52725c4..934ce11 100644
---- a/dpkg.te
-+++ b/dpkg.te
-@@ -5,8 +5,8 @@ policy_module(dpkg, 1.10.0)
- # Declarations
- #
-
--attribute_role dpkg_roles;
--roleattribute system_r dpkg_roles;
-+#attribute_role dpkg_roles;
-+#roleattribute system_r dpkg_roles;
-
- type dpkg_t;
- type dpkg_exec_t;
-@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t)
- domain_role_change_exemption(dpkg_t)
- domain_system_change_exemption(dpkg_t)
- domain_interactive_fd(dpkg_t)
--role dpkg_roles types dpkg_t;
-+#role dpkg_roles types dpkg_t;
-+role system_r types dpkg_t;
-
- # lockfile
- type dpkg_lock_t;
-@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t)
- domain_obj_id_change_exemption(dpkg_script_t)
- domain_system_change_exemption(dpkg_script_t)
- domain_interactive_fd(dpkg_script_t)
--role dpkg_roles types dpkg_script_t;
-+#role dpkg_roles types dpkg_script_t;
-+role system_r types dpkg_script_t;
-
- type dpkg_script_tmp_t;
- files_tmp_file(dpkg_script_tmp_t)
-@@ -92,7 +94,6 @@ kernel_read_kernel_sysctls(dpkg_t)
- corecmd_exec_all_executables(dpkg_t)
-
- # TODO: do we really need all networking?
--corenet_all_recvfrom_unlabeled(dpkg_t)
- corenet_all_recvfrom_netlabel(dpkg_t)
- corenet_tcp_sendrecv_generic_if(dpkg_t)
- corenet_raw_sendrecv_generic_if(dpkg_t)
-@@ -152,9 +153,12 @@ files_exec_etc_files(dpkg_t)
- init_domtrans_script(dpkg_t)
- init_use_script_ptys(dpkg_t)
-
-+#libs_exec_ld_so(dpkg_t)
-+#libs_exec_lib_files(dpkg_t)
-+#libs_run_ldconfig(dpkg_t, dpkg_roles)
- libs_exec_ld_so(dpkg_t)
- libs_exec_lib_files(dpkg_t)
--libs_run_ldconfig(dpkg_t, dpkg_roles)
-+libs_domtrans_ldconfig(dpkg_t)
-
- logging_send_syslog_msg(dpkg_t)
-
-@@ -195,20 +199,30 @@ domain_signal_all_domains(dpkg_t)
- domain_signull_all_domains(dpkg_t)
- files_read_etc_runtime_files(dpkg_t)
- files_exec_usr_files(dpkg_t)
--miscfiles_read_localization(dpkg_t)
--modutils_run_depmod(dpkg_t, dpkg_roles)
--modutils_run_insmod(dpkg_t, dpkg_roles)
--seutil_run_loadpolicy(dpkg_t, dpkg_roles)
--seutil_run_setfiles(dpkg_t, dpkg_roles)
-+#modutils_run_depmod(dpkg_t, dpkg_roles)
-+#modutils_run_insmod(dpkg_t, dpkg_roles)
-+#seutil_run_loadpolicy(dpkg_t, dpkg_roles)
-+#seutil_run_setfiles(dpkg_t, dpkg_roles)
- userdom_use_all_users_fds(dpkg_t)
- optional_policy(`
- mta_send_mail(dpkg_t)
- ')
-+
-+
- optional_policy(`
-- usermanage_run_groupadd(dpkg_t, dpkg_roles)
-- usermanage_run_useradd(dpkg_t, dpkg_roles)
-+ modutils_domtrans_depmod(dpkg_t)
-+ modutils_domtrans_insmod(dpkg_t)
-+ seutil_domtrans_loadpolicy(dpkg_t)
-+ seutil_domtrans_setfiles(dpkg_t)
-+ usermanage_domtrans_groupadd(dpkg_t)
-+ usermanage_domtrans_useradd(dpkg_t)
- ')
-
-+#optional_policy(`
-+# usermanage_run_groupadd(dpkg_t, dpkg_roles)
-+# usermanage_run_useradd(dpkg_t, dpkg_roles)
-+#')
-+
- ########################################
- #
- # dpkg-script Local policy
-@@ -296,21 +310,20 @@ init_use_script_fds(dpkg_script_t)
-
- libs_exec_ld_so(dpkg_script_t)
- libs_exec_lib_files(dpkg_script_t)
--libs_run_ldconfig(dpkg_script_t, dpkg_roles)
-+libs_domtrans_ldconfig(dpkg_script_t)
-+#libs_run_ldconfig(dpkg_script_t, dpkg_roles)
-
- logging_send_syslog_msg(dpkg_script_t)
-
--miscfiles_read_localization(dpkg_script_t)
--
--modutils_run_depmod(dpkg_script_t, dpkg_roles)
--modutils_run_insmod(dpkg_script_t, dpkg_roles)
-+#modutils_run_depmod(dpkg_script_t, dpkg_roles)
-+#modutils_run_insmod(dpkg_script_t, dpkg_roles)
-
--seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
--seutil_run_setfiles(dpkg_script_t, dpkg_roles)
-+#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
-+#seutil_run_setfiles(dpkg_script_t, dpkg_roles)
-
- userdom_use_all_users_fds(dpkg_script_t)
-
--tunable_policy(`allow_execmem',`
-+tunable_policy(`selinuxuser_execmem',`
- allow dpkg_script_t self:process execmem;
- ')
-
-@@ -319,9 +332,9 @@ optional_policy(`
- apt_use_fds(dpkg_script_t)
- ')
-
--optional_policy(`
-- bootloader_run(dpkg_script_t, dpkg_roles)
--')
-+#optional_policy(`
-+# bootloader_run(dpkg_script_t, dpkg_roles)
-+#')
-
- optional_policy(`
- mta_send_mail(dpkg_script_t)
-@@ -335,7 +348,7 @@ optional_policy(`
- unconfined_domain(dpkg_script_t)
- ')
-
--optional_policy(`
-- usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
-- usermanage_run_useradd(dpkg_script_t, dpkg_roles)
--')
-+#optional_policy(`
-+# usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
-+# usermanage_run_useradd(dpkg_script_t, dpkg_roles)
-+#')
-diff --git a/drbd.fc b/drbd.fc
-new file mode 100644
-index 0000000..60c19b9
---- /dev/null
-+++ b/drbd.fc
-@@ -0,0 +1,12 @@
-+
-+/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
-+/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
-+
-+/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
-+
-+/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
-+/usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
-+
-+/var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0)
-+
-+
-diff --git a/drbd.if b/drbd.if
-new file mode 100644
-index 0000000..659d051
---- /dev/null
-+++ b/drbd.if
-@@ -0,0 +1,127 @@
-+
-+## policy for drbd
-+
-+########################################
-+##
-+## Execute a domain transition to run drbd.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`drbd_domtrans',`
-+ gen_require(`
-+ type drbd_t, drbd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, drbd_exec_t, drbd_t)
-+')
-+
-+########################################
-+##
-+## Search drbd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`drbd_search_lib',`
-+ gen_require(`
-+ type drbd_var_lib_t;
-+ ')
-+
-+ allow $1 drbd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read drbd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`drbd_read_lib_files',`
-+ gen_require(`
-+ type drbd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## drbd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`drbd_manage_lib_files',`
-+ gen_require(`
-+ type drbd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage drbd lib dirs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`drbd_manage_lib_dirs',`
-+ gen_require(`
-+ type drbd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an drbd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`drbd_admin',`
-+ gen_require(`
-+ type drbd_t;
-+ type drbd_var_lib_t;
-+ ')
-+
-+ allow $1 drbd_t:process signal_perms;
-+ ps_process_pattern($1, drbd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 drbd_t:process ptrace;
-+ ')
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, drbd_var_lib_t)
-+
-+')
-+
-diff --git a/drbd.te b/drbd.te
-new file mode 100644
-index 0000000..2f3efe7
---- /dev/null
-+++ b/drbd.te
-@@ -0,0 +1,51 @@
-+policy_module(drbd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type drbd_t;
-+type drbd_exec_t;
-+init_daemon_domain(drbd_t, drbd_exec_t)
-+
-+type drbd_var_lib_t;
-+files_type(drbd_var_lib_t)
-+
-+type drbd_lock_t;
-+files_lock_file(drbd_lock_t)
-+
-+########################################
-+#
-+# drbd local policy
-+#
-+
-+allow drbd_t self:capability { kill net_admin };
-+dontaudit drbd_t self:capability sys_tty_config;
-+allow drbd_t self:fifo_file rw_fifo_file_perms;
-+allow drbd_t self:unix_stream_socket create_stream_socket_perms;
-+allow drbd_t self:netlink_socket create_socket_perms;
-+allow drbd_t self:netlink_route_socket rw_netlink_socket_perms;
-+
-+manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
-+manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
-+manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
-+files_var_lib_filetrans(drbd_t, drbd_var_lib_t, { dir file } )
-+
-+manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
-+files_lock_filetrans(drbd_t, drbd_lock_t, file)
-+
-+can_exec(drbd_t, drbd_exec_t)
-+
-+kernel_read_system_state(drbd_t)
-+
-+dev_read_sysfs(drbd_t)
-+dev_read_rand(drbd_t)
-+dev_read_urand(drbd_t)
-+
-+files_read_etc_files(drbd_t)
-+
-+storage_raw_read_fixed_disk(drbd_t)
-+
-+
-+sysnet_dns_name_resolve(drbd_t)
-diff --git a/dspam.fc b/dspam.fc
-new file mode 100644
-index 0000000..4dc92b3
---- /dev/null
-+++ b/dspam.fc
-@@ -0,0 +1,18 @@
-+
-+/etc/rc\.d/init\.d/dspam -- gen_context(system_u:object_r:dspam_initrc_exec_t,s0)
-+
-+/usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0)
-+
-+/var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0)
-+
-+/var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0)
-+
-+/var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0)
-+
-+# web
-+
-+/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
-+/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0)
-+/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
-+
-+/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_content_rw_t,s0)
-diff --git a/dspam.if b/dspam.if
-new file mode 100644
-index 0000000..a446210
---- /dev/null
-+++ b/dspam.if
-@@ -0,0 +1,267 @@
-+
-+## policy for dspam
-+
-+
-+########################################
-+##
-+## Execute a domain transition to run dspam.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dspam_domtrans',`
-+ gen_require(`
-+ type dspam_t, dspam_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, dspam_exec_t, dspam_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute dspam server in the dspam domain.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`dspam_initrc_domtrans',`
-+ gen_require(`
-+ type dspam_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, dspam_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to read dspam's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`dspam_read_log',`
-+ gen_require(`
-+ type dspam_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, dspam_log_t, dspam_log_t)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to append
-+## dspam log files.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`dspam_append_log',`
-+ gen_require(`
-+ type dspam_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, dspam_log_t, dspam_log_t)
-+')
-+
-+########################################
-+##
-+## Allow domain to manage dspam log files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dspam_manage_log',`
-+ gen_require(`
-+ type dspam_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, dspam_log_t, dspam_log_t)
-+ manage_files_pattern($1, dspam_log_t, dspam_log_t)
-+ manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t)
-+')
-+
-+########################################
-+##
-+## Search dspam lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dspam_search_lib',`
-+ gen_require(`
-+ type dspam_var_lib_t;
-+ ')
-+
-+ allow $1 dspam_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read dspam lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dspam_read_lib_files',`
-+ gen_require(`
-+ type dspam_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## dspam lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dspam_manage_lib_files',`
-+ gen_require(`
-+ type dspam_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage dspam lib dirs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dspam_manage_lib_dirs',`
-+ gen_require(`
-+ type dspam_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
-+')
-+
-+
-+########################################
-+##
-+## Read dspam PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dspam_read_pid_files',`
-+ gen_require(`
-+ type dspam_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 dspam_var_run_t:file read_file_perms;
-+')
-+
-+#######################################
-+##
-+## Connect to DSPAM using a unix domain stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dspam_stream_connect',`
-+ gen_require(`
-+ type dspam_t, dspam_var_run_t, dspam_tmp_t;
-+ ')
-+
-+ files_search_pids($1)
-+ files_search_tmp($1)
-+ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
-+ stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an dspam environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`dspam_admin',`
-+ gen_require(`
-+ type dspam_t;
-+ type dspam_initrc_exec_t;
-+ type dspam_log_t;
-+ type dspam_var_lib_t;
-+ type dspam_var_run_t;
-+ ')
-+
-+ allow $1 dspam_t:process signal_perms;
-+ ps_process_pattern($1, dspam_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 dspam_t:process ptrace;
-+ ')
-+
-+ dspam_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 dspam_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, dspam_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, dspam_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, dspam_var_run_t)
-+
-+')
-diff --git a/dspam.te b/dspam.te
-new file mode 100644
-index 0000000..e6f0960
---- /dev/null
-+++ b/dspam.te
-@@ -0,0 +1,113 @@
-+
-+policy_module(dspam, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type dspam_t;
-+type dspam_exec_t;
-+init_daemon_domain(dspam_t, dspam_exec_t)
-+
-+type dspam_initrc_exec_t;
-+init_script_file(dspam_initrc_exec_t)
-+
-+type dspam_log_t;
-+logging_log_file(dspam_log_t)
-+
-+type dspam_var_lib_t;
-+files_type(dspam_var_lib_t)
-+
-+type dspam_var_run_t;
-+files_pid_file(dspam_var_run_t)
-+
-+# FIXME
-+# /tmp/dspam.sock
-+type dspam_tmp_t;
-+files_tmp_file(dspam_tmp_t)
-+
-+########################################
-+#
-+# dspam local policy
-+#
-+
-+allow dspam_t self:capability net_admin;
-+
-+allow dspam_t self:process { signal };
-+
-+allow dspam_t self:fifo_file rw_fifo_file_perms;
-+allow dspam_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(dspam_t, dspam_log_t, dspam_log_t)
-+manage_files_pattern(dspam_t, dspam_log_t, dspam_log_t)
-+
-+files_search_var_lib(dspam_t)
-+manage_dirs_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
-+manage_files_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
-+
-+manage_dirs_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
-+manage_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
-+manage_sock_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
-+files_pid_filetrans(dspam_t, dspam_var_run_t, dir, "dspam")
-+
-+manage_sock_files_pattern(dspam_t, dspam_tmp_t, dspam_tmp_t)
-+files_tmp_filetrans(dspam_t, dspam_tmp_t, sock_file)
-+
-+corenet_tcp_connect_spamd_port(dspam_t)
-+corenet_tcp_bind_spamd_port(dspam_t)
-+
-+auth_use_nsswitch(dspam_t)
-+
-+files_search_spool(dspam_t)
-+
-+# for RHEL5
-+libs_use_ld_so(dspam_t)
-+libs_use_shared_libs(dspam_t)
-+libs_read_lib_files(dspam_t)
-+
-+logging_send_syslog_msg(dspam_t)
-+
-+optional_policy(`
-+ mysql_tcp_connect(dspam_t)
-+ mysql_search_db(dspam_t)
-+ mysql_stream_connect(dspam_t)
-+')
-+
-+optional_policy(`
-+ postgresql_tcp_connect(dspam_t)
-+ postgresql_stream_connect(dspam_t)
-+')
-+
-+#######################################
-+#
-+# dspam web local policy.
-+#
-+
-+optional_policy(`
-+ apache_content_template(dspam)
-+
-+ read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
-+
-+ files_search_var_lib(httpd_dspam_script_t)
-+ list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
-+ manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
-+ manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
-+
-+ domain_dontaudit_read_all_domains_state(httpd_dspam_script_t)
-+
-+ term_dontaudit_search_ptys(httpd_dspam_script_t)
-+ term_dontaudit_getattr_all_ttys(httpd_dspam_script_t)
-+ term_dontaudit_getattr_all_ptys(httpd_dspam_script_t)
-+
-+ init_read_utmp(httpd_dspam_script_t)
-+
-+ logging_send_syslog_msg(httpd_dspam_script_t)
-+
-+ mta_send_mail(httpd_dspam_script_t)
-+
-+ optional_policy(`
-+ mysql_tcp_connect(httpd_dspam_script_t)
-+ mysql_stream_connect(httpd_dspam_script_t)
-+ ')
-+')
-diff --git a/entropyd.te b/entropyd.te
-index b6ac808..6235eb0 100644
---- a/entropyd.te
-+++ b/entropyd.te
-@@ -33,7 +33,7 @@ manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
- files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
-
- kernel_rw_kernel_sysctl(entropyd_t)
--kernel_list_proc(entropyd_t)
-+kernel_read_system_state(entropyd_t)
- kernel_read_proc_symlinks(entropyd_t)
-
- dev_read_sysfs(entropyd_t)
-@@ -42,7 +42,6 @@ dev_write_urand(entropyd_t)
- dev_read_rand(entropyd_t)
- dev_write_rand(entropyd_t)
-
--files_read_etc_files(entropyd_t)
- files_read_usr_files(entropyd_t)
-
- fs_getattr_all_fs(entropyd_t)
-@@ -52,7 +51,7 @@ domain_use_interactive_fds(entropyd_t)
-
- logging_send_syslog_msg(entropyd_t)
-
--miscfiles_read_localization(entropyd_t)
-+auth_use_nsswitch(entropyd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
- userdom_dontaudit_search_user_home_dirs(entropyd_t)
-diff --git a/evolution.te b/evolution.te
-index 73cb712..2c6f3bc 100644
---- a/evolution.te
-+++ b/evolution.te
-@@ -146,7 +146,6 @@ corecmd_exec_shell(evolution_t)
- # Run various programs
- corecmd_exec_bin(evolution_t)
-
--corenet_all_recvfrom_unlabeled(evolution_t)
- corenet_all_recvfrom_netlabel(evolution_t)
- corenet_tcp_sendrecv_generic_if(evolution_t)
- corenet_udp_sendrecv_generic_if(evolution_t)
-@@ -181,19 +180,17 @@ dev_read_urand(evolution_t)
-
- domain_dontaudit_read_all_domains_state(evolution_t)
-
--files_read_etc_files(evolution_t)
- files_read_usr_files(evolution_t)
- files_read_usr_symlinks(evolution_t)
- files_read_var_files(evolution_t)
-
- fs_search_auto_mountpoints(evolution_t)
-
--logging_send_syslog_msg(evolution_t)
-+auth_use_nsswitch(evolution_t)
-
--miscfiles_read_localization(evolution_t)
-+logging_send_syslog_msg(evolution_t)
-
- sysnet_read_config(evolution_t)
--sysnet_dns_name_resolve(evolution_t)
-
- udev_read_state(evolution_t)
-
-@@ -201,7 +198,7 @@ userdom_rw_user_tmp_files(evolution_t)
- userdom_manage_user_tmp_dirs(evolution_t)
- userdom_manage_user_tmp_sockets(evolution_t)
- userdom_manage_user_tmp_files(evolution_t)
--userdom_use_user_terminals(evolution_t)
-+userdom_use_inherited_user_terminals(evolution_t)
- # FIXME: suppress access to .local/.icons/.themes until properly implemented
- # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
- # until properly implemented
-@@ -357,12 +354,12 @@ allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write;
-
- dev_read_urand(evolution_alarm_t)
-
--files_read_etc_files(evolution_alarm_t)
- files_read_usr_files(evolution_alarm_t)
-
- fs_search_auto_mountpoints(evolution_alarm_t)
-
--miscfiles_read_localization(evolution_alarm_t)
-+auth_use_nsswitch(evolution_alarm_t)
-+
-
- # Access evolution home
- userdom_search_user_home_dirs(evolution_alarm_t)
-@@ -439,13 +436,13 @@ corecmd_exec_bin(evolution_exchange_t)
-
- dev_read_urand(evolution_exchange_t)
-
--files_read_etc_files(evolution_exchange_t)
- files_read_usr_files(evolution_exchange_t)
-
- # Access evolution home
- fs_search_auto_mountpoints(evolution_exchange_t)
-
--miscfiles_read_localization(evolution_exchange_t)
-+auth_use_nsswitch(evolution_exchange_t)
-+
-
- userdom_write_user_tmp_sockets(evolution_exchange_t)
- # Access evolution home
-@@ -506,7 +503,6 @@ kernel_read_system_state(evolution_server_t)
- corecmd_exec_shell(evolution_server_t)
-
- # Obtain weather data via http (read server name from xml file in /usr)
--corenet_all_recvfrom_unlabeled(evolution_server_t)
- corenet_all_recvfrom_netlabel(evolution_server_t)
- corenet_tcp_sendrecv_generic_if(evolution_server_t)
- corenet_tcp_sendrecv_generic_node(evolution_server_t)
-@@ -519,19 +515,18 @@ corenet_sendrecv_http_cache_client_packets(evolution_server_t)
-
- dev_read_urand(evolution_server_t)
-
--files_read_etc_files(evolution_server_t)
- # Obtain weather data via http (read server name from xml file in /usr)
- files_read_usr_files(evolution_server_t)
-
- fs_search_auto_mountpoints(evolution_server_t)
-
--miscfiles_read_localization(evolution_server_t)
-+auth_use_nsswitch(evolution_server_t)
-+
- # Look in /etc/pki
- miscfiles_read_generic_certs(evolution_server_t)
-
- # Talk to ldap (address book)
- sysnet_read_config(evolution_server_t)
--sysnet_dns_name_resolve(evolution_server_t)
- sysnet_use_ldap(evolution_server_t)
-
- # Access evolution home
-@@ -573,7 +568,6 @@ allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_per
- allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
- fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
--corenet_all_recvfrom_unlabeled(evolution_webcal_t)
- corenet_all_recvfrom_netlabel(evolution_webcal_t)
- corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
- corenet_raw_sendrecv_generic_if(evolution_webcal_t)
-@@ -586,9 +580,9 @@ corenet_tcp_connect_http_port(evolution_webcal_t)
- corenet_sendrecv_http_client_packets(evolution_webcal_t)
- corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
-
--# Networking capability - connect to website and handle ics link
-+auth_use_nsswitch(evolution_webcal_t)
-+
- sysnet_read_config(evolution_webcal_t)
--sysnet_dns_name_resolve(evolution_webcal_t)
-
- # Search home directory (?)
- userdom_search_user_home_dirs(evolution_webcal_t)
-diff --git a/exim.fc b/exim.fc
-index 298f066..02c2561 100644
---- a/exim.fc
-+++ b/exim.fc
-@@ -1,4 +1,9 @@
-+
-+/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
-+
- /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
-+/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
-+
- /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
- /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
- /var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
-diff --git a/exim.if b/exim.if
-index 6bef7f8..ba138e8 100644
---- a/exim.if
-+++ b/exim.if
-@@ -20,6 +20,49 @@ interface(`exim_domtrans',`
-
- ########################################
- ##
-+## Execute the mailman program in the mailman domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The role to allow the mailman domain.
-+##
-+##
-+##
-+#
-+interface(`exim_run',`
-+ gen_require(`
-+ type exim_t;
-+ ')
-+
-+ exim_domtrans($1)
-+ role $2 types exim_t;
-+')
-+
-+########################################
-+##
-+## Execute exim in the exim domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`exim_initrc_domtrans',`
-+ gen_require(`
-+ type exim_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, exim_initrc_exec_t)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read,
- ## exim tmp files
- ##
-@@ -194,3 +237,49 @@ interface(`exim_manage_spool_files',`
- manage_files_pattern($1, exim_spool_t, exim_spool_t)
- files_search_spool($1)
- ')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an exim environment.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+#
-+interface(`exim_admin',`
-+ gen_require(`
-+ type exim_t, exim_initrc_exec_t, exim_log_t;
-+ type exim_tmp_t, exim_spool_t, exim_var_run_t;
-+ ')
-+
-+ allow $1 exim_t:process signal_perms;
-+ ps_process_pattern($1, exim_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 exim_t:process ptrace;
-+ ')
-+
-+ exim_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 exim_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, exim_log_t)
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, exim_tmp_t)
-+
-+ files_list_spool($1)
-+ admin_pattern($1, exim_spool_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, exim_var_run_t)
-+')
-diff --git a/exim.te b/exim.te
-index f28f64b..91758d5 100644
---- a/exim.te
-+++ b/exim.te
-@@ -35,11 +35,14 @@ mta_mailserver_user_agent(exim_t)
- application_executable_file(exim_exec_t)
- mta_agent_executable(exim_exec_t)
-
-+type exim_initrc_exec_t;
-+init_script_file(exim_initrc_exec_t)
-+
- type exim_log_t;
- logging_log_file(exim_log_t)
-
- type exim_spool_t;
--files_type(exim_spool_t)
-+files_spool_file(exim_spool_t)
-
- type exim_tmp_t;
- files_tmp_file(exim_tmp_t)
-@@ -79,11 +82,10 @@ files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
-
- kernel_read_kernel_sysctls(exim_t)
- kernel_read_network_state(exim_t)
--kernel_dontaudit_read_system_state(exim_t)
-+kernel_read_system_state(exim_t)
-
- corecmd_search_bin(exim_t)
-
--corenet_all_recvfrom_unlabeled(exim_t)
- corenet_all_recvfrom_netlabel(exim_t)
- corenet_tcp_sendrecv_generic_if(exim_t)
- corenet_udp_sendrecv_generic_if(exim_t)
-@@ -108,7 +110,7 @@ domain_use_interactive_fds(exim_t)
-
- files_search_usr(exim_t)
- files_search_var(exim_t)
--files_read_etc_files(exim_t)
-+files_read_usr_files(exim_t)
- files_read_etc_runtime_files(exim_t)
- files_getattr_all_mountpoints(exim_t)
-
-@@ -119,7 +121,6 @@ auth_use_nsswitch(exim_t)
-
- logging_send_syslog_msg(exim_t)
-
--miscfiles_read_localization(exim_t)
- miscfiles_read_generic_certs(exim_t)
-
- userdom_dontaudit_search_user_home_dirs(exim_t)
-@@ -162,6 +163,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dovecot_stream_connect(exim_t)
-+')
-+
-+optional_policy(`
- kerberos_keytab_template(exim, exim_t)
- ')
-
-@@ -171,6 +176,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ nagios_search_spool(exim_t)
-+')
-+
-+optional_policy(`
- tunable_policy(`exim_can_connect_db',`
- mysql_stream_connect(exim_t)
- ')
-@@ -184,6 +193,7 @@ optional_policy(`
-
- optional_policy(`
- procmail_domtrans(exim_t)
-+ procmail_read_home_files(exim_t)
- ')
-
- optional_policy(`
-diff --git a/fail2ban.fc b/fail2ban.fc
-index 0de2b83..6de0fca 100644
---- a/fail2ban.fc
-+++ b/fail2ban.fc
-@@ -4,5 +4,5 @@
- /usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
-
- /var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
--/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
-+/var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0)
- /var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
-diff --git a/fail2ban.if b/fail2ban.if
-index f590a1f..b1b13b0 100644
---- a/fail2ban.if
-+++ b/fail2ban.if
-@@ -40,7 +40,26 @@ interface(`fail2ban_stream_connect',`
-
- ########################################
- ##
--## Read and write to an fail2ban unix stream socket.
-+## Read and write inherited temporary files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fail2ban_rw_inherited_tmp_files',`
-+ gen_require(`
-+ type fail2ban_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write to an fail2ba unix stream socket.
- ##
- ##
- ##
-@@ -72,7 +91,7 @@ interface(`fail2ban_read_lib_files',`
- ')
-
- files_search_var_lib($1)
-- allow $1 fail2ban_var_lib_t:file read_file_perms;
-+ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
- ')
-
- ########################################
-@@ -138,6 +157,26 @@ interface(`fail2ban_read_pid_files',`
-
- ########################################
- ##
-+## dontaudit read and write an leaked file descriptors
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fail2ban_dontaudit_leaks',`
-+ gen_require(`
-+ type fail2ban_t;
-+ ')
-+
-+ dontaudit $1 fail2ban_t:tcp_socket { read write };
-+ dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
-+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an fail2ban environment
- ##
-@@ -155,12 +194,16 @@ interface(`fail2ban_read_pid_files',`
- #
- interface(`fail2ban_admin',`
- gen_require(`
-- type fail2ban_t, fail2ban_log_t;
-- type fail2ban_var_run_t, fail2ban_initrc_exec_t;
-+ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
-+ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
-+ type fail2ban_client_t;
- ')
-
-- allow $1 fail2ban_t:process { ptrace signal_perms };
-- ps_process_pattern($1, fail2ban_t)
-+ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
-+ ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -172,4 +215,10 @@ interface(`fail2ban_admin',`
-
- files_list_pids($1)
- admin_pattern($1, fail2ban_var_run_t)
-+
-+ files_list_var_lib($1)
-+ admin_pattern($1, fail2ban_var_lib_t)
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, fail2ban_tmp_t)
- ')
-diff --git a/fail2ban.te b/fail2ban.te
-index 2a69e5e..5dccf2c 100644
---- a/fail2ban.te
-+++ b/fail2ban.te
-@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
- type fail2ban_var_run_t;
- files_pid_file(fail2ban_var_run_t)
-
-+type fail2ban_tmp_t;
-+files_tmp_file(fail2ban_tmp_t)
-+
-+type fail2ban_client_t;
-+type fail2ban_client_exec_t;
-+init_daemon_domain(fail2ban_client_t, fail2ban_client_exec_t)
-+
- ########################################
- #
--# fail2ban local policy
-+# fail2ban server local policy
- #
-
--allow fail2ban_t self:capability { sys_tty_config };
-+allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
- allow fail2ban_t self:process signal;
- allow fail2ban_t self:fifo_file rw_fifo_file_perms;
- allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
-@@ -36,7 +43,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
- allow fail2ban_t self:tcp_socket create_stream_socket_perms;
-
- # log files
--allow fail2ban_t fail2ban_log_t:dir setattr;
-+allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
- manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
- logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
-
-@@ -50,12 +57,16 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
- manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
- files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
-
-+manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-+manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-+exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-+files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
-+
- kernel_read_system_state(fail2ban_t)
-
- corecmd_exec_bin(fail2ban_t)
- corecmd_exec_shell(fail2ban_t)
-
--corenet_all_recvfrom_unlabeled(fail2ban_t)
- corenet_all_recvfrom_netlabel(fail2ban_t)
- corenet_tcp_sendrecv_generic_if(fail2ban_t)
- corenet_tcp_sendrecv_generic_node(fail2ban_t)
-@@ -66,8 +77,8 @@ corenet_sendrecv_whois_client_packets(fail2ban_t)
- dev_read_urand(fail2ban_t)
-
- domain_use_interactive_fds(fail2ban_t)
-+domain_dontaudit_read_all_domains_state(fail2ban_t)
-
--files_read_etc_files(fail2ban_t)
- files_read_etc_runtime_files(fail2ban_t)
- files_read_usr_files(fail2ban_t)
- files_list_var(fail2ban_t)
-@@ -81,10 +92,11 @@ auth_use_nsswitch(fail2ban_t)
- logging_read_all_logs(fail2ban_t)
- logging_send_syslog_msg(fail2ban_t)
-
--miscfiles_read_localization(fail2ban_t)
--
- mta_send_mail(fail2ban_t)
-
-+sysnet_manage_config(fail2ban_t)
-+sysnet_filetrans_named_content(fail2ban_t)
-+
- optional_policy(`
- apache_read_log(fail2ban_t)
- ')
-@@ -94,5 +106,43 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gnome_dontaudit_search_config(fail2ban_t)
-+')
-+
-+optional_policy(`
- iptables_domtrans(fail2ban_t)
- ')
-+
-+optional_policy(`
-+ libs_exec_ldconfig(fail2ban_t)
-+')
-+
-+optional_policy(`
-+ shorewall_domtrans(fail2ban_t)
-+')
-+
-+########################################
-+#
-+# fail2ban client local policy
-+#
-+
-+domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
-+
-+stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
-+
-+kernel_read_system_state(fail2ban_client_t)
-+
-+# python
-+corecmd_exec_bin(fail2ban_client_t)
-+
-+# nsswitch.conf, passwd
-+files_read_usr_files(fail2ban_client_t)
-+files_search_pids(fail2ban_client_t)
-+
-+auth_read_passwd(fail2ban_client_t)
-+
-+
-+optional_policy(`
-+ gnome_dontaudit_search_config(fail2ban_client_t)
-+')
-+
-diff --git a/fcoemon.fc b/fcoemon.fc
-new file mode 100644
-index 0000000..83279fb
---- /dev/null
-+++ b/fcoemon.fc
-@@ -0,0 +1,5 @@
-+
-+/usr/sbin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0)
-+
-+/var/run/fcm(/.*)? gen_context(system_u:object_r:fcoemon_var_run_t,s0)
-+/var/run/fcoemon\.pid -- gen_context(system_u:object_r:fcoemon_var_run_t,s0)
-diff --git a/fcoemon.if b/fcoemon.if
-new file mode 100644
-index 0000000..33508c1
---- /dev/null
-+++ b/fcoemon.if
-@@ -0,0 +1,88 @@
-+
-+## policy for fcoemon
-+
-+########################################
-+##
-+## Transition to fcoemon.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`fcoemon_domtrans',`
-+ gen_require(`
-+ type fcoemon_t, fcoemon_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, fcoemon_exec_t, fcoemon_t)
-+')
-+
-+
-+########################################
-+##
-+## Read fcoemon PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fcoemon_read_pid_files',`
-+ gen_require(`
-+ type fcoemon_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 fcoemon_var_run_t:file read_file_perms;
-+')
-+
-+#######################################
-+##
-+## Send to a fcoemon unix dgram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fcoemon_dgram_send',`
-+ gen_require(`
-+ type fcoemon_t;
-+ ')
-+
-+ allow $1 fcoemon_t:unix_dgram_socket sendto;
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an fcoemon environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fcoemon_admin',`
-+ gen_require(`
-+ type fcoemon_t;
-+ type fcoemon_var_run_t;
-+ ')
-+
-+ allow $1 fcoemon_t:process signal_perms;
-+ ps_process_pattern($1, fcoemon_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 fcoemon_t:process ptrace;
-+ ')
-+
-+ files_search_pids($1)
-+ admin_pattern($1, fcoemon_var_run_t)
-+
-+')
-+
-diff --git a/fcoemon.te b/fcoemon.te
-new file mode 100644
-index 0000000..724ca0d
---- /dev/null
-+++ b/fcoemon.te
-@@ -0,0 +1,44 @@
-+policy_module(fcoemon, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type fcoemon_t;
-+type fcoemon_exec_t;
-+init_daemon_domain(fcoemon_t, fcoemon_exec_t)
-+
-+type fcoemon_var_run_t;
-+files_pid_file(fcoemon_var_run_t)
-+
-+########################################
-+#
-+# fcoemon local policy
-+#
-+
-+# dac_override
-+# /var/rnn/fcm/fcm_clif socket is owned by root
-+allow fcoemon_t self:capability { net_admin dac_override };
-+allow fcoemon_t self:capability { kill };
-+
-+allow fcoemon_t self:fifo_file rw_fifo_file_perms;
-+allow fcoemon_t self:unix_stream_socket create_stream_socket_perms;
-+allow fcoemon_t self:netlink_socket create_socket_perms;
-+allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
-+
-+manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
-+manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
-+manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
-+files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file sock_file })
-+
-+files_read_etc_files(fcoemon_t)
-+
-+dev_read_sysfs(fcoemon_t)
-+
-+logging_send_syslog_msg(fcoemon_t)
-+
-+optional_policy(`
-+ lldpad_dgram_send(fcoemon_t)
-+')
-+
-diff --git a/fetchmail.fc b/fetchmail.fc
-index 39928d5..6c24c84 100644
---- a/fetchmail.fc
-+++ b/fetchmail.fc
-@@ -1,3 +1,9 @@
-+#
-+# /HOME
-+#
-+HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
-+/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
-+
-
- #
- # /etc
-@@ -14,6 +20,7 @@
- #
- # /var
- #
-+/var/log/fetchmail.* gen_context(system_u:object_r:fetchmail_log_t,s0)
- /var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
- /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
- /var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
-diff --git a/fetchmail.if b/fetchmail.if
-index 6537214..406d62b 100644
---- a/fetchmail.if
-+++ b/fetchmail.if
-@@ -15,14 +15,20 @@
- interface(`fetchmail_admin',`
- gen_require(`
- type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t;
-- type fetchmail_var_run_t;
-+ type fetchmail_var_run_t, fetchmail_log_t;
- ')
-
-+ allow $1 fetchmail_t:process signal_perms;
- ps_process_pattern($1, fetchmail_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 fetchmail_t:process ptrace;
-+ ')
-
- files_list_etc($1)
- admin_pattern($1, fetchmail_etc_t)
-
-+ admin_pattern($1, fetchmail_log_t)
-+
- admin_pattern($1, fetchmail_uidl_cache_t)
-
- files_list_pids($1)
-diff --git a/fetchmail.te b/fetchmail.te
-index ac6626e..656f329 100644
---- a/fetchmail.te
-+++ b/fetchmail.te
-@@ -10,6 +10,12 @@ type fetchmail_exec_t;
- init_daemon_domain(fetchmail_t, fetchmail_exec_t)
- application_executable_file(fetchmail_exec_t)
-
-+type fetchmail_home_t;
-+userdom_user_home_content(fetchmail_home_t)
-+
-+type fetchmail_log_t;
-+logging_log_file(fetchmail_log_t)
-+
- type fetchmail_var_run_t;
- files_pid_file(fetchmail_var_run_t)
-
-@@ -37,10 +43,19 @@ allow fetchmail_t fetchmail_etc_t:file read_file_perms;
- allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
- mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
-
-+manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
-+manage_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
-+logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
-+
- manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
- manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
- files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file })
-
-+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
-+read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
-+userdom_search_user_home_dirs(fetchmail_t)
-+userdom_search_admin_dir(fetchmail_t)
-+
- kernel_read_kernel_sysctls(fetchmail_t)
- kernel_list_proc(fetchmail_t)
- kernel_getattr_proc_files(fetchmail_t)
-@@ -51,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
- corecmd_exec_bin(fetchmail_t)
- corecmd_exec_shell(fetchmail_t)
-
--corenet_all_recvfrom_unlabeled(fetchmail_t)
- corenet_all_recvfrom_netlabel(fetchmail_t)
- corenet_tcp_sendrecv_generic_if(fetchmail_t)
- corenet_udp_sendrecv_generic_if(fetchmail_t)
-@@ -77,9 +91,10 @@ fs_search_auto_mountpoints(fetchmail_t)
-
- domain_use_interactive_fds(fetchmail_t)
-
-+auth_read_passwd(fetchmail_t)
-+
- logging_send_syslog_msg(fetchmail_t)
-
--miscfiles_read_localization(fetchmail_t)
- miscfiles_read_generic_certs(fetchmail_t)
-
- sysnet_read_config(fetchmail_t)
-@@ -88,6 +103,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
- userdom_dontaudit_search_user_home_dirs(fetchmail_t)
-
- optional_policy(`
-+ kerberos_use(fetchmail_t)
-+')
-+
-+optional_policy(`
- procmail_domtrans(fetchmail_t)
- ')
-
-diff --git a/finger.te b/finger.te
-index 9b7036a..864b94a 100644
---- a/finger.te
-+++ b/finger.te
-@@ -46,7 +46,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file)
- kernel_read_kernel_sysctls(fingerd_t)
- kernel_read_system_state(fingerd_t)
-
--corenet_all_recvfrom_unlabeled(fingerd_t)
- corenet_all_recvfrom_netlabel(fingerd_t)
- corenet_tcp_sendrecv_generic_if(fingerd_t)
- corenet_udp_sendrecv_generic_if(fingerd_t)
-@@ -66,6 +65,7 @@ term_getattr_all_ttys(fingerd_t)
- term_getattr_all_ptys(fingerd_t)
-
- auth_read_lastlog(fingerd_t)
-+auth_use_nsswitch(fingerd_t)
-
- corecmd_exec_bin(fingerd_t)
- corecmd_exec_shell(fingerd_t)
-@@ -73,7 +73,6 @@ corecmd_exec_shell(fingerd_t)
- domain_use_interactive_fds(fingerd_t)
-
- files_search_home(fingerd_t)
--files_read_etc_files(fingerd_t)
- files_read_etc_runtime_files(fingerd_t)
-
- init_read_utmp(fingerd_t)
-@@ -85,7 +84,6 @@ mta_getattr_spool(fingerd_t)
-
- sysnet_read_config(fingerd_t)
-
--miscfiles_read_localization(fingerd_t)
-
- # stop it accessing sub-directories, prevents checking a Maildir for new mail,
- # have to change this when we create a type for Maildir
-diff --git a/firewalld.fc b/firewalld.fc
-new file mode 100644
-index 0000000..f440549
---- /dev/null
-+++ b/firewalld.fc
-@@ -0,0 +1,13 @@
-+
-+/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
-+
-+/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
-+
-+/usr/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
-+
-+/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
-+
-+/var/log/firewalld -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
-+
-+/var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0)
-+/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0)
-diff --git a/firewalld.if b/firewalld.if
-new file mode 100644
-index 0000000..c4c7510
---- /dev/null
-+++ b/firewalld.if
-@@ -0,0 +1,130 @@
-+## policy for firewalld
-+
-+########################################
-+##
-+## Execute a domain transition to run firewalld.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`firewalld_domtrans',`
-+ gen_require(`
-+ type firewalld_t, firewalld_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, firewalld_exec_t, firewalld_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute firewalld server in the firewalld domain.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`firewalld_initrc_domtrans',`
-+ gen_require(`
-+ type firewalld_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Execute firewalld server in the firewalld domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`firewalld_systemctl',`
-+ gen_require(`
-+ type firewalld_t;
-+ type firewalld_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 firewalld_unit_file_t:file read_file_perms;
-+ allow $1 firewalld_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, firewalld_t)
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## firewalld over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`firewalld_dbus_chat',`
-+ gen_require(`
-+ type firewalld_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 firewalld_t:dbus send_msg;
-+ allow firewalld_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an firewalld environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`firewalld_admin',`
-+ gen_require(`
-+ type firewalld_t, firewalld_initrc_exec_t;
-+ type firewall_etc_rw_t, firewalld_var_run_t;
-+ type firewalld_var_log_t;
-+ ')
-+
-+ allow $1 firewalld_t:process signal_perms;
-+ ps_process_pattern($1, firewalld_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 firewalld_t:process ptrace;
-+ ')
-+
-+ firewalld_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 firewalld_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_pids($1)
-+ admin_pattern($1, firewalld_var_run_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, firewalld_var_log_t)
-+
-+ admin_pattern($1, firewall_etc_rw_t)
-+
-+ admin_pattern($1, firewalld_unit_file_t)
-+ firewalld_systemctl($1)
-+ allow $1 firewalld_unit_file_t:service all_service_perms;
-+')
-diff --git a/firewalld.te b/firewalld.te
-new file mode 100644
-index 0000000..a7fcf3c
---- /dev/null
-+++ b/firewalld.te
-@@ -0,0 +1,94 @@
-+
-+policy_module(firewalld,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type firewalld_t;
-+type firewalld_exec_t;
-+init_daemon_domain(firewalld_t, firewalld_exec_t)
-+
-+type firewalld_initrc_exec_t;
-+init_script_file(firewalld_initrc_exec_t)
-+
-+type firewalld_etc_rw_t;
-+files_config_file(firewalld_etc_rw_t)
-+
-+type firewalld_var_log_t;
-+logging_log_file(firewalld_var_log_t)
-+
-+type firewalld_var_run_t;
-+files_pid_file(firewalld_var_run_t)
-+
-+type firewalld_unit_file_t;
-+systemd_unit_file(firewalld_unit_file_t)
-+
-+########################################
-+#
-+# firewalld local policy
-+#
-+dontaudit firewalld_t self:capability sys_tty_config;
-+allow firewalld_t self:fifo_file rw_fifo_file_perms;
-+allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
-+manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
-+
-+append_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
-+create_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
-+read_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
-+setattr_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
-+logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
-+
-+# should be fixed to cooperate with systemd to create /var/run/firewalld directory
-+manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
-+files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file })
-+
-+kernel_read_network_state(firewalld_t)
-+kernel_read_system_state(firewalld_t)
-+
-+corecmd_exec_bin(firewalld_t)
-+corecmd_exec_shell(firewalld_t)
-+
-+dev_read_urand(firewalld_t)
-+
-+domain_use_interactive_fds(firewalld_t)
-+
-+files_read_etc_files(firewalld_t)
-+files_read_usr_files(firewalld_t)
-+
-+fs_getattr_xattr_fs(firewalld_t)
-+
-+auth_read_passwd(firewalld_t)
-+
-+logging_send_syslog_msg(firewalld_t)
-+
-+sysnet_dns_name_resolve(firewalld_t)
-+
-+sysnet_read_config(firewalld_t)
-+
-+optional_policy(`
-+ dbus_system_domain(firewalld_t, firewalld_exec_t)
-+
-+ optional_policy(`
-+ devicekit_dbus_chat_power(firewalld_t)
-+ ')
-+
-+ optional_policy(`
-+ policykit_dbus_chat(firewalld_t)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(firewalld_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ iptables_domtrans(firewalld_t)
-+')
-+
-+optional_policy(`
-+ modutils_domtrans_insmod(firewalld_t)
-+')
-diff --git a/firewallgui.fc b/firewallgui.fc
-new file mode 100644
-index 0000000..ce498b3
---- /dev/null
-+++ b/firewallgui.fc
-@@ -0,0 +1,3 @@
-+
-+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
-+
-diff --git a/firewallgui.if b/firewallgui.if
-new file mode 100644
-index 0000000..2bd5790
---- /dev/null
-+++ b/firewallgui.if
-@@ -0,0 +1,41 @@
-+
-+## policy for firewallgui
-+
-+########################################
-+##
-+## Send and receive messages from
-+## firewallgui over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`firewallgui_dbus_chat',`
-+ gen_require(`
-+ type firewallgui_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 firewallgui_t:dbus send_msg;
-+ allow firewallgui_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Read and write firewallgui unnamed pipes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`firewallgui_dontaudit_rw_pipes',`
-+ gen_require(`
-+ type firewallgui_t;
-+ ')
-+
-+ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-diff --git a/firewallgui.te b/firewallgui.te
-new file mode 100644
-index 0000000..6bd855e
---- /dev/null
-+++ b/firewallgui.te
-@@ -0,0 +1,73 @@
-+policy_module(firewallgui,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type firewallgui_t;
-+type firewallgui_exec_t;
-+dbus_system_domain(firewallgui_t, firewallgui_exec_t)
-+init_daemon_domain(firewallgui_t, firewallgui_exec_t)
-+
-+type firewallgui_tmp_t;
-+files_tmp_file(firewallgui_tmp_t)
-+
-+########################################
-+#
-+# firewallgui local policy
-+#
-+
-+allow firewallgui_t self:capability { net_admin sys_rawio } ;
-+allow firewallgui_t self:fifo_file rw_fifo_file_perms;
-+
-+manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
-+manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
-+files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir })
-+
-+kernel_read_system_state(firewallgui_t)
-+kernel_read_network_state(firewallgui_t)
-+kernel_rw_net_sysctls(firewallgui_t)
-+kernel_rw_kernel_sysctl(firewallgui_t)
-+kernel_rw_vm_sysctls(firewallgui_t)
-+
-+corecmd_exec_shell(firewallgui_t)
-+corecmd_exec_bin(firewallgui_t)
-+
-+dev_read_urand(firewallgui_t)
-+dev_read_sysfs(firewallgui_t)
-+
-+files_manage_system_conf_files(firewallgui_t)
-+files_etc_filetrans_system_conf(firewallgui_t)
-+files_read_usr_files(firewallgui_t)
-+files_search_kernel_modules(firewallgui_t)
-+files_list_kernel_modules(firewallgui_t)
-+
-+auth_use_nsswitch(firewallgui_t)
-+
-+
-+seutil_read_config(firewallgui_t)
-+
-+userdom_dontaudit_search_user_home_dirs(firewallgui_t)
-+
-+optional_policy(`
-+ consoletype_exec(firewallgui_t)
-+')
-+
-+optional_policy(`
-+ gnome_read_gconf_home_files(firewallgui_t)
-+')
-+
-+optional_policy(`
-+ iptables_domtrans(firewallgui_t)
-+ iptables_initrc_domtrans(firewallgui_t)
-+ iptables_systemctl(firewallgui_t)
-+')
-+
-+optional_policy(`
-+ modutils_getattr_module_deps(firewallgui_t)
-+')
-+
-+optional_policy(`
-+ policykit_dbus_chat(firewallgui_t)
-+')
-diff --git a/firstboot.if b/firstboot.if
-index 8fa451c..f3a67c9 100644
---- a/firstboot.if
-+++ b/firstboot.if
-@@ -85,6 +85,25 @@ interface(`firstboot_dontaudit_use_fds',`
-
- ########################################
- ##
-+## dontaudit read and write an leaked file descriptors
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`firstboot_dontaudit_leaks',`
-+ gen_require(`
-+ type firstboot_t;
-+ ')
-+
-+ dontaudit $1 firstboot_t:socket_class_set { read write };
-+ dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
- ## Write to a firstboot unnamed pipe.
- ##
- ##
-@@ -98,6 +117,7 @@ interface(`firstboot_write_pipes',`
- type firstboot_t;
- ')
-
-+ allow $1 firstboot_t:fd use;
- allow $1 firstboot_t:fifo_file write;
- ')
-
-diff --git a/firstboot.te b/firstboot.te
-index c4d8998..0647c46 100644
---- a/firstboot.te
-+++ b/firstboot.te
-@@ -1,7 +1,7 @@
- policy_module(firstboot, 1.12.0)
-
- gen_require(`
-- class passwd rootok;
-+ class passwd { passwd chfn chsh rootok crontab };
- ')
-
- ########################################
-@@ -29,14 +29,16 @@ allow firstboot_t self:process setfscreate;
- allow firstboot_t self:fifo_file rw_fifo_file_perms;
- allow firstboot_t self:tcp_socket create_stream_socket_perms;
- allow firstboot_t self:unix_stream_socket { connect create };
--allow firstboot_t self:passwd rootok;
-+allow firstboot_t self:passwd { rootok passwd chfn chsh };
-
- allow firstboot_t firstboot_etc_t:file read_file_perms;
-
-+files_manage_generic_tmp_dirs(firstboot_t)
-+files_manage_generic_tmp_files(firstboot_t)
-+
- kernel_read_system_state(firstboot_t)
- kernel_read_kernel_sysctls(firstboot_t)
-
--corenet_all_recvfrom_unlabeled(firstboot_t)
- corenet_all_recvfrom_netlabel(firstboot_t)
- corenet_tcp_sendrecv_generic_if(firstboot_t)
- corenet_tcp_sendrecv_generic_node(firstboot_t)
-@@ -62,6 +64,8 @@ files_read_usr_files(firstboot_t)
- files_manage_var_dirs(firstboot_t)
- files_manage_var_files(firstboot_t)
- files_manage_var_symlinks(firstboot_t)
-+files_create_boot_flag(firstboot_t)
-+files_delete_boot_flag(firstboot_t)
-
- init_domtrans_script(firstboot_t)
- init_rw_utmp(firstboot_t)
-@@ -73,14 +77,10 @@ locallogin_use_fds(firstboot_t)
-
- logging_send_syslog_msg(firstboot_t)
-
--miscfiles_read_localization(firstboot_t)
-+sysnet_dns_name_resolve(firstboot_t)
-
--modutils_domtrans_insmod(firstboot_t)
--modutils_domtrans_depmod(firstboot_t)
--modutils_read_module_config(firstboot_t)
--modutils_read_module_deps(firstboot_t)
-+userdom_use_inherited_user_terminals(firstboot_t)
-
--userdom_use_user_terminals(firstboot_t)
- # Add/remove user home directories
- userdom_manage_user_home_content_dirs(firstboot_t)
- userdom_manage_user_home_content_files(firstboot_t)
-@@ -91,10 +91,6 @@ userdom_home_filetrans_user_home_dir(firstboot_t)
- userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
-
- optional_policy(`
-- consoletype_domtrans(firstboot_t)
--')
--
--optional_policy(`
- dbus_system_bus_client(firstboot_t)
-
- optional_policy(`
-@@ -103,7 +99,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nis_use_ypbind(firstboot_t)
-+ modutils_domtrans_insmod(firstboot_t)
-+ modutils_domtrans_depmod(firstboot_t)
-+ modutils_read_module_config(firstboot_t)
-+ modutils_read_module_deps(firstboot_t)
- ')
-
- optional_policy(`
-@@ -113,18 +112,11 @@ optional_policy(`
- optional_policy(`
- unconfined_domtrans(firstboot_t)
- # The big hammer
-- unconfined_domain(firstboot_t)
--')
--
--optional_policy(`
-- usermanage_domtrans_chfn(firstboot_t)
-- usermanage_domtrans_groupadd(firstboot_t)
-- usermanage_domtrans_passwd(firstboot_t)
-- usermanage_domtrans_useradd(firstboot_t)
-- usermanage_domtrans_admin_passwd(firstboot_t)
-+ unconfined_domain_noaudit(firstboot_t)
- ')
-
- optional_policy(`
-+ gnome_admin_home_gconf_filetrans(firstboot_t, dir)
- gnome_manage_config(firstboot_t)
- ')
-
-@@ -132,4 +124,5 @@ optional_policy(`
- xserver_domtrans(firstboot_t)
- xserver_rw_shm(firstboot_t)
- xserver_unconfined(firstboot_t)
-+ xserver_stream_connect(firstboot_t)
- ')
-diff --git a/fprintd.if b/fprintd.if
-index ebad8c4..640293e 100644
---- a/fprintd.if
-+++ b/fprintd.if
-@@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',`
- allow $1 fprintd_t:dbus send_msg;
- allow fprintd_t $1:dbus send_msg;
- ')
--
-diff --git a/fprintd.te b/fprintd.te
-index 7df52c7..46499bd 100644
---- a/fprintd.te
-+++ b/fprintd.te
-@@ -7,7 +7,7 @@ policy_module(fprintd, 1.1.0)
-
- type fprintd_t;
- type fprintd_exec_t;
--dbus_system_domain(fprintd_t, fprintd_exec_t)
-+init_daemon_domain(fprintd_t, fprintd_exec_t)
-
- type fprintd_var_lib_t;
- files_type(fprintd_var_lib_t)
-@@ -17,9 +17,10 @@ files_type(fprintd_var_lib_t)
- # Local policy
- #
-
--allow fprintd_t self:capability sys_ptrace;
-+allow fprintd_t self:capability sys_nice;
-+
- allow fprintd_t self:fifo_file rw_fifo_file_perms;
--allow fprintd_t self:process { getsched signal };
-+allow fprintd_t self:process { getsched setsched signal sigkill };
-
- manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
- manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -33,14 +34,12 @@ dev_list_usbfs(fprintd_t)
- dev_rw_generic_usb_dev(fprintd_t)
- dev_read_sysfs(fprintd_t)
-
--files_read_etc_files(fprintd_t)
- files_read_usr_files(fprintd_t)
-
- fs_getattr_all_fs(fprintd_t)
-
- auth_use_nsswitch(fprintd_t)
-
--miscfiles_read_localization(fprintd_t)
-
- userdom_use_user_ptys(fprintd_t)
- userdom_read_all_users_state(fprintd_t)
-@@ -50,8 +49,17 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dbus_system_domain(fprintd_t, fprintd_exec_t)
-+')
-+
-+optional_policy(`
- policykit_read_reload(fprintd_t)
- policykit_read_lib(fprintd_t)
- policykit_dbus_chat(fprintd_t)
- policykit_domtrans_auth(fprintd_t)
-+ policykit_dbus_chat_auth(fprintd_t)
-+')
-+
-+optional_policy(`
-+ xserver_read_state_xdm(fprintd_t)
- ')
-diff --git a/ftp.fc b/ftp.fc
-index 69dcd2a..4d97da7 100644
---- a/ftp.fc
-+++ b/ftp.fc
-@@ -6,6 +6,9 @@
- /etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+
- #
- # /usr
- #
-@@ -29,3 +32,4 @@
- /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
- /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
- /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
-+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
-diff --git a/ftp.if b/ftp.if
-index 9d3201b..6e75e3d 100644
---- a/ftp.if
-+++ b/ftp.if
-@@ -1,5 +1,66 @@
- ## File transfer protocol service
-
-+######################################
-+##
-+## Execute a domain transition to run ftpd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ftp_domtrans',`
-+ gen_require(`
-+ type ftpd_t, ftpd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1,ftpd_exec_t, ftpd_t)
-+
-+')
-+
-+#######################################
-+##
-+## Execute ftpd server in the ftpd domain.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`ftp_initrc_domtrans',`
-+ gen_require(`
-+ type ftpd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Execute ftpd server in the ftpd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ftp_systemctl',`
-+ gen_require(`
-+ type ftpd_unit_file_t;
-+ type ftpd_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 ftpd_unit_file_t:file read_file_perms;
-+ allow $1 ftpd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, ftpd_t)
-+')
-+
- #######################################
- ##
- ## Allow domain dyntransition to sftpd_anon domain.
-@@ -174,10 +235,14 @@ interface(`ftp_admin',`
- type ftpd_etc_t, ftpd_lock_t;
- type ftpd_var_run_t, xferlog_t;
- type ftpd_initrc_exec_t;
-+ type ftpd_unit_file_t;
- ')
-
-- allow $1 ftpd_t:process { ptrace signal_perms };
-+ allow $1 ftpd_t:process signal_perms;
- ps_process_pattern($1, ftpd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ftpd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -203,4 +268,8 @@ interface(`ftp_admin',`
-
- logging_list_logs($1)
- admin_pattern($1, xferlog_t)
-+
-+ ftp_systemctl($1)
-+ admin_pattern($1, ftpd_unit_file_t)
-+ allow $1 ftpd_unit_file_t:service all_service_perms;
- ')
-diff --git a/ftp.te b/ftp.te
-index 80026bb..30968b3 100644
---- a/ftp.te
-+++ b/ftp.te
-@@ -12,7 +12,7 @@ policy_module(ftp, 1.14.0)
- ## public_content_rw_t.
- ##
- ##
--gen_tunable(allow_ftpd_anon_write, false)
-+gen_tunable(ftpd_anon_write, false)
-
- ##
- ##
-@@ -20,7 +20,7 @@ gen_tunable(allow_ftpd_anon_write, false)
- ## read/write all files on the system, governed by DAC.
- ##
- ##
--gen_tunable(allow_ftpd_full_access, false)
-+gen_tunable(ftpd_full_access, false)
-
- ##
- ##
-@@ -28,7 +28,7 @@ gen_tunable(allow_ftpd_full_access, false)
- ## used for public file transfer services.
- ##
- ##
--gen_tunable(allow_ftpd_use_cifs, false)
-+gen_tunable(ftpd_use_cifs, false)
-
- ##
- ##
-@@ -36,7 +36,28 @@ gen_tunable(allow_ftpd_use_cifs, false)
- ## used for public file transfer services.
- ##
- ##
--gen_tunable(allow_ftpd_use_nfs, false)
-+gen_tunable(ftpd_use_nfs, false)
-+
-+##
-+##
-+## Allow ftp servers to connect to mysql database ports
-+##
-+##
-+gen_tunable(ftpd_connect_db, false)
-+
-+##
-+##
-+## Allow ftp servers to use bind to all unreserved ports for passive mode
-+##
-+##
-+gen_tunable(ftpd_use_passive_mode, false)
-+
-+##
-+##
-+## Allow ftp servers to connect to all ports > 1023
-+##
-+##
-+gen_tunable(ftpd_connect_all_unreserved, false)
-
- ##
- ##
-@@ -70,6 +91,14 @@ gen_tunable(sftpd_enable_homedirs, false)
- ##
- gen_tunable(sftpd_full_access, false)
-
-+##
-+##
-+## Allow internal-sftp to read and write files
-+## in the user ssh home directories.
-+##
-+##
-+gen_tunable(sftpd_write_ssh_home, false)
-+
- type anon_sftpd_t;
- typealias anon_sftpd_t alias sftpd_anon_t;
- domain_type(anon_sftpd_t)
-@@ -85,6 +114,9 @@ files_config_file(ftpd_etc_t)
- type ftpd_initrc_exec_t;
- init_script_file(ftpd_initrc_exec_t)
-
-+type ftpd_unit_file_t;
-+systemd_unit_file(ftpd_unit_file_t)
-+
- type ftpd_lock_t;
- files_lock_file(ftpd_lock_t)
-
-@@ -115,6 +147,10 @@ ifdef(`enable_mcs',`
- init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
- ')
-
-+ifdef(`enable_mls',`
-+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
-+')
-+
- ########################################
- #
- # anon-sftp local policy
-@@ -133,7 +169,7 @@ tunable_policy(`sftpd_anon_write',`
- # ftpd local policy
- #
-
--allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
-+allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource };
- dontaudit ftpd_t self:capability sys_tty_config;
- allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
- allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -151,7 +187,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
-
- manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
- manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
--files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
-
- manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
- manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -163,13 +198,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
- manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
- manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
- manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
--files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
-+files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
-
- # proftpd requires the client side to bind a socket so that
- # it can stat the socket to perform access control decisions,
- # since getsockopt with SO_PEERCRED is not available on all
- # proftpd-supported OSs
--allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
-+allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
-
- # Create and modify /var/log/xferlog.
- manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -177,14 +212,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
-
- kernel_read_kernel_sysctls(ftpd_t)
- kernel_read_system_state(ftpd_t)
--kernel_search_network_state(ftpd_t)
-+kernel_read_network_state(ftpd_t)
-
- dev_read_sysfs(ftpd_t)
- dev_read_urand(ftpd_t)
-
- corecmd_exec_bin(ftpd_t)
-
--corenet_all_recvfrom_unlabeled(ftpd_t)
- corenet_all_recvfrom_netlabel(ftpd_t)
- corenet_tcp_sendrecv_generic_if(ftpd_t)
- corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -196,9 +230,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
- corenet_tcp_bind_ftp_port(ftpd_t)
- corenet_tcp_bind_ftp_data_port(ftpd_t)
- corenet_tcp_bind_generic_port(ftpd_t)
--corenet_tcp_bind_all_unreserved_ports(ftpd_t)
--corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
--corenet_tcp_connect_all_ports(ftpd_t)
-+corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
-+corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
- corenet_sendrecv_ftp_server_packets(ftpd_t)
-
- domain_use_interactive_fds(ftpd_t)
-@@ -212,13 +245,11 @@ fs_search_auto_mountpoints(ftpd_t)
- fs_getattr_all_fs(ftpd_t)
- fs_search_fusefs(ftpd_t)
-
--auth_use_nsswitch(ftpd_t)
--auth_domtrans_chk_passwd(ftpd_t)
--# Append to /var/log/wtmp.
--auth_append_login_records(ftpd_t)
-+auth_use_pam(ftpd_t)
- #kerberized ftp requires the following
- auth_write_login_records(ftpd_t)
- auth_rw_faillog(ftpd_t)
-+auth_manage_var_auth(ftpd_t)
-
- init_rw_utmp(ftpd_t)
-
-@@ -226,42 +257,47 @@ logging_send_audit_msgs(ftpd_t)
- logging_send_syslog_msg(ftpd_t)
- logging_set_loginuid(ftpd_t)
-
--miscfiles_read_localization(ftpd_t)
- miscfiles_read_public_files(ftpd_t)
-
--seutil_dontaudit_search_config(ftpd_t)
--
- sysnet_read_config(ftpd_t)
- sysnet_use_ldap(ftpd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
- userdom_dontaudit_search_user_home_dirs(ftpd_t)
-
--tunable_policy(`allow_ftpd_anon_write',`
-+tunable_policy(`ftpd_anon_write',`
- miscfiles_manage_public_files(ftpd_t)
- ')
-
--tunable_policy(`allow_ftpd_use_cifs',`
-+tunable_policy(`ftpd_use_cifs',`
- fs_read_cifs_files(ftpd_t)
- fs_read_cifs_symlinks(ftpd_t)
- ')
-
--tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
-+tunable_policy(`ftpd_use_cifs && ftpd_anon_write',`
- fs_manage_cifs_files(ftpd_t)
- ')
-
--tunable_policy(`allow_ftpd_use_nfs',`
-+tunable_policy(`ftpd_use_nfs',`
- fs_read_nfs_files(ftpd_t)
- fs_read_nfs_symlinks(ftpd_t)
- ')
-
--tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
-+tunable_policy(`ftpd_use_nfs && ftpd_anon_write',`
- fs_manage_nfs_files(ftpd_t)
- ')
-
--tunable_policy(`allow_ftpd_full_access',`
-+tunable_policy(`ftpd_full_access',`
- allow ftpd_t self:capability { dac_override dac_read_search };
-- files_manage_non_auth_files(ftpd_t)
-+ files_manage_non_security_files(ftpd_t)
-+')
-+
-+tunable_policy(`ftpd_use_passive_mode',`
-+ corenet_tcp_bind_all_unreserved_ports(ftpd_t)
-+')
-+
-+tunable_policy(`ftpd_connect_all_unreserved',`
-+ corenet_tcp_connect_all_unreserved_ports(ftpd_t)
- ')
-
- tunable_policy(`ftp_home_dir',`
-@@ -270,10 +306,13 @@ tunable_policy(`ftp_home_dir',`
- # allow access to /home
- files_list_home(ftpd_t)
- userdom_read_user_home_content_files(ftpd_t)
-- userdom_manage_user_home_content_dirs(ftpd_t)
-- userdom_manage_user_home_content_files(ftpd_t)
-- userdom_manage_user_home_content_symlinks(ftpd_t)
-- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
-+ userdom_manage_user_home_content(ftpd_t)
-+ userdom_manage_user_tmp_files(ftpd_t)
-+ userdom_tmp_filetrans_user_tmp(ftpd_t, file)
-+',`
-+ # Needed for permissive mode, to make sure everything gets labeled correctly
-+ userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
-+ files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
- ')
-
- tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,10 +348,35 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ fail2ban_read_lib_files(ftpd_t)
-+')
-+
-+optional_policy(`
- selinux_validate_context(ftpd_t)
-
- kerberos_keytab_template(ftpd, ftpd_t)
-- kerberos_manage_host_rcache(ftpd_t)
-+ # this part of auth_use_pam
-+ #kerberos_manage_host_rcache(ftpd_t)
-+ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
-+')
-+
-+optional_policy(`
-+ tunable_policy(`ftpd_connect_db',`
-+ mysql_stream_connect(ftpd_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ tunable_policy(`ftpd_connect_db',`
-+ postgresql_stream_connect(ftpd_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ tunable_policy(`ftpd_connect_db',`
-+ mysql_tcp_connect(ftpd_t)
-+ postgresql_tcp_connect(ftpd_t)
-+ ')
- ')
-
- optional_policy(`
-@@ -347,16 +411,17 @@ optional_policy(`
-
- # Allow ftpdctl to talk to ftpd over a socket connection
- stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
-+files_search_pids(ftpdctl_t)
-
- # ftpdctl creates a socket so that the daemon can perform
- # access control decisions (see comments in ftpd_t rules above)
--allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
-+allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
- files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
-
- # Allow ftpdctl to read config files
- files_read_etc_files(ftpdctl_t)
-
--userdom_use_user_terminals(ftpdctl_t)
-+userdom_use_inherited_user_terminals(ftpdctl_t)
-
- ########################################
- #
-@@ -365,18 +430,34 @@ userdom_use_user_terminals(ftpdctl_t)
-
- files_read_etc_files(sftpd_t)
-
-+
- # allow read access to /home by default
- userdom_read_user_home_content_files(sftpd_t)
- userdom_read_user_home_content_symlinks(sftpd_t)
-+userdom_dontaudit_list_admin_dir(sftpd_t)
-+
-+tunable_policy(`sftpd_full_access',`
-+ allow sftpd_t self:capability { dac_override dac_read_search };
-+ fs_read_noxattr_fs_files(sftpd_t)
-+ files_manage_non_security_files(sftpd_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`sftpd_write_ssh_home',`
-+ ssh_manage_home_files(sftpd_t)
-+ ')
-+')
-
- tunable_policy(`sftpd_enable_homedirs',`
- allow sftpd_t self:capability { dac_override dac_read_search };
-
- # allow access to /home
- files_list_home(sftpd_t)
-- userdom_manage_user_home_content_files(sftpd_t)
-- userdom_manage_user_home_content_dirs(sftpd_t)
-- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
-+ userdom_read_user_home_content_files(sftpd_t)
-+ userdom_manage_user_home_content(sftpd_t)
-+',`
-+ # Needed for permissive mode, to make sure everything gets labeled correctly
-+ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
- ')
-
- tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +475,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
- tunable_policy(`sftpd_full_access',`
- allow sftpd_t self:capability { dac_override dac_read_search };
- fs_read_noxattr_fs_files(sftpd_t)
-- files_manage_non_auth_files(sftpd_t)
-+ files_manage_non_security_files(sftpd_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- # allow read access to /home by default
-- fs_list_cifs(sftpd_t)
-- fs_read_cifs_files(sftpd_t)
-- fs_read_cifs_symlinks(sftpd_t)
--')
--
--tunable_policy(`use_nfs_home_dirs',`
-- # allow read access to /home by default
-- fs_list_nfs(sftpd_t)
-- fs_read_nfs_files(sftpd_t)
-- fs_read_nfs_symlinks(ftpd_t)
--')
-+userdom_home_reader(sftpd_t)
-diff --git a/games.te b/games.te
-index b73d33c..ffacbd2 100644
---- a/games.te
-+++ b/games.te
-@@ -75,8 +75,6 @@ init_use_script_ptys(games_srv_t)
-
- logging_send_syslog_msg(games_srv_t)
-
--miscfiles_read_localization(games_srv_t)
--
- userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
-
- userdom_dontaudit_search_user_home_dirs(games_srv_t)
-@@ -120,7 +118,6 @@ kernel_read_system_state(games_t)
-
- corecmd_exec_bin(games_t)
-
--corenet_all_recvfrom_unlabeled(games_t)
- corenet_all_recvfrom_netlabel(games_t)
- corenet_tcp_sendrecv_generic_if(games_t)
- corenet_udp_sendrecv_generic_if(games_t)
-@@ -151,9 +148,6 @@ init_dontaudit_rw_utmp(games_t)
-
- logging_dontaudit_search_logs(games_t)
-
--miscfiles_read_man_pages(games_t)
--miscfiles_read_localization(games_t)
--
- sysnet_read_config(games_t)
-
- userdom_manage_user_tmp_dirs(games_t)
-@@ -163,7 +157,7 @@ userdom_manage_user_tmp_sockets(games_t)
- # Suppress .icons denial until properly implemented
- userdom_dontaudit_read_user_home_content_files(games_t)
-
--tunable_policy(`allow_execmem',`
-+tunable_policy(`deny_execmem',`', `
- allow games_t self:process execmem;
- ')
-
-diff --git a/gatekeeper.te b/gatekeeper.te
-index 99a94de..8b84eda 100644
---- a/gatekeeper.te
-+++ b/gatekeeper.te
-@@ -33,7 +33,7 @@ allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
- allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
- allow gatekeeper_t self:udp_socket create_socket_perms;
-
--allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
-+allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms;
- allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
- files_search_etc(gatekeeper_t)
-
-@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(gatekeeper_t)
-
- corecmd_list_bin(gatekeeper_t)
-
--corenet_all_recvfrom_unlabeled(gatekeeper_t)
- corenet_all_recvfrom_netlabel(gatekeeper_t)
- corenet_tcp_sendrecv_generic_if(gatekeeper_t)
- corenet_udp_sendrecv_generic_if(gatekeeper_t)
-@@ -79,8 +78,6 @@ fs_search_auto_mountpoints(gatekeeper_t)
-
- logging_send_syslog_msg(gatekeeper_t)
-
--miscfiles_read_localization(gatekeeper_t)
--
- sysnet_read_config(gatekeeper_t)
-
- userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
-diff --git a/gift.te b/gift.te
-index 4975343..1c20b64 100644
---- a/gift.te
-+++ b/gift.te
-@@ -52,7 +52,6 @@ domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
- kernel_read_system_state(gift_t)
-
- # Connect to gift daemon
--corenet_all_recvfrom_unlabeled(gift_t)
- corenet_all_recvfrom_netlabel(gift_t)
- corenet_tcp_sendrecv_generic_if(gift_t)
- corenet_tcp_sendrecv_generic_node(gift_t)
-@@ -67,17 +66,7 @@ sysnet_read_config(gift_t)
- # giftui looks in .icons, .themes.
- userdom_dontaudit_read_user_home_content_files(gift_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(gift_t)
-- fs_manage_nfs_files(gift_t)
-- fs_manage_nfs_symlinks(gift_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(gift_t)
-- fs_manage_cifs_files(gift_t)
-- fs_manage_cifs_symlinks(gift_t)
--')
-+userdom_home_manager(gift_t)
-
- optional_policy(`
- nscd_socket_use(gift_t)
-@@ -106,7 +95,6 @@ kernel_read_system_state(giftd_t)
- kernel_read_kernel_sysctls(giftd_t)
-
- # Serve content on various p2p networks. Ports can be random.
--corenet_all_recvfrom_unlabeled(giftd_t)
- corenet_all_recvfrom_netlabel(giftd_t)
- corenet_tcp_sendrecv_generic_if(giftd_t)
- corenet_udp_sendrecv_generic_if(giftd_t)
-@@ -125,20 +113,8 @@ files_read_usr_files(giftd_t)
- # Read /etc/mtab
- files_read_etc_runtime_files(giftd_t)
-
--miscfiles_read_localization(giftd_t)
-
- sysnet_read_config(giftd_t)
-
--userdom_use_user_terminals(giftd_t)
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(giftd_t)
-- fs_manage_nfs_files(giftd_t)
-- fs_manage_nfs_symlinks(giftd_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(giftd_t)
-- fs_manage_cifs_files(giftd_t)
-- fs_manage_cifs_symlinks(giftd_t)
--')
-+userdom_use_inherited_user_terminals(giftd_t)
-+userdom_home_manager(gitd_t)
-diff --git a/git.fc b/git.fc
-index 13e72a7..a4dc0b9 100644
---- a/git.fc
-+++ b/git.fc
-@@ -1,11 +1,15 @@
- HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
-
-+/srv/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
-+
- /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
-
- /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-+/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-
- /var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
-
- /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
- /var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
- /var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-+/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-diff --git a/git.if b/git.if
-index b0242d9..407e79d 100644
---- a/git.if
-+++ b/git.if
-@@ -15,9 +15,9 @@
- ##
- ##
- #
--template(`git_role',`
-+template(`git_session_role',`
- gen_require(`
-- type git_session_t, gitd_exec_t, git_user_content_t;
-+ type git_session_t, gitd_exec_t;
- ')
-
- ########################################
-@@ -32,19 +32,495 @@ template(`git_role',`
- # Policy
- #
-
-- manage_dirs_pattern($2, git_user_content_t, git_user_content_t)
-- relabel_dirs_pattern($2, git_user_content_t, git_user_content_t)
--
-- exec_files_pattern($2, git_user_content_t, git_user_content_t)
-- manage_files_pattern($2, git_user_content_t, git_user_content_t)
-- relabel_files_pattern($2, git_user_content_t, git_user_content_t)
--
-- allow $2 git_session_t:process { ptrace signal_perms };
-+ allow $2 git_session_t:process signal_perms;
- ps_process_pattern($2, git_session_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 git_session_t:process ptrace;
-+ ')
-+
- tunable_policy(`git_session_users',`
- domtrans_pattern($2, gitd_exec_t, git_session_t)
- ',`
- can_exec($2, gitd_exec_t)
- ')
- ')
-+
-+########################################
-+##
-+## Create a set of derived types for Git
-+## daemon shared repository content.
-+##
-+##
-+##
-+## The prefix to be used for deriving type names.
-+##
-+##
-+#
-+template(`git_content_template',`
-+ gen_require(`
-+ attribute git_system_content, git_content;
-+ ')
-+
-+ ########################################
-+ #
-+ # Git daemon content shared declarations.
-+ #
-+
-+ type git_$1_content_t, git_system_content, git_content;
-+ files_type(git_$1_content_t)
-+')
-+
-+########################################
-+##
-+## Create a set of derived types for Git
-+## daemon shared repository roles.
-+##
-+##
-+##
-+## The prefix to be used for deriving type names.
-+##
-+##
-+#
-+template(`git_role_template',`
-+ gen_require(`
-+ class context contains;
-+ role system_r;
-+ ')
-+
-+ ########################################
-+ #
-+ # Git daemon role shared declarations.
-+ #
-+
-+ attribute $1_usertype;
-+
-+ type $1_t;
-+ userdom_unpriv_usertype($1, $1_t)
-+ domain_type($1_t)
-+
-+ role $1_r types $1_t;
-+ allow system_r $1_r;
-+
-+ ########################################
-+ #
-+ # Git daemon role shared policy.
-+ #
-+
-+ allow $1_t self:context contains;
-+ allow $1_t self:fifo_file rw_fifo_file_perms;
-+
-+ corecmd_exec_bin($1_t)
-+ corecmd_bin_entry_type($1_t)
-+ corecmd_shell_entry_type($1_t)
-+
-+ domain_interactive_fd($1_t)
-+ domain_user_exemption_target($1_t)
-+
-+ kernel_read_system_state($1_t)
-+
-+ files_read_etc_files($1_t)
-+ files_dontaudit_search_home($1_t)
-+
-+
-+ git_rwx_generic_system_content($1_t)
-+
-+ ssh_rw_stream_sockets($1_t)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_exec_cifs_files($1_t)
-+ fs_manage_cifs_dirs($1_t)
-+ fs_manage_cifs_files($1_t)
-+ ')
-+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_exec_nfs_files($1_t)
-+ fs_manage_nfs_dirs($1_t)
-+ fs_manage_nfs_files($1_t)
-+ ')
-+
-+ optional_policy(`
-+ nscd_read_pid($1_t)
-+ ')
-+')
-+
-+#######################################
-+##
-+## Allow specified domain access to the
-+## specified Git daemon content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Type of the object that access is allowed to.
-+##
-+##
-+#
-+interface(`git_content_delegation',`
-+ gen_require(`
-+ type $1, $2;
-+ ')
-+
-+ exec_files_pattern($1, $2, $2)
-+ manage_dirs_pattern($1, $2, $2)
-+ manage_files_pattern($1, $2, $2)
-+ files_search_var_lib($1)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_exec_cifs_files($1)
-+ fs_manage_cifs_dirs($1)
-+ fs_manage_cifs_files($1)
-+ ')
-+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_exec_nfs_files($1)
-+ fs_manage_nfs_dirs($1)
-+ fs_manage_nfs_files($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to manage
-+## and execute all Git daemon content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`git_rwx_all_content',`
-+ gen_require(`
-+ attribute git_content;
-+ ')
-+
-+ exec_files_pattern($1, git_content, git_content)
-+ manage_dirs_pattern($1, git_content, git_content)
-+ manage_files_pattern($1, git_content, git_content)
-+ userdom_search_user_home_dirs($1)
-+ files_search_var_lib($1)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_exec_cifs_files($1)
-+ fs_manage_cifs_dirs($1)
-+ fs_manage_cifs_files($1)
-+ ')
-+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_exec_nfs_files($1)
-+ fs_manage_nfs_dirs($1)
-+ fs_manage_nfs_files($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to manage
-+## and execute all Git daemon system content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`git_rwx_all_system_content',`
-+ gen_require(`
-+ attribute git_system_content;
-+ ')
-+
-+ exec_files_pattern($1, git_system_content, git_system_content)
-+ manage_dirs_pattern($1, git_system_content, git_system_content)
-+ manage_files_pattern($1, git_system_content, git_system_content)
-+ files_search_var_lib($1)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_exec_cifs_files($1)
-+ fs_manage_cifs_dirs($1)
-+ fs_manage_cifs_files($1)
-+ ')
-+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_exec_nfs_files($1)
-+ fs_manage_nfs_dirs($1)
-+ fs_manage_nfs_files($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to manage
-+## and execute Git daemon generic system content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`git_rwx_generic_system_content',`
-+ gen_require(`
-+ type git_sys_content_t;
-+ ')
-+
-+ exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
-+ manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
-+ manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
-+ files_search_var_lib($1)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_exec_cifs_files($1)
-+ fs_manage_cifs_dirs($1)
-+ fs_manage_cifs_files($1)
-+ ')
-+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_exec_nfs_files($1)
-+ fs_manage_nfs_dirs($1)
-+ fs_manage_nfs_files($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to read
-+## all Git daemon content files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`git_read_all_content_files',`
-+ gen_require(`
-+ attribute git_content;
-+ ')
-+
-+ list_dirs_pattern($1, git_content, git_content)
-+ read_files_pattern($1, git_content, git_content)
-+ userdom_search_user_home_dirs($1)
-+ files_search_var_lib($1)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_list_cifs($1)
-+ fs_read_cifs_files($1)
-+ ')
-+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_list_nfs($1)
-+ fs_read_nfs_files($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to read
-+## Git daemon session content files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`git_read_session_content_files',`
-+ gen_require(`
-+ type git_user_content_t;
-+ ')
-+
-+ list_dirs_pattern($1, git_user_content_t, git_user_content_t)
-+ read_files_pattern($1, git_user_content_t, git_user_content_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+#######################################
-+##
-+## Dontaudit the specified domain to read
-+## Git daemon session content files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`git_dontaudit_read_session_content_files',`
-+ gen_require(`
-+ type git_user_content_t;
-+ ')
-+
-+ dontaudit $1 git_user_content_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to read
-+## all Git daemon system content files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`git_read_all_system_content_files',`
-+ gen_require(`
-+ attribute git_system_content;
-+ ')
-+
-+ list_dirs_pattern($1, git_system_content, git_system_content)
-+ read_files_pattern($1, git_system_content, git_system_content)
-+ files_search_var_lib($1)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_list_cifs($1)
-+ fs_read_cifs_files($1)
-+ ')
-+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_list_nfs($1)
-+ fs_read_nfs_files($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to read
-+## Git daemon generic system content files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`git_read_generic_system_content_files',`
-+ gen_require(`
-+ type git_sys_content_t;
-+ ')
-+
-+ list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
-+ read_files_pattern($1, git_sys_content_t, git_sys_content_t)
-+ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
-+ files_search_var_lib($1)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_list_cifs($1)
-+ fs_read_cifs_files($1)
-+ ')
-+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_list_nfs($1)
-+ fs_read_nfs_files($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to relabel
-+## all Git daemon content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`git_relabel_all_content',`
-+ gen_require(`
-+ attribute git_content;
-+ ')
-+
-+ relabel_dirs_pattern($1, git_content, git_content)
-+ relabel_files_pattern($1, git_content, git_content)
-+ userdom_search_user_home_dirs($1)
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to relabel
-+## all Git daemon system content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`git_relabel_all_system_content',`
-+ gen_require(`
-+ attribute git_system_content;
-+ ')
-+
-+ relabel_dirs_pattern($1, git_system_content, git_system_content)
-+ relabel_files_pattern($1, git_system_content, git_system_content)
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to relabel
-+## Git daemon generic system content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`git_relabel_generic_system_content',`
-+ gen_require(`
-+ type git_sys_content_t;
-+ ')
-+
-+ relabel_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
-+ relabel_files_pattern($1, git_sys_content_t, git_sys_content_t)
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to relabel
-+## Git daemon session content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`git_relabel_session_content',`
-+ gen_require(`
-+ type git_user_content_t;
-+ ')
-+
-+ relabel_dirs_pattern($1, git_user_content_t, git_user_content_t)
-+ relabel_files_pattern($1, git_user_content_t, git_user_content_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+##
-+## Create Git user content with a
-+## named file transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`git_filetrans_user_content',`
-+ gen_require(`
-+ type git_user_content_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
-+')
-diff --git a/git.te b/git.te
-index 6e8e1f3..decdda3 100644
---- a/git.te
-+++ b/git.te
-@@ -31,20 +31,21 @@ gen_tunable(git_cgi_use_nfs, false)
-
- ##
- ##
--## Determine whether calling user domains
--## can execute Git daemon in the
--## git_session_t domain.
-+## Determine whether Git session daemon
-+## can bind TCP sockets to all
-+## unreserved ports.
- ##
- ##
--gen_tunable(git_session_users, false)
-+gen_tunable(git_session_bind_all_unreserved_ports, false)
-
- ##
- ##
--## Determine whether Git session daemons
--## can send syslog messages.
-+## Determine whether calling user domains
-+## can execute Git daemon in the
-+## git_session_t domain.
- ##
- ##
--gen_tunable(git_session_send_syslog_msg, false)
-+gen_tunable(git_session_users, false)
-
- ##
- ##
-@@ -71,6 +72,10 @@ gen_tunable(git_system_use_cifs, false)
- gen_tunable(git_system_use_nfs, false)
-
- attribute git_daemon;
-+attribute git_system_content;
-+attribute git_content;
-+
-+role git_shell_r;
-
- apache_content_template(git)
-
-@@ -79,13 +84,16 @@ type gitd_exec_t;
- inetd_service_domain(git_system_t, gitd_exec_t)
-
- type git_session_t, git_daemon;
--userdom_user_application_domain(git_session_t, gitd_exec_t)
-+application_domain(git_session_t, gitd_exec_t)
-+ubac_constrained(git_session_t)
-
--type git_sys_content_t;
-+type git_sys_content_t, git_content, git_system_content;
- files_type(git_sys_content_t)
-+typealias git_sys_content_t alias { git_data_t git_system_content_t };
-
--type git_user_content_t;
-+type git_user_content_t, git_content;
- userdom_user_home_content(git_user_content_t)
-+typealias git_user_content_t alias git_session_content_t;
-
- ########################################
- #
-@@ -98,8 +106,9 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
- read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
- userdom_search_user_home_dirs(git_session_t)
-
-+kernel_read_system_state(git_session_t)
-+
- corenet_all_recvfrom_netlabel(git_session_t)
--corenet_all_recvfrom_unlabeled(git_session_t)
- corenet_tcp_bind_generic_node(git_session_t)
- corenet_tcp_sendrecv_generic_if(git_session_t)
- corenet_tcp_sendrecv_generic_node(git_session_t)
-@@ -112,10 +121,13 @@ auth_use_nsswitch(git_session_t)
-
- userdom_use_user_terminals(git_session_t)
-
--tunable_policy(`git_session_send_syslog_msg',`
-- logging_send_syslog_msg(git_session_t)
-+tunable_policy(`git_session_bind_all_unreserved_ports',`
-+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
-+ corenet_sendrecv_generic_server_packets(git_session_t)
- ')
-
-+logging_send_syslog_msg(git_session_t)
-+
- tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(git_session_t)
- ',`
-@@ -133,10 +145,12 @@ tunable_policy(`use_samba_home_dirs',`
- # Git system policy
- #
-
--list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
--read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
-+list_dirs_pattern(git_system_t, git_content, git_content)
-+read_files_pattern(git_system_t, git_content, git_content)
- files_search_var_lib(git_system_t)
-
-+kernel_read_system_state(git_system_t)
-+
- auth_use_nsswitch(git_system_t)
-
- logging_send_syslog_msg(git_system_t)
-@@ -174,8 +188,8 @@ tunable_policy(`git_system_use_nfs',`
- # Git CGI policy
- #
-
--list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
--read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-+list_dirs_pattern(httpd_git_script_t, git_content, git_content)
-+read_files_pattern(httpd_git_script_t, git_content, git_content)
- files_search_var_lib(httpd_git_script_t)
-
- files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
-@@ -217,12 +231,16 @@ tunable_policy(`git_cgi_use_nfs',`
-
- allow git_daemon self:fifo_file rw_fifo_file_perms;
-
--kernel_read_system_state(git_daemon)
--
- corecmd_exec_bin(git_daemon)
-
- files_read_usr_files(git_daemon)
-
- fs_search_auto_mountpoints(git_daemon)
-
--miscfiles_read_localization(git_daemon)
-+
-+########################################
-+#
-+# Git-shell private policy.
-+#
-+git_role_template(git_shell)
-+gen_user(git_shell_u, user, git_shell_r, s0, s0)
-diff --git a/gitosis.fc b/gitosis.fc
-index 24f6441..4de3a6b 100644
---- a/gitosis.fc
-+++ b/gitosis.fc
-@@ -6,4 +6,4 @@ ifdef(`distro_debian',`
- /usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
-
- /var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
--/var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
-+/var/lib/gitolite(3)?(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
-diff --git a/gitosis.te b/gitosis.te
-index 0eb75f4..3607a5b 100644
---- a/gitosis.te
-+++ b/gitosis.te
-@@ -5,6 +5,13 @@ policy_module(gitosis, 1.3.0)
- # Declarations
- #
-
-+##
-+##
-+## Allow gitisis daemon to send mail
-+##
-+##
-+gen_tunable(gitosis_can_sendmail, false)
-+
- type gitosis_t;
- type gitosis_exec_t;
- application_domain(gitosis_t, gitosis_exec_t)
-@@ -36,6 +43,11 @@ files_read_etc_files(gitosis_t)
- files_read_usr_files(gitosis_t)
- files_search_var_lib(gitosis_t)
-
--miscfiles_read_localization(gitosis_t)
-
- sysnet_read_config(gitosis_t)
-+
-+corenet_tcp_bind_all_ports(gitosis_t)
-+
-+tunable_policy(`gitosis_can_sendmail',`
-+ mta_send_mail(gitosis_t)
-+')
-diff --git a/glance.if b/glance.if
-index 7ff9d6d..b1c97f2 100644
---- a/glance.if
-+++ b/glance.if
-@@ -1,5 +1,27 @@
- ## policy for glance
-
-+#######################################
-+##
-+## Creates types and rules for a basic
-+## glance daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`glance_basic_types_template',`
-+ gen_require(`
-+ attribute glance_domain;
-+ ')
-+
-+ type $1_t, glance_domain;
-+ type $1_exec_t;
-+
-+ kernel_read_system_state($1_t)
-+')
-+
- ########################################
- ##
- ## Transition to glance registry.
-@@ -24,9 +46,9 @@ interface(`glance_domtrans_registry',`
- ## Transition to glance api.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`glance_domtrans_api',`
-@@ -238,6 +260,10 @@ interface(`glance_admin',`
-
- allow $1 glance_registry_t:process signal_perms;
- ps_process_pattern($1, glance_registry_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 glance_registry_t:process ptrace;
-+ allow $1 glance_api_t:process ptrace;
-+ ')
-
- allow $1 glance_api_t:process signal_perms;
- ps_process_pattern($1, glance_api_t)
-diff --git a/glance.te b/glance.te
-index 4afb81f..efff577 100644
---- a/glance.te
-+++ b/glance.te
-@@ -7,8 +7,7 @@ policy_module(glance, 1.0.0)
-
- attribute glance_domain;
-
--type glance_registry_t, glance_domain;
--type glance_registry_exec_t;
-+glance_basic_types_template(glance_registry)
- init_daemon_domain(glance_registry_t, glance_registry_exec_t)
-
- type glance_registry_initrc_exec_t;
-@@ -17,8 +16,10 @@ init_script_file(glance_registry_initrc_exec_t)
- type glance_registry_tmp_t;
- files_tmp_file(glance_registry_tmp_t)
-
--type glance_api_t, glance_domain;
--type glance_api_exec_t;
-+type glance_registry_tmpfs_t;
-+files_tmpfs_file(glance_registry_tmpfs_t)
-+
-+glance_basic_types_template(glance_api)
- init_daemon_domain(glance_api_t, glance_api_exec_t)
-
- type glance_api_initrc_exec_t;
-@@ -54,16 +55,18 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
- manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
- manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
-
--kernel_read_system_state(glance_domain)
--
- corecmd_exec_bin(glance_domain)
-+corecmd_exec_shell(glance_domain)
-
- dev_read_urand(glance_domain)
-
- files_read_etc_files(glance_domain)
- files_read_usr_files(glance_domain)
-
--miscfiles_read_localization(glance_domain)
-+auth_read_passwd(glance_domain)
-+
-+libs_exec_ldconfig(glance_domain)
-+
-
- optional_policy(`
- sysnet_dns_name_resolve(glance_domain)
-@@ -78,8 +81,20 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
- manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
- files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
-
-+manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
-+manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
-+fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })
-+
- corenet_tcp_bind_generic_node(glance_registry_t)
- corenet_tcp_bind_glance_registry_port(glance_registry_t)
-+corenet_tcp_connect_mysqld_port(glance_registry_t)
-+corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
-+
-+logging_send_syslog_msg(glance_registry_t)
-+
-+optional_policy(`
-+ mysql_stream_connect(glance_registry_t)
-+')
-
- ########################################
- #
-@@ -94,11 +109,15 @@ can_exec(glance_api_t, glance_tmp_t)
- corecmd_exec_shell(glance_api_t)
-
- corenet_tcp_bind_generic_node(glance_api_t)
-+corenet_tcp_bind_glance_port(glance_api_t)
- corenet_tcp_bind_hplip_port(glance_api_t)
- corenet_tcp_connect_glance_registry_port(glance_api_t)
-+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
-
- dev_read_urand(glance_api_t)
-
- fs_getattr_xattr_fs(glance_api_t)
-
--libs_exec_ldconfig(glance_api_t)
-+optional_policy(`
-+ mysql_stream_connect(glance_api_t)
-+')
-diff --git a/glusterd.fc b/glusterd.fc
-new file mode 100644
-index 0000000..6418e39
---- /dev/null
-+++ b/glusterd.fc
-@@ -0,0 +1,16 @@
-+
-+/etc/rc\.d/init\.d/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-+
-+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_etc_t,s0)
-+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_etc_t,s0)
-+
-+/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-+/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
-+
-+/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
-+
-+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
-+
-+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
-+/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
-+
-diff --git a/glusterd.if b/glusterd.if
-new file mode 100644
-index 0000000..e15bbb0
---- /dev/null
-+++ b/glusterd.if
-@@ -0,0 +1,146 @@
-+
-+## policy for glusterd
-+
-+
-+########################################
-+##
-+## Transition to glusterd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`glusterd_domtrans',`
-+ gen_require(`
-+ type glusterd_t, glusterd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, glusterd_exec_t, glusterd_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute glusterd server in the glusterd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`glusterd_initrc_domtrans',`
-+ gen_require(`
-+ type glusterd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
-+')
-+
-+
-+########################################
-+##
-+## Read glusterd's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`glusterd_read_log',`
-+ gen_require(`
-+ type glusterd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, glusterd_log_t, glusterd_log_t)
-+')
-+
-+########################################
-+##
-+## Append to glusterd log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`glusterd_append_log',`
-+ gen_require(`
-+ type glusterd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, glusterd_log_t, glusterd_log_t)
-+')
-+
-+########################################
-+##
-+## Manage glusterd log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`glusterd_manage_log',`
-+ gen_require(`
-+ type glusterd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
-+ manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
-+ manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an glusterd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`glusterd_admin',`
-+ gen_require(`
-+ type glusterd_t;
-+ type glusterd_initrc_exec_t;
-+ type glusterd_log_t;
-+ type glusterd_tmp_t;
-+ type glusterd_etc_t;
-+ ')
-+
-+ allow $1 glusterd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, glusterd_t)
-+
-+ glusterd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 glusterd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, glusterd_log_t)
-+
-+ admin_pattern($1, glusterd_tmp_t)
-+
-+ admin_pattern($1, glusterd_etc_t)
-+
-+')
-+
-diff --git a/glusterd.te b/glusterd.te
-new file mode 100644
-index 0000000..d35f2b0
---- /dev/null
-+++ b/glusterd.te
-@@ -0,0 +1,101 @@
-+policy_module(glusterd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type glusterd_t;
-+type glusterd_exec_t;
-+init_daemon_domain(glusterd_t, glusterd_exec_t)
-+
-+type glusterd_etc_t;
-+files_type(glusterd_etc_t)
-+
-+type glusterd_tmp_t;
-+files_tmp_file(glusterd_tmp_t)
-+
-+type glusterd_initrc_exec_t;
-+init_script_file(glusterd_initrc_exec_t)
-+
-+type glusterd_log_t;
-+logging_log_file(glusterd_log_t)
-+
-+type glusterd_var_run_t;
-+files_pid_file(glusterd_var_run_t)
-+
-+type glusterd_var_lib_t;
-+files_type(glusterd_var_lib_t);
-+
-+
-+########################################
-+#
-+# glusterd local policy
-+#
-+
-+allow glusterd_t self:capability { net_bind_service sys_admin dac_override chown dac_read_search fowner };
-+allow glusterd_t self:process { setrlimit signal };
-+allow glusterd_t self:capability sys_resource;
-+
-+allow glusterd_t self:fifo_file rw_fifo_file_perms;
-+allow glusterd_t self:netlink_route_socket r_netlink_socket_perms;
-+allow glusterd_t self:tcp_socket create_stream_socket_perms;
-+allow glusterd_t self:udp_socket create_socket_perms;
-+allow glusterd_t self:unix_stream_socket create_stream_socket_perms;
-+allow glusterd_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
-+userdom_user_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
-+
-+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-+manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-+logging_log_filetrans(glusterd_t, glusterd_log_t, { dir file })
-+
-+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
-+
-+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)
-+manage_files_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)
-+files_etc_filetrans(glusterd_t, glusterd_etc_t, { dir file }, "glusterfs")
-+
-+can_exec(glusterd_t, glusterd_exec_t)
-+
-+kernel_read_system_state(glusterd_t)
-+
-+corecmd_exec_bin(glusterd_t)
-+corecmd_exec_shell(glusterd_t)
-+
-+domain_use_interactive_fds(glusterd_t)
-+
-+corenet_tcp_bind_generic_node(glusterd_t)
-+corenet_tcp_bind_generic_port(glusterd_t)
-+corenet_tcp_bind_all_reserved_ports(glusterd_t)
-+corenet_udp_bind_all_rpc_ports(glusterd_t)
-+corenet_tcp_connect_unreserved_ports(glusterd_t)
-+corenet_udp_bind_generic_node(glusterd_t)
-+corenet_udp_bind_ipp_port(glusterd_t)
-+
-+dev_read_sysfs(glusterd_t)
-+dev_read_urand(glusterd_t)
-+
-+files_read_usr_files(glusterd_t)
-+files_rw_pid_dirs(glusterd_t)
-+
-+# Why is this needed
-+#files_manage_urandom_seed(glusterd_t)
-+
-+auth_use_nsswitch(glusterd_t)
-+
-+logging_send_syslog_msg(glusterd_t)
-+
-+sysnet_read_config(glusterd_t)
-+
-+userdom_manage_user_home_dirs(glusterd_t)
-diff --git a/gnome.fc b/gnome.fc
-index 00a19e3..52e5a3a 100644
---- a/gnome.fc
-+++ b/gnome.fc
-@@ -1,9 +1,57 @@
--HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
-+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
-+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
-+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
-+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-+HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-+HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
- HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
- HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
-+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
-+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
-+HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0)
-+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
-+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
-+HOME_DIR/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
-+HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
-+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
-+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
-+HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
-+HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
-+HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
-+HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-+
-+/var/run/user/[^/]*/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
-+/var/run/user/[^/]*/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-+/var/run/user/[^/]*/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
-+
-+/root/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
-+/root/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
-+/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-+/root/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-+/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-+/root/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
-+/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
-+/root/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
-+/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
-+/root/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
-+/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
-+/root/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
-+/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
-+/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
-+/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-
- /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
-
- /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
-
--/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-+/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
-+
-+/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
-+
-+# Don't use because toolchain is broken
-+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-+
-+/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
-+
-+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
-+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
-diff --git a/gnome.if b/gnome.if
-index f5afe78..69577c7 100644
---- a/gnome.if
-+++ b/gnome.if
-@@ -1,44 +1,1048 @@
- ## GNU network object model environment (GNOME)
-
--############################################################
-+###########################################################
- ##
--## Role access for gnome
-+## Role access for gnome
- ##
- ##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+interface(`gnome_role',`
-+ gen_require(`
-+ type gconfd_t, gconfd_exec_t;
-+ type gconf_tmp_t;
-+ ')
-+
-+ role $1 types gconfd_t;
-+
-+ domain_auto_trans($2, gconfd_exec_t, gconfd_t)
-+ allow gconfd_t $2:fd use;
-+ allow gconfd_t $2:fifo_file write;
-+ allow gconfd_t $2:unix_stream_socket connectto;
-+
-+ ps_process_pattern($2, gconfd_t)
-+
-+ #gnome_stream_connect_gconf_template($1, $2)
-+ read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
-+ allow $2 gconfd_t:unix_stream_socket connectto;
-+')
-+
-+######################################
-+##
-+## The role template for the gnome-keyring-daemon.
-+##
-+##
-+##
-+## The user prefix.
-+##
-+##
-+##
-+##
-+## The user role.
-+##
-+##
-+##
-+##
-+## The user domain associated with the role.
-+##
-+##
-+#
-+interface(`gnome_role_gkeyringd',`
-+ gen_require(`
-+ attribute gkeyringd_domain;
-+ attribute gnomedomain;
-+ type gnome_home_t;
-+ type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
-+ class dbus send_msg;
-+ ')
-+
-+ type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
-+ typealias $1_gkeyringd_t alias gkeyringd_$1_t;
-+ application_domain($1_gkeyringd_t, gkeyringd_exec_t)
-+ ubac_constrained($1_gkeyringd_t)
-+ domain_user_exemption_target($1_gkeyringd_t)
-+
-+ userdom_home_manager($1_gkeyringd_t)
-+
-+ role $2 types $1_gkeyringd_t;
-+
-+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
-+
-+ allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
-+ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
-+
-+ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
-+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
-+
-+ corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
-+ corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
-+ allow $1_gkeyringd_t $3:process sigkill;
-+ allow $3 $1_gkeyringd_t:fd use;
-+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
-+
-+ kernel_read_system_state($1_gkeyringd_t)
-+
-+ ps_process_pattern($1_gkeyringd_t, $3)
-+
-+ auth_use_nsswitch($1_gkeyringd_t)
-+
-+ logging_send_syslog_msg($1_gkeyringd_t)
-+
-+ ps_process_pattern($3, $1_gkeyringd_t)
-+ allow $3 $1_gkeyringd_t:process signal_perms;
-+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
-+
-+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
-+
-+ allow $1_gkeyringd_t $3:dbus send_msg;
-+ allow $3 $1_gkeyringd_t:dbus send_msg;
-+ optional_policy(`
-+ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
-+ dbus_session_bus_client($1_gkeyringd_t)
-+ gnome_home_dir_filetrans($1_gkeyringd_t)
-+ gnome_manage_generic_home_dirs($1_gkeyringd_t)
-+ gnome_read_generic_data_home_files($1_gkeyringd_t)
-+ gnome_read_generic_data_home_dirs($1_gkeyringd_t)
-+
-+ optional_policy(`
-+ telepathy_mission_control_read_state($1_gkeyringd_t)
-+ ')
-+ ')
-+')
-+
-+#######################################
-+##
-+## Allow domain to run gkeyring in the $1_gkeyringd_t domain.
-+##
-+##
-+##
-+## The user prefix.
-+##
-+##
-+##
-+##
-+## The user role.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_run_gkeyringd',`
-+ gen_require(`
-+ type $1_gkeyringd_t;
-+ type gkeyringd_exec_t;
-+ ')
-+ role $2 types $1_gkeyringd_t;
-+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
-+')
-+
-+########################################
-+##
-+## gconf connection template.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_stream_connect_gconf',`
-+ gen_require(`
-+ type gconfd_t, gconf_tmp_t;
-+ ')
-+
-+ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
-+ allow $1 gconfd_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+##
-+## Connect to gkeyringd with a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_stream_connect_gkeyringd',`
-+ gen_require(`
-+ attribute gkeyringd_domain;
-+ type gkeyringd_tmp_t;
-+ type gconf_tmp_t;
-+ type cache_home_t;
-+ ')
-+
-+ allow $1 gconf_tmp_t:dir search_dir_perms;
-+ userdom_search_user_tmp_dirs($1)
-+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
-+ stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)
-+')
-+
-+########################################
-+##
-+## Run gconfd in gconfd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_domtrans_gconfd',`
-+ gen_require(`
-+ type gconfd_t, gconfd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
-+')
-+
-+########################################
-+##
-+## Dontaudit read gnome homedir content (.config)
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`gnome_dontaudit_read_config',`
-+ gen_require(`
-+ attribute gnome_home_type;
-+ ')
-+
-+ dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Dontaudit search gnome homedir content (.config)
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`gnome_dontaudit_search_config',`
-+ gen_require(`
-+ attribute gnome_home_type;
-+ ')
-+
-+ dontaudit $1 gnome_home_type:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Dontaudit write gnome homedir content (.config)
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`gnome_dontaudit_write_config_files',`
-+ gen_require(`
-+ attribute gnome_home_type;
-+ ')
-+
-+ dontaudit $1 gnome_home_type:file write;
-+')
-+
-+########################################
-+##
-+## manage gnome homedir content (.config)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_manage_config',`
-+ gen_require(`
-+ attribute gnome_home_type;
-+ ')
-+
-+ allow $1 gnome_home_type:dir manage_dir_perms;
-+ allow $1 gnome_home_type:file manage_file_perms;
-+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
-+ allow $1 gnome_home_type:sock_file manage_sock_file_perms;
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+##
-+## Send general signals to all gconf domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_signal_all',`
-+ gen_require(`
-+ attribute gnomedomain;
-+ ')
-+
-+ allow $1 gnomedomain:process signal;
-+')
-+
-+########################################
-+##
-+## Create objects in a Gnome cache home directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`gnome_cache_filetrans',`
-+ gen_require(`
-+ type cache_home_t;
-+ ')
-+
-+ filetrans_pattern($1, cache_home_t, $2, $3, $4)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+##
-+## Create objects in a Gnome cache home directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`gnome_config_filetrans',`
-+ gen_require(`
-+ type config_home_t;
-+ ')
-+
-+ filetrans_pattern($1, config_home_t, $2, $3, $4)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+##
-+## Read generic cache home files (.cache)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_read_generic_cache_files',`
-+ gen_require(`
-+ type cache_home_t;
-+ ')
-+
-+ read_files_pattern($1, cache_home_t, cache_home_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+##
-+## Set attributes of cache home dir (.cache)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_setattr_cache_home_dir',`
-+ gen_require(`
-+ type cache_home_t;
-+ ')
-+
-+ setattr_dirs_pattern($1, cache_home_t, cache_home_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+##
-+## Manage cache home dir (.cache)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_manage_cache_home_dir',`
-+ gen_require(`
-+ type cache_home_t;
-+ ')
-+
-+ manage_dirs_pattern($1, cache_home_t, cache_home_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+##
-+## append to generic cache home files (.cache)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_append_generic_cache_files',`
-+ gen_require(`
-+ type cache_home_t;
-+ ')
-+
-+ append_files_pattern($1, cache_home_t, cache_home_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+##
-+## write to generic cache home files (.cache)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_write_generic_cache_files',`
-+ gen_require(`
-+ type cache_home_t;
-+ ')
-+
-+ write_files_pattern($1, cache_home_t, cache_home_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+##
-+## Manage a sock_file in the generic cache home files (.cache)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_manage_generic_cache_sockets',`
-+ gen_require(`
-+ type cache_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ manage_sock_files_pattern($1, cache_home_t, cache_home_t)
-+')
-+
-+########################################
-+##
-+## Dontaudit read/write to generic cache home files (.cache)
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`gnome_dontaudit_rw_generic_cache_files',`
-+ gen_require(`
-+ type cache_home_t;
-+ ')
-+
-+ dontaudit $1 cache_home_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## read gnome homedir content (.config)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_read_config',`
-+ gen_require(`
-+ attribute gnome_home_type;
-+ ')
-+
-+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
-+ read_files_pattern($1, gnome_home_type, gnome_home_type)
-+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
-+')
-+
-+########################################
-+##
-+## Create objects in a Gnome gconf home directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`gnome_data_filetrans',`
-+ gen_require(`
-+ type data_home_t;
-+ ')
-+
-+ filetrans_pattern($1, data_home_t, $2, $3, $4)
-+ gnome_search_gconf($1)
-+')
-+
-+#######################################
-+##
-+## Read generic data home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_read_generic_data_home_files',`
-+ gen_require(`
-+ type data_home_t, gconf_home_t;
-+ ')
-+
-+ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
-+')
-+
-+######################################
-+##
-+## Read generic data home dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_read_generic_data_home_dirs',`
-+ gen_require(`
-+ type data_home_t, gconf_home_t;
-+ ')
-+
-+ list_dirs_pattern($1, { gconf_home_t data_home_t }, data_home_t)
-+')
-+
-+#######################################
-+##
-+## Manage gconf data home files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_manage_data',`
-+ gen_require(`
-+ type data_home_t;
-+ type gconf_home_t;
-+ ')
-+
-+ allow $1 gconf_home_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, data_home_t, data_home_t)
-+ manage_files_pattern($1, data_home_t, data_home_t)
-+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
-+')
-+
-+########################################
-+##
-+## Read icc data home content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_read_home_icc_data_content',`
-+ gen_require(`
-+ type icc_data_home_t, gconf_home_t, data_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
-+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
-+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
-+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
-+')
-+
-+########################################
-+##
-+## Read inherited icc data home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_read_inherited_home_icc_data_files',`
-+ gen_require(`
-+ type icc_data_home_t;
-+ ')
-+
-+ allow $1 icc_data_home_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Create gconf_home_t objects in the /root directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`gnome_admin_home_gconf_filetrans',`
-+ gen_require(`
-+ type gconf_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read
-+## inherited gconf config files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
-+ gen_require(`
-+ type gconf_etc_t;
-+ ')
-+
-+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## read gconf config files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_read_gconf_config',`
-+ gen_require(`
-+ type gconf_etc_t;
-+ ')
-+
-+ allow $1 gconf_etc_t:dir list_dir_perms;
-+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
-+ files_search_etc($1)
-+')
-+
-+#######################################
-+##
-+## Manage gconf config files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_manage_gconf_config',`
-+ gen_require(`
-+ type gconf_etc_t;
-+ ')
-+
-+ allow $1 gconf_etc_t:dir list_dir_perms;
-+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
-+')
-+
-+########################################
-+##
-+## Execute gconf programs in
-+## in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_exec_gconf',`
-+ gen_require(`
-+ type gconfd_exec_t;
-+ ')
-+
-+ can_exec($1, gconfd_exec_t)
-+')
-+
-+########################################
-+##
-+## Execute gnome keyringd in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_exec_keyringd',`
-+ gen_require(`
-+ type gkeyringd_exec_t;
-+ ')
-+
-+ can_exec($1, gkeyringd_exec_t)
-+ corecmd_search_bin($1)
-+')
-+
-+########################################
-+##
-+## Read gconf home files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_read_gconf_home_files',`
-+ gen_require(`
-+ type gconf_home_t;
-+ type data_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ allow $1 gconf_home_t:dir list_dir_perms;
-+ allow $1 data_home_t:dir list_dir_perms;
-+ read_files_pattern($1, gconf_home_t, gconf_home_t)
-+ read_files_pattern($1, data_home_t, data_home_t)
-+ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
-+ read_lnk_files_pattern($1, data_home_t, data_home_t)
-+')
-+
-+########################################
-+##
-+## Search gkeyringd temporary directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_search_gkeyringd_tmp_dirs',`
-+ gen_require(`
-+ type gkeyringd_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List gkeyringd temporary directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_list_gkeyringd_tmp_dirs',`
-+ gen_require(`
-+ type gkeyringd_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ allow $1 gkeyringd_tmp_t:dir list_dir_perms;
-+')
-+
-+#######################################
-+##
-+## Manage gkeyringd temporary directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_manage_gkeyringd_tmp_dirs',`
-+ gen_require(`
-+ type gkeyringd_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
-+')
-+
-+########################################
-+##
-+## search gconf homedir (.local)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_search_gconf',`
-+ gen_require(`
-+ type gconf_home_t;
-+ ')
-+
-+ allow $1 gconf_home_t:dir search_dir_perms;
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+##
-+## Set attributes of Gnome config dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_setattr_config_dirs',`
-+ gen_require(`
-+ type gnome_home_t;
-+ ')
-+
-+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
-+ files_search_home($1)
-+')
-+
-+########################################
-+##
-+## Manage generic gnome home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_manage_generic_home_files',`
-+ gen_require(`
-+ type gnome_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, gnome_home_t, gnome_home_t)
-+')
-+
-+########################################
-+##
-+## Manage generic gnome home directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_manage_generic_home_dirs',`
-+ gen_require(`
-+ type gnome_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ allow $1 gnome_home_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
-+## Append gconf home files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_append_gconf_home_files',`
-+ gen_require(`
-+ type gconf_home_t;
-+ ')
-+
-+ append_files_pattern($1, gconf_home_t, gconf_home_t)
-+')
-+
-+########################################
-+##
-+## manage gconf home files
-+##
-+##
- ##
--## Role allowed access
-+## Domain allowed access.
- ##
- ##
-+#
-+interface(`gnome_manage_gconf_home_files',`
-+ gen_require(`
-+ type gconf_home_t;
-+ ')
-+
-+ allow $1 gconf_home_t:dir list_dir_perms;
-+ manage_files_pattern($1, gconf_home_t, gconf_home_t)
-+')
-+
-+########################################
-+##
-+## Connect to gnome over a unix stream socket.
-+##
- ##
- ##
--## User domain for the role
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the user domain.
- ##
- ##
- #
--interface(`gnome_role',`
-+interface(`gnome_stream_connect',`
- gen_require(`
-- type gconfd_t, gconfd_exec_t;
-- type gconf_tmp_t;
-+ attribute gnome_home_type;
- ')
-
-- role $1 types gconfd_t;
-+ # Connect to pulseaudit server
-+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
-+')
-+
-+########################################
-+##
-+## list gnome homedir content (.config)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_list_home_config',`
-+ gen_require(`
-+ type config_home_t;
-+ ')
-
-- domain_auto_trans($2, gconfd_exec_t, gconfd_t)
-- allow gconfd_t $2:fd use;
-- allow gconfd_t $2:fifo_file write;
-- allow gconfd_t $2:unix_stream_socket connectto;
-+ allow $1 config_home_t:dir list_dir_perms;
-+')
-
-- ps_process_pattern($2, gconfd_t)
-+########################################
-+##
-+## Set attributes of gnome homedir content (.config)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_setattr_home_config',`
-+ gen_require(`
-+ type config_home_t;
-+ ')
-
-- #gnome_stream_connect_gconf_template($1, $2)
-- read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
-- allow $2 gconfd_t:unix_stream_socket connectto;
-+ setattr_dirs_pattern($1, config_home_t, config_home_t)
-+ userdom_search_user_home_dirs($1)
- ')
-
- ########################################
- ##
--## Execute gconf programs in
--## in the caller domain.
-+## read gnome homedir content (.config)
- ##
- ##
- ##
-@@ -46,37 +1050,91 @@ interface(`gnome_role',`
- ##
- ##
- #
--interface(`gnome_exec_gconf',`
-+interface(`gnome_read_home_config',`
- gen_require(`
-- type gconfd_exec_t;
-+ type config_home_t;
- ')
-
-- can_exec($1, gconfd_exec_t)
-+ list_dirs_pattern($1, config_home_t, config_home_t)
-+ read_files_pattern($1, config_home_t, config_home_t)
-+ read_lnk_files_pattern($1, config_home_t, config_home_t)
-+')
-+
-+#######################################
-+##
-+## delete gnome homedir content (.config)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_delete_home_config',`
-+ gen_require(`
-+ type config_home_t;
-+ ')
-+
-+ delete_files_pattern($1, config_home_t, config_home_t)
-+')
-+
-+#######################################
-+##
-+## setattr gnome homedir content (.config)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_setattr_home_config_dirs',`
-+ gen_require(`
-+ type config_home_t;
-+ ')
-+
-+ setattr_dirs_pattern($1, config_home_t, config_home_t)
- ')
-
- ########################################
- ##
--## Read gconf config files.
-+## manage gnome homedir content (.config)
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--template(`gnome_read_gconf_config',`
-+interface(`gnome_manage_home_config',`
- gen_require(`
-- type gconf_etc_t;
-+ type config_home_t;
- ')
-
-- allow $1 gconf_etc_t:dir list_dir_perms;
-- read_files_pattern($1, gconf_etc_t, gconf_etc_t)
-- files_search_etc($1)
-+ manage_files_pattern($1, config_home_t, config_home_t)
- ')
-
- #######################################
- ##
--## Create, read, write, and delete gconf config files.
-+## delete gnome homedir content (.config)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_delete_home_config_dirs',`
-+ gen_require(`
-+ type config_home_t;
-+ ')
-+
-+ delete_dirs_pattern($1, config_home_t, config_home_t)
-+')
-+
-+########################################
-+##
-+## manage gnome homedir content (.config)
- ##
- ##
- ##
-@@ -84,37 +1142,107 @@ template(`gnome_read_gconf_config',`
- ##
- ##
- #
--interface(`gnome_manage_gconf_config',`
-+interface(`gnome_manage_home_config_dirs',`
- gen_require(`
-- type gconf_etc_t;
-+ type config_home_t;
- ')
-
-- manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
-- files_search_etc($1)
-+ manage_dirs_pattern($1, config_home_t, config_home_t)
- ')
-
- ########################################
- ##
--## gconf connection template.
-+## manage gstreamer home content files.
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`gnome_stream_connect_gconf',`
-+interface(`gnome_manage_gstreamer_home_files',`
- gen_require(`
-- type gconfd_t, gconf_tmp_t;
-+ type gstreamer_home_t;
- ')
-
-- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
-- allow $1 gconfd_t:unix_stream_socket connectto;
-+ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
-+ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
-+ gnome_filetrans_gstreamer_home_content($1)
-+')
-+
-+######################################
-+##
-+## Allow to execute gstreamer home content files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_exec_gstreamer_home_files',`
-+ gen_require(`
-+ type gstreamer_home_t;
-+ ')
-+
-+ can_exec($1, gstreamer_home_t)
-+')
-+
-+#######################################
-+##
-+## file name transition gstreamer home content files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_filetrans_gstreamer_home_content',`
-+ gen_require(`
-+ type gstreamer_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks")
-+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store")
-+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
-+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
-+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
-+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0")
-+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2")
-+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
-+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
-+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
-+ userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
-+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12")
-+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10")
-+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0")
-+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2")
-+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-10")
-+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-12")
-+')
-+
-+#######################################
-+##
-+## manage gstreamer home content files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_manage_gstreamer_home_dirs',`
-+ gen_require(`
-+ type gstreamer_home_t;
-+ ')
-+
-+ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
- ')
-
- ########################################
- ##
--## Run gconfd in gconfd domain.
-+## Read/Write all inherited gnome home config
- ##
- ##
- ##
-@@ -122,17 +1250,36 @@ interface(`gnome_stream_connect_gconf',`
- ##
- ##
- #
--interface(`gnome_domtrans_gconfd',`
-+interface(`gnome_rw_inherited_config',`
- gen_require(`
-- type gconfd_t, gconfd_exec_t;
-+ attribute gnome_home_type;
- ')
-
-- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
-+ allow $1 gnome_home_type:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Set attributes of Gnome config dirs.
-+## Dontaudit Read/Write all inherited gnome home config
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`gnome_dontaudit_rw_inherited_config',`
-+ gen_require(`
-+ attribute gnome_home_type;
-+ ')
-+
-+ dontaudit $1 gnome_home_type:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## gconf system service over dbus.
- ##
- ##
- ##
-@@ -140,51 +1287,279 @@ interface(`gnome_domtrans_gconfd',`
- ##
- ##
- #
--interface(`gnome_setattr_config_dirs',`
-+interface(`gnome_dbus_chat_gconfdefault',`
- gen_require(`
-- type gnome_home_t;
-+ type gconfdefaultsm_t;
-+ class dbus send_msg;
- ')
-
-- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
-- files_search_home($1)
-+ allow $1 gconfdefaultsm_t:dbus send_msg;
-+ allow gconfdefaultsm_t $1:dbus send_msg;
- ')
-
- ########################################
- ##
--## Read gnome homedir content (.config)
-+## Send and receive messages from
-+## gkeyringd over dbus.
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--template(`gnome_read_config',`
-+interface(`gnome_dbus_chat_gkeyringd',`
- gen_require(`
-- type gnome_home_t;
-+ attribute gkeyringd_domain;
-+ class dbus send_msg;
- ')
-
-- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
-- read_files_pattern($1, gnome_home_t, gnome_home_t)
-- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
-+ allow $1 gkeyringd_domain:dbus send_msg;
-+ allow gkeyringd_domain $1:dbus send_msg;
- ')
-
- ########################################
- ##
--## manage gnome homedir content (.config)
-+## Send signull signal to gkeyringd processes.
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`gnome_manage_config',`
-+interface(`gnome_signull_gkeyringd',`
-+ gen_require(`
-+ attribute gkeyringd_domain;
-+ ')
-+
-+ allow $1 gkeyringd_domain:process signull;
-+')
-+
-+########################################
-+##
-+## Allow the domain to read gkeyringd state files in /proc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_read_gkeyringd_state',`
-+ gen_require(`
-+ attribute gkeyringd_domain;
-+ ')
-+
-+ ps_process_pattern($1, gkeyringd_domain)
-+')
-+
-+########################################
-+##
-+## Create directories in user home directories
-+## with the gnome home file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_home_dir_filetrans',`
- gen_require(`
- type gnome_home_t;
- ')
-
-- allow $1 gnome_home_t:dir manage_dir_perms;
-- allow $1 gnome_home_t:file manage_file_perms;
-+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
- userdom_search_user_home_dirs($1)
- ')
-+
-+######################################
-+##
-+## Allow read kde config content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_read_usr_config',`
-+ gen_require(`
-+ type config_usr_t;
-+ ')
-+
-+ files_search_usr($1)
-+ list_dirs_pattern($1, config_usr_t, config_usr_t)
-+ read_files_pattern($1, config_usr_t, config_usr_t)
-+ read_lnk_files_pattern($1, config_usr_t, config_usr_t)
-+')
-+
-+#######################################
-+##
-+## Allow manage kde config content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_manage_usr_config',`
-+ gen_require(`
-+ type config_usr_t;
-+ ')
-+
-+ files_search_usr($1)
-+ manage_dirs_pattern($1, config_usr_t, config_usr_t)
-+ manage_files_pattern($1, config_usr_t, config_usr_t)
-+ manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
-+')
-+
-+########################################
-+##
-+## Execute gnome-keyring in the user gkeyring domain
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`gnome_transition_gkeyringd',`
-+ gen_require(`
-+ attribute gkeyringd_domain;
-+ ')
-+
-+ allow $1 gkeyringd_domain:process transition;
-+ dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
-+ allow gkeyringd_domain $1:process { sigchld signull };
-+ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Create gnome content in the user home directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_filetrans_home_content',`
-+
-+gen_require(`
-+ type config_home_t;
-+ type cache_home_t;
-+ type dbus_home_t;
-+ type gconf_home_t;
-+ type gnome_home_t;
-+ type data_home_t, icc_data_home_t;
-+ type gkeyringd_gnome_home_t;
-+')
-+
-+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
-+ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
-+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
-+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
-+ userdom_user_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
-+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
-+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
-+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
-+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
-+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
-+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
-+
-+ # ~/.color/icc: legacy
-+ userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
-+ filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
-+ filetrans_pattern($1, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
-+ filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
-+ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
-+ userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
-+ gnome_filetrans_gstreamer_home_content($1)
-+')
-+
-+########################################
-+##
-+## Create gnome directory in the /root directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_filetrans_admin_home_content',`
-+
-+gen_require(`
-+ type config_home_t;
-+ type cache_home_t;
-+ type dbus_home_t;
-+ type gstreamer_home_t;
-+ type gconf_home_t;
-+ type gnome_home_t;
-+ type icc_data_home_t;
-+')
-+
-+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".config")
-+ userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
-+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
-+ userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
-+ userdom_admin_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
-+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
-+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
-+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
-+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
-+ userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
-+ gnome_filetrans_gstreamer_home_content($1)
-+ # /root/.color/icc: legacy
-+ userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
-+')
-+
-+#####################################
-+##
-+## Execute gnome-keyring executable
-+## in the specified domain.
-+##
-+##
-+##
-+## Execute a telepathy executable
-+## in the specified domain. This allows
-+## the specified domain to execute any file
-+## on these filesystems in the specified
-+## domain.
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+## This interface was added to handle
-+## the ssh-agent policy.
-+##
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`gnome_command_domtrans_gkeyringd', `
-+ gen_require(`
-+ type gkeyringd_exec_t;
-+ ')
-+
-+ allow $2 gkeyringd_exec_t:file entrypoint;
-+ domain_transition_pattern($1, gkeyringd_exec_t, $2)
-+ type_transition $1 gkeyringd_exec_t:process $2;
-+')
-diff --git a/gnome.te b/gnome.te
-index 783c5fb..7757943 100644
---- a/gnome.te
-+++ b/gnome.te
-@@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0)
- #
-
- attribute gnomedomain;
-+attribute gnome_home_type;
-+attribute gkeyringd_domain;
-
- type gconf_etc_t;
- files_config_file(gconf_etc_t)
-
--type gconf_home_t;
-+type data_home_t, gnome_home_type;
-+userdom_user_home_content(data_home_t)
-+
-+type config_home_t, gnome_home_type;
-+userdom_user_home_content(config_home_t)
-+
-+type cache_home_t, gnome_home_type;
-+userdom_user_home_content(cache_home_t)
-+
-+type gstreamer_home_t, gnome_home_type;
-+userdom_user_home_content(gstreamer_home_t)
-+
-+type dbus_home_t, gnome_home_type;
-+userdom_user_home_content(dbus_home_t)
-+
-+type icc_data_home_t, gnome_home_type;
-+userdom_user_home_content(icc_data_home_t)
-+
-+type gconf_home_t, gnome_home_type;
- typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
- typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
- typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -28,12 +48,33 @@ typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
- typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
- userdom_user_application_domain(gconfd_t, gconfd_exec_t)
-
--type gnome_home_t;
-+type gnome_home_t, gnome_home_type;
- typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
- typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
- typealias gnome_home_t alias unconfined_gnome_home_t;
- userdom_user_home_content(gnome_home_t)
-
-+# type KDE /usr/share/config files
-+type config_usr_t;
-+files_type(config_usr_t)
-+
-+type gkeyringd_exec_t;
-+corecmd_executable_file(gkeyringd_exec_t)
-+
-+type gkeyringd_gnome_home_t;
-+userdom_user_home_content(gkeyringd_gnome_home_t)
-+
-+type gkeyringd_tmp_t;
-+userdom_user_tmp_content(gkeyringd_tmp_t)
-+
-+type gconfdefaultsm_t;
-+type gconfdefaultsm_exec_t;
-+init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
-+
-+type gnomesystemmm_t;
-+type gnomesystemmm_exec_t;
-+init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
-+
- ##############################
- #
- # Local Policy
-@@ -57,7 +98,6 @@ dev_read_urand(gconfd_t)
-
- files_read_etc_files(gconfd_t)
-
--miscfiles_read_localization(gconfd_t)
-
- logging_send_syslog_msg(gconfd_t)
-
-@@ -73,3 +113,163 @@ optional_policy(`
- xserver_use_xdm_fds(gconfd_t)
- xserver_rw_xdm_pipes(gconfd_t)
- ')
-+
-+#######################################
-+#
-+# gconf-defaults-mechanisms local policy
-+#
-+
-+allow gconfdefaultsm_t self:capability { dac_override sys_nice };
-+allow gconfdefaultsm_t self:process getsched;
-+allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
-+
-+corecmd_search_bin(gconfdefaultsm_t)
-+
-+files_read_etc_files(gconfdefaultsm_t)
-+files_read_usr_files(gconfdefaultsm_t)
-+
-+
-+gnome_manage_gconf_home_files(gconfdefaultsm_t)
-+gnome_manage_gconf_config(gconfdefaultsm_t)
-+
-+userdom_read_all_users_state(gconfdefaultsm_t)
-+userdom_search_user_home_dirs(gconfdefaultsm_t)
-+
-+userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
-+
-+optional_policy(`
-+ consolekit_dbus_chat(gconfdefaultsm_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
-+')
-+
-+optional_policy(`
-+ nscd_dontaudit_search_pid(gconfdefaultsm_t)
-+')
-+
-+optional_policy(`
-+ policykit_domtrans_auth(gconfdefaultsm_t)
-+ policykit_dbus_chat(gconfdefaultsm_t)
-+ policykit_read_lib(gconfdefaultsm_t)
-+ policykit_read_reload(gconfdefaultsm_t)
-+')
-+
-+userdom_home_manager(gconfdefaultsm_t)
-+
-+#######################################
-+#
-+# gnome-system-monitor-mechanisms local policy
-+#
-+
-+allow gnomesystemmm_t self:capability sys_nice;
-+allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
-+
-+rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t)
-+
-+kernel_read_system_state(gnomesystemmm_t)
-+
-+corecmd_search_bin(gnomesystemmm_t)
-+
-+domain_kill_all_domains(gnomesystemmm_t)
-+domain_search_all_domains_state(gnomesystemmm_t)
-+domain_setpriority_all_domains(gnomesystemmm_t)
-+domain_signal_all_domains(gnomesystemmm_t)
-+domain_sigstop_all_domains(gnomesystemmm_t)
-+
-+files_read_etc_files(gnomesystemmm_t)
-+files_read_usr_files(gnomesystemmm_t)
-+
-+fs_getattr_xattr_fs(gnomesystemmm_t)
-+
-+auth_read_passwd(gnomesystemmm_t)
-+
-+logging_send_syslog_msg(gnomesystemmm_t)
-+
-+userdom_read_all_users_state(gnomesystemmm_t)
-+userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
-+
-+optional_policy(`
-+ consolekit_dbus_chat(gnomesystemmm_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
-+')
-+
-+optional_policy(`
-+ gnome_read_home_config(gnomesystemmm_t)
-+')
-+
-+optional_policy(`
-+ nscd_dontaudit_search_pid(gnomesystemmm_t)
-+')
-+
-+optional_policy(`
-+ policykit_dbus_chat(gnomesystemmm_t)
-+ policykit_domtrans_auth(gnomesystemmm_t)
-+ policykit_read_lib(gnomesystemmm_t)
-+ policykit_read_reload(gnomesystemmm_t)
-+')
-+
-+######################################
-+#
-+# gnome-keyring-daemon local policy
-+#
-+
-+allow gkeyringd_domain self:capability ipc_lock;
-+allow gkeyringd_domain self:process { getcap getsched setcap signal };
-+allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
-+allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
-+
-+allow gkeyringd_domain config_home_t:file write;
-+
-+manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
-+manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
-+filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir)
-+
-+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
-+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
-+files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
-+userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
-+
-+kernel_read_crypto_sysctls(gkeyringd_domain)
-+
-+corecmd_search_bin(gkeyringd_domain)
-+
-+dev_read_rand(gkeyringd_domain)
-+dev_read_urand(gkeyringd_domain)
-+dev_read_sysfs(gkeyringd_domain)
-+
-+files_read_etc_files(gkeyringd_domain)
-+files_read_usr_files(gkeyringd_domain)
-+# for nscd?
-+files_search_pids(gkeyringd_domain)
-+
-+fs_getattr_xattr_fs(gkeyringd_domain)
-+fs_getattr_tmpfs(gkeyringd_domain)
-+
-+userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, dir)
-+
-+optional_policy(`
-+ xserver_append_xdm_home_files(gkeyringd_domain)
-+ xserver_read_xdm_home_files(gkeyringd_domain)
-+ xserver_use_xdm_fds(gkeyringd_domain)
-+')
-+
-+optional_policy(`
-+ gnome_read_home_config(gkeyringd_domain)
-+ gnome_read_generic_cache_files(gkeyringd_domain)
-+ gnome_write_generic_cache_files(gkeyringd_domain)
-+ gnome_manage_cache_home_dir(gkeyringd_domain)
-+ gnome_manage_generic_cache_sockets(gkeyringd_domain)
-+')
-+
-+optional_policy(`
-+ ssh_read_user_home_files(gkeyringd_domain)
-+')
-+
-+domain_use_interactive_fds(gnomedomain)
-+
-+userdom_use_inherited_user_terminals(gnomedomain)
-diff --git a/gnomeclock.fc b/gnomeclock.fc
-index 462de63..5d92f4e 100644
---- a/gnomeclock.fc
-+++ b/gnomeclock.fc
-@@ -1,2 +1,7 @@
-+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-+
- /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-
-+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-+
-+/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-diff --git a/gnomeclock.if b/gnomeclock.if
-index 671d8fd..25c7ab8 100644
---- a/gnomeclock.if
-+++ b/gnomeclock.if
-@@ -63,3 +63,24 @@ interface(`gnomeclock_dbus_chat',`
- allow $1 gnomeclock_t:dbus send_msg;
- allow gnomeclock_t $1:dbus send_msg;
- ')
-+
-+########################################
-+##
-+## Do not audit send and receive messages from
-+## gnomeclock over dbus.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`gnomeclock_dontaudit_dbus_chat',`
-+ gen_require(`
-+ type gnomeclock_t;
-+ class dbus send_msg;
-+ ')
-+
-+ dontaudit $1 gnomeclock_t:dbus send_msg;
-+ dontaudit gnomeclock_t $1:dbus send_msg;
-+')
-diff --git a/gnomeclock.te b/gnomeclock.te
-index 4fde46b..d58acfc 100644
---- a/gnomeclock.te
-+++ b/gnomeclock.te
-@@ -7,38 +7,84 @@ policy_module(gnomeclock, 1.0.0)
-
- type gnomeclock_t;
- type gnomeclock_exec_t;
--dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
-+init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
-
- ########################################
- #
- # gnomeclock local policy
- #
-
--allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
--allow gnomeclock_t self:process { getattr getsched };
-+allow gnomeclock_t self:capability { sys_nice sys_time dac_override };
-+allow gnomeclock_t self:process { getattr getsched signal };
- allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
- allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
-+allow gnomeclock_t self:unix_dgram_socket create_socket_perms;
-+
-+kernel_read_system_state(gnomeclock_t)
-
- corecmd_exec_bin(gnomeclock_t)
-+corecmd_exec_shell(gnomeclock_t)
-+corecmd_dontaudit_access_check_bin(gnomeclock_t)
-+
-+corenet_tcp_connect_time_port(gnomeclock_t)
-+
-+dev_rw_realtime_clock(gnomeclock_t)
-+dev_read_urand(gnomeclock_t)
-+dev_write_kmsg(gnomeclock_t)
-+dev_read_sysfs(gnomeclock_t)
-
--files_read_etc_files(gnomeclock_t)
-+files_read_etc_runtime_files(gnomeclock_t)
- files_read_usr_files(gnomeclock_t)
-
-+fs_getattr_xattr_fs(gnomeclock_t)
-+
- auth_use_nsswitch(gnomeclock_t)
-
--clock_domtrans(gnomeclock_t)
-+init_dbus_chat(gnomeclock_t)
-+
-+logging_stream_connect_syslog(gnomeclock_t)
-+logging_send_syslog_msg(gnomeclock_t)
-
--miscfiles_read_localization(gnomeclock_t)
- miscfiles_manage_localization(gnomeclock_t)
- miscfiles_etc_filetrans_localization(gnomeclock_t)
-
- userdom_read_all_users_state(gnomeclock_t)
-
- optional_policy(`
-+ chronyd_systemctl(gnomeclock_t)
-+')
-+
-+optional_policy(`
-+ clock_read_adjtime(gnomeclock_t)
-+ clock_domtrans(gnomeclock_t)
-+')
-+
-+optional_policy(`
- consolekit_dbus_chat(gnomeclock_t)
- ')
-
- optional_policy(`
-+ consoletype_exec(gnomeclock_t)
-+')
-+
-+optional_policy(`
-+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
-+')
-+
-+optional_policy(`
-+ gnome_manage_usr_config(gnomeclock_t)
-+ gnome_manage_home_config(gnomeclock_t)
-+')
-+
-+optional_policy(`
-+ ntp_domtrans_ntpdate(gnomeclock_t)
-+ ntp_initrc_domtrans(gnomeclock_t)
-+ init_dontaudit_getattr_all_script_files(gnomeclock_t)
-+ init_dontaudit_getattr_exec(gnomeclock_t)
-+ ntp_systemctl(gnomeclock_t)
-+')
-+
-+optional_policy(`
- policykit_dbus_chat(gnomeclock_t)
- policykit_domtrans_auth(gnomeclock_t)
- policykit_read_lib(gnomeclock_t)
-diff --git a/gpg.fc b/gpg.fc
-index 5207fc2..c02fa56 100644
---- a/gpg.fc
-+++ b/gpg.fc
-@@ -1,10 +1,13 @@
- HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
- HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
-
-+/etc/mail/spamassassin/sa-update-keys(/.*)? gen_context(system_u:object_r:gpg_secret_t,s0)
-+
-+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
-+
- /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
- /usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
- /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
--/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
- /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
-
- /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
-diff --git a/gpg.if b/gpg.if
-index 6d50300..2f0feca 100644
---- a/gpg.if
-+++ b/gpg.if
-@@ -54,15 +54,16 @@ interface(`gpg_role',`
- manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
- relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
-
-+ allow gpg_pinentry_t $2:fifo_file { read write };
-+
- optional_policy(`
- gpg_pinentry_dbus_chat($2)
- ')
-
-+ allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
- ifdef(`hide_broken_symptoms',`
- #Leaked File Descriptors
-- dontaudit gpg_t $2:socket_class_set { getattr read write };
- dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
-- dontaudit gpg_agent_t $2:socket_class_set { getattr read write };
- dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
- ')
- ')
-@@ -85,13 +86,13 @@ interface(`gpg_domtrans',`
- domtrans_pattern($1, gpg_exec_t, gpg_t)
- ')
-
--########################################
-+######################################
- ##
--## Execute the gpg application without transitioning
-+## Execute gpg in the caller domain.
- ##
- ##
- ##
--## Domain allowed to execute gpg
-+## Domain allowed access.
- ##
- ##
- #
-@@ -100,9 +101,47 @@ interface(`gpg_exec',`
- type gpg_exec_t;
- ')
-
-+ corecmd_search_bin($1)
- can_exec($1, gpg_exec_t)
- ')
-
-+######################################
-+##
-+## Transition to a gpg web domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gpg_domtrans_web',`
-+ gen_require(`
-+ type gpg_web_t, gpg_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, gpg_exec_t, gpg_web_t)
-+')
-+
-+######################################
-+##
-+## Make gpg an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which cifs_t is an entrypoint.
-+##
-+##
-+#
-+interface(`gpg_entry_type',`
-+ gen_require(`
-+ type gpg_exec_t;
-+ ')
-+
-+ domain_entry_file($1, gpg_exec_t)
-+')
-+
- ########################################
- ##
- ## Send generic signals to user gpg processes.
-@@ -179,3 +218,21 @@ interface(`gpg_list_user_secrets',`
- list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
- userdom_search_user_home_dirs($1)
- ')
-+
-+########################################
-+##
-+## Transition to gpg named home content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gpg_filetrans_home_content',`
-+ gen_require(`
-+ type gpg_secret_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
-+')
-diff --git a/gpg.te b/gpg.te
-index 72a113e..29063e5 100644
---- a/gpg.te
-+++ b/gpg.te
-@@ -4,6 +4,7 @@ policy_module(gpg, 2.6.0)
- #
- # Declarations
- #
-+attribute gpgdomain;
-
- ##
- ##
-@@ -13,23 +14,34 @@ policy_module(gpg, 2.6.0)
- ##
- gen_tunable(gpg_agent_env_file, false)
-
--type gpg_t;
-+##
-+##
-+## Allow gpg web domain to modify public files
-+## used for public file transfer services.
-+##
-+##
-+gen_tunable(gpg_web_anon_write, false)
-+
-+type gpg_t, gpgdomain;
- type gpg_exec_t;
- typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
- typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
--userdom_user_application_domain(gpg_t, gpg_exec_t)
-+application_domain(gpg_t, gpg_exec_t)
-+ubac_constrained(gpg_t)
- role system_r types gpg_t;
-
- type gpg_agent_t;
- type gpg_agent_exec_t;
- typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
- typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
--userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
-+application_domain(gpg_agent_t, gpg_agent_exec_t)
-+ubac_constrained(gpg_agent_t)
-
- type gpg_agent_tmp_t;
- typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
- typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
--userdom_user_tmp_file(gpg_agent_tmp_t)
-+files_tmp_file(gpg_agent_tmp_t)
-+ubac_constrained(gpg_agent_tmp_t)
-
- type gpg_secret_t;
- typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
-@@ -40,32 +52,43 @@ type gpg_helper_t;
- type gpg_helper_exec_t;
- typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
- typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
--userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t)
-+application_domain(gpg_helper_t, gpg_helper_exec_t)
-+ubac_constrained(gpg_helper_t)
- role system_r types gpg_helper_t;
-
- type gpg_pinentry_t;
- type pinentry_exec_t;
- typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
- typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
--userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t)
-+application_domain(gpg_pinentry_t, pinentry_exec_t)
-+ubac_constrained(gpg_pinentry_t)
-
- type gpg_pinentry_tmp_t;
--userdom_user_tmp_file(gpg_pinentry_tmp_t)
-+files_tmp_file(gpg_pinentry_tmp_t)
-+ubac_constrained(gpg_pinentry_tmp_t)
-
- type gpg_pinentry_tmpfs_t;
--userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
-+files_tmpfs_file(gpg_pinentry_tmpfs_t)
-+ubac_constrained(gpg_pinentry_tmpfs_t)
-+
-+type gpg_web_t;
-+domain_type(gpg_web_t)
-+gpg_entry_type(gpg_web_t)
-+role system_r types gpg_web_t;
-
- ########################################
- #
- # GPG local policy
- #
-
--allow gpg_t self:capability { ipc_lock setuid };
--# setrlimit is for ulimit -c 0
--allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };
-+allow gpgdomain self:capability { ipc_lock setuid };
-+allow gpgdomain self:process { getsched setsched };
-+#at setrlimit is for ulimit -c 0
-+allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
-+dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;
-
--allow gpg_t self:fifo_file rw_fifo_file_perms;
--allow gpg_t self:tcp_socket create_stream_socket_perms;
-+allow gpgdomain self:fifo_file rw_fifo_file_perms;
-+allow gpgdomain self:tcp_socket create_stream_socket_perms;
-
- manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
- manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
-@@ -77,16 +100,16 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
- domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
-
- allow gpg_t gpg_secret_t:dir create_dir_perms;
-+manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
- manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
- manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
--userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
-+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
-
- kernel_read_sysctl(gpg_t)
-
- corecmd_exec_shell(gpg_t)
- corecmd_exec_bin(gpg_t)
-
--corenet_all_recvfrom_unlabeled(gpg_t)
- corenet_all_recvfrom_netlabel(gpg_t)
- corenet_tcp_sendrecv_generic_if(gpg_t)
- corenet_udp_sendrecv_generic_if(gpg_t)
-@@ -106,7 +129,6 @@ fs_list_inotifyfs(gpg_t)
-
- domain_use_interactive_fds(gpg_t)
-
--files_read_etc_files(gpg_t)
- files_read_usr_files(gpg_t)
- files_dontaudit_search_var(gpg_t)
-
-@@ -114,24 +136,23 @@ auth_use_nsswitch(gpg_t)
-
- logging_send_syslog_msg(gpg_t)
-
--miscfiles_read_localization(gpg_t)
--
--userdom_use_user_terminals(gpg_t)
-+userdom_use_inherited_user_terminals(gpg_t)
- # sign/encrypt user files
--userdom_manage_user_tmp_files(gpg_t)
-+userdom_manage_all_user_tmp_content(gpg_t)
-+#userdom_manage_user_home_content(gpg_t)
- userdom_manage_user_home_content_files(gpg_t)
-+userdom_manage_user_home_content_dirs(gpg_t)
- userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
-+userdom_stream_connect(gpg_t)
-
--mta_write_config(gpg_t)
-+mta_manage_config(gpg_t)
-+mta_read_spool(gpg_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(gpg_t)
-- fs_manage_nfs_files(gpg_t)
--')
-+userdom_home_manager(gpg_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(gpg_t)
-- fs_manage_cifs_files(gpg_t)
-+optional_policy(`
-+ gnome_read_config(gpg_t)
-+ gnome_stream_connect_gkeyringd(gpg_t)
- ')
-
- optional_policy(`
-@@ -140,15 +161,19 @@ optional_policy(`
- ')
-
- optional_policy(`
-- xserver_use_xdm_fds(gpg_t)
-- xserver_rw_xdm_pipes(gpg_t)
-+ spamassassin_read_spamd_tmp_files(gpg_t)
- ')
-
- optional_policy(`
-- cron_system_entry(gpg_t, gpg_exec_t)
-- cron_read_system_job_tmp_files(gpg_t)
-+ xserver_use_xdm_fds(gpg_t)
-+ xserver_rw_xdm_pipes(gpg_t)
- ')
-
-+#optional_policy(`
-+# cron_system_entry(gpg_t, gpg_exec_t)
-+# cron_read_system_job_tmp_files(gpg_t)
-+#')
-+
- ########################################
- #
- # GPG helper local policy
-@@ -166,7 +191,6 @@ allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
-
- dontaudit gpg_helper_t gpg_secret_t:file read;
-
--corenet_all_recvfrom_unlabeled(gpg_helper_t)
- corenet_all_recvfrom_netlabel(gpg_helper_t)
- corenet_tcp_sendrecv_generic_if(gpg_helper_t)
- corenet_raw_sendrecv_generic_if(gpg_helper_t)
-@@ -180,11 +204,10 @@ corenet_tcp_bind_generic_node(gpg_helper_t)
- corenet_udp_bind_generic_node(gpg_helper_t)
- corenet_tcp_connect_all_ports(gpg_helper_t)
-
--files_read_etc_files(gpg_helper_t)
-
- auth_use_nsswitch(gpg_helper_t)
-
--userdom_use_user_terminals(gpg_helper_t)
-+userdom_use_inherited_user_terminals(gpg_helper_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -198,15 +221,17 @@ tunable_policy(`use_samba_home_dirs',`
- #
- # GPG agent local policy
- #
-+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
-
- # rlimit: gpg-agent wants to prevent coredumps
- allow gpg_agent_t self:process setrlimit;
-
--allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
-+allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
- allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
-
- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
- manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
-+manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
- manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
- manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
-
-@@ -223,43 +248,34 @@ corecmd_read_bin_symlinks(gpg_agent_t)
- corecmd_search_bin(gpg_agent_t)
- corecmd_exec_shell(gpg_agent_t)
-
-+dev_read_rand(gpg_agent_t)
- dev_read_urand(gpg_agent_t)
-
- domain_use_interactive_fds(gpg_agent_t)
-
- fs_dontaudit_list_inotifyfs(gpg_agent_t)
-
--miscfiles_read_localization(gpg_agent_t)
-
- # Write to the user domain tty.
--userdom_use_user_terminals(gpg_agent_t)
-+userdom_use_inherited_user_terminals(gpg_agent_t)
- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
- userdom_search_user_home_dirs(gpg_agent_t)
-
- ifdef(`hide_broken_symptoms',`
- userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
-+ userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
- ')
-
- tunable_policy(`gpg_agent_env_file',`
- # write ~/.gpg-agent-info or a similar to the users home dir
- # or subdir (gpg-agent --write-env-file option)
- #
-- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
-+ userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file })
- userdom_manage_user_home_content_dirs(gpg_agent_t)
- userdom_manage_user_home_content_files(gpg_agent_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(gpg_agent_t)
-- fs_manage_nfs_files(gpg_agent_t)
-- fs_manage_nfs_symlinks(gpg_agent_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(gpg_agent_t)
-- fs_manage_cifs_files(gpg_agent_t)
-- fs_manage_cifs_symlinks(gpg_agent_t)
--')
-+userdom_home_manager(gpg_agent_t)
-
- optional_policy(`
- mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
-@@ -294,10 +310,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
- # read /proc/meminfo
- kernel_read_system_state(gpg_pinentry_t)
-
-+corecmd_exec_shell(gpg_pinentry_t)
- corecmd_exec_bin(gpg_pinentry_t)
-
- corenet_all_recvfrom_netlabel(gpg_pinentry_t)
--corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
- corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
- corenet_tcp_bind_generic_node(gpg_pinentry_t)
- corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
-@@ -310,7 +326,6 @@ dev_read_rand(gpg_pinentry_t)
-
- files_read_usr_files(gpg_pinentry_t)
- # read /etc/X11/qtrc
--files_read_etc_files(gpg_pinentry_t)
-
- fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
- fs_getattr_tmpfs(gpg_pinentry_t)
-@@ -320,18 +335,19 @@ auth_use_nsswitch(gpg_pinentry_t)
- logging_send_syslog_msg(gpg_pinentry_t)
-
- miscfiles_read_fonts(gpg_pinentry_t)
--miscfiles_read_localization(gpg_pinentry_t)
-
- # for .Xauthority
- userdom_read_user_home_content_files(gpg_pinentry_t)
- userdom_read_user_tmpfs_files(gpg_pinentry_t)
-+# Bug: user pulseaudio files need open,read and unlink:
-+allow gpg_pinentry_t user_tmpfs_t:file unlink;
-+userdom_signull_unpriv_users(gpg_pinentry_t)
-+userdom_use_user_terminals(gpg_pinentry_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(gpg_pinentry_t)
--')
-+userdom_home_reader(gpg_pinentry_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(gpg_pinentry_t)
-+optional_policy(`
-+ gnome_read_home_config(gpg_pinentry_t)
- ')
-
- optional_policy(`
-@@ -340,6 +356,12 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gnome_write_generic_cache_files(gpg_pinentry_t)
-+ gnome_read_generic_cache_files(gpg_pinentry_t)
-+ gnome_read_gconf_home_files(gpg_pinentry_t)
-+')
-+
-+optional_policy(`
- pulseaudio_exec(gpg_pinentry_t)
- pulseaudio_rw_home_files(gpg_pinentry_t)
- pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -349,4 +371,27 @@ optional_policy(`
-
- optional_policy(`
- xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
-+
-+')
-+
-+#############################
-+#
-+# gpg web local policy
-+#
-+
-+allow gpg_web_t self:process setrlimit;
-+
-+dev_read_rand(gpg_web_t)
-+dev_read_urand(gpg_web_t)
-+
-+can_exec(gpg_web_t, gpg_exec_t)
-+
-+files_read_usr_files(gpg_web_t)
-+
-+
-+apache_dontaudit_rw_tmp_files(gpg_web_t)
-+apache_manage_sys_content_rw(gpg_web_t)
-+
-+tunable_policy(`gpg_web_anon_write',`
-+ miscfiles_manage_public_files(gpg_web_t)
- ')
-diff --git a/gpm.if b/gpm.if
-index 7d97298..d6b2959 100644
---- a/gpm.if
-+++ b/gpm.if
-@@ -16,8 +16,8 @@ interface(`gpm_stream_connect',`
- type gpmctl_t, gpm_t;
- ')
-
-- allow $1 gpmctl_t:sock_file rw_sock_file_perms;
-- allow $1 gpm_t:unix_stream_socket connectto;
-+ dev_list_all_dev_nodes($1)
-+ stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)
- ')
-
- ########################################
-@@ -37,7 +37,7 @@ interface(`gpm_getattr_gpmctl',`
- ')
-
- dev_list_all_dev_nodes($1)
-- allow $1 gpmctl_t:sock_file getattr;
-+ allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
- ')
-
- ########################################
-@@ -57,7 +57,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
- type gpmctl_t;
- ')
-
-- dontaudit $1 gpmctl_t:sock_file getattr;
-+ dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
- ')
-
- ########################################
-@@ -77,5 +77,5 @@ interface(`gpm_setattr_gpmctl',`
- ')
-
- dev_list_all_dev_nodes($1)
-- allow $1 gpmctl_t:sock_file setattr;
-+ allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
- ')
-diff --git a/gpm.te b/gpm.te
-index a627b34..0120907 100644
---- a/gpm.te
-+++ b/gpm.te
-@@ -10,7 +10,7 @@ type gpm_exec_t;
- init_daemon_domain(gpm_t, gpm_exec_t)
-
- type gpm_conf_t;
--files_type(gpm_conf_t)
-+files_config_file(gpm_conf_t)
-
- type gpm_tmp_t;
- files_tmp_file(gpm_tmp_t)
-@@ -65,10 +65,9 @@ domain_use_interactive_fds(gpm_t)
-
- logging_send_syslog_msg(gpm_t)
-
--miscfiles_read_localization(gpm_t)
--
- userdom_dontaudit_use_unpriv_user_fds(gpm_t)
- userdom_dontaudit_search_user_home_dirs(gpm_t)
-+userdom_use_inherited_user_terminals(gpm_t)
-
- optional_policy(`
- seutil_sigchld_newrole(gpm_t)
-diff --git a/gpsd.te b/gpsd.te
-index 03742d8..4fefc6e 100644
---- a/gpsd.te
-+++ b/gpsd.te
-@@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t)
- # gpsd local policy
- #
-
--allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
--allow gpsd_t self:process setsched;
-+allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
-+dontaudit gpsd_t self:capability { dac_read_search dac_override };
-+allow gpsd_t self:process { setsched signal_perms };
- allow gpsd_t self:shm create_shm_perms;
- allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
- allow gpsd_t self:tcp_socket create_stream_socket_perms;
-@@ -38,22 +39,34 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
- manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
- files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
-
--corenet_all_recvfrom_unlabeled(gpsd_t)
-+kernel_list_proc(gpsd_t)
-+kernel_request_load_module(gpsd_t)
-+
- corenet_all_recvfrom_netlabel(gpsd_t)
- corenet_tcp_sendrecv_generic_if(gpsd_t)
- corenet_tcp_sendrecv_generic_node(gpsd_t)
- corenet_tcp_sendrecv_all_ports(gpsd_t)
--corenet_tcp_bind_all_nodes(gpsd_t)
-+corenet_tcp_bind_generic_node(gpsd_t)
- corenet_tcp_bind_gpsd_port(gpsd_t)
-
-+dev_read_sysfs(gpsd_t)
-+dev_rw_realtime_clock(gpsd_t)
-+
-+domain_dontaudit_read_all_domains_state(gpsd_t)
-+
- term_use_unallocated_ttys(gpsd_t)
- term_setattr_unallocated_ttys(gpsd_t)
-+term_use_usb_ttys(gpsd_t)
-
- auth_use_nsswitch(gpsd_t)
-
- logging_send_syslog_msg(gpsd_t)
-
--miscfiles_read_localization(gpsd_t)
-+optional_policy(`
-+ chronyd_rw_shm(gpsd_t)
-+ chronyd_stream_connect(gpsd_t)
-+ chronyd_dgram_send(gpsd_t)
-+')
-
- optional_policy(`
- dbus_system_bus_client(gpsd_t)
-diff --git a/guest.te b/guest.te
-index 1cb7311..1de82b2 100644
---- a/guest.te
-+++ b/guest.te
-@@ -9,9 +9,15 @@ role guest_r;
-
- userdom_restricted_user_template(guest)
-
-+kernel_read_system_state(guest_t)
-+
- ########################################
- #
- # Local policy
- #
-
--#gen_user(guest_u,, guest_r, s0, s0)
-+optional_policy(`
-+ apache_role(guest_r, guest_t)
-+')
-+
-+gen_user(guest_u, user, guest_r, s0, s0)
-diff --git a/hadoop.if b/hadoop.if
-index 2d0b4e1..6649814 100644
---- a/hadoop.if
-+++ b/hadoop.if
-@@ -89,7 +89,6 @@ template(`hadoop_domain_template',`
- corecmd_exec_bin(hadoop_$1_t)
- corecmd_exec_shell(hadoop_$1_t)
-
-- corenet_all_recvfrom_unlabeled(hadoop_$1_t)
- corenet_all_recvfrom_netlabel(hadoop_$1_t)
- corenet_tcp_bind_all_nodes(hadoop_$1_t)
- corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
-@@ -120,7 +119,6 @@ template(`hadoop_domain_template',`
- logging_send_audit_msgs(hadoop_$1_t)
- logging_send_syslog_msg(hadoop_$1_t)
-
-- miscfiles_read_localization(hadoop_$1_t)
-
- sysnet_read_config(hadoop_$1_t)
-
-@@ -191,7 +189,6 @@ template(`hadoop_domain_template',`
- logging_send_syslog_msg(hadoop_$1_initrc_t)
- logging_send_audit_msgs(hadoop_$1_initrc_t)
-
-- miscfiles_read_localization(hadoop_$1_initrc_t)
-
- userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)
-
-@@ -224,14 +221,21 @@ interface(`hadoop_role',`
- hadoop_domtrans($2)
- role $1 types hadoop_t;
-
-- allow $2 hadoop_t:process { ptrace signal_perms };
-+ allow $2 hadoop_t:process signal_perms;
- ps_process_pattern($2, hadoop_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 hadoop_t:process ptrace;
-+ ')
-
- hadoop_domtrans_zookeeper_client($2)
- role $1 types zookeeper_t;
-
-- allow $2 zookeeper_t:process { ptrace signal_perms };
-+ allow $2 zookeeper_t:process signal_perms;
- ps_process_pattern($2, zookeeper_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 zookeeper_t:process ptrace;
-+ ')
-+
- ')
-
- ########################################
-diff --git a/hadoop.te b/hadoop.te
-index c81c58a..86e3d1d 100644
---- a/hadoop.te
-+++ b/hadoop.te
-@@ -123,7 +123,6 @@ kernel_read_system_state(hadoop_t)
- corecmd_exec_bin(hadoop_t)
- corecmd_exec_shell(hadoop_t)
-
--corenet_all_recvfrom_unlabeled(hadoop_t)
- corenet_all_recvfrom_netlabel(hadoop_t)
- corenet_tcp_sendrecv_generic_if(hadoop_t)
- corenet_udp_sendrecv_generic_if(hadoop_t)
-@@ -151,20 +150,22 @@ dev_read_urand(hadoop_t)
- domain_use_interactive_fds(hadoop_t)
-
- files_dontaudit_search_spool(hadoop_t)
--files_read_etc_files(hadoop_t)
- files_read_usr_files(hadoop_t)
-
- fs_getattr_xattr_fs(hadoop_t)
-
--miscfiles_read_localization(hadoop_t)
-+auth_use_nsswitch(hadoop_t)
-
--sysnet_read_config(hadoop_t)
-
--userdom_use_user_terminals(hadoop_t)
-+userdom_use_inherited_user_terminals(hadoop_t)
-
--java_exec(hadoop_t)
-+optional_policy(`
-+ java_exec(hadoop_t)
-+')
-
--kerberos_use(hadoop_t)
-+optional_policy(`
-+ kerberos_use(hadoop_t)
-+')
-
- optional_policy(`
- nis_use_ypbind(hadoop_t)
-@@ -311,7 +312,6 @@ kernel_read_system_state(zookeeper_t)
- corecmd_exec_bin(zookeeper_t)
- corecmd_exec_shell(zookeeper_t)
-
--corenet_all_recvfrom_unlabeled(zookeeper_t)
- corenet_all_recvfrom_netlabel(zookeeper_t)
- corenet_tcp_sendrecv_generic_if(zookeeper_t)
- corenet_udp_sendrecv_generic_if(zookeeper_t)
-@@ -333,20 +333,18 @@ dev_read_urand(zookeeper_t)
-
- domain_use_interactive_fds(zookeeper_t)
-
--files_read_etc_files(zookeeper_t)
- files_read_usr_files(zookeeper_t)
-
--miscfiles_read_localization(zookeeper_t)
-+auth_use_nsswitch(zookeeper_t)
-+
-
- sysnet_read_config(zookeeper_t)
-
--userdom_use_user_terminals(zookeeper_t)
-+userdom_use_inherited_user_terminals(zookeeper_t)
- userdom_dontaudit_search_user_home_dirs(zookeeper_t)
-
--java_exec(zookeeper_t)
--
- optional_policy(`
-- nscd_socket_use(zookeeper_t)
-+ java_exec(zookeeper_t)
- ')
-
- ########################################
-@@ -393,7 +391,6 @@ kernel_read_system_state(zookeeper_server_t)
- corecmd_exec_bin(zookeeper_server_t)
- corecmd_exec_shell(zookeeper_server_t)
-
--corenet_all_recvfrom_unlabeled(zookeeper_server_t)
- corenet_all_recvfrom_netlabel(zookeeper_server_t)
- corenet_tcp_sendrecv_generic_if(zookeeper_server_t)
- corenet_udp_sendrecv_generic_if(zookeeper_server_t)
-@@ -421,15 +418,14 @@ dev_read_rand(zookeeper_server_t)
- dev_read_sysfs(zookeeper_server_t)
- dev_read_urand(zookeeper_server_t)
-
--files_read_etc_files(zookeeper_server_t)
- files_read_usr_files(zookeeper_server_t)
-
- fs_getattr_xattr_fs(zookeeper_server_t)
-
- logging_send_syslog_msg(zookeeper_server_t)
-
--miscfiles_read_localization(zookeeper_server_t)
--
- sysnet_read_config(zookeeper_server_t)
-
--java_exec(zookeeper_server_t)
-+optional_policy(`
-+ java_exec(zookeeper_server_t)
-+')
-diff --git a/hal.if b/hal.if
-index 7cf6763..9d2be6b 100644
---- a/hal.if
-+++ b/hal.if
-@@ -69,7 +69,9 @@ interface(`hal_ptrace',`
- type hald_t;
- ')
-
-- allow $1 hald_t:process ptrace;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 hald_t:process ptrace;
-+ ')
- ')
-
- ########################################
-@@ -431,3 +433,22 @@ interface(`hal_manage_pid_files',`
- files_search_pids($1)
- manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
- ')
-+
-+#######################################
-+##
-+## Do not audit attempts to read
-+## hald PID files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`hal_dontaudit_read_pid_files',`
-+ gen_require(`
-+ type hald_var_run_t;
-+ ')
-+
-+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
-+')
-diff --git a/hal.te b/hal.te
-index e0476cb..0caa5ba 100644
---- a/hal.te
-+++ b/hal.te
-@@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
- type hald_var_lib_t;
- files_type(hald_var_lib_t)
-
-+typealias hald_log_t alias pmtools_log_t;
-+typealias hald_var_run_t alias pmtools_var_run_t;
-+
- ########################################
- #
- # Local policy
-@@ -61,7 +64,7 @@ files_type(hald_var_lib_t)
-
- # execute openvt which needs setuid
- allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
--dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
-+dontaudit hald_t self:capability sys_tty_config;
- allow hald_t self:process { getsched getattr signal_perms };
- allow hald_t self:fifo_file rw_fifo_file_perms;
- allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -99,6 +102,7 @@ kernel_read_fs_sysctls(hald_t)
- kernel_rw_irq_sysctls(hald_t)
- kernel_rw_vm_sysctls(hald_t)
- kernel_write_proc_files(hald_t)
-+kernel_rw_net_sysctls(hald_t)
- kernel_search_network_sysctl(hald_t)
- kernel_setsched(hald_t)
- kernel_request_load_module(hald_t)
-@@ -107,7 +111,6 @@ auth_read_pam_console_data(hald_t)
-
- corecmd_exec_all_executables(hald_t)
-
--corenet_all_recvfrom_unlabeled(hald_t)
- corenet_all_recvfrom_netlabel(hald_t)
- corenet_tcp_sendrecv_generic_if(hald_t)
- corenet_udp_sendrecv_generic_if(hald_t)
-@@ -139,7 +142,6 @@ domain_read_all_domains_state(hald_t)
- domain_dontaudit_ptrace_all_domains(hald_t)
-
- files_exec_etc_files(hald_t)
--files_read_etc_files(hald_t)
- files_rw_etc_runtime_files(hald_t)
- files_manage_mnt_dirs(hald_t)
- files_manage_mnt_files(hald_t)
-@@ -201,7 +203,6 @@ logging_send_audit_msgs(hald_t)
- logging_send_syslog_msg(hald_t)
- logging_search_logs(hald_t)
-
--miscfiles_read_localization(hald_t)
- miscfiles_read_hwdata(hald_t)
-
- modutils_domtrans_insmod(hald_t)
-@@ -372,7 +373,6 @@ dev_setattr_generic_usb_dev(hald_acl_t)
- dev_setattr_usbfs_files(hald_acl_t)
-
- files_read_usr_files(hald_acl_t)
--files_read_etc_files(hald_acl_t)
-
- fs_getattr_all_fs(hald_acl_t)
-
-@@ -385,8 +385,6 @@ auth_use_nsswitch(hald_acl_t)
-
- logging_send_syslog_msg(hald_acl_t)
-
--miscfiles_read_localization(hald_acl_t)
--
- optional_policy(`
- policykit_dbus_chat(hald_acl_t)
- policykit_domtrans_auth(hald_acl_t)
-@@ -418,14 +416,11 @@ dev_write_raw_memory(hald_mac_t)
- dev_read_sysfs(hald_mac_t)
-
- files_read_usr_files(hald_mac_t)
--files_read_etc_files(hald_mac_t)
-
- auth_use_nsswitch(hald_mac_t)
-
- logging_send_syslog_msg(hald_mac_t)
-
--miscfiles_read_localization(hald_mac_t)
--
- ########################################
- #
- # Local hald sonypic policy
-@@ -446,7 +441,6 @@ write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)
-
- files_read_usr_files(hald_sonypic_t)
-
--miscfiles_read_localization(hald_sonypic_t)
-
- ########################################
- #
-@@ -465,10 +459,8 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
-
- dev_rw_input_dev(hald_keymap_t)
-
--files_read_etc_files(hald_keymap_t)
- files_read_usr_files(hald_keymap_t)
-
--miscfiles_read_localization(hald_keymap_t)
-
- ########################################
- #
-@@ -504,7 +496,6 @@ kernel_search_network_sysctl(hald_dccm_t)
-
- dev_read_urand(hald_dccm_t)
-
--corenet_all_recvfrom_unlabeled(hald_dccm_t)
- corenet_all_recvfrom_netlabel(hald_dccm_t)
- corenet_tcp_sendrecv_generic_if(hald_dccm_t)
- corenet_udp_sendrecv_generic_if(hald_dccm_t)
-@@ -518,14 +509,12 @@ corenet_udp_bind_dhcpc_port(hald_dccm_t)
- corenet_tcp_bind_ftp_port(hald_dccm_t)
- corenet_tcp_bind_dccm_port(hald_dccm_t)
-
--logging_send_syslog_msg(hald_dccm_t)
--
- files_read_usr_files(hald_dccm_t)
-
--miscfiles_read_localization(hald_dccm_t)
--
- hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
-
-+logging_send_syslog_msg(hald_dccm_t)
-+
- optional_policy(`
- dbus_system_bus_client(hald_dccm_t)
- ')
-diff --git a/hddtemp.if b/hddtemp.if
-index 87b4531..901d905 100644
---- a/hddtemp.if
-+++ b/hddtemp.if
-@@ -60,8 +60,11 @@ interface(`hddtemp_admin',`
- type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
- ')
-
-- allow $1 hddtemp_t:process { ptrace signal_perms };
-+ allow $1 hddtemp_t:process signal_perms;
- ps_process_pattern($1, hddtemp_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 hddtemp_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -69,9 +72,5 @@ interface(`hddtemp_admin',`
- allow $2 system_r;
-
- admin_pattern($1, hddtemp_etc_t)
-- files_search_etc($1)
--
-- allow $1 hddtemp_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)
-- kernel_search_proc($1)
-+ files_list_etc($1)
- ')
-diff --git a/hddtemp.te b/hddtemp.te
-index c234b32..41d985d 100644
---- a/hddtemp.te
-+++ b/hddtemp.te
-@@ -28,7 +28,6 @@ allow hddtemp_t self:udp_socket create_socket_perms;
-
- allow hddtemp_t hddtemp_etc_t:file read_file_perms;
-
--corenet_all_recvfrom_unlabeled(hddtemp_t)
- corenet_all_recvfrom_netlabel(hddtemp_t)
- corenet_tcp_sendrecv_generic_if(hddtemp_t)
- corenet_tcp_sendrecv_generic_node(hddtemp_t)
-@@ -38,12 +37,13 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
- corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
- corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
-
--files_search_etc(hddtemp_t)
-+files_read_etc_files(hddtemp_t)
- files_read_usr_files(hddtemp_t)
-
- storage_raw_read_fixed_disk(hddtemp_t)
--
-+storage_raw_read_removable_device(hddtemp_t)
- logging_send_syslog_msg(hddtemp_t)
-
--miscfiles_read_localization(hddtemp_t)
--
-+optional_policy(`
-+ sysnet_dns_name_resolve(hddtemp_t)
-+')
-diff --git a/howl.te b/howl.te
-index 6ad2d3c..b23d54a 100644
---- a/howl.te
-+++ b/howl.te
-@@ -33,7 +33,6 @@ kernel_request_load_module(howl_t)
- kernel_list_proc(howl_t)
- kernel_read_proc_symlinks(howl_t)
-
--corenet_all_recvfrom_unlabeled(howl_t)
- corenet_all_recvfrom_netlabel(howl_t)
- corenet_tcp_sendrecv_generic_if(howl_t)
- corenet_udp_sendrecv_generic_if(howl_t)
-@@ -60,8 +59,6 @@ init_rw_utmp(howl_t)
-
- logging_send_syslog_msg(howl_t)
-
--miscfiles_read_localization(howl_t)
--
- sysnet_read_config(howl_t)
-
- userdom_dontaudit_use_unpriv_user_fds(howl_t)
-diff --git a/i18n_input.te b/i18n_input.te
-index 5fc89c4..087c2d0 100644
---- a/i18n_input.te
-+++ b/i18n_input.te
-@@ -36,7 +36,6 @@ can_exec(i18n_input_t, i18n_input_exec_t)
- kernel_read_kernel_sysctls(i18n_input_t)
- kernel_read_system_state(i18n_input_t)
-
--corenet_all_recvfrom_unlabeled(i18n_input_t)
- corenet_all_recvfrom_netlabel(i18n_input_t)
- corenet_tcp_sendrecv_generic_if(i18n_input_t)
- corenet_udp_sendrecv_generic_if(i18n_input_t)
-@@ -68,22 +67,11 @@ init_stream_connect_script(i18n_input_t)
-
- logging_send_syslog_msg(i18n_input_t)
-
--miscfiles_read_localization(i18n_input_t)
--
- sysnet_read_config(i18n_input_t)
-
- userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
- userdom_read_user_home_content_files(i18n_input_t)
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(i18n_input_t)
-- fs_read_nfs_symlinks(i18n_input_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(i18n_input_t)
-- fs_read_cifs_symlinks(i18n_input_t)
--')
-+userdom_home_reader(i18n_input_t)
-
- optional_policy(`
- canna_stream_connect(i18n_input_t)
-diff --git a/icecast.if b/icecast.if
-index ecab47a..6eddc6d 100644
---- a/icecast.if
-+++ b/icecast.if
-@@ -173,7 +173,11 @@ interface(`icecast_admin',`
- type icecast_t, icecast_initrc_exec_t;
- ')
-
-+ allow $1 icecast_t:process signal_perms;
- ps_process_pattern($1, icecast_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 icecast_t:process ptrace;
-+ ')
-
- # Allow icecast_t to restart the apache service
- icecast_initrc_domtrans($1)
-@@ -184,5 +188,4 @@ interface(`icecast_admin',`
- icecast_manage_pid_files($1)
-
- icecast_manage_log($1)
--
- ')
-diff --git a/icecast.te b/icecast.te
-index fdb7e9a..b910581 100644
---- a/icecast.te
-+++ b/icecast.te
-@@ -5,6 +5,14 @@ policy_module(icecast, 1.1.0)
- # Declarations
- #
-
-+##
-+##
-+## Allow icecast to connect to all ports, not just
-+## sound ports.
-+##
-+##
-+gen_tunable(icecast_connect_any, false)
-+
- type icecast_t;
- type icecast_exec_t;
- init_daemon_domain(icecast_t, icecast_exec_t)
-@@ -39,18 +47,24 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
-
- kernel_read_system_state(icecast_t)
-
-+dev_read_sysfs(icecast_t)
-+dev_read_urand(icecast_t)
-+dev_read_rand(icecast_t)
-+
- corenet_tcp_bind_soundd_port(icecast_t)
-+corenet_tcp_connect_soundd_port(icecast_t)
-+
-+tunable_policy(`icecast_connect_any',`
-+ corenet_tcp_connect_all_ports(icecast_t)
-+ corenet_tcp_bind_all_ports(icecast_t)
-+ corenet_sendrecv_all_client_packets(icecast_t)
-+')
-
- # Init script handling
- domain_use_interactive_fds(icecast_t)
-
--files_read_etc_files(icecast_t)
--
- auth_use_nsswitch(icecast_t)
-
--miscfiles_read_localization(icecast_t)
--
--sysnet_dns_name_resolve(icecast_t)
-
- optional_policy(`
- apache_read_sys_content(icecast_t)
-diff --git a/ifplugd.if b/ifplugd.if
-index dfb4232..35343f8 100644
---- a/ifplugd.if
-+++ b/ifplugd.if
-@@ -113,11 +113,11 @@ interface(`ifplugd_read_pid_files',`
- #
- interface(`ifplugd_admin',`
- gen_require(`
-- type ifplugd_t, ifplugd_etc_t;
-- type ifplugd_var_run_t, ifplugd_initrc_exec_t;
-+ type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t;
-+ type ifplugd_initrc_exec_t;
- ')
-
-- allow $1 ifplugd_t:process { ptrace signal_perms };
-+ allow $1 ifplugd_t:process signal_perms;
- ps_process_pattern($1, ifplugd_t)
-
- init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
-diff --git a/ifplugd.te b/ifplugd.te
-index 978c32f..05927a7 100644
---- a/ifplugd.te
-+++ b/ifplugd.te
-@@ -11,7 +11,7 @@ init_daemon_domain(ifplugd_t, ifplugd_exec_t)
-
- # config files
- type ifplugd_etc_t;
--files_type(ifplugd_etc_t)
-+files_config_file(ifplugd_etc_t)
-
- type ifplugd_initrc_exec_t;
- init_script_file(ifplugd_initrc_exec_t)
-@@ -26,7 +26,7 @@ files_pid_file(ifplugd_var_run_t)
- #
-
- allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
--dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace };
-+dontaudit ifplugd_t self:capability sys_tty_config;
- allow ifplugd_t self:process { signal signull };
- allow ifplugd_t self:fifo_file rw_fifo_file_perms;
- allow ifplugd_t self:tcp_socket create_stream_socket_perms;
-@@ -54,15 +54,14 @@ corecmd_exec_bin(ifplugd_t)
- # reading of hardware information
- dev_read_sysfs(ifplugd_t)
-
-+#domain_read_all_domains_state(ifplugd_t)
- domain_read_confined_domains_state(ifplugd_t)
--domain_dontaudit_read_all_domains_state(ifplugd_t)
-+#domain_dontaudit_read_all_domains_state(ifplugd_t)
-
- auth_use_nsswitch(ifplugd_t)
-
- logging_send_syslog_msg(ifplugd_t)
-
--miscfiles_read_localization(ifplugd_t)
--
- netutils_domtrans(ifplugd_t)
- # transition to ifconfig & dhcpc
- sysnet_domtrans_ifconfig(ifplugd_t)
-diff --git a/imaze.fc b/imaze.fc
-index 8d455ba..58729cb 100644
---- a/imaze.fc
-+++ b/imaze.fc
-@@ -1,4 +1,4 @@
- /usr/games/imazesrv -- gen_context(system_u:object_r:imazesrv_exec_t,s0)
- /usr/share/games/imaze(/.*)? gen_context(system_u:object_r:imazesrv_data_t,s0)
-
--/var/log/imaze\.log -- gen_context(system_u:object_r:imazesrv_log_t,s0)
-+/var/log/imaze\.log.* -- gen_context(system_u:object_r:imazesrv_log_t,s0)
-diff --git a/imaze.te b/imaze.te
-index 0778af8..66fb4ae 100644
---- a/imaze.te
-+++ b/imaze.te
-@@ -54,7 +54,6 @@ kernel_read_kernel_sysctls(imazesrv_t)
- kernel_list_proc(imazesrv_t)
- kernel_read_proc_symlinks(imazesrv_t)
-
--corenet_all_recvfrom_unlabeled(imazesrv_t)
- corenet_all_recvfrom_netlabel(imazesrv_t)
- corenet_tcp_sendrecv_generic_if(imazesrv_t)
- corenet_udp_sendrecv_generic_if(imazesrv_t)
-@@ -79,8 +78,6 @@ fs_search_auto_mountpoints(imazesrv_t)
-
- logging_send_syslog_msg(imazesrv_t)
-
--miscfiles_read_localization(imazesrv_t)
--
- sysnet_read_config(imazesrv_t)
-
- userdom_use_unpriv_users_fds(imazesrv_t)
-diff --git a/inetd.fc b/inetd.fc
-index 39d5baa..4288778 100644
---- a/inetd.fc
-+++ b/inetd.fc
-@@ -7,6 +7,6 @@
- /usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
- /usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
-
--/var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0)
-+/var/log/(x)?inetd\.log.* -- gen_context(system_u:object_r:inetd_log_t,s0)
-
- /var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
-diff --git a/inetd.if b/inetd.if
-index df48e5e..161814e 100644
---- a/inetd.if
-+++ b/inetd.if
-@@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',`
-
- domtrans_pattern(inetd_t, $2, $1)
- allow inetd_t $1:process { siginh sigkill };
-+
-+ optional_policy(`
-+ abrt_stream_connect($1)
-+ ')
- ')
-
- ########################################
-diff --git a/inetd.te b/inetd.te
-index 10f25d3..ec4cd54 100644
---- a/inetd.te
-+++ b/inetd.te
-@@ -38,9 +38,9 @@ ifdef(`enable_mcs',`
- # Local policy
- #
-
--allow inetd_t self:capability { setuid setgid sys_resource };
-+allow inetd_t self:capability { setuid setgid };
- dontaudit inetd_t self:capability sys_tty_config;
--allow inetd_t self:process { setsched setexec setrlimit };
-+allow inetd_t self:process { setsched setexec };
- allow inetd_t self:fifo_file rw_fifo_file_perms;
- allow inetd_t self:tcp_socket create_stream_socket_perms;
- allow inetd_t self:udp_socket create_socket_perms;
-@@ -65,7 +65,6 @@ kernel_tcp_recvfrom_unlabeled(inetd_t)
- corecmd_bin_domtrans(inetd_t, inetd_child_t)
-
- # base networking:
--corenet_all_recvfrom_unlabeled(inetd_t)
- corenet_all_recvfrom_netlabel(inetd_t)
- corenet_tcp_sendrecv_generic_if(inetd_t)
- corenet_udp_sendrecv_generic_if(inetd_t)
-@@ -89,16 +88,19 @@ corenet_tcp_bind_ftp_port(inetd_t)
- corenet_udp_bind_ftp_port(inetd_t)
- corenet_tcp_bind_inetd_child_port(inetd_t)
- corenet_udp_bind_inetd_child_port(inetd_t)
-+corenet_tcp_bind_echo_port(inetd_t)
-+corenet_udp_bind_echo_port(inetd_t)
-+corenet_tcp_bind_time_port(inetd_t)
-+corenet_udp_bind_time_port(inetd_t)
- corenet_tcp_bind_ircd_port(inetd_t)
- corenet_udp_bind_ktalkd_port(inetd_t)
--corenet_tcp_bind_pop_port(inetd_t)
- corenet_tcp_bind_printer_port(inetd_t)
- corenet_udp_bind_rlogind_port(inetd_t)
- corenet_udp_bind_rsh_port(inetd_t)
- corenet_tcp_bind_rsh_port(inetd_t)
- corenet_tcp_bind_rsync_port(inetd_t)
- corenet_udp_bind_rsync_port(inetd_t)
--corenet_tcp_bind_stunnel_port(inetd_t)
-+#corenet_tcp_bind_stunnel_port(inetd_t)
- corenet_tcp_bind_swat_port(inetd_t)
- corenet_udp_bind_swat_port(inetd_t)
- corenet_tcp_bind_telnetd_port(inetd_t)
-@@ -119,7 +121,7 @@ corenet_sendrecv_ktalkd_server_packets(inetd_t)
- corenet_sendrecv_printer_server_packets(inetd_t)
- corenet_sendrecv_rsh_server_packets(inetd_t)
- corenet_sendrecv_rsync_server_packets(inetd_t)
--corenet_sendrecv_stunnel_server_packets(inetd_t)
-+#corenet_sendrecv_stunnel_server_packets(inetd_t)
- corenet_sendrecv_swat_server_packets(inetd_t)
- corenet_sendrecv_tftp_server_packets(inetd_t)
-
-@@ -137,20 +139,20 @@ corecmd_read_bin_symlinks(inetd_t)
-
- domain_use_interactive_fds(inetd_t)
-
--files_read_etc_files(inetd_t)
- files_read_etc_runtime_files(inetd_t)
-
- auth_use_nsswitch(inetd_t)
-
- logging_send_syslog_msg(inetd_t)
-
--miscfiles_read_localization(inetd_t)
--
- # xinetd needs MLS override privileges to work
- mls_fd_share_all_levels(inetd_t)
- mls_socket_read_to_clearance(inetd_t)
- mls_socket_write_to_clearance(inetd_t)
-+mls_net_outbound_all_levels(inetd_t)
- mls_process_set_level(inetd_t)
-+#706086
-+mls_net_outbound_all_levels(inetd_t)
-
- sysnet_read_config(inetd_t)
-
-@@ -177,6 +179,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ tftp_read_config(inetd_t)
-+')
-+
-+optional_policy(`
- udev_read_db(inetd_t)
- ')
-
-@@ -210,7 +216,6 @@ kernel_read_kernel_sysctls(inetd_child_t)
- kernel_read_system_state(inetd_child_t)
- kernel_read_network_state(inetd_child_t)
-
--corenet_all_recvfrom_unlabeled(inetd_child_t)
- corenet_all_recvfrom_netlabel(inetd_child_t)
- corenet_tcp_sendrecv_generic_if(inetd_child_t)
- corenet_udp_sendrecv_generic_if(inetd_child_t)
-@@ -223,15 +228,12 @@ dev_read_urand(inetd_child_t)
-
- fs_getattr_xattr_fs(inetd_child_t)
-
--files_read_etc_files(inetd_child_t)
- files_read_etc_runtime_files(inetd_child_t)
-
- auth_use_nsswitch(inetd_child_t)
-
- logging_send_syslog_msg(inetd_child_t)
-
--miscfiles_read_localization(inetd_child_t)
--
- sysnet_read_config(inetd_child_t)
-
- optional_policy(`
-diff --git a/inn.if b/inn.if
-index ebc9e0d..617f52f 100644
---- a/inn.if
-+++ b/inn.if
-@@ -13,7 +13,7 @@
- #
- interface(`inn_exec',`
- gen_require(`
-- type innd_t;
-+ type innd_exec_t;
- ')
-
- can_exec($1, innd_exec_t)
-@@ -93,6 +93,7 @@ interface(`inn_read_config',`
- type innd_etc_t;
- ')
-
-+ files_search_etc($1)
- allow $1 innd_etc_t:dir list_dir_perms;
- allow $1 innd_etc_t:file read_file_perms;
- allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
-@@ -113,6 +114,7 @@ interface(`inn_read_news_lib',`
- type innd_var_lib_t;
- ')
-
-+ files_search_var_lib($1)
- allow $1 innd_var_lib_t:dir list_dir_perms;
- allow $1 innd_var_lib_t:file read_file_perms;
- allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
-@@ -133,6 +135,7 @@ interface(`inn_read_news_spool',`
- type news_spool_t;
- ')
-
-+ files_search_spool($1)
- allow $1 news_spool_t:dir list_dir_perms;
- allow $1 news_spool_t:file read_file_perms;
- allow $1 news_spool_t:lnk_file read_lnk_file_perms;
-@@ -195,12 +198,15 @@ interface(`inn_domtrans',`
- interface(`inn_admin',`
- gen_require(`
- type innd_t, innd_etc_t, innd_log_t;
-- type news_spool_t, innd_var_lib_t;
-- type innd_var_run_t, innd_initrc_exec_t;
-+ type news_spool_t, innd_var_lib_t, innd_var_run_t;
-+ type innd_initrc_exec_t;
- ')
-
-- allow $1 innd_t:process { ptrace signal_perms };
-+ allow $1 innd_t:process signal_perms;
- ps_process_pattern($1, innd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 innd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, innd_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/inn.te b/inn.te
-index 7311364..28012eb 100644
---- a/inn.te
-+++ b/inn.te
-@@ -4,6 +4,7 @@ policy_module(inn, 1.10.0)
- #
- # Declarations
- #
-+
- type innd_t;
- type innd_exec_t;
- init_daemon_domain(innd_t, innd_exec_t)
-@@ -25,11 +26,13 @@ files_pid_file(innd_var_run_t)
-
- type news_spool_t;
- files_mountpoint(news_spool_t)
-+files_spool_file(news_spool_t)
-
- ########################################
- #
- # Local policy
- #
-+
- allow innd_t self:capability { dac_override kill setgid setuid };
- dontaudit innd_t self:capability sys_tty_config;
- allow innd_t self:process { setsched signal_perms };
-@@ -46,7 +49,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
- can_exec(innd_t, innd_exec_t)
-
- manage_files_pattern(innd_t, innd_log_t, innd_log_t)
--allow innd_t innd_log_t:dir setattr;
-+allow innd_t innd_log_t:dir setattr_dir_perms;
- logging_log_filetrans(innd_t, innd_log_t, file)
-
- manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
-@@ -56,7 +59,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file)
- manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
- manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
- manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
--files_pid_filetrans(innd_t, innd_var_run_t, file)
-+files_pid_filetrans(innd_t, innd_var_run_t, { dir file })
-
- manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
- manage_files_pattern(innd_t, news_spool_t, news_spool_t)
-@@ -65,7 +68,6 @@ manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t)
- kernel_read_kernel_sysctls(innd_t)
- kernel_read_system_state(innd_t)
-
--corenet_all_recvfrom_unlabeled(innd_t)
- corenet_all_recvfrom_netlabel(innd_t)
- corenet_tcp_sendrecv_generic_if(innd_t)
- corenet_udp_sendrecv_generic_if(innd_t)
-@@ -97,14 +99,11 @@ files_read_usr_files(innd_t)
-
- logging_send_syslog_msg(innd_t)
-
--miscfiles_read_localization(innd_t)
--
--seutil_dontaudit_search_config(innd_t)
--
- sysnet_read_config(innd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(innd_t)
- userdom_dontaudit_search_user_home_dirs(innd_t)
-+userdom_dgram_send(innd_t)
-
- mta_send_mail(innd_t)
-
-diff --git a/irc.fc b/irc.fc
-index 65ece18..7e7873c 100644
---- a/irc.fc
-+++ b/irc.fc
-@@ -2,10 +2,15 @@
- # /home
- #
- HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
-+HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)
-+HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)
-+
-+/etc/irssi\.conf -- gen_context(system_u:object_r:irssi_etc_t,s0)
-
- #
- # /usr
- #
- /usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
- /usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
-+/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0)
- /usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
-diff --git a/irc.if b/irc.if
-index 4f9dc90..2af9361 100644
---- a/irc.if
-+++ b/irc.if
-@@ -18,9 +18,11 @@
- interface(`irc_role',`
- gen_require(`
- type irc_t, irc_exec_t;
-+ type irssi_t, irssi_exec_t, irssi_home_t;
- ')
-
- role $1 types irc_t;
-+ role $1 types irssi_t;
-
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, irc_exec_t, irc_t)
-@@ -28,4 +30,39 @@ interface(`irc_role',`
- # allow ps to show irc
- ps_process_pattern($2, irc_t)
- allow $2 irc_t:process signal;
-+
-+ domtrans_pattern($2, irssi_exec_t, irssi_t)
-+
-+ allow $2 irssi_t:process signal_perms;
-+ ps_process_pattern($2, irssi_t)
-+
-+ manage_dirs_pattern($2, irssi_home_t, irssi_home_t)
-+ manage_files_pattern($2, irssi_home_t, irssi_home_t)
-+ manage_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
-+
-+ relabel_dirs_pattern($2, irssi_home_t, irssi_home_t)
-+ relabel_files_pattern($2, irssi_home_t, irssi_home_t)
-+ relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
-+
-+ irc_filetrans_home_content($2)
-+')
-+
-+########################################
-+##
-+## Transition to alsa named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`irc_filetrans_home_content',`
-+ gen_require(`
-+ type irc_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
-+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
-+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs")
- ')
-diff --git a/irc.te b/irc.te
-index 6e2dbd2..73e129e 100644
---- a/irc.te
-+++ b/irc.te
-@@ -19,7 +19,31 @@ userdom_user_home_content(irc_home_t)
- type irc_tmp_t;
- typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
- typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
--userdom_user_tmp_file(irc_tmp_t)
-+userdom_user_home_content(irc_tmp_t)
-+
-+########################################
-+#
-+# Irssi personal declarations.
-+#
-+
-+##
-+##
-+## Allow the Irssi IRC Client to connect to any port,
-+## and to bind to any unreserved port.
-+##
-+##
-+gen_tunable(irssi_use_full_network, false)
-+
-+type irssi_t;
-+type irssi_exec_t;
-+application_domain(irssi_t, irssi_exec_t)
-+ubac_constrained(irssi_t)
-+
-+type irssi_etc_t;
-+files_config_file(irssi_etc_t)
-+
-+type irssi_home_t;
-+userdom_user_home_content(irssi_home_t)
-
- ########################################
- #
-@@ -33,7 +57,7 @@ allow irc_t self:udp_socket create_socket_perms;
- manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
- manage_files_pattern(irc_t, irc_home_t, irc_home_t)
- manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
--userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
-+irc_filetrans_home_content(irc_t)
-
- # access files under /tmp
- manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
-@@ -45,7 +69,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
-
- kernel_read_proc_symlinks(irc_t)
-
--corenet_all_recvfrom_unlabeled(irc_t)
- corenet_all_recvfrom_netlabel(irc_t)
- corenet_tcp_sendrecv_generic_if(irc_t)
- corenet_udp_sendrecv_generic_if(irc_t)
-@@ -75,7 +98,6 @@ term_list_ptys(irc_t)
- init_read_utmp(irc_t)
- init_dontaudit_lock_utmp(irc_t)
-
--miscfiles_read_localization(irc_t)
-
- # Inherit and use descriptors from newrole.
- seutil_use_newrole_fds(irc_t)
-@@ -83,20 +105,74 @@ seutil_use_newrole_fds(irc_t)
- sysnet_read_config(irc_t)
-
- # Write to the user domain tty.
--userdom_use_user_terminals(irc_t)
-+userdom_use_inherited_user_terminals(irc_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(irc_t)
-- fs_manage_nfs_files(irc_t)
-- fs_manage_nfs_symlinks(irc_t)
-+userdom_home_manager(irc_t)
-+
-+optional_policy(`
-+ nis_use_ypbind(irc_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(irc_t)
-- fs_manage_cifs_files(irc_t)
-- fs_manage_cifs_symlinks(irc_t)
-+########################################
-+#
-+# Irssi personal declarations.
-+#
-+
-+allow irssi_t self:process { signal sigkill };
-+allow irssi_t self:fifo_file rw_fifo_file_perms;
-+allow irssi_t self:tcp_socket create_stream_socket_perms;
-+
-+read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t)
-+
-+manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t)
-+manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
-+manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
-+irc_filetrans_home_content(irssi_t)
-+userdom_search_user_home_dirs(irssi_t)
-+
-+kernel_read_system_state(irssi_t)
-+
-+corecmd_search_bin(irssi_t)
-+corecmd_read_bin_symlinks(irssi_t)
-+
-+corenet_tcp_connect_ircd_port(irssi_t)
-+corenet_tcp_sendrecv_ircd_port(irssi_t)
-+corenet_sendrecv_ircd_client_packets(irssi_t)
-+
-+# tcp:7000 is often used for SSL irc
-+corenet_tcp_connect_gatekeeper_port(irssi_t)
-+corenet_tcp_sendrecv_gatekeeper_port(irssi_t)
-+corenet_sendrecv_gatekeeper_client_packets(irssi_t)
-+
-+# Privoxy
-+corenet_tcp_connect_http_cache_port(irssi_t)
-+corenet_tcp_sendrecv_http_cache_port(irssi_t)
-+corenet_sendrecv_http_cache_client_packets(irssi_t)
-+
-+corenet_tcp_bind_generic_node(irssi_t)
-+
-+dev_read_urand(irssi_t)
-+# irssi-otr genkey.
-+dev_read_rand(irssi_t)
-+
-+files_read_usr_files(irssi_t)
-+
-+fs_search_auto_mountpoints(irssi_t)
-+
-+auth_use_nsswitch(irssi_t)
-+
-+
-+userdom_use_inherited_user_terminals(irssi_t)
-+
-+tunable_policy(`irssi_use_full_network', `
-+ corenet_tcp_bind_all_unreserved_ports(irssi_t)
-+ corenet_tcp_connect_all_ports(irssi_t)
-+ corenet_sendrecv_generic_server_packets(irssi_t)
-+ corenet_sendrecv_all_client_packets(irssi_t)
- ')
-
-+userdom_home_manager(irssi_t)
-+
- optional_policy(`
-- nis_use_ypbind(irc_t)
-+ automount_dontaudit_getattr_tmp_dirs(irssi_t)
- ')
-diff --git a/ircd.te b/ircd.te
-index 75ab1e2..603ea55 100644
---- a/ircd.te
-+++ b/ircd.te
-@@ -49,7 +49,6 @@ kernel_read_kernel_sysctls(ircd_t)
-
- corecmd_search_bin(ircd_t)
-
--corenet_all_recvfrom_unlabeled(ircd_t)
- corenet_all_recvfrom_netlabel(ircd_t)
- corenet_tcp_sendrecv_generic_if(ircd_t)
- corenet_udp_sendrecv_generic_if(ircd_t)
-@@ -73,8 +72,6 @@ fs_search_auto_mountpoints(ircd_t)
-
- logging_send_syslog_msg(ircd_t)
-
--miscfiles_read_localization(ircd_t)
--
- sysnet_read_config(ircd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(ircd_t)
-diff --git a/irqbalance.te b/irqbalance.te
-index 9aeeaf9..a91de65 100644
---- a/irqbalance.te
-+++ b/irqbalance.te
-@@ -19,6 +19,12 @@ files_pid_file(irqbalance_var_run_t)
-
- allow irqbalance_t self:capability { setpcap net_admin };
- dontaudit irqbalance_t self:capability sys_tty_config;
-+
-+ifdef(`hide_broken_symptoms',`
-+ # caused by some bogus kernel code
-+ dontaudit irqbalance_t self:capability sys_module;
-+')
-+
- allow irqbalance_t self:process { getcap setcap signal_perms };
- allow irqbalance_t self:udp_socket create_socket_perms;
-
-@@ -42,8 +48,6 @@ domain_use_interactive_fds(irqbalance_t)
-
- logging_send_syslog_msg(irqbalance_t)
-
--miscfiles_read_localization(irqbalance_t)
--
- userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
- userdom_dontaudit_search_user_home_dirs(irqbalance_t)
-
-diff --git a/iscsi.fc b/iscsi.fc
-index 14d9670..e94b352 100644
---- a/iscsi.fc
-+++ b/iscsi.fc
-@@ -1,7 +1,17 @@
- /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
- /sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-+/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-
- /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
-+
- /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
--/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
-+
-+/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
-+/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
-+
- /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
-+/var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
-+
-+/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-+/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-+/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-diff --git a/iscsi.te b/iscsi.te
-index 8bcfa2f..f71614d 100644
---- a/iscsi.te
-+++ b/iscsi.te
-@@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t)
- #
-
- allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
--dontaudit iscsid_t self:capability sys_ptrace;
- allow iscsid_t self:process { setrlimit setsched signal };
- allow iscsid_t self:fifo_file rw_fifo_file_perms;
- allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -66,8 +65,8 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
-
- kernel_read_network_state(iscsid_t)
- kernel_read_system_state(iscsid_t)
-+kernel_setsched(iscsid_t)
-
--corenet_all_recvfrom_unlabeled(iscsid_t)
- corenet_all_recvfrom_netlabel(iscsid_t)
- corenet_tcp_sendrecv_generic_if(iscsid_t)
- corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -75,14 +74,16 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
- corenet_tcp_connect_http_port(iscsid_t)
- corenet_tcp_connect_iscsi_port(iscsid_t)
- corenet_tcp_connect_isns_port(iscsid_t)
-+corenet_tcp_connect_winshadow_port(iscsid_t)
-
- dev_rw_sysfs(iscsid_t)
- dev_rw_userio_dev(iscsid_t)
-+dev_read_raw_memory(iscsid_t)
-+dev_write_raw_memory(iscsid_t)
-
- domain_use_interactive_fds(iscsid_t)
- domain_dontaudit_read_all_domains_state(iscsid_t)
-
--files_read_etc_files(iscsid_t)
-
- auth_use_nsswitch(iscsid_t)
-
-@@ -90,8 +91,6 @@ init_stream_connect_script(iscsid_t)
-
- logging_send_syslog_msg(iscsid_t)
-
--miscfiles_read_localization(iscsid_t)
--
- optional_policy(`
- tgtd_manage_semaphores(iscsid_t)
- ')
-diff --git a/isnsd.fc b/isnsd.fc
-new file mode 100644
-index 0000000..3e29080
---- /dev/null
-+++ b/isnsd.fc
-@@ -0,0 +1,8 @@
-+/etc/rc\.d/init\.d/isnsd -- gen_context(system_u:object_r:isnsd_initrc_exec_t,s0)
-+
-+/usr/sbin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0)
-+
-+/var/lib/isns(/.*)? gen_context(system_u:object_r:isnsd_var_lib_t,s0)
-+
-+/var/run/isnsd\.pid -- gen_context(system_u:object_r:isnsd_var_run_t,s0)
-+/var/run/isnsctl -s gen_context(system_u:object_r:isnsd_var_run_t,s0)
-diff --git a/isnsd.if b/isnsd.if
-new file mode 100644
-index 0000000..1b3514a
---- /dev/null
-+++ b/isnsd.if
-@@ -0,0 +1,181 @@
-+
-+## policy for isnsd
-+
-+
-+########################################
-+##
-+## Transition to isnsd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`isnsd_domtrans',`
-+ gen_require(`
-+ type isnsd_t, isnsd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, isnsd_exec_t, isnsd_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute isnsd server in the isnsd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`isnsd_initrc_domtrans',`
-+ gen_require(`
-+ type isnsd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
-+')
-+
-+
-+########################################
-+##
-+## Search isnsd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`isnsd_search_lib',`
-+ gen_require(`
-+ type isnsd_var_lib_t;
-+ ')
-+
-+ allow $1 isnsd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read isnsd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`isnsd_read_lib_files',`
-+ gen_require(`
-+ type isnsd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage isnsd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`isnsd_manage_lib_files',`
-+ gen_require(`
-+ type isnsd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage isnsd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`isnsd_manage_lib_dirs',`
-+ gen_require(`
-+ type isnsd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
-+')
-+
-+
-+########################################
-+##
-+## Read isnsd PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`isnsd_read_pid_files',`
-+ gen_require(`
-+ type isnsd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 isnsd_var_run_t:file read_file_perms;
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an isnsd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`isnsd_admin',`
-+ gen_require(`
-+ type isnsd_t;
-+ type isnsd_initrc_exec_t;
-+ type isnsd_var_lib_t;
-+ type isnsd_var_run_t;
-+ ')
-+
-+ allow $1 isnsd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, isnsd_t)
-+
-+ isnsd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 isnsd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, isnsd_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, isnsd_var_run_t)
-+
-+')
-+
-diff --git a/isnsd.te b/isnsd.te
-new file mode 100644
-index 0000000..951fbae
---- /dev/null
-+++ b/isnsd.te
-@@ -0,0 +1,52 @@
-+policy_module(isnsd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type isnsd_t;
-+type isnsd_exec_t;
-+init_daemon_domain(isnsd_t, isnsd_exec_t)
-+
-+type isnsd_initrc_exec_t;
-+init_script_file(isnsd_initrc_exec_t)
-+
-+type isnsd_var_lib_t;
-+files_type(isnsd_var_lib_t)
-+
-+type isnsd_var_run_t;
-+files_pid_file(isnsd_var_run_t)
-+
-+########################################
-+#
-+# isnsd local policy
-+#
-+
-+allow isnsd_t self:capability { kill };
-+allow isnsd_t self:process { signal };
-+
-+allow isnsd_t self:fifo_file rw_fifo_file_perms;
-+allow isnsd_t self:tcp_socket { listen };
-+allow isnsd_t self:udp_socket { listen };
-+allow isnsd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
-+manage_files_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
-+files_var_lib_filetrans(isnsd_t, isnsd_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
-+manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
-+manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
-+files_pid_filetrans(isnsd_t, isnsd_var_run_t, { dir file sock_file })
-+
-+corenet_tcp_bind_generic_node(isnsd_t)
-+corenet_tcp_bind_isns_port(isnsd_t)
-+
-+domain_use_interactive_fds(isnsd_t)
-+
-+files_read_etc_files(isnsd_t)
-+
-+logging_send_syslog_msg(isnsd_t)
-+
-+sysnet_dns_name_resolve(isnsd_t)
-diff --git a/jabber.fc b/jabber.fc
-index da6f4b4..bd02cc8 100644
---- a/jabber.fc
-+++ b/jabber.fc
-@@ -1,10 +1,18 @@
--/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/jabberd -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
-
--/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
--/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-+/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-+/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-
--/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
--/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-+/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-
--/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
--/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
-+# pyicq-t
-+
-+/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
-+
-+/var/log/pyicq-t\.log.* gen_context(system_u:object_r:pyicqt_log_t,s0)
-+
-+/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
-+
-+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
-diff --git a/jabber.if b/jabber.if
-index 9878499..01673a4 100644
---- a/jabber.if
-+++ b/jabber.if
-@@ -1,8 +1,114 @@
- ## Jabber instant messaging server
-
--########################################
-+#####################################
-+##
-+## Creates types and rules for a basic
-+## jabber init daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`jabber_domain_template',`
-+ gen_require(`
-+ attribute jabberd_domain;
-+ ')
-+
-+ ##############################
-+ #
-+ # $1_t declarations
-+ #
-+
-+ type $1_t, jabberd_domain;
-+ type $1_exec_t;
-+ init_daemon_domain($1_t, $1_exec_t)
-+
-+ kernel_read_system_state($1_t)
-+
-+ corenet_all_recvfrom_netlabel($1_t)
-+
-+ logging_send_syslog_msg($1_t)
-+')
-+
-+#######################################
-+##
-+## Execute a domain transition to run jabberd services
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`jabber_domtrans_jabberd',`
-+ gen_require(`
-+ type jabberd_t, jabberd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, jabberd_exec_t, jabberd_t)
-+')
-+
-+######################################
-+##
-+## Execute a domain transition to run jabberd router service
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`jabber_domtrans_jabberd_router',`
-+ gen_require(`
-+ type jabberd_router_t, jabberd_router_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
-+')
-+
-+#######################################
-+##
-+## Read jabberd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jabberd_read_lib_files',`
-+ gen_require(`
-+ type jabberd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
-+')
-+
-+#######################################
-+##
-+## Dontaudit inherited read jabberd lib files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`jabberd_dontaudit_read_lib_files',`
-+ gen_require(`
-+ type jabberd_var_lib_t;
-+ ')
-+
-+ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
-+')
-+
-+#######################################
- ##
--## Connect to jabber over a TCP socket (Deprecated)
-+## Create, read, write, and delete
-+## jabberd lib files.
- ##
- ##
- ##
-@@ -10,8 +116,13 @@
- ##
- ##
- #
--interface(`jabber_tcp_connect',`
-- refpolicywarn(`$0($*) has been deprecated.')
-+interface(`jabberd_manage_lib_files',`
-+ gen_require(`
-+ type jabberd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
- ')
-
- ########################################
-@@ -33,24 +144,25 @@ interface(`jabber_tcp_connect',`
- #
- interface(`jabber_admin',`
- gen_require(`
-- type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
-- type jabberd_var_run_t, jabberd_initrc_exec_t;
-+ type jabberd_t, jabberd_var_lib_t;
-+ type jabberd_initrc_exec_t, jabberd_router_t;
- ')
-
-- allow $1 jabberd_t:process { ptrace signal_perms };
-+ allow $1 jabberd_t:process signal_perms;
- ps_process_pattern($1, jabberd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 jabberd_t:process ptrace;
-+ allow $1 jabberd_router_t:process ptrace;
-+ ')
-+
-+ allow $1 jabberd_router_t:process signal_perms;
-+ ps_process_pattern($1, jabberd_router_t)
-
- init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 jabberd_initrc_exec_t system_r;
- allow $2 system_r;
-
-- logging_list_logs($1)
-- admin_pattern($1, jabberd_log_t)
--
- files_list_var_lib($1)
- admin_pattern($1, jabberd_var_lib_t)
--
-- files_list_pids($1)
-- admin_pattern($1, jabberd_var_run_t)
- ')
-diff --git a/jabber.te b/jabber.te
-index 53e53ca..c1ce1b7 100644
---- a/jabber.te
-+++ b/jabber.te
-@@ -1,94 +1,146 @@
--policy_module(jabber, 1.9.0)
-+policy_module(jabber, 1.8.0)
-
- ########################################
- #
- # Declarations
- #
-
--type jabberd_t;
--type jabberd_exec_t;
--init_daemon_domain(jabberd_t, jabberd_exec_t)
-+attribute jabberd_domain;
-+
-+jabber_domain_template(jabberd)
-+jabber_domain_template(jabberd_router)
-+jabber_domain_template(pyicqt)
-
- type jabberd_initrc_exec_t;
- init_script_file(jabberd_initrc_exec_t)
-
--type jabberd_log_t;
--logging_log_file(jabberd_log_t)
--
-+# type which includes log/pid files pro jabberd components
- type jabberd_var_lib_t;
- files_type(jabberd_var_lib_t)
-
--type jabberd_var_run_t;
--files_pid_file(jabberd_var_run_t)
-+# pyicq-t types
-+type pyicqt_log_t;
-+logging_log_file(pyicqt_log_t);
-
--########################################
-+type pyicqt_var_spool_t;
-+files_spool_file(pyicqt_var_spool_t)
-+
-+type pyicqt_var_run_t;
-+files_pid_file(pyicqt_var_run_t)
-+
-+######################################
- #
--# Local policy
-+# Local policy for jabberd-router and c2s components
- #
-
--allow jabberd_t self:capability dac_override;
--dontaudit jabberd_t self:capability sys_tty_config;
--allow jabberd_t self:process signal_perms;
--allow jabberd_t self:fifo_file read_fifo_file_perms;
--allow jabberd_t self:tcp_socket create_stream_socket_perms;
--allow jabberd_t self:udp_socket create_socket_perms;
-+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
-
--manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
--files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
--
--manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
--logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
--
--manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
--files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
--
--kernel_read_kernel_sysctls(jabberd_t)
--kernel_list_proc(jabberd_t)
--kernel_read_proc_symlinks(jabberd_t)
--
--corenet_all_recvfrom_unlabeled(jabberd_t)
--corenet_all_recvfrom_netlabel(jabberd_t)
--corenet_tcp_sendrecv_generic_if(jabberd_t)
--corenet_udp_sendrecv_generic_if(jabberd_t)
--corenet_tcp_sendrecv_generic_node(jabberd_t)
--corenet_udp_sendrecv_generic_node(jabberd_t)
--corenet_tcp_sendrecv_all_ports(jabberd_t)
--corenet_udp_sendrecv_all_ports(jabberd_t)
--corenet_tcp_bind_generic_node(jabberd_t)
--corenet_tcp_bind_jabber_client_port(jabberd_t)
--corenet_tcp_bind_jabber_interserver_port(jabberd_t)
--corenet_sendrecv_jabber_client_server_packets(jabberd_t)
--corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
-+manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
-+manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
-+
-+kernel_read_network_state(jabberd_router_t)
-+
-+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
-+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
-+corenet_tcp_connect_jabber_router_port(jabberd_router_t)
-+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
-+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
-
--dev_read_sysfs(jabberd_t)
--# For SSL
--dev_read_rand(jabberd_t)
-+fs_getattr_all_fs(jabberd_router_t)
-
--domain_use_interactive_fds(jabberd_t)
-+miscfiles_read_generic_certs(jabberd_router_t)
-
--files_read_etc_files(jabberd_t)
--files_read_etc_runtime_files(jabberd_t)
-+optional_policy(`
-+ kerberos_use(jabberd_router_t)
-+')
-
--fs_getattr_all_fs(jabberd_t)
--fs_search_auto_mountpoints(jabberd_t)
-+optional_policy(`
-+ nis_use_ypbind(jabberd_router_t)
-+')
-
--logging_send_syslog_msg(jabberd_t)
-+#####################################
-+#
-+# Local policy for other jabberd components
-+#
-
--miscfiles_read_localization(jabberd_t)
-+manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
-+manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
-
--sysnet_read_config(jabberd_t)
-+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
-+corenet_tcp_connect_jabber_router_port(jabberd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
- userdom_dontaudit_search_user_home_dirs(jabberd_t)
-
- optional_policy(`
-- nis_use_ypbind(jabberd_t)
-+ seutil_sigchld_newrole(jabberd_t)
- ')
-
- optional_policy(`
-- seutil_sigchld_newrole(jabberd_t)
-+ udev_read_db(jabberd_t)
-+')
-+
-+######################################
-+#
-+# Local policy for pyicq-t
-+#
-+
-+# need for /var/log/pyicq-t.log
-+manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t)
-+logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
-+
-+manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);
-+
-+files_search_spool(pyicqt_t)
-+manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);
-+
-+corenet_tcp_bind_jabber_router_port(pyicqt_t)
-+corenet_tcp_connect_jabber_router_port(pyicqt_t)
-+
-+corecmd_exec_bin(pyicqt_t)
-+
-+dev_read_urand(pyicqt_t);
-+
-+files_read_usr_files(pyicqt_t)
-+
-+auth_use_nsswitch(pyicqt_t);
-+
-+# for RHEL5
-+libs_use_ld_so(pyicqt_t)
-+libs_use_shared_libs(pyicqt_t)
-+
-+# needed for pyicq-t-mysql
-+optional_policy(`
-+ corenet_tcp_connect_mysqld_port(pyicqt_t)
- ')
-
- optional_policy(`
-- udev_read_db(jabberd_t)
-+ sysnet_use_ldap(pyicqt_t)
- ')
-+
-+#######################################
-+#
-+# Local policy for jabberd domains
-+#
-+
-+allow jabberd_domain self:process signal_perms;
-+allow jabberd_domain self:fifo_file rw_fifo_file_perms;
-+allow jabberd_domain self:tcp_socket create_stream_socket_perms;
-+allow jabberd_domain self:udp_socket create_socket_perms;
-+
-+corenet_tcp_sendrecv_generic_if(jabberd_domain)
-+corenet_udp_sendrecv_generic_if(jabberd_domain)
-+corenet_tcp_sendrecv_generic_node(jabberd_domain)
-+corenet_udp_sendrecv_generic_node(jabberd_domain)
-+corenet_tcp_sendrecv_all_ports(jabberd_domain)
-+corenet_udp_sendrecv_all_ports(jabberd_domain)
-+corenet_tcp_bind_generic_node(jabberd_domain)
-+
-+dev_read_urand(jabberd_domain)
-+dev_read_urand(jabberd_domain)
-+dev_read_sysfs(jabberd_domain)
-+
-+files_read_etc_files(jabberd_domain)
-+files_read_etc_runtime_files(jabberd_domain)
-+
-+sysnet_read_config(jabberd_domain)
-diff --git a/java.fc b/java.fc
-index bc1a419..f630930 100644
---- a/java.fc
-+++ b/java.fc
-@@ -28,8 +28,6 @@
- /usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
-
--/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
--
- /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-
- ifdef(`distro_redhat',`
-diff --git a/java.te b/java.te
-index ff52c16..bdb4610 100644
---- a/java.te
-+++ b/java.te
-@@ -10,7 +10,7 @@ policy_module(java, 2.6.0)
- ## Allow java executable stack
- ##
- ##
--gen_tunable(allow_java_execstack, false)
-+gen_tunable(java_execstack, false)
-
- type java_t;
- type java_exec_t;
-@@ -62,7 +62,6 @@ kernel_read_system_state(java_t)
- # Search bin directory under java for java executable
- corecmd_search_bin(java_t)
-
--corenet_all_recvfrom_unlabeled(java_t)
- corenet_all_recvfrom_netlabel(java_t)
- corenet_tcp_sendrecv_generic_if(java_t)
- corenet_udp_sendrecv_generic_if(java_t)
-@@ -91,7 +90,6 @@ fs_dontaudit_rw_tmpfs_files(java_t)
-
- logging_send_syslog_msg(java_t)
-
--miscfiles_read_localization(java_t)
- # Read global fonts and font config
- miscfiles_read_fonts(java_t)
-
-@@ -108,7 +106,7 @@ userdom_manage_user_home_content_sockets(java_t)
- userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file })
- userdom_write_user_tmp_sockets(java_t)
-
--tunable_policy(`allow_java_execstack',`
-+tunable_policy(`java_execstack',`
- allow java_t self:process execstack;
-
- allow java_t java_tmp_t:file execute;
-diff --git a/jetty.fc b/jetty.fc
-new file mode 100644
-index 0000000..1725b7e
---- /dev/null
-+++ b/jetty.fc
-@@ -0,0 +1,9 @@
-+
-+/var/cache/jetty(/.*)? gen_context(system_u:object_r:jetty_cache_t,s0)
-+
-+/var/lib/jetty(/.*)? gen_context(system_u:object_r:jetty_var_lib_t,s0)
-+
-+/var/log/jetty(/.*)? gen_context(system_u:object_r:jetty_log_t,s0)
-+
-+/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0)
-+
-diff --git a/jetty.if b/jetty.if
-new file mode 100644
-index 0000000..2abc285
---- /dev/null
-+++ b/jetty.if
-@@ -0,0 +1,268 @@
-+
-+## policy for jetty
-+
-+########################################
-+##
-+## Search jetty cache directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jetty_search_cache',`
-+ gen_require(`
-+ type jetty_cache_t;
-+ ')
-+
-+ allow $1 jetty_cache_t:dir search_dir_perms;
-+ files_search_var($1)
-+')
-+
-+########################################
-+##
-+## Read jetty cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jetty_read_cache_files',`
-+ gen_require(`
-+ type jetty_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ read_files_pattern($1, jetty_cache_t, jetty_cache_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## jetty cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jetty_manage_cache_files',`
-+ gen_require(`
-+ type jetty_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_files_pattern($1, jetty_cache_t, jetty_cache_t)
-+')
-+
-+########################################
-+##
-+## Manage jetty cache dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jetty_manage_cache_dirs',`
-+ gen_require(`
-+ type jetty_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_dirs_pattern($1, jetty_cache_t, jetty_cache_t)
-+')
-+
-+########################################
-+##
-+## Read jetty's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`jetty_read_log',`
-+ gen_require(`
-+ type jetty_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, jetty_log_t, jetty_log_t)
-+')
-+
-+########################################
-+##
-+## Append to jetty log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jetty_append_log',`
-+ gen_require(`
-+ type jetty_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, jetty_log_t, jetty_log_t)
-+')
-+
-+########################################
-+##
-+## Manage jetty log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jetty_manage_log',`
-+ gen_require(`
-+ type jetty_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, jetty_log_t, jetty_log_t)
-+ manage_files_pattern($1, jetty_log_t, jetty_log_t)
-+ manage_lnk_files_pattern($1, jetty_log_t, jetty_log_t)
-+')
-+
-+########################################
-+##
-+## Search jetty lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jetty_search_lib',`
-+ gen_require(`
-+ type jetty_var_lib_t;
-+ ')
-+
-+ allow $1 jetty_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read jetty lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jetty_read_lib_files',`
-+ gen_require(`
-+ type jetty_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage jetty lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jetty_manage_lib_files',`
-+ gen_require(`
-+ type jetty_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage jetty lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jetty_manage_lib_dirs',`
-+ gen_require(`
-+ type jetty_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read jetty PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jetty_read_pid_files',`
-+ gen_require(`
-+ type jetty_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 jetty_var_run_t:file read_file_perms;
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an jetty environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`jetty_admin',`
-+ gen_require(`
-+ type jetty_cache_t;
-+ type jetty_log_t;
-+ type jetty_var_lib_t;
-+ type jetty_var_run_t;
-+ ')
-+
-+ files_search_var($1)
-+ admin_pattern($1, jetty_cache_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, jetty_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, jetty_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, jetty_var_run_t)
-+')
-diff --git a/jetty.te b/jetty.te
-new file mode 100644
-index 0000000..af510ea
---- /dev/null
-+++ b/jetty.te
-@@ -0,0 +1,25 @@
-+policy_module(jetty, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type jetty_cache_t;
-+files_type(jetty_cache_t)
-+
-+type jetty_log_t;
-+logging_log_file(jetty_log_t)
-+
-+type jetty_var_lib_t;
-+files_type(jetty_var_lib_t)
-+
-+type jetty_var_run_t;
-+files_pid_file(jetty_var_run_t)
-+
-+########################################
-+#
-+# jetty local policy
-+#
-+
-+# No local policy. This module just contains type definitions
-diff --git a/jockey.fc b/jockey.fc
-new file mode 100644
-index 0000000..a59ad8d
---- /dev/null
-+++ b/jockey.fc
-@@ -0,0 +1,6 @@
-+/usr/share/jockey/jockey-backend -- gen_context(system_u:object_r:jockey_exec_t,s0)
-+
-+/var/cache/jockey(/.*)? gen_context(system_u:object_r:jockey_cache_t,s0)
-+
-+/var/log/jockey(/.*)? gen_context(system_u:object_r:jockey_var_log_t,s0)
-+/var/log/jockey\.log.* -- gen_context(system_u:object_r:jockey_var_log_t,s0)
-diff --git a/jockey.if b/jockey.if
-new file mode 100644
-index 0000000..868c7d0
---- /dev/null
-+++ b/jockey.if
-@@ -0,0 +1,126 @@
-+
-+## policy for jockey
-+
-+########################################
-+##
-+## Transition to jockey.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`jockey_domtrans',`
-+ gen_require(`
-+ type jockey_t, jockey_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, jockey_exec_t, jockey_t)
-+')
-+
-+########################################
-+##
-+## Search jockey cache directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jockey_search_cache',`
-+ gen_require(`
-+ type jockey_cache_t;
-+ ')
-+
-+ allow $1 jockey_cache_t:dir search_dir_perms;
-+ files_search_var($1)
-+')
-+
-+########################################
-+##
-+## Read jockey cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jockey_read_cache_files',`
-+ gen_require(`
-+ type jockey_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ read_files_pattern($1, jockey_cache_t, jockey_cache_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## jockey cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jockey_manage_cache_files',`
-+ gen_require(`
-+ type jockey_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_files_pattern($1, jockey_cache_t, jockey_cache_t)
-+')
-+
-+########################################
-+##
-+## Manage jockey cache dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jockey_manage_cache_dirs',`
-+ gen_require(`
-+ type jockey_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an jockey environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`jockey_admin',`
-+ gen_require(`
-+ type jockey_t;
-+ type jockey_cache_t;
-+ ')
-+
-+ allow $1 jockey_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, jockey_t)
-+
-+ files_search_var($1)
-+ admin_pattern($1, jockey_cache_t)
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/jockey.te b/jockey.te
-new file mode 100644
-index 0000000..03a01b4
---- /dev/null
-+++ b/jockey.te
-@@ -0,0 +1,62 @@
-+policy_module(jockey, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type jockey_t;
-+type jockey_exec_t;
-+init_daemon_domain(jockey_t, jockey_exec_t)
-+
-+type jockey_cache_t;
-+files_type(jockey_cache_t)
-+
-+type jockey_var_log_t;
-+logging_log_file(jockey_var_log_t)
-+
-+########################################
-+#
-+# jockey local policy
-+#
-+allow jockey_t self:fifo_file rw_fifo_file_perms;
-+
-+manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
-+manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
-+manage_lnk_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
-+files_var_filetrans(jockey_t, jockey_cache_t, { dir file })
-+
-+manage_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
-+manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
-+logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
-+
-+kernel_read_system_state(jockey_t)
-+
-+corecmd_exec_bin(jockey_t)
-+corecmd_exec_shell(jockey_t)
-+
-+dev_read_rand(jockey_t)
-+dev_read_urand(jockey_t)
-+
-+dev_read_sysfs(jockey_t)
-+
-+domain_use_interactive_fds(jockey_t)
-+
-+files_read_etc_files(jockey_t)
-+files_read_usr_files(jockey_t)
-+
-+auth_read_passwd(jockey_t)
-+
-+optional_policy(`
-+ dbus_system_domain(jockey_t, jockey_exec_t)
-+')
-+
-+optional_policy(`
-+ gnome_dontaudit_search_config(jockey_t)
-+')
-+
-+optional_policy(`
-+ modutils_domtrans_insmod(jockey_t)
-+ modutils_read_module_config(jockey_t)
-+ modutils_list_module_config(jockey_t)
-+')
-diff --git a/kde.fc b/kde.fc
-new file mode 100644
-index 0000000..25e4b68
---- /dev/null
-+++ b/kde.fc
-@@ -0,0 +1 @@
-+#/usr/libexec/kde(3|4)/backlighthelper -- gen_context(system_u:object_r:kdebacklighthelper_exec_t,s0)
-diff --git a/kde.if b/kde.if
-new file mode 100644
-index 0000000..cf65577
---- /dev/null
-+++ b/kde.if
-@@ -0,0 +1,22 @@
-+## Policy for KDE components
-+
-+#######################################
-+##
-+## Send and receive messages from
-+## firewallgui over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kde_dbus_chat_backlighthelper',`
-+ gen_require(`
-+ type kdebacklighthelper_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 kdebacklighthelper_t:dbus send_msg;
-+ allow kdebacklighthelper_t $1:dbus send_msg;
-+')
-diff --git a/kde.te b/kde.te
-new file mode 100644
-index 0000000..7b4b5ff
---- /dev/null
-+++ b/kde.te
-@@ -0,0 +1,42 @@
-+policy_module(kde,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type kdebacklighthelper_t;
-+type kdebacklighthelper_exec_t;
-+init_daemon_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
-+
-+########################################
-+#
-+# backlighthelper local policy
-+#
-+allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
-+
-+kernel_read_system_state(kdebacklighthelper_t)
-+
-+# r/w brightness values
-+dev_rw_sysfs(kdebacklighthelper_t)
-+
-+files_read_etc_files(kdebacklighthelper_t)
-+files_read_etc_runtime_files(kdebacklighthelper_t)
-+files_read_usr_files(kdebacklighthelper_t)
-+
-+fs_getattr_all_fs(kdebacklighthelper_t)
-+
-+logging_send_syslog_msg(kdebacklighthelper_t)
-+
-+optional_policy(`
-+ dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
-+')
-+
-+optional_policy(`
-+ consolekit_dbus_chat(kdebacklighthelper_t)
-+')
-+
-+optional_policy(`
-+ policykit_dbus_chat(kdebacklighthelper_t)
-+')
-+
-diff --git a/kdump.fc b/kdump.fc
-index c66934f..1906ffe 100644
---- a/kdump.fc
-+++ b/kdump.fc
-@@ -3,3 +3,11 @@
-
- /sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
- /sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
-+
-+
-+/usr/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0)
-+
-+/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
-+/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
-+/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
-+
-diff --git a/kdump.if b/kdump.if
-index 4198ff5..15d521b 100644
---- a/kdump.if
-+++ b/kdump.if
-@@ -19,6 +19,26 @@ interface(`kdump_domtrans',`
- domtrans_pattern($1, kdump_exec_t, kdump_t)
- ')
-
-+######################################
-+##
-+## Execute kdumpctl in the kdumpctl domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`kdumpctl_domtrans',`
-+ gen_require(`
-+ type kdumpctl_t, kdumpctl_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, kdumpctl_exec_t, kdumpctl_t)
-+')
-+
-+
- #######################################
- ##
- ## Execute kdump in the kdump domain.
-@@ -37,6 +57,30 @@ interface(`kdump_initrc_domtrans',`
- init_labeled_script_domtrans($1, kdump_initrc_exec_t)
- ')
-
-+########################################
-+##
-+## Execute kdump server in the kdump domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`kdump_systemctl',`
-+ gen_require(`
-+ type kdump_unit_file_t;
-+ type kdump_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_search_unit_dirs($1)
-+ allow $1 kdump_unit_file_t:file read_file_perms;
-+ allow $1 kdump_unit_file_t:service all_service_perms;
-+
-+ ps_process_pattern($1, kdump_t)
-+')
-+
- #####################################
- ##
- ## Read kdump configuration file.
-@@ -56,6 +100,24 @@ interface(`kdump_read_config',`
- allow $1 kdump_etc_t:file read_file_perms;
- ')
-
-+#####################################
-+##
-+## Dontaudit read kdump configuration file.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`kdump_dontaudit_read_config',`
-+ gen_require(`
-+ type kdump_etc_t;
-+ ')
-+
-+ dontaudit $1 kdump_etc_t:file read_inherited_file_perms;
-+')
-+
- ####################################
- ##
- ## Manage kdump configuration file.
-@@ -75,6 +137,27 @@ interface(`kdump_manage_config',`
- allow $1 kdump_etc_t:file manage_file_perms;
- ')
-
-+###################################
-+##
-+## Manage kdump /var/tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kdump_manage_kdumpctl_tmp_files',`
-+ gen_require(`
-+ type kdumpctl_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
-+ manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
-+ manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
-+')
-+
- ######################################
- ##
- ## All of the rules required to administrate
-@@ -96,10 +179,14 @@ interface(`kdump_admin',`
- gen_require(`
- type kdump_t, kdump_etc_t;
- type kdump_initrc_exec_t;
-+ type kdump_unit_file_t;
- ')
-
-- allow $1 kdump_t:process { ptrace signal_perms };
-+ allow $1 kdump_t:process signal_perms;
- ps_process_pattern($1, kdump_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 kdump_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, kdump_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -108,4 +195,8 @@ interface(`kdump_admin',`
-
- files_search_etc($1)
- admin_pattern($1, kdump_etc_t)
-+
-+ kdump_systemctl($1)
-+ admin_pattern($1, kdump_unit_file_t)
-+ allow $1 kdump_unit_file_t:service all_service_perms;
- ')
-diff --git a/kdump.te b/kdump.te
-index b29d8e2..6b6a6c4 100644
---- a/kdump.te
-+++ b/kdump.te
-@@ -15,15 +15,28 @@ files_config_file(kdump_etc_t)
- type kdump_initrc_exec_t;
- init_script_file(kdump_initrc_exec_t)
-
-+type kdump_unit_file_t alias kdumpctl_unit_file_t;
-+systemd_unit_file(kdump_unit_file_t)
-+
-+type kdumpctl_t;
-+type kdumpctl_exec_t;
-+init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
-+init_initrc_domain(kdumpctl_t)
-+
-+type kdumpctl_tmp_t;
-+files_tmp_file(kdumpctl_tmp_t)
-+
- #####################################
- #
- # kdump local policy
- #
-
- allow kdump_t self:capability { sys_boot dac_override };
-+allow kdump_t self:capability2 compromise_kernel;
-
- read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
-
-+files_read_etc_files(kdump_t)
- files_read_etc_runtime_files(kdump_t)
- files_read_kernel_img(kdump_t)
-
-@@ -36,3 +49,89 @@ dev_read_framebuffer(kdump_t)
- dev_read_sysfs(kdump_t)
-
- term_use_console(kdump_t)
-+
-+#######################################
-+#
-+# kdumpctl local policy
-+#
-+
-+#cjp:almost all rules are needed by dracut
-+
-+kdump_domtrans(kdumpctl_t)
-+
-+allow kdumpctl_t self:capability { dac_override sys_chroot };
-+allow kdumpctl_t self:process setfscreate;
-+
-+allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
-+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
-+manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
-+manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
-+manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
-+files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })
-+can_exec(kdumpctl_t, kdumpctl_tmp_t)
-+
-+read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t)
-+
-+kernel_read_system_state(kdumpctl_t)
-+
-+corecmd_exec_bin(kdumpctl_t)
-+corecmd_exec_shell(kdumpctl_t)
-+
-+dev_read_sysfs(kdumpctl_t)
-+# dracut
-+dev_manage_all_dev_nodes(kdumpctl_t)
-+
-+domain_use_interactive_fds(kdumpctl_t)
-+
-+files_create_kernel_img(kdumpctl_t)
-+files_read_etc_files(kdumpctl_t)
-+files_read_etc_runtime_files(kdumpctl_t)
-+files_read_usr_files(kdumpctl_t)
-+files_read_kernel_modules(kdumpctl_t)
-+files_getattr_all_dirs(kdumpctl_t)
-+files_delete_kernel(kdumpctl_t)
-+
-+fs_getattr_all_fs(kdumpctl_t)
-+fs_search_all(kdumpctl_t)
-+
-+application_executable_ioctl(kdumpctl_t)
-+
-+auth_read_passwd(kdumpctl_t)
-+
-+init_exec(kdumpctl_t)
-+systemd_exec_systemctl(kdumpctl_t)
-+systemd_read_unit_files(kdumpctl_t)
-+
-+libs_exec_ld_so(kdumpctl_t)
-+
-+logging_send_syslog_msg(kdumpctl_t)
-+# Need log file from /var/log/dracut.log
-+logging_write_generic_logs(kdumpctl_t)
-+
-+optional_policy(`
-+ gpg_exec(kdumpctl_t)
-+')
-+
-+optional_policy(`
-+ lvm_read_config(kdumpctl_t)
-+')
-+
-+optional_policy(`
-+ modutils_domtrans_insmod(kdumpctl_t)
-+ modutils_list_module_config(kdumpctl_t)
-+ modutils_read_module_config(kdumpctl_t)
-+')
-+
-+optional_policy(`
-+ plymouthd_domtrans_plymouth(kdumpctl_t)
-+')
-+
-+optional_policy(`
-+ ssh_exec(kdumpctl_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(kdumpctl_t)
-+')
-diff --git a/kdumpgui.if b/kdumpgui.if
-index d6af9b0..8b1d9c2 100644
---- a/kdumpgui.if
-+++ b/kdumpgui.if
-@@ -1,2 +1,23 @@
- ## system-config-kdump GUI
-
-+########################################
-+##
-+## Send and receive messages from
-+## kdumpgui over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kdumpgui_dbus_chat',`
-+ gen_require(`
-+ type kdumpgui_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 kdumpgui_t:dbus send_msg;
-+ allow kdumpgui_t $1:dbus send_msg;
-+')
-+
-diff --git a/kdumpgui.te b/kdumpgui.te
-index 0c52f60..acb89ac 100644
---- a/kdumpgui.te
-+++ b/kdumpgui.te
-@@ -7,25 +7,36 @@ policy_module(kdumpgui, 1.1.0)
-
- type kdumpgui_t;
- type kdumpgui_exec_t;
--dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
-+init_daemon_domain(kdumpgui_t, kdumpgui_exec_t)
-+
-+type kdumpgui_tmp_t;
-+files_tmp_file(kdumpgui_tmp_t)
-
- ######################################
- #
- # system-config-kdump local policy
- #
-
--allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
-+allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio };
- allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
- allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow kdumpgui_t self:process { setsched sigkill };
-+
-+manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
-+manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
-+files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file })
-
- kernel_read_system_state(kdumpgui_t)
- kernel_read_network_state(kdumpgui_t)
-+kernel_getattr_core_if(kdumpgui_t)
-
- corecmd_exec_bin(kdumpgui_t)
- corecmd_exec_shell(kdumpgui_t)
-
- dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
- dev_read_sysfs(kdumpgui_t)
-+dev_read_urand(kdumpgui_t)
-+dev_getattr_all_blk_files(kdumpgui_t)
-
- files_manage_boot_files(kdumpgui_t)
- files_manage_boot_symlinks(kdumpgui_t)
-@@ -36,28 +47,53 @@ files_manage_etc_runtime_files(kdumpgui_t)
- files_etc_filetrans_etc_runtime(kdumpgui_t, file)
- files_read_usr_files(kdumpgui_t)
-
-+fs_read_dos_files(kdumpgui_t)
-+fs_getattr_all_fs(kdumpgui_t)
-+fs_list_hugetlbfs(kdumpgui_t)
-+
- storage_raw_read_fixed_disk(kdumpgui_t)
- storage_raw_write_fixed_disk(kdumpgui_t)
-+storage_getattr_removable_dev(kdumpgui_t)
-
- auth_use_nsswitch(kdumpgui_t)
-
- logging_send_syslog_msg(kdumpgui_t)
-+logging_list_logs(kdumpgui_t)
-+logging_read_generic_logs(kdumpgui_t)
-
--miscfiles_read_localization(kdumpgui_t)
-+mount_exec(kdumpgui_t)
-
- init_dontaudit_read_all_script_files(kdumpgui_t)
-+init_access_check(kdumpgui_t)
-+
-+userdom_dontaudit_search_admin_dir(kdumpgui_t)
-+
-+optional_policy(`
-+ bootloader_exec(kdumpgui_t)
-+ bootloader_rw_config(kdumpgui_t)
-+')
-
- optional_policy(`
- consoletype_exec(kdumpgui_t)
- ')
-
- optional_policy(`
-+ consoletype_exec(kdumpgui_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
-+')
-+
-+optional_policy(`
- dev_rw_lvm_control(kdumpgui_t)
- ')
-
- optional_policy(`
- kdump_manage_config(kdumpgui_t)
- kdump_initrc_domtrans(kdumpgui_t)
-+ kdump_systemctl(kdumpgui_t)
-+ kdumpctl_domtrans(kdumpgui_t)
- ')
-
- optional_policy(`
-diff --git a/kerberos.fc b/kerberos.fc
-index 3525d24..8c702c9 100644
---- a/kerberos.fc
-+++ b/kerberos.fc
-@@ -13,13 +13,14 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
- /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-
--/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
--/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
-+/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-+/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
- /usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
- /usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
-+/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
-
--/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
--/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-+/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-
- /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
- /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-@@ -27,7 +28,17 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
- /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
- /var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-
--/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
--/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
-+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
-+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
-
-+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+
-+/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
- /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-diff --git a/kerberos.if b/kerberos.if
-index 604f67b..138e1e2 100644
---- a/kerberos.if
-+++ b/kerberos.if
-@@ -82,14 +82,11 @@ interface(`kerberos_use',`
- #kerberos libraries are attempting to set the correct file context
- dontaudit $1 self:process setfscreate;
- selinux_dontaudit_validate_context($1)
-- seutil_dontaudit_read_file_contexts($1)
-
-- tunable_policy(`allow_kerberos',`
-+ tunable_policy(`kerberos_enabled',`
- allow $1 self:tcp_socket create_socket_perms;
- allow $1 self:udp_socket create_socket_perms;
-
-- corenet_all_recvfrom_unlabeled($1)
-- corenet_all_recvfrom_netlabel($1)
- corenet_tcp_sendrecv_generic_if($1)
- corenet_udp_sendrecv_generic_if($1)
- corenet_tcp_sendrecv_generic_node($1)
-@@ -103,11 +100,12 @@ interface(`kerberos_use',`
- corenet_sendrecv_kerberos_client_packets($1)
- corenet_sendrecv_ocsp_client_packets($1)
-
-- allow $1 krb5_host_rcache_t:file getattr;
-+ allow $1 krb5_host_rcache_t:dir search_dir_perms;
-+ allow $1 krb5_host_rcache_t:file getattr_file_perms;
- ')
-
- optional_policy(`
-- tunable_policy(`allow_kerberos',`
-+ tunable_policy(`kerberos_enabled',`
- pcscd_stream_connect($1)
- ')
- ')
-@@ -218,6 +216,30 @@ interface(`kerberos_rw_keytab',`
-
- ########################################
- ##
-+## Create keytab file in /etc
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`kerberos_etc_filetrans_keytab',`
-+ gen_require(`
-+ type krb5_keytab_t;
-+ ')
-+
-+ allow $1 krb5_keytab_t:file manage_file_perms;
-+ files_etc_filetrans($1, krb5_keytab_t, file, $2)
-+')
-+
-+########################################
-+##
- ## Create a derived type for kerberos keytab
- ##
- ##
-@@ -235,8 +257,13 @@ template(`kerberos_keytab_template',`
- type $1_keytab_t;
- files_type($1_keytab_t)
-
-+ allow $2 self:process setfscreate;
- allow $2 $1_keytab_t:file read_file_perms;
-
-+ seutil_read_file_contexts($2)
-+ seutil_read_config($2)
-+ selinux_get_enforce_mode($2)
-+
- kerberos_read_keytab($2)
- kerberos_use($2)
- ')
-@@ -282,42 +309,21 @@ interface(`kerberos_manage_host_rcache',`
- # does not work in conditionals
- domain_obj_id_change_exemption($1)
-
-- tunable_policy(`allow_kerberos',`
-+ tunable_policy(`kerberos_enabled',`
- allow $1 self:process setfscreate;
-
- selinux_validate_context($1)
-
- seutil_read_file_contexts($1)
-
-- allow $1 krb5_host_rcache_t:file manage_file_perms;
-+ files_rw_generic_tmp_dir($1)
-+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
- files_search_tmp($1)
- ')
- ')
-
- ########################################
- ##
--## Connect to krb524 service
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`kerberos_connect_524',`
-- tunable_policy(`allow_kerberos',`
-- allow $1 self:udp_socket create_socket_perms;
--
-- corenet_all_recvfrom_unlabeled($1)
-- corenet_udp_sendrecv_generic_if($1)
-- corenet_udp_sendrecv_generic_node($1)
-- corenet_udp_sendrecv_kerberos_master_port($1)
-- corenet_sendrecv_kerberos_master_client_packets($1)
-- ')
--')
--
--########################################
--##
- ## All of the rules required to administrate
- ## an kerberos environment
- ##
-@@ -338,18 +344,22 @@ interface(`kerberos_admin',`
- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
-- type krb5kdc_principal_t, krb5kdc_tmp_t;
-+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
- type krb5kdc_var_run_t, krb5_host_rcache_t;
-- type kpropd_t;
- ')
-
-- allow $1 kadmind_t:process { ptrace signal_perms };
-+ allow $1 kadmind_t:process signal_perms;
- ps_process_pattern($1, kadmind_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 kadmind_t:process ptrace;
-+ allow $1 krb5kdc_t:process ptrace;
-+ allow $1 kpropd_t:process ptrace;
-+ ')
-
-- allow $1 krb5kdc_t:process { ptrace signal_perms };
-+ allow $1 krb5kdc_t:process signal_perms;
- ps_process_pattern($1, krb5kdc_t)
-
-- allow $1 kpropd_t:process { ptrace signal_perms };
-+ allow $1 kpropd_t:process signal_perms;
- ps_process_pattern($1, kpropd_t)
-
- init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
-@@ -378,3 +388,121 @@ interface(`kerberos_admin',`
-
- admin_pattern($1, krb5kdc_var_run_t)
- ')
-+
-+########################################
-+##
-+## Type transition files created in /tmp
-+## to the krb5_host_rcache type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`kerberos_tmp_filetrans_host_rcache',`
-+ gen_require(`
-+ type krb5_host_rcache_t;
-+ ')
-+
-+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
-+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
-+')
-+
-+########################################
-+##
-+## read kerberos homedir content (.k5login)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kerberos_read_home_content',`
-+ gen_require(`
-+ type krb5_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ read_files_pattern($1, krb5_home_t, krb5_home_t)
-+')
-+
-+########################################
-+##
-+## create kerberos content in the in the /root directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kerberos_filetrans_admin_home_content',`
-+ gen_require(`
-+ type krb5_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
-+')
-+
-+########################################
-+##
-+## Transition to kerberos named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kerberos_filetrans_home_content',`
-+ gen_require(`
-+ type krb5_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
-+')
-+
-+########################################
-+##
-+## Transition to kerberos named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kerberos_filetrans_named_content',`
-+ gen_require(`
-+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
-+ type krb5kdc_principal_t;
-+ ')
-+
-+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
-+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
-+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
-+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
-+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
-+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
-+
-+ kerberos_etc_filetrans_keytab($1, "krb5.keytab")
-+ kerberos_filetrans_admin_home_content($1)
-+
-+ kerberos_tmp_filetrans_host_rcache($1, "DNS_25")
-+ kerberos_tmp_filetrans_host_rcache($1, "host_0")
-+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
-+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
-+ kerberos_tmp_filetrans_host_rcache($1, "imap_0")
-+ kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
-+ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
-+ kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
-+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
-+')
-diff --git a/kerberos.te b/kerberos.te
-index 6a95faf..6127834 100644
---- a/kerberos.te
-+++ b/kerberos.te
-@@ -10,7 +10,7 @@ policy_module(kerberos, 1.11.0)
- ## Allow confined applications to run with kerberos.
- ##
- ##
--gen_tunable(allow_kerberos, false)
-+gen_tunable(kerberos_enabled, false)
-
- type kadmind_t;
- type kadmind_exec_t;
-@@ -35,12 +35,12 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
- domain_obj_id_change_exemption(kpropd_t)
-
- type krb5_conf_t;
--files_type(krb5_conf_t)
-+files_config_file(krb5_conf_t)
-
- type krb5_home_t;
- userdom_user_home_content(krb5_home_t)
-
--type krb5_host_rcache_t;
-+type krb5_host_rcache_t alias saslauthd_tmp_t;
- files_tmp_file(krb5_host_rcache_t)
-
- # types for general configuration files in /etc
-@@ -49,10 +49,11 @@ files_security_file(krb5_keytab_t)
-
- # types for KDC configs and principal file(s)
- type krb5kdc_conf_t;
--files_type(krb5kdc_conf_t)
-+files_config_file(krb5kdc_conf_t)
-
- type krb5kdc_lock_t;
--files_type(krb5kdc_lock_t)
-+files_lock_file(krb5kdc_lock_t)
-+
-
- # types for KDC principal file(s)
- type krb5kdc_principal_t;
-@@ -79,8 +80,9 @@ files_pid_file(krb5kdc_var_run_t)
-
- # Use capabilities. Surplus capabilities may be allowed.
- allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
-+allow kadmind_t self:capability2 block_suspend;
- dontaudit kadmind_t self:capability sys_tty_config;
--allow kadmind_t self:process { setfscreate signal_perms };
-+allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
- allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
- allow kadmind_t self:unix_dgram_socket { connect create write };
- allow kadmind_t self:tcp_socket connected_stream_socket_perms;
-@@ -92,10 +94,9 @@ logging_log_filetrans(kadmind_t, kadmind_log_t, file)
- allow kadmind_t krb5_conf_t:file read_file_perms;
- dontaudit kadmind_t krb5_conf_t:file write;
-
--read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
--dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
-+manage_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
-
--allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
-+allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
-
- allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
- filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
-@@ -115,7 +116,9 @@ kernel_read_network_state(kadmind_t)
- kernel_read_proc_symlinks(kadmind_t)
- kernel_read_system_state(kadmind_t)
-
--corenet_all_recvfrom_unlabeled(kadmind_t)
-+corecmd_exec_bin(kadmind_t)
-+corecmd_exec_shell(kadmind_t)
-+
- corenet_all_recvfrom_netlabel(kadmind_t)
- corenet_tcp_sendrecv_generic_if(kadmind_t)
- corenet_udp_sendrecv_generic_if(kadmind_t)
-@@ -126,10 +129,14 @@ corenet_udp_sendrecv_all_ports(kadmind_t)
- corenet_tcp_bind_generic_node(kadmind_t)
- corenet_udp_bind_generic_node(kadmind_t)
- corenet_tcp_bind_kerberos_admin_port(kadmind_t)
-+corenet_tcp_bind_kerberos_password_port(kadmind_t)
- corenet_udp_bind_kerberos_admin_port(kadmind_t)
-+corenet_udp_bind_kerberos_password_port(kadmind_t)
- corenet_tcp_bind_reserved_port(kadmind_t)
- corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
- corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
-+corenet_sendrecv_kerberos_password_server_packets(kadmind_t)
-+corenet_tcp_connect_kprop_port(kadmind_t)
-
- dev_read_sysfs(kadmind_t)
- dev_read_rand(kadmind_t)
-@@ -137,6 +144,7 @@ dev_read_urand(kadmind_t)
-
- fs_getattr_all_fs(kadmind_t)
- fs_search_auto_mountpoints(kadmind_t)
-+fs_rw_anon_inodefs_files(kadmind_t)
-
- domain_use_interactive_fds(kadmind_t)
-
-@@ -149,8 +157,9 @@ selinux_validate_context(kadmind_t)
-
- logging_send_syslog_msg(kadmind_t)
-
--miscfiles_read_localization(kadmind_t)
-+miscfiles_read_generic_certs(kadmind_t)
-
-+seutil_read_config(kadmind_t)
- seutil_read_file_contexts(kadmind_t)
-
- sysnet_read_config(kadmind_t)
-@@ -164,10 +173,18 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dirsrv_stream_connect(kadmind_t)
-+')
-+
-+optional_policy(`
- nis_use_ypbind(kadmind_t)
- ')
-
- optional_policy(`
-+ sssd_read_public_files(kadmind_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(kadmind_t)
- ')
-
-@@ -182,6 +199,7 @@ optional_policy(`
-
- # Use capabilities. Surplus capabilities may be allowed.
- allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
-+allow krb5kdc_t self:capability2 block_suspend;
- dontaudit krb5kdc_t self:capability sys_tty_config;
- allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
- allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -197,13 +215,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
- read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
- dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-
--allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
-+allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
-
- allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
- logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
-
--allow krb5kdc_t krb5kdc_principal_t:file read_file_perms;
--dontaudit krb5kdc_t krb5kdc_principal_t:file write;
-+allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-
- manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
- manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
-@@ -221,7 +238,6 @@ kernel_search_network_sysctl(krb5kdc_t)
-
- corecmd_exec_bin(krb5kdc_t)
-
--corenet_all_recvfrom_unlabeled(krb5kdc_t)
- corenet_all_recvfrom_netlabel(krb5kdc_t)
- corenet_tcp_sendrecv_generic_if(krb5kdc_t)
- corenet_udp_sendrecv_generic_if(krb5kdc_t)
-@@ -242,6 +258,7 @@ dev_read_urand(krb5kdc_t)
-
- fs_getattr_all_fs(krb5kdc_t)
- fs_search_auto_mountpoints(krb5kdc_t)
-+fs_rw_anon_inodefs_files(krb5kdc_t)
-
- domain_use_interactive_fds(krb5kdc_t)
-
-@@ -253,7 +270,7 @@ selinux_validate_context(krb5kdc_t)
-
- logging_send_syslog_msg(krb5kdc_t)
-
--miscfiles_read_localization(krb5kdc_t)
-+miscfiles_read_generic_certs(krb5kdc_t)
-
- seutil_read_file_contexts(krb5kdc_t)
-
-@@ -268,6 +285,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dirsrv_stream_connect(krb5kdc_t)
-+')
-+
-+optional_policy(`
- nis_use_ypbind(krb5kdc_t)
- ')
-
-@@ -276,6 +297,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ sssd_read_public_files(krb5kdc_t)
-+')
-+
-+optional_policy(`
- udev_read_db(krb5kdc_t)
- ')
-
-@@ -308,7 +333,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
-
- corecmd_exec_bin(kpropd_t)
-
--corenet_all_recvfrom_unlabeled(kpropd_t)
- corenet_tcp_sendrecv_generic_if(kpropd_t)
- corenet_tcp_sendrecv_generic_node(kpropd_t)
- corenet_tcp_sendrecv_all_ports(kpropd_t)
-@@ -324,8 +348,6 @@ selinux_validate_context(kpropd_t)
-
- logging_send_syslog_msg(kpropd_t)
-
--miscfiles_read_localization(kpropd_t)
--
- seutil_read_file_contexts(kpropd_t)
-
- sysnet_dns_name_resolve(kpropd_t)
-diff --git a/kerneloops.if b/kerneloops.if
-index 835b16b..5992eb1 100644
---- a/kerneloops.if
-+++ b/kerneloops.if
-@@ -99,17 +99,21 @@ interface(`kerneloops_manage_tmp_files',`
- #
- interface(`kerneloops_admin',`
- gen_require(`
-- type kerneloops_t, kerneloops_initrc_exec_t;
-- type kerneloops_tmp_t;
-+ type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
-+ type kerneloops_initrc_exec_t;
- ')
-
-- allow $1 kerneloops_t:process { ptrace signal_perms };
-+ allow $1 kerneloops_t:process signal_perms;
- ps_process_pattern($1, kerneloops_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 kerneloops_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kerneloops_initrc_exec_t system_r;
- allow $2 system_r;
-
-+ files_list_tmp($1)
- admin_pattern($1, kerneloops_tmp_t)
- ')
-diff --git a/kerneloops.te b/kerneloops.te
-index 6b35547..5c641b9 100644
---- a/kerneloops.te
-+++ b/kerneloops.te
-@@ -32,7 +32,6 @@ kernel_read_ring_buffer(kerneloops_t)
- # Init script handling
- domain_use_interactive_fds(kerneloops_t)
-
--corenet_all_recvfrom_unlabeled(kerneloops_t)
- corenet_all_recvfrom_netlabel(kerneloops_t)
- corenet_tcp_sendrecv_generic_if(kerneloops_t)
- corenet_tcp_sendrecv_generic_node(kerneloops_t)
-@@ -40,15 +39,12 @@ corenet_tcp_sendrecv_all_ports(kerneloops_t)
- corenet_tcp_bind_http_port(kerneloops_t)
- corenet_tcp_connect_http_port(kerneloops_t)
-
--files_read_etc_files(kerneloops_t)
-
- auth_use_nsswitch(kerneloops_t)
-
- logging_send_syslog_msg(kerneloops_t)
- logging_read_generic_logs(kerneloops_t)
-
--miscfiles_read_localization(kerneloops_t)
--
- optional_policy(`
- dbus_system_domain(kerneloops_t, kerneloops_exec_t)
- ')
-diff --git a/keyboardd.fc b/keyboardd.fc
-new file mode 100644
-index 0000000..485aacc
---- /dev/null
-+++ b/keyboardd.fc
-@@ -0,0 +1,2 @@
-+
-+/usr/bin/system-setup-keyboard -- gen_context(system_u:object_r:keyboardd_exec_t,s0)
-diff --git a/keyboardd.if b/keyboardd.if
-new file mode 100644
-index 0000000..6134ef2
---- /dev/null
-+++ b/keyboardd.if
-@@ -0,0 +1,39 @@
-+
-+## policy for system-setup-keyboard daemon
-+
-+########################################
-+##
-+## Execute a domain transition to run keyboard setup daemon.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`keyboardd_domtrans',`
-+ gen_require(`
-+ type keyboardd_t, keyboardd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, keyboardd_exec_t, keyboardd_t)
-+')
-+
-+######################################
-+##
-+## Allow attempts to read to
-+## keyboardd unnamed pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`keyboardd_read_pipes',`
-+ gen_require(`
-+ type keyboardd_t;
-+ ')
-+
-+ allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
-+')
-diff --git a/keyboardd.te b/keyboardd.te
-new file mode 100644
-index 0000000..081ae84
---- /dev/null
-+++ b/keyboardd.te
-@@ -0,0 +1,25 @@
-+
-+policy_module(keyboardd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type keyboardd_t;
-+type keyboardd_exec_t;
-+init_daemon_domain(keyboardd_t, keyboardd_exec_t)
-+
-+########################################
-+#
-+# keyboardd local policy
-+#
-+
-+allow keyboardd_t self:fifo_file rw_fifo_file_perms;
-+allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+files_manage_etc_runtime_files(keyboardd_t)
-+files_etc_filetrans_etc_runtime(keyboardd_t, file)
-+
-+files_read_etc_files(keyboardd_t)
-+
-diff --git a/keystone.fc b/keystone.fc
-new file mode 100644
-index 0000000..408d6c0
---- /dev/null
-+++ b/keystone.fc
-@@ -0,0 +1,7 @@
-+/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
-+
-+/usr/lib/systemd/system/openstack-keystone.* -- gen_context(system_u:object_r:keystone_unit_file_t,s0)
-+
-+/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
-+
-+/var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0)
-diff --git a/keystone.if b/keystone.if
-new file mode 100644
-index 0000000..f20248c
---- /dev/null
-+++ b/keystone.if
-@@ -0,0 +1,218 @@
-+
-+## policy for keystone
-+
-+########################################
-+##
-+## Transition to keystone.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`keystone_domtrans',`
-+ gen_require(`
-+ type keystone_t, keystone_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, keystone_exec_t, keystone_t)
-+')
-+########################################
-+##
-+## Read keystone's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`keystone_read_log',`
-+ gen_require(`
-+ type keystone_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, keystone_log_t, keystone_log_t)
-+')
-+
-+########################################
-+##
-+## Append to keystone log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`keystone_append_log',`
-+ gen_require(`
-+ type keystone_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, keystone_log_t, keystone_log_t)
-+')
-+
-+########################################
-+##
-+## Manage keystone log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`keystone_manage_log',`
-+ gen_require(`
-+ type keystone_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, keystone_log_t, keystone_log_t)
-+ manage_files_pattern($1, keystone_log_t, keystone_log_t)
-+ manage_lnk_files_pattern($1, keystone_log_t, keystone_log_t)
-+')
-+
-+########################################
-+##
-+## Search keystone lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`keystone_search_lib',`
-+ gen_require(`
-+ type keystone_var_lib_t;
-+ ')
-+
-+ allow $1 keystone_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read keystone lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`keystone_read_lib_files',`
-+ gen_require(`
-+ type keystone_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage keystone lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`keystone_manage_lib_files',`
-+ gen_require(`
-+ type keystone_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage keystone lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`keystone_manage_lib_dirs',`
-+ gen_require(`
-+ type keystone_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Execute keystone server in the keystone domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`keystone_systemctl',`
-+ gen_require(`
-+ type keystone_t;
-+ type keystone_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 keystone_unit_file_t:file read_file_perms;
-+ allow $1 keystone_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, keystone_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an keystone environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`keystone_admin',`
-+ gen_require(`
-+ type keystone_t;
-+ type keystone_log_t;
-+ type keystone_var_lib_t;
-+ type keystone_unit_file_t;
-+ ')
-+
-+ allow $1 keystone_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, keystone_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, keystone_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, keystone_var_lib_t)
-+
-+ keystone_systemctl($1)
-+ admin_pattern($1, keystone_unit_file_t)
-+ allow $1 keystone_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/keystone.te b/keystone.te
-new file mode 100644
-index 0000000..a6606f3
---- /dev/null
-+++ b/keystone.te
-@@ -0,0 +1,68 @@
-+policy_module(keystone, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type keystone_t;
-+type keystone_exec_t;
-+init_daemon_domain(keystone_t, keystone_exec_t)
-+
-+type keystone_log_t;
-+logging_log_file(keystone_log_t)
-+
-+type keystone_var_lib_t;
-+files_type(keystone_var_lib_t)
-+
-+type keystone_tmp_t;
-+files_tmp_file(keystone_tmp_t)
-+
-+type keystone_unit_file_t;
-+systemd_unit_file(keystone_unit_file_t)
-+
-+########################################
-+#
-+# keystone local policy
-+#
-+allow keystone_t self:fifo_file rw_fifo_file_perms;
-+allow keystone_t self:unix_stream_socket create_stream_socket_perms;
-+allow keystone_t self:tcp_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(keystone_t, keystone_log_t, keystone_log_t)
-+manage_files_pattern(keystone_t, keystone_log_t, keystone_log_t)
-+logging_log_filetrans(keystone_t, keystone_log_t, { dir file })
-+
-+manage_dirs_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
-+manage_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
-+manage_lnk_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
-+files_tmp_filetrans(keystone_t, keystone_tmp_t, { file dir lnk_file })
-+can_exec(keystone_t, keystone_tmp_t)
-+
-+manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
-+manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
-+files_var_lib_filetrans(keystone_t, keystone_var_lib_t, { dir file })
-+
-+kernel_read_system_state(keystone_t)
-+
-+corecmd_exec_bin(keystone_t)
-+corecmd_exec_shell(keystone_t)
-+
-+corenet_tcp_bind_keystone_port(keystone_t)
-+corenet_tcp_bind_generic_node(keystone_t)
-+
-+dev_read_urand(keystone_t)
-+
-+domain_use_interactive_fds(keystone_t)
-+
-+files_read_etc_files(keystone_t)
-+files_read_usr_files(keystone_t)
-+
-+auth_use_pam(keystone_t)
-+
-+libs_exec_ldconfig(keystone_t)
-+
-+
-+optional_policy(`
-+ mysql_stream_connect(keystone_t)
-+')
-diff --git a/kismet.if b/kismet.if
-index c18c920..582f7f3 100644
---- a/kismet.if
-+++ b/kismet.if
-@@ -239,7 +239,10 @@ interface(`kismet_admin',`
- ')
-
- ps_process_pattern($1, kismet_t)
-- allow $1 kismet_t:process { ptrace signal_perms };
-+ allow $1 kismet_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 kismet_t:process ptrace;
-+ ')
-
- kismet_manage_pid_files($1)
- kismet_manage_lib($1)
-diff --git a/kismet.te b/kismet.te
-index 9dd6880..77c768b 100644
---- a/kismet.te
-+++ b/kismet.te
-@@ -74,24 +74,21 @@ kernel_read_network_state(kismet_t)
-
- corecmd_exec_bin(kismet_t)
-
--corenet_all_recvfrom_unlabeled(kismet_t)
- corenet_all_recvfrom_netlabel(kismet_t)
- corenet_tcp_sendrecv_generic_if(kismet_t)
- corenet_tcp_sendrecv_generic_node(kismet_t)
- corenet_tcp_sendrecv_all_ports(kismet_t)
- corenet_tcp_bind_generic_node(kismet_t)
--corenet_tcp_bind_kismet_port(kismet_t)
--corenet_tcp_connect_kismet_port(kismet_t)
-+corenet_tcp_bind_rtsclient_port(kismet_t)
-+corenet_tcp_connect_rtsclient_port(kismet_t)
- corenet_tcp_connect_pulseaudio_port(kismet_t)
-
- auth_use_nsswitch(kismet_t)
-
--files_read_etc_files(kismet_t)
- files_read_usr_files(kismet_t)
-
--miscfiles_read_localization(kismet_t)
-
--userdom_use_user_terminals(kismet_t)
-+userdom_use_inherited_user_terminals(kismet_t)
- userdom_read_user_tmpfs_files(kismet_t)
-
- optional_policy(`
-diff --git a/ksmtuned.fc b/ksmtuned.fc
-index 9c0c835..8360166 100644
---- a/ksmtuned.fc
-+++ b/ksmtuned.fc
-@@ -3,3 +3,5 @@
- /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
-
- /var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
-+
-+/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
-diff --git a/ksmtuned.if b/ksmtuned.if
-index 6fd0b4c..568f842 100644
---- a/ksmtuned.if
-+++ b/ksmtuned.if
-@@ -55,12 +55,14 @@ interface(`ksmtuned_initrc_domtrans',`
- #
- interface(`ksmtuned_admin',`
- gen_require(`
-- type ksmtuned_t, ksmtuned_var_run_t;
-- type ksmtuned_initrc_exec_t;
-+ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
- ')
-
-- allow $1 ksmtuned_t:process { ptrace signal_perms };
-- ps_process_pattern(ksmtumed_t)
-+ allow $1 ksmtuned_t:process signal_perms;
-+ ps_process_pattern($1, ksmtuned_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ksmtuned_t:process ptrace;
-+ ')
-
- files_list_pids($1)
- admin_pattern($1, ksmtuned_var_run_t)
-diff --git a/ksmtuned.te b/ksmtuned.te
-index a73b7a1..d143b12 100644
---- a/ksmtuned.te
-+++ b/ksmtuned.te
-@@ -9,6 +9,9 @@ type ksmtuned_t;
- type ksmtuned_exec_t;
- init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
-
-+type ksmtuned_log_t;
-+logging_log_file(ksmtuned_log_t)
-+
- type ksmtuned_initrc_exec_t;
- init_script_file(ksmtuned_initrc_exec_t)
-
-@@ -20,9 +23,13 @@ files_pid_file(ksmtuned_var_run_t)
- # ksmtuned local policy
- #
-
--allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
-+allow ksmtuned_t self:capability sys_tty_config;
- allow ksmtuned_t self:fifo_file rw_file_perms;
-
-+manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
-+manage_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
-+logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir })
-+
- manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
- files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
-
-@@ -31,9 +38,16 @@ kernel_read_system_state(ksmtuned_t)
- dev_rw_sysfs(ksmtuned_t)
-
- domain_read_all_domains_state(ksmtuned_t)
-+domain_dontaudit_read_all_domains_state(ksmtuned_t)
-
- corecmd_exec_bin(ksmtuned_t)
-+corecmd_exec_shell(ksmtuned_t)
-+
-+
-+mls_file_read_to_clearance(ksmtuned_t)
-+
-+term_use_all_inherited_terms(ksmtuned_t)
-
--files_read_etc_files(ksmtuned_t)
-+auth_use_nsswitch(ksmtuned_t)
-
--miscfiles_read_localization(ksmtuned_t)
-+logging_send_syslog_msg(ksmtuned_t)
-diff --git a/ktalk.te b/ktalk.te
-index ca5cfdf..a4457d0 100644
---- a/ktalk.te
-+++ b/ktalk.te
-@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ktalkd_t)
- kernel_read_system_state(ktalkd_t)
- kernel_read_network_state(ktalkd_t)
-
--corenet_all_recvfrom_unlabeled(ktalkd_t)
- corenet_all_recvfrom_netlabel(ktalkd_t)
- corenet_tcp_sendrecv_generic_if(ktalkd_t)
- corenet_udp_sendrecv_generic_if(ktalkd_t)
-@@ -65,15 +64,12 @@ dev_read_urand(ktalkd_t)
-
- fs_getattr_xattr_fs(ktalkd_t)
-
--files_read_etc_files(ktalkd_t)
-
- term_search_ptys(ktalkd_t)
--term_use_all_terms(ktalkd_t)
-+term_use_all_inherited_terms(ktalkd_t)
-
- auth_use_nsswitch(ktalkd_t)
-
- init_read_utmp(ktalkd_t)
-
- logging_send_syslog_msg(ktalkd_t)
--
--miscfiles_read_localization(ktalkd_t)
-diff --git a/kudzu.fc b/kudzu.fc
-index dd88f74..3317a0c 100644
---- a/kudzu.fc
-+++ b/kudzu.fc
-@@ -2,4 +2,5 @@
- /sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
- /sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
-
-+/usr/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
- /usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
-diff --git a/kudzu.te b/kudzu.te
-index 4f7bd3c..74cc11d 100644
---- a/kudzu.te
-+++ b/kudzu.te
-@@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t)
- # Local policy
- #
-
--allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
-+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
- dontaudit kudzu_t self:capability sys_tty_config;
- allow kudzu_t self:process { signal_perms execmem };
- allow kudzu_t self:fifo_file rw_fifo_file_perms;
-@@ -109,17 +109,10 @@ libs_read_lib_files(kudzu_t)
- logging_send_syslog_msg(kudzu_t)
-
- miscfiles_read_hwdata(kudzu_t)
--miscfiles_read_localization(kudzu_t)
--
--modutils_read_module_config(kudzu_t)
--modutils_read_module_deps(kudzu_t)
--modutils_rename_module_config(kudzu_t)
--modutils_delete_module_config(kudzu_t)
--modutils_domtrans_insmod(kudzu_t)
-
- sysnet_read_config(kudzu_t)
-
--userdom_use_user_terminals(kudzu_t)
-+userdom_use_inherited_user_terminals(kudzu_t)
- userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
- userdom_search_user_home_dirs(kudzu_t)
-
-@@ -128,6 +121,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ modutils_read_module_config(kudzu_t)
-+ modutils_read_module_deps(kudzu_t)
-+ modutils_rename_module_config(kudzu_t)
-+ modutils_delete_module_config(kudzu_t)
-+ modutils_domtrans_insmod(kudzu_t)
-+')
-+
-+optional_policy(`
- nscd_socket_use(kudzu_t)
- ')
-
-diff --git a/l2tpd.fc b/l2tpd.fc
-new file mode 100644
-index 0000000..6b27066
---- /dev/null
-+++ b/l2tpd.fc
-@@ -0,0 +1,18 @@
-+/etc/prol2tp(/.*)? gen_context(system_u:object_r:l2tp_etc_t,s0)
-+
-+/etc/rc\.d/init\.d/openl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/prol2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/xl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
-+
-+/etc/sysconfig/prol2tpd -- gen_context(system_u:object_r:l2tp_etc_t,s0)
-+
-+/usr/sbin/openl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
-+/usr/sbin/prol2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
-+/usr/sbin/xl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
-+
-+/var/run/openl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-+/var/run/prol2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-+/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-+/var/run/prol2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-+/var/run/xl2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-+/var/run/xl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-diff --git a/l2tpd.if b/l2tpd.if
-new file mode 100644
-index 0000000..562d25b
---- /dev/null
-+++ b/l2tpd.if
-@@ -0,0 +1,178 @@
-+## Layer 2 Tunneling Protocol daemons.
-+
-+########################################
-+##
-+## Transition to l2tpd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`l2tpd_domtrans',`
-+ gen_require(`
-+ type l2tpd_t, l2tpd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
-+')
-+
-+########################################
-+##
-+## Execute l2tpd server in the l2tpd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`l2tpd_initrc_domtrans',`
-+ gen_require(`
-+ type l2tpd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Send to l2tpd via a unix dgram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`l2tpd_dgram_send',`
-+ gen_require(`
-+ type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
-+')
-+
-+########################################
-+##
-+## Read and write l2tpd sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`l2tpd_rw_socket',`
-+ gen_require(`
-+ type l2tpd_t;
-+ ')
-+
-+ allow $1 l2tpd_t:socket rw_socket_perms;
-+')
-+
-+########################################
-+##
-+## Read l2tpd PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`l2tpd_read_pid_files',`
-+ gen_require(`
-+ type l2tpd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 l2tpd_var_run_t:file read_file_perms;
-+')
-+
-+#####################################
-+##
-+## Connect to l2tpd over a unix domain
-+## stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`l2tpd_stream_connect',`
-+ gen_require(`
-+ type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)
-+ stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t)
-+')
-+
-+########################################
-+##
-+## Read and write l2tpd unnamed pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`l2tpd_rw_pipes',`
-+ gen_require(`
-+ type l2tpd_t;
-+ ')
-+
-+ allow $1 l2tpd_t:fifo_file rw_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an l2tpd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`l2tpd_admin',`
-+ gen_require(`
-+ type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
-+ type l2tp_etc_t, l2tpd_tmp_t;
-+ ')
-+
-+ allow $1 l2tpd_t:process signal_perms;
-+ ps_process_pattern($1, l2tpd_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 l2tpd_t:process ptrace;
-+ ')
-+
-+ l2tpd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 l2tpd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_etc($1)
-+ admin_pattern($1, l2tp_etc_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, l2tpd_var_run_t)
-+
-+ files_search_tmp($1)
-+ admin_pattern($1, l2tpd_tmp_t)
-+')
-diff --git a/l2tpd.te b/l2tpd.te
-new file mode 100644
-index 0000000..1e292d4
---- /dev/null
-+++ b/l2tpd.te
-@@ -0,0 +1,99 @@
-+policy_module(l2tpd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type l2tpd_t;
-+type l2tpd_exec_t;
-+init_daemon_domain(l2tpd_t, l2tpd_exec_t)
-+
-+type l2tpd_initrc_exec_t;
-+init_script_file(l2tpd_initrc_exec_t)
-+
-+type l2tp_etc_t;
-+files_config_file(l2tp_etc_t)
-+
-+type l2tpd_tmp_t;
-+files_tmp_file(l2tpd_tmp_t)
-+
-+type l2tpd_var_run_t;
-+files_pid_file(l2tpd_var_run_t)
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+allow l2tpd_t self:capability { net_admin net_bind_service };
-+allow l2tpd_t self:process signal;
-+allow l2tpd_t self:fifo_file rw_fifo_file_perms;
-+allow l2tpd_t self:netlink_socket create_socket_perms;
-+allow l2tpd_t self:rawip_socket create_socket_perms;
-+allow l2tpd_t self:socket create_socket_perms;
-+allow l2tpd_t self:tcp_socket create_stream_socket_perms;
-+allow l2tpd_t self:unix_dgram_socket sendto;
-+allow l2tpd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+read_files_pattern(l2tpd_t, l2tp_etc_t, l2tp_etc_t)
-+
-+manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-+manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-+manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-+manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-+files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
-+
-+manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
-+files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
-+
-+corenet_all_recvfrom_netlabel(l2tpd_t)
-+corenet_raw_sendrecv_generic_if(l2tpd_t)
-+corenet_tcp_sendrecv_generic_if(l2tpd_t)
-+corenet_udp_sendrecv_generic_if(l2tpd_t)
-+corenet_raw_bind_generic_node(l2tpd_t)
-+corenet_tcp_bind_generic_node(l2tpd_t)
-+corenet_udp_bind_generic_node(l2tpd_t)
-+corenet_raw_sendrecv_generic_node(l2tpd_t)
-+corenet_tcp_sendrecv_generic_node(l2tpd_t)
-+corenet_udp_sendrecv_generic_node(l2tpd_t)
-+
-+corenet_tcp_bind_all_rpc_ports(l2tpd_t)
-+corenet_udp_bind_all_rpc_ports(l2tpd_t)
-+corenet_udp_bind_generic_port(l2tpd_t)
-+
-+corenet_udp_bind_l2tp_port(l2tpd_t)
-+corenet_udp_sendrecv_l2tp_port(l2tpd_t)
-+corenet_sendrecv_l2tp_server_packets(l2tpd_t)
-+
-+kernel_read_system_state(l2tpd_t)
-+kernel_read_network_state(l2tpd_t)
-+# net-pf-24 (pppox)
-+kernel_request_load_module(l2tpd_t)
-+
-+term_use_ptmx(l2tpd_t)
-+term_use_generic_ptys(l2tpd_t)
-+term_setattr_generic_ptys(l2tpd_t)
-+
-+# prol2tpc
-+corecmd_exec_bin(l2tpd_t)
-+
-+dev_read_urand(l2tpd_t)
-+
-+domain_use_interactive_fds(l2tpd_t)
-+
-+files_read_etc_files(l2tpd_t)
-+
-+term_use_ptmx(l2tpd_t)
-+
-+auth_read_passwd(l2tpd_t)
-+
-+logging_send_syslog_msg(l2tpd_t)
-+
-+sysnet_dns_name_resolve(l2tpd_t)
-+
-+optional_policy(`
-+ ppp_domtrans(l2tpd_t)
-+ ppp_signal(l2tpd_t)
-+ ppp_kill(l2tpd_t)
-+')
-diff --git a/ldap.fc b/ldap.fc
-index c62f23e..40c6b4d 100644
---- a/ldap.fc
-+++ b/ldap.fc
-@@ -1,6 +1,11 @@
-
- /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
--/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
-+/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
-+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
-+
-+/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-
- /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
-
-diff --git a/ldap.if b/ldap.if
-index d6b7b2d..bc0ccb3 100644
---- a/ldap.if
-+++ b/ldap.if
-@@ -1,5 +1,64 @@
- ## OpenLDAP directory server
-
-+#######################################
-+##
-+## Execute OpenLDAP in the ldap domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ldap_domtrans',`
-+ gen_require(`
-+ type slapd_t, slapd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, slapd_exec_t, slapd_t)
-+')
-+
-+#######################################
-+##
-+## Execute OpenLDAP server in the ldap domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ldap_initrc_domtrans',`
-+ gen_require(`
-+ type slapd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Execute slapd server in the slapd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ldap_systemctl',`
-+ gen_require(`
-+ type slapd_unit_file_t;
-+ type slapd_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 slapd_unit_file_t:file read_file_perms;
-+ allow $1 slapd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, slapd_t)
-+')
-+
- ########################################
- ##
- ## Read the contents of the OpenLDAP
-@@ -21,6 +80,25 @@ interface(`ldap_list_db',`
-
- ########################################
- ##
-+## Read the contents of the OpenLDAP
-+## database files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ldap_read_db_files',`
-+ gen_require(`
-+ type slapd_db_t;
-+ ')
-+
-+ read_files_pattern($1, slapd_db_t, slapd_db_t)
-+')
-+
-+########################################
-+##
- ## Read the OpenLDAP configuration files.
- ##
- ##
-@@ -94,10 +172,14 @@ interface(`ldap_admin',`
- type slapd_t, slapd_tmp_t, slapd_replog_t;
- type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
- type slapd_initrc_exec_t;
-+ type ldap_unit_file_t;
- ')
-
-- allow $1 slapd_t:process { ptrace signal_perms };
-+ allow $1 slapd_t:process signal_perms;
- ps_process_pattern($1, slapd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 slapd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, slapd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -109,6 +191,7 @@ interface(`ldap_admin',`
-
- admin_pattern($1, slapd_lock_t)
-
-+ files_list_var_lib($1)
- admin_pattern($1, slapd_replog_t)
-
- files_list_tmp($1)
-@@ -116,4 +199,8 @@ interface(`ldap_admin',`
-
- files_list_pids($1)
- admin_pattern($1, slapd_var_run_t)
-+
-+ ldap_systemctl($1)
-+ admin_pattern($1, ldap_unit_file_t)
-+ allow $1 ldap_unit_file_t:service all_service_perms;
- ')
-diff --git a/ldap.te b/ldap.te
-index 64fd1ff..3ee778a 100644
---- a/ldap.te
-+++ b/ldap.te
-@@ -10,7 +10,7 @@ type slapd_exec_t;
- init_daemon_domain(slapd_t, slapd_exec_t)
-
- type slapd_cert_t;
--files_type(slapd_cert_t)
-+miscfiles_cert_type(slapd_cert_t)
-
- type slapd_db_t;
- files_type(slapd_db_t)
-@@ -21,15 +21,24 @@ files_config_file(slapd_etc_t)
- type slapd_initrc_exec_t;
- init_script_file(slapd_initrc_exec_t)
-
-+type slapd_unit_file_t;
-+systemd_unit_file(slapd_unit_file_t)
-+
- type slapd_lock_t;
- files_lock_file(slapd_lock_t)
-
- type slapd_replog_t;
- files_type(slapd_replog_t)
-
-+type slapd_log_t;
-+logging_log_file(slapd_log_t)
-+
- type slapd_tmp_t;
- files_tmp_file(slapd_tmp_t)
-
-+type slapd_tmpfs_t;
-+files_tmpfs_file(slapd_tmpfs_t)
-+
- type slapd_var_run_t;
- files_pid_file(slapd_var_run_t)
-
-@@ -67,18 +76,25 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
- manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
- manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
-
-+manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
-+manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
-+logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
-+
- manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
- manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
- files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
-
-+manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
-+fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)
-+
-+manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
- manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
- manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
--files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
-+files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
-
- kernel_read_system_state(slapd_t)
- kernel_read_kernel_sysctls(slapd_t)
-
--corenet_all_recvfrom_unlabeled(slapd_t)
- corenet_all_recvfrom_netlabel(slapd_t)
- corenet_tcp_sendrecv_generic_if(slapd_t)
- corenet_udp_sendrecv_generic_if(slapd_t)
-@@ -100,23 +116,25 @@ fs_search_auto_mountpoints(slapd_t)
-
- domain_use_interactive_fds(slapd_t)
-
--files_read_etc_files(slapd_t)
- files_read_etc_runtime_files(slapd_t)
- files_read_usr_files(slapd_t)
- files_list_var_lib(slapd_t)
-
- auth_use_nsswitch(slapd_t)
-+auth_rw_cache(slapd_t)
-
- logging_send_syslog_msg(slapd_t)
-
- miscfiles_read_generic_certs(slapd_t)
--miscfiles_read_localization(slapd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(slapd_t)
- userdom_dontaudit_search_user_home_dirs(slapd_t)
-
- optional_policy(`
- kerberos_keytab_template(slapd, slapd_t)
-+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
-+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
-+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
- ')
-
- optional_policy(`
-diff --git a/likewise.fc b/likewise.fc
-index 057a4e4..57491fc 100644
---- a/likewise.fc
-+++ b/likewise.fc
-@@ -20,7 +20,8 @@
- /usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
- /usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
-
--/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
-+/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
-+/var/lib/likewise(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
- /var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
- /var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
- /var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
-diff --git a/likewise.if b/likewise.if
-index 771e04b..1072aea 100644
---- a/likewise.if
-+++ b/likewise.if
-@@ -63,7 +63,7 @@ template(`likewise_domain_template',`
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
-
-- allow $1_t likewise_var_lib_t:dir setattr;
-+ allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
-
- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- files_pid_filetrans($1_t, $1_var_run_t, file)
-@@ -82,7 +82,6 @@ template(`likewise_domain_template',`
-
- logging_send_syslog_msg($1_t)
-
-- miscfiles_read_localization($1_t)
- ')
-
- ########################################
-diff --git a/likewise.te b/likewise.te
-index 5ba6cc2..e3f65d6 100644
---- a/likewise.te
-+++ b/likewise.te
-@@ -17,7 +17,7 @@ type likewise_var_lib_t;
- files_type(likewise_var_lib_t)
-
- type likewise_pstore_lock_t;
--files_type(likewise_pstore_lock_t)
-+files_lock_file(likewise_pstore_lock_t)
-
- type likewise_krb5_ad_t;
- files_type(likewise_krb5_ad_t)
-@@ -49,7 +49,6 @@ likewise_domain_template(srvsvcd)
- stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
-
- corenet_all_recvfrom_netlabel(dcerpcd_t)
--corenet_all_recvfrom_unlabeled(dcerpcd_t)
- corenet_sendrecv_generic_client_packets(dcerpcd_t)
- corenet_sendrecv_generic_server_packets(dcerpcd_t)
- corenet_tcp_sendrecv_generic_if(dcerpcd_t)
-@@ -73,7 +72,6 @@ stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dc
- stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
-
- corenet_all_recvfrom_netlabel(eventlogd_t)
--corenet_all_recvfrom_unlabeled(eventlogd_t)
- corenet_sendrecv_generic_server_packets(eventlogd_t)
- corenet_tcp_sendrecv_generic_if(eventlogd_t)
- corenet_tcp_sendrecv_generic_node(eventlogd_t)
-@@ -116,7 +114,6 @@ corecmd_exec_bin(lsassd_t)
- corecmd_exec_shell(lsassd_t)
-
- corenet_all_recvfrom_netlabel(lsassd_t)
--corenet_all_recvfrom_unlabeled(lsassd_t)
- corenet_tcp_sendrecv_generic_if(lsassd_t)
- corenet_tcp_sendrecv_generic_node(lsassd_t)
- corenet_tcp_sendrecv_generic_port(lsassd_t)
-@@ -165,7 +162,6 @@ stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
- stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
-
- corenet_all_recvfrom_netlabel(lwiod_t)
--corenet_all_recvfrom_unlabeled(lwiod_t)
- corenet_sendrecv_smbd_server_packets(lwiod_t)
- corenet_sendrecv_smbd_client_packets(lwiod_t)
- corenet_tcp_sendrecv_generic_if(lwiod_t)
-@@ -205,7 +201,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
- # Likewise DC location service local policy
- #
-
--allow netlogond_t self:capability {dac_override};
-+allow netlogond_t self:capability dac_override;
-
- manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
-
-@@ -226,7 +222,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_
- stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
-
- corenet_all_recvfrom_netlabel(srvsvcd_t)
--corenet_all_recvfrom_unlabeled(srvsvcd_t)
- corenet_sendrecv_generic_server_packets(srvsvcd_t)
- corenet_tcp_sendrecv_generic_if(srvsvcd_t)
- corenet_tcp_sendrecv_generic_node(srvsvcd_t)
-diff --git a/lircd.fc b/lircd.fc
-index 49e04e5..69db026 100644
---- a/lircd.fc
-+++ b/lircd.fc
-@@ -2,6 +2,7 @@
-
- /etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
- /etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0)
-+/etc/lirc(/.*)? gen_context(system_u:object_r:lircd_etc_t,s0)
-
- /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
-
-diff --git a/lircd.if b/lircd.if
-index 418cc81..cdb2561 100644
---- a/lircd.if
-+++ b/lircd.if
-@@ -80,8 +80,11 @@ interface(`lircd_admin',`
- type lircd_initrc_exec_t, lircd_etc_t;
- ')
-
-- allow $1 lircd_t:process { ptrace signal_perms };
-+ allow $1 lircd_t:process signal_perms;
- ps_process_pattern($1, lircd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 lircd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, lircd_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/lircd.te b/lircd.te
-index 6a78de1..57f0aa2 100644
---- a/lircd.te
-+++ b/lircd.te
-@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
- init_script_file(lircd_initrc_exec_t)
-
- type lircd_etc_t;
--files_type(lircd_etc_t)
-+files_config_file(lircd_etc_t)
-
- type lircd_var_run_t alias lircd_sock_t;
- files_pid_file(lircd_var_run_t)
-@@ -24,6 +24,7 @@ files_pid_file(lircd_var_run_t)
- #
-
- allow lircd_t self:capability { chown kill sys_admin };
-+allow lircd_t self:process signal;
- allow lircd_t self:fifo_file rw_fifo_file_perms;
- allow lircd_t self:unix_dgram_socket create_socket_perms;
- allow lircd_t self:tcp_socket create_stream_socket_perms;
-@@ -38,27 +39,29 @@ files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
- # /dev/lircd socket
- dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
-
-+kernel_request_load_module(lircd_t)
-+
- corenet_tcp_sendrecv_generic_if(lircd_t)
- corenet_tcp_bind_generic_node(lircd_t)
- corenet_tcp_bind_lirc_port(lircd_t)
- corenet_tcp_sendrecv_all_ports(lircd_t)
- corenet_tcp_connect_lirc_port(lircd_t)
-
--dev_read_generic_usb_dev(lircd_t)
-+dev_rw_generic_usb_dev(lircd_t) # this needs to be reproduced. might not be right
- dev_read_mouse(lircd_t)
- dev_filetrans_lirc(lircd_t)
- dev_rw_lirc(lircd_t)
- dev_rw_input_dev(lircd_t)
-+dev_read_sysfs(lircd_t)
-
--files_read_etc_files(lircd_t)
-+files_read_config_files(lircd_t)
- files_list_var(lircd_t)
- files_manage_generic_locks(lircd_t)
- files_read_all_locks(lircd_t)
-
- term_use_ptmx(lircd_t)
-+term_use_usb_ttys(lircd_t)
-
- logging_send_syslog_msg(lircd_t)
-
--miscfiles_read_localization(lircd_t)
--
- sysnet_dns_name_resolve(lircd_t)
-diff --git a/livecd.if b/livecd.if
-index ae29d9f..fb7869e 100644
---- a/livecd.if
-+++ b/livecd.if
-@@ -36,11 +36,39 @@ interface(`livecd_domtrans',`
- #
- interface(`livecd_run',`
- gen_require(`
-- attribute_role livecd_roles;
-+ type livecd_t;
-+ type livecd_exec_t;
-+ #attribute_role livecd_roles;
- ')
-
- livecd_domtrans($1)
-- roleattribute $2 livecd_roles;
-+ #roleattribute $2 livecd_roles;
-+ role $2 types livecd_t;
-+ role_transition $2 livecd_exec_t system_r;
-+
-+ seutil_run_setfiles_mac(livecd_t, system_r)
-+
-+ optional_policy(`
-+ mount_run(livecd_t, $2)
-+ ')
-+')
-+
-+########################################
-+##
-+## Dontaudit read/write to a livecd leaks
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`livecd_dontaudit_leaks',`
-+ gen_require(`
-+ type livecd_t;
-+ ')
-+
-+ dontaudit $1 livecd_t:unix_dgram_socket { read write };
- ')
-
- ########################################
-diff --git a/livecd.te b/livecd.te
-index 008f718..2a9d6c0 100644
---- a/livecd.te
-+++ b/livecd.te
-@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0)
- # Declarations
- #
-
--attribute_role livecd_roles;
--roleattribute system_r livecd_roles;
-+#attribute_role livecd_roles;
-+#roleattribute system_r livecd_roles;
-
- type livecd_t;
- type livecd_exec_t;
- application_domain(livecd_t, livecd_exec_t)
--role livecd_roles types livecd_t;
-+role system_r types livecd_t;
-+#role livecd_roles types livecd_t;
-
- type livecd_tmp_t;
- files_tmp_file(livecd_tmp_t)
-@@ -21,7 +22,7 @@ files_tmp_file(livecd_tmp_t)
- # livecd local policy
- #
-
--dontaudit livecd_t self:capability2 mac_admin;
-+allow livecd_t self:capability2 mac_admin;
-
- domain_ptrace_all_domains(livecd_t)
-
-@@ -30,14 +31,5 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
- files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
-
- optional_policy(`
-- mount_run(livecd_t, livecd_roles)
-+ unconfined_domain_noaudit(livecd_t)
- ')
--
--optional_policy(`
-- hal_dbus_chat(livecd_t)
--')
--
--optional_policy(`
-- unconfined_domain(livecd_t)
--')
--
-diff --git a/lldpad.fc b/lldpad.fc
-new file mode 100644
-index 0000000..83a4348
---- /dev/null
-+++ b/lldpad.fc
-@@ -0,0 +1,8 @@
-+
-+/etc/rc\.d/init\.d/lldpad -- gen_context(system_u:object_r:lldpad_initrc_exec_t,s0)
-+
-+/usr/sbin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0)
-+
-+/var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0)
-+
-+/var/run/lldpad\.pid -- gen_context(system_u:object_r:lldpad_var_run_t,s0)
-diff --git a/lldpad.if b/lldpad.if
-new file mode 100644
-index 0000000..6550968
---- /dev/null
-+++ b/lldpad.if
-@@ -0,0 +1,201 @@
-+
-+## policy for lldpad
-+
-+########################################
-+##
-+## Transition to lldpad.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`lldpad_domtrans',`
-+ gen_require(`
-+ type lldpad_t, lldpad_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, lldpad_exec_t, lldpad_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute lldpad server in the lldpad domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lldpad_initrc_domtrans',`
-+ gen_require(`
-+ type lldpad_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
-+')
-+
-+
-+########################################
-+##
-+## Search lldpad lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lldpad_search_lib',`
-+ gen_require(`
-+ type lldpad_var_lib_t;
-+ ')
-+
-+ allow $1 lldpad_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read lldpad lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lldpad_read_lib_files',`
-+ gen_require(`
-+ type lldpad_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage lldpad lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lldpad_manage_lib_files',`
-+ gen_require(`
-+ type lldpad_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage lldpad lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lldpad_manage_lib_dirs',`
-+ gen_require(`
-+ type lldpad_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t)
-+')
-+
-+
-+########################################
-+##
-+## Read lldpad PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lldpad_read_pid_files',`
-+ gen_require(`
-+ type lldpad_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 lldpad_var_run_t:file read_file_perms;
-+')
-+
-+#####################################
-+##
-+## Send to a lldpad unix dgram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lldpad_dgram_send',`
-+ gen_require(`
-+ type lldpad_t;
-+ ')
-+
-+ allow $1 lldpad_t:unix_dgram_socket sendto;
-+ allow lldpad_t $1:unix_dgram_socket sendto;
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an lldpad environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`lldpad_admin',`
-+ gen_require(`
-+ type lldpad_t;
-+ type lldpad_initrc_exec_t;
-+ type lldpad_var_lib_t;
-+ type lldpad_var_run_t;
-+ ')
-+
-+ allow $1 lldpad_t:process signal_perms;
-+ ps_process_pattern($1, lldpad_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 lldpad_t:process ptrace;
-+ ')
-+
-+ lldpad_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 lldpad_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, lldpad_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, lldpad_var_run_t)
-+
-+')
-+
-diff --git a/lldpad.te b/lldpad.te
-new file mode 100644
-index 0000000..c38f564
---- /dev/null
-+++ b/lldpad.te
-@@ -0,0 +1,70 @@
-+policy_module(lldpad, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type lldpad_t;
-+type lldpad_exec_t;
-+init_daemon_domain(lldpad_t, lldpad_exec_t)
-+
-+type lldpad_initrc_exec_t;
-+init_script_file(lldpad_initrc_exec_t)
-+
-+type lldpad_tmpfs_t;
-+files_tmpfs_file(lldpad_tmpfs_t)
-+
-+type lldpad_var_lib_t;
-+files_type(lldpad_var_lib_t)
-+
-+type lldpad_var_run_t;
-+files_pid_file(lldpad_var_run_t)
-+
-+########################################
-+#
-+# lldpad local policy
-+#
-+
-+allow lldpad_t self:capability { net_admin net_raw };
-+ifdef(`hide_broken_symptoms',`
-+ # caused by some bogus kernel code
-+ dontaudit lldpad_t self:capability sys_module;
-+')
-+
-+allow lldpad_t self:shm create_shm_perms;
-+allow lldpad_t self:fifo_file rw_fifo_file_perms;
-+
-+allow lldpad_t self:unix_stream_socket create_stream_socket_perms;
-+allow lldpad_t self:netlink_route_socket create_netlink_socket_perms;
-+allow lldpad_t self:packet_socket create_socket_perms;
-+allow lldpad_t self:udp_socket create_socket_perms;
-+
-+manage_files_pattern(lldpad_t,lldpad_tmpfs_t,lldpad_tmpfs_t)
-+fs_tmpfs_filetrans(lldpad_t,lldpad_tmpfs_t,file)
-+
-+manage_dirs_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
-+manage_files_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
-+
-+manage_dirs_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
-+manage_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
-+manage_sock_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
-+# this needs to be fixed in lldpad package
-+# bug: #
-+files_pid_filetrans(lldpad_t, lldpad_var_run_t, { dir file sock_file })
-+
-+kernel_read_all_sysctls(lldpad_t)
-+kernel_read_network_state(lldpad_t)
-+kernel_request_load_module(lldpad_t)
-+
-+dev_read_sysfs(lldpad_t)
-+
-+files_read_etc_files(lldpad_t)
-+
-+logging_send_syslog_msg(lldpad_t)
-+
-+userdom_dgram_send(lldpad_t)
-+
-+optional_policy(`
-+ fcoemon_dgram_send(lldpad_t)
-+')
-diff --git a/loadkeys.fc b/loadkeys.fc
-index 8549f9f..68be454 100644
---- a/loadkeys.fc
-+++ b/loadkeys.fc
-@@ -1,3 +1,3 @@
-
--/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
--/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
-+/usr/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
-+/usr/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
-diff --git a/loadkeys.te b/loadkeys.te
-index 2523758..96308b5 100644
---- a/loadkeys.te
-+++ b/loadkeys.te
-@@ -31,14 +31,15 @@ files_read_etc_runtime_files(loadkeys_t)
- term_dontaudit_use_console(loadkeys_t)
- term_use_unallocated_ttys(loadkeys_t)
-
-+auth_read_passwd(loadkeys_t)
-+
- init_dontaudit_use_fds(loadkeys_t)
- init_dontaudit_use_script_ptys(loadkeys_t)
-
- locallogin_use_fds(loadkeys_t)
-
--miscfiles_read_localization(loadkeys_t)
-
--userdom_use_user_ttys(loadkeys_t)
-+userdom_use_inherited_user_ttys(loadkeys_t)
- userdom_list_user_home_content(loadkeys_t)
-
- ifdef(`hide_broken_symptoms',`
-@@ -46,5 +47,9 @@ ifdef(`hide_broken_symptoms',`
- ')
-
- optional_policy(`
-+ keyboardd_read_pipes(loadkeys_t)
-+')
-+
-+optional_policy(`
- nscd_dontaudit_search_pid(loadkeys_t)
- ')
-diff --git a/lockdev.te b/lockdev.te
-index 572b5db..1e55f43 100644
---- a/lockdev.te
-+++ b/lockdev.te
-@@ -34,4 +34,5 @@ fs_getattr_xattr_fs(lockdev_t)
-
- logging_send_syslog_msg(lockdev_t)
-
--userdom_use_user_terminals(lockdev_t)
-+userdom_use_inherited_user_terminals(lockdev_t)
-+
-diff --git a/logrotate.te b/logrotate.te
-index 7090dae..4aaa8fb 100644
---- a/logrotate.te
-+++ b/logrotate.te
-@@ -29,9 +29,8 @@ files_type(logrotate_var_lib_t)
- #
-
- # Change ownership on log files.
--allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
--# for mailx
--dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
-+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
-+dontaudit logrotate_t self:capability sys_resource;
-
- allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-
-@@ -39,6 +38,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
- allow logrotate_t self:process setfscreate;
-
- allow logrotate_t self:fd use;
-+allow logrotate_t self:key manage_key_perms;
- allow logrotate_t self:fifo_file rw_fifo_file_perms;
- allow logrotate_t self:unix_dgram_socket create_socket_perms;
- allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
-@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
- # for /var/lib/logrotate.status and /var/lib/logcheck
- create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
- manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
-+read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
- files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
-
- kernel_read_system_state(logrotate_t)
-@@ -75,6 +76,7 @@ fs_list_inotifyfs(logrotate_t)
- mls_file_read_all_levels(logrotate_t)
- mls_file_write_all_levels(logrotate_t)
- mls_file_upgrade(logrotate_t)
-+mls_process_write_to_clearance(logrotate_t)
-
- selinux_get_fs_mount(logrotate_t)
- selinux_get_enforce_mode(logrotate_t)
-@@ -85,6 +87,7 @@ auth_use_nsswitch(logrotate_t)
- # Run helper programs.
- corecmd_exec_bin(logrotate_t)
- corecmd_exec_shell(logrotate_t)
-+corecmd_getattr_all_executables(logrotate_t)
-
- domain_signal_all_domains(logrotate_t)
- domain_use_interactive_fds(logrotate_t)
-@@ -93,7 +96,6 @@ domain_getattr_all_entry_files(logrotate_t)
- domain_read_all_domains_state(logrotate_t)
-
- files_read_usr_files(logrotate_t)
--files_read_etc_files(logrotate_t)
- files_read_etc_runtime_files(logrotate_t)
- files_read_all_pids(logrotate_t)
- files_search_all(logrotate_t)
-@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t)
- files_manage_generic_spool(logrotate_t)
- files_manage_generic_spool_dirs(logrotate_t)
- files_getattr_generic_locks(logrotate_t)
-+files_dontaudit_list_mnt(logrotate_t)
-
- # cjp: why is this needed?
- init_domtrans_script(logrotate_t)
-@@ -112,21 +115,20 @@ logging_send_audit_msgs(logrotate_t)
- # cjp: why is this needed?
- logging_exec_all_logs(logrotate_t)
-
--miscfiles_read_localization(logrotate_t)
-+systemd_exec_systemctl(logrotate_t)
-+systemd_getattr_unit_files(logrotate_t)
-+systemd_start_all_unit_files(logrotate_t)
-+systemd_reload_all_services(logrotate_t)
-+init_stream_connect(logrotate_t)
-
--seutil_dontaudit_read_config(logrotate_t)
--
--userdom_use_user_terminals(logrotate_t)
-+userdom_use_inherited_user_terminals(logrotate_t)
- userdom_list_user_home_dirs(logrotate_t)
- userdom_use_unpriv_users_fds(logrotate_t)
--
--cron_system_entry(logrotate_t, logrotate_exec_t)
--cron_search_spool(logrotate_t)
--
--mta_send_mail(logrotate_t)
-+userdom_list_admin_dir(logrotate_t)
-+userdom_dontaudit_getattr_user_home_content(logrotate_t)
-
- ifdef(`distro_debian', `
-- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
-+ allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
- # for savelog
- can_exec(logrotate_t, logrotate_exec_t)
-
-@@ -138,7 +140,7 @@ ifdef(`distro_debian', `
- ')
-
- optional_policy(`
-- abrt_cache_manage(logrotate_t)
-+ abrt_manage_cache(logrotate_t)
- ')
-
- optional_policy(`
-@@ -154,6 +156,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ awstats_domtrans(logrotate_t)
-+')
-+
-+optional_policy(`
- asterisk_domtrans(logrotate_t)
- ')
-
-@@ -162,10 +168,20 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ callweaver_exec(logrotate_t)
-+ callweaver_stream_connect(logrotate_t)
-+')
-+
-+optional_policy(`
- consoletype_exec(logrotate_t)
- ')
-
- optional_policy(`
-+ cron_system_entry(logrotate_t, logrotate_exec_t)
-+ cron_search_spool(logrotate_t)
-+')
-+
-+optional_policy(`
- cups_domtrans(logrotate_t)
- ')
-
-@@ -178,6 +194,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ chronyd_read_keys(logrotate_t)
-+')
-+
-+optional_policy(`
- icecast_signal(logrotate_t)
- ')
-
-@@ -194,15 +214,19 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ mysql_read_home_content(logrotate_t)
- mysql_read_config(logrotate_t)
- mysql_search_db(logrotate_t)
- mysql_stream_connect(logrotate_t)
- ')
-
- optional_policy(`
-- psad_domtrans(logrotate_t)
-+ polipo_named_filetrans_log_files(logrotate_t)
- ')
-
-+optional_policy(`
-+ psad_domtrans(logrotate_t)
-+')
-
- optional_policy(`
- samba_exec_log(logrotate_t)
-@@ -217,6 +241,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ openvswitch_read_pid_files(logrotate_t)
-+ openvswitch_domtrans(logrotate_t)
-+')
-+
-+optional_policy(`
- squid_domtrans(logrotate_t)
- ')
-
-@@ -228,3 +257,14 @@ optional_policy(`
- optional_policy(`
- varnishd_manage_log(logrotate_t)
- ')
-+
-+#######################################
-+#
-+# logrotate_mail local policy
-+#
-+
-+mta_base_mail_template(logrotate)
-+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
-+role system_r types logrotate_mail_t;
-+logging_read_all_logs(logrotate_mail_t)
-+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
-diff --git a/logwatch.fc b/logwatch.fc
-index 3c7b1e8..1e155f5 100644
---- a/logwatch.fc
-+++ b/logwatch.fc
-@@ -1,7 +1,11 @@
- /usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
-+/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
-
- /usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
-
- /var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
- /var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
-+/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
- /var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)
-+
-+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
-diff --git a/logwatch.te b/logwatch.te
-index 75ce30f..061b725 100644
---- a/logwatch.te
-+++ b/logwatch.te
-@@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
-
- type logwatch_t;
- type logwatch_exec_t;
-+init_daemon_domain(logwatch_t, logwatch_exec_t)
- application_domain(logwatch_t, logwatch_exec_t)
- role system_r types logwatch_t;
-
-@@ -19,6 +20,12 @@ files_lock_file(logwatch_lock_t)
- type logwatch_tmp_t;
- files_tmp_file(logwatch_tmp_t)
-
-+type logwatch_var_run_t;
-+files_pid_file(logwatch_var_run_t)
-+
-+mta_base_mail_template(logwatch)
-+role system_r types logwatch_mail_t;
-+
- ########################################
- #
- # Local policy
-@@ -39,6 +46,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
- manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
- files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
-
-+allow logwatch_t logwatch_var_run_t:file manage_file_perms;
-+files_pid_filetrans(logwatch_t, logwatch_var_run_t, file)
-+
- kernel_read_fs_sysctls(logwatch_t)
- kernel_read_kernel_sysctls(logwatch_t)
- kernel_read_system_state(logwatch_t)
-@@ -56,8 +66,8 @@ domain_read_all_domains_state(logwatch_t)
-
- files_list_var(logwatch_t)
- files_read_var_symlinks(logwatch_t)
--files_read_etc_files(logwatch_t)
- files_read_etc_runtime_files(logwatch_t)
-+files_read_system_conf_files(logwatch_t)
- files_read_usr_files(logwatch_t)
- files_search_spool(logwatch_t)
- files_search_mnt(logwatch_t)
-@@ -67,9 +77,14 @@ files_dontaudit_search_boot(logwatch_t)
- files_dontaudit_search_all_dirs(logwatch_t)
-
- fs_getattr_all_fs(logwatch_t)
-+fs_getattr_all_dirs(logwatch_t)
- fs_dontaudit_list_auto_mountpoints(logwatch_t)
- fs_list_inotifyfs(logwatch_t)
-
-+storage_dontaudit_getattr_fixed_disk_dev(logwatch_t)
-+
-+mls_file_read_to_clearance(logwatch_t)
-+
- term_dontaudit_getattr_pty_dirs(logwatch_t)
- term_dontaudit_list_ptys(logwatch_t)
-
-@@ -84,19 +99,19 @@ libs_read_lib_files(logwatch_t)
- logging_read_all_logs(logwatch_t)
- logging_send_syslog_msg(logwatch_t)
-
--miscfiles_read_localization(logwatch_t)
--
- selinux_dontaudit_getattr_dir(logwatch_t)
-
--sysnet_dns_name_resolve(logwatch_t)
- sysnet_exec_ifconfig(logwatch_t)
-
- userdom_dontaudit_search_user_home_dirs(logwatch_t)
-+userdom_dontaudit_list_admin_dir(logwatch_t)
-
--mta_send_mail(logwatch_t)
-+#mta_send_mail(logwatch_t)
-+mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
-
- ifdef(`distro_redhat',`
- files_search_all(logwatch_t)
-+ files_getattr_all_files(logwatch_t)
- files_getattr_all_file_type_fs(logwatch_t)
- ')
-
-@@ -145,3 +160,24 @@ optional_policy(`
- samba_read_log(logwatch_t)
- samba_read_share_files(logwatch_t)
- ')
-+
-+########################################
-+#
-+# Logwatch mail Local policy
-+#
-+
-+allow logwatch_mail_t self:capability { dac_read_search dac_override };
-+
-+manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
-+
-+dev_read_rand(logwatch_mail_t)
-+dev_read_urand(logwatch_mail_t)
-+dev_read_sysfs(logwatch_mail_t)
-+
-+logging_read_all_logs(logwatch_mail_t)
-+
-+mta_read_home(logwatch_mail_t)
-+
-+optional_policy(`
-+ cron_use_system_job_fds(logwatch_mail_t)
-+')
-diff --git a/lpd.fc b/lpd.fc
-index 5c9eb68..e4f3c24 100644
---- a/lpd.fc
-+++ b/lpd.fc
-@@ -24,7 +24,7 @@
- /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
- /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
-
--/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
-+/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
-
- /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
-
-@@ -35,3 +35,4 @@
- /var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
- /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
- /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
-+/var/spool/turboprint(/.*)? gen_context(system_u:object_r:lpd_var_run_t,mls_systemhigh)
-diff --git a/lpd.if b/lpd.if
-index a4f32f5..628b63c 100644
---- a/lpd.if
-+++ b/lpd.if
-@@ -14,6 +14,7 @@
- ## User domain for the role
- ##
- ##
-+##
- #
- interface(`lpd_role',`
- gen_require(`
-@@ -27,7 +28,10 @@ interface(`lpd_role',`
- dontaudit lpr_t $2:unix_stream_socket { read write };
-
- ps_process_pattern($2, lpr_t)
-- allow $2 lpr_t:process signull;
-+ allow $2 lpr_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 lpr_t:process ptrace;
-+ ')
-
- optional_policy(`
- cups_read_config($2)
-@@ -153,7 +157,7 @@ interface(`lpd_relabel_spool',`
- ')
-
- files_search_spool($1)
-- allow $1 print_spool_t:file { relabelto relabelfrom };
-+ allow $1 print_spool_t:file relabel_file_perms;
- ')
-
- ########################################
-@@ -186,7 +190,7 @@ interface(`lpd_read_config',`
- ##
- ##
- #
--template(`lpd_domtrans_lpr',`
-+interface(`lpd_domtrans_lpr',`
- gen_require(`
- type lpr_t, lpr_exec_t;
- ')
-@@ -196,6 +200,32 @@ template(`lpd_domtrans_lpr',`
-
- ########################################
- ##
-+## Execute lpr in the lpr domain, and
-+## allow the specified role the lpr domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`lpd_run_lpr',`
-+ gen_require(`
-+ type lpr_t;
-+ ')
-+
-+ lpd_domtrans_lpr($1)
-+ role $2 types lpr_t;
-+')
-+
-+########################################
-+##
- ## Allow the specified domain to execute lpr
- ## in the caller domain.
- ##
-diff --git a/lpd.te b/lpd.te
-index a03b63a..99e8d96 100644
---- a/lpd.te
-+++ b/lpd.te
-@@ -45,14 +45,14 @@ userdom_user_tmp_file(lpr_tmp_t)
- type print_spool_t;
- typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
- typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
--files_type(print_spool_t)
-+files_spool_file(print_spool_t)
- ubac_constrained(print_spool_t)
-
- type printer_t;
- files_type(printer_t)
-
- type printconf_t;
--files_type(printconf_t)
-+files_config_file(printconf_t)
-
- ########################################
- #
-@@ -78,12 +78,11 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
- delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
- files_search_spool(checkpc_t)
-
--allow checkpc_t printconf_t:file getattr;
-+allow checkpc_t printconf_t:file getattr_file_perms;
- allow checkpc_t printconf_t:dir list_dir_perms;
-
- kernel_read_system_state(checkpc_t)
-
--corenet_all_recvfrom_unlabeled(checkpc_t)
- corenet_all_recvfrom_netlabel(checkpc_t)
- corenet_tcp_sendrecv_generic_if(checkpc_t)
- corenet_udp_sendrecv_generic_if(checkpc_t)
-@@ -102,7 +101,6 @@ corecmd_exec_bin(checkpc_t)
-
- domain_use_interactive_fds(checkpc_t)
-
--files_read_etc_files(checkpc_t)
- files_read_etc_runtime_files(checkpc_t)
-
- init_use_script_ptys(checkpc_t)
-@@ -111,7 +109,7 @@ init_use_fds(checkpc_t)
-
- sysnet_read_config(checkpc_t)
-
--userdom_use_user_terminals(checkpc_t)
-+userdom_use_inherited_user_terminals(checkpc_t)
-
- optional_policy(`
- cron_system_entry(checkpc_t, checkpc_exec_t)
-@@ -143,9 +141,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
- manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
- files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
-
-+manage_dirs_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
- manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
- manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
--files_pid_filetrans(lpd_t, lpd_var_run_t, file)
-+files_pid_filetrans(lpd_t, lpd_var_run_t, { dir file })
-
- # Write to /var/spool/lpd.
- manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
-@@ -163,7 +162,6 @@ kernel_read_kernel_sysctls(lpd_t)
- # bash wants access to /proc/meminfo
- kernel_read_system_state(lpd_t)
-
--corenet_all_recvfrom_unlabeled(lpd_t)
- corenet_all_recvfrom_netlabel(lpd_t)
- corenet_tcp_sendrecv_generic_if(lpd_t)
- corenet_udp_sendrecv_generic_if(lpd_t)
-@@ -197,12 +195,10 @@ files_list_var_lib(lpd_t)
- files_read_var_lib_files(lpd_t)
- files_read_var_lib_symlinks(lpd_t)
- # config files for lpd are of type etc_t, probably should change this
--files_read_etc_files(lpd_t)
-
- logging_send_syslog_msg(lpd_t)
-
- miscfiles_read_fonts(lpd_t)
--miscfiles_read_localization(lpd_t)
-
- sysnet_read_config(lpd_t)
-
-@@ -236,9 +232,9 @@ can_exec(lpr_t, lpr_exec_t)
- # Allow lpd to read, rename, and unlink spool files.
- allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
-
-+kernel_read_system_state(lpr_t)
- kernel_read_kernel_sysctls(lpr_t)
-
--corenet_all_recvfrom_unlabeled(lpr_t)
- corenet_all_recvfrom_netlabel(lpr_t)
- corenet_tcp_sendrecv_generic_if(lpr_t)
- corenet_udp_sendrecv_generic_if(lpr_t)
-@@ -256,7 +252,6 @@ domain_use_interactive_fds(lpr_t)
-
- files_search_spool(lpr_t)
- # for lpd config files (should have a new type)
--files_read_etc_files(lpr_t)
- # for test print
- files_read_usr_files(lpr_t)
- #Added to cover read_content macro
-@@ -271,23 +266,25 @@ term_use_generic_ptys(lpr_t)
-
- auth_use_nsswitch(lpr_t)
-
--miscfiles_read_localization(lpr_t)
-+miscfiles_read_fonts(lpr_t)
-
- userdom_read_user_tmp_symlinks(lpr_t)
- # Write to the user domain tty.
--userdom_use_user_terminals(lpr_t)
-+userdom_use_inherited_user_terminals(lpr_t)
- userdom_read_user_home_content_files(lpr_t)
- userdom_read_user_tmp_files(lpr_t)
-+userdom_write_user_tmp_sockets(lpr_t)
-+userdom_stream_connect(lpr_t)
-
- tunable_policy(`use_lpd_server',`
- # lpr can run in lightweight mode, without a local print spooler.
-- allow lpr_t lpd_var_run_t:dir search;
-- allow lpr_t lpd_var_run_t:sock_file write;
-+ allow lpr_t lpd_var_run_t:dir search_dir_perms;
-+ allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
- files_read_var_files(lpr_t)
-
- # Connect to lpd via a Unix domain socket.
-- allow lpr_t printer_t:sock_file rw_sock_file_perms;
-- allow lpr_t lpd_t:unix_stream_socket connectto;
-+ allow lpr_t printer_t:sock_file read_sock_file_perms;
-+ stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
- # Send SIGHUP to lpd.
- allow lpr_t lpd_t:process signal;
-
-@@ -305,17 +302,7 @@ tunable_policy(`use_lpd_server',`
- read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_list_auto_mountpoints(lpr_t)
-- fs_read_nfs_files(lpr_t)
-- fs_read_nfs_symlinks(lpr_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_list_auto_mountpoints(lpr_t)
-- fs_read_cifs_files(lpr_t)
-- fs_read_cifs_symlinks(lpr_t)
--')
-+userdom_home_reader(lpr_t)
-
- optional_policy(`
- cups_read_config(lpr_t)
-@@ -324,5 +311,13 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gnome_stream_connect_gkeyringd(lpr_t)
-+')
-+
-+optional_policy(`
- logging_send_syslog_msg(lpr_t)
- ')
-+
-+optional_policy(`
-+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
-+')
-diff --git a/mailman.fc b/mailman.fc
-index 1083f98..c7daa85 100644
---- a/mailman.fc
-+++ b/mailman.fc
-@@ -1,11 +1,14 @@
--/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
--/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-
--/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
--/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
--/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
--/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0)
--/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
-+/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-+/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+
-+/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-+/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
-+/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
-+/var/log/mailman.* gen_context(system_u:object_r:mailman_log_t,s0)
-+/var/run/mailman.* gen_context(system_u:object_r:mailman_var_run_t,s0)
-
- #
- # distro_debian
-@@ -23,12 +26,12 @@ ifdef(`distro_debian', `
- # distro_redhat
- #
- ifdef(`distro_redhat', `
--/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
-+/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-
--/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
--/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
--/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
--/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-+/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-+/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-
--/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
-+/var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
- ')
-diff --git a/mailman.if b/mailman.if
-index 67c7fdd..2f226de 100644
---- a/mailman.if
-+++ b/mailman.if
-@@ -54,7 +54,6 @@ template(`mailman_domain_template', `
- kernel_read_kernel_sysctls(mailman_$1_t)
- kernel_read_system_state(mailman_$1_t)
-
-- corenet_all_recvfrom_unlabeled(mailman_$1_t)
- corenet_all_recvfrom_netlabel(mailman_$1_t)
- corenet_tcp_sendrecv_generic_if(mailman_$1_t)
- corenet_udp_sendrecv_generic_if(mailman_$1_t)
-@@ -74,7 +73,7 @@ template(`mailman_domain_template', `
- corecmd_exec_all_executables(mailman_$1_t)
-
- files_exec_etc_files(mailman_$1_t)
-- files_list_usr(mailman_$1_t)
-+ files_read_usr_files(mailman_$1_t)
- files_list_var(mailman_$1_t)
- files_list_var_lib(mailman_$1_t)
- files_read_var_lib_symlinks(mailman_$1_t)
-@@ -87,7 +86,6 @@ template(`mailman_domain_template', `
-
- logging_send_syslog_msg(mailman_$1_t)
-
-- miscfiles_read_localization(mailman_$1_t)
- ')
-
- #######################################
-@@ -108,6 +106,31 @@ interface(`mailman_domtrans',`
- domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
- ')
-
-+########################################
-+##
-+## Execute the mailman program in the mailman domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The role to allow the mailman domain.
-+##
-+##
-+##
-+#
-+interface(`mailman_run',`
-+ gen_require(`
-+ type mailman_mail_t;
-+ ')
-+
-+ mailman_domtrans($1)
-+ role $2 types mailman_mail_t;
-+')
-+
- #######################################
- ##
- ## Execute mailman CGI scripts in the
-diff --git a/mailman.te b/mailman.te
-index 22265f0..da52800 100644
---- a/mailman.te
-+++ b/mailman.te
-@@ -19,6 +19,9 @@ logging_log_file(mailman_log_t)
- type mailman_lock_t;
- files_lock_file(mailman_lock_t)
-
-+type mailman_var_run_t;
-+files_pid_file(mailman_var_run_t)
-+
- mailman_domain_template(mail)
- init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
-
-@@ -54,6 +57,9 @@ optional_policy(`
- apache_search_sys_script_state(mailman_cgi_t)
- apache_read_config(mailman_cgi_t)
- apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
-+
-+ postfix_read_config(mailman_cgi_t)
-+
- ')
-
- ########################################
-@@ -62,13 +68,23 @@ optional_policy(`
- #
-
- allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
--allow mailman_mail_t self:process { signal signull };
--allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
-+allow mailman_mail_t self:process { setsched signal signull };
-+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_nice sys_tty_config };
-
- manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
- manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
- manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
-
-+manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-+manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-+files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
-+
-+# make NNTP gateway working
-+corenet_tcp_connect_innd_port(mailman_mail_t)
-+corenet_tcp_connect_spamd_port(mailman_mail_t)
-+
-+dev_read_urand(mailman_mail_t)
-+
- files_search_spool(mailman_mail_t)
-
- fs_rw_anon_inodefs_files(mailman_mail_t)
-@@ -81,11 +97,16 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gnome_dontaudit_search_config(mailman_mail_t)
-+')
-+
-+optional_policy(`
- cron_read_pipes(mailman_mail_t)
- ')
-
- optional_policy(`
- postfix_search_spool(mailman_mail_t)
-+ postfix_rw_master_pipes(mailman_mail_t)
- ')
-
- ########################################
-@@ -94,7 +115,7 @@ optional_policy(`
- #
-
- allow mailman_queue_t self:capability { setgid setuid };
--allow mailman_queue_t self:process signal;
-+allow mailman_queue_t self:process { setsched signal_perms };
- allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
- allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
-
-@@ -104,13 +125,12 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
-
- kernel_read_proc_symlinks(mailman_queue_t)
-
-+corenet_tcp_connect_innd_port(mailman_queue_t)
-+
- auth_domtrans_chk_passwd(mailman_queue_t)
-
- files_dontaudit_search_pids(mailman_queue_t)
-
--# for su
--seutil_dontaudit_search_config(mailman_queue_t)
--
- # some of the following could probably be changed to dontaudit, someone who
- # knows mailman well should test this out and send the changes
- userdom_search_user_home_dirs(mailman_queue_t)
-@@ -125,4 +145,4 @@ optional_policy(`
-
- optional_policy(`
- su_exec(mailman_queue_t)
--')
-\ No newline at end of file
-+')
-diff --git a/mailscanner.fc b/mailscanner.fc
-new file mode 100644
-index 0000000..827e22e
---- /dev/null
-+++ b/mailscanner.fc
-@@ -0,0 +1,11 @@
-+/etc/MailScanner(/.*)? gen_context(system_u:object_r:mscan_etc_t,s0)
-+
-+/etc/rc\.d/init\.d/MailScanner -- gen_context(system_u:object_r:mscan_initrc_exec_t,s0)
-+
-+/etc/sysconfig/MailScanner -- gen_context(system_u:object_r:mscan_etc_t,s0)
-+
-+/etc/sysconfig/update_spamassassin -- gen_context(system_u:object_r:mscan_etc_t,s0)
-+
-+/usr/sbin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0)
-+
-+/var/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0)
-diff --git a/mailscanner.if b/mailscanner.if
-new file mode 100644
-index 0000000..bd1d48e
---- /dev/null
-+++ b/mailscanner.if
-@@ -0,0 +1,61 @@
-+## E-mail security and anti-spam package for e-mail gateway systems.
-+
-+########################################
-+##
-+## Execute a domain transition to run
-+## MailScanner.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`mailscanner_initrc_domtrans',`
-+ gen_require(`
-+ type mscan_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, mscan_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an mailscanner environment.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`mailscanner_admin',`
-+ gen_require(`
-+ type mscan_t, mscan_var_run_t, mscan_etc_t;
-+ type mscan_initrc_exec_t;
-+ ')
-+
-+ mailscanner_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 mscan_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ allow $1 mscan_t:process signal_perms;
-+ ps_process_pattern($1, mscan_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 mscan_t:process ptrace;
-+ ')
-+
-+ admin_pattern($1, mscan_etc_t)
-+ files_list_etc($1)
-+
-+ admin_pattern($1, mscan_var_run_t)
-+ files_list_pids($1)
-+')
-diff --git a/mailscanner.te b/mailscanner.te
-new file mode 100644
-index 0000000..45f3262
---- /dev/null
-+++ b/mailscanner.te
-@@ -0,0 +1,85 @@
-+policy_module(mailscanner, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type mscan_t;
-+type mscan_exec_t;
-+init_daemon_domain(mscan_t, mscan_exec_t)
-+
-+type mscan_initrc_exec_t;
-+init_script_file(mscan_initrc_exec_t)
-+
-+type mscan_etc_t;
-+files_config_file(mscan_etc_t)
-+
-+type mscan_tmp_t;
-+files_tmp_file(mscan_tmp_t)
-+
-+type mscan_var_run_t;
-+files_pid_file(mscan_var_run_t)
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+allow mscan_t self:capability { setuid chown setgid dac_override };
-+allow mscan_t self:process signal;
-+allow mscan_t self:fifo_file rw_fifo_file_perms;
-+
-+read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
-+
-+manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
-+files_pid_filetrans(mscan_t, mscan_var_run_t, file)
-+
-+manage_dirs_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
-+manage_files_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
-+files_tmp_filetrans(mscan_t, mscan_tmp_t, { dir file })
-+
-+can_exec(mscan_t, mscan_exec_t)
-+
-+kernel_read_system_state(mscan_t)
-+
-+corecmd_exec_bin(mscan_t)
-+corecmd_exec_shell(mscan_t)
-+
-+corenet_tcp_connect_fprot_port(mscan_t)
-+corenet_tcp_sendrecv_fprot_port(mscan_t)
-+corenet_sendrecv_fprot_client_packets(mscan_t)
-+corenet_udp_bind_generic_node(mscan_t)
-+corenet_udp_bind_generic_port(mscan_t)
-+corenet_udp_sendrecv_all_ports(mscan_t)
-+corenet_sendrecv_generic_server_packets(mscan_t)
-+
-+dev_read_urand(mscan_t)
-+
-+files_read_usr_files(mscan_t)
-+
-+fs_getattr_xattr_fs(mscan_t)
-+
-+auth_dontaudit_read_shadow(mscan_t)
-+auth_use_nsswitch(mscan_t)
-+
-+logging_send_syslog_msg(mscan_t)
-+
-+optional_policy(`
-+ clamav_domtrans_clamscan(mscan_t)
-+ clamav_manage_clamd_pid(mscan_t)
-+')
-+
-+optional_policy(`
-+ mta_send_mail(mscan_t)
-+ mta_manage_queue(mscan_t)
-+')
-+
-+optional_policy(`
-+ procmail_domtrans(mscan_t)
-+')
-+
-+optional_policy(`
-+ spamassassin_read_home_client(mscan_t)
-+ spamassassin_read_lib_files(mscan_t)
-+')
-diff --git a/man2html.fc b/man2html.fc
-new file mode 100644
-index 0000000..2907017
---- /dev/null
-+++ b/man2html.fc
-@@ -0,0 +1,5 @@
-+/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-+/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-+/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-+
-+/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
-diff --git a/man2html.if b/man2html.if
-new file mode 100644
-index 0000000..050157a
---- /dev/null
-+++ b/man2html.if
-@@ -0,0 +1,127 @@
-+
-+## policy for httpd_man2html_script
-+
-+########################################
-+##
-+## Transition to httpd_man2html_script.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`httpd_man2html_script_domtrans',`
-+ gen_require(`
-+ type httpd_man2html_script_t, httpd_man2html_script_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t)
-+')
-+
-+########################################
-+##
-+## Search httpd_man2html_script cache directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`httpd_man2html_script_search_cache',`
-+ gen_require(`
-+ type httpd_man2html_script_cache_t;
-+ ')
-+
-+ allow $1 httpd_man2html_script_cache_t:dir search_dir_perms;
-+ files_search_var($1)
-+')
-+
-+########################################
-+##
-+## Read httpd_man2html_script cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`httpd_man2html_script_read_cache_files',`
-+ gen_require(`
-+ type httpd_man2html_script_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## httpd_man2html_script cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`httpd_man2html_script_manage_cache_files',`
-+ gen_require(`
-+ type httpd_man2html_script_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-+')
-+
-+########################################
-+##
-+## Manage httpd_man2html_script cache dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`httpd_man2html_script_manage_cache_dirs',`
-+ gen_require(`
-+ type httpd_man2html_script_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an httpd_man2html_script environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`httpd_man2html_script_admin',`
-+ gen_require(`
-+ type httpd_man2html_script_t;
-+ type httpd_man2html_script_cache_t;
-+ ')
-+
-+ allow $1 httpd_man2html_script_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, httpd_man2html_script_t)
-+
-+ files_search_var($1)
-+ admin_pattern($1, httpd_man2html_script_cache_t)
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/man2html.te b/man2html.te
-new file mode 100644
-index 0000000..29b79eb
---- /dev/null
-+++ b/man2html.te
-@@ -0,0 +1,30 @@
-+policy_module(man2html, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type httpd_man2html_script_cache_t;
-+files_type(httpd_man2html_script_cache_t)
-+
-+########################################
-+#
-+# httpd_man2html_script local policy
-+#
-+
-+optional_policy(`
-+
-+ apache_content_template(man2html)
-+
-+ allow httpd_man2html_script_t self:process { fork };
-+
-+ manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-+ manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-+ manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-+ files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file })
-+
-+ domain_use_interactive_fds(httpd_man2html_script_t)
-+
-+ files_read_etc_files(httpd_man2html_script_t)
-+')
-diff --git a/mandb.fc b/mandb.fc
-new file mode 100644
-index 0000000..75b9968
---- /dev/null
-+++ b/mandb.fc
-@@ -0,0 +1,3 @@
-+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
-+
-+/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
-diff --git a/mandb.if b/mandb.if
-new file mode 100644
-index 0000000..4a4e899
---- /dev/null
-+++ b/mandb.if
-@@ -0,0 +1,187 @@
-+
-+## policy for mandb
-+
-+########################################
-+##
-+## Transition to mandb.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`mandb_domtrans',`
-+ gen_require(`
-+ type mandb_t, mandb_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, mandb_exec_t, mandb_t)
-+')
-+
-+########################################
-+##
-+## Search mandb cache directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mandb_search_cache',`
-+ gen_require(`
-+ type mandb_cache_t;
-+ ')
-+
-+ allow $1 mandb_cache_t:dir search_dir_perms;
-+ files_search_var($1)
-+')
-+
-+########################################
-+##
-+## Read mandb cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mandb_read_cache_files',`
-+ gen_require(`
-+ type mandb_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ read_files_pattern($1, mandb_cache_t, mandb_cache_t)
-+')
-+
-+########################################
-+##
-+## Relabel mandb cache files/directories
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mandb_relabel_cache',`
-+ gen_require(`
-+ type mandb_cache_t;
-+ ')
-+
-+ allow $1 mandb_cache_t:dir relabel_dir_perms;
-+ allow $1 mandb_cache_t:file relabel_file_perms;
-+')
-+
-+########################################
-+##
-+## Set attributes on mandb cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mandb_setattr_cache_dirs',`
-+ gen_require(`
-+ type mandb_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ allow $1 mandb_cache_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Delete mandb cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mandb_delete_cache',`
-+ gen_require(`
-+ type mandb_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ allow $1 mandb_cache_t:dir list_dir_perms;
-+ delete_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
-+ delete_files_pattern($1, mandb_cache_t, mandb_cache_t)
-+ delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## mandb cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mandb_manage_cache_files',`
-+ gen_require(`
-+ type mandb_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_files_pattern($1, mandb_cache_t, mandb_cache_t)
-+')
-+
-+########################################
-+##
-+## Manage mandb cache dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mandb_manage_cache_dirs',`
-+ gen_require(`
-+ type mandb_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an mandb environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mandb_admin',`
-+ gen_require(`
-+ type mandb_t;
-+ type mandb_cache_t;
-+ ')
-+
-+ allow $1 mandb_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, mandb_t)
-+
-+ files_search_var($1)
-+ admin_pattern($1, mandb_cache_t)
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/mandb.te b/mandb.te
-new file mode 100644
-index 0000000..8cc45e7
---- /dev/null
-+++ b/mandb.te
-@@ -0,0 +1,35 @@
-+policy_module(mandb, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type mandb_t;
-+type mandb_exec_t;
-+init_daemon_domain(mandb_t, mandb_exec_t)
-+cron_system_entry(mandb_t, mandb_exec_t)
-+
-+type mandb_cache_t;
-+files_type(mandb_cache_t)
-+
-+########################################
-+#
-+# mandb local policy
-+#
-+allow mandb_t self:fifo_file rw_fifo_file_perms;
-+allow mandb_t self:unix_stream_socket create_stream_socket_perms;
-+allow mandb_t self:process signal;
-+
-+manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
-+manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
-+manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
-+files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })
-+
-+kernel_read_system_state(mandb_t)
-+
-+corecmd_exec_bin(mandb_t)
-+
-+domain_use_interactive_fds(mandb_t)
-+
-+files_read_etc_files(mandb_t)
-diff --git a/mcelog.fc b/mcelog.fc
-index 56c43c0..409bbfc 100644
---- a/mcelog.fc
-+++ b/mcelog.fc
-@@ -1 +1,5 @@
- /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
-+
-+/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
-+
-+/var/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0)
-diff --git a/mcelog.te b/mcelog.te
-index 5671977..99a63b2 100644
---- a/mcelog.te
-+++ b/mcelog.te
-@@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0)
-
- type mcelog_t;
- type mcelog_exec_t;
-+init_system_domain(mcelog_t, mcelog_exec_t)
- application_domain(mcelog_t, mcelog_exec_t)
--cron_system_entry(mcelog_t, mcelog_exec_t)
-+
-+type mcelog_var_run_t;
-+files_pid_file(mcelog_var_run_t)
-+
-+type mcelog_log_t;
-+logging_log_file(mcelog_log_t)
-
- ########################################
- #
-@@ -17,16 +23,33 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
-
- allow mcelog_t self:capability sys_admin;
-
-+manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
-+manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
-+logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir })
-+
-+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-+manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file } )
-+
- kernel_read_system_state(mcelog_t)
-
-+corecmd_exec_shell(mcelog_t)
-+corecmd_exec_bin(mcelog_t)
-+
- dev_read_raw_memory(mcelog_t)
- dev_read_kmsg(mcelog_t)
-+dev_rw_sysfs(mcelog_t)
-
- files_read_etc_files(mcelog_t)
-
- # for /dev/mem access
- mls_file_read_all_levels(mcelog_t)
-
-+auth_read_passwd(mcelog_t)
-+
- logging_send_syslog_msg(mcelog_t)
-
--miscfiles_read_localization(mcelog_t)
-+optional_policy(`
-+ cron_system_entry(mcelog_t, mcelog_exec_t)
-+')
-diff --git a/mcollective.fc b/mcollective.fc
-new file mode 100644
-index 0000000..821bf88
---- /dev/null
-+++ b/mcollective.fc
-@@ -0,0 +1,3 @@
-+/etc/mcollective/facts\.yaml -- gen_context(system_u:object_r:mcollective_etc_rw_t,s0)
-+
-+/usr/libexec/mcollective/update_yaml\.rb -- gen_context(system_u:object_r:mcollective_exec_t,s0)
-diff --git a/mcollective.if b/mcollective.if
-new file mode 100644
-index 0000000..e76a9b5
---- /dev/null
-+++ b/mcollective.if
-@@ -0,0 +1,114 @@
-+
-+## policy for mcollective
-+
-+########################################
-+##
-+## Execute TEMPLATE in the mcollective domin.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`mcollective_domtrans',`
-+ gen_require(`
-+ type mcollective_t, mcollective_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, mcollective_exec_t, mcollective_t)
-+')
-+
-+########################################
-+##
-+## Search mcollective conf directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mcollective_search_conf',`
-+ gen_require(`
-+ type mcollective_etc_rw_t;
-+ ')
-+
-+ allow $1 mcollective_etc_rw_t:dir search_dir_perms;
-+ files_search_etc($1)
-+')
-+
-+########################################
-+##
-+## Read mcollective conf files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mcollective_read_conf_files',`
-+ gen_require(`
-+ type mcollective_etc_rw_t;
-+ ')
-+
-+ allow $1 mcollective_etc_rw_t:dir list_dir_perms;
-+ read_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
-+ files_search_etc($1)
-+')
-+
-+########################################
-+##
-+## Manage mcollective conf files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mcollective_manage_conf_files',`
-+ gen_require(`
-+ type mcollective_etc_rw_t;
-+ ')
-+
-+ manage_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
-+ files_search_etc($1)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an mcollective environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`mcollective_admin',`
-+ gen_require(`
-+ type mcollective_t;
-+ type mcollective_etc_rw_t;
-+ ')
-+
-+ allow $1 mcollective_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, mcollective_t)
-+
-+ files_search_etc($1)
-+ admin_pattern($1, mcollective_etc_rw_t)
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/mcollective.te b/mcollective.te
-new file mode 100644
-index 0000000..5dd171f
---- /dev/null
-+++ b/mcollective.te
-@@ -0,0 +1,30 @@
-+policy_module(mcollective, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type mcollective_t;
-+type mcollective_exec_t;
-+init_daemon_domain(mcollective_t, mcollective_exec_t)
-+cron_system_entry(mcollective_t, mcollective_exec_t)
-+
-+permissive mcollective_t;
-+
-+type mcollective_etc_rw_t;
-+files_type(mcollective_etc_rw_t)
-+
-+########################################
-+#
-+# mcollective local policy
-+#
-+allow mcollective_t self:fifo_file rw_fifo_file_perms;
-+allow mcollective_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(mcollective_t, mcollective_etc_rw_t, mcollective_etc_rw_t)
-+files_etc_filetrans(mcollective_t, mcollective_etc_rw_t, file, "facts.yaml")
-+
-+domain_use_interactive_fds(mcollective_t)
-+
-+files_read_etc_files(mcollective_t)
-diff --git a/mediawiki.if b/mediawiki.if
-index 98d28b4..1c1d012 100644
---- a/mediawiki.if
-+++ b/mediawiki.if
-@@ -1 +1,40 @@
- ## Mediawiki policy
-+
-+#######################################
-+##
-+## Allow the specified domain to read
-+## mediawiki tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mediawiki_read_tmp_files',`
-+ gen_require(`
-+ type httpd_mediawiki_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
-+ read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
-+')
-+
-+#######################################
-+##
-+## Delete mediawiki tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mediawiki_delete_tmp_files',`
-+ gen_require(`
-+ type httpd_mediawiki_tmp_t;
-+ ')
-+
-+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
-+')
-diff --git a/mediawiki.te b/mediawiki.te
-index d7cb9e4..7e81838 100644
---- a/mediawiki.te
-+++ b/mediawiki.te
-@@ -5,13 +5,16 @@ policy_module(mediawiki, 1.0.0)
- # Declarations
- #
-
--apache_content_template(mediawiki)
-+optional_policy(`
-+
-+ apache_content_template(mediawiki)
-
- ########################################
- #
- # mediawiki local policy
- #
-
--files_search_var_lib(httpd_mediawiki_script_t)
-+ files_search_var_lib(httpd_mediawiki_script_t)
-
--miscfiles_read_tetex_data(httpd_mediawiki_script_t)
-+ miscfiles_read_tetex_data(httpd_mediawiki_script_t)
-+')
-diff --git a/memcached.fc b/memcached.fc
-index 4d69477..d3b4f39 100644
---- a/memcached.fc
-+++ b/memcached.fc
-@@ -2,4 +2,5 @@
-
- /usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)
-
-+/var/run/ipa_memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
- /var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
-diff --git a/memcached.if b/memcached.if
-index db4fd6f..650014e 100644
---- a/memcached.if
-+++ b/memcached.if
-@@ -40,6 +40,44 @@ interface(`memcached_read_pid_files',`
-
- ########################################
- ##
-+## Manage memcached PID files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`memcached_manage_pid_files',`
-+ gen_require(`
-+ type memcached_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
-+')
-+
-+########################################
-+##
-+## Connect to memcached over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`memcached_stream_connect',`
-+ gen_require(`
-+ type memcached_t, memcached_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an memcached environment
- ##
-@@ -57,17 +95,20 @@ interface(`memcached_read_pid_files',`
- #
- interface(`memcached_admin',`
- gen_require(`
-- type memcached_t;
-- type memcached_initrc_exec_t;
-+ type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
- ')
-
-- allow $1 memcached_t:process { ptrace signal_perms };
-+ allow $1 memcached_t:process signal_perms;
- ps_process_pattern($1, memcached_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 memcached_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, memcached_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 memcached_initrc_exec_t system_r;
- allow $2 system_r;
-
-+ files_list_pids($1)
- admin_pattern($1, memcached_var_run_t)
- ')
-diff --git a/memcached.te b/memcached.te
-index b681608..9c4fc55 100644
---- a/memcached.te
-+++ b/memcached.te
-@@ -28,7 +28,6 @@ allow memcached_t self:udp_socket { create_socket_perms listen };
- allow memcached_t self:fifo_file rw_fifo_file_perms;
- allow memcached_t self:unix_stream_socket create_stream_socket_perms;
-
--corenet_all_recvfrom_unlabeled(memcached_t)
- corenet_udp_sendrecv_generic_if(memcached_t)
- corenet_udp_sendrecv_generic_node(memcached_t)
- corenet_udp_sendrecv_all_ports(memcached_t)
-@@ -42,12 +41,12 @@ corenet_udp_bind_memcache_port(memcached_t)
-
- manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
- manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
--files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
-+manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
-+files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir sock_file })
-
- kernel_read_kernel_sysctls(memcached_t)
- kernel_read_system_state(memcached_t)
-
--files_read_etc_files(memcached_t)
-
- term_dontaudit_use_all_ptys(memcached_t)
- term_dontaudit_use_all_ttys(memcached_t)
-@@ -55,4 +54,3 @@ term_dontaudit_use_console(memcached_t)
-
- auth_use_nsswitch(memcached_t)
-
--miscfiles_read_localization(memcached_t)
-diff --git a/milter.fc b/milter.fc
-index 1ec5a6c..64ac6f0 100644
---- a/milter.fc
-+++ b/milter.fc
-@@ -1,15 +1,26 @@
-+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
-+
-+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
-+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
- /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
--/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
-+/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
- /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
-
-+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
- /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
-+/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
- /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
-
-+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
- /var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
- /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
- /var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
-+/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
- /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
- /var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
-+/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-
- /var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
- /var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
-+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-diff --git a/milter.if b/milter.if
-index ee72cbe..bdf319a 100644
---- a/milter.if
-+++ b/milter.if
-@@ -24,9 +24,13 @@ template(`milter_template',`
-
- # Type for the milter data (e.g. the socket used to communicate with the MTA)
- type $1_milter_data_t, milter_data_type;
-- files_type($1_milter_data_t)
-+ files_pid_file($1_milter_data_t)
-+
-+ # Allow communication with MTA over a unix-domain socket
-+ # Note: usage with TCP sockets requires additional policy
-
- allow $1_milter_t self:fifo_file rw_fifo_file_perms;
-+
- # Allow communication with MTA over a TCP socket
- allow $1_milter_t self:tcp_socket create_stream_socket_perms;
-
-@@ -36,12 +40,13 @@ template(`milter_template',`
- # Create other data files and directories in the data directory
- manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
-
-+ kernel_dontaudit_read_system_state($1_milter_t)
-+
- corenet_tcp_bind_generic_node($1_milter_t)
- corenet_tcp_bind_milter_port($1_milter_t)
-
- files_read_etc_files($1_milter_t)
-
-- miscfiles_read_localization($1_milter_t)
-
- logging_send_syslog_msg($1_milter_t)
- ')
-@@ -61,6 +66,7 @@ interface(`milter_stream_connect_all',`
- attribute milter_data_type, milter_domains;
- ')
-
-+ files_search_pids($1)
- getattr_dirs_pattern($1, milter_data_type, milter_data_type)
- stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
- ')
-@@ -86,6 +92,24 @@ interface(`milter_getattr_all_sockets',`
-
- ########################################
- ##
-+## Allow setattr of milter dirs
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`milter_setattr_all_dirs',`
-+ gen_require(`
-+ attribute milter_data_type;
-+ ')
-+
-+ setattr_dirs_pattern($1, milter_data_type, milter_data_type)
-+')
-+
-+########################################
-+##
- ## Manage spamassassin milter state
- ##
- ##
-@@ -104,3 +128,22 @@ interface(`milter_manage_spamass_state',`
- manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
- manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
- ')
-+
-+#######################################
-+##
-+## Delete dkim-milter PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`milter_delete_dkim_pid_files',`
-+ gen_require(`
-+ type dkim_milter_data_t;
-+ ')
-+
-+ files_search_pids($1)
-+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
-+')
-diff --git a/milter.te b/milter.te
-index 26101cb..64c2969 100644
---- a/milter.te
-+++ b/milter.te
-@@ -9,6 +9,13 @@ policy_module(milter, 1.4.0)
- attribute milter_domains;
- attribute milter_data_type;
-
-+# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
-+milter_template(dkim)
-+
-+# type for the private key of dkim-milter
-+type dkim_milter_private_key_t;
-+files_type(dkim_milter_private_key_t)
-+
- # currently-supported milters are milter-greylist, milter-regex and spamass-milter
- milter_template(greylist)
- milter_template(regex)
-@@ -20,6 +27,26 @@ milter_template(spamass)
- type spamass_milter_state_t;
- files_type(spamass_milter_state_t)
-
-+#######################################
-+#
-+# dkim-milter local policy
-+#
-+
-+allow dkim_milter_t self:capability { kill setgid setuid };
-+allow dkim_milter_t self:process signal;
-+allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
-+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
-+
-+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
-+
-+kernel_read_kernel_sysctls(dkim_milter_t)
-+
-+auth_use_nsswitch(dkim_milter_t)
-+
-+sysnet_dns_name_resolve(dkim_milter_t)
-+
-+mta_read_config(dkim_milter_t)
-+
- ########################################
- #
- # milter-greylist local policy
-@@ -33,11 +60,25 @@ files_type(spamass_milter_state_t)
- allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
- allow greylist_milter_t self:process { setsched getsched };
-
-+allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
-+
- # It creates a pid file /var/run/milter-greylist.pid
- files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
-
- kernel_read_kernel_sysctls(greylist_milter_t)
-
-+dev_read_rand(greylist_milter_t)
-+dev_read_urand(greylist_milter_t)
-+
-+corecmd_exec_bin(greylist_milter_t)
-+corecmd_exec_shell(greylist_milter_t)
-+
-+corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
-+corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
-+corenet_tcp_bind_rtsclient_port(greylist_milter_t)
-+
-+# perl getgroups() reads a bunch of files in /etc
-+files_read_etc_files(greylist_milter_t)
- # Allow the milter to read a GeoIP database in /usr/share
- files_read_usr_files(greylist_milter_t)
- # The milter runs from /var/lib/milter-greylist and maintains files there
-@@ -49,6 +90,14 @@ auth_use_nsswitch(greylist_milter_t)
- # Config is in /etc/mail/greylist.conf
- mta_read_config(greylist_milter_t)
-
-+
-+sysnet_read_config(greylist_milter_t)
-+
-+
-+optional_policy(`
-+ mysql_stream_connect(greylist_milter_t)
-+')
-+
- ########################################
- #
- # milter-regex local policy
-@@ -88,6 +137,8 @@ corecmd_exec_shell(spamass_milter_t)
- corecmd_read_bin_symlinks(spamass_milter_t)
- corecmd_search_bin(spamass_milter_t)
-
-+auth_use_nsswitch(spamass_milter_t)
-+
- mta_send_mail(spamass_milter_t)
-
- # The main job of the milter is to pipe spam through spamc and act on the result
-diff --git a/mock.fc b/mock.fc
-new file mode 100644
-index 0000000..8d0e473
---- /dev/null
-+++ b/mock.fc
-@@ -0,0 +1,5 @@
-+
-+/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
-+
-+/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
-+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
-diff --git a/mock.if b/mock.if
-new file mode 100644
-index 0000000..7f6f2d6
---- /dev/null
-+++ b/mock.if
-@@ -0,0 +1,307 @@
-+## policy for mock
-+
-+########################################
-+##
-+## Execute a domain transition to run mock.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`mock_domtrans',`
-+ gen_require(`
-+ type mock_t, mock_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, mock_exec_t, mock_t)
-+')
-+
-+########################################
-+##
-+## Search mock lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mock_search_lib',`
-+ gen_require(`
-+ type mock_var_lib_t;
-+ ')
-+
-+ allow $1 mock_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read mock lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mock_read_lib_files',`
-+ gen_require(`
-+ type mock_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Getattr on mock lib file,dir,sock_file ...
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mock_getattr_lib',`
-+ gen_require(`
-+ type mock_var_lib_t;
-+ ')
-+
-+ allow $1 mock_var_lib_t:dir_file_class_set getattr;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## mock lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mock_manage_lib_files',`
-+ gen_require(`
-+ type mock_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage mock lib dirs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mock_manage_lib_dirs',`
-+ gen_require(`
-+ type mock_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
-+')
-+
-+#########################################
-+##
-+## Manage mock lib symlinks.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mock_manage_lib_symlinks',`
-+ gen_require(`
-+ type mock_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage mock lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mock_manage_lib_chr_files',`
-+ gen_require(`
-+ type mock_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage mock lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mock_dontaudit_write_lib_chr_files',`
-+ gen_require(`
-+ type mock_var_lib_t;
-+ ')
-+
-+ dontaudit $1 mock_var_lib_t:chr_file write;
-+')
-+
-+#######################################
-+##
-+## Dontaudit read and write an leaked file descriptors
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`mock_dontaudit_leaks',`
-+ gen_require(`
-+ type mock_tmp_t;
-+ ')
-+
-+ dontaudit $1 mock_tmp_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute mock in the mock domain, and
-+## allow the specified role the mock domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the mock domain.
-+##
-+##
-+##
-+#
-+interface(`mock_run',`
-+ gen_require(`
-+ type mock_t;
-+ type mock_build_t;
-+ ')
-+
-+ mock_domtrans($1)
-+ role $2 types mock_t;
-+ role $2 types mock_build_t;
-+
-+ optional_policy(`
-+ mount_run(mock_t, $2)
-+ ')
-+')
-+
-+########################################
-+##
-+## Role access for mock
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+##
-+#
-+interface(`mock_role',`
-+ gen_require(`
-+ type mock_t;
-+ ')
-+
-+ role $1 types mock_t;
-+
-+ mock_run($2, $1)
-+
-+ ps_process_pattern($2, mock_t)
-+ allow $2 mock_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 mock_t:process ptrace;
-+ ')
-+')
-+
-+#######################################
-+##
-+## Send a generic signal to mock.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mock_signal',`
-+ gen_require(`
-+ type mock_t;
-+ ')
-+
-+ allow $1 mock_t:process signal;
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an mock environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mock_admin',`
-+ gen_require(`
-+ type mock_t, mock_var_lib_t;
-+ type mock_build_t, mock_etc_t, mock_tmp_t;
-+ ')
-+
-+ allow $1 mock_t:process signal_perms;
-+ ps_process_pattern($1, mock_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 mock_t:process ptrace;
-+ allow $1 mock_build_t:process ptrace;
-+ ')
-+
-+ allow $1 mock_build_t:process signal_perms;
-+ ps_process_pattern($1, mock_build_t)
-+
-+ files_list_var_lib($1)
-+ admin_pattern($1, mock_var_lib_t)
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, mock_tmp_t)
-+
-+ files_search_etc($1)
-+ admin_pattern($1, mock_etc_t)
-+')
-diff --git a/mock.te b/mock.te
-new file mode 100644
-index 0000000..ecfd7be
---- /dev/null
-+++ b/mock.te
-@@ -0,0 +1,247 @@
-+policy_module(mock,1.0.0)
-+
-+##
-+##
-+## Allow mock to read files in home directories.
-+##
-+##
-+gen_tunable(mock_enable_homedirs, false)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type mock_t;
-+type mock_exec_t;
-+application_domain(mock_t, mock_exec_t)
-+domain_role_change_exemption(mock_t)
-+domain_system_change_exemption(mock_t)
-+role system_r types mock_t;
-+
-+type mock_build_t;
-+type mock_build_exec_t;
-+application_domain(mock_build_t, mock_build_exec_t)
-+role system_r types mock_build_t;
-+
-+type mock_cache_t;
-+files_type(mock_cache_t)
-+
-+type mock_tmp_t;
-+files_tmp_file(mock_tmp_t)
-+
-+type mock_var_lib_t;
-+files_type(mock_var_lib_t)
-+
-+type mock_etc_t;
-+files_config_file(mock_etc_t)
-+
-+########################################
-+#
-+# mock local policy
-+#
-+
-+allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
-+allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
-+# Needed because mock can run java and mono withing build environment
-+allow mock_t self:process { execmem execstack };
-+dontaudit mock_t self:process { siginh noatsecure rlimitinh };
-+allow mock_t self:fifo_file manage_fifo_file_perms;
-+allow mock_t self:unix_stream_socket create_stream_socket_perms;
-+allow mock_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
-+manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
-+manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
-+files_var_filetrans(mock_t, mock_cache_t, { dir file } )
-+
-+read_files_pattern(mock_t, mock_etc_t, mock_etc_t)
-+read_lnk_files_pattern(mock_t, mock_etc_t, mock_etc_t)
-+
-+manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
-+manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
-+manage_lnk_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
-+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
-+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
-+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
-+manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
-+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
-+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
-+allow mock_t mock_var_lib_t:dir mounton;
-+allow mock_t mock_var_lib_t:dir relabel_dir_perms;
-+allow mock_t mock_var_lib_t:file relabel_file_perms;
-+
-+kernel_list_proc(mock_t)
-+kernel_read_irq_sysctls(mock_t)
-+kernel_read_system_state(mock_t)
-+kernel_read_network_state(mock_t)
-+kernel_read_kernel_sysctls(mock_t)
-+kernel_request_load_module(mock_t)
-+kernel_dontaudit_setattr_proc_dirs(mock_t)
-+kernel_read_fs_sysctls(mock_t)
-+
-+corecmd_exec_bin(mock_t)
-+corecmd_exec_shell(mock_t)
-+corecmd_dontaudit_exec_all_executables(mock_t)
-+
-+corenet_tcp_connect_git_port(mock_t)
-+corenet_tcp_connect_http_port(mock_t)
-+corenet_tcp_connect_ftp_port(mock_t)
-+corenet_tcp_connect_all_ephemeral_ports(mock_t)
-+
-+dev_read_urand(mock_t)
-+dev_read_sysfs(mock_t)
-+dev_setattr_sysfs_dirs(mock_t)
-+
-+domain_read_all_domains_state(mock_t)
-+domain_use_interactive_fds(mock_t)
-+
-+files_read_etc_runtime_files(mock_t)
-+files_read_usr_files(mock_t)
-+files_dontaudit_list_boot(mock_t)
-+
-+fs_getattr_all_fs(mock_t)
-+fs_search_all(mock_t)
-+fs_manage_cgroup_dirs(mock_t)
-+files_list_isid_type_dirs(mock_t)
-+
-+selinux_get_enforce_mode(mock_t)
-+
-+term_search_ptys(mock_t)
-+
-+auth_use_nsswitch(mock_t)
-+
-+init_exec(mock_t)
-+init_dontaudit_stream_connect(mock_t)
-+
-+libs_exec_ldconfig(mock_t)
-+
-+logging_send_audit_msgs(mock_t)
-+logging_send_syslog_msg(mock_t)
-+
-+userdom_use_user_ptys(mock_t)
-+
-+files_search_home(mock_t)
-+
-+tunable_policy(`mock_enable_homedirs',`
-+ userdom_manage_user_home_content_dirs(mock_t)
-+ userdom_manage_user_home_content_files(mock_t)
-+')
-+
-+tunable_policy(`mock_enable_homedirs && use_nfs_home_dirs',`
-+ rpc_search_nfs_state_data(mock_t)
-+ fs_list_auto_mountpoints(mock_t)
-+ fs_manage_nfs_files(mock_t)
-+')
-+
-+tunable_policy(`mock_enable_homedirs && use_samba_home_dirs',`
-+ fs_list_auto_mountpoints(mock_t)
-+ fs_read_cifs_files(mock_t)
-+ fs_manage_cifs_files(mock_t)
-+')
-+
-+optional_policy(`
-+ abrt_read_spool_retrace(mock_t)
-+ abrt_read_cache_retrace(mock_t)
-+ abrt_stream_connect(mock_t)
-+')
-+
-+optional_policy(`
-+ rpm_exec(mock_t)
-+')
-+
-+optional_policy(`
-+ mount_exec(mock_t)
-+')
-+
-+optional_policy(`
-+ apache_read_sys_content_rw_files(mock_t)
-+')
-+
-+########################################
-+#
-+# mock_build local policy
-+#
-+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
-+dontaudit mock_build_t self:capability audit_write;
-+allow mock_build_t self:process { fork setsched setpgid signal_perms };
-+allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
-+# Needed because mock can run java and mono withing build environment
-+allow mock_build_t self:process { execmem execstack };
-+dontaudit mock_build_t self:process { siginh noatsecure rlimitinh };
-+allow mock_build_t self:fifo_file manage_fifo_file_perms;
-+allow mock_build_t self:unix_stream_socket create_stream_socket_perms;
-+allow mock_build_t self:unix_dgram_socket create_socket_perms;
-+allow mock_build_t self:dir list_dir_perms;
-+allow mock_build_t self:dir read_file_perms;
-+
-+ps_process_pattern(mock_t, mock_build_t)
-+allow mock_t mock_build_t:process signal_perms;
-+domtrans_pattern(mock_t, mock_build_exec_t, mock_build_t)
-+domtrans_pattern(mock_t, mock_tmp_t, mock_build_t)
-+domain_entry_file(mock_build_t, mock_tmp_t)
-+domtrans_pattern(mock_t, mock_var_lib_t, mock_build_t)
-+domain_entry_file(mock_build_t, mock_var_lib_t)
-+
-+manage_dirs_pattern(mock_build_t, mock_cache_t, mock_cache_t)
-+manage_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
-+manage_lnk_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
-+files_var_filetrans(mock_build_t, mock_cache_t, { dir file } )
-+
-+manage_dirs_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
-+manage_files_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
-+files_tmp_filetrans(mock_build_t, mock_tmp_t, { dir file })
-+can_exec(mock_build_t, mock_tmp_t)
-+
-+manage_dirs_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
-+manage_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
-+manage_lnk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
-+manage_blk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
-+manage_chr_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
-+files_var_lib_filetrans(mock_build_t, mock_var_lib_t, { dir file })
-+can_exec(mock_build_t, mock_var_lib_t)
-+allow mock_build_t mock_var_lib_t:dir mounton;
-+allow mock_build_t mock_var_lib_t:dir relabel_dir_perms;
-+allow mock_build_t mock_var_lib_t:file relabel_file_perms;
-+
-+kernel_list_proc(mock_build_t)
-+kernel_read_irq_sysctls(mock_build_t)
-+kernel_read_system_state(mock_build_t)
-+kernel_read_network_state(mock_build_t)
-+kernel_read_kernel_sysctls(mock_build_t)
-+kernel_request_load_module(mock_build_t)
-+kernel_dontaudit_setattr_proc_dirs(mock_build_t)
-+
-+corecmd_exec_bin(mock_build_t)
-+corecmd_exec_shell(mock_build_t)
-+corecmd_dontaudit_exec_all_executables(mock_build_t)
-+
-+dev_getattr_all_chr_files(mock_build_t)
-+dev_dontaudit_list_all_dev_nodes(mock_build_t)
-+dev_dontaudit_getattr_all(mock_build_t)
-+fs_getattr_all_dirs(mock_build_t)
-+dev_read_sysfs(mock_build_t)
-+
-+domain_dontaudit_read_all_domains_state(mock_build_t)
-+domain_use_interactive_fds(mock_build_t)
-+
-+files_read_usr_files(mock_build_t)
-+files_dontaudit_list_boot(mock_build_t)
-+
-+fs_getattr_all_fs(mock_build_t)
-+fs_manage_cgroup_dirs(mock_build_t)
-+
-+selinux_get_enforce_mode(mock_build_t)
-+
-+auth_use_nsswitch(mock_build_t)
-+
-+init_exec(mock_build_t)
-+init_dontaudit_stream_connect(mock_build_t)
-+
-+libs_exec_ldconfig(mock_build_t)
-+
-+tunable_policy(`mock_enable_homedirs',`
-+ userdom_read_user_home_content_files(mock_build_t)
-+')
-diff --git a/modemmanager.te b/modemmanager.te
-index b3ace16..41f9aa5 100644
---- a/modemmanager.te
-+++ b/modemmanager.te
-@@ -7,7 +7,7 @@ policy_module(modemmanager, 1.1.0)
-
- type modemmanager_t;
- type modemmanager_exec_t;
--dbus_system_domain(modemmanager_t, modemmanager_exec_t)
-+init_daemon_domain(modemmanager_t, modemmanager_exec_t)
- typealias modemmanager_t alias ModemManager_t;
- typealias modemmanager_exec_t alias ModemManager_exec_t;
-
-@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
- # ModemManager local policy
- #
-
--allow modemmanager_t self:process signal;
-+allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
-+allow modemmanager_t self:process { getsched signal };
- allow modemmanager_t self:fifo_file rw_file_perms;
- allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
- allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -28,13 +29,29 @@ dev_rw_modem(modemmanager_t)
-
- files_read_etc_files(modemmanager_t)
-
--term_use_unallocated_ttys(modemmanager_t)
-+term_use_generic_ptys(modemmanager_t)
-+term_use_unallocated_ttys(modemmanager_t) # this should be reproduced, might have been mislabelled usbtty_device_t
-+term_use_usb_ttys(modemmanager_t)
-
--miscfiles_read_localization(modemmanager_t)
-+xserver_read_state_xdm(modemmanager_t)
-
- logging_send_syslog_msg(modemmanager_t)
-
--networkmanager_dbus_chat(modemmanager_t)
-+optional_policy(`
-+ dbus_system_domain(modemmanager_t, modemmanager_exec_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_dbus_chat(modemmanager_t)
-+')
-+
-+optional_policy(`
-+ devicekit_dbus_chat_power(modemmanager_t)
-+')
-+
-+optional_policy(`
-+ policykit_dbus_chat(modemmanager_t)
-+')
-
- optional_policy(`
- udev_read_db(modemmanager_t)
-diff --git a/mojomojo.if b/mojomojo.if
-index 657a9fc..7022903 100644
---- a/mojomojo.if
-+++ b/mojomojo.if
-@@ -10,27 +10,26 @@
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Role allowed access.
--##
--##
--##
- #
- interface(`mojomojo_admin',`
- gen_require(`
-- type httpd_mojomojo_script_t;
-- type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
-- type httpd_mojomojo_rw_content_t;
-- type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t;
-+ type httpd_mojomojo_script_t, httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
-+ type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t, httpd_mojomojo_htaccess_t;
-+ type httpd_mojomojo_script_exec_t, httpd_mojomo_script_t;
- ')
-
-- allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
-+ allow $1 httpd_mojomojo_script_t:process signal_perms;
- ps_process_pattern($1, httpd_mojomojo_script_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 httpd_mojomo_script_t:process ptrace;
-+ ')
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, httpd_mojomojo_tmp_t)
-
-- files_search_var_lib(httpd_mojomojo_script_t)
-+ files_list_var_lib(httpd_mojomojo_script_t)
-
-- apache_search_sys_content($1)
-+ apache_list_sys_content($1)
- admin_pattern($1, httpd_mojomojo_script_exec_t)
- admin_pattern($1, httpd_mojomojo_script_t)
- admin_pattern($1, httpd_mojomojo_content_t)
-diff --git a/mojomojo.te b/mojomojo.te
-index 83f002c..d09878d 100644
---- a/mojomojo.te
-+++ b/mojomojo.te
-@@ -5,32 +5,42 @@ policy_module(mojomojo, 1.0.0)
- # Declarations
- #
-
--apache_content_template(mojomojo)
-+
-+type httpd_mojomojo_tmp_t;
-+files_tmp_file(httpd_mojomojo_tmp_t)
-
- ########################################
- #
- # mojomojo local policy
- #
-
--allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
-+optional_policy(`
-+ apache_content_template(mojomojo)
-
--corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
--corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
--corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
--corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
--corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
--corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
-+ allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
-
--files_search_var_lib(httpd_mojomojo_script_t)
-+ manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
-+ manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
-+ files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
-
--sysnet_dns_name_resolve(httpd_mojomojo_script_t)
-+ corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
-+ corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
-+ corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
-+ corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
-+ corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
-+ corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
-
--mta_send_mail(httpd_mojomojo_script_t)
-+ files_search_var_lib(httpd_mojomojo_script_t)
-
--optional_policy(`
-- mysql_stream_connect(httpd_mojomojo_script_t)
--')
-+ sysnet_dns_name_resolve(httpd_mojomojo_script_t)
-
--optional_policy(`
-- postgresql_stream_connect(httpd_mojomojo_script_t)
-+ mta_send_mail(httpd_mojomojo_script_t)
-+
-+ optional_policy(`
-+ mysql_stream_connect(httpd_mojomojo_script_t)
-+ ')
-+
-+ optional_policy(`
-+ postgresql_stream_connect(httpd_mojomojo_script_t)
-+ ')
- ')
-diff --git a/mono.te b/mono.te
-index dff0f12..ecab36d 100644
---- a/mono.te
-+++ b/mono.te
-@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
- # Local policy
- #
-
--allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
-+allow mono_t self:process { signal getsched execheap execmem execstack };
-
- init_dbus_chat_script(mono_t)
-
-diff --git a/monop.te b/monop.te
-index 6647a35..f3b35e1 100644
---- a/monop.te
-+++ b/monop.te
-@@ -42,7 +42,6 @@ kernel_read_kernel_sysctls(monopd_t)
- kernel_list_proc(monopd_t)
- kernel_read_proc_symlinks(monopd_t)
-
--corenet_all_recvfrom_unlabeled(monopd_t)
- corenet_all_recvfrom_netlabel(monopd_t)
- corenet_tcp_sendrecv_generic_if(monopd_t)
- corenet_udp_sendrecv_generic_if(monopd_t)
-@@ -65,8 +64,6 @@ fs_search_auto_mountpoints(monopd_t)
-
- logging_send_syslog_msg(monopd_t)
-
--miscfiles_read_localization(monopd_t)
--
- sysnet_read_config(monopd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(monopd_t)
-diff --git a/mozilla.fc b/mozilla.fc
-index 3a73e74..60e7237 100644
---- a/mozilla.fc
-+++ b/mozilla.fc
-@@ -2,8 +2,17 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0
- HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
- HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
- HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
- HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
- HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-
- #
- # /bin
-@@ -16,6 +25,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
- /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
- /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-
-+ifdef(`distro_redhat',`
-+/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-+/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-+')
-+
- ifdef(`distro_debian',`
- /usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
- ')
-@@ -23,11 +38,20 @@ ifdef(`distro_debian',`
- #
- # /lib
- #
--/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+
-+/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
- /usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
- /usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+
-+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-+
-+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
-+
-+ifdef(`distro_redhat',`
-+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
-+')
-diff --git a/mozilla.if b/mozilla.if
-index b397fde..17b14ad 100644
---- a/mozilla.if
-+++ b/mozilla.if
-@@ -18,10 +18,11 @@
- interface(`mozilla_role',`
- gen_require(`
- type mozilla_t, mozilla_exec_t, mozilla_home_t;
-- attribute_role mozilla_roles;
-+ #attribute_role mozilla_roles;
- ')
-
-- roleattribute $1 mozilla_roles;
-+ #roleattribute $1 mozilla_roles;
-+ role $1 types mozilla_t;
-
- domain_auto_trans($2, mozilla_exec_t, mozilla_t)
- # Unrestricted inheritance from the caller.
-@@ -47,7 +48,24 @@ interface(`mozilla_role',`
- relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
- relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
-
-+ #should be remove then with adding of roleattribute
-+ mozilla_run_plugin(mozilla_t, $1)
- mozilla_dbus_chat($2)
-+
-+ userdom_manage_tmp_role($1, mozilla_t)
-+
-+ optional_policy(`
-+ nsplugin_role($1, mozilla_t)
-+ ')
-+
-+ optional_policy(`
-+ pulseaudio_role($1, mozilla_t)
-+ pulseaudio_filetrans_admin_home_content(mozilla_t)
-+ pulseaudio_filetrans_home_content(mozilla_t)
-+ ')
-+
-+ mozilla_filetrans_home_content($2)
-+
- ')
-
- ########################################
-@@ -105,7 +123,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
- type mozilla_home_t;
- ')
-
-- dontaudit $1 mozilla_home_t:file rw_file_perms;
-+ dontaudit $1 mozilla_home_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -193,11 +211,38 @@ interface(`mozilla_domtrans',`
- #
- interface(`mozilla_domtrans_plugin',`
- gen_require(`
-- type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t;
-+ type mozilla_plugin_t, mozilla_plugin_exec_t;
-+ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
-+ type mozilla_plugin_rw_t;
- class dbus send_msg;
- ')
-
- domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
-+ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
-+ allow mozilla_plugin_t $1:process signull;
-+ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
-+ allow $1 mozilla_plugin_t:fd use;
-+
-+ #tunable_policy(`deny_ptrace',`',`
-+ # allow $1 mozilla_plugin_t:process ptrace;
-+ #')
-+
-+ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
-+ allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
-+ allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
-+ allow mozilla_plugin_t $1:sem create_sem_perms;
-+
-+ ps_process_pattern($1, mozilla_plugin_t)
-+ allow $1 mozilla_plugin_t:process signal_perms;
-+
-+ list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+ can_exec($1, mozilla_plugin_rw_t)
-+
-+ allow $1 mozilla_plugin_t:dbus send_msg;
-+ allow mozilla_plugin_t $1:dbus send_msg;
-+
- allow mozilla_plugin_t $1:process signull;
- ')
-
-@@ -224,6 +269,32 @@ interface(`mozilla_run_plugin',`
-
- mozilla_domtrans_plugin($1)
- role $2 types mozilla_plugin_t;
-+ role $2 types mozilla_plugin_config_t;
-+')
-+
-+#######################################
-+##
-+## Execute qemu unconfined programs in the role.
-+##
-+##
-+##
-+## The role to allow the mozilla_plugin domain.
-+##
-+##
-+##
-+#
-+interface(`mozilla_role_plugin',`
-+ gen_require(`
-+ type mozilla_plugin_t;
-+ type mozilla_plugin_config_t;
-+ ')
-+
-+ role $1 types mozilla_plugin_t;
-+ role $1 types mozilla_plugin_config_t;
-+
-+ optional_policy(`
-+ lpd_run_lpr(mozilla_plugin_t, $1)
-+ ')
- ')
-
- ########################################
-@@ -265,9 +336,27 @@ interface(`mozilla_rw_tcp_sockets',`
- allow $1 mozilla_t:tcp_socket rw_socket_perms;
- ')
-
-+#######################################
-+##
-+## Read mozilla_plugin tmpfs files
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`mozilla_plugin_read_tmpfs_files',`
-+ gen_require(`
-+ type mozilla_plugin_tmpfs_t;
-+ ')
-+
-+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
-+')
-+
- ########################################
- ##
--## Read mozilla_plugin tmpfs files
-+## Delete mozilla_plugin tmpfs files
- ##
- ##
- ##
-@@ -275,28 +364,118 @@ interface(`mozilla_rw_tcp_sockets',`
- ##
- ##
- #
--interface(`mozilla_plugin_read_tmpfs_files',`
-+interface(`mozilla_plugin_delete_tmpfs_files',`
- gen_require(`
- type mozilla_plugin_tmpfs_t;
- ')
-
-- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
-+ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
- ')
-
- ########################################
- ##
--## Delete mozilla_plugin tmpfs files
-+## Dontaudit read/write to a mozilla_plugin leaks
- ##
- ##
- ##
--## Domain allowed access
-+## Domain to not audit.
- ##
- ##
- #
--interface(`mozilla_plugin_delete_tmpfs_files',`
-+interface(`mozilla_plugin_dontaudit_leaks',`
- gen_require(`
-- type mozilla_plugin_tmpfs_t;
-+ type mozilla_plugin_t;
-+ ')
-+
-+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
-+')
-+
-+#######################################
-+##
-+## Dontaudit read/write to a mozilla_plugin tmp files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`mozilla_plugin_dontaudit_rw_tmp_files',`
-+ gen_require(`
-+ type mozilla_plugin_tmp_t;
-+ ')
-+
-+ dontaudit $1 mozilla_plugin_tmp_t:file { read write };
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## mozilla_plugin rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mozilla_plugin_manage_rw_files',`
-+ gen_require(`
-+ type mozilla_plugin_rw_t;
-+ ')
-+
-+ allow $1 mozilla_plugin_rw_t:file manage_file_perms;
-+ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
-+')
-+
-+########################################
-+##
-+## read mozilla_plugin rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mozilla_plugin_read_rw_files',`
-+ gen_require(`
-+ type mozilla_plugin_rw_t;
- ')
-
-- allow $1 mozilla_plugin_tmpfs_t:file unlink;
-+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
- ')
-+
-+########################################
-+##
-+## Create mozilla content in the user home directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mozilla_filetrans_home_content',`
-+
-+ gen_require(`
-+ type mozilla_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
-+')
-+
-diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..907ff48 100644
---- a/mozilla.te
-+++ b/mozilla.te
-@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
-
- ##
- ##
-+## Allow mozilla plugin domain to connect to the network using TCP.
-+##
-+##
-+gen_tunable(mozilla_plugin_can_network_connect, false)
-+
-+##
-+##
- ## Allow confined web browsers to read home directory content
- ##
- ##
- gen_tunable(mozilla_read_content, false)
-
--attribute_role mozilla_roles;
-+##
-+##
-+## Allow mozilla_plugins to create random content in the users home directory
-+##
-+##
-+gen_tunable(mozilla_plugin_enable_homedirs, false)
-+
-+#attribute_role mozilla_roles;
-
- type mozilla_t;
- type mozilla_exec_t;
- typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
- typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
- userdom_user_application_domain(mozilla_t, mozilla_exec_t)
--role mozilla_roles types mozilla_t;
-+#role mozilla_roles types mozilla_t;
-+role system_r types mozilla_t;
-
- type mozilla_conf_t;
- files_config_file(mozilla_conf_t)
-@@ -32,14 +47,26 @@ userdom_user_home_content(mozilla_home_t)
- type mozilla_plugin_t;
- type mozilla_plugin_exec_t;
- application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
--role mozilla_roles types mozilla_plugin_t;
-+#role mozilla_roles types mozilla_plugin_t;
-+role system_r types mozilla_plugin_t;
-
- type mozilla_plugin_tmp_t;
-+userdom_user_tmp_content(mozilla_plugin_tmp_t)
- userdom_user_tmp_file(mozilla_plugin_tmp_t)
-
- type mozilla_plugin_tmpfs_t;
-+userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
- userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
-
-+type mozilla_plugin_rw_t;
-+files_type(mozilla_plugin_rw_t)
-+
-+type mozilla_plugin_config_t;
-+type mozilla_plugin_config_exec_t;
-+application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
-+#role mozilla_roles types mozilla_plugin_config_t;
-+role system_r types mozilla_plugin_config_t;
-+
- type mozilla_tmp_t;
- userdom_user_tmp_file(mozilla_tmp_t)
-
-@@ -100,7 +127,6 @@ corecmd_exec_shell(mozilla_t)
- corecmd_exec_bin(mozilla_t)
-
- # Browse the web, connect to printer
--corenet_all_recvfrom_unlabeled(mozilla_t)
- corenet_all_recvfrom_netlabel(mozilla_t)
- corenet_tcp_sendrecv_generic_if(mozilla_t)
- corenet_raw_sendrecv_generic_if(mozilla_t)
-@@ -110,6 +136,7 @@ corenet_tcp_sendrecv_http_port(mozilla_t)
- corenet_tcp_sendrecv_http_cache_port(mozilla_t)
- corenet_tcp_sendrecv_squid_port(mozilla_t)
- corenet_tcp_sendrecv_ftp_port(mozilla_t)
-+corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
- corenet_tcp_sendrecv_ipp_port(mozilla_t)
- corenet_tcp_connect_http_port(mozilla_t)
- corenet_tcp_connect_http_cache_port(mozilla_t)
-@@ -140,7 +167,6 @@ domain_dontaudit_read_all_domains_state(mozilla_t)
-
- files_read_etc_runtime_files(mozilla_t)
- files_read_usr_files(mozilla_t)
--files_read_etc_files(mozilla_t)
- # /var/lib
- files_read_var_lib_files(mozilla_t)
- # interacting with gstreamer
-@@ -151,42 +177,34 @@ files_dontaudit_getattr_boot_dirs(mozilla_t)
- fs_dontaudit_getattr_all_fs(mozilla_t)
- fs_search_auto_mountpoints(mozilla_t)
- fs_list_inotifyfs(mozilla_t)
--fs_rw_tmpfs_files(mozilla_t)
-+fs_rw_inherited_tmpfs_files(mozilla_t)
-
- term_dontaudit_getattr_pty_dirs(mozilla_t)
-
-+auth_use_nsswitch(mozilla_t)
-+
- logging_send_syslog_msg(mozilla_t)
-
- miscfiles_read_fonts(mozilla_t)
--miscfiles_read_localization(mozilla_t)
- miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-
--# Browse the web, connect to printer
--sysnet_dns_name_resolve(mozilla_t)
--
--userdom_use_user_ptys(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
-
--mozilla_run_plugin(mozilla_t, mozilla_roles)
-+#mozilla_run_plugin(mozilla_t, mozilla_roles)
-
- xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
- xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
- xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
-
--tunable_policy(`allow_execmem',`
-- allow mozilla_t self:process { execmem execstack };
-+tunable_policy(`selinuxuser_execstack',`
-+ allow mozilla_t self:process execstack;
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(mozilla_t)
-- fs_manage_nfs_files(mozilla_t)
-- fs_manage_nfs_symlinks(mozilla_t)
-+tunable_policy(`deny_execmem',`',`
-+ allow mozilla_t self:process execmem;
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mozilla_t)
-- fs_manage_cifs_files(mozilla_t)
-- fs_manage_cifs_symlinks(mozilla_t)
--')
-+userdom_home_manager(mozilla_t)
-
- # Uploads, local html
- tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-@@ -263,6 +281,7 @@ optional_policy(`
- optional_policy(`
- gnome_stream_connect_gconf(mozilla_t)
- gnome_manage_config(mozilla_t)
-+ gnome_manage_gconf_home_files(mozilla_t)
- ')
-
- optional_policy(`
-@@ -283,7 +302,8 @@ optional_policy(`
- ')
-
- optional_policy(`
-- pulseaudio_role(mozilla_roles, mozilla_t)
-+ #pulseaudio_role(mozilla_roles, mozilla_t)
-+ pulseaudio_exec(mozilla_t)
- pulseaudio_stream_connect(mozilla_t)
- pulseaudio_manage_home_files(mozilla_t)
- ')
-@@ -297,65 +317,101 @@ optional_policy(`
- # mozilla_plugin local policy
- #
-
--dontaudit mozilla_plugin_t self:capability { sys_ptrace };
--allow mozilla_plugin_t self:process { setsched signal_perms execmem };
--allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
--allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
-+dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_tty_config };
-+
-+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit };
-+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
- allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
- allow mozilla_plugin_t self:udp_socket create_socket_perms;
--allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
- allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
-+
- allow mozilla_plugin_t self:sem create_sem_perms;
- allow mozilla_plugin_t self:shm create_shm_perms;
-+allow mozilla_plugin_t self:msgq create_msgq_perms;
-+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
-+allow mozilla_plugin_t self:unix_dgram_socket sendto;
-+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
-
- can_exec(mozilla_plugin_t, mozilla_home_t)
--read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-+manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-+mozilla_filetrans_home_content(mozilla_plugin_t)
-
- manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
- manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
-+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
- manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
--files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
--userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
-+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
-+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
-+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
-+xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
-+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
-
- manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
- manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
- manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
- manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
- fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
-+userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
-+
-+allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-
- can_exec(mozilla_plugin_t, mozilla_exec_t)
-
--kernel_read_kernel_sysctls(mozilla_plugin_t)
-+kernel_read_all_sysctls(mozilla_plugin_t)
- kernel_read_system_state(mozilla_plugin_t)
- kernel_read_network_state(mozilla_plugin_t)
- kernel_request_load_module(mozilla_plugin_t)
-+kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
-
- corecmd_exec_bin(mozilla_plugin_t)
- corecmd_exec_shell(mozilla_plugin_t)
-+corecmd_dontaudit_access_all_executables(mozilla_plugin_t)
-
--corenet_all_recvfrom_netlabel(mozilla_plugin_t)
--corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
--corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
--corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
-+corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
- corenet_tcp_connect_generic_port(mozilla_plugin_t)
--corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
-+corenet_tcp_connect_flash_port(mozilla_plugin_t)
-+corenet_tcp_connect_ftp_port(mozilla_plugin_t)
- corenet_tcp_connect_http_port(mozilla_plugin_t)
-+corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
- corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
--corenet_tcp_connect_squid_port(mozilla_plugin_t)
-+corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
- corenet_tcp_connect_ipp_port(mozilla_plugin_t)
-+corenet_tcp_connect_ircd_port(mozilla_plugin_t)
-+corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
- corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
-+corenet_tcp_connect_msnp_port(mozilla_plugin_t)
-+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
- corenet_tcp_connect_speech_port(mozilla_plugin_t)
-+corenet_tcp_connect_squid_port(mozilla_plugin_t)
-+corenet_tcp_connect_streaming_port(mozilla_plugin_t)
-+corenet_tcp_connect_soundd_port(mozilla_plugin_t)
-+corenet_tcp_connect_tor_socks_port(mozilla_plugin_t)
-+corenet_tcp_connect_vnc_port(mozilla_plugin_t)
-+corenet_tcp_connect_commplex_port(mozilla_plugin_t)
-+corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
-+corenet_tcp_connect_monopd_port(mozilla_plugin_t)
-+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
-+corenet_tcp_bind_generic_node(mozilla_plugin_t)
-+corenet_udp_bind_generic_node(mozilla_plugin_t)
-+corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
-
- dev_read_rand(mozilla_plugin_t)
- dev_read_urand(mozilla_plugin_t)
-+dev_read_generic_usb_dev(mozilla_plugin_t)
- dev_read_video_dev(mozilla_plugin_t)
- dev_write_video_dev(mozilla_plugin_t)
-+dev_read_realtime_clock(mozilla_plugin_t)
- dev_read_sysfs(mozilla_plugin_t)
- dev_read_sound(mozilla_plugin_t)
- dev_write_sound(mozilla_plugin_t)
- # for nvidia driver
- dev_rw_xserver_misc(mozilla_plugin_t)
- dev_dontaudit_rw_dri(mozilla_plugin_t)
-+dev_dontaudit_getattr_all(mozilla_plugin_t)
-
- domain_use_interactive_fds(mozilla_plugin_t)
- domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,55 +419,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
- files_read_config_files(mozilla_plugin_t)
- files_read_usr_files(mozilla_plugin_t)
- files_list_mnt(mozilla_plugin_t)
-+files_exec_usr_files(mozilla_plugin_t)
-+fs_rw_inherited_tmpfs_files(mozilla_plugin_t)
-
- fs_getattr_all_fs(mozilla_plugin_t)
- fs_list_dos(mozilla_plugin_t)
--fs_read_dos_files(mozilla_plugin_t)
-+fs_read_noxattr_fs_files(mozilla_plugin_t)
-+fs_read_hugetlbfs_files(mozilla_plugin_t)
-
-+application_exec(mozilla_plugin_t)
- application_dontaudit_signull(mozilla_plugin_t)
-
- auth_use_nsswitch(mozilla_plugin_t)
-
-+init_dontaudit_getattr_initctl(mozilla_plugin_t)
-+init_read_all_script_files(mozilla_plugin_t)
-+
-+libs_exec_ld_so(mozilla_plugin_t)
-+libs_exec_lib_files(mozilla_plugin_t)
-+
- logging_send_syslog_msg(mozilla_plugin_t)
-
--miscfiles_read_localization(mozilla_plugin_t)
- miscfiles_read_fonts(mozilla_plugin_t)
- miscfiles_read_generic_certs(mozilla_plugin_t)
- miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
- miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
-
--sysnet_dns_name_resolve(mozilla_plugin_t)
--
- term_getattr_all_ttys(mozilla_plugin_t)
- term_getattr_all_ptys(mozilla_plugin_t)
-+term_getattr_ptmx(mozilla_plugin_t)
-
-+userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
- userdom_rw_user_tmpfs_files(mozilla_plugin_t)
-+userdom_delete_user_tmpfs_files(mozilla_plugin_t)
- userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
- userdom_manage_user_tmp_sockets(mozilla_plugin_t)
- userdom_manage_user_tmp_dirs(mozilla_plugin_t)
--userdom_read_user_tmp_files(mozilla_plugin_t)
-+userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)
-+userdom_delete_user_tmp_files(mozilla_plugin_t)
-+userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t)
-+userdom_manage_home_certs(mozilla_plugin_t)
- userdom_read_user_tmp_symlinks(mozilla_plugin_t)
-+userdom_stream_connect(mozilla_plugin_t)
-+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
-+
- userdom_read_user_home_content_files(mozilla_plugin_t)
- userdom_read_user_home_content_symlinks(mozilla_plugin_t)
-+userdom_read_home_certs(mozilla_plugin_t)
-+userdom_read_home_audio_files(mozilla_plugin_t)
-
--tunable_policy(`allow_execmem',`
-- allow mozilla_plugin_t self:process { execmem execstack };
--')
--
--tunable_policy(`allow_execstack',`
-- allow mozilla_plugin_t self:process { execstack };
--')
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(mozilla_plugin_t)
-- fs_manage_nfs_files(mozilla_plugin_t)
-- fs_manage_nfs_symlinks(mozilla_plugin_t)
--')
-+userdom_home_manager(mozilla_plugin_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mozilla_plugin_t)
-- fs_manage_cifs_files(mozilla_plugin_t)
-- fs_manage_cifs_symlinks(mozilla_plugin_t)
-+tunable_policy(`mozilla_plugin_can_network_connect',`
-+ corenet_tcp_connect_all_ports(mozilla_plugin_t)
- ')
-
- optional_policy(`
-@@ -422,24 +482,39 @@ optional_policy(`
- optional_policy(`
- dbus_system_bus_client(mozilla_plugin_t)
- dbus_session_bus_client(mozilla_plugin_t)
-+ dbus_connect_session_bus(mozilla_plugin_t)
- dbus_read_lib_files(mozilla_plugin_t)
- ')
-
- optional_policy(`
-+ git_dontaudit_read_session_content_files(mozilla_plugin_t)
-+')
-+
-+
-+optional_policy(`
- gnome_manage_config(mozilla_plugin_t)
-+ gnome_read_usr_config(mozilla_plugin_t)
-+ gnome_filetrans_home_content(mozilla_plugin_t)
-+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
- ')
-
- optional_policy(`
-- java_exec(mozilla_plugin_t)
-+ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
- ')
-
- optional_policy(`
-- mplayer_exec(mozilla_plugin_t)
-- mplayer_read_user_home_files(mozilla_plugin_t)
-+ java_exec(mozilla_plugin_t)
- ')
-
-+#optional_policy(`
-+# lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
-+#')
-+
- optional_policy(`
-- pcscd_stream_connect(mozilla_plugin_t)
-+ mplayer_exec(mozilla_plugin_t)
-+ mplayer_filetrans_home_content(mozilla_plugin_t)
-+ mplayer_manage_user_home_dirs(mozilla_plugin_t)
-+ mplayer_manage_user_home_files(mozilla_plugin_t)
- ')
-
- optional_policy(`
-@@ -447,10 +522,115 @@ optional_policy(`
- pulseaudio_stream_connect(mozilla_plugin_t)
- pulseaudio_setattr_home_dir(mozilla_plugin_t)
- pulseaudio_manage_home_files(mozilla_plugin_t)
-+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
-+ pcscd_stream_connect(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
-+ rtkit_scheduled(mozilla_plugin_t)
- ')
-
- optional_policy(`
-+ udev_read_db(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
-+ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
-+ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
- xserver_read_xdm_pid(mozilla_plugin_t)
- xserver_stream_connect(mozilla_plugin_t)
- xserver_use_user_fonts(mozilla_plugin_t)
-+ xserver_read_user_iceauth(mozilla_plugin_t)
-+ xserver_read_user_xauth(mozilla_plugin_t)
-+ xserver_append_xdm_home_files(mozilla_plugin_t)
-+ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
-+')
-+
-+########################################
-+#
-+# mozilla_plugin_config local policy
-+#
-+
-+allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
-+
-+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
-+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-+
-+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
-+
-+dev_search_sysfs(mozilla_plugin_config_t)
-+dev_read_urand(mozilla_plugin_config_t)
-+dev_dontaudit_read_rand(mozilla_plugin_config_t)
-+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
-+
-+fs_search_auto_mountpoints(mozilla_plugin_config_t)
-+fs_list_inotifyfs(mozilla_plugin_config_t)
-+
-+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
-+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+
-+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
-+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
-+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
-+
-+corecmd_exec_bin(mozilla_plugin_config_t)
-+corecmd_exec_shell(mozilla_plugin_config_t)
-+
-+kernel_read_system_state(mozilla_plugin_config_t)
-+kernel_request_load_module(mozilla_plugin_config_t)
-+
-+domain_use_interactive_fds(mozilla_plugin_config_t)
-+
-+files_read_usr_files(mozilla_plugin_config_t)
-+files_dontaudit_search_home(mozilla_plugin_config_t)
-+files_list_tmp(mozilla_plugin_config_t)
-+
-+fs_getattr_all_fs(mozilla_plugin_config_t)
-+
-+auth_use_nsswitch(mozilla_plugin_config_t)
-+
-+miscfiles_read_fonts(mozilla_plugin_config_t)
-+
-+userdom_search_user_home_content(mozilla_plugin_config_t)
-+userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
-+userdom_read_user_home_content_files(mozilla_plugin_config_t)
-+userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
-+userdom_use_inherited_user_ptys(mozilla_plugin_config_t)
-+userdom_dontaudit_use_user_terminals(mozilla_plugin_config_t)
-+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t)
-+userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t)
-+userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t)
-+
-+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
-+
-+optional_policy(`
-+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
-+')
-+
-+optional_policy(`
-+ xserver_use_user_fonts(mozilla_plugin_config_t)
-+')
-+
-+ifdef(`distro_redhat',`
-+ typealias mozilla_plugin_t alias nsplugin_t;
-+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
-+ typealias mozilla_plugin_rw_t alias nsplugin_rw_t;
-+ typealias mozilla_plugin_tmp_t alias nsplugin_tmp_t;
-+ typealias mozilla_home_t alias nsplugin_home_t;
-+ typealias mozilla_plugin_config_t alias nsplugin_config_t;
-+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
-+')
-+
-+tunable_policy(`mozilla_plugin_enable_homedirs',`
-+ userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
-+')
-+
-+tunable_policy(`selinuxuser_execmod',`
-+ userdom_execmod_user_home_files(mozilla_plugin_t)
- ')
-diff --git a/mpd.fc b/mpd.fc
-index ddc14d6..c74bf3d 100644
---- a/mpd.fc
-+++ b/mpd.fc
-@@ -6,3 +6,5 @@
- /var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0)
- /var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
- /var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
-+
-+/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0)
-diff --git a/mpd.if b/mpd.if
-index d72276f..cb8c563 100644
---- a/mpd.if
-+++ b/mpd.if
-@@ -244,8 +244,11 @@ interface(`mpd_admin',`
- type mpd_tmpfs_t;
- ')
-
-- allow $1 mpd_t:process { ptrace signal_perms };
-+ allow $1 mpd_t:process signal_perms;
- ps_process_pattern($1, mpd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 mpd_t:process ptrace;
-+ ')
-
- mpd_initrc_domtrans($1)
- domain_system_change_exemption($1)
-diff --git a/mpd.te b/mpd.te
-index 7f68872..d92aaa8 100644
---- a/mpd.te
-+++ b/mpd.te
-@@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
- allow mpd_t self:tcp_socket create_stream_socket_perms;
- allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
-+
-+read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
-
- manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
- manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
-@@ -51,6 +54,10 @@ manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
-
- read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
-
-+manage_dirs_pattern(mpd_t, mpd_log_t, mpd_log_t)
-+manage_files_pattern(mpd_t, mpd_log_t, mpd_log_t)
-+logging_log_filetrans(mpd_t, mpd_log_t, { dir file lnk_file })
-+
- manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
- manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
- manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
-@@ -72,7 +79,6 @@ kernel_read_kernel_sysctls(mpd_t)
-
- corecmd_exec_bin(mpd_t)
-
--corenet_all_recvfrom_unlabeled(mpd_t)
- corenet_all_recvfrom_netlabel(mpd_t)
- corenet_tcp_sendrecv_generic_if(mpd_t)
- corenet_tcp_sendrecv_generic_node(mpd_t)
-@@ -87,6 +93,7 @@ corenet_sendrecv_http_cache_client_packets(mpd_t)
- corenet_sendrecv_pulseaudio_client_packets(mpd_t)
- corenet_sendrecv_soundd_client_packets(mpd_t)
-
-+dev_read_urand(mpd_t)
- dev_read_sound(mpd_t)
- dev_write_sound(mpd_t)
- dev_read_sysfs(mpd_t)
-@@ -101,7 +108,9 @@ auth_use_nsswitch(mpd_t)
-
- logging_send_syslog_msg(mpd_t)
-
--miscfiles_read_localization(mpd_t)
-+userdom_read_home_audio_files(mpd_t)
-+userdom_read_user_tmpfs_files(mpd_t)
-+userdom_home_reader(mpd_t)
-
- optional_policy(`
- alsa_read_rw_config(mpd_t)
-@@ -122,5 +131,20 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ #needed by pulseaudio
-+ systemd_read_logind_sessions_files(mpd_t)
-+ systemd_login_read_pid_files(mpd_t)
-+')
-+
-+optional_policy(`
-+ rtkit_daemon_dontaudit_dbus_chat(mpd_t)
-+')
-+
-+optional_policy(`
- udev_read_db(mpd_t)
- ')
-+
-+optional_policy(`
-+ xserver_dontaudit_stream_connect(mpd_t)
-+ xserver_dontaudit_read_xdm_pid(mpd_t)
-+')
-diff --git a/mplayer.if b/mplayer.if
-index d8ea41d..87c7046 100644
---- a/mplayer.if
-+++ b/mplayer.if
-@@ -102,3 +102,96 @@ interface(`mplayer_read_user_home_files',`
- read_files_pattern($1, mplayer_home_t, mplayer_home_t)
- userdom_search_user_home_dirs($1)
- ')
-+
-+########################################
-+##
-+## Manage mplayer per user homedir
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mplayer_manage_user_home_dirs',`
-+ gen_require(`
-+ type mplayer_home_t;
-+ ')
-+
-+ manage_dirs_pattern($1, mplayer_home_t, mplayer_home_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+##
-+## Manage mplayer per user homedir
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mplayer_manage_user_home_files',`
-+ gen_require(`
-+ type mplayer_home_t;
-+ ')
-+
-+ manage_files_pattern($1, mplayer_home_t, mplayer_home_t)
-+ manage_lnk_files_pattern($1, mplayer_home_t, mplayer_home_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+##
-+## Transition to mplayer named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mplayer_filetrans_home_content',`
-+ gen_require(`
-+ type mplayer_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, mplayer_home_t, file, ".mplayer")
-+')
-+
-+########################################
-+##
-+## Execute mplayer_exec_t
-+## in the specified domain.
-+##
-+##
-+##
-+## Execute a mplayer_exec_t
-+## in the specified domain.
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`mplayer_exec_domtrans',`
-+ gen_require(`
-+ type mplayer_exec_t;
-+ ')
-+
-+ allow $2 mplayer_exec_t:file entrypoint;
-+ domtrans_pattern($1, mplayer_exec_t, $2)
-+')
-diff --git a/mplayer.te b/mplayer.te
-index 0cdea57..321a21a 100644
---- a/mplayer.te
-+++ b/mplayer.te
-@@ -10,7 +10,7 @@ policy_module(mplayer, 2.4.0)
- ## Allow mplayer executable stack
- ##
- ##
--gen_tunable(allow_mplayer_execstack, false)
-+gen_tunable(mplayer_execstack, false)
-
- type mencoder_t;
- type mencoder_exec_t;
-@@ -71,15 +71,15 @@ fs_search_auto_mountpoints(mencoder_t)
- # Access to DVD/CD/V4L
- storage_raw_read_removable_device(mencoder_t)
-
--miscfiles_read_localization(mencoder_t)
-
--userdom_use_user_terminals(mencoder_t)
-+userdom_use_inherited_user_terminals(mencoder_t)
- # Handle removable media, /tmp, and /home
- userdom_list_user_tmp(mencoder_t)
- userdom_read_user_tmp_files(mencoder_t)
- userdom_read_user_tmp_symlinks(mencoder_t)
- userdom_read_user_home_content_files(mencoder_t)
- userdom_read_user_home_content_symlinks(mencoder_t)
-+userdom_home_manager(mencoder_t)
-
- # Read content to encode
- ifndef(`enable_mls',`
-@@ -88,58 +88,18 @@ ifndef(`enable_mls',`
- fs_read_removable_symlinks(mencoder_t)
- ')
-
--tunable_policy(`allow_execmem',`
-+tunable_policy(`deny_execmem',`',`
- allow mencoder_t self:process execmem;
- ')
-
--tunable_policy(`allow_execmod',`
-+tunable_policy(`selinuxuser_execmod',`
- dev_execmod_zero(mencoder_t)
- ')
-
--tunable_policy(`allow_mplayer_execstack',`
-+tunable_policy(`mplayer_execstack',`
- allow mencoder_t self:process { execmem execstack };
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(mencoder_t)
-- fs_manage_nfs_files(mencoder_t)
-- fs_manage_nfs_symlinks(mencoder_t)
--
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mencoder_t)
-- fs_manage_cifs_files(mencoder_t)
-- fs_manage_cifs_symlinks(mencoder_t)
--
--')
--
--# Read content to encode
--tunable_policy(`use_nfs_home_dirs',`
-- fs_list_auto_mountpoints(mencoder_t)
-- files_list_home(mencoder_t)
-- fs_read_nfs_files(mencoder_t)
-- fs_read_nfs_symlinks(mencoder_t)
--
--',`
-- files_dontaudit_list_home(mencoder_t)
-- fs_dontaudit_list_auto_mountpoints(mencoder_t)
-- fs_dontaudit_read_nfs_files(mencoder_t)
-- fs_dontaudit_list_nfs(mencoder_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_list_auto_mountpoints(mencoder_t)
-- files_list_home(mencoder_t)
-- fs_read_cifs_files(mencoder_t)
-- fs_read_cifs_symlinks(mencoder_t)
--',`
-- files_dontaudit_list_home(mencoder_t)
-- fs_dontaudit_list_auto_mountpoints(mencoder_t)
-- fs_dontaudit_read_cifs_files(mencoder_t)
-- fs_dontaudit_list_cifs(mencoder_t)
--')
--
- ########################################
- #
- # mplayer local policy
-@@ -156,6 +116,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
- manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
- manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
- userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir)
-+userdom_search_user_home_dirs(mplayer_t)
-
- manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
- manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
-@@ -177,7 +138,6 @@ kernel_read_system_state(mplayer_t)
- kernel_read_kernel_sysctls(mplayer_t)
-
- corenet_all_recvfrom_netlabel(mplayer_t)
--corenet_all_recvfrom_unlabeled(mplayer_t)
- corenet_tcp_sendrecv_generic_if(mplayer_t)
- corenet_tcp_sendrecv_generic_node(mplayer_t)
- corenet_tcp_bind_generic_node(mplayer_t)
-@@ -206,7 +166,6 @@ domain_use_interactive_fds(mplayer_t)
- # Access to DVD/CD/V4L
- storage_raw_read_removable_device(mplayer_t)
-
--files_read_etc_files(mplayer_t)
- files_dontaudit_list_non_security(mplayer_t)
- files_dontaudit_getattr_non_security_files(mplayer_t)
- files_read_non_security_files(mplayer_t)
-@@ -222,10 +181,13 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
- fs_search_auto_mountpoints(mplayer_t)
- fs_list_inotifyfs(mplayer_t)
-
--miscfiles_read_localization(mplayer_t)
-+auth_use_nsswitch(mplayer_t)
-+
-+logging_send_syslog_msg(mplayer_t)
-+
- miscfiles_read_fonts(mplayer_t)
-
--userdom_use_user_terminals(mplayer_t)
-+userdom_use_inherited_user_terminals(mplayer_t)
- # Read media files
- userdom_list_user_tmp(mplayer_t)
- userdom_read_user_tmp_files(mplayer_t)
-@@ -233,6 +195,7 @@ userdom_read_user_tmp_symlinks(mplayer_t)
- userdom_read_user_home_content_files(mplayer_t)
- userdom_read_user_home_content_symlinks(mplayer_t)
- userdom_write_user_tmp_sockets(mplayer_t)
-+userdom_home_manager(mplayer_t)
-
- xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
-
-@@ -243,62 +206,31 @@ ifdef(`enable_mls',`',`
- fs_read_removable_symlinks(mplayer_t)
- ')
-
--tunable_policy(`allow_execmem',`
-+tunable_policy(`deny_execmem',`',`
- allow mplayer_t self:process execmem;
- ')
-
--tunable_policy(`allow_execmod',`
-+tunable_policy(`selinuxuser_execmod',`
- dev_execmod_zero(mplayer_t)
- ')
-
--tunable_policy(`allow_mplayer_execstack',`
-+tunable_policy(`mplayer_execstack',`
- allow mplayer_t self:process { execmem execstack };
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(mplayer_t)
-- fs_manage_nfs_files(mplayer_t)
-- fs_manage_nfs_symlinks(mplayer_t)
--')
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mplayer_t)
-- fs_manage_cifs_files(mplayer_t)
-- fs_manage_cifs_symlinks(mplayer_t)
--')
--
- # Legacy domain issues
--tunable_policy(`allow_mplayer_execstack',`
-+tunable_policy(`mplayer_execstack',`
- allow mplayer_t mplayer_tmpfs_t:file execute;
- ')
-
--# Read songs
--tunable_policy(`use_nfs_home_dirs',`
-- fs_list_auto_mountpoints(mplayer_t)
-- files_list_home(mplayer_t)
-- fs_read_nfs_files(mplayer_t)
-- fs_read_nfs_symlinks(mplayer_t)
--
--',`
-- files_dontaudit_list_home(mplayer_t)
-- fs_dontaudit_list_auto_mountpoints(mplayer_t)
-- fs_dontaudit_read_nfs_files(mplayer_t)
-- fs_dontaudit_list_nfs(mplayer_t)
--')
-+userdom_home_manager(mplayer_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_list_auto_mountpoints(mplayer_t)
-- files_list_home(mplayer_t)
-- fs_read_cifs_files(mplayer_t)
-- fs_read_cifs_symlinks(mplayer_t)
--',`
-- files_dontaudit_list_home(mplayer_t)
-- fs_dontaudit_list_auto_mountpoints(mplayer_t)
-- fs_dontaudit_read_cifs_files(mplayer_t)
-- fs_dontaudit_list_cifs(mplayer_t)
-+optional_policy(`
-+ alsa_read_rw_config(mplayer_t)
- ')
-
- optional_policy(`
-- alsa_read_rw_config(mplayer_t)
-+ gnome_setattr_config_dirs(mplayer_t)
- ')
-
- optional_policy(`
-diff --git a/mrtg.fc b/mrtg.fc
-index 37fb953..7e9773a 100644
---- a/mrtg.fc
-+++ b/mrtg.fc
-@@ -14,5 +14,6 @@
- #
- /var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0)
- /var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
-+/var/lock/mrtg-rrd(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
- /var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0)
- /var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0)
-diff --git a/mrtg.te b/mrtg.te
-index 0e19d80..c203717 100644
---- a/mrtg.te
-+++ b/mrtg.te
-@@ -43,9 +43,12 @@ read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
- dontaudit mrtg_t mrtg_etc_t:dir write;
- dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
-
-+manage_dirs_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
- manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
- manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
-+files_lock_filetrans(mrtg_t, mrtg_lock_t, { dir file })
-
-+manage_dirs_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
- manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
- logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })
-
-@@ -62,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t)
- corecmd_exec_bin(mrtg_t)
- corecmd_exec_shell(mrtg_t)
-
--corenet_all_recvfrom_unlabeled(mrtg_t)
- corenet_all_recvfrom_netlabel(mrtg_t)
- corenet_tcp_sendrecv_generic_if(mrtg_t)
- corenet_udp_sendrecv_generic_if(mrtg_t)
-@@ -88,7 +90,6 @@ files_getattr_tmp_dirs(mrtg_t)
- # for uptime
- files_read_etc_runtime_files(mrtg_t)
- # read config files
--files_read_etc_files(mrtg_t)
-
- fs_search_auto_mountpoints(mrtg_t)
- fs_getattr_xattr_fs(mrtg_t)
-@@ -108,13 +109,12 @@ libs_read_lib_files(mrtg_t)
-
- logging_send_syslog_msg(mrtg_t)
-
--miscfiles_read_localization(mrtg_t)
--
- selinux_dontaudit_getattr_dir(mrtg_t)
-
--userdom_use_user_terminals(mrtg_t)
-+userdom_use_inherited_user_terminals(mrtg_t)
- userdom_dontaudit_read_user_home_content_files(mrtg_t)
- userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
-+userdom_dontaudit_list_admin_dir(mrtg_t)
-
- netutils_domtrans_ping(mrtg_t)
-
-diff --git a/mta.fc b/mta.fc
-index afa18c8..2f102b2 100644
---- a/mta.fc
-+++ b/mta.fc
-@@ -1,30 +1,41 @@
--HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
-+HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
-+HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
-+HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
-+HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
-+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-
- /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
- /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
- /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
- /etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
--/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
--/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
-+/etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
- ifdef(`distro_redhat',`
- /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
- ')
-
--/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
-+/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
-+/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
-+/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
-+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-+
-+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
- /usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
--/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
--/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
--/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
--/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
--/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
- /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
-
- /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
- /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
--/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
-+/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
-+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
- /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
-diff --git a/mta.if b/mta.if
-index 4e2a5ba..0005ac0 100644
---- a/mta.if
-+++ b/mta.if
-@@ -37,6 +37,7 @@ interface(`mta_stub',`
- ## is the prefix for user_t).
- ##
- ##
-+##
- #
- template(`mta_base_mail_template',`
-
-@@ -56,92 +57,19 @@ template(`mta_base_mail_template',`
- type $1_mail_tmp_t;
- files_tmp_file($1_mail_tmp_t)
-
-- ##############################
-- #
-- # $1_mail_t local policy
-- #
--
-- allow $1_mail_t self:capability { setuid setgid chown };
-- allow $1_mail_t self:process { signal_perms setrlimit };
-- allow $1_mail_t self:tcp_socket create_socket_perms;
--
-- # re-exec itself
-- can_exec($1_mail_t, sendmail_exec_t)
-- allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
-+ manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
-+ manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
-+ files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
-
- kernel_read_system_state($1_mail_t)
-- kernel_read_kernel_sysctls($1_mail_t)
--
-- corenet_all_recvfrom_unlabeled($1_mail_t)
-- corenet_all_recvfrom_netlabel($1_mail_t)
-- corenet_tcp_sendrecv_generic_if($1_mail_t)
-- corenet_tcp_sendrecv_generic_node($1_mail_t)
-- corenet_tcp_sendrecv_all_ports($1_mail_t)
-- corenet_tcp_connect_all_ports($1_mail_t)
-- corenet_tcp_connect_smtp_port($1_mail_t)
-- corenet_sendrecv_smtp_client_packets($1_mail_t)
--
-- corecmd_exec_bin($1_mail_t)
--
-- files_read_etc_files($1_mail_t)
-- files_search_spool($1_mail_t)
-- # It wants to check for nscd
-- files_dontaudit_search_pids($1_mail_t)
-
- auth_use_nsswitch($1_mail_t)
-
-- init_dontaudit_rw_utmp($1_mail_t)
--
- logging_send_syslog_msg($1_mail_t)
-
-- miscfiles_read_localization($1_mail_t)
--
-- optional_policy(`
-- exim_read_log($1_mail_t)
-- exim_append_log($1_mail_t)
-- exim_manage_spool_files($1_mail_t)
-- ')
--
- optional_policy(`
- postfix_domtrans_user_mail_handler($1_mail_t)
- ')
--
-- optional_policy(`
-- procmail_exec($1_mail_t)
-- ')
--
-- optional_policy(`
-- qmail_domtrans_inject($1_mail_t)
-- ')
--
-- optional_policy(`
-- gen_require(`
-- type etc_mail_t, mail_spool_t, mqueue_spool_t;
-- ')
--
-- manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
-- manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
-- files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
--
-- allow $1_mail_t etc_mail_t:dir search_dir_perms;
--
-- # Write to /var/spool/mail and /var/spool/mqueue.
-- manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)
-- manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t)
--
-- # Check available space.
-- fs_getattr_xattr_fs($1_mail_t)
--
-- files_read_etc_runtime_files($1_mail_t)
--
-- # Write to /var/log/sendmail.st
-- sendmail_manage_log($1_mail_t)
-- sendmail_create_log($1_mail_t)
-- ')
--
-- optional_policy(`
-- uucp_manage_spool($1_mail_t)
-- ')
- ')
-
- ########################################
-@@ -169,11 +97,19 @@ interface(`mta_role',`
-
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, sendmail_exec_t, user_mail_t)
-- allow $2 sendmail_exec_t:lnk_file { getattr read };
-+ allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
-
- allow mta_user_agent $2:fd use;
- allow mta_user_agent $2:process sigchld;
-- allow mta_user_agent $2:fifo_file { read write };
-+ allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms;
-+
-+ optional_policy(`
-+ exim_run($2, $1)
-+ ')
-+
-+ optional_policy(`
-+ mailman_run(mta_user_agent, $1)
-+ ')
- ')
-
- ########################################
-@@ -220,6 +156,25 @@ interface(`mta_agent_executable',`
- application_executable_file($1)
- ')
-
-+######################################
-+##
-+## Dontaudit read and write an leaked file descriptors
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`mta_dontaudit_leaks_system_mail',`
-+ gen_require(`
-+ type system_mail_t;
-+ ')
-+
-+ dontaudit $1 system_mail_t:fifo_file write;
-+ dontaudit $1 system_mail_t:tcp_socket { read write };
-+')
-+
- ########################################
- ##
- ## Make the specified type by a system MTA.
-@@ -306,10 +261,15 @@ interface(`mta_mailserver_sender',`
- interface(`mta_mailserver_delivery',`
- gen_require(`
- attribute mailserver_delivery;
-- type mail_spool_t;
- ')
-
- typeattribute $1 mailserver_delivery;
-+
-+ userdom_home_manager($1)
-+
-+ optional_policy(`
-+ mta_rw_delivery_tcp_sockets($1)
-+ ')
- ')
-
- #######################################
-@@ -361,8 +321,7 @@ interface(`mta_send_mail',`
-
- allow mta_user_agent $1:fd use;
- allow mta_user_agent $1:process sigchld;
-- allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
--
-+ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
- dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
- ')
-
-@@ -393,12 +352,19 @@ interface(`mta_send_mail',`
- #
- interface(`mta_sendmail_domtrans',`
- gen_require(`
-- type sendmail_exec_t;
-+ attribute mta_exec_type;
-+ attribute mta_user_agent;
- ')
-
- files_search_usr($1)
-+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
- corecmd_read_bin_symlinks($1)
-- domain_auto_trans($1, sendmail_exec_t, $2)
-+
-+ allow $2 mta_exec_type:file entrypoint;
-+ domtrans_pattern($1, mta_exec_type, $2)
-+ allow mta_user_agent $1:fd use;
-+ allow mta_user_agent $1:process sigchld;
-+ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -411,7 +377,6 @@ interface(`mta_sendmail_domtrans',`
- ##
- ##
- #
--#
- interface(`mta_signal_system_mail',`
- gen_require(`
- type system_mail_t;
-@@ -422,6 +387,60 @@ interface(`mta_signal_system_mail',`
-
- ########################################
- ##
-+## Send all user mail client a signal
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mta_signal_user_agent',`
-+ gen_require(`
-+ attribute mta_user_agent;
-+ ')
-+
-+ allow $1 mta_user_agent:process signal;
-+')
-+
-+########################################
-+##
-+## Send all user mail client a kill signal
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mta_kill_user_agent',`
-+ gen_require(`
-+ attribute mta_user_agent;
-+ ')
-+
-+ allow $1 mta_user_agent:process sigkill;
-+')
-+
-+########################################
-+##
-+## Send system mail client a kill signal
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mta_kill_system_mail',`
-+ gen_require(`
-+ type system_mail_t;
-+ ')
-+
-+ allow $1 system_mail_t:process sigkill;
-+')
-+
-+########################################
-+##
- ## Execute sendmail in the caller domain.
- ##
- ##
-@@ -440,6 +459,26 @@ interface(`mta_sendmail_exec',`
-
- ########################################
- ##
-+## Check whether sendmail executable
-+## files are executable.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mta_sendmail_access_check',`
-+ gen_require(`
-+ type sendmail_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ allow $1 sendmail_exec_t:file { getattr_file_perms execute };
-+')
-+
-+########################################
-+##
- ## Read mail server configuration.
- ##
- ##
-@@ -481,6 +520,25 @@ interface(`mta_write_config',`
-
- ########################################
- ##
-+## Manage mail server configuration.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`mta_manage_config',`
-+ gen_require(`
-+ type etc_mail_t;
-+ ')
-+
-+ manage_files_pattern($1, etc_mail_t, etc_mail_t)
-+')
-+
-+########################################
-+##
- ## Read mail address aliases.
- ##
- ##
-@@ -496,6 +554,7 @@ interface(`mta_read_aliases',`
-
- files_search_etc($1)
- allow $1 etc_aliases_t:file read_file_perms;
-+ allow $1 etc_aliases_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -516,6 +575,9 @@ interface(`mta_manage_aliases',`
- files_search_etc($1)
- manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
- manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
-+ mta_etc_filetrans_aliases($1, "aliases")
-+ mta_etc_filetrans_aliases($1, "aliases.db")
-+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
- ')
-
- ########################################
-@@ -528,13 +590,18 @@ interface(`mta_manage_aliases',`
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
- interface(`mta_etc_filetrans_aliases',`
- gen_require(`
- type etc_aliases_t;
- ')
-
-- files_etc_filetrans($1, etc_aliases_t, file)
-+ files_etc_filetrans($1, etc_aliases_t, file, $2)
- ')
-
- ########################################
-@@ -554,7 +621,7 @@ interface(`mta_rw_aliases',`
- ')
-
- files_search_etc($1)
-- allow $1 etc_aliases_t:file { rw_file_perms setattr };
-+ allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
- ')
-
- #######################################
-@@ -576,6 +643,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
- dontaudit $1 mailserver_delivery:tcp_socket { read write };
- ')
-
-+######################################
-+##
-+## Allow attempts to read and write TCP
-+## sockets of mail delivery domains.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`mta_rw_delivery_tcp_sockets',`
-+ gen_require(`
-+ attribute mailserver_delivery;
-+ ')
-+
-+ allow $1 mailserver_delivery:tcp_socket { read write };
-+')
-+
- #######################################
- ##
- ## Connect to all mail servers over TCP. (Deprecated)
-@@ -648,8 +734,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
-
- files_dontaudit_search_spool($1)
- dontaudit $1 mail_spool_t:dir search_dir_perms;
-- dontaudit $1 mail_spool_t:lnk_file read;
-- dontaudit $1 mail_spool_t:file getattr;
-+ dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 mail_spool_t:file getattr_file_perms;
- ')
-
- #######################################
-@@ -672,6 +758,11 @@ interface(`mta_dontaudit_getattr_spool_files',`
- ## The object class of the object being created.
- ##
- ##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
- interface(`mta_spool_filetrans',`
- gen_require(`
-@@ -679,7 +770,26 @@ interface(`mta_spool_filetrans',`
- ')
-
- files_search_spool($1)
-- filetrans_pattern($1, mail_spool_t, $2, $3)
-+ filetrans_pattern($1, mail_spool_t, $2, $3, $4)
-+')
-+
-+#######################################
-+##
-+## Read the mail spool.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mta_read_spool',`
-+ gen_require(`
-+ type mail_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ read_files_pattern($1, mail_spool_t, mail_spool_t)
- ')
-
- ########################################
-@@ -699,8 +809,8 @@ interface(`mta_rw_spool',`
-
- files_search_spool($1)
- allow $1 mail_spool_t:dir list_dir_perms;
-- allow $1 mail_spool_t:file setattr;
-- rw_files_pattern($1, mail_spool_t, mail_spool_t)
-+ allow $1 mail_spool_t:file setattr_file_perms;
-+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
- read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
- ')
-
-@@ -840,7 +950,7 @@ interface(`mta_dontaudit_rw_queue',`
- ')
-
- dontaudit $1 mqueue_spool_t:dir search_dir_perms;
-- dontaudit $1 mqueue_spool_t:file { getattr read write };
-+ dontaudit $1 mqueue_spool_t:file rw_file_perms;
- ')
-
- ########################################
-@@ -866,6 +976,41 @@ interface(`mta_manage_queue',`
-
- #######################################
- ##
-+## Create private objects in the
-+## mqueue spool directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`mta_spool_filetrans_queue',`
-+ gen_require(`
-+ type mqueue_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
-+')
-+
-+#######################################
-+##
- ## Read sendmail binary.
- ##
- ##
-@@ -901,3 +1046,173 @@ interface(`mta_rw_user_mail_stream_sockets',`
-
- allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
- ')
-+
-+########################################
-+##
-+## Type transition files created in calling dir
-+## to the mail address aliases type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Directory to transition on.
-+##
-+##
-+#
-+interface(`mta_filetrans_aliases',`
-+ gen_require(`
-+ type etc_aliases_t;
-+ ')
-+
-+ filetrans_pattern($1, $2, etc_aliases_t, file)
-+')
-+
-+######################################
-+##
-+## ALlow domain to read mail content in the homedir
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mta_read_home',`
-+ gen_require(`
-+ type mail_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ read_files_pattern($1, mail_home_t, mail_home_t)
-+
-+ ifdef(`distro_redhat',`
-+ userdom_search_admin_dir($1)
-+ ')
-+')
-+
-+####################################
-+##
-+## ALlow domain to read mail content in the homedir
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mta_read_home_rw',`
-+ gen_require(`
-+ type mail_home_rw_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ read_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
-+ read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
-+
-+ ifdef(`distro_redhat',`
-+ userdom_search_admin_dir($1)
-+ ')
-+')
-+
-+####################################
-+##
-+## Allow domain to manage mail content in the homedir
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mta_manage_home_rw',`
-+ gen_require(`
-+ type mail_home_rw_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ userdom_search_admin_dir($1)
-+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
-+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
-+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
-+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
-+
-+ ifdef(`distro_redhat',`
-+ userdom_search_admin_dir($1)
-+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
-+ ')
-+')
-+
-+########################################
-+##
-+## create mail content in the in the /root directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mta_filetrans_admin_home_content',`
-+ gen_require(`
-+ type mail_home_t;
-+ type mail_home_rw_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
-+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
-+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
-+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
-+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
-+')
-+
-+########################################
-+##
-+## Transition to mta named home content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mta_filetrans_home_content',`
-+ gen_require(`
-+ type mail_home_t;
-+ type mail_home_rw_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
-+ userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
-+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
-+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
-+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
-+')
-+
-+########################################
-+##
-+## Transition to mta named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mta_filetrans_named_content',`
-+ gen_require(`
-+ type etc_aliases_t;
-+ type etc_mail_t;
-+ ')
-+
-+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
-+ mta_etc_filetrans_aliases($1, "aliases")
-+ mta_etc_filetrans_aliases($1, "aliases.db")
-+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
-+ mta_filetrans_home_content($1)
-+ mta_filetrans_admin_home_content($1)
-+')
-diff --git a/mta.te b/mta.te
-index 84a7d66..61f95e2 100644
---- a/mta.te
-+++ b/mta.te
-@@ -20,14 +20,19 @@ files_type(etc_aliases_t)
- type etc_mail_t;
- files_config_file(etc_mail_t)
-
--type mail_forward_t;
--files_type(mail_forward_t)
-+type mail_home_t alias mail_forward_t;
-+userdom_user_home_content(mail_home_t)
-+
-+type mail_home_rw_t;
-+userdom_user_home_content(mail_home_rw_t)
-
- type mqueue_spool_t;
- files_mountpoint(mqueue_spool_t)
-+files_spool_file(mqueue_spool_t)
-
- type mail_spool_t;
- files_mountpoint(mail_spool_t)
-+files_spool_file(mail_spool_t)
-
- type sendmail_exec_t;
- mta_agent_executable(sendmail_exec_t)
-@@ -50,21 +55,12 @@ userdom_user_tmp_file(user_mail_tmp_t)
-
- # newalias required this, not sure if it is needed in 'if' file
- allow system_mail_t self:capability { dac_override fowner };
--allow system_mail_t self:fifo_file rw_fifo_file_perms;
-
--read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
-+allow system_mail_t mail_home_t:file manage_file_perms;
-
- read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
-
--allow system_mail_t mail_forward_t:file read_file_perms;
--
--allow system_mail_t mta_exec_type:file entrypoint;
--
--can_exec(system_mail_t, mta_exec_type)
--
--kernel_read_system_state(system_mail_t)
--kernel_read_network_state(system_mail_t)
--kernel_request_load_module(system_mail_t)
-+corecmd_exec_shell(system_mail_t)
-
- dev_read_sysfs(system_mail_t)
- dev_read_rand(system_mail_t)
-@@ -74,14 +70,25 @@ files_read_usr_files(system_mail_t)
-
- fs_rw_anon_inodefs_files(system_mail_t)
-
--selinux_getattr_fs(system_mail_t)
--
- term_dontaudit_use_unallocated_ttys(system_mail_t)
-
- init_use_script_ptys(system_mail_t)
-+init_dontaudit_rw_stream_socket(system_mail_t)
-
--userdom_use_user_terminals(system_mail_t)
-+userdom_use_inherited_user_terminals(system_mail_t)
- userdom_dontaudit_search_user_home_dirs(system_mail_t)
-+userdom_dontaudit_list_admin_dir(system_mail_t)
-+
-+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
-+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
-+
-+allow system_mail_t mail_home_t:file manage_file_perms;
-+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
-+
-+
-+logging_append_all_logs(system_mail_t)
-+
-+logging_send_syslog_msg(system_mail_t)
-
- optional_policy(`
- apache_read_squirrelmail_data(system_mail_t)
-@@ -92,25 +99,40 @@ optional_policy(`
- apache_dontaudit_rw_stream_sockets(system_mail_t)
- apache_dontaudit_rw_tcp_sockets(system_mail_t)
- apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
-+ apache_dontaudit_rw_tmp_files(system_mail_t)
-+
-+ apache_dontaudit_rw_fifo_file(user_mail_domain)
-+ apache_dontaudit_rw_fifo_file(mta_user_agent)
-+ # apache should set close-on-exec
-+ apache_dontaudit_rw_stream_sockets(mta_user_agent)
-+ apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent)
-+ apache_append_log(mta_user_agent)
- ')
-
- optional_policy(`
- arpwatch_manage_tmp_files(system_mail_t)
-
-- ifdef(`hide_broken_symptoms', `
-- arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
-- ')
-+ ifdef(`hide_broken_symptoms', `
-+ arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
-+ ')
-+
- ')
-
- optional_policy(`
-- clamav_stream_connect(system_mail_t)
-- clamav_append_log(system_mail_t)
-+ bugzilla_search_content(system_mail_t)
-+ bugzilla_dontaudit_rw_stream_sockets(system_mail_t)
-+')
-+
-+optional_policy(`
-+ courier_stream_connect_authdaemon(system_mail_t)
- ')
-
- optional_policy(`
- cron_read_system_job_tmp_files(system_mail_t)
- cron_dontaudit_write_pipes(system_mail_t)
- cron_rw_system_job_stream_sockets(system_mail_t)
-+ cron_rw_inherited_spool_files(system_mail_t)
-+ cron_rw_inherited_user_spool_files(system_mail_t)
- ')
-
- optional_policy(`
-@@ -124,12 +146,9 @@ optional_policy(`
- ')
-
- optional_policy(`
-- exim_domtrans(system_mail_t)
-- exim_manage_log(system_mail_t)
--')
--
--optional_policy(`
- fail2ban_append_log(system_mail_t)
-+ fail2ban_dontaudit_leaks(system_mail_t)
-+ fail2ban_rw_inherited_tmp_files(system_mail_t)
- ')
-
- optional_policy(`
-@@ -146,6 +165,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ munin_dontaudit_leaks(system_mail_t)
-+')
-+
-+optional_policy(`
- nagios_read_tmp_files(system_mail_t)
- ')
-
-@@ -158,22 +181,13 @@ optional_policy(`
- files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
-
- domain_use_interactive_fds(system_mail_t)
--
-- # postfix needs this for newaliases
-- files_getattr_tmp_dirs(system_mail_t)
--
-- postfix_exec_master(system_mail_t)
-- postfix_read_config(system_mail_t)
-- postfix_search_spool(system_mail_t)
--
-- ifdef(`distro_redhat',`
-- # compatability for old default main.cf
-- postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
-- ')
- ')
-
- optional_policy(`
- qmail_domtrans_inject(system_mail_t)
-+ qmail_manage_spool_dirs(system_mail_t)
-+ qmail_manage_spool_files(system_mail_t)
-+ qmail_rw_spool_pipes(system_mail_t)
- ')
-
- optional_policy(`
-@@ -189,6 +203,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ spamd_stream_connect(system_mail_t)
-+')
-+
-+optional_policy(`
- smartmon_read_tmp_files(system_mail_t)
- ')
-
-@@ -199,20 +217,23 @@ optional_policy(`
- arpwatch_search_data(mailserver_delivery)
- arpwatch_manage_tmp_files(mta_user_agent)
-
-- ifdef(`hide_broken_symptoms', `
-- arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
-- ')
--
- optional_policy(`
- cron_read_system_job_tmp_files(mta_user_agent)
- ')
- ')
-
-+ifdef(`hide_broken_symptoms',`
-+ domain_dontaudit_leaks(user_mail_domain)
-+ domain_dontaudit_leaks(mta_user_agent)
-+')
-+
- ########################################
- #
- # Mailserver delivery local policy
- #
-
-+allow mailserver_delivery self:fifo_file rw_inherited_fifo_file_perms;
-+
- allow mailserver_delivery mail_spool_t:dir list_dir_perms;
- create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
- read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -220,21 +241,14 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
- create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
- read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-
--read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
-+userdom_search_admin_dir(mailserver_delivery)
-+read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
-
--read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mailserver_delivery)
-- fs_manage_cifs_files(mailserver_delivery)
-- fs_manage_cifs_symlinks(mailserver_delivery)
--')
-+manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-+manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-+manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(mailserver_delivery)
-- fs_manage_nfs_files(mailserver_delivery)
-- fs_manage_nfs_symlinks(mailserver_delivery)
--')
-+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-
- optional_policy(`
- dovecot_manage_spool(mailserver_delivery)
-@@ -242,6 +256,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ logwatch_search_cache_dir(mailserver_delivery)
-+')
-+
-+optional_policy(`
- # so MTA can access /var/lib/mailman/mail/wrapper
- files_search_var_lib(mailserver_delivery)
-
-@@ -249,6 +267,14 @@ optional_policy(`
- mailman_read_data_symlinks(mailserver_delivery)
- ')
-
-+optional_policy(`
-+ postfix_rw_master_pipes(mailserver_delivery)
-+')
-+
-+optional_policy(`
-+ uucp_domtrans_uux(mailserver_delivery)
-+')
-+
- ########################################
- #
- # User send mail local policy
-@@ -256,9 +282,9 @@ optional_policy(`
-
- domain_use_interactive_fds(user_mail_t)
-
--userdom_use_user_terminals(user_mail_t)
-+userdom_use_inherited_user_terminals(user_mail_t)
- # Write to the user domain tty. cjp: why?
--userdom_use_user_terminals(mta_user_agent)
-+userdom_use_inherited_user_terminals(mta_user_agent)
- # Create dead.letter in user home directories.
- userdom_manage_user_home_content_files(user_mail_t)
- userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -270,6 +296,8 @@ userdom_manage_user_home_content_symlinks(mailserver_delivery)
- userdom_manage_user_home_content_pipes(mailserver_delivery)
- userdom_manage_user_home_content_sockets(mailserver_delivery)
- userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
-+allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
-+
- # Read user temporary files.
- userdom_read_user_tmp_files(user_mail_t)
- userdom_dontaudit_append_user_tmp_files(user_mail_t)
-@@ -277,6 +305,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
- # files in an appropriate place for mta_user_agent
- userdom_read_user_tmp_files(mta_user_agent)
-
-+dev_read_sysfs(user_mail_t)
-+
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files(user_mail_t)
- fs_manage_cifs_symlinks(user_mail_t)
-@@ -292,3 +322,123 @@ optional_policy(`
- postfix_read_config(user_mail_t)
- postfix_list_spool(user_mail_t)
- ')
-+
-+########################################
-+#
-+# Comman user_mail_domain policy
-+#
-+
-+allow user_mail_domain self:capability { setuid setgid chown };
-+allow user_mail_domain self:process { signal_perms setrlimit };
-+allow user_mail_domain self:tcp_socket create_socket_perms;
-+allow user_mail_domain self:fifo_file rw_fifo_file_perms;
-+allow user_mail_domain mta_exec_type:file entrypoint;
-+
-+append_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
-+read_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
-+
-+manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-+manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-+
-+read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)
-+
-+can_exec(user_mail_domain, mta_exec_type)
-+
-+allow system_mail_t user_mail_domain:file read_file_perms;
-+
-+read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t)
-+
-+kernel_read_network_state(user_mail_domain)
-+kernel_request_load_module(user_mail_domain)
-+
-+dev_read_urand(user_mail_domain)
-+
-+files_read_usr_files(user_mail_domain)
-+
-+# Write to /var/spool/mail and /var/spool/mqueue.
-+manage_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t)
-+manage_files_pattern(user_mail_domain, mqueue_spool_t, mqueue_spool_t)
-+read_lnk_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t)
-+read_lnk_files_pattern(user_mail_domain, mqueue_spool_t, mqueue_spool_t)
-+
-+# re-exec itself
-+can_exec(user_mail_domain, sendmail_exec_t)
-+allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
-+
-+kernel_read_kernel_sysctls(user_mail_domain)
-+
-+corenet_tcp_sendrecv_generic_if(user_mail_domain)
-+corenet_tcp_sendrecv_generic_node(user_mail_domain)
-+corenet_tcp_sendrecv_all_ports(user_mail_domain)
-+corenet_tcp_connect_all_ports(user_mail_domain)
-+corenet_tcp_connect_smtp_port(user_mail_domain)
-+corenet_sendrecv_smtp_client_packets(user_mail_domain)
-+
-+corecmd_exec_bin(user_mail_domain)
-+
-+files_read_etc_files(user_mail_domain)
-+files_search_spool(user_mail_domain)
-+# It wants to check for nscd
-+files_dontaudit_search_pids(user_mail_domain)
-+allow user_mail_domain etc_mail_t:dir search_dir_perms;
-+
-+files_read_etc_runtime_files(user_mail_domain)
-+
-+# Check available space.
-+fs_getattr_xattr_fs(user_mail_domain)
-+
-+init_dontaudit_rw_utmp(user_mail_domain)
-+
-+optional_policy(`
-+ courier_manage_spool_dirs(user_mail_domain)
-+ courier_manage_spool_files(user_mail_domain)
-+ courier_rw_spool_pipes(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ exim_domtrans(user_mail_domain)
-+ exim_manage_log(user_mail_domain)
-+ exim_manage_spool_files(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ # postfix needs this for newaliases
-+ files_getattr_tmp_dirs(user_mail_domain)
-+
-+ postfix_exec_master(user_mail_domain)
-+ postfix_read_config(user_mail_domain)
-+ postfix_search_spool(user_mail_domain)
-+ postfix_rw_master_pipes(user_mail_domain)
-+
-+ ifdef(`distro_redhat',`
-+ # compatability for old default main.cf
-+ postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
-+ ')
-+')
-+
-+optional_policy(`
-+ openshift_rw_inherited_content(mta_user_agent)
-+')
-+
-+optional_policy(`
-+ procmail_exec(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ qmail_domtrans_inject(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ # Write to /var/log/sendmail.st
-+ sendmail_manage_log(user_mail_domain)
-+ sendmail_create_log(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ uucp_manage_spool(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ clamav_stream_connect(user_mail_domain)
-+ clamav_stream_connect(mta_user_agent)
-+')
-diff --git a/munin.fc b/munin.fc
-index fd71d69..123ee4c 100644
---- a/munin.fc
-+++ b/munin.fc
-@@ -4,7 +4,9 @@
- /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
- /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
- /usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
--/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
-+
-+# label all plugins as unconfined_munin_plugin_exec_t
-+/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)
-
- # disk plugins
- /usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-@@ -41,6 +43,9 @@
- /usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-
-+# selinux plugins
-+/usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0)
-+
- # system plugins
- /usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-@@ -51,6 +56,7 @@
- /usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-@@ -58,12 +64,15 @@
- /usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-
- /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
-+/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0)
- /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
- /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
- /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
- /var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
-+/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
-diff --git a/munin.if b/munin.if
-index c358d8f..1cc176c 100644
---- a/munin.if
-+++ b/munin.if
-@@ -13,10 +13,11 @@
- #
- template(`munin_plugin_template',`
- gen_require(`
-- type munin_t, munin_exec_t, munin_etc_t;
-+ type munin_t;
-+ attribute munin_plugin_domain;
- ')
-
-- type $1_munin_plugin_t;
-+ type $1_munin_plugin_t, munin_plugin_domain;
- type $1_munin_plugin_exec_t;
- typealias $1_munin_plugin_t alias munin_$1_plugin_t;
- typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
-@@ -36,17 +37,9 @@ template(`munin_plugin_template',`
- # automatic transition rules from munin domain
- # to specific munin plugin domain
- domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
--
-- allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
-- allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
--
-- read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t)
-+ allow munin_t $1_munin_plugin_t:process signal_perms;
-
- kernel_read_system_state($1_munin_plugin_t)
--
-- corecmd_exec_bin($1_munin_plugin_t)
--
-- miscfiles_read_localization($1_munin_plugin_t)
- ')
-
- ########################################
-@@ -65,9 +58,8 @@ interface(`munin_stream_connect',`
- type munin_var_run_t, munin_t;
- ')
-
-- allow $1 munin_t:unix_stream_socket connectto;
-- allow $1 munin_var_run_t:sock_file { getattr write };
- files_search_pids($1)
-+ stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)
- ')
-
- #######################################
-@@ -88,12 +80,50 @@ interface(`munin_read_config',`
-
- allow $1 munin_etc_t:dir list_dir_perms;
- allow $1 munin_etc_t:file read_file_perms;
-- allow $1 munin_etc_t:lnk_file { getattr read };
-+ allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
- files_search_etc($1)
- ')
-
- #######################################
- ##
-+## Read munin library files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`munin_read_var_lib_files',`
-+ gen_require(`
-+ type munin_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
-+
-+')
-+
-+######################################
-+##
-+## dontaudit read and write an leaked file descriptors
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`munin_dontaudit_leaks',`
-+ gen_require(`
-+ type munin_t;
-+ ')
-+
-+ dontaudit $1 munin_t:tcp_socket { read write };
-+')
-+
-+#######################################
-+##
- ## Append to the munin log.
- ##
- ##
-@@ -172,12 +202,14 @@ interface(`munin_admin',`
- gen_require(`
- type munin_t, munin_etc_t, munin_tmp_t;
- type munin_log_t, munin_var_lib_t, munin_var_run_t;
-- type httpd_munin_content_t;
-- type munin_initrc_exec_t;
-+ type httpd_munin_content_t, munin_initrc_exec_t;
- ')
-
-- allow $1 munin_t:process { ptrace signal_perms };
-+ allow $1 munin_t:process signal_perms;
- ps_process_pattern($1, munin_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 munin_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, munin_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/munin.te b/munin.te
-index f17583b..3a691c7 100644
---- a/munin.te
-+++ b/munin.te
-@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
- # Declarations
- #
-
-+attribute munin_plugin_domain;
-+
- type munin_t alias lrrd_t;
- type munin_exec_t alias lrrd_exec_t;
- init_daemon_domain(munin_t, munin_exec_t)
-@@ -24,6 +26,9 @@ files_tmp_file(munin_tmp_t)
- type munin_var_lib_t alias lrrd_var_lib_t;
- files_type(munin_var_lib_t)
-
-+type munin_plugin_state_t;
-+files_type(munin_plugin_state_t)
-+
- type munin_var_run_t alias lrrd_var_run_t;
- files_pid_file(munin_var_run_t)
-
-@@ -31,16 +36,20 @@ munin_plugin_template(disk)
-
- munin_plugin_template(mail)
-
-+munin_plugin_template(selinux)
-+
- munin_plugin_template(services)
-
- munin_plugin_template(system)
-
-+munin_plugin_template(unconfined)
-+
- ########################################
- #
- # Local policy
- #
-
--allow munin_t self:capability { chown dac_override setgid setuid };
-+allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio };
- dontaudit munin_t self:capability sys_tty_config;
- allow munin_t self:process { getsched setsched signal_perms };
- allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -71,9 +80,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
- manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
- files_search_var_lib(munin_t)
-
-+manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
- manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
- manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
--files_pid_filetrans(munin_t, munin_var_run_t, file)
-+files_pid_filetrans(munin_t, munin_var_run_t, { file dir })
-+
-+rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
-
- kernel_read_system_state(munin_t)
- kernel_read_network_state(munin_t)
-@@ -82,7 +94,6 @@ kernel_read_all_sysctls(munin_t)
- corecmd_exec_bin(munin_t)
- corecmd_exec_shell(munin_t)
-
--corenet_all_recvfrom_unlabeled(munin_t)
- corenet_all_recvfrom_netlabel(munin_t)
- corenet_tcp_sendrecv_generic_if(munin_t)
- corenet_udp_sendrecv_generic_if(munin_t)
-@@ -101,7 +112,6 @@ dev_read_urand(munin_t)
- domain_use_interactive_fds(munin_t)
- domain_read_all_domains_state(munin_t)
-
--files_read_etc_files(munin_t)
- files_read_etc_runtime_files(munin_t)
- files_read_usr_files(munin_t)
- files_list_spool(munin_t)
-@@ -115,7 +125,7 @@ logging_send_syslog_msg(munin_t)
- logging_read_all_logs(munin_t)
-
- miscfiles_read_fonts(munin_t)
--miscfiles_read_localization(munin_t)
-+miscfiles_setattr_fonts_cache_dirs(munin_t)
-
- sysnet_exec_ifconfig(munin_t)
-
-@@ -128,6 +138,11 @@ optional_policy(`
- manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
- manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
- apache_search_sys_content(munin_t)
-+
-+ read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
-+ read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
-+
-+ files_search_var_lib(httpd_munin_script_t)
- ')
-
- optional_policy(`
-@@ -145,6 +160,7 @@ optional_policy(`
- optional_policy(`
- mta_read_config(munin_t)
- mta_send_mail(munin_t)
-+ mta_list_queue(munin_t)
- mta_read_queue(munin_t)
- ')
-
-@@ -155,10 +171,13 @@ optional_policy(`
-
- optional_policy(`
- netutils_domtrans_ping(munin_t)
-+ netutils_signal_ping(munin_t)
-+ netutils_kill_ping(munin_t)
- ')
-
- optional_policy(`
- postfix_list_spool(munin_t)
-+ postfix_getattr_spool_files(munin_t)
- ')
-
- optional_policy(`
-@@ -182,6 +201,7 @@ optional_policy(`
- # local policy for disk plugins
- #
-
-+allow disk_munin_plugin_t self:capability { sys_admin sys_rawio };
- allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
-
- rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -190,15 +210,18 @@ corecmd_exec_shell(disk_munin_plugin_t)
-
- corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
-
--files_read_etc_files(disk_munin_plugin_t)
- files_read_etc_runtime_files(disk_munin_plugin_t)
-+files_read_usr_files(disk_munin_plugin_t)
-
--fs_getattr_all_fs(disk_munin_plugin_t)
--
-+dev_getattr_lvm_control(disk_munin_plugin_t)
- dev_read_sysfs(disk_munin_plugin_t)
- dev_read_urand(disk_munin_plugin_t)
-+dev_read_all_blk_files(munin_disk_plugin_t)
-+
-+fs_getattr_all_fs(disk_munin_plugin_t)
-+fs_getattr_all_dirs(disk_munin_plugin_t)
-
--storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
-+storage_raw_read_fixed_disk(disk_munin_plugin_t)
-
- sysnet_read_config(disk_munin_plugin_t)
-
-@@ -221,30 +244,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-
- dev_read_urand(mail_munin_plugin_t)
-
--files_read_etc_files(mail_munin_plugin_t)
-+logging_read_generic_logs(mail_munin_plugin_t)
-
--fs_getattr_all_fs(mail_munin_plugin_t)
-+optional_policy(`
-+ exim_read_log(mail_munin_plugin_t)
-+')
-
--logging_read_generic_logs(mail_munin_plugin_t)
-+optional_policy(`
-+ mta_read_config(mail_munin_plugin_t)
-+ mta_send_mail(mail_munin_plugin_t)
-+ mta_list_queue(mail_munin_plugin_t)
-+ mta_read_queue(mail_munin_plugin_t)
-+')
-
--mta_read_config(mail_munin_plugin_t)
--mta_send_mail(mail_munin_plugin_t)
--mta_read_queue(mail_munin_plugin_t)
-+optional_policy(`
-+ nscd_socket_use(mail_munin_plugin_t)
-+')
-
- optional_policy(`
- postfix_read_config(mail_munin_plugin_t)
- postfix_list_spool(mail_munin_plugin_t)
-+ postfix_getattr_spool_files(mail_munin_plugin_t)
- ')
-
- optional_policy(`
- sendmail_read_log(mail_munin_plugin_t)
- ')
-
-+##################################
-+#
-+# local policy for selinux plugins
-+#
-+
-+selinux_get_enforce_mode(selinux_munin_plugin_t)
-+
- ###################################
- #
- # local policy for service plugins
- #
-
-+allow services_munin_plugin_t self:shm create_sem_perms;
-+allow services_munin_plugin_t self:sem create_sem_perms;
- allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
- allow services_munin_plugin_t self:udp_socket create_socket_perms;
- allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +295,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
- dev_read_urand(services_munin_plugin_t)
- dev_read_rand(services_munin_plugin_t)
-
--fs_getattr_all_fs(services_munin_plugin_t)
--
--files_read_etc_files(services_munin_plugin_t)
--
- sysnet_read_config(services_munin_plugin_t)
-
- optional_policy(`
-+ cups_read_config(services_munin_plugin_t)
- cups_stream_connect(services_munin_plugin_t)
- ')
-
-@@ -279,6 +316,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ nscd_socket_use(services_munin_plugin_t)
-+')
-+
-+optional_policy(`
- postgresql_stream_connect(services_munin_plugin_t)
- ')
-
-@@ -286,6 +327,18 @@ optional_policy(`
- snmp_read_snmp_var_lib_files(services_munin_plugin_t)
- ')
-
-+optional_policy(`
-+ sssd_stream_connect(services_munin_plugin_t)
-+')
-+
-+optional_policy(`
-+ varnishd_read_lib_files(services_munin_plugin_t)
-+')
-+
-+optional_policy(`
-+ bind_read_config(munin_services_plugin_t)
-+')
-+
- ##################################
- #
- # local policy for system plugins
-@@ -295,12 +348,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
-
- rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-
--kernel_read_network_state(system_munin_plugin_t)
--kernel_read_all_sysctls(system_munin_plugin_t)
--
--corecmd_exec_shell(system_munin_plugin_t)
-+# needed by munin_* plugins
-+read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
-
--fs_getattr_all_fs(system_munin_plugin_t)
-+kernel_read_network_state(system_munin_plugin_t)
-
- dev_read_sysfs(system_munin_plugin_t)
- dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +364,47 @@ init_read_utmp(system_munin_plugin_t)
- sysnet_exec_ifconfig(system_munin_plugin_t)
-
- term_getattr_unallocated_ttys(system_munin_plugin_t)
-+term_getattr_all_ttys(system_munin_plugin_t)
-+term_getattr_all_ptys(system_munin_plugin_t)
-+
-+optional_policy(`
-+ bind_read_config(system_munin_plugin_t)
-+')
-+
-+#######################################
-+#
-+# Unconfined plugin policy
-+#
-+
-+optional_policy(`
-+ unconfined_domain(unconfined_munin_plugin_t)
-+')
-+
-+################################
-+#
-+# local policy for munin plugin domains
-+#
-+
-+allow munin_plugin_domain self:process signal;
-+
-+allow munin_plugin_domain munin_exec_t:file read_file_perms;
-+allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-+
-+# creates plugin state files
-+manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
-+
-+read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
-+
-+corecmd_exec_bin(munin_plugin_domain)
-+corecmd_exec_shell(munin_plugin_domain)
-+
-+files_search_var_lib(munin_plugin_domain)
-+files_read_usr_files(munin_plugin_domain)
-+
-+fs_getattr_all_fs(munin_plugin_domain)
-+
-+auth_read_passwd(munin_plugin_domain)
-+
-+optional_policy(`
-+ nscd_socket_use(munin_plugin_domain)
-+')
-diff --git a/mysql.fc b/mysql.fc
-index 716d666..43f60de 100644
---- a/mysql.fc
-+++ b/mysql.fc
-@@ -1,6 +1,14 @@
- # mysql database server
-
- #
-+# /HOME
-+#
-+HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
-+/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
-+
-+/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
-+
-+#
- # /etc
- #
- /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
-diff --git a/mysql.if b/mysql.if
-index e9c0982..404ed6d 100644
---- a/mysql.if
-+++ b/mysql.if
-@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
- domtrans_pattern($1, mysqld_exec_t, mysqld_t)
- ')
-
-+######################################
-+##
-+## Execute MySQL in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mysql_exec',`
-+ gen_require(`
-+ type mysqld_exec_t;
-+ ')
-+
-+ can_exec($1, mysqld_exec_t)
-+')
-+
- ########################################
- ##
- ## Send a generic signal to MySQL.
-@@ -36,6 +54,24 @@ interface(`mysql_signal',`
- allow $1 mysqld_t:process signal;
- ')
-
-+#######################################
-+##
-+## Send a null signal to mysql.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mysql_signull',`
-+ gen_require(`
-+ type mysqld_t;
-+ ')
-+
-+ allow $1 mysqld_t:process signull;
-+')
-+
- ########################################
- ##
- ## Allow the specified domain to connect to postgresql with a tcp socket.
-@@ -73,6 +109,7 @@ interface(`mysql_stream_connect',`
- type mysqld_t, mysqld_var_run_t, mysqld_db_t;
- ')
-
-+ files_search_pids($1)
- stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
- stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
- ')
-@@ -122,6 +159,26 @@ interface(`mysql_search_db',`
-
- ########################################
- ##
-+## List the directories that contain MySQL
-+## database storage.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mysql_list_db',`
-+ gen_require(`
-+ type mysqld_db_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 mysqld_db_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
- ## Read and write to the MySQL database directory.
- ##
- ##
-@@ -252,12 +309,12 @@ interface(`mysql_write_log',`
- ')
-
- logging_search_logs($1)
-- allow $1 mysqld_log_t:file { write_file_perms setattr };
-+ allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
- ')
-
- ######################################
- ##
--## Execute MySQL server in the mysql domain.
-+## Execute MySQL safe script in the mysql safe domain.
- ##
- ##
- ##
-@@ -273,6 +330,24 @@ interface(`mysql_domtrans_mysql_safe',`
- domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
- ')
-
-+######################################
-+##
-+## Execute MySQL_safe in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mysql_safe_exec',`
-+ gen_require(`
-+ type mysqld_safe_exec_t;
-+ ')
-+
-+ can_exec($1, mysqld_safe_exec_t)
-+')
-+
- #####################################
- ##
- ## Read MySQL PID files.
-@@ -313,6 +388,67 @@ interface(`mysql_search_pid_files',`
-
- ########################################
- ##
-+## Execute mysqld server in the mysqld domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`mysql_systemctl',`
-+ gen_require(`
-+ type mysqld_unit_file_t;
-+ type mysqld_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 mysqld_unit_file_t:file read_file_perms;
-+ allow $1 mysqld_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, mysqld_t)
-+')
-+
-+########################################
-+##
-+## read mysqld homedir content (.k5login)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mysql_read_home_content',`
-+ gen_require(`
-+ type mysqld_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ read_files_pattern($1, mysqld_home_t, mysqld_home_t)
-+')
-+
-+########################################
-+##
-+## Transition to mysqld named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mysql_filetrans_named_content',`
-+ gen_require(`
-+ type mysqld_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
-+ userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate an mysql environment
- ##
- ##
-@@ -329,27 +465,45 @@ interface(`mysql_search_pid_files',`
- #
- interface(`mysql_admin',`
- gen_require(`
-- type mysqld_t, mysqld_var_run_t;
-- type mysqld_tmp_t, mysqld_db_t;
-- type mysqld_etc_t, mysqld_log_t;
-- type mysqld_initrc_exec_t;
-+ type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
-+ type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
-+ type mysqld_etc_t;
-+ type mysqld_home_t;
-+ type mysqld_unit_file_t;
- ')
-
-- allow $1 mysqld_t:process { ptrace signal_perms };
-+ allow $1 mysqld_t:process signal_perms;
- ps_process_pattern($1, mysqld_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 mysqld_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mysqld_initrc_exec_t system_r;
- allow $2 system_r;
-
-+ files_list_pids($1)
- admin_pattern($1, mysqld_var_run_t)
-
- admin_pattern($1, mysqld_db_t)
-
-+ files_list_etc($1)
- admin_pattern($1, mysqld_etc_t)
-
-+ logging_list_logs($1)
- admin_pattern($1, mysqld_log_t)
-
-+ files_list_tmp($1)
- admin_pattern($1, mysqld_tmp_t)
-+
-+ userdom_search_user_home_dirs($1)
-+ files_list_root($1)
-+ admin_pattern($1, mysqld_home_t)
-+
-+ mysql_systemctl($1)
-+ admin_pattern($1, mysqld_unit_file_t)
-+ allow $1 mysqld_unit_file_t:service all_service_perms;
-+
-+ mysql_stream_connect($1)
- ')
-diff --git a/mysql.te b/mysql.te
-index 1cf05a3..8855ea2 100644
---- a/mysql.te
-+++ b/mysql.te
-@@ -29,6 +29,12 @@ files_type(mysqld_db_t)
- type mysqld_etc_t alias etc_mysqld_t;
- files_config_file(mysqld_etc_t)
-
-+type mysqld_home_t;
-+userdom_user_home_content(mysqld_home_t)
-+
-+type mysqld_unit_file_t;
-+systemd_unit_file(mysqld_unit_file_t)
-+
- type mysqld_initrc_exec_t;
- init_script_file(mysqld_initrc_exec_t)
-
-@@ -64,11 +70,12 @@ allow mysqld_t self:udp_socket create_socket_perms;
-
- manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
- manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
-+manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
- manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
- files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
-
- allow mysqld_t mysqld_etc_t:file read_file_perms;
--allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
-+allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
- allow mysqld_t mysqld_etc_t:dir list_dir_perms;
-
- allow mysqld_t mysqld_log_t:file manage_file_perms;
-@@ -78,14 +85,21 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
- manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
- files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
-
-+manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
- manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
- manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
--files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file })
-+files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
-+
-+userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
-
-+kernel_read_network_state(mysqld_t)
- kernel_read_system_state(mysqld_t)
-+kernel_read_network_state(mysqld_t)
- kernel_read_kernel_sysctls(mysqld_t)
-
--corenet_all_recvfrom_unlabeled(mysqld_t)
-+corecmd_exec_bin(mysqld_t)
-+corecmd_exec_shell(mysqld_t)
-+
- corenet_all_recvfrom_netlabel(mysqld_t)
- corenet_tcp_sendrecv_generic_if(mysqld_t)
- corenet_udp_sendrecv_generic_if(mysqld_t)
-@@ -110,7 +124,6 @@ domain_use_interactive_fds(mysqld_t)
-
- files_getattr_var_lib_dirs(mysqld_t)
- files_read_etc_runtime_files(mysqld_t)
--files_read_etc_files(mysqld_t)
- files_read_usr_files(mysqld_t)
- files_search_var_lib(mysqld_t)
-
-@@ -118,17 +131,10 @@ auth_use_nsswitch(mysqld_t)
-
- logging_send_syslog_msg(mysqld_t)
-
--miscfiles_read_localization(mysqld_t)
--
- sysnet_read_config(mysqld_t)
-
--userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
--# for /root/.my.cnf - should not be needed:
--userdom_read_user_home_content_files(mysqld_t)
--
- ifdef(`distro_redhat',`
-- # because Fedora has the sock_file in the database directory
-- type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
-+ filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
- ')
-
- tunable_policy(`mysql_connect_any',`
-@@ -154,10 +160,11 @@ optional_policy(`
- #
-
- allow mysqld_safe_t self:capability { chown dac_override fowner kill };
--dontaudit mysqld_safe_t self:capability sys_ptrace;
-+allow mysqld_safe_t self:process { setsched getsched setrlimit };
- allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
-
- read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-+delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-
- domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
-
-@@ -170,26 +177,33 @@ kernel_read_system_state(mysqld_safe_t)
- kernel_read_kernel_sysctls(mysqld_safe_t)
-
- corecmd_exec_bin(mysqld_safe_t)
-+corecmd_exec_shell(mysqld_safe_t)
-
- dev_list_sysfs(mysqld_safe_t)
-
- domain_read_all_domains_state(mysqld_safe_t)
-
--files_read_etc_files(mysqld_safe_t)
-+files_dontaudit_search_all_mountpoints(mysqld_safe_t)
- files_read_usr_files(mysqld_safe_t)
- files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-
- logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
-+logging_send_syslog_msg(mysqld_safe_t)
-
--hostname_exec(mysqld_safe_t)
-+auth_read_passwd(mysqld_safe_t)
-
--miscfiles_read_localization(mysqld_safe_t)
-+domain_dontaudit_signull_all_domains(mysqld_safe_t)
-
- mysql_manage_db_files(mysqld_safe_t)
- mysql_read_config(mysqld_safe_t)
- mysql_search_pid_files(mysqld_safe_t)
-+mysql_signull(mysqld_safe_t)
- mysql_write_log(mysqld_safe_t)
-
-+optional_policy(`
-+ hostname_exec(mysqld_safe_t)
-+')
-+
- ########################################
- #
- # MySQL Manager Policy
-@@ -218,7 +232,6 @@ kernel_read_system_state(mysqlmanagerd_t)
-
- corecmd_exec_shell(mysqlmanagerd_t)
-
--corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
- corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
- corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
- corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
-@@ -231,9 +244,7 @@ corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
-
- dev_read_urand(mysqlmanagerd_t)
-
--files_read_etc_files(mysqlmanagerd_t)
- files_read_usr_files(mysqlmanagerd_t)
-
--miscfiles_read_localization(mysqlmanagerd_t)
-
- userdom_getattr_user_home_dirs(mysqlmanagerd_t)
-diff --git a/nagios.fc b/nagios.fc
-index 1238f2e..d80b4db 100644
---- a/nagios.fc
-+++ b/nagios.fc
-@@ -6,7 +6,7 @@
- /usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
- /usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-
--/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
- /usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-
- /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-@@ -19,70 +19,75 @@
- ifdef(`distro_debian',`
- /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
- ')
--/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
--/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-
- # admin plugins
--/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
-
- # check disk plugins
- /usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
-
- # mail plugins
--/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
-+
-+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
-
- # system plugins
--/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-
- # services plugins
--/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-
- # unconfined plugins
--/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-+
-+# eventhandlers
-+/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
-diff --git a/nagios.if b/nagios.if
-index 8581040..d7d9a79 100644
---- a/nagios.if
-+++ b/nagios.if
-@@ -12,31 +12,24 @@
- ##
- #
- template(`nagios_plugin_template',`
--
- gen_require(`
-+ attribute nagios_plugin_domain;
- type nagios_t, nrpe_t;
-- type nagios_log_t;
- ')
-
-- type nagios_$1_plugin_t;
-+ type nagios_$1_plugin_t, nagios_plugin_domain;
- type nagios_$1_plugin_exec_t;
- application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
- role system_r types nagios_$1_plugin_t;
-
-- allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
--
- domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
-+ allow nagios_t nagios_$1_plugin_exec_t:file ioctl;
-
- # needed by command.cfg
- domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
-
-- allow nagios_t nagios_$1_plugin_t:process signal_perms;
--
-- # cjp: leaked file descriptor
-- dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
-- dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
-+ kernel_read_system_state(nagios_$1_plugin_t)
-
-- miscfiles_read_localization(nagios_$1_plugin_t)
- ')
-
- ########################################
-@@ -49,7 +42,6 @@ template(`nagios_plugin_template',`
- ## Domain to not audit.
- ##
- ##
--##
- #
- interface(`nagios_dontaudit_rw_pipes',`
- gen_require(`
-@@ -159,6 +151,26 @@ interface(`nagios_read_tmp_files',`
-
- ########################################
- ##
-+## Allow the specified domain to read
-+## nagios temporary files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nagios_rw_inerited_tmp_files',`
-+ gen_require(`
-+ type nagios_tmp_t;
-+ ')
-+
-+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
- ## Execute the nagios NRPE with
- ## a domain transition.
- ##
-@@ -195,15 +207,16 @@ interface(`nagios_domtrans_nrpe',`
- #
- interface(`nagios_admin',`
- gen_require(`
-- type nagios_t, nrpe_t;
-- type nagios_tmp_t, nagios_log_t;
-- type nagios_etc_t, nrpe_etc_t;
-- type nagios_spool_t, nagios_var_run_t;
-- type nagios_initrc_exec_t;
-+ type nagios_t, nrpe_t, nagios_initrc_exec_t;
-+ type nagios_tmp_t, nagios_log_t, nagios_var_run_t;
-+ type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
- ')
-
-- allow $1 nagios_t:process { ptrace signal_perms };
-+ allow $1 nagios_t:process signal_perms;
- ps_process_pattern($1, nagios_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 nagios_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, nagios_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/nagios.te b/nagios.te
-index c3e2a2d..f4cbdff 100644
---- a/nagios.te
-+++ b/nagios.te
-@@ -5,6 +5,8 @@ policy_module(nagios, 1.12.0)
- # Declarations
- #
-
-+attribute nagios_plugin_domain;
-+
- type nagios_t;
- type nagios_exec_t;
- init_daemon_domain(nagios_t, nagios_exec_t)
-@@ -25,7 +27,10 @@ type nagios_var_run_t;
- files_pid_file(nagios_var_run_t)
-
- type nagios_spool_t;
--files_type(nagios_spool_t)
-+files_spool_file(nagios_spool_t)
-+
-+type nagios_var_lib_t;
-+files_type(nagios_var_lib_t)
-
- nagios_plugin_template(admin)
- nagios_plugin_template(checkdisk)
-@@ -33,6 +38,10 @@ nagios_plugin_template(mail)
- nagios_plugin_template(services)
- nagios_plugin_template(system)
- nagios_plugin_template(unconfined)
-+nagios_plugin_template(eventhandler)
-+
-+type nagios_eventhandler_plugin_tmp_t;
-+files_tmp_file(nagios_eventhandler_plugin_tmp_t)
-
- type nagios_system_plugin_tmp_t;
- files_tmp_file(nagios_system_plugin_tmp_t)
-@@ -77,13 +86,17 @@ files_pid_filetrans(nagios_t, nagios_var_run_t, file)
- manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
- files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
-
-+manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-+manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-+files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file dir })
-+
- kernel_read_system_state(nagios_t)
- kernel_read_kernel_sysctls(nagios_t)
-+kernel_read_software_raid_state(nagios_t)
-
- corecmd_exec_bin(nagios_t)
- corecmd_exec_shell(nagios_t)
-
--corenet_all_recvfrom_unlabeled(nagios_t)
- corenet_all_recvfrom_netlabel(nagios_t)
- corenet_tcp_sendrecv_generic_if(nagios_t)
- corenet_udp_sendrecv_generic_if(nagios_t)
-@@ -103,31 +116,27 @@ domain_use_interactive_fds(nagios_t)
- # for ps
- domain_read_all_domains_state(nagios_t)
-
--files_read_etc_files(nagios_t)
- files_read_etc_runtime_files(nagios_t)
- files_read_kernel_symbol_table(nagios_t)
- files_search_spool(nagios_t)
-+files_read_usr_files(nagios_t)
-
- fs_getattr_all_fs(nagios_t)
- fs_search_auto_mountpoints(nagios_t)
-
--# for who
--init_read_utmp(nagios_t)
--
- auth_use_nsswitch(nagios_t)
-
- logging_send_syslog_msg(nagios_t)
-
--miscfiles_read_localization(nagios_t)
-
- userdom_dontaudit_use_unpriv_user_fds(nagios_t)
- userdom_dontaudit_search_user_home_dirs(nagios_t)
-
- mta_send_mail(nagios_t)
-+mta_signal_system_mail(nagios_t)
-+mta_kill_system_mail(nagios_t)
-
- optional_policy(`
-- netutils_domtrans_ping(nagios_t)
-- netutils_signal_ping(nagios_t)
- netutils_kill_ping(nagios_t)
- ')
-
-@@ -143,6 +152,7 @@ optional_policy(`
- #
- # Nagios CGI local policy
- #
-+
- optional_policy(`
- apache_content_template(nagios)
- typealias httpd_nagios_script_t alias nagios_cgi_t;
-@@ -180,29 +190,31 @@ optional_policy(`
- #
-
- allow nrpe_t self:capability { setuid setgid };
--dontaudit nrpe_t self:capability {sys_tty_config sys_resource};
-+dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
- allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
- allow nrpe_t self:fifo_file rw_fifo_file_perms;
- allow nrpe_t self:tcp_socket create_stream_socket_perms;
-
-+read_files_pattern(nrpe_t, nrpe_etc_t, nrpe_etc_t)
-+
- domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
-
--read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
-+read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
- files_search_etc(nrpe_t)
-
- manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
- files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
-
-+kernel_read_system_state(nrpe_t)
- kernel_read_kernel_sysctls(nrpe_t)
- kernel_read_software_raid_state(nrpe_t)
--kernel_read_system_state(nrpe_t)
-
- corecmd_exec_bin(nrpe_t)
- corecmd_exec_shell(nrpe_t)
-
- corenet_tcp_bind_generic_node(nrpe_t)
- corenet_tcp_bind_inetd_child_port(nrpe_t)
--corenet_sendrecv_unlabeled_packets(nrpe_t)
-+corenet_all_recvfrom_netlabel(nrpe_t)
-
- dev_read_sysfs(nrpe_t)
- dev_read_urand(nrpe_t)
-@@ -211,7 +223,7 @@ domain_use_interactive_fds(nrpe_t)
- domain_read_all_domains_state(nrpe_t)
-
- files_read_etc_runtime_files(nrpe_t)
--files_read_etc_files(nrpe_t)
-+files_read_usr_files(nrpe_t)
-
- fs_getattr_all_fs(nrpe_t)
- fs_search_auto_mountpoints(nrpe_t)
-@@ -220,7 +232,6 @@ auth_use_nsswitch(nrpe_t)
-
- logging_send_syslog_msg(nrpe_t)
-
--miscfiles_read_localization(nrpe_t)
-
- userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
-
-@@ -252,11 +263,9 @@ optional_policy(`
- corecmd_read_bin_files(nagios_admin_plugin_t)
- corecmd_read_bin_symlinks(nagios_admin_plugin_t)
-
--dev_read_urand(nagios_admin_plugin_t)
- dev_getattr_all_chr_files(nagios_admin_plugin_t)
- dev_getattr_all_blk_files(nagios_admin_plugin_t)
-
--files_read_etc_files(nagios_admin_plugin_t)
- # for check_file_age plugin
- files_getattr_all_dirs(nagios_admin_plugin_t)
- files_getattr_all_files(nagios_admin_plugin_t)
-@@ -271,20 +280,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
- #
-
- allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
--
- allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
- allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
- allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
-
--kernel_read_system_state(nagios_mail_plugin_t)
- kernel_read_kernel_sysctls(nagios_mail_plugin_t)
-
- corecmd_read_bin_files(nagios_mail_plugin_t)
- corecmd_read_bin_symlinks(nagios_mail_plugin_t)
-
--dev_read_urand(nagios_mail_plugin_t)
--
--files_read_etc_files(nagios_mail_plugin_t)
-
- logging_send_syslog_msg(nagios_mail_plugin_t)
-
-@@ -300,7 +304,7 @@ optional_policy(`
-
- optional_policy(`
- postfix_stream_connect_master(nagios_mail_plugin_t)
-- posftix_exec_postqueue(nagios_mail_plugin_t)
-+ postfix_exec_postqueue(nagios_mail_plugin_t)
- ')
-
- ######################################
-@@ -311,7 +315,9 @@ optional_policy(`
- # needed by ioctl()
- allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
-
--files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
-+kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
-+
-+files_getattr_all_dirs(nagios_checkdisk_plugin_t)
- files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
-
- fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,11 +329,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
- # local policy for service check plugins
- #
-
--allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
-+allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw };
- allow nagios_services_plugin_t self:process { signal sigkill };
--
- allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
- allow nagios_services_plugin_t self:udp_socket create_socket_perms;
-+allow nagios_services_plugin_t self:rawip_socket create_socket_perms;
-
- corecmd_exec_bin(nagios_services_plugin_t)
-
-@@ -342,6 +348,8 @@ files_read_usr_files(nagios_services_plugin_t)
-
- optional_policy(`
- netutils_domtrans_ping(nagios_services_plugin_t)
-+ netutils_signal_ping(nagios_services_plugin_t)
-+ netutils_kill_ping(nagios_services_plugin_t)
- ')
-
- optional_policy(`
-@@ -365,6 +373,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
- manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
- files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
-
-+read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
-+
- kernel_read_system_state(nagios_system_plugin_t)
- kernel_read_kernel_sysctls(nagios_system_plugin_t)
-
-@@ -372,11 +382,13 @@ corecmd_exec_bin(nagios_system_plugin_t)
- corecmd_exec_shell(nagios_system_plugin_t)
-
- dev_read_sysfs(nagios_system_plugin_t)
--dev_read_urand(nagios_system_plugin_t)
-
- domain_read_all_domains_state(nagios_system_plugin_t)
-
--files_read_etc_files(nagios_system_plugin_t)
-+
-+fs_getattr_all_fs(nagios_system_plugin_t)
-+
-+auth_read_passwd(nagios_system_plugin_t)
-
- # needed by check_users plugin
- optional_policy(`
-@@ -391,3 +403,48 @@ optional_policy(`
- optional_policy(`
- unconfined_domain(nagios_unconfined_plugin_t)
- ')
-+
-+#######################################
-+#
-+# Event handler plugin plugin policy
-+#
-+
-+manage_files_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t)
-+manage_dirs_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t)
-+files_tmp_filetrans(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, { dir file })
-+
-+corecmd_exec_bin(nagios_eventhandler_plugin_t)
-+corecmd_exec_shell(nagios_eventhandler_plugin_t)
-+
-+init_domtrans_script(nagios_eventhandler_plugin_t)
-+
-+systemd_exec_systemctl(nagios_eventhandler_plugin_t)
-+
-+allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;
-+
-+optional_policy(`
-+ unconfined_domain(nagios_eventhandler_plugin_t)
-+')
-+
-+######################################
-+#
-+# nagios plugin domain policy
-+#
-+
-+allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
-+
-+allow nrpe_t nagios_plugin_domain:process { signal sigkill };
-+
-+allow nagios_t nagios_plugin_domain:process signal_perms;
-+
-+# cjp: leaked file descriptor
-+dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write };
-+dontaudit nagios_plugin_domain nagios_log_t:file { read write };
-+
-+dev_read_urand(nagios_plugin_domain)
-+dev_read_rand(nagios_plugin_domain)
-+
-+files_read_usr_files(nagios_plugin_domain)
-+
-+userdom_use_inherited_user_ptys(nagios_plugin_domain)
-+userdom_use_inherited_user_ttys(nagios_plugin_domain)
-diff --git a/namespace.fc b/namespace.fc
-new file mode 100644
-index 0000000..ce51c8d
---- /dev/null
-+++ b/namespace.fc
-@@ -0,0 +1,3 @@
-+
-+/etc/security/namespace.init -- gen_context(system_u:object_r:namespace_init_exec_t,s0)
-+
-diff --git a/namespace.if b/namespace.if
-new file mode 100644
-index 0000000..8d7c751
---- /dev/null
-+++ b/namespace.if
-@@ -0,0 +1,48 @@
-+
-+## policy for namespace
-+
-+########################################
-+##
-+## Execute a domain transition to run namespace_init.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`namespace_init_domtrans',`
-+ gen_require(`
-+ type namespace_init_t, namespace_init_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, namespace_init_exec_t, namespace_init_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute namespace_init in the namespace_init domain, and
-+## allow the specified role the namespace_init domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the namespace_init domain.
-+##
-+##
-+#
-+interface(`namespace_init_run',`
-+ gen_require(`
-+ type namespace_init_t;
-+ ')
-+
-+ namespace_init_domtrans($1)
-+ role $2 types namespace_init_t;
-+
-+ seutil_run_setfiles(namespace_init_t, $2)
-+')
-diff --git a/namespace.te b/namespace.te
-new file mode 100644
-index 0000000..ef7b846
---- /dev/null
-+++ b/namespace.te
-@@ -0,0 +1,43 @@
-+policy_module(namespace,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type namespace_init_t;
-+type namespace_init_exec_t;
-+init_system_domain(namespace_init_t, namespace_init_exec_t)
-+role system_r types namespace_init_t;
-+
-+########################################
-+#
-+# namespace_init local policy
-+#
-+
-+allow namespace_init_t self:capability dac_override;
-+
-+allow namespace_init_t self:fifo_file manage_fifo_file_perms;
-+allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
-+
-+kernel_read_system_state(namespace_init_t)
-+
-+corecmd_exec_shell(namespace_init_t)
-+
-+domain_use_interactive_fds(namespace_init_t)
-+domain_obj_id_change_exemption(namespace_init_t)
-+
-+files_polyinstantiate_all(namespace_init_t)
-+
-+mcs_file_write_all(namespace_init_t)
-+
-+auth_use_nsswitch(namespace_init_t)
-+
-+
-+term_use_console(namespace_init_t)
-+
-+userdom_manage_user_home_content_dirs(namespace_init_t)
-+userdom_manage_user_home_content_files(namespace_init_t)
-+userdom_relabelto_user_home_dirs(namespace_init_t)
-+userdom_relabelto_user_home_files(namespace_init_t)
-+userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file })
-diff --git a/ncftool.if b/ncftool.if
-index a648982..59f096b 100644
---- a/ncftool.if
-+++ b/ncftool.if
-@@ -36,9 +36,19 @@ interface(`ncftool_domtrans',`
- #
- interface(`ncftool_run',`
- gen_require(`
-- attribute_role ncftool_roles;
-- ')
-+ type ncftool_t;
-+ #attribute_role ncftool_roles;
-+ ')
-+
-+ #ncftool_domtrans($1)
-+ #roleattribute $2 ncftool_roles;
-
- ncftool_domtrans($1)
-- roleattribute $2 ncftool_roles;
-+ role $2 types ncftool_t;
-+
-+ optional_policy(`
-+ brctl_run(ncftool_t, $2)
-+ ')
-+
- ')
-+
-diff --git a/ncftool.te b/ncftool.te
-index f19ca0b..3eadfbb 100644
---- a/ncftool.te
-+++ b/ncftool.te
-@@ -5,25 +5,29 @@ policy_module(ncftool, 1.1.0)
- # Declarations
- #
-
--attribute_role ncftool_roles;
--roleattribute system_r ncftool_roles;
-+#attribute_role ncftool_roles;
-+#roleattribute system_r ncftool_roles;
-
- type ncftool_t;
- type ncftool_exec_t;
- application_domain(ncftool_t, ncftool_exec_t)
- domain_obj_id_change_exemption(ncftool_t)
- domain_system_change_exemption(ncftool_t)
--role ncftool_roles types ncftool_t;
-+#role ncftool_roles types ncftool_t;
-+role system_r types ncftool_t;
-
- ########################################
- #
- # ncftool local policy
- #
-
--allow ncftool_t self:capability { net_admin sys_ptrace };
-+allow ncftool_t self:capability net_admin;
- allow ncftool_t self:process signal;
-+
- allow ncftool_t self:fifo_file manage_fifo_file_perms;
- allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
-+
-+allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
- allow ncftool_t self:tcp_socket create_stream_socket_perms;
- allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
-
-@@ -41,24 +45,33 @@ domain_read_all_domains_state(ncftool_t)
-
- dev_read_sysfs(ncftool_t)
-
--files_read_etc_files(ncftool_t)
-+files_manage_system_conf_files(ncftool_t)
-+files_relabelto_system_conf_files(ncftool_t)
- files_read_etc_runtime_files(ncftool_t)
- files_read_usr_files(ncftool_t)
-
--miscfiles_read_localization(ncftool_t)
-+term_use_all_inherited_terms(ncftool_t)
-
- sysnet_delete_dhcpc_pid(ncftool_t)
--sysnet_run_dhcpc(ncftool_t, ncftool_roles)
--sysnet_run_ifconfig(ncftool_t, ncftool_roles)
-+sysnet_domtrans_dhcpc(ncftool_t)
-+sysnet_domtrans_ifconfig(ncftool_t)
-+#sysnet_run_dhcpc(ncftool_t, ncftool_roles)
-+#sysnet_run_ifconfig(ncftool_t, ncftool_roles)
- sysnet_etc_filetrans_config(ncftool_t)
- sysnet_manage_config(ncftool_t)
- sysnet_read_dhcpc_state(ncftool_t)
-+sysnet_relabelfrom_net_conf(ncftool_t)
-+sysnet_relabelto_net_conf(ncftool_t)
- sysnet_read_dhcpc_pid(ncftool_t)
- sysnet_signal_dhcpc(ncftool_t)
-
- userdom_use_user_terminals(ncftool_t)
- userdom_read_user_tmp_files(ncftool_t)
-
-+#optional_policy(`
-+# brctl_run(ncftool_t, ncftool_roles)
-+#')
-+
- optional_policy(`
- consoletype_exec(ncftool_t)
- ')
-@@ -69,13 +82,18 @@ optional_policy(`
-
- optional_policy(`
- iptables_initrc_domtrans(ncftool_t)
-+ iptables_systemctl(ncftool_t)
- ')
-
- optional_policy(`
-+ modutils_list_module_config(ncftool_t)
- modutils_read_module_config(ncftool_t)
-- modutils_run_insmod(ncftool_t, ncftool_roles)
-+ modutils_domtrans_insmod(ncftool_t)
-+ #modutils_run_insmod(ncftool_t, ncftool_roles)
-+
- ')
-
- optional_policy(`
-- netutils_run(ncftool_t, ncftool_roles)
-+ netutils_domtrans(ncftool_t)
-+ #netutils_run(ncftool_t, ncftool_roles)
- ')
-diff --git a/nessus.te b/nessus.te
-index abf25da..bad6973 100644
---- a/nessus.te
-+++ b/nessus.te
-@@ -56,7 +56,6 @@ kernel_read_kernel_sysctls(nessusd_t)
- # for nmap etc
- corecmd_exec_bin(nessusd_t)
-
--corenet_all_recvfrom_unlabeled(nessusd_t)
- corenet_all_recvfrom_netlabel(nessusd_t)
- corenet_tcp_sendrecv_generic_if(nessusd_t)
- corenet_udp_sendrecv_generic_if(nessusd_t)
-@@ -85,7 +84,6 @@ fs_search_auto_mountpoints(nessusd_t)
-
- logging_send_syslog_msg(nessusd_t)
-
--miscfiles_read_localization(nessusd_t)
-
- sysnet_read_config(nessusd_t)
-
-diff --git a/networkmanager.fc b/networkmanager.fc
-index 386543b..8fe1d63 100644
---- a/networkmanager.fc
-+++ b/networkmanager.fc
-@@ -1,6 +1,19 @@
- /etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-
--/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-+/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
-+/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
-+/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
-+/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-+
-+/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-+/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-+/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-+
-+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-+
-+/usr/lib/systemd/system/NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
-
- /usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-
-@@ -12,15 +25,19 @@
- /usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- /usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- /usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-+/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-
- /var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
- /var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-
--/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
-+/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
-+
- /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
-
- /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-diff --git a/networkmanager.if b/networkmanager.if
-index 2324d9e..96dbf6f 100644
---- a/networkmanager.if
-+++ b/networkmanager.if
-@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
- ## Allow caller to relabel tun_socket
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
- interface(`networkmanager_attach_tun_iface',`
-@@ -116,6 +116,29 @@ interface(`networkmanager_initrc_domtrans',`
-
- ########################################
- ##
-+## Execute NetworkManager server in the NetworkManager domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`networkmanager_systemctl',`
-+ gen_require(`
-+ type NetworkManager_unit_file_t;
-+ type NetworkManager_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 NetworkManager_unit_file_t:file read_file_perms;
-+ allow $1 NetworkManager_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, NetworkManager_t)
-+')
-+
-+########################################
-+##
- ## Send and receive messages from
- ## NetworkManager over dbus.
- ##
-@@ -137,6 +160,28 @@ interface(`networkmanager_dbus_chat',`
-
- ########################################
- ##
-+## Do not audit attempts to send and
-+## receive messages from NetworkManager
-+## over dbus.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`networkmanager_dontaudit_dbus_chat',`
-+ gen_require(`
-+ type NetworkManager_t;
-+ class dbus send_msg;
-+ ')
-+
-+ dontaudit $1 NetworkManager_t:dbus send_msg;
-+ dontaudit NetworkManager_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
- ## Send a generic signal to NetworkManager
- ##
- ##
-@@ -173,6 +218,25 @@ interface(`networkmanager_read_lib_files',`
- read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
- ')
-
-+#######################################
-+##
-+## Read NetworkManager conf files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`networkmanager_read_conf',`
-+ gen_require(`
-+ type NetworkManager_etc_t;
-+ ')
-+
-+ allow $1 NetworkManager_etc_t:dir list_dir_perms;
-+ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
-+')
-+
- ########################################
- ##
- ## Read NetworkManager PID files.
-@@ -191,3 +255,110 @@ interface(`networkmanager_read_pid_files',`
- files_search_pids($1)
- allow $1 NetworkManager_var_run_t:file read_file_perms;
- ')
-+
-+########################################
-+##
-+## Execute NetworkManager in the NetworkManager domain, and
-+## allow the specified role the NetworkManager domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`networkmanager_run',`
-+ gen_require(`
-+ type NetworkManager_t, NetworkManager_exec_t;
-+ ')
-+
-+ networkmanager_domtrans($1)
-+ role $2 types NetworkManager_t;
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to append
-+## to Network Manager log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`networkmanager_append_log',`
-+ gen_require(`
-+ type NetworkManager_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ allow $1 NetworkManager_log_t:dir list_dir_perms;
-+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to manage
-+## to Network Manager lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`networkmanager_manage_lib',`
-+ gen_require(`
-+ type NetworkManager_var_lib_t;
-+ ')
-+
-+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
-+')
-+
-+
-+########################################
-+##
-+## Transition to networkmanager named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`networkmanager_filetrans_named_content',`
-+ gen_require(`
-+ type NetworkManager_var_run_t;
-+ type NetworkManager_var_lib_t;
-+ ')
-+
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth1.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth2.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth3.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth4.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth5.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth6.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth7.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth8.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em3.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em4.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em5.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
-+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
-+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
-+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
-+')
-diff --git a/networkmanager.te b/networkmanager.te
-index 0619395..a953cf1 100644
---- a/networkmanager.te
-+++ b/networkmanager.te
-@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
- type NetworkManager_initrc_exec_t;
- init_script_file(NetworkManager_initrc_exec_t)
-
-+type NetworkManager_unit_file_t;
-+systemd_unit_file(NetworkManager_unit_file_t)
-+
-+type NetworkManager_etc_t;
-+files_config_file(NetworkManager_etc_t)
-+
-+type NetworkManager_etc_rw_t;
-+files_config_file(NetworkManager_etc_rw_t)
-+
- type NetworkManager_log_t;
- logging_log_file(NetworkManager_log_t)
-
-@@ -35,26 +44,49 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
-
- # networkmanager will ptrace itself if gdb is installed
- # and it receives a unexpected signal (rh bug #204161)
--allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
--dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
--allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
-+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
-+dontaudit NetworkManager_t self:capability sys_tty_config;
-+ifdef(`hide_broken_symptoms',`
-+ # caused by some bogus kernel code
-+ dontaudit NetworkManager_t self:capability sys_module;
-+')
-+allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
-+tunable_policy(`deny_ptrace',`',`
-+ allow NetworkManager_t self:capability sys_ptrace;
-+ allow NetworkManager_t self:process ptrace;
-+')
-+
- allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
- allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
- allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
- allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
-+allow NetworkManager_t self:netlink_socket create_socket_perms;
- allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
--allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom };
-+allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
- allow NetworkManager_t self:udp_socket create_socket_perms;
- allow NetworkManager_t self:packet_socket create_socket_perms;
-
- allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
-
- can_exec(NetworkManager_t, NetworkManager_exec_t)
-+#wicd
-+can_exec(NetworkManager_t, wpa_cli_exec_t)
-+
-+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
-+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
-+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
-+
-+manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
-+manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
-+filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-+
-+logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
-
- manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
- logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
-
-+can_exec(NetworkManager_t, NetworkManager_tmp_t)
- manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
- manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
- files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -75,7 +107,6 @@ kernel_request_load_module(NetworkManager_t)
- kernel_read_debugfs(NetworkManager_t)
- kernel_rw_net_sysctls(NetworkManager_t)
-
--corenet_all_recvfrom_unlabeled(NetworkManager_t)
- corenet_all_recvfrom_netlabel(NetworkManager_t)
- corenet_tcp_sendrecv_generic_if(NetworkManager_t)
- corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -95,11 +126,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t)
- corenet_rw_tun_tap_dev(NetworkManager_t)
- corenet_getattr_ppp_dev(NetworkManager_t)
-
--dev_read_sysfs(NetworkManager_t)
-+dev_rw_sysfs(NetworkManager_t)
- dev_read_rand(NetworkManager_t)
- dev_read_urand(NetworkManager_t)
- dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
- dev_getattr_all_chr_files(NetworkManager_t)
-+dev_rw_wireless(NetworkManager_t)
-
- fs_getattr_all_fs(NetworkManager_t)
- fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,10 +145,10 @@ corecmd_exec_shell(NetworkManager_t)
- corecmd_exec_bin(NetworkManager_t)
-
- domain_use_interactive_fds(NetworkManager_t)
--domain_read_confined_domains_state(NetworkManager_t)
-+domain_read_all_domains_state(NetworkManager_t)
-
--files_read_etc_files(NetworkManager_t)
- files_read_etc_runtime_files(NetworkManager_t)
-+files_read_system_conf_files(NetworkManager_t)
- files_read_usr_files(NetworkManager_t)
- files_read_usr_src_files(NetworkManager_t)
-
-@@ -128,35 +160,51 @@ init_domtrans_script(NetworkManager_t)
-
- auth_use_nsswitch(NetworkManager_t)
-
-+libs_exec_ldconfig(NetworkManager_t)
-+
- logging_send_syslog_msg(NetworkManager_t)
-
--miscfiles_read_localization(NetworkManager_t)
- miscfiles_read_generic_certs(NetworkManager_t)
-
--modutils_domtrans_insmod(NetworkManager_t)
--
- seutil_read_config(NetworkManager_t)
-
- sysnet_domtrans_ifconfig(NetworkManager_t)
- sysnet_domtrans_dhcpc(NetworkManager_t)
- sysnet_signal_dhcpc(NetworkManager_t)
-+sysnet_signull_dhcpc(NetworkManager_t)
- sysnet_read_dhcpc_pid(NetworkManager_t)
-+sysnet_read_dhcp_config(NetworkManager_t)
- sysnet_delete_dhcpc_pid(NetworkManager_t)
-+sysnet_kill_dhcpc(NetworkManager_t)
-+sysnet_read_dhcpc_state(NetworkManager_t)
-+sysnet_delete_dhcpc_state(NetworkManager_t)
- sysnet_search_dhcp_state(NetworkManager_t)
- # in /etc created by NetworkManager will be labelled net_conf_t.
- sysnet_manage_config(NetworkManager_t)
- sysnet_etc_filetrans_config(NetworkManager_t)
-
-+userdom_stream_connect(NetworkManager_t)
- userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
- userdom_dontaudit_use_user_ttys(NetworkManager_t)
- # Read gnome-keyring
-+userdom_read_home_certs(NetworkManager_t)
- userdom_read_user_home_content_files(NetworkManager_t)
-+userdom_dgram_send(NetworkManager_t)
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_read_nfs_files(NetworkManager_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_read_cifs_files(NetworkManager_t)
-+')
-
- optional_policy(`
- avahi_domtrans(NetworkManager_t)
- avahi_kill(NetworkManager_t)
- avahi_signal(NetworkManager_t)
- avahi_signull(NetworkManager_t)
-+ avahi_dbus_chat(NetworkManager_t)
- ')
-
- optional_policy(`
-@@ -176,10 +224,17 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ cron_read_system_job_lib_files(NetworkManager_t)
-+')
-+
-+optional_policy(`
- dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
-
-+ init_dbus_chat(NetworkManager_t)
-+
- optional_policy(`
- consolekit_dbus_chat(NetworkManager_t)
-+ consolekit_read_pid_files(NetworkManager_t)
- ')
- ')
-
-@@ -191,6 +246,7 @@ optional_policy(`
- dnsmasq_kill(NetworkManager_t)
- dnsmasq_signal(NetworkManager_t)
- dnsmasq_signull(NetworkManager_t)
-+ dnsmasq_systemctl(NetworkManager_t)
- ')
-
- optional_policy(`
-@@ -202,23 +258,45 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gnome_dontaudit_search_config(NetworkManager_t)
-+')
-+
-+optional_policy(`
-+ ipsec_domtrans_mgmt(NetworkManager_t)
-+ ipsec_kill_mgmt(NetworkManager_t)
-+ ipsec_signal_mgmt(NetworkManager_t)
-+ ipsec_signull_mgmt(NetworkManager_t)
-+')
-+
-+optional_policy(`
- iptables_domtrans(NetworkManager_t)
- ')
-
- optional_policy(`
-+ netutils_exec_ping(NetworkManager_t)
-+')
-+
-+optional_policy(`
- nscd_domtrans(NetworkManager_t)
- nscd_signal(NetworkManager_t)
- nscd_signull(NetworkManager_t)
- nscd_kill(NetworkManager_t)
- nscd_initrc_domtrans(NetworkManager_t)
-+ nscd_systemctl(NetworkManager_t)
- ')
-
- optional_policy(`
- # Dispatcher starting and stoping ntp
- ntp_initrc_domtrans(NetworkManager_t)
-+ ntp_systemctl(NetworkManager_t)
- ')
-
- optional_policy(`
-+ modutils_domtrans_insmod(NetworkManager_t)
-+')
-+
-+optional_policy(`
-+ openvpn_read_config(NetworkManager_t)
- openvpn_domtrans(NetworkManager_t)
- openvpn_kill(NetworkManager_t)
- openvpn_signal(NetworkManager_t)
-@@ -234,6 +312,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ polipo_systemctl(NetworkManager_t)
-+')
-+
-+optional_policy(`
- ppp_initrc_domtrans(NetworkManager_t)
- ppp_domtrans(NetworkManager_t)
- ppp_manage_pid_files(NetworkManager_t)
-@@ -241,6 +323,7 @@ optional_policy(`
- ppp_signal(NetworkManager_t)
- ppp_signull(NetworkManager_t)
- ppp_read_config(NetworkManager_t)
-+ ppp_systemctl(NetworkManager_t)
- ')
-
- optional_policy(`
-@@ -254,6 +337,12 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ systemd_write_inhibit_pipes(NetworkManager_t)
-+ systemd_read_logind_sessions_files(NetworkManager_t)
-+ systemd_dbus_chat_logind(NetworkManager_t)
-+')
-+
-+optional_policy(`
- udev_exec(NetworkManager_t)
- udev_read_db(NetworkManager_t)
- ')
-@@ -263,6 +352,7 @@ optional_policy(`
- vpn_kill(NetworkManager_t)
- vpn_signal(NetworkManager_t)
- vpn_signull(NetworkManager_t)
-+ vpn_relabelfrom_tun_socket(NetworkManager_t)
- ')
-
- ########################################
-@@ -284,6 +374,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
- init_dontaudit_use_fds(wpa_cli_t)
- init_use_script_ptys(wpa_cli_t)
-
--miscfiles_read_localization(wpa_cli_t)
-
- term_dontaudit_use_console(wpa_cli_t)
-diff --git a/nis.fc b/nis.fc
-index 632a565..cd0e015 100644
---- a/nis.fc
-+++ b/nis.fc
-@@ -9,7 +9,9 @@
- /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
-
- /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
-+/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
- /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
-+/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
- /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
-
- /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
-@@ -18,3 +20,8 @@
- /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
- /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
- /var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
-+
-+/usr/lib/systemd/system/ypbind.* -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
-+/usr/lib/systemd/system/ypserv.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
-+/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
-+/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
-diff --git a/nis.if b/nis.if
-index abe3f7f..1112fae 100644
---- a/nis.if
-+++ b/nis.if
-@@ -27,18 +27,13 @@ interface(`nis_use_ypbind_uncond',`
- gen_require(`
- type var_yp_t;
- ')
--
-- allow $1 self:capability net_bind_service;
--
- allow $1 self:tcp_socket create_stream_socket_perms;
- allow $1 self:udp_socket create_socket_perms;
-
- allow $1 var_yp_t:dir list_dir_perms;
-- allow $1 var_yp_t:lnk_file { getattr read };
-+ allow $1 var_yp_t:lnk_file read_lnk_file_perms;
- allow $1 var_yp_t:file read_file_perms;
-
-- corenet_all_recvfrom_unlabeled($1)
-- corenet_all_recvfrom_netlabel($1)
- corenet_tcp_sendrecv_generic_if($1)
- corenet_udp_sendrecv_generic_if($1)
- corenet_tcp_sendrecv_generic_node($1)
-@@ -49,14 +44,13 @@ interface(`nis_use_ypbind_uncond',`
- corenet_udp_bind_generic_node($1)
- corenet_tcp_bind_generic_port($1)
- corenet_udp_bind_generic_port($1)
-- corenet_dontaudit_tcp_bind_all_reserved_ports($1)
-- corenet_dontaudit_udp_bind_all_reserved_ports($1)
-+ corenet_tcp_bind_all_rpc_ports($1)
-+ corenet_udp_bind_all_rpc_ports($1)
- corenet_dontaudit_tcp_bind_all_ports($1)
- corenet_dontaudit_udp_bind_all_ports($1)
- corenet_tcp_connect_portmap_port($1)
-- corenet_tcp_connect_reserved_port($1)
-+ corenet_tcp_connect_all_reserved_ports($1)
- corenet_tcp_connect_generic_port($1)
-- corenet_dontaudit_tcp_connect_all_ports($1)
- corenet_sendrecv_portmap_client_packets($1)
- corenet_sendrecv_generic_client_packets($1)
- corenet_sendrecv_generic_server_packets($1)
-@@ -88,7 +82,7 @@ interface(`nis_use_ypbind_uncond',`
- ##
- #
- interface(`nis_use_ypbind',`
-- tunable_policy(`allow_ypbind',`
-+ tunable_policy(`nis_enabled',`
- nis_use_ypbind_uncond($1)
- ')
- ')
-@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',`
- ##
- #
- interface(`nis_authenticate',`
-- tunable_policy(`allow_ypbind',`
-+ tunable_policy(`nis_enabled',`
- nis_use_ypbind_uncond($1)
- corenet_tcp_bind_all_rpc_ports($1)
- corenet_udp_bind_all_rpc_ports($1)
-@@ -131,6 +125,24 @@ interface(`nis_domtrans_ypbind',`
- domtrans_pattern($1, ypbind_exec_t, ypbind_t)
- ')
-
-+#######################################
-+##
-+## Execute ypbind in the caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`nis_exec_ypbind',`
-+ gen_require(`
-+ type ypbind_t, ypbind_exec_t;
-+ ')
-+
-+ can_exec($1, ypbind_exec_t)
-+')
-+
- ########################################
- ##
- ## Execute ypbind in the ypbind domain, and
-@@ -337,6 +349,55 @@ interface(`nis_initrc_domtrans_ypbind',`
-
- ########################################
- ##
-+## Execute ypbind server in the ypbind domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`nis_systemctl_ypbind',`
-+ gen_require(`
-+ type ypbind_unit_file_t;
-+ type ypbind_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 ypbind_unit_file_t:file read_file_perms;
-+ allow $1 ypbind_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, ypbind_t)
-+')
-+
-+########################################
-+##
-+## Execute ypbind server in the ypbind domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`nis_systemctl',`
-+ gen_require(`
-+ type nis_unit_file_t, ypbind_unit_file_t;
-+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 nis_unit_file_t:file read_file_perms;
-+ allow $1 nis_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, ypbind_t)
-+ ps_process_pattern($1, yppasswdd_t)
-+ ps_process_pattern($1, ypserv_t)
-+ ps_process_pattern($1, ypxfr_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an nis environment
- ##
-@@ -354,22 +415,31 @@ interface(`nis_initrc_domtrans_ypbind',`
- #
- interface(`nis_admin',`
- gen_require(`
-- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
-- type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
-+ type ypbind_t, yppasswdd_t, ypserv_t;
-+ type ypserv_conf_t;
- type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
-- type ypbind_initrc_exec_t, nis_initrc_exec_t;
-+ type ypserv_tmp_t;
-+ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
-+ type nis_unit_file_t;
-+ type ypbind_unit_file_t;
- ')
-
-- allow $1 ypbind_t:process { ptrace signal_perms };
-+ allow $1 ypbind_t:process signal_perms;
- ps_process_pattern($1, ypbind_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ypbind_t:process ptrace;
-+ allow $1 yppasswdd_t:process ptrace;
-+ allow $1 ypserv_t:process ptrace;
-+ allow $1 ypxfr_t:process ptrace;
-+ ')
-
-- allow $1 yppasswdd_t:process { ptrace signal_perms };
-+ allow $1 yppasswdd_t:process signal_perms;
- ps_process_pattern($1, yppasswdd_t)
-
-- allow $1 ypserv_t:process { ptrace signal_perms };
-+ allow $1 ypserv_t:process signal_perms;
- ps_process_pattern($1, ypserv_t)
-
-- allow $1 ypxfr_t:process { ptrace signal_perms };
-+ allow $1 ypxfr_t:process signal_perms;
- ps_process_pattern($1, ypxfr_t)
-
- nis_initrc_domtrans($1)
-@@ -379,18 +449,22 @@ interface(`nis_admin',`
- role_transition $2 ypbind_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_list_tmp($1)
-- admin_pattern($1, ypbind_tmp_t)
--
- files_list_pids($1)
- admin_pattern($1, ypbind_var_run_t)
-+ nis_systemctl_ypbind($1)
-+ admin_pattern($1, ypbind_unit_file_t)
-+ allow $1 ypbind_unit_file_t:service all_service_perms;
-
- admin_pattern($1, yppasswdd_var_run_t)
-
- files_list_etc($1)
- admin_pattern($1, ypserv_conf_t)
-
-+ admin_pattern($1, ypserv_var_run_t)
-+
- admin_pattern($1, ypserv_tmp_t)
-
-- admin_pattern($1, ypserv_var_run_t)
-+ nis_systemctl($1)
-+ admin_pattern($1, nis_unit_file_t)
-+ allow $1 nis_unit_file_t:service all_service_perms;
- ')
-diff --git a/nis.te b/nis.te
-index f27899c..f1dd1fa 100644
---- a/nis.te
-+++ b/nis.te
-@@ -18,11 +18,14 @@ init_daemon_domain(ypbind_t, ypbind_exec_t)
- type ypbind_initrc_exec_t;
- init_script_file(ypbind_initrc_exec_t)
-
-+type ypbind_var_run_t;
-+files_pid_file(ypbind_var_run_t)
-+
- type ypbind_tmp_t;
- files_tmp_file(ypbind_tmp_t)
-
--type ypbind_var_run_t;
--files_pid_file(ypbind_var_run_t)
-+type ypbind_unit_file_t;
-+systemd_unit_file(ypbind_unit_file_t)
-
- type yppasswdd_t;
- type yppasswdd_exec_t;
-@@ -37,7 +40,7 @@ type ypserv_exec_t;
- init_daemon_domain(ypserv_t, ypserv_exec_t)
-
- type ypserv_conf_t;
--files_type(ypserv_conf_t)
-+files_config_file(ypserv_conf_t)
-
- type ypserv_tmp_t;
- files_tmp_file(ypserv_tmp_t)
-@@ -52,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
- type ypxfr_var_run_t;
- files_pid_file(ypxfr_var_run_t)
-
-+type nis_unit_file_t;
-+systemd_unit_file(nis_unit_file_t)
-+
- ########################################
- #
- # ypbind local policy
-@@ -76,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
- kernel_read_system_state(ypbind_t)
- kernel_read_kernel_sysctls(ypbind_t)
-
--corenet_all_recvfrom_unlabeled(ypbind_t)
- corenet_all_recvfrom_netlabel(ypbind_t)
- corenet_tcp_sendrecv_generic_if(ypbind_t)
- corenet_udp_sendrecv_generic_if(ypbind_t)
-@@ -108,9 +113,9 @@ domain_use_interactive_fds(ypbind_t)
- files_read_etc_files(ypbind_t)
- files_list_var(ypbind_t)
-
--logging_send_syslog_msg(ypbind_t)
-+init_search_pid_dirs(ypbind_t)
-
--miscfiles_read_localization(ypbind_t)
-+logging_send_syslog_msg(ypbind_t)
-
- sysnet_read_config(ypbind_t)
-
-@@ -156,12 +161,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
- manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
- manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
-
-+can_exec(yppasswdd_t,yppasswdd_exec_t)
-+
- kernel_list_proc(yppasswdd_t)
- kernel_read_proc_symlinks(yppasswdd_t)
- kernel_getattr_proc_files(yppasswdd_t)
- kernel_read_kernel_sysctls(yppasswdd_t)
-
--corenet_all_recvfrom_unlabeled(yppasswdd_t)
- corenet_all_recvfrom_netlabel(yppasswdd_t)
- corenet_tcp_sendrecv_generic_if(yppasswdd_t)
- corenet_udp_sendrecv_generic_if(yppasswdd_t)
-@@ -186,6 +192,7 @@ selinux_get_fs_mount(yppasswdd_t)
-
- auth_manage_shadow(yppasswdd_t)
- auth_relabel_shadow(yppasswdd_t)
-+auth_read_passwd(yppasswdd_t)
- auth_etc_filetrans_shadow(yppasswdd_t)
-
- corecmd_exec_bin(yppasswdd_t)
-@@ -199,7 +206,6 @@ files_relabel_etc_files(yppasswdd_t)
-
- logging_send_syslog_msg(yppasswdd_t)
-
--miscfiles_read_localization(yppasswdd_t)
-
- sysnet_read_config(yppasswdd_t)
-
-@@ -211,6 +217,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ mta_send_mail(yppasswdd_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(yppasswdd_t)
- ')
-
-@@ -247,7 +257,6 @@ kernel_read_kernel_sysctls(ypserv_t)
- kernel_list_proc(ypserv_t)
- kernel_read_proc_symlinks(ypserv_t)
-
--corenet_all_recvfrom_unlabeled(ypserv_t)
- corenet_all_recvfrom_netlabel(ypserv_t)
- corenet_tcp_sendrecv_generic_if(ypserv_t)
- corenet_udp_sendrecv_generic_if(ypserv_t)
-@@ -279,7 +288,6 @@ files_read_etc_files(ypserv_t)
-
- logging_send_syslog_msg(ypserv_t)
-
--miscfiles_read_localization(ypserv_t)
-
- nis_domtrans_ypxfr(ypserv_t)
-
-@@ -317,7 +325,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
- manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
- files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
-
--corenet_all_recvfrom_unlabeled(ypxfr_t)
- corenet_all_recvfrom_netlabel(ypxfr_t)
- corenet_tcp_sendrecv_generic_if(ypxfr_t)
- corenet_udp_sendrecv_generic_if(ypxfr_t)
-@@ -342,6 +349,5 @@ files_search_usr(ypxfr_t)
-
- logging_send_syslog_msg(ypxfr_t)
-
--miscfiles_read_localization(ypxfr_t)
-
- sysnet_read_config(ypxfr_t)
-diff --git a/nova.fc b/nova.fc
-new file mode 100644
-index 0000000..02dc6dc
---- /dev/null
-+++ b/nova.fc
-@@ -0,0 +1,32 @@
-+
-+/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_ajax_exec_t,s0)
-+/usr/bin/nova-console.* -- gen_context(system_u:object_r:nova_console_exec_t,s0)
-+/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_direct_exec_t,s0)
-+/usr/bin/nova-api -- gen_context(system_u:object_r:nova_api_exec_t,s0)
-+/usr/bin/nova-cert -- gen_context(system_u:object_r:nova_cert_exec_t,s0)
-+/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0)
-+/usr/bin/nova-network -- gen_context(system_u:object_r:nova_network_exec_t,s0)
-+/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_objectstore_exec_t,s0)
-+/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_scheduler_exec_t,s0)
-+/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
-+/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_volume_exec_t,s0)
-+/usr/bin/nova-xvpvncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
-+
-+/usr/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_ajax_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-api.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-cert.* -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-console.* -- gen_context(system_u:object_r:nova_console_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-direct-api.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-metadata-api.service.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-network.* -- gen_context(system_u:object_r:nova_network_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-objectstore.* -- gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-scheduler.* -- gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-vncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-xvpvncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-volume.* -- gen_context(system_u:object_r:nova_volume_unit_file_t,s0)
-+
-+/var/lib/nova(/.*)? gen_context(system_u:object_r:nova_var_lib_t,s0)
-+
-+/var/log/nova(/.*)? gen_context(system_u:object_r:nova_log_t,s0)
-+
-+/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0)
-diff --git a/nova.if b/nova.if
-new file mode 100644
-index 0000000..7d11148
---- /dev/null
-+++ b/nova.if
-@@ -0,0 +1,36 @@
-+## openstack-nova
-+
-+#######################################
-+##
-+## Creates types and rules for a basic
-+## openstack-nova systemd daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`nova_domain_template',`
-+ gen_require(`
-+ attribute nova_domain;
-+ ')
-+
-+ type nova_$1_t, nova_domain;
-+ type nova_$1_exec_t;
-+ init_daemon_domain(nova_$1_t, nova_$1_exec_t)
-+
-+ type nova_$1_unit_file_t;
-+ systemd_unit_file(nova_$1_unit_file_t)
-+
-+ type nova_$1_tmp_t;
-+ files_tmp_file(nova_$1_tmp_t)
-+
-+ manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
-+ manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
-+ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir })
-+ can_exec(nova_$1_t, nova_$1_tmp_t)
-+
-+ kernel_read_system_state(nova_$1_t)
-+
-+')
-diff --git a/nova.te b/nova.te
-new file mode 100644
-index 0000000..f0aaecf
---- /dev/null
-+++ b/nova.te
-@@ -0,0 +1,324 @@
-+policy_module(nova, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+#
-+# nova-stack daemons contain security issue with using sudo in the code
-+# we make this policy as unconfined until this issue is fixed
-+#
-+
-+attribute nova_domain;
-+
-+nova_domain_template(ajax)
-+nova_domain_template(api)
-+nova_domain_template(cert)
-+nova_domain_template(compute)
-+nova_domain_template(console)
-+nova_domain_template(direct)
-+nova_domain_template(network)
-+nova_domain_template(objectstore)
-+nova_domain_template(scheduler)
-+nova_domain_template(vncproxy)
-+nova_domain_template(volume)
-+
-+type nova_log_t;
-+logging_log_file(nova_log_t)
-+
-+type nova_var_lib_t;
-+files_type(nova_var_lib_t)
-+
-+type nova_var_run_t;
-+files_pid_file(nova_var_run_t)
-+
-+
-+######################################
-+#
-+# nova general domain local policy
-+#
-+
-+allow nova_domain self:fifo_file rw_fifo_file_perms;
-+allow nova_domain self:tcp_socket create_stream_socket_perms;
-+allow nova_domain self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(nova_domain, nova_log_t, nova_log_t)
-+manage_files_pattern(nova_domain, nova_log_t, nova_log_t)
-+
-+manage_dirs_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
-+manage_files_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
-+
-+manage_dirs_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
-+manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
-+
-+corenet_tcp_connect_amqp_port(nova_domain)
-+
-+corecmd_exec_bin(nova_domain)
-+corecmd_exec_shell(nova_domain)
-+
-+dev_read_urand(nova_domain)
-+
-+fs_getattr_xattr_fs(nova_domain)
-+
-+files_read_usr_files(nova_domain)
-+
-+libs_exec_ldconfig(nova_domain)
-+
-+files_read_etc_files(nova_domain)
-+
-+
-+optional_policy(`
-+ sysnet_read_config(nova_domain)
-+')
-+
-+######################################
-+#
-+# nova ajax local policy
-+#
-+
-+optional_policy(`
-+ unconfined_domain(nova_ajax_t)
-+')
-+
-+#######################################
-+#
-+# nova api local policy
-+#
-+
-+allow nova_api_t self:process setfscreate;
-+
-+allow nova_api_t self:key write;
-+
-+allow nova_api_t self:netlink_route_socket r_netlink_socket_perms;
-+
-+allow nova_api_t self:udp_socket create_socket_perms;
-+
-+kernel_read_kernel_sysctls(nova_api_t)
-+
-+corenet_tcp_bind_generic_node(nova_api_t)
-+corenet_udp_bind_generic_node(nova_api_t)
-+# should be add to booleans
-+corenet_tcp_connect_all_ports(nova_api_t)
-+corenet_tcp_bind_all_unreserved_ports(nova_api_t)
-+
-+auth_read_passwd(nova_api_t)
-+
-+logging_send_syslog_msg(nova_api_t)
-+
-+miscfiles_read_certs(nova_api_t)
-+
-+ifdef(`hide_broken_symptoms',`
-+ optional_policy(`
-+ sudo_exec(nova_api_t)
-+ allow nova_api_t self:capability { setuid sys_resource setgid };
-+ allow nova_api_t self:process { setsched setrlimit };
-+ logging_send_audit_msgs(nova_api_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ iptables_domtrans(nova_api_t)
-+')
-+
-+optional_policy(`
-+ ssh_exec_keygen(nova_api_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(nova_api_t)
-+')
-+
-+######################################
-+#
-+# nova cert local policy
-+#
-+
-+allow nova_cert_t self:process setfscreate;
-+
-+allow nova_cert_t self:udp_socket create_socket_perms;
-+
-+auth_use_nsswitch(nova_cert_t)
-+
-+miscfiles_read_certs(nova_cert_t)
-+
-+optional_policy(`
-+ mysql_stream_connect(nova_cert_t)
-+')
-+
-+#######################################
-+#
-+# nova compute local policy
-+#
-+
-+# needs to be re-write since now runs as virtd_t
-+
-+allow nova_compute_t self:udp_socket create_socket_perms;
-+
-+kernel_read_network_state(nova_compute_t)
-+
-+dev_read_rand(nova_compute_t)
-+
-+dev_read_sysfs(nova_compute_t)
-+
-+optional_policy(`
-+ virt_getattr_exec(nova_compute_t)
-+ virt_stream_connect(nova_compute_t)
-+')
-+
-+######################################
-+#
-+# nova console local policy
-+#
-+
-+allow nova_console_t self:udp_socket create_socket_perms;
-+
-+auth_use_nsswitch(nova_console_t)
-+
-+#######################################
-+#
-+# nova direct local policy
-+#
-+
-+optional_policy(`
-+ unconfined_domain(nova_direct_t)
-+')
-+
-+#######################################
-+#
-+# nova network local policy
-+#
-+
-+allow nova_network_t self:capability { dac_override net_admin net_bind_service };
-+allow nova_network_t self:process { getcap setcap };
-+
-+allow nova_network_t self:netlink_route_socket r_netlink_socket_perms;
-+allow nova_network_t self:udp_socket create_socket_perms;
-+
-+kernel_read_network_state(nova_network_t)
-+kernel_read_kernel_sysctls(nova_network_t)
-+
-+# should be added to boolean or fixed in the code
-+# dnsmasq domtrans does not work since then dnsmasq_t wants
-+# to do some stuff with nova_lib, nova_tmp
-+# nova-dhcpbridge runs in dnsmasq domain
-+corenet_all_recvfrom_netlabel(nova_network_t)
-+corenet_tcp_sendrecv_generic_if(nova_network_t)
-+corenet_udp_sendrecv_generic_if(nova_network_t)
-+corenet_raw_sendrecv_generic_if(nova_network_t)
-+corenet_tcp_sendrecv_generic_node(nova_network_t)
-+corenet_udp_sendrecv_generic_node(nova_network_t)
-+corenet_raw_sendrecv_generic_node(nova_network_t)
-+corenet_tcp_sendrecv_all_ports(nova_network_t)
-+corenet_udp_sendrecv_all_ports(nova_network_t)
-+corenet_tcp_bind_generic_node(nova_network_t)
-+corenet_udp_bind_generic_node(nova_network_t)
-+corenet_tcp_bind_dns_port(nova_network_t)
-+corenet_udp_bind_all_ports(nova_network_t)
-+corenet_sendrecv_dns_server_packets(nova_network_t)
-+corenet_sendrecv_dhcpd_server_packets(nova_network_t)
-+
-+libs_exec_ldconfig(nova_network_t)
-+
-+logging_send_syslog_msg(nova_network_t)
-+
-+ifdef(`hide_broken_symptoms',`
-+ optional_policy(`
-+ sudo_exec(nova_network_t)
-+ allow nova_network_t self:capability { setuid sys_resource setgid };
-+ allow nova_network_t self:process { setsched setrlimit };
-+ logging_send_audit_msgs(nova_network_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ brctl_domtrans(nova_network_t)
-+')
-+
-+optional_policy(`
-+ dnsmasq_exec(nova_network_t)
-+# dnsmasq_domtrans(nova_network_t)
-+')
-+
-+optional_policy(`
-+ iptables_domtrans(nova_network_t)
-+')
-+
-+optional_policy(`
-+ sysnet_domtrans_ifconfig(nova_network_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(nova_network_t)
-+')
-+
-+#######################################
-+#
-+# nova object store local policy
-+#
-+
-+allow nova_objectstore_t self:udp_socket create_socket_perms;
-+
-+corenet_tcp_bind_generic_node(nova_objectstore_t)
-+corenet_udp_bind_generic_node(nova_objectstore_t)
-+
-+optional_policy(`
-+ unconfined_domain(nova_objectstore_t)
-+')
-+
-+#######################################
-+#
-+# nova scheduler local policy
-+#
-+
-+allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
-+allow nova_scheduler_t self:udp_socket create_socket_perms;
-+
-+optional_policy(`
-+ unconfined_domain(nova_scheduler_t)
-+')
-+
-+#######################################
-+#
-+# nova vncproxy local policy
-+#
-+
-+optional_policy(`
-+ unconfined_domain(nova_vncproxy_t)
-+')
-+
-+#######################################
-+#
-+# nova volume local policy
-+#
-+
-+allow nova_volume_t self:netlink_route_socket r_netlink_socket_perms;
-+
-+allow nova_volume_t self:udp_socket create_socket_perms;
-+
-+kernel_read_kernel_sysctls(nova_volume_t)
-+
-+logging_send_syslog_msg(nova_volume_t)
-+
-+optional_policy(`
-+ lvm_domtrans(nova_volume_t)
-+')
-+
-+ifdef(`hide_broken_symptoms',`
-+ require {
-+ type sudo_exec_t;
-+ }
-+
-+ allow nova_volume_t sudo_exec_t:file { read execute open execute_no_trans };
-+
-+ allow nova_volume_t self:capability { setuid sys_resource setgid audit_write };
-+ allow nova_volume_t self:process { setsched setrlimit };
-+
-+ logging_send_audit_msgs(nova_volume_t)
-+
-+')
-+
-+optional_policy(`
-+ unconfined_domain(nova_volume_t)
-+')
-+
-diff --git a/nscd.fc b/nscd.fc
-index 623b731..429bd79 100644
---- a/nscd.fc
-+++ b/nscd.fc
-@@ -11,3 +11,5 @@
- /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
-
- /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-+
-+/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
-diff --git a/nscd.if b/nscd.if
-index 85188dc..2b37836 100644
---- a/nscd.if
-+++ b/nscd.if
-@@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
- dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
- files_search_pids($1)
- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
-- dontaudit $1 nscd_var_run_t:file { getattr read };
-+ dontaudit $1 nscd_var_run_t:file read_file_perms;
-+ ps_process_pattern(nscd_t, $1)
-+')
-+
-+########################################
-+##
-+## Use nscd services
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nscd_use',`
-+ tunable_policy(`nscd_use_shm',`
-+ nscd_shm_use($1)
-+ ',`
-+ nscd_socket_use($1)
-+ ')
- ')
-
- ########################################
-@@ -146,11 +165,14 @@ interface(`nscd_shm_use',`
- # nscd_socket_domain macro. need to investigate
- # if they are all actually required
- allow $1 self:unix_stream_socket create_stream_socket_perms;
-- allow $1 nscd_t:unix_stream_socket connectto;
-- allow $1 nscd_var_run_t:sock_file rw_file_perms;
-+
-+ # dg: This may not be required.
-+ allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
-+
-+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
- files_search_pids($1)
- allow $1 nscd_t:nscd { getpwd getgrp gethost };
-- dontaudit $1 nscd_var_run_t:file { getattr read };
-+ dontaudit $1 nscd_var_run_t:file read_file_perms;
- ')
-
- ########################################
-@@ -168,7 +190,7 @@ interface(`nscd_dontaudit_search_pid',`
- type nscd_var_run_t;
- ')
-
-- dontaudit $1 nscd_var_run_t:dir search;
-+ dontaudit $1 nscd_var_run_t:dir search_dir_perms;
- ')
-
- ########################################
-@@ -224,6 +246,7 @@ interface(`nscd_unconfined',`
- ## Role allowed access.
- ##
- ##
-+##
- #
- interface(`nscd_run',`
- gen_require(`
-@@ -254,6 +277,29 @@ interface(`nscd_initrc_domtrans',`
-
- ########################################
- ##
-+## Execute nscd server in the nscd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`nscd_systemctl',`
-+ gen_require(`
-+ type nscd_unit_file_t;
-+ type nscd_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 nscd_unit_file_t:file read_file_perms;
-+ allow $1 nscd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, nscd_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an nscd environment
- ##
-@@ -273,10 +319,14 @@ interface(`nscd_admin',`
- gen_require(`
- type nscd_t, nscd_log_t, nscd_var_run_t;
- type nscd_initrc_exec_t;
-+ type nscd_unit_file_t;
- ')
-
-- allow $1 nscd_t:process { ptrace signal_perms };
-+ allow $1 nscd_t:process signal_perms;
- ps_process_pattern($1, nscd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 nscd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, nscd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -288,4 +338,8 @@ interface(`nscd_admin',`
-
- files_list_pids($1)
- admin_pattern($1, nscd_var_run_t)
-+
-+ nscd_systemctl($1)
-+ admin_pattern($1, nscd_unit_file_t)
-+ allow $1 nscd_unit_file_t:service all_service_perms;
- ')
-diff --git a/nscd.te b/nscd.te
-index 7936e09..2814186 100644
---- a/nscd.te
-+++ b/nscd.te
-@@ -4,6 +4,13 @@ gen_require(`
- class nscd all_nscd_perms;
- ')
-
-+##
-+##
-+## Allow confined applications to use nscd shared memory.
-+##
-+##
-+gen_tunable(nscd_use_shm, false)
-+
- ########################################
- #
- # Declarations
-@@ -22,6 +29,9 @@ init_daemon_domain(nscd_t, nscd_exec_t)
- type nscd_initrc_exec_t;
- init_script_file(nscd_initrc_exec_t)
-
-+type nscd_unit_file_t;
-+systemd_unit_file(nscd_unit_file_t)
-+
- type nscd_log_t;
- logging_log_file(nscd_log_t)
-
-@@ -47,13 +57,15 @@ allow nscd_t self:nscd { admin getstat };
- allow nscd_t nscd_log_t:file manage_file_perms;
- logging_log_filetrans(nscd_t, nscd_log_t, file)
-
-+manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
- manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
- manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
--files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
-+files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir })
-
- corecmd_search_bin(nscd_t)
- can_exec(nscd_t, nscd_exec_t)
-
-+kernel_read_network_state(nscd_t)
- kernel_read_kernel_sysctls(nscd_t)
- kernel_list_proc(nscd_t)
- kernel_read_proc_symlinks(nscd_t)
-@@ -70,7 +82,6 @@ fs_list_inotifyfs(nscd_t)
- auth_getattr_shadow(nscd_t)
- auth_use_nsswitch(nscd_t)
-
--corenet_all_recvfrom_unlabeled(nscd_t)
- corenet_all_recvfrom_netlabel(nscd_t)
- corenet_tcp_sendrecv_generic_if(nscd_t)
- corenet_udp_sendrecv_generic_if(nscd_t)
-@@ -90,8 +101,8 @@ selinux_compute_create_context(nscd_t)
- selinux_compute_relabel_context(nscd_t)
- selinux_compute_user_contexts(nscd_t)
- domain_use_interactive_fds(nscd_t)
-+domain_search_all_domains_state(nscd_t)
-
--files_read_etc_files(nscd_t)
- files_read_generic_tmp_symlinks(nscd_t)
- # Needed to read files created by firstboot "/etc/hesiod.conf"
- files_read_etc_runtime_files(nscd_t)
-@@ -99,7 +110,6 @@ files_read_etc_runtime_files(nscd_t)
- logging_send_audit_msgs(nscd_t)
- logging_send_syslog_msg(nscd_t)
-
--miscfiles_read_localization(nscd_t)
-
- seutil_read_config(nscd_t)
- seutil_read_default_contexts(nscd_t)
-@@ -112,6 +122,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
- userdom_dontaudit_search_user_home_dirs(nscd_t)
-
- optional_policy(`
-+ accountsd_dontaudit_rw_fifo_file(nscd_t)
-+')
-+
-+optional_policy(`
- cron_read_system_job_tmp_files(nscd_t)
- ')
-
-@@ -127,3 +141,19 @@ optional_policy(`
- xen_dontaudit_rw_unix_stream_sockets(nscd_t)
- xen_append_log(nscd_t)
- ')
-+
-+optional_policy(`
-+ tunable_policy(`samba_domain_controller',`
-+ samba_append_log(nscd_t)
-+ samba_dontaudit_use_fds(nscd_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ samba_read_config(nscd_t)
-+ samba_read_var_files(nscd_t)
-+')
-+
-+optional_policy(`
-+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
-+')
-diff --git a/nsd.fc b/nsd.fc
-index 53cc800..5348e92 100644
---- a/nsd.fc
-+++ b/nsd.fc
-@@ -1,6 +1,6 @@
-
- /etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
--/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
-+/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_zone_t,s0)
- /etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
- /etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
-
-@@ -10,5 +10,4 @@
- /usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
-
- /var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
--/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
- /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
-diff --git a/nsd.if b/nsd.if
-index a1371d5..ad4f14a 100644
---- a/nsd.if
-+++ b/nsd.if
-@@ -2,6 +2,25 @@
-
- ########################################
- ##
-+## Read NSD pid file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsd_read_pid',`
-+ gen_require(`
-+ type nsd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, nsd_var_run_t, nsd_var_run_t)
-+')
-+
-+########################################
-+##
- ## Send and receive datagrams from NSD. (Deprecated)
- ##
- ##
-diff --git a/nsd.te b/nsd.te
-index 4b15536..82e97aa 100644
---- a/nsd.te
-+++ b/nsd.te
-@@ -18,15 +18,11 @@ domain_type(nsd_crond_t)
- domain_entry_file(nsd_crond_t, nsd_exec_t)
- role system_r types nsd_crond_t;
-
--# a type for nsd.db
--type nsd_db_t;
--files_type(nsd_db_t)
--
- type nsd_var_run_t;
- files_pid_file(nsd_var_run_t)
-
- # A type for zone files
--type nsd_zone_t;
-+type nsd_zone_t alias nsd_db_t;
- files_type(nsd_zone_t)
-
- ########################################
-@@ -34,25 +30,24 @@ files_type(nsd_zone_t)
- # NSD Local policy
- #
-
--allow nsd_t self:capability { dac_override chown setuid setgid };
-+allow nsd_t self:capability { chown dac_override kill setgid setuid };
- dontaudit nsd_t self:capability sys_tty_config;
- allow nsd_t self:process signal_perms;
- allow nsd_t self:tcp_socket create_stream_socket_perms;
- allow nsd_t self:udp_socket create_socket_perms;
-+allow nsd_t self:fifo_file rw_fifo_file_perms;
-
- allow nsd_t nsd_conf_t:dir list_dir_perms;
- read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
- read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
-
--allow nsd_t nsd_db_t:file manage_file_perms;
--filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
--
- manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
- files_pid_filetrans(nsd_t, nsd_var_run_t, file)
-
--allow nsd_t nsd_zone_t:dir list_dir_perms;
--read_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
--read_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
-+manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
-+manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
-+manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
-+files_var_lib_filetrans(nsd_t, nsd_zone_t, dir)
-
- can_exec(nsd_t, nsd_exec_t)
-
-@@ -61,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t)
-
- corecmd_exec_bin(nsd_t)
-
--corenet_all_recvfrom_unlabeled(nsd_t)
- corenet_all_recvfrom_netlabel(nsd_t)
- corenet_tcp_sendrecv_generic_if(nsd_t)
- corenet_udp_sendrecv_generic_if(nsd_t)
-@@ -79,17 +73,17 @@ dev_read_sysfs(nsd_t)
-
- domain_use_interactive_fds(nsd_t)
-
--files_read_etc_files(nsd_t)
- files_read_etc_runtime_files(nsd_t)
-+files_search_var_lib(nsd_t)
-
- fs_getattr_all_fs(nsd_t)
- fs_search_auto_mountpoints(nsd_t)
-
--logging_send_syslog_msg(nsd_t)
-+auth_use_nsswitch(nsd_t)
-
--miscfiles_read_localization(nsd_t)
-+logging_send_syslog_msg(nsd_t)
-
--sysnet_read_config(nsd_t)
-+sysnet_dns_name_resolve(nsd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(nsd_t)
- userdom_dontaudit_search_user_home_dirs(nsd_t)
-@@ -121,8 +115,6 @@ allow nsd_crond_t self:udp_socket create_socket_perms;
-
- allow nsd_crond_t nsd_conf_t:file read_file_perms;
-
--allow nsd_crond_t nsd_db_t:file manage_file_perms;
--filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
- files_search_var_lib(nsd_crond_t)
-
- allow nsd_crond_t nsd_t:process signal;
-@@ -139,7 +131,6 @@ kernel_read_system_state(nsd_crond_t)
- corecmd_exec_bin(nsd_crond_t)
- corecmd_exec_shell(nsd_crond_t)
-
--corenet_all_recvfrom_unlabeled(nsd_crond_t)
- corenet_all_recvfrom_netlabel(nsd_crond_t)
- corenet_tcp_sendrecv_generic_if(nsd_crond_t)
- corenet_udp_sendrecv_generic_if(nsd_crond_t)
-@@ -155,13 +146,13 @@ dev_read_urand(nsd_crond_t)
-
- domain_dontaudit_read_all_domains_state(nsd_crond_t)
-
--files_read_etc_files(nsd_crond_t)
- files_read_etc_runtime_files(nsd_crond_t)
- files_search_var_lib(nsd_t)
-
-+auth_use_nsswitch(nsd_crond_t)
-+
- logging_send_syslog_msg(nsd_crond_t)
-
--miscfiles_read_localization(nsd_crond_t)
-
- sysnet_read_config(nsd_crond_t)
-
-diff --git a/nslcd.if b/nslcd.if
-index 23c769c..0398e70 100644
---- a/nslcd.if
-+++ b/nslcd.if
-@@ -93,12 +93,15 @@ interface(`nslcd_stream_connect',`
- #
- interface(`nslcd_admin',`
- gen_require(`
-- type nslcd_t, nslcd_initrc_exec_t;
-- type nslcd_conf_t, nslcd_var_run_t;
-+ type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t;
-+ type nslcd_conf_t;
- ')
-
- ps_process_pattern($1, nslcd_t)
-- allow $1 nslcd_t:process { ptrace signal_perms };
-+ allow $1 nslcd_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 nslcd_t:process ptrace;
-+ ')
-
- # Allow nslcd_t to restart the apache service
- nslcd_initrc_domtrans($1)
-@@ -106,9 +109,9 @@ interface(`nslcd_admin',`
- role_transition $2 nslcd_initrc_exec_t system_r;
- allow $2 system_r;
-
-- manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t)
-+ files_list_etc($1)
-+ admin_pattern($1, nslcd_conf_t)
-
-- manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
-- manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
-- manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
-+ files_list_pids($1)
-+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
- ')
-diff --git a/nslcd.te b/nslcd.te
-index 01594c8..bcc61b5 100644
---- a/nslcd.te
-+++ b/nslcd.te
-@@ -16,15 +16,15 @@ type nslcd_var_run_t;
- files_pid_file(nslcd_var_run_t)
-
- type nslcd_conf_t;
--files_type(nslcd_conf_t)
-+files_config_file(nslcd_conf_t)
-
- ########################################
- #
- # nslcd local policy
- #
-
--allow nslcd_t self:capability { setgid setuid dac_override };
--allow nslcd_t self:process signal;
-+allow nslcd_t self:capability { dac_override setgid setuid sys_nice };
-+allow nslcd_t self:process { setsched signal };
- allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
-
- allow nslcd_t nslcd_conf_t:file read_file_perms;
-@@ -42,13 +42,21 @@ corenet_tcp_connect_ldap_port(nslcd_t)
- corenet_sendrecv_ldap_client_packets(nslcd_t)
-
- files_read_etc_files(nslcd_t)
-+files_read_usr_symlinks(nslcd_t)
-+files_list_tmp(nslcd_t)
-
- auth_use_nsswitch(nslcd_t)
-
- logging_send_syslog_msg(nslcd_t)
-
--miscfiles_read_localization(nslcd_t)
-+
-+userdom_read_user_tmp_files(nslcd_t)
-+
-+optional_policy(`
-+ dirsrv_stream_connect(nslcd_t)
-+')
-
- optional_policy(`
- ldap_stream_connect(nslcd_t)
- ')
-+
-diff --git a/nsplugin.fc b/nsplugin.fc
-new file mode 100644
-index 0000000..22e6c96
---- /dev/null
-+++ b/nsplugin.fc
-@@ -0,0 +1,11 @@
-+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
-+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
-+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
-+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
-+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
-+
-+/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
-+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
-+/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
-+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
-+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
-diff --git a/nsplugin.if b/nsplugin.if
-new file mode 100644
-index 0000000..fce899a
---- /dev/null
-+++ b/nsplugin.if
-@@ -0,0 +1,472 @@
-+
-+## policy for nsplugin
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## nsplugin rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_manage_rw_files',`
-+ gen_require(`
-+ type nsplugin_rw_t;
-+ ')
-+
-+ allow $1 nsplugin_rw_t:file manage_file_perms;
-+ allow $1 nsplugin_rw_t:dir rw_dir_perms;
-+')
-+
-+########################################
-+##
-+## Manage nsplugin rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_manage_rw',`
-+ gen_require(`
-+ type nsplugin_rw_t;
-+ ')
-+
-+ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+')
-+
-+#######################################
-+##
-+## The per role template for the nsplugin module.
-+##
-+##
-+##
-+## The role associated with the user domain.
-+##
-+##
-+##
-+##
-+## The type of the user domain.
-+##
-+##
-+#
-+interface(`nsplugin_role_notrans',`
-+ gen_require(`
-+ type nsplugin_rw_t;
-+ type nsplugin_home_t;
-+ type nsplugin_exec_t;
-+ type nsplugin_config_exec_t;
-+ type nsplugin_t;
-+ type nsplugin_config_t;
-+ class x_drawable all_x_drawable_perms;
-+ class x_resource all_x_resource_perms;
-+ class dbus send_msg;
-+ ')
-+
-+ role $1 types nsplugin_t;
-+ role $1 types nsplugin_config_t;
-+
-+ allow nsplugin_t $2:process signull;
-+ allow nsplugin_t $2:dbus send_msg;
-+ allow $2 nsplugin_t:dbus send_msg;
-+
-+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
-+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
-+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
-+ can_exec($2, nsplugin_rw_t)
-+
-+ #Leaked File Descriptors
-+ifdef(`hide_broken_symptoms', `
-+ dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
-+ dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
-+')
-+ allow nsplugin_t $2:unix_stream_socket connectto;
-+ dontaudit nsplugin_t $2:process ptrace;
-+ allow nsplugin_t $2:sem rw_sem_perms;
-+ allow nsplugin_t $2:shm rw_shm_perms;
-+ dontaudit nsplugin_t $2:shm destroy;
-+ allow $2 nsplugin_t:sem rw_sem_perms;
-+
-+ allow $2 nsplugin_t:process { getattr signal_perms };
-+ allow $2 nsplugin_t:unix_stream_socket connectto;
-+
-+ # Connect to pulseaudit server
-+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
-+ gnome_stream_connect(nsplugin_t, $2)
-+
-+ userdom_use_inherited_user_terminals(nsplugin_t)
-+ userdom_use_inherited_user_terminals(nsplugin_config_t)
-+ userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
-+ userdom_manage_tmpfs_role($1, nsplugin_t)
-+
-+ optional_policy(`
-+ pulseaudio_role($1, nsplugin_t)
-+ ')
-+')
-+
-+#######################################
-+##
-+## Role access for nsplugin
-+##
-+##
-+##
-+## The role associated with the user domain.
-+##
-+##
-+##
-+##
-+## The type of the user domain.
-+##
-+##
-+#
-+interface(`nsplugin_role',`
-+ gen_require(`
-+ type nsplugin_exec_t;
-+ type nsplugin_config_exec_t;
-+ type nsplugin_t;
-+ type nsplugin_config_t;
-+ ')
-+
-+ nsplugin_role_notrans($1, $2)
-+
-+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
-+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
-+
-+')
-+
-+#######################################
-+##
-+## The per role template for the nsplugin module.
-+##
-+##
-+##
-+## The type of the user domain.
-+##
-+##
-+#
-+interface(`nsplugin_domtrans',`
-+ gen_require(`
-+ type nsplugin_exec_t;
-+ type nsplugin_t;
-+ ')
-+
-+ domtrans_pattern($1, nsplugin_exec_t, nsplugin_t)
-+ allow $1 nsplugin_t:unix_stream_socket connectto;
-+ allow nsplugin_t $1:process signal;
-+')
-+
-+#######################################
-+##
-+## The per role template for the nsplugin module.
-+##
-+##
-+##
-+## The type of the user domain.
-+##
-+##
-+#
-+interface(`nsplugin_domtrans_config',`
-+ gen_require(`
-+ type nsplugin_config_exec_t;
-+ type nsplugin_config_t;
-+ ')
-+
-+ domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t)
-+')
-+
-+########################################
-+##
-+## Search nsplugin rw directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_search_rw_dir',`
-+ gen_require(`
-+ type nsplugin_rw_t;
-+ ')
-+
-+ allow $1 nsplugin_rw_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Read nsplugin rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_read_rw_files',`
-+ gen_require(`
-+ type nsplugin_rw_t;
-+ ')
-+
-+ list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+')
-+
-+########################################
-+##
-+## Read nsplugin home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_read_home',`
-+ gen_require(`
-+ type nsplugin_home_t;
-+ ')
-+
-+ list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
-+ read_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
-+ read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
-+')
-+
-+########################################
-+##
-+## Exec nsplugin rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_rw_exec',`
-+ gen_require(`
-+ type nsplugin_rw_t;
-+ ')
-+
-+ can_exec($1, nsplugin_rw_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## nsplugin home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_manage_home_files',`
-+ gen_require(`
-+ type nsplugin_home_t;
-+ ')
-+
-+ manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
-+')
-+
-+########################################
-+##
-+## manage nnsplugin home dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_manage_home_dirs',`
-+ gen_require(`
-+ type nsplugin_home_t;
-+ ')
-+
-+ manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
-+')
-+
-+########################################
-+##
-+## Allow attempts to read and write to
-+## nsplugin named pipes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`nsplugin_rw_pipes',`
-+ gen_require(`
-+ type nsplugin_home_t;
-+ ')
-+
-+ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write to nsplugin shared memory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_rw_shm',`
-+ gen_require(`
-+ type nsplugin_t;
-+ ')
-+
-+ allow $1 nsplugin_t:shm rw_shm_perms;
-+')
-+
-+#####################################
-+##
-+## Allow read and write access to nsplugin semaphores.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_rw_semaphores',`
-+ gen_require(`
-+ type nsplugin_t;
-+ ')
-+
-+ allow $1 nsplugin_t:sem rw_sem_perms;
-+')
-+
-+########################################
-+##
-+## Execute nsplugin_exec_t
-+## in the specified domain.
-+##
-+##
-+##
-+## Execute a nsplugin_exec_t
-+## in the specified domain.
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`nsplugin_exec_domtrans',`
-+ gen_require(`
-+ type nsplugin_exec_t;
-+ ')
-+
-+ allow $2 nsplugin_exec_t:file entrypoint;
-+ domtrans_pattern($1, nsplugin_exec_t, $2)
-+')
-+
-+########################################
-+##
-+## Send generic signals to user nsplugin processes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_signal',`
-+ gen_require(`
-+ type nsplugin_t;
-+ ')
-+
-+ allow $1 nsplugin_t:process signal;
-+')
-+
-+########################################
-+##
-+## Create objects in a user home directory
-+## with an automatic type transition to
-+## the nsplugin home file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+#
-+interface(`nsplugin_user_home_dir_filetrans',`
-+ gen_require(`
-+ type nsplugin_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2)
-+')
-+
-+#######################################
-+##
-+## Create objects in a user home directory
-+## with an automatic type transition to
-+## the nsplugin home file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+#
-+interface(`nsplugin_user_home_filetrans',`
-+ gen_require(`
-+ type nsplugin_home_t;
-+ ')
-+
-+ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2)
-+')
-+
-+########################################
-+##
-+## Send signull signal to nsplugin
-+## processes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_signull',`
-+ gen_require(`
-+ type nsplugin_t;
-+ ')
-+
-+ allow $1 nsplugin_t:process signull;
-+')
-diff --git a/nsplugin.te b/nsplugin.te
-new file mode 100644
-index 0000000..a333e40
---- /dev/null
-+++ b/nsplugin.te
-@@ -0,0 +1,323 @@
-+policy_module(nsplugin, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+##
-+##
-+## Allow nsplugin code to execmem/execstack
-+##
-+##
-+gen_tunable(nsplugin_execmem, false)
-+
-+##
-+##
-+## Allow nsplugin code to connect to unreserved ports
-+##
-+##
-+gen_tunable(nsplugin_can_network, true)
-+
-+type nsplugin_exec_t;
-+application_executable_file(nsplugin_exec_t)
-+
-+type nsplugin_config_exec_t;
-+application_executable_file(nsplugin_config_exec_t)
-+
-+type nsplugin_rw_t;
-+files_poly_member(nsplugin_rw_t)
-+files_type(nsplugin_rw_t)
-+
-+type nsplugin_tmp_t;
-+files_tmp_file(nsplugin_tmp_t)
-+
-+type nsplugin_home_t;
-+files_poly_member(nsplugin_home_t)
-+userdom_user_home_content(nsplugin_home_t)
-+typealias nsplugin_home_t alias user_nsplugin_home_t;
-+
-+type nsplugin_t;
-+application_domain(nsplugin_t, nsplugin_exec_t)
-+
-+type nsplugin_config_t;
-+domain_type(nsplugin_config_t)
-+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
-+
-+application_executable_file(nsplugin_exec_t)
-+application_executable_file(nsplugin_config_exec_t)
-+
-+
-+########################################
-+#
-+# nsplugin local policy
-+#
-+dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
-+allow nsplugin_t self:fifo_file rw_file_perms;
-+allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
-+
-+allow nsplugin_t self:sem create_sem_perms;
-+allow nsplugin_t self:shm create_shm_perms;
-+allow nsplugin_t self:msgq create_msgq_perms;
-+allow nsplugin_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
-+allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms };
-+allow nsplugin_t self:tcp_socket create_stream_socket_perms;
-+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
-+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
-+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
-+
-+tunable_policy(`nsplugin_execmem',`
-+ allow nsplugin_t self:process { execstack execmem };
-+ allow nsplugin_config_t self:process { execstack execmem };
-+')
-+
-+tunable_policy(`nsplugin_can_network',`
-+ corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
-+ corenet_tcp_connect_all_ephemeral_ports(nsplugin_t)
-+')
-+
-+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
-+userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
-+userdom_dontaudit_getattr_user_home_content(nsplugin_t)
-+userdom_dontaudit_search_user_bin_dirs(nsplugin_t)
-+userdom_dontaudit_write_user_home_content_files(nsplugin_t)
-+userdom_dontaudit_search_admin_dir(nsplugin_t)
-+
-+corecmd_exec_bin(nsplugin_t)
-+corecmd_exec_shell(nsplugin_t)
-+
-+corenet_all_recvfrom_netlabel(nsplugin_t)
-+corenet_tcp_connect_flash_port(nsplugin_t)
-+corenet_tcp_connect_streaming_port(nsplugin_t)
-+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
-+corenet_tcp_connect_http_port(nsplugin_t)
-+corenet_tcp_connect_http_cache_port(nsplugin_t)
-+corenet_tcp_connect_squid_port(nsplugin_t)
-+corenet_tcp_sendrecv_generic_if(nsplugin_t)
-+corenet_tcp_sendrecv_generic_node(nsplugin_t)
-+corenet_tcp_connect_ipp_port(nsplugin_t)
-+corenet_tcp_connect_speech_port(nsplugin_t)
-+
-+domain_dontaudit_read_all_domains_state(nsplugin_t)
-+
-+dev_read_urand(nsplugin_t)
-+dev_read_rand(nsplugin_t)
-+dev_read_sound(nsplugin_t)
-+dev_write_sound(nsplugin_t)
-+dev_read_video_dev(nsplugin_t)
-+dev_write_video_dev(nsplugin_t)
-+dev_getattr_dri_dev(nsplugin_t)
-+dev_getattr_mouse_dev(nsplugin_t)
-+dev_rwx_zero(nsplugin_t)
-+dev_read_sysfs(nsplugin_t)
-+dev_dontaudit_getattr_all(nsplugin_t)
-+
-+kernel_read_kernel_sysctls(nsplugin_t)
-+kernel_read_system_state(nsplugin_t)
-+kernel_read_network_state(nsplugin_t)
-+
-+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
-+files_dontaudit_list_home(nsplugin_t)
-+files_read_usr_files(nsplugin_t)
-+files_read_config_files(nsplugin_t)
-+
-+fs_getattr_tmpfs(nsplugin_t)
-+fs_getattr_xattr_fs(nsplugin_t)
-+fs_search_auto_mountpoints(nsplugin_t)
-+fs_rw_anon_inodefs_files(nsplugin_t)
-+fs_list_inotifyfs(nsplugin_t)
-+fs_dontaudit_list_fusefs(nsplugin_t)
-+
-+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
-+storage_dontaudit_getattr_removable_dev(nsplugin_t)
-+
-+term_dontaudit_getattr_all_ptys(nsplugin_t)
-+term_dontaudit_getattr_all_ttys(nsplugin_t)
-+
-+auth_use_nsswitch(nsplugin_t)
-+
-+libs_exec_ld_so(nsplugin_t)
-+
-+miscfiles_read_fonts(nsplugin_t)
-+miscfiles_dontaudit_write_fonts(nsplugin_t)
-+miscfiles_setattr_fonts_cache_dirs(nsplugin_t)
-+
-+userdom_manage_user_tmp_dirs(nsplugin_t)
-+userdom_manage_user_tmp_files(nsplugin_t)
-+userdom_manage_user_tmp_sockets(nsplugin_t)
-+userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file })
-+userdom_rw_semaphores(nsplugin_t)
-+userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t)
-+
-+userdom_read_user_home_content_symlinks(nsplugin_t)
-+userdom_read_user_home_content_files(nsplugin_t)
-+userdom_read_user_tmp_files(nsplugin_t)
-+userdom_write_user_tmp_sockets(nsplugin_t)
-+userdom_dontaudit_append_user_home_content_files(nsplugin_t)
-+userdom_read_home_audio_files(nsplugin_t)
-+
-+optional_policy(`
-+ alsa_read_rw_config(nsplugin_t)
-+ alsa_read_home_files(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ chrome_dontaudit_sandbox_leaks(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ cups_stream_connect(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ dbus_session_bus_client(nsplugin_t)
-+ dbus_connect_session_bus(nsplugin_t)
-+ dbus_system_bus_client(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ gnome_exec_gconf(nsplugin_t)
-+ gnome_manage_config(nsplugin_t)
-+ gnome_read_gconf_home_files(nsplugin_t)
-+ gnome_read_usr_config(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ gpm_getattr_gpmctl(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ mozilla_exec_user_home_files(nsplugin_t)
-+ mozilla_read_user_home_files(nsplugin_t)
-+ mozilla_write_user_home_files(nsplugin_t)
-+ mozilla_plugin_delete_tmpfs_files(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ mplayer_exec(nsplugin_t)
-+ mplayer_read_user_home_files(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ sandbox_read_tmpfs_files(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+ xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
-+ xserver_rw_shm(nsplugin_t)
-+ xserver_read_xdm_pid(nsplugin_t)
-+ xserver_read_xdm_tmp_files(nsplugin_t)
-+ xserver_read_user_xauth(nsplugin_t)
-+ xserver_read_user_iceauth(nsplugin_t)
-+ xserver_use_user_fonts(nsplugin_t)
-+ xserver_rw_inherited_user_fonts(nsplugin_t)
-+')
-+
-+########################################
-+#
-+# nsplugin_config local policy
-+#
-+
-+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
-+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
-+#execing pulseaudio
-+dontaudit nsplugin_t self:process { getcap setcap };
-+
-+allow nsplugin_config_t self:fifo_file rw_file_perms;
-+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
-+
-+dev_search_sysfs(nsplugin_config_t)
-+dev_read_urand(nsplugin_config_t)
-+dev_dontaudit_read_rand(nsplugin_config_t)
-+dev_dontaudit_rw_dri(nsplugin_config_t)
-+
-+fs_search_auto_mountpoints(nsplugin_config_t)
-+fs_list_inotifyfs(nsplugin_config_t)
-+
-+can_exec(nsplugin_config_t, nsplugin_rw_t)
-+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
-+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
-+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
-+
-+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
-+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
-+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
-+
-+corecmd_exec_bin(nsplugin_config_t)
-+corecmd_exec_shell(nsplugin_config_t)
-+
-+kernel_read_system_state(nsplugin_config_t)
-+kernel_request_load_module(nsplugin_config_t)
-+
-+domain_use_interactive_fds(nsplugin_config_t)
-+
-+files_read_usr_files(nsplugin_config_t)
-+files_dontaudit_search_home(nsplugin_config_t)
-+files_list_tmp(nsplugin_config_t)
-+
-+auth_use_nsswitch(nsplugin_config_t)
-+
-+miscfiles_read_fonts(nsplugin_config_t)
-+
-+userdom_search_user_home_content(nsplugin_config_t)
-+userdom_read_user_home_content_symlinks(nsplugin_config_t)
-+userdom_read_user_home_content_files(nsplugin_config_t)
-+userdom_dontaudit_search_admin_dir(nsplugin_config_t)
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_getattr_nfs(nsplugin_t)
-+ fs_manage_nfs_dirs(nsplugin_t)
-+ fs_manage_nfs_files(nsplugin_t)
-+ fs_manage_nfs_symlinks(nsplugin_t)
-+ fs_manage_nfs_named_pipes(nsplugin_t)
-+ fs_manage_nfs_dirs(nsplugin_config_t)
-+ fs_manage_nfs_files(nsplugin_config_t)
-+ fs_manage_nfs_named_pipes(nsplugin_config_t)
-+ fs_manage_nfs_symlinks(nsplugin_config_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_getattr_cifs(nsplugin_t)
-+ fs_manage_cifs_dirs(nsplugin_t)
-+ fs_manage_cifs_files(nsplugin_t)
-+ fs_manage_cifs_symlinks(nsplugin_t)
-+ fs_manage_cifs_named_pipes(nsplugin_t)
-+ fs_manage_cifs_dirs(nsplugin_config_t)
-+ fs_manage_cifs_files(nsplugin_config_t)
-+ fs_manage_cifs_named_pipes(nsplugin_config_t)
-+ fs_manage_cifs_symlinks(nsplugin_config_t)
-+')
-+
-+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
-+
-+optional_policy(`
-+ xserver_use_user_fonts(nsplugin_config_t)
-+')
-+
-+optional_policy(`
-+ mozilla_read_user_home_files(nsplugin_config_t)
-+ mozilla_write_user_home_files(nsplugin_config_t)
-+')
-+
-+application_signull(nsplugin_t)
-+
-+optional_policy(`
-+ devicekit_dbus_chat_power(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ pulseaudio_exec(nsplugin_t)
-+ pulseaudio_stream_connect(nsplugin_t)
-+ pulseaudio_manage_home_files(nsplugin_t)
-+ pulseaudio_setattr_home_dir(nsplugin_t)
-+')
-diff --git a/ntop.te b/ntop.te
-index ded9fb6..6b11681 100644
---- a/ntop.te
-+++ b/ntop.te
-@@ -63,7 +63,6 @@ kernel_read_kernel_sysctls(ntop_t)
- kernel_list_proc(ntop_t)
- kernel_read_proc_symlinks(ntop_t)
-
--corenet_all_recvfrom_unlabeled(ntop_t)
- corenet_all_recvfrom_netlabel(ntop_t)
- corenet_tcp_sendrecv_generic_if(ntop_t)
- corenet_udp_sendrecv_generic_if(ntop_t)
-@@ -85,7 +84,6 @@ dev_rw_generic_usb_dev(ntop_t)
-
- domain_use_interactive_fds(ntop_t)
-
--files_read_etc_files(ntop_t)
- files_read_usr_files(ntop_t)
-
- fs_getattr_all_fs(ntop_t)
-@@ -95,7 +93,6 @@ auth_use_nsswitch(ntop_t)
-
- logging_send_syslog_msg(ntop_t)
-
--miscfiles_read_localization(ntop_t)
- miscfiles_read_fonts(ntop_t)
-
- userdom_dontaudit_use_unpriv_user_fds(ntop_t)
-diff --git a/ntp.fc b/ntp.fc
-index e79dccc..2a3c6af 100644
---- a/ntp.fc
-+++ b/ntp.fc
-@@ -10,10 +10,14 @@
-
- /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
-+
- /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
- /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-+/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-
- /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-
- /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
- /var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
-diff --git a/ntp.if b/ntp.if
-index e80f8c0..0044e73 100644
---- a/ntp.if
-+++ b/ntp.if
-@@ -98,6 +98,48 @@ interface(`ntp_initrc_domtrans',`
- init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
- ')
-
-+#####################################
-+##
-+## Allow domain to read ntpd systemd unit files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ntp_read_unit_file',`
-+ gen_require(`
-+ type ntpd_unit_file_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 ntpd_unit_file_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute ntpd server in the ntpd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ntp_systemctl',`
-+ gen_require(`
-+ type ntpd_unit_file_t;
-+ type ntpd_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 ntpd_unit_file_t:file read_file_perms;
-+ allow $1 ntpd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, ntpd_t)
-+')
-+
- ########################################
- ##
- ## Read and write ntpd shared memory.
-@@ -122,6 +164,25 @@ interface(`ntp_rw_shm',`
-
- ########################################
- ##
-+## Allow the domain to read ntpd state files in /proc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ntp_read_state',`
-+ gen_require(`
-+ type ntpd_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, ntpd_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an ntp environment
- ##
-@@ -140,12 +201,15 @@ interface(`ntp_rw_shm',`
- interface(`ntp_admin',`
- gen_require(`
- type ntpd_t, ntpd_tmp_t, ntpd_log_t;
-- type ntpd_key_t, ntpd_var_run_t;
-- type ntpd_initrc_exec_t;
-+ type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
-+ type ntpd_unit_file_t;
- ')
-
-- allow $1 ntpd_t:process { ptrace signal_perms getattr };
-+ allow $1 ntpd_t:process signal_perms;
- ps_process_pattern($1, ntpd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ntpd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -162,4 +226,8 @@ interface(`ntp_admin',`
-
- files_list_pids($1)
- admin_pattern($1, ntpd_var_run_t)
-+
-+ ntp_systemctl($1)
-+ admin_pattern($1, ntpd_unit_file_t)
-+ allow $1 ntpd_unit_file_t:service all_service_perms;
- ')
-diff --git a/ntp.te b/ntp.te
-index c61adc8..cb20a9d 100644
---- a/ntp.te
-+++ b/ntp.te
-@@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t)
- type ntpd_initrc_exec_t;
- init_script_file(ntpd_initrc_exec_t)
-
-+type ntpd_unit_file_t;
-+systemd_unit_file(ntpd_unit_file_t)
-+
- type ntpd_key_t;
- files_type(ntpd_key_t)
-
-@@ -50,6 +53,7 @@ allow ntpd_t self:unix_stream_socket create_socket_perms;
- allow ntpd_t self:tcp_socket create_stream_socket_perms;
- allow ntpd_t self:udp_socket create_socket_perms;
-
-+manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
- manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
-
- can_exec(ntpd_t, ntpd_exec_t)
-@@ -78,7 +82,6 @@ kernel_read_system_state(ntpd_t)
- kernel_read_network_state(ntpd_t)
- kernel_request_load_module(ntpd_t)
-
--corenet_all_recvfrom_unlabeled(ntpd_t)
- corenet_all_recvfrom_netlabel(ntpd_t)
- corenet_tcp_sendrecv_generic_if(ntpd_t)
- corenet_udp_sendrecv_generic_if(ntpd_t)
-@@ -96,11 +99,15 @@ corenet_sendrecv_ntp_client_packets(ntpd_t)
- dev_read_sysfs(ntpd_t)
- # for SSP
- dev_read_urand(ntpd_t)
-+dev_rw_realtime_clock(ntpd_t)
-
- fs_getattr_all_fs(ntpd_t)
- fs_search_auto_mountpoints(ntpd_t)
-+# Necessary to communicate with gpsd devices
-+fs_rw_tmpfs_files(ntpd_t)
-
- term_use_ptmx(ntpd_t)
-+term_use_unallocated_ttys(ntpd_t)
-
- auth_use_nsswitch(ntpd_t)
-
-@@ -110,7 +117,6 @@ corecmd_exec_shell(ntpd_t)
- domain_use_interactive_fds(ntpd_t)
- domain_dontaudit_list_all_domains_state(ntpd_t)
-
--files_read_etc_files(ntpd_t)
- files_read_etc_runtime_files(ntpd_t)
- files_read_usr_files(ntpd_t)
- files_list_var_lib(ntpd_t)
-@@ -119,7 +125,6 @@ init_exec_script_files(ntpd_t)
-
- logging_send_syslog_msg(ntpd_t)
-
--miscfiles_read_localization(ntpd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
- userdom_list_user_home_dirs(ntpd_t)
-diff --git a/numad.fc b/numad.fc
-new file mode 100644
-index 0000000..1f97624
---- /dev/null
-+++ b/numad.fc
-@@ -0,0 +1,7 @@
-+/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0)
-+
-+/usr/lib/systemd/system/numad.* -- gen_context(system_u:object_r:numad_unit_file_t,s0)
-+
-+/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_var_log_t,s0)
-+
-+/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
-diff --git a/numad.if b/numad.if
-new file mode 100644
-index 0000000..709dda1
---- /dev/null
-+++ b/numad.if
-@@ -0,0 +1,72 @@
-+
-+## policy for numad
-+
-+########################################
-+##
-+## Transition to numad.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`numad_domtrans',`
-+ gen_require(`
-+ type numad_t, numad_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, numad_exec_t, numad_t)
-+')
-+########################################
-+##
-+## Execute numad server in the numad domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`numad_systemctl',`
-+ gen_require(`
-+ type numad_t;
-+ type numad_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 numad_unit_file_t:file read_file_perms;
-+ allow $1 numad_unit_file_t:service all_service_perms;
-+
-+ ps_process_pattern($1, numad_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an numad environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`numad_admin',`
-+ gen_require(`
-+ type numad_t;
-+ type numad_unit_file_t;
-+ ')
-+
-+ allow $1 numad_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, numad_t)
-+
-+ numad_systemctl($1)
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/numad.te b/numad.te
-new file mode 100644
-index 0000000..c2d4196
---- /dev/null
-+++ b/numad.te
-@@ -0,0 +1,46 @@
-+policy_module(numad, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type numad_t;
-+type numad_exec_t;
-+init_daemon_domain(numad_t, numad_exec_t)
-+
-+type numad_unit_file_t;
-+systemd_unit_file(numad_unit_file_t)
-+
-+type numad_var_log_t;
-+logging_log_file(numad_var_log_t)
-+
-+type numad_var_run_t;
-+files_pid_file(numad_var_run_t)
-+
-+########################################
-+#
-+# numad local policy
-+#
-+
-+allow numad_t self:process { fork };
-+allow numad_t self:fifo_file rw_fifo_file_perms;
-+allow numad_t self:msgq create_msgq_perms;
-+allow numad_t self:msg { send receive };
-+allow numad_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t)
-+logging_log_filetrans(numad_t, numad_var_log_t, { file })
-+
-+manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
-+files_pid_filetrans(numad_t, numad_var_run_t, { file })
-+
-+kernel_read_system_state(numad_t)
-+
-+dev_read_sysfs(numad_t)
-+
-+domain_use_interactive_fds(numad_t)
-+
-+files_read_etc_files(numad_t)
-+
-+fs_search_cgroup_dirs(numad_t)
-diff --git a/nut.fc b/nut.fc
-index 0a929ef..371119d 100644
---- a/nut.fc
-+++ b/nut.fc
-@@ -3,6 +3,7 @@
- /sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-
- /usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
-+/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
- /usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
-
- /var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
-diff --git a/nut.te b/nut.te
-index ff962dd..7c6ea74 100644
---- a/nut.te
-+++ b/nut.te
-@@ -29,6 +29,7 @@ files_pid_file(nut_var_run_t)
- #
-
- allow nut_upsd_t self:capability { setgid setuid dac_override };
-+allow nut_upsd_t self:process signal_perms;
-
- allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
- allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
-@@ -55,7 +56,6 @@ auth_use_nsswitch(nut_upsd_t)
-
- logging_send_syslog_msg(nut_upsd_t)
-
--miscfiles_read_localization(nut_upsd_t)
-
- ########################################
- #
-@@ -100,7 +100,6 @@ logging_send_syslog_msg(nut_upsmon_t)
-
- auth_use_nsswitch(nut_upsmon_t)
-
--miscfiles_read_localization(nut_upsmon_t)
-
- mta_send_mail(nut_upsmon_t)
-
-@@ -133,6 +132,7 @@ kernel_read_kernel_sysctls(nut_upsdrvctl_t)
- # /sbin/upsdrvctl executes other drivers
- corecmd_exec_bin(nut_upsdrvctl_t)
-
-+dev_read_sysfs(nut_upsdrvctl_t)
- dev_read_urand(nut_upsdrvctl_t)
- dev_rw_generic_usb_dev(nut_upsdrvctl_t)
-
-@@ -144,7 +144,6 @@ init_sigchld(nut_upsdrvctl_t)
-
- logging_send_syslog_msg(nut_upsdrvctl_t)
-
--miscfiles_read_localization(nut_upsdrvctl_t)
-
- #######################################
- #
-@@ -157,7 +156,6 @@ optional_policy(`
-
- read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
-
-- corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
- corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
- corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
- corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
-diff --git a/nx.if b/nx.if
-index 79a225c..d82b231 100644
---- a/nx.if
-+++ b/nx.if
-@@ -33,8 +33,10 @@ interface(`nx_read_home_files',`
- type nx_server_home_ssh_t, nx_server_var_lib_t;
- ')
-
-+ files_search_var_lib($1)
- allow $1 nx_server_var_lib_t:dir search_dir_perms;
- read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
-+ read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
- ')
-
- ########################################
-@@ -52,6 +54,7 @@ interface(`nx_search_var_lib',`
- type nx_server_var_lib_t;
- ')
-
-+ files_search_var_lib($1)
- allow $1 nx_server_var_lib_t:dir search_dir_perms;
- ')
-
-@@ -81,5 +84,24 @@ interface(`nx_var_lib_filetrans',`
- type nx_server_var_lib_t;
- ')
-
-+ files_search_var_lib($1)
- filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
- ')
-+
-+########################################
-+##
-+## Transition to nx named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nx_filetrans_named_content',`
-+ gen_require(`
-+ type nx_server_home_ssh_t, nx_server_var_lib_t;
-+ ')
-+
-+ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
-+')
-diff --git a/nx.te b/nx.te
-index 58e2972..4633dd2 100644
---- a/nx.te
-+++ b/nx.te
-@@ -28,6 +28,9 @@ files_type(nx_server_var_lib_t)
- type nx_server_var_run_t;
- files_pid_file(nx_server_var_run_t)
-
-+type nx_server_home_ssh_t;
-+files_type(nx_server_home_ssh_t)
-+
- ########################################
- #
- # NX server local policy
-@@ -37,7 +40,7 @@ allow nx_server_t self:fifo_file rw_fifo_file_perms;
- allow nx_server_t self:tcp_socket create_socket_perms;
- allow nx_server_t self:udp_socket create_socket_perms;
-
--allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
-+allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
- term_create_pty(nx_server_t, nx_server_devpts_t)
-
- manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
-@@ -51,6 +54,9 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
- manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
- files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
-
-+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
-+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
-+
- kernel_read_system_state(nx_server_t)
- kernel_read_kernel_sysctls(nx_server_t)
-
-@@ -58,7 +64,6 @@ kernel_read_kernel_sysctls(nx_server_t)
- corecmd_exec_shell(nx_server_t)
- corecmd_exec_bin(nx_server_t)
-
--corenet_all_recvfrom_unlabeled(nx_server_t)
- corenet_all_recvfrom_netlabel(nx_server_t)
- corenet_tcp_sendrecv_generic_if(nx_server_t)
- corenet_udp_sendrecv_generic_if(nx_server_t)
-@@ -77,10 +82,6 @@ files_read_etc_runtime_files(nx_server_t)
- # but users need to be able to also read the config
- files_read_usr_files(nx_server_t)
-
--miscfiles_read_localization(nx_server_t)
--
--seutil_dontaudit_search_config(nx_server_t)
--
- sysnet_read_config(nx_server_t)
-
- ifdef(`TODO',`
-diff --git a/oav.fc b/oav.fc
-index 0a66474..cf90b6e 100644
---- a/oav.fc
-+++ b/oav.fc
-@@ -6,4 +6,4 @@
-
- /var/lib/oav-virussignatures -- gen_context(system_u:object_r:oav_update_var_lib_t,s0)
- /var/lib/oav-update(/.*)? gen_context(system_u:object_r:oav_update_var_lib_t,s0)
--/var/log/scannerdaemon\.log -- gen_context(system_u:object_r:scannerdaemon_log_t,s0)
-+/var/log/scannerdaemon\.log.* -- gen_context(system_u:object_r:scannerdaemon_log_t,s0)
-diff --git a/oav.te b/oav.te
-index b4c5f86..9ecd4a3 100644
---- a/oav.te
-+++ b/oav.te
-@@ -48,7 +48,6 @@ read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
-
- corecmd_exec_all_executables(oav_update_t)
-
--corenet_all_recvfrom_unlabeled(oav_update_t)
- corenet_all_recvfrom_netlabel(oav_update_t)
- corenet_tcp_sendrecv_generic_if(oav_update_t)
- corenet_udp_sendrecv_generic_if(oav_update_t)
-@@ -66,7 +65,7 @@ logging_send_syslog_msg(oav_update_t)
-
- sysnet_read_config(oav_update_t)
-
--userdom_use_user_terminals(oav_update_t)
-+userdom_use_inherited_user_terminals(oav_update_t)
-
- optional_policy(`
- cron_system_entry(oav_update_t, oav_update_exec_t)
-@@ -101,7 +100,6 @@ kernel_read_kernel_sysctls(scannerdaemon_t)
- # Can run kaffe
- corecmd_exec_all_executables(scannerdaemon_t)
-
--corenet_all_recvfrom_unlabeled(scannerdaemon_t)
- corenet_all_recvfrom_netlabel(scannerdaemon_t)
- corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
- corenet_udp_sendrecv_generic_if(scannerdaemon_t)
-@@ -130,7 +128,6 @@ libs_exec_lib_files(scannerdaemon_t)
-
- logging_send_syslog_msg(scannerdaemon_t)
-
--miscfiles_read_localization(scannerdaemon_t)
-
- sysnet_read_config(scannerdaemon_t)
-
-diff --git a/obex.fc b/obex.fc
-new file mode 100644
-index 0000000..7b31529
---- /dev/null
-+++ b/obex.fc
-@@ -0,0 +1,3 @@
-+
-+
-+/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
-diff --git a/obex.if b/obex.if
-new file mode 100644
-index 0000000..d3b9544
---- /dev/null
-+++ b/obex.if
-@@ -0,0 +1,77 @@
-+## SELinux policy for obex-data-server
-+
-+########################################
-+##
-+## Transition to obex.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`obex_domtrans',`
-+ gen_require(`
-+ type obex_t, obex_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, obex_exec_t, obex_t)
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## obex over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`obex_dbus_chat',`
-+ gen_require(`
-+ type obex_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 obex_t:dbus send_msg;
-+ allow obex_t $1:dbus send_msg;
-+')
-+
-+#######################################
-+##
-+## Role access for obex domains
-+## that executes via dbus-session
-+##
-+##
-+##
-+## The role associated with the user domain.
-+##
-+##
-+##
-+##
-+## The type of the user domain.
-+##
-+##
-+##
-+##
-+## User domain prefix to be used.
-+##
-+##
-+#
-+template(`obex_role',`
-+ gen_require(`
-+ type obex_t, obex_exec_t;
-+ ')
-+
-+ role $1 types obex_t;
-+
-+ allow $2 obex_t:process signal_perms;
-+ ps_process_pattern($2, obex_t)
-+
-+ dbus_session_domain($3, obex_exec_t, obex_t)
-+
-+ obex_dbus_chat($2)
-+')
-diff --git a/obex.te b/obex.te
-new file mode 100644
-index 0000000..e9f259e
---- /dev/null
-+++ b/obex.te
-@@ -0,0 +1,37 @@
-+policy_module(obex,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type obex_t;
-+type obex_exec_t;
-+application_domain(obex_t, obex_exec_t)
-+ubac_constrained(obex_t)
-+
-+########################################
-+#
-+# obex local policy
-+#
-+
-+allow obex_t self:fifo_file rw_fifo_file_perms;
-+allow obex_t self:socket create_stream_socket_perms;
-+
-+dev_read_urand(obex_t)
-+
-+files_read_etc_files(obex_t)
-+
-+logging_send_syslog_msg(obex_t)
-+
-+
-+userdom_search_user_home_content(obex_t)
-+
-+optional_policy(`
-+ bluetooth_stream_connect(obex_t)
-+ bluetooth_dbus_chat(obex_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(obex_t)
-+')
-diff --git a/oddjob.fc b/oddjob.fc
-index 9c272c2..7e2287c 100644
---- a/oddjob.fc
-+++ b/oddjob.fc
-@@ -1,7 +1,7 @@
- /usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-+/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-
-+/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
- /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
-
--/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
--
- /var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
-diff --git a/oddjob.if b/oddjob.if
-index bd76ec2..dec6bc7 100644
---- a/oddjob.if
-+++ b/oddjob.if
-@@ -22,6 +22,25 @@ interface(`oddjob_domtrans',`
- domtrans_pattern($1, oddjob_exec_t, oddjob_t)
- ')
-
-+#####################################
-+##
-+## Do not audit attempts to read and write
-+## oddjob fifo file.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`oddjob_dontaudit_rw_fifo_file',`
-+ gen_require(`
-+ type oddjob_t;
-+ ')
-+
-+ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
- ########################################
- ##
- ## Make the specified program domain accessable
-@@ -44,6 +63,7 @@ interface(`oddjob_system_entry',`
- ')
-
- domtrans_pattern(oddjob_t, $2, $1)
-+ domain_user_exemption_target($1)
- ')
-
- ########################################
-@@ -67,6 +87,24 @@ interface(`oddjob_dbus_chat',`
- allow oddjob_t $1:dbus send_msg;
- ')
-
-+######################################
-+##
-+## Send a SIGCHLD signal to oddjob.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`oddjob_sigchld',`
-+ gen_require(`
-+ type oddjob_t;
-+ ')
-+
-+ allow $1 oddjob_t:process sigchld;
-+')
-+
- ########################################
- ##
- ## Execute a domain transition to run oddjob_mkhomedir.
-@@ -109,3 +147,41 @@ interface(`oddjob_run_mkhomedir',`
- oddjob_domtrans_mkhomedir($1)
- role $2 types oddjob_mkhomedir_t;
- ')
-+
-+########################################
-+##
-+## Create a domain which can be started by init,
-+## with a range transition.
-+##
-+##
-+##
-+## Type to be used as a domain.
-+##
-+##
-+##
-+##
-+## Type of the program to be used as an entry point to this domain.
-+##
-+##
-+##
-+##
-+## Range for the domain.
-+##
-+##
-+#
-+interface(`oddjob_ranged_domain',`
-+ gen_require(`
-+ type oddjob_t;
-+ ')
-+
-+ oddjob_system_entry($1, $2)
-+
-+ ifdef(`enable_mcs',`
-+ range_transition oddjob_t $2:process $3;
-+ ')
-+
-+ ifdef(`enable_mls',`
-+ range_transition oddjob_t $2:process $3;
-+ mls_rangetrans_target($1)
-+ ')
-+')
-diff --git a/oddjob.te b/oddjob.te
-index a17ba31..467700e 100644
---- a/oddjob.te
-+++ b/oddjob.te
-@@ -51,9 +51,9 @@ mcs_process_set_categories(oddjob_t)
-
- selinux_compute_create_context(oddjob_t)
-
--files_read_etc_files(oddjob_t)
-
--miscfiles_read_localization(oddjob_t)
-+auth_use_nsswitch(oddjob_t)
-+
-
- locallogin_dontaudit_use_fds(oddjob_t)
-
-@@ -78,13 +78,10 @@ allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
-
- kernel_read_system_state(oddjob_mkhomedir_t)
-
--files_read_etc_files(oddjob_mkhomedir_t)
--
- auth_use_nsswitch(oddjob_mkhomedir_t)
-
- logging_send_syslog_msg(oddjob_mkhomedir_t)
-
--miscfiles_read_localization(oddjob_mkhomedir_t)
-
- selinux_get_fs_mount(oddjob_mkhomedir_t)
- selinux_validate_context(oddjob_mkhomedir_t)
-@@ -99,8 +96,9 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
-
- # Add/remove user home directories
- userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
--userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
--userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
- userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
--userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
-+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
-+userdom_manage_user_home_content(oddjob_mkhomedir_t)
-+userdom_home_manager(oddjob_mkhomedir_t)
-+userdom_stream_connect(oddjob_mkhomedir_t)
-
-diff --git a/oident.if b/oident.if
-index bb4fae5..4dfed8a 100644
---- a/oident.if
-+++ b/oident.if
-@@ -66,3 +66,40 @@ interface(`oident_relabel_user_content', `
- allow $1 oidentd_home_t:file relabel_file_perms;
- userdom_search_user_home_dirs($1)
- ')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an oident environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`oident_admin',`
-+ gen_require(`
-+ type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
-+ ')
-+
-+ allow $1 oidentd_t:process signal_perms;
-+ ps_process_pattern($1, oidentd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 oidentd_t:process ptrace;
-+ ')
-+
-+ init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 oidentd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_etc($1)
-+ admin_pattern($1, oidentd_config_t)
-+')
-diff --git a/oident.te b/oident.te
-index 8845174..f7b073f 100644
---- a/oident.te
-+++ b/oident.te
-@@ -26,15 +26,14 @@ files_config_file(oidentd_config_t)
- #
-
- allow oidentd_t self:capability { setuid setgid };
--allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
--allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
--allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
--allow oidentd_t self:udp_socket { write read create connect getattr ioctl };
-+allow oidentd_t self:netlink_route_socket create_netlink_socket_perms;
-+allow oidentd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+allow oidentd_t self:tcp_socket create_stream_socket_perms;
-+allow oidentd_t self:udp_socket create_socket_perms;
- allow oidentd_t self:unix_dgram_socket { create connect };
-
- allow oidentd_t oidentd_config_t:file read_file_perms;
-
--corenet_all_recvfrom_unlabeled(oidentd_t)
- corenet_all_recvfrom_netlabel(oidentd_t)
- corenet_tcp_sendrecv_generic_if(oidentd_t)
- corenet_tcp_sendrecv_generic_node(oidentd_t)
-@@ -54,22 +53,7 @@ kernel_request_load_module(oidentd_t)
-
- logging_send_syslog_msg(oidentd_t)
-
--miscfiles_read_localization(oidentd_t)
--
- sysnet_read_config(oidentd_t)
-
- oident_read_user_content(oidentd_t)
--
--optional_policy(`
-- nis_use_ypbind(oidentd_t)
--')
--
--tunable_policy(`use_samba_home_dirs', `
-- fs_list_cifs(oidentd_t)
-- fs_read_cifs_files(oidentd_t)
--')
--
--tunable_policy(`use_nfs_home_dirs', `
-- fs_list_nfs(oidentd_t)
-- fs_read_nfs_files(oidentd_t)
--')
-+userdom_home_reader(oidentd_t)
-diff --git a/openct.te b/openct.te
-index 7f8fdc2..bc14bc4 100644
---- a/openct.te
-+++ b/openct.te
-@@ -29,6 +29,8 @@ kernel_read_kernel_sysctls(openct_t)
- kernel_list_proc(openct_t)
- kernel_read_proc_symlinks(openct_t)
-
-+can_exec(openct_t, openct_exec_t)
-+
- dev_read_sysfs(openct_t)
- # openct asks for this
- dev_rw_usbfs(openct_t)
-@@ -45,12 +47,12 @@ fs_search_auto_mountpoints(openct_t)
-
- logging_send_syslog_msg(openct_t)
-
--miscfiles_read_localization(openct_t)
--
- userdom_dontaudit_use_unpriv_user_fds(openct_t)
- userdom_dontaudit_search_user_home_dirs(openct_t)
-
--openct_exec(openct_t)
-+optional_policy(`
-+ pcscd_stream_connect(openct_t)
-+')
-
- optional_policy(`
- seutil_sigchld_newrole(openct_t)
-diff --git a/openhpid.fc b/openhpid.fc
-new file mode 100644
-index 0000000..9441fd7
---- /dev/null
-+++ b/openhpid.fc
-@@ -0,0 +1,8 @@
-+
-+/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
-+
-+/usr/sbin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
-+
-+/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0)
-+
-+/var/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0)
-diff --git a/openhpid.if b/openhpid.if
-new file mode 100644
-index 0000000..598789a
---- /dev/null
-+++ b/openhpid.if
-@@ -0,0 +1,159 @@
-+
-+## policy for openhpid
-+
-+
-+########################################
-+##
-+## Transition to openhpid.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`openhpid_domtrans',`
-+ gen_require(`
-+ type openhpid_t, openhpid_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, openhpid_exec_t, openhpid_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute openhpid server in the openhpid domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openhpid_initrc_domtrans',`
-+ gen_require(`
-+ type openhpid_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
-+')
-+
-+
-+########################################
-+##
-+## Search openhpid lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openhpid_search_lib',`
-+ gen_require(`
-+ type openhpid_var_lib_t;
-+ ')
-+
-+ allow $1 openhpid_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read openhpid lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openhpid_read_lib_files',`
-+ gen_require(`
-+ type openhpid_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage openhpid lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openhpid_manage_lib_files',`
-+ gen_require(`
-+ type openhpid_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage openhpid lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openhpid_manage_lib_dirs',`
-+ gen_require(`
-+ type openhpid_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an openhpid environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`openhpid_admin',`
-+ gen_require(`
-+ type openhpid_t;
-+ type openhpid_initrc_exec_t;
-+ type openhpid_var_lib_t;
-+ ')
-+
-+ allow $1 openhpid_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, openhpid_t)
-+
-+ openhpid_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 openhpid_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, openhpid_var_lib_t)
-+
-+
-+
-+')
-+
-diff --git a/openhpid.te b/openhpid.te
-new file mode 100644
-index 0000000..c4ecca7
---- /dev/null
-+++ b/openhpid.te
-@@ -0,0 +1,51 @@
-+policy_module(openhpid, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type openhpid_t;
-+type openhpid_exec_t;
-+init_daemon_domain(openhpid_t, openhpid_exec_t)
-+
-+type openhpid_initrc_exec_t;
-+init_script_file(openhpid_initrc_exec_t)
-+
-+type openhpid_var_lib_t;
-+files_type(openhpid_var_lib_t)
-+
-+type openhpid_var_run_t;
-+files_pid_file(openhpid_var_run_t)
-+
-+########################################
-+#
-+# openhpid local policy
-+#
-+
-+allow openhpid_t self:capability { kill };
-+allow openhpid_t self:process { fork signal };
-+
-+allow openhpid_t self:fifo_file rw_fifo_file_perms;
-+allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
-+allow openhpid_t self:unix_stream_socket create_stream_socket_perms;
-+allow openhpid_t self:tcp_socket create_stream_socket_perms;
-+allow openhpid_t self:udp_socket create_socket_perms;
-+
-+manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
-+manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
-+files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, { dir file })
-+
-+manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
-+files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file })
-+
-+corenet_tcp_bind_generic_node(openhpid_t)
-+corenet_tcp_bind_openhpid_port(openhpid_t)
-+
-+domain_use_interactive_fds(openhpid_t)
-+
-+dev_read_urand(openhpid_t)
-+
-+files_read_etc_files(openhpid_t)
-+
-+logging_send_syslog_msg(openhpid_t)
-diff --git a/openshift-origin.fc b/openshift-origin.fc
-new file mode 100644
-index 0000000..30ca148
---- /dev/null
-+++ b/openshift-origin.fc
-@@ -0,0 +1 @@
-+# Left Blank
-diff --git a/openshift-origin.if b/openshift-origin.if
-new file mode 100644
-index 0000000..3eb6a30
---- /dev/null
-+++ b/openshift-origin.if
-@@ -0,0 +1 @@
-+##
-diff --git a/openshift-origin.te b/openshift-origin.te
-new file mode 100644
-index 0000000..a437f80
---- /dev/null
-+++ b/openshift-origin.te
-@@ -0,0 +1,13 @@
-+policy_module(openshift-origin,1.0.0)
-+gen_require(`
-+ attribute openshift_domain;
-+')
-+
-+########################################
-+#
-+# openshift origin standard local policy
-+#
-+allow openshift_domain self:socket_class_set create_socket_perms;
-+corenet_tcp_connect_all_ports(openshift_domain)
-+corenet_tcp_bind_all_ports(openshift_domain)
-+files_read_config_files(openshift_domain)
-diff --git a/openshift.fc b/openshift.fc
-new file mode 100644
-index 0000000..c9a5f74
---- /dev/null
-+++ b/openshift.fc
-@@ -0,0 +1,24 @@
-+/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
-+
-+/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
-+/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
-+/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
-+/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
-+
-+/var/lib/stickshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
-+/var/lib/stickshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
-+/var/lib/openshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
-+/var/lib/openshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
-+
-+/var/log/mcollective\.log -- gen_context(system_u:object_r:openshift_log_t,s0)
-+
-+/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
-+
-+/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
-+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
-+/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
-+/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
-+
-+/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
-+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
-diff --git a/openshift.if b/openshift.if
-new file mode 100644
-index 0000000..6e20e72
---- /dev/null
-+++ b/openshift.if
-@@ -0,0 +1,644 @@
-+
-+## policy for openshift
-+
-+########################################
-+##
-+## Execute openshift server in the openshift domain.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`openshift_initrc_domtrans',`
-+ gen_require(`
-+ type openshift_initrc_t;
-+ type openshift_initrc_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t)
-+')
-+
-+########################################
-+##
-+## Send a null signal to openshift init scripts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_initrc_signull',`
-+ gen_require(`
-+ type openshift_initrc_t;
-+ ')
-+
-+ allow $1 openshift_initrc_t:process signull;
-+')
-+
-+#######################################
-+##
-+## Send a signal to openshift init scripts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_initrc_signal',`
-+ gen_require(`
-+ type openshift_initrc_t;
-+ ')
-+
-+ allow $1 openshift_initrc_t:process signal;
-+')
-+
-+########################################
-+##
-+## Send a signal to openshift init scripts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_initrc_signl',`
-+ gen_require(`
-+ type openshift_initrc_t;
-+ ')
-+
-+ allow $1 openshift_initrc_t:process signal;
-+')
-+
-+########################################
-+##
-+## Search openshift cache directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_search_cache',`
-+ gen_require(`
-+ type openshift_cache_t;
-+ ')
-+
-+ allow $1 openshift_cache_t:dir search_dir_perms;
-+ files_search_var($1)
-+')
-+
-+########################################
-+##
-+## Read openshift cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_read_cache_files',`
-+ gen_require(`
-+ type openshift_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ read_files_pattern($1, openshift_cache_t, openshift_cache_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## openshift cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_manage_cache_files',`
-+ gen_require(`
-+ type openshift_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_files_pattern($1, openshift_cache_t, openshift_cache_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## openshift cache dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_manage_cache_dirs',`
-+ gen_require(`
-+ type openshift_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_dirs_pattern($1, openshift_cache_t, openshift_cache_t)
-+')
-+
-+
-+########################################
-+##
-+## Allow the specified domain to read openshift's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`openshift_read_log',`
-+ gen_require(`
-+ type openshift_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, openshift_log_t, openshift_log_t)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to append
-+## openshift log files.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`openshift_append_log',`
-+ gen_require(`
-+ type openshift_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, openshift_log_t, openshift_log_t)
-+')
-+
-+########################################
-+##
-+## Allow domain to manage openshift log files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`openshift_manage_log',`
-+ gen_require(`
-+ type openshift_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, openshift_log_t, openshift_log_t)
-+ manage_files_pattern($1, openshift_log_t, openshift_log_t)
-+ manage_lnk_files_pattern($1, openshift_log_t, openshift_log_t)
-+')
-+
-+########################################
-+##
-+## Search openshift lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_search_lib',`
-+ gen_require(`
-+ type openshift_var_lib_t;
-+ ')
-+
-+ allow $1 openshift_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read openshift lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_read_lib_files',`
-+ gen_require(`
-+ type openshift_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read openshift lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_append_lib_files',`
-+ gen_require(`
-+ type openshift_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ append_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## openshift lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_manage_lib_files',`
-+ gen_require(`
-+ type openshift_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage openshift lib dirs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_manage_lib_dirs',`
-+ gen_require(`
-+ type openshift_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
-+')
-+
-+#######################################
-+##
-+## Create private objects in the
-+## mail lib directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`openshift_lib_filetrans',`
-+ gen_require(`
-+ type openshift_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ filetrans_pattern($1, openshift_var_lib_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Read openshift PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_read_pid_files',`
-+ gen_require(`
-+ type openshift_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 openshift_var_run_t:file read_file_perms;
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an openshift environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`openshift_admin',`
-+ gen_require(`
-+ type openshift_t;
-+ type openshift_initrc_exec_t;
-+ type openshift_cache_t;
-+ type openshift_log_t;
-+ type openshift_var_lib_t;
-+ type openshift_var_run_t;
-+ ')
-+
-+ allow $1 openshift_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, openshift_t)
-+
-+ openshift_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 openshift_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_var($1)
-+ admin_pattern($1, openshift_cache_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, openshift_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, openshift_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, openshift_var_run_t)
-+
-+')
-+
-+########################################
-+##
-+## Make the specified type usable as a openshift domain.
-+##
-+##
-+##
-+## The prefix of the domain (e.g., openshift
-+## is the prefix for openshift_t).
-+##
-+##
-+#
-+template(`openshift_service_domain_template',`
-+ gen_require(`
-+ attribute openshift_domain;
-+ attribute openshift_user_domain;
-+ ')
-+
-+ type $1_t;
-+ typeattribute $1_t openshift_domain, openshift_user_domain;
-+ domain_type($1_t)
-+ role system_r types $1_t;
-+ mcs_untrusted_proc($1_t)
-+ domain_user_exemption_target($1_t)
-+ auth_use_nsswitch($1_t)
-+ domain_subj_id_change_exemption($1_t)
-+ domain_obj_id_change_exemption($1_t)
-+ domain_dyntrans_type($1_t)
-+
-+ kernel_read_system_state($1_t)
-+
-+ logging_send_syslog_msg($1_t)
-+
-+ type $1_app_t;
-+ typeattribute $1_app_t openshift_domain;
-+ domain_type($1_app_t)
-+ role system_r types $1_app_t;
-+ mcs_untrusted_proc($1_app_t)
-+ domain_user_exemption_target($1_app_t)
-+ domain_obj_id_change_exemption($1_app_t)
-+ domain_dyntrans_type($1_app_t)
-+
-+ kernel_read_system_state($1_app_t)
-+
-+ logging_send_syslog_msg($1_app_t)
-+')
-+
-+########################################
-+##
-+## Make the specified type usable as a openshift domain.
-+##
-+##
-+##
-+## Type to be used as a openshift domain type.
-+##
-+##
-+#
-+template(`openshift_net_type',`
-+ gen_require(`
-+ attribute openshift_net_domain;
-+ ')
-+
-+ typeattribute $1 openshift_net_domain;
-+')
-+
-+########################################
-+##
-+## Read and write inherited openshift files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_rw_inherited_content',`
-+ gen_require(`
-+ attribute openshift_file_type;
-+ ')
-+
-+ allow $1 openshift_file_type:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Manage openshift tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_manage_tmp_files',`
-+ gen_require(`
-+ type openshift_tmp_t;
-+ ')
-+
-+ manage_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
-+')
-+
-+########################################
-+##
-+## Manage openshift tmp sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_manage_tmp_sockets',`
-+ gen_require(`
-+ type openshift_tmp_t;
-+ ')
-+
-+ manage_sock_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
-+')
-+
-+########################################
-+##
-+## Mounton openshift tmp directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_mounton_tmp',`
-+ gen_require(`
-+ type openshift_tmp_t;
-+ ')
-+
-+ allow $1 openshift_tmp_t:dir mounton;
-+')
-+
-+########################################
-+##
-+## Dontaudit Read and write inherited script fifo files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openshift_dontaudit_rw_inherited_fifo_files',`
-+ gen_require(`
-+ type openshift_initrc_t;
-+ ')
-+
-+ dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow calling app to transition to an openshift domain
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+#
-+interface(`openshift_transition',`
-+ gen_require(`
-+ attribute openshift_user_domain;
-+ ')
-+
-+ allow $1 openshift_user_domain:process transition;
-+ dontaudit $1 openshift_user_domain:process { noatsecure siginh rlimitinh };
-+ allow openshift_user_domain $1:fd use;
-+ allow openshift_user_domain $1:fifo_file rw_inherited_fifo_file_perms;
-+ allow openshift_user_domain $1:process sigchld;
-+ dontaudit $1 openshift_user_domain:socket_class_set { read write };
-+')
-+
-+########################################
-+##
-+## Allow calling app to transition to an openshift domain
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+#
-+interface(`openshift_dyntransition',`
-+ gen_require(`
-+ attribute openshift_domain;
-+ attribute openshift_user_domain;
-+ ')
-+
-+ allow $1 openshift_user_domain:process dyntransition;
-+ dontaudit openshift_user_domain $1:key view;
-+ allow openshift_user_domain $1:unix_stream_socket { connectto rw_socket_perms };
-+ allow openshift_user_domain $1:unix_dgram_socket rw_socket_perms;
-+ allow $1 openshift_user_domain:process { rlimitinh signal };
-+ dontaudit openshift_domain $1:tcp_socket { read write getattr setopt getopt shutdown };
-+')
-+
-+########################################
-+##
-+## Execute openshift in the openshift domain, and
-+## allow the specified role the openshift domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+#
-+interface(`openshift_run',`
-+ gen_require(`
-+ type openshift_initrc_exec_t;
-+ ')
-+
-+ openshift_initrc_domtrans($1)
-+ role_transition $2 openshift_initrc_exec_t system_r;
-+ openshift_transition($1)
-+')
-diff --git a/openshift.te b/openshift.te
-new file mode 100644
-index 0000000..d97b009
---- /dev/null
-+++ b/openshift.te
-@@ -0,0 +1,383 @@
-+policy_module(openshift,1.0.0)
-+
-+gen_require(`
-+ role system_r;
-+')
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+# openshift applications that can use the network.
-+attribute openshift_net_domain;
-+# Attribute representing all openshift user processes (excludes apache processes)
-+attribute openshift_user_domain;
-+# Attribute representing all openshift processes
-+attribute openshift_domain;
-+
-+# Attribute for all openshift content
-+attribute openshift_file_type;
-+
-+# Type of openshift init script
-+type openshift_initrc_t;
-+type openshift_initrc_exec_t;
-+init_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t)
-+init_ranged_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
-+domain_obj_id_change_exemption(openshift_initrc_t)
-+optional_policy(`
-+ oddjob_ranged_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
-+')
-+
-+
-+type openshift_initrc_tmp_t;
-+files_tmp_file(openshift_initrc_tmp_t)
-+
-+type openshift_tmpfs_t;
-+files_tmpfs_file(openshift_tmpfs_t)
-+
-+type openshift_tmp_t, openshift_file_type;
-+files_tmp_file(openshift_tmp_t)
-+files_mountpoint(openshift_tmp_t)
-+files_poly(openshift_tmp_t)
-+files_poly_parent(openshift_tmp_t)
-+
-+type openshift_var_run_t;
-+files_pid_file(openshift_var_run_t)
-+
-+type openshift_var_lib_t, openshift_file_type;
-+files_poly(openshift_var_lib_t)
-+files_poly_parent(openshift_var_lib_t)
-+files_mountpoint(openshift_var_lib_t)
-+
-+type openshift_rw_file_t, openshift_file_type;
-+files_poly(openshift_rw_file_t)
-+files_poly_parent(openshift_rw_file_t)
-+
-+type openshift_log_t;
-+logging_log_file(openshift_log_t)
-+
-+type openshift_port_t;
-+corenet_port(openshift_port_t)
-+corenet_reserved_port(openshift_port_t)
-+
-+type openshift_cgroup_read_t;
-+type openshift_cgroup_read_exec_t;
-+application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t)
-+
-+########################################
-+#
-+# Template to create openshift_t and openshift_app_t
-+#
-+
-+openshift_service_domain_template(openshift)
-+
-+########################################
-+#
-+# openshift initrc local policy
-+#
-+unconfined_domain_noaudit(openshift_initrc_t)
-+mcs_process_set_categories(openshift_initrc_t)
-+
-+systemd_dbus_chat_logind(openshift_initrc_t)
-+
-+manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
-+manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
-+manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
-+files_tmp_filetrans(openshift_initrc_t, openshift_initrc_tmp_t, { file dir })
-+
-+manage_dirs_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
-+manage_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
-+manage_lnk_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
-+files_pid_filetrans(openshift_initrc_t, openshift_var_run_t, { file dir })
-+
-+manage_dirs_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
-+manage_files_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
-+logging_log_filetrans(openshift_initrc_t, openshift_log_t, { file dir })
-+
-+allow openshift_initrc_t openshift_domain:process { getattr getsched setsched transition signal signull sigkill };
-+allow openshift_domain openshift_initrc_t:fd use;
-+allow openshift_domain openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
-+allow openshift_domain openshift_initrc_t:process sigchld;
-+dontaudit openshift_domain openshift_initrc_t:key view;
-+dontaudit openshift_domain openshift_initrc_t:process signull;
-+dontaudit openshift_domain openshift_initrc_t:socket_class_set { read write };
-+
-+#######################################################
-+#
-+# Policy for all openshift domains
-+#
-+allow openshift_domain self:process all_process_perms;
-+allow openshift_domain self:msg all_msg_perms;
-+allow openshift_domain self:msgq create_msgq_perms;
-+allow openshift_domain self:shm create_shm_perms;
-+allow openshift_domain self:sem create_sem_perms;
-+dontaudit openshift_domain self:dir write;
-+
-+dontaudit openshift_domain self:netlink_tcpdiag_socket create;
-+allow openshift_domain self:tcp_socket create_stream_socket_perms;
-+allow openshift_domain self:fifo_file manage_fifo_file_perms;
-+allow openshift_domain self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow openshift_domain self:unix_dgram_socket { create_socket_perms sendto };
-+dontaudit openshift_domain self:netlink_audit_socket { create_socket_perms nlmsg_relay };
-+
-+manage_dirs_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
-+manage_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
-+manage_fifo_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
-+manage_sock_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
-+manage_lnk_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
-+allow openshift_domain openshift_rw_file_t:dir_file_class_set { relabelfrom relabelto };
-+
-+list_dirs_pattern(openshift_domain, openshift_file_type, openshift_file_type)
-+read_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
-+rw_fifo_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
-+rw_sock_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
-+read_lnk_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
-+allow openshift_domain openshift_file_type:file execmod;
-+can_exec(openshift_domain, openshift_file_type)
-+allow openshift_domain openshift_file_type:file entrypoint;
-+# Allow users to execute files in their home dir
-+allow openshift_domain openshift_file_type:file { execute execute_no_trans };
-+
-+# Dontaudit openshift domains trying to search other openshift domains directories,
-+# this happens just when users are probing the system
-+dontaudit openshift_domain openshift_file_type:dir search_dir_perms
-+;
-+
-+manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
-+manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
-+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file })
-+can_exec(openshift_domain, openshift_tmpfs_t)
-+
-+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
-+manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
-+manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
-+manage_lnk_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
-+manage_sock_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
-+files_tmp_filetrans(openshift_domain, openshift_tmp_t, { lnk_file file dir sock_file fifo_file })
-+allow openshift_domain openshift_tmp_t:dir_file_class_set { relabelfrom relabelto };
-+
-+allow openshift_domain openshift_log_t:file { getattr append lock ioctl };
-+
-+#lsof
-+allow openshift_domain openshift_initrc_t:tcp_socket getattr;
-+
-+dontaudit openshift_domain openshift_initrc_tmp_t:file append;
-+dontaudit openshift_domain openshift_var_run_t:file append;
-+dontaudit openshift_domain openshift_file_type:sock_file execute;
-+
-+kernel_read_network_state(openshift_domain)
-+kernel_dontaudit_list_all_proc(openshift_domain)
-+kernel_dontaudit_list_all_sysctls(openshift_domain)
-+kernel_dontaudit_request_load_module(openshift_domain)
-+kernel_get_sysvipc_info(openshift_domain)
-+
-+corecmd_shell_entry_type(openshift_domain)
-+corecmd_bin_entry_type(openshift_domain)
-+corecmd_exec_all_executables(openshift_domain)
-+
-+dev_read_sysfs(openshift_domain)
-+dev_read_rand(openshift_domain)
-+dev_read_urand(openshift_domain)
-+dev_dontaudit_append_rand(openshift_domain)
-+dev_dontaudit_write_urand(openshift_domain)
-+dev_dontaudit_getattr_all_blk_files(openshift_domain)
-+dev_dontaudit_getattr_all_chr_files(openshift_domain)
-+
-+domain_use_interactive_fds(openshift_domain)
-+domain_dontaudit_read_all_domains_state(openshift_domain)
-+
-+files_read_var_lib_symlinks(openshift_domain)
-+
-+fs_rw_hugetlbfs_files(openshift_domain)
-+fs_rw_anon_inodefs_files(openshift_domain)
-+fs_search_tmpfs(openshift_domain)
-+fs_getattr_all_fs(openshift_domain)
-+fs_dontaudit_getattr_all_fs(openshift_domain)
-+fs_list_inotifyfs(openshift_domain)
-+fs_dontaudit_list_auto_mountpoints(openshift_domain)
-+fs_dontaudit_list_tmpfs(openshift_domain)
-+storage_dontaudit_getattr_fixed_disk_dev(openshift_domain)
-+storage_getattr_fixed_disk_dev(openshift_domain)
-+fs_get_xattr_fs_quotas(openshift_domain)
-+fs_rw_inherited_tmpfs_files(openshift_domain)
-+fs_dontaudit_rw_anon_inodefs_files(openshift_domain)
-+
-+dontaudit openshift_domain file_type:dir read;
-+files_dontaudit_list_home(openshift_domain)
-+files_dontaudit_search_all_pids(openshift_domain)
-+files_dontaudit_getattr_all_dirs(openshift_domain)
-+files_dontaudit_getattr_all_files(openshift_domain)
-+files_dontaudit_list_mnt(openshift_domain)
-+files_dontaudit_list_var(openshift_domain)
-+files_dontaudit_getattr_lost_found_dirs(openshift_domain)
-+files_dontaudit_search_all_mountpoints(openshift_domain)
-+files_dontaudit_search_spool(openshift_domain)
-+files_dontaudit_search_all_dirs(openshift_domain)
-+files_dontaudit_list_var(openshift_domain)
-+files_read_etc_files(openshift_domain)
-+files_exec_etc_files(openshift_domain)
-+files_read_usr_files(openshift_domain)
-+files_exec_usr_files(openshift_domain)
-+files_dontaudit_getattr_non_security_sockets(openshift_domain)
-+files_dontaudit_setattr_non_security_dirs(openshift_domain)
-+files_dontaudit_setattr_non_security_files(openshift_domain)
-+
-+libs_exec_lib_files(openshift_domain)
-+libs_exec_ld_so(openshift_domain)
-+
-+term_use_ptmx(openshift_domain)
-+term_use_generic_ptys(openshift_domain)
-+
-+selinux_validate_context(openshift_domain)
-+
-+logging_inherit_append_all_logs(openshift_domain)
-+
-+init_dontaudit_read_utmp(openshift_domain)
-+
-+miscfiles_read_fonts(openshift_domain)
-+miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_domain)
-+
-+mta_dontaudit_read_spool_symlinks(openshift_domain)
-+
-+term_dontaudit_search_ptys(openshift_domain)
-+term_use_ptmx(openshift_domain)
-+
-+userdom_use_inherited_user_ptys(openshift_domain)
-+userdom_dontaudit_search_admin_dir(openshift_domain)
-+
-+application_exec(openshift_domain)
-+
-+optional_policy(`
-+ apache_exec_modules(openshift_domain)
-+ apache_list_modules(openshift_domain)
-+ apache_read_config(openshift_domain)
-+ apache_search_config(openshift_domain)
-+ apache_read_sys_content(openshift_domain)
-+ apache_exec_sys_script(openshift_domain)
-+ apache_entrypoint(openshift_domain)
-+ apache_dontaudit_read_log(openshift_domain)
-+')
-+
-+optional_policy(`
-+ #############################################
-+ #
-+ # openshift cgi script policy
-+ #
-+ apache_content_template(openshift)
-+ domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
-+
-+ optional_policy(`
-+ dbus_system_bus_client(httpd_openshift_script_t)
-+
-+ optional_policy(`
-+ oddjob_dbus_chat(httpd_openshift_script_t)
-+ oddjob_dontaudit_rw_fifo_file(openshift_domain)
-+ ')
-+ ')
-+')
-+
-+optional_policy(`
-+ cron_role(system_r, openshift_domain)
-+')
-+
-+optional_policy(`
-+ gpg_entry_type(openshift_domain)
-+')
-+
-+optional_policy(`
-+ mysql_search_db(openshift_domain)
-+')
-+
-+optional_policy(`
-+ screen_exec(openshift_domain)
-+')
-+
-+optional_policy(`
-+ ssh_use_ptys(openshift_domain)
-+ ssh_getattr_user_home_dir(openshift_domain)
-+ ssh_dontaudit_search_user_home_dir(openshift_domain)
-+')
-+
-+#######################################################
-+#
-+# Policy for openshift user domain process
-+#
-+manage_dirs_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
-+manage_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
-+manage_fifo_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
-+manage_sock_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
-+manage_lnk_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
-+allow openshift_user_domain openshift_file_type:dir_file_class_set { relabelfrom relabelto };
-+
-+allow openshift_user_domain openshift_domain:process transition;
-+allow openshift_domain openshift_user_domain:fd use;
-+allow openshift_domain openshift_user_domain:fifo_file rw_inherited_fifo_file_perms;
-+allow openshift_domain openshift_user_domain:process sigchld;
-+dontaudit openshift_domain openshift_user_domain:key view;
-+dontaudit openshift_domain openshift_user_domain:process signull;
-+dontaudit openshift_domain openshift_user_domain:socket_class_set { read write };
-+
-+allow openshift_user_domain openshift_domain:process ptrace;
-+
-+optional_policy(`
-+ ssh_rw_tcp_sockets(openshift_user_domain)
-+')
-+
-+############################################################################
-+#
-+# Rules specific to openshift and openshift_app_t
-+#
-+kernel_read_vm_sysctls(openshift_t)
-+kernel_read_vm_sysctls(openshift_app_t)
-+kernel_search_vm_sysctl(openshift_t)
-+kernel_search_vm_sysctl(openshift_app_t)
-+netutils_domtrans_ping(openshift_t)
-+netutils_kill_ping(openshift_t)
-+netutils_signal_ping(openshift_t)
-+
-+openshift_net_type(openshift_app_t)
-+openshift_net_type(openshift_t)
-+
-+optional_policy(`
-+ postfix_rw_public_pipes(openshift_t)
-+ postfix_manage_spool_maildrop_files(openshift_t)
-+')
-+
-+########################################
-+#
-+# openshift_cgroup_read local policy
-+#
-+
-+allow openshift_cgroup_read_t self:process { getattr signal_perms };
-+allow openshift_cgroup_read_t self:fifo_file rw_fifo_file_perms;
-+allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
-+allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
-+
-+optional_policy(`
-+ ssh_use_ptys(openshift_cgroup_read_t)
-+')
-+
-+corecmd_exec_bin(openshift_cgroup_read_t)
-+
-+dev_read_urand(openshift_cgroup_read_t)
-+
-+domain_use_interactive_fds(openshift_cgroup_read_t)
-+
-+files_read_etc_files(openshift_cgroup_read_t)
-+
-+fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t)
-+
-+userdom_use_inherited_user_ptys(openshift_cgroup_read_t)
-+
-+miscfiles_read_generic_certs(openshift_cgroup_read_t)
-+
-+domtrans_pattern(openshift_domain, openshift_cgroup_read_exec_t, openshift_cgroup_read_t)
-+role system_r types openshift_cgroup_read_t;
-+
-+allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill };
-+
-+fs_read_cgroup_files(openshift_cgroup_read_t)
-+
-+allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
-+read_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
-diff --git a/openvpn.if b/openvpn.if
-index d883214..d6afa87 100644
---- a/openvpn.if
-+++ b/openvpn.if
-@@ -144,8 +144,11 @@ interface(`openvpn_admin',`
- type openvpn_var_run_t, openvpn_initrc_exec_t;
- ')
-
-- allow $1 openvpn_t:process { ptrace signal_perms };
-+ allow $1 openvpn_t:process signal_perms;
- ps_process_pattern($1, openvpn_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 openvpn_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/openvpn.te b/openvpn.te
-index 66a52ee..6db0311 100644
---- a/openvpn.te
-+++ b/openvpn.te
-@@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t)
- type openvpn_etc_rw_t;
- files_config_file(openvpn_etc_rw_t)
-
-+type openvpn_tmp_t;
-+files_tmp_file(openvpn_tmp_t)
-+
- type openvpn_initrc_exec_t;
- init_script_file(openvpn_initrc_exec_t)
-
-@@ -40,15 +43,15 @@ files_pid_file(openvpn_var_run_t)
- # openvpn local policy
- #
-
--allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
--allow openvpn_t self:process { signal getsched };
-+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
-+allow openvpn_t self:process { signal getsched setsched };
- allow openvpn_t self:fifo_file rw_fifo_file_perms;
-
- allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
- allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow openvpn_t self:udp_socket create_socket_perms;
- allow openvpn_t self:tcp_socket server_stream_socket_perms;
--allow openvpn_t self:tun_socket create;
-+allow openvpn_t self:tun_socket { create_socket_perms relabelfrom };
- allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
-
- can_exec(openvpn_t, openvpn_etc_t)
-@@ -58,9 +61,14 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
- manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
- filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
-
--allow openvpn_t openvpn_var_log_t:file manage_file_perms;
--logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
-+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
-+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
-+
-+manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-+manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-+logging_log_filetrans(openvpn_t, openvpn_var_log_t, { dir file })
-
-+manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
- manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
- files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
-
-@@ -68,11 +76,11 @@ kernel_read_kernel_sysctls(openvpn_t)
- kernel_read_net_sysctls(openvpn_t)
- kernel_read_network_state(openvpn_t)
- kernel_read_system_state(openvpn_t)
-+kernel_request_load_module(openvpn_t)
-
- corecmd_exec_bin(openvpn_t)
- corecmd_exec_shell(openvpn_t)
-
--corenet_all_recvfrom_unlabeled(openvpn_t)
- corenet_all_recvfrom_netlabel(openvpn_t)
- corenet_tcp_sendrecv_generic_if(openvpn_t)
- corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -87,6 +95,7 @@ corenet_udp_bind_openvpn_port(openvpn_t)
- corenet_tcp_bind_http_port(openvpn_t)
- corenet_tcp_connect_openvpn_port(openvpn_t)
- corenet_tcp_connect_http_port(openvpn_t)
-+corenet_tcp_connect_tor_socks_port(openvpn_t)
- corenet_tcp_connect_http_cache_port(openvpn_t)
- corenet_rw_tun_tap_dev(openvpn_t)
- corenet_sendrecv_openvpn_server_packets(openvpn_t)
-@@ -100,33 +109,39 @@ dev_read_urand(openvpn_t)
- files_read_etc_files(openvpn_t)
- files_read_etc_runtime_files(openvpn_t)
-
-+fs_getattr_xattr_fs(openvpn_t)
-+
- auth_use_pam(openvpn_t)
-
-+init_read_utmp(openvpn_t)
-+
- logging_send_syslog_msg(openvpn_t)
-
--miscfiles_read_localization(openvpn_t)
- miscfiles_read_all_certs(openvpn_t)
-
- sysnet_dns_name_resolve(openvpn_t)
-+sysnet_use_ldap(openvpn_t)
- sysnet_exec_ifconfig(openvpn_t)
- sysnet_manage_config(openvpn_t)
- sysnet_etc_filetrans_config(openvpn_t)
-
--userdom_use_user_terminals(openvpn_t)
-+userdom_use_inherited_user_terminals(openvpn_t)
-+userdom_read_home_certs(openvpn_t)
-+userdom_attach_admin_tun_iface(openvpn_t)
-+userdom_read_inherited_user_tmp_files(openvpn_t)
-+userdom_read_inherited_user_home_content_files(openvpn_t)
-
- tunable_policy(`openvpn_enable_homedirs',`
-- userdom_read_user_home_content_files(openvpn_t)
-+ userdom_search_user_home_dirs(openvpn_t)
- ')
-
- tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-- fs_read_nfs_files(openvpn_t)
-- fs_read_nfs_symlinks(openvpn_t)
--')
-+ fs_read_nfs_files(openvpn_t)
-+')
-
- tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
-- fs_read_cifs_files(openvpn_t)
-- fs_read_cifs_symlinks(openvpn_t)
--')
-+ fs_read_cifs_files(openvpn_t)
-+')
-
- optional_policy(`
- daemontools_service_domain(openvpn_t, openvpn_exec_t)
-@@ -138,3 +153,7 @@ optional_policy(`
-
- networkmanager_dbus_chat(openvpn_t)
- ')
-+
-+optional_policy(`
-+ unconfined_attach_tun_iface(openvpn_t)
-+')
-diff --git a/openvswitch.fc b/openvswitch.fc
-new file mode 100644
-index 0000000..baf8d21
---- /dev/null
-+++ b/openvswitch.fc
-@@ -0,0 +1,15 @@
-+/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0)
-+
-+/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-+/usr/bin/ovs-vsctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-+/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-+/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-+/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-+
-+/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
-+
-+/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
-+
-+/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
-+
-+/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0)
-diff --git a/openvswitch.if b/openvswitch.if
-new file mode 100644
-index 0000000..14f29e4
---- /dev/null
-+++ b/openvswitch.if
-@@ -0,0 +1,242 @@
-+
-+## policy for openvswitch
-+
-+########################################
-+##
-+## Execute TEMPLATE in the openvswitch domin.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`openvswitch_domtrans',`
-+ gen_require(`
-+ type openvswitch_t, openvswitch_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
-+')
-+########################################
-+##
-+## Read openvswitch's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`openvswitch_read_log',`
-+ gen_require(`
-+ type openvswitch_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
-+')
-+
-+########################################
-+##
-+## Append to openvswitch log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openvswitch_append_log',`
-+ gen_require(`
-+ type openvswitch_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
-+')
-+
-+########################################
-+##
-+## Manage openvswitch log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openvswitch_manage_log',`
-+ gen_require(`
-+ type openvswitch_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, openvswitch_log_t, openvswitch_log_t)
-+ manage_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
-+ manage_lnk_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
-+')
-+
-+########################################
-+##
-+## Search openvswitch lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openvswitch_search_lib',`
-+ gen_require(`
-+ type openvswitch_var_lib_t;
-+ ')
-+
-+ allow $1 openvswitch_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read openvswitch lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openvswitch_read_lib_files',`
-+ gen_require(`
-+ type openvswitch_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage openvswitch lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openvswitch_manage_lib_files',`
-+ gen_require(`
-+ type openvswitch_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage openvswitch lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openvswitch_manage_lib_dirs',`
-+ gen_require(`
-+ type openvswitch_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read openvswitch PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openvswitch_read_pid_files',`
-+ gen_require(`
-+ type openvswitch_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t)
-+')
-+
-+########################################
-+##
-+## Execute openvswitch server in the openvswitch domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`openvswitch_systemctl',`
-+ gen_require(`
-+ type openvswitch_t;
-+ type openvswitch_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
-+ allow $1 openvswitch_unit_file_t:file read_file_perms;
-+ allow $1 openvswitch_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, openvswitch_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an openvswitch environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`openvswitch_admin',`
-+ gen_require(`
-+ type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t;
-+ type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t;
-+ ')
-+
-+ allow $1 openvswitch_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, openvswitch_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, openvswitch_rw_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, openvswitch_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, openvswitch_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, openvswitch_var_run_t)
-+
-+ openvswitch_systemctl($1)
-+ admin_pattern($1, openvswitch_unit_file_t)
-+ allow $1 openvswitch_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/openvswitch.te b/openvswitch.te
-new file mode 100644
-index 0000000..31370ed
---- /dev/null
-+++ b/openvswitch.te
-@@ -0,0 +1,83 @@
-+policy_module(openvswitch, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type openvswitch_t;
-+type openvswitch_exec_t;
-+init_daemon_domain(openvswitch_t, openvswitch_exec_t)
-+
-+type openvswitch_rw_t;
-+files_config_file(openvswitch_rw_t)
-+
-+type openvswitch_var_lib_t;
-+files_type(openvswitch_var_lib_t)
-+
-+type openvswitch_log_t;
-+logging_log_file(openvswitch_log_t)
-+
-+type openvswitch_var_run_t;
-+files_pid_file(openvswitch_var_run_t)
-+
-+type openvswitch_unit_file_t;
-+systemd_unit_file(openvswitch_unit_file_t)
-+
-+########################################
-+#
-+# openvswitch local policy
-+#
-+
-+allow openvswitch_t self:capability { net_admin ipc_lock sys_nice sys_resource };
-+allow openvswitch_t self:process { fork setsched setrlimit signal };
-+allow openvswitch_t self:fifo_file rw_fifo_file_perms;
-+allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow openvswitch_t self:netlink_socket create_socket_perms;
-+
-+can_exec(openvswitch_t, openvswitch_exec_t)
-+
-+manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
-+manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
-+manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
-+
-+manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-+manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-+manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-+files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-+manage_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-+manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-+logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-+manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-+manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-+manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-+files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
-+
-+kernel_read_network_state(openvswitch_t)
-+kernel_read_system_state(openvswitch_t)
-+
-+corecmd_exec_bin(openvswitch_t)
-+
-+dev_read_urand(openvswitch_t)
-+
-+domain_use_interactive_fds(openvswitch_t)
-+
-+files_read_etc_files(openvswitch_t)
-+
-+fs_getattr_all_fs(openvswitch_t)
-+fs_search_cgroup_dirs(openvswitch_t)
-+
-+auth_read_passwd(openvswitch_t)
-+
-+logging_send_syslog_msg(openvswitch_t)
-+
-+sysnet_dns_name_resolve(openvswitch_t)
-+
-+optional_policy(`
-+ iptables_domtrans(openvswitch_t)
-+')
-+
-diff --git a/pacemaker.fc b/pacemaker.fc
-new file mode 100644
-index 0000000..3793461
---- /dev/null
-+++ b/pacemaker.fc
-@@ -0,0 +1,12 @@
-+/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
-+
-+/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
-+
-+/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
-+
-+/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
-+/var/lib/pengine(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
-+
-+/var/run/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_run_t,s0)
-diff --git a/pacemaker.if b/pacemaker.if
-new file mode 100644
-index 0000000..e05c78f
---- /dev/null
-+++ b/pacemaker.if
-@@ -0,0 +1,209 @@
-+
-+## policy for pacemaker
-+
-+########################################
-+##
-+## Transition to pacemaker.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`pacemaker_domtrans',`
-+ gen_require(`
-+ type pacemaker_t, pacemaker_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, pacemaker_exec_t, pacemaker_t)
-+')
-+
-+########################################
-+##
-+## Execute pacemaker server in the pacemaker domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pacemaker_initrc_domtrans',`
-+ gen_require(`
-+ type pacemaker_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Search pacemaker lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pacemaker_search_lib',`
-+ gen_require(`
-+ type pacemaker_var_lib_t;
-+ ')
-+
-+ allow $1 pacemaker_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read pacemaker lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pacemaker_read_lib_files',`
-+ gen_require(`
-+ type pacemaker_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage pacemaker lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pacemaker_manage_lib_files',`
-+ gen_require(`
-+ type pacemaker_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage pacemaker lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pacemaker_manage_lib_dirs',`
-+ gen_require(`
-+ type pacemaker_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read pacemaker PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pacemaker_read_pid_files',`
-+ gen_require(`
-+ type pacemaker_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 pacemaker_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute pacemaker server in the pacemaker domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`pacemaker_systemctl',`
-+ gen_require(`
-+ type pacemaker_t;
-+ type pacemaker_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 pacemaker_unit_file_t:file read_file_perms;
-+ allow $1 pacemaker_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, pacemaker_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an pacemaker environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`pacemaker_admin',`
-+ gen_require(`
-+ type pacemaker_t;
-+ type pacemaker_initrc_exec_t;
-+ type pacemaker_var_lib_t;
-+ type pacemaker_var_run_t;
-+ type pacemaker_unit_file_t;
-+ ')
-+
-+ allow $1 pacemaker_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, pacemaker_t)
-+
-+ pacemaker_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 pacemaker_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, pacemaker_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, pacemaker_var_run_t)
-+
-+ pacemaker_systemctl($1)
-+ admin_pattern($1, pacemaker_unit_file_t)
-+ allow $1 pacemaker_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/pacemaker.te b/pacemaker.te
-new file mode 100644
-index 0000000..3a97ac3
---- /dev/null
-+++ b/pacemaker.te
-@@ -0,0 +1,86 @@
-+policy_module(pacemaker, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type pacemaker_t;
-+type pacemaker_exec_t;
-+init_daemon_domain(pacemaker_t, pacemaker_exec_t)
-+
-+type pacemaker_initrc_exec_t;
-+init_script_file(pacemaker_initrc_exec_t)
-+
-+type pacemaker_var_lib_t;
-+files_type(pacemaker_var_lib_t)
-+
-+type pacemaker_var_run_t;
-+files_pid_file(pacemaker_var_run_t)
-+
-+type pacemaker_tmp_t;
-+files_tmp_file(pacemaker_tmp_t)
-+
-+type pacemaker_tmpfs_t;
-+files_tmpfs_file(pacemaker_tmpfs_t)
-+
-+type pacemaker_unit_file_t;
-+systemd_unit_file(pacemaker_unit_file_t)
-+
-+########################################
-+#
-+# pacemaker local policy
-+#
-+
-+allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
-+allow pacemaker_t self:process { fork setrlimit signal setpgid };
-+allow pacemaker_t self:fifo_file rw_fifo_file_perms;
-+allow pacemaker_t self:unix_stream_socket { connectto create_stream_socket_perms };
-+
-+manage_dirs_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
-+manage_files_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
-+files_var_lib_filetrans(pacemaker_t, pacemaker_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
-+manage_files_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
-+files_pid_filetrans(pacemaker_t, pacemaker_var_run_t, { dir file })
-+
-+manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
-+manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
-+files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
-+
-+manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
-+manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
-+fs_tmpfs_filetrans(pacemaker_t, pacemaker_tmpfs_t, { dir file })
-+
-+kernel_read_system_state(pacemaker_t)
-+kernel_read_network_state(pacemaker_t)
-+kernel_read_all_sysctls(pacemaker_t)
-+kernel_read_messages(pacemaker_t)
-+kernel_getattr_core_if(pacemaker_t)
-+kernel_read_software_raid_state(pacemaker_t)
-+
-+corecmd_exec_bin(pacemaker_t)
-+corecmd_exec_shell(pacemaker_t)
-+
-+domain_use_interactive_fds(pacemaker_t)
-+domain_read_all_domains_state(pacemaker_t)
-+
-+dev_getattr_mtrr_dev(pacemaker_t)
-+dev_read_rand(pacemaker_t)
-+dev_read_urand(pacemaker_t)
-+
-+files_read_kernel_symbol_table(pacemaker_t)
-+
-+fs_getattr_all_fs(pacemaker_t)
-+
-+auth_use_nsswitch(pacemaker_t)
-+
-+logging_send_syslog_msg(pacemaker_t)
-+
-+optional_policy(`
-+ corosync_read_log(pacemaker_t)
-+ corosync_stream_connect(pacemaker_t)
-+ corosync_rw_tmpfs(pacemaker_t)
-+')
-+
-diff --git a/pads.fc b/pads.fc
-index 0870c56..6d5fb1d 100644
---- a/pads.fc
-+++ b/pads.fc
-@@ -1,10 +1,10 @@
- /etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0)
- /etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0)
--/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0)
-+/etc/pads\.conf -- gen_context(system_u:object_r:pads_config_t, s0)
- /etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0)
-
- /etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0)
-
- /usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0)
-
--/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
-+/var/run/pads\.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
-diff --git a/pads.if b/pads.if
-index 8ac407e..45673ad 100644
---- a/pads.if
-+++ b/pads.if
-@@ -25,20 +25,26 @@
- ##
- ##
- #
--interface(`pads_admin', `
-+interface(`pads_admin',`
- gen_require(`
-- type pads_t, pads_config_t;
-- type pads_var_run_t, pads_initrc_exec_t;
-+ type pads_t, pads_config_t, pads_initrc_exec_t;
-+ type pads_var_run_t;
- ')
-
-- allow $1 pads_t:process { ptrace signal_perms };
-+ allow $1 pads_t:process signal_perms;
- ps_process_pattern($1, pads_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 pads_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, pads_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pads_initrc_exec_t system_r;
- allow $2 system_r;
-
-+ files_list_pids($1)
- admin_pattern($1, pads_var_run_t)
-+
-+ files_list_etc($1)
- admin_pattern($1, pads_config_t)
- ')
-diff --git a/pads.te b/pads.te
-index b246bdd..3cbcc49 100644
---- a/pads.te
-+++ b/pads.te
-@@ -25,10 +25,11 @@ files_pid_file(pads_var_run_t)
- #
-
- allow pads_t self:capability { dac_override net_raw };
--allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
--allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
--allow pads_t self:udp_socket { create ioctl };
--allow pads_t self:unix_dgram_socket { write create connect };
-+allow pads_t self:netlink_route_socket create_netlink_socket_perms;
-+allow pads_t self:packet_socket create_socket_perms;
-+allow pads_t self:socket create_socket_perms;
-+allow pads_t self:udp_socket create_socket_perms;
-+allow pads_t self:unix_dgram_socket create_socket_perms;
-
- allow pads_t pads_config_t:file manage_file_perms;
- files_etc_filetrans(pads_t, pads_config_t, file)
-@@ -37,10 +38,10 @@ allow pads_t pads_var_run_t:file manage_file_perms;
- files_pid_filetrans(pads_t, pads_var_run_t, file)
-
- kernel_read_sysctl(pads_t)
-+kernel_read_network_state(pads_t)
-
- corecmd_search_bin(pads_t)
-
--corenet_all_recvfrom_unlabeled(pads_t)
- corenet_all_recvfrom_netlabel(pads_t)
- corenet_tcp_sendrecv_generic_if(pads_t)
- corenet_tcp_sendrecv_generic_node(pads_t)
-@@ -48,12 +49,11 @@ corenet_tcp_connect_prelude_port(pads_t)
-
- dev_read_rand(pads_t)
- dev_read_urand(pads_t)
-+dev_read_sysfs(pads_t)
-
- files_read_etc_files(pads_t)
- files_search_spool(pads_t)
-
--miscfiles_read_localization(pads_t)
--
- logging_send_syslog_msg(pads_t)
-
- sysnet_dns_name_resolve(pads_t)
-diff --git a/passenger.fc b/passenger.fc
-index 545518d..9155bd0 100644
---- a/passenger.fc
-+++ b/passenger.fc
-@@ -1,11 +1,12 @@
--/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
--/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
--/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
--/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/share/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/lib/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+
-+/usr/share/.*/gems/.*/helper-scripts/prespawn -- gen_context(system_u:object_r:passenger_exec_t,s0)
-
- /var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
-
--/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0)
--/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0)
-+/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
-
- /var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
-diff --git a/passenger.if b/passenger.if
-index f68b573..c050b37 100644
---- a/passenger.if
-+++ b/passenger.if
-@@ -18,6 +18,42 @@ interface(`passenger_domtrans',`
- domtrans_pattern($1, passenger_exec_t, passenger_t)
- ')
-
-+######################################
-+##
-+## Execute passenger in the current domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`passenger_exec',`
-+ gen_require(`
-+ type passenger_exec_t;
-+ ')
-+
-+ can_exec($1, passenger_exec_t)
-+')
-+
-+#######################################
-+##
-+## Getattr passenger log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`passenger_getattr_log_files',`
-+ gen_require(`
-+ type passenger_log_t;
-+ ')
-+
-+ getattr_files_pattern($1, passenger_log_t, passenger_log_t)
-+')
-+
- ########################################
- ##
- ## Read passenger lib files
-@@ -37,3 +73,84 @@ interface(`passenger_read_lib_files',`
- read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
- files_search_var_lib($1)
- ')
-+
-+########################################
-+##
-+## Manage passenger lib files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`passenger_manage_lib_files',`
-+ gen_require(`
-+ type passenger_var_lib_t;
-+ ')
-+
-+ manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
-+ manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
-+ manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
-+ files_search_var_lib($1)
-+')
-+
-+#####################################
-+##
-+## Manage passenger var_run content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`passenger_manage_pid_content',`
-+ gen_require(`
-+ type passenger_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
-+ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
-+ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
-+ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
-+')
-+
-+########################################
-+##
-+## Connect to passenger unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`passenger_stream_connect',`
-+ gen_require(`
-+ type passenger_t;
-+ ')
-+
-+ allow $1 passenger_t:unix_stream_socket connectto;
-+')
-+
-+#######################################
-+##
-+## Allow to manage passenger tmp files/dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`passenger_manage_tmp_files',`
-+ gen_require(`
-+ type passenger_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
-+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
-+')
-diff --git a/passenger.te b/passenger.te
-index 3470036..ca09bc0 100644
---- a/passenger.te
-+++ b/passenger.te
-@@ -28,7 +28,7 @@ files_pid_file(passenger_var_run_t)
- # passanger local policy
- #
-
--allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice };
-+allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
- allow passenger_t self:process { setpgid setsched sigkill signal };
- allow passenger_t self:fifo_file rw_fifo_file_perms;
- allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -37,7 +37,7 @@ can_exec(passenger_t, passenger_exec_t)
-
- manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
- manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
--logging_log_filetrans(passenger_t, passenger_log_t, file)
-+logging_log_filetrans(passenger_t, passenger_log_t, { dir file })
-
- manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
- manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
-@@ -49,11 +49,16 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
- manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
- files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
-
-+#needed by puppet
-+manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
-+manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
-+manage_sock_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
-+files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir sock_file })
-+
- kernel_read_system_state(passenger_t)
- kernel_read_kernel_sysctls(passenger_t)
-
- corenet_all_recvfrom_netlabel(passenger_t)
--corenet_all_recvfrom_unlabeled(passenger_t)
- corenet_tcp_sendrecv_generic_if(passenger_t)
- corenet_tcp_sendrecv_generic_node(passenger_t)
- corenet_tcp_connect_http_port(passenger_t)
-@@ -63,11 +68,13 @@ corecmd_exec_shell(passenger_t)
-
- dev_read_urand(passenger_t)
-
--files_read_etc_files(passenger_t)
-+domain_read_all_domains_state(passenger_t)
-+
-+files_read_usr_files(passenger_t)
-
- auth_use_nsswitch(passenger_t)
-
--miscfiles_read_localization(passenger_t)
-+logging_send_syslog_msg(passenger_t)
-
- userdom_dontaudit_use_user_terminals(passenger_t)
-
-@@ -75,3 +82,25 @@ optional_policy(`
- apache_append_log(passenger_t)
- apache_read_sys_content(passenger_t)
- ')
-+
-+optional_policy(`
-+ hostname_exec(passenger_t)
-+')
-+
-+optional_policy(`
-+ mta_send_mail(passenger_t)
-+')
-+
-+optional_policy(`
-+ puppet_manage_lib(passenger_t)
-+ puppet_read_config(passenger_t)
-+ puppet_append_log(passenger_t)
-+ puppet_create_log(passenger_t)
-+ puppet_read_log(passenger_t)
-+ puppet_search_pid(passenger_t)
-+')
-+
-+optional_policy(`
-+ rpm_exec(passenger_t)
-+ rpm_read_db(passenger_t)
-+')
-diff --git a/pcmcia.fc b/pcmcia.fc
-index 9cf0e56..2b5260a 100644
---- a/pcmcia.fc
-+++ b/pcmcia.fc
-@@ -4,6 +4,9 @@
- /sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
- /sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
-
-+/usr/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
-+/usr/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
-+
- /var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0)
-
- /var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
-diff --git a/pcmcia.te b/pcmcia.te
-index 4d06ae3..e1a4943 100644
---- a/pcmcia.te
-+++ b/pcmcia.te
-@@ -62,9 +62,7 @@ dev_read_urand(cardmgr_t)
-
- domain_use_interactive_fds(cardmgr_t)
- # Read /proc/PID directories for all domains (for fuser).
--domain_read_confined_domains_state(cardmgr_t)
--domain_getattr_confined_domains(cardmgr_t)
--domain_dontaudit_ptrace_confined_domains(cardmgr_t)
-+domain_read_all_domains_state(cardmgr_t)
- # cjp: these look excessive:
- domain_dontaudit_getattr_all_pipes(cardmgr_t)
- domain_dontaudit_getattr_all_sockets(cardmgr_t)
-@@ -96,8 +94,6 @@ libs_exec_lib_files(cardmgr_t)
-
- logging_send_syslog_msg(cardmgr_t)
-
--miscfiles_read_localization(cardmgr_t)
--
- modutils_domtrans_insmod(cardmgr_t)
-
- sysnet_domtrans_ifconfig(cardmgr_t)
-@@ -105,12 +101,11 @@ sysnet_domtrans_ifconfig(cardmgr_t)
- sysnet_etc_filetrans_config(cardmgr_t)
- sysnet_manage_config(cardmgr_t)
-
--userdom_use_user_terminals(cardmgr_t)
-+userdom_use_inherited_user_terminals(cardmgr_t)
- userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
- userdom_dontaudit_search_user_home_dirs(cardmgr_t)
-
- optional_policy(`
-- seutil_dontaudit_read_config(cardmgr_t)
- seutil_sigchld_newrole(cardmgr_t)
- ')
-
-diff --git a/pcscd.fc b/pcscd.fc
-index 87f17e8..63ee18a 100644
---- a/pcscd.fc
-+++ b/pcscd.fc
-@@ -1,4 +1,5 @@
- /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
-+/var/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
- /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
- /var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
- /var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
-diff --git a/pcscd.if b/pcscd.if
-index 1c2a091..3ead3cc 100644
---- a/pcscd.if
-+++ b/pcscd.if
-@@ -34,7 +34,7 @@ interface(`pcscd_read_pub_files',`
- ')
-
- files_search_pids($1)
-- allow $1 pcscd_var_run_t:file read_file_perms;
-+ read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
- ')
-
- ########################################
-diff --git a/pcscd.te b/pcscd.te
-index ceafba6..47b690d 100644
---- a/pcscd.te
-+++ b/pcscd.te
-@@ -25,6 +25,7 @@ allow pcscd_t self:fifo_file rw_fifo_file_perms;
- allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
- allow pcscd_t self:unix_dgram_socket create_socket_perms;
- allow pcscd_t self:tcp_socket create_stream_socket_perms;
-+allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
-
- manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
- manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
-@@ -34,7 +35,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
-
- kernel_read_system_state(pcscd_t)
-
--corenet_all_recvfrom_unlabeled(pcscd_t)
- corenet_all_recvfrom_netlabel(pcscd_t)
- corenet_tcp_sendrecv_generic_if(pcscd_t)
- corenet_tcp_sendrecv_generic_node(pcscd_t)
-@@ -56,8 +56,6 @@ locallogin_use_fds(pcscd_t)
-
- logging_send_syslog_msg(pcscd_t)
-
--miscfiles_read_localization(pcscd_t)
--
- sysnet_dns_name_resolve(pcscd_t)
-
- optional_policy(`
-@@ -77,3 +75,7 @@ optional_policy(`
- optional_policy(`
- rpm_use_script_fds(pcscd_t)
- ')
-+
-+optional_policy(`
-+ udev_read_db(pcscd_t)
-+')
-diff --git a/pegasus.te b/pegasus.te
-index 3185114..d459c82 100644
---- a/pegasus.te
-+++ b/pegasus.te
-@@ -9,6 +9,9 @@ type pegasus_t;
- type pegasus_exec_t;
- init_daemon_domain(pegasus_t, pegasus_exec_t)
-
-+type pegasus_cache_t;
-+files_type(pegasus_cache_t)
-+
- type pegasus_data_t;
- files_type(pegasus_data_t)
-
-@@ -16,7 +19,7 @@ type pegasus_tmp_t;
- files_tmp_file(pegasus_tmp_t)
-
- type pegasus_conf_t;
--files_type(pegasus_conf_t)
-+files_config_file(pegasus_conf_t)
-
- type pegasus_mof_t;
- files_type(pegasus_mof_t)
-@@ -29,18 +32,23 @@ files_pid_file(pegasus_var_run_t)
- # Local policy
- #
-
--allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
-+allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
- dontaudit pegasus_t self:capability sys_tty_config;
- allow pegasus_t self:process signal;
- allow pegasus_t self:fifo_file rw_fifo_file_perms;
- allow pegasus_t self:unix_dgram_socket create_socket_perms;
--allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
-+allow pegasus_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow pegasus_t self:tcp_socket create_stream_socket_perms;
-
- allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
--allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
-+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms };
- allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
-
-+manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-+manage_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-+manage_lnk_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-+files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
-+
- manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
- manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
- manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
-@@ -56,17 +64,20 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
- manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
- files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
-
--allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
-+manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-+manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
- manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
--files_pid_filetrans(pegasus_t, pegasus_var_run_t, file)
-+files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
-
-+kernel_read_network_state(pegasus_t)
- kernel_read_kernel_sysctls(pegasus_t)
- kernel_read_fs_sysctls(pegasus_t)
- kernel_read_system_state(pegasus_t)
- kernel_search_vm_sysctl(pegasus_t)
- kernel_read_net_sysctls(pegasus_t)
-+kernel_read_xen_state(pegasus_t)
-+kernel_write_xen_state(pegasus_t)
-
--corenet_all_recvfrom_unlabeled(pegasus_t)
- corenet_all_recvfrom_netlabel(pegasus_t)
- corenet_tcp_sendrecv_generic_if(pegasus_t)
- corenet_tcp_sendrecv_generic_node(pegasus_t)
-@@ -86,7 +97,7 @@ corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
- corecmd_exec_bin(pegasus_t)
- corecmd_exec_shell(pegasus_t)
-
--dev_read_sysfs(pegasus_t)
-+dev_rw_sysfs(pegasus_t)
- dev_read_urand(pegasus_t)
-
- fs_getattr_all_fs(pegasus_t)
-@@ -95,11 +106,11 @@ files_getattr_all_dirs(pegasus_t)
-
- auth_use_nsswitch(pegasus_t)
- auth_domtrans_chk_passwd(pegasus_t)
-+auth_read_shadow(pegasus_t)
-
- domain_use_interactive_fds(pegasus_t)
- domain_read_all_domains_state(pegasus_t)
-
--files_read_etc_files(pegasus_t)
- files_list_var_lib(pegasus_t)
- files_read_var_lib_files(pegasus_t)
- files_read_var_lib_symlinks(pegasus_t)
-@@ -112,8 +123,6 @@ init_stream_connect_script(pegasus_t)
- logging_send_audit_msgs(pegasus_t)
- logging_send_syslog_msg(pegasus_t)
-
--miscfiles_read_localization(pegasus_t)
--
- sysnet_read_config(pegasus_t)
- sysnet_domtrans_ifconfig(pegasus_t)
-
-@@ -121,12 +130,48 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
- userdom_dontaudit_search_user_home_dirs(pegasus_t)
-
- optional_policy(`
-+ dbus_system_bus_client(pegasus_t)
-+ dbus_connect_system_bus(pegasus_t)
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(pegasus_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ corosync_stream_connect(pegasus_t)
-+')
-+
-+optional_policy(`
-+ hostname_exec(pegasus_t)
-+')
-+
-+optional_policy(`
-+ lldpad_dgram_send(pegasus_t)
-+')
-+
-+optional_policy(`
-+ ricci_stream_connect_modclusterd(pegasus_t)
-+')
-+
-+optional_policy(`
- rpm_exec(pegasus_t)
- ')
-
- optional_policy(`
-+ samba_manage_config(pegasus_t)
-+')
-+
-+optional_policy(`
-+ sysnet_domtrans_ifconfig(pegasus_t)
-+')
-+
-+optional_policy(`
-+ ssh_exec(pegasus_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(pegasus_t)
-- seutil_dontaudit_read_config(pegasus_t)
- ')
-
- optional_policy(`
-@@ -136,3 +181,14 @@ optional_policy(`
- optional_policy(`
- unconfined_signull(pegasus_t)
- ')
-+
-+optional_policy(`
-+ virt_domtrans(pegasus_t)
-+ virt_stream_connect(pegasus_t)
-+ virt_manage_config(pegasus_t)
-+')
-+
-+optional_policy(`
-+ xen_stream_connect(pegasus_t)
-+ xen_stream_connect_xenstore(pegasus_t)
-+')
-diff --git a/perdition.te b/perdition.te
-index 3636277..05e65ad 100644
---- a/perdition.te
-+++ b/perdition.te
-@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(perdition_t)
- kernel_list_proc(perdition_t)
- kernel_read_proc_symlinks(perdition_t)
-
--corenet_all_recvfrom_unlabeled(perdition_t)
- corenet_all_recvfrom_netlabel(perdition_t)
- corenet_tcp_sendrecv_generic_if(perdition_t)
- corenet_udp_sendrecv_generic_if(perdition_t)
-@@ -59,8 +58,6 @@ files_read_etc_files(perdition_t)
-
- logging_send_syslog_msg(perdition_t)
-
--miscfiles_read_localization(perdition_t)
--
- sysnet_read_config(perdition_t)
-
- userdom_dontaudit_use_unpriv_user_fds(perdition_t)
-diff --git a/phpfpm.fc b/phpfpm.fc
-new file mode 100644
-index 0000000..4c64b13
---- /dev/null
-+++ b/phpfpm.fc
-@@ -0,0 +1,7 @@
-+/usr/lib/systemd/system/php-fpm.service -- gen_context(system_u:object_r:phpfpm_unit_file_t,s0)
-+
-+/usr/sbin/php-fpm -- gen_context(system_u:object_r:phpfpm_exec_t,s0)
-+
-+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:phpfpm_log_t,s0)
-+
-+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:phpfpm_var_run_t,s0)
-diff --git a/phpfpm.if b/phpfpm.if
-new file mode 100644
-index 0000000..18f0425
---- /dev/null
-+++ b/phpfpm.if
-@@ -0,0 +1,162 @@
-+
-+## PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites.
-+
-+########################################
-+##
-+## Execute php-fpm in the phpfpm domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`phpfpm_domtrans',`
-+ gen_require(`
-+ type phpfpm_t, phpfpm_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, phpfpm_exec_t, phpfpm_t)
-+')
-+
-+########################################
-+##
-+## Read phpfpm's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`phpfpm_read_log',`
-+ gen_require(`
-+ type phpfpm_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
-+')
-+
-+########################################
-+##
-+## Append to phpfpm log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`phpfpm_append_log',`
-+ gen_require(`
-+ type phpfpm_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
-+')
-+
-+########################################
-+##
-+## Manage phpfpm log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`phpfpm_manage_log',`
-+ gen_require(`
-+ type phpfpm_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, phpfpm_log_t, phpfpm_log_t)
-+ manage_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
-+ manage_lnk_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
-+')
-+
-+########################################
-+##
-+## Read phpfpm PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`phpfpm_read_pid_files',`
-+ gen_require(`
-+ type phpfpm_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 phpfpm_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute phpfpm server in the phpfpm domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`phpfpm_systemctl',`
-+ gen_require(`
-+ type phpfpm_t;
-+ type phpfpm_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 phpfpm_unit_file_t:file read_file_perms;
-+ allow $1 phpfpm_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, phpfpm_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an phpfpm environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`phpfpm_admin',`
-+ gen_require(`
-+ type phpfpm_t;
-+ type phpfpm_log_t;
-+ type phpfpm_var_run_t;
-+ type phpfpm_unit_file_t;
-+ ')
-+
-+ allow $1 phpfpm_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, phpfpm_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, phpfpm_log_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, phpfpm_var_run_t)
-+
-+ phpfpm_systemctl($1)
-+ admin_pattern($1, phpfpm_unit_file_t)
-+ allow $1 phpfpm_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/phpfpm.te b/phpfpm.te
-new file mode 100644
-index 0000000..78af4d7
---- /dev/null
-+++ b/phpfpm.te
-@@ -0,0 +1,61 @@
-+policy_module(phpfpm, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type phpfpm_t;
-+type phpfpm_exec_t;
-+init_daemon_domain(phpfpm_t, phpfpm_exec_t)
-+
-+type phpfpm_log_t;
-+logging_log_file(phpfpm_log_t)
-+
-+type phpfpm_var_run_t;
-+files_pid_file(phpfpm_var_run_t)
-+
-+type phpfpm_unit_file_t;
-+systemd_unit_file(phpfpm_unit_file_t)
-+
-+########################################
-+#
-+# phpfpm local policy
-+#
-+
-+allow phpfpm_t self:capability { chown kill setgid setuid sys_chroot sys_nice };
-+allow phpfpm_t self:process { setsched setrlimit signal sigkill };
-+
-+allow phpfpm_t self:fifo_file rw_fifo_file_perms;
-+allow phpfpm_t self:tcp_socket { accept listen };
-+allow phpfpm_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
-+manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
-+
-+manage_dirs_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
-+manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
-+files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, dir )
-+
-+kernel_read_system_state(phpfpm_t)
-+kernel_read_kernel_sysctls(phpfpm_t)
-+
-+corenet_tcp_bind_generic_port(phpfpm_t)
-+
-+domain_use_interactive_fds(phpfpm_t)
-+
-+files_read_etc_files(phpfpm_t)
-+
-+auth_use_nsswitch(phpfpm_t)
-+
-+dev_read_rand(phpfpm_t)
-+dev_read_urand(phpfpm_t)
-+
-+logging_send_syslog_msg(phpfpm_t)
-+
-+sysnet_dns_name_resolve(phpfpm_t)
-+
-+optional_policy(`
-+ mysql_stream_connect(phpfpm_t)
-+ mysql_tcp_connect(phpfpm_t)
-+')
-diff --git a/pingd.if b/pingd.if
-index 8688aae..cf34fc1 100644
---- a/pingd.if
-+++ b/pingd.if
-@@ -55,7 +55,6 @@ interface(`pingd_manage_config',`
- files_search_etc($1)
- manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
- manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
--
- ')
-
- #######################################
-@@ -77,12 +76,15 @@ interface(`pingd_manage_config',`
- #
- interface(`pingd_admin',`
- gen_require(`
-- type pingd_t, pingd_etc_t;
-- type pingd_initrc_exec_t, pingd_modules_t;
-+ type pingd_t, pingd_etc_t, pingd_modules_t;
-+ type pingd_initrc_exec_t;
- ')
-
-- allow $1 pingd_t:process { ptrace signal_perms };
-+ allow $1 pingd_t:process signal_perms;
- ps_process_pattern($1, pingd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 pingd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, pingd_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/pingd.te b/pingd.te
-index e9cf8a4..c476cf4 100644
---- a/pingd.te
-+++ b/pingd.te
-@@ -11,7 +11,7 @@ init_daemon_domain(pingd_t, pingd_exec_t)
-
- # type for config
- type pingd_etc_t;
--files_type(pingd_etc_t)
-+files_config_file(pingd_etc_t)
-
- type pingd_initrc_exec_t;
- init_script_file(pingd_initrc_exec_t)
-@@ -27,7 +27,7 @@ files_type(pingd_modules_t)
-
- allow pingd_t self:capability net_raw;
- allow pingd_t self:tcp_socket create_stream_socket_perms;
--allow pingd_t self:rawip_socket { write read create bind };
-+allow pingd_t self:rawip_socket create_socket_perms;
-
- read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
-
-@@ -43,5 +43,3 @@ auth_use_nsswitch(pingd_t)
- files_search_usr(pingd_t)
-
- logging_send_syslog_msg(pingd_t)
--
--miscfiles_read_localization(pingd_t)
-diff --git a/piranha.fc b/piranha.fc
-new file mode 100644
-index 0000000..20ea9f5
---- /dev/null
-+++ b/piranha.fc
-@@ -0,0 +1,24 @@
-+
-+/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
-+
-+# RHEL6
-+#/etc/sysconfig/ha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
-+
-+/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
-+
-+/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0)
-+/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
-+/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
-+/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
-+
-+/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0)
-+/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
-+/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
-+
-+/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0)
-+
-+/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
-+/var/run/lvs\.pid -- gen_context(system_u:object_r:piranha_lvs_var_run_t,s0)
-+/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0)
-+/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0)
-+
-diff --git a/piranha.if b/piranha.if
-new file mode 100644
-index 0000000..8d681d1
---- /dev/null
-+++ b/piranha.if
-@@ -0,0 +1,179 @@
-+## policy for piranha
-+
-+#######################################
-+##
-+## Creates types and rules for a basic
-+## cluster init daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`piranha_domain_template',`
-+ gen_require(`
-+ attribute piranha_domain;
-+ ')
-+
-+ ##############################
-+ #
-+ # piranha_$1_t declarations
-+ #
-+
-+ type piranha_$1_t, piranha_domain;
-+ type piranha_$1_exec_t;
-+ init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
-+
-+ # pid files
-+ type piranha_$1_var_run_t;
-+ files_pid_file(piranha_$1_var_run_t)
-+
-+ ##############################
-+ #
-+ # piranha_$1_t local policy
-+ #
-+
-+ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
-+ manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
-+ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
-+
-+ kernel_read_system_state(piranha_$1_t)
-+
-+ auth_use_nsswitch(piranha_$1_t)
-+
-+ logging_send_syslog_msg(piranha_$1_t)
-+')
-+
-+########################################
-+##
-+## Execute a domain transition to run fos.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`piranha_domtrans_fos',`
-+ gen_require(`
-+ type piranha_fos_t, piranha_fos_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t)
-+')
-+
-+#######################################
-+##
-+## Execute a domain transition to run lvsd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`piranha_domtrans_lvs',`
-+ gen_require(`
-+ type piranha_lvs_t, piranha_lvs_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
-+')
-+
-+#######################################
-+##
-+## Execute a domain transition to run pulse.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`piranha_domtrans_pulse',`
-+ gen_require(`
-+ type piranha_pulse_t, piranha_pulse_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
-+')
-+
-+#######################################
-+##
-+## Execute pulse server in the pulse domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`piranha_pulse_initrc_domtrans',`
-+ gen_require(`
-+ type piranha_pulse_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to read piranha's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`piranha_read_log',`
-+ gen_require(`
-+ type piranha_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, piranha_log_t, piranha_log_t)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to append
-+## piranha log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`piranha_append_log',`
-+ gen_require(`
-+ type piranha_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, piranha_log_t, piranha_log_t)
-+')
-+
-+########################################
-+##
-+## Allow domain to manage piranha log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`piranha_manage_log',`
-+ gen_require(`
-+ type piranha_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
-+ manage_files_pattern($1, piranha_log_t, piranha_log_t)
-+ manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
-+')
-diff --git a/piranha.te b/piranha.te
-new file mode 100644
-index 0000000..b1d27d7
---- /dev/null
-+++ b/piranha.te
-@@ -0,0 +1,295 @@
-+policy_module(piranha, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+##
-+##
-+## Allow piranha-lvs domain to connect to the network using TCP.
-+##
-+##
-+gen_tunable(piranha_lvs_can_network_connect, false)
-+
-+attribute piranha_domain;
-+
-+piranha_domain_template(fos)
-+
-+piranha_domain_template(lvs)
-+
-+piranha_domain_template(pulse)
-+
-+type piranha_pulse_initrc_exec_t;
-+init_script_file(piranha_pulse_initrc_exec_t)
-+
-+piranha_domain_template(web)
-+
-+type piranha_web_tmpfs_t;
-+files_tmpfs_file(piranha_web_tmpfs_t)
-+
-+type piranha_web_conf_t;
-+files_config_file(piranha_web_conf_t)
-+
-+type piranha_web_data_t;
-+files_type(piranha_web_data_t)
-+
-+type piranha_web_tmp_t;
-+files_tmp_file(piranha_web_tmp_t)
-+
-+type piranha_etc_rw_t;
-+files_config_file(piranha_etc_rw_t)
-+
-+type piranha_log_t;
-+logging_log_file(piranha_log_t)
-+
-+#######################################
-+#
-+# piranha-fos local policy
-+#
-+
-+kernel_read_kernel_sysctls(piranha_fos_t)
-+
-+domain_read_all_domains_state(piranha_fos_t)
-+
-+optional_policy(`
-+ consoletype_exec(piranha_fos_t)
-+')
-+
-+# start and stop services
-+init_domtrans_script(piranha_fos_t)
-+
-+########################################
-+#
-+# piranha-gui local policy
-+#
-+
-+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
-+allow piranha_web_t self:process { getsched setsched signal signull };
-+
-+allow piranha_web_t self:rawip_socket create_socket_perms;
-+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
-+allow piranha_web_t self:sem create_sem_perms;
-+allow piranha_web_t self:shm create_shm_perms;
-+
-+manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
-+manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
-+files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
-+
-+read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
-+
-+rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
-+
-+manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
-+manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
-+logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file })
-+
-+can_exec(piranha_web_t, piranha_web_tmp_t)
-+manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
-+manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
-+files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
-+
-+manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
-+manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
-+fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file })
-+
-+piranha_pulse_initrc_domtrans(piranha_web_t)
-+
-+kernel_read_kernel_sysctls(piranha_web_t)
-+
-+corenet_tcp_bind_http_cache_port(piranha_web_t)
-+corenet_tcp_bind_luci_port(piranha_web_t)
-+corenet_tcp_bind_piranha_port(piranha_web_t)
-+corenet_tcp_connect_ricci_port(piranha_web_t)
-+
-+dev_read_rand(piranha_web_t)
-+dev_read_urand(piranha_web_t)
-+
-+domain_read_all_domains_state(piranha_web_t)
-+
-+files_read_usr_files(piranha_web_t)
-+
-+optional_policy(`
-+ consoletype_exec(piranha_web_t)
-+')
-+
-+optional_policy(`
-+ apache_read_config(piranha_web_t)
-+ apache_exec_modules(piranha_web_t)
-+ apache_exec(piranha_web_t)
-+')
-+
-+optional_policy(`
-+ gnome_dontaudit_search_config(piranha_web_t)
-+')
-+
-+optional_policy(`
-+ sasl_connect(piranha_web_t)
-+')
-+
-+optional_policy(`
-+ snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
-+ snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
-+')
-+
-+######################################
-+#
-+# piranha-lvs local policy
-+#
-+
-+# neede by nanny
-+allow piranha_lvs_t self:capability { net_raw sys_nice };
-+allow piranha_lvs_t self:process signal;
-+allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
-+allow piranha_lvs_t self:rawip_socket create_socket_perms;
-+
-+kernel_read_kernel_sysctls(piranha_lvs_t)
-+
-+# needed by nanny
-+corenet_tcp_connect_ftp_port(piranha_lvs_t)
-+corenet_tcp_connect_http_port(piranha_lvs_t)
-+corenet_tcp_connect_smtp_port(piranha_lvs_t)
-+
-+sysnet_dns_name_resolve(piranha_lvs_t)
-+
-+# needed by nanny
-+tunable_policy(`piranha_lvs_can_network_connect',`
-+ corenet_tcp_connect_all_ports(piranha_lvs_t)
-+')
-+
-+# needed by ipvsadm
-+optional_policy(`
-+ iptables_domtrans(piranha_lvs_t)
-+')
-+
-+#######################################
-+#
-+# piranha-pulse local policy
-+#
-+
-+allow piranha_pulse_t self:capability net_admin;
-+
-+allow piranha_pulse_t self:packet_socket create_socket_perms;
-+
-+# pulse starts fos and lvs daemon
-+domtrans_pattern(piranha_pulse_t, piranha_fos_exec_t, piranha_fos_t)
-+allow piranha_pulse_t piranha_fos_t:process signal;
-+
-+domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t)
-+allow piranha_pulse_t piranha_lvs_t:process signal;
-+
-+kernel_read_kernel_sysctls(piranha_pulse_t)
-+kernel_read_rpc_sysctls(piranha_pulse_t)
-+kernel_rw_rpc_sysctls(piranha_pulse_t)
-+kernel_search_debugfs(piranha_pulse_t)
-+kernel_search_network_state(piranha_pulse_t)
-+
-+corecmd_exec_bin(piranha_pulse_t)
-+corecmd_exec_shell(piranha_pulse_t)
-+optional_policy(`
-+ consoletype_exec(piranha_pulse_t)
-+')
-+
-+corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
-+corenet_udp_bind_cma_port(piranha_pulse_t)
-+
-+domain_read_all_domains_state(piranha_pulse_t)
-+domain_getattr_all_domains(piranha_pulse_t)
-+
-+fs_getattr_all_fs(piranha_pulse_t)
-+
-+init_initrc_domain(piranha_pulse_t)
-+
-+logging_send_syslog_msg(piranha_pulse_t)
-+
-+# various services to failover
-+
-+optional_policy(`
-+ apache_domtrans(piranha_pulse_t)
-+ apache_signal(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ ftp_domtrans(piranha_pulse_t)
-+ ftp_initrc_domtrans(piranha_pulse_t)
-+ ftp_systemctl(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ hostname_exec(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ iptables_domtrans(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ ldap_systemctl(piranha_pulse_t)
-+ ldap_initrc_domtrans(piranha_pulse_t)
-+ ldap_domtrans(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ mysql_domtrans_mysql_safe(piranha_pulse_t)
-+ mysql_stream_connect(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ netutils_domtrans(piranha_pulse_t)
-+ netutils_domtrans_ping(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ postgresql_domtrans(piranha_pulse_t)
-+ postgresql_signal(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ samba_initrc_domtrans(piranha_pulse_t)
-+ samba_systemctl(piranha_pulse_t)
-+ samba_domtrans_smbd(piranha_pulse_t)
-+ samba_domtrans_nmbd(piranha_pulse_t)
-+ samba_manage_var_files(piranha_pulse_t)
-+ samba_rw_config(piranha_pulse_t)
-+ samba_signal_smbd(piranha_pulse_t)
-+ samba_signal_nmbd(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ sysnet_domtrans_ifconfig(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ udev_read_db(piranha_pulse_t)
-+')
-+
-+####################################
-+#
-+# piranha domains common policy
-+#
-+
-+allow piranha_domain self:process signal_perms;
-+allow piranha_domain self:fifo_file rw_fifo_file_perms;
-+allow piranha_domain self:tcp_socket create_stream_socket_perms;
-+allow piranha_domain self:udp_socket create_socket_perms;
-+allow piranha_domain self:unix_stream_socket create_stream_socket_perms;
-+
-+read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
-+
-+kernel_read_network_state(piranha_domain)
-+
-+corenet_tcp_sendrecv_generic_if(piranha_domain)
-+corenet_udp_sendrecv_generic_if(piranha_domain)
-+corenet_tcp_sendrecv_generic_node(piranha_domain)
-+corenet_udp_sendrecv_generic_node(piranha_domain)
-+corenet_tcp_sendrecv_all_ports(piranha_domain)
-+corenet_udp_sendrecv_all_ports(piranha_domain)
-+corenet_tcp_bind_generic_node(piranha_domain)
-+corenet_udp_bind_generic_node(piranha_domain)
-+
-+files_read_etc_files(piranha_domain)
-+
-+corecmd_exec_bin(piranha_domain)
-+corecmd_exec_shell(piranha_domain)
-+
-+sysnet_read_config(piranha_domain)
-diff --git a/pkcsslotd.fc b/pkcsslotd.fc
-new file mode 100644
-index 0000000..dd1b8f2
---- /dev/null
-+++ b/pkcsslotd.fc
-@@ -0,0 +1,5 @@
-+/usr/lib/systemd/system/pkcsslotd.service -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0)
-+
-+/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0)
-+
-+/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0)
-diff --git a/pkcsslotd.if b/pkcsslotd.if
-new file mode 100644
-index 0000000..848ddc9
---- /dev/null
-+++ b/pkcsslotd.if
-@@ -0,0 +1,155 @@
-+
-+## policy for pkcsslotd
-+
-+########################################
-+##
-+## Transition to pkcsslotd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`pkcsslotd_domtrans',`
-+ gen_require(`
-+ type pkcsslotd_t, pkcsslotd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, pkcsslotd_exec_t, pkcsslotd_t)
-+')
-+
-+########################################
-+##
-+## Search pkcsslotd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_search_lib',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ allow $1 pkcsslotd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read pkcsslotd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_read_lib_files',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage pkcsslotd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_manage_lib_files',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage pkcsslotd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_manage_lib_dirs',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Execute pkcsslotd server in the pkcsslotd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`pkcsslotd_systemctl',`
-+ gen_require(`
-+ type pkcsslotd_t;
-+ type pkcsslotd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 pkcsslotd_unit_file_t:file read_file_perms;
-+ allow $1 pkcsslotd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, pkcsslotd_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an pkcsslotd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_admin',`
-+ gen_require(`
-+ type pkcsslotd_t;
-+ type pkcsslotd_var_lib_t;
-+ type pkcsslotd_unit_file_t;
-+ ')
-+
-+ allow $1 pkcsslotd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, pkcsslotd_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, pkcsslotd_var_lib_t)
-+
-+ pkcsslotd_systemctl($1)
-+ admin_pattern($1, pkcsslotd_unit_file_t)
-+ allow $1 pkcsslotd_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/pkcsslotd.te b/pkcsslotd.te
-new file mode 100644
-index 0000000..9ab2c4d
---- /dev/null
-+++ b/pkcsslotd.te
-@@ -0,0 +1,61 @@
-+policy_module(pkcsslotd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type pkcsslotd_t;
-+type pkcsslotd_exec_t;
-+init_daemon_domain(pkcsslotd_t, pkcsslotd_exec_t)
-+
-+type pkcsslotd_var_lib_t;
-+files_type(pkcsslotd_var_lib_t)
-+
-+type pkcsslotd_unit_file_t;
-+systemd_unit_file(pkcsslotd_unit_file_t)
-+
-+type pkcsslotd_tmp_t;
-+files_tmp_file(pkcsslotd_tmp_t)
-+
-+type pkcsslotd_tmpfs_t;
-+files_tmpfs_file(pkcsslotd_tmpfs_t)
-+
-+type pkcsslotd_var_run_t;
-+files_pid_file(pkcsslotd_var_run_t)
-+
-+########################################
-+#
-+# pkcsslotd local policy
-+#
-+
-+allow pkcsslotd_t self:capability { kill };
-+allow pkcsslotd_t self:process { fork };
-+
-+allow pkcsslotd_t self:fifo_file rw_fifo_file_perms;
-+allow pkcsslotd_t self:sem create_sem_perms;
-+allow pkcsslotd_t self:shm create_shm_perms;
-+allow pkcsslotd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
-+files_tmp_filetrans(pkcsslotd_t, pkcsslotd_tmp_t, { file dir })
-+
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmpfs_t, pkcsslotd_tmpfs_t)
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_tmpfs_t, pkcsslotd_tmpfs_t)
-+fs_tmpfs_filetrans(pkcsslotd_t, pkcsslotd_tmpfs_t, { dir file })
-+
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+manage_lnk_files_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+files_var_lib_filetrans(pkcsslotd_t, pkcsslotd_var_lib_t, { dir file lnk_file })
-+
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t, pkcsslotd_var_run_t)
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t)
-+files_pid_filetrans(pkcsslotd_t, pkcsslotd_var_run_t, { file dir })
-+
-+domain_use_interactive_fds(pkcsslotd_t)
-+
-+files_read_etc_files(pkcsslotd_t)
-+
-+logging_send_syslog_msg(pkcsslotd_t)
-diff --git a/pki.fc b/pki.fc
-new file mode 100644
-index 0000000..0c167b7
---- /dev/null
-+++ b/pki.fc
-@@ -0,0 +1,55 @@
-+/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-+/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
-+/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
-+/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
-+/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-+/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
-+/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
-+/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
-+
-+/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
-+/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
-+/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
-+/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
-+/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
-+/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0)
-+
-+/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
-+/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
-+/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
-+/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
-+/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
-+/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0)
-+
-+# default labeling for nCipher
-+/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0)
-+/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0)
-+/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0)
-+/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0)
-+
-+# old paths (for migration)
-+/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-+/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
-+/var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
-+/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
-+/var/lib/pki-ca/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
-+/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-+/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
-+/var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
-+/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
-+/var/lib/pki-kra/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
-+/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-+/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
-+/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
-+/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
-+/var/lib/pki-ocsp/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
-+/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-+/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
-+/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
-+/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
-+/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
-+
-+/var/lock/subsys/pkidaemon -- gen_context(system_u:object_r:pki_tomcat_lock_t,s0)
-+
-+#/etc/systemd/system/pki-tomcatd\.target\.wants(/.*)? gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
-+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
-diff --git a/pki.if b/pki.if
-new file mode 100644
-index 0000000..83c13cf
---- /dev/null
-+++ b/pki.if
-@@ -0,0 +1,248 @@
-+
-+## policy for pki
-+########################################
-+##
-+## Allow read and write pki cert files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_rw_tomcat_cert',`
-+ gen_require(`
-+ type pki_tomcat_cert_t;
-+ type pki_tomcat_etc_rw_t;
-+ ')
-+
-+ allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;
-+ rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
-+')
-+
-+########################################
-+##
-+## Create a set of derived types for apache
-+## web content.
-+##
-+##
-+##
-+## The prefix to be used for deriving type names.
-+##
-+##
-+#
-+template(`pki_apache_template',`
-+ gen_require(`
-+ attribute pki_apache_domain;
-+ attribute pki_apache_config, pki_apache_var_lib, pki_apache_var_run;
-+ attribute pki_apache_executable, pki_apache_script, pki_apache_var_log;
-+ ')
-+
-+ ########################################
-+ #
-+ # Declarations
-+ #
-+
-+ type $1_t, pki_apache_domain;
-+ type $1_exec_t, pki_apache_executable;
-+ domain_type($1_t)
-+ init_daemon_domain($1_t, $1_exec_t)
-+
-+ type $1_script_exec_t, pki_apache_script;
-+ init_script_file($1_script_exec_t)
-+
-+ type $1_etc_rw_t, pki_apache_config;
-+ files_type($1_etc_rw_t)
-+
-+ type $1_var_run_t, pki_apache_var_run;
-+ files_pid_file($1_var_run_t)
-+
-+ type $1_var_lib_t, pki_apache_var_lib;
-+ files_type($1_var_lib_t)
-+
-+ type $1_log_t, pki_apache_var_log;
-+ logging_log_file($1_log_t)
-+
-+ type $1_lock_t;
-+ files_lock_file($1_lock_t)
-+
-+ ########################################
-+ #
-+ # $1 local policy
-+ #
-+
-+ files_read_etc_files($1_t)
-+ allow $1_t $1_etc_rw_t:lnk_file read;
-+
-+ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
-+ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
-+ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
-+
-+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
-+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-+ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
-+
-+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
-+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
-+ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
-+ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
-+
-+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
-+ manage_files_pattern($1_t, $1_log_t, $1_log_t)
-+ logging_log_filetrans($1_t, $1_log_t, { file dir } )
-+
-+ manage_dirs_pattern($1_t, $1_lock_t, $1_lock_t)
-+ manage_files_pattern($1_t, $1_lock_t, $1_lock_t)
-+ manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
-+ files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })
-+
-+ #talk to lunasa hsm
-+ logging_send_syslog_msg($1_t)
-+
-+ kernel_read_kernel_sysctls($1_t)
-+ kernel_read_system_state($1_t)
-+
-+ corenet_all_recvfrom_unlabeled($1_t)
-+
-+ # need to resolve addresses?
-+ auth_use_nsswitch($1_t)
-+
-+ #pki_apache_domain_signal(httpd_t)
-+ #pki_apache_domain_signal(httpd_t)
-+ #pki_manage_apache_run(httpd_t)
-+ #pki_manage_apache_config_files(httpd_t)
-+ #pki_manage_apache_log_files(httpd_t)
-+ #pki_manage_apache_lib(httpd_t)
-+')
-+
-+#######################################
-+##
-+## Send a null signal to pki apache domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_apache_domain_signal',`
-+ gen_require(`
-+ attribute pki_apache_domain;
-+ ')
-+
-+ allow $1 pki_apache_domain:process signal;
-+')
-+
-+#######################################
-+##
-+## Send a null signal to pki apache domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_apache_domain_signull',`
-+ gen_require(`
-+ attribute pki_apache_domain;
-+ ')
-+
-+ allow $1 pki_apache_domain:process signull;
-+')
-+
-+###################################
-+##
-+## Allow domain to read pki apache subsystem pid files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_manage_apache_run',`
-+ gen_require(`
-+ attribute pki_apache_var_run;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, pki_apache_var_run, pki_apache_var_run)
-+')
-+
-+####################################
-+##
-+## Allow domain to manage pki apache subsystem lib files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_manage_apache_lib',`
-+ gen_require(`
-+ attribute pki_apache_var_lib;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
-+ manage_lnk_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
-+')
-+
-+##################################
-+##
-+## Dontaudit domain to write pki log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_dontaudit_write_log',`
-+ gen_require(`
-+ type pki_log_t;
-+ ')
-+
-+ dontaudit $1 pki_log_t:file write;
-+')
-+
-+###################################
-+##
-+## Allow domain to manage pki apache subsystem log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_manage_apache_log_files',`
-+ gen_require(`
-+ attribute pki_apache_var_log;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, pki_apache_var_log, pki_apache_var_log)
-+')
-+
-+##################################
-+##
-+## Allow domain to manage pki apache subsystem config files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_manage_apache_config_files',`
-+ gen_require(`
-+ attribute pki_apache_config;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, pki_apache_config, pki_apache_config)
-+')
-+
-diff --git a/pki.te b/pki.te
-new file mode 100644
-index 0000000..dfebbd9
---- /dev/null
-+++ b/pki.te
-@@ -0,0 +1,289 @@
-+policy_module(pki,10.0.11)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+attribute pki_apache_domain;
-+attribute pki_apache_config;
-+attribute pki_apache_executable;
-+attribute pki_apache_var_lib;
-+attribute pki_apache_var_log;
-+attribute pki_apache_var_run;
-+attribute pki_apache_pidfiles;
-+attribute pki_apache_script;
-+
-+type pki_log_t;
-+files_type(pki_log_t)
-+
-+type pki_common_t;
-+files_type(pki_common_t)
-+
-+type pki_common_dev_t;
-+files_type(pki_common_dev_t)
-+
-+type pki_tomcat_etc_rw_t;
-+files_type(pki_tomcat_etc_rw_t)
-+
-+type pki_tomcat_cert_t;
-+files_type(pki_tomcat_cert_t)
-+
-+tomcat_domain_template(pki_tomcat)
-+
-+type pki_tomcat_unit_file_t;
-+systemd_unit_file(pki_tomcat_unit_file_t)
-+
-+type pki_tomcat_lock_t;
-+files_lock_file(pki_tomcat_lock_t)
-+
-+# old type aliases for migration
-+typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
-+typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
-+typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
-+typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
-+typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
-+# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
-+
-+
-+# pki policy types
-+type pki_tps_tomcat_exec_t;
-+files_type(pki_tps_tomcat_exec_t)
-+
-+pki_apache_template(pki_tps)
-+
-+# ra policy types
-+type pki_ra_tomcat_exec_t;
-+files_type(pki_ra_tomcat_exec_t)
-+
-+pki_apache_template(pki_ra)
-+
-+# needed for dogtag 9 style instances
-+type pki_tomcat_script_t;
-+domain_type(pki_tomcat_script_t)
-+role system_r types pki_tomcat_script_t;
-+
-+optional_policy(`
-+ unconfined_domain(pki_tomcat_script_t)
-+')
-+
-+########################################
-+#
-+# pki-tomcat local policy
-+#
-+
-+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
-+allow pki_tomcat_t self:process { signal setsched signull execmem };
-+
-+allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
-+allow pki_tomcat_t self:tcp_socket { accept listen };
-+
-+# allow writing to the kernel keyring
-+allow pki_tomcat_t self:key { write read };
-+
-+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
-+manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
-+
-+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
-+manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
-+
-+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
-+manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
-+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
-+files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
-+
-+read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
-+read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
-+allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
-+allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
-+systemd_search_unit_dirs(pki_tomcat_t)
-+
-+# allow java subsystems to talk to the ncipher hsm
-+allow pki_tomcat_t pki_common_dev_t:sock_file write;
-+allow pki_tomcat_t pki_common_dev_t:dir search;
-+allow pki_tomcat_t pki_common_t:dir create_dir_perms;
-+manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
-+can_exec(pki_tomcat_t, pki_common_t)
-+init_stream_connect_script(pki_tomcat_t)
-+
-+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
-+
-+kernel_read_kernel_sysctls(pki_tomcat_t)
-+
-+corenet_tcp_connect_http_cache_port(pki_tomcat_t)
-+corenet_tcp_connect_ldap_port(pki_tomcat_t)
-+corenet_tcp_connect_smtp_port(pki_tomcat_t)
-+corenet_tcp_connect_pki_ca_port(pki_tomcat_t)
-+corenet_tcp_connect_ldap_port(pki_tomcat_t)
-+
-+selinux_get_enforce_mode(pki_tomcat_t)
-+
-+logging_send_audit_msgs(pki_tomcat_t)
-+
-+miscfiles_read_hwdata(pki_tomcat_t)
-+
-+# is this really needed?
-+userdom_manage_user_tmp_dirs(pki_tomcat_t)
-+userdom_manage_user_tmp_files(pki_tomcat_t)
-+
-+# forward proxy
-+# need to define ports to fix this
-+#corenet_tcp_connect_pki_tomcat_port(httpd_t)
-+
-+# for crl publishing
-+allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
-+
-+# for ECC
-+auth_getattr_shadow(pki_tomcat_t)
-+
-+optional_policy(`
-+ consoletype_exec(pki_tomcat_t)
-+')
-+
-+optional_policy(`
-+ dirsrv_manage_var_lib(pki_tomcat_t)
-+')
-+
-+optional_policy(`
-+ hostname_exec(pki_tomcat_t)
-+')
-+
-+# install/ uninstall instance
-+# WHY? leak?
-+#allow load_policy_t pki_log_t:file write;
-+#allow setfiles_t pki_log_t:file write;
-+
-+#######################################
-+#
-+# tps local policy
-+#
-+
-+# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
-+allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
-+
-+corenet_tcp_bind_pki_tps_port(pki_tps_t)
-+# customer may run an ldap server on 389
-+corenet_tcp_connect_ldap_port(pki_tps_t)
-+# connect to other subsystems
-+corenet_tcp_connect_pki_ca_port(pki_tps_t)
-+corenet_tcp_connect_pki_kra_port(pki_tps_t)
-+corenet_tcp_connect_pki_tks_port(pki_tps_t)
-+
-+files_exec_usr_files(pki_tps_t)
-+files_read_usr_files(pki_tps_t)
-+
-+# why do I need to add this?
-+#allow httpd_t httpd_config_t:file execute;
-+
-+######################################
-+#
-+# ra local policy
-+#
-+
-+# RA specific? talking to mysql?
-+allow pki_ra_t self:udp_socket { write read create connect };
-+allow pki_ra_t self:unix_dgram_socket { write create connect };
-+
-+corenet_tcp_bind_pki_ra_port(pki_ra_t)
-+# talk to other subsystems
-+corenet_tcp_connect_pki_ca_port(pki_ra_t)
-+corenet_tcp_connect_smtp_port(pki_ra_t)
-+
-+fs_getattr_xattr_fs(pki_ra_t)
-+
-+files_search_spool(pki_ra_t)
-+files_exec_usr_files(pki_ra_t)
-+
-+optional_policy(`
-+ mta_send_mail(pki_ra_t)
-+ mta_manage_spool(pki_ra_t)
-+ mta_manage_queue(pki_ra_t)
-+ mta_read_config(pki_ra_t)
-+')
-+
-+#####################################
-+#
-+# pki_apache_domain local policy
-+#
-+
-+
-+allow pki_apache_domain self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
-+allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill};
-+
-+allow pki_apache_domain self:sem all_sem_perms;
-+allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
-+allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };
-+
-+# allow writing to the kernel keyring
-+allow pki_apache_domain self:key { write read };
-+
-+## internal communication is often done using fifo and unix sockets.
-+allow pki_apache_domain self:fifo_file rw_file_perms;
-+allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;
-+
-+# talk to the hsm
-+allow pki_apache_domain pki_common_dev_t:sock_file write;
-+allow pki_apache_domain pki_common_dev_t:dir search;
-+allow pki_apache_domain pki_common_t:dir create_dir_perms;
-+manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
-+can_exec(pki_apache_domain, pki_common_t)
-+init_stream_connect_script(pki_apache_domain)
-+
-+corenet_sendrecv_unlabeled_packets(pki_apache_domain)
-+corenet_tcp_bind_all_nodes(pki_apache_domain)
-+corenet_tcp_sendrecv_all_if(pki_apache_domain)
-+corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
-+corenet_tcp_sendrecv_all_ports(pki_apache_domain)
-+#corenet_all_recvfrom_unlabeled(pki_apache_domain)
-+corenet_tcp_connect_generic_port(pki_apache_domain)
-+
-+# Init script handling
-+domain_use_interactive_fds(pki_apache_domain)
-+
-+seutil_exec_setfiles(pki_apache_domain)
-+
-+init_dontaudit_write_utmp(pki_apache_domain)
-+
-+libs_use_ld_so(pki_apache_domain)
-+libs_use_shared_libs(pki_apache_domain)
-+libs_exec_ld_so(pki_apache_domain)
-+libs_exec_lib_files(pki_apache_domain)
-+
-+fs_search_cgroup_dirs(pki_apache_domain)
-+
-+corecmd_exec_bin(pki_apache_domain)
-+corecmd_exec_shell(pki_apache_domain)
-+
-+dev_read_urand(pki_apache_domain)
-+dev_read_rand(pki_apache_domain)
-+
-+# shutdown script uses ps
-+domain_dontaudit_read_all_domains_state(pki_apache_domain)
-+ps_process_pattern(pki_apache_domain, pki_apache_domain)
-+
-+sysnet_read_config(pki_apache_domain)
-+
-+ifdef(`targeted_policy',`
-+ term_dontaudit_use_unallocated_ttys(pki_apache_domain)
-+ term_dontaudit_use_generic_ptys(pki_apache_domain)
-+')
-+
-+optional_policy(`
-+ # apache permissions
-+ apache_exec_modules(pki_apache_domain)
-+ apache_list_modules(pki_apache_domain)
-+ apache_read_config(pki_apache_domain)
-+ apache_exec(pki_apache_domain)
-+ apache_entrypoint(pki_apache_domain)
-+
-+ # should be started using a script which will execute httpd
-+ # start up httpd in pki_apache_domain mode
-+ #can_exec(pki_apache_domain, httpd_config_t)
-+ #can_exec(pki_apache_domain, httpd_suexec_exec_t)
-+')
-+
-+# allow rpm -q in init scripts
-+optional_policy(`
-+ rpm_exec(pki_apache_domain)
-+')
-+
-diff --git a/plymouthd.fc b/plymouthd.fc
-index 5702ca4..ef1dd7a 100644
---- a/plymouthd.fc
-+++ b/plymouthd.fc
-@@ -2,6 +2,14 @@
-
- /sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
-
-+/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
-+
- /var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
-+
- /var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
-+/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
-+
-+/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
-+
- /var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
-+
-diff --git a/plymouthd.if b/plymouthd.if
-index 9759ed8..17c097d 100644
---- a/plymouthd.if
-+++ b/plymouthd.if
-@@ -120,7 +120,7 @@ interface(`plymouthd_search_spool', `
- ##
- ##
- #
--interface(`plymouthd_read_spool_files', `
-+interface(`plymouthd_read_spool_files',`
- gen_require(`
- type plymouthd_spool_t;
- ')
-@@ -228,20 +228,56 @@ interface(`plymouthd_read_pid_files', `
-
- ########################################
- ##
--## All of the rules required to administrate
--## an plymouthd environment
-+## Allow the specified domain to read
-+## to plymouthd log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`plymouthd_read_log',`
-+ gen_require(`
-+ type plymouthd_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to manage
-+## to plymouthd log files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`plymouthd_manage_log',`
-+ gen_require(`
-+ type plymouthd_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
-+ manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
-+ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an plymouthd environment
-+##
-+##
- ##
--## Role allowed access.
-+## Domain allowed access.
- ##
- ##
--##
- #
- interface(`plymouthd_admin', `
- gen_require(`
-@@ -249,12 +285,17 @@ interface(`plymouthd_admin', `
- type plymouthd_var_run_t;
- ')
-
-- allow $1 plymouthd_t:process { ptrace signal_perms getattr };
-- read_files_pattern($1, plymouthd_t, plymouthd_t)
-+ allow $1 plymouthd_t:process signal_perms;
-+ ps_process_pattern($1, plymouthd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 plymouthd_t:process ptrace;
-+ ')
-
-+ files_list_var_lib($1)
- admin_pattern($1, plymouthd_spool_t)
-
- admin_pattern($1, plymouthd_var_lib_t)
-
-+ files_list_pids($1)
- admin_pattern($1, plymouthd_var_run_t)
- ')
-diff --git a/plymouthd.te b/plymouthd.te
-index 86700ed..5772ef0 100644
---- a/plymouthd.te
-+++ b/plymouthd.te
-@@ -1,4 +1,4 @@
--policy_module(plymouthd, 1.1.0)
-+policy_module(plymouthd, 1.0.1)
-
- ########################################
- #
-@@ -8,17 +8,21 @@ policy_module(plymouthd, 1.1.0)
- type plymouth_t;
- type plymouth_exec_t;
- application_domain(plymouth_t, plymouth_exec_t)
-+role system_r types plymouth_t;
-
- type plymouthd_t;
- type plymouthd_exec_t;
- init_daemon_domain(plymouthd_t, plymouthd_exec_t)
-
- type plymouthd_spool_t;
--files_type(plymouthd_spool_t)
-+files_spool_file(plymouthd_spool_t)
-
- type plymouthd_var_lib_t;
- files_type(plymouthd_var_lib_t)
-
-+type plymouthd_var_log_t;
-+logging_log_file(plymouthd_var_log_t)
-+
- type plymouthd_var_run_t;
- files_pid_file(plymouthd_var_run_t)
-
-@@ -28,6 +32,7 @@ files_pid_file(plymouthd_var_run_t)
- #
-
- allow plymouthd_t self:capability { sys_admin sys_tty_config };
-+allow plymouthd_t self:capability2 block_suspend;
- dontaudit plymouthd_t self:capability dac_override;
- allow plymouthd_t self:process { signal getsched };
- allow plymouthd_t self:fifo_file rw_fifo_file_perms;
-@@ -42,6 +47,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
- manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
- files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
-
-+manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-+manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-+logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
-+
- manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
- manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
- files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
-@@ -57,13 +66,42 @@ dev_write_framebuffer(plymouthd_t)
-
- domain_use_interactive_fds(plymouthd_t)
-
-+fs_getattr_all_fs(plymouthd_t)
-+
- files_read_etc_files(plymouthd_t)
- files_read_usr_files(plymouthd_t)
-
--miscfiles_read_localization(plymouthd_t)
-+term_getattr_pty_fs(plymouthd_t)
-+term_use_all_terms(plymouthd_t)
-+term_use_ptmx(plymouthd_t)
-+
-+init_signal(plymouthd_t)
-+
-+logging_link_generic_logs(plymouthd_t)
-+logging_delete_generic_logs(plymouthd_t)
-+
-+auth_read_passwd(plymouthd_t)
-+
- miscfiles_read_fonts(plymouthd_t)
- miscfiles_manage_fonts_cache(plymouthd_t)
-
-+userdom_read_admin_home_files(plymouthd_t)
-+
-+term_use_unallocated_ttys(plymouthd_t)
-+
-+optional_policy(`
-+ gnome_read_config(plymouthd_t)
-+')
-+
-+optional_policy(`
-+ sssd_stream_connect(plymouthd_t)
-+')
-+
-+optional_policy(`
-+ xserver_xdm_manage_spool(plymouthd_t)
-+ xserver_read_state_xdm(plymouthd_t)
-+')
-+
- ########################################
- #
- # Plymouth private policy
-@@ -74,6 +112,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
- allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
-
- kernel_read_system_state(plymouth_t)
-+kernel_stream_connect(plymouth_t)
-
- domain_use_interactive_fds(plymouth_t)
-
-@@ -81,7 +120,6 @@ files_read_etc_files(plymouth_t)
-
- term_use_ptmx(plymouth_t)
-
--miscfiles_read_localization(plymouth_t)
-
- sysnet_read_config(plymouth_t)
-
-diff --git a/podsleuth.te b/podsleuth.te
-index 4cffb07..4170218 100644
---- a/podsleuth.te
-+++ b/podsleuth.te
-@@ -25,7 +25,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
- # podsleuth local policy
- #
- allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
--allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
-+allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
-+
- allow podsleuth_t self:fifo_file rw_file_perms;
- allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
- allow podsleuth_t self:sem create_sem_perms;
-@@ -66,7 +67,6 @@ fs_getattr_tmpfs(podsleuth_t)
- fs_list_tmpfs(podsleuth_t)
- fs_rw_removable_blk_files(podsleuth_t)
-
--miscfiles_read_localization(podsleuth_t)
-
- sysnet_dns_name_resolve(podsleuth_t)
-
-diff --git a/policykit.fc b/policykit.fc
-index 63d0061..4718a93 100644
---- a/policykit.fc
-+++ b/policykit.fc
-@@ -1,16 +1,20 @@
- /usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
--/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
-+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
- /usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
- /usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
--/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
-+/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
-
- /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
- /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
- /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
--/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
-+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
-+/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-+/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-+/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
-
- /var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
- /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
-+/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
- /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
- /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
-
-diff --git a/policykit.if b/policykit.if
-index 48ff1e8..be00a65 100644
---- a/policykit.if
-+++ b/policykit.if
-@@ -17,18 +17,43 @@ interface(`policykit_dbus_chat',`
- class dbus send_msg;
- ')
-
-+ ps_process_pattern(policykit_t, $1)
-+
- allow $1 policykit_t:dbus send_msg;
- allow policykit_t $1:dbus send_msg;
- ')
-
- ########################################
- ##
--## Execute a domain transition to run polkit_auth.
-+## Send and receive messages from
-+## policykit over dbus.
- ##
- ##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`policykit_dbus_chat_auth',`
-+ gen_require(`
-+ type policykit_auth_t;
-+ class dbus send_msg;
-+ ')
-+
-+ ps_process_pattern(policykit_auth_t, $1)
-+
-+ allow $1 policykit_auth_t:dbus send_msg;
-+ allow policykit_auth_t $1:dbus send_msg;
-+')
-+
-+########################################
- ##
--## Domain allowed to transition.
-+## Execute a domain transition to run polkit_auth.
- ##
-+##
-+##
-+## Domain allowed to transition.
-+##
- ##
- #
- interface(`policykit_domtrans_auth',`
-@@ -54,6 +79,7 @@ interface(`policykit_domtrans_auth',`
- ## Role allowed access.
- ##
- ##
-+##
- #
- interface(`policykit_run_auth',`
- gen_require(`
-@@ -62,6 +88,9 @@ interface(`policykit_run_auth',`
-
- policykit_domtrans_auth($1)
- role $2 types policykit_auth_t;
-+
-+ allow $1 policykit_auth_t:process signal;
-+ ps_process_pattern(policykit_auth_t, $1)
- ')
-
- ########################################
-@@ -69,9 +98,9 @@ interface(`policykit_run_auth',`
- ## Execute a domain transition to run polkit_grant.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`policykit_domtrans_grant',`
-@@ -155,9 +184,9 @@ interface(`policykit_rw_reload',`
- ## Execute a domain transition to run polkit_resolve.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`policykit_domtrans_resolve',`
-@@ -206,4 +235,50 @@ interface(`policykit_read_lib',`
-
- files_search_var_lib($1)
- read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
-+
-+ optional_policy(`
-+ # Broken placement
-+ cron_read_system_job_lib_files($1)
-+ ')
-+')
-+
-+#######################################
-+##
-+## The per role template for the policykit module.
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+template(`policykit_role',`
-+ policykit_run_auth($2, $1)
-+ policykit_run_grant($2, $1)
-+ policykit_read_lib($2)
-+ policykit_read_reload($2)
-+ policykit_dbus_chat($2)
-+')
-+
-+########################################
-+##
-+## Send generic signal to policy_auth
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`policykit_signal_auth',`
-+ gen_require(`
-+ type policykit_auth_t;
-+ ')
-+
-+ allow $1 policykit_auth_t:process signal;
- ')
-diff --git a/policykit.te b/policykit.te
-index 44db896..946bfb5 100644
---- a/policykit.te
-+++ b/policykit.te
-@@ -1,51 +1,67 @@
--policy_module(policykit, 1.2.0)
-+policy_module(policykit, 1.1.0)
-
- ########################################
- #
- # Declarations
- #
-
--type policykit_t alias polkit_t;
--type policykit_exec_t alias polkit_exec_t;
-+attribute policykit_domain;
-+
-+type policykit_t, policykit_domain;
-+type policykit_exec_t;
- init_daemon_domain(policykit_t, policykit_exec_t)
-
--type policykit_auth_t alias polkit_auth_t;
--type policykit_auth_exec_t alias polkit_auth_exec_t;
-+type policykit_auth_t, policykit_domain;
-+type policykit_auth_exec_t;
- init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
-
--type policykit_grant_t alias polkit_grant_t;
--type policykit_grant_exec_t alias polkit_grant_exec_t;
-+type policykit_grant_t, policykit_domain;
-+type policykit_grant_exec_t;
- init_system_domain(policykit_grant_t, policykit_grant_exec_t)
-
--type policykit_resolve_t alias polkit_resolve_t;
--type policykit_resolve_exec_t alias polkit_resolve_exec_t;
-+type policykit_resolve_t, policykit_domain;
-+type policykit_resolve_exec_t;
- init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
-
- type policykit_reload_t alias polkit_reload_t;
- files_type(policykit_reload_t)
-
-+type policykit_tmp_t;
-+files_tmp_file(policykit_tmp_t)
-+
- type policykit_var_lib_t alias polkit_var_lib_t;
- files_type(policykit_var_lib_t)
-
- type policykit_var_run_t alias polkit_var_run_t;
- files_pid_file(policykit_var_run_t)
-
-+#######################################
-+#
-+# policykit_domain local policy
-+#
-+
-+allow policykit_domain self:process { execmem getattr };
-+allow policykit_domain self:fifo_file rw_fifo_file_perms;
-+
-+dev_read_sysfs(policykit_domain)
-+
- ########################################
- #
- # policykit local policy
- #
-
--allow policykit_t self:capability { setgid setuid };
--allow policykit_t self:process getattr;
--allow policykit_t self:fifo_file rw_file_perms;
-+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
-+allow policykit_t self:process { getsched setsched signal };
- allow policykit_t self:unix_dgram_socket create_socket_perms;
--allow policykit_t self:unix_stream_socket create_stream_socket_perms;
-+allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
- policykit_domtrans_auth(policykit_t)
-
- can_exec(policykit_t, policykit_exec_t)
- corecmd_exec_bin(policykit_t)
-
-+dev_read_sysfs(policykit_t)
-+
- rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
-
- policykit_domtrans_resolve(policykit_t)
-@@ -56,56 +72,115 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
- manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
- files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
-
-+kernel_read_system_state(policykit_t)
- kernel_read_kernel_sysctls(policykit_t)
-
--files_read_etc_files(policykit_t)
-+domain_read_all_domains_state(policykit_t)
-+
- files_read_usr_files(policykit_t)
-+files_dontaudit_search_all_mountpoints(policykit_t)
-+
-+fs_list_inotifyfs(policykit_t)
-
- auth_use_nsswitch(policykit_t)
-
- logging_send_syslog_msg(policykit_t)
-
--miscfiles_read_localization(policykit_t)
--
-+userdom_getattr_all_users(policykit_t)
- userdom_read_all_users_state(policykit_t)
-+userdom_dontaudit_search_admin_dir(policykit_t)
-+
-+optional_policy(`
-+ dbus_system_domain(policykit_t, policykit_exec_t)
-+
-+ init_dbus_chat(policykit_t)
-+
-+ optional_policy(`
-+ consolekit_dbus_chat(policykit_t)
-+ ')
-+
-+ optional_policy(`
-+ rpm_dbus_chat(policykit_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ consolekit_list_pid_files(policykit_t)
-+ consolekit_read_pid_files(policykit_t)
-+')
-+
-+optional_policy(`
-+ kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0")
-+ kerberos_manage_host_rcache(policykit_t)
-+')
-+
-+optional_policy(`
-+ gnome_read_config(policykit_t)
-+')
-+
-+optional_policy(`
-+ systemd_read_logind_sessions_files(policykit_t)
-+ systemd_login_list_pid_dirs(policykit_t)
-+ systemd_login_read_pid_files(policykit_t)
-+')
-
- ########################################
- #
- # polkit_auth local policy
- #
-
--allow policykit_auth_t self:capability setgid;
--allow policykit_auth_t self:process getattr;
--allow policykit_auth_t self:fifo_file rw_file_perms;
-+allow policykit_auth_t self:capability { sys_nice ipc_lock setgid setuid };
-+dontaudit policykit_auth_t self:capability sys_tty_config;
-+allow policykit_auth_t self:process { setsched getsched signal };
-+
- allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
- allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
-
-+policykit_dbus_chat(policykit_auth_t)
-+
-+kernel_read_system_state(policykit_auth_t)
-+
- can_exec(policykit_auth_t, policykit_auth_exec_t)
--corecmd_search_bin(policykit_auth_t)
-+corecmd_exec_bin(policykit_auth_t)
-
- rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-
-+manage_dirs_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t)
-+manage_files_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t)
-+files_tmp_filetrans(policykit_auth_t, policykit_tmp_t, { file dir })
-+
- manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t)
-
- manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
- manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
- files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
-
--kernel_read_system_state(policykit_auth_t)
-+kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
-
--files_read_etc_files(policykit_auth_t)
-+dev_read_video_dev(policykit_auth_t)
-+
-+files_read_etc_runtime_files(policykit_auth_t)
- files_read_usr_files(policykit_auth_t)
-+files_search_home(policykit_auth_t)
-+
-+fs_getattr_all_fs(policykit_auth_t)
-+fs_search_tmpfs(policykit_auth_t)
-
-+auth_rw_var_auth(policykit_auth_t)
- auth_use_nsswitch(policykit_auth_t)
-+auth_domtrans_chk_passwd(policykit_auth_t)
-
- logging_send_syslog_msg(policykit_auth_t)
-
--miscfiles_read_localization(policykit_auth_t)
-+miscfiles_read_fonts(policykit_auth_t)
-+miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
-
- userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
-+userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
-+userdom_read_admin_home_files(policykit_auth_t)
-
- optional_policy(`
-- dbus_system_bus_client(policykit_auth_t)
-+ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
- dbus_session_bus_client(policykit_auth_t)
-
- optional_policy(`
-@@ -118,14 +193,26 @@ optional_policy(`
- hal_read_state(policykit_auth_t)
- ')
-
-+optional_policy(`
-+ kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0")
-+ kerberos_manage_host_rcache(policykit_auth_t)
-+')
-+
-+optional_policy(`
-+ xserver_stream_connect(policykit_auth_t)
-+ xserver_xdm_append_log(policykit_auth_t)
-+ xserver_read_xdm_pid(policykit_auth_t)
-+ xserver_search_xdm_lib(policykit_auth_t)
-+ xserver_create_xdm_tmp_sockets(policykit_auth_t)
-+')
-+
- ########################################
- #
- # polkit_grant local policy
- #
-
- allow policykit_grant_t self:capability setuid;
--allow policykit_grant_t self:process getattr;
--allow policykit_grant_t self:fifo_file rw_file_perms;
-+
- allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
- allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-
-@@ -142,22 +229,22 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
-
- manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
-
--files_read_etc_files(policykit_grant_t)
- files_read_usr_files(policykit_grant_t)
-
--auth_use_nsswitch(policykit_grant_t)
- auth_domtrans_chk_passwd(policykit_grant_t)
-+auth_use_nsswitch(policykit_grant_t)
-
- logging_send_syslog_msg(policykit_grant_t)
-
--miscfiles_read_localization(policykit_grant_t)
--
- userdom_read_all_users_state(policykit_grant_t)
-
- optional_policy(`
-- dbus_system_bus_client(policykit_grant_t)
-+ cron_manage_system_job_lib_files(policykit_grant_t)
-+')
-
- optional_policy(`
-+ dbus_system_bus_client(policykit_grant_t)
-+ optional_policy(`
- consolekit_dbus_chat(policykit_grant_t)
- ')
- ')
-@@ -167,9 +254,8 @@ optional_policy(`
- # polkit_resolve local policy
- #
-
--allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
--allow policykit_resolve_t self:process getattr;
--allow policykit_resolve_t self:fifo_file rw_file_perms;
-+allow policykit_resolve_t self:capability { setuid sys_nice };
-+
- allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
- allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-
-@@ -182,17 +268,12 @@ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t
- can_exec(policykit_resolve_t, policykit_resolve_exec_t)
- corecmd_search_bin(policykit_resolve_t)
-
--files_read_etc_files(policykit_resolve_t)
- files_read_usr_files(policykit_resolve_t)
-
--mcs_ptrace_all(policykit_resolve_t)
--
- auth_use_nsswitch(policykit_resolve_t)
-
- logging_send_syslog_msg(policykit_resolve_t)
-
--miscfiles_read_localization(policykit_resolve_t)
--
- userdom_read_all_users_state(policykit_resolve_t)
-
- optional_policy(`
-diff --git a/polipo.fc b/polipo.fc
-new file mode 100644
-index 0000000..11f77ee
---- /dev/null
-+++ b/polipo.fc
-@@ -0,0 +1,16 @@
-+HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0)
-+HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0)
-+
-+/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_etc_t,s0)
-+
-+/etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/polipo.* -- gen_context(system_u:object_r:polipo_unit_file_t,s0)
-+
-+/usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0)
-+
-+/var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0)
-+
-+/var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0)
-+
-+/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0)
-diff --git a/polipo.if b/polipo.if
-new file mode 100644
-index 0000000..d00f6ba
---- /dev/null
-+++ b/polipo.if
-@@ -0,0 +1,219 @@
-+## Caching web proxy.
-+
-+########################################
-+##
-+## Role access for polipo session.
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+template(`polipo_role',`
-+ gen_require(`
-+ type polipo_session_t, polipo_exec_t;
-+ ')
-+
-+ ########################################
-+ #
-+ # Declarations
-+ #
-+
-+ role $1 types polipo_session_t;
-+
-+ ########################################
-+ #
-+ # Policy
-+ #
-+
-+ allow $2 polipo_session_t:process signal_perms;
-+ ps_process_pattern($2, polipo_session_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 polipo_session_t:process ptrace;
-+ ')
-+
-+ tunable_policy(`polipo_session_users',`
-+ domtrans_pattern($2, polipo_exec_t, polipo_session_t)
-+ ',`
-+ can_exec($2, polipo_exec_t)
-+ ')
-+')
-+
-+########################################
-+##
-+## Create configuration files in user
-+## home directories with a named file
-+## type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`polipo_named_filetrans_config_home_files',`
-+ gen_require(`
-+ type polipo_config_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
-+')
-+
-+########################################
-+##
-+## Create cache directories in user
-+## home directories with a named file
-+## type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`polipo_named_filetrans_cache_home_dirs',`
-+ gen_require(`
-+ type polipo_cache_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
-+')
-+
-+########################################
-+##
-+## Create configuration files in admin
-+## home directories with a named file
-+## type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`polipo_named_filetrans_admin_config_home_files',`
-+ gen_require(`
-+ type polipo_config_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
-+')
-+
-+########################################
-+##
-+## Create cache directories in admin
-+## home directories with a named file
-+## type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`polipo_named_filetrans_admin_cache_home_dirs',`
-+ gen_require(`
-+ type polipo_cache_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
-+')
-+
-+########################################
-+##
-+## Create log files with a named file
-+## type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`polipo_named_filetrans_log_files',`
-+ gen_require(`
-+ type polipo_log_t;
-+ ')
-+
-+ logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
-+')
-+
-+########################################
-+##
-+## Execute polipo server in the polipo domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`polipo_systemctl',`
-+ gen_require(`
-+ type polipo_t;
-+ type polipo_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 polipo_unit_file_t:file read_file_perms;
-+ allow $1 polipo_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, polipo_t)
-+')
-+
-+########################################
-+##
-+## Administrate an polipo environment.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`polipo_admin',`
-+ gen_require(`
-+ type polipo_t, polipo_pid_t, polipo_cache_t;
-+ type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
-+ type polipo_unit_file_t;
-+ ')
-+
-+ allow $1 polipo_t:process signal_perms;
-+ ps_process_pattern($1, polipo_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 polipo_t:process ptrace;
-+ ')
-+
-+ init_labeled_script_domtrans($1, polipo_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 polipo_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_etc($1)
-+ admin_pattern($1, polipo_etc_t)
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, polipo_log_t)
-+
-+ files_list_var($1)
-+ admin_pattern($1, polipo_cache_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, polipo_pid_t)
-+
-+ polipo_systemctl($1)
-+ admin_pattern($1, polipo_unit_file_t)
-+ allow $1 polipo_unit_file_t:service all_service_perms;
-+')
-diff --git a/polipo.te b/polipo.te
-new file mode 100644
-index 0000000..a0b37ad
---- /dev/null
-+++ b/polipo.te
-@@ -0,0 +1,159 @@
-+policy_module(polipo, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+##
-+##
-+## Determine whether polipo can
-+## access cifs file systems.
-+##
-+##
-+gen_tunable(polipo_use_cifs, false)
-+
-+##
-+##
-+## Determine whether Polipo can
-+## access nfs file systems.
-+##
-+##
-+gen_tunable(polipo_use_nfs, false)
-+
-+##
-+##
-+## Determine whether Polipo session daemon
-+## can bind tcp sockets to all unreserved ports.
-+##
-+##
-+gen_tunable(polipo_session_bind_all_unreserved_ports, false)
-+
-+##
-+##
-+## Determine whether calling user domains
-+## can execute Polipo daemon in the
-+## polipo_session_t domain.
-+##
-+##
-+gen_tunable(polipo_session_users, false)
-+
-+##
-+##
-+## Allow polipo to connect to all ports > 1023
-+##
-+##
-+gen_tunable(polipo_connect_all_unreserved, false)
-+
-+attribute polipo_daemon;
-+
-+type polipo_t, polipo_daemon;
-+type polipo_exec_t;
-+init_daemon_domain(polipo_t, polipo_exec_t)
-+
-+type polipo_initrc_exec_t;
-+init_script_file(polipo_initrc_exec_t)
-+
-+type polipo_etc_t;
-+files_config_file(polipo_etc_t)
-+
-+type polipo_cache_t;
-+files_type(polipo_cache_t)
-+
-+type polipo_log_t;
-+logging_log_file(polipo_log_t)
-+
-+type polipo_pid_t;
-+files_pid_file(polipo_pid_t)
-+
-+type polipo_session_t, polipo_daemon;
-+application_domain(polipo_session_t, polipo_exec_t)
-+ubac_constrained(polipo_session_t)
-+
-+type polipo_config_home_t;
-+userdom_user_home_content(polipo_config_home_t)
-+
-+type polipo_cache_home_t;
-+userdom_user_home_content(polipo_cache_home_t)
-+
-+type polipo_unit_file_t;
-+systemd_unit_file(polipo_unit_file_t)
-+
-+########################################
-+#
-+# Global local policy
-+#
-+
-+allow polipo_daemon self:fifo_file rw_fifo_file_perms;
-+allow polipo_daemon self:tcp_socket { listen accept };
-+
-+corenet_tcp_bind_generic_node(polipo_daemon)
-+corenet_tcp_sendrecv_generic_if(polipo_daemon)
-+corenet_tcp_sendrecv_generic_node(polipo_daemon)
-+corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
-+corenet_tcp_bind_http_cache_port(polipo_daemon)
-+corenet_sendrecv_http_cache_server_packets(polipo_daemon)
-+corenet_tcp_connect_http_port(polipo_daemon)
-+
-+files_read_usr_files(polipo_daemon)
-+
-+fs_search_auto_mountpoints(polipo_daemon)
-+
-+
-+########################################
-+#
-+# Polipo local policy
-+#
-+
-+read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t)
-+
-+manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
-+manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
-+files_var_filetrans(polipo_t, polipo_cache_t, dir)
-+
-+manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
-+logging_log_filetrans(polipo_t, polipo_log_t, file)
-+
-+manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
-+files_pid_filetrans(polipo_t, polipo_pid_t, file)
-+
-+auth_use_nsswitch(polipo_t)
-+
-+logging_send_syslog_msg(polipo_t)
-+
-+optional_policy(`
-+ cron_system_entry(polipo_t, polipo_exec_t)
-+')
-+
-+tunable_policy(`polipo_connect_all_unreserved',`
-+ corenet_tcp_connect_all_unreserved_ports(polipo_t)
-+')
-+
-+tunable_policy(`polipo_use_cifs',`
-+ fs_manage_cifs_files(polipo_t)
-+')
-+
-+tunable_policy(`polipo_use_nfs',`
-+ fs_manage_nfs_files(polipo_t)
-+')
-+
-+########################################
-+#
-+# Polipo session local policy
-+#
-+
-+read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
-+manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-+
-+auth_use_nsswitch(polipo_session_t)
-+
-+userdom_use_user_terminals(polipo_session_t)
-+
-+tunable_policy(`polipo_session_bind_all_unreserved_ports',`
-+ corenet_tcp_sendrecv_all_ports(polipo_session_t)
-+ corenet_tcp_bind_all_unreserved_ports(polipo_session_t)
-+')
-+
-+logging_send_syslog_msg(polipo_session_t)
-+
-+userdom_home_manager(polipo_session_t)
-diff --git a/portage.fc b/portage.fc
-index d9b2a90..5b0e6f8 100644
---- a/portage.fc
-+++ b/portage.fc
-@@ -25,7 +25,7 @@
- /var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
- /var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
- /var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
--/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0)
-+/var/log/emerge-fetch.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
- /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
- /var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
- /var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
-diff --git a/portage.if b/portage.if
-index 08ac5af..9c4aa3c 100644
---- a/portage.if
-+++ b/portage.if
-@@ -43,11 +43,15 @@ interface(`portage_domtrans',`
- #
- interface(`portage_run',`
- gen_require(`
-- attribute_role portage_roles;
-+ type portage_t, portage_fetch_t, portage_sandbox_t;
-+ #attribute_role portage_roles;
- ')
-
-- portage_domtrans($1)
-- roleattribute $2 portage_roles;
-+ #portage_domtrans($1)
-+ #roleattribute $2 portage_roles;
-+ portage_domtrans($1)
-+ role $2 types { portage_t portage_fetch_t portage_sandbox_t };
-+
- ')
-
- ########################################
-@@ -139,7 +143,6 @@ interface(`portage_compile_domain',`
- # really shouldnt need this but some packages test
- # network access, such as during configure
- # also distcc--need to reinvestigate confining distcc client
-- corenet_all_recvfrom_unlabeled($1)
- corenet_all_recvfrom_netlabel($1)
- corenet_tcp_sendrecv_generic_if($1)
- corenet_udp_sendrecv_generic_if($1)
-diff --git a/portage.te b/portage.te
-index 630f16f..64fb1f5 100644
---- a/portage.te
-+++ b/portage.te
-@@ -12,7 +12,7 @@ policy_module(portage, 1.13.0)
- ##
- gen_tunable(portage_use_nfs, false)
-
--attribute_role portage_roles;
-+#attribute_role portage_roles;
-
- type gcc_config_t;
- type gcc_config_exec_t;
-@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t)
- domain_obj_id_change_exemption(portage_t)
- rsync_entry_type(portage_t)
- corecmd_shell_entry_type(portage_t)
--role portage_roles types portage_t;
-+#role portage_roles types portage_t;
-+role system_r types portage_t;
-
- # portage compile sandbox domain
- type portage_sandbox_t;
-@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t)
- # the shell is the entrypoint if regular sandbox is disabled
- # portage_exec_t is the entrypoint if regular sandbox is enabled
- corecmd_shell_entry_type(portage_sandbox_t)
--role portage_roles types portage_sandbox_t;
-+#role portage_roles types portage_sandbox_t;
-+role system_r types portage_sandbox_t;
-
- # portage package fetching domain
- type portage_fetch_t;
-@@ -41,7 +43,8 @@ type portage_fetch_exec_t;
- application_domain(portage_fetch_t, portage_fetch_exec_t)
- corecmd_shell_entry_type(portage_fetch_t)
- rsync_entry_type(portage_fetch_t)
--role portage_roles types portage_fetch_t;
-+#role portage_roles types portage_fetch_t;
-+role system_r types portage_fetch_t;
-
- type portage_devpts_t;
- term_pty(portage_devpts_t)
-@@ -56,7 +59,7 @@ type portage_db_t;
- files_type(portage_db_t)
-
- type portage_conf_t;
--files_type(portage_conf_t)
-+files_config_file(portage_conf_t)
-
- type portage_cache_t;
- files_type(portage_cache_t)
-@@ -115,18 +118,19 @@ files_list_all(gcc_config_t)
- init_dontaudit_read_script_status_files(gcc_config_t)
-
- libs_read_lib_files(gcc_config_t)
--libs_run_ldconfig(gcc_config_t, portage_roles)
-+#libs_run_ldconfig(gcc_config_t, portage_roles)
-+libs_domtrans_ldconfig(gcc_config_t)
- libs_manage_shared_libs(gcc_config_t)
- # gcc-config creates a temp dir for the libs
- libs_manage_lib_dirs(gcc_config_t)
-
- logging_send_syslog_msg(gcc_config_t)
-
--miscfiles_read_localization(gcc_config_t)
-+userdom_use_inherited_user_terminals(gcc_config_t)
-
--userdom_use_user_terminals(gcc_config_t)
--
--consoletype_exec(gcc_config_t)
-+optional_policy(`
-+ consoletype_exec(gcc_config_t)
-+')
-
- ifdef(`distro_gentoo',`
- init_exec_rc(gcc_config_t)
-@@ -198,33 +202,41 @@ auth_manage_shadow(portage_t)
- init_exec(portage_t)
-
- # run setfiles -r
--seutil_run_setfiles(portage_t, portage_roles)
-+#seutil_run_setfiles(portage_t, portage_roles)
- # run semodule
--seutil_run_semanage(portage_t, portage_roles)
-+#seutil_run_semanage(portage_t, portage_roles)
-
--portage_run_gcc_config(portage_t, portage_roles)
-+#portage_run_gcc_config(portage_t, portage_roles)
- # if sesandbox is disabled, compiling is performed in this domain
- portage_compile_domain(portage_t)
-
--optional_policy(`
-- bootloader_run(portage_t, portage_roles)
--')
-+#optional_policy(`
-+# bootloader_run(portage_t, portage_roles)
-+#')
-
- optional_policy(`
- cron_system_entry(portage_t, portage_exec_t)
- cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
- ')
-
--optional_policy(`
-- modutils_run_depmod(portage_t, portage_roles)
-- modutils_run_update_mods(portage_t, portage_roles)
-+#optional_policy(`
-+# modutils_run_depmod(portage_t, portage_roles)
-+# modutils_run_update_mods(portage_t, portage_roles)
- #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
- ')
-
--optional_policy(`
-- usermanage_run_groupadd(portage_t, portage_roles)
-- usermanage_run_useradd(portage_t, portage_roles)
--')
-+#optional_policy(`
-+# usermanage_run_groupadd(portage_t, portage_roles)
-+# usermanage_run_useradd(portage_t, portage_roles)
-+#')
-+
-+seutil_domtrans_setfiles(portage_t)
-+seutil_domtrans_semanage(portage_t)
-+bootloader_domtrans(portage_t)
-+modutils_domtrans_depmod(portage_t)
-+modutils_domtrans_update_mods(portage_t)
-+usermanage_domtrans_groupadd(portage_t)
-+usermanage_domtrans_useradd(portage_t)
-
- ifdef(`TODO',`
- # seems to work ok without these
-@@ -271,7 +283,6 @@ kernel_read_kernel_sysctls(portage_fetch_t)
- corecmd_exec_bin(portage_fetch_t)
- corecmd_exec_shell(portage_fetch_t)
-
--corenet_all_recvfrom_unlabeled(portage_fetch_t)
- corenet_all_recvfrom_netlabel(portage_fetch_t)
- corenet_tcp_sendrecv_generic_if(portage_fetch_t)
- corenet_tcp_sendrecv_generic_node(portage_fetch_t)
-@@ -303,16 +314,13 @@ logging_dontaudit_search_logs(portage_fetch_t)
-
- term_search_ptys(portage_fetch_t)
-
--miscfiles_read_localization(portage_fetch_t)
-
- sysnet_read_config(portage_fetch_t)
- sysnet_dns_name_resolve(portage_fetch_t)
-
--userdom_use_user_terminals(portage_fetch_t)
-+userdom_use_inherited_user_terminals(portage_fetch_t)
- userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
-
--rsync_exec(portage_fetch_t)
--
- ifdef(`hide_broken_symptoms',`
- dontaudit portage_fetch_t portage_cache_t:file read;
- ')
-@@ -328,6 +336,10 @@ optional_policy(`
- gpg_exec(portage_fetch_t)
- ')
-
-+optional_policy(`
-+ rsync_exec(portage_fetch_t)
-+')
-+
- ##########################################
- #
- # Portage sandbox domain
-diff --git a/portmap.fc b/portmap.fc
-index 3cdcd9f..2061efe 100644
---- a/portmap.fc
-+++ b/portmap.fc
-@@ -1,6 +1,8 @@
-
- /sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
-
-+/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
-+
- ifdef(`distro_debian',`
- /sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
- /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
-diff --git a/portmap.te b/portmap.te
-index c1db652..66590bd 100644
---- a/portmap.te
-+++ b/portmap.te
-@@ -43,7 +43,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file)
- kernel_read_system_state(portmap_t)
- kernel_read_kernel_sysctls(portmap_t)
-
--corenet_all_recvfrom_unlabeled(portmap_t)
- corenet_all_recvfrom_netlabel(portmap_t)
- corenet_tcp_sendrecv_generic_if(portmap_t)
- corenet_udp_sendrecv_generic_if(portmap_t)
-@@ -73,12 +72,10 @@ fs_search_auto_mountpoints(portmap_t)
-
- domain_use_interactive_fds(portmap_t)
-
--files_read_etc_files(portmap_t)
-+auth_use_nsswitch(portmap_t)
-
- logging_send_syslog_msg(portmap_t)
-
--miscfiles_read_localization(portmap_t)
--
- sysnet_read_config(portmap_t)
-
- userdom_dontaudit_use_unpriv_user_fds(portmap_t)
-@@ -113,7 +110,6 @@ allow portmap_helper_t self:udp_socket create_socket_perms;
- allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
- files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
-
--corenet_all_recvfrom_unlabeled(portmap_helper_t)
- corenet_all_recvfrom_netlabel(portmap_helper_t)
- corenet_tcp_sendrecv_generic_if(portmap_helper_t)
- corenet_udp_sendrecv_generic_if(portmap_helper_t)
-@@ -133,7 +129,6 @@ corenet_tcp_connect_all_ports(portmap_helper_t)
-
- domain_dontaudit_use_interactive_fds(portmap_helper_t)
-
--files_read_etc_files(portmap_helper_t)
- files_rw_generic_pids(portmap_helper_t)
-
- init_rw_utmp(portmap_helper_t)
-@@ -142,7 +137,7 @@ logging_send_syslog_msg(portmap_helper_t)
-
- sysnet_read_config(portmap_helper_t)
-
--userdom_use_user_terminals(portmap_helper_t)
-+userdom_use_inherited_user_terminals(portmap_helper_t)
- userdom_dontaudit_use_all_users_fds(portmap_helper_t)
-
- optional_policy(`
-diff --git a/portreserve.fc b/portreserve.fc
-index 4313a6f..cc334a3 100644
---- a/portreserve.fc
-+++ b/portreserve.fc
-@@ -1,7 +1,10 @@
--/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
-
--/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
-+
-+/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
-
- /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
-
-+/usr/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
-+
- /var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
-diff --git a/portreserve.if b/portreserve.if
-index 7719d16..d283895 100644
---- a/portreserve.if
-+++ b/portreserve.if
-@@ -104,8 +104,11 @@ interface(`portreserve_admin',`
- type portreserve_initrc_exec_t;
- ')
-
-- allow $1 portreserve_t:process { ptrace signal_perms };
-+ allow $1 portreserve_t:process signal_perms;
- ps_process_pattern($1, portreserve_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 portreserve_t:process ptrace;
-+ ')
-
- portreserve_initrc_domtrans($1)
- domain_system_change_exemption($1)
-diff --git a/portreserve.te b/portreserve.te
-index 152af92..d67fea5 100644
---- a/portreserve.te
-+++ b/portreserve.te
-@@ -13,7 +13,7 @@ type portreserve_initrc_exec_t;
- init_script_file(portreserve_initrc_exec_t)
-
- type portreserve_etc_t;
--files_type(portreserve_etc_t)
-+files_config_file(portreserve_etc_t)
-
- type portreserve_var_run_t;
- files_pid_file(portreserve_var_run_t)
-@@ -42,7 +42,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
-
- corecmd_getattr_bin_files(portreserve_t)
-
--corenet_all_recvfrom_unlabeled(portreserve_t)
- corenet_all_recvfrom_netlabel(portreserve_t)
- corenet_tcp_bind_generic_node(portreserve_t)
- corenet_udp_bind_generic_node(portreserve_t)
-diff --git a/portslave.te b/portslave.te
-index 69c331e..528f2d8 100644
---- a/portslave.te
-+++ b/portslave.te
-@@ -54,7 +54,6 @@ kernel_read_kernel_sysctls(portslave_t)
- corecmd_exec_bin(portslave_t)
- corecmd_exec_shell(portslave_t)
-
--corenet_all_recvfrom_unlabeled(portslave_t)
- corenet_all_recvfrom_netlabel(portslave_t)
- corenet_tcp_sendrecv_generic_if(portslave_t)
- corenet_udp_sendrecv_generic_if(portslave_t)
-@@ -79,7 +78,7 @@ fs_getattr_xattr_fs(portslave_t)
-
- term_use_unallocated_ttys(portslave_t)
- term_setattr_unallocated_ttys(portslave_t)
--term_use_all_ttys(portslave_t)
-+term_use_all_inherited_ttys(portslave_t)
- term_search_ptys(portslave_t)
-
- auth_rw_login_records(portslave_t)
-diff --git a/postfix.fc b/postfix.fc
-index 1ddfa16..c0e0959 100644
---- a/postfix.fc
-+++ b/postfix.fc
-@@ -1,5 +1,6 @@
- # postfix
--/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
-+/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
-+/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
- ifdef(`distro_redhat', `
- /usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
- /usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-@@ -22,16 +23,17 @@ ifdef(`distro_redhat', `
- /usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
- /usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
- /usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-+/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
- /usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
- /usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
- /usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
- /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
- /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
- /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
--/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
- ')
- /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
- /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
-+/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
- /usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
- /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
- /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -42,9 +44,11 @@ ifdef(`distro_redhat', `
- /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
- /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-
--/var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_data_t,s0)
-+/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
-
--/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
-+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
-+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-+/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
- /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
- /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
- /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
-diff --git a/postfix.if b/postfix.if
-index 46bee12..8ef270f 100644
---- a/postfix.if
-+++ b/postfix.if
-@@ -28,75 +28,23 @@ interface(`postfix_stub',`
- ##
- #
- template(`postfix_domain_template',`
-- type postfix_$1_t;
-+ gen_require(`
-+ attribute postfix_domain;
-+ ')
-+
-+ type postfix_$1_t, postfix_domain;
- type postfix_$1_exec_t;
- domain_type(postfix_$1_t)
- domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
- role system_r types postfix_$1_t;
-
-- dontaudit postfix_$1_t self:capability sys_tty_config;
-- allow postfix_$1_t self:process { signal_perms setpgid };
-- allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
-- allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
-- allow postfix_$1_t self:unix_stream_socket connectto;
--
-- allow postfix_master_t postfix_$1_t:process signal;
-- #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
-- allow postfix_$1_t postfix_master_t:file read;
--
-- allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
-- read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
-- read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
--
-- can_exec(postfix_$1_t, postfix_$1_exec_t)
--
-- allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl };
--
-- allow postfix_$1_t postfix_master_t:process sigchld;
--
-- allow postfix_$1_t postfix_spool_t:dir list_dir_perms;
--
-- allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
-- files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)
--
- kernel_read_system_state(postfix_$1_t)
-- kernel_read_network_state(postfix_$1_t)
-- kernel_read_all_sysctls(postfix_$1_t)
--
-- dev_read_sysfs(postfix_$1_t)
-- dev_read_rand(postfix_$1_t)
-- dev_read_urand(postfix_$1_t)
--
-- fs_search_auto_mountpoints(postfix_$1_t)
-- fs_getattr_xattr_fs(postfix_$1_t)
-- fs_rw_anon_inodefs_files(postfix_$1_t)
--
-- term_dontaudit_use_console(postfix_$1_t)
--
-- corecmd_exec_shell(postfix_$1_t)
--
-- files_read_etc_files(postfix_$1_t)
-- files_read_etc_runtime_files(postfix_$1_t)
-- files_read_usr_symlinks(postfix_$1_t)
-- files_search_spool(postfix_$1_t)
-- files_getattr_tmp_dirs(postfix_$1_t)
-- files_search_all_mountpoints(postfix_$1_t)
--
-- init_dontaudit_use_fds(postfix_$1_t)
-- init_sigchld(postfix_$1_t)
-
- auth_use_nsswitch(postfix_$1_t)
-
- logging_send_syslog_msg(postfix_$1_t)
-
-- miscfiles_read_localization(postfix_$1_t)
-- miscfiles_read_generic_certs(postfix_$1_t)
--
-- userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
--
-- optional_policy(`
-- udev_read_db(postfix_$1_t)
-- ')
-+ can_exec(postfix_$1_t, postfix_$1_exec_t)
- ')
-
- ########################################
-@@ -115,7 +63,7 @@ template(`postfix_server_domain_template',`
- type postfix_$1_tmp_t;
- files_tmp_file(postfix_$1_tmp_t)
-
-- allow postfix_$1_t self:capability { setuid setgid dac_override };
-+ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };
- allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
- allow postfix_$1_t self:tcp_socket create_socket_perms;
- allow postfix_$1_t self:udp_socket create_socket_perms;
-@@ -126,7 +74,6 @@ template(`postfix_server_domain_template',`
-
- domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
-
-- corenet_all_recvfrom_unlabeled(postfix_$1_t)
- corenet_all_recvfrom_netlabel(postfix_$1_t)
- corenet_tcp_sendrecv_generic_if(postfix_$1_t)
- corenet_udp_sendrecv_generic_if(postfix_$1_t)
-@@ -165,6 +112,8 @@ template(`postfix_user_domain_template',`
- domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
-
- domain_use_interactive_fds(postfix_$1_t)
-+
-+ application_domain(postfix_$1_t, postfix_$1_exec_t)
- ')
-
- ########################################
-@@ -208,6 +157,11 @@ interface(`postfix_read_config',`
- ## The object class of the object being created.
- ##
- ##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
- interface(`postfix_config_filetrans',`
- gen_require(`
-@@ -215,7 +169,7 @@ interface(`postfix_config_filetrans',`
- ')
-
- files_search_etc($1)
-- filetrans_pattern($1, postfix_etc_t, $2, $3)
-+ filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
- ')
-
- ########################################
-@@ -257,6 +211,25 @@ interface(`postfix_rw_local_pipes',`
- allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
- ')
-
-+#######################################
-+##
-+## Allow read/write postfix public pipes
-+## TCP sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`postfix_rw_public_pipes',`
-+ gen_require(`
-+ type postfix_public_t;
-+ ')
-+
-+ allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;
-+')
-+
- ########################################
- ##
- ## Allow domain to read postfix local process state
-@@ -272,7 +245,8 @@ interface(`postfix_read_local_state',`
- type postfix_local_t;
- ')
-
-- read_files_pattern($1, postfix_local_t, postfix_local_t)
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, postfix_local_t)
- ')
-
- ########################################
-@@ -290,7 +264,27 @@ interface(`postfix_read_master_state',`
- type postfix_master_t;
- ')
-
-- read_files_pattern($1, postfix_master_t, postfix_master_t)
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, postfix_master_t)
-+')
-+
-+########################################
-+##
-+## Use postfix master process file
-+## file descriptors.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`postfix_use_fds_master',`
-+ gen_require(`
-+ type postfix_master_t;
-+ ')
-+
-+ allow $1 postfix_master_t:fd use;
- ')
-
- ########################################
-@@ -376,6 +370,25 @@ interface(`postfix_domtrans_master',`
- domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
- ')
-
-+
-+########################################
-+##
-+## Execute the master postfix in the postfix master domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`postfix_initrc_domtrans',`
-+ gen_require(`
-+ type postfix_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, postfix_initrc_exec_t)
-+')
-+
- ########################################
- ##
- ## Execute the master postfix program in the
-@@ -404,7 +417,6 @@ interface(`postfix_exec_master',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`postfix_stream_connect_master',`
- gen_require(`
-@@ -416,6 +428,24 @@ interface(`postfix_stream_connect_master',`
-
- ########################################
- ##
-+## Allow read/write postfix master pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`postfix_rw_master_pipes',`
-+ gen_require(`
-+ type postfix_master_t;
-+ ')
-+
-+ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
- ## Execute the master postdrop in the
- ## postfix_postdrop domain.
- ##
-@@ -462,7 +492,7 @@ interface(`postfix_domtrans_postqueue',`
- ##
- ##
- #
--interface(`posftix_exec_postqueue',`
-+interface(`postfix_exec_postqueue',`
- gen_require(`
- type postfix_postqueue_exec_t;
- ')
-@@ -529,6 +559,25 @@ interface(`postfix_domtrans_smtp',`
-
- ########################################
- ##
-+## Getattr postfix mail spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`postfix_getattr_spool_files',`
-+ gen_require(`
-+ attribute postfix_spool_type;
-+ ')
-+
-+ files_search_spool($1)
-+ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
-+')
-+
-+########################################
-+##
- ## Search postfix mail spool directories.
- ##
- ##
-@@ -539,10 +588,10 @@ interface(`postfix_domtrans_smtp',`
- #
- interface(`postfix_search_spool',`
- gen_require(`
-- type postfix_spool_t;
-+ attribute postfix_spool_type;
- ')
-
-- allow $1 postfix_spool_t:dir search_dir_perms;
-+ allow $1 postfix_spool_type:dir search_dir_perms;
- files_search_spool($1)
- ')
-
-@@ -558,10 +607,10 @@ interface(`postfix_search_spool',`
- #
- interface(`postfix_list_spool',`
- gen_require(`
-- type postfix_spool_t;
-+ attribute postfix_spool_type;
- ')
-
-- allow $1 postfix_spool_t:dir list_dir_perms;
-+ allow $1 postfix_spool_type:dir list_dir_perms;
- files_search_spool($1)
- ')
-
-@@ -577,11 +626,11 @@ interface(`postfix_list_spool',`
- #
- interface(`postfix_read_spool_files',`
- gen_require(`
-- type postfix_spool_t;
-+ attribute postfix_spool_type;
- ')
-
- files_search_spool($1)
-- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
-+ read_files_pattern($1, postfix_spool_type, postfix_spool_type)
- ')
-
- ########################################
-@@ -596,11 +645,31 @@ interface(`postfix_read_spool_files',`
- #
- interface(`postfix_manage_spool_files',`
- gen_require(`
-- type postfix_spool_t;
-+ attribute postfix_spool_type;
- ')
-
- files_search_spool($1)
-- manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
-+ manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
-+')
-+
-+#######################################
-+##
-+## Create, read, write, and delete postfix maildrop spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`postfix_manage_spool_maildrop_files',`
-+ gen_require(`
-+ type postfix_spool_maildrop_t;
-+ ')
-+
-+ files_search_spool($1)
-+ manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+ manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
- ')
-
- ########################################
-@@ -621,3 +690,155 @@ interface(`postfix_domtrans_user_mail_handler',`
-
- typeattribute $1 postfix_user_domtrans;
- ')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an postfix environment.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`postfix_admin',`
-+ gen_require(`
-+ attribute postfix_spool_type;
-+ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
-+ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
-+ type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
-+ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
-+ type postfix_smtpd_t, postfix_var_run_t;
-+ ')
-+
-+ allow $1 postfix_bounce_t:process signal_perms;
-+ ps_process_pattern($1, postfix_bounce_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 postfix_bounce_t:process ptrace;
-+ ')
-+
-+ allow $1 postfix_cleanup_t:process signal_perms;
-+ ps_process_pattern($1, postfix_cleanup_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 postfix_cleanup_t:process ptrace;
-+ allow $1 postfix_local_t:process ptrace;
-+ allow $1 postfix_master_t:process ptrace;
-+ allow $1 postfix_pickup_t:process ptrace;
-+ allow $1 postfix_qmgr_t:process ptrace;
-+ allow $1 postfix_smtpd_t:process ptrace;
-+ ')
-+
-+ allow $1 postfix_local_t:process signal_perms;
-+ ps_process_pattern($1, postfix_local_t)
-+
-+ allow $1 postfix_master_t:process signal_perms;
-+ ps_process_pattern($1, postfix_master_t)
-+
-+ allow $1 postfix_pickup_t:process signal_perms;
-+ ps_process_pattern($1, postfix_pickup_t)
-+
-+ allow $1 postfix_qmgr_t:process signal_perms;
-+ ps_process_pattern($1, postfix_qmgr_t)
-+
-+ allow $1 postfix_smtpd_t:process signal_perms;
-+ ps_process_pattern($1, postfix_smtpd_t)
-+
-+ postfix_run_map($1, $2)
-+ postfix_run_postdrop($1, $2)
-+
-+ postfix_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 postfix_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ admin_pattern($1, postfix_data_t)
-+
-+ files_list_etc($1)
-+ admin_pattern($1, postfix_etc_t)
-+
-+ files_list_spool($1)
-+ admin_pattern($1, postfix_spool_type)
-+
-+ admin_pattern($1, postfix_var_run_t)
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, postfix_map_tmp_t)
-+
-+ admin_pattern($1, postfix_prng_t)
-+
-+ admin_pattern($1, postfix_public_t)
-+
-+ postfix_filetrans_named_content($1)
-+')
-+
-+########################################
-+##
-+## Execute the master postdrop in the
-+## postfix_postdrop domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The role to be allowed the iptables domain.
-+##
-+##
-+##
-+#
-+interface(`postfix_run_postdrop',`
-+ gen_require(`
-+ type postfix_postdrop_t;
-+ ')
-+
-+ postfix_domtrans_postdrop($1)
-+ role $2 types postfix_postdrop_t;
-+ allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };
-+')
-+
-+########################################
-+##
-+## Execute postfix exec in the users domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`postfix_exec',`
-+ gen_require(`
-+ type postfix_exec_t;
-+ ')
-+
-+ can_exec($1, postfix_exec_t)
-+')
-+
-+########################################
-+##
-+## Transition to postfix named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`postfix_filetrans_named_content',`
-+ gen_require(`
-+ type postfix_exec_t;
-+ type postfix_prng_t;
-+ ')
-+
-+ postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script")
-+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
-+')
-diff --git a/postfix.te b/postfix.te
-index a1e0f60..85b12af 100644
---- a/postfix.te
-+++ b/postfix.te
-@@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
- # Declarations
- #
-
-+##
-+##
-+## Allow postfix_local domain full write access to mail_spool directories
-+##
-+##
-+gen_tunable(postfix_local_write_mail_spool, true)
-+
-+attribute postfix_domain;
-+attribute postfix_spool_type;
- attribute postfix_user_domains;
- # domains that transition to the
- # postfix user domains
-@@ -12,8 +21,8 @@ attribute postfix_user_domtrans;
-
- postfix_server_domain_template(bounce)
-
--type postfix_spool_bounce_t;
--files_type(postfix_spool_bounce_t)
-+type postfix_spool_bounce_t, postfix_spool_type;
-+files_spool_file(postfix_spool_bounce_t)
-
- postfix_server_domain_template(cleanup)
-
-@@ -41,6 +50,9 @@ typealias postfix_master_t alias postfix_t;
- # generation macro work
- mta_mailserver(postfix_t, postfix_master_exec_t)
-
-+type postfix_initrc_exec_t;
-+init_script_file(postfix_initrc_exec_t)
-+
- postfix_server_domain_template(pickup)
-
- postfix_server_domain_template(pipe)
-@@ -49,6 +61,7 @@ postfix_user_domain_template(postdrop)
- mta_mailserver_user_agent(postfix_postdrop_t)
-
- postfix_user_domain_template(postqueue)
-+mta_mailserver_user_agent(postfix_postqueue_t)
-
- type postfix_private_t;
- files_type(postfix_private_t)
-@@ -65,14 +78,14 @@ mta_mailserver_sender(postfix_smtp_t)
-
- postfix_server_domain_template(smtpd)
-
--type postfix_spool_t;
--files_type(postfix_spool_t)
-+type postfix_spool_t, postfix_spool_type;
-+files_spool_file(postfix_spool_t)
-
--type postfix_spool_maildrop_t;
--files_type(postfix_spool_maildrop_t)
-+type postfix_spool_maildrop_t, postfix_spool_type;
-+files_spool_file(postfix_spool_maildrop_t)
-
--type postfix_spool_flush_t;
--files_type(postfix_spool_flush_t)
-+type postfix_spool_flush_t, postfix_spool_type;
-+files_spool_file(postfix_spool_flush_t)
-
- type postfix_public_t;
- files_type(postfix_public_t)
-@@ -94,23 +107,26 @@ mta_mailserver_delivery(postfix_virtual_t)
-
- # chown is to set the correct ownership of queue dirs
- allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
--allow postfix_master_t self:fifo_file rw_fifo_file_perms;
-+allow postfix_master_t self:capability2 block_suspend;
-+
-+allow postfix_master_t self:process setrlimit;
- allow postfix_master_t self:tcp_socket create_stream_socket_perms;
- allow postfix_master_t self:udp_socket create_socket_perms;
--allow postfix_master_t self:process setrlimit;
-
-+allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
- allow postfix_master_t postfix_etc_t:file rw_file_perms;
-+mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
-
- can_exec(postfix_master_t, postfix_exec_t)
-
- allow postfix_master_t postfix_data_t:dir manage_dir_perms;
- allow postfix_master_t postfix_data_t:file manage_file_perms;
-
--allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
-+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
-
--allow postfix_master_t postfix_postdrop_exec_t:file getattr;
-+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-
--allow postfix_master_t postfix_postqueue_exec_t:file getattr;
-+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
-
- manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
- manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-@@ -130,7 +146,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
- files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
-
- allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
--allow postfix_master_t postfix_spool_bounce_t:file getattr;
-+allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
-
- manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
- manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-@@ -138,11 +154,11 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_
-
- delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
- rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
- setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-
- kernel_read_all_sysctls(postfix_master_t)
-
--corenet_all_recvfrom_unlabeled(postfix_master_t)
- corenet_all_recvfrom_netlabel(postfix_master_t)
- corenet_tcp_sendrecv_generic_if(postfix_master_t)
- corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -150,6 +166,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
- corenet_udp_sendrecv_generic_node(postfix_master_t)
- corenet_tcp_sendrecv_all_ports(postfix_master_t)
- corenet_udp_sendrecv_all_ports(postfix_master_t)
-+corenet_udp_bind_generic_node(postfix_master_t)
-+corenet_udp_bind_all_unreserved_ports(postfix_master_t)
-+corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
- corenet_tcp_bind_generic_node(postfix_master_t)
- corenet_tcp_bind_amavisd_send_port(postfix_master_t)
- corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -157,6 +176,8 @@ corenet_tcp_connect_all_ports(postfix_master_t)
- corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
- corenet_sendrecv_smtp_server_packets(postfix_master_t)
- corenet_sendrecv_all_client_packets(postfix_master_t)
-+# for spampd
-+corenet_tcp_bind_spamd_port(postfix_master_t)
-
- # for a find command
- selinux_dontaudit_search_fs(postfix_master_t)
-@@ -167,14 +188,14 @@ corecmd_exec_bin(postfix_master_t)
- domain_use_interactive_fds(postfix_master_t)
-
- files_read_usr_files(postfix_master_t)
-+files_search_var_lib(postfix_master_t)
-+files_search_tmp(postfix_master_t)
-
--term_dontaudit_search_ptys(postfix_master_t)
-+mcs_file_read_all(postfix_master_t)
-
--miscfiles_read_man_pages(postfix_master_t)
-+term_dontaudit_search_ptys(postfix_master_t)
-
- seutil_sigchld_newrole(postfix_master_t)
--# postfix does a "find" on startup for some reason - keep it quiet
--seutil_dontaudit_search_config(postfix_master_t)
-
- mta_rw_aliases(postfix_master_t)
- mta_read_sendmail_bin(postfix_master_t)
-@@ -195,7 +216,7 @@ optional_policy(`
- ')
-
- optional_policy(`
--# for postalias
-+# for postalias
- mailman_manage_data_files(postfix_master_t)
- ')
-
-@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
- allow postfix_bounce_t self:tcp_socket create_socket_perms;
-
- allow postfix_bounce_t postfix_public_t:sock_file write;
--allow postfix_bounce_t postfix_public_t:dir search;
-+allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
-
- manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
- manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
- manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
- files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
-
-+manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-+
- manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
- manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
- manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -237,22 +262,31 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
- #
-
- allow postfix_cleanup_t self:process setrlimit;
-+allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
-
- # connect to master process
- stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-
- rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
- write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
-+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
-
- manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
- manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
- manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
- files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
-
-+allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
-+allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
-+allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-+
- allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
-
- corecmd_exec_bin(postfix_cleanup_t)
-
-+# allow postfix to connect to sqlgrey
-+corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)
-+
- mta_read_aliases(postfix_cleanup_t)
-
- optional_policy(`
-@@ -264,7 +298,6 @@ optional_policy(`
- # Postfix local local policy
- #
-
--allow postfix_local_t self:fifo_file rw_fifo_file_perms;
- allow postfix_local_t self:process { setsched setrlimit };
-
- # connect to master process
-@@ -272,28 +305,51 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
-
- # for .forward - maybe we need a new type for it?
- rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
-+rw_files_pattern(postfix_local_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+
-+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
-
- allow postfix_local_t postfix_spool_t:file rw_file_perms;
-
- corecmd_exec_shell(postfix_local_t)
- corecmd_exec_bin(postfix_local_t)
-
--files_read_etc_files(postfix_local_t)
--
- logging_dontaudit_search_logs(postfix_local_t)
-
- mta_read_aliases(postfix_local_t)
- mta_delete_spool(postfix_local_t)
- # For reading spamassasin
- mta_read_config(postfix_local_t)
-+# Handle vacation script
-+mta_send_mail(postfix_local_t)
-
--domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
--# Might be a leak, but I need a postfix expert to explain
--allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
-+userdom_read_user_home_content_files(postfix_local_t)
-+userdom_exec_user_bin_files(postfix_local_t)
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_exec_nfs_files(postfix_local_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_exec_cifs_files(postfix_local_t)
-+')
-+
-+tunable_policy(`postfix_local_write_mail_spool',`
-+ mta_manage_spool(postfix_local_t)
-+')
-
- optional_policy(`
- clamav_search_lib(postfix_local_t)
- clamav_exec_clamscan(postfix_local_t)
-+ clamav_stream_connect(postfix_domain)
-+')
-+
-+optional_policy(`
-+ dovecot_domtrans_deliver(postfix_local_t)
-+')
-+
-+optional_policy(`
-+ dspam_domtrans(postfix_local_t)
- ')
-
- optional_policy(`
-@@ -304,9 +360,26 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ nagios_search_spool(postfix_local_t)
-+')
-+
-+optional_policy(`
-+ openshift_search_lib(postfix_local_t)
-+')
-+
-+optional_policy(`
- procmail_domtrans(postfix_local_t)
- ')
-
-+optional_policy(`
-+ sendmail_rw_pipes(postfix_local_t)
-+')
-+
-+optional_policy(`
-+ zarafa_domtrans_deliver(postfix_local_t)
-+ zarafa_stream_connect_server(postfix_local_t)
-+')
-+
- ########################################
- #
- # Postfix map local policy
-@@ -329,7 +402,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
- kernel_dontaudit_list_proc(postfix_map_t)
- kernel_dontaudit_read_system_state(postfix_map_t)
-
--corenet_all_recvfrom_unlabeled(postfix_map_t)
- corenet_all_recvfrom_netlabel(postfix_map_t)
- corenet_tcp_sendrecv_generic_if(postfix_map_t)
- corenet_udp_sendrecv_generic_if(postfix_map_t)
-@@ -348,7 +420,6 @@ corecmd_read_bin_sockets(postfix_map_t)
-
- files_list_home(postfix_map_t)
- files_read_usr_files(postfix_map_t)
--files_read_etc_files(postfix_map_t)
- files_read_etc_runtime_files(postfix_map_t)
- files_dontaudit_search_var(postfix_map_t)
-
-@@ -356,8 +427,6 @@ auth_use_nsswitch(postfix_map_t)
-
- logging_send_syslog_msg(postfix_map_t)
-
--miscfiles_read_localization(postfix_map_t)
--
- optional_policy(`
- locallogin_dontaudit_use_fds(postfix_map_t)
- ')
-@@ -379,18 +448,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
- rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
- rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-
-+allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
-+read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
-+delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
-+
- postfix_list_spool(postfix_pickup_t)
-
- allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
- read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
- delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-
-+mcs_file_read_all(postfix_pickup_t)
-+mcs_file_write_all(postfix_pickup_t)
-+
- ########################################
- #
- # Postfix pipe local policy
- #
-
--allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
- allow postfix_pipe_t self:process setrlimit;
-
- write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +476,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
-
- domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
-
-+corecmd_exec_bin(postfix_pipe_t)
-+
- optional_policy(`
- dovecot_domtrans_deliver(postfix_pipe_t)
- ')
-@@ -420,6 +497,7 @@ optional_policy(`
-
- optional_policy(`
- spamassassin_domtrans_client(postfix_pipe_t)
-+ spamassassin_kill_client(postfix_pipe_t)
- ')
-
- optional_policy(`
-@@ -436,11 +514,17 @@ allow postfix_postdrop_t self:capability sys_resource;
- allow postfix_postdrop_t self:tcp_socket create;
- allow postfix_postdrop_t self:udp_socket create_socket_perms;
-
-+# Might be a leak, but I need a postfix expert to explain
-+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
-+
- rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
-
- postfix_list_spool(postfix_postdrop_t)
- manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-
-+mcs_file_read_all(postfix_postdrop_t)
-+mcs_file_write_all(postfix_postdrop_t)
-+
- corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
- corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-
-@@ -487,8 +571,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
- domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
-
- # to write the mailq output, it really should not need read access!
--term_use_all_ptys(postfix_postqueue_t)
--term_use_all_ttys(postfix_postqueue_t)
-+term_use_all_inherited_ptys(postfix_postqueue_t)
-+term_use_all_inherited_ttys(postfix_postqueue_t)
-
- init_sigchld_script(postfix_postqueue_t)
- init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +603,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
-
- allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
- allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
--allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
-+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
-+
-+manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-
- corecmd_exec_bin(postfix_qmgr_t)
-
-@@ -539,7 +627,9 @@ postfix_list_spool(postfix_showq_t)
-
- allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
- allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
--allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
-+allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-+
-+mcs_file_read_all(postfix_showq_t)
-
- # to write the mailq output, it really should not need read access!
- term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +648,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
-
- allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
-
-+rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+
-+# for spampd
-+corenet_tcp_connect_spamd_port(postfix_master_t)
-+corenet_tcp_bind_spamd_port(postfix_master_t)
-+
- files_search_all_mountpoints(postfix_smtp_t)
-
- optional_policy(`
-@@ -565,6 +661,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dovecot_stream_connect(postfix_smtp_t)
-+')
-+
-+optional_policy(`
-+ dspam_stream_connect(postfix_smtp_t)
-+')
-+
-+optional_policy(`
- milter_stream_connect_all(postfix_smtp_t)
- ')
-
-@@ -581,17 +685,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
- corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
-
- # for prng_exch
--allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
-+manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
-+manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
-+manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
- allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-
- corecmd_exec_bin(postfix_smtpd_t)
-
- # for OpenSSL certificates
- files_read_usr_files(postfix_smtpd_t)
-+
-+# postfix checks the size of all mounted file systems
-+fs_getattr_all_dirs(postfix_smtpd_t)
-+fs_getattr_all_fs(postfix_smtpd_t)
-+
- mta_read_aliases(postfix_smtpd_t)
-
- optional_policy(`
- dovecot_stream_connect_auth(postfix_smtpd_t)
-+ dovecot_stream_connect(postfix_smtpd_t)
- ')
-
- optional_policy(`
-@@ -599,6 +711,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ milter_stream_connect_all(postfix_smtpd_t)
-+ spamassassin_read_pid_files(postfix_smtpd_t)
-+')
-+
-+optional_policy(`
- postgrey_stream_connect(postfix_smtpd_t)
- ')
-
-@@ -611,7 +728,6 @@ optional_policy(`
- # Postfix virtual local policy
- #
-
--allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
- allow postfix_virtual_t self:process { setsched setrlimit };
-
- allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -622,7 +738,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
- corecmd_exec_shell(postfix_virtual_t)
- corecmd_exec_bin(postfix_virtual_t)
-
--files_read_etc_files(postfix_virtual_t)
- files_read_usr_files(postfix_virtual_t)
-
- mta_read_aliases(postfix_virtual_t)
-@@ -630,3 +745,76 @@ mta_delete_spool(postfix_virtual_t)
- # For reading spamassasin
- mta_read_config(postfix_virtual_t)
- mta_manage_spool(postfix_virtual_t)
-+
-+userdom_manage_user_home_dirs(postfix_virtual_t)
-+userdom_manage_user_home_content(postfix_virtual_t)
-+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
-+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
-+
-+########################################
-+#
-+# postfix_domain common policy
-+#
-+allow postfix_domain self:capability { sys_nice sys_chroot };
-+dontaudit postfix_domain self:capability sys_tty_config;
-+allow postfix_domain self:process { signal_perms setpgid setsched };
-+allow postfix_domain self:unix_dgram_socket create_socket_perms;
-+allow postfix_domain self:unix_stream_socket create_stream_socket_perms;
-+allow postfix_domain self:unix_stream_socket connectto;
-+allow postfix_domain self:fifo_file rw_fifo_file_perms;
-+
-+allow postfix_master_t postfix_domain:fifo_file { read write };
-+allow postfix_master_t postfix_domain:process signal;
-+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
-+allow postfix_domain postfix_master_t:file read;
-+allow postfix_domain postfix_etc_t:dir list_dir_perms;
-+read_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
-+read_lnk_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
-+
-+allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
-+
-+allow postfix_domain postfix_master_t:process sigchld;
-+
-+allow postfix_domain postfix_spool_t:dir list_dir_perms;
-+
-+allow postfix_domain postfix_var_run_t:file manage_file_perms;
-+files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
-+
-+kernel_read_network_state(postfix_domain)
-+kernel_read_all_sysctls(postfix_domain)
-+
-+dev_read_sysfs(postfix_domain)
-+dev_read_rand(postfix_domain)
-+dev_read_urand(postfix_domain)
-+
-+fs_search_auto_mountpoints(postfix_domain)
-+fs_getattr_xattr_fs(postfix_domain)
-+fs_rw_anon_inodefs_files(postfix_domain)
-+
-+term_dontaudit_use_console(postfix_domain)
-+
-+corecmd_exec_shell(postfix_domain)
-+
-+files_read_etc_runtime_files(postfix_domain)
-+files_read_usr_files(postfix_domain)
-+files_read_usr_symlinks(postfix_domain)
-+files_search_spool(postfix_domain)
-+files_getattr_tmp_dirs(postfix_domain)
-+files_search_all_mountpoints(postfix_domain)
-+
-+init_dontaudit_use_fds(postfix_domain)
-+init_sigchld(postfix_domain)
-+init_dontaudit_rw_stream_socket(postfix_domain)
-+
-+miscfiles_read_generic_certs(postfix_domain)
-+
-+userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
-+
-+optional_policy(`
-+ spamd_stream_connect(postfix_domain)
-+ spamassassin_domtrans_client(postfix_domain)
-+')
-+
-+optional_policy(`
-+ udev_read_db(postfix_domain)
-+')
-diff --git a/postfixpolicyd.if b/postfixpolicyd.if
-index feae93b..b2af729 100644
---- a/postfixpolicyd.if
-+++ b/postfixpolicyd.if
-@@ -20,12 +20,14 @@
- interface(`postfixpolicyd_admin',`
- gen_require(`
- type postfix_policyd_t, postfix_policyd_conf_t;
-- type postfix_policyd_var_run_t;
-- type postfix_policyd_initrc_exec_t;
-+ type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
- ')
-
-- allow $1 postfix_policyd_t:process { ptrace signal_perms };
-+ allow $1 postfix_policyd_t:process signal_perms;
- ps_process_pattern($1, postfix_policyd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 postfix_policyd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/postfixpolicyd.te b/postfixpolicyd.te
-index 7257526..e69e0d4 100644
---- a/postfixpolicyd.te
-+++ b/postfixpolicyd.te
-@@ -23,19 +23,18 @@ files_pid_file(postfix_policyd_var_run_t)
- # Local Policy
- #
-
--allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
- allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
- allow postfix_policyd_t self:process setrlimit;
--allow postfix_policyd_t self:unix_dgram_socket { connect create write};
-+allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
-+allow postfix_policyd_t self:unix_dgram_socket create_socket_perms;
-
- allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
- allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
--allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
-+allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
-
- manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
- files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
-
--corenet_all_recvfrom_unlabeled(postfix_policyd_t)
- corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
- corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
- corenet_tcp_sendrecv_all_ports(postfix_policyd_t)
-@@ -48,6 +47,4 @@ files_read_usr_files(postfix_policyd_t)
-
- logging_send_syslog_msg(postfix_policyd_t)
-
--miscfiles_read_localization(postfix_policyd_t)
--
- sysnet_dns_name_resolve(postfix_policyd_t)
-diff --git a/postgrey.if b/postgrey.if
-index ad15fde..12202e1 100644
---- a/postgrey.if
-+++ b/postgrey.if
-@@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',`
- type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
- ')
-
-- stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
-- stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
-+ stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
- files_search_pids($1)
-+ files_search_spool($1)
- ')
-
- ########################################
-@@ -35,6 +35,7 @@ interface(`postgrey_search_spool',`
- type postgrey_spool_t;
- ')
-
-+ files_search_spool($1)
- allow $1 postgrey_spool_t:dir search_dir_perms;
- ')
-
-@@ -57,13 +58,15 @@ interface(`postgrey_search_spool',`
- #
- interface(`postgrey_admin',`
- gen_require(`
-- type postgrey_t, postgrey_etc_t;
-+ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
- type postgrey_var_lib_t, postgrey_var_run_t;
-- type postgrey_initrc_exec_t;
- ')
-
-- allow $1 postgrey_t:process { ptrace signal_perms };
-+ allow $1 postgrey_t:process signal_perms;
- ps_process_pattern($1, postgrey_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 postgrey_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/postgrey.te b/postgrey.te
-index db843e2..570cf36 100644
---- a/postgrey.te
-+++ b/postgrey.te
-@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
- init_script_file(postgrey_initrc_exec_t)
-
- type postgrey_spool_t;
--files_type(postgrey_spool_t)
-+files_spool_file(postgrey_spool_t)
-
- type postgrey_var_lib_t;
- files_type(postgrey_var_lib_t)
-@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(postgrey_t)
- # for perl
- corecmd_search_bin(postgrey_t)
-
--corenet_all_recvfrom_unlabeled(postgrey_t)
- corenet_all_recvfrom_netlabel(postgrey_t)
- corenet_tcp_sendrecv_generic_if(postgrey_t)
- corenet_tcp_sendrecv_generic_node(postgrey_t)
-@@ -80,9 +79,9 @@ files_getattr_tmp_dirs(postgrey_t)
- fs_getattr_all_fs(postgrey_t)
- fs_search_auto_mountpoints(postgrey_t)
-
--logging_send_syslog_msg(postgrey_t)
-+auth_read_passwd(postgrey_t)
-
--miscfiles_read_localization(postgrey_t)
-+logging_send_syslog_msg(postgrey_t)
-
- sysnet_read_config(postgrey_t)
-
-diff --git a/ppp.fc b/ppp.fc
-index 2d82c6d..ff2c96a 100644
---- a/ppp.fc
-+++ b/ppp.fc
-@@ -11,19 +11,24 @@
- # Fix /etc/ppp {up,down} family scripts (see man pppd)
- /etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+
- /root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
-
- #
- # /sbin
- #
--/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
-+/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
-+/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
-
- #
- # /usr
- #
-+/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
-+/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
- /usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
-+/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
- /usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
--/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
-
- #
- # /var
-@@ -34,5 +39,7 @@
- # Fix pptp sockets
- /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
-
-+/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
-+
- /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
--/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
-+/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)
-diff --git a/ppp.if b/ppp.if
-index de4bdb7..a4cad0b 100644
---- a/ppp.if
-+++ b/ppp.if
-@@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
- ##
- ##
- #
--#
- interface(`ppp_kill',`
- gen_require(`
- type pppd_t;
-@@ -176,11 +175,18 @@ interface(`ppp_run_cond',`
- #
- interface(`ppp_run',`
- gen_require(`
-- attribute_role pppd_roles;
-+ #attribute_role pppd_roles;
-+ type pppd_t;
- ')
-
-- ppp_domtrans($1)
-- roleattribute $2 pppd_roles;
-+ #ppp_domtrans($1)
-+ #roleattribute $2 pppd_roles;
-+
-+ role $2 types pppd_t;
-+
-+ tunable_policy(`pppd_for_user',`
-+ ppp_domtrans($1)
-+ ')
- ')
-
- ########################################
-@@ -276,7 +282,8 @@ interface(`ppp_read_pid_files',`
- type pppd_var_run_t;
- ')
-
-- allow $1 pppd_var_run_t:file read_file_perms;
-+ files_search_pids($1)
-+ read_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
- ')
-
- ########################################
-@@ -294,6 +301,7 @@ interface(`ppp_manage_pid_files',`
- type pppd_var_run_t;
- ')
-
-+ files_search_pids($1)
- allow $1 pppd_var_run_t:file manage_file_perms;
- ')
-
-@@ -335,6 +343,29 @@ interface(`ppp_initrc_domtrans',`
-
- ########################################
- ##
-+## Execute pppd server in the pppd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ppp_systemctl',`
-+ gen_require(`
-+ type pppd_unit_file_t;
-+ type pppd_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 pppd_unit_file_t:file read_file_perms;
-+ allow $1 pppd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, pppd_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an ppp environment
- ##
-@@ -343,20 +374,31 @@ interface(`ppp_initrc_domtrans',`
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## Role allowed access.
-+##
-+##
- ##
- #
- interface(`ppp_admin',`
- gen_require(`
- type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
-- type pppd_etc_t, pppd_secret_t;
-- type pppd_etc_rw_t, pppd_var_run_t;
--
-+ type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
- type pptp_t, pptp_log_t, pptp_var_run_t;
-- type pppd_initrc_exec_t;
-+ type pppd_initrc_exec_t, pppd_etc_rw_t;
-+ type pppd_unit_file_t;
- ')
-
-- allow $1 pppd_t:process { ptrace signal_perms getattr };
-+ allow $1 pppd_t:process signal_perms;
- ps_process_pattern($1, pppd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 pppd_t:process ptrace;
-+ allow $1 pptp_t:process ptrace;
-+ ')
-+
-+ allow $1 pptp_t:process signal_perms;
-+ ps_process_pattern($1, pptp_t)
-
- ppp_initrc_domtrans($1)
- domain_system_change_exemption($1)
-@@ -369,6 +411,7 @@ interface(`ppp_admin',`
- logging_list_logs($1)
- admin_pattern($1, pppd_log_t)
-
-+ files_list_locks($1)
- admin_pattern($1, pppd_lock_t)
-
- files_list_etc($1)
-@@ -381,10 +424,11 @@ interface(`ppp_admin',`
- files_list_pids($1)
- admin_pattern($1, pppd_var_run_t)
-
-- allow $1 pptp_t:process { ptrace signal_perms getattr };
-- ps_process_pattern($1, pptp_t)
--
- admin_pattern($1, pptp_log_t)
-
- admin_pattern($1, pptp_var_run_t)
-+
-+ ppp_systemctl($1)
-+ admin_pattern($1, pppd_unit_file_t)
-+ allow $1 pppd_unit_file_t:service all_service_perms;
- ')
-diff --git a/ppp.te b/ppp.te
-index bcbf9ac..5a550bb 100644
---- a/ppp.te
-+++ b/ppp.te
-@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
- ##
- gen_tunable(pppd_for_user, false)
-
--attribute_role pppd_roles;
-+#attribute_role pppd_roles;
-
- # pppd_t is the domain for the pppd program.
- # pppd_exec_t is the type of the pppd executable.
- type pppd_t;
- type pppd_exec_t;
- init_daemon_domain(pppd_t, pppd_exec_t)
--role pppd_roles types pppd_t;
-+#role pppd_roles types pppd_t;
-+role system_r types pppd_t;
-
- type pppd_devpts_t;
- term_pty(pppd_devpts_t)
-@@ -42,6 +43,9 @@ files_type(pppd_etc_rw_t)
- type pppd_initrc_exec_t alias pppd_script_exec_t;
- init_script_file(pppd_initrc_exec_t)
-
-+type pppd_unit_file_t;
-+systemd_unit_file(pppd_unit_file_t)
-+
- # pppd_secret_t is the type of the pap and chap password files
- type pppd_secret_t;
- files_type(pppd_secret_t)
-@@ -61,7 +65,8 @@ files_pid_file(pppd_var_run_t)
- type pptp_t;
- type pptp_exec_t;
- init_daemon_domain(pptp_t, pptp_exec_t)
--role pppd_roles types pptp_t;
-+#role pppd_roles types pptp_t;
-+role system_r types pptp_t;
-
- type pptp_log_t;
- logging_log_file(pptp_log_t)
-@@ -74,9 +79,9 @@ files_pid_file(pptp_var_run_t)
- # PPPD Local policy
- #
-
--allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
-+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
- dontaudit pppd_t self:capability sys_tty_config;
--allow pppd_t self:process { getsched signal };
-+allow pppd_t self:process { getsched setsched signal };
- allow pppd_t self:fifo_file rw_fifo_file_perms;
- allow pppd_t self:socket create_socket_perms;
- allow pppd_t self:unix_dgram_socket create_socket_perms;
-@@ -88,28 +93,29 @@ allow pppd_t self:packet_socket create_socket_perms;
-
- domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
-
--allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
-+allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
-
- allow pppd_t pppd_etc_t:dir rw_dir_perms;
- allow pppd_t pppd_etc_t:file read_file_perms;
--allow pppd_t pppd_etc_t:lnk_file { getattr read };
-+allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
-
- manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
- # Automatically label newly created files under /etc/ppp with this type
- filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
-
--allow pppd_t pppd_lock_t:file manage_file_perms;
--files_lock_filetrans(pppd_t, pppd_lock_t, file)
-+manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
-+files_search_locks(pppd_t)
-
--allow pppd_t pppd_log_t:file manage_file_perms;
-+manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
- logging_log_filetrans(pppd_t, pppd_log_t, file)
-
- manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
- manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
- files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
-
-+manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
- manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
--files_pid_filetrans(pppd_t, pppd_var_run_t, file)
-+files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
-
- allow pppd_t pptp_t:process signal;
-
-@@ -130,7 +136,6 @@ dev_search_sysfs(pppd_t)
- dev_read_sysfs(pppd_t)
- dev_rw_modem(pppd_t)
-
--corenet_all_recvfrom_unlabeled(pppd_t)
- corenet_all_recvfrom_netlabel(pppd_t)
- corenet_tcp_sendrecv_generic_if(pppd_t)
- corenet_raw_sendrecv_generic_if(pppd_t)
-@@ -147,10 +152,12 @@ fs_getattr_all_fs(pppd_t)
- fs_search_auto_mountpoints(pppd_t)
-
- term_use_unallocated_ttys(pppd_t)
-+term_use_usb_ttys(pppd_t)
- term_setattr_unallocated_ttys(pppd_t)
- term_ioctl_generic_ptys(pppd_t)
- # for pppoe
- term_create_pty(pppd_t, pppd_devpts_t)
-+term_use_generic_ptys(pppd_t)
-
- # allow running ip-up and ip-down scripts and running chat.
- corecmd_exec_bin(pppd_t)
-@@ -161,43 +168,54 @@ domain_use_interactive_fds(pppd_t)
- files_exec_etc_files(pppd_t)
- files_manage_etc_runtime_files(pppd_t)
- files_dontaudit_write_etc_files(pppd_t)
-+files_read_usr_files(pppd_t)
-
- # for scripts
--files_read_etc_files(pppd_t)
-
- init_read_utmp(pppd_t)
- init_dontaudit_write_utmp(pppd_t)
- init_signal_script(pppd_t)
-
- auth_use_nsswitch(pppd_t)
-+auth_domtrans_chk_passwd(pppd_t)
-+#auth_run_chk_passwd(pppd_t,pppd_roles)
-+auth_write_login_records(pppd_t)
-
- logging_send_syslog_msg(pppd_t)
- logging_send_audit_msgs(pppd_t)
-
--miscfiles_read_localization(pppd_t)
--
- sysnet_exec_ifconfig(pppd_t)
- sysnet_manage_config(pppd_t)
- sysnet_etc_filetrans_config(pppd_t)
-
--userdom_use_user_terminals(pppd_t)
-+userdom_use_inherited_user_terminals(pppd_t)
- userdom_dontaudit_use_unpriv_user_fds(pppd_t)
- userdom_search_user_home_dirs(pppd_t)
-+userdom_search_admin_dir(pppd_t)
-
- ppp_exec(pppd_t)
-
- optional_policy(`
-- ddclient_run(pppd_t, pppd_roles)
-+ #ddclient_run(pppd_t, pppd_roles)
-+ ddclient_domtrans(pppd_t)
-+')
-+
-+optional_policy(`
-+ l2tpd_dgram_send(pppd_t)
-+ l2tpd_rw_socket(pppd_t)
-+ l2tpd_stream_connect(pppd_t)
- ')
-
- optional_policy(`
- tunable_policy(`pppd_can_insmod',`
-- modutils_domtrans_insmod(pppd_t)
-+ modutils_domtrans_insmod_uncond(pppd_t)
- ')
- ')
-
- optional_policy(`
- mta_send_mail(pppd_t)
-+ mta_system_content(pppd_etc_t)
-+ mta_system_content(pppd_etc_rw_t)
- ')
-
- optional_policy(`
-@@ -247,21 +265,24 @@ allow pptp_t pppd_log_t:file append_file_perms;
- allow pptp_t pptp_log_t:file manage_file_perms;
- logging_log_filetrans(pptp_t, pptp_log_t, file)
-
-+manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
- manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
- manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
--files_pid_filetrans(pptp_t, pptp_var_run_t, file)
-+files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir })
-
- kernel_list_proc(pptp_t)
-+kernel_signal(pptp_t)
- kernel_read_kernel_sysctls(pptp_t)
-+kernel_read_network_state(pptp_t)
- kernel_read_proc_symlinks(pptp_t)
- kernel_read_system_state(pptp_t)
-+kernel_signal(pptp_t)
-
- dev_read_sysfs(pptp_t)
-
- corecmd_exec_shell(pptp_t)
- corecmd_read_bin_symlinks(pptp_t)
-
--corenet_all_recvfrom_unlabeled(pptp_t)
- corenet_all_recvfrom_netlabel(pptp_t)
- corenet_tcp_sendrecv_generic_if(pptp_t)
- corenet_raw_sendrecv_generic_if(pptp_t)
-@@ -272,8 +293,7 @@ corenet_tcp_bind_generic_node(pptp_t)
- corenet_tcp_connect_generic_port(pptp_t)
- corenet_tcp_connect_all_reserved_ports(pptp_t)
- corenet_sendrecv_generic_client_packets(pptp_t)
--
--files_read_etc_files(pptp_t)
-+corenet_tcp_connect_pptp_port(pptp_t)
-
- fs_getattr_all_fs(pptp_t)
- fs_search_auto_mountpoints(pptp_t)
-@@ -288,8 +308,6 @@ auth_use_nsswitch(pptp_t)
-
- logging_send_syslog_msg(pptp_t)
-
--miscfiles_read_localization(pptp_t)
--
- sysnet_exec_ifconfig(pptp_t)
-
- userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-diff --git a/prelink.fc b/prelink.fc
-index ec0e76a..62af9a4 100644
---- a/prelink.fc
-+++ b/prelink.fc
-@@ -4,7 +4,7 @@
-
- /usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
-
--/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
-+/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
- /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
-
- /var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
-diff --git a/prelink.if b/prelink.if
-index 93ec175..e6605c1 100644
---- a/prelink.if
-+++ b/prelink.if
-@@ -202,3 +202,21 @@ interface(`prelink_relabel_lib',`
- files_search_var_lib($1)
- relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
- ')
-+
-+########################################
-+##
-+## Transition to prelink named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`prelink_filetrans_named_content',`
-+ gen_require(`
-+ type prelink_cache_t;
-+ ')
-+
-+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
-+')
-diff --git a/prelink.te b/prelink.te
-index af55369..9f1d1b5 100644
---- a/prelink.te
-+++ b/prelink.te
-@@ -18,6 +18,7 @@ type prelink_cron_system_t;
- type prelink_cron_system_exec_t;
- domain_type(prelink_cron_system_t)
- domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
-+domain_obj_id_change_exemption(prelink_cron_system_t)
-
- type prelink_log_t;
- logging_log_file(prelink_log_t)
-@@ -36,7 +37,7 @@ files_type(prelink_var_lib_t)
- # Local policy
- #
-
--allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
-+allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource };
- allow prelink_t self:process { execheap execmem execstack signal };
- allow prelink_t self:fifo_file rw_fifo_file_perms;
-
-@@ -59,10 +60,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
- manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
- relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
- files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
-+files_search_var_lib(prelink_t)
-
- # prelink misc objects that are not system
- # libraries or entrypoints
--allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
-+allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
-
- kernel_read_system_state(prelink_t)
- kernel_read_kernel_sysctls(prelink_t)
-@@ -73,6 +75,7 @@ corecmd_mmap_all_executables(prelink_t)
- corecmd_read_bin_symlinks(prelink_t)
-
- dev_read_urand(prelink_t)
-+dev_getattr_all_chr_files(prelink_t)
-
- files_list_all(prelink_t)
- files_getattr_all_files(prelink_t)
-@@ -86,6 +89,8 @@ files_relabelfrom_usr_files(prelink_t)
-
- fs_getattr_xattr_fs(prelink_t)
-
-+storage_getattr_fixed_disk_dev(prelink_t)
-+
- selinux_get_enforce_mode(prelink_t)
-
- libs_exec_ld_so(prelink_t)
-@@ -96,9 +101,16 @@ libs_manage_shared_libs(prelink_t)
- libs_relabel_shared_libs(prelink_t)
- libs_delete_lib_symlinks(prelink_t)
-
--miscfiles_read_localization(prelink_t)
-
--userdom_use_user_terminals(prelink_t)
-+userdom_use_inherited_user_terminals(prelink_t)
-+userdom_manage_user_home_content(prelink_t)
-+userdom_relabel_user_home_files(prelink_t)
-+userdom_execmod_user_home_files(prelink_t)
-+userdom_exec_user_home_content_files(prelink_t)
-+
-+systemd_read_unit_files(prelink_t)
-+
-+term_use_all_inherited_terms(prelink_t)
-
- optional_policy(`
- amanda_manage_lib(prelink_t)
-@@ -109,6 +121,15 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gnome_dontaudit_read_config(prelink_t)
-+ gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
-+')
-+
-+optional_policy(`
-+ mozilla_plugin_manage_rw_files(prelink_t)
-+')
-+
-+optional_policy(`
- rpm_manage_tmp_files(prelink_t)
- ')
-
-@@ -129,6 +150,7 @@ optional_policy(`
-
- read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
- allow prelink_cron_system_t prelink_cache_t:file unlink;
-+ files_delete_etc_dir_entry(prelink_cron_system_t)
-
- domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
- allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -144,21 +166,38 @@ optional_policy(`
- corecmd_exec_bin(prelink_cron_system_t)
- corecmd_exec_shell(prelink_cron_system_t)
-
-+ dev_list_sysfs(prelink_cron_system_t)
-+ dev_read_sysfs(prelink_cron_system_t)
-+
- files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
- files_read_etc_files(prelink_cron_system_t)
- files_search_var_lib(prelink_cron_system_t)
-
-+ fs_search_cgroup_dirs(prelink_cron_system_t)
-+
-+ auth_use_nsswitch(prelink_cron_system_t)
-+
-+ init_telinit(prelink_cron_system_t)
- init_exec(prelink_cron_system_t)
-
- libs_exec_ld_so(prelink_cron_system_t)
-
- logging_search_logs(prelink_cron_system_t)
-
-- miscfiles_read_localization(prelink_cron_system_t)
-+ init_stream_connect(prelink_cron_system_t)
-+
-
- cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
-
-+ userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
-+
- optional_policy(`
- rpm_read_db(prelink_cron_system_t)
- ')
- ')
-+
-+ifdef(`hide_broken_symptoms', `
-+ optional_policy(`
-+ dbus_read_config(prelink_t)
-+ ')
-+')
-diff --git a/prelude.fc b/prelude.fc
-index 3bd847a..a52b025 100644
---- a/prelude.fc
-+++ b/prelude.fc
-@@ -5,6 +5,7 @@
-
- /sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
-
-+/usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
- /usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0)
- /usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
- /usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
-diff --git a/prelude.if b/prelude.if
-index 2316653..f41a4f7 100644
---- a/prelude.if
-+++ b/prelude.if
-@@ -112,22 +112,24 @@ interface(`prelude_manage_spool',`
- #
- interface(`prelude_admin',`
- gen_require(`
-- type prelude_t, prelude_spool_t;
-- type prelude_var_run_t, prelude_var_lib_t;
-- type prelude_audisp_t, prelude_audisp_var_run_t;
-- type prelude_initrc_exec_t;
--
-- type prelude_lml_t, prelude_lml_tmp_t;
-- type prelude_lml_var_run_t;
-+ type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
-+ type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
-+ type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
-+ type prelude_lml_t;
- ')
-
-- allow $1 prelude_t:process { ptrace signal_perms };
-+ allow $1 prelude_t:process signal_perms;
- ps_process_pattern($1, prelude_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 prelude_t:process ptrace;
-+ allow $1 prelude_audisp_t:process ptrace;
-+ allow $1 prelude_lml_t:process ptrace;
-+ ')
-
-- allow $1 prelude_audisp_t:process { ptrace signal_perms };
-+ allow $1 prelude_audisp_t:process signal_perms;
- ps_process_pattern($1, prelude_audisp_t)
-
-- allow $1 prelude_lml_t:process { ptrace signal_perms };
-+ allow $1 prelude_lml_t:process signal_perms;
- ps_process_pattern($1, prelude_lml_t)
-
- init_labeled_script_domtrans($1, prelude_initrc_exec_t)
-@@ -135,10 +137,17 @@ interface(`prelude_admin',`
- role_transition $2 prelude_initrc_exec_t system_r;
- allow $2 system_r;
-
-+ files_list_spool($1)
- admin_pattern($1, prelude_spool_t)
-+
-+ files_list_var_lib($1)
- admin_pattern($1, prelude_var_lib_t)
-+
-+ files_list_pids($1)
- admin_pattern($1, prelude_var_run_t)
- admin_pattern($1, prelude_audisp_var_run_t)
-- admin_pattern($1, prelude_lml_tmp_t)
- admin_pattern($1, prelude_lml_var_run_t)
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, prelude_lml_tmp_t)
- ')
-diff --git a/prelude.te b/prelude.te
-index b1bc02c..a06f448 100644
---- a/prelude.te
-+++ b/prelude.te
-@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
- init_script_file(prelude_initrc_exec_t)
-
- type prelude_spool_t;
--files_type(prelude_spool_t)
-+files_spool_file(prelude_spool_t)
-
- type prelude_log_t;
- logging_log_file(prelude_log_t)
-@@ -82,7 +82,6 @@ kernel_read_sysctl(prelude_t)
-
- corecmd_search_bin(prelude_t)
-
--corenet_all_recvfrom_unlabeled(prelude_t)
- corenet_all_recvfrom_netlabel(prelude_t)
- corenet_tcp_sendrecv_generic_if(prelude_t)
- corenet_tcp_sendrecv_generic_node(prelude_t)
-@@ -95,7 +94,6 @@ corenet_tcp_connect_mysqld_port(prelude_t)
- dev_read_rand(prelude_t)
- dev_read_urand(prelude_t)
-
--files_read_etc_files(prelude_t)
- files_read_etc_runtime_files(prelude_t)
- files_read_usr_files(prelude_t)
- files_search_tmp(prelude_t)
-@@ -107,8 +105,6 @@ auth_use_nsswitch(prelude_t)
- logging_send_audit_msgs(prelude_t)
- logging_send_syslog_msg(prelude_t)
-
--miscfiles_read_localization(prelude_t)
--
- optional_policy(`
- mysql_search_db(prelude_t)
- mysql_stream_connect(prelude_t)
-@@ -143,7 +139,6 @@ kernel_read_system_state(prelude_audisp_t)
-
- corecmd_search_bin(prelude_audisp_t)
-
--corenet_all_recvfrom_unlabeled(prelude_audisp_t)
- corenet_all_recvfrom_netlabel(prelude_audisp_t)
- corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
- corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
-@@ -156,14 +151,11 @@ dev_read_urand(prelude_audisp_t)
- # Init script handling
- domain_use_interactive_fds(prelude_audisp_t)
-
--files_read_etc_files(prelude_audisp_t)
- files_read_etc_runtime_files(prelude_audisp_t)
- files_search_tmp(prelude_audisp_t)
-
- logging_send_syslog_msg(prelude_audisp_t)
-
--miscfiles_read_localization(prelude_audisp_t)
--
- sysnet_dns_name_resolve(prelude_audisp_t)
-
- ########################################
-@@ -183,7 +175,6 @@ kernel_read_sysctl(prelude_correlator_t)
-
- corecmd_search_bin(prelude_correlator_t)
-
--corenet_all_recvfrom_unlabeled(prelude_correlator_t)
- corenet_all_recvfrom_netlabel(prelude_correlator_t)
- corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
- corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
-@@ -192,14 +183,11 @@ corenet_tcp_connect_prelude_port(prelude_correlator_t)
- dev_read_rand(prelude_correlator_t)
- dev_read_urand(prelude_correlator_t)
-
--files_read_etc_files(prelude_correlator_t)
- files_read_usr_files(prelude_correlator_t)
- files_search_spool(prelude_correlator_t)
-
- logging_send_syslog_msg(prelude_correlator_t)
-
--miscfiles_read_localization(prelude_correlator_t)
--
- sysnet_dns_name_resolve(prelude_correlator_t)
-
- prelude_manage_spool(prelude_correlator_t)
-@@ -210,8 +198,8 @@ prelude_manage_spool(prelude_correlator_t)
- #
-
- allow prelude_lml_t self:capability dac_override;
--allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
--allow prelude_lml_t self:unix_dgram_socket { write create connect };
-+allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
-+allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
- allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
- allow prelude_lml_t self:unix_stream_socket connectto;
-
-@@ -236,10 +224,10 @@ kernel_read_sysctl(prelude_lml_t)
-
- corecmd_exec_bin(prelude_lml_t)
-
-+corenet_all_recvfrom_netlabel(prelude_lml_t)
- corenet_tcp_sendrecv_generic_if(prelude_lml_t)
- corenet_tcp_sendrecv_generic_node(prelude_lml_t)
- corenet_tcp_recvfrom_netlabel(prelude_lml_t)
--corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
- corenet_sendrecv_unlabeled_packets(prelude_lml_t)
- corenet_tcp_connect_prelude_port(prelude_lml_t)
-
-@@ -247,7 +235,6 @@ dev_read_rand(prelude_lml_t)
- dev_read_urand(prelude_lml_t)
-
- files_list_etc(prelude_lml_t)
--files_read_etc_files(prelude_lml_t)
- files_read_etc_runtime_files(prelude_lml_t)
-
- fs_getattr_all_fs(prelude_lml_t)
-@@ -262,8 +249,6 @@ libs_read_lib_files(prelude_lml_t)
- logging_send_syslog_msg(prelude_lml_t)
- logging_read_generic_logs(prelude_lml_t)
-
--miscfiles_read_localization(prelude_lml_t)
--
- sysnet_dns_name_resolve(prelude_lml_t)
-
- userdom_read_all_users_state(prelude_lml_t)
-@@ -283,7 +268,6 @@ optional_policy(`
-
- can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
-
-- files_read_etc_files(httpd_prewikka_script_t)
- files_search_tmp(httpd_prewikka_script_t)
-
- kernel_read_sysctl(httpd_prewikka_script_t)
-diff --git a/privoxy.if b/privoxy.if
-index afd1751..5aff531 100644
---- a/privoxy.if
-+++ b/privoxy.if
-@@ -23,8 +23,11 @@ interface(`privoxy_admin',`
- type privoxy_etc_rw_t, privoxy_var_run_t;
- ')
-
-- allow $1 privoxy_t:process { ptrace signal_perms };
-+ allow $1 privoxy_t:process signal_perms;
- ps_process_pattern($1, privoxy_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 privoxy_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/privoxy.te b/privoxy.te
-index 2dbf4d4..daa7c93 100644
---- a/privoxy.te
-+++ b/privoxy.te
-@@ -46,10 +46,10 @@ logging_log_filetrans(privoxy_t, privoxy_log_t, file)
- manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
- files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
-
--kernel_read_system_state(privoxy_t)
- kernel_read_kernel_sysctls(privoxy_t)
-+kernel_read_network_state(privoxy_t)
-+kernel_read_system_state(privoxy_t)
-
--corenet_all_recvfrom_unlabeled(privoxy_t)
- corenet_all_recvfrom_netlabel(privoxy_t)
- corenet_tcp_sendrecv_generic_if(privoxy_t)
- corenet_tcp_sendrecv_generic_node(privoxy_t)
-@@ -62,6 +62,7 @@ corenet_tcp_connect_squid_port(privoxy_t)
- corenet_tcp_connect_ftp_port(privoxy_t)
- corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
- corenet_tcp_connect_tor_port(privoxy_t)
-+corenet_tcp_connect_tor_socks_port(privoxy_t)
- corenet_sendrecv_http_cache_client_packets(privoxy_t)
- corenet_sendrecv_squid_client_packets(privoxy_t)
- corenet_sendrecv_http_cache_server_packets(privoxy_t)
-@@ -76,18 +77,15 @@ fs_search_auto_mountpoints(privoxy_t)
-
- domain_use_interactive_fds(privoxy_t)
-
--files_read_etc_files(privoxy_t)
-
- auth_use_nsswitch(privoxy_t)
-
- logging_send_syslog_msg(privoxy_t)
-
--miscfiles_read_localization(privoxy_t)
--
- userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
- userdom_dontaudit_search_user_home_dirs(privoxy_t)
- # cjp: this should really not be needed
--userdom_use_user_terminals(privoxy_t)
-+userdom_use_inherited_user_terminals(privoxy_t)
-
- tunable_policy(`privoxy_connect_any',`
- corenet_tcp_connect_all_ports(privoxy_t)
-diff --git a/procmail.fc b/procmail.fc
-index 1343621..4b36a13 100644
---- a/procmail.fc
-+++ b/procmail.fc
-@@ -1,3 +1,5 @@
-+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
-+/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
-
- /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
-
-diff --git a/procmail.if b/procmail.if
-index b64b02f..166e9c3 100644
---- a/procmail.if
-+++ b/procmail.if
-@@ -77,3 +77,22 @@ interface(`procmail_rw_tmp_files',`
- files_search_tmp($1)
- rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
- ')
-+
-+########################################
-+##
-+## Read procmail home directory content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`procmail_read_home_files',`
-+ gen_require(`
-+ type procmail_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ read_files_pattern($1, procmail_home_t, procmail_home_t)
-+')
-diff --git a/procmail.te b/procmail.te
-index 29b9295..23625fc 100644
---- a/procmail.te
-+++ b/procmail.te
-@@ -10,6 +10,9 @@ type procmail_exec_t;
- application_domain(procmail_t, procmail_exec_t)
- role system_r types procmail_t;
-
-+type procmail_home_t;
-+userdom_user_home_content(procmail_home_t)
-+
- type procmail_log_t;
- logging_log_file(procmail_log_t)
-
-@@ -32,7 +35,7 @@ allow procmail_t self:udp_socket create_socket_perms;
- can_exec(procmail_t, procmail_exec_t)
-
- # Write log to /var/log/procmail.log or /var/log/procmail/.*
--allow procmail_t procmail_log_t:dir setattr;
-+allow procmail_t procmail_log_t:dir setattr_dir_perms;
- create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
- append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
- read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -44,7 +47,6 @@ files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
- kernel_read_system_state(procmail_t)
- kernel_read_kernel_sysctls(procmail_t)
-
--corenet_all_recvfrom_unlabeled(procmail_t)
- corenet_all_recvfrom_netlabel(procmail_t)
- corenet_tcp_sendrecv_generic_if(procmail_t)
- corenet_udp_sendrecv_generic_if(procmail_t)
-@@ -67,17 +69,23 @@ auth_use_nsswitch(procmail_t)
-
- corecmd_exec_bin(procmail_t)
- corecmd_exec_shell(procmail_t)
--corecmd_read_bin_symlinks(procmail_t)
-
--files_read_etc_files(procmail_t)
- files_read_etc_runtime_files(procmail_t)
- files_search_pids(procmail_t)
- # for spamassasin
- files_read_usr_files(procmail_t)
-
-+application_exec_all(procmail_t)
-+
-+init_read_utmp(procmail_t)
-+
- logging_send_syslog_msg(procmail_t)
-+logging_append_all_logs(procmail_t)
-
--miscfiles_read_localization(procmail_t)
-+list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
-+read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
-+userdom_search_user_home_dirs(procmail_t)
-+userdom_search_admin_dir(procmail_t)
-
- # only works until we define a different type for maildir
- userdom_manage_user_home_content_dirs(procmail_t)
-@@ -87,8 +95,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
- userdom_manage_user_home_content_sockets(procmail_t)
- userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
-
--# Do not audit attempts to access /root.
--userdom_dontaudit_search_user_home_dirs(procmail_t)
-+# Execute user executables
-+userdom_exec_user_bin_files(procmail_t)
-
- mta_manage_spool(procmail_t)
- mta_read_queue(procmail_t)
-@@ -97,21 +105,19 @@ ifdef(`hide_broken_symptoms',`
- mta_dontaudit_rw_queue(procmail_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(procmail_t)
-- fs_manage_nfs_files(procmail_t)
-- fs_manage_nfs_symlinks(procmail_t)
-+userdom_home_manager(procmail_t)
-+
-+optional_policy(`
-+ clamav_domtrans_clamscan(procmail_t)
-+ clamav_search_lib(procmail_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(procmail_t)
-- fs_manage_cifs_files(procmail_t)
-- fs_manage_cifs_symlinks(procmail_t)
-+optional_policy(`
-+ cyrus_stream_connect(procmail_t)
- ')
-
- optional_policy(`
-- clamav_domtrans_clamscan(procmail_t)
-- clamav_search_lib(procmail_t)
-+ gnome_manage_data(procmail_t)
- ')
-
- optional_policy(`
-@@ -125,6 +131,11 @@ optional_policy(`
- postfix_read_spool_files(procmail_t)
- postfix_read_local_state(procmail_t)
- postfix_read_master_state(procmail_t)
-+ postfix_rw_master_pipes(procmail_t)
-+')
-+
-+optional_policy(`
-+ nagios_search_spool(procmail_t)
- ')
-
- optional_policy(`
-@@ -134,6 +145,7 @@ optional_policy(`
-
- optional_policy(`
- mta_read_config(procmail_t)
-+ mta_manage_home_rw(procmail_t)
- sendmail_domtrans(procmail_t)
- sendmail_signal(procmail_t)
- sendmail_dontaudit_rw_tcp_sockets(procmail_t)
-diff --git a/psad.if b/psad.if
-index bc329d1..20bb463 100644
---- a/psad.if
-+++ b/psad.if
-@@ -91,7 +91,6 @@ interface(`psad_manage_config',`
- files_search_etc($1)
- manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
- manage_files_pattern($1, psad_etc_t, psad_etc_t)
--
- ')
-
- ########################################
-@@ -115,7 +114,7 @@ interface(`psad_read_pid_files',`
-
- ########################################
- ##
--## Read psad PID files.
-+## Read and write psad PID files.
- ##
- ##
- ##
-@@ -176,6 +175,45 @@ interface(`psad_append_log',`
-
- ########################################
- ##
-+## Allow the specified domain to write to psad's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`psad_write_log',`
-+ gen_require(`
-+ type psad_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ write_files_pattern($1, psad_var_log_t, psad_var_log_t)
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to setattr to psad's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`psad_setattr_log',`
-+ gen_require(`
-+ type psad_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ setattr_files_pattern($1, psad_var_log_t, psad_var_log_t)
-+')
-+
-+########################################
-+##
- ## Read and write psad fifo files.
- ##
- ##
-@@ -186,7 +224,7 @@ interface(`psad_append_log',`
- #
- interface(`psad_rw_fifo_file',`
- gen_require(`
-- type psad_t;
-+ type psad_t, psad_var_lib_t;
- ')
-
- files_search_var_lib($1)
-@@ -196,6 +234,26 @@ interface(`psad_rw_fifo_file',`
-
- #######################################
- ##
-+## Allow setattr to psad fifo files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`psad_setattr_fifo_file',`
-+ gen_require(`
-+ type psad_t, psad_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 psad_var_lib_t:fifo_file setattr;
-+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
-+')
-+
-+#######################################
-+##
- ## Read and write psad tmp files.
- ##
- ##
-@@ -233,30 +291,33 @@ interface(`psad_rw_tmp_files',`
- interface(`psad_admin',`
- gen_require(`
- type psad_t, psad_var_run_t, psad_var_log_t;
-- type psad_initrc_exec_t, psad_var_lib_t;
-+ type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
- type psad_tmp_t;
- ')
-
-- allow $1 psad_t:process { ptrace signal_perms };
-+ allow $1 psad_t:process signal_perms;
- ps_process_pattern($1, psad_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 psad_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, psad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 psad_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_search_etc($1)
-+ files_list_etc($1)
- admin_pattern($1, psad_etc_t)
-
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, psad_var_run_t)
-
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, psad_var_log_t)
-
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
- admin_pattern($1, psad_var_lib_t)
-
-- files_search_tmp($1)
-+ files_list_tmp($1)
- admin_pattern($1, psad_tmp_t)
- ')
-diff --git a/psad.te b/psad.te
-index d4000e0..7fbcae1 100644
---- a/psad.te
-+++ b/psad.te
-@@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t)
-
- # config files
- type psad_etc_t;
--files_type(psad_etc_t)
-+files_config_file(psad_etc_t)
-
- type psad_initrc_exec_t;
- init_script_file(psad_initrc_exec_t)
-@@ -39,7 +39,7 @@ files_tmp_file(psad_tmp_t)
-
- allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
- dontaudit psad_t self:capability sys_tty_config;
--allow psad_t self:process signull;
-+allow psad_t self:process signal_perms;
- allow psad_t self:fifo_file rw_fifo_file_perms;
- allow psad_t self:rawip_socket create_socket_perms;
-
-@@ -53,9 +53,10 @@ manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
- logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
-
- # pid file
-+manage_dirs_pattern(psad_t, psad_var_run_t, psad_var_run_t)
- manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
- manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
--files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file })
-+files_pid_filetrans(psad_t, psad_var_run_t, { dir file sock_file })
-
- # tmp files
- manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
-@@ -73,7 +74,6 @@ kernel_read_net_sysctls(psad_t)
- corecmd_exec_shell(psad_t)
- corecmd_exec_bin(psad_t)
-
--corenet_all_recvfrom_unlabeled(psad_t)
- corenet_all_recvfrom_netlabel(psad_t)
- corenet_tcp_sendrecv_generic_if(psad_t)
- corenet_tcp_sendrecv_generic_node(psad_t)
-@@ -85,22 +85,23 @@ corenet_sendrecv_whois_client_packets(psad_t)
- dev_read_urand(psad_t)
-
- files_read_etc_runtime_files(psad_t)
-+files_read_usr_files(psad_t)
-
- fs_getattr_all_fs(psad_t)
-
- auth_use_nsswitch(psad_t)
-
--iptables_domtrans(psad_t)
--
- logging_read_generic_logs(psad_t)
- logging_read_syslog_config(psad_t)
- logging_send_syslog_msg(psad_t)
-
--miscfiles_read_localization(psad_t)
--
- sysnet_exec_ifconfig(psad_t)
-
- optional_policy(`
-+ iptables_domtrans(psad_t)
-+')
-+
-+optional_policy(`
- mta_send_mail(psad_t)
- mta_read_queue(psad_t)
- ')
-diff --git a/ptchown.if b/ptchown.if
-index 96cc023..5919bbd 100644
---- a/ptchown.if
-+++ b/ptchown.if
-@@ -18,6 +18,24 @@ interface(`ptchown_domtrans',`
- domtrans_pattern($1, ptchown_exec_t, ptchown_t)
- ')
-
-+#######################################
-+##
-+## Execute ptchown in the caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ptchown_exec',`
-+ gen_require(`
-+ type ptchown_exec_t;
-+ ')
-+
-+ can_exec($1, ptchown_exec_t)
-+')
-+
- ########################################
- ##
- ## Execute ptchown in the ptchown domain, and
-diff --git a/ptchown.te b/ptchown.te
-index d90245a..546474f 100644
---- a/ptchown.te
-+++ b/ptchown.te
-@@ -28,4 +28,4 @@ term_setattr_all_ptys(ptchown_t)
- term_use_generic_ptys(ptchown_t)
- term_use_ptmx(ptchown_t)
-
--miscfiles_read_localization(ptchown_t)
-+auth_read_passwd(ptchown_t)
-diff --git a/pulseaudio.fc b/pulseaudio.fc
-index 84f23dc..0e7d875 100644
---- a/pulseaudio.fc
-+++ b/pulseaudio.fc
-@@ -1,5 +1,12 @@
--HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
-+HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
-+HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
- HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
-+HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
-+
-+/root/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
-+/root/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
-+/root/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
-+/root/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
-
- /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
-
-diff --git a/pulseaudio.if b/pulseaudio.if
-index f40c64d..7015dce 100644
---- a/pulseaudio.if
-+++ b/pulseaudio.if
-@@ -35,6 +35,9 @@ interface(`pulseaudio_role',`
- allow pulseaudio_t $2:unix_stream_socket connectto;
- allow $2 pulseaudio_t:unix_stream_socket connectto;
-
-+ userdom_manage_tmp_role($1, pulseaudio_t)
-+ userdom_manage_tmpfs_role($1, pulseaudio_t)
-+
- allow $2 pulseaudio_t:dbus send_msg;
- allow pulseaudio_t $2:dbus { acquire_svc send_msg };
- ')
-@@ -151,12 +154,14 @@ interface(`pulseaudio_signull',`
- interface(`pulseaudio_stream_connect',`
- gen_require(`
- type pulseaudio_t, pulseaudio_var_run_t;
-+ type pulseaudio_home_t;
- ')
-
- files_search_pids($1)
- allow $1 pulseaudio_t:process signull;
- allow pulseaudio_t $1:process signull;
- stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
-+ stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t)
- ')
-
- ########################################
-@@ -257,4 +262,88 @@ interface(`pulseaudio_manage_home_files',`
- userdom_search_user_home_dirs($1)
- manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
-+ pulseaudio_filetrans_home_content($1)
-+ pulseaudio_filetrans_admin_home_content($1)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete pulseaudio
-+## home directory symlinks.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pulseaudio_manage_home_symlinks',`
-+ gen_require(`
-+ type pulseaudio_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
-+')
-+
-+########################################
-+##
-+## Create pulseaudio content in the user home directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pulseaudio_filetrans_home_content',`
-+ gen_require(`
-+ type pulseaudio_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
-+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
-+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
-+ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
-+')
-+
-+########################################
-+##
-+## Create pulseaudio content in the admin home directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pulseaudio_filetrans_admin_home_content',`
-+ gen_require(`
-+ type pulseaudio_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
-+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
-+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
-+')
-+
-+########################################
-+##
-+## Allow the domain to read pulseaudio state files in /proc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pulseaudio_read_state',`
-+ gen_require(`
-+ type pulseaudio_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, pulseaudio_t)
- ')
-diff --git a/pulseaudio.te b/pulseaudio.te
-index 901ac9b..bef43f7 100644
---- a/pulseaudio.te
-+++ b/pulseaudio.te
-@@ -41,7 +41,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
-
- manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
- manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
-+manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
- userdom_search_user_home_dirs(pulseaudio_t)
-+pulseaudio_filetrans_home_content(pulseaudio_t)
-+
-+# ~/.esd_auth - maybe we should label this pulseaudio_home_t?
-+userdom_read_user_home_content_files(pulseaudio_t)
-+userdom_search_admin_dir(pulseaudio_t)
-
- manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
- manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
-@@ -51,7 +57,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
- manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
- manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
- manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
--files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
-+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir })
-
- can_exec(pulseaudio_t, pulseaudio_exec_t)
-
-@@ -61,7 +67,6 @@ kernel_read_kernel_sysctls(pulseaudio_t)
-
- corecmd_exec_bin(pulseaudio_t)
-
--corenet_all_recvfrom_unlabeled(pulseaudio_t)
- corenet_all_recvfrom_netlabel(pulseaudio_t)
- corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
- corenet_tcp_bind_soundd_port(pulseaudio_t)
-@@ -70,32 +75,49 @@ corenet_tcp_sendrecv_generic_node(pulseaudio_t)
- corenet_udp_bind_sap_port(pulseaudio_t)
- corenet_udp_sendrecv_generic_if(pulseaudio_t)
- corenet_udp_sendrecv_generic_node(pulseaudio_t)
-+corenet_dontaudit_tcp_connect_xserver_port(pulseaudio_t)
-
- dev_read_sound(pulseaudio_t)
- dev_write_sound(pulseaudio_t)
- dev_read_sysfs(pulseaudio_t)
- dev_read_urand(pulseaudio_t)
-
--files_read_etc_files(pulseaudio_t)
- files_read_usr_files(pulseaudio_t)
-
- fs_rw_anon_inodefs_files(pulseaudio_t)
- fs_getattr_tmpfs(pulseaudio_t)
- fs_list_inotifyfs(pulseaudio_t)
-
--term_use_all_ttys(pulseaudio_t)
--term_use_all_ptys(pulseaudio_t)
-+term_use_all_inherited_ttys(pulseaudio_t)
-+term_use_all_inherited_ptys(pulseaudio_t)
-
- auth_use_nsswitch(pulseaudio_t)
-
- logging_send_syslog_msg(pulseaudio_t)
-
--miscfiles_read_localization(pulseaudio_t)
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_mount_nfs(pulseaudio_t)
-+ fs_mounton_nfs(pulseaudio_t)
-+ fs_manage_nfs_dirs(pulseaudio_t)
-+ fs_manage_nfs_files(pulseaudio_t)
-+ fs_manage_nfs_symlinks(pulseaudio_t)
-+ fs_manage_nfs_named_sockets(pulseaudio_t)
-+ fs_manage_nfs_named_pipes(pulseaudio_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_mount_cifs(pulseaudio_t)
-+ fs_mounton_cifs(pulseaudio_t)
-+ fs_manage_cifs_dirs(pulseaudio_t)
-+ fs_manage_cifs_files(pulseaudio_t)
-+ fs_manage_cifs_symlinks(pulseaudio_t)
-+ fs_manage_cifs_named_sockets(pulseaudio_t)
-+ fs_manage_cifs_named_pipes(pulseaudio_t)
-+')
-
--# cjp: this seems excessive. need to confirm
--userdom_manage_user_home_content_files(pulseaudio_t)
--userdom_manage_user_tmp_files(pulseaudio_t)
--userdom_manage_user_tmpfs_files(pulseaudio_t)
-+optional_policy(`
-+ alsa_read_rw_config(pulseaudio_t)
-+')
-
- optional_policy(`
- bluetooth_stream_connect(pulseaudio_t)
-@@ -125,16 +147,37 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ gnome_read_gkeyringd_state(pulseaudio_t)
-+ gnome_signull_gkeyringd(pulseaudio_t)
-+ gnome_manage_gstreamer_home_files(pulseaudio_t)
-+ gnome_exec_gstreamer_home_files(pulseaudio_t)
-+')
-+
-+optional_policy(`
- rtkit_scheduled(pulseaudio_t)
- ')
-
- optional_policy(`
-+ mozilla_plugin_delete_tmpfs_files(pulseaudio_t)
-+ mozilla_plugin_read_tmpfs_files(pulseaudio_t)
-+')
-+
-+optional_policy(`
-+ mpd_read_tmpfs_files(pulseaudio_t)
-+')
-+
-+optional_policy(`
- policykit_domtrans_auth(pulseaudio_t)
- policykit_read_lib(pulseaudio_t)
- policykit_read_reload(pulseaudio_t)
- ')
-
- optional_policy(`
-+ systemd_read_logind_sessions_files(pulseaudio_t)
-+ systemd_login_read_pid_files(pulseaudio_t)
-+')
-+
-+optional_policy(`
- udev_read_state(pulseaudio_t)
- udev_read_db(pulseaudio_t)
- ')
-@@ -146,3 +189,7 @@ optional_policy(`
- xserver_read_xdm_pid(pulseaudio_t)
- xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
- ')
-+
-+optional_policy(`
-+ virt_manage_tmpfs_files(pulseaudio_t)
-+')
-diff --git a/puppet.fc b/puppet.fc
-index 2f1e529..8c0b242 100644
---- a/puppet.fc
-+++ b/puppet.fc
-@@ -3,6 +3,7 @@
- /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-
-+/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
- /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
- /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-
-diff --git a/puppet.if b/puppet.if
-index 2855a44..b7b5ee7 100644
---- a/puppet.if
-+++ b/puppet.if
-@@ -8,6 +8,53 @@
- ##
- ##
-
-+########################################
-+##
-+## Execute puppetca in the puppetca
-+## domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`puppet_domtrans_puppetca',`
-+ gen_require(`
-+ type puppetca_t, puppetca_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, puppetca_exec_t, puppetca_t)
-+')
-+
-+#####################################
-+##
-+## Execute puppetca in the puppetca
-+## domain and allow the specified
-+## role the puppetca domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`puppet_run_puppetca',`
-+ gen_require(`
-+ type puppetca_t, puppetca_exec_t;
-+ ')
-+
-+ puppet_domtrans_puppetca($1)
-+ role $2 types puppetca_t;
-+')
-+
- ################################################
- ##
- ## Read / Write to Puppet temp files. Puppet uses
-@@ -26,6 +73,178 @@ interface(`puppet_rw_tmp', `
- type puppet_tmp_t;
- ')
-
-- allow $1 puppet_tmp_t:file rw_file_perms;
-+ allow $1 puppet_tmp_t:file rw_inherited_file_perms;
- files_search_tmp($1)
- ')
-+
-+################################################
-+##
-+## Read Puppet lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`puppet_read_lib',`
-+ gen_require(`
-+ type puppet_var_lib_t;
-+ ')
-+
-+ read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
-+ files_search_var_lib($1)
-+')
-+
-+###############################################
-+##
-+## Manage Puppet lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`puppet_manage_lib',`
-+ gen_require(`
-+ type puppet_var_lib_t;
-+ ')
-+
-+ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
-+ files_search_var_lib($1)
-+')
-+
-+######################################
-+##
-+## Allow the specified domain to search puppet's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`puppet_search_log',`
-+ gen_require(`
-+ type puppet_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ allow $1 puppet_log_t:dir search_dir_perms;
-+')
-+
-+#####################################
-+##
-+## Allow the specified domain to read puppet's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`puppet_read_log',`
-+ gen_require(`
-+ type puppet_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, puppet_log_t, puppet_log_t)
-+')
-+
-+#####################################
-+##
-+## Allow the specified domain to create puppet's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`puppet_create_log',`
-+ gen_require(`
-+ type puppet_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ create_files_pattern($1, puppet_log_t, puppet_log_t)
-+')
-+
-+####################################
-+##
-+## Allow the specified domain to append puppet's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`puppet_append_log',`
-+ gen_require(`
-+ type puppet_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, puppet_log_t, puppet_log_t)
-+')
-+
-+####################################
-+##
-+## Allow the specified domain to manage puppet's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`puppet_manage_log',`
-+ gen_require(`
-+ type puppet_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_files_pattern($1, puppet_log_t, puppet_log_t)
-+')
-+
-+####################################
-+##
-+## Allow the specified domain to read puppet's config files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`puppet_read_config',`
-+ gen_require(`
-+ type puppet_etc_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
-+ read_files_pattern($1, puppet_etc_t, puppet_etc_t)
-+')
-+
-+#####################################
-+##
-+## Allow the specified domain to search puppet's pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`puppet_search_pid',`
-+ gen_require(`
-+ type puppet_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 puppet_var_run_t:dir search_dir_perms;
-+')
-diff --git a/puppet.te b/puppet.te
-index baa88f6..050d953 100644
---- a/puppet.te
-+++ b/puppet.te
-@@ -13,6 +13,13 @@ policy_module(puppet, 1.3.0)
- ##
- gen_tunable(puppet_manage_all_files, false)
-
-+##
-+##
-+## Allow Puppet master to use connect to MySQL and PostgreSQL database
-+##
-+##
-+gen_tunable(puppetmaster_use_db, false)
-+
- type puppet_t;
- type puppet_exec_t;
- init_daemon_domain(puppet_t, puppet_exec_t)
-@@ -35,6 +42,11 @@ files_type(puppet_var_lib_t)
- type puppet_var_run_t;
- files_pid_file(puppet_var_run_t)
-
-+type puppetca_t;
-+type puppetca_exec_t;
-+application_domain(puppetca_t, puppetca_exec_t)
-+role system_r types puppetca_t;
-+
- type puppetmaster_t;
- type puppetmaster_exec_t;
- init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
-@@ -50,7 +62,7 @@ files_tmp_file(puppetmaster_tmp_t)
- # Puppet personal policy
- #
-
--allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
-+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
- allow puppet_t self:process { signal signull getsched setsched };
- allow puppet_t self:fifo_file rw_fifo_file_perms;
- allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -63,7 +75,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
- manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
- files_search_var_lib(puppet_t)
-
--setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-+manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
- manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
- files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-
-@@ -80,12 +92,14 @@ kernel_dontaudit_search_sysctl(puppet_t)
- kernel_dontaudit_search_kernel_sysctl(puppet_t)
- kernel_read_system_state(puppet_t)
- kernel_read_crypto_sysctls(puppet_t)
-+kernel_read_kernel_sysctls(puppet_t)
-
-+corecmd_read_all_executables(puppet_t)
-+corecmd_dontaudit_access_all_executables(puppet_t)
- corecmd_exec_bin(puppet_t)
- corecmd_exec_shell(puppet_t)
-
- corenet_all_recvfrom_netlabel(puppet_t)
--corenet_all_recvfrom_unlabeled(puppet_t)
- corenet_tcp_sendrecv_generic_if(puppet_t)
- corenet_tcp_sendrecv_generic_node(puppet_t)
- corenet_tcp_bind_generic_node(puppet_t)
-@@ -103,11 +117,11 @@ files_manage_config_files(puppet_t)
- files_manage_config_dirs(puppet_t)
- files_manage_etc_dirs(puppet_t)
- files_manage_etc_files(puppet_t)
-+files_read_usr_files(puppet_t)
- files_read_usr_symlinks(puppet_t)
- files_relabel_config_dirs(puppet_t)
- files_relabel_config_files(puppet_t)
-
--selinux_search_fs(puppet_t)
- selinux_set_all_booleans(puppet_t)
- selinux_set_generic_booleans(puppet_t)
- selinux_validate_context(puppet_t)
-@@ -115,6 +129,8 @@ selinux_validate_context(puppet_t)
- term_dontaudit_getattr_unallocated_ttys(puppet_t)
- term_dontaudit_getattr_all_ttys(puppet_t)
-
-+auth_use_nsswitch(puppet_t)
-+
- init_all_labeled_script_domtrans(puppet_t)
- init_domtrans_script(puppet_t)
- init_read_utmp(puppet_t)
-@@ -123,22 +139,23 @@ init_signull_script(puppet_t)
- logging_send_syslog_msg(puppet_t)
-
- miscfiles_read_hwdata(puppet_t)
--miscfiles_read_localization(puppet_t)
--
--mount_domtrans(puppet_t)
-
- seutil_domtrans_setfiles(puppet_t)
- seutil_domtrans_semanage(puppet_t)
-+seutil_read_file_contexts(puppet_t)
-
--sysnet_dns_name_resolve(puppet_t)
- sysnet_run_ifconfig(puppet_t, system_r)
-
- tunable_policy(`puppet_manage_all_files',`
-- files_manage_non_auth_files(puppet_t)
-+ files_manage_non_security_files(puppet_t)
-+')
-+
-+optional_policy(`
-+ cfengine_read_lib_files(puppet_t)
- ')
-
- optional_policy(`
-- consoletype_domtrans(puppet_t)
-+ consoletype_exec(puppet_t)
- ')
-
- optional_policy(`
-@@ -146,6 +163,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ mount_domtrans(puppet_t)
-+')
-+
-+optional_policy(`
-+ mta_send_mail(puppet_t)
-+')
-+
-+optional_policy(`
- portage_domtrans(puppet_t)
- portage_domtrans_fetch(puppet_t)
- portage_domtrans_gcc_config(puppet_t)
-@@ -164,8 +189,134 @@ optional_policy(`
- ')
-
- optional_policy(`
-- usermanage_domtrans_groupadd(puppet_t)
-- usermanage_domtrans_useradd(puppet_t)
-+ usermanage_access_check_groupadd(puppet_t)
-+ usermanage_access_check_passwd(puppet_t)
-+ usermanage_access_check_useradd(puppet_t)
-+')
-+
-+optional_policy(`
-+ auth_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ alsa_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ bootloader_filetrans_config(puppet_t)
-+')
-+
-+optional_policy(`
-+ devicekit_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ dnsmasq_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ kerberos_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ libs_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ miscfiles_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ mta_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ modules_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ nx_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ postfix_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ openshift_initrc_domtrans(puppet_t)
-+')
-+
-+optional_policy(`
-+ quota_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ sysnet_filetrans_named_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ virt_filetrans_home_content(puppet_t)
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_admin_home_content(puppet_t)
-+')
-+
-+########################################
-+#
-+# PuppetCA personal policy
-+#
-+
-+allow puppetca_t self:capability { dac_override setgid setuid };
-+allow puppetca_t self:fifo_file rw_fifo_file_perms;
-+
-+read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
-+
-+allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
-+manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-+manage_dirs_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-+
-+allow puppetca_t puppet_log_t:dir search_dir_perms;
-+
-+allow puppetca_t puppet_var_run_t:dir search_dir_perms;
-+
-+kernel_read_system_state(puppetca_t)
-+# Maybe dontaudit this like we did with other puppet domains?
-+kernel_read_kernel_sysctls(puppetca_t)
-+
-+corecmd_exec_bin(puppetca_t)
-+corecmd_exec_shell(puppetca_t)
-+
-+dev_read_urand(puppetca_t)
-+dev_search_sysfs(puppetca_t)
-+
-+files_read_etc_files(puppetca_t)
-+files_search_var_lib(puppetca_t)
-+
-+selinux_validate_context(puppetca_t)
-+
-+logging_search_logs(puppetca_t)
-+
-+miscfiles_read_generic_certs(puppetca_t)
-+
-+seutil_read_file_contexts(puppetca_t)
-+
-+optional_policy(`
-+ hostname_exec(puppetca_t)
-+')
-+
-+optional_policy(`
-+ mta_sendmail_access_check(puppetca_t)
-+')
-+
-+optional_policy(`
-+ usermanage_access_check_groupadd(puppet_t)
-+ usermanage_access_check_passwd(puppet_t)
-+ usermanage_access_check_useradd(puppet_t)
- ')
-
- ########################################
-@@ -184,51 +335,83 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
- list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
- read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
-
--allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
--allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
-+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
-+allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
- logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
-+allow puppetmaster_t puppet_log_t:file relabel_file_perms;
-
- manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
- manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
-+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
-+allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
-
- setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
-+create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
- manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
- files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
-+allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
-
- manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
- manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
- files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
-+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
-
- kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
-+kernel_read_network_state(puppetmaster_t)
- kernel_read_system_state(puppetmaster_t)
- kernel_read_crypto_sysctls(puppetmaster_t)
-+kernel_read_kernel_sysctls(puppetmaster_t)
-
- corecmd_exec_bin(puppetmaster_t)
- corecmd_exec_shell(puppetmaster_t)
-
- corenet_all_recvfrom_netlabel(puppetmaster_t)
--corenet_all_recvfrom_unlabeled(puppetmaster_t)
- corenet_tcp_sendrecv_generic_if(puppetmaster_t)
- corenet_tcp_sendrecv_generic_node(puppetmaster_t)
- corenet_tcp_bind_generic_node(puppetmaster_t)
- corenet_tcp_bind_puppet_port(puppetmaster_t)
- corenet_sendrecv_puppet_server_packets(puppetmaster_t)
-+corenet_tcp_connect_ntop_port(puppetmaster_t)
-+
-+# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
-+corenet_udp_bind_generic_node(puppetmaster_t)
-+corenet_udp_bind_generic_port(puppetmaster_t)
-
- dev_read_rand(puppetmaster_t)
- dev_read_urand(puppetmaster_t)
-+dev_search_sysfs(puppetmaster_t)
-
- domain_read_all_domains_state(puppetmaster_t)
-+domain_obj_id_change_exemption(puppetmaster_t)
-
--files_read_etc_files(puppetmaster_t)
--files_search_var_lib(puppetmaster_t)
-+files_read_usr_files(puppetmaster_t)
-+
-+selinux_validate_context(puppetmaster_t)
-+
-+auth_use_nsswitch(puppetmaster_t)
-
- logging_send_syslog_msg(puppetmaster_t)
-
--miscfiles_read_localization(puppetmaster_t)
-+miscfiles_read_generic_certs(puppetmaster_t)
-+
-+seutil_read_file_contexts(puppetmaster_t)
-
--sysnet_dns_name_resolve(puppetmaster_t)
- sysnet_run_ifconfig(puppetmaster_t, system_r)
-
-+mta_send_mail(puppetmaster_t)
-+
-+optional_policy(`
-+ tunable_policy(`puppetmaster_use_db',`
-+ mysql_stream_connect(puppetmaster_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ tunable_policy(`puppetmaster_use_db',`
-+ postgresql_stream_connect(puppetmaster_t)
-+ ')
-+')
-+
- optional_policy(`
- hostname_exec(puppetmaster_t)
- ')
-@@ -239,3 +422,9 @@ optional_policy(`
- rpm_exec(puppetmaster_t)
- rpm_read_db(puppetmaster_t)
- ')
-+
-+optional_policy(`
-+ usermanage_access_check_groupadd(puppetmaster_t)
-+ usermanage_access_check_passwd(puppetmaster_t)
-+ usermanage_access_check_useradd(puppetmaster_t)
-+')
-diff --git a/pwauth.fc b/pwauth.fc
-new file mode 100644
-index 0000000..e2f8687
---- /dev/null
-+++ b/pwauth.fc
-@@ -0,0 +1,3 @@
-+/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0)
-+
-+/var/run/pwauth.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)
-diff --git a/pwauth.if b/pwauth.if
-new file mode 100644
-index 0000000..86d25ea
---- /dev/null
-+++ b/pwauth.if
-@@ -0,0 +1,74 @@
-+
-+## policy for pwauth
-+
-+########################################
-+##
-+## Transition to pwauth.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`pwauth_domtrans',`
-+ gen_require(`
-+ type pwauth_t, pwauth_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, pwauth_exec_t, pwauth_t)
-+')
-+
-+########################################
-+##
-+## Execute pwauth in the pwauth domain, and
-+## allow the specified role the pwauth domain.
-+##
-+##
-+##
-+## Domain allowed to transition
-+##
-+##
-+##
-+##
-+## The role to be allowed the pwauth domain.
-+##
-+##
-+#
-+interface(`pwauth_run',`
-+ gen_require(`
-+ type pwauth_t;
-+ ')
-+
-+ pwauth_domtrans($1)
-+ role $2 types pwauth_t;
-+')
-+
-+########################################
-+##
-+## Role access for pwauth
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+interface(`pwauth_role',`
-+ gen_require(`
-+ type pwauth_t;
-+ ')
-+
-+ role $1 types pwauth_t;
-+
-+ pwauth_domtrans($2)
-+
-+ ps_process_pattern($2, pwauth_t)
-+ allow $2 pwauth_t:process signal;
-+')
-diff --git a/pwauth.te b/pwauth.te
-new file mode 100644
-index 0000000..8f357cc
---- /dev/null
-+++ b/pwauth.te
-@@ -0,0 +1,39 @@
-+policy_module(pwauth, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type pwauth_t;
-+type pwauth_exec_t;
-+application_domain(pwauth_t, pwauth_exec_t)
-+role system_r types pwauth_t;
-+
-+type pwauth_var_run_t;
-+files_pid_file(pwauth_var_run_t)
-+
-+########################################
-+#
-+# pwauth local policy
-+#
-+allow pwauth_t self:capability setuid;
-+allow pwauth_t self:process setrlimit;
-+
-+allow pwauth_t self:fifo_file manage_fifo_file_perms;
-+allow pwauth_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
-+files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
-+
-+domain_use_interactive_fds(pwauth_t)
-+
-+
-+auth_domtrans_chkpwd(pwauth_t)
-+auth_use_nsswitch(pwauth_t)
-+auth_read_shadow(pwauth_t)
-+
-+init_read_utmp(pwauth_t)
-+
-+logging_send_syslog_msg(pwauth_t)
-+logging_send_audit_msgs(pwauth_t)
-diff --git a/pxe.fc b/pxe.fc
-index 44b3a0c..5d247cb 100644
---- a/pxe.fc
-+++ b/pxe.fc
-@@ -1,6 +1,6 @@
-
- /usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0)
-
--/var/log/pxe\.log -- gen_context(system_u:object_r:pxe_log_t,s0)
-+/var/log/pxe\.log.* -- gen_context(system_u:object_r:pxe_log_t,s0)
-
- /var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0)
-diff --git a/pxe.te b/pxe.te
-index fec69eb..848c311 100644
---- a/pxe.te
-+++ b/pxe.te
-@@ -49,8 +49,6 @@ fs_search_auto_mountpoints(pxe_t)
-
- logging_send_syslog_msg(pxe_t)
-
--miscfiles_read_localization(pxe_t)
--
- userdom_dontaudit_use_unpriv_user_fds(pxe_t)
- userdom_dontaudit_search_user_home_dirs(pxe_t)
-
-diff --git a/pyicqt.te b/pyicqt.te
-index a841221..c653e4a 100644
---- a/pyicqt.te
-+++ b/pyicqt.te
-@@ -13,7 +13,7 @@ type pyicqt_conf_t;
- files_config_file(pyicqt_conf_t)
-
- type pyicqt_spool_t;
--files_type(pyicqt_spool_t)
-+files_spool_file(pyicqt_spool_t)
-
- type pyicqt_var_run_t;
- files_pid_file(pyicqt_var_run_t)
-@@ -40,7 +40,6 @@ kernel_read_system_state(pyicqt_t)
-
- corecmd_exec_bin(pyicqt_t)
-
--corenet_all_recvfrom_unlabeled(pyicqt_t)
- corenet_all_recvfrom_netlabel(pyicqt_t)
- corenet_tcp_sendrecv_generic_if(pyicqt_t)
- corenet_tcp_sendrecv_generic_node(pyicqt_t)
-@@ -54,6 +53,5 @@ files_read_usr_files(pyicqt_t)
-
- libs_read_lib_files(pyicqt_t)
-
--miscfiles_read_localization(pyicqt_t)
-
- sysnet_read_config(pyicqt_t)
-diff --git a/pyzor.fc b/pyzor.fc
-index d4a7750..a927c5a 100644
---- a/pyzor.fc
-+++ b/pyzor.fc
-@@ -1,9 +1,13 @@
- /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
-+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
-
- HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
-+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
-+/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
-+/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
-
- /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
- /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
-
- /var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
--/var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0)
-+/var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0)
-diff --git a/pyzor.if b/pyzor.if
-index 494f7e2..2c411af 100644
---- a/pyzor.if
-+++ b/pyzor.if
-@@ -14,6 +14,7 @@
- ## User domain for the role
- ##
- ##
-+##
- #
- interface(`pyzor_role',`
- gen_require(`
-@@ -28,7 +29,10 @@ interface(`pyzor_role',`
-
- # allow ps to show pyzor and allow the user to kill it
- ps_process_pattern($2, pyzor_t)
-- allow $2 pyzor_t:process signal;
-+ allow $2 pyzor_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 pyzor_t:process ptrace;
-+ ')
- ')
-
- ########################################
-@@ -88,3 +92,50 @@ interface(`pyzor_exec',`
- corecmd_search_bin($1)
- can_exec($1, pyzor_exec_t)
- ')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an pyzor environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed to manage the pyzor domain.
-+##
-+##
-+##
-+#
-+interface(`pyzor_admin',`
-+ gen_require(`
-+ type pyzord_t, pyzor_tmp_t, pyzord_log_t;
-+ type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
-+ ')
-+
-+ allow $1 pyzord_t:process signal_perms;
-+ ps_process_pattern($1, pyzord_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 pyzord_t:process ptrace;
-+ ')
-+
-+ init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 pyzord_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, pyzor_tmp_t)
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, pyzord_log_t)
-+
-+ files_list_etc($1)
-+ admin_pattern($1, pyzor_etc_t)
-+
-+ files_list_var_lib($1)
-+ admin_pattern($1, pyzor_var_lib_t)
-+')
-diff --git a/pyzor.te b/pyzor.te
-index c8fb70b..f7bf36e 100644
---- a/pyzor.te
-+++ b/pyzor.te
-@@ -1,42 +1,66 @@
--policy_module(pyzor, 2.2.0)
-+policy_module(pyzor, 2.1.0)
-
- ########################################
- #
- # Declarations
- #
-
--type pyzor_t;
--type pyzor_exec_t;
--typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
--typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
--userdom_user_application_domain(pyzor_t, pyzor_exec_t)
--role system_r types pyzor_t;
--
--type pyzor_etc_t;
--files_type(pyzor_etc_t)
--
--type pyzor_home_t;
--typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
--typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
--userdom_user_home_content(pyzor_home_t)
--
--type pyzor_tmp_t;
--typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
--typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
--userdom_user_tmp_file(pyzor_tmp_t)
--
--type pyzor_var_lib_t;
--typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
--typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
--files_type(pyzor_var_lib_t)
--ubac_constrained(pyzor_var_lib_t)
--
--type pyzord_t;
--type pyzord_exec_t;
--init_daemon_domain(pyzord_t, pyzord_exec_t)
--
--type pyzord_log_t;
--logging_log_file(pyzord_log_t)
-+ifdef(`distro_redhat',`
-+ gen_require(`
-+ type spamc_t, spamc_exec_t, spamd_t;
-+ type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t;
-+ type spamd_log_t, spamd_var_lib_t, spamd_etc_t;
-+ type spamc_tmp_t, spamc_home_t;
-+ ')
-+
-+ typealias spamc_t alias pyzor_t;
-+ typealias spamc_exec_t alias pyzor_exec_t;
-+ typealias spamd_t alias pyzord_t;
-+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
-+ typealias spamd_exec_t alias pyzord_exec_t;
-+ typealias spamc_tmp_t alias pyzor_tmp_t;
-+ typealias spamd_log_t alias pyzor_log_t;
-+ typealias spamd_log_t alias pyzord_log_t;
-+ typealias spamd_var_lib_t alias pyzor_var_lib_t;
-+ typealias spamd_etc_t alias pyzor_etc_t;
-+ typealias spamc_home_t alias pyzor_home_t;
-+ typealias spamc_home_t alias user_pyzor_home_t;
-+',`
-+ type pyzor_t;
-+ type pyzor_exec_t;
-+ typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
-+ typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
-+ application_domain(pyzor_t, pyzor_exec_t)
-+ ubac_constrained(pyzor_t)
-+ role system_r types pyzor_t;
-+
-+ type pyzor_etc_t;
-+ files_config_file(pyzor_etc_t)
-+
-+ type pyzor_home_t;
-+ typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
-+ typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
-+ userdom_user_home_content(pyzor_home_t)
-+
-+ type pyzor_tmp_t;
-+ typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
-+ typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
-+ files_tmp_file(pyzor_tmp_t)
-+ ubac_constrained(pyzor_tmp_t)
-+
-+ type pyzor_var_lib_t;
-+ typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
-+ typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
-+ files_type(pyzor_var_lib_t)
-+ ubac_constrained(pyzor_var_lib_t)
-+
-+ type pyzord_t;
-+ type pyzord_exec_t;
-+ init_daemon_domain(pyzord_t, pyzord_exec_t)
-+
-+ type pyzord_log_t;
-+ logging_log_file(pyzord_log_t)
-+')
-
- ########################################
- #
-@@ -74,11 +98,13 @@ corenet_tcp_connect_http_port(pyzor_t)
-
- dev_read_urand(pyzor_t)
-
--files_read_etc_files(pyzor_t)
-+fs_getattr_xattr_fs(pyzor_t)
-+
-
- auth_use_nsswitch(pyzor_t)
-
--miscfiles_read_localization(pyzor_t)
-+
-+mta_read_queue(pyzor_t)
-
- userdom_dontaudit_search_user_home_dirs(pyzor_t)
-
-@@ -109,8 +135,8 @@ allow pyzord_t pyzor_etc_t:dir list_dir_perms;
- can_exec(pyzord_t, pyzor_exec_t)
-
- manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
--allow pyzord_t pyzord_log_t:dir setattr;
--logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir } )
-+allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
-+logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
-
- kernel_read_kernel_sysctls(pyzord_t)
- kernel_read_system_state(pyzord_t)
-@@ -119,7 +145,6 @@ dev_read_urand(pyzord_t)
-
- corecmd_exec_bin(pyzord_t)
-
--corenet_all_recvfrom_unlabeled(pyzord_t)
- corenet_all_recvfrom_netlabel(pyzord_t)
- corenet_udp_sendrecv_generic_if(pyzord_t)
- corenet_udp_sendrecv_generic_node(pyzord_t)
-@@ -128,13 +153,11 @@ corenet_udp_bind_generic_node(pyzord_t)
- corenet_udp_bind_pyzor_port(pyzord_t)
- corenet_sendrecv_pyzor_server_packets(pyzord_t)
-
--files_read_etc_files(pyzord_t)
-
- auth_use_nsswitch(pyzord_t)
-
- locallogin_dontaudit_use_fds(pyzord_t)
-
--miscfiles_read_localization(pyzord_t)
-
- # Do not audit attempts to access /root.
- userdom_dontaudit_search_user_home_dirs(pyzord_t)
-diff --git a/qemu.if b/qemu.if
-index 268d691..580f9ee 100644
---- a/qemu.if
-+++ b/qemu.if
-@@ -43,7 +43,6 @@ template(`qemu_domain_template',`
-
- kernel_read_system_state($1_t)
-
-- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
- corenet_tcp_sendrecv_generic_if($1_t)
- corenet_tcp_sendrecv_generic_node($1_t)
-@@ -72,11 +71,10 @@ template(`qemu_domain_template',`
- term_getattr_pty_fs($1_t)
- term_use_generic_ptys($1_t)
-
-- miscfiles_read_localization($1_t)
-
- sysnet_read_config($1_t)
-
-- userdom_use_user_terminals($1_t)
-+ userdom_use_inherited_user_terminals($1_t)
- userdom_attach_admin_tun_iface($1_t)
-
- optional_policy(`
-@@ -98,61 +96,40 @@ template(`qemu_domain_template',`
- ')
- ')
-
--#######################################
-+########################################
- ##
--## The per role template for the qemu module.
-+## Execute a domain transition to run qemu.
-+##
-+##
-+##
-+## Domain allowed to transition.
- ##
--##
--##
--## This template creates a derived domains which are used
--## for qemu web browser.
--##
--##
--## This template is invoked automatically for each user, and
--## generally does not need to be invoked directly
--## by policy writers.
--##
--##
--##
--##
--## The role associated with the user domain.
--##
--##
--##
--##
--## The type of the user domain.
--##
- ##
- #
--template(`qemu_role',`
-+interface(`qemu_domtrans',`
- gen_require(`
- type qemu_t, qemu_exec_t;
-- type qemu_config_t, qemu_config_exec_t;
- ')
-
-- role $1 types { qemu_t qemu_config_t };
--
-- domtrans_pattern($2, qemu_exec_t, qemu_t)
-- domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
-- allow qemu_t $2:process signull;
-+ domtrans_pattern($1, qemu_exec_t, qemu_t)
- ')
-
- ########################################
- ##
--## Execute a domain transition to run qemu.
-+## Execute a qemu in the callers domain
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`qemu_domtrans',`
-+interface(`qemu_exec',`
- gen_require(`
-- type qemu_t, qemu_exec_t;
-+ type qemu_exec_t;
- ')
-
-- domtrans_pattern($1, qemu_exec_t, qemu_t)
-+ can_exec($1, qemu_exec_t)
- ')
-
- ########################################
-@@ -256,20 +233,63 @@ interface(`qemu_kill',`
-
- ########################################
- ##
--## Execute a domain transition to run qemu unconfined.
-+## Execute qemu_exec_t
-+## in the specified domain but do not
-+## do it automatically. This is an explicit
-+## transition, requiring the caller to use setexeccon().
- ##
-+##
-+##
-+## Execute qemu_exec_t
-+## in the specified domain. This allows
-+## the specified domain to qemu programs
-+## on these filesystems in the specified
-+## domain.
-+##
-+##
- ##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`qemu_spec_domtrans',`
-+ gen_require(`
-+ type qemu_exec_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
-+ domain_transition_pattern($1, qemu_exec_t, $2)
-+ domain_entry_file($2,qemu_exec_t)
-+ can_exec($1,qemu_exec_t)
-+
-+ allow $2 $1:fd use;
-+ allow $2 $1:fifo_file rw_fifo_file_perms;
-+ allow $2 $1:process sigchld;
-+')
-+
-+########################################
- ##
--## Domain allowed to transition.
-+## Execute qemu unconfined programs in the role.
- ##
-+##
-+##
-+## The role to allow the qemu unconfined domain.
-+##
- ##
- #
--interface(`qemu_domtrans_unconfined',`
-+interface(`qemu_unconfined_role',`
- gen_require(`
-- type unconfined_qemu_t, qemu_exec_t;
-+ type unconfined_qemu_t;
-+ type qemu_t;
- ')
--
-- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
-+ role $1 types unconfined_qemu_t;
-+ role $1 types qemu_t;
- ')
-
- ########################################
-@@ -307,3 +327,22 @@ interface(`qemu_manage_tmp_files',`
-
- manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
- ')
-+
-+########################################
-+##
-+## Make qemu_exec_t an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which qemu_exec_t is an entrypoint.
-+##
-+##
-+#
-+interface(`qemu_entry_type',`
-+ gen_require(`
-+ type qemu_exec_t;
-+ ')
-+
-+ domain_entry_file($1, qemu_exec_t)
-+')
-diff --git a/qemu.te b/qemu.te
-index 9681d82..695c857 100644
---- a/qemu.te
-+++ b/qemu.te
-@@ -40,9 +40,7 @@ gen_tunable(qemu_use_nfs, true)
- ##
- gen_tunable(qemu_use_usb, true)
-
--type qemu_exec_t;
- virt_domain_template(qemu)
--application_domain(qemu_t, qemu_exec_t)
- role system_r types qemu_t;
-
- ########################################
-@@ -50,13 +48,12 @@ role system_r types qemu_t;
- # qemu local policy
- #
-
--can_exec(qemu_t, qemu_exec_t)
--
- storage_raw_write_removable_device(qemu_t)
- storage_raw_read_removable_device(qemu_t)
-
- userdom_search_user_home_content(qemu_t)
- userdom_read_user_tmpfs_files(qemu_t)
-+userdom_stream_connect(qemu_t)
-
- tunable_policy(`qemu_full_network',`
- allow qemu_t self:udp_socket create_socket_perms;
-@@ -101,6 +98,17 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ tunable_policy(`qemu_use_cifs',`
-+ samba_domtrans_smbd(qemu_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ virt_domtrans_bridgehelper(qemu_t)
-+')
-+
-+optional_policy(`
-+ virt_manage_home_files(qemu_t)
- virt_manage_images(qemu_t)
- virt_append_log(qemu_t)
- ')
-@@ -113,18 +121,3 @@ optional_policy(`
- xserver_read_xdm_pid(qemu_t)
- xserver_stream_connect(qemu_t)
- ')
--
--########################################
--#
--# Unconfined qemu local policy
--#
--
--optional_policy(`
-- type unconfined_qemu_t;
-- typealias unconfined_qemu_t alias qemu_unconfined_t;
-- application_type(unconfined_qemu_t)
-- unconfined_domain(unconfined_qemu_t)
--
-- allow unconfined_qemu_t self:process { execstack execmem };
-- allow unconfined_qemu_t qemu_exec_t:file execmod;
--')
-diff --git a/qmail.fc b/qmail.fc
-index 0055e54..edee505 100644
---- a/qmail.fc
-+++ b/qmail.fc
-@@ -17,6 +17,7 @@
- /var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
-
- /var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
-+/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
-
- /var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
-
-@@ -25,7 +26,7 @@ ifdef(`distro_debian', `
-
- /usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
-
--#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
-+#/usr/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
-
- /usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
- /usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
-diff --git a/qmail.if b/qmail.if
-index a55bf44..05e219e 100644
---- a/qmail.if
-+++ b/qmail.if
-@@ -44,7 +44,6 @@ template(`qmail_child_domain_template',`
-
- fs_getattr_xattr_fs($1_t)
-
-- miscfiles_read_localization($1_t)
- ')
-
- ########################################
-@@ -62,14 +61,13 @@ interface(`qmail_domtrans_inject',`
- type qmail_inject_t, qmail_inject_exec_t;
- ')
-
-+ corecmd_search_bin($1)
- domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
-
- ifdef(`distro_debian',`
- files_search_usr($1)
-- corecmd_search_bin($1)
- ',`
- files_search_var($1)
-- corecmd_search_bin($1)
- ')
- ')
-
-@@ -88,14 +86,13 @@ interface(`qmail_domtrans_queue',`
- type qmail_queue_t, qmail_queue_exec_t;
- ')
-
-+ corecmd_search_bin($1)
- domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
-
- ifdef(`distro_debian',`
- files_search_usr($1)
-- corecmd_search_bin($1)
- ',`
- files_search_var($1)
-- corecmd_search_bin($1)
- ')
- ')
-
-@@ -149,3 +146,59 @@ interface(`qmail_smtpd_service_domain',`
-
- domtrans_pattern(qmail_smtpd_t, $2, $1)
- ')
-+
-+########################################
-+##
-+## Create, read, write, and delete qmail
-+## spool directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`qmail_manage_spool_dirs',`
-+ gen_require(`
-+ type qmail_spool_t;
-+ ')
-+
-+ manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete qmail
-+## spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`qmail_manage_spool_files',`
-+ gen_require(`
-+ type qmail_spool_t;
-+ ')
-+
-+ manage_files_pattern($1, qmail_spool_t, qmail_spool_t)
-+')
-+
-+########################################
-+##
-+## Read and write to qmail spool pipes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`qmail_rw_spool_pipes',`
-+ gen_require(`
-+ type qmail_spool_t;
-+ ')
-+
-+ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
-+')
-diff --git a/qmail.te b/qmail.te
-index 355b2a2..af2850e 100644
---- a/qmail.te
-+++ b/qmail.te
-@@ -47,7 +47,7 @@ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
- qmail_child_domain_template(qmail_splogger, qmail_start_t)
-
- type qmail_spool_t;
--files_type(qmail_spool_t)
-+files_spool_file(qmail_spool_t)
-
- type qmail_start_t;
- type qmail_start_exec_t;
-@@ -60,7 +60,7 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
- ########################################
- #
- # qmail-clean local policy
--# this component cleans up the queue directory
-+# this component cleans up the queue directory
- #
-
- read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
-@@ -69,11 +69,11 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
- ########################################
- #
- # qmail-inject local policy
--# this component preprocesses mail from stdin and invokes qmail-queue
-+# this component preprocesses mail from stdin and invokes qmail-queue
- #
-
--allow qmail_inject_t self:fifo_file write_fifo_file_perms;
- allow qmail_inject_t self:process signal_perms;
-+allow qmail_inject_t self:fifo_file write_fifo_file_perms;
-
- allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
-
-@@ -81,18 +81,17 @@ corecmd_search_bin(qmail_inject_t)
-
- files_search_var(qmail_inject_t)
-
--miscfiles_read_localization(qmail_inject_t)
-
- qmail_read_config(qmail_inject_t)
-
- ########################################
- #
- # qmail-local local policy
--# this component delivers a mail message
-+# this component delivers a mail message
- #
-
--allow qmail_local_t self:fifo_file write_file_perms;
- allow qmail_local_t self:process signal_perms;
-+allow qmail_local_t self:fifo_file write_file_perms;
- allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
-
- manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
-@@ -109,7 +108,6 @@ kernel_read_system_state(qmail_local_t)
- corecmd_exec_bin(qmail_local_t)
- corecmd_exec_shell(qmail_local_t)
-
--files_read_etc_files(qmail_local_t)
- files_read_etc_runtime_files(qmail_local_t)
-
- auth_use_nsswitch(qmail_local_t)
-@@ -121,13 +119,17 @@ mta_append_spool(qmail_local_t)
- qmail_domtrans_queue(qmail_local_t)
-
- optional_policy(`
-+ uucp_domtrans(qmail_local_t)
-+')
-+
-+optional_policy(`
- spamassassin_domtrans_client(qmail_local_t)
- ')
-
- ########################################
- #
- # qmail-lspawn local policy
--# this component schedules local deliveries
-+# this component schedules local deliveries
- #
-
- allow qmail_lspawn_t self:capability { setuid setgid };
-@@ -143,22 +145,21 @@ read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
-
- corecmd_search_bin(qmail_lspawn_t)
-
--files_read_etc_files(qmail_lspawn_t)
- files_search_pids(qmail_lspawn_t)
- files_search_tmp(qmail_lspawn_t)
-
- ########################################
- #
- # qmail-queue local policy
--# this component places a mail in a delivery queue, later to be processed by qmail-send
-+# this component places a mail in a delivery queue, later to be processed by qmail-send
- #
-
- allow qmail_queue_t qmail_lspawn_t:fd use;
- allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
-
-+allow qmail_queue_t qmail_smtpd_t:process sigchld;
- allow qmail_queue_t qmail_smtpd_t:fd use;
- allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
--allow qmail_queue_t qmail_smtpd_t:process sigchld;
-
- manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
- manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
-@@ -175,7 +176,7 @@ optional_policy(`
- ########################################
- #
- # qmail-remote local policy
--# this component sends mail via SMTP
-+# this component sends mail via SMTP
- #
-
- allow qmail_remote_t self:tcp_socket create_socket_perms;
-@@ -183,7 +184,6 @@ allow qmail_remote_t self:udp_socket create_socket_perms;
-
- rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)
-
--corenet_all_recvfrom_unlabeled(qmail_remote_t)
- corenet_all_recvfrom_netlabel(qmail_remote_t)
- corenet_tcp_sendrecv_generic_if(qmail_remote_t)
- corenet_udp_sendrecv_generic_if(qmail_remote_t)
-@@ -202,7 +202,7 @@ sysnet_read_config(qmail_remote_t)
- ########################################
- #
- # qmail-rspawn local policy
--# this component scedules remote deliveries
-+# this component scedules remote deliveries
- #
-
- allow qmail_rspawn_t self:process signal_perms;
-@@ -217,7 +217,7 @@ corecmd_search_bin(qmail_rspawn_t)
- ########################################
- #
- # qmail-send local policy
--# this component delivers mail messages from the queue
-+# this component delivers mail messages from the queue
- #
-
- allow qmail_send_t self:process signal_perms;
-@@ -236,7 +236,7 @@ optional_policy(`
- ########################################
- #
- # qmail-smtpd local policy
--# this component receives mails via SMTP
-+# this component receives mails via SMTP
- #
-
- allow qmail_smtpd_t self:process signal_perms;
-@@ -265,27 +265,25 @@ optional_policy(`
- ########################################
- #
- # splogger local policy
--# this component creates entries in syslog
-+# this component creates entries in syslog
- #
-
- allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
-
--files_read_etc_files(qmail_splogger_t)
-
- init_dontaudit_use_script_fds(qmail_splogger_t)
-
--miscfiles_read_localization(qmail_splogger_t)
-
- ########################################
- #
- # qmail-start local policy
--# this component starts up the mail delivery component
-+# this component starts up the mail delivery component
- #
-
- allow qmail_start_t self:capability { setgid setuid };
- dontaudit qmail_start_t self:capability sys_tty_config;
--allow qmail_start_t self:fifo_file rw_fifo_file_perms;
- allow qmail_start_t self:process signal_perms;
-+allow qmail_start_t self:fifo_file rw_fifo_file_perms;
-
- can_exec(qmail_start_t, qmail_start_exec_t)
-
-@@ -303,7 +301,7 @@ optional_policy(`
- ########################################
- #
- # tcp-env local policy
--# this component sets up TCP-related environment variables
-+# this component sets up TCP-related environment variables
- #
-
- allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
-diff --git a/qpid.fc b/qpid.fc
-index 4f94229..f3b89e4 100644
---- a/qpid.fc
-+++ b/qpid.fc
-@@ -1,6 +1,7 @@
--/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
-
--/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
-+/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
-+
-+/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
-
- /var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
-
-diff --git a/qpid.if b/qpid.if
-index 5a9630c..bedca3a 100644
---- a/qpid.if
-+++ b/qpid.if
-@@ -1,4 +1,4 @@
--## Apache QPID AMQP messaging server.
-+## policy for qpidd
-
- ########################################
- ##
-@@ -18,9 +18,9 @@ interface(`qpidd_domtrans',`
- domtrans_pattern($1, qpidd_exec_t, qpidd_t)
- ')
-
--#####################################
-+########################################
- ##
--## Allow read and write access to qpidd semaphores.
-+## Execute qpidd server in the qpidd domain.
- ##
- ##
- ##
-@@ -28,17 +28,17 @@ interface(`qpidd_domtrans',`
- ##
- ##
- #
--interface(`qpidd_rw_semaphores',`
-+interface(`qpidd_initrc_domtrans',`
- gen_require(`
-- type qpidd_t;
-+ type qpidd_initrc_exec_t;
- ')
-
-- allow $1 qpidd_t:sem rw_sem_perms;
-+ init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
- ')
-
- ########################################
- ##
--## Read and write to qpidd shared memory.
-+## Read qpidd PID files.
- ##
- ##
- ##
-@@ -46,17 +46,18 @@ interface(`qpidd_rw_semaphores',`
- ##
- ##
- #
--interface(`qpidd_rw_shm',`
-+interface(`qpidd_read_pid_files',`
- gen_require(`
-- type qpidd_t;
-+ type qpidd_var_run_t;
- ')
-
-- allow $1 qpidd_t:shm rw_shm_perms;
-+ files_search_pids($1)
-+ allow $1 qpidd_var_run_t:file read_file_perms;
- ')
-
- ########################################
- ##
--## Execute qpidd server in the qpidd domain.
-+## Manage qpidd var_run files.
- ##
- ##
- ##
-@@ -64,17 +65,20 @@ interface(`qpidd_rw_shm',`
- ##
- ##
- #
--interface(`qpidd_initrc_domtrans',`
-+interface(`qpidd_manage_var_run',`
- gen_require(`
-- type qpidd_initrc_exec_t;
-+ type qpidd_var_run_t;
- ')
-
-- init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
-+ files_search_pids($1)
-+ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
-+ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
-+ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
- ')
-
- ########################################
- ##
--## Read qpidd PID files.
-+## Search qpidd lib directories.
- ##
- ##
- ##
-@@ -82,18 +86,18 @@ interface(`qpidd_initrc_domtrans',`
- ##
- ##
- #
--interface(`qpidd_read_pid_files',`
-+interface(`qpidd_search_lib',`
- gen_require(`
-- type qpidd_var_run_t;
-+ type qpidd_var_lib_t;
- ')
-
-- files_search_pids($1)
-- allow $1 qpidd_var_run_t:file read_file_perms;
-+ allow $1 qpidd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
- ')
-
- ########################################
- ##
--## Search qpidd lib directories.
-+## Read qpidd lib files.
- ##
- ##
- ##
-@@ -101,18 +105,19 @@ interface(`qpidd_read_pid_files',`
- ##
- ##
- #
--interface(`qpidd_search_lib',`
-+interface(`qpidd_read_lib_files',`
- gen_require(`
- type qpidd_var_lib_t;
- ')
-
-- allow $1 qpidd_var_lib_t:dir search_dir_perms;
- files_search_var_lib($1)
-+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
- ')
-
- ########################################
- ##
--## Read qpidd lib files.
-+## Create, read, write, and delete
-+## qpidd lib files.
- ##
- ##
- ##
-@@ -120,19 +125,18 @@ interface(`qpidd_search_lib',`
- ##
- ##
- #
--interface(`qpidd_read_lib_files',`
-+interface(`qpidd_manage_lib_files',`
- gen_require(`
- type qpidd_var_lib_t;
- ')
-
- files_search_var_lib($1)
-- read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
-+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## qpidd lib files.
-+## Manage qpidd var_lib files.
- ##
- ##
- ##
-@@ -140,13 +144,15 @@ interface(`qpidd_read_lib_files',`
- ##
- ##
- #
--interface(`qpidd_manage_lib_files',`
-+interface(`qpidd_manage_var_lib',`
- gen_require(`
- type qpidd_var_lib_t;
- ')
-
- files_search_var_lib($1)
-+ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
- manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
-+ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
- ')
-
- ########################################
-@@ -171,8 +177,11 @@ interface(`qpidd_admin',`
- type qpidd_t, qpidd_initrc_exec_t;
- ')
-
-- allow $1 qpidd_t:process { ptrace signal_perms };
-+ allow $1 qpidd_t:process signal_perms;
- ps_process_pattern($1, qpidd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 qpidd_t:process ptrace;
-+ ')
-
- # Allow qpidd_t to restart the apache service
- qpidd_initrc_domtrans($1)
-@@ -180,7 +189,46 @@ interface(`qpidd_admin',`
- role_transition $2 qpidd_initrc_exec_t system_r;
- allow $2 system_r;
-
-- admin_pattern($1, qpidd_var_lib_t)
-+ qpidd_manage_var_run($1)
-
-- admin_pattern($1, qpidd_var_run_t)
-+ qpidd_manage_var_lib($1)
-+')
-+
-+#####################################
-+##
-+## Allow read and write access to qpidd semaphores.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`qpidd_rw_semaphores',`
-+ gen_require(`
-+ type qpidd_t;
-+ ')
-+
-+ allow $1 qpidd_t:sem rw_sem_perms;
-+')
-+
-+#######################################
-+##
-+## Read and write to qpidd shared memory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`qpidd_rw_shm',`
-+ gen_require(`
-+ type qpidd_t;
-+ type qpidd_tmpfs_t;
-+ ')
-+
-+ allow $1 qpidd_t:shm rw_shm_perms;
-+ fs_search_tmpfs($1)
-+ manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
- ')
-diff --git a/qpid.te b/qpid.te
-index cb7ecb5..68f26ad 100644
---- a/qpid.te
-+++ b/qpid.te
-@@ -12,12 +12,15 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
- type qpidd_initrc_exec_t;
- init_script_file(qpidd_initrc_exec_t)
-
--type qpidd_var_lib_t;
--files_type(qpidd_var_lib_t)
-+type qpidd_tmpfs_t;
-+files_tmpfs_file(qpidd_tmpfs_t)
-
- type qpidd_var_run_t;
- files_pid_file(qpidd_var_run_t)
-
-+type qpidd_var_lib_t;
-+files_type(qpidd_var_lib_t)
-+
- ########################################
- #
- # qpidd local policy
-@@ -30,34 +33,41 @@ allow qpidd_t self:shm create_shm_perms;
- allow qpidd_t self:tcp_socket create_stream_socket_perms;
- allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
-
--manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
--manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-+manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
-+manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
-+fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
-+
-+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
- files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
-
--manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
--manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
-+manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
-+manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
- files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
-
- kernel_read_system_state(qpidd_t)
-
--corenet_all_recvfrom_unlabeled(qpidd_t)
- corenet_all_recvfrom_netlabel(qpidd_t)
-+corenet_tcp_bind_generic_node(qpidd_t)
- corenet_tcp_sendrecv_generic_if(qpidd_t)
- corenet_tcp_sendrecv_generic_node(qpidd_t)
- corenet_tcp_sendrecv_all_ports(qpidd_t)
--corenet_tcp_bind_generic_node(qpidd_t)
- corenet_tcp_bind_amqp_port(qpidd_t)
-+corenet_tcp_bind_matahari_port(qpidd_t)
-+corenet_tcp_connect_amqp_port(qpidd_t)
-+corenet_tcp_connect_matahari_port(qpidd_t)
-
-+dev_read_sysfs(qpidd_t)
- dev_read_urand(qpidd_t)
-
- files_read_etc_files(qpidd_t)
-+files_read_usr_files(qpidd_t)
-
- logging_send_syslog_msg(qpidd_t)
-
--miscfiles_read_localization(qpidd_t)
--
- sysnet_dns_name_resolve(qpidd_t)
-
- optional_policy(`
- corosync_stream_connect(qpidd_t)
- ')
-+
-diff --git a/quantum.fc b/quantum.fc
-new file mode 100644
-index 0000000..9108437
---- /dev/null
-+++ b/quantum.fc
-@@ -0,0 +1,10 @@
-+/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+
-+/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:quantum_unit_file_t,s0)
-+
-+/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
-+
-+/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0)
-diff --git a/quantum.if b/quantum.if
-new file mode 100644
-index 0000000..010b2be
---- /dev/null
-+++ b/quantum.if
-@@ -0,0 +1,218 @@
-+## Quantum is a virtual network service for Openstack
-+
-+########################################
-+##
-+## Transition to quantum.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`quantum_domtrans',`
-+ gen_require(`
-+ type quantum_t, quantum_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, quantum_exec_t, quantum_t)
-+')
-+
-+########################################
-+##
-+## Read quantum's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`quantum_read_log',`
-+ gen_require(`
-+ type quantum_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, quantum_log_t, quantum_log_t)
-+')
-+
-+########################################
-+##
-+## Append to quantum log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`quantum_append_log',`
-+ gen_require(`
-+ type quantum_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, quantum_log_t, quantum_log_t)
-+')
-+
-+########################################
-+##
-+## Manage quantum log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`quantum_manage_log',`
-+ gen_require(`
-+ type quantum_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, quantum_log_t, quantum_log_t)
-+ manage_files_pattern($1, quantum_log_t, quantum_log_t)
-+ manage_lnk_files_pattern($1, quantum_log_t, quantum_log_t)
-+')
-+
-+########################################
-+##
-+## Search quantum lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`quantum_search_lib',`
-+ gen_require(`
-+ type quantum_var_lib_t;
-+ ')
-+
-+ allow $1 quantum_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read quantum lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`quantum_read_lib_files',`
-+ gen_require(`
-+ type quantum_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage quantum lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`quantum_manage_lib_files',`
-+ gen_require(`
-+ type quantum_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage quantum lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`quantum_manage_lib_dirs',`
-+ gen_require(`
-+ type quantum_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Execute quantum server in the quantum domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`quantum_systemctl',`
-+ gen_require(`
-+ type quantum_t;
-+ type quantum_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 quantum_unit_file_t:file read_file_perms;
-+ allow $1 quantum_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, quantum_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an quantum environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`quantum_admin',`
-+ gen_require(`
-+ type quantum_t;
-+ type quantum_log_t;
-+ type quantum_var_lib_t;
-+ type quantum_unit_file_t;
-+ ')
-+
-+ allow $1 quantum_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, quantum_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, quantum_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, quantum_var_lib_t)
-+
-+ quantum_systemctl($1)
-+ admin_pattern($1, quantum_unit_file_t)
-+ allow $1 quantum_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/quantum.te b/quantum.te
-new file mode 100644
-index 0000000..6e15504
---- /dev/null
-+++ b/quantum.te
-@@ -0,0 +1,80 @@
-+policy_module(quantum, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type quantum_t;
-+type quantum_exec_t;
-+init_daemon_domain(quantum_t, quantum_exec_t)
-+
-+type quantum_log_t;
-+logging_log_file(quantum_log_t)
-+
-+type quantum_tmp_t;
-+files_tmp_file(quantum_tmp_t)
-+
-+type quantum_var_lib_t;
-+files_type(quantum_var_lib_t)
-+
-+type quantum_unit_file_t;
-+systemd_unit_file(quantum_unit_file_t)
-+
-+########################################
-+#
-+# quantum local policy
-+#
-+allow quantum_t self:capability { setuid sys_resource setgid audit_write };
-+allow quantum_t self:process { setsched setrlimit };
-+allow quantum_t self:key manage_key_perms;
-+
-+allow quantum_t self:fifo_file rw_fifo_file_perms;
-+allow quantum_t self:unix_stream_socket create_stream_socket_perms;
-+allow quantum_t self:tcp_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
-+manage_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-+logging_log_filetrans(quantum_t, quantum_log_t, { dir file })
-+
-+manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
-+files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
-+can_exec(quantum_t, quantum_tmp_t)
-+
-+manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-+manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-+files_var_lib_filetrans(quantum_t, quantum_var_lib_t, { dir file })
-+
-+kernel_read_kernel_sysctls(quantum_t)
-+kernel_read_system_state(quantum_t)
-+
-+corecmd_exec_shell(quantum_t)
-+corecmd_exec_bin(quantum_t)
-+
-+corenet_tcp_bind_generic_node(quantum_t)
-+corenet_tcp_bind_quantum_port(quantum_t)
-+corenet_tcp_connect_mysqld_port(quantum_t)
-+
-+dev_read_urand(quantum_t)
-+dev_list_sysfs(quantum_t)
-+
-+domain_use_interactive_fds(quantum_t)
-+
-+files_read_usr_files(quantum_t)
-+
-+auth_use_nsswitch(quantum_t)
-+
-+libs_exec_ldconfig(quantum_t)
-+
-+logging_send_audit_msgs(quantum_t)
-+logging_send_syslog_msg(quantum_t)
-+
-+sysnet_domtrans_ifconfig(quantum_t)
-+
-+optional_policy(`
-+ brctl_domtrans(quantum_t)
-+')
-+
-+optional_policy(`
-+ sudo_exec(quantum_t)
-+')
-diff --git a/quota.fc b/quota.fc
-index f387230..0ee2489 100644
---- a/quota.fc
-+++ b/quota.fc
-@@ -1,4 +1,5 @@
- HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-+HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-
- /a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-
-@@ -8,12 +9,21 @@ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-
- /sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
-
-+/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
-+
- /var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
- /var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
--/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-+/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-
- ifdef(`distro_redhat',`
- /usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
- ',`
- /sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
- ')
-+
-+/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
-+
-+/var/lib/stickshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-+/var/lib/openshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-+
-+/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
-diff --git a/quota.if b/quota.if
-index bf75d99..3fb8575 100644
---- a/quota.if
-+++ b/quota.if
-@@ -45,6 +45,24 @@ interface(`quota_run',`
- role $2 types quota_t;
- ')
-
-+#######################################
-+##
-+## Alow to read of filesystem quota data files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`quota_read_db',`
-+ gen_require(`
-+ type quota_db_t;
-+ ')
-+
-+ allow $1 quota_db_t:file read_file_perms;
-+')
-+
- ########################################
- ##
- ## Do not audit attempts to get the attributes
-@@ -67,6 +85,25 @@ interface(`quota_dontaudit_getattr_db',`
- ########################################
- ##
- ## Create, read, write, and delete quota
-+## db files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`quota_manage_db',`
-+ gen_require(`
-+ type quota_db_t;
-+ ')
-+
-+ allow $1 quota_db_t:file manage_file_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete quota
- ## flag files.
- ##
- ##
-@@ -83,3 +120,59 @@ interface(`quota_manage_flags',`
- files_search_var_lib($1)
- manage_files_pattern($1, quota_flag_t, quota_flag_t)
- ')
-+
-+########################################
-+##
-+## Transition to quota named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`quota_filetrans_named_content',`
-+ gen_require(`
-+ type quota_db_t;
-+ ')
-+
-+ files_root_filetrans($1, quota_db_t, file, "aquota.user")
-+ files_root_filetrans($1, quota_db_t, file, "aquota.group")
-+ files_boot_filetrans($1, quota_db_t, file, "aquota.user")
-+ files_boot_filetrans($1, quota_db_t, file, "aquota.group")
-+ files_etc_filetrans($1, quota_db_t, file, "aquota.user")
-+ files_etc_filetrans($1, quota_db_t, file, "aquota.group")
-+ files_tmp_filetrans($1, quota_db_t, file, "aquota.user")
-+ files_tmp_filetrans($1, quota_db_t, file, "aquota.group")
-+ files_home_filetrans($1, quota_db_t, file, "aquota.user")
-+ files_home_filetrans($1, quota_db_t, file, "aquota.group")
-+ files_usr_filetrans($1, quota_db_t, file, "aquota.user")
-+ files_usr_filetrans($1, quota_db_t, file, "aquota.group")
-+ files_var_filetrans($1, quota_db_t, file, "aquota.user")
-+ files_var_filetrans($1, quota_db_t, file, "aquota.group")
-+ files_spool_filetrans($1, quota_db_t, file, "aquota.user")
-+ files_spool_filetrans($1, quota_db_t, file, "aquota.group")
-+ mta_spool_filetrans($1, quota_db_t, file, "aquota.user")
-+ mta_spool_filetrans($1, quota_db_t, file, "aquota.group")
-+ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user")
-+ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group")
-+')
-+
-+#######################################
-+##
-+## Transition to quota_nld.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`quota_domtrans_nld',`
-+ gen_require(`
-+ type quota_nld_t, quota_nld_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
-+')
-diff --git a/quota.te b/quota.te
-index 5dd42f5..0df6e21 100644
---- a/quota.te
-+++ b/quota.te
-@@ -7,7 +7,8 @@ policy_module(quota, 1.5.0)
-
- type quota_t;
- type quota_exec_t;
--init_system_domain(quota_t, quota_exec_t)
-+application_domain(quota_t, quota_exec_t)
-+#init_system_domain(quota_t, quota_exec_t)
-
- type quota_db_t;
- files_type(quota_db_t)
-@@ -15,6 +16,13 @@ files_type(quota_db_t)
- type quota_flag_t;
- files_type(quota_flag_t)
-
-+type quota_nld_t;
-+type quota_nld_exec_t;
-+init_daemon_domain(quota_nld_t, quota_nld_exec_t)
-+
-+type quota_nld_var_run_t;
-+files_pid_file(quota_nld_var_run_t)
-+
- ########################################
- #
- # Local policy
-@@ -34,6 +42,17 @@ files_home_filetrans(quota_t, quota_db_t, file)
- files_usr_filetrans(quota_t, quota_db_t, file)
- files_var_filetrans(quota_t, quota_db_t, file)
- files_spool_filetrans(quota_t, quota_db_t, file)
-+userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
-+
-+optional_policy(`
-+ mta_spool_filetrans(quota_t, quota_db_t, file)
-+ mta_spool_filetrans(quota_t, quota_db_t, file)
-+ mta_spool_filetrans_queue(quota_t, quota_db_t, file)
-+')
-+
-+optional_policy(`
-+ openshift_lib_filetrans(quota_t, quota_db_t, file)
-+')
-
- kernel_list_proc(quota_t)
- kernel_read_proc_symlinks(quota_t)
-@@ -72,7 +91,7 @@ init_use_script_ptys(quota_t)
-
- logging_send_syslog_msg(quota_t)
-
--userdom_use_user_terminals(quota_t)
-+userdom_use_inherited_user_terminals(quota_t)
- userdom_dontaudit_use_unpriv_user_fds(quota_t)
-
- optional_policy(`
-@@ -82,3 +101,30 @@ optional_policy(`
- optional_policy(`
- udev_read_db(quota_t)
- ')
-+
-+#######################################
-+#
-+# Local policy
-+#
-+
-+allow quota_nld_t self:fifo_file rw_fifo_file_perms;
-+allow quota_nld_t self:netlink_socket create_socket_perms;
-+allow quota_nld_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
-+files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
-+
-+kernel_read_network_state(quota_nld_t)
-+
-+auth_use_nsswitch(quota_nld_t)
-+
-+init_read_utmp(quota_nld_t)
-+
-+logging_send_syslog_msg(quota_nld_t)
-+
-+userdom_use_user_terminals(quota_nld_t)
-+
-+optional_policy(`
-+ dbus_system_bus_client(quota_nld_t)
-+ dbus_connect_system_bus(quota_nld_t)
-+')
-diff --git a/rabbitmq.fc b/rabbitmq.fc
-new file mode 100644
-index 0000000..594c110
---- /dev/null
-+++ b/rabbitmq.fc
-@@ -0,0 +1,7 @@
-+
-+/usr/lib64/erlang/erts-5.8.5/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
-+/usr/lib64/erlang/erts-5.8.5/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
-+
-+/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
-+
-+/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
-diff --git a/rabbitmq.if b/rabbitmq.if
-new file mode 100644
-index 0000000..491bd1f
---- /dev/null
-+++ b/rabbitmq.if
-@@ -0,0 +1,21 @@
-+
-+## policy for rabbitmq
-+
-+########################################
-+##
-+## Transition to rabbitmq.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`rabbitmq_domtrans',`
-+ gen_require(`
-+ type rabbitmq_t, rabbitmq_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
-+')
-diff --git a/rabbitmq.te b/rabbitmq.te
-new file mode 100644
-index 0000000..4cb2ad8
---- /dev/null
-+++ b/rabbitmq.te
-@@ -0,0 +1,82 @@
-+policy_module(rabbitmq, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type rabbitmq_epmd_t;
-+type rabbitmq_epmd_exec_t;
-+init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t)
-+
-+type rabbitmq_beam_t;
-+type rabbitmq_beam_exec_t;
-+init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t)
-+
-+type rabbitmq_var_lib_t;
-+files_type(rabbitmq_var_lib_t)
-+
-+type rabbitmq_var_log_t;
-+logging_log_file(rabbitmq_var_log_t)
-+
-+######################################
-+#
-+# beam local policy
-+#
-+
-+allow rabbitmq_beam_t self:process { setsched signal signull };
-+
-+allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
-+allow rabbitmq_beam_t self:tcp_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
-+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
-+
-+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-+
-+can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
-+
-+kernel_read_system_state(rabbitmq_beam_t)
-+
-+corecmd_exec_bin(rabbitmq_beam_t)
-+corecmd_exec_shell(rabbitmq_beam_t)
-+
-+corenet_tcp_bind_generic_node(rabbitmq_beam_t)
-+corenet_udp_bind_generic_node(rabbitmq_beam_t)
-+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
-+corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-+corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
-+
-+dev_read_sysfs(rabbitmq_beam_t)
-+
-+files_read_etc_files(rabbitmq_beam_t)
-+
-+
-+optional_policy(`
-+ sysnet_dns_name_resolve(rabbitmq_beam_t)
-+')
-+
-+########################################
-+#
-+# epmd local policy
-+#
-+
-+domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-+
-+allow rabbitmq_epmd_t self:process signal;
-+
-+allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
-+allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-+allow rabbitmq_epmd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+# should be append
-+allow rabbitmq_epmd_t rabbitmq_var_log_t:file write_file_perms;
-+
-+corenet_tcp_bind_generic_node(rabbitmq_epmd_t)
-+corenet_udp_bind_generic_node(rabbitmq_epmd_t)
-+corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
-+
-+files_read_etc_files(rabbitmq_epmd_t)
-+
-+logging_send_syslog_msg(rabbitmq_epmd_t)
-diff --git a/radius.fc b/radius.fc
-index 09f7b50..61c6d34 100644
---- a/radius.fc
-+++ b/radius.fc
-@@ -9,6 +9,8 @@
- /usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
- /usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
-
-+/usr/lib/systemd/system/radiusd.* -- gen_context(system_u:object_r:radiusd_unit_file_t,s0)
-+
- /var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
-
- /var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
-@@ -16,7 +18,7 @@
- /var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
- /var/log/radius\.log.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
- /var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
--/var/log/radutmp -- gen_context(system_u:object_r:radiusd_log_t,s0)
-+/var/log/radutmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
- /var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
-
- /var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0)
-diff --git a/radius.if b/radius.if
-index 75e5dc4..a366f85 100644
---- a/radius.if
-+++ b/radius.if
-@@ -14,6 +14,29 @@ interface(`radius_use',`
- refpolicywarn(`$0($*) has been deprecated.')
- ')
-
-+#######################################
-+##
-+## Execute radiusd server in the radiusd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`radiusd_systemctl',`
-+ gen_require(`
-+ type radiusd_unit_file_t;
-+ type radiusd_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 radiusd_unit_file_t:file read_file_perms;
-+ allow $1 radiusd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, radiusd_t)
-+')
-+
- ########################################
- ##
- ## All of the rules required to administrate
-@@ -35,11 +58,14 @@ interface(`radius_admin',`
- gen_require(`
- type radiusd_t, radiusd_etc_t, radiusd_log_t;
- type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
-- type radiusd_initrc_exec_t;
-+ type radiusd_initrc_exec_t, radiusd_unit_file_t;
- ')
-
-- allow $1 radiusd_t:process { ptrace signal_perms };
-+ allow $1 radiusd_t:process signal_perms;
- ps_process_pattern($1, radiusd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 radiusd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -59,4 +85,9 @@ interface(`radius_admin',`
-
- files_list_pids($1)
- admin_pattern($1, radiusd_var_run_t)
-+
-+ admin_pattern($1, radiusd_unit_file_t)
-+ bind_systemctl($1)
-+ allow $1 radiusd_unit_file_t:service all_service_perms;
-+
- ')
-diff --git a/radius.te b/radius.te
-index b1ed1bf..8b3f408 100644
---- a/radius.te
-+++ b/radius.te
-@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
- type radiusd_var_run_t;
- files_pid_file(radiusd_var_run_t)
-
-+type radiusd_unit_file_t;
-+systemd_unit_file(radiusd_unit_file_t)
-+
- ########################################
- #
- # Local policy
-@@ -62,11 +65,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
- manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
- manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
- files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
-+files_dontaudit_list_tmp(radiusd_t)
-
- kernel_read_kernel_sysctls(radiusd_t)
- kernel_read_system_state(radiusd_t)
-
--corenet_all_recvfrom_unlabeled(radiusd_t)
- corenet_all_recvfrom_netlabel(radiusd_t)
- corenet_tcp_sendrecv_generic_if(radiusd_t)
- corenet_udp_sendrecv_generic_if(radiusd_t)
-@@ -77,6 +80,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t)
- corenet_udp_bind_generic_node(radiusd_t)
- corenet_udp_bind_radacct_port(radiusd_t)
- corenet_udp_bind_radius_port(radiusd_t)
-+corenet_tcp_connect_postgresql_port(radiusd_t)
- corenet_tcp_connect_mysqld_port(radiusd_t)
- corenet_tcp_connect_snmp_port(radiusd_t)
- corenet_sendrecv_radius_server_packets(radiusd_t)
-@@ -99,7 +103,6 @@ corecmd_exec_shell(radiusd_t)
- domain_use_interactive_fds(radiusd_t)
-
- files_read_usr_files(radiusd_t)
--files_read_etc_files(radiusd_t)
- files_read_etc_runtime_files(radiusd_t)
-
- auth_use_nsswitch(radiusd_t)
-@@ -110,9 +113,10 @@ libs_exec_lib_files(radiusd_t)
-
- logging_send_syslog_msg(radiusd_t)
-
--miscfiles_read_localization(radiusd_t)
- miscfiles_read_generic_certs(radiusd_t)
-
-+sysnet_use_ldap(radiusd_t)
-+
- userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
- userdom_dontaudit_search_user_home_dirs(radiusd_t)
-
-diff --git a/radvd.if b/radvd.if
-index be05bff..924fc0c 100644
---- a/radvd.if
-+++ b/radvd.if
-@@ -1,5 +1,24 @@
- ## IPv6 router advertisement daemon
-
-+######################################
-+##
-+## Read radvd PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`radvd_read_pid_files',`
-+ gen_require(`
-+ type radvd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, radvd_var_run_t, radvd_var_run_t)
-+')
-+
- ########################################
- ##
- ## All of the rules required to administrate
-@@ -19,12 +38,15 @@
- #
- interface(`radvd_admin',`
- gen_require(`
-- type radvd_t, radvd_etc_t;
-- type radvd_var_run_t, radvd_initrc_exec_t;
-+ type radvd_t, radvd_etc_t, radvd_initrc_exec_t;
-+ type radvd_var_run_t;
- ')
-
-- allow $1 radvd_t:process { ptrace signal_perms };
-+ allow $1 radvd_t:process signal_perms;
- ps_process_pattern($1, radvd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 radvd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, radvd_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/radvd.te b/radvd.te
-index f9a2162..903be76 100644
---- a/radvd.te
-+++ b/radvd.te
-@@ -43,7 +43,6 @@ kernel_read_network_state(radvd_t)
- kernel_read_system_state(radvd_t)
- kernel_request_load_module(radvd_t)
-
--corenet_all_recvfrom_unlabeled(radvd_t)
- corenet_all_recvfrom_netlabel(radvd_t)
- corenet_tcp_sendrecv_generic_if(radvd_t)
- corenet_udp_sendrecv_generic_if(radvd_t)
-@@ -61,15 +60,12 @@ fs_search_auto_mountpoints(radvd_t)
-
- domain_use_interactive_fds(radvd_t)
-
--files_read_etc_files(radvd_t)
- files_list_usr(radvd_t)
-
- auth_use_nsswitch(radvd_t)
-
- logging_send_syslog_msg(radvd_t)
-
--miscfiles_read_localization(radvd_t)
--
- userdom_dontaudit_use_unpriv_user_fds(radvd_t)
- userdom_dontaudit_search_user_home_dirs(radvd_t)
-
-diff --git a/raid.fc b/raid.fc
-index ed9c70d..c298507 100644
---- a/raid.fc
-+++ b/raid.fc
-@@ -1,6 +1,14 @@
--/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
-+/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
-+/dev/md/.* -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
-
- /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
- /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-
-+/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-+/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-+/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-+/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-+/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-+/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-+
- /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
-diff --git a/raid.if b/raid.if
-index b1a85b5..db0d815 100644
---- a/raid.if
-+++ b/raid.if
-@@ -47,6 +47,24 @@ interface(`raid_run_mdadm',`
-
- ########################################
- ##
-+## read the mdadm pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`raid_read_mdadm_pid',`
-+ gen_require(`
-+ type mdadm_var_run_t;
-+ ')
-+
-+ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
-+')
-+
-+########################################
-+##
- ## Create, read, write, and delete the mdadm pid files.
- ##
- ##
-diff --git a/raid.te b/raid.te
-index a8a12b7..a6cbba3 100644
---- a/raid.te
-+++ b/raid.te
-@@ -10,11 +10,9 @@ type mdadm_exec_t;
- init_daemon_domain(mdadm_t, mdadm_exec_t)
- role system_r types mdadm_t;
-
--type mdadm_map_t;
--files_type(mdadm_map_t)
--
--type mdadm_var_run_t;
-+type mdadm_var_run_t alias mdadm_map_t;
- files_pid_file(mdadm_var_run_t)
-+dev_associate(mdadm_var_run_t)
-
- ########################################
- #
-@@ -23,18 +21,20 @@ files_pid_file(mdadm_var_run_t)
-
- allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
- dontaudit mdadm_t self:capability sys_tty_config;
--allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
-+allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
- allow mdadm_t self:fifo_file rw_fifo_file_perms;
-+allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
-
--# create .mdadm files in /dev
--allow mdadm_t mdadm_map_t:file manage_file_perms;
--dev_filetrans(mdadm_t, mdadm_map_t, file)
--
-+manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
- manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
--files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
-+manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-+manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-+files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
-+dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
-
- kernel_read_system_state(mdadm_t)
- kernel_read_kernel_sysctls(mdadm_t)
-+kernel_request_load_module(mdadm_t)
- kernel_rw_software_raid_state(mdadm_t)
- kernel_getattr_core_if(mdadm_t)
-
-@@ -52,15 +52,18 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
- dev_read_realtime_clock(mdadm_t)
- # unfortunately needed for DMI decoding:
- dev_read_raw_memory(mdadm_t)
-+dev_read_generic_files(mdadm_t)
-
-+domain_read_all_domains_state(mdadm_t)
- domain_use_interactive_fds(mdadm_t)
-
--files_read_etc_files(mdadm_t)
- files_read_etc_runtime_files(mdadm_t)
--files_dontaudit_getattr_all_files(mdadm_t)
-+files_dontaudit_getattr_tmpfs_files(mdadm_t)
-
--fs_search_auto_mountpoints(mdadm_t)
-+fs_list_hugetlbfs(mdadm_t)
-+fs_list_auto_mountpoints(mdadm_t)
- fs_dontaudit_list_tmpfs(mdadm_t)
-+fs_manage_cgroup_files(mdadm_t)
-
- mls_file_read_all_levels(mdadm_t)
- mls_file_write_all_levels(mdadm_t)
-@@ -69,16 +72,17 @@ mls_file_write_all_levels(mdadm_t)
- storage_manage_fixed_disk(mdadm_t)
- storage_dev_filetrans_fixed_disk(mdadm_t)
- storage_read_scsi_generic(mdadm_t)
-+storage_write_scsi_generic(mdadm_t)
-
- term_dontaudit_list_ptys(mdadm_t)
- term_dontaudit_use_unallocated_ttys(mdadm_t)
-
-+auth_use_nsswitch(mdadm_t)
-+
- init_dontaudit_getattr_initctl(mdadm_t)
-
- logging_send_syslog_msg(mdadm_t)
-
--miscfiles_read_localization(mdadm_t)
--
- userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
- userdom_dontaudit_search_user_home_content(mdadm_t)
- userdom_dontaudit_use_user_terminals(mdadm_t)
-@@ -86,6 +90,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
- mta_send_mail(mdadm_t)
-
- optional_policy(`
-+ cron_system_entry(mdadm_t, mdadm_exec_t)
-+')
-+
-+optional_policy(`
- gpm_dontaudit_getattr_gpmctl(mdadm_t)
- ')
-
-diff --git a/razor.fc b/razor.fc
-index 1efba0c..6e26673 100644
---- a/razor.fc
-+++ b/razor.fc
-@@ -1,8 +1,9 @@
--HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
-+#/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
-+#HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
-
--/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-+#/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-
--/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
-+#/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
-
--/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
--/var/log/razor-agent\.log -- gen_context(system_u:object_r:razor_log_t,s0)
-+#/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
-+#/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0)
-diff --git a/razor.if b/razor.if
-index f04a595..fee3b7c 100644
---- a/razor.if
-+++ b/razor.if
-@@ -26,6 +26,7 @@ template(`razor_common_domain_template',`
- gen_require(`
- type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
- ')
-+
- type $1_t;
- domain_type($1_t)
- domain_entry_file($1_t, razor_exec_t)
-@@ -46,7 +47,7 @@ template(`razor_common_domain_template',`
- # Read system config file
- allow $1_t razor_etc_t:dir list_dir_perms;
- allow $1_t razor_etc_t:file read_file_perms;
-- allow $1_t razor_etc_t:lnk_file { getattr read };
-+ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
-
- manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
- manage_files_pattern($1_t, razor_log_t, razor_log_t)
-@@ -93,7 +94,6 @@ template(`razor_common_domain_template',`
-
- libs_read_lib_files($1_t)
-
-- miscfiles_read_localization($1_t)
-
- sysnet_read_config($1_t)
- sysnet_dns_name_resolve($1_t)
-@@ -117,6 +117,7 @@ template(`razor_common_domain_template',`
- ## User domain for the role
- ##
- ##
-+##
- #
- interface(`razor_role',`
- gen_require(`
-@@ -130,7 +131,10 @@ interface(`razor_role',`
-
- # allow ps to show razor and allow the user to kill it
- ps_process_pattern($2, razor_t)
-- allow $2 razor_t:process signal;
-+ allow $2 razor_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 razor_t:process ptrace;
-+ ')
-
- manage_dirs_pattern($2, razor_home_t, razor_home_t)
- manage_files_pattern($2, razor_home_t, razor_home_t)
-@@ -157,3 +161,43 @@ interface(`razor_domtrans',`
-
- domtrans_pattern($1, razor_exec_t, razor_t)
- ')
-+
-+########################################
-+##
-+## Create, read, write, and delete razor files
-+## in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`razor_manage_user_home_files',`
-+ gen_require(`
-+ type razor_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, razor_home_t, razor_home_t)
-+ read_lnk_files_pattern($1, razor_home_t, razor_home_t)
-+')
-+
-+########################################
-+##
-+## read razor lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`razor_read_lib_files',`
-+ gen_require(`
-+ type razor_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
-+')
-diff --git a/razor.te b/razor.te
-index 9353d5e..4e15f29 100644
---- a/razor.te
-+++ b/razor.te
-@@ -5,117 +5,124 @@ policy_module(razor, 2.3.0)
- # Declarations
- #
-
--type razor_exec_t;
--corecmd_executable_file(razor_exec_t)
-+ifdef(`distro_redhat',`
-+ gen_require(`
-+ type spamc_t, spamc_exec_t, spamd_log_t;
-+ type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
-+ type spamc_home_t, spamc_tmp_t;
-+ ')
-+
-+ typealias spamc_t alias razor_t;
-+ typealias spamc_exec_t alias razor_exec_t;
-+ typealias spamd_log_t alias razor_log_t;
-+ typealias spamd_var_lib_t alias razor_var_lib_t;
-+ typealias spamd_etc_t alias razor_etc_t;
-+ typealias spamc_home_t alias razor_home_t;
-+ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
-+ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-+ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-+ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-+',`
-+ type razor_exec_t;
-+ corecmd_executable_file(razor_exec_t)
-+
-+ type razor_etc_t;
-+ files_config_file(razor_etc_t)
-+
-+ type razor_home_t;
-+ typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
-+ typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-+ userdom_user_home_content(razor_home_t)
-+
-+ type razor_log_t;
-+ logging_log_file(razor_log_t)
-+
-+ type razor_tmp_t;
-+ typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-+ typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-+ files_tmp_file(razor_tmp_t)
-+ ubac_constrained(razor_tmp_t)
-+
-+ type razor_var_lib_t;
-+ files_type(razor_var_lib_t)
-+
-+ # these are here due to ordering issues:
-+ razor_common_domain_template(razor)
-+ typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
-+ typealias razor_t alias { auditadm_razor_t secadm_razor_t };
-+ ubac_constrained(razor_t)
-+
-+ razor_common_domain_template(system_razor)
-+ role system_r types system_razor_t;
-+
-+ ########################################
-+ #
-+ # System razor local policy
-+ #
-+
-+ # this version of razor is invoked typically
-+ # via the system spam filter
-+
-+ allow system_razor_t self:tcp_socket create_socket_perms;
-+
-+ manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-+ manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-+ manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-+ files_search_etc(system_razor_t)
-+
-+ allow system_razor_t razor_log_t:file manage_file_perms;
-+ logging_log_filetrans(system_razor_t, razor_log_t, file)
-+
-+ manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-+ files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
-+
-+ corenet_all_recvfrom_netlabel(system_razor_t)
-+ corenet_tcp_sendrecv_generic_if(system_razor_t)
-+ corenet_raw_sendrecv_generic_if(system_razor_t)
-+ corenet_tcp_sendrecv_generic_node(system_razor_t)
-+ corenet_raw_sendrecv_generic_node(system_razor_t)
-+ corenet_tcp_sendrecv_razor_port(system_razor_t)
-+ corenet_tcp_connect_razor_port(system_razor_t)
-+ corenet_sendrecv_razor_client_packets(system_razor_t)
-+
-+ auth_use_nsswitch(system_razor_t)
-+
-+ # cjp: this shouldn't be needed
-+ userdom_use_unpriv_users_fds(system_razor_t)
-+
-+ optional_policy(`
-+ logging_send_syslog_msg(system_razor_t)
-+ ')
-+
-+ ########################################
-+ #
-+ # User razor local policy
-+ #
-+
-+ # Allow razor to be run by hand. Needed by any action other than
-+ # invocation from a spam filter.
-+
-+ allow razor_t self:unix_stream_socket create_stream_socket_perms;
-+
-+ manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
-+ manage_files_pattern(razor_t, razor_home_t, razor_home_t)
-+ manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
-+ userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
-+
-+ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-+ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-+ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
-+
-+ auth_use_nsswitch(razor_t)
-
--type razor_etc_t;
--files_config_file(razor_etc_t)
-+ logging_send_syslog_msg(razor_t)
-
--type razor_home_t;
--typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
--typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
--userdom_user_home_content(razor_home_t)
-+ userdom_search_user_home_dirs(razor_t)
-+ userdom_use_inherited_user_terminals(razor_t)
-
--type razor_log_t;
--logging_log_file(razor_log_t)
-+ userdom_home_manager(razor_t)
-
--type razor_tmp_t;
--typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
--typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
--userdom_user_tmp_file(razor_tmp_t)
--
--type razor_var_lib_t;
--files_type(razor_var_lib_t)
--
--# these are here due to ordering issues:
--razor_common_domain_template(razor)
--typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
--typealias razor_t alias { auditadm_razor_t secadm_razor_t };
--userdom_user_application_type(razor_t)
--
--razor_common_domain_template(system_razor)
--role system_r types system_razor_t;
--
--########################################
--#
--# System razor local policy
--#
--
--# this version of razor is invoked typically
--# via the system spam filter
--
--allow system_razor_t self:tcp_socket create_socket_perms;
--
--manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
--manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
--manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
--files_search_etc(system_razor_t)
--
--allow system_razor_t razor_log_t:file manage_file_perms;
--logging_log_filetrans(system_razor_t, razor_log_t, file)
--
--manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
--files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
--
--corenet_all_recvfrom_unlabeled(system_razor_t)
--corenet_all_recvfrom_netlabel(system_razor_t)
--corenet_tcp_sendrecv_generic_if(system_razor_t)
--corenet_raw_sendrecv_generic_if(system_razor_t)
--corenet_tcp_sendrecv_generic_node(system_razor_t)
--corenet_raw_sendrecv_generic_node(system_razor_t)
--corenet_tcp_sendrecv_razor_port(system_razor_t)
--corenet_tcp_connect_razor_port(system_razor_t)
--corenet_sendrecv_razor_client_packets(system_razor_t)
--
--sysnet_read_config(system_razor_t)
--
--# cjp: this shouldn't be needed
--userdom_use_unpriv_users_fds(system_razor_t)
--
--optional_policy(`
-- logging_send_syslog_msg(system_razor_t)
--')
--
--optional_policy(`
-- nscd_socket_use(system_razor_t)
--')
--
--########################################
--#
--# User razor local policy
--#
--
--# Allow razor to be run by hand. Needed by any action other than
--# invocation from a spam filter.
--
--allow razor_t self:unix_stream_socket create_stream_socket_perms;
--
--manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
--manage_files_pattern(razor_t, razor_home_t, razor_home_t)
--manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
--userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
--
--manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
--manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
--files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
--
--logging_send_syslog_msg(razor_t)
--
--userdom_search_user_home_dirs(razor_t)
--userdom_use_user_terminals(razor_t)
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(razor_t)
-- fs_manage_nfs_files(razor_t)
-- fs_manage_nfs_symlinks(razor_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(razor_t)
-- fs_manage_cifs_files(razor_t)
-- fs_manage_cifs_symlinks(razor_t)
--')
--
--optional_policy(`
-- nscd_socket_use(razor_t)
-+ optional_policy(`
-+ milter_manage_spamass_state(razor_t)
-+ ')
- ')
-diff --git a/rdisc.fc b/rdisc.fc
-index dee4adc..a7e4bc7 100644
---- a/rdisc.fc
-+++ b/rdisc.fc
-@@ -1,2 +1,4 @@
-
- /sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
-+
-+/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
-diff --git a/rdisc.te b/rdisc.te
-index 0f07685..1b75760 100644
---- a/rdisc.te
-+++ b/rdisc.te
-@@ -25,7 +25,6 @@ kernel_list_proc(rdisc_t)
- kernel_read_proc_symlinks(rdisc_t)
- kernel_read_kernel_sysctls(rdisc_t)
-
--corenet_all_recvfrom_unlabeled(rdisc_t)
- corenet_all_recvfrom_netlabel(rdisc_t)
- corenet_udp_sendrecv_generic_if(rdisc_t)
- corenet_raw_sendrecv_generic_if(rdisc_t)
-@@ -43,8 +42,6 @@ files_read_etc_files(rdisc_t)
-
- logging_send_syslog_msg(rdisc_t)
-
--miscfiles_read_localization(rdisc_t)
--
- sysnet_read_config(rdisc_t)
-
- userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
-diff --git a/readahead.fc b/readahead.fc
-index 7077413..0428aee 100644
---- a/readahead.fc
-+++ b/readahead.fc
-@@ -1,3 +1,10 @@
--/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
-+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
-+
- /sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
-+/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
-+
-+/usr/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
-+
- /var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
-+
-+/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
-diff --git a/readahead.if b/readahead.if
-index 47c4723..64c8889 100644
---- a/readahead.if
-+++ b/readahead.if
-@@ -1 +1,44 @@
- ## Readahead, read files into page cache for improved performance
-+
-+########################################
-+##
-+## Transition to the readahead domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`readahead_domtrans',`
-+ gen_require(`
-+ type readahead_t, readahead_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, readahead_exec_t, readahead_t)
-+')
-+
-+########################################
-+##
-+## Manage readahead var_run files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`readahead_manage_pid_files',`
-+ gen_require(`
-+ type readahead_var_run_t;
-+ ')
-+
-+ manage_dirs_pattern($1, readahead_var_run_t, readahead_var_run_t)
-+ manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
-+ dev_filetrans($1, readahead_var_run_t, { dir file })
-+ init_pid_filetrans($1, readahead_var_run_t, { dir file })
-+ files_search_pids($1)
-+ init_search_pid_dirs($1)
-+')
-+
-diff --git a/readahead.te b/readahead.te
-index b4ac57e..e384d8e 100644
---- a/readahead.te
-+++ b/readahead.te
-@@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
-
- type readahead_var_run_t;
- files_pid_file(readahead_var_run_t)
-+dev_associate(readahead_var_run_t)
-
- ########################################
- #
- # Local policy
- #
-
--allow readahead_t self:capability { fowner dac_override dac_read_search };
-+allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search };
- dontaudit readahead_t self:capability { net_admin sys_tty_config };
- allow readahead_t self:process { setsched signal_perms };
-
-@@ -31,13 +32,19 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
- files_search_var_lib(readahead_t)
-
- manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
--files_pid_filetrans(readahead_t, readahead_var_run_t, file)
-+manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
-+files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
-+dev_filetrans(readahead_t, readahead_var_run_t, { dir file })
-+init_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
-
- kernel_read_all_sysctls(readahead_t)
- kernel_read_system_state(readahead_t)
- kernel_dontaudit_getattr_core_if(readahead_t)
-+kernel_list_all_proc(readahead_t)
-
--dev_read_sysfs(readahead_t)
-+dev_rw_sysfs(readahead_t)
-+dev_read_kmsg(readahead_t)
-+dev_write_kmsg(readahead_t)
- dev_getattr_generic_chr_files(readahead_t)
- dev_getattr_generic_blk_files(readahead_t)
- dev_getattr_all_chr_files(readahead_t)
-@@ -53,10 +60,19 @@ domain_read_all_domains_state(readahead_t)
-
- files_list_non_security(readahead_t)
- files_read_non_security_files(readahead_t)
-+files_dontaudit_read_security_files(readahead_t)
- files_create_boot_flag(readahead_t)
-+files_delete_root_files(readahead_t)
- files_getattr_all_pipes(readahead_t)
- files_dontaudit_getattr_all_sockets(readahead_t)
- files_dontaudit_getattr_non_security_blk_files(readahead_t)
-+files_dontaudit_all_access_check(readahead_t)
-+
-+ifdef(`hide_broken_symptoms', `
-+ files_dontaudit_write_all_files(readahead_t)
-+ dev_dontaudit_write_all_chr_files(readahead_t)
-+ dev_dontaudit_write_all_blk_files(readahead_t)
-+')
-
- fs_getattr_all_fs(readahead_t)
- fs_search_auto_mountpoints(readahead_t)
-@@ -66,12 +82,14 @@ fs_read_cgroup_files(readahead_t)
- fs_read_tmpfs_files(readahead_t)
- fs_read_tmpfs_symlinks(readahead_t)
- fs_list_inotifyfs(readahead_t)
-+fs_dontaudit_read_tmpfs_blk_dev(readahead_t)
- fs_dontaudit_search_ramfs(readahead_t)
- fs_dontaudit_read_ramfs_pipes(readahead_t)
- fs_dontaudit_read_ramfs_files(readahead_t)
- fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
-
- mls_file_read_all_levels(readahead_t)
-+mcs_file_read_all(readahead_t)
-
- storage_raw_read_fixed_disk(readahead_t)
-
-@@ -82,13 +100,13 @@ auth_dontaudit_read_shadow(readahead_t)
- init_use_fds(readahead_t)
- init_use_script_ptys(readahead_t)
- init_getattr_initctl(readahead_t)
-+# needs to write to /run/systemd/notify
-+init_write_pid_socket(readahead_t)
-
- logging_send_syslog_msg(readahead_t)
- logging_set_audit_parameters(readahead_t)
- logging_dontaudit_search_audit_config(readahead_t)
-
--miscfiles_read_localization(readahead_t)
--
- userdom_dontaudit_use_unpriv_user_fds(readahead_t)
- userdom_dontaudit_search_user_home_dirs(readahead_t)
-
-diff --git a/realmd.fc b/realmd.fc
-new file mode 100644
-index 0000000..3c24ce4
---- /dev/null
-+++ b/realmd.fc
-@@ -0,0 +1 @@
-+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
-diff --git a/realmd.if b/realmd.if
-new file mode 100644
-index 0000000..e38693b
---- /dev/null
-+++ b/realmd.if
-@@ -0,0 +1,42 @@
-+
-+## dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA
-+
-+########################################
-+##
-+## Execute realmd in the realmd_t domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`realmd_domtrans',`
-+ gen_require(`
-+ type realmd_t, realmd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, realmd_exec_t, realmd_t)
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## realmd over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`realmd_dbus_chat',`
-+ gen_require(`
-+ type realmd_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 realmd_t:dbus send_msg;
-+ allow realmd_t $1:dbus send_msg;
-+')
-diff --git a/realmd.te b/realmd.te
-new file mode 100644
-index 0000000..c994751
---- /dev/null
-+++ b/realmd.te
-@@ -0,0 +1,103 @@
-+policy_module(realmd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type realmd_t;
-+type realmd_exec_t;
-+application_domain(realmd_t, realmd_exec_t)
-+role system_r types realmd_t;
-+
-+########################################
-+#
-+# realmd local policy
-+#
-+
-+allow realmd_t self:capability sys_nice;
-+allow realmd_t self:process setsched;
-+
-+kernel_read_system_state(realmd_t)
-+
-+corecmd_exec_bin(realmd_t)
-+corecmd_exec_shell(realmd_t)
-+
-+corenet_tcp_connect_http_port(realmd_t)
-+
-+domain_use_interactive_fds(realmd_t)
-+
-+dev_read_rand(realmd_t)
-+dev_read_urand(realmd_t)
-+
-+files_read_etc_files(realmd_t)
-+files_read_usr_files(realmd_t)
-+
-+fs_getattr_all_fs(realmd_t)
-+
-+auth_use_nsswitch(realmd_t)
-+
-+logging_send_syslog_msg(realmd_t)
-+
-+sysnet_dns_name_resolve(realmd_t)
-+systemd_exec_systemctl(realmd_t)
-+
-+#userdom_admin_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
-+#userdom_user_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
-+
-+optional_policy(`
-+ authconfig_domtrans(realmd_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_domain(realmd_t, realmd_exec_t)
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(realmd_t)
-+ ')
-+
-+ optional_policy(`
-+ policykit_dbus_chat(realmd_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ hostname_exec(realmd_t)
-+')
-+
-+optional_policy(`
-+ kerberos_use(realmd_t)
-+ kerberos_rw_keytab(realmd_t)
-+')
-+
-+optional_policy(`
-+ nis_exec_ypbind(realmd_t)
-+ nis_systemctl_ypbind(realmd_t)
-+')
-+
-+optional_policy(`
-+ gnome_read_config(realmd_t)
-+ gnome_read_generic_cache_files(realmd_t)
-+ gnome_write_generic_cache_files(realmd_t)
-+ gnome_manage_cache_home_dir(realmd_t)
-+
-+')
-+
-+optional_policy(`
-+ samba_domtrans_net(realmd_t)
-+ samba_manage_config(realmd_t)
-+ samba_getattr_winbind(realmd_t)
-+')
-+
-+optional_policy(`
-+ sssd_getattr_exec(realmd_t)
-+ sssd_manage_config(realmd_t)
-+ sssd_manage_lib_files(realmd_t)
-+ sssd_manage_public_files(realmd_t)
-+ sssd_read_pid_files(realmd_t)
-+ sssd_systemctl(realmd_t)
-+')
-+
-+optional_policy(`
-+ xserver_read_state_xdm(realmd_t)
-+')
-diff --git a/remotelogin.te b/remotelogin.te
-index 0a76027..18f59a7 100644
---- a/remotelogin.te
-+++ b/remotelogin.te
-@@ -10,9 +10,6 @@ domain_interactive_fd(remote_login_t)
- auth_login_pgm_domain(remote_login_t)
- auth_login_entry_type(remote_login_t)
-
--type remote_login_tmp_t;
--files_tmp_file(remote_login_tmp_t)
--
- ########################################
- #
- # Remote login remote policy
-@@ -34,10 +31,6 @@ allow remote_login_t self:msgq create_msgq_perms;
- allow remote_login_t self:msg { send receive };
- allow remote_login_t self:key write;
-
--manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
--manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
--files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
--
- kernel_read_system_state(remote_login_t)
- kernel_read_kernel_sysctls(remote_login_t)
-
-@@ -49,6 +42,8 @@ fs_getattr_xattr_fs(remote_login_t)
- fs_search_auto_mountpoints(remote_login_t)
-
- term_relabel_all_ptys(remote_login_t)
-+term_use_all_ptys(remote_login_t)
-+term_setattr_all_ptys(remote_login_t)
-
- auth_rw_login_records(remote_login_t)
- auth_rw_faillog(remote_login_t)
-@@ -64,7 +59,6 @@ corecmd_read_bin_sockets(remote_login_t)
-
- domain_read_all_entry_files(remote_login_t)
-
--files_read_etc_files(remote_login_t)
- files_read_etc_runtime_files(remote_login_t)
- files_list_home(remote_login_t)
- files_read_usr_files(remote_login_t)
-@@ -77,9 +71,8 @@ files_list_mnt(remote_login_t)
- # for when /var/mail is a sym-link
- files_read_var_symlinks(remote_login_t)
-
--sysnet_dns_name_resolve(remote_login_t)
-+auth_use_nsswitch(remote_login_t)
-
--miscfiles_read_localization(remote_login_t)
-
- userdom_use_unpriv_users_fds(remote_login_t)
- userdom_search_user_home_content(remote_login_t)
-@@ -87,34 +80,28 @@ userdom_search_user_home_content(remote_login_t)
- # since very weak authentication is used.
- userdom_signal_unpriv_users(remote_login_t)
- userdom_spec_domtrans_unpriv_users(remote_login_t)
-+userdom_use_user_ptys(remote_login_t)
-
--# Search for mail spool file.
--mta_getattr_spool(remote_login_t)
-+userdom_manage_user_tmp_dirs(remote_login_t)
-+userdom_manage_user_tmp_files(remote_login_t)
-+userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(remote_login_t)
-- fs_read_nfs_symlinks(remote_login_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(remote_login_t)
-- fs_read_cifs_symlinks(remote_login_t)
--')
-+userdom_home_reader(remote_login_t)
-
- optional_policy(`
- alsa_domtrans(remote_login_t)
- ')
-
- optional_policy(`
-- nis_use_ypbind(remote_login_t)
-+ # Search for mail spool file.
-+ mta_getattr_spool(remote_login_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(remote_login_t)
-+ telnet_use_ptys(remote_login_t)
- ')
-
- optional_policy(`
-- unconfined_domain(remote_login_t)
- unconfined_shell_domtrans(remote_login_t)
- ')
-
-diff --git a/resmgr.fc b/resmgr.fc
-index af810b9..a888eb9 100644
---- a/resmgr.fc
-+++ b/resmgr.fc
-@@ -2,6 +2,7 @@
- /etc/resmgr\.conf -- gen_context(system_u:object_r:resmgrd_etc_t,s0)
-
- /sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
-+/usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
-
- /var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
- /var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0)
-diff --git a/resmgr.if b/resmgr.if
-index d457736..eabdd78 100644
---- a/resmgr.if
-+++ b/resmgr.if
-@@ -16,7 +16,6 @@ interface(`resmgr_stream_connect',`
- type resmgrd_var_run_t, resmgrd_t;
- ')
-
-- allow $1 resmgrd_t:unix_stream_socket connectto;
-- allow $1 resmgrd_var_run_t:sock_file { getattr write };
- files_search_pids($1)
-+ stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)
- ')
-diff --git a/resmgr.te b/resmgr.te
-index bf5efbf..b38b22d 100644
---- a/resmgr.te
-+++ b/resmgr.te
-@@ -53,8 +53,6 @@ storage_raw_write_removable_device(resmgrd_t)
-
- logging_send_syslog_msg(resmgrd_t)
-
--miscfiles_read_localization(resmgrd_t)
--
- userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
-
- optional_policy(`
-diff --git a/rgmanager.fc b/rgmanager.fc
-index 3c97ef0..91e69b8 100644
---- a/rgmanager.fc
-+++ b/rgmanager.fc
-@@ -1,7 +1,22 @@
-+/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
-+
-+/usr/sbin/cpglockd -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
- /usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-
--/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
-+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-+/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-+
-+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
-+/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-+/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
-+
-+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
-+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
-
- /var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
-
-+/var/run/cpglockd\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
-+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
- /var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
-diff --git a/rgmanager.if b/rgmanager.if
-index 7dc38d1..5bd6fdb 100644
---- a/rgmanager.if
-+++ b/rgmanager.if
-@@ -5,9 +5,9 @@
- ## Execute a domain transition to run rgmanager.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`rgmanager_domtrans',`
-@@ -21,7 +21,7 @@ interface(`rgmanager_domtrans',`
-
- ########################################
- ##
--## Connect to rgmanager over an unix stream socket.
-+## Connect to rgmanager over a unix stream socket.
- ##
- ##
- ##
-@@ -75,3 +75,91 @@ interface(`rgmanager_manage_tmpfs_files',`
- fs_search_tmpfs($1)
- manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
- ')
-+
-+#######################################
-+##
-+## Allow read and write access to rgmanager semaphores.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rgmanager_rw_semaphores',`
-+ gen_require(`
-+ type rgmanager_t;
-+ ')
-+
-+ allow $1 rgmanager_t:sem rw_sem_perms;
-+')
-+
-+######################################
-+##
-+## All of the rules required to administrate
-+## an rgmanager environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed to manage the rgmanager domain.
-+##
-+##
-+##
-+#
-+interface(`rgmanager_admin',`
-+ gen_require(`
-+ type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t;
-+ type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
-+ ')
-+
-+ allow $1 rgmanager_t:process signal_perms;
-+ ps_process_pattern($1, rgmanager_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 rgmanager_t:process ptrace;
-+ ')
-+
-+ init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 rgmanager_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, rgmanager_tmp_t)
-+
-+ admin_pattern($1, rgmanager_tmpfs_t)
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, rgmanager_var_log_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, rgmanager_var_run_t)
-+')
-+
-+
-+######################################
-+##
-+## Allow the specified domain to manage rgmanager's lib/run files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rgmanager_manage_files',`
-+ gen_require(`
-+ type rgmanager_var_lib_t;
-+ type rgmanager_var_run_t;
-+ ')
-+
-+ files_list_var_lib($1)
-+ admin_pattern($1, rgmanager_var_lib_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, rgmanager_var_run_t)
-+')
-diff --git a/rgmanager.te b/rgmanager.te
-index 3786c45..1ad9c12 100644
---- a/rgmanager.te
-+++ b/rgmanager.te
-@@ -14,15 +14,20 @@ gen_tunable(rgmanager_can_network_connect, false)
-
- type rgmanager_t;
- type rgmanager_exec_t;
--domain_type(rgmanager_t)
- init_daemon_domain(rgmanager_t, rgmanager_exec_t)
-
-+type rgmanager_initrc_exec_t;
-+init_script_file(rgmanager_initrc_exec_t)
-+
- type rgmanager_tmp_t;
- files_tmp_file(rgmanager_tmp_t)
-
- type rgmanager_tmpfs_t;
- files_tmpfs_file(rgmanager_tmpfs_t)
-
-+type rgmanager_var_lib_t;
-+files_type(rgmanager_var_lib_t)
-+
- type rgmanager_var_log_t;
- logging_log_file(rgmanager_var_log_t)
-
-@@ -35,9 +40,7 @@ files_pid_file(rgmanager_var_run_t)
- #
-
- allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
--dontaudit rgmanager_t self:capability { sys_ptrace };
- allow rgmanager_t self:process { setsched signal };
--dontaudit rgmanager_t self:process { ptrace };
-
- allow rgmanager_t self:fifo_file rw_fifo_file_perms;
- allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
-@@ -52,14 +55,27 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
- manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
- fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
-
-+# var/lib files
-+# # needed by hearbeat
-+can_exec(rgmanager_t, rgmanager_var_lib_t)
-+manage_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
-+manage_dirs_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
-+manage_sock_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
-+manage_fifo_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
-+files_var_lib_filetrans(rgmanager_t,rgmanager_var_lib_t, { file dir fifo_file sock_file })
-+
-+
- manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
- logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
-
-+manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
- manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
- manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
--files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
-+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir })
-
-+kernel_kill(rgmanager_t)
- kernel_read_kernel_sysctls(rgmanager_t)
-+kernel_read_rpc_sysctls(rgmanager_t)
- kernel_read_system_state(rgmanager_t)
- kernel_rw_rpc_sysctls(rgmanager_t)
- kernel_search_debugfs(rgmanager_t)
-@@ -67,7 +83,6 @@ kernel_search_network_state(rgmanager_t)
-
- corecmd_exec_bin(rgmanager_t)
- corecmd_exec_shell(rgmanager_t)
--consoletype_exec(rgmanager_t)
-
- # need to write to /dev/misc/dlm-control
- dev_rw_dlm_control(rgmanager_t)
-@@ -76,31 +91,35 @@ dev_search_sysfs(rgmanager_t)
-
- domain_read_all_domains_state(rgmanager_t)
- domain_getattr_all_domains(rgmanager_t)
--domain_dontaudit_ptrace_all_domains(rgmanager_t)
-
--files_list_all(rgmanager_t)
-+files_create_var_run_dirs(rgmanager_t)
- files_getattr_all_symlinks(rgmanager_t)
-+files_list_all(rgmanager_t)
- files_manage_mnt_dirs(rgmanager_t)
-+files_manage_mnt_files(rgmanager_t)
-+files_manage_mnt_symlinks(rgmanager_t)
-+files_manage_isid_type_files(rgmanager_t)
- files_manage_isid_type_dirs(rgmanager_t)
-
- fs_getattr_xattr_fs(rgmanager_t)
- fs_getattr_all_fs(rgmanager_t)
-
-+storage_raw_read_fixed_disk(rgmanager_t)
- storage_getattr_fixed_disk_dev(rgmanager_t)
-
- term_getattr_pty_fs(rgmanager_t)
--#term_use_ptmx(rgmanager_t)
-
- # needed by resources scripts
--files_read_non_auth_files(rgmanager_t)
-+files_read_non_security_files(rgmanager_t)
- auth_dontaudit_getattr_shadow(rgmanager_t)
- auth_use_nsswitch(rgmanager_t)
-
--logging_send_syslog_msg(rgmanager_t)
-+init_domtrans_script(rgmanager_t)
-+init_initrc_domain(rgmanager_t)
-
--miscfiles_read_localization(rgmanager_t)
-+logging_send_syslog_msg(rgmanager_t)
-
--mount_domtrans(rgmanager_t)
-+userdom_kill_all_users(rgmanager_t)
-
- tunable_policy(`rgmanager_can_network_connect',`
- corenet_tcp_connect_all_ports(rgmanager_t)
-@@ -118,6 +137,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ consoletype_exec(rgmanager_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(rgmanager_t)
-+')
-+
-+optional_policy(`
- fstools_domtrans(rgmanager_t)
- ')
-
-@@ -140,6 +167,16 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ ldap_initrc_domtrans(rgmanager_t)
-+ ldap_systemctl(rgmanager_t)
-+ ldap_domtrans(rgmanager_t)
-+')
-+
-+optional_policy(`
-+ mount_domtrans(rgmanager_t)
-+')
-+
-+optional_policy(`
- mysql_domtrans_mysql_safe(rgmanager_t)
- mysql_stream_connect(rgmanager_t)
- ')
-@@ -165,6 +202,8 @@ optional_policy(`
- optional_policy(`
- rpc_initrc_domtrans_nfsd(rgmanager_t)
- rpc_initrc_domtrans_rpcd(rgmanager_t)
-+ rpc_systemctl_nfsd(rgmanager_t)
-+ rpc_systemctl_rpcd(rgmanager_t)
-
- rpc_domtrans_nfsd(rgmanager_t)
- rpc_domtrans_rpcd(rgmanager_t)
-diff --git a/rhcs.fc b/rhcs.fc
-index c2ba53b..977f2eb 100644
---- a/rhcs.fc
-+++ b/rhcs.fc
-@@ -1,22 +1,30 @@
- /usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
- /usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
- /usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
-+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
-+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0)
- /usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
-+/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
- /usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
- /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
-
- /var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
-
-+/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
- /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
-
-+/var/log/cluster/.*\.*log <>
- /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
- /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
- /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
- /var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
-+/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
-
- /var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-+/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
- /var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
--/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-+/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-+/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0)
- /var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
- /var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
- /var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
-diff --git a/rhcs.if b/rhcs.if
-index de37806..aee7ba7 100644
---- a/rhcs.if
-+++ b/rhcs.if
-@@ -13,7 +13,7 @@
- #
- template(`rhcs_domain_template',`
- gen_require(`
-- attribute cluster_domain;
-+ attribute cluster_domain, cluster_tmpfs, cluster_pid;
- ')
-
- ##############################
-@@ -25,13 +25,13 @@ template(`rhcs_domain_template',`
- type $1_exec_t;
- init_daemon_domain($1_t, $1_exec_t)
-
-- type $1_tmpfs_t;
-+ type $1_tmpfs_t, cluster_tmpfs;
- files_tmpfs_file($1_tmpfs_t)
-
- type $1_var_log_t;
- logging_log_file($1_var_log_t)
-
-- type $1_var_run_t;
-+ type $1_var_run_t, cluster_pid;
- files_pid_file($1_var_run_t)
-
- ##############################
-@@ -43,15 +43,20 @@ template(`rhcs_domain_template',`
- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
-
-+ manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
- manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
- manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-- logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })
-+ logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
-
-+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-- files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
-+ files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
-+
-+ auth_use_nsswitch($1_t)
-
-+ logging_send_syslog_msg($1_t)
- ')
-
- ######################################
-@@ -59,9 +64,9 @@ template(`rhcs_domain_template',`
- ## Execute a domain transition to run dlm_controld.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`rhcs_domtrans_dlm_controld',`
-@@ -133,6 +138,24 @@ interface(`rhcs_domtrans_fenced',`
- domtrans_pattern($1, fenced_exec_t, fenced_t)
- ')
-
-+#####################################
-+##
-+## Allow a domain to getattr on fenced executable.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`rhcs_getattr_fenced',`
-+ gen_require(`
-+ type fenced_t, fenced_exec_t;
-+ ')
-+
-+ allow $1 fenced_exec_t:file getattr;
-+')
-+
- ######################################
- ##
- ## Allow read and write access to fenced semaphores.
-@@ -156,7 +179,26 @@ interface(`rhcs_rw_fenced_semaphores',`
-
- ######################################
- ##
--## Connect to fenced over an unix domain stream socket.
-+## Read fenced PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_read_fenced_pid_files',`
-+ gen_require(`
-+ type fenced_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, fenced_var_run_t, fenced_var_run_t)
-+')
-+
-+######################################
-+##
-+## Connect to fenced over a unix domain stream socket.
- ##
- ##
- ##
-@@ -169,9 +211,8 @@ interface(`rhcs_stream_connect_fenced',`
- type fenced_var_run_t, fenced_t;
- ')
-
-- allow $1 fenced_t:unix_stream_socket connectto;
-- allow $1 fenced_var_run_t:sock_file { getattr write };
- files_search_pids($1)
-+ stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
- ')
-
- #####################################
-@@ -237,7 +278,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
-
- #####################################
- ##
--## Connect to gfs_controld_t over an unix domain stream socket.
-+## Connect to gfs_controld_t over a unix domain stream socket.
- ##
- ##
- ##
-@@ -335,6 +376,65 @@ interface(`rhcs_rw_groupd_shm',`
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
- ')
-
-+########################################
-+##
-+## Read and write to group shared memory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_rw_cluster_shm',`
-+ gen_require(`
-+ attribute cluster_domain, cluster_tmpfs;
-+ ')
-+
-+ allow $1 cluster_domain:shm { rw_shm_perms destroy };
-+
-+ fs_search_tmpfs($1)
-+ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
-+')
-+
-+####################################
-+##
-+## Read and write access to cluster domains semaphores.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_rw_cluster_semaphores',`
-+ gen_require(`
-+ attribute cluster_domain;
-+ ')
-+
-+ allow $1 cluster_domain:sem { rw_sem_perms destroy };
-+')
-+
-+####################################
-+##
-+## Connect to cluster domains over a unix domain
-+## stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_stream_connect_cluster',`
-+ gen_require(`
-+ attribute cluster_domain, cluster_pid;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
-+')
-+
- ######################################
- ##
- ## Execute a domain transition to run qdiskd.
-@@ -353,3 +453,80 @@ interface(`rhcs_domtrans_qdiskd',`
- corecmd_search_bin($1)
- domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
- ')
-+
-+########################################
-+##
-+## Allow domain to read qdiskd tmpfs files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_read_qdiskd_tmpfs_files',`
-+ gen_require(`
-+ type qdiskd_tmpfs_t;
-+ ')
-+
-+ fs_search_tmpfs($1)
-+ allow $1 qdiskd_tmpfs_t:file read_file_perms;
-+')
-+
-+######################################
-+##
-+## Allow domain to read cluster lib files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_read_cluster_lib_files',`
-+ gen_require(`
-+ type cluster_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
-+')
-+
-+#####################################
-+##
-+## Allow domain to manage cluster lib files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_manage_cluster_lib_files',`
-+ gen_require(`
-+ type cluster_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
-+')
-+
-+####################################
-+##
-+## Allow domain to relabel cluster lib files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_relabel_cluster_lib_files',`
-+ gen_require(`
-+ type cluster_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
-+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
-+')
-diff --git a/rhcs.te b/rhcs.te
-index 93c896a..8aa7362 100644
---- a/rhcs.te
-+++ b/rhcs.te
-@@ -12,7 +12,16 @@ policy_module(rhcs, 1.1.0)
- ##
- gen_tunable(fenced_can_network_connect, false)
-
-+##
-+##
-+## Allow fenced domain to execute ssh.
-+##
-+##
-+gen_tunable(fenced_can_ssh, false)
-+
- attribute cluster_domain;
-+attribute cluster_tmpfs;
-+attribute cluster_pid;
-
- rhcs_domain_template(dlm_controld)
-
-@@ -24,6 +33,8 @@ files_lock_file(fenced_lock_t)
- type fenced_tmp_t;
- files_tmp_file(fenced_tmp_t)
-
-+rhcs_domain_template(foghorn)
-+
- rhcs_domain_template(gfs_controld)
-
- rhcs_domain_template(groupd)
-@@ -33,6 +44,10 @@ rhcs_domain_template(qdiskd)
- type qdiskd_var_lib_t;
- files_type(qdiskd_var_lib_t)
-
-+# type for cluster lib files
-+type cluster_var_lib_t;
-+files_type(cluster_var_lib_t)
-+
- #####################################
- #
- # dlm_controld local policy
-@@ -46,6 +61,9 @@ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fence
- stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-
- kernel_read_system_state(dlm_controld_t)
-+kernel_rw_net_sysctls(dlm_controld_t)
-+
-+corecmd_exec_bin(dlm_controld_t)
-
- dev_rw_dlm_control(dlm_controld_t)
- dev_rw_sysfs(dlm_controld_t)
-@@ -56,7 +74,7 @@ fs_manage_configfs_dirs(dlm_controld_t)
- init_rw_script_tmp_files(dlm_controld_t)
-
- optional_policy(`
-- ccs_stream_connect(dlm_controld_t)
-+ corosync_rw_tmpfs(dlm_controld_t)
- ')
-
- #######################################
-@@ -65,10 +83,11 @@ optional_policy(`
- #
-
- allow fenced_t self:capability { sys_rawio sys_resource };
--allow fenced_t self:process getsched;
-+allow fenced_t self:process { getsched signal_perms };
-
- allow fenced_t self:tcp_socket create_stream_socket_perms;
- allow fenced_t self:udp_socket create_socket_perms;
-+allow fenced_t self:unix_stream_socket connectto;
-
- can_exec(fenced_t, fenced_exec_t)
-
-@@ -82,13 +101,23 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
-
- stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-
-+kernel_read_system_state(fenced_t)
-+kernel_read_network_state(fenced_t)
-+
- corecmd_exec_bin(fenced_t)
-+corecmd_exec_shell(fenced_t)
-
-+corenet_udp_bind_ionixnetmon_port(fenced_t)
-+corenet_tcp_bind_zented_port(fenced_t)
-+corenet_udp_bind_zented_port(fenced_t)
- corenet_tcp_connect_http_port(fenced_t)
-+corenet_tcp_connect_zented_port(fenced_t)
-
- dev_read_sysfs(fenced_t)
- dev_read_urand(fenced_t)
-+dev_read_rand(fenced_t)
-
-+files_read_usr_files(fenced_t)
- files_read_usr_symlinks(fenced_t)
-
- storage_raw_read_fixed_disk(fenced_t)
-@@ -97,16 +126,37 @@ storage_raw_read_removable_device(fenced_t)
-
- term_getattr_pty_fs(fenced_t)
- term_use_ptmx(fenced_t)
--
--auth_use_nsswitch(fenced_t)
-+term_use_generic_ptys(fenced_t)
-
- tunable_policy(`fenced_can_network_connect',`
- corenet_tcp_connect_all_ports(fenced_t)
- ')
-
- optional_policy(`
-+ tunable_policy(`fenced_can_ssh',`
-+
-+ allow fenced_t self:capability { setuid setgid };
-+
-+ corenet_tcp_connect_ssh_port(fenced_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ ssh_exec(fenced_t)
-+ ssh_read_user_home_files(fenced_t)
-+ ')
-+
-+# needed by fence_scsi
-+optional_policy(`
-+ corosync_exec(fenced_t)
-+')
-+
-+optional_policy(`
- ccs_read_config(fenced_t)
-- ccs_stream_connect(fenced_t)
-+')
-+
-+optional_policy(`
-+ gnome_read_generic_data_home_files(fenced_t)
- ')
-
- optional_policy(`
-@@ -114,13 +164,52 @@ optional_policy(`
- lvm_read_config(fenced_t)
- ')
-
-+optional_policy(`
-+ snmp_manage_var_lib_files(fenced_t)
-+ snmp_manage_var_lib_dirs(fenced_t)
-+')
-+
-+optional_policy(`
-+ virt_domtrans(fenced_t)
-+ virt_read_config(fenced_t)
-+ virt_read_pid_files(fenced_t)
-+ virt_stream_connect(fenced_t)
-+')
-+
-+#######################################
-+#
-+# foghorn local policy
-+#
-+
-+allow foghorn_t self:process { signal };
-+allow foghorn_t self:tcp_socket create_stream_socket_perms;
-+allow foghorn_t self:udp_socket create_socket_perms;
-+
-+corenet_tcp_connect_agentx_port(foghorn_t)
-+
-+dev_read_urand(foghorn_t)
-+
-+files_read_etc_files(foghorn_t)
-+files_read_usr_files(foghorn_t)
-+
-+sysnet_dns_name_resolve(foghorn_t)
-+
-+optional_policy(`
-+ dbus_connect_system_bus(foghorn_t)
-+')
-+
-+optional_policy(`
-+ snmp_read_snmp_var_lib_files(foghorn_t)
-+ snmp_dontaudit_write_snmp_var_lib_files(foghorn_t)
-+ snmp_stream_connect(foghorn_t)
-+')
-+
- ######################################
- #
- # gfs_controld local policy
- #
-
- allow gfs_controld_t self:capability { net_admin sys_resource };
--
- allow gfs_controld_t self:shm create_shm_perms;
- allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-
-@@ -139,10 +228,6 @@ storage_getattr_removable_dev(gfs_controld_t)
- init_rw_script_tmp_files(gfs_controld_t)
-
- optional_policy(`
-- ccs_stream_connect(gfs_controld_t)
--')
--
--optional_policy(`
- lvm_exec(gfs_controld_t)
- dev_rw_lvm_control(gfs_controld_t)
- ')
-@@ -154,12 +239,12 @@ optional_policy(`
-
- allow groupd_t self:capability { sys_nice sys_resource };
- allow groupd_t self:process setsched;
--
- allow groupd_t self:shm create_shm_perms;
-
-+domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
-+
- dev_list_sysfs(groupd_t)
-
--files_read_etc_files(groupd_t)
-
- init_rw_script_tmp_files(groupd_t)
-
-@@ -168,8 +253,7 @@ init_rw_script_tmp_files(groupd_t)
- # qdiskd local policy
- #
-
--allow qdiskd_t self:capability ipc_lock;
--
-+allow qdiskd_t self:capability { ipc_lock sys_boot };
- allow qdiskd_t self:tcp_socket create_stream_socket_perms;
- allow qdiskd_t self:udp_socket create_socket_perms;
-
-@@ -182,7 +266,7 @@ kernel_read_system_state(qdiskd_t)
- kernel_read_software_raid_state(qdiskd_t)
- kernel_getattr_core_if(qdiskd_t)
-
--corecmd_getattr_bin_files(qdiskd_t)
-+corecmd_exec_bin(qdiskd_t)
- corecmd_exec_shell(qdiskd_t)
-
- dev_read_sysfs(qdiskd_t)
-@@ -197,19 +281,16 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t)
-
- files_dontaudit_getattr_all_sockets(qdiskd_t)
- files_dontaudit_getattr_all_pipes(qdiskd_t)
--files_read_etc_files(qdiskd_t)
-+
-+files_read_usr_files(qdiskd_t)
-+
-+fs_list_hugetlbfs(qdiskd_t)
-
- storage_raw_read_removable_device(qdiskd_t)
- storage_raw_write_removable_device(qdiskd_t)
- storage_raw_read_fixed_disk(qdiskd_t)
- storage_raw_write_fixed_disk(qdiskd_t)
-
--auth_use_nsswitch(qdiskd_t)
--
--optional_policy(`
-- ccs_stream_connect(qdiskd_t)
--')
--
- optional_policy(`
- netutils_domtrans_ping(qdiskd_t)
- ')
-@@ -223,18 +304,24 @@ optional_policy(`
- # rhcs domains common policy
- #
-
--allow cluster_domain self:capability { sys_nice };
-+allow cluster_domain self:capability sys_nice;
- allow cluster_domain self:process setsched;
--
- allow cluster_domain self:sem create_sem_perms;
- allow cluster_domain self:fifo_file rw_fifo_file_perms;
- allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
- allow cluster_domain self:unix_dgram_socket create_socket_perms;
-
--logging_send_syslog_msg(cluster_domain)
-+manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
-+manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
-
--miscfiles_read_localization(cluster_domain)
-+optional_policy(`
-+ ccs_stream_connect(cluster_domain)
-+')
-
- optional_policy(`
- corosync_stream_connect(cluster_domain)
- ')
-+
-+optional_policy(`
-+ dbus_system_bus_client(cluster_domain)
-+')
-diff --git a/rhev.fc b/rhev.fc
-new file mode 100644
-index 0000000..4b66adf
---- /dev/null
-+++ b/rhev.fc
-@@ -0,0 +1,13 @@
-+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
-+/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
-+
-+/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
-+/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
-+
-+/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
-+
-+/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
-+/var/run/ovirt-guest-agent\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
-+
-+/var/log/rhev-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
-+/var/log/ovirt-guest-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
-diff --git a/rhev.if b/rhev.if
-new file mode 100644
-index 0000000..bf11e25
---- /dev/null
-+++ b/rhev.if
-@@ -0,0 +1,76 @@
-+## rhev polic module contains policies for rhev apps
-+
-+#####################################
-+##
-+## Execute rhev-agentd in the rhev_agentd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhev_domtrans_agentd',`
-+ gen_require(`
-+ type rhev_agentd_t, rhev_agentd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, rhev_agentd_exec_t, rhev_agentd_t)
-+')
-+
-+####################################
-+##
-+## Read rhev-agentd PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhev_read_pid_files_agentd',`
-+ gen_require(`
-+ type rhev_agentd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
-+')
-+
-+#####################################
-+##
-+## Connect to rhev_agentd over a unix domain
-+## stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhev_stream_connect_agentd',`
-+ gen_require(`
-+ type rhev_agentd_var_run_t, rhev_agentd_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t)
-+')
-+
-+######################################
-+##
-+## Send sigchld to rhev-agentd
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`rhev_sigchld_agentd',`
-+ gen_require(`
-+ type rhev_agentd_t;
-+ ')
-+
-+ allow $1 rhev_agentd_t:process sigchld;
-+')
-diff --git a/rhev.te b/rhev.te
-new file mode 100644
-index 0000000..51b00c0
---- /dev/null
-+++ b/rhev.te
-@@ -0,0 +1,117 @@
-+policy_module(rhev,1.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type rhev_agentd_t;
-+type rhev_agentd_exec_t;
-+init_daemon_domain(rhev_agentd_t, rhev_agentd_exec_t)
-+
-+type rhev_agentd_unit_file_t;
-+systemd_unit_file(rhev_agentd_unit_file_t)
-+
-+type rhev_agentd_var_run_t;
-+files_pid_file(rhev_agentd_var_run_t)
-+
-+type rhev_agentd_tmp_t;
-+files_tmp_file(rhev_agentd_tmp_t)
-+
-+type rhev_agentd_log_t;
-+logging_log_file(rhev_agentd_log_t)
-+
-+########################################
-+#
-+# rhev_agentd_t local policy
-+#
-+
-+allow rhev_agentd_t self:capability { setuid setgid sys_nice };
-+allow rhev_agentd_t self:process setsched;
-+
-+allow rhev_agentd_t self:fifo_file rw_fifo_file_perms;
-+allow rhev_agentd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
-+manage_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
-+manage_sock_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
-+files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file })
-+
-+manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
-+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
-+logging_log_filetrans(rhev_agentd_t, rhev_agentd_log_t, { dir file })
-+
-+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
-+manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
-+files_tmp_filetrans(rhev_agentd_t, rhev_agentd_tmp_t, { file dir })
-+can_exec(rhev_agentd_t, rhev_agentd_tmp_t)
-+
-+kernel_read_system_state(rhev_agentd_t)
-+kernel_read_kernel_sysctls(rhev_agentd_t)
-+
-+corecmd_exec_bin(rhev_agentd_t)
-+corecmd_exec_shell(rhev_agentd_t)
-+
-+dev_read_urand(rhev_agentd_t)
-+
-+term_use_virtio_console(rhev_agentd_t)
-+
-+fs_getattr_all_fs(rhev_agentd_t)
-+
-+files_getattr_all_mountpoints(rhev_agentd_t)
-+files_search_all_mountpoints(rhev_agentd_t)
-+files_read_usr_files(rhev_agentd_t)
-+
-+auth_use_nsswitch(rhev_agentd_t)
-+
-+init_read_utmp(rhev_agentd_t)
-+
-+libs_exec_ldconfig(rhev_agentd_t)
-+logging_send_syslog_msg(rhev_agentd_t)
-+
-+optional_policy(`
-+ rpm_read_db(rhev_agentd_t)
-+ rpm_dontaudit_manage_db(rhev_agentd_t)
-+')
-+
-+optional_policy(`
-+ ssh_signull(rhev_agentd_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(rhev_agentd_t)
-+ dbus_connect_system_bus(rhev_agentd_t)
-+ dbus_session_bus_client(rhev_agentd_t)
-+')
-+
-+optional_policy(`
-+ xserver_dbus_chat_xdm(rhev_agentd_t)
-+ xserver_stream_connect(rhev_agentd_t)
-+')
-+
-+######################################
-+#
-+# rhev_agentd_t consolehelper local policy
-+#
-+
-+optional_policy(`
-+ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
-+
-+ allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file rw_inherited_file_perms;
-+ allow rhev_agentd_consolehelper_t rhev_agentd_tmp_t:file rw_inherited_file_perms;
-+
-+ can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t)
-+ kernel_read_system_state(rhev_agentd_consolehelper_t)
-+
-+ term_use_virtio_console(rhev_agentd_consolehelper_t)
-+
-+ corenet_tcp_connect_xserver_port(rhev_agentd_consolehelper_t)
-+
-+ optional_policy(`
-+ dbus_session_bus_client(rhev_agentd_consolehelper_t)
-+ ')
-+
-+ optional_policy(`
-+ unconfined_dbus_chat(rhev_agentd_consolehelper_t)
-+ ')
-+')
-diff --git a/rhgb.if b/rhgb.if
-index 96efae7..793a29f 100644
---- a/rhgb.if
-+++ b/rhgb.if
-@@ -194,5 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
- type rhgb_tmpfs_t;
- ')
-
-+ fs_search_tmpfs($1)
- allow $1 rhgb_tmpfs_t:file rw_file_perms;
- ')
-diff --git a/rhgb.te b/rhgb.te
-index 0f262a7..08c49bc 100644
---- a/rhgb.te
-+++ b/rhgb.te
-@@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms;
- allow rhgb_t self:udp_socket create_socket_perms;
- allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
-
--allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
-+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
- term_create_pty(rhgb_t, rhgb_devpts_t)
-
- manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
-@@ -46,7 +46,6 @@ kernel_read_system_state(rhgb_t)
- corecmd_exec_bin(rhgb_t)
- corecmd_exec_shell(rhgb_t)
-
--corenet_all_recvfrom_unlabeled(rhgb_t)
- corenet_all_recvfrom_netlabel(rhgb_t)
- corenet_tcp_sendrecv_generic_if(rhgb_t)
- corenet_udp_sendrecv_generic_if(rhgb_t)
-@@ -97,7 +96,6 @@ libs_read_lib_files(rhgb_t)
-
- logging_send_syslog_msg(rhgb_t)
-
--miscfiles_read_localization(rhgb_t)
- miscfiles_read_fonts(rhgb_t)
- miscfiles_dontaudit_write_fonts(rhgb_t)
-
-diff --git a/rhnsd.fc b/rhnsd.fc
-new file mode 100644
-index 0000000..1936028
---- /dev/null
-+++ b/rhnsd.fc
-@@ -0,0 +1,5 @@
-+/etc/rc\.d/init\.d/rhnsd -- gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0)
-+
-+/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhnsd_exec_t,s0)
-+
-+/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhnsd_var_run_t,s0)
-diff --git a/rhnsd.if b/rhnsd.if
-new file mode 100644
-index 0000000..d2a58c1
---- /dev/null
-+++ b/rhnsd.if
-@@ -0,0 +1,75 @@
-+
-+## policy for rhnsd
-+
-+########################################
-+##
-+## Transition to rhnsd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`rhnsd_domtrans',`
-+ gen_require(`
-+ type rhnsd_t, rhnsd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, rhnsd_exec_t, rhnsd_t)
-+')
-+
-+########################################
-+##
-+## Execute rhnsd server in the rhnsd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhnsd_initrc_domtrans',`
-+ gen_require(`
-+ type rhnsd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, rhnsd_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an rhnsd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`rhnsd_admin',`
-+ gen_require(`
-+ type rhnsd_t;
-+ type rhnsd_initrc_exec_t;
-+ ')
-+
-+ allow $1 rhnsd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, rhnsd_t)
-+
-+ rhnsd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 rhnsd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/rhnsd.te b/rhnsd.te
-new file mode 100644
-index 0000000..5b2757d
---- /dev/null
-+++ b/rhnsd.te
-@@ -0,0 +1,41 @@
-+policy_module(rhnsd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type rhnsd_t;
-+type rhnsd_exec_t;
-+init_daemon_domain(rhnsd_t, rhnsd_exec_t)
-+
-+type rhnsd_var_run_t;
-+files_pid_file(rhnsd_var_run_t)
-+
-+type rhnsd_initrc_exec_t;
-+init_script_file(rhnsd_initrc_exec_t)
-+
-+########################################
-+#
-+# rhnsd local policy
-+#
-+
-+allow rhnsd_t self:capability { kill };
-+allow rhnsd_t self:process { fork signal };
-+allow rhnsd_t self:fifo_file rw_fifo_file_perms;
-+allow rhnsd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
-+manage_files_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
-+files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file })
-+
-+corecmd_exec_bin(rhnsd_t)
-+
-+files_read_etc_files(rhnsd_t)
-+
-+logging_send_syslog_msg(rhnsd_t)
-+
-+optional_policy(`
-+ # execute rhn_check
-+ rpm_domtrans(rhnsd_t)
-+')
-diff --git a/rhsmcertd.if b/rhsmcertd.if
-index 137605a..fd40b90 100644
---- a/rhsmcertd.if
-+++ b/rhsmcertd.if
-@@ -194,13 +194,13 @@ interface(`rhsmcertd_read_pid_files',`
-
- ####################################
- ##
--## Connect to rhsmcertd over a unix domain
--## stream socket.
-+## Connect to rhsmcertd over a unix domain
-+## stream socket.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
- interface(`rhsmcertd_stream_connect',`
-@@ -235,23 +235,23 @@ interface(`rhsmcertd_dbus_chat',`
-
- ######################################
- ##
--## Dontaudit Send and receive messages from
--## rhsmcertd over dbus.
-+## Dontaudit Send and receive messages from
-+## rhsmcertd over dbus.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
- interface(`rhsmcertd_dontaudit_dbus_chat',`
-- gen_require(`
-- type rhsmcertd_t;
-- class dbus send_msg;
-- ')
-+ gen_require(`
-+ type rhsmcertd_t;
-+ class dbus send_msg;
-+ ')
-
-- dontaudit $1 rhsmcertd_t:dbus send_msg;
-- dontaudit rhsmcertd_t $1:dbus send_msg;
-+ dontaudit $1 rhsmcertd_t:dbus send_msg;
-+ dontaudit rhsmcertd_t $1:dbus send_msg;
- ')
-
- ########################################
-@@ -264,12 +264,6 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Role allowed access.
--##
--##
--##
- #
- interface(`rhsmcertd_admin',`
- gen_require(`
-@@ -279,18 +273,7 @@ interface(`rhsmcertd_admin',`
-
- allow $1 rhsmcertd_t:process signal_perms;
- ps_process_pattern($1, rhsmcertd_t)
--
-- rhsmcertd_initrc_domtrans($1)
-- domain_system_change_exemption($1)
-- role_transition $2 rhsmcertd_initrc_exec_t system_r;
-- allow $2 system_r;
--
-- logging_search_logs($1)
-- admin_pattern($1, rhsmcertd_log_t)
--
-- files_search_var_lib($1)
-- admin_pattern($1, rhsmcertd_var_lib_t)
--
-- files_search_pids($1)
-- admin_pattern($1, rhsmcertd_var_run_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 rhsmcertd_t:process ptrace;
-+ ')
- ')
-diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 783f678..14193ca 100644
---- a/rhsmcertd.te
-+++ b/rhsmcertd.te
-@@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t)
- # rhsmcertd local policy
- #
-
-+allow rhsmcertd_t self:capability sys_nice;
-+allow rhsmcertd_t self:process { signal setsched };
-+
- allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
- allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
-
-@@ -43,17 +46,36 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
-
- manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
- manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
-+files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
-
-+kernel_read_network_state(rhsmcertd_t)
- kernel_read_system_state(rhsmcertd_t)
-
-+files_list_tmp(rhsmcertd_t)
-+
- corecmd_exec_bin(rhsmcertd_t)
-
-+dev_read_rand(rhsmcertd_t)
- dev_read_urand(rhsmcertd_t)
-+dev_read_sysfs(rhsmcertd_t)
-
- files_read_etc_files(rhsmcertd_t)
- files_read_usr_files(rhsmcertd_t)
-+files_manage_generic_locks(rhsmcertd_t)
-+
-+auth_read_passwd(rhsmcertd_t)
-+
-+logging_send_syslog_msg(rhsmcertd_t)
-
--miscfiles_read_localization(rhsmcertd_t)
--miscfiles_read_generic_certs(rhsmcertd_t)
-+miscfiles_read_certs(rhsmcertd_t)
-
- sysnet_dns_name_resolve(rhsmcertd_t)
-+
-+
-+optional_policy(`
-+ dmidecode_domtrans(rhsmcertd_t)
-+')
-+
-+optional_policy(`
-+ gnome_dontaudit_search_config(rhsmcertd_t)
-+')
-diff --git a/ricci.fc b/ricci.fc
-index 5b08327..4d5819e 100644
---- a/ricci.fc
-+++ b/ricci.fc
-@@ -1,3 +1,6 @@
-+
-+/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0)
-+
- /usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
- /usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
- /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
-@@ -9,7 +12,7 @@
-
- /var/lib/ricci(/.*)? gen_context(system_u:object_r:ricci_var_lib_t,s0)
-
--/var/log/clumond\.log -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
-+/var/log/clumond\.log.* -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
-
- /var/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
- /var/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
-diff --git a/ricci.if b/ricci.if
-index f7826f9..23d579c 100644
---- a/ricci.if
-+++ b/ricci.if
-@@ -5,9 +5,9 @@
- ## Execute a domain transition to run ricci.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`ricci_domtrans',`
-@@ -18,14 +18,32 @@ interface(`ricci_domtrans',`
- domtrans_pattern($1, ricci_exec_t, ricci_t)
- ')
-
-+#######################################
-+##
-+## Execute ricci server in the ricci domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ricci_initrc_domtrans',`
-+ gen_require(`
-+ type ricci_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, ricci_initrc_exec_t)
-+')
-+
- ########################################
- ##
- ## Execute a domain transition to run ricci_modcluster.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`ricci_domtrans_modcluster',`
-@@ -71,12 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
- type ricci_modcluster_t;
- ')
-
-- dontaudit $1 ricci_modcluster_t:fifo_file { read write };
-+ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Connect to ricci_modclusterd over an unix stream socket.
-+## Connect to ricci_modclusterd over a unix stream socket.
- ##
- ##
- ##
-@@ -90,18 +108,36 @@ interface(`ricci_stream_connect_modclusterd',`
- ')
-
- files_search_pids($1)
-- allow $1 ricci_modcluster_var_run_t:sock_file write;
-- allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
-+ stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)
- ')
-
- ########################################
- ##
--## Execute a domain transition to run ricci_modlog.
-+## Read and write to ricci_modcluserd temporary file system.
- ##
- ##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ricci_rw_modclusterd_tmpfs_files',`
-+ gen_require(`
-+ type ricci_modclusterd_tmpfs_t;
-+ ')
-+
-+ fs_search_tmpfs($1)
-+ allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms;
-+')
-+
-+########################################
- ##
--## Domain allowed to transition.
-+## Execute a domain transition to run ricci_modlog.
- ##
-+##
-+##
-+## Domain allowed to transition.
-+##
- ##
- #
- interface(`ricci_domtrans_modlog',`
-@@ -117,9 +153,9 @@ interface(`ricci_domtrans_modlog',`
- ## Execute a domain transition to run ricci_modrpm.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`ricci_domtrans_modrpm',`
-@@ -135,9 +171,9 @@ interface(`ricci_domtrans_modrpm',`
- ## Execute a domain transition to run ricci_modservice.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`ricci_domtrans_modservice',`
-@@ -153,9 +189,9 @@ interface(`ricci_domtrans_modservice',`
- ## Execute a domain transition to run ricci_modstorage.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`ricci_domtrans_modstorage',`
-@@ -165,3 +201,70 @@ interface(`ricci_domtrans_modstorage',`
-
- domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
- ')
-+
-+####################################
-+##
-+## Allow the specified domain to manage ricci's lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ricci_manage_lib_files',`
-+ gen_require(`
-+ type ricci_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
-+ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an ricci environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`ricci_admin',`
-+ gen_require(`
-+ type ricci_t, ricci_initrc_exec_t, ricci_tmp_t;
-+ type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
-+ ')
-+
-+ allow $1 ricci_t:process signal_perms;
-+ ps_process_pattern($1, ricci_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ricci_t:process ptrace;
-+ ')
-+
-+ ricci_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 ricci_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, ricci_tmp_t)
-+
-+ files_list_var_lib($1)
-+ admin_pattern($1, ricci_var_lib_t)
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, ricci_var_log_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, ricci_var_run_t)
-+')
-diff --git a/ricci.te b/ricci.te
-index 33e72e8..6b0ec3e 100644
---- a/ricci.te
-+++ b/ricci.te
-@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
-
- type ricci_t;
- type ricci_exec_t;
--domain_type(ricci_t)
- init_daemon_domain(ricci_t, ricci_exec_t)
-
-+type ricci_initrc_exec_t;
-+init_script_file(ricci_initrc_exec_t)
-+
- type ricci_tmp_t;
- files_tmp_file(ricci_tmp_t)
-
-@@ -39,9 +41,11 @@ files_pid_file(ricci_modcluster_var_run_t)
-
- type ricci_modclusterd_t;
- type ricci_modclusterd_exec_t;
--domain_type(ricci_modclusterd_t)
- init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
-
-+type ricci_modclusterd_tmpfs_t;
-+files_tmpfs_file(ricci_modclusterd_tmpfs_t)
-+
- type ricci_modlog_t;
- type ricci_modlog_exec_t;
- domain_type(ricci_modlog_t)
-@@ -95,7 +99,7 @@ manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
- manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
- files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
-
--allow ricci_t ricci_var_log_t:dir setattr;
-+allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
- manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
- manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
- logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
-@@ -105,10 +109,10 @@ manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
- files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
-
- kernel_read_kernel_sysctls(ricci_t)
-+kernel_read_system_state(ricci_t)
-
- corecmd_exec_bin(ricci_t)
-
--corenet_all_recvfrom_unlabeled(ricci_t)
- corenet_all_recvfrom_netlabel(ricci_t)
- corenet_tcp_sendrecv_generic_if(ricci_t)
- corenet_tcp_sendrecv_generic_node(ricci_t)
-@@ -123,7 +127,6 @@ dev_read_urand(ricci_t)
-
- domain_read_all_domains_state(ricci_t)
-
--files_read_etc_files(ricci_t)
- files_read_etc_runtime_files(ricci_t)
- files_create_boot_flag(ricci_t)
-
-@@ -136,8 +139,6 @@ locallogin_dontaudit_use_fds(ricci_t)
-
- logging_send_syslog_msg(ricci_t)
-
--miscfiles_read_localization(ricci_t)
--
- sysnet_dns_name_resolve(ricci_t)
-
- optional_policy(`
-@@ -170,6 +171,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ shutdown_domtrans(ricci_t)
-+')
-+
-+optional_policy(`
- unconfined_use_fds(ricci_t)
- ')
-
-@@ -193,29 +198,25 @@ corecmd_exec_shell(ricci_modcluster_t)
- corecmd_exec_bin(ricci_modcluster_t)
-
- corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
--corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
-+corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t)
-+corenet_tcp_connect_cluster_port(ricci_modclusterd_t)
-
- domain_read_all_domains_state(ricci_modcluster_t)
-
- files_search_locks(ricci_modcluster_t)
- files_read_etc_runtime_files(ricci_modcluster_t)
--files_read_etc_files(ricci_modcluster_t)
- files_search_usr(ricci_modcluster_t)
-
-+auth_use_nsswitch(ricci_modcluster_t)
-+
- init_exec(ricci_modcluster_t)
- init_domtrans_script(ricci_modcluster_t)
-
- logging_send_syslog_msg(ricci_modcluster_t)
-
--miscfiles_read_localization(ricci_modcluster_t)
--
--modutils_domtrans_insmod(ricci_modcluster_t)
--
--mount_domtrans(ricci_modcluster_t)
--
--consoletype_exec(ricci_modcluster_t)
--
--ricci_stream_connect_modclusterd(ricci_modcluster_t)
-+optional_policy(`
-+ ricci_stream_connect_modclusterd(ricci_modcluster_t)
-+')
-
- optional_policy(`
- aisexec_stream_connect(ricci_modcluster_t)
-@@ -233,7 +234,15 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_socket_use(ricci_modcluster_t)
-+ modutils_domtrans_insmod(ricci_modcluster_t)
-+')
-+
-+optional_policy(`
-+ mount_domtrans(ricci_modcluster_t)
-+')
-+
-+optional_policy(`
-+ consoletype_exec(ricci_modcluster_t)
- ')
-
- optional_policy(`
-@@ -241,8 +250,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-- # XXX This has got to go.
-- unconfined_domain(ricci_modcluster_t)
-+ rgmanager_stream_connect(ricci_modclusterd_t)
- ')
-
- ########################################
-@@ -261,6 +269,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
- allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
- allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
-
-+manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
-+manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
-+fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file })
-+
- allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
- manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
- manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-@@ -272,6 +284,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
-
- kernel_read_kernel_sysctls(ricci_modclusterd_t)
- kernel_read_system_state(ricci_modclusterd_t)
-+kernel_request_load_module(ricci_modclusterd_t)
-
- corecmd_exec_bin(ricci_modclusterd_t)
-
-@@ -283,7 +296,6 @@ corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
-
- domain_read_all_domains_state(ricci_modclusterd_t)
-
--files_read_etc_files(ricci_modclusterd_t)
- files_read_etc_runtime_files(ricci_modclusterd_t)
-
- fs_getattr_xattr_fs(ricci_modclusterd_t)
-@@ -296,8 +308,6 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
-
- logging_send_syslog_msg(ricci_modclusterd_t)
-
--miscfiles_read_localization(ricci_modclusterd_t)
--
- sysnet_domtrans_ifconfig(ricci_modclusterd_t)
-
- optional_policy(`
-@@ -334,12 +344,10 @@ corecmd_exec_bin(ricci_modlog_t)
-
- domain_read_all_domains_state(ricci_modlog_t)
-
--files_read_etc_files(ricci_modlog_t)
- files_search_usr(ricci_modlog_t)
-
- logging_read_generic_logs(ricci_modlog_t)
-
--miscfiles_read_localization(ricci_modlog_t)
-
- optional_policy(`
- nscd_dontaudit_search_pid(ricci_modlog_t)
-@@ -361,9 +369,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
- corecmd_exec_bin(ricci_modrpm_t)
-
- files_search_usr(ricci_modrpm_t)
--files_read_etc_files(ricci_modrpm_t)
-
--miscfiles_read_localization(ricci_modrpm_t)
-+logging_send_syslog_msg(ricci_modrpm_t)
-
- optional_policy(`
- oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
-@@ -388,23 +395,24 @@ kernel_read_system_state(ricci_modservice_t)
- corecmd_exec_bin(ricci_modservice_t)
- corecmd_exec_shell(ricci_modservice_t)
-
--files_read_etc_files(ricci_modservice_t)
- files_read_etc_runtime_files(ricci_modservice_t)
- files_search_usr(ricci_modservice_t)
- # Needed for running chkconfig
- files_manage_etc_symlinks(ricci_modservice_t)
-
--consoletype_exec(ricci_modservice_t)
--
- init_domtrans_script(ricci_modservice_t)
-
--miscfiles_read_localization(ricci_modservice_t)
-+logging_send_syslog_msg(ricci_modservice_t)
-
- optional_policy(`
- ccs_read_config(ricci_modservice_t)
- ')
-
- optional_policy(`
-+ consoletype_exec(ricci_modservice_t)
-+')
-+
-+optional_policy(`
- nscd_dontaudit_search_pid(ricci_modservice_t)
- ')
-
-@@ -418,7 +426,6 @@ optional_policy(`
- #
-
- allow ricci_modstorage_t self:process { setsched signal };
--dontaudit ricci_modstorage_t self:process ptrace;
- allow ricci_modstorage_t self:capability { mknod sys_nice };
- allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
- allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
-@@ -444,22 +451,20 @@ files_read_etc_runtime_files(ricci_modstorage_t)
- files_read_usr_files(ricci_modstorage_t)
- files_read_kernel_modules(ricci_modstorage_t)
-
-+files_create_default_dir(ricci_modstorage_t)
-+files_root_filetrans_default(ricci_modstorage_t, dir)
-+files_mounton_default(ricci_modstorage_t)
-+files_manage_default_dirs(ricci_modstorage_t)
-+files_manage_default_files(ricci_modstorage_t)
-+
- storage_raw_read_fixed_disk(ricci_modstorage_t)
-
- term_dontaudit_use_console(ricci_modstorage_t)
-
--fstools_domtrans(ricci_modstorage_t)
-+auth_use_nsswitch(ricci_modstorage_t)
-
- logging_send_syslog_msg(ricci_modstorage_t)
-
--miscfiles_read_localization(ricci_modstorage_t)
--
--modutils_read_module_deps(ricci_modstorage_t)
--
--consoletype_exec(ricci_modstorage_t)
--
--mount_domtrans(ricci_modstorage_t)
--
- optional_policy(`
- aisexec_stream_connect(ricci_modstorage_t)
- corosync_stream_connect(ricci_modstorage_t)
-@@ -471,12 +476,24 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ consoletype_exec(ricci_modstorage_t)
-+')
-+
-+optional_policy(`
-+ fstools_domtrans(ricci_modstorage_t)
-+')
-+
-+optional_policy(`
- lvm_domtrans(ricci_modstorage_t)
- lvm_manage_config(ricci_modstorage_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(ricci_modstorage_t)
-+ modutils_read_module_deps(ricci_modstorage_t)
-+')
-+
-+optional_policy(`
-+ mount_domtrans(ricci_modstorage_t)
- ')
-
- optional_policy(`
-diff --git a/rlogin.fc b/rlogin.fc
-index 2fae3f0..d7f6b82 100644
---- a/rlogin.fc
-+++ b/rlogin.fc
-@@ -1,7 +1,10 @@
- HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
-+HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
-+/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
-+/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
-
- /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
-
--/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
-+/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
-
- /usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
-diff --git a/rlogin.if b/rlogin.if
-index 63e78c6..fdd8228 100644
---- a/rlogin.if
-+++ b/rlogin.if
-@@ -21,21 +21,15 @@ interface(`rlogin_domtrans',`
-
- ########################################
- ##
--## read rlogin homedir content (.config)
-+## read rlogin homedir content (.rlogin)
- ##
--##
--##
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
--##
--##
--##
-+##
- ##
--## The type of the user domain.
-+## Domain allowed access.
- ##
- ##
- #
--template(`rlogin_read_home_content',`
-+interface(`rlogin_read_home_content',`
- gen_require(`
- type rlogind_home_t;
- ')
-diff --git a/rlogin.te b/rlogin.te
-index 16304ec..3293b25 100644
---- a/rlogin.te
-+++ b/rlogin.te
-@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
- # Local policy
- #
-
--allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
-+allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
- allow rlogind_t self:process signal_perms;
- allow rlogind_t self:fifo_file rw_fifo_file_perms;
- allow rlogind_t self:tcp_socket connected_stream_socket_perms;
- # for identd; cjp: this should probably only be inetd_child rules?
- allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
--allow rlogind_t self:capability { setuid setgid };
-
--allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
-+allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
- term_create_pty(rlogind_t, rlogind_devpts_t)
-
- # for /usr/lib/telnetlogin
-@@ -43,7 +42,6 @@ can_exec(rlogind_t, rlogind_exec_t)
-
- manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
- manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
--files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
-
- manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
- files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
-@@ -52,7 +50,6 @@ kernel_read_kernel_sysctls(rlogind_t)
- kernel_read_system_state(rlogind_t)
- kernel_read_network_state(rlogind_t)
-
--corenet_all_recvfrom_unlabeled(rlogind_t)
- corenet_all_recvfrom_netlabel(rlogind_t)
- corenet_tcp_sendrecv_generic_if(rlogind_t)
- corenet_udp_sendrecv_generic_if(rlogind_t)
-@@ -69,10 +66,11 @@ fs_getattr_xattr_fs(rlogind_t)
- fs_search_auto_mountpoints(rlogind_t)
-
- auth_domtrans_chk_passwd(rlogind_t)
-+auth_signal_chk_passwd(rlogind_t)
- auth_rw_login_records(rlogind_t)
- auth_use_nsswitch(rlogind_t)
-+auth_login_pgm_domain(rlogind_t)
-
--files_read_etc_files(rlogind_t)
- files_read_etc_runtime_files(rlogind_t)
- files_search_home(rlogind_t)
- files_search_default(rlogind_t)
-@@ -81,34 +79,29 @@ init_rw_utmp(rlogind_t)
-
- logging_send_syslog_msg(rlogind_t)
-
--miscfiles_read_localization(rlogind_t)
--
- seutil_read_config(rlogind_t)
-
- userdom_setattr_user_ptys(rlogind_t)
- # cjp: this is egregious
- userdom_read_user_home_content_files(rlogind_t)
--
--remotelogin_domtrans(rlogind_t)
--remotelogin_signal(rlogind_t)
-+userdom_search_admin_dir(rlogind_t)
-+userdom_manage_user_tmp_files(rlogind_t)
-+userdom_tmp_filetrans_user_tmp(rlogind_t, file)
-+userdom_use_user_terminals(rlogind_t)
-+userdom_home_reader(rlogind_t)
-
- rlogin_read_home_content(rlogind_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_list_nfs(rlogind_t)
-- fs_read_nfs_files(rlogind_t)
-- fs_read_nfs_symlinks(rlogind_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_list_cifs(rlogind_t)
-- fs_read_cifs_files(rlogind_t)
-- fs_read_cifs_symlinks(rlogind_t)
-+optional_policy(`
-+ kerberos_keytab_template(rlogind, rlogind_t)
-+ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
-+ #part of auth_use_pam
-+ #kerberos_manage_host_rcache(rlogind_t)
- ')
-
- optional_policy(`
-- kerberos_keytab_template(rlogind, rlogind_t)
-- kerberos_manage_host_rcache(rlogind_t)
-+ remotelogin_domtrans(rlogind_t)
-+ remotelogin_signal(rlogind_t)
- ')
-
- optional_policy(`
-diff --git a/rngd.fc b/rngd.fc
-new file mode 100644
-index 0000000..f6be09d
---- /dev/null
-+++ b/rngd.fc
-@@ -0,0 +1,6 @@
-+
-+/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0)
-+
-+/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
-diff --git a/rngd.if b/rngd.if
-new file mode 100644
-index 0000000..8b505d5
---- /dev/null
-+++ b/rngd.if
-@@ -0,0 +1,62 @@
-+## Check and feed random data from hardware device to kernel random device.
-+
-+########################################
-+##
-+## Execute rngd in the rngd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`rng_systemctl_rngd',`
-+ gen_require(`
-+ type rngd_t, rngd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 rngd_unit_file_t:file read_file_perms;
-+ allow $1 rngd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, rngd_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to
-+## administrate an rng environment.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`rng_admin',`
-+ gen_require(`
-+ type rngd_t, rngd_initrc_exec_t, rngd_unit_file_t;
-+ ')
-+
-+ allow $1 rngd_t:process signal_perms;
-+ ps_process_pattern($1, rngd_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 rngd_t:process ptrace;
-+ ')
-+
-+ init_labeled_script_domtrans($1, rngd_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 rngd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ rng_systemctl($1)
-+ admin_pattern($1, rngd_unit_file_t)
-+ allow $1 rngd_unit_file_t:service all_service_perms;
-+')
-diff --git a/rngd.te b/rngd.te
-new file mode 100644
-index 0000000..50b6196
---- /dev/null
-+++ b/rngd.te
-@@ -0,0 +1,37 @@
-+policy_module(rngd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type rngd_t;
-+type rngd_exec_t;
-+init_daemon_domain(rngd_t, rngd_exec_t)
-+
-+type rngd_initrc_exec_t;
-+init_script_file(rngd_initrc_exec_t)
-+
-+type rngd_unit_file_t;
-+systemd_unit_file(rngd_unit_file_t)
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+allow rngd_t self:capability sys_admin;
-+allow rngd_t self:process { signal };
-+allow rngd_t self:fifo_file rw_fifo_file_perms;
-+allow rngd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+kernel_rw_kernel_sysctl(rngd_t)
-+
-+dev_read_rand(rngd_t)
-+dev_read_urand(rngd_t)
-+dev_rw_tpm(rngd_t)
-+dev_write_rand(rngd_t)
-+
-+files_read_etc_files(rngd_t)
-+
-+logging_send_syslog_msg(rngd_t)
-diff --git a/roundup.if b/roundup.if
-index 30c4b75..e07c2ff 100644
---- a/roundup.if
-+++ b/roundup.if
-@@ -23,8 +23,11 @@ interface(`roundup_admin',`
- type roundup_initrc_exec_t;
- ')
-
-- allow $1 roundup_t:process { ptrace signal_perms };
-+ allow $1 roundup_t:process signal_perms;
- ps_process_pattern($1, roundup_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 roundup_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, roundup_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/roundup.te b/roundup.te
-index 57f839f..090dd29 100644
---- a/roundup.te
-+++ b/roundup.te
-@@ -45,7 +45,6 @@ dev_read_sysfs(roundup_t)
- # execute python
- corecmd_exec_bin(roundup_t)
-
--corenet_all_recvfrom_unlabeled(roundup_t)
- corenet_all_recvfrom_netlabel(roundup_t)
- corenet_tcp_sendrecv_generic_if(roundup_t)
- corenet_udp_sendrecv_generic_if(roundup_t)
-@@ -75,8 +74,6 @@ fs_search_auto_mountpoints(roundup_t)
-
- logging_send_syslog_msg(roundup_t)
-
--miscfiles_read_localization(roundup_t)
--
- sysnet_read_config(roundup_t)
-
- userdom_dontaudit_use_unpriv_user_fds(roundup_t)
-diff --git a/rpc.fc b/rpc.fc
-index 5c70c0c..b0c22f7 100644
---- a/rpc.fc
-+++ b/rpc.fc
-@@ -6,6 +6,9 @@
- /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-
-+/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
-+/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
-+
- #
- # /sbin
- #
-@@ -15,12 +18,14 @@
- #
- # /usr
- #
-+/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
- /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
- /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
- /usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
- /usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
- /usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
- /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
-+/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-
- #
- # /var
-@@ -29,3 +34,4 @@
-
- /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
- /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
-+
-diff --git a/rpc.if b/rpc.if
-index dddabcf..a61764b 100644
---- a/rpc.if
-+++ b/rpc.if
-@@ -32,7 +32,11 @@ interface(`rpc_stub',`
- ##
- ##
- #
--template(`rpc_domain_template', `
-+template(`rpc_domain_template',`
-+ gen_require(`
-+ type var_lib_nfs_t;
-+ ')
-+
- ########################################
- #
- # Declarations
-@@ -69,7 +73,6 @@ template(`rpc_domain_template', `
- dev_read_urand($1_t)
- dev_read_rand($1_t)
-
-- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
- corenet_tcp_sendrecv_generic_if($1_t)
- corenet_udp_sendrecv_generic_if($1_t)
-@@ -105,7 +108,6 @@ template(`rpc_domain_template', `
-
- logging_send_syslog_msg($1_t)
-
-- miscfiles_read_localization($1_t)
-
- userdom_dontaudit_use_unpriv_user_fds($1_t)
-
-@@ -152,7 +154,7 @@ interface(`rpc_dontaudit_getattr_exports',`
- type exports_t;
- ')
-
-- dontaudit $1 exports_t:file getattr;
-+ dontaudit $1 exports_t:file getattr_file_perms;
- ')
-
- ########################################
-@@ -188,7 +190,7 @@ interface(`rpc_write_exports',`
- type exports_t;
- ')
-
-- allow $1 exports_t:file write;
-+ allow $1 exports_t:file write_file_perms;
- ')
-
- ########################################
-@@ -229,6 +231,29 @@ interface(`rpc_initrc_domtrans_nfsd',`
-
- ########################################
- ##
-+## Execute nfsd server in the nfsd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`rpc_systemctl_nfsd',`
-+ gen_require(`
-+ type nfsd_unit_file_t;
-+ type nfsd_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 nfsd_unit_file_t:file read_file_perms;
-+ allow $1 nfsd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, nfsd_t)
-+')
-+
-+########################################
-+##
- ## Execute domain in rpcd domain.
- ##
- ##
-@@ -246,6 +271,32 @@ interface(`rpc_domtrans_rpcd',`
- allow rpcd_t $1:process signal;
- ')
-
-+########################################
-+##
-+## Execute rpcd in the rcpd domain, and
-+## allow the specified role the rpcd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`rpc_run_rpcd',`
-+ gen_require(`
-+ type rpcd_t;
-+ ')
-+
-+ rpc_domtrans_rpcd($1)
-+ role $2 types rpcd_t;
-+')
-+
- #######################################
- ##
- ## Execute domain in rpcd domain.
-@@ -266,6 +317,29 @@ interface(`rpc_initrc_domtrans_rpcd',`
-
- ########################################
- ##
-+## Execute rpcd server in the rpcd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`rpc_systemctl_rpcd',`
-+ gen_require(`
-+ type rpcd_unit_file_t;
-+ type rpcd_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 rpcd_unit_file_t:file read_file_perms;
-+ allow $1 rpcd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, rpcd_t)
-+')
-+
-+########################################
-+##
- ## Read NFS exported content.
- ##
- ##
-@@ -282,7 +356,7 @@ interface(`rpc_read_nfs_content',`
-
- allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
- allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
-- allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
-+ allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -329,7 +403,7 @@ interface(`rpc_manage_nfs_ro_content',`
-
- ########################################
- ##
--## Allow domain to read and write to an NFS TCP socket.
-+## Allow domain to read and write to an NFS UDP socket.
- ##
- ##
- ##
-@@ -337,17 +411,17 @@ interface(`rpc_manage_nfs_ro_content',`
- ##
- ##
- #
--interface(`rpc_tcp_rw_nfs_sockets',`
-+interface(`rpc_udp_rw_nfs_sockets',`
- gen_require(`
- type nfsd_t;
- ')
-
-- allow $1 nfsd_t:tcp_socket rw_socket_perms;
-+ allow $1 nfsd_t:udp_socket rw_socket_perms;
- ')
-
- ########################################
- ##
--## Allow domain to read and write to an NFS UDP socket.
-+## Send UDP traffic to NFSd. (Deprecated)
- ##
- ##
- ##
-@@ -355,17 +429,13 @@ interface(`rpc_tcp_rw_nfs_sockets',`
- ##
- ##
- #
--interface(`rpc_udp_rw_nfs_sockets',`
-- gen_require(`
-- type nfsd_t;
-- ')
--
-- allow $1 nfsd_t:udp_socket rw_socket_perms;
-+interface(`rpc_udp_send_nfs',`
-+ refpolicywarn(`$0($*) has been deprecated.')
- ')
-
- ########################################
- ##
--## Send UDP traffic to NFSd. (Deprecated)
-+## Search NFS state data in /var/lib/nfs.
- ##
- ##
- ##
-@@ -373,13 +443,18 @@ interface(`rpc_udp_rw_nfs_sockets',`
- ##
- ##
- #
--interface(`rpc_udp_send_nfs',`
-- refpolicywarn(`$0($*) has been deprecated.')
-+interface(`rpc_search_nfs_state_data',`
-+ gen_require(`
-+ type var_lib_nfs_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 var_lib_nfs_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Search NFS state data in /var/lib/nfs.
-+## List NFS state data in /var/lib/nfs.
- ##
- ##
- ##
-@@ -387,13 +462,13 @@ interface(`rpc_udp_send_nfs',`
- ##
- ##
- #
--interface(`rpc_search_nfs_state_data',`
-+interface(`rpc_list_nfs_state_data',`
- gen_require(`
- type var_lib_nfs_t;
- ')
-
- files_search_var_lib($1)
-- allow $1 var_lib_nfs_t:dir search;
-+ allow $1 var_lib_nfs_t:dir list_dir_perms;
- ')
-
- ########################################
-@@ -432,4 +507,5 @@ interface(`rpc_manage_nfs_state_data',`
-
- files_search_var_lib($1)
- manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
-+ allow $1 var_lib_nfs_t:file relabel_file_perms;
- ')
-diff --git a/rpc.te b/rpc.te
-index 330d01f..fd96b3c 100644
---- a/rpc.te
-+++ b/rpc.te
-@@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0)
- ## Allow gssd to read temp directory. For access to kerberos tgt.
- ##
- ##
--gen_tunable(allow_gssd_read_tmp, true)
-+gen_tunable(gssd_read_tmp, true)
-
- ##
- ##
-@@ -19,7 +19,7 @@ gen_tunable(allow_gssd_read_tmp, true)
- ## labeled public_content_rw_t.
- ##
- ##
--gen_tunable(allow_nfsd_anon_write, false)
-+gen_tunable(nfsd_anon_write, false)
-
- type exports_t;
- files_config_file(exports_t)
-@@ -39,11 +39,17 @@ rpc_domain_template(rpcd)
- type rpcd_initrc_exec_t;
- init_script_file(rpcd_initrc_exec_t)
-
-+type rpcd_unit_file_t;
-+systemd_unit_file(rpcd_unit_file_t)
-+
- rpc_domain_template(nfsd)
-
- type nfsd_initrc_exec_t;
- init_script_file(nfsd_initrc_exec_t)
-
-+type nfsd_unit_file_t;
-+systemd_unit_file(nfsd_unit_file_t)
-+
- type nfsd_rw_t;
- files_type(nfsd_rw_t)
-
-@@ -58,13 +64,16 @@ files_mountpoint(var_lib_nfs_t)
- # RPC local policy
- #
-
--allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
-+allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
-+allow rpcd_t self:capability2 block_suspend;
-+
- allow rpcd_t self:process { getcap setcap };
- allow rpcd_t self:fifo_file rw_fifo_file_perms;
-
--allow rpcd_t rpcd_var_run_t:dir setattr;
-+allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
-+manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
- manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
--files_pid_filetrans(rpcd_t, rpcd_var_run_t, file)
-+files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
-
- # rpc.statd executes sm-notify
- can_exec(rpcd_t, rpcd_exec_t)
-@@ -81,21 +90,26 @@ corecmd_exec_bin(rpcd_t)
-
- files_manage_mounttab(rpcd_t)
- files_getattr_all_dirs(rpcd_t)
-+files_read_usr_files(rpcd_t)
-
- fs_list_rpc(rpcd_t)
- fs_read_rpc_files(rpcd_t)
- fs_read_rpc_symlinks(rpcd_t)
- fs_rw_rpc_sockets(rpcd_t)
- fs_get_all_fs_quotas(rpcd_t)
-+fs_set_xattr_fs_quotas(rpcd_t)
- fs_getattr_all_fs(rpcd_t)
-
- storage_getattr_fixed_disk_dev(rpcd_t)
-
-+init_read_utmp(rpcd_t)
-+
- selinux_dontaudit_read_fs(rpcd_t)
-
- miscfiles_read_generic_certs(rpcd_t)
-
--seutil_dontaudit_search_config(rpcd_t)
-+userdom_signal_unpriv_users(rpcd_t)
-+userdom_read_user_home_content_files(rpcd_t)
-
- optional_policy(`
- automount_signal(rpcd_t)
-@@ -103,15 +117,32 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ domain_unconfined_signal(rpcd_t)
-+')
-+
-+optional_policy(`
-+ quota_manage_db(rpcd_t)
-+')
-+
-+optional_policy(`
- nis_read_ypserv_config(rpcd_t)
- ')
-
-+optional_policy(`
-+ quota_read_db(rpcd_t)
-+')
-+
-+optional_policy(`
-+ rgmanager_manage_tmp_files(rpcd_t)
-+')
-+
- ########################################
- #
- # NFSD local policy
- #
-
- allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
-+dontaudit nfsd_t self:capability sys_rawio;
-
- allow nfsd_t exports_t:file read_file_perms;
- allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
-@@ -120,9 +151,16 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
- kernel_read_system_state(nfsd_t)
- kernel_read_network_state(nfsd_t)
- kernel_dontaudit_getattr_core_if(nfsd_t)
-+kernel_setsched(nfsd_t)
-+kernel_request_load_module(nfsd_t)
-+kernel_mounton_proc(nfsd_t)
-+
-+corecmd_exec_shell(nfsd_t)
-
- corenet_tcp_bind_all_rpc_ports(nfsd_t)
- corenet_udp_bind_all_rpc_ports(nfsd_t)
-+corenet_tcp_bind_nfs_port(nfsd_t)
-+corenet_udp_bind_nfs_port(nfsd_t)
-
- dev_dontaudit_getattr_all_blk_files(nfsd_t)
- dev_dontaudit_getattr_all_chr_files(nfsd_t)
-@@ -135,12 +173,12 @@ files_getattr_tmp_dirs(nfsd_t)
- # cjp: this should really have its own type
- files_manage_mounttab(nfsd_t)
- files_read_etc_runtime_files(nfsd_t)
-+files_read_usr_files(nfsd_t)
-
- fs_mount_nfsd_fs(nfsd_t)
--fs_search_nfsd_fs(nfsd_t)
- fs_getattr_all_fs(nfsd_t)
- fs_getattr_all_dirs(nfsd_t)
--fs_rw_nfsd_fs(nfsd_t)
-+fs_manage_nfsd_fs(nfsd_t)
-
- storage_dontaudit_read_fixed_disk(nfsd_t)
- storage_raw_read_removable_device(nfsd_t)
-@@ -148,8 +186,11 @@ storage_raw_read_removable_device(nfsd_t)
- # Read access to public_content_t and public_content_rw_t
- miscfiles_read_public_files(nfsd_t)
-
-+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
-+userdom_list_user_tmp(nfsd_t)
-+
- # Write access to public_content_t and public_content_rw_t
--tunable_policy(`allow_nfsd_anon_write',`
-+tunable_policy(`nfsd_anon_write',`
- miscfiles_manage_public_files(nfsd_t)
- ')
-
-@@ -158,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',`
- dev_getattr_all_chr_files(nfsd_t)
-
- fs_read_noxattr_fs_files(nfsd_t)
-- files_manage_non_auth_files(nfsd_t)
- ')
-
- tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +210,12 @@ tunable_policy(`nfs_export_all_ro',`
-
- fs_read_noxattr_fs_files(nfsd_t)
-
-- files_list_non_auth_dirs(nfsd_t)
-- files_read_non_auth_files(nfsd_t)
-+ files_read_non_security_files(nfsd_t)
-+')
-+
-+optional_policy(`
-+ mount_exec(nfsd_t)
-+ mount_manage_pid_files(nfsd_t)
- ')
-
- ########################################
-@@ -181,7 +225,7 @@ tunable_policy(`nfs_export_all_ro',`
-
- allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
- allow gssd_t self:process { getsched setsched };
--allow gssd_t self:fifo_file rw_file_perms;
-+allow gssd_t self:fifo_file rw_fifo_file_perms;
-
- manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
- manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +243,7 @@ corecmd_exec_bin(gssd_t)
- fs_list_rpc(gssd_t)
- fs_rw_rpc_sockets(gssd_t)
- fs_read_rpc_files(gssd_t)
-+fs_read_nfsd_files(gssd_t)
-
- fs_list_inotifyfs(gssd_t)
- files_list_tmp(gssd_t)
-@@ -210,14 +255,14 @@ auth_manage_cache(gssd_t)
-
- miscfiles_read_generic_certs(gssd_t)
-
--mount_signal(gssd_t)
--
- userdom_signal_all_users(gssd_t)
-
--tunable_policy(`allow_gssd_read_tmp',`
-+tunable_policy(`gssd_read_tmp',`
- userdom_list_user_tmp(gssd_t)
- userdom_read_user_tmp_files(gssd_t)
- userdom_read_user_tmp_symlinks(gssd_t)
-+ userdom_write_user_tmp_files(gssd_t)
-+ files_read_generic_tmp_files(gssd_t)
- ')
-
- optional_policy(`
-@@ -226,6 +271,11 @@ optional_policy(`
-
- optional_policy(`
- kerberos_keytab_template(gssd, gssd_t)
-+ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
-+')
-+
-+optional_policy(`
-+ mount_signal(gssd_t)
- ')
-
- optional_policy(`
-diff --git a/rpcbind.fc b/rpcbind.fc
-index f5c47d6..164ce1f 100644
---- a/rpcbind.fc
-+++ b/rpcbind.fc
-@@ -2,8 +2,10 @@
-
- /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
-
-+/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
-+
-+/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
- /var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
-
- /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
--/var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
--/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
-+/var/run/rpcbind.* gen_context(system_u:object_r:rpcbind_var_run_t,s0)
-diff --git a/rpcbind.if b/rpcbind.if
-index a96249c..ff1163f 100644
---- a/rpcbind.if
-+++ b/rpcbind.if
-@@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',`
- ')
-
- files_search_pids($1)
-- allow $1 rpcbind_var_run_t:sock_file write;
-- allow $1 rpcbind_t:unix_stream_socket connectto;
-+ stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)
- ')
-
- ########################################
-@@ -117,6 +116,60 @@ interface(`rpcbind_manage_lib_files',`
-
- ########################################
- ##
-+## Send a null signal to rpcbind.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rpcbind_signull',`
-+ gen_require(`
-+ type rpcbind_t;
-+ ')
-+
-+ allow $1 rpcbind_t:process signull;
-+')
-+
-+########################################
-+##
-+## Transition to rpcbind named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rpcbind_filetrans_named_content',`
-+ gen_require(`
-+ type rpcbind_var_run_t;
-+ ')
-+
-+ files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock")
-+')
-+
-+########################################
-+##
-+## Relabel from rpcbind sock file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rpcbind_relabel_sock_file',`
-+ gen_require(`
-+ type rpcbind_var_run_t;
-+ ')
-+
-+ allow $1 rpcbind_var_run_t:sock_file relabel_sock_file_perms;
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an rpcbind environment
- ##
-@@ -138,11 +191,20 @@ interface(`rpcbind_admin',`
- type rpcbind_initrc_exec_t;
- ')
-
-- allow $1 rpcbind_t:process { ptrace signal_perms };
-+ allow $1 rpcbind_t:process signal_perms;
- ps_process_pattern($1, rpcbind_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 rpcbind_t:process ptrace;
-+ ')
-
-- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
-+ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rpcbind_initrc_exec_t system_r;
- allow $2 system_r;
-+
-+ files_list_var_lib($1)
-+ admin_pattern($1, rpcbind_var_lib_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, rpcbind_var_run_t)
- ')
-diff --git a/rpcbind.te b/rpcbind.te
-index a63e9ee..e4a0c9b 100644
---- a/rpcbind.te
-+++ b/rpcbind.te
-@@ -43,7 +43,8 @@ kernel_read_system_state(rpcbind_t)
- kernel_read_network_state(rpcbind_t)
- kernel_request_load_module(rpcbind_t)
-
--corenet_all_recvfrom_unlabeled(rpcbind_t)
-+corecmd_exec_shell(rpcbind_t)
-+
- corenet_all_recvfrom_netlabel(rpcbind_t)
- corenet_tcp_sendrecv_generic_if(rpcbind_t)
- corenet_udp_sendrecv_generic_if(rpcbind_t)
-@@ -62,8 +63,16 @@ domain_use_interactive_fds(rpcbind_t)
- files_read_etc_files(rpcbind_t)
- files_read_etc_runtime_files(rpcbind_t)
-
--logging_send_syslog_msg(rpcbind_t)
-+auth_read_passwd(rpcbind_t)
-
--miscfiles_read_localization(rpcbind_t)
-+logging_send_syslog_msg(rpcbind_t)
-
- sysnet_dns_name_resolve(rpcbind_t)
-+
-+ifdef(`hide_broken_symptoms',`
-+ dontaudit rpcbind_t self:udp_socket listen;
-+')
-+
-+optional_policy(`
-+ nis_use_ypbind(rpcbind_t)
-+')
-diff --git a/rpm.fc b/rpm.fc
-index b2a0b6a..ee55335 100644
---- a/rpm.fc
-+++ b/rpm.fc
-@@ -2,10 +2,12 @@
- /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
- /usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
-+/usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
- /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
- /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -20,12 +22,18 @@
- /usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
- ifdef(`distro_redhat', `
-+/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
- ')
-
- /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-@@ -36,9 +44,10 @@ ifdef(`distro_redhat', `
- /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
- /var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-
--/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
- /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
-
-+/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-+
- /var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
- /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
-
-diff --git a/rpm.if b/rpm.if
-index 951d8f6..bedc8ae 100644
---- a/rpm.if
-+++ b/rpm.if
-@@ -13,10 +13,13 @@
- interface(`rpm_domtrans',`
- gen_require(`
- type rpm_t, rpm_exec_t;
-+ attribute rpm_transition_domain;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, rpm_exec_t, rpm_t)
-+ typeattribute $1 rpm_transition_domain;
-+ rpm_debuginfo_domtrans($1)
- ')
-
- ########################################
-@@ -78,11 +81,19 @@ interface(`rpm_domtrans_script',`
- #
- interface(`rpm_run',`
- gen_require(`
-- attribute_role rpm_roles;
-+ type rpm_t, rpm_script_t;
- ')
-
- rpm_domtrans($1)
-- roleattribute $2 rpm_roles;
-+ role $2 types { rpm_t rpm_script_t };
-+
-+ domain_system_change_exemption($1)
-+ role_transition $2 rpm_exec_t system_r;
-+ allow $2 system_r;
-+
-+ seutil_run_loadpolicy(rpm_script_t, $2)
-+ seutil_run_semanage(rpm_script_t, $2)
-+ seutil_run_setfiles(rpm_script_t, $2)
- ')
-
- ########################################
-@@ -178,6 +189,42 @@ interface(`rpm_rw_pipes',`
-
- ########################################
- ##
-+## dontaudit read and write an leaked file descriptors
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`rpm_dontaudit_leaks',`
-+ gen_require(`
-+ type rpm_t, rpm_var_cache_t;
-+ type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
-+ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
-+ ')
-+
-+ dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
-+ dontaudit $1 rpm_t:tcp_socket { read write };
-+ dontaudit $1 rpm_t:unix_dgram_socket { read write };
-+ dontaudit $1 rpm_t:shm rw_shm_perms;
-+
-+ dontaudit $1 rpm_script_t:fd use;
-+ dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
-+
-+ dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
-+
-+ dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
-+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
-+ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
-+ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
-+ dontaudit $1 rpm_var_lib_t:dir getattr;
-+ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
-+ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Send and receive messages from
- ## rpm over dbus.
- ##
-@@ -274,8 +321,7 @@ interface(`rpm_append_log',`
- type rpm_log_t;
- ')
-
-- logging_search_logs($1)
-- append_files_pattern($1, rpm_log_t, rpm_log_t)
-+ allow $1 rpm_log_t:file append_inherited_file_perms;
- ')
-
- ########################################
-@@ -332,7 +378,9 @@ interface(`rpm_manage_script_tmp_files',`
- ')
-
- files_search_tmp($1)
-+ manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
- manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
-+ manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
- ')
-
- #####################################
-@@ -351,8 +399,7 @@ interface(`rpm_append_tmp_files',`
- type rpm_tmp_t;
- ')
-
-- files_search_tmp($1)
-- append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
-+ allow $1 rpm_tmp_t:file append_inherited_file_perms;
- ')
-
- ########################################
-@@ -372,7 +419,9 @@ interface(`rpm_manage_tmp_files',`
- ')
-
- files_search_tmp($1)
-+ manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
- manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
-+ manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
- ')
-
- ########################################
-@@ -456,6 +505,7 @@ interface(`rpm_read_db',`
- allow $1 rpm_var_lib_t:dir list_dir_perms;
- read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
- read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
-+ rpm_read_cache($1)
- ')
-
- ########################################
-@@ -513,7 +563,7 @@ interface(`rpm_dontaudit_manage_db',`
- type rpm_var_lib_t;
- ')
-
-- dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
-+ dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
- dontaudit $1 rpm_var_lib_t:file manage_file_perms;
- dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
- ')
-@@ -573,3 +623,66 @@ interface(`rpm_pid_filetrans',`
-
- files_pid_filetrans($1, rpm_var_run_t, file)
- ')
-+
-+########################################
-+##
-+## Send a null signal to rpm.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rpm_inherited_fifo',`
-+ gen_require(`
-+ attribute rpm_transition_domain;
-+ ')
-+
-+ allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+
-+########################################
-+##
-+## Make rpm_exec_t an entry point for
-+## the specified domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rpm_entry_type',`
-+ gen_require(`
-+ type rpm_exec_t;
-+ ')
-+
-+ domain_entry_file($1, rpm_exec_t)
-+')
-+
-+########################################
-+##
-+## Allow application to transition to rpm_script domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rpm_transition_script',`
-+ gen_require(`
-+ type rpm_script_t;
-+ attribute rpm_transition_domain;
-+ ')
-+
-+ typeattribute $1 rpm_transition_domain;
-+ allow $1 rpm_script_t:process transition;
-+
-+ allow $1 rpm_script_t:fd use;
-+ allow rpm_script_t $1:fd use;
-+ allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
-+ allow rpm_script_t $1:process sigchld;
-+')
-diff --git a/rpm.te b/rpm.te
-index 60149a5..b33a77d 100644
---- a/rpm.te
-+++ b/rpm.te
-@@ -1,15 +1,11 @@
- policy_module(rpm, 1.15.0)
-
-+attribute rpm_transition_domain;
-+
- ########################################
- #
- # Declarations
- #
--
--attribute_role rpm_roles;
--
--type debuginfo_exec_t;
--domain_entry_file(rpm_t, debuginfo_exec_t)
--
- type rpm_t;
- type rpm_exec_t;
- init_system_domain(rpm_t, rpm_exec_t)
-@@ -17,7 +13,10 @@ domain_obj_id_change_exemption(rpm_t)
- domain_role_change_exemption(rpm_t)
- domain_system_change_exemption(rpm_t)
- domain_interactive_fd(rpm_t)
--role rpm_roles types rpm_t;
-+role system_r types rpm_t;
-+
-+type debuginfo_exec_t;
-+domain_entry_file(rpm_t, debuginfo_exec_t)
-
- type rpm_file_t;
- files_type(rpm_file_t)
-@@ -50,7 +49,6 @@ corecmd_bin_entry_type(rpm_script_t)
- domain_type(rpm_script_t)
- domain_entry_file(rpm_t, rpm_script_exec_t)
- domain_interactive_fd(rpm_script_t)
--role rpm_roles types rpm_script_t;
- role system_r types rpm_script_t;
-
- type rpm_script_tmp_t;
-@@ -80,6 +78,9 @@ allow rpm_t self:shm create_shm_perms;
- allow rpm_t self:sem create_sem_perms;
- allow rpm_t self:msgq create_msgq_perms;
- allow rpm_t self:msg { send receive };
-+allow rpm_t self:dir search;
-+allow rpm_t self:file rw_file_perms;;
-+allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
-
- allow rpm_t rpm_log_t:file manage_file_perms;
- logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -105,17 +106,19 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
- manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
- files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
-
-+manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
- manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
--files_pid_filetrans(rpm_t, rpm_var_run_t, file)
-+files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir })
-
- kernel_read_crypto_sysctls(rpm_t)
- kernel_read_network_state(rpm_t)
- kernel_read_system_state(rpm_t)
- kernel_read_kernel_sysctls(rpm_t)
-+kernel_read_network_state_symlinks(rpm_t)
-+kernel_rw_irq_sysctls(rpm_t)
-
- corecmd_exec_all_executables(rpm_t)
-
--corenet_all_recvfrom_unlabeled(rpm_t)
- corenet_all_recvfrom_netlabel(rpm_t)
- corenet_tcp_sendrecv_generic_if(rpm_t)
- corenet_raw_sendrecv_generic_if(rpm_t)
-@@ -131,6 +134,19 @@ corenet_sendrecv_all_client_packets(rpm_t)
- dev_list_sysfs(rpm_t)
- dev_list_usbfs(rpm_t)
- dev_read_urand(rpm_t)
-+dev_read_raw_memory(rpm_t)
-+dev_manage_all_dev_nodes(rpm_t)
-+
-+#devices_manage_all_device_types(rpm_t)
-+dev_create_generic_blk_files(rpm_t)
-+dev_create_generic_chr_files(rpm_t)
-+dev_delete_all_blk_files(rpm_t)
-+dev_delete_all_chr_files(rpm_t)
-+dev_relabel_all_dev_nodes(rpm_t)
-+dev_rename_generic_blk_files(rpm_t)
-+dev_rename_generic_chr_files(rpm_t)
-+dev_setattr_all_blk_files(rpm_t)
-+dev_setattr_all_chr_files(rpm_t)
-
- fs_getattr_all_dirs(rpm_t)
- fs_list_inotifyfs(rpm_t)
-@@ -158,8 +174,8 @@ storage_raw_read_fixed_disk(rpm_t)
-
- term_list_ptys(rpm_t)
-
--files_relabel_non_auth_files(rpm_t)
--files_manage_non_auth_files(rpm_t)
-+files_relabel_all_files(rpm_t)
-+files_manage_all_files(rpm_t)
- auth_dontaudit_read_shadow(rpm_t)
- auth_use_nsswitch(rpm_t)
-
-@@ -168,7 +184,6 @@ rpm_domtrans_script(rpm_t)
-
- domain_read_all_domains_state(rpm_t)
- domain_getattr_all_domains(rpm_t)
--domain_dontaudit_ptrace_all_domains(rpm_t)
- domain_use_interactive_fds(rpm_t)
- domain_dontaudit_getattr_all_pipes(rpm_t)
- domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
-@@ -177,23 +192,26 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
- domain_dontaudit_getattr_all_raw_sockets(rpm_t)
- domain_dontaudit_getattr_all_stream_sockets(rpm_t)
- domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
-+domain_signull_all_domains(rpm_t)
-
- files_exec_etc_files(rpm_t)
-
- init_domtrans_script(rpm_t)
- init_use_script_ptys(rpm_t)
-+init_signull_script(rpm_t)
-
- libs_exec_ld_so(rpm_t)
- libs_exec_lib_files(rpm_t)
--libs_run_ldconfig(rpm_t, rpm_roles)
-
- logging_send_syslog_msg(rpm_t)
-
-+miscfiles_filetrans_named_content(rpm_t)
-+
- # allow compiling and loading new policy
- seutil_manage_src_policy(rpm_t)
- seutil_manage_bin_policy(rpm_t)
-
--userdom_use_user_terminals(rpm_t)
-+userdom_use_inherited_user_terminals(rpm_t)
- userdom_use_unpriv_users_fds(rpm_t)
-
- optional_policy(`
-@@ -211,14 +229,15 @@ optional_policy(`
- optional_policy(`
- networkmanager_dbus_chat(rpm_t)
- ')
-+
- ')
-
- optional_policy(`
-- prelink_run(rpm_t, rpm_roles)
-+ prelink_domtrans(rpm_t)
- ')
-
- optional_policy(`
-- unconfined_domain(rpm_t)
-+ unconfined_domain_noaudit(rpm_t)
- # yum-updatesd requires this
- unconfined_dbus_chat(rpm_t)
- unconfined_dbus_chat(rpm_script_t)
-@@ -229,7 +248,8 @@ optional_policy(`
- # rpm-script Local policy
- #
-
--allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
-+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
-+
- allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
- allow rpm_script_t self:fd use;
- allow rpm_script_t self:fifo_file rw_fifo_file_perms;
-@@ -261,12 +281,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
- fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
- can_exec(rpm_script_t, rpm_script_tmpfs_t)
-
-+allow rpm_script_t rpm_t:netlink_route_socket { read write };
-+
- kernel_read_crypto_sysctls(rpm_script_t)
- kernel_read_kernel_sysctls(rpm_script_t)
- kernel_read_system_state(rpm_script_t)
- kernel_read_network_state(rpm_script_t)
-+kernel_list_all_proc(rpm_script_t)
- kernel_read_software_raid_state(rpm_script_t)
-
-+# needed by rhn_check
-+corenet_tcp_connect_http_port(rpm_script_t)
-+
- dev_list_sysfs(rpm_script_t)
-
- # ideally we would not need this
-@@ -286,7 +312,6 @@ fs_unmount_xattr_fs(rpm_script_t)
- fs_search_auto_mountpoints(rpm_script_t)
-
- mcs_killall(rpm_script_t)
--mcs_ptrace_all(rpm_script_t)
-
- mls_file_read_all_levels(rpm_script_t)
- mls_file_write_all_levels(rpm_script_t)
-@@ -303,19 +328,20 @@ storage_raw_write_fixed_disk(rpm_script_t)
-
- term_getattr_unallocated_ttys(rpm_script_t)
- term_list_ptys(rpm_script_t)
--term_use_all_terms(rpm_script_t)
-+term_use_all_inherited_terms(rpm_script_t)
-
- auth_dontaudit_getattr_shadow(rpm_script_t)
- auth_use_nsswitch(rpm_script_t)
- # ideally we would not need this
--files_manage_non_auth_files(rpm_script_t)
--auth_relabel_shadow(rpm_script_t)
-+files_manage_all_files(rpm_script_t)
-+files_relabel_all_files(rpm_script_t)
-
- corecmd_exec_all_executables(rpm_script_t)
-+can_exec(rpm_script_t, rpm_script_tmp_t)
-+can_exec(rpm_script_t, rpm_script_tmpfs_t)
-
- domain_read_all_domains_state(rpm_script_t)
- domain_getattr_all_domains(rpm_script_t)
--domain_dontaudit_ptrace_all_domains(rpm_script_t)
- domain_use_interactive_fds(rpm_script_t)
- domain_signal_all_domains(rpm_script_t)
- domain_signull_all_domains(rpm_script_t)
-@@ -328,35 +354,41 @@ files_relabel_all_files(rpm_script_t)
- init_domtrans_script(rpm_script_t)
- init_telinit(rpm_script_t)
-
-+systemd_config_all_services(rpm_script_t)
-+
- libs_exec_ld_so(rpm_script_t)
- libs_exec_lib_files(rpm_script_t)
--libs_run_ldconfig(rpm_script_t, rpm_roles)
-+libs_ldconfig_exec_entry_type(rpm_script_t)
-
- logging_send_syslog_msg(rpm_script_t)
-
--miscfiles_read_localization(rpm_script_t)
-+miscfiles_filetrans_named_content(rpm_script_t)
-
--modutils_run_depmod(rpm_script_t, rpm_roles)
--modutils_run_insmod(rpm_script_t, rpm_roles)
--
--seutil_run_loadpolicy(rpm_script_t, rpm_roles)
--seutil_run_setfiles(rpm_script_t, rpm_roles)
--seutil_run_semanage(rpm_script_t, rpm_roles)
-+seutil_domtrans_loadpolicy(rpm_script_t)
-+seutil_domtrans_setfiles(rpm_script_t)
-+seutil_domtrans_semanage(rpm_script_t)
-+seutil_domtrans_setsebool(rpm_script_t)
-
- userdom_use_all_users_fds(rpm_script_t)
-+userdom_exec_admin_home_files(rpm_script_t)
-
- ifdef(`distro_redhat',`
- optional_policy(`
- mta_send_mail(rpm_script_t)
-+ mta_system_content(rpm_var_run_t)
- ')
- ')
-
--tunable_policy(`allow_execmem',`
-+tunable_policy(`deny_execmem',`',`
- allow rpm_script_t self:process execmem;
- ')
-
- optional_policy(`
-- bootloader_run(rpm_script_t, rpm_roles)
-+ bootloader_domtrans(rpm_script_t)
-+')
-+
-+optional_policy(`
-+ cups_filetrans_named_content(rpm_script_t)
- ')
-
- optional_policy(`
-@@ -364,7 +396,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-- lvm_run(rpm_script_t, rpm_roles)
-+ lvm_domtrans(rpm_script_t)
- ')
-
- optional_policy(`
-@@ -372,8 +404,17 @@ optional_policy(`
- ')
-
- optional_policy(`
-- tzdata_run(rpm_t, rpm_roles)
-- tzdata_run(rpm_script_t, rpm_roles)
-+ modutils_domtrans_depmod(rpm_script_t)
-+ modutils_domtrans_insmod(rpm_script_t)
-+')
-+
-+optional_policy(`
-+ openshift_initrc_domtrans(rpm_script_t)
-+')
-+
-+optional_policy(`
-+ tzdata_domtrans(rpm_t)
-+ tzdata_domtrans(rpm_script_t)
- ')
-
- optional_policy(`
-@@ -381,7 +422,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-- unconfined_domain(rpm_script_t)
-+ unconfined_domain_noaudit(rpm_script_t)
- unconfined_domtrans(rpm_script_t)
-
- optional_policy(`
-@@ -394,6 +435,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- usermanage_run_groupadd(rpm_script_t, rpm_roles)
-- usermanage_run_useradd(rpm_script_t, rpm_roles)
-+ usermanage_domtrans_groupadd(rpm_script_t)
-+ usermanage_domtrans_useradd(rpm_script_t)
- ')
-diff --git a/rshd.te b/rshd.te
-index 0b405d1..23c58c2 100644
---- a/rshd.te
-+++ b/rshd.te
-@@ -22,7 +22,6 @@ allow rshd_t self:tcp_socket create_stream_socket_perms;
-
- kernel_read_kernel_sysctls(rshd_t)
-
--corenet_all_recvfrom_unlabeled(rshd_t)
- corenet_all_recvfrom_netlabel(rshd_t)
- corenet_tcp_sendrecv_generic_if(rshd_t)
- corenet_udp_sendrecv_generic_if(rshd_t)
-@@ -39,6 +38,8 @@ corenet_sendrecv_rsh_server_packets(rshd_t)
-
- dev_read_urand(rshd_t)
-
-+domain_interactive_fd(rshd_t)
-+
- selinux_get_fs_mount(rshd_t)
- selinux_validate_context(rshd_t)
- selinux_compute_access_vector(rshd_t)
-@@ -60,26 +61,16 @@ init_rw_utmp(rshd_t)
- logging_send_syslog_msg(rshd_t)
- logging_search_logs(rshd_t)
-
--miscfiles_read_localization(rshd_t)
--
- seutil_read_config(rshd_t)
- seutil_read_default_contexts(rshd_t)
-
- userdom_search_user_home_content(rshd_t)
-+userdom_manage_tmp_role(system_r, rshd_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(rshd_t)
-- fs_read_nfs_symlinks(rshd_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(rshd_t)
-- fs_read_cifs_symlinks(rshd_t)
--')
-+userdom_home_reader(rshd_t)
-
- optional_policy(`
- kerberos_keytab_template(rshd, rshd_t)
-- kerberos_manage_host_rcache(rshd_t)
- ')
-
- optional_policy(`
-diff --git a/rssh.fc b/rssh.fc
-index 4c091ca..a58f123 100644
---- a/rssh.fc
-+++ b/rssh.fc
-@@ -1 +1,3 @@
- /usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0)
-+
-+/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
-diff --git a/rssh.te b/rssh.te
-index ffb9605..4bb7119 100644
---- a/rssh.te
-+++ b/rssh.te
-@@ -63,7 +63,6 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
- kernel_read_system_state(rssh_t)
- kernel_read_kernel_sysctls(rssh_t)
-
--files_read_etc_files(rssh_t)
- files_read_etc_runtime_files(rssh_t)
- files_list_home(rssh_t)
- files_read_usr_files(rssh_t)
-@@ -73,8 +72,6 @@ fs_search_auto_mountpoints(rssh_t)
-
- logging_send_syslog_msg(rssh_t)
-
--miscfiles_read_localization(rssh_t)
--
- rssh_domtrans_chroot_helper(rssh_t)
-
- ssh_rw_tcp_sockets(rssh_t)
-@@ -95,10 +92,6 @@ allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms;
-
- domain_use_interactive_fds(rssh_chroot_helper_t)
-
--files_read_etc_files(rssh_chroot_helper_t)
--
- auth_use_nsswitch(rssh_chroot_helper_t)
-
- logging_send_syslog_msg(rssh_chroot_helper_t)
--
--miscfiles_read_localization(rssh_chroot_helper_t)
-diff --git a/rsync.fc b/rsync.fc
-index 479615b..2d77839 100644
---- a/rsync.fc
-+++ b/rsync.fc
-@@ -2,6 +2,6 @@
-
- /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
-
--/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
-+/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)
-
- /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
-diff --git a/rsync.if b/rsync.if
-index 3386f29..8d8f6c5 100644
---- a/rsync.if
-+++ b/rsync.if
-@@ -119,7 +119,7 @@ interface(`rsync_read_config',`
- type rsync_etc_t;
- ')
-
-- allow $1 rsync_etc_t:file read_file_perms;
-+ read_files_pattern($1, rsync_etc_t, rsync_etc_t)
- files_search_etc($1)
- ')
-
-@@ -128,9 +128,9 @@ interface(`rsync_read_config',`
- ## Write to rsync config files.
- ##
- ##
--##
-+##
- ## Domain allowed access.
--##
-+##
- ##
- #
- interface(`rsync_write_config',`
-@@ -138,6 +138,49 @@ interface(`rsync_write_config',`
- type rsync_etc_t;
- ')
-
-- allow $1 rsync_etc_t:file read_file_perms;
-+ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
-+ files_search_etc($1)
-+')
-+
-+########################################
-+##
-+## Manage rsync config files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rsync_manage_config',`
-+ gen_require(`
-+ type rsync_etc_t;
-+ ')
-+
-+ manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
- files_search_etc($1)
- ')
-+
-+########################################
-+##
-+## Create objects in etc directories
-+## with rsync etc type.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## Class of the object being created.
-+##
-+##
-+#
-+interface(`rsync_filetrans_config',`
-+ gen_require(`
-+ type rsync_etc_t;
-+ ')
-+
-+ files_etc_filetrans($1, rsync_etc_t, $2)
-+')
-diff --git a/rsync.te b/rsync.te
-index 2834d86..8fdd060 100644
---- a/rsync.te
-+++ b/rsync.te
-@@ -7,6 +7,27 @@ policy_module(rsync, 1.12.0)
-
- ##
- ##
-+## Allow rsync servers to share cifs files systems
-+##
-+##
-+gen_tunable(rsync_use_cifs, false)
-+
-+##
-+##
-+## Allow rsync servers to share nfs files systems
-+##
-+##
-+gen_tunable(rsync_use_nfs, false)
-+
-+##
-+##
-+## Allow rsync to run as a client
-+##
-+##
-+gen_tunable(rsync_client, false)
-+
-+##
-+##
- ## Allow rsync to export any files/directories read only.
- ##
- ##
-@@ -19,7 +40,7 @@ gen_tunable(rsync_export_all_ro, false)
- ## labeled public_content_rw_t.
- ##
- ##
--gen_tunable(allow_rsync_anon_write, false)
-+gen_tunable(rsync_anon_write, false)
-
- type rsync_t;
- type rsync_exec_t;
-@@ -59,7 +80,7 @@ allow rsync_t self:udp_socket connected_socket_perms;
- allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
- #end for identd
-
--allow rsync_t rsync_etc_t:file read_file_perms;
-+read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
-
- allow rsync_t rsync_data_t:dir list_dir_perms;
- read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
-@@ -79,7 +100,6 @@ kernel_read_kernel_sysctls(rsync_t)
- kernel_read_system_state(rsync_t)
- kernel_read_network_state(rsync_t)
-
--corenet_all_recvfrom_unlabeled(rsync_t)
- corenet_all_recvfrom_netlabel(rsync_t)
- corenet_tcp_sendrecv_generic_if(rsync_t)
- corenet_udp_sendrecv_generic_if(rsync_t)
-@@ -94,18 +114,19 @@ corenet_sendrecv_rsync_server_packets(rsync_t)
- dev_read_urand(rsync_t)
-
- fs_getattr_xattr_fs(rsync_t)
-+fs_search_auto_mountpoints(rsync_t)
-
--files_read_etc_files(rsync_t)
- files_search_home(rsync_t)
-
- auth_use_nsswitch(rsync_t)
-
- logging_send_syslog_msg(rsync_t)
-
--miscfiles_read_localization(rsync_t)
- miscfiles_read_public_files(rsync_t)
-
--tunable_policy(`allow_rsync_anon_write',`
-+userdom_home_manager(rsync_t)
-+
-+tunable_policy(`rsync_anon_write',`
- miscfiles_manage_public_files(rsync_t)
- ')
-
-@@ -122,12 +143,26 @@ optional_policy(`
- ')
-
- tunable_policy(`rsync_export_all_ro',`
-- fs_read_noxattr_fs_files(rsync_t)
-+ files_getattr_all_pipes(rsync_t)
-+ fs_read_noxattr_fs_files(rsync_t)
- fs_read_nfs_files(rsync_t)
- fs_read_cifs_files(rsync_t)
-- files_list_non_auth_dirs(rsync_t)
-- files_read_non_auth_files(rsync_t)
-- files_read_non_auth_symlinks(rsync_t)
-+ files_read_non_security_files(rsync_t)
- auth_tunable_read_shadow(rsync_t)
- ')
-+
-+tunable_policy(`rsync_client',`
-+ corenet_tcp_connect_rsync_port(rsync_t)
-+ corenet_tcp_connect_ssh_port(rsync_t)
-+ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
-+ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
-+ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`rsync_client',`
-+ ssh_exec(rsync_t)
-+ ')
-+')
-+
- auth_can_read_shadow_passwords(rsync_t)
-diff --git a/rtkit.if b/rtkit.if
-index 46dad1f..051addd 100644
---- a/rtkit.if
-+++ b/rtkit.if
-@@ -41,6 +41,28 @@ interface(`rtkit_daemon_dbus_chat',`
-
- ########################################
- ##
-+## Do not audit send and receive messages from
-+## rtkit_daemon over dbus.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`rtkit_daemon_dontaudit_dbus_chat',`
-+ gen_require(`
-+ type rtkit_daemon_t;
-+ class dbus send_msg;
-+ ')
-+
-+ dontaudit $1 rtkit_daemon_t:dbus send_msg;
-+ dontaudit rtkit_daemon_t $1:dbus send_msg;
-+ dontaudit rtkit_daemon_t $1:process { getsched setsched };
-+')
-+
-+########################################
-+##
- ## Allow rtkit to control scheduling for your process
- ##
- ##
-@@ -54,6 +76,7 @@ interface(`rtkit_scheduled',`
- type rtkit_daemon_t;
- ')
-
-+ kernel_search_proc($1)
- ps_process_pattern(rtkit_daemon_t, $1)
- allow rtkit_daemon_t $1:process { getsched setsched };
- rtkit_daemon_dbus_chat($1)
-diff --git a/rtkit.te b/rtkit.te
-index 6f8e268..eaad2c5 100644
---- a/rtkit.te
-+++ b/rtkit.te
-@@ -7,7 +7,7 @@ policy_module(rtkit, 1.1.0)
-
- type rtkit_daemon_t;
- type rtkit_daemon_exec_t;
--dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
-+init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
-
- ########################################
- #
-@@ -28,8 +28,9 @@ auth_use_nsswitch(rtkit_daemon_t)
-
- logging_send_syslog_msg(rtkit_daemon_t)
-
--miscfiles_read_localization(rtkit_daemon_t)
--
-+optional_policy(`
-+ dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
-+')
- optional_policy(`
- policykit_dbus_chat(rtkit_daemon_t)
- ')
-diff --git a/rwho.if b/rwho.if
-index 71ea0ea..886a45e 100644
---- a/rwho.if
-+++ b/rwho.if
-@@ -138,8 +138,11 @@ interface(`rwho_admin',`
- type rwho_initrc_exec_t;
- ')
-
-- allow $1 rwho_t:process { ptrace signal_perms };
-+ allow $1 rwho_t:process signal_perms;
- ps_process_pattern($1, rwho_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 rwho_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, rwho_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/rwho.te b/rwho.te
-index a07b2f4..22e0db0 100644
---- a/rwho.te
-+++ b/rwho.te
-@@ -16,7 +16,7 @@ type rwho_log_t;
- files_type(rwho_log_t)
-
- type rwho_spool_t;
--files_type(rwho_spool_t)
-+files_spool_file(rwho_spool_t)
-
- ########################################
- #
-@@ -24,6 +24,7 @@ files_type(rwho_spool_t)
- #
-
- allow rwho_t self:capability sys_chroot;
-+allow rwho_t self:process signal;
- allow rwho_t self:unix_dgram_socket create;
- allow rwho_t self:fifo_file rw_file_perms;
- allow rwho_t self:unix_stream_socket create_stream_socket_perms;
-@@ -39,7 +40,6 @@ files_spool_filetrans(rwho_t, rwho_spool_t, { file dir })
-
- kernel_read_system_state(rwho_t)
-
--corenet_all_recvfrom_unlabeled(rwho_t)
- corenet_all_recvfrom_netlabel(rwho_t)
- corenet_udp_sendrecv_generic_if(rwho_t)
- corenet_udp_sendrecv_generic_node(rwho_t)
-@@ -55,6 +55,8 @@ files_read_etc_files(rwho_t)
- init_read_utmp(rwho_t)
- init_dontaudit_write_utmp(rwho_t)
-
--miscfiles_read_localization(rwho_t)
-+logging_send_syslog_msg(rwho_t)
-
- sysnet_dns_name_resolve(rwho_t)
-+
-+userdom_getattr_user_terminals(rwho_t)
-diff --git a/samba.fc b/samba.fc
-index 69a6074..2ccac49 100644
---- a/samba.fc
-+++ b/samba.fc
-@@ -14,6 +14,9 @@
- #
- # /usr
- #
-+/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
-+/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
-+
- /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
- /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
- /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
-@@ -31,11 +34,17 @@
- /var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
- /var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-
-+/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-+
- /var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
- /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-
- /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
-
-+/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
-+/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
-+
-+/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
- /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
- /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
- /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-@@ -48,6 +57,11 @@
- /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
- /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
-
-+/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
- /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-
- /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-+
-+ifndef(`enable_mls',`
-+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
-+')
-diff --git a/samba.if b/samba.if
-index 82cb169..a6bab06 100644
---- a/samba.if
-+++ b/samba.if
-@@ -42,6 +42,44 @@ interface(`samba_signal_nmbd',`
-
- ########################################
- ##
-+## Search the samba pid directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`samba_search_pid',`
-+ gen_require(`
-+ type smbd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 smbd_var_run_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Connect to nmbd.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`samba_stream_connect_nmbd',`
-+ gen_require(`
-+ type nmbd_t, nmbd_var_run_t;
-+ ')
-+
-+ samba_search_pid($1)
-+ stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
-+')
-+
-+########################################
-+##
- ## Execute samba server in the samba domain.
- ##
- ##
-@@ -60,6 +98,29 @@ interface(`samba_initrc_domtrans',`
-
- ########################################
- ##
-+## Execute samba server in the samba domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`samba_systemctl',`
-+ gen_require(`
-+ type samba_unit_file_t;
-+ type smbd_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 samba_unit_file_t:file read_file_perms;
-+ allow $1 samba_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, smbd_t)
-+')
-+
-+########################################
-+##
- ## Execute samba net in the samba_net domain.
- ##
- ##
-@@ -79,6 +140,25 @@ interface(`samba_domtrans_net',`
-
- ########################################
- ##
-+## Execute samba net in the samba_unconfined_net domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`samba_domtrans_unconfined_net',`
-+ gen_require(`
-+ type samba_unconfined_net_t, samba_net_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
-+')
-+
-+########################################
-+##
- ## Execute samba net in the samba_net domain, and
- ## allow the specified role the samba_net domain.
- ##
-@@ -103,6 +183,51 @@ interface(`samba_run_net',`
- role $2 types samba_net_t;
- ')
-
-+#######################################
-+##
-+## The role for the samba module.
-+##
-+##
-+##
-+## The role to be allowed the samba_net domain.
-+##
-+##
-+##
-+#
-+interface(`samba_role_notrans',`
-+ gen_require(`
-+ type smbd_t;
-+ ')
-+
-+ role $1 types smbd_t;
-+')
-+
-+########################################
-+##
-+## Execute samba net in the samba_unconfined_net domain, and
-+## allow the specified role the samba_unconfined_net domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The role to be allowed the samba_unconfined_net domain.
-+##
-+##
-+##
-+#
-+interface(`samba_run_unconfined_net',`
-+ gen_require(`
-+ type samba_unconfined_net_t;
-+ ')
-+
-+ samba_domtrans_unconfined_net($1)
-+ role $2 types samba_unconfined_net_t;
-+')
-+
- ########################################
- ##
- ## Execute smbmount in the smbmount domain.
-@@ -166,6 +291,7 @@ interface(`samba_read_config',`
- ')
-
- files_search_etc($1)
-+ list_dirs_pattern($1, samba_etc_t, samba_etc_t)
- read_files_pattern($1, samba_etc_t, samba_etc_t)
- ')
-
-@@ -409,9 +535,10 @@ interface(`samba_manage_var_files',`
- type samba_var_t;
- ')
-
-- files_search_var($1)
-+ files_search_var_lib($1)
- files_search_var_lib($1)
- manage_files_pattern($1, samba_var_t, samba_var_t)
-+ manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
- ')
-
- ########################################
-@@ -548,6 +675,24 @@ interface(`samba_rw_smbmount_tcp_sockets',`
- allow $1 smbmount_t:tcp_socket { read write };
- ')
-
-+#######################################
-+##
-+## Allow to getattr on winbind binary.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`samba_getattr_winbind',`
-+ gen_require(`
-+ type winbind_exec_t;
-+ ')
-+
-+ allow $1 winbind_exec_t:file getattr;
-+')
-+
- ########################################
- ##
- ## Execute winbind_helper in the winbind_helper domain.
-@@ -564,6 +709,7 @@ interface(`samba_domtrans_winbind_helper',`
- ')
-
- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
-+ allow $1 winbind_helper_t:process signal;
- ')
-
- ########################################
-@@ -607,7 +753,7 @@ interface(`samba_read_winbind_pid',`
- type winbind_var_run_t;
- ')
-
-- files_search_pids($1)
-+ samba_search_pid($1)
- allow $1 winbind_var_run_t:file read_file_perms;
- ')
-
-@@ -626,9 +772,10 @@ interface(`samba_stream_connect_winbind',`
- type samba_var_t, winbind_t, winbind_var_run_t;
- ')
-
-- files_search_pids($1)
-+ samba_search_pid($1)
- allow $1 samba_var_t:dir search_dir_perms;
- stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
-+ samba_read_config($1)
-
- ifndef(`distro_redhat',`
- gen_require(`
-@@ -644,6 +791,37 @@ interface(`samba_stream_connect_winbind',`
-
- ########################################
- ##
-+## Create a set of derived types for apache
-+## web content.
-+##
-+##
-+##
-+## The prefix to be used for deriving type names.
-+##
-+##
-+#
-+template(`samba_helper_template',`
-+ gen_require(`
-+ type smbd_t;
-+ role system_r;
-+ ')
-+
-+ #This type is for samba helper scripts
-+ type samba_$1_script_t;
-+ domain_type(samba_$1_script_t)
-+ role system_r types samba_$1_script_t;
-+
-+ # This type is used for executable scripts files
-+ type samba_$1_script_exec_t;
-+ corecmd_shell_entry_type(samba_$1_script_t)
-+ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
-+
-+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
-+ allow smbd_t samba_$1_script_exec_t:file ioctl;
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an samba environment
- ##
-@@ -661,33 +839,33 @@ interface(`samba_stream_connect_winbind',`
- #
- interface(`samba_admin',`
- gen_require(`
-- type nmbd_t, nmbd_var_run_t;
-- type smbd_t, smbd_tmp_t;
-- type smbd_var_run_t;
-- type smbd_spool_t;
--
-- type samba_log_t, samba_var_t;
-- type samba_etc_t, samba_share_t;
-- type samba_secrets_t;
--
-- type swat_var_run_t, swat_tmp_t;
--
-- type winbind_var_run_t, winbind_tmp_t;
-- type winbind_log_t;
--
-- type samba_initrc_exec_t;
-+ type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
-+ type smbd_t, smbd_tmp_t, samba_secrets_t;
-+ type samba_initrc_exec_t, samba_log_t, samba_var_t;
-+ type samba_etc_t, samba_share_t, winbind_log_t;
-+ type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t;
-+ type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
-+ type samba_unit_file_t;
- ')
-
-- allow $1 smbd_t:process { ptrace signal_perms };
-+ allow $1 smbd_t:process signal_perms;
- ps_process_pattern($1, smbd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 smbd_t:process ptrace;
-+ allow $1 nmbd_t:process ptrace;
-+ allow $1 samba_unconfined_script_t:process ptrace;
-+ ')
-
-- allow $1 nmbd_t:process { ptrace signal_perms };
-+ allow $1 nmbd_t:process signal_perms;
- ps_process_pattern($1, nmbd_t)
-
-- samba_run_smbcontrol($1, $2, $3)
-- samba_run_winbind_helper($1, $2, $3)
-- samba_run_smbmount($1, $2, $3)
-- samba_run_net($1, $2, $3)
-+ allow $1 samba_unconfined_script_t:process signal_perms;
-+ ps_process_pattern($1, samba_unconfined_script_t)
-+
-+ samba_run_smbcontrol($1, $2)
-+ samba_run_winbind_helper($1, $2)
-+ samba_run_smbmount($1, $2)
-+ samba_run_net($1, $2)
-
- init_labeled_script_domtrans($1, samba_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -709,9 +887,6 @@ interface(`samba_admin',`
- admin_pattern($1, samba_var_t)
- files_list_var($1)
-
-- admin_pattern($1, smbd_spool_t)
-- files_list_spool($1)
--
- admin_pattern($1, smbd_var_run_t)
- files_list_pids($1)
-
-@@ -727,4 +902,9 @@ interface(`samba_admin',`
- admin_pattern($1, winbind_tmp_t)
-
- admin_pattern($1, winbind_var_run_t)
-+ admin_pattern($1, samba_unconfined_script_exec_t)
-+
-+ samba_systemctl($1)
-+ admin_pattern($1, samba_unit_file_t)
-+ allow $1 samba_unit_file_t:service all_service_perms;
- ')
-diff --git a/samba.te b/samba.te
-index 905883f..7e70344 100644
---- a/samba.te
-+++ b/samba.te
-@@ -12,7 +12,7 @@ policy_module(samba, 1.15.0)
- ## public_content_rw_t.
- ##
- ##
--gen_tunable(allow_smbd_anon_write, false)
-+gen_tunable(smbd_anon_write, false)
-
- ##
- ##
-@@ -32,6 +32,14 @@ gen_tunable(samba_domain_controller, false)
-
- ##
- ##
-+## Allow samba to act as a portmapper
-+##
-+##
-+##
-+gen_tunable(samba_portmapper, false)
-+
-+##
-+##
- ## Allow samba to share users home directories.
- ##
- ##
-@@ -85,6 +93,9 @@ files_config_file(samba_etc_t)
- type samba_initrc_exec_t;
- init_script_file(samba_initrc_exec_t)
-
-+type samba_unit_file_t;
-+systemd_unit_file(samba_unit_file_t)
-+
- type samba_log_t;
- logging_log_file(samba_log_t)
-
-@@ -152,9 +163,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
- type winbind_log_t;
- logging_log_file(winbind_log_t)
-
--type winbind_tmp_t;
--files_tmp_file(winbind_tmp_t)
--
- type winbind_var_run_t;
- files_pid_file(winbind_var_run_t)
-
-@@ -181,11 +189,12 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
- manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
- manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
- manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
-+files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
-
- kernel_read_proc_symlinks(samba_net_t)
- kernel_read_system_state(samba_net_t)
-+kernel_read_network_state(samba_net_t)
-
--corenet_all_recvfrom_unlabeled(samba_net_t)
- corenet_all_recvfrom_netlabel(samba_net_t)
- corenet_tcp_sendrecv_generic_if(samba_net_t)
- corenet_udp_sendrecv_generic_if(samba_net_t)
-@@ -203,7 +212,6 @@ dev_read_urand(samba_net_t)
-
- domain_use_interactive_fds(samba_net_t)
-
--files_read_etc_files(samba_net_t)
- files_read_usr_symlinks(samba_net_t)
-
- auth_use_nsswitch(samba_net_t)
-@@ -211,15 +219,16 @@ auth_manage_cache(samba_net_t)
-
- logging_send_syslog_msg(samba_net_t)
-
--miscfiles_read_localization(samba_net_t)
--
- samba_read_var_files(samba_net_t)
-
--userdom_use_user_terminals(samba_net_t)
-+sysnet_use_ldap(samba_net_t)
-+
-+userdom_use_inherited_user_terminals(samba_net_t)
- userdom_list_user_home_dirs(samba_net_t)
-
- optional_policy(`
-- ldap_stream_connect(samba_net_t)
-+ ldap_stream_connect(samba_net_t)
-+ dirsrv_stream_connect(samba_net_t)
- ')
-
- optional_policy(`
-@@ -228,13 +237,15 @@ optional_policy(`
-
- optional_policy(`
- kerberos_use(samba_net_t)
-+ kerberos_etc_filetrans_keytab(samba_net_t)
- ')
-
- ########################################
- #
- # smbd Local policy
- #
--allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
-+
-+allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
- dontaudit smbd_t self:capability sys_tty_config;
- allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow smbd_t self:process setrlimit;
-@@ -244,6 +255,7 @@ allow smbd_t self:msg { send receive };
- allow smbd_t self:msgq create_msgq_perms;
- allow smbd_t self:sem create_sem_perms;
- allow smbd_t self:shm create_shm_perms;
-+allow smbd_t self:key manage_key_perms;
- allow smbd_t self:sock_file read_sock_file_perms;
- allow smbd_t self:tcp_socket create_stream_socket_perms;
- allow smbd_t self:udp_socket create_socket_perms;
-@@ -253,6 +265,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow smbd_t nmbd_t:process { signal signull };
-
- allow smbd_t nmbd_var_run_t:file rw_file_perms;
-+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
-
- allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-
-@@ -267,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
- manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
- manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
- manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
--allow smbd_t samba_share_t:filesystem getattr;
-+allow smbd_t samba_share_t:filesystem { getattr quotaget };
-
- manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
- manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
- manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
- manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
-+files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
-
- allow smbd_t smbcontrol_t:process { signal signull };
-
-@@ -283,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
- manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
- manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
- manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
--files_pid_filetrans(smbd_t, smbd_var_run_t, file)
-+files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
-
- allow smbd_t swat_t:process signal;
-
-@@ -302,7 +316,6 @@ kernel_read_system_state(smbd_t)
- corecmd_exec_shell(smbd_t)
- corecmd_exec_bin(smbd_t)
-
--corenet_all_recvfrom_unlabeled(smbd_t)
- corenet_all_recvfrom_netlabel(smbd_t)
- corenet_tcp_sendrecv_generic_if(smbd_t)
- corenet_udp_sendrecv_generic_if(smbd_t)
-@@ -320,6 +333,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
-
- dev_read_sysfs(smbd_t)
- dev_read_urand(smbd_t)
-+dev_dontaudit_write_urand(smbd_t)
- dev_getattr_mtrr_dev(smbd_t)
- dev_dontaudit_getattr_usbfs_dirs(smbd_t)
- # For redhat bug 566984
-@@ -327,26 +341,29 @@ dev_getattr_all_blk_files(smbd_t)
- dev_getattr_all_chr_files(smbd_t)
-
- fs_getattr_all_fs(smbd_t)
-+fs_getattr_all_dirs(smbd_t)
- fs_get_xattr_fs_quotas(smbd_t)
- fs_search_auto_mountpoints(smbd_t)
- fs_getattr_rpc_dirs(smbd_t)
- fs_list_inotifyfs(smbd_t)
-+fs_get_all_fs_quotas(smbd_t)
-
- auth_use_nsswitch(smbd_t)
- auth_domtrans_chk_passwd(smbd_t)
- auth_domtrans_upd_passwd(smbd_t)
- auth_manage_cache(smbd_t)
-+auth_write_login_records(smbd_t)
-
- domain_use_interactive_fds(smbd_t)
- domain_dontaudit_list_all_domains_state(smbd_t)
-
- files_list_var_lib(smbd_t)
--files_read_etc_files(smbd_t)
- files_read_etc_runtime_files(smbd_t)
- files_read_usr_files(smbd_t)
- files_search_spool(smbd_t)
- # smbd seems to getattr all mountpoints
- files_dontaudit_getattr_all_dirs(smbd_t)
-+files_dontaudit_list_all_mountpoints(smbd_t)
- # Allow samba to list mnt_t for potential mounted dirs
- files_list_mnt(smbd_t)
-
-@@ -355,9 +372,10 @@ init_rw_utmp(smbd_t)
- logging_search_logs(smbd_t)
- logging_send_syslog_msg(smbd_t)
-
--miscfiles_read_localization(smbd_t)
- miscfiles_read_public_files(smbd_t)
-
-+sysnet_use_ldap(smbd_t)
-+
- userdom_use_unpriv_users_fds(smbd_t)
- userdom_search_user_home_content(smbd_t)
- userdom_signal_all_users(smbd_t)
-@@ -372,8 +390,13 @@ ifdef(`hide_broken_symptoms', `
- fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
- ')
-
--tunable_policy(`allow_smbd_anon_write',`
-+tunable_policy(`smbd_anon_write',`
- miscfiles_manage_public_files(smbd_t)
-+')
-+
-+tunable_policy(`samba_portmapper',`
-+ corenet_tcp_bind_epmap_port(smbd_t)
-+ corenet_tcp_bind_all_unreserved_ports(smbd_t)
- ')
-
- tunable_policy(`samba_domain_controller',`
-@@ -389,12 +412,7 @@ tunable_policy(`samba_domain_controller',`
- ')
-
- tunable_policy(`samba_enable_home_dirs',`
-- userdom_manage_user_home_content_dirs(smbd_t)
-- userdom_manage_user_home_content_files(smbd_t)
-- userdom_manage_user_home_content_symlinks(smbd_t)
-- userdom_manage_user_home_content_sockets(smbd_t)
-- userdom_manage_user_home_content_pipes(smbd_t)
-- userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
-+ userdom_manage_user_home_content(smbd_t)
- ')
-
- # Support Samba sharing of NFS mount points
-@@ -415,6 +433,15 @@ tunable_policy(`samba_share_fusefs',`
- ')
-
- optional_policy(`
-+ ccs_read_config(smbd_t)
-+')
-+
-+optional_policy(`
-+ ctdbd_stream_connect(smbd_t)
-+ ctdbd_manage_lib_files(smbd_t)
-+')
-+
-+optional_policy(`
- cups_read_rw_config(smbd_t)
- cups_stream_connect(smbd_t)
- ')
-@@ -426,6 +453,7 @@ optional_policy(`
-
- optional_policy(`
- ldap_stream_connect(smbd_t)
-+ dirsrv_stream_connect(smbd_t)
- ')
-
- optional_policy(`
-@@ -452,26 +480,26 @@ optional_policy(`
- tunable_policy(`samba_create_home_dirs',`
- allow smbd_t self:capability chown;
- userdom_create_user_home_dirs(smbd_t)
-- userdom_home_filetrans_user_home_dir(smbd_t)
- ')
-
-+userdom_home_filetrans_user_home_dir(smbd_t)
-+
- tunable_policy(`samba_export_all_ro',`
-- fs_read_noxattr_fs_files(smbd_t)
-- files_list_non_auth_dirs(smbd_t)
-- files_read_non_auth_files(smbd_t)
-- fs_read_noxattr_fs_files(nmbd_t)
-- files_list_non_auth_dirs(nmbd_t)
-- files_read_non_auth_files(nmbd_t)
-+ fs_read_noxattr_fs_files(smbd_t)
-+ files_read_non_security_files(smbd_t)
-+ fs_read_noxattr_fs_files(nmbd_t)
-+ files_read_non_security_files(nmbd_t)
- ')
-
- tunable_policy(`samba_export_all_rw',`
-- fs_read_noxattr_fs_files(smbd_t)
-- files_manage_non_auth_files(smbd_t)
-- fs_read_noxattr_fs_files(nmbd_t)
-- files_manage_non_auth_files(nmbd_t)
-- userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
-+ fs_read_noxattr_fs_files(smbd_t)
-+ files_manage_non_security_files(smbd_t)
-+ fs_read_noxattr_fs_files(nmbd_t)
-+ files_manage_non_security_files(nmbd_t)
- ')
-
-+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
-+
- ########################################
- #
- # nmbd Local policy
-@@ -491,8 +519,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
- allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
- allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-+manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
- manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
--files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
-+manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-+files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file })
-+filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir)
-
- read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
- read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -501,11 +532,13 @@ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
- manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-
- manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-+manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-+manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-+manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-+files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
-
- allow nmbd_t smbcontrol_t:process signal;
-
--allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
--
- kernel_getattr_core_if(nmbd_t)
- kernel_getattr_message_if(nmbd_t)
- kernel_read_kernel_sysctls(nmbd_t)
-@@ -513,7 +546,6 @@ kernel_read_network_state(nmbd_t)
- kernel_read_software_raid_state(nmbd_t)
- kernel_read_system_state(nmbd_t)
-
--corenet_all_recvfrom_unlabeled(nmbd_t)
- corenet_all_recvfrom_netlabel(nmbd_t)
- corenet_tcp_sendrecv_generic_if(nmbd_t)
- corenet_udp_sendrecv_generic_if(nmbd_t)
-@@ -536,7 +568,6 @@ fs_search_auto_mountpoints(nmbd_t)
- domain_use_interactive_fds(nmbd_t)
-
- files_read_usr_files(nmbd_t)
--files_read_etc_files(nmbd_t)
- files_list_var_lib(nmbd_t)
-
- auth_use_nsswitch(nmbd_t)
-@@ -544,12 +575,14 @@ auth_use_nsswitch(nmbd_t)
- logging_search_logs(nmbd_t)
- logging_send_syslog_msg(nmbd_t)
-
--miscfiles_read_localization(nmbd_t)
--
- userdom_use_unpriv_users_fds(nmbd_t)
- userdom_dontaudit_search_user_home_dirs(nmbd_t)
-
- optional_policy(`
-+ ctdbd_stream_connect(nmbd_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(nmbd_t)
- ')
-
-@@ -562,18 +595,21 @@ optional_policy(`
- # smbcontrol local policy
- #
-
-+
-+allow smbcontrol_t self:process signal;
- # internal communication is often done using fifo and unix sockets.
- allow smbcontrol_t self:fifo_file rw_file_perms;
- allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
-+allow smbcontrol_t self:process { signal signull };
-
- allow smbcontrol_t nmbd_t:process { signal signull };
-+read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
-
--allow smbcontrol_t nmbd_var_run_t:file { read lock };
--
--allow smbcontrol_t smbd_t:process signal;
--
-+allow smbcontrol_t smbd_t:process { signal signull };
-+read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
- allow smbcontrol_t winbind_t:process { signal signull };
-
-+files_search_var_lib(smbcontrol_t)
- samba_read_config(smbcontrol_t)
- samba_rw_var_files(smbcontrol_t)
- samba_search_var(smbcontrol_t)
-@@ -581,11 +617,19 @@ samba_read_winbind_pid(smbcontrol_t)
-
- domain_use_interactive_fds(smbcontrol_t)
-
--files_read_etc_files(smbcontrol_t)
-+dev_read_urand(smbcontrol_t)
-+
-+files_read_usr_files(smbcontrol_t)
-+
-+term_use_console(smbcontrol_t)
-+
-+sysnet_use_ldap(smbcontrol_t)
-
--miscfiles_read_localization(smbcontrol_t)
-+userdom_use_inherited_user_terminals(smbcontrol_t)
-
--userdom_use_user_terminals(smbcontrol_t)
-+optional_policy(`
-+ ctdbd_stream_connect(smbcontrol_t)
-+')
-
- ########################################
- #
-@@ -604,18 +648,20 @@ allow smbmount_t samba_etc_t:file read_file_perms;
-
- can_exec(smbmount_t, smbmount_exec_t)
-
--allow smbmount_t samba_log_t:dir list_dir_perms;
-+allow smbmount_t samba_log_t:dir list_dir_perms;
- allow smbmount_t samba_log_t:file manage_file_perms;
-
- allow smbmount_t samba_secrets_t:file manage_file_perms;
-
-+manage_dirs_pattern(smbmount_t, samba_var_t, samba_var_t)
- manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
- manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
-+files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
-+
- files_list_var_lib(smbmount_t)
-
- kernel_read_system_state(smbmount_t)
-
--corenet_all_recvfrom_unlabeled(smbmount_t)
- corenet_all_recvfrom_netlabel(smbmount_t)
- corenet_tcp_sendrecv_generic_if(smbmount_t)
- corenet_raw_sendrecv_generic_if(smbmount_t)
-@@ -645,31 +691,32 @@ files_list_mnt(smbmount_t)
- files_mounton_mnt(smbmount_t)
- files_manage_etc_runtime_files(smbmount_t)
- files_etc_filetrans_etc_runtime(smbmount_t, file)
--files_read_etc_files(smbmount_t)
-
- auth_use_nsswitch(smbmount_t)
-
--miscfiles_read_localization(smbmount_t)
--
--mount_use_fds(smbmount_t)
-
- locallogin_use_fds(smbmount_t)
-
- logging_search_logs(smbmount_t)
-
--userdom_use_user_terminals(smbmount_t)
-+userdom_use_inherited_user_terminals(smbmount_t)
- userdom_use_all_users_fds(smbmount_t)
-
- optional_policy(`
- cups_read_rw_config(smbmount_t)
- ')
-
-+optional_policy(`
-+ mount_use_fds(smbmount_t)
-+')
-+
- ########################################
- #
- # SWAT Local policy
- #
-
- allow swat_t self:capability { dac_override setuid setgid sys_resource };
-+allow swat_t self:capability2 block_suspend;
- allow swat_t self:process { setrlimit signal_perms };
- allow swat_t self:fifo_file rw_fifo_file_perms;
- allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -684,7 +731,8 @@ samba_domtrans_nmbd(swat_t)
- allow swat_t nmbd_t:process { signal signull };
- allow nmbd_t swat_t:process signal;
-
--allow swat_t smbd_var_run_t:file { lock unlink };
-+read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
-+stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
-
- allow swat_t smbd_port_t:tcp_socket name_bind;
-
-@@ -698,13 +746,17 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
-
- manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
-
-+manage_dirs_pattern(swat_t, samba_var_t, samba_var_t)
- manage_files_pattern(swat_t, samba_var_t, samba_var_t)
-+files_var_filetrans(swat_t, samba_var_t, dir, "samba")
-+files_list_var_lib(swat_t)
-
- allow swat_t smbd_exec_t:file mmap_file_perms ;
-
- allow swat_t smbd_t:process signull;
-
- allow swat_t smbd_var_run_t:file read_file_perms;
-+allow swat_t smbd_var_run_t:file { lock unlink };
-
- manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
- manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -717,6 +769,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
- domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
- allow swat_t winbind_t:process { signal signull };
-
-+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
- allow swat_t winbind_var_run_t:dir { write add_name remove_name };
- allow swat_t winbind_var_run_t:sock_file { create unlink };
-
-@@ -726,7 +779,6 @@ kernel_read_network_state(swat_t)
-
- corecmd_search_bin(swat_t)
-
--corenet_all_recvfrom_unlabeled(swat_t)
- corenet_all_recvfrom_netlabel(swat_t)
- corenet_tcp_sendrecv_generic_if(swat_t)
- corenet_udp_sendrecv_generic_if(swat_t)
-@@ -744,7 +796,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
- dev_read_urand(swat_t)
-
- files_list_var_lib(swat_t)
--files_read_etc_files(swat_t)
- files_search_home(swat_t)
- files_read_usr_files(swat_t)
- fs_getattr_xattr_fs(swat_t)
-@@ -759,7 +810,10 @@ logging_send_syslog_msg(swat_t)
- logging_send_audit_msgs(swat_t)
- logging_search_logs(swat_t)
-
--miscfiles_read_localization(swat_t)
-+sysnet_use_ldap(swat_t)
-+
-+
-+userdom_dontaudit_search_admin_dir(swat_t)
-
- optional_policy(`
- cups_read_rw_config(swat_t)
-@@ -790,7 +844,8 @@ allow winbind_t self:udp_socket create_socket_perms;
-
- allow winbind_t nmbd_t:process { signal signull };
-
--allow winbind_t nmbd_var_run_t:file read_file_perms;
-+read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
-+samba_stream_connect_nmbd(winbind_t)
-
- allow winbind_t samba_etc_t:dir list_dir_perms;
- read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,6 +861,8 @@ manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
- manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
- manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
- manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
-+manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
-+files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
- files_list_var_lib(winbind_t)
-
- rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
-@@ -813,21 +870,26 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
- allow winbind_t winbind_log_t:file manage_file_perms;
- logging_log_filetrans(winbind_t, winbind_log_t, file)
-
--manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
--manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
--manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
--files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
-+userdom_manage_user_tmp_dirs(winbind_t)
-+userdom_manage_user_tmp_files(winbind_t)
-+userdom_tmp_filetrans_user_tmp(winbind_t, { file dir })
-
-+manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
- manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
- manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
--files_pid_filetrans(winbind_t, winbind_var_run_t, file)
--
-+files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
-+filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
-+# /run/samba/krb5cc_samba
-+manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
-+manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
-+manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
-+
-+kernel_read_network_state(winbind_t)
- kernel_read_kernel_sysctls(winbind_t)
- kernel_read_system_state(winbind_t)
-
- corecmd_exec_bin(winbind_t)
-
--corenet_all_recvfrom_unlabeled(winbind_t)
- corenet_all_recvfrom_netlabel(winbind_t)
- corenet_tcp_sendrecv_generic_if(winbind_t)
- corenet_udp_sendrecv_generic_if(winbind_t)
-@@ -840,12 +902,15 @@ corenet_udp_sendrecv_all_ports(winbind_t)
- corenet_tcp_bind_generic_node(winbind_t)
- corenet_udp_bind_generic_node(winbind_t)
- corenet_tcp_connect_smbd_port(winbind_t)
-+corenet_tcp_connect_smbd_port(winbind_t)
- corenet_tcp_connect_epmap_port(winbind_t)
- corenet_tcp_connect_all_unreserved_ports(winbind_t)
-
- dev_read_sysfs(winbind_t)
- dev_read_urand(winbind_t)
-
-+files_read_usr_files(winbind_t)
-+
- fs_getattr_all_fs(winbind_t)
- fs_search_auto_mountpoints(winbind_t)
-
-@@ -855,12 +920,14 @@ auth_manage_cache(winbind_t)
-
- domain_use_interactive_fds(winbind_t)
-
--files_read_etc_files(winbind_t)
- files_read_usr_symlinks(winbind_t)
-+files_list_var_lib(winbind_t)
-
- logging_send_syslog_msg(winbind_t)
-
--miscfiles_read_localization(winbind_t)
-+miscfiles_read_generic_certs(winbind_t)
-+
-+sysnet_use_ldap(winbind_t)
-
- userdom_dontaudit_use_unpriv_user_fds(winbind_t)
- userdom_manage_user_home_content_dirs(winbind_t)
-@@ -871,6 +938,15 @@ userdom_manage_user_home_content_sockets(winbind_t)
- userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
-
- optional_policy(`
-+ ctdbd_stream_connect(winbind_t)
-+ ctdbd_manage_lib_files(winbind_t)
-+')
-+
-+optional_policy(`
-+ dirsrv_stream_connect(winbind_t)
-+')
-+
-+optional_policy(`
- kerberos_use(winbind_t)
- ')
-
-@@ -909,9 +985,7 @@ auth_use_nsswitch(winbind_helper_t)
-
- logging_send_syslog_msg(winbind_helper_t)
-
--miscfiles_read_localization(winbind_helper_t)
--
--userdom_use_user_terminals(winbind_helper_t)
-+userdom_use_inherited_user_terminals(winbind_helper_t)
-
- optional_policy(`
- apache_append_log(winbind_helper_t)
-@@ -929,19 +1003,34 @@ optional_policy(`
- #
-
- optional_policy(`
-- type samba_unconfined_script_t;
-- type samba_unconfined_script_exec_t;
-- domain_type(samba_unconfined_script_t)
-- domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
-- corecmd_shell_entry_type(samba_unconfined_script_t)
-- role system_r types samba_unconfined_script_t;
-+ type samba_unconfined_net_t;
-+ domain_type(samba_unconfined_net_t)
-+ domain_entry_file(samba_unconfined_net_t, samba_net_exec_t)
-+ role system_r types samba_unconfined_net_t;
-
-- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
-- allow smbd_t samba_unconfined_script_exec_t:file ioctl;
-+ unconfined_domain(samba_unconfined_net_t)
-
-+ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
-+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
-+ userdom_use_inherited_user_terminals(samba_unconfined_net_t)
-+')
-+
-+type samba_unconfined_script_t;
-+type samba_unconfined_script_exec_t;
-+domain_type(samba_unconfined_script_t)
-+domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
-+corecmd_shell_entry_type(samba_unconfined_script_t)
-+role system_r types samba_unconfined_script_t;
-+
-+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
-+allow smbd_t samba_unconfined_script_exec_t:file ioctl;
-+
-+optional_policy(`
- unconfined_domain(samba_unconfined_script_t)
-+')
-
-- tunable_policy(`samba_run_unconfined',`
-+tunable_policy(`samba_run_unconfined',`
- domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
-- ')
-+',`
-+ can_exec(smbd_t, samba_unconfined_script_exec_t)
- ')
-diff --git a/sambagui.te b/sambagui.te
-index 1898dbd..1d5e802 100644
---- a/sambagui.te
-+++ b/sambagui.te
-@@ -7,7 +7,8 @@ policy_module(sambagui, 1.1.0)
-
- type sambagui_t;
- type sambagui_exec_t;
--dbus_system_domain(sambagui_t, sambagui_exec_t)
-+application_domain(sambagui_t, sambagui_exec_t)
-+role system_r types sambagui_t;
-
- ########################################
- #
-@@ -27,21 +28,28 @@ corecmd_exec_bin(sambagui_t)
-
- dev_dontaudit_read_urand(sambagui_t)
-
--files_read_etc_files(sambagui_t)
-+files_read_usr_files(sambagui_t)
- files_search_var_lib(sambagui_t)
- files_read_usr_files(sambagui_t)
-
- auth_use_nsswitch(sambagui_t)
-+auth_dontaudit_read_shadow(sambagui_t)
-+
-+init_access_check(sambagui_t)
-
- logging_send_syslog_msg(sambagui_t)
-
--miscfiles_read_localization(sambagui_t)
-+sysnet_use_ldap(sambagui_t)
-
- optional_policy(`
- consoletype_exec(sambagui_t)
- ')
-
- optional_policy(`
-+ dbus_system_domain(sambagui_t, sambagui_exec_t)
-+')
-+
-+optional_policy(`
- nscd_dontaudit_search_pid(sambagui_t)
- ')
-
-@@ -56,6 +64,7 @@ optional_policy(`
- samba_manage_var_files(sambagui_t)
- samba_read_secrets(sambagui_t)
- samba_initrc_domtrans(sambagui_t)
-+ samba_systemctl(sambagui_t)
- samba_domtrans_smbd(sambagui_t)
- samba_domtrans_nmbd(sambagui_t)
- ')
-diff --git a/samhain.if b/samhain.if
-index c040ebf..2b601a5 100644
---- a/samhain.if
-+++ b/samhain.if
-@@ -271,10 +271,14 @@ interface(`samhain_admin',`
- type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
- ')
-
-- allow $1 samhain_t:process { ptrace signal_perms };
-+ allow $1 samhain_t:process signal_perms;
- ps_process_pattern($1, samhain_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 samhain_t:process ptrace;
-+ allow $1 samhaind_t:process ptrace;
-+ ')
-
-- allow $1 samhaind_t:process { ptrace signal_perms };
-+ allow $1 samhaind_t:process signal_perms;
- ps_process_pattern($1, samhaind_t)
-
- files_list_var_lib($1)
-diff --git a/samhain.te b/samhain.te
-index acd1700..778d18b 100644
---- a/samhain.te
-+++ b/samhain.te
-@@ -55,7 +55,7 @@ domain_use_interactive_fds(samhain_t)
-
- seutil_sigchld_newrole(samhain_t)
-
--userdom_use_user_terminals(samhain_t)
-+userdom_use_inherited_user_terminals(samhain_t)
-
- ########################################
- #
-diff --git a/sandbox.fc b/sandbox.fc
-new file mode 100644
-index 0000000..b7db254
---- /dev/null
-+++ b/sandbox.fc
-@@ -0,0 +1 @@
-+# Empty
-diff --git a/sandbox.if b/sandbox.if
-new file mode 100644
-index 0000000..7addd77
---- /dev/null
-+++ b/sandbox.if
-@@ -0,0 +1,55 @@
-+
-+## policy for sandbox
-+
-+########################################
-+##
-+## Execute sandbox in the sandbox domain, and
-+## allow the specified role the sandbox domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the sandbox domain.
-+##
-+##
-+#
-+interface(`sandbox_transition',`
-+ gen_require(`
-+ attribute sandbox_domain;
-+ ')
-+
-+ allow $1 sandbox_domain:process transition;
-+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
-+ role $2 types sandbox_domain;
-+ allow sandbox_domain $1:process { sigchld signull };
-+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
-+ dontaudit sandbox_domain $1:process signal;
-+')
-+
-+########################################
-+##
-+## Creates types and rules for a basic
-+## sandbox process domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`sandbox_domain_template',`
-+
-+ gen_require(`
-+ attribute sandbox_domain;
-+ ')
-+ type $1_t, sandbox_domain;
-+
-+ application_type($1_t)
-+
-+ mls_rangetrans_target($1_t)
-+ mcs_untrusted_proc($1_t)
-+')
-diff --git a/sandbox.te b/sandbox.te
-new file mode 100644
-index 0000000..db440d4
---- /dev/null
-+++ b/sandbox.te
-@@ -0,0 +1,66 @@
-+policy_module(sandbox,1.0.0)
-+
-+attribute sandbox_domain;
-+
-+########################################
-+#
-+# Declarations
-+#
-+sandbox_domain_template(sandbox)
-+
-+########################################
-+#
-+# sandbox local policy
-+#
-+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
-+tunable_policy(`deny_execmem',`',`
-+ allow sandbox_domain self:process execmem;
-+')
-+
-+allow sandbox_domain self:fifo_file manage_file_perms;
-+allow sandbox_domain self:sem create_sem_perms;
-+allow sandbox_domain self:shm create_shm_perms;
-+allow sandbox_domain self:msgq create_msgq_perms;
-+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
-+allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
-+dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+
-+dev_rw_all_inherited_chr_files(sandbox_domain)
-+dev_rw_all_inherited_blk_files(sandbox_domain)
-+
-+# sandbox_file_t was moved to sandboxX.te
-+optional_policy(`
-+ sandbox_exec_file(sandbox_domain)
-+ sandbox_manage_content(sandbox_domain)
-+ sandbox_dontaudit_mounton(sandbox_domain)
-+ sandbox_manage_tmpfs_files(sandbox_domain)
-+')
-+
-+gen_require(`
-+ type usr_t, lib_t, locale_t, device_t;
-+ type var_t, var_run_t, rpm_log_t, locale_t;
-+ attribute exec_type, configfile;
-+')
-+
-+kernel_dontaudit_read_system_state(sandbox_domain)
-+
-+corecmd_exec_all_executables(sandbox_domain)
-+
-+dev_dontaudit_getattr_all(sandbox_domain)
-+
-+files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
-+files_entrypoint_all_files(sandbox_domain)
-+
-+files_read_config_files(sandbox_domain)
-+files_read_usr_files(sandbox_domain)
-+files_read_var_files(sandbox_domain)
-+files_dontaudit_search_all_dirs(sandbox_domain)
-+
-+fs_dontaudit_getattr_all_fs(sandbox_domain)
-+
-+
-+userdom_dontaudit_use_user_terminals(sandbox_domain)
-+
-+mta_dontaudit_read_spool_symlinks(sandbox_domain)
-+
-+
-diff --git a/sandboxX.fc b/sandboxX.fc
-new file mode 100644
-index 0000000..6caef63
---- /dev/null
-+++ b/sandboxX.fc
-@@ -0,0 +1,2 @@
-+
-+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
-diff --git a/sandboxX.if b/sandboxX.if
-new file mode 100644
-index 0000000..f00e5c5
---- /dev/null
-+++ b/sandboxX.if
-@@ -0,0 +1,391 @@
-+
-+## policy for sandboxX
-+
-+########################################
-+##
-+## Execute sandbox in the sandbox domain, and
-+## allow the specified role the sandbox domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the sandbox domain.
-+##
-+##
-+#
-+interface(`sandbox_x_transition',`
-+ gen_require(`
-+ type sandbox_xserver_t;
-+ type sandbox_file_t;
-+ attribute sandbox_x_domain;
-+ attribute sandbox_tmpfs_type;
-+ ')
-+
-+ allow $1 sandbox_x_domain:process { signal_perms transition };
-+ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
-+ allow sandbox_x_domain $1:process { sigchld signull };
-+ allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
-+ role $2 types sandbox_x_domain;
-+ role $2 types sandbox_xserver_t;
-+ allow $1 sandbox_xserver_t:process signal_perms;
-+ dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
-+ dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
-+ dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
-+ allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
-+ allow sandbox_x_domain sandbox_x_domain:process signal;
-+ # Dontaudit leaked file descriptors
-+ dontaudit sandbox_x_domain $1:fifo_file { read write };
-+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
-+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
-+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
-+ dontaudit sandbox_x_domain $1:process { signal sigkill };
-+
-+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
-+ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
-+
-+ can_exec($1, sandbox_file_t)
-+ allow $1 sandbox_file_t:filesystem getattr;
-+ manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
-+ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
-+ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
-+ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
-+ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
-+ relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
-+ relabel_files_pattern($1, sandbox_file_t, sandbox_file_t)
-+ relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
-+ relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
-+ relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
-+')
-+
-+########################################
-+##
-+## Creates types and rules for a basic
-+## sandbox process domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`sandbox_x_domain_template',`
-+ gen_require(`
-+ type xserver_exec_t, sandbox_devpts_t;
-+ type sandbox_xserver_t;
-+ type sandbox_exec_t;
-+ attribute sandbox_x_domain;
-+ attribute sandbox_tmpfs_type;
-+ attribute sandbox_type;
-+ ')
-+
-+ type $1_t, sandbox_x_domain, sandbox_type;
-+ application_type($1_t)
-+ mcs_untrusted_proc($1_t)
-+
-+ kernel_read_system_state($1_t)
-+ selinux_get_fs_mount($1_t)
-+
-+ auth_use_nsswitch($1_t)
-+
-+ logging_send_syslog_msg($1_t)
-+
-+ # window manager
-+ miscfiles_setattr_fonts_cache_dirs($1_t)
-+ allow $1_t self:capability setuid;
-+
-+ type $1_client_t, sandbox_x_domain;
-+ application_type($1_client_t)
-+ kernel_read_system_state($1_client_t)
-+
-+ mcs_untrusted_proc($1_t)
-+
-+ type $1_client_tmpfs_t, sandbox_tmpfs_type;
-+ files_tmpfs_file($1_client_tmpfs_t)
-+
-+ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
-+ manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
-+ fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
-+ fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
-+ # Pulseaudio tmpfs files with different MCS labels
-+ dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
-+ dontaudit $1_t $1_client_tmpfs_t:file { read write };
-+ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
-+
-+ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
-+ allow $1_t sandbox_xserver_t:process signal_perms;
-+
-+ domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
-+ domain_entry_file($1_client_t, sandbox_exec_t)
-+
-+ ps_process_pattern(sandbox_xserver_t, $1_client_t)
-+ ps_process_pattern(sandbox_xserver_t, $1_t)
-+ allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
-+ allow sandbox_xserver_t $1_t:shm rw_shm_perms;
-+ allow $1_client_t $1_t:unix_stream_socket connectto;
-+ allow $1_t $1_client_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+##
-+## allow domain to read,
-+## write sandbox_xserver tmp files
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`sandbox_rw_xserver_tmpfs_files',`
-+ gen_require(`
-+ type sandbox_xserver_tmpfs_t;
-+ ')
-+
-+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
-+')
-+
-+########################################
-+##
-+## allow domain to read
-+## sandbox tmpfs files
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`sandbox_read_tmpfs_files',`
-+ gen_require(`
-+ attribute sandbox_tmpfs_type;
-+ ')
-+
-+ allow $1 sandbox_tmpfs_type:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## allow domain to manage
-+## sandbox tmpfs files
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`sandbox_manage_tmpfs_files',`
-+ gen_require(`
-+ attribute sandbox_tmpfs_type;
-+ ')
-+
-+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete sandbox files
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`sandbox_delete_files',`
-+ gen_require(`
-+ type sandbox_file_t;
-+ ')
-+
-+ delete_files_pattern($1, sandbox_file_t, sandbox_file_t)
-+')
-+
-+########################################
-+##
-+## Manage sandbox content
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`sandbox_manage_content',`
-+ gen_require(`
-+ type sandbox_file_t;
-+ ')
-+
-+ allow $1 sandbox_file_t:filesystem getattr;
-+ manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
-+ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
-+ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
-+ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
-+ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
-+')
-+
-+########################################
-+##
-+## Delete sandbox symbolic links
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`sandbox_delete_lnk_files',`
-+ gen_require(`
-+ type sandbox_file_t;
-+ ')
-+
-+ delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
-+')
-+
-+########################################
-+##
-+## Delete sandbox fifo files
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`sandbox_delete_pipes',`
-+ gen_require(`
-+ type sandbox_file_t;
-+ ')
-+
-+ delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
-+')
-+
-+########################################
-+##
-+## Delete sandbox sock files
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`sandbox_delete_sock_files',`
-+ gen_require(`
-+ type sandbox_file_t;
-+ ')
-+
-+ delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
-+')
-+
-+########################################
-+##
-+## Allow domain to set the attributes
-+## of the sandbox directory.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`sandbox_setattr_dirs',`
-+ gen_require(`
-+ type sandbox_file_t;
-+ ')
-+
-+ allow $1 sandbox_file_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Delete sandbox directories
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`sandbox_delete_dirs',`
-+ gen_require(`
-+ type sandbox_file_t;
-+ ')
-+
-+ delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
-+')
-+
-+########################################
-+##
-+## allow domain to list sandbox dirs
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`sandbox_list',`
-+ gen_require(`
-+ type sandbox_file_t;
-+ ')
-+
-+ allow $1 sandbox_file_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Read and write a sandbox domain pty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sandbox_use_ptys',`
-+ gen_require(`
-+ type sandbox_devpts_t;
-+ ')
-+
-+ allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
-+#######################################
-+##
-+## Allow domain to execute sandbox_file_t in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sandbox_exec_file',`
-+ gen_require(`
-+ type sandbox_file_t;
-+ ')
-+
-+ can_exec($1, sandbox_file_t)
-+')
-+
-+######################################
-+##
-+## Allow domain to execute sandbox_file_t in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sandbox_dontaudit_mounton',`
-+ gen_require(`
-+ type sandbox_file_t;
-+ ')
-+
-+ dontaudit $1 sandbox_file_t:dir mounton;
-+')
-diff --git a/sandboxX.te b/sandboxX.te
-new file mode 100644
-index 0000000..479ece4
---- /dev/null
-+++ b/sandboxX.te
-@@ -0,0 +1,463 @@
-+policy_module(sandboxX,1.0.0)
-+
-+dbus_stub()
-+attribute sandbox_x_domain;
-+attribute sandbox_web_type;
-+attribute sandbox_file_type;
-+attribute sandbox_tmpfs_type;
-+attribute sandbox_type;
-+
-+type sandbox_exec_t;
-+files_type(sandbox_exec_t)
-+
-+type sandbox_file_t, sandbox_file_type;
-+files_type(sandbox_file_t)
-+typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t };
-+
-+########################################
-+#
-+# Declarations
-+#
-+sandbox_x_domain_template(sandbox_min)
-+sandbox_x_domain_template(sandbox_x)
-+sandbox_x_domain_template(sandbox_web)
-+sandbox_x_domain_template(sandbox_net)
-+
-+type sandbox_xserver_t;
-+domain_type(sandbox_xserver_t)
-+xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
-+
-+type sandbox_xserver_tmpfs_t;
-+files_tmpfs_file(sandbox_xserver_tmpfs_t)
-+
-+type sandbox_devpts_t;
-+term_pty(sandbox_devpts_t)
-+files_type(sandbox_devpts_t)
-+
-+########################################
-+#
-+# sandbox xserver policy
-+#
-+allow sandbox_xserver_t self:process { signal_perms execstack };
-+
-+tunable_policy(`deny_execmem',`',`
-+ allow sandbox_xserver_t self:process execmem;
-+')
-+
-+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
-+allow sandbox_xserver_t self:shm create_shm_perms;
-+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
-+manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
-+manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
-+allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms;
-+
-+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
-+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
-+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
-+manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
-+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
-+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-+
-+kernel_dontaudit_request_load_module(sandbox_xserver_t)
-+kernel_read_system_state(sandbox_xserver_t)
-+
-+corecmd_exec_bin(sandbox_xserver_t)
-+corecmd_exec_shell(sandbox_xserver_t)
-+
-+corenet_all_recvfrom_netlabel(sandbox_xserver_t)
-+corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
-+corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
-+corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
-+corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
-+corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
-+corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
-+corenet_tcp_bind_generic_node(sandbox_xserver_t)
-+corenet_tcp_bind_xserver_port(sandbox_xserver_t)
-+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
-+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
-+
-+dev_read_sysfs(sandbox_xserver_t)
-+dev_rwx_zero(sandbox_xserver_t)
-+dev_read_urand(sandbox_xserver_t)
-+
-+domain_use_interactive_fds(sandbox_xserver_t)
-+
-+files_read_config_files(sandbox_xserver_t)
-+files_read_usr_files(sandbox_xserver_t)
-+files_search_home(sandbox_xserver_t)
-+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
-+fs_list_inotifyfs(sandbox_xserver_t)
-+fs_search_auto_mountpoints(sandbox_xserver_t)
-+
-+miscfiles_read_fonts(sandbox_xserver_t)
-+
-+selinux_validate_context(sandbox_xserver_t)
-+selinux_compute_access_vector(sandbox_xserver_t)
-+selinux_compute_create_context(sandbox_xserver_t)
-+
-+auth_use_nsswitch(sandbox_xserver_t)
-+
-+logging_send_syslog_msg(sandbox_xserver_t)
-+logging_send_audit_msgs(sandbox_xserver_t)
-+
-+userdom_use_inherited_user_terminals(sandbox_xserver_t)
-+userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
-+userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t)
-+
-+xserver_entry_type(sandbox_xserver_t)
-+
-+optional_policy(`
-+ dbus_system_bus_client(sandbox_xserver_t)
-+
-+ optional_policy(`
-+ hal_dbus_chat(sandbox_xserver_t)
-+ ')
-+')
-+
-+########################################
-+#
-+# sandbox_x_domain local policy
-+#
-+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
-+tunable_policy(`deny_execmem',`',`
-+ allow sandbox_x_domain self:process execmem;
-+')
-+
-+allow sandbox_x_domain self:fifo_file manage_file_perms;
-+allow sandbox_x_domain self:sem create_sem_perms;
-+allow sandbox_x_domain self:shm create_shm_perms;
-+allow sandbox_x_domain self:msgq create_msgq_perms;
-+allow sandbox_x_domain self:netlink_selinux_socket create_socket_perms;
-+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
-+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
-+
-+dontaudit sandbox_x_domain sandbox_x_domain:process signal;
-+dontaudit sandbox_x_domain sandbox_xserver_t:process signal;
-+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+
-+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
-+
-+allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
-+term_create_pty(sandbox_x_domain,sandbox_devpts_t)
-+
-+can_exec(sandbox_x_domain, sandbox_file_t)
-+allow sandbox_x_domain sandbox_file_t:filesystem getattr;
-+manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
-+manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
-+manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
-+manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
-+manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
-+dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
-+
-+kernel_getattr_proc(sandbox_x_domain)
-+kernel_read_network_state(sandbox_x_domain)
-+kernel_dontaudit_search_kernel_sysctl(sandbox_x_domain)
-+
-+domain_dontaudit_read_all_domains_state(sandbox_x_domain)
-+
-+corecmd_exec_all_executables(sandbox_x_domain)
-+
-+dev_read_urand(sandbox_x_domain)
-+dev_dontaudit_read_rand(sandbox_x_domain)
-+dev_read_sysfs(sandbox_x_domain)
-+dev_dontaudit_rw_dri(sandbox_x_domain)
-+
-+files_search_home(sandbox_x_domain)
-+files_dontaudit_list_all_mountpoints(sandbox_x_domain)
-+files_entrypoint_all_files(sandbox_x_domain)
-+files_read_config_files(sandbox_x_domain)
-+files_read_usr_files(sandbox_x_domain)
-+files_read_usr_symlinks(sandbox_x_domain)
-+
-+fs_getattr_tmpfs(sandbox_x_domain)
-+fs_getattr_xattr_fs(sandbox_x_domain)
-+fs_list_inotifyfs(sandbox_x_domain)
-+fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
-+# Random tmpfs_t that gets created when you run X.
-+fs_rw_tmpfs_files(sandbox_x_domain)
-+fs_get_xattr_fs_quotas(sandbox_x_domain)
-+
-+auth_dontaudit_read_login_records(sandbox_x_domain)
-+auth_dontaudit_write_login_records(sandbox_x_domain)
-+auth_search_pam_console_data(sandbox_x_domain)
-+
-+init_read_utmp(sandbox_x_domain)
-+init_dontaudit_write_utmp(sandbox_x_domain)
-+
-+libs_dontaudit_setattr_lib_files(sandbox_x_domain)
-+
-+miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
-+
-+mta_dontaudit_read_spool_symlinks(sandbox_x_domain)
-+
-+selinux_validate_context(sandbox_x_domain)
-+selinux_compute_access_vector(sandbox_x_domain)
-+selinux_compute_create_context(sandbox_x_domain)
-+selinux_compute_relabel_context(sandbox_x_domain)
-+selinux_compute_user_contexts(sandbox_x_domain)
-+seutil_read_default_contexts(sandbox_x_domain)
-+
-+term_getattr_pty_fs(sandbox_x_domain)
-+term_use_ptmx(sandbox_x_domain)
-+term_search_ptys(sandbox_x_domain)
-+
-+application_dontaudit_signal(sandbox_x_domain)
-+application_dontaudit_sigkill(sandbox_x_domain)
-+
-+logging_dontaudit_search_logs(sandbox_x_domain)
-+
-+miscfiles_read_fonts(sandbox_x_domain)
-+
-+storage_dontaudit_rw_fuse(sandbox_x_domain)
-+
-+optional_policy(`
-+ consolekit_dbus_chat(sandbox_x_domain)
-+')
-+
-+optional_policy(`
-+ cups_stream_connect(sandbox_x_domain)
-+ cups_read_rw_config(sandbox_x_domain)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(sandbox_x_domain)
-+')
-+
-+optional_policy(`
-+ devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain)
-+')
-+
-+optional_policy(`
-+ gnome_read_gconf_config(sandbox_x_domain)
-+')
-+
-+optional_policy(`
-+ nscd_dontaudit_search_pid(sandbox_x_domain)
-+')
-+
-+optional_policy(`
-+ sssd_dontaudit_search_lib(sandbox_x_domain)
-+')
-+
-+optional_policy(`
-+ udev_read_db(sandbox_x_domain)
-+')
-+
-+userdom_dontaudit_use_user_terminals(sandbox_x_domain)
-+userdom_read_user_home_content_symlinks(sandbox_x_domain)
-+userdom_search_user_home_content(sandbox_x_domain)
-+userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain)
-+
-+fs_search_auto_mountpoints(sandbox_x_domain)
-+fs_read_hugetlbfs_files(sandbox_x_domain)
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_search_auto_mountpoints(sandbox_x_domain)
-+ fs_search_nfs(sandbox_xserver_t)
-+ fs_read_nfs_files(sandbox_xserver_t)
-+ fs_manage_nfs_dirs(sandbox_x_domain)
-+ fs_manage_nfs_files(sandbox_x_domain)
-+ fs_exec_nfs_files(sandbox_x_domain)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_search_cifs(sandbox_xserver_t)
-+ fs_read_cifs_files(sandbox_xserver_t)
-+ fs_manage_cifs_dirs(sandbox_x_domain)
-+ fs_manage_cifs_files(sandbox_x_domain)
-+ fs_exec_cifs_files(sandbox_x_domain)
-+')
-+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_search_fusefs(sandbox_xserver_t)
-+ fs_read_fusefs_files(sandbox_xserver_t)
-+ fs_manage_fusefs_dirs(sandbox_x_domain)
-+ fs_manage_fusefs_files(sandbox_x_domain)
-+ fs_exec_fusefs_files(sandbox_x_domain)
-+')
-+
-+files_search_home(sandbox_x_t)
-+userdom_use_user_ptys(sandbox_x_t)
-+
-+########################################
-+#
-+# sandbox_x_client_t local policy
-+#
-+allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
-+allow sandbox_x_client_t self:udp_socket create_socket_perms;
-+allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
-+
-+dev_read_rand(sandbox_x_client_t)
-+
-+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
-+corenet_dontaudit_tcp_connect_xserver_port(sandbox_x_client_t)
-+
-+auth_use_nsswitch(sandbox_x_client_t)
-+
-+logging_send_syslog_msg(sandbox_x_client_t)
-+
-+optional_policy(`
-+ colord_dbus_chat(sandbox_x_client_t)
-+')
-+
-+optional_policy(`
-+ hal_dbus_chat(sandbox_x_client_t)
-+')
-+
-+optional_policy(`
-+ nsplugin_read_rw_files(sandbox_x_client_t)
-+')
-+
-+########################################
-+#
-+# sandbox_web_client_t local policy
-+#
-+typeattribute sandbox_web_client_t sandbox_web_type;
-+
-+selinux_get_fs_mount(sandbox_web_client_t)
-+
-+auth_use_nsswitch(sandbox_web_client_t)
-+
-+logging_send_syslog_msg(sandbox_web_client_t)
-+
-+allow sandbox_web_type self:capability { setuid setgid };
-+allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
-+dontaudit sandbox_web_type self:process setrlimit;
-+
-+allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
-+allow sandbox_web_type self:udp_socket create_socket_perms;
-+allow sandbox_web_type self:dbus { acquire_svc send_msg };
-+
-+kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
-+kernel_request_load_module(sandbox_web_type)
-+
-+dev_read_rand(sandbox_web_type)
-+dev_write_sound(sandbox_web_type)
-+dev_read_sound(sandbox_web_type)
-+
-+corenet_tcp_sendrecv_generic_if(sandbox_web_type)
-+corenet_raw_sendrecv_generic_if(sandbox_web_type)
-+corenet_tcp_sendrecv_generic_node(sandbox_web_type)
-+corenet_raw_sendrecv_generic_node(sandbox_web_type)
-+corenet_tcp_sendrecv_http_port(sandbox_web_type)
-+corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
-+corenet_tcp_sendrecv_squid_port(sandbox_web_type)
-+corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
-+corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
-+corenet_tcp_connect_http_port(sandbox_web_type)
-+corenet_tcp_connect_http_cache_port(sandbox_web_type)
-+corenet_tcp_connect_squid_port(sandbox_web_type)
-+corenet_tcp_connect_flash_port(sandbox_web_type)
-+corenet_tcp_connect_ftp_port(sandbox_web_type)
-+corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)
-+corenet_tcp_connect_ipp_port(sandbox_web_type)
-+corenet_tcp_connect_streaming_port(sandbox_web_type)
-+corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
-+corenet_tcp_connect_tor_socks_port(sandbox_web_type)
-+corenet_tcp_connect_speech_port(sandbox_web_type)
-+corenet_tcp_connect_generic_port(sandbox_web_type)
-+corenet_tcp_connect_soundd_port(sandbox_web_type)
-+corenet_tcp_connect_speech_port(sandbox_web_type)
-+corenet_sendrecv_http_client_packets(sandbox_web_type)
-+corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
-+corenet_sendrecv_squid_client_packets(sandbox_web_type)
-+corenet_sendrecv_ftp_client_packets(sandbox_web_type)
-+corenet_sendrecv_ipp_client_packets(sandbox_web_type)
-+corenet_sendrecv_generic_client_packets(sandbox_web_type)
-+
-+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
-+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
-+
-+files_dontaudit_getattr_all_dirs(sandbox_web_type)
-+
-+fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
-+fs_dontaudit_getattr_all_fs(sandbox_web_type)
-+
-+storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
-+
-+dbus_system_bus_client(sandbox_web_type)
-+dbus_read_config(sandbox_web_type)
-+selinux_validate_context(sandbox_web_type)
-+selinux_compute_access_vector(sandbox_web_type)
-+selinux_compute_create_context(sandbox_web_type)
-+selinux_compute_relabel_context(sandbox_web_type)
-+selinux_compute_user_contexts(sandbox_web_type)
-+seutil_read_default_contexts(sandbox_web_type)
-+
-+userdom_rw_user_tmpfs_files(sandbox_web_type)
-+userdom_delete_user_tmpfs_files(sandbox_web_type)
-+
-+optional_policy(`
-+ alsa_read_rw_config(sandbox_web_type)
-+')
-+
-+optional_policy(`
-+ bluetooth_dontaudit_dbus_chat(sandbox_web_type)
-+')
-+
-+optional_policy(`
-+ hal_dbus_chat(sandbox_web_type)
-+')
-+
-+optional_policy(`
-+ chrome_domtrans_sandbox(sandbox_web_type)
-+')
-+
-+optional_policy(`
-+ nsplugin_manage_rw(sandbox_web_type)
-+ nsplugin_read_rw_files(sandbox_web_type)
-+ nsplugin_rw_exec(sandbox_web_type)
-+')
-+
-+optional_policy(`
-+ pulseaudio_stream_connect(sandbox_web_type)
-+ allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
-+')
-+
-+optional_policy(`
-+ rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type)
-+')
-+
-+optional_policy(`
-+ # needed by pulseaudio
-+ systemd_read_logind_sessions_files(sandbox_web_type)
-+ systemd_login_read_pid_files(sandbox_web_type)
-+')
-+
-+optional_policy(`
-+ networkmanager_dontaudit_dbus_chat(sandbox_web_type)
-+')
-+
-+optional_policy(`
-+ udev_read_state(sandbox_web_type)
-+')
-+
-+########################################
-+#
-+# sandbox_net_client_t local policy
-+#
-+typeattribute sandbox_net_client_t sandbox_web_type;
-+
-+corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
-+corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
-+corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
-+corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
-+corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
-+corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
-+corenet_tcp_connect_all_ports(sandbox_net_client_t)
-+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
-+
-+selinux_get_fs_mount(sandbox_net_client_t)
-+
-+auth_use_nsswitch(sandbox_net_client_t)
-+
-+logging_send_syslog_msg(sandbox_net_client_t)
-+
-+optional_policy(`
-+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
-+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
-+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
-+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
-+')
-diff --git a/sanlock.fc b/sanlock.fc
-index 5d1826c..9059165 100644
---- a/sanlock.fc
-+++ b/sanlock.fc
-@@ -1,7 +1,10 @@
-+
- /etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
-
- /var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
-
--/var/log/sanlock\.log gen_context(system_u:object_r:sanlock_log_t,s0)
-+/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0)
-
- /usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
-+
-+/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0)
-diff --git a/sanlock.if b/sanlock.if
-index cfe3172..34b861a 100644
---- a/sanlock.if
-+++ b/sanlock.if
-@@ -1,3 +1,4 @@
-+
- ## policy for sanlock
-
- ########################################
-@@ -18,6 +19,7 @@ interface(`sanlock_domtrans',`
- domtrans_pattern($1, sanlock_exec_t, sanlock_t)
- ')
-
-+
- ########################################
- ##
- ## Execute sanlock server in the sanlock domain.
-@@ -57,21 +59,44 @@ interface(`sanlock_manage_pid_files',`
-
- ########################################
- ##
--## Connect to sanlock over an unix stream socket.
-+## Connect to sanlock over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sanlock_stream_connect',`
-+ gen_require(`
-+ type sanlock_t, sanlock_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
-+')
-+
-+########################################
-+##
-+## Execute virt server in the virt domain.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
- ##
- ##
- #
--interface(`sanlock_stream_connect',`
-+interface(`sanlock_systemctl',`
- gen_require(`
-- type sanlock_t, sanlock_var_run_t;
-+ type sanlock_unit_file_t;
-+ type sanlock_t;
- ')
-
-- files_search_pids($1)
-- stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
-+ systemd_exec_systemctl($1)
-+ allow $1 sanlock_unit_file_t:file read_file_perms;
-+ allow $1 sanlock_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, sanlock_t)
- ')
-
- ########################################
-@@ -95,13 +120,21 @@ interface(`sanlock_admin',`
- gen_require(`
- type sanlock_t;
- type sanlock_initrc_exec_t;
-+ type sanlock_unit_file_t;
- ')
-
- allow $1 sanlock_t:process signal_perms;
- ps_process_pattern($1, sanlock_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 sanlock_t:process ptrace;
-+ ')
-
- sanlock_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 sanlock_initrc_exec_t system_r;
- allow $2 system_r;
-+
-+ virt_systemctl($1)
-+ admin_pattern($1, sanlock_unit_file_t)
-+ allow $1 sanlock_unit_file_t:service all_service_perms;
- ')
-diff --git a/sanlock.te b/sanlock.te
-index e02eb6c..4f4eaf4 100644
---- a/sanlock.te
-+++ b/sanlock.te
-@@ -1,4 +1,4 @@
--policy_module(sanlock, 1.0.0)
-+policy_module(sanlock,1.0.0)
-
- ########################################
- #
-@@ -6,18 +6,25 @@ policy_module(sanlock, 1.0.0)
- #
-
- ##
--##
--## Allow confined virtual guests to manage nfs files
--##
-+##
-+## Allow sanlock to manage nfs files
-+##
- ##
- gen_tunable(sanlock_use_nfs, false)
-
- ##
-+##
-+## Allow sanlock to manage cifs files
-+##
-+##
-+gen_tunable(sanlock_use_samba, false)
-+
-+##
- ##
--## Allow confined virtual guests to manage cifs files
-+## Allow sanlock to read/write fuse files
- ##
- ##
--gen_tunable(sanlock_use_samba, false)
-+gen_tunable(sanlock_use_fusefs, false)
-
- type sanlock_t;
- type sanlock_exec_t;
-@@ -32,6 +39,9 @@ logging_log_file(sanlock_log_t)
- type sanlock_initrc_exec_t;
- init_script_file(sanlock_initrc_exec_t)
-
-+type sanlock_unit_file_t;
-+systemd_unit_file(sanlock_unit_file_t)
-+
- ifdef(`enable_mcs',`
- init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
- ')
-@@ -44,8 +54,9 @@ ifdef(`enable_mls',`
- #
- # sanlock local policy
- #
--allow sanlock_t self:capability { sys_nice ipc_lock };
--allow sanlock_t self:process { setsched signull };
-+allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
-+allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
-+
- allow sanlock_t self:fifo_file rw_fifo_file_perms;
- allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
-
-@@ -58,36 +69,51 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
- files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
-
- kernel_read_system_state(sanlock_t)
-+kernel_read_kernel_sysctls(sanlock_t)
-
- domain_use_interactive_fds(sanlock_t)
-
--files_read_etc_files(sanlock_t)
-+files_read_mnt_symlinks(sanlock_t)
-
- storage_raw_rw_fixed_disk(sanlock_t)
-
-+dev_read_rand(sanlock_t)
- dev_read_urand(sanlock_t)
-
-+auth_use_nsswitch(sanlock_t)
-+
- init_read_utmp(sanlock_t)
- init_dontaudit_write_utmp(sanlock_t)
-
- logging_send_syslog_msg(sanlock_t)
-
--miscfiles_read_localization(sanlock_t)
-+tunable_policy(`sanlock_use_fusefs',`
-+ fs_manage_fusefs_dirs(sanlock_t)
-+ fs_manage_fusefs_files(sanlock_t)
-+ fs_read_fusefs_symlinks(sanlock_t)
-+ fs_getattr_fusefs(sanlock_t)
-+')
-
- tunable_policy(`sanlock_use_nfs',`
-- fs_manage_nfs_dirs(sanlock_t)
-- fs_manage_nfs_files(sanlock_t)
-- fs_manage_nfs_named_sockets(sanlock_t)
-- fs_read_nfs_symlinks(sanlock_t)
-+ fs_manage_nfs_dirs(sanlock_t)
-+ fs_manage_nfs_files(sanlock_t)
-+ fs_manage_nfs_named_sockets(sanlock_t)
-+ fs_read_nfs_symlinks(sanlock_t)
- ')
-
- tunable_policy(`sanlock_use_samba',`
-- fs_manage_cifs_dirs(sanlock_t)
-- fs_manage_cifs_files(sanlock_t)
-- fs_manage_cifs_named_sockets(sanlock_t)
-- fs_read_cifs_symlinks(sanlock_t)
-+ fs_manage_cifs_dirs(sanlock_t)
-+ fs_manage_cifs_files(sanlock_t)
-+ fs_manage_cifs_named_sockets(sanlock_t)
-+ fs_read_cifs_symlinks(sanlock_t)
-+')
-+
-+optional_policy(`
-+ wdmd_stream_connect(sanlock_t)
- ')
-
- optional_policy(`
-+ virt_kill_svirt(sanlock_t)
- virt_manage_lib_files(sanlock_t)
-+ virt_signal_svirt(sanlock_t)
- ')
-diff --git a/sasl.if b/sasl.if
-index f1aea88..3e6a93f 100644
---- a/sasl.if
-+++ b/sasl.if
-@@ -38,21 +38,21 @@ interface(`sasl_connect',`
- #
- interface(`sasl_admin',`
- gen_require(`
-- type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
-+ type saslauthd_t, saslauthd_var_run_t;
- type saslauthd_initrc_exec_t;
- ')
-
-- allow $1 saslauthd_t:process { ptrace signal_perms getattr };
-+ allow $1 saslauthd_t:process signal_perms;
- ps_process_pattern($1, saslauthd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 saslauthd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 saslauthd_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_list_tmp($1)
-- admin_pattern($1, saslauthd_tmp_t)
--
- files_list_pids($1)
- admin_pattern($1, saslauthd_var_run_t)
- ')
-diff --git a/sasl.te b/sasl.te
-index 9d9f8ce..88a01c0 100644
---- a/sasl.te
-+++ b/sasl.te
-@@ -10,7 +10,7 @@ policy_module(sasl, 1.14.0)
- ## Allow sasl to read shadow
- ##
- ##
--gen_tunable(allow_saslauthd_read_shadow, false)
-+gen_tunable(saslauthd_read_shadow, false)
-
- type saslauthd_t;
- type saslauthd_exec_t;
-@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
- type saslauthd_initrc_exec_t;
- init_script_file(saslauthd_initrc_exec_t)
-
--type saslauthd_tmp_t;
--files_tmp_file(saslauthd_tmp_t)
--
- type saslauthd_var_run_t;
- files_pid_file(saslauthd_var_run_t)
-
-@@ -30,31 +27,32 @@ files_pid_file(saslauthd_var_run_t)
- # Local policy
- #
-
--allow saslauthd_t self:capability { setgid setuid };
-+allow saslauthd_t self:capability { setgid setuid sys_nice };
- dontaudit saslauthd_t self:capability sys_tty_config;
--allow saslauthd_t self:process signal_perms;
-+allow saslauthd_t self:process { setsched signal_perms };
- allow saslauthd_t self:fifo_file rw_fifo_file_perms;
- allow saslauthd_t self:unix_dgram_socket create_socket_perms;
- allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
- allow saslauthd_t self:tcp_socket create_socket_perms;
-
--allow saslauthd_t saslauthd_tmp_t:dir setattr;
--manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
--files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
--
-+manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
- manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
- manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
--files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, file)
-+files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir })
-
- kernel_read_kernel_sysctls(saslauthd_t)
- kernel_read_system_state(saslauthd_t)
-+kernel_rw_afs_state(saslauthd_t)
-+
-+#577519
-+corecmd_exec_bin(saslauthd_t)
-
--corenet_all_recvfrom_unlabeled(saslauthd_t)
- corenet_all_recvfrom_netlabel(saslauthd_t)
- corenet_tcp_sendrecv_generic_if(saslauthd_t)
- corenet_tcp_sendrecv_generic_node(saslauthd_t)
- corenet_tcp_sendrecv_all_ports(saslauthd_t)
- corenet_tcp_connect_pop_port(saslauthd_t)
-+corenet_tcp_connect_zarafa_port(saslauthd_t)
- corenet_sendrecv_pop_client_packets(saslauthd_t)
-
- dev_read_urand(saslauthd_t)
-@@ -78,21 +76,20 @@ init_dontaudit_stream_connect_script(saslauthd_t)
-
- logging_send_syslog_msg(saslauthd_t)
-
--miscfiles_read_localization(saslauthd_t)
- miscfiles_read_generic_certs(saslauthd_t)
-
--seutil_dontaudit_read_config(saslauthd_t)
--
- userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
- userdom_dontaudit_search_user_home_dirs(saslauthd_t)
-
- # cjp: typeattribute doesnt work in conditionals
- auth_can_read_shadow_passwords(saslauthd_t)
--tunable_policy(`allow_saslauthd_read_shadow',`
-+tunable_policy(`saslauthd_read_shadow',`
-+ allow saslauthd_t self:capability dac_override;
- auth_tunable_read_shadow(saslauthd_t)
- ')
-
- optional_policy(`
-+ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
- kerberos_keytab_template(saslauthd, saslauthd_t)
- ')
-
-diff --git a/sblim.if b/sblim.if
-index fa24879..3abfdf2 100644
---- a/sblim.if
-+++ b/sblim.if
-@@ -1,5 +1,28 @@
- ## policy for SBLIM Gatherer
-
-+######################################
-+##
-+## Creates types and rules for a basic
-+## sblim daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`sblim_domain_template',`
-+ gen_require(`
-+ attribute sblim_domain;
-+ ')
-+
-+ type sblim_$1_t, sblim_domain;
-+ type sblim_$1_exec_t;
-+ init_daemon_domain(sblim_$1_t, sblim_$1_exec_t)
-+
-+ kernel_read_system_state(sblim_$1_t)
-+')
-+
- ########################################
- ##
- ## Transition to gatherd.
-@@ -48,11 +71,6 @@ interface(`sblim_read_pid_files',`
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Role allowed access.
--##
--##
- ##
- #
- interface(`sblim_admin',`
-@@ -65,6 +83,11 @@ interface(`sblim_admin',`
- allow $1 sblim_gatherd_t:process signal_perms;
- ps_process_pattern($1, sblim_gatherd_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 sblim_gatherd_t:process ptrace;
-+ allow $1 sblim_reposd_t:process ptrace;
-+ ')
-+
- allow $1 sblim_reposd_t:process signal_perms;
- ps_process_pattern($1, sblim_reposd_t)
-
-diff --git a/sblim.te b/sblim.te
-index 869f976..5171bda 100644
---- a/sblim.te
-+++ b/sblim.te
-@@ -7,13 +7,9 @@ policy_module(sblim, 1.0.0)
-
- attribute sblim_domain;
-
--type sblim_gatherd_t, sblim_domain;
--type sblim_gatherd_exec_t;
--init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t)
-+sblim_domain_template(gatherd)
-
--type sblim_reposd_t, sblim_domain;
--type sblim_reposd_exec_t;
--init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
-+sblim_domain_template(reposd)
-
- type sblim_var_run_t;
- files_pid_file(sblim_var_run_t)
-@@ -41,6 +37,12 @@ dev_read_urand(sblim_gatherd_t)
- domain_read_all_domains_state(sblim_gatherd_t)
-
- fs_getattr_all_fs(sblim_gatherd_t)
-+fs_search_cgroup_dirs(sblim_gatherd_t)
-+
-+storage_raw_read_fixed_disk(sblim_gatherd_t)
-+storage_raw_read_removable_device(sblim_gatherd_t)
-+
-+logging_send_syslog_msg(sblim_gatherd_t)
-
- sysnet_dns_name_resolve(sblim_gatherd_t)
-
-@@ -63,7 +65,9 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ virt_read_config(sblim_gatherd_t)
- virt_stream_connect(sblim_gatherd_t)
-+ virt_getattr_exec(sblim_gatherd_t)
- ')
-
- optional_policy(`
-@@ -81,6 +85,8 @@ domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t)
- corenet_tcp_bind_all_nodes(sblim_reposd_t)
- corenet_tcp_bind_repository_port(sblim_reposd_t)
-
-+logging_send_syslog_msg(sblim_reposd_t)
-+
- ######################################
- #
- # sblim_domain local policy
-@@ -91,14 +97,13 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms;
- manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
- manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
- manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
-+files_pid_filetrans(sblim_domain, sblim_var_run_t, { dir file sock_file })
-
- kernel_read_network_state(sblim_domain)
--kernel_read_system_state(sblim_domain)
-
- dev_read_sysfs(sblim_domain)
-
--logging_send_syslog_msg(sblim_domain)
-+auth_read_passwd(sblim_domain)
-
- files_read_etc_files(sblim_domain)
-
--miscfiles_read_localization(sblim_domain)
-diff --git a/screen.fc b/screen.fc
-index c8254dd..b73334e 100644
---- a/screen.fc
-+++ b/screen.fc
-@@ -1,15 +1,19 @@
- #
- # /home
- #
--HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
- HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
-+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
-+
-+/root/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
-
- #
- # /usr
- #
- /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
-+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
-
- #
- # /var
- #
- /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
-+/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
-diff --git a/screen.if b/screen.if
-index c50a444..ee00be2 100644
---- a/screen.if
-+++ b/screen.if
-@@ -25,6 +25,7 @@ template(`screen_role_template',`
- gen_require(`
- type screen_exec_t, screen_tmp_t;
- type screen_home_t, screen_var_run_t;
-+ attribute screen_domain;
- ')
-
- ########################################
-@@ -32,50 +33,24 @@ template(`screen_role_template',`
- # Declarations
- #
-
-- type $1_screen_t;
-- userdom_user_application_domain($1_screen_t, screen_exec_t)
-+ type $1_screen_t, screen_domain;
-+ application_domain($1_screen_t, screen_exec_t)
- domain_interactive_fd($1_screen_t)
-+ ubac_constrained($1_screen_t)
- role $2 types $1_screen_t;
-
-- ########################################
-- #
-- # Local policy
-- #
--
-- allow $1_screen_t self:capability { setuid setgid fsetid };
-- allow $1_screen_t self:process signal_perms;
-- allow $1_screen_t self:fifo_file rw_fifo_file_perms;
-- allow $1_screen_t self:tcp_socket create_stream_socket_perms;
-- allow $1_screen_t self:udp_socket create_socket_perms;
-- # Internal screen networking
-- allow $1_screen_t self:fd use;
-- allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto };
-- allow $1_screen_t self:unix_dgram_socket create_socket_perms;
--
-- manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
-- manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
-- manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
-- files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir })
--
-- # Create fifo
-- manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
-- manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
-- manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
-- files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
--
-- allow $1_screen_t screen_home_t:dir list_dir_perms;
-- manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
-- manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
-- userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
-- read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
-- read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $3 $1_screen_t:process ptrace;
-+ ')
-
-- allow $1_screen_t $3:process signal;
-+ userdom_home_reader($1_screen_t)
-
- domtrans_pattern($3, screen_exec_t, $1_screen_t)
- allow $3 $1_screen_t:process { signal sigchld };
- dontaudit $3 $1_screen_t:unix_stream_socket { read write };
-+ allow $1_screen_t $3:unix_stream_socket { connectto };
- allow $1_screen_t $3:process signal;
-+ ps_process_pattern($1_screen_t, $3)
-
- manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
- manage_dirs_pattern($3, screen_home_t, screen_home_t)
-@@ -86,77 +61,46 @@ template(`screen_role_template',`
- relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
-
- manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
-- manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
-- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
-
- kernel_read_system_state($1_screen_t)
-- kernel_read_kernel_sysctls($1_screen_t)
-
-- corecmd_list_bin($1_screen_t)
-- corecmd_read_bin_files($1_screen_t)
-- corecmd_read_bin_symlinks($1_screen_t)
-- corecmd_read_bin_pipes($1_screen_t)
-- corecmd_read_bin_sockets($1_screen_t)
- # Revert to the user domain when a shell is executed.
- corecmd_shell_domtrans($1_screen_t, $3)
- corecmd_bin_domtrans($1_screen_t, $3)
-
-- corenet_all_recvfrom_unlabeled($1_screen_t)
-- corenet_all_recvfrom_netlabel($1_screen_t)
-- corenet_tcp_sendrecv_generic_if($1_screen_t)
-- corenet_udp_sendrecv_generic_if($1_screen_t)
-- corenet_tcp_sendrecv_generic_node($1_screen_t)
-- corenet_udp_sendrecv_generic_node($1_screen_t)
-- corenet_tcp_sendrecv_all_ports($1_screen_t)
-- corenet_udp_sendrecv_all_ports($1_screen_t)
-- corenet_tcp_connect_all_ports($1_screen_t)
--
-- dev_dontaudit_getattr_all_chr_files($1_screen_t)
-- dev_dontaudit_getattr_all_blk_files($1_screen_t)
-- # for SSP
-- dev_read_urand($1_screen_t)
--
-- domain_use_interactive_fds($1_screen_t)
--
-- files_search_tmp($1_screen_t)
-- files_search_home($1_screen_t)
-- files_list_home($1_screen_t)
-- files_read_usr_files($1_screen_t)
-- files_read_etc_files($1_screen_t)
--
-- fs_search_auto_mountpoints($1_screen_t)
-- fs_getattr_xattr_fs($1_screen_t)
--
- auth_domtrans_chk_passwd($1_screen_t)
- auth_use_nsswitch($1_screen_t)
-- auth_dontaudit_read_shadow($1_screen_t)
-- auth_dontaudit_exec_utempter($1_screen_t)
--
-- # Write to utmp.
-- init_rw_utmp($1_screen_t)
-
- logging_send_syslog_msg($1_screen_t)
-
-- miscfiles_read_localization($1_screen_t)
--
-- seutil_read_config($1_screen_t)
--
-- userdom_use_user_terminals($1_screen_t)
-- userdom_create_user_pty($1_screen_t)
- userdom_user_home_domtrans($1_screen_t, $3)
-- userdom_setattr_user_ptys($1_screen_t)
-- userdom_setattr_user_ttys($1_screen_t)
-+ userdom_manage_tmp_role($2, $1_screen_t)
-
- tunable_policy(`use_samba_home_dirs',`
- fs_cifs_domtrans($1_screen_t, $3)
-- fs_read_cifs_symlinks($1_screen_t)
-- fs_list_cifs($1_screen_t)
- ')
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_nfs_domtrans($1_screen_t, $3)
-- fs_list_nfs($1_screen_t)
-- fs_read_nfs_symlinks($1_screen_t)
- ')
- ')
-+
-+#######################################
-+##
-+## Execute the rssh program
-+## in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`screen_exec',`
-+ gen_require(`
-+ type screen_exec_t;
-+ ')
-+
-+ can_exec($1, screen_exec_t)
-+')
-diff --git a/screen.te b/screen.te
-index 2583626..86af6f6 100644
---- a/screen.te
-+++ b/screen.te
-@@ -5,6 +5,8 @@ policy_module(screen, 2.5.0)
- # Declarations
- #
-
-+attribute screen_domain;
-+
- type screen_exec_t;
- application_executable_file(screen_exec_t)
-
-@@ -13,13 +15,84 @@ typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_sc
- typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
- userdom_user_home_content(screen_home_t)
-
--type screen_tmp_t;
--typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
--typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
--userdom_user_tmp_file(screen_tmp_t)
--
- type screen_var_run_t;
- typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
- typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
- files_pid_file(screen_var_run_t)
- ubac_constrained(screen_var_run_t)
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+allow screen_domain self:capability { setuid setgid fsetid };
-+allow screen_domain self:process signal_perms;
-+allow screen_domain self:fifo_file rw_fifo_file_perms;
-+allow screen_domain self:tcp_socket create_stream_socket_perms;
-+allow screen_domain self:udp_socket create_socket_perms;
-+# Internal screen networking
-+allow screen_domain self:fd use;
-+allow screen_domain self:unix_stream_socket { create_socket_perms connectto };
-+allow screen_domain self:unix_dgram_socket create_socket_perms;
-+
-+# Create fifo
-+manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-+manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-+manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-+files_pid_filetrans(screen_domain, screen_var_run_t, dir)
-+
-+allow screen_domain screen_home_t:dir list_dir_perms;
-+manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
-+manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
-+userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir)
-+userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir)
-+read_files_pattern(screen_domain, screen_home_t, screen_home_t)
-+read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t)
-+
-+kernel_read_kernel_sysctls(screen_domain)
-+
-+corecmd_list_bin(screen_domain)
-+corecmd_read_bin_files(screen_domain)
-+corecmd_read_bin_symlinks(screen_domain)
-+corecmd_read_bin_pipes(screen_domain)
-+corecmd_read_bin_sockets(screen_domain)
-+
-+corenet_tcp_sendrecv_generic_if(screen_domain)
-+corenet_udp_sendrecv_generic_if(screen_domain)
-+corenet_tcp_sendrecv_generic_node(screen_domain)
-+corenet_udp_sendrecv_generic_node(screen_domain)
-+corenet_tcp_sendrecv_all_ports(screen_domain)
-+corenet_udp_sendrecv_all_ports(screen_domain)
-+corenet_tcp_connect_all_ports(screen_domain)
-+
-+dev_dontaudit_getattr_all_chr_files(screen_domain)
-+dev_dontaudit_getattr_all_blk_files(screen_domain)
-+# for SSP
-+dev_read_urand(screen_domain)
-+
-+domain_sigchld_interactive_fds(screen_domain)
-+domain_use_interactive_fds(screen_domain)
-+domain_read_all_domains_state(screen_domain)
-+
-+files_search_tmp(screen_domain)
-+files_search_home(screen_domain)
-+files_list_home(screen_domain)
-+files_read_usr_files(screen_domain)
-+files_read_etc_files(screen_domain)
-+
-+fs_search_auto_mountpoints(screen_domain)
-+fs_getattr_xattr_fs(screen_domain)
-+
-+auth_dontaudit_read_shadow(screen_domain)
-+auth_dontaudit_exec_utempter(screen_domain)
-+
-+# Write to utmp.
-+init_rw_utmp(screen_domain)
-+
-+seutil_read_config(screen_domain)
-+
-+userdom_use_user_terminals(screen_domain)
-+userdom_create_user_pty(screen_domain)
-+userdom_setattr_user_ptys(screen_domain)
-+userdom_setattr_user_ttys(screen_domain)
-diff --git a/sectoolm.fc b/sectoolm.fc
-index 1ed6870..3f1dac5 100644
---- a/sectoolm.fc
-+++ b/sectoolm.fc
-@@ -1,4 +1,4 @@
- /usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
-
- /var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
--/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0)
-+/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0)
-diff --git a/sectoolm.te b/sectoolm.te
-index c8ef84b..ffa81dd 100644
---- a/sectoolm.te
-+++ b/sectoolm.te
-@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.0)
-
- type sectoolm_t;
- type sectoolm_exec_t;
--dbus_system_domain(sectoolm_t, sectoolm_exec_t)
-+init_daemon_domain(sectoolm_t, sectoolm_exec_t)
-
- type sectool_var_lib_t;
- files_type(sectool_var_lib_t)
-@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t)
- # sectool local policy
- #
-
--allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
-+allow sectoolm_t self:capability { dac_override net_admin sys_nice };
- allow sectoolm_t self:process { getcap getsched signull setsched };
- dontaudit sectoolm_t self:process { execstack execmem };
- allow sectoolm_t self:fifo_file rw_fifo_file_perms;
-@@ -70,12 +70,6 @@ application_exec_all(sectoolm_t)
-
- auth_use_nsswitch(sectoolm_t)
-
--# tests related to network
--hostname_exec(sectoolm_t)
--
--# tests related to network
--iptables_domtrans(sectoolm_t)
--
- libs_exec_ld_so(sectoolm_t)
-
- logging_send_syslog_msg(sectoolm_t)
-@@ -84,6 +78,21 @@ logging_send_syslog_msg(sectoolm_t)
- sysnet_domtrans_ifconfig(sectoolm_t)
-
- userdom_manage_user_tmp_sockets(sectoolm_t)
-+userdom_dgram_send(sectoolm_t)
-+
-+optional_policy(`
-+ dbus_system_domain(sectoolm_t, sectoolm_exec_t)
-+')
-+
-+optional_policy(`
-+ # tests related to network
-+ hostname_exec(sectoolm_t)
-+')
-+
-+optional_policy(`
-+ # tests related to network
-+ iptables_domtrans(sectoolm_t)
-+')
-
- optional_policy(`
- mount_exec(sectoolm_t)
-diff --git a/sendmail.fc b/sendmail.fc
-index a86ec50..da5d41d 100644
---- a/sendmail.fc
-+++ b/sendmail.fc
-@@ -1,5 +1,7 @@
-
--/var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0)
-+/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
-+
-+/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
- /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
-
- /var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
-diff --git a/sendmail.if b/sendmail.if
-index 7e94c7c..ca74cd9 100644
---- a/sendmail.if
-+++ b/sendmail.if
-@@ -51,10 +51,24 @@ interface(`sendmail_domtrans',`
- ')
-
- mta_sendmail_domtrans($1, sendmail_t)
-+')
-+
-+#######################################
-+##
-+## Execute sendmail in the sendmail domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sendmail_initrc_domtrans',`
-+ gen_require(`
-+ type sendmail_initrc_exec_t;
-+ ')
-
-- allow sendmail_t $1:fd use;
-- allow sendmail_t $1:fifo_file rw_file_perms;
-- allow sendmail_t $1:process sigchld;
-+ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
- ')
-
- ########################################
-@@ -152,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
- type sendmail_t;
- ')
-
-- allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
-+ allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
- ')
-
- ########################################
-@@ -171,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
- type sendmail_t;
- ')
-
-- dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
-+ dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
- ')
-
- ########################################
-@@ -295,3 +309,73 @@ interface(`sendmail_run_unconfined',`
- sendmail_domtrans_unconfined($1)
- role $2 types unconfined_sendmail_t;
- ')
-+
-+########################################
-+##
-+## Set the attributes of sendmail pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sendmail_setattr_pid_files',`
-+ gen_require(`
-+ type sendmail_var_run_t;
-+ ')
-+
-+ allow $1 sendmail_var_run_t:file setattr_file_perms;
-+ files_search_pids($1)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an sendmail environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`sendmail_admin',`
-+ gen_require(`
-+ type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
-+ type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
-+ type mail_spool_t;
-+ ')
-+
-+ allow $1 sendmail_t:process signal_perms;
-+ ps_process_pattern($1, sendmail_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 sendmail_t:process ptrace;
-+ allow $1 unconfined_sendmail_t:process ptrace;
-+ ')
-+
-+ allow $1 unconfined_sendmail_t:process signal_perms;
-+ ps_process_pattern($1, unconfined_sendmail_t)
-+
-+ sendmail_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 sendmail_initrc_exec_t system_r;
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, sendmail_log_t)
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, sendmail_tmp_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, sendmail_var_run_t)
-+
-+ files_list_spool($1)
-+ admin_pattern($1, mail_spool_t)
-+')
-diff --git a/sendmail.te b/sendmail.te
-index 22dac1f..a536819 100644
---- a/sendmail.te
-+++ b/sendmail.te
-@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
- mta_mailserver_delivery(sendmail_t)
- mta_mailserver_sender(sendmail_t)
-
--type unconfined_sendmail_t;
--application_domain(unconfined_sendmail_t, sendmail_exec_t)
--role system_r types unconfined_sendmail_t;
-+type sendmail_initrc_exec_t;
-+init_script_file(sendmail_initrc_exec_t)
-
- ########################################
- #
-@@ -52,7 +51,6 @@ kernel_read_kernel_sysctls(sendmail_t)
- # for piping mail to a command
- kernel_read_system_state(sendmail_t)
-
--corenet_all_recvfrom_unlabeled(sendmail_t)
- corenet_all_recvfrom_netlabel(sendmail_t)
- corenet_tcp_sendrecv_generic_if(sendmail_t)
- corenet_tcp_sendrecv_generic_node(sendmail_t)
-@@ -79,17 +77,18 @@ corecmd_exec_bin(sendmail_t)
-
- domain_use_interactive_fds(sendmail_t)
-
--files_read_etc_files(sendmail_t)
- files_read_usr_files(sendmail_t)
- files_search_spool(sendmail_t)
- # for piping mail to a command
- files_read_etc_runtime_files(sendmail_t)
-+files_read_all_tmp_files(sendmail_t)
-
- init_use_fds(sendmail_t)
- init_use_script_ptys(sendmail_t)
- # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
- init_read_utmp(sendmail_t)
- init_dontaudit_write_utmp(sendmail_t)
-+init_rw_script_tmp_files(sendmail_t)
-
- auth_use_nsswitch(sendmail_t)
-
-@@ -100,10 +99,10 @@ logging_send_syslog_msg(sendmail_t)
- logging_dontaudit_write_generic_logs(sendmail_t)
-
- miscfiles_read_generic_certs(sendmail_t)
--miscfiles_read_localization(sendmail_t)
-
- userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
--userdom_dontaudit_search_user_home_dirs(sendmail_t)
-+userdom_read_user_home_content_files(sendmail_t)
-+userdom_dontaudit_list_user_home_dirs(sendmail_t)
-
- mta_read_config(sendmail_t)
- mta_etc_filetrans_aliases(sendmail_t)
-@@ -115,6 +114,10 @@ mta_manage_spool(sendmail_t)
- mta_sendmail_exec(sendmail_t)
-
- optional_policy(`
-+ cfengine_dontaudit_write_log(sendmail_t)
-+')
-+
-+optional_policy(`
- cron_read_pipes(sendmail_t)
- ')
-
-@@ -128,7 +131,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dovecot_write_inherited_tmp_files(sendmail_t)
-+')
-+
-+optional_policy(`
- exim_domtrans(sendmail_t)
-+ exim_manage_spool_files(sendmail_t)
-+ exim_manage_spool_dirs(sendmail_t)
-+ exim_read_log(sendmail_t)
- ')
-
- optional_policy(`
-@@ -149,7 +159,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ openshift_dontaudit_rw_inherited_fifo_files(sendmail_t)
-+ openshift_rw_inherited_content(sendmail_t)
-+')
-+
-+optional_policy(`
-+ postfix_domtrans_postdrop(sendmail_t)
- postfix_domtrans_master(sendmail_t)
-+ postfix_domtrans_postqueue(sendmail_t)
- postfix_read_config(sendmail_t)
- postfix_search_spool(sendmail_t)
- ')
-@@ -168,20 +185,13 @@ optional_policy(`
- ')
-
- optional_policy(`
-- udev_read_db(sendmail_t)
-+ spamd_stream_connect(sendmail_t)
- ')
-
- optional_policy(`
-- uucp_domtrans_uux(sendmail_t)
-+ udev_read_db(sendmail_t)
- ')
-
--########################################
--#
--# Unconfined sendmail local policy
--# Allow unconfined domain to run newalias and have transitions work
--#
--
- optional_policy(`
-- mta_etc_filetrans_aliases(unconfined_sendmail_t)
-- unconfined_domain(unconfined_sendmail_t)
-+ uucp_domtrans_uux(sendmail_t)
- ')
-diff --git a/sensord.fc b/sensord.fc
-new file mode 100644
-index 0000000..e1ef619
---- /dev/null
-+++ b/sensord.fc
-@@ -0,0 +1,5 @@
-+/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0)
-+
-+/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
-+
-+/var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0)
-diff --git a/sensord.if b/sensord.if
-new file mode 100644
-index 0000000..5eba5fd
---- /dev/null
-+++ b/sensord.if
-@@ -0,0 +1,75 @@
-+
-+## Sensor information logging daemon
-+
-+########################################
-+##
-+## Execute sensord in the sensord domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`sensord_domtrans',`
-+ gen_require(`
-+ type sensord_t, sensord_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, sensord_exec_t, sensord_t)
-+')
-+########################################
-+##
-+## Execute sensord server in the sensord domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`sensord_systemctl',`
-+ gen_require(`
-+ type sensord_t;
-+ type sensord_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 sensord_unit_file_t:file read_file_perms;
-+ allow $1 sensord_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, sensord_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an sensord environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`sensord_admin',`
-+ gen_require(`
-+ type sensord_t;
-+ type sensord_unit_file_t;
-+ ')
-+
-+ allow $1 sensord_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, sensord_t)
-+
-+ sensord_systemctl($1)
-+ admin_pattern($1, sensord_unit_file_t)
-+ allow $1 sensord_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/sensord.te b/sensord.te
-new file mode 100644
-index 0000000..5e92ac9
---- /dev/null
-+++ b/sensord.te
-@@ -0,0 +1,35 @@
-+policy_module(sensord, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type sensord_t;
-+type sensord_exec_t;
-+init_daemon_domain(sensord_t, sensord_exec_t)
-+
-+type sensord_unit_file_t;
-+systemd_unit_file(sensord_unit_file_t)
-+
-+type sensord_var_run_t;
-+files_pid_file(sensord_var_run_t)
-+
-+########################################
-+#
-+# sensord local policy
-+#
-+
-+allow sensord_t self:fifo_file rw_fifo_file_perms;
-+allow sensord_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t)
-+files_pid_filetrans(sensord_t, sensord_var_run_t, { file })
-+
-+domain_use_interactive_fds(sensord_t)
-+
-+dev_read_sysfs(sensord_t)
-+
-+files_read_etc_files(sensord_t)
-+
-+logging_send_syslog_msg(sensord_t)
-diff --git a/setroubleshoot.if b/setroubleshoot.if
-index bcdd16c..039b0c8 100644
---- a/setroubleshoot.if
-+++ b/setroubleshoot.if
-@@ -2,7 +2,7 @@
-
- ########################################
- ##
--## Connect to setroubleshootd over an unix stream socket.
-+## Connect to setroubleshootd over a unix stream socket.
- ##
- ##
- ##
-@@ -23,7 +23,7 @@ interface(`setroubleshoot_stream_connect',`
- ########################################
- ##
- ## Dontaudit attempts to connect to setroubleshootd
--## over an unix stream socket.
-+## over a unix stream socket.
- ##
- ##
- ##
-@@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',`
-
- ########################################
- ##
-+## Dontaudit read/write to a setroubleshoot leaked sockets.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`setroubleshoot_fixit_dontaudit_leaks',`
-+ gen_require(`
-+ type setroubleshoot_fixit_t;
-+ ')
-+
-+ dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write };
-+ dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write };
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an setroubleshoot environment
- ##
-@@ -117,15 +136,18 @@ interface(`setroubleshoot_dbus_chat_fixit',`
- #
- interface(`setroubleshoot_admin',`
- gen_require(`
-- type setroubleshootd_t, setroubleshoot_log_t;
-- type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
-+ type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t;
-+ type setroubleshoot_var_lib_t;
- ')
-
-- allow $1 setroubleshootd_t:process { ptrace signal_perms };
-+ allow $1 setroubleshootd_t:process signal_perms;
- ps_process_pattern($1, setroubleshootd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 setroubleshootd_t:process ptrace;
-+ ')
-
- logging_list_logs($1)
-- admin_pattern($1, setroubleshoot_log_t)
-+ admin_pattern($1, setroubleshoot_var_log_t)
-
- files_list_var_lib($1)
- admin_pattern($1, setroubleshoot_var_lib_t)
-diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 086cd5f..08ef0c7 100644
---- a/setroubleshoot.te
-+++ b/setroubleshoot.te
-@@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
-
- type setroubleshoot_fixit_t;
- type setroubleshoot_fixit_exec_t;
--dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
-+init_daemon_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
-
- type setroubleshoot_var_lib_t;
- files_type(setroubleshoot_var_lib_t)
-@@ -30,8 +30,10 @@ files_pid_file(setroubleshoot_var_run_t)
- # setroubleshootd local policy
- #
-
--allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
-+allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
- allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
-+# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
-+allow setroubleshootd_t self:process { execmem execstack };
- allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
- allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
- allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -49,19 +51,23 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
- logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
-
- # pid file
-+manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
- manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
- manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
--files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file })
-+files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir })
-
- kernel_read_kernel_sysctls(setroubleshootd_t)
- kernel_read_system_state(setroubleshootd_t)
- kernel_read_net_sysctls(setroubleshootd_t)
- kernel_read_network_state(setroubleshootd_t)
-+kernel_dontaudit_list_all_proc(setroubleshootd_t)
-+kernel_read_irq_sysctls(setroubleshootd_t)
-+kernel_read_unlabeled_state(setroubleshootd_t)
-
- corecmd_exec_bin(setroubleshootd_t)
- corecmd_exec_shell(setroubleshootd_t)
-+corecmd_read_all_executables(setroubleshootd_t)
-
--corenet_all_recvfrom_unlabeled(setroubleshootd_t)
- corenet_all_recvfrom_netlabel(setroubleshootd_t)
- corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
- corenet_tcp_sendrecv_generic_node(setroubleshootd_t)
-@@ -74,17 +80,18 @@ dev_read_urand(setroubleshootd_t)
- dev_read_sysfs(setroubleshootd_t)
- dev_getattr_all_blk_files(setroubleshootd_t)
- dev_getattr_all_chr_files(setroubleshootd_t)
-+dev_getattr_mtrr_dev(setroubleshootd_t)
-
- domain_dontaudit_search_all_domains_state(setroubleshootd_t)
- domain_signull_all_domains(setroubleshootd_t)
-
- files_read_usr_files(setroubleshootd_t)
--files_read_etc_files(setroubleshootd_t)
- files_list_all(setroubleshootd_t)
- files_getattr_all_files(setroubleshootd_t)
- files_getattr_all_pipes(setroubleshootd_t)
- files_getattr_all_sockets(setroubleshootd_t)
- files_read_all_symlinks(setroubleshootd_t)
-+files_read_mnt_files(setroubleshootd_t)
-
- fs_getattr_all_dirs(setroubleshootd_t)
- fs_getattr_all_files(setroubleshootd_t)
-@@ -95,6 +102,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t)
-
- selinux_get_enforce_mode(setroubleshootd_t)
- selinux_validate_context(setroubleshootd_t)
-+selinux_read_policy(setroubleshootd_t)
-
- term_dontaudit_use_all_ptys(setroubleshootd_t)
- term_dontaudit_use_all_ttys(setroubleshootd_t)
-@@ -104,15 +112,15 @@ auth_use_nsswitch(setroubleshootd_t)
- init_read_utmp(setroubleshootd_t)
- init_dontaudit_write_utmp(setroubleshootd_t)
-
--miscfiles_read_localization(setroubleshootd_t)
-+libs_exec_ld_so(setroubleshootd_t)
-+
-
- locallogin_dontaudit_use_fds(setroubleshootd_t)
-
- logging_send_audit_msgs(setroubleshootd_t)
- logging_send_syslog_msg(setroubleshootd_t)
- logging_stream_connect_dispatcher(setroubleshootd_t)
--
--modutils_read_module_config(setroubleshootd_t)
-+logging_stream_connect_syslog(setroubleshootd_t)
-
- seutil_read_config(setroubleshootd_t)
- seutil_read_file_contexts(setroubleshootd_t)
-@@ -121,10 +129,27 @@ seutil_read_bin_policy(setroubleshootd_t)
- userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
-
- optional_policy(`
-+ abrt_dbus_chat(setroubleshootd_t)
-+')
-+
-+optional_policy(`
-+ locate_read_lib_files(setroubleshootd_t)
-+')
-+
-+optional_policy(`
-+ mock_getattr_lib(setroubleshootd_t)
-+')
-+
-+optional_policy(`
-+ modutils_read_module_config(setroubleshootd_t)
-+')
-+
-+optional_policy(`
- dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
- ')
-
- optional_policy(`
-+ rpm_exec(setroubleshootd_t)
- rpm_signull(setroubleshootd_t)
- rpm_read_db(setroubleshootd_t)
- rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -150,11 +175,16 @@ kernel_read_system_state(setroubleshoot_fixit_t)
-
- corecmd_exec_bin(setroubleshoot_fixit_t)
- corecmd_exec_shell(setroubleshoot_fixit_t)
-+corecmd_getattr_all_executables(setroubleshoot_fixit_t)
-+
-+dev_read_sysfs(setroubleshoot_fixit_t)
-+dev_read_urand(setroubleshoot_fixit_t)
-
- seutil_domtrans_setfiles(setroubleshoot_fixit_t)
-+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
-+seutil_read_module_store(setroubleshoot_fixit_t)
-
- files_read_usr_files(setroubleshoot_fixit_t)
--files_read_etc_files(setroubleshoot_fixit_t)
- files_list_tmp(setroubleshoot_fixit_t)
-
- auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -162,7 +192,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
- logging_send_audit_msgs(setroubleshoot_fixit_t)
- logging_send_syslog_msg(setroubleshoot_fixit_t)
-
--miscfiles_read_localization(setroubleshoot_fixit_t)
-+userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
-+userdom_signull_unpriv_users(setroubleshoot_fixit_t)
-+
-+optional_policy(`
-+ dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
-+')
-+
-+optional_policy(`
-+ gnome_dontaudit_search_config(setroubleshoot_fixit_t)
-+')
-
- optional_policy(`
- rpm_signull(setroubleshoot_fixit_t)
-diff --git a/sge.fc b/sge.fc
-new file mode 100644
-index 0000000..160ddc2
---- /dev/null
-+++ b/sge.fc
-@@ -0,0 +1,6 @@
-+
-+/usr/bin/sge_execd -- gen_context(system_u:object_r:sge_execd_exec_t,s0)
-+/usr/bin/sge_shepherd -- gen_context(system_u:object_r:sge_shepherd_exec_t,s0)
-+
-+/var/spool/gridengine(/.*)? gen_context(system_u:object_r:sge_spool_t,s0)
-+
-diff --git a/sge.if b/sge.if
-new file mode 100644
-index 0000000..c9d2d9c
---- /dev/null
-+++ b/sge.if
-@@ -0,0 +1,24 @@
-+## Policy for gridengine MPI jobs
-+
-+######################################
-+##
-+## Creates types and rules for a basic
-+## sge domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`sge_basic_types_template',`
-+ gen_require(`
-+ attribute sge_domain;
-+ ')
-+
-+ type $1_t, sge_domain;
-+ type $1_exec_t;
-+
-+ kernel_read_system_state($1_t)
-+')
-+
-diff --git a/sge.te b/sge.te
-new file mode 100644
-index 0000000..d43336f
---- /dev/null
-+++ b/sge.te
-@@ -0,0 +1,193 @@
-+policy_module(sge, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+##
-+##
-+## Allow sge to access nfs file systems.
-+##
-+##
-+gen_tunable(sge_use_nfs, false)
-+
-+##
-+##
-+## Allow sge to connect to the network using any TCP port
-+##
-+##
-+gen_tunable(sge_domain_can_network_connect, false)
-+
-+attribute sge_domain;
-+
-+sge_basic_types_template(sge_execd)
-+init_daemon_domain(sge_execd_t, sge_execd_exec_t)
-+
-+type sge_spool_t;
-+files_type(sge_spool_t)
-+
-+type sge_tmp_t;
-+files_tmp_file(sge_tmp_t)
-+
-+sge_basic_types_template(sge_shepherd)
-+application_domain(sge_shepherd_t, sge_shepherd_exec_t)
-+role system_r types sge_shepherd_t;
-+
-+sge_basic_types_template(sge_job)
-+application_domain(sge_job_t, sge_job_exec_t)
-+corecmd_shell_entry_type(sge_job_t)
-+role system_r types sge_job_t;
-+
-+#######################################
-+#
-+# sge_execd local policy
-+#
-+
-+allow sge_execd_t self:capability { dac_override setuid chown setgid };
-+allow sge_execd_t self:process { setsched signal setpgid };
-+
-+allow sge_execd_t sge_shepherd_t:process signal;
-+
-+kernel_read_kernel_sysctls(sge_execd_t)
-+
-+dev_read_sysfs(sge_execd_t)
-+
-+files_exec_usr_files(sge_execd_t)
-+files_search_spool(sge_execd_t)
-+
-+fs_getattr_xattr_fs(sge_execd_t)
-+
-+auth_use_nsswitch(sge_execd_t)
-+
-+logging_send_syslog_msg(sge_execd_t)
-+
-+init_read_utmp(sge_execd_t)
-+
-+optional_policy(`
-+ sendmail_domtrans(sge_execd_t)
-+')
-+
-+######################################
-+#
-+# sge_shepherd local policy
-+#
-+
-+allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_override };
-+allow sge_shepherd_t self:process { setsched setrlimit setpgid };
-+allow sge_shepherd_t self:process signal_perms;
-+
-+domtrans_pattern(sge_execd_t, sge_shepherd_exec_t, sge_shepherd_t)
-+
-+kernel_read_sysctl(sge_shepherd_t)
-+kernel_read_kernel_sysctls(sge_shepherd_t)
-+
-+dev_read_sysfs(sge_shepherd_t)
-+
-+fs_getattr_all_fs(sge_shepherd_t)
-+
-+logging_send_syslog_msg(sge_shepherd_t)
-+
-+optional_policy(`
-+ mta_send_mail(sge_shepherd_t)
-+')
-+
-+optional_policy(`
-+ ssh_domtrans(sge_shepherd_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(sge_shepherd_t)
-+')
-+
-+#####################################
-+#
-+# sge_job local policy
-+#
-+
-+allow sge_shepherd_t sge_job_t:process signal_perms;
-+
-+corecmd_shell_domtrans(sge_shepherd_t, sge_job_t)
-+
-+kernel_read_kernel_sysctls(sge_job_t)
-+
-+term_use_all_terms(sge_job_t)
-+
-+logging_send_syslog_msg(sge_job_t)
-+
-+optional_policy(`
-+ ssh_basic_client_template(sge_job, sge_job_t, system_r)
-+ ssh_domtrans(sge_job_t)
-+
-+ allow sge_job_t sge_job_ssh_t:process sigkill;
-+ allow sge_shepherd_t sge_job_ssh_t:process sigkill;
-+
-+ xserver_exec_xauth(sge_job_ssh_t)
-+
-+ tunable_policy(`sge_use_nfs',`
-+ fs_list_auto_mountpoints(sge_job_ssh_t)
-+ fs_manage_nfs_dirs(sge_job_ssh_t)
-+ fs_manage_nfs_files(sge_job_ssh_t)
-+ fs_read_nfs_symlinks(sge_job_ssh_t)
-+ ')
-+ ')
-+
-+optional_policy(`
-+ xserver_domtrans_xauth(sge_job_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(sge_job_t)
-+')
-+
-+#####################################
-+#
-+# sge_domain local policy
-+#
-+
-+allow sge_domain self:fifo_file rw_fifo_file_perms;
-+allow sge_domain self:tcp_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(sge_domain, sge_spool_t, sge_spool_t)
-+manage_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
-+manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
-+
-+manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
-+manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
-+files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir })
-+
-+kernel_read_network_state(sge_domain)
-+
-+corecmd_exec_bin(sge_domain)
-+corecmd_exec_shell(sge_domain)
-+
-+domain_read_all_domains_state(sge_domain)
-+
-+files_read_etc_files(sge_domain)
-+files_read_usr_files(sge_domain)
-+
-+dev_read_urand(sge_domain)
-+
-+tunable_policy(`sge_domain_can_network_connect',`
-+ corenet_tcp_connect_all_ports(sge_domain)
-+')
-+
-+tunable_policy(`sge_use_nfs',`
-+ fs_list_auto_mountpoints(sge_domain)
-+ fs_manage_nfs_dirs(sge_domain)
-+ fs_manage_nfs_files(sge_domain)
-+ fs_read_nfs_symlinks(sge_domain)
-+ fs_exec_nfs_files(sge_domain)
-+')
-+
-+optional_policy(`
-+ sysnet_dns_name_resolve(sge_domain)
-+')
-+
-+optional_policy(`
-+ hostname_exec(sge_domain)
-+')
-+
-+optional_policy(`
-+ nslcd_stream_connect(sge_domain)
-+')
-diff --git a/shorewall.fc b/shorewall.fc
-index 48d1363..4a5b930 100644
---- a/shorewall.fc
-+++ b/shorewall.fc
-@@ -7,6 +7,9 @@
- /sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
- /sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
-
-+/usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
-+/usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
-+
- /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
- /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
- /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
-diff --git a/shorewall.if b/shorewall.if
-index 781ad7e..d5ce40a 100644
---- a/shorewall.if
-+++ b/shorewall.if
-@@ -55,28 +55,9 @@ interface(`shorewall_read_config',`
- read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
- ')
-
--#######################################
--##
--## Read shorewall PID files.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`shorewall_read_pid_files',`
-- gen_require(`
-- type shorewall_var_run_t;
-- ')
--
-- files_search_pids($1)
-- read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
--')
--
--#######################################
-+######################################
- ##
--## Read and write shorewall PID files.
-+## Read shorewall /var/lib files.
- ##
- ##
- ##
-@@ -84,28 +65,9 @@ interface(`shorewall_read_pid_files',`
- ##
- ##
- #
--interface(`shorewall_rw_pid_files',`
-- gen_require(`
-- type shorewall_var_run_t;
-- ')
--
-- files_search_pids($1)
-- rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
--')
--
--######################################
--##
--## Read shorewall /var/lib files.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
- interface(`shorewall_read_lib_files',`
- gen_require(`
-- type shorewall_t;
-+ type shorewall_var_lib_t;
- ')
-
- files_search_var_lib($1)
-@@ -177,8 +139,11 @@ interface(`shorewall_admin',`
- type shorewall_tmp_t, shorewall_etc_t;
- ')
-
-- allow $1 shorewall_t:process { ptrace signal_perms };
-+ allow $1 shorewall_t:process signal_perms;
- ps_process_pattern($1, shorewall_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 shorewall_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/shorewall.te b/shorewall.te
-index 4723c6b..c55fcaa 100644
---- a/shorewall.te
-+++ b/shorewall.te
-@@ -37,9 +37,10 @@ logging_log_file(shorewall_log_t)
- # shorewall local policy
- #
-
--allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
-+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice };
- dontaudit shorewall_t self:capability sys_tty_config;
- allow shorewall_t self:fifo_file rw_fifo_file_perms;
-+allow shorewall_t self:netlink_socket create_socket_perms;
-
- read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
- list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
-@@ -59,6 +60,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
- manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
- manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
- files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
-+allow shorewall_t shorewall_var_lib_t:file entrypoint;
-+
-+allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
-
- allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
-
-@@ -70,12 +74,12 @@ kernel_rw_net_sysctls(shorewall_t)
- corecmd_exec_bin(shorewall_t)
- corecmd_exec_shell(shorewall_t)
-
-+dev_read_sysfs(shorewall_t)
- dev_read_urand(shorewall_t)
-
- domain_read_all_domains_state(shorewall_t)
-
- files_getattr_kernel_modules(shorewall_t)
--files_read_etc_files(shorewall_t)
- files_read_usr_files(shorewall_t)
- files_search_kernel_modules(shorewall_t)
-
-@@ -83,13 +87,20 @@ fs_getattr_all_fs(shorewall_t)
-
- init_rw_utmp(shorewall_t)
-
-+logging_read_generic_logs(shorewall_t)
- logging_send_syslog_msg(shorewall_t)
-
--miscfiles_read_localization(shorewall_t)
-+auth_use_nsswitch(shorewall_t)
-
- sysnet_domtrans_ifconfig(shorewall_t)
-
--userdom_dontaudit_list_user_home_dirs(shorewall_t)
-+userdom_dontaudit_list_admin_dir(shorewall_t)
-+userdom_use_inherited_user_ttys(shorewall_t)
-+userdom_use_inherited_user_ptys(shorewall_t)
-+
-+optional_policy(`
-+ brctl_domtrans(shorewall_t)
-+')
-
- optional_policy(`
- hostname_exec(shorewall_t)
-diff --git a/shutdown.fc b/shutdown.fc
-index 97671a3..e317fbe 100644
---- a/shutdown.fc
-+++ b/shutdown.fc
-@@ -2,6 +2,10 @@
-
- /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
--/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
--/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
-+/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+
-+/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+
-+/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
-diff --git a/shutdown.if b/shutdown.if
-index d0604cf..b66057c 100644
---- a/shutdown.if
-+++ b/shutdown.if
-@@ -18,9 +18,18 @@ interface(`shutdown_domtrans',`
- corecmd_search_bin($1)
- domtrans_pattern($1, shutdown_exec_t, shutdown_t)
-
-+ init_reboot($1)
-+ init_halt($1)
-+
-+ optional_policy(`
-+ systemd_exec_systemctl($1)
-+ init_stream_connect($1)
-+ systemd_login_reboot($1)
-+ systemd_login_halt($1)
-+ ')
-+
- ifdef(`hide_broken_symptoms', `
-- dontaudit shutdown_t $1:socket_class_set { read write };
-- dontaudit shutdown_t $1:fifo_file { read write };
-+ dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
- ')
- ')
-
-@@ -51,6 +60,73 @@ interface(`shutdown_run',`
-
- ########################################
- ##
-+## Role access for shutdown
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+interface(`shutdown_role',`
-+ gen_require(`
-+ type shutdown_t;
-+ ')
-+
-+ role $1 types shutdown_t;
-+
-+ shutdown_domtrans($2)
-+
-+ ps_process_pattern($2, shutdown_t)
-+ allow $2 shutdown_t:process signal;
-+')
-+
-+########################################
-+##
-+## Recieve sigchld from shutdown
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`shutdown_send_sigchld',`
-+ gen_require(`
-+ type shutdown_t;
-+ ')
-+
-+ allow shutdown_t $1:process signal;
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## shutdown over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`shutdown_dbus_chat',`
-+ gen_require(`
-+ type shutdown_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 shutdown_t:dbus send_msg;
-+ allow shutdown_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
- ## Get attributes of shutdown executable.
- ##
- ##
-diff --git a/shutdown.te b/shutdown.te
-index 8966ec9..2a52a13 100644
---- a/shutdown.te
-+++ b/shutdown.te
-@@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0)
-
- type shutdown_t;
- type shutdown_exec_t;
-+init_system_domain(shutdown_t, shutdown_exec_t)
- application_domain(shutdown_t, shutdown_exec_t)
- role system_r types shutdown_t;
-
-@@ -21,8 +22,8 @@ files_pid_file(shutdown_var_run_t)
- # shutdown local policy
- #
-
--allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
--allow shutdown_t self:process { fork signal signull };
-+allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config };
-+allow shutdown_t self:process { fork setsched signal signull };
-
- allow shutdown_t self:fifo_file manage_fifo_file_perms;
- allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
-@@ -33,25 +34,31 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
- manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
- files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
-
-+kernel_read_system_state(shutdown_t)
-+
- domain_use_interactive_fds(shutdown_t)
-
--files_read_etc_files(shutdown_t)
- files_read_generic_pids(shutdown_t)
-+files_delete_boot_flag(shutdown_t)
-+
-+mls_file_write_to_clearance(shutdown_t)
-
--term_use_all_terms(shutdown_t)
-+term_use_all_inherited_terms(shutdown_t)
-
- auth_use_nsswitch(shutdown_t)
- auth_write_login_records(shutdown_t)
-
--init_dontaudit_write_utmp(shutdown_t)
--init_read_utmp(shutdown_t)
-+init_rw_utmp(shutdown_t)
- init_stream_connect(shutdown_t)
- init_telinit(shutdown_t)
-
- logging_search_logs(shutdown_t)
- logging_send_audit_msgs(shutdown_t)
-
--miscfiles_read_localization(shutdown_t)
-+
-+optional_policy(`
-+ cron_system_entry(shutdown_t, shutdown_exec_t)
-+')
-
- optional_policy(`
- dbus_system_bus_client(shutdown_t)
-@@ -59,5 +66,15 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ oddjob_dontaudit_rw_fifo_file(shutdown_t)
-+ oddjob_sigchld(shutdown_t)
-+')
-+
-+optional_policy(`
-+ rhev_sigchld_agentd(shutdown_t)
-+')
-+
-+optional_policy(`
- xserver_dontaudit_write_log(shutdown_t)
-+ xserver_xdm_append_log(shutdown_t)
- ')
-diff --git a/slocate.te b/slocate.te
-index a225c02..b76ed92 100644
---- a/slocate.te
-+++ b/slocate.te
-@@ -43,7 +43,6 @@ files_getattr_all_files(locate_t)
- files_getattr_all_pipes(locate_t)
- files_getattr_all_sockets(locate_t)
- files_read_etc_runtime_files(locate_t)
--files_read_etc_files(locate_t)
-
- fs_getattr_all_fs(locate_t)
- fs_getattr_all_files(locate_t)
-@@ -58,7 +57,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
- # getpwnam
- auth_use_nsswitch(locate_t)
-
--miscfiles_read_localization(locate_t)
-
- ifdef(`enable_mls',`
- # On MLS machines will not be allowed to getattr Anything but SystemLow
-diff --git a/slpd.fc b/slpd.fc
-new file mode 100644
-index 0000000..5064a4a
---- /dev/null
-+++ b/slpd.fc
-@@ -0,0 +1,7 @@
-+/etc/rc\.d/init\.d/slpd -- gen_context(system_u:object_r:slpd_initrc_exec_t,s0)
-+
-+/usr/sbin/slpd -- gen_context(system_u:object_r:slpd_exec_t,s0)
-+
-+/var/log/slpd\.log -- gen_context(system_u:object_r:slpd_var_log_t,s0)
-+
-+/var/run/slpd\.pid -- gen_context(system_u:object_r:slpd_var_run_t,s0)
-diff --git a/slpd.if b/slpd.if
-new file mode 100644
-index 0000000..75931f8
---- /dev/null
-+++ b/slpd.if
-@@ -0,0 +1,75 @@
-+
-+## OpenSLP server daemon to dynamically register services.
-+
-+########################################
-+##
-+## Transition to slpd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`slpd_domtrans',`
-+ gen_require(`
-+ type slpd_t, slpd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, slpd_exec_t, slpd_t)
-+')
-+
-+########################################
-+##
-+## Execute slpd server in the slpd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`slpd_initrc_domtrans',`
-+ gen_require(`
-+ type slpd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, slpd_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an slpd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`slpd_admin',`
-+ gen_require(`
-+ type slpd_t;
-+ type slpd_initrc_exec_t;
-+ ')
-+
-+ allow $1 slpd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, slpd_t)
-+
-+ slpd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 slpd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/slpd.te b/slpd.te
-new file mode 100644
-index 0000000..cd475d6
---- /dev/null
-+++ b/slpd.te
-@@ -0,0 +1,52 @@
-+policy_module(slpd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type slpd_t;
-+type slpd_exec_t;
-+init_daemon_domain(slpd_t, slpd_exec_t)
-+
-+type slpd_initrc_exec_t;
-+init_script_file(slpd_initrc_exec_t)
-+
-+type slpd_var_log_t;
-+logging_log_file(slpd_var_log_t)
-+
-+type slpd_var_run_t;
-+files_pid_file(slpd_var_run_t)
-+
-+########################################
-+#
-+# slpd local policy
-+#
-+
-+allow slpd_t self:capability { kill setgid setuid };
-+allow slpd_t self:process { fork signal };
-+allow slpd_t self:fifo_file rw_fifo_file_perms;
-+allow slpd_t self:tcp_socket { create_socket_perms listen };
-+allow slpd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(slpd_t, slpd_var_log_t, slpd_var_log_t)
-+logging_log_filetrans(slpd_t, slpd_var_log_t, { file })
-+
-+manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t)
-+files_pid_filetrans(slpd_t, slpd_var_run_t, { file })
-+
-+corenet_all_recvfrom_netlabel(slpd_t)
-+corenet_tcp_bind_generic_node(slpd_t)
-+corenet_udp_bind_generic_node(slpd_t)
-+corenet_tcp_bind_all_ports(slpd_t)
-+corenet_udp_bind_all_ports(slpd_t)
-+
-+dev_read_urand(slpd_t)
-+
-+domain_use_interactive_fds(slpd_t)
-+
-+files_read_etc_files(slpd_t)
-+
-+auth_use_nsswitch(slpd_t)
-+
-+sysnet_dns_name_resolve(slpd_t)
-diff --git a/slrnpull.te b/slrnpull.te
-index e5e72fd..84936ca 100644
---- a/slrnpull.te
-+++ b/slrnpull.te
-@@ -13,7 +13,7 @@ type slrnpull_var_run_t;
- files_pid_file(slrnpull_var_run_t)
-
- type slrnpull_spool_t;
--files_type(slrnpull_spool_t)
-+files_spool_file(slrnpull_spool_t)
-
- type slrnpull_log_t;
- logging_log_file(slrnpull_log_t)
-@@ -52,8 +52,6 @@ fs_search_auto_mountpoints(slrnpull_t)
-
- logging_send_syslog_msg(slrnpull_t)
-
--miscfiles_read_localization(slrnpull_t)
--
- userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
- userdom_dontaudit_search_user_home_dirs(slrnpull_t)
-
-diff --git a/smartmon.if b/smartmon.if
-index adea9f9..f5dd0fe 100644
---- a/smartmon.if
-+++ b/smartmon.if
-@@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',`
- type fsdaemon_tmp_t;
- ')
-
-+ files_search_tmp($1)
- allow $1 fsdaemon_tmp_t:file read_file_perms;
- ')
-
-@@ -41,8 +42,11 @@ interface(`smartmon_admin',`
- type fsdaemon_initrc_exec_t;
- ')
-
-- allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
-+ allow $1 fsdaemon_t:process signal_perms;
- ps_process_pattern($1, fsdaemon_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 fsdaemon_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/smartmon.te b/smartmon.te
-index 6b3322b..c955ccc 100644
---- a/smartmon.te
-+++ b/smartmon.te
-@@ -1,4 +1,4 @@
--policy_module(smartmon, 1.11.0)
-+policy_module(smartmon, 1.14.0)
-
- ########################################
- #
-@@ -35,7 +35,7 @@ ifdef(`enable_mls',`
- # Local policy
- #
-
--allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin };
-+allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };
- dontaudit fsdaemon_t self:capability sys_tty_config;
- allow fsdaemon_t self:process { getcap setcap signal_perms };
- allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
-@@ -52,12 +52,12 @@ manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t)
- files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file)
-
- kernel_read_kernel_sysctls(fsdaemon_t)
-+kernel_read_network_state(fsdaemon_t)
- kernel_read_software_raid_state(fsdaemon_t)
- kernel_read_system_state(fsdaemon_t)
-
- corecmd_exec_all_executables(fsdaemon_t)
-
--corenet_all_recvfrom_unlabeled(fsdaemon_t)
- corenet_all_recvfrom_netlabel(fsdaemon_t)
- corenet_udp_sendrecv_generic_if(fsdaemon_t)
- corenet_udp_sendrecv_generic_node(fsdaemon_t)
-@@ -73,26 +73,36 @@ files_read_etc_runtime_files(fsdaemon_t)
- files_read_usr_files(fsdaemon_t)
- # for config
- files_read_etc_files(fsdaemon_t)
-+files_read_usr_files(fsdaemon_t)
-
- fs_getattr_all_fs(fsdaemon_t)
- fs_search_auto_mountpoints(fsdaemon_t)
-+fs_read_removable_files(fsdaemon_t)
-
- mls_file_read_all_levels(fsdaemon_t)
- #mls_rangetrans_target(fsdaemon_t)
-
-+storage_create_fixed_disk_dev(fsdaemon_t)
-+storage_dev_filetrans_named_fixed_disk(fsdaemon_t)
- storage_raw_read_fixed_disk(fsdaemon_t)
- storage_raw_write_fixed_disk(fsdaemon_t)
- storage_raw_read_removable_device(fsdaemon_t)
-+storage_read_scsi_generic(fsdaemon_t)
-+storage_write_scsi_generic(fsdaemon_t)
-
- term_dontaudit_search_ptys(fsdaemon_t)
-
-+application_signull(fsdaemon_t)
-+
-+auth_read_passwd(fsdaemon_t)
-+
-+init_read_utmp(fsdaemon_t)
-+
- libs_exec_ld_so(fsdaemon_t)
- libs_exec_lib_files(fsdaemon_t)
-
- logging_send_syslog_msg(fsdaemon_t)
-
--miscfiles_read_localization(fsdaemon_t)
--
- seutil_sigchld_newrole(fsdaemon_t)
-
- sysnet_dns_name_resolve(fsdaemon_t)
-diff --git a/smokeping.if b/smokeping.if
-index 8265278..017b923 100644
---- a/smokeping.if
-+++ b/smokeping.if
-@@ -153,8 +153,11 @@ interface(`smokeping_admin',`
- type smokeping_t, smokeping_initrc_exec_t;
- ')
-
-- allow $1 smokeping_t:process { ptrace signal_perms };
-+ allow $1 smokeping_t:process signal_perms;
- ps_process_pattern($1, smokeping_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 smokeping_t:process ptrace;
-+ ')
-
- smokeping_initrc_domtrans($1)
- domain_system_change_exemption($1)
-diff --git a/smokeping.te b/smokeping.te
-index 740994a..4bfc780 100644
---- a/smokeping.te
-+++ b/smokeping.te
-@@ -36,11 +36,10 @@ manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
- manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
- files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } )
-
--corecmd_read_bin_symlinks(smokeping_t)
-+corecmd_exec_bin(smokeping_t)
-
- dev_read_urand(smokeping_t)
-
--files_read_etc_files(smokeping_t)
- files_read_usr_files(smokeping_t)
- files_search_tmp(smokeping_t)
-
-@@ -49,8 +48,6 @@ auth_dontaudit_read_shadow(smokeping_t)
-
- logging_send_syslog_msg(smokeping_t)
-
--miscfiles_read_localization(smokeping_t)
--
- mta_send_mail(smokeping_t)
-
- netutils_domtrans_ping(smokeping_t)
-@@ -73,5 +70,9 @@ optional_policy(`
- files_search_tmp(httpd_smokeping_cgi_script_t)
- files_search_var_lib(httpd_smokeping_cgi_script_t)
-
-+ auth_read_passwd(httpd_smokeping_cgi_script_t)
-+
- sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
-+
-+ netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
- ')
-diff --git a/smoltclient.te b/smoltclient.te
-index bc00875..7dd4e53 100644
---- a/smoltclient.te
-+++ b/smoltclient.te
-@@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0)
- type smoltclient_t;
- type smoltclient_exec_t;
- application_domain(smoltclient_t, smoltclient_exec_t)
--cron_system_entry(smoltclient_t, smoltclient_exec_t)
-
- type smoltclient_tmp_t;
- files_tmp_file(smoltclient_tmp_t)
-@@ -39,20 +38,29 @@ corecmd_exec_shell(smoltclient_t)
- corenet_tcp_connect_http_port(smoltclient_t)
-
- dev_read_sysfs(smoltclient_t)
-+dev_read_urand(smoltclient_t)
-
- fs_getattr_all_fs(smoltclient_t)
- fs_getattr_all_dirs(smoltclient_t)
- fs_list_auto_mountpoints(smoltclient_t)
-
- files_getattr_generic_locks(smoltclient_t)
--files_read_etc_files(smoltclient_t)
-+files_read_etc_runtime_files(smoltclient_t)
- files_read_usr_files(smoltclient_t)
-
- auth_use_nsswitch(smoltclient_t)
-
- logging_send_syslog_msg(smoltclient_t)
-
--miscfiles_read_localization(smoltclient_t)
-+miscfiles_read_hwdata(smoltclient_t)
-+
-+optional_policy(`
-+ abrt_stream_connect(smoltclient_t)
-+')
-+
-+optional_policy(`
-+ cron_system_entry(smoltclient_t, smoltclient_exec_t)
-+')
-
- optional_policy(`
- dbus_system_bus_client(smoltclient_t)
-diff --git a/smsd.fc b/smsd.fc
-new file mode 100644
-index 0000000..4c3fcec
---- /dev/null
-+++ b/smsd.fc
-@@ -0,0 +1,11 @@
-+/etc/rc\.d/init\.d/smsd -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
-+
-+/usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
-+
-+/var/lib/smstools(/.*)? gen_context(system_u:object_r:smsd_var_lib_t,s0)
-+
-+/var/log/smsd(/.*)? gen_context(system_u:object_r:smsd_log_t,s0)
-+
-+/var/run/smsd(/.*)? gen_context(system_u:object_r:smsd_var_run_t,s0)
-+
-+/var/spool/sms(/.*)? gen_context(system_u:object_r:smsd_spool_t,s0)
-diff --git a/smsd.if b/smsd.if
-new file mode 100644
-index 0000000..6db3f07
---- /dev/null
-+++ b/smsd.if
-@@ -0,0 +1,241 @@
-+
-+## The SMS Server Tools are made to send and receive short messages through GSM modems. It supports easy file interfaces and it can run external programs for automatic actions.
-+
-+########################################
-+##
-+## Execute smsd in the smsd domin.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`smsd_domtrans',`
-+ gen_require(`
-+ type smsd_t, smsd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, smsd_exec_t, smsd_t)
-+')
-+
-+########################################
-+##
-+## Execute smsd server in the smsd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`smsd_initrc_domtrans',`
-+ gen_require(`
-+ type smsd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, smsd_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Read smsd's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`smsd_read_log',`
-+ gen_require(`
-+ type smsd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, smsd_log_t, smsd_log_t)
-+')
-+
-+########################################
-+##
-+## Append to smsd log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`smsd_append_log',`
-+ gen_require(`
-+ type smsd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, smsd_log_t, smsd_log_t)
-+')
-+
-+########################################
-+##
-+## Manage smsd log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`smsd_manage_log',`
-+ gen_require(`
-+ type smsd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, smsd_log_t, smsd_log_t)
-+ manage_files_pattern($1, smsd_log_t, smsd_log_t)
-+ manage_lnk_files_pattern($1, smsd_log_t, smsd_log_t)
-+')
-+########################################
-+##
-+## Read smsd PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`smsd_read_pid_files',`
-+ gen_require(`
-+ type smsd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, smsd_var_run_t, smsd_var_run_t)
-+')
-+
-+########################################
-+##
-+## Search smsd spool directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`smsd_search_spool',`
-+ gen_require(`
-+ type smsd_spool_t;
-+ ')
-+
-+ allow $1 smsd_spool_t:dir search_dir_perms;
-+ files_search_spool($1)
-+')
-+
-+########################################
-+##
-+## Read smsd spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`smsd_read_spool_files',`
-+ gen_require(`
-+ type smsd_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ read_files_pattern($1, smsd_spool_t, smsd_spool_t)
-+')
-+
-+########################################
-+##
-+## Manage smsd spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`smsd_manage_spool_files',`
-+ gen_require(`
-+ type smsd_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ manage_files_pattern($1, smsd_spool_t, smsd_spool_t)
-+')
-+
-+########################################
-+##
-+## Manage smsd spool dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`smsd_manage_spool_dirs',`
-+ gen_require(`
-+ type smsd_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ manage_dirs_pattern($1, smsd_spool_t, smsd_spool_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an smsd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`smsd_admin',`
-+ gen_require(`
-+ type smsd_t;
-+ type smsd_initrc_exec_t;
-+ type smsd_log_t;
-+ type smsd_var_run_t;
-+ type smsd_spool_t;
-+ ')
-+
-+ allow $1 smsd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, smsd_t)
-+
-+ smsd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 smsd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, smsd_log_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, smsd_var_run_t)
-+
-+ files_search_spool($1)
-+ admin_pattern($1, smsd_spool_t)
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/smsd.te b/smsd.te
-new file mode 100644
-index 0000000..4e822e5
---- /dev/null
-+++ b/smsd.te
-@@ -0,0 +1,74 @@
-+policy_module(smsd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type smsd_t;
-+type smsd_exec_t;
-+init_daemon_domain(smsd_t, smsd_exec_t)
-+
-+type smsd_initrc_exec_t;
-+init_script_file(smsd_initrc_exec_t)
-+
-+type smsd_log_t;
-+logging_log_file(smsd_log_t)
-+
-+type smsd_var_lib_t;
-+files_type(smsd_var_lib_t)
-+
-+type smsd_var_run_t;
-+files_pid_file(smsd_var_run_t)
-+
-+type smsd_spool_t;
-+files_type(smsd_spool_t)
-+
-+type smsd_tmp_t;
-+files_tmp_file(smsd_tmp_t)
-+
-+########################################
-+#
-+# smsd local policy
-+#
-+
-+allow smsd_t self:capability { kill setgid setuid };
-+allow smsd_t self:process { fork signal };
-+allow smsd_t self:fifo_file rw_fifo_file_perms;
-+allow smsd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(smsd_t, smsd_log_t, smsd_log_t)
-+manage_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
-+manage_lnk_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
-+logging_log_filetrans(smsd_t, smsd_log_t, { dir })
-+
-+manage_dirs_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
-+manage_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
-+manage_lnk_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
-+
-+manage_dirs_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
-+manage_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
-+manage_lnk_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
-+files_pid_filetrans(smsd_t, smsd_var_run_t, { dir })
-+
-+manage_dirs_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
-+manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
-+manage_lnk_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
-+files_spool_filetrans(smsd_t, smsd_spool_t, { dir })
-+
-+manage_dirs_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t)
-+manage_files_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t)
-+files_tmp_filetrans(smsd_t, smsd_tmp_t, { file dir })
-+
-+kernel_read_system_state(smsd_t)
-+kernel_read_kernel_sysctls(smsd_t)
-+
-+corecmd_exec_shell(smsd_t)
-+
-+files_read_etc_files(smsd_t)
-+
-+auth_use_nsswitch(smsd_t)
-+
-+logging_send_syslog_msg(smsd_t)
-+
-+sysnet_dns_name_resolve(smsd_t)
-diff --git a/snmp.fc b/snmp.fc
-index 623c8fa..1ef62d0 100644
---- a/snmp.fc
-+++ b/snmp.fc
-@@ -16,9 +16,10 @@
- /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
- /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
-
--/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0)
-+/var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0)
-
--/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0)
-+/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
-
-+/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
- /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
- /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
-diff --git a/snmp.if b/snmp.if
-index 275f9fb..f1343b7 100644
---- a/snmp.if
-+++ b/snmp.if
-@@ -11,12 +11,12 @@
- ##
- #
- interface(`snmp_stream_connect',`
-- gen_require(`
-+ gen_require(`
- type snmpd_t, snmpd_var_lib_t;
-- ')
-+ ')
-
-- files_search_var_lib($1)
-- stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
-+ files_search_var_lib($1)
-+ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
- ')
-
- ########################################
-@@ -62,11 +62,70 @@ interface(`snmp_read_snmp_var_lib_files',`
- type snmpd_var_lib_t;
- ')
-
-+ files_search_var_lib($1)
- allow $1 snmpd_var_lib_t:dir list_dir_perms;
- read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
- read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
- ')
-
-+#######################################
-+##
-+## Read snmpd libraries directories
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`snmp_read_snmp_var_lib_dirs',`
-+ gen_require(`
-+ type snmpd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Manage snmpd libraries directories
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`snmp_manage_var_lib_dirs',`
-+ gen_require(`
-+ type snmpd_var_lib_t;
-+ ')
-+
-+ allow $1 snmpd_var_lib_t:dir manage_dir_perms;
-+ files_var_lib_filetrans($1, snmpd_var_lib_t, dir)
-+')
-+
-+########################################
-+##
-+## Manage snmpd libraries.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`snmp_manage_var_lib_files',`
-+ gen_require(`
-+ type snmpd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
-+ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
-+')
-+
- ########################################
- ##
- ## dontaudit Read snmpd libraries.
-@@ -81,9 +140,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
- gen_require(`
- type snmpd_var_lib_t;
- ')
-+
- dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
- dontaudit $1 snmpd_var_lib_t:file read_file_perms;
-- dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
-+ dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -123,13 +183,15 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
- #
- interface(`snmp_admin',`
- gen_require(`
-- type snmpd_t, snmpd_log_t;
-+ type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
- type snmpd_var_lib_t, snmpd_var_run_t;
-- type snmpd_initrc_exec_t;
- ')
-
-- allow $1 snmpd_t:process { ptrace signal_perms getattr };
-+ allow $1 snmpd_t:process signal_perms;
- ps_process_pattern($1, snmpd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 snmpd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/snmp.te b/snmp.te
-index 56f074c..4909ce8 100644
---- a/snmp.te
-+++ b/snmp.te
-@@ -4,6 +4,7 @@ policy_module(snmp, 1.13.0)
- #
- # Declarations
- #
-+
- type snmpd_t;
- type snmpd_exec_t;
- init_daemon_domain(snmpd_t, snmpd_exec_t)
-@@ -24,12 +25,14 @@ files_type(snmpd_var_lib_t)
- #
- # Local policy
- #
--allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
-+
-+allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
-+
- dontaudit snmpd_t self:capability { sys_module sys_tty_config };
- allow snmpd_t self:process { signal_perms getsched setsched };
- allow snmpd_t self:fifo_file rw_fifo_file_perms;
- allow snmpd_t self:unix_dgram_socket create_socket_perms;
--allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
-+allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow snmpd_t self:tcp_socket create_stream_socket_perms;
- allow snmpd_t self:udp_socket connected_stream_socket_perms;
-
-@@ -41,23 +44,23 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
- manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
- files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
- files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
--files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file)
-+files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file })
-
-+manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
- manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
--files_pid_filetrans(snmpd_t, snmpd_var_run_t, file)
-+files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir })
-
- kernel_read_device_sysctls(snmpd_t)
- kernel_read_kernel_sysctls(snmpd_t)
- kernel_read_fs_sysctls(snmpd_t)
- kernel_read_net_sysctls(snmpd_t)
--kernel_read_proc_symlinks(snmpd_t)
--kernel_read_system_state(snmpd_t)
- kernel_read_network_state(snmpd_t)
-+kernel_read_proc_symlinks(snmpd_t)
-+kernel_read_all_proc(snmpd_t)
-
- corecmd_exec_bin(snmpd_t)
- corecmd_exec_shell(snmpd_t)
-
--corenet_all_recvfrom_unlabeled(snmpd_t)
- corenet_all_recvfrom_netlabel(snmpd_t)
- corenet_tcp_sendrecv_generic_if(snmpd_t)
- corenet_udp_sendrecv_generic_if(snmpd_t)
-@@ -73,6 +76,7 @@ corenet_sendrecv_snmp_server_packets(snmpd_t)
- corenet_tcp_connect_agentx_port(snmpd_t)
- corenet_tcp_bind_agentx_port(snmpd_t)
- corenet_udp_bind_agentx_port(snmpd_t)
-+corenet_tcp_connect_snmp_port(snmpd_t)
-
- dev_list_sysfs(snmpd_t)
- dev_read_sysfs(snmpd_t)
-@@ -83,10 +87,8 @@ dev_getattr_usbfs_dirs(snmpd_t)
- domain_use_interactive_fds(snmpd_t)
- domain_signull_all_domains(snmpd_t)
- domain_read_all_domains_state(snmpd_t)
--domain_dontaudit_ptrace_all_domains(snmpd_t)
- domain_exec_all_entry_files(snmpd_t)
-
--files_read_etc_files(snmpd_t)
- files_read_usr_files(snmpd_t)
- files_read_etc_runtime_files(snmpd_t)
- files_search_home(snmpd_t)
-@@ -94,28 +96,28 @@ files_search_home(snmpd_t)
- fs_getattr_all_dirs(snmpd_t)
- fs_getattr_all_fs(snmpd_t)
- fs_search_auto_mountpoints(snmpd_t)
-+files_search_all_mountpoints(snmpd_t)
-
- storage_dontaudit_read_fixed_disk(snmpd_t)
- storage_dontaudit_read_removable_device(snmpd_t)
-+storage_dontaudit_write_removable_device(snmpd_t)
-
- auth_use_nsswitch(snmpd_t)
--files_list_non_auth_dirs(snmpd_t)
-+files_list_all(snmpd_t)
-
- init_read_utmp(snmpd_t)
- init_dontaudit_write_utmp(snmpd_t)
-+# need write to /var/run/systemd/notify
-+init_write_pid_socket(snmpd_t)
-
- logging_send_syslog_msg(snmpd_t)
-
--miscfiles_read_localization(snmpd_t)
--
--seutil_dontaudit_search_config(snmpd_t)
--
- sysnet_read_config(snmpd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
- userdom_dontaudit_search_user_home_dirs(snmpd_t)
-
--ifdef(`distro_redhat', `
-+ifdef(`distro_redhat',`
- optional_policy(`
- rpm_read_db(snmpd_t)
- rpm_dontaudit_manage_db(snmpd_t)
-@@ -131,6 +133,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ corosync_stream_connect(snmpd_t)
-+')
-+
-+optional_policy(`
- cups_read_rw_config(snmpd_t)
- ')
-
-@@ -140,6 +146,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ ricci_stream_connect_modclusterd(snmpd_t)
-+')
-+
-+optional_policy(`
- rpc_search_nfs_state_data(snmpd_t)
- ')
-
-diff --git a/snort.if b/snort.if
-index c117e8b..0eb909b 100644
---- a/snort.if
-+++ b/snort.if
-@@ -41,8 +41,11 @@ interface(`snort_admin',`
- type snort_etc_t, snort_initrc_exec_t;
- ')
-
-- allow $1 snort_t:process { ptrace signal_perms };
-+ allow $1 snort_t:process signal_perms;
- ps_process_pattern($1, snort_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 snort_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, snort_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -50,11 +53,11 @@ interface(`snort_admin',`
- allow $2 system_r;
-
- admin_pattern($1, snort_etc_t)
-- files_search_etc($1)
-+ files_list_etc($1)
-
- admin_pattern($1, snort_log_t)
-- logging_search_logs($1)
-+ logging_list_logs($1)
-
- admin_pattern($1, snort_var_run_t)
-- files_search_pids($1)
-+ files_list_pids($1)
- ')
-diff --git a/snort.te b/snort.te
-index 179bc1b..3dbbcc0 100644
---- a/snort.te
-+++ b/snort.te
-@@ -32,17 +32,18 @@ files_pid_file(snort_var_run_t)
- allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
- dontaudit snort_t self:capability sys_tty_config;
- allow snort_t self:process signal_perms;
--allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-+allow snort_t self:netlink_route_socket create_netlink_socket_perms;
-+allow snort_t self:netlink_socket create_socket_perms;
- allow snort_t self:tcp_socket create_stream_socket_perms;
- allow snort_t self:udp_socket create_socket_perms;
- allow snort_t self:packet_socket create_socket_perms;
- allow snort_t self:socket create_socket_perms;
- # Snort IPS node. unverified.
--allow snort_t self:netlink_firewall_socket { bind create getattr };
-+allow snort_t self:netlink_firewall_socket create_socket_perms;
-
- allow snort_t snort_etc_t:dir list_dir_perms;
- allow snort_t snort_etc_t:file read_file_perms;
--allow snort_t snort_etc_t:lnk_file { getattr read };
-+allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
-
- manage_files_pattern(snort_t, snort_log_t, snort_log_t)
- create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
-@@ -63,7 +64,6 @@ kernel_request_load_module(snort_t)
- kernel_dontaudit_read_system_state(snort_t)
- kernel_read_network_state(snort_t)
-
--corenet_all_recvfrom_unlabeled(snort_t)
- corenet_all_recvfrom_netlabel(snort_t)
- corenet_tcp_sendrecv_generic_if(snort_t)
- corenet_udp_sendrecv_generic_if(snort_t)
-@@ -95,8 +95,6 @@ init_read_utmp(snort_t)
-
- logging_send_syslog_msg(snort_t)
-
--miscfiles_read_localization(snort_t)
--
- sysnet_read_config(snort_t)
- # snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
- sysnet_dns_name_resolve(snort_t)
-diff --git a/sosreport.fc b/sosreport.fc
-index a40478e..050f521 100644
---- a/sosreport.fc
-+++ b/sosreport.fc
-@@ -1 +1,3 @@
- /usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
-+
-+/.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)
-diff --git a/sosreport.if b/sosreport.if
-index 94c01b5..f64bd93 100644
---- a/sosreport.if
-+++ b/sosreport.if
-@@ -106,7 +106,7 @@ interface(`sosreport_append_tmp_files',`
- type sosreport_tmp_t;
- ')
-
-- append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
-+ allow $1 sosreport_tmp_t:file append_inherited_file_perms;
- ')
-
- ########################################
-diff --git a/sosreport.te b/sosreport.te
-index c6079a5..cb59eff 100644
---- a/sosreport.te
-+++ b/sosreport.te
-@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t)
- # sosreport local policy
- #
-
--allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
-+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
- allow sosreport_t self:process { setsched signull };
- allow sosreport_t self:fifo_file rw_fifo_file_perms;
- allow sosreport_t self:tcp_socket create_stream_socket_perms;
-@@ -64,7 +64,6 @@ files_getattr_all_sockets(sosreport_t)
- files_exec_etc_files(sosreport_t)
- files_list_all(sosreport_t)
- files_read_config_files(sosreport_t)
--files_read_etc_files(sosreport_t)
- files_read_generic_tmp_files(sosreport_t)
- files_read_usr_files(sosreport_t)
- files_read_var_lib_files(sosreport_t)
-@@ -74,13 +73,17 @@ files_read_all_symlinks(sosreport_t)
- # for blkid.tab
- files_manage_etc_runtime_files(sosreport_t)
- files_etc_filetrans_etc_runtime(sosreport_t, file)
-+files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
-
- fs_getattr_all_fs(sosreport_t)
- fs_list_inotifyfs(sosreport_t)
-
-+storage_dontaudit_read_fixed_disk(sosreport_t)
-+storage_dontaudit_read_removable_device(sosreport_t)
-+
- # some config files do not have configfile attribute
- # sosreport needs to read various files on system
--files_read_non_auth_files(sosreport_t)
-+files_read_non_security_files(sosreport_t)
- auth_use_nsswitch(sosreport_t)
-
- init_domtrans_script(sosreport_t)
-@@ -90,15 +93,11 @@ libs_domtrans_ldconfig(sosreport_t)
- logging_read_all_logs(sosreport_t)
- logging_send_syslog_msg(sosreport_t)
-
--miscfiles_read_localization(sosreport_t)
--
--# needed by modinfo
--modutils_read_module_deps(sosreport_t)
--
- sysnet_read_config(sosreport_t)
-
- optional_policy(`
- abrt_manage_pid_files(sosreport_t)
-+ abrt_manage_cache(sosreport_t)
- ')
-
- optional_policy(`
-@@ -110,6 +109,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ # needed by modinfo
-+ modutils_read_module_deps(sosreport_t)
-+')
-+
-+optional_policy(`
- fstools_domtrans(sosreport_t)
- ')
-
-diff --git a/soundserver.if b/soundserver.if
-index 93fe7bf..1b07ed4 100644
---- a/soundserver.if
-+++ b/soundserver.if
-@@ -33,13 +33,15 @@ interface(`soundserver_tcp_connect',`
- #
- interface(`soundserver_admin',`
- gen_require(`
-- type soundd_t, soundd_etc_t;
-+ type soundd_t, soundd_etc_t, soundd_initrc_exec_t;
- type soundd_tmp_t, soundd_var_run_t;
-- type soundd_initrc_exec_t;
- ')
-
-- allow $1 soundd_t:process { ptrace signal_perms };
-+ allow $1 soundd_t:process signal_perms;
- ps_process_pattern($1, soundd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 soundd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, soundd_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/soundserver.te b/soundserver.te
-index 3217605..e9a4381 100644
---- a/soundserver.te
-+++ b/soundserver.te
-@@ -68,7 +68,6 @@ kernel_read_kernel_sysctls(soundd_t)
- kernel_list_proc(soundd_t)
- kernel_read_proc_symlinks(soundd_t)
-
--corenet_all_recvfrom_unlabeled(soundd_t)
- corenet_all_recvfrom_netlabel(soundd_t)
- corenet_tcp_sendrecv_generic_if(soundd_t)
- corenet_udp_sendrecv_generic_if(soundd_t)
-@@ -94,8 +93,6 @@ fs_search_auto_mountpoints(soundd_t)
-
- logging_send_syslog_msg(soundd_t)
-
--miscfiles_read_localization(soundd_t)
--
- sysnet_read_config(soundd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(soundd_t)
-diff --git a/spamassassin.fc b/spamassassin.fc
-index 6b3abf9..80c9e56 100644
---- a/spamassassin.fc
-+++ b/spamassassin.fc
-@@ -1,15 +1,53 @@
--HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
-+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+/root/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+/root/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+
-+/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
-
- /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
--/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
-+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
- /usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
- /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-+/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
-
- /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-+/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-+/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
-+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
-
- /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
-+/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
-+
-+/var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
-+/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
-
- /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-
- /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
- /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-+/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-+
-+/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+
-+/etc/pyzor(/.*)? gen_context(system_u:object_r:spamd_etc_t, s0)
-+/etc/razor(/.*)? gen_context(system_u:object_r:spamd_etc_t,s0)
-+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
-+
-+/usr/bin/razor.* -- gen_context(system_u:object_r:spamc_exec_t,s0)
-+
-+/var/lib/pyzord(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
-+/var/lib/razor(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
-+
-+/var/log/pyzord\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
-+/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
-+
-+/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0)
-+/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0)
-diff --git a/spamassassin.if b/spamassassin.if
-index c954f31..82fc7f6 100644
---- a/spamassassin.if
-+++ b/spamassassin.if
-@@ -14,6 +14,7 @@
- ## User domain for the role
- ##
- ##
-+##
- #
- interface(`spamassassin_role',`
- gen_require(`
-@@ -25,9 +26,13 @@ interface(`spamassassin_role',`
- role $1 types { spamc_t spamassassin_t };
-
- domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
-+
-+ allow $2 spamassassin_t:process signal_perms;
- ps_process_pattern($2, spamassassin_t)
-
- domtrans_pattern($2, spamc_exec_t, spamc_t)
-+
-+ allow $2 spamc_t:process signal_perms;
- ps_process_pattern($2, spamc_t)
-
- manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
-@@ -55,7 +60,6 @@ interface(`spamassassin_exec',`
- ')
-
- can_exec($1, spamassassin_exec_t)
--
- ')
-
- ########################################
-@@ -111,6 +115,67 @@ interface(`spamassassin_domtrans_client',`
- ')
-
- domtrans_pattern($1, spamc_exec_t, spamc_t)
-+ allow $1 spamc_exec_t:file ioctl;
-+')
-+
-+########################################
-+##
-+## Send kill signal to spamassassin client
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`spamassassin_kill_client',`
-+ gen_require(`
-+ type spamc_t;
-+ ')
-+
-+ allow $1 spamc_t:process sigkill;
-+')
-+
-+########################################
-+##
-+## Manage spamc home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`spamassassin_manage_home_client',`
-+ gen_require(`
-+ type spamc_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
-+ manage_files_pattern($1, spamc_home_t, spamc_home_t)
-+ manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
-+')
-+
-+########################################
-+##
-+## Read spamc home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`spamassassin_read_home_client',`
-+ gen_require(`
-+ type spamc_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ list_dirs_pattern($1, spamc_home_t, spamc_home_t)
-+ read_files_pattern($1, spamc_home_t, spamc_home_t)
-+ read_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
- ')
-
- ########################################
-@@ -166,7 +231,9 @@ interface(`spamassassin_read_lib_files',`
- ')
-
- files_search_var_lib($1)
-+ list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
- read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
-+ read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
- ')
-
- ########################################
-@@ -204,6 +271,7 @@ interface(`spamassassin_read_spamd_tmp_files',`
- type spamd_tmp_t;
- ')
-
-+ files_search_tmp($1)
- allow $1 spamd_tmp_t:file read_file_perms;
- ')
-
-@@ -223,5 +291,94 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
- type spamd_tmp_t;
- ')
-
-- dontaudit $1 spamd_tmp_t:sock_file getattr;
-+ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Connect to run spamd.
-+##
-+##
-+##
-+## Domain allowed to connect.
-+##
-+##
-+#
-+interface(`spamd_stream_connect',`
-+ gen_require(`
-+ type spamd_t, spamd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
-+')
-+
-+########################################
-+##
-+## Read spamd pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`spamassassin_read_pid_files',`
-+ gen_require(`
-+ type spamd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an spamassassin environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed to manage the spamassassin domain.
-+##
-+##
-+##
-+#
-+interface(`spamassassin_spamd_admin',`
-+ gen_require(`
-+ type spamd_t, spamd_tmp_t, spamd_log_t;
-+ type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
-+ type spamd_initrc_exec_t;
-+ ')
-+
-+ allow $1 spamd_t:process signal_perms;
-+ ps_process_pattern($1, spamd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 spamd_t:process ptrace;
-+ ')
-+
-+ init_labeled_script_domtrans($1, spamd_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 spamd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, spamd_tmp_t)
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, spamd_log_t)
-+
-+ files_list_spool($1)
-+ admin_pattern($1, spamd_spool_t)
-+
-+ files_list_var_lib($1)
-+ admin_pattern($1, spamd_var_lib_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, spamd_var_run_t)
- ')
-diff --git a/spamassassin.te b/spamassassin.te
-index 1bbf73b..dd3e5e1 100644
---- a/spamassassin.te
-+++ b/spamassassin.te
-@@ -6,52 +6,40 @@ policy_module(spamassassin, 2.5.0)
- #
-
- ##
--##
--## Allow user spamassassin clients to use the network.
--##
-+##
-+## Allow user spamassassin clients to use the network.
-+##
- ##
- gen_tunable(spamassassin_can_network, false)
-
- ##
--##
--## Allow spamd to read/write user home directories.
--##
-+##
-+## Allow spamd to read/write user home directories.
-+##
- ##
- gen_tunable(spamd_enable_home_dirs, true)
-
--type spamassassin_t;
--type spamassassin_exec_t;
--typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
--typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
--userdom_user_application_domain(spamassassin_t, spamassassin_exec_t)
--
--type spamassassin_home_t;
--typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
--typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
--userdom_user_home_content(spamassassin_home_t)
--
--type spamassassin_tmp_t;
--typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
--typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
--userdom_user_tmp_file(spamassassin_tmp_t)
--
--type spamc_t;
--type spamc_exec_t;
--typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
--typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
--userdom_user_application_domain(spamc_t, spamc_exec_t)
--
--type spamc_tmp_t;
--typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
--typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
--userdom_user_tmp_file(spamc_tmp_t)
-+
-+type spamd_update_t;
-+type spamd_update_exec_t;
-+application_domain(spamd_update_t, spamd_update_exec_t)
-+role system_r types spamd_update_t;
-
- type spamd_t;
- type spamd_exec_t;
- init_daemon_domain(spamd_t, spamd_exec_t)
-
-+type spamd_compiled_t;
-+files_type(spamd_compiled_t)
-+
-+type spamd_initrc_exec_t;
-+init_script_file(spamd_initrc_exec_t)
-+
-+type spamd_log_t;
-+logging_log_file(spamd_log_t)
-+
- type spamd_spool_t;
--files_type(spamd_spool_t)
-+files_spool_file(spamd_spool_t)
-
- type spamd_tmp_t;
- files_tmp_file(spamd_tmp_t)
-@@ -63,6 +51,89 @@ files_type(spamd_var_lib_t)
- type spamd_var_run_t;
- files_pid_file(spamd_var_run_t)
-
-+ifdef(`distro_redhat',`
-+ # spamassassin client executable
-+ type spamc_t;
-+ type spamc_exec_t;
-+ application_domain(spamc_t, spamc_exec_t)
-+ role system_r types spamc_t;
-+
-+ type spamd_etc_t;
-+ files_config_file(spamd_etc_t)
-+
-+ typealias spamc_exec_t alias spamassassin_exec_t;
-+ typealias spamc_t alias spamassassin_t;
-+
-+ type spamc_home_t;
-+ userdom_user_home_content(spamc_home_t)
-+ typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
-+ typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
-+ typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
-+ typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
-+
-+ type spamc_tmp_t;
-+ files_tmp_file(spamc_tmp_t)
-+ typealias spamc_tmp_t alias spamassassin_tmp_t;
-+ typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
-+ typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
-+
-+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
-+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-+ typealias spamc_t alias pyzor_t;
-+ typealias spamc_exec_t alias pyzor_exec_t;
-+ typealias spamd_t alias pyzord_t;
-+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
-+ typealias spamd_exec_t alias pyzord_exec_t;
-+ typealias spamc_tmp_t alias pyzor_tmp_t;
-+ typealias spamd_log_t alias pyzor_log_t;
-+ typealias spamd_log_t alias pyzord_log_t;
-+ typealias spamd_var_lib_t alias pyzor_var_lib_t;
-+ typealias spamd_etc_t alias pyzor_etc_t;
-+ typealias spamc_home_t alias pyzor_home_t;
-+ typealias spamc_home_t alias user_pyzor_home_t;
-+ typealias spamc_t alias razor_t;
-+ typealias spamc_exec_t alias razor_exec_t;
-+ typealias spamd_log_t alias razor_log_t;
-+ typealias spamd_var_lib_t alias razor_var_lib_t;
-+ typealias spamd_etc_t alias razor_etc_t;
-+ typealias spamc_home_t alias razor_home_t;
-+ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
-+ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-+ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-+ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-+',`
-+ type spamassassin_t;
-+ type spamassassin_exec_t;
-+ typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
-+ typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
-+ application_domain(spamassassin_t, spamassassin_exec_t)
-+ ubac_constrained(spamassassin_t)
-+
-+ type spamassassin_home_t;
-+ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
-+ typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
-+ userdom_user_home_content(spamassassin_home_t)
-+
-+ type spamassassin_tmp_t;
-+ typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
-+ typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
-+ files_tmp_file(spamassassin_tmp_t)
-+ ubac_constrained(spamassassin_tmp_t)
-+
-+ type spamc_t;
-+ type spamc_exec_t;
-+ typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
-+ typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
-+ application_domain(spamc_t, spamc_exec_t)
-+ ubac_constrained(spamc_t)
-+
-+ type spamc_tmp_t;
-+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
-+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-+ files_tmp_file(spamc_tmp_t)
-+ ubac_constrained(spamc_tmp_t)
-+')
-+
- ##############################
- #
- # Standalone program local policy
-@@ -98,12 +169,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
- manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
- manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
- userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
-+userdom_home_manager(spamassassin_t)
-
- kernel_read_kernel_sysctls(spamassassin_t)
-
- dev_read_urand(spamassassin_t)
-
- fs_search_auto_mountpoints(spamassassin_t)
-+fs_getattr_all_fs(spamassassin_t)
-
- # this should probably be removed
- corecmd_list_bin(spamassassin_t)
-@@ -114,7 +187,6 @@ corecmd_read_bin_sockets(spamassassin_t)
-
- domain_use_interactive_fds(spamassassin_t)
-
--files_read_etc_files(spamassassin_t)
- files_read_etc_runtime_files(spamassassin_t)
- files_list_home(spamassassin_t)
- files_read_usr_files(spamassassin_t)
-@@ -122,8 +194,6 @@ files_dontaudit_search_var(spamassassin_t)
-
- logging_send_syslog_msg(spamassassin_t)
-
--miscfiles_read_localization(spamassassin_t)
--
- # cjp: this could probably be removed
- seutil_read_config(spamassassin_t)
-
-@@ -134,8 +204,6 @@ tunable_policy(`spamassassin_can_network',`
- allow spamassassin_t self:tcp_socket create_stream_socket_perms;
- allow spamassassin_t self:udp_socket create_socket_perms;
-
-- corenet_all_recvfrom_unlabeled(spamassassin_t)
-- corenet_all_recvfrom_netlabel(spamassassin_t)
- corenet_tcp_sendrecv_generic_if(spamassassin_t)
- corenet_udp_sendrecv_generic_if(spamassassin_t)
- corenet_tcp_sendrecv_generic_node(spamassassin_t)
-@@ -144,6 +212,9 @@ tunable_policy(`spamassassin_can_network',`
- corenet_udp_sendrecv_all_ports(spamassassin_t)
- corenet_tcp_connect_all_ports(spamassassin_t)
- corenet_sendrecv_all_client_packets(spamassassin_t)
-+ corenet_udp_bind_generic_node(spamassassin_t)
-+ corenet_udp_bind_generic_port(spamassassin_t)
-+ corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
-
- sysnet_read_config(spamassassin_t)
- ')
-@@ -154,25 +225,13 @@ tunable_policy(`spamd_enable_home_dirs',`
- userdom_manage_user_home_content_symlinks(spamd_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(spamassassin_t)
-- fs_manage_nfs_files(spamassassin_t)
-- fs_manage_nfs_symlinks(spamassassin_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(spamassassin_t)
-- fs_manage_cifs_files(spamassassin_t)
-- fs_manage_cifs_symlinks(spamassassin_t)
--')
--
- optional_policy(`
- # Write pid file and socket in ~/.evolution/cache/tmp
- evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
- ')
-
- optional_policy(`
-- tunable_policy(`spamassassin_can_network && allow_ypbind',`
-+ tunable_policy(`spamassassin_can_network && nis_enabled',`
- nis_use_ypbind_uncond(spamassassin_t)
- ')
- ')
-@@ -180,6 +239,8 @@ optional_policy(`
- optional_policy(`
- mta_read_config(spamassassin_t)
- sendmail_stub(spamassassin_t)
-+ sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t)
-+ sendmail_dontaudit_rw_tcp_sockets(spamassassin_t)
- ')
-
- ########################################
-@@ -202,17 +263,37 @@ allow spamc_t self:unix_stream_socket connectto;
- allow spamc_t self:tcp_socket create_stream_socket_perms;
- allow spamc_t self:udp_socket create_socket_perms;
-
-+can_exec(spamc_t, spamc_exec_t)
-+
- manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
- manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
- files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
-
-+manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t)
-+manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
-+manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
-+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
-+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
-+userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
-+userdom_append_user_home_content_files(spamc_t)
-+# for /root/.pyzor
-+allow spamc_t self:capability dac_override;
-+userdom_admin_home_dir_filetrans(spamc_t, spamc_home_t , dir, ".pyzor")
-+
-+list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
-+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
-+
- # Allow connecting to a local spamd
- allow spamc_t spamd_t:unix_stream_socket connectto;
- allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
-+spamd_stream_connect(spamc_t)
-+allow spamc_t spamd_tmp_t:file read_inherited_file_perms;
-
- kernel_read_kernel_sysctls(spamc_t)
-+kernel_read_system_state(spamc_t)
-+
-+corecmd_exec_bin(spamc_t)
-
--corenet_all_recvfrom_unlabeled(spamc_t)
- corenet_all_recvfrom_netlabel(spamc_t)
- corenet_tcp_sendrecv_generic_if(spamc_t)
- corenet_udp_sendrecv_generic_if(spamc_t)
-@@ -222,6 +303,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
- corenet_udp_sendrecv_all_ports(spamc_t)
- corenet_tcp_connect_all_ports(spamc_t)
- corenet_sendrecv_all_client_packets(spamc_t)
-+corenet_tcp_connect_spamd_port(spamc_t)
-
- fs_search_auto_mountpoints(spamc_t)
-
-@@ -234,43 +316,52 @@ corecmd_read_bin_sockets(spamc_t)
-
- domain_use_interactive_fds(spamc_t)
-
--files_read_etc_files(spamc_t)
- files_read_etc_runtime_files(spamc_t)
- files_read_usr_files(spamc_t)
- files_dontaudit_search_var(spamc_t)
- # cjp: this may be removable:
- files_list_home(spamc_t)
-+files_list_var_lib(spamc_t)
-+
-+fs_search_auto_mountpoints(spamc_t)
-
- logging_send_syslog_msg(spamc_t)
-
--miscfiles_read_localization(spamc_t)
-+auth_use_nsswitch(spamc_t)
-
--# cjp: this should probably be removed:
--seutil_read_config(spamc_t)
-+userdom_home_manager(spamc_t)
-
--sysnet_read_config(spamc_t)
-+optional_policy(`
-+ abrt_stream_connect(spamc_t)
-+')
-
- optional_policy(`
-- # Allow connection to spamd socket above
-- evolution_stream_connect(spamc_t)
-+ amavis_manage_spool_files(spamc_t)
- ')
-
- optional_policy(`
-- # Needed for pyzor/razor called from spamd
-- milter_manage_spamass_state(spamc_t)
-+ # Allow connection to spamd socket above
-+ evolution_stream_connect(spamc_t)
- ')
-
- optional_policy(`
-- nis_use_ypbind(spamc_t)
-+ milter_manage_spamass_state(spamc_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(spamc_t)
-+ postfix_domtrans_postdrop(spamc_t)
-+ postfix_search_spool(spamc_t)
-+ postfix_rw_local_pipes(spamc_t)
-+ postfix_rw_master_pipes(spamc_t)
- ')
-
- optional_policy(`
-+ mta_send_mail(spamc_t)
- mta_read_config(spamc_t)
-+ mta_read_queue(spamc_t)
- sendmail_stub(spamc_t)
-+ sendmail_rw_pipes(spamc_t)
-+ sendmail_dontaudit_rw_tcp_sockets(spamc_t)
- ')
-
- ########################################
-@@ -282,7 +373,7 @@ optional_policy(`
- # setuids to the user running spamc. Comment this if you are not
- # using this ability.
-
--allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
-+allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
- dontaudit spamd_t self:capability sys_tty_config;
- allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow spamd_t self:fd use;
-@@ -298,10 +389,20 @@ allow spamd_t self:unix_dgram_socket sendto;
- allow spamd_t self:unix_stream_socket connectto;
- allow spamd_t self:tcp_socket create_stream_socket_perms;
- allow spamd_t self:udp_socket create_socket_perms;
--allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
-+
-+# needed by razor
-+rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
-+
-+can_exec(spamd_t, spamd_compiled_t)
-+manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
-+manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
-+
-+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
-+logging_log_filetrans(spamd_t, spamd_log_t, file)
-
- manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
- manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-+manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
- files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
-
- manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -310,16 +411,21 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
-
- # var/lib files for spamd
- allow spamd_t spamd_var_lib_t:dir list_dir_perms;
--read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-+manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-+manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-
- manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
- manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
--files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
-+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
-+files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
-+
-+read_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
-+
-+can_exec(spamd_t, spamd_exec_t)
-
- kernel_read_all_sysctls(spamd_t)
- kernel_read_system_state(spamd_t)
-
--corenet_all_recvfrom_unlabeled(spamd_t)
- corenet_all_recvfrom_netlabel(spamd_t)
- corenet_tcp_sendrecv_generic_if(spamd_t)
- corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -356,30 +462,30 @@ corecmd_exec_bin(spamd_t)
- domain_use_interactive_fds(spamd_t)
-
- files_read_usr_files(spamd_t)
--files_read_etc_files(spamd_t)
- files_read_etc_runtime_files(spamd_t)
- # /var/lib/spamassin
- files_read_var_lib_files(spamd_t)
-
- init_dontaudit_rw_utmp(spamd_t)
-
--logging_send_syslog_msg(spamd_t)
-+auth_use_nsswitch(spamd_t)
-
--miscfiles_read_localization(spamd_t)
-+libs_use_ld_so(spamd_t)
-+libs_use_shared_libs(spamd_t)
-
--sysnet_read_config(spamd_t)
--sysnet_use_ldap(spamd_t)
--sysnet_dns_name_resolve(spamd_t)
-+logging_send_syslog_msg(spamd_t)
-
- userdom_use_unpriv_users_fds(spamd_t)
- userdom_search_user_home_dirs(spamd_t)
-+userdom_home_manager(spamd_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_files(spamd_t)
-+optional_policy(`
-+ clamav_stream_connect(spamd_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files(spamd_t)
-+optional_policy(`
-+ exim_manage_spool_dirs(spamd_t)
-+ exim_manage_spool_files(spamd_t)
- ')
-
- optional_policy(`
-@@ -395,7 +501,9 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dcc_domtrans_cdcc(spamd_t)
- dcc_domtrans_client(spamd_t)
-+ dcc_signal_client(spamd_t)
- dcc_stream_connect_dccifd(spamd_t)
- ')
-
-@@ -404,25 +512,17 @@ optional_policy(`
- ')
-
- optional_policy(`
-- corenet_tcp_connect_mysqld_port(spamd_t)
-- corenet_sendrecv_mysqld_client_packets(spamd_t)
--
-+ mysql_tcp_connect(spamd_t)
- mysql_search_db(spamd_t)
- mysql_stream_connect(spamd_t)
- ')
-
- optional_policy(`
-- nis_use_ypbind(spamd_t)
--')
--
--optional_policy(`
- postfix_read_config(spamd_t)
- ')
-
- optional_policy(`
-- corenet_tcp_connect_postgresql_port(spamd_t)
-- corenet_sendrecv_postgresql_client_packets(spamd_t)
--
-+ postgresql_tcp_connect(spamd_t)
- postgresql_stream_connect(spamd_t)
- ')
-
-@@ -433,6 +533,13 @@ optional_policy(`
-
- optional_policy(`
- razor_domtrans(spamd_t)
-+ razor_read_lib_files(spamd_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`spamd_enable_home_dirs',`
-+ razor_manage_user_home_files(spamd_t)
-+ ')
- ')
-
- optional_policy(`
-@@ -440,6 +547,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ mta_send_mail(spamd_t)
- sendmail_stub(spamd_t)
- mta_read_config(spamd_t)
- ')
-@@ -447,3 +555,54 @@ optional_policy(`
- optional_policy(`
- udev_read_db(spamd_t)
- ')
-+
-+########################################
-+#
-+# spamd_update local policy
-+#
-+
-+allow spamd_update_t self:fifo_file manage_fifo_file_perms;
-+allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
-+allow spamd_update_t self:capability dac_read_search;
-+dontaudit spamd_update_t self:capability dac_override;
-+
-+manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
-+manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
-+files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
-+
-+allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;
-+manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
-+manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
-+manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
-+
-+allow spamd_update_t spamd_tmp_t:file read_file_perms;
-+
-+kernel_read_system_state(spamd_update_t)
-+
-+# for updating rules
-+corenet_tcp_connect_http_port(spamd_update_t)
-+
-+corecmd_exec_bin(spamd_update_t)
-+corecmd_exec_shell(spamd_update_t)
-+
-+dev_read_urand(spamd_update_t)
-+
-+domain_use_interactive_fds(spamd_update_t)
-+
-+files_read_usr_files(spamd_update_t)
-+
-+auth_use_nsswitch(spamd_update_t)
-+auth_dontaudit_read_shadow(spamd_update_t)
-+
-+mta_read_config(spamd_update_t)
-+
-+userdom_use_inherited_user_ptys(spamd_update_t)
-+
-+optional_policy(`
-+ cron_system_entry(spamd_update_t, spamd_update_exec_t)
-+')
-+
-+optional_policy(`
-+ gpg_domtrans(spamd_update_t)
-+')
-+
-diff --git a/speedtouch.te b/speedtouch.te
-index ade10f5..bed16af 100644
---- a/speedtouch.te
-+++ b/speedtouch.te
-@@ -47,8 +47,6 @@ fs_search_auto_mountpoints(speedmgmt_t)
-
- logging_send_syslog_msg(speedmgmt_t)
-
--miscfiles_read_localization(speedmgmt_t)
--
- userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
- userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
-
-diff --git a/squid.fc b/squid.fc
-index 2015152..6664de3 100644
---- a/squid.fc
-+++ b/squid.fc
-@@ -1,8 +1,11 @@
- /etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
- /etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
-+/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
-
-+/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
- /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
- /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
-+/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0)
- /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
-
- /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
-@@ -11,3 +14,4 @@
- /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
- /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
- /var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
-+/var/lightsquid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
-diff --git a/squid.if b/squid.if
-index d2496bd..c7614d7 100644
---- a/squid.if
-+++ b/squid.if
-@@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
- type squid_t;
- ')
-
-- allow $1 squid_t:unix_stream_socket { getattr read write };
-+ allow $1 squid_t:unix_stream_socket rw_socket_perms;
- ')
-
- ########################################
-@@ -83,7 +83,6 @@ interface(`squid_rw_stream_sockets',`
- ## Domain to not audit.
- ##
- ##
--##
- #
- interface(`squid_dontaudit_search_cache',`
- gen_require(`
-@@ -207,12 +206,14 @@ interface(`squid_use',`
- interface(`squid_admin',`
- gen_require(`
- type squid_t, squid_cache_t, squid_conf_t;
-- type squid_log_t, squid_var_run_t;
-- type squid_initrc_exec_t;
-+ type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
- ')
-
-- allow $1 squid_t:process { ptrace signal_perms };
-+ allow $1 squid_t:process signal_perms;
- ps_process_pattern($1, squid_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 squid_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, squid_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/squid.te b/squid.te
-index c38de7a..413146c 100644
---- a/squid.te
-+++ b/squid.te
-@@ -29,7 +29,7 @@ type squid_cache_t;
- files_type(squid_cache_t)
-
- type squid_conf_t;
--files_type(squid_conf_t)
-+files_config_file(squid_conf_t)
-
- type squid_initrc_exec_t;
- init_script_file(squid_initrc_exec_t)
-@@ -40,9 +40,18 @@ logging_log_file(squid_log_t)
- type squid_tmpfs_t;
- files_tmpfs_file(squid_tmpfs_t)
-
-+type squid_tmp_t;
-+files_tmp_file(squid_tmp_t)
-+
- type squid_var_run_t;
- files_pid_file(squid_var_run_t)
-
-+type squid_cron_t;
-+type squid_cron_exec_t;
-+init_daemon_domain(squid_cron_t, squid_cron_exec_t)
-+application_domain(squid_cron_t, squid_cron_exec_t)
-+role system_r types squid_cron_t;
-+
- ########################################
- #
- # Local policy
-@@ -69,6 +78,7 @@ allow squid_t self:udp_socket create_socket_perms;
- manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
- manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
- manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
-+files_var_filetrans(squid_t, squid_cache_t, dir, "squid")
-
- allow squid_t squid_conf_t:dir list_dir_perms;
- read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
-@@ -85,15 +95,19 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
- manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
- fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
-
-+manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
-+manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
-+files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
-+
- manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
- files_pid_filetrans(squid_t, squid_var_run_t, file)
-
- kernel_read_kernel_sysctls(squid_t)
- kernel_read_system_state(squid_t)
-+kernel_read_network_state(squid_t)
-
- files_dontaudit_getattr_boot_dirs(squid_t)
-
--corenet_all_recvfrom_unlabeled(squid_t)
- corenet_all_recvfrom_netlabel(squid_t)
- corenet_tcp_sendrecv_generic_if(squid_t)
- corenet_udp_sendrecv_generic_if(squid_t)
-@@ -145,7 +159,6 @@ corecmd_exec_shell(squid_t)
-
- domain_use_interactive_fds(squid_t)
-
--files_read_etc_files(squid_t)
- files_read_etc_runtime_files(squid_t)
- files_read_usr_files(squid_t)
- files_search_spool(squid_t)
-@@ -161,7 +174,6 @@ libs_exec_lib_files(squid_t)
- logging_send_syslog_msg(squid_t)
-
- miscfiles_read_generic_certs(squid_t)
--miscfiles_read_localization(squid_t)
-
- userdom_use_unpriv_users_fds(squid_t)
- userdom_dontaudit_search_user_home_dirs(squid_t)
-@@ -169,7 +181,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
- tunable_policy(`squid_connect_any',`
- corenet_tcp_connect_all_ports(squid_t)
- corenet_tcp_bind_all_ports(squid_t)
-- corenet_sendrecv_all_packets(squid_t)
-+ corenet_sendrecv_all_client_packets(squid_t)
-+ corenet_sendrecv_all_server_packets(squid_t)
- ')
-
- tunable_policy(`squid_use_tproxy',`
-@@ -182,17 +195,19 @@ optional_policy(`
-
- allow httpd_squid_script_t self:tcp_socket create_socket_perms;
-
-- corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
- corenet_all_recvfrom_netlabel(httpd_squid_script_t)
- corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
-+ corenet_tcp_connect_squid_port(httpd_squid_script_t)
-
- sysnet_dns_name_resolve(httpd_squid_script_t)
-
-- squid_read_config(httpd_squid_script_t)
-+ optional_policy(`
-+ squid_read_config(httpd_squid_script_t)
-+ ')
- ')
-
- optional_policy(`
-- cron_system_entry(squid_t, squid_exec_t)
-+ mysql_stream_connect(squid_t)
- ')
-
- optional_policy(`
-@@ -206,3 +221,32 @@ optional_policy(`
- optional_policy(`
- udev_read_db(squid_t)
- ')
-+
-+optional_policy(`
-+ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
-+')
-+
-+########################################
-+#
-+# squid cron Local policy
-+#
-+manage_dirs_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
-+manage_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
-+manage_lnk_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
-+files_var_filetrans(squid_cron_t, squid_cache_t, dir, "squid")
-+
-+read_files_pattern(squid_cron_t, squid_conf_t, squid_conf_t)
-+
-+read_files_pattern(squid_cron_t, squid_log_t, squid_log_t)
-+
-+corecmd_exec_bin(squid_cron_t)
-+
-+dev_read_urand(squid_cron_t)
-+
-+files_read_etc_files(squid_cron_t)
-+files_read_usr_files(squid_cron_t)
-+
-+
-+optional_policy(`
-+ cron_system_entry(squid_cron_t, squid_cron_exec_t)
-+')
-diff --git a/sssd.fc b/sssd.fc
-index 4271815..45291bb 100644
---- a/sssd.fc
-+++ b/sssd.fc
-@@ -1,9 +1,15 @@
- /etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
-
-+/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
-+
- /usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
-
-+/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0)
-+
- /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
-
-+/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
-+
- /var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
-
- /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
-diff --git a/sssd.if b/sssd.if
-index 941380a..54c45f6 100644
---- a/sssd.if
-+++ b/sssd.if
-@@ -1,13 +1,31 @@
- ## System Security Services Daemon
-
-+#######################################
-+##
-+## Allow a domain to getattr on sssd binary.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`sssd_getattr_exec',`
-+ gen_require(`
-+ type sssd_t, sssd_exec_t;
-+ ')
-+
-+ allow $1 sssd_exec_t:file getattr;
-+')
-+
- ########################################
- ##
- ## Execute a domain transition to run sssd.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`sssd_domtrans',`
-@@ -38,6 +56,106 @@ interface(`sssd_initrc_domtrans',`
-
- ########################################
- ##
-+## Execute sssd server in the sssd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`sssd_systemctl',`
-+ gen_require(`
-+ type sssd_t;
-+ type sssd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 sssd_unit_file_t:file read_file_perms;
-+ allow $1 sssd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, sssd_t)
-+')
-+
-+#######################################
-+##
-+## Read sssd configuration.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sssd_read_config',`
-+ gen_require(`
-+ type sssd_conf_t;
-+ ')
-+
-+ files_search_etc($1)
-+ list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
-+ read_files_pattern($1, sssd_conf_t, sssd_conf_t)
-+')
-+
-+######################################
-+##
-+## Write sssd configuration.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sssd_write_config',`
-+ gen_require(`
-+ type sssd_conf_t;
-+ ')
-+
-+ files_search_etc($1)
-+ write_files_pattern($1, sssd_conf_t, sssd_conf_t)
-+')
-+
-+#####################################
-+##
-+## Write sssd configuration.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sssd_create_config',`
-+ gen_require(`
-+ type sssd_conf_t;
-+ ')
-+
-+ files_search_etc($1)
-+ create_files_pattern($1, sssd_conf_t, sssd_conf_t)
-+')
-+
-+####################################
-+##
-+## Manage sssd configuration.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sssd_manage_config',`
-+ gen_require(`
-+ type sssd_conf_t;
-+ ')
-+
-+ files_search_etc($1)
-+ manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
-+')
-+
-+########################################
-+##
- ## Read sssd public files.
- ##
- ##
-@@ -52,9 +170,29 @@ interface(`sssd_read_public_files',`
- ')
-
- sssd_search_lib($1)
-+ list_dirs_pattern($1, sssd_public_t, sssd_public_t)
- read_files_pattern($1, sssd_public_t, sssd_public_t)
- ')
-
-+#######################################
-+##
-+## Manage sssd public files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sssd_manage_public_files',`
-+ gen_require(`
-+ type sssd_public_t;
-+ ')
-+
-+ sssd_search_lib($1)
-+ manage_files_pattern($1, sssd_public_t, sssd_public_t)
-+')
-+
- ########################################
- ##
- ## Read sssd PID files.
-@@ -89,6 +227,7 @@ interface(`sssd_manage_pids',`
- type sssd_var_run_t;
- ')
-
-+ files_search_pids($1)
- manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
- manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
- ')
-@@ -128,7 +267,6 @@ interface(`sssd_dontaudit_search_lib',`
- ')
-
- dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
-- files_search_var_lib($1)
- ')
-
- ########################################
-@@ -148,6 +286,7 @@ interface(`sssd_read_lib_files',`
-
- files_search_var_lib($1)
- read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
-+ read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
- ')
-
- ########################################
-@@ -168,6 +307,7 @@ interface(`sssd_manage_lib_files',`
-
- files_search_var_lib($1)
- manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
-+ manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
- ')
-
- ########################################
-@@ -193,7 +333,7 @@ interface(`sssd_dbus_chat',`
-
- ########################################
- ##
--## Connect to sssd over an unix stream socket.
-+## Connect to sssd over a unix stream socket.
- ##
- ##
- ##
-@@ -225,21 +365,19 @@ interface(`sssd_stream_connect',`
- ## The role to be allowed to manage the sssd domain.
- ##
- ##
--##
--##
--## The type of the user terminal.
--##
--##
- ##
- #
- interface(`sssd_admin',`
- gen_require(`
-- type sssd_t, sssd_public_t;
-- type sssd_initrc_exec_t;
-+ type sssd_t, sssd_public_t, sssd_initrc_exec_t;
-+ type sssd_unit_file_t;
- ')
-
-- allow $1 sssd_t:process { ptrace signal_perms getattr };
-- read_files_pattern($1, sssd_t, sssd_t)
-+ allow $1 sssd_t:process signal_perms;
-+ ps_process_pattern($1, sssd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 sssd_t:process ptrace;
-+ ')
-
- # Allow sssd_t to restart the apache service
- sssd_initrc_domtrans($1)
-@@ -252,4 +390,9 @@ interface(`sssd_admin',`
- sssd_manage_lib_files($1)
-
- admin_pattern($1, sssd_public_t)
-+
-+ sssd_systemctl($1)
-+ admin_pattern($1, sssd_unit_file_t)
-+ allow $1 sssd_unit_file_t:service all_service_perms;
-+
- ')
-diff --git a/sssd.te b/sssd.te
-index a1b61bc..4253541 100644
---- a/sssd.te
-+++ b/sssd.te
-@@ -12,11 +12,15 @@ init_daemon_domain(sssd_t, sssd_exec_t)
- type sssd_initrc_exec_t;
- init_script_file(sssd_initrc_exec_t)
-
-+type sssd_conf_t;
-+files_config_file(sssd_conf_t)
-+
- type sssd_public_t;
- files_pid_file(sssd_public_t)
-
- type sssd_var_lib_t;
- files_type(sssd_var_lib_t)
-+mls_trusted_object(sssd_var_lib_t)
-
- type sssd_var_log_t;
- logging_log_file(sssd_var_log_t)
-@@ -24,22 +28,31 @@ logging_log_file(sssd_var_log_t)
- type sssd_var_run_t;
- files_pid_file(sssd_var_run_t)
-
-+type sssd_unit_file_t;
-+systemd_unit_file(sssd_unit_file_t)
-+
- ########################################
- #
- # sssd local policy
- #
--allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
--allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
--allow sssd_t self:fifo_file rw_file_perms;
-+
-+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
-+allow sssd_t self:capability2 block_suspend;
-+allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
-+allow sssd_t self:fifo_file rw_fifo_file_perms;
-+allow sssd_t self:key manage_key_perms;
- allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-+read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
-+
- manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
- manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
-
- manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
- manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
-+manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
- manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
--files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
-+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
-
- manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
- logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,37 +61,57 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
- manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
- files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
-
-+kernel_read_network_state(sssd_t)
- kernel_read_system_state(sssd_t)
-
-+corenet_udp_bind_generic_port(sssd_t)
-+corenet_dontaudit_udp_bind_all_ports(sssd_t)
-+corenet_tcp_connect_kerberos_password_port(sssd_t)
-+
- corecmd_exec_bin(sssd_t)
-
- dev_read_urand(sssd_t)
-+dev_read_sysfs(sssd_t)
-
- domain_read_all_domains_state(sssd_t)
- domain_obj_id_change_exemption(sssd_t)
-
- files_list_tmp(sssd_t)
- files_read_etc_files(sssd_t)
-+files_read_etc_runtime_files(sssd_t)
- files_read_usr_files(sssd_t)
-+files_list_var_lib(sssd_t)
-
- fs_list_inotifyfs(sssd_t)
-
- selinux_validate_context(sssd_t)
-
- seutil_read_file_contexts(sssd_t)
-+# sssd wants to write /etc/selinux//logins/ for SELinux PAM module
-+seutil_rw_login_config_dirs(sssd_t)
-+seutil_manage_login_config_files(sssd_t)
-
- mls_file_read_to_clearance(sssd_t)
-+mls_socket_read_to_clearance(sssd_t)
-+mls_socket_write_to_clearance(sssd_t)
-+mls_trusted_object(sssd_t)
-
--auth_use_nsswitch(sssd_t)
-+# auth_use_nsswitch(sssd_t)
- auth_domtrans_chk_passwd(sssd_t)
- auth_domtrans_upd_passwd(sssd_t)
-+auth_manage_cache(sssd_t)
-
- init_read_utmp(sssd_t)
-
- logging_send_syslog_msg(sssd_t)
- logging_send_audit_msgs(sssd_t)
-
--miscfiles_read_localization(sssd_t)
-+miscfiles_read_generic_certs(sssd_t)
-+
-+sysnet_dns_name_resolve(sssd_t)
-+sysnet_use_ldap(sssd_t)
-+
-+userdom_manage_tmp_role(system_r, sssd_t)
-
- optional_policy(`
- dbus_system_bus_client(sssd_t)
-@@ -87,8 +120,17 @@ optional_policy(`
-
- optional_policy(`
- kerberos_manage_host_rcache(sssd_t)
-+ kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
-+ kerberos_read_home_content(sssd_t)
-+')
-+
-+optional_policy(`
-+ dirsrv_stream_connect(sssd_t)
- ')
-
- optional_policy(`
- ldap_stream_connect(sssd_t)
- ')
-+
-+userdom_home_reader(sssd_t)
-+
-diff --git a/stapserver.fc b/stapserver.fc
-new file mode 100644
-index 0000000..0ccce59
---- /dev/null
-+++ b/stapserver.fc
-@@ -0,0 +1,7 @@
-+/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0)
-+
-+/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0)
-+
-+/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0)
-+
-+/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0)
-diff --git a/stapserver.if b/stapserver.if
-new file mode 100644
-index 0000000..80c6480
---- /dev/null
-+++ b/stapserver.if
-@@ -0,0 +1,151 @@
-+
-+## Instrumentation System Server
-+
-+########################################
-+##
-+## Execute stapserver in the stapserver domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`stapserver_domtrans',`
-+ gen_require(`
-+ type stapserver_t, stapserver_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, stapserver_exec_t, stapserver_t)
-+')
-+########################################
-+##
-+## Read stapserver's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`stapserver_read_log',`
-+ gen_require(`
-+ type stapserver_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, stapserver_log_t, stapserver_log_t)
-+')
-+
-+########################################
-+##
-+## Append to stapserver log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`stapserver_append_log',`
-+ gen_require(`
-+ type stapserver_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, stapserver_log_t, stapserver_log_t)
-+')
-+
-+########################################
-+##
-+## Manage stapserver log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`stapserver_manage_log',`
-+ gen_require(`
-+ type stapserver_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, stapserver_log_t, stapserver_log_t)
-+ manage_files_pattern($1, stapserver_log_t, stapserver_log_t)
-+ manage_lnk_files_pattern($1, stapserver_log_t, stapserver_log_t)
-+')
-+########################################
-+##
-+## Read stapserver PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`stapserver_read_pid_files',`
-+ gen_require(`
-+ type stapserver_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 stapserver_var_run_t:file read_file_perms;
-+')
-+
-+#######################################
-+##
-+## Manage stapserver lib files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`stapserver_manage_lib',`
-+ gen_require(`
-+ type stapserver_var_lib_t;
-+ ')
-+
-+ manage_dirs_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
-+ manage_files_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an stapserver environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`stapserver_admin',`
-+ gen_require(`
-+ type stapserver_t;
-+ type stapserver_log_t;
-+ type stapserver_var_run_t;
-+ ')
-+
-+ allow $1 stapserver_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, stapserver_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, stapserver_log_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, stapserver_var_run_t)
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/stapserver.te b/stapserver.te
-new file mode 100644
-index 0000000..b87c79c
---- /dev/null
-+++ b/stapserver.te
-@@ -0,0 +1,100 @@
-+policy_module(stapserver, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type stapserver_t;
-+type stapserver_exec_t;
-+init_daemon_domain(stapserver_t, stapserver_exec_t)
-+
-+type stapserver_var_lib_t;
-+files_type(stapserver_var_lib_t)
-+
-+type stapserver_log_t;
-+logging_log_file(stapserver_log_t)
-+
-+type stapserver_var_run_t;
-+files_pid_file(stapserver_var_run_t)
-+
-+########################################
-+#
-+# stapserver local policy
-+#
-+
-+#runuser
-+allow stapserver_t self:capability { setuid setgid };
-+allow stapserver_t self:process setsched;
-+
-+allow stapserver_t self:capability { dac_override kill };
-+allow stapserver_t self:process { setrlimit signal };
-+
-+allow stapserver_t self:fifo_file rw_fifo_file_perms;
-+allow stapserver_t self:key write;
-+allow stapserver_t self:unix_stream_socket create_stream_socket_perms;
-+allow stapserver_t self:tcp_socket { accept listen };
-+
-+manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
-+manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
-+files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
-+
-+manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
-+manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
-+logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
-+
-+manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
-+manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
-+files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
-+
-+kernel_read_system_state(stapserver_t)
-+kernel_read_kernel_sysctls(stapserver_t)
-+
-+corecmd_exec_bin(stapserver_t)
-+corecmd_exec_shell(stapserver_t)
-+
-+domain_read_all_domains_state(stapserver_t)
-+domain_use_interactive_fds(stapserver_t)
-+
-+dev_read_sysfs(stapserver_t)
-+dev_read_rand(stapserver_t)
-+dev_read_urand(stapserver_t)
-+
-+files_list_tmp(stapserver_t)
-+files_read_usr_files(stapserver_t)
-+files_search_kernel_modules(stapserver_t)
-+
-+fs_search_cgroup_dirs(stapserver_t)
-+
-+auth_use_nsswitch(stapserver_t)
-+
-+init_read_utmp(stapserver_t)
-+
-+logging_send_audit_msgs(stapserver_t)
-+logging_send_syslog_msg(stapserver_t)
-+
-+#lspci
-+miscfiles_read_hwdata(stapserver_t)
-+
-+userdom_use_user_terminals(stapserver_t)
-+
-+optional_policy(`
-+ consoletype_exec(stapserver_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(stapserver_t)
-+')
-+
-+optional_policy(`
-+ hostname_exec(stapserver_t)
-+')
-+
-+optional_policy(`
-+ plymouthd_exec_plymouth(stapserver_t)
-+')
-+
-+optional_policy(`
-+ rpm_exec(stapserver_t)
-+')
-+
-diff --git a/stunnel.te b/stunnel.te
-index f646c66..a399168 100644
---- a/stunnel.te
-+++ b/stunnel.te
-@@ -40,7 +40,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
-
- allow stunnel_t stunnel_etc_t:dir list_dir_perms;
- allow stunnel_t stunnel_etc_t:file read_file_perms;
--allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
-+allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
-
- manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
- manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
-@@ -56,7 +56,6 @@ kernel_read_network_state(stunnel_t)
-
- corecmd_exec_bin(stunnel_t)
-
--corenet_all_recvfrom_unlabeled(stunnel_t)
- corenet_all_recvfrom_netlabel(stunnel_t)
- corenet_tcp_sendrecv_generic_if(stunnel_t)
- corenet_udp_sendrecv_generic_if(stunnel_t)
-@@ -73,8 +72,6 @@ auth_use_nsswitch(stunnel_t)
-
- logging_send_syslog_msg(stunnel_t)
-
--miscfiles_read_localization(stunnel_t)
--
- sysnet_read_config(stunnel_t)
-
- ifdef(`distro_gentoo', `
-@@ -106,7 +103,6 @@ ifdef(`distro_gentoo', `
-
- dev_read_urand(stunnel_t)
-
-- files_read_etc_files(stunnel_t)
- files_read_etc_runtime_files(stunnel_t)
- files_search_home(stunnel_t)
-
-@@ -120,4 +116,5 @@ ifdef(`distro_gentoo', `
- gen_require(`
- type stunnel_port_t;
- ')
-+
- allow stunnel_t stunnel_port_t:tcp_socket name_bind;
-diff --git a/svnserve.fc b/svnserve.fc
-new file mode 100644
-index 0000000..5ab0840
---- /dev/null
-+++ b/svnserve.fc
-@@ -0,0 +1,12 @@
-+/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
-+
-+/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0)
-+
-+/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0)
-+/usr/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0)
-+
-+/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0)
-+/var/run/svnserve.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
-+
-+/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
-+/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
-diff --git a/svnserve.if b/svnserve.if
-new file mode 100644
-index 0000000..dd2ac36
---- /dev/null
-+++ b/svnserve.if
-@@ -0,0 +1,118 @@
-+
-+## policy for svnserve
-+
-+
-+########################################
-+##
-+## Transition to svnserve.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`svnserve_domtrans',`
-+ gen_require(`
-+ type svnserve_t, svnserve_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, svnserve_exec_t, svnserve_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute svnserve server in the svnserve domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`svnserve_initrc_domtrans',`
-+ gen_require(`
-+ type svnserve_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
-+')
-+
-+#######################################
-+##
-+## Execute svnserve server in the svnserve domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`svnserve_systemctl',`
-+ gen_require(`
-+ type svnserve_t;
-+ type svnserve_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 svnserve_unit_file_t:file read_file_perms;
-+ allow $1 svnserve_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, svnserve_t)
-+')
-+
-+########################################
-+##
-+## Read svnserve PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`svnserve_read_pid_files',`
-+ gen_require(`
-+ type svnserve_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 svnserve_var_run_t:file read_file_perms;
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an svnserve environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`svnserve_admin',`
-+ gen_require(`
-+ type svnserve_t;
-+ type svnserve_var_run_t;
-+ type svnserve_unit_file_t;
-+ ')
-+
-+ allow $1 svnserve_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, svnserve_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, svnserve_var_run_t)
-+
-+ svnserve_systemctl($1)
-+ admin_pattern($1, svnserve_unit_file_t)
-+ allow $1 svnserve_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-+
-diff --git a/svnserve.te b/svnserve.te
-new file mode 100644
-index 0000000..ba40a17
---- /dev/null
-+++ b/svnserve.te
-@@ -0,0 +1,53 @@
-+policy_module(svnserve, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type svnserve_t;
-+type svnserve_exec_t;
-+init_daemon_domain(svnserve_t, svnserve_exec_t)
-+
-+type svnserve_initrc_exec_t;
-+init_script_file(svnserve_initrc_exec_t)
-+
-+type svnserve_var_run_t;
-+files_pid_file(svnserve_var_run_t)
-+
-+type svnserve_content_t;
-+files_type(svnserve_content_t)
-+
-+type svnserve_unit_file_t;
-+systemd_unit_file(svnserve_unit_file_t)
-+
-+########################################
-+#
-+# svnserve local policy
-+#
-+
-+allow svnserve_t self:fifo_file rw_fifo_file_perms;
-+allow svnserve_t self:tcp_socket create_stream_socket_perms;
-+allow svnserve_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
-+manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
-+
-+manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
-+manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
-+files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
-+
-+corenet_udp_bind_generic_node(svnserve_t)
-+#corenet_tcp_connect_svn_port(svnserve_t)
-+#corenet_tcp_bind_svn_port(svnserve_t)
-+#corenet_udp_bind_svn_port(svnserve_t)
-+
-+domain_use_interactive_fds(svnserve_t)
-+
-+files_read_etc_files(svnserve_t)
-+files_read_usr_files(svnserve_t)
-+
-+logging_send_syslog_msg(svnserve_t)
-+
-+sysnet_dns_name_resolve(svnserve_t)
-+
-diff --git a/sxid.te b/sxid.te
-index 8296303..50eddef 100644
---- a/sxid.te
-+++ b/sxid.te
-@@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t)
- corecmd_exec_bin(sxid_t)
- corecmd_exec_shell(sxid_t)
-
--corenet_all_recvfrom_unlabeled(sxid_t)
- corenet_all_recvfrom_netlabel(sxid_t)
- corenet_tcp_sendrecv_generic_if(sxid_t)
- corenet_udp_sendrecv_generic_if(sxid_t)
-@@ -66,7 +65,7 @@ fs_list_all(sxid_t)
-
- term_dontaudit_use_console(sxid_t)
-
--files_read_non_auth_files(sxid_t)
-+files_read_non_security_files(sxid_t)
- auth_dontaudit_getattr_shadow(sxid_t)
-
- init_use_fds(sxid_t)
-@@ -74,15 +73,17 @@ init_use_script_ptys(sxid_t)
-
- logging_send_syslog_msg(sxid_t)
-
--miscfiles_read_localization(sxid_t)
--
--mount_exec(sxid_t)
--
- sysnet_read_config(sxid_t)
-
- userdom_dontaudit_use_unpriv_user_fds(sxid_t)
-
--cron_system_entry(sxid_t, sxid_exec_t)
-+optional_policy(`
-+ cron_system_entry(sxid_t, sxid_exec_t)
-+')
-+
-+optional_policy(`
-+ mount_exec(sxid_t)
-+')
-
- optional_policy(`
- mta_send_mail(sxid_t)
-diff --git a/sysstat.fc b/sysstat.fc
-index 5d0e77b..5a92938 100644
---- a/sysstat.fc
-+++ b/sysstat.fc
-@@ -6,3 +6,4 @@
- /var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
- /var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
- /var/log/sysstat(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
-+/opt/sartest(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
-diff --git a/sysstat.te b/sysstat.te
-index 0ecd8a7..b532568 100644
---- a/sysstat.te
-+++ b/sysstat.te
-@@ -18,8 +18,7 @@ logging_log_file(sysstat_log_t)
- # Local policy
- #
-
--allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };
--dontaudit sysstat_t self:capability sys_admin;
-+allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };
- allow sysstat_t self:fifo_file rw_fifo_file_perms;
-
- can_exec(sysstat_t, sysstat_exec_t)
-@@ -36,6 +35,7 @@ kernel_read_kernel_sysctls(sysstat_t)
- kernel_read_fs_sysctls(sysstat_t)
- kernel_read_rpc_sysctls(sysstat_t)
-
-+corecmd_exec_shell(sysstat_t)
- corecmd_exec_bin(sysstat_t)
-
- dev_read_urand(sysstat_t)
-@@ -45,19 +45,20 @@ files_search_var(sysstat_t)
- # for mtab
- files_read_etc_runtime_files(sysstat_t)
- #for fstab
--files_read_etc_files(sysstat_t)
-
- fs_getattr_xattr_fs(sysstat_t)
- fs_list_inotifyfs(sysstat_t)
-
- term_use_console(sysstat_t)
--term_use_all_terms(sysstat_t)
-+term_use_all_inherited_terms(sysstat_t)
-
- init_use_fds(sysstat_t)
-
- locallogin_use_fds(sysstat_t)
-
--miscfiles_read_localization(sysstat_t)
-+auth_use_nsswitch(sysstat_t)
-+
-+logging_send_syslog_msg(sysstat_t)
-
- userdom_dontaudit_list_user_home_dirs(sysstat_t)
-
-@@ -65,6 +66,3 @@ optional_policy(`
- cron_system_entry(sysstat_t, sysstat_exec_t)
- ')
-
--optional_policy(`
-- logging_send_syslog_msg(sysstat_t)
--')
-diff --git a/tcpd.te b/tcpd.te
-index 7038b55..8961067 100644
---- a/tcpd.te
-+++ b/tcpd.te
-@@ -22,7 +22,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
- manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
- files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
-
--corenet_all_recvfrom_unlabeled(tcpd_t)
- corenet_all_recvfrom_netlabel(tcpd_t)
- corenet_tcp_sendrecv_generic_if(tcpd_t)
- corenet_tcp_sendrecv_generic_node(tcpd_t)
-@@ -39,8 +38,6 @@ files_dontaudit_search_var(tcpd_t)
-
- logging_send_syslog_msg(tcpd_t)
-
--miscfiles_read_localization(tcpd_t)
--
- sysnet_read_config(tcpd_t)
-
- inetd_domtrans_child(tcpd_t)
-diff --git a/tcsd.if b/tcsd.if
-index 595f5a7..4e518cf 100644
---- a/tcsd.if
-+++ b/tcsd.if
-@@ -137,8 +137,11 @@ interface(`tcsd_admin',`
- type tcsd_var_lib_t;
- ')
-
-- allow $1 tcsd_t:process { ptrace signal_perms };
-+ allow $1 tcsd_t:process signal_perms;
- ps_process_pattern($1, tcsd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 tcsd_t:process ptrace;
-+ ')
-
- tcsd_initrc_domtrans($1)
- domain_system_change_exemption($1)
-diff --git a/tcsd.te b/tcsd.te
-index ee9f3c6..ac97168 100644
---- a/tcsd.te
-+++ b/tcsd.te
-@@ -30,7 +30,6 @@ manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
- files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir })
-
- # Accept connections on the TCS port over loopback.
--corenet_all_recvfrom_unlabeled(tcsd_t)
- corenet_tcp_bind_generic_node(tcsd_t)
- corenet_tcp_bind_tcs_port(tcsd_t)
-
-@@ -38,13 +37,8 @@ dev_read_urand(tcsd_t)
- # Access /dev/tpm0.
- dev_rw_tpm(tcsd_t)
-
--files_read_etc_files(tcsd_t)
- files_read_usr_files(tcsd_t)
-
- auth_use_nsswitch(tcsd_t)
-
- logging_send_syslog_msg(tcsd_t)
--
--miscfiles_read_localization(tcsd_t)
--
--sysnet_dns_name_resolve(tcsd_t)
-diff --git a/telepathy.fc b/telepathy.fc
-index b07ee19..a275bd6 100644
---- a/telepathy.fc
-+++ b/telepathy.fc
-@@ -1,8 +1,11 @@
- HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
--HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
-+HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
-+HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
- HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
- HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
- HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
-+HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0)
-+HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0)
- HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
- HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
-
-diff --git a/telepathy.if b/telepathy.if
-index f09171e..95a9aa3 100644
---- a/telepathy.if
-+++ b/telepathy.if
-@@ -11,7 +11,6 @@
- ##
- ##
- #
--#
- template(`telepathy_domain_template',`
- gen_require(`
- attribute telepathy_domain;
-@@ -20,19 +19,21 @@ template(`telepathy_domain_template',`
-
- type telepathy_$1_t, telepathy_domain;
- type telepathy_$1_exec_t, telepathy_executable;
-- userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
-+ application_domain(telepathy_$1_t, telepathy_$1_exec_t)
-+ ubac_constrained(telepathy_$1_t)
-
- type telepathy_$1_tmp_t;
- userdom_user_tmp_file(telepathy_$1_tmp_t)
-
-- auth_use_nsswitch(telepathy_$1_t)
-+ kernel_read_system_state(telepathy_$1_t)
-
-+ auth_use_nsswitch(telepathy_$1_t)
- ')
-
- #######################################
- ##
--## Role access for telepathy domains
--### that executes via dbus-session
-+## Role access for telepathy domains
-+## that executes via dbus-session
- ##
- ##
- ##
-@@ -44,8 +45,13 @@ template(`telepathy_domain_template',`
- ## The type of the user domain.
- ##
- ##
-+##
-+##
-+## User domain prefix to be used.
-+##
-+##
- #
--template(`telepathy_role', `
-+template(`telepathy_role',`
- gen_require(`
- attribute telepathy_domain;
- type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
-@@ -76,6 +82,8 @@ template(`telepathy_role', `
- dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
- dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
- dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
-+
-+ telepathy_dbus_chat($2)
- ')
-
- ########################################
-@@ -122,11 +130,6 @@ interface(`telepathy_gabble_dbus_chat', `
- ##
- ## Read telepathy mission control state.
- ##
--##
--##
--## Prefix to be used.
--##
--##
- ##
- ##
- ## Domain allowed access.
-@@ -166,7 +169,7 @@ interface(`telepathy_msn_stream_connect', `
- ## Stream connect to Telepathy Salut
- ##
- ##
--##
-+##
- ## Domain allowed access.
- ##
- ##
-@@ -179,3 +182,130 @@ interface(`telepathy_salut_stream_connect', `
- stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
- files_search_tmp($1)
- ')
-+
-+#######################################
-+##
-+## Send DBus messages to and from
-+## all Telepathy domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`telepathy_dbus_chat',`
-+ gen_require(`
-+ attribute telepathy_domain;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 telepathy_domain:dbus send_msg;
-+ allow telepathy_domain $1:dbus send_msg;
-+')
-+
-+######################################
-+##
-+## Execute telepathy executable
-+## in the specified domain.
-+##
-+##
-+##
-+## Execute a telepathy executable
-+## in the specified domain. This allows
-+## the specified domain to execute any file
-+## on these filesystems in the specified
-+## domain.
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`telepathy_command_domtrans', `
-+ gen_require(`
-+ attribute telepathy_executable;
-+ ')
-+
-+ allow $2 telepathy_executable:file entrypoint;
-+ domain_transition_pattern($1, telepathy_executable, $2)
-+ type_transition $1 telepathy_executable:process $2;
-+
-+ # needs to dbus chat with unconfined_t and unconfined_dbusd_t
-+ optional_policy(`
-+ telepathy_dbus_chat($1)
-+ telepathy_dbus_chat($2)
-+ ')
-+')
-+
-+########################################
-+##
-+## Create telepathy content in the user home directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`telepathy_filetrans_home_content',`
-+ gen_require(`
-+ type telepathy_mission_control_cache_home_t;
-+ type telepathy_mission_control_home_t;
-+ type telepathy_logger_cache_home_t;
-+ type telepathy_gabble_cache_home_t;
-+ type telepathy_sunshine_home_t;
-+ type telepathy_logger_data_home_t;
-+ type telepathy_cache_home_t, telepathy_data_home_t;
-+ type telepathy_mission_control_data_home_t;
-+ ')
-+
-+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
-+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, file, "sqlite-data-journal")
-+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
-+
-+ filetrans_pattern($1, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
-+
-+ userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control")
-+ userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
-+
-+ gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections")
-+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")
-+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky")
-+ gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy")
-+
-+ gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
-+ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
-+')
-+
-+######################################
-+##
-+## Execute telepathy in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`telepathy_exec',`
-+ gen_require(`
-+ attribute telepathy_executable;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ can_exec($1, telepathy_executable)
-+')
-diff --git a/telepathy.te b/telepathy.te
-index 964978b..6cc7ecd 100644
---- a/telepathy.te
-+++ b/telepathy.te
-@@ -7,16 +7,16 @@ policy_module(telepathy, 1.3.0)
-
- ##
- ##
--## Allow the Telepathy connection managers
--## to connect to any generic TCP port.
-+## Allow the Telepathy connection managers
-+## to connect to any generic TCP port.
- ##
- ##
- gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
-
- ##
- ##
--## Allow the Telepathy connection managers
--## to connect to any network port.
-+## Allow the Telepathy connection managers
-+## to connect to any network port.
- ##
- ##
- gen_tunable(telepathy_connect_all_ports, false)
-@@ -26,12 +26,18 @@ attribute telepathy_executable;
-
- telepathy_domain_template(gabble)
-
-+type telepathy_cache_home_t;
-+userdom_user_home_content(telepathy_cache_home_t)
-+
- type telepathy_gabble_cache_home_t;
- userdom_user_home_content(telepathy_gabble_cache_home_t)
-
- telepathy_domain_template(idle)
- telepathy_domain_template(logger)
-
-+type telepathy_data_home_t;
-+userdom_user_home_content(telepathy_data_home_t)
-+
- type telepathy_logger_cache_home_t;
- userdom_user_home_content(telepathy_logger_cache_home_t)
-
-@@ -43,6 +49,9 @@ telepathy_domain_template(mission_control)
- type telepathy_mission_control_home_t;
- userdom_user_home_content(telepathy_mission_control_home_t)
-
-+type telepathy_mission_control_data_home_t;
-+userdom_user_home_content(telepathy_mission_control_data_home_t)
-+
- type telepathy_mission_control_cache_home_t;
- userdom_user_home_content(telepathy_mission_control_cache_home_t)
-
-@@ -67,8 +76,16 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble
- manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
- files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
-
-+# ~/.cache/telepathy/gabble/caps-cache.db-journal
-+optional_policy(`
-+ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-+ manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-+ filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir)
-+ # ~/.cache/wocky
-+ gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir)
-+')
-+
- corenet_all_recvfrom_netlabel(telepathy_gabble_t)
--corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
- corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
- corenet_tcp_sendrecv_generic_node(telepathy_gabble_t)
- corenet_tcp_connect_http_port(telepathy_gabble_t)
-@@ -98,18 +115,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
- corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(telepathy_gabble_t)
-- fs_manage_nfs_files(telepathy_gabble_t)
--')
-+userdom_home_manager(telepathy_gabble_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(telepathy_gabble_t)
-- fs_manage_cifs_files(telepathy_gabble_t)
-+optional_policy(`
-+ dbus_system_bus_client(telepathy_gabble_t)
- ')
-
- optional_policy(`
-- dbus_system_bus_client(telepathy_gabble_t)
-+ gnome_manage_home_config(telepathy_gabble_t)
- ')
-
- #######################################
-@@ -118,7 +131,6 @@ optional_policy(`
- #
-
- corenet_all_recvfrom_netlabel(telepathy_idle_t)
--corenet_all_recvfrom_unlabeled(telepathy_idle_t)
- corenet_tcp_sendrecv_generic_if(telepathy_idle_t)
- corenet_tcp_sendrecv_generic_node(telepathy_idle_t)
- corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
-@@ -127,8 +139,6 @@ corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
-
- dev_read_rand(telepathy_idle_t)
-
--files_read_etc_files(telepathy_idle_t)
--
- tunable_policy(`telepathy_connect_all_ports',`
- corenet_tcp_connect_all_ports(telepathy_idle_t)
- corenet_tcp_sendrecv_all_ports(telepathy_idle_t)
-@@ -147,51 +157,74 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
-
- allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
-
-+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
- manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
-+filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir)
-
- manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
- manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
-
--files_read_etc_files(telepathy_logger_t)
--files_read_usr_files(telepathy_logger_t)
-+optional_policy(`
-+ gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir)
-+')
-+
- files_search_pids(telepathy_logger_t)
-
- fs_getattr_all_fs(telepathy_logger_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(telepathy_logger_t)
-- fs_manage_nfs_files(telepathy_logger_t)
--')
-+userdom_home_manager(telepathy_logger_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(telepathy_logger_t)
-- fs_manage_cifs_files(telepathy_logger_t)
-+optional_policy(`
-+ # ~/.config/dconf/user
-+ gnome_manage_home_config(telepathy_logger_t)
- ')
-
- #######################################
- #
- # Telepathy Mission-Control local policy.
- #
-+allow telepathy_mission_control_t self:process setsched;
-
- manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
- manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
- userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
-+userdom_search_user_home_dirs(telepathy_mission_control_t)
-+
-+manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
-+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
-+filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })
-+
-+optional_policy(`
-+ gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)
-+ gnome_manage_home_config(telepathy_mission_control_t)
-+')
-
- dev_read_rand(telepathy_mission_control_t)
-
- fs_getattr_all_fs(telepathy_mission_control_t)
-
--files_read_etc_files(telepathy_mission_control_t)
--files_read_usr_files(telepathy_mission_control_t)
-+files_list_tmp(telepathy_mission_control_t)
-+
-+userdom_home_manager(telepathy_mission_control_t)
-+
-+optional_policy(`
-+ dbus_system_bus_client(telepathy_mission_control_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(telepathy_mission_control_t)
-- fs_manage_nfs_files(telepathy_mission_control_t)
-+ optional_policy(`
-+ devicekit_dbus_chat_power(telepathy_mission_control_t)
-+ ')
-+ optional_policy(`
-+ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)
-+ ')
-+ optional_policy(`
-+ networkmanager_dbus_chat(telepathy_mission_control_t)
-+ ')
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(telepathy_mission_control_t)
-- fs_manage_cifs_files(telepathy_mission_control_t)
-+# ~/.cache/.mc_connections.
-+optional_policy(`
-+ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
-+ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
- ')
-
- #######################################
-@@ -205,11 +238,13 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
- manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
- manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
- manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
-+exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
- files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
- userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
-+userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
-+can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
-
- corenet_all_recvfrom_netlabel(telepathy_msn_t)
--corenet_all_recvfrom_unlabeled(telepathy_msn_t)
- corenet_tcp_sendrecv_generic_if(telepathy_msn_t)
- corenet_tcp_sendrecv_generic_node(telepathy_msn_t)
- corenet_tcp_bind_generic_node(telepathy_msn_t)
-@@ -225,8 +260,7 @@ corecmd_exec_bin(telepathy_msn_t)
- corecmd_exec_shell(telepathy_msn_t)
- corecmd_read_bin_symlinks(telepathy_msn_t)
-
--files_read_etc_files(telepathy_msn_t)
--files_read_usr_files(telepathy_msn_t)
-+init_read_state(telepathy_msn_t)
-
- libs_exec_ldconfig(telepathy_msn_t)
-
-@@ -246,6 +280,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
- ')
-
- optional_policy(`
-+ gnome_read_gconf_home_files(telepathy_msn_t)
-+')
-+
-+optional_policy(`
- dbus_system_bus_client(telepathy_msn_t)
-
- optional_policy(`
-@@ -264,7 +302,6 @@ manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_sa
- files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
-
- corenet_all_recvfrom_netlabel(telepathy_salut_t)
--corenet_all_recvfrom_unlabeled(telepathy_salut_t)
- corenet_tcp_sendrecv_generic_if(telepathy_salut_t)
- corenet_tcp_sendrecv_generic_node(telepathy_salut_t)
- corenet_tcp_bind_generic_node(telepathy_salut_t)
-@@ -272,8 +309,6 @@ corenet_tcp_bind_presence_port(telepathy_salut_t)
- corenet_tcp_connect_presence_port(telepathy_salut_t)
- corenet_sendrecv_presence_server_packets(telepathy_salut_t)
-
--files_read_etc_files(telepathy_salut_t)
--
- tunable_policy(`telepathy_connect_all_ports',`
- corenet_tcp_connect_all_ports(telepathy_salut_t)
- corenet_tcp_sendrecv_all_ports(telepathy_salut_t)
-@@ -302,7 +337,6 @@ allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen };
- allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms;
-
- corenet_all_recvfrom_netlabel(telepathy_sofiasip_t)
--corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t)
- corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
- corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
- corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
-@@ -343,9 +377,6 @@ files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
-
- corecmd_exec_bin(telepathy_sunshine_t)
-
--files_read_etc_files(telepathy_sunshine_t)
--files_read_usr_files(telepathy_sunshine_t)
--
- optional_policy(`
- xserver_read_xdm_pid(telepathy_sunshine_t)
- xserver_stream_connect(telepathy_sunshine_t)
-@@ -361,18 +392,33 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
- allow telepathy_domain self:tcp_socket create_socket_perms;
- allow telepathy_domain self:udp_socket create_socket_perms;
-
-+manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t)
-+optional_policy(`
-+ gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
-+')
-+
- dev_read_urand(telepathy_domain)
-
--kernel_read_system_state(telepathy_domain)
-+files_read_etc_files(telepathy_domain)
-+files_read_usr_files(telepathy_domain)
-
-+fs_getattr_all_fs(telepathy_domain)
- fs_search_auto_mountpoints(telepathy_domain)
--
--miscfiles_read_localization(telepathy_domain)
-+fs_rw_inherited_tmpfs_files(telepathy_domain)
-
- optional_policy(`
- automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
- ')
-
- optional_policy(`
-+ gnome_read_generic_cache_files(telepathy_domain)
-+ gnome_write_generic_cache_files(telepathy_domain)
-+')
-+
-+optional_policy(`
-+ telepathy_dbus_chat(telepathy_domain)
-+')
-+
-+optional_policy(`
- xserver_rw_xdm_pipes(telepathy_domain)
- ')
-diff --git a/telnet.if b/telnet.if
-index 58e7ec0..e4119f7 100644
---- a/telnet.if
-+++ b/telnet.if
-@@ -1 +1,19 @@
- ## Telnet daemon
-+
-+########################################
-+##
-+## Read and write a telnetd domain pty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`telnet_use_ptys',`
-+ gen_require(`
-+ type telnetd_devpts_t;
-+ ')
-+
-+ allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms;
-+')
-diff --git a/telnet.te b/telnet.te
-index 3858d35..62dca46 100644
---- a/telnet.te
-+++ b/telnet.te
-@@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t)
- # Local policy
- #
-
--allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
-+allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
- allow telnetd_t self:process signal_perms;
- allow telnetd_t self:fifo_file rw_fifo_file_perms;
- allow telnetd_t self:tcp_socket connected_stream_socket_perms;
- allow telnetd_t self:udp_socket create_socket_perms;
- # for identd; cjp: this should probably only be inetd_child rules?
- allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
--allow telnetd_t self:capability { setuid setgid };
-
--allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
-+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
-+
- term_create_pty(telnetd_t, telnetd_devpts_t)
-
- manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
- manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
--files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
-
- manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
- files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
-@@ -47,7 +46,6 @@ kernel_read_kernel_sysctls(telnetd_t)
- kernel_read_system_state(telnetd_t)
- kernel_read_network_state(telnetd_t)
-
--corenet_all_recvfrom_unlabeled(telnetd_t)
- corenet_all_recvfrom_netlabel(telnetd_t)
- corenet_tcp_sendrecv_generic_if(telnetd_t)
- corenet_udp_sendrecv_generic_if(telnetd_t)
-@@ -68,7 +66,6 @@ auth_use_nsswitch(telnetd_t)
- corecmd_search_bin(telnetd_t)
-
- files_read_usr_files(telnetd_t)
--files_read_etc_files(telnetd_t)
- files_read_etc_runtime_files(telnetd_t)
- # for identd; cjp: this should probably only be inetd_child rules?
- files_search_home(telnetd_t)
-@@ -77,14 +74,12 @@ init_rw_utmp(telnetd_t)
-
- logging_send_syslog_msg(telnetd_t)
-
--miscfiles_read_localization(telnetd_t)
--
- seutil_read_config(telnetd_t)
-
--remotelogin_domtrans(telnetd_t)
--
- userdom_search_user_home_dirs(telnetd_t)
- userdom_setattr_user_ptys(telnetd_t)
-+userdom_manage_user_tmp_files(telnetd_t)
-+userdom_tmp_filetrans_user_tmp(telnetd_t, file)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_search_nfs(telnetd_t)
-@@ -96,5 +91,10 @@ tunable_policy(`use_samba_home_dirs',`
-
- optional_policy(`
- kerberos_keytab_template(telnetd, telnetd_t)
-+ kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
- kerberos_manage_host_rcache(telnetd_t)
- ')
-+
-+optional_policy(`
-+ remotelogin_domtrans(telnetd_t)
-+')
-diff --git a/tftp.fc b/tftp.fc
-index 25eee43..621f343 100644
---- a/tftp.fc
-+++ b/tftp.fc
-@@ -1,3 +1,4 @@
-+/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0)
-
- /usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
- /usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
-diff --git a/tftp.if b/tftp.if
-index 38bb312..d9fe23c 100644
---- a/tftp.if
-+++ b/tftp.if
-@@ -13,9 +13,34 @@
- interface(`tftp_read_content',`
- gen_require(`
- type tftpdir_t;
-+ type tftpdir_rw_t;
- ')
-
-+ list_dirs_pattern($1, tftpdir_t, tftpdir_t)
- read_files_pattern($1, tftpdir_t, tftpdir_t)
-+ read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)
-+
-+ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
-+ read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
-+')
-+
-+########################################
-+##
-+## Search tftp /var/lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tftp_search_rw_content',`
-+ gen_require(`
-+ type tftpdir_rw_t;
-+ ')
-+
-+ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
-+ files_search_var_lib($1)
- ')
-
- ########################################
-@@ -40,6 +65,91 @@ interface(`tftp_manage_rw_content',`
-
- ########################################
- ##
-+## Read tftp config files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tftp_read_config',`
-+ gen_require(`
-+ type tftpd_etc_t;
-+ ')
-+
-+ read_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
-+')
-+
-+########################################
-+##
-+## Manage tftp config files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tftp_manage_config',`
-+ gen_require(`
-+ type tftpd_etc_t;
-+ ')
-+
-+ manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
-+ files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
-+')
-+
-+########################################
-+##
-+## Create objects in tftpdir directories
-+## with specified types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Private file type.
-+##
-+##
-+##
-+##
-+## Class of the object being created.
-+##
-+##
-+#
-+interface(`tftp_filetrans_tftpdir',`
-+ gen_require(`
-+ type tftpdir_rw_t;
-+ ')
-+
-+ filetrans_pattern($1, tftpdir_rw_t, $2, $3)
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Transition to tftp named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tftp_filetrans_named_content',`
-+ gen_require(`
-+ type tftpd_etc_t;
-+ ')
-+
-+ files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an tftp environment
- ##
-@@ -55,8 +165,13 @@ interface(`tftp_admin',`
- type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
- ')
-
-- allow $1 tftpd_t:process { ptrace signal_perms getattr };
-+ allow $1 tftpd_t:process signal_perms;
- ps_process_pattern($1, tftpd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 tftpd_t:process ptrace;
-+ ')
-+
-+ files_list_var_lib($1)
-
- admin_pattern($1, tftpdir_rw_t)
-
-@@ -64,4 +179,6 @@ interface(`tftp_admin',`
-
- files_list_pids($1)
- admin_pattern($1, tftpd_var_run_t)
-+
-+ tftp_manage_config($1)
- ')
-diff --git a/tftp.te b/tftp.te
-index d50c10d..d2778d3 100644
---- a/tftp.te
-+++ b/tftp.te
-@@ -13,6 +13,13 @@ policy_module(tftp, 1.12.0)
- ##
- gen_tunable(tftp_anon_write, false)
-
-+##
-+##
-+## Allow tftp to read and write files in the user home directories
-+##
-+##
-+gen_tunable(tftp_home_dir, false)
-+
- type tftpd_t;
- type tftpd_exec_t;
- init_daemon_domain(tftpd_t, tftpd_exec_t)
-@@ -26,21 +33,26 @@ files_type(tftpdir_t)
- type tftpdir_rw_t;
- files_type(tftpdir_rw_t)
-
-+type tftpd_etc_t;
-+files_config_file(tftpd_etc_t)
-+
- ########################################
- #
- # Local policy
- #
-
- allow tftpd_t self:capability { setgid setuid sys_chroot };
-+dontaudit tftpd_t self:capability sys_tty_config;
- allow tftpd_t self:tcp_socket create_stream_socket_perms;
- allow tftpd_t self:udp_socket create_socket_perms;
- allow tftpd_t self:unix_dgram_socket create_socket_perms;
- allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
--dontaudit tftpd_t self:capability sys_tty_config;
-
- allow tftpd_t tftpdir_t:dir list_dir_perms;
- allow tftpd_t tftpdir_t:file read_file_perms;
--allow tftpd_t tftpdir_t:lnk_file { getattr read };
-+allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
-+
-+read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t)
-
- manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
- manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
-@@ -52,7 +64,6 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
- kernel_read_system_state(tftpd_t)
- kernel_read_kernel_sysctls(tftpd_t)
-
--corenet_all_recvfrom_unlabeled(tftpd_t)
- corenet_all_recvfrom_netlabel(tftpd_t)
- corenet_tcp_sendrecv_generic_if(tftpd_t)
- corenet_udp_sendrecv_generic_if(tftpd_t)
-@@ -72,7 +83,6 @@ fs_search_auto_mountpoints(tftpd_t)
-
- domain_use_interactive_fds(tftpd_t)
-
--files_read_etc_files(tftpd_t)
- files_read_etc_runtime_files(tftpd_t)
- files_read_var_files(tftpd_t)
- files_read_var_symlinks(tftpd_t)
-@@ -82,7 +92,6 @@ auth_use_nsswitch(tftpd_t)
-
- logging_send_syslog_msg(tftpd_t)
-
--miscfiles_read_localization(tftpd_t)
- miscfiles_read_public_files(tftpd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
-@@ -93,6 +102,36 @@ tunable_policy(`tftp_anon_write',`
- miscfiles_manage_public_files(tftpd_t)
- ')
-
-+tunable_policy(`tftp_home_dir',`
-+ allow tftpd_t self:capability { dac_override dac_read_search };
-+
-+ # allow access to /home
-+ files_list_home(tftpd_t)
-+ userdom_read_user_home_content_files(tftpd_t)
-+ userdom_manage_user_home_content(tftpd_t)
-+
-+ auth_read_all_dirs_except_shadow(tftpd_t)
-+ auth_read_all_files_except_shadow(tftpd_t)
-+ auth_read_all_symlinks_except_shadow(tftpd_t)
-+',`
-+ # Needed for permissive mode, to make sure everything gets labeled correctly
-+ userdom_user_home_dir_filetrans_pattern(tftpd_t, { dir file lnk_file })
-+')
-+
-+tunable_policy(`tftp_home_dir && use_nfs_home_dirs',`
-+ fs_manage_nfs_files(tftpd_t)
-+ fs_read_nfs_symlinks(tftpd_t)
-+')
-+
-+tunable_policy(`tftp_home_dir && use_samba_home_dirs',`
-+ fs_manage_cifs_files(tftpd_t)
-+ fs_read_cifs_symlinks(tftpd_t)
-+')
-+
-+optional_policy(`
-+ cobbler_read_lib_files(tftpd_t)
-+')
-+
- optional_policy(`
- inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
- ')
-diff --git a/tgtd.fc b/tgtd.fc
-index 8294f6f..4847b43 100644
---- a/tgtd.fc
-+++ b/tgtd.fc
-@@ -1,3 +1,4 @@
- /etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
- /usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
- /var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
-+/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
-diff --git a/tgtd.if b/tgtd.if
-index c2ed23a..d9e875d 100644
---- a/tgtd.if
-+++ b/tgtd.if
-@@ -44,3 +44,22 @@ interface(`tgtd_manage_semaphores',`
-
- allow $1 tgtd_t:sem create_sem_perms;
- ')
-+
-+######################################
-+##
-+## Connect to tgtd using a unix domain stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tgtd_stream_connect',`
-+ gen_require(`
-+ type tgtd_t, tgtd_var_run_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ stream_connect_pattern($1, tgtd_var_run_t, tgtd_var_run_t, tgtd_t)
-+')
-diff --git a/tgtd.te b/tgtd.te
-index 80fe75c..6e81911 100644
---- a/tgtd.te
-+++ b/tgtd.te
-@@ -21,15 +21,19 @@ files_tmpfs_file(tgtd_tmpfs_t)
- type tgtd_var_lib_t;
- files_type(tgtd_var_lib_t)
-
-+type tgtd_var_run_t;
-+files_pid_file(tgtd_var_run_t)
-+
- ########################################
- #
- # TGTD personal policy.
- #
-
- allow tgtd_t self:capability sys_resource;
-+allow tgtd_t self:capability2 block_suspend;
- allow tgtd_t self:process { setrlimit signal };
- allow tgtd_t self:fifo_file rw_fifo_file_perms;
--allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
-+allow tgtd_t self:netlink_route_socket create_netlink_socket_perms;
- allow tgtd_t self:shm create_shm_perms;
- allow tgtd_t self:sem create_sem_perms;
- allow tgtd_t self:tcp_socket create_stream_socket_perms;
-@@ -46,10 +50,15 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
- manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
- files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
-
-+manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
-+manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
-+manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
-+files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
-+
-+kernel_read_system_state(tgtd_t)
- kernel_read_fs_sysctls(tgtd_t)
-
- corenet_all_recvfrom_netlabel(tgtd_t)
--corenet_all_recvfrom_unlabeled(tgtd_t)
- corenet_tcp_sendrecv_generic_if(tgtd_t)
- corenet_tcp_sendrecv_generic_node(tgtd_t)
- corenet_tcp_sendrecv_iscsi_port(tgtd_t)
-@@ -57,10 +66,16 @@ corenet_tcp_bind_generic_node(tgtd_t)
- corenet_tcp_bind_iscsi_port(tgtd_t)
- corenet_sendrecv_iscsi_server_packets(tgtd_t)
-
-+dev_read_sysfs(tgtd_t)
-+
- files_read_etc_files(tgtd_t)
-
-+fs_read_anon_inodefs_files(tgtd_t)
-+
- storage_manage_fixed_disk(tgtd_t)
-
- logging_send_syslog_msg(tgtd_t)
-
--miscfiles_read_localization(tgtd_t)
-+optional_policy(`
-+ iscsi_manage_semaphores(tgtd_t)
-+')
-diff --git a/thin.fc b/thin.fc
-new file mode 100644
-index 0000000..7f4bce8
---- /dev/null
-+++ b/thin.fc
-@@ -0,0 +1,11 @@
-+/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0)
-+
-+/usr/bin/aeolus-configserver-thinwrapper -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)
-+
-+/var/lib/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0)
-+
-+/var/log/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_log_t,s0)
-+/var/log/thin\.log.* -- gen_context(system_u:object_r:thin_log_t,s0)
-+
-+/var/run/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_var_run_t,s0)
-+/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0)
-diff --git a/thin.if b/thin.if
-new file mode 100644
-index 0000000..d000122
---- /dev/null
-+++ b/thin.if
-@@ -0,0 +1,44 @@
-+## thin policy
-+
-+#######################################
-+##
-+## Creates types and rules for a basic
-+## thin daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`thin_domain_template',`
-+ gen_require(`
-+ attribute thin_domain;
-+ ')
-+
-+ type $1_t, thin_domain;
-+ type $1_exec_t;
-+ init_daemon_domain($1_t, $1_exec_t)
-+
-+ can_exec($1_t, $1_exec_t)
-+
-+ kernel_read_system_state($1_t)
-+')
-+
-+######################################
-+##
-+## Execute mongod in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`thin_exec',`
-+ gen_require(`
-+ type thin_exec_t;
-+ ')
-+
-+ can_exec($1, thin_exec_t)
-+')
-diff --git a/thin.te b/thin.te
-new file mode 100644
-index 0000000..2b878d8
---- /dev/null
-+++ b/thin.te
-@@ -0,0 +1,110 @@
-+policy_module(thin, 1.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+attribute thin_domain;
-+
-+thin_domain_template(thin)
-+
-+type thin_log_t;
-+logging_log_file(thin_log_t)
-+
-+type thin_var_run_t;
-+files_pid_file(thin_var_run_t)
-+
-+thin_domain_template(thin_aeolus_configserver)
-+
-+type thin_aeolus_configserver_lib_t;
-+files_type(thin_aeolus_configserver_lib_t)
-+
-+type thin_aeolus_configserver_log_t;
-+logging_log_file(thin_aeolus_configserver_log_t)
-+
-+type thin_aeolus_configserver_var_run_t;
-+files_pid_file(thin_aeolus_configserver_var_run_t)
-+
-+########################################
-+#
-+# thin_domain local policy
-+#
-+
-+allow thin_domain self:process signal;
-+
-+allow thin_domain self:fifo_file rw_fifo_file_perms;
-+allow thin_domain self:tcp_socket create_stream_socket_perms;
-+
-+# we want to stay in a new thin domain if we call thin binary from a script
-+# # initrc_t@thin_test_exec_t->thin_test_t@thin_exec_t->thin_test_t
-+can_exec(thin_domain, thin_exec_t)
-+
-+corecmd_exec_bin(thin_domain)
-+corecmd_exec_shell(thin_domain)
-+
-+corenet_tcp_bind_generic_node(thin_domain)
-+
-+dev_read_rand(thin_domain)
-+dev_read_urand(thin_domain)
-+
-+files_read_etc_files(thin_domain)
-+
-+auth_read_passwd(thin_domain)
-+
-+miscfiles_read_certs(thin_domain)
-+
-+files_read_usr_files(thin_domain)
-+
-+fs_search_auto_mountpoints(thin_domain)
-+
-+init_read_utmp(thin_domain)
-+
-+kernel_read_kernel_sysctls(thin_domain)
-+
-+optional_policy(`
-+ sysnet_read_config(thin_domain)
-+')
-+
-+########################################
-+#
-+# thin local policy
-+#
-+
-+allow thin_t self:capability { setuid kill setgid dac_override };
-+
-+allow thin_t self:netlink_route_socket r_netlink_socket_perms;
-+allow thin_t self:udp_socket create_socket_perms;
-+allow thin_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(thin_t, thin_log_t, thin_log_t)
-+manage_dirs_pattern(thin_t, thin_log_t, thin_log_t)
-+logging_log_filetrans(thin_t, thin_log_t, { file dir })
-+
-+manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
-+files_pid_filetrans(thin_t, thin_var_run_t, { file })
-+
-+corenet_tcp_bind_ntop_port(thin_t)
-+corenet_tcp_connect_postgresql_port(thin_t)
-+
-+
-+#######################################
-+#
-+# thin aeolus configserver local policy
-+#
-+
-+allow thin_aeolus_configserver_t self:capability { setuid setgid };
-+
-+corenet_tcp_bind_tram_port(thin_aeolus_configserver_t)
-+
-+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
-+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
-+files_var_lib_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, { file dir })
-+
-+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
-+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
-+logging_log_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, { file dir })
-+
-+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
-+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
-+files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
-diff --git a/thumb.fc b/thumb.fc
-new file mode 100644
-index 0000000..059e12c
---- /dev/null
-+++ b/thumb.fc
-@@ -0,0 +1,16 @@
-+HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
-+HOME_DIR/\.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
-+HOME_DIR/missfont\.log.* gen_context(system_u:object_r:thumb_home_t,s0)
-+
-+/usr/bin/evince-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/gsf-office-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/gnome-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/gnome-[^/]*-thumbnailer(.sh)? -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/raw-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/shotwell-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/totem-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/whaaw-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/[^/]*thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/ffmpegthumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+
-+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
-diff --git a/thumb.if b/thumb.if
-new file mode 100644
-index 0000000..9127cec
---- /dev/null
-+++ b/thumb.if
-@@ -0,0 +1,125 @@
-+
-+## policy for thumb
-+
-+########################################
-+##
-+## Transition to thumb.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`thumb_domtrans',`
-+ gen_require(`
-+ type thumb_t, thumb_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, thumb_exec_t, thumb_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute thumb in the thumb domain, and
-+## allow the specified role the thumb domain.
-+##
-+##
-+##
-+## Domain allowed to transition
-+##
-+##
-+##
-+##
-+## The role to be allowed the thumb domain.
-+##
-+##
-+#
-+interface(`thumb_run',`
-+ gen_require(`
-+ type thumb_t;
-+ ')
-+
-+ thumb_domtrans($1)
-+ role $2 types thumb_t;
-+
-+ allow $1 thumb_t:process signal;
-+')
-+
-+########################################
-+##
-+## Role access for thumb
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+interface(`thumb_role',`
-+ gen_require(`
-+ type thumb_t;
-+ class dbus send_msg;
-+ ')
-+
-+ role $1 types thumb_t;
-+
-+ thumb_domtrans($2)
-+
-+ ps_process_pattern($2, thumb_t)
-+ allow $2 thumb_t:process signal;
-+ allow thumb_t $2:unix_stream_socket connectto;
-+
-+ allow $2 thumb_t:dbus send_msg;
-+ allow thumb_t $2:dbus send_msg;
-+ thumb_filetrans_home_content($2)
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## thumb over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`thumb_dbus_chat',`
-+ gen_require(`
-+ type thumb_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 thumb_t:dbus send_msg;
-+ allow thumb_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Create thumb content in the user home directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`thumb_filetrans_home_content',`
-+
-+ gen_require(`
-+ type thumb_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
-+ userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
-+')
-diff --git a/thumb.te b/thumb.te
-new file mode 100644
-index 0000000..572ab5d
---- /dev/null
-+++ b/thumb.te
-@@ -0,0 +1,126 @@
-+policy_module(thumb, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type thumb_t;
-+type thumb_exec_t;
-+application_domain(thumb_t, thumb_exec_t)
-+ubac_constrained(thumb_t)
-+userdom_home_manager(thumb_t)
-+
-+type thumb_tmp_t;
-+files_tmp_file(thumb_tmp_t)
-+ubac_constrained(thumb_tmp_t)
-+
-+type thumb_home_t;
-+userdom_user_home_content(thumb_home_t)
-+
-+type thumb_tmpfs_t;
-+files_tmpfs_file(thumb_tmpfs_t)
-+
-+########################################
-+#
-+# thumb local policy
-+#
-+
-+allow thumb_t self:process { setsched signal signull setrlimit };
-+
-+tunable_policy(`deny_execmem',`',`
-+ allow thumb_t self:process execmem;
-+')
-+
-+allow thumb_t self:fifo_file manage_fifo_file_perms;
-+allow thumb_t self:unix_stream_socket create_stream_socket_perms;
-+allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
-+allow thumb_t self:udp_socket create_socket_perms;
-+allow thumb_t self:tcp_socket create_socket_perms;
-+allow thumb_t self:shm create_shm_perms;
-+allow thumb_t self:sem create_sem_perms;
-+
-+manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
-+manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
-+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
-+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
-+
-+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-+manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-+manage_sock_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-+exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-+files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
-+userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
-+xserver_xdm_tmp_filetrans(thumb_t, thumb_tmp_t, sock_file)
-+
-+manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
-+manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
-+fs_tmpfs_filetrans(thumb_t, thumb_tmpfs_t, { dir file })
-+
-+can_exec(thumb_t, thumb_exec_t)
-+
-+kernel_read_system_state(thumb_t)
-+
-+domain_use_interactive_fds(thumb_t)
-+
-+corecmd_exec_bin(thumb_t)
-+corecmd_exec_shell(thumb_t)
-+
-+dev_read_sysfs(thumb_t)
-+dev_read_urand(thumb_t)
-+dev_dontaudit_rw_dri(thumb_t)
-+dev_rw_xserver_misc(thumb_t)
-+
-+domain_use_interactive_fds(thumb_t)
-+
-+files_read_usr_files(thumb_t)
-+files_read_non_security_files(thumb_t)
-+
-+fs_getattr_all_fs(thumb_t)
-+fs_read_dos_files(thumb_t)
-+fs_rw_inherited_tmpfs_files(thumb_t)
-+
-+auth_read_passwd(thumb_t)
-+
-+tunable_policy(`selinuxuser_execmod',`
-+ libs_legacy_use_shared_libs(thumb_t)
-+')
-+
-+miscfiles_read_fonts(thumb_t)
-+miscfiles_dontaudit_setattr_fonts_dirs(thumb_t)
-+miscfiles_dontaudit_setattr_fonts_cache_dirs(thumb_t)
-+
-+sysnet_read_config(thumb_t)
-+
-+userdom_dontaudit_setattr_user_tmp(thumb_t)
-+userdom_read_user_tmp_files(thumb_t)
-+userdom_read_user_home_content_files(thumb_t)
-+userdom_write_user_tmp_files(thumb_t)
-+userdom_read_home_audio_files(thumb_t)
-+userdom_home_reader(thumb_t)
-+
-+userdom_use_user_terminals(thumb_t)
-+
-+xserver_read_xdm_home_files(thumb_t)
-+xserver_append_xdm_home_files(thumb_t)
-+xserver_dontaudit_read_xdm_pid(thumb_t)
-+xserver_dontaudit_xdm_tmp_dirs(thumb_t)
-+xserver_stream_connect(thumb_t)
-+xserver_use_user_fonts(thumb_t)
-+
-+optional_policy(`
-+ dbus_dontaudit_stream_connect_session_bus(thumb_t)
-+ dbus_dontaudit_chat_session_bus(thumb_t)
-+')
-+
-+optional_policy(`
-+ # .config
-+ gnome_dontaudit_search_config(thumb_t)
-+ gnome_append_generic_cache_files(thumb_t)
-+ gnome_read_generic_data_home_files(thumb_t)
-+ gnome_manage_gstreamer_home_files(thumb_t)
-+ gnome_manage_gstreamer_home_dirs(thumb_t)
-+ gnome_exec_gstreamer_home_files(thumb_t)
-+ gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
-+ gnome_cache_filetrans(thumb_t, thumb_home_t, file)
-+')
-diff --git a/thunderbird.te b/thunderbird.te
-index bf37d98..0d863fc 100644
---- a/thunderbird.te
-+++ b/thunderbird.te
-@@ -54,7 +54,6 @@ kernel_read_system_state(thunderbird_t)
- # Startup shellscript
- corecmd_exec_shell(thunderbird_t)
-
--corenet_all_recvfrom_unlabeled(thunderbird_t)
- corenet_all_recvfrom_netlabel(thunderbird_t)
- corenet_tcp_sendrecv_generic_if(thunderbird_t)
- corenet_tcp_sendrecv_generic_node(thunderbird_t)
-@@ -82,7 +81,6 @@ dev_dontaudit_search_sysfs(thunderbird_t)
-
- files_list_tmp(thunderbird_t)
- files_read_usr_files(thunderbird_t)
--files_read_etc_files(thunderbird_t)
- files_read_etc_runtime_files(thunderbird_t)
- files_read_var_files(thunderbird_t)
- files_read_var_symlinks(thunderbird_t)
-@@ -99,7 +97,6 @@ fs_search_auto_mountpoints(thunderbird_t)
- auth_use_nsswitch(thunderbird_t)
-
- miscfiles_read_fonts(thunderbird_t)
--miscfiles_read_localization(thunderbird_t)
-
- userdom_manage_user_tmp_dirs(thunderbird_t)
- userdom_read_user_tmp_files(thunderbird_t)
-@@ -112,17 +109,7 @@ xserver_read_xdm_tmp_files(thunderbird_t)
- xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
-
- # Access ~/.thunderbird
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(thunderbird_t)
-- fs_manage_nfs_files(thunderbird_t)
-- fs_manage_nfs_symlinks(thunderbird_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(thunderbird_t)
-- fs_manage_cifs_files(thunderbird_t)
-- fs_manage_cifs_symlinks(thunderbird_t)
--')
-+userdom_home_manager(thunderbird_t)
-
- tunable_policy(`mail_read_content && use_nfs_home_dirs',`
- files_list_home(thunderbird_t)
-diff --git a/timidity.te b/timidity.te
-index 67b5592..ccddff5 100644
---- a/timidity.te
-+++ b/timidity.te
-@@ -39,7 +39,6 @@ kernel_read_kernel_sysctls(timidity_t)
- # read /proc/cpuinfo
- kernel_read_system_state(timidity_t)
-
--corenet_all_recvfrom_unlabeled(timidity_t)
- corenet_all_recvfrom_netlabel(timidity_t)
- corenet_tcp_sendrecv_generic_if(timidity_t)
- corenet_udp_sendrecv_generic_if(timidity_t)
-diff --git a/tmpreaper.te b/tmpreaper.te
-index 0521d5a..4ad0788 100644
---- a/tmpreaper.te
-+++ b/tmpreaper.te
-@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.6.0)
-
- type tmpreaper_t;
- type tmpreaper_exec_t;
-+init_system_domain(tmpreaper_t, tmpreaper_exec_t)
- application_domain(tmpreaper_t, tmpreaper_exec_t)
- role system_r types tmpreaper_t;
-
-@@ -18,33 +19,47 @@ role system_r types tmpreaper_t;
- allow tmpreaper_t self:process { fork sigchld };
- allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
-
-+kernel_read_system_state(tmpreaper_t)
-+
- dev_read_urand(tmpreaper_t)
-
- fs_getattr_xattr_fs(tmpreaper_t)
-+fs_list_all(tmpreaper_t)
-
--files_read_etc_files(tmpreaper_t)
- files_read_var_lib_files(tmpreaper_t)
- files_purge_tmp(tmpreaper_t)
-+files_delete_all_non_security_files(tmpreaper_t)
- # why does it need setattr?
- files_setattr_all_tmp_dirs(tmpreaper_t)
-+files_setattr_usr_dirs(tmpreaper_t)
- files_getattr_all_dirs(tmpreaper_t)
- files_getattr_all_files(tmpreaper_t)
-+kernel_list_unlabeled(tmpreaper_t)
-+kernel_delete_unlabeled(tmpreaper_t)
-
-+mcs_file_read_all(tmpreaper_t)
-+mcs_file_write_all(tmpreaper_t)
- mls_file_read_all_levels(tmpreaper_t)
- mls_file_write_all_levels(tmpreaper_t)
-
-+auth_use_nsswitch(tmpreaper_t)
-+
- logging_send_syslog_msg(tmpreaper_t)
-
--miscfiles_read_localization(tmpreaper_t)
- miscfiles_delete_man_pages(tmpreaper_t)
-
--cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
-+optional_policy(`
-+ cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
-+')
-
- ifdef(`distro_redhat',`
- userdom_list_user_home_content(tmpreaper_t)
-- userdom_delete_user_home_content_dirs(tmpreaper_t)
-- userdom_delete_user_home_content_files(tmpreaper_t)
-- userdom_delete_user_home_content_symlinks(tmpreaper_t)
-+ userdom_list_admin_dir(tmpreaper_t)
-+ userdom_delete_all_user_home_content_dirs(tmpreaper_t)
-+ userdom_delete_all_user_home_content_files(tmpreaper_t)
-+ userdom_delete_all_user_home_content_sock_files(tmpreaper_t)
-+ userdom_delete_all_user_home_content_symlinks(tmpreaper_t)
-+ userdom_setattr_all_user_home_content_dirs(tmpreaper_t)
- ')
-
- optional_policy(`
-@@ -52,7 +67,9 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ apache_delete_sys_content_rw(tmpreaper_t)
- apache_list_cache(tmpreaper_t)
-+ apache_delete_cache_dirs(tmpreaper_t)
- apache_delete_cache_files(tmpreaper_t)
- apache_setattr_cache_dirs(tmpreaper_t)
- ')
-@@ -66,9 +83,17 @@ optional_policy(`
- ')
-
- optional_policy(`
-- rpm_manage_cache(tmpreaper_t)
-+ mandb_delete_cache(tmpreaper_t)
- ')
-
- optional_policy(`
-- unconfined_domain(tmpreaper_t)
-+ sandbox_list(tmpreaper_t)
-+ sandbox_delete_dirs(tmpreaper_t)
-+ sandbox_delete_files(tmpreaper_t)
-+ sandbox_delete_sock_files(tmpreaper_t)
-+ sandbox_setattr_dirs(tmpreaper_t)
-+')
-+
-+optional_policy(`
-+ rpm_manage_cache(tmpreaper_t)
- ')
-diff --git a/tomcat.fc b/tomcat.fc
-new file mode 100644
-index 0000000..a8385bc
---- /dev/null
-+++ b/tomcat.fc
-@@ -0,0 +1,11 @@
-+/usr/lib/systemd/system/tomcat.service -- gen_context(system_u:object_r:tomcat_unit_file_t,s0)
-+
-+/usr/sbin/tomcat(6)? -- gen_context(system_u:object_r:tomcat_exec_t,s0)
-+
-+/var/cache/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_cache_t,s0)
-+
-+/var/lib/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_var_lib_t,s0)
-+
-+/var/log/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_log_t,s0)
-+
-+/var/run/tomcat6?\.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0)
-diff --git a/tomcat.if b/tomcat.if
-new file mode 100644
-index 0000000..9abef48
---- /dev/null
-+++ b/tomcat.if
-@@ -0,0 +1,395 @@
-+
-+## policy for tomcat
-+
-+######################################
-+##
-+## Creates types and rules for a basic
-+## tomcat daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`tomcat_domain_template',`
-+ gen_require(`
-+ attribute tomcat_domain;
-+ ')
-+
-+ type $1_t, tomcat_domain;
-+ type $1_exec_t;
-+ init_daemon_domain($1_t, $1_exec_t)
-+
-+ type $1_cache_t;
-+ files_type($1_cache_t)
-+
-+ type $1_log_t;
-+ logging_log_file($1_log_t)
-+
-+ type $1_var_lib_t;
-+ files_type($1_var_lib_t)
-+
-+ type $1_var_run_t;
-+ files_pid_file($1_var_run_t)
-+
-+ type $1_tmp_t;
-+ files_tmp_file($1_tmp_t)
-+
-+ ##################################
-+ #
-+ # Local policy
-+ #
-+
-+ manage_dirs_pattern($1_t, $1_cache_t, $1_cache_t)
-+ manage_files_pattern($1_t, $1_cache_t, $1_cache_t)
-+ manage_lnk_files_pattern($1_t, $1_cache_t, $1_cache_t)
-+ files_var_filetrans($1_t, $1_cache_t, { dir file })
-+
-+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
-+ manage_files_pattern($1_t, $1_log_t, $1_log_t)
-+ manage_lnk_files_pattern($1_t, $1_log_t, $1_log_t)
-+ logging_log_filetrans($1_t, $1_log_t, { dir file })
-+
-+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
-+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
-+ manage_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
-+ files_var_lib_filetrans($1_t, $1_var_lib_t, { dir file lnk_file })
-+
-+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
-+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-+ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-+ files_pid_filetrans($1_t, $1_var_run_t, { dir file lnk_file })
-+
-+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-+ manage_fifo_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-+ files_tmp_filetrans($1_t, $1_tmp_t, { file fifo_file dir })
-+
-+ can_exec($1_t, $1_exec_t)
-+
-+ kernel_read_system_state($1_t)
-+
-+ logging_send_syslog_msg($1_t)
-+')
-+
-+########################################
-+##
-+## Transition to tomcat.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`tomcat_domtrans',`
-+ gen_require(`
-+ type tomcat_t, tomcat_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, tomcat_exec_t, tomcat_t)
-+')
-+
-+########################################
-+##
-+## Search tomcat cache directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tomcat_search_cache',`
-+ gen_require(`
-+ type tomcat_cache_t;
-+ ')
-+
-+ allow $1 tomcat_cache_t:dir search_dir_perms;
-+ files_search_var($1)
-+')
-+
-+########################################
-+##
-+## Read tomcat cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tomcat_read_cache_files',`
-+ gen_require(`
-+ type tomcat_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ read_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## tomcat cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tomcat_manage_cache_files',`
-+ gen_require(`
-+ type tomcat_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
-+')
-+
-+########################################
-+##
-+## Manage tomcat cache dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tomcat_manage_cache_dirs',`
-+ gen_require(`
-+ type tomcat_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_dirs_pattern($1, tomcat_cache_t, tomcat_cache_t)
-+')
-+
-+########################################
-+##
-+## Read tomcat's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`tomcat_read_log',`
-+ gen_require(`
-+ type tomcat_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, tomcat_log_t, tomcat_log_t)
-+')
-+
-+########################################
-+##
-+## Append to tomcat log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tomcat_append_log',`
-+ gen_require(`
-+ type tomcat_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, tomcat_log_t, tomcat_log_t)
-+')
-+
-+########################################
-+##
-+## Manage tomcat log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tomcat_manage_log',`
-+ gen_require(`
-+ type tomcat_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, tomcat_log_t, tomcat_log_t)
-+ manage_files_pattern($1, tomcat_log_t, tomcat_log_t)
-+ manage_lnk_files_pattern($1, tomcat_log_t, tomcat_log_t)
-+')
-+
-+########################################
-+##
-+## Search tomcat lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tomcat_search_lib',`
-+ gen_require(`
-+ type tomcat_var_lib_t;
-+ ')
-+
-+ allow $1 tomcat_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read tomcat lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tomcat_read_lib_files',`
-+ gen_require(`
-+ type tomcat_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage tomcat lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tomcat_manage_lib_files',`
-+ gen_require(`
-+ type tomcat_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage tomcat lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tomcat_manage_lib_dirs',`
-+ gen_require(`
-+ type tomcat_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read tomcat PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tomcat_read_pid_files',`
-+ gen_require(`
-+ type tomcat_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 tomcat_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute tomcat server in the tomcat domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`tomcat_systemctl',`
-+ gen_require(`
-+ type tomcat_t;
-+ type tomcat_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 tomcat_unit_file_t:file read_file_perms;
-+ allow $1 tomcat_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, tomcat_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an tomcat environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`tomcat_admin',`
-+ gen_require(`
-+ type tomcat_t;
-+ type tomcat_cache_t;
-+ type tomcat_log_t;
-+ type tomcat_var_lib_t;
-+ type tomcat_var_run_t;
-+ type tomcat_unit_file_t;
-+ ')
-+
-+ allow $1 tomcat_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, tomcat_t)
-+
-+ files_search_var($1)
-+ admin_pattern($1, tomcat_cache_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, tomcat_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, tomcat_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, tomcat_var_run_t)
-+
-+ tomcat_systemctl($1)
-+ admin_pattern($1, tomcat_unit_file_t)
-+ allow $1 tomcat_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/tomcat.te b/tomcat.te
-new file mode 100644
-index 0000000..0557ffc
---- /dev/null
-+++ b/tomcat.te
-@@ -0,0 +1,71 @@
-+policy_module(tomcat, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+attribute tomcat_domain;
-+
-+tomcat_domain_template(tomcat)
-+
-+type tomcat_unit_file_t;
-+systemd_unit_file(tomcat_unit_file_t)
-+
-+#######################################
-+#
-+# tomcat local policy
-+#
-+
-+optional_policy(`
-+ unconfined_domain(tomcat_t)
-+')
-+
-+########################################
-+#
-+# tomcat domain local policy
-+#
-+
-+allow tomcat_t self:process execmem;
-+allow tomcat_t self:process { signal signull };
-+
-+allow tomcat_t self:tcp_socket { accept listen };
-+allow tomcat_domain self:fifo_file rw_fifo_file_perms;
-+allow tomcat_domain self:unix_stream_socket create_stream_socket_perms;
-+
-+# we want to stay in a new tomcat domain if we call tomcat binary from a script
-+# initrc_t@tomcat_test_exec_t->tomcat_test_t@tomcat_exec_t->tomcat_test_t
-+can_exec(tomcat_domain, tomcat_exec_t)
-+
-+kernel_read_network_state(tomcat_domain)
-+
-+corecmd_exec_bin(tomcat_domain)
-+corecmd_exec_shell(tomcat_domain)
-+
-+corenet_tcp_bind_generic_node(tomcat_domain)
-+corenet_udp_bind_generic_node(tomcat_domain)
-+corenet_tcp_bind_http_port(tomcat_domain)
-+corenet_tcp_bind_http_cache_port(tomcat_domain)
-+corenet_tcp_bind_mxi_port(tomcat_domain)
-+corenet_tcp_connect_http_port(tomcat_domain)
-+corenet_tcp_connect_mxi_port(tomcat_domain)
-+
-+dev_read_rand(tomcat_domain)
-+dev_read_urand(tomcat_domain)
-+dev_read_sysfs(tomcat_domain)
-+
-+domain_use_interactive_fds(tomcat_domain)
-+
-+fs_getattr_all_fs(tomcat_domain)
-+fs_read_hugetlbfs_files(tomcat_domain)
-+
-+files_read_etc_files(tomcat_domain)
-+files_read_usr_files(tomcat_domain)
-+
-+auth_read_passwd(tomcat_domain)
-+
-+sysnet_dns_name_resolve(tomcat_domain)
-+
-+optional_policy(`
-+ tomcat_search_lib(tomcat_domain)
-+')
-diff --git a/tor.fc b/tor.fc
-index e2e06b2..6752bc3 100644
---- a/tor.fc
-+++ b/tor.fc
-@@ -4,6 +4,8 @@
- /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
- /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
-
-+/usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0)
-+
- /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
- /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
-
-diff --git a/tor.if b/tor.if
-index 904f13e..5801347 100644
---- a/tor.if
-+++ b/tor.if
-@@ -18,6 +18,29 @@ interface(`tor_domtrans',`
- domtrans_pattern($1, tor_exec_t, tor_t)
- ')
-
-+#######################################
-+##
-+## Execute tor server in the tor domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`tor_systemctl',`
-+ gen_require(`
-+ type tor_t;
-+ type tor_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 tor_unit_file_t:file read_file_perms;
-+ allow $1 tor_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, tor_t)
-+')
-+
- ########################################
- ##
- ## All of the rules required to administrate
-@@ -40,10 +63,14 @@ interface(`tor_admin',`
- type tor_t, tor_var_log_t, tor_etc_t;
- type tor_var_lib_t, tor_var_run_t;
- type tor_initrc_exec_t;
-+ type tor_unit_file_t;
- ')
-
-- allow $1 tor_t:process { ptrace signal_perms getattr };
-+ allow $1 tor_t:process signal_perms;
- ps_process_pattern($1, tor_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 tor_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, tor_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -61,4 +88,13 @@ interface(`tor_admin',`
-
- files_list_pids($1)
- admin_pattern($1, tor_var_run_t)
-+
-+ tor_systemctl($1)
-+ admin_pattern($1, tor_unit_file_t)
-+ allow $1 tor_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
- ')
-diff --git a/tor.te b/tor.te
-index c842cad..a655e4c 100644
---- a/tor.te
-+++ b/tor.te
-@@ -13,6 +13,13 @@ policy_module(tor, 1.8.0)
- ##
- gen_tunable(tor_bind_all_unreserved_ports, false)
-
-+##
-+##
-+## Allow tor to act as a relay
-+##
-+##
-+gen_tunable(tor_can_network_relay, false)
-+
- type tor_t;
- type tor_exec_t;
- init_daemon_domain(tor_t, tor_exec_t)
-@@ -36,12 +43,16 @@ logging_log_file(tor_var_log_t)
- type tor_var_run_t;
- files_pid_file(tor_var_run_t)
-
-+type tor_unit_file_t;
-+systemd_unit_file(tor_unit_file_t)
-+
- ########################################
- #
- # tor local policy
- #
-
- allow tor_t self:capability { setgid setuid sys_tty_config };
-+allow tor_t self:process signal;
- allow tor_t self:fifo_file rw_fifo_file_perms;
- allow tor_t self:unix_stream_socket create_stream_socket_perms;
- allow tor_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -73,9 +84,10 @@ manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
- files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
-
- kernel_read_system_state(tor_t)
-+kernel_read_net_sysctls(tor_t)
-+kernel_read_kernel_sysctls(tor_t)
-
- # networking basics
--corenet_all_recvfrom_unlabeled(tor_t)
- corenet_all_recvfrom_netlabel(tor_t)
- corenet_tcp_sendrecv_generic_if(tor_t)
- corenet_udp_sendrecv_generic_if(tor_t)
-@@ -87,6 +99,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
- corenet_tcp_bind_generic_node(tor_t)
- corenet_udp_bind_generic_node(tor_t)
- corenet_tcp_bind_tor_port(tor_t)
-+corenet_tcp_bind_tor_socks_port(tor_t)
- corenet_udp_bind_dns_port(tor_t)
- corenet_sendrecv_tor_server_packets(tor_t)
- corenet_sendrecv_dns_server_packets(tor_t)
-@@ -95,13 +108,14 @@ corenet_tcp_connect_all_ports(tor_t)
- corenet_sendrecv_all_client_packets(tor_t)
- # ... especially including port 80 and other privileged ports
- corenet_tcp_connect_all_reserved_ports(tor_t)
-+corenet_udp_bind_dns_port(tor_t)
-
- # tor uses crypto and needs random
- dev_read_urand(tor_t)
-+dev_read_sysfs(tor_t)
-
- domain_use_interactive_fds(tor_t)
-
--files_read_etc_files(tor_t)
- files_read_etc_runtime_files(tor_t)
- files_read_usr_files(tor_t)
-
-@@ -109,12 +123,16 @@ auth_use_nsswitch(tor_t)
-
- logging_send_syslog_msg(tor_t)
-
--miscfiles_read_localization(tor_t)
--
- tunable_policy(`tor_bind_all_unreserved_ports', `
- corenet_tcp_bind_all_unreserved_ports(tor_t)
- ')
-
-+tunable_policy(`tor_can_network_relay',`
-+ # allow httpd to work as a relay
-+ corenet_tcp_connect_all_ephemeral_ports(tor_t)
-+ corenet_tcp_bind_http_port(tor_t)
-+')
-+
- optional_policy(`
- seutil_sigchld_newrole(tor_t)
- ')
-diff --git a/transproxy.te b/transproxy.te
-index 95cf0c0..f191f8a 100644
---- a/transproxy.te
-+++ b/transproxy.te
-@@ -29,7 +29,6 @@ kernel_read_kernel_sysctls(transproxy_t)
- kernel_list_proc(transproxy_t)
- kernel_read_proc_symlinks(transproxy_t)
-
--corenet_all_recvfrom_unlabeled(transproxy_t)
- corenet_all_recvfrom_netlabel(transproxy_t)
- corenet_tcp_sendrecv_generic_if(transproxy_t)
- corenet_tcp_sendrecv_generic_node(transproxy_t)
-@@ -49,8 +48,6 @@ fs_search_auto_mountpoints(transproxy_t)
-
- logging_send_syslog_msg(transproxy_t)
-
--miscfiles_read_localization(transproxy_t)
--
- sysnet_read_config(transproxy_t)
-
- userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
-diff --git a/tripwire.te b/tripwire.te
-index 2ae8b62..bfe64af 100644
---- a/tripwire.te
-+++ b/tripwire.te
-@@ -80,7 +80,7 @@ files_getattr_all_sockets(tripwire_t)
-
- logging_send_syslog_msg(tripwire_t)
-
--userdom_use_user_terminals(tripwire_t)
-+userdom_use_inherited_user_terminals(tripwire_t)
-
- optional_policy(`
- cron_system_entry(tripwire_t, tripwire_exec_t)
-@@ -99,9 +99,7 @@ domain_use_interactive_fds(twadmin_t)
-
- logging_send_syslog_msg(twadmin_t)
-
--miscfiles_read_localization(twadmin_t)
--
--userdom_use_user_terminals(twadmin_t)
-+userdom_use_inherited_user_terminals(twadmin_t)
-
- ########################################
- #
-@@ -125,9 +123,7 @@ domain_use_interactive_fds(twprint_t)
-
- logging_send_syslog_msg(twprint_t)
-
--miscfiles_read_localization(twprint_t)
--
--userdom_use_user_terminals(twprint_t)
-+userdom_use_inherited_user_terminals(twprint_t)
-
- ########################################
- #
-@@ -141,6 +137,4 @@ files_read_all_files(siggen_t)
-
- logging_send_syslog_msg(siggen_t)
-
--miscfiles_read_localization(siggen_t)
--
--userdom_use_user_terminals(siggen_t)
-+userdom_use_inherited_user_terminals(siggen_t)
-diff --git a/tuned.fc b/tuned.fc
-index 639c962..e789b2e 100644
---- a/tuned.fc
-+++ b/tuned.fc
-@@ -1,8 +1,12 @@
- /etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
-
-+/etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0)
-+/etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0)
-+
- /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
-
- /var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
--/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
-+/var/log/tuned\.log.* -- gen_context(system_u:object_r:tuned_log_t,s0)
-
-+/var/run/tuned(/.*)? gen_context(system_u:object_r:tuned_var_run_t,s0)
- /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
-diff --git a/tuned.if b/tuned.if
-index 54b8605..a04f013 100644
---- a/tuned.if
-+++ b/tuned.if
-@@ -5,9 +5,9 @@
- ## Execute a domain transition to run tuned.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`tuned_domtrans',`
-@@ -112,18 +112,20 @@ interface(`tuned_initrc_domtrans',`
- #
- interface(`tuned_admin',`
- gen_require(`
-- type tuned_t, tuned_var_run_t;
-- type tuned_initrc_exec_t;
-+ type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
- ')
-
-- allow $1 tuned_t:process { ptrace signal_perms };
-+ allow $1 tuned_t:process signal_perms;
- ps_process_pattern($1, tuned_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 tuned_t:process ptrace;
-+ ')
-
- tuned_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 tuned_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, tuned_var_run_t)
- ')
-diff --git a/tuned.te b/tuned.te
-index db9d2a5..edfe6ba 100644
---- a/tuned.te
-+++ b/tuned.te
-@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
- type tuned_initrc_exec_t;
- init_script_file(tuned_initrc_exec_t)
-
-+type tuned_etc_t;
-+files_config_file(tuned_etc_t)
-+
-+type tuned_rw_etc_t;
-+files_config_file(tuned_rw_etc_t)
-+
- type tuned_log_t;
- logging_log_file(tuned_log_t)
-
-@@ -22,43 +28,85 @@ files_pid_file(tuned_var_run_t)
- #
- # tuned local policy
- #
--
-+allow tuned_t self:capability { sys_admin sys_nice };
- dontaudit tuned_t self:capability { dac_override sys_tty_config };
-+allow tuned_t self:process { setsched signal };
-+allow tuned_t self:fifo_file rw_fifo_file_perms;
-+allow tuned_t self:udp_socket create_socket_perms;
-+
-+read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
-+exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
-+
-+manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
-+files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
-
- manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
- manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
--logging_log_filetrans(tuned_t, tuned_log_t, file)
-+logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")
-
- manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
--files_pid_filetrans(tuned_t, tuned_var_run_t, file)
-+manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
-+files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
-
- corecmd_exec_shell(tuned_t)
- corecmd_exec_bin(tuned_t)
-
- kernel_read_system_state(tuned_t)
- kernel_read_network_state(tuned_t)
--
-+kernel_read_kernel_sysctls(tuned_t)
-+kernel_request_load_module(tuned_t)
-+kernel_rw_kernel_sysctl(tuned_t)
-+kernel_rw_hotplug_sysctls(tuned_t)
-+kernel_rw_vm_sysctls(tuned_t)
-+kernel_setsched(tuned_t)
-+
-+dev_getattr_all_blk_files(tuned_t)
-+dev_getattr_all_chr_files(tuned_t)
-+dev_dontaudit_getattr_all(tuned_t)
- dev_read_urand(tuned_t)
--dev_read_sysfs(tuned_t)
-+dev_rw_sysfs(tuned_t)
- # to allow cpu tuning
- dev_rw_netcontrol(tuned_t)
-
--files_read_etc_files(tuned_t)
- files_read_usr_files(tuned_t)
- files_dontaudit_search_home(tuned_t)
-+files_list_tmp(tuned_t)
-+
-+fs_getattr_all_fs(tuned_t)
-+
-+auth_use_nsswitch(tuned_t)
-
- logging_send_syslog_msg(tuned_t)
-
--miscfiles_read_localization(tuned_t)
-+mount_read_pid_files(tuned_t)
-+
-+udev_read_pid_files(tuned_t)
-
- userdom_dontaudit_search_user_home_dirs(tuned_t)
-
-+optional_policy(`
-+ dbus_system_bus_client(tuned_t)
-+ dbus_connect_system_bus(tuned_t)
-+')
-+
- # to allow disk tuning
- optional_policy(`
- fstools_domtrans(tuned_t)
- ')
-
-+optional_policy(`
-+ gnome_dontaudit_search_config(tuned_t)
-+')
-+
-+optional_policy(`
-+ mount_domtrans(tuned_t)
-+')
-+
- # to allow network interface tuning
- optional_policy(`
- sysnet_domtrans_ifconfig(tuned_t)
- ')
-+
-+optional_policy(`
-+ unconfined_dbus_send(tuned_t)
-+')
-diff --git a/tvtime.te b/tvtime.te
-index 531b1f1..7455f78 100644
---- a/tvtime.te
-+++ b/tvtime.te
-@@ -67,23 +67,13 @@ files_read_etc_files(tvtime_t)
- # X access, Home files
- fs_search_auto_mountpoints(tvtime_t)
-
--miscfiles_read_localization(tvtime_t)
- miscfiles_read_fonts(tvtime_t)
-
--userdom_use_user_terminals(tvtime_t)
-+userdom_use_inherited_user_terminals(tvtime_t)
- userdom_read_user_home_content_files(tvtime_t)
-
- # X access, Home files
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(tvtime_t)
-- fs_manage_nfs_files(tvtime_t)
-- fs_manage_nfs_symlinks(tvtime_t)
--')
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(tvtime_t)
-- fs_manage_cifs_files(tvtime_t)
-- fs_manage_cifs_symlinks(tvtime_t)
--')
-+userdom_home_manager(tvtime_t)
-
- optional_policy(`
- xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
-diff --git a/tzdata.te b/tzdata.te
-index d0f2a64..9896b57 100644
---- a/tzdata.te
-+++ b/tzdata.te
-@@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t)
- # tzdata local policy
- #
-
--files_read_etc_files(tzdata_t)
-+files_read_config_files(tzdata_t)
- files_search_spool(tzdata_t)
-
- fs_getattr_xattr_fs(tzdata_t)
-@@ -24,11 +24,10 @@ term_dontaudit_list_ptys(tzdata_t)
-
- locallogin_dontaudit_use_fds(tzdata_t)
-
--miscfiles_read_localization(tzdata_t)
- miscfiles_manage_localization(tzdata_t)
- miscfiles_etc_filetrans_localization(tzdata_t)
-
--userdom_use_user_terminals(tzdata_t)
-+userdom_use_inherited_user_terminals(tzdata_t)
-
- # tzdata looks for /var/spool/postfix/etc/localtime.
- optional_policy(`
-diff --git a/ucspitcp.if b/ucspitcp.if
-index c1feba4..bf82170 100644
---- a/ucspitcp.if
-+++ b/ucspitcp.if
-@@ -31,8 +31,5 @@ interface(`ucspitcp_service_domain', `
-
- role system_r types $1;
-
-- domain_auto_trans(ucspitcp_t, $2, $1)
-- allow $1 ucspitcp_t:fd use;
-- allow $1 ucspitcp_t:process sigchld;
-- allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
-+ domtrans_pattern(ucspitcp_t, $2, $1)
- ')
-diff --git a/ucspitcp.te b/ucspitcp.te
-index a0794bf..a05c54c 100644
---- a/ucspitcp.te
-+++ b/ucspitcp.te
-@@ -24,7 +24,6 @@ ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
-
- corecmd_search_bin(rblsmtpd_t)
-
--corenet_all_recvfrom_unlabeled(rblsmtpd_t)
- corenet_all_recvfrom_netlabel(rblsmtpd_t)
- corenet_tcp_sendrecv_generic_if(rblsmtpd_t)
- corenet_udp_sendrecv_generic_if(rblsmtpd_t)
-@@ -55,7 +54,6 @@ allow ucspitcp_t self:udp_socket create_socket_perms;
- corecmd_search_bin(ucspitcp_t)
-
- # base networking:
--corenet_all_recvfrom_unlabeled(ucspitcp_t)
- corenet_all_recvfrom_netlabel(ucspitcp_t)
- corenet_tcp_sendrecv_generic_if(ucspitcp_t)
- corenet_udp_sendrecv_generic_if(ucspitcp_t)
-@@ -89,5 +87,7 @@ sysnet_read_config(ucspitcp_t)
-
- optional_policy(`
- daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
-+ daemontools_sigchld_run(ucspitcp_t)
- daemontools_read_svc(ucspitcp_t)
- ')
-+
-diff --git a/ulogd.if b/ulogd.if
-index d23be5c..a05cd68 100644
---- a/ulogd.if
-+++ b/ulogd.if
-@@ -123,8 +123,11 @@ interface(`ulogd_admin',`
- type ulogd_var_log_t, ulogd_initrc_exec_t;
- ')
-
-- allow $1 ulogd_t:process { ptrace signal_perms };
-+ allow $1 ulogd_t:process signal_perms;
- ps_process_pattern($1, ulogd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ulogd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/ulogd.te b/ulogd.te
-index 3b953f5..d35a323 100644
---- a/ulogd.te
-+++ b/ulogd.te
-@@ -11,7 +11,7 @@ init_daemon_domain(ulogd_t, ulogd_exec_t)
-
- # config files
- type ulogd_etc_t;
--files_type(ulogd_etc_t)
-+files_config_file(ulogd_etc_t)
-
- type ulogd_initrc_exec_t;
- init_script_file(ulogd_initrc_exec_t)
-@@ -29,8 +29,13 @@ logging_log_file(ulogd_var_log_t)
- # ulogd local policy
- #
-
--allow ulogd_t self:capability net_admin;
-+allow ulogd_t self:capability { net_admin sys_nice };
-+allow ulogd_t self:process { setsched };
- allow ulogd_t self:netlink_nflog_socket create_socket_perms;
-+allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
-+allow ulogd_t self:netlink_socket create_socket_perms;
-+allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };
-+allow ulogd_t self:udp_socket create_socket_perms;
-
- # config files
- read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
-@@ -46,7 +51,6 @@ logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
- files_read_etc_files(ulogd_t)
- files_read_usr_files(ulogd_t)
-
--miscfiles_read_localization(ulogd_t)
-
- optional_policy(`
- allow ulogd_t self:tcp_socket create_stream_socket_perms;
-diff --git a/uml.if b/uml.if
-index d2ab7cb..ddb34f1 100644
---- a/uml.if
-+++ b/uml.if
-@@ -31,9 +31,9 @@ interface(`uml_role',`
- allow $2 uml_t:unix_dgram_socket sendto;
- allow uml_t $2:unix_dgram_socket sendto;
-
-- # allow ps, ptrace, signal
-+ # allow ps, signal
- ps_process_pattern($2, uml_t)
-- allow $2 uml_t:process { ptrace signal_perms };
-+ allow $2 uml_t:process signal_perms;
-
- allow $2 uml_ro_t:dir list_dir_perms;
- read_files_pattern($2, uml_ro_t, uml_ro_t)
-diff --git a/uml.te b/uml.te
-index ff094e5..4ddeb30 100644
---- a/uml.te
-+++ b/uml.te
-@@ -50,7 +50,7 @@ files_pid_file(uml_switch_var_run_t)
- #
-
- allow uml_t self:fifo_file rw_fifo_file_perms;
--allow uml_t self:process { signal_perms ptrace };
-+allow uml_t self:process signal_perms;
- allow uml_t self:unix_stream_socket create_stream_socket_perms;
- allow uml_t self:unix_dgram_socket create_socket_perms;
- # Use the network.
-@@ -97,7 +97,6 @@ kernel_write_proc_files(uml_t)
- # for xterm
- corecmd_exec_bin(uml_t)
-
--corenet_all_recvfrom_unlabeled(uml_t)
- corenet_all_recvfrom_netlabel(uml_t)
- corenet_tcp_sendrecv_generic_if(uml_t)
- corenet_udp_sendrecv_generic_if(uml_t)
-@@ -131,7 +130,7 @@ seutil_use_newrole_fds(uml_t)
- # Use the network.
- sysnet_read_config(uml_t)
-
--userdom_use_user_terminals(uml_t)
-+userdom_use_inherited_user_terminals(uml_t)
- userdom_attach_admin_tun_iface(uml_t)
-
- optional_policy(`
-@@ -174,8 +173,6 @@ init_use_script_ptys(uml_switch_t)
-
- logging_send_syslog_msg(uml_switch_t)
-
--miscfiles_read_localization(uml_switch_t)
--
- userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
- userdom_dontaudit_search_user_home_dirs(uml_switch_t)
-
-diff --git a/updfstab.te b/updfstab.te
-index ef12ed5..4bd4cea 100644
---- a/updfstab.te
-+++ b/updfstab.te
-@@ -69,8 +69,6 @@ init_use_script_ptys(updfstab_t)
- logging_send_syslog_msg(updfstab_t)
- logging_search_logs(updfstab_t)
-
--miscfiles_read_localization(updfstab_t)
--
- seutil_read_config(updfstab_t)
- seutil_read_default_contexts(updfstab_t)
- seutil_read_file_contexts(updfstab_t)
-@@ -78,9 +76,8 @@ seutil_read_file_contexts(updfstab_t)
- userdom_dontaudit_search_user_home_content(updfstab_t)
- userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
-
--optional_policy(`
-- auth_domtrans_pam_console(updfstab_t)
--')
-+auth_use_nsswitch(updfstab_t)
-+auth_domtrans_pam_console(updfstab_t)
-
- optional_policy(`
- init_dbus_chat_script(updfstab_t)
-diff --git a/uptime.te b/uptime.te
-index c2cf97e..d9105b0 100644
---- a/uptime.te
-+++ b/uptime.te
-@@ -13,7 +13,7 @@ type uptimed_etc_t alias etc_uptimed_t;
- files_config_file(uptimed_etc_t)
-
- type uptimed_spool_t;
--files_type(uptimed_spool_t)
-+files_spool_file(uptimed_spool_t)
-
- type uptimed_var_run_t;
- files_pid_file(uptimed_var_run_t)
-@@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t)
-
- dontaudit uptimed_t self:capability sys_tty_config;
- allow uptimed_t self:process signal_perms;
--allow uptimed_t self:fifo_file write_file_perms;
-+allow uptimed_t self:fifo_file write_fifo_file_perms;
-
- allow uptimed_t uptimed_etc_t:file read_file_perms;
- files_search_etc(uptimed_t)
-@@ -55,8 +55,6 @@ fs_search_auto_mountpoints(uptimed_t)
-
- logging_send_syslog_msg(uptimed_t)
-
--miscfiles_read_localization(uptimed_t)
--
- userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
- userdom_dontaudit_search_user_home_dirs(uptimed_t)
-
-diff --git a/usbmodules.te b/usbmodules.te
-index 74354da..f04565f 100644
---- a/usbmodules.te
-+++ b/usbmodules.te
-@@ -34,9 +34,7 @@ init_use_fds(usbmodules_t)
-
- miscfiles_read_hwdata(usbmodules_t)
-
--modutils_read_module_deps(usbmodules_t)
--
--userdom_use_user_terminals(usbmodules_t)
-+userdom_use_inherited_user_terminals(usbmodules_t)
-
- optional_policy(`
- hotplug_read_config(usbmodules_t)
-@@ -45,3 +43,7 @@ optional_policy(`
- optional_policy(`
- logging_send_syslog_msg(usbmodules_t)
- ')
-+
-+optional_policy(`
-+ modutils_read_module_deps(usbmodules_t)
-+')
-diff --git a/usbmuxd.fc b/usbmuxd.fc
-index 40b8b8d..cd80b9b 100644
---- a/usbmuxd.fc
-+++ b/usbmuxd.fc
-@@ -1,3 +1,4 @@
- /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
-
- /var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
-+/usr/lib/systemd/system/usbmuxd.* -- gen_context(system_u:object_r:usbmuxd_unit_file_t,s0)
-diff --git a/usbmuxd.if b/usbmuxd.if
-index 53792d3..823ac94 100644
---- a/usbmuxd.if
-+++ b/usbmuxd.if
-@@ -37,3 +37,65 @@ interface(`usbmuxd_stream_connect',`
- files_search_pids($1)
- stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
- ')
-+
-+########################################
-+##
-+## Execute usbmuxd server in the usbmuxd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`usbmuxd_systemctl',`
-+ gen_require(`
-+ type usbmuxd_t;
-+ type usbmuxd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 usbmuxd_unit_file_t:file read_file_perms;
-+ allow $1 usbmuxd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, usbmuxd_t)
-+')
-+
-+#####################################
-+##
-+## All of the rules required to administrate
-+## an usbmuxd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed to manage the usbmuxd domain.
-+##
-+##
-+##
-+#
-+interface(`usbmuxd_admin',`
-+ gen_require(`
-+ type usbmuxd_t,usbmuxd_var_run_t;
-+ type usbmuxd_unit_file_t;
-+ ')
-+
-+ allow $1 usbmuxd_t:process { signal_perms };
-+ ps_process_pattern($1, usbmuxd_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 usbmuxd_t:process ptrace;
-+ ')
-+ allow $2 system_r;
-+
-+ files_list_pids($1)
-+ admin_pattern($1, usbmuxd_var_run_t)
-+
-+ usbmuxd_systemctl($1)
-+ admin_pattern($1, usbmuxd_unit_file_t)
-+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
-+')
-diff --git a/usbmuxd.te b/usbmuxd.te
-index 4440aa6..8c94194 100644
---- a/usbmuxd.te
-+++ b/usbmuxd.te
-@@ -7,12 +7,15 @@ policy_module(usbmuxd, 1.1.0)
-
- type usbmuxd_t;
- type usbmuxd_exec_t;
--application_domain(usbmuxd_t, usbmuxd_exec_t)
-+init_system_domain(usbmuxd_t, usbmuxd_exec_t)
- role system_r types usbmuxd_t;
-
- type usbmuxd_var_run_t;
- files_pid_file(usbmuxd_var_run_t)
-
-+type usbmuxd_unit_file_t;
-+systemd_unit_file(usbmuxd_unit_file_t)
-+
- ########################################
- #
- # usbmuxd local policy
-@@ -33,10 +36,12 @@ kernel_read_system_state(usbmuxd_t)
- dev_read_sysfs(usbmuxd_t)
- dev_rw_generic_usb_dev(usbmuxd_t)
-
--files_read_etc_files(usbmuxd_t)
--
--miscfiles_read_localization(usbmuxd_t)
--
- auth_use_nsswitch(usbmuxd_t)
-
- logging_send_syslog_msg(usbmuxd_t)
-+
-+seutil_dontaudit_read_file_contexts(usbmuxd_t)
-+
-+optional_policy(`
-+ virt_dontaudit_read_chr_dev(usbmuxd_t)
-+')
-diff --git a/userhelper.fc b/userhelper.fc
-index e70b0e8..cd83b89 100644
---- a/userhelper.fc
-+++ b/userhelper.fc
-@@ -7,3 +7,4 @@
- # /usr
- #
- /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
-+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
-diff --git a/userhelper.if b/userhelper.if
-index 65baaac..3b93d32 100644
---- a/userhelper.if
-+++ b/userhelper.if
-@@ -25,6 +25,7 @@ template(`userhelper_role_template',`
- gen_require(`
- attribute userhelper_type;
- type userhelper_exec_t, userhelper_conf_t;
-+ class dbus send_msg;
- ')
-
- ########################################
-@@ -121,6 +122,9 @@ template(`userhelper_role_template',`
- auth_manage_pam_pid($1_userhelper_t)
- auth_manage_var_auth($1_userhelper_t)
- auth_search_pam_console_data($1_userhelper_t)
-+ auth_use_nsswitch($1_userhelper_t)
-+
-+ logging_send_syslog_msg($1_userhelper_t)
-
- # Inherit descriptors from the current session.
- init_use_fds($1_userhelper_t)
-@@ -128,7 +132,6 @@ template(`userhelper_role_template',`
- init_manage_utmp($1_userhelper_t)
- init_pid_filetrans_utmp($1_userhelper_t)
-
-- miscfiles_read_localization($1_userhelper_t)
-
- seutil_read_config($1_userhelper_t)
- seutil_read_default_contexts($1_userhelper_t)
-@@ -145,18 +148,6 @@ template(`userhelper_role_template',`
- ')
-
- optional_policy(`
-- logging_send_syslog_msg($1_userhelper_t)
-- ')
--
-- optional_policy(`
-- nis_use_ypbind($1_userhelper_t)
-- ')
--
-- optional_policy(`
-- nscd_socket_use($1_userhelper_t)
-- ')
--
-- optional_policy(`
- tunable_policy(`! secure_mode',`
- #if we are not in secure mode then we can transition to sysadm_t
- sysadm_bin_spec_domtrans($1_userhelper_t)
-@@ -255,3 +246,91 @@ interface(`userhelper_exec',`
-
- can_exec($1, userhelper_exec_t)
- ')
-+
-+#######################################
-+##
-+## The role template for the consolehelper module.
-+##
-+##
-+##
-+## This template creates a derived domains which are used
-+## for consolehelper applications.
-+##
-+##
-+##
-+##
-+## The prefix of the user domain (e.g., user
-+## is the prefix for user_t).
-+##
-+##
-+##
-+##
-+## The role associated with the user domain.
-+##
-+##
-+##
-+##
-+## The type of the user domain.
-+##
-+##
-+#
-+template(`userhelper_console_role_template',`
-+ gen_require(`
-+ type consolehelper_exec_t;
-+ attribute consolehelper_domain;
-+ class dbus send_msg;
-+ ')
-+ type $1_consolehelper_t, consolehelper_domain;
-+ domain_type($1_consolehelper_t)
-+ domain_entry_file($1_consolehelper_t, consolehelper_exec_t)
-+ role $2 types $1_consolehelper_t;
-+
-+ domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
-+
-+ allow $3 $1_consolehelper_t:process signal;
-+ allow $3 $1_consolehelper_t:dbus send_msg;
-+ allow $1_consolehelper_t $3:dbus send_msg;
-+ allow $1_consolehelper_t $3:unix_stream_socket connectto;
-+
-+ kernel_read_system_state($1_consolehelper_t)
-+
-+ auth_use_pam($1_consolehelper_t)
-+
-+ userdom_manage_tmpfs_role($2, $1_consolehelper_t)
-+
-+ optional_policy(`
-+ dbus_connect_session_bus($1_consolehelper_t)
-+ ')
-+
-+ optional_policy(`
-+ shutdown_run($1_consolehelper_t, $2)
-+ shutdown_send_sigchld($3)
-+ ')
-+
-+ optional_policy(`
-+ mock_run($1_consolehelper_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ xserver_run_xauth($1_consolehelper_t, $2)
-+ xserver_read_xdm_pid($1_consolehelper_t)
-+ ')
-+')
-+
-+########################################
-+##
-+## Execute the consolehelper program in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userhelper_exec_console',`
-+ gen_require(`
-+ type consolehelper_exec_t;
-+ ')
-+
-+ can_exec($1, consolehelper_exec_t)
-+')
-diff --git a/userhelper.te b/userhelper.te
-index f25ed61..1b381f0 100644
---- a/userhelper.te
-+++ b/userhelper.te
-@@ -6,9 +6,81 @@ policy_module(userhelper, 1.7.0)
- #
-
- attribute userhelper_type;
-+attribute consolehelper_domain;
-
- type userhelper_conf_t;
- files_type(userhelper_conf_t)
-
- type userhelper_exec_t;
- application_executable_file(userhelper_exec_t)
-+
-+type consolehelper_exec_t;
-+application_executable_file(consolehelper_exec_t)
-+
-+########################################
-+#
-+# consolehelper local policy
-+#
-+
-+allow consolehelper_domain self:shm create_shm_perms;
-+allow consolehelper_domain self:capability { setgid setuid dac_override };
-+allow consolehelper_domain self:process signal;
-+
-+allow consolehelper_domain userhelper_conf_t:file audit_access;
-+dontaudit consolehelper_domain userhelper_conf_t:file write;
-+read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t)
-+
-+# Init script handling
-+domain_use_interactive_fds(consolehelper_domain)
-+
-+# internal communication is often done using fifo and unix sockets.
-+allow consolehelper_domain self:fifo_file rw_fifo_file_perms;
-+allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms;
-+
-+kernel_read_kernel_sysctls(consolehelper_domain)
-+
-+corecmd_exec_bin(consolehelper_domain)
-+
-+dev_getattr_all_chr_files(consolehelper_domain)
-+dev_dontaudit_list_all_dev_nodes(consolehelper_domain)
-+dev_dontaudit_getattr_all(consolehelper_domain)
-+fs_getattr_all_fs(consolehelper_domain)
-+fs_getattr_all_dirs(consolehelper_domain)
-+
-+files_read_config_files(consolehelper_domain)
-+files_read_usr_files(consolehelper_domain)
-+
-+term_list_ptys(consolehelper_domain)
-+
-+auth_search_pam_console_data(consolehelper_domain)
-+auth_read_pam_pid(consolehelper_domain)
-+
-+init_read_utmp(consolehelper_domain)
-+init_telinit(consolehelper_domain)
-+
-+miscfiles_read_fonts(consolehelper_domain)
-+
-+userhelper_exec(consolehelper_domain)
-+
-+userdom_use_user_ptys(consolehelper_domain)
-+userdom_use_user_ttys(consolehelper_domain)
-+userdom_read_user_home_content_files(consolehelper_domain)
-+
-+optional_policy(`
-+ gnome_read_gconf_home_files(consolehelper_domain)
-+')
-+
-+optional_policy(`
-+ xserver_read_home_fonts(consolehelper_domain)
-+ xserver_stream_connect(consolehelper_domain)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ files_search_mnt(consolehelper_domain)
-+ fs_search_nfs(consolehelper_domain)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ files_search_mnt(consolehelper_domain)
-+ fs_search_cifs(consolehelper_domain)
-+')
-diff --git a/usernetctl.if b/usernetctl.if
-index d45c715..2d4f1ba 100644
---- a/usernetctl.if
-+++ b/usernetctl.if
-@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',`
- #
- interface(`usernetctl_run',`
- gen_require(`
-- attribute_role usernetctl_roles;
-+ type usernetctl_t;
-+ #attribute_role usernetctl_roles;
- ')
-
-- usernetctl_domtrans($1)
-- roleattribute $2 usernetctl_roles;
-+ #usernetctl_domtrans($1)
-+ #roleattribute $2 usernetctl_roles;
-+
-+ sysnet_run_ifconfig(usernetctl_t, $2)
-+ sysnet_run_dhcpc(usernetctl_t, $2)
-+
-+ optional_policy(`
-+ iptables_run(usernetctl_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ modutils_run_insmod(usernetctl_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ ppp_run(usernetctl_t, $2)
-+ ')
-+
- ')
-diff --git a/usernetctl.te b/usernetctl.te
-index 19c70bb..8a00ab0 100644
---- a/usernetctl.te
-+++ b/usernetctl.te
-@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0)
- # Declarations
- #
-
--attribute_role usernetctl_roles;
-+#attribute_role usernetctl_roles;
-
- type usernetctl_t;
- type usernetctl_exec_t;
- application_domain(usernetctl_t, usernetctl_exec_t)
- domain_interactive_fd(usernetctl_t)
--role usernetctl_roles types usernetctl_t;
-+#role usernetctl_roles types usernetctl_t;
-+role system_r types usernetctl_t;
-
- ########################################
- #
-@@ -42,7 +43,6 @@ corecmd_exec_shell(usernetctl_t)
-
- domain_dontaudit_read_all_domains_state(usernetctl_t)
-
--files_read_etc_files(usernetctl_t)
- files_exec_etc_files(usernetctl_t)
- files_read_etc_runtime_files(usernetctl_t)
- files_list_pids(usernetctl_t)
-@@ -55,36 +55,36 @@ auth_use_nsswitch(usernetctl_t)
-
- logging_send_syslog_msg(usernetctl_t)
-
--miscfiles_read_localization(usernetctl_t)
--
- seutil_read_config(usernetctl_t)
-
- sysnet_read_config(usernetctl_t)
--sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
--sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
-
--userdom_use_user_terminals(usernetctl_t)
-+userdom_use_inherited_user_terminals(usernetctl_t)
-+
-+#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
-+#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
-
- optional_policy(`
-- consoletype_run(usernetctl_t, usernetctl_roles)
-+ #consoletype_run(usernetctl_t, usernetctl_roles)
-+ consoletype_exec(usernetctl_t)
- ')
-
- optional_policy(`
- hostname_exec(usernetctl_t)
- ')
-
--optional_policy(`
-- iptables_run(usernetctl_t, usernetctl_roles)
--')
-+#optional_policy(`
-+# iptables_run(usernetctl_t, usernetctl_roles)
-+#')
-
--optional_policy(`
-- modutils_run_insmod(usernetctl_t, usernetctl_roles)
--')
-+#optional_policy(`
-+# modutils_run_insmod(usernetctl_t, usernetctl_roles)
-+#')
-
- optional_policy(`
- nis_use_ypbind(usernetctl_t)
- ')
-
--optional_policy(`
-- ppp_run(usernetctl_t, usernetctl_roles)
--')
-+#optional_policy(`
-+# ppp_run(usernetctl_t, usernetctl_roles)
-+#')
-diff --git a/uucp.if b/uucp.if
-index ebc5414..8f8ac45 100644
---- a/uucp.if
-+++ b/uucp.if
-@@ -99,8 +99,11 @@ interface(`uucp_admin',`
- type uucpd_var_run_t;
- ')
-
-- allow $1 uucpd_t:process { ptrace signal_perms };
-+ allow $1 uucpd_t:process signal_perms;
- ps_process_pattern($1, uucpd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 uucpd_t:process ptrace;
-+ ')
-
- logging_list_logs($1)
- admin_pattern($1, uucpd_log_t)
-diff --git a/uucp.te b/uucp.te
-index d4349e9..e338438 100644
---- a/uucp.te
-+++ b/uucp.te
-@@ -24,7 +24,7 @@ type uucpd_ro_t;
- files_type(uucpd_ro_t)
-
- type uucpd_spool_t;
--files_type(uucpd_spool_t)
-+files_spool_file(uucpd_spool_t)
-
- type uucpd_log_t;
- logging_log_file(uucpd_log_t)
-@@ -74,7 +74,6 @@ kernel_read_kernel_sysctls(uucpd_t)
- kernel_read_system_state(uucpd_t)
- kernel_read_network_state(uucpd_t)
-
--corenet_all_recvfrom_unlabeled(uucpd_t)
- corenet_all_recvfrom_netlabel(uucpd_t)
- corenet_tcp_sendrecv_generic_if(uucpd_t)
- corenet_udp_sendrecv_generic_if(uucpd_t)
-@@ -83,6 +82,7 @@ corenet_udp_sendrecv_generic_node(uucpd_t)
- corenet_tcp_sendrecv_all_ports(uucpd_t)
- corenet_udp_sendrecv_all_ports(uucpd_t)
- corenet_tcp_connect_ssh_port(uucpd_t)
-+corenet_tcp_connect_uucpd_port(uucpd_t)
-
- dev_read_urand(uucpd_t)
-
-@@ -91,7 +91,6 @@ fs_getattr_xattr_fs(uucpd_t)
- corecmd_exec_bin(uucpd_t)
- corecmd_exec_shell(uucpd_t)
-
--files_read_etc_files(uucpd_t)
- files_search_home(uucpd_t)
- files_search_spool(uucpd_t)
-
-@@ -101,8 +100,6 @@ auth_use_nsswitch(uucpd_t)
-
- logging_send_syslog_msg(uucpd_t)
-
--miscfiles_read_localization(uucpd_t)
--
- mta_send_mail(uucpd_t)
-
- optional_policy(`
-@@ -125,18 +122,19 @@ optional_policy(`
- allow uux_t self:capability { setuid setgid };
- allow uux_t self:fifo_file write_fifo_file_perms;
-
-+domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)
-+
- uucp_append_log(uux_t)
- uucp_manage_spool(uux_t)
-
- corecmd_exec_bin(uux_t)
-
--files_read_etc_files(uux_t)
-
- fs_rw_anon_inodefs_files(uux_t)
-
--logging_send_syslog_msg(uux_t)
-+auth_use_nsswitch(uux_t)
-
--miscfiles_read_localization(uux_t)
-+logging_send_syslog_msg(uux_t)
-
- optional_policy(`
- mta_send_mail(uux_t)
-@@ -145,5 +143,5 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_socket_use(uux_t)
-+ postfix_rw_master_pipes(uux_t)
- ')
-diff --git a/uuidd.fc b/uuidd.fc
-index a7c9381..d810232 100644
---- a/uuidd.fc
-+++ b/uuidd.fc
-@@ -1,4 +1,5 @@
--/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
-+
-+/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
-
- /usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
-
-diff --git a/uuidd.if b/uuidd.if
-index 5d43bd5..879a5cb 100644
---- a/uuidd.if
-+++ b/uuidd.if
-@@ -176,6 +176,9 @@ interface(`uuidd_admin',`
-
- allow $1 uuidd_t:process signal_perms;
- ps_process_pattern($1, uuidd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 uuidd_t:process ptrace;
-+ ')
-
- uuidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
-diff --git a/uuidd.te b/uuidd.te
-index 04589dc..33b02b5 100644
---- a/uuidd.te
-+++ b/uuidd.te
-@@ -41,4 +41,3 @@ domain_use_interactive_fds(uuidd_t)
-
- files_read_etc_files(uuidd_t)
-
--miscfiles_read_localization(uuidd_t)
-diff --git a/uwimap.te b/uwimap.te
-index 46d9811..f109ba3 100644
---- a/uwimap.te
-+++ b/uwimap.te
-@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t)
- kernel_list_proc(imapd_t)
- kernel_read_proc_symlinks(imapd_t)
-
--corenet_all_recvfrom_unlabeled(imapd_t)
- corenet_all_recvfrom_netlabel(imapd_t)
- corenet_tcp_sendrecv_generic_if(imapd_t)
- corenet_tcp_sendrecv_generic_node(imapd_t)
-@@ -65,8 +64,6 @@ auth_domtrans_chk_passwd(imapd_t)
-
- logging_send_syslog_msg(imapd_t)
-
--miscfiles_read_localization(imapd_t)
--
- sysnet_read_config(imapd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(imapd_t)
-diff --git a/varnishd.if b/varnishd.if
-index 93975d6..bd248ce 100644
---- a/varnishd.if
-+++ b/varnishd.if
-@@ -151,12 +151,16 @@ interface(`varnishd_manage_log',`
- #
- interface(`varnishd_admin_varnishlog',`
- gen_require(`
-+ type varnishd_t;
- type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
- type varnishlog_var_run_t;
- ')
-
-- allow $1 varnishlog_t:process { ptrace signal_perms };
-+ allow $1 varnishlog_t:process signal_perms;
- ps_process_pattern($1, varnishlog_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 varnishd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -194,8 +198,11 @@ interface(`varnishd_admin',`
- type varnishd_initrc_exec_t;
- ')
-
-- allow $1 varnishd_t:process { ptrace signal_perms };
-+ allow $1 varnishd_t:process signal_perms;
- ps_process_pattern($1, varnishd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 varnishd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/varnishd.te b/varnishd.te
-index f9310f3..b4dafb7 100644
---- a/varnishd.te
-+++ b/varnishd.te
-@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
- init_script_file(varnishd_initrc_exec_t)
-
- type varnishd_etc_t;
--files_type(varnishd_etc_t)
-+files_config_file(varnishd_etc_t)
-
- type varnishd_tmp_t;
- files_tmp_file(varnishd_tmp_t)
-@@ -43,7 +43,7 @@ type varnishlog_var_run_t;
- files_pid_file(varnishlog_var_run_t)
-
- type varnishlog_log_t;
--files_type(varnishlog_log_t)
-+logging_log_file(varnishlog_log_t)
-
- ########################################
- #
-@@ -52,7 +52,7 @@ files_type(varnishlog_log_t)
-
- allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
- dontaudit varnishd_t self:capability sys_tty_config;
--allow varnishd_t self:process signal;
-+allow varnishd_t self:process { execmem signal };
- allow varnishd_t self:fifo_file rw_fifo_file_perms;
- allow varnishd_t self:tcp_socket create_stream_socket_perms;
- allow varnishd_t self:udp_socket create_socket_perms;
-@@ -87,14 +87,14 @@ corenet_tcp_connect_http_port(varnishd_t)
-
- dev_read_urand(varnishd_t)
-
-+files_read_usr_files(varnishd_t)
-+
- fs_getattr_all_fs(varnishd_t)
-
- auth_use_nsswitch(varnishd_t)
-
- logging_send_syslog_msg(varnishd_t)
-
--miscfiles_read_localization(varnishd_t)
--
- sysnet_read_config(varnishd_t)
-
- tunable_policy(`varnishd_connect_any',`
-diff --git a/vbetool.te b/vbetool.te
-index 001c93c..f918ed2 100644
---- a/vbetool.te
-+++ b/vbetool.te
-@@ -22,6 +22,7 @@ init_system_domain(vbetool_t, vbetool_exec_t)
- #
-
- allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
-+allow vbetool_t self:capability2 compromise_kernel;
- allow vbetool_t self:process execmem;
-
- dev_wx_raw_memory(vbetool_t)
-@@ -38,7 +39,6 @@ mls_file_write_all_levels(vbetool_t)
-
- term_use_unallocated_ttys(vbetool_t)
-
--miscfiles_read_localization(vbetool_t)
-
- tunable_policy(`vbetool_mmap_zero_ignore',`
- dontaudit vbetool_t self:memprotect mmap_zero;
-diff --git a/vdagent.fc b/vdagent.fc
-index 21c5f41..3ae71ae 100644
---- a/vdagent.fc
-+++ b/vdagent.fc
-@@ -1,7 +1,7 @@
- /usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
-
- /var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
--/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0)
-+/var/log/spice-vdagentd\.log.* -- gen_context(system_u:object_r:vdagent_log_t,s0)
-
- /var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
--/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
-+/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
-diff --git a/vdagent.if b/vdagent.if
-index e59a074..b708678 100644
---- a/vdagent.if
-+++ b/vdagent.if
-@@ -20,39 +20,39 @@ interface(`vdagent_domtrans',`
-
- #####################################
- ##
--## Getattr on vdagent executable.
-+## Getattr on vdagent executable.
- ##
- ##
--##
-+##
- ## Domain allowed access.
--##
-+##
- ##
- #
- interface(`vdagent_getattr_exec_files',`
-- gen_require(`
-- type vdagent_exec_t;
-- ')
-+ gen_require(`
-+ type vdagent_exec_t;
-+ ')
-
-- allow $1 vdagent_exec_t:file getattr;
-+ allow $1 vdagent_exec_t:file getattr;
- ')
-
- #######################################
- ##
--## Get the attributes of vdagent logs.
-+## Get the attributes of vdagent logs.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
- interface(`vdagent_getattr_log',`
-- gen_require(`
-- type vdagent_log_t;
-- ')
-+ gen_require(`
-+ type vdagent_log_t;
-+ ')
-
-- logging_search_logs($1)
-- allow $1 vdagent_log_t:file getattr_file_perms;
-+ logging_search_logs($1)
-+ allow $1 vdagent_log_t:file getattr_file_perms;
- ')
-
- ########################################
-@@ -76,22 +76,22 @@ interface(`vdagent_read_pid_files',`
-
- #####################################
- ##
--## Connect to vdagent over a unix domain
--## stream socket.
-+## Connect to vdagent over a unix domain
-+## stream socket.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
- interface(`vdagent_stream_connect',`
-- gen_require(`
-- type vdagent_var_run_t, vdagent_t;
-- ')
-+ gen_require(`
-+ type vdagent_var_run_t, vdagent_t;
-+ ')
-
-- files_search_pids($1)
-- stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
-+ files_search_pids($1)
-+ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
- ')
-
- ########################################
-@@ -104,12 +104,6 @@ interface(`vdagent_stream_connect',`
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Role allowed access.
--##
--##
--##
- #
- interface(`vdagent_admin',`
- gen_require(`
-@@ -118,6 +112,9 @@ interface(`vdagent_admin',`
-
- allow $1 vdagent_t:process signal_perms;
- ps_process_pattern($1, vdagent_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 vdagent_t:process ptrace;
-+ ')
-
- files_search_pids($1)
- admin_pattern($1, vdagent_var_run_t)
-diff --git a/vdagent.te b/vdagent.te
-index 29e24e2..b1ca03a 100644
---- a/vdagent.te
-+++ b/vdagent.te
-@@ -21,6 +21,7 @@ logging_log_file(vdagent_log_t)
- #
-
- dontaudit vdagent_t self:capability sys_admin;
-+allow vdagent_t self:process signal;
-
- allow vdagent_t self:fifo_file rw_fifo_file_perms;
- allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
-@@ -32,7 +33,7 @@ files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file })
-
- manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
- manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
--logging_log_filetrans(vdagent_t, vdagent_log_t, file)
-+logging_log_filetrans(vdagent_t, vdagent_log_t, { file })
-
- dev_rw_input_dev(vdagent_t)
- dev_read_sysfs(vdagent_t)
-@@ -40,7 +41,16 @@ dev_dontaudit_write_mtrr(vdagent_t)
-
- files_read_etc_files(vdagent_t)
-
--miscfiles_read_localization(vdagent_t)
-+init_read_state(vdagent_t)
-+
-+systemd_read_logind_sessions_files(vdagent_t)
-+systemd_login_read_pid_files(vdagent_t)
-+
-+term_use_virtio_console(vdagent_t)
-+
-+userdom_read_all_users_state(vdagent_t)
-+
-+logging_send_syslog_msg(vdagent_t)
-
- optional_policy(`
- consolekit_dbus_chat(vdagent_t)
-diff --git a/vhostmd.if b/vhostmd.if
-index 1f872b5..8af4bce 100644
---- a/vhostmd.if
-+++ b/vhostmd.if
-@@ -52,7 +52,7 @@ interface(`vhostmd_read_tmpfs_files',`
- ')
-
- allow $1 vhostmd_tmpfs_t:file read_file_perms;
-- files_search_tmp($1)
-+ fs_search_tmpfs($1)
- ')
-
- ########################################
-@@ -90,7 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',`
- ')
-
- rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-- files_search_tmp($1)
-+ fs_search_tmpfs($1)
- ')
-
- ########################################
-@@ -109,7 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',`
- ')
-
- manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-- files_search_tmp($1)
-+ fs_search_tmpfs($1)
- ')
-
- ########################################
-@@ -146,7 +146,8 @@ interface(`vhostmd_manage_pid_files',`
- type vhostmd_var_run_t;
- ')
-
-- manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
-+ files_search_pids($1)
-+ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
- ')
-
- ########################################
-@@ -209,8 +210,11 @@ interface(`vhostmd_admin',`
- type vhostmd_t, vhostmd_initrc_exec_t;
- ')
-
-- allow $1 vhostmd_t:process { ptrace signal_perms getattr };
-+ allow $1 vhostmd_t:process signal_perms;
- ps_process_pattern($1, vhostmd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 vhostmd_t:process ptrace;
-+ ')
-
- vhostmd_initrc_domtrans($1)
- domain_system_change_exemption($1)
-@@ -220,5 +224,4 @@ interface(`vhostmd_admin',`
- vhostmd_manage_tmpfs_files($1)
-
- vhostmd_manage_pid_files($1)
--
- ')
-diff --git a/vhostmd.te b/vhostmd.te
-index 32a3c13..0cbca75 100644
---- a/vhostmd.te
-+++ b/vhostmd.te
-@@ -24,8 +24,8 @@ files_pid_file(vhostmd_var_run_t)
- #
-
- allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
--allow vhostmd_t self:process { setsched getsched };
--allow vhostmd_t self:fifo_file rw_file_perms;
-+allow vhostmd_t self:process { setsched getsched signal };
-+allow vhostmd_t self:fifo_file rw_fifo_file_perms;
-
- manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
- manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-@@ -35,6 +35,7 @@ manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
- manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
- files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir })
-
-+kernel_read_kernel_sysctls(vhostmd_t)
- kernel_read_system_state(vhostmd_t)
- kernel_read_network_state(vhostmd_t)
- kernel_write_xen_state(vhostmd_t)
-@@ -44,17 +45,21 @@ corecmd_exec_shell(vhostmd_t)
-
- corenet_tcp_connect_soundd_port(vhostmd_t)
-
--files_read_etc_files(vhostmd_t)
-+dev_read_rand(vhostmd_t)
-+dev_read_urand(vhostmd_t)
-+dev_read_sysfs(vhostmd_t)
-+
-+# 579803
-+files_list_tmp(vhostmd_t)
- files_read_usr_files(vhostmd_t)
-
-+dev_read_rand(vhostmd_t)
- dev_read_sysfs(vhostmd_t)
-
- auth_use_nsswitch(vhostmd_t)
-
- logging_send_syslog_msg(vhostmd_t)
-
--miscfiles_read_localization(vhostmd_t)
--
- optional_policy(`
- hostname_exec(vhostmd_t)
- ')
-@@ -66,6 +71,7 @@ optional_policy(`
-
- optional_policy(`
- virt_stream_connect(vhostmd_t)
-+ virt_write_content(vhostmd_t)
- ')
-
- optional_policy(`
-diff --git a/virt.fc b/virt.fc
-index 2124b6a..e55e393 100644
---- a/virt.fc
-+++ b/virt.fc
-@@ -1,6 +1,14 @@
--HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
--HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
-+HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-+HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-+HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-+HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-+HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-+HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-+HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-+HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
- HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-+HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-
- /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
- /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +20,59 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
- /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
- /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
-
-+/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
-+/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
-+
-+/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
- /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
-+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
-+/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
-+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
-
--/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
-+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
-
- /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
- /var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
- /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
- /var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
--/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
-+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
-
-+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
- /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
-+/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
-+/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
- /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
--/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
-+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
-+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
-+/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
-+/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-
- /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-+
-+# support for AEOLUS project
-+/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0)
-+/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0)
-+/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0)
-+/var/lib/imagefactory/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
-+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
-+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-+/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-+
-+# add support vios-proxy-*
-+/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0)
-+/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0)
-+
-+# support for nova-stack
-+/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0)
-+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
-+/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
-+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
-+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
-+
-+/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
-+/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
-+/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
-+
-+/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
-+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
-+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
-diff --git a/virt.if b/virt.if
-index 6f0736b..408a20a 100644
---- a/virt.if
-+++ b/virt.if
-@@ -13,67 +13,30 @@
- #
- template(`virt_domain_template',`
- gen_require(`
-- type virtd_t;
-- attribute virt_image_type;
-- attribute virt_domain;
-+ attribute virt_image_type, virt_domain;
-+ attribute virt_tmpfs_type;
-+ attribute virt_ptynode;
-+ type qemu_exec_t;
- ')
-
- type $1_t, virt_domain;
-- domain_type($1_t)
-+ application_domain($1_t, qemu_exec_t)
- domain_user_exemption_target($1_t)
-+ mls_rangetrans_target($1_t)
-+ mcs_untrusted_proc($1_t)
- role system_r types $1_t;
-
-- type $1_devpts_t;
-+ type $1_devpts_t, virt_ptynode;
- term_pty($1_devpts_t)
-
-- type $1_tmp_t;
-- files_tmp_file($1_tmp_t)
-+ kernel_read_system_state($1_t)
-
-- type $1_tmpfs_t;
-- files_tmpfs_file($1_tmpfs_t)
-+ auth_read_passwd($1_t)
-
-- type $1_image_t, virt_image_type;
-- files_type($1_image_t)
-- dev_node($1_image_t)
-+ logging_send_syslog_msg($1_t)
-
-- type $1_var_run_t;
-- files_pid_file($1_var_run_t)
--
-- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
-+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
- term_create_pty($1_t, $1_devpts_t)
--
-- manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
-- manage_files_pattern($1_t, $1_image_t, $1_image_t)
-- read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
-- rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
--
-- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-- manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-- files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
--
-- manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-- manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
--
-- stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain)
-- manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
-- manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
-- manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
--
-- manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
-- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-- manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-- manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-- files_pid_filetrans($1_t, $1_var_run_t, { dir file })
-- stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
--
-- auth_use_nsswitch($1_t)
--
-- optional_policy(`
-- xserver_rw_shm($1_t)
-- ')
- ')
-
- ########################################
-@@ -98,14 +61,32 @@ interface(`virt_image',`
- dev_node($1)
- ')
-
-+#######################################
-+##
-+## Getattr on virt executable.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`virt_getattr_exec',`
-+ gen_require(`
-+ type virtd_exec_t;
-+ ')
-+
-+ allow $1 virtd_exec_t:file getattr;
-+')
-+
- ########################################
- ##
- ## Execute a domain transition to run virt.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`virt_domtrans',`
-@@ -116,9 +97,45 @@ interface(`virt_domtrans',`
- domtrans_pattern($1, virtd_exec_t, virtd_t)
- ')
-
-+########################################
-+##
-+## Transition to virt_qmf.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`virt_domtrans_qmf',`
-+ gen_require(`
-+ type virt_qmf_t, virt_qmf_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
-+')
-+
-+########################################
-+##
-+## Transition to virt_bridgehelper.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+interface(`virt_domtrans_bridgehelper',`
-+ gen_require(`
-+ type virt_bridgehelper_t, virt_bridgehelper_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
-+')
-+
- #######################################
- ##
--## Connect to virt over an unix domain stream socket.
-+## Connect to virt over a unix domain stream socket.
- ##
- ##
- ##
-@@ -166,13 +183,13 @@ interface(`virt_attach_tun_iface',`
- #
- interface(`virt_read_config',`
- gen_require(`
-- type virt_etc_t;
-- type virt_etc_rw_t;
-+ type virt_etc_t, virt_etc_rw_t;
- ')
-
- files_search_etc($1)
- read_files_pattern($1, virt_etc_t, virt_etc_t)
- read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-+ read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
- ')
-
- ########################################
-@@ -187,13 +204,13 @@ interface(`virt_read_config',`
- #
- interface(`virt_manage_config',`
- gen_require(`
-- type virt_etc_t;
-- type virt_etc_rw_t;
-+ type virt_etc_t, virt_etc_rw_t;
- ')
-
- files_search_etc($1)
- manage_files_pattern($1, virt_etc_t, virt_etc_t)
- manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-+ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
- ')
-
- ########################################
-@@ -233,6 +250,24 @@ interface(`virt_read_content',`
-
- ########################################
- ##
-+## Allow domain to write virt image files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_write_content',`
-+ gen_require(`
-+ type virt_content_t;
-+ ')
-+
-+ allow $1 virt_content_t:file write_file_perms;
-+')
-+
-+########################################
-+##
- ## Read virt PID files.
- ##
- ##
-@@ -252,6 +287,28 @@ interface(`virt_read_pid_files',`
-
- ########################################
- ##
-+## Manage virt pid directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_manage_pid_dirs',`
-+ gen_require(`
-+ type virt_var_run_t;
-+ type virt_lxc_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
-+ manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+ virt_filetrans_named_content($1)
-+')
-+
-+########################################
-+##
- ## Manage virt pid files.
- ##
- ##
-@@ -263,10 +320,47 @@ interface(`virt_read_pid_files',`
- interface(`virt_manage_pid_files',`
- gen_require(`
- type virt_var_run_t;
-+ type virt_lxc_var_run_t;
- ')
-
- files_search_pids($1)
- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
-+ manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+')
-+
-+########################################
-+##
-+## Create objects in the pid directory
-+## with a private type with a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Type to which the created node will be transitioned.
-+##
-+##
-+##
-+##
-+## Object class(es) (single or set including {}) for which this
-+## the transition will occur.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`virt_pid_filetrans',`
-+ gen_require(`
-+ type virt_var_run_t;
-+ ')
-+
-+ filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
- ')
-
- ########################################
-@@ -310,6 +404,24 @@ interface(`virt_read_lib_files',`
-
- ########################################
- ##
-+## Dontaudit inherited read virt lib files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`virt_dontaudit_read_lib_files',`
-+ gen_require(`
-+ type virt_var_lib_t;
-+ ')
-+
-+ dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Create, read, write, and delete
- ## virt lib files.
- ##
-@@ -354,9 +466,9 @@ interface(`virt_read_log',`
- ## virt log files.
- ##
- ##
--##
-+##
- ## Domain allowed access.
--##
-+##
- ##
- #
- interface(`virt_append_log',`
-@@ -390,6 +502,25 @@ interface(`virt_manage_log',`
-
- ########################################
- ##
-+## Allow domain to search virt image direcories
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_search_images',`
-+ gen_require(`
-+ attribute virt_image_type;
-+ ')
-+
-+ virt_search_lib($1)
-+ allow $1 virt_image_type:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## Allow domain to read virt image files
- ##
- ##
-@@ -410,6 +541,7 @@ interface(`virt_read_images',`
- read_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+ read_chr_files_pattern($1, virt_image_type, virt_image_type)
-
- tunable_policy(`virt_use_nfs',`
- fs_list_nfs($1)
-@@ -426,6 +558,42 @@ interface(`virt_read_images',`
-
- ########################################
- ##
-+## Allow domain to read virt blk image files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_read_blk_images',`
-+ gen_require(`
-+ attribute virt_image_type;
-+ ')
-+
-+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+')
-+
-+########################################
-+##
-+## Allow domain to read/write virt image chr files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_rw_chr_files',`
-+ gen_require(`
-+ attribute virt_image_type;
-+ ')
-+
-+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
-+')
-+
-+########################################
-+##
- ## Create, read, write, and delete
- ## svirt cache files.
- ##
-@@ -435,15 +603,15 @@ interface(`virt_read_images',`
- ##
- ##
- #
--interface(`virt_manage_svirt_cache',`
-+interface(`virt_manage_cache',`
- gen_require(`
-- type svirt_cache_t;
-+ type virt_cache_t;
- ')
-
- files_search_var($1)
-- manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t)
-- manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
-- manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
-+ manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
-+ manage_files_pattern($1, virt_cache_t, virt_cache_t)
-+ manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
- ')
-
- ########################################
-@@ -468,18 +636,52 @@ interface(`virt_manage_images',`
- manage_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
-+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
-+')
-
-- tunable_policy(`virt_use_nfs',`
-- fs_manage_nfs_dirs($1)
-- fs_manage_nfs_files($1)
-- fs_read_nfs_symlinks($1)
-- ')
-+#######################################
-+##
-+## Allow domain to manage virt image files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_manage_default_image_type',`
-+ gen_require(`
-+ type virt_var_lib_t;
-+ type virt_image_t;
-+ ')
-+
-+ virt_search_lib($1)
-+ manage_dirs_pattern($1, virt_image_t, virt_image_t)
-+ manage_files_pattern($1, virt_image_t, virt_image_t)
-+ read_lnk_files_pattern($1, virt_image_t, virt_image_t)
-+')
-
-- tunable_policy(`virt_use_samba',`
-- fs_manage_cifs_files($1)
-- fs_manage_cifs_files($1)
-- fs_read_cifs_symlinks($1)
-+########################################
-+##
-+## Execute virt server in the virt domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`virt_systemctl',`
-+ gen_require(`
-+ type virtd_unit_file_t;
-+ type virtd_t;
- ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 virtd_unit_file_t:file read_file_perms;
-+ allow $1 virtd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, virtd_t)
- ')
-
- ########################################
-@@ -502,10 +704,20 @@ interface(`virt_manage_images',`
- interface(`virt_admin',`
- gen_require(`
- type virtd_t, virtd_initrc_exec_t;
-+ attribute virt_domain;
-+ type virt_lxc_t;
-+ type virtd_unit_file_t;
- ')
-
-- allow $1 virtd_t:process { ptrace signal_perms };
-+ allow $1 virtd_t:process signal_perms;
- ps_process_pattern($1, virtd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 virtd_t:process ptrace;
-+ allow $1 virt_lxc_t:process ptrace;
-+ ')
-+
-+ allow $1 virt_lxc_t:process signal_perms;
-+ ps_process_pattern($1, virt_lxc_t)
-
- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -517,4 +729,305 @@ interface(`virt_admin',`
- virt_manage_lib_files($1)
-
- virt_manage_log($1)
-+
-+ virt_manage_images($1)
-+
-+ allow $1 virt_domain:process signal_perms;
-+
-+ virt_systemctl($1)
-+ admin_pattern($1, virtd_unit_file_t)
-+ allow $1 virtd_unit_file_t:service all_service_perms;
-+')
-+
-+########################################
-+##
-+## Execute qemu in the svirt domain, and
-+## allow the specified role the svirt domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the sandbox domain.
-+##
-+##
-+##
-+#
-+interface(`virt_transition_svirt',`
-+ gen_require(`
-+ attribute virt_domain;
-+ type virt_bridgehelper_t;
-+ type svirt_image_t;
-+ type svirt_socket_t;
-+ ')
-+
-+ allow $1 virt_domain:process transition;
-+ role $2 types virt_domain;
-+ role $2 types virt_bridgehelper_t;
-+ role $2 types svirt_socket_t;
-+
-+ allow $1 virt_domain:process { sigkill sigstop signull signal };
-+ allow $1 svirt_image_t:file { relabelfrom relabelto };
-+ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
-+ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
-+ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;
-+
-+ optional_policy(`
-+ ptchown_run(virt_domain, $2)
-+ ')
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write virt daemon unnamed pipes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`virt_dontaudit_write_pipes',`
-+ gen_require(`
-+ type virtd_t;
-+ ')
-+
-+ dontaudit $1 virtd_t:fd use;
-+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Send a sigkill to virtual machines
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_kill_svirt',`
-+ gen_require(`
-+ attribute virt_domain;
-+ ')
-+
-+ allow $1 virt_domain:process sigkill;
-+')
-+
-+########################################
-+##
-+## Send a signal to virtual machines
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_signal_svirt',`
-+ gen_require(`
-+ attribute virt_domain;
-+ ')
-+
-+ allow $1 virt_domain:process signal;
-+')
-+
-+########################################
-+##
-+## Manage virt home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_manage_home_files',`
-+ gen_require(`
-+ type virt_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, virt_home_t, virt_home_t)
-+')
-+
-+########################################
-+##
-+## allow domain to read
-+## virt tmpfs files
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`virt_read_tmpfs_files',`
-+ gen_require(`
-+ attribute virt_tmpfs_type;
-+ ')
-+
-+ allow $1 virt_tmpfs_type:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## allow domain to manage
-+## virt tmpfs files
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`virt_manage_tmpfs_files',`
-+ gen_require(`
-+ attribute virt_tmpfs_type;
-+ ')
-+
-+ allow $1 virt_tmpfs_type:file manage_file_perms;
-+')
-+
-+########################################
-+##
-+## Create .virt directory in the user home directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_filetrans_home_content',`
-+ gen_require(`
-+ type virt_home_t;
-+ type svirt_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
-+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
-+
-+ optional_policy(`
-+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
-+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
-+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
-+ gnome_data_filetrans($1, svirt_home_t, dir, "images")
-+ ')
-+')
-+
-+########################################
-+##
-+## Dontaudit attempts to Read virt_image_type devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_dontaudit_read_chr_dev',`
-+ gen_require(`
-+ attribute virt_image_type;
-+ ')
-+
-+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Creates types and rules for a basic
-+## virt_lxc process domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`virt_lxc_domain_template',`
-+ gen_require(`
-+ attribute svirt_lxc_domain;
-+ ')
-+
-+ type $1_t, svirt_lxc_domain;
-+ domain_type($1_t)
-+ domain_user_exemption_target($1_t)
-+ mls_rangetrans_target($1_t)
-+ mcs_untrusted_proc($1_t)
-+ role system_r types $1_t;
-+
-+ kernel_read_system_state($1_t)
-+')
-+
-+########################################
-+##
-+## Execute a qemu_exec_t in the callers domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_exec_qemu',`
-+ gen_require(`
-+ type qemu_exec_t;
-+ ')
-+
-+ can_exec($1, qemu_exec_t)
-+')
-+
-+########################################
-+##
-+## Transition to virt named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_filetrans_named_content',`
-+ gen_require(`
-+ type virt_lxc_var_run_t;
-+ type virt_var_run_t;
-+ ')
-+
-+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
-+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
-+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
-+')
-+
-+########################################
-+##
-+## Execute qemu in the svirt domain, and
-+## allow the specified role the svirt domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the sandbox domain.
-+##
-+##
-+##
-+#
-+interface(`virt_transition_svirt_lxc',`
-+ gen_require(`
-+ attribute svirt_lxc_domain;
-+ ')
-+
-+ allow $1 svirt_lxc_domain:process transition;
-+ role $2 types svirt_lxc_domain;
-+
-+ allow svirt_lxc_domain $1:process sigchld;
- ')
-diff --git a/virt.te b/virt.te
-index 947bbc6..d17661a 100644
---- a/virt.te
-+++ b/virt.te
-@@ -5,56 +5,104 @@ policy_module(virt, 1.5.0)
- # Declarations
- #
-
-+attribute virsh_transition_domain;
-+attribute virt_ptynode;
-+attribute virt_domain;
-+attribute virt_image_type;
-+attribute virt_tmpfs_type;
-+
-+type svirt_tmp_t;
-+files_tmp_file(svirt_tmp_t)
-+
-+type svirt_tmpfs_t, virt_tmpfs_type;
-+files_tmpfs_file(svirt_tmpfs_t)
-+
-+type svirt_image_t, virt_image_type;
-+files_type(svirt_image_t)
-+dev_node(svirt_image_t)
-+dev_associate_sysfs(svirt_image_t)
-+
- ##
- ##
--## Allow virt to use serial/parallell communication ports
-+## Allow confined virtual guests to use serial/parallel communication ports
- ##
- ##
- gen_tunable(virt_use_comm, false)
-
- ##
- ##
--## Allow virt to read fuse files
-+## Allow confined virtual guests to use executable memory and executable stack
-+##
-+##
-+gen_tunable(virt_use_execmem, false)
-+
-+##
-+##
-+## Allow confined virtual guests to read fuse files
- ##
- ##
- gen_tunable(virt_use_fusefs, false)
-
- ##
- ##
--## Allow virt to manage nfs files
-+## Allow confined virtual guests to manage nfs files
- ##
- ##
- gen_tunable(virt_use_nfs, false)
-
- ##
- ##
--## Allow virt to manage cifs files
-+## Allow confined virtual guests to manage cifs files
- ##
- ##
- gen_tunable(virt_use_samba, false)
-
- ##
- ##
--## Allow virt to manage device configuration, (pci)
-+## Allow confined virtual guests to manage device configuration, (pci)
- ##
- ##
- gen_tunable(virt_use_sysfs, false)
-
- ##
-+##
-+## Allow confined virtual guests to interact with the sanlock
-+##
-+##
-+gen_tunable(virt_use_sanlock, false)
-+
-+##
-+##
-+## Allow confined virtual guests to interact with rawip sockets
-+##
-+##
-+gen_tunable(virt_use_rawip, false)
-+
-+##
-+##
-+## Allow confined virtual guests to interact with the xserver
-+##
-+##
-+gen_tunable(virt_use_xserver, false)
-+
-+##
- ##
--## Allow virt to use usb devices
-+## Allow confined virtual guests to use usb devices
- ##
- ##
- gen_tunable(virt_use_usb, true)
-
- virt_domain_template(svirt)
- role system_r types svirt_t;
-+typealias svirt_t alias qemu_t;
-
--type svirt_cache_t;
--files_type(svirt_cache_t)
-+virt_domain_template(svirt_tcg)
-+role system_r types svirt_tcg_t;
-
--attribute virt_domain;
--attribute virt_image_type;
-+type qemu_exec_t;
-+
-+type virt_cache_t alias svirt_cache_t;
-+files_type(virt_cache_t)
-
- type virt_etc_t;
- files_config_file(virt_etc_t)
-@@ -62,26 +110,37 @@ files_config_file(virt_etc_t)
- type virt_etc_rw_t;
- files_type(virt_etc_rw_t)
-
-+type virt_home_t;
-+userdom_user_home_content(virt_home_t)
-+
-+type svirt_home_t;
-+userdom_user_home_content(svirt_home_t)
-+
- # virt Image files
- type virt_image_t; # customizable
- virt_image(virt_image_t)
-+files_mountpoint(virt_image_t)
-
- # virt Image files
- type virt_content_t; # customizable
- virt_image(virt_content_t)
- userdom_user_home_content(virt_content_t)
-
-+type virt_tmp_t;
-+files_tmp_file(virt_tmp_t)
-+
- type virt_log_t;
- logging_log_file(virt_log_t)
-+mls_trusted_object(virt_log_t)
-
--type virt_tmp_t;
--files_tmp_file(virt_tmp_t)
-+type virt_lock_t;
-+files_lock_file(virt_lock_t)
-
- type virt_var_run_t;
- files_pid_file(virt_var_run_t)
-
- type virt_var_lib_t;
--files_type(virt_var_lib_t)
-+files_mountpoint(virt_var_lib_t)
-
- type virtd_t;
- type virtd_exec_t;
-@@ -89,9 +148,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
- domain_obj_id_change_exemption(virtd_t)
- domain_subj_id_change_exemption(virtd_t)
-
-+type virtd_unit_file_t;
-+systemd_unit_file(virtd_unit_file_t)
-+
- type virtd_initrc_exec_t;
- init_script_file(virtd_initrc_exec_t)
-
-+type qemu_var_run_t;
-+typealias qemu_var_run_t alias svirt_var_run_t;
-+files_pid_file(qemu_var_run_t)
-+mls_trusted_object(qemu_var_run_t)
-+
- ifdef(`enable_mcs',`
- init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
- ')
-@@ -100,28 +167,53 @@ ifdef(`enable_mls',`
- init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
- ')
-
-+type virt_qmf_t;
-+type virt_qmf_exec_t;
-+init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
-+
-+type virt_bridgehelper_t;
-+domain_type(virt_bridgehelper_t)
-+
-+type virt_bridgehelper_exec_t;
-+domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
-+role system_r types virt_bridgehelper_t;
-+
-+# policy for qemu_ga
-+type virt_qemu_ga_t;
-+type virt_qemu_ga_exec_t;
-+init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
-+
-+type virt_qemu_ga_var_run_t;
-+files_pid_file(virt_qemu_ga_var_run_t)
-+
-+type virt_qemu_ga_log_t;
-+logging_log_file(virt_qemu_ga_log_t)
-+
- ########################################
- #
--# svirt local policy
-+# Declarations
- #
-+attribute svirt_lxc_domain;
-
--allow svirt_t self:udp_socket create_socket_perms;
-+type virtd_lxc_t;
-+type virtd_lxc_exec_t;
-+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
-
--manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
--manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
--files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
-+type virt_lxc_var_run_t;
-+files_pid_file(virt_lxc_var_run_t)
-+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
-
--read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
-+# virt lxc container files
-+type svirt_lxc_file_t;
-+files_mountpoint(svirt_lxc_file_t)
-
--allow svirt_t svirt_image_t:dir search_dir_perms;
--manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
--manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
--fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
-+########################################
-+#
-+# svirt local policy
-+#
-
--list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
--read_files_pattern(svirt_t, virt_content_t, virt_content_t)
--dontaudit svirt_t virt_content_t:file write_file_perms;
--dontaudit svirt_t virt_content_t:dir write;
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
- corenet_udp_sendrecv_generic_if(svirt_t)
- corenet_udp_sendrecv_generic_node(svirt_t)
-@@ -131,67 +223,69 @@ corenet_udp_bind_all_ports(svirt_t)
- corenet_tcp_bind_all_ports(svirt_t)
- corenet_tcp_connect_all_ports(svirt_t)
-
--dev_list_sysfs(svirt_t)
--
--userdom_search_user_home_content(svirt_t)
--userdom_read_user_home_content_symlinks(svirt_t)
--userdom_read_all_users_state(svirt_t)
--
--tunable_policy(`virt_use_comm',`
-- term_use_unallocated_ttys(svirt_t)
-- dev_rw_printer(svirt_t)
--')
--
--tunable_policy(`virt_use_fusefs',`
-- fs_read_fusefs_files(svirt_t)
-- fs_read_fusefs_symlinks(svirt_t)
--')
--
--tunable_policy(`virt_use_nfs',`
-- fs_manage_nfs_dirs(svirt_t)
-- fs_manage_nfs_files(svirt_t)
--')
--
--tunable_policy(`virt_use_samba',`
-- fs_manage_cifs_dirs(svirt_t)
-- fs_manage_cifs_files(svirt_t)
-+optional_policy(`
-+ xen_rw_image_files(svirt_t)
- ')
-
--tunable_policy(`virt_use_sysfs',`
-- dev_rw_sysfs(svirt_t)
-+optional_policy(`
-+ nscd_use(svirt_t)
- ')
-
--tunable_policy(`virt_use_usb',`
-- dev_rw_usbfs(svirt_t)
-- fs_manage_dos_dirs(svirt_t)
-- fs_manage_dos_files(svirt_t)
--')
-+#######################################
-+#
-+# svirt_prot_exec local policy
-+#
-
--optional_policy(`
-- xen_rw_image_files(svirt_t)
--')
-+allow svirt_tcg_t self:process { execmem execstack };
-+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
-+corenet_udp_sendrecv_generic_node(svirt_tcg_t)
-+corenet_udp_sendrecv_all_ports(svirt_tcg_t)
-+corenet_udp_bind_generic_node(svirt_tcg_t)
-+corenet_udp_bind_all_ports(svirt_tcg_t)
-+corenet_tcp_bind_all_ports(svirt_tcg_t)
-+corenet_tcp_connect_all_ports(svirt_tcg_t)
-
- ########################################
- #
- # virtd local policy
- #
-
--allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
--allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
-+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-+allow virtd_t self:capability2 compromise_kernel;
-+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
-+ifdef(`hide_broken_symptoms',`
-+ # caused by some bogus kernel code
-+ dontaudit virtd_t self:capability { sys_module sys_ptrace };
-+')
-
--allow virtd_t self:fifo_file rw_fifo_file_perms;
--allow virtd_t self:unix_stream_socket create_stream_socket_perms;
-+allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
-+allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow virtd_t self:tcp_socket create_stream_socket_perms;
--allow virtd_t self:tun_socket create_socket_perms;
-+allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
-+allow virtd_t self:rawip_socket create_socket_perms;
-+allow virtd_t self:packet_socket create_socket_perms;
- allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow virtd_t self:netlink_route_socket create_netlink_socket_perms;
-
--manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
--manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
-+manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
-+manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
-
- manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
- manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
-
- allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
-+allow virt_domain virtd_t:fd use;
-+dontaudit virt_domain virtd_t:unix_stream_socket { read write };
-+
-+can_exec(virtd_t, qemu_exec_t)
-+can_exec(virt_domain, qemu_exec_t)
-+
-+allow virtd_t qemu_var_run_t:file relabel_file_perms;
-+manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
-+manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
-+manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
-+stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain)
-+filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu")
-
- read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
- read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +296,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
- filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
-
- manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
-+manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)
- manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
--allow virtd_t virt_image_type:file { relabelfrom relabelto };
--allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
--
--manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
--manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
--logging_log_filetrans(virtd_t, virt_log_t, { file dir })
-+manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
-+allow virtd_t virt_image_type:file relabel_file_perms;
-+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
-+allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-+allow virtd_t virt_ptynode:chr_file rw_term_perms;
-
- manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
- manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
- files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
- can_exec(virtd_t, virt_tmp_t)
-
-+manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
-+manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
-+manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
-+files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
-+manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-+logging_log_filetrans(virtd_t, virt_log_t, { file dir })
-+
- manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
- manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
- manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +328,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
- manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
- files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-
-+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
-+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
-+
- kernel_read_system_state(virtd_t)
- kernel_read_network_state(virtd_t)
- kernel_rw_net_sysctls(virtd_t)
-+kernel_read_kernel_sysctls(virtd_t)
- kernel_request_load_module(virtd_t)
- kernel_search_debugfs(virtd_t)
-+kernel_setsched(virtd_t)
-
- corecmd_exec_bin(virtd_t)
- corecmd_exec_shell(virtd_t)
-
--corenet_all_recvfrom_unlabeled(virtd_t)
- corenet_all_recvfrom_netlabel(virtd_t)
- corenet_tcp_sendrecv_generic_if(virtd_t)
- corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +356,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
- corenet_rw_tun_tap_dev(virtd_t)
-
- dev_rw_sysfs(virtd_t)
-+dev_read_urand(virtd_t)
- dev_read_rand(virtd_t)
- dev_rw_kvm(virtd_t)
- dev_getattr_all_chr_files(virtd_t)
- dev_rw_mtrr(virtd_t)
-+dev_rw_vhost(virtd_t)
-+dev_setattr_generic_usb_dev(virtd_t)
-+dev_relabel_generic_usb_dev(virtd_t)
-
- # Init script handling
- domain_use_interactive_fds(virtd_t)
- domain_read_all_domains_state(virtd_t)
-+domain_read_all_domains_state(virtd_t)
-
- files_read_usr_files(virtd_t)
--files_read_etc_files(virtd_t)
-+files_read_usr_files(virtd_t)
- files_read_etc_runtime_files(virtd_t)
- files_search_all(virtd_t)
- files_read_kernel_modules(virtd_t)
- files_read_usr_src_files(virtd_t)
--files_manage_etc_files(virtd_t)
-+files_relabelto_system_conf_files(virtd_t)
-+files_relabelfrom_system_conf_files(virtd_t)
-+
-+# Manages /etc/sysconfig/system-config-firewall
-+files_manage_system_conf_files(virtd_t)
-
- fs_list_auto_mountpoints(virtd_t)
- fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +388,18 @@ fs_rw_anon_inodefs_files(virtd_t)
- fs_list_inotifyfs(virtd_t)
- fs_manage_cgroup_dirs(virtd_t)
- fs_rw_cgroup_files(virtd_t)
-+fs_manage_hugetlbfs_dirs(virtd_t)
-+fs_rw_hugetlbfs_files(virtd_t)
-+
-+mls_fd_share_all_levels(virtd_t)
-+mls_file_read_to_clearance(virtd_t)
-+mls_file_write_to_clearance(virtd_t)
-+mls_process_read_to_clearance(virtd_t)
-+mls_process_write_to_clearance(virtd_t)
-+mls_net_write_within_range(virtd_t)
-+mls_socket_write_to_clearance(virtd_t)
-+mls_socket_read_to_clearance(virtd_t)
-+mls_rangetrans_source(virtd_t)
-
- mcs_process_set_categories(virtd_t)
-
-@@ -284,7 +414,8 @@ term_use_ptmx(virtd_t)
-
- auth_use_nsswitch(virtd_t)
-
--miscfiles_read_localization(virtd_t)
-+init_dbus_chat(virtd_t)
-+
- miscfiles_read_generic_certs(virtd_t)
- miscfiles_read_hwdata(virtd_t)
-
-@@ -293,17 +424,36 @@ modutils_read_module_config(virtd_t)
- modutils_manage_module_config(virtd_t)
-
- logging_send_syslog_msg(virtd_t)
-+logging_send_audit_msgs(virtd_t)
-+logging_stream_connect_syslog(virtd_t)
-+
-+selinux_validate_context(virtd_t)
-
- seutil_read_config(virtd_t)
- seutil_read_default_contexts(virtd_t)
-+seutil_read_file_contexts(virtd_t)
-
-+sysnet_signull_ifconfig(virtd_t)
-+sysnet_signal_ifconfig(virtd_t)
- sysnet_domtrans_ifconfig(virtd_t)
- sysnet_read_config(virtd_t)
-
-+systemd_dbus_chat_logind(virtd_t)
-+systemd_write_inhibit_pipes(virtd_t)
-+
-+userdom_list_admin_dir(virtd_t)
- userdom_getattr_all_users(virtd_t)
- userdom_list_user_home_content(virtd_t)
- userdom_read_all_users_state(virtd_t)
- userdom_read_user_home_content_files(virtd_t)
-+userdom_relabel_user_home_files(virtd_t)
-+userdom_setattr_user_home_content_files(virtd_t)
-+manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
-+manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
-+manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
-+manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
-+#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
-+virt_filetrans_home_content(virtd_t)
-
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +472,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ consoletype_exec(virtd_t)
-+')
-+
-+optional_policy(`
- dbus_system_bus_client(virtd_t)
-
- optional_policy(`
-@@ -335,19 +489,34 @@ optional_policy(`
- optional_policy(`
- hal_dbus_chat(virtd_t)
- ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(virtd_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ dmidecode_domtrans(virtd_t)
- ')
-
- optional_policy(`
- dnsmasq_domtrans(virtd_t)
- dnsmasq_signal(virtd_t)
- dnsmasq_kill(virtd_t)
-- dnsmasq_read_pid_files(virtd_t)
- dnsmasq_signull(virtd_t)
-+ dnsmasq_create_pid_dirs(virtd_t)
-+ dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
-+ dnsmasq_manage_pid_files(virtd_t)
-+')
-+
-+optional_policy(`
-+ firewalld_dbus_chat(virtd_t)
- ')
-
- optional_policy(`
- iptables_domtrans(virtd_t)
- iptables_initrc_domtrans(virtd_t)
-+ iptables_systemctl(virtd_t)
-
- # Manages /etc/sysconfig/system-config-firewall
- iptables_manage_config(virtd_t)
-@@ -362,6 +531,12 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ # Run mount in the mount_t domain.
-+ mount_domtrans(virtd_t)
-+ mount_signal(virtd_t)
-+')
-+
-+optional_policy(`
- policykit_dbus_chat(virtd_t)
- policykit_domtrans_auth(virtd_t)
- policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +544,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-- qemu_domtrans(virtd_t)
-- qemu_read_state(virtd_t)
-- qemu_signal(virtd_t)
-- qemu_kill(virtd_t)
-- qemu_setsched(virtd_t)
-+ qemu_exec(virtd_t)
-+')
-+
-+optional_policy(`
-+ sanlock_stream_connect(virtd_t)
- ')
-
- optional_policy(`
-@@ -384,6 +559,7 @@ optional_policy(`
- kernel_read_xen_state(virtd_t)
- kernel_write_xen_state(virtd_t)
-
-+ xen_exec(virtd_t)
- xen_stream_connect(virtd_t)
- xen_stream_connect_xenstore(virtd_t)
- xen_read_image_files(virtd_t)
-@@ -402,35 +578,85 @@ optional_policy(`
- #
- # virtual domains common policy
- #
--
--allow virt_domain self:capability { dac_read_search dac_override kill };
--allow virt_domain self:process { execmem execstack signal getsched signull };
--allow virt_domain self:fifo_file rw_file_perms;
-+allow virt_domain self:process { signal getsched signull };
-+allow virt_domain self:fifo_file rw_fifo_file_perms;
- allow virt_domain self:shm create_shm_perms;
- allow virt_domain self:unix_stream_socket create_stream_socket_perms;
- allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
- allow virt_domain self:tcp_socket create_stream_socket_perms;
-+allow virt_domain self:udp_socket create_socket_perms;
-+
-+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
-+read_files_pattern(virt_domain, virt_content_t, virt_content_t)
-+dontaudit virt_domain virt_content_t:file write_file_perms;
-+dontaudit virt_domain virt_content_t:dir write;
-+
-+userdom_search_user_home_content(virt_domain)
-+userdom_read_user_home_content_symlinks(virt_domain)
-+userdom_read_all_users_state(virt_domain)
-+append_files_pattern(virt_domain, virt_home_t, virt_home_t)
-+manage_dirs_pattern(virt_domain, svirt_home_t, svirt_home_t)
-+manage_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
-+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
-+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
-+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-+
-+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
-+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
-+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-+
-+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
-+
-+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
-+manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
-+manage_sock_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
-+manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
-+read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
-+rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
-+rw_blk_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
-+fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file)
-+
-+manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
-+manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
-+manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
-+files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file })
-+userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
-+manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
-+manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
-+fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
-+manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
-+manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
-+manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
-+files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file })
-+stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
-+
-+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-+
-+dontaudit virt_domain virt_tmpfs_type:file { read write };
-
- append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-
- append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-
--kernel_read_system_state(virt_domain)
--
- corecmd_exec_bin(virt_domain)
- corecmd_exec_shell(virt_domain)
-
--corenet_all_recvfrom_unlabeled(virt_domain)
--corenet_all_recvfrom_netlabel(virt_domain)
- corenet_tcp_sendrecv_generic_if(virt_domain)
- corenet_tcp_sendrecv_generic_node(virt_domain)
- corenet_tcp_sendrecv_all_ports(virt_domain)
- corenet_tcp_bind_generic_node(virt_domain)
- corenet_tcp_bind_vnc_port(virt_domain)
--corenet_rw_tun_tap_dev(virt_domain)
- corenet_tcp_bind_virt_migration_port(virt_domain)
- corenet_tcp_connect_virt_migration_port(virt_domain)
-+corenet_rw_inherited_tun_tap_dev(virt_domain)
-
-+dev_list_sysfs(virt_domain)
-+dev_getattr_fs(virt_domain)
-+dev_read_generic_symlinks(virt_domain)
- dev_read_rand(virt_domain)
- dev_read_sound(virt_domain)
- dev_read_urand(virt_domain)
-@@ -438,34 +664,627 @@ dev_write_sound(virt_domain)
- dev_rw_ksm(virt_domain)
- dev_rw_kvm(virt_domain)
- dev_rw_qemu(virt_domain)
-+dev_rw_inherited_vhost(virt_domain)
-
- domain_use_interactive_fds(virt_domain)
-
--files_read_etc_files(virt_domain)
-+files_read_mnt_symlinks(virt_domain)
- files_read_usr_files(virt_domain)
- files_read_var_files(virt_domain)
- files_search_all(virt_domain)
-
-+fs_getattr_xattr_fs(virt_domain)
- fs_getattr_tmpfs(virt_domain)
- fs_rw_anon_inodefs_files(virt_domain)
- fs_rw_tmpfs_files(virt_domain)
-+fs_getattr_hugetlbfs(virt_domain)
-+fs_rw_inherited_nfs_files(virt_domain)
-+fs_rw_inherited_cifs_files(virt_domain)
-+fs_rw_inherited_noxattr_fs_files(virt_domain)
-
--term_use_all_terms(virt_domain)
-+# I think we need these for now.
-+miscfiles_read_public_files(virt_domain)
-+storage_raw_read_removable_device(virt_domain)
-+
-+sysnet_read_config(virt_domain)
-+
-+term_use_all_inherited_terms(virt_domain)
- term_getattr_pty_fs(virt_domain)
- term_use_generic_ptys(virt_domain)
- term_use_ptmx(virt_domain)
-
--logging_send_syslog_msg(virt_domain)
-+tunable_policy(`virt_use_execmem',`
-+ allow virt_domain self:process { execmem execstack };
-+')
-
--miscfiles_read_localization(virt_domain)
-+optional_policy(`
-+ alsa_read_rw_config(virt_domain)
-+')
-
- optional_policy(`
- ptchown_domtrans(virt_domain)
- ')
-
- optional_policy(`
-+ pulseaudio_dontaudit_exec(virt_domain)
-+')
-+
-+optional_policy(`
- virt_read_config(virt_domain)
- virt_read_lib_files(virt_domain)
- virt_read_content(virt_domain)
- virt_stream_connect(virt_domain)
-+ virt_domtrans_bridgehelper(virt_domain)
-+')
-+
-+optional_policy(`
-+ xserver_rw_shm(virt_domain)
-+')
-+
-+tunable_policy(`virt_use_comm',`
-+ term_use_unallocated_ttys(virt_domain)
-+ dev_rw_printer(virt_domain)
-+')
-+
-+tunable_policy(`virt_use_fusefs',`
-+ fs_manage_fusefs_dirs(virt_domain)
-+ fs_manage_fusefs_files(virt_domain)
-+ fs_read_fusefs_symlinks(virt_domain)
-+ fs_getattr_fusefs(virt_domain)
-+')
-+
-+tunable_policy(`virt_use_nfs',`
-+ fs_manage_nfs_dirs(virt_domain)
-+ fs_manage_nfs_files(virt_domain)
-+ fs_manage_nfs_named_sockets(virt_domain)
-+ fs_read_nfs_symlinks(virt_domain)
-+ fs_getattr_nfs(virt_domain)
-+')
-+
-+tunable_policy(`virt_use_samba',`
-+ fs_manage_cifs_dirs(virt_domain)
-+ fs_manage_cifs_files(virt_domain)
-+ fs_manage_cifs_named_sockets(virt_domain)
-+ fs_read_cifs_symlinks(virt_domain)
-+ fs_getattr_cifs(virt_domain)
-+')
-+
-+tunable_policy(`virt_use_sysfs',`
-+ dev_rw_sysfs(virt_domain)
-+')
-+
-+tunable_policy(`virt_use_usb',`
-+ dev_rw_usbfs(virt_domain)
-+ dev_read_sysfs(virt_domain)
-+ fs_manage_dos_dirs(virt_domain)
-+ fs_manage_dos_files(virt_domain)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`virt_use_sanlock',`
-+ sanlock_stream_connect(virt_domain)
-+ ')
-+')
-+
-+tunable_policy(`virt_use_rawip',`
-+ allow virt_domain self:rawip_socket create_socket_perms;
-+')
-+
-+optional_policy(`
-+ tunable_policy(`virt_use_xserver',`
-+ xserver_stream_connect(virt_domain)
-+ ')
-+')
-+
-+########################################
-+#
-+# xm local policy
-+#
-+type virsh_t;
-+type virsh_exec_t;
-+init_system_domain(virsh_t, virsh_exec_t)
-+typealias virsh_t alias xm_t;
-+typealias virsh_exec_t alias xm_exec_t;
-+
-+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_chroot sys_nice sys_tty_config };
-+allow virsh_t self:process { getcap getsched setsched setcap signal };
-+allow virsh_t self:fifo_file rw_fifo_file_perms;
-+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow virsh_t self:tcp_socket create_stream_socket_perms;
-+
-+ps_process_pattern(virsh_t, svirt_lxc_domain)
-+
-+can_exec(virsh_t, virsh_exec_t)
-+virt_domtrans(virsh_t)
-+virt_manage_images(virsh_t)
-+virt_manage_config(virsh_t)
-+virt_stream_connect(virsh_t)
-+
-+manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
-+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-+
-+manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+virt_transition_svirt_lxc(virsh_t, system_r)
-+
-+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+virt_filetrans_named_content(virsh_t)
-+
-+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
-+
-+kernel_read_system_state(virsh_t)
-+kernel_read_network_state(virsh_t)
-+kernel_read_kernel_sysctls(virsh_t)
-+kernel_read_sysctl(virsh_t)
-+kernel_read_xen_state(virsh_t)
-+kernel_write_xen_state(virsh_t)
-+
-+corecmd_exec_bin(virsh_t)
-+corecmd_exec_shell(virsh_t)
-+
-+corenet_tcp_sendrecv_generic_if(virsh_t)
-+corenet_tcp_sendrecv_generic_node(virsh_t)
-+corenet_tcp_connect_soundd_port(virsh_t)
-+
-+dev_read_rand(virsh_t)
-+dev_read_urand(virsh_t)
-+dev_read_sysfs(virsh_t)
-+
-+files_read_etc_runtime_files(virsh_t)
-+files_read_etc_files(virsh_t)
-+files_read_usr_files(virsh_t)
-+files_list_mnt(virsh_t)
-+files_list_tmp(virsh_t)
-+# Some common macros (you might be able to remove some)
-+
-+fs_getattr_all_fs(virsh_t)
-+fs_manage_xenfs_dirs(virsh_t)
-+fs_manage_xenfs_files(virsh_t)
-+fs_search_auto_mountpoints(virsh_t)
-+
-+storage_raw_read_fixed_disk(virsh_t)
-+
-+term_use_all_inherited_terms(virsh_t)
-+
-+userdom_search_admin_dir(virsh_t)
-+userdom_read_home_certs(virsh_t)
-+
-+init_stream_connect_script(virsh_t)
-+init_rw_script_stream_sockets(virsh_t)
-+init_use_fds(virsh_t)
-+
-+auth_read_passwd(virsh_t)
-+
-+logging_send_syslog_msg(virsh_t)
-+
-+sysnet_dns_name_resolve(virsh_t)
-+
-+tunable_policy(`virt_use_nfs',`
-+ fs_manage_nfs_dirs(virsh_t)
-+ fs_manage_nfs_files(virsh_t)
-+ fs_read_nfs_symlinks(virsh_t)
- ')
-+
-+tunable_policy(`virt_use_samba',`
-+ fs_manage_cifs_files(virsh_t)
-+ fs_manage_cifs_files(virsh_t)
-+ fs_read_cifs_symlinks(virsh_t)
-+')
-+
-+optional_policy(`
-+ cron_system_entry(virsh_t, virsh_exec_t)
-+')
-+
-+optional_policy(`
-+ rhcs_domtrans_fenced(virsh_t)
-+')
-+
-+optional_policy(`
-+ rpm_exec(virsh_t)
-+')
-+
-+optional_policy(`
-+ xen_manage_image_dirs(virsh_t)
-+ xen_append_log(virsh_t)
-+ xen_domtrans(virsh_t)
-+ xen_read_pid_files_xenstored(virsh_t)
-+ xen_stream_connect(virsh_t)
-+ xen_stream_connect_xenstore(virsh_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(virsh_t)
-+
-+ optional_policy(`
-+ hal_dbus_chat(virsh_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ vhostmd_rw_tmpfs_files(virsh_t)
-+ vhostmd_stream_connect(virsh_t)
-+ vhostmd_dontaudit_rw_stream_connect(virsh_t)
-+')
-+
-+optional_policy(`
-+ ssh_basic_client_template(virsh, virsh_t, system_r)
-+
-+ kernel_read_xen_state(virsh_ssh_t)
-+ kernel_write_xen_state(virsh_ssh_t)
-+
-+ dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms;
-+ files_search_tmp(virsh_ssh_t)
-+
-+ fs_manage_xenfs_dirs(virsh_ssh_t)
-+ fs_manage_xenfs_files(virsh_ssh_t)
-+
-+ userdom_search_admin_dir(virsh_ssh_t)
-+')
-+
-+########################################
-+#
-+# virt_lxc local policy
-+#
-+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
-+allow virtd_lxc_t self:capability2 compromise_kernel;
-+
-+allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
-+allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
-+allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
-+allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms;
-+allow virtd_lxc_t self:packet_socket create_socket_perms;
-+
-+allow virtd_lxc_t virt_image_type:dir mounton;
-+manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
-+
-+domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
-+allow virtd_t virtd_lxc_t:process { signal signull sigkill };
-+
-+allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
-+manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
-+
-+manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
-+allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
-+files_associate_rootfs(svirt_lxc_file_t)
-+
-+storage_manage_fixed_disk(virtd_lxc_t)
-+storage_rw_fuse(virtd_lxc_t)
-+
-+kernel_read_all_sysctls(virtd_lxc_t)
-+kernel_read_network_state(virtd_lxc_t)
-+kernel_read_system_state(virtd_lxc_t)
-+
-+corecmd_exec_bin(virtd_lxc_t)
-+corecmd_exec_shell(virtd_lxc_t)
-+
-+dev_relabel_all_dev_nodes(virtd_lxc_t)
-+dev_rw_sysfs(virtd_lxc_t)
-+dev_read_sysfs(virtd_lxc_t)
-+dev_read_urand(virtd_lxc_t)
-+
-+domain_use_interactive_fds(virtd_lxc_t)
-+
-+files_search_all(virtd_lxc_t)
-+files_getattr_all_files(virtd_lxc_t)
-+files_read_usr_files(virtd_lxc_t)
-+files_relabel_rootfs(virtd_lxc_t)
-+files_mounton_non_security(virtd_lxc_t)
-+files_mount_all_file_type_fs(virtd_lxc_t)
-+files_unmount_all_file_type_fs(virtd_lxc_t)
-+files_list_isid_type_dirs(virtd_lxc_t)
-+files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
-+
-+fs_getattr_all_fs(virtd_lxc_t)
-+fs_manage_tmpfs_dirs(virtd_lxc_t)
-+fs_manage_tmpfs_chr_files(virtd_lxc_t)
-+fs_manage_tmpfs_symlinks(virtd_lxc_t)
-+fs_manage_cgroup_dirs(virtd_lxc_t)
-+fs_mounton_tmpfs(virtd_lxc_t)
-+fs_remount_all_fs(virtd_lxc_t)
-+fs_rw_cgroup_files(virtd_lxc_t)
-+fs_unmount_all_fs(virtd_lxc_t)
-+fs_relabelfrom_tmpfs(virtd_lxc_t)
-+
-+logging_send_audit_msgs(virtd_lxc_t)
-+
-+selinux_mount_fs(virtd_lxc_t)
-+selinux_unmount_fs(virtd_lxc_t)
-+seutil_read_config(virtd_lxc_t)
-+
-+term_use_generic_ptys(virtd_lxc_t)
-+term_use_ptmx(virtd_lxc_t)
-+term_relabel_pty_fs(virtd_lxc_t)
-+
-+auth_use_nsswitch(virtd_lxc_t)
-+
-+logging_send_syslog_msg(virtd_lxc_t)
-+
-+seutil_domtrans_setfiles(virtd_lxc_t)
-+seutil_read_default_contexts(virtd_lxc_t)
-+
-+selinux_get_enforce_mode(virtd_lxc_t)
-+selinux_get_fs_mount(virtd_lxc_t)
-+selinux_validate_context(virtd_lxc_t)
-+selinux_compute_access_vector(virtd_lxc_t)
-+selinux_compute_create_context(virtd_lxc_t)
-+selinux_compute_relabel_context(virtd_lxc_t)
-+selinux_compute_user_contexts(virtd_lxc_t)
-+seutil_read_default_contexts(virtd_lxc_t)
-+
-+optional_policy(`
-+ unconfined_domain(virtd_lxc_t)
-+')
-+
-+########################################
-+#
-+# virt_lxc_domain local policy
-+#
-+allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock };
-+
-+allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
-+allow virtd_t svirt_lxc_domain:process { signal_perms };
-+allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
-+allow svirt_lxc_domain virtd_lxc_t:process sigchld;
-+allow svirt_lxc_domain virtd_lxc_t:fd use;
-+allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms;
-+allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
-+
-+allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
-+allow svirt_lxc_domain self:fifo_file manage_file_perms;
-+allow svirt_lxc_domain self:sem create_sem_perms;
-+allow svirt_lxc_domain self:shm create_shm_perms;
-+allow svirt_lxc_domain self:msgq create_msgq_perms;
-+allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
-+
-+manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+can_exec(svirt_lxc_domain, svirt_lxc_file_t)
-+allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
-+allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
-+
-+kernel_getattr_proc(svirt_lxc_domain)
-+kernel_list_all_proc(svirt_lxc_domain)
-+kernel_read_kernel_sysctls(svirt_lxc_domain)
-+kernel_rw_net_sysctls(svirt_lxc_domain)
-+kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
-+
-+corecmd_exec_all_executables(svirt_lxc_domain)
-+
-+files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
-+files_dontaudit_getattr_all_files(svirt_lxc_domain)
-+files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
-+files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
-+files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
-+files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
-+files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
-+files_entrypoint_all_files(svirt_lxc_domain)
-+files_list_var(svirt_lxc_domain)
-+files_list_var_lib(svirt_lxc_domain)
-+files_search_all(svirt_lxc_domain)
-+files_read_config_files(svirt_lxc_domain)
-+files_read_usr_files(svirt_lxc_domain)
-+files_read_usr_symlinks(svirt_lxc_domain)
-+files_search_locks(svirt_lxc_domain)
-+
-+fs_getattr_all_fs(svirt_lxc_domain)
-+fs_list_inotifyfs(svirt_lxc_domain)
-+fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
-+
-+auth_dontaudit_read_passwd(svirt_lxc_domain)
-+auth_dontaudit_read_login_records(svirt_lxc_domain)
-+auth_dontaudit_write_login_records(svirt_lxc_domain)
-+auth_search_pam_console_data(svirt_lxc_domain)
-+
-+clock_read_adjtime(svirt_lxc_domain)
-+
-+init_read_utmp(svirt_lxc_domain)
-+init_dontaudit_write_utmp(svirt_lxc_domain)
-+
-+libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
-+
-+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
-+miscfiles_read_fonts(svirt_lxc_domain)
-+
-+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
-+')
-+
-+systemd_read_unit_files(svirt_lxc_domain)
-+
-+optional_policy(`
-+ udev_read_pid_files(svirt_lxc_domain)
-+')
-+
-+optional_policy(`
-+ apache_exec_modules(svirt_lxc_domain)
-+ apache_read_sys_content(svirt_lxc_domain)
-+')
-+
-+virt_lxc_domain_template(svirt_lxc_net)
-+
-+allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+dontaudit svirt_lxc_net_t self:capability2 block_suspend;
-+allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
-+allow svirt_lxc_net_t self:process setrlimit;
-+
-+allow svirt_lxc_net_t self:udp_socket create_socket_perms;
-+allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms;
-+allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms;
-+allow svirt_lxc_net_t self:packet_socket create_socket_perms;
-+allow svirt_lxc_net_t self:socket create_socket_perms;
-+allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
-+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
-+allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+
-+kernel_read_network_state(svirt_lxc_net_t)
-+kernel_read_irq_sysctls(svirt_lxc_net_t)
-+
-+dev_read_sysfs(svirt_lxc_net_t)
-+dev_getattr_mtrr_dev(svirt_lxc_net_t)
-+dev_read_rand(svirt_lxc_net_t)
-+dev_read_urand(svirt_lxc_net_t)
-+
-+corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-+corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
-+corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-+corenet_udp_bind_all_ports(svirt_lxc_net_t)
-+corenet_tcp_bind_all_ports(svirt_lxc_net_t)
-+corenet_tcp_connect_all_ports(svirt_lxc_net_t)
-+
-+files_read_kernel_modules(svirt_lxc_net_t)
-+
-+fs_noxattr_type(svirt_lxc_file_t)
-+fs_mount_cgroup(svirt_lxc_net_t)
-+fs_manage_cgroup_dirs(svirt_lxc_net_t)
-+fs_manage_cgroup_files(svirt_lxc_net_t)
-+
-+term_pty(svirt_lxc_file_t)
-+
-+auth_use_nsswitch(svirt_lxc_net_t)
-+
-+rpm_read_db(svirt_lxc_net_t)
-+
-+logging_send_audit_msgs(svirt_lxc_net_t)
-+
-+userdom_use_inherited_user_ptys(svirt_lxc_net_t)
-+
-+########################################
-+#
-+# virt_qmf local policy
-+#
-+allow virt_qmf_t self:capability { sys_nice sys_tty_config };
-+allow virt_qmf_t self:process { setsched signal };
-+allow virt_qmf_t self:fifo_file rw_fifo_file_perms;
-+allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;
-+allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
-+allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-+
-+can_exec(virt_qmf_t, virtd_exec_t)
-+
-+kernel_read_system_state(virt_qmf_t)
-+kernel_read_network_state(virt_qmf_t)
-+
-+dev_read_sysfs(virt_qmf_t)
-+dev_read_rand(virt_qmf_t)
-+dev_read_urand(virt_qmf_t)
-+
-+corenet_tcp_connect_matahari_port(virt_qmf_t)
-+
-+domain_use_interactive_fds(virt_qmf_t)
-+
-+logging_send_syslog_msg(virt_qmf_t)
-+
-+sysnet_read_config(virt_qmf_t)
-+
-+optional_policy(`
-+ dbus_read_lib_files(virt_qmf_t)
-+')
-+
-+optional_policy(`
-+ virt_stream_connect(virt_qmf_t)
-+')
-+
-+########################################
-+#
-+# virt_bridgehelper local policy
-+#
-+allow virt_bridgehelper_t self:process { setcap getcap };
-+allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
-+allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-+allow virt_bridgehelper_t self:tun_socket create_socket_perms;
-+allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
-+
-+kernel_read_network_state(virt_bridgehelper_t)
-+
-+corenet_rw_tun_tap_dev(virt_bridgehelper_t)
-+
-+userdom_use_inherited_user_ptys(virt_bridgehelper_t)
-+
-+#######################################
-+#
-+# virt_qemu_ga local policy
-+#
-+
-+allow virt_qemu_ga_t self:capability sys_tty_config;
-+
-+allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
-+allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
-+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
-+filetrans_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t,{ dir file } )
-+
-+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
-+logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file )
-+
-+corecmd_exec_shell(virt_qemu_ga_t)
-+corecmd_exec_bin(virt_qemu_ga_t)
-+
-+files_read_etc_files(virt_qemu_ga_t)
-+
-+dev_rw_sysfs(virt_qemu_ga_t)
-+
-+term_use_virtio_console(virt_qemu_ga_t)
-+term_use_all_ttys(virt_qemu_ga_t)
-+
-+logging_send_syslog_msg(virt_qemu_ga_t)
-+
-+sysnet_dns_name_resolve(virt_qemu_ga_t)
-+
-+userdom_use_user_ptys(virt_qemu_ga_t)
-+
-+optional_policy(`
-+ bootloader_domtrans(virt_qemu_ga_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(virt_qemu_ga_t)
-+')
-+
-+optional_policy(`
-+ cron_initrc_domtrans(virt_qemu_ga_t)
-+ cron_domtrans(virt_qemu_ga_t)
-+')
-+
-+optional_policy(`
-+ devicekit_manage_pid_files(virt_qemu_ga_t)
-+')
-+
-+optional_policy(`
-+ fstools_domtrans(virt_qemu_ga_t)
-+')
-+
-+optional_policy(`
-+ shutdown_domtrans(virt_qemu_ga_t)
-+')
-+
-+type svirt_socket_t;
-+role system_r types svirt_socket_t;
-+allow svirt_t svirt_socket_t:unix_stream_socket connectto;
-+
-+
-diff --git a/vlock.te b/vlock.te
-index 2511093..669dc13 100644
---- a/vlock.te
-+++ b/vlock.te
-@@ -47,7 +47,5 @@ init_dontaudit_rw_utmp(vlock_t)
-
- logging_send_syslog_msg(vlock_t)
-
--miscfiles_read_localization(vlock_t)
--
- userdom_dontaudit_search_user_home_dirs(vlock_t)
--userdom_use_user_terminals(vlock_t)
-+userdom_use_inherited_user_terminals(vlock_t)
-diff --git a/vmware.te b/vmware.te
-index 7d334c4..979e82f 100644
---- a/vmware.te
-+++ b/vmware.te
-@@ -68,7 +68,8 @@ ifdef(`enable_mcs',`
- # VMWare host local policy
- #
-
--allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
-+allow vmware_host_t self:capability { net_admin sys_module };
-+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override };
- dontaudit vmware_host_t self:capability sys_tty_config;
- allow vmware_host_t self:process { execstack execmem signal_perms };
- allow vmware_host_t self:fifo_file rw_fifo_file_perms;
-@@ -97,8 +98,8 @@ logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
- kernel_read_kernel_sysctls(vmware_host_t)
- kernel_read_system_state(vmware_host_t)
- kernel_read_network_state(vmware_host_t)
-+kernel_request_load_module(vmware_host_t)
-
--corenet_all_recvfrom_unlabeled(vmware_host_t)
- corenet_all_recvfrom_netlabel(vmware_host_t)
- corenet_tcp_sendrecv_generic_if(vmware_host_t)
- corenet_udp_sendrecv_generic_if(vmware_host_t)
-@@ -122,6 +123,7 @@ dev_getattr_all_blk_files(vmware_host_t)
- dev_read_sysfs(vmware_host_t)
- dev_read_urand(vmware_host_t)
- dev_rw_vmware(vmware_host_t)
-+dev_rw_generic_chr_files(vmware_host_t)
-
- domain_use_interactive_fds(vmware_host_t)
- domain_dontaudit_read_all_domains_state(vmware_host_t)
-@@ -129,7 +131,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t)
- files_list_tmp(vmware_host_t)
- files_read_etc_files(vmware_host_t)
- files_read_etc_runtime_files(vmware_host_t)
--files_read_usr_files(vmware_host_t)
-+files_read_usr_files(vmware_host_t)
-
- fs_getattr_all_fs(vmware_host_t)
- fs_search_auto_mountpoints(vmware_host_t)
-@@ -145,8 +147,6 @@ libs_exec_ld_so(vmware_host_t)
-
- logging_send_syslog_msg(vmware_host_t)
-
--miscfiles_read_localization(vmware_host_t)
--
- sysnet_dns_name_resolve(vmware_host_t)
- sysnet_domtrans_ifconfig(vmware_host_t)
-
-@@ -156,11 +156,27 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
- netutils_domtrans_ping(vmware_host_t)
-
- optional_policy(`
-- hostname_exec(vmware_host_t)
-+ unconfined_domain(vmware_host_t)
- ')
-
- optional_policy(`
-+ hostname_exec(vmware_host_t)
-+')
-+
-+optional_policy(`
- modutils_domtrans_insmod(vmware_host_t)
-+')
-+
-+optional_policy(`
-+ samba_read_config(vmware_host_t)
-+')
-+
-+optional_policy(`
-+ seutil_sigchld_newrole(vmware_host_t)
-+')
-+
-+optional_policy(`
-+ shutdown_domtrans(vmware_host_t)
- ')
-
- optional_policy(`
-@@ -269,9 +285,8 @@ libs_exec_ld_so(vmware_t)
- # Access X11 config files
- libs_read_lib_files(vmware_t)
-
--miscfiles_read_localization(vmware_t)
-
--userdom_use_user_terminals(vmware_t)
-+userdom_use_inherited_user_terminals(vmware_t)
- userdom_list_user_home_dirs(vmware_t)
- # cjp: why?
- userdom_read_user_home_content_files(vmware_t)
-diff --git a/vnstatd.if b/vnstatd.if
-index 727fe95..47ec114 100644
---- a/vnstatd.if
-+++ b/vnstatd.if
-@@ -123,20 +123,17 @@ interface(`vnstatd_manage_lib_files',`
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Role allowed access.
--##
--##
--##
- #
- interface(`vnstatd_admin',`
- gen_require(`
- type vnstatd_t, vnstatd_var_lib_t;
- ')
-
-- allow $1 vnstatd_t:process { ptrace signal_perms };
-+ allow $1 vnstatd_t:process signal_perms;
- ps_process_pattern($1, vnstatd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 vnstatd_t:process ptrace;
-+ ')
-
- files_list_var_lib($1)
- admin_pattern($1, vnstatd_var_lib_t)
-diff --git a/vnstatd.te b/vnstatd.te
-index 8121937..f90b43b 100644
---- a/vnstatd.te
-+++ b/vnstatd.te
-@@ -28,9 +28,13 @@ allow vnstatd_t self:process signal;
- allow vnstatd_t self:fifo_file rw_fifo_file_perms;
- allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
-
-+manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-+manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-+files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })
-+
- manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
- manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
--files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
-+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir)
-
- manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
- manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-@@ -47,8 +51,6 @@ fs_getattr_xattr_fs(vnstatd_t)
-
- logging_send_syslog_msg(vnstatd_t)
-
--miscfiles_read_localization(vnstatd_t)
--
- optional_policy(`
- cron_system_entry(vnstat_t, vnstat_exec_t)
- ')
-@@ -62,9 +64,9 @@ allow vnstat_t self:process signal;
- allow vnstat_t self:fifo_file rw_fifo_file_perms;
- allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
-
-+files_search_var_lib(vnstat_t)
- manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
- manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
--files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
-
- kernel_read_network_state(vnstat_t)
- kernel_read_system_state(vnstat_t)
-@@ -76,5 +78,3 @@ files_read_etc_files(vnstat_t)
- fs_getattr_xattr_fs(vnstat_t)
-
- logging_send_syslog_msg(vnstat_t)
--
--miscfiles_read_localization(vnstat_t)
-diff --git a/vpn.if b/vpn.if
-index 7b93e07..a4e2f60 100644
---- a/vpn.if
-+++ b/vpn.if
-@@ -37,11 +37,16 @@ interface(`vpn_domtrans',`
- #
- interface(`vpn_run',`
- gen_require(`
-- attribute_role vpnc_roles;
-+ #attribute_role vpnc_roles;
-+ type vpnc_t;
- ')
-
-+ #vpn_domtrans($1)
-+ #roleattribute $2 vpnc_roles;
-+
- vpn_domtrans($1)
-- roleattribute $2 vpnc_roles;
-+ role $2 types vpnc_t;
-+ sysnet_run_ifconfig(vpnc_t, $2)
- ')
-
- ########################################
-diff --git a/vpn.te b/vpn.te
-index 83a80ba..ddf48c0 100644
---- a/vpn.te
-+++ b/vpn.te
-@@ -5,13 +5,15 @@ policy_module(vpn, 1.15.0)
- # Declarations
- #
-
--attribute_role vpnc_roles;
--roleattribute system_r vpnc_roles;
-+#attribute_role vpnc_roles;
-+#roleattribute system_r vpnc_roles;
-
- type vpnc_t;
- type vpnc_exec_t;
-+init_system_domain(vpnc_t, vpnc_exec_t)
- application_domain(vpnc_t, vpnc_exec_t)
--role vpnc_roles types vpnc_t;
-+#role vpnc_roles types vpnc_t;
-+role system_r types vpnc_t;
-
- type vpnc_tmp_t;
- files_tmp_file(vpnc_tmp_t)
-@@ -24,7 +26,7 @@ files_pid_file(vpnc_var_run_t)
- # Local policy
- #
-
--allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
-+allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid };
- allow vpnc_t self:process { getsched signal };
- allow vpnc_t self:fifo_file rw_fifo_file_perms;
- allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
-@@ -51,7 +53,6 @@ kernel_read_all_sysctls(vpnc_t)
- kernel_request_load_module(vpnc_t)
- kernel_rw_net_sysctls(vpnc_t)
-
--corenet_all_recvfrom_unlabeled(vpnc_t)
- corenet_all_recvfrom_netlabel(vpnc_t)
- corenet_tcp_sendrecv_generic_if(vpnc_t)
- corenet_udp_sendrecv_generic_if(vpnc_t)
-@@ -80,18 +81,19 @@ domain_use_interactive_fds(vpnc_t)
- fs_getattr_xattr_fs(vpnc_t)
- fs_getattr_tmpfs(vpnc_t)
-
--term_use_all_ptys(vpnc_t)
--term_use_all_ttys(vpnc_t)
-+term_use_all_inherited_ptys(vpnc_t)
-+term_use_all_inherited_ttys(vpnc_t)
-
- corecmd_exec_all_executables(vpnc_t)
-
- files_exec_etc_files(vpnc_t)
- files_read_etc_runtime_files(vpnc_t)
--files_read_etc_files(vpnc_t)
- files_dontaudit_search_home(vpnc_t)
-
- auth_use_nsswitch(vpnc_t)
-
-+init_dontaudit_use_fds(vpnc_t)
-+
- libs_exec_ld_so(vpnc_t)
- libs_exec_lib_files(vpnc_t)
-
-@@ -100,17 +102,15 @@ locallogin_use_fds(vpnc_t)
- logging_send_syslog_msg(vpnc_t)
- logging_dontaudit_search_logs(vpnc_t)
-
--miscfiles_read_localization(vpnc_t)
--
--seutil_dontaudit_search_config(vpnc_t)
- seutil_use_newrole_fds(vpnc_t)
-
--sysnet_run_ifconfig(vpnc_t, vpnc_roles)
-+#sysnet_run_ifconfig(vpnc_t, vpnc_roles)
- sysnet_etc_filetrans_config(vpnc_t)
- sysnet_manage_config(vpnc_t)
-
- userdom_use_all_users_fds(vpnc_t)
--userdom_dontaudit_search_user_home_content(vpnc_t)
-+userdom_read_home_certs(vpnc_t)
-+userdom_search_admin_dir(vpnc_t)
-
- optional_policy(`
- dbus_system_bus_client(vpnc_t)
-diff --git a/w3c.te b/w3c.te
-index 1174ad8..bd7a7da 100644
---- a/w3c.te
-+++ b/w3c.te
-@@ -5,20 +5,34 @@ policy_module(w3c, 1.0.0)
- # Declarations
- #
-
--apache_content_template(w3c_validator)
-+
-+type httpd_w3c_validator_tmp_t;
-+files_tmp_file(httpd_w3c_validator_tmp_t)
-
- ########################################
- #
- # Local policy
- #
-
--corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
--corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
--corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
--corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
--corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
--corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
-+optional_policy(`
-+ apache_content_template(w3c_validator)
-+
-+ manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
-+ manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
-+ files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir })
-+
-+ corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
-+ corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
-+ corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-+ corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
-+ corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
-+ corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
-+
-+ miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
-
--miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
-+ sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
-
--sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
-+ optional_policy(`
-+ apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t)
-+ ')
-+')
-diff --git a/watchdog.te b/watchdog.te
-index b10bb05..f0d56b5 100644
---- a/watchdog.te
-+++ b/watchdog.te
-@@ -42,7 +42,6 @@ kernel_unmount_proc(watchdog_t)
- corecmd_exec_shell(watchdog_t)
-
- # cjp: why networking?
--corenet_all_recvfrom_unlabeled(watchdog_t)
- corenet_all_recvfrom_netlabel(watchdog_t)
- corenet_tcp_sendrecv_generic_if(watchdog_t)
- corenet_udp_sendrecv_generic_if(watchdog_t)
-@@ -81,8 +80,6 @@ auth_append_login_records(watchdog_t)
-
- logging_send_syslog_msg(watchdog_t)
-
--miscfiles_read_localization(watchdog_t)
--
- sysnet_read_config(watchdog_t)
-
- userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
-diff --git a/wdmd.fc b/wdmd.fc
-new file mode 100644
-index 0000000..0d6257d
---- /dev/null
-+++ b/wdmd.fc
-@@ -0,0 +1,8 @@
-+
-+/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0)
-+
-+/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
-+
-+/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
-+/var/run/checkquorum-timer -- gen_context(system_u:object_r:wdmd_var_run_t,s0)
-+
-diff --git a/wdmd.if b/wdmd.if
-new file mode 100644
-index 0000000..d17ff39
---- /dev/null
-+++ b/wdmd.if
-@@ -0,0 +1,133 @@
-+
-+## watchdog multiplexing daemon
-+
-+########################################
-+##
-+## Execute a domain transition to run wdmd.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`wdmd_domtrans',`
-+ gen_require(`
-+ type wdmd_t, wdmd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, wdmd_exec_t, wdmd_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute wdmd server in the wdmd domain.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`wdmd_initrc_domtrans',`
-+ gen_require(`
-+ type wdmd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an wdmd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`wdmd_admin',`
-+ gen_require(`
-+ type wdmd_t;
-+ type wdmd_initrc_exec_t;
-+ ')
-+
-+ allow $1 wdmd_t:process signal_perms;
-+ ps_process_pattern($1, wdmd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 wdmd_t:process ptrace;
-+ ')
-+
-+ wdmd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 wdmd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+')
-+
-+######################################
-+##
-+## Create, read, write, and delete wdmd PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`wdmd_manage_pid_files',`
-+ gen_require(`
-+ type wdmd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t)
-+')
-+
-+########################################
-+##
-+## Connect to wdmd over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`wdmd_stream_connect',`
-+ gen_require(`
-+ type wdmd_t, wdmd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)
-+')
-+
-+
-+####################################
-+##
-+## Allow the specified domain to read/write wdmd's tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`wdmd_rw_tmpfs',`
-+ gen_require(`
-+ type wdmd_tmpfs_t;
-+ ')
-+
-+ rw_files_pattern($1, wdmd_tmpfs_t, wdmd_tmpfs_t)
-+
-+')
-diff --git a/wdmd.te b/wdmd.te
-new file mode 100644
-index 0000000..09b45bb
---- /dev/null
-+++ b/wdmd.te
-@@ -0,0 +1,61 @@
-+policy_module(wdmd,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type wdmd_t;
-+type wdmd_exec_t;
-+init_daemon_domain(wdmd_t, wdmd_exec_t)
-+
-+type wdmd_var_run_t;
-+files_pid_file(wdmd_var_run_t)
-+
-+type wdmd_initrc_exec_t;
-+init_script_file(wdmd_initrc_exec_t)
-+
-+type wdmd_tmpfs_t;
-+files_tmpfs_file(wdmd_tmpfs_t)
-+
-+########################################
-+#
-+# wdmd local policy
-+#
-+allow wdmd_t self:capability { chown sys_nice ipc_lock };
-+allow wdmd_t self:process { setsched signal };
-+
-+allow wdmd_t self:fifo_file rw_fifo_file_perms;
-+allow wdmd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
-+manage_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
-+manage_sock_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
-+files_pid_filetrans(wdmd_t, wdmd_var_run_t, { file dir sock_file })
-+
-+manage_dirs_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t)
-+manage_files_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t)
-+fs_tmpfs_filetrans(wdmd_t, wdmd_tmpfs_t, { dir file })
-+
-+kernel_read_system_state(wdmd_t)
-+
-+corecmd_exec_bin(wdmd_t)
-+corecmd_exec_shell(wdmd_t)
-+
-+dev_read_watchdog(wdmd_t)
-+dev_write_watchdog(wdmd_t)
-+
-+domain_use_interactive_fds(wdmd_t)
-+
-+fs_getattr_tmpfs(wdmd_t)
-+fs_read_anon_inodefs_files(wdmd_t)
-+
-+auth_use_nsswitch(wdmd_t)
-+
-+logging_send_syslog_msg(wdmd_t)
-+
-+optional_policy(`
-+ corosync_initrc_domtrans(wdmd_t)
-+ corosync_stream_connect(wdmd_t)
-+ corosync_rw_tmpfs(wdmd_t)
-+')
-diff --git a/webadm.te b/webadm.te
-index 0ecc786..79a664a 100644
---- a/webadm.te
-+++ b/webadm.te
-@@ -23,12 +23,21 @@ role webadm_r;
-
- userdom_base_user_template(webadm)
-
-+type webadm_tmp_t;
-+files_tmp_file(webadm_tmp_t)
-+
- ########################################
- #
- # webadmin local policy
- #
-
--allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
-+allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
-+
-+manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
-+manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
-+manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
-+files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir })
-+can_exec(webadm_t, webadm_tmp_t)
-
- files_dontaudit_search_all_dirs(webadm_t)
- files_manage_generic_locks(webadm_t)
-@@ -38,10 +47,13 @@ selinux_get_enforce_mode(webadm_t)
- seutil_domtrans_setfiles(webadm_t)
-
- logging_send_syslog_msg(webadm_t)
-+logging_send_audit_msgs(webadm_t)
-
- userdom_dontaudit_search_user_home_dirs(webadm_t)
-
--apache_admin(webadm_t, webadm_r)
-+optional_policy(`
-+ apache_admin(webadm_t, webadm_r)
-+')
-
- tunable_policy(`webadm_manage_user_files',`
- userdom_manage_user_home_content_files(webadm_t)
-diff --git a/webalizer.te b/webalizer.te
-index 32b4f76..b00362b 100644
---- a/webalizer.te
-+++ b/webalizer.te
-@@ -59,7 +59,6 @@ files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)
- kernel_read_kernel_sysctls(webalizer_t)
- kernel_read_system_state(webalizer_t)
-
--corenet_all_recvfrom_unlabeled(webalizer_t)
- corenet_all_recvfrom_netlabel(webalizer_t)
- corenet_tcp_sendrecv_generic_if(webalizer_t)
- corenet_tcp_sendrecv_generic_node(webalizer_t)
-@@ -69,24 +68,26 @@ fs_search_auto_mountpoints(webalizer_t)
- fs_getattr_xattr_fs(webalizer_t)
- fs_rw_anon_inodefs_files(webalizer_t)
-
--files_read_etc_files(webalizer_t)
- files_read_etc_runtime_files(webalizer_t)
-
- logging_list_logs(webalizer_t)
- logging_send_syslog_msg(webalizer_t)
-
--miscfiles_read_localization(webalizer_t)
-+auth_use_nsswitch(webalizer_t)
-+
- miscfiles_read_public_files(webalizer_t)
-
- sysnet_dns_name_resolve(webalizer_t)
- sysnet_read_config(webalizer_t)
-
--userdom_use_user_terminals(webalizer_t)
-+userdom_use_inherited_user_terminals(webalizer_t)
- userdom_use_unpriv_users_fds(webalizer_t)
- userdom_dontaudit_search_user_home_content(webalizer_t)
-
--apache_read_log(webalizer_t)
--apache_manage_sys_content(webalizer_t)
-+optional_policy(`
-+ apache_read_log(webalizer_t)
-+ apache_manage_sys_content(webalizer_t)
-+')
-
- optional_policy(`
- cron_system_entry(webalizer_t, webalizer_exec_t)
-diff --git a/wine.fc b/wine.fc
-index 9d24449..2666317 100644
---- a/wine.fc
-+++ b/wine.fc
-@@ -2,6 +2,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
-
- /opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-
-+/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0)
- /opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
- /opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
- /opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
-@@ -10,6 +11,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
- /opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
- /opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
- /opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-+/opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-
- /opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-
-diff --git a/wine.if b/wine.if
-index f9a73d0..4b83bb0 100644
---- a/wine.if
-+++ b/wine.if
-@@ -10,10 +10,9 @@
- ## for wine applications.
- ##
- ##
--##
-+##
- ##
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
-+## The role associated with the user domain.
- ##
- ##
- ##
-@@ -21,20 +20,19 @@
- ## The type of the user domain.
- ##
- ##
--##
--##
--## The role associated with the user domain.
--##
--##
- #
- template(`wine_role',`
- gen_require(`
-+ type wine_t;
-+ type wine_home_t;
- type wine_exec_t;
- ')
-
- role $1 types wine_t;
-
- domain_auto_trans($2, wine_exec_t, wine_t)
-+ # Unrestricted inheritance from the caller.
-+ allow $2 wine_t:process { noatsecure siginh rlimitinh };
- allow wine_t $2:fd use;
- allow wine_t $2:process { sigchld signull };
- allow wine_t $2:unix_stream_socket connectto;
-@@ -44,8 +42,7 @@ template(`wine_role',`
- allow $2 wine_t:process signal_perms;
-
- allow $2 wine_t:fd use;
-- allow $2 wine_t:shm { associate getattr };
-- allow $2 wine_t:shm { unix_read unix_write };
-+ allow $2 wine_t:shm { associate getattr unix_read unix_write };
- allow $2 wine_t:unix_stream_socket connectto;
-
- # X access, Home files
-@@ -86,6 +83,7 @@ template(`wine_role',`
- #
- template(`wine_role_template',`
- gen_require(`
-+ type wine_t;
- type wine_exec_t;
- ')
-
-@@ -96,12 +94,12 @@ template(`wine_role_template',`
- role $2 types $1_wine_t;
-
- allow $1_wine_t self:process { execmem execstack };
-- allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
-+ allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
- domtrans_pattern($3, wine_exec_t, $1_wine_t)
- corecmd_bin_domtrans($1_wine_t, $1_t)
-
- userdom_unpriv_usertype($1, $1_wine_t)
-- userdom_manage_user_tmpfs_files($1_wine_t)
-+ userdom_manage_tmpfs_role($2, $1_wine_t)
-
- domain_mmap_low($1_wine_t)
-
-@@ -109,6 +107,10 @@ template(`wine_role_template',`
- dontaudit $1_wine_t self:memprotect mmap_zero;
- ')
-
-+ tunable_policy(`wine_mmap_zero_ignore',`
-+ dontaudit $1_wine_t self:memprotect mmap_zero;
-+ ')
-+
- optional_policy(`
- xserver_role($1_r, $1_wine_t)
- ')
-diff --git a/wine.te b/wine.te
-index 7a17516..56fbcc2 100644
---- a/wine.te
-+++ b/wine.te
-@@ -38,7 +38,7 @@ domain_mmap_low(wine_t)
-
- files_execmod_all_files(wine_t)
-
--userdom_use_user_terminals(wine_t)
-+userdom_use_inherited_user_terminals(wine_t)
-
- tunable_policy(`wine_mmap_zero_ignore',`
- dontaudit wine_t self:memprotect mmap_zero;
-@@ -53,6 +53,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rtkit_scheduled(wine_t)
-+')
-+
-+optional_policy(`
- unconfined_domain(wine_t)
- ')
-
-diff --git a/wireshark.te b/wireshark.te
-index fc0adf8..cf479f3 100644
---- a/wireshark.te
-+++ b/wireshark.te
-@@ -31,18 +31,19 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
- # Local Policy
- #
-
--allow wireshark_t self:capability { net_admin net_raw setgid };
-+allow wireshark_t self:capability { net_admin net_raw };
- allow wireshark_t self:process { signal getsched };
- allow wireshark_t self:fifo_file { getattr read write };
- allow wireshark_t self:shm destroy;
- allow wireshark_t self:shm create_shm_perms;
- allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
--allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write };
-+allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
- allow wireshark_t self:tcp_socket create_socket_perms;
- allow wireshark_t self:udp_socket create_socket_perms;
-
- # Re-execute itself (why?)
- can_exec(wireshark_t, wireshark_exec_t)
-+corecmd_search_bin(wireshark_t)
-
- # /home/.wireshark
- manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
-@@ -67,7 +68,6 @@ kernel_read_system_state(wireshark_t)
- kernel_read_sysctl(wireshark_t)
-
- corecmd_exec_bin(wireshark_t)
--corecmd_search_bin(wireshark_t)
-
- corenet_tcp_connect_generic_port(wireshark_t)
- corenet_tcp_sendrecv_generic_if(wireshark_t)
-@@ -76,7 +76,6 @@ dev_read_rand(wireshark_t)
- dev_read_sysfs(wireshark_t)
- dev_read_urand(wireshark_t)
-
--files_read_etc_files(wireshark_t)
- files_read_usr_files(wireshark_t)
-
- fs_list_inotifyfs(wireshark_t)
-@@ -84,31 +83,17 @@ fs_search_auto_mountpoints(wireshark_t)
-
- libs_read_lib_files(wireshark_t)
-
-+auth_use_nsswitch(wireshark_t)
-+
- miscfiles_read_fonts(wireshark_t)
--miscfiles_read_localization(wireshark_t)
-
- seutil_use_newrole_fds(wireshark_t)
-
- sysnet_read_config(wireshark_t)
-
- userdom_manage_user_home_content_files(wireshark_t)
--userdom_use_user_ptys(wireshark_t)
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(wireshark_t)
-- fs_manage_nfs_files(wireshark_t)
-- fs_manage_nfs_symlinks(wireshark_t)
--')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(wireshark_t)
-- fs_manage_cifs_files(wireshark_t)
-- fs_manage_cifs_symlinks(wireshark_t)
--')
--
--optional_policy(`
-- nscd_socket_use(wireshark_t)
--')
-+userdom_home_manager(wireshark_t)
-
- # Manual transition from userhelper
- optional_policy(`
-diff --git a/wm.if b/wm.if
-index b3efef7..177cf16 100644
---- a/wm.if
-+++ b/wm.if
-@@ -31,17 +31,14 @@ template(`wm_role_template',`
- gen_require(`
- type wm_exec_t;
- class dbus send_msg;
-+ attribute wm_domain;
- ')
-
-- type $1_wm_t;
-+ type $1_wm_t, wm_domain;
- domain_type($1_wm_t)
- domain_entry_file($1_wm_t, wm_exec_t)
- role $2 types $1_wm_t;
-
-- allow $1_wm_t self:fifo_file rw_fifo_file_perms;
-- allow $1_wm_t self:process getsched;
-- allow $1_wm_t self:shm create_shm_perms;
--
- allow $1_wm_t $3:unix_stream_socket connectto;
- allow $3 $1_wm_t:unix_stream_socket connectto;
- allow $3 $1_wm_t:process { signal sigchld signull };
-@@ -50,19 +47,19 @@ template(`wm_role_template',`
- allow $1_wm_t $3:dbus send_msg;
- allow $3 $1_wm_t:dbus send_msg;
-
-- domtrans_pattern($3, wm_exec_t, $1_wm_t)
-+ userdom_manage_home_role($2, $1_wm_t)
-+ userdom_manage_tmpfs_role($2, $1_wm_t)
-+ userdom_manage_tmp_role($2, $1_wm_t)
-+ userdom_exec_user_tmp_files($1_wm_t)
-
-- kernel_read_system_state($1_wm_t)
-+ domtrans_pattern($3, wm_exec_t, $1_wm_t)
-
- corecmd_bin_domtrans($1_wm_t, $3)
- corecmd_shell_domtrans($1_wm_t, $3)
-
-- dev_read_urand($1_wm_t)
--
-- files_read_etc_files($1_wm_t)
-- files_read_usr_files($1_wm_t)
-+ auth_use_nsswitch($1_wm_t)
-
-- fs_getattr_tmpfs($1_wm_t)
-+ kernel_read_system_state($1_wm_t)
-
- mls_file_read_all_levels($1_wm_t)
- mls_file_write_all_levels($1_wm_t)
-@@ -70,22 +67,6 @@ template(`wm_role_template',`
- mls_xwin_write_all_levels($1_wm_t)
- mls_fd_use_all_levels($1_wm_t)
-
-- auth_use_nsswitch($1_wm_t)
--
-- application_signull($1_wm_t)
--
-- miscfiles_read_fonts($1_wm_t)
-- miscfiles_read_localization($1_wm_t)
--
-- optional_policy(`
-- dbus_system_bus_client($1_wm_t)
-- dbus_session_bus_client($1_wm_t)
-- ')
--
-- optional_policy(`
-- pulseaudio_stream_connect($1_wm_t)
-- ')
--
- optional_policy(`
- xserver_role($2, $1_wm_t)
- xserver_manage_core_devices($1_wm_t)
-diff --git a/wm.te b/wm.te
-index 19d447e..996a3d4 100644
---- a/wm.te
-+++ b/wm.te
-@@ -1,5 +1,7 @@
- policy_module(wm, 1.2.0)
-
-+attribute wm_domain;
-+
- ########################################
- #
- # Declarations
-@@ -7,3 +9,34 @@ policy_module(wm, 1.2.0)
-
- type wm_exec_t;
- corecmd_executable_file(wm_exec_t)
-+
-+allow wm_domain self:fifo_file rw_fifo_file_perms;
-+allow wm_domain self:process getsched;
-+allow wm_domain self:shm create_shm_perms;
-+allow wm_domain self:unix_dgram_socket create_socket_perms;
-+
-+dev_read_urand(wm_domain)
-+
-+files_read_etc_files(wm_domain)
-+files_read_usr_files(wm_domain)
-+
-+fs_getattr_tmpfs(wm_domain)
-+
-+application_signull(wm_domain)
-+
-+miscfiles_read_fonts(wm_domain)
-+
-+optional_policy(`
-+ dbus_system_bus_client(wm_domain)
-+ dbus_session_bus_client(wm_domain)
-+')
-+
-+optional_policy(`
-+ pulseaudio_stream_connect(wm_domain)
-+')
-+
-+optional_policy(`
-+ xserver_manage_core_devices(wm_domain)
-+')
-+
-+
-diff --git a/xen.fc b/xen.fc
-index 1a1b374..574794d 100644
---- a/xen.fc
-+++ b/xen.fc
-@@ -1,12 +1,10 @@
- /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
-
--/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0)
--
- /usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
- /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
- /usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
-
--/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
-+#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
-
- ifdef(`distro_debian',`
- /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
-@@ -17,6 +15,7 @@ ifdef(`distro_debian',`
- /usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
- /usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
- /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
-+/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
- /usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
- ')
-
-@@ -25,11 +24,11 @@ ifdef(`distro_debian',`
- /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
- /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
-
--/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
-+/var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
- /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
--/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
--/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
--/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
-+/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
-+/var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
-+/var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
-
- /var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
- /var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
-diff --git a/xen.if b/xen.if
-index 77d41b6..cc73c96 100644
---- a/xen.if
-+++ b/xen.if
-@@ -20,6 +20,25 @@ interface(`xen_domtrans',`
-
- ########################################
- ##
-+## Allow the specified domain to execute xend
-+## in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xen_exec',`
-+ gen_require(`
-+ type xend_exec_t;
-+ ')
-+
-+ can_exec($1, xend_exec_t)
-+')
-+
-+########################################
-+##
- ## Inherit and use xen file descriptors.
- ##
- ##
-@@ -55,6 +74,26 @@ interface(`xen_dontaudit_use_fds',`
- dontaudit $1 xend_t:fd use;
- ')
-
-+#######################################
-+##
-+## Read xend pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xen_read_pid_files_xenstored',`
-+ gen_require(`
-+ type xenstored_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+
-+ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
-+')
-+
- ########################################
- ##
- ## Read xend image files.
-@@ -87,6 +126,26 @@ interface(`xen_read_image_files',`
- ##
- ##
- #
-+interface(`xen_manage_image_dirs',`
-+ gen_require(`
-+ type xend_var_lib_t;
-+ ')
-+
-+ files_list_var_lib($1)
-+ manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to read/write
-+## xend image files.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
- interface(`xen_rw_image_files',`
- gen_require(`
- type xen_image_t, xend_var_lib_t;
-@@ -161,7 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
-
- ########################################
- ##
--## Connect to xenstored over an unix stream socket.
-+## Connect to xenstored over a unix stream socket.
- ##
- ##
- ##
-@@ -180,7 +239,7 @@ interface(`xen_stream_connect_xenstore',`
-
- ########################################
- ##
--## Connect to xend over an unix domain stream socket.
-+## Connect to xend over a unix domain stream socket.
- ##
- ##
- ##
-@@ -213,14 +272,15 @@ interface(`xen_stream_connect',`
- interface(`xen_domtrans_xm',`
- gen_require(`
- type xm_t, xm_exec_t;
-+ attribute virsh_transition_domain;
- ')
--
-+ typeattribute $1 virsh_transition_domain;
- domtrans_pattern($1, xm_exec_t, xm_t)
- ')
-
- ########################################
- ##
--## Connect to xm over an unix stream socket.
-+## Connect to xm over a unix stream socket.
- ##
- ##
- ##
-@@ -230,7 +290,7 @@ interface(`xen_domtrans_xm',`
- #
- interface(`xen_stream_connect_xm',`
- gen_require(`
-- type xm_t;
-+ type xm_t, xenstored_var_run_t;
- ')
-
- files_search_pids($1)
-diff --git a/xen.te b/xen.te
-index 07033bb..8358a63 100644
---- a/xen.te
-+++ b/xen.te
-@@ -4,6 +4,7 @@ policy_module(xen, 1.12.0)
- #
- # Declarations
- #
-+attribute xm_transition_domain;
-
- ##
- ##
-@@ -65,6 +66,7 @@ type xen_image_t; # customizable
- files_type(xen_image_t)
- # xen_image_t can be assigned to blk devices
- dev_node(xen_image_t)
-+virt_image(xen_image_t)
-
- type xenctl_t;
- files_type(xenctl_t)
-@@ -121,11 +123,6 @@ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
- type xenconsoled_var_run_t;
- files_pid_file(xenconsoled_var_run_t)
-
--type xm_t;
--type xm_exec_t;
--domain_type(xm_t)
--init_system_domain(xm_t, xm_exec_t)
--
- ########################################
- #
- # blktap local policy
-@@ -135,22 +132,21 @@ tunable_policy(`xend_run_blktap',`
- # If yes, transition to its own domain.
- domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
-
-- allow blktap_t self:fifo_file { read write };
-+',`
-+ # If no, then silently refuse to run it.
-+ dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
-+')
-
-- dev_read_sysfs(blktap_t)
-- dev_rw_xen(blktap_t)
-+allow blktap_t self:fifo_file { read write };
-
-- files_read_etc_files(blktap_t)
-+dev_read_sysfs(blktap_t)
-+dev_rw_xen(blktap_t)
-
-- logging_send_syslog_msg(blktap_t)
-+files_read_etc_files(blktap_t)
-
-- miscfiles_read_localization(blktap_t)
-+logging_send_syslog_msg(blktap_t)
-
-- xen_stream_connect_xenstore(blktap_t)
--',`
-- # If no, then silently refuse to run it.
-- dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
--')
-+xen_stream_connect_xenstore(blktap_t)
-
- #######################################
- #
-@@ -170,6 +166,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
- #
- # qemu-dm local policy
- #
-+
-+# TODO: This part of policy should be removed
-+# qemu-dm should run in xend_t domain
-+
- # Do we need to allow execution of qemu-dm?
- tunable_policy(`xend_run_qemu',`
- allow qemu_dm_t self:capability sys_resource;
-@@ -195,7 +195,6 @@ tunable_policy(`xend_run_qemu',`
- fs_manage_xenfs_dirs(qemu_dm_t)
- fs_manage_xenfs_files(qemu_dm_t)
-
-- miscfiles_read_localization(qemu_dm_t)
-
- xen_stream_connect_xenstore(qemu_dm_t)
- ',`
-@@ -208,10 +207,13 @@ tunable_policy(`xend_run_qemu',`
- # xend local policy
- #
-
--allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
--dontaudit xend_t self:capability { sys_ptrace };
-+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio };
- allow xend_t self:process { signal sigkill };
--dontaudit xend_t self:process ptrace;
-+
-+# needed by qemu_dm
-+allow xend_t self:capability sys_resource;
-+allow xend_t self:process setrlimit;
-+
- # internal communication is often done using fifo and unix sockets.
- allow xend_t self:fifo_file rw_fifo_file_perms;
- allow xend_t self:unix_stream_socket create_stream_socket_perms;
-@@ -219,6 +221,7 @@ allow xend_t self:unix_dgram_socket create_socket_perms;
- allow xend_t self:netlink_route_socket r_netlink_socket_perms;
- allow xend_t self:tcp_socket create_stream_socket_perms;
- allow xend_t self:packet_socket create_socket_perms;
-+allow xend_t self:tun_socket create_socket_perms;
-
- allow xend_t xen_image_t:dir list_dir_perms;
- manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
-@@ -275,7 +278,6 @@ kernel_read_network_state(xend_t)
- corecmd_exec_bin(xend_t)
- corecmd_exec_shell(xend_t)
-
--corenet_all_recvfrom_unlabeled(xend_t)
- corenet_all_recvfrom_netlabel(xend_t)
- corenet_tcp_sendrecv_generic_if(xend_t)
- corenet_tcp_sendrecv_generic_node(xend_t)
-@@ -294,12 +296,13 @@ corenet_sendrecv_soundd_server_packets(xend_t)
- corenet_rw_tun_tap_dev(xend_t)
-
- dev_read_urand(xend_t)
-+# run lsscsi
-+dev_getattr_all_chr_files(xend_t)
- dev_filetrans_xen(xend_t)
- dev_rw_sysfs(xend_t)
- dev_rw_xen(xend_t)
-
- domain_dontaudit_read_all_domains_state(xend_t)
--domain_dontaudit_ptrace_all_domains(xend_t)
-
- files_read_etc_files(xend_t)
- files_read_kernel_symbol_table(xend_t)
-@@ -309,7 +312,13 @@ files_etc_filetrans_etc_runtime(xend_t, file)
- files_read_usr_files(xend_t)
- files_read_default_symlinks(xend_t)
-
-+fs_read_removable_blk_files(xend_t)
-+
-+storage_read_scsi_generic(xend_t)
-+
-+term_setattr_generic_ptys(xend_t)
- term_getattr_all_ptys(xend_t)
-+term_setattr_all_ptys(xend_t)
- term_use_generic_ptys(xend_t)
- term_use_ptmx(xend_t)
- term_getattr_pty_fs(xend_t)
-@@ -320,13 +329,10 @@ locallogin_dontaudit_use_fds(xend_t)
-
- logging_send_syslog_msg(xend_t)
-
--lvm_domtrans(xend_t)
-+auth_read_passwd(xend_t)
-
--miscfiles_read_localization(xend_t)
- miscfiles_read_hwdata(xend_t)
-
--mount_domtrans(xend_t)
--
- sysnet_domtrans_dhcpc(xend_t)
- sysnet_signal_dhcpc(xend_t)
- sysnet_domtrans_ifconfig(xend_t)
-@@ -339,8 +345,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
-
- xen_stream_connect_xenstore(xend_t)
-
--netutils_domtrans(xend_t)
--
- optional_policy(`
- brctl_domtrans(xend_t)
- ')
-@@ -349,6 +353,28 @@ optional_policy(`
- consoletype_exec(xend_t)
- ')
-
-+optional_policy(`
-+ lvm_domtrans(xend_t)
-+')
-+
-+optional_policy(`
-+ mount_domtrans(xend_t)
-+')
-+
-+optional_policy(`
-+ netutils_domtrans(xend_t)
-+')
-+
-+optional_policy(`
-+ ptchown_exec(xend_t)
-+')
-+
-+optional_policy(`
-+ virt_manage_default_image_type(xend_t)
-+ virt_search_images(xend_t)
-+ virt_read_config(xend_t)
-+')
-+
- ########################################
- #
- # Xen console local policy
-@@ -359,7 +385,7 @@ allow xenconsoled_t self:process setrlimit;
- allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
- allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
-
--allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
-+allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr };
-
- # pid file
- manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
-@@ -374,8 +400,6 @@ dev_rw_xen(xenconsoled_t)
- dev_filetrans_xen(xenconsoled_t)
- dev_rw_sysfs(xenconsoled_t)
-
--domain_dontaudit_ptrace_all_domains(xenconsoled_t)
--
- files_read_etc_files(xenconsoled_t)
- files_read_usr_files(xenconsoled_t)
-
-@@ -390,7 +414,7 @@ term_use_console(xenconsoled_t)
- init_use_fds(xenconsoled_t)
- init_use_script_ptys(xenconsoled_t)
-
--miscfiles_read_localization(xenconsoled_t)
-+auth_read_passwd(xenconsoled_t)
-
- xen_manage_log(xenconsoled_t)
- xen_stream_connect_xenstore(xenconsoled_t)
-@@ -413,9 +437,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
- files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
-
- # pid file
-+manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
- manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
- manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
--files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file })
-+files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir })
-
- # log files
- manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,111 +467,24 @@ files_read_etc_files(xenstored_t)
-
- files_read_usr_files(xenstored_t)
-
-+fs_search_xenfs(xenstored_t)
- fs_manage_xenfs_files(xenstored_t)
-
- term_use_generic_ptys(xenstored_t)
-+term_use_console(xenconsoled_t)
-
- init_use_fds(xenstored_t)
- init_use_script_ptys(xenstored_t)
-
- logging_send_syslog_msg(xenstored_t)
-
--miscfiles_read_localization(xenstored_t)
--
- xen_append_log(xenstored_t)
-
- ########################################
- #
--# xm local policy
--#
--
--allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
--allow xm_t self:process { getsched signal };
--
--# internal communication is often done using fifo and unix sockets.
--allow xm_t self:fifo_file rw_fifo_file_perms;
--allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
--allow xm_t self:tcp_socket create_stream_socket_perms;
--
--manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
--manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
--manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
--files_search_var_lib(xm_t)
--
--allow xm_t xen_image_t:dir rw_dir_perms;
--allow xm_t xen_image_t:file read_file_perms;
--allow xm_t xen_image_t:blk_file read_blk_file_perms;
--
--kernel_read_system_state(xm_t)
--kernel_read_kernel_sysctls(xm_t)
--kernel_read_sysctl(xm_t)
--kernel_read_xen_state(xm_t)
--kernel_write_xen_state(xm_t)
--
--corecmd_exec_bin(xm_t)
--corecmd_exec_shell(xm_t)
--
--corenet_tcp_sendrecv_generic_if(xm_t)
--corenet_tcp_sendrecv_generic_node(xm_t)
--corenet_tcp_connect_soundd_port(xm_t)
--
--dev_read_urand(xm_t)
--dev_read_sysfs(xm_t)
--
--files_read_etc_runtime_files(xm_t)
--files_read_usr_files(xm_t)
--files_list_mnt(xm_t)
--# Some common macros (you might be able to remove some)
--files_read_etc_files(xm_t)
--
--fs_getattr_all_fs(xm_t)
--fs_manage_xenfs_dirs(xm_t)
--fs_manage_xenfs_files(xm_t)
--
--term_use_all_terms(xm_t)
--
--init_stream_connect_script(xm_t)
--init_rw_script_stream_sockets(xm_t)
--init_use_fds(xm_t)
--
--miscfiles_read_localization(xm_t)
--
--sysnet_dns_name_resolve(xm_t)
--
--xen_append_log(xm_t)
--xen_stream_connect(xm_t)
--xen_stream_connect_xenstore(xm_t)
--
--optional_policy(`
-- dbus_system_bus_client(xm_t)
--
-- optional_policy(`
-- hal_dbus_chat(xm_t)
-- ')
--')
--
--optional_policy(`
-- virt_domtrans(xm_t)
-- virt_manage_images(xm_t)
-- virt_manage_config(xm_t)
-- virt_stream_connect(xm_t)
--')
--
--########################################
--#
- # SSH component local policy
- #
- optional_policy(`
-- ssh_basic_client_template(xm, xm_t, system_r)
--
-- kernel_read_xen_state(xm_ssh_t)
-- kernel_write_xen_state(xm_ssh_t)
--
-- files_search_tmp(xm_ssh_t)
--
-- fs_manage_xenfs_dirs(xm_ssh_t)
-- fs_manage_xenfs_files(xm_ssh_t)
--
- #Should have a boolean wrapping these
- fs_list_auto_mountpoints(xend_t)
- files_search_mnt(xend_t)
-@@ -559,8 +497,4 @@ optional_policy(`
- fs_manage_nfs_files(xend_t)
- fs_read_nfs_symlinks(xend_t)
- ')
--
-- optional_policy(`
-- unconfined_domain(xend_t)
-- ')
- ')
-diff --git a/xfs.te b/xfs.te
-index 11c1b12..fc5d128 100644
---- a/xfs.te
-+++ b/xfs.te
-@@ -37,7 +37,6 @@ files_pid_filetrans(xfs_t, xfs_var_run_t, file)
- kernel_read_kernel_sysctls(xfs_t)
- kernel_read_system_state(xfs_t)
-
--corenet_all_recvfrom_unlabeled(xfs_t)
- corenet_all_recvfrom_netlabel(xfs_t)
- corenet_tcp_sendrecv_generic_if(xfs_t)
- corenet_tcp_sendrecv_generic_node(xfs_t)
-@@ -57,7 +56,6 @@ fs_search_auto_mountpoints(xfs_t)
-
- domain_use_interactive_fds(xfs_t)
-
--files_read_etc_files(xfs_t)
- files_read_etc_runtime_files(xfs_t)
- files_read_usr_files(xfs_t)
-
-@@ -65,7 +63,6 @@ auth_use_nsswitch(xfs_t)
-
- logging_send_syslog_msg(xfs_t)
-
--miscfiles_read_localization(xfs_t)
- miscfiles_read_fonts(xfs_t)
-
- userdom_dontaudit_use_unpriv_user_fds(xfs_t)
-diff --git a/xguest.te b/xguest.te
-index e88b95f..3dd3d9a 100644
---- a/xguest.te
-+++ b/xguest.te
-@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true)
-
- ##
- ##
--## Allow xguest to configure Network Manager
-+## Allow xguest users to configure Network Manager and connect to apache ports
- ##
- ##
- gen_tunable(xguest_connect_network, true)
-@@ -29,6 +29,7 @@ gen_tunable(xguest_use_bluetooth, true)
- role xguest_r;
-
- userdom_restricted_xwindows_user_template(xguest)
-+sysnet_dns_name_resolve(xguest_t)
-
- ########################################
- #
-@@ -38,7 +39,7 @@ userdom_restricted_xwindows_user_template(xguest)
- ifndef(`enable_mls',`
- fs_exec_noxattr(xguest_t)
-
-- tunable_policy(`user_rw_noexattrfile',`
-+ tunable_policy(`selinuxuser_rw_noexattrfile',`
- fs_manage_noxattr_fs_files(xguest_t)
- fs_manage_noxattr_fs_dirs(xguest_t)
- # Write floppies
-@@ -49,11 +50,22 @@ ifndef(`enable_mls',`
- ')
- ')
-
-+optional_policy(`
-+ # Dontaudit fusermount
-+ mount_dontaudit_exec_fusermount(xguest_t)
-+')
-+
-+kernel_dontaudit_request_load_module(xguest_t)
-+
-+tunable_policy(`selinuxuser_execstack',`
-+ allow xguest_t self:process execstack;
-+')
-+
- # Allow mounting of file systems
- optional_policy(`
- tunable_policy(`xguest_mount_media',`
- kernel_read_fs_sysctls(xguest_t)
--
-+ kernel_request_load_module(xguest_t)
- files_dontaudit_getattr_boot_dirs(xguest_t)
- files_search_mnt(xguest_t)
-
-@@ -62,10 +74,9 @@ optional_policy(`
- fs_manage_noxattr_fs_dirs(xguest_t)
- fs_getattr_noxattr_fs(xguest_t)
- fs_read_noxattr_fs_symlinks(xguest_t)
-+ fs_mount_fusefs(xguest_t)
-
- auth_list_pam_console_data(xguest_t)
--
-- init_read_utmp(xguest_t)
- ')
- ')
-
-@@ -76,23 +87,97 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ tunable_policy(`xguest_use_bluetooth',`
-+ blueman_dbus_chat(xguest_t)
-+ ')
-+')
-+
-+
-+optional_policy(`
-+ chrome_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
- hal_dbus_chat(xguest_t)
- ')
-
- optional_policy(`
-- java_role(xguest_r, xguest_t)
-+ apache_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
-+ gnome_role(xguest_r, xguest_t)
- ')
-
- optional_policy(`
-- mozilla_role(xguest_r, xguest_t)
-+ gnomeclock_dontaudit_dbus_chat(xguest_t)
-+')
-+
-+optional_policy(`
-+ mozilla_run_plugin(xguest_t, xguest_r)
-+')
-+
-+optional_policy(`
-+ pcscd_read_pub_files(xguest_t)
-+ pcscd_stream_connect(xguest_t)
-+')
-+
-+optional_policy(`
-+ rhsmcertd_dontaudit_dbus_chat(xguest_t)
- ')
-
- optional_policy(`
- tunable_policy(`xguest_connect_network',`
- networkmanager_dbus_chat(xguest_t)
-+ networkmanager_read_lib_files(xguest_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ tunable_policy(`xguest_connect_network',`
-+ kernel_read_network_state(xguest_t)
-+
- corenet_tcp_connect_pulseaudio_port(xguest_t)
-+ corenet_tcp_sendrecv_generic_if(xguest_t)
-+ corenet_raw_sendrecv_generic_if(xguest_t)
-+ corenet_tcp_sendrecv_generic_node(xguest_t)
-+ corenet_raw_sendrecv_generic_node(xguest_t)
-+ corenet_tcp_connect_commplex_port(xguest_t)
-+ corenet_tcp_sendrecv_http_port(xguest_t)
-+ corenet_tcp_sendrecv_http_cache_port(xguest_t)
-+ corenet_tcp_sendrecv_squid_port(xguest_t)
-+ corenet_tcp_sendrecv_ftp_port(xguest_t)
-+ corenet_tcp_sendrecv_ipp_port(xguest_t)
-+ corenet_tcp_connect_http_port(xguest_t)
-+ corenet_tcp_connect_http_cache_port(xguest_t)
-+ corenet_tcp_connect_squid_port(xguest_t)
-+ corenet_tcp_connect_flash_port(xguest_t)
-+ corenet_tcp_connect_ftp_port(xguest_t)
- corenet_tcp_connect_ipp_port(xguest_t)
-+ corenet_tcp_connect_generic_port(xguest_t)
-+ corenet_tcp_connect_soundd_port(xguest_t)
-+ corenet_sendrecv_http_client_packets(xguest_t)
-+ corenet_sendrecv_http_cache_client_packets(xguest_t)
-+ corenet_sendrecv_squid_client_packets(xguest_t)
-+ corenet_sendrecv_ftp_client_packets(xguest_t)
-+ corenet_sendrecv_ipp_client_packets(xguest_t)
-+ corenet_sendrecv_generic_client_packets(xguest_t)
-+ # Should not need other ports
-+ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
-+ corenet_dontaudit_tcp_bind_generic_port(xguest_t)
-+ corenet_tcp_connect_speech_port(xguest_t)
-+ corenet_tcp_sendrecv_transproxy_port(xguest_t)
-+ corenet_tcp_connect_transproxy_port(xguest_t)
- ')
- ')
-
--#gen_user(xguest_u,, xguest_r, s0, s0)
-+optional_policy(`
-+ gen_require(`
-+ type mozilla_t;
-+ ')
-+
-+ allow xguest_t mozilla_t:process transition;
-+ role xguest_r types mozilla_t;
-+')
-+
-+gen_user(xguest_u, user, xguest_r, s0, s0)
-diff --git a/xprint.te b/xprint.te
-index 68d13e5..4fe8668 100644
---- a/xprint.te
-+++ b/xprint.te
-@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(xprint_t)
- corecmd_exec_bin(xprint_t)
- corecmd_exec_shell(xprint_t)
-
--corenet_all_recvfrom_unlabeled(xprint_t)
- corenet_all_recvfrom_netlabel(xprint_t)
- corenet_tcp_sendrecv_generic_if(xprint_t)
- corenet_udp_sendrecv_generic_if(xprint_t)
-@@ -58,7 +57,6 @@ fs_search_auto_mountpoints(xprint_t)
- logging_send_syslog_msg(xprint_t)
-
- miscfiles_read_fonts(xprint_t)
--miscfiles_read_localization(xprint_t)
-
- sysnet_read_config(xprint_t)
-
-diff --git a/xscreensaver.te b/xscreensaver.te
-index 1487a4e..c099b55 100644
---- a/xscreensaver.te
-+++ b/xscreensaver.te
-@@ -33,9 +33,7 @@ init_read_utmp(xscreensaver_t)
- logging_send_audit_msgs(xscreensaver_t)
- logging_send_syslog_msg(xscreensaver_t)
-
--miscfiles_read_localization(xscreensaver_t)
--
--userdom_use_user_ptys(xscreensaver_t)
-+userdom_use_inherited_user_ptys(xscreensaver_t)
- #access to .icons and ~/.xscreensaver
- userdom_read_user_home_content_files(xscreensaver_t)
-
-diff --git a/yam.te b/yam.te
-index 223ad43..a3267e5 100644
---- a/yam.te
-+++ b/yam.te
-@@ -58,7 +58,6 @@ corecmd_exec_bin(yam_t)
-
- # Rsync and lftp need to network. They also set files attributes to
- # match whats on the remote server.
--corenet_all_recvfrom_unlabeled(yam_t)
- corenet_all_recvfrom_netlabel(yam_t)
- corenet_tcp_sendrecv_generic_if(yam_t)
- corenet_tcp_sendrecv_generic_node(yam_t)
-@@ -71,7 +70,6 @@ corenet_sendrecv_rsync_client_packets(yam_t)
- # mktemp
- dev_read_urand(yam_t)
-
--files_read_etc_files(yam_t)
- files_read_etc_runtime_files(yam_t)
- # /usr/share/createrepo/genpkgmetadata.py:
- files_exec_usr_files(yam_t)
-@@ -83,16 +81,15 @@ fs_search_auto_mountpoints(yam_t)
- # Content can also be on ISO image files.
- fs_read_iso9660_files(yam_t)
-
--logging_send_syslog_msg(yam_t)
-+auth_use_nsswitch(yam_t)
-
--miscfiles_read_localization(yam_t)
-+logging_send_syslog_msg(yam_t)
-
- seutil_read_config(yam_t)
-
--sysnet_dns_name_resolve(yam_t)
- sysnet_read_config(yam_t)
-
--userdom_use_user_terminals(yam_t)
-+userdom_use_inherited_user_terminals(yam_t)
- userdom_use_unpriv_users_fds(yam_t)
- # Reading dotfiles...
- # cjp: ?
-diff --git a/zabbix.fc b/zabbix.fc
-index aa5a521..980c0df 100644
---- a/zabbix.fc
-+++ b/zabbix.fc
-@@ -1,8 +1,12 @@
- /etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
--/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/zabbix-server -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
-
- /usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
- /usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
-+/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-+/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-+/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-
- /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
-
-diff --git a/zabbix.if b/zabbix.if
-index c9981d1..38ce620 100644
---- a/zabbix.if
-+++ b/zabbix.if
-@@ -61,6 +61,26 @@ interface(`zabbix_read_log',`
-
- ########################################
- ##
-+## Allow the specified domain to read zabbix's tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`zabbix_read_tmp',`
-+ gen_require(`
-+ type zabbix_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ read_files_pattern($1, zabbix_tmp_t, zabbix_tmp_t)
-+')
-+
-+########################################
-+##
- ## Allow the specified domain to append
- ## zabbix log files.
- ##
-@@ -110,7 +130,7 @@ interface(`zabbix_read_pid_files',`
- #
- interface(`zabbix_agent_tcp_connect',`
- gen_require(`
-- type zabbix_agent_t;
-+ type zabbix_t, zabbix_agent_t;
- ')
-
- corenet_sendrecv_zabbix_agent_client_packets($1)
-@@ -142,8 +162,11 @@ interface(`zabbix_admin',`
- type zabbix_initrc_exec_t;
- ')
-
-- allow $1 zabbix_t:process { ptrace signal_perms };
-+ allow $1 zabbix_t:process signal_perms;
- ps_process_pattern($1, zabbix_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 zabbix_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/zabbix.te b/zabbix.te
-index 8c0bd70..24dd920 100644
---- a/zabbix.te
-+++ b/zabbix.te
-@@ -5,6 +5,13 @@ policy_module(zabbix, 1.5.0)
- # Declarations
- #
-
-+##
-+##
-+## Allow zabbix to connect to unreserved ports
-+##
-+##
-+gen_tunable(zabbix_can_network, false)
-+
- type zabbix_t;
- type zabbix_exec_t;
- init_daemon_domain(zabbix_t, zabbix_exec_t)
-@@ -23,6 +30,10 @@ init_script_file(zabbix_agent_initrc_exec_t)
- type zabbix_log_t;
- logging_log_file(zabbix_log_t)
-
-+# tmp files
-+type zabbix_tmp_t;
-+files_tmp_file(zabbix_tmp_t)
-+
- # shared memory
- type zabbix_tmpfs_t;
- files_tmpfs_file(zabbix_tmpfs_t)
-@@ -36,19 +47,25 @@ files_pid_file(zabbix_var_run_t)
- # zabbix local policy
- #
-
--allow zabbix_t self:capability { setuid setgid };
--allow zabbix_t self:fifo_file rw_file_perms;
--allow zabbix_t self:process { setsched getsched signal };
-+allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
-+allow zabbix_t self:process { setsched signal_perms };
-+allow zabbix_t self:sem create_sem_perms;
-+allow zabbix_t self:fifo_file rw_fifo_file_perms;
- allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
- allow zabbix_t self:sem create_sem_perms;
- allow zabbix_t self:shm create_shm_perms;
- allow zabbix_t self:tcp_socket create_stream_socket_perms;
-
- # log files
--allow zabbix_t zabbix_log_t:dir setattr;
-+allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
- manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
- logging_log_filetrans(zabbix_t, zabbix_log_t, file)
-
-+# tmp files
-+manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
-+manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
-+files_tmp_filetrans(zabbix_t, zabbix_tmp_t, { dir file })
-+
- # shared memory
- rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
- fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
-@@ -58,26 +75,48 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
- manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
- files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
-
-+kernel_read_system_state(zabbix_t)
-+kernel_read_kernel_sysctls(zabbix_t)
-+
-+corecmd_exec_bin(zabbix_t)
-+corecmd_exec_shell(zabbix_t)
-+
- corenet_tcp_bind_generic_node(zabbix_t)
- corenet_tcp_bind_zabbix_port(zabbix_t)
-+# needed by zabbix-server-mysql
-+corenet_tcp_connect_http_port(zabbix_t)
-+# to monitor ftp urls
-+corenet_tcp_connect_ftp_port(zabbix_t)
-
--files_read_etc_files(zabbix_t)
-+dev_read_urand(zabbix_t)
-
--miscfiles_read_localization(zabbix_t)
-+files_read_usr_files(zabbix_t)
-+
-+auth_use_nsswitch(zabbix_t)
-
--sysnet_dns_name_resolve(zabbix_t)
-
- zabbix_agent_tcp_connect(zabbix_t)
-
-+tunable_policy(`zabbix_can_network',`
-+ corenet_tcp_connect_all_ports(zabbix_t)
-+')
-+
- optional_policy(`
- mysql_stream_connect(zabbix_t)
-- mysql_tcp_connect(zabbix_t)
-+')
-+
-+optional_policy(`
-+ netutils_domtrans_ping(zabbix_t)
- ')
-
- optional_policy(`
- postgresql_stream_connect(zabbix_t)
- ')
-
-+optional_policy(`
-+ snmp_read_snmp_var_lib_dirs(zabbix_t)
-+')
-+
- ########################################
- #
- # zabbix agent local policy
-@@ -121,7 +160,6 @@ domain_search_all_domains_state(zabbix_agent_t)
- files_getattr_all_dirs(zabbix_agent_t)
- files_getattr_all_files(zabbix_agent_t)
- files_read_all_symlinks(zabbix_agent_t)
--files_read_etc_files(zabbix_agent_t)
-
- fs_getattr_all_fs(zabbix_agent_t)
-
-@@ -129,7 +167,6 @@ init_read_utmp(zabbix_agent_t)
-
- logging_search_logs(zabbix_agent_t)
-
--miscfiles_read_localization(zabbix_agent_t)
-
- sysnet_dns_name_resolve(zabbix_agent_t)
-
-diff --git a/zarafa.fc b/zarafa.fc
-index 3defaa1..a451e97 100644
---- a/zarafa.fc
-+++ b/zarafa.fc
-@@ -8,19 +8,24 @@
- /usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
- /usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
-
--/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0)
-+/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
-+/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
-+/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
-
--/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
--/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
--/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
--/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
--/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
--/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
-+/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
-+/var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
-+/var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
-+/var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
-+/var/log/zarafa/monitor\.log.* -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
-+/var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
-+/var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
-
- /var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
-+/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
- /var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
- /var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
--/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
-+/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
-+/var/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
- /var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
- /var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
- /var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
-diff --git a/zarafa.if b/zarafa.if
-index 21ae664..3d08962 100644
---- a/zarafa.if
-+++ b/zarafa.if
-@@ -42,6 +42,12 @@ template(`zarafa_domain_template',`
-
- manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
- logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
-+
-+ kernel_read_system_state(zarafa_$1_t)
-+
-+ auth_use_nsswitch(zarafa_$1_t)
-+
-+ logging_send_syslog_msg(zarafa_$1_t)
- ')
-
- ######################################
-@@ -118,3 +124,25 @@ interface(`zarafa_stream_connect_server',`
- files_search_var_lib($1)
- stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
- ')
-+
-+####################################
-+##
-+## Allow the specified domain to manage
-+## zarafa /var/lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`zarafa_manage_lib_files',`
-+ gen_require(`
-+ type zarafa_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
-+ manage_lnk_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
-+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
-+')
-diff --git a/zarafa.te b/zarafa.te
-index 91267bc..0aa9870 100644
---- a/zarafa.te
-+++ b/zarafa.te
-@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
- zarafa_domain_template(gateway)
- zarafa_domain_template(ical)
- zarafa_domain_template(indexer)
-+
-+type zarafa_indexer_tmp_t;
-+files_tmp_file(zarafa_indexer_tmp_t)
-+
- zarafa_domain_template(monitor)
- zarafa_domain_template(server)
-
-@@ -48,10 +52,9 @@ auth_use_nsswitch(zarafa_deliver_t)
- # zarafa_gateway local policy
- #
-
--allow zarafa_gateway_t self:capability { chown kill };
-+allow zarafa_gateway_t self:capability { kill };
- allow zarafa_gateway_t self:process setrlimit;
-
--corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
- corenet_all_recvfrom_netlabel(zarafa_gateway_t)
- corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
- corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
-@@ -59,16 +62,28 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
- corenet_tcp_bind_generic_node(zarafa_gateway_t)
- corenet_tcp_bind_pop_port(zarafa_gateway_t)
-
--auth_use_nsswitch(zarafa_gateway_t)
-+######################################
-+#
-+# zarafa-indexer local policy
-+#
-+
-+
-+manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
-+manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
-+files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir })
-+
-+manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
-+manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
-+manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
-+
-+auth_use_nsswitch(zarafa_indexer_t)
-
- #######################################
- #
- # zarafa-ical local policy
- #
-
--allow zarafa_ical_t self:capability chown;
-
--corenet_all_recvfrom_unlabeled(zarafa_ical_t)
- corenet_all_recvfrom_netlabel(zarafa_ical_t)
- corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
- corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
-@@ -83,7 +98,6 @@ auth_use_nsswitch(zarafa_ical_t)
- # zarafa-monitor local policy
- #
-
--allow zarafa_monitor_t self:capability chown;
-
- auth_use_nsswitch(zarafa_monitor_t)
-
-@@ -92,7 +106,7 @@ auth_use_nsswitch(zarafa_monitor_t)
- # zarafa_server local policy
- #
-
--allow zarafa_server_t self:capability { chown kill net_bind_service };
-+allow zarafa_server_t self:capability { kill net_bind_service };
- allow zarafa_server_t self:process setrlimit;
-
- manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
-@@ -101,11 +115,11 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
-
- manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
- manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
--files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir })
-+manage_lnk_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
-+files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file })
-
- stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
-
--corenet_all_recvfrom_unlabeled(zarafa_server_t)
- corenet_all_recvfrom_netlabel(zarafa_server_t)
- corenet_tcp_sendrecv_generic_if(zarafa_server_t)
- corenet_tcp_sendrecv_generic_node(zarafa_server_t)
-@@ -135,11 +149,10 @@ optional_policy(`
- # zarafa_spooler local policy
- #
-
--allow zarafa_spooler_t self:capability { chown kill };
-+allow zarafa_spooler_t self:capability { kill };
-
- can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
-
--corenet_all_recvfrom_unlabeled(zarafa_spooler_t)
- corenet_all_recvfrom_netlabel(zarafa_spooler_t)
- corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
- corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
-@@ -150,11 +163,35 @@ auth_use_nsswitch(zarafa_spooler_t)
-
- ########################################
- #
-+# zarafa_gateway local policy
-+#
-+
-+allow zarafa_gateway_t self:capability { kill };
-+allow zarafa_gateway_t self:process setrlimit;
-+
-+corenet_tcp_bind_pop_port(zarafa_gateway_t)
-+
-+#######################################
-+#
-+# zarafa-ical local policy
-+#
-+
-+
-+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
-+
-+######################################
-+#
-+# zarafa-monitor local policy
-+#
-+
-+
-+########################################
-+#
- # zarafa domains local policy
- #
-
- # bad permission on /etc/zarafa
--allow zarafa_domain self:capability { dac_override setgid setuid };
-+allow zarafa_domain self:capability { dac_override chown setgid setuid };
- allow zarafa_domain self:process signal;
- allow zarafa_domain self:fifo_file rw_fifo_file_perms;
- allow zarafa_domain self:tcp_socket create_stream_socket_perms;
-@@ -164,8 +201,8 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
-
- read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
-
--kernel_read_system_state(zarafa_domain)
-+dev_read_rand(zarafa_domain)
-+dev_read_urand(zarafa_domain)
-
- files_read_etc_files(zarafa_domain)
-
--miscfiles_read_localization(zarafa_domain)
-diff --git a/zebra.if b/zebra.if
-index 6b87605..ef64e73 100644
---- a/zebra.if
-+++ b/zebra.if
-@@ -38,8 +38,7 @@ interface(`zebra_stream_connect',`
- ')
-
- files_search_pids($1)
-- allow $1 zebra_var_run_t:sock_file write;
-- allow $1 zebra_t:unix_stream_socket connectto;
-+ stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
- ')
-
- ########################################
-@@ -62,12 +61,14 @@ interface(`zebra_stream_connect',`
- interface(`zebra_admin',`
- gen_require(`
- type zebra_t, zebra_tmp_t, zebra_log_t;
-- type zebra_conf_t, zebra_var_run_t;
-- type zebra_initrc_exec_t;
-+ type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
- ')
-
-- allow $1 zebra_t:process { ptrace signal_perms };
-+ allow $1 zebra_t:process signal_perms;
- ps_process_pattern($1, zebra_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 zebra_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, zebra_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/zebra.te b/zebra.te
-index ade6c2c..ac46eb2 100644
---- a/zebra.te
-+++ b/zebra.te
-@@ -11,14 +11,14 @@ policy_module(zebra, 1.12.0)
- ##
- ##
- #
--gen_tunable(allow_zebra_write_config, false)
-+gen_tunable(zebra_write_config, false)
-
- type zebra_t;
- type zebra_exec_t;
- init_daemon_domain(zebra_t, zebra_exec_t)
-
- type zebra_conf_t;
--files_type(zebra_conf_t)
-+files_config_file(zebra_conf_t)
-
- type zebra_initrc_exec_t;
- init_script_file(zebra_initrc_exec_t)
-@@ -52,7 +52,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms;
- read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
- read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
-
--allow zebra_t zebra_log_t:dir setattr;
-+allow zebra_t zebra_log_t:dir setattr_dir_perms;
- manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
- manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
- logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
-@@ -71,7 +71,6 @@ kernel_read_network_state(zebra_t)
- kernel_read_kernel_sysctls(zebra_t)
- kernel_rw_net_sysctls(zebra_t)
-
--corenet_all_recvfrom_unlabeled(zebra_t)
- corenet_all_recvfrom_netlabel(zebra_t)
- corenet_tcp_sendrecv_generic_if(zebra_t)
- corenet_udp_sendrecv_generic_if(zebra_t)
-@@ -106,16 +105,16 @@ files_search_etc(zebra_t)
- files_read_etc_files(zebra_t)
- files_read_etc_runtime_files(zebra_t)
-
--logging_send_syslog_msg(zebra_t)
-+auth_read_passwd(zebra_t)
-
--miscfiles_read_localization(zebra_t)
-+logging_send_syslog_msg(zebra_t)
-
- sysnet_read_config(zebra_t)
-
- userdom_dontaudit_use_unpriv_user_fds(zebra_t)
- userdom_dontaudit_search_user_home_dirs(zebra_t)
-
--tunable_policy(`allow_zebra_write_config',`
-+tunable_policy(`zebra_write_config',`
- manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
- ')
-
-diff --git a/zoneminder.fc b/zoneminder.fc
-new file mode 100644
-index 0000000..e1602ec
---- /dev/null
-+++ b/zoneminder.fc
-@@ -0,0 +1,24 @@
-+/etc/rc\.d/init\.d/motion -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
-+
-+/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
-+
-+/usr/bin/motion -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
-+
-+/usr/bin/zmpkg.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
-+
-+/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0)
-+
-+/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
-+
-+/var/motion(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
-+
-+/var/log/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_log_t,s0)
-+
-+/var/log/motion\.log.* -- gen_context(system_u:object_r:zoneminder_log_t,s0)
-+
-+/var/run/motion\.pid -- gen_context(system_u:object_r:zoneminder_var_run_t,s0)
-+
-+/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
-+
-+
-+
-diff --git a/zoneminder.if b/zoneminder.if
-new file mode 100644
-index 0000000..b34b8b4
---- /dev/null
-+++ b/zoneminder.if
-@@ -0,0 +1,339 @@
-+
-+## policy for zoneminder
-+
-+
-+########################################
-+##
-+## Transition to zoneminder.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`zoneminder_domtrans',`
-+ gen_require(`
-+ type zoneminder_t, zoneminder_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, zoneminder_exec_t, zoneminder_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute zoneminder server in the zoneminder domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`zoneminder_initrc_domtrans',`
-+ gen_require(`
-+ type zoneminder_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, zoneminder_initrc_exec_t)
-+')
-+
-+
-+########################################
-+##
-+## Read zoneminder's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`zoneminder_read_log',`
-+ gen_require(`
-+ type zoneminder_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
-+')
-+
-+########################################
-+##
-+## Append to zoneminder log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`zoneminder_append_log',`
-+ gen_require(`
-+ type zoneminder_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
-+')
-+
-+########################################
-+##
-+## Manage zoneminder log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`zoneminder_manage_log',`
-+ gen_require(`
-+ type zoneminder_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, zoneminder_log_t, zoneminder_log_t)
-+ manage_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
-+ manage_lnk_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
-+')
-+
-+########################################
-+##
-+## Search zoneminder lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`zoneminder_search_lib',`
-+ gen_require(`
-+ type zoneminder_var_lib_t;
-+ ')
-+
-+ allow $1 zoneminder_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read zoneminder lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`zoneminder_read_lib_files',`
-+ gen_require(`
-+ type zoneminder_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage zoneminder lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`zoneminder_manage_lib_files',`
-+ gen_require(`
-+ type zoneminder_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage zoneminder lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`zoneminder_manage_lib_dirs',`
-+ gen_require(`
-+ type zoneminder_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
-+')
-+
-+
-+########################################
-+##
-+## Search zoneminder spool directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`zoneminder_search_spool',`
-+ gen_require(`
-+ type zoneminder_spool_t;
-+ ')
-+
-+ allow $1 zoneminder_spool_t:dir search_dir_perms;
-+ files_search_spool($1)
-+')
-+
-+########################################
-+##
-+## Read zoneminder spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`zoneminder_read_spool_files',`
-+ gen_require(`
-+ type zoneminder_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ read_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
-+')
-+
-+########################################
-+##
-+## Manage zoneminder spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`zoneminder_manage_spool_files',`
-+ gen_require(`
-+ type zoneminder_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ manage_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
-+')
-+
-+########################################
-+##
-+## Manage zoneminder spool dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`zoneminder_manage_spool_dirs',`
-+ gen_require(`
-+ type zoneminder_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ manage_dirs_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
-+')
-+
-+########################################
-+##
-+## Connect to zoneminder over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`zoneminder_stream_connect',`
-+ gen_require(`
-+ type zoneminder_t, zoneminder_var_lib_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t, zoneminder_t)
-+')
-+
-+######################################
-+##
-+## Read/write zonerimender tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`zoneminder_rw_tmpfs_files',`
-+ gen_require(`
-+ type zoneminder_tmpfs_t;
-+ ')
-+
-+ fs_search_tmpfs($1)
-+ rw_files_pattern($1, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an zoneminder environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`zoneminder_admin',`
-+ gen_require(`
-+ type zoneminder_t;
-+ type zoneminder_initrc_exec_t;
-+ type zoneminder_log_t;
-+ type zoneminder_var_lib_t;
-+ type zoneminder_spool_t;
-+ ')
-+
-+ allow $1 zoneminder_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, zoneminder_t)
-+
-+ zoneminder_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 zoneminder_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, zoneminder_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, zoneminder_var_lib_t)
-+
-+ files_search_spool($1)
-+ admin_pattern($1, zoneminder_spool_t)
-+
-+')
-+
-diff --git a/zoneminder.te b/zoneminder.te
-new file mode 100644
-index 0000000..3708d3c
---- /dev/null
-+++ b/zoneminder.te
-@@ -0,0 +1,121 @@
-+policy_module(zoneminder, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+##
-+##
-+## Allow ZoneMinder to modify public files
-+## used for public file transfer services.
-+##
-+##
-+gen_tunable(zoneminder_anon_write, false)
-+
-+type zoneminder_t;
-+type zoneminder_exec_t;
-+init_daemon_domain(zoneminder_t, zoneminder_exec_t)
-+
-+type zoneminder_initrc_exec_t;
-+init_script_file(zoneminder_initrc_exec_t)
-+
-+type zoneminder_log_t;
-+logging_log_file(zoneminder_log_t)
-+
-+type zoneminder_tmpfs_t;
-+files_tmpfs_file(zoneminder_tmpfs_t)
-+
-+type zoneminder_spool_t;
-+files_type(zoneminder_spool_t)
-+
-+type zoneminder_var_lib_t;
-+files_type(zoneminder_var_lib_t)
-+
-+type zoneminder_var_run_t;
-+files_pid_file(zoneminder_var_run_t)
-+
-+########################################
-+#
-+# zoneminder local policy
-+#
-+allow zoneminder_t self:capability { chown dac_override };
-+allow zoneminder_t self:process { signal_perms setpgid };
-+allow zoneminder_t self:shm create_shm_perms;
-+allow zoneminder_t self:fifo_file rw_fifo_file_perms;
-+allow zoneminder_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+
-+manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
-+manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
-+logging_log_filetrans(zoneminder_t, zoneminder_log_t, { dir file })
-+
-+manage_dirs_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
-+manage_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
-+manage_lnk_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
-+fs_tmpfs_filetrans(zoneminder_t, zoneminder_tmpfs_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
-+manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
-+manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
-+files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file sock_file })
-+
-+manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
-+manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
-+files_pid_filetrans(zoneminder_t, zoneminder_var_run_t, { dir file })
-+
-+manage_dirs_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
-+manage_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
-+manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
-+files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file })
-+
-+kernel_read_system_state(zoneminder_t)
-+
-+corecmd_exec_bin(zoneminder_t)
-+corecmd_exec_shell(zoneminder_t)
-+
-+corenet_tcp_bind_http_cache_port(zoneminder_t)
-+corenet_tcp_bind_transproxy_port(zoneminder_t)
-+
-+dev_read_sysfs(zoneminder_t)
-+dev_read_rand(zoneminder_t)
-+dev_read_urand(zoneminder_t)
-+dev_read_video_dev(zoneminder_t)
-+dev_write_video_dev(zoneminder_t)
-+
-+files_read_usr_files(zoneminder_t)
-+
-+auth_use_nsswitch(zoneminder_t)
-+
-+logging_send_syslog_msg(zoneminder_t)
-+
-+tunable_policy(`zoneminder_anon_write',`
-+ miscfiles_manage_public_files(zoneminder_t)
-+')
-+
-+optional_policy(`
-+ mysql_stream_connect(zoneminder_t)
-+')
-+
-+########################################
-+#
-+# zoneminder cgi local policy
-+#
-+
-+optional_policy(`
-+ apache_content_template(zoneminder)
-+
-+ # need more testing
-+ #allow httpd_zoneminder_script_t self:shm create_shm_perms;
-+
-+ manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
-+ zoneminder_stream_connect(httpd_zoneminder_script_t)
-+
-+ files_search_var_lib(httpd_zoneminder_script_t)
-+
-+ logging_send_syslog_msg(httpd_zoneminder_script_t)
-+
-+ optional_policy(`
-+ mysql_stream_connect(httpd_zoneminder_script_t)
-+ ')
-+
-+')
-diff --git a/zosremote.fc b/zosremote.fc
-index d719d0b..7a7fc61 100644
---- a/zosremote.fc
-+++ b/zosremote.fc
-@@ -1 +1,3 @@
- /sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
-+
-+/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
-diff --git a/zosremote.if b/zosremote.if
-index 702e768..2a4f2cc 100644
---- a/zosremote.if
-+++ b/zosremote.if
-@@ -34,6 +34,7 @@ interface(`zosremote_domtrans',`
- ## Role allowed access.
- ##
- ##
-+##
- #
- interface(`zosremote_run',`
- gen_require(`
-diff --git a/zosremote.te b/zosremote.te
-index f9a06d2..fade72a 100644
---- a/zosremote.te
-+++ b/zosremote.te
-@@ -16,13 +16,9 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
- #
-
- allow zos_remote_t self:process signal;
--allow zos_remote_t self:fifo_file rw_file_perms;
-+allow zos_remote_t self:fifo_file rw_fifo_file_perms;
- allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
-
--files_read_etc_files(zos_remote_t)
--
- auth_use_nsswitch(zos_remote_t)
-
--miscfiles_read_localization(zos_remote_t)
--
- logging_send_syslog_msg(zos_remote_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cf75bdd..397410c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -23,8 +23,8 @@ Release: 67%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
-patch: policy-rawhide.patch
-patch1: policy_contrib-rawhide.patch
+patch: policy-rawhide-base.patch
+patch1: policy-rawhide-contrib.patch
patch2: policy_contrib-rawhide-roleattribute.patch
patch3: policy-rawhide-roleattribute.patch
Source1: modules-targeted-base.conf